Bug#1059427: bullseye-pu: package haproxy/2.2.9-2+deb11u6
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: hapr...@packages.debian.org, t...@security.debian.org Control: affects -1 + src:haproxy Hi, For ELTS I was fixing haproxy's CVES CVE-2023-40225 and CVE-2023-45539, and I also like to fix those for stable and oldstable. CC'ing the security team, in case they want to issue an DSA instead. The changes can also be found on the LTS repository: https://salsa.debian.org/lts-team/packages/haproxy [ Tests ] I've tested the fixes manually, using netcat to inject problematic http requests and confirm that the patched version rejects the malicous requests. (using nginx and also netcat as http server.) (Being verbose here to document the tests for later reference ;-)) haproxy is listening on port 8080 e.g for CVE-2023-40225: echo 'GET /index.nginx-debian.html# HTTP/1.0' | netcat localhost 8080 must be rejected with 400 Bad Request and without the "#" accepted. for CVE-2023-45539, nginx is stopped, and netcat listens on port 80: echo 'GET / HTTP/.1.1 host: whatever content-length: ' | netcat localhost 8080 If the request is accepted (and forwarded to the listening netcat), haproxy is vulnerable. If a "400 Bad request" ist thrown, without netcat receiving something, haproxy is not vulnerable. (haproxy is running on port 8080) [ Risks ] Upstream patch, applied cleanly. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Debdiff attached. I'v uploaded the package to o-s-p-u already. Cheers, -- tobi diff -Nru haproxy-2.2.9/debian/changelog haproxy-2.2.9/debian/changelog --- haproxy-2.2.9/debian/changelog 2023-04-10 16:18:09.0 +0200 +++ haproxy-2.2.9/debian/changelog 2023-12-25 09:46:44.0 +0100 @@ -1,3 +1,13 @@ +haproxy (2.2.9-2+deb11u6) bullseye; urgency=high + + * Non-maintainer upload by the Security Team. + * Import upstream patch for CVE-2023-40225, forwarding malformed +Content-Length Headers. Closes: #1043502. + * Import upstream patch for CVE-2023-45539, accepting invalid requests +containing '#' as part of the URI component. + + -- Tobias Frost Mon, 25 Dec 2023 09:46:44 +0100 + haproxy (2.2.9-2+deb11u5) bullseye-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru haproxy-2.2.9/debian/.gitlab-ci.yml haproxy-2.2.9/debian/.gitlab-ci.yml --- haproxy-2.2.9/debian/.gitlab-ci.yml 1970-01-01 01:00:00.0 +0100 +++ haproxy-2.2.9/debian/.gitlab-ci.yml 2023-12-25 09:46:44.0 +0100 @@ -0,0 +1,7 @@ +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + RELEASE: 'bullseye' diff -Nru haproxy-2.2.9/debian/patches/CVE-2023-40225.patch haproxy-2.2.9/debian/patches/CVE-2023-40225.patch --- haproxy-2.2.9/debian/patches/CVE-2023-40225.patch 1970-01-01 01:00:00.0 +0100 +++ haproxy-2.2.9/debian/patches/CVE-2023-40225.patch 2023-12-25 09:46:44.0 +0100 @@ -0,0 +1,257 @@ +Description: CVE-2023-40225 - http: reject any empty content-length header value + The content-length header parser has its dedicated function, in order + to take extreme care about invalid, unparsable, or conflicting values. + But there's a corner case in it, by which it stops comparing values + when reaching the end of the header. This has for a side effect that + an empty value or a value that ends with a comma does not deserve + further analysis, and it acts as if the header was absent. + . + While this is not necessarily a problem for the value ending with a + comma as it will be cause a header folding and will disappear, it is a + problem for the first isolated empty header because this one will not + be recontructed when next ones are seen, and will be passed as-is to the + backend server. A vulnerable HTTP/1 server hosted behind haproxy that + would just use this first value as "0" and ignore the valid one would + then not be protected by haproxy and could be attacked this way, taking + the payload for an extra request. + . + In field the risk depends on the server. Most commonly used servers + already have safe content-length parsers, but users relying on haproxy + to protect a known-vulnerable server might be at risk (and the risk of + a bug even in a reputable server should never be dismissed). + . + A configuration-based work-around consists in adding the following rule + in the frontend, to explicitly reject requests featuring an empty + content-length header that would have not be folded into an existing + one: + . + http-request deny if { hdr_len(content-length) 0 } + . + The real fix consists in adjusting the parser so that it always expects a + value at the beginning
Bug#1059426: bookworm-pu: package haproxy/2.6.12-1+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: hapr...@packages.debian.org X-Debbugs-Cc: t...@security.debian.org Control: affects -1 + src:haproxy Hi, For ELTS I was fixing haproxy's CVES CVE-2023-40225 and CVE-2023-45539, and I also like to fix those for stable and oldstable. CC'ing the security team, in case they want to issue an DSA instead. The changes can also be found on the LTS repository: https://salsa.debian.org/lts-team/packages/haproxy [ Tests ] I've tested the fixes manually, using netcat to inject problematic http requests and confirm that the patched version rejects the malicous requests. (using nginx and also netcat as http server.) (Being verbose here to document the tests for later reference ;-)) haproxy is listening on port 8080 e.g for CVE-2023-40225: echo 'GET /index.nginx-debian.html# HTTP/1.0' | netcat localhost 8080 must be rejected with 400 Bad Request and without the "#" accepted. for CVE-2023-45539, nginx is stopped, and netcat listens on port 80: echo 'GET / HTTP/.1.1 host: whatever content-length: ' | netcat localhost 8080 If the request is accepted (and forwarded to the listening netcat), haproxy is vulnerable. If a "400 Bad request" ist thrown, without netcat receiving something, haproxy is not vulnerable. (haproxy is running on port 8080) [ Risks ] Upstream patch, applied cleanly. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Debdiff attached. I'v uploaded the package to s-p-u already. diff -Nru haproxy-2.6.12/debian/changelog haproxy-2.6.12/debian/changelog --- haproxy-2.6.12/debian/changelog 2023-04-01 11:05:57.0 +0200 +++ haproxy-2.6.12/debian/changelog 2023-12-25 10:03:03.0 +0100 @@ -1,3 +1,13 @@ +haproxy (2.6.12-1+deb12u1) bookworm; urgency=high + + * Non-maintainer upload by the Security Team. + * Import upstream patch for CVE-2023-40225, forwarding malformed +Content-Length Headers. Closes: #1043502. + * Import upstream patch for CVE-2023-45539, accepting invalid requests +containing '#' as part of the URI component. + + -- Tobias Frost Mon, 25 Dec 2023 10:03:03 +0100 + haproxy (2.6.12-1) unstable; urgency=medium * New upstream version. diff -Nru haproxy-2.6.12/debian/.gitlab-ci.yml haproxy-2.6.12/debian/.gitlab-ci.yml --- haproxy-2.6.12/debian/.gitlab-ci.yml1970-01-01 01:00:00.0 +0100 +++ haproxy-2.6.12/debian/.gitlab-ci.yml2023-12-25 10:03:03.0 +0100 @@ -0,0 +1,7 @@ +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + RELEASE: 'bookworm' diff -Nru haproxy-2.6.12/debian/patches/CVE-2023-40225.patch haproxy-2.6.12/debian/patches/CVE-2023-40225.patch --- haproxy-2.6.12/debian/patches/CVE-2023-40225.patch 1970-01-01 01:00:00.0 +0100 +++ haproxy-2.6.12/debian/patches/CVE-2023-40225.patch 2023-12-25 10:03:03.0 +0100 @@ -0,0 +1,257 @@ +Description: CVE-2023-40225 - http: reject any empty content-length header value + The content-length header parser has its dedicated function, in order + to take extreme care about invalid, unparsable, or conflicting values. + But there's a corner case in it, by which it stops comparing values + when reaching the end of the header. This has for a side effect that + an empty value or a value that ends with a comma does not deserve + further analysis, and it acts as if the header was absent. + . + While this is not necessarily a problem for the value ending with a + comma as it will be cause a header folding and will disappear, it is a + problem for the first isolated empty header because this one will not + be recontructed when next ones are seen, and will be passed as-is to the + backend server. A vulnerable HTTP/1 server hosted behind haproxy that + would just use this first value as "0" and ignore the valid one would + then not be protected by haproxy and could be attacked this way, taking + the payload for an extra request. + . + In field the risk depends on the server. Most commonly used servers + already have safe content-length parsers, but users relying on haproxy + to protect a known-vulnerable server might be at risk (and the risk of + a bug even in a reputable server should never be dismissed). + . + A configuration-based work-around consists in adding the following rule + in the frontend, to explicitly reject requests featuring an empty + content-length header that would have not be folded into an existing + one: + . + http-request deny if { hdr_len(content-length) 0 } + . + The real fix consists in adjusting the parser so that it always expects a + value at the beginning of the header or aft
