Bug#1036884: Schedule

2024-02-06 Thread Mattias Ellert
Hi!

The earliest of the RC bugs filed for this transition have now been
unresolved long enough to trigger AUTORM threats.

This is unfortunate, since the maintainers can't do anything to fix
them, since they are un-fixable until the required changes to the
default compiler flags are implemented.

In order for threats of removal not to trigger maintainers to blindly
apply the proposed patches and upload to unstable to close the
bugs, you should either start the transition now or downgrade the
severity of the bugs.

Personally I think it would have made more sense to file these bugs
with minor or normal severity (since they are simply informational at
this stage) and then upgrade them to serious when the transition starts
(at which point they become RC).

Do you have an estimate when the uploads to unstable will start?

Mattias





Bug#1033875: nmu: gridsite

2023-04-03 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
Control: affects -1 + src:gridsite

This is a re-request of the gridsite nmu requested in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033347

That request was created March 23 and requested an nmu for
gridsite_3.0.0~20180202git2fdbc6f-3. However the version in unstable at
the time was 3.0.0~20230214gitee81151-1 (accepted in unstable March 2,
migrated to testing March 24).

Since the scheduled nmu was for a version no longer in unstable it
never happened.

The requested nmu was to rebuild on 32 bit architectures due to a bug
in fakeroot that caused some files and directories in the package to
have the wrong group and user. The current version was uploaded March 2
and the fakeroot bug was fixed in fakeroot 1.31-1.1, which was also
uploaded on March 2.

Unfortunately the fakeroot build had not reached the buildroots when
gridsite was built.

An nmu of gridsite 3.0.0~20230214gitee81151-1 is needed on the
following architectures:

armel
armhf
hppa
i386
m68k
mipsel
sh4

Make sure that fakeroot >= 1.31-1.1 is used (current version in
unstable is -1.2).

These nmus should possibly be allowed to go into the upcoming release
as well in order to fix the issue also there.

Mattias Ellert





Bug#1028546: bullseye-pu: package voms-api-java_3.3.2-1+deb11u1

2023-01-12 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

This proposed update fixes a FTBFS in bullseye.
It adds the patches used to fix the same issue in testing and unstable.

debdiff is attached.

Changes:
 voms-api-java (3.3.2-1+deb11u1) bullseye; urgency=medium
 .
   * Disable tests failing with bouncycastle 1.71 (Closes: #1011698)
   * Disable tests that fail due to expired certificates (Closes: #1021551)

Mattias Ellert

diff -Nru voms-api-java-3.3.2/debian/changelog voms-api-java-3.3.2/debian/changelog
--- voms-api-java-3.3.2/debian/changelog	2020-10-14 05:44:33.0 +0200
+++ voms-api-java-3.3.2/debian/changelog	2023-01-12 14:26:32.0 +0100
@@ -1,3 +1,10 @@
+voms-api-java (3.3.2-1+deb11u1) bullseye; urgency=medium
+
+  * Disable tests failing with bouncycastle 1.71 (Closes: #1011698)
+  * Disable tests that fail due to expired certificates (Closes: #1021551)
+
+ -- Mattias Ellert   Thu, 12 Jan 2023 14:26:32 +0100
+
 voms-api-java (3.3.2-1) unstable; urgency=medium
 
   * Update to version 3.3.2 - matches canl-java 2.6.x
diff -Nru voms-api-java-3.3.2/debian/copyright voms-api-java-3.3.2/debian/copyright
--- voms-api-java-3.3.2/debian/copyright	2020-10-14 05:44:33.0 +0200
+++ voms-api-java-3.3.2/debian/copyright	2023-01-12 14:26:32.0 +0100
@@ -19,7 +19,7 @@
 
 Files: debian/*
 Copyright:
- 2012-2020, Mattias Ellert 
+ 2012-2023, Mattias Ellert 
 License: Apache-2.0
 
 License: Apache-2.0
diff -Nru voms-api-java-3.3.2/debian/patches/series voms-api-java-3.3.2/debian/patches/series
--- voms-api-java-3.3.2/debian/patches/series	2020-10-14 05:44:33.0 +0200
+++ voms-api-java-3.3.2/debian/patches/series	2022-12-13 09:42:05.0 +0100
@@ -1,2 +1,13 @@
-# Disable tests using non-local network interface
-voms-api-java-no-local.patch
+# Disable failing tests
+# IllegalState object explicit - implicit expected.
+# https://github.com/italiangrid/voms-api-java/issues/29
+voms-api-java-disable-some-tests.patch
+
+# Disable tests that fail due to expired certificates
+# https://github.com/italiangrid/voms-api-java/issues/30
+# 2022-09-24 (test0.cert.pem, wilco_cnaf_infn_it.cert.pem)
+voms-api-java-expired-2022-09-24.patch
+# 2022-10-08 (test_host_cnaf_infn_it.cert.pem)
+voms-api-java-expired-2022-10-08.patch
+# 2022-12-02 (test_host_2_cnaf_infn_it.cert.pem)
+voms-api-java-expired-2022-12-12.patch
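Review bot: In the series hunk, the comment `# 2022-12-02 (test_host_2_cnaf_infn_it.cert.pem)` does not match the patch it introduces, `voms-api-java-expired-2022-12-12.patch`; one of the two dates is wrong and should be corrected so the certificate expiry can be audited later. The hunk also drops `voms-api-java-no-local.patch` from the series, which the changelog entry does not mention; either keep it or add a changelog line explaining why the tests using a non-local network interface no longer need disabling.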
diff -Nru voms-api-java-3.3.2/debian/patches/voms-api-java-disable-some-tests.patch voms-api-java-3.3.2/debian/patches/voms-api-java-disable-some-tests.patch
--- voms-api-java-3.3.2/debian/patches/voms-api-java-disable-some-tests.patch	1970-01-01 01:00:00.0 +0100
+++ voms-api-java-3.3.2/debian/patches/voms-api-java-disable-some-tests.patch	2022-06-22 11:32:12.0 +0200
@@ -0,0 +1,62 @@
+diff --git a/src/test/java/org/italiangrid/voms/test/ac/TestACGeneration.java b/src/test/java/org/italiangrid/voms/test/ac/TestACGeneration.java
+index bc7557c..32ba7a5 100644
+--- a/src/test/java/org/italiangrid/voms/test/ac/TestACGeneration.java
 b/src/test/java/org/italiangrid/voms/test/ac/TestACGeneration.java
+@@ -191,7 +191,7 @@ public class TestACGeneration {
+ return ga;
+   }
+ 
+-  @Test
++  // @Test
+   public void testGeneratedACParsing() throws KeyStoreException,
+ CertificateException, FileNotFoundException, IOException,
+ OperatorCreationException {
+@@ -230,7 +230,7 @@ public class TestACGeneration {
+ 
+   }
+ 
+-  @Test
++  // @Test
+   public void testACValidation() {
+ 
+ ValidationResultChecker c = new ValidationResultChecker(true);
+@@ -247,7 +247,7 @@ public class TestACGeneration {
+ 
+   }
+ 
+-  @Test
++  // @Test
+   public void testLSCValidationFailure() {
+ 
+ ValidationResultChecker c = new ValidationResultChecker(false,
+@@ -264,7 +264,7 @@ public class TestACGeneration {
+ assertEquals(validatedAttrs.size(), 0);
+   }
+ 
+-  @Test
++  // @Test
+   public void testExpiredAACertValidationFailure()
+ throws OperatorCreationException {
+ 
+@@ -284,7 +284,7 @@ public class TestACGeneration {
+ assertEquals(validatedAttrs.size(), 0);
+   }
+ 
+-  @Test
++  // @Test
+   public void testRevokedAACertValidationFailure() {
+ 
+ ValidationResultChecker c = new ValidationResultChecker(false,
+diff --git a/src/test/java/org/italiangrid/voms/test/ac/TestFakeVOMSACService.java b/src/test/java/org/italiangrid/voms/test/ac/TestFakeVOMSACService.java
+index 6eca55f..49f0498 100644
+--- a/src/test/java/org/italiangrid/voms/test/ac/TestFakeVOMSACService.java
 b/src/test/java/org/italiangrid/voms/test/ac/TestFakeVOMSACService.java
+@@ -54,7 +54,7 @@ public class TestFakeVOMSACService extends TestACSupport {
+ initializeCredentials();
+   }
+ 
+-  @Test
++  // @Test
+   public void testFakeAcServiceCreation() {
+ 
+ ACGenerationParams params = ACGenerationParams.builder()
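Review bot: Commenting out `@Test` on `testExpiredAACertValidationFailure`, `testRevokedAACertValidationFailure` and `testLSCValidationFailure` removes the negative-path coverage for attribute certificate validation, and nothing in the patch itself records why. Prefer the test framework's ignore annotation with a reason string (`@Ignore` in JUnit 4) pointing at https://github.com/italiangrid/voms-api-java/issues/29, so the skipped tests still show up in the test report, and add a patch header (description, origin, bug reference), since the file starts directly at `diff --git`.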
diff -Nru voms-api-java-3.3.2/debian/patches/voms-api-java-expired-2022-09-24.patch

Bug#1014804: nmu: srm-ifce 1.24.5-1

2022-07-12 Thread Mattias Ellert
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: binnmu
Severity: normal

The libgfal-srm-ifce1 binary package built from the srm-ifce source
package has a dependency on libssl1.1 on the following architectures:

hppa, m68k, sh4, sparc64

It needs a binNMU for the libssl3 transition on those architectures.

https://packages.debian.org/unstable/libgfal-srm-ifce1

  nmu srm-ifce_1.24.5-1 . hppa m68k sh4 sparc64 . -m 'Rebuild against libssl3'


Mattias





Bug#984837: unblock: gsoap/2.8.104-3

2021-03-08 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

I have submitted an update for the gsoap package, back-porting several
fixes for CVEs from upstream. It fixes the RC bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983596

Due to the current soft freeze, the migration delay is 10 days, which
would mean 18 March. However the hard freeze starts March 12, after
which migration requires an explicit unblock. Hence this unblock
request.

Due to the RC bug, the package is marked for auto-removal, together
with many packages that depend on it:

Marked for autoremoval on 11 April: #983596 high
Version 2.8.104-2 of gsoap is marked for autoremoval from testing on
Sun 11 Apr 2021. It is affected by #983596. The removal of gsoap will
also cause the removal of (transitive) reverse dependencies:
arc-gui-clients, cgsi-gsoap, davix, gfal2, gridsite,
lcas-lcmaps-gt4-interface, lcmaps, lcmaps-plugins-basic,
lcmaps-plugins-jobrep, lcmaps-plugins-verify-proxy, lcmaps-plugins-voms,
myproxy, nordugrid-arc, nordugrid-arc-nagios-plugins,
openstack-cluster-installer, srm-ifce, voms, voms-mysql-plugin, xrootd.
You should try to prevent the removal by fixing these RC bugs.

I hope you will consider unblocking the update.

Debdiff attached.

Mattias

diff -Nru gsoap-2.8.104/debian/changelog gsoap-2.8.104/debian/changelog
--- gsoap-2.8.104/debian/changelog	2020-07-25 08:30:12.0 +0200
+++ gsoap-2.8.104/debian/changelog	2021-03-08 14:06:23.0 +0100
@@ -1,3 +1,12 @@
+gsoap (2.8.104-3) unstable; urgency=high
+
+  * Backporting upstream fixes (Closes: #983596)
+- Fixes CVE: CVE-2020-13574 CVE-2020-13575 CVE-2020-13577 CVE-2020-13578
+- Fixes CVE: CVE-2020-13576
+  * Urgency high due to fixing RC bug
+
+ -- Mattias Ellert   Mon, 08 Mar 2021 14:06:23 +0100
+
 gsoap (2.8.104-2) unstable; urgency=medium
 
   * Re-upload source only
diff -Nru gsoap-2.8.104/debian/control gsoap-2.8.104/debian/control
--- gsoap-2.8.104/debian/control	2020-07-22 15:23:55.0 +0200
+++ gsoap-2.8.104/debian/control	2021-03-08 14:06:23.0 +0100
@@ -13,7 +13,7 @@
 Build-Depends-Indep:
  doxygen,
  graphviz
-Standards-Version: 4.5.0
+Standards-Version: 4.5.1
 Section: devel
 Vcs-Browser: https://salsa.debian.org/ellert/gsoap
 Vcs-Git: https://salsa.debian.org/ellert/gsoap.git
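Review bot: The `Standards-Version: 4.5.1` bump is unrelated to the CVE backport and is not listed in the changelog entry for 2.8.104-3; for an upload that needs an unblock during the freeze, drop it or add a changelog line, so the debdiff contains only what the request describes.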
diff -Nru gsoap-2.8.104/debian/copyright gsoap-2.8.104/debian/copyright
--- gsoap-2.8.104/debian/copyright	2020-07-22 15:23:55.0 +0200
+++ gsoap-2.8.104/debian/copyright	2021-03-08 14:06:23.0 +0100
@@ -171,7 +171,7 @@
 Files: debian/*
 Copyright:
  2003-2007, Thomas Wana 
- 2011-2020, Mattias Ellert 
+ 2011-2021, Mattias Ellert 
 License: GPL-2+
  On Debian systems, the complete text of the GPL version 2 license can be
  found in '/usr/share/common-licenses/GPL-2'.
diff -Nru gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch
--- gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.104/debian/patches/gsoap-plugins-hardening.patch	2021-03-08 11:28:34.0 +0100
@@ -0,0 +1,336 @@
+diff -ur gsoap2-code-r191/gsoap/plugin/httpda.c gsoap2-code-r192/gsoap/plugin/httpda.c
+--- gsoap2-code-r191/gsoap/plugin/httpda.c	2020-06-30 21:06:47.0 +0200
 gsoap2-code-r192/gsoap/plugin/httpda.c	2020-11-19 19:29:25.0 +0100
+@@ -1460,7 +1460,7 @@
+   MUTEX_LOCK(http_da_session_lock);
+ 
+   for (session = http_da_session; session; session = session->next)
+-if (!strcmp(session->realm, realm) && !strcmp(session->nonce, nonce) && !strcmp(session->opaque, opaque))
++if (session->realm && session->nonce && session->opaque && !strcmp(session->realm, realm) && !strcmp(session->nonce, nonce) && !strcmp(session->opaque, opaque))
+   break;
+ 
+   if (session)
+diff -ur gsoap2-code-r191/gsoap/plugin/wsaapi.c gsoap2-code-r192/gsoap/plugin/wsaapi.c
+--- gsoap2-code-r191/gsoap/plugin/wsaapi.c	2020-06-30 21:06:47.0 +0200
 gsoap2-code-r192/gsoap/plugin/wsaapi.c	2020-11-19 19:29:25.0 +0100
+@@ -1056,7 +1056,7 @@
+   oldheader->SOAP_WSA(FaultTo)->Address = oldheader->SOAP_WSA(ReplyTo)->Address;
+   }
+   /* use FaultTo */
+-  if (oldheader && oldheader->SOAP_WSA(FaultTo) && !strcmp(oldheader->SOAP_WSA(FaultTo)->Address, soap_wsa_noneURI))
++  if (oldheader && oldheader->SOAP_WSA(FaultTo) && oldheader->SOAP_WSA(FaultTo)->Address && !strcmp(oldheader->SOAP_WSA(FaultTo)->Address, soap_wsa_noneURI))
+ return soap_send_empty_response(soap, SOAP_OK); /* HTTP ACCEPTED */
+   soap->header = NULL;
+   /* allocate a new header */
+diff -ur gsoap2-code-r191/gsoap/plugin/wsseapi.c gsoap2-code-r192/gsoap/plugin/wsseapi.c
+--- gsoap2-code-r191/gsoap/plugin/wsseapi.c	2020-10-16
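Review bot: In the httpda.c hunk the added guards cover `session->realm`, `session->nonce` and `session->opaque`, but the right-hand operands `realm`, `nonce` and `opaque` are still passed to `strcmp` unchecked on the same line; confirm they are validated before the loop, or add them to the condition. The patch also carries no header saying which of the CVEs named in the changelog each plugin change addresses, which makes the backport hard to audit against the upstream r191 to r192 change.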

Bug#912784: stretch-pu: package davix/0.6.4-1.1+deb9u1

2019-07-08 Thread Mattias Ellert
On Mon 2019-07-08 at 12:04 +0200, Julien Cristau wrote:
> On Mon, Jul  8, 2019 at 11:54:18 +0200, Mattias Ellert wrote:
> 
> > > Sorry for not getting back to you again sooner.
> > > 
> > > The bug fix sounds OK. What's the d/rules change about? It's not
> > > mentioned in the changelog.
> > > 
> > > + rm -rf debian/tmp/usr/share/doc/davix/html/.doctrees
> > > 
> > > Regards,
> > > 
> > > Adam
> > 
> > Sorry for the delay. This is due to lintian.
> > 
> > $ lintian-info -t package-contains-python-doctree-file
> > W: package-contains-python-doctree-file
> > N:
> > N:   This package appears to contain a pickled cache of reStructuredText
> > N:   (*.rst) documentation in a .doctree file.
> > N:   
> > N:   These are not needed to display the documentation correctly and as
> > N:   they can contain absolute build paths can affect the reproducibility
> > N:   of the package.
> > N:   
> > N:   Either prevent the installation of the .doctree file (or parent
> > N:   doctrees directory if there is one) or pass the -d option to
> > N:   sphinx-build(1) to create the caches elsewhere.
> > 
> That doesn't sound needed nor indeed appropriate for a stable update.
> 
> Cheers,
> Julien

Please elaborate.
Should I interpret your comment as a rejection unless that line is
removed, or was this an invitation for me to argue in favour of it?
I can't see how removing some unwanted files from the documentation
package could be inappropriate.

Mattias





Bug#912784: stretch-pu: package davix/0.6.4-1.1+deb9u1

2019-07-08 Thread Mattias Ellert
On Sat 2019-04-20 at 11:27 +0100, Adam D. Barratt wrote:
> On Tue, 2019-01-08 at 09:50 +0100, Mattias Ellert wrote:
> > Davix implements (among other things) a client to a gridsite service
> > (a SOAP web service based file server protocol). It queries the
> > server for what version it is running in order to know which
> > credential delegation method to use.
> > 
> > The old code used the "getVersion" call to get the version, which
> > returns the software version of the server. However, there exist
> > several different implementations of the server, so the version of
> > the server software is not indicative of what credential delegation
> > method it implements.
> > 
> > What determines which delegation method to use is the interface
> > version implemented by the server, not the version number of the
> > server software. By using the getInterfaceVersion call instead the
> > davix client will use the correct delegation method.
> > 
> > https://its.cern.ch/jira/browse/DMC-1047
> > 
> 
> Sorry for not getting back to you again sooner.
> 
> The bug fix sounds OK. What's the d/rules change about? It's not
> mentioned in the changelog.
> 
> + rm -rf debian/tmp/usr/share/doc/davix/html/.doctrees
> 
> Regards,
> 
> Adam

Sorry for the delay. This is due to lintian.

$ lintian-info -t package-contains-python-doctree-file
W: package-contains-python-doctree-file
N:
N:   This package appears to contain a pickled cache of reStructuredText
N:   (*.rst) documentation in a .doctree file.
N:   
N:   These are not needed to display the documentation correctly and as
N:   they can contain absolute build paths can affect the reproducibility
N:   of the package.
N:   
N:   Either prevent the installation of the .doctree file (or parent
N:   doctrees directory if there is one) or pass the -d option to
N:   sphinx-build(1) to create the caches elsewhere.

Mattias





Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2

2019-02-18 Thread Mattias Ellert
On Fri 2019-02-15 at 13:06 +, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On 2019-02-15 10:12, Mattias Ellert wrote:
> > This is a proposal to fix CVE-2019-7659 in stretch.
> > 
> > The update also addresses one additional advisory published by the
> > upstream developers.
> 
> +-soap_encode_url(const char *s, char *t, size_t len)
> ++soap_encode_url(const char *s, char *t, int len)
> 
> If soap_encode_url is a public symbol, that's an ABI break - int and 
> size_t may well not be the same size, but they're definitely different 
> signedness.
> 
> Regards,
> 
> Adam

Hi Adam.

After you closed the corresponding request for jessie I sent the jessie
update to debian-lts as suggested.

This triggered the same discussion regarding this function being
public. This is a quite long discussion - see the archive for details:

https://lists.debian.org/debian-lts/2019/02/msg00131.html

The outcome of the discussion was that using ssize_t instead of int in
the patch was a better idea, and that version was accepted.

I propose the same change for stretch.

Updated debdiff attached.

Mattias

diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog
--- gsoap-2.8.35/debian/changelog	2017-08-16 11:58:11.0 +0200
+++ gsoap-2.8.35/debian/changelog	2019-02-14 17:12:12.0 +0100
@@ -1,3 +1,18 @@
+gsoap (2.8.35-4+deb9u2) stretch; urgency=medium
+
+  * Fix for CVE-2019-7659
+Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a
+denial of service (application abort) or possibly have unspecified other
+impact if a server application is built with the -DWITH_COOKIES flag. This
+affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++
+libraries, as these are built with that flag.
+  * Fix issue with DIME protocol receiver and malformed DIME headers
+This patch addresses a critical issue with the DIME protocol receiver that
+may cause the receiver to become unresponsive when a malformed DIME
+protocol message is received. -- https://www.genivia.com/advisory.html
+
+ -- Mattias Ellert   Thu, 14 Feb 2019 17:12:12 +0100
+
 gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
 
   * Fix for CVE-2017-9765
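Review bot: The changelog entry under `* Fix for CVE-2019-7659` does not say that the fix changes the public prototype of `soap_encode_url` in stdsoap2.h (parameter and return type go from `size_t` to `ssize_t`); add a line stating that, since it is the part of the update that reverse dependencies are most likely to notice.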
diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch
--- gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch	2019-02-14 17:12:12.0 +0100
@@ -0,0 +1,50 @@
+diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.c gsoap-2.8.35/gsoap/stdsoap2.c
+--- gsoap-2.8.35.orig/gsoap/stdsoap2.c	2016-09-18 10:56:10.0 +0200
 gsoap-2.8.35/gsoap/stdsoap2.c	2019-02-13 17:21:44.18800 +0100
+@@ -7037,11 +7037,12 @@
+ 
+ #ifndef PALM_1
+ SOAP_FMAC1
+-size_t
++ssize_t
+ SOAP_FMAC2
+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, ssize_t len)
+ { int c;
+-  size_t n = len;
++  ssize_t n = len;
++  if (n <= 0) return 0;
+   while ((c = *s++) && --n > 0)
+   { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c))
+   *t++ = c;
+diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.cpp gsoap-2.8.35/gsoap/stdsoap2.cpp
+--- gsoap-2.8.35.orig/gsoap/stdsoap2.cpp	2016-09-18 10:56:10.0 +0200
 gsoap-2.8.35/gsoap/stdsoap2.cpp	2019-02-13 17:21:44.18800 +0100
+@@ -7037,11 +7037,12 @@
+ 
+ #ifndef PALM_1
+ SOAP_FMAC1
+-size_t
++ssize_t
+ SOAP_FMAC2
+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, ssize_t len)
+ { int c;
+-  size_t n = len;
++  ssize_t n = len;
++  if (n <= 0) return 0;
+   while ((c = *s++) && --n > 0)
+   { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c))
+   *t++ = c;
+diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.h gsoap-2.8.35/gsoap/stdsoap2.h
+--- gsoap-2.8.35.orig/gsoap/stdsoap2.h	2016-09-18 10:56:10.0 +0200
 gsoap-2.8.35/gsoap/stdsoap2.h	2019-02-13 17:19:31.08800 +0100
+@@ -3380,7 +3380,7 @@
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_extend_url(struct soap *soap, const char*, const char*);
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_extend_url_query(struct soap *soap, const char*, const char*);
+ SOAP_FMAC1 void SOAP_FMAC2 soap_url_query(struct soap *soap, const char*, const char*);
+-SOAP_FMAC1 size_t SOAP_FMAC2 soap_encode_url(const char*, char*, size_t);
++SOAP_FMAC1 ssize_t SOAP_FMAC2 soap_encode_url(const char*, char*, ssize_t);
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_encode_url_string(struct soap*, const char*);
+ #ifdef WITH_COOKIES
+ SOAP_FMAC1 void SOAP_FMAC2 soap_getcookies(struct soap *soap, const char *val);
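Review bot: The new early return `if (n <= 0) return 0;` sits before any write to `t`, so on that path the output buffer is left untouched rather than NUL-terminated; check that every caller treats a 0 return as "nothing encoded" and does not go on to read `t`. The prototype in stdsoap2.h also changes signedness for callers that pass or store a `size_t`, so a rebuild of the reverse dependencies with conversion warnings enabled is worth doing before upload.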
diff -Nru gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch
-
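Added example, not part of the original messages and not gSOAP code: a simplified C model of the loop header visible in the `soap_encode_url` hunks, showing why the `if (n <= 0) return 0;` guard goes together with a signed counter. The function names, the 64-byte scratch buffer and the sample string are assumptions made for the illustration, and the loop body is a plain copy rather than the real function's encoding logic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h> /* ssize_t */

#define SCRATCH 64 /* real capacity of the test buffer (constructed value) */

/* Pre-patch shape: unsigned counter, no guard. Returns bytes stored. */
static size_t copy_unsigned(const char *s, char *t, size_t len)
{
    int c;
    size_t n = len;
    size_t stored = 0;

    /* With len == 0 the first --n wraps to SIZE_MAX, so the bound is lost. */
    while ((c = *s++) && --n > 0) {
        *t++ = (char)c;
        stored++;
    }
    *t = '\0';
    return stored;
}

/* Post-patch shape: signed counter plus the guard shown in the hunk. */
static ssize_t copy_signed(const char *s, char *t, ssize_t len)
{
    int c;
    ssize_t n = len;
    ssize_t stored = 0;

    if (n <= 0)
        return 0; /* nothing is written; t is left untouched */
    while ((c = *s++) && --n > 0) {
        *t++ = (char)c;
        stored++;
    }
    *t = '\0';
    return stored;
}

/* Hypothetical harness: each variant writes into a buffer that really holds
 * SCRATCH bytes while being told that only `claimed` bytes are available,
 * so a lost bound shows up as a count instead of as memory corruption. */
static long stored_unsigned(const char *src, size_t claimed)
{
    char buf[SCRATCH];
    if (strlen(src) >= SCRATCH)
        return -1; /* keep the demonstration inside the scratch buffer */
    return (long)copy_unsigned(src, buf, claimed);
}

static long stored_signed(const char *src, long claimed)
{
    char buf[SCRATCH];
    if (strlen(src) >= SCRATCH)
        return -1;
    return (long)copy_signed(src, buf, (ssize_t)claimed);
}

/* A caller computing "room left" as capacity minus bytes already used. */
static size_t room_unsigned(size_t cap, size_t used) { return cap - used; }
static long room_signed(long cap, long used) { return cap - used; }

int main(void)
{
    const char *src = "abcdefgh"; /* constructed sample input, 8 bytes */

    /* Normal case: both variants stop one short of the claimed length. */
    printf("claimed 4     : unsigned=%ld signed=%ld\n",
           stored_unsigned(src, 4), stored_signed(src, 4));
    /* Zero length: the unsigned counter wraps and the whole input is copied. */
    printf("claimed 0     : unsigned=%ld signed=%ld\n",
           stored_unsigned(src, 0), stored_signed(src, 0));
    /* Caller already over budget (8 - 10): huge unsigned value vs. -2. */
    printf("claimed 8 - 10: unsigned=%ld signed=%ld\n",
           stored_unsigned(src, room_unsigned(8, 10)),
           stored_signed(src, room_signed(8, 10)));
    return 0;
}
```
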

Bug#922385: stretch-pu: package gsoap/2.8.35-4+deb9u2

2019-02-15 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This is a proposal to fix CVE-2019-7659 in stretch.

The update also addresses one additional advisory published by the
upstream developers.

debdiff is attached.

gsoap (2.8.35-4+deb9u2) stretch; urgency=medium

  * Fix for CVE-2019-7659
Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a
denial of service (application abort) or possibly have unspecified other
impact if a server application is built with the -DWITH_COOKIES flag. This
affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++
libraries, as these are built with that flag.
  * Fix issue with DIME protocol receiver and malformed DIME headers
This patch addresses a critical issue with the DIME protocol receiver that
may cause the receiver to become unresponsive when a malformed DIME
protocol message is received. -- https://www.genivia.com/advisory.html

Mattias Ellert

diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog
--- gsoap-2.8.35/debian/changelog	2017-08-16 11:58:11.0 +0200
+++ gsoap-2.8.35/debian/changelog	2019-02-14 17:12:12.0 +0100
@@ -1,3 +1,18 @@
+gsoap (2.8.35-4+deb9u2) stretch; urgency=medium
+
+  * Fix for CVE-2019-7659
+Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a
+denial of service (application abort) or possibly have unspecified other
+impact if a server application is built with the -DWITH_COOKIES flag. This
+affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++
+libraries, as these are built with that flag.
+  * Fix issue with DIME protocol receiver and malformed DIME headers
+This patch addresses a critical issue with the DIME protocol receiver that
+may cause the receiver to become unresponsive when a malformed DIME
+protocol message is received. -- https://www.genivia.com/advisory.html
+
+ -- Mattias Ellert   Thu, 14 Feb 2019 17:12:12 +0100
+
 gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
 
   * Fix for CVE-2017-9765
diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch
--- gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch	2019-02-14 17:12:12.0 +0100
@@ -0,0 +1,50 @@
+diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.c gsoap-2.8.35/gsoap/stdsoap2.c
+--- gsoap-2.8.35.orig/gsoap/stdsoap2.c	2016-09-18 10:56:10.0 +0200
 gsoap-2.8.35/gsoap/stdsoap2.c	2019-02-13 17:21:44.18800 +0100
+@@ -7037,11 +7037,12 @@
+ 
+ #ifndef PALM_1
+ SOAP_FMAC1
+-size_t
++int
+ SOAP_FMAC2
+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, int len)
+ { int c;
+-  size_t n = len;
++  int n = len;
++  if (n <= 0) return 0;
+   while ((c = *s++) && --n > 0)
+   { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c))
+   *t++ = c;
+diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.cpp gsoap-2.8.35/gsoap/stdsoap2.cpp
+--- gsoap-2.8.35.orig/gsoap/stdsoap2.cpp	2016-09-18 10:56:10.0 +0200
 gsoap-2.8.35/gsoap/stdsoap2.cpp	2019-02-13 17:21:44.18800 +0100
+@@ -7037,11 +7037,12 @@
+ 
+ #ifndef PALM_1
+ SOAP_FMAC1
+-size_t
++int
+ SOAP_FMAC2
+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, int len)
+ { int c;
+-  size_t n = len;
++  int n = len;
++  if (n <= 0) return 0;
+   while ((c = *s++) && --n > 0)
+   { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c))
+   *t++ = c;
+diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.h gsoap-2.8.35/gsoap/stdsoap2.h
+--- gsoap-2.8.35.orig/gsoap/stdsoap2.h	2016-09-18 10:56:10.0 +0200
 gsoap-2.8.35/gsoap/stdsoap2.h	2019-02-13 17:19:31.08800 +0100
+@@ -3380,7 +3380,7 @@
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_extend_url(struct soap *soap, const char*, const char*);
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_extend_url_query(struct soap *soap, const char*, const char*);
+ SOAP_FMAC1 void SOAP_FMAC2 soap_url_query(struct soap *soap, const char*, const char*);
+-SOAP_FMAC1 size_t SOAP_FMAC2 soap_encode_url(const char*, char*, size_t);
++SOAP_FMAC1 int SOAP_FMAC2 soap_encode_url(const char*, char*, int);
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_encode_url_string(struct soap*, const char*);
+ #ifdef WITH_COOKIES
+ SOAP_FMAC1 void SOAP_FMAC2 soap_getcookies(struct soap *soap, const char *val);
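Review bot: Changing `size_t len` to `int len` narrows the length on 64-bit targets, so a caller passing a buffer size above INT_MAX gets a truncated or negative value that the new `if (n <= 0) return 0;` guard silently turns into an empty result; the return type narrows the same way. A signed type with the same width as `size_t` keeps the guard without the narrowing, and the public prototype in stdsoap2.h would then differ from the old one in signedness only.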
diff -Nru gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch
--- gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch	2019-02-13 17:12:41.0

Bug#922384: jessie-pu: package gsoap/2.8.17-1+deb8u2

2019-02-15 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This is a proposal to fix CVE-2019-7659 in jessie.

The update also addresses one additional advisory published by the
upstream developers.

debdiff is attached.

gsoap (2.8.17-1+deb8u2) jessie; urgency=medium

  * Fix for CVE-2019-7659
Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a
denial of service (application abort) or possibly have unspecified other
impact if a server application is built with the -DWITH_COOKIES flag. This
affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++
libraries, as these are built with that flag.
  * Fix issue with DIME protocol receiver and malformed DIME headers
This patch addresses a critical issue with the DIME protocol receiver that
may cause the receiver to become unresponsive when a malformed DIME
protocol message is received. -- https://www.genivia.com/advisory.html

Mattias Ellert

diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
--- gsoap-2.8.17/debian/changelog	2017-08-16 11:30:40.0 +0200
+++ gsoap-2.8.17/debian/changelog	2019-02-14 16:59:28.0 +0100
@@ -1,3 +1,18 @@
+gsoap (2.8.17-1+deb8u2) jessie; urgency=medium
+
+  * Fix for CVE-2019-7659
+Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a
+denial of service (application abort) or possibly have unspecified other
+impact if a server application is built with the -DWITH_COOKIES flag. This
+affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++
+libraries, as these are built with that flag.
+  * Fix issue with DIME protocol receiver and malformed DIME headers
+This patch addresses a critical issue with the DIME protocol receiver that
+may cause the receiver to become unresponsive when a malformed DIME
+protocol message is received. -- https://www.genivia.com/advisory.html
+
+ -- Mattias Ellert   Thu, 14 Feb 2019 16:59:28 +0100
+
 gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
 
   * Fix for CVE-2017-9765
diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch
--- gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.17/debian/patches/gsoap-CVE-2019-7659.patch	2019-02-14 11:32:59.0 +0100
@@ -0,0 +1,50 @@
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c
+--- gsoap-2.8.orig/gsoap/stdsoap2.c	2019-01-18 15:22:36.285318129 +0100
 gsoap-2.8/gsoap/stdsoap2.c	2019-01-18 15:26:44.648630944 +0100
+@@ -6199,11 +6199,12 @@
+ /**/
+ #ifndef PALM_1
+ SOAP_FMAC1
+-size_t
++int
+ SOAP_FMAC2
+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, int len)
+ { register int c;
+-  register size_t n = len;
++  register int n = len;
++  if (n <= 0) return 0;
+   while ((c = *s++) && --n > 0)
+   { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c))
+   *t++ = c;
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp
+--- gsoap-2.8.orig/gsoap/stdsoap2.cpp	2019-01-18 15:22:36.353317393 +0100
 gsoap-2.8/gsoap/stdsoap2.cpp	2019-01-18 15:26:44.648630944 +0100
+@@ -6199,11 +6199,12 @@
+ /**/
+ #ifndef PALM_1
+ SOAP_FMAC1
+-size_t
++int
+ SOAP_FMAC2
+-soap_encode_url(const char *s, char *t, size_t len)
++soap_encode_url(const char *s, char *t, int len)
+ { register int c;
+-  register size_t n = len;
++  register int n = len;
++  if (n <= 0) return 0;
+   while ((c = *s++) && --n > 0)
+   { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c))
+   *t++ = c;
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.h gsoap-2.8/gsoap/stdsoap2.h
+--- gsoap-2.8.orig/gsoap/stdsoap2.h	2019-01-18 15:22:36.256318443 +0100
 gsoap-2.8/gsoap/stdsoap2.h	2019-01-18 15:25:20.408542687 +0100
+@@ -2747,7 +2747,7 @@
+ SOAP_FMAC1 void SOAP_FMAC2 soap_clr_attr(struct soap *soap);
+ 
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_url(struct soap *soap, const char*, const char*);
+-SOAP_FMAC1 size_t SOAP_FMAC2 soap_encode_url(const char*, char*, size_t);
++SOAP_FMAC1 int SOAP_FMAC2 soap_encode_url(const char*, char*, int);
+ SOAP_FMAC1 const char* SOAP_FMAC2 soap_encode_url_string(struct soap*, const char*);
+ #ifdef WITH_COOKIES
+ SOAP_FMAC1 void SOAP_FMAC2 soap_getcookies(struct soap *soap, const char *val);
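Review bot: gsoap-CVE-2019-7659.patch starts directly at `diff -ur` with no description, origin or CVE reference, so the only link between this change and CVE-2019-7659 is the file name; add a patch header naming the upstream release the fix was taken from. The `int` signature used here should also follow whatever type is settled on for the stretch update, so the two backports do not diverge.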
diff -Nru gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch
--- gsoap-2.8.17/debian/patches/gsoap-malformed-DIME.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.17/debian/patches/gsoap-malformed

Bug#912784: stretch-pu: package davix/0.6.4-1.1+deb9u1

2019-01-08 Thread Mattias Ellert
On Mon 2018-12-03 at 08:17 +0100, Julien Cristau wrote:
> Control: tag -1 moreinfo
> 
> On Sat, Nov 03, 2018 at 10:31:32PM +0100, Mattias Ellert wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: stretch
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > 
> > This is a proposed update to the davix package in Debian 9 (stretch). I
> > have created it in response to a request that was sent to me via e-mail 
> > (included below).
> > 
> > The proposed update backports the specific bugfix mentioned in the
> > request rather than updating to a newer version. This bugfix was part
> > of the 0.6.8 update. The version in unstable and testing is currently
> > 0.7.1.
> > 
> Can you describe the effect of this bug?
> 
> Cheers,
> Julien

Davix implements (among other things) a client to a gridsite service (a
SOAP web service based file server protocol). It queries the server for
what version it is running in order to know which credential delegation
method to use.

The old code used the "getVersion" call to get the version, which
returns the software version of the server. However, there exist
several different implementations of the server, so the version of the
server software is not indicative of what credential delegation method
it implements.

What determines which delegation method to use is the interface version
implemented by the server, not the version number of the server
software. By using the getInterfaceVersion call instead the davix
client will use the correct delegation method.

https://its.cern.ch/jira/browse/DMC-1047

Mattias





Bug#912784: stretch-pu: package davix/0.6.4-1.1+deb9u1

2018-11-03 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This is a proposed update to the davix package in Debian 9 (stretch). I
have created it in response to a request that was sent to me via e-mail 
(included below).

The proposed update backports the specific bugfix mentioned in the
request rather than updating to a newer version. This bugfix was part
of the 0.6.8 update. The version in unstable and testing is currently
0.7.1.

Mattias

 Forwarded message 
From: Paul Millar 
To: mattias.ell...@physics.uu.se
Subject: davix version in Debian stretch
Date: Tue, 16 Oct 2018 15:06:11 +0200

Hi Mattias,

I was wondering whether it was possible to get the davix version 
currently in buster (0.6.8) into stretch?

davix v0.6.8 contains this fix:

https://its.cern.ch/jira/browse/DMC-1047

which is pretty important for us.

Of course, if you got the latest version (v0.6.9) into stretch, buster 
and sid, that would be even better.  That version has further fixes that 
would be helpful.

Cheers,

Paul.

diff -Nru davix-0.6.4/debian/changelog davix-0.6.4/debian/changelog
--- davix-0.6.4/debian/changelog	2016-12-15 21:40:12.0 +0100
+++ davix-0.6.4/debian/changelog	2018-11-03 18:37:23.0 +0100
@@ -1,3 +1,10 @@
+davix (0.6.4-1.1+deb9u1) stretch; urgency=medium
+
+  * Use getInterfaceVersion to retrieve the delegation version implemented
+  * https://its.cern.ch/jira/browse/DMC-1047
+
+ -- Mattias Ellert   Sat, 03 Nov 2018 18:37:23 +0100
+
 davix (0.6.4-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru davix-0.6.4/debian/patches/0001-DMC-1047-use-getInterfaceVersion-to-retrieve-the-del.patch davix-0.6.4/debian/patches/0001-DMC-1047-use-getInterfaceVersion-to-retrieve-the-del.patch
--- davix-0.6.4/debian/patches/0001-DMC-1047-use-getInterfaceVersion-to-retrieve-the-del.patch	1970-01-01 01:00:00.0 +0100
+++ davix-0.6.4/debian/patches/0001-DMC-1047-use-getInterfaceVersion-to-retrieve-the-del.patch	2018-11-03 15:38:46.0 +0100
@@ -0,0 +1,33 @@
+From 436bb62eb7df614e3c68bdcbb60c56b406feb8f8 Mon Sep 17 00:00:00 2001
+From: Andrea Manzi 
+Date: Mon, 28 May 2018 16:13:29 +0200
+Subject: [PATCH] DMC-1047: use getInterfaceVersion to retrieve the delegation
+ version implemented
+
+---
+ src/modules/copy/delegation/delegation.cpp | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/modules/copy/delegation/delegation.cpp b/src/modules/copy/delegation/delegation.cpp
+index 203268d..55f242b 100644
+--- a/src/modules/copy/delegation/delegation.cpp
 b/src/modules/copy/delegation/delegation.cpp
+@@ -204,12 +204,12 @@ static int get_delegation_version(const std::string& ucred, const std::string& p
+ 
+ if (soap_ssl_client_context(soap_v, SOAP_SSL_DEFAULT, ucred.c_str(), passwd.c_str(),
+   ucred.c_str(), capath.c_str(), NULL) == 0) {
+-delegation2::tns2__getVersionResponse response;
+-delegation2::soap_call_tns2__getVersion(soap_v, dlg_endpoint.c_str(),
++delegation2::tns2__getInterfaceVersionResponse response;
++delegation2::soap_call_tns2__getInterfaceVersion(soap_v, dlg_endpoint.c_str(),
+ "http://www.gridsite.org/namespaces/delegation-2;, response);
+ 
+ if (soap_v->error == 0) {
+-version = atoi(response.getVersionReturn);
++version = atoi(response.getInterfaceVersionReturn);
+ }
+ else {
+ // Assume version 1 (does not implement the version method)
+-- 
+2.19.1
+
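Review bot: In get_delegation_version, the replacement line version = atoi(response.getInterfaceVersionReturn); still parses a server-supplied string with atoi, which cannot report a parse failure and must not be handed a null pointer. Check the field for NULL and parse it with strtol and an end pointer, falling back to version 1 in the same way the else branch does when the value is missing or not numeric. A short Description line in the patch header explaining why the interface version, not the software version, selects the delegation method would also help later reviewers.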
diff -Nru davix-0.6.4/debian/patches/series davix-0.6.4/debian/patches/series
--- davix-0.6.4/debian/patches/series	2016-12-15 21:36:45.0 +0100
+++ davix-0.6.4/debian/patches/series	2018-11-03 18:35:30.0 +0100
@@ -1,3 +1,10 @@
 davix-linking.patch
+
+# Add support for openssl-1.1.0
+# https://its.cern.ch/jira/browse/DMC-888
 0001-DMC-888-16-Add-support-for-openssl-1.1.0.patch
 0002-DMC-888-16-Fix-SL5-build.patch
+
+# Use getInterfaceVersion to retrieve the delegation version implemented
+# https://its.cern.ch/jira/browse/DMC-1047
+0001-DMC-1047-use-getInterfaceVersion-to-retrieve-the-del.patch
diff -Nru davix-0.6.4/debian/rules davix-0.6.4/debian/rules
--- davix-0.6.4/debian/rules	2016-12-15 21:40:12.0 +0100
+++ davix-0.6.4/debian/rules	2018-11-03 18:37:23.0 +0100
@@ -32,6 +32,7 @@
 override_dh_install:
 	rm debian/tmp/usr/share/doc/davix/LICENSE
 	rm -rf debian/tmp/usr/include/gtest debian/tmp/usr/lib/libgtest.a debian/tmp/usr/lib/libgtest_main.a
+	rm -rf debian/tmp/usr/share/doc/davix/html/.doctrees
 	dh_install --fail-missing
 
 override_dh_strip:
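Review bot: The added line rm -rf debian/tmp/usr/share/doc/davix/html/.doctrees in override_dh_install is not mentioned in the 0.6.4-1.1+deb9u1 changelog entry, which lists only the getInterfaceVersion change. For a stable update every change in the debdiff should be listed with its reason, so add a changelog bullet for it or drop it from this upload.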




Bug#908893: stretch-pu: package globus-gsi-credential_7.11-1+deb9u1

2018-09-15 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This is a proposed update to the globus-gsi-credential package in
Debian 9 (stretch). I have created it in response to a request that was
sent to me via e-mail (included below).

Mattias

 Forwarded message 
From: Dave Dykstra 
To: Mattias Ellert 
Subject: libglobus-gsi-credential1 fix for stretch
Date: Fri, 14 Sep 2018 15:56:24 -0500

Hi Mattias,

There's been a fix
https://github.com/globus/globus-toolkit/issues/115
affecting cvmfs-x509-helper in Debian testing libglobus-gsi-credential1
version 7.14-1 since last November, but it still hasn't made it into
Debian 9 stretch or stretch-updates.  Could you backport it there?
Meanwhile I have been maintaining a patched copy in the cvmfs-contrib
repository (https://cvmfs-contrib.github.io).

Dave

diff -Nru globus-gsi-credential-7.11/debian/changelog globus-gsi-credential-7.11/debian/changelog
--- globus-gsi-credential-7.11/debian/changelog	2016-11-08 23:25:05.0 +0100
+++ globus-gsi-credential-7.11/debian/changelog	2018-09-15 16:15:42.0 +0200
@@ -1,3 +1,11 @@
+globus-gsi-credential (7.11-1+deb9u1) stretch; urgency=medium
+
+  * Fix issue with voms proxy and openssl 1.1
+  * https://github.com/globus/globus-toolkit/issues/115
+  * https://github.com/globus/globus-toolkit/pull/116
+
+ -- Mattias Ellert   Sat, 15 Sep 2018 16:15:42 +0200
+
 globus-gsi-credential (7.11-1) unstable; urgency=medium
 
   * GT6 update
diff -Nru globus-gsi-credential-7.11/debian/patches/globus-gsi-credential-voms-openssl-1.1.patch globus-gsi-credential-7.11/debian/patches/globus-gsi-credential-voms-openssl-1.1.patch
--- globus-gsi-credential-7.11/debian/patches/globus-gsi-credential-voms-openssl-1.1.patch	1970-01-01 01:00:00.0 +0100
+++ globus-gsi-credential-7.11/debian/patches/globus-gsi-credential-voms-openssl-1.1.patch	2018-09-15 16:09:00.0 +0200
@@ -0,0 +1,70 @@
+From 924cb64dda4dae571456772bd1db62d5bbe25ccf Mon Sep 17 00:00:00 2001
+From: Mischa Salle 
+Date: Mon, 23 Oct 2017 20:16:26 +0200
+Subject: [PATCH] Simple patch for GT issue #115
+
+This patch reorders the the setting of the check_issued and the initialization
+of the X509_STORE_CTX object with the X509_STORE thereby solving
+https://github.com/globus/globus-toolkit/issues/115
+---
+ .../source/library/globus_gsi_cred_handle.c   | 28 +--
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/library/globus_gsi_cred_handle.c b/library/globus_gsi_cred_handle.c
+index 9877ad603d..e890f56abf 100644
+--- a/library/globus_gsi_cred_handle.c
 b/library/globus_gsi_cred_handle.c
+@@ -1745,19 +1745,19 @@ globus_gsi_cred_verify_cert_chain(
+ 
+ if (X509_STORE_load_locations(cert_store, NULL, cert_dir))
+ {
++#if OPENSSL_VERSION_NUMBER < 0x1010L
++/* override the check_issued with our version */
++cert_store->check_issued = globus_gsi_callback_check_issued;
++#else
++X509_STORE_set_check_issued(cert_store, globus_gsi_callback_check_issued);
++#endif
++
+ store_context = X509_STORE_CTX_new();
+ X509_STORE_CTX_init(store_context, cert_store, cert,
+ cred_handle->cert_chain);
+ X509_STORE_CTX_set_depth(store_context,
+  GLOBUS_GSI_CALLBACK_VERIFY_DEPTH);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x1010L
+-/* override the check_issued with our version */
+-store_context->check_issued = globus_gsi_callback_check_issued;
+-#else
+-X509_STORE_set_check_issued(X509_STORE_CTX_get0_store(store_context), globus_gsi_callback_check_issued);
+-#endif
+-
+ globus_gsi_callback_get_X509_STORE_callback_data_index(
+ _data_index);
+ 
+@@ -1937,19 +1937,19 @@ globus_gsi_cred_verify_cert_chain_when(
+ 
+ if (X509_STORE_load_locations(cert_store, NULL, cert_dir))
+ {
++/* override the check_issued with our version */
++#if OPENSSL_VERSION_NUMBER < 0x1010L
++cert_store->check_issued = globus_gsi_callback_check_issued;
++#else
++X509_STORE_set_check_issued(cert_store, globus_gsi_callback_check_issued);
++#endif
++
+ store_context = X509_STORE_CTX_new();
+ X509_STORE_CTX_init(store_context, cert_store, cert,
+ cred_handle->cert_chain);
+ X509_STORE_CTX_set_depth(store_context,
+  GLOBUS_GSI_CALLBACK_VERIFY_DEPTH);
+ 
+-/* override the check_issued with our version */
+-#if OPENSSL_VERSION_NUMBER < 0x1010L
+-store_context->check_issued = globus_gsi_callback_check_issued;
+-#else
+-X509_STORE_set_check_issued(X509_STORE_CTX_get0_store(store_context), globus_gsi_callback_check_issued);
+-#endif
+-
+ globus_gsi_callback_get_X509_STORE_callback_data_index(
+ _data_index);
+ 
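Review bot: In both globus_gsi_cred_verify_cert_chain and globus_gsi_cred_verify_cert_chain_when the fix depends on the check_issued override being installed on cert_store before X509_STORE_CTX_init runs, but the comment that moved with the block still only says "override the check_issued with our version". State the ordering requirement in that comment so the block is not moved back below the init call later, and place the comment consistently (it sits inside the #if in the first function and above it in the second). The visible context also uses store_context straight after X509_STORE_CTX_new() and ignores the result of X509_STORE_CTX_init; a check on both would be worth adding while this code is being touched.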
diff -Nru glo

Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1

2017-08-24 Thread Mattias Ellert
Fri 2017-08-18 at 13:47 +0200, Mattias Ellert wrote:
> 
> > No. You want to open a bug report against your own package, telling
> > there is a security bug, and you want to refer to that one in the closes
> > statement.
> > 
> 
> This contradicts what Adam said in bug #872441:
> 
> > If there is no bug filed against gsoap that relates to the issue, then 
> > there should be no bug closed in the changelog.
> 
> Can you resolve your differences?
> 
>   Mattias

Hi again.

Is there a resolution to this? Is a Closes statement mandatory or not?

Mattias




Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1

2017-08-18 Thread Mattias Ellert
Fri 2017-08-18 at 13:08 +0200, Martin Zobel-Helas wrote:
> Hi, 
> 
> On Fri Aug 18, 2017 at 11:35:21 +0200, Mattias Ellert wrote:
> > Thu 2017-08-17 at 20:21 +0200, Martin Zobel-Helas wrote:
> > > Hi, 
> > > 
> > > On Thu Aug 17, 2017 at 16:38:30 +0200, Mattias Ellert wrote:
> > > > Package: release.debian.org
> > > > Severity: normal
> > > > Tags: jessie
> > > > User: release.debian@packages.debian.org
> > > > Usertags: pu
> > > > 
> > > > This is a proposal to fix CVE-2017-9765 in jessie.
> > > > debdiff is attached.
> > > > 
> > > > Mattias Ellert
> > > > diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
> > > > --- gsoap-2.8.17/debian/changelog   2014-07-11 13:45:59.0 
> > > > +0200
> > > > +++ gsoap-2.8.17/debian/changelog   2017-08-16 11:30:40.0 
> > > > +0200
> > > > @@ -1,3 +1,9 @@
> > > > +gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
> > > > +
> > > > +  * Fix for CVE-2017-9765 (Closes: )
> > > > +
> > > > + -- Mattias Ellert <mattias.ell...@physics.uu.se>  Wed, 16 Aug 2017 
> > > > 11:30:40 +0200
> > > > +
> > > >  gsoap (2.8.17-1) unstable; urgency=medium
> > > 
> > > once this changelog has a proper Closes line with bug-number this patch
> > > looks sane to me.
> > > 
> > > Cheers,
> > > Martin
> > > (former stable release manager)
> > > 
> > 
> > Closes statement removed as requested.
> > See bug #872441 for the discussion.
> 
> No. You want to open a bug report against your own package, telling
> there is a security bug, and you want to refer to that one in the closes
> statement.
> 

This contradicts what Adam said in bug #872441:

> If there is no bug filed against gsoap that relates to the issue, then 
> there should be no bug closed in the changelog.

Can you resolve your differences?

Mattias




Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-08-18 Thread Mattias Ellert
Fri 2017-08-18 at 08:46 +0100, Adam D. Barratt wrote:
> On 2017-08-18 8:01, Mattias Ellert wrote:
> > Thu 2017-08-17 at 21:59 +0100, Adam D. Barratt wrote:
> > > On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote:
> > > > Hi,
> > > > 
> > > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote:
> > > 
> > > [...]
> > > > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> > > > > +
> > > > > +  * Fix for CVE-2017-9765 (Closes: )
> 
> [...]
> > > Is there actually a Debian bug for the issue? I couldn't find one.
> 
> [...]
> > I don't understand the last comment here.
> 
> Apparently not.
> 
> > Of course there is a bug - it is this one.
> > 
> > The reason the debdiff in the request says "Closes: ", is a
> > chicken-and-egg problem. You are supposed to attach the debdiff to the
> > request, but before you make the request its BTS number does not yet
> > exist - so you can't include it in the attachment at creation time.
> > After I got the confirmation back with the number I updated the
> > changelog with the bug number.
> 
> *NO*. There is no chicken and egg problem here at all.
> 
> The bug number you would close in the changelog relates to a bug filed 
> _against gsoap_, the same as it would for any other upload. You should 
> never be closing bugs filed against release.debian.org in an upload of 
> your package. You're fixing a bug in your package, the release.d.o bug 
> is a means of tracking that, not a thing fixed in the upload.
> 
> If there is no bug filed against gsoap that relates to the issue, then 
> there should be no bug closed in the changelog.
> 
> Regards,
> 
> Adam

Closes statement removed as requested.

I am sorry to have upset you, but to me it was obvious the bug should
be closed by the update, and the instruction did not say it should not
be. Maybe you could add a sentence stating this in the instructions.

Mattias
diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog
--- gsoap-2.8.35/debian/changelog	2016-12-06 09:32:36.0 +0100
+++ gsoap-2.8.35/debian/changelog	2017-08-16 11:58:11.0 +0200
@@ -1,3 +1,9 @@
+gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
+
+  * Fix for CVE-2017-9765
+
+ -- Mattias Ellert <mattias.ell...@physics.uu.se>  Wed, 16 Aug 2017 11:58:11 +0200
+
 gsoap (2.8.35-4) unstable; urgency=medium
 
   * Rebuild for OpenSSL 1.1.0
diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch
--- gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch	2017-08-16 11:54:02.0 +0200
@@ -0,0 +1,54 @@
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c
+--- gsoap-2.8.orig/gsoap/stdsoap2.c	2016-04-03 03:33:31.0 +0200
 gsoap-2.8/gsoap/stdsoap2.c	2017-08-01 14:51:44.141083499 +0200
+@@ -1711,17 +1711,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   char *s = buf;
+-  int i = sizeof(buf);
+-  soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  size_t i = sizeof(buf);
++  soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp
+--- gsoap-2.8.orig/gsoap/stdsoap2.cpp	2016-04-03 03:33:31.0 +0200
 gsoap-2.8/gsoap/stdsoap2.cpp	2017-08-01 14:51:44.143083498 +0200
+@@ -1711,17 +1711,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   char *s = buf;
+-  int i = sizeof(buf);
+-  soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  size_t i = sizeof(buf);
++  soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
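Review bot: gsoap-CVE-2017-9765.patch starts directly at the diff -ur line, with no header naming the upstream release or commit the soap_get_pi change was taken from; for a security update add a Description and Origin so the fix can be checked against upstream. In the function itself, the bound now holds because i is decremented only inside the if (i > 1) branch, next to the store through s, which keeps i from dropping below 1 however long the input is. The loop still consumes input up to '?' or EOF and silently discards everything past 63 bytes, so consider whether an over-long processing instruction should be reported as an error instead of truncated.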
diff -Nru gsoap-2.8.35/debian/patches

Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1

2017-08-18 Thread Mattias Ellert
Thu 2017-08-17 at 20:21 +0200, Martin Zobel-Helas wrote:
> Hi, 
> 
> On Thu Aug 17, 2017 at 16:38:30 +0200, Mattias Ellert wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: jessie
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > 
> > This is a proposal to fix CVE-2017-9765 in jessie.
> > debdiff is attached.
> > 
> > Mattias Ellert
> > diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
> > --- gsoap-2.8.17/debian/changelog   2014-07-11 13:45:59.0 +0200
> > +++ gsoap-2.8.17/debian/changelog   2017-08-16 11:30:40.0 +0200
> > @@ -1,3 +1,9 @@
> > +gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
> > +
> > +  * Fix for CVE-2017-9765 (Closes: )
> > +
> > + -- Mattias Ellert <mattias.ell...@physics.uu.se>  Wed, 16 Aug 2017 
> > 11:30:40 +0200
> > +
> >  gsoap (2.8.17-1) unstable; urgency=medium
> 
> once this changelog has a proper Closes line with bug-number this patch
> looks sane to me.
> 
> Cheers,
> Martin
> (former stable release manager)
> 

Closes statement removed as requested.
See bug #872441 for the discussion.

Mattias
diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
--- gsoap-2.8.17/debian/changelog	2014-07-11 13:45:59.0 +0200
+++ gsoap-2.8.17/debian/changelog	2017-08-16 11:30:40.0 +0200
@@ -1,3 +1,9 @@
+gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
+
+  * Fix for CVE-2017-9765
+
+ -- Mattias Ellert <mattias.ell...@physics.uu.se>  Wed, 16 Aug 2017 11:30:40 +0200
+
 gsoap (2.8.17-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch
--- gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch	2017-08-16 09:29:32.0 +0200
@@ -0,0 +1,54 @@
+diff -ur gsoap-2.7.orig/gsoap/stdsoap2.c gsoap-2.7/gsoap/stdsoap2.c
+--- gsoap-2.7.orig/gsoap/stdsoap2.c	2010-04-06 18:23:14.0 +0200
 gsoap-2.7/gsoap/stdsoap2.c	2017-08-01 15:05:03.634309308 +0200
+@@ -1509,17 +1509,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   register char *s = buf;
+-  register int i = sizeof(buf);
+-  register soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  register size_t i = sizeof(buf);
++  register soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
+diff -ur gsoap-2.7.orig/gsoap/stdsoap2.cpp gsoap-2.7/gsoap/stdsoap2.cpp
+--- gsoap-2.7.orig/gsoap/stdsoap2.cpp	2010-04-06 18:23:14.0 +0200
 gsoap-2.7/gsoap/stdsoap2.cpp	2017-08-01 15:05:03.636309306 +0200
+@@ -1509,17 +1509,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   register char *s = buf;
+-  register int i = sizeof(buf);
+-  register soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  register size_t i = sizeof(buf);
++  register soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
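Review bot: The embedded diff headers read gsoap-2.7.orig/gsoap/stdsoap2.c with a 2010 timestamp and hunk offsets at line 1509, although the patch is being added to gsoap 2.8.17. It looks like it was generated against a 2.7 tree, so refresh it against the 2.8.17 sources to make sure both the stdsoap2.c and stdsoap2.cpp hunks apply without offset or fuzz, and confirm that the register declarations in the context lines match what 2.8.17 actually contains.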
diff -Nru gsoap-2.8.17/debian/patches/series gsoap-2.8.17/debian/patches/series
--- gsoap-2.8.17/debian/patches/series	2014-07-11 20:36:40.0 +0200
+++ gsoap-2.8.17/debian/patches/series	2017-08-16 11:28:38.0 +0200
@@ -21,3 +21,6 @@
 
 # https://sourceforge.net/p/gsoap2/patches/119/
 gsoap-doxygen-paths.patch
+
+# CVE-2017-9765
+gsoap-CVE-2017-9765.patch




Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-08-18 Thread Mattias Ellert
Thu 2017-08-17 at 21:59 +0100, Adam D. Barratt wrote:
> On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote:
> > Hi, 
> > 
> > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote:
> 
> [...]
> > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> > > +
> > > +  * Fix for CVE-2017-9765 (Closes: )
> > > +
> > > + -- Mattias Ellert <mattias.ell...@physics.uu.se>  Wed, 16 Aug 2017 
> > > 11:58:11 +0200
> > > +
> > >  gsoap (2.8.35-4) unstable; urgency=medium
> > 
> > once this changelog has a proper Closes line with bug-number this patch
> > looks sane to me.
> 
> Is there actually a Debian bug for the issue? I couldn't find one.
> 
> Regards,
> 
> Adam
> 

Hi!

I don't understand the last comment here.
Of course there is a bug - it is this one.

The reason the debdiff in the request says "Closes: ", is a
chicken-and-egg problem. You are supposed to attach the debdiff to the
request, but before you make the request its BTS number does not yet
exist - so you can't include it in the attachment at creation time.
After I got the confirmation back with the number I updated the
changelog with the bug number.

Mattias




Bug#872442: jessie-pu: package gsoap/2.8.17-1+deb8u1

2017-08-17 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This is a proposal to fix CVE-2017-9765 in jessie.
debdiff is attached.

Mattias Ellert
diff -Nru gsoap-2.8.17/debian/changelog gsoap-2.8.17/debian/changelog
--- gsoap-2.8.17/debian/changelog	2014-07-11 13:45:59.0 +0200
+++ gsoap-2.8.17/debian/changelog	2017-08-16 11:30:40.0 +0200
@@ -1,3 +1,9 @@
+gsoap (2.8.17-1+deb8u1) jessie; urgency=medium
+
+  * Fix for CVE-2017-9765 (Closes: )
+
+ -- Mattias Ellert <mattias.ell...@physics.uu.se>  Wed, 16 Aug 2017 11:30:40 +0200
+
 gsoap (2.8.17-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch
--- gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.17/debian/patches/gsoap-CVE-2017-9765.patch	2017-08-16 09:29:32.0 +0200
@@ -0,0 +1,54 @@
+diff -ur gsoap-2.7.orig/gsoap/stdsoap2.c gsoap-2.7/gsoap/stdsoap2.c
+--- gsoap-2.7.orig/gsoap/stdsoap2.c	2010-04-06 18:23:14.0 +0200
 gsoap-2.7/gsoap/stdsoap2.c	2017-08-01 15:05:03.634309308 +0200
+@@ -1509,17 +1509,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   register char *s = buf;
+-  register int i = sizeof(buf);
+-  register soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  register size_t i = sizeof(buf);
++  register soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
+diff -ur gsoap-2.7.orig/gsoap/stdsoap2.cpp gsoap-2.7/gsoap/stdsoap2.cpp
+--- gsoap-2.7.orig/gsoap/stdsoap2.cpp	2010-04-06 18:23:14.0 +0200
 gsoap-2.7/gsoap/stdsoap2.cpp	2017-08-01 15:05:03.636309306 +0200
+@@ -1509,17 +1509,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   register char *s = buf;
+-  register int i = sizeof(buf);
+-  register soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  register size_t i = sizeof(buf);
++  register soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
diff -Nru gsoap-2.8.17/debian/patches/series gsoap-2.8.17/debian/patches/series
--- gsoap-2.8.17/debian/patches/series	2014-07-11 20:36:40.0 +0200
+++ gsoap-2.8.17/debian/patches/series	2017-08-16 11:28:38.0 +0200
@@ -21,3 +21,6 @@
 
 # https://sourceforge.net/p/gsoap2/patches/119/
 gsoap-doxygen-paths.patch
+
+# CVE-2017-9765
+gsoap-CVE-2017-9765.patch




Bug#872441: stretch-pu: package gsoap/2.8.35-4+deb9u1

2017-08-17 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This is a proposal to fix CVE-2017-9765 in stretch.
debdiff is attached.

Mattias Ellert
diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog
--- gsoap-2.8.35/debian/changelog	2016-12-06 09:32:36.0 +0100
+++ gsoap-2.8.35/debian/changelog	2017-08-16 11:58:11.0 +0200
@@ -1,3 +1,9 @@
+gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
+
+  * Fix for CVE-2017-9765 (Closes: )
+
+ -- Mattias Ellert <mattias.ell...@physics.uu.se>  Wed, 16 Aug 2017 11:58:11 +0200
+
 gsoap (2.8.35-4) unstable; urgency=medium
 
   * Rebuild for OpenSSL 1.1.0
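Review bot: The new changelog line "* Fix for CVE-2017-9765 (Closes: )" carries an empty Closes field, which should either hold the number of a bug filed against gsoap or be removed. The entry would also be more useful to users of the stable update if it named the affected function, soap_get_pi, and the patch file that carries the fix.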
diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch
--- gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch	1970-01-01 01:00:00.0 +0100
+++ gsoap-2.8.35/debian/patches/gsoap-CVE-2017-9765.patch	2017-08-16 11:54:02.0 +0200
@@ -0,0 +1,54 @@
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c
+--- gsoap-2.8.orig/gsoap/stdsoap2.c	2016-04-03 03:33:31.0 +0200
 gsoap-2.8/gsoap/stdsoap2.c	2017-08-01 14:51:44.141083499 +0200
+@@ -1711,17 +1711,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   char *s = buf;
+-  int i = sizeof(buf);
+-  soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  size_t i = sizeof(buf);
++  soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
+diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp
+--- gsoap-2.8.orig/gsoap/stdsoap2.cpp	2016-04-03 03:33:31.0 +0200
 gsoap-2.8/gsoap/stdsoap2.cpp	2017-08-01 14:51:44.143083498 +0200
+@@ -1711,17 +1711,16 @@
+ soap_get_pi(struct soap *soap)
+ { char buf[64];
+   char *s = buf;
+-  int i = sizeof(buf);
+-  soap_wchar c = soap_getchar(soap);
+-  /* This is a quick way to parse XML PI and we could use a callback instead to
+-   * enable applications to intercept processing instructions */
+-  while ((int)c != EOF && c != '?')
+-  { if (--i > 0)
++  size_t i = sizeof(buf);
++  soap_wchar c;
++  /* Parse the XML PI encoding declaration and look for  */
++  while ((int)(c = soap_getchar(soap)) != EOF && c != '?')
++  { if (i > 1)
+ { if (soap_blank(c))
+ c = ' ';
+   *s++ = (char)c;
++  i--;
+ }
+-c = soap_getchar(soap);
+   }
+   *s = '\0';
+   DBGLOG(TEST, SOAP_MESSAGE(fdebug, "XML PI \n", buf));
diff -Nru gsoap-2.8.35/debian/patches/series gsoap-2.8.35/debian/patches/series
--- gsoap-2.8.35/debian/patches/series	2016-09-26 14:49:01.0 +0200
+++ gsoap-2.8.35/debian/patches/series	2017-08-16 11:57:36.0 +0200
@@ -10,3 +10,6 @@
 
 # Backport fix from upstream
 gsoap-backport.patch
+
+# CVE-2017-9765
+gsoap-CVE-2017-9765.patch




Bug#858907: unblock: canl-c/2.1.8-1

2017-03-28 Thread Mattias Ellert
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

The 2.1.8 release is a security fix that addresses a vulnerability
found in the previous release.

Debdiff from the current version in testing 2.1.7-3 is attached.

No changes other than addressing the vulnerability are part of the new
release. The upstream changelog entry for the release (as can be seen
in the attached debdiff) is:

2.1.8-1
- Security fix to verify certificates properly (EGI RT #12276):
  - Treat untrusted certificates properly in proxy_verify_cert_chain()
  - Override only openssl errors relevant to X.509 handling

Mattias
diff -Nru canl-c-2.1.7/ChangeLog canl-c-2.1.8/ChangeLog
--- canl-c-2.1.7/ChangeLog	2016-08-19 10:20:47.0 +0200
+++ canl-c-2.1.8/ChangeLog	2017-02-23 22:16:26.0 +0100
@@ -135,3 +135,7 @@
 2.1.7-1
 - Quick fix to prevent RFC Proxy DN forgery (RT #11476)
 
+2.1.8-1
+- Security fix to verify certificates properly (EGI RT #12276):
+  - Treat untrusted certificates properly in proxy_verify_cert_chain()
+  - Override only openssl errors relevant to X.509 handling
diff -Nru canl-c-2.1.7/debian/changelog canl-c-2.1.8/debian/changelog
--- canl-c-2.1.7/debian/changelog	2016-12-23 15:14:18.0 +0100
+++ canl-c-2.1.8/debian/changelog	2017-03-22 15:56:11.0 +0100
@@ -1,3 +1,9 @@
+canl-c (2.1.8-1) unstable; urgency=medium
+
+  * Update to version 2.1.8
+
+ -- Mattias Ellert <mattias.ell...@physics.uu.se>  Wed, 22 Mar 2017 15:56:11 +0100
+
 canl-c (2.1.7-3) unstable; urgency=medium
 
   * Reverse the order of conditional dependencies
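Review bot: The 2.1.8-1 entry in debian/changelog says only "Update to version 2.1.8", although the upstream ChangeLog in the same debdiff describes the release as a security fix (EGI RT #12276) and the upload also changes the Homepage field in debian/control. Mention the security fix and the Homepage change in the entry so the reason for the unblock is visible from the changelog alone.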
diff -Nru canl-c-2.1.7/debian/control canl-c-2.1.8/debian/control
--- canl-c-2.1.7/debian/control	2016-12-23 15:13:43.0 +0100
+++ canl-c-2.1.8/debian/control	2017-03-22 15:56:11.0 +0100
@@ -4,7 +4,7 @@
 Maintainer: Mattias Ellert <mattias.ell...@physics.uu.se>
 Build-Depends: debhelper, bison, flex, libc-ares-dev, libkrb5-dev, libssl1.0-dev | libssl-dev (<< 1.1), libtool, libtool-bin, pkg-config, texlive-fonts-recommended, texlive-latex-extra, texlive-latex-recommended
 Standards-Version: 3.9.8
-Homepage: http://www.eu-emi.eu/
+Homepage: https://github.com/CESNET/canl-c
 
 Package: libcanl-c2
 Section: libs
diff -Nru canl-c-2.1.7/debian/copyright canl-c-2.1.8/debian/copyright
--- canl-c-2.1.7/debian/copyright	2016-08-25 11:30:50.0 +0200
+++ canl-c-2.1.8/debian/copyright	2017-03-22 15:54:02.0 +0100
@@ -1,7 +1,7 @@
 Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: canl-c
 Upstream-Contact: CESNET Product Teams <emi...@metacentrum.cz>
-Source: http://scientific.zcu.cz/emi/emi.canl.c/canl-c-2.1.7.tar.gz
+Source: http://scientific.zcu.cz/emi/emi.canl.c/canl-c-2.1.8.tar.gz
 
 Files: *
 Copyright: 2004-2011 Members of the EGEE Collaboration
@@ -26,7 +26,7 @@
  PURPOSE.
 
 Files: debian/*
-Copyright: 2013-2016 Mattias Ellert
+Copyright: 2013-2017 Mattias Ellert
 License: Apache-2.0
 
 License: Apache-2.0
diff -Nru canl-c-2.1.7/project/version.properties canl-c-2.1.8/project/version.properties
--- canl-c-2.1.7/project/version.properties	2016-08-19 10:20:47.0 +0200
+++ canl-c-2.1.8/project/version.properties	2017-02-23 22:16:26.0 +0100
@@ -1,3 +1,3 @@
 # $Header:
-module.version=2.1.7
+module.version=2.1.8
 module.age=1
diff -Nru canl-c-2.1.7/src/proxy/sslutils.c canl-c-2.1.8/src/proxy/sslutils.c
--- canl-c-2.1.7/src/proxy/sslutils.c	2016-08-19 10:20:46.0 +0200
+++ canl-c-2.1.8/src/proxy/sslutils.c	2017-02-23 22:16:26.0 +0100
@@ -1934,20 +1934,7 @@
  }
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x1000L
-case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
-  /*
-   * OpenSSL 1.0 causes the cert to be added twice to 
-   * the store.
-   */
-  if (proxy_check_proxy_name(ctx->cert) && 
-  !X509_cmp(ctx->cert, ctx->current_cert))
-ok = 1;
-  break;
-#endif
-
 case X509_V_ERR_INVALID_CA:
-case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
   /*
* This may happen since proxy issuers are not CAs
*/
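Review bot: X509_V_ERR_INVALID_CA is still overridden after this hunk, justified by "proxy issuers are not CAs", but the condition under which it sets ok lies outside the visible context. With X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and the X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE workaround dropped here, please confirm that the remaining override fires only when the issuing certificate has itself been verified, and add a test for the OpenSSL 1.0 "cert added twice to the store" case the removed block was written for, so a regression shows up as a test failure rather than as rejected valid proxies.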
@@ -1966,14 +1953,6 @@
   }
   break;
 
-case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
-case X509_V_ERR_CERT_UNTRUSTED:
-  if (proxy_check_proxy_name(ctx->current_cert) > 0) {
-/* Server side, needed to fully recognize a proxy. */
-ok = 1;
-  }
-  break;
-
 #ifdef X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
 case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
   /* Proxies ARE allowed */
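Review bot: Nothing in this debdiff tests the behaviour that changes with the removal of the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY / X509_V_ERR_CERT_UNTRUSTED case, where proxy_check_proxy_name(ctx->current_cert) > 0 alone was enough to set ok = 1 and clear a trust error. Suggest a regression test that presents a proxy-named certificate whose issuer is absent from the trust store and asserts that verification fails. The removed comment says the override was "needed to fully recognize a proxy" on the server side, so it is also worth stating where legitimate proxies are recognized now (the ChangeLog points at proxy_verify_cert_chain()).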
@@ -2291,50 +2270,26 @@
 X509_STORE *cert_store = NULL;
 X509_LOOKUP *   lookup = NULL;
 X509_STORE_CTX  csc;
-X509 *  xcert = NULL;
-X509 * 

Bug#854263: unblock: voms/2.1.0~rc0-2

2017-02-05 Thread Mattias Ellert
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

voms/2.1.0~rc0-2 closes #854211.

When the voms library is used together with the globus libraries an
assertion was triggered in the previous version (voms/2.1.0~rc0-1). The
updated version (voms/2.1.0~rc0-2) resolves this issue.

This restores e.g. the voms support in the myproxy package.

Mattias




Migration hint for cgsi-gsoap and lcgdm?

2015-09-10 Thread Mattias Ellert
Hi!

Version 1.3.8-1 of cgsi-gsoap has been a valid candidate for migration
to testing for some time, but hasn't done the migration yet. The "more
excuses" page says migrating the package would make four binary
packages built from the lcgdm source package uninstallable.

lcgdm in testing is at version 1.8.9-1+b1 and in unstable at version
1.8.9-1+b2.

If cgsi-gsoap 1.3.8-1 and lcgdm 1.8.9-1+b2 would migrate together it
wouldn't cause any breakage as far as I can tell, but doing the
migration one package at a time will cause breakage irrespectively of
which of the two migrates first. Can this be hinted?

Mattias





Bug#745475: broken auto-removal logic

2015-06-30 Thread Mattias Ellert
Thu 2014-11-20 at 08:14 +0100, Julien Cristau wrote:
> On Wed, Nov 19, 2014 at 07:23:28 +0100, Mattias Ellert wrote:
>
> > I would like to propose to increase the severity of this bug back to
> > serious. I find it extremely disruptive.
> >
> No, this bug is very much not serious.
>
> Cheers,
> Julien

I strongly disagree with this assessment.

This happens again and again and again. It is very far from very much
not serious.

Mattias




Bug#745475: broken auto-removal logic

2014-11-18 Thread Mattias Ellert
I would like to propose to increase the severity of this bug back to
serious. I find it extremely disruptive.

At the moment mariadb is broken, and every package that has a dependency
on mariadb-client | mysql-client or recursively depends on such a
package is marked autorm even though mysql is not broken.

Mattias





Bug#768538: unblock voms/2.0.11-4

2014-11-09 Thread Mattias Ellert
Control: -1 tags - moreinfo
Control: -1 retitle unblock: voms/2.0.11-5

New version with Pre-Depends: 2.0.11-5

Mattias





Bug#768506: unblock globus packages with fix for symlink-to-dir conversions

2014-11-09 Thread Mattias Ellert
Control: tags -1 - moreinfo

New versions with Pre-Depends:

globus-common/15.26-3
globus-authz/3.10-3
globus-authz-callout-error/3.5-3
globus-callout/3.13-3
globus-ftp-client/8.13-6
globus-ftp-control/5.12-3
globus-gass-copy/9.12-3
globus-gass-transfer/8.8-3
globus-gram-client/13.10-3
globus-gram-job-manager-callout-error/3.5-3
globus-gram-job-manager-scripts/6.7-3
globus-gram-protocol/12.12-3
globus-gridmap-callout-error/2.4-3
globus-gsi-callback/5.6-3
globus-gsi-cert-utils/9.10-3
globus-gsi-credential/7.7-3
globus-gsi-openssl-error/3.5-3
globus-gsi-proxy-core/7.7-3
globus-gsi-proxy-ssl/5.7-3
globus-gsi-sysconfig/6.8-3
globus-gssapi-error/5.4-3
globus-gssapi-gsi/11.13-3
globus-gss-assist/10.12-3
globus-openssl-module/4.6-3
globus-rsl/10.9-3
globus-scheduler-event-generator/5.7-3
globus-xio/4.15-3
globus-xio-gridftp-driver/2.8-3
globus-xio-gsi-driver/3.6-3

Mattias





Bug#768537: unblock: myproxy/6.0-2

2014-11-09 Thread Mattias Ellert
Control: -1 tags - moreinfo
Control: -1 retitle unblock: myproxy/6.0-3

New version with Pre-Depends: 6.0/3

Mattias





Bug#768537: unblock: myproxy/6.0-2

2014-11-09 Thread Mattias Ellert
Sat 2014-11-08 at 10:06 +0100, Mattias Ellert wrote:
> Closes: #768266 (Severity: serious; RC)
>
> In addition to fixing the above bug, the update also applies a patch to
> enable TLS. The previous package used SSLv3 only, which is no longer
> appropriate. Some of the tests in the test suite failed without the
> patch because Debian's openssl 1.0.1j-1 has disabled SSLv3. With the
> patch the test suite passes.

This test failure has since been reported as bug #768722

Unblocking this update will therefore also resolve that bug for the
release.

Mattias





Bug#768811: unblock: globus-simple-ca/4.14-3

2014-11-09 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Closes: #768771 (Severity: serious; RC)

diff -Nru globus-simple-ca-4.14/debian/changelog globus-simple-ca-4.14/debian/changelog
--- globus-simple-ca-4.14/debian/changelog	2014-10-29 05:35:25.0 +0100
+++ globus-simple-ca-4.14/debian/changelog	2014-11-09 12:02:35.0 +0100
@@ -1,3 +1,10 @@
+globus-simple-ca (4.14-3) unstable; urgency=medium
+
+  * Don't try to write to $HOME/.rnd during make check (Closes: #768771)
+  * Enable verbose tests
+
+ -- Mattias Ellert mattias.ell...@fysast.uu.se  Sun, 09 Nov 2014 10:35:42 +0100
+
 globus-simple-ca (4.14-2) unstable; urgency=medium
 
   * Move make check to build target (Closes: #765145)
diff -Nru globus-simple-ca-4.14/debian/patches/globus-simple-ca-rnd.patch globus-simple-ca-4.14/debian/patches/globus-simple-ca-rnd.patch
--- globus-simple-ca-4.14/debian/patches/globus-simple-ca-rnd.patch	1970-01-01 01:00:00.0 +0100
+++ globus-simple-ca-4.14/debian/patches/globus-simple-ca-rnd.patch	2014-11-09 11:48:29.0 +0100
@@ -0,0 +1,18 @@
+diff --git a/test/Makefile.am b/test/Makefile.am
+index 4ec92d2..0576f5c 100644
+--- a/test/Makefile.am
 b/test/Makefile.am
+@@ -6,7 +6,11 @@ test_scripts = $(check_SCRIPTS)
+ 
+ TESTS = $(test_scripts)
+ 
+-TEST_PATH=$(abs_top_builddir):$(GLOBUS_COMMON_PATH):$${PATH}
++TEST_PATH = $(abs_top_builddir):$(GLOBUS_COMMON_PATH):$${PATH}
+ 
+ EXTRA_DIST = $(check_SCRIPTS)
+-TESTS_ENVIRONMENT=export PATH=$(TEST_PATH);
++TESTS_ENVIRONMENT = export \
++PATH=$(TEST_PATH) \
++RANDFILE=$(abs_top_builddir)/test/.rnd;
++
++CLEANFILES = .rnd
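Review bot: globus-simple-ca-rnd.patch starts directly at "diff --git" with no header, so the reason for the RANDFILE setting is recorded only in the comment in debian/patches/series. Suggest adding a short patch header (description, author, whether it was forwarded upstream). It would also help to note there that RANDFILE points at $(abs_top_builddir)/test/.rnd while CLEANFILES lists a bare .rnd, which matches only because this Makefile.am is the one in test/.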
diff -Nru globus-simple-ca-4.14/debian/patches/series globus-simple-ca-4.14/debian/patches/series
--- globus-simple-ca-4.14/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ globus-simple-ca-4.14/debian/patches/series	2014-11-09 11:40:51.0 +0100
@@ -0,0 +1,2 @@
+# Don't try to write to ${HOME}/.rnd during make check
+globus-simple-ca-rnd.patch
diff -Nru globus-simple-ca-4.14/debian/rules globus-simple-ca-4.14/debian/rules
--- globus-simple-ca-4.14/debian/rules	2014-10-27 16:14:50.0 +0100
+++ globus-simple-ca-4.14/debian/rules	2014-11-09 11:58:11.0 +0100
@@ -18,6 +18,9 @@
 configure-stamp:
 	dh_testdir
 
+	# Avoid regenerating man page due to bad timestamps
+	touch -r grid-ca-create.xml grid-ca-create.1
+
 	dh_autoreconf
 
 	./configure \
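Review bot: The added "touch -r grid-ca-create.xml grid-ca-create.1" in configure-stamp is not listed in the 4.14-3 changelog entry, which mentions only the .rnd fix and the verbose tests. For an unblock request every change in the debdiff should be accounted for; suggest adding a changelog line for it that says why regenerating the man page has to be avoided.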
@@ -43,7 +46,7 @@
 	dh_testdir
 
 	$(MAKE)
-	$(MAKE) check
+	$(MAKE) check VERBOSE=1
 
 	touch $@
 




Bug#768537: unblock: myproxy/6.0-2

2014-11-08 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Closes: #768266 (Severity: serious; RC)

In addition to fixing the above bug, the update also applies a patch to
enable TLS. The previous package used SSLv3 only, which is no longer
appropriate. Some of the tests in the test suite failed without the
patch because Debian's openssl 1.0.1j-1 has disabled SSLv3. With the
patch the test suite passes.

Mattias

diff -Nru myproxy-6.0/debian/changelog myproxy-6.0/debian/changelog
--- myproxy-6.0/debian/changelog	2014-09-27 17:27:12.0 +0200
+++ myproxy-6.0/debian/changelog	2014-11-08 06:41:39.0 +0100
@@ -1,3 +1,10 @@
+myproxy (6.0-2) unstable; urgency=medium
+
+  * Properly handle symlink-to-dir conversion in doc package (Closes: #768266)
+  * Enable TLS - debian's openssl has disabled SSLv3 by default
+
+ -- Mattias Ellert mattias.ell...@fysast.uu.se  Fri, 07 Nov 2014 23:51:15 +0100
+
 myproxy (6.0-1) unstable; urgency=medium
 
   * Update to 6.0, adapt to Globus Toolkit 6
diff -Nru myproxy-6.0/debian/libmyproxy-doc.postinst myproxy-6.0/debian/libmyproxy-doc.postinst
--- myproxy-6.0/debian/libmyproxy-doc.postinst	1970-01-01 01:00:00.0 +0100
+++ myproxy-6.0/debian/libmyproxy-doc.postinst	2014-11-07 23:49:50.0 +0100
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+dpkg-maintscript-helper symlink_to_dir \
+/usr/share/doc/libmyproxy-doc \
+libmyproxy-dev 6.0-2~ \
+libmyproxy-doc -- $@
diff -Nru myproxy-6.0/debian/libmyproxy-doc.postrm myproxy-6.0/debian/libmyproxy-doc.postrm
--- myproxy-6.0/debian/libmyproxy-doc.postrm	1970-01-01 01:00:00.0 +0100
+++ myproxy-6.0/debian/libmyproxy-doc.postrm	2014-11-07 23:49:50.0 +0100
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+dpkg-maintscript-helper symlink_to_dir \
+/usr/share/doc/libmyproxy-doc \
+libmyproxy-dev 6.0-2~ \
+libmyproxy-doc -- $@
diff -Nru myproxy-6.0/debian/libmyproxy-doc.preinst myproxy-6.0/debian/libmyproxy-doc.preinst
--- myproxy-6.0/debian/libmyproxy-doc.preinst	1970-01-01 01:00:00.0 +0100
+++ myproxy-6.0/debian/libmyproxy-doc.preinst	2014-11-07 23:49:50.0 +0100
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+dpkg-maintscript-helper symlink_to_dir \
+/usr/share/doc/libmyproxy-doc \
+libmyproxy-dev 6.0-2~ \
+libmyproxy-doc -- $@
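Review bot: symlink_to_dir is called from the preinst here, but this debdiff does not touch debian/control, so nothing guarantees that the dpkg unpacking the package provides that dpkg-maintscript-helper command. Suggest adding a Pre-Depends on a dpkg version that supports symlink_to_dir.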
diff -Nru myproxy-6.0/debian/patches/myproxy-tls.patch myproxy-6.0/debian/patches/myproxy-tls.patch
--- myproxy-6.0/debian/patches/myproxy-tls.patch	1970-01-01 01:00:00.0 +0100
+++ myproxy-6.0/debian/patches/myproxy-tls.patch	2014-11-08 06:12:14.0 +0100
@@ -0,0 +1,53 @@
+diff --git a/myproxy.c b/myproxy.c
+index 24e744f..9f2fb65 100644
+--- a/myproxy.c
 b/myproxy.c
+@@ -544,8 +544,9 @@ myproxy_bootstrap_trust(myproxy_socket_attrs_t *attrs)
+ }
+ 
+ /* get trust root(s) from the myproxy-server */
+-ctx = SSL_CTX_new(SSLv3_client_method());
+-SSL_CTX_set_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
++ctx = SSL_CTX_new(SSLv23_client_method());
++SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 |
++			SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ 
+ if (!(sbio = BIO_new_ssl_connect(ctx))) goto error;
+ if ( (sockfd = get_connected_myproxy_host_socket(
+diff --git a/myproxy_ocsp.c b/myproxy_ocsp.c
+index 440f6ef..d39e1dc 100644
+--- a/myproxy_ocsp.c
 b/myproxy_ocsp.c
+@@ -311,11 +311,12 @@ int myproxy_ocsp_verify(X509 *cert, X509 *issuer) {
+ goto end;
+   }
+   X509_LOOKUP_add_dir(lookup, certdir, X509_FILETYPE_PEM);
+-  ctx = SSL_CTX_new(SSLv3_client_method());
++  ctx = SSL_CTX_new(SSLv23_client_method());
+   if (ctx == NULL) {
+ result = MYPROXY_OCSPRESULT_ERROR_OUTOFMEMORY;
+ goto end;
+   }
++  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+   SSL_CTX_set_cert_store(ctx, store);
+   SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NULL);
+ 
+diff --git a/ssl_utils.c b/ssl_utils.c
+index 0749e5b..4ff5aa5 100644
+--- a/ssl_utils.c
 b/ssl_utils.c
+@@ -2146,12 +2146,13 @@ ssl_verify_gsi_chain(SSL_CREDENTIALS *chain)
+X509_LOOKUP_add_dir(lookup, certdir, X509_FILETYPE_PEM);
+X509_STORE_CTX_init(csc, cert_store, chain-certificate, NULL);
+
+-   sslContext = SSL_CTX_new(SSLv3_server_method());
++   sslContext = SSL_CTX_new(SSLv23_server_method());
+if (sslContext == NULL) {
+   verror_put_string(Initializing SSL_CTX);
+   ssl_error_to_verror();
+   goto end;
+}
++   SSL_CTX_set_options(sslContext, SSL_OP_NO_SSLv2);
+ 
+SSL_CTX_set_purpose(sslContext, X509_PURPOSE_ANY);
+ 
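Review bot: With SSLv23_client_method() / SSLv23_server_method() and only SSL_OP_NO_SSLv2 set, all three contexts in myproxy.c, myproxy_ocsp.c and ssl_utils.c can still negotiate SSLv3 whenever the linked OpenSSL has it enabled; the patch relies on Debian's openssl build to turn it off. Since the changelog describes SSLv3 as disabled by default in Debian and the request calls it no longer appropriate, suggest adding SSL_OP_NO_SSLv3 to each SSL_CTX_set_options() call so the restriction is enforced in myproxy itself. The patch file also has no header describing its purpose or upstream status.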
diff -Nru myproxy-6.0/debian/patches/series myproxy-6.0/debian/patches/series
--- myproxy-6.0/debian/patches/series	2014-09-27 18:31:26.0 +0200
+++ myproxy-6.0/debian/patches/series	2014-11-08 06:05:21.0 +0100
@@ -2,3 +2,5 @@
 myproxy-pathmax.patch
 # Missing depandencies
 myproxy-deps.patch
+# Enable TLS
+myproxy-tls.patch



Bug#768538: unblock voms/2.0.11-4

2014-11-08 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Closes: #768276 (Severity: serious; RC)

Mattias

diff -Nru voms-2.0.11/debian/changelog voms-2.0.11/debian/changelog
--- voms-2.0.11/debian/changelog	2014-08-07 05:18:24.0 +0200
+++ voms-2.0.11/debian/changelog	2014-11-08 07:20:44.0 +0100
@@ -1,3 +1,9 @@
+voms (2.0.11-4) unstable; urgency=medium
+
+  * Properly handle symlink-to-dir conversion in doc package (Closes: #768276)
+
+ -- Mattias Ellert mattias.ell...@fysast.uu.se  Sat, 08 Nov 2014 07:19:30 +0100
+
 voms (2.0.11-3) unstable; urgency=medium
 
   * Drop depends on voms-dev in voms-doc (Closes: #755570)
diff -Nru voms-2.0.11/debian/control voms-2.0.11/debian/control
--- voms-2.0.11/debian/control	2014-08-07 05:05:04.0 +0200
+++ voms-2.0.11/debian/control	2014-11-08 07:41:14.0 +0100
@@ -2,7 +2,7 @@
 Priority: optional
 Maintainer: Mattias Ellert mattias.ell...@fysast.uu.se
 Build-Depends: debhelper (= 5), autoconf, automake, libtool, autotools-dev, libssl-dev, libexpat1-dev, gsoap, pkg-config, xsltproc, docbook-xml, docbook-xsl, doxygen-latex, texlive-fonts-recommended
-Standards-Version: 3.9.5
+Standards-Version: 3.9.6
 Section: libs
 Vcs-Browser: http://svn.nordugrid.org/trac/packaging/browser/debian/voms
 Vcs-Svn: http://svn.nordugrid.org/repos/packaging/debian/voms
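Review bot: debian/control gains a Standards-Version bump but no Pre-Depends, although the new voms-doc.preinst calls dpkg-maintscript-helper symlink_to_dir and therefore needs a dpkg that provides that command already at unpack time. Suggest adding the Pre-Depends on dpkg in this hunk; the Standards-Version change is also missing from the 2.0.11-4 changelog entry.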
diff -Nru voms-2.0.11/debian/voms-doc.postinst voms-2.0.11/debian/voms-doc.postinst
--- voms-2.0.11/debian/voms-doc.postinst	1970-01-01 01:00:00.0 +0100
+++ voms-2.0.11/debian/voms-doc.postinst	2014-11-08 07:24:55.0 +0100
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+dpkg-maintscript-helper symlink_to_dir \
+/usr/share/doc/voms-doc \
+voms-dev 2.0.11-4~ \
+voms-doc -- $@
diff -Nru voms-2.0.11/debian/voms-doc.postrm voms-2.0.11/debian/voms-doc.postrm
--- voms-2.0.11/debian/voms-doc.postrm	1970-01-01 01:00:00.0 +0100
+++ voms-2.0.11/debian/voms-doc.postrm	2014-11-08 07:24:55.0 +0100
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+dpkg-maintscript-helper symlink_to_dir \
+/usr/share/doc/voms-doc \
+voms-dev 2.0.11-4~ \
+voms-doc -- $@
diff -Nru voms-2.0.11/debian/voms-doc.preinst voms-2.0.11/debian/voms-doc.preinst
--- voms-2.0.11/debian/voms-doc.preinst	1970-01-01 01:00:00.0 +0100
+++ voms-2.0.11/debian/voms-doc.preinst	2014-11-08 07:24:55.0 +0100
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+dpkg-maintscript-helper symlink_to_dir \
+/usr/share/doc/voms-doc \
+voms-dev 2.0.11-4~ \
+voms-doc -- $@




Bug#768506: unblock globus packages with fix for symlink-to-dir conversions

2014-11-07 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi!

I got bug reports for 6 of the globus packages saying they did not
handle symlink to dir conversion properly.

However, the same problem exists in all globus packages providing a doc
binary package (except for one that just recently had the doc package
added and never had the symlink). I have uploaded updates for all 29
affected globus packages, and not only the 6 packages I got bug reports
for. I would like for you to consider unblocking all of them.

These uploads add the maintainer scripts needed to handle the
symlink-to-dir conversion properly to the latest version in unstable,
without other changes (except adding VERBOSE=1 to the make check call
where it was not there before).

For some of these updates, the version in unstable to which the fix for
the problem was applied had not already migrated to testing. The changes
w.r.t. the versions in testing are small (minor version updates only)
and for most of the packages the new upstream version was done after
upstream accepted the patches that were already applied in the debian
package of the previous version.

globus-authz 3.10-2 (Closes: #762857)
globus-authz-callout-error 3.5-2 (Closes: #762855)
globus-callout 3.13-2 (Closes: #762860)
globus-common 15.26-2 (Closes: #762862) [1]
globus-ftp-client 8.13-5
globus-ftp-control 5.12-2
globus-gass-copy 9.12-2
globus-gass-transfer 8.8-2
globus-gram-client 13.10-2 [2]
globus-gram-job-manager-callout-error 3.5-2
globus-gram-job-manager-scripts 6.7-2
globus-gram-protocol 12.12-2
globus-gridmap-callout-error 2.4-2
globus-gsi-callback 5.6-2
globus-gsi-cert-utils 9.10-2
globus-gsi-credential 7.7-2
globus-gsi-openssl-error 3.5-2
globus-gsi-proxy-core 7.7-2
globus-gsi-proxy-ssl 5.7-2
globus-gsi-sysconfig 6.8-2
globus-gssapi-error 5.4-2
globus-gssapi-gsi 11.13-2
globus-gss-assist 10.12-2
globus-openssl-module 4.6-2
globus-rsl 10.9-2 (Closes: #762863)
globus-scheduler-event-generator 5.7-2 (Closes: #762864)
globus-xio 4.15-2
globus-xio-gridftp-driver 2.8-2
globus-xio-gsi-driver 3.6-2

[1] The globus-common update also (Closes: #768219) - missing
Breaks/Replaces due to a man page moved from another package

[2] The globus-gram-client update to version 13.10-2 (the current
version in testing is 13.8-1) is an important security update. Even
without the fix for the symlink-to-dir problem I would have filed an
unblock request for the 13.10 version due to this. The 13.8 version
forced the use of SSLv3 (for compatibility with really old server
versions). This is not appropriate any more and upstream removed this in
the 13.10 update. Since Debian's openssl 1.0.1j-1 disables SSLv3, the
13.8 version does not work anymore against servers on Debian and the
13.10 is needed.

Mattias





Bug#728179: migration?

2014-01-03 Thread Mattias Ellert
As far as I can see the migration should be able to happen now. There
are no longer any packages in unstable that depend on libgsoap3.

https://ftp-master.debian.org/cruft-report-daily.txt says:

* source package gsoap version 2.8.16-2 no longer builds
  binary package(s): libgsoap3
  on armel,armhf,i386,ia64,mips,mipsel,powerpc,sparc
  - suggested command:
dak rm -m [auto-cruft] NBS (no longer built by gsoap) -s unstable -a 
armel,armhf,i386,ia64,mips,mipsel,powerpc,sparc -p -R -b libgsoap3
  - No dependency problem found

Maybe some hinting is needed?

Mattias





Bug#728179: latex2html causes condor not to build

2013-12-03 Thread Mattias Ellert
block 728179 by 723913
thanks

The condor binnmu due to the gsoap update failed during documentation
generation due to a recent problem with latex2html.

If \captions are removed from all \tables and \figures in the
documentation the build succeeds, but that is clearly not the right
thing to do...

Mattias





Bug#728179: Is anyone handling this?

2013-12-01 Thread Mattias Ellert
Due to changes in other build dependencies unrelated to the gsoap update
the cgsi-gsoap and lcgdm packages needed changes to the source package.
The need for binnmu of these packages therefore no longer exists.

The following is still needed:

 nmu gridsite . amd64 i386 powerpc sparc . -m Rebuild against libgsoap4
 nmu voms . ALL . -m Rebuild against libgsoap4
 nmu srm-ifce . ALL . -m Rebuild against libgsoap4
 nmu gfal2 . ALL . -m Rebuild against libgsoap4 and libgridsite2
 dw gfal2 . ALL . -m srm-ifce-dev ( 1.18.0-1+b1)
 nmu condor . ALL . -m Rebuild against libgsoap4
 nmu virtualbox . amd64 i386 . -m Rebuild against libgsoap4

Mattias





Bug#728179: Thanks

2013-12-01 Thread Mattias Ellert
Sun 2013-12-01 at 19:02 +0100, Mattias Ellert wrote:

>  dw gfal2 . ALL . -m srm-ifce-dev ( 1.18.0-1+b1)

That should have been = 1.18.0-1+b1 - sorry for screwing up.

And many thanks for executing the nmus.

Mattias





Bug#728179: Is anyone handling this?

2013-11-30 Thread Mattias Ellert
Is anyone receiving this bug report? It was filed a month ago and I have
not received any response so far.

Since my last mail nordugrid-arc was updated to a new version and was
built with the new gridsite, so it no longer needs a binnmu.

 nmu gridsite . amd64 i386 powerpc sparc . -m Rebuild against libgsoap4
 nmu voms . ALL . -m Rebuild against libgsoap4
 nmu cgsi-gsoap . ALL . -m Rebuild against libgsoap4
 nmu lcgdm . ALL . -m Rebuild against libgsoap4
 dw lcgdm . ALL . -m libcgsi-gsoap-dev ( 1.3.5-2+b1)
 nmu srm-ifce . ALL . -m Rebuild against libgsoap4
 dw srm-ifce . ALL . -m libcgsi-gsoap-dev ( 1.3.5-2+b1)
 nmu gfal2 . ALL . -m Rebuild against libgsoap4 and libgridsite2
 dw gfal2 . ALL . -m srm-ifce-dev ( 1.18.0-1+b1)
 nmu condor . ALL . -m Rebuild against libgsoap4
 nmu virtualbox . amd64 i386 . -m Rebuild against libgsoap4






Bug#728179: Status

2013-11-18 Thread Mattias Ellert
Current status:

  canl-c (accepted - built for all primary archs)
  gsoap (update accepted - built for all primary archs.
 libgsoap3 needs removal - replaced with libgsoap4)
  gridsite (amd64, i386, powerpc and sparc need binnmu for
libgsoap3 → libgsoap4 transition. libgridsite1.7 needs
removal - replaced with libgridsite2)
  voms (all primary archs need binnmu for libgsoap3 → libgsoap4
transition)
  cgsi-gsoap (all primary archs need binnmu for libgsoap3 → libgsoap4
  transition)
  lcgdm (all primary archs need binnmu for libgsoap3 → libgsoap4
 transition - must be done after the cgsi-gsoap binnmu)
  srm-ifce (all primary archs need binnmu for libgsoap3 → libgsoap4
transition - must be done after the cgsi-gsoap binnmu)
  gfal2 (all primary archs need binnmu for libgsoap3 → libgsoap4
 and libgridsite1.7 → libgridsite2 transitions - must be done
 after the srm-ifce binnmu)
  nordugrid-arc (all primary archs need binnmu for libgridsite1.7 →
 libgridsite2 transition)
  condor (all primary archs need binnmu for libgsoap3 → libgsoap4
  transition)
  virtualbox [contrib] (amd64 and i386 need binnmu for libgsoap3 →
libgsoap4 transition)

Mattias





Bug#728179: transition: libgsoap4, libgridsite2, canl-c

2013-10-29 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi!

There are currently three packages that are somewhat tangled.

1) canl-c 2.1.2-1

This package is in the NEW queue - it is a new dependency for gridsite
2.0.4 below.

2) gridsite 2.0.4-2

Updated version of the gridsite package. Accepted in testing, but not
buildable due to the missing canl-c. This update means a transition from
libgridsite1.7 to libgridsite2.

3) gsoap 1.8.16-1

Updated gsoap package. This is in the NEW queue and means a transition
for libgsoap3 to libgsoap4. The gridsite package above depends on gsoap.


Packages needing rebuild:

  canl-c (in NEW queue)
  gsoap (in NEW queue)
  gridsite (depends canl-c, gsoap)
  voms (depends gsoap)
  cgsi-gsoap (depends gsoap, voms)
  lcgdm (depends gsoap, cgsi-gsoap, voms)
  srm-ifce (depends cgsi-gsoap)
  gfal2 (depends gsoap, gridsite, lcgdm, srm-ifce)
  nordugrid-arc (depends gridsite)
  condor (depends gsoap)
  virtualbox [contrib] (depends gsoap)

Mattias




Bug#720611: nmu: cgsi-gsoap on sh4

2013-08-23 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi,

libcgsi-gsoap1_1.3.5-2 was built against libgsoap3 on all architectures
except sh4, where it was built against libgsoap2.

nmu libcgsi-gsoap1_1.3.5-2 . sh4 . -m Rebuild for libgsoap3





Bug#709312: nmu: Packages depending on gsoap

2013-05-22 Thread Mattias Ellert
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: binnmu

The update of gsoap from version 2.8.7 to 2.8.12 has changed the package
name for the gsoap libraries from libgsoap2 to libgsoap3.

Depending packages therefore need to be rebuilt.

The cgsi-gsoap package required changes to the source package and has
been updated.

The voms package was updated because of a new upstream release
(2.0.10-1) and was then rebuilt with the new gsoap version.

The remaining packages should be binnmu'ed

srm-ifce (1.15.2-2)

gfal2 (2.2.1-2)
  - preferably built after srm-ifce due to build dep on srm-ifce-dev

lcgdm (1.8.6-3)

condor (7.8.2~dfsg.1-1+deb7u1 [unstable] and 7.8.7~dfsg.1-1 [exp])

virtualbox (4.2.10-dfsg-1 [contrib])
  - only amd64 needs nmu, i386 was built with newer deps.

Mattias





Bug#685663: Upload to t-p-u

2012-12-12 Thread Mattias Ellert
Hi!

Since there was an RC bug reported against version 2.0.0-3 (some missing
Replaces/Breaks), allowing this version back in to testing again would
not be a good idea. I created a 2.0.0-3+wheezy1 version with the same
fix that is in 2.0.0-5 and uploaded it to testing-proposed-updates.

Mattias





Bug#695768: unblock globus-common/14.7-2

2012-12-12 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception

unblock globus-common/14.7-2

globus-common 14.7-2 implements a fix for an RC bug (#694392) that also
affects the current version in testing (14.6-1).

The changes between the 14.6 and 14.7 upstream source versions -
ignoring the autotools generated files (aclocal.m4, Makefile.in,
config.guess, config.sub, configure, install-sh, ltmain.sh, missing) -
only consist of the addition of doxygen documentation to some previously
undocumented functions and changing the version number. So no actual
code changes.

Mattias





Bug#685663: unblock nordugrid-arc/2.0.0-3

2012-11-21 Thread Mattias Ellert
Thu 2012-08-23 at 17:54 +0200, Cyril Brulebois wrote:
> Hi Mattias,
>
> Mattias Ellert mattias.ell...@fysast.uu.se (23/08/2012):
> > The nordugrid-arc 2.0.0-3 package had already migrated to testing before
> > the freeze, but was kicked out because a dependency of one of its binary
> > packages was removed due to an RC classified bug. That package (bdii)
> > has since been fixed and an unblock request for the fix has been filed.
>
> I'm not sure we're going to consider unblocking bdii, at least in its
> current form. It looks like a package which pretty much fails to comply
> with the freeze policy, so unless you come up with minimal changes to
> only fix actual bugs…
>
> (Hint: new upstream release, changing configuration, adding features,
> fixing lintian warnings, rewriting copyright, etc. are *not* things to
> do in unstable when you have RC bug fixes you want to get into testing.)
>
> Mraw,
> KiBi.

Hi!

bdii 5.2.5-2+wheezy3 was accepted into testing proposed updates on Nov
2. So the missing dependency of nordugrid-arc is back.

Could nordugrid-arc be added to testing proposed updates too?

Mattias





Bug#683142: unblock: bdii/5.2.12-1

2012-09-05 Thread Mattias Ellert
Fri 2012-08-31 at 14:01 +0200, Niels Thykier wrote:
>
> I believe the RC bug fix on 5.2.5-2 should be reasonably sane and let's
> take that as a starting point.
>
> ~Niels

bdii_5.2.5-2+wheezy1 was uploaded to testing-proposed-updates.

Mattias





Bug#683142: Proposed backport

2012-08-27 Thread Mattias Ellert
Thu 2012-08-23 at 17:54 +0200, Cyril Brulebois wrote:
> Hi Mattias,
>
> I'm not sure we're going to consider unblocking bdii, at least in its
> current form. It looks like a package which pretty much fails to comply
> with the freeze policy, so unless you come up with minimal changes to
> only fix actual bugs…
>
> (Hint: new upstream release, changing configuration, adding features,
> fixing lintian warnings, rewriting copyright, etc. are *not* things to
> do in unstable when you have RC bug fixes you want to get into testing.)
>
> Mraw,
> KiBi.

Thank you for your feedback.

I here attach a debdiff for a proposed backport of the fix to the RC bug
only. Is this an acceptable change?


diff -Nru bdii-5.2.5/debian/bdii.lintian-overrides bdii-5.2.5/debian/bdii.lintian-overrides
--- bdii-5.2.5/debian/bdii.lintian-overrides	2011-06-14 11:58:13.0 +0200
+++ bdii-5.2.5/debian/bdii.lintian-overrides	2012-08-24 09:09:48.0 +0200
@@ -1,2 +1,2 @@
-bdii: non-standard-file-perm *etc/bdii/bdii-slapd.conf 0640 != 0644
-bdii: non-standard-file-perm *etc/bdii/bdii-top-slapd.conf 0640 != 0644
+bdii: non-standard-file-perm *usr/share/bdii/bdii-slapd.conf 0640 != 0644
+bdii: non-standard-file-perm *usr/share/bdii/bdii-top-slapd.conf 0640 != 0644
diff -Nru bdii-5.2.5/debian/bdii.postinst bdii-5.2.5/debian/bdii.postinst
--- bdii-5.2.5/debian/bdii.postinst	2011-09-27 07:49:57.0 +0200
+++ bdii-5.2.5/debian/bdii.postinst	2012-08-24 11:00:12.0 +0200
@@ -3,14 +3,21 @@
 set -e
 
 sed s/\(rootpw *\)secret/\1$(mkpasswd -s 0 | tr '/' 'x')/ \
--i /etc/bdii/bdii-slapd.conf /etc/bdii/bdii-top-slapd.conf
+-i /usr/share/bdii/bdii-slapd.conf /usr/share/bdii/bdii-top-slapd.conf
 
-chown openldap:openldap /etc/bdii/bdii-slapd.conf
-chown openldap:openldap /etc/bdii/bdii-top-slapd.conf
+chown openldap:openldap /usr/share/bdii/bdii-slapd.conf
+chown openldap:openldap /usr/share/bdii/bdii-top-slapd.conf
 chown -R openldap:openldap /var/lib/bdii
 chown -R openldap:openldap /var/log/bdii
 
+# Old versions with slapd configs listed in conffiles
+dpkg-maintscript-helper rm_conffile \
+/etc/bdii/bdii-slapd.conf 5.2.5-2+wheezy1~ bdii -- $@
+dpkg-maintscript-helper rm_conffile \
+/etc/bdii/bdii-top-slapd.conf 5.2.5-2+wheezy1~ bdii -- $@
+
 # Remove obsolete cron script left behind by dpkg
-rm -f /etc/cron.d/bdii-proxy
+dpkg-maintscript-helper rm_conffile \
+/etc/cron.d/bdii-proxy 5.2.5-2+wheezy1~ bdii -- $@
 
 #DEBHELPER#
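Review bot: Writing the generated rootpw into /usr/share/bdii/bdii-slapd.conf and bdii-top-slapd.conf with sed -i means package-owned files under /usr/share are modified at install time and carry a per-host secret; they will differ from what dpkg shipped, and each upgrade unpacks the packaged "secret" default again until postinst has run. Consider generating the password into a file that is not shipped in the package, for example under /var/lib/bdii, which this script already hands to openldap.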
diff -Nru bdii-5.2.5/debian/bdii.postrm bdii-5.2.5/debian/bdii.postrm
--- bdii-5.2.5/debian/bdii.postrm	1970-01-01 01:00:00.0 +0100
+++ bdii-5.2.5/debian/bdii.postrm	2012-08-24 11:00:12.0 +0200
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+# Old versions with slapd configs listed in conffiles
+dpkg-maintscript-helper rm_conffile \
+/etc/bdii/bdii-slapd.conf 5.2.5-2+wheezy1~ bdii -- $@
+dpkg-maintscript-helper rm_conffile \
+/etc/bdii/bdii-top-slapd.conf 5.2.5-2+wheezy1~ bdii -- $@
+
+# Remove obsolete cron script left behind by dpkg
+dpkg-maintscript-helper rm_conffile \
+/etc/cron.d/bdii-proxy 5.2.5-2+wheezy1~ bdii -- $@
+
+#DEBHELPER#
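Review bot: All three rm_conffile calls in this new postrm pass the maintainer-script arguments as a bare $@, which is subject to word splitting and globbing; the form given in dpkg-maintscript-helper(1) is -- "$@". The identical blocks in bdii.postinst and bdii.preinst need the same change.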
diff -Nru bdii-5.2.5/debian/bdii.preinst bdii-5.2.5/debian/bdii.preinst
--- bdii-5.2.5/debian/bdii.preinst	1970-01-01 01:00:00.0 +0100
+++ bdii-5.2.5/debian/bdii.preinst	2012-08-24 11:00:12.0 +0200
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+# Old versions with slapd configs listed in conffiles
+dpkg-maintscript-helper rm_conffile \
+/etc/bdii/bdii-slapd.conf 5.2.5-2+wheezy1~ bdii -- $@
+dpkg-maintscript-helper rm_conffile \
+/etc/bdii/bdii-top-slapd.conf 5.2.5-2+wheezy1~ bdii -- $@
+
+# Remove obsolete cron script left behind by dpkg
+dpkg-maintscript-helper rm_conffile \
+/etc/cron.d/bdii-proxy 5.2.5-2+wheezy1~ bdii -- $@
+
+#DEBHELPER#
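Review bot: These rm_conffile calls run unconditionally in preinst, where the helper is provided by whatever dpkg is installed before the upgrade, and the visible part of the debdiff has no debian/control change adding a Pre-Depends. dpkg-maintscript-helper(1) asks for either a Pre-Depends on dpkg (>= 1.15.7.2) or a guard such as "if dpkg-maintscript-helper supports rm_conffile 2>/dev/null; then ... fi" around the calls; with set -e in effect, a missing or too-old helper would abort the upgrade before unpack.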
diff -Nru bdii-5.2.5/debian/changelog bdii-5.2.5/debian/changelog
--- bdii-5.2.5/debian/changelog	2011-09-27 07:58:08.0 +0200
+++ bdii-5.2.5/debian/changelog	2012-08-24 09:08:29.0 +0200
@@ -1,3 +1,9 @@
+bdii (5.2.5-2+wheezy1) testing; urgency=low
+
+  * Backport RC bug fix to wheezy (Closes: #663444)
+
+ -- Mattias Ellert mattias.ell...@fysast.uu.se  Fri, 24 Aug 2012 09:00:09 +0200
+
 bdii (5.2.5-2) unstable; urgency=low
 
   * Remove obsolete cron script left behind by dpkg (Closes: #642589)
diff -Nru bdii-5.2.5/debian/rules bdii-5.2.5/debian/rules
--- bdii-5.2.5/debian/rules	2011-09-04 20:21:31.0 +0200
+++ bdii-5.2.5/debian/rules	2012-08-24 10:49:27.0 +0200
@@ -45,6 +45,13 @@
 	sed s/BDII_USER=.*/BDII_USER=openldap/ \
 	-i debian/bdii/etc/bdii/bdii.conf
 
+	# Move bdii slapd config files out of /etc
+	mkdir debian/bdii/usr/share/bdii
+	mv debian/bdii/etc/bdii/bdii-slapd.conf debian/bdii/usr/share/bdii
+	mv debian/bdii/etc/bdii/bdii-top-slapd.conf debian/bdii/usr/share/bdii
+	ln -s ../../usr/share/bdii/bdii-slapd.conf debian/bdii/etc/bdii
+	ln -s ../../usr/share/bdii/bdii-top-slapd.conf debian/bdii/etc/bdii
+
 binary-arch:
 #	:
 
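Review bot: The added "mkdir debian/bdii/usr/share/bdii" has no -p, so the build stops at this line if debian/bdii/usr/share has not been created by an earlier step, or if the directory already exists when the target is re-run without a clean; mkdir -p covers both cases. The relative link target ../../usr/share/bdii/... does resolve correctly from /etc/bdii, but the comment above the block should also say that the postinst rewrites rootpw in the moved files, since that is why they keep mode 0640 in their new location.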
@@ -60,6

Bug#685663: unblock nordugrid-arc/2.0.0-3

2012-08-23 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception
Control: block -1 by 683142

unblock nordugrid-arc/2.0.0-3

The nordugrid-arc 2.0.0-3 package had already migrated to testing before
the freeze, but was kicked out because a dependency of one of its binary
packages was removed due to an RC classified bug. That package (bdii)
has since been fixed and an unblock request for the fix has been filed.

This is a request to unblock this package so that it can get back in
when its currently blocked dependency (bdii) is unblocked.

Mattias





Bug#683142: Updated version

2012-08-13 Thread Mattias Ellert
retitle 683142 unblock: bdii/5.2.12-2
thanks

An updated package using the dpkg-maintscript-helper script as requested
is now available in unstable.

Mattias





Bug#683142: unblock: bdii/5.2.12-1

2012-07-31 Thread Mattias Ellert
On Sun, 2012-07-29 at 12:46 +0200, Niels Thykier wrote:
 On 2012-07-29 06:47, Mattias Ellert wrote:
  Package: release.debian.org
  Severity: normal
  User: release.debian@packages.debian.org
  Usertags: freeze-exception
  
  unblock bdii/5.2.12-1
  
  Hi!
  
  The bdii package was removed from testing due to an RC bug, together
  with the packages that depend on it. The 5.2.12-1 update fixes the RC
  bug (bug #663444). I would like to request a freeze exception for this
  update to allow the bdii package and the packages depending on it to be
  part of the release.
  
  Mattias
  
 
 Why did you include a new upstream release in this?  It makes it harder
 for us to review and reduces the chance for you to get the unblock?
 Does this upstream release have important bug fixes, if so what are they?

I had been preparing an update to a new upstream release for a long time
before finally making the upload. On several occasions I have completed
a potential update and then looked at the BTS and thought that I should
fix that RC bug before doing the upload. Since fixing the RC bug was not
trivial this always meant that I held off doing the upload. I finally did
fix the RC bug. The fixed package compared to the last package I
prepared and did not upload was really just fixing the RC bug.

The changes in the package between the previous upload and the new one
are very minor. It is true that if you list the files changed the list
is not short, but most of the changed files are in the debian directory.
These changes are there to do the fix of the RC bug, fix some lintian
warnings and update the copyright file to the new recommended format.
The changes to the patches are just dropping the parts of the patches
that were accepted upstream and rebasing the remaining parts.

As for the changes to the upstream itself, i.e. the files outside the
debian directory, these are mainly changes to the default configuration
to reduce the memory consumption and to add support for IPv6.

 --- bdii-5.2.5/debian/bdii.preinst
 +++ bdii-5.2.12/debian/bdii.preinst
 @@ -0,0 +1,16 @@
 +#!/bin/sh
 +
 +set -e
 +
 +if [ $1 = upgrade ] ; then
 +if dpkg --compare-versions $2 lt 5.2.12 ; then
 +# Old versions with slapd configs listed in conffiles
 +   if [ -w /var/lib/dpkg/info/bdii.conffiles ] ; then
 +   sed -e /bdii-slapd.conf/d -e /bdii-top-slapd.conf/d \
 +   -i /var/lib/dpkg/info/bdii.conffiles
 +   fi
 +   rm -f /etc/bdii/bdii-slapd.conf /etc/bdii/bdii-top-slapd.conf
 +fi
 +fi
 +
 +#DEBHELPER#
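Review bot: The sed -i on /var/lib/dpkg/info/bdii.conffiles edits dpkg's internal database from a maintainer script, and the rm -f that follows deletes /etc/bdii/bdii-slapd.conf and /etc/bdii/bdii-top-slapd.conf even when the administrator has modified them. dpkg-maintscript-helper rm_conffile avoids both problems: it leaves the database to dpkg and keeps a locally modified file as a .dpkg-bak copy. As shown, the tests "[ $1 = upgrade ]" and "--compare-versions $2" also use unquoted parameters, so the [ expression is malformed whenever $1 is empty.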
 
 
 I think dpkg-maintscript-helper rm_conffile is what you want to be
 policy compliant, but I could be wrong.

Yes this is probably a better idea. I was very happy when I managed to
write a maintainer script that solved the RC bug. But looking at the
code in the dpkg-maintscript-helper script I realize that there are
corner cases that are not properly handled by my script.

 I haven't read the full diff, so there are possibly more issues lurking
 in it.  In its current state, I am not inclined to grant an exception.
 
 ~Niels
 
 PS: urgency=high has no effect when the package is not in testing (in
 case you weren't aware of it)

I was not aware. However, the package was in testing until 2 days before
I did the upload. The fact the package was removed made the update very
urgent - and then the urgency is ignored because it was removed.
Well... I don't make the rules.

I can make another update using the dpkg-maintscript-helper script
instead of my own not-so-great fix. If you truly do not want to take
advantage of the fixes for memory usage and IPv6 support I could also
upload a version where I backport the fix for the RC bug to the 5.2.5
version. But I personally think using the new version would be better.
Let me know what you think is better.

Mattias





Bug#683142: unblock: bdii/5.2.12-1

2012-07-28 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception

unblock bdii/5.2.12-1

Hi!

The bdii package was removed from testing due to an RC bug, together
with the packages that depend on it. The 5.2.12-1 update fixes the RC
bug (bug #663444). I would like to request a freeze exception for this
update to allow the bdii package and the packages depending on it to be
part of the release.

Mattias





Migration hint for cgsi-gsoap and lfc?

2011-09-16 Thread Mattias Ellert
Hi!

grep-excuses says:

ellert@debian-wheezy:~$ grep-excuses lfc
lfc (1.8.0.1-1 to 1.8.1.2-1)
Maintainer: Mattias Ellert 
11 days old (needed 10 days)
Valid candidate
ellert@debian-wheezy:~$ grep-excuses cgsi-gsoap
cgsi-gsoap (1.3.4.0-1 to 1.3.4.2-1)
Maintainer: Mattias Ellert 
12 days old (needed 10 days)
Valid candidate

but the migration doesn't seem to happen.

The reason listed under more excuses, i.e. that some packages would
become uninstallable, doesn't seem to make sense to me.

Would it help to hint them together?

Mattias





Re: Migration hint for cgsi-gsoap and lfc?

2011-09-16 Thread Mattias Ellert
On Fri, 2011-09-16 at 11:34 +0100, Adam D. Barratt wrote:
 On Fri, 16 Sep 2011 11:33:03 +0200, Mattias Ellert wrote:
  ellert@debian-wheezy:~$ grep-excuses lfc
  lfc (1.8.0.1-1 to 1.8.1.2-1)
  Maintainer: Mattias Ellert
  11 days old (needed 10 days)
  Valid candidate
  ellert@debian-wheezy:~$ grep-excuses cgsi-gsoap
  cgsi-gsoap (1.3.4.0-1 to 1.3.4.2-1)
  Maintainer: Mattias Ellert
  12 days old (needed 10 days)
  Valid candidate
 
  but the migration doesn't seem to happen.
 
  The reason listed under more excuses, i.e. that some packages would
  become uninstallable, doesn't seem to make sense to me.
 
 It's perfectly correct.  liblcgdm1 (from lfc) and libcgsi-gsoap1 (from 
 cgsi-gsoap) in testing both depend on libvomsapi0, whereas the versions 
 in unstable both depend on libvomsapi1.  dpm-mysql-copyd (at least) 
 depends on both liblcgdm1 and libcgsi-gsoap1 so migrating only one of 
 them would result in it indirectly depending on libvomsapi0 and 
 libvomsapi1.
 
 In itself that wouldn't be a problem, but for some reason those two 
 libraries conflict.
 
  Would it help to hint them together?
 
 Probably.  What would help more would be not having the library 
 packages conflict.  The fact that libvomsapi1 both Conflicts and 
 Replaces libvomsapi0 suggests that you're doing it wrong[tm].
 
 Specifically, the issue seems to be that the packages both contain 
 things like /usr/share/voms/vomses.template and /etc/vomses.  Those 
 seem like things that really shouldn't be in a shared library package.
 
 Regards,
 
 Adam

libvomsapi0 is orphan - it is no longer built by any source package.
According to the documentation

http://www.debian.org/doc/manuals/developers-reference/pkgs.html#removing-pkgs

such packages are supposed to be removed automatically, and filing a
removal request should not be necessary. I don't really understand why
it is still there in testing, I expected it to have been removed when
the new voms package migrated to testing.

On the other hand, I didn't expect that the voms package would migrate
before all packages that depended on libvomsapi0 had been rebuilt and no
longer had this dependency, and that then all these packages would then
migrate together. It seems there are details in how migration works that
I don't fully understand.

Mattias
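
Adam's explanation of why neither lfc nor cgsi-gsoap can migrate alone, modelled as an added example (not part of the thread and not britney's own code). The suite labels and function names are assumptions made for the illustration, and dependencies are simplified to have no alternatives.

```python
from itertools import product

# Constructed model of the relationships described in the thread. Suite labels
# and function names are assumptions of this example, not britney's own code.
VOMS_LIB = {"testing": "libvomsapi0", "unstable": "libvomsapi1"}
CONFLICTS = [("libvomsapi1", "libvomsapi0")]  # libvomsapi1 Conflicts libvomsapi0


def depends_after(lfc_from, cgsi_from):
    """Depends of each binary package in testing, given which suite's build of
    lfc and cgsi-gsoap is in testing ("testing" = old build, "unstable" = new)."""
    return {
        "liblcgdm1": {VOMS_LIB[lfc_from]},         # built from lfc
        "libcgsi-gsoap1": {VOMS_LIB[cgsi_from]},   # built from cgsi-gsoap
        "dpm-mysql-copyd": {"liblcgdm1", "libcgsi-gsoap1"},
        "libvomsapi0": set(),
        "libvomsapi1": set(),
    }


def install_set(pkg, depends):
    """Transitive closure of Depends (no alternatives in this small model)."""
    needed, todo = set(), [pkg]
    while todo:
        name = todo.pop()
        if name not in needed:
            needed.add(name)
            todo.extend(depends[name])
    return needed


def installable(pkg, depends):
    """A package is installable if its closure contains no conflicting pair."""
    needed = install_set(pkg, depends)
    return not any(a in needed and b in needed for a, b in CONFLICTS)


def migration_outcomes(pkg="dpm-mysql-copyd"):
    """Installability of pkg for every combination of migrated sources."""
    return {
        (lfc, cgsi): installable(pkg, depends_after(lfc, cgsi))
        for lfc, cgsi in product(("testing", "unstable"), repeat=2)
    }


if __name__ == "__main__":
    for (lfc, cgsi), ok in migration_outcomes().items():
        print(f"lfc from {lfc:8} cgsi-gsoap from {cgsi:8} -> "
              f"dpm-mysql-copyd {'installable' if ok else 'UNINSTALLABLE'}")
```

Only the two rows where both sources come from the same suite leave dpm-mysql-copyd installable, which is why a hint that migrates lfc and cgsi-gsoap together can succeed where each one alone is rejected.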





Bug#597884: unblock: globus-common/11.5-2

2010-09-24 Thread Mattias Ellert
On Fri, 2010-09-24 at 20:07 +0100, Adam D. Barratt wrote:
 On Thu, 2010-09-23 at 22:06 +0200, Mattias Ellert wrote:
  The only differences w.r.t. the 11.5-1 version currently in testing are a
  change to a single line in a header file done in order to solve an
  incompatibility issue with a header file from Boost and the addition of
  an additional depends to the -dev package.
 
 That's not quite the only change; there's also:
 
  patches/globus-common-setup.patch |   30 +++---
  patches/globus-common-usr.patch   |2 -
 
 which appear to be a couple of s/require/use/ changes (and a chunk of
 refresh noise in the first)?
 
 Also, _why_ is the new dependency required?  The changelog simply says
 that it has been added with no further detail.
 
 Regards,
 
 Adam

The change from require to use is a correction of the changes introduced
by the patch. The imported Perl module is not optional, and therefore
use should be used and not require.

The added dependency is the package that provides this Perl module. So
the change from require to use and the addition of the dependency are
really part of the same bugfix.

Mattias





Bug#597884: unblock: globus-common/11.5-2

2010-09-23 Thread Mattias Ellert
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception

Please unblock globus-common

The only differences w.r.t. the 11.5-1 version currently in testing are a
change to a single line in a header file done in order to solve an
incompatibility issue with a header file from Boost and the addition of
an additional depends to the -dev package.

unblock globus-common/11.5-2





Hint needed for globus-ftp-client?

2010-02-26 Thread Mattias Ellert
Hi!

The globus-ftp-client package is stuck in unstable:

Checking globus-ftp-client:
  * trying to update globus-ftp-client from 3.14-6 to 5.2-1
(candidate is 13 days old)
  * globus-ftp-client is not yet built on mips: 3.14-6 vs 5.2-1
(missing 1 binary: libglobus-ftp-client1)

The package is built on mips. However, the libglobus-ftp-client1 package
is replaced with libglobus-ftp-client2 due to a soname bump. All
packages that depended on libglobus-ftp-client1 have either been updated
with new versions that Build-Depend on the new version (globus-gass-copy,
globus-gass-cache-program) or binNMUed (dpm, dpm-postgres). These builds
have completed successfully also on mips - though mips was the last to
complete, but that was 5 days ago now.

Mattias






Re: Hint needed for globus-ftp-client?

2010-02-26 Thread Mattias Ellert
On Fri, 2010-02-26 at 13:15 +, Adam D. Barratt wrote:
 Mattias Ellert wrote:
  Checking globus-ftp-client:
   * trying to update globus-ftp-client from 3.14-6 to 5.2-1
 (candidate is 13 days old)
   * globus-ftp-client is not yet built on mips: 3.14-6 vs 5.2-1
 (missing 1 binary: libglobus-ftp-client1)
 
  The package is built on mips. However, the libglobus-ftp-client1 package
  is replaced with libglobus-ftp-client2 due to a soname bump. All
  packages that depended on libglobus-ftp-client1 have either been updated
  with new versions that Build-Depend on the new version (globus-gass-copy,
  globus-gass-cache-program) or binNMUed (dpm, dpm-postgres). These builds
  have completed successfully also on mips - though mips was the last to
  complete, but that was 5 days ago now.
 
 It looks like a couple of packages still depend on libglobus-ftp-client1:
 
 # Broken Depends:
 globus-gram-job-manager: globus-gram-job-manager [alpha armel hppa hurd-i386 
 i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 sparc]
 nordugrid-arc-nox: nordugrid-arc-nox-plugins-globus [alpha amd64 armel hppa 
 i386 ia64 mips mipsel powerpc s390 sparc]
 
 globus-gram-job-manager has had a sourceful upload which can't be built 
 currently as it build-depends on libglobus-libxml2-dev, which is still in 
 NEW. nordugrid-arc-nox has a version in NEW.
 
 Regards,
 
 Adam 

Forgot about that one. The new version of that package doesn't depend on
it and I only grepped for dependencies in the new version.

I guess I just have to wait...

Mattias






Re: Please binNMU dpm and dpm-postgres against updated globus-ftp-client

2010-02-20 Thread Mattias Ellert
On Sat, 2010-02-13 at 09:52 +0100, Luk Claes wrote:
 Mattias Ellert wrote:
  Hi!
  
  The new version of globus-ftp-client bumps the soname from 1 to 2. For
  this reason dpm and dpm-postgres need to be rebuilt with the new
  version. The other packages depending on globus-ftp-client have been
  updated.
  
  nmu dpm_1.7.4.1-3 . ALL . -m 'Rebuild against updated globus-ftp-client.'
  dw dpm_1.7.4.1-3 . ALL . -m 'libglobus-ftp-client-dev (= 5.2-1)'
  nmu dpm-postgres_1.7.4.1-3 . ALL . -m 'Rebuild against updated globus-ftp-client.'
  dw dpm-postgres_1.7.4.1-3 . ALL . -m 'libglobus-ftp-client-dev (= 5.2-1)'
 
 Scheduled.
 
 Cheers
 
 Luk

Thank you.

However, it looks like hurd-i386 was not included in ALL.

Mattias





Please binNMU dpm and dpm-postgres against updated globus-ftp-client

2010-02-13 Thread Mattias Ellert
Hi!

The new version of globus-ftp-client bumps the soname from 1 to 2. For
this reason dpm and dpm-postgres need to be rebuilt with the new
version. The other packages depending on globus-ftp-client have been
updated.

nmu dpm_1.7.4.1-3 . ALL . -m 'Rebuild against updated globus-ftp-client.'
dw dpm_1.7.4.1-3 . ALL . -m 'libglobus-ftp-client-dev (= 5.2-1)'
nmu dpm-postgres_1.7.4.1-3 . ALL . -m 'Rebuild against updated globus-ftp-client.'
dw dpm-postgres_1.7.4.1-3 . ALL . -m 'libglobus-ftp-client-dev (= 5.2-1)'

Thanks.

Mattias


