Bug#1040415: bullseye-pu: package pacemaker/2.1.5-1+deb12u1

2023-07-11 Thread Ferenc Wágner
"Adam D. Barratt"  writes:

> Assuming that all of the changes are in unstable (or not required
> there), please go ahead.

Hi Adam,

All three patches are cherry-picks (although one required manual
backporting) from 2.1.6, which is already in testing.
Source-only upload done, hope it's all right.
-- 
Thanks,
Feri.



Bug#1040415: bullseye-pu: package pacemaker/2.1.5-1+deb12u1

2023-07-09 Thread Ferenc Wágner
Control: tag -1 - confirmed

Jonathan Wiltshire  writes:

> On Wed, Jul 05, 2023 at 07:14:09PM +0200, Ferenc Wágner wrote:
>
>> Shortly after the release of bookworm we got a report that Pacemaker
>> regressed in certain migration scenarios when compared to the bullseye
>> version.  Upstream identified the cause (a bug already fixed in 2.1.6),
>> and after backporting the fix the submitter acknowledged that they can't
>> reproduce the bug anymore with the proposed packages.
>> https://bugs.clusterlabs.org/show_bug.cgi?id=5521
>> Pacemaker package bug opened after discussion on the mailing list:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040165
>
> Please go ahead, and bear in mind the upload window closes next weekend.

Thanks, Jonathan!  Does it mean that I have to upload before the 15th of July?

On the other hand, meanwhile upstream notified me that to fully fix this
bug I need to backport one more patch, which in turn required including
a third one.  So the debdiff grew a little, please reconfirm the upload:

$ debdiff pacemaker_2.1.5-1.dsc pacemaker_2.1.5-1+deb12u1.dsc
dpkg-source: warning: extracting unsigned source package 
(/home/wferi/ha/pacemaker/pacemaker_2.1.5-1.dsc)
diff -Nru pacemaker-2.1.5/debian/changelog pacemaker-2.1.5/debian/changelog
--- pacemaker-2.1.5/debian/changelog2023-01-22 16:38:34.0 +0100
+++ pacemaker-2.1.5/debian/changelog2023-07-09 23:10:45.0 +0200
@@ -1,3 +1,17 @@
+pacemaker (2.1.5-1+deb12u1) bookworm; urgency=medium
+
+  * [0c22be8] New patches fixing migration regression.
+Backport of https://github.com/ClusterLabs/pacemaker/pull/3020/ to
+Pacemaker 2.1.5 (without the CTS changes, which we don't ship):
+5754a2af9 Refactor: scheduler: improve xpath efficiency when unpacking
+3f6f524f1 Low: scheduler: unknown_on_node() should ignore pending actions
+ad9fd9548 Fix: scheduler: handle cleaned migrate_from history correctly
+The starting refactor is required by the other two patches, but the
+third patch still needed backporting.
+Thanks to Ken Gaillot (Closes: #1040165)
+
+ -- Ferenc Wágner   Sun, 09 Jul 2023 23:10:45 +0200
+
 pacemaker (2.1.5-1) unstable; urgency=medium
 
   * [5792d59] Work around lazy loading of GitHub release pages in watch file
diff -Nru pacemaker-2.1.5/debian/gbp.conf pacemaker-2.1.5/debian/gbp.conf
--- pacemaker-2.1.5/debian/gbp.conf 2023-01-22 13:10:39.0 +0100
+++ pacemaker-2.1.5/debian/gbp.conf 2023-07-09 22:33:06.0 +0200
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/bookworm
 upstream-branch = upstream/latest
 
 [import-orig]
diff -Nru 
pacemaker-2.1.5/debian/patches/Fix-scheduler-handle-cleaned-migrate_from-history-correct.patch
 
pacemaker-2.1.5/debian/patches/Fix-scheduler-handle-cleaned-migrate_from-history-correct.patch
--- 
pacemaker-2.1.5/debian/patches/Fix-scheduler-handle-cleaned-migrate_from-history-correct.patch
  1970-01-01 01:00:00.0 +0100
+++ 
pacemaker-2.1.5/debian/patches/Fix-scheduler-handle-cleaned-migrate_from-history-correct.patch
  2023-07-09 23:07:30.0 +0200
@@ -0,0 +1,30 @@
+From: Ken Gaillot 
+Date: Wed, 1 Feb 2023 17:12:13 -0600
+Subject: Fix: scheduler: handle cleaned migrate_from history correctly
+
+Fixes T623
+---
+ lib/pengine/unpack.c | 10 ++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/pengine/unpack.c b/lib/pengine/unpack.c
+index e9fcae1..99a2dc4 100644
+--- a/lib/pengine/unpack.c
 b/lib/pengine/unpack.c
+@@ -2937,6 +2937,16 @@ unpack_migrate_to_success(pe_resource_t *rsc, pe_node_t 
*node, xmlNode *xml_op,
+ }
+ 
+ } else { // Pending, or complete but erased
++
++/* If there is no history at all for the resource on an online 
target, then
++ * it was likely cleaned. Just return, and we'll schedule a probe. 
Once we
++ * have the probe result, it will be reflected in target_newer_state.
++ */
++if ((target_node != NULL) && target_node->details->online
++&& unknown_on_node(rsc, target)) {
++return;
++}
++
+ /* If the resource has newer state on the target, this migrate_to no
+  * longer matters for the target.
+  */
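Review bot: The added condition calls unknown_on_node(rsc, target) with two arguments, while the first debdiff posted to this bug called unknown_on_node(rsc->id, target, data_set), so this patch now builds only on top of the other patches named in the changelog. Make sure they come before it in debian/patches/series, and say in the patch header that it was adapted for 2.1.5, since the header still carries only the upstream author, date and subject.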
diff -Nru 
pacemaker-2.1.5/debian/patches/Low-scheduler-unknown_on_node-should-ignore-pending-actio.patch
 
pacemaker-2.1.5/debian/patches/Low-scheduler-unknown_on_node-should-ignore-pending-actio.patch
--- 
pacemaker-2.1.5/debian/patches/Low-scheduler-unknown_on_node-should-ignore-pending-actio.patch
  1970-01-01 01:00:00.0 +0100
+++ 
pacemaker-2.1.5/debian/patches/Low-scheduler-unknown_on_node-should-ignore-pending-actio.patch
  2023-07-09 23:07:30.0 +0200
@@ -0,0 +1,80 @@
+From: Ken Gaillot 
+Date: Thu, 2 Feb 2023 10:25:53 -0600
+Subject: Low: scheduler: unknown_on_node() should ignore pending actions
+
+Previously, unknown

Bug#1040415: bullseye-pu: package pacemaker/2.1.5-1+deb12u1

2023-07-05 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

Dear Stable Release Team,

[ Reason ]
Shortly after the release of bookworm we got a report that Pacemaker
regressed in certain migration scenarios when compared to the bullseye
version.  Upstream identified the cause (a bug already fixed in 2.1.6),
and after backporting the fix the submitter acknowledged that they can't
reproduce the bug anymore with the proposed packages.
https://bugs.clusterlabs.org/show_bug.cgi?id=5521
Pacemaker package bug opened after discussion on the mailing list:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040165

[ Impact ]
Core HA functionality is impacted, there's no easy way to work around
the problem.  Pacemaker 2.1.5-1 is unsuitable for a big portion of its
intended applications.

[ Tests ]
The submitter tested and confirmed the fix.

[ Risks ]
The patch is small but the backport wasn't trivial due to extensive
refactorings meanwhile.  I asked upstream to sanity-check it, but
haven't got a reply yet.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

$ debdiff pacemaker_2.1.5-1.dsc pacemaker_2.1.5-1+deb12u1.dsc
diff -Nru pacemaker-2.1.5/debian/changelog pacemaker-2.1.5/debian/changelog
--- pacemaker-2.1.5/debian/changelog2023-01-22 16:38:34.0 +0100
+++ pacemaker-2.1.5/debian/changelog2023-07-02 21:39:59.0 +0200
@@ -1,3 +1,11 @@
+pacemaker (2.1.5-1+deb12u1) bookworm; urgency=medium
+
+  * [20411a8] New patch: Fix: scheduler: handle cleaned migrate_from history
+correctly.
+Thanks to Ken Gaillot (Closes: #1040165)
+
+ -- Ferenc Wágner   Sun, 02 Jul 2023 21:39:59 +0200
+
 pacemaker (2.1.5-1) unstable; urgency=medium

   * [5792d59] Work around lazy loading of GitHub release pages in watch file
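Review bot: The first line of the new entry targets bookworm and the version suffix is +deb12u1, matching the "Tags: bookworm" header, but the bug is titled bullseye-pu. Retitle the request to bookworm-pu so that it is tracked against the suite the upload is actually meant for.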
diff -Nru pacemaker-2.1.5/debian/gbp.conf pacemaker-2.1.5/debian/gbp.conf
--- pacemaker-2.1.5/debian/gbp.conf 2023-01-22 13:10:39.0 +0100
+++ pacemaker-2.1.5/debian/gbp.conf 2023-07-02 21:39:59.0 +0200
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/bookworm
 upstream-branch = upstream/latest

 [import-orig]
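Review bot: The debian-branch switch here is not mentioned in the new changelog entry, which lists only the scheduler patch, although the checklist marks "*all* changes are documented in the d/changelog" as done. Add a changelog line for the packaging branch change, and for the RELEASE: bookworm line added to debian/salsa-ci.yml further down, or untick that checklist item.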
diff -Nru 
pacemaker-2.1.5/debian/patches/Fix-scheduler-handle-cleaned-migrate_from-history-correct.patch
 
pacemaker-2.1.5/debian/patches/Fix-scheduler-handle-cleaned-migrate_from-history-correct.patch
--- 
pacemaker-2.1.5/debian/patches/Fix-scheduler-handle-cleaned-migrate_from-history-correct.patch
  1970-01-01 01:00:00.0 +0100
+++ 
pacemaker-2.1.5/debian/patches/Fix-scheduler-handle-cleaned-migrate_from-history-correct.patch
  2023-07-02 21:39:59.0 +0200
@@ -0,0 +1,30 @@
+From: Ken Gaillot 
+Date: Wed, 1 Feb 2023 17:12:13 -0600
+Subject: Fix: scheduler: handle cleaned migrate_from history correctly
+
+Fixes T623
+---
+ lib/pengine/unpack.c | 10 ++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/pengine/unpack.c b/lib/pengine/unpack.c
+index 5fcba3b..abfd06f 100644
+--- a/lib/pengine/unpack.c
 b/lib/pengine/unpack.c
+@@ -2920,6 +2920,16 @@ unpack_migrate_to_success(pe_resource_t *rsc, pe_node_t 
*node, xmlNode *xml_op,
+ }
+
+ } else { // Pending, or complete but erased
++
++/* If there is no history at all for the resource on an online 
target, then
++ * it was likely cleaned. Just return, and we'll schedule a probe. 
Once we
++ * have the probe result, it will be reflected in target_newer_state.
++ */
++if ((target_node != NULL) && target_node->details->online
++&& unknown_on_node(rsc->id, target, data_set)) {
++return;
++}
++
+ /* If the resource has newer state on the target, this migrate_to no
+  * longer matters for the target.
+  */
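Review bot: The patch header gives only Ken Gaillot's original From, Date and Subject plus "Fixes T623", yet the Risks section says the backport was not trivial. Record in the header that the patch was modified for 2.1.5 and which upstream commit it derives from, so that a later reader comparing the call unknown_on_node(rsc->id, target, data_set) with upstream knows the difference is intentional.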
diff -Nru pacemaker-2.1.5/debian/patches/series 
pacemaker-2.1.5/debian/patches/series
--- pacemaker-2.1.5/debian/patches/series   2023-01-22 13:31:42.0 
+0100
+++ pacemaker-2.1.5/debian/patches/series   2023-07-02 21:39:59.0 
+0200
@@ -5,3 +5,4 @@
 Shipping-the-CTS-is-not-useful.patch
 Always-run-Inkscape-under-the-C.UTF-8-locale.patch
 Fix-typos-resouce-resource.patch
+Fix-scheduler-handle-cleaned-migrate_from-history-correct.patch
diff -Nru pacemaker-2.1.5/debian/salsa-ci.yml 
pacemaker-2.1.5/debian/salsa-ci.yml
--- pacemaker-2.1.5/debian/salsa-ci.yml 2023-01-22 13:10:39.0 +0100
+++ pacemaker-2.1.5/debian/salsa-ci.yml 2023-07-02 21:39:59.0 +0200
@@ -5,6 +5,7 @@

 variables:
   SALSA_CI_REPROTEST_ENABLE_DIFFOSCOPE: 1
+  RELEASE: bookworm

 autopkgtest:
   extends: .test-autopkgtest
-- 
Thanks,
Feri.


Bug#1029566: transition: shibboleth-sp

2023-01-31 Thread Ferenc Wágner
Ferenc Wágner  writes:

> Sebastian Ramacher  writes:
>
>> ACK, please go ahead.
>
> Great, shibboleth-sp was uploaded and is already fully green in the
> transition tracker.  Please schedule the binNMUs for
> shibboleth-resolver.

Hi,

The transition tracker is already all green.
-- 
Thanks for your help!
Feri.



Bug#1029566: transition: shibboleth-sp

2023-01-30 Thread Ferenc Wágner
Sebastian Ramacher  writes:

> ACK, please go ahead.

Great, shibboleth-sp was uploaded and is already fully green in the
transition tracker.  Please schedule the binNMUs for
shibboleth-resolver.
-- 
Thanks,
Feri.



Bug#1029566: transition: shibboleth-sp

2023-01-29 Thread Ferenc Wágner
control: tags -1 - moreinfo

Sebastian Ramacher  writes:

> On 2023-01-24 17:17:36 +0100, Ferenc Wágner wrote:
>
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: transition
>> 
>> When reporting #1028286 (transition: xml-security-c) I totally missed
>> that one of the mentioned planned upper layer uploads is the
>> shibboleth-sp 3.3 -> 3.4 upgrade, which, contrary to the xml-security-c
>> transition, actually entails an SONAME change.  Since this wasn't
>> explicit in the original bug, we decided to ask for your ACK again.
>> As you can see in the autogenerated tracker at
>> https://release.debian.org/transitions/html/auto-shibboleth-sp.html,
>> there are only two reverse dependencies, both of which are internal to
>> the Shibboleth ecosystem (thus maintained by us) and both build without
>> changes against shibboleth-sp 3.4.1+dfsg-1.
>
> What would be the consequences of postponing this transition to trixie?

There are no significant functional changes in this transition.  Our
main reason for proposing it is to ship bookworm with the "current
stable release" as much as possible, because upstream provides security
support for the latest two stable releases only [1], and Shibboleth,
being security software, heavily depends on being patched in a timely
manner to stay useful.  While upstream actively works with us on
preparing updates during the embargo periods, this may not be enough if
we have to backport the fixes ourselves, so we strive to minimize such
exposure.  Since this transition affects only two packages, which we
need to rebuild anyway, we'd welcome the additional safety this upgrade
would mean in providing security support for bookworm.

[1] 
https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/1134625008/ProductVersioning
-- 
Best regards,
Feri.



Bug#1029566: transition: shibboleth-sp

2023-01-24 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release Team,

When reporting #1028286 (transition: xml-security-c) I totally missed
that one of the mentioned planned upper layer uploads is the
shibboleth-sp 3.3 -> 3.4 upgrade, which, contrary to the xml-security-c
transition, actually entails an SONAME change.  Since this wasn't
explicit in the original bug, we decided to ask for your ACK again.
As you can see in the autogenerated tracker at
https://release.debian.org/transitions/html/auto-shibboleth-sp.html,
there are only two reverse dependencies, both of which are internal to
the Shibboleth ecosystem (thus maintained by us) and both build without
changes against shibboleth-sp 3.4.1+dfsg-1.

Ben file:

title = "shibboleth-sp";
is_affected = .depends ~ "libshibsp10" | .depends ~ "libshibsp11";
is_good = .depends ~ "libshibsp11";
is_bad = .depends ~ "libshibsp10";



Bug#1028286: transition: xml-security-c

2023-01-09 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release Team,

In a recent message [1] Shibboleth upstream strongly recommended
building xml-security-c without Xalan support to reduce the attack
surface of Shibboleth installations, because Xalan is dead upstream and
pulling it in carries a considerable risk.  The Shibboleth stack is the
only consumer of the xml-security-c library in Debian, so we'd like to
follow upstream's recommendation.  This means flipping a configure
switch, which removes some features (and a dependency) of the library,
but does not change the library SONAME.  The resulting new library
version is usable as-is by the upper layers of Shibboleth stack, which
does not use the dropped functionality, so this wouldn't be a transition
in that sense, but we (the Shibboleth packaging team) still wanted to
run this by you.  We don't expect any fallout, xml-security-c was built
without Xalan until version 2.0.2-2 without issues.  Some maintenance
uploads of the upper layers were planned and will be done anyway.

[1] 
https://alioth-lists.debian.net/pipermail/pkg-shibboleth-devel/2023-January/005929.html

Unusable Ben file:

title = "xml-security-c";
is_affected = .depends ~ "libxml-security-c20" | .depends ~ 
"libxml-security-c20";
is_good = .depends ~ "libxml-security-c20";
is_bad = .depends ~ "libxml-security-c20";



Bug#987941: buster-pu: package pacemaker/2.0.1-5+deb10u2

2022-08-07 Thread Ferenc Wágner
"Adam D. Barratt"  writes:

> I'm not hugely happy that this has ended up not being in stretch, to
> be quite honest.

Agreed.  I was pushing for it in vain, unfortunately.

> We're in the process of organising the final point release for buster,
> as support for it moves over to the LTS team, so please go ahead.

Uploaded.

> +A new upstream release instroduced as security update 1.1.24-
> 0+deb9u1 in
>
> s/instroduced/introduced/

With this fix included.
-- 
Thanks,
Feri



Bug#987941: buster-pu: package pacemaker/2.0.1-5+deb10u2

2021-05-02 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear Stable Release Team,

The latest stretch security upgrade broke the upgrade path to buster.
Since fixing that in stretch didn't get any traction (#981088), we have
to fix this in buster, as put forward by Andreas Beckmann:

$ debdiff pacemaker_2.0.1-5+deb10u1.dsc pacemaker_2.0.1-5+deb10u2.dsc
diff -Nru pacemaker-2.0.1/debian/changelog pacemaker-2.0.1/debian/changelog
--- pacemaker-2.0.1/debian/changelog2020-11-07 20:21:48.0 +0100
+++ pacemaker-2.0.1/debian/changelog2021-03-28 03:21:46.0 +0200
@@ -1,3 +1,14 @@
+pacemaker (2.0.1-5+deb10u2) buster; urgency=medium
+
+  [ Andreas Beckmann ]
+  * [1088b23] pacemaker-resource-agents: Bump Breaks+Replaces: pacemaker to 
(<< 2)
+A new upstream release instroduced as security update 1.1.24-0+deb9u1 in
+stretch added the new file /usr/lib/ocf/resource.d/pacemaker/ifspeed to
+pacemaker, while it resides in pacemaker-resource-agents in buster.
+(Closes: #985173)
+
+ -- Ferenc Wágner   Sun, 28 Mar 2021 03:21:46 +0200
+
 pacemaker (2.0.1-5+deb10u1) buster-security; urgency=high

   * [bf23450] Apply patch series fixing CVE-2020-25654: ACL bypass.
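Review bot: Typo in the description line of the new entry: "instroduced" should be "introduced". The bullet line ending in "pacemaker to (<< 2)" also runs past 80 columns and is better wrapped before upload.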
diff -Nru pacemaker-2.0.1/debian/control pacemaker-2.0.1/debian/control
--- pacemaker-2.0.1/debian/control  2020-11-07 20:21:48.0 +0100
+++ pacemaker-2.0.1/debian/control  2021-03-28 03:19:48.0 +0200
@@ -84,9 +84,9 @@
  ${misc:Depends},
 # split out of pacemaker so that pacemaker-remote can also use them:
 Breaks:
- pacemaker (<< 1.1.14-2~),
+ pacemaker (<< 2),
 Replaces:
- pacemaker (<< 1.1.14-2~),
+ pacemaker (<< 2),
 Description: cluster resource manager general resource agents
  ${S:X-Common-Description}
  .
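Review bot: The new bound pacemaker (<< 2) in Breaks and Replaces no longer matches the comment above it, "split out of pacemaker so that pacemaker-remote can also use them", which explains only the old 1.1.14-2~ bound. Extend the comment in debian/control to say that the bound was raised because 1.1.24-0+deb9u1 in stretch ships /usr/lib/ocf/resource.d/pacemaker/ifspeed, so the reason is visible next to the relationship and not only in the changelog.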

I'm ready to upload if you agree.
-- 
Thanks,
Feri.


Bug#987662: unblock: shibboleth-sp/3.2.2+dfsg1-1

2021-04-27 Thread Ferenc Wágner
(m4)
diff -Nru shibboleth-sp-3.2.1+dfsg1/config_win32.h 
shibboleth-sp-3.2.2+dfsg1/config_win32.h
--- shibboleth-sp-3.2.1+dfsg1/config_win32.h2021-03-16 14:33:45.0 
+0100
+++ shibboleth-sp-3.2.2+dfsg1/config_win32.h2021-04-23 00:18:15.0 
+0200
@@ -121,13 +121,13 @@
 #define PACKAGE_NAME "shibboleth"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "shibboleth 3.2.1"
+#define PACKAGE_STRING "shibboleth 3.2.2"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "shibboleth-sp"
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "3.2.1"
+#define PACKAGE_VERSION "3.2.2"
 
 /* Define to the necessary symbol if this constant uses a non-standard name on
your system. */
@@ -140,7 +140,7 @@
 /* #undef TM_IN_SYS_TIME */
 
 /* Version number of package */
-#define VERSION "3.2.1"
+#define VERSION "3.2.2"
 
 /* Define to empty if `const' does not conform to ANSI C. */
 /* #undef const */
diff -Nru shibboleth-sp-3.2.1+dfsg1/debian/changelog 
shibboleth-sp-3.2.2+dfsg1/debian/changelog
--- shibboleth-sp-3.2.1+dfsg1/debian/changelog  2021-03-17 14:29:08.0 
+0100
+++ shibboleth-sp-3.2.2+dfsg1/debian/changelog  2021-04-27 12:11:06.0 
+0200
@@ -1,3 +1,20 @@
+shibboleth-sp (3.2.2+dfsg1-1) unstable; urgency=high
+
+  * [e44283d] New upstream release: 3.2.2
+High urgency because it fixes CVE-2021-31826:
+Session recovery feature contains a null pointer dereference
+The cookie-based session recovery feature added in V3.0 contains a
+flaw that is exploitable on systems *not* using the feature if a
+specially crafted cookie is supplied.
+This manifests as a crash in the shibd daemon.
+Because it is very simple to trigger this condition remotely, it
+results in a potential denial of service condition exploitable by
+a remote, unauthenticated attacker.
+Thanks to Scott Cantor (Closes: #987608)
+  * [3a6ac33] Refresh our patches
+
+ -- Ferenc Wágner   Tue, 27 Apr 2021 12:11:06 +0200
+
 shibboleth-sp (3.2.1+dfsg1-1) unstable; urgency=high
 
   * [4ecfe4a] New upstream release: 3.2.1
diff -Nru 
shibboleth-sp-3.2.1+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch 
shibboleth-sp-3.2.2+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch
--- 
shibboleth-sp-3.2.1+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch   
2021-03-17 14:26:00.0 +0100
+++ 
shibboleth-sp-3.2.2+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch   
2021-04-27 12:06:29.0 +0200
@@ -9,7 +9,7 @@
  1 file changed, 5 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index ddae588..ceb34a3 100644
+index 57dd2c0..7690d8c 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -940,15 +940,10 @@ AM_CONDITIONAL([GSSAPI_NAMINGEXTS],[test 
"x$ac_cv_have_decl_gss_get_name_attribu
diff -Nru 
shibboleth-sp-3.2.1+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch
 
shibboleth-sp-3.2.2+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch
--- 
shibboleth-sp-3.2.1+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch
2021-03-17 14:26:00.0 +0100
+++ 
shibboleth-sp-3.2.2+dfsg1/debian/patches/Use-runstatedir-from-future-Autoconf-2.70.patch
2021-04-27 12:06:29.0 +0200
@@ -37,7 +37,7 @@
  
  # If $DAEMON_USER is set, try to run shibd as that user.  However,
 diff --git a/shibsp/Makefile.am b/shibsp/Makefile.am
-index 9176c17..0dd24cb 100644
+index c3490e0..466c699 100644
 --- a/shibsp/Makefile.am
 +++ b/shibsp/Makefile.am
 @@ -282,7 +282,7 @@ libshibsp_lite_la_LIBADD = \
diff -Nru shibboleth-sp-3.2.1+dfsg1/shibboleth.spec.in 
shibboleth-sp-3.2.2+dfsg1/shibboleth.spec.in
--- shibboleth-sp-3.2.1+dfsg1/shibboleth.spec.in2020-12-15 
04:00:19.0 +0100
+++ shibboleth-sp-3.2.2+dfsg1/shibboleth.spec.in2021-04-23 
00:18:15.0 +0200
@@ -93,8 +93,8 @@
 Obsoletes: shibboleth-sp-devel = 2.5.0
 Requires:  libxerces-c-devel >= 3.2
 Requires:  libxml-security-c-devel >= 2.0.0
-Requires:  libxmltooling-devel >= 3.1.0
-Requires:  libsaml-devel >= 3.1.0
+Requires:  libxmltooling-devel >= 3.2.0
+Requires:  libsaml-devel >= 3.2.0
 %{?_with_log4cpp:Requires: liblog4cpp-devel >= 1.0}
 %{!?_with_log4cpp:Requires: liblog4shib-devel >= 2}
 
@@ -481,6 +481,9 @@
 %doc %{pkgdocdir}/api
 
 %changelog
+* Thu Apr 22 2021 Scott Cantor  - 3.2.2-1
+- Fix devel dependency versions
+
 * Tue Dec 1 2020 Scott Cantor  - 3.2.0-1
 - Version and lib bump
 
diff -Nru shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2Logout.cpp 
shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2Logout.cpp
--- shibboleth-sp-3.2.1+dfsg1/shibsp/handler/impl/SAML2Logout.cpp   
2020-03-18 19:45:13.0 +0100
+++ shibboleth-sp-3.2.2+dfsg1/shibsp/handler/impl/SAML2Logout.cpp   
2

Bug#985772: unblock: shibboleth-sp/3.2.1+dfsg1-1

2021-03-23 Thread Ferenc Wágner
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3540,7 +3540,7 @@
 
 # Define the identity of the package.
  PACKAGE='shibboleth-sp'
- VERSION='3.2.0'
+ VERSION='3.2.1'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -24274,7 +24274,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by shibboleth $as_me 3.2.0, which was
+This file was extended by shibboleth $as_me 3.2.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -24340,7 +24340,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-shibboleth config.status 3.2.0
+shibboleth config.status 3.2.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru shibboleth-sp-3.2.0+dfsg1/configure.ac 
shibboleth-sp-3.2.1+dfsg1/configure.ac
--- shibboleth-sp-3.2.0+dfsg1/configure.ac  2020-12-08 16:33:28.0 
+0100
+++ shibboleth-sp-3.2.1+dfsg1/configure.ac  2021-03-16 14:33:31.0 
+0100
@@ -1,5 +1,5 @@
 AC_PREREQ([2.50])
-AC_INIT([shibboleth],[3.2.0],[https://issues.shibboleth.net/],[shibboleth-sp])
+AC_INIT([shibboleth],[3.2.1],[https://issues.shibboleth.net/],[shibboleth-sp])
 AC_CONFIG_SRCDIR(shibsp)
 AC_CONFIG_AUX_DIR(build-aux)
 AC_CONFIG_MACRO_DIR(m4)
diff -Nru shibboleth-sp-3.2.0+dfsg1/config_win32.h 
shibboleth-sp-3.2.1+dfsg1/config_win32.h
--- shibboleth-sp-3.2.0+dfsg1/config_win32.h2020-12-07 21:51:12.0 
+0100
+++ shibboleth-sp-3.2.1+dfsg1/config_win32.h2021-03-16 14:33:45.0 
+0100
@@ -121,13 +121,13 @@
 #define PACKAGE_NAME "shibboleth"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "shibboleth 3.2.0"
+#define PACKAGE_STRING "shibboleth 3.2.1"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "shibboleth-sp"
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "3.2.0"
+#define PACKAGE_VERSION "3.2.1"
 
 /* Define to the necessary symbol if this constant uses a non-standard name on
your system. */
@@ -140,7 +140,7 @@
 /* #undef TM_IN_SYS_TIME */
 
 /* Version number of package */
-#define VERSION "3.2.0"
+#define VERSION "3.2.1"
 
 /* Define to empty if `const' does not conform to ANSI C. */
 /* #undef const */
diff -Nru shibboleth-sp-3.2.0+dfsg1/debian/changelog 
shibboleth-sp-3.2.1+dfsg1/debian/changelog
--- shibboleth-sp-3.2.0+dfsg1/debian/changelog  2021-01-06 14:18:54.0 
+0100
+++ shibboleth-sp-3.2.1+dfsg1/debian/changelog  2021-03-17 14:29:08.0 
+0100
@@ -1,3 +1,12 @@
+shibboleth-sp (3.2.1+dfsg1-1) unstable; urgency=high
+
+  * [4ecfe4a] New upstream release: 3.2.1
+High urgency because it contains the fix for the phishing vulnerability
+https://shibboleth.net/community/advisories/secadv_20210317.txt.
+  * [80b3470] Refresh our patches
+
+ -- Ferenc Wágner   Wed, 17 Mar 2021 14:29:08 +0100
+
 shibboleth-sp (3.2.0+dfsg1-2) unstable; urgency=medium
 
   * [84158eb] Revert "New patch: Require XMLTooling and OpenSAML 3.2 via pkg
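Review bot: The new entry justifies urgency=high with the advisory URL alone and has no Closes: bug number or CVE identifier. If a Debian bug or CVE exists for secadv_20210317, add it to the entry so the fix can be matched to the tracker from the changelog.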
diff -Nru 
shibboleth-sp-3.2.0+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch 
shibboleth-sp-3.2.1+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch
--- 
shibboleth-sp-3.2.0+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch   
2020-12-27 21:57:54.0 +0100
+++ 
shibboleth-sp-3.2.1+dfsg1/debian/patches/Clean-up-cxxtest-configuration.patch   
2021-03-17 14:26:00.0 +0100
@@ -9,7 +9,7 @@
  1 file changed, 5 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 385d11d..c278574 100644
+index ddae588..ceb34a3 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -940,15 +940,10 @@ AM_CONDITIONAL([GSSAPI_NAMINGEXTS],[test 
"x$ac_cv_have_decl_gss_get_name_attribu
diff -Nru shibboleth-sp-3.2.0+dfsg1/schemas/shibboleth-3.0-native-sp-config.xsd 
shibboleth-sp-3.2.1+dfsg1/schemas/shibboleth-3.0-native-sp-config.xsd
--- shibboleth-sp-3.2.0+dfsg1/schemas/shibboleth-3.0-native-sp-config.xsd   
2020-12-07 21:51:12.0 +0100
+++ shibboleth-sp-3.2.1+dfsg1/schemas/shibboleth-3.0-native-sp-config.xsd   
2021-03-16 15:21:18.0 +0100
@@ -9,7 +9,7 @@
elementFormDefault="qualified"
attributeFormDefault="unqualified"
blockDefault="substitution"
-   version="3.1">
+   version="3.2">
 
   http://www.w3.org/2000/09/xmldsig#; 
schemaLocation="xmldsig-core-schema.xsd" />
   
@@ -754,6 +754,7 @@
 
 
 
+
 
   
 
diff -Nru shibboleth-sp-3.2.0+dfsg1/shibboleth.spec 
shibboleth-sp-3.2.1+dfsg1/shibboleth.spec
--- shibboleth-sp-3.

Bug#984501: unblock: libqb/2.0.3-1

2021-03-04 Thread Ferenc Wágner
help in
- short | recursive ) echo "Configuration of libqb 2.0.2:";;
+ short | recursive ) echo "Configuration of libqb 2.0.3:";;
esac
   cat <<\_ACEOF
 
@@ -1649,7 +1649,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-libqb configure 2.0.2
+libqb configure 2.0.3
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2426,7 +2426,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by libqb $as_me 2.0.2, which was
+It was created by libqb $as_me 2.0.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4666,7 +4666,7 @@
 
 # Define the identity of the package.
  PACKAGE='libqb'
- VERSION='2.0.2'
+ VERSION='2.0.3'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -23074,7 +23074,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by libqb $as_me 2.0.2, which was
+This file was extended by libqb $as_me 2.0.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -23140,7 +23140,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-libqb config.status 2.0.2
+libqb config.status 2.0.3
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru libqb-2.0.2/debian/changelog libqb-2.0.3/debian/changelog
--- libqb-2.0.2/debian/changelog2020-12-26 16:07:32.0 +0100
+++ libqb-2.0.3/debian/changelog2021-03-04 06:11:31.0 +0100
@@ -1,3 +1,11 @@
+libqb (2.0.3-1) unstable; urgency=medium
+
+  * [f0b428b] New upstream release (2.0.3)
+  * [ff0eed7] Delete upstream patch, refresh the rest
+  * [bee0959] Acknowledge new symbols
+
+ -- Ferenc Wágner   Thu, 04 Mar 2021 06:11:31 +0100
+
 libqb (2.0.2-1) unstable; urgency=medium
 
   * [afb0870] libqb-tools took over qb-blackbox from libqb-dev (<< 2)
diff -Nru libqb-2.0.2/debian/libqb100.symbols 
libqb-2.0.3/debian/libqb100.symbols
--- libqb-2.0.2/debian/libqb100.symbols 2020-12-25 16:19:24.0 +0100
+++ libqb-2.0.3/debian/libqb100.symbols 2021-03-04 06:10:02.0 +0100
@@ -91,6 +91,7 @@
  qb_log_blackbox_open@Base 2.0.1
  qb_log_blackbox_print_from_file@Base 2.0.1
  qb_log_blackbox_write_to_file@Base 2.0.1
+ qb_log_callsite_get2@Base 2.0.3
  qb_log_callsite_get@Base 2.0.1
  qb_log_callsites_dump@Base 2.0.1
  qb_log_callsites_register@Base 2.0.1
@@ -114,6 +115,7 @@
  qb_log_format_init@Base 2.0.1
  qb_log_format_set@Base 2.0.1
  qb_log_from_external_source@Base 2.0.1
+ qb_log_from_external_source_va2@Base 2.0.3
  qb_log_from_external_source_va@Base 2.0.1
  qb_log_init@Base 2.0.1
  qb_log_priority2str@Base 2.0.1
diff -Nru 
libqb-2.0.2/debian/patches/doxygen2man-ignore-all-whitespace-brief-description.patch
 
libqb-2.0.3/debian/patches/doxygen2man-ignore-all-whitespace-brief-description.patch
--- 
libqb-2.0.2/debian/patches/doxygen2man-ignore-all-whitespace-brief-description.patch
2020-12-26 16:07:22.0 +0100
+++ 
libqb-2.0.3/debian/patches/doxygen2man-ignore-all-whitespace-brief-description.patch
1970-01-01 01:00:00.0 +0100
@@ -1,21 +0,0 @@
-From: =?utf-8?q?Ferenc_W=C3=A1gner?= 
-Date: Sat, 26 Dec 2020 16:06:28 +0100
-Subject: doxygen2man: ignore all-whitespace brief description
-

- doxygen2man/doxygen2man.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/doxygen2man/doxygen2man.c b/doxygen2man/doxygen2man.c
-index f7973fd..c1cb438 100644
 a/doxygen2man/doxygen2man.c
-+++ b/doxygen2man/doxygen2man.c
-@@ -756,7 +756,7 @@ static void print_manpage(char *name, char *def, char 
*brief, char *args, char *
-   fprintf(manfile, ".TH %s %s %s \"%s\" \"%s\"\n", allcaps(name), 
man_section, dateptr, package_name, header);
- 
-   fprintf(manfile, ".SH NAME\n");
--  if (brief) {
-+  if (brief && not_all_whitespace(brief)) {
-   fprintf(manfile, "%s \\- %s\n", name, brief);
-   } else {
-   fprintf(manfile, "%s\n", name);
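Review bot: The changelog calls this a deleted upstream patch, but the visible part of the debdiff does not show the not_all_whitespace(brief) check arriving in doxygen2man/doxygen2man.c of 2.0.3. Confirm that the 2.0.3 source contains the check before dropping the patch, and name the upstream commit in the changelog line.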
diff -Nru 
libqb-2.0.2/debian/patches/Fix-typos-and-inconsistencies-in-doxygen2man-help-text.patch
 
libqb-2.0.3/debian/patches/Fix-typos-and-inconsistencies-in-doxygen2man-help-text.patch
--- 
libqb-2.0.2/debian/patches/Fix-typos-and-inconsistencies-in-doxygen2man-help-text.patch
 2020-12-26 16:06:56.0 +0100
+++ 
libqb-2.0.3/debian/patches/Fix-typos-and-inconsistencies-in-doxygen2man-help-text.patch
 2021-03-04 05:50:39.0 +0100
@@ -7,10 +7,10 @@
  1 file changed, 9 insertions(+), 9 deletions(-)
 
 diff --git a/d

Bug#979320: transition: xmltooling

2021-01-05 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release Team,

The recent 3.2 release of the Shibboleth SP is a minor release, but due
to the internal structure of the stack it entails the usual three
transitions for xmltooling, opensaml and shibboleth-sp.  I'd like to do
successive sourceful uploads for these (the updated packages are already
in experimental).  The two other impacted packages build fine without any
change: shibboleth-resolver and moonshot-gss-eap.  The auto-{xmltooling,
opensaml,shibboleth-sp} trackers are good.  I'm ready to upload to
unstable on your word.
-- 
Thanks,
Feri.



Bug#978155: transition: libqb

2020-12-26 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release Team,

I'd like to transition to libqb version 2.  The dependency list is
fairly short, and mostly contains packages under the HA Team umbrella.
The only breakage is caused by symbols file changes, which I'm ready to
fix by sourceful uploads of corosync and pacemaker.  The kronosnet
package will also receive a sourceful upload to use the new binary
package doxygen2man.  Altogether I rebuilt the following packages in
preparation:

kronosnet (with source changes)
corosync (with source changes)
corosync-qdevice
pacemaker (with source changes)
dlm
booth
fence-virt
sbd
ocfs2-tools
lvm2
usbguard

The auto-libqb tracker seems usable, just too broad.

Ben file:

title = "libqb";
is_affected = .depends ~ "libqb0" | .depends ~ "libqb100";
is_good = .depends ~ "libqb100";
is_bad = .depends ~ "libqb0";

When you see fit, I'll upload libqb, kronosnet, corosync and pacemaker
in succession, then request the necessary binNMUs.
-- 
Thanks,
Feri.



Bug#964244: stretch-pu: package xml-security-c/1.7.3-4+deb9u2

2020-07-04 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear Stable Release Team,

There's an old bug reported against xml-security-c (#922984), which was fixed
in the 2.0 branch in buster but still lingers around in 1.7 in stretch.  I'm
ready to upload with the following debdiff:

$ debdiff xml-security-c_1.7.3-4+deb9u[23].dsc 
diff -Nru xml-security-c-1.7.3/debian/changelog 
xml-security-c-1.7.3/debian/changelog
--- xml-security-c-1.7.3/debian/changelog   2018-12-10 11:45:41.0 
+0100
+++ xml-security-c-1.7.3/debian/changelog   2020-07-04 12:47:24.0 
+0200
@@ -1,3 +1,10 @@
+xml-security-c (1.7.3-4+deb9u3) stretch; urgency=medium
+
+  * [02c3993] New patch: Fix a length bug in concat method.
+Thanks to Scott Cantor (Closes: #922984 )
+
+ -- Ferenc Wágner   Sat, 04 Jul 2020 12:47:24 +0200
+
 xml-security-c (1.7.3-4+deb9u2) stretch; urgency=medium
 
   * [12dd825] New patches: DSA verification crashes OpenSSL on invalid
diff -Nru 
xml-security-c-1.7.3/debian/patches/Fix-a-length-bug-in-concat-method.patch 
xml-security-c-1.7.3/debian/patches/Fix-a-length-bug-in-concat-method.patch
--- xml-security-c-1.7.3/debian/patches/Fix-a-length-bug-in-concat-method.patch 
1970-01-01 01:00:00.0 +0100
+++ xml-security-c-1.7.3/debian/patches/Fix-a-length-bug-in-concat-method.patch 
2020-07-04 12:47:01.0 +0200
@@ -0,0 +1,24 @@
+From: Scott Cantor 
+Date: Mon, 4 Sep 2017 18:41:41 +
+Subject: Fix a length bug in concat method.
+
+git-svn-id: 
https://svn.apache.org/repos/asf/santuario/xml-security-cpp/trunk@1807280 
13f79535-47bb-0310-9956-ffa450edef68
+
+Closes: #922984
+---
+ xsec/utils/XSECSafeBuffer.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xsec/utils/XSECSafeBuffer.cpp b/xsec/utils/XSECSafeBuffer.cpp
+index 71ae9a0..6d0798b 100644
+--- a/xsec/utils/XSECSafeBuffer.cpp
 b/xsec/utils/XSECSafeBuffer.cpp
+@@ -639,7 +639,7 @@ void safeBuffer::sbXMLChCat(const char * str) {
+ 
+   assert (t != NULL);
+ 
+-  len += XMLString::stringLen(t);
++  len += XMLString::stringLen(t) * size_XMLCh;
+   len += (xsecsize_t) (2 * size_XMLCh);
+ 
+   checkAndExpand(len);
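Review bot: the new `len += XMLString::stringLen(t) * size_XMLCh;` in sbXMLChCat turns a character count into a byte count, but the patch header and the changelog entry only say "a length bug". Since the next line adds `2 * size_XMLCh`, `len` is evidently in bytes, so the old code asked `checkAndExpand(len)` for too little room; the description for a stable update should say so, because that is what makes this a memory-safety fix. The multiplication also lacks the `(xsecsize_t)` cast used on the following line, so the two additions should be made consistent in type.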
diff -Nru xml-security-c-1.7.3/debian/patches/series 
xml-security-c-1.7.3/debian/patches/series
--- xml-security-c-1.7.3/debian/patches/series  2018-12-10 11:45:41.0 
+0100
+++ xml-security-c-1.7.3/debian/patches/series  2020-07-04 12:47:01.0 
+0200
@@ -24,3 +24,4 @@
 Default-KeyInfo-resolver-doesn-t-check-for-empty-element-.patch
 SANTUARIO-496-DSA-verification-crashes-OpenSSL-on-invalid.patch
 SANTUARIO-496-Prevent-KeyInfoResolver-returning-NONE-keys.patch
+Fix-a-length-bug-in-concat-method.patch


Bug#962659: transition: xmltooling

2020-06-11 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release Team,

The 3.1 release of the Shibboleth software stack changed the ABI and API
of all the components.  It's pretty self-contained in Debian, though.
The affected packages (xmltooling, opensaml, shibboleth-sp and
shibboleth-resolver) are all in experimental now, and moonshot-gss-eap
will only need a binnmu to complete the transition.

We're ready to upload to unstable if you agree.

Ben file:

title = "shibboleth31";
is_affected = .depends ~ "libxmltooling8" | .depends ~ "libsaml10" | .depends ~ 
"libshibsp8" | .depends ~ "libshibresolver2" | .depends ~ "libxmltooling9" | 
.depends ~ "libsaml11" | .depends ~ "libshibsp9" | .depends ~ 
"libshibresolver3";
is_good = .depends ~ "libxmltooling9" | .depends ~ "libsaml11" | .depends ~ 
"libshibsp9" | .depends ~ "libshibresolver3";
is_bad = .depends ~ "libxmltooling8" | .depends ~ "libsaml10" | .depends ~ 
"libshibsp8" | .depends ~ "libshibresolver2";

Thanks,
the Shibboleth packaging team.



Bug#950488: buster-pu: package kronosnet/1.8-2

2020-02-02 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear Stable Release Team,

I've got a bold request: please let me update Kronosnet in buster from
1.8-2 to 1.13-something to fix #946222.  During the buster freeze
period, upstream released 1.9 and 1.10, but those didn't bring important
fixes, so I didn't request freeze exceptions for them.  However, when
Proxmox VE 6.0 got released (based on Debian buster), their users
reported lots of intertwined bugs, and the developers iterated through
1.11, 1.12 and 1.13 in quick succession to fix them, see the linked
https://forum.proxmox.com/threads/pve-5-4-11-corosync-3-x-major-issues.56124.
From the announcements:

1.9, May 2019:
(https://lists.kronosnet.org/pipermail/devel/2019-May/77.html)
1.10, Jun 2019:
(https://lists.kronosnet.org/pipermail/devel/2019-June/78.html)

1.11, Aug 2019:
  Major bug fixes in the PMTUd code. MTU was not calculated correctly
  when using crypto and PMTUd would fail due to timeouts when using
  crypto and systems are overloaded. Thanks to the proxmox community for
  reporting the issues and testing pre-fixes.
  (https://lists.kronosnet.org/pipermail/devel/2019-August/79.html)

1.12, Sep 2019:
* IMPORTANT: any version prior to 1.12 has a memory corruption bug that
  could cause knet to crash or hung when the network is not stable for a
  long period of time. Please see
  https://github.com/kronosnet/kronosnet/issues/255 for details.
  If you are unable to upgrade to 1.12, please make sure to cherry pick
  https://github.com/kronosnet/kronosnet/commit/6a92361c7554c2aa7222d6f868e43704694683c7
  (stable branch) into your distribution as soon as possible.

1.13, Oct 2019:
* IMPORTANT/URGENT: fix defrag buffer reclaim logic that could lead knet
   to deliver corrupted data to the application (corosync or alike).
* IMPORTANT/URGENT: fix MTU boundary check on links with very high
   packet loss and avoid delivering corrupted (short) data to the
   application.
(https://lists.kronosnet.org/pipermail/devel/2019-October/81.html)

Since Proxmox upgraded Kronosnet to 1.13, things settled and seem to
work reliably.  But Debian stable users were left out in the cold, I had
to recommend installing Kronosnet for bullseye, which worked for some
time but isn't optimal, so eventually #946222 was filed.  Backports
would certainly be a possibility, but given that Kronosnet 1.8 in buster
isn't really usable for anything serious, I decided to ask for a stable
update first.  Of course this would include some unnecessary (but good)
changes as well; while it would be possible to cherry pick the relevant
commits only, that involves quite some back-and-forth stuff muddying the
waters and would result in a misleading version number as well.  Since
the only package depending on Kronosnet is Corosync, which is also under
the HA Team umbrella, I find the risk acceptable (and the pieces would
fall back on me after all).

Some upstream communication about cherry-picking possibilities:

https://github.com/kronosnet/kronosnet/pull/242
"the big fat PMTU patch is a very serious bug. [...] The previous patch
set was less invasive but still wrong [...] The last patch, while
invasive in the look, makes the code a lot simpler and functional"

https://github.com/kronosnet/kronosnet/pull/257#issuecomment-533054215
"please make sure to cherry pick this fix ASAP, also for Debian stable.
It's a bad crash and memory corrupter. [...] coverity scan fixes will
hit stable release in 1.12, I would wait to push them into a stable
update for Debian, they are super nice, but nothing critical enough to
force it.  For #242 I still strongly recommend to take the big patch.
It's been tested a lot now"
-- 
Looking forward to hearing your advice,
Feri.



Bug#950478: buster-pu: package corosync/3.0.1-2

2020-02-02 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Corosync upstream called my attention to an issue worth a stable update.
A potentially serious problem with a simple fix, which I backported to
the buster package:

$ debdiff corosync_3.0.1-2.dsc corosync_3.0.1-2+deb10u1.dsc
diff -Nru corosync-3.0.1/debian/changelog corosync-3.0.1/debian/changelog
--- corosync-3.0.1/debian/changelog 2019-02-04 00:31:24.0 +0100
+++ corosync-3.0.1/debian/changelog 2020-02-02 12:32:26.0 +0100
@@ -1,3 +1,11 @@
+corosync (3.0.1-2+deb10u1) buster; urgency=medium
+
+  * [f826af9] This branch is for buster updates
+  * [bfbfd3e] New patch: totemsrp: Reduce MTU to left room second mcast.
+Thanks to Jan Friesse (Closes: #950476)
+
+ -- Ferenc Wágner   Sun, 02 Feb 2020 12:32:26 +0100
+
 corosync (3.0.1-2) unstable; urgency=medium
 
   * [70f53cb] Switch to Debhelper level 12.
diff -Nru corosync-3.0.1/debian/gbp.conf corosync-3.0.1/debian/gbp.conf
--- corosync-3.0.1/debian/gbp.conf  2019-02-03 11:42:36.0 +0100
+++ corosync-3.0.1/debian/gbp.conf  2020-02-01 08:45:41.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/buster
 upstream-branch = upstream/latest
 
 [import-orig]
diff -Nru corosync-3.0.1/debian/patches/series 
corosync-3.0.1/debian/patches/series
--- corosync-3.0.1/debian/patches/series2019-02-03 11:42:36.0 
+0100
+++ corosync-3.0.1/debian/patches/series2020-02-02 12:31:51.0 
+0100
@@ -6,3 +6,4 @@
 AC_PROG_SED-is-already-present.patch
 Use-the-SED-variable-provided-by-configure.patch
 Use-the-AWK-variable-provided-by-configure.patch
+totemsrp-Reduce-MTU-to-left-room-second-mcast.patch
diff -Nru 
corosync-3.0.1/debian/patches/totemsrp-Reduce-MTU-to-left-room-second-mcast.patch
 
corosync-3.0.1/debian/patches/totemsrp-Reduce-MTU-to-left-room-second-mcast.patch
--- 
corosync-3.0.1/debian/patches/totemsrp-Reduce-MTU-to-left-room-second-mcast.patch
   1970-01-01 01:00:00.0 +0100
+++ 
corosync-3.0.1/debian/patches/totemsrp-Reduce-MTU-to-left-room-second-mcast.patch
   2020-02-02 12:31:51.0 +0100
@@ -0,0 +1,43 @@
+From: Jan Friesse 
+Date: Mon, 7 Oct 2019 15:26:22 +0200
+Subject: totemsrp: Reduce MTU to left room second mcast
+
+Messages sent during recovery phase are encapsulated so such message has
+extra size of mcast structure. This is not so big problem for UDPU,
+because most of the switches are able to fragment and defragment packet
+but it is problem for knet, because totempg is using maximum packet size
+(65536 bytes) and when another header is added during retransmition,
+then packet is too large.
+
+Solution is to reduce mtu by 2 * sizeof (struct mcast).
+
+Signed-off-by: Jan Friesse 
+Reviewed-by: Fabio M. Di Nitto 
+
+Closes: #950476
+---
+ exec/totemsrp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/exec/totemsrp.c b/exec/totemsrp.c
+index ab27924..d846a0f 100644
+--- a/exec/totemsrp.c
 b/exec/totemsrp.c
+@@ -805,7 +805,7 @@ static void totempg_mtu_changed(void *context, int net_mtu)
+ {
+   struct totemsrp_instance *instance = context;
+ 
+-  instance->totem_config->net_mtu = net_mtu - sizeof (struct mcast);
++  instance->totem_config->net_mtu = net_mtu - 2 * sizeof (struct mcast);
+ 
+   log_printf (instance->totemsrp_log_level_debug,
+   "Net MTU changed to %d, new value is %d",
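Review bot: in totempg_mtu_changed the expression `net_mtu - 2 * sizeof (struct mcast)` is evaluated as size_t because of the sizeof operand, so a `net_mtu` smaller than two mcast headers wraps to a very large value instead of going negative. A lower-bound check on `net_mtu` before the assignment (or an explicit signed computation followed by a sanity test) would make the reduced MTU safe to use.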
+@@ -5093,7 +5093,7 @@ void main_iface_change_fn (
+ }
+ 
+ void totemsrp_net_mtu_adjust (struct totem_config *totem_config) {
+-  totem_config->net_mtu -= sizeof (struct mcast);
++  totem_config->net_mtu -= 2 * sizeof (struct mcast);
+ }
+ 
+ void totemsrp_service_ready_register (
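Review bot: totemsrp_net_mtu_adjust repeats the literal `2 * sizeof (struct mcast)` already used in totempg_mtu_changed. A single named macro or helper, with a comment explaining the factor of two (the extra mcast header added when a message is encapsulated during recovery, per the commit message), would keep the two sites from drifting apart.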

I'm ready to upload if you agree.
-- 
Thanks,
Feri.


Bug#950139: buster-pu: package xmltooling/3.0.4-1

2020-01-29 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear Stable Release Team,

I'm looking for guidance first: I'd like to fix #950135 (libxmltooling8:
Race condition bug in new session cookie feature leads to SP crash) in
buster.  The actual upstream fix touches four lines:

diff --git a/xmltooling/security/impl/DataSealer.cpp 
b/xmltooling/security/impl/DataSealer.cpp
index c7ec7f9..aef85b7 100644
--- a/xmltooling/security/impl/DataSealer.cpp
+++ b/xmltooling/security/impl/DataSealer.cpp
@@ -156,8 +156,10 @@ string DataSealer::wrap(const char* s, time_t exp) const
 
 safeBuffer ciphertext;
 try {
+// Keys are not threadsafe, use a clone to encrypt.
+scoped_ptr clonedKey(defaultKey.second->clone());
 scoped_ptr 
method(XENCEncryptionMethod::create(env.get(), algorithm));
-if (!handler->encryptToSafeBuffer(, method.get(), 
defaultKey.second, dummydoc, ciphertext))
 {
+if (!handler->encryptToSafeBuffer(, method.get(), clonedKey.get(), 
dummydoc, ciphertext)) {
 throw XMLSecurityException("Data encryption failed.");
 }
 }
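Review bot: the added comment in DataSealer::wrap says keys are not threadsafe, yet `defaultKey.second->clone()` is itself called on the shared key from every thread. The patch should state, in the comment or the commit message, that clone() is safe to call concurrently; otherwise the race only moves from encryptToSafeBuffer into clone().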
@@ -235,8 +237,10 @@ string DataSealer::unwrap(const char* s) const
 unsigned int len = 0;
 safeBuffer plaintext;
 try {
+// Keys are not threadsafe, use a clone to decrypt.
+scoped_ptr clonedKey(requiredKey.second->clone());
 scoped_ptr 
method(XENCEncryptionMethod::create(env.get(), algorithm));
-len = handler->decryptToSafeBuffer(, method.get(), 
requiredKey.second, dummydoc, plaintext)
;
+len = handler->decryptToSafeBuffer(, method.get(), clonedKey.get(), 
dummydoc, plaintext);
 }
 catch (const XSECException& ex) {
 auto_ptr_char msg(ex.getMsg());
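Review bot: in DataSealer::unwrap the result of `requiredKey.second->clone()` goes straight into `clonedKey.get()` and on to decryptToSafeBuffer without a NULL check. If clone() can return NULL, throw an XMLSecurityException at that point, as the wrap path does for a failed encryption, rather than handing a null key to the handler; the same applies to the clone in wrap.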

Upstream cut a new release (3.0.5) for this fix specifically, but the
full diff between 3.0.4 and 3.0.5 is much longer due to changes in the
version number in several files, VC project files, generated Autotools
files, RPM spec file and Windows resource file.  Still not huge, and
most of that is entirely irrelevant for Debian.  But in the 3.0.5-1
upload I included some packaging changes (mainly autopkgtest and Salsa
CI, but also a no-effect upgrade to debhelper compat 12).  I guess you'd
rather not review all this in a stable update, right?  Then I'll add a
quilt patch and submit that, as you prefer.
-- 
Thanks,
Feri.



Bug#948715: stretch-pu: package xml-security-c/1.7.3-4+deb9u1

2020-01-12 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear Stable Release Team,

The Security Team declined handling #913136 via a security upload and
recommended the stable upgrade route instead.  So I retargeted the
upload; the debdiff below differs in the changelog header only.
I'm ready to upload if you agree.

Thanks for your consideration.
Feri.

$ debdiff xml-security-c_1.7.3-4+deb9u1.dsc xml-security-c_1.7.3-4+deb9u2.dsc
diff -Nru xml-security-c-1.7.3/debian/changelog 
xml-security-c-1.7.3/debian/changelog
--- xml-security-c-1.7.3/debian/changelog   2018-08-03 11:32:52.0 
+0200
+++ xml-security-c-1.7.3/debian/changelog   2018-12-10 11:45:41.0 
+0100
@@ -1,3 +1,20 @@
+xml-security-c (1.7.3-4+deb9u2) stretch; urgency=medium
+
+  * [12dd825] New patches: DSA verification crashes OpenSSL on invalid
+combinations of key content.
+Particular KeyInfo combinations result in incomplete DSA key structures
+that OpenSSL can't handle without crashing.  In the case of Shibboleth
+SP software this manifests as a crash in the shibd daemon.  Exploitation
+is believed to be possible only in deployments employing the PKIX trust
+engine, which is generally recommended against.
+The upstream patches backported from 2.0.2 apply analogous safeguards to
+the RSA and ECDSA key handling as well.
+Upstream bug: https://issues.apache.org/jira/browse/SANTUARIO-496
+CVE: not assigned
+Thanks to Scott Cantor (Closes: #913136)
+
+ -- Ferenc Wágner   Mon, 10 Dec 2018 11:45:41 +0100
+
 xml-security-c (1.7.3-4+deb9u1) stretch-security; urgency=high
 
   * [93b87c6] New patch: Default KeyInfo resolver doesn't check for empty
diff -Nru 
xml-security-c-1.7.3/debian/patches/SANTUARIO-496-DSA-verification-crashes-OpenSSL-on-invalid.patch
 
xml-security-c-1.7.3/debian/patches/SANTUARIO-496-DSA-verification-crashes-OpenSSL-on-invalid.patch
--- 
xml-security-c-1.7.3/debian/patches/SANTUARIO-496-DSA-verification-crashes-OpenSSL-on-invalid.patch
 1970-01-01 01:00:00.0 +0100
+++ 
xml-security-c-1.7.3/debian/patches/SANTUARIO-496-DSA-verification-crashes-OpenSSL-on-invalid.patch
 2018-12-10 11:45:41.0 +0100
@@ -0,0 +1,103 @@
+From: Scott Cantor 
+Date: Thu, 11 Oct 2018 15:13:40 +
+Subject: SANTUARIO-496 - DSA verification crashes OpenSSL on invalid
+ combinations of key content
+
+Backport of
+git-svn-id: 
https://svn.apache.org/repos/asf/santuario/xml-security-cpp/trunk@1843562 
13f79535-47bb-0310-9956-ffa450edef68
+---
+ xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.cpp | 12 
+ xsec/enc/OpenSSL/OpenSSLCryptoKeyEC.cpp  | 12 
+ xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.cpp | 12 
+ 3 files changed, 36 insertions(+)
+
+diff --git a/xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.cpp 
b/xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.cpp
+index 57999a2..5bdf133 100644
+--- a/xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.cpp
 b/xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.cpp
+@@ -164,6 +164,12 @@ bool OpenSSLCryptoKeyDSA::verifyBase64Signature(unsigned 
char * hashBuf,
+   "OpenSSL:DSA - Attempt to validate signature with empty 
key");
+   }
+ 
++XSECCryptoKey::KeyType keyType = getKeyType();
++if (keyType != KEY_DSA_PAIR && keyType != KEY_DSA_PUBLIC) {
++throw XSECCryptoException(XSECCryptoException::DSAError,
++"OpenSSL:DSA - Attempt to validate signature without public key");
++}
++
+ char* cleanedBase64Signature;
+   unsigned int cleanedBase64SignatureLen = 0;
+ 
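Review bot: this guard in verifyBase64Signature declares `XSECCryptoKey::KeyType keyType`, while the equivalent guards added to signBase64Signature and to OpenSSLCryptoKeyEC.cpp use plain `KeyType keyType`. Use one spelling throughout the patch so the three files stay easy to compare against the upstream change.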
+@@ -264,6 +270,12 @@ unsigned int 
OpenSSLCryptoKeyDSA::signBase64Signature(unsigned char * hashBuf,
+   "OpenSSL:DSA - Attempt to sign data with empty key");
+   }
+ 
++KeyType keyType = getKeyType();
++if (keyType != KEY_DSA_PAIR && keyType != KEY_DSA_PRIVATE) {
++throw XSECCryptoException(XSECCryptoException::DSAError,
++"OpenSSL:DSA - Attempt to sign data without private key");
++}
++
+   DSA_SIG * dsa_sig;
+ 
+   dsa_sig = DSA_do_sign(hashBuf, hashLen, mp_dsaKey);
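Review bot: the diffstat covers only the three OpenSSLCryptoKey*.cpp files, so the new `throw XSECCryptoException(...)` paths in signBase64Signature and in the verify functions ship without a regression test. A test that passes a key of the wrong type to each operation and expects the exception would guard this backport against later changes.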
+diff --git a/xsec/enc/OpenSSL/OpenSSLCryptoKeyEC.cpp 
b/xsec/enc/OpenSSL/OpenSSLCryptoKeyEC.cpp
+index 3233343..09ba69e 100644
+--- a/xsec/enc/OpenSSL/OpenSSLCryptoKeyEC.cpp
 b/xsec/enc/OpenSSL/OpenSSLCryptoKeyEC.cpp
+@@ -151,6 +151,12 @@ bool 
OpenSSLCryptoKeyEC::verifyBase64SignatureDSA(unsigned char * hashBuf,
+   "OpenSSL:EC - Attempt to validate signature with empty 
key");
+   }
+ 
++KeyType keyType = getKeyType();
++if (keyType != KEY_EC_PAIR && keyType != KEY_EC_PUBLIC) {
++throw XSECCryptoException(XSECCryptoException::ECError,
++"OpenSSL:EC - Attempt to validate signature without public key");
++}
++
+   char * cleanedBase64Signature;
+   unsigned int cleanedBase64SignatureLen = 0;
+ 
+@@ -225

Bug#930026: unblock: pacemaker/2.0.1-5

2019-06-05 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package pacemaker

Dear Release Team,

It turned out that the original upstream security fixes for #927714
(already contained in pacemaker 2.0.1-4 in testing) introduced some
bugs, which were fixed in three followup upstream patches.  These are
all lumped together in the proposed 1.1.16-1+deb9u1 security upload (see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927714#29).  The
following debdiff brings the above fixes of the fixes into buster as well:

diff -Nru pacemaker-2.0.1/debian/changelog pacemaker-2.0.1/debian/changelog
--- pacemaker-2.0.1/debian/changelog2019-05-12 14:23:41.0 +0200
+++ pacemaker-2.0.1/debian/changelog2019-06-02 14:01:06.0 +0200
@@ -1,3 +1,12 @@
+pacemaker (2.0.1-5) unstable; urgency=medium
+
+  * [17ae230] Backport three more patches from upstream fixing memory safety
+bugs.
+Clearing up fallout from the preceding security fixes.
+Thanks to Ken Gaillot 
+
+ -- Ferenc Wágner   Sun, 02 Jun 2019 14:01:06 +0200
+
 pacemaker (2.0.1-4) unstable; urgency=high
 
   * [54ace53] Fix check for already present statoverride.
diff -Nru 
pacemaker-2.0.1/debian/patches/from-upstream/Fix-libcrmcommon-avoid-use-of-NULL-when-checking-whether-.patch
 
pacemaker-2.0.1/debian/patches/from-upstream/Fix-libcrmcommon-avoid-use-of-NULL-when-checking-whether-.patch
--- 
pacemaker-2.0.1/debian/patches/from-upstream/Fix-libcrmcommon-avoid-use-of-NULL-when-checking-whether-.patch
1970-01-01 01:00:00.0 +0100
+++ 
pacemaker-2.0.1/debian/patches/from-upstream/Fix-libcrmcommon-avoid-use-of-NULL-when-checking-whether-.patch
2019-06-02 13:49:43.0 +0200
@@ -0,0 +1,22 @@
+From: Ken Gaillot 
+Date: Wed, 24 Apr 2019 16:25:46 -0500
+Subject: Fix: libcrmcommon: avoid use-of-NULL when checking whether process
+ is active
+
+---
+ lib/common/pid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/common/pid.c b/lib/common/pid.c
+index 2439680..4fbf2dd 100644
+--- a/lib/common/pid.c
 b/lib/common/pid.c
+@@ -57,7 +57,7 @@ crm_pid_active(long pid, const char *daemon)
+ } else if (rc == 0 && (daemon == NULL || have_proc_pid == -1)) {
+ return 1;  /* kill as the only indicator, cannot double check */
+ 
+-} else {
++} else if (daemon != NULL) {
+ /* make sure PID hasn't been reused by another process
+XXX: might still be just a zombie, which could confuse decisions */
+ bool checked_through_kill = (rc == 0);
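Review bot: changing the final `} else {` to `} else if (daemon != NULL) {` in crm_pid_active leaves the chain without a catch-all branch, and the hunk does not show what is returned when `daemon` is NULL and no earlier condition matched. Please confirm that a defined return follows the chain, or keep a closing `else` that returns explicitly.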
diff -Nru 
pacemaker-2.0.1/debian/patches/from-upstream/Log-libcrmcluster-improve-CPG-membership-messages.patch
 
pacemaker-2.0.1/debian/patches/from-upstream/Log-libcrmcluster-improve-CPG-membership-messages.patch
--- 
pacemaker-2.0.1/debian/patches/from-upstream/Log-libcrmcluster-improve-CPG-membership-messages.patch
1970-01-01 01:00:00.0 +0100
+++ 
pacemaker-2.0.1/debian/patches/from-upstream/Log-libcrmcluster-improve-CPG-membership-messages.patch
2019-06-02 13:49:43.0 +0200
@@ -0,0 +1,182 @@
+From: Ken Gaillot 
+Date: Fri, 12 Apr 2019 09:46:51 -0500
+Subject: Log: libcrmcluster: improve CPG membership messages
+
+Show CPG event reason when provided by corosync, make messages more readable,
+upgrade duplicate pid messages to warnings (and log only one message in those
+cases).
+---
+ lib/cluster/cpg.c | 91 ++-
+ 1 file changed, 56 insertions(+), 35 deletions(-)
+
+diff --git a/lib/cluster/cpg.c b/lib/cluster/cpg.c
+index 2898c51..ef6fa36 100644
+--- a/lib/cluster/cpg.c
 b/lib/cluster/cpg.c
+@@ -360,8 +360,6 @@ pcmk_message_common_cs(cpg_handle_t handle, uint32_t 
nodeid, uint32_t pid, void
+ return NULL;
+ }
+ 
+-#define PEER_NAME(peer) ((peer)? ((peer)->uname? (peer)->uname : "") 
: "")
+-
+ static int cmp_member_list_nodeid(const void *first,
+   const void *second)
+ {
+@@ -376,6 +374,32 @@ static int cmp_member_list_nodeid(const void *first,
+ return 0;
+ }
+ 
++static const char *
++cpgreason2str(cpg_reason_t reason)
++{
++switch (reason) {
++case CPG_REASON_JOIN:   return " via cpg_join";
++case CPG_REASON_LEAVE:  return " via cpg_leave";
++case CPG_REASON_NODEDOWN:   return " via cluster exit";
++case CPG_REASON_NODEUP: return " via cluster join";
++case CPG_REASON_PROCDOWN:   return " for unknown reason";
++default:break;
++}
++return "";
++}
++
++static inline const char *
++peer_name(crm_node_t *peer)
++{
++if (peer == NULL) {
++return "unknown node";
++} else if (peer->uname == NULL) {
++return "peer node";
++} else {
++return peer->uname;
++}
++}
++
+ v
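Review bot: cpgreason2str maps CPG_REASON_PROCDOWN to " for unknown reason", which reads as if the reason were missing rather than a process-down event, while genuinely unrecognized values fall through to the empty string; a more specific text for PROCDOWN would make the log easier to act on. peer_name does not modify its argument, so it could take `const crm_node_t *`.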

Bug#928644: unblock: libqb/1.0.5-1

2019-05-08 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libqb

Dear Release Team,

The 1.0.4 upstream security release of libqb introduced regressions,
which were fixed in 1.0.4-2 by the addition of some quilt patches.
These patches were upstreamed and released as 1.0.5.  So the 1.0.5-1
version currently in unstable has no actual code changes, the patched
tree is identical to that of 1.0.4-2, except for the man page timestamps
(these files are rebuilt anyway), the version number and a punctuation
fix in the documentation (which also went upstream after 1.0.5).

The following debdiff is therefore not very insightful:

diff -Nru libqb-1.0.4/ChangeLog libqb-1.0.5/ChangeLog
--- libqb-1.0.4/ChangeLog   2019-04-12 10:30:53.0 +0200
+++ libqb-1.0.5/ChangeLog   2019-04-25 10:30:00.0 +0200
@@ -1,3 +1,35 @@
+2019-04-25  Christine Caulfield  
+
+   version: bump soname for 1.0.5 release
+
+2019-04-23  Ferenc Wágner  
+
+   Let remote_tempdir() assume a NUL-terminated name
+   This is the case already.  We also fix a buffer overflow opportunity in
+   the memcpy() call by this change.
+
+   Make it impossible to truncate or overflow the connection description
+   It's hard to predict the length of formatted output, so we'd better
+   notice (and abort) if the description is truncated.  Incidentally,
+   mkdtemp() does this for us in the shared memory branch, but do an
+   explicit check there as well for consistency, and get rid of the wrongly
+   parametrized strncat() risking a buffer overflow (CONNECTION_DESCRIPTION
+   is not the length of the source "/qb").
+   Similar truncation checks should be added to qb_ipcs_{shm,us}_connect()
+   where they build the request/response names, and possibly to other
+   places using snprintf().
+
+   Allow group access to the IPC directory
+   And don't abort if we aren't permitted to chown() it.  The client might
+   still have the privileges to enter it.
+
+   Errors are represented as negative values
+
+   Fix garbled Doxygen markup
+   Part of d0ec0a6 on the master branch: fix the unreadable docstring.
+
+   Fix spelling: plaform -> platform
+
 2019-04-12  Christine Caulfield  
 
version: update version-info for 1.0.4 release
diff -Nru libqb-1.0.4/configure libqb-1.0.5/configure
--- libqb-1.0.4/configure   2019-04-12 10:30:39.0 +0200
+++ libqb-1.0.5/configure   2019-04-25 10:29:47.0 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for libqb 1.0.4.
+# Generated by GNU Autoconf 2.69 for libqb 1.0.5.
 #
 # Report bugs to .
 #
@@ -590,8 +590,8 @@
 # Identity of this package.
 PACKAGE_NAME='libqb'
 PACKAGE_TARNAME='libqb'
-PACKAGE_VERSION='1.0.4'
-PACKAGE_STRING='libqb 1.0.4'
+PACKAGE_VERSION='1.0.5'
+PACKAGE_STRING='libqb 1.0.5'
 PACKAGE_BUGREPORT='develop...@clusterlabs.org'
 PACKAGE_URL=''
 
@@ -1407,7 +1407,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures libqb 1.0.4 to adapt to many kinds of systems.
+\`configure' configures libqb 1.0.5 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1477,7 +1477,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
- short | recursive ) echo "Configuration of libqb 1.0.4:";;
+ short | recursive ) echo "Configuration of libqb 1.0.5:";;
esac
   cat <<\_ACEOF
 
@@ -1611,7 +1611,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-libqb configure 1.0.4
+libqb configure 1.0.5
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2388,7 +2388,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by libqb $as_me 1.0.4, which was
+It was created by libqb $as_me 1.0.5, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4569,7 +4569,7 @@
 
 # Define the identity of the package.
  PACKAGE='libqb'
- VERSION='1.0.4'
+ VERSION='1.0.5'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -21860,7 +21860,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by libqb $as_me 1.0.4, which was
+This file was extended by libqb $as_me 1.0.5, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -21930,7 +21930,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed '

Bug#926346: unblock: kronosnet/1.8-2

2019-04-03 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package kronosnet

Dear Release Team,

The buildd setup got me again: the upload you kindly unblocked in
#926246 failed to build on all release architectures, because the
official buildds have module loading disabled, thus lack SCTP support,
and the changes introduced a new unit test which wasn't protected from
this yet.  I already uploaded a new revision 1.8-2 which adds a patch to
skip this new test if the SCTP protocol is not supported.  (The same
tests succeed on debci all right, BTW.)  I've blacklisted the sctp
module on my test machine to catch this problem next time.  For now,
please unblock 1.8-2; I provide the incremental debdiff below for ease
of review.

Thanks,
Feri.

diff -Nru kronosnet-1.8/debian/changelog kronosnet-1.8/debian/changelog
--- kronosnet-1.8/debian/changelog  2019-04-01 23:59:14.0 +0200
+++ kronosnet-1.8/debian/changelog  2019-04-03 10:33:30.0 +0200
@@ -1,3 +1,10 @@
+kronosnet (1.8-2) unstable; urgency=medium
+
+  * [b6a2cdc] New patch: send test: skip the SCTP test if SCTP is not supported
+by the kernel
+
+ -- Ferenc Wágner   Wed, 03 Apr 2019 10:33:30 +0200
+
 kronosnet (1.8-1) unstable; urgency=medium
 
   * [ff7beff] New upstream release (1.8)
diff -Nru 
kronosnet-1.8/debian/patches/send-test-skip-the-SCTP-test-if-SCTP-is-not-supported-by-.patch
 
kronosnet-1.8/debian/patches/send-test-skip-the-SCTP-test-if-SCTP-is-not-supported-by-.patch
--- 
kronosnet-1.8/debian/patches/send-test-skip-the-SCTP-test-if-SCTP-is-not-supported-by-.patch
1970-01-01 01:00:00.0 +0100
+++ 
kronosnet-1.8/debian/patches/send-test-skip-the-SCTP-test-if-SCTP-is-not-supported-by-.patch
2019-04-03 10:33:22.0 +0200
@@ -0,0 +1,28 @@
+From: =?utf-8?q?Ferenc_W=C3=A1gner?= 
+Date: Wed, 3 Apr 2019 10:26:11 +0200
+Subject: send test: skip the SCTP test if SCTP is not supported by the kernel
+
+For example, module loading is disabled on Debian build daemons.
+---
+ libknet/tests/api_knet_send.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libknet/tests/api_knet_send.c b/libknet/tests/api_knet_send.c
+index f241201..1c55db1 100644
+--- a/libknet/tests/api_knet_send.c
 b/libknet/tests/api_knet_send.c
+@@ -173,12 +173,13 @@ static void test(uint8_t transport)
+   }
+ 
+   if (knet_link_set_config(knet_h, 1, 0, transport, , , 0) < 0) {
++  int exit_status = transport == KNET_TRANSPORT_SCTP && errno == 
EPROTONOSUPPORT ? SKIP : FAIL;
+   printf("Unable to configure link: %s\n", strerror(errno));
+   knet_host_remove(knet_h, 1);
+   knet_handle_free(knet_h);
+   flush_logs(logfds[0], stdout);
+   close_logpipes(logfds);
+-  exit(FAIL);
++  exit(exit_status);
+   }
+ 
+   if (knet_link_set_enable(knet_h, 1, 0, 1) < 0) {
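Review bot: the skip decision on the added exit_status line is visible only in the exit code. The printf that follows still reports "Unable to configure link" when SCTP is unsupported, so a test log cannot tell a skip from a real failure; print a distinct message when exit_status is SKIP. Reading errno into exit_status before the printf and the cleanup calls is the right order, since those calls may overwrite it. Parentheses around the `transport == KNET_TRANSPORT_SCTP && errno == EPROTONOSUPPORT` condition would make the ternary easier to read.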
diff -Nru kronosnet-1.8/debian/patches/series 
kronosnet-1.8/debian/patches/series
--- kronosnet-1.8/debian/patches/series 1970-01-01 01:00:00.0 +0100
+++ kronosnet-1.8/debian/patches/series 2019-04-03 10:33:22.0 +0200
@@ -0,0 +1 @@
+send-test-skip-the-SCTP-test-if-SCTP-is-not-supported-by-.patch

unblock kronosnet/1.8-2


Bug#926203: unblock: pacemaker/2.0.1-2

2019-04-01 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package pacemaker

Dear Release Team,

As reported in #925354, the newly reintroduced pacemaker-dev package
missed Breaks+Replaces against some long-obsolete packages from wheezy,
leading to file conflicts in certain situations.  The version already in
unstable fixes this bug, please unblock it.

Thanks,
Feri.

diff -Nru pacemaker-2.0.1/debian/changelog pacemaker-2.0.1/debian/changelog
--- pacemaker-2.0.1/debian/changelog2019-03-04 21:34:46.0 +0100
+++ pacemaker-2.0.1/debian/changelog2019-04-01 13:39:28.0 +0200
@@ -1,3 +1,19 @@
+pacemaker (2.0.1-2) unstable; urgency=medium
+
+  * [d8939cc] Avoid file conflicts with leftover packages from wheezy.
+Pacemaker-dev in wheezy was a metapackage pulling in several -dev
+packages.  It is removed during the jessie dist-upgrade due to
+dependency problems, and jessie does not have pacemaker at all, so these
+obsolete -dev packages are left behind, unless replaced by the
+renamed -dev packages from jessie-backports or later from stretch, both
+of which requires manual action.  Lacking that, a manual install of the
+reintroduced pacemaker-dev from buster will try to overwrite headers
+from those obsolete -dev packages causing file conflicts, because the
+old Breaks+Replaces relations weren't carried over from the stretch
+packages. (Closes: #925354)
+
+ -- Ferenc Wágner   Mon, 01 Apr 2019 13:39:28 +0200
+
 pacemaker (2.0.1-1) unstable; urgency=medium
 
   * [7d6ff2e] New upstream release (2.0.1)
diff -Nru pacemaker-2.0.1/debian/control pacemaker-2.0.1/debian/control
--- pacemaker-2.0.1/debian/control  2019-03-04 21:30:38.0 +0100
+++ pacemaker-2.0.1/debian/control  2019-03-29 09:06:28.0 +0100
@@ -332,6 +332,10 @@
  liblrmd-dev (<< 2),
  libpengine-dev (<< 2),
  libstonithd-dev (<< 2),
+# header ghosts from wheezy, where pacemaker-dev used to exist:
+ libcrmcluster1-dev,
+ libcrmcommon2-dev,
+ libpengine3-dev,
 Replaces:
  libcib-dev (<< 2),
  libcrmcluster-dev (<< 2),
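Review bot: the three added Breaks entries are unversioned while every neighbouring entry carries `(<< 2)`, and the comment says where the names come from but not why no version bound is needed. Extend the comment to state that, and confirm the list covers every wheezy -dev package whose headers pacemaker-dev now ships, since the changelog entry speaks of "several" such packages and only three are named here.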
@@ -340,6 +344,10 @@
  liblrmd-dev (<< 2),
  libpengine-dev (<< 2),
  libstonithd-dev (<< 2),
+# header ghosts from wheezy, where pacemaker-dev used to exist:
+ libcrmcluster1-dev,
+ libcrmcommon2-dev,
+ libpengine3-dev,
 Description: cluster resource manager development
  ${S:X-Common-Description}
  .
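Review bot: this Replaces block repeats the same three names as the Breaks block, so the two lists have to be kept in step by hand; an edit to one that misses the other leaves either a file conflict or a stale relation. Say in the comment that both lists must match.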

unblock pacemaker/2.0.1-2


Bug#926162: unblock: opensaml/3.0.1-1

2019-04-01 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package opensaml

Dear Release Team,

To fix their latest security bug, Shibboleth upstream made a coordinated
patch release of the full stack, as usual.  You already unblocked the
critical part of this (xmltooling and shibboleth-sp) and they even
reached testing, so we're good.  OpenSAML, the middle component also
gained a small patch, and I'm asking you about that now.  It isn't
critical at all, just a tuning down of a handful of error messages to
warn level.  As upstream put it: "The goal of those changes was to reach
a state in which any ERROR in the log requires a necessary operational
response." I think eliminating this deviation would improve the
administration experience and the upstream support opportunities for the
users of buster, thus I ask you to consider accepting it.

The debdiff below does not convey properly how small this change really
is, because the current 3.0.0-2 package carries a forward ported
upstream patch CPPOST-110-Rebenchmark-tests-with-SHA256-disgest.patch,
which was released with 3.0.1 and thus removed from the Debian patch
queue.  So the biggest part of this diff does not appear if you compare
the patched trees.

The result of dh_auto_test was ignored in 3.0.0-1 waiting for the above
patch, and that should have already been reverted in 3.0.0-2, because
all tests succeed again with the patch (I checked the buildd logs
manually now).  So they're safe to reenable and have no effect on the
binary packages.

Finally, the path change in HTTPMetadataProvider.xml fixes a unit test
which requires network access and is skipped during the package build
anyway.  (But also succeeds after the necessary URL configuration now.)

If you're fine with this, I'm ready to upload opensaml/3.0.1-1 to
unstable.

Thanks,
Feri.

diff -Nru opensaml-3.0.0/configure opensaml-3.0.1/configure
--- opensaml-3.0.0/configure2018-07-10 03:09:31.0 +0200
+++ opensaml-3.0.1/configure2019-03-08 16:01:45.0 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for opensaml 3.0.0.
+# Generated by GNU Autoconf 2.69 for opensaml 3.0.1.
 #
 # Report bugs to .
 #
@@ -590,8 +590,8 @@
 # Identity of this package.
 PACKAGE_NAME='opensaml'
 PACKAGE_TARNAME='opensaml'
-PACKAGE_VERSION='3.0.0'
-PACKAGE_STRING='opensaml 3.0.0'
+PACKAGE_VERSION='3.0.1'
+PACKAGE_STRING='opensaml 3.0.1'
 PACKAGE_BUGREPORT='https://issues.shibboleth.net/'
 PACKAGE_URL=''
 
@@ -1430,7 +1430,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures opensaml 3.0.0 to adapt to many kinds of systems.
+\`configure' configures opensaml 3.0.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1500,7 +1500,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
- short | recursive ) echo "Configuration of opensaml 3.0.0:";;
+ short | recursive ) echo "Configuration of opensaml 3.0.1:";;
esac
   cat <<\_ACEOF
 
@@ -1658,7 +1658,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-opensaml configure 3.0.0
+opensaml configure 3.0.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2202,7 +2202,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by opensaml $as_me 3.0.0, which was
+It was created by opensaml $as_me 3.0.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3067,7 +3067,7 @@
 
 # Define the identity of the package.
  PACKAGE='opensaml'
- VERSION='3.0.0'
+ VERSION='3.0.1'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -21436,7 +21436,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by opensaml $as_me 3.0.0, which was
+This file was extended by opensaml $as_me 3.0.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -21502,7 +21502,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-opensaml config.status 3.0.0
+opensaml config.status 3.0.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru opensaml-3.0.0/configure.ac opensaml-3.0.1/configure.ac
--- opensaml-3.0.0/configure.ac 2018-07-10 03:09:09.0 +0200
+++ opensaml-3.0.1/configure.ac 2019-02-21 21:05:56.0 +0100
@@ -1,5 +1,5 @@
 AC_PREREQ([2.50])
-AC_INIT([opensaml],[3.0.0],[https://issues.shibboleth.net/],[opensaml])

Bug#924748: unblock: shibboleth-sp/3.0.4+dfsg1-1

2019-03-16 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package shibboleth-sp

Dear Release Team,

When upstream fixed #924346 in xmltooling, they also fixed the same
problem (uncaught parser exceptions) in shibboleth-sp to prevent DoS
crashes that haven't been identified yet.  The fixes were published
together in new patch-level upstream releases for the whole Shibboleth
Service Provider stack: xmltooling, opensaml and shibboleth-sp.  Beyond
the DoS prevention, shibboleth-sp 3.0.4 consists of three other bugfixes:
* incorrect C++ code usage pattern invoking undefined behavior via
  boost::bind (https://issues.shibboleth.net/jira/browse/SSPCPP-847,
  already mentioned in unblock request #924577);
* certain web applications provoking unbounded cookie data growth
  (https://issues.shibboleth.net/jira/browse/SSPCPP-851); and
* documented configuration settings being ignored in some contexts
  (https://issues.shibboleth.net/jira/browse/SSPCPP-848).
This last one can be worked around by verbosely expanding the affected
configuration constructs, so it can be considered a minor issue.  But
the other three are major or potentially serious, so I ask for your
permission to upload 3.0.4+dfsg1-1 to unstable with a future unblock.

Thanks,
Feri.

diff -Nru shibboleth-sp-3.0.3+dfsg1/configure 
shibboleth-sp-3.0.4+dfsg1/configure
--- shibboleth-sp-3.0.3+dfsg1/configure 2018-12-12 20:16:00.0 +0100
+++ shibboleth-sp-3.0.4+dfsg1/configure 2019-03-08 16:15:39.0 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for shibboleth 3.0.3.
+# Generated by GNU Autoconf 2.69 for shibboleth 3.0.4.
 #
 # Report bugs to .
 #
@@ -590,8 +590,8 @@
 # Identity of this package.
 PACKAGE_NAME='shibboleth'
 PACKAGE_TARNAME='shibboleth-sp'
-PACKAGE_VERSION='3.0.3'
-PACKAGE_STRING='shibboleth 3.0.3'
+PACKAGE_VERSION='3.0.4'
+PACKAGE_STRING='shibboleth 3.0.4'
 PACKAGE_BUGREPORT='https://issues.shibboleth.net/'
 PACKAGE_URL=''
 
@@ -1522,7 +1522,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures shibboleth 3.0.3 to adapt to many kinds of systems.
+\`configure' configures shibboleth 3.0.4 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1592,7 +1592,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
- short | recursive ) echo "Configuration of shibboleth 3.0.3:";;
+ short | recursive ) echo "Configuration of shibboleth 3.0.4:";;
esac
   cat <<\_ACEOF
 
@@ -1792,7 +1792,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-shibboleth configure 3.0.3
+shibboleth configure 3.0.4
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2670,7 +2670,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by shibboleth $as_me 3.0.3, which was
+It was created by shibboleth $as_me 3.0.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3535,7 +3535,7 @@
 
 # Define the identity of the package.
  PACKAGE='shibboleth-sp'
- VERSION='3.0.3'
+ VERSION='3.0.4'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -24198,7 +24198,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by shibboleth $as_me 3.0.3, which was
+This file was extended by shibboleth $as_me 3.0.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -24264,7 +24264,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/&/g'`"
 ac_cs_version="\\
-shibboleth config.status 3.0.3
+shibboleth config.status 3.0.4
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru shibboleth-sp-3.0.3+dfsg1/configure.ac 
shibboleth-sp-3.0.4+dfsg1/configure.ac
--- shibboleth-sp-3.0.3+dfsg1/configure.ac  2018-10-12 20:06:42.0 
+0200
+++ shibboleth-sp-3.0.4+dfsg1/configure.ac  2019-03-08 16:09:43.0 
+0100
@@ -1,5 +1,5 @@
 AC_PREREQ([2.50])
-AC_INIT([shibboleth],[3.0.3],[https://issues.shibboleth.net/],[shibboleth-sp])
+AC_INIT([shibboleth],[3.0.4],[https://issues.shibboleth.net/],[shibboleth-sp])
 AC_CONFIG_SRCDIR(shibsp)
 AC_CONFIG_AUX_DIR(build-aux)
 AC_CONFIG_MACRO_DIR(m4)
diff -Nru shibboleth-sp-3.0.3+dfsg1/config_win32.h 
shibboleth-sp-3.0.4+dfsg1/config_win32.h
--- shibboleth-sp-3.0.3+dfsg1/config_win32.h2018-10-12 20:06:42.0 
+0200
+++ shibboleth-sp-3.0.4+dfsg1/config_win32.h2019-03-08 16:09:43.0 
+0100
@@ -121,13 

Bug#924577: unblock: xmltooling/3.0.4-1

2019-03-14 Thread Ferenc Wágner
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "xmltooling"
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "3.0.3"
+#define PACKAGE_VERSION "3.0.4"
 
 /* Define to the necessary symbol if this constant uses a non-standard name on
your system. */
@@ -125,7 +125,7 @@
 /* #undef TM_IN_SYS_TIME */
 
 /* Version number of package */
-#define VERSION "3.0.3"
+#define VERSION "3.0.4"
 
 /* Define if you wish to disable XML-Security-dependent features. */
 /* #undef XMLTOOLING_NO_XMLSEC */
diff -Nru xmltooling-3.0.3/debian/changelog xmltooling-3.0.4/debian/changelog
--- xmltooling-3.0.3/debian/changelog   2018-12-24 10:51:09.0 +0100
+++ xmltooling-3.0.4/debian/changelog   2019-03-14 14:58:36.0 +0100
@@ -1,3 +1,22 @@
+xmltooling (3.0.4-1) unstable; urgency=high
+
+  * [f185b26] New upstream security release: 3.0.4
+DSA-4407-1, CVE-2019-9628: uncaught exception on malformed XML
+declaration.
+Invalid data in the XML declaration causes an exception of a type
+that was not handled properly in the parser class and propagates an
+unexpected exception type.
+This generally manifests as a crash in the calling code, which in the
+Service Provider software's case is usually the shibd daemon process,
+but can be Apache in some cases. Note that the crash occurs prior to
+evaluation of a message's authenticity, so can be exploited by an
+untrusted attacker.
+https://shibboleth.net/community/advisories/secadv_20190311.txt
+https://issues.shibboleth.net/jira/browse/CPPXT-143
+Thanks to Scott Cantor (Closes: #924346)
+
+ -- Ferenc Wágner   Thu, 14 Mar 2019 14:58:36 +0100
+
 xmltooling (3.0.3-1) unstable; urgency=medium
 
   [ Ferenc Wágner ]
diff -Nru xmltooling-3.0.3/xmltooling/Makefile.am 
xmltooling-3.0.4/xmltooling/Makefile.am
--- xmltooling-3.0.3/xmltooling/Makefile.am 2018-11-09 16:42:30.0 
+0100
+++ xmltooling-3.0.4/xmltooling/Makefile.am 2019-03-08 15:44:44.0 
+0100
@@ -229,7 +229,7 @@
$(PTHREAD_LIBS) \
$(dlopen_LIBS)
 
-AM_LDFLAGS = -version-info 8:3:0
+AM_LDFLAGS = -version-info 8:4:0
 
 libxmltooling_lite_la_SOURCES = \
${common_sources}
diff -Nru xmltooling-3.0.3/xmltooling/Makefile.in 
xmltooling-3.0.4/xmltooling/Makefile.in
--- xmltooling-3.0.3/xmltooling/Makefile.in 2018-11-09 16:42:35.0 
+0100
+++ xmltooling-3.0.4/xmltooling/Makefile.in 2019-03-08 15:45:41.0 
+0100
@@ -913,7 +913,7 @@
$(PTHREAD_LIBS) \
$(dlopen_LIBS)
 
-AM_LDFLAGS = -version-info 8:3:0
+AM_LDFLAGS = -version-info 8:4:0
 libxmltooling_lite_la_SOURCES = \
${common_sources}
 
diff -Nru xmltooling-3.0.3/xmltooling/soap/impl/CURLSOAPTransport.cpp 
xmltooling-3.0.4/xmltooling/soap/impl/CURLSOAPTransport.cpp
--- xmltooling-3.0.3/xmltooling/soap/impl/CURLSOAPTransport.cpp 2018-10-12 
19:33:58.0 +0200
+++ xmltooling-3.0.4/xmltooling/soap/impl/CURLSOAPTransport.cpp 2019-03-08 
15:44:44.0 +0100
@@ -90,7 +90,8 @@
 curl_easy_setopt(m_handle,CURLOPT_USERPWD,0);
 curl_easy_setopt(m_handle,CURLOPT_SSL_VERIFYHOST,2);
 curl_easy_setopt(m_handle,CURLOPT_HEADERDATA,this);
-m_headers=curl_slist_append(m_headers,"Content-Type: text/xml");
+m_headers = curl_slist_append(m_headers, "Content-Type: text/xml");
+m_headers = curl_slist_append(m_headers, "Expect:");
 }
 
 virtual ~CURLSOAPTransport() {
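Review bot: both appends assign the return value of curl_slist_append straight back to m_headers, and that function returns NULL on failure, so a failed append of "Expect:" would discard (and leak) the list that already holds Content-Type. Append into a temporary and update m_headers only when the result is non-NULL. The empty "Expect:" header also changes request behaviour and is not explained in the debian/changelog entry, which describes only CVE-2019-9628; a one-line comment here saying why the header is suppressed would help.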
diff -Nru xmltooling-3.0.3/xmltooling/util/CurlURLInputStream.cpp 
xmltooling-3.0.4/xmltooling/util/CurlURLInputStream.cpp
--- xmltooling-3.0.3/xmltooling/util/CurlURLInputStream.cpp 2018-07-10 
03:00:14.0 +0200
+++ xmltooling-3.0.4/xmltooling/util/CurlURLInputStream.cpp 2019-03-08 
15:44:44.0 +0100
@@ -305,6 +305,8 @@
 " libcurl/" + LIBCURL_VERSION + ' ' + OPENSSL_VERSION_TEXT;
 fHeaders = curl_slist_append(fHeaders, ua.c_str());
 
+fHeaders = curl_slist_append(fHeaders, "Expect:");
+
 // Add User-Agent and cache headers.
 curl_easy_setopt(fEasy, CURLOPT_HTTPHEADER, fHeaders);
 
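Review bot: the added "Expect:" append sits above the existing comment "// Add User-Agent and cache headers.", which now describes only part of what fHeaders carries. Add a short comment on the new line stating that it suppresses the Expect header and why. Like the ua append two lines above it, the result is assigned back to fHeaders without a NULL check.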
diff -Nru xmltooling-3.0.3/xmltooling/util/ParserPool.cpp 
xmltooling-3.0.4/xmltooling/util/ParserPool.cpp
--- xmltooling-3.0.3/xmltooling/util/ParserPool.cpp 2018-07-10 
03:00:14.0 +0200
+++ xmltooling-3.0.4/xmltooling/util/ParserPool.cpp 2019-03-08 
15:44:44.0 +0100
@@ -148,14 +148,28 @@
 checkinBuilder(janitor.release());
 return doc;
 }
-catch (XMLException& ex) {
+catch (const DOMException& ex) {
+parser->getDomConfig()->setParameter(XMLUni::fgDOMErrorHandler, 
(void*)nullptr);
+
parser->getDomConfig()->setParameter(XMLUni::fgXercesUserAdoptsDOMDocument, 
true);
+checkinBuilder(janitor.release());
+auto_ptr_char temp(e

Bug#923740: unblock: pacemaker/2.0.1-1

2019-03-04 Thread Ferenc Wágner
on of logs, CIB directory, and processes
   + tools: crm_verify returns reliable exit codes
-  + tools: crm_simulate simulated resource history uses same name as live 
cluster would
+  + tools: crm_simulate resource history uses same name as live cluster would
+
 
 * Fri Jul 6 2018 Ken Gaillot  Pacemaker-2.0.0-1
 - Changesets: 885
diff -Nru pacemaker-2.0.1~rc5/configure.ac pacemaker-2.0.1/configure.ac
--- pacemaker-2.0.1~rc5/configure.ac2019-02-25 22:35:40.0 +0100
+++ pacemaker-2.0.1/configure.ac2019-03-04 20:55:07.0 +0100
@@ -1075,7 +1075,7 @@
 AC_PATH_PROGS(GIT, git false)
 AC_MSG_CHECKING(build version)
 
-BUILD_VERSION=22ee9a769e
+BUILD_VERSION=9e909a5bdd
 if test $BUILD_VERSION != ":%h$"; then
 AC_MSG_RESULT(archive hash: $BUILD_VERSION)
 elif test -x $GIT -a -d .git; then
diff -Nru pacemaker-2.0.1~rc5/debian/changelog pacemaker-2.0.1/debian/changelog
--- pacemaker-2.0.1~rc5/debian/changelog2019-02-26 09:52:21.0 
+0100
+++ pacemaker-2.0.1/debian/changelog2019-03-04 21:34:46.0 +0100
@@ -1,3 +1,9 @@
+pacemaker (2.0.1-1) unstable; urgency=medium
+
+  * [7d6ff2e] New upstream release (2.0.1)
+
+ -- Ferenc Wágner   Mon, 04 Mar 2019 21:34:46 +0100
+
 pacemaker (2.0.1~rc5-1) unstable; urgency=medium
 
   * [79e9089] Drop duplicate external library linkages
diff -Nru pacemaker-2.0.1~rc5/doc/Pacemaker_Development/en-US/Ch-Coding.txt 
pacemaker-2.0.1/doc/Pacemaker_Development/en-US/Ch-Coding.txt
--- pacemaker-2.0.1~rc5/doc/Pacemaker_Development/en-US/Ch-Coding.txt   
2019-02-25 22:35:40.0 +0100
+++ pacemaker-2.0.1/doc/Pacemaker_Development/en-US/Ch-Coding.txt   
2019-03-04 20:55:07.0 +0100
@@ -243,7 +243,7 @@
 should be documented with Doxygen comment blocks, as Pacemaker's
 http://clusterlabs.org/pacemaker/doxygen/[online API documentation]
 is automatically generated via Doxygen. It is helpful to document
-private symols in the same way, with an +\internal+ tag in the
+private symbols in the same way, with an +\internal+ tag in the
 Doxygen comment.
 
 === Symbol Naming ===
diff -Nru 
pacemaker-2.0.1~rc5/doc/Pacemaker_Explained/en-US/Ch-Multi-site-Clusters.txt 
pacemaker-2.0.1/doc/Pacemaker_Explained/en-US/Ch-Multi-site-Clusters.txt
--- 
pacemaker-2.0.1~rc5/doc/Pacemaker_Explained/en-US/Ch-Multi-site-Clusters.txt
2019-02-25 22:35:40.0 +0100
+++ pacemaker-2.0.1/doc/Pacemaker_Explained/en-US/Ch-Multi-site-Clusters.txt
2019-03-04 20:55:07.0 +0100
@@ -208,7 +208,7 @@
 
 
 These commands will actually just print a message telling the user that they
-requre '--force'. That is probably a good exercise rather than letting novice
+require '--force'. That is probably a good exercise rather than letting novice
 users cut and paste '--force' here.
 
 
diff -Nru pacemaker-2.0.1~rc5/doc/Pacemaker_Explained/en-US/Ch-Resources.txt 
pacemaker-2.0.1/doc/Pacemaker_Explained/en-US/Ch-Resources.txt
--- pacemaker-2.0.1~rc5/doc/Pacemaker_Explained/en-US/Ch-Resources.txt  
2019-02-25 22:35:40.0 +0100
+++ pacemaker-2.0.1/doc/Pacemaker_Explained/en-US/Ch-Resources.txt  
2019-03-04 20:55:07.0 +0100
@@ -685,7 +685,7 @@
  indexterm:[Action,Property,enabled]
 
 |record-pending
-|FALSE
+|TRUE
 |If +true+, the intention to perform the operation is recorded so that
  GUIs and CLI tools can indicate that an operation is in progress.
  This is best set as an _operation default_ (see <>).
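Review bot: the documented default for record-pending flips from FALSE to TRUE here, but nothing in the visible part of this diff shows the corresponding code default. Point to the commit that changed the behaviour, or confirm this is a documentation correction, so the table cannot drift from what the cluster actually does.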
diff -Nru pacemaker-2.0.1~rc5/include/crm/cib/util.h 
pacemaker-2.0.1/include/crm/cib/util.h
--- pacemaker-2.0.1~rc5/include/crm/cib/util.h  2019-02-25 22:35:40.0 
+0100
+++ pacemaker-2.0.1/include/crm/cib/util.h  2019-03-04 20:55:07.0 
+0100
@@ -1,23 +1,17 @@
-/* 
- * Copyright (C) 2004 Andrew Beekhof 
- * 
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2 of the License, or (at your option) any later version.
- * 
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+/*
+ * Copyright 2004-2019 Andrew Beekhof 
+ *
+ * This source code is licensed under the GNU Lesser General Public License
+ * version 2.1 or later (LGPLv2.1+) WITHOUT ANY WARRANTY.
  */
+
 #ifndef CIB_UTIL__H
 #  define CIB_UTIL__H
 
+#include// gboolean
+#include // cib_t
+#include // xmlNode
+
 #ifdef __cplusplus
 extern "C" {
 #endif
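Review bot: the header rewrite changes the stated licence from "version 2 of the License, or (at your option) any later version" to "version 2.1 or later (LGPLv2.1+)" and extends the copyright years to 2004-2019, so debian/copyright should be checked against the new wording for this file. The three added #include lines make the header self-contained, which is welcome, but they are unrelated to the licence cleanup and would be easier to review as a separate change.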
diff -Nru pacemaker-2.0.1~rc5/include/crm/cib.h 
pacemaker-2.0.1/include/crm/cib.h
--- p

Bug#918677: transition: pacemaker

2019-01-16 Thread Ferenc Wágner
Emilio Pozuelo Monfort  writes:

> On 15/01/2019 17:23, wf...@niif.hu wrote:
> 
>> The uploads are done, but the testing migration of pacemaker and pcs
>> probably deadlocked due to the autopkgtest of the latter.  Unstable pcs
>> needs unstable pacemaker, so they can only go together, which may need
>> manual intervention on your part.
>
> The way this is normally handled is by adding a Breaks on the new pacemaker
> against the broken pcs. That way the autopkgtests are run for the new pcs
> version, and britney migrates the two packages at the same time.

If only we knew in advance...  But there's a new Pacemaker pre-release
I'd like to upload; shall I add that Breaks now or just wait until this
unwrinkles?  I don't know when/if you will intervene or pcs will be
automatically migrated in two days.
-- 
Feri



Bug#918677: transition: pacemaker

2019-01-08 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi Release Team,

We'd like to transition to Pacemaker 2.  The ben file below is mostly
equivalent to that of auto-pacemaker, but misses pacemaker-dev, because
I'm not sure how to handle that.  The current lib*-dev packages are
becoming transitional, depending on pacemaker-dev which is a union of
them.

The dlm package will also need a rebuild, because it dlopens libstonithd
and embeds its SONAME at build time.  Is there a way to represent this
in the tracker?  Anyway, I'm asking upstream for a new release, and will
do a sourceful upload once that happens (latest).  Would adding a
Recommends: libstonithdX let the auto tracker pick up this weak
dependency?

We expect sbd to break with the new Pacemaker libraries, and will handle
this with sourceful uploads.

I don't know of any other dependencies, this should be a very shallow
transition despite all the library packages taking part.  Please let me
know when I can upload Pacemaker 2 to unstable.

Thanks,
Feri.

Ben file:

title = "pacemaker";
is_affected = .depends ~ "libcib4" | .depends ~ "libcrmcluster4" | .depends ~ 
"libcrmcommon3" | .depends ~ "libcrmservice3" | .depends ~ "liblrmd1" | 
.depends ~ "libpe-rules2" | .depends ~ "libpe-status10" | .depends ~ 
"libpengine10" | .depends ~ "libstonithd2" | .depends ~ "libtransitioner2" | 
.depends ~ "libcib27" | .depends ~ "libcrmcluster29" | .depends ~ 
"libcrmcommon34" | .depends ~ "libcrmservice28" | .depends ~ "liblrmd28" | 
.depends ~ "libpe-rules26" | .depends ~ "libpe-status28" | .depends ~ 
"libpengine27" | .depends ~ "libstonithd26" | .depends ~ "libtransitioner25";
is_good = .depends ~ "libcib27" | .depends ~ "libcrmcluster29" | .depends ~ 
"libcrmcommon34" | .depends ~ "libcrmservice28" | .depends ~ "liblrmd28" | 
.depends ~ "libpe-rules26" | .depends ~ "libpe-status28" | .depends ~ 
"libpengine27" | .depends ~ "libstonithd26" | .depends ~ "libtransitioner25";
is_bad = .depends ~ "libcib4" | .depends ~ "libcrmcluster4" | .depends ~ 
"libcrmcommon3" | .depends ~ "libcrmservice3" | .depends ~ "liblrmd1" | 
.depends ~ "libpe-rules2" | .depends ~ "libpe-status10" | .depends ~ 
"libpengine10" | .depends ~ "libstonithd2" | .depends ~ "libtransitioner2";



Bug#918367: nmu: pam-mysql_0.8.0-1

2019-01-05 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu pam-mysql_0.8.1-1 . ANY . unstable . -m "Rebuild against MariaDB 10.3 
(switch to internal implementaion of some dropped symbols)"



Bug#918029: transition: corosync

2019-01-05 Thread Ferenc Wágner
Emilio Pozuelo Monfort  writes:

> On 02/01/2019 15:21, Ferenc Wágner wrote:
>
>> please schedule a rebuild of sheepdog and dlm on all relevant
>> architectures, that should finish it.
>
> Done.

Thanks, the rebuilds went through just fine, I think we can close this
transition.  (I didn't with this message in case you still need to do
some administration.)
-- 
Regards,
Feri



Bug#918029: transition: corosync

2019-01-02 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi,

First of all, I'm sorry for inadvertently starting the Corosync
transition.  It isn't a problematic one, though: please schedule a
rebuild of sheepdog and dlm on all relevant architectures, that should
finish it.

Thanks,
Feri.

Ben file (the auto-corosync tracker looks fine, though):

title = "corosync";
is_affected = .depends ~ "libcfg6" | .depends ~ "libcfg7";
is_good = .depends ~ "libcfg7";
is_bad = .depends ~ "libcfg6";



Bug#888510: stretch-pu: package xmltooling/1.6.0-4

2018-02-28 Thread Ferenc Wágner
Control: tags -1 - moreinfo

"Adam D. Barratt"  writes:

> On Wed, 2018-02-28 at 06:45 +0100, Salvatore Bonaccorso wrote:
>
>> FTR, there was a xmltooling DSA yesterday including the fix. But I
>> guess the basic question remains if xmltooling still can be updated
>> to 1.6.3 (or now 1.6.4 based version?) for stretch.
>
> I was under the impression from the above exchange that Ferenc was
> going to provide a debdiff so we could see exactly what that looked
> like. I guess that now wants to be relative to the security update.

Hi,

I was waiting for the DSA with the followup on this.  I think this issue
is moot now, because 1.6.0-4+deb9u1 actually contains the fix for
CVE-2018-0486 as well, partly because the CVE-2018-0489 fix (which was
the reason for DSA-4126-1) was easier to apply on that.  So the original
basis of this request for a stable update is no more.

In practice the above means that the diff between current stable-
security (1.6.0-4+deb9u1) and current unstable (1.6.4-1) just got
smaller: it's only the version numbers and the Visual C compilation fix.
But I don't think these alone warrant a stable update, however elegant
that would be.

If you agree, I think we can close this issue without further action.
-- 
Regards,
Feri



Bug#888510: stretch-pu: package xmltooling/1.6.0-4

2018-01-26 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

The Security Team advised that CVE-2018-0486 should be fixed by a stable
update, because it isn't exploitable in the stretch version of the
Shibboleth stack, but software outside Debian could still be affected
by the issue.  Stretch currently has version 1.6.0; upstream fixed this
security issue in 1.6.3 (already uploaded to unstable).  Since 1.6.2 was
a revert of most of the changes in 1.6.1, 1.6.3 is effectively
three code changes beyond 1.6.0: the security fix itself:

diff --git a/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp 
b/xmltooling/io/AbstractXMLObjectUnmarshal
ler.cpp
index ae2709e..487348e 100644
--- a/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
+++ b/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp
@@ -206,6 +206,8 @@ void AbstractXMLObjectUnmarshaller::unmarshallContent(const 
DOMElement* domEleme
 else if (childNode->getNodeType() == DOMNode::TEXT_NODE || 
childNode->getNodeType() == DOMNode::CDATA_SECTION_NODE) {
 m_log.debug("processing text content at position (%d)", position);
 setTextContent(childNode->getNodeValue(), position);
+} else if (childNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE 
|| childNode->getNodeType() == DOMNode::ENTITY_NODE) {
+throw UnmarshallingException("Unmarshaller found Entity/Reference 
node.");
 }
 
 childNode = childNode->getNextSibling();
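Review bot: the new branch throws without logging, while the branch above it logs the position of the text node it processes. Include `position` in the UnmarshallingException message, or add an m_log call before the throw, so an operator can see which child triggered the rejection. The added `} else if` also departs from the brace style of the preceding `else if`, which starts on its own line.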

a more general fix for the same issue for Xerces 3.2 (stretch has 3.1):

diff --git a/xmltooling/util/ParserPool.cpp b/xmltooling/util/ParserPool.cpp
index bad84f7..d157074 100644
--- a/xmltooling/util/ParserPool.cpp
+++ b/xmltooling/util/ParserPool.cpp
@@ -418,6 +418,7 @@ DOMLSParser* ParserPool::createBuilder()
 
parser->getDomConfig()->setParameter(XMLUni::fgXercesDisableDefaultEntityResolution,
 true);
 parser->getDomConfig()->setParameter(XMLUni::fgDOMResourceResolver, 
dynamic_cast(this));
 parser->getDomConfig()->setParameter(XMLUni::fgXercesSecurityManager, 
m_security.get());
+parser->getDomConfig()->setParameter(XMLUni::fgDOMDisallowDoctype, true);
 return parser;
 }
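Review bot: the added fgDOMDisallowDoctype line carries no comment, and the covering message says it is the fix for Xerces 3.2 while stretch has 3.1. Record in a comment which Xerces versions this setting is meant for, so that nobody later removes the entity-node check in AbstractXMLObjectUnmarshaller.cpp on the assumption that this line covers every version.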

and an equivalent transformation of ptr_vector<> into vector<shared_ptr<>>
to work around some Visual C++ 15 quirk:

diff --git a/xmltooling/security/AbstractPKIXTrustEngine.h 
b/xmltooling/security/AbstractPKIXTrustEngin
e.h
index 3666fb7..427904d 100644
--- a/xmltooling/security/AbstractPKIXTrustEngine.h
+++ b/xmltooling/security/AbstractPKIXTrustEngine.h
@@ -33,7 +33,8 @@
 
 #include 
 #include 
-#include 
+#include 
+#include 
 
 namespace xmltooling {
 
@@ -66,7 +67,7 @@ namespace xmltooling {
 AbstractPKIXTrustEngine(const xercesc::DOMElement* e=nullptr);
 
 /** Plugins used to perform path validation. */
-boost::ptr_vector m_pathValidators;
+std::vector< boost::shared_ptr > 
m_pathValidators;
 
 /** Controls revocation checking, currently limited to CRLs and 
supports "off", "entityOnly", 
"fullChain". */
 std::string m_checkRevocation;
diff --git a/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp 
b/xmltooling/security/impl/AbstractPK
IXTrustEngine.cpp
index 5554fb9..54ceada 100644
--- a/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
+++ b/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
@@ -50,7 +50,6 @@ using namespace xmlsignature;
 using namespace xmltooling::logging;
 using namespace xmltooling;
 using namespace std;
-using boost::ptr_vector;
 
 namespace xmltooling {
 // Adapter between TrustEngine and PathValidator
@@ -162,7 +161,8 @@ AbstractPKIXTrustEngine::AbstractPKIXTrustEngine(const 
xercesc::DOMElement* e)
 delete pv;
 throw XMLSecurityException("PathValidator doesn't 
support OpenSSL interface.")
;
 }
-m_pathValidators.push_back(ospv);
+boost::shared_ptr ptr(ospv);
+m_pathValidators.push_back(ptr);
 }
 }
 catch (exception& ex) {
@@ -175,11 +175,12 @@ AbstractPKIXTrustEngine::AbstractPKIXTrustEngine(const 
xercesc::DOMElement* e)
 }
 
 if (m_pathValidators.empty()) {
-m_pathValidators.push_back(
+boost::shared_ptr ptr(
 dynamic_cast(
 
XMLToolingConfig::getConfig().PathValidatorManager.newPlugin(PKIX_PATHVALIDATOR,
 e)
 )
 );
+m_pathValidators.push_back(ptr);
 }
 }
 
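Review bot: in the `m_pathValidators.empty()` branch the result of the `dynamic_cast` goes straight into the shared_ptr and is pushed without a null check, unlike the earlier branch, which throws when the plugin does not support the OpenSSL interface. A non-nullable ptr_vector refuses a null `push_back` by throwing, whereas a vector of shared_ptr stores the empty pointer, so a failed cast now surfaces only later when a validator is dereferenced, and the object returned by `newPlugin` is leaked. Check the cast result here and throw the same XMLSecurityException.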
@@ -377,8 +378,8 @@ bool AbstractPKIXTrustEngine::validateWithCRLs(
 auto_ptr 
pkix(getPKIXValidationInfoIterator(credResolver, criteria));
 while (pkix->next()) {
 PKIXParams params(*this, *pkix.get(), inlineCRLs);
-for (ptr_vector::const_iterator v = 
m_pathValidators.begin(); v != m_pat
hValidators.end(); ++v) {
-if 

Bug#881127: transition: xerces-c

2017-11-21 Thread Ferenc Wágner
Emilio Pozuelo Monfort <po...@debian.org> writes:

> On 19/11/17 22:04, Ferenc Wágner wrote:
>
>> On Wed, 15 Nov 2017 20:08:28 + Bill Blough <de...@blough.us> wrote:
>> 
>>> The package has been uploaded to unstable [...]
>> 
>> xmltooling, opensaml2 and shibboleth-sp2 must be rebuilt again in this
>> order to correctly pick up the new xerces library.
>> 
>> Meanwhile I'd like to upload their latest upstream releases, which fix
>> serious security issues in the latter two (#881856 and #881857).  Shall
>> I wait for this transition to complete before the uploads?
>
> No need to wait in this case. Please go ahead.

Thanks, Emilio, all uploaded and mostly went through.  The kbsd buildds
somehow mixed up the build order, so those will need to retry the
opensaml2 and shibboleth-sp2 builds.  The moonshot-gss-eap build
failures seem unrelated.
-- 
Regards,
Feri



Bug#881127: transition: xerces-c

2017-11-19 Thread Ferenc Wágner
On Wed, 15 Nov 2017 20:08:28 + Bill Blough  wrote:

> The package has been uploaded to unstable [...]

Dear Release Team,

xmltooling, opensaml2 and shibboleth-sp2 must be rebuilt again in this
order to correctly pick up the new xerces library.

Meanwhile I'd like to upload their latest upstream releases, which fix
serious security issues in the latter two (#881856 and #881857).  Shall
I wait for this transition to complete before the uploads?
-- 
Thanks,
Feri



Bug#836941: Acknowledgement (nmu: shibboleth-sp2_2.6.0+dfsg1-3)

2016-09-11 Thread Ferenc Wágner
Shall I file a serious bug against libshibsp7 to keep it out of testing
until these binNMUs are scheduled?
-- 
Thanks,
Feri



Bug#836941: nmu: shibboleth-sp2_2.6.0+dfsg1-3

2016-09-07 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hello,

A recently reported bug in shibboleth-sp2 turned out to be two identical
problems in the pkg-config files shipped by xmltooling and opensaml2.
Since it breaks upgrades, I decided to fix this even though it delays
the testing migration for transition #836370.  xmltooling_1.6.0-3 and
opensaml2_2.6.0-4 are already "Installed" on all testing arches; please
rebuild shibboleth-sp2 against these fixed versions.

nmu shibboleth-sp2_2.6.0+dfsg1-3 . ALL . -m "Rebuild against fixed xmltooling (#836898) and opensaml2 (#836921)"

Thanks.



Bug#836370: transition: shibboleth

2016-09-04 Thread Ferenc Wágner
Emilio Pozuelo Monfort <po...@debian.org> writes:

> On 03/09/16 15:58, Ferenc Wágner wrote:
>
>> I'm finished with the uploads.  Xmltooling, opensaml2 and shibboleth-sp2
>> all built on the testing architectures.  Please trigger rebuilds of
>> shibboleth-resolver and moonshot-gss-eap
>
> Scheduled.

Thanks.  They look mostly good on the transition trackers.  The build
logs don't explain the "bad" shibboleth-resolver states on amd64 and
i386 (to me), I hope it's just some transient.

>> (possibly also opensaml2 on powerpcspe, if you handle ports).
>
> That failed to build. A binnmu makes no sense. Perhaps you meant a
> give back? Why do you think that would help?

Yes, the powerpcspe and sh4 builds should be tried again.  They failed
because they somehow overtook the new xmltooling builds and thus met a
pre-C++11 libxmltooling.

Do you think there's anything else to do (but wait for testing
migration) with this transition?  I don't understand why opensaml2 and
shibboleth-sp2 are "partial" on all arches except the hurd, could you
please give me a hint?  It's the first time I look at such tables...
-- 
Thanks,
Feri



Bug#836370: transition: shibboleth

2016-09-03 Thread Ferenc Wágner
I'm finished with the uploads.  Xmltooling, opensaml2 and shibboleth-sp2
all built on the testing architectures.  Please trigger rebuilds of
shibboleth-resolver and moonshot-gss-eap (possibly also opensaml2 on
powerpcspe, if you handle ports).
-- 
Thanks,
Feri



Bug#836370: transition: shibboleth

2016-09-02 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

xmltooling 1.6, opensaml2 2.6 and shibboleth-sp2 2.6 each change their SONAME
in this new version of this software stack.  The new stack is already in
experimental, and the two external depending packages (shibboleth-resolver
and moonshot-gss-eap) build successfully against the new stack without any
source change.  The auto-xmltooling, auto-opensaml2 and auto-shibboleth-sp2
trackers look good, but here's a unified ben file:

title = "shibboleth";
is_affected = .depends ~ "libxmltooling6v5" | .depends ~ "libsaml8v5" | .depends ~ "libshibsp6v5" | .depends ~ "libxmltooling7" | .depends ~ "libsaml9" | .depends ~ "libshibsp7";
is_good = .depends ~ "libxmltooling7" | .depends ~ "libsaml9" | .depends ~ "libshibsp7";
is_bad = .depends ~ "libxmltooling6v5" | .depends ~ "libsaml8v5" | .depends ~ "libshibsp6v5";

These packages will also be part of the openssl transition, but they are
incompatible with OpenSSL-1.1.  Upstream is already working on that on a
separate branch.  This internal SONAME transition, on the other hand, is
very self-contained and should finish before that in my opinion.



Bug#771962: unblock: openldap/2.4.40-3.1

2014-12-03 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please pre-approve upload and unblock of package openldap.

The wheezy version of slapd, if running a partial replica, does not
seamlessly upgrade to the version in jessie (see #614569).  I'd like
to fix this via an NMU (hoping to find a sponsor), if you kindly
approved the following change:

$ debdiff openldap_2.4.40-3.dsc openldap_2.4.40-3.1.dsc
diff -u openldap-2.4.40/debian/changelog openldap-2.4.40/debian/changelog
--- openldap-2.4.40/debian/changelog
+++ openldap-2.4.40/debian/changelog
@@ -1,3 +1,12 @@
+openldap (2.4.40-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Disable schema checking for reloading the dumped data during upgrades,
+to avoid interrupting the upgrade procedure of partial replicas.
+(Closes: #614569).
+
+ -- Ferenc Wágner wf...@niif.hu  Wed, 03 Dec 2014 15:35:44 +0100
+
 openldap (2.4.40-3) unstable; urgency=medium
 
   * Remove trailing spaces from slapd.templates.
diff -u openldap-2.4.40/debian/slapd.scripts-common 
openldap-2.4.40/debian/slapd.scripts-common
--- openldap-2.4.40/debian/slapd.scripts-common
+++ openldap-2.4.40/debian/slapd.scripts-common
@@ -220,8 +220,11 @@
else
slapadd_opts=-g -F ${SLAPD_CONF}
fi
+   # Disable schema checking for the reload of the dumped data.
+   # Otherwise, reloading partial replicas fails, breaking the
+   # upgrade process.
capture_diagnostics slapadd ${slapadd_opts} \
-   -q -b $suffix -l $file || failed=1
+   -q -b $suffix -l $file -s || failed=1
if [ $failed ]; then
rm -f $dbdir/*
echo failed. 2
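Review bot: `-s` is appended to the slapadd call for every reload on this code path, not only when the database is a partial replica, so entries that violate the schema for any other reason are now loaded silently during an upgrade. If the partial-replica case cannot be detected at this point, say so in the new comment above the call, and consider emitting a notice after a successful reload that schema checking was skipped so the administrator knows to verify the data.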

The package is available at
http://mentors.debian.net/package/openldap

The dsc file can be downloaded from
http://mentors.debian.net/debian/pool/main/o/openldap/openldap_2.4.40-3.1.dsc

unblock openldap/2.4.40-3.1
-- 
Thanks,
Feri.


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/20141203212004.5745.64479.report...@lant.ki.iif.hu



Bug#768610: unblock: sblim-wbemcli/1.6.2-9

2014-11-08 Thread Ferenc Wágner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package sblim-wbemcli

This new revision fixes #768203 by declaring Breaks+Replaces
python-pywbem ( 0.8.0~dev650-1~) to seamlessly overwrite
/usr/bin/wbemcli during upgrades.


$ debdiff sblim-wbemcli_1.6.2-8_amd64.changes sblim-wbemcli_1.6.2-9_amd64.changes
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-
-rw-r--r--  root/root   /usr/lib/debug/.build-id/05/625d058b87f61cfbc617e35a456158a39804a0.debug

Files in first .changes but not in second
-
-rw-r--r--  root/root   /usr/lib/debug/.build-id/56/0473fea4d0a8d844784984c15808613d316ff1.debug

Control files of package sblim-wbemcli: lines which differ (wdiff format)
-
{+Breaks: python-pywbem ( 0.8.0~dev650-1~)+}
{+Replaces: python-pywbem ( 0.8.0~dev650-1~)+}
Version: [-1.6.2-8-] {+1.6.2-9+}

Control files of package sblim-wbemcli-dbg: lines which differ (wdiff format)
-
Depends: sblim-wbemcli (= [-1.6.2-8)-] {+1.6.2-9)+}
Version: [-1.6.2-8-] {+1.6.2-9+}


unblock sblim-wbemcli/1.6.2-9

Thanks,
Feri.