Bug#1057327: bookworm-pu: package amanda/3.5.1-11+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: ama...@packages.debian.org Control: affects -1 + src:amanda This upload fixes CVE-2023-30577, a backup-user-to-root vulnerability. After fixing this CVE already for unstable (NMU pending, ETA Friday), buster and stretch, I'd also like to fix it for bookworm and bullseye. The patch is taken from upstream [1] and has been merged already there. Package test suite is still happy. [1] https://github.com/zmanda/amanda/pull/228 [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [ ] the issue is verified as fixed in unstable (as said, pending NMU) I've uploaded the package already to the s-p-u queue. -- Cheers, tobi diff -Nru amanda-3.5.1/debian/changelog amanda-3.5.1/debian/changelog --- amanda-3.5.1/debian/changelog 2023-03-21 18:35:47.0 +0100 +++ amanda-3.5.1/debian/changelog 2023-12-03 14:17:07.0 +0100 @@ -1,3 +1,10 @@ +amanda (1:3.5.1-11+deb12u1) bookworm; urgency=high + + * Non-maintainer upload by the Security Team. + * Apply upstream fix for CVE-2023-30577 (Closes: #1055253) + + -- Tobias Frost Sun, 03 Dec 2023 14:17:07 +0100 + amanda (1:3.5.1-11) unstable; urgency=medium * d/p/49-fix-CVE-2022-37705_part_2: 48-fix-CVE-2022-37705 broken one use diff -Nru amanda-3.5.1/debian/patches/57-CVE-2023-30577.patch amanda-3.5.1/debian/patches/57-CVE-2023-30577.patch --- amanda-3.5.1/debian/patches/57-CVE-2023-30577.patch 1970-01-01 01:00:00.0 +0100 +++ amanda-3.5.1/debian/patches/57-CVE-2023-30577.patch 2023-12-03 13:55:48.0 +0100 @@ -0,0 +1,83 @@ +Description: CVE-2023-30577 - Local privilege escalation. +Origin: https://github.com/zmanda/amanda/pull/228 +Bug: https://github.com/zmanda/amanda/security/advisories/GHSA-crrw-v393-h5q3 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055253 +--- a/client-src/runtar.c b/client-src/runtar.c +@@ -39,6 +39,11 @@ + #include "amutil.h" + #include "conffile.h" + #include "client_util.h" ++#include ++ ++static const char *whitelisted_args[] = {"--blocking-factor", "--file", "--directory", "--exclude", "--transform", "--listed-incremental", "--newer", "--exclude-from", "--files-from", NULL}; ++ ++bool check_whitelist(char* option); + + int main(int argc, char **argv); + +@@ -49,6 +54,7 @@ + { + #ifdef GNUTAR + int i; ++char **j; + char *e; + char *dbf; + char *cmdline; +@@ -182,20 +188,23 @@ + g_str_has_prefix(argv[i],"--verbose")) { + /* Accept theses options */ + good_option++; +- } else if (g_str_has_prefix(argv[i],"--blocking-factor") || +- g_str_has_prefix(argv[i],"--file") || +- g_str_has_prefix(argv[i],"--directory") || +- g_str_has_prefix(argv[i],"--exclude") || +- g_str_has_prefix(argv[i],"--transform") || +- g_str_has_prefix(argv[i],"--listed-incremental") || +- g_str_has_prefix(argv[i],"--newer") || +- g_str_has_prefix(argv[i],"--exclude-from") || +- g_str_has_prefix(argv[i],"--files-from")) { ++ } else if (check_whitelist(argv[i])) { + if (strchr(argv[i], '=')) { + good_option++; + } else { + /* Accept theses options with the following argument */ + good_option += 2; ++ ++/* Whitelisting only the allowed arguments*/ ++for(j=whitelisted_args; *j; j++) { ++if (strcmp(argv[i], *j) == 0) { ++break; ++} ++} ++ ++if (!*j) { ++good_option = 0; // not allowing arguments absent in the whitelist ++} + } + } else if (argv[i][0] != '-') { + good_option++; +@@ -239,3 +248,23 @@ + return 1; + #endif + } ++ ++bool ++check_whitelist( ++gchar* option) ++{ ++bool result = TRUE; ++char** i; ++ ++for(i=whitelisted_args; *i; i++) { ++if (g_str_has_prefix(option, *i)) { ++break; ++} ++} ++ ++if (!*i) { ++result = FALSE; // not allowing arguments absent in the whitelist ++} ++ ++return result; ++} diff -Nru amanda-3.5.1/debian/patches/series amanda-3.5.1/debian/patches/series --- amanda-3.5.1/debian/patches/series 2023-03-21 18:35:47.0 +0100 +++ amanda-3.5.1/debian/patches/series 2023-12-03 14:09:19.0 +0100 @@ -49,3 +49,4 @@ 50-fix-CVE-2022-37704 52-fix-CVE-2022-37704_part_2 56-fix-CVE-2022-37703 +57-CVE-2023-30577.patch signature.asc Description: PGP signature
Bug#1057221: bullseye-pu: package opendkim/2.11.0~beta2-4+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: opend...@packages.debian.org Control: affects -1 + src:opendkim (The same as #1056732, this time targeting oldstable) After sponsoring the maintainer David Bürgin I've offered them to tackle s-p-u and o-s-p-u, addressing CVE-2022-48521. (Details: RFS #1056285) Before the upload, stable and sid were at the same version, namely 2.11.0~beta2-8, so the patch could been applied as is, without changes needed. Additional changes, not suitable for s-p-u have been dropped. The patch is authored by David Bürgin and they confirm that they have tested the patch and it indeeds fix the issue (quote from #1056285#19): > Hello Tobi, > > > A question to that: Can you elaborate a bit on the testing you have > > done to verify that this patch indeed fixes the vulnerability? > > (Asking, becasue unfortunatly there is not lot of information available > > e.g from the upstream issue and upstream seems to be generally very > > silent… > I developed the upstream patch, and so did do the necessary testing > locally. You can simply prepare a crafted message containing some > Authentication-Results headers and then see if the right ones get > deleted. (I've uploaded the package to the s-p-u queue already.) debdiff attached. diff -Nru opendkim-2.11.0~beta2/debian/changelog opendkim-2.11.0~beta2/debian/changelog --- opendkim-2.11.0~beta2/debian/changelog 2020-10-12 15:15:30.0 +0200 +++ opendkim-2.11.0~beta2/debian/changelog 2023-12-01 19:17:01.0 +0100 @@ -1,3 +1,13 @@ +opendkim (2.11.0~beta2-4+deb11u1) bullseye; urgency=high + + * Non-maintainer upload by the Security Team. + + [ David Bürgin ] + * Add patch "rev-ares-deletion.patch" for CVE-2022-48521: +Delete Authentication-Results headers in reverse (Closes: #1041107). + + -- Tobias Frost Fri, 01 Dec 2023 19:17:01 +0100 + opendkim (2.11.0~beta2-4) unstable; urgency=medium * Update debhelper-compat to compatibility level 13. diff -Nru opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch --- opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch 1970-01-01 01:00:00.0 +0100 +++ opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch 2023-12-01 19:11:21.0 +0100 @@ -0,0 +1,33 @@ +Description: Delete Authentication-Results headers in reverse (CVE-2022-48521) +Author: David Bürgin +Bug: https://github.com/trusteddomainproject/OpenDKIM/pull/189 + +--- a/opendkim/opendkim.c b/opendkim/opendkim.c +@@ -13651,9 +13651,16 @@ + return SMFIS_TEMPFAIL; + } + +- c = 0; ++ c = 1; ++ + for (hdr = dfc->mctx_hqhead; hdr != NULL; hdr = hdr->hdr_next) + { ++ if (strcasecmp(hdr->hdr_hdr, AUTHRESULTSHDR) == 0) ++c++; ++ } ++ ++ for (hdr = dfc->mctx_hqtail; hdr != NULL; hdr = hdr->hdr_prev) ++ { + memset(ares, '\0', sizeof(struct authres)); + + if (strcasecmp(hdr->hdr_hdr, AUTHRESULTSHDR) == 0) +@@ -13664,7 +13671,7 @@ + char *slash; + + /* remember index */ +-c++; ++c--; + + /* parse the header */ + arstat = ares_parse((u_char *) hdr->hdr_val, diff -Nru opendkim-2.11.0~beta2/debian/patches/series opendkim-2.11.0~beta2/debian/patches/series --- opendkim-2.11.0~beta2/debian/patches/series 2020-07-24 10:48:27.0 +0200 +++ opendkim-2.11.0~beta2/debian/patches/series 2023-12-01 19:14:10.0 +0100 @@ -4,3 +4,4 @@ fix-miltertest-eom-check-smtpreply.patch fix-genzone-subdomains.patch suppress-brackets-syslog.patch +rev-ares-deletion.patch signature.asc Description: PGP signature
Bug#1056732: bookworm-pu: package opendkim/2.11.0~beta2-8+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: opend...@packages.debian.org Control: affects -1 + src:opendkim After sponsoring the maintainer David Bürgin I've offered them to tackle s-p-u and o-s-p-u, addressing CVE-2022-48521. (Details: RFS #1056285) Before the upload, stable and sid were at the same version, namely 2.11.0~beta2-8, so the patch could been applied as is, without changes needed. Additional changes, not suitable for s-p-u have been dropped. The patch is authored by David Bürgin and they confirm that they have tested the patch and it indeeds fix the issue (quote from #1056285#19): > Hello Tobi, > > > A question to that: Can you elaborate a bit on the testing you have > > done to verify that this patch indeed fixes the vulnerability? > > (Asking, becasue unfortunatly there is not lot of information available > > e.g from the upstream issue and upstream seems to be generally very > > silent… > I developed the upstream patch, and so did do the necessary testing > locally. You can simply prepare a crafted message containing some > Authentication-Results headers and then see if the right ones get > deleted. (I've uploaded the package to the s-p-u queue already.) debdiff attached. -- Cheers, tobi diff -Nru opendkim-2.11.0~beta2/debian/changelog opendkim-2.11.0~beta2/debian/changelog --- opendkim-2.11.0~beta2/debian/changelog 2022-12-20 09:10:44.0 +0100 +++ opendkim-2.11.0~beta2/debian/changelog 2023-11-25 17:19:13.0 +0100 @@ -1,3 +1,13 @@ +opendkim (2.11.0~beta2-8+deb12u1) bookworm; urgency=medium + + * Non-Maintainer upload by the security team. + + [ David Bürgin ] + * Add patch "rev-ares-deletion.patch" for CVE-2022-48521: +Delete Authentication-Results headers in reverse (Closes: #1041107). + + -- Tobias Frost Sat, 25 Nov 2023 17:19:13 +0100 + opendkim (2.11.0~beta2-8) unstable; urgency=medium [ David Bürgin ] diff -Nru opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch --- opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch 1970-01-01 01:00:00.0 +0100 +++ opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch 2023-11-25 17:19:13.0 +0100 @@ -0,0 +1,33 @@ +Description: Delete Authentication-Results headers in reverse (CVE-2022-48521) +Author: David Bürgin +Bug: https://github.com/trusteddomainproject/OpenDKIM/pull/189 + +--- a/opendkim/opendkim.c b/opendkim/opendkim.c +@@ -13651,9 +13651,16 @@ + return SMFIS_TEMPFAIL; + } + +- c = 0; ++ c = 1; ++ + for (hdr = dfc->mctx_hqhead; hdr != NULL; hdr = hdr->hdr_next) + { ++ if (strcasecmp(hdr->hdr_hdr, AUTHRESULTSHDR) == 0) ++c++; ++ } ++ ++ for (hdr = dfc->mctx_hqtail; hdr != NULL; hdr = hdr->hdr_prev) ++ { + memset(ares, '\0', sizeof(struct authres)); + + if (strcasecmp(hdr->hdr_hdr, AUTHRESULTSHDR) == 0) +@@ -13664,7 +13671,7 @@ + char *slash; + + /* remember index */ +-c++; ++c--; + + /* parse the header */ + arstat = ares_parse((u_char *) hdr->hdr_val, diff -Nru opendkim-2.11.0~beta2/debian/patches/series opendkim-2.11.0~beta2/debian/patches/series --- opendkim-2.11.0~beta2/debian/patches/series 2022-12-12 14:41:20.0 +0100 +++ opendkim-2.11.0~beta2/debian/patches/series 2023-11-25 17:19:13.0 +0100 @@ -12,3 +12,4 @@ conf_refcnt.patch lua-5.3.patch fix-RSA_Sign-call.patch +rev-ares-deletion.patch signature.asc Description: PGP signature
