Bug#694168: unblock: paramiko/1.7.7.1-3.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package paramiko The unblock would fix the RC bug #668239. diff -Nru paramiko-1.7.7.1/debian/changelog paramiko-1.7.7.1/debian/changelog --- paramiko-1.7.7.1/debian/changelog 2012-07-09 17:03:17.0 +0200 +++ paramiko-1.7.7.1/debian/changelog 2012-11-13 00:15:17.0 +0100 @@ -1,3 +1,10 @@ +paramiko (1.7.7.1-3.1) unstable; urgency=medium + + * Non-maintainer upload. + * Drop problematic hostkey.patch (closes: #682050). + + -- Michael Gilbert mgilb...@debian.org Mon, 12 Nov 2012 23:14:26 + + paramiko (1.7.7.1-3) unstable; urgency=low * Accept NMU uploads (Closes: #659007, #668239) diff -Nru paramiko-1.7.7.1/debian/patches/hostkey.patch paramiko-1.7.7.1/debian/patches/hostkey.patch --- paramiko-1.7.7.1/debian/patches/hostkey.patch 2012-07-09 16:43:09.0 +0200 +++ paramiko-1.7.7.1/debian/patches/hostkey.patch 1970-01-01 01:00:00.0 +0100 @@ -1,17 +0,0 @@ -Index: paramiko-1.7.7.1/paramiko/client.py -=== paramiko-1.7.7.1.orig/paramiko/client.py 2011-05-22 01:57:09.0 + -+++ paramiko-1.7.7.1/paramiko/client.py2012-07-05 00:38:50.0 + -@@ -303,11 +303,7 @@ - - server_key = t.get_remote_server_key() - keytype = server_key.get_name() -- --if port == SSH_PORT: --server_hostkey_name = hostname --else: --server_hostkey_name = [%s]:%d % (hostname, port) -+server_hostkey_name = hostname - our_server_key = self._system_host_keys.get(server_hostkey_name, {}).get(keytype, None) - if our_server_key is None: - our_server_key = self._host_keys.get(server_hostkey_name, {}).get(keytype, None) diff -Nru paramiko-1.7.7.1/debian/patches/series paramiko-1.7.7.1/debian/patches/series --- paramiko-1.7.7.1/debian/patches/series 2012-07-09 16:43:09.0 +0200 +++ paramiko-1.7.7.1/debian/patches/series 2012-11-13 00:15:44.0 +0100 
@@ -1,2 +1 @@ -hostkey.patch Fix-SSHException-when-re-keying-over-a-fast-connection.patch unblock paramiko/1.7.7.1-3.1 -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (900, 'testing'), (800, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20121124143654.31153.12188.report...@keks.naturalnet.de
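Review bot: The request and the changelog name different bugs: the request says the unblock fixes RC bug #668239, while the 1.7.7.1-3.1 entry closes #682050 and #668239 is already listed under 1.7.7.1-3, so the two should be reconciled before the release team acts on it. The entry also describes hostkey.patch only as "problematic"; the removed patch set `server_hostkey_name = hostname` unconditionally, so host key lookups for a non-default port used the plain hostname entry instead of `[host]:port`. Saying in the changelog that the port-aware lookup is restored would make the security relevance visible without opening the bug.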
Bug#694316: unblock: klibc/2.0.1-3.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package klibc The upload fixes RC bug #692951. unblock klibc/2.0.1-3.1 -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (900, 'testing'), (800, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -Nru klibc-2.0.1/debian/changelog klibc-2.0.1/debian/changelog --- klibc-2.0.1/debian/changelog 2012-10-08 21:58:29.0 +0200 +++ klibc-2.0.1/debian/changelog 2012-11-12 17:51:57.0 +0100 @@ -1,3 +1,10 @@ +klibc (2.0.1-3.1) unstable; urgency=low + + * Non-maintainer upload with consent of maintainer. + * Add migration script for /usr/share/doc/libklibc-dev (Closes: #692951) + + -- Thorsten Glaser t...@mirbsd.de Sun, 11 Nov 2012 11:30:14 + + klibc (2.0.1-3) unstable; urgency=medium [ Bill Pringlemeir ] diff -Nru klibc-2.0.1/debian/libklibc-dev.postinst klibc-2.0.1/debian/libklibc-dev.postinst --- klibc-2.0.1/debian/libklibc-dev.postinst 1970-01-01 01:00:00.0 +0100 +++ klibc-2.0.1/debian/libklibc-dev.postinst 2012-11-12 17:51:10.0 +0100 
@@ -0,0 +1,66 @@ +#!/bin/sh +# From MirOS: contrib/hosted/tg/deb/mksh/debian/pdksh.postinst,v 1.2 2012/06/27 07:16:31 tg Exp $ + +set -e + +# This maintainer script can be called the following ways: +# +# * new-postinst configure [$most_recently_configured_version] +# The package is unpacked; all dependencies are unpacked and, when there +# are no circular dependencies, configured. +# +# * old-postinst abort-upgrade $new_version +# * conflictors-postinst abort-remove in-favour $package +# $new_version +# * postinst abort-remove +# * deconfigureds-postinst abort-deconfigure in-favour +# $failed_install_package $fip_version [removing +# $conflicting_package $cp_version] +# The package is unpacked; all dependencies are at least Half-Installed, +# previously been configured, and not removed. In some error situations, +# dependencies may not be even fully unpacked. +# +# * postinst triggered ${triggers[*]} +# For trigger-only calls, i.e. if configure is not called. + +docdir=/usr/share/doc/libklibc-dev +move_docdir() { + test -d /usr/share/doc/. || return 0 + test -d $docdir rmdir --ignore-fail-on-non-empty $docdir + if test -e $docdir; then + echo 2 The old $docdir was locally modified. + echo 2 Saved as $docdir.dpkg-old + (mv $docdir $docdir.dpkg-old || :) + fi + if test -e $docdir; then + echo 2 FAILED! Remove $docdir manually, + echo 2 then retry (dpkg -a --configure). + exit 1 + fi + ln -sf libklibc $docdir +} + +case $1 in +configure) + # convert old docdir into a symlink, dpkg won't do that for us + test -h $docdir || move_docdir + ;; + +abort-upgrade|abort-remove|abort-deconfigure) + ;; + +triggered) + ;; + +*) + echo 2 postinst called with unknown subcommand '$1' + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0
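Review bot: In move_docdir, `mv $docdir $docdir.dpkg-old` does not account for a $docdir.dpkg-old directory left behind by an earlier run: mv then moves the old docdir inside it and succeeds, so the "Saved as $docdir.dpkg-old" message no longer says where the files went. Test for an existing $docdir.dpkg-old first and either fail with a clear message or choose a unique name. As rendered here, `test -d $docdir rmdir --ignore-fail-on-non-empty $docdir` has no `&&` and the `echo 2 ...` lines have no `>&2`; please confirm that the uploaded script has them.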
Bug#695082: unblock: redmine/1.4.4+dfsg1-1.1
Package: release.debian.org Severity: important User: release.debian@packages.debian.org Usertags: unblock -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Please unblock package redmine The migration to wheezy would fix the RC bugs #687449 and #693994. diff -Nru redmine-1.4.4+dfsg1/debian/changelog redmine-1.4.4+dfsg1/debian/changelog - --- redmine-1.4.4+dfsg1/debian/changelog 2012-06-18 23:26:08.0 +0200 +++ redmine-1.4.4+dfsg1/debian/changelog2012-11-28 04:57:40.0 +0100 @@ -1,3 +1,13 @@ +redmine (1.4.4+dfsg1-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * debian/control: add dependency on rubygems or recent enough ruby +(Closes: #693994) [Axel Beckert]. + * debian/postinst: replace exit status -1 with 2 for shell compatibility +(e.g. ksh) (Closes: #687449). + + -- Dominik George n...@naturalnet.de Sun, 29 Nov 2012 14:18:29 +0200 + redmine (1.4.4+dfsg1-1) unstable; urgency=low * Upstream update. diff -Nru redmine-1.4.4+dfsg1/debian/control redmine-1.4.4+dfsg1/debian/control - --- redmine-1.4.4+dfsg1/debian/control2012-05-18 16:36:43.0 +0200 +++ redmine-1.4.4+dfsg1/debian/control 2012-11-24 13:26:41.0 +0100 @@ -16,6 +16,7 @@ Pre-Depends: debconf Depends: ruby | ruby-interpreter, ruby-rails-2.3 (=2.3.14) | rails (=2.3.14), + rubygems | ruby (= 4.9), dbconfig-common, redmine-sqlite | redmine-mysql | redmine-pgsql, ruby-rack (= 1.4.0), diff -Nru redmine-1.4.4+dfsg1/debian/postinst redmine-1.4.4+dfsg1/debian/postinst - --- redmine-1.4.4+dfsg1/debian/postinst 2012-05-14 10:50:14.0 +0200 +++ redmine-1.4.4+dfsg1/debian/postinst 2012-11-24 13:30:45.0 +0100 
@@ -276,7 +276,7 @@ rake -s db:migrate_plugins RAILS_ENV=$fRailsEnv X_DEBIAN_SITEID=${lInstance} VERBOSE=$RAKE_VERBOSE || true else echo Error when running rake db:migrate, check database configuration. - - exit -1 + exit 2 fi else echo Redmine instance \${lInstance}\ database must be configured manually. unblock redmine/1.4.4+dfsg1-1.1 - -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.6-trunk-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/mksh Archive: http://lists.debian.org/20121204003752.12476.29738.report...@keks.naturalnet.de
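Review bot: The changelog trailer `Sun, 29 Nov 2012 14:18:29 +0200` is not a valid date line: 29 November 2012 was a Thursday, and the date is later than the 2012-11-28 timestamp that this same diff shows for debian/changelog. Regenerate the trailer (for example with dch) so that weekday, date and UTC offset agree. The `exit -1` to `exit 2` change in debian/postinst is fine as it stands, since exit statuses outside 0-255 are not portable across /bin/sh implementations.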
Bug#695630: unblock: ldap2zone/0.2-3.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Please unblock package ldap2zone The unblock would fix RC bug #690377 . diff -Nru ldap2zone-0.2/debian/changelog ldap2zone-0.2/debian/changelog - --- ldap2zone-0.2/debian/changelog2012-07-25 08:11:24.0 +0200 +++ ldap2zone-0.2/debian/changelog 2012-12-10 23:28:13.0 +0100 @@ -1,3 +1,14 @@ +ldap2zone (0.2-3.1) unstable; urgency=low + + [ Dominik George ] + * Non-maintainer upload. + * Fix unbound variable in ldap2bind script (Closes: #690377) + + [ Thorsten Glaser ] + * Convert patch to DEP-3; fix CR-LF endings; sponsor (Closes: #695597) + + -- Thorsten Glaser t...@mirbsd.de Mon, 10 Dec 2012 23:27:15 +0100 + ldap2zone (0.2-3) unstable; urgency=low * Fixed installation of default file diff -Nru ldap2zone-0.2/debian/patches/ldap_host_param ldap2zone-0.2/debian/patches/ldap_host_param - --- ldap2zone-0.2/debian/patches/ldap_host_param 1970-01-01 01:00:00.0 +0100 +++ ldap2zone-0.2/debian/patches/ldap_host_param2012-12-10 23:27:01.0 +0100 @@ -0,0 +1,18 @@ +Description: fix wrong variable name +Author: Dominik George n...@naturalnet.de +Bug-Debian: http://bugs.debian.org/690377 +Forwarded: no +Reviewed-By: Thorsten Glaser t...@debian.org +Last-Update: 2012-12-10 + +--- a/ldap2bind b/ldap2bind +@@ -31,7 +31,7 @@ if [ $ALLOW_TRANSFER ]; then + else ALLOW_TRANSFER_PARAM=; + fi + +-ZONES=dapsearch -LLL $LDAP_HOST_PARAM -x (objectClass=dNSZone) zoneName | grep zoneName: | sort | uniq | awk '{print $2}' ++ZONES=dapsearch -LLL $LDAP_URI_PARAM -x (objectClass=dNSZone) zoneName | grep zoneName: | sort | uniq | awk '{print $2}' + ldap2zone=hich ldap2zone + rndc=hich rndc + diff -Nru ldap2zone-0.2/debian/patches/series ldap2zone-0.2/debian/patches/series - --- ldap2zone-0.2/debian/patches/series 2012-07-25 08:13:06.0 +0200 +++ ldap2zone-0.2/debian/patches/series 2012-12-10 23:25:58.0 +0100 
@@ -1 +1,2 @@ fix-default-location +ldap_host_param unblock ldap2zone/0.2-3.1 - -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.6-trunk-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/mksh Archive: http://lists.debian.org/20121210231226.6688.80044.report...@keks.naturalnet.de
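Review bot: The new debian/patches/ldap_host_param header carries `Forwarded: no` without a reason, although its own description ("fix wrong variable name") makes this a plain upstream bug in ldap2bind rather than a Debian-specific change. Forward the `$LDAP_HOST_PARAM` to `$LDAP_URI_PARAM` fix upstream and record the URL, or use `Forwarded: not-needed` with a short justification. The patch file name still says "host" while the variable it introduces is the URI one, which will confuse whoever refreshes the series later.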
Bug#695630: Acknowledgement (unblock: ldap2zone/0.2-3.1)
Hi,

unfortunately the debdiff got messed up when pasting. Here is a correct version of the debdiff, minus the BTS's mishandling of line breaks:

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=30;filename=ldap2zone_0.2-3.1.debdiff;att=1;bug=690377

-nik

--
* mirabilos is handling my post-1990 smartphone *
<mirabilos> Aaah, it vibrates! Wherefor art thou, daemonic device??

PGP fingerprint: 2086 9A4B E67D 1DCD FFF6 F6C1 59FC 8E1D 6F2A 8001

Archive: http://lists.debian.org/alpine.deb.2.02.1212110016220.5...@keks.naturalnet.de
Question on proposed integration of MediaWiki 1.19.3 in wheezy
Dear release managers,

today, I chose to fix RC bug #694998. It is a security issue with MediaWiki 1.19.2 currently in testing, and there are two ways of fixing this issue.

The easiest would be to get the new upstream version 1.19.3 into testing. I created the new package and a debdiff [2]. This diff is quite large because the update also incorporates tons of translation updates.

The other possibility is to backport the changes for the security fixes to 1.19.2, which is also non-problematic. I prepared a debdiff for that as well [3].

The question is if the release team would grant a freeze exception for the new upstream version 1.19.3, maybe considering the translation changes non-critical?

Looking forward to your feedback,
Nik

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694998
[2] http://shore.naturalnet.de/~nik/mediawiki_1.19.2-2_1.19.3-0.1.debdiff
[3] http://shore.naturalnet.de/~nik/mediawiki_1.19.2-2_1.19.2-2.1.debdiff

--
* mirabilos is handling my post-1990 smartphone *
<mirabilos> Aaah, it vibrates! Wherefor art thou, daemonic device??

PGP fingerprint: 2086 9A4B E67D 1DCD FFF6 F6C1 59FC 8E1D 6F2A 8001

Archive: http://lists.debian.org/alpine.deb.2.02.1212121002080.5...@keks.naturalnet.de
Re: Question on proposed integration of MediaWiki 1.19.3 in wheezy
Hi,

> Can you provide us with a filtered debdiff of the 1.19.3? Just remember to let us know what filtering you used (e.g. filterdiff -x '*/messages/Messages*.php' ).

find attached the filtered diff. It was created using:

filterdiff \
  -x '*/includes/installer/Installer.i18n.php' \
  -x '*/languages/messages/Messages*.php' \
  -x '*/tests/phpunit/languages/*.php' \
  mediawiki_1.19.2-2_1.19.3-0.1.debdiff \
  > mediawiki_1.19.2-2_1.19.3-0.1_wo_translations.diff

I'd really appreciate your acknowledgement of 1.19.3 because it would really ease life for everyone involved.

Cheers,
Nik

--
* mirabilos is handling my post-1990 smartphone *
<mirabilos> Aaah, it vibrates! Wherefor art thou, daemonic device??

PGP fingerprint: 2086 9A4B E67D 1DCD FFF6 F6C1 59FC 8E1D 6F2A 8001

diff -Nru mediawiki-1.19.2/debian/changelog mediawiki-1.19.3/debian/changelog --- mediawiki-1.19.2/debian/changelog 2012-10-02 14:09:51.0 +0200 +++ mediawiki-1.19.3/debian/changelog 2012-12-12 09:47:27.0 +0100 
@@ -1,3 +1,14 @@ +mediawiki (1:1.19.3-0.1) unstable; urgency=high + + * Non-maintainer upload. + * New upstream version fixes security issues (Closes: 694998). ++ Prevent session fixation in Special:UserLogin (CVE-2012-5391) + https://bugzilla.wikimedia.org/show_bug.cgi?id=40995 ++ Prevent linker regex from exceeding PCRE backtrack limit + https://bugzilla.wikimedia.org/show_bug.cgi?id=41400 + + -- Dominik George n...@naturalnet.de Wed, 12 Dec 2012 09:44:08 +0100 + mediawiki (1:1.19.2-2) unstable; urgency=low * debian/watch: mangle the epoch away so DDPO is green again diff -Nru mediawiki-1.19.2/includes/DefaultSettings.php mediawiki-1.19.3/includes/DefaultSettings.php --- mediawiki-1.19.2/includes/DefaultSettings.php 2012-08-31 00:25:34.0 +0200 +++ mediawiki-1.19.3/includes/DefaultSettings.php 2012-11-29 19:36:12.0 +0100 @@ -33,7 +33,7 @@ /** @endcond */ /** MediaWiki version number */ -$wgVersion = '1.19.2'; +$wgVersion = '1.19.3'; /** Name of the site. It must be changed in LocalSettings.php */ $wgSitename = 'MediaWiki'; diff -Nru mediawiki-1.19.2/includes/GlobalFunctions.php mediawiki-1.19.3/includes/GlobalFunctions.php --- mediawiki-1.19.2/includes/GlobalFunctions.php 2012-08-31 00:25:34.0 +0200 +++ mediawiki-1.19.3/includes/GlobalFunctions.php 2012-11-29 19:36:12.0 +0100 
@@ -3293,6 +3293,23 @@ } /** + * Check if there is sufficent entropy in php's built-in session generation + * PHP's built-in session entropy is enabled if: + * - entropy_file is set or you're on Windows with php 5.3.3+ + * - AND entropy_length is 0 + * We treat it as disabled if it doesn't have an entropy length of at least 32 + * + * @return bool true = there is sufficient entropy + */ +function wfCheckEntropy() { + return ( + ( wfIsWindows() version_compare( PHP_VERSION, '5.3.3', '=' ) ) + || ini_get( 'session.entropy_file' ) + ) + intval( ini_get( 'session.entropy_length' ) ) = 32; +} + +/** * Override session_id before session startup if php's built-in * session generation code is not secure. */ @@ -3302,16 +3319,8 @@ return; } - // PHP's built-in session entropy is enabled if: - // - entropy_file is set or you're on Windows with php 5.3.3+ - // - AND entropy_length is 0 - // We treat it as disabled if it doesn't have an entropy length of at least 32 - $entropyEnabled = ( - ( wfIsWindows() version_compare( PHP_VERSION, '5.3.3', '=' ) ) - || ini_get( 'session.entropy_file' ) - ) - intval( ini_get( 'session.entropy_length' ) ) = 32; - + $entropyEnabled = wfCheckEntropy(); + // If built-in entropy is not enabled or not sufficient override php's built in session id generation code if ( !$entropyEnabled ) { wfDebug( __METHOD__ . : PHP's built in entropy is disabled or not sufficient, overriding session id generation using our cryptrand source.\n ); diff -Nru mediawiki-1.19.2/includes/installer/Installer.i18n.php mediawiki-1.19.3/includes/installer/Installer.i18n.php diff -Nru mediawiki-1.19.2/includes/installer/Installer.php mediawiki-1.19.3/includes/installer/Installer.php --- mediawiki-1.19.2/includes/installer/Installer.php 2012-08-31 00:25:34.0 +0200 +++ mediawiki-1.19.3/includes/installer/Installer.php 2012-11-29 19:36:12.0 +0100 @@ -756,6 +756,11 @@ /** * Environment check for the PCRE module. + * + * @note
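Review bot: The docblock moved into the new wfCheckEntropy() still says PHP's built-in session entropy is enabled when "entropy_length is 0", which contradicts both the following comment line and the check it documents, each of which requires an entropy length of at least 32. Because this function now decides whether MediaWiki overrides PHP's session id generation, the comment should state the real condition (entropy source present and entropy_length of at least 32). "sufficent" in the first docblock line is also misspelled.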
Bug#695904: unblock: mediawiki/1:1.19.3-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package mediawiki.

The unblock would fix security-relevant RC bug #694998.

The unblock has been discussed and approved by Niels Thykier on d-r@l.d.o beforehand.

unblock mediawiki/1:1.19.3-1

-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.6-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/mksh

Archive: http://lists.debian.org/20121214081839.4358.48520.report...@keks.naturalnet.de
Bug#696103: unblock: python-webob/1.1.1-1.1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package python-webob

The unblock would fix RC bug #695050.

The debdiff against the version in testing can be found at:

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=python-webob_1.1.1-1.1_debdiff.patch;att=1;bug=695050

unblock python-webob/1.1.1-1.1

-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.6-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/mksh

Archive: http://lists.debian.org/20121216192610.6847.60658.report...@keks.naturalnet.de
Re: mplayer crash seriously with newer libogg
Hi,

> so i upgraded mplayer rebuild against new libogg and goes bad.. then i upgrade mplayer sources and rebuild against libogg (and several others new) and work fine

I am not sure what you mean. Does this report affect mplayer and libogg *both* installed from the Debian repository or does it affect your own build?

-nik

--
* concerning Mozilla code leaking assertion failures to tty without D-BUS *
<mirabilos> That means, D-BUS is a tool that makes software look better than it actually is.

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Updating xloadimage to libtiff5
Hi,

I have prepared xloadimage for upload to assume maintainership for it, and the PTS tells me I should prepare it for the libtiff5 transition.

My understanding is that I should make it build against libtiff5 rather than libtiff4, and that is what I did. My understanding is that this will bring forward the transition.

However, my sponsor says that the libtiff5 transition means that I must under no circumstances upload any changes that deal with libtiff.

Could you please explain to me what is the correct way of dealing with the libtiff5 transition?

Cheers,
Nik

--
* concerning Mozilla code leaking assertion failures to tty without D-BUS *
<mirabilos> That means, D-BUS is a tool that makes software look better than it actually is.

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Re: Updating xloadimage to libtiff5
Hi,

> My understanding is that I should make it build against libtiff5 rather than libtiff4, and that is what I did. My understanding is that this will bring forward the transition.

another DD now explained to me that problems may arise with library packages that have reverse dependencies, because those might break when I rebuild against libtiff5.

However, as xloadimage is a leaf package, except for electricsheep, which most likely does not use xloadimage as a dynamic object, I was told that the change might not be critical.

I thus ask for permission to have xloadimage with a libtiff5 dependency uploaded.

Cheers,
Nik

--
# apt-assassinate --help
Usage: apt-assassinate [upstream|maintainer] package

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Re: Updating xloadimage to libtiff5
Hi Niels,

> Now, I am not sure tiff counts as your average transition. Since it involves two source packages instead of just one. If your (patched) package can be build against either the new or the old version of libtiff, then I suspect an upload is not a problem at this time.

That means, I should Build-Depend on neither libtiff4-dev or libtiff5-dev, but libtiff-dev, and patch the code so it builds with either?

Or is it ok to have the code build only against libtiff5-dev, and depend on that one explicitly?

-nik

--
He who does not honour the kale is not worthy of the Mettwurst!

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Re: Updating xloadimage to libtiff5
Hi,

> Let me clarify, build against either here being the source code can compile against either (not having Build-Depends that allow either).

Huh? That means, if I Build-Depend on libtiff5-dev, it still has to build against libtiff4? I do not get that…

Cheers,
Nik

--
* concerning Mozilla code leaking assertion failures to tty without D-BUS *
<mirabilos> That means, D-BUS is a tool that makes software look better than it actually is.

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Re: Updating xloadimage to libtiff5
Hi,

> I meant, you upload your package built against libtiff4-dev, which is the status quo. However, you do a build-test where you swap libtiff4-dev with libtiff5-dev to see if your package would compile if libtiff5-dev had been used instead of libtiff4-dev. So when the time comes, all you have to do, is to swap libtiff4-dev with libtiff5-dev.

I conclude from that, that I should *in general* not use libtiff5-dev right now? Having a package build *only* against libtiff5-dev is not acceptable, although the package is there and already has dependencies?

I'd like to get a clear answer from the release team, if I:

a) should upload the package without touching anything libtiff-related,
b) should upload the package with a versioned libtiff5 dependency,
c) should patch the code to build against both and use an unversioned Build-Depends.

Cheers,
Nik

--
* concerning Mozilla code leaking assertion failures to tty without D-BUS *
<mirabilos> That means, D-BUS is a tool that makes software look better than it actually is.

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Re: Updating xloadimage to libtiff5
> I conclude from that, that I should *in general* not use libtiff5-dev right now? Having a package build *only* against libtiff5-dev is not acceptable, although the package is there and already has dependencies?

I should add that I plan to implement a new feature in xloadimage, which will not work with libtiff4-dev anyway, so as of then xloadimage would need libtiff5 anyway.

-nik

--
<Natureshadow> Which server is that on now…?
<mirabilos> If it doesn't come in over the network, at Hetzner; if it isn't being read, at STRATO; if it works, at manitu.

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Re: Proposed release goal: UTF-8 support
Hi,

> As previously (https://lists.debian.org/debian-devel/2013/08/msg00217.html) discussed, I'd like to propose improving support for UTF-8. All material shipped with Debian should be encoded this way

I absolutely second this proposal. Why haven't you added it to https://wiki.debian.org/ReleaseGoals ? What is the usertag for it?

Cheers,
Nik

Archive: http://lists.debian.org/99dad22f-316b-49b3-98f0-07478a2b3...@email.android.com
Bug#767390: Bug#767248: dbconfig-common: removes any permissions from generated include files on upgrade
> I think this patch doesn't work when installing a new package (it does work on upgrades). So I think the two added lines need to be within an 'if [ -e $outputfile ] ; then' statement.

I figured that and re-created the patch - apparently, I uploaded the old one :(. Turns out it is not enough either.

Attached is (the only) working patch, which leaves anything but the contents of any existing file intact. DO NOT UPLOAD the previous patch, as it indeed breaks another code flow.

-nik

--
Dominik George (Chairman of the Board, Educational Director)
Teckids e.V. - Explore, Discover, Invent.
https://www.teckids.org

diff -Nru dbconfig-common-1.8.47+nmu2/dbconfig-generate-include dbconfig-common-1.8.47+nmu3/dbconfig-generate-include --- dbconfig-common-1.8.47+nmu2/dbconfig-generate-include 2014-10-13 21:05:57.0 +0200 +++ dbconfig-common-1.8.47+nmu3/dbconfig-generate-include 2014-10-31 12:32:40.0 +0100 @@ -408,7 +408,7 @@ ucf --debconf-ok $tmpout $outputfile 2 rm -f $tmpout else - mv $tmpout $outputfile + cat $tmpout $outputfile fi check_permissions [ $owner ] chown $owner $outputfile diff -Nru dbconfig-common-1.8.47+nmu2/debian/changelog dbconfig-common-1.8.47+nmu3/debian/changelog --- dbconfig-common-1.8.47+nmu2/debian/changelog2014-10-13 21:31:13.0 +0200 +++ dbconfig-common-1.8.47+nmu3/debian/changelog2014-10-29 16:43:27.0 +0100 @@ -1,3 +1,11 @@ +dbconfig-common (1.8.47+nmu3) unstable; urgency=medium + + * Non-maintainer upload. + * Do not remove permissions from include files on upgrade, +thanks to Simon Bruder. (Closes: #767248) + + -- Dominik George n...@naturalnet.de Wed, 29 Oct 2014 16:38:19 +0100 + dbconfig-common (1.8.47+nmu2) unstable; urgency=low * Non-maintainer upload.
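Review bot: In the `else` branch of dbconfig-generate-include, replacing `mv $tmpout $outputfile` with `cat $tmpout $outputfile` leaves $tmpout behind: the ucf branch above still runs `rm -f $tmpout`, but nothing removes the temp file once it is no longer renamed away, so a copy of the generated include stays in the temp location after every run. Add `rm -f $tmpout` after the cat. Note also that when $outputfile does not exist yet, the cat creates it under the current umask and it is only tightened afterwards by `check_permissions` and the chown, so the content is briefly readable with default permissions; creating the file empty with a restrictive mode first would close that window. As rendered here the cat line has no `>` redirection; please confirm the attached patch has it.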
Bug#767390: Bug#767248: dbconfig-common: removes any permissions from generated include files on upgrade
> mktemp is supposed to be secure, catting into a yet non-existing file may not.
>
> Paul

mktemp is safe in that it uses unique file names. Apart from that it adheres to the effective user and effective umask, making it no more and no less safe than any other operation creating files.

-nik

--
Dominik George (Chairman of the Board, Educational Director)
Teckids e.V. - Explore, Discover, Invent.
https://www.teckids.org
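The difference this thread turns on (renaming a mktemp file over the target versus overwriting the target in place), as an added example that is not part of the original messages and not code from dbconfig-common. The function names, file names and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from dbconfig-common. Function names are hypothetical.
# Shows why replacing "mv $tmpout $outputfile" with an in-place overwrite keeps
# the mode of an existing include file, and what that means for a new file.

# Print the permission string (e.g. -rw-r-----) of a file.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Old behaviour: rename the temp file over the target. The target becomes the
# temp file's inode, so it inherits mktemp's 0600 mode and the caller's
# ownership; whatever the admin had set on the old file is gone.
install_with_mv() {
    out=$1; content=$2
    tmp=$(mktemp "$out.XXXXXX") || return 1
    printf '%s\n' "$content" > "$tmp"
    mv -f "$tmp" "$out"
}

# Patched behaviour: overwrite the existing inode, so mode, owner and group
# survive. A target that does not exist yet would be created under the current
# umask, so it is created empty with a tight umask first. The temp file is
# removed afterwards because it holds the same content as the target.
install_in_place() {
    out=$1; content=$2
    tmp=$(mktemp "$out.XXXXXX") || return 1
    printf '%s\n' "$content" > "$tmp"
    if [ ! -e "$out" ]; then
        ( umask 077 && : > "$out" ) || { rm -f "$tmp"; return 1; }
    fi
    cat "$tmp" > "$out"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Run both variants against a constructed include file with mode 0640.
run_demo() {
    dir=$(mktemp -d) || return 1
    for variant in install_with_mv install_in_place; do
        f="$dir/$variant.inc"
        echo "dbpass='old'" > "$f"
        chmod 640 "$f"
        "$variant" "$f" "dbpass='new'"
        echo "$variant: $(mode_of "$f")"
    done
    install_in_place "$dir/fresh.inc" "dbpass='new'"
    echo "new file: $(mode_of "$dir/fresh.inc")"
    rm -rf "$dir"
}

run_demo
```

The in-place variant is not atomic: a reader can see a truncated or partly written file while the cat is running, which the rename variant avoids.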
Bug#775914: GPG/SSH agent in MATE desktop stopped working
Hi Mike and others,

this has been seen to in latest mate-session-manager upload-proposal (1.8.1-7). See #775914 on Debian BTS [1]. Your issue has already been reported as #775571 [2].

I have built 1.8.1-7 locally and can confirm that it works well.

Cheers,
Nik

Archive: https://lists.debian.org/54c75490.6050...@naturalnet.de
Bug#855397: unblock: xrdp/0.9.1-7
> Ack, please go ahead. Uploaded. diff -Nru xrdp-0.9.1/debian/changelog xrdp-0.9.1/debian/changelog --- xrdp-0.9.1/debian/changelog 2017-02-13 21:09:43.0 +0100 +++ xrdp-0.9.1/debian/changelog 2017-02-18 16:46:17.0 +0100 @@ -1,3 +1,9 @@ +xrdp (0.9.1-7) unstable; urgency=medium + + * Fix RFX with large tile sets, e.g. full HD displays. (Closes: #855387) + + -- Dominik George <n...@naturalnet.de> Sat, 18 Feb 2017 16:46:17 +0100 + xrdp (0.9.1-6) unstable; urgency=medium * Fix japanese keyboard detection. (Closes: #854847) diff -Nru xrdp-0.9.1/debian/patches/highres.diff xrdp-0.9.1/debian/patches/highres.diff --- xrdp-0.9.1/debian/patches/highres.diff 1970-01-01 01:00:00.0 +0100 +++ xrdp-0.9.1/debian/patches/highres.diff 2017-02-17 14:00:59.0 +0100 
@@ -0,0 +1,51 @@ +From: Dominik George <n...@naturalnet.de> +Forwarded: https://github.com/neutrinolabs/xrdp/pull/664 +Acked-by: Thorsten Glaser <t...@mirbsd.de> +Subject: RFX fixes for large tile sets. + This patch disables the limitation of rects to use and then + dynamically calculates the size of the message from the + rects that are really used. +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855387 +Bug: https://github.com/neutrinolabs/xrdp/issues/524 +--- a/xrdp/xrdp_encoder.c b/xrdp/xrdp_encoder.c +@@ -22,6 +22,7 @@ + #include "xrdp.h" + #include "thread_calls.h" + #include "fifo.h" ++#include "limits.h" + + #ifdef XRDP_RFXCODEC + #include "rfxcodec_encode.h" +@@ -320,21 +321,25 @@ process_enc_rfx(struct xrdp_encoder *sel + mutex = self->mutex; + event_processed = self->xrdp_encoder_event_processed; + +-if ((enc->num_crects > 512) || (enc->num_drects > 512)) +-{ ++out_data_bytes = 16 * 1024 * 1024; ++ ++if ((enc->num_crects > (INT_MAX / sizeof(struct rfx_tile))) || ++(enc->num_drects > (INT_MAX / sizeof(struct rfx_rect) - ++sizeof(struct rfx_tile) * enc->num_crects - ++256 - out_data_bytes)) || ++(enc->num_crects < 0) || (enc->num_drects < 0)) { + return 0; + } + +-out_data_bytes = 16 * 1024 * 1024; +-index = 256 + sizeof(struct rfx_tile) * 512 + +- sizeof(struct rfx_rect) * 512; ++index = 256 + sizeof(struct rfx_tile) * enc->num_crects + ++ sizeof(struct rfx_rect) * enc->num_drects; + out_data = (char *) g_malloc(out_data_bytes + index, 0); + if (out_data == 0) + { + return 0; + } + tiles = (struct rfx_tile *) (out_data + out_data_bytes + 256); +-rfxrects = (struct rfx_rect *) (tiles + 512); ++rfxrects = (struct rfx_rect *) (tiles + enc->num_crects); + + count = enc->num_crects; + for (index = 0; index < count; index++) diff -Nru xrdp-0.9.1/debian/patches/series xrdp-0.9.1/debian/patches/series --- xrdp-0.9.1/debian/patches/series2017-02-13 21:06:43.0 +0100 +++ xrdp-0.9.1/debian/patches/series2017-02-17 13:08:38.0 +0100 
@@ -8,3 +8,4 @@ systemd.diff lfs.diff kb_jp.diff +highres.diff -- PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296 Dominik George · Hundeshagenstr. 26 · 53225 Bonn Mobile: +49-1520-1981389 · https://www.dominik-george.de/ Teckids e.V. · FrOSCon e.V. Fellowship of the FSFE · Piratenpartei Deutschland Opencaching Deutschland e.V. · Debian Maintainer LPIC-3 Linux Enterprise Professional (Security)
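Review bot: in the process_enc_rfx hunk of highres.diff, the new bound on enc->num_drects mixes units: INT_MAX / sizeof(struct rfx_rect) is a number of rects, but the tile bytes, the 256 and out_data_bytes subtracted from it are byte counts. Because sizeof makes the expression unsigned, that subtraction can also wrap around instead of going negative, and the num_crects bound only keeps the tile bytes below INT_MAX, not below what is left after out_data_bytes and 256. Compute the remaining byte budget first and divide last, i.e. (INT_MAX - out_data_bytes - 256 - sizeof(struct rfx_tile) * enc->num_crects) / sizeof(struct rfx_rect), bound num_crects against (INT_MAX - out_data_bytes - 256) / sizeof(struct rfx_tile), and test the two '< 0' conditions first so the signed counts are rejected before they are converted to unsigned.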
Bug#855068: unblock: xrdp/0.9.1-6
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Please unblock package xrdp The upload fixes the important bug #854847, pre-approval given in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854847#26 . 0.9.1-5 has not yet migrated to testing, but got unblocked as well in #854676, so the following debdiff is not strictly against the version that is in testing *now* ;). diff -Nru xrdp-0.9.1/debian/changelog xrdp-0.9.1/debian/changelog - --- xrdp-0.9.1/debian/changelog 2017-02-09 12:47:36.0 +0100 +++ xrdp-0.9.1/debian/changelog 2017-02-13 21:09:43.0 +0100 @@ -1,3 +1,9 @@ +xrdp (0.9.1-6) unstable; urgency=medium + + * Fix japanese keyboard detection. (Closes: #854847) + + -- Dominik George <n...@naturalnet.de> Mon, 13 Feb 2017 21:09:43 +0100 + xrdp (0.9.1-5) unstable; urgency=medium * Ensure creation of /run directory. (Closes: #854548) diff -Nru xrdp-0.9.1/debian/patches/kb_jp.diff xrdp-0.9.1/debian/patches/kb_jp.diff - --- xrdp-0.9.1/debian/patches/kb_jp.diff1970-01-01 01:00:00.0 +0100 +++ xrdp-0.9.1/debian/patches/kb_jp.diff2017-02-13 21:08:39.0 +0100 @@ -0,0 +1,16 @@ +From: YOSHINO Yoshihito <yy.y.ja...@gmail.com> +Subject: xrdp: fails to detect some Japanese keyboard +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854847 +Bug: https://github.com/neutrinolabs/xrdp/issues/663 +--- a/xrdp/xrdp_keyboard.ini b/xrdp/xrdp_keyboard.ini +@@ -62,6 +62,9 @@ rdp_layout_de=0x0407 + rdp_layout_fr=0x040C + rdp_layout_it=0x0410 + rdp_layout_jp=0x0411 ++rdp_layout_jp=0xe0010411 ++rdp_layout_jp=0xe0200411 ++rdp_layout_jp=0xe0210411 + rdp_layout_kr=0x0412 + rdp_layout_ru=0x0419 + rdp_layout_se=0x041D diff -Nru xrdp-0.9.1/debian/patches/series xrdp-0.9.1/debian/patches/series - --- xrdp-0.9.1/debian/patches/series2017-02-06 21:57:37.0 +0100 +++ xrdp-0.9.1/debian/patches/series2017-02-13 21:06:43.0 +0100 
@@ -7,3 +7,4 @@ kfreebsd.diff systemd.diff lfs.diff +kb_jp.diff unblock xrdp/0.9.1-6 - -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system)
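Review bot: in the xrdp_keyboard.ini hunk of kb_jp.diff, the three added lines reuse the key rdp_layout_jp, which already maps to 0x0411, so the same key is now defined four times in one section. Whether all four values are matched or only one of them survives depends on how the ini reader treats duplicate keys; state in the patch header which behaviour is relied on, and confirm that a client sending 0x0411 is still detected as Japanese.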
Bug#854676: unblock: xrdp/0.9.1-5 [RC]
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Please unblock package xrdp The upload fixes the release critical bug #854548. Unfortunately, a Forwarded: header in another patch file slipped in… I do not think it makes the package unfit for migration, but do I have to make a new upload and add it to the changelog? - --- xrdp-0.9.1/debian/changelog 2017-01-25 18:10:11.0 +0100 +++ xrdp-0.9.1/debian/changelog 2017-02-09 12:47:36.0 +0100 @@ -1,3 +1,9 @@ +xrdp (0.9.1-5) unstable; urgency=medium + + * Ensure creation of /run directory. (Closes: #854548) + + -- Dominik George <n...@naturalnet.de> Thu, 09 Feb 2017 12:47:36 +0100 + xrdp (0.9.1-4) unstable; urgency=high [ Thorsten Glaser ] diff -Nru xrdp-0.9.1/debian/patches/lfs.diff xrdp-0.9.1/debian/patches/lfs.diff - --- xrdp-0.9.1/debian/patches/lfs.diff 2017-01-25 18:03:33.0 +0100 +++ xrdp-0.9.1/debian/patches/lfs.diff 2017-02-06 21:57:37.0 +0100 @@ -1,5 +1,6 @@ From: Thorsten Glaser <t...@mirbsd.org> Subject: Enable Large File Support on (at least) 32-bit Linux +Forwarded: https://github.com/neutrinolabs/xrdp/issues/647 Reviewed-by: Dominik George <n...@naturalnet.de> --- a/configure.ac +++ b/configure.ac diff -Nru xrdp-0.9.1/debian/patches/systemd.diff xrdp-0.9.1/debian/patches/systemd.diff - --- xrdp-0.9.1/debian/patches/systemd.diff 2017-01-25 18:10:11.0 +0100 +++ xrdp-0.9.1/debian/patches/systemd.diff 2017-02-09 12:47:28.0 +0100 @@ -3,7 +3,7 @@ Forwarded: https://github.com/neutrinolabs/xrdp/pull/646 --- a/instfiles/xrdp-sesman.service +++ b/instfiles/xrdp-sesman.service - -@@ -1,12 +1,13 @@ +@@ -1,12 +1,14 @@ [Unit] Description=xrdp session manager -After=syslog.target network.target 
@@ -17,12 +17,13 @@ Type=forking -PIDFile=/var/run/xrdp-sesman.pid +PIDFile=/run/xrdp/xrdp-sesman.pid ++RuntimeDirectory=xrdp EnvironmentFile=-/etc/sysconfig/xrdp EnvironmentFile=-/etc/default/xrdp ExecStart=/usr/sbin/xrdp-sesman $SESMAN_OPTIONS --- a/instfiles/xrdp.service +++ b/instfiles/xrdp.service - -@@ -1,13 +1,16 @@ +@@ -1,13 +1,17 @@ [Unit] Description=xrdp daemon +Documentation=man:xrdp(8) man:xrdp.ini(5) @@ -34,6 +35,7 @@ Type=forking -PIDFile=/var/run/xrdp.pid +PIDFile=/run/xrdp/xrdp.pid ++RuntimeDirectory=xrdp EnvironmentFile=-/etc/sysconfig/xrdp EnvironmentFile=-/etc/default/xrdp +User=xrdp unblock xrdp/0.9.1-5 - -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system)
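Review bot: both units in systemd.diff now declare RuntimeDirectory=xrdp, while only xrdp.service is shown gaining User=xrdp. systemd creates a unit's runtime directory for that unit's user and removes it again when the unit stops, so stopping or restarting one of the two services can take /run/xrdp away while the other still keeps its PID file there, and the owner of the directory can differ depending on which unit created it. Give each unit its own runtime directory, or create the shared one in a single place (for example with a tmpfiles.d entry) rather than from both units.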
unblock pre-approval: xrdp #854847
Dear release team, I'd like to ask whether you could have a look at the bug and patch in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854847 and give pre-approval for getting an unblock for this patch. Cheers, Nik -- PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296 Dominik George · Hundeshagenstr. 26 · 53225 Bonn Mobile: +49-1520-1981389 · https://www.dominik-george.de/ Teckids e.V. · FrOSCon e.V. Fellowship of the FSFE · Piratenpartei Deutschland Opencaching Deutschland e.V. · Debian Maintainer LPIC-3 Linux Enterprise Professional (Security)
Bug#855397: unblock: xrdp/0.9.1-7 (pre-approval)
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Please give pre-approval unblock package xrdp It fixes the important bug #855387, which prevents xrdp from working with high but common display resolutions. diff -Nru xrdp-0.9.1/debian/changelog xrdp-0.9.1/debian/changelog - --- xrdp-0.9.1/debian/changelog 2017-02-13 21:09:43.0 +0100 +++ xrdp-0.9.1/debian/changelog 2017-02-17 13:21:12.0 +0100 @@ -1,3 +1,9 @@ +xrdp (0.9.1-7) UNRELEASED; urgency=medium + + * Fix RFX with large tile sets, e.g. full HD displays. (Closes: #855387) + + -- Dominik George <n...@naturalnet.de> Fri, 17 Feb 2017 13:21:12 +0100 + xrdp (0.9.1-6) unstable; urgency=medium * Fix japanese keyboard detection. (Closes: #854847) diff -Nru xrdp-0.9.1/debian/patches/highres.diff xrdp-0.9.1/debian/patches/highres.diff - --- xrdp-0.9.1/debian/patches/highres.diff 1970-01-01 01:00:00.0 +0100 +++ xrdp-0.9.1/debian/patches/highres.diff 2017-02-17 13:21:12.0 +0100 
@@ -0,0 +1,51 @@ +From: Dominik George <n...@naturalnet.de> +Forwarded: https://github.com/neutrinolabs/xrdp/pull/664 +Acked-by: Thorsten Glaser <t...@mirbsd.de> +Subject: RFX fixes for large tile sets. + This patch disables the limitation of rects to use and then + dynamically calculates the size of the message from the + rects that are really used. +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855387 +Bug: https://github.com/neutrinolabs/xrdp/issues/524 +--- a/xrdp/xrdp_encoder.c b/xrdp/xrdp_encoder.c +@@ -22,6 +22,7 @@ + #include "xrdp.h" + #include "thread_calls.h" + #include "fifo.h" ++#include "limits.h" + + #ifdef XRDP_RFXCODEC + #include "rfxcodec_encode.h" +@@ -320,21 +321,25 @@ process_enc_rfx(struct xrdp_encoder *sel + mutex = self->mutex; + event_processed = self->xrdp_encoder_event_processed; + +-if ((enc->num_crects > 512) || (enc->num_drects > 512)) +-{ ++out_data_bytes = 16 * 1024 * 1024; ++ ++if ((enc->num_crects > (INT_MAX / sizeof(struct rfx_tile))) || ++(enc->num_drects > (INT_MAX / sizeof(struct rfx_rect) - ++sizeof(struct rfx_tile) * enc->num_crects - ++256 - out_data_bytes)) || ++(enc->num_crects < 0) || (enc->num_drects < 0)) { + return 0; + } + +-out_data_bytes = 16 * 1024 * 1024; +-index = 256 + sizeof(struct rfx_tile) * 512 + +- sizeof(struct rfx_rect) * 512; ++index = 256 + sizeof(struct rfx_tile) * enc->num_crects + ++ sizeof(struct rfx_rect) * enc->num_drects; + out_data = (char *) g_malloc(out_data_bytes + index, 0); + if (out_data == 0) + { + return 0; + } + tiles = (struct rfx_tile *) (out_data + out_data_bytes + 256); +-rfxrects = (struct rfx_rect *) (tiles + 512); ++rfxrects = (struct rfx_rect *) (tiles + enc->num_crects); + + count = enc->num_crects; + for (index = 0; index < count; index++) diff -Nru xrdp-0.9.1/debian/patches/series xrdp-0.9.1/debian/patches/series - --- xrdp-0.9.1/debian/patches/series2017-02-13 21:06:43.0 +0100 +++ xrdp-0.9.1/debian/patches/series2017-02-17 13:08:38.0 +0100 
@@ -8,3 +8,4 @@ systemd.diff lfs.diff kb_jp.diff +highres.diff unblock xrdp/0.9.1-7 - -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system)
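Review bot: in the first xrdp_encoder.c hunk, limits.h is a standard header but is included in the quoted form used for the project's own headers next to it; the angle-bracket form (#include <limits.h>) keeps a local file of the same name from shadowing it. In the process_enc_rfx hunk the rewritten condition ends in '< 0)) {' with the brace on the condition line, while the untouched 'if (out_data == 0)' just below keeps its brace on a line of its own; stay with the file's existing brace style.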
Bug#861117: unblock: xrdp/0.9.1-8
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package xrdp The new upload fixes a security issue, CVE-2017-6967. debdiff attached. unblock xrdp/0.9.1-8 - -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) diff -Nru xrdp-0.9.1/debian/changelog xrdp-0.9.1/debian/changelog --- xrdp-0.9.1/debian/changelog 2017-02-18 16:46:17.0 +0100 +++ xrdp-0.9.1/debian/changelog 2017-04-24 20:14:36.0 +0200 
@@ -1,3 +1,9 @@ +xrdp (0.9.1-8) unstable; urgency=medium + + * Fix CVE-2017-6967. (Closes: #858143, #855536) + + -- Dominik George <n...@naturalnet.de> Mon, 24 Apr 2017 20:14:36 +0200 + xrdp (0.9.1-7) unstable; urgency=medium * Fix RFX with large tile sets, e.g. full HD displays. (Closes: #855387) diff -Nru xrdp-0.9.1/debian/patches/cve-2017-6967.diff xrdp-0.9.1/debian/patches/cve-2017-6967.diff --- xrdp-0.9.1/debian/patches/cve-2017-6967.diff1970-01-01 01:00:00.0 +0100 +++ xrdp-0.9.1/debian/patches/cve-2017-6967.diff2017-04-24 20:14:36.0 +0200 
@@ -0,0 +1,91 @@ +From: Jay Sorg <jay.s...@gmail.com> +Date: Mon, 20 Mar 2017 18:59:44 -0700 +Subject: [PATCH] sesman: move auth/pam calls to main process +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858143 +Origin: https://github.com/neutrinolabs/xrdp/commit/4b8a33e087ee9cf5556b40b717cd7e8ff243b3c3 + +--- a/sesman/scp_v0.c b/sesman/scp_v0.c +@@ -36,6 +36,7 @@ scp_v0_process(struct SCP_CONNECTION *c, + tbus data; + struct session_item *s_item; + int errorcode = 0; ++int do_auth_end = 1; + + data = auth_userpass(s->username, s->password, ); + +@@ -131,6 +132,9 @@ scp_v0_process(struct SCP_CONNECTION *c, + log_message(LOG_LEVEL_INFO, "starting Xorg session..."); + display = session_start(data, SESMAN_SESSION_TYPE_XORG, s); + } ++/* if the session started up ok, auth_end will be called on ++ sig child */ ++do_auth_end = display == 0; + } + else + { +@@ -151,5 +155,8 @@ scp_v0_process(struct SCP_CONNECTION *c, + { + scp_v0s_deny_connection(c); + } +-auth_end(data); ++if (do_auth_end) ++{ ++auth_end(data); ++} + } +--- a/sesman/scp_v1.c b/sesman/scp_v1.c +@@ -38,7 +38,7 @@ void DEFAULT_CC + scp_v1_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s) + { + long data; +-int display; ++int display = 0; + int retries; + int current_try; + enum SCP_SERVER_STATES_E e; +@@ -46,6 +46,7 @@ scp_v1_process(struct SCP_CONNECTION *c, + struct session_item *sitem; + int scount; + SCP_SID sid; ++int do_auth_end = 1; + + retries = g_cfg->sec.login_retry; + current_try = retries; +@@ -124,14 +125,21 @@ scp_v1_process(struct SCP_CONNECTION *c, + log_message(LOG_LEVEL_INFO, "starting Xvnc session..."); + display = session_start(data, SESMAN_SESSION_TYPE_XVNC, s); + } +-else ++else if (SCP_SESSION_TYPE_XRDP == s->type) + { + log_message(LOG_LEVEL_INFO, "starting X11rdp session..."); + display = session_start(data, SESMAN_SESSION_TYPE_XRDP, s); + } ++else if (SCP_SESSION_TYPE_XORG == s->type) ++{ ++log_message(LOG_LEVEL_INFO, "starting Xorg session..."); ++display = 
session_start(data, SESMAN_SESSION_TYPE_XORG, s); ++} ++/* if the session started up ok, auth_end will be called on ++
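Review bot: in the scp_v1_process hunk, turning the final else into 'else if (SCP_SESSION_TYPE_XRDP == s->type)' and adding the XORG branch leaves the chain without a fallback: for any other session type display simply keeps its new initial value of 0, the value the scp_v0.c hunk treats as a failed start, and nothing is logged. Add a closing else that logs the unexpected s->type. In scp_v0.c, 'do_auth_end = display == 0;' reads more clearly as 'do_auth_end = (display == 0);'.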
Bug#861844: unblock: xrdp/0.9.1-9
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Please unblock package xrdp This package updates the security fix in 0.9.1-8, which turned out to be incomplete. diff -Nru xrdp-0.9.1/debian/changelog xrdp-0.9.1/debian/changelog - --- xrdp-0.9.1/debian/changelog 2017-04-24 20:14:36.0 +0200 +++ xrdp-0.9.1/debian/changelog 2017-05-04 18:59:10.0 +0200 @@ -1,3 +1,9 @@ +xrdp (0.9.1-9) unstable; urgency=high + + * Revisit incomplete fix for CVE-2017-6967. (Closes: #858143) + + -- Dominik George <n...@naturalnet.de> Thu, 04 May 2017 18:59:10 +0200 + xrdp (0.9.1-8) unstable; urgency=medium * Fix CVE-2017-6967. (Closes: #858143, #855536) diff -Nru xrdp-0.9.1/debian/patches/cve-2017-6967.diff xrdp-0.9.1/debian/patches/cve-2017-6967.diff - --- xrdp-0.9.1/debian/patches/cve-2017-6967.diff 2017-04-24 20:14:36.0 +0200 +++ xrdp-0.9.1/debian/patches/cve-2017-6967.diff2017-05-04 18:59:04.0 +0200 @@ -3,6 +3,8 @@ Subject: [PATCH] sesman: move auth/pam calls to main process Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858143 Origin: https://github.com/neutrinolabs/xrdp/commit/4b8a33e087ee9cf5556b40b717cd7e8ff243b3c3 +Reviewed-By: Dominik George <n...@naturalnet.de> +Reviewed-By: Thorsten Glaser <t...@mirbsd.org> --- a/sesman/scp_v0.c +++ b/sesman/scp_v0.c 
@@ -89,3 +91,46 @@ g_free(slist); } +--- a/sesman/session.c b/sesman/session.c +@@ -335,7 +335,6 @@ session_start_sessvc(int xpid, int wmpid + g_sigterm(xpid); + g_sigterm(wmpid); + g_sleep(1000); +-auth_end(data); + g_exit(0); + } + +@@ -490,6 +489,7 @@ session_start_fork(tbus data, tui8 type, + return 0; + } + ++auth_start_session(data, display); + pid = g_fork(); /* parent is fork from tcp accept, +child forks X and wm, then becomes scp */ + +@@ -548,7 +548,6 @@ session_start_fork(tbus data, tui8 type, + else if (wmpid == 0) + { + wait_for_xserver(display); +-auth_start_session(data, display); + pampid = g_fork(); /* parent waits, todo + child becomes wm */ + if (pampid == -1) +@@ -639,7 +638,6 @@ session_start_fork(tbus data, tui8 type, + else + { + g_waitpid(pampid); +-auth_stop_session(data); + g_deinit(); + g_exit(0); + } +@@ -967,6 +965,8 @@ session_kill(int pid) + + if (tmp->item->pid == pid) + { ++auth_stop_session(tmp->item->data); ++auth_end(tmp->item->data); + /* deleting the session */ + log_message(LOG_LEVEL_INFO, "++ terminated session: username %s, display :%d.0, session_pid %d, ip %s", tmp->item->name, tmp->item->display, tmp->item->pid, tmp->item->client_ip); + g_free(tmp->item); unblock xrdp/0.9.1-9 - -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system)
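Review bot: in the session_start_fork hunk, 'auth_start_session(data, display);' now runs in the main process right before 'pid = g_fork();', but its return value is ignored and the visible lines show no auth_stop_session on the path where the fork fails. Cleanup for a started session has moved to session_kill, which calls 'auth_stop_session(tmp->item->data);' and 'auth_end(tmp->item->data);', so every path that opened the session has to end up with an entry in the session list whose data field is set. The assignment of item->data is not part of this diff; please point to it or add it.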
Bug#878996: stretch-pu: package xrdp/0.9.1-9
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Dear stable release managers, I would like to update xrdp in stretch. xrdp 0.9.1-9 has a bug marked as important in the BTS, causing xrdp to go into an endless loop when shutting down an SSL context and causing very high load on the system when it does. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876976 Find attached the debdiff between the current stable version and the proposed update. Cheers, Nik - -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.12.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) diff -Nru xrdp-0.9.1/debian/changelog xrdp-0.9.1/debian/changelog --- 
xrdp-0.9.1/debian/changelog 2017-05-04 18:59:10.0 +0200 +++ xrdp-0.9.1/debian/changelog 2017-10-18 11:56:31.0 +0200 @@ -1,3 +1,11 @@ +xrdp (0.9.1-9+deb9u1) stable; urgency=medium + + * Fix high CPU load on SSL shutdown. (Closes: #876976) ++ xrdp could in some situations cause permanent high load on a + system if an SSL shutdown got into an endless loop. + + -- Dominik George <n...@naturalnet.de> Wed, 18 Oct 2017 11:56:31 +0200 + xrdp (0.9.1-9) unstable; urgency=high * Revisit incomplete fix for CVE-2017-6967. (Closes: #858143) diff -Nru xrdp-0.9.1/debian/patches/fix-876976.patch xrdp-0.9.1/debian/patches/fix-876976.patch --- xrdp-0.9.1/debian/patches/fix-876976.patch 1970-01-01 01:00:00.0 +0100 +++ xrdp-0.9.1/debian/patches/fix-876976.patch 2017-10-18 11:53:29.0 +0200 @@ -0,0 +1,16 @@ +From: Jay Sorg <jay.s...@gmail.com> +Origin: https://github.com/neutrinolabs/xrdp/commit/2c96908ea500880c71d3593dd2b2b5b5275bdbf5 +Subject: if SSL_shutdown fails, only call one more time +Bug: https://github.com/neutrinolabs/xrdp/issues/872 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876976 +--- a/common/ssl_calls.c b/common/ssl_calls.c +@@ -754,7 +754,7 @@ ssl_tls_disconnect(struct ssl_tls *self) + return 0; + } + status = SSL_shutdown(self->ssl); +-while (status != 1) ++if (status != 1) + { + status = SSL_shutdown(self->ssl); + if (status <= 0) diff -Nru xrdp-0.9.1/debian/patches/series xrdp-0.9.1/debian/patches/series --- xrdp-0.9.1/debian/patches/series2017-04-27 12:48:33.0 +0200 +++ xrdp-0.9.1/debian/patches/series2017-10-18 11:50:09.0 +0200 @@ -10,3 +10,4 @@ kb_jp.diff highres.diff cve-2017-6967.diff +fix-876976.patch
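Review bot: in the ssl_tls_disconnect hunk of fix-876976.patch, changing 'while (status != 1)' to 'if (status != 1)' bounds the retry and so stops the spin, but the second SSL_shutdown(self->ssl) is still issued immediately and its result is only tested with 'status <= 0'. On a non-blocking socket that result is commonly a want-read or want-write condition rather than a failure; checking SSL_get_error() at that point would tell an incomplete bidirectional shutdown apart from a real error.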
Bug#884561: stretch-pu: package pam-krb5-migrate/0.0.11-4
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, I would like to update pam-krb5-migrate in stretch to fix #873271. Right now, the package is unusable because it installs files to the wrong directories. I took over maintenance of the package, which is why I also change the maintainer in the new package (as to not wrongly mark it as an NMU). Diff attached. Cheers, Nik diff --git a/debian/changelog b/debian/changelog index f59576e..f1c26a0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +pam-krb5-migrate (0.0.11-4+deb9u1) stretch; urgency=medium + + * Fix install paths. (Closes: #873271) + * Make myself maintainer (instead of marking this an NMU, +which it isn't). + + -- Dominik George <n...@naturalnet.de> Sat, 16 Dec 2017 21:51:59 +0100 + pam-krb5-migrate (0.0.11-4) unstable; urgency=medium * Drop support for Heimdal. Closes: #837695 diff --git a/debian/control b/debian/control index 98ccc21..d10797d 100644 --- a/debian/control 
+++ b/debian/control @@ -1,7 +1,7 @@ Source: pam-krb5-migrate Section: admin Priority: optional -Maintainer: Jelmer Vernooij <jel...@debian.org> +Maintainer: Dominik George <n...@naturalnet.de> Standards-Version: 3.9.8 Build-Depends: comerr-dev, debhelper (>= 5.0.70~), diff --git a/debian/libpam-krb5-migrate-mit.install b/debian/libpam-krb5-migrate-mit.install index 859fba5..77f7a0f 100644 --- a/debian/libpam-krb5-migrate-mit.install +++ b/debian/libpam-krb5-migrate-mit.install @@ -1,2 +1,2 @@ -mit/pam_krb5_migrate_mit.so /lib/security/pam_krb5_migrate_mit.so -debian/libpam-krb5-migrate-mit.pam-config /usr/share/pam-configs/krb5-migrate-mit +mit/pam_krb5_migrate_mit.so lib/security +debian/libpam-krb5-migrate-mit.pam-config usr/share/pam-configs
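Review bot: in the libpam-krb5-migrate-mit.install hunk, the fix is that the second column of an install file is a destination directory, not a file name, so the old '/lib/security/pam_krb5_migrate_mit.so' entry named a directory called like the module. The changelog line '* Fix install paths.' does not say that; for a stable update, state there where the files ended up before and where they go now, so the change can be checked against #873271.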
Bug#884483: stretch-pu: package xrdp/0.9.1-9+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, I'd like to update xrdp in stretch for two important bugs: 1. #882463, CVE-2017-16927: Local DoS Security team says it's not critical enough for stretch-security and I should instead target stretch-pu (although I disagree). 2. #884453, High CPU load in ssl_tls_accept Remote users could use up quite a lot or all system resources by keeping TLS contexts in a certain state. Please find the debdiff attached. Cheers, Nik diff -Nru xrdp-0.9.1/debian/changelog xrdp-0.9.1/debian/changelog --- xrdp-0.9.1/debian/changelog 2017-10-18 11:56:31.0 +0200 +++ xrdp-0.9.1/debian/changelog 2017-12-15 19:28:28.0 +0100 
@@ -1,3 +1,10 @@ +xrdp (0.9.1-9+deb9u2) stretch; urgency=medium + + * Fix CVE-2017-16927. (Closes: #882463) + * Fix high CPU load on ssl_tls_accept. (Closes: #884453) + + -- Dominik George <n...@naturalnet.de> Fri, 15 Dec 2017 19:28:28 +0100 + xrdp (0.9.1-9+deb9u1) stretch; urgency=medium * Fix high CPU load on SSL shutdown. (Closes: #876976) diff -Nru xrdp-0.9.1/debian/patches/cve-2017-16927.patch xrdp-0.9.1/debian/patches/cve-2017-16927.patch --- xrdp-0.9.1/debian/patches/cve-2017-16927.patch 1970-01-01 01:00:00.0 +0100 +++ xrdp-0.9.1/debian/patches/cve-2017-16927.patch 2017-12-15 19:28:28.0 +0100 
@@ -0,0 +1,137 @@ +From: Idan Freiberg +Subject: sesman: scpv0, accept variable length data fields +Origin: https://github.com/neutrinolabs/xrdp/commit/ebd0510a7d4dab906b6e01570205dfa530d1f7bf.diff +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882463 +--- a/sesman/libscp/libscp_v0.c b/sesman/libscp/libscp_v0.c +@@ -157,7 +157,7 @@ scp_v0s_accept(struct SCP_CONNECTION *c, + struct SCP_SESSION *session = 0; + tui16 sz; + tui32 code = 0; +-char buf[257]; ++char *buf = 0; + + if (!skipVchk) + { +@@ -222,27 +222,31 @@ scp_v0s_accept(struct SCP_CONNECTION *c, + + /* reading username */ + in_uint16_be(c->in_s, sz); +-buf[sz] = '\0'; ++buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); +- ++buf[sz] = '\0'; + if (0 != scp_session_set_username(session, buf)) + { + scp_session_destroy(session); + log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__); ++g_free(buf); + return SCP_SERVER_STATE_INTERNAL_ERR; + } ++g_free(buf); + + /* reading password */ + in_uint16_be(c->in_s, sz); +-buf[sz] = '\0'; ++buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); +- ++buf[sz] = '\0'; + if (0 != scp_session_set_password(session, buf)) + { + scp_session_destroy(session); + log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); ++g_free(buf); + return SCP_SERVER_STATE_INTERNAL_ERR; + } ++g_free(buf); + + /* width */ + in_uint16_be(c->in_s, sz); +@@ -268,9 +272,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, + + if (sz > 0) + { ++buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); + buf[sz] = '\0'; + scp_session_set_domain(session, buf); ++g_free(buf); + } + } + +@@ -281,9 +287,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, + + if (sz > 0) + { ++buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); + buf[sz] = '\0'; + scp_session_set_program(session, buf); ++g_free(buf); + } + } + +@@ -294,9 +302,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, + + if (sz > 0)
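Review bot: Each `buf = g_new0(char, sz);` in this patch (username, password, and the `if (sz > 0)` blocks for domain and program) allocates `sz` bytes, yet the same hunks then write `buf[sz] = '\0';`, one byte past the end of the allocation. Allocate `sz + 1` at every site so that the terminator lands inside the buffer. The result of `g_new0` is also used without a check before `in_uint8a(c->in_s, buf, sz)` writes into it; in the username and password paths an allocation failure should take the same route as the existing error branches (`scp_session_destroy(session)` and `return SCP_SERVER_STATE_INTERNAL_ERR`).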
Bug#884483: stretch-pu: package xrdp/0.9.1-9+deb9u1
Hi,

On Fri, Dec 15, 2017 at 07:41:29PM +0100, Dominik George wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu

Any news ☺?

Cheers,
Nik
Bug#895596: stretch-pu: package xrdp/0.9.1-9+deb9u2
Hi,

> Note that the uploading window for 9.5 is closing this weekend, so I
> took the liberty to build and upload with your debdiff. Hope this is
> fine with you otherwise I will ask Adam to reject my upload!

Oh thanks! We had a work meeting of Teckids, the Free software (and mostly Debian) youth organisation all the weekend, so I missed that.

Thanks a lot for taking care of that!

Cheers,
Nik
Bug#891829: stretch-pu: package needrestart/2.11-3
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I would like to update needrestart in the upcoming point release to fix the RC bug #876459 in stretch. It causes regular unintended restarts of critical services.

The maintainer seems to lack time, so I have offered help to fix this in stretch. I got it reviewed by Mike Gabriel, who also offers to sponsor the upload.

Find attached the debdiff.

Thanks,
Nik

-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru needrestart-2.11/debian/changelog needrestart-2.11/debian/changelog ---
needrestart-2.11/debian/changelog 2017-05-26 15:45:04.0 +0200 +++ needrestart-2.11/debian/changelog 2018-02-28 22:48:43.0 +0100 @@ -1,3 +1,11 @@ +needrestart (2.11-3+deb9u0.1) stretch; urgency=medium + + * Non-maintainer upload. + * Fix switching to list mode if debconf is run non-interactively. +(Closes: #876459) + + -- Dominik George <n...@naturalnet.de> Wed, 28 Feb 2018 22:48:43 +0100 + needrestart (2.11-3) unstable; urgency=high * Add patch 03-perl-warning to fix a warning from Perl triggered in version diff -Nru needrestart-2.11/debian/patches/05-fix-debconf-noninteractive.diff needrestart-2.11/debian/patches/05-fix-debconf-noninteractive.diff --- needrestart-2.11/debian/patches/05-fix-debconf-noninteractive.diff 1970-01-01 01:00:00.0 +0100 +++ needrestart-2.11/debian/patches/05-fix-debconf-noninteractive.diff 2018-02-28 22:48:43.0 +0100 
@@ -0,0 +1,16 @@ +From: Piotr Pańczyk <piotr.panc...@assecobs.pl> +Subject: Fix switcihng to list mode if debconf is run non-interactively +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876459 +Origin: https://github.com/liske/needrestart/commit/6c83d643a21fe0da2c8ae5ece97a778b347a033c + +--- a/needrestart b/needrestart +@@ -181,7 +181,7 @@ $nrconf{ui} = qq(NeedRestart::UI::stdio) + die "Hook directory '$nrconf{hook_d}' is invalid!\n" unless(-d $nrconf{hook_d} || $opt_b); + $opt_r = $nrconf{restart} unless(defined($opt_r)); + die "ERROR: Unknown restart option '$opt_r'!\n" unless($opt_r =~ /^(l|i|a)$/); +-$is_tty++ if($opt_r eq 'i' && exists($ENV{DEBIAN_FRONTEND}) && $ENV{DEBIAN_FRONTEND} eq 'noninteractive'); ++$is_tty = 0 if($opt_r eq 'i' && exists($ENV{DEBIAN_FRONTEND}) && $ENV{DEBIAN_FRONTEND} eq 'noninteractive'); + $opt_r = 'l' if(!$is_tty && $opt_r eq 'i'); + + $opt_m = $nrconf{ui_mode} unless(defined($opt_m)); diff -Nru needrestart-2.11/debian/patches/series needrestart-2.11/debian/patches/series --- needrestart-2.11/debian/patches/series 2017-05-26 15:45:04.0 +0200 +++ needrestart-2.11/debian/patches/series 2018-02-28 22:45:55.0 +0100 @@ -2,3 +2,4 @@ 02-install-restart-d.diff 03-perl-warning.diff 04-ignore-systemd-services.diff +05-fix-debconf-noninteractive.diff
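Review bot: The header of 05-fix-debconf-noninteractive.diff misspells its Subject as "Fix switcihng to list mode", while the changelog entry spells it correctly; fix the patch header so the two match. In the code hunk, the corrected line `$is_tty = 0 if($opt_r eq 'i' && ... eq 'noninteractive');` only makes sense together with the following `$opt_r = 'l' if(!$is_tty && $opt_r eq 'i');`, so a one-line comment saying that DEBIAN_FRONTEND=noninteractive must force list mode would keep the next editor from reintroducing the `$is_tty++` that did the opposite.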
Bug#895596: stretch-pu: package xrdp/0.9.1-9+deb9u2
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

The last upload to stretch, fixing a minor security issue, had an incomplete patch provided by upstream which can lead to memory corruption and crashes in some cases.

The update was first negotiated with the security team, who proposed to update via stretch-pu AND stretch-updates.

Find attached the debdiff.

N.B.: This is not an NMU - I am now using my debian.org mail address, but did not want to change Uploaders: in a stable update (or should I?).

diff -Nru xrdp-0.9.1/debian/changelog xrdp-0.9.1/debian/changelog --- xrdp-0.9.1/debian/changelog 2017-12-15 19:28:28.0 +0100 +++ xrdp-0.9.1/debian/changelog 2018-04-12 23:43:25.0 +0200
@@ -1,3 +1,10 @@ +xrdp (0.9.1-9+deb9u3) stretch; urgency=high + + * Fix patch for CVE-2017-16927. (Closes: #884702) ++ Off-by-one mistake could crash xrdp in some cases. + + -- Dominik George <naturesha...@debian.org> Thu, 12 Apr 2018 23:43:25 +0200 + xrdp (0.9.1-9+deb9u2) stretch; urgency=medium * Fix CVE-2017-16927. (Closes: #882463) diff -Nru xrdp-0.9.1/debian/patches/cve-2017-16927.patch xrdp-0.9.1/debian/patches/cve-2017-16927.patch --- xrdp-0.9.1/debian/patches/cve-2017-16927.patch 2017-12-15 19:28:28.0 +0100 +++ xrdp-0.9.1/debian/patches/cve-2017-16927.patch 2018-04-12 23:43:25.0 +0200 @@ -18,7 +18,7 @@ /* reading username */ in_uint16_be(c->in_s, sz); -buf[sz] = '\0'; -+buf = g_new0(char, sz); ++buf = g_new0(char, sz + 1); in_uint8a(c->in_s, buf, sz); - +buf[sz] = '\0'; @@ -34,7 +34,7 @@ /* reading password */ in_uint16_be(c->in_s, sz); -buf[sz] = '\0'; -+buf = g_new0(char, sz); ++buf = g_new0(char, sz + 1); in_uint8a(c->in_s, buf, sz); - +buf[sz] = '\0'; @@ -53,7 +53,7 @@ if (sz > 0) { -+buf = g_new0(char, sz); ++buf = g_new0(char, sz + 1); in_uint8a(c->in_s, buf, sz); buf[sz] = '\0'; scp_session_set_domain(session, buf); @@ -65,7 +65,7 @@ if (sz > 0) { -+buf = g_new0(char, sz); ++buf = g_new0(char, sz + 1); in_uint8a(c->in_s, buf, sz); buf[sz] = '\0'; scp_session_set_program(session, buf); @@ -77,7 +77,7 @@ if (sz > 0) { -+buf = g_new0(char, sz); ++buf = g_new0(char, sz + 1); in_uint8a(c->in_s, buf, sz); buf[sz] = '\0'; scp_session_set_directory(session, buf); @@ -89,7 +89,7 @@ if (sz > 0) { -+buf = g_new0(char, sz); ++buf = g_new0(char, sz + 1); in_uint8a(c->in_s, buf, sz); buf[sz] = '\0'; scp_session_set_client_ip(session, buf); @@ -102,7 +102,7 @@ /* reading username */ in_uint16_be(c->in_s, sz); -buf[sz] = '\0'; -+buf = g_new0(char, sz); ++buf = g_new0(char, sz + 1); in_uint8a(c->in_s, buf, sz); +buf[sz] = '\0'; 
@@ -119,7 +119,7 @@ /* reading password */ in_uint16_be(c->in_s, sz); -buf[sz] = '\0'; -+buf = g_new0(char, sz); ++buf = g_new0(char, sz + 1); in_uint8a(c->in_s, buf, sz); +buf[sz] = '\0';
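Review bot: With `g_new0(char, sz + 1)` the later `buf[sz] = '\0';` is now in bounds, but in the username and password hunks `sz` still goes straight from `in_uint16_be(c->in_s, sz)` into `in_uint8a(c->in_s, buf, sz)`, and none of the visible lines check that the input stream holds `sz` more bytes before copying. Consider adding that length check in the same update. The identical allocate, copy, terminate sequence is also patched at eight separate sites here; a single helper for reading a length-prefixed string would keep a later fix from missing one of them.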
Bug#884561: stretch-pu: package pam-krb5-migrate/0.0.11-4
Control: tag -1 - moreinfo

Hi,

sorry for losing track of this ☹…

> Care to provide the binary debdiff as well?

Sure:

debdiff libpam-krb5-migrate-mit_0.0.11-4+b1_amd64.deb libpam-krb5-migrate-mit_0.0.11-4+deb9u1_amd64.deb
[The following lists of changes regard files as different if they have different names, permissions or owners.]

Files in second .deb but not in first
-
-rw-r--r-- root/root /lib/security/pam_krb5_migrate_mit.so
-rw-r--r-- root/root /usr/share/pam-configs/libpam-krb5-migrate-mit.pam-config

Files in first .deb but not in second
-
-rw-r--r-- root/root /lib/security/pam_krb5_migrate_mit.so/pam_krb5_migrate_mit.so
-rw-r--r-- root/root /usr/share/doc/libpam-krb5-migrate-mit/changelog.Debian.amd64.gz
-rw-r--r-- root/root /usr/share/pam-configs/krb5-migrate-mit/libpam-krb5-migrate-mit.pam-config

Control files: lines which differ (wdiff format)
Installed-Size: [-45-] {+42+}
Maintainer: [-Jelmer Vernooij <jel...@debian.org>-] {+Dominik George <n...@naturalnet.de>+}
Source: pam-krb5-migrate [-(0.0.11-4)-]
Version: [-0.0.11-4+b1-] {+0.0.11-4+deb9u1+}

> Also, when did this break?

I do not know. I adopted the package after the stretch release.

-nik

--
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Phone: +49 228 92934581 · https://www.dominik-george.de/
Teckids e.V. · FrOSCon e.V. · Debian Developer
LPIC-3 Linux Enterprise Professional (Security)
Bug#884561: stretch-pu: package pam-krb5-migrate/0.0.11-4
Hi,

On Sun, Apr 01, 2018 at 10:45:10PM +0200, Andreas Beckmann wrote:
> On Sat, 31 Mar 2018 20:53:05 +0200 Dominik George <naturesha...@debian.org> wrote:
> > Files in second .deb but not in first
> > -
> > -rw-r--r-- root/root /lib/security/pam_krb5_migrate_mit.so
> >
> > Files in first .deb but not in second
> > -
> > -rw-r--r-- root/root /lib/security/pam_krb5_migrate_mit.so/pam_krb5_migrate_mit.so
>
> Does dpkg gracefully handle directory->file transitions?
> I know it intentionally doesn't do symlink<->directory transitions ...

Well, at least I successfully upgraded from the package in stretch to my new version ☺.

-nik
Bug#912068: stretch-pu: package apache-directory-server/2.0.0~M15-4
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I would like to upload fixes for two RC bugs that affect stretch and make the package uninstallable and, after manually fixing that, unusable:

#909063 - apacheds: package installation fails due to incorrect apacheds.service unit
#911557 - apacheds: broken symlinks: /usr/share/apacheds/lib/{log4j-1.2,commons-io,antlr}.jar

Find attached the diff between the version now in stretch and the proposed version.

diff --git a/debian/apacheds.service b/debian/apacheds.service index e6de514..23efa17 100644 --- a/debian/apacheds.service +++ b/debian/apacheds.service
@@ -8,14 +8,15 @@ Type=simple User=apacheds Group=apacheds EnvironmentFile=/etc/default/apacheds -ExecStart=${JAVA_HOME}/bin/java ${JAVA_OPTS} \ --Dapacheds.controls=${ADS_CONTROLS} \ --Dapacheds.extendedOperations=${ADS_EXTENDED_OPERATIONS} \ - -Dlog4j.configuration=file:${ADS_INSTANCES}/${ADS_INSTANCE}/conf/log4j.properties \ --Dapacheds.log.dir=${ADS_INSTANCES}/${ADS_INSTANCE}/log \ --cp '${ADS_HOME}/lib/*' \ -org.apache.directory.server.UberjarMain \ -${ADS_INSTANCES}/${ADS_INSTANCE}/ +ExecStart=/bin/sh -c "exec \ +${JAVA_HOME}/bin/java ${JAVA_OPTS} \ + -Dapacheds.controls=${ADS_CONTROLS} \ + -Dapacheds.extendedOperations=${ADS_EXTENDED_OPERATIONS} \ + -Dlog4j.configuration=file:${ADS_INSTANCES}/${ADS_INSTANCE}/conf/log4j.properties \ + -Dapacheds.log.dir=${ADS_INSTANCES}/${ADS_INSTANCE}/log \ + -cp '${ADS_HOME}/lib/*' \ + org.apache.directory.server.UberjarMain \ + ${ADS_INSTANCES}/${ADS_INSTANCE}/" PrivateTmp=true [Install] diff --git a/debian/changelog b/debian/changelog index 62c6358..bdfa64f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +apache-directory-server (2.0.0~M15-4+deb9u1) stretch; urgency=medium + + * Team upload. + * Fix command in systemd service file. (Closes: #909063) + * Add missing dependencies to libraries. (Closes: #911557) + + -- Dominik George Sat, 27 Oct 2018 15:32:48 +0200 + apache-directory-server (2.0.0~M15-4) unstable; urgency=medium * Transition to Jetty 9 diff --git a/debian/control b/debian/control index 0b02379..31df170 100644 --- a/debian/control +++ b/debian/control 
@@ -30,7 +30,14 @@ Homepage: http://directory.apache.org Package: libapacheds-java Architecture: all -Depends: ${maven:Depends}, ${misc:Depends}, libapacheds-i18n-java (= ${source:Version}), libapacheds-kerberos-codec-java (= ${source:Version}) +Depends: + libantlr-java, + libapacheds-i18n-java (= ${source:Version}), + libapacheds-kerberos-codec-java (= ${source:Version}), + libcommons-io-java, + liblog4j1.2-java, + ${maven:Depends}, + ${misc:Depends}, Suggests: ${maven:OptionalDepends} Description: Apache Directory Server (Libraries) ApacheDS is an embbedable directory server entirely written in Java, which
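Review bot: In the debian/apacheds.service hunk, the new `ExecStart=/bin/sh -c "exec ${JAVA_HOME}/bin/java ${JAVA_OPTS} ..."` places the values read from `EnvironmentFile=/etc/default/apacheds` on a shell command line, where only `-cp '${ADS_HOME}/lib/*'` is quoted. Because systemd substitutes `${VAR}` into the string before `/bin/sh` parses it, whitespace or shell metacharacters in `ADS_INSTANCES`, `ADS_INSTANCE`, `ADS_CONTROLS` or `ADS_EXTENDED_OPERATIONS` change the command that runs. Quote the expansions that are meant to be a single argument, or move the command into a small wrapper script, and note in the changelog entry why the shell wrapper is needed.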
Re: Proposal: Repository for fast-paced package backports
>> I actually think volatile is a good name. After all, it's not so far
>> from the previous volatile.
>
> volatile is a very bad name for this because we've used it already for
> something else.

Well, I consider it more or less the same basic idea. The old and new ideas have more in common than not, with the only difference being that previously, volatile packages also had versions in stable.

-nik
Re: Proposal: Repository for fast-paced package backports
Hi,

> I like the general direction, but there are some aspects of your proposal
> which should be improved.

Thanks!

>> Other ideas: fastlane, unsupported
>
> Or maybe something like "fastpaced", after all this repo would not be
> unsupported at all, the very point is to provide actual support after
> all.

I actually think volatile is a good name. After all, it's not so far from the previous volatile.

>> - The package must be maintained in unstable, like every other package.
>
> Given the nature of the packages in "fastpaced", it's counterproductive
> to mandate the same standards as for the standard archive, it rather makes
> sense to relax some aspects.
>
> E.g. we usually try to avoid embedded code copies. But for a package
> like Gitlab that doesn't really add any value, if an embedded Ruby
> package is affected, Gitlab upstream fixes it in their weekly release
> anyway. And if not using the embedded code copies you'll end up with
> plenty of
> dependencies which can no longer be fulfilled from stable as upstream
> moves forward.

The intention is to keep the way open to have a real backport again should the situation change. I find that very important for compatibility and assuring upgrade paths.

>> I propose to add the volatile repository next to the backports
>> repository, and treat it as part of backports.
>
> I wouldn't tie this to backports at all, rather make it a separate
> section of the archive and have some ACL mechanism to allow the DDs
> maintaining a fastpaced package to grant access to it (similar to
> #817285).

I am open to this, as long as the goals to have full compatibility with backports stay the same.

-nik
Re: Proposal: Repository for fast-paced package backports
Hi,

> having read the whole Gitlab discussion, I still don't get how/why the
> new repository depends or relates to backports. Instead it could be
> self-contained, except for stuff already available in stable. Couldn't
> you roll the new repository entirely independent of any backports? Even
> if you say there won't be any additional work for the backport policy
> owners, letting a new repo depend on backports will implicitly have an
> impact, which doesn't sound fully thought through yet.

This is answered in the proposal. The reason is to not have volatile abused to ease backporting, and to allow packages to easily move back to backports again.

> I consider especially copying parts of the version scheme fairly
> confusing. This gives your concept a bad touch of just trying to work
> around established rules (i.e. backports rules). Instead of defining
> such minor facets I would recommend you to work on clarity about what
> rules you want to establish in the new repo instead.

I am a bit disappointed that my efforts to emphasize good compatibility with established processes are interpreted that way. As I already laid out several times during the last days, I am in fact disappointed that assuming bad or egoistic intentions seems to have become normal in Debian.

That said, the version numbering is a way to ensure work *with* established rules, not around.

> Also, as Alex suggested, I would prefer if such experiments could be
> started outside the official Debian archive, like backports once
> successfully did. Given how much efforts it took to get backports
> integrated officially, I don't consider adding a new repo a minor
> change. Did you discuss your idea with ftp masters, dak maintainers,
> and buildd admins before?

I did not discuss this proposal before discussing this proposal, no. That's why I am discussing this proposal :).

If you read it properly, you will find that it does not add anything really new, but extends something existing - yet without interfering with it much.

> I acknowledge that Debian needs a solution to support fast moving
> projects like Gitlab better than now. Yet, without a *proof* of concept
> how this could work out in the long run (i.e. across more than one
> Debian release cycle), I don't think it is the right time to ask for
> such a big change now.

Again, the change is not new - it is an extension of backports, using the exact same concepts and rules, apart from the source distribution and the target directory. It is an extension designed to play very nicely with backports.

> I consider Debian open enough to support such
> concepts outside the official archive first.

I hope that e.g. official buildds will not grab code from my private machine and build it, for example.

-nik
Re: Proposal: Repository for fast-paced package backports
> Just to make things a bit clearer for people who may not have followed
> some of the discussions on d-bp-users lately: the point is to be able to
> support fast-moving software with not-so-fast moving dependencies;
> the dependencies may easily be backported without too large a burden
> (their versions will not come too often, so they will be able to migrate
> to testing and thus fulfil the criteria for being in backports), while
> the main piece of software moves too fast, including across major
> versions and with incompatible changes, so that it is not suitable for
> being included in a stable release (thus the part in the proposal about
> blocking its migration to testing).
>
> The maintainers of the stack will first package the dependencies, wait
> for them to migrate to testing, then backport them, and then they will
> upload the main piece of software first to unstable and then to the new
> suite under discussion.

Exactly. And the result shall still have the same quality as any package in -backports, technically, as far as it can. Thus the requirements for version, etc.

Volatile is not to become a place to dump packages to bypass -backports. On the contrary.

-nik
Re: Proposal: Repository for fast-paced package backports
> - no need to keep a volatile package out of testing

Oh, and yes. Having a package in testing means it will be supported for a stable lifecycle - a full contradiction to volatile!

-nik
Re: Proposal: Repository for fast-paced package backports
Hi,

> I would, however, completely separate it from backports. I.e.
>
> - separate NEW queue
> - different suffix
> - no need to keep a volatile package out of testing
>
> Why?
>
> - volatile is a different beast from backports, this should be
>   very clear to both package maintainers and our users

The idea is to have them separated, but fully interoperable. I.e. the proposal ensures such things as:

- foo is not supportable for the buster release cycle. It goes to volatile.
- foo becomes supportable for buster+2.
- foo is backported (as in -backports) to buster+1

This will work properly, among other such scenarios.

> - volatile must not put any burden on the backports team, which
>   e.g. a common NEW queue would probably impose

The whole point is that it is not new work or a new burden. This is one reason for the rules being almost the same and the clear decision path and movement between -backports and -volatile.

A -volatile package is handled exactly the same, except it comes from unstable. The workload is the same as if the package had migrated to testing and was being uploaded to -backports. The defined preconditions ensure this is not abused for a ton of packages.

-nik
Re: Proposal: Repository for fast-paced package backports
> > If there are other issues to solve than the lifespan of the package
> > version, they must be solved in another way.
>
> I agree with you, it is the best outcome. But when people with power
> (-backports ftp masters) are not willing to consider it, we have to go
> with plan B, which is less than ideal, but can move things forward.

Plan B in this case are PPAs. If you want to engage in that idea, please do separately from the -volatile idea.

> >> As I said, gitlab was not about manpower. This new repo is completely against
> >> our vision of what backports is. Therefore we don't want it within the
> >> backports suite.
>
> If people argue both ways, how can we answer? Either it adds more work
> for -backports team or it does not. Some people say it's not fair to
> add more load while ftp masters say it's not about load.

As Alex laid out, it's mostly just the -backports team handling the NEW queue. So all of this really is independent from -backports, if another NEW queue is added (which I do not think is the best idea, but still possible).

But, I do not think it is possible to start -volatile completely independently. I am pretty certain there is enough man power to handle it as a new suite, but on the other hand I am also certain there is not enough manpower to operate a complete set of separate services for it.

In any case, I propose we stop discussing the who and where questions for a while and concentrate on the what and how. I will collect the opinions on that, and in a week or two, incorporate them into the proposal, along with the different possibilities for implementation.

-nik
Re: Proposal: Repository for fast-paced package backports
> - Should the package begin to migrate to testing again, it must
>   be moved to stable-backports.
>
> - Using the same ~bpo version namespace

Both of these points are there to *not* change anything about backports. If a package stops qualifying for -volatile, and starts qualifying for -backports, it's under the backports realm again. I consider this very important so it is very clear for maintainers what -volatile is for - in particular, *not* for bypassing -backports limitations.

The sharing of the version namespace is partially a direct consequence of the previous point.

> - "treat it as part of backports", which I assume means that
>   backports users would automatically consume this repo

No. I see where the misunderstanding comes from - that's not what I was intending to say. -volatile is intended to be a complete separate suite, that users can add to their sources.list separately (if they do, they also need to add the regular -backports, however).

The rest of what I meant as "treat as part of" is adhering to the same rules, standards, etc., and re-using existing infrastructure like the NEW queue due to that. Also to ensure that the qualification of packages for either -backports or -volatile is clear and enforced.

> - new binary uploads to volatile have to undergo the
>   same NEW queue as backports

This is about sharing resources and enforcing the same rules (except for source and target suites).

The proposal is still possible without sharing the same NEW queue, but the first two points are a major concept ensuring that it will work. It will not work as well when removing them.

-nik
Re: Proposal: Repository for fast-paced package backports
> I don't want backports to contain things are are not suited for a
> release.

That's why we are doing all this. It is NOT about anything to backports. It is about adding something new that uses the same RULES as backports, with a slight diversion, and thus can also make use of infrastructure already there for backports.

Neither being economic with manpower and machines nor trying to be a good neighbour by adhering to the same rules means to change or add anything to -backports.

-nik
Re: Proposal: Repository for fast-paced package backports
Hi,

> 2. I am happy with the current charter of backports and I think it's
>    possible to move forward with fastpaced without having to change
>    that charter.

Yep. That's exactly why the proposal changes nothing about -backports. I am still confused why Alex and you keep insisting that anything would be changing there.

> 3. formerer is speaking from experience when he says that it's
>    possible to make this kind of change unofficially first, learn
>    from it, and thus set the groundwork for making it official.
>
>    If you foresee obstacles to that, can you say more about where
>    they lie? Maybe we can help address them, or maybe we can find
>    another way forward.
>
>    If you don't see obstacles, why not start today?

I think I already made those obstacles clear: Starting outside means buying, installing and operating at least a server for volatile.debian.net (or whatever you call it), setting up and maintaining an upload queue, the queued, and everything around it, building from source for at least the most important architectures on hardware that needs to be there and maintained for that, etc.

There are several issues with that:

- It costs a lot of time that could better be used elsewhere.
- It costs extra money, which I for one do not have to spare.
- I am not sure I can do it right, because I do not know all the technical details.

Thus, because the change as it is proposed has such a low impact on anything else, I consider doing all that over again unnecessary.

Don't get me wrong - I would not hesitate to go through it if it were for anything that could break things, or make life harder for others, or something like that. I am just putting the impact of the change and the resources needed for separate infrastructure in relation.

Everything about this proposal has already been tested when -backports was young (thanks for doing the work!). This proposal contains nothing new to learn, neither technically nor policy-wise. It works the same way backports do, with the same considerations, except for the source and target suites of the packages.

If you know how to start with a new service at {volatile,fastpaced,whatever}.debian.net without having to reinvent the wheel for accepting uploads, getting packages built, etc., please enlighten me.

-nik
Re: Proposal: Repository for fast-paced package backports
Hi, On Wed, Dec 26, 2018 at 03:05:55PM +0100, gregor herrmann wrote: > (Can we keep this on one mailing list, please? /me restricts this to > -devel) No. This has the potential of keeping people who are directly impacted by this proposal out of the loop. > And besides that, I think the more universal answer is > bikesheds/PPAs/you-name-it instead of yet-another-suite. Absolutely not. It might be an answer, but to an entirely different question. This proposal is about providing packages under the same rules, policies and QA as any other package in Debian, built in the same trustworthy manner. This is something a PPA does not do. To stay with the gitlab example: I would very much like to see some people (including the company I work at, two organisations I am otherwise involved with,…) use packages from Debian. This is mostly about trust - it is a very useful policy to limit the entities to trust for software distribution if you run production systems, especially when they handle third-party data. Debian is such an entity - while there are many people working in it, it is a body with defined procedures and standards that can be relied upon. Debian telling users to add a PPA to their trusted entities that is managed by some person alone, be they a DD or not, defeats this entirely. On Wed, Dec 26, 2018 at 08:29:17PM +0530, Pirate Praveen wrote: > The -backports team does not want the dependencies of gitlab to be in > -backports even though it meets the criteria for backports. So we will > end up adding it to volatile. Now if some one else wants the same in > -backports, they will have to repeat the process. > > Take nodejs or npm for example, which I backported now. In buster the > -backports team does not want it in backports if I'm doing it for > gitlab, even though they satisfy the requirement for -backports. So we > will end up uploading these to volatile, if someone else wants it in > -backports, they will have to do it again. 
> > It is one way (volatile can use -backports, but -backports can't use > volatile). I'm fine with that if people don't want our work for volatile > not added to -backports. > > Dominik, > > I think we can go ahead with volatile as separate suite and take > packages from -backports if exist but add all new dependencies to -volatile. > > This, > > "Dependencies on other packages in volatile should be avoided if > possible. Especially, dependencies of the package that also need > backporting must not be added to volatile just because they are > dependencies — every dependency that is needed to be backported to > support the volatile package must be considered on its own and in all > but unprobable edge cases be maintained as a formal backport. Obviously, > the unprobable edge case occurs when the package depends on another > package that also fully qualifies for volatile, as described above." > > should be changed to, > > "Dependencies of the package that also need backporting must be added to > volatile." No. The dependencies of gitlab not being accepted into backports right now is an entirely different issue. I am repeating myself: This proposal is not intended to ease the life of maintainers whose packages qualify for -backports. The only difference between -backports and -volatile in this draft proposal is that -volatile can take packages that are not in testing due to the exact one reason that they have a shorter lifespan. No single other thing qualifies a package for -volatile if it is not qualified for -backports. If there are other issues to solve than the lifespan of the package version, they must be solved in another way. On Wed, Dec 26, 2018 at 04:32:28PM +0100, Alexander Wirt wrote: > As I said, gitlab was not about manpower. This new repo is completely against > our vision of what backports is. Therefore we don't want it within the > backports suite.
Alexander, please don't get me wrong, but have you read the full proposal by now and considered it, independent of the gitlab story? I am pretty certain you did not do that yesterday before starting to object to it - not because of your argumentation, but because reading, understanding, considering and challenging it and then writing your reply is simply not physically possible within the 4½ minutes it took you to object to it ☺. Therefore, I ask you to bring up the points you think are against your vision of backports. In fact, the proposal is laid out in a way that explicitly does *not* contradict it, and I am wondering what makes you think it does, let alone "completely". I still got the impression you are also confusing me with Praveen, to the views of whom I do object as well to some extent (see above). So, this proposal is about extending -backports, but without getting in its way, and following all its ideas except for the source suite. Thus, please let us discuss this in a well-founded, argumentative manner instead of just ruling it out from the start. Thanks, Nik
Re: Proposal: Repository for fast-paced package backports
Hi, > How to handle upgrades from stable to stable+1. Packages from backports > upgrade with no issues as stable+1 contains the same packages already > compiled for the stable+1. As long as the package is in -volatile, it is not in stable+1, and upgrades are ensured by the volatile maintainer. If the package is to go into stable+1 again, it must move to -backports (see original proposal for details on that). > How about LTS? As stable-rolling repository would be usable in > conjunction with stable-backports and stable, would then > oldstable-rolling continue to roll or just freeze in place at the moment > when the stable becomes oldstable? I think oldstable-volatile could keep rolling if the maintainer wishes to do so, but must never be newer than stable-volatile, of course. Upgrades between oldstable-volatile and stable-volatile must be ensured by the maintainer. > Continuous delivery development model based upstream applications are > not quite a good fit for a stable release distribution. Maybe that's why we are drafting a mechanism to support them outside the stable release distribution ;). -nik
Proposal: Repository for fast-paced package backports
Hi there, everyone,

as announced in the recent thread about maintaining, I hereby propose a repository that allows making “backports” of packages available to users of the stable distribution, if those packages cannot be maintained in testing and backported in the usual way.

If you are interested in what led up to that, please see bug #915050. I will give a short summary of it here.

Reasons for having a special place for some packages
====================================================

(You may want to skip this part if you are familiar with the situation.)

As all developers know (but passers-by may not), for software to enter the Debian archive, it is always uploaded to the unstable distribution, then migrates to testing (hopefully ;)), which is at some point snapshot and made the new stable release. From there on, maintainers have two obligations: Firstly, keep the package in stable good and secure, e.g. by uploading security fixes for it once they become available upstream, or even backport fixes themselves. Secondly, provide the package in unstable with updates and ensure its migration, to keep it ready for the next stable release.

Now, for some software packages, this process is problematic, because upstream may have another idea about software lifecycles. Concerning the GitLab example, upstream provides security fixes for three months for their stable releases. Backporting fixes from newer versions is very hard or impossible because of the massive amounts of changes to the software in every new version. This is something that also affects other packages, like Mozilla Firefox, which has a firefox package in unstable, and a separate firefox-esr package, with the ESR version of Firefox. Only the latter migrates to testing.

Users of Debian honour it for its stability, but as an agile software lifecycle is adapted by more and more very popular software packages, not being able to install these packages in the trusted, well-known fashion through the official apt repositories is becoming more and more of a drawback.

It can easily be assumed that the normal release and maintenance cycle of Debian stable will not change, which is very good, so we should find a way to still provide such software as described above to users.

Why backports is not enough
===========================

This also is well-known, but for completeness: Formal backports in stable-backports are required to be direct backports from testing, and are a stepping stone within the upgrade from stable to stable+1. Thus, a version of a package that is not in testing can never be in stable-backports.

Name of the new repository
==========================

In the past, the name “volatile” was used for a similar repository, but with a different scope (limited to data packages for things like virus scanners). I will thus use the working title volatile throughout this proposal, although this may change.

Other ideas: fastlane, unsupported

(Please feel free to add other ideas.)

Requirements for a package to go into stable-volatile
=====================================================

The new volatile proposal is not intended to ease life for package maintainers who want to bypass the migration and QA requirements of the regular stable lifecycle, so special need must be taken to ensure only packages that need it go into volatile. I want to summarise the requirements like so:

- The package must be maintained in unstable, like every other package.
- The package must not be in testing, and care must be taken for the package not to migrate to testing.
- Regular maintenance for the lifetime of stable must be impossible or unnecessarily hard, and this requirement should be assessed in a verifiable manner, e.g. referring to upstream’s lifecycle model.
- There must be notable need for the package. Like for backports, user requests might be an indicator.
- Should the package be removed from unstable, it must also be removed from volatile.
- Should the package begin to migrate to testing again, it must be moved to stable-backports.

Before starting to maintain a volatile package, the maintainer shall seek consent (or doubt) on debian-devel.

Building packages and package dependencies
==========================================

Packages for volatile are built the same way as formal backports, only that the source is taken from unstable rather than testing. In particular:

- Changes shall be kept as small as possible.
- The package is rebuilt against stable.
- The package may depend on packages in stable, stable-backports or stable-volatile.

Dependencies on other packages in volatile should be avoided if possible. Especially, dependencies of the package that also need backporting must not be added to volatile just because they are dependencies — every dependency that is needed to be backported to support the volatile package must be considered on its own and in all but unprobable edge cases be maintained as a formal
Re: Proposal: Repository for fast-paced package backports
> We already told you to build your own repo. You should probably start with identifying the senders of mail correctly ☺. I am not the gitlab maintainer (and will never be). > Imho you should start the same way backports started - outside of > debian. > Prove that it works and integrate into Debian later. I would agree with you if it were a big change - however, the proposal has a very low impact, if not none at all, on existing stuff. In contrast to what you seem to believe (accuse people of…), this proposal is about helping Debian as a whole, not forcing a certain package into the distribution. gitlab only serves as an example of why it is useful. The Debian infrastructure already supports everything that is needed to implement this, and starting with parallel infrastructure would probably mean that it will fail because this requires a single person spending time and money to maintain the infrastructure (which is otherwise already there), and to make it really work, this is a low (think of buildds, etc.). In any case, I do not see why you would fight the fact that someone makes a detailed proposal. A proposal can be accepted or denied, of course, but your tone implies you think no one should have made the proposal in the first place. Please don't fight people wanting to help based on your opinion about a prior case around gitlab. -nik
Re: Proposal: Repository for fast-paced package backports
On Tue, Dec 25, 2018 at 10:11:43PM +0100, Alexander Wirt wrote: > https://lists.debian.org/debian-backports/2018/12/msg00028.html > > This wasn't about gitlab. Oh. I must have misread the "gitlab" in the subject, along with the mail being sent to the gitlab maintainer, a gitlab bugreport in the BTS, and concerning a request to accept gitlab into backports ;). Still, there's a big difference: * The thread you refer to is about uploading to backports. This proposal is about *not* uploading to backports. The newly-proposed section is only intended to co-exist with backports, and interact nicely with backports. (Mind the difference between backport as a general term for a package made available for an older distribution, and the name backports for a section in the Debian repository). * Your mail you are referring to talks about "backports" from unstable being a different workflow - this proposal proposes such a workflow. * Your mail refers to packages being indistinguishable in -backports - this proposal is all about having a new section in the repository to distinguish them. In short: This proposal addresses the exact concerns you raised before (although I am not the person you expressed them towards). -nik
Re: Proposal: Repository for fast-paced package backports
> In short: This proposal addresses the exact concerns you raised before > (although I am not the person you expressed them towards). Well, sure, I was involved in that thread, but only in the way that I announced a proposal (this one). Not in any of the stuff concerning adding something to -backports. -nik
Fwd: Nasty dependency/bug situation (with php-zmq, but applicable in general)
- Forwarded message from Dominik George - Date: Mon, 3 Dec 2018 13:09:37 +0100 From: Dominik George To: debian-de...@lists.debian.org Subject: Nasty dependency/bug situation (with php-zmq, but applicable in general) User-Agent: Mutt/1.10.1 (2018-07-13) Hi everybody, situation is as follows: I have a package (movim) which just got accepted into sid, and used to work properly. It now turns out that it is broken with PHP 7.3 - or rather, php-zmq has issues with PHP 7.3 [1]. Now the situation is as follows: * The bug is in php-zmq, but only with PHP 7.3. * Movim does not work due to that, but only with PHP 7.3. * PHP 7.3 is only in sid, testing has 7.2. This results in: * Movim, as it is, does not work in sid. * Once Movim migrates to testing, it works. As the issue is not with movim, I'd rather not mark movim RC-buggy to stop it from migrating. Of course, the first step is to mark php-zmq RC-buggy in sid by reporting the upstream bug with severity grave. But there is actually no reason to remove php-zmq from testing until php7.3 migrates. I could tag the bug as only affecting sid - would that prevent auto-removal from testing? But in any case, this would become incorrect the moment php7.3 migrates. What is the correct course of action in such a situation, where a bug is in package A, but only if package B has version (>> X)? Cheers, Nik [1] https://github.com/mkoppanen/php-zmq/issues/193 - End forwarded message -
Re: Is using experimental distribution for shelter during freeze useful?
> Your thoughts? sid is not a rolling release for the public, it is a development area. Some users use it as a rolling release to get bleeding edge software, but in fact they become a developer that way (not meaning DD). If you think regular development prevents you from staying up to date during the freeze, install the packages you need from experimental. You are a developer, after all. -nik
Bug#924434: unblock pre-approval: movim/0.14.1-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package movim Upstream fixed a few semi-critical bugs, which we here would call important. I added the bugs to the BTS and backported the fixes from the new upstream release, they are listed in the attached debdiff/changelog. If you are up to gifts today, you may as well pre-approve the upload of 0.14.2, the new upstream release. It does not include much more, only some more minor bugfixes and some UI improvements in CSS ;). unblock movim/0.14.1-4 diff -Nru movim-0.14.1/debian/changelog movim-0.14.1/debian/changelog --- movim-0.14.1/debian/changelog 2019-02-23 17:19:27.0 +0100 +++ movim-0.14.1/debian/changelog 2019-03-12 22:49:08.0 +0100 
@@ -1,3 +1,11 @@ +movim (0.14.1-4) unstable; urgency=medium + + * Restart movim daemon if it exits. (Closes: #924429) + * Fix MUC autojoin when used in parallel with other clients. (Closes: #924431) + * Allow long descriptions of MUC rooms. (Closes: #924432) + + -- Dominik George Tue, 12 Mar 2019 22:49:08 +0100 + movim (0.14.1-3) unstable; urgency=medium * Fix bug number in last changelog. diff -Nru movim-0.14.1/debian/patches/fix_924429.diff movim-0.14.1/debian/patches/fix_924429.diff --- movim-0.14.1/debian/patches/fix_924429.diff 1970-01-01 01:00:00.0 +0100 +++ movim-0.14.1/debian/patches/fix_924429.diff 2019-03-12 22:49:01.0 +0100 @@ -0,0 +1,16 @@ +From: Dominik George +Subject: Restart movim from systemd when it exits due to database outage or the like +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924429 +Origin: https://github.com/movim/movim/commit/4d2f0704de590db33567b8f6b843f2ed9e6fcf8c +Applied-Upstream: 0.14.2 +--- a/etc/systemd/system/movim.service b/etc/systemd/system/movim.service +@@ -13,6 +13,8 @@ WorkingDirectory=/usr/share/movim/ + StandardOutput=syslog + SyslogIdentifier=movim + PIDFile=/run/movim.pid ++Restart=on-failure ++RestartSec=10 + + [Install] + WantedBy=multi-user.target diff -Nru movim-0.14.1/debian/patches/fix_924431.diff movim-0.14.1/debian/patches/fix_924431.diff --- movim-0.14.1/debian/patches/fix_924431.diff 1970-01-01 01:00:00.0 +0100 +++ movim-0.14.1/debian/patches/fix_924431.diff 2019-03-12 22:49:08.0 +0100 
@@ -0,0 +1,16 @@ +From: pitchum +SubjectL Fix MUC autojoin with non-int autojoin values saved by other clients. +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924431 +Origin: https://github.com/movim/movim/commit/54d5fe37080f78b6ed7e74d73b04ebd49307b025 +Applied-Upstream: 0.14.2 +--- a/lib/moxl/src/Moxl/Xec/Action/Bookmark/Get.php b/lib/moxl/src/Moxl/Xec/Action/Bookmark/Get.php +@@ -35,7 +35,7 @@ class Get extends Action + $conference->conference = (string)$c->attributes()->jid; + $conference->name = (string)$c->attributes()->name; + $conference->nick = (string)$c->nick; +-$conference->autojoin = (int)$c->attributes()->autojoin; ++$conference->autojoin = filter_var($c->attributes()->autojoin, FILTER_VALIDATE_BOOLEAN); + + $conference->save(); + } diff -Nru movim-0.14.1/debian/patches/fix_924432.diff movim-0.14.1/debian/patches/fix_924432.diff --- movim-0.14.1/debian/patches/fix_924432.diff 1970-01-01 01:00:00.0 +0100 +++ movim-0.14.1/debian/patches/fix_924432.diff 2019-03-12 22:49:08.0 +0100 @@ -0,0 +1,47 @@ +From: Jaussoin Timothée (edhe...@movim.eu> +Subject: Fix database field for MUC description. +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924432 +Origin: https://github.com/movim/movim/commit/a9458dd75a000cc5fd51702013eb5b885aed0d83 +Applied-Upstream: 0.14.2 +--- /dev/null b/database/migrations/20190224220950_change_length_columns_conferences_rosters_users.php +@@ -0,0 +1,39 @@ ++schema
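Review bot: In the movim.service hunk of fix_924429.diff, Restart=on-failure only covers unclean exits (non-zero status, signal, timeout), while the changelog entry promises a restart whenever the daemon exits. If movim returns 0 when it gives up after a database outage, systemd will leave it stopped. Please confirm the exit status on that path, or use Restart=always if any exit should bring the service back.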
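Review bot: In the Bookmark/Get.php hunk of fix_924431.diff, filter_var() is handed the SimpleXML attribute object directly, whereas the three assignments above it cast to (string) first. Casting here as well, filter_var((string)$c->attributes()->autojoin, FILTER_VALIDATE_BOOLEAN), makes the input type explicit. Without FILTER_NULL_ON_FAILURE any unrecognised value silently becomes false, which is a sensible default for autojoin but deserves a comment. The patch header also reads "SubjectL" where "Subject:" is meant.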
Bug#924439: unblock: debian-edu-config/2.10.62
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package debian-edu-config OK, first the most honest part: I f***ed up. 2.10.61 was uploaded well before full freeze, fixing a list of bugs. I then wanted to fix two critical bugs which prevented parts of the package from working at all, and when uploading, failed at primary school maths and thought it would get in before the full freeze. This also prevented the migration of 2.10.61. The upload's impact is limited to the Debian Edu pure blend. It fixes the following issues, which are not all tracked as a bug in BTS: * Fix handling of LDAP certificates on LTSP clients, especially verification. * Fix screen locking on LTSP clients with Xfce. * Replace the old skolelinux popcon service with only the Debian one. * Fix handling of LTSP client config from LDAP. All these are bugs that would probably grant an unblock. Looking at the situation described at the top, I kindly ask you to approve and unblock it without adding it as separate bug reports belatedly. Thanks! 
unblock debian-edu-config/2.10.62 -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8), LANGUAGE=nb_NO:nb:no_NO:no:nn_NO:nn:da:sv:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled diff -Nru debian-edu-config-2.10.60/cf3/cf.workarounds debian-edu-config-2.10.62/cf3/cf.workarounds --- debian-edu-config-2.10.60/cf3/cf.workarounds2019-02-12 14:58:47.0 +0100 +++ debian-edu-config-2.10.62/cf3/cf.workarounds2019-02-23 17:12:47.0 +0100 
@@ -22,5 +22,13 @@ "/etc/resolvconf/update-libc.d/squid" link_from => ln_s("/usr/share/debian-edu-config/squid.resolvconf"), move_obstructions => "true"; + +commands: + + debian.xfce.(ltspclient|ltspserver).installation:: + # Provide a screensaver as a workaround for #922718 (fixed in experimental + # but not in Buster). FIXME: Check if this is still needed for Bullseye. +"/usr/bin/apt-get install -y xscreensaver" + contain => in_shell; } diff -Nru debian-edu-config-2.10.60/debian/changelog debian-edu-config-2.10.62/debian/changelog --- debian-edu-config-2.10.60/debian/changelog 2019-02-12 15:00:57.0 +0100 +++ debian-edu-config-2.10.62/debian/changelog 2019-03-01 12:50:01.0 +0100 @@ -1,3 +1,32 @@ +debian-edu-config (2.10.62) unstable; urgency=medium + + * get-ldap-ltsp-config: Fix detection of MAC address. + * get-ldap-ltsp-config: Fix extraction of ltspConfig from LDAP. + * update-hostname-from-ip: Always print hostname if -n is used. + * Add myself as Uploader. + + -- Dominik George Fri, 01 Mar 2019 12:50:01 +0100 + +debian-edu-config (2.10.61) unstable; urgency=medium + + [ Wolfgang Schweer ] + * cf3/cf.workarounds: +- Provide Xfce screensaver for LTSP clients (workaround for bug #922718, + fixed in experimental but unlikely to be fixed in Buster). + * Improve LDAP server certificate check: +- tools/create-debian-edu-certs: + Make /etc/debian-edu/www/debian-edu-bundle.{crt,pem} downloadable. +- debian-edu-config.fetch-ldap-cert: + Verify the LDAP server cert using the downloaded Debian-Edu_rootCa one. + * testsuite/{ldap-client,ldap-server,sudo,webcache,webserver}: +- Fix scripts to match the recent configuration changes. + + [ Holger Levsen ] + * www/index* and www/*.po: replace http://popcon.skolelinux.org with +https://popcon.debian.org as the former is unmaintained. + + -- Holger Levsen Sun, 24 Feb 2019 18:28:43 +0100 + debian-edu-config (2.10.60) unstable; urgency=medium [ Wolfgang Sch
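Review bot: The new commands: promise in cf3/cf.workarounds runs "/usr/bin/apt-get install -y xscreensaver" with contain => in_shell, although the command line uses no shell features, so the shell wrapper can be dropped. A raw apt-get call also has no check for whether the package is already installed or whether a package source is reachable during installation; a packages: promise would express the same intent and let cfengine report the failure.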
Re: Bits from the Release Team: Debian 10 'buster' is now in the soft freeze
Hi, > and stopped >accepting source packages into testing that are new to testing or got >removed Does that imply that new *binary* packages built from existing sources can migrate, if the upload is otherwise suitable during the soft freeze? -nik
Bug#928685: unblock: movim/0.14.1-5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package movim The attached debdiff fixes both an important (and mildly security-relevant bug) in what directories the webserver in the default config grants access to, and an upstream bug not tracked in Debian that breaks handling of emojis in Jabber messages (displaying wrong emojis to users). unblock movim/0.14.1-5 -- System Information: Debian Release: 10.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8), LANGUAGE=nb_NO:nb:no_NO:no:nn_NO:nn:da:sv:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled diff -Nru movim-0.14.1/debian/changelog movim-0.14.1/debian/changelog --- movim-0.14.1/debian/changelog 2019-03-12 22:49:08.0 +0100 +++ 
movim-0.14.1/debian/changelog 2019-05-08 22:38:32.0 +0200 @@ -1,3 +1,13 @@ +movim (0.14.1-5) unstable; urgency=medium + + [ Thorsten Glaser ] + * Add patch to fix emojis being replaced by the wrong images. + + [ Dominik George ] + * Add patch to add correct ACLs to webserver configs. (Closes: #928209) + + -- Dominik George Wed, 08 May 2019 22:38:32 +0200 + movim (0.14.1-4) unstable; urgency=medium * Restart movim daemon if it exits. (Closes: #924429) diff -Nru movim-0.14.1/debian/patches/fix_928209.diff movim-0.14.1/debian/patches/fix_928209.diff --- movim-0.14.1/debian/patches/fix_928209.diff 1970-01-01 01:00:00.0 +0100 +++ movim-0.14.1/debian/patches/fix_928209.diff 2019-05-08 22:37:41.0 +0200 @@ -0,0 +1,40 @@ +Subject: Fix ACLs in webserver configs. +From: Dominik George +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928209 +--- a/etc/apache2/conf-available/movim.conf b/etc/apache2/conf-available/movim.conf +@@ -7,8 +7,19 @@ Alias /movim/ /usr/share/movim/ + AllowOverride FileInfo Options + + +- ++ + Options -Indexes ++ ++ ++ Require all granted ++ ++ ++ Require all denied ++ ++ ++ ++ ++ Require all denied + + + +--- a/etc/nginx/conf.d/movim.conf b/etc/nginx/conf.d/movim.conf +@@ -17,6 +17,10 @@ location /movim/ { + } + + location /movim/cache/ { +- deny all; ++ location ~ \.jpg$ { ++ } ++ location ~ . { ++ deny all; ++ } + } + } diff -Nru movim-0.14.1/debian/patches/issue-835.diff movim-0.14.1/debian/patches/issue-835.diff --- movim-0.14.1/debian/patches/issue-835.diff 1970-01-01 01:00:00.0 +0100 +++ movim-0.14.1/debian/patches/issue-835.diff 2019-05-08 22:27:33.0 +0200 
@@ -0,0 +1,29 @@ +Description: fix upstream issue 835: + do not flag non-emojis as single emojis + (reduced patch to bare minimum to fix the bug) +Bug: https://github.com/movim/movim/issues/835 +Forwarded: https://github.com/movim/movim/pull/837 +Author: mirabilos + +--- a/src/Movim/Emoji.php b/src/Movim/Emoji.php +@@ -66,10 +66,9 @@ class Emoji + public function replace($string): string + { + $this->_string = $string; ++$this->_lastEmoji = null; + + return preg_replace_callback($this->_regex, function ($matches) { +-$this->_lastEmoji = $matches[0]; +- + $astext = implode('-', + array_map('dechex', + unpack('N*', mb_convert_encoding($matches[0], 'UCS-4BE', 'UTF-8')) +@@ -80,6 +79,7 @@ class Emoji + return $matches[0]; + } + ++$this->_lastEmoji = $matches[0]; + $this->_lastEmojiURL = BASE_URI . 'themes/' . + \App\Configuration::get()->theme . + '/img/emojis/sv
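Review bot: In the nginx hunk of fix_928209.diff, the access decision for /movim/cache/ now depends on the order of the two nested regex locations. nginx uses the first regex that matches, so "location ~ \.jpg$" has to stay ahead of "location ~ ." or every request under cache/ is denied. A comment saying so, and why only .jpg is exempt, would protect the block from a later reordering. The match is also case-sensitive and applies at any depth below cache/; please confirm both are intended.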
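Review bot: In Emoji::replace() in issue-835.diff, _lastEmoji is reset to null at the top of the call, but _lastEmojiURL, which is assigned right after it inside the callback, is not. After a call on a string that contains no valid emoji, _lastEmojiURL still holds the value from the previous call. Resetting both together at the top of replace() keeps the pair consistent.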
Bug#927306: Alternative approach for password re-setup
Hi, > This is a well tested patch that I can upload tonight (to unstable)? Or is > more testing time needed? If the patch really fixes the transition, then we > don't need the gosa s-pu. Do all agree? I tested: a) on stretch, that the script works, and produces expected results with a known password b) on buster, that the script works without mcrypt a) was mcrypt-based and upgraded from jessie some time ago, b) was installed as buster. I did not test the full upgrade path from stretch to buster, but I consider the changed part, namely the cred_decrypt function, well-tested. -nik
Bug#927306: Alternative approach for password re-setup
> with the attached patch, the conversion works on buster. > > The script uses php-mcrypt for no reason - the first use always returns > a constant 16, the second returns random bytes. > > With the applied patch, the script works without php-mcrypt. While focusing on what the two mcrypt library calls did, something felt weird, but I didn't know what. I somehow did not trust that what I did was right, because how this decryption should work was not entirely clear to me, despite having basic understanding of how it works. Now I know why: A random IV does not make any sense at all in decryption, and in ECB mode, there is no such thing as an IV at all. Thus, I updated the patch to remove that useless code altogether. -nik --- gosa-mcrypt-to-openssl-passwords.orig 2019-04-18 19:38:43.665650068 +0200 +++ gosa-mcrypt-to-openssl-passwords.new 2019-04-18 21:43:28.782380951 +0200 @@ -25,9 +25,7 @@ } function cred_decrypt($input, $password) { - $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC); - $iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM); - return rtrim(@openssl_decrypt( pack("H*", $input), "aes-256-ecb" , $password, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv ), "\0\3\4\n"); + return rtrim(@openssl_decrypt( pack("H*", $input), "aes-256-ecb" , $password, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING ), "\0\3\4\n"); }
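Review bot: With the IV arguments gone, the remaining problem in cred_decrypt() is the @ in front of openssl_decrypt(). On failure openssl_decrypt() returns false, and rtrim() turns that into an empty string, so a failed decryption cannot be told apart from an empty password. For a script that rewrites stored credentials, compare the result against false and abort with an error instead of suppressing it.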
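The point made in the message above, that ECB has no IV while CBC depends on it, shown as an added PHP example (not part of the original mail or of the GOsa script). The key, the password and the helper name decrypt_with are constructed for illustration.

```php
<?php
// Added illustration: effect of the IV argument on AES decryption in ECB vs. CBC.
// Key and plaintext are constructed sample values, not data from a GOsa setup.
$key   = hash('sha256', 'constructed-master-key', true);  // 32 raw bytes, an AES-256 key
$plain = str_pad('constructed-password', 32, "\0");       // NUL-padded to two 16-byte blocks
$opts  = OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING;          // same flags as cred_decrypt()

// Hypothetical helper: decrypt, and fail loudly instead of returning "" on error.
function decrypt_with(string $cipher, string $ct, string $key, int $opts, string $iv): string
{
    // The @ only silences PHP's warning about an over-long IV for ECB;
    // real failures are still caught by the === false check below.
    $out = @openssl_decrypt($ct, $cipher, $key, $opts, $iv);
    if ($out === false) {
        throw new RuntimeException("decryption failed for $cipher");
    }
    return $out;
}

// ECB: the cipher defines no IV, so whatever is passed is ignored.
printf("IV length for aes-256-ecb: %d\n", openssl_cipher_iv_length('aes-256-ecb'));
$ecb = openssl_encrypt($plain, 'aes-256-ecb', $key, $opts);
$a = decrypt_with('aes-256-ecb', $ecb, $key, $opts, random_bytes(16));
$b = decrypt_with('aes-256-ecb', $ecb, $key, $opts, random_bytes(16));
$c = decrypt_with('aes-256-ecb', $ecb, $key, $opts, '');
echo "ECB, two random IVs and no IV all recover the plaintext: ";
var_dump($a === $plain && $b === $plain && $c === $plain);

// CBC: the IV is XORed into the first plaintext block, so decryption needs
// the IV that was used for encryption. A different IV garbles block 1 only.
$iv   = random_bytes(16);
$cbc  = openssl_encrypt($plain, 'aes-256-cbc', $key, $opts, $iv);
$good = decrypt_with('aes-256-cbc', $cbc, $key, $opts, $iv);
$bad  = decrypt_with('aes-256-cbc', $cbc, $key, $opts, random_bytes(16));
echo "CBC, correct IV recovers the plaintext: ";
var_dump($good === $plain);
echo "CBC, wrong IV, first block intact: ";
var_dump(substr($bad, 0, 16) === substr($plain, 0, 16));
echo "CBC, wrong IV, second block intact: ";
var_dump(substr($bad, 16) === substr($plain, 16));
```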
Bug#927306: Alternative approach for password re-setup
Hi, with the attached patch, the conversion works on buster. The script uses php-mcrypt for no reason - the first use always returns a constant 16, the second returns random bytes. With the applied patch, the script works without php-mcrypt. -nik --- gosa-mcrypt-to-openssl-passwords.orig 2019-04-18 19:38:43.665650068 +0200 +++ gosa-mcrypt-to-openssl-passwords.new 2019-04-18 19:55:39.708586849 +0200 @@ -25,8 +25,7 @@ } function cred_decrypt($input, $password) { - $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC); - $iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM); + $iv = random_bytes(16); return rtrim(@openssl_decrypt( pack("H*", $input), "aes-256-ecb" , $password, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv ), "\0\3\4\n"); }
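Review bot: The added line $iv = random_bytes(16); still feeds an IV to aes-256-ecb, which has no IV, so the value is never used and the only effect is a length warning that the leading @ hides. Drop the $iv variable and the fifth argument to openssl_decrypt() rather than swapping one random source for another.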
Please rebuild on buildd
Dear release team, I would be happy if buildd rebuilds of the following (source) packages could be scheduled: godot tdigest gnome-pass-search-provider upass Thanks, Nik