Bug#1050588: bookworm-pu: package nsis/3.08-3+deb12u1

2024-04-09 Thread Didier 'OdyX' Raboud
Control: tag -1 -moreinfo

On Monday, 8 April 2024, 12.16:34 h CEST, Christian Franke wrote:
> Jonathan Wiltshire wrote:
> > ...
> > Thanks. The bug #1050288 isn't fixed in unstable according to the BTS,
> > which is a requirement. What's the status?
> 
> The problem described in #1050288 no longer occurs since NSIS 3.09.
> The problem appeared in Debian 12 because the Mingw-w64 toolchain now
> enables ASLR (and therefore emits relocation information) by default but
> NSIS does not support relocation information. NSIS upstream addressed
> this in the build recipes of 3.09.
> 
> I could confirm that this has the desired effect:
> In the smartmontools project, we use a Debian 12 based docker image for
> reproducible CI builds (https://builds.smartmontools.org/). After
> forcibly upgrading NSIS to 3.09 from Debian trixie, the problem
> disappeared. Here is the related commit:
> https://github.com/smartmontools/docker-build/commit/9b231f0
> 
> Therefore I guess that #1050288 is also fixed in unstable.

I've just now marked it as fixed. Sorry I hadn't checked that the bug was in 
the correct state.

All lights should now be green.

Best,
OdyX

signature.asc
Description: This is a digitally signed message part.
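
The condition described in the quoted message above (ASLR enabled by the toolchain, and therefore relocation information in the output) can be read directly from a PE header. The following is an added example, not code from NSIS, Debian or this thread; the function names are hypothetical and the sample headers are constructed inside the script.

```python
import struct

# Constants from the PE/COFF format.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be rebased at load time (ASLR)
BASERELOC_DIR = 5                               # index of the base relocation data directory


def pe_relocation_info(data):
    """Return the ASLR and relocation facts recorded in a PE header."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        coff = e_lfanew + 4
        _, _, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
        opt = coff + 20
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:      # PE32
            count_off, dirs_off = 92, 96
        elif magic == 0x20B:    # PE32+
            count_off, dirs_off = 108, 112
        else:
            raise ValueError("unknown optional header magic 0x%04x" % magic)
        (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
        (num_dirs,) = struct.unpack_from("<I", data, opt + count_off)
        reloc_size = 0
        entry = dirs_off + 8 * BASERELOC_DIR
        # Only trust the directory entry if the header really contains it.
        if num_dirs > BASERELOC_DIR and entry + 8 <= opt_size:
            _, reloc_size = struct.unpack_from("<II", data, opt + entry)
    except struct.error as exc:
        raise ValueError("truncated PE header: %s" % exc)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "relocs_stripped": bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED),
        "reloc_dir_size": reloc_size,
        "has_relocations": reloc_size > 0,
    }


def build_constructed_pe(dll_chars, reloc_size, relocs_stripped=False, pe32plus=False):
    """Build a minimal, constructed PE header (no sections) for the demo below."""
    dirs_off = 112 if pe32plus else 96
    opt = bytearray(dirs_off + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, dirs_off - 4, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs_off + 8 * BASERELOC_DIR,
                     0x5000 if reloc_size else 0, reloc_size)
    file_chars = 0x0102 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x014C,
                       0, 0, 0, 0, len(opt), file_chars)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "constructed: ASLR on, relocations present":
            build_constructed_pe(dll_chars=0x0140, reloc_size=0x1A4),
        "constructed: ASLR off, relocations stripped":
            build_constructed_pe(dll_chars=0x0100, reloc_size=0, relocs_stripped=True),
    }
    for label, blob in samples.items():
        print(label, pe_relocation_info(blob))
```

To check a real file, pass its first few kilobytes to `pe_relocation_info`; a result with `has_relocations` true is the state the message attributes to the newer toolchain defaults.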


Bug#1050588: bookworm-pu: package nsis/3.08-3+deb12u1

2024-02-05 Thread Didier 'OdyX' Raboud
On Saturday, 3 February 2024, 10.46:29 h CET, Adam D. Barratt wrote:
> On Sat, 2024-02-03 at 10:33 +0100, Thomas Gaugler wrote:
> > I am the maintainer of Nullsoft Scriptable Install System (NSIS) and
> > propose the changes committed into the debian/bookworm branch on the
> > 27th January 2024 to be released as updated nsis 3.08-3+deb12u1
> > packages
> > ().
> 
> Thanks, but you've still not attached a debdiff of a prepared package,
> as requested. Pointers to git are useful, but they're not the same as an
> actual package debdiff, which sometimes reveals changes that aren't
> immediately obvious from git.
> 
> (A debdiff attached to the bug is also there in perpetuity.)

Here comes the debdiff as I would upload it.

Thanks for the reminder.

Best,
OdyX

diff -Nru nsis-3.08/debian/changelog nsis-3.08/debian/changelog
--- nsis-3.08/debian/changelog	2022-08-15 07:58:35.0 +0200
+++ nsis-3.08/debian/changelog	2024-02-05 11:18:05.0 +0100
@@ -1,3 +1,12 @@
+nsis (3.08-3+deb12u1) bookworm; urgency=medium
+
+  * Cherry-pick upstream commits to fix CVE-2023-37378 (Closes: #1040880)
+  * Use common options for nsis-doc installation
+  * Exclude Debian revison suffix from VER_REVISION
+  * Backport upstream commit to disable stub relocations (Closes: #1050288)
+
+ -- Thomas Gaugler   Mon, 05 Feb 2024 11:18:05 +0100
+
 nsis (3.08-3) unstable; urgency=medium
 
   [ Thomas Gaugler ]
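Review bot: The third bullet of the new changelog entry misspells "revision" as "revison" (`Exclude Debian revison suffix from VER_REVISION`). A stable-update changelog stays in the archive as written, so correct the spelling before the upload.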
diff -Nru nsis-3.08/debian/patches/CVE-2023-37378_Don-t-allow-everyone-to-delete.patch nsis-3.08/debian/patches/CVE-2023-37378_Don-t-allow-everyone-to-delete.patch
--- nsis-3.08/debian/patches/CVE-2023-37378_Don-t-allow-everyone-to-delete.patch	1970-01-01 01:00:00.0 +0100
+++ nsis-3.08/debian/patches/CVE-2023-37378_Don-t-allow-everyone-to-delete.patch	2024-02-05 11:18:05.0 +0100
@@ -0,0 +1,27 @@
+Origin: upstream, https://github.com/kichik/nsis/commit/409b5841479c44fbf33a6ba97c1146e46f965467.patch
+Bug: https://sf.net/p/nsis/bugs/1296
+Bug-Debian: https://bugs.debian.org/1040880
+
+From 409b5841479c44fbf33a6ba97c1146e46f965467 Mon Sep 17 00:00:00 2001
+From: Anders 
+Date: Wed, 21 Jun 2023 23:38:48 +
+Subject: [PATCH] Don't allow everyone to delete the uninstaller directory
+
+git-svn-id: https://svn.code.sf.net/p/nsis/code/NSIS/trunk@7396 212acab6-be3b-0410-9dea-997c60f758d6
+---
+ Source/exehead/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Source/exehead/util.c b/Source/exehead/util.c
+index ba682f6f75..634d4a69f8 100644
+--- a/Source/exehead/util.c
 b/Source/exehead/util.c
+@@ -62,7 +62,7 @@ const UINT32 g_restrictedacl[] = {
+   0x1000, // ACCESS_ALLOWED_ACE:ACCESS_MASK: GENERIC_ALL
+   0x0201, 0x0500, 0x0020, 0x0220, // ACCESS_ALLOWED_ACE:SID (BUILTIN\Administrators) NOTE: GetAdminGrpSid() relies on this being the first SID in the ACL
+   0x00140300, // ACCESS_ALLOWED_ACE:ACE_HEADER (ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE|OBJECT_INHERIT_ACE)
+-  0x00130041, // ACCESS_ALLOWED_ACE:ACCESS_MASK: DELETE|READ_CONTROL|SYNCHRONIZE|FILE_DELETE_CHILD|FILE_LIST_DIRECTORY
++  0x001200c1, // ACCESS_ALLOWED_ACE:ACCESS_MASK: SYNCHRONIZE|READ_CONTROL|FILE_LIST_DIRECTORY|FILE_DELETE_CHILD|FILE_READ_ATTRIBUTES
+   0x0101, 0x0100, 0x // ACCESS_ALLOWED_ACE:SID (WORLD\Everyone)
+ };
+ 
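Review bot: The replacement mask on the WORLD\Everyone ACE (`0x001200c1`) still grants FILE_DELETE_CHILD, and the ACE header just above it carries CONTAINER_INHERIT_ACE|OBJECT_INHERIT_ACE, so the patch should say why that right has to remain once DELETE is dropped. The visible change from `0x00130041` removes DELETE and adds FILE_READ_ATTRIBUTES; a one-line rationale next to the mask would let a later reader confirm that the result matches the subject "Don't allow everyone to delete the uninstaller directory".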
diff -Nru nsis-3.08/debian/patches/CVE-2023-37378_Don-t-delete-old-uninstaller.patch nsis-3.08/debian/patches/CVE-2023-37378_Don-t-delete-old-uninstaller.patch
--- nsis-3.08/debian/patches/CVE-2023-37378_Don-t-delete-old-uninstaller.patch	1970-01-01 01:00:00.0 +0100
+++ nsis-3.08/debian/patches/CVE-2023-37378_Don-t-delete-old-uninstaller.patch	2024-02-05 11:18:05.0 +0100
@@ -0,0 +1,32 @@
+Origin: upstream, https://github.com/kichik/nsis/commit/c40cf78994e74a1a3a381a850c996b251e3277c0.patch
+Bug: https://sf.net/p/nsis/bugs/1296
+Bug-Debian: https://bugs.debian.org/1040880
+
+From c40cf78994e74a1a3a381a850c996b251e3277c0 Mon Sep 17 00:00:00 2001
+From: Anders 
+Date: Sat, 3 Jun 2023 15:10:54 +
+Subject: [PATCH] Don't delete old uninstaller if it points somewhere else
+
+git-svn-id: https://svn.code.sf.net/p/nsis/code/NSIS/trunk@7394 212acab6-be3b-0410-9dea-997c60f758d6
+---
+ Source/exehead/Main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Source/exehead/Main.c b/Source/exehead/Main.c
+index 78ff558c6e..e39c631671 100644
+--- a/Source/exehead/Main.c
 b/Source/exehead/Main.c
+@@ -376,10 +376,10 @@ EXTERN_C void NSISWinMainNOCRT()
+ 
+ if (ec)
+ {
+-  // Delete previous uninstaller
+-  if (DeleteFile(unexe))
++  // Delete previous uninstaller (if it is safe to do so)
++  if (!(GetFileAttributes(unexe) & FILE_ATTRIBUTE_REPARSE_POINT) && DeleteFile(unexe))
+   {
+-myDelete(state_temp_dir, DEL_DIR|DEL_RECURSE);
++myDelete(state_temp_dir, DEL_DIR);
+ if 
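Review bot: The new condition in front of `DeleteFile(unexe)` depends on `GetFileAttributes` failing closed without saying so: on error it returns INVALID_FILE_ATTRIBUTES (all bits set), so the `& FILE_ATTRIBUTE_REPARSE_POINT` test is true and the delete is skipped. That is the safe outcome, but it deserves a comment or an explicit comparison against INVALID_FILE_ATTRIBUTES. The attribute query and the delete are also two separate calls on the same path, so the patch description should state what prevents the path from changing between them.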

Re: Bug#1028451: 2nd DisplayPort doesn't get video

2023-01-17 Thread Didier 'OdyX' Raboud
Hello Salvatore,

17 January 2023 07:14 "Salvatore Bonaccorso" wrote:
> I will bite the bullet (taking full responsibility for it if
> necessary, don't blame the other kernel team members) and ask here now
> the release team: Can we let linux 6.1.4-1 despite the RC bug
> reported, migrate to testing, so we can move on to 6.1.y? Let's keep
> the bug as RC severity. I'm currently working on uploading as well
> 6.1.6 or 6.1.7 (depending on the timing) further after that to
> unstable. Unfortunately there is still not a solution to address
> #1028451 but will contain other important fixes (including security
> ones).
> 
> Thank you for considering it,
> 
> Odyx, I feel sorry, this will knowingly impact you and others!

No problem; such is the life on the unstable/testing edge.

I'll keep a 6.0.0-6 kernel around, and will keep testing the most
recent kernels; as well as report back if these help.

Best,

OdyX



Re: Bug#1028451: 2nd DisplayPort doesn't get video

2023-01-16 Thread Didier 'OdyX' Raboud
Hello there,

I finally managed to test

https://github.com/archlinux/linux/commit/7c4fed4d2afd27d7acb8835f8e79f49c99c03cdf.patch

(which is a revert of 4d07b0bc403403438d9cf88450506240c5faf92f)

… on top of 6.1.4-1.

I can confirm (without looking into any code-related details), that the two
of my DisplayPort-connected screens light up and work correctly.

(The "first" external screen is connected with a DisplayPort-DVI converter; that
one always worked; the "second" is connected directly via DisplayPort, which
didn't work on unpatched 6.1.4)


14 January 2023 17:52 "Diederik de Haas" wrote:
> On Saturday, 14 January 2023 16:30:05 CET Salvatore Bonaccorso wrote:
>> On Thu, Jan 12, 2023 at 02:51:05PM +0100, Diederik de Haas wrote:
>> On Thursday, 12 January 2023 12:03:24 CET Sjoerd Simons wrote:
>>> Fwiw there is a general regression with AMDGPU MST on linux 6.1; tracked
>>> 
>>> upstream here:
>>> https://gitlab.freedesktop.org/drm/amd/-/issues/2171
>> 
>> Thanks! About an hour ago the suggested fix was to revert commit
>> 4d07b0bc403403438d9cf88450506240c5faf92f part of v6.1-rc1
>> 
>> https://kernel-team.pages.debian.net/kernel-handbook/ch-common-tasks.html#
>> s4.2.2 describes a procedure to build a kernel with the proposed patch
>> (attached).
>> 
>> OdyX: Can you try to see whether that resolves the issue?
>> 
>> Should we keep 6.1.y based kernel out of testing until this is clear?
>> As we aim though to have 6.1.y into bookworm I would see it as more
>> preferable to get 6.1.4 in for testing, we will need to followup as
>> well soonish with another iteration for e.g. for fixing
>> CVE-2023-0266.
> 
> As CVE-2023-0266 is fixed in 6.1.6, I'd suggest to upload that now, which I
> believe is ready to be uploaded already.
> That should keep 6.1.y out of testing for a few more days.
> 
>> Now if it turns out that this is the same issue as the referenced
>> upstream, reverting I think we only should really revert the commit if
>> that's queued up for 6.1. There is currently some further discussion
>> on
>> https://lore.kernel.org/stable/dcf0612f-7d40-d607-e9aa-94599594e...@amd.com
>> /T/#m38bdafb9c6c64b167ec94ac1bd131f1d2db66e40
>> 
>> Given the size of the revert, there is as well a chance to re-break
>> other parts. So preferring to closely follow upstream here, whatever
>> the decision will be.
> 
> Agreed.
> 
> I asked 'OdyX' to test the revert to make sure it would indeed fix *this*
> issue, IOW what I consider standard bug triaging.
> 
> But even Daniel Vetter has SERIOUS 'issues' with the revert, next to the other
> people who weren't happy about it. So *I* wouldn't suggest applying it to
> Debian (although I don't think my opinion should have much weight).
> 
> As for letting this bug _continue_ to prevent a migration, ie keep the RC
> status, I'm against it and for downgrading it to 'important'.
> You could opt to add a NEWS item to warn people about this potential issue.
> 
> But the original report is about the *2nd* DisplayPort being 'broken'.
> 
> On Saturday 14 January 2023 17:04:52 CET you wrote:
> 
>> Basically this issue breaks all usage of Displayport MST on amdgpu systems.
>> Which roughly translates to breaking external monitors for everyone using
>> an USB-C docks with multiple display outputs (which is pretty common these
>> days) on AMD laptops. As well as those like myself who daisy-chain display
>> port monitors with an amdgpu using graphics card.
> 
> I understand that would be annoying for you, but I don't think that it would
> affect the majority of our users.

Hrm. More and more laptops come with usb-c only, and dongles/docks become more
and more common.

It's clearly a serious regression, as such setups "just worked" with 6.0.

Best,

OdyX



Bug#989161: [pre-approval] unblock: cups/2.3.3op2-3+deb11u1

2021-05-29 Thread Didier 'OdyX' Raboud
Control: tags -1 -moreinfo

On Friday, 28 May 2021, 23.21:56 h CEST, Sebastian Ramacher wrote:
> On 2021-05-27 09:03:49 +0200, Didier 'OdyX' Raboud wrote:
> > unblock cups/2.3.3op2-3+deb11u1
> 
> ACK, please remove the moreinfo tag once the new version is available in
> unstable.

Got the "Accepted cups 2.3.3op2-3+deb11u1 (source) into unstable" email, 
removing the tag.

Thanks for your work!

-- 
OdyX



Bug#989161: [pre-approval] unblock: cups/2.3.3op2-3+deb11u1

2021-05-27 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: c...@packages.debian.org

Please approve the following update for src:cups

[ Reason ]
Mikko Rapeli reported a USB printing regression in #989073, which, luckily
enough, was already reported and fixed upstream. It matters for Bullseye's
quality to ensure smooth USB printing.

[ Impact ]
Failure to print without comprehensible error messages nor configurable ways
to fix USB printing.

[ Tests ]
There are none, but as you'll see, these patches merely extend timeouts; also,
they have been reviewed and merged upstream, by the long-term upstream author,
Michael Sweet.

[ Risks ]
Given the trivialness of the patches as well as the extended review, I
consider the risks to be negligible.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
I'm also attaching the "direct" patches, as my use of git debrebase produces a
noisy debdiff. I have also picked the 2.3.3op2-3+deb11u1 version, as
2.3.3op2-4 was already uploaded in experimental; please advise if a change is
needed.

Many thanks for your work!

unblock cups/2.3.3op2-3+deb11u1
From: Zdenek Dohnal 
Date: Tue, 13 Apr 2021 15:44:14 +0200
Subject: backend/usb-libusb.c: Use 60s timeout for reading at backchannel

Some older models malfunction if timeout is too short.

Origin: upstream, https://github.com/OpenPrinting/cups/pull/174
Bug: https://github.com/OpenPrinting/cups/issues/160
Bug-Debian: https://bugs.debian.org/989073
---
 backend/usb-libusb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/usb-libusb.c b/backend/usb-libusb.c
index d6b0eb4..fbb0d9d 100644
--- a/backend/usb-libusb.c
+++ b/backend/usb-libusb.c
@@ -1704,7 +1704,7 @@ static void *read_thread(void *reference)
 readstatus = libusb_bulk_transfer(g.printer->handle,
  g.printer->read_endp,
  readbuffer, rbytes,
- , 250);
+ , 6);
 if (readstatus == LIBUSB_SUCCESS && rbytes > 0)
 {
   fprintf(stderr, "DEBUG: Read %d bytes of back-channel data...\n", 
(int)rbytes);
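Review bot: The timeout argument of the `libusb_bulk_transfer` call is a bare literal on both the removed and the added line; a named constant that carries the unit (the subject says 60s, the argument is in milliseconds) would make the value checkable at the call site. Since the call can now block for the whole timeout when the printer sends nothing, the description should also say how the read thread is expected to behave at shutdown.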
From: Zdenek Dohnal 
Date: Tue, 13 Apr 2021 15:47:37 +0200
Subject: backend/usb-libusb.c: Revert enforcing read limits

This commit reverts the change introduced by 2.2.12 [1] - its
implementation caused a regression with Lexmark filters.

[1] 
https://github.com/apple/cups/commit/35e927f83529cd9b4bc37bcd418c50e307fced35

Origin: upstream, https://github.com/OpenPrinting/cups/pull/174
Bug: https://github.com/OpenPrinting/cups/issues/72
---
 backend/usb-libusb.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/backend/usb-libusb.c b/backend/usb-libusb.c
index fbb0d9d..89b5182 100644
--- a/backend/usb-libusb.c
+++ b/backend/usb-libusb.c
@@ -1721,7 +1721,8 @@ static void *read_thread(void *reference)
 * Make sure this loop executes no more than once every 250 miliseconds...
 */
 
-if ((g.wait_eof || !g.read_thread_stop))
+if ((readstatus != LIBUSB_SUCCESS || rbytes == 0) &&
+(g.wait_eof || !g.read_thread_stop))
   usleep(25);
   }
   while (g.wait_eof || !g.read_thread_stop);
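Review bot: The comment kept as context above the changed condition still says the loop executes no more than once every 250 milliseconds, but with the added `readstatus != LIBUSB_SUCCESS || rbytes == 0` test the `usleep` is skipped whenever a read returned data, so the loop can run faster than that. Update the comment to say the delay applies only to failed or empty reads.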
diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog
--- cups-2.3.3op2/debian/changelog  2021-02-12 14:09:29.0 +0100
+++ cups-2.3.3op2/debian/changelog  2021-05-27 08:49:36.0 +0200
@@ -1,3 +1,12 @@
+cups (2.3.3op2-3+deb11u1) unstable; urgency=medium
+
+  * Backport 2 upstream USB backend fixes:
+- Revert enforcing read limits (caused a regression with Lexmark filters)
+- Use 60s timeout (instead of 250ms) for reading at backchannel, as some
+  older models malfunction if timeout is too short (Closes: #989073)
+
+ -- Didier Raboud   Thu, 27 May 2021 08:49:36 +0200
+
 cups (2.3.3op2-3) unstable; urgency=medium
 
   [ Helge Kreutzmann ]
diff -Nru 
cups-2.3.3op2/debian/patches/0001-backend-usb-libusb.c-Use-60s-timeout-for-reading-at-.patch
 
cups-2.3.3op2/debian/patches/0001-backend-usb-libusb.c-Use-60s-timeout-for-reading-at-.patch
--- 
cups-2.3.3op2/debian/patches/0001-backend-usb-libusb.c-Use-60s-timeout-for-reading-at-.patch
1970-01-01 01:00:00.0 +0100
+++ 
cups-2.3.3op2/debian/patches/0001-backend-usb-libusb.c-Use-60s-timeout-for-reading-at-.patch
2021-05-27 08:49:36.0 +0200
@@ -0,0 +1,26 @@
+From: Zdenek Dohnal 
+Date: Tue, 13 Apr 2021 15:44:14 +0200
+Subject: backend/usb-libusb.c: Use 60s timeout for reading at backchannel
+
+Some older models malfunction if timeout is too short.
+
+Origin: upstream, https://github.com/OpenPrinting/cups/pull/174
+Bug: https://github.com/OpenPrinting/cups/issues/160
+Bug-Debian: https://bugs.debian.org/989073
+---
+ backend/usb-libusb.c | 2 +-
+ 1 file changed, 1 

Bug#987493: unblock: gutenprint/5.3.3-5

2021-04-25 Thread Didier 'OdyX' Raboud
Control: tags -1 -moreinfo

On Sunday, 25 April 2021, 11.37:23 h CEST, Graham Inggs wrote:
> On Sat, 24 Apr 2021 at 17:48, Didier 'OdyX' Raboud  wrote:
> > This is a pre-approval request for package gutenprint.
> 
> Please go ahead and upload, and remove the moreinfo tag once the new
> version is available in unstable.

Hello Graham,

Thanks for your prompt ack and your work as release team member!

Uploaded, and built already for most archs.

-- 
OdyX



Bug#987493: unblock: gutenprint/5.3.3-5

2021-04-24 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: gutenpr...@packages.debian.org

This is a pre-approval request for package gutenprint.

[ Reason ]
It was reported on #987457 that the gutenprint-locales packages contained no…
locales. This has apparently slipped through almost a full release cycle.

Anyway. I'd like to fix this in unstable, by building and installing the .mo
files.

[ Impact ]
No translations for gutenprint.

[ Tests ]
The patch I propose adds a non-regression test in dh_install.

[ Risks ]
I can't think of any, besides taking more disk-space for potentially unused
translations.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock gutenprint/5.3.3-5
diff -Nru gutenprint-5.3.3/debian/changelog gutenprint-5.3.3/debian/changelog
--- gutenprint-5.3.3/debian/changelog   2020-02-17 08:36:42.0 +0100
+++ gutenprint-5.3.3/debian/changelog   2021-04-24 17:37:27.0 +0200
@@ -1,3 +1,9 @@
+gutenprint (5.3.3-5) unstable; urgency=medium
+
+  * Build and install translations in gettext-locales (Closes: #987457)
+
+ -- Didier Raboud   Sat, 24 Apr 2021 17:37:27 +0200
+
 gutenprint (5.3.3-4) unstable; urgency=medium
 
   * Backport upstream patch:
diff -Nru gutenprint-5.3.3/debian/rules gutenprint-5.3.3/debian/rules
--- gutenprint-5.3.3/debian/rules   2020-02-17 08:36:42.0 +0100
+++ gutenprint-5.3.3/debian/rules   2021-04-24 17:37:27.0 +0200
@@ -26,9 +26,15 @@
  $(MAINTAINER_MODE) \
  --enable-nls
 
+execute_after_dh_auto_build-indep:
+   # Build the gettext translations (#987457)
+   cd po && make update-gmo
+
 override_dh_install-indep:
dh_install -i
rm -f debian/gutenprint-locales/usr/share/locale/*/*.po
+   # Make sure at least some locales are installed (#987457)
+   test -n "$$(find debian/gutenprint-locales/usr/share/locale -name 
gutenprint.mo)"
 
 override_dh_installdocs:
dh_installdocs -pescputil --link-doc=libgutenprint9
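Review bot: The new `execute_after_dh_auto_build-indep` recipe invokes `make` directly (`cd po && make update-gmo`); in debian/rules use `$(MAKE) -C po update-gmo` so the parent's jobserver and make flags are passed down. The `test -n "$$(find ...)"` guard in `override_dh_install-indep` proves only that at least one gutenprint.mo is installed, which matches its comment; say so in the changelog if that is the intended scope of the regression test.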


Bug#986532: unblock: ipp-usb/0.9.17-3

2021-04-07 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ipp-...@packages.debian.org

Please unblock package ipp-usb

[ Reason ]
It adds a NEWS.Debian useful for upgrades' understanding (see #978561)

[ Impact ]
If not unblocked, we expect more support (via bugs) to explain how ipp-usb
and other usb-holding drivers will interact.

[ Other info ]
ipp-usb/0.9.17-3 was uploaded on March 5, in Soft freeze, but was "forgotten",
and/or had running autopkgtests. Anyway, here we are and it should be
unblocked.

Thanks in advance!

unblock ipp-usb/0.9.17-3
diff -Nru ipp-usb-0.9.17/debian/changelog ipp-usb-0.9.17/debian/changelog
--- ipp-usb-0.9.17/debian/changelog 2021-02-21 18:02:51.0 +0100
+++ ipp-usb-0.9.17/debian/changelog 2021-03-05 16:40:13.0 +0100
@@ -1,3 +1,9 @@
+ipp-usb (0.9.17-3) unstable; urgency=medium
+
+  * Add a NEWS entry to clarify ipp-usb's purpose (Closes: #978561)
+
+ -- Brian Potkin   Fri, 05 Mar 2021 16:40:13 +0100
+
 ipp-usb (0.9.17-2) unstable; urgency=medium
 
   * Let ipp-usb be Multi-Arch: foreign (Closes: #980217)
diff -Nru ipp-usb-0.9.17/debian/NEWS ipp-usb-0.9.17/debian/NEWS
--- ipp-usb-0.9.17/debian/NEWS  1970-01-01 01:00:00.0 +0100
+++ ipp-usb-0.9.17/debian/NEWS  2021-03-05 16:40:13.0 +0100
@@ -0,0 +1,14 @@
+ipp-usb (0.9.17-3) unstable; urgency=medium
+
+  ipp-usb uses the IPP-over-USB protocol to allow the setting up of a
+  driverless print queue for most USB connected modern multi-function
+  and a few modern USB-only devices. The default is to auto-setup the
+  queue with cups-browsed.
+
+  Existing or newly created queues on a USB connection for IPP-over-USB
+  capable devices using vendor drivers will not work while the ipp-usb
+  service is activated and managing the connection. Details are at
+
+  https://wiki.debian.org/CUPSDriverlessPrinting
+
+ -- Brian Potkin   Fri, 05 Mar 2021 16:40:13 +0100
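Review bot: The second paragraph of the new NEWS entry says queues using vendor drivers will not work while the ipp-usb service is active, but leaves the remedy entirely to the wiki link. NEWS is often read offline during an upgrade, so add one sentence naming what the administrator should do to keep using a vendor driver.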


Bug#982838: RoM: win32-loader must not migrate automatically

2021-02-14 Thread Didier 'OdyX' Raboud
Source: win32-loader
Version: 0.10.5
Severity: serious
X-Debbugs-Cc: debian-b...@lists.debian.org, debian-release@lists.debian.org

win32-loader is one of the rare packages always blocked, because it has a
'byhand' counterpart per release: `/debian/tools/win32-loader/{release}`, and
therefore needs a manual action by FTP masters in sync ("around the time of")
with the unblock.

This bug exists to manually block any src:win32-loader migration without a
manual sync from FTP masters.

It'll be updated to be marked "found" in the latest version, and "notfound"
in any version allowed to migrate.

Best, for the win32-loader maintainers,
  OdyX



Bug#982606: unblock: win32-loader/0.10.4

2021-02-12 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-b...@lists.debian.org

Please unblock package win32-loader in its 0.10.4 version

[ Reason ]
win32-loader is one of the rare packages always blocked, because it has a
'byhand' counterpart per release: `/debian/tools/win32-loader/{release}`, and
therefore needs a manual action by FTP masters in sync ("around the time of")
with the unblock.

[ Impact ]
It's been since 0.10.1 (September 2020) that it hasn't been migrated, and I (as
co-maintainer), want the 0.10.4 changes in for Bullseye.

[ Tests ]
There are no significant error reports for the version in unstable, I deem
this version as really safe to migrate. If it were a normal package, it would
have migrated for every version.

Please CC ftpmas...@debian.org when granting this unblock, for them to proceed
with their magic.

Best regards, and thanks for your work,
OdyX

unblock win32-loader/0.10.4

P.S. Yes. That's an almost verbatim copy of #967048


Bug#976018: buster-pu: package cups/2.2.10-6+deb10u4

2020-11-28 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-print...@lists.debian.org

#961345 affects Debian stable for certain printers/conditions; it's a daemon
crash with "invalid free()". As far as I could tell, it's likely a regression,
but due to causes external to CUPS.

This is the proposed changelog entry:
cups (2.2.10-6+deb10u4) buster; urgency=medium

  * Backport upstream fix:
- backend,scheduler/ipp.c: Fix 'printer-alert' invalid free
  (Closes: #961345)

 -- Didier Raboud   Sat, 28 Nov 2020 12:09:48 +0100

The only backported patch is from https://github.com/OpenPrinting/cups/pull/43,
which got merged upstream. Full debdiff attached.

Could I upload?

Cheers,

OdyX
diff -Nru cups-2.2.10/debian/changelog cups-2.2.10/debian/changelog
--- cups-2.2.10/debian/changelog2020-04-25 16:27:21.0 +0200
+++ cups-2.2.10/debian/changelog2020-11-28 12:09:48.0 +0100
@@ -1,3 +1,11 @@
+cups (2.2.10-6+deb10u4) buster; urgency=medium
+
+  * Backport upstream fix:
+- backend,scheduler/ipp.c: Fix 'printer-alert' invalid free
+  (Closes: #961345)
+
+ -- Didier Raboud   Sat, 28 Nov 2020 12:09:48 +0100
+
 cups (2.2.10-6+deb10u3) buster; urgency=medium
 
   * Backport upstream security fixes:
diff -Nru cups-2.2.10/debian/.git-dpm cups-2.2.10/debian/.git-dpm
--- cups-2.2.10/debian/.git-dpm 2020-04-25 16:27:21.0 +0200
+++ cups-2.2.10/debian/.git-dpm 2020-11-28 11:47:32.0 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-f1b7b7e074291c85366a60f7a197dea19e62c9cf
-f1b7b7e074291c85366a60f7a197dea19e62c9cf
+e512765460ec633ad43872436b243021f252a69a
+e512765460ec633ad43872436b243021f252a69a
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 cups_2.2.10.orig.tar.gz
diff -Nru 
cups-2.2.10/debian/patches/0052-backend-scheduler-ipp.c-Fix-printer-alert-invalid-fr.patch
 
cups-2.2.10/debian/patches/0052-backend-scheduler-ipp.c-Fix-printer-alert-invalid-fr.patch
--- 
cups-2.2.10/debian/patches/0052-backend-scheduler-ipp.c-Fix-printer-alert-invalid-fr.patch
  1970-01-01 01:00:00.0 +0100
+++ 
cups-2.2.10/debian/patches/0052-backend-scheduler-ipp.c-Fix-printer-alert-invalid-fr.patch
  2020-11-28 11:47:32.0 +0100
@@ -0,0 +1,46 @@
+From e512765460ec633ad43872436b243021f252a69a Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal 
+Date: Mon, 9 Nov 2020 07:40:20 +0100
+Subject: backend,scheduler/ipp.c: Fix 'printer-alert' invalid free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The fix is created by Bernhard Übelacker from apple/cups #5826.
+
+Bug-Upstream: https://github.com/OpenPrinting/apple/pull/5826
+Bug-Upstream: https://github.com/OpenPrinting/cups/pull/43
+Bug-Debian: https://bugs.debian.org/961345
+---
+ backend/ipp.c   | 2 +-
+ scheduler/ipp.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/backend/ipp.c b/backend/ipp.c
+index bc678f50a..3b65ea3af 100644
+--- a/backend/ipp.c
 b/backend/ipp.c
+@@ -3056,7 +3056,7 @@ report_printer_state(ipp_t *ipp) /* I - IPP response */
+   * Report alerts and messages...
+   */
+ 
+-  if ((pa = ippFindAttribute(ipp, "printer-alert", IPP_TAG_TEXT)) != NULL)
++  if ((pa = ippFindAttribute(ipp, "printer-alert", IPP_TAG_STRING)) != NULL)
+ report_attr(pa);
+ 
+   if ((pam = ippFindAttribute(ipp, "printer-alert-message",
+diff --git a/scheduler/ipp.c b/scheduler/ipp.c
+index 9be8a7f3b..cb12d49c4 100644
+--- a/scheduler/ipp.c
 b/scheduler/ipp.c
+@@ -4908,8 +4908,8 @@ copy_printer_attrs(
+   }
+ 
+   if (printer->alert && (!ra || cupsArrayFind(ra, "printer-alert")))
+-ippAddString(con->response, IPP_TAG_PRINTER, IPP_TAG_STRING,
+- "printer-alert", NULL, printer->alert);
++ippAddOctetString(con->response, IPP_TAG_PRINTER,
++ "printer-alert", printer->alert, 
(int)strlen(printer->alert));
+ 
+   if (printer->alert_description &&
+   (!ra || cupsArrayFind(ra, "printer-alert-description")))
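Review bot: The first Bug-Upstream field in the patch header (`https://github.com/OpenPrinting/apple/pull/5826`) does not match the description, which cites apple/cups #5826; correct the URL so the reference resolves. The header also gives no reason why `printer-alert` needs `ippAddOctetString` in scheduler/ipp.c and an `IPP_TAG_STRING` lookup in backend/ipp.c; one sentence on the cause of the invalid free would help a stable-release reviewer judge the two call-site changes.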
diff -Nru cups-2.2.10/debian/patches/series cups-2.2.10/debian/patches/series
--- cups-2.2.10/debian/patches/series   2020-04-25 16:27:21.0 +0200
+++ cups-2.2.10/debian/patches/series   2020-11-28 11:47:32.0 +0100
@@ -49,3 +49,4 @@
 0049-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch
 0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
 0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
+0052-backend-scheduler-ipp.c-Fix-printer-alert-invalid-fr.patch


Bug#967048: unblock: win32-loader/0.10.1

2020-08-03 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-b...@lists.debian.org

Please unblock package win32-loader in its 0.10.1 version

[ Reason ]
win32-loader is one of the rare packages always blocked, because it has a
'byhand' counterpart per release: `/debian/tools/win32-loader/{release}`, and
therefore needs a manual action by FTP masters in sync ("around the time of")
with the unblock.

[ Impact ]
It's been since 0.9.5 (March 2019) that it hasn't been migrated, and I (as
co-maintainer), want the 0.10* changes in for Bullseye.

[ Tests ]
There are no significant error reports for the version in unstable, I deem
this version as really safe to migrate. If it were a normal package, it would
have migrated for every version.

Please CC ftpmas...@debian.org when granting this unblock, for them to proceed
with their magic.

Best regards, and thanks for your work,
OdyX

unblock win32-loader/0.10.1



Bug#958953: stretch-pu: package cups/2.2.1-8+deb9u6

2020-06-16 Thread Didier 'OdyX' Raboud
15 June 2020 21:43 "Adam D. Barratt" wrote:
> On Mon, 2020-04-27 at 09:03 +0200, Didier 'OdyX' Raboud wrote:
>> CVE-2020-3898 and CVE-2019-8842 got fixed in unstable and pending for
>> stable (#958814), after coordinated disclosure.
>> 
>> I'd like to fix these in an oldstable upload too:
>> 
>> cups (2.2.1-8+deb9u6) stretch; urgency=medium
>> 
>> * Backport upstream security fixes:
>> - CVE-2020-3898: heap-buffer-overflow in libcups’s
>> ppdFindOption()
>> function in ppd-mark.c
>> - CVE-2019-8842: The `ippReadIO` function may under-read an
>> extension
>> field
> 
> Please go ahead; sorry for the delay.

NP; uploaded.

Thanks for your time,

OdyX



Bug#958953: stretch-pu: package cups/2.2.1-8+deb9u6

2020-04-27 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

CVE-2020-3898 and CVE-2019-8842 got fixed in unstable and pending for stable
(#958814), after coordinated disclosure.

I'd like to fix these in an oldstable upload too:

cups (2.2.1-8+deb9u6) stretch; urgency=medium

  * Backport upstream security fixes:
- CVE-2020-3898: heap-buffer-overflow in libcups’s ppdFindOption()
  function in ppd-mark.c
- CVE-2019-8842: The `ippReadIO` function may under-read an extension
  field

 -- Didier Raboud   Mon, 27 Apr 2020 08:50:13 +0200

Debdiff and direct patches attached.

Regards,

OdyX

-- System Information:
Debian Release: bullseye/sid
  APT prefers buildd-unstable
  APT policy: (990, 'buildd-unstable'), (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (100, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog
--- cups-2.2.1/debian/changelog 2020-01-19 09:53:03.0 +0100
+++ cups-2.2.1/debian/changelog 2020-04-27 08:50:13.0 +0200
@@ -1,3 +1,13 @@
+cups (2.2.1-8+deb9u6) stretch; urgency=medium
+
+  * Backport upstream security fixes:
+- CVE-2020-3898: heap-buffer-overflow in libcups’s ppdFindOption()
+  function in ppd-mark.c
+- CVE-2019-8842: The `ippReadIO` function may under-read an extension
+  field
+
+ -- Didier Raboud   Mon, 27 Apr 2020 08:50:13 +0200
+
 cups (2.2.1-8+deb9u5) stretch; urgency=medium
 
   * Backport upstream security fix:
diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm
--- cups-2.2.1/debian/.git-dpm  2020-01-19 09:53:03.0 +0100
+++ cups-2.2.1/debian/.git-dpm  2020-04-27 08:49:57.0 +0200
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-44f7d84856de97443c6785cd9ab9c6915224b7a2
-44f7d84856de97443c6785cd9ab9c6915224b7a2
+70cf04f3bfe8b7387f3c45c27cf7b48fb7959614
+70cf04f3bfe8b7387f3c45c27cf7b48fb7959614
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 cups_2.2.1.orig.tar.gz
diff -Nru 
cups-2.2.1/debian/patches/0056-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
 
cups-2.2.1/debian/patches/0056-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
--- 
cups-2.2.1/debian/patches/0056-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
   1970-01-01 01:00:00.0 +0100
+++ 
cups-2.2.1/debian/patches/0056-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
   2020-04-27 08:49:57.0 +0200
@@ -0,0 +1,56 @@
+From 8d851ace388e2f272770ec4dec361b2ae7007ea4 Mon Sep 17 00:00:00 2001
+From: Stephan Zeisberg 
+Date: Fri, 10 Apr 2020 17:14:34 +0200
+Subject: =?UTF-8?q?CVE-2020-3898=20-=20heap-buffer-overflow=20in=20libcups?=
+ =?UTF-8?q?=E2=80=99s=20ppdFindOption()=20function=20in=20ppd-mark.c?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ cups/ppd.c   |  3 +--
+ ppdc/ppdc-source.cxx | 14 --
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/cups/ppd.c b/cups/ppd.c
+index 44a22c5cb..b806b22a5 100644
+--- a/cups/ppd.c
 b/cups/ppd.c
+@@ -1737,8 +1737,7 @@ _ppdOpen(
+  constraint->choice1, constraint->option2,
+constraint->choice2))
+   {
+-case 0 : /* Error */
+-  case 1 : /* Error */
++default : /* Error */
+   pg->ppd_status = PPD_BAD_UI_CONSTRAINTS;
+   goto error;
+ 
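Review bot: the commit message has no body, and its subject places the overflow in ppdFindOption() in ppd-mark.c while the diffstat touches only cups/ppd.c and ppdc/ppdc-source.cxx. Add a sentence saying why turning `case 0`/`case 1` into `default` in _ppdOpen() closes that overflow, presumably because a return value outside the listed cases used to skip the PPD_BAD_UI_CONSTRAINTS error path, so that a backporter can judge whether the hunk is complete.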
+diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx
+index 27f5c342d..47bce26c3 100644
+--- a/ppdc/ppdc-source.cxx
 b/ppdc/ppdc-source.cxx
+@@ -1746,15 +1746,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to 
read
+ 
+   switch (sscanf(name, "%dx%d", , ))
+   {
+-case 0 :
+-_cupsLangPrintf(stderr,
+-  _("ppdc: Bad resolution name \"%s\" on line %d of "
+-"%s."), name, fp->line, fp->filename);
+-break;
+ case 1 :
+ ydpi = xdpi;
+   break;
+-  }
++case 2 :
++break;
++default :
++_cupsLangPrintf(stderr,
++  _("ppdc: Bad resolution name \"%s\" on line %d of "
++"%s."), name, fp->line, fp->filename);
++break;
++}
+ 
+   // Create the necessary PS commands...
+   snprintf(command, sizeof(command),
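Review bot: in the new `default` branch the error is printed and then `break` falls through to the snprintf() that builds the PS command, so a bad resolution name is reported but still processed. If xdpi and ydpi are not given safe values before the switch (not visible in this hunk), return early from the `default` branch or set both explicitly there.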
diff -Nru 
cups-2.2.1/debian/patches/0057-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
 
cups-2.2.1/debian/patches/0057-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
--- 

Bug#958814: buster-pu: package cups/2.2.10-6+deb10u3

2020-04-26 Thread Didier 'OdyX' Raboud
On Saturday, 25 April 2020, 18.48:34 h CEST Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2020-04-25 at 16:33 +0200, Didier 'OdyX' Raboud wrote:
> > CVE-2020-3898 and CVE-2019-8842 got fixed in unstable, after
> > coordinated disclosure.
> 
> Please go ahead.

Uploaded, thanks for the quick ACK.

Should I file a similar request for oldstable?

Cheers,
OdyX



Bug#958814: buster-pu: package cups/2.2.10-6+deb10u3

2020-04-25 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

CVE-2020-3898 and CVE-2019-8842 got fixed in unstable, after coordinated
disclosure.

I'd like to fix these in a stable upload too.

cups (2.2.10-6+deb10u3) buster; urgency=medium

  * Backport upstream security fixes:
- CVE-2020-3898: heap-buffer-overflow in libcups’s ppdFindOption()
  function in ppd-mark.c
- CVE-2019-8842: The `ippReadIO` function may under-read an extension
  field

 -- Didier Raboud   Sat, 25 Apr 2020 16:27:21 +0200

Debdiff and direct patches attached.

Regards,

OdyX


-- System Information:
Debian Release: bullseye/sid
  APT prefers buildd-unstable
  APT policy: (990, 'buildd-unstable'), (500, 'unstable-debug'), (500, 
'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (100, 
'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru cups-2.2.10/debian/changelog cups-2.2.10/debian/changelog
--- cups-2.2.10/debian/changelog2020-01-19 09:36:31.0 +0100
+++ cups-2.2.10/debian/changelog2020-04-25 16:27:21.0 +0200
@@ -1,3 +1,13 @@
+cups (2.2.10-6+deb10u3) buster; urgency=medium
+
+  * Backport upstream security fixes:
+- CVE-2020-3898: heap-buffer-overflow in libcups’s ppdFindOption()
+  function in ppd-mark.c
+- CVE-2019-8842: The `ippReadIO` function may under-read an extension
+  field
+
+ -- Didier Raboud   Sat, 25 Apr 2020 16:27:21 +0200
+
 cups (2.2.10-6+deb10u2) buster; urgency=medium
 
   * Backport upstream security fixes:
diff -Nru cups-2.2.10/debian/.git-dpm cups-2.2.10/debian/.git-dpm
--- cups-2.2.10/debian/.git-dpm 2020-01-19 09:36:31.0 +0100
+++ cups-2.2.10/debian/.git-dpm 2020-04-25 16:25:37.0 +0200
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-1b21a83376cee1f213faf7f4b4d89dd766c28975
-1b21a83376cee1f213faf7f4b4d89dd766c28975
+f1b7b7e074291c85366a60f7a197dea19e62c9cf
+f1b7b7e074291c85366a60f7a197dea19e62c9cf
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 cups_2.2.10.orig.tar.gz
diff -Nru 
cups-2.2.10/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
 
cups-2.2.10/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
--- 
cups-2.2.10/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
  1970-01-01 01:00:00.0 +0100
+++ 
cups-2.2.10/debian/patches/0050-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
  2020-04-25 16:25:37.0 +0200
@@ -0,0 +1,56 @@
+From 1668f3bdc68101d44d0d18c85ba3e6572b517ff4 Mon Sep 17 00:00:00 2001
+From: Stephan Zeisberg 
+Date: Fri, 10 Apr 2020 17:14:34 +0200
+Subject: =?UTF-8?q?CVE-2020-3898=20-=20heap-buffer-overflow=20in=20libcups?=
+ =?UTF-8?q?=E2=80=99s=20ppdFindOption()=20function=20in=20ppd-mark.c?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ cups/ppd.c   |  3 +--
+ ppdc/ppdc-source.cxx | 14 --
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/cups/ppd.c b/cups/ppd.c
+index b823d17b4..8d3eb8a3b 100644
+--- a/cups/ppd.c
 b/cups/ppd.c
+@@ -1705,8 +1705,7 @@ _ppdOpen(
+  constraint->choice1, constraint->option2,
+constraint->choice2))
+   {
+-case 0 : /* Error */
+-  case 1 : /* Error */
++default : /* Error */
+   pg->ppd_status = PPD_BAD_UI_CONSTRAINTS;
+   goto error;
+ 
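Review bot: nothing in the 2-file diffstat adds a regression test for the new `default` label. A PPD fixture with a malformed constraint line that must yield PPD_BAD_UI_CONSTRAINTS would keep a later refactor from reintroducing the enumerated `case 0`/`case 1` form.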
+diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx
+index 5add81002..383f0183d 100644
+--- a/ppdc/ppdc-source.cxx
 b/ppdc/ppdc-source.cxx
+@@ -1746,15 +1746,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to 
read
+ 
+   switch (sscanf(name, "%dx%d", , ))
+   {
+-case 0 :
+-_cupsLangPrintf(stderr,
+-  _("ppdc: Bad resolution name \"%s\" on line %d of "
+-"%s."), name, fp->line, fp->filename);
+-break;
+ case 1 :
+ ydpi = xdpi;
+   break;
+-  }
++case 2 :
++break;
++default :
++_cupsLangPrintf(stderr,
++  _("ppdc: Bad resolution name \"%s\" on line %d of "
++"%s."), name, fp->line, fp->filename);
++break;
++}
+ 
+   // Create the necessary PS commands...
+   snprintf(command, sizeof(command),
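Review bot: `case 2 : break;` accepts whatever sscanf() parsed with "%dx%d", and sscanf() stops at the first character that does not match, so a name with trailing text after the second number still counts as valid and neither number is range-checked here. Consider verifying that the whole name was consumed (for example with a trailing `%n`) and rejecting non-positive values in the same switch.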
diff -Nru 
cups-2.2.10/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
 
cups-2.2.10/debian/patches/0051-CVE-2019-8842-The-ippReadIO-function-may-under-read-.patch
--- 

Bug#947834: stretch-pu: package cups/2.2.1-8+deb9u5

2020-01-19 Thread Didier 'OdyX' Raboud
On Saturday, 18 January 2020, 21.06:29 h CET Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2019-12-31 at 14:33 +0100, Didier 'OdyX' Raboud wrote:
> >   cups (2.2.1-8+deb9u5) stretch; urgency=medium
> >   
> > * Backport upstream security fixes:
> >   - Fix memory leak in ppdOpen (Closes: #946941)
> >   - CVE-2019-2228: The `ippSetValuetag` function did not validate the
> > default language value (Closes: #946782)
> 
> Please go ahead.

Uploaded too!

Cheers,
OdyX



Bug#947832: buster-pu: package cups/2.2.10-6+deb10u2

2020-01-19 Thread Didier 'OdyX' Raboud
On Saturday, 18 January 2020, 21.05:53 h CET Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2019-12-31 at 14:22 +0100, Didier 'OdyX' Raboud wrote:
> > CVE-2019-2228 affects stable's cups (see #946782); and I'd also like
> > to fix another memory leak (#946941).
> > 
> > My proposed changelog would be:
> >   cups (2.2.10-6+deb10u2) buster; urgency=medium
> 
> The attached debdiff, otoh, had
> 
> +cups (2.2.10-6+deb10u2) buster-security; urgency=high
> 
> Please feel free to go ahead, with the non-security version. :-)

Uploaded, thanks for the authorization!

Cheers,
OdyX



Bug#947834: stretch-pu: package cups/2.2.1-8+deb9u5

2019-12-31 Thread Didier 'OdyX' Raboud
On Tuesday, 31 December 2019, 14.33:54 h CET Didier 'OdyX' Raboud wrote:
> CVE-2019-2228 affects oldstable's cups (see #946782); and I'd also like to
> fix another memory leak (#946941). (See #947832 for the stable/buster pu)

It turns out I can't easily backport the fix for #946941; so here's a reduced 
proposal:

cups (2.2.1-8+deb9u5) stretch; urgency=medium

  * Backport upstream security fix:
- CVE-2019-2228: The `ippSetValuetag` function did not validate the
  default language value (Closes: #946782)

 -- Didier Raboud   Tue, 31 Dec 2019 17:02:30 +0100

debdiff attached.

Cheers,
OdyX
diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog
--- cups-2.2.1/debian/changelog	2019-08-21 09:51:54.0 +0200
+++ cups-2.2.1/debian/changelog	2019-12-31 17:02:30.0 +0100
@@ -1,3 +1,11 @@
+cups (2.2.1-8+deb9u5) stretch; urgency=medium
+
+  * Backport upstream security fix:
+- CVE-2019-2228: The `ippSetValuetag` function did not validate the
+  default language value (Closes: #946782)
+
+ -- Didier Raboud   Tue, 31 Dec 2019 17:02:30 +0100
+
 cups (2.2.1-8+deb9u4) stretch; urgency=low
 
   * Fix multiple security/disclosure issues (Closes: #934957)
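Review bot: the added entry spells the function `ippSetValuetag`, but the patch subject and the hunk header in cups/ipp.c use `ippSetValueTag`. Fix the capitalisation so that a search of the changelog for the function name finds this entry.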
diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm
--- cups-2.2.1/debian/.git-dpm	2019-08-21 09:51:54.0 +0200
+++ cups-2.2.1/debian/.git-dpm	2019-12-31 17:02:18.0 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-8d6c8479d69d091ee83bbf7e10249f98cdaefa99
-8d6c8479d69d091ee83bbf7e10249f98cdaefa99
+44f7d84856de97443c6785cd9ab9c6915224b7a2
+44f7d84856de97443c6785cd9ab9c6915224b7a2
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 cups_2.2.1.orig.tar.gz
diff -Nru cups-2.2.1/debian/patches/0055-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch cups-2.2.1/debian/patches/0055-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch
--- cups-2.2.1/debian/patches/0055-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch	1970-01-01 01:00:00.0 +0100
+++ cups-2.2.1/debian/patches/0055-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch	2019-12-31 17:02:18.0 +0100
@@ -0,0 +1,23 @@
+From 44f7d84856de97443c6785cd9ab9c6915224b7a2 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet 
+Date: Fri, 13 Dec 2019 09:30:46 -0500
+Subject: CVE-2019-2228: Fix ippSetValueTag validation of default language
+
+Closes: #946782
+---
+ cups/ipp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 843b4d997..8840a1d09 100644
+--- a/cups/ipp.c
 b/cups/ipp.c
+@@ -4721,7 +4721,7 @@ ippSetValueTag(
+   return (0);
+ 
+ if (ipp->attrs && ipp->attrs->next && ipp->attrs->next->name &&
+-!strcmp(ipp->attrs->next->name, "attributes-natural-language"))
++!strcmp(ipp->attrs->next->name, "attributes-natural-language") && (ipp->attrs->next->value_tag & IPP_TAG_CUPS_MASK) == IPP_TAG_LANGUAGE)
+ {
+  /*
+   * Use the language code from the IPP message...
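Review bot: the new clause is appended to the end of the existing line, which makes the condition far longer than the lines around it; put `(ipp->attrs->next->value_tag & IPP_TAG_CUPS_MASK) == IPP_TAG_LANGUAGE` on its own continuation line. It sits after the NULL checks on `attrs` and `attrs->next`, so the dereference order is right.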
diff -Nru cups-2.2.1/debian/patches/series cups-2.2.1/debian/patches/series
--- cups-2.2.1/debian/patches/series	2019-08-21 09:51:54.0 +0200
+++ cups-2.2.1/debian/patches/series	2019-12-31 17:02:18.0 +0100
@@ -52,3 +52,4 @@
 0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
 0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
 0054-Fix-multiple-security-disclosure-issues.patch
+0055-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch




Bug#947834: stretch-pu: package cups/2.2.1-8+deb9u5

2019-12-31 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear Oldstable Release Team,

CVE-2019-2228 affects oldstable's cups (see #946782); and I'd also like to fix
another memory leak (#946941). (See #947832 for the stable/buster pu)

My proposed changelog would be:

  cups (2.2.1-8+deb9u5) stretch; urgency=medium
  
* Backport upstream security fixes:
  - Fix memory leak in ppdOpen (Closes: #946941)
  - CVE-2019-2228: The `ippSetValuetag` function did not validate the
default language value (Closes: #946782)
  
   -- Didier Raboud   Tue, 31 Dec 2019 14:25:30 +0100

… the proposed debdiff is attached.

Cheers,
OdyX
diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog
--- cups-2.2.1/debian/changelog 2019-08-21 09:51:54.0 +0200
+++ cups-2.2.1/debian/changelog 2019-12-31 14:25:30.0 +0100
@@ -1,3 +1,12 @@
+cups (2.2.1-8+deb9u5) stretch; urgency=medium
+
+  * Backport upstream security fixes:
+- Fix memory leak in ppdOpen (Closes: #946941)
+- CVE-2019-2228: The `ippSetValuetag` function did not validate the
+  default language value (Closes: #946782)
+
+ -- Didier Raboud   Tue, 31 Dec 2019 14:25:30 +0100
+
 cups (2.2.1-8+deb9u4) stretch; urgency=low
 
   * Fix multiple security/disclosure issues (Closes: #934957)
diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm
--- cups-2.2.1/debian/.git-dpm  2019-08-21 09:51:54.0 +0200
+++ cups-2.2.1/debian/.git-dpm  2019-12-31 14:25:08.0 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-8d6c8479d69d091ee83bbf7e10249f98cdaefa99
-8d6c8479d69d091ee83bbf7e10249f98cdaefa99
+c60d0154b20313af2bdec051ab5473320a6de1e8
+c60d0154b20313af2bdec051ab5473320a6de1e8
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 cups_2.2.1.orig.tar.gz
diff -Nru cups-2.2.1/debian/patches/0055-Fix-memory-leak-in-ppdOpen.patch 
cups-2.2.1/debian/patches/0055-Fix-memory-leak-in-ppdOpen.patch
--- cups-2.2.1/debian/patches/0055-Fix-memory-leak-in-ppdOpen.patch 
1970-01-01 01:00:00.0 +0100
+++ cups-2.2.1/debian/patches/0055-Fix-memory-leak-in-ppdOpen.patch 
2019-12-31 14:25:08.0 +0100
@@ -0,0 +1,32 @@
+From bf1d779750f63fd2519865ac5cd5656cbdd9e3e0 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet 
+Date: Thu, 1 Aug 2019 13:02:35 -0400
+Subject: Fix memory leak in ppdOpen
+
+Closes: #946941
+---
+ cups/ppd.c | 4 
+ 1 file changed, 4 insertions(+)
+
+diff --git a/cups/ppd.c b/cups/ppd.c
+index 44a22c5cb..42fff3509 100644
+--- a/cups/ppd.c
 b/cups/ppd.c
+@@ -719,6 +719,8 @@ _ppdOpen(
+  strncmp(ll, keyword, ll_len)))
+   {
+   DEBUG_printf(("2_ppdOpen: Ignoring localization: \"%s\"\n", keyword));
++  free(string);
++  string = NULL;
+   continue;
+   }
+   else if (localization == _PPD_LOCALIZATION_ICC_PROFILES)
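Review bot: the `free(string); string = NULL;` pair is added only before this `continue`; any other early exit taken after `string` is allocated needs the same release, which this hunk cannot show. Releasing `string` at one place per loop iteration would cover all of them instead of patching exits one by one.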
+@@ -738,6 +740,8 @@ _ppdOpen(
+   if (i >= (int)(sizeof(color_keywords) / sizeof(color_keywords[0])))
+   {
+ DEBUG_printf(("2_ppdOpen: Ignoring localization: \"%s\"\n", keyword));
++free(string);
++string = NULL;
+ continue;
+   }
+   }
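Review bot: this is a second copy of the same two-line release, and the DEBUG_printf() text above it is identical to the one in the previous hunk, so a debug log cannot tell which of the two branches dropped the keyword. Consider distinguishing the two messages while these branches are being touched.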
diff -Nru 
cups-2.2.1/debian/patches/0056-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch
 
cups-2.2.1/debian/patches/0056-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch
--- 
cups-2.2.1/debian/patches/0056-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch
   1970-01-01 01:00:00.0 +0100
+++ 
cups-2.2.1/debian/patches/0056-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch
   2019-12-31 14:25:08.0 +0100
@@ -0,0 +1,23 @@
+From c60d0154b20313af2bdec051ab5473320a6de1e8 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet 
+Date: Fri, 13 Dec 2019 09:30:46 -0500
+Subject: CVE-2019-2228: Fix ippSetValueTag validation of default language
+
+Closes: #946782
+---
+ cups/ipp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 843b4d997..8840a1d09 100644
+--- a/cups/ipp.c
 b/cups/ipp.c
+@@ -4721,7 +4721,7 @@ ippSetValueTag(
+   return (0);
+ 
+ if (ipp->attrs && ipp->attrs->next && ipp->attrs->next->name &&
+-!strcmp(ipp->attrs->next->name, "attributes-natural-language"))
++!strcmp(ipp->attrs->next->name, "attributes-natural-language") && 
(ipp->attrs->next->value_tag & IPP_TAG_CUPS_MASK) == IPP_TAG_LANGUAGE)
+ {
+  /*
+   * Use the language code from the IPP message...
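Review bot: the added test masks `value_tag` with IPP_TAG_CUPS_MASK before comparing it with IPP_TAG_LANGUAGE, but nothing says why a plain comparison is not enough. A short comment on what the mask strips from the tag would stop someone from simplifying it away later.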
diff -Nru cups-2.2.1/debian/patches/series cups-2.2.1/debian/patches/series
--- cups-2.2.1/debian/patches/series2019-08-21 09:51:54.0 +0200
+++ cups-2.2.1/debian/patches/series2019-12-31 14:25:08.0 +0100
@@ -52,3 +52,5 @@
 0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
 0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
 0054-Fix-multiple-security-disclosure-issues.patch

Bug#947832: buster-pu: package cups/2.2.10-6+deb10u2

2019-12-31 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear Stable Release Team,

CVE-2019-2228 affects stable's cups (see #946782); and I'd also like to fix
another memory leak (#946941).

My proposed changelog would be:

  cups (2.2.10-6+deb10u2) buster; urgency=medium
  
* Backport upstream security fixes:
  - Fix memory leak in ppdOpen (Closes: #946941)
  - CVE-2019-2228: The `ippSetValuetag` function did not validate the
default language value (Closes: #946782)
  
   -- Didier Raboud   Tue, 31 Dec 2019 14:16:46 +0100


… the proposed debdiff is attached.

Cheers,
OdyX
diff -Nru cups-2.2.10/debian/changelog cups-2.2.10/debian/changelog
--- cups-2.2.10/debian/changelog2019-08-21 09:43:13.0 +0200
+++ cups-2.2.10/debian/changelog2019-12-31 13:54:34.0 +0100
@@ -1,3 +1,12 @@
+cups (2.2.10-6+deb10u2) buster-security; urgency=high
+
+  * Backport upstream security fixes:
+- Fix memory leak in ppdOpen (Closes: #946941)
+- CVE-2019-2228: The `ippSetValuetag` function did not validate the
+  default language value (Closes: #946782)
+
+ -- Didier Raboud   Tue, 31 Dec 2019 13:54:34 +0100
+
 cups (2.2.10-6+deb10u1) buster; urgency=medium
 
   * Fix multiple security/disclosure issues (Closes: #934957)
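Review bot: the first added line targets `buster-security` with `urgency=high`, while the changelog proposed in the request text is `buster; urgency=medium` and carries a different timestamp (14:16:46 rather than 13:54:34). Regenerate the debdiff from the package that will actually be uploaded to proposed-updates.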
diff -Nru cups-2.2.10/debian/.git-dpm cups-2.2.10/debian/.git-dpm
--- cups-2.2.10/debian/.git-dpm 2019-08-21 09:43:13.0 +0200
+++ cups-2.2.10/debian/.git-dpm 2019-12-31 13:53:45.0 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-9af82602a9fe2523ceeef46f2d6e6378e2dc7eb7
-9af82602a9fe2523ceeef46f2d6e6378e2dc7eb7
+1b21a83376cee1f213faf7f4b4d89dd766c28975
+1b21a83376cee1f213faf7f4b4d89dd766c28975
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 cups_2.2.10.orig.tar.gz
diff -Nru cups-2.2.10/debian/patches/0048-Fix-memory-leak-in-ppdOpen.patch 
cups-2.2.10/debian/patches/0048-Fix-memory-leak-in-ppdOpen.patch
--- cups-2.2.10/debian/patches/0048-Fix-memory-leak-in-ppdOpen.patch
1970-01-01 01:00:00.0 +0100
+++ cups-2.2.10/debian/patches/0048-Fix-memory-leak-in-ppdOpen.patch
2019-12-31 13:53:45.0 +0100
@@ -0,0 +1,32 @@
+From 545d46fb0bf1cd8414ab28148f3a3126c3cf75fe Mon Sep 17 00:00:00 2001
+From: Michael R Sweet 
+Date: Thu, 1 Aug 2019 13:02:35 -0400
+Subject: Fix memory leak in ppdOpen
+
+Closes: #946941
+---
+ cups/ppd.c | 4 
+ 1 file changed, 4 insertions(+)
+
+diff --git a/cups/ppd.c b/cups/ppd.c
+index 435b992f4..b823d17b4 100644
+--- a/cups/ppd.c
 b/cups/ppd.c
+@@ -716,6 +716,8 @@ _ppdOpen(
+  strncmp(ll, keyword, ll_len)))
+   {
+   DEBUG_printf(("2_ppdOpen: Ignoring localization: \"%s\"\n", keyword));
++  free(string);
++  string = NULL;
+   continue;
+   }
+   else if (localization == _PPD_LOCALIZATION_ICC_PROFILES)
+@@ -735,6 +737,8 @@ _ppdOpen(
+   if (i >= (int)(sizeof(color_keywords) / sizeof(color_keywords[0])))
+   {
+ DEBUG_printf(("2_ppdOpen: Ignoring localization: \"%s\"\n", keyword));
++free(string);
++string = NULL;
+ continue;
+   }
+   }
diff -Nru 
cups-2.2.10/debian/patches/0049-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch
 
cups-2.2.10/debian/patches/0049-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch
--- 
cups-2.2.10/debian/patches/0049-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch
  1970-01-01 01:00:00.0 +0100
+++ 
cups-2.2.10/debian/patches/0049-CVE-2019-2228-Fix-ippSetValueTag-validation-of-defau.patch
  2019-12-31 13:53:45.0 +0100
@@ -0,0 +1,23 @@
+From 1b21a83376cee1f213faf7f4b4d89dd766c28975 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet 
+Date: Fri, 13 Dec 2019 09:30:46 -0500
+Subject: CVE-2019-2228: Fix ippSetValueTag validation of default language
+
+Closes: #946782
+---
+ cups/ipp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cups/ipp.c b/cups/ipp.c
+index cc9c6af50..98b499716 100644
+--- a/cups/ipp.c
 b/cups/ipp.c
+@@ -4563,7 +4563,7 @@ ippSetValueTag(
+   return (0);
+ 
+ if (ipp->attrs && ipp->attrs->next && ipp->attrs->next->name &&
+-!strcmp(ipp->attrs->next->name, "attributes-natural-language"))
++!strcmp(ipp->attrs->next->name, "attributes-natural-language") && 
(ipp->attrs->next->value_tag & IPP_TAG_CUPS_MASK) == IPP_TAG_LANGUAGE)
+ {
+  /*
+   * Use the language code from the IPP message...
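Review bot: the patch header carries only `Closes: #946782`; the subject says the default language was not validated, but not what an attribute with the right name and a different value tag caused in the block below. One sentence on that in the header would help whoever has to assess the backport for older branches.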
diff -Nru cups-2.2.10/debian/patches/series cups-2.2.10/debian/patches/series
--- cups-2.2.10/debian/patches/series   2019-08-21 09:43:13.0 +0200
+++ cups-2.2.10/debian/patches/series   2019-12-31 13:53:45.0 +0100
@@ -45,3 +45,5 @@
 0045-Fix-an-issue-with-PreserveJobHistory-and-time-values.patch
 manpage-translations.patch
 0047-Fix-multiple-security-disclosure-issues.patch
+0048-Fix-memory-leak-in-ppdOpen.patch

Bug#946165: nmu: usb-modeswitch_2.5.2+repack0 | openocd_0.10.0-6

2019-12-04 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hello,

the micro-transition for jimtcl (SONAME bump from 0.77 to 0.79) is in progress; 
two packages need to be rebuilt:

https://release.debian.org/transitions/html/auto-jimtcl.html

nmu usb-modeswitch_2.5.2+repack0-2 . ANY . unstable . -m "Rebuild against libjim0.79"
nmu openocd_0.10.0-6 . ANY . unstable . -m "Rebuild against libjim0.79"

I have manually tested the two builds on amd64.

Many thanks for your work;

OdyX

-- System Information:
Debian Release: bullseye/sid
  APT prefers buildd-unstable
  APT policy: (990, 'buildd-unstable'), (500, 'unstable-debug'), (500, 
'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (100, 
'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#941468: buster-pu: package plasma-applet-redshift-control/1.0.18-2+deb10u1

2019-10-02 Thread Didier 'OdyX' Raboud
On Tuesday, 1 October 2019, 23.30:03 h CEST Adam D. Barratt wrote:
> On Tue, 2019-10-01 at 09:33 +0200, Didier 'OdyX' Raboud wrote:
> > The redshift plasma applet doesn't work correctly in buster due to a wrong use
> > of `redshift` arguments; see #910901 "plasma-applet-redshift-control: Mouse
> > wheel only reduces color temperature, in either direction".
> 
> Please go ahead; thanks.

Uploaded; thanks.

-- 
OdyX



Bug#941468: buster-pu: package plasma-applet-redshift-control/1.0.18-2+deb10u1

2019-10-01 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

The redshift plasma applet doesn't work correctly in buster due to a wrong use
of `redshift` arguments; see #910901 "plasma-applet-redshift-control: Mouse
wheel only reduces color temperature, in either direction".

This was fixed with the exact same patch in unstable; and the debdiff is
attached.

Thanks for considering!

Cheers,
OdyX
diff -Nru plasma-applet-redshift-control-1.0.18/debian/changelog 
plasma-applet-redshift-control-1.0.18/debian/changelog
--- plasma-applet-redshift-control-1.0.18/debian/changelog  2018-02-22 
07:16:23.0 +0100
+++ plasma-applet-redshift-control-1.0.18/debian/changelog  2019-10-01 
09:26:56.0 +0200
@@ -1,3 +1,10 @@
+plasma-applet-redshift-control (1.0.18-2+deb10u1) buster; urgency=medium
+
+  * Import upstream-submitted patch to fix manual mode for redshift
+>= 1.12 (Closes: #910901)
+
+ -- Didier Raboud   Tue, 01 Oct 2019 09:26:56 +0200
+
 plasma-applet-redshift-control (1.0.18-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru plasma-applet-redshift-control-1.0.18/debian/.gitattributes 
plasma-applet-redshift-control-1.0.18/debian/.gitattributes
--- plasma-applet-redshift-control-1.0.18/debian/.gitattributes 1970-01-01 
01:00:00.0 +0100
+++ plasma-applet-redshift-control-1.0.18/debian/.gitattributes 2019-10-01 
09:26:56.0 +0200
@@ -0,0 +1 @@
+changelog merge=dpkg-mergechangelogs
diff -Nru 
plasma-applet-redshift-control-1.0.18/debian/patches/fix-manual-mode-for-redshift-1.12.patch
 
plasma-applet-redshift-control-1.0.18/debian/patches/fix-manual-mode-for-redshift-1.12.patch
--- 
plasma-applet-redshift-control-1.0.18/debian/patches/fix-manual-mode-for-redshift-1.12.patch
1970-01-01 01:00:00.0 +0100
+++ 
plasma-applet-redshift-control-1.0.18/debian/patches/fix-manual-mode-for-redshift-1.12.patch
2019-10-01 09:26:56.0 +0200
@@ -0,0 +1,58 @@
+Description: Redshift version >= 1.12 requires the -P option to clear the 
existing gamma ramps for one-shot mode. Without it the screen gets darker and 
darker until it is impossible to see anything.
+
+Quoting from the redshift 1.12 manual page:
+
+-O TEMP One-shot manual mode (set color temperature). Use this with the -P 
option to clear the existing gamma ramps before applying the new color 
temperature.
+-P Reset existing gamma ramps before applying new color effect.
+
+This is a cherry-pick from the fix submitted upstream at 
https://phabricator.kde.org/D23330 
+
+Author: Melvin Vermeeren 
+Bug: https://bugs.kde.org/show_bug.cgi?id=395641
+Bug-Debian: https://bugs.debian.org/910901
+Last-Update: 2019-09-28
+
+--- a/package/contents/ui/CompactRepresentation.qml
 b/package/contents/ui/CompactRepresentation.qml
+@@ -48,6 +48,8 @@
+ property color redshiftColour: '#ff3c0b'
+ property color brightnessColour: '#39a2ee'
+ 
++property string versionString: 'N/A'
++
+ PlasmaCore.IconItem {
+ id: customIcon
+ anchors.fill: parent
+@@ -136,7 +138,11 @@
+ }
+ }
+ }
+-redshiftDS.connectedSources.push(redshiftOneTimeCommand)
++if (parseFloat(versionString) >= 1.12) {
++redshiftDS.connectedSources.push(redshiftOneTimeCommand + " 
-P")
++} else {
++redshiftDS.connectedSources.push(redshiftOneTimeCommand)
++}
+ }
+ 
+ onClicked: {
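Review bot: `parseFloat(versionString) >= 1.12` compares versions as decimal fractions, so a version string such as 1.9 would pass the test although it is older than 1.12, and the initial 'N/A' parses to NaN, which silently selects the branch without -P. Split the string on '.' and compare major and minor as integers, and decide explicitly what to do while the version is still unknown.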
+@@ -169,4 +175,19 @@
+ }
+ }
+ 
++PlasmaCore.DataSource {
++id: getOptionsDS
++engine: 'executable'
++
++connectedSources: ['redshift -V']
++
++onNewData: {
++connectedSources.length = 0
++if (data['exit code'] > 0) {
++print('Error running redshift with command: ' + sourceName + 
'   ...stderr: ' + data.stderr)
++return
++}
++versionString = data.stdout.split(' ')[1]
++}
++}
+ }
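Review bot: `data.stdout.split(' ')[1]` assumes the version is the second space-separated token of the `redshift -V` output; if the output has another shape the result is undefined, and on a non-zero exit code the handler returns with versionString left at 'N/A'. Both cases end up in the command form without -P with no trace beyond the print(), so validate the token against a version pattern before storing it.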
diff -Nru plasma-applet-redshift-control-1.0.18/debian/patches/series 
plasma-applet-redshift-control-1.0.18/debian/patches/series
--- plasma-applet-redshift-control-1.0.18/debian/patches/series 1970-01-01 
01:00:00.0 +0100
+++ plasma-applet-redshift-control-1.0.18/debian/patches/series 2019-10-01 
09:26:56.0 +0200
@@ -0,0 +1 @@
+fix-manual-mode-for-redshift-1.12.patch


Bug#934928: win32-loader FTBFS on stable - any idea ?

2019-09-01 Thread Didier 'OdyX' Raboud
Control: clone -1 -2
Control: reopen -2 src:nsis
Control: retitle -2 NSIS: Farsi translation contains impossible conversions (YEH to CP1256)
Control: tags -2 upstream

On Saturday, 24 August 2019, 11.52:53 h CEST Simon McVittie wrote:
> > Unable to convert processed string "نوشتن ممکن نیست: " to codepage 1256
> 
> That string appears to be part of the Farsi (fa) translation of nsis,
> found in "Contrib/Language files/Farsi.nlf" in nsis_3.04-1. It is indeed
> not possible to convert it to Windows codepage 1256:
> 
> $ python3
> 
> >>> "نوشتن ممکن نیست".encode('cp1256')
> 
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
>   File "/usr/lib/python3.7/encodings/cp1256.py", line 12, in encode
>     return codecs.charmap_encode(input,errors,encoding_table)
> UnicodeEncodeError: 'charmap' codec can't encode character '\u06cc' in
> position 12: character maps to <undefined>
> 
> $ unicode U+06CC
> U+06CC ARABIC LETTER FARSI YEH
> 
> (I don't know whether converting this string to CP1256 is an appropriate
> thing to be doing.)
> 
> If that's the problem, maybe it would be possible to work around this by
> adjusting or disabling the Farsi translation, or by replacing the use of
> CP1256 with UTF-16 or something?

Indeed. According to this thread on unicode-ml in 2001 [1], this seems to
only be supported in "not-exactly-CP1256" old Windows environments.
There's a similar bug in Pidgin [2], which brings the following comment [3]:

;;  As this file needs to be encoded in CP1256 and CP1256 doesn't support U+06CC
;;  and U+0654 characters, I have removed all U+0654 characters and replaced U+06CC
;;  with U+064A in the middle of the words and with U+0649 at the end of the words.
;;  The Persian text will display correctly but the encoding is incorrect.

It seems they entirely disabled Persian translation for their installer now [4].

So; it seems to me that this is something that should be addressed in
NSIS (upstream), so cloning and reassigning, so that we have a reference bug to
point to.

Cheers,
OdyX

[1] https://unicode.org/mail-arch/unicode-ml/y2001-m10/0197.html NSIS
[2] https://developer.pidgin.im/ticket/2573
[3] https://developer.pidgin.im/attachment/ticket/2573/persian.2.nsh
[4] https://bitbucket.org/pidgin/main/src/7c5b54ec931b03b9354e0d2fffcac40b13e4aaa5/pidgin/win32/nsis/create_nsis_translations.pl#lines-110

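The conversion failure discussed in this message can be checked before a build. The following is an added example (not part of the original mail, and not NSIS or Pidgin code) that lists the characters a target codepage cannot encode and applies the substitution described in the quoted Pidgin comment; `SAMPLE_STRINGS` and all function names are assumptions made for the illustration.

```python
import re
import unicodedata

# String from the build log quoted above, written with escapes so the code
# points are explicit. U+06CC (ARABIC LETTER FARSI YEH) sits at index 12.
FARSI_MSG = ("\u0646\u0648\u0634\u062a\u0646 \u0645\u0645\u06a9\u0646 "
             "\u0646\u06cc\u0633\u062a: ")

# Constructed sample: (line number, text) pairs standing in for the strings
# of a language file. This is not the real content of Farsi.nlf.
SAMPLE_STRINGS = [
    (1, "Can't write: "),
    (2, FARSI_MSG),
    (3, "\u0641\u0627\u0631\u0633\u06cc"),  # word ending in U+06CC
]


def unencodable(text, codec):
    """Return (index, char, Unicode name) for each char `codec` cannot encode."""
    problems = []
    for index, char in enumerate(text):
        try:
            char.encode(codec)
        except UnicodeEncodeError:
            problems.append((index, char, unicodedata.name(char, "UNKNOWN")))
    return problems


def scan(strings, codec):
    """Map line number -> problems for every string the conversion would reject."""
    report = {}
    for lineno, text in strings:
        problems = unencodable(text, codec)
        if problems:
            report[lineno] = problems
    return report


def cp1256_fallback(text):
    """Apply the substitution from the quoted Pidgin comment.

    U+0654 is removed, U+06CC becomes U+064A inside a word and U+0649 at the
    end of a word. As that comment says, the result displays correctly but is
    no longer the correct encoding of the Persian text.
    """
    text = text.replace("\u0654", "")
    # A following word character means the YEH is not word-final.
    text = re.sub("\u06cc(?=\\w)", "\u064a", text)
    return text.replace("\u06cc", "\u0649")


if __name__ == "__main__":
    for lineno, problems in scan(SAMPLE_STRINGS, "cp1256").items():
        for index, char, name in problems:
            print(f"line {lineno}, index {index}: U+{ord(char):04X} {name}")

    substituted = [(n, cp1256_fallback(t)) for n, t in SAMPLE_STRINGS]
    print("cp1256 after substitution:",
          scan(substituted, "cp1256") or "all strings encodable")
    # The alternative raised in the thread: a Unicode encoding needs no
    # substitution at all.
    print("utf-16-le, unchanged strings:",
          scan(SAMPLE_STRINGS, "utf-16-le") or "all strings encodable")
```
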


Bug#934928: win32-loader FTBFS on stable - any idea ?

2019-08-26 Thread Didier 'OdyX' Raboud
On Sunday, 25 August 2019, 12.20:16 h CEST Simon McVittie wrote:
> On Sat, 24 Aug 2019 at 18:49:20 +0200, Didier 'OdyX' Raboud wrote:
> > The difference I finally found was that the buildds use LANG=C.UTF-8 and
> > LC_ALL=C.UTF-8 whereas mine was not enforcing these (and so I was building
> > with LC_ALL=POSIX).
> 
> This was a change in sbuild 0.78.0, so in practice a difference between
> buildds hosted on <= stretch (which used LC_ALL=POSIX) and buildds hosted
> on >= buster (which use LC_ALL=C.UTF-8).

Ah, thanks for the background.

> > +# A non-UTF-8 locale is needed for the NSIS build to convert some
> > language
> > strings
> > +LC_ALL := POSIX
> > +export LC_ALL
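Review bot: `LC_ALL := POSIX` followed by `export LC_ALL` applies to every command the rules file runs, while the comment says only the NSIS string conversion needs a non-UTF-8 locale. Setting LC_ALL on the NSIS invocation alone would leave the rest of the build, including anything that emits UTF-8 text, under the buildd's locale.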
> 
> This is the first time I've encountered a package where changing the locale
> to C.UTF-8 *causes* FTBFS - normally the failure mode is that unit tests
> assume a UTF-8 (or at least legacy 8-bit) locale, and fail in LC_ALL=POSIX
> (or equivalently LC_ALL=C).

win32-loader is special™ :-)

> It would be interesting to know whether the Farsi locale *works* in the
> resulting build; but if it doesn't, then that probably isn't a regression,
> because version 0.9.4 in buster would probably be broken in the same way.

I have not tested win32-loader in non-Wine win32 environments recently, so 
we'd need someone with a Farsi Windows to test this.

But I see that Thomas is doing a lot of work on the experimental branch, and 
we should let this hit unstable soon!

Cheers,
OdyX



Bug#934928: win32-loader FTBFS on stable - any idea ?

2019-08-26 Thread Didier 'OdyX' Raboud
On Saturday, 24 August 2019, 20.26:37 h CEST, Adam D. Barratt wrote:
> On Sat, 2019-08-24 at 18:49 +0200, Didier 'OdyX' Raboud wrote:
> > @Adam: I assume I need to bump the version number and upload again,
> > right?
> 
> Yep.
> 
> (I assume the changelog etc still end up generated as UTF-8.)

Yep. So uploaded.

-- 
OdyX



Bug#935253: buster-pu: package cups/2.2.10-6+deb10u1

2019-08-26 Thread Didier 'OdyX' Raboud
On Sunday, 25 August 2019, 17.37:47 h CEST, Adam D. Barratt wrote:
> Control: tags -1 -moreinfo +confirmed
> 
> On Wed, 2019-08-21 at 10:01 +0200, Didier 'OdyX' Raboud wrote:
> > This bug is about fixing the CVE-2019-8696, CVE-2019-8675 and other
> > security bugs fixed by CUPS upstream in [0] in buster.
> > 
> > The Security Team has declined fixing these in a security upload; so
> > here I come for a Stable update. The Stretch counterpart bug is
> > #935254.
> > 
> > The debdiff for Buster is attached. Can I (source-only) upload?
> 
> Yes, please go ahead.

Uploaded.

Thanks for your work!

OdyX



Bug#934928: win32-loader FTBFS on stable - any idea ?

2019-08-24 Thread Didier 'OdyX' Raboud
Hi there Simon,

thanks for the detailed investigation.

On Saturday, 24 August 2019, 11.52:53 h CEST, Simon McVittie wrote:
> On Fri, 23 Aug 2019 at 18:35:59 +0200, Didier 'OdyX' Raboud wrote:
> > I have uploaded win32-loader to buster to fix the out-of-sync archive
> > keys, but it has now repeatedly failed to build from source on the buster
> > buildds:
> > 
> > https://buildd.debian.org/status/logs.php?pkg=win32-loader=0.9.4%2Bdeb10u1
> > 
> > I can't reproduce this in a local buster schroot, so I'm slightly at a loss.
> 
> I can reproduce this by trying to rebuild 0.9.4 in sbuild (a buster
> schroot created with sbuild-createchroot, hosted on a buster VM, using
> vectis[1]) if that's any help? Presumably there is some difference
> between your buster schroot and the one sbuild would use. See below
> for a full package list.

Yep. The difference I finally found was that the buildds use LANG=C.UTF-8 and 
LC_ALL=C.UTF-8 whereas mine was not enforcing these (and so I was building 
with LC_ALL=POSIX).

By fixing this, I could reproducibly fail to build win32-loader :-)

> > Unable to convert processed string "نوشتن ممکن نیست: " to codepage 1256
> 
> That string appears to be part of the Farsi (fa) translation of nsis,
> found in "Contrib/Language files/Farsi.nlf" in nsis_3.04-1. It is indeed
> not possible to convert it to Windows codepage 1256: (…)
> 
> (I don't know whether converting this string to CP1256 is an appropriate
> thing to be doing.)
> 
> If that's the problem, maybe it would be possible to work around this by
> adjusting or disabling the Farsi translation, or by replacing the use of
> CP1256 with UTF-16 or something?

Hrm. For a stable upload, this seems to be enough to let the build go through:

--- a/debian/rules
+++ b/debian/rules
@@ -24,6 +24,10 @@ BUILT_USING_LIST := $(shell set -e; \
 
 NSIS_VERSION  := $(shell dpkg-query -f='$${Version}' -W nsis )
 
+# A non-UTF-8 locale is needed for the NSIS build to convert some language 
strings
+LC_ALL := POSIX
+export LC_ALL
+
 %:
dh $@
 
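Review bot: LC_ALL := POSIX with export LC_ALL sits at the top level of debian/rules, so it changes the locale for every command dh runs, not only the NSIS step the comment names. Scope the override to the target that invokes NSIS, and have the comment name the failing conversion and the bug number so the override can be dropped once the language strings are fixed.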
Any idea of a more targeted fix?

@Adam: I assume I need to bump the version number and upload again, right? 
(debdiff attached)

Cheers,
OdyX

diff -Nru win32-loader-0.9.4+deb10u1/debian/changelog win32-loader-0.9.4+deb10u2/debian/changelog
--- win32-loader-0.9.4+deb10u1/debian/changelog	2019-08-16 08:53:00.0 +0200
+++ win32-loader-0.9.4+deb10u2/debian/changelog	2019-08-24 18:44:18.0 +0200
@@ -1,3 +1,9 @@
+win32-loader (0.9.4+deb10u2) buster; urgency=medium
+
+  * Fix stable FTBFS through enforcing LC_ALL=POSIX
+
+ -- Didier Raboud   Sat, 24 Aug 2019 18:44:18 +0200
+
 win32-loader (0.9.4+deb10u1) buster; urgency=medium
 
   * Rebuild in stable to embed the latest debian-archive-keyring
diff -Nru win32-loader-0.9.4+deb10u1/debian/rules win32-loader-0.9.4+deb10u2/debian/rules
--- win32-loader-0.9.4+deb10u1/debian/rules	2019-08-16 08:53:00.0 +0200
+++ win32-loader-0.9.4+deb10u2/debian/rules	2019-08-24 18:44:18.0 +0200
@@ -24,6 +24,10 @@
 
 NSIS_VERSION  := $(shell dpkg-query -f='$${Version}' -W nsis )
 
+# A non-UTF-8 locale is needed for the NSIS build to convert some language strings
+LC_ALL := POSIX
+export LC_ALL
+
 %:
 	dh $@
 


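The conversion failure discussed in the message above can be narrowed down to individual code points. The following is an added example, not code from win32-loader, NSIS or the thread; the sample string is constructed from escapes on the assumption that the Farsi text is spelled with U+06CC, and the keys in `CONSTRUCTED_STRINGS` are hypothetical.

```python
import unicodedata

# Constructed sample: the string from the build log, written as escapes.
# Assumption: it is spelled with U+06CC (ARABIC LETTER FARSI YEH), the usual
# Persian form, rather than U+064A (ARABIC LETTER YEH).
SAMPLE = (
    "\u0646\u0648\u0634\u062a\u0646 "   # first word
    "\u0645\u0645\u06a9\u0646 "         # second word, contains U+06A9 KEHEH
    "\u0646\u06cc\u0633\u062a: "        # third word, contains U+06CC FARSI YEH
)

# Constructed stand-in for a translation file: (key, text) pairs.
# The keys are hypothetical and do not come from any NSIS language file.
CONSTRUCTED_STRINGS = [
    ("hypothetical_ok", "\u0646\u0648\u0634\u062a\u0646"),
    ("hypothetical_bad", SAMPLE),
    ("hypothetical_ascii", "Can't write: "),
]


def unmappable(text, codec="cp1256"):
    """Return (index, 'U+XXXX', name) for each character `codec` cannot encode."""
    problems = []
    for index, char in enumerate(text):
        try:
            char.encode(codec)
        except UnicodeEncodeError:
            problems.append(
                (index, f"U+{ord(char):04X}", unicodedata.name(char, "<unnamed>"))
            )
    return problems


def first_usable_codec(text, candidates):
    """Return the first codec in `candidates` that encodes all of `text`, else None."""
    for codec in candidates:
        if not unmappable(text, codec):
            return codec
    return None


def audit(strings, codec="cp1256"):
    """Map each key whose text fails in `codec` to its list of offending characters."""
    report = {}
    for key, text in strings:
        problems = unmappable(text, codec)
        if problems:
            report[key] = problems
    return report


if __name__ == "__main__":
    for key, problems in audit(CONSTRUCTED_STRINGS).items():
        for index, codepoint, name in problems:
            print(f"{key}: char {index} {codepoint} {name} has no cp1256 mapping")
    print("fallback:", first_usable_codec(SAMPLE, ["cp1256", "utf-16-le"]))
```

Run over the strings of a translation before the build, a check like this reports the offending character and its position instead of a bare conversion error.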


Bug#934928: win32-loader FTBFS on stable - any idea ?

2019-08-23 Thread Didier 'OdyX' Raboud
Hi there Thomas,

I have uploaded win32-loader to buster to fix the out-of-sync archive keys, 
but it has now repeatedly failed to build from source on the buster buildds:

https://buildd.debian.org/status/logs.php?pkg=win32-loader=0.9.4%2Bdeb10u1

I can't reproduce this in a local buster schroot, so I'm slightly at a loss.

Do you have any idea why it fails to build? Would you see a minimal patch to 
let it build in stable?

Many thanks in advance,

Cheers,
OdyX



Bug#934928: Bug#933829: win32-loader: Checksums need to be updated for new stable release, download fails to validate Release file.

2019-08-21 Thread Didier 'OdyX' Raboud
On Wednesday, 21 August 2019, 10.44:51 h CEST, Adam D. Barratt wrote:
> Control: tags -1 -moreinfo +confirmed
> 
> On 2019-08-21 09:14, Didier 'OdyX' Raboud wrote:
> > On Tuesday, 20 August 2019, 16.55:47 h CEST, Adam D. Barratt wrote:
> >> Control: tags -1 + moreinfo
> >> 
> >> [Recipients changed to use the p-u bug rather than the win32-loader
> >> one]
> 
> >> On 2019-08-16 07:55, Didier 'OdyX' Raboud wrote:
> [...]
> 
> >> > +win32-loader (0.9.3+deb10u1) buster; urgency=medium
> >> > +
> >> > +  * Rebuild in stable to embed the latest debian-archive-keyring
> >> > +(Closes: #933829)
> >> > +
> >> > + -- Didier Raboud   Fri, 16 Aug 2019 08:53:00 +0200
> >> > +
> >> > 
> >> >  win32-loader (0.9.3) unstable; urgency=medium
> >> >  
> >> >[ Thomas Gaugler ]
> >> 
> >> This wants to be against 0.9.4, which is the version in buster. It will
> >> also want an unblock-udeb for the 0.9.5 upload in unstable, so that
> >> reaches testing before the point release.
> > 
> > Ah, indeed; thanks for the check.
> > 
> > +win32-loader (0.9.4+deb10u1) buster; urgency=medium
> > +
> > +  * Rebuild in stable to embed the latest debian-archive-keyring
> > +(Closes: #933829)
> > +
> > + -- Didier Raboud   Fri, 16 Aug 2019 08:53:00 +0200
> 
> Better. :-) Please go ahead.

Uploaded.

> > As for the unblock-udeb; do you need another bug, or were you asking
> > debian-boot@ for approval?
> 
> My understanding was that it's blocked at your request rather than
> -boot's, to ensure that it doesn't get out of sync with the files in
> tools/ on mirrors. I can happily add the unblock-udeb, but we'll need to
> make sure that ftp-master also do the relevant magic on their side. (If
> that's still manual intervention.)

(Thanks for the unblock :-) )

As far as I'm concerned, it can stay unblocked outside of the freeze. I don't 
care _enough_ for the testing win32-loader.exe to be in sync to warrant always 
needing to unblock this package manually.

Where would it make sense to document that the win32-loader /tools/ 
counterpart needs to be copied from unstable to testing at freeze time and for 
each subsequent upload only, but that we're fine with having it out-of-sync 
outside of the freeze?

Cheers,
OdyX



Bug#935254: stretch-pu: package cups/2.2.1-8+deb9u4

2019-08-21 Thread Didier 'OdyX' Raboud
Control: retitle -1 stretch-pu: package cups/2.2.1-8+deb9u4

Hi there,

sorry for the bug cloning mess; I hope things are as they should now. This bug 
is about fixing the CVE-2019-8696, CVE-2019-8675 and other security bugs fixed 
by CUPS upstream in [0] in stretch.

The Security Team has declined fixing these in a security upload; so here I 
come for an Oldstable update. The Buster counterpart bug is #935253.

The debdiff for Stretch is attached. Can I (source-only) upload?

Cheers,
OdyX

[0] https://github.com/apple/cups/commit/f24e6cf6a39300ad0c3726a41a4aab51ad54c109

diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog
--- cups-2.2.1/debian/changelog	2018-12-14 13:58:47.0 +0100
+++ cups-2.2.1/debian/changelog	2019-08-21 09:51:54.0 +0200
@@ -1,3 +1,13 @@
+cups (2.2.1-8+deb9u4) stretch; urgency=low
+
+  * Fix multiple security/disclosure issues (Closes: #934957)
+- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows
+- Fixed IPP buffer overflow
+- Fixed memory disclosure issue in the scheduler
+- Fixed DoS issues in the scheduler
+
+ -- Didier Raboud   Wed, 21 Aug 2019 09:51:54 +0200
+
 cups (2.2.1-8+deb9u3) stretch; urgency=low
 
   * Backport upstream fixes for:
diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm
--- cups-2.2.1/debian/.git-dpm	2018-12-14 13:58:47.0 +0100
+++ cups-2.2.1/debian/.git-dpm	2019-08-21 09:51:54.0 +0200
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-a40147f12081943df6c85b6b1f4d302633a6995c
-a40147f12081943df6c85b6b1f4d302633a6995c
+8d6c8479d69d091ee83bbf7e10249f98cdaefa99
+8d6c8479d69d091ee83bbf7e10249f98cdaefa99
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 cups_2.2.1.orig.tar.gz
diff -Nru cups-2.2.1/debian/patches/0054-Fix-multiple-security-disclosure-issues.patch cups-2.2.1/debian/patches/0054-Fix-multiple-security-disclosure-issues.patch
--- cups-2.2.1/debian/patches/0054-Fix-multiple-security-disclosure-issues.patch	1970-01-01 01:00:00.0 +0100
+++ cups-2.2.1/debian/patches/0054-Fix-multiple-security-disclosure-issues.patch	2019-08-21 09:51:54.0 +0200
@@ -0,0 +1,188 @@
+From 8d6c8479d69d091ee83bbf7e10249f98cdaefa99 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet 
+Date: Thu, 15 Aug 2019 14:08:31 -0400
+Subject: Fix multiple security/disclosure issues:
+
+- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar://51685251)
+- Fixed IPP buffer overflow (rdar://50035411)
+- Fixed memory disclosure issue in the scheduler (rdar://51373853)
+- Fixed DoS issues in the scheduler (rdar://51373929)
+
+This is a backport of f24e6cf6a39300ad0c3726a41a4aab51ad54c109 on top of 2.2.1.
+---
+ cups/http.c|  9 +++--
+ cups/ipp.c |  9 ++---
+ cups/snmp.c| 20 +++-
+ scheduler/client.c | 23 ---
+ 4 files changed, 40 insertions(+), 21 deletions(-)
+
+diff --git a/cups/http.c b/cups/http.c
+index b3abbe73e..7ac773ad2 100644
+--- a/cups/http.c
 b/cups/http.c
+@@ -1891,7 +1891,7 @@ httpPrintf(http_t *http,		/* I - HTTP connection */
+ 	   ...)/* I - Additional args as needed */
+ {
+   ssize_t	bytes;			/* Number of bytes to write */
+-  char		buf[16384];		/* Buffer for formatted string */
++  char		buf[65536];		/* Buffer for formatted string */
+   va_list	ap;			/* Variable argument pointer */
+ 
+ 
+@@ -1903,7 +1903,12 @@ httpPrintf(http_t *http,		/* I - HTTP connection */
+ 
+   DEBUG_printf(("3httpPrintf: (" CUPS_LLFMT " bytes) %s", CUPS_LLCAST bytes, buf));
+ 
+-  if (http->data_encoding == HTTP_ENCODING_FIELDS)
++  if (bytes > (ssize_t)(sizeof(buf) - 1))
++  {
++http->error = ENOMEM;
++return (-1);
++  }
++  else if (http->data_encoding == HTTP_ENCODING_FIELDS)
+ return ((int)httpWrite2(http, buf, (size_t)bytes));
+   else
+   {
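Review bot: the new guard in httpPrintf only rejects bytes greater than sizeof(buf) - 1; nothing in the visible lines handles a negative bytes, which the unchanged (size_t)bytes cast in the httpWrite2 call would turn into a very large length. If the formatting call above this hunk can return an error, extend the test to cover bytes < 0 as well and set http->error accordingly.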
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 5ed31f53d..843b4d997 100644
+--- a/cups/ipp.c
 b/cups/ipp.c
+@@ -4706,9 +4706,7 @@ ippSetValueTag(
+ break;
+ 
+ case IPP_TAG_NAME :
+-if (temp_tag != IPP_TAG_KEYWORD && temp_tag != IPP_TAG_URI &&
+-temp_tag != IPP_TAG_URISCHEME && temp_tag != IPP_TAG_LANGUAGE &&
+-temp_tag != IPP_TAG_MIMETYPE)
++if (temp_tag != IPP_TAG_KEYWORD)
+   return (0);
+ 
+ (*attr)->value_tag = (ipp_tag_t)(IPP_TAG_NAME | ((*attr)->value_tag & IPP_TAG_CUPS_CONST));
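Review bot: the IPP_TAG_NAME case now returns 0 for URI, URISCHEME, LANGUAGE and MIMETYPE sources, which the removed lines allowed, and the hunk carries no comment saying why. The commit message lists an IPP buffer overflow; add a comment at the narrowed test tying it to that fix, and check the callers of ippSetValueTag that passed those tags, since they now get a failure return.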
+@@ -4716,10 +4714,7 @@ ippSetValueTag(
+ 
+ case IPP_TAG_NAMELANG :
+ case IPP_TAG_TEXTLANG :
+-if (value_tag == IPP_TAG_NAMELANG &&
+-(temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD &&
+- temp_tag != IPP_TAG_URI && temp_tag != IPP_TAG_URISCHEME &&
+- temp_tag != IPP_TAG_LANGUAGE && temp_tag != IPP_TAG_MIMETYPE))
++if (value_tag == IPP_TAG_NAMELANG && (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD))
+   return (0);
+ 
+ if (value_tag == IPP_TAG_TEXTLANG && temp_tag != 

Bug#934928: Bug#933829: win32-loader: Checksums need to be updated for new stable release, download fails to validate Release file.

2019-08-21 Thread Didier 'OdyX' Raboud
On Tuesday, 20 August 2019, 16.55:47 h CEST, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> [Recipients changed to use the p-u bug rather than the win32-loader one]
> 
> On 2019-08-16 07:55, Didier 'OdyX' Raboud wrote:
> > So win32-loader needs a stable update.
> > 
> > debian-boot@ / debian-release@: can I upload src:win32-loader in source
> > only with the following diff?
> > 
> > diff -Nru win32-loader-0.9.3/debian/changelog
> > win32-loader-0.9.3+deb10u1/
> > debian/changelog
> > --- win32-loader-0.9.3/debian/changelog 2019-01-02 18:38:43.0
> > +0100
> > +++ win32-loader-0.9.3+deb10u1/debian/changelog 2019-08-16
> > 08:53:00.0
> > +0200
> > @@ -1,3 +1,10 @@
> > +win32-loader (0.9.3+deb10u1) buster; urgency=medium
> > +
> > +  * Rebuild in stable to embed the latest debian-archive-keyring
> > +(Closes: #933829)
> > +
> > + -- Didier Raboud   Fri, 16 Aug 2019 08:53:00 +0200
> > +
> > 
> >  win32-loader (0.9.3) unstable; urgency=medium
> >  
> >[ Thomas Gaugler ]
> 
> This wants to be against 0.9.4, which is the version in buster. It will
> also want an unblock-udeb for the 0.9.5 upload in unstable, so that
> reaches testing before the point release.

Ah, indeed; thanks for the check.

+win32-loader (0.9.4+deb10u1) buster; urgency=medium
+
+  * Rebuild in stable to embed the latest debian-archive-keyring
+(Closes: #933829)
+
+ -- Didier Raboud   Fri, 16 Aug 2019 08:53:00 +0200

As for the unblock-udeb; do you need another bug, or were you asking
debian-boot@ for approval?

OdyX



Bug#935253: buster-pu: package cups/2.2.10-6+deb10u1

2019-08-21 Thread Didier 'OdyX' Raboud
Hi there,

sorry for the bug cloning mess; I hope things are as they should now. This bug 
is about fixing the CVE-2019-8696, CVE-2019-8675 and other security bugs fixed 
by CUPS upstream in [0] in buster.

The Security Team has declined fixing these in a security upload; so here I 
come for a Stable update. The Stretch counterpart bug is #935254.

The debdiff for Buster is attached. Can I (source-only) upload?

Cheers,
OdyX

[0] https://github.com/apple/cups/commit/f24e6cf6a39300ad0c3726a41a4aab51ad54c109

diff -Nru cups-2.2.10/debian/changelog cups-2.2.10/debian/changelog
--- cups-2.2.10/debian/changelog	2019-04-23 08:33:01.0 +0200
+++ cups-2.2.10/debian/changelog	2019-08-21 09:43:13.0 +0200
@@ -1,3 +1,13 @@
+cups (2.2.10-6+deb10u1) buster; urgency=medium
+
+  * Fix multiple security/disclosure issues (Closes: #934957)
+- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows
+- Fixed IPP buffer overflow
+- Fixed memory disclosure issue in the scheduler
+- Fixed DoS issues in the scheduler
+
+ -- Didier Raboud   Wed, 21 Aug 2019 09:43:13 +0200
+
 cups (2.2.10-6) unstable; urgency=medium
 
   * Backport patch from upstream's 2.2 "stable" branch:
diff -Nru cups-2.2.10/debian/.git-dpm cups-2.2.10/debian/.git-dpm
--- cups-2.2.10/debian/.git-dpm	2019-04-23 08:33:01.0 +0200
+++ cups-2.2.10/debian/.git-dpm	2019-08-21 09:43:13.0 +0200
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-9615ef5f2b8374bfe2816f8ff4314234362ce841
-9615ef5f2b8374bfe2816f8ff4314234362ce841
+9af82602a9fe2523ceeef46f2d6e6378e2dc7eb7
+9af82602a9fe2523ceeef46f2d6e6378e2dc7eb7
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 25b2338346ef3abbb93ea88476887cba7b2b86f8
 cups_2.2.10.orig.tar.gz
diff -Nru cups-2.2.10/debian/patches/0047-Fix-multiple-security-disclosure-issues.patch cups-2.2.10/debian/patches/0047-Fix-multiple-security-disclosure-issues.patch
--- cups-2.2.10/debian/patches/0047-Fix-multiple-security-disclosure-issues.patch	1970-01-01 01:00:00.0 +0100
+++ cups-2.2.10/debian/patches/0047-Fix-multiple-security-disclosure-issues.patch	2019-08-21 09:43:13.0 +0200
@@ -0,0 +1,188 @@
+From 9af82602a9fe2523ceeef46f2d6e6378e2dc7eb7 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet 
+Date: Thu, 15 Aug 2019 14:08:31 -0400
+Subject: Fix multiple security/disclosure issues:
+
+- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar://51685251)
+- Fixed IPP buffer overflow (rdar://50035411)
+- Fixed memory disclosure issue in the scheduler (rdar://51373853)
+- Fixed DoS issues in the scheduler (rdar://51373929)
+
+This is a backport of f24e6cf6a39300ad0c3726a41a4aab51ad54c109 on top of 2.2.10.
+---
+ cups/http.c|  9 +++--
+ cups/ipp.c |  9 ++---
+ cups/snmp.c| 20 +++-
+ scheduler/client.c | 23 ---
+ 4 files changed, 40 insertions(+), 21 deletions(-)
+
+diff --git a/cups/http.c b/cups/http.c
+index 5c14ef68e..3fadb5acb 100644
+--- a/cups/http.c
 b/cups/http.c
+@@ -1905,7 +1905,7 @@ httpPrintf(http_t *http,		/* I - HTTP connection */
+ 	   ...)/* I - Additional args as needed */
+ {
+   ssize_t	bytes;			/* Number of bytes to write */
+-  char		buf[16384];		/* Buffer for formatted string */
++  char		buf[65536];		/* Buffer for formatted string */
+   va_list	ap;			/* Variable argument pointer */
+ 
+ 
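Review bot: buf in httpPrintf grows from 16384 to 65536 bytes as a local array, so every call now takes 64 KiB of stack, and the size is a bare literal. Give the size a named constant with a comment on why 64 KiB was chosen, and consider a heap or per-connection buffer if httpPrintf can run on threads with small stacks.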
+@@ -1917,7 +1917,12 @@ httpPrintf(http_t *http,		/* I - HTTP connection */
+ 
+   DEBUG_printf(("3httpPrintf: (" CUPS_LLFMT " bytes) %s", CUPS_LLCAST bytes, buf));
+ 
+-  if (http->data_encoding == HTTP_ENCODING_FIELDS)
++  if (bytes > (ssize_t)(sizeof(buf) - 1))
++  {
++http->error = ENOMEM;
++return (-1);
++  }
++  else if (http->data_encoding == HTTP_ENCODING_FIELDS)
+ return ((int)httpWrite2(http, buf, (size_t)bytes));
+   else
+   {
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 2c09f2703..cc9c6af50 100644
+--- a/cups/ipp.c
 b/cups/ipp.c
+@@ -4548,9 +4548,7 @@ ippSetValueTag(
+ break;
+ 
+ case IPP_TAG_NAME :
+-if (temp_tag != IPP_TAG_KEYWORD && temp_tag != IPP_TAG_URI &&
+-temp_tag != IPP_TAG_URISCHEME && temp_tag != IPP_TAG_LANGUAGE &&
+-temp_tag != IPP_TAG_MIMETYPE)
++if (temp_tag != IPP_TAG_KEYWORD)
+   return (0);
+ 
+ (*attr)->value_tag = (ipp_tag_t)(IPP_TAG_NAME | ((*attr)->value_tag & IPP_TAG_CUPS_CONST));
+@@ -4558,10 +4556,7 @@ ippSetValueTag(
+ 
+ case IPP_TAG_NAMELANG :
+ case IPP_TAG_TEXTLANG :
+-if (value_tag == IPP_TAG_NAMELANG &&
+-(temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD &&
+- temp_tag != IPP_TAG_URI && temp_tag != IPP_TAG_URISCHEME &&
+- temp_tag != IPP_TAG_LANGUAGE && temp_tag != IPP_TAG_MIMETYPE))
++if (value_tag == IPP_TAG_NAMELANG && (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD))
+   return (0);
+ 
+ if (value_tag == IPP_TAG_TEXTLANG && temp_tag != IPP_TAG_TEXT)
+diff --git 

Re: Bug#933829: win32-loader: Checksums need to be updated for new stable release, download fails to validate Release file.

2019-08-16 Thread Didier 'OdyX' Raboud
On Sunday, 4 August 2019, 08.43:49 h CEST, Yetoo Happy wrote:
> Dear Maintainer,
> 
> Checksums need to be updated for new stable release, download fails to
> validate Release file. I built package using Debian 10.0 intending to embed
> the new checksum and testing the built package found the error didn't occur 
> when downloading in the executable.

I just tested a rebuild in a buster chroot and can confirm that the rebuilt 
win32-loader.exe can download the release correctly.

So win32-loader needs a stable update.

debian-boot@ / debian-release@: can I upload src:win32-loader in source only 
with the following diff?

diff -Nru win32-loader-0.9.3/debian/changelog win32-loader-0.9.3+deb10u1/
debian/changelog
--- win32-loader-0.9.3/debian/changelog 2019-01-02 18:38:43.0 +0100
+++ win32-loader-0.9.3+deb10u1/debian/changelog 2019-08-16 08:53:00.0 
+0200
@@ -1,3 +1,10 @@
+win32-loader (0.9.3+deb10u1) buster; urgency=medium
+
+  * Rebuild in stable to embed the latest debian-archive-keyring
+(Closes: #933829)
+
+ -- Didier Raboud   Fri, 16 Aug 2019 08:53:00 +0200
+
 win32-loader (0.9.3) unstable; urgency=medium
 
   [ Thomas Gaugler ]




Cheers,
OdyX



Bug#928965: unblock: lsb/10.2019051400

2019-05-17 Thread Didier 'OdyX' Raboud
Control: tags -1 -moreinfo

On Tuesday, 14 May 2019, 19.42:42 h CEST, Jonathan Wiltshire wrote:
> Please go ahead and remove the moreinfo tag from this bug when it is ready
> to be unblocked.

Uploaded, built, piuparts ran; removing the moreinfo tag.

(Autopackage tests in progress for _many_ packages).

Cheers, and thanks for your consideration,

OdyX



Bug#928965: unblock: lsb/10.2019051400

2019-05-14 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

I hereby request an upload authorization towards an unblock for package lsb
10.2019051400, which was not uploaded yet.

lsb (10.2019051400) unstable; urgency=medium

  [ Harald Dunkel ]
  * pidofproc: use "pidof -c" to avoid pidofproc results from containers or
    chroots (Closes: #888743)

 -- Didier Raboud   Tue, 14 May 2019 08:50:39 +0200

It would be exactly identical to 10.2019032400 from experimental, uploaded on
March 24, and for which no regressions have been reported. It would fix
src:lsb important bug #888743 for buster.

The full debdiff is attached.

Thanks for your consideration, cheers,
OdyX

unblock lsb/10.2019051400
diff -Nru lsb-10.2019031300/debian/changelog lsb-10.2019051400/debian/changelog
--- lsb-10.2019031300/debian/changelog  2019-03-13 21:42:26.0 +0100
+++ lsb-10.2019051400/debian/changelog  2019-05-14 08:50:39.0 +0200
@@ -1,3 +1,11 @@
+lsb (10.2019051400) unstable; urgency=medium
+
+  [ Harald Dunkel ]
+  * pidofproc: use "pidof -c" to avoid pidofproc results from containers or 
chroots
+(Closes: #888743)
+
+ -- Didier Raboud   Tue, 14 May 2019 08:50:39 +0200
+
 lsb (10.2019031300) unstable; urgency=low
 
   [ Dmitry Bogatov ]
diff -Nru lsb-10.2019031300/init-functions lsb-10.2019051400/init-functions
--- lsb-10.2019031300/init-functions2019-03-13 21:42:26.0 +0100
+++ lsb-10.2019051400/init-functions2019-05-14 08:50:39.0 +0200
@@ -107,7 +107,7 @@
# pid file doesn't exist, try to find the pid nevertheless
if [ -x /bin/pidof ] && [ ! "$specified" ]; then
  status="0"
- /bin/pidof -o %PPID -x $1 || status="$?"
+ /bin/pidof -c -o %PPID -x $1 || status="$?"
  if [ "$status" = 1 ]; then
  return 3 # program is not running
  fi
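Review bot: $1 is unquoted on the changed pidof line, so a program path containing whitespace or glob characters is split before pidof sees it; quote it as "$1" while this line is being touched. The [ -x /bin/pidof ] guard also only shows that the binary exists, not that it accepts -c, and an exit status other than 1 from an unsupported option is not handled in the lines shown.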


Bug#927784: unblock: cups/2.2.10-6

2019-04-23 Thread Didier 'OdyX' Raboud
Control: tags -1 -moreinfo

On Tuesday, 23 April 2019, 11.35:59 h CEST, Ivo De Decker wrote:
> On Tue, Apr 23, 2019 at 09:20:51AM +0200, Didier 'OdyX' Raboud wrote:
> > I hereby request an upload authorization towards an unblock for package
> > cups 2.2.10-6; which was not uploaded yet.
> > 
> >   cups (2.2.10-6) unstable; urgency=medium
> >   
> > * Backport patch from upstream's 2.2 "stable" branch:
> >   - Fix an issue with `PreserveJobHistory` and time values (Issue
> >   #5538)
> > (Closes: #921741)
> > 
> > The `PreserveJobHistory` configuration doesn't work correctly in 2.2.10,
> > and this was fixed by upstream in 2.2.11; this upload has only a
> > cherry-pick of upstream's ba9d68cc7467a7a47ef219071902b9e9eb6dbc44 and
> > would fix src:cups bug #921741.
> 
> Please go ahead with the upload to unstable and remove the moreinfo tag from
> this bug once the package is built.

Uploaded; and it built on all release architectures.

Cheers, and thanks for your consideration,
OdyX



Bug#926800: unblock: cups-filters/1.21.6-5

2019-04-10 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package cups-filters 1.21.6-5

It fixes a severity: important bug (#926576) in cups-filters; which is a
regression in the ghostscript support triggered by the version of Ghostscript
that will be shipped in Buster (9.27), quoting the upstream developer
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926576#20):

> The old call used the undocumented internal "pdfdict" of Ghostscript 
> which from Ghostscript 9.27 on is not accessible any more for security 
> reasons. Now I use the call suggested in the Arch Linux bug report using
> "runpdfbegin".

The full (noisy) debdiff is attached, but here comes the real source diff:

--- a/filter/foomatic-rip/pdf.c
+++ b/filter/foomatic-rip/pdf.c
@@ -47,9 +47,8 @@ static int pdf_count_pages(const char *filename)
 size_t bytes;
 
 snprintf(gscommand, CMDLINE_MAX, "%s -dNODISPLAY -q -c "
-"'/pdffile (%s) (r) file def pdfdict begin pdffile pdfopen begin "
-"(PageCount: ) print pdfpagecount == flush currentdict pdfclose "
-"end end quit'",
+"'/pdffile (%s) (r) file runpdfbegin (PageCount: ) print "
+"pdfpagecount = quit'",
 gspath, filename);
 
 FILE *pd = popen(gscommand, "r");
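Review bot: filename is still spliced unescaped into the command string that goes to popen in the lines this hunk rewrites: it sits inside a PostScript (...) string inside a single-quoted shell argument, so a name containing ' or ) changes what the shell or Ghostscript parses. Since the command is being rewritten anyway, escape the name for both layers or run gs with an argument vector instead of a shell string, and check the snprintf return against CMDLINE_MAX so a truncated command is never executed.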


This patch was uploaded to experimental as 1.22.5-1 and to unstable as 1.21.6-5
today.

unblock cups-filters/1.21.6-5

Cheers, and thanks for your time;
OdyX
diff -Nru cups-filters-1.21.6/debian/changelog 
cups-filters-1.21.6/debian/changelog
--- cups-filters-1.21.6/debian/changelog2019-02-16 14:31:17.0 
+0100
+++ cups-filters-1.21.6/debian/changelog2019-04-10 17:13:22.0 
+0200
@@ -1,3 +1,11 @@
+cups-filters (1.21.6-5) unstable; urgency=medium
+
+  * Backport upstream patch:
+ - foomatic-rip: Changed Ghostscript call to count pages in a PDF file so
+   that it works with GS 9.27 (Closes: #926576)
+
+ -- Didier Raboud   Wed, 10 Apr 2019 17:13:22 +0200
+
 cups-filters (1.21.6-4) unstable; urgency=medium
 
   * Backport upstream patch:
diff -Nru cups-filters-1.21.6/debian/.git-dpm 
cups-filters-1.21.6/debian/.git-dpm
--- cups-filters-1.21.6/debian/.git-dpm 2019-02-16 14:31:17.0 +0100
+++ cups-filters-1.21.6/debian/.git-dpm 2019-04-10 17:13:22.0 +0200
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-c1ec6e6233f90f7944e796732bcb68b546e75512
-c1ec6e6233f90f7944e796732bcb68b546e75512
+ac421831bde36d391900eba263cb6215eacb4927
+ac421831bde36d391900eba263cb6215eacb4927
 ec41f03b4dc5def5a6d53ea1dbb856f4b1bba169
 ec41f03b4dc5def5a6d53ea1dbb856f4b1bba169
 cups-filters_1.21.6.orig.tar.xz
diff -Nru 
cups-filters-1.21.6/debian/patches/0005-foomatic-rip-Changed-Ghostscript-call-to-count-pages.patch
 
cups-filters-1.21.6/debian/patches/0005-foomatic-rip-Changed-Ghostscript-call-to-count-pages.patch
--- 
cups-filters-1.21.6/debian/patches/0005-foomatic-rip-Changed-Ghostscript-call-to-count-pages.patch
  1970-01-01 01:00:00.0 +0100
+++ 
cups-filters-1.21.6/debian/patches/0005-foomatic-rip-Changed-Ghostscript-call-to-count-pages.patch
  2019-04-10 17:13:22.0 +0200
@@ -0,0 +1,26 @@
+From ac421831bde36d391900eba263cb6215eacb4927 Mon Sep 17 00:00:00 2001
+From: Till Kamppeter 
+Date: Sun, 7 Apr 2019 16:34:16 +0200
+Subject: foomatic-rip: Changed Ghostscript call to count pages in a PDF file
+ so that it works with GS 9.27.
+
+---
+ filter/foomatic-rip/pdf.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/filter/foomatic-rip/pdf.c b/filter/foomatic-rip/pdf.c
+index 9c3979bb2..bc739bd80 100644
+--- a/filter/foomatic-rip/pdf.c
 b/filter/foomatic-rip/pdf.c
+@@ -47,9 +47,8 @@ static int pdf_count_pages(const char *filename)
+ size_t bytes;
+ 
+ snprintf(gscommand, CMDLINE_MAX, "%s -dNODISPLAY -q -c "
+-   "'/pdffile (%s) (r) file def pdfdict begin pdffile pdfopen begin "
+-   "(PageCount: ) print pdfpagecount == flush currentdict pdfclose "
+-   "end end quit'",
++   "'/pdffile (%s) (r) file runpdfbegin (PageCount: ) print "
++   "pdfpagecount = quit'",
+gspath, filename);
+ 
+ FILE *pd = popen(gscommand, "r");
diff -Nru cups-filters-1.21.6/debian/patches/auto-gitignore 
cups-filters-1.21.6/debian/patches/auto-gitignore
--- cups-filters-1.21.6/debian/patches/auto-gitignore   2019-02-16 
14:31:17.0 +0100
+++ cups-filters-1.21.6/debian/patches/auto-gitignore   2019-04-10 
17:13:22.0 +0200
@@ -4,7 +4,7 @@
 .gitignore file(s).  This patch is autogenerated, to provide these
 updates to users of the official Debian archive view of the package.
 
-[dgit (8.3) update-gitignore]
+[dgit (8.4) update-gitignore]
 ---
 diff --git a/.gitignore b/.gitignore
 new file mode 100644
diff -Nru cups-filters-1.21.6/debian/patches/series 
cups-filters-1.21.6/debian/patches/series
--- cups-filters-1.21.6/debian/patches/series   2019-02-16 

Bug#925874: unblock: cups/2.2.10-5

2019-03-27 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package cups 2.2.10-5

Actually; to be entirely transparent, I uploaded to unstable by mistake; I had
considered the changes not to warrant going through an unblock process. Anyway.
The changes are non-invasive and non-risky, extend hardware support, and
(well), they sit in unstable. :-)

Don't hesitate to ask me for a revert, I'm glad to do so.

The real debdiff is attached, but given my use of git-dpm, is quite noisy. The
real "source diff" is the following (in short, two org.cups.usb-quirks
additions and a manpage translation update):

diff -Nru cups-2.2.10/debian/changelog cups-2.2.10/debian/changelog
--- cups-2.2.10/debian/changelog2019-02-16 14:48:42.0 +0100
+++ cups-2.2.10/debian/changelog2019-03-27 17:13:07.0 +0100
@@ -1,3 +1,15 @@
+cups (2.2.10-5) unstable; urgency=medium
+
+  [ Helge Kreutzmann ]
+  * Correct error in german manpage translation
+
+  [ Didier Raboud ]
+  * Backport patches from upstream's 2.2 "stable" branch:
+- Add USB quirks rule for Xerox printers (Issue #5523)
+- Add a USB quirks rule for the DYMO 450 Turbo (Issue #5521)
+
+ -- Didier Raboud   Wed, 27 Mar 2019 17:13:07 +0100
+
 cups (2.2.10-4) unstable; urgency=low
 
   * Backport patches from upstream's 2.2 "stable" branch:
diff -Nru cups-2.2.10/debian/manpage-po4a/po/de.po 
cups-2.2.10/debian/manpage-po4a/po/de.po
--- cups-2.2.10/debian/manpage-po4a/po/de.po2019-02-16 14:48:42.0 
+0100
+++ cups-2.2.10/debian/manpage-po4a/po/de.po2019-03-27 17:13:07.0 
+0100
@@ -12,7 +12,7 @@
 msgstr ""
 "Project-Id-Version: cups man pages 2.2.7-5\n"
 "POT-Creation-Date: 2018-12-08 12:54+0100\n"
-"PO-Revision-Date: 2018-12-09 06:47+0100\n"
+"PO-Revision-Date: 2019-03-03 07:38+0100\n"
 "Last-Translator: Helge Kreutzmann \n"
 "Language-Team: de \n"
 "Language: de\n"
@@ -2210,7 +2210,7 @@
 msgstr ""
 "Die Datei I konfiguriert den CUPS-Auftragsplaner (Scheduler), "
 "B(8). Sie befindet sich normalerweise in dem Verzeichnis I. B Datei, Verzeichnis und Benutzerkonfigurationsdirektiven, "
+"cups>. B Datei-, Verzeichnis- und Benutzerkonfigurationsdirektiven, 
"
 "die früher in der Datei B erlaubt wurden, werden jetzt "
 "stattdessen in der Datei B(5) gespeichert, um bestimmte "
 "Arten von Angriffen zur Rechteerweiterung zu vermeiden."
diff -Nru 
cups-2.2.10/debian/patches/0040-Add-USB-quirks-rule-for-Xerox-printers-Issue-5523.patch
 
cups-2.2.10/debian/patches/0040-Add-USB-quirks-rule-for-Xerox-printers-Issue-5523.patch
--- 
cups-2.2.10/debian/patches/0040-Add-USB-quirks-rule-for-Xerox-printers-Issue-5523.patch
 1970-01-01 01:00:00.0 +0100
+++ 
cups-2.2.10/debian/patches/0040-Add-USB-quirks-rule-for-Xerox-printers-Issue-5523.patch
 2019-03-27 17:13:07.0 +0100
@@ -0,0 +1,20 @@
+From f8eac850dfbdb4a8d6a02f4d5eb2a473e7b088b4 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet 
+Date: Tue, 19 Feb 2019 11:11:54 -0500
+Subject: Add USB quirks rule for Xerox printers (Issue #5523)
+
+---
+ backend/org.cups.usb-quirks | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/backend/org.cups.usb-quirks b/backend/org.cups.usb-quirks
+index 0586602ab..77233ea18 100644
+--- a/backend/org.cups.usb-quirks
 b/backend/org.cups.usb-quirks
+@@ -293,3 +293,6 @@
+ 
+ # Lexmark E120n (Issue #5478)
+ 0x043d 0x00cc no-reattach
++
++# All Xerox printers (Issue #5523)
++0x0924 no-reattach
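Review bot: the added rule `0x0924 no-reattach` carries no product ID, so by its own comment it applies to every Xerox device, yet the patch header holds only the subject line and an issue number. Add a sentence to the patch description saying why a vendor-wide rule was chosen over a per-model entry like the Lexmark E120n line above it, so a later reader can judge whether it is still needed.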
diff -Nru 
cups-2.2.10/debian/patches/0041-Add-a-USB-quirks-rule-for-the-DYMO-450-Turbo-Issue-5.patch
 
cups-2.2.10/debian/patches/0041-Add-a-USB-quirks-rule-for-the-DYMO-450-Turbo-Issue-5.patch
--- 
cups-2.2.10/debian/patches/0041-Add-a-USB-quirks-rule-for-the-DYMO-450-Turbo-Issue-5.patch
  1970-01-01 01:00:00.0 +0100
+++ 
cups-2.2.10/debian/patches/0041-Add-a-USB-quirks-rule-for-the-DYMO-450-Turbo-Issue-5.patch
  2019-03-27 17:13:07.0 +0100
@@ -0,0 +1,20 @@
+From d4d7ff4dad47ad4d278ca2c84efd602354a4e627 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet 
+Date: Thu, 21 Feb 2019 09:54:59 -0500
+Subject: Add a USB quirks rule for the DYMO 450 Turbo (Issue #5521)
+
+---
+ backend/org.cups.usb-quirks | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/backend/org.cups.usb-quirks b/backend/org.cups.usb-quirks
+index 77233ea18..44d6bb8cb 100644
+--- a/backend/org.cups.usb-quirks
 b/backend/org.cups.usb-quirks
+@@ -296,3 +296,6 @@
+ 
+ # All Xerox printers (Issue #5523)
+ 0x0924 no-reattach
++
++# Dymo 450 Turbo (Issue #5521)
++0x0922 0x0021 unidir
diff -Nru cups-2.2.10/debian/patches/series cups-2.2.10/debian/patches/series
--- cups-2.2.10/debian/patches/series   2019-02-16 14:48:42.0 +0100
+++ cups-2.2.10/debian/patches/series   2019-03-27 17:13:07.0 +0100
@@ -37,7 +37,9 @@
 0037-Use-the-same-requested-attributes-values-for-all-IPP.patch
 0038-Add-a-USB-quirk-rule-for-the-Lexmark-E120n-Issue-547.patch
 

Bug#916435: stretch-pu: package cups/2.2.1-8+deb9u3

2019-02-05 Thread Didier 'OdyX' Raboud
Control: tags -1 +pending

On Monday, 4 February 2019, 23.06:44 h CET, Adam D. Barratt wrote:
> Please go ahead.

Uploaded, thanks for the confirmation.

Cheers,
OdyX



Bug#916435: stretch-pu: package cups/2.2.1-8+deb9u3

2018-12-14 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

CUPS in stable has two no-dsa security issues in stretch which I'd like to fix:

- CVE-2017-18248: DBUS notifications could crash the scheduler
- CVE-2018-4700: Linux session cookies used a predictable random number seed

My proposed changelog entry is the following:

cups (2.2.1-8+deb9u3) stretch; urgency=low

  * Backport upstream fixes for:
- CVE-2017-18248: DBUS notifications could crash the scheduler
- CVE-2018-4700: Linux session cookies used a predictable random
  number seed (Closes: #915909)

I'm attaching the two upstream patches (mere cherry-picks from the
upstream-2.2 branch) and the proposed debdiff.

Thanks for your consideration, cheers,
   OdyX
 
diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog
--- cups-2.2.1/debian/changelog 2018-07-03 07:45:20.0 +0200
+++ cups-2.2.1/debian/changelog 2018-12-14 13:58:47.0 +0100
@@ -1,7 +1,16 @@
+cups (2.2.1-8+deb9u3) stretch; urgency=low
+
+  * Backport upstream fixes for:
+- CVE-2017-18248: DBUS notifications could crash the scheduler
+- CVE-2018-4700: Linux session cookies used a predictable random
+  number seed (Closes: #915909)
+
+ -- Didier Raboud   Fri, 14 Dec 2018 13:58:47 +0100
+
 cups (2.2.1-8+deb9u2) stretch-security; urgency=low
 
   * CVE-2018-6553: Fix AppArmor cupsd sandbox bypass due to use of hard links
-  * Backport upstream fix for:
+  * Backport upstream fixes for:
 - CVE-2018-4180 Local Privilege Escalation to Root in dnssd Backend 
(CUPS_SERVERBIN)
 - CVE-2018-4181 Limited Local File Reads as Root via cupsd.conf Include 
Directive
 - CVE-2018-4182 cups-exec Sandbox Bypass Due to Insecure Error Handling
@@ -9,7 +18,7 @@
 - CVE-2017-15400: Restrict IPP Everywhere filters to only list supported 
PDLs
   to fix CRLF and Code Injection in Printer Zeroconfig
 
- -- Didier Raboud   Tue, 03 Jul 2018 07:45:20 +0200
+ -- Didier Raboud   Wed, 11 Jul 2018 11:29:27 +0200
 
 cups (2.2.1-8+deb9u1) stretch; urgency=low
 
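Review bot: the trailer of the already uploaded 2.2.1-8+deb9u2 entry changes here from `Tue, 03 Jul 2018 07:45:20` to `Wed, 11 Jul 2018 11:29:27`, which rewrites a released changelog entry inside a stable update. If the version in the archive really carries the 11 Jul trailer, the debdiff was taken against the wrong base and should be regenerated against the .dsc in stretch; otherwise drop this change so that only the new 2.2.1-8+deb9u3 entry differs.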
diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm
--- cups-2.2.1/debian/.git-dpm  2018-07-03 07:45:20.0 +0200
+++ cups-2.2.1/debian/.git-dpm  2018-12-14 13:57:48.0 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-ed0d3345b936ea9d88356965770ddf5eecba46be
-ed0d3345b936ea9d88356965770ddf5eecba46be
+a40147f12081943df6c85b6b1f4d302633a6995c
+a40147f12081943df6c85b6b1f4d302633a6995c
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 cups_2.2.1.orig.tar.gz
diff -Nru 
cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
 
cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
--- 
cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
   1970-01-01 01:00:00.0 +0100
+++ 
cups-2.2.1/debian/patches/0052-DBUS-notifications-could-crash-the-scheduler-Issue-5.patch
   2018-12-14 13:57:46.0 +0100
@@ -0,0 +1,42 @@
+From f083e69ad83bd9445c1c3bfdf6878096ceb54113 Mon Sep 17 00:00:00 2001
+From: Michael Sweet 
+Date: Mon, 23 Oct 2017 16:23:43 -0400
+Subject: DBUS notifications could crash the scheduler (Issue #5143)
+
+- scheduler/ipp.c: Make sure requesting-user-name string is valid UTF-8.
+
+Fixes: CVE-2017-18248
+---
+ scheduler/ipp.c | 12 ++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/scheduler/ipp.c b/scheduler/ipp.c
+index dde976c72..50f5004b7 100644
+--- a/scheduler/ipp.c
 b/scheduler/ipp.c
+@@ -1576,6 +1576,16 @@ add_job(cupsd_client_t  *con,   /* I - Client 
connection */
+ return (NULL);
+   }
+ 
++  attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
++
++  if (attr && !ippValidateAttribute(attr))
++  {
++send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: 
%s"), cupsLastErrorString());
++if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
++  attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
++return (NULL);
++  }
++
+   if ((job = cupsdAddJob(priority, printer->name)) == NULL)
+   {
+ send_ipp_status(con, IPP_INTERNAL_ERROR,
+@@ -1594,8 +1604,6 @@ add_job(cupsd_client_t  *con,/* I - Client 
connection */
+   add_job_uuid(job);
+   apply_printer_defaults(printer, job);
+ 
+-  attr = ippFindAttribute(job->attrs, "requesting-user-name", IPP_TAG_NAME);
+-
+   if (con->username[0])
+   {
+ cupsdSetString(>username, con->username);
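Review bot: the second inner hunk drops `attr = ippFindAttribute(job->attrs, "requesting-user-name", IPP_TAG_NAME)`, so the code from `if (con->username[0])` onwards now works on the `attr` found in `con->request` by the first inner hunk instead of the job's own attribute. The patch description mentions only the UTF-8 validation; please state there that the later code in add_job() is meant to use the request's attribute, or keep the `job->attrs` lookup after `apply_printer_defaults(printer, job)`.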
diff -Nru 
cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
 
cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
--- 
cups-2.2.1/debian/patches/0053-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
   1970-01-01 01:00:00.0 +0100
+++ 

Bug#891142: stretch-pu: package cups/2.2.1-8+

2018-02-23 Thread Didier 'OdyX' Raboud
On Friday, 23 February 2018, 18.50:52 h CET, Adam D. Barratt wrote:
> > The proposed debdiff is attached; can I upload to stretch?
> 
> Please go ahead.

Uploaded.

> > Do you need another bug for Jessie ?

Done; #891251.

Thanks for your time!

Cheers,
OdyX



Bug#891251: jessie-pu: package cups/1.7.5-11+deb8u3

2018-02-23 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

(Mirroring #891142 for stretch):

CUPS is affected by CVE-2017-18190: remote attackers could execute arbitrary
IPP commands by sending POST requests to the CUPS daemon in conjunction with
DNS rebinding. This was caused by a whitelisted "localhost.localdomain" entry.

According to the Security Team it doesn't warrant a DSA, but still makes sense
to be addressed on Jessie (and Stretch). It was fixed independently on wheezy
already.

The proposed debdiff is attached; can I upload to jessie?
diff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog
--- cups-1.7.5/debian/changelog 2017-07-21 14:44:00.0 +0200
+++ cups-1.7.5/debian/changelog 2018-02-23 19:34:51.0 +0100
@@ -1,3 +1,12 @@
+cups (1.7.5-11+deb8u3) jessie; urgency=low
+
+  * CVE-2017-18190: Prevent an issue where remote attackers could execute
+arbitrary IPP commands by sending POST requests to the CUPS daemon in
+conjunction with DNS rebinding. This was caused by a whitelisted
+"localhost.localdomain" entry.
+
+ -- Didier Raboud   Fri, 23 Feb 2018 19:34:51 +0100
+
 cups (1.7.5-11+deb8u2) jessie; urgency=high
 
   * Disable SSLv3 and RC4 by default to address POODLE vulnerability
diff -Nru 
cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
 
cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
--- 
cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
1970-01-01 01:00:00.0 +0100
+++ 
cups-1.7.5/debian/patches/CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
2018-02-23 19:34:51.0 +0100
@@ -0,0 +1,23 @@
+From afa80cb2b457bf8d64f775bed307588610476c41 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet 
+Date: Tue, 3 Jan 2017 13:52:47 -0500
+Subject: [PATCH] Don't treat "localhost.localdomain" as an allowed replacement
+ for localhost, since it isn't.
+
+Fixes: CVE-2017-18190
+---
+ scheduler/client.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/scheduler/client.c
 b/scheduler/client.c
+@@ -4220,9 +4220,6 @@
+ 
+ return (!_cups_strcasecmp(con->clientname, "localhost") ||
+   !_cups_strcasecmp(con->clientname, "localhost.") ||
+-#ifdef __linux
+-  !_cups_strcasecmp(con->clientname, "localhost.localdomain") ||
+-#endif /* __linux */
+ !strcmp(con->clientname, "127.0.0.1") ||
+   !strcmp(con->clientname, "[::1]"));
+   }
diff -Nru cups-1.7.5/debian/patches/series cups-1.7.5/debian/patches/series
--- cups-1.7.5/debian/patches/series2017-07-21 13:32:05.0 +0200
+++ cups-1.7.5/debian/patches/series2018-02-23 19:34:51.0 +0100
@@ -66,3 +66,4 @@
 # po4a might not be appropriate. It also needs to be high on the patch
 # queue to catch all Debian-specific changes
 manpage-translations.patch
+CVE-2017-18190-Dont-treat-localhost.localdomain-as-replacement-for-localhost.patch
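Review bot: the new patch is appended below `manpage-translations.patch`, although the comment just above says that patch has to sit high on the patch queue to catch all Debian-specific changes. By its diffstat the CVE patch only touches scheduler/client.c, so nothing breaks, but listing it before `manpage-translations.patch` keeps the ordering rule stated in the comment intact.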


Bug#891142: stretch-pu: package cups/2.2.1-8+

2018-02-22 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

CUPS is affected by CVE-2017-18190: remote attackers could execute arbitrary
IPP commands by sending POST requests to the CUPS daemon in conjunction with
DNS rebinding. This was caused by a whitelisted "localhost.localdomain" entry.

According to the Security Team it doesn't warrant a DSA, but still makes sense
to be addressed on Stretch (and Jessie). It was fixed independently on wheezy
already.

The proposed debdiff is attached; can I upload to stretch? Do you need another
bug for Jessie ?

Cheers,
OdyX
diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog
--- cups-2.2.1/debian/changelog 2017-01-31 08:00:49.0 +0100
+++ cups-2.2.1/debian/changelog 2018-02-22 17:51:44.0 +0100
@@ -1,3 +1,12 @@
+cups (2.2.1-8+deb9u1) stretch; urgency=low
+
+  * CVE-2017-18190: Prevent an issue where remote attackers could execute
+arbitrary IPP commands by sending POST requests to the CUPS daemon in
+conjunction with DNS rebinding. This was caused by a whitelisted
+"localhost.localdomain" entry.
+
+ -- Didier Raboud   Thu, 22 Feb 2018 17:51:44 +0100
+
 cups (2.2.1-8) unstable; urgency=medium
 
   [ JP Guillonneau ]
diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm
--- cups-2.2.1/debian/.git-dpm  2017-01-18 14:02:35.0 +0100
+++ cups-2.2.1/debian/.git-dpm  2018-02-22 17:51:44.0 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-96d42e942cf2c930c3b535317bafd886c775a160
-96d42e942cf2c930c3b535317bafd886c775a160
+63883f6c2d0ebbb3e7499799b727fdb7d3f52d72
+63883f6c2d0ebbb3e7499799b727fdb7d3f52d72
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 cups_2.2.1.orig.tar.gz
diff -Nru 
cups-2.2.1/debian/patches/0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch
 
cups-2.2.1/debian/patches/0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch
--- 
cups-2.2.1/debian/patches/0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch
   1970-01-01 01:00:00.0 +0100
+++ 
cups-2.2.1/debian/patches/0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch
   2018-02-22 17:51:44.0 +0100
@@ -0,0 +1,25 @@
+From 63883f6c2d0ebbb3e7499799b727fdb7d3f52d72 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet 
+Date: Tue, 3 Jan 2017 13:52:47 -0500
+Subject: Don't treat "localhost.localdomain" as an allowed replacement for
+ localhost, since it isn't.
+
+Fixes: CVE-2017-18190
+---
+ scheduler/client.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 42010def1..20ccf11a9 100644
+--- a/scheduler/client.c
 b/scheduler/client.c
+@@ -3890,9 +3890,6 @@ valid_host(cupsd_client_t *con)  /* I - Client 
connection */
+ 
+ return (!_cups_strcasecmp(con->clientname, "localhost") ||
+   !_cups_strcasecmp(con->clientname, "localhost.") ||
+-#ifdef __linux
+-  !_cups_strcasecmp(con->clientname, "localhost.localdomain") ||
+-#endif /* __linux */
+ !strcmp(con->clientname, "127.0.0.1") ||
+   !strcmp(con->clientname, "[::1]"));
+   }
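Review bot: removing the `localhost.localdomain` comparison from the return expression means every client that reaches this check under that name is now refused, legitimate ones included, and the changelog entry describes only the CVE. Add a line to the changelog or NEWS naming the values that remain accepted (`localhost`, `localhost.`, `127.0.0.1`, `[::1]`) so administrators who relied on the old name know what changed.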
diff -Nru cups-2.2.1/debian/patches/series cups-2.2.1/debian/patches/series
--- cups-2.2.1/debian/patches/series2017-01-18 14:02:35.0 +0100
+++ cups-2.2.1/debian/patches/series2018-02-22 17:51:44.0 +0100
@@ -45,3 +45,4 @@
 0045-Build-mantohtml-with-the-build-architecture-compiler.patch
 0046-Do-not-execute-genstrings-during-build.patch
 manpage-translations.patch
+0048-Don-t-treat-localhost.localdomain-as-an-allowed-repl.patch
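
The Host-name allowlist that the patch above narrows, as an added stand-alone C example (not CUPS code and not part of the original message). The function names, the `legacy` switch and the sample header values are hypothetical; the example assumes the input is the raw value of the HTTP Host header and, going slightly beyond the patch, also strips the port and rejects malformed IPv6 literals.

```c
#include <stdio.h>
#include <string.h>

/* ASCII-only case-insensitive equality, independent of the process locale. */
static int ascii_ieq(const char *a, const char *b)
{
  for (; *a && *b; a++, b++)
  {
    unsigned char ca = (unsigned char)*a, cb = (unsigned char)*b;

    if (ca >= 'A' && ca <= 'Z') ca = (unsigned char)(ca + 32);
    if (cb >= 'A' && cb <= 'Z') cb = (unsigned char)(cb + 32);
    if (ca != cb) return 0;
  }
  return *a == *b;
}

/* Copy the host part of a Host header value into out, dropping ":port".
 * Returns 0 on success, -1 on empty, malformed or over-long input. */
static int split_host(const char *hdr, char *out, size_t outlen)
{
  const char *end;
  size_t len;

  if (!hdr || !*hdr) return -1;

  if (hdr[0] == '[')
  {
    /* Bracketed IPv6 literal: keep the brackets, as the allowlist does. */
    end = strchr(hdr, ']');
    if (!end) return -1;
    end++;
    if (*end != '\0' && *end != ':') return -1;
  }
  else
  {
    end = strchr(hdr, ':');
    if (!end) end = hdr + strlen(hdr);
  }

  len = (size_t)(end - hdr);
  if (len == 0 || len >= outlen) return -1;

  memcpy(out, hdr, len);
  out[len] = '\0';
  return 0;
}

/* Decide whether a request arriving on the loopback interface may proceed.
 * legacy != 0 reproduces the pre-patch allowlist that still contained
 * "localhost.localdomain"; legacy == 0 is the list left after the patch. */
int host_allowed_on_loopback(const char *host_header, int legacy)
{
  char name[256];

  if (split_host(host_header, name, sizeof(name)) != 0)
    return 0;

  if (ascii_ieq(name, "localhost") || ascii_ieq(name, "localhost.") ||
      !strcmp(name, "127.0.0.1") || !strcmp(name, "[::1]"))
    return 1;

  return legacy && ascii_ieq(name, "localhost.localdomain");
}

int main(void)
{
  /* Constructed Host header values, not taken from any real capture. */
  static const char *samples[] = {
    "localhost:631", "LocalHost.", "127.0.0.1:631", "[::1]:631",
    "localhost.localdomain:631", "rebind.example.net:631", "[::1", ""
  };
  size_t i;

  printf("%-28s %-8s %s\n", "Host header", "legacy", "patched");
  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("%-28s %-8s %s\n", samples[i],
           host_allowed_on_loopback(samples[i], 1) ? "allow" : "deny",
           host_allowed_on_loopback(samples[i], 0) ? "allow" : "deny");
  return 0;
}
```

Only the `localhost.localdomain` row differs between the two columns; every other name is treated the same before and after the patch.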


Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

2017-07-21 Thread Didier 'OdyX' Raboud
On Tuesday, 27 June 2017, 20.32:11 h CEST, Cyril Brulebois wrote:
> Assuming that this was successfully tested (including by setting those
> two options to restore support for insecure crypto) on a jessie system,
> and once you've fixed the codename in debian/changelog (you want jessie
> rather than jessie-security), feel free to upload.

Uploaded now after testing. I also fixed a typo in the changelog: AllowSSLv3 
vs AllowSSL3 (superfluous 'v').

Sorry for the delay.

Cheers,
OdyX



Bug#864973: stretch-pu: package win32-loader/0.8.3+deb9u1

2017-07-14 Thread Didier 'OdyX' Raboud
On Sunday, 25 June 2017, 22.53:27 h CEST, Cyril Brulebois wrote:
> Looks good to me, feel free to upload, thanks.
> 
> By the way, we probably shouldn't be using “stable” in URLs, but the
> target distribution (stretch here)?

Uploaded.

I noticed 0.8.4 hasn't migrated to testing, which might cause an issue though: 
do we need to put 0.8.3+deb9u1 in testing, or migrate 0.8.4 (with the ftp-
master dance) ?

Cheers,
OdyX



Bug#864973: stretch-pu: package win32-loader/0.8.3+deb9u1

2017-06-18 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

As discussed on debian-boot starting from
https://lists.debian.org/4374235.3xk2uo9...@odyx.org , win32-loader
(in stretch) still doesn't use the deb.debian.org agreed-upon mirror.
Also, as its standalone version embeds multiple other packages (as
listed on
https://deb.debian.org/debian/tools/win32-loader/stable/win32-loader.txt
), the 0.8.3 version as released with Stretch still contains jessie's
debian-archive-keyring.

Specifically, we held this upload back then because we were waiting on
gnupg's 2.1.18-8 (whose pu request is tracked in #863734).

It would be good to have an updated win32-loader in Stretch; the
possible debdiff would be attached.

Cheers,
OdyX
diff -Nru win32-loader-0.8.3/branch.nsi win32-loader-0.8.3+deb9u1/branch.nsi
--- win32-loader-0.8.3/branch.nsi   2017-01-01 11:40:06.0 +0100
+++ win32-loader-0.8.3+deb9u1/branch.nsi2017-06-18 10:21:47.0 
+0200
@@ -63,7 +63,7 @@
   StrCpy $base_path_images  "netboot/debian-installer/hurd-$arch"
 ${EndIf}
   ${Else}
-StrCpy $base_url "http://httpredir.debian.org/debian/dists/stable/;
+StrCpy $base_url "http://deb.debian.org/debian/dists/stable/;
 ${If} $kernel == "linux"
   ; Only Debian GNU/Linux will have a stable branch for the stretch cycle
   StrCpy $base_path_hashes"main/installer-$arch/current/images/"
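Review bot: the replacement `$base_url` keeps `dists/stable/` although the comment two lines below speaks of the stretch cycle, so a loader built from this branch will follow whatever release the `stable` alias points to later. Consider naming the target distribution in the path, as raised elsewhere in this thread, or add a comment explaining why the alias is wanted.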
diff -Nru win32-loader-0.8.3/debian/changelog 
win32-loader-0.8.3+deb9u1/debian/changelog
--- win32-loader-0.8.3/debian/changelog 2017-04-19 18:03:11.0 +0200
+++ win32-loader-0.8.3+deb9u1/debian/changelog  2017-06-18 10:25:41.0 
+0200
@@ -1,3 +1,10 @@
+win32-loader (0.8.3+deb9u1) stretch; urgency=medium
+
+  * Drop bz2 compression for source
+  * Replace all mirror urls with deb.debian.org
+
+ -- Didier Raboud   Sun, 18 Jun 2017 10:25:41 +0200
+
 win32-loader (0.8.3) unstable; urgency=low
 
   * The « Pippita » release
diff -Nru win32-loader-0.8.3/debian/rules win32-loader-0.8.3+deb9u1/debian/rules
--- win32-loader-0.8.3/debian/rules 2017-04-19 18:03:11.0 +0200
+++ win32-loader-0.8.3+deb9u1/debian/rules  2017-06-18 10:21:47.0 
+0200
@@ -13,7 +13,7 @@
 PACKAGES_LIST := $(shell set -e; \
for p in ${B_D_PACKAGES}; \
do \
-   dpkg-query --showformat='$${source:Package;-25} 
$${source:Version;-25} 
http://ftp.debian.org/debian/pool/main/$${source:Package;1}/$${source:Package}\\n'
 --show $$p; \
+   dpkg-query --showformat='$${source:Package;-25} 
$${source:Version;-25} 
http://deb.debian.org/debian/pool/main/$${source:Package;1}/$${source:Package}\\n'
 --show $$p; \
done)
 
 BUILT_USING_LIST := $(shell set -e; \
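Review bot: `$${source:Package;1}` truncates the source name to its first character for the pool directory, but the archive files sources whose name starts with `lib` under a four-character directory such as `pool/main/libg/`, so the URL printed for any such package in B_D_PACKAGES would not resolve. This predates the mirror switch; since the line is touched anyway, either special-case `lib*` names or drop the per-package URL from the generated list.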
diff -Nru win32-loader-0.8.3/debian/source/options 
win32-loader-0.8.3+deb9u1/debian/source/options
--- win32-loader-0.8.3/debian/source/options2014-08-28 20:34:04.0 
+0200
+++ win32-loader-0.8.3+deb9u1/debian/source/options 1970-01-01 
01:00:00.0 +0100
@@ -1,2 +0,0 @@
-# Compress source using bz2
-compression = bzip2
diff -Nru win32-loader-0.8.3/Makefile win32-loader-0.8.3+deb9u1/Makefile
--- win32-loader-0.8.3/Makefile 2017-03-20 20:56:38.0 +0100
+++ win32-loader-0.8.3+deb9u1/Makefile  2017-06-18 10:21:47.0 +0200
@@ -181,7 +181,7 @@
   $(NULL)
genisoimage -r -J -o $@ netboot/daily
 
-BASE_URL=http://ftp.nl.debian.org/debian/dists/stable/main
+BASE_URL=http://deb.debian.org/debian/dists/stable/main
 netboot/download-stable-stamp:
mkdir -p netboot/stable/install.{386,amd}/gtk
wget 
$(BASE_URL)/installer-i386/current/images/netboot/debian-installer/i386/linux \
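Review bot: `BASE_URL` stays on plain `http://`, and the `wget` call below it fetches an installer kernel image with no checksum or signature check visible in this hunk. If verification happens elsewhere in the Makefile, a comment next to `BASE_URL` pointing at it would help; if it does not, the downloaded images should be checked against the archive's signed checksum files before they are used.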


Re: [pkg-gnupg-maint] Last chance for d-i changes in stretch

2017-05-30 Thread Didier 'OdyX' Raboud
On Tuesday, 30 May 2017, 12.56:29 h CEST, Daniel Kahn Gillmor wrote:
> I've just filed unblock request #863734, which will hopefully achieve
> this result.

Ah great. Will keep an eye and upload as soon as that's granted :-)

-- 
OdyX



Re: Last chance for d-i changes in stretch

2017-05-29 Thread Didier 'OdyX' Raboud
On Saturday, 27 May 2017, 17.17:10 h CEST, Didier 'OdyX' Raboud wrote:
> win32-loader should be arch:all-rebuilt (aka uploaded) with a versioned
> Build-Depends on the latest debian-archive-keyring. It would therefore
> also embed the latest versions of all the other binaries its standalone
> version embeds.

For all packages with the same version in unstable and testing, it's not an 
issue (and doesn't need an explicit B-D version); it's the case for all but 
one of the packages win32-loader has a Built-Using value for: src:gnupg2 is 
currently in 2.1.18-8 version in unstable and -6 in testing.

If I upload win32-loader now, it will embed gpgv-win32 2.1.18-8, no matter 
which gnupg2 version will be part of stretch. There are three alternatives, in 
decreasing order of preference:
* get gnupg2 in testing, upload win32-loader to unstable, migrate it
* upload win32-loader to unstable, upload it _too_ (with a different version?) 
in testing-proposed-updates to get rid of the version discrepancy
* upload win32-loader to unstable, migrate it (and too bad for the version 
difference)

> It also currently uses httpredir.debian.org as only mirror, so we should
> decide if it makes sense to consolidate onto deb.debian.org for win32-
> loader too.

I've staged a change of all mirror references to deb.debian.org. The 
previously-discussed source compression change away from .bz2 would also be 
part of that upload. I'm waiting for directions regarding gnupg2 :-)

Cheers,
OdyX
-- 
OdyX



Re: Last chance for d-i changes in stretch

2017-05-27 Thread Didier 'OdyX' Raboud
On Friday, 26 May 2017, 19.04:13 h CEST, Cyril Brulebois wrote:
> Hi,
> 
> You might have noticed final preparations for d-i Stretch RC 4 are
> underway. A new debian-installer upload (or a binNMU) will need to
> happen before the first stretch release (aka. r0). If there's anything
> you want or would like to include in r0, now is the time to mention it.
> 
> Right now, the last upload/binNMU will be needed:
>  - to account for updated keys in debian-archive-keyring;
>  - to include pending netcfg changes (IPv6 vs. rdnssd);
>  - to possibly include a last choose-mirror update;

win32-loader should be arch:all-rebuilt (aka uploaded) with a versioned 
Build-Depends on the latest debian-archive-keyring. It would therefore 
also embed the latest versions of all the other binaries its standalone 
version embeds.

It also currently uses httpredir.debian.org as only mirror, so we should 
decide if it makes sense to consolidate onto deb.debian.org for win32-
loader too.

Opinions?

Cheers,
OdyX



Bug#861843: unblock: (pre-approval) hplip/3.16.11+repack0-3

2017-05-08 Thread Didier 'OdyX' Raboud
Control: tags -1 -moreinfo

On Sunday, 7 May 2017, 16.25:00 h CEST, Niels Thykier wrote:
> Didier 'OdyX' Raboud:
> > I plan to upload hplip with a simple fix for #861731 (UnicodeDecodeError
> > on some filenames) that has apparently been committed upstream.
> 
> Ack, please go ahead and remove the moreinfo tag once the upload has
> been ACCEPTed and the package built on all relevant release architectures.

These have happened.

Cheers,
OdyX



Bug#861843: unblock: (pre-approval) hplip/3.16.11+repack0-3

2017-05-04 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

I plan to upload hplip with a simple fix for #861731 (UnicodeDecodeError on
some filenames) that has apparently been committed upstream.

This is the changelog entry:
>   [ Gaurav Sood ]
>   * Fix handling of unicode filenames in sixext.py
> (Closes: #861731, LP: #1480152)

Please see the attached debdiff
diff -Nru hplip-3.16.11+repack0/debian/changelog 
hplip-3.16.11+repack0/debian/changelog
--- hplip-3.16.11+repack0/debian/changelog  2017-01-30 21:36:12.0 
+0100
+++ hplip-3.16.11+repack0/debian/changelog  2017-05-04 18:35:44.0 
+0200
@@ -1,3 +1,11 @@
+hplip (3.16.11+repack0-3) unstable; urgency=low
+
+  [ Gaurav Sood ]
+  * Fix handling of unicode filenames in sixext.py
+(Closes: #861731, LP: #1480152)
+
+ -- Didier Raboud   Thu, 04 May 2017 18:35:44 +0200
+
 hplip (3.16.11+repack0-2) unstable; urgency=medium
 
   [ Brian Potkin ]
diff -Nru hplip-3.16.11+repack0/debian/gbp.conf 
hplip-3.16.11+repack0/debian/gbp.conf
--- hplip-3.16.11+repack0/debian/gbp.conf   2017-01-30 19:42:12.0 
+0100
+++ hplip-3.16.11+repack0/debian/gbp.conf   2017-05-04 18:34:48.0 
+0200
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/stretch
 upstream-branch = upstream/latest
 pristine-tar = True
 
diff -Nru hplip-3.16.11+repack0/debian/.git-dpm 
hplip-3.16.11+repack0/debian/.git-dpm
--- hplip-3.16.11+repack0/debian/.git-dpm   2017-01-30 19:42:12.0 
+0100
+++ hplip-3.16.11+repack0/debian/.git-dpm   2017-05-04 18:34:48.0 
+0200
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-23ef661a83d0a96ba61be2eef3ac502a2c000724
-23ef661a83d0a96ba61be2eef3ac502a2c000724
+602e2d8fb42cf4b62bf245702f314fecf6a2227c
+602e2d8fb42cf4b62bf245702f314fecf6a2227c
 eafc834119e19d43010499f9205cd5f4485973f4
 eafc834119e19d43010499f9205cd5f4485973f4
 hplip_3.16.11+repack0.orig.tar.xz
diff -Nru 
hplip-3.16.11+repack0/debian/patches/0024-Fix-handling-of-unicode-filenames-in-sixext.py.patch
 
hplip-3.16.11+repack0/debian/patches/0024-Fix-handling-of-unicode-filenames-in-sixext.py.patch
--- 
hplip-3.16.11+repack0/debian/patches/0024-Fix-handling-of-unicode-filenames-in-sixext.py.patch
  1970-01-01 01:00:00.0 +0100
+++ 
hplip-3.16.11+repack0/debian/patches/0024-Fix-handling-of-unicode-filenames-in-sixext.py.patch
  2017-05-04 18:34:48.0 +0200
@@ -0,0 +1,29 @@
+From 602e2d8fb42cf4b62bf245702f314fecf6a2227c Mon Sep 17 00:00:00 2001
+From: Gaurav Sood 
+Date: Thu, 4 May 2017 18:32:08 +0200
+Subject: Fix handling of unicode filenames in sixext.py
+
+LP: #1480152
+Closes: #861731
+---
+ base/sixext.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/base/sixext.py b/base/sixext.py
+index 0bf4fc4f4..311bf72c6 100644
+--- a/base/sixext.py
 b/base/sixext.py
+@@ -110,11 +110,11 @@ if PY3:
+ 
+ 
+ def to_string_utf8(s):
+-return s.decode("utf-8")
++return s.decode("utf-8", 'ignore')
+ 
+ 
+ def to_string_latin(s):
+-return s.decode("latin-1")
++return s.decode("latin-1", 'ignore')
+ 
+ 
+ def to_unicode(s, enc=None):
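Review bot: `'ignore'` in `to_string_utf8` silently drops every byte that is not valid UTF-8, so two different file names can decode to the same string and the result may no longer name the file on disk. `'replace'` or, since this is the PY3 branch, `'surrogateescape'` would avoid the UnicodeDecodeError without discarding bytes unnoticed; in `to_string_latin` the extra argument has no effect, because latin-1 maps every byte value and cannot fail on decode.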
diff -Nru hplip-3.16.11+repack0/debian/patches/series 
hplip-3.16.11+repack0/debian/patches/series
--- hplip-3.16.11+repack0/debian/patches/series 2017-01-30 19:42:12.0 
+0100
+++ hplip-3.16.11+repack0/debian/patches/series 2017-05-04 18:34:48.0 
+0200
@@ -21,3 +21,4 @@
 0021-Fix-erroneous-tabs-in-hpps-python-code.patch
 0022-Add-include-cups-ppd.h-in-various-places-as-CUPS-2.2.patch
 0023-Fix-list-wrapping-in-scan.py-to-fix-generated-manpag.patch
+0024-Fix-handling-of-unicode-filenames-in-sixext.py.patch


Bug#861729: unblock: win32-loader/0.8.3

2017-05-03 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock-udeb package win32-loader 0.8.3 as it fixes an FTBFS
on i386 in stretch (and is always blocked because of the manual migration to
be done by ftpmasters):

> * Fix FTBFS on i386: use gawk to prepare README file (Closes: #860695)

(This is a bug in mawk, reported as #860751)

debdiff is attached.

ftpmaster: please copy debian/tools/win32-loader/unstable into …/testing 

unblock-udeb win32-loader/0.8.3

Cheers, OdyX
diff -Nru win32-loader-0.8.2/debian/changelog 
win32-loader-0.8.3/debian/changelog
--- win32-loader-0.8.2/debian/changelog 2017-03-20 21:23:59.0 +0100
+++ win32-loader-0.8.3/debian/changelog 2017-04-19 18:03:11.0 +0200
@@ -1,3 +1,11 @@
+win32-loader (0.8.3) unstable; urgency=low
+
+  * The « Pippita » release
+
+  * Fix FTBFS on i386: use gawk to prepare README file (Closes: #860695)
+
+ -- Didier Raboud   Wed, 19 Apr 2017 18:03:11 +0200
+
 win32-loader (0.8.2) unstable; urgency=medium
 
   * The « Iao » release
diff -Nru win32-loader-0.8.2/debian/control win32-loader-0.8.3/debian/control
--- win32-loader-0.8.2/debian/control   2017-03-20 21:12:00.0 +0100
+++ win32-loader-0.8.3/debian/control   2017-04-19 18:03:11.0 +0200
@@ -10,6 +10,7 @@
  mingw-w64,
  libgcrypt-mingw-w64-dev, libgpg-error-mingw-w64-dev,
  librsvg2-bin, icoutils,
+ gawk,
  gettext,
  grub-pc-bin (>= 1.99~rc1-3),
  imagemagick,
diff -Nru win32-loader-0.8.2/debian/rules win32-loader-0.8.3/debian/rules
--- win32-loader-0.8.2/debian/rules 2017-03-20 21:10:08.0 +0100
+++ win32-loader-0.8.3/debian/rules 2017-04-19 18:03:11.0 +0200
@@ -39,9 +39,9 @@
dh_auto_build

# Prepare the README file
-   awk '{sub(/@PACKAGES_LIST@/,"$(PACKAGES_LIST)")}1 \
- {sub(/@NSIS_VERSION@/,"$(NSIS_VERSION)")}1 \
- {sub(/@W32_VERSION@/,"$(W32_VERSION)")}1' \
+   gawk '{sub(/@PACKAGES_LIST@/,"$(PACKAGES_LIST)")}1 \
+ {sub(/@NSIS_VERSION@/,"$(NSIS_VERSION)")}1 \
+ {sub(/@W32_VERSION@/,"$(W32_VERSION)")}1' \
debian/win32-loader_doc.txt > $(W32_BYHAND_NAME).txt
cat debian/copyright >> $(W32_BYHAND_NAME).txt
 endif
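Review bot: the recipe switches from `awk` to `gawk` with no comment in debian/rules saying why. A one-line comment above the call referencing the mawk problem (#860751, per the request text) would keep someone from reverting it to plain `awk` later.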


Bug#859084: unblock: win32-loader/0.8.2

2017-03-30 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock-udeb package win32-loader 0.8.2 as it fixes a FTBFS
in stretch (and is always blocked because of the manual migration to
be done by ftpmasters):

>   * Fix dpkg-query calls to use source:* for Version and Package directly
> - Add Build-Dependency on dpkg (>= 1.16.2) for that support
> - Fixes the FTBFS revealed by loadlin's binNMU
> (Closes: #858104)

debdiff is attached.

ftpmaster: please copy debian/tools/win32-loader/unstable into …/testing 

unblock-udeb win32-loader/0.8.2

Cheers, OdyX
diff -Nru win32-loader-0.8.1/debian/changelog 
win32-loader-0.8.2/debian/changelog
--- win32-loader-0.8.1/debian/changelog 2016-12-29 20:57:22.0 +0100
+++ win32-loader-0.8.2/debian/changelog 2017-03-20 21:23:59.0 +0100
@@ -1,3 +1,14 @@
+win32-loader (0.8.2) unstable; urgency=medium
+
+  * The « Iao » release
+
+  * Fix dpkg-query calls to use source:* for Version and Package directly
+- Add Build-Dependency on dpkg (>= 1.16.2) for that support
+- Fixes the FTBFS revealed by loadlin's binNMU
+(Closes: #858104)
+
+ -- Didier Raboud   Mon, 20 Mar 2017 21:23:59 +0100
+
 win32-loader (0.8.1) unstable; urgency=medium
 
   * The « poipoi » release
diff -Nru win32-loader-0.8.1/debian/control win32-loader-0.8.2/debian/control
--- win32-loader-0.8.1/debian/control   2016-12-29 19:06:06.0 +0100
+++ win32-loader-0.8.2/debian/control   2017-03-20 21:12:00.0 +0100
@@ -4,6 +4,7 @@
 Maintainer: Debian Install System Team 
 Uploaders: Robert Millan , Didier Raboud 
, Christian Perrier 
 Build-Depends:
+ dpkg (>= 1.16.2),
  debhelper (>= 9),
  nsis (>= 2.48), nsis-pluginapi,
  mingw-w64,
diff -Nru win32-loader-0.8.1/debian/rules win32-loader-0.8.2/debian/rules
--- win32-loader-0.8.1/debian/rules 2016-12-29 20:06:05.0 +0100
+++ win32-loader-0.8.2/debian/rules 2017-03-20 21:10:08.0 +0100
@@ -13,23 +13,13 @@
 PACKAGES_LIST := $(shell set -e; \
for p in ${B_D_PACKAGES}; \
do \
-   if test `dpkg-query --showformat='x$${Source}x' --show $$p` = 
"xx"; \
-   then \
-   dpkg-query --showformat='$${Package;-25} 
$${Version;-25} 
http://ftp.debian.org/debian/pool/main/$${Package;1}/$${Package}\\n' --show 
$$p; \
-   else \
-   dpkg-query --showformat='$${Package;-25} 
$${Version;-25} 
http://ftp.debian.org/debian/pool/main/$${Source;1}/$${Source}\\n' --show $$p; \
-   fi; \
+   dpkg-query --showformat='$${source:Package;-25} 
$${source:Version;-25} 
http://ftp.debian.org/debian/pool/main/$${source:Package;1}/$${source:Package}\\n'
 --show $$p; \
done)
 
 BUILT_USING_LIST := $(shell set -e; \
for p in ${B_D_PACKAGES}; \
do \
-   if test `dpkg-query --showformat='x$${Source}x' --show $$p` = 
"xx"; \
-   then \
-   dpkg-query --showformat='$${Package} (= $${Version}), ' 
--show $$p; \
-   else \
-   dpkg-query --showformat='$${Source} (= $${Version}), ' 
--show $$p; \
-   fi; \
+   dpkg-query --showformat='$${source:Package} (= 
$${source:Version}), ' --show $$p; \
done)
 
 NSIS_VERSION  := $(shell dpkg-query -f='$${Version}' -W nsis )


Bug#854065: unblock: cups/2.2.1-8

2017-02-03 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package cups in version 2.2.1-8, it carries a French manpages
translation update, closing #852662 (that was the french translator's request
for update). I made a dch mistake, which made me skip -7, sorry for that.

$ debdiff cups_2.2.1-{6,8}.dsc | diffstat
 changelog |7 
 manpage-po4a/po/fr.po |  444 ++
 2 files changed, 239 insertions(+), 212 deletions(-)

Cheers,
OdyX

unblock cups/2.2.1-8



Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

2017-01-31 Thread Didier 'OdyX' Raboud
Control: tags -1 -moreinfo

Hi there Adam,

Le samedi, 28 janvier 2017, 17.15:32 h CET Adam D. Barratt a écrit :
> On Tue, 2016-12-20 at 09:20 +0100, Didier 'OdyX' Raboud wrote:
> > Le samedi, 17 décembre 2016, 11.38:59 h CET Julien Cristau a écrit :
> > > The debdiff is the one we tend to look at, but it looks like it was not
> > > attached.
> > 
> > Indeed, sorry. Here it comes.
> 
> +--- a/doc/help/ref-cupsd-conf.html.in
>  b/doc/help/ref-cupsd-conf.html.in
> +@@ -2004,23 +2004,23 @@
> + variable that should be passed to child processes.
> +
> +
> +-SSLListen
> ++SSLOptions
> +
> + Examples
> +
> + 
> +-SSLListen 127.0.0.1:443
> +-SSLListen 192.0.2.1:443
> ++SSLOptions 127.0.0.1:443
> ++SSLOptions 192.0.2.1:443
> + 
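Review bot: The renamed heading and examples document `SSLOptions` with listen addresses (`SSLOptions 127.0.0.1:443`), which are `SSLListen` values; according to the changelog of this upload, `SSLOptions` takes `AllowSSLv3` and `AllowRC4`. Leave the `SSLListen` section as it was and document `SSLOptions` in a section of its own, so administrators get working syntax for the new default.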
> 
> This looks wrong, as do the remainder of the changes to that hunk of the
> diff.

That's Ubuntu's patch as released in their 1.7.2-0ubuntu1.7 trusty-security 
upload from Nov 2015, fixing [LP:1505328], written by Bryan Quigley and 
reviewed by their security team member Marc Deslauriers. But they arguably 
missed that wrong documentation change, indeed.

Updated debdiff attached.

-- 
OdyX

[LP:1505328] https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328

diff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog
--- cups-1.7.5/debian/changelog	2015-06-09 09:45:50.0 +0200
+++ cups-1.7.5/debian/changelog	2016-10-10 10:05:10.0 +0200
@@ -1,3 +1,13 @@
+cups (1.7.5-11+deb8u2) jessie-security; urgency=high
+
+  * Disable SSLv3 and RC4 by default to address POODLE vulnerability
+(Closes: #839226)
+- Implement SSLOptions to permit the use of AllowSSLv3 and AllowRC4
+  respectively
+  * Refresh patches
+
+ -- Didier Raboud <o...@debian.org>  Mon, 10 Oct 2016 10:05:10 +0200
+
 cups (1.7.5-11+deb8u1) jessie-security; urgency=high
 
   * Import 1.7 upstream fix for CERT VU#810572: Privilege escalation through
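Review bot: The new entry targets `jessie-security`, but this request is a jessie-pu bug against release.debian.org; if the upload goes through proposed-updates as requested here, the distribution in the first line should be `jessie`. Please also reconcile the version: the bug title names 1.7.5-11+deb8u1 while the entry being added is 1.7.5-11+deb8u2 on top of an existing +deb8u1.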
diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch
--- cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch	2016-10-10 10:05:10.0 +0200
@@ -27,7 +27,7 @@
LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -246,6 +246,9 @@
+@@ -248,6 +248,9 @@
  	/* SSL/TLS options */
  #endif /* HAVE_SSL */
  
diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch
--- cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch	2016-10-10 10:05:10.0 +0200
@@ -21,7 +21,7 @@
LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -251,6 +251,9 @@
+@@ -253,6 +253,9 @@
  VAR int			IdleExitTimeout		VALUE(0);
  	/* Time after which an idle cupsd will exit */
  
@@ -51,7 +51,7 @@
  #endif /* HAVE_SYSTEMD */
 --- a/man/cupsd.conf.man.in
 +++ b/man/cupsd.conf.man.in
-@@ -521,6 +521,12 @@
+@@ -528,6 +528,12 @@
  "notify-events", "notify-pull-method", "notify-recipient-uri",
  "notify-subscriber-user-name", and "notify-user-data".
  .TP 5
diff -Nru cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch
--- cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch	2016-10-10 10:05:10.0 +0200
@@ -13,7 +13,7 @@
LogTimeFormat= CUPSD_TIME_STANDARD;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -166,7 +166,7 @@
+@@ -168,7 +168,7 @@
  	/* Allow overrides? */
  			ConfigFilePerm		VALUE(0640),
  	/* Permissions for config files */
diff -Nru cups-1.7.5/debian/patches/pidfile.patch cups-1.7.5/debian/patches/pidfile.patch
--- cups-1.7.5/debian/patches/pidfile.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/pidfile.patch	2016-10-10 10:05:10.0 +0200
@@ -24,7 +24,7 @@
  
if (!strcmp(CUPS_DEFAULT_PRINTCAP, "/etc/printers.conf"))
  PrintcapFormat = PRINTCAP_SOLARIS;
-@@ -,6 +3335,7 @@
+@@ -3370,6 +3372,7 @@
   !_cups_strcasecmp(line, "SystemGroup") ||
   !_cups_strcasecmp(line, "SystemGroupAuthKey") ||
   !_cups_strcasecmp(line, "TempDir") ||
@@ -34,7 +34,7 @@
cupsdLogMessage(CUPSD_LOG_INFO,
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -245,6 +245,8 @@
+@@ -247,6 +247,8 @@
  VAR int			SSLOptions		VALUE(CUPSD_SSL_NONE);
  	/* SSL/TLS options */
  #endif /* HAVE_SSL */
diff -Nru cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ip

Re: Bug#850887: [TIMELY for TC members] Interim Ballot Proposal: #850887 binutils mips

2017-01-12 Thread Didier 'OdyX' Raboud
Le mercredi, 11 janvier 2017, 22.38:33 h CET Sam Hartman a écrit :
> I heard back from doko today.  We can expect a reply tomorrow.  We also
> talked briefly about the issue.

Good. Thanks for this work.

> Realistically, I cannot imagine the TC coming to any final decision on
> something like this in under three weeks.  That timeline seems fairly
> aggressive actually.

Right. It implies that every involved party (Lisandro, the Release Team, 
Matthias, and the TC members) can provide a high bandwidth to that issue.

> However, I think the TC could act much more quickly in an interim
> capacity.

Yes.

> I personally believe that having packages building is a better interim
> state than the status quo.  There are risks to an interim measure.  We
> could have packages in the archive that build but fail to function
> correctly.

Ack.

> Depending on what we do long term, we could end up replacing
> packages currently in Stretch with packages we can no longer rebuild.

The worst case is needing to rebootstrap mips' stretch either from jessie, or 
in a cross-bootstrap situation, right ?

> I personally think that when I weigh those risks against my estimate of
> their probability, I think it makes sense to adopt an interim measure.

I agree.

> Roughly I propose to override the maintainer and permit an NMU to be
> made for this issue.

It would be much preferable if Matthias would accept that patch, or revert to 
the previous working version. But if it needs an NMU, so be it.

(Mid-term, I want to understand how it can make sense to change Debian's
 binutils' tracked branch (2.27→2.28) three days before the transition
 freeze.)

> The decision stands until the maintainer fixes the bug or Stretch
> releases, or another resolution is passed (presumably with a more
> permanent decision).

Absolutely.

> Yes, that means that the maintainer could reintroduce the bug and revert
> the NMU immediately on the release of Stretch.

Absolutely. I wouldn't support a resolution enforcing that NMU in unstable 
forever. New release cycles are our reset button, really.

> I propose to be very aggressive in calling for a vote on the following
> ballot.
> I plan to call for a vote in 24 hours if I get support from at least one
> TC member and no objections from within the TC or release team.

Let this mail be my support !

> Also, within that time, we should hear from doko.  His input may change
> my thinking even for an interim measure.

Yes, absolutely. There was only one mail from Matthias on the #844227, only to 
NAK the NMU, on an RC bug opened since November, his input is long overdue!

> 
> In #850887, the Debian Technical Committee was asked to choose a
> solution for #840227, a bug that prevents a significant number of
> packages from building on the mips architecture.  Given the upcoming
> Stretch freeze, this issue is urgent.
> 
> As an interim measure, using its powers under section 6.1.4 of the
> Debian Constitution, the Technical Committee overrules Matthias
> Klose's decision to revert the NMU of binutils fixing #840227.  The
> committee requests Lisandro Damián Nicanor Pérez Meyer to make a new
> NMU fixing #840227.
> 
> The committee requests the release team to support the interim nature of
> this solution and if a permanent solution is adopted before the release of
> Stretch, to consider including that solution in Stretch even if the freeze
> criteria would not normally permit such consideration.
> 
> In addition, the committee requests the stable release managers for Stretch
> to consider including the eventual upstream solution for this issue into a
> stretch update.
> 
> This interim decision stands until the release of Stretch, until it is
> replaced by resolution, or until the binutils maintainer fixes #840227 in
> some other manner.
> 
> 
> Choice 1:  Approve the Resolution (3:1 majority)
> Choice 2: Reject this Interim Measure
> Choice 3: Further Discussion
> 

I agree with the ballot including Ian's suggestion, and think we should start 
the vote as early as this week-end.

Cheers,
OdyX



Bug#850801: unblock: win32-loader/0.8.1

2017-01-10 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
X-Debbugs-Cc: win32-loa...@packages.debian.org, ftpmas...@ftp-master.debian.org
Usertags: unblock

Please unblock-udeb package win32-loader 0.8.1. as it has some useful
stretch'ification (and is always blocked because of the manual
migration to be done by ftpmasters):

>  * As NSIS doesn't support downloading from https (#819092), and as
>d-i dailies are now on an https-enforced hosts: don't allow branch
>or kernel selection
>  * Replace the Lines screenshot by a recent softWaves screenshot

ftpmaster: please copy debian/tools/win32-loader/unstable into …/testing 

unblock-udeb win32-loader/0.8.1

Cheers, OdyX



Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

2017-01-03 Thread Didier 'OdyX' Raboud
Le mardi, 3 janvier 2017, 12.21:36 h CET Adam D. Barratt a écrit :
> You can't immediately re-use the version. Either we can reject the 
> current package and you can then upload a fixed +deb8u1, or you can 
> upload +deb8u2 which just adds the fix above.

It does make sense to re-use the same version, doesn't it? If so, please 
reject, I'll upload after that.

-- 
Cheers,
OdyX



Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

2017-01-03 Thread Didier 'OdyX' Raboud
Le lundi, 2 janvier 2017, 18.10:15 h CET Adam D. Barratt a écrit :
> On Sun, 2017-01-01 at 11:38 +0100, Didier 'OdyX' Raboud wrote:
> > Le samedi, 31 décembre 2016, 17.10:09 h CET Adam D. Barratt a écrit :
> > > Control: tags -1 + confirmed
> > > 
> > > On Tue, 2016-12-27 at 14:18 +0100, Didier 'OdyX' Raboud wrote:
> > > > I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue,
> > > > and
> > > > security team members suggested to get it fixed through stable
> > > > updates.
> > > > 
> > > > This bug is a simple 'fetching gpg key from keyservers with a short
> > > > keyid' problem, and upstream's fix is to use the full fingerprint.
> > > 
> > > Please go ahead.
> > 
> > Uploaded, thanks for the confirmation.
> 
> Automated post-upload lintian checks caught a new issue:
> 
> +E: empty-manual-page usr/share/man/man1/hp-toolbox.1.gz
> 
> and indeed:
> 
> adsb@coccia:/srv/mirrors/debian/pool/main/h/hplip$ dpkg-deb -c hplip-gui_3.14.6-1_all.deb | grep toolbox.1
> -rw-r--r-- root/root   818 2014-06-15 07:31 ./usr/share/man/man1/hp-toolbox.1.gz
> adsb@coccia:/srv/mirrors/debian/pool/main/h/hplip$ dpkg-deb -c /srv/ftp-master.debian.org/policy/pool/main/h/hplip/hplip-gui_3.14.6-1+deb8u1_all.deb | grep toolbox.1
> -rw-r--r-- root/root    20 2016-12-27 13:48 ./usr/share/man/man1/hp-toolbox.1.gz
> 
> Any idea what's going on there?

Ah yes. I had fixed this in b1b3f529471d15fb97d1c651f3c60901cc67131b, see 
attached patch.

This is due to new (entirely rightful) restrictions in the buildds (or in my 
sbuild setup) apparently.

So I should cherry-pick that and re-upload (re-using the 3.14.6-1+deb8u1 
version number ?) ?

-- 
Cheers,
OdyX

From b1b3f529471d15fb97d1c651f3c60901cc67131b Mon Sep 17 00:00:00 2001
From: Didier Raboud <o...@debian.org>
Date: Mon, 3 Oct 2016 11:37:37 +0200
Subject: [PATCH] Export HOME when building the manpages to permit hp-toolbox's
 manpage generation

---
 debian/rules | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian/rules b/debian/rules
index d44f11cbf..1aa626d6f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -167,6 +167,7 @@ override_dh_install:
 	for file in *; do \
 			if readlink $$file | grep ".py"; then \
 PYTHONPATH=../lib/python$(PYTHON_DEFAULT_VERSION)/$(PYTHON_SITENAME)/ \
+HOME=./ \
 LD_LIBRARY_PATH=../lib/$(DEB_HOST_MULTIARCH) python3 ./$$file --help-man > $(CURDIR)/$$file.1 ; \
 			fi; \
 	done \
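Review bot: `HOME=./` is a relative path, so it resolves to the directory this loop runs in, the one holding the scripts invoked as `./$$file`; anything the tools write under their home directory during `--help-man` then lands next to the files being packaged. Point HOME at a throw-away directory outside the install tree (for example one created under `$(CURDIR)/debian/` and removed afterwards). Separately, the command is followed by `;` and its output goes straight to `$$file.1`, so a failing run still leaves an empty manpage, which is what lintian reported in this thread; failing the build on a non-zero exit or an empty output would catch it at build time.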
-- 
2.11.0



Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

2017-01-01 Thread Didier 'OdyX' Raboud
Le samedi, 31 décembre 2016, 17.10:09 h CET Adam D. Barratt a écrit :
> Control: tags -1 + confirmed
> 
> On Tue, 2016-12-27 at 14:18 +0100, Didier 'OdyX' Raboud wrote:
> > I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and
> > security team members suggested to get it fixed through stable updates.
> > 
> > This bug is a simple 'fetching gpg key from keyservers with a short
> > keyid' problem, and upstream's fix is to use the full fingerprint.
> 
> Please go ahead.

Uploaded, thanks for the confirmation.

-- 
Cheers,
OdyX



Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

2016-12-27 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear RT,

I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and
security team members suggested to get it fixed through stable updates.

This bug is a simple 'fetching gpg key from keyservers with a short
keyid' problem, and upstream's fix is to use the full fingerprint.

The debdiff is attached.

Cheers,
OdyX
diff -Nru hplip-3.14.6/debian/changelog hplip-3.14.6/debian/changelog
--- hplip-3.14.6/debian/changelog   2014-06-15 09:24:19.0 +0200
+++ hplip-3.14.6/debian/changelog   2016-12-27 09:13:54.0 +0100
@@ -1,3 +1,11 @@
+hplip (3.14.6-1+deb8u1) stable; urgency=medium
+
+  * Backport CVE-2015-0839 fix from upstream's 3.15.7: use full gpg key
+fingerprint when fetching key from keyservers
+(Closes: #787353, LP: #1432516)
+
+ -- Didier Raboud   Tue, 27 Dec 2016 09:13:54 +0100
+
 hplip (3.14.6-1) unstable; urgency=low
 
   * New upstream release
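Review bot: The distribution in the new first line is `stable`; use the codename `jessie` instead, which stays unambiguous if the upload is processed around a new stable release.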
diff -Nru 
hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch
 
hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch
--- 
hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch
 1970-01-01 01:00:00.0 +0100
+++ 
hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch
 2016-12-27 09:10:11.0 +0100
@@ -0,0 +1,19 @@
+Description: Use the full key fingerprint, to fix insecure binary driver 
verification
+Bug-CVE: CVE-2015-0839
+Bug-Upstream: https://bugs.launchpad.net/hplip/+bug/1432516
+Bug-Debian: https://bugs.debian.org/787353
+Origin: vendor
+Last-Update: 2015-07-15
+
+--- a/base/validation.py
 b/base/validation.py
+@@ -40,8 +40,7 @@
+ 
+ 
+ class GPG_Verification(DigiSign_Verification):
+-
+-def __init__(self, pgp_site = 'pgp.mit.edu', key = 0xA59047B9):
++def __init__(self, pgp_site = 'pgp.mit.edu', key = 
0x4ABA2F66DBD5A95894910E0673D770CDA59047B9):
+ self.__pgp_site = pgp_site
+ self.__key = key
+ self.__gpg = utils.which('gpg',True)
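Review bot: Only the default value of `key` changes in this hunk, and it stays an integer literal, so the fix holds only if the rest of validation.py hands all 160 bits to gpg (an integer formatted without zero padding, or cut down to 8 or 16 hex digits, would undo it) and then checks that the signature was made by this fingerprint; neither is visible here, so please confirm both. The DEP-3 header also says `Origin: vendor` although the changelog describes a backport from upstream's 3.15.7; `Origin: backport` with a reference to the upstream change would match.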
diff -Nru hplip-3.14.6/debian/patches/series hplip-3.14.6/debian/patches/series
--- hplip-3.14.6/debian/patches/series  2014-04-04 17:05:13.0 +0200
+++ hplip-3.14.6/debian/patches/series  2016-12-27 09:04:13.0 +0100
@@ -18,3 +18,4 @@
 #hp-mkuri-libnotify-so-4-support.dpatch
 hpaio-option-duplex.diff
 musb-c-do-not-crash-on-usb-failure.patch
+cve-2015-0839-insecure-binary-driver-verification.patch
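
The short-key-ID problem described in this request, as an added example that is not part of the original message or of hplip's code: it compares a signer check keyed on the 32-bit key ID with one keyed on the full fingerprint, using gpg `--status-fd` `VALIDSIG` lines. The pinned fingerprint is the one from the patch; the lookalike fingerprint, the status lines and all function names are constructed for illustration.

```python
"""Pin a signer by full OpenPGP fingerprint instead of a 32-bit short key ID."""

HEX_DIGITS = set("0123456789ABCDEF")

# Full fingerprint from the patch above (the new default for `key`).
PINNED_FPR = "4ABA2F66DBD5A95894910E0673D770CDA59047B9"
# Constructed fingerprint of an unrelated key sharing the same low 32 bits.
LOOKALIKE_FPR = "0123456789ABCDEF0123456789ABCDEFA59047B9"


def normalize_fpr(value):
    """Return a 40-hex-digit v4 fingerprint; accepts str or int."""
    if isinstance(value, int):
        # Zero-pad: a plain "%X" drops leading zeros and shortens the value.
        text = "%040X" % value
    else:
        text = str(value).replace(" ", "").upper()
        if text.startswith("0X"):
            text = text[2:]
    if len(text) != 40 or not set(text) <= HEX_DIGITS:
        raise ValueError("not a full 160-bit fingerprint: %r" % (value,))
    return text


def short_key_id(fpr):
    """The short key ID is simply the last 8 hex digits of the fingerprint."""
    return normalize_fpr(fpr)[-8:]


def valid_signers(status_text):
    """Collect primary-key fingerprints from gpg status VALIDSIG lines.

    VALIDSIG carries the signing key fingerprint as its first argument and,
    in current GnuPG, the primary key fingerprint as its tenth.
    """
    signers = []
    for line in status_text.splitlines():
        fields = line.split()
        if fields[:2] != ["[GNUPG:]", "VALIDSIG"] or len(fields) < 3:
            continue
        args = fields[2:]
        primary = args[9] if len(args) >= 10 else args[0]
        try:
            signers.append(normalize_fpr(primary))
        except ValueError:
            continue  # malformed line: never counts as a valid signer
    return signers


def accept_by_short_id(status_text, key_id):
    """Weak policy: any valid signature whose key ID suffix matches."""
    wanted = "%08X" % key_id if isinstance(key_id, int) else str(key_id).upper()
    return any(short_key_id(s) == wanted for s in valid_signers(status_text))


def accept_by_fingerprint(status_text, pinned):
    """Strict policy: a valid signature by exactly the pinned fingerprint."""
    return normalize_fpr(pinned) in valid_signers(status_text)


def sample_status(signer_fpr):
    """Constructed status output for one good signature by `signer_fpr`."""
    fpr = normalize_fpr(signer_fpr)
    return "\n".join([
        "[GNUPG:] NEWSIG",
        "[GNUPG:] GOODSIG %s Constructed Signer <signer@example.invalid>" % fpr[-16:],
        "[GNUPG:] VALIDSIG %s 2016-12-27 1482826451 0 4 0 1 8 00 %s" % (fpr, fpr),
    ])


if __name__ == "__main__":
    for name, fpr in (("pinned", PINNED_FPR), ("lookalike", LOOKALIKE_FPR)):
        status = sample_status(fpr)
        print("%-9s short-id check: %-5s fingerprint check: %s" % (
            name,
            accept_by_short_id(status, 0xA59047B9),
            accept_by_fingerprint(status, PINNED_FPR),
        ))
```
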


Bug#845254: unblock: win32-loader/0.8.0

2016-12-20 Thread Didier 'OdyX' Raboud
Le lundi, 21 novembre 2016, 23.30:52 h CET Cyril Brulebois a écrit :
> so feel free to let this package get into testing when it's copied over
> by ftpmasters.

Le lundi, 21 novembre 2016, 21.09:46 h CET Didier 'OdyX' Raboud a écrit :
> 0.8.0 is long overdue in stretch, please let it migrate. ftpmaster: please
> copy debian/tools/win32-loader/unstable into …/testing

ftpmasters: ping ?

-- 
Cheers,
OdyX



Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

2016-12-20 Thread Didier 'OdyX' Raboud
Control: tag -1 -moreinfo

Le samedi, 17 décembre 2016, 11.38:59 h CET Julien Cristau a écrit :
> > - and debdiff
> > cups_1.7.5-11+deb8u2.debdiff
> 
> The debdiff is the one we tend to look at, but it looks like it was not
> attached.

Indeed, sorry. Here it comes.

-- 
Cheers,
OdyX

diff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog
--- cups-1.7.5/debian/changelog	2015-06-09 09:45:50.0 +0200
+++ cups-1.7.5/debian/changelog	2016-10-10 10:05:10.0 +0200
@@ -1,3 +1,13 @@
+cups (1.7.5-11+deb8u2) jessie-security; urgency=high
+
+  * Disable SSLv3 and RC4 by default to address POODLE vulnerability
+(Closes: #839226)
+- Implement SSLOptions to permit the use of AllowSSLv3 and AllowRC4
+  respectively
+  * Refresh patches
+
+ -- Didier Raboud   Mon, 10 Oct 2016 10:05:10 +0200
+
 cups (1.7.5-11+deb8u1) jessie-security; urgency=high
 
   * Import 1.7 upstream fix for CERT VU#810572: Privilege escalation through
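Review bot: "Disable SSLv3 and RC4 by default" in the new entry changes behaviour for existing jessie installations, since clients that can only negotiate SSLv3 or RC4 stop connecting after the upgrade. The entry names `AllowSSLv3` and `AllowRC4` as the way back, so add a debian/NEWS entry that tells administrators about the new default and the `SSLOptions` syntax for restoring the old one.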
diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch
--- cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch	2016-10-10 09:55:05.0 +0200
@@ -27,7 +27,7 @@
LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -246,6 +246,9 @@
+@@ -248,6 +248,9 @@
  	/* SSL/TLS options */
  #endif /* HAVE_SSL */
  
diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch
--- cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch	2016-10-10 09:55:10.0 +0200
@@ -21,7 +21,7 @@
LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -251,6 +251,9 @@
+@@ -253,6 +253,9 @@
  VAR int			IdleExitTimeout		VALUE(0);
  	/* Time after which an idle cupsd will exit */
  
@@ -51,7 +51,7 @@
  #endif /* HAVE_SYSTEMD */
 --- a/man/cupsd.conf.man.in
 +++ b/man/cupsd.conf.man.in
-@@ -521,6 +521,12 @@
+@@ -528,6 +528,12 @@
  "notify-events", "notify-pull-method", "notify-recipient-uri",
  "notify-subscriber-user-name", and "notify-user-data".
  .TP 5
diff -Nru cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch
--- cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch	2016-10-10 09:55:09.0 +0200
@@ -13,7 +13,7 @@
LogTimeFormat= CUPSD_TIME_STANDARD;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -166,7 +166,7 @@
+@@ -168,7 +168,7 @@
  	/* Allow overrides? */
  			ConfigFilePerm		VALUE(0640),
  	/* Permissions for config files */
diff -Nru cups-1.7.5/debian/patches/pidfile.patch cups-1.7.5/debian/patches/pidfile.patch
--- cups-1.7.5/debian/patches/pidfile.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/pidfile.patch	2016-10-10 09:55:08.0 +0200
@@ -24,7 +24,7 @@
  
if (!strcmp(CUPS_DEFAULT_PRINTCAP, "/etc/printers.conf"))
  PrintcapFormat = PRINTCAP_SOLARIS;
-@@ -,6 +3335,7 @@
+@@ -3370,6 +3372,7 @@
   !_cups_strcasecmp(line, "SystemGroup") ||
   !_cups_strcasecmp(line, "SystemGroupAuthKey") ||
   !_cups_strcasecmp(line, "TempDir") ||
@@ -34,7 +34,7 @@
cupsdLogMessage(CUPSD_LOG_INFO,
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -245,6 +245,8 @@
+@@ -247,6 +247,8 @@
  VAR int			SSLOptions		VALUE(CUPSD_SSL_NONE);
  	/* SSL/TLS options */
  #endif /* HAVE_SSL */
diff -Nru cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch
--- cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch	2016-10-10 09:55:07.0 +0200
@@ -11,7 +11,7 @@
 
 --- a/scheduler/ipp.c
 +++ b/scheduler/ipp.c
-@@ -8249,6 +8249,11 @@
+@@ -8206,6 +8206,11 @@
ipp_attribute_t	*attr,		/* Current attribute */
  			*attr2,		/* Job attribute */
  			*prev2;		/* Previous job attribute */
@@ -23,7 +23,7 @@
  
  
   /*
-@@ -8310,6 +8315,85 @@
+@@ -8267,6 +8272,85 @@
}
  
   /*
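Review bot: Both refreshed hunk headers for scheduler/ipp.c move up by 43 lines (8249 to 8206, 8310 to 8267), while the scheduler/conf.h headers in this refresh all move down by 2. Please confirm that this is a stale offset from an earlier unrefreshed state and not the new patch, or its position in the series, removing code from ipp.c, and that the refreshed patch applies without fuzz.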
diff -Nru cups-1.7.5/debian/patches/series cups-1.7.5/debian/patches/series
--- cups-1.7.5/debian/patches/series	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/series	2016-10-10 09:54:51.0 +0200
@@ -6,6 +6,7 @@
 str4500-cupsGetPPD3-Only-use-symlink-if-file-is-readable-STR.patch
 str4551-fix-buffer-overflow-in-cupsRasterReadPixels.patch
 

Bug#845254: unblock: win32-loader/0.8.0

2016-11-21 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package win32-loader 0.8.0. win32-loader is special in that it
is always 'block'ed, because it needs manual ftpmaster intervention on
migration:

> # doesn't actually produce udebs, but blocked RoM (not d-i RM): it gets
> # handled by the ftp team so make sure the package migrates at the same time
> # it gets copied into debian/tools/$suite.
> block-udeb win32-loader

0.8.0 is long overdue in stretch, please let it migrate. ftpmaster: please
copy debian/tools/win32-loader/unstable into …/testing 

unblock win32-loader/0.8.0

Cheers, OdyX



Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

2016-10-13 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

We've been made aware that CUPS' SSL as of Jessie (and Wheezy, but I'll see
this with the LTS team) is vulnerable to POODLE.

Here come:
- patch;
str4476-disable-sslv3-and-rc4-by-default.patch
- git commit series;
0001-Disable-SSLv3-and-RC4-by-default-to-address-POODLE-v.patch
0002-Refresh-patches.patch
0003-cups-1.7.5-11-deb8u2-Debian-release.patch
- and debdiff
cups_1.7.5-11+deb8u2.debdiff

Thanks for your consideration

--
Cheers,
OdyX
From c2aabd5199b3acb0a1b4f3b4866ef87dc8cd6e68 Mon Sep 17 00:00:00 2001
From: Didier Raboud 
Date: Mon, 10 Oct 2016 10:05:10 +0200
Subject: [PATCH 3/3] cups 1.7.5-11+deb8u2 Debian release

---
 debian/changelog | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index bff361e..01fb495 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+cups (1.7.5-11+deb8u2) jessie-security; urgency=high
+
+  * Disable SSLv3 and RC4 by default to address POODLE vulnerability
+(Closes: #839226)
+- Implement SSLOptions to permit the use of AllowSSLv3 and AllowRC4
+  respectively
+  * Refresh patches
+
+ -- Didier Raboud   Mon, 10 Oct 2016 10:05:10 +0200
+
 cups (1.7.5-11+deb8u1) jessie-security; urgency=high
 
   * Import 1.7 upstream fix for CERT VU#810572: Privilege escalation through
-- 
2.9.3

From c5d8f701e8d3cd9dc927705d16c31878bae0b5b0 Mon Sep 17 00:00:00 2001
From: Didier Raboud 
Date: Mon, 10 Oct 2016 10:03:37 +0200
Subject: [PATCH 2/3] Refresh patches

---
 debian/patches/cupsd-idleexittimeout-systemd.patch| 4 ++--
 debian/patches/cupsd-idleexittimeout.patch| 2 +-
 debian/patches/log-debug-history-nearly-unlimited.patch   | 2 +-
 debian/patches/pidfile.patch  | 4 ++--
 ...bedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch | 4 ++--
 debian/patches/systemd-optional-socket-activation.patch   | 2 +-
 6 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/debian/patches/cupsd-idleexittimeout-systemd.patch b/debian/patches/cupsd-idleexittimeout-systemd.patch
index 4abc692..8800658 100644
--- a/debian/patches/cupsd-idleexittimeout-systemd.patch
+++ b/debian/patches/cupsd-idleexittimeout-systemd.patch
@@ -21,7 +21,7 @@ Last-Update: 2014-10-23
LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -251,6 +251,9 @@
+@@ -253,6 +253,9 @@
  VAR int			IdleExitTimeout		VALUE(0);
  	/* Time after which an idle cupsd will exit */
  
@@ -51,7 +51,7 @@ Last-Update: 2014-10-23
  #endif /* HAVE_SYSTEMD */
 --- a/man/cupsd.conf.man.in
 +++ b/man/cupsd.conf.man.in
-@@ -521,6 +521,12 @@
+@@ -528,6 +528,12 @@
  "notify-events", "notify-pull-method", "notify-recipient-uri",
  "notify-subscriber-user-name", and "notify-user-data".
  .TP 5
diff --git a/debian/patches/cupsd-idleexittimeout.patch b/debian/patches/cupsd-idleexittimeout.patch
index c799b3c..9f5f3b4 100644
--- a/debian/patches/cupsd-idleexittimeout.patch
+++ b/debian/patches/cupsd-idleexittimeout.patch
@@ -27,7 +27,7 @@ Last-Update: 2014-06-04
LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -246,6 +246,9 @@
+@@ -248,6 +248,9 @@
  	/* SSL/TLS options */
  #endif /* HAVE_SSL */
  
diff --git a/debian/patches/log-debug-history-nearly-unlimited.patch b/debian/patches/log-debug-history-nearly-unlimited.patch
index 25378cb..fc66d3e 100644
--- a/debian/patches/log-debug-history-nearly-unlimited.patch
+++ b/debian/patches/log-debug-history-nearly-unlimited.patch
@@ -13,7 +13,7 @@ Author: till.kamppe...@gmail.com
LogTimeFormat= CUPSD_TIME_STANDARD;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -166,7 +166,7 @@
+@@ -168,7 +168,7 @@
  	/* Allow overrides? */
  			ConfigFilePerm		VALUE(0640),
  	/* Permissions for config files */
diff --git a/debian/patches/pidfile.patch b/debian/patches/pidfile.patch
index 9496ed1..90bc57b 100644
--- a/debian/patches/pidfile.patch
+++ b/debian/patches/pidfile.patch
@@ -24,7 +24,7 @@ Last-Update: 2012-11-29
  
if (!strcmp(CUPS_DEFAULT_PRINTCAP, "/etc/printers.conf"))
  PrintcapFormat = PRINTCAP_SOLARIS;
-@@ -,6 +3335,7 @@
+@@ -3370,6 +3372,7 @@
   !_cups_strcasecmp(line, "SystemGroup") ||
   !_cups_strcasecmp(line, "SystemGroupAuthKey") ||
   !_cups_strcasecmp(line, "TempDir") ||
@@ -34,7 +34,7 @@ Last-Update: 2012-11-29
cupsdLogMessage(CUPSD_LOG_INFO,
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -245,6 +245,8 @@
+@@ -247,6 +247,8 @@
  VAR int			SSLOptions		VALUE(CUPSD_SSL_NONE);
  	/* SSL/TLS options */
  #endif /* HAVE_SSL */
diff --git a/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch 

Re: Fwd: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE [Jessie]

2016-10-13 Thread Didier 'OdyX' Raboud
Le jeudi, 13 octobre 2016, 10.03:44 h CEST Emilio Pozuelo Monfort a écrit :
> You probably wanted to send this to team@security or debian-security@ ?
> 
> If you want this to go through stable (pu) rather than stable-security,
> please file a pu bug against release.debian.org.

Right; thanks. I'll ask the security team first, and go through pu afterwards.

-- 
Cheers,
OdyX



Re: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE

2016-09-30 Thread Didier 'OdyX' Raboud
Version: 2.0.2-1

Hi Frederic, hi Stable & LTS teams,

Frederic's suggestion is to patch CUPS to disable SSLv3 and RC4 algorithms to 
protect CUPS from the POODLE vulnerability.

Have we removed protocols' support in {old,}stable before? Ubuntu applied 
this patch in Ubuntu Trusty, and RedHat did it in RHEL-7. I can prepare the 
patches if that's OK for the LTS and stable release teams.

Looking forward to your feedback!
Cheers,
OdyX

Le vendredi, 30 septembre 2016, 12.52:55 h CEST Frederic Bonnard a écrit :
> would it be possible to review and maybe have this patch in wheezy ? (maybe
> also jessie as all cups < 2.1b1 are concerned).
> It has been applied in Redhat/Centos and Ubuntu in greater version (1.6.3
> and 1.7.2).
> It disables SSLv3 by default but gives the possibility with AllowSSL3 to
> turn SSLv3 back on, and also AllowRC4 turns on just the RC4 cyphers.
> I tried to backport it to 1.5.3, so double checking would be nice.
> I tried it and it seems to work (also options to re-enable SSL3/RC4
> cyphers). For Jessie, it seems that the patch from Ubuntu
> cups-1.7.2-0ubuntu1.7 applies with some refresh.
> 
> https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163
> https://bugzilla.redhat.com/show_bug.cgi?id=1161172
> https://www.cups.org/str.php?L4476




Bug#796442: §5.5 Uploads to suites other than unstable/experimental should use codenames, not suites

2015-08-21 Thread Didier 'OdyX' Raboud
Package: developers-reference
Version: 3.4.15
Severity: important
Tags: patch

As I understand the current Release Team practices (in X-Debbugs-CC), uploads
to non-unstable/experimental suites should nowadays rather use the codenames
(wheezy, wheezy-proposed-updates, wheezy-security or wheezy-lts) instead of
suites (oldstable, oldstable-proposed-updates, oldstable-security or
oldstable-lts). Although both styles work, using the codenames avoids
race-conditions in times around new stable releases, and are less confusing.

This could be a possible diff:

--- devref.orig.txt 2015-08-21 22:49:46.985614431 +0200
+++ devref.new.txt  2015-08-21 22:58:15.226984105 +0200
@@ -2209,9 +2209,10 @@
 from the first line of the debian/changelog file and places it in
 the Distribution field of the .changes file.
 
-There are several possible values for this field: stable,
-    unstable, testing-proposed-updates and experimental. Normally,
-packages are uploaded into unstable.
+Packages are normally uploaded into unstable. Uploads to unstable or
+experimental should use these suite names in the changelog entry;
+uploads for other supported suites should use the suite codenames,
+as they avoid any ambiguity.
 
 Actually, there are other possible distributions: codename
     -security, but read Section 5.8.5, “Handling security-related
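Review bot: The replacement paragraph says "suite codenames" without naming any, and it removes the list of values that the following paragraph ("Actually, there are other possible distributions") builds on, so that paragraph no longer has anything to be "other" than. Add examples such as wheezy, wheezy-proposed-updates and wheezy-security from the report above, say "codenames" rather than "suite codenames", and state the reason (no race around a new stable release) so readers do not take it for a style preference.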

Cheers, OdyX



Bug#783488: jessie-pu: package win32-loader/0.7.8+deb8u1

2015-04-29 Thread Didier 'OdyX' Raboud
Le mardi, 28 avril 2015, 20.10:47 Adam D. Barratt a écrit :
> Control: tags -1 + confirmed
> 
> On Mon, 2015-04-27 at 14:36 +0200, Didier 'OdyX' Raboud wrote:
> > I'd like to get two late-notified issues in the win32-loader package
> > as released in jessie:
> > 
> > * The screenshot describing the graphical version showcases Joy, not
> >   Lines
> > * The standalone version
> >   (debian/tools/win32-loader/stable/win32-loader.exe on
> >   the mirrors) uses http.debian.net where httpredir.debian.org would
> >   be better.
> 
> Please go ahead.


Uploaded.

It probably needs some ftp-master magic, either now, or at point-release 
time, for /debian/tools/win32-loader/stable/

Cheers,

OdyX



Bug#783488: jessie-pu: package win32-loader/0.7.8+deb8u1

2015-04-27 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to get two late-notified issues in the win32-loader package as
released in jessie:

* The screenshot describing the graphical version showcases Joy, not Lines
* The standalone version (debian/tools/win32-loader/stable/win32-loader.exe on
  the mirrors) uses http.debian.net where httpredir.debian.org would be better.

Debdiff is attached and you can find individual patches on the master-jessie
branch on the VCS:
http://anonscm.debian.org/cgit/d-i/win32-loader.git/log/?h=master-jessie

The two changes have already been uploaded to unstable.

Cheers, OdyX
diff -Nru win32-loader-0.7.8/branch.nsi win32-loader-0.7.8+deb8u1/branch.nsi
--- win32-loader-0.7.8/branch.nsi	2014-11-19 09:14:47.0 +0100
+++ win32-loader-0.7.8+deb8u1/branch.nsi	2015-04-26 15:13:40.0 +0200
@@ -61,7 +61,7 @@
   StrCpy $base_path_images  netboot/debian-installer/hurd-$arch
 ${EndIf}
   ${Else}
-StrCpy $base_url http://http.debian.net/debian/dists/stable/;
+StrCpy $base_url http://httpredir.debian.org/debian/dists/stable/;
 ${If} $kernel == linux
   ; Only Debian GNU/Linux will have a stable branch for the jessie cycle
   StrCpy $base_path_md5main/installer-$arch/current/images/
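Review bot: the replacement $base_url on the changed StrCpy line is still a plain http:// URL, so moving from http.debian.net to httpredir.debian.org changes which host answers but not the trust model: anything fetched under this base has to be authenticated by other means. The only integrity hint visible in this hunk is the $base_path_md5 context line. Please confirm that the checksum list is itself verified rather than fetched from the same unauthenticated base, and say so in a comment next to $base_url.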
diff -Nru win32-loader-0.7.8/debian/changelog win32-loader-0.7.8+deb8u1/debian/changelog
--- win32-loader-0.7.8/debian/changelog	2014-12-16 17:00:29.0 +0100
+++ win32-loader-0.7.8+deb8u1/debian/changelog	2015-04-26 15:19:53.0 +0200
@@ -1,3 +1,10 @@
+win32-loader (0.7.8+deb8u1) jessie; urgency=low
+
+  * Replace the Joy screenshot by a recent Lines screenshot
+  * Replace http.debian.net with httpredir.debian.org
+
+ -- Didier Raboud o...@debian.org  Sun, 26 Apr 2015 15:19:28 +0200
+
 win32-loader (0.7.8) unstable; urgency=medium
 
   * Disable 'Download Debian GNU/kFreeBSD as stable' as this won't be possible
Les fichiers binaires /tmp/8OutFGwL2e/win32-loader-0.7.8/templates/gtk.bmp et /tmp/uRNO6rNZMo/win32-loader-0.7.8+deb8u1/templates/gtk.bmp sont différents
Les fichiers binaires /tmp/8OutFGwL2e/win32-loader-0.7.8/templates/gtk_orig.png et /tmp/uRNO6rNZMo/win32-loader-0.7.8+deb8u1/templates/gtk_orig.png sont différents


Bug#783206: unblock: debian-installer-netboot-images/20150422

2015-04-23 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package debian-installer-netboot-images, as it mirrors the d-i
in the same version. It's probably best to have it available in Jessie before
it becomes stable :-)

unblock debian-installer-netboot-images/20150422

As it drops two binary packages, it also needs manual decruft from FTP
Masters, I'll let you contact them to make this happen.

Cheers, OdyX

Debdiff is as follows:

--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+debian-installer-netboot-images (20150422) unstable; urgency=high
+
+  * Drop kfreebsd-{amd64,i386} from supported architectures
+
+ -- Didier Raboud o...@debian.org  Thu, 23 Apr 2015 14:51:10 +0200
+
+debian-installer-netboot-images (20150418) unstable; urgency=high
+
+  * Update to 20150418 images.
+  * Use httpredir.d.o as mirror
+
+ -- Didier Raboud o...@debian.org  Sun, 19 Apr 2015 11:17:56 +0200
+
 debian-installer-netboot-images (20150324) unstable; urgency=medium
 
   * Update to 20150324 images.
diff --git a/debian/control b/debian/control
index 84c53e8..7fdc266 100644
--- a/debian/control
+++ b/debian/control
@@ -67,26 +67,6 @@ Description: Debian-installer network boot images for i386
  This package contains images of the Debian Installer for the i386
  architecture.
 
-Package: debian-installer-8-netboot-kfreebsd-amd64
-Architecture: all
-Depends: ${misc:Depends}
-Provides: debian-installer-netboot-kfreebsd-amd64, debian-installer-netboot
-Suggests: tftpd-hpa
-Built-Using: ${d-i:built-using}
-Description: Debian-installer network boot images for kfreebsd-amd64
- This package contains images of the Debian Installer for the kfreebsd-amd64
- architecture.
-
-Package: debian-installer-8-netboot-kfreebsd-i386
-Architecture: all
-Depends: ${misc:Depends}
-Provides: debian-installer-netboot-kfreebsd-i386, debian-installer-netboot
-Suggests: tftpd-hpa
-Built-Using: ${d-i:built-using}
-Description: Debian-installer network boot images for kfreebsd-i386
- This package contains images of the Debian Installer for the kfreebsd-i386
- architecture.
-
 Package: debian-installer-8-netboot-mips
 Architecture: all
 Depends: ${misc:Depends}
diff --git a/debian/rules b/debian/rules
index b843454..1c3d1b7 100755
--- a/debian/rules
+++ b/debian/rules
@@ -2,13 +2,13 @@
 
 export MAJOR_VERSION=8
 export DISTRIBUTION=jessie
-export MIRROR=http://ftp.debian.org/debian
+export MIRROR=http://httpredir.debian.org/debian
 export VERSION=$(shell dpkg-parsechangelog | sed -n 's/^Version: //p')
 export KFREEBSD_KERNEL_MAJOR=10
 
 # Don't forget to recreate debian/control after editing these lines: $
 # debian/rules debian/control
-SUPPORTED_ARCHITECTURES = amd64 arm64 armel armhf i386 kfreebsd-amd64 
kfreebsd-i386 mips mipsel powerpc ppc64el
-UNSUPPORTED_ARCHITECTURES = hurd-i386 s390x sparc
+SUPPORTED_ARCHITECTURES = amd64 arm64 armel armhf i386 mips mipsel powerpc 
ppc64el
+UNSUPPORTED_ARCHITECTURES = hurd-i386 kfreebsd-amd64 kfreebsd-i386 s390x sparc
 
 %:
dh $@
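Review bot: on the changed "export MIRROR=" line the build still fetches from a plain http:// mirror, and nothing in this hunk shows how the downloaded files are checked afterwards. Please point to where they are verified against signed archive metadata, or add a comment above MIRROR stating it. Separately, the comment above SUPPORTED_ARCHITECTURES asks for debian/control to be regenerated after editing these lines; the debian/control hunk of this same diff drops the two kfreebsd packages, which is consistent, but it is worth confirming it was regenerated rather than edited by hand.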


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150423202954.13129.74581.reportbug@gyllingar



Bug#776928: unblock: debian-installer-netboot-images/20150107

2015-02-09 Thread Didier 'OdyX' Raboud
Hi all,

On Sunday, 8 February 2015, 21.54:04, Cyril Brulebois wrote:
 Niels Thykier ni...@thykier.net (2015-02-06):
  A debhelper compat is an explicit no-go per the freeze policy.
  
  Otherwise, looks good to me.
 
 It's a bit unfortunate that d-i-n-i is huge and not too useful to
 upload during the release cycle in that we get to only notice this
 kind of things (woops, we bumped the debhelper version compat in
 that package too but it never reached testing) during the freeze;
 sorry about that.
 
 Since d-i-n-i is basically about collecting files in packages (see
 get-images.sh), and about shipping them through various binaries, this
 kind of things is /possibly/ harmless, but I really didn't check
 anything. It would probably be helpful to double check that dh 7 and
 dh 9 lead to identical binaries, and maybe think about letting this
 change slide with the rest (but so far I really have no opinion on
 this).

So I've gone and done that (twice), the result of all debdiffs is exactly
identical:

 File lists identical (after any substitutions)
 
 No differences were encountered between the control files

This shows that the change (but also that the revert) is harmless. 
Frankly, I'd find the explicit no-go therefore imposing a revert quite 
silly in this specific case.

 In case the explicit no-go stays (which I'd consider fair, to be
 honest), I'd rather avoid doing nasty things with the release version
 numbering (see Holger's reply), and get the revert through an upload
 matching RC 2. Which means getting d-i-n-i even later in testing but
 that would probably be safer.

That's technically correct. I'd find it quite sad to postpone a 
migration to testing for d-i-n-i, especially as every d-i upload [or at 
the very least, the final d-i] will impose a d-i-n-i upload and 
migration, again.

 On a slightly different note: Why we're still using a non-debian.org
 mirror (MIRROR in debian/rules) is still beyond me.

Using http.debian.net accelerates my builds by a big margin. I don't 
care enough though, so feel free to commit a change.

Cheers,
OdyX


Archive: https://lists.debian.org/1526927.S1h565oRuT@gyllingar



Bug#774759: [pre-approval] unblock: ghostscript/9.06~dfsg-2

2015-01-14 Thread Didier 'OdyX' Raboud
Control: tags -1 -moreinfo

On Wednesday, 14 January 2015, 00.15:43, Ivo De Decker wrote:
 OK, please go ahead and remove the moreinfo tag from this bug once the
 upload is in unstable.

Uploaded, and built by the buildds.

Cheers,
OdyX


Archive: https://lists.debian.org/2035455.zHbze3Vvvl@gyllingar



Bug#774759: [pre-approval] unblock: ghostscript/9.06~dfsg-2

2015-01-07 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear RT,

I'd like to get the patch for #732440 included in Jessie. The bug was
reported three independent times and is a premature abort in Ghostscript
processing. The patch that fixes that bug was included in upstream's
9.14 version and can be directly cherry-picked on top of 9.06~dfsg-1 as
currently in jessie.

Here goes the proposed changelog:

ghostscript (9.06~dfsg-2) unstable; urgency=medium

  * Add patch cherry-picked upstream to fix /typecheck error in /findfont
(Closes: #732440)

The cherry-picked patch as well as the full debdiff are attached.

TIA, cheers,

OdyX
diff -Nru ghostscript-9.06~dfsg/debian/changelog ghostscript-9.06~dfsg/debian/changelog
--- ghostscript-9.06~dfsg/debian/changelog	2014-08-27 04:08:44.0 +0200
+++ ghostscript-9.06~dfsg/debian/changelog	2015-01-07 08:28:03.0 +0100
@@ -1,3 +1,10 @@
+ghostscript (9.06~dfsg-2) unstable; urgency=medium
+
+  * Add patch cherry-picked upstream to fix /typecheck error in /findfont
+(Closes: #732440)
+
+ -- Didier Raboud o...@debian.org  Wed, 07 Jan 2015 08:27:52 +0100
+
 ghostscript (9.06~dfsg-1) unstable; urgency=medium
 
   * Team upload
diff -Nru ghostscript-9.06~dfsg/debian/patches/020140211~f4584b0.patch ghostscript-9.06~dfsg/debian/patches/020140211~f4584b0.patch
--- ghostscript-9.06~dfsg/debian/patches/020140211~f4584b0.patch	1970-01-01 01:00:00.0 +0100
+++ ghostscript-9.06~dfsg/debian/patches/020140211~f4584b0.patch	2015-01-07 08:26:20.0 +0100
@@ -0,0 +1,48 @@
+From: Chris Liddell chris.lidd...@artifex.com
+Date: Tue, 11 Feb 2014 15:15:56 + (+)
+Subject: Bug 695031: don't assume we can read a font file
+X-Git-Tag: ghostpdl-9.12rc1~50
+X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=f4584b0e162a96ec143f0057de63c116e649e02b
+Bug-Debian: https://bugs.debian.org/732440
+
+Bug 695031: don't assume we can read a font file
+
+When we scan system fonts, we were assuming fonts found would be in a format
+Ghostscript understands. This is not necessarily the case.
+
+So put the minimal parsing call to get the font's name in a stopped context,
+so we can skip the file it's not an understandable format. And clean up the
+stack in the event we try such a file.
+
+No cluster differences.
+---
+
+--- a/Resource/Init/gs_fonts.ps
 b/Resource/Init/gs_fonts.ps
+@@ -385,12 +385,20 @@
+ pop pop pop
+   }{
+ % we could open the font file
+-.findfontname
+-not { dup 0 get } if  % stack: (newname) [ (name) (path) ]
+-% DEBUG { (  found ) print dup print (\n) print flush } if
+-% add entry to the fontmap
+-1 index exch 0 exch dup type /nametype ne {cvn} if put
+-aload pop .definefontmap
++mark 2 1 roll
++{.findfontname} stopped
++{
++  cleartomark
++  pop pop
++}
++{
++  3 -1 roll pop
++  not { dup 0 get } if  % stack: (newname) [ (name) (path) ]
++  % DEBUG { (  found ) print dup print (\n) print flush } if
++  % add entry to the fontmap
++  1 index exch 0 exch dup type /nametype ne {cvn} if put
++  aload pop .definefontmap
++} ifelse
+   } ifelse
+ } forall
+   } if
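Review bot: in the branch taken when "{.findfontname} stopped" reports an error ("cleartomark" followed by "pop pop"), the unreadable font file is skipped with no trace, while the success branch keeps its commented-out DEBUG print. A matching DEBUG-guarded message naming the skipped path in the error branch would make it possible to tell which system font was rejected. It would also help to state the expected operand stack after "pop pop" in a comment, as the success branch does with "% stack: (newname) [ (name) (path) ]".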
diff -Nru ghostscript-9.06~dfsg/debian/patches/series ghostscript-9.06~dfsg/debian/patches/series
--- ghostscript-9.06~dfsg/debian/patches/series	2014-08-27 03:59:17.0 +0200
+++ ghostscript-9.06~dfsg/debian/patches/series	2015-01-07 08:25:44.0 +0100
@@ -3,6 +3,7 @@
 020121130~a3d00da.patch
 020130619~1b87b82.patch
 020130619~daceba6.patch
+020140211~f4584b0.patch
 1001_document_inkcov_device.patch
 2001_docdir_fix_for_debian.patch
 2002_gs_man_fix_debian.patch
From: Chris Liddell chris.lidd...@artifex.com
Date: Tue, 11 Feb 2014 15:15:56 + (+)
Subject: Bug 695031: don't assume we can read a font file
X-Git-Tag: ghostpdl-9.12rc1~50
X-Git-Url: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff_plain;h=f4584b0e162a96ec143f0057de63c116e649e02b
Bug-Debian: https://bugs.debian.org/732440

Bug 695031: don't assume we can read a font file

When we scan system fonts, we were assuming fonts found would be in a format
Ghostscript understands. This is not necessarily the case.

So put the minimal parsing call to get the font's name in a stopped context,
so we can skip the file it's not an understandable format. And clean up the
stack in the event we try such a file.

No cluster differences.
---

--- a/Resource/Init/gs_fonts.ps
+++ b/Resource/Init/gs_fonts.ps
@@ -385,12 +385,20 @@
 pop pop pop
   }{
 % we could open the font file
-.findfontname
-not { dup 0 get } if  % stack: (newname) [ (name) (path) ]
-% DEBUG { (  found ) print dup print (\n) print flush } if
-% add entry to the fontmap
-1 index exch 0 exch dup type /nametype ne {cvn} if put
-

Re: Bug#772898: win32-loader testing and newer fails with TRANSLATE error

2014-12-15 Thread Didier 'OdyX' Raboud
Control: clone -1 -2
Control: retitle -2 nmu: nsis_2.46-9
Control: user -2 release.debian@packages.debian.org
Control: usertag -2 +binnmu

(Release Team, please see below :) )

Hi Bernhard & Cyril,

Many thanks for the detailed analysis!

On Sunday, 14 December 2014, 15.47:47, Bernhard Übelacker wrote:
 Looks similar to bug #654380. (There mingw defaulted to produce dlls
 depending also on some other mingw dlls)
 
 There the upstream bug report [2] mentions that plugins must not
 depend on a shared libgcc.
 
 So I assume that the plugins must not depend on a shared
 libwinpthread-1.dll either.
 
 The package build of win32-loader uses this file
 /usr/share/nsis/Plugins/NSISdl.dll which comes from package
 nsis-common.
 
 If plugins must not depend on other dlls, then also other projects or
 users are affected, who want to build their installers with
 Jessie/testing.
 
 However, when I try to rebuild package nsis-common I get a nsisdl.dll
 which does not suffer from this dependency.
 
 Unfortunately I cannot find a build log for amd64, just for i386 [3].
 That one was built with g++-mingw-w64-i686 i386 4.9.0-2+13.
 My attempt uses g++-mingw-w64-i686 amd64 4.9.1-7+14.2.
 
 The changelog for g++-mingw-w64-i686 [4] shows this entry:
 
 gcc-mingw-w64 (14) unstable; urgency=medium
 
   * Provide compilers using Windows and POSIX threads. The default
 setup uses Windows threads, thus avoiding the dependency on the
 pthreads DLL (Closes: #748353, #750741).
 
 So probably the solution could be only these 2 steps?
 
 - to rebuild package nsis-common with the current g++-mingw-w64-i686
 package

This looks like it, indeed. I'm hereby cloning this bug into an NSIS
binNMU request:

@Release Team, could we please schedule binNMUs for nsis ?

nmu nsis_2.46-9 . ALL . -m Rebuild with gcc-mingw-w64 14 to ensure 
that NSISdl.dll doesn't depend on a shared libwinpthread-1

 - rebuild win32-loader with the newly built nsis-common package
 installed

I'll upload win32-loader when nsis is available from the mirrors.

Many thanks, cheers,
OdyX


Archive: https://lists.debian.org/78814985.3kYXE0y7E4@gyllingar



Bug#773167: Bug#772898: win32-loader testing and newer fails with TRANSLATE error

2014-12-15 Thread Didier 'OdyX' Raboud
On Monday, 15 December 2014, 19.20:07, Adam D. Barratt wrote:
 On Mon, 2014-12-15 at 10:09 +0100, Didier 'OdyX' Raboud wrote:
  @Release Team, could we please schedule binNMUs for nsis ?
  
  nmu nsis_2.46-9 . ALL . -m Rebuild with gcc-mingw-w64 14 to ensure
  that NSISdl.dll doesn't depend on a shared libwinpthread-1
 Done.

Sorry for the unnecessary binNMU; NSISdl comes from nsis-common/all, and 
is not rebuilt in binary-arch builds. /o\

I will upload a new nsis version, adding the test proposed by Bernhard 
to trigger a build failure if that ever appears again.

Cheers,
OdyX
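
A build-time check of the kind discussed in this thread, as an added example (it is not the test proposed by Bernhard and not code from the nsis package): it reads the import table of a PE file and reports any import of libwinpthread-1.dll or a shared libgcc. The "libgcc_s" name prefix, the function names and the constructed sample image are assumptions of this example.

```python
"""Fail a build when a Windows DLL imports a shared MinGW runtime DLL."""
import struct
import sys

# Name prefixes treated as forbidden (compared lower-case). libwinpthread-1.dll
# is named in the thread; the "libgcc_s" prefix for a shared libgcc is an
# assumption of this example.
FORBIDDEN_PREFIXES = ("libwinpthread-1.dll", "libgcc_s")


def imported_dlls(data):
    """Return the DLL names listed in the import directory of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:        # PE32
        dirs_off = opt_off + 96
    elif magic == 0x20B:      # PE32+
        dirs_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic")
    (ndirs,) = struct.unpack_from("<I", data, dirs_off - 4)
    if ndirs < 2:
        return []
    # Data directory entry 1 is the import directory (RVA, size).
    imp_rva, _imp_size = struct.unpack_from("<II", data, dirs_off + 8)
    if imp_rva == 0:
        return []

    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<4I", data, sec_off + 40 * i + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva):
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError("RVA 0x%x is outside every section" % rva)

    names = []
    off = rva_to_offset(imp_rva)
    while True:
        descriptor = struct.unpack_from("<5I", data, off)
        if not any(descriptor):          # all-zero descriptor ends the table
            break
        name_off = rva_to_offset(descriptor[3])
        end = data.index(b"\0", name_off)
        names.append(data[name_off:end].decode("ascii"))
        off += 20
    return names


def forbidden_imports(data, prefixes=FORBIDDEN_PREFIXES):
    """Return the imported DLL names that match a forbidden prefix."""
    return [n for n in imported_dlls(data) if n.lower().startswith(prefixes)]


def build_sample_pe32(dll_names):
    """Constructed sample input: a minimal PE32 image whose single section
    holds nothing but an import directory naming dll_names."""
    sec_va, sec_raw, opt_size = 0x1000, 0x200, 96 + 16 * 8
    desc_size = 20 * (len(dll_names) + 1)   # descriptors plus terminator
    body = bytearray(desc_size)
    for i, name in enumerate(dll_names):
        name_rva = sec_va + len(body)
        struct.pack_into("<5I", body, 20 * i, 0, 0, 0, name_rva, 0)
        body += name.encode("ascii") + b"\0"
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8, sec_va, desc_size)
    section = struct.pack("<8s6I2HI", b".idata", len(body), sec_va, len(body),
                          sec_raw, 0, 0, 0, 0, 0xC0000040)
    headers = dos + coff + bytes(opt) + section
    return headers.ljust(sec_raw, b"\0") + bytes(body)


def main(paths):
    """Check each file; return 1 (build failure) if any has a forbidden import."""
    failed = False
    for path in paths:
        with open(path, "rb") as fh:
            bad = forbidden_imports(fh.read())
        if bad:
            failed = True
            print("%s: forbidden imports: %s" % (path, ", ".join(bad)),
                  file=sys.stderr)
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run against the built plugin DLLs as a build step, a non-zero exit status stops the build before a plugin with such a dependency is shipped.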


Archive: https://lists.debian.org/1592624.gkHtJ7EzoG@gyllingar



Bug#771228: unblock: epson-inkjet-printer-escpr/1.4.1-2

2014-11-27 Thread Didier 'OdyX' Raboud
On Thursday, 27 November 2014 21.09:50, you wrote:
 Please unblock package epson-inkjet-printer-escpr, it has the
 following changelog:
 
   * Backport the 1.4.4 change:
 - Fixed a problem when using Rear Feed Slot as InputSlot
   (Closes: #755408)
 
 #755408 is a bug of severity normal which the 1.4.4 upstream release
 was explicitly targeting.

Sorry, forgot the debdiff, there you go.

Cheers,
OdyX

diff -Nru epson-inkjet-printer-escpr-1.4.1/debian/changelog epson-inkjet-printer-escpr-1.4.1/debian/changelog
--- epson-inkjet-printer-escpr-1.4.1/debian/changelog	2014-07-28 10:11:30.0 +0200
+++ epson-inkjet-printer-escpr-1.4.1/debian/changelog	2014-11-26 13:36:41.0 +0100
@@ -1,3 +1,11 @@
+epson-inkjet-printer-escpr (1.4.1-2) unstable; urgency=medium
+
+  * Backport the 1.4.4 change:
+- Fixed a problem when using Rear Feed Slot as InputSlot
+  (Closes: #755408)
+
+ -- Didier Raboud o...@debian.org  Wed, 26 Nov 2014 13:36:11 +0100
+
 epson-inkjet-printer-escpr (1.4.1-1) unstable; urgency=medium
 
   * New 1.4.1 upstream version
diff -Nru epson-inkjet-printer-escpr-1.4.1/debian/patches/series epson-inkjet-printer-escpr-1.4.1/debian/patches/series
--- epson-inkjet-printer-escpr-1.4.1/debian/patches/series	2014-07-28 10:05:42.0 +0200
+++ epson-inkjet-printer-escpr-1.4.1/debian/patches/series	2014-11-24 22:22:02.0 +0100
@@ -1 +1,4 @@
+# Upstream backports
+u1.4.4-fixed-a-problem-when-using-rear-feed-slot-as-inputslot.patch
+
 dont_touch_debian_files.patch
diff -Nru epson-inkjet-printer-escpr-1.4.1/debian/patches/u1.4.4-fixed-a-problem-when-using-rear-feed-slot-as-inputslot.patch epson-inkjet-printer-escpr-1.4.1/debian/patches/u1.4.4-fixed-a-problem-when-using-rear-feed-slot-as-inputslot.patch
--- epson-inkjet-printer-escpr-1.4.1/debian/patches/u1.4.4-fixed-a-problem-when-using-rear-feed-slot-as-inputslot.patch	1970-01-01 01:00:00.0 +0100
+++ epson-inkjet-printer-escpr-1.4.1/debian/patches/u1.4.4-fixed-a-problem-when-using-rear-feed-slot-as-inputslot.patch	2014-11-24 22:23:16.0 +0100
@@ -0,0 +1,26 @@
+Description: Upstream 1.4.4 change: Fixed a problem when using Rear Feed Slot as InputSlot.
+Origin: upstream
+Bug-Debian: https://bugs.debian.org/755408
+Last-Update: 2014-11-24
+--- a/src/filter.c
 b/src/filter.c
+@@ -925,7 +925,7 @@
+  	
+ 	/* InputSlot */
+ 	inputslot = str_clone (filter_opt_p-inputslot, strlen (filter_opt_p-inputslot));
+- 	if (strcmp (inputslot, Rear) == 0 || strcmp (inputslot, RearPaperFeed) == 0){ 
++ 	if (strcmp (inputslot, RearPaperFeed) == 0){ 
+ 		debug_msg(Rear Tray\n);
+  		jobAttr.paperSource =  EPS_MPID_REAR;
+  	}
+@@ -945,8 +945,8 @@
+ 		debug_msg(Lower Tray\n);
+  		jobAttr.paperSource =  EPS_MPID_FRONT4;
+  	}
+- 	else if(strcmp (inputslot, ManualFeed) == 0){ 
+-		debug_msg(Manual Reed Tray\n);
++ 	else if(strcmp (inputslot, Rear) == 0 || strcmp (inputslot, ManualFeed) == 0){ 
++		debug_msg(Manual Feed Tray\n);
+  		jobAttr.paperSource =  EPS_MPID_REARMANUAL;
+  	}
+  	else if(strcmp (inputslot, DiskTray) == 0){ 
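Review bot: moving the "Rear" comparison from the EPS_MPID_REAR branch to the EPS_MPID_REARMANUAL branch changes the paper source for every job that passes InputSlot "Rear", and the patch header gives only the one-line upstream description. Please record in the Description which InputSlot values are expected to map to EPS_MPID_REAR and which to EPS_MPID_REARMANUAL, so the backport can be checked against the values the filter is actually given. The debug-string change from "Manual Reed Tray" to "Manual Feed Tray" is unrelated to the fix and deserves a mention there too.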


Bug#770707: unblock: cups/1.7.5-8

2014-11-27 Thread Didier 'OdyX' Raboud
On Sunday, 23 November 2014, 21.39:59, Jonathan Wiltshire wrote:
 On Sun, Nov 23, 2014 at 02:36:56PM +0100, Didier Raboud wrote:
  Please unblock package cups. The 1.7.5-8 upload has the following
  changes:
    * Add a USB quirk fix for Brother HL-1250 (Closes: #712512)
  
  This was reported upstream as https://www.cups.org/str.php?L4519 .
  It's a routine USB quirk change to accommodate printers with weird
  USB behaviours. Severity: important
  
    * Backport upstream patch to fix random crash in TLS handling. The
      patch also enables coredumps. (Closes: #760475, #760476)
 
 Unblocked.

Thanks. As it FTBFS on mips (unexpectedly so), I'll be uploading a fix 
to this (dropping an upstream patch) as well as for #768163 (dropping 
the color management patch that upstream refused).

I assume you'll want a separate unblock request, right?

Cheers,
OdyX


Archive: https://lists.debian.org/3156571.jSKLIvVd1i@gyllingar



Bug#746367: wheezy-pu: package cups/1.5.3-5+deb7u2; Bug#746714: squeeze-pu: package cups/1.4.4-7+squeeze5

2014-05-03 Thread Didier 'OdyX' Raboud
On Friday, 2 May 2014 21.16:15, you wrote:
 Control: clone -1 -2
 Control: tags -1 = wheezy confirmed
 Control: tags -2 = squeeze confirmed
 Control: retitle -1 wheezy-pu: package cups/1.5.3-5+deb7u2
 Control: retitle -2 squeeze-pu: package cups/1.4.4-7+squeeze5

Aye. Sorry for that.

 Please s/-security// in the changelogs. With that change, feel free to
 upload.

Done, for both wheezy and squeeze.

Cheers,
OdyX


Archive: https://lists.debian.org/2650686.4meBBSiO6X@gyllingar



Bug#732763: transition: cegui-mk2

2014-04-11 Thread Didier 'OdyX' Raboud
Hi Muammar,

What has happened to the process of uploading a 0.8.3 version of
cegui-mk2?

On Tuesday, 24 December 2013, 09.58:21, Niels Thykier wrote:
  I'd like to know if I could upload to unstable directly, or if
  rather it is preferred to do it first to experimental to finally
  upload to unstable.
 
 If the other reverse dependencies work with the new version of
 cegui-mk2 or their maintainers are happy with fixing them really
 soon (or getting their package removed from testing), feel free to
 upload to unstable.  Otherwise, you are welcome to start with
 experimental until the situation improves.

I'd be happy to help as I'd need a more recent CEGUI version to compile 
the latest developments of src:colobot.

Cheers,
OdyX


Archive: https://lists.debian.org/1783547.1GU12SxmqN@gyllingar



Re: Feel free to let win32-loader/0.7.4.9 into testing

2013-10-07 Thread Didier 'OdyX' Raboud
Hi Cyril,
(adding ftpmaster in CC).

On Monday, 7 October 2013 01.57:42, Cyril Brulebois wrote:
 looking at the testing summary page for d-i, I noticed win32-loader is
 blocked from automatic migration. I'm not sure whether we want to
 keep it that way but at least the 0.7.4.9 release currently in sid
 shouldn't hurt AFAICT; some bits of modernity on the source side,
 and updated Built-Using field on the binary side, so it should be OK
 to get testing in sync.

Sure, no problem for me. FTP-Masters need to copy (shortly after the 
migration of the package ideally) tools/win32-loader/unstable to 
tools/win32-loader/testing , see #710514.

Cheers,

OdyX


-- 
OdyX


Archive: http://lists.debian.org/2626879.XAnzoYzleD@gyllingar



Bug#724815: pu: package cups/1.5.3-5+deb7u1

2013-09-28 Thread Didier 'OdyX' Raboud
Version: 1.6.1-1

On Saturday, 28 September 2013 12.00:40, Cyril Brulebois wrote:
 Control: tag -1 wheezy confirmed
 
 Didier Raboud o...@debian.org (2013-09-28):
  This bug is already fixed (or rather, doesn't apply in cups 1.6 as
  shipped in jessie+ as the cups avahi backend has been rewritten.
 
 Please tell the BTS that, then.

Hereby doing that, marking as fixed in 1.6.1-1:

  cups (1.6.1-1) experimental; urgency=low
  
 * New upstream release
   - Avahi-based Bonjour/DNS-SD/mDNS support

 Looks good to me, please upload.

Uploaded, thanks for the fast review!

Cheers,
OdyX



Bug#706598: tpu: win32-loader/0.7.4.7

2013-06-07 Thread Didier 'OdyX' Raboud
On Thursday, 6 June 2013 23.21:52, Adam D. Barratt wrote:
 On Mon, 2013-06-03 at 21:41 +0200, Didier 'OdyX' Raboud wrote:
  win32-loader (0.7.4.7+deb7u1) stable; urgency=low
  
* Post-Wheezy release rebuild to update the embedded dependencies.
 
 Please go ahead; thanks.

Uploaded, thanks.

OdyX




Bug#711211: pu: package lsb/4.1+Debian8+deb7u1

2013-06-05 Thread Didier 'OdyX' Raboud
On Wednesday, 5 June 2013 20.58:25, Adam D. Barratt wrote:
 Control: tags -1 + wheezy confirmed
 
 On Wed, 2013-06-05 at 18:08 +0200, Didier 'OdyX' Raboud wrote:
  On Wednesday, 5 June 2013 16.09:43, Didier Raboud wrote:
   The proposed changelog is the following:
   
   lsb (4.1+Debian8+deb7u1) stable; urgency=low
   
     * Fix lsb_release to correctly work with stable release updates
       incrementing the second digit from Wheezy on. (Closes: #711174)
     * Add jessie to the release codenames lookup table
 
 [...]
 
  Of course, I forgot to attach the debdiff… Meh.
 
 Please go ahead; thanks.

Uploaded, thanks!

Cheers,

OdyX




Bug#706598: tpu: win32-loader/0.7.4.7

2013-06-03 Thread Didier 'OdyX' Raboud
Control: retitle -1 pu: win32-loader/0.7.4.7+deb7u1

Hi Julien,

On Thursday, 2 May 2013 17.38:03, Didier 'OdyX' Raboud wrote:
 On Thursday, 2 May 2013 15.08:05, Julien Cristau wrote:
  I think come back for r1.
 
 Fair enough. An upload to unstable would be good to have anyway, no? People
 could then test it with pre-release-almost-wheezy material before the
 stream of updates to unstable starts to flow.

I have now uploaded 0.7.4.8 to unstable and would like to get win32-loader 
0.7.4.7+deb7u1 with the following changelog (no other change to source) as 
follows:

win32-loader (0.7.4.7+deb7u1) stable; urgency=low

  * Post-Wheezy release rebuild to update the embedded dependencies.

 -- Didier Raboud o...@debian.org  Mon, 03 Jun 2013 21:31:52 +0200

Can I go ahead with the upload?

Thanks in advance, cheers,

OdyX


Archive: http://lists.debian.org/201306032141.53280.o...@debian.org



Bug#706598: tpu: win32-loader/0.7.4.7

2013-05-02 Thread Didier 'OdyX' Raboud
On Thursday, 2 May 2013 15.08:05, Julien Cristau wrote:
  Usertags: tpu
 
 There's no such usertag.

Damn. Trying to get inspiration from existing requests doesn't work well 
apparently.

  What do you think ?
 
 I think come back for r1.

Fair enough. An upload to unstable would be good to have anyway, no? People 
could then test it with pre-release-almost-wheezy material before the stream 
of updates to unstable starts to flow.

Cheers,

OdyX




debootstrap upload dropping InRelease handling ?

2013-04-04 Thread Didier 'OdyX' Raboud
Hi -boot, -release and Julien,

as far as I read the flow of bugs on -boot, debootstrap is still affected by 
#703889 which really needs fixing for a sane Wheezy. The patches stacked on 
the debootstrap git repository (which drop the InRelease handling, as was done 
in apt, attached) look sane to me. I have tested the patched debootstrap in 
the two usual situations (d-i context, normal context) and it just worked, so 
I'm in favour of pushing this to sid ASAP: it can't really be worse than now, 
and we can still fix any breakage afterwards.

I do volunteer to upload debootstrap as is on the git repository to help 
getting this fixed soon (if that helps); please comment.

Please 

OdyX
From 56cd612223507d9744224ec4d7c0aa9c06cc9985 Mon Sep 17 00:00:00 2001
From: Julien Cristau jcris...@debian.org
Date: Mon, 25 Mar 2013 14:31:44 +0100
Subject: [PATCH] Disable InRelease support.

gpgv won't give us back the signed data, and full gpg is not available
inside d-i (closes: #703889).
---
 debian/changelog |7 +++
 debian/control   |4 ++--
 functions|   47 +--
 3 files changed, 22 insertions(+), 36 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 97d9789..8dc903e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+debootstrap (1.0.48) UNRELEASED; urgency=low
+
+  * Disable InRelease support.  gpgv won't give us back the signed data, and
+full gpg is not available inside d-i (closes: #703889).
+
+ -- Julien Cristau jcris...@debian.org  Mon, 25 Mar 2013 14:16:19 +0100
+
 debootstrap (1.0.47) unstable; urgency=low
 
   * Team upload
diff --git a/debian/control b/debian/control
index 41af2df..0894e08 100644
--- a/debian/control
+++ b/debian/control
@@ -10,8 +10,8 @@ Vcs-Git: git://git.debian.org/d-i/debootstrap.git
 
 Package: debootstrap
 Architecture: all
-Depends: ${misc:Depends}, wget, gnupg
-Recommends: ${keyring}
+Depends: ${misc:Depends}, wget
+Recommends: gnupg, ${keyring}
 Description: Bootstrap a basic Debian system
  debootstrap is used to create a Debian base system from scratch,
  without requiring the availability of dpkg or apt. It does this by
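Review bot: demoting gnupg from Depends to Recommends means an install without recommended packages no longer pulls it in, while the functions hunk of this same patch still calls gpgv whenever a keyring is set. Please confirm that gpgv stays available through another dependency, or make its absence a hard error rather than a check that quietly fails, and mention the dependency change in the changelog entry, which currently describes only the InRelease removal.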
diff --git a/functions b/functions
index 1dc0f87..068aa06 100644
--- a/functions
+++ b/functions
@@ -503,60 +503,39 @@ download_release_sig () {
local m1=$1
local reldest=$2
local relsigdest=$3
-   local release_file_variant=$4
 
if [ -n $KEYRING ]  [ -z $DISABLE_KEYRING ]; then
-   if [ $release_file_variant != IN ]; then
-   progress 0 100 DOWNRELSIG Downloading Release file 
signature
-   progress_next 50
-   get $m1/dists/$SUITE/Release.gpg $relsigdest 
nocache ||
-   error 1 NOGETRELSIG Failed getting release 
signature file %s \
-   $m1/dists/$SUITE/Release.gpg
-   progress 50 100 DOWNRELSIG Downloading Release file 
signature
-   fi
+   progress 0 100 DOWNRELSIG Downloading Release file signature
+   progress_next 50
+   get $m1/dists/$SUITE/Release.gpg $relsigdest nocache ||
+   error 1 NOGETRELSIG Failed getting release signature 
file %s \
+   $m1/dists/$SUITE/Release.gpg
+   progress 50 100 DOWNRELSIG Downloading Release file signature
 
info RELEASESIG Checking Release signature
# Don't worry about the exit status from gpgv; parsing the 
output will
# take care of that.
-   if [ $release_file_variant = IN ]; then
-   (gpgv --status-fd 1 --keyring $KEYRING 
--ignore-time-conflict \
-$relsigdest || true) | read_gpg_status
-   else
-   (gpgv --status-fd 1 --keyring $KEYRING 
--ignore-time-conflict \
-$relsigdest $reldest || true) | read_gpg_status
-   fi
+   (gpgv --status-fd 1 --keyring $KEYRING --ignore-time-conflict 
\
+$relsigdest $reldest || true) | read_gpg_status
progress 100 100 DOWNRELSIG Downloading Release file signature
elif [ -z $DISABLE_KEYRING ]  [ -n $KEYRING_WANTED ]; then
warning KEYRING Cannot check Release signature; keyring file 
not available %s $KEYRING_WANTED
fi
-   if [ $release_file_variant = IN ]; then
-   rm -f $reldest
-gpg --output $reldest --decrypt --keyring $KEYRING 
--ignore-time-conflict $relsigdest
-   fi
 }
 
 download_release_indices () {
local m1=${MIRRORS%% *}
local reldest=$TARGET/$($DLDEST rel $SUITE $m1 
dists/$SUITE/Release)
-   local inreldest=$TARGET/$($DLDEST rel $SUITE $m1 
dists/$SUITE/InRelease)
local relsigdest
-   local release_file_variant=IN
progress 0 100 DOWNREL Downloading Release file
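Review bot: with the InRelease branch removed, authentication rests on the retained "(gpgv --status-fd 1 ... || true) | read_gpg_status" line, which deliberately discards gpgv's exit status; that is only safe if read_gpg_status treats the absence of a valid-signature status as fatal, which this hunk does not show. The "elif" branch also still reduces a missing keyring to a warning, after which download_release_sig returns without having checked anything. Neither behaviour is introduced here, but since this patch reshapes the verification path a comment stating both would help. Also check that callers of download_release_sig no longer pass a fourth argument now that "local release_file_variant=$4" is gone.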

Bug#677795: Several packaging related errors

2013-03-25 Thread Didier 'OdyX' Raboud
Hi all,

I just stumbled upon this release-critical bug, #677795. As I read it, the 
package had several packaging-related issues summing up to that serious bug, 
filed two weeks before the freeze. Since then, in September, a package 
supposedly fixing these issues has been uploaded and queued in NEW [0]; it 
hasn't been liberated from NEW yet. From here, I see three ways forward:

a) a new package enters unstable, and then Wheezy, but that seems unlikely;
b) midgard2-core and php5-midgard2 are removed from Wheezy, thereby removing
   the RC bug.
c) that bug either gets downgraded to non-RC severity, or tagged wheezy-ignore
   by the release team.

As I think the concerns originally leading to the severity of that bug are 
correct, I would rather be of the opinion to drop the two packages. Release 
team: what's your opinion ?

Cheers,

OdyX

[0] http://ftp-master.debian.org/new/midgard2-core_10.05.7.1-2.html


Archive: http://lists.debian.org/201303251530.58764.o...@debian.org



Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-03-11 Thread Didier 'OdyX' Raboud
Hi Thomas, hi Release Team, hi Moodle maintainers.

On Thursday, 28 February 2013 18.00:19, Didier 'OdyX' Raboud wrote:
> So please just re-issue a correctly-versioned Debian package and I'll
> upload it to unstable (then we'll take a look at the package for
> testing-proposed-updates).

Given that:

a) we fail at releasing Moodle updates to unstable in a timely manner (and I
   have my share of the fault here);
b) we consequently fail at releasing Moodle security updates to wheezy in a
   timely manner (this unblock is opened for almost two months);
c) Moodle 2.2 is already not supported anymore by Moodle HQ for anything (not
   even security), according to [0];
   Furthermore on that point, as far as I can see, there is no one taking
   responsibility to handle Moodle 2.2 security on the long term (Moodle in
   Wheezy will need to be security-handled for roughly three years, yet it is
   _already_ not supported).
d) there are (in my opinion) not enough people behind the maintenance of
   Moodle-in-Debian: Thomas is a good DM, but he's mostly alone, and I'm not
   willing to get more involved.

So as much as I find that unfortunate, I think that the best solution for all 
of Moodle, Moodle-in-Debian and Debian, is to not ship Moodle 2.2 in Wheezy.

Thomasz, as you're the actual de-facto maintainer, please voice your opinion 
as I have voiced mine: the decision is in the hands of the Release Team I 
guess.

Cheers

OdyX




Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-03-11 Thread Didier 'OdyX' Raboud
Sorry, missed my footnote:

On Monday, 11 March 2013 10.49:49, Didier 'OdyX' Raboud wrote:
> c) Moodle 2.2 is already not supported anymore by Moodle HQ for anything
> (not even security), according to [0];

[0] http://docs.moodle.org/dev/Releases#Moodle_2.2

That allows me to correct what I wrote earlier: Moodle 2.2 is not yet out-
of-security support, but it will undoubtedly be from June 2013 on, which is 
still very early in the Wheezy-as-stable lifecycle.

Cheers,

OdyX


Archive: http://lists.debian.org/20130303.43179.o...@debian.org



Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-02-28 Thread Didier 'OdyX' Raboud
Hi Thomasz,

On Wednesday, 23 January 2013 23.57:39, Jonathan Wiltshire wrote:
> > On Saturday, 19 January 2013 14.37:39, Tomasz Muras wrote:
> > > CVE numbers added, new changelog entry copied below for your
> > > convenience. MSA-13-0001 has no CVE assigned. Newest package available
> > > at: dget http://dev.agilesparkle.com/moodle_2.2.3.dfsg-2.6~wheezy2.dsc
> >
> > Seems good to me; now waiting on the release team's opinion
>
> I would be happy to accept the patches proposed, but they need fixing in
> unstable first if they have not been already.

Did you plan to prepare an update for Moodle 2.2 on unstable ? It would be 
good to get the latest security fixes in unstable soon and then to wheezy.

Cheers,

OdyX


Archive: http://lists.debian.org/201302281303.26215.o...@debian.org



Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-02-28 Thread Didier 'OdyX' Raboud
Hi Thomas, and thanks for this package,

sorry for my misguided mail earlier, apparently yours just missed my inbox.

On Monday, 28 January 2013 18.38:49, Tomasz Muras wrote:
> The package for unstable is available at:
> dget http://dev.agilesparkle.com/moodle_2.2.7.dfsg-1.dsc
>
> Please review & upload to unstable. It contains all upstream fixes +
> CURL issue patch.

One important thing: this is not Moodle 2.2.7. That's the weekly release of 
Moodle 2.2, released after 2.2.7. So the version is IMHO wrong and should 
instead be something like 2.2.7+20130125.dfsg-1 .

Even if I usually try to stick to released tarballs, in the specific case of 
Moodle I'm fine with releasing weekly snapshots, but they must be versioned 
correctly. Other than that, the package looks good to me, besides the usual-
but-not-worse-than-before embedded libraries such as TinyMCE (3.4.9, 
tiny_mce.js, tiny_mce_popup.js and tiny_mce_src.js), HTMLPurifier.php and YUI 
(3.4.1).

So please just re-issue a correctly-versioned Debian package and I'll upload 
it to unstable (then we'll take a look at the package for testing-proposed-
updates).

OdyX


Archive: http://lists.debian.org/201302281800.19687.o...@debian.org



Bug#701811: unblock: cups/1.5.3-2.15

2013-02-27 Thread Didier 'OdyX' Raboud
On Wednesday, 27 February 2013 14.12:40, Adam D. Barratt wrote:
> On 27.02.2013 12:33, Didier Raboud wrote:
> > This upload fixes the following bugs:
> >
> > * #700961 AirPrint doesn't work on iOS 6 device. RC because it's a
> >   regression from Squeeze. RC because it's a regression from Squeeze.
>
> So RC you mentioned it twice? ;-)

Meh. Good catch though.

> Unblocked.

Thanks !

OdyX


Archive: http://lists.debian.org/201302271424.22427.o...@debian.org



Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-01-20 Thread Didier 'OdyX' Raboud
Hi Tomasz,

On Saturday, 19 January 2013 14.37:39, Tomasz Muras wrote:
> CVE numbers added, new changelog entry copied below for your
> convenience. MSA-13-0001 has no CVE assigned. Newest package available at:
> dget http://dev.agilesparkle.com/moodle_2.2.3.dfsg-2.6~wheezy2.dsc

Seems good to me; now waiting on the release team's opinion

> > Please also prepare an update of Moodle 2.2.6+ for unstable to ensure
> > that unstable gets the fixes targeted for Wheezy too. As unstable
> > already diverged from the wheezy version, I think updating the unstable
> > packaging to the latest 2.2 version is safe. I will also sponsor this
> > version (after review, of course).
>
> I want to move to the latest 2.4 in unstable, I'm just waiting for
> wheezy to be released to continue packaging work. I needed 2.2 in stable
> only because the upgrade path is 1.9 - 2.2 - 2.4.

Well… The policy is to have unstable at least as well supported security-wise 
as testing, so we need a latest 2.2 (or a 2.2 with backports of the fixes 
proposed for t-p-u) approximately in sync with the t-p-u upload; ideally 
before.

That said, I can prepare the 2.2 upload to unstable if you want, but I think 
it's a git merge away.

Cheers,

OdyX




Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2

2013-01-17 Thread Didier 'OdyX' Raboud
Control: retitle -1 tpu: package moodle/2.2.3.dfsg-2.6~wheezy2

(CC'ing the security team for information)

Hi Thomasz, and thanks for this upload proposal,

On Tuesday, 15 January 2013 22.35:54, Tomasz Muras wrote:
> Please unblock package moodle
>
> I am about to get new version of the package uploaded to
> testing-proposed-updates. The new version fixes a security issues from
> upstream release.

I will sponsor this upload once and if it gets accepted by the release team.

 diff -Nru moodle-2.2.3.dfsg/debian/changelog
 moodle-2.2.3.dfsg/debian/changelog
 --- moodle-2.2.3.dfsg/debian/changelog2012-12-31 18:26:26.0 
 +0100
 +++ moodle-2.2.3.dfsg/debian/changelog2013-01-15 22:29:57.0 
 +0100
 @@ -1,3 +1,17 @@
 +moodle (2.2.3.dfsg-2.6~wheezy2) testing-proposed-updates; urgency=low
 +
 +  * Backport security issues from upstream Moodle 2.2.7.
 +* MSA-13-0009: MDL-37467 - blog posts available via RSS after
 blogging disabled
 +* MSA-13-0007: MDL-36600 - course message sending CSRF
 +* MSA-13-0001: MDL-37283 - lack of sanitization for google
 spellchecker +* MSA-13-0003: MDL-36977 - moodle backup paths not
 validated properly +* MSA-13-0002: MDL-27619 - teachers can set
 outcomes to be standard when re-editing
 +* MSA-13-0004: MDL-33340 - activity report showing lastaccess even
 if field hidden
 +* MSA-13-0008: MDL-36620 - guest users can access RSS feed for site
 level blogs
 +* MSA-13-0005: MDL-35991 - open redirect issues
 +
 + -- Tomasz Muras nexor1...@gmail.com  Tue, 15 Jan 2013 20:43:50 +0100
 +
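
Review bot: the list of backported advisories runs from MSA-13-0001 to MSA-13-0009 but has no MSA-13-0006 line; if that advisory does not apply to the 2.2.3 code base, saying so in the entry saves the release team from asking, and if it does apply, its fix is missing from the upload. The first bullet also reads "Backport security issues", where "Backport fixes for security issues" is meant, and urgency=low is worth a second look for an entry that consists only of security fixes.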

Please include the CVEs in the changelog entry, as done for the latest entry: 
they are important for security problems tracking. They are available in the 
mail I forwarded to you in private. (CVE-2012-6098 to CVE-2012-6106).

Please also prepare an update of Moodle 2.2.6+ for unstable to ensure that 
unstable gets the fixes targeted for Wheezy too. As unstable already diverged 
from the wheezy version, I think updating the unstable packaging to the latest 
2.2 version is safe. I will also sponsor this version (after review, of 
course).

Cheers,

OdyX


Archive: http://lists.debian.org/201301171015.20868.o...@debian.org



Bug#697598: pu: package cups/1.4.4-7+squeeze3

2013-01-14 Thread Didier 'OdyX' Raboud
On Sunday, 13 January 2013 18.51:36, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sat, 2013-01-12 at 17:52 +0100, Didier 'OdyX' Raboud wrote:
> > On Saturday, 12 January 2013 16.07:45, Adam D. Barratt wrote:
> > > On Mon, 2013-01-07 at 14:37 +0100, Didier Raboud wrote:
> > > > As a followup to DSA-2600-1, I'd like to fix the bug left open by
> > > > this security update: the manpage for cups-files.conf was not
> > > > included in cups, see #697543. The security team (and I do agree)
> > > > doesn't see an emergency in solving that through a security upload
> > > > (see #697543#20 ), so here I am with a proposed-updates request.
> > >
> > > Please go ahead; thanks.
> >
> > Actually, I'd like additionally include both:
> > - the fix for #697860 (update german manpage translation)
> > - a small french manpage translation update
>
> Please go ahead; thanks.

Uploaded, thanks.

Cheers,

OdyX


Archive: http://lists.debian.org/201301141304.35382.o...@debian.org



Bug#697598: pu: package cups/1.4.4-7+squeeze3

2013-01-14 Thread Didier 'OdyX' Raboud
On Monday, 14 January 2013 23.12:05, Adam D. Barratt wrote:
> That debdiff is horrible. :-( (I realise much of it is noise with line
> numbers in the files changing.)

Yeah, sorry for that. The patch contains po files which get changed over time, 
creating unreadable diffs-of-diffs. I could have added a new patch but it 
doesn't make much sense. For Jessie I'm considering putting the verbatim po 
files in debian/whateva and handle symlinks with the patch, easing diff's 
reading. Slightly easing these situations, I hope

> Flagged for acceptance; thanks.

Thank you.

OdyX


Archive: http://lists.debian.org/201301150808.49853.o...@debian.org


