Bug#1053641: transition: libavif

2023-10-07 Thread Boyuan Yang
Hi,

On Sat, 2023-10-07 at 23:59 +0300, Adrian Bunk wrote:
> On Sat, Oct 07, 2023 at 03:33:16PM -0400, Boyuan Yang wrote:
> > ...
> > (2) Fix current jpeg-xl in Sid properly. That won't be too trivial since
> > the new testing error is likely triggered by some unclear changes in
> > build-dependencies over the past several months.
> > ...
> 
> Fix below, only tested on i386 but should also fix s390x.
> 
> > Thanks,
> > Boyuan Yang
> > ...
> 
> cu
> Adrian
> 
> --- jpeg-xl-0.7.0/debian/rules.old2023-10-07 20:36:28.728571696 +
> +++ jpeg-xl-0.7.0/debian/rules2023-10-07 20:36:51.420550561 +
> @@ -23,6 +23,8 @@
>    DEB_CXXFLAGS_MAINT_APPEND += -fno-tree-vectorize
>  endif
>  
> +DEB_CXXFLAGS_MAINT_APPEND += -fexcess-precision=fast
> +
>  ifneq (,$(filter $(DEB_HOST_ARCH), arm64 armel armhf ppc64el))
>    # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77728
>    DEB_CXXFLAGS_MAINT_APPEND += -Wno-psabi
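Review bot: the new line carries no comment, while the neighbouring `-Wno-psabi` block cites the GCC bug it works around; add a one-line comment above `DEB_CXXFLAGS_MAINT_APPEND += -fexcess-precision=fast` naming the reason (GCC 13 switched the C++ default to -fexcess-precision=standard, which is what breaks the i386 and s390x test runs) so a later maintainer can tell when the workaround is safe to drop instead of silently carrying it into jpeg-xl 0.8.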

Thanks. I noticed that gcc-13 changed its default from -fexcess-precision=fast
to -fexcess-precision=standard with -std=c++17 [2], and this is likely the root
cause of the recent FTBFS. I have incorporated your patch into the
jpeg-xl/0.7.0-10.2 upload, and the build seems to go on well. Looks like we can
continue and finish the libavif transition.

[2] https://gcc.gnu.org/gcc-13/changes.html#cxx


Best,
Boyuan Yang


signature.asc
Description: This is a digitally signed message part


NEW changes in stable-new

2023-10-07 Thread Debian FTP Masters
Processing changes file: arctica-greeter_0.99.3.0-1+deb12u2_mips64el-buildd.changes
  ACCEPT
Processing changes file: arctica-greeter_0.99.3.0-1+deb12u2_mipsel-buildd.changes
  ACCEPT



NEW changes in oldstable-new

2023-10-07 Thread Debian FTP Masters
Processing changes file: chromium_117.0.5938.62-1~deb11u1_source.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.62-1~deb11u1_all-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.62-1~deb11u1_amd64-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.62-1~deb11u1_arm64-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.62-1~deb11u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.132-1~deb11u1_source.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.132-1~deb11u1_all-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.132-1~deb11u1_amd64-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.132-1~deb11u1_arm64-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.132-1~deb11u1_i386-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.132-1~deb11u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.149-1~deb11u1_source.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.149-1~deb11u1_all-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.149-1~deb11u1_amd64-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.149-1~deb11u1_arm64-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.149-1~deb11u1_armhf-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.149-1~deb11u1_i386-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.149-1~deb11u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: exim4_4.94.2-7+deb11u1_sourceonly.changes
  ACCEPT
Processing changes file: exim4_4.94.2-7+deb11u1_all-buildd.changes
  ACCEPT
Processing changes file: exim4_4.94.2-7+deb11u1_amd64-buildd.changes
  ACCEPT
Processing changes file: exim4_4.94.2-7+deb11u1_arm64-buildd.changes
  ACCEPT
Processing changes file: exim4_4.94.2-7+deb11u1_armel-buildd.changes
  ACCEPT
Processing changes file: exim4_4.94.2-7+deb11u1_armhf-buildd.changes
  ACCEPT
Processing changes file: exim4_4.94.2-7+deb11u1_i386-buildd.changes
  ACCEPT
Processing changes file: exim4_4.94.2-7+deb11u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: exim4_4.94.2-7+deb11u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: exim4_4.94.2-7+deb11u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: exim4_4.94.2-7+deb11u1_s390x-buildd.changes
  ACCEPT
Processing changes file: glibc_2.31-13+deb11u7_source.changes
  ACCEPT
Processing changes file: glibc_2.31-13+deb11u7_all-buildd.changes
  ACCEPT
Processing changes file: glibc_2.31-13+deb11u7_amd64-buildd.changes
  ACCEPT
Processing changes file: glibc_2.31-13+deb11u7_arm64-buildd.changes
  ACCEPT
Processing changes file: glibc_2.31-13+deb11u7_armel-buildd.changes
  ACCEPT
Processing changes file: glibc_2.31-13+deb11u7_armhf-buildd.changes
  ACCEPT
Processing changes file: glibc_2.31-13+deb11u7_i386-buildd.changes
  ACCEPT
Processing changes file: glibc_2.31-13+deb11u7_mips64el-buildd.changes
  ACCEPT
Processing changes file: glibc_2.31-13+deb11u7_mipsel-buildd.changes
  ACCEPT
Processing changes file: glibc_2.31-13+deb11u7_ppc64el-buildd.changes
  ACCEPT
Processing changes file: glibc_2.31-13+deb11u7_s390x-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.9.0-1+deb11u2_sourceonly.changes
  ACCEPT
Processing changes file: libvpx_1.9.0-1+deb11u2_all-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.9.0-1+deb11u2_amd64-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.9.0-1+deb11u2_arm64-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.9.0-1+deb11u2_armel-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.9.0-1+deb11u2_armhf-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.9.0-1+deb11u2_i386-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.9.0-1+deb11u2_mips64el-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.9.0-1+deb11u2_mipsel-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.9.0-1+deb11u2_ppc64el-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.9.0-1+deb11u2_s390x-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb11u1_source.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb11u1_amd64-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb11u1_arm64-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb11u1_armel-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb11u1_armhf-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb11u1_i386-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb11u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb11u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb11u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb11u1_s390x-buildd.changes
  ACCEPT
Processing changes file: 

NEW changes in stable-new

2023-10-07 Thread Debian FTP Masters
Processing changes file: arctica-greeter_0.99.3.0-1+deb12u2_all-buildd.changes
  ACCEPT
Processing changes file: arctica-greeter_0.99.3.0-1+deb12u2_amd64-buildd.changes
  ACCEPT
Processing changes file: arctica-greeter_0.99.3.0-1+deb12u2_arm64-buildd.changes
  ACCEPT
Processing changes file: arctica-greeter_0.99.3.0-1+deb12u2_armel-buildd.changes
  ACCEPT
Processing changes file: arctica-greeter_0.99.3.0-1+deb12u2_armhf-buildd.changes
  ACCEPT
Processing changes file: arctica-greeter_0.99.3.0-1+deb12u2_i386-buildd.changes
  ACCEPT
Processing changes file: arctica-greeter_0.99.3.0-1+deb12u2_ppc64el-buildd.changes
  ACCEPT
Processing changes file: arctica-greeter_0.99.3.0-1+deb12u2_s390x-buildd.changes
  ACCEPT
Processing changes file: mrtg_2.17.10-5+deb12u2_all-buildd.changes
  ACCEPT
Processing changes file: mrtg_2.17.10-5+deb12u2_amd64-buildd.changes
  ACCEPT
Processing changes file: mrtg_2.17.10-5+deb12u2_arm64-buildd.changes
  ACCEPT
Processing changes file: mrtg_2.17.10-5+deb12u2_armel-buildd.changes
  ACCEPT
Processing changes file: mrtg_2.17.10-5+deb12u2_armhf-buildd.changes
  ACCEPT
Processing changes file: mrtg_2.17.10-5+deb12u2_i386-buildd.changes
  ACCEPT
Processing changes file: mrtg_2.17.10-5+deb12u2_mips64el-buildd.changes
  ACCEPT
Processing changes file: mrtg_2.17.10-5+deb12u2_mipsel-buildd.changes
  ACCEPT
Processing changes file: mrtg_2.17.10-5+deb12u2_ppc64el-buildd.changes
  ACCEPT
Processing changes file: mrtg_2.17.10-5+deb12u2_s390x-buildd.changes
  ACCEPT
Processing changes file: openrefine_3.6.2-2+deb12u2_all-buildd.changes
  ACCEPT



Re: Planning for 12.3

2023-10-07 Thread Mark Hymers
On Sat, 07, Oct, 2023 at 06:59:03PM +0100, Jonathan Wiltshire spoke thus..
> How about:
>   4th December (better for cadence)
>  11th December (more likely suitable in practice)

Assuming that (as mentioned on IRC) you mean November, I can do either
of those for ftp- right now.

Mark


-- 
Mark Hymers 


signature.asc
Description: PGP signature


Bug#1053641: transition: libavif

2023-10-07 Thread Adrian Bunk
On Sat, Oct 07, 2023 at 03:33:16PM -0400, Boyuan Yang wrote:
>...
> (2) Fix current jpeg-xl in Sid properly. That won't be too trivial since the
> new testing error is likely triggered by some unclear changes in
> build-dependencies over the past several months.
>...

Fix below, only tested on i386 but should also fix s390x.

> Thanks,
> Boyuan Yang
>...

cu
Adrian

--- jpeg-xl-0.7.0/debian/rules.old  2023-10-07 20:36:28.728571696 +
+++ jpeg-xl-0.7.0/debian/rules  2023-10-07 20:36:51.420550561 +
@@ -23,6 +23,8 @@
   DEB_CXXFLAGS_MAINT_APPEND += -fno-tree-vectorize
 endif
 
+DEB_CXXFLAGS_MAINT_APPEND += -fexcess-precision=fast
+
 ifneq (,$(filter $(DEB_HOST_ARCH), arm64 armel armhf ppc64el))
   # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77728
   DEB_CXXFLAGS_MAINT_APPEND += -Wno-psabi
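Review bot: the flag is appended outside any `ifneq (,$(filter $(DEB_HOST_ARCH), ...))` guard, so unlike `-fno-tree-vectorize` and `-Wno-psabi` around it, it changes the floating-point semantics of the build on every architecture, while the mail says the change was tested only on i386 and is expected to fix s390x. Either gate it on the architectures where the tests fail, e.g. `ifneq (,$(filter $(DEB_HOST_ARCH), i386 s390x))`, or state in a comment why a global change is intended; in either case the s390x result should be confirmed on the buildd before the upload is treated as the fix.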



Re: Planning for 12.3

2023-10-07 Thread Jonathan Wiltshire
On Sat, Oct 07, 2023 at 06:59:03PM +0100, Jonathan Wiltshire wrote:
> How about:
>   4th December (better for cadence)
>  11th December (more likely suitable in practice)

Erm, astute readers will realise the 4th and 11th are Saturdays in
November, not December. The correct proposals should be:

 2nd December (better for cadence, no-go for me)
 9th December (more likely suitable in practice)

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



signature.asc
Description: PGP signature


Bug#1053641: transition: libavif

2023-10-07 Thread Boyuan Yang
X-Debbugs-CC: ma...@debian.org

On Sat, 2023-10-07 at 20:32 +0200, Sebastian Ramacher wrote:
> Control: tags -1 confirmed
> 
> On 2023-10-07 14:06:44 -0400, Boyuan Yang wrote:
> > I am looking at starting the transition for package libavif,
> > which comes with a SONAME bump
> > (libavif15, v0.11.1-3 (sid) -> libavif16, v1.0.1-1 (exp)).
> > 
> > * jpeg-xl (Current version FTBFS unconditionally due to a different reason
> > in Testing/Sid; my NMU fix just accepted in Sid)
> > 
> > Do we need to wait till my NMU-ed jpeg-xl to migrate to Testing before
> > starting the libavif transition?
> 
> No, that's not necessary. Please go ahead.

Alright, here comes the tricky part.

In the test build of reverse build-dependencies, only amd64 builds are examined.
Now, the rebuilt jpeg-xl has some new FTBFS on other architectures; and while
some issues are easy to solve (e.g., missing  header for arm64), some issues
are not (like the new test failures for i386 and s390x) [1].

Probably I uploaded the libavif/1.0.1-1 to Sid too soon; and while I tried to
cancel the upload with "dcut rm" and "dcut cancel", these commands never
successfully intercepted the upload ("no such upload found", "no file to
delete", etc.), and we are having the new libavif in Sid now to trigger the
transition. This is the worst condition we could have, though I consciously
tried to avoid it :-(

I am now wondering what would be the best way to get this transition done in a
sane way. A few choices in my mind:

(1) Make a sloppy upload to jpeg-xl in Sid to ignore post-build testing errors
(and possibly newly-emerged autopkgtest errors, if any?) so that the libavif
transition can finish, and count on the upcoming jpeg-xl (0.7 -> 0.8)
transition to correct these ignored errors;

(2) Fix current jpeg-xl in Sid properly. That won't be too trivial since the new
testing error is likely triggered by some unclear changes in build-dependencies
over the past several months.

(3) Wait till a sane jpeg-xl 0.8 upload (with transition) is ready, and entangle
the jpeg-xl transition with the libavif transition.

It would be great if you have any suggestion, or even better, some good patches
on it.

Thanks,
Boyuan Yang


[1] https://buildd.debian.org/status/package.php?p=jpeg-xl



NEW changes in stable-new

2023-10-07 Thread Debian FTP Masters
Processing changes file: arctica-greeter_0.99.3.0-1+deb12u2_source.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb12u1_source.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb12u1_amd64-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb12u1_arm64-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb12u1_armel-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb12u1_armhf-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb12u1_i386-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb12u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb12u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb12u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: libxpm_3.5.12-1.1+deb12u1_s390x-buildd.changes
  ACCEPT



Processed: tagging 992330, tagging 1021176

2023-10-07 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 992330 - moreinfo
Bug #992330 [release.debian.org] bullseye-pu: package nova/22.2.2-1+deb11u1 (CVE-2021-3654)
Removed tag(s) moreinfo.
> tags 1021176 - moreinfo
Bug #1021176 [release.debian.org] bullseye-pu: package openvswitch/2.15.0+ds1-2+deb11u1
Removed tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1021176: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021176
992330: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992330
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: closing 1026078

2023-10-07 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> close 1026078
Bug #1026078 [release.debian.org] bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650
Marked Bug as done
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1026078: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026078
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#1053641: transition: libavif

2023-10-07 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed
Bug #1053641 [release.debian.org] transition: libavif
Added tag(s) confirmed.

-- 
1053641: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053641
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1053641: transition: libavif

2023-10-07 Thread Sebastian Ramacher
Control: tags -1 confirmed

On 2023-10-07 14:06:44 -0400, Boyuan Yang wrote:
> Package: release.debian.org
> Control: affects -1 + src:libavif
> X-Debbugs-Cc: liba...@packages.debian.org ma...@debian.org
> User: release.debian@packages.debian.org
> Usertags: transition
> X-Debbugs-Cc: by...@debian.org
> Severity: normal
> 
> I am looking at starting the transition for package libavif,
> which comes with a SONAME bump
> (libavif15, v0.11.1-3 (sid) -> libavif16, v1.0.1-1 (exp)).
> 
> I tried with the rebuild of all packages on the transition page:
> 
> Level 1:
> 
> * libavif (OK)
> 
> Level 2:
> 
> * jpeg-xl (Current version FTBFS unconditionally due to a different reason
> in Testing/Sid; my NMU fix just accepted in Sid)
> * libgd2 (OK)
> * links2 (OK)
> * qt-avif-image-plugin (OK)
> 
> Level 3:
> 
> * darktable (OK)
> * kimageformats (OK)
> * webkit2gtk (OK)
> * wpewebkit (OK)
> 
> 
> Do we need to wait till my NMU-ed jpeg-xl to migrate to Testing before
> starting the libavif transition?

No, that's not necessary. Please go ahead.

Cheers
-- 
Sebastian Ramacher



Processed: Re: Bug#1049899: bookworm-pu: package exim4/4.96-15+deb12u2

2023-10-07 Thread Debian Bug Tracking System
Processing control commands:

> close -1
Bug #1049899 [release.debian.org] bookworm-pu: package exim4/4.96-15+deb12u2
Marked Bug as done

-- 
1049899: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049899
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1049899: bookworm-pu: package exim4/4.96-15+deb12u2

2023-10-07 Thread Jonathan Wiltshire
Control: close -1

On Sat, Oct 07, 2023 at 01:28:01PM +0200, Andreas Metzler wrote:
> On 2023-10-07 Jonathan Wiltshire  wrote:
> [...]
> > The version number in this request matches one we've had via a DSA (5512);
> > are they the same or does the proposed upload supersede it?
> [...]
> 
> 
> Hello,
> 
> I will need to rebase the proposed changes version on top of the DSA. I
> got early notice that a security update was going to be needed and
> expected that the timing had very good chance to conflict with the
> stable update. (Which it did.) I therefore did not actually upload the
> stable update. I only sent off-list notice about a delay (to Adam)
> because the security issue was embargoed.
> 
> As of now there are still three open exim issues with too little info
> but I still expect two more patches to exim and one for libspf. So I
> will wait a little bit more before proposing another stable-upload. - Is
> it alright to keep this bug open or should I close this one and reopen
> another one when I am ready?

Ok, let's have a replacement request when you have everything together, and
then it'll be off our radar in the meantime.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1053532: arctica-greeter 0.99.3.0-1+deb12u2 flagged for acceptance

2023-10-07 Thread Jonathan Wiltshire
package release.debian.org
tags 1053532 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: arctica-greeter
Version: 0.99.3.0-1+deb12u2

Explanation: 



Processed: arctica-greeter 0.99.3.0-1+deb12u2 flagged for acceptance

2023-10-07 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1053532 = bookworm pending
Bug #1053532 [release.debian.org] bookworm-pu: package arctica-greeter/0.99.3.0-1+deb12u2
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1053532: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053532
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1053641: transition: libavif

2023-10-07 Thread Boyuan Yang
Package: release.debian.org
Control: affects -1 + src:libavif
X-Debbugs-Cc: liba...@packages.debian.org ma...@debian.org
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: by...@debian.org
Severity: normal

I am looking at starting the transition for package libavif,
which comes with a SONAME bump
(libavif15, v0.11.1-3 (sid) -> libavif16, v1.0.1-1 (exp)).

I tried with the rebuild of all packages on the transition page:

Level 1:

* libavif (OK)

Level 2:

* jpeg-xl (Current version FTBFS unconditionally due to a different reason
in Testing/Sid; my NMU fix just accepted in Sid)
* libgd2 (OK)
* links2 (OK)
* qt-avif-image-plugin (OK)

Level 3:

* darktable (OK)
* kimageformats (OK)
* webkit2gtk (OK)
* wpewebkit (OK)


Do we need to wait till my NMU-ed jpeg-xl to migrate to Testing before
starting the libavif transition?

(jpeg-xl package maintainer added in the CC list.)

Ben file:

(The current autogenerated transition page
https://release.debian.org/transitions/html/auto-libavif.html can
be reused.)

title = "libavif";
is_affected = .depends ~ "libavif15" | .depends ~ "libavif16";
is_good = .depends ~ "libavif16";
is_bad = .depends ~ "libavif15";

Thanks,
Boyuan Yang


signature.asc
Description: This is a digitally signed message part
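The Ben file above is what the transition tracker evaluates against the archive's Packages indices to decide which binaries are still linked against libavif15. As an added illustration (not part of this bug report and not ben's own code), here is a small Python evaluator for the subset of Ben's expression language that file uses: `.field ~ "regex"` terms joined by `&` and `|`. It runs over a constructed Packages-style index: the package names come from the transition levels above, but the Depends lines are made up for the example. Two further points are assumptions of this example rather than documented ben behaviour: the regex is searched anywhere in the raw field value, and a package that satisfies both is_good and is_bad is reported as unknown.

```python
import re

# The Ben file quoted above, verbatim.
BEN_FILE = '''
title = "libavif";
is_affected = .depends ~ "libavif15" | .depends ~ "libavif16";
is_good = .depends ~ "libavif16";
is_bad = .depends ~ "libavif15";
'''

# Constructed deb822 stanzas standing in for a Packages index: the package
# names appear in the transition levels above, the Depends values are made
# up for this example.
SAMPLE_PACKAGES = """\
Package: libgd3
Depends: libavif16 (>= 1.0.0), libc6 (>= 2.34)

Package: links2
Depends: libavif15 (>= 0.11.1), libc6 (>= 2.34)

Package: mixed-example
Depends: libavif15, libavif16

Package: coreutils
Depends: libc6 (>= 2.34)
"""

def parse_stanzas(text):
    """Split deb822 text into dicts keyed by lower-cased field name."""
    stanzas, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip().lower()] = value.strip()
    return stanzas + ([cur] if cur else [])

def tokenize(expr):
    """Tokens of the Ben subset handled here: .field, "regex", ~, & and |.
    Whitespace and anything else is skipped."""
    pattern = r'\.([a-z0-9_-]+)|"((?:[^"\\]|\\.)*)"|([~&|])'
    return [("field", f) if f else ("op", op) if op else ("str", s)
            for f, s, op in re.findall(pattern, expr)]

def parse_ben_expr(expr):
    """Turn `.field ~ "re"` terms joined by & (binds tighter) and | into a
    predicate over a stanza dict, by recursive descent over the tokens."""
    toks = tokenize(expr)

    def term(i):
        (k1, field), tilde, (k3, regex) = toks[i:i + 3]
        if k1 != "field" or tilde != ("op", "~") or k3 != "str":
            raise ValueError(f"bad term at token {i}: {toks[i:i + 3]}")
        rx = re.compile(regex)
        # Assumption of this example: unanchored search over the raw field
        # value, so "libavif15" would also match a "libavif150" dependency.
        return (lambda s: rx.search(s.get(field, "")) is not None), i + 3

    def conj(i):
        pred, i = term(i)
        while i < len(toks) and toks[i] == ("op", "&"):
            rhs, i = term(i + 1)
            pred = (lambda l, r: lambda s: l(s) and r(s))(pred, rhs)
        return pred, i

    def disj(i):
        pred, i = conj(i)
        while i < len(toks) and toks[i] == ("op", "|"):
            rhs, i = conj(i + 1)
            pred = (lambda l, r: lambda s: l(s) or r(s))(pred, rhs)
        return pred, i

    pred, i = disj(0)
    if i != len(toks):
        raise ValueError(f"trailing tokens: {toks[i:]}")
    return pred

def parse_ben_file(text):
    """Return {'title': str, 'is_affected'/'is_good'/'is_bad': predicate}.
    Statements are split on ';', which is enough for this file's regexes."""
    rules = {}
    for stmt in filter(None, (s.strip() for s in text.split(";"))):
        name, _, expr = (p.strip() for p in stmt.partition("="))
        rules[name] = expr.strip('"') if name == "title" else parse_ben_expr(expr)
    return rules

def classify(rules, stanzas):
    """Bucket the affected packages: rebuilt against the new SONAME (good),
    still linked to the old one (bad), or neither/both (unknown)."""
    result = {"good": [], "bad": [], "unknown": []}
    for s in stanzas:
        if not rules["is_affected"](s):
            continue
        good, bad = rules["is_good"](s), rules["is_bad"](s)
        bucket = "good" if good and not bad else "bad" if bad and not good else "unknown"
        result[bucket].append(s["package"])
    return result
```

Running `classify(parse_ben_file(BEN_FILE), parse_stanzas(SAMPLE_PACKAGES))` puts libgd3 in "good", links2 in "bad" and mixed-example in "unknown", and leaves coreutils out because is_affected does not hold; the "bad" list is the set of binaries that still need a binNMU or sourceful upload before the old libavif15 can be removed.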


Processed: transition: libavif

2023-10-07 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:libavif
Bug #1053641 [release.debian.org] transition: libavif
Added indication that 1053641 affects src:libavif

-- 
1053641: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053641
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



NEW changes in stable-new

2023-10-07 Thread Debian FTP Masters
Processing changes file: chromium_117.0.5938.62-1~deb12u1_source.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.62-1~deb12u1_all-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.62-1~deb12u1_amd64-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.62-1~deb12u1_arm64-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.62-1~deb12u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.132-1~deb12u1_source.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.132-1~deb12u1_all-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.132-1~deb12u1_amd64-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.132-1~deb12u1_arm64-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.132-1~deb12u1_i386-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.132-1~deb12u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.149-1~deb12u1_source.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.149-1~deb12u1_all-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.149-1~deb12u1_amd64-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.149-1~deb12u1_arm64-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.149-1~deb12u1_armhf-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.149-1~deb12u1_i386-buildd.changes
  ACCEPT
Processing changes file: chromium_117.0.5938.149-1~deb12u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u2_sourceonly.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u2_all-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u2_amd64-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u2_arm64-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u2_armel-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u2_armhf-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u2_i386-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u2_mips64el-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u2_mipsel-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u2_ppc64el-buildd.changes
  ACCEPT
Processing changes file: exim4_4.96-15+deb12u2_s390x-buildd.changes
  ACCEPT
Processing changes file: firefox-esr_115.3.0esr-1~deb12u1_source.changes
  ACCEPT
Processing changes file: firefox-esr_115.3.0esr-1~deb12u1_all-buildd.changes
  ACCEPT
Processing changes file: firefox-esr_115.3.0esr-1~deb12u1_amd64-buildd.changes
  ACCEPT
Processing changes file: firefox-esr_115.3.0esr-1~deb12u1_arm64-buildd.changes
  ACCEPT
Processing changes file: firefox-esr_115.3.0esr-1~deb12u1_armhf-buildd.changes
  ACCEPT
Processing changes file: firefox-esr_115.3.0esr-1~deb12u1_i386-buildd.changes
  ACCEPT
Processing changes file: firefox-esr_115.3.0esr-1~deb12u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: firefox-esr_115.3.0esr-1~deb12u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: firefox-esr_115.3.0esr-1~deb12u1_s390x-buildd.changes
  ACCEPT
Processing changes file: glibc_2.36-9+deb12u3_source.changes
  ACCEPT
Processing changes file: glibc_2.36-9+deb12u3_all-buildd.changes
  ACCEPT
Processing changes file: glibc_2.36-9+deb12u3_amd64-buildd.changes
  ACCEPT
Processing changes file: glibc_2.36-9+deb12u3_arm64-buildd.changes
  ACCEPT
Processing changes file: glibc_2.36-9+deb12u3_armel-buildd.changes
  ACCEPT
Processing changes file: glibc_2.36-9+deb12u3_armhf-buildd.changes
  ACCEPT
Processing changes file: glibc_2.36-9+deb12u3_i386-buildd.changes
  ACCEPT
Processing changes file: glibc_2.36-9+deb12u3_mips64el-buildd.changes
  ACCEPT
Processing changes file: glibc_2.36-9+deb12u3_mipsel-buildd.changes
  ACCEPT
Processing changes file: glibc_2.36-9+deb12u3_ppc64el-buildd.changes
  ACCEPT
Processing changes file: glibc_2.36-9+deb12u3_s390x-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.12.0-1+deb12u2_sourceonly.changes
  ACCEPT
Processing changes file: libvpx_1.12.0-1+deb12u2_all-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.12.0-1+deb12u2_amd64-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.12.0-1+deb12u2_arm64-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.12.0-1+deb12u2_armel-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.12.0-1+deb12u2_armhf-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.12.0-1+deb12u2_i386-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.12.0-1+deb12u2_mips64el-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.12.0-1+deb12u2_mipsel-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.12.0-1+deb12u2_ppc64el-buildd.changes
  ACCEPT
Processing changes file: libvpx_1.12.0-1+deb12u2_s390x-buildd.changes
  ACCEPT
Processing changes file: mosquitto_2.0.11-1.2+deb12u1_source.changes
  ACCEPT

Planning for 12.3

2023-10-07 Thread Jonathan Wiltshire
Hi,

The next point release for bookworm should be around the end of November
2023. We're about a week behind cadence anyway, but I already know the 28th
November will be unsuitable (Cambridge mini-debconf) and the weekend
following is probably recovery time for a lot of people.

Much after that we get into holidays and well off cadence.

How about:
  4th December (better for cadence)
 11th December (more likely suitable in practice)

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



signature.asc
Description: PGP signature


Processed: openrefine 3.6.2-2+deb12u2 flagged for acceptance

2023-10-07 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1053461 = bookworm pending
Bug #1053461 [release.debian.org] bookworm-pu: package openrefine/3.6.2-2+deb12u2
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1053461: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053461
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: mrtg 2.17.10-5+deb12u2 flagged for acceptance

2023-10-07 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1053141 = bookworm pending
Bug #1053141 [release.debian.org] bookworm-pu: package mrtg/2.17.10-5+deb12u2
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1053141: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053141
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1053141: mrtg 2.17.10-5+deb12u2 flagged for acceptance

2023-10-07 Thread Jonathan Wiltshire
package release.debian.org
tags 1053141 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: mrtg
Version: 2.17.10-5+deb12u2

Explanation: handle moved configuration file in a policy-compliant way



Bug#1053461: openrefine 3.6.2-2+deb12u2 flagged for acceptance

2023-10-07 Thread Jonathan Wiltshire
package release.debian.org
tags 1053461 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: openrefine
Version: 3.6.2-2+deb12u2

Explanation: fix remote code execution vulnerability [CVE-2023-41887 CVE-2023-41886]



Re: Bug#1040901: Upcoming changes to Debian Linux kernel packages

2023-10-07 Thread Bastian Blank
Moin

On Sun, Sep 24, 2023 at 03:01:51PM +0200, Bastian Blank wrote:
> ## Kernel modules will be signed with an ephemeral key

This is now
https://salsa.debian.org/kernel-team/linux/-/merge_requests/607.

> ## Image packages contains more version info
> 
> Example: linux-image-6.5.3-cloud-arm64

> It will no longer be possible to reliably derive the package name from
> kernel release (see above), as both values are not really related
> anymore.

I missed that apt does something similar (maintainers cced).  It wants
to see if a particular package matches the current kernel to make the
autoremove prevention work.  That lookup is quite a hard problem.

What should work:  We define a new control field.  It contains both the
kernel name and a version prefix. 

Example:
- Linux 6.6 (would match 6.6-1, 6.6.1-1)
- Linux 6.6.3 (would match 6.6.3-1, but not 6.6.3+2-1)
- Linux 6.6.3+2

The algorithm would be something like this:
- Check $(uname -s) against the first word.  Otherwise completely
  ignore.
- Check if $(uname -r) matches the version prefix in this field.  Mark
  as keep if it matches.
- Aggregate packages by version prefix.
- Sort as version, keep newest two(?).

This means:
- Images and headers are always kept with the same versions.
- Different images (-arm64, -rt-arm64) are always kept together.

Counter proposal: Use the kernel release as debian version and match
on the upstream version.  But then we need to re-define what we put into
the kernel release field.  In 6.6.1-1-cloud-arm64, the upstream version
is 6.6.1-1-cloud, not 6.6.1 as we would need.  We could of course change
that to: 6.6.1-1~cloud+arm64.  That should always sort correctly in
regard of the package version.

> ## Header and tool packages will no longer contain version

This is obsolete with the counter proposal of a meta package that always
pulls in image and headers of the same version.

Regards,
Bastian

-- 
Without followers, evil cannot spread.
-- Spock, "And The Children Shall Lead", stardate 5029.5



Bug#1038451: marked as done (bullseye-pu: package systemd/247.3-7+deb11u4)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1038451,
regarding bullseye-pu: package systemd/247.3-7+deb11u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1038451: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038451
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-CC: pkg-systemd-maintainers at lists.alioth.debian.org

Dear release team,

I have uploaded one new bugfix for systemd in bullseye. It is a
backport of two upstream patches to fix a calendar spec calculation
hang on DST change when TZ=Europe/Dublin as reported by Bullseye users
at #1033540.

The source debdiff is attached.

-- 
Kind regards,
Luca Boccassi
diff -Nru systemd-247.3/debian/changelog systemd-247.3/debian/changelog
--- systemd-247.3/debian/changelog	2023-04-30 13:56:31.0 +0100
+++ systemd-247.3/debian/changelog	2023-06-18 15:55:54.0 +0100
@@ -1,3 +1,10 @@
+systemd (247.3-7+deb11u4) bullseye; urgency=medium
+
+  * backport patches to fix a calendar spec calculation hang on DST change
+if TZ=Europe/Dublin (Closes: #1033540)
+
+ -- Luca Boccassi   Sun, 18 Jun 2023 15:55:54 +0100
+
 systemd (247.3-7+deb11u3) bullseye; urgency=medium
 
   * udev: fix creating /dev/serial/by-id/ symlinks for USB devices.
diff -Nru systemd-247.3/debian/patches/series systemd-247.3/debian/patches/series
--- systemd-247.3/debian/patches/series	2023-04-30 13:51:17.0 +0100
+++ systemd-247.3/debian/patches/series	2023-06-18 15:55:16.0 +0100
@@ -37,6 +37,8 @@
 time-util-fix-buffer-over-run.patch
 machined-varlink-fix-double-free.patch
 Always-free-deserialized_subscribed-on-reload.patch
+shared-calendarspec-abort-calculation-after-1000-iteratio.patch
+shared-calendarspec-when-mktime-moves-us-backwards-jump-f.patch
 debian/Use-Debian-specific-config-files.patch
 debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch
 debian/Make-run-lock-tmpfs-an-API-fs.patch
diff -Nru systemd-247.3/debian/patches/shared-calendarspec-abort-calculation-after-1000-iteratio.patch systemd-247.3/debian/patches/shared-calendarspec-abort-calculation-after-1000-iteratio.patch
--- systemd-247.3/debian/patches/shared-calendarspec-abort-calculation-after-1000-iteratio.patch	1970-01-01 01:00:00.0 +0100
+++ systemd-247.3/debian/patches/shared-calendarspec-abort-calculation-after-1000-iteratio.patch	2023-06-18 15:55:16.0 +0100
@@ -0,0 +1,55 @@
+From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= 
+Date: Sun, 21 Mar 2021 20:59:32 +0100
+Subject: shared/calendarspec: abort calculation after 1000 iterations
+
+We have a bug where we seem to enter an infinite loop when running in the
+Europe/Dublin timezone. The timezone is "special" because it has negative SAVE
+values. The handling of this should obviously be fixed, but let's use a
+belt-and-suspenders approach, and gracefully fail if we fail to find an answer
+within a specific number of attempts. The code in this function is rather
+complex, and it's hard to rule out another bug in the future.
+
+(cherry picked from commit 169615c9a8cdc54d748d4dfc8279be9b3c2bec44)
+---
+ src/shared/calendarspec.c | 14 +-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/shared/calendarspec.c b/src/shared/calendarspec.c
+index 7162592..80acc57 100644
+--- a/src/shared/calendarspec.c
 b/src/shared/calendarspec.c
+@@ -1211,6 +1211,10 @@ static bool matches_weekday(int weekdays_bits, const struct tm *tm, bool utc) {
+ return (weekdays_bits & (1 << k));
+ }
+ 
++/* A safety valve: if we get stuck in the calculation, return an error.
++ * C.f. https://bugzilla.redhat.com/show_bug.cgi?id=1941335. */
++#define MAX_CALENDAR_ITERATIONS 1000
++
+ static int find_next(const CalendarSpec *spec, struct tm *tm, usec_t *usec) {
+ struct tm c;
+ int tm_usec;
+@@ -1224,7 +1228,7 @@ static int find_next(const CalendarSpec *spec, struct tm *tm, usec_t *usec) {
+ c = *tm;
+ tm_usec = *usec;
+ 
+-for (;;) {
++for (unsigned iteration = 0; iteration < MAX_CALENDAR_ITERATIONS; iteration++) {
+ /* Normalize the current date */
+ (void) mktime_or_timegm(, spec->utc);
+ c.tm_isdst = spec->dst;
+@@ -1321,6 +1325,14 @@ static int find_next(const 
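Review bot: capping the loop with `for (unsigned iteration = 0; iteration < MAX_CALENDAR_ITERATIONS; iteration++)` only turns the hang into a clean failure if the code after the loop returns an error instead of falling through and reporting success with whatever `c` holds at that point; that tail is in the second hunk, which is cut off here at `+@@ -1321,6 +1325,14 @@ static int find_next(`, so confirm in the full debdiff that it ends with a negative errno return and that the caller treats it as a permanent failure for that timer rather than re-running the same calculation. Since the cap is described as a safety valve and not as a fix for the negative-SAVE handling, a log line when the cap is hit would make the underlying bug visible on bullseye instead of silently skipping the timer.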

Bug#1035304: marked as done (bullseye-pu: package systemd/247.3-7+deb11u3)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1035304,
regarding bullseye-pu: package systemd/247.3-7+deb11u3
to be marked as done.



-- 
1035304: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035304
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: pkg-systemd-maintain...@lists.alioth.debian.org

Dear release team,

I have uploaded two new bugfixes for systemd in bullseye. One fixes a
regression introduced by a security fix in udev rules, that has been
reported by a bullseye user. The other fixes an old memory leak.

The source debdiff is attached.

Kind regards,
Luca Boccassi


debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam--- End Message ---


Bug#1053271: marked as done (bullseye-pu: package cpio/2.13+dfsg-7.1~deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1053271,
regarding bullseye-pu: package cpio/2.13+dfsg-7.1~deb11u1
to be marked as done.



-- 
1053271: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053271
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@security.debian.org, Anibal Monsalve Salazar 


This updates the cpio package in bullseye to the package
in bookworm/trixie/sid (same upstream version).

The first 3 post-bullseye uploads are CVE-2021-38185 plus
regression fixes for this change.

The 2.13+dfsg-7.1 changes are one documentation change and two
changes that look desirable (even though they alone might not have
warranted a stable update):
  * Suggest libarchive-dev (Closes: #662718).
  * d/copyright: Convert to machine-readable format.
  * Fix CRC with new ASCII format when file > 2GB (Closes: #962188).

There are no bugs in the BTS that any regressions have been caused
by any of these changes during the 1 year since they were uploaded
to bookworm/sid.
diffstat for cpio-2.13+dfsg cpio-2.13+dfsg

 changelog|   39 
 control  |2 
 copyright|   51 -
 patches/992045-CVE-2021-38185-rewrite-dynamic-string-support |  454 +++
 patches/992098-regression-of-orig-fix-for-CVE-2021-38185 |   36 
 patches/992192-Fix-dynamic-string-reallocations.patch|   80 +
 patches/Wrong-CRC-with-ASCII-CRC-for-large-files.patch   |   34 
 patches/series   |4 
 8 files changed, 685 insertions(+), 15 deletions(-)

diff -Nru cpio-2.13+dfsg/debian/changelog cpio-2.13+dfsg/debian/changelog
--- cpio-2.13+dfsg/debian/changelog 2020-09-17 14:16:18.0 +0300
+++ cpio-2.13+dfsg/debian/changelog 2023-09-30 15:18:55.0 +0300
@@ -1,3 +1,42 @@
+cpio (2.13+dfsg-7.1~deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for bullseye.
+
+ -- Adrian Bunk   Sat, 30 Sep 2023 15:18:55 +0300
+
+cpio (2.13+dfsg-7.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Suggest libarchive-dev (Closes: #662718).
+  * d/copyright: Convert to machine-readable format.
+  * Fix CRC with new ASCII format when file > 2GB (Closes: #962188).
+
+ -- Bastian Germann   Wed, 14 Sep 2022 21:45:55 +0200
+
+cpio (2.13+dfsg-7) unstable; urgency=medium
+
+  [ Salvatore Bonaccorso ]
+  * Fix dynamic string reallocations (Closes: #992192)
+
+ -- Anibal Monsalve Salazar   Sun, 22 Aug 2021 15:21:53 
+1000
+
+cpio (2.13+dfsg-6) unstable; urgency=high
+
+  * Fix regression of original fix for CVE-2021-38185
+Add patch 992098-regression-of-orig-fix-for-CVE-2021-38185 
+Closes: #992098
+
+ -- Anibal Monsalve Salazar   Fri, 13 Aug 2021 13:06:27 
+1000
+
+cpio (2.13+dfsg-5) unstable; urgency=medium
+
+  * Fix CVE-2021-38185
+Add patch 992045-CVE-2021-38185-rewrite-dynamic-string-support
+Closes: #992045
+
+ -- Anibal Monsalve Salazar   Wed, 11 Aug 2021 01:18:33 
+1000
+
 cpio (2.13+dfsg-4) unstable; urgency=medium
 
   * Source only upload to enable migration.
diff -Nru cpio-2.13+dfsg/debian/control cpio-2.13+dfsg/debian/control
--- cpio-2.13+dfsg/debian/control   2020-02-01 15:11:00.0 +0200
+++ cpio-2.13+dfsg/debian/control   2022-09-14 22:45:55.0 +0300
@@ -17,7 +17,7 @@
 Replaces: cpio-mt
 Conflicts: mt-st (<< 0.6), cpio-mt
 Multi-Arch: foreign
-Suggests: libarchive1
+Suggests: libarchive-dev
 Description: GNU cpio -- a program to manage archives of files
  GNU cpio is a tool for creating and extracting archives, or copying
  files from one place to another.  It handles a number of cpio formats
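Review bot: `Suggests: libarchive-dev` points an end-user tool at a development package, which is not something a cpio user would install to gain functionality, so confirm what #662718 actually asked for; if the bug was only that `libarchive1` no longer exists, dropping the Suggests or pointing at the runtime library or tool package would fit better than a -dev package in a stable update whose stated goal is to match the bookworm package.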
diff -Nru cpio-2.13+dfsg/debian/copyright cpio-2.13+dfsg/debian/copyright
--- cpio-2.13+dfsg/debian/copyright 2020-02-01 15:11:00.0 +0200
+++ cpio-2.13+dfsg/debian/copyright 2022-09-14 22:45:55.0 +0300
@@ -1,16 +1,39 @@
-This is the Debian GNU/Linux prepackaged version of GNU cpio
-(including mt).
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Comment:
+ This is the Debian GNU/Linux prepackaged version of GNU cpio
+ (including mt).
+ .
+ This 

Bug#1053270: marked as done (bullseye-pu: package curl/7.74.0-1.3+deb11u9)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1053270,
regarding bullseye-pu: package curl/7.74.0-1.3+deb11u9
to be marked as done.



-- 
1053270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053270
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: c...@packages.debian.org, charlesmel...@riseup.net
Control: affects -1 + src:curl

[ Reason ]
Vulnerabilities were discovered and reported to Curl upstream [1][2] with the
following CVE IDs:

- CVE-2023-28321
- CVE-2023-28322

The description of the CVE-2023-28321 is:

> An improper certificate validation vulnerability exists in curl
>  listed as "Subject Alternative Name" in TLS server certificates. curl
> can be built to use its own name matching function for TLS rather than
> one provided by a TLS library. This private wildcard matching function
> would match IDN (International Domain Name) hosts incorrectly and
> could as a result accept patterns that otherwise should mismatch. IDN
> hostnames are converted to puny code before used for certificate
> checks. Puny coded names always start with `xn--` and should not be
> allowed to pattern match, but the wildcard check in curl could still
> check for `x*`, which would match even though the IDN name most likely
> contained nothing even resembling an `x`.

And the description of the CVE-2023-28322 is:

> An information disclosure vulnerability exists in curl  doing HTTP(S) transfers, libcurl might erroneously use the read
> callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when
> the `CURLOPT_POSTFIELDS` option has been set, if the same handle
> previously was used to issue a `PUT` request which used that callback.
> This flaw may surprise the application and cause it to misbehave and
> either send off the wrong data or use memory after free or similar in
> the second transfer. The problem exists in the logic for a reused
> handle when it is (expected to be) changed from a PUT to a POST.

This proposed update is meant to fix those vulnerabilities.

[ Impact ]
As the vulnerabilities are present in bullseye's curl code, they can be
exploited by malicious actors.

[ Tests ]
Automatic tests were executed (from the curl test suite) during build
time. Everything passed after the changes were introduced.

I also conducted a test to see if the CVE-2023-28321 was fixed. In order
to do so, I've followed the report's reproduction steps [3] and tested in a
bullseye container. The default bullseye curl version is vulnerable, but
this new one is not. Unfortunately the PoC of CVE-2023-28322 was crafted
using a newer version of libcurl, so I wasn't able to validate the fix
of the backported patch.

Also, note the fix for CVE-2023-28321 comes from CentOS and is already
available there.

[ Risks ]
The changes weren't big because the delta between bullseye's version and
current upstream is not that large (true for CVE-2023-28322). Differences
do exist, though, so I backported the patch (obviously there is a
chance of introducing bugs here, but we are using the tests to spot them).

Also, the fix for CVE-2023-28321 is new code based on the fix applied in curl
8.1.0 done by a Red Hat engineer. So, new bugs could have been
introduced.

I reviewed this fix and samueloph reviewed everything (both fixes and
packaging).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Here is a list of the commits applied to this pu release:

commit a1190a634dcca9a85f8217c71b1073825885a16e
Author: Carlos Henrique Lima Melara 
Date:   Sun Sep 10 15:29:53 2023 +0530

Finalize changelog for 7.74.0-1.3+deb11u9 bullseye upload

commit 39155aa17df39693c2f21ef5dbb0ddf11568256f
Author: Carlos Henrique Lima Melara 
Date:   Fri Sep 8 19:00:25 2023 +0530

d/p/CVE-2023-28322.patch: backport patch

commit 156409a45db1c739edece8fd3b3d4d78d09c82ae
Author: Carlos Henrique Lima Melara 
Date:   Sun Aug 13 11:01:11 2023 -0300

Import 2 new patches fixing CVES

One comes from upstream and another from CentOS.

CVE-2023-28321
CVE-2023-28322

[ Other info ]
Links:

[1] 
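The wildcard-matching flaw described for CVE-2023-28321 above, shown as an added Python example; it is a reconstruction of the behaviour the advisory describes, not curl's hostcheck code. `hostmatch()` with `reject_idn_host=False` models a private matcher that only refuses a wildcard when the pattern starts with `xn--`, so `x*.example.com` still matches a punycode host; with `reject_idn_host=True` an `xn--` hostname label can only match exactly, which is the hardened behaviour. The hostnames are constructed, and `to_alabel()` uses Python's `idna` codec to produce the punycode form the text refers to.

```python
"""Certificate wildcard matching with the IDN check from CVE-2023-28321 (added example)."""
import ipaddress


def to_alabel(hostname: str) -> str:
    """Convert a Unicode hostname to the punycode (xn--) form used for certificate checks."""
    return hostname.encode("idna").decode("ascii")


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _labels(name: str):
    return name.lower().rstrip(".").split(".")


def hostmatch(hostname: str, pattern: str, reject_idn_host: bool = True) -> bool:
    """Match a SAN dNSName pattern against a hostname.

    reject_idn_host=False models the private matcher described in the
    advisory: a pattern starting with xn-- gets no wildcard, but the
    hostname itself is never checked, so 'x*.example.com' matches any
    punycode A-label. reject_idn_host=True is the hardened behaviour:
    an xn-- hostname label only ever matches exactly.
    """
    host, pat = _labels(hostname), _labels(pattern)
    if "*" not in pattern:
        return host == pat
    if _is_ip_literal(hostname):                 # never wildcard-match an IP literal
        return False
    wildcard_ok = (
        len(pat) >= 3                            # at least two labels after the wildcard
        and "*" not in ".".join(pat[1:])         # wildcard only in the leftmost label
        and not pat[0].startswith("xn--")        # pattern side of the IDN rule
        and not (reject_idn_host and host[0].startswith("xn--"))   # hostname side
    )
    if not wildcard_ok:
        return host == pat                       # fall back to an exact comparison
    if len(host) != len(pat) or host[1:] != pat[1:]:
        return False                             # wildcard never spans a dot
    prefix, _, suffix = pat[0].partition("*")
    first = host[0]
    return (len(first) > len(prefix) + len(suffix)    # wildcard covers >= 1 character
            and first.startswith(prefix) and first.endswith(suffix))
```

The exact-match path is untouched by the hardening: an IDN host still matches a certificate that names the same `xn--` label, which is what a correctly issued certificate for that host contains.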

Bug#1053290: marked as done (bullseye-pu: package amd64-microcode/3.20230808.1.1~deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1053290,
regarding bullseye-pu: package amd64-microcode/3.20230808.1.1~deb11u1
to be marked as done.



-- 
1053290: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053290
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]

As requested by the security team, I would like to bring the microcode
update level for AMD64 processors in Bullseye and Bookworm to match what
we have in Sid and Trixie.  This is the bug report for Bullseye, a
separate one will be filed for Bookworm.

This fixes:
CVE-2023-20569 "AMD Inception" on AMD Zen4 processors

There are no relevant issues reported on this microcode update,
considering the version of amd64-microcode already available as security
updates for bookworm and bullseye.

[ Impact ]

If this update is not approved, owners of some Zen4 processors will
depend on UEFI updates to be protected against CVE-2023-20569.

[ Tests ]

There were no bug reports from users of Debian sid or Trixie, these
packages have been tested there since 2023-08-10 (sid), 2023-08-12
(trixie).

[ Risks ]

Unknown, but not believed to be any different from other AMD microcode
updates.

Linux kernel updates related to these microcode update fixes are already
available in Bookworm and Bullseye.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

As per the debdiff, only documentation changes, package documentation
changes, and the binary blob change from upstream.

Diffstat:
 README |   15 +
 amd-ucode/README   |   13 +++
 amd-ucode/microcode_amd_fam19h.bin |binary
 amd-ucode/microcode_amd_fam19h.bin.asc |   16 ++---
 debian/NEWS|   15 +
 debian/changelog   |   38 +
 6 files changed, 89 insertions(+), 8 deletions(-)

[ Other info ]

The package version with "~" is needed to guarantee smooth updates to
the next debian release.

-- 
  Henrique Holschuh
diff --git a/README b/README
index cd7c30b..798d2e7 100644
--- a/README
+++ b/README
@@ -8,6 +8,21 @@ the newest of either amd-ucode or amd-sev.
 
 latest commits in this release:
 
+commit f2eb058afc57348cde66852272d6bf11da1eef8f
+Author: John Allen 
+Date:   Tue Aug 8 19:02:39 2023 +
+
+linux-firmware: Update AMD cpu microcode
+
+* Update AMD cpu microcode for processor family 19h
+
+Key Name= AMD Microcode Signing Key (for signing microcode container files only)
+Key ID  = F328AE73
+Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+
+Signed-off-by: John Allen 
+Signed-off-by: Josh Boyer 
+
 commit 0bc3126c9cfa0b8c761483215c25382f831a7c6f
 Author: John Allen 
 Date:   Wed Jul 19 19:17:57 2023 +
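Review bot: the blob change to `amd-ucode/microcode_amd_fam19h.bin` is not reviewable as a diff, so the review has to rest on `amd-ucode/microcode_amd_fam19h.bin.asc`, which the diffstat shows also changed; this README hunk records the signer as `Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73` (AMD Microcode Signing Key), so verify the new .asc against exactly that key and the new .bin before accepting, and note in the request that this was done, since the prose only cites the absence of bug reports from sid and trixie.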
diff --git a/amd-ucode/README b/amd-ucode/README
index 1d39da3..fac1152 100644
--- a/amd-ucode/README
+++ b/amd-ucode/README
@@ -37,6 +37,19 @@ Microcode patches in microcode_amd_fam17h.bin:
   Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126e Length=3200 bytes
 
 Microcode patches in microcode_amd_fam19h.bin:
+  Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e Length=5568 bytes
+  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d1 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a001079 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001234 Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 Length=5568 bytes
+
+NOTE: For Genoa (Family=0x19 Model=0x11) and Bergamo (Family=0x19 Model=0xa0),
+either AGESA version >= 1.0.0.8 OR a kernel with the following commit is
+required:
+a32b0f0db3f3 ("x86/microcode/AMD: Load late on both threads too")
+
+When late loading the patches for Genoa or Bergamo, there may be one spurious
+NMI observed per physical core. These NMIs are benign and don't cause any
+functional issue 
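Review bot: the new paragraph about Genoa (Model=0x11) and Bergamo (Model=0xa0) makes late loading conditional on AGESA >= 1.0.0.8 or on kernel commit a32b0f0db3f3 ("x86/microcode/AMD: Load late on both threads too") and warns of one spurious NMI per physical core; this lives in the upstream README that few bullseye users read, while debian/NEWS is also touched by this update per the diffstat. Put the same caveat in debian/NEWS and state in the request whether the bullseye kernel carries that commit, because "related kernel updates are already available" does not say so.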

Bug#1053522: marked as done (bullseye-pu: cups/2.3.3op2-3+deb11u6)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1053522,
regarding bullseye-pu: cups/2.3.3op2-3+deb11u6
to be marked as done.



-- 
1053522: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053522
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


After uploading the fix for CVE-2023-4504 and CVE-2023-32360 to Buster I
got some complaints:
 - the mentioned filename of the cupsd configuration contained a typo
   and several users were unsure what to do now ...
 - ... especially as the contents of debian/NEWS was also shown on
   computers where only cups client was installed.

So this upload fixes the typo and removes debian/NEWS again, so that the
text is only shown when cups-daemon will be updated.

I know it is rather late for this, but maybe this makes things easier for
our users.

  Thorsten
diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog
--- cups-2.3.3op2/debian/changelog  2023-09-29 21:20:27.0 +0200
+++ cups-2.3.3op2/debian/changelog  2023-10-05 16:35:27.0 +0200
@@ -1,3 +1,11 @@
+cups (2.3.3op2-3+deb11u6) bullseye; urgency=medium
+
+  * remove debian/NEWS again to avoid too much information when only
+the client part is installed
+  * fix typo in config filename
+
+ -- Thorsten Alteholz   Thu, 05 Oct 2023 16:35:27 +0200
+
 cups (2.3.3op2-3+deb11u5) bullseye; urgency=medium
 
   * move debian/NEWS.Debian to debian/NEWS
diff -Nru cups-2.3.3op2/debian/cups-daemon.NEWS 
cups-2.3.3op2/debian/cups-daemon.NEWS
--- cups-2.3.3op2/debian/cups-daemon.NEWS   2023-09-29 21:20:27.0 
+0200
+++ cups-2.3.3op2/debian/cups-daemon.NEWS   2023-10-05 16:35:27.0 
+0200
@@ -4,7 +4,7 @@
   unauthorized users to fetch documents over local or remote networks.
   Since this is a configuration fix, it might be that it does not reach you if 
you
   are updating 'cups-daemon' (rather than doing a fresh installation).
-  Please double check your /etc/cups/cupds.conf file, whether it limits the 
access
+  Please double check your /etc/cups/cupsd.conf file, whether it limits the 
access
   to CUPS-Get-Document with something like the following
   >  
   >AuthType Default
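Review bot: as rendered here the snippet administrators are told to compare against reads `>  `, `>AuthType Default`, `>Require user @OWNER @SYSTEM`, `>Order deny,allow`, `>   `, so the section those directives live in is not visible and a reader only learns it from the sentence naming CUPS-Get-Document; name it in the prose as well (the `<Limit CUPS-Get-Document>` block inside `<Policy default>`), and add that cupsd has to be restarted after the conffile is edited. Fixing only the `cupds.conf` typo leaves the rest of the instruction as hard to follow as it was in deb11u5.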
diff -Nru cups-2.3.3op2/debian/NEWS cups-2.3.3op2/debian/NEWS
--- cups-2.3.3op2/debian/NEWS   2023-09-29 21:20:27.0 +0200
+++ cups-2.3.3op2/debian/NEWS   1970-01-01 01:00:00.0 +0100
@@ -1,16 +0,0 @@
-cups (2.3.3op2-3+deb11u5) bullseye; urgency=medium
-
-  This release addresses a security issue (CVE-2023-32360) which allows
-  unauthorized users to fetch documents over local or remote networks.
-  Since this is a configuration fix, it might be that it does not reach you if 
you
-  are updating 'cups-daemon' (rather than doing a fresh installation).
-  Please double check your /etc/cups/cupds.conf file, whether it limits the 
access
-  to CUPS-Get-Document with something like the following
-  >  
-  >AuthType Default
-  >Require user @OWNER @SYSTEM
-  >Order deny,allow
-  >   
-  (The important line is the 'AuthType Default' in this section)
-
- -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam--- End Message ---
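The check the cups NEWS entry above asks administrators to do by hand, written out as an added Python example; it is not part of the cups package. It parses the `<Policy>` and `<Limit>` sections of a cupsd.conf and reports whether the block cupsd would apply to CUPS-Get-Document carries an AuthType. The two configuration excerpts are constructed; the second carries the block quoted in the NEWS text. The fallback to `<Limit All>` reflects how cupsd resolves an operation that has no explicit Limit, which is the situation of an upgraded system that kept its old cupsd.conf.

```python
"""Check that cupsd.conf restricts CUPS-Get-Document (added example, not cups code)."""
import re
import sys

# Constructed excerpts of the <Policy default> section. Only the second one
# carries the <Limit CUPS-Get-Document> block the NEWS entry asks users to look for.
VULNERABLE_CONF = """\
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""

FIXED_CONF = """\
<Policy default>
  <Limit CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""


def parse_policies(conf_text: str) -> dict:
    """{policy name: {(operations...): [directive lines]}} for every <Policy> section."""
    policies, policy, limit = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        if (m := re.match(r"<Policy\s+(\S+)>$", line, re.I)):
            policy = policies.setdefault(m.group(1).lower(), {})
        elif re.match(r"</Policy>$", line, re.I):
            policy, limit = None, None
        elif (m := re.match(r"<Limit\s+([^>]+)>$", line, re.I)) and policy is not None:
            limit = policy.setdefault(tuple(op.lower() for op in m.group(1).split()), [])
        elif re.match(r"</Limit>$", line, re.I):
            limit = None
        elif limit is not None:
            limit.append(line)
    return policies


def limit_for(policy: dict, operation: str):
    """The <Limit> block cupsd applies to an operation: an explicit one, else <Limit All>."""
    operation = operation.lower()
    for ops, directives in policy.items():
        if operation in ops:
            return ops, directives
    for ops, directives in policy.items():
        if "all" in ops:
            return ops, directives
    return None, []


def check_get_document(conf_text: str, policy_name: str = "default"):
    """(ok, explanation): ok is True only if CUPS-Get-Document requires authentication."""
    policies = parse_policies(conf_text)
    if policy_name not in policies:
        return False, f"no <Policy {policy_name}> section found"
    ops, directives = limit_for(policies[policy_name], "CUPS-Get-Document")
    if ops is None:
        return False, "no <Limit> block covers CUPS-Get-Document"
    auth = [d.split(None, 1)[1].strip().lower() for d in directives
            if d.lower().startswith("authtype ") and len(d.split(None, 1)) == 2]
    label = f"<Limit {' '.join(ops)}>"
    if auth and auth[-1] != "none":
        return True, f"CUPS-Get-Document requires AuthType {auth[-1]} via {label}"
    return False, f"{label} covers CUPS-Get-Document without an AuthType: fix per NEWS"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/cups/cupsd.conf"
    with open(path, encoding="utf-8") as fh:
        ok, why = check_get_document(fh.read())
    print(("OK: " if ok else "VULNERABLE: ") + why)
    sys.exit(0 if ok else 1)
```

Run against a live system with `python3 check_cups.py /etc/cups/cupsd.conf`; a non-zero exit means the CVE-2023-32360 configuration fix never reached the conffile.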


Bug#1053220: marked as done (bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u5)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1053220,
regarding bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u5
to be marked as done.



-- 
1053220: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053220
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
 - an open redirection due to incorrect escape handling
 - an open redirection only when configuration is edited by hand and
   doesn't follow OIDC specifications
 - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
   A little-know feature of OIDC allows the OpenID Provider to fetch the
   Authorization request parameters itself by indicating a request_uri
   parameter. This feature is now restricted to a white list using this
   patch

[ Impact ]
Two low and one medium security issue.

[ Tests ]
Patches includes test updates

[ Risks ]
Outside of test changes, patches are not so big and the test coverage
provided by upstream is good, so risk is moderate.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
- open redirection patch: use `URI->new($url)->as_string` in each
  redirection
- OIDC open redirection patch: just rejects requests with `redirect_uri` if
  relying party configuration has no declared redirect URIs.
- SSRF patch:
  * add new configuration parameter to list authorized "request_uris"
  * change the algorithm that manages the request_uri parameter

Cheers,
Yadd
diff --git a/debian/NEWS b/debian/NEWS
index c4d7ee951..ba4a14a12 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium
+
+  A little-know feature of OIDC allows the OpenID Provider to fetch the
+  Authorization request parameters itself by indicating a request_uri
+  parameter.
+  By default, this feature is now restricted to a white list. See
+  Relying-Party security option to fill this field.
+
+ -- Yadd   Fri, 29 Sep 2023 17:38:51 +0400
+
 lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium
 
   AuthBasic now enforces 2FA activation (CVE-2023-28862):
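Review bot: the NEWS text says "See Relying-Party security option to fill this field" without naming the option; since the default is now a whitelist, every relying party that used request_uri stops working after the upgrade until that list is filled, so name the configuration parameter as it appears in the manager, state that an empty list rejects every request_uri, and cite CVE-2023-44469 here as the changelog entry does. Also "little-know" should be "little-known".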
diff --git a/debian/changelog b/debian/changelog
index 5d2c62ac0..35d5599a4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium
+
+  * Fix open redirection when OIDC RP has no redirect uris
+  * Fix open redirection due to incorrect escape handling
+  * Fix Server-Side-Request-Forgery issue in OIDC (CVE-2023-44469)
+
+ -- Yadd   Fri, 29 Sep 2023 16:35:14 +0400
+
 lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium
 
   * Fix 2FA issue when using AuthBasic handler (CVE-2023-28862)
@@ -19,7 +27,7 @@ lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium
 
 lemonldap-ng (2.0.11+ds-4+deb11u1) bullseye; urgency=medium
 
-  * Fix auth process in password-testing plugins (Closes: CVE-2021-20874)
+  * Fix auth process in password-testing plugins (Closes: #1005302, 
CVE-2021-40874)
 
  -- Yadd   Thu, 24 Feb 2022 15:16:09 +0100
 
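Review bot: rewriting the already released deb11u1 entry from `CVE-2021-20874` to `CVE-2021-40874` and adding `Closes: #1005302` to it changes history rather than recording it; dpkg-genchanges only emits Closes for entries newer than the version given with -v, so #1005302 will not be closed by this upload unless -v reaches back past deb11u1. Record the correction in the deb11u5 entry instead (e.g. "Correct CVE id in the deb11u1 changelog entry: CVE-2021-40874, Closes: #1005302") and leave the old entry as shipped.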
diff --git a/debian/clean b/debian/clean
index 73f167814..cdb4a5ae4 100644
--- a/debian/clean
+++ b/debian/clean
@@ -1,3 +1,4 @@
+doc/pages/documentation/current/.buildinfo
 lemonldap-ng-manager/site/htdocs/static/js/conftree.js
 lemonldap-ng-manager/site/htdocs/static/struct.json
 lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
diff --git a/debian/patches/SSRF-issue.patch b/debian/patches/SSRF-issue.patch
new file mode 100644
index 0..dce756430
--- /dev/null
+++ b/debian/patches/SSRF-issue.patch
@@ -0,0 +1,627 @@
+Description: fix SSRF vulnerability
+ Issue described here: 
https://security.lauritz-holtmann.de/post/sso-security-ssrf/
+Author: Maxime Besson 
+Origin: upstream, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998
+Forwarded: not-needed
+Applied-Upstream: 2.17.1, 

Bug#1053240: marked as done (bullseye-pu: package ghostscript/9.53.3~dfsg-7+deb11u6)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1053240,
regarding bullseye-pu: package ghostscript/9.53.3~dfsg-7+deb11u6
to be marked as done.



-- 
1053240: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053240
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ghostscr...@packages.debian.org, car...@debian.org
Control: affects -1 + src:ghostscript

Hi stable release managers,

[ Reason ]
Fix two CVEs which we did mark no-dsa (though one might after more
thinking be a candidate). Fix CVE-2023-38559 and CVE-2023-43115.

[ Impact ]
CVE-2023-38559 and CVE-2023-43115 would remain open so far.

[ Tests ]
Performed manual test for CVE-2023-43115.

[ Risks ]
Should be low, following the upstream commits to resolve the issues
which are very targeted.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Apply upstream fixes to address the CVEs. Adjust checks on input and
for the second issue, prevent PostScript programs switching to the IJS
device after SAFER has been activated (and prevent changes to the
IjsServer parameter after SAFER has been activated).

[ Other info ]
None.

Regards,
Salvatore
diff -Nru ghostscript-9.53.3~dfsg/debian/changelog 
ghostscript-9.53.3~dfsg/debian/changelog
--- ghostscript-9.53.3~dfsg/debian/changelog2023-07-02 11:54:08.0 
+0200
+++ ghostscript-9.53.3~dfsg/debian/changelog2023-09-29 14:24:57.0 
+0200
@@ -1,3 +1,12 @@
+ghostscript (9.53.3~dfsg-7+deb11u6) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Copy pcx buffer overrun fix from devices/gdevpcx.c (CVE-2023-38559)
+(Closes: #1043033)
+  * IJS device - try and secure the IJS server startup (CVE-2023-43115)
+
+ -- Salvatore Bonaccorso   Fri, 29 Sep 2023 14:24:57 +0200
+
 ghostscript (9.53.3~dfsg-7+deb11u5) bullseye-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru ghostscript-9.53.3~dfsg/debian/patches/020230717~d81b82c.patch 
ghostscript-9.53.3~dfsg/debian/patches/020230717~d81b82c.patch
--- ghostscript-9.53.3~dfsg/debian/patches/020230717~d81b82c.patch  
1970-01-01 01:00:00.0 +0100
+++ ghostscript-9.53.3~dfsg/debian/patches/020230717~d81b82c.patch  
2023-09-29 14:24:57.0 +0200
@@ -0,0 +1,28 @@
+From: Chris Liddell 
+Date: Mon, 17 Jul 2023 14:06:37 +0100
+Subject: Bug 706897: Copy pcx buffer overrun fix from devices/gdevpcx.c
+Origin: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f
+Bug-Debian: https://bugs.debian.org/1043033
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-38559
+
+Bounds check the buffer, before dereferencing the pointer.
+---
+ base/gdevdevn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/gdevdevn.c b/base/gdevdevn.c
+index 7b14d9c712b4..6351fb77ac75 100644
+--- a/base/gdevdevn.c
 b/base/gdevdevn.c
+@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, 
int step, gp_file * file
+ byte data = *from;
+ 
+ from += step;
+-if (data != *from || from == end) {
++if (from >= end || data != *from) {
+ if (data >= 0xc0)
+ gp_fputc(0xc1, file);
+ } else {
+-- 
+2.40.1
+
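Review bot: The reordered test `if (from >= end || data != *from)` is correct, and the order is the fix: `||` short-circuits, so `*from` is no longer read once `from` has reached `end`, whereas the old `data != *from || from == end` dereferenced first and tested second. Changing `==` to `>=` also matters for `step > 1`, where `from += step` can land beyond `end` without ever being equal to it. The hunk's trailing context stops at `} else {`, so the run-scanning branch that follows is not visible here; since the patch touches only this one line (1 insertion, 1 deletion), it is worth confirming against the upstream file that the inner loop has its own `from < end` guard before its `*from` read.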
diff -Nru ghostscript-9.53.3~dfsg/debian/patches/020230824~8b0f200.patch 
ghostscript-9.53.3~dfsg/debian/patches/020230824~8b0f200.patch
--- ghostscript-9.53.3~dfsg/debian/patches/020230824~8b0f200.patch  
1970-01-01 01:00:00.0 +0100
+++ ghostscript-9.53.3~dfsg/debian/patches/020230824~8b0f200.patch  
2023-09-29 14:24:57.0 +0200
@@ -0,0 +1,53 @@
+From: Ken Sharp 
+Date: Thu, 24 Aug 2023 15:24:35 +0100
+Subject: IJS device - try and secure the IJS server startup
+Origin: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-43115
+
+Bug #707051 ""ijs" device can execute arbitrary commands"
+
+The problem is that the 'IJS' device needs to start the IJS server, and
+that is indeed an 

Bug#1052611: marked as done (bullseye-pu: package roundcube/1.4.14+dfsg.1-1~deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1052611,
regarding bullseye-pu: package roundcube/1.4.14+dfsg.1-1~deb11u1
to be marked as done.


-- 
1052611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052611
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: roundc...@packages.debian.org
Control: affects -1 + src:roundcube

[ Reason ]

roundcube 1.4.13+dfsg.1-1~deb11u1 is vulnerable to CVE-2023-43770:
cross-site scripting (XSS) vulnerability in handling of linkrefs in
plain text messages.

The Security Team decided not to issue a DSA for that CVE, but it's now
fixed in buster-security (1.3.17+dfsg.1-1~deb10u3) as well as
testing/sid (1.6.3+dfsg-1), so it makes sense to fix it via (o)s-pu
too.

[ Impact ]

Roundcube users will remain vulnerable to the XSS issue.  For users
upgrading from buster-security to bullseye, that would be a security
regression.

[ Tests ]

The XSS fix is covered by automated tests (phpunit) at build time, and I
also manually tested the fix.

[ Risks ]

I believe the regression risk is very low, given the diff is fairly
simple, and this is not a backport but an official upstream release from
the LTS branch.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]

  * New security/bugfix upstream release:
+ Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling
  of linkrefs in plain text messages. (Closes: #1052059)
+ Enigma: Fix initial synchronization of private keys.
  * d/u/signing-key.asc: Add Alec's key BEE674A019359DC1.
  * Refresh d/patches.

[ Other info ]

bullseye(-security) has been following the upstream 1.4 branch, so I
propose to upload 1.4.14+dfsg.1-1~deb11u1 rather than cherry-pick the
CVE-2023-43770 fix on top of 1.4.13+dfsg.1-1~deb11u1.

-- 
Guilhem.
diffstat for roundcube-1.4.13+dfsg.1 roundcube-1.4.14+dfsg.1

 CHANGELOG   |8 
 composer.json-dist  |5 
 debian/changelog|   11 
 debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch|4 
 debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch |8 
 debian/patches/fix-install-path.patch   |4 
 debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch |2 
 debian/patches/update-composer.patch|9 
 debian/patches/update-script.patch  |2 
 debian/upstream/signing-key.asc |  199 
+++---
 index.php   |2 
 installer/index.php |2 
 plugins/enigma/lib/enigma_driver_gnupg.php  |7 
 program/include/iniset.php  |2 
 program/lib/Roundcube/bootstrap.php |2 
 program/lib/Roundcube/rcube_string_replacer.php |4 
 public_html/index.php   |2 
 public_html/plugins/enigma/lib/enigma_driver_gnupg.php  |7 
 tests/Framework/StringReplacer.php  |   12 
 tests/Framework/Text2Html.php   |   17 
 20 files changed, 223 insertions(+), 86 deletions(-)

diff -Nru roundcube-1.4.13+dfsg.1/CHANGELOG roundcube-1.4.14+dfsg.1/CHANGELOG
--- roundcube-1.4.13+dfsg.1/CHANGELOG   2021-12-29 23:45:05.0 +0100
+++ roundcube-1.4.14+dfsg.1/CHANGELOG   2023-09-16 22:01:19.0 +0200
@@ -1,5 +1,9 @@
-CHANGELOG Roundcube Webmail
-===
+# Changelog Roundcube Webmail
+
+RELEASE 1.4.14
+--
+- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in 
plain text messages
+- Enigma: Fix initial synchronization of private keys
 
 RELEASE 1.4.13
 

Bug#1052552: marked as done (bullseye-pu: package libapache-mod-jk/1:1.2.48-1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1052552,
regarding bullseye-pu: package libapache-mod-jk/1:1.2.48-1
to be marked as done.


-- 
1052552: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052552
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org


[ Reason ]

Fixing CVE-2023-41081 in Bullseye.
Unintended exposure of the status worker and/or bypass security constraints
configured in httpd by using implicit mapping.

[ Tests ]

Implicit mapping no longer works with this update and users must
explicitly configure it. Otherwise an error message is logged now
which means the update works as intended.

[ Risks ]

Users who unintentionally relied on the implicit mapping functionality
will have to update their configuration but this is intended and
needed to avoid the bypass of other security constraints.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards,

Markus
diff -Nru libapache-mod-jk-1.2.48/debian/changelog 
libapache-mod-jk-1.2.48/debian/changelog
--- libapache-mod-jk-1.2.48/debian/changelog2020-06-04 21:42:29.0 
+0200
+++ libapache-mod-jk-1.2.48/debian/changelog2023-09-24 17:09:51.0 
+0200
@@ -1,3 +1,20 @@
+libapache-mod-jk (1:1.2.48-1+deb11u1) bullseye; urgency=high
+
+  * Fix CVE-2023-41081:
+The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to
+forward requests from Apache to Tomcat, in some circumstances, such as when
+a configuration included "JkOptions +ForwardDirectories" but the
+configuration did not provide explicit mounts for all possible proxied
+requests, mod_jk would use an implicit mapping and map the request to the
+first defined worker. Such an implicit mapping could result in the
+unintended exposure of the status worker and/or bypass security constraints
+configured in httpd. As of this security update, the implicit mapping
+functionality has been removed and all mappings must now be via explicit
+configuration. This issue affects Apache Tomcat Connectors (mod_jk only).
+(Closes: #1051956)
+
+ -- Markus Koschany   Sun, 24 Sep 2023 17:09:51 +0200
+
 libapache-mod-jk (1:1.2.48-1) unstable; urgency=medium
 
   * New upstream version 1.2.48.
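Review bot: This changelog entry describes a deliberate behaviour change (implicit mapping removed, explicit mounts now mandatory), but the visible debdiff adds no debian/NEWS entry. A stable update that turns previously working single-worker setups into logged errors should ship a NEWS.Debian note telling administrators to add explicit JkMount configuration, so apt-listchanges surfaces it at upgrade time instead of leaving discovery to the Apache error log.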
diff -Nru libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 
libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch
--- libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 1970-01-01 
01:00:00.0 +0100
+++ libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 2023-09-24 
17:09:51.0 +0200
@@ -0,0 +1,47 @@
+From: Markus Koschany 
+Date: Sun, 24 Sep 2023 16:39:43 +0200
+Subject: CVE-2023-41081
+
+Bug-Debian: https://bugs.debian.org/1051956
+Origin: 
https://github.com/apache/tomcat-connectors/commit/0095b6cb84f41313ee4c0364b49c766168790792
+---
+ native/apache-2.0/mod_jk.c | 19 ---
+ 1 file changed, 19 deletions(-)
+
+diff --git a/native/apache-2.0/mod_jk.c b/native/apache-2.0/mod_jk.c
+index b755116..d9345d7 100644
+--- a/native/apache-2.0/mod_jk.c
 b/native/apache-2.0/mod_jk.c
+@@ -2767,17 +2767,6 @@ static int jk_handler(request_rec * r)
+ rconf->rule_extensions = e;
+ }
+ }
+-else if (worker_env.num_of_workers == 1) {
+-  /** We have a single worker ( the common case ).
+-  ( lb is a bit special, it should count as a single worker but
+-  I'm not sure how ). We also have a manual config directive that
+-  explicitly give control to us. */
+-worker_name = worker_env.worker_list[0];
+-if (JK_IS_DEBUG_LEVEL(xconf->log))
+-jk_log(xconf->log, JK_LOG_DEBUG,
+-   "Single worker (%s) configuration for %s",
+-   worker_name, r->uri);
+-}
+ else {
+ if (!xconf->uw_map) {
+ if (JK_IS_DEBUG_LEVEL(xconf->log))
+@@ -2804,14 +2793,6 @@ static int jk_handler(request_rec * r)
+ r->uri = clean_uri;
+ }
+ 
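Review bot: Removing the `num_of_workers == 1` branch means a request that matched no explicit mount now falls into the `else` branch, whose handling of a missing `xconf->uw_map` starts at the bottom of the first hunk, instead of being silently routed to `worker_list[0]`; that matches the CVE text. The second hunk (`@@ -2804,14 +2793,6 @@`) is cut off in this copy, so the eight lines it removes cannot be reviewed here; the diffstat (`19 deletions(-)`, no insertions) is at least consistent with a pure removal as in the upstream commit named in the `Origin:` field.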

Bug#1052363: marked as done (bullseye-pu: cups/2.3.3op2-3+deb11u4)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1052363,
regarding bullseye-pu: cups/2.3.3op2-3+deb11u4
to be marked as done.


-- 
1052363: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052363
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for cups fixes CVE-2023-4504 and CVE-2023-32360 in 
Bullseye. These CVEs have been marked as no-dsa by the security team, but 
at least CVE-2023-32360 got an RC bug (#1051953).


  Thorsten

PS: There already is 2.3.3op2-3+deb11u3 in P-U
diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog
--- cups-2.3.3op2/debian/changelog  2023-06-24 10:54:05.0 +0200
+++ cups-2.3.3op2/debian/changelog  2023-09-19 21:20:27.0 +0200
@@ -1,3 +1,12 @@
+cups (2.3.3op2-3+deb11u4) bullseye; urgency=medium
+
+  * CVE-2023-4504
+Postscript parsing heap-based buffer overflow
+  * CVE-2023-32360 (Closes: #1051953)
+authentication issue
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
+
 cups (2.3.3op2-3+deb11u3) bullseye; urgency=medium
 
   * CVE-2023-34241 (Closes: #1038885)
diff -Nru cups-2.3.3op2/debian/cups-daemon.NEWS 
cups-2.3.3op2/debian/cups-daemon.NEWS
--- cups-2.3.3op2/debian/cups-daemon.NEWS   2023-06-22 23:22:40.0 
+0200
+++ cups-2.3.3op2/debian/cups-daemon.NEWS   2023-09-19 21:20:27.0 
+0200
@@ -1,3 +1,11 @@
+cups (2.4.2-6) unstable; urgency=low
+
+  In case this is not a fresh installation of cups, please double check
+  whether your cupsd.conf really does contain the limitiation for
+  "CUPS-Get-Document" (see patch 0019-CVE-2023-32360.patch)
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
+
 cups (2.1.4-3) unstable; urgency=low
 
   The default ErrorPolicy is changed from 'stop-printer' to 'retry-job',
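Review bot: The new NEWS entry is headed `cups (2.4.2-6) unstable; urgency=low`, but this upload is `2.3.3op2-3+deb11u4` for bullseye (see the changelog hunk above); a version that never existed in this package's history misleads bullseye users and anyone comparing NEWS against the changelog, so it should be the deb11u4 version and suite. Also `limitiation` should read `limitation`, and the entry would help more if it quoted the exact `CUPS-Get-Document` stanza admins are expected to find rather than pointing at a patch file name that is not installed on their systems.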
diff -Nru cups-2.3.3op2/debian/NEWS.Debian cups-2.3.3op2/debian/NEWS.Debian
--- cups-2.3.3op2/debian/NEWS.Debian1970-01-01 01:00:00.0 +0100
+++ cups-2.3.3op2/debian/NEWS.Debian2023-09-19 21:20:27.0 +0200
@@ -0,0 +1,7 @@
+cups (2.4.2-6) unstable; urgency=low
+
+  In case this is not a fresh installation of cups, please double check
+  whether your cupsd.conf really does contain the limitiation for
+  "CUPS-Get-Document" (see patch 0019-CVE-2023-32360.patch)
+
+ -- Thorsten Alteholz   Tue, 19 Sep 2023 21:20:27 +0200
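Review bot: This adds the same text a second time as `debian/NEWS.Debian`, next to the identical `debian/cups-daemon.NEWS` hunk above. Unless debian/rules installs it explicitly, `NEWS.Debian` is not a file name dh_installchangelogs picks up by default (it looks for `debian/NEWS` or `debian/<package>.NEWS`), so this copy is dead weight and carries the same version-header problem; keep the cups-daemon one and drop this file.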
diff -Nru cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch 
cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch
--- cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch  1970-01-01 
01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0019-CVE-2023-32360.patch  2023-09-19 
21:20:27.0 +0200
@@ -0,0 +1,27 @@
+From: Thorsten Alteholz 
+Date: Wed, 20 Sep 2023 23:21:42 +0200
+Subject: CVE-2023-32360
+
+---
+ conf/cupsd.conf.in | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index 09059dc..67d1c8b 100644
+--- a/conf/cupsd.conf.in
 b/conf/cupsd.conf.in
+@@ -65,7 +65,13 @@ WebInterface @CUPS_WEBIF@
+ Order deny,allow
+   
+ 
+-  
++  
++Require user @OWNER @SYSTEM
++Order deny,allow
++  
++
++  
++AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+   
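Review bot: The `<Limit ...>` opening and closing lines of this cupsd.conf.in hunk have been stripped in this copy (the `+-  `/`++  ` lines are empty), so which IPP operations the two stanzas cover cannot be verified here; per the NEWS entry the new stanza is meant to put `CUPS-Get-Document` behind `AuthType Default` with `Require user @OWNER @SYSTEM`. The patch header also carries no `Origin:` or `Bug-Debian-Security:` field, unlike the Ghostscript patches in this batch; a pointer to the upstream commit for CVE-2023-32360 would let reviewers compare the stanza against upstream's.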
diff -Nru cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch 
cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch
--- cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch   1970-01-01 
01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0020-CVE-2023-4504.patch   2023-09-19 
21:20:27.0 +0200
@@ -0,0 +1,33 @@
+From: Thorsten Alteholz 
+Date: Wed, 20 Sep 2023 23:22:44 +0200
+Subject: CVE-2023-4504
+
+---
+ cups/raster-interpret.c | 14 +-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
+index fbe52f3..89ef158 100644
+--- a/cups/raster-interpret.c
 b/cups/raster-interpret.c
+@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st,   /* I  - Stack */
+ 
+   cur ++;
+ 
+-if (*cur == 'b')
++ /*
++  * Return NULL if we reached NULL terminator, a lone backslash
++* is not a valid character in PostScript.
++  */
++
++  if (!*cur)
++  
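Review bot: The new `if (!*cur)` test after `cur ++` is the right shape: per the comment, a lone trailing backslash previously advanced `cur` onto the NUL terminator and the escape comparisons (`*cur == 'b'` and following) continued from there. The hunk is truncated right after the `if`, so the `return NULL` it promises and the fall-through into the original `'b'` branch cannot be checked here; the new comment's indentation also drifts (`+ /*`, `+  *`, `+  */`). As with the 0019 patch, a DEP-3 `Origin:` pointing at the upstream fix for CVE-2023-4504 is missing.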

Bug#1052420: marked as done (bullseye-pu: package flameshot/0.9.0+ds1-2+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1052420,
regarding bullseye-pu: package flameshot/0.9.0+ds1-2+deb11u1
to be marked as done.


-- 
1052420: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052420
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:flameshot
X-Debbugs-Cc: flames...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bullseye
X-Debbugs-Cc: by...@debian.org
Severity: normal


[ Reason ]
As reported in https://bugs.debian.org/1051408 , current flameshot
in Debian 11 (Bullseye) will silently upload the current captured
screenshot to imgur without confirmation whenever the corresponding
hotkey is pressed. This imposes a security risk of leaking sensitive
information.

In order to mitigate this issue, I propose to upload flameshot
0.9.0+ds1-2+deb11u1, which strips the embedded imgur token hardcoded
in the source code. Users who wish to utilize the img uploading
feature can fill in their own imgur token in flameshot config
window to re-enable the feature.


[ Impact ]
If the update is not approved, users of flameshot will have their
captured screenshot uploaded to imgur by default when the hotkey
is pressed without prompt, which poses a security and information
leaking risk to Debian 11 users using flameshot.

[ Tests ]
Manually tested in a Debian Bullseye VM.

[ Risks ]
Minimum risk as seen from debdiff.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Reset hardcoded imgur token to all zero to invalidate img uploading
functionality by default. For details, please check debdiff attached.

[ Other info ]
Upstream takes a different fix by popping up a confirmation window
whenever an image upload is to be done. The details can be found
at https://github.com/flameshot-org/flameshot/releases/tag/v11.0.0 .
Such a solution is not applied here due to the workload in backporting
all UI source code changes.


Thanks,
Boyuan Yang
diff -Nru flameshot-0.9.0+ds1/debian/changelog flameshot-0.9.0+ds1/debian/changelog
--- flameshot-0.9.0+ds1/debian/changelog	2021-07-22 18:10:19.0 -0400
+++ flameshot-0.9.0+ds1/debian/changelog	2023-09-21 13:16:48.0 -0400
@@ -1,3 +1,20 @@
+flameshot (0.9.0+ds1-2+deb11u1) bullseye; urgency=medium
+
+  * debian/patches/0006-Disable-default-imgur-token.patch:
+Disable default imgur uploading token.
+.
+Flameshot before v0.10.0 does not pop up confirmation before
+uploading the screenshot to imgur, which is a security risk
+that may leak sensitive user information.
+.
+This patch strips the embedded default imgur token from the
+source code to disable default image uploading. Users who need
+image uploading functionality may set their own imgur token
+in flameshot configuration to re-enable this functionality.
+(Closes: #1051408)
+
+ -- Boyuan Yang   Thu, 21 Sep 2023 13:16:48 -0400
+
 flameshot (0.9.0+ds1-2) unstable; urgency=high
 
   * debian/patches/0003-Disable-automatic-update-checking-by-default.patch:
diff -Nru flameshot-0.9.0+ds1/debian/NEWS.Debian flameshot-0.9.0+ds1/debian/NEWS.Debian
--- flameshot-0.9.0+ds1/debian/NEWS.Debian	1969-12-31 19:00:00.0 -0500
+++ flameshot-0.9.0+ds1/debian/NEWS.Debian	2023-09-21 13:16:48.0 -0400
@@ -0,0 +1,16 @@
+flameshot (0.9.0+ds1-2+deb11u1) bullseye; urgency=medium
+
+  * This version disables the default imgur uploading token.
+.
+Flameshot before v0.10.0 does not pop up confirmation before
+uploading the screenshot to imgur, which is a security risk
+that may leak sensitive user information.
+.
+This version strips the embedded default imgur token from the
+source code to disable default image uploading. Users who need
+image uploading functionality may set their own imgur token
+in flameshot configuration to re-enable this functionality.
+.
+For more information, check out https://bugs.debian.org/1051408 .
+
+ -- Boyuan Yang   Thu, 21 Sep 2023 13:16:48 -0400
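Review bot: The changelog and NEWS text say the token is "stripped", while the cover mail says it is reset to all zeros; whichever the 0006 patch (cut off in this copy) actually does, the security goal is that no screenshot bytes leave the machine, so it is worth confirming that an all-zero client id makes the upload path fail before the HTTP request is built rather than after imgur rejects it, since otherwise the image is still transmitted. Stating in the NEWS entry what the user will see on pressing the hotkey (an error rather than silence) would also help.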
diff -Nru flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch 

Bug#1052288: marked as done (bullseye-pu: package qemu/1:5.2+dfsg-11+deb11u3)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1052288,
regarding bullseye-pu: package qemu/1:5.2+dfsg-11+deb11u3
to be marked as done.


-- 
1052288: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052288
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: q...@packages.debian.org, m...@tls.msk.ru
Control: affects -1 + src:qemu

Various low severity security issues in qemu, debdiff below.
I've tested this on a Bullseye ganeti cluster using the
updated qemu.

Cheers,
Moritz

diff -Nru qemu-5.2+dfsg/debian/changelog qemu-5.2+dfsg/debian/changelog
--- qemu-5.2+dfsg/debian/changelog  2022-05-04 21:50:01.0 +0200
+++ qemu-5.2+dfsg/debian/changelog  2023-09-04 16:11:35.0 +0200
@@ -1,3 +1,19 @@
+qemu (1:5.2+dfsg-11+deb11u3) bullseye; urgency=medium
+
+  * CVE-2021-20196 (Closes: #984453)
+  * CVE-2023-0330 (Closes: #1029155)
+  * CVE-2023-1544 (Closes: #1034179)
+  * CVE-2023-3354
+  * CVE-2021-3930
+  * CVE-2023-3180
+  * CVE-2021-20203 (Closes: #984452)
+  * CVE-2021-3507 (Closes: #987410)
+  * CVE-2020-14394 (Closes: #979677)
+  * CVE-2023-3301
+  * CVE-2022-0216 (Closes: #1014590)
+
+ -- Moritz Mühlenhoff   Mon, 04 Sep 2023 16:11:35 +0200
+
 qemu (1:5.2+dfsg-11+deb11u2) bullseye-security; urgency=medium
 
   * virtio-net-fix-map-leaking-on-error-during-receive-CVE-2022-26353.patch
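Review bot: Eleven CVE identifiers with no summary make this entry hard to audit from the changelog alone; for instance `CVE-2020-14394` is the unbounded loop in `xhci_ring_chain_length()` per its patch subject below. A short description per CVE, or at least the affected device, is the norm for security uploads and lets users tell which entries matter for their configuration.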
diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2020-14394.patch 
qemu-5.2+dfsg/debian/patches/CVE-2020-14394.patch
--- qemu-5.2+dfsg/debian/patches/CVE-2020-14394.patch   1970-01-01 
01:00:00.0 +0100
+++ qemu-5.2+dfsg/debian/patches/CVE-2020-14394.patch   2023-08-22 
12:42:56.0 +0200
@@ -0,0 +1,67 @@
+From effaf5a240e03020f4ae953e10b764622c3e87cc Mon Sep 17 00:00:00 2001
+From: Thomas Huth 
+Date: Thu, 4 Aug 2022 15:13:00 +0200
+Subject: [PATCH] hw/usb/hcd-xhci: Fix unbounded loop in
+ xhci_ring_chain_length() (CVE-2020-14394)
+
+The loop condition in xhci_ring_chain_length() is under control of
+the guest, and additionally the code does not check for failed DMA
+transfers (e.g. if reaching the end of the RAM), so the loop there
+could run for a very long time or even forever. Fix it by checking
+the return value of dma_memory_read() and by introducing a maximum
+loop length.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/646
+Message-Id: <20220804131300.96368-1-th...@redhat.com>
+Reviewed-by: Mauro Matteo Cascella 
+Acked-by: Gerd Hoffmann 
+Signed-off-by: Thomas Huth 
+---
+ hw/usb/hcd-xhci.c | 23 +++
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- qemu-5.2+dfsg.orig/hw/usb/hcd-xhci.c
 qemu-5.2+dfsg/hw/usb/hcd-xhci.c
+@@ -21,6 +21,7 @@
+ 
+ #include "qemu/osdep.h"
+ #include "qemu/timer.h"
++#include "qemu/log.h"
+ #include "qemu/module.h"
+ #include "qemu/queue.h"
+ #include "migration/vmstate.h"
+@@ -720,9 +721,13 @@ static int xhci_ring_chain_length(XHCISt
+ bool control_td_set = 0;
+ uint32_t link_cnt = 0;
+ 
+-while (1) {
++do {
+ TRBType type;
+-dma_memory_read(xhci->as, dequeue, , TRB_SIZE);
++if (dma_memory_read(xhci->as, dequeue, , TRB_SIZE) != MEMTX_OK) {
++qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
++  __func__);
++return -1;
++}
+ le64_to_cpus();
+ le32_to_cpus();
+ le32_to_cpus();
+@@ -756,7 +761,17 @@ static int xhci_ring_chain_length(XHCISt
+ if (!control_td_set && !(trb.control & TRB_TR_CH)) {
+ return length;
+ }
+-}
++
++/*
++ * According to the xHCI spec, Transfer Ring segments should have
++ * a maximum size of 64 kB (see chapter "6 Data Structures")
++ */
++} while (length < TRB_LINK_LIMIT * 65536 / TRB_SIZE);
++
++qemu_log_mask(LOG_GUEST_ERROR, "%s: exceeded maximum tranfer ring 
size!\n",
++  __func__);
++
++return -1;
+ }
+ 
+ static void xhci_er_reset(XHCIState *xhci, int v)
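Review bot: The `do { ... } while (length < TRB_LINK_LIMIT * 65536 / TRB_SIZE)` bound and the `dma_memory_read()` return check together turn a guest-controlled endless loop into a bounded one; note that `continue` in the link-TRB branch jumps to the `while` test, so the bound also covers chains of link TRBs. Both new exits return `-1`, so every caller of `xhci_ring_chain_length()` must treat a negative result as an error; those callers are outside this hunk and should be checked. The new log string spells `tranfer` instead of `transfer`, and this archived copy has lost the `&trb`/`&trb.parameter` arguments in the `dma_memory_read` and `le*_to_cpus` lines, so the text as shown here would not compile and must not be applied as-is.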
diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-20196.patch 
qemu-5.2+dfsg/debian/patches/CVE-2021-20196.patch
--- qemu-5.2+dfsg/debian/patches/CVE-2021-20196.patch   1970-01-01 
01:00:00.0 +0100
+++ 
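The CVE-2020-14394 patch above replaces `while (1)` with a `do { } while (length < ...)` and starts reporting failed DMA reads. The following is an added example, not QEMU's code and not part of Moritz's message: a self-contained C model of that bounded ring walk against a constructed array standing in for guest RAM, exercised with a well-formed TD, a self-referencing link TRB, a chain that runs off the end of memory, and a chain longer than the bound. `GuestMem`, `dma_read_trb`, `mk`, `fill_chain` and the `demo_*` functions are mine; the TRB bit layout follows the xHCI specification, the macro names follow the ones visible in the patch, and the `TRB_LINK_LIMIT` value of 32 is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* TRB control field per the xHCI spec: bit 0 cycle, bit 1 toggle cycle (link
 * TRBs), bit 4 chain, bits 10-15 type. Macro names follow the QEMU ones in
 * the patch; the TRB_LINK_LIMIT value of 32 is an assumption. */
#define TRB_SIZE        16
#define TRB_LINK_LIMIT  32
#define TRB_C           (1u << 0)
#define TRB_LK_TC       (1u << 1)
#define TRB_TR_CH       (1u << 4)
#define TRB_TYPE(ctl)   (((ctl) >> 10) & 0x3f)
#define TR_NORMAL       1
#define TR_LINK         6
#define MAX_TRBS        (TRB_LINK_LIMIT * 65536 / TRB_SIZE)   /* 131072 */

typedef struct { uint64_t parameter; uint32_t status; uint32_t control; } TRB;

/* Constructed stand-in for guest RAM: a flat array of TRBs plus a read
 * counter. A read outside the array fails, like DMA running off the end of RAM. */
typedef struct { TRB *trbs; size_t count; size_t reads; } GuestMem;

static int dma_read_trb(GuestMem *m, uint64_t addr, TRB *out)
{
    m->reads++;
    if (addr % TRB_SIZE != 0 || addr / TRB_SIZE >= m->count)
        return -1;
    *out = m->trbs[addr / TRB_SIZE];
    return 0;
}

/* Count the TRBs of one TD starting at dequeue, with the stops of the patched
 * xhci_ring_chain_length(): a failed read returns -1, a cycle-bit mismatch or
 * too many link TRBs returns -length, and the loop bound returns -1 once
 * MAX_TRBS TRBs have been visited. */
int ring_chain_length(GuestMem *m, uint64_t dequeue, bool ccs)
{
    int length = 0;
    uint32_t link_cnt = 0;

    do {
        TRB trb;
        if (dma_read_trb(m, dequeue, &trb) != 0)
            return -1;                      /* guest pointed past RAM */
        if ((trb.control & TRB_C) != (uint32_t)ccs)
            return -length;                 /* not yet written by the producer */
        if (TRB_TYPE(trb.control) == TR_LINK) {
            if (++link_cnt > TRB_LINK_LIMIT)
                return -length;             /* link TRB loop */
            dequeue = trb.parameter;
            if (trb.control & TRB_LK_TC)
                ccs = !ccs;
            continue;                       /* re-tests the while bound */
        }
        length += 1;
        dequeue += TRB_SIZE;
        if (!(trb.control & TRB_TR_CH))
            return length;                  /* last TRB of the TD */
    } while (length < MAX_TRBS);
    return -1;                              /* longer than any legal ring */
}

static TRB mk(uint32_t type, uint32_t flags, uint64_t param)
{
    TRB t = { param, 0, (type << 10) | flags };
    return t;
}

/* n chained normal TRBs with the cycle bit set: memory full of "keep going". */
static void fill_chain(TRB *ring, size_t n)
{
    for (size_t i = 0; i < n; i++)
        ring[i] = mk(TR_NORMAL, TRB_C | TRB_TR_CH, 0);
}

/* Well-formed TD: two chained TRBs and a final one; returns 3. */
int demo_normal_td(void)
{
    TRB ring[3];
    GuestMem m = { ring, 3, 0 };
    fill_chain(ring, 2);
    ring[2] = mk(TR_NORMAL, TRB_C, 0);
    return ring_chain_length(&m, 0, true);
}

/* Link TRB pointing at itself: the link limit stops the walk; returns -2. */
int demo_link_loop(void)
{
    TRB ring[3];
    GuestMem m = { ring, 3, 0 };
    fill_chain(ring, 2);
    ring[2] = mk(TR_LINK, TRB_C, 2 * TRB_SIZE);
    return ring_chain_length(&m, 0, true);
}

/* Every TRB in RAM chained: the failed read past the end is reported; -1. */
int demo_chain_off_end(void)
{
    TRB ring[64];
    GuestMem m = { ring, 64, 0 };
    fill_chain(ring, 64);
    return ring_chain_length(&m, 0, true);
}

/* More chained TRBs than a legal ring can hold: returns how many reads the
 * bound allowed before giving up, MAX_TRBS (or -1 if anything differs). */
long demo_chain_too_long_reads(void)
{
    size_t n = MAX_TRBS + 1000;
    TRB *ring = malloc(n * sizeof *ring);
    GuestMem m = { ring, n, 0 };
    int r;
    if (!ring)
        return -1;
    fill_chain(ring, n);
    r = ring_chain_length(&m, 0, true);
    free(ring);
    return r == -1 ? (long)m.reads : -1;
}
```

The read counter is the point of the last case: before the patch the walk over a memory full of chained TRBs would only stop when it happened to read something with the wrong cycle bit, which the guest controls; with the bound it stops after exactly `MAX_TRBS` reads regardless of what the guest wrote.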

Bug#1052150: marked as done (bullseye-pu: package openssh/1:8.4p1-5+deb11u2)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1052150,
regarding bullseye-pu: package openssh/1:8.4p1-5+deb11u2
to be marked as done.


-- 
1052150: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052150
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: open...@packages.debian.org
Control: affects -1 + src:openssh

[ Reason ]
https://bugs.debian.org/1042460 is a security issue affecting bullseye.
The security team doesn't think it warrants a DSA, but thinks it's worth
fixing in a point release.  I agree.

[ Impact ]
Forwarding an SSH agent to a remote system may be exploitable by
administrators of that remote system in complicated conditions.  See
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt.

[ Tests ]
I have tested this manually as far as I'm able to do so.  Essentially,
this shuts down the exploit at the first hurdle by refusing to load
objects that don't appear to be valid FIDO/PKCS#11 modules intended for
use by ssh-agent.

[ Risks ]
The code isn't quite trivial, but it's fairly straightforward once you
understand what it's doing.

The second upstream patch in the series wasn't in OpenSSH 9.3p2 (the
initial upstream release addressing this vulnerability), but I think
it's worth taking anyway because it shuts down a range of clever attacks
along these same lines without introducing an unreasonable amount of
extra complexity.  Ubuntu did the same thing in their security updates
for this.

I wasn't able to backport the other part of upstream's fix for this
(disallowing remote addition of FIDO/PKCS#11 keys by default), because
that relies on the mechanism in
https://www.openssh.com/agent-restrict.html and bullseye doesn't have
that.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
See attached debdiff.

Thanks,

-- 
Colin Watson (he/him)  [cjwat...@debian.org]
diff -Nru openssh-8.4p1/debian/.git-dpm openssh-8.4p1/debian/.git-dpm
--- openssh-8.4p1/debian/.git-dpm   2022-07-01 23:37:41.0 +0100
+++ openssh-8.4p1/debian/.git-dpm   2023-09-17 23:46:46.0 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-ed99ef256258d8556dbe39d976c2528ede050f14
-ed99ef256258d8556dbe39d976c2528ede050f14
+fb685ebb9f8391ab2836715c9c347ee50a0c9f48
+fb685ebb9f8391ab2836715c9c347ee50a0c9f48
 2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb
 2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb
 openssh_8.4p1.orig.tar.gz
diff -Nru openssh-8.4p1/debian/changelog openssh-8.4p1/debian/changelog
--- openssh-8.4p1/debian/changelog  2022-07-01 23:37:41.0 +0100
+++ openssh-8.4p1/debian/changelog  2023-09-17 23:46:46.0 +0100
@@ -1,3 +1,12 @@
+openssh (1:8.4p1-5+deb11u2) bullseye; urgency=medium
+
+  * Cherry-pick from OpenSSH 9.3p2:
+- [CVE-2023-38408] Fix a condition where specific libraries loaded via
+  ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code
+  execution via a forwarded agent socket (closes: #1042460).
+
+ -- Colin Watson   Sun, 17 Sep 2023 23:46:46 +0100
+
 openssh (1:8.4p1-5+deb11u1) bullseye; urgency=medium
 
   * Backport from upstream:
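Review bot: The entry attributes the fix to `Cherry-pick from OpenSSH 9.3p2`, but the cover mail says the second patch in the series was not in 9.3p2 and was taken from a later upstream commit; the changelog should say so (for example `Cherry-pick from OpenSSH 9.3p2 and a follow-up upstream commit`) so that anyone auditing the bullseye package against the 9.3p2 release notes is not misled. It would also help to record here that the agent-restrict part of upstream's fix is deliberately not included, as the cover mail explains, since that limitation is what users of forwarded agents on bullseye most need to know.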
diff -Nru openssh-8.4p1/debian/patches/CVE-2023-38408-1.patch 
openssh-8.4p1/debian/patches/CVE-2023-38408-1.patch
--- openssh-8.4p1/debian/patches/CVE-2023-38408-1.patch 1970-01-01 
01:00:00.0 +0100
+++ openssh-8.4p1/debian/patches/CVE-2023-38408-1.patch 2023-09-17 
23:46:46.0 +0100
@@ -0,0 +1,30 @@
+From 8175e38eaf5636f45c3f27f4eadee1d583b70d35 Mon Sep 17 00:00:00 2001
+From: Damien Miller 
+Date: Thu, 13 Jul 2023 12:09:34 +1000
+Subject: terminate pkcs11 process for bad libraries
+
+Origin: upstream, 
https://anongit.mindrot.org/openssh.git/commit/?id=b23fe83f06ee7e721033769cfa03ae840476d280
+Last-Update: 2023-09-17
+
+Patch-Name: CVE-2023-38408-1.patch
+---
+ ssh-pkcs11.c | 6 ++
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index f495883d1..d864051c4 100644
+--- a/ssh-pkcs11.c
 b/ssh-pkcs11.c
+@@ -1519,10 +1519,8 @@ 

Bug#1052027: marked as done (bullseye-pu: package cargo-mozilla/0.66.0+ds1-1~deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1052027,
regarding bullseye-pu: package cargo-mozilla/0.66.0+ds1-1~deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1052027: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052027
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-rust-maintain...@alioth-lists.debian.net

Hi,

Following up on #1051051, this updates cargo-mozilla for the upcoming
Firefox ESR 115. Just like for rustc-mozilla, the risk here is small
as this package is only used to build firefox-esr and thunderbird.

I have used the resulting package to successfully build and test
firefox-esr 115.0.2 on bullseye.

Attached is the diff from 0.66 itself so that the changes in the
backport are easier to review. A diff from 0.47 is not attached.

Cheers,
Emilio
diff -ruNp cargo-0.66.0+ds1/debian/cargo.bash-completion 
cargo-mozilla-0.66.0+ds1/debian/cargo.bash-completion
--- cargo-0.66.0+ds1/debian/cargo.bash-completion   2023-01-11 
18:55:09.0 +0100
+++ cargo-mozilla-0.66.0+ds1/debian/cargo.bash-completion   1970-01-01 
01:00:00.0 +0100
@@ -1 +0,0 @@
-src/etc/cargo.bashcomp.sh cargo
diff -ruNp cargo-0.66.0+ds1/debian/cargo.dirs 
cargo-mozilla-0.66.0+ds1/debian/cargo.dirs
--- cargo-0.66.0+ds1/debian/cargo.dirs  2023-01-11 18:55:09.0 +0100
+++ cargo-mozilla-0.66.0+ds1/debian/cargo.dirs  1970-01-01 01:00:00.0 
+0100
@@ -1 +0,0 @@
-usr/bin
diff -ruNp cargo-0.66.0+ds1/debian/cargo-doc.docs 
cargo-mozilla-0.66.0+ds1/debian/cargo-doc.docs
--- cargo-0.66.0+ds1/debian/cargo-doc.docs  2023-01-11 18:55:09.0 
+0100
+++ cargo-mozilla-0.66.0+ds1/debian/cargo-doc.docs  1970-01-01 
01:00:00.0 +0100
@@ -1 +0,0 @@
-target/doc
diff -ruNp cargo-0.66.0+ds1/debian/cargo.manpages 
cargo-mozilla-0.66.0+ds1/debian/cargo.manpages
--- cargo-0.66.0+ds1/debian/cargo.manpages  2023-01-11 18:55:09.0 
+0100
+++ cargo-mozilla-0.66.0+ds1/debian/cargo.manpages  1970-01-01 
01:00:00.0 +0100
@@ -1,2 +0,0 @@
-src/etc/man/cargo-*.1
-src/etc/man/cargo.1
diff -ruNp cargo-0.66.0+ds1/debian/cargo-mozilla.bash-completion 
cargo-mozilla-0.66.0+ds1/debian/cargo-mozilla.bash-completion
--- cargo-0.66.0+ds1/debian/cargo-mozilla.bash-completion   1970-01-01 
01:00:00.0 +0100
+++ cargo-mozilla-0.66.0+ds1/debian/cargo-mozilla.bash-completion   
2023-01-11 18:55:09.0 +0100
@@ -0,0 +1 @@
+src/etc/cargo.bashcomp.sh cargo
diff -ruNp cargo-0.66.0+ds1/debian/cargo-mozilla.dirs 
cargo-mozilla-0.66.0+ds1/debian/cargo-mozilla.dirs
--- cargo-0.66.0+ds1/debian/cargo-mozilla.dirs  1970-01-01 01:00:00.0 
+0100
+++ cargo-mozilla-0.66.0+ds1/debian/cargo-mozilla.dirs  2023-01-11 
18:55:09.0 +0100
@@ -0,0 +1 @@
+usr/bin
diff -ruNp cargo-0.66.0+ds1/debian/cargo-mozilla-doc.docs 
cargo-mozilla-0.66.0+ds1/debian/cargo-mozilla-doc.docs
--- cargo-0.66.0+ds1/debian/cargo-mozilla-doc.docs  1970-01-01 
01:00:00.0 +0100
+++ cargo-mozilla-0.66.0+ds1/debian/cargo-mozilla-doc.docs  2023-01-11 
18:55:09.0 +0100
@@ -0,0 +1 @@
+target/doc
diff -ruNp cargo-0.66.0+ds1/debian/cargo-mozilla.manpages 
cargo-mozilla-0.66.0+ds1/debian/cargo-mozilla.manpages
--- cargo-0.66.0+ds1/debian/cargo-mozilla.manpages  1970-01-01 
01:00:00.0 +0100
+++ cargo-mozilla-0.66.0+ds1/debian/cargo-mozilla.manpages  2023-01-11 
18:55:09.0 +0100
@@ -0,0 +1,2 @@
+src/etc/man/cargo-*.1
+src/etc/man/cargo.1
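Review bot: the manpages list installs `src/etc/man/cargo-*.1` and `src/etc/man/cargo.1` under cargo-mozilla, the same file names the cargo package ships (see the deleted cargo.manpages hunk above), and the bash-completion hunk installs the completion as `cargo` likewise; unless debian/control declares Conflicts/Replaces against cargo, as rustc-mozilla does against rustc in this digest, dpkg will refuse to unpack one package alongside the other. The control hunk is cut off here, so please confirm that it does.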
diff -ruNp cargo-0.66.0+ds1/debian/changelog 
cargo-mozilla-0.66.0+ds1/debian/changelog
--- cargo-0.66.0+ds1/debian/changelog   2023-01-11 18:55:09.0 +0100
+++ cargo-mozilla-0.66.0+ds1/debian/changelog   2023-07-30 10:37:52.0 
+0200
@@ -1,3 +1,15 @@
+cargo-mozilla (0.66.0+ds1-1~deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport to bullseye as cargo-mozilla.
+  * Build-dep on rustc-mozilla.
+  * Don't build the doc package.
+  * Vendor libgit2 1.5.1, the system one is too old.
+  * Build-dep on libpcre3-dev, for libgit2.
+  * Don't use namespaced features.
+
+ -- Emilio Pozuelo Monfort   Sun, 30 Jul 2023 10:37:52 +0200
+
 cargo (0.66.0+ds1-1) unstable; urgency=medium
 
   [ Fabian Grünbichler ]
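Review bot: `+  * Vendor libgit2 1.5.1, the system one is too old.` needs a sentence on how libgit2 security fixes will reach bullseye once the library is embedded, since the security tracker follows the system libgit2 and will not know about this copy; the entry should at least name the libgit2 source embedded and where it lives in the tree.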
diff -ruNp cargo-0.66.0+ds1/debian/control 

Bug#1051884: marked as done (bullseye-pu: package openssl/1.1.1w-0~deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1051884,
regarding bullseye-pu: package openssl/1.1.1w-0~deb11u1
to be marked as done.


-- 
1051884: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051884
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:openssl
User: release.debian@packages.debian.org
Usertags: pu
Tags: bullseye
Severity: normal

OpenSSL upstream released 1.1.1w, which is the last stable update to the
1.1.1 series because it is EOL since last Monday.
The update is fairly small and contains a few fixes for memory leaks.
The mentioned CVE affects only Windows.

Sebastian
diff -Nru openssl-1.1.1v/appveyor.yml openssl-1.1.1w/appveyor.yml
--- openssl-1.1.1v/appveyor.yml	2023-08-01 15:51:35.0 +0200
+++ openssl-1.1.1w/appveyor.yml	1970-01-01 01:00:00.0 +0100
@@ -1,78 +0,0 @@
-image:
-  - Visual Studio 2017
-
-platform:
-- x64
-- x86
-
-environment:
-fast_finish: true
-matrix:
-- VSVER: 15
-
-configuration:
-- shared
-- plain
-- minimal
-
-before_build:
-- ps: >-
-Install-Module VSSetup -Scope CurrentUser
-- ps: >-
-Get-VSSetupInstance -All
-- ps: >-
-gci env:* | sort-object name
-- ps: >-
-If ($env:Platform -Match "x86") {
-$env:VCVARS_PLATFORM="x86"
-$env:TARGET="VC-WIN32 no-asm --strict-warnings"
-} Else {
-$env:VCVARS_PLATFORM="amd64"
-$env:TARGET="VC-WIN64A-masm"
-}
-- ps: >-
-If ($env:Configuration -Match "shared") {
-$env:SHARED="no-makedepend"
-} ElseIf ($env:Configuration -Match "minimal") {
-$env:SHARED="no-shared no-dso no-makedepend no-aria no-async no-autoload-config no-blake2 no-bf no-camellia no-cast no-chacha no-cmac no-cms no-comp no-ct no-des no-dgram no-dh no-dsa no-dtls no-ec2m no-engine no-filenames no-gost no-idea no-mdc2 no-md4 no-multiblock no-nextprotoneg no-ocsp no-ocb no-poly1305 no-psk no-rc2 no-rc4 no-rmd160 no-seed no-siphash no-sm2 no-sm3 no-sm4 no-srp no-srtp no-ssl3 no-ssl3-method no-ts no-ui-console no-whirlpool no-asm -DOPENSSL_SMALL_FOOTPRINT"
-} Else {
-$env:SHARED="no-shared no-makedepend"
-}
-- call "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvarsall.bat" %VCVARS_PLATFORM%
-- mkdir _build
-- cd _build
-- perl ..\Configure %TARGET% %SHARED%
-- perl configdata.pm --dump
-- cd ..
-- ps: >-
-if (-not $env:APPVEYOR_PULL_REQUEST_NUMBER`
--or ( log -1 $env:APPVEYOR_PULL_REQUEST_HEAD_COMMIT |
- Select-String "\[extended tests\]") ) {
-$env:EXTENDED_TESTS="yes"
-}
-
-build_script:
-- cd _build
-- ps: >-
-If ($env:Configuration -Match "shared" -or $env:EXTENDED_TESTS) {
-cmd /c "nmake build_all_generated 2>&1"
-cmd /c "nmake PERL=no-perl 2>&1"
-}
-- cd ..
-
-test_script:
-- cd _build
-- ps: >-
-If ($env:Configuration -Match "shared" -or $env:EXTENDED_TESTS) {
-if ($env:EXTENDED_TESTS) {
-cmd /c "nmake test V=1 2>&1"
-} Else {
-cmd /c "nmake test V=1 TESTS=-test_fuzz 2>&1"
-}
-}
-- ps: >-
-if ($env:EXTENDED_TESTS) {
-mkdir ..\_install
-cmd /c "nmake install DESTDIR=..\_install 2>&1"
-}
-- cd ..
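Review bot: this hunk deletes upstream's appveyor.yml in full, a Windows CI description with no effect on what Debian builds; for a stable-update review it is worth excluding such files from the debdiff (e.g. with filterdiff, as the dpkg request in this digest does) so the crypto changes are not buried under 78 lines of CI configuration.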
diff -Nru openssl-1.1.1v/CHANGES openssl-1.1.1w/CHANGES
--- openssl-1.1.1v/CHANGES	2023-08-01 15:51:35.0 +0200
+++ openssl-1.1.1w/CHANGES	2023-09-11 16:08:11.0 +0200
@@ -7,6 +7,30 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1v and 1.1.1w [11 Sep 2023]
+
+ *) Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
+
+The POLY1305 MAC (message authentication code) implementation in OpenSSL
+does not save the contents of non-volatile XMM registers on Windows 64
+platform when calculating the MAC of data larger than 64 bytes. Before
+returning to the caller all the XMM registers are set to zero rather than
+restoring their previous content. The vulnerable code is used only on newer
+x86_64 processors supporting the AVX512-IFMA 
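Review bot: the CHANGES entry (`Fix POLY1305 MAC implementation corrupting XMM registers on Windows`) restricts the affected code to Windows x86_64 with AVX512-IFMA, which matches the request's statement that the CVE affects only Windows; the debian/changelog hunk is not among the quoted hunks, but it should still name that CVE so the security tracker can record bullseye's status for it instead of leaving it open.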

Bug#1051902: marked as done (bullseye-pu: package dpkg/1.20.13)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1051902,
regarding bullseye-pu: package dpkg/1.20.13
to be marked as done.


-- 
1051902: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051902
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@packages.debian.org
Control: affects -1 + src:dpkg

Hi!

[ Reason ]

This update backports the loong64 arch support as requested in #1051763
because some of the Debian infra is still using bullseye. There's also
a fix for a segfault on virtual field formatting which is rather easy
to trigger for packages that are known to dpkg, but are not installed,
such as virtual packages or references from Recommends or Suggests,
which was also included in the 1.21.22 pre-approval request included
in bookworm. And finally a fix for a memory leak, included in 1.22.0
in unstable.

[ Impact ]

- If the loong64 arch is not supported in oldstable, packages and
  infra will not be able to add support for it.
- Easy to trigger segfault.
- Memory leak.

[ Tests ]

The arch addition and the segfault fix have tests. The memory leak
was detected by gcc ASAN, but it is trivial to verify. These pass
all dpkg unit tests and functional tests, which are part of its release
process.

[ Risks ]

As part of the segfault backport, I also cherry-picked a minor
refactoring change that was required by another commit adding unit
tests for the module involved (which is required by the first
cherry-pick), but that should give better test coverage.

The two other changes seem rather low risk.

[ Checklist ]

  [√] *all* changes are documented in the d/changelog
  [√] I reviewed all changes and I approve them
  [√] attach debdiff against the package in (old)stable
  [√] the issue is verified as fixed in unstable

[ Changes ]

The git log is included in the debdiff, which I'm attaching in its full
compressed form with no filtering applied, but you might want to
filterdiff with:

  xzcat dpkg-1.20.12-1.20.13.debdiff.xz |
filterdiff --exclude '*.po' --exclude '*.pot' \
   --exclude '*/man/*/*.pod' \
   --exclude '*/testsuite' --exclude '*/t-func/*.m4' \
   --exclude '*/Makefile.in' \
   --exclude '*/configure'

Thanks,
Guillem


dpkg-1.20.12-1.20.13.debdiff.xz
Description: application/xz
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1051051: marked as done (bullseye-pu: package rustc-mozilla/1.63.0+dfsg1-2~deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1051051,
regarding bullseye-pu: package rustc-mozilla/1.63.0+dfsg1-2~deb11u1
to be marked as done.


-- 
1051051: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051051
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: team+pkg-mozi...@tracker.debian.org

Hi,

The time has come for a new Firefox / Thunderbird ESR release in *stable.
This will require rustc/cargo/cbindgen backports as usual. For bookworm
we're in a good shape for this update, but for bullseye and buster we'll
need all three updates.

For rustc-mozilla, I've used the version from bookworm. Hopefully I got
all the stage0 binaries this time.

Risk is low as this package is only used to build FF/TB. I have
successfully built the whole chain up to FF 115 ESR on amd64.

I'm attaching a diff from rustc_1.63/bookworm to the proposed update. I don't 
think there's much value in a 1.59->1.63 diff, but if you want it say so and 
I'll prepare one.

Thanks,
Emilio
diff -ruNp debian.rustc/changelog debian/changelog
--- debian.rustc/changelog  2023-01-14 09:38:46.0 +0100
+++ debian/changelog2023-07-28 13:44:06.0 +0200
@@ -1,3 +1,13 @@
+rustc-mozilla (1.63.0+dfsg1-2~deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport to bullseye as rustc-mozilla.
+  * Do a bootstrap build.
+  * Disable wasm.
+  * Disable new binary packages rustfmt, -clippy, -all.
+
+ -- Emilio Pozuelo Monfort   Fri, 28 Jul 2023 13:44:06 +0200
+
 rustc (1.63.0+dfsg1-2) unstable; urgency=medium
 
   [ Fabian Grünbichler ]
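Review bot: `+  * Do a bootstrap build.` together with the commented-out `cargo:native`/`rustc:native` build-dependencies in the control hunk below means the compiler is not built from Debian's own rustc but from stage0 binaries obtained elsewhere (the request itself says "Hopefully I got all the stage0 binaries this time"); the changelog should say where those binaries come from and how their checksums are verified, because they are the trust anchor for everything built with this toolchain in bullseye.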
diff -ruNp debian.rustc/control debian/control
--- debian.rustc/control2023-01-14 09:38:46.0 +0100
+++ debian/control  2023-07-28 13:44:06.0 +0200
@@ -1,4 +1,4 @@
-Source: rustc
+Source: rustc-mozilla
 Section: devel
 Priority: optional
 Maintainer: Debian Rust Maintainers 

@@ -12,14 +12,14 @@ Build-Depends:
  debhelper-compat (= 13),
  dpkg-dev (>= 1.17.14),
  python3:native,
- cargo:native (>= 0.60.0)  ,
- rustc:native (>= 1.62.0+dfsg) ,
- rustc:native (<= 1.63.0++),
- llvm-14-dev:native,
- llvm-14-tools:native,
+# cargo:native (>= 0.60.0)  ,
+# rustc:native (>= 1.62.0+dfsg) ,
+# rustc:native (<= 1.63.0++),
+ llvm-13-dev:native,
+ llvm-13-tools:native,
  gcc-mingw-w64-x86-64-posix:native [amd64] ,
  gcc-mingw-w64-i686-posix:native [i386] ,
- libllvm14 (>= 1:14.0.0),
+ libllvm13 (>= 1:13.0.0),
  cmake (>= 3.0) | cmake3,
 # needed by some vendor crates
  pkg-config,
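Review bot: the three build-dependencies are commented out (`+# cargo:native (>= 0.60.0)  ,` and the two `rustc:native` lines) rather than removed, which leaves dead lines in control; more substantively, the move from llvm-14 to llvm-13 (`+ llvm-13-dev:native`, `+ libllvm13 (>= 1:13.0.0)`) should be justified in the changelog with a pointer to upstream's supported LLVM range for 1.63, since building against an older LLVM than upstream tests with is the main risk in this hunk.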
@@ -38,30 +38,32 @@ Build-Depends:
  curl ,
  ca-certificates ,
 Build-Depends-Indep:
- wasi-libc (>= 0.0~git20220510.9886d3d~~) ,
- wasi-libc (<= 0.0~git20220510.9886d3d++) ,
- clang-14:native,
+# wasi-libc (>= 0.0~git20220510.9886d3d~~) ,
+# wasi-libc (<= 0.0~git20220510.9886d3d++) ,
+ clang-13:native,
 Build-Conflicts: gdb-minimal 
 Standards-Version: 4.2.1
 Homepage: http://www.rust-lang.org/
 Vcs-Git: https://salsa.debian.org/rust-team/rust.git
 Vcs-Browser: https://salsa.debian.org/rust-team/rust
 
-Package: rustc
+Package: rustc-mozilla
 Architecture: any
 Multi-Arch: allowed
 Pre-Depends: ${misc:Pre-Depends}
 Depends: ${shlibs:Depends}, ${misc:Depends},
- libstd-rust-dev (= ${binary:Version}),
+ libstd-rust-mozilla-dev (= ${binary:Version}),
  gcc, libc-dev, binutils (>= 2.26)
 Recommends:
  cargo (>= 0.64.0~~), cargo (<< 0.65.0~~),
 # llvm is needed for llvm-dwp for -C split-debuginfo=packed
- llvm-14,
+ llvm-13,
 Suggests:
 # lld and clang are needed for wasm compilation
- lld-14, clang-14,
-Replaces: libstd-rust-dev (<< 1.25.0+dfsg1-2~~)
+ lld-13, clang-13,
+Conflicts: rustc
+Provides: rustc (= ${binary:Version})
+Replaces: libstd-rust-dev (<< 1.25.0+dfsg1-2~~), rustc
 Breaks: libstd-rust-dev (<< 1.25.0+dfsg1-2~~)
 Description: Rust systems programming language
  Rust is a curly-brace, block-structured expression language.  It
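Review bot: `+Conflicts: rustc` with `+Provides: rustc (= ${binary:Version})` and `+Replaces: libstd-rust-dev (<< 1.25.0+dfsg1-2~~), rustc` means installing rustc-mozilla removes the distribution rustc from a bullseye system; that should be said in the Description, which is still the unchanged `Rust systems programming language`, and the Recommends `cargo (>= 0.64.0~~), cargo (<< 0.65.0~~)` is now stale, as this toolchain is paired with cargo-mozilla 0.66 elsewhere in this digest.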
@@ -76,7 +78,7 @@ Description: Rust systems programming la
  generic programming and meta-programming, in both static and dynamic
  styles.
 
-Package: libstd-rust-1.63
+Package: libstd-rust-mozilla-1.63
 Section: libs
 Architecture: any
 Multi-Arch: same
@@ -98,12 +100,12 @@ Description: Rust standard libraries
  This package contains the standard Rust libraries, built as 

Bug#1052082: marked as done (bullseye-pu: package rust-cbindgen/0.24.3-2~deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1052082,
regarding bullseye-pu: package rust-cbindgen/0.24.3-2~deb11u1
to be marked as done.


-- 
1052082: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052082
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-rust-maintain...@alioth-lists.debian.net

Hi,

This updates rust-cbindgen to 0.24, as required by Firefox ESR 115.
The risk is low as the only (build-)rdeps of cbindgen are firefox-esr
and thunderbird.

Attached is a debian/ diff of the update.

Cheers,
Emilio
diff -ruNp rust-cbindgen-0.23.0/debian/changelog 
rust-cbindgen-0.24.3/debian/changelog
--- rust-cbindgen-0.23.0/debian/changelog   2022-07-04 10:53:21.0 
+0200
+++ rust-cbindgen-0.24.3/debian/changelog   2023-07-28 14:16:44.0 
+0200
@@ -1,32 +1,32 @@
-rust-cbindgen (0.23.0-1~deb11u1) bullseye; urgency=medium
+rust-cbindgen (0.24.3-2~deb11u1) bullseye; urgency=medium
 
   * Non-maintainer upload.
   * Backport to bullseye.
   * Vendor dependencies, they are not available in bullseye.
-  * Only build the cbindgen binary.
   * Lower dh-cargo build-dep.
   * Build with rust-mozilla.
 
- -- Emilio Pozuelo Monfort   Mon, 04 Jul 2022 10:53:21 +0200
+ -- Emilio Pozuelo Monfort   Fri, 28 Jul 2023 14:16:44 +0200
 
-rust-cbindgen (0.23.0-1) unstable; urgency=medium
+rust-cbindgen (0.24.3-2) unstable; urgency=medium
 
-  * Package cbindgen 0.23.0 from crates.io using debcargo 2.5.0
+  * Team upload.
+  * Package cbindgen 0.24.3 from crates.io using debcargo 2.6.0
+  * Relax dev-dependency on serial-test.
 
- -- Sylvestre Ledru   Fri, 03 Jun 2022 11:20:37 +0200
+ -- Peter Michael Green   Thu, 17 Nov 2022 20:11:36 +
 
-rust-cbindgen (0.20.0-1~deb11u1) bullseye; urgency=medium
+rust-cbindgen (0.24.3-1) unstable; urgency=medium
 
-  * Non-maintainer upload.
-  * Backport to bullseye.
+  * Package cbindgen 0.24.3 from crates.io using debcargo 2.5.0
 
- -- Emilio Pozuelo Monfort   Thu, 02 Dec 2021 12:49:31 +0100
+ -- Sylvestre Ledru   Sat, 25 Jun 2022 15:27:28 +0200
 
-rust-cbindgen (0.20.0-1) unstable; urgency=medium
+rust-cbindgen (0.23.0-1) unstable; urgency=medium
 
-  * Package cbindgen 0.20.0 from crates.io using debcargo 2.4.4-alpha.0
+  * Package cbindgen 0.23.0 from crates.io using debcargo 2.5.0
 
- -- Sylvestre Ledru   Sun, 22 Aug 2021 14:26:42 +0200
+ -- Sylvestre Ledru   Fri, 03 Jun 2022 11:20:37 +0200
 
 rust-cbindgen (0.19.0-1) experimental; urgency=medium
 
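Review bot: the bullseye entry drops `-  * Only build the cbindgen binary.` while control below still comments out the librust-cbindgen-dev stanza (`#Package: librust-cbindgen-dev`), so the backport still builds only the binary but no longer documents that deviation from unstable; keep the line. `Vendor dependencies, they are not available in bullseye.` also warrants a list of the vendored crates and their versions, since the security tracker cannot otherwise see them.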
diff -ruNp rust-cbindgen-0.23.0/debian/control 
rust-cbindgen-0.24.3/debian/control
--- rust-cbindgen-0.23.0/debian/control 2022-06-17 13:33:38.0 +0200
+++ rust-cbindgen-0.24.3/debian/control 2023-07-28 14:16:44.0 +0200
@@ -27,9 +27,10 @@ Build-Depends: debhelper (>= 12),
 Maintainer: Debian Rust Maintainers 

 Uploaders:
  Sylvestre Ledru 
-Standards-Version: 4.5.1
+Standards-Version: 4.6.1
 Vcs-Git: https://salsa.debian.org/rust-team/debcargo-conf.git [src/cbindgen]
 Vcs-Browser: 
https://salsa.debian.org/rust-team/debcargo-conf/tree/master/src/cbindgen
+X-Cargo-Crate: cbindgen
 Rules-Requires-Root: no
 
 #Package: librust-cbindgen-dev
@@ -55,8 +56,8 @@ Rules-Requires-Root: no
 # librust-cbindgen+clap-dev (= ${binary:Version})
 #Provides:
 # librust-cbindgen-0-dev (= ${binary:Version}),
-# librust-cbindgen-0.23-dev (= ${binary:Version}),
-# librust-cbindgen-0.23.0-dev (= ${binary:Version})
+# librust-cbindgen-0.24-dev (= ${binary:Version}),
+# librust-cbindgen-0.24.3-dev (= ${binary:Version})
 #Description: Generating C bindings to Rust code - Rust source code
 # This package contains the source for the Rust cbindgen crate, packaged by
 # debcargo for use with cargo and dh-cargo.
@@ -72,10 +73,10 @@ Rules-Requires-Root: no
 # librust-cbindgen+default-dev (= ${binary:Version}),
 # librust-cbindgen-0+clap-dev (= ${binary:Version}),
 # librust-cbindgen-0+default-dev (= ${binary:Version}),
-# librust-cbindgen-0.23+clap-dev (= ${binary:Version}),
-# librust-cbindgen-0.23+default-dev (= ${binary:Version}),
-# librust-cbindgen-0.23.0+clap-dev (= ${binary:Version}),
-# librust-cbindgen-0.23.0+default-dev (= ${binary:Version})
+# librust-cbindgen-0.24+clap-dev (= ${binary:Version}),
+# librust-cbindgen-0.24+default-dev (= ${binary:Version}),
+# 

Bug#1051937: marked as done (bullseye-pu: package cairosvg/2.5.0-1.1+deb11u2)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1051937,
regarding bullseye-pu: package cairosvg/2.5.0-1.1+deb11u2
to be marked as done.


-- 
1051937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051937
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cairo...@packages.debian.org, Joe Burmeister 
, car...@debian.org
Control: affects -1 + src:cairosvg

Dear SRM,

[ Reason ]
Triggered by an off-list report from Joe Burmeister, cairosvg suffers
from a regression from the original fix upstream for CVE-2023-27586,
where embedded images using data URIs no longer work without the
unsafe flag. To fix the issue it would only be necessary to disallow
loading of external files, but data URIs would be expected to still
work.

See:
- https://bugs.debian.org/1050643
- https://github.com/Kozea/CairoSVG/issues/383

[ Impact ]
Without using the unsafe flag, it is not possible to embed images
using data URIs.

[ Tests ]
Joe tested the updated package with a (non public) testcase.

[ Risks ]
Syncs up with upstream fixes after the original fix for
CVE-2023-27586.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Allow handling data-URLs in safe mode as well, using a newly introduced
safe_fetch which fetches the content of a passed URL if it's a data
URL and returns an empty SVG otherwise.

[ Other info ]
None

Regards,
Salvatore
diff -Nru cairosvg-2.5.0/debian/changelog cairosvg-2.5.0/debian/changelog
--- cairosvg-2.5.0/debian/changelog 2023-03-23 20:51:51.0 +0100
+++ cairosvg-2.5.0/debian/changelog 2023-09-06 21:24:37.0 +0200
@@ -1,3 +1,10 @@
+cairosvg (2.5.0-1.1+deb11u2) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Handle data-URLs in safe mode (Closes: #1050643)
+
+ -- Salvatore Bonaccorso   Wed, 06 Sep 2023 21:24:37 +0200
+
 cairosvg (2.5.0-1.1+deb11u1) bullseye-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
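Review bot: `+  * Handle data-URLs in safe mode (Closes: #1050643)` should state that this repairs a regression introduced by the CVE-2023-27586 fix in +deb11u1, so the security tracker and anyone reading the changelog can connect the two uploads.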
diff -Nru cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch 
cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch
--- cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch   
1970-01-01 01:00:00.0 +0100
+++ cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch   
2023-09-06 21:24:37.0 +0200
@@ -0,0 +1,61 @@
+From: Guillaume Ayoub 
+Date: Tue, 18 Apr 2023 14:51:13 +0200
+Subject: Handle data-URLs in safe mode.
+Origin: 
https://github.com/Kozea/CairoSVG/commit/2cbe3066e604af67c31d6651aa3acafe4ae0749d
+Bug: https://github.com/Kozea/CairoSVG/issues/383
+Bug-Debian: https://bugs.debian.org/1050643
+
+Fix #383.
+---
+ cairosvg/parser.py |  5 ++---
+ cairosvg/url.py| 11 +++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/cairosvg/parser.py b/cairosvg/parser.py
+index 61275f0a1073..06a65db5c0e2 100644
+--- a/cairosvg/parser.py
 b/cairosvg/parser.py
+@@ -14,7 +14,7 @@ from defusedxml import ElementTree
+ from . import css
+ from .features import match_features
+ from .helpers import flatten, pop_rotation, rotations
+-from .url import fetch, parse_url, read_url
++from .url import fetch, parse_url, read_url, safe_fetch
+ 
+ # 'display' is actually inherited but handled differently because some markers
+ # are part of a none-displaying group (see test painting-marker-07-f.svg)
+@@ -393,8 +393,7 @@ class Tree(Node):
+ 
+ # Don’t allow fetching external files unless explicitly asked for
+ if 'url_fetcher' not in kwargs and not unsafe:
+-self.url_fetcher = (
+-lambda *args, **kwargs: b'')
++self.url_fetcher = safe_fetch
+ 
+ self.xml_tree = tree
+ root = cssselect2.ElementWrapper.from_xml_root(tree)
+diff --git a/cairosvg/url.py b/cairosvg/url.py
+index b4a78eaf6645..7b184e6e74d9 100644
+--- a/cairosvg/url.py
 b/cairosvg/url.py
+@@ -84,6 +84,17 @@ def fetch(url, resource_type):
+ return urlopen(Request(url, headers=HTTP_HEADERS)).read()
+ 
+ 
++def safe_fetch(url, resource_type):
++"""Fetch the content of ``url`` only if it’s a data-URL.
++
++   
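Review bot: the new `safe_fetch(url, resource_type)` is quoted only as far as its docstring (`Fetch the content of url only if it's a data-URL.`), so the scheme check itself cannot be reviewed here; the point to verify in the full patch is that the test is on the parsed scheme being exactly `data` (case-insensitively), not on a loose string prefix, and that every non-data URL yields the same empty result the removed `lambda *args, **kwargs: b''` gave, otherwise the regression fix would reopen external file loading in safe mode. A regression test for an embedded data-URL image would also have caught the +deb11u1 breakage.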

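The safe_fetch behaviour this request describes (decode a data URL, hand back an empty SVG for anything else), worked through as an added example that is not cairosvg's code; EMPTY_SVG, parse_data_url and the sample URLs are constructed here.

```python
"""Data-URL-only fetcher, added to illustrate the safe_fetch idea from the
cairosvg update above. Not cairosvg's code; EMPTY_SVG is a constructed
stand-in for whatever the project returns for a blocked URL."""
import base64
from urllib.parse import unquote_to_bytes

# Returned for anything that is not a data URL, so an untrusted SVG can never
# trigger file or network access while the renderer runs in safe mode.
EMPTY_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"/>'


def parse_data_url(url):
    """Parse an RFC 2397 data URL into (media_type, payload_bytes).

    Returns None for any other scheme and for malformed data URLs. The scheme
    test is exact and case-insensitive: "data:" only, never a looser prefix.
    """
    if not isinstance(url, str) or url[:5].lower() != "data:":
        return None
    header, sep, data = url[5:].partition(",")
    if not sep:
        return None  # no comma between metadata and payload: malformed
    params = [p.strip() for p in header.split(";")]
    media_type = params[0] or "text/plain"  # RFC 2397 default
    if any(p.lower() == "base64" for p in params[1:]):
        try:
            # validate=True rejects stray characters instead of silently
            # skipping them; whitespace is stripped first as a courtesy.
            payload = base64.b64decode("".join(data.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
    else:
        payload = unquote_to_bytes(data)
    return media_type, payload


def safe_fetch(url, resource_type):
    """Drop-in url_fetcher: decode data URLs, return EMPTY_SVG for all else.

    resource_type is accepted only to match the fetcher signature shown in
    the patch (fetch(url, resource_type)); it plays no part in the decision.
    """
    parsed = parse_data_url(url)
    return EMPTY_SVG if parsed is None else parsed[1]


if __name__ == "__main__":
    for candidate in ("data:image/svg+xml;base64,PHN2Zy8+",
                      "data:text/plain,hello%20world",
                      "https://example.invalid/logo.png"):
        print(candidate, "->", safe_fetch(candidate, "image"))
```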
Bug#1051339: marked as done (bullseye-pu: package horizon/18.6.2-5+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1051339,
regarding bullseye-pu: package horizon/18.6.2-5+deb11u1
to be marked as done.


-- 
1051339: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051339
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: hori...@packages.debian.org
Control: affects -1 + src:horizon

Dear Stable release team,

Horizon in Bookworm is impacted by CVE-2022-45582: Open redirect /
phishing attack via "success_url" parameter. See:

https://bugs.debian.org/1050518

This version of the package includes the upstream patch to fix
the problem.

[ Impact ]
See https://bugs.debian.org/1050518: open redirect in
snapshots edition.

[ Tests ]
The package runs extensive unit tests, and upstream runs extensive
functional tests, so I'm confident nothing broke.

[ Risks ]
Minimal. See above. Plus the patch is very limited in scope.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Please allow me to upload horizon/3:18.6.2-5+deb11u2 to bookworm for
inclusion in the next point release.

Cheers,

Thomas Goirand (zigo)
diff -Nru horizon-18.6.2/debian/changelog horizon-18.6.2/debian/changelog
--- horizon-18.6.2/debian/changelog 2021-09-30 16:41:14.0 +0200
+++ horizon-18.6.2/debian/changelog 2023-09-06 10:20:55.0 +0200
@@ -1,3 +1,11 @@
+horizon (3:18.6.2-5+deb11u2) bullseye; urgency=medium
+
+  * CVE-2022-45582: Open redirect/phishing attack via "success_url" parameter,
+add upstream patch: "Fix success_url parameter issue for Edit Snapshot"
+(Closes: #1050518).
+
+ -- Thomas Goirand   Wed, 06 Sep 2023 10:20:55 +0200
+
 horizon (3:18.6.2-5+deb11u1) bullseye; urgency=medium
 
   * Compile translations at build time.
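Review bot: the version in this hunk, `+horizon (3:18.6.2-5+deb11u2) bullseye; urgency=medium`, does not match the request title (horizon/18.6.2-5+deb11u1); retitle the bug so the release team tracks the version actually uploaded.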
diff -Nru 
horizon-18.6.2/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch
 
horizon-18.6.2/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch
--- 
horizon-18.6.2/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch
1970-01-01 01:00:00.0 +0100
+++ 
horizon-18.6.2/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch
2023-09-06 10:20:55.0 +0200
@@ -0,0 +1,51 @@
+Author: manchandavishal 
+Date: Wed, 14 Sep 2022 22:17:58 +0530
+Description: CVE-2022-45582 Fix success_url parameter issue for Edit Snapshot
+ The "success_url" param is used when updating the project snapshot
+ [1] and it lacks sanitizing the input URL that allows an attacker to
+ redirect the user to another website. This patch update 'Updateview'
+ class to not use the "sucess_url" method.
+Bug: https://launchpad.net/bugs/1982676
+Bug-Debian: https://bugs.debian.org/1050518
+Origin: upstream, https://review.opendev.org/c/openstack/horizon/+/862902
+Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b
+Last-Update: 2023-09-06
+
+Index: horizon/openstack_dashboard/dashboards/project/snapshots/views.py
+===
+--- horizon.orig/openstack_dashboard/dashboards/project/snapshots/views.py
 horizon/openstack_dashboard/dashboards/project/snapshots/views.py
+@@ -12,7 +12,6 @@
+ 
+ from django.urls import reverse
+ from django.urls import reverse_lazy
+-from django.utils.http import urlencode
+ from django.utils.translation import ugettext_lazy as _
+ 
+ from horizon import exceptions
+@@ -104,11 +103,8 @@ class UpdateView(forms.ModalFormView):
+ def get_context_data(self, **kwargs):
+ context = super(UpdateView, self).get_context_data(**kwargs)
+ context['snapshot'] = self.get_object()
+-success_url = self.request.GET.get('success_url', "")
+ args = (self.kwargs['snapshot_id'],)
+-params = urlencode({"success_url": success_url})
+-context['submit_url'] = "?".join([reverse(self.submit_url, args=args),
+-  params])
++context['submit_url'] = reverse(self.submit_url, args=args)
+ return context
+ 
+ def get_initial(self):
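Review bot: the fix removes the attacker-controlled `success_url` query parameter from `submit_url` rather than validating it, which is the sounder choice for a redirect target; but it is only complete if the form's own success-URL handling also stops reading `success_url` from the request. That part falls in the next hunk (`@@ -117,12 +113,6`), which is cut off in this copy, so check the full patch before accepting.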
+@@ -117,12 +113,6 

Bug#1050638: marked as done (bullseye-pu: package clamav/0.103.9+dfsg-0+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1050638,
regarding bullseye-pu: package clamav/0.103.9+dfsg-0+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1050638: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050638
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:clamav
User: release.debian@packages.debian.org
Usertags: pu
Tags: bullseye
Severity: normal

This is a stable update from clamav upstream in the 0.103.x series.
It fixes the following CVE:
- CVE-2023-20197 (Possible DoS in HFS+ file parser).

I excluded the docs update from the attached diff. The resulting diff
is mostly the mentioned CVE plus compiler warnings.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Sebastian
diff -Nru clamav-0.103.8+dfsg/clamonacc/clamonacc.c clamav-0.103.9+dfsg/clamonacc/clamonacc.c
--- clamav-0.103.8+dfsg/clamonacc/clamonacc.c	2023-02-13 01:03:33.0 +0100
+++ clamav-0.103.9+dfsg/clamonacc/clamonacc.c	2023-08-16 08:21:10.0 +0200
@@ -61,7 +61,7 @@
 pthread_t ddd_pid= 0;
 pthread_t scan_queue_pid = 0;
 
-static void onas_handle_signals();
+static void onas_handle_signals(void);
 static int startup_checks(struct onas_context *ctx);
 static struct onas_context *g_ctx = NULL;
 
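Review bot: `static void onas_handle_signals(void);` is the correct spelling of a no-argument prototype: in C before C23 an empty parameter list declares a function taking unspecified arguments, so `-Wstrict-prototypes` warns and a call that passes arguments would not be diagnosed. The same `()` to `(void)` change is applied consistently to the other declarations in this debdiff.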
diff -Nru clamav-0.103.8+dfsg/clamonacc/client/socket.h clamav-0.103.9+dfsg/clamonacc/client/socket.h
--- clamav-0.103.8+dfsg/clamonacc/client/socket.h	2023-02-13 01:03:33.0 +0100
+++ clamav-0.103.9+dfsg/clamonacc/client/socket.h	2023-08-16 08:21:10.0 +0200
@@ -31,4 +31,4 @@
 };
 
 cl_error_t onas_set_sock_only_once(struct onas_context *ctx);
-int onas_get_sockd();
+int onas_get_sockd(void);
diff -Nru clamav-0.103.8+dfsg/clamonacc/c-thread-pool/thpool.c clamav-0.103.9+dfsg/clamonacc/c-thread-pool/thpool.c
--- clamav-0.103.8+dfsg/clamonacc/c-thread-pool/thpool.c	2023-02-13 01:03:33.0 +0100
+++ clamav-0.103.9+dfsg/clamonacc/c-thread-pool/thpool.c	2023-08-16 08:21:10.0 +0200
@@ -8,7 +8,7 @@
  *
  /
 
-#define _POSIX_C_SOURCE 200809L
+#define _GNU_SOURCE
 #include 
 #include 
 #include 
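Review bot: replacing `_POSIX_C_SOURCE 200809L` with `_GNU_SOURCE` exposes the whole GNU extension surface, far more than whatever single non-POSIX declaration this hunk was chasing; a comment naming the symbol thpool.c actually needs would make the change reviewable and stop a later cleanup from narrowing it back and reintroducing the warning.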
diff -Nru clamav-0.103.8+dfsg/clamonacc/inotif/hash.c clamav-0.103.9+dfsg/clamonacc/inotif/hash.c
--- clamav-0.103.8+dfsg/clamonacc/inotif/hash.c	2023-02-13 01:03:33.0 +0100
+++ clamav-0.103.9+dfsg/clamonacc/inotif/hash.c	2023-08-16 08:21:10.0 +0200
@@ -58,7 +58,7 @@
 
 #if defined(HAVE_SYS_FANOTIFY_H)
 
-static struct onas_bucket *onas_bucket_init();
+static struct onas_bucket *onas_bucket_init(void);
 static void onas_free_bucket(struct onas_bucket *bckt);
 static int onas_bucket_insert(struct onas_bucket *bckt, struct onas_element *elem);
 static int onas_bucket_remove(struct onas_bucket *bckt, struct onas_element *elem);
diff -Nru clamav-0.103.8+dfsg/clamonacc/inotif/inotif.c clamav-0.103.9+dfsg/clamonacc/inotif/inotif.c
--- clamav-0.103.8+dfsg/clamonacc/inotif/inotif.c	2023-02-13 01:03:33.0 +0100
+++ clamav-0.103.9+dfsg/clamonacc/inotif/inotif.c	2023-08-16 08:21:10.0 +0200
@@ -66,7 +66,7 @@
 
 static int onas_ddd_init_ht(uint32_t ht_size);
 static int onas_ddd_init_wdlt(uint64_t nwatches);
-static int onas_ddd_grow_wdlt();
+static int onas_ddd_grow_wdlt(void);
 
 static int onas_ddd_watch(const char *pathname, int fan_fd, uint64_t fan_mask, int in_fd, uint64_t in_mask);
 static int onas_ddd_watch_hierarchy(const char *pathname, size_t len, int fd, uint64_t mask, uint32_t type);
diff -Nru clamav-0.103.8+dfsg/clamonacc/scan/onas_queue.c clamav-0.103.9+dfsg/clamonacc/scan/onas_queue.c
--- clamav-0.103.8+dfsg/clamonacc/scan/onas_queue.c	2023-02-13 01:03:33.0 +0100
+++ clamav-0.103.9+dfsg/clamonacc/scan/onas_queue.c	2023-08-16 08:21:10.0 +0200
@@ -82,7 +82,7 @@
 return CL_SUCCESS;
 }
 
-static void *onas_init_event_queue()
+static void *onas_init_event_queue(void)
 {
 
 if (CL_EMEM == onas_new_event_queue_node(_onas_event_queue_head)) {
@@ -122,7 +122,7 @@
 return;
 }
 
-static void onas_destroy_event_queue()
+static void onas_destroy_event_queue(void)
 {
 
 if (NULL == g_onas_event_queue_head) {
@@ -200,7 +200,7 @@
 pthread_cleanup_pop(1);
 }
 
-static int 

Bug#1050538: marked as done (bullseye-pu: package batik/1.12-4+deb11u2)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1050538,
regarding bullseye-pu: package batik/1.12-4+deb11u2
to be marked as done.



-- 
1050538: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050538
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ba...@packages.debian.org
Control: affects -1 + src:batik

Dear Release Team,

I would like to propose an upload of batik in the next point release.

[ Reason ]
CVE-2022-44729 and CVE-2022-44730 have been filed against batik. They are fixed
in sid (and soon trixie). I discussed this with the Security team; they said a DSA is
not needed but suggested fixing the CVEs in bullseye in a point release.

The two CVEs are corrected by backporting upstream changes.

[ Impact ]
The two CVEs would remain:
``A malicious SVG can probe user profile / data and send it directly as
parameter to a URL.''
and
``A malicious SVG could trigger loading external resources by default, causing
resource consumption or in some cases even information disclosure.''

[ Tests ]
The rdeps using the classes touched by upstream corrections were rebuilt in a 
bullseye chroot. No additional tests were made.

[ Risks ]
Code is quite trivial and it is a direct backport of changes made in version
1.17, currently in sid. Risks due to the changes in the code are quite limited
in my opinion, but batik has many rdeps so you might consider the security
risks are not important enough to deserve an update in a point release.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in oldstable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Changes are in 7 files and consist of:
- Blocking loading of external resources by default
http://svn.apache.org/viewvc?view=revision=1905049
- Switching to empty whitelist of packages for the class RhinoClassShutter
https://svn.apache.org/viewvc?view=revision=1905011

Thanks for your attention,

-- 
Pierre
diff -Nru batik-1.12/debian/changelog batik-1.12/debian/changelog
--- batik-1.12/debian/changelog 2022-10-29 16:22:11.0 +0200
+++ batik-1.12/debian/changelog 2023-08-25 11:07:07.0 +0200
@@ -1,3 +1,10 @@
+batik (1.12-4+deb11u2) bullseye; urgency=medium
+
+  * Team upload.
+  * Fixing CVE-2022-44729 and CVE-2022-44730
+
+ -- Pierre Gruet   Fri, 25 Aug 2023 11:07:07 +0200
+
 batik (1.12-4+deb11u1) bullseye-security; urgency=high
 
   * Team upload.
diff -Nru batik-1.12/debian/patches/CVE-2022-447xx.patch 
batik-1.12/debian/patches/CVE-2022-447xx.patch
--- batik-1.12/debian/patches/CVE-2022-447xx.patch  1970-01-01 
01:00:00.0 +0100
+++ batik-1.12/debian/patches/CVE-2022-447xx.patch  2023-08-25 
11:06:23.0 +0200
@@ -0,0 +1,199 @@
+Description: fixing CVE-2022-44729 and CVE-2022-44730
+ by applying the file changes of upstream commits fixing the CVE
+Author: Pierre Gruet 
+Origin: upstream, https://issues.apache.org/jira/browse/BATIK-1347 and 
https://issues.apache.org/jira/browse/BATIK-1349
+Forwarded: not-needed
+Last-Update: 2023-08-24
+
+--- 
a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
 
b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
+@@ -74,6 +74,9 @@
+ParsedURL docURL){
+ // Make sure that the archives comes from the same host
+ // as the document itself
++if (DATA_PROTOCOL.equals(externalResourceURL.getProtocol())) {
++return;
++}
+ if (docURL == null) {
+ se = new SecurityException
+ (Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL,
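Review bot: the new `DATA_PROTOCOL` early return is placed before the `docURL == null` check, so inline `data:` resources are accepted even when no document URL is known. That is reasonable, since a data URL carries no host to compare against the document's, but a one-line comment saying so would help the next reader; `DATA_PROTOCOL` itself is not visible in this hunk, so confirm it is defined in this class or an ancestor.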
+--- 
a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
 
b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
+@@ -20,6 +20,7 @@
+ 
+ import org.mozilla.javascript.ClassShutter;
+ import java.util.Arrays;
++import java.util.ArrayList;
+ import java.util.List;
+ 
+ /**
+@@ -29,7 +30,7 @@
+  * @version $Id: RhinoClassShutter.java 1733416 2016-03-03 07:07:13Z gadams $
+  */
+ public class RhinoClassShutter implements ClassShutter {
+-private static 

Bug#1050333: marked as done (bullseye-pu: package ltsp/21.01-1+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1050333,
regarding bullseye-pu: package ltsp/21.01-1+deb11u1
to be marked as done.



-- 
1050333: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050333
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: l...@packages.debian.org, alk...@gmail.com, vagr...@debian.org
Control: affects -1 + src:ltsp

Similar to the bookworm-pu #1050090 for ltsp, the same fix needs to land
in Debian bullseye. However, we gained more knowledge about it (see under
IMPORTANT below).

While preparing the initial Debian Edu 12 release, we came across a problem in
LTSP. Thin client machines and diskless workstations started failing to boot
from NFS-located chroot environments.

[ Reason ]
The underlying cause is a regression in the linux kernel since version 5.15
(see #1049885 [1]) for details.

A workaround could be found for LTSP in Debian 12 (it is not just a
Debian Edu problem). This upload provides this workaround and brings
back above named functionality (PXE-booting Debian systems via LTSP
when the system is a chroot tree on NFS).

IMPORTANT: Why provide this fix for bullseye then? The design in recent LTSP
is that the LTSP host creates a kind of ltsp-initrd containing the LTSP
software. This ltsp-initrd gets created by the host and is then used for
whatever target OS shall be booted. The kernel comes from the target OS, but
the ltsp-initrd comes from the LTSP host.

If one wants to boot into a bookworm LTSP system (e.g. via PXE) and this bookworm
system gets served by a bullseye LTSP host, then the startup failure described
in [1] occurs. So, the ltsp-initrd needs the proposed patch, which needs to be
shipped in the Debian version of the LTSP host, thus (in this example) Debian
bullseye.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049885

[ Impact ]
LTSP clients with a rootfs containing a kernel newer than 5.15 can't be booted
with LTSP (from a bullseye LTSP host) if rootfs is on NFS.

[ Tests ]
Manual tests on a Debian Edu 11 network.

[ Risks ]
Another regression might have been introduced into LTSP with that workaround.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

+  * debian/patches:
++ Add 0001_Avoid-mv-on-init-symlink-in-order-to-work-around-ove.patch
+  (cherry-picked from upstream). Avoid mv on init symlink in order to
+  work around overlayfs issue. (Closes: #1049397).

[ Other info ]
This issue has been discussed with and approved by LTSP upstream.

See: https://github.com/ltsp/ltsp/issues/860#issuecomment-1682047744
diff -Nru ltsp-21.01/debian/changelog ltsp-21.01/debian/changelog
--- ltsp-21.01/debian/changelog 2021-01-11 23:22:12.0 +0100
+++ ltsp-21.01/debian/changelog 2023-08-22 18:32:24.0 +0200
@@ -1,3 +1,12 @@
+ltsp (21.01-1+deb11u1) bullseye; urgency=medium
+
+  * debian/patches:
++ Add 0001_Avoid-mv-on-init-symlink-in-order-to-work-around-ove.patch
+  (cherry-picked from upstream). Avoid mv on init symlink in order to
+  work around overlayfs issue. (Closes: #1049397).
+
+ -- Mike Gabriel   Tue, 22 Aug 2023 18:32:24 +0200
+
 ltsp (21.01-1) unstable; urgency=medium
 
   [ Alkis Georgopoulos ]
diff -Nru 
ltsp-21.01/debian/patches/0001_Avoid-mv-on-init-symlink-in-order-to-work-around-ove.patch
 
ltsp-21.01/debian/patches/0001_Avoid-mv-on-init-symlink-in-order-to-work-around-ove.patch
--- 
ltsp-21.01/debian/patches/0001_Avoid-mv-on-init-symlink-in-order-to-work-around-ove.patch
   1970-01-01 01:00:00.0 +0100
+++ 
ltsp-21.01/debian/patches/0001_Avoid-mv-on-init-symlink-in-order-to-work-around-ove.patch
   2023-08-22 18:32:24.0 +0200
@@ -0,0 +1,26 @@
+From 19ccbb7c4a5daeebacb4157bea772e26c3fb0f44 Mon Sep 17 00:00:00 2001
+From: gber 
+Date: Thu, 17 Aug 2023 09:45:49 +0200
+Subject: [PATCH] Avoid mv on init symlink in order to work around overlayfs
+ issue (#860)
+
+Signed-off-by: Mike Gabriel 
+---
+ ltsp/client/initrd-bottom/55-initrd-bottom.sh | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- 

Bug#1050121: marked as done (bullseye-pu: package cryptmount/5.3.3-1+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1050121,
regarding bullseye-pu: package cryptmount/5.3.3-1+deb11u1
to be marked as done.



-- 
1050121: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050121
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Version: 5.3.3-1
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: rwpen...@users.sourceforge.net
Control: affects -1 + src:cryptmount

[ Reason ]
When cryptmount is passed invalid command-line arguments, it is likely
to crash with a SEGV error due to inappropriately zeroed memory passed
to getopt_long().

[ Impact ]
The absence of error-messages when invalid command-line arguments are supplied
affects usability. The use of uninitialized memory with a setuid binary is,
potentially, a security risk.

[ Tests ]
The fix involves a single-line change to replace a call to malloc()
with one to calloc(). This has been tested manually on invalid command-line
arguments, and the upstream "mudslinger" test-suite has been used for regression
tests across a wide range of usage scenarios.

[ Risks ]
The proposed change has very little risk of side-effects.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in bullseye
  [x] the issue is verified as fixed in unstable

[ Changes ]
A call to malloc() prior to using getopt_long() has been replaced by
a similar call to calloc().
diff -Nru cryptmount-5.3.3/debian/changelog cryptmount-5.3.3/debian/changelog
--- cryptmount-5.3.3/debian/changelog   2021-01-01 14:34:20.0 +
+++ cryptmount-5.3.3/debian/changelog   2023-07-20 11:30:00.0 +0100
@@ -1,3 +1,12 @@
+cryptmount (5.3.3-1+deb11u1) bullseye; urgency=low
+
+  * Fix for memory-initialization in command-line parser (bug#1038384)
+- one-line change to source-code, replacing malloc() with calloc()
+- reduces risk of SEGV crashes when handling unrecognized
+  command-line options
+
+ -- RW Penney   Sun, 20 Jul 2023 10:30:00 +
+
 cryptmount (5.3.3-1) unstable; urgency=low
 
   * New upstream release
diff -Nru cryptmount-5.3.3/debian/patches/docfiles-pathnames.patch 
cryptmount-5.3.3/debian/patches/docfiles-pathnames.patch
--- cryptmount-5.3.3/debian/patches/docfiles-pathnames.patch2021-01-01 
15:19:51.0 +
+++ cryptmount-5.3.3/debian/patches/docfiles-pathnames.patch2023-07-20 
11:30:00.0 +0100
@@ -1,4 +1,7 @@
-Correct installation pathnames in documentation
+Description: Correct installation pathnames in documentation
+ Some documentation files not installed except in Debian packaging
+Author: RW Penney 
+Forwarded: not-needed
 --- a/README
 +++ b/README
 @@ -64,7 +64,7 @@
diff -Nru cryptmount-5.3.3/debian/patches/getopt-initialization.patch 
cryptmount-5.3.3/debian/patches/getopt-initialization.patch
--- cryptmount-5.3.3/debian/patches/getopt-initialization.patch 1970-01-01 
01:00:00.0 +0100
+++ cryptmount-5.3.3/debian/patches/getopt-initialization.patch 2023-07-01 
08:05:21.0 +0100
@@ -0,0 +1,14 @@
+Description: Fix memory initialization error in command-line parser
+Author: RW Penney 
+Forwarded: not-needed
+--- a/cryptmount.c
 b/cryptmount.c
+@@ -1372,7 +1372,7 @@
+ #ifdef _GNU_SOURCE
+ struct option *longopts;
+ 
+-longopts = (struct option*)malloc((n_options + 1) * sizeof(struct 
option));
++longopts = (struct option*)calloc(n_options + 1, sizeof(struct option));
+ for (i=0; i--- End Message ---
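Review bot: `calloc(n_options + 1, ...)` is the right fix: getopt_long() scans `longopts` until it meets an all-zero `struct option`, and malloc() left that terminator uninitialised, so an unrecognised option sent the scan past the end of the table. Two small follow-ups: the `(struct option*)` cast is unnecessary in C, and the result is still not checked for NULL before the loop that fills the table.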
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---
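The cryptmount report above comes down to a single malloc() to calloc() change in the command-line parser. The following is an added C example, not cryptmount's code, showing why the terminator of a getopt_long() table must be zeroed and what a parser that rejects unknown options without crashing looks like; the option names `--verbose`/`--config`, the `cli_opts` struct and the function names are constructed for this demo.

```c
/* Added example (not cryptmount's code): a long-option table allocated with
 * calloc() so that the sentinel entry getopt_long() scans for is all-zero. */
#define _GNU_SOURCE
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cli_opts {
    int verbose;          /* number of times --verbose/-v was given */
    const char *config;   /* argument of --config/-c, or NULL */
    int unknown;          /* count of rejected options / missing arguments */
};

/* Hypothetical option set for this demo. */
static const struct option k_defs[] = {
    {"verbose", no_argument,       NULL, 'v'},
    {"config",  required_argument, NULL, 'c'},
};
static const size_t k_ndefs = sizeof k_defs / sizeof k_defs[0];

/* Copy n option definitions into a freshly calloc()'d table of n + 1 entries.
 * getopt_long() walks the table until it finds an entry whose name is NULL;
 * malloc() would leave that terminator uninitialised, so an unknown option
 * makes getopt_long() read garbage past the real entries (the cryptmount SEGV). */
struct option *build_longopts(const struct option *defs, size_t n)
{
    struct option *longopts = calloc(n + 1, sizeof *longopts);
    if (longopts == NULL)
        return NULL;
    memcpy(longopts, defs, n * sizeof *longopts);
    return longopts;   /* longopts[n] is the zeroed terminator */
}

/* Parse argv into *out. Returns 0 on success, 1 if any option was rejected,
 * -1 on allocation failure. Bad input is reported, never crashed on. */
int parse_cmdline(int argc, char **argv, struct cli_opts *out)
{
    memset(out, 0, sizeof *out);
    struct option *longopts = build_longopts(k_defs, k_ndefs);
    if (longopts == NULL)
        return -1;

    optind = 0;   /* glibc: reinitialise getopt state so this is re-callable */
    opterr = 0;   /* report errors through the return value, not stderr */

    int c;
    while ((c = getopt_long(argc, argv, "vc:", longopts, NULL)) != -1) {
        switch (c) {
        case 'v':
            out->verbose++;
            break;
        case 'c':
            out->config = optarg;
            break;
        default:   /* '?': unknown option or missing required argument */
            out->unknown++;
            break;
        }
    }
    free(longopts);
    return out->unknown ? 1 : 0;
}

int main(int argc, char **argv)
{
    struct cli_opts o;
    int rc = parse_cmdline(argc, argv, &o);
    printf("rc=%d verbose=%d config=%s unknown=%d\n", rc, o.verbose,
           o.config ? o.config : "(none)", o.unknown);
    return rc < 0 ? 2 : rc;
}
```

Running it with `--no-such-option` returns 1 and reports one rejected option instead of faulting; the same table built with malloc() has no guaranteed terminator, and whether it crashes depends on whatever bytes happen to follow the last real entry.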


Bug#1050332: marked as done (bullseye-pu: package inetutils/2:2.0-1+deb11u2)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1050332,
regarding bullseye-pu: package inetutils/2:2.0-1+deb11u2
to be marked as done.



-- 
1050332: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050332
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: inetut...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:inetutils

Hi!

[ Reason ]

This update fixes a minor security issue that the security team did
not feel was worth a DSA. It is now fixed already in unstable and testing.

[ Impact ]

It could lead to security issues.

[ Tests ]

The only relevant part of the patch is the one involving ftpd, which
still works as expected after the patch.

[ Risks ]

The risks seem minimal, as it is only adding checks for the return
codes of the set*id() functions.

[ Checklist ]

  [√] *all* changes are documented in the d/changelog
  [√] I reviewed all changes and I approve them
  [√] attach debdiff against the package in (old)stable
  [√] the issue is verified as fixed in unstable

[ Changes ]

  * Add patch from upstream to check return values for set*id() functions.
Fixes CVE-2023-40303. (Closes: #1049365)

Thanks,
Guillem
diff -Nru inetutils-2.0/debian/changelog inetutils-2.0/debian/changelog
--- inetutils-2.0/debian/changelog  2022-08-30 13:34:41.0 +0200
+++ inetutils-2.0/debian/changelog  2023-08-23 12:05:48.0 +0200
@@ -1,3 +1,10 @@
+inetutils (2:2.0-1+deb11u2) bullseye; urgency=medium
+
+  * Add patch from upstream to check return values for set*id() functions.
+Fixes CVE-2023-40303. (Closes: #1049365)
+
+ -- Guillem Jover   Wed, 23 Aug 2023 12:05:48 +0200
+
 inetutils (2:2.0-1+deb11u1) bullseye; urgency=medium
 
   * telnet: Add checks for option reply parsing limits causing buffer
diff -Nru 
inetutils-2.0/debian/patches/0002-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-check-set-id-retu.patch
 
inetutils-2.0/debian/patches/0002-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-check-set-id-retu.patch
--- 
inetutils-2.0/debian/patches/0002-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-check-set-id-retu.patch
1970-01-01 01:00:00.0 +0100
+++ 
inetutils-2.0/debian/patches/0002-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-check-set-id-retu.patch
2023-08-23 12:05:48.0 +0200
@@ -0,0 +1,283 @@
+From 8dd3c8bae7f95fc096bd36efdf62cc33250074dc Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux 
+Date: Fri, 30 Jun 2023 19:02:45 +0200
+Subject: [PATCH 2/2] ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check set*id()
+ return values
+
+Several setuid(), setgid(), seteuid() and setguid() return values
+were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially
+leading to potential security issues.
+
+Signed-off-by: Jeffrey Bencteux 
+Signed-off-by: Simon Josefsson 
+Fixes: CVE-2023-40303
+Closes: #1049365
+Forwarded: not-needed
+Origin: upstream, commit:e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
+---
+ ftpd/ftpd.c  | 10 +++---
+ src/rcp.c| 39 +--
+ src/rlogin.c | 11 +--
+ src/rsh.c| 25 +
+ src/rshd.c   | 20 +---
+ src/uucpd.c  | 15 +--
+ 6 files changed, 100 insertions(+), 20 deletions(-)
+
+diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c
+index 92b2cca5..28dd523f 100644
+--- a/ftpd/ftpd.c
 b/ftpd/ftpd.c
+@@ -862,7 +862,9 @@ end_login (struct credentials *pcred)
+   char *remotehost = pcred->remotehost;
+   int atype = pcred->auth_type;
+ 
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++_exit (EXIT_FAILURE);
++
+   if (pcred->logged_in)
+ {
+   logwtmp_keep_open (ttyline, "", "");
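Review bot: `_exit (EXIT_FAILURE)` when `seteuid (0)` fails is the right fail-closed response, but in end_login() it now runs before `logwtmp_keep_open (ttyline, "", "")`, so the session's logout record is skipped on that path; a syslog() of errno before the `_exit` would let an operator tell a capability or configuration problem from a crash.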
+@@ -1151,7 +1153,8 @@ getdatasock (const char *mode)
+ 
+   if (data >= 0)
+ return fdopen (data, mode);
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++_exit (EXIT_FAILURE);
+   s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0);
+   if (s < 0)
+ goto bad;
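Review bot: in getdatasock() a failed `seteuid (0)` now terminates the process with `_exit`, whereas the very next failure (`socket` returning < 0) takes the existing `goto bad` error path; routing the seteuid failure through the same `bad:` label with errno preserved would keep the caller's error reporting uniform instead of having two different failure behaviours three lines apart.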
+@@ -1978,7 +1981,8 @@ passive (int epsv, int af)
+   else/* !AF_INET6 */
+ ((struct sockaddr_in *) _addr)->sin_port = 0;
+ 
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++_exit (EXIT_FAILURE);
+   if (bind (pdata, (struct sockaddr *) _addr, pasv_addrlen) < 0)
+ {
+   if (seteuid ((uid_t) cred.uid))
+diff 
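The inetutils patch wraps ftpd's temporary re-escalation (`seteuid (0)`) in return-value checks. As an added example that is not inetutils code, the helper below shows the complementary permanent-drop case with every set*id() result checked and the outcome verified through getres*id(); `drop_privileges` and `cannot_regain_root` are names chosen here.

```c
/* Added example (not inetutils code): checked, verified privilege drop. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid, checking every call and then verifying the
 * kernel's view through getresuid()/getresgid().  Returns 0 on success,
 * -1 (errno set) if any step failed or the resulting ids do not match. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    /* Supplementary groups first, while we may still hold the privilege to
     * clear them; an unprivileged caller is not allowed to call setgroups(). */
    if (geteuid() == 0 && setgroups(0, NULL) == -1)
        return -1;

    /* Group before user: once the uid is gone, setresgid() would be refused. */
    if (setresgid(gid, gid, gid) == -1)
        return -1;
    if (setresuid(uid, uid, uid) == -1)
        return -1;

    /* Verify: a partially applied drop (e.g. saved id untouched) must fail. */
    if (getresuid(&ru, &eu, &su) == -1 || ru != uid || eu != uid || su != uid) {
        errno = EPERM;
        return -1;
    }
    if (getresgid(&rg, &eg, &sg) == -1 || rg != gid || eg != gid || sg != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Returns 1 when privileges are really gone: an attempt to become uid 0 is
 * refused with EPERM.  Returns 0 while still running as root. */
int cannot_regain_root(void)
{
    if (geteuid() == 0)
        return 0;
    return setresuid(0, 0, 0) == -1 && errno == EPERM;
}

int main(void)
{
    /* Demo: dropping to our own ids always succeeds and is verifiable. */
    if (drop_privileges(getuid(), getgid()) == -1) {
        perror("drop_privileges");
        return 1;
    }
    printf("uid=%u gid=%u regain-root-blocked=%d\n",
           (unsigned)geteuid(), (unsigned)getegid(), cannot_regain_root());
    return 0;
}
```

The verification step is what the patch's `if (seteuid (...) == -1)` checks hint at but do not provide: a set*id() call can return 0 while leaving a saved id behind, and only reading the ids back proves the process is where it thinks it is.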

Bug#1050119: marked as done (bullseye-pu: package unrar-nonfree/1:6.0.3-1+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1050119,
regarding bullseye-pu: package unrar-nonfree/1:6.0.3-1+deb11u1
to be marked as done.



-- 
1050119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050119
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org


Hi,

[ Reason ]

unrar-nonfree is affected by CVE-2022-48579 in Bullseye. non-free
packages are not supported by the security team, but it still makes
sense to fix this issue via a point update.

[ Impact ]

unrar-nonfree would continue to be affected by CVE-2022-48579.

[ Tests ]

I have manually created a rar archive which includes several symlinks
pointing to each other, files with relative paths and special
characters and in all cases unrar-nonfree seems to do the right thing.
An official reproducer was not available.

[ Risks ]

If I made a mistake there should be an unpack error or something
similar, which is not the case. Command switches didn't change so an
external program like xarchiver continues to work as expected.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable


[ Other info ]

Maintainer approves point update. (#1050080)
diff -Nru unrar-nonfree-6.0.3/debian/changelog 
unrar-nonfree-6.0.3/debian/changelog
--- unrar-nonfree-6.0.3/debian/changelog2022-05-10 13:26:16.0 
+0200
+++ unrar-nonfree-6.0.3/debian/changelog2023-08-20 09:58:26.0 
+0200
@@ -1,3 +1,13 @@
+unrar-nonfree (1:6.0.3-1+deb11u2) bullseye; urgency=high
+
+  * Non maintainer upload.
+  * Fix CVE-2022-48579:
+It was discovered that UnRAR, an unarchiver for rar files, allows
+extraction of files outside of the destination folder via symlink chains.
+(Closes: #1050080)
+
+ -- Markus Koschany   Sun, 20 Aug 2023 09:58:26 +0200
+
 unrar-nonfree (1:6.0.3-1+deb11u1) bullseye; urgency=high
 
   * Fix CVE-2022-30333 (Closes: #1010837)
diff -Nru unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch 
unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch
--- unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch
1970-01-01 01:00:00.0 +0100
+++ unrar-nonfree-6.0.3/debian/patches/0013-CVE-2022-48579.patch
2023-08-20 09:58:26.0 +0200
@@ -0,0 +1,429 @@
+From: Markus Koschany 
+Date: Mon, 14 Aug 2023 15:43:54 +0200
+Subject: CVE-2022-48579
+
+Origin: 
https://github.com/pmachapman/unrar/commit/2ecab6bb5ac4f3b88f270218445496662020205f
+---
+ arcread.cpp   |  4 ++-
+ extinfo.cpp   | 89 +++
+ extinfo.hpp   |  3 +-
+ extract.cpp   | 44 +
+ extract.hpp   |  6 
+ hardlinks.cpp |  2 --
+ model.cpp |  6 ++--
+ os.hpp|  1 +
+ pathfn.cpp| 14 +++---
+ timefn.hpp| 11 
+ ulinks.cpp|  6 ++--
+ win32stm.cpp  |  9 --
+ 12 files changed, 170 insertions(+), 25 deletions(-)
+
+diff --git a/arcread.cpp b/arcread.cpp
+index d1df6c0..63858d9 100644
+--- a/arcread.cpp
 b/arcread.cpp
+@@ -1441,7 +1441,9 @@ bool Archive::ReadSubData(Array *UnpData,File 
*DestFile,bool TestMode)
+   {
+ if (SubHead.UnpSize>0x100)
+ {
+-  // So huge allocation must never happen in valid archives.
++  // Prevent the excessive allocation. When reading to memory, normally
++  // this function operates with reasonably small blocks, such as
++  // the archive comment, NTFS ACL or "Zone.Identifier" NTFS stream.
+   uiMsg(UIERROR_SUBHEADERUNKNOWN,FileName);
+   return false;
+ }
+diff --git a/extinfo.cpp b/extinfo.cpp
+index 5cb90a4..0f25f31 100644
+--- a/extinfo.cpp
 b/extinfo.cpp
+@@ -112,6 +112,68 @@ static bool LinkInPath(const wchar *Name)
+ }
+ 
+ 
++// Delete symbolic links in file path, if any, and replace them by 
directories.
++// Prevents extracting files outside of destination folder with symlink 
chains.
++bool LinksToDirs(const wchar *SrcName,const wchar *SkipPart,std::wstring 
)
++{
++  // Unlike Unix, Windows doesn't expand lnk1 in symlink targets like
++  // "lnk1/../dir", but converts the path to "dir". In Unix 
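The unrar fix (`LinksToDirs`) rewrites symlinks in a member's path into real directories before extracting. The added C example below, which is not unrar's code, shows the check-side form of the same defence: resolve the directory that would receive the member through realpath() and refuse it when the real parent lies outside the extraction root. The fixture (`make_fixture`, a temporary directory holding a real `sub` directory and a `lnk` symlink pointing to `/`) is constructed for the demo.

```c
/* Added example (not unrar's code): containment check for extraction paths. */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if the directory that would receive archive member `member`
 * (relative to extraction root `dest`) resolves, symlinks included, to a
 * location inside `dest`; 0 if it escapes; -1 on error.  The parent must
 * already exist, since realpath() only resolves existing components; an
 * extractor calls this immediately before creating each file. */
int parent_within_dest(const char *dest, const char *member)
{
    char dest_real[PATH_MAX], parent_real[PATH_MAX], joined[PATH_MAX];

    if (realpath(dest, dest_real) == NULL)
        return -1;
    if (snprintf(joined, sizeof joined, "%s/%s", dest, member) >= (int)sizeof joined)
        return -1;

    /* Drop the final component: the file itself need not exist yet. */
    char *slash = strrchr(joined, '/');
    if (slash == NULL)
        return -1;
    *slash = '\0';

    /* Resolve every symlink in the parent chain, however many hops. */
    if (realpath(joined, parent_real) == NULL)
        return -1;

    size_t n = strlen(dest_real);
    if (n == 1 && dest_real[0] == '/')
        return 1;   /* extracting into "/" cannot escape "/" */
    if (strncmp(parent_real, dest_real, n) != 0)
        return 0;
    /* "/x/dest" must not match "/x/destination": require a boundary. */
    return (parent_real[n] == '\0' || parent_real[n] == '/') ? 1 : 0;
}

/* Constructed fixture: fresh temp dir with a real "sub" directory and a
 * "lnk" symlink pointing outside, to "/".  Writes the root into `root`
 * (at least PATH_MAX bytes).  Returns 0 or -1. */
int make_fixture(char *root)
{
    char tmpl[] = "/tmp/extract_demo_XXXXXX";
    char path[PATH_MAX];

    if (mkdtemp(tmpl) == NULL)
        return -1;
    if (snprintf(root, PATH_MAX, "%s", tmpl) >= PATH_MAX)
        return -1;
    if (snprintf(path, sizeof path, "%s/sub", root) >= (int)sizeof path)
        return -1;
    if (mkdir(path, 0700) == -1)
        return -1;
    if (snprintf(path, sizeof path, "%s/lnk", root) >= (int)sizeof path)
        return -1;
    if (symlink("/", path) == -1)
        return -1;
    return 0;
}

/* Best-effort cleanup of the fixture. */
void remove_fixture(const char *root)
{
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/lnk", root) < (int)sizeof path)
        unlink(path);
    if (snprintf(path, sizeof path, "%s/sub", root) < (int)sizeof path)
        rmdir(path);
    rmdir(root);
}

int main(void)
{
    char root[PATH_MAX];
    if (make_fixture(root) == -1) {
        perror("make_fixture");
        return 1;
    }
    printf("sub/notes.txt   -> %d\n", parent_within_dest(root, "sub/notes.txt"));
    printf("lnk/escaped.txt -> %d\n", parent_within_dest(root, "lnk/escaped.txt"));
    remove_fixture(root);
    return 0;
}
```

A lexical check on the member name alone ("no `..`, no absolute path") passes `lnk/escaped.txt`, because nothing in the string looks suspicious; only resolving the already-extracted `lnk` on disk reveals that the write would land outside the root, which is exactly the symlink-chain case the CVE describes.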

Bug#1042057: marked as done (bullseye-pu: package pandoc/2.9.2.1-1+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1042057,
regarding bullseye-pu: package pandoc/2.9.2.1-1+deb11u1
to be marked as done.



-- 
1042057: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1042057
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pan...@packages.debian.org, Guilhem Moulin 
Control: affects -1 + src:pandoc

[ Reason ]

pandoc 2.9.2.1-1 is vulnerable to CVE-2023-35936: Arbitrary file write
vulnerability via specially crafted image element in the input when generating
files using the `--extract-media` option or outputting to PDF format.

The Security Team decided not to issue a DSA for that CVE, but it's now fixed in
buster-security (2.2.1-3+deb10u1) as well as sid (2.17.1.1-2), so it makes sense
to fix it via (o)s-pu too.

[ Impact ]

For users upgrading from buster-security to bullseye, that would be a security
regression.

[ Tests ]

A new unit test was added upstream, and backported along with the code fixes. The
test suite is now run at build time (this was not the case before due to
#1010179 — in fact some unit tests had to be updated for the suite to pass). I
also manually verified that the PoCs were fixed.

[ Risks ]

The upstream fixes were not trivial to backport due to major refactoring, but test
coverage is good. (Upstream changes to pandoc.cabal are a no-op as far as debian
packaging is concerned.)

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]

  * Add d/salsa-ci.yml for Salsa CI.
  * Fix upstream test suite and make sure it is run at build time (cf. 
#1010179).
  * Fix CVE-2023-35936 and CVE-2023-38745: Arbitrary file write vulnerability
via specially crafted image element in the input when generating files using
the `--extract-media` option or outputting to PDF format. (Closes: #1041976)

-- 
Guilhem.
diffstat for pandoc-2.9.2.1 pandoc-2.9.2.1

 changelog |   13 +
 patches/2001_templates_avoid_privacy_breach.patch |   72 ++-
 patches/Adjust-tests.patch|  133 
 patches/CVE-2023-35936.patch  |  144 ++
 patches/CVE-2023-38745.patch  |   92 ++
 patches/series|3 
 rules |2 
 salsa-ci.yml  |8 +
 8 files changed, 462 insertions(+), 5 deletions(-)

diff -Nru pandoc-2.9.2.1/debian/changelog pandoc-2.9.2.1/debian/changelog
--- pandoc-2.9.2.1/debian/changelog 2020-08-23 10:24:33.0 +0200
+++ pandoc-2.9.2.1/debian/changelog 2023-07-21 19:59:53.0 +0200
@@ -1,3 +1,16 @@
+pandoc (2.9.2.1-1+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload.
+  * Add d/salsa-ci.yml for Salsa CI.
+  * Fix upstream test suite and make sure it is run at build time (cf.
+#1010179).
+  * Fix CVE-2023-35936 and CVE-2023-38745: Arbitrary file write vulnerability
+via specially crafted image element in the input when generating files
+using the `--extract-media` option or outputting to PDF format. (Closes:
+#1041976)
+
+ -- Guilhem Moulin   Fri, 21 Jul 2023 19:59:53 +0200
+
 pandoc (2.9.2.1-1) unstable; urgency=medium
 
   [ upstream ]
diff -Nru 
pandoc-2.9.2.1/debian/patches/2001_templates_avoid_privacy_breach.patch 
pandoc-2.9.2.1/debian/patches/2001_templates_avoid_privacy_breach.patch
--- pandoc-2.9.2.1/debian/patches/2001_templates_avoid_privacy_breach.patch 
2020-08-23 09:39:53.0 +0200
+++ pandoc-2.9.2.1/debian/patches/2001_templates_avoid_privacy_breach.patch 
2023-07-21 19:59:53.0 +0200
@@ -1,9 +1,12 @@
 Description: Avoid potential privacy breaches in templates
 Author: Jonas Smedegaard 
 License: GPL-3+
-Last-Update: 2018-06-12
+Last-Update: 2023-07-21
 ---
 This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+
+diff --git a/data/dzslides/template.html b/data/dzslides/template.html
+index 56ef896..c3c4c9e 100644
 --- a/data/dzslides/template.html
 +++ 

Bug#1050044: marked as done (bullseye-pu: package rar/2:5.5.0-1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1050044,
regarding bullseye-pu: package rar/2:5.5.0-1
to be marked as done.



-- 
1050044: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050044
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

Hello,

[ Reason ]

I would like to update rar in bullseye because it is affected by
CVE-2022-30333. This issue has been fixed in all other suites already
and it makes sense to address this problem in bullseye too. A backport
is the only sensible approach because rar is closed source.

[ Impact ]

The RAR archiver would continue to be vulnerable.

[ Tests ]

Unfortunately rar is just a non-free binary without source code, so I
had to rely on manual testing. Since there was not enough information
available to reproduce the problem, I created a normal rar archive
with random files and folders and another one which consisted of
several symlinks and files with relative paths. The extract operation
seems to work correctly in both cases.

[ Risks ]

I'm not aware of any major changes like different command switches
etc. but rar is non-free and closed source, so there is always some
kind of risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

I don't attach a debdiff because of the closed source binary of rar.
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1041475: marked as done (bullseye-pu: package hnswlib/0.4.0-3+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1041475,
regarding bullseye-pu: package hnswlib/0.4.0-3+deb11u1
to be marked as done.



-- 
1041475: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041475
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: hnsw...@packages.debian.org
Control: affects -1 + src:hnswlib

Hi,

[ Reason ]
hnswlib is affected by CVE-2023-37365 marked no-dsa, documented
through the important bug #1041426.  Quoting the CVE for short:
hnswlib has a double free in init_index when the M argument is a
large integer.

[ Impact ]
Users of hnswlib may encounter double-free crashes when
specifying randomly the M parameters to the software.

[ Tests ]
I verified the package built in a clean bullseye chroot, then
verified there were no autopkgtest regressions in bullseye, then
verified manually that the reproducer did trigger the crash with
the current version in bullseye, and finally that the patched
version did not trigger the crash anymore, but instead raised
the warning message appropriately.

[ Risks ]
There is little risk as the change is relatively straightforward
but users who might like to set off-specifications values of the
M parameter may run into the self imposed limitation.  M is
documented to have values that make sense in a range from 2 to
100, and the patch sets a hard limit at 1 per upstream
recommendation.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in oldstable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Changes mostly consists in applying a version of the patch
discussed with upstream[1] ported to hnswlib 0.4.0-3 in
bullseye.  Instead of forwarding the value of the argument M
as-is, the code now checks for the value to be lesser than 1
before applying.  If the value is larger, then it is capped and
the library issues a warning.

[1]: https://github.com/nmslib/hnswlib/pull/484

[ Other info ]
It might have made sense to also set a check for M == 1, as it
will result in a crash, probably not as serious as the double
free though:

Traceback (most recent call last):
  File "", line 1, in 
RuntimeError: Not enough memory: addPoint failed to allocate linklist

M == 0 looks to behave, or has a special meaning.  In doubt, I
prefer leaving as-is.

I didn't notice lintian errors about the bullseye distribution,
contrary to the bookworm side.

Have a nice day,  :)
-- 
  .''`.  Étienne Mollier 
 : :' :  gpg: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/4, please excuse my verbosity
   `-on air: Mile Marker Zero - Reaping Tide
diff -Nru hnswlib-0.4.0/debian/changelog hnswlib-0.4.0/debian/changelog
--- hnswlib-0.4.0/debian/changelog  2020-11-10 23:06:36.0 +0100
+++ hnswlib-0.4.0/debian/changelog  2023-07-19 11:07:28.0 +0200
@@ -1,3 +1,12 @@
+hnswlib (0.4.0-3+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * cve-2023-37365.patch: new: fix CVE-2023-37365.
+This is done by capping M to 1 per discussion with upstream.
+(Closes: #1041426)
+
+ -- Étienne Mollier   Wed, 19 Jul 2023 11:07:28 +0200
+
 hnswlib (0.4.0-3) unstable; urgency=medium
 
   * Team Upload.
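Review bot: the changelog line "capping M to 1" does not agree with the patch description that follows, which says the documented values for M "range from 2 to 100" and are "well within the cap"; a cap of 1 would reject every documented value. The changelog should state the actual limit enforced in hnswalg.h, and since the [Other info] paragraph reports that M == 1 itself crashes with "Not enough memory: addPoint failed to allocate linklist", that value deserves its own check rather than being left to the cap.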
diff -Nru hnswlib-0.4.0/debian/patches/cve-2023-37365.patch 
hnswlib-0.4.0/debian/patches/cve-2023-37365.patch
--- hnswlib-0.4.0/debian/patches/cve-2023-37365.patch   1970-01-01 
01:00:00.0 +0100
+++ hnswlib-0.4.0/debian/patches/cve-2023-37365.patch   2023-07-19 
11:04:35.0 +0200
@@ -0,0 +1,40 @@
+Description: hnswalg.h: cap M to 1 (CVE-2023-37365)
+ This patch works around issue nmslib#467, also referenced as CVE-2023-37365,
+ by implementing Yury Malkov's suggestion about capping the M value,
+ coding the maximum number of outgoing connections in the graph, to a
+ reasonable enough value of the order of 1.  For the record, the
+ documentation indicates reasonable values for M range from 2 to 100,
+ which are well within the cap; see ALGO_PARAMS.md.
+ .
+ The reproducer shown in issue nmslib#467 doesn't trigger the double free
+ condition anymore after this change is applied, but completes
+ successfully, 

Bug#1049374: marked as done (bullseye-pu: package krb5/1.18.3-6+deb11u4)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1049374,
regarding bullseye-pu: package krb5/1.18.3-6+deb11u4
to be marked as done.



-- 
1049374: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049374
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: k...@packages.debian.org
Control: affects -1 + src:krb5


This is the bullseye version of the bookworm update request I just filed.

[ Reason ]
Non-DSA security update for a DOS


[ Impact ]
A remote authenticated attacker can crash kadmind.

[ Tests ]
autopkgtest should cover this code path; tested upstream.

[ Risks ]

Simple obvious patch.



[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
diff --git a/debian/changelog b/debian/changelog
index 60fb20b347..bea091f603 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+krb5 (1.18.3-6+deb11u4) bullseye; urgency=medium
+
+  * Fixes CVE-2023-36054: a  remote authenticated attacker can cause
+kadmind to free an uninitialized pointer.  Upstream believes remote
+code execusion is unlikely, Closes: #1043431 
+
+ -- Sam Hartman   Mon, 14 Aug 2023 14:42:46 -0600
+
 krb5 (1.18.3-6+deb11u3) bullseye-security; urgency=high
 
   * Integer overflows in PAC parsing; potentially critical for 32-bit
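Review bot: typo in the new changelog entry: "remote code execusion" should read "remote code execution", and the bullet ends in "Closes: #1043431 " with trailing whitespace and no closing parenthesis; suggest "... remote code execution is unlikely. (Closes: #1043431)".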
diff --git 
a/debian/patches/0015-Ensure-array-count-consistency-in-kadm5-RPC.patch 
b/debian/patches/0015-Ensure-array-count-consistency-in-kadm5-RPC.patch
new file mode 100644
index 00..658dc99e5b
--- /dev/null
+++ b/debian/patches/0015-Ensure-array-count-consistency-in-kadm5-RPC.patch
@@ -0,0 +1,63 @@
+From: Greg Hudson 
+Date: Wed, 21 Jun 2023 10:57:39 -0400
+Subject: Ensure array count consistency in kadm5 RPC
+
+In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
+key_data array count when decoding.  Otherwise when the structure is
+later freed, xdr_array() could iterate over the wrong number of
+elements, either leaking some memory or freeing uninitialized
+pointers.  Reported by Robert Morris.
+
+CVE-2023-36054:
+
+An authenticated attacker can cause a kadmind process to crash by
+freeing uninitialized pointers.  Remote code execution is unlikely.
+An attacker with control of a kadmin server can cause a kadmin client
+to crash by freeing uninitialized pointers.
+
+ticket: 9099 (new)
+tags: pullup
+target_version: 1.21-next
+target_version: 1.20-next
+
+(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd)
+---
+ src/lib/kadm5/kadm_rpc_xdr.c | 11 ---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 8383e4e..9585080 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
 b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, 
kadm5_principal_ent_rec *objp,
+int v)
+ {
+   unsigned int n;
++  bool_t r;
+ 
+   if (!xdr_krb5_principal(xdrs, >principal)) {
+   return (FALSE);
+@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, 
kadm5_principal_ent_rec *objp,
+   if (!xdr_krb5_int16(xdrs, >n_key_data)) {
+   return (FALSE);
+   }
++  if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
++  return (FALSE);
++  }
+   if (!xdr_krb5_int16(xdrs, >n_tl_data)) {
+   return (FALSE);
+   }
+@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, 
kadm5_principal_ent_rec *objp,
+   return FALSE;
+   }
+   n = objp->n_key_data;
+-  if (!xdr_array(xdrs, (caddr_t *) >key_data,
+- , ~0, sizeof(krb5_key_data),
+- xdr_krb5_key_data_nocontents)) {
++  r = xdr_array(xdrs, (caddr_t *) >key_data, , objp->n_key_data,
++sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
++  objp->n_key_data = n;
++  if (!r) {
+   return (FALSE);
+   }
+ 
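Review bot: the address-of operators have been dropped in this rendering of the patch (`>principal`, `>n_key_data`, `, ~0,` and `>key_data, ,` where `&objp->...` and `&n` are expected), so the file as pasted here would not apply; the copy in the upload should be checked against the upstream cherry-pick ef08b09c9459551aabbe7924fb176f1583053cdd. On the logic: rejecting a negative `n_key_data` on decode, passing `objp->n_key_data` as the xdr_array maximum, and writing `n` back into `objp->n_key_data` before `if (!r)` is what keeps the stored count consistent with the array that was actually allocated, so the later free path iterates the right number of elements. A one-line comment above `objp->n_key_data = n;` saying that it must run even when xdr_array fails would stop the next reader from treating it as dead code.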
diff --git a/debian/patches/series b/debian/patches/series
index a62749cd49..c87cf1c9d2 100644
--- a/debian/patches/series
+++ 

Bug#1043270: marked as done (bullseye-pu: package autofs/5.1.7-1+deb11u2)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1043270,
regarding bullseye-pu: package autofs/5.1.7-1+deb11u2
to be marked as done.



-- 
1043270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043270
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: aut...@packages.debian.org, Mike Gabriel , 
car...@debian.org
Control: affects -1 + src:autofs

Dear SRMs,

[ Reason ]
A regression was noticed in autofs from buster to versions in the
upper suites. After changes upstream related to fix NFS mounts from
IPv6, regressions with delaying mounts were noticed when having
dualstacked server, client though while being in an IPv6 capable
subnet, equipped only with IPv4 address (and IPv6 link local
addresses). It was initially reported at

https://www.spinics.net/lists/autofs/msg02643.html

tracking down the issue to missing checks for reachability when
calculating the proximity. 

If an interface doesn't have an address of the family of the target
host, or the interface address is the IPv6 link local address, or
the target host address is the IPv6 link local address then don't
add it to the list of hosts to probe.

[ Impact ]
Getting noticeable delays in automounts in affected configurations.

[ Tests ]
Manual test with affected configuration and confirming back to
upstream (see thread).

[ Risks ]
Upstream provided patch for the issue which should involve minimal
risk to apply back to the affected versions.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
From https://www.spinics.net/lists/autofs/msg02668.html

- use correct reference for IN6 macro call

> While the usage isn't strictly wrong it's also not correct and it
> passes compiler checks but it doesn't match the usage within the
> macro it's passed to.
> 
> Change it to match the IN6_* macro definition to reduce the potential
> for confusion.

- dont probe interface that cant send packet

See above in the reason paragraph.

[ Other info ]
For the debdiff: debdiff is generated against the current version
which is in bullseye-proposed-updates as this was already acked in
#1040950. If wanted I can additionally generate the debdiff against
5.1.7-1.

Regards,
Salvatore
diff -Nru autofs-5.1.7/debian/changelog autofs-5.1.7/debian/changelog
--- autofs-5.1.7/debian/changelog   2023-07-10 19:01:17.0 +0200
+++ autofs-5.1.7/debian/changelog   2023-08-08 10:31:29.0 +0200
@@ -1,3 +1,10 @@
+autofs (5.1.7-1+deb11u2) bullseye; urgency=medium
+
+  * use correct reference for IN6 macro call
+  * dont probe interface that cant send packet (Closes: #1041051)
+
+ -- Salvatore Bonaccorso   Tue, 08 Aug 2023 10:31:29 +0200
+
 autofs (5.1.7-1+deb11u1) bullseye; urgency=medium
 
   * debian/patches:
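Review bot: both bullets copy the upstream subject lines verbatim, including the missing apostrophes in "dont" and "cant"; the changelog reads better as "don't probe interfaces that can't send packets". The first bullet would also benefit from a pointer to where the change comes from (the [Changes] section above cites msg02668 for it), as the second bullet does with "(Closes: #1041051)".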
diff -Nru 
autofs-5.1.7/debian/patches/dont-probe-interface-that-cant-send-pac.patch 
autofs-5.1.7/debian/patches/dont-probe-interface-that-cant-send-pac.patch
--- autofs-5.1.7/debian/patches/dont-probe-interface-that-cant-send-pac.patch   
1970-01-01 01:00:00.0 +0100
+++ autofs-5.1.7/debian/patches/dont-probe-interface-that-cant-send-pac.patch   
2023-08-08 10:30:32.0 +0200
@@ -0,0 +1,160 @@
+From: Ian Kent 
+Date: Thu, 13 Jul 2023 10:44:49 +0800
+Subject: autofs-5.1.8 - dont probe interface that cant send packet
+Origin: https://www.spinics.net/lists/autofs/msg02667.html
+Bug-Debian: https://bugs.debian.org/1041051
+
+When calculating the proximity add checks for basic reachability.
+
+If an interface doesn't have an address of the family of the target
+host, or the interface address is the IPv6 link local address, or
+the target host address is the IPv6 link local address then don't
+add it to the list of hosts to probe.
+
+Reported-by: Salvatore Bonaccorso 
+Tested-by: Salvatore Bonaccorso 
+Cc: Goldwyn Rodrigues 
+Cc: Mike Gabriel 
+Signed-off-by: Ian Kent 
+---
+ CHANGELOG|  1 +
+ lib/parse_subs.c | 36 +++-
+ modules/replicated.c | 19 +++
+ 3 files changed, 47 insertions(+), 9 deletions(-)
+
+diff --git a/lib/parse_subs.c b/lib/parse_subs.c
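The reachability rule described in the [Reason] section above, written out as an added C example (illustration code, not autofs's own lib/parse_subs.c or modules/replicated.c): a candidate (interface address, target address) pair is dropped when the address families differ or when either side is an IPv6 link-local address. The scenario in main() is constructed to mirror the report: an IPv4-only client that also has a link-local IPv6 address, probing a dual-stacked server.

```c
#include <arpa/inet.h>
#include <assert.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Holder for either an IPv4 or an IPv6 address (constructed for this example). */
struct host_addr {
    int family;                 /* AF_INET or AF_INET6 */
    union {
        struct in_addr  v4;
        struct in6_addr v6;
    } u;
};

/* Parse a textual address; returns 0 on success, -1 if it is neither v4 nor v6. */
static int host_addr_parse(const char *text, struct host_addr *out)
{
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, text, &out->u.v4) == 1) {
        out->family = AF_INET;
        return 0;
    }
    if (inet_pton(AF_INET6, text, &out->u.v6) == 1) {
        out->family = AF_INET6;
        return 0;
    }
    return -1;
}

/*
 * Decide whether a target host is worth probing from a given local
 * interface address, following the three conditions in the bug report:
 *   1. the interface has no address of the target's family,
 *   2. the interface address is an IPv6 link-local address,
 *   3. the target address is an IPv6 link-local address.
 * Any of these means the probe could never reach the host, so the pair is
 * skipped instead of timing out and delaying the mount.
 * Note the IN6_* macros take a pointer to the struct in6_addr itself, not
 * to the enclosing sockaddr (the "correct reference" point in the changelog).
 */
static int should_probe(const struct host_addr *iface, const struct host_addr *target)
{
    if (iface->family != target->family)
        return 0;                                   /* condition 1 */
    if (iface->family == AF_INET6) {
        if (IN6_IS_ADDR_LINKLOCAL(&iface->u.v6))
            return 0;                               /* condition 2 */
        if (IN6_IS_ADDR_LINKLOCAL(&target->u.v6))
            return 0;                               /* condition 3 */
    }
    return 1;
}

/* Convenience wrapper over textual addresses: 1 = probe, 0 = skip, -1 = bad input. */
int should_probe_text(const char *iface_text, const char *target_text)
{
    struct host_addr iface, target;
    if (host_addr_parse(iface_text, &iface) < 0 ||
        host_addr_parse(target_text, &target) < 0)
        return -1;
    return should_probe(&iface, &target);
}

/*
 * Filter a server's address list against the client's interface addresses
 * and return how many (interface, target) pairs would actually be probed.
 */
int count_probes(const char *const *ifaces, size_t n_ifaces,
                 const char *const *targets, size_t n_targets)
{
    int probes = 0;
    for (size_t i = 0; i < n_ifaces; i++)
        for (size_t t = 0; t < n_targets; t++)
            if (should_probe_text(ifaces[i], targets[t]) == 1)
                probes++;
    return probes;
}

/* Constructed scenario from the report: IPv4 address plus an IPv6 link-local
 * address on the client, dual-stacked server. Only the IPv4 pair survives. */
int example_scenario_probes(void)
{
    const char *const ifaces[]  = { "192.0.2.10", "fe80::1" };
    const char *const targets[] = { "192.0.2.1", "2001:db8::1" };
    return count_probes(ifaces, 2, targets, 2);
}

int main(void)
{
    printf("probes attempted: %d\n", example_scenario_probes());  /* 1 */
    return 0;
}
```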

Bug#1040950: marked as done (bullseye-pu: package autofs/5.1.7-1+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1040950,
regarding bullseye-pu: package autofs/5.1.7-1+deb11u1
to be marked as done.



-- 
1040950: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040950
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: aut...@packages.debian.org
Control: affects -1 + src:autofs

Two issues have recently been addressed in autofs uploads to unstable.

[ Reason ]

Fixed issues:

  * Don't let NFSv4-only mounts use rpcbind portmapper service.
  * Fix missing unlock in sasl_do_kinit_ext_cc().

[ Impact ]
Fix autofs hanging for LDAP+Kerberos setups. Avoid communication to
rpcbind for NFSv4-only mounts.


[ Tests ]
Manually, on production site, by bug submitters.

[ Risks ]
Regressions in autofs.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

+  * debian/patches:
++ Add fix-nfs4-only-mounts-should-not-use-rpcbind.patch. Don't let NFSv4-
+  only mounts use rpcbind portmapper service. (Closes: #1034261).
++ Add fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch. Fix missing unlock
+  in sasl_do_kinit_ext_cc(). (Closes: #1039967).


[ Other info ]
Salvatore Bonaccorso (@carnil) will likely follow up this pu with another
pu. Not sure if he gets around to it before the deadline for the next
11.x point release.
diff -Nru autofs-5.1.7/debian/changelog autofs-5.1.7/debian/changelog
--- autofs-5.1.7/debian/changelog   2021-02-04 13:36:20.0 +0100
+++ autofs-5.1.7/debian/changelog   2023-07-10 19:01:17.0 +0200
@@ -1,3 +1,13 @@
+autofs (5.1.7-1+deb11u1) bullseye; urgency=medium
+
+  * debian/patches:
++ Add fix-nfs4-only-mounts-should-not-use-rpcbind.patch. Don't let NFSv4-
+  only mounts use rpcbind portmapper service. (Closes: #1034261).
++ Add fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch. Fix missing unlock
+  in sasl_do_kinit_ext_cc(). (Closes: #1039967).
+
+ -- Mike Gabriel   Mon, 10 Jul 2023 19:01:17 +0200
+
 autofs (5.1.7-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru 
autofs-5.1.7/debian/patches/fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch 
autofs-5.1.7/debian/patches/fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch
--- 
autofs-5.1.7/debian/patches/fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch
1970-01-01 01:00:00.0 +0100
+++ 
autofs-5.1.7/debian/patches/fix-missing-unlock-in-sasl-do-kinit-ext-cc.patch
2023-07-05 12:14:29.0 +0200
@@ -0,0 +1,45 @@
+From b2571ed0df973a6dc6a8e661874655fa7cecdc37 Mon Sep 17 00:00:00 2001
+From: James Dingwall 
+Date: Wed, 20 Jul 2022 13:22:38 +0800
+Subject: autofs-5.1.8 - fix missing unlock in sasl_do_kinit_ext_cc()
+
+There is a missing mutex unlock in function sasl_do_kinit_ext_cc(),
+fix it.
+
+Signed-off-by: James Dingwall 
+Signed-off-by: Ian Kent 
+---
+# CHANGELOG| 1 +
+ modules/cyrus-sasl.c | 4 
+ 2 files changed, 5 insertions(+)
+
+#diff --git a/CHANGELOG b/CHANGELOG
+#index 1f7c93a..e0b285d 100644
+#--- a/CHANGELOG
+#+++ b/CHANGELOG
+#@@ -27,6 +27,7 @@
+# - add autofs_strerror_r() helper for musl.
+# - update configure.
+# - handle innetgr() not present in musl.
+#+- fix missing unlock in sasl_do_kinit_ext_cc().
+# 
+# 19/10/2021 autofs-5.1.8
+# - add xdr_exports().
+diff --git a/modules/cyrus-sasl.c b/modules/cyrus-sasl.c
+index ae046e0..738e363 100644
+--- a/modules/cyrus-sasl.c
 b/modules/cyrus-sasl.c
+@@ -721,6 +721,10 @@ sasl_do_kinit_ext_cc(unsigned logopt, struct 
lookup_context *ctxt)
+ 
+   debug(logopt, "Kerberos authentication was successful!");
+ 
++  status = pthread_mutex_unlock(_mutex);
++  if (status)
++  fatal(status);
++
+   return 0;
+ 
+ out_cleanup_def_princ:
+-- 
+cgit 
+
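Review bot: the CHANGELOG part of this patch is neutralised with leading `#` (`# CHANGELOG| 1 +`, `#diff --git a/CHANGELOG b/CHANGELOG`, ...) while the diffstat still claims `2 files changed, 5 insertions(+)`; either drop the commented lines or correct the diffstat so the header matches what quilt applies. The address-of in `pthread_mutex_unlock(_mutex)` has also been lost in this rendering. The added unlock covers only the success return after "Kerberos authentication was successful!"; the `out_cleanup_def_princ:` label and the other error exits lie outside this hunk, so the submitter should confirm they already release the mutex, otherwise the LDAP+Kerberos hang described in [Impact] would persist on those paths.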
diff -Nru 
autofs-5.1.7/debian/patches/fix-nfs4-only-mounts-should-not-use-rpcbind.patch 
autofs-5.1.7/debian/patches/fix-nfs4-only-mounts-should-not-use-rpcbind.patch
--- 
autofs-5.1.7/debian/patches/fix-nfs4-only-mounts-should-not-use-rpcbind.patch   
1970-01-01 01:00:00.0 +0100
+++ 

Bug#1040865: marked as done (bullseye-pu: package yajl/2.1.0-3+deb11u2)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1040865,
regarding bullseye-pu: package yajl/2.1.0-3+deb11u2
to be marked as done.



-- 
1040865: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040865
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: y...@packages.debian.org
Control: affects -1 + src:yajl

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: y...@packages.debian.org
Control: affects -1 + src:yajl

Previous o-s-p-u upload was #1040137; two additional CVEs have
been fixed since then and the fix for CVE-2023-33460 has been found
to be incomplete.

This upload is part of fixing yajl for every release. So far sid, buster
(DLA-3492), stretch and jessie (ELA-892-1) have been targeted.
bookworm s-p-u is pending, see #1040863

CVE-2017-16516

When a crafted JSON file is supplied to yajl, the process might
crash with a SIGABRT in the yajl_string_decode function in
yajl_encode.c. This results potentially in a denial of service.

CVE-2022-24795

The 1.x branch and the 2.x branch of `yajl` contain an integer overflow
which leads to subsequent heap memory corruption when dealing with large
(~2GB) inputs.

CVE-2023-33460

There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function,
which potentially cause out-of-memory in server and cause crash.


[ Risks ]
Required changes are minimal, see debdiff. Package testsuite passes.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable


For unstable, the fixes are in 2.1.0-5. I have already uploaded to the s-p-u
queue.
diff -Nru yajl-2.1.0/debian/changelog yajl-2.1.0/debian/changelog
--- yajl-2.1.0/debian/changelog 2023-07-02 13:31:39.0 +0200
+++ yajl-2.1.0/debian/changelog 2023-07-11 19:55:30.0 +0200
@@ -1,3 +1,15 @@
+yajl (2.1.0-3+deb11u2) bullseye; urgency=medium
+
+  [Tobias Frost]
+  * Non-maintainer upload.
+  * Cherry pick John's CVE fixes from 2.1.0-4 and 2.1.0-5
+
+  [John Stamp]
+  * Patch CVE-2017-16516 and CVE-2022-24795 (Closes: #1040036)
+  * The patch for CVE-2023-33460 turned out to be incomplete. Fix that. 
(Closes: #1039984)
+
+ -- Tobias Frost   Tue, 11 Jul 2023 19:55:30 +0200
+
 yajl (2.1.0-3+deb11u1) bullseye; urgency=medium
 
   * Non-maintainer upload.
diff -Nru yajl-2.1.0/debian/patches/CVE-2017-16516.patch 
yajl-2.1.0/debian/patches/CVE-2017-16516.patch
--- yajl-2.1.0/debian/patches/CVE-2017-16516.patch  1970-01-01 
01:00:00.0 +0100
+++ yajl-2.1.0/debian/patches/CVE-2017-16516.patch  2023-07-10 
19:32:01.0 +0200
@@ -0,0 +1,22 @@
+Description: Fix for CVE-2017-16516
+ Potential buffer overread: A JSON file can cause denial of service.
+Origin: 
https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
+Bug: https://github.com/lloyd/yajl/issues/248
+---
+ src/yajl_encode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/src/yajl_encode.c
 b/src/yajl_encode.c
+@@ -139,8 +139,8 @@
+ end+=3;
+ /* check if this is a surrogate */
+ if ((codepoint & 0xFC00) == 0xD800) {
+-end++;
+-if (str[end] == '\\' && str[end + 1] == 'u') {
++if (end + 2 < len && str[end + 1] == '\\' && str[end 
+ 2] == 'u') {
++end++;
+ unsigned int surrogate = 0;
+ hexToDigit(, str + end + 2);
+ codepoint =
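Review bot: the new bound `end + 2 < len` only guarantees that `str[end + 1]` and `str[end + 2]` (the backslash and the `u`) lie inside the buffer; `hexToDigit(..., str + end + 2)` two lines below still reads four more bytes for the low surrogate. If the lexer has already validated that every `\u` escape carries four hex digits, the patch description should say so; otherwise the bound needs to cover those four digits as well. The `&` in `hexToDigit(, str + end + 2)` has also been lost in this rendering and should read `&surrogate`, matching the `unsigned int surrogate = 0;` declaration in the context.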
diff -Nru yajl-2.1.0/debian/patches/CVE-2022-24795.patch 
yajl-2.1.0/debian/patches/CVE-2022-24795.patch
--- yajl-2.1.0/debian/patches/CVE-2022-24795.patch  1970-01-01 
01:00:00.0 +0100
+++ yajl-2.1.0/debian/patches/CVE-2022-24795.patch  2023-07-10 
19:32:01.0 +0200
@@ -0,0 +1,30 @@
+Description: Fix for CVE-2022-24795
+ An integer overflow will lead to heap memory corruption with large (~2GB) 
inputs.
+Origin: 

Bug#1041397: marked as done (bullseye-pu: package asmtools/7.0-b09-2~deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1041397,
regarding bullseye-pu: package asmtools/7.0-b09-2~deb11u1
to be marked as done.



-- 
1041397: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041397
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: asmto...@packages.debian.org, ebo...@apache.org
Control: affects -1 + src:asmtools

We need to introduce a backport of asmtools in the version found in bookworm
to bullseye. It's needed for the latest versions of openjdk-11 LTS (as part
of the test suite).

The debdiff below is against the version of asmtools in bookworm
(since the package is new in bullseye).

Cheers,
Moritz

diff -Nru asmtools-7.0-b09/debian/changelog asmtools-7.0-b09/debian/changelog
--- asmtools-7.0-b09/debian/changelog   2023-02-06 21:22:12.0 +0100
+++ asmtools-7.0-b09/debian/changelog   2023-07-16 15:58:23.0 +0200
@@ -1,3 +1,9 @@
+asmtools (7.0-b09-2~deb11u1) bullseye; urgency=medium
+
+  * Rebuild for Bullseye, needed for latest openjdk-11
+
+ -- Moritz Mühlenhoff   Sun, 16 Jul 2023 15:58:23 +0200
+
 asmtools (7.0-b09-2) unstable; urgency=medium
 
   * Source only upload
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1040758: marked as done (bullseye-pu: package spip/3.2.11-3+deb11u9)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1040758,
regarding bullseye-pu: package spip/3.2.11-3+deb11u9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.



-- 
1040758: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040758
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: s...@packages.debian.org
Control: affects -1 + src:spip

This issue is similar to #1040756 in bookworm.

Another upstream release fixed a security issue. It introduces some
factorisation adding two more clean-ups in sessions. We agreed with the
security team that this doesn’t warrant a DSA.

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-4-SPIP-4-1-11.html

The 3.2 branch is not maintained upstream anymore, but the patches have
been cherry-picked directly from the 4.1 branch, except for the first
one that needed some slight editing. Also, I’ve already deployed the
proposed package on a server providing over 30 SPIP websites.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks in advance.

Regards,

taffit
diff -Nru spip-3.2.11/debian/changelog spip-3.2.11/debian/changelog
--- spip-3.2.11/debian/changelog	2023-06-11 15:47:39.0 +0200
+++ spip-3.2.11/debian/changelog	2023-07-08 20:38:26.0 +0200
@@ -1,3 +1,11 @@
+spip (3.2.11-3+deb11u9) bullseye; urgency=medium
+
+  * Backport security fix from 4.1.11
+- use an auth_desensibiliser_session() function to centralize extended
+  authentification data filtering.
+
+ -- David Prévot   Sat, 08 Jul 2023 20:38:26 +0200
+
 spip (3.2.11-3+deb11u8) bullseye; urgency=medium
 
   * Backport security fixes from 4.1.10
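Review bot: "authentification" in the new changelog entry should read "authentication"; and since the helper this entry introduces also clears `backup_cles`, a key the replaced `unset()` calls never touched, the entry should say the filtering is widened as well as centralized, so that reviewers of the stable update see it is not a pure refactor.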
diff -Nru spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch
--- spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch	1970-01-01 01:00:00.0 +0100
+++ spip-3.2.11/debian/patches/0056-security-Utiliser-une-fonction-d-di-e-pour-nettoyer-.patch	2023-07-08 20:38:18.0 +0200
@@ -0,0 +1,69 @@
+From: Cerdic 
+Date: Mon, 3 Jul 2023 10:23:02 +0200
+Subject: =?utf-8?q?security=3A_Utiliser_une_fonction_d=C3=A9di=C3=A9e_pour_?=
+ =?utf-8?q?nettoyer_les_donn=C3=A9es_d=E2=80=99auteur_lors_de_la_pr=C3=A9pa?=
+ =?utf-8?q?ration_d=E2=80=99une_session?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+- Ajout d’une fonction `auth_desensibiliser_session()` pour desensibiliser une ligne auteur,
+- qu'on utilise lors de la preparation d'une session
+- et dans informer_login
+
+Refs:  spip-team/securite#4847
+(cherry picked from commit 2e4d6273cee8ec63ce7f565a73262a8aae70b7bb)
+
+Origin: backport, https://git.spip.net/spip/spip/commit/f1d2351c90a6127cab354be1647662ec5e941676
+---
+ ecrire/inc/auth.php | 23 ++-
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/ecrire/inc/auth.php b/ecrire/inc/auth.php
+index 12fc4ce..cb61446 100644
+--- a/ecrire/inc/auth.php
 b/ecrire/inc/auth.php
+@@ -249,11 +249,7 @@ function auth_init_droits($row) {
+ 	$GLOBALS['visiteur_session'] = array_merge((array)$GLOBALS['visiteur_session'], $row);
+ 
+ 	// au cas ou : ne pas memoriser les champs sensibles
+-	unset($GLOBALS['visiteur_session']['pass']);
+-	unset($GLOBALS['visiteur_session']['htpass']);
+-	unset($GLOBALS['visiteur_session']['alea_actuel']);
+-	unset($GLOBALS['visiteur_session']['alea_futur']);
+-	unset($GLOBALS['visiteur_session']['ldap_password']);
++	$GLOBALS['visiteur_session'] = auth_desensibiliser_session($GLOBALS['visiteur_session']);
+ 
+ 	// creer la session au besoin
+ 	if (!isset($_COOKIE['spip_session'])) {
+@@ -310,6 +306,22 @@ function auth_init_droits($row) {
+ 	return ''; // i.e. pas de pb.
+ }
+ 
++/**
++ * Enlever les clés sensibles d'une ligne auteur
++ * @param array $auteur
++ * @return array
++ */
++function auth_desensibiliser_session(array $auteur) {
++	$cles_sensibles = ['pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'];
++	foreach 
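Review bot: the key list in `auth_desensibiliser_session()` has six entries (`'pass', 'htpass', 'alea_actuel', 'alea_futur', 'ldap_password', 'backup_cles'`) while the five `unset()` lines it replaces in `auth_init_droits()` did not cover `backup_cles`, so the backport changes what is stripped from `$GLOBALS['visiteur_session']`, which is the point of the security fix and worth stating in the patch description. The hunk as quoted stops inside the `foreach`, so the second call site in `informer_login` mentioned in the description cannot be checked here.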

Bug#1040677: marked as done (bullseye-pu: package node-tough-cookie/4.0.0-2+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1040677,
regarding bullseye-pu: package node-tough-cookie/4.0.0-2+deb11u1
to be marked as done.



-- 
1040677: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040677
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-tough-coo...@packages.debian.org
Control: affects -1 + src:node-tough-cookie

[ Reason ]
node-tough-cookie is vulnerable to prototype pollution

[ Impact ]
Little security issue

[ Tests ]
Test updated, passed

[ Risks ]
No risk, patch is trivial and tested

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Create new object instead of using default {}

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3652359..84339cf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-tough-cookie (4.0.0-2+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: CVE-2023-26136)
+
+ -- Yadd   Sun, 09 Jul 2023 08:32:32 +0400
+
 node-tough-cookie (4.0.0-2) unstable; urgency=medium
 
   * Team upload
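Review bot: `(Closes: CVE-2023-26136)` is not something the BTS parses; `Closes:` takes Debian bug numbers, so the CVE is better written as `[CVE-2023-26136]` in the item text (and a `Closes: #nnnnnn` added if a bug was filed), which is also what the security tracker greps for.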
diff --git a/debian/patches/CVE-2023-26136.patch 
b/debian/patches/CVE-2023-26136.patch
new file mode 100644
index 000..05e6372
--- /dev/null
+++ b/debian/patches/CVE-2023-26136.patch
@@ -0,0 +1,71 @@
+Description: Fix prototype pollution
+ CVE-2023-26136
+Author: Yadd 
+Forwarded: not-needed
+Last-Update: 2023-07-07
+
+--- a/lib/memstore.js
 b/lib/memstore.js
+@@ -39,7 +39,7 @@
+   constructor() {
+ super();
+ this.synchronous = true;
+-this.idx = {};
++this.idx = Object.create(null);
+ if (util.inspect.custom) {
+   this[util.inspect.custom] = this.inspect;
+ }
+@@ -109,10 +109,10 @@
+ 
+   putCookie(cookie, cb) {
+ if (!this.idx[cookie.domain]) {
+-  this.idx[cookie.domain] = {};
++  this.idx[cookie.domain] = Object.create(null);
+ }
+ if (!this.idx[cookie.domain][cookie.path]) {
+-  this.idx[cookie.domain][cookie.path] = {};
++  this.idx[cookie.domain][cookie.path] = Object.create(null);
+ }
+ this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
+ cb(null);
+@@ -144,7 +144,7 @@
+ return cb(null);
+   }
+   removeAllCookies(cb) {
+-this.idx = {};
++this.idx = Object.create(null);
+ return cb(null);
+   }
+   getAllCookies(cb) {
+--- a/test/cookie_jar_test.js
 b/test/cookie_jar_test.js
+@@ -669,4 +669,29 @@
+   }
+ }
+   })
++  .addBatch({
++"Issue #282 - Prototype pollution": {
++  "when setting a cookie with the domain __proto__": {
++topic: function() {
++  const jar = new tough.CookieJar(undefined, {
++rejectPublicSuffixes: false
++  });
++  // try to pollute the prototype
++  jar.setCookieSync(
++"Slonser=polluted; Domain=__proto__; Path=/notauth",
++"https://__proto__/admin;
++  );
++  jar.setCookieSync(
++"Auth=Lol; Domain=google.com; Path=/notauth",
++"https://google.com/;
++  );
++  this.callback();
++},
++"results in a cookie that is not affected by the attempted prototype 
pollution": function() {
++  const pollutedObject = {};
++  assert(pollutedObject["/notauth"] === undefined);
++}
++  }
++}
++  })
+   .export(module);
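Review bot: the DEP-3 header reads `Forwarded: not-needed` with only Yadd as `Author:`, yet the added test block ("Issue #282 - Prototype pollution") is an upstream regression test, so an `Origin:` field pointing at the upstream fix would record where the change comes from for the next backport. The code change itself is sound: with a plain `{}` index, `this.idx[cookie.domain]` for `Domain=__proto__` resolves to `Object.prototype`, so the later `this.idx[cookie.domain][cookie.path] = {}` writes onto every object; `Object.create(null)` at all three creation sites removes that path. One thing to confirm outside this hunk is that nothing else in memstore.js calls `Object.prototype` methods (`hasOwnProperty`, `toString`) on these containers, since null-prototype objects no longer inherit them.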
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..67af372
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-26136.patch
--- End Message ---
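The `{}` versus `Object.create(null)` difference the patch above relies on can be shown on a toy version of the same domain → path → key index, using the patch's own `Domain=__proto__; Path=/notauth` test vector. This is an added illustration, not code from node-tough-cookie or the Debian patch; `buildIndex`, `SAMPLE_COOKIES` and the probe helpers are constructed here.

```javascript
// Toy cookie index: domain -> path -> key -> cookie. `makeContainer` decides
// what kind of object each level is, which is the only thing the fix changed.
function buildIndex(cookies, makeContainer) {
  const idx = makeContainer();
  for (const c of cookies) {
    if (!idx[c.domain]) idx[c.domain] = makeContainer();
    if (!idx[c.domain][c.path]) idx[c.domain][c.path] = makeContainer();
    idx[c.domain][c.path][c.key] = c;
  }
  return idx;
}

// Constructed sample input: the first cookie carries the Domain and Path
// values from the regression test in the patch, the second is an ordinary one.
const SAMPLE_COOKIES = [
  { domain: '__proto__', path: '/notauth', key: 'Slonser', value: 'polluted' },
  { domain: 'example.com', path: '/', key: 'session', value: 'abc' },
];

// A fresh, unrelated object should never see a "/notauth" property; if it
// does, the index write reached Object.prototype.
function isPrototypePolluted() {
  const probe = {};
  return probe['/notauth'] !== undefined;
}

// Undo any pollution so the two runs do not influence each other.
function cleanupPrototype() {
  delete Object.prototype['/notauth'];
}

// Pre-fix shape: plain `{}` containers. idx['__proto__'] is Object.prototype,
// so idx['__proto__']['/notauth'] = {} lands on every object in the realm.
function runVulnerable() {
  cleanupPrototype();
  buildIndex(SAMPLE_COOKIES, () => ({}));
  const polluted = isPrototypePolluted();
  cleanupPrototype();
  return polluted; // true
}

// Fixed shape: null-prototype containers. "__proto__" becomes an ordinary
// own property of the index and nothing inherits from it.
function runFixed() {
  cleanupPrototype();
  const idx = buildIndex(SAMPLE_COOKIES, () => Object.create(null));
  const polluted = isPrototypePolluted();
  const ownProto = Object.getOwnPropertyNames(idx).includes('__proto__');
  cleanupPrototype();
  return { polluted, ownProto }; // { polluted: false, ownProto: true }
}
```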
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1040668: marked as done (bullseye-pu: package tang/8-3+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1040668,
regarding bullseye-pu: package tang/8-3+deb11u1
to be marked as done.



-- 
1040668: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040668
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@packages.debian.org
Control: affects -1 + src:tang

This is the bullseye version of #1040646

[ Reason ]
Fix https://security-tracker.debian.org/tracker/CVE-2023-1672 for
Debian 11 ("bullseye"), tagged "no-dsa (minor)" by the security team.

The problem of creating key material without restrictive file
permissions probably existed upstream since always. Up to and including
Debian 10 ("buster") however, this situation was caught by enforcing
restrictive permissions on the key directory.

With Debian 11 ("bullseye") a change in the creation of that directory
caused it to be created with a too permissive mode.

[ Impact ]
Without the change being accepted, the directory that holds the private
key would stay world-readable. Also this would continue to put users at
risk who configured a different key directory but did not enforce
restrictive access permissions.

[ Tests ]
No automated tests I'm aware of. Of course I did a manual test, and the
outcome matched the expectations.

[ Risks ]
The changes are small and rather straight-forward. I'd be surprised if
they introduce problems.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable (14.1)

[ Changes ]
* Assert restrictive permissions of the key directory in Debian's
  postinst.
  For regular users and new installations.
* Upstream's change to create the key file with restrictive
  permissions.
  Mostly for users who configure a different key directory.
* Recommend a key rotation in setups where this seems wise, add
  some details in NEWS.Debian.
* Make the key rotation program executable as it should always
  have been.

Regards,

Christoph

diff -Nru tang-8/debian/changelog tang-8/debian/changelog
--- tang-8/debian/changelog 2021-12-16 20:47:10.0 +0100
+++ tang-8/debian/changelog 2023-07-08 12:41:29.0 +0200
@@ -1,3 +1,14 @@
+tang (8-3+deb11u2) bullseye; urgency=high
+
+  * Fix CVE-2023-1672:
+- Cherry-pick "Fix race condition when creating/rotating keys"
+- Assert restrictive permissions on tang's key directory
+In existing multi-user bullseye installations, rotating the keys
+is suggested.
+  * Make the tangd-rotate-keys program executable
+
+ -- Christoph Biedl   Sat, 08 Jul 2023 
12:41:29 +0200
+
 tang (8-3+deb11u1) bullseye-security; urgency=high
 
   * Fix data leak [CVE-2021-4076]
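Review bot: the new changelog entry is `tang (8-3+deb11u2)` whereas the request is titled `tang/8-3+deb11u1`, which is the already-released bullseye-security version shown as the previous entry; the bug should be retitled to 8-3+deb11u2 so the release tracker matches the version actually uploaded.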
diff -Nru 
tang-8/debian/patches/bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
 
tang-8/debian/patches/bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
--- 
tang-8/debian/patches/bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
   1970-01-01 01:00:00.0 +0100
+++ 
tang-8/debian/patches/bullseye/1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch
   2023-07-08 12:41:29.0 +0200
@@ -0,0 +1,73 @@
+Subject: Fix race condition when creating/rotating keys (#123)
+Origin: v13-3-g8dbbed1 
+Upstream-Author: Sergio Correia 
+Date: Wed Jun 14 10:53:20 2023 -0300
+
+When we create/rotate keys using either the tangd-keygen and
+tangd-rotate-keys helpers, there is a small window between the
+keys being created and then the proper ownership permissions being
+set. This also happens when there are no keys and tang creates a
+pair of keys itself.
+
+In certain situations, such as the keys directory having wide open
+permissions, a user with local access could exploit this race
+condition and read the keys before they are set to more restrictive
+permissions.
+
+To prevent this issue, we now set the default umask to 0337 before
+creating the files, so that they are already created with restrictive
+
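Review bot: a umask of 0337 leaves newly created key files at mode 0440 (0666 & ~0337), so group read remains; the patch description should say that this closes only the race and that the directory permission check added in the Debian postinst (see [ Changes ]) is what keeps other local users out of the key directory. The quoted hunk breaks off after "created with restrictive", so the code part of the upstream change is not reviewable here.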

Bug#1040930: marked as done (bullseye-pu: package ca-certificates-java/20190909+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1040930,
regarding bullseye-pu: package ca-certificates-java/20190909+deb11u1
to be marked as done.



-- 
1040930: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040930
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Matthias Klose 

[ Reason ]
The bullseye-security upload of openjdk-17 broke the very fragile
assumption in ca-certificates-java that a jre can be used even
before it was configured for the first time.
As a result new installations of openjdk-17-jre-headless from
bullseye-security (or -pu) (and its circular dependency
ca-certificates-java from bookworm) will fail, #1039472, (but
upgrades seem to work fine, since the jre has been configured at
least once in the past).

[ Impact ]
openjdk will fail on new installations after the next point release

[ Tests ]
local piuparts tests of bullseye with the fixed package installed,
buster->bullseye with the fixed package in the upgrade path and
bullseye->bookworm starting from the fixed package.
All installation/upgrades work fine.

[ Risks ]
The hack may break with the next openjdk-17 upload to oldstable, but
there is no alternative solution as trigger support is not yet prepared
in bullseye.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
In case ca-certificates-java wants to run with a not-yet-configured-once
jre, try to temporarily place a java.security file to make the java
command runnable again.

[ Other info ]
The patch is a backported variant of the HACK that temporarily appeared
in sid (ca-certificates-java 20230620).


Andreas
From f020db198e9e96dbc9ddaf4b3dbe3d9247b85ae5 Mon Sep 17 00:00:00 2001
From: Matthias Klose 
Date: Tue, 20 Jun 2023 06:13:02 +0200
Subject: [PATCH]   [ Vladimir Petko ]   * d/ca-certificates-java.postinst:
 Work-around not yet configured jre.

(cherry picked from commit 561054ed46afe59b5996974e168418362c872d20)
---
 debian/changelog | 8 
 debian/postinst  | 7 +++
 2 files changed, 15 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index e35274e..a49805a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ca-certificates-java (20190909+deb11u1) bullseye; urgency=medium
+
+  [ Vladimir Petko ]
+  * d/ca-certificates-java.postinst: Work-around not yet configured jre.
+(Closes: #1039472)
+
+ -- Andreas Beckmann   Tue, 27 Jun 2023 01:12:19 +0200
+
 ca-certificates-java (20190909) unstable; urgency=medium
 
   * Team upload.
diff --git a/debian/postinst b/debian/postinst
index 555f87b..7d68036 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -50,6 +50,13 @@ setup_path()
 if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
 export JAVA_HOME=/usr/lib/jvm/$jvm
 PATH=$JAVA_HOME/bin:$PATH
+   # copy java.security to allow import to function
+   security_conf=/etc/${jvm%-${arch}}/security
+   if [ -f ${security_conf}/java.security.dpkg-new ] \
+   && [ ! -f ${security_conf}/java.security ]; then
+   cp -v ${security_conf}/java.security.dpkg-new \
+   ${security_conf}/java.security
+   fi
 break
 fi
 done
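Review bot: [ Changes ] describes the java.security copy as temporary, but the hunk only copies `java.security.dpkg-new` to `java.security` and never removes it, so whether the copy is cleaned up depends on how dpkg treats the pre-existing file when the jre's conffiles are configured; a comment stating that expectation, or an explicit removal after the import, would make the work-around self-documenting. The hunk also relies on `$arch` being set earlier in `setup_path()` (not visible here) and leaves `${security_conf}` unquoted in the `cp` and the tests; quoting costs nothing in a maintainer script.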
-- 
2.20.1

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1040137: marked as done (bullseye-pu: package yajl/2.1.0-3+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1040137,
regarding bullseye-pu: package yajl/2.1.0-3+deb11u1
to be marked as done.



-- 
1040137: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040137
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: y...@packages.debian.org
Control: affects -1 + src:yajl

[ Reason ]
This upload is part of fixing yajl for every release. So far sid, bookworm
(#1040136), buster (DLA-3478), stretch and jessie (ELA-888-1) have been
targeted.

[ Tests ]
Package has a test suite which passes. Additionally it has been
manually verified using asan that the memory leak is indeed fixed.

[ Risks ]
Required changes are minimal, see debdiff.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

(I've already uploaded the package to s-p-u)

-- 
tobi
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1039860: marked as done (bullseye-pu: package nvidia-graphics-drivers-tesla-470/470.199.02-1~deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1039860,
regarding bullseye-pu: package 
nvidia-graphics-drivers-tesla-470/470.199.02-1~deb11u1
to be marked as done.



-- 
1039860: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039860
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
Control: clone -1 -2
Control: retitle -2 bookworm-pu: package 
nvidia-graphics-drivers-tesla-470/470.199.02-1~deb12u1
Control: tag -2 = bookworm
Control: usertag -2 pu

[ Reason ]
Let's update nvidia-graphics-drivers-tesla-470 in bookworm/bullseye
to a new upstream release fixing some CVEs.

[ Impact ]
A proprietary graphics driver with more CVEs open.

[ Tests ]
Only module building has been tested. Anything else would require
certain hardware and driver usage.

[ Risks ]
Low. Upgrading to a new nvidia driver release in stable is an
established procedure.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  (excluding the blobs)
  [x] attach debdiff against the package in (old)stable
  (excluding the blobs)
  [x] the issue is verified as fixed in unstable

[ Changes ]
This is a rebuild of the package from sid with no further changes.
No packaging changes this time ;-)

[ Other info ]
The bookworm upload will be 470.199.02-1~deb12u1

Andreas
diff --git a/debian/README.source b/debian/README.source
index 05196920..f12ec8c5 100644
--- a/debian/README.source
+++ b/debian/README.source
@@ -33,7 +33,7 @@ Upstream support timeframes
 Tesla 460 (PB)  01/2022 EoL
 Tesla 470 (LTSB)07/2024
 Tesla 510 (PB)  01/2023 EoL
-Tesla 515 (PB)  05/2023
+Tesla 515 (PB)  05/2023 EoL
 Tesla 525 (PB)  12/2023
 
 
@@ -67,20 +67,12 @@ The branch structure in the GIT repository
 460-tesla   EoL   (bullseye)  470-tesla, tesla-460/main
 tesla-460/main  EoL   (bullseye),(sid)tesla-470/main, 
tesla-460/transition-470
 tesla-460/transition-470  bullseye,sid
-470   bullseye510, 470-tesla
-470-tesla (bullseye)  510-tesla, tesla-470/main
-tesla-470/mainbullseye,bookworm,sid tesla-510/main
-510 EoL   (bookworm),sid  515, 510-tesla
-510-tesla   EoL   (bookworm)  515-tesla, tesla-510/main
-tesla-510/main  EoL   (bookworm),(sid)tesla/510, 
tesla-510/transition
-tesla-510/transition  sid
-tesla/510   EoL   (bookworm),sid  tesla/515
-515   (bookworm),sid  525, 515-tesla
-515-tesla (bookworm)  525-tesla, tesla/515
-tesla/515 (bookworm),sid  tesla/525
-525   (bookworm),sid  YYY, 525-tesla
+470   bullseye525, 470-tesla
+470-tesla (bullseye)  525-tesla, tesla-470/main
+tesla-470/mainbullseye,bookworm,sid tesla/525
+525   bookworm,sidYYY, 525-tesla
 525-tesla (bookworm)  ZZZ-tesla, tesla/525
-tesla/525 (bookworm),sid  tesla/ZZZ
+tesla/525 bookworm,sidtesla/ZZZ
 main  sid YYY
 tesla/mainsid
 YYY   experimentalZZZ, (main)
diff --git a/debian/changelog b/debian/changelog
index b814ff31..f40fa976 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,43 @@
+nvidia-graphics-drivers-tesla-470 (470.199.02-1~deb11u1) bullseye; 
urgency=medium
+
+  * Rebuild for bullseye.
+
+ -- Andreas Beckmann   Thu, 29 Jun 2023 00:17:37 +0200
+
+nvidia-graphics-drivers-tesla-470 (470.199.02-1) unstable; urgency=medium
+
+  * New upstream production branch release 470.199.02 (2023-06-26).
+* Fixed CVE-2023-25515, CVE-2023-25516.  (Closes: #1039684)
+  https://nvidia.custhelp.com/app/answers/detail/a_id/5468
+* Improved compatibility with recent Linux kernels.
+
+  [ Andreas Beckmann ]
+  * Refresh patches.
+
+ -- Andreas Beckmann   Thu, 29 Jun 2023 00:16:48 +0200
+
+nvidia-graphics-drivers (470.199.02-1) bullseye; urgency=medium
+
+  

Bug#1039854: marked as done (bullseye-pu: package nvidia-graphics-drivers/470.199.02-1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1039854,
regarding bullseye-pu: package nvidia-graphics-drivers/470.199.02-1
to be marked as done.



-- 
1039854: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039854
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Let's update nvidia-graphics-drivers in bullseye to a new
upstream release fixing some CVEs.

[ Impact ]
A proprietary graphics driver with more CVEs open.

[ Tests ]
Only module building has been tested. Anything else would require
certain hardware and driver usage.

[ Risks ]
Low. Upgrading to a new nvidia driver release in stable is an
established procedure.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  (excluding the blobs)
  [x] attach debdiff against the package in (old)stable
  (excluding the blobs)
  [ ] the issue is verified as fixed in unstable
  will be fixed with an upload of the 525 driver soon

[ Changes ]
This package is nearly identical to
src:nvidia-graphics-drivers-tesla-470 470.199.02-1* in
sid/bookworm (soon)/bullseye (soon).
There are no packaging changes this time ;-)

[ Other info ]
n/a

Andreas
diff --git a/debian/README.source b/debian/README.source
index 05196920..f12ec8c5 100644
--- a/debian/README.source
+++ b/debian/README.source
@@ -33,7 +33,7 @@ Upstream support timeframes
 Tesla 460 (PB)  01/2022 EoL
 Tesla 470 (LTSB)07/2024
 Tesla 510 (PB)  01/2023 EoL
-Tesla 515 (PB)  05/2023
+Tesla 515 (PB)  05/2023 EoL
 Tesla 525 (PB)  12/2023
 
 
@@ -67,20 +67,12 @@ The branch structure in the GIT repository
 460-tesla   EoL   (bullseye)  470-tesla, tesla-460/main
 tesla-460/main  EoL   (bullseye),(sid)tesla-470/main, 
tesla-460/transition-470
 tesla-460/transition-470  bullseye,sid
-470   bullseye510, 470-tesla
-470-tesla (bullseye)  510-tesla, tesla-470/main
-tesla-470/mainbullseye,bookworm,sid tesla-510/main
-510 EoL   (bookworm),sid  515, 510-tesla
-510-tesla   EoL   (bookworm)  515-tesla, tesla-510/main
-tesla-510/main  EoL   (bookworm),(sid)tesla/510, 
tesla-510/transition
-tesla-510/transition  sid
-tesla/510   EoL   (bookworm),sid  tesla/515
-515   (bookworm),sid  525, 515-tesla
-515-tesla (bookworm)  525-tesla, tesla/515
-tesla/515 (bookworm),sid  tesla/525
-525   (bookworm),sid  YYY, 525-tesla
+470   bullseye525, 470-tesla
+470-tesla (bullseye)  525-tesla, tesla-470/main
+tesla-470/mainbullseye,bookworm,sid tesla/525
+525   bookworm,sidYYY, 525-tesla
 525-tesla (bookworm)  ZZZ-tesla, tesla/525
-tesla/525 (bookworm),sid  tesla/ZZZ
+tesla/525 bookworm,sidtesla/ZZZ
 main  sid YYY
 tesla/mainsid
 YYY   experimentalZZZ, (main)
diff --git a/debian/changelog b/debian/changelog
index 3cfb9f5c..13cf2635 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,25 @@
+nvidia-graphics-drivers (470.199.02-1) bullseye; urgency=medium
+
+  * New upstream production branch release 470.199.02 (2023-06-26).
+* Fixed CVE-2023-25515, CVE-2023-25516.  (Closes: #1039678)
+  https://nvidia.custhelp.com/app/answers/detail/a_id/5468
+* Improved compatibility with recent Linux kernels.
+
+  [ Andreas Beckmann ]
+  * Refresh patches.
+  * Upload to bullseye.
+
+ -- Andreas Beckmann   Wed, 28 Jun 2023 23:20:58 +0200
+
+nvidia-graphics-drivers (470.182.03-2) UNRELEASED; urgency=medium
+
+  * Backport vm_area_struct_has_const_vm_flags changes from 470.199.02 to fix
+kernel module build for Linux 6.3.
+  * Backport drm_driver_has_dumb_destroy changes from 525.116.03 to fix kernel
+module build for Linux 6.4.
+
+ -- Andreas Beckmann   Sun, 18 Jun 2023 
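Review bot: the changelog adds a `nvidia-graphics-drivers (470.182.03-2) UNRELEASED` entry beneath the 470.199.02-1 bullseye entry; since 470.182.03-2 was never uploaded, its items (backports from 470.199.02 and 525.116.03 for Linux 6.3/6.4 module builds) are either subsumed by the new upstream release or still pending, and folding them into the 470.199.02-1 entry would avoid shipping a stable changelog that advertises an unreleased version.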

Bug#1039708: marked as done (bullseye-pu: package lua5.3/5.3.3-1.1+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1039708,
regarding bullseye-pu: package lua5.3/5.3.3-1.1+deb11u1
to be marked as done.



-- 
1039708: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039708
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lua...@packages.debian.org
Control: affects -1 + src:lua5.3

[ Reason ]

lua5.3=5.3.3-1.1 (buster, bullseye) is vulnerable to CVE-2019-6706 and
CVE-2020-24370.  These were fixed in a recent buster-security upload
(cf. DLA-3469-1).  The Security Team didn't think a DSA was warranted
for bullseye, and suggested to go via bullseye-pu instead.

[ Impact ]

* bullseye's lua5.3 would remain vulnerable to CVE-2019-6706 and
  CVE-2020-24370 (unlike buster-security).
* buster-security version (5.3.3-1.1+deb10u1) would remain higher than
  bullseye's (5.3.3-1.1).

[ Tests ]

* CVE-2019-6706 and CVE-2020-24370 POCs.
* (Adapted) upstream test suite from v5.3.6.
* (Local tests only, the above isn't run at build time nor in
  autopkgtests.)

[ Risks ]

Trivial patches backported from upstream's 5.3 branch.  The same patches
have been uploaded to buster-security on June 23.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]

 * Backport upstream fix for CVE-2019-6706: Use after free in
   lua_upvaluejoin in lapi.c. (Closes: #920321)
 * Backport upstream fix CVE-2020-24370: Segmentation fault in getlocal
   and setlocal functions in ldebug.c. (Closes: #988734)
 * Add d/salsa-ci.yml for Salsa CI.

[ Other info ]

The suggested debdiff is exactly (modulo d/changelog and d/salsa-ci.yml)
what was uploaded to buster-security.

-- 
Guilhem.
diffstat for lua5.3-5.3.3 lua5.3-5.3.3

 changelog|   10 +++
 patches/CVE-2019-6706.patch  |   57 +++
 patches/CVE-2020-24370.patch |   39 +
 patches/series   |2 +
 salsa-ci.yml |9 ++
 5 files changed, 117 insertions(+)

diff -Nru lua5.3-5.3.3/debian/changelog lua5.3-5.3.3/debian/changelog
--- lua5.3-5.3.3/debian/changelog   2018-12-28 20:10:13.0 +0100
+++ lua5.3-5.3.3/debian/changelog   2023-06-22 22:03:38.0 +0200
@@ -1,3 +1,13 @@
+lua5.3 (5.3.3-1.1+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2019-6706: Use after free in lua_upvaluejoin in lapi.c. (Closes:
+#920321)
+  * Fix CVE-2020-24370: Segmentation fault in getlocal and setlocal functions
+in ldebug.c. (Closes: #988734)
+
+ -- Guilhem Moulin   Thu, 22 Jun 2023 22:03:38 +0200
+
 lua5.3 (5.3.3-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru lua5.3-5.3.3/debian/patches/CVE-2019-6706.patch 
lua5.3-5.3.3/debian/patches/CVE-2019-6706.patch
--- lua5.3-5.3.3/debian/patches/CVE-2019-6706.patch 1970-01-01 
01:00:00.0 +0100
+++ lua5.3-5.3.3/debian/patches/CVE-2019-6706.patch 2023-06-22 
22:03:38.0 +0200
@@ -0,0 +1,57 @@
+From: Roberto Ierusalimschy 
+Date: Wed, 27 Mar 2019 14:30:12 -0300
+Subject: Fixed bug in 'lua_upvaluejoin'
+
+Bug-fix: joining an upvalue with itself could cause a use-after-free
+crash.
+
+Origin: 
https://github.com/lua/lua/commit/89aee84cbc9224f638f3b7951b306d2ee8ecb71e
+Bug: http://lua-users.org/lists/lua-l/2019-01/msg00039.html
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2019-6706
+Bug-Debian: https://bugs.debian.org/920321
+---
+ src/lapi.c | 12 ++--
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/lapi.c b/src/lapi.c
+index c9455a5..86eac00 100644
+--- a/src/lapi.c
 b/src/lapi.c
+@@ -1253,13 +1253,12 @@ LUA_API const char *lua_setupvalue (lua_State *L, int 
funcindex, int n) {
+ }
+ 
+ 
+-static UpVal **getupvalref (lua_State *L, int fidx, int n, LClosure **pf) {
++static UpVal **getupvalref (lua_State *L, int fidx, int n) {
+   LClosure *f;
+   StkId fi = index2addr(L, fidx);
+   api_check(L, ttisLclosure(fi), "Lua function expected");
+   f = clLvalue(fi);
+   api_check(L, (1 <= n && n <= f->p->sizeupvalues), "invalid upvalue index");
+-  if 
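Review bot: the quoted patch is cut off at `+-  if` in the middle of the getupvalref hunk, so only the signature change (dropping the `LClosure **pf` out-parameter from `getupvalref`) is visible; the diffstat announces `6 insertions(+), 6 deletions(-)` in src/lapi.c and the header a 57-line file, so the remaining lines, including the lua_upvaluejoin caller that the commit message says was the source of the use-after-free, cannot be reviewed from this mail. Please attach the complete debdiff. Note also that the archive has mangled the nested `+++ b/src/lapi.c` line into ` b/src/lapi.c`; the actual file in the upload should be checked against the Origin commit 89aee84cbc9224f638f3b7951b306d2ee8ecb71e.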

Bug#1039994: marked as done (bullseye-pu: package logrotate/3.18.0-2+deb11u2)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1039994,
regarding bullseye-pu: package logrotate/3.18.0-2+deb11u2
to be marked as done.


-- 
1039994: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039994
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:logrotate
User: release.debian@packages.debian.org
Usertags: pu
Tags: bullseye
Severity: normal

[ Reason ]
The previous upload (3.18.0-2+deb11u1) cherry picked several commits
around the state file handling of logrotate.
In particular 
debian/patches/applied-upstream/Do-not-lock-state-file-dev-null.patch
added the following wording to the man page:

If /dev/null is given as the state file, then logrotate will not
try to lock or write the state file.

In the current bullseye version this is only true for locking but not
for writing since the related commit was not included.
Thus the usage of /dev/null as the state file can lead to /dev/null
being replaced by a regular file.
See #1039868 as an example.

[ Impact ]
Users might be instructed by the man page to use /dev/null as a
throwaway state file and end up with /dev/null being replaced with a
regular file.

[ Tests ]
The testsuite of logrotate passes and there have been no issues in
logrotate versions that include that commit, in particular 3.21.0,
which is the version in Debian stable and unstable.

[ Risks ]
The change is a single trivial added path comparison to skip the state
file writing iff the state file is literal "/dev/null". There is no
change in behavior if the state file is not "/dev/null".

[ Checklist ]
 [X] *all* changes are documented in the d/changelog
 [X] I reviewed all changes and I approve them
 [X] attach debdiff against the package in (old)stable
 [X] the issue is verified as fixed in unstable

[ Changes ]
Skip writing the state to the file iff the path is literal "/dev/null".
Add a test case around using /dev/null as a state file.

[ Other info ]

diff -Nru logrotate-3.18.0/debian/changelog logrotate-3.18.0/debian/changelog
--- logrotate-3.18.0/debian/changelog   2022-01-30 17:29:14.0 +0100
+++ logrotate-3.18.0/debian/changelog   2023-06-30 19:45:16.0 +0200
@@ -1,3 +1,10 @@
+logrotate (3.18.0-2+deb11u2) bullseye; urgency=medium
+
+  * d/patches: cherry-pick usptream fix:
+- writeState: do nothing if state file is /dev/null (Closes: #1039868)
+
+ -- Christian Göttsche   Fri, 30 Jun 2023
19:45:16 +0200
+
logrotate (3.18.0-2+deb11u1) stable; urgency=medium

  * d/patches: cherry-pick upstream fixes:
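Review bot: typo in the new changelog entry: `cherry-pick usptream fix` should read `upstream`. The bug closed (#1039868) matches the one cited in the [Reason] section, so the entry is otherwise consistent with the request.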
diff -Nru 
logrotate-3.18.0/debian/patches/applied-upstream/writeState-do-nothing-if-state-file-is-dev-null.patch
logrotate-3.18.0/debian/patches/applied-upstream/writeState-do-nothing-if-state-file-is-dev-null.patch
--- 
logrotate-3.18.0/debian/patches/applied-upstream/writeState-do-nothing-if-state-file-is-dev-null.patch
 1970-01-01 01:00:00.0 +0100
+++ 
logrotate-3.18.0/debian/patches/applied-upstream/writeState-do-nothing-if-state-file-is-dev-null.patch
 2023-06-30 19:45:16.0 +0200
@@ -0,0 +1,76 @@
+From: Kamil Dudka 
+Date: Thu, 3 Jun 2021 10:51:07 +0200
+Applied-Upstream:
https://github.com/logrotate/logrotate/commit/456692644cbf5adb6253cb7ed2d169e950a9e348
+Subject: writeState: do nothing if state file is /dev/null
+
+If users do not want to use any state file, they can specify `/dev/null`
+as the state file.  Without this fix, logrotate would unnecessarily fail
+to rename a temporary file to `/dev/null`.
+
+Fixes: https://github.com/logrotate/logrotate/issues/395
+---
+ logrotate.c|  4 
+ test/Makefile.am   |  1 +
+ test/test-0089.sh  | 14 ++
+ test/test-config.89.in |  4 
+ 4 files changed, 23 insertions(+)
+ create mode 100755 test/test-0089.sh
+ create mode 100644 test/test-config.89.in
+
+diff --git a/logrotate.c b/logrotate.c
+index d110d54..31161bb 100644
+--- a/logrotate.c
 b/logrotate.c
+@@ -2515,6 +2515,10 @@ static int writeState(const char *stateFilename)
+ char *prevCtx;
+ int force_mode = 0;
+
++if (!strcmp(stateFilename, "/dev/null"))
++/* explicitly asked not to write the state file */
++return 0;
++
+ localtime_r(, );
+
+ tmpFilename = malloc(strlen(stateFilename) + 5 );
+diff --git a/test/Makefile.am b/test/Makefile.am
+index f1a0062..97e5775 100644
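Review bot: the early return in writeState fires only for the exact string: `if (!strcmp(stateFilename, "/dev/null"))`. Any other spelling of the same device node (`//dev/null`, `/dev/./null`, a symlink to it) still takes the temporary-file-plus-rename path and reproduces the original problem. That matches the "literal" wording in this request and in the man page text quoted above, so it is acceptable for a stable update, but the limitation deserves a sentence in the changelog or the man page. Separately, the archive has stripped the arguments from the context line `localtime_r(, );`; the patch file in the actual upload should be compared against upstream commit 456692644cbf5adb6253cb7ed2d169e950a9e348 rather than this rendering.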

Bug#1039738: marked as done (bullseye-pu: package nvidia-graphics-drivers-tesla-450/450.248.02-1~deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1039738,
regarding bullseye-pu: package 
nvidia-graphics-drivers-tesla-450/450.248.02-1~deb11u1
to be marked as done.


-- 
1039738: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039738
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Let's update nvidia-graphics-drivers-tesla-450 in bullseye to a new
upstream release fixing some CVEs.

[ Impact ]
A proprietary graphics driver with more CVEs open.

[ Tests ]
Only module building has been tested. Anything else would require
certain hardware and driver usage.

[ Risks ]
Low. Upgrading to a new nvidia driver release in stable is an
established procedure.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  (excluding the blobs)
  [x] attach debdiff against the package in (old)stable
  (excluding the blobs)
  [x] the issue is verified as fixed in unstable

[ Changes ]
This is a rebuild of the package from sid with no further changes.
No packaging changes this time ;-)

[ Other info ]
More updates for the other driver series are coming.


Andreas
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1039040: marked as done (bullseye-pu: cups/2.3.3op2-3+deb11u3)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1039040,
regarding bullseye-pu: cups/2.3.3op2-3+deb11u3
to be marked as done.


-- 
1039040: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039040
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for cups fixes CVE-2023-32324 and CVE-2023-34241 in 
Bullseye. Both CVEs have been marked as no-dsa by the security team.


The same fixes have been already uploaded to Unstable and nobody 
complained yet.


  Thorsten
diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog
--- cups-2.3.3op2/debian/changelog  2022-05-23 22:03:02.0 +0200
+++ cups-2.3.3op2/debian/changelog  2023-06-24 10:54:05.0 +0200
@@ -1,3 +1,14 @@
+cups (2.3.3op2-3+deb11u3) bullseye; urgency=medium
+
+  * CVE-2023-34241 (Closes: #1038885)
+use-after-free in cupsdAcceptClient()
+
+  * CVE-2023-32324
+A heap buffer overflow vulnerability would allow a remote attacker to 
+lauch a dos attack.
+
+ -- Thorsten Alteholz   Sat, 24 Jun 2023 10:54:05 +0200
+
 cups (2.3.3op2-3+deb11u2) bullseye-security; urgency=high
 
   * CVE-2022-26691
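Review bot: in the CVE-2023-32324 changelog entry, `lauch a dos attack` should read `launch a DoS attack`, and unlike the CVE-2023-34241 entry it cites no Debian bug; if one exists, add a `Closes:` so the BTS is updated by the upload.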
diff -Nru cups-2.3.3op2/debian/patches/0017-CVE-2023-32324.patch 
cups-2.3.3op2/debian/patches/0017-CVE-2023-32324.patch
--- cups-2.3.3op2/debian/patches/0017-CVE-2023-32324.patch  1970-01-01 
01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0017-CVE-2023-32324.patch  2023-06-24 
10:54:05.0 +0200
@@ -0,0 +1,29 @@
+From: Thorsten Alteholz 
+Date: Wed, 31 May 2023 23:20:58 +0200
+Subject: CVE-2023-32324
+
+---
+ cups/string.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/cups/string.c b/cups/string.c
+index 93cdad1..1f81d60 100644
+--- a/cups/string.c
 b/cups/string.c
+@@ -1,6 +1,7 @@
+ /*
+  * String functions for CUPS.
+  *
++ * Copyright © 2023 by OpenPrinting.
+  * Copyright © 2007-2019 by Apple Inc.
+  * Copyright © 1997-2007 by Easy Software Products.
+  *
+@@ -729,6 +730,8 @@ _cups_strlcpy(char   *dst, /* O - 
Destination string */
+ {
+   size_t  srclen; /* Length of source string */
+ 
++  if (size == 0)
++return (0);
+ 
+  /*
+   * Figure out how much room is needed...
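Review bot: the patch header carries only a Subject line; a short Description of the fix and an Origin/Bug-Debian pointer (as the lua5.3 and logrotate patches in this batch have) would make the debdiff self-explaining for the release team. On the change itself, `if (size == 0) return (0);` is placed before srclen is computed, so a zero-sized destination is no longer written to, which is what the heap overflow entry in the changelog describes; note that the function now returns 0 from that point, so any caller that inspects the return value of _cups_strlcpy for size == 0 sees a different answer than before, which is worth a sentence in the header.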
diff -Nru cups-2.3.3op2/debian/patches/0018-CVE-2023-34241.patch 
cups-2.3.3op2/debian/patches/0018-CVE-2023-34241.patch
--- cups-2.3.3op2/debian/patches/0018-CVE-2023-34241.patch  1970-01-01 
01:00:00.0 +0100
+++ cups-2.3.3op2/debian/patches/0018-CVE-2023-34241.patch  2023-06-24 
10:54:05.0 +0200
@@ -0,0 +1,57 @@
+From: Thorsten Alteholz 
+Date: Sat, 24 Jun 2023 19:51:21 +0200
+Subject: CVE-2023-34241
+
+---
+ scheduler/client.c | 16 +++-
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 9730eea..48e19b9 100644
+--- a/scheduler/client.c
 b/scheduler/client.c
+@@ -192,13 +192,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener 
socket */
+/*
+ * Can't have an unresolved IP address with double-lookups enabled...
+ */
+-
+-httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+-"Name lookup failed - connection from %s closed!",
++"Name lookup failed - closing connection from %s!",
+ httpGetHostname(con->http, NULL, 0));
+ 
++httpClose(con->http);
+ free(con);
+ return;
+   }
+@@ -234,11 +232,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener 
socket */
+   * with double-lookups enabled...
+   */
+ 
+-  httpClose(con->http);
+-
+   cupsdLogClient(con, CUPSD_LOG_WARN,
+-  "IP lookup failed - connection from %s closed!",
++  "IP lookup failed - closing connection from %s!",
+   httpGetHostname(con->http, NULL, 0));
++
++  httpClose(con->http);
+   free(con);
+   return;
+ }
+@@ -255,11 +253,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener 
socket */
+ 
+   if (!hosts_access(_req))
+   {
+-httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+ "Connection from %s refused by /etc/hosts.allow and "
+   "/etc/hosts.deny rules.", 
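Review bot: the reordering is the right fix for the use-after-free named in the changelog: in both fully visible regions, `cupsdLogClient(con, ..., httpGetHostname(con->http, NULL, 0))` dereferenced `con->http` after `httpClose(con->http)` had already run, and the patch moves httpClose to just before `free(con)`. The third region (the `hosts_access` branch at `@@ -255,11 +253,11 @@`) is cut off in this mail right after the removed httpClose, so the re-added call cannot be seen here; the diffstat's `7 insertions(+), 9 deletions(-)` is consistent with it being there, but please confirm against the complete patch. Same remark as for 0017-CVE-2023-32324.patch: the header has no description and no Origin.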

Bug#1038813: marked as done (bullseye-pu: package aide/0.17.3-4+deb11u2)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1038813,
regarding bullseye-pu: package aide/0.17.3-4+deb11u2
to be marked as done.


-- 
1038813: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038813
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@packages.debian.org
Control: affects -1 + src:aide

Dear stable release team,

this pre-upload request for the aide package is filed to ask for
guidance whether this package is suitable for bullseye-proposed-updates.
I have never done this before and am open for suggestions to improve and
for documentation pointers.

A fixed package has recently migrated to testing, the corresponding
bookworm request is #1037945.

[ Reason ]
This update fixes #1037436, a "just" important bug that causes incorrect
processing of extended attributes on symlinks that are monitored by
aide. This is a fix suggested by upstream (who is also a DD).

[ Impact ]
Without this fix, Aide will wrongly process extended attributes for
the file a symlink points to, which is not the intended behavior. The
fixed aide will process the extended attributes of a symlink.

[ Tests ]
This bug is sadly not covered by automated tests. I created a symlink
with extended attributes pointing to a file with different extended
attributes and verified that actually the extended attributes of the
symlink show up in the database.

[ Risks ]
Risks are that I goofed up in the fixes.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
commit b1d036a82a336836f05ed0d6dcb0b4bab6c7501f (HEAD -> bullseye)
Author: Marc Haber 
Date:   Wed Jun 21 18:29:23 2023 +0200

prepare upload to bullseye

Git-Dch: ignore

commit 60e63ac4052724be4a2b078940e266e835e89bf7
Author: Marc Haber 
Date:   Wed Jun 21 18:27:56 2023 +0200

refresh patch for bullseye

Git-Dch: ignore

commit f2912c100a5d3d9b37d4ab9318d5b8b9bf45025c
Author: Marc Haber 
Date:   Wed Jun 14 04:15:51 2023 +0200

Fix handling of extended attributes on symlinks

Closes: #1037436

This fixes wrong behavior regarding extended attributes on symlinks.
Prior versions of aide would wrongly process the extended attributes
of the file a symlink points to. This fix makes aide correctly process
the extended attributes of the link itself, which is the intended
behavior.

The fix for extended attributes on symlinks might lead to reported
changed entries during the next AIDE run. You can use the
`report_ignore_changed_attrs` option (see aide.conf(5)) to ignore
changes of the xattrs attribute; but be aware that this will not
only exclude the expected changes (of the symlink files) but also
the unexpected changes (of other files).

[ Other info ]
source debdiff attached. A binary debdiff will be delivered on request.

Please indicate whether this package might be a valid candidate to be in
the next bullseye point release.

Greetings
Marc
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1039020: marked as done (bullseye-pu: package schleuder/3.6.0-3+deb11u2)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1039020,
regarding bullseye-pu: package schleuder/3.6.0-3+deb11u2
to be marked as done.


-- 
1039020: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039020
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gitcom...@henk.geekmail.org
Control: affects -1 + src:schleuder

Dear release team,

[ Reason ]
Missing versioning of the ruby-activerecord dependency might lead to
failing upgrades from buster to bullseye if done in two stages, in
contrast to only one stage. This issue was reported by Hendrik Jäger and
Andreas Beckmann, both privately and in Debian via #1036950.

It was fixed in unstable via 4.0.3-8.

[ Impact ]
Severe, as upgrades might fail, depending on how these are done.

[ Tests ]
Tests were done both manually and via Salsa CI. Additionally, to ease
future maintenance and ensure upgrades work as expected, a new "piuparts
multi distro upgrade" CI test job was introduced. [2]

[ Risks ]
There should be none, I believe.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Add missing versioning on ruby-activerecord dependency, to ensure
correct ordering during upgrades.

For details, see the attached debdiff of 3.6.0-3+deb11u1, as currently
present in bullseye, and 3.6.0-3+deb11u2.

Thanks for your work!

Cheers,
Georg


[1] 
https://salsa.debian.org/ruby-team/schleuder/-/commit/08fd9a91a938346f5cad3cf216f8225b6f6cdd0e
diff -Nru schleuder-3.6.0/debian/changelog schleuder-3.6.0/debian/changelog
--- schleuder-3.6.0/debian/changelog	2021-12-26 16:28:29.0 +
+++ schleuder-3.6.0/debian/changelog	2023-06-24 15:02:25.0 +
@@ -1,3 +1,14 @@
+schleuder (3.6.0-3+deb11u2) bullseye; urgency=medium
+
+  * debian/control:
+- Add missing versioning on ruby-activerecord dependency. Before, upgrades
+  from buster to bullseye might have failed if done in two stages, in
+  contrast to only one stage, which worked as expected. Thanks to
+  Hendrik Jäger and Andreas Beckmann for reporting this issue.
+  (Closes: #1036950)
+
+ -- Georg Faerber   Sat, 24 Jun 2023 15:02:25 +
+
 schleuder (3.6.0-3+deb11u1) bullseye; urgency=medium
 
   * debian/patches:
diff -Nru schleuder-3.6.0/debian/control schleuder-3.6.0/debian/control
--- schleuder-3.6.0/debian/control	2021-12-26 16:28:29.0 +
+++ schleuder-3.6.0/debian/control	2023-06-24 15:02:25.0 +
@@ -39,7 +39,7 @@
  lsb-base,
  rake,
  ruby | ruby-interpreter,
- ruby-activerecord,
+ ruby-activerecord (>= 2:6~),
  ruby-charlock-holmes,
  ruby-gpgme,
  ruby-mail,
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1038943: marked as done (bullseye-pu: package lapack/3.9.0-3+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1038943,
regarding bullseye-pu: package lapack/3.9.0-3+deb11u1
to be marked as done.


-- 
1038943: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038943
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lap...@packages.debian.org
Control: affects -1 + src:lapack

Dear Release Team,

[ Reason ]
This oldstable update fixes important bug #1037188.

The bug is in LAPACKE (the C interface to LAPACK, which is in Fortran).

For symmetric eigenvalue problems, the returned eigenvector matrix
is incorrect (when row-major layout of matrices is used).

This is a regression from buster. The bug has been fixed in bookworm and sid.

[ Impact ]
Incorrect numerical result (one of the worst kinds of bug for numerical
software)

[ Tests ]
I verified that the proposed upload fixes the bug.
It introduces no regression in the internal LAPACK testsuite.

[ Risks ]
The patch affects a couple of leaf functions, so the risk
is limited.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
A quilt patch added, containing an upstream commit.

--
⢀⣴⠾⠻⢶⣦⠀  Sébastien Villemot
⣾⠁⢠⠒⠀⣿⡁  Debian Developer
⢿⡄⠘⠷⠚⠋⠀  https://sebastien.villemot.name
⠈⠳⣄  https://www.debian.org
diff -Nru lapack-3.9.0/debian/changelog lapack-3.9.0/debian/changelog
--- lapack-3.9.0/debian/changelog   2020-08-01 16:15:54.0 +0200
+++ lapack-3.9.0/debian/changelog   2023-06-23 14:53:50.0 +0200
@@ -1,3 +1,11 @@
+lapack (3.9.0-3+deb11u1) bullseye; urgency=medium
+
+  * lapacke-syev-heev.patch: new patch, fixes eigenvector matrix in
+LAPACKE’s interface to symmetric eigenvalue problem (syev and heev
+functions) (Closes: #1037242)
+
+ -- Sébastien Villemot   Fri, 23 Jun 2023 14:53:50 +0200
+
 lapack (3.9.0-3) unstable; urgency=medium
 
   [ Sébastien Villemot ]
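Review bot: the changelog entry closes #1037242 (the same number appears as Bug-Debian in the patch header below), while the [Reason] section of this request says the update fixes #1037188; one of the two numbers looks wrong, please make them consistent before upload.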
diff -Nru lapack-3.9.0/debian/patches/lapacke-syev-heev.patch 
lapack-3.9.0/debian/patches/lapacke-syev-heev.patch
--- lapack-3.9.0/debian/patches/lapacke-syev-heev.patch 1970-01-01 
01:00:00.0 +0100
+++ lapack-3.9.0/debian/patches/lapacke-syev-heev.patch 2023-06-23 
14:53:50.0 +0200
@@ -0,0 +1,215 @@
+Description: Fix eigenvector matrix in LAPACKE’s interface to symmetric 
eigenvalue problem
+ The syev and heev functions, when passed jobz=V and called in row major order
+ mode, would return an incorrect eigenvector matrix (incorrect lower- or
+ upper-triangle part).
+Origin: upstream, 
https://github.com/Reference-LAPACK/lapack/commit/7d5bb9e5e641772227022689162dd9cc47e64de0
+Bug: https://github.com/Reference-LAPACK/lapack/issues/850
+Bug-Debian: https://bugs.debian.org/1037242
+Last-Update: 2023-06-23
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/LAPACKE/src/lapacke_cheev_work.c 
b/LAPACKE/src/lapacke_cheev_work.c
+index f505dfab0..aa78e678e 100644
+--- a/LAPACKE/src/lapacke_cheev_work.c
 b/LAPACKE/src/lapacke_cheev_work.c
+@@ -78,7 +78,11 @@ lapack_int LAPACKE_cheev_work( int matrix_layout, char 
jobz, char uplo,
+ info = info - 1;
+ }
+ /* Transpose output matrices */
+-LAPACKE_che_trans( LAPACK_COL_MAJOR, uplo, n, a_t, lda_t, a, lda );
++if ( jobz == 'V') {
++LAPACKE_cge_trans( LAPACK_COL_MAJOR, n, n, a_t, lda_t, a, lda );
++} else {
++LAPACKE_che_trans( LAPACK_COL_MAJOR, uplo, n, a_t, lda_t, a, lda 
);
++}
+ /* Release memory and exit */
+ LAPACKE_free( a_t );
+ exit_level_0:
+diff --git a/LAPACKE/src/lapacke_cheevd_2stage_work.c 
b/LAPACKE/src/lapacke_cheevd_2stage_work.c
+index e9e6a5d1d..d26c84785 100644
+--- a/LAPACKE/src/lapacke_cheevd_2stage_work.c
 b/LAPACKE/src/lapacke_cheevd_2stage_work.c
+@@ -79,7 +79,11 @@ lapack_int LAPACKE_cheevd_2stage_work( int matrix_layout, 
char jobz, char uplo,
+ info = info - 1;
+ }
+ /* Transpose output matrices */
+-LAPACKE_che_trans( LAPACK_COL_MAJOR, uplo, n, a_t, lda_t, a, lda );
++if ( jobz == 'V') {
++LAPACKE_cge_trans( 
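Review bot: switching from LAPACKE_che_trans to LAPACKE_cge_trans when eigenvectors are requested is the right fix: with jobz = 'V' the output array holds a full eigenvector matrix rather than one triangle of a Hermitian one, so transposing only a triangle is exactly the "incorrect lower- or upper-triangle part" the header describes. Two points: `if ( jobz == 'V')` is a case-sensitive compare, whereas the Fortran routines also accept 'v' and the LAPACKE wrappers normally compare with LAPACKE_lsame; a lowercase caller would still get the old behaviour. And the hunk is truncated in this mail inside the lapacke_cheevd_2stage_work.c change, so the remainder of the 215-line patch (presumably the other heev/syev variants) is unreviewed here; please attach the complete debdiff.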

Bug#1039470: marked as done (bullseye-pu: package openblas/0.3.13+ds-3+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1039470,
regarding bullseye-pu: package openblas/0.3.13+ds-3+deb11u1
to be marked as done.


-- 
1039470: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039470
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: openb...@packages.debian.org
Control: affects -1 + src:openblas

Dear Release Team,

[ Reason ]
This oldstable update fixes important bug #1025480.

As a reminder, OpenBLAS is a BLAS (basic linear algebra) implementation that
provides kernels optimized for different generations of CPUs (ISAs). All the
kernels are embedded in the library binary, and the kernel selection is done at
runtime depending on the CPU model (this is called “dynamic arch” in the
OpenBLAS jargon).

The problem that I am trying to fix is the following: the AVX512 kernel 
(nicknamed
“SkylakeX”) is miscompiled in openblas 0.3.13+ds-3, so that openblas gives
incorrect numerical results in the DGEMM function (basic matrix multiplication)
on AVX512-capable hardware.

The cause of the problem is the following: the build-time check for determining
whether the compiler is able to understand AVX512 assembly/intrinsics was
doubly incorrect. It would test the build machine capabilities (instead of the
compiler capabilities); and it would check for AVX2 instead of AVX512. As a
consequence, on pre-AVX2 hardware, the build system would conclude that the
compiler is not able to understand AVX512 primitives, and would create a broken
AVX512 (SkylakeX) DGEMM kernel (essentially a Haswell kernel, but with some
wrong assumptions, hence leading to incorrect numerical results).

Versions 0.3.13+ds-3 and 0.3.13+ds-2, which are affected by the bug, were built
on the x86-csail-01 build daemon in 2021, which I suppose was pre-Ivybridge.
Binary packages built for e.g. on x86-conova-01 or x86-ubc-01 are not affected
by the bug, so I suppose these machines have at least AVX2. But I do not have
access to the build machine specifications to verify these conclusions.

[ Impact ]
Incorrect results in DGEMM (basic matrix multiplication) on AVX512-capable
hardware (hence a pretty serious bug for numerical software).

[ Tests ]
I manually verified that, on an Ivybridge machine, the package built without
the patch is buggy (i.e. gives incorrect results on AVX512-capable hardware),
and the package built with the patch works fine.

The internal testsuite of OpenBLAS still passes with the patch.

[ Risks ]
Risk is limited, since the patch should only affect AVX512 kernels (which are
already broken anyways).

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
A quilt patch added, containing an upstream pull request. The patch removes the
dependency of the binary package produced on the build machine specifications
(i.e. it will build a correct AVX512 kernel, irrespective of the build machine).

--
⢀⣴⠾⠻⢶⣦⠀  Sébastien Villemot
⣾⠁⢠⠒⠀⣿⡁  Debian Developer
⢿⡄⠘⠷⠚⠋⠀  https://sebastien.villemot.name
⠈⠳⣄  https://www.debian.org
diff -Nru openblas-0.3.13+ds/debian/changelog 
openblas-0.3.13+ds/debian/changelog
--- openblas-0.3.13+ds/debian/changelog 2021-04-18 10:36:29.0 +0200
+++ openblas-0.3.13+ds/debian/changelog 2023-06-25 21:56:08.0 +0200
@@ -1,3 +1,11 @@
+openblas (0.3.13+ds-3+deb11u1) bullseye; urgency=medium
+
+  * avx512-dgemm.patch: new patch taken from upstream. Fixes incorrect 
numerical
+results of DGEMM on AVX512-capable hardware, when the package has been 
built
+on pre-AVX2 hardware (e.g. Intel Ivybridge). (Closes: #1025480)
+
+ -- Sébastien Villemot   Sun, 25 Jun 2023 21:56:08 +0200
+
 openblas (0.3.13+ds-3) unstable; urgency=medium
 
   * fix-arm64-sigill.patch: new patch, fixes SIGILL on arm64 with numpy.
diff -Nru openblas-0.3.13+ds/debian/patches/avx512-dgemm.patch 
openblas-0.3.13+ds/debian/patches/avx512-dgemm.patch
--- openblas-0.3.13+ds/debian/patches/avx512-dgemm.patch1970-01-01 
01:00:00.0 +0100
+++ openblas-0.3.13+ds/debian/patches/avx512-dgemm.patch2023-06-25 
21:56:08.0 +0200
@@ -0,0 +1,80 @@
+Description: 

Bug#1037236: marked as done (bullseye-pu: package gss/1.0.3-6+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1037236,
regarding bullseye-pu: package gss/1.0.3-6+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1037236: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037236
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
libgss3 has a file conflict with libgss0, which may have remained
installed on a system originating from lenny

[ Impact ]
qa tests (piuparts with non-default config) fail

[ Tests ]
the piuparts test that exposed the bug passes with the updated package

[ Risks ]
low, only affects packages not in bullseye

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
  (but differently)

[ Changes ]
adding Breaks+Replaces against the obsolete libgss0 package

[ Other info ]


Andreas
diff -Nru gss-1.0.3/debian/changelog gss-1.0.3/debian/changelog
--- gss-1.0.3/debian/changelog  2021-01-09 00:18:27.0 +0100
+++ gss-1.0.3/debian/changelog  2023-06-07 01:45:19.0 +0200
@@ -1,3 +1,10 @@
+gss (1.0.3-6+deb11u) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * libgss3: Add Breaks+Replaces: libgss0 (<< 0.1).  (Closes: #988172)
+
+ -- Andreas Beckmann   Wed, 07 Jun 2023 01:45:19 +0200
+
 gss (1.0.3-6) unstable; urgency=low
 
   * Fix arch/indep-only builds.
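
Review bot: the version string on the first line, `gss (1.0.3-6+deb11u)`, is missing the trailing `1`: the request is for 1.0.3-6+deb11u1, and dpkg-parsechangelog would produce a version that does not match the intended .dsc. Fix to `gss (1.0.3-6+deb11u1) bullseye; urgency=medium`.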
diff -Nru gss-1.0.3/debian/control gss-1.0.3/debian/control
--- gss-1.0.3/debian/control2021-01-09 00:14:00.0 +0100
+++ gss-1.0.3/debian/control2023-06-07 01:45:19.0 +0200
@@ -50,6 +50,8 @@
 Multi-Arch: same
 Depends: libshishi-dev (>= 0.0.42), ${misc:Depends}, ${shlibs:Depends}
 Suggests: shishi
+Breaks: libgss0 (<< 0.1),
+Replaces: libgss0 (<< 0.1),
 Description: Library for Generic Security Services
  The GNU Generic Security Service Library (GSSLib) is a free
  implementation of the GSS-API security framework.  GSSLib uses Shishi
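
Review bot: confirm this hunk lands in the libgss3 stanza and not in libgss-dev: the surrounding context (`Depends: libshishi-dev (>= 0.0.42), ...`, `Suggests: shishi`) reads like a development package, while the changelog says the Breaks+Replaces belong to libgss3, the package the cover mail names as carrying the conflicting file. The trailing commas in `Breaks: libgss0 (<< 0.1),` and `Replaces: libgss0 (<< 0.1),` are accepted by dpkg but are normally dropped.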
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1038153: marked as done (bullseye-pu: package spip/3.2.11-3+deb11u8)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1038153,
regarding bullseye-pu: package spip/3.2.11-3+deb11u8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1038153: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038153
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: s...@packages.debian.org
Control: affects -1 + src:spip

Hi,

SPIP has been updated upstream to fix some security issues (link to the
French-only announcement follows), and we agreed with the security team
that they don’t warrant a DSA this time.

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-3-SPIP-4-1-10.html

The main backported fix is the one that limits recursion depth in
protege_champ() function.

The security screen fix (avoiding unserialize use) should already be
fixed in the main code, and the htaccess change is only provided as an
example (in /usr/share/doc/spip).

As usual, I’ve already deployed the proposed package on a server
providing over 30 SPIP websites.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

Regards,

David
diff -Nru spip-3.2.11/debian/changelog spip-3.2.11/debian/changelog
--- spip-3.2.11/debian/changelog	2023-02-28 22:51:50.0 +0100
+++ spip-3.2.11/debian/changelog	2023-06-11 15:47:39.0 +0200
@@ -1,3 +1,13 @@
+spip (3.2.11-3+deb11u8) bullseye; urgency=medium
+
+  * Backport security fixes from 4.1.10
+- Limit recursion depth in protege_champ() function
+- Avoid unserialize use in security screen
+- Properly block hidden files in provided htaccess
+- Update security screen to 1.5.3
+
+ -- David Prévot   Sun, 11 Jun 2023 15:47:39 +0200
+
 spip (3.2.11-3+deb11u7) bullseye-security; urgency=medium
 
   * Backport security fixes from v3.2.18
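
Review bot: this entry says the fixes come from 4.1.10 but gives the reader nothing to follow; add the upstream advisory URL quoted in the request (https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-3-SPIP-4-1-10.html) and CVE identifiers if any get assigned, since a security changelog entry is what the tracker and users grep for.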
diff -Nru spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch
--- spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch	1970-01-01 01:00:00.0 +0100
+++ spip-3.2.11/debian/patches/0052-security-limiter-la-profondeur-de-recursion-de-prote.patch	2023-06-11 15:47:34.0 +0200
@@ -0,0 +1,37 @@
+From: Cerdic 
+Date: Tue, 7 Mar 2023 14:56:30 +0100
+Subject: security: limiter la profondeur de recursion de `protege_champ`
+
+(cherry picked from commit b362e987b41fac344150f97cc563bf4d8c8181fa)
+
+Origin: backport, https://git.spip.net/spip/spip/commit/9b73dbd66e50baf312ba1c7df21efebba4ae08f1
+---
+ ecrire/balise/formulaire_.php | 14 --
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/ecrire/balise/formulaire_.php b/ecrire/balise/formulaire_.php
+index 34926cf..2b3639b 100644
+--- a/ecrire/balise/formulaire_.php
 b/ecrire/balise/formulaire_.php
+@@ -33,9 +33,19 @@ include_spip('inc/texte');
+  * @return string|array
+  * Saisie protégée
+  **/
+-function protege_champ($texte) {
++function protege_champ($texte, $max_prof = 128) {
+ 	if (is_array($texte)) {
+-		$texte = array_map('protege_champ', $texte);
++		// si on dépasse la prof max on tronque
++		if ($max_prof > 0) {
++			return array_map(
++function($v) use ($max_prof) {
++	return protege_champ($v, $max_prof-1);
++},
++$texte
++			);
++		}
++		// si on dépasse la prof max on tronque
++		return [];
+ 	} else {
+ 		if (is_null($texte)) {
+ 			return $texte;
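
Review bot: the header cites two different commits, `(cherry picked from commit b362e987...)` and `Origin: backport, .../commit/9b73dbd66...`; state which one is the original upstream commit and which is the branch backport so the provenance of a security fix is unambiguous. In the body, the comment `// si on dépasse la prof max on tronque` appears twice and the first copy sits on the `$max_prof > 0` branch, where the depth has not been exceeded; keep only the copy above `return [];`. Note also that hitting the cap silently replaces the nested array with `[]` rather than logging anything, which is the intended truncation but deserves a sentence in the description.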
diff -Nru spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
--- spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch	1970-01-01 01:00:00.0 +0100
+++ spip-3.2.11/debian/patches/0053-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch	2023-06-11 15:47:34.0 +0200
@@ -0,0 +1,64 @@
+From: Cerdic 
+Date: Tue, 7 Mar 2023 15:03:08 +0100
+Subject: =?utf-8?q?security=3A_Ameliorer_c76770a_en_=C3=A9vitant_un_=60unse?=
+ =?utf-8?q?rialize=60_dans_l=27=C3=A9cran_de_s=C3=A9curit=C3=A9?=
+
+(cherry picked 

Bug#1037196: marked as done (bullseye-pu: package dbus/1.12.28-0+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1037196,
regarding bullseye-pu: package dbus/1.12.28-0+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1037196: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037196
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@packages.debian.org, debian-b...@lists.debian.org
Control: affects -1 + src:dbus

[ Reason ]
Fix a local denial of service for which the security team does not intend
to do a DSA (dbus#457, #1037151; CVE assignment pending).

[ Impact ]
While a sysadmin is using `dbus-monitor --system` or similar tools,
an unprivileged local user can cause denial of service by crashing the
`dbus-daemon --system`.

The new upstream release also fixes some smaller bugs:
- fix a denial of service that wasn't relevant for the way Debian compiles
  dbus (it was only a problem when assertions are enabled)
- an autopkgtest regression on Ubuntu kernels
- wrong upstream bug reporting URLs
- a documentation typo

[ Tests ]
Build-time tests and autopkgtests pass. There is new test coverage for the
denial of service, which was able to reproduce the bug. I also smoke-tested
this on a GNOME virtual machine; I already upgraded my real-hardware
systems to bookworm, so I can't directly test this on hardware.

[ Risks ]
It's a key package, so any regressions would be highly visible.

Technically dbus has udebs, although as noted in the similar bookworm
update request, they aren't directly useful for anything.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable
  - intentionally not done yet due to the full freeze, because dbus
has udebs

[ Changes ]
bus/connection.c: fix the denial of service, #1037151
dbus/dbus-connection{.c,-internal.h}: enablers for #1037151
dbus/dbus-string.c: fix a local denial of service if assertions are
enabled in the dbus-daemon, which in Debian they are not
doc/dbus-api-design.duck: fix a typo in some sample code, not functionally
significant
configure.ac, dbus/dbus-sysdeps-unix.c: update bug reporting URLs
AUTHORS, NEWS, configure.ac: release administrivia
test/data/dbus-installed-tests.aaprofile.in: make a test profile a little
more permissive to fix an autopkgtest regression on Ubuntu kernels
test/data/valid-config-files, test/monitor.c: reproducer for the denial
of service bug

smcv
debdiff *.dsc | filterdiff -p1 -xaminclude_static.am -xMakefile.in -x'*/Makefile.in' -xconfigure

diffstat for dbus-1.12.24 dbus-1.12.28

 AUTHORS |4 +
 Makefile.in |2 
 NEWS|   54 +++
 aminclude_static.am |2 
 build-aux/ltmain.sh |4 -
 bus/Makefile.in |2 
 bus/connection.c|   15 
 configure   |   36 +-
 configure.ac|6 -
 dbus/Makefile.in|2 
 dbus/dbus-connection-internal.h |2 
 dbus/dbus-connection.c  |   11 ++-
 dbus/dbus-string.c  |2 
 dbus/dbus-sysdeps-unix.c|2 
 debian/changelog|   13 +++
 doc/dbus-api-design.duck|4 -
 test/Makefile.in|2 
 test/data/dbus-installed-tests.aaprofile.in |4 +
 test/data/valid-config-files/forbidding.conf.in |3 
 test/monitor.c  |   84 +---
 20 files changed, 212 insertions(+), 42 deletions(-)

diff -Nru dbus-1.12.24/AUTHORS dbus-1.12.28/AUTHORS
--- dbus-1.12.24/AUTHORS	2022-10-05 11:04:10.0 +0100
+++ dbus-1.12.28/AUTHORS	2023-06-06 14:00:50.0 +0100
@@ -40,6 +40,7 @@
 Daniel P. Berrange 
 Daniel Reed 
 Dan Williams 
+Dave Jones 
 Dave Reisner 
 David King 
 David Zeuthen 
@@ -65,6 +66,7 @@
 Havoc Pennington 
 Havoc Pennington 
 

Bug#1037214: marked as done (bullseye-pu: package appstream-glib/0.7.18-1+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1037214,
regarding bullseye-pu: package appstream-glib/0.7.18-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1037214: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037214
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye moreinfo
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: appstream-g...@packages.debian.org
Control: affects -1 + src:appstream-glib

[ Reason ]
Recent server-side changes on flathub.org mean that it started publishing
Appstream metadata that appstream-glib doesn't understand ( and 
markup), and appstream-glib is intolerant of non-recognised markup in
this context, causing `flatpak search` to regress in bullseye. (#1037206)

[ Impact ]
If not fixed, `flatpak search` will show an error message for Flathub
users and not offer any search results, unless the user upgrades to
the version from bullseye-backports (which is unaffected by appstream-glib
bugs because it has switched to using libappstream, a different codebase).

[ Tests ]
I confirmed that this fixes the reproducer from #1037206.

bullseye's gnome-software, which uses appstream-glib, is still able
to display search results from both Debian (I searched for amoebax)
and Flathub (I searched for steamlink and organicmaps). The package
description for organicmaps, which includes  and therefore triggered
this bug, is not displayed correctly in gnome-software (text inside 
doesn't appear), but that isn't a regression: the same behaviour is seen
without this change.

The patches also add a regression test, which is run at build-time
and passes.

[ Risks ]
These are straightforward backports from the newer upstream release in
bookworm, and have also been proposed for an Ubuntu 22.04 stable update.
The original change introduced a test failure, for which the subsequent
upstream fix is also included.

I've marked this as moreinfo because it should ideally be reviewed by the
package's maintainer (not me).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
All changes are part of solving #1037206.
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1037182: marked as done (bullseye-pu: package bmake/20200710-14+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1037182,
regarding bullseye-pu: package bmake/20200710-14+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1037182: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037182
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
There is a directory vs. symlink conflict between bsdowl (buster, not in
bullseye) and bmake (buster), causing bsdowl files to end up in a
location behind a symlink from bmake.
bsdowl has been fixed in bookworm and sid, but that happened too late for
bullseye (was already autorm'ed, not reintroducible).
With the Conflicts against the unfixed bsdowl version added to bmake,
the old bsdowl package from buster gets removed on systems upgraded to
bullseye. If someone really needs it, I can provide a backport of the
fixed bsdowl from bookworm in bullseye-backports.

[ Impact ]
QA tools warn about files installed over a directory symlink, maybe
silently overwriting other packages files.

[ Tests ]
manual piuparts tests
  buster -> bullseye + fix
  buster -> bullseye -> bullseye + fix
no longer fail with
  ERROR: installs objects over existing directory symlinks:
  /usr/share/mk/bps.autoconf.mk (bsdowl) != 
/usr/share/bmake/mk-bmake/bps.autoconf.mk (?)
/usr/share/mk -> bmake/mk-bmake
  ...

[ Risks ]
Low, only affects packages not part of bullseye.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
  - bsdowl ships the files in the new canonical location
  - bmake verifies that no other package messes up its symlinks

[ Changes ]
add Conflict against unfixed bsdowl versions, i.e. the version from
buster that may have survived the upgrade to bullseye since bsdowl is
not part of bullseye.

[ Other info ]
n/a

Andreas
diff -Nru bmake-20200710/debian/changelog bmake-20200710/debian/changelog
--- bmake-20200710/debian/changelog 2021-04-02 12:53:47.0 +0200
+++ bmake-20200710/debian/changelog 2023-06-07 09:48:17.0 +0200
@@ -1,3 +1,11 @@
+bmake (20200710-14+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Add Conflicts: bsdowl (<< 2.2.2-1.2~) for directory vs. symlink conflict.
+(Closes: #985347)
+
+ -- Andreas Beckmann   Wed, 07 Jun 2023 09:48:17 +0200
+
 bmake (20200710-14) unstable; urgency=medium
 
   * Remove the bsd.*.mk autodetection now that we actually ship symlinks.
diff -Nru bmake-20200710/debian/control bmake-20200710/debian/control
--- bmake-20200710/debian/control   2021-04-02 12:53:47.0 +0200
+++ bmake-20200710/debian/control   2023-06-07 09:48:17.0 +0200
@@ -13,6 +13,7 @@
 Multi-Arch: foreign
 Replaces: pmake
 Provides: pmake
+Conflicts: bsdowl (<< 2.2.2-1.2~)
 Breaks: pmake (<< 20200710-2)
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Description: NetBSD make
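
Review bot: `Conflicts:` rather than `Breaks:` is the right relationship here, since the clash is a directory-versus-symlink conflict at unpack time and the old bsdowl has to be removed before bmake is unpacked; no `Replaces:` is needed because bmake does not take over any bsdowl file. The `~` in `(<< 2.2.2-1.2~)` correctly keeps a future backport of the fixed 2.2.2-1.2 outside the conflict.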
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1037175: marked as done (bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1037175,
regarding bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1037175: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037175
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

[ Reason ]
https://security-tracker.debian.org/tracker/CVE-2023-28617
Bug #1033341

latex in ob-latex.el in Org Mode (≤9.6.1) allows attackers to execute
arbitrary commands via a file name or directory name that contains
shell metacharacters.

At this time, org-mode 9.1.14+dfsg-3 in buster continues to be
affected.  Bullseye's copy of Emacs also has a bundled version that is
affected, and I'm willing to patch that copy too.  Elpa-org-mode is a
modular add-on that upgrades and shadows that copy, by the way, so
the CVE should be fixed here first.

[ Impact ]
Security risk that is worth the effort to fix.  Emacs has no
sandboxing...  Carnil asked me to "consider proposing a fix via the
upcoming bullseye point release" (#1033341), so here I am!

[ Tests ]
For the version of src:org-mode, in bullseye, manual testing; however,
the same fix has been tested in the bundled copy of Org-mode that
is part of Emacs in bookworm.  This fix has seen two months of testing.

[ Risks ]
It's a trivial and fairly obvious fix that was discussed upstream here:
https://list.orgmode.org/tencent_04cf842704737012ccbcd63cd654dd41c...@qq.com/T/#m6ef8e7d34b25fe17b4cbb655b161edce18c6655e?cve=title

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
A cherry picked patch that has been tested in bookworm for two months,
an update to the series file, and a changelog entry.  The patch
replaces calls to the external "mv" command with Emacs internal
function "rename-file", which has been in active use since the '80s.


Thank you for all the work that you are doing for bookworm!
Regards,
Nicholas
diff -Nru org-mode-9.4.0+dfsg/debian/changelog 
org-mode-9.4.0+dfsg/debian/changelog
--- org-mode-9.4.0+dfsg/debian/changelog2020-09-24 10:07:33.0 
-0400
+++ org-mode-9.4.0+dfsg/debian/changelog2023-06-04 13:26:52.0 
-0400
@@ -1,3 +1,12 @@
+org-mode (9.4.0+dfsg-1+deb11u1) bullseye-security; urgency=medium
+
+  * Fix Org Mode command injection vulnerability CVE-2023-28617 by backporting
+0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch like src:emacs
+did (Closes: #1033341).  Thanks to Rob Browning's work in that package,
+fixing org-mode was trivially easy!
+
+ -- Nicholas D Steeves   Sun, 04 Jun 2023 13:26:52 -0400
+
 org-mode (9.4.0+dfsg-1) unstable; urgency=medium
 
   * New upstream version 9.4.0+dfsg
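
Review bot: the distribution field on the first line reads `bullseye-security`, but this is a point-release (pu) upload: it targets the `bullseye` suite (proposed-updates), as in the other deb11u1 entries in this thread, while `bullseye-security` is reserved for DSA uploads through the security team. Change it to `org-mode (9.4.0+dfsg-1+deb11u1) bullseye; urgency=medium`.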
diff -Nru 
org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch
 
org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch
--- 
org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch
1969-12-31 19:00:00.0 -0500
+++ 
org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch
2023-06-04 03:17:12.0 -0400
@@ -0,0 +1,51 @@
+From 320ab831aad7b66605e3778abe51a29cc377fb46 Mon Sep 17 00:00:00 2001
+From: Xi Lu 
+Date: Sat, 11 Mar 2023 18:53:37 +0800
+Subject: Fix command injection vulnerability CVE-2023-28617
+
+https://security-tracker.debian.org/tracker/CVE-2023-28617
+
+Trivially backport the following upstream patch like emacs-1:28.2+1-15 did:
+
+  * lisp/ob-latex.el: Fix command injection vulnerability
+
+  (org-babel-execute:latex):
+  Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
+
+  TINYCHANGE
+
+The second patch of the series does not appear to needed by Org-mode 9.4.0.
+
+Origin: 
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741
+Bug-Debian: https://bugs.debian.org/1033341
+---
+ lisp/ob-latex.el | 13 +
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/lisp/ob-latex.el b/lisp/ob-latex.el
+index 4b343dd..704ae4e 100644
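
Review bot: typo in the description, `does not appear to needed` should read `does not appear to be needed`; while there, name the second patch that is being skipped (it is referred to only as "the series"), so a later reviewer can check that it really is not required for 9.4.0.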
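The bug class this request backports a fix for, as an added example that is not code from Org Mode, Emacs or this upload: a `mv` command line assembled from an attacker-chosen file name, next to a rename done through the OS API (the shape of the `shell-command` to `rename-file` change the patch describes). The work directory, the `a.tex` input, the injected output name and the `marker` file are all constructed for the demonstration.

```python
import os
import subprocess
import tempfile


# Constructed attacker-controlled output name: a legal file name on Linux that
# a shell splits into two commands the moment it is pasted into a command line.
INJECTED_NAME = "out.pdf; echo injected > marker"


def move_via_shell(workdir: str, src: str, dst: str) -> None:
    """Vulnerable pattern: a command string built from untrusted names.

    This is the shape of the `(shell-command "mv BAR NEWBAR")` idiom the CVE
    describes; /bin/sh, not mv, gets to interpret ';', '$(...)', '`...`', '|'.
    """
    subprocess.run(f"mv {src} {dst}", shell=True, cwd=workdir, check=False)


def move_via_rename(workdir: str, src: str, dst: str) -> None:
    """Fixed pattern: rename through the OS API; no shell is in the path.

    subprocess.run(["mv", "--", src, dst]) with an argument list and no shell
    is equally safe; the "--" also stops a name starting with "-" from being
    parsed as an option.
    """
    os.replace(os.path.join(workdir, src), os.path.join(workdir, dst))


def run_demo(mover) -> dict:
    """Run one mover on a constructed input and report what ended up on disk."""
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "a.tex"), "w") as fh:
            fh.write("% constructed sample input\n")
        mover(workdir, "a.tex", INJECTED_NAME)
        return {
            # 'marker' exists only if the shell executed the injected command
            "injected": os.path.exists(os.path.join(workdir, "marker")),
            # the fixed mover creates a file literally called INJECTED_NAME
            "renamed_literally": os.path.exists(os.path.join(workdir, INJECTED_NAME)),
        }


if __name__ == "__main__":
    print("shell-command style:", run_demo(move_via_shell))
    print("rename-file style:  ", run_demo(move_via_rename))
```

Running it shows the shell variant creating `marker` (the injected command ran) while the rename variant produces one oddly named file and nothing else; quoting the names with shlex.quote would also close this hole, but not building a shell command at all removes the class rather than one instance of it.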

Bug#1037187: marked as done (bullseye-pu: package libprelude/5.2.0-3+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1037187,
regarding bullseye-pu: package libprelude/5.2.0-3+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1037187: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037187
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
Control: block 996878 with -1
Control: affects -1 + src:libprelude
Control: tag 996878 patch pending

[ Reason ]
'import prelude' fails in python3 due to some missing symbol, rendering
python3-prelude useless.

[ Impact ]
'import prelude' will not work, breaking some packages depending on that

[ Tests ]
manual 'import prelude' with the fixed package in bullseye worked
added superficial autopkgtest testing the import

[ Risks ]
Low. The patch cannot make the unusable python module worse.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
only backported python module fixes from sid

[ Other info ]

Andreas
diff -Nru libprelude-5.2.0/debian/changelog libprelude-5.2.0/debian/changelog
--- libprelude-5.2.0/debian/changelog   2020-11-26 19:53:39.0 +0100
+++ libprelude-5.2.0/debian/changelog   2023-06-07 12:52:40.0 +0200
@@ -1,3 +1,17 @@
+libprelude (5.2.0-3+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport Python module fixes from 5.2.0-4/5.2.0-5.
+
+  [ Thomas Andrejak ]
+  * d.patches: Add new patch 025-Fix-PyIOBase_Type.patch
+- Fix PyIOBase_Type for Python 3.10 compatibility
+  * d.patches: Update 025-Fix-PyIOBase_Type.patch because swig is not
+executed (Closes: #996878)
+  * d.tests: Add test to valid that we can load prelude as a python module
+
+ -- Andreas Beckmann   Wed, 07 Jun 2023 12:52:40 +0200
+
 libprelude (5.2.0-3) unstable; urgency=medium
 
   * d.patches: Add new patch
diff -Nru libprelude-5.2.0/debian/patches/025-Fix-PyIOBase_Type.patch 
libprelude-5.2.0/debian/patches/025-Fix-PyIOBase_Type.patch
--- libprelude-5.2.0/debian/patches/025-Fix-PyIOBase_Type.patch 1970-01-01 
01:00:00.0 +0100
+++ libprelude-5.2.0/debian/patches/025-Fix-PyIOBase_Type.patch 2023-06-07 
12:52:40.0 +0200
@@ -0,0 +1,170 @@
+Description: Fix PyIOBase_Type for Python 3.10 compatibility
+Author: Thomas Andrejak 
+Last-Update: 2021-08-13
+Forwarded: yes, privately
+
+--- libprelude-5.2.0/bindings/python/libpreludecpp-python.i2020-09-09 
16:30:32.51000 +0200
 libprelude-5.2.0/bindings/python/libpreludecpp-python.i2021-08-13 
23:20:11.672221930 +0200
+@@ -163,6 +163,26 @@
+ $1 = _cb_python_log;
+ };
+ 
++%{
++static PyObject *PyIOBase_TypeObj;
++
++static int init_file_emulator(void)
++{
++PyObject *io = PyImport_ImportModule("_io");
++if (io == NULL)
++return -1;
++PyIOBase_TypeObj = PyObject_GetAttrString(io, "_IOBase");
++if (PyIOBase_TypeObj == NULL)
++return -1;
++return 0;
++}
++%}
++
++%init %{
++if (init_file_emulator() < 0) {
++return NULL;
++}
++%}
+ 
+ /* tell swig not to cast void * value */
+ %typemap(in) void *nocast_file_p %{
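
Review bot: `init_file_emulator()` leaks the `_io` module: `PyImport_ImportModule` returns a new reference and `io` is never released, so add `Py_DECREF(io);` after the `PyObject_GetAttrString` call, on both the success and the failure path. Keeping `PyIOBase_TypeObj` alive for the lifetime of the module is fine. The `return NULL;` in the `%init` block only compiles for a Python 3 module init function; the file still carries `PY_VERSION_HEX < 0x0300` branches, so either guard it the same way or state in the header that Python 2 is no longer built.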
+@@ -172,8 +192,7 @@
+ 
+ }
+ #else
+-extern PyTypeObject PyIOBase_Type;
+-if ( ! PyObject_IsInstance((PyObject *) $input, (PyObject *) 
_Type) ) {
++if ( ! PyObject_IsInstance((PyObject *) $input, PyIOBase_TypeObj) ) {
+ SWIG_exception_fail(SWIG_RuntimeError, "Argument is not a 
file object");
+ }
+ #endif
+@@ -186,8 +205,7 @@
+ #if PY_VERSION_HEX < 0x0300
+ $1 = PyFile_Check((PyObject *) $input);
+ #else
+-extern PyTypeObject PyIOBase_Type;
+-$1 = PyObject_IsInstance((PyObject *) $input, (PyObject *) 
_Type);
++$1 = PyObject_IsInstance((PyObject *) $input, PyIOBase_TypeObj);
+ #endif
+ %}
+ 
+--- libprelude-5.2.0/bindings/python/_prelude.cxx
 libprelude-5.2.0/bindings/python/_prelude.cxx
+@@ -2761,7 +2761,7 @@ SwigPyBuiltin_FunpackSetterClosure (PyObject *obj, 
PyObject *val, void *closure)
+ 
+ SWIGINTERN void
+ SwigPyStaticVar_dealloc(PyDescrObject *descr) {
+-  PyObject_GC_UnTrack(descr);
++  PyObject_GC_UnTrack(descr);
+   Py_XDECREF(PyDescr_TYPE(descr));
+   
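
Review bot: the only change visible in this hunk is whitespace on `PyObject_GC_UnTrack(descr);` (the `-` and `+` lines differ in indentation only); if that is the whole hunk, drop it, since it edits a swig-generated file for no functional reason. More generally, because the changelog says swig is not re-run at build time, every change to `_prelude.cxx` has to mirror the `.i` edits by hand, which is worth a sentence in the patch header.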

Bug#1037054: marked as done (bullseye-pu: package libreswan/4.3-1+deb11u4)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1037054,
regarding bullseye-pu: package libreswan/4.3-1+deb11u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1037054: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037054
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libres...@packages.debian.org, d...@fifthhorseman.net
Control: affects -1 + src:libreswan

[ Reason ]

Uploading libreswan 4.3-1+deb11u4 should address #1035542 (aka
CVE-2023-30570), which addresses a potential DoS against libreswan
instances that use a certain IKEv1 configuration.

Discussion with Salvatore Bonaccorso over in #1035542 concluded that
using point releases for this should be sufficient.

[ Impact ]

Users on bullseye with a specific libreswan configuration (IKEv1 in
aggressive mode) risk a DDoS on their libreswan IKE daemon if a
malicious attacker on the network emits a certain stream of packets.

[ Tests ]

Sadly, most libreswan test suites involve running virtual machines,
interacting with the linux kernel over open network policies, and this
isn't possible on debian testing architecture.

[ Risks ]

The risks of including these patches are minimal.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

The changes deal solely with how the pluto IKE daemon handles error
cases on incoming IKEv1 packets in aggressive mode.

[ Other info ]

All of the above information has been aggregated and adapted from
https://libreswan.org/security/CVE-2023-30570/ Upstream released
version 4.11, which is just 4.10 with comparable patches applied.
4.11 is in unstable now.

I'll be uploading an update to 4.10 for a bookworm point release
shortly as well.
diff -Nru libreswan-4.3/debian/changelog libreswan-4.3/debian/changelog
--- libreswan-4.3/debian/changelog  2023-03-03 08:34:50.0 -0500
+++ libreswan-4.3/debian/changelog  2023-06-01 16:14:59.0 -0400
@@ -1,3 +1,9 @@
+libreswan (4.3-1+deb11u4) bullseye; urgency=medium
+
+  * Resolve CVE-2023-30570 (Closes: #1035542)
+
+ -- Daniel Kahn Gillmor   Thu, 01 Jun 2023 16:14:59 
-0400
+
 libreswan (4.3-1+deb11u3) bullseye-security; urgency=high
 
   * use upstream patch for 4.2 and 4.3
diff -Nru libreswan-4.3/debian/patches/0005-Resolve-CVE-2023-30570.patch 
libreswan-4.3/debian/patches/0005-Resolve-CVE-2023-30570.patch
--- libreswan-4.3/debian/patches/0005-Resolve-CVE-2023-30570.patch  
1969-12-31 19:00:00.0 -0500
+++ libreswan-4.3/debian/patches/0005-Resolve-CVE-2023-30570.patch  
2023-06-01 16:14:59.0 -0400
@@ -0,0 +1,140 @@
+From: Daniel Kahn Gillmor 
+Date: Thu, 1 Jun 2023 16:12:50 -0400
+Subject: Resolve CVE-2023-30570
+
+see https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt
+
+This patch was ported from
+https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570-libreswan-4.x.patch
+---
+ programs/pluto/ikev1.c  | 60 ++---
+ programs/pluto/ikev1_aggr.c |  5 ++--
+ 2 files changed, 60 insertions(+), 5 deletions(-)
+
+diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c
+index 2a06c2c..bb6c7be 100644
+--- a/programs/pluto/ikev1.c
 b/programs/pluto/ikev1.c
+@@ -1249,10 +1249,20 @@ void process_v1_packet(struct msg_digest *md)
+   struct state *st = NULL;
+   enum state_kind from_state = STATE_UNDEFINED;   /* state we started in 
*/
+ 
++  /*
++   * For the initial responses, don't leak the responder's SPI.
++   * Hence the use of send_v1_notification_from_md().
++   *
++   * AGGR mode is a mess in that the R0->R1 transition happens
++   * well before the transition succeeds.
++   */
+ #define SEND_NOTIFICATION(t)  \
+   {   \
+   pstats(ikev1_sent_notifies_e, t);   \
+-  if (st != NULL) \
++  if (st != NULL &&   \
++  st->st_state->kind != STATE_AGGR_R0 &&  \
++ 
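Review bot: the new guard excludes only STATE_AGGR_R0, while the comment above it motivates the change with initial responses in general; if the Main Mode responder's first state has a responder SPI that is equally unassigned at this point, it belongs in the same condition, and if it does not, the comment should say why aggressive mode is the special case. The remainder of the macro, including the send_v1_notification_from_md() fallback the comment promises, is cut off in this copy of the debdiff, so the else branch should be checked against the upstream 4.x patch before this is accepted. Note also that pstats(ikev1_sent_notifies_e, t) is counted before the state test, which is only accurate if every branch of the macro still sends a notification.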

Bug#1036811: marked as done (bullseye-pu: package ncurses/6.2+20201114-2+deb11u2)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1036811,
regarding bullseye-pu: package ncurses/6.2+20201114-2+deb11u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036811: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036811
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye d-i
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ncur...@packages.debian.org, debian-b...@lists.debian.org
Control: affects -1 + src:ncurses

I would like to address CVE-2023-29491[1] aka bug #1034372[2] in
Bullseye.  The changes are the same as in version 6.4-3 (see
#1035351[3]), except that there is no need to patch configure.in this
time.

[ Reason ]
Various memory corruption bugs exist when loading specifically crafted
terminfo database files.  This is a security problem in programs running
with elevated privileges, as users are allowed to provide their own
terminfo files under ${HOME}/.terminfo or via the TERMINFO or
TERMINFO_DIRS environment variables.

Backporting the upstream fixes would be too intrusive (and has not been
attempted in Bookworm either), but via a configure option it is possible
to prevent setuid/setgid programs from loading custom terminfo files
supplied by the user, after which the bugs are no longer security
relevant.

[ Impact ]
Local users could try privilege escalations in setuid/setgid programs
linked to the tinfo library.  How easily those can be achieved probably
depends on the program.

[ Tests ]
No automatic tests exist.  I have manually verified that programs can no
longer use custom terminfo files if their effective UID or GID differs
from the real one.  Also I have verified that the terminfo database in
the ncurses-{base,term} packages is unchanged from 6.2+20201114-2+deb11u2.

[ Risks ]
Users who are relying on their own terminfo files under
${HOME}/.terminfo can no longer use them in setuid/setgid programs and
will have to work around that, e.g. by changing their TERM environment
variable, using a different terminal emulator or asking their sysadmin
for help.

On my systems I did not find any setuid binaries linked to the tinfo
library, but some setgid games in the bsdgames package.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

I have slightly edited the debdiff to exclude spurious changes to the
debian/lib{32,64}tinfo6.symbols files, as these are just symlinks to
libtinfo6.symbols.  See devscripts bug #773762[4].

[ Other info ]
Since ncurses produces a udeb I have CC'ed debian-boot and tagged the
bug accordingly.  The screen binary in the screen-udeb package is
actually affected by the change, as it is installed setgid utmp.  This
should not really matter though, since the terminfo files in the
di-utils-terminfo package are installed in the standard place under
/lib/terminfo.

Thanks for consideration.

Cheers,
   Sven


1. https://security-tracker.debian.org/tracker/CVE-2023-29491
2. https://bugs.debian.org/1034372
3. https://bugs.debian.org/1035351
4. https://bugs.debian.org/773762

diff -Nru ncurses-6.2+20201114/debian/changelog ncurses-6.2+20201114/debian/changelog
--- ncurses-6.2+20201114/debian/changelog	2023-02-08 20:16:03.0 +0100
+++ ncurses-6.2+20201114/debian/changelog	2023-05-26 20:31:08.0 +0200
@@ -1,3 +1,17 @@
+ncurses (6.2+20201114-2+deb11u2) bullseye; urgency=medium
+
+  * Configure with "--disable-root-environ" to disallow loading of
+custom terminfo entries in setuid/setgid programs, mitigating the
+impact of CVE-2023-29491 (see #1034372).
+- Update the symbols files for the newly exported symbol
+  _nc_env_access.
+- New patch debian-env-access.diff, changing the behavior of the
+  "--disable-root-environ" configure option to not restrict programs
+  run by the superuser, equivalent to the "--disable-setuid-environ"
+  option introduced in the 20230423 patchlevel.
+
+ -- Sven Joachim   Fri, 26 May 2023 20:31:08 +0200
+
 ncurses (6.2+20201114-2+deb11u1) bullseye; urgency=medium
 
   * New patch CVE-2022-29458.diff: add a limit-check to guard against
diff -Nru ncurses-6.2+20201114/debian/libtinfo5.symbols ncurses-6.2+20201114/debian/libtinfo5.symbols
--- 
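
The --disable-root-environ / --disable-setuid-environ behaviour described in the request above comes down to one rule: a process whose effective uid or gid differs from its real one must ignore TERMINFO, TERMINFO_DIRS and $HOME/.terminfo and fall back to the compiled-in database directories. The C program below is an added illustration of that rule, not ncurses' own code or its _nc_env_access(); the function names, the fixed system directory list and the 256-byte path buffers are assumptions made for the example. The IDs and environment values are passed in as parameters so the decision can be exercised without installing a setuid binary.

```c
/* Added example, not ncurses code: decide whether user-controlled terminfo
 * locations may be honoured, and build the resulting search list. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_DIRS 16
/* Assumed system locations for the example; Debian's real list may differ. */
#define SYSTEM_TERMINFO "/etc/terminfo:/lib/terminfo:/usr/share/terminfo"

/* The rule from the changelog above: refuse environment-supplied paths when
 * the effective ID differs from the real one (setuid/setgid), but do not
 * single out a process that is genuinely root (ruid == euid == 0). */
int env_access_allowed(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

/* Same check using the calling process's own IDs. */
int env_access_allowed_self(void)
{
    return env_access_allowed(getuid(), geteuid(), getgid(), getegid());
}

/* Split a colon-separated list into out[]; returns the number of entries. */
static size_t split_colon_list(const char *list, char out[][256], size_t max)
{
    size_t n = 0;
    while (list && *list && n < max) {
        const char *colon = strchr(list, ':');
        size_t len = colon ? (size_t)(colon - list) : strlen(list);
        if (len > 0 && len < 256) {
            memcpy(out[n], list, len);
            out[n][len] = '\0';
            n++;
        }
        if (!colon)
            break;
        list = colon + 1;
    }
    return n;
}

/* Build the terminfo search list. env_terminfo, env_terminfo_dirs and
 * env_home mirror TERMINFO, TERMINFO_DIRS and HOME; they are parameters so
 * the logic can be tested without touching the real environment.
 * Returns the number of directories written to out[]. */
size_t build_terminfo_search_list(int trusted_env,
                                  const char *env_terminfo,
                                  const char *env_terminfo_dirs,
                                  const char *env_home,
                                  char out[][256], size_t max)
{
    size_t n = 0;
    if (trusted_env) {
        /* User-controlled sources are consulted only when the process does
         * not run with elevated privileges. Order: TERMINFO, ~/.terminfo,
         * TERMINFO_DIRS (an assumption for the example). */
        if (env_terminfo && *env_terminfo && n < max)
            n += split_colon_list(env_terminfo, out + n, max - n);
        if (env_home && *env_home && n < max) {
            snprintf(out[n], 256, "%s/.terminfo", env_home);
            n++;
        }
        if (env_terminfo_dirs && *env_terminfo_dirs && n < max)
            n += split_colon_list(env_terminfo_dirs, out + n, max - n);
    }
    /* The compiled-in system directories are always appended. */
    if (n < max)
        n += split_colon_list(SYSTEM_TERMINFO, out + n, max - n);
    return n;
}

int main(void)
{
    char dirs[MAX_DIRS][256];
    size_t n = build_terminfo_search_list(env_access_allowed_self(),
                                          getenv("TERMINFO"),
                                          getenv("TERMINFO_DIRS"),
                                          getenv("HOME"), dirs, MAX_DIRS);
    for (size_t i = 0; i < n; i++)
        printf("%s\n", dirs[i]);
    return 0;
}
```

Run as an ordinary user, the program lists the environment-derived directories first; installed setuid or setgid (as with the bsdgames binaries mentioned above) those entries disappear and only the system list remains. The real library goes on to look up $TERM in each directory; this example stops at path selection, which is the part the mitigation changes.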

Bug#1036976: marked as done (bullseye-pu: package grunt/1.3.0-1+deb11u2)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1036976,
regarding bullseye-pu: package grunt/1.3.0-1+deb11u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036976: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036976
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gr...@packages.debian.org
Control: affects -1 + src:grunt

[ Reason ]
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition
leading to arbitrary file write in GitHub repository gruntjs/grunt prior to
1.5.3. This vulnerability is capable of arbitrary file writes which can lead
to local privilege escalation to the GruntJS user if a lower-privileged user
has write access to both source and destination directories as the
lower-privileged user can create a symlink to the GruntJS user's .bashrc
file or replace /etc/shadow file if the GruntJS user is root.

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk: patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Refuse to copy a file if destination is a symlink

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 23c3145..dcebea4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+grunt (1.3.0-1+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Patch up race condition in symlink copying (Closes: CVE-2022-1537)
+
+ -- Yadd   Wed, 31 May 2023 14:59:30 +0400
+
 grunt (1.3.0-1+deb11u1) bullseye; urgency=medium
 
   * Team upload
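Review bot: `(Closes: CVE-2022-1537)` will not close anything; the changelog parser only acts on Debian bug numbers after Closes:, and the security tracker picks the CVE id out of the text regardless. Either cite the Debian bug tracking this CVE, if one exists, as `(Closes: #<bug>)` and keep the CVE id in the description, or drop the Closes: and write `Fix CVE-2022-1537: TOCTOU race in file.copy`.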
diff --git a/debian/patches/CVE-2022-1537.patch 
b/debian/patches/CVE-2022-1537.patch
new file mode 100644
index 000..19c750b
--- /dev/null
+++ b/debian/patches/CVE-2022-1537.patch
@@ -0,0 +1,39 @@
+Description: Patch up race condition in symlink copying
+Author: Vlad Filippov 
+Origin: upstream, https://github.com/gruntjs/grunt/commit/58016ffa
+Bug: https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/
+Forwarded: not-needed
+Applied-Upstream: 1.5.3, commit:58016ffa
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/lib/grunt/file.js
 b/lib/grunt/file.js
+@@ -333,8 +333,8 @@
+ }
+   }
+   // Abort copy if the process function returns false.
+-  if (contents === false) {
+-grunt.verbose.writeln('Write aborted.');
++  if (contents === false || file.isLink(destpath)) {
++grunt.verbose.writeln('Write aborted. Either the process function 
returned false or the destination is a symlink');
+   } else {
+ file.write(destpath, contents, readWriteOptions);
+   }
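Review bot: the fix at `if (contents === false || file.isLink(destpath))` is itself check-then-use: file.isLink() inspects the destination and file.write() opens it afterwards, so an attacker who can replace destpath between the two calls still gets the write redirected through their symlink; the only window closed is the one where the link already existed. The robust fix is to let the open refuse symlinks atomically (open the destination with O_NOFOLLOW, exposed in Node as fs.constants.O_NOFOLLOW, and fstat the descriptor before writing). Separately, the combined message 'Write aborted. Either the process function returned false or the destination is a symlink' hides which condition fired; log the two cases separately, since one is the user's choice and the other is a refused write someone should look at.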
+--- a/test/grunt/file_test.js
 b/test/grunt/file_test.js
+@@ -916,5 +916,13 @@
+   test.ok(fs.lstatSync(path.join(destdir.path, 
path.basename(fixtures))).isSymbolicLink());
+   test.done();
+ },
+-  }
++  },
++  'symbolicLinkDestError': function(test) {
++test.expect(1);
++var tmpfile = new Tempdir();
++fs.symlinkSync(path.resolve('test/fixtures/octocat.png'), 
path.join(tmpfile.path, 'octocat.png'), 'file');
++grunt.file.copy(path.resolve('test/fixtures/octocat.png'), 
path.join(tmpfile.path, 'octocat.png'));
++test.ok(fs.lstatSync(path.join(tmpfile.path, 
'octocat.png')).isSymbolicLink());
++test.done();
++  },
+ };
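Review bot: the new symbolicLinkDestError test only asserts that the destination is still a symlink, which would also hold if grunt had followed the link and overwritten its target; and because the symlink points at the very file being copied (test/fixtures/octocat.png), a successful overwrite would leave identical bytes behind and be invisible anyway. Point the symlink at a different fixture and add an assertion that the target's contents (or size and mtime) are unchanged after the copy.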
diff --git a/debian/patches/series b/debian/patches/series
index 24fd9f9..6231471 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ add-root-variable.patch
 fix-for-coffescript.diff
 adapt-gruntfile.patch
 CVE-2022-0436.patch
+CVE-2022-1537.patch
--- End Message ---
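
The race described in the grunt request above is not specific to JavaScript: any "inspect the destination, then write it" sequence has a window between the two steps. The C program below is an added example, not grunt's code, showing the two versions side by side at the system-call level: copy_contents_racy() mirrors the lstat-then-open pattern, and copy_contents_safe() lets the kernel refuse symlinks atomically with O_NOFOLLOW and then verifies the opened descriptor with fstat(). The function names and the /tmp fixture it builds (a regular file "target" and a symlink "link" pointing at it) are constructed for the example.

```c
/* Added example (not grunt's code): the check-then-write race at the
 * system-call level, and the open() flags that close it. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Racy version, the shape of the grunt patch: between lstat() and open() an
 * attacker with write access to the destination directory can swap a regular
 * file for a symlink, and the write follows it. Returns 0 on success. */
int copy_contents_racy(const char *dest, const char *data, size_t len)
{
    struct stat st;
    if (lstat(dest, &st) == 0 && S_ISLNK(st.st_mode)) {
        errno = ELOOP;
        return -1;                                   /* check ... */
    }
    int fd = open(dest, O_WRONLY | O_CREAT | O_TRUNC, 0644); /* ... then use */
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, data, len);
    close(fd);
    return w == (ssize_t)len ? 0 : -1;
}

/* Hardened version: O_NOFOLLOW makes open() fail with ELOOP when the final
 * path component is a symlink, and fstat() on the descriptor confirms we
 * hold a regular file rather than a FIFO or device planted at the path. */
int copy_contents_safe(const char *dest, const char *data, size_t len)
{
    int fd = open(dest, O_WRONLY | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;                                   /* errno == ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    if (ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    ssize_t w = write(fd, data, len);
    close(fd);
    return w == (ssize_t)len ? 0 : -1;
}

/* Constructed fixture: a scratch directory with "target" (regular file
 * containing "original\n") and "link" (symlink to target). Writes the
 * directory path into dir; returns 0 on success. */
int make_symlink_fixture(char *dir, size_t dirsz)
{
    char tmpl[] = "/tmp/toctou-XXXXXX";
    if (mkdtemp(tmpl) == NULL)
        return -1;
    snprintf(dir, dirsz, "%s", tmpl);
    char target[128], lnk[128];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    if (write(fd, "original\n", 9) != 9) {
        close(fd);
        return -1;
    }
    close(fd);
    return symlink(target, lnk);
}

/* Read a file back so callers can check whether the target was clobbered.
 * Returns the byte count or -1. */
long read_file(const char *path, char *buf, size_t bufsz)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return (long)n;
}

int main(void)
{
    char dir[64], lnk[128], target[128], buf[64];
    if (make_symlink_fixture(dir, sizeof dir) != 0)
        return 1;
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    int rc = copy_contents_safe(lnk, "evil\n", 5);
    printf("safe write through symlink: %s (errno %d)\n",
           rc == 0 ? "ALLOWED" : "refused", errno);
    read_file(target, buf, sizeof buf);
    printf("target still contains: %s", buf);
    return 0;
}
```

In Node the same flag is available as fs.constants.O_NOFOLLOW for fs.openSync(), which is what a port of this fix to lib/grunt/file.js would use in place of the isLink() check.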
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1036240: marked as done (bullseye-pu: package kscreenlocker/5.20.5-1+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1036240,
regarding bullseye-pu: package kscreenlocker/5.20.5-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036240: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036240
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: delta...@debian.org,debian-qt-...@lists.debian.org

[ Reason ]
When trying to unlock the screen and entering a wrong password,
it can lead to an endless loop when using the PAM module.
This fix applies a patch from upstream that fixes the
behaviour.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035732

[ Impact ]
The screen cannot be unlocked and log files get flooded.

[ Tests ]
The bug reporter confirmed that the applied patch fixes the
issue.

[ Risks ]
The risks are low. The patch comes directly from upstream and
has been applied to later versions of kscreenlocker.
In addition, only a single line in the code needs to be moved.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

[ Other info ]
diffstat for kscreenlocker-5.20.5 kscreenlocker-5.20.5

 changelog |6 ++
 patches/auth_failure.diff |   15 +++
 patches/series|1 +
 3 files changed, 22 insertions(+)

diff -Nru kscreenlocker-5.20.5/debian/changelog 
kscreenlocker-5.20.5/debian/changelog
--- kscreenlocker-5.20.5/debian/changelog   2021-01-06 15:50:51.0 
+0100
+++ kscreenlocker-5.20.5/debian/changelog   2023-05-17 22:40:20.0 
+0200
@@ -1,3 +1,9 @@
+kscreenlocker (5.20.5-1+deb11u1) bullseye; urgency=medium
+
+  * Fix authentication error when using PAM (Closes: #1035732).
+
+ -- Patrick Franz   Wed, 17 May 2023 22:40:20 +0200
+
 kscreenlocker (5.20.5-1) unstable; urgency=medium
 
   [ Pino Toscano ]
diff -Nru kscreenlocker-5.20.5/debian/patches/auth_failure.diff 
kscreenlocker-5.20.5/debian/patches/auth_failure.diff
--- kscreenlocker-5.20.5/debian/patches/auth_failure.diff   1970-01-01 
01:00:00.0 +0100
+++ kscreenlocker-5.20.5/debian/patches/auth_failure.diff   2023-05-13 
11:24:07.0 +0200
@@ -0,0 +1,15 @@
+diff --git a/greeter/authenticator.cpp b/greeter/authenticator.cpp
+index b184e04..2dabd0f 100644
+--- a/greeter/authenticator.cpp
 b/greeter/authenticator.cpp
+@@ -281,9 +281,9 @@ void KCheckPass::handleVerify()
+ emit failed();
+ return;
+ case ConvPutAuthError:
++case ConvPutAuthAbort:
+ cantCheck();
+ return;
+-case ConvPutAuthAbort:
+ case ConvPutReadyForAuthentication:
+ m_ready = true;
+ if (m_mode == AuthenticationMode::Direct) {
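Review bot: auth_failure.diff carries no DEP-3 header, so nothing in the patch file says where it comes from or what it fixes; add at least Description:, Origin: (the upstream commit the request says this was taken from), Bug-Debian: https://bugs.debian.org/1035732 and Last-Update:. On the change itself, moving `case ConvPutAuthAbort:` next to ConvPutAuthError means an abort now ends in cantCheck() instead of setting m_ready and re-entering authentication, which matches the endless-loop description; stating that in the patch description would stop the next updater from "tidying" the case order back.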
diff -Nru kscreenlocker-5.20.5/debian/patches/series 
kscreenlocker-5.20.5/debian/patches/series
--- kscreenlocker-5.20.5/debian/patches/series  1970-01-01 01:00:00.0 
+0100
+++ kscreenlocker-5.20.5/debian/patches/series  2023-05-13 11:21:34.0 
+0200
@@ -0,0 +1 @@
+auth_failure.diff
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1036182: marked as done (bullseye-pu: package spyder/4.2.1+dfsg1-3+deb11u2)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1036182,
regarding bullseye-pu: package spyder/4.2.1+dfsg1-3+deb11u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036182: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036182
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: spy...@packages.debian.org
Control: affects -1 + src:spyder

[ Reason ]
I mistakenly took only one of the four commits that made up the
duplicate-code-on-save bug fix in the deb11u1 update
(https://github.com/spyder-ide/spyder/pull/14759/commits); the result
has turned out to be quite broken ("Run file" no longer works!), but I
didn't realise this when I uploaded +deb11u1.  Of the other three
commits, one was purely cosmetic (whitespace consistency), 1.5 related
to the test suite (which is not included in the bullseye version of
spyder) and the remaining 0.5 of a commit (one line) was critical.

[ Impact ]
The "Run file" functionality is lost in many (most?) cases.

[ Tests ]
There are no automated tests in bullseye, unfortunately (which is why I
didn't discover this at the time).  Manual testing has indicated that
this patch fixes the issue.

[ Risks ]
I don't see any risk in applying this patch.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Apply half of the commit
https://github.com/spyder-ide/spyder/pull/14759/commits/b38e483eb5707db845921345084f4b7de20b6148
which was left out of the original patch.

[ Other info ]
That I'll be more careful next time?!

Best wishes,

   Julian


diff -Nru spyder-4.2.1+dfsg1/debian/changelog 
spyder-4.2.1+dfsg1/debian/changelog
--- spyder-4.2.1+dfsg1/debian/changelog 2023-01-09 19:58:36.0 +
+++ spyder-4.2.1+dfsg1/debian/changelog 2023-05-15 21:56:49.0 +0100
@@ -1,3 +1,10 @@
+spyder (4.2.1+dfsg1-3+deb11u2) bullseye; urgency=medium
+
+  * Fix broken patch in previous update, with thanks to Baptiste Pellegrin
+(closes: #1036128)
+
+ -- Julian Gilbey   Mon, 15 May 2023 21:56:49 +0100
+
 spyder (4.2.1+dfsg1-3+deb11u1) bullseye; urgency=medium
 
   * Fix duplicate-code-on-save bug (closes: #989660)
diff -Nru 
spyder-4.2.1+dfsg1/debian/patches/Prevent-double-saving-when-running-a-file.patch
 
spyder-4.2.1+dfsg1/debian/patches/Prevent-double-saving-when-running-a-file.patch
--- 
spyder-4.2.1+dfsg1/debian/patches/Prevent-double-saving-when-running-a-file.patch
   2023-01-09 19:58:36.0 +
+++ 
spyder-4.2.1+dfsg1/debian/patches/Prevent-double-saving-when-running-a-file.patch
   2023-05-15 21:56:49.0 +0100
@@ -158,7 +158,7 @@
  if self.get_option('save_all_before_run'):
 -self.save_all(save_new_files=save_new_files)
 +all_saved = self.save_all(save_new_files=save_new_files)
-+if not all_saved:
++if all_saved is not None and not all_saved:
 +return
  if self.__last_ec_exec is None:
  return
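Review bot: `if all_saved is not None and not all_saved:` silently distinguishes three return values of save_all() (None, False, True), and nothing at the call site says which path returns None or why None must not abort the run, which is exactly the distinction that broke +deb11u1. Add a comment here and, if the Debian patch also touches save_all(), make it return an explicit bool on every path so the None case cannot recur.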
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1036314: marked as done (bullseye-pu: package mujs/1.1.0-1+deb11u3)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1036314,
regarding bullseye-pu: package mujs/1.1.0-1+deb11u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036314: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036314
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Control: affects -1 + src:mujs
X-Debbugs-Cc: m...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bullseye
Severity: normal

[ Reason ]
https://security-tracker.debian.org/tracker/CVE-2021-33797
Buffer-overflow via integer overflow.

[ Impact ]
Vulnerability to that CVE.

[ Tests ]
I have only tested for functionality (did not exploit the bug).

[ Risks ]
Code is trivial (extension of two while conditions).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Upstream patch.
diff -Nru mujs-1.1.0/debian/changelog mujs-1.1.0/debian/changelog
--- mujs-1.1.0/debian/changelog 2022-11-21 13:10:02.0 +0100
+++ mujs-1.1.0/debian/changelog 2023-05-19 10:44:27.0 +0200
@@ -1,3 +1,9 @@
+mujs (1.1.0-1+deb11u3) bullseye; urgency=medium
+
+  * Fix CVE-2021-33797 via upstream patch
+
+ -- Bastian Germann   Fri, 19 May 2023 10:44:27 +0200
+
 mujs (1.1.0-1+deb11u2) bullseye-security; urgency=medium
 
   * Fix CVE-2022-44789, CVE-2022-30974, and CVE-2022-30975 via upstream patches
diff -Nru mujs-1.1.0/debian/patches/CVE-2021-33797.patch 
mujs-1.1.0/debian/patches/CVE-2021-33797.patch
--- mujs-1.1.0/debian/patches/CVE-2021-33797.patch  1970-01-01 
01:00:00.0 +0100
+++ mujs-1.1.0/debian/patches/CVE-2021-33797.patch  2023-05-19 
10:44:14.0 +0200
@@ -0,0 +1,31 @@
+Origin: upstream, 
https://git.ghostscript.com/?p=mujs.git;a=patch;h=833b6f1672b4f2991a63c4d05318f0b84ef4d550
+From: Tor Andersson 
+Date: Wed, 21 Apr 2021 12:25:48 +0200
+Subject: Issue #148: Check for overflow when reading floating point exponent.
+
+GCC with -O2 optimizes away the if(exp<-maxExponent) branch completely,
+so we don't end up with the expected '512' value for overflowing
+exponents. Limit the exponent parsing to MAX_INT instead to prevent
+signed overflow from tripping up over-eager optimizing compilers.
+---
+ jsdtoa.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/jsdtoa.c b/jsdtoa.c
+index 858017d..97cac11 100644
+--- a/jsdtoa.c
 b/jsdtoa.c
+@@ -691,10 +691,12 @@ js_strtod(const char *string, char **endPtr)
+   }
+   expSign = FALSE;
+   }
+-  while ((*p >= '0') && (*p <= '9')) {
++  while ((*p >= '0') && (*p <= '9') && exp < INT_MAX/10) {
+   exp = exp * 10 + (*p - '0');
+   p += 1;
+   }
++  while ((*p >= '0') && (*p <= '9'))
++  p += 1;
+   }
+   if (expSign) {
+   exp = fracExp - exp;
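Review bot: the new bound uses INT_MAX but this hunk adds no `#include <limits.h>`; confirm jsdtoa.c (or a header it already includes) pulls it in, otherwise the patch fails to build on bullseye. The cap itself is sound: the loop stops once exp >= INT_MAX/10, so `exp * 10 + (*p - '0')` can never exceed INT_MAX, and the second loop consumes the remaining digits so the end pointer handed back to the caller stays correct. What the hunk does not show is how the later overflow test (the `exp < -maxExponent` branch mentioned in the patch description) treats an exp of roughly 2e8, and whether `exp = fracExp - exp` can overflow when fracExp is itself large; both should be read together with this change.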
diff -Nru mujs-1.1.0/debian/patches/series mujs-1.1.0/debian/patches/series
--- mujs-1.1.0/debian/patches/series2022-11-21 13:10:02.0 +0100
+++ mujs-1.1.0/debian/patches/series2023-05-19 10:43:04.0 +0200
@@ -5,3 +5,4 @@
 Cope-with-empty-programs-in-mujs-pp.patch
 Dont-fclose-a-FILE-that-is-NULL.patch
 Fix-use-after-free-in-getOwnPropertyDescriptor.patch
+CVE-2021-33797.patch
--- End Message ---
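
For readers who want to see the bounded exponent parse in isolation: the C code below is an added example, not mujs' jsdtoa.c, that applies the same INT_MAX/10 cap as the patch above and then shows what a caller should do with a saturated exponent so the final scaling step overflows to infinity or underflows to zero instead of feeding a wrapped integer into arithmetic. parse_exponent() and scale_by_exponent() are names chosen for the example; the +/-400 clamp in the scaling step is an assumption (anything beyond the roughly 308 decimal exponents a double can hold yields the same result).

```c
/* Added example, not mujs' own jsdtoa.c: bounded parsing of a decimal
 * exponent (the pattern of the CVE-2021-33797 fix) followed by a scaling
 * step that turns an absurd exponent into inf/0 rather than signed overflow. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Parse an optional sign followed by decimal digits at p.
 * Accumulation stops as soon as exp >= INT_MAX/10, because one more
 * "exp * 10 + digit" could exceed INT_MAX (signed overflow is undefined
 * behaviour, and optimisers drop later range checks on that basis).
 * Remaining digits are still consumed so the caller's end pointer is right;
 * *saturated reports that digits were dropped.
 * Returns the number of characters consumed, 0 if there were no digits. */
size_t parse_exponent(const char *p, int *exp_out, int *saturated)
{
    const char *start = p;
    int neg = 0, exp = 0, digits = 0;

    *saturated = 0;
    if (*p == '-' || *p == '+') {
        neg = (*p == '-');
        p++;
    }
    while (*p >= '0' && *p <= '9') {
        if (exp < INT_MAX / 10)
            exp = exp * 10 + (*p - '0');   /* stays <= INT_MAX */
        else
            *saturated = 1;                /* value is already absurd */
        p++;
        digits++;
    }
    if (digits == 0)
        return 0;                          /* "1e" with no digits: caller decides */
    *exp_out = neg ? -exp : exp;
    return (size_t)(p - start);
}

/* Apply a decimal exponent to a mantissa. The exponent is clamped to a
 * range just outside what a double can represent (assumption for the
 * example: +/-400), so a saturated exponent behaves like strtod's
 * overflow/underflow instead of being used as a raw int. Scaling by
 * repeated multiplication keeps the example free of libm; exponents in the
 * subnormal range (below about -308) therefore flush to zero. */
double scale_by_exponent(double mantissa, int exp)
{
    double factor = 1.0;
    int i, n;

    if (exp > 400) exp = 400;
    if (exp < -400) exp = -400;
    n = exp < 0 ? -exp : exp;
    for (i = 0; i < n; i++)
        factor *= 10.0;                    /* 1e400 overflows to +inf */
    return exp < 0 ? mantissa / factor : mantissa * factor;
}

int main(void)
{
    /* Constructed inputs: a normal exponent, a negative one, and the kind of
     * digit run that overflowed the unbounded loop. */
    const char *inputs[] = { "308", "-5", "99999999999999999999" };
    for (size_t i = 0; i < 3; i++) {
        int e = 0, sat = 0;
        size_t used = parse_exponent(inputs[i], &e, &sat);
        printf("%-22s -> exp=%d saturated=%d consumed=%zu 1e%d=%g\n",
               inputs[i], e, sat, used, e, scale_by_exponent(1.0, e));
    }
    return 0;
}
```

The third input shows the point of the second loop in the patch: all twenty digits are consumed, the stored exponent stops growing at the cap, and the scaling step reports infinity rather than a garbage value computed from a wrapped int.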
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1036300: marked as done (bullseye-pu: package curl/7.74.0-1.3+deb11u8)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1036300,
regarding bullseye-pu: package curl/7.74.0-1.3+deb11u8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036300: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036300
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:curl
X-Debbugs-Cc: c...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bullseye
X-Debbugs-Cc: samuel...@debian.org
Severity: normal

[ Reason ]
* Backport upstream patches to fix 5 CVEs:
  - CVE-2023-27533: TELNET option IAC injection
  - CVE-2023-27534: SFTP path ~ resolving discrepancy
  - CVE-2023-27535: FTP too eager connection reuse
  - CVE-2023-27536: GSS delegation too eager connection re-use
  - CVE-2023-27538: SSH connection too eager reuse still
* d/p/add_Curl_timestrcmp.patch: New patch to backport Curl_timestrcmp(),
  required for CVE-2023-27535.

[ Impact ]
None of the vulnerabilities are critical, but they have already been
fixed in buster and we should do the same for bullseye.

[ Tests ]
curl's testsuite didn't spot any regressions.
The same CVEs have also been fixed in buster already.

[ Risks ]
Regressions on TELNET, SFTP, FTP, GSS and SSH functionalities of curl.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Nothing besides the CVE fixes.
The patches were changed to apply cleanly on bullseye, all the changes
can be seen here:
https://salsa.debian.org/debian/curl/-/commit/4adf0d7c4d47610336294d39f84a8360522a5936
https://salsa.debian.org/debian/curl/-/commit/b3dedba95658cea02405af32f0652f83d87f6eac
https://salsa.debian.org/debian/curl/-/commit/6909425ffa87e4c35730ecc2801ef40492239048
https://salsa.debian.org/debian/curl/-/commit/54e6a929643fe14160049ed8d1bda72dd34db9f7
https://salsa.debian.org/debian/curl/-/commit/19c382231a004b45b3096f72fb722f6df5d31902

[ Other info ]
I will be working on the latest CVEs that have been published for curl
but I'll push those fixes in a different upload.


-- 
Samuel Henrique 


curl_7.74.0-1.3+deb11u8.debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1036046: marked as done (bullseye-pu: package debian-parl/1.9.27+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1036046,
regarding bullseye-pu: package debian-parl/1.9.27+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036046: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036046
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 + src:debian-parl
Control: block 1035344 with -1
Control: block 1000872 with -1
Control: affects 1036044 + src:debian-design
Control: block 1000737 with 1036044

debian-parl needs to be rebuilt against newer boxer-data to drop
dependencies on packages lo longer built by src:thunderbird, e.g.
lightning. Currently design-parl* are uninstallable in bullseye.

Effective binary debdiff caused by this rebuild:

$ debdiff parl-desktop_1.9.27_all.deb parl-desktop_1.9.27+deb11u1_all.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: task-laptop, acpi-support, acpi-support-base, alsa-utils, anacron, 
apt-listchanges, aptitude, bash-completion, bluez, catfish, 
debian-security-support, evince, firefox-esr, gnome-disk-utility, 
jitterentropy-rngd, libgl1-mesa-dri, libreoffice-calc, libreoffice-gtk3, 
libreoffice-impress, libreoffice-writer, lightdm, [-lightning,-] mlocate, 
mousepad, mpv, needrestart, network-manager-gnome, nuntius, parcimonie, 
pasystray, pavucontrol, pinentry-gtk2, popularity-contest, pulseaudio, 
pulseaudio-utils, pulsemixer, shotwell, slick-greeter, systemd, thunar, 
thunderbird, unattended-upgrades, unicode-screensaver, usermode, uuid-runtime, 
volumeicon-alsa, webext-dav4tbsync, webext-https-everywhere, 
webext-privacy-badger, webext-ublock-origin-firefox, xfce4-notifyd, 
xfce4-panel, xfce4-power-manager, xfce4-power-manager-plugins, 
xfce4-pulseaudio-plugin, xfce4-session, xserver-xorg
Version: [-1.9.27-] {+1.9.27+deb11u1+}

$ debdiff parl-desktop-world_1.9.27_all.deb 
parl-desktop-world_1.9.27+deb11u1_all.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: parl-desktop, firefox-esr-l10n-ach, firefox-esr-l10n-af, 
firefox-esr-l10n-an, firefox-esr-l10n-ar, firefox-esr-l10n-ast, 
firefox-esr-l10n-az, firefox-esr-l10n-be, firefox-esr-l10n-bg, 
firefox-esr-l10n-bn, firefox-esr-l10n-br, firefox-esr-l10n-bs, 
firefox-esr-l10n-ca, firefox-esr-l10n-cak, firefox-esr-l10n-cs, 
firefox-esr-l10n-cy, firefox-esr-l10n-da, firefox-esr-l10n-de, 
firefox-esr-l10n-dsb, firefox-esr-l10n-el, firefox-esr-l10n-en-ca, 
firefox-esr-l10n-en-gb, firefox-esr-l10n-eo, firefox-esr-l10n-es-ar, 
firefox-esr-l10n-es-cl, firefox-esr-l10n-es-es, firefox-esr-l10n-es-mx, 
firefox-esr-l10n-et, firefox-esr-l10n-eu, firefox-esr-l10n-fa, 
firefox-esr-l10n-ff, firefox-esr-l10n-fi, firefox-esr-l10n-fr, 
firefox-esr-l10n-fy-nl, firefox-esr-l10n-ga-ie, firefox-esr-l10n-gd, 
firefox-esr-l10n-gl, firefox-esr-l10n-gn, firefox-esr-l10n-gu-in, 
firefox-esr-l10n-he, firefox-esr-l10n-hi-in, firefox-esr-l10n-hr, 
firefox-esr-l10n-hsb, firefox-esr-l10n-hu, firefox-esr-l10n-hy-am, 
firefox-esr-l10n-ia, firefox-esr-l10n-id, firefox-esr-l10n-is, 
firefox-esr-l10n-it, firefox-esr-l10n-ja, firefox-esr-l10n-ka, 
firefox-esr-l10n-kab, firefox-esr-l10n-kk, firefox-esr-l10n-km, 
firefox-esr-l10n-kn, firefox-esr-l10n-ko, firefox-esr-l10n-lij, 
firefox-esr-l10n-lt, firefox-esr-l10n-lv, firefox-esr-l10n-mk, 
firefox-esr-l10n-mr, firefox-esr-l10n-ms, firefox-esr-l10n-my, 
firefox-esr-l10n-nb-no, firefox-esr-l10n-ne-np, firefox-esr-l10n-nl, 
firefox-esr-l10n-nn-no, firefox-esr-l10n-oc, firefox-esr-l10n-pa-in, 
firefox-esr-l10n-pl, firefox-esr-l10n-pt-br, firefox-esr-l10n-pt-pt, 
firefox-esr-l10n-rm, firefox-esr-l10n-ro, firefox-esr-l10n-ru, 
firefox-esr-l10n-si, firefox-esr-l10n-sk, firefox-esr-l10n-sl, 
firefox-esr-l10n-son, firefox-esr-l10n-sq, firefox-esr-l10n-sr, 
firefox-esr-l10n-sv-se, firefox-esr-l10n-ta, firefox-esr-l10n-te, 
firefox-esr-l10n-th, firefox-esr-l10n-tr, firefox-esr-l10n-uk, 
firefox-esr-l10n-ur, firefox-esr-l10n-uz, firefox-esr-l10n-vi, 
firefox-esr-l10n-xh, firefox-esr-l10n-zh-cn, firefox-esr-l10n-zh-tw, 
hunspell-af, hunspell-an, hunspell-ar, hunspell-be, hunspell-bg, hunspell-bn, 
hunspell-bo, hunspell-br, 

Bug#1036043: marked as done (bullseye-pu: package boxer-data/10.8.28+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1036043,
regarding bullseye-pu: package boxer-data/10.8.28+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036043: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036043
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 + src:boxer-data
Control: block 1035347 with -1

This is a data update to remove packages no longer built by
src:thunderbird, e.g. lightning. This is needed for rebuilding
src:debian-design and src:debian-parl in order to drop the unavailable
dependencies and make their binary packages installable again in
bullseye.


Andreas
diff --git a/buster/classes/Desktop/email/thunderbird/locale/ASIA.yml 
b/buster/classes/Desktop/email/thunderbird/locale/ASIA.yml
index 9769349..17ae2c3 100644
--- a/buster/classes/Desktop/email/thunderbird/locale/ASIA.yml
+++ b/buster/classes/Desktop/email/thunderbird/locale/ASIA.yml
@@ -19,7 +19,6 @@ parameters:
 - thunderbird-l10n-ko
 - thunderbird-l10n-ms
 - thunderbird-l10n-ru
-- thunderbird-l10n-si
 - thunderbird-l10n-tr
 - thunderbird-l10n-vi
 - thunderbird-l10n-zh-cn
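Review bot: the edited class file lives under buster/classes/ even though this upload targets bullseye; confirm that the bullseye builds of debian-parl and debian-design really read the buster tree, because if the bullseye boxer-data ships a separate classes directory for bullseye the same thunderbird-l10n-si removal is needed there too. The change itself matches the changelog item "stop include package thunderbird-l10n-si".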
diff --git a/buster/classes/Desktop/scheduling/lightning/init.yml 
b/buster/classes/Desktop/scheduling/lightning/init.yml
index 722a476..6a9d60e 100644
--- a/buster/classes/Desktop/scheduling/lightning/init.yml
+++ b/buster/classes/Desktop/scheduling/lightning/init.yml
@@ -5,7 +5,6 @@ parameters:
   doc:
 desktop-scheduling:
   pkg:
-- include Thunderbird extension Lightning
+- include Thunderbird extension DAV-4-TbSync
   pkg:
-- lightning
 - webext-dav4tbsync
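Review bot: after dropping "lightning" the class is still named Desktop.scheduling.lightning while its doc string and its only remaining package are now DAV-4-TbSync; keeping the name is the right call so nodes that include the class keep working, but a one-line comment in the file saying the class is retained for compatibility would stop the next reader from re-adding the removed package.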
diff --git a/debian/changelog b/debian/changelog
index cd1891a..77ff1cd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+boxer-data (10.8.28+deb11u1) bullseye; urgency=medium
+
+  [ Jonas Smedegaard ]
+  * update class Desktop.scheduling.lightning:
+stop install package lightning (gone)
+  * update class Desktop.email.thunderbird.locale:
++ update subclass ASIA to stop include package thunderbird-l10n-si
+(Closes: #1035347)
+
+ -- Andreas Beckmann   Mon, 01 May 2023 15:43:00 +0200
+
 boxer-data (10.8.28) unstable; urgency=medium
 
   * fix exclude node showmebox-gnustep in autopkgtests
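Review bot: "(Closes: #1035347)" hangs off the thunderbird-l10n-si item only, while the request text motivates the whole update by the removal of lightning (the first item) and blocks #1035347 on it; check that #1035347 is really the l10n-si report and, if it also covers the lightning/uninstallability problem, reference it on that item as well so the BTS closes the right report at the point release.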
diff --git a/debian/gbp.conf b/debian/gbp.conf
index dad7295..4cc4bf2 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,5 +1,6 @@
 # Configuration file for git-buildpackage and friends
 
 [DEFAULT]
+debian-branch = bullseye
 sign-tags = True
 filter = */.git*
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1036044: marked as done (bullseye-pu: package debian-design/3.0.22+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1036044,
regarding bullseye-pu: package debian-design/3.0.22+deb11u1
to be marked as done.


-- 
1036044: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036044
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

debian-design needs to be rebuilt against newer boxer-data to drop
dependencies on packages no longer built by src:thunderbird, e.g.
lightning. Currently design-desktop* are uninstallable in bullseye.

Effective binary debdiff caused by this rebuild:

$ debdiff design-desktop_3.0.22_all.deb design-desktop_3.0.22+deb11u1_all.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: alsa-utils, apt-listchanges, aptitude, bzip2, debian-security-support, 
dfc, evince, firefox-esr, less, libgl1-mesa-dri, libreoffice-calc, 
libreoffice-gtk3, libreoffice-impress, libreoffice-writer, lightdm, 
[-lightning,-] links, mc, mpv, mtr-tiny, nano, ncdu, needrestart, 
network-manager-gnome, pasystray, pavucontrol, popularity-contest, pulseaudio, 
pulseaudio-utils, pulsemixer, rsync, slick-greeter, thunar, thunderbird, 
unicode-screensaver, usermode, volumeicon-alsa, webext-dav4tbsync, wget, 
xfce4-notifyd, xfce4-panel, xfce4-power-manager, xfce4-power-manager-plugins, 
xfce4-pulseaudio-plugin, xfce4-session, xserver-xorg
Version: [-3.0.22-] {+3.0.22+deb11u1+}


Andreas
diff --git a/debian/changelog b/debian/changelog
index d5bd904..0d3aa41 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+debian-design (3.0.22+deb11u1) bullseye; urgency=medium
+
+  * rebuild using newer boxer-data
++ stop include lightning; closes: bug#1000737
+
+ -- Andreas Beckmann   Mon, 01 May 2023 17:12:37 +0200
+
 debian-design (3.0.22) unstable; urgency=medium
 
   * rebuild using newer boxer-data
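Review bot: "closes: bug#1000737" is the only bug referenced, although the request describes design-desktop being uninstallable in bullseye; confirm that #1000737 is the report filed against the bullseye version (a stable update should close the bug tracking the bullseye breakage) and, if the uninstallability is tracked separately, add that number too. The lowercase "closes: bug#" form is accepted by dpkg-parsechangelog, so that part is fine.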
diff --git a/debian/control b/debian/control
index 3e204a3..0c74743 100644
--- a/debian/control
+++ b/debian/control
@@ -9,7 +9,7 @@ Build-Depends: cdbs,
  boxer (>= 1.1.0),
  shellcheck,
 # lock to boxer-data minor release: Feature additions should be documented
- boxer-data (>= 10.8),
+ boxer-data (>= 10.8.28+deb11u1~),
  boxer-data (<< 10.9)
 Standards-Version: 4.5.1
 Homepage: https://wiki.debian.org/Design
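Review bot: the new Build-Depends boxer-data (>= 10.8.28+deb11u1~) means this package cannot be built on the buildds until boxer-data 10.8.28+deb11u1 (#1036043) has been accepted into bullseye-proposed-updates, so the two uploads have to land in that order; the "~" suffix is the right idiom so that a rebuilt or backported boxer-data still satisfies the relation, and the unchanged "(<< 10.9)" line keeps the minor-release lock the comment above it describes.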
diff --git a/debian/gbp.conf b/debian/gbp.conf
index dad7295..4cc4bf2 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,5 +1,6 @@
 # Configuration file for git-buildpackage and friends
 
 [DEFAULT]
+debian-branch = bullseye
 sign-tags = True
 filter = */.git*
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---


Bug#1035924: marked as done (bullseye-pu: package postgis/3.1.1+dfsg-1+deb11u2)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1035924,
regarding bullseye-pu: package postgis/3.1.1+dfsg-1+deb11u2
to be marked as done.


-- 
1035924: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035924
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: post...@packages.debian.org
Control: affects -1 + src:postgis

[ Reason ]
The recent stable update to fix #1031392 introduced a regression as reported in 
#1035921.

[ Impact ]
Incorrect axis order for some projections.

[ Tests ]
Upstream test suite. Manually tested the updated package to verify the fix.

[ Risks ]
Low, leaf package.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Two additional upstream changes were required to fix the regression, one from 
before the patch in the previous stable update, and one following it.

[ Other info ]
N/A
diff -Nru postgis-3.1.1+dfsg/debian/changelog 
postgis-3.1.1+dfsg/debian/changelog
--- postgis-3.1.1+dfsg/debian/changelog 2023-02-16 19:00:56.0 +0100
+++ postgis-3.1.1+dfsg/debian/changelog 2023-05-11 10:39:28.0 +0200
@@ -1,3 +1,10 @@
+postgis (3.1.1+dfsg-1+deb11u2) bullseye; urgency=medium
+
+  * Add upstream patches to fix axis order regession.
+(closes: #1035921)
+
+ -- Bas Couwenberg   Thu, 11 May 2023 10:39:28 +0200
+
 postgis (3.1.1+dfsg-1+deb11u1) bullseye; urgency=medium
 
   * Update branch in gbp.conf & Vcs-Git URL.
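Review bot: typo in the new changelog entry: "regession" should be "regression".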
diff -Nru 
postgis-3.1.1+dfsg/debian/patches/0001-Flip-N-E-systems-to-E-N-and-geodetic-systems-to-Lon-.patch
 
postgis-3.1.1+dfsg/debian/patches/0001-Flip-N-E-systems-to-E-N-and-geodetic-systems-to-Lon-.patch
--- 
postgis-3.1.1+dfsg/debian/patches/0001-Flip-N-E-systems-to-E-N-and-geodetic-systems-to-Lon-.patch
   1970-01-01 01:00:00.0 +0100
+++ 
postgis-3.1.1+dfsg/debian/patches/0001-Flip-N-E-systems-to-E-N-and-geodetic-systems-to-Lon-.patch
   2023-05-11 10:39:16.0 +0200
@@ -0,0 +1,146 @@
+Description: Flip N/E systems to E/N and geodetic systems to Lon/Lat, while 
leaving Polar systems as-is, references #4949, 3.1 branch
+Author: Paul Ramsey 
+Origin: 
https://trac.osgeo.org/postgis/changeset/8baf0b07b26df12d246c82bdae8ecd77371f3d24/git
+Bug: https://trac.osgeo.org/postgis/ticket/4949
+Bug-Debian: https://bugs.debian.org/1035921
+
+--- a/liblwgeom/lwgeom_transform.c
 b/liblwgeom/lwgeom_transform.c
+@@ -261,43 +261,63 @@ proj_cs_get_simplecs(const PJ *pj_crs)
+   return NULL;
+ }
+ 
++#define STR_EQUALS(A, B) strcmp((A), (B)) == 0
++#define STR_IEQUALS(A, B) (strcasecmp((A), (B)) == 0)
++#define STR_ISTARTS(A, B) (strncasecmp((A), (B), strlen((B))) == 0)
++
+ static uint8_t
+ proj_crs_is_swapped(const PJ *pj_crs)
+ {
+-  PJ *pj_cs;
+-  uint8_t rv = LW_FALSE;
++int axis_count;
++PJ *pj_cs = proj_cs_get_simplecs(pj_crs);
++if (!pj_cs)
++lwerror("%s: proj_cs_get_simplecs returned NULL", __func__);
++
++axis_count = proj_cs_get_axis_count(NULL, pj_cs);
++if (axis_count >= 2)
++{
++const char *out_name1, *out_abbrev1, *out_direction1;
++const char *out_name2, *out_abbrev2, *out_direction2;
++/* Read first axis */
++proj_cs_get_axis_info(NULL,
++pj_cs, 0,
++_name1, _abbrev1, _direction1,
++NULL, NULL, NULL, NULL);
++/* Read second axis */
++proj_cs_get_axis_info(NULL,
++pj_cs, 1,
++_name2, _abbrev2, _direction2,
++NULL, NULL, NULL, NULL);
++
++proj_destroy(pj_cs);
++
++/* Directions agree, this is a northing/easting CRS, so reverse it */
++if(out_direction1 && STR_IEQUALS(out_direction1, "north") &&
++   out_direction2 && STR_IEQUALS(out_direction2, "east") )
++{
++return LW_TRUE;
++}
++
++/* Oddball case? Both axes north / both axes south, swap */
++if(out_direction1 && out_direction2 &&
++   ((STR_IEQUALS(out_direction1, "north") && 
STR_IEQUALS(out_direction2, "north")) ||
++(STR_IEQUALS(out_direction1, "south") && 
STR_IEQUALS(out_direction2, 
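Review bot: in the added macros, STR_EQUALS(A, B) expands to `strcmp((A), (B)) == 0` without the outer parentheses that STR_IEQUALS and STR_ISTARTS have, so a use such as `!STR_EQUALS(a, b)` would parse as `(!strcmp(a, b)) == 0` and invert the result; wrap the expansion in parentheses like its two siblings. In the same hunk, proj_crs_is_swapped() keeps using pj_cs after the `lwerror("%s: proj_cs_get_simplecs returned NULL", __func__)` call, which is only safe if lwerror() is guaranteed not to return on this code path; if it can return, an explicit `return LW_FALSE;` after it avoids passing NULL to proj_cs_get_axis_count().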

Bug#1035683: marked as done (bullseye-pu: package libbsd/0.11.3-1+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1035683,
regarding bullseye-pu: package libbsd/0.11.3-1+deb11u1
to be marked as done.


-- 
1035683: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035683
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lib...@packages.debian.org
Control: affects -1 + src:libbsd

Hi!

[ Reason ]

The libbsd library used to provide MD5 implementations, but those got
split into their own libmd library, and the code removed and switched
to be wrappers to use the libmd implementations to preserve the ABI.
The wrapping for one of those functions was not implemented properly
and that caused the symbol to call itself instead of redirecting to
the libmd symbol, which results in an infinite loop. This got later
inadvertently fixed when the wrapping method was changed, so it never
got noticed as a stable candidate, until now. (So this affects neither
earlier versions nor later ones in other Debian releases.)

[ Impact ]

Any program that might have been linked against old libbsd versions
and uses this symbol from libbsd (instead of using the libmd ones
directly) can end up in this infinite loop, spinning CPU.

[ Tests ]

This is currently not part of the test suite, as these functions are
wrappers over the ones in libmd, and deprecated in favor of direct use
of the symbols in libmd. And while the fix seems obviously correct,
I've done the following to make sure, just in case:

  ,---
  $ cat test.c
  #include 
  #include 
  int main() {
char digest[MD5_DIGEST_STRING_LENGTH + 1];
MD5File("test.c", digest);
printf("md5sum %s\n", digest);
return 0;
  }
  $ gcc test.c -lbsd -o test
  $ timeout 2 ./test
  $ echo $?
  124
  $ sudo dpkg -i libbsd0_0.11.3-1+deb11u1_amd64.deb
  $ timeout 2 ./test
  md5sum e75d8ce892d0ed5fb1aa2d39242f156c
  $ md5sum test.c
  e75d8ce892d0ed5fb1aa2d39242f156c  test.c
  `---

[ Risks ]

Seems like low risk to me

[ Checklist ]

  [√] *all* changes are documented in the d/changelog
  [√] I reviewed all changes and I approve them
  [√] attach debdiff against the package in (old)stable
  [√] the issue is verified as fixed in unstable

[ Changes ]

Adds a patch making the MD5File() function call the libmd MD5File()
one instead of calling itself.

Attached the debdiff for the update I've prepared.

Thanks,
Guillem
diff -Nru libbsd-0.11.3/debian/changelog libbsd-0.11.3/debian/changelog
--- libbsd-0.11.3/debian/changelog  2021-02-09 06:36:23.0 +0100
+++ libbsd-0.11.3/debian/changelog  2023-05-07 19:13:23.0 +0200
@@ -1,3 +1,11 @@
+libbsd (0.11.3-1+deb11u1) bullseye; urgency=medium
+
+  * Fix infinite loop when using MD5File() symbol due to missing symbol
+redirection. Thanks to Guillaume Morin .
+Closes: #1033671
+
+ -- Guillem Jover   Sun, 07 May 2023 19:13:23 +0200
+
 libbsd (0.11.3-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru 
libbsd-0.11.3/debian/patches/Fix-infinite-loop-on-MD5File-symbol-use.patch 
libbsd-0.11.3/debian/patches/Fix-infinite-loop-on-MD5File-symbol-use.patch
--- libbsd-0.11.3/debian/patches/Fix-infinite-loop-on-MD5File-symbol-use.patch  
1970-01-01 01:00:00.0 +0100
+++ libbsd-0.11.3/debian/patches/Fix-infinite-loop-on-MD5File-symbol-use.patch  
2023-05-07 19:13:23.0 +0200
@@ -0,0 +1,22 @@
+Author: Guillem Jover 
+Description: The MD5File() symbol is calling itself causing an infinite loop.
+ This was caused by an omission when switching to use the symbol redirects,
+ which was not applied for this symbol, but was subsequently fixed w/o notice
+ when the redirection method was changed, so this was not spotted as a stable
+ candidate fix.
+Origin: upstream, commit:e7cf8c5785b14fc8fbd37bb665a5f9a4f28c7888
+Bug-Debian: https://bugs.debian.org/1033671
+Forwarded: not-needed
+Last-Update: 2023-05-07
+
+--- a/src/md5.c
 b/src/md5.c
+@@ -105,7 +105,7 @@
+ MD5File(const char *filename, char *buf)
+ {
+   libmd_wrapper(MD5File);
+-  return MD5File(filename, buf);
++  return libmd_MD5File(filename, buf);
+ }
+ 
+ char *
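Review bot: the one-line redirect to libmd_MD5File() is the correct fix, but since the request states that these wrappers are not covered by the test suite, a small test that links against libbsd and calls MD5File() under a timeout (essentially the test.c shown in the request) would stop a self-recursing wrapper from reaching stable unnoticed again. It is also worth checking the remaining wrappers in src/md5.c to confirm each one calls its libmd_* counterpart rather than its own name, given that the omission was only spotted for this symbol.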
diff -Nru libbsd-0.11.3/debian/patches/series 
libbsd-0.11.3/debian/patches/series
--- libbsd-0.11.3/debian/patches/series 1970-01-01 01:00:00.0 +0100

Bug#1035522: marked as done (bullseye-pu: package debian-security-support/1:11+2023.05.04)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1035522,
regarding bullseye-pu: package debian-security-support/1:11+2023.05.04
to be marked as done.


-- 
1035522: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035522
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

hi,

this is a pre-approval request, I have not uploaded this yet (except to
unstable). 

[ Reason ]

unfortunately debian-security-support in both bullseye and bookworm
are affected by - #1034077 
"debian-security-support: Lots of noise about DEBIAN_VERSION 12 being 
invalid when upgrading bullseye→bookworm"

though fortunately the fix is trivial and buster is not affected.

(And unfortunately I forgot to fix this in the last bullseye point release...)

[ Impact ]

Lots of noise on bullseye to bookworm upgrades with debian-security-support
installed (which has a popcon of ~2750)

[ Tests ]

none, but the diff is really small & straightforward, see attachment.

 check-support-status.in  |2 +-
 debian/changelog |   11 +++
 debian/rules |2 +-
 security-support-limited |1 +
 4 files changed, 14 insertions(+), 2 deletions(-)

[ Risks ]

more users complaining about noise.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Other info ]

As there will be no more bullseye point releases before the bookworm
release, this probably needs to go in via bullseye-updates. Is d/changelog
correct for this like it is?


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

If we'd ban all cars from cities tomorrow, next week we will wonder why we
waited for so long.
diff -Nru debian-security-support-11+2022.08.23/check-support-status.in debian-security-support-11+2023.05.04/check-support-status.in
--- debian-security-support-11+2022.08.23/check-support-status.in	2022-08-23 18:24:26.0 +0200
+++ debian-security-support-11+2023.05.04/check-support-status.in	2023-05-04 19:24:04.0 +0200
@@ -13,7 +13,7 @@
 # Oldest Debian version included in debian-security-support
 DEB_LOWEST_VER_ID=9
 # Version ID for next Debian stable
-DEB_NEXT_VER_ID=11
+DEB_NEXT_VER_ID=12
 
 if [ -z "$DEBIAN_VERSION" ] ; then
 DEBIAN_VERSION="$(cat /etc/debian_version | grep '[0-9.]' | cut -d. -f1)"
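Review bot: bumping DEB_NEXT_VER_ID to 12 fixes the bullseye to bookworm case, but the same hardcoded constant will produce identical noise at the bookworm to trixie upgrade unless it is raised again in time (the request itself notes the previous point release was missed); a comment next to the assignment saying it must be bumped whenever the next stable is named would make this harder to forget.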
diff -Nru debian-security-support-11+2022.08.23/debian/changelog debian-security-support-11+2023.05.04/debian/changelog
--- debian-security-support-11+2022.08.23/debian/changelog	2022-08-23 18:26:34.0 +0200
+++ debian-security-support-11+2023.05.04/debian/changelog	2023-05-04 19:27:19.0 +0200
@@ -1,3 +1,14 @@
+debian-security-support (1:11+2023.05.04) bullseye; urgency=medium
+
+  [ Holger Levsen ]
+  * set DEB_NEXT_VER_ID=12 as bookworm is the next release. Closes: #1034077.
+Thanks to Stuart Prescott.
+
+  [ Sylvain Beucler ]
+  * security-support-limited: add gnupg1, see #982258.
+
+ -- Holger Levsen   Thu, 04 May 2023 19:27:19 +0200
+
 debian-security-support (1:11+2022.08.23) bullseye; urgency=medium
 
   * Update security-support-limited from 1:12+2022.08.19 from unstable,
diff -Nru debian-security-support-11+2022.08.23/debian/rules debian-security-support-11+2023.05.04/debian/rules
--- debian-security-support-11+2022.08.23/debian/rules	2022-08-23 18:24:26.0 +0200
+++ debian-security-support-11+2023.05.04/debian/rules	2023-05-04 19:24:04.0 +0200
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 
-NEXT_VERSION_ID=11
+NEXT_VERSION_ID=12
 
 DEBIAN_VERSION ?= $(shell cat /etc/debian_version | grep '[0-9.]' | cut -d. -f1)
 ifeq (,$(DEBIAN_VERSION))
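Review bot: NEXT_VERSION_ID in debian/rules and DEB_NEXT_VER_ID in check-support-status.in now carry the same value in two places and both had to be bumped in this upload; since the script is a .in file, having debian/rules substitute its value into the script at build time (or having one file read the other) would remove the chance that the two drift apart in a future update.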
diff -Nru debian-security-support-11+2022.08.23/security-support-limited debian-security-support-11+2023.05.04/security-support-limited
--- debian-security-support-11+2022.08.23/security-support-limited	2022-08-23 18:24:26.0 +0200
+++ debian-security-support-11+2023.05.04/security-support-limited	2023-05-04 19:24:04.0 +0200
@@ -12,6 +12,7 @@
 ganglia See README.Debian.security, only supported behind an authenticated HTTP 

Bug#1035475: marked as done (bullseye-pu: package dkimpy/1.0.5-1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1035475,
regarding bullseye-pu: package dkimpy/1.0.5-1
to be marked as done.


-- 
1035475: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035475
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

This is a new upstream release that we targeted to address bugs that
would generally be suitable for Debian post-release updates.

[ Reason ]
Fix bugs identified below.

Several significant bug fixes have been done that together merited an
upstream release of the older series (1.0).  While none of these are
known regressions from Buster, some of them are significant, in
particular:

The base64 validation regexp bug causes a 1-2% DKIM signature
verification failure rate, which adds up.

The ed25519 key file permissions fix has potential security implications
for anyone generating private keys on insecure systems.  This is low
probability because people shouldn't do this, but no doubt someone does.

[ Impact ]
Bugs aren't fixed.  Primary impact is 1-2% of messages that should pass
DKIM verification will be evaluated as failures.

[ Tests ]
The dkimpy package has an autopkgtest which runs the upstream test suite
(and passes).  I have this update running in production locally.

[ Risks ]
Risk is low.  The riskiest change, the base64 validation regexp fix has
been released in the dkimpy 1.1 series for a few months with no issues
reported.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]

All upstream changes are described in the upstream changelog:

2023-04-30 Version 1.0.6
- Provide more specific error message when ed25519 private key is invalid
  (See LP 1901569 for background)
- Correct base64 validation regexp so that valid signature with == split
  between two lines are not incorrectly evaluated as invalid (LP:
  #2002295) - Thanks to  for the report and
  the proposed fix
- Fix traceback when attempting to verify an unsigned message using
  async verify (Thanks to Nikita Sychev for the report and a suggested
  fix) (LP: #2008723)
- Verify correct AMS header is used for ARC seal verification
- Catch nacl.exceptions.ValueError and raise KeyFormatError, similar to how
  RSA key errors are treated (LP: #2018021)
- Create ed25519 key files with secure permissions to avoid risk of
  insecure chmod call/race condition (Thanks to Hanno Böck for the report
  and the suggested fix) (LP: #2017430)

The only packaging changes are to adjust for bullseye specifics

[ Other info ]
These bug fixes were included in unstable in version 1.1.0-1, 1.1.1-1,
1.1.2-1, and 1.1.3-1.
diff -Nru dkimpy-1.0.5/ChangeLog dkimpy-1.0.6/ChangeLog
--- dkimpy-1.0.5/ChangeLog  2020-08-08 22:34:58.0 -0400
+++ dkimpy-1.0.6/ChangeLog  2023-04-30 10:09:05.0 -0400
@@ -1,3 +1,20 @@
+2023-04-30 Version 1.0.6
+- Provide more specific error message when ed25519 private key is invalid
+  (See LP 1901569 for background)
+- Correct base64 validation regexp so that valid signature with == split
+  between two lines are not incorrectly evaluated as invalid (LP:
+  #2002295) - Thanks to  for the report and
+  the proposed fix
+- Fix traceback when attempting to verify an unsigned message using
+  async verify (Thanks to Nikita Sychev for the report and a suggested
+  fix) (LP: #2008723)
+- Verify correct AMS header is used for ARC seal verification
+- Catch nacl.exceptions.ValueError and raise KeyFormatError, similar to how
+  RSA key errors are treated (LP: #2018021)
+- Create ed25519 key files with secure permissions to avoid risk of
+  insecure chmode call/race condition (Thanks to Hanno Böck for the report
+  and the suggested fix) (LP: #2017430)
+
 2020-08-08 Version 1.0.5
 - Update dnsplug for DNS Python (dns) 2.0 compatibility (LP: #1888583)
 - Fix @param srv_id typos (LP: #1890532)
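Review bot: typo in the added upstream ChangeLog text: "insecure chmode call" should read "insecure chmod call" (the same wording is quoted in the request body, so it is worth reporting upstream even though the Debian upload cannot change the upstream file).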
diff -Nru dkimpy-1.0.5/debian/changelog dkimpy-1.0.6/debian/changelog
--- 
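The ed25519 key-file permissions fix listed above (LP: #2017430) is about the window between creating a file with the process umask and tightening it with chmod. The following is an added example, not dkimpy's code or part of this upload; the file names and the sample key bytes are constructed stand-ins.

```python
"""Secure private-key file creation versus create-then-chmod.

Added example: the insecure variant reproduces the pattern the dkimpy 1.0.6
fix removed (create with default mode, chmod afterwards) and reports the mode
another local user could observe in between; the secure variant asks the
kernel for 0600 at creation time and refuses to overwrite an existing path.
"""
import os
import stat
import tempfile

# Constructed sample: a stand-in for ed25519 private key material, NOT a real key.
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nEXAMPLE-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n"


def _mode(path):
    """Permission bits of path as an int, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_key_insecure(path, data, umask=0o022):
    """The pattern the fix removed: create with the process umask, then chmod.

    Returns the mode observed between creation and chmod(), i.e. what another
    process could see during the race window. The umask is set explicitly
    (and restored) so the result does not depend on the caller's environment.
    """
    old = os.umask(umask)
    try:
        with open(path, "wb") as fh:    # created as 0666 & ~umask -> 0644
            fh.write(data)
        exposed = _mode(path)           # world-readable during the window
        os.chmod(path, 0o600)           # too late if someone already opened it
    finally:
        os.umask(old)
    return exposed


def write_key_secure(path, data):
    """Create the file with mode 0600 atomically; fail if it already exists.

    O_CREAT|O_EXCL makes creation atomic, so the file never exists with a
    wider mode and a pre-placed file or symlink at the path is rejected.
    Returns the mode of the written file.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return _mode(path)


def demo():
    """Run both variants in a temp dir.

    Returns (exposed_mode, secure_mode, refused_overwrite).
    """
    with tempfile.TemporaryDirectory() as d:
        exposed = write_key_insecure(os.path.join(d, "insecure.key"), SAMPLE_KEY)
        secure_path = os.path.join(d, "secure.key")
        secure = write_key_secure(secure_path, SAMPLE_KEY)
        try:
            write_key_secure(secure_path, SAMPLE_KEY)
            refused = False
        except FileExistsError:
            refused = True
    return exposed, secure, refused


if __name__ == "__main__":
    exposed, secure, refused = demo()
    print("insecure variant exposed mode: %o" % exposed)
    print("secure variant mode: %o, overwrite refused: %s" % (secure, refused))
```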

Bug#1035464: marked as done (bullseye-pu: package lttng-modules/2.12.5-1+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1035464,
regarding bullseye-pu: package lttng-modules/2.12.5-1+deb11u1
to be marked as done.


-- 
1035464: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035464
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lttng-modu...@packages.debian.org
Control: affects -1 + src:lttng-modules

[ Reason ]
Fix the dkms build of lttng-modules against the current bullseye kernel
5.10.0-22.

[ Impact ]
It's currently impossible to use the lttng kernel tracer with the latest
bullseye kernel.

[ Tests ]
Tested manually on a bullseye virtual machine.

[ Risks ]
Minimal, won't be more broken than it actually is.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Backport the minimum list of upstream patches to support building on
5.10.0-22.
diff -Nru lttng-modules-2.12.5/debian/changelog 
lttng-modules-2.12.5/debian/changelog
--- lttng-modules-2.12.5/debian/changelog   2021-02-17 17:12:39.0 
-0500
+++ lttng-modules-2.12.5/debian/changelog   2023-05-03 11:13:07.0 
-0400
@@ -1,3 +1,20 @@
+lttng-modules (2.12.5-1+deb11u1) bullseye; urgency=medium
+
+  * Fix build on linux 5.10.0-22 (Closes: #1035364)
+
+  [ Michael Jeanson ]
+  * [a952a3a] Adjust gbp.conf for bullseye stable update
+
+  [ Povilas Kanapickas ]
+  * [ab16ac0] Add patch to fix build on Linux 5.10.137..5.11
+  * [25013d7] Add patch to fix build on Linux 5.10.119..5.11
+
+  [ Michael Jeanson ]
+  * [90a214b] dkms: conditionnaly include lttng-probe-random.ko
+  * [be2eaa4] Add patch to fix build on Linux 5.10.163..5.11
+
+ -- Michael Jeanson   Wed, 03 May 2023 11:13:07 -0400
+
 lttng-modules (2.12.5-1) unstable; urgency=medium
 
   * [8e0b514] New upstream version 2.12.5
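Review bot: typo in the new changelog entry: "conditionnaly" should be "conditionally".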
diff -Nru lttng-modules-2.12.5/debian/gbp.conf 
lttng-modules-2.12.5/debian/gbp.conf
--- lttng-modules-2.12.5/debian/gbp.conf2021-02-17 17:12:39.0 
-0500
+++ lttng-modules-2.12.5/debian/gbp.conf2023-05-01 15:01:42.0 
-0400
@@ -1,3 +1,3 @@
 [DEFAULT]
-upstream-branch=upstream/latest
-debian-branch=debian/sid
+upstream-branch=upstream/stable-2.12.5
+debian-branch=debian/bullseye
diff -Nru lttng-modules-2.12.5/debian/lttng-modules-dkms.dkms.in 
lttng-modules-2.12.5/debian/lttng-modules-dkms.dkms.in
--- lttng-modules-2.12.5/debian/lttng-modules-dkms.dkms.in  2021-02-17 
17:12:39.0 -0500
+++ lttng-modules-2.12.5/debian/lttng-modules-dkms.dkms.in  2023-05-01 
15:07:32.0 -0400
@@ -169,10 +169,12 @@
 DEST_MODULE_LOCATION[$i]="/extra/probes"
 i=$((i+1))
 
-BUILT_MODULE_NAME[$i]="lttng-probe-random"
-BUILT_MODULE_LOCATION[$i]="probes/"
-DEST_MODULE_LOCATION[$i]="/extra/probes"
-i=$((i+1))
+if [ -f "$kernel_source_dir/include/trace/events/random.h" ]; then
+BUILT_MODULE_NAME[$i]="lttng-probe-random"
+BUILT_MODULE_LOCATION[$i]="probes/"
+DEST_MODULE_LOCATION[$i]="/extra/probes"
+i=$((i+1))
+fi
 
 BUILT_MODULE_NAME[$i]="lttng-probe-rcu"
 BUILT_MODULE_LOCATION[$i]="probes/"
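Review bot: guarding lttng-probe-random on the presence of include/trace/events/random.h in $kernel_source_dir (a variable dkms exports to dkms.conf) is a sensible signal, presumably because the header is absent from newer 5.10.x kernels, but the module's own build in probes/ must make the same decision: if it still tries to compile lttng-probe-random when the header is missing the dkms build fails anyway, and if it builds it when the header is present but this block is skipped the .ko is silently not installed. Please confirm that one of the backported patches adds the matching check on the Makefile side.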
diff -Nru 
lttng-modules-2.12.5/debian/patches/fix-adjust-range-v5.10.137-in-block-probe.patch
 
lttng-modules-2.12.5/debian/patches/fix-adjust-range-v5.10.137-in-block-probe.patch
--- 
lttng-modules-2.12.5/debian/patches/fix-adjust-range-v5.10.137-in-block-probe.patch
 1969-12-31 19:00:00.0 -0500
+++ 
lttng-modules-2.12.5/debian/patches/fix-adjust-range-v5.10.137-in-block-probe.patch
 2023-05-01 15:04:13.0 -0400
@@ -0,0 +1,92 @@
+From bee932ee7580bfa50e58cf4bb1e1bf98a0a80b15 Mon Sep 17 00:00:00 2001
+From: Michael Jeanson 
+Date: Mon, 22 Aug 2022 14:16:27 -0400
+Subject: [PATCH] fix: adjust range v5.10.137 in block probe
+
+See upstream commit, backported in v5.10.137 :
+
+commit 1cb3032406423b25aa984854b4d78e0100d292dd
+Author: Christoph Hellwig 
+Date:   Thu Dec 3 17:21:39 2020 +0100
+
+block: remove the request_queue to argument request based
+tracepoints
+
+[ Upstream commit a54895fa057c67700270777f7661d8d3c7fda88a ]
+
+The request_queue can trivially be derived from the request.
+
+Change-Id: 

Bug#1035105: marked as done (bullseye-pu: package distro-info-data/0.51+deb11u4)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1035105,
regarding bullseye-pu: package distro-info-data/0.51+deb11u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035105: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035105
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: distro-info-d...@packages.debian.org, bdr...@debian.org
Control: affects -1 + src:distro-info-data

As usual, a distro-info-data update.

[ Reason ]
There's a new Ubuntu development release, a bookworm release date, and
some minor Ubuntu EoL changes.

* Update data to 0.58:
  - Add Debian 14 "forky" with a vague creation date.
  - Correct Ubuntu 23.04 release date to 2023-04-20.
  - Tighten validate-csv-data heuristics, restricting Ubuntu EoLs to
Tue-Thursday.
  - Document Ubuntu ESM overlap period (LP: #2003949)
  - Add Ubuntu 23.10 Mantic Minotaur (LP: #2018028)
  - Set the planned release date for Debian bookworm (and an EoL based on it).
  - Adjust trixie's creation date to match bookworm's release.

[ Impact ]
Debian stable is unaware of the current Ubuntu development release, and
Debian bookworm release dates.

Currently:

$ debian-distro-info -t --date=2023-06-10
bookworm
$ debian-distro-info -s --date=2023-06-10
bullseye
$ ubuntu-distro-info -df
ubuntu-distro-info: Distribution data outdated.
Please check for an update for distro-info-data. See 
/usr/share/doc/distro-info-data/README.Debian for details.

Expected:

$ debian-distro-info -t --date=2023-06-10
trixie
$ debian-distro-info -s --date=2023-06-10
bookworm
$ ubuntu-distro-info -df
Ubuntu 23.10 "Mantic Minotaur"


[ Tests ]
Autopkgtests passed.
The changes include some updates to tests around the Ubuntu EoL dates.

Manually tested as above.

[ Risks ]
Data-only package, this will bring it up to parity with unstable.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru distro-info-data-0.51+deb11u3/debian/changelog 
distro-info-data-0.51+deb11u4/debian/changelog
--- distro-info-data-0.51+deb11u3/debian/changelog  2022-10-30 
07:31:55.0 -0400
+++ distro-info-data-0.51+deb11u4/debian/changelog  2023-04-29 
14:30:57.0 -0400
@@ -1,3 +1,17 @@
+distro-info-data (0.51+deb11u4) bullseye; urgency=medium
+
+  * Update data to 0.58:
+- Add Debian 14 "forky" with a vague creation date.
+- Correct Ubuntu 23.04 release date to 2023-04-20.
+- Tighten validate-csv-data heuristics, restricting Ubuntu EoLs to
+  Tue-Thursday.
+- Document Ubuntu ESM overlap period (LP: #2003949)
+- Add Ubuntu 23.10 Mantic Minotaur (LP: #2018028)
+- Set the planned release date for Debian bookworm (and an EoL based on 
it).
+- Adjust trixie's creation date to match bookworm's release.
+
+ -- Stefano Rivera   Sat, 29 Apr 2023 14:30:57 -0400
+
 distro-info-data (0.51+deb11u3) bullseye; urgency=medium
 
   * Update data to 0.55:
diff -Nru distro-info-data-0.51+deb11u3/debian.csv 
distro-info-data-0.51+deb11u4/debian.csv
--- distro-info-data-0.51+deb11u3/debian.csv2022-10-30 07:31:55.0 
-0400
+++ distro-info-data-0.51+deb11u4/debian.csv2023-04-29 14:30:57.0 
-0400
@@ -15,7 +15,8 @@
 9,Stretch,stretch,2015-04-26,2017-06-17,2020-07-06,2022-06-30,2027-06-30
 10,Buster,buster,2017-06-17,2019-07-06,2022-08-14,2024-06-30,2029-06-30
 11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14
-12,Bookworm,bookworm,2021-08-14
-13,Trixie,trixie,2023-08-01
+12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10
+13,Trixie,trixie,2023-06-10
+14,Forky,forky,2025-08-01
 ,Sid,sid,1993-08-16
 ,Experimental,experimental,1993-08-16
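Review bot: the new `14,Forky,forky,2025-08-01` row fixes a creation date that the changelog itself calls vague, while the same hunk moves trixie's creation date from `2023-08-01` to `2023-06-10` to coincide with bookworm's actual release; expect the forky row to need the same correction once trixie's release date is set, so it is worth flagging in the changelog entry that the value is a placeholder rather than a known date.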
diff -Nru distro-info-data-0.51+deb11u3/ubuntu.csv 
distro-info-data-0.51+deb11u4/ubuntu.csv
--- distro-info-data-0.51+deb11u3/ubuntu.csv2022-10-30 07:31:55.0 
-0400
+++ distro-info-data-0.51+deb11u4/ubuntu.csv2023-04-29 14:30:57.0 
-0400
@@ -26,14 +26,15 @@
 16.10,Yakkety Yak,yakkety,2016-04-21,2016-10-13,2017-07-20
 17.04,Zesty Zapus,zesty,2016-10-13,2017-04-13,2018-01-13
 17.10,Artful Aardvark,artful,2017-04-13,2017-10-19,2018-07-19
-18.04 LTS,Bionic 

Bug#1035046: marked as done (bullseye-pu: package lacme/0.8.0-2+deb11u1)

2023-10-07 Thread Debian Bug Tracking System
Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1035046,
regarding bullseye-pu: package lacme/0.8.0-2+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035046: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035046
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: la...@packages.debian.org
Control: affects -1 + src:lacme

[ Reason ]

The ACME specification (RFC 8555 sec. 7.1.6) clearly reads that the state
transition for Order Objects follows (‘pending’ →) ‘ready’ →
‘processing’ → ‘valid’, but lacme 0.8.0-2 fails to handle the transition
via the ‘processing’ state.
https://www.rfc-editor.org/rfc/rfc8555#section-7.1.6

[ Impact ]

As of today Order Requests still work on the production Let's Encrypt
environment, but now fail on the staging one.  It's unclear whether the
production server has different timing conditions (faster machine, so
the client doesn't have time to issue a follow-up request while the server
is in the ‘processing’ state), or if there was some code change deployed to
the staging server which is not in production (yet).

In the former case, the lacme client suffers from a race condition that
needs to be fixed anyway.  In the latter case, lacme will fail to handle
Order Requests (incl. certificate renewals) if/when the production ACME
server is upgraded.

The issue is fixed in unstable (0.8.2-1) and the unblock request for
bookworm was filed at #1034879.

[ Tests ]

Manual tests: I successfully ran the upstream test suite (which includes
multiple Order Requests) on the staging server.  (There is unfortunately
no autopkgtest running the test suite, because it requires inbound
80/tcp and a stable (wildcard) domain name.)

I also successfully issued Order Requests to Let's Encrypt's production
server.

[ Risks ]

src:lacme is a leaf package and the diff is rather trivial: AFAICT the
only change is a more lax handling of Order Object responses, so there
shouldn't be any risk associated with the upgrade.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in bullseye
  [x] the issue is verified as fixed in unstable

[ Changes ]

  * Point debian-branch to debian/bullseye in debian/gbp.conf.
  * lacme client: Handle "ready" → "processing" → "valid" status change
during newOrder, instead of just "ready" → "valid".  The latter may
be what we observe when the server is fast enough, but according to
RFC 8555 sec. 7.1.6 the state actually transitions via "processing"
and the client needs to account for that.
It appears Let's Encrypt's staging environment now has different
timing conditions and lacme is unable to request certificates due to
this issue.
(Closes: #1034834)

-- 
Guilhem.
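The "ready" → "processing" → "valid" transition this report describes, as an added example in Python (not lacme's own Perl code or anything from the project): `strict_finalize` reproduces the expectation that the poll after finalize already reports "valid", which is exactly what breaks on a slower CA, and `await_order` walks the RFC 8555 sec. 7.1.6 state machine so the intermediate "processing" state is tolerated while a regressing or unknown status is still rejected. The scripted CA, its certificate URL and all function names are constructed for the demo.

```python
"""Added example, not lacme's own code: polling an ACME Order Object through
the RFC 8555 sec. 7.1.6 states (pending -> ready -> processing -> valid or
invalid) so the intermediate 'processing' state is tolerated, not fatal."""
from typing import Callable, Iterable

# Order in which RFC 8555 sec. 7.1.6 lets an Order Object advance.
RANK = {"pending": 0, "ready": 1, "processing": 2, "valid": 3}

class OrderError(Exception):
    """Invalid order, unexpected status, or no progress within the budget."""

def strict_finalize(poll: Callable[[], dict]) -> dict:
    """Old behaviour: the poll after finalize must already report 'valid'.
    Works only while the CA finishes before the client asks again."""
    obj = poll()
    if obj["status"] != "valid":
        raise OrderError("expected valid, got %r" % obj["status"])
    return obj

def await_order(poll: Callable[[], dict], max_polls: int = 10) -> dict:
    """Poll the order URL until a terminal state, accepting 'processing'.
    poll() stands in for a POST-as-GET of the order URL and returns the
    decoded Order Object; only forward transitions are accepted."""
    last, status = -1, None
    for _ in range(max_polls):
        obj = poll()
        status = obj.get("status")
        if status == "invalid":
            raise OrderError("order invalid: %r" % obj.get("error"))
        if status not in RANK:
            raise OrderError("unexpected order status %r" % status)
        if RANK[status] < last:
            raise OrderError("order regressed to %r" % status)
        last = RANK[status]
        if status == "valid":
            return obj
        # A real client would sleep for the Retry-After header here.
    raise OrderError("order still %r after %d polls" % (status, max_polls))

def scripted_ca(statuses: Iterable[str]) -> Callable[[], dict]:
    """Constructed stand-in for a CA: returns one Order Object per poll."""
    it = iter(statuses)
    def poll() -> dict:
        obj = {"status": next(it)}
        if obj["status"] == "valid":
            obj["certificate"] = "https://acme.example/cert/1"  # constructed
        return obj
    return poll
```

With `scripted_ca(["valid"])` both functions succeed; with `scripted_ca(["processing", "processing", "valid"])` only `await_order` does, which is the difference between the fast production server and the staging one described above.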
diffstat for lacme-0.8.0 lacme-0.8.0

 changelog   |   11 
+
 gbp.conf|2 
 patches/client-Handle-ready-processing-valid-status-change-during.patch |   76 
++
 patches/series  |1 
 4 files changed, 89 insertions(+), 1 deletion(-)

diff -Nru lacme-0.8.0/debian/changelog lacme-0.8.0/debian/changelog
--- lacme-0.8.0/debian/changelog2021-05-04 01:37:13.0 +0200
+++ lacme-0.8.0/debian/changelog2023-04-28 10:25:54.0 +0200
@@ -1,3 +1,14 @@
+lacme (0.8.0-2+deb11u1) bullseye; urgency=medium
+
+  * client: Handle "ready" → "processing" → "valid" status change during
+newOrder, instead of just "ready" → "valid".  The latter may be what we
+observe when the server is fast enough, but according to RFC 8555 sec.
+7.1.6 the state actually transitions via "processing" and we need to
+account for that (closes: #1034834).
+  * d/gbp.conf: Set 'debian-branch = debian/bullseye'.
+
+ -- Guilhem Moulin   Fri, 28 Apr 2023 10:25:54 +0200
+
 lacme (0.8.0-2) unstable; urgency=medium
 
   * d/lacme.postrm: Don't delete system users on purge.  There might be files
diff -Nru lacme-0.8.0/debian/gbp.conf lacme-0.8.0/debian/gbp.conf
--- lacme-0.8.0/debian/gbp.conf 2021-05-04 01:37:13.0 +0200
+++ lacme-0.8.0/debian/gbp.conf 2023-04-28 