Bug#1054915: bookworm-pu: package freerdp2/2.11.2+dfsg1-1~deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: freer...@packages.debian.org, t...@security.debian.org Control: affects -1 + src:freerdp2 I'm asking for pre-approval to update freerdp2 from 2.10.0 to 2.11.2. The changes from 2.10.0 to 2.11.2 are mainly targeting security fixes (12 CVE's, see security tracker [1] for details), [1] https://security-tracker.debian.org/tracker/source-package/freerdp2 upstream changelog is at https://github.com/FreeRDP/FreeRDP/blob/stable-2.0/ChangeLog all commits are: https://github.com/FreeRDP/FreeRDP/compare/2.10.0...2.11.2 When working on the LTS updates, I've been in contact in contact with the maintainer and one of the upstream maintainer and checked with them about feasbility and e.g confirmed that the new upstream version is ABI compatible. I've tested reverse dependencies (remmina, vinagre, gnome-connections) against a Windows 10 RDP host and confirmed packages are still working. Backporting the fixes is of course possible, but bears a significant risk for regression, therefor I would prefer to use the new upstream version, given also that upstream changes are only a few and fixing also a few bugs that would be nice to be fixed. As far as I understood it, the maintainers would also prefer the new version over patching the one in stable. (They are in CC, so can intervene if I got that wrong…) If this is a viable route, please let me know and I will prepare a debdiff for a the real approval. -- Cheers, tobi
Bug#1051552: bookworm-pu: package timg/1.4.5-1+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: t...@packages.debian.org Control: affects -1 + src:timg [ Reason ] Fixing CVE-2023-40968 (buffer overflow vulnerability) [ Risks ] Patch is trivial, taken from uptream; local testing done. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable diff -Nru timg-1.4.5/debian/changelog timg-1.4.5/debian/changelog --- timg-1.4.5/debian/changelog 2022-11-30 20:09:18.0 +0100 +++ timg-1.4.5/debian/changelog 2023-09-09 19:07:01.0 +0200 @@ -1,3 +1,9 @@ +timg (1.4.5-1+deb12u1) bookworm; urgency=medium + + * Cherry-pick upstream fix for CVE-2023-40968 (Closes: #1051231) + + -- Tobias Frost Sat, 09 Sep 2023 19:07:01 +0200 + timg (1.4.5-1) unstable; urgency=medium [ Tobias Frost ] diff -Nru timg-1.4.5/debian/patches/CVE-2023-40968.patch timg-1.4.5/debian/patches/CVE-2023-40968.patch --- timg-1.4.5/debian/patches/CVE-2023-40968.patch 1970-01-01 01:00:00.0 +0100 +++ timg-1.4.5/debian/patches/CVE-2023-40968.patch 2023-09-09 19:07:01.0 +0200 @@ -0,0 +1,23 @@ +Description: CVE-2023-40968 buffer overflow vulnerability +Origin: https://github.com/hzeller/timg/commit/2e9414e668144bbe0afc074dac17b74ef4acfdcf +Bug: https://github.com/hzeller/timg/issues/115 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051231 +--- a/src/unicode-block-canvas.cc b/src/unicode-block-canvas.cc +@@ -417,13 +417,14 @@ ++ SCREEN_END_OF_LINE_LEN); // Finishing a line. + + // Depending on even/odd situation, we might need one extra row. +-const size_t new_backing = width * (height + 1) * sizeof(rgba_t); ++// For quarter, we have one extra possible pixel wider. ++const size_t new_backing = (width + 1) * (height + 1) * sizeof(rgba_t); + if (new_backing > backing_buffer_size_) { + backing_buffer_ = (rgba_t *)realloc(backing_buffer_, new_backing); + backing_buffer_size_ = new_backing; + } + +-const size_t new_empty = width * sizeof(rgba_t); ++const size_t new_empty = (width + 1) * sizeof(rgba_t); + if (new_empty > empty_line_size_) { + empty_line_ = (rgba_t *)realloc(empty_line_, new_empty); + empty_line_size_ = new_empty; diff -Nru timg-1.4.5/debian/patches/series timg-1.4.5/debian/patches/series --- timg-1.4.5/debian/patches/series2022-11-30 19:52:10.0 +0100 +++ timg-1.4.5/debian/patches/series2023-09-09 19:07:01.0 +0200 @@ -1 +1,2 @@ use-system-qui.patch +CVE-2023-40968.patch
Bug#1040865: bullseye-pu: package yajl/2.1.0-3+deb11u2
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: y...@packages.debian.org Control: affects -1 + src:yajl Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: y...@packages.debian.org Control: affects -1 + src:yajl Previous o-s-p-u upload was #1040137; two additional CVEs have been fixed since then and the fix for CVE-2023-33460 has been found to be incomplete. This upload is part of fixing yajl for every release. So far sid, buster (DLA-3492), stretch and jessie (ELA-892-1) has been targeted. bookworm s-p-u is pending, see #1040863 CVE-2017-16516 When a crafted JSON file is supplied to yajl, the process might crash with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results potentially in a denial of service. CVE-2022-24795 The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. CVE-2023-33460 There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function, which potentially cause out-of-memory in server and cause crash. [ Risks ] Required changes are minimal, see debdiff. Package testsuite passes. [ Checklist ] [x *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable For unstable, the fixes are in 2.1.0-5. I have already uploaded to the s-p-u queue. diff -Nru yajl-2.1.0/debian/changelog yajl-2.1.0/debian/changelog --- yajl-2.1.0/debian/changelog 2023-07-02 13:31:39.0 +0200 +++ yajl-2.1.0/debian/changelog 2023-07-11 19:55:30.0 +0200 @@ -1,3 +1,15 @@ +yajl (2.1.0-3+deb11u2) bullseye; urgency=medium + + [Tobias Frost] + * Non-maintainer upload. + * Cherry pick John's CVE fixes from 2.1.0-4 and 2.1.0-5 + + [John Stamp] + * Patch CVE-2017-16516 and CVE-2022-24795 (Closes: #1040036) + * The patch for CVE-2023-33460 turned out to be incomplete. Fix that. (Closes: #1039984) + + -- Tobias Frost Tue, 11 Jul 2023 19:55:30 +0200 + yajl (2.1.0-3+deb11u1) bullseye; urgency=medium * Non-maintainer upload. diff -Nru yajl-2.1.0/debian/patches/CVE-2017-16516.patch yajl-2.1.0/debian/patches/CVE-2017-16516.patch --- yajl-2.1.0/debian/patches/CVE-2017-16516.patch 1970-01-01 01:00:00.0 +0100 +++ yajl-2.1.0/debian/patches/CVE-2017-16516.patch 2023-07-10 19:32:01.0 +0200 @@ -0,0 +1,22 @@ +Description: Fix for CVE-2017-16516 + Potential buffer overread: A JSON file can cause denial of service. +Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036 +Bug: https://github.com/lloyd/yajl/issues/248 +--- + src/yajl_encode.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/src/yajl_encode.c b/src/yajl_encode.c +@@ -139,8 +139,8 @@ + end+=3; + /* check if this is a surrogate */ + if ((codepoint & 0xFC00) == 0xD800) { +-end++; +-if (str[end] == '\\' && str[end + 1] == 'u') { ++if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') { ++end++; + unsigned int surrogate = 0; + hexToDigit(, str + end + 2); + codepoint = diff -Nru yajl-2.1.0/debian/patches/CVE-2022-24795.patch yajl-2.1.0/debian/patches/CVE-2022-24795.patch --- yajl-2.1.0/debian/patches/CVE-2022-24795.patch 1970-01-01 01:00:00.0 +0100 +++ yajl-2.1.0/debian/patches/CVE-2022-24795.patch 2023-07-10 19:32:01.0 +0200 @@ -0,0 +1,30 @@ +Description: Fix for CVE-2022-24795 + An integer overflow will lead to heap memory corruption with large (~2GB) inputs. +Origin: https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036 +Bug: https://github.com/lloyd/yajl/issues/239 +--- + src/yajl_buf.c | 12 +++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/src/yajl_buf.c b/src/yajl_buf.c +@@ -45,7 +45,17 @@ + + need = buf->len; + +-while (want >= (need - buf->used)) need <<= 1; ++if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) { ++/* We cannot allocate more memory than SIZE_MAX. */ ++abort(); ++} ++while (want >= (need - buf->used)) { ++if (need >= (size_t)((size_t)(-1)<<1)>>1) { ++/* need would overflow. */ ++abort(); ++} ++need <<= 1; ++} + + if
Bug#1040863: bookworm-pu: package yajl/2.1.0-3+deb12u2
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: y...@packages.debian.org Control: affects -1 + src:yajl Previous s-p-u upload was #1040136, two additional CVEs have been fixed since then and the fix for CVE-2023-33460 has been found to be incomplete. This upload is part of fixing yajl for every release. So far sid, buster (DLA-3492), stretch and jessie (ELA-892-1) has been targeted. CVE-2017-16516 When a crafted JSON file is supplied to yajl, the process might crash with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results potentially in a denial of service. CVE-2022-24795 The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. CVE-2023-33460 There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function, which potentially cause out-of-memory in server and cause crash. [ Risks ] Required changes are minimal, see debdiff. Package testsuite passes. [ Checklist ] [x *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable For unstable, the fixes are in 2.1.0-5. I have already uploaded to the s-p-u queue. diff -Nru yajl-2.1.0/debian/changelog yajl-2.1.0/debian/changelog --- yajl-2.1.0/debian/changelog 2023-07-01 14:55:44.0 +0200 +++ yajl-2.1.0/debian/changelog 2023-07-10 18:06:21.0 +0200 @@ -1,3 +1,15 @@ +yajl (2.1.0-3+deb12u2) bookworm; urgency=medium + + [Tobias Frost] + * Non-maintainer upload. + * Cherry pick John's CVE fixes from 2.1.0-4 and 2.1.0-5 + + [John Stamp] + * Patch CVE-2017-16516 and CVE-2022-24795 (Closes: #1040036) + * The patch for CVE-2023-33460 turned out to be incomplete. Fix that. (Closes: #1039984) + + -- Tobias Frost Mon, 10 Jul 2023 18:06:21 +0200 + yajl (2.1.0-3+deb12u1) bookworm; urgency=medium * Non-maintainer upload. diff -Nru yajl-2.1.0/debian/patches/CVE-2017-16516.patch yajl-2.1.0/debian/patches/CVE-2017-16516.patch --- yajl-2.1.0/debian/patches/CVE-2017-16516.patch 1970-01-01 01:00:00.0 +0100 +++ yajl-2.1.0/debian/patches/CVE-2017-16516.patch 2023-07-10 18:06:21.0 +0200 @@ -0,0 +1,22 @@ +Description: Fix for CVE-2017-16516 + Potential buffer overread: A JSON file can cause denial of service. +Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036 +Bug: https://github.com/lloyd/yajl/issues/248 +--- + src/yajl_encode.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/src/yajl_encode.c b/src/yajl_encode.c +@@ -139,8 +139,8 @@ + end+=3; + /* check if this is a surrogate */ + if ((codepoint & 0xFC00) == 0xD800) { +-end++; +-if (str[end] == '\\' && str[end + 1] == 'u') { ++if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') { ++end++; + unsigned int surrogate = 0; + hexToDigit(, str + end + 2); + codepoint = diff -Nru yajl-2.1.0/debian/patches/CVE-2022-24795.patch yajl-2.1.0/debian/patches/CVE-2022-24795.patch --- yajl-2.1.0/debian/patches/CVE-2022-24795.patch 1970-01-01 01:00:00.0 +0100 +++ yajl-2.1.0/debian/patches/CVE-2022-24795.patch 2023-07-10 18:06:21.0 +0200 @@ -0,0 +1,30 @@ +Description: Fix for CVE-2022-24795 + An integer overflow will lead to heap memory corruption with large (~2GB) inputs. +Origin: https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036 +Bug: https://github.com/lloyd/yajl/issues/239 +--- + src/yajl_buf.c | 12 +++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/src/yajl_buf.c b/src/yajl_buf.c +@@ -45,7 +45,17 @@ + + need = buf->len; + +-while (want >= (need - buf->used)) need <<= 1; ++if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) { ++/* We cannot allocate more memory than SIZE_MAX. */ ++abort(); ++} ++while (want >= (need - buf->used)) { ++if (need >= (size_t)((size_t)(-1)<<1)>>1) { ++/* need would overflow. */ ++abort(); ++} ++need <<= 1; ++} + + if (need != buf->len) { + buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need); diff -Nru yajl-2.1.0/debian/patches/CVE-2023-33460.patch yajl-2.1.0/debian/patches/CVE-2023-33460.patch --- yajl-2.1.0
Bug#1040858: nmu: libnginx-mod-http-modsecurity_1.0.3-1+b1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu X-Debbugs-Cc: libnginx-mod-http-modsecur...@packages.debian.org, Ervin Hegedüs Control: affects -1 + src:libnginx-mod-http-modsecurity Control: block 1040799 by -1 nmu libnginx-mod-http-modsecurity_1.0.3-1+b3 . ANY . unstable . -m "rebuild against pcre2 (Closes: #1037226)" The situation is explained in more details in #1040799, but the gist is that src:libnginx-mod-http-modsecurity is currently compiled against "old" PCRE3 instead of "new" PCRE2, and thus is broken in unstable, testing and stable.. This were the events that lead to the issue: - nginx uploaded with OLD PCRE - libnginx-mod-http-modsecurity entered NEW and had been accepted - it uses the OLD PCRE, as it is compiled against libmodsecurity3, which uses PCRE at that time - nginx uploaded with NEW PCRE2 - modsecurity uploaded with PCRE2 Situation: nginx -> PCRE2 modsecurity -> PCRE2 libnginx-mod-http-modsecurity -> OLD PCRE --> a binnmu will rectify that. As Adam said in #1040799, this needs to be fixed first in unstable, this is why I'm filing this bug. ("b3" is required to ensure that unstable is newr than stable) -- tobi
Bug#1040799: nmu: libnginx-mod-http-modsecurity_1.0.3-1+b1
( sent to early) please do a binnmu for bookworm: nmu libnginx-mod-http-modsecurity_1.0.3-1+b1 . ANY . bookworm . -m "rebuild against pcre2 (Closes: #1037226)" and for unstable: nmu libnginx-mod-http-modsecurity_1.0.3-1+b1 . ANY . unstable . -m "rebuild against pcre2 (Closes: #1037226)" > Regards, > > Adam > > >
Bug#1040799: nmu: libnginx-mod-http-modsecurity_1.0.3-1+b1
On Mon, 10 Jul 2023 21:08:14 +0100 "Adam D. Barratt" wrote: > Control: tags -1 + bookworm moreinfo > > On Mon, 2023-07-10 at 21:55 +0200, Ervin Hegedüs wrote: > > nmu libnginx-mod-http-modsecurity_1.0.3-1+b1 . ANY . bookworm . -m > > "Closes: 1037226" > > *Please* include information in binNMU requests that allows us to > identify the actual problem without having to dig around. As an > additional note, the text in the "message" argument (-m) is copied > verbatim into changelogs, which will then be visible to users and > anyone else viewing the changelog. It needs to be more descriptive than > a bug number. > > The BTS metadata for #1037226 indicates that it also affects unstable > and testing. Is that correct? If so, it needs to be fixed there first. > If not, please explain why unstable is not affected despite having > exactly the same package version. > I was in contact with Ervin and suggested him to file the binnmu -- for stable *and* for unstable to get #1037226 fixed. the mentioned pr is related to a new nginx version and orthogonal to the problem in said bug report, beside that the the pr improves the packaging in that aspect. for now a rebuild suffices also for unstable. summary of #1037226: That lead to the issue: - nginx uploaded with OLD PCRE - libnginx-mod-http-modsecurity entered NEW and had been accepted - it uses the OLD PCRE, as it is compiled against libmodsecurity3, which uses PCRE at that time - nginx uploaded with NEW PCRE2 - modsecurity uploaded with PCRE2 Situation: nginx -> PCRE2 modsecurity -> PCRE2 libnginx-mod-http-modsecurity -> OLD PCRE --> a binnmu will rectify that. please do a binnmu for bookworm: nmu libnginx-mod-http-modsecurity_1.0.3-1+b1 . ANY . bookworm . -m "rebuild against pcre2 (Closes: #1037226)" > Regards, > > Adam > > >
Bug#1040137: bullseye-pu: package yajl/2.1.0-3+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: y...@packages.debian.org Control: affects -1 + src:yajl [ Reason ] This upload is part of fixing yajl for every release. So far sid, bookworm (#1040136), buster (DLA-3478), stretch and jessie (ELA-888-1) has been targeted. [ Tests ] Package has a test suite which passes. Additionally it has been manually verified using asan that the memory leak is indeed fixed. [ Risks ] Required changes are minimal, see debdiff. [ Checklist ] [x *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable (I've already uploaded the package to s-p-u) -- tobi
Bug#1040136: bookworm-pu: package yajl/2.1.0-3+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: y...@packages.debian.org Control: affects -1 + src:yajl This upload fixes CVE-2023-33460, a memory leak issue that can cause a crash/DoS. [ Reason ] This upload is part of fixing yajl for every release. So far sid, buster (DLA-3478), stretch and jessie (ELA-888-1) has been targeted. [ Tests ] Package has a test suite which passes. Additionally it has been manually verified using asan that the memory leak is indeed fixed. [ Risks ] Required changes are minimal, see debdiff. [ Checklist ] [x *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable (I've already upload the package to s-p-u) -- tobi diff -Nru yajl-2.1.0/debian/changelog yajl-2.1.0/debian/changelog --- yajl-2.1.0/debian/changelog 2018-10-03 00:51:58.0 +0200 +++ yajl-2.1.0/debian/changelog 2023-07-01 14:55:44.0 +0200 @@ -1,3 +1,11 @@ +yajl (2.1.0-3+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Import upstream patch for CVE-2023-33460. (Closes: #1039984) + * Fix d/control Homepage field (Closes: #1040034) + + -- Tobias Frost Sat, 01 Jul 2023 14:55:44 +0200 + yajl (2.1.0-3) unstable; urgency=medium [ Jelmer Vernooij ] diff -Nru yajl-2.1.0/debian/control yajl-2.1.0/debian/control --- yajl-2.1.0/debian/control 2018-10-02 23:59:41.0 +0200 +++ yajl-2.1.0/debian/control 2023-07-01 14:45:57.0 +0200 @@ -5,7 +5,7 @@ Build-Depends: debhelper (>= 11), cmake, doxygen Standards-Version: 4.2.1 Rules-Requires-Root: no -Homepage: http://lloyd.github.com/yajl/ +Homepage: https://lloyd.github.io/yajl/ Vcs-Browser: https://github.com/jstamp/yajl Vcs-Git: https://github.com/jstamp/yajl.git diff -Nru yajl-2.1.0/debian/patches/CVE-2023-33460.patch yajl-2.1.0/debian/patches/CVE-2023-33460.patch --- yajl-2.1.0/debian/patches/CVE-2023-33460.patch 1970-01-01 01:00:00.0 +0100 +++ yajl-2.1.0/debian/patches/CVE-2023-33460.patch 2023-07-01 14:51:32.0 +0200 @@ -0,0 +1,21 @@ +Description: Fix for CVE-2023-33460a + Memory leak in yajl 2.1.0 with use of yajl_tree_parse function +Origin: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984 +Bug: https://github.com/lloyd/yajl/issues/250 +--- + src/yajl_tree.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/src/yajl_tree.c b/src/yajl_tree.c +@@ -445,6 +445,9 @@ + YA_FREE(&(handle->alloc), internal_err_str); + } + yajl_free (handle); ++ //If the requested memory is not released in time, it will cause memory leakage ++ if(ctx.root) ++ yajl_tree_free(ctx.root); + return NULL; + } + diff -Nru yajl-2.1.0/debian/patches/series yajl-2.1.0/debian/patches/series --- yajl-2.1.0/debian/patches/series2015-09-25 14:44:02.0 +0200 +++ yajl-2.1.0/debian/patches/series2023-07-01 14:37:45.0 +0200 @@ -1,2 +1,3 @@ dynamically-link-tools.patch multiarch.patch +CVE-2023-33460.patch
Bug#1036709: unblock: libsepol/3.4-2.1
On Wed, 24 May 2023 16:52:06 +0200 Tobias Frost wrote: > Please unblock package libsepol > > It fixes #1031798, inaccurate copyright file. > > No other changes done. > > [ Checklist ] > [x] all changes are documented in the d/changelog > [x] I reviewed all changes and I approve them > [x] attach debdiff against the package in testing > > [ Other info ] > The package has been uploaded to DELAYED/2, ETA May 26th 2023, ~16:45 It is now in unstable. > > unblock libsepol/3.4-2.1 >
Bug#1036711: unblock: camping/2.3-1.1
On Wed, 24 May 2023 17:55:48 +0200 Tobias Frost wrote: > Please unblock package camping > > It fixes a broken symlink to a font. (#861040) > This had been fixed already earlier, (2.1.580-1.1) > but that NMU has not been incoroporated in the package and lost. > The nmu is using the original patch from the BTS. > > [ Checklist ] > [X] all changes are documented in the d/changelog > [X] I reviewed all changes and I approve them > [X] attach debdiff against the package in testing > > [ Other info ] > The package has been uploaded to DELAYED/2, ETA May 26th, 18:00 CET It is now in unstable. > > unblock camping/2.3-1.1
Bug#1036709: unblock: libsepol/3.4-2.1
Forgot to add the debdiff… diff -Nru libsepol-3.4/debian/changelog libsepol-3.4/debian/changelog --- libsepol-3.4/debian/changelog 2022-06-15 09:56:48.0 +0200 +++ libsepol-3.4/debian/changelog 2023-05-24 16:43:03.0 +0200 @@ -1,3 +1,10 @@ +libsepol (3.4-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix "Inaccurate copyright file" (Closes: #1031798) + + -- Tobias Frost Wed, 24 May 2023 16:43:03 +0200 + libsepol (3.4-2) unstable; urgency=medium * fix validation of user declarations in modules, patch proposed upstream diff -Nru libsepol-3.4/debian/copyright libsepol-3.4/debian/copyright --- libsepol-3.4/debian/copyright 2022-06-15 09:56:48.0 +0200 +++ libsepol-3.4/debian/copyright 2023-05-24 16:36:19.0 +0200 @@ -1,49 +1,83 @@ -This is the Debian package for libsepol, and it is built from sources -obtained from http://userspace.selinuxproject.org/releases/current/devel/ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Comment: + This is the Debian package for libsepol. + . + This package was debianized by Russell Coker on + Fri, 20 Aug 2004 17:26:18 +1000. +Source: https://github.com/SELinuxProject/selinux/wiki/Releases - - -This package was debianized by Russell Coker on -Fri, 20 Aug 2004 17:26:18 +1000. - -libsepol is +Files: * +Copyright: libsepol is Copyright (C) 2003, 2004 Stephen Smalley Copyright (C) 2003-2007 Red Hat, Inc. Copyright (C) 2004, 2005 Trusted Computer Solutions, Inc. - Copyright (C) 2003-2008 Tresys Technology, LLC - - + Copyright (C) 2003-2008, 2011 Tresys Technology, LLC + Copyright (C) 2017 Mellanox Techonolgies Inc. + Copyright (c) 2008 NEC Corporation +License: LGPL-2.1+ This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. - + . This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. - + . You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - -On Debian GNU/Linux systems, the complete text of the Lesser GNU General -Public License can be found in `/usr/share/common-licenses/LGPL'. - - This package is maintained by Manoj Srivastava . - - The Debian specific changes are © 2005-2008, Manoj Srivastava - , and distributed under the terms of the GNU - General Public License, version 2. - - -On Debian GNU/Linux systems, the complete text of the GNU General -Public License can be found in `/usr/share/common-licenses/GPL'. - +Comment: + On Debian GNU/Linux systems, the complete text of the Lesser GNU General + Public License version 2.1 can be found in `/usr/share/common-licenses/LGPL-2.1'. + +Files: cil/test/unit/CuTest.* +Copyright: (c) 2003 Asim Jalis +License: Zlib + This software is provided 'as-is', without any express or implied + warranty. In no event will the authors be held liable for any damages + arising from the use of this software. + . + Permission is granted to anyone to use this software for any purpose, + including commercial applications, and to alter it and redistribute it + freely, subject to the following restrictions: + . + 1. The origin of this software must not be misrepresented; you must not + claim that you wrote the original software. If you use this software in + a product, an acknowledgment in the product documentation would be + appreciated but is not required. + . + 2. Altered source versions must be plainly marked as such, and must not + be misrepresented as being the original software. + . + 3. This notice may not be removed or altered from any source + distribution. + +Files: debian/* +Copyright: © 2005-2008, Manoj Srivastava + 2012-2022 Laurent Bigonville + 2011-2018 Russell Coker +License: GPL-2 +The Debian specific changes are distributed under the terms of the +GNU General Public License, version 2. + . A copy of the GNU General Public License is also available at http://www.gnu.org/copyleft/gpl.html>. You may also obtain it by writing to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - -Manoj Srivastava -arch-tag: d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27 +Comment: + On Debian GNU/Linux systems, the complete text of the GNU General + Public License version 2 can be found in `/usr/share/common-licenses/GPL-2'. + +Files: man/*man8/chkcon.8 + man/man8/genpolusers.8 +Copyright: (c) 1997 Manoj Srivastava +License: GPL-2+ +This is free documentation; you can
Bug#1036711: unblock: camping/2.3-1.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: camp...@packages.debian.org Control: affects -1 + src:camping Please unblock package camping It fixes a broken symlink to a font. (#861040) This had been fixed already earlier, (2.1.580-1.1) but that NMU has not been incoroporated in the package and lost. The nmu is using the original patch from the BTS. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] The package has been uploaded to DELAYED/2, ETA May 26th, 18:00 CET unblock camping/2.3-1.1 diff -Nru camping-2.3/debian/changelog camping-2.3/debian/changelog --- camping-2.3/debian/changelog2023-01-31 16:26:42.0 +0100 +++ camping-2.3/debian/changelog2023-05-24 17:43:23.0 +0200 @@ -1,3 +1,10 @@ +camping (2.3-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix broken font symlink (Closes: #861040) + + -- Tobias Frost Wed, 24 May 2023 17:43:23 +0200 + camping (2.3-1) unstable; urgency=medium * Team upload. diff -Nru camping-2.3/debian/rules camping-2.3/debian/rules --- camping-2.3/debian/rules2023-01-31 16:26:42.0 +0100 +++ camping-2.3/debian/rules2023-05-24 17:38:44.0 +0200 @@ -43,7 +43,7 @@ ln -s /usr/share/fonts/truetype/lato/Lato-Light.ttf debian/camping/usr/share/doc/camping/rdoc/fonts/ ln -s /usr/share/fonts/truetype/lato/Lato-LightItalic.ttf debian/camping/usr/share/doc/camping/rdoc/fonts/ ln -s /usr/share/fonts/truetype/lato/Lato-Regular.ttf debian/camping/usr/share/doc/camping/rdoc/fonts/ - ln -s /usr/share/fonts/truetype/lato/Lato-RegularItalic.ttf debian/camping/usr/share/doc/camping/rdoc/fonts/ + ln -s /usr/share/fonts/truetype/lato/Lato-Italic.ttf debian/camping/usr/share/doc/camping/rdoc/fonts/Lato-RegularItalic.ttf override_dh_auto_clean: dh_auto_clean signature.asc Description: PGP signature
Bug#1036709: unblock: libsepol/3.4-2.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: libse...@packages.debian.org Control: affects -1 + src:libsepol Please unblock package libsepol It fixes #1031798, inaccurate copyright file. No other changes done. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing [ Other info ] The package has been uploaded to DELAYED/2, ETA May 26th 2023, ~16:45 unblock libsepol/3.4-2.1 -- tobi signature.asc Description: PGP signature
Bug#1036598: unblock: opencascade/7.6.3+dfsg1-7
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: opencasc...@packages.debian.org Control: affects -1 + src:opencascade Please unblock package opencascade The upload fixes: #1036581 occt-draw: broken symlink: /usr/bin/occt-draw -> occt-draw-7.5 Its a targeted fix, only repairing the symlink. See debdiff. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock opencascade/7.6.3+dfsg1-7 diff -Nru opencascade-7.6.3+dfsg1/debian/changelog opencascade-7.6.3+dfsg1/debian/changelog --- opencascade-7.6.3+dfsg1/debian/changelog2023-05-14 11:37:53.0 +0200 +++ opencascade-7.6.3+dfsg1/debian/changelog2023-05-23 09:45:56.0 +0200 @@ -1,3 +1,10 @@ +opencascade (7.6.3+dfsg1-7) unstable; urgency=medium + + * Update broken symlink /usr/bin/occt-draw to new version + occt-draw-7.6" (Closes: #1036581) + + -- Tobias Frost Tue, 23 May 2023 09:45:56 +0200 + opencascade (7.6.3+dfsg1-6) unstable; urgency=medium * Let libocct-data-exchange-dev Conflicts: with liboce-modeling- diff -Nru opencascade-7.6.3+dfsg1/debian/occt-draw.links opencascade-7.6.3+dfsg1/debian/occt-draw.links --- opencascade-7.6.3+dfsg1/debian/occt-draw.links 2022-07-31 14:33:23.0 +0200 +++ opencascade-7.6.3+dfsg1/debian/occt-draw.links 2023-05-23 08:13:21.0 +0200 @@ -1 +1 @@ -/usr/bin/occt-draw-7.5 /usr/bin/occt-draw +/usr/bin/occt-draw-7.6 /usr/bin/occt-draw
Bug#1036045: unblock: opencascade/7.6.3+dfsg1-6
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: opencasc...@packages.debian.org Control: affects -1 + src:opencascade Please unblock package opencascade Helmut Grohne reported in #1035009 a missing Conflict: on several package, leading in certtain circumstances to installation errors. (Details in the bug) Additionally, this upload fixes two lintian *errors*: (E: depends-on-obsolete-package), suggestiong renaming two Depends: libfreetype6-dev with libfreetype-dev libgl1-mesa-dev with libgl-dev [ Risks ] Changes are trivial piuparts is happy as well (CI: https://salsa.debian.org/science-team/opencascade/-/pipelines/527866, piuparts job: https://salsa.debian.org/science-team/opencascade/-/jobs/4214165) [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock opencascade/7.6.3+dfsg1-6 -- Cheers, tobi
Bug#1035821: unblock: retroarch-assets/1.7.6+git20221024+dfsg-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: retroarch-ass...@packages.debian.org Control: affects -1 + src:retroarch-assets Please unblock package retroarch-assets The upload fixes #1035793, a missing depdency on fonts-droid-fallback [ Tests ] Manual test that symlink is no longer dangling and a piuparts run. [ Risks ] Trivial fix [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock retroarch-assets/1.7.6+git20221024+dfsg-3 Cheers, -- tobi diff -Nru retroarch-assets-1.7.6+git20221024+dfsg/debian/changelog retroarch-assets-1.7.6+git20221024+dfsg/debian/changelog --- retroarch-assets-1.7.6+git20221024+dfsg/debian/changelog2023-01-12 20:48:03.0 +0100 +++ retroarch-assets-1.7.6+git20221024+dfsg/debian/changelog2023-05-09 17:19:28.0 +0200 @@ -1,3 +1,10 @@ +retroarch-assets (1.7.6+git20221024+dfsg-3) unstable; urgency=medium + + * Team upload. + * Add Depends: fonts-droid-fallback (Closes: #1035793) + + -- Tobias Frost Tue, 09 May 2023 17:19:28 +0200 + retroarch-assets (1.7.6+git20221024+dfsg-2) unstable; urgency=low * Update Vcs-* pointers to libretro subproject diff -Nru retroarch-assets-1.7.6+git20221024+dfsg/debian/control retroarch-assets-1.7.6+git20221024+dfsg/debian/control --- retroarch-assets-1.7.6+git20221024+dfsg/debian/control 2023-01-12 20:48:03.0 +0100 +++ retroarch-assets-1.7.6+git20221024+dfsg/debian/control 2023-05-09 17:19:16.0 +0200 @@ -18,6 +18,7 @@ Multi-Arch: foreign Depends: ${shlibs:Depends}, ${misc:Depends}, fonts-dejavu-core, + fonts-droid-fallback, fonts-noto-extra, fonts-roboto-unhinted Description: RetroArch assets for Ozone, GLUI, RGUI and XMB
Bug#1035335: unblock: solarpowerlog/0.25-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: solarpower...@packages.debian.org Control: affects -1 + src:solarpowerlog Please unblock package solarpowerlog [ Reason ] A problem has been reported to me, that the a valid HTML writer configuration are rejected by solarpowerlog. This is a regression in 0.25. A similar problem exists with the DBWriter, the example configurations are using a differnt field for the password, so configurations using a password will be rejected too. [ Impact ] Parts of solarpowerlog are not usable. [ Tests ] Manual tests. [ Risks ] Package is a leaf package, code change is small [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock solarpowerlog/0.25-1 diff -Nru solarpowerlog-0.25/debian/changelog solarpowerlog-0.25/debian/changelog --- solarpowerlog-0.25/debian/changelog 2022-01-07 14:20:10.0 +0100 +++ solarpowerlog-0.25/debian/changelog 2023-05-01 10:00:20.0 +0200 @@ -1,3 +1,9 @@ +solarpowerlog (0.25-2) unstable; urgency=medium + + * Cherry-pick fixes for broken htmlwriter and dbfilter. (Closes: #1035333) + + -- Tobias Frost Mon, 01 May 2023 10:00:20 +0200 + solarpowerlog (0.25-1) unstable; urgency=medium * New upstream release. diff -Nru solarpowerlog-0.25/debian/patches/fix_dbwriter.patch solarpowerlog-0.25/debian/patches/fix_dbwriter.patch --- solarpowerlog-0.25/debian/patches/fix_dbwriter.patch1970-01-01 01:00:00.0 +0100 +++ solarpowerlog-0.25/debian/patches/fix_dbwriter.patch2023-05-01 09:41:37.0 +0200 @@ -0,0 +1,48 @@ +commit e77389f3b88794b2ba57624052195e3b399cc1a2 +Author: Tobias Frost +Date: Mon May 1 09:31:47 2023 +0200 + +[DBWriter] Bugfix: Use db_password (instead db_passwd) for password configuration + +(to be aligned with the examples) + +diff --git a/src/DataFilters/DBWriter/CDBWriterFilter.cpp b/src/DataFilters/DBWriter/CDBWriterFilter.cpp +index 6e3e141..4242a6b 100644 +--- a/src/DataFilters/DBWriter/CDBWriterFilter.cpp b/src/DataFilters/DBWriter/CDBWriterFilter.cpp +@@ -193,7 +193,7 @@ bool CDBWriterFilter::CheckConfig() + fail = true; + } + if (_cfg_cache_db_passwd.empty()) { +-_missing_req_parameter(logger, _cfg_cache_db_type, "db_passwd"); ++_missing_req_parameter(logger, _cfg_cache_db_type, "db_password"); + fail = true; + } + if (_cfg_cache_db_database.empty()) { +@@ -231,7 +231,7 @@ bool CDBWriterFilter::CheckConfig() + } + + if (_cfg_cache_db_passwd.empty()) { +-_missing_req_parameter(logger, _cfg_cache_db_type, "db_passwd"); ++_missing_req_parameter(logger, _cfg_cache_db_type, "db_password"); + fail = true; + } + if (_cfg_cache_db_database.empty()) { +@@ -270,7 +270,7 @@ bool CDBWriterFilter::CheckConfig() + } + + if (!_cfg_cache_db_passwd.empty()) { +-_wrong_parameter(logger, _cfg_cache_db_type, "db_passwd"); ++_wrong_parameter(logger, _cfg_cache_db_type, "db_password"); + fail = true; + } + +@@ -701,7 +701,7 @@ CConfigCentral* CDBWriterFilter::getConfigCentralObject(CConfigCentral* parent) + _cfg_cache_db_mode, std::string("")) + ("db_user", Description_DBWriter_db_user, + _cfg_cache_db_user, std::string("")) +-("db_passwd", Description_DBWriter_db_passwd, ++("db_password", Description_DBWriter_db_passwd, + _cfg_cache_db_passwd, std::string("")) + ("db_database", Description_DBWriter_db_database, + _cfg_cache_db_database, std::string("")) diff -Nru solarpowerlog-0.25/debian/patches/fix_htmlwriter.patch solarpowerlog-0.25/debian/patches/fix_htmlwriter.patch --- solarpowerlog-0.25/debian/patches/fix_htmlwriter.patch 1970-01-01 01:00:00.0 +0100 +++ solarpowerlog-0.25/debian/patches/fix_htmlwriter.patch 2023-05-01 09:41:37.0 +0200 @@ -0,0 +1,19 @@ +commit e4bd00f13656ff8815e52f23a59daff46271d646 +Author: Tobias Frost +Date: Mon May 1 09:26:31 2023 +0200 + +[HTMLWriter] Bugfix: Logic error in rejected valid configuration. + +diff --git a/src/DataFilters/HTMLWriter/CHTMLWriter.cpp b/src/DataFilters/HTMLWriter/CHTMLWriter.cpp +index 192fe05..2c7ab54 100644 +--- a/src/DataFilters/HTMLWriter/CHTMLWriter.cpp b/src/DataFilters/HTMLWriter/CHTMLWriter.cpp +@@ -219,7 +219,7 @@ bool CHTMLWriter::CheckConfig() + + std::auto_ptr cc(getConfigCentralObject(NULL)); + +- bool fail = cc->CheckConfig(logger, configurationpath); ++ bool fail = !cc->CheckConfig(logger, configurationpath);(cc->
Bug#1033947: unblock: widelands/2:1.1-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: widela...@packages.debian.org Control: affects -1 + src:widelands Please unblock package widelands The upload fixes the version constraint in widelands-data.maintscript for symlink_to_dir. The original version constraint was 1:21-2~, the last version that had the directory. However, the symlink_to_dir was only introduced in 2:1.0-3, so if a user upgraded from a version later than 1:21-2~, the migration would not be triggered as maintscript would believe it is not needed anymore. In such cases the game would crash as reported in #1033879. (Please provide enough (but not too much) information to help the release team to judge the request efficiently. E.g. by filling in the sections below.) [ Risks ] The game is a leaf package. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing unblock widelands/2:1.1-3 Cheers, -- tobi diff -Nru widelands-1.1/debian/changelog widelands-1.1/debian/changelog --- widelands-1.1/debian/changelog 2022-12-27 23:29:29.0 +0100 +++ widelands-1.1/debian/changelog 2023-04-04 16:15:53.0 +0200 @@ -1,3 +1,10 @@ +widelands (2:1.1-3) unstable; urgency=medium + + * Team upload. + * Fix version constraint in dir_to_symlink. (Closes: #1033879) + + -- Tobias Frost Tue, 04 Apr 2023 16:15:53 +0200 + widelands (2:1.1-2) unstable; urgency=medium * Team upload. diff -Nru widelands-1.1/debian/widelands-data.maintscript widelands-1.1/debian/widelands-data.maintscript --- widelands-1.1/debian/widelands-data.maintscript 2022-12-27 23:29:29.0 +0100 +++ widelands-1.1/debian/widelands-data.maintscript 2023-04-04 16:15:49.0 +0200 @@ -1,2 +1 @@ -dir_to_symlink /usr/share/games/widelands/data/i18n/fonts/Culmus ../../../../../fonts/truetype/culmus-fancy 1:21-2~ - +dir_to_symlink /usr/share/games/widelands/data/i18n/fonts/Culmus ../../../../../fonts/truetype/culmus-fancy 2:1.1-3~
Bug#1033946: unblock: unknown-horizons/2019.1-6
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: unknown-horiz...@packages.debian.org Control: affects -1 + src:unknown-horizons Please unblock package unknown-horizons This updates fixes #1033833: the package font-unifont dropped shipping unifont.ttf last summer, and this breaks unknown-horizons/2019.1-5 as the symlink to the font is no longer valid and the game fails to load. The update fixes the symlink to the otf font, which works with the game as well. [ Impact ] Game would be broken. [ Risks ] This game is a leaf package. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing unblock unknown-horizons/2019.1-6 diff -Nru unknown-horizons-2019.1/debian/changelog unknown-horizons-2019.1/debian/changelog --- unknown-horizons-2019.1/debian/changelog2022-08-28 13:16:18.0 +0200 +++ unknown-horizons-2019.1/debian/changelog2023-04-03 19:23:41.0 +0200 @@ -1,3 +1,11 @@ +unknown-horizons (2019.1-6) unstable; urgency=medium + + * Team upload. + * add d/clean: enable building twice from source tree, delete created files. + * Replace link to unifont.ttf with unifont.otf. (Closes: #1033833) + + -- Tobias Frost Mon, 03 Apr 2023 19:23:41 +0200 + unknown-horizons (2019.1-5) unstable; urgency=medium * Team upload. diff -Nru unknown-horizons-2019.1/debian/clean unknown-horizons-2019.1/debian/clean --- unknown-horizons-2019.1/debian/clean1970-01-01 01:00:00.0 +0100 +++ unknown-horizons-2019.1/debian/clean2023-04-03 19:08:30.0 +0200 @@ -0,0 +1,6 @@ +content/gfx/atlas/*png +.cache/ +content/actionsets.json +content/tilesets.json +UnknownHorizons.egg-info/ +content/atlas.sql diff -Nru unknown-horizons-2019.1/debian/links unknown-horizons-2019.1/debian/links --- unknown-horizons-2019.1/debian/links2022-08-27 15:26:54.0 +0200 +++ unknown-horizons-2019.1/debian/links2023-04-03 19:13:03.0 +0200 @@ -1 +1 @@ -/usr/share/fonts/truetype/unifont/unifont.ttf /usr/share/unknown-horizons/content/fonts/Unifont.ttf +/usr/share/fonts/opentype/unifont/unifont.otf /usr/share/unknown-horizons/content/fonts/Unifont.ttf
Bug#1031948: bullseye-pu: package libgit2/1.1.0+dfsg.1-4+deb11u1
On Sat, Apr 01, 2023 at 08:13:23PM +0100, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Sat, 2023-02-25 at 21:16 +0100, Tobias Frost wrote: > > After fixing CVE-2023-22742 for LTS and ELTS, I'd like to see > > this CVE also fixed in stable, for consistency. > > > > The CVE is an inproper ssh certificate validation vulnerabilty, > > which allows man-in-the-middle attacks. > > > > +libgit2 (1.1.0+dfsg.1-4+deb11u1) bullseye-security; urgency=high > > That wants to just be "bullseye". > > + This is a backport of the upstream fix to the Debian stretch version. > > Presumably that comment could also do with an update. > > Please go ahead. Thanks for the review. Fixed and uploaded! -- tobi
Bug#1033079: bullseye-pu: package intel-microcode/3.20230214.1~deb11u1
On Fri, Mar 17, 2023 at 09:15:36PM +0100, Salvatore Bonaccorso wrote: > Yes this is correct, you do not need to mention it. I just wanted to > make double sure it's as well on the radar (and have not checked if > you have uploaded with -v to incude the intermediate changelog entries > as well). I think I've forgotten that part… So please reject my upload and I'll fix that… -- tobi
Bug#1033079: bullseye-pu: package intel-microcode/3.20230214.1~deb11u1
Am 17. März 2023 19:18:50 UTC schrieb Salvatore Bonaccorso : > >On Thu, Mar 16, 2023 at 04:06:29PM +0100, Tobias Frost wrote: >> Package: release.debian.org >> Severity: normal >> Tags: bullseye >> User: release.debian@packages.debian.org >> Usertags: pu >> X-Debbugs-Cc: intel-microc...@packages.debian.org, Salvatore Bonaccorso >> >> Control: affects -1 + src:intel-microcode >> >> (Please refer to #1032847#12 for security team's feedback >> that this should go through SPU.) >> >> The upload updates intel microcodes to target (See #1031334) >>- INTEL-SA-00700: CVE-2022-21216 >>- INTEL-SA-00730: CVE-2022-33972 >>- INTEL-SA-00738: CVE-2022-33196 >>- INTEL-SA-00767: CVE-2022-38090 >> >> the CVEs are information disclosure via local access vulnerbilities and >> potential privilege escalations. > >Note that speaking of fixed CVEs, for bullseye and older with the >upload CVE-2022-21233 get fixed as well (this one was as well not >warranting a DSA, it is as well SGX releated). yes, this CVE is fixed in 3.20220809.1, which is part of this update. to make sure i don't miss it: i thought i do not need to repeat the cve in d/changelog if it is mentioned in earlier d/changelog entries, right? >Regards, >Salvatore
Bug#1033079: bullseye-pu: package intel-microcode/3.20230214.1~deb11u1
65b, pf_mask 0xbf, 2022-08-26, rev 0x7002503, size 29696 +sig 0x000606a6, pf_mask 0x87, 2022-10-09, rev 0xd000389, size 296960 +sig 0x000606c1, pf_mask 0x10, 2022-09-23, rev 0x1000211, size 289792 +sig 0x000706a1, pf_mask 0x01, 2022-09-16, rev 0x003e, size 75776 +sig 0x000706a8, pf_mask 0x01, 2022-09-20, rev 0x0022, size 76800 +sig 0x000706e5, pf_mask 0x80, 2022-08-31, rev 0x00b8, size 113664 +sig 0x000806a1, pf_mask 0x10, 2022-09-07, rev 0x0032, size 34816 +sig 0x00090672, pf_mask 0x07, 2023-01-04, rev 0x002c, size 219136 +sig 0x00090675, pf_mask 0x07, 2023-01-04, rev 0x002c, size 219136 +sig 0x000906a3, pf_mask 0x80, 2023-01-11, rev 0x0429, size 218112 +sig 0x000906a4, pf_mask 0x80, 2023-01-11, rev 0x0429, size 218112 +sig 0x000906c0, pf_mask 0x01, 2022-09-02, rev 0x2424, size 20480 +sig 0x000a0671, pf_mask 0x02, 2022-08-31, rev 0x0057, size 103424 +sig 0x000b0671, pf_mask 0x32, 2022-12-19, rev 0x0112, size 207872 +sig 0x000b06f2, pf_mask 0x07, 2023-01-04, rev 0x002c, size 219136 +sig 0x000b06f5, pf_mask 0x07, 2023-01-04, rev 0x002c, size 219136 + + -- Tobias Frost Tue, 14 Mar 2023 19:17:02 +0100 + +intel-microcode (3.20221108.1) unstable; urgency=medium + + * New upstream microcode datafile 20221108 +* New Microcodes: + sig 0x000606c1, pf_mask 0x10, 2022-08-07, rev 0x1000201, size 286720 + sig 0x000b0671, pf_mask 0x32, 2022-09-07, rev 0x010e, size 204800 +* Updated Microcodes: + sig 0x000706e5, pf_mask 0x80, 2022-08-02, rev 0x00b6, size 113664 + sig 0x000806c1, pf_mask 0x80, 2022-06-28, rev 0x00a6, size 110592 + sig 0x000806d1, pf_mask 0xc2, 2022-06-28, rev 0x0042, size 102400 + sig 0x000806ec, pf_mask 0x94, 2022-07-31, rev 0x00f4, size 105472 + sig 0x00090661, pf_mask 0x01, 2022-07-15, rev 0x0017, size 20480 + sig 0x00090672, pf_mask 0x07, 2022-09-19, rev 0x0026, size 218112 + sig 0x00090675, pf_mask 0x07, 2022-09-19, rev 0x0026 + sig 0x000b06f2, pf_mask 0x07, 2022-09-19, rev 0x0026 + sig 0x000b06f5, pf_mask 0x07, 2022-09-19, rev 0x0026 + sig 0x000906a3, pf_mask 0x80, 2022-09-19, rev 0x0424, size 217088 + sig 0x000906a4, pf_mask 0x80, 2022-09-19, rev 0x0424 + sig 0x000906ed, pf_mask 0x22, 2022-07-31, rev 0x00f4, size 104448 + sig 0x000a0652, pf_mask 0x20, 2022-07-31, rev 0x00f4, size 96256 + sig 0x000a0653, pf_mask 0x22, 2022-07-31, rev 0x00f4, size 97280 + sig 0x000a0655, pf_mask 0x22, 2022-07-31, rev 0x00f4, size 96256 + sig 0x000a0660, pf_mask 0x80, 2022-07-31, rev 0x00f4, size 97280 + sig 0x000a0661, pf_mask 0x80, 2022-07-31, rev 0x00f4, size 96256 + sig 0x000a0671, pf_mask 0x02, 2022-08-02, rev 0x0056, size 103424 + + -- Henrique de Moraes Holschuh Sat, 03 Dec 2022 17:21:08 -0300 + +intel-microcode (3.20220809.1) unstable; urgency=medium + + * New upstream microcode datafile 20220809 +* Fixes INTEL-SA-00657, CVE-2022-21233 + Stale data from APIC leaks SGX memory (AEPIC leak) +* Fixes unspecified errata (functional issues) on Xeon Scalable +* Updated Microcodes: + sig 0x00050653, pf_mask 0x97, 2022-03-14, rev 0x100015e, size 34816 + sig 0x00050654, pf_mask 0xb7, 2022-03-08, rev 0x2006e05, size 44032 + sig 0x000606a6, pf_mask 0x87, 2022-04-07, rev 0xd000375, size 293888 + sig 0x000706a1, pf_mask 0x01, 2022-03-23, rev 0x003c, size 75776 + sig 0x000706a8, pf_mask 0x01, 2022-03-23, rev 0x0020, size 75776 + sig 0x000706e5, pf_mask 0x80, 2022-03-17, rev 0x00b2, size 112640 + sig 0x000806c2, pf_mask 0xc2, 2022-03-19, rev 0x0028, size 97280 + sig 0x000806d1, pf_mask 0xc2, 2022-03-28, rev 0x0040, size 102400 + sig 0x00090672, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064 + sig 0x00090675, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064 + sig 0x000906a3, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064 + sig 0x000906a4, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064 + sig 0x000a0671, pf_mask 0x02, 2022-03-17, rev 0x0054, size 103424 + sig 0x000b06f2, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064 + sig 0x000b06f5, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064 + * source: update symlinks to reflect id of the latest release, 20220809 + + -- Henrique de Moraes Holschuh Fri, 19 Aug 2022 14:21:20 -0300 + intel-microcode (3.20220510.1~deb11u1) bullseye-security; urgency=medium * Backport to Debian bullseye (no relevant changes) Binary files /tmp/gbnDrf7LzN/intel-microcode-3.20220510.1~deb11u1/intel-ucode/06-55-03 and /tmp/mQ6OQnU49L/intel-microcode-3.20230214.1~deb11u1/intel-ucode/06-55-03 differ Binary files /tmp/gbnDrf7LzN/intel-microcode-3.20220510.1~deb11u1/intel-ucode/06-55-04 and /tmp/mQ6OQnU49L/intel-microcode-3.20230214.1~deb11u1/intel-ucode/06-55-04 differ Binary files /tmp/gbnDrf7LzN/intel-microcode-3.20220510.1~deb11u1/intel-ucode/06-55-06 and /tmp/mQ6OQnU49L/intel-microcode-3.20230214.1~deb11u1/intel-ucode/06-55
Bug#1032847: unblock: intel-microcode/3.20230214.1
Control: tag -1 -moreinfo > > On Sun, Mar 12, 2023 at 06:56:21PM +0100, Tobias Frost wrote: > > I've uploaded intel-microcode to DELAYED/5, ETA will be Mar 17 ~18:00 CET > > Please unblock package intel-microcode once it hits unstable. > > Please remove the moreinfo tag from this bug when it's ready to review. It's now in unstable. -- tobi
Bug#1032847: unblock: intel-microcode/3.20230214.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: intel-microc...@packages.debian.org, t...@security.debian.org Control: affects -1 + src:intel-microcode I've uploaded intel-microcode to DELAYED/5, ETA will be Mar 17 ~18:00 CET Please unblock package intel-microcode once it hits unstable. The upload updates intel microcodes to target (See #1031334) - INTEL-SA-00700: CVE-2022-21216 - INTEL-SA-00730: CVE-2022-33972 - INTEL-SA-00738: CVE-2022-33196 - INTEL-SA-00767: CVE-2022-38090 the CVEs are information disclosure via local access vulnerbilities and potential privilege escalations. I plan to provide updated packages for bullseye (security team in CC). As well as LTS (buster) and ELTS (stretch an jessie) as part of the freexian LTS/ELTS project) To keep the fixes consistent, I'd like to let them flow from sid -> jessie… [ Tests ] I've tested that the package works on Intel hardware that I have access to. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock intel-microcode/3.20230214.1 -- tobi diff -Nru intel-microcode-3.20221108.2/debian/changelog intel-microcode-3.20230214.1/debian/changelog --- intel-microcode-3.20221108.2/debian/changelog 2023-02-17 01:12:52.0 +0100 +++ intel-microcode-3.20230214.1/debian/changelog 2023-03-12 18:16:50.0 +0100 @@ -1,3 +1,52 @@ +intel-microcode (3.20230214.1) unstable; urgency=medium + + * Non-maintainer upload. + * New upstream microcode datafile 20230214 +- Includes Fixes for: (Closes: #1031334) + - INTEL-SA-00700: CVE-2022-21216 + - INTEL-SA-00730: CVE-2022-33972 + - INTEL-SA-00738: CVE-2022-33196 + - INTEL-SA-00767: CVE-2022-38090 + * New Microcodes: +sig 0x000806f4, pf_mask 0x10, 2022-12-19, rev 0x2c000170 +sig 0x000806f4, pf_mask 0x87, 2022-12-27, rev 0x2b000181 +sig 0x000806f5, pf_mask 0x10, 2022-12-19, rev 0x2c000170 +sig 0x000806f5, pf_mask 0x87, 2022-12-27, rev 0x2b000181 +sig 0x000806f6, pf_mask 0x10, 2022-12-19, rev 0x2c000170 +sig 0x000806f6, pf_mask 0x87, 2022-12-27, rev 0x2b000181 +sig 0x000806f7, pf_mask 0x87, 2022-12-27, rev 0x2b000181 +sig 0x000806f8, pf_mask 0x10, 2022-12-19, rev 0x2c000170 +sig 0x000806f8, pf_mask 0x10, 2022-12-19, rev 0x2c000170, size 600064 +sig 0x000806f8, pf_mask 0x87, 2022-12-27, rev 0x2b000181 +sig 0x000806f8, pf_mask 0x87, 2022-12-27, rev 0x2b000181, size 561152 +sig 0x000b06a2, pf_mask 0xc0, 2022-12-08, rev 0x410e +sig 0x000b06a2, pf_mask 0xc0, 2022-12-08, rev 0x410e, size 212992 +sig 0x000b06a3, pf_mask 0xc0, 2022-12-08, rev 0x410e + * Updated Microcodes: +sig 0x00050653, pf_mask 0x97, 2022-08-30, rev 0x1000161, size 36864 +sig 0x00050656, pf_mask 0xbf, 2022-08-26, rev 0x4003303, size 37888 +sig 0x00050657, pf_mask 0xbf, 2022-08-26, rev 0x5003303, size 37888 +sig 0x0005065b, pf_mask 0xbf, 2022-08-26, rev 0x7002503, size 29696 +sig 0x000606a6, pf_mask 0x87, 2022-10-09, rev 0xd000389, size 296960 +sig 0x000606c1, pf_mask 0x10, 2022-09-23, rev 0x1000211, size 289792 +sig 0x000706a1, pf_mask 0x01, 2022-09-16, rev 0x003e, size 75776 +sig 0x000706a8, pf_mask 0x01, 2022-09-20, rev 0x0022, size 76800 +sig 0x000706e5, pf_mask 0x80, 2022-08-31, rev 0x00b8, size 113664 +sig 0x000806a1, pf_mask 0x10, 2022-09-07, rev 0x0032, size 34816 +sig 0x00090672, pf_mask 0x07, 2023-01-04, rev 0x002c +sig 0x00090672, pf_mask 0x07, 2023-01-04, rev 0x002c, size 219136 +sig 0x00090675, pf_mask 0x07, 2023-01-04, rev 0x002c +sig 0x000906a3, pf_mask 0x80, 2023-01-11, rev 0x0429 +sig 0x000906a3, pf_mask 0x80, 2023-01-11, rev 0x0429, size 218112 +sig 0x000906a4, pf_mask 0x80, 2023-01-11, rev 0x0429 +sig 0x000906c0, pf_mask 0x01, 2022-09-02, rev 0x2424, size 20480 +sig 0x000a0671, pf_mask 0x02, 2022-08-31, rev 0x0057, size 103424 +sig 0x000b0671, pf_mask 0x32, 2022-12-19, rev 0x0112, size 207872 +sig 0x000b06f2, pf_mask 0x07, 2023-01-04, rev 0x002c +sig 0x000b06f5, pf_mask 0x07, 2023-01-04, rev 0x002c + + -- Tobias Frost Sun, 12 Mar 2023 18:16:50 +0100 + intel-microcode (3.20221108.2) unstable; urgency=medium * Move source and binary from non-free/admin to non-free-firmware/admin Binary files /tmp/qNbFv9J1ty/intel-microcode-3.20221108.2/intel-ucode/06-55-03 and /tmp/Ekjb2KZejs/intel-microcode-3.20230214.1/intel-ucode/06-55-03 differ Binary files /tmp/qNbFv9J1ty/intel-microcode-3.20221108.2/intel-ucode/06-55-06 and /tmp/Ekjb2KZejs/intel-microcode-3.20230214.1/intel-ucode/06-55-06 differ Binary files /tmp/qNbFv9J1ty/intel-microcode-3.20221108.2/intel-ucode/06-55-07 and /tmp/Ekjb2KZejs/intel-microcode-3.20230214.1/intel-ucode/06-55-07 differ Binary files /tmp/qNbFv9J1ty/intel-microcode-3.20221108.2/intel-ucode/06-55
Bug#1031948: bullseye-pu: package libgit2/1.1.0+dfsg.1-4+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: libg...@packages.debian.org Control: affects -1 + src:libgit2 After fixing CVE-2023-22742 for LTS and ELTS, I'd like to see this CVE also fixed in stable, for consistency. The CVE is an inproper ssh certificate validation vulnerabilty, which allows man-in-the-middle attacks. [ Tests ] I've manually tested the patch (checking if git poperations still work using the ssh transport. Autopkgtests are green too. [ Risks ] Manual tests and test suite works ok. [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] The change is a backport of the upstream fix: https://github.com/libgit2/libgit2/commit/cd6f679af401eda1f172402006ef8265f8bd58ea diff -Nru libgit2-1.1.0+dfsg.1/debian/changelog libgit2-1.1.0+dfsg.1/debian/changelog --- libgit2-1.1.0+dfsg.1/debian/changelog 2021-01-06 18:28:58.0 +0100 +++ libgit2-1.1.0+dfsg.1/debian/changelog 2023-02-24 16:11:52.0 +0100 @@ -1,3 +1,10 @@ +libgit2 (1.1.0+dfsg.1-4+deb11u1) bullseye-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Backport patch for CVE-2023-22742 (Closes: #1029368) + + -- Tobias Frost Fri, 24 Feb 2023 16:11:52 +0100 + libgit2 (1.1.0+dfsg.1-4) unstable; urgency=medium * Source-only upload for migration. diff -Nru libgit2-1.1.0+dfsg.1/debian/patches/CVE-2023-22742.patch libgit2-1.1.0+dfsg.1/debian/patches/CVE-2023-22742.patch --- libgit2-1.1.0+dfsg.1/debian/patches/CVE-2023-22742.patch1970-01-01 01:00:00.0 +0100 +++ libgit2-1.1.0+dfsg.1/debian/patches/CVE-2023-22742.patch2023-02-24 16:11:52.0 +0100 @@ -0,0 +1,523 @@ +Description: CVE-2023-22742 - fails to verify SSH keys by default + CVE-Description: libgit2 is a cross-platform, linkable library + implementation of Git. When using an SSH remote with the optional libssh2 + backend, libgit2 does not perform certificate checking by default. Prior + versions of libgit2 require the caller to set the `certificate_check` field of + libgit2's `git_remote_callbacks` structure - if a certificate check callback is + not set, libgit2 does not perform any certificate checking. This means that by + default - without configuring a certificate check callback, clients will not + perform validation on the server SSH keys and may be subject to a + man-in-the-middle attack. + This is a backport of the upstream fix to the Debian stretch version. +Origin: https://github.com/libgit2/libgit2/pull/6449 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029368 +Forwarded: +Last-Update: 2023-02-21 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/transports/ssh.c b/src/transports/ssh.c +@@ -475,15 +475,122 @@ + return 0; + } + ++ ++#define KNOWN_HOSTS_FILE ".ssh/known_hosts" ++ ++/* ++ * Load the known_hosts file. ++ * ++ * Returns success but leaves the output NULL if we couldn't find the file. ++ */ ++static int load_known_hosts(LIBSSH2_KNOWNHOSTS **hosts, LIBSSH2_SESSION *session) ++{ ++ git_buf path = GIT_BUF_INIT; ++ LIBSSH2_KNOWNHOSTS *known_hosts = NULL; ++ int error; ++ char *home = getenv("HOME"); ++ ++ assert(hosts); ++ ++ if (!home) ++ return GIT_ENOTFOUND; ++ ++ ++ ++ if ((error = git_buf_join(, '/', home, KNOWN_HOSTS_FILE)) < 0) ++ goto out; ++ ++ if ((known_hosts = libssh2_knownhost_init(session)) == NULL) { ++ ssh_error(session, "error initializing known hosts"); ++ error = -1; ++ goto out; ++ } ++ ++ /* ++ * Try to read the file and consider not finding it as not trusting the ++ * host rather than an error. ++ */ ++ error = libssh2_knownhost_readfile(known_hosts, path.ptr, LIBSSH2_KNOWNHOST_FILE_OPENSSH); ++ if (error == LIBSSH2_ERROR_FILE) ++ error = 0; ++ if (error < 0) ++ ssh_error(session, "error reading known_hosts"); ++ ++out: ++ *hosts = known_hosts; ++ ++ git_buf_free(); ++ ++ return error; ++} ++ ++static const char *hostkey_type_to_string(int type) ++{ ++ switch (type) { ++ case LIBSSH2_KNOWNHOST_KEY_SSHRSA: ++ return "ssh-rsa"; ++ case LIBSSH2_KNOWNHOST_KEY_SSHDSS: ++ return "ssh-dss"; ++#ifdef LIBSSH2_KNOWNHOST_KEY_ECDSA_256 ++ case LIBSSH2_KNOWNHOST_KEY_ECDSA_256: ++ return "ecdsa-sha2-nistp256"; ++ case LIBSSH2_KNOWNHOST_KEY_ECDSA_384: ++ return "ecdsa-sha2-nistp384"; ++ case LIBSSH2_KNOWNHOST_KEY_ECDSA_521: ++ return "ecdsa-sha2-nistp521"; ++#endif ++#ifdef LIBSS
Bug#1031879: unblock: gnome-shell-pomodoro/0.22.1-1 (Preapproval)
Hi Sebastian > > Please go ahead. > Thanks, I've uploaded it to unstable. -- tobi
Bug#1031879: unblock: gnome-shell-pomodoro/0.22.1-1 (Preapproval)
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: gnome-shell-pomod...@packages.debian.org Control: affects -1 + src:gnome-shell-pomodoro Please unblock package gnome-shell-pomodoro There is currently an nasty bug in this gnome-shell extension which makes the overlay non-exitable, basically make the user stuck at a kind of lock screen until the pomodoro break timer runs out (e.g 10 minutes) Debian bug is #1031528 Upstream bug is: https://github.com/gnome-pomodoro/gnome-pomodoro/issues/635 It is fixed in upstream version 0.22.1-1 Unfortunatly it is not easy to isolate the required patch (I tried and broke more stuff), as important internal parts have been refactored and bits of those refactorings are needed, so that I came to the conclusion it would be less risky to use the new minor upstream release. Upstream changes are NOT massive: Release version 0.22.1: * Close screen overlay by hitting Esc key - a failsafe method * Don't open screen overlay while a video call app is fullscreen * Fixed screen overlays timer label getting ellipsized * Fixed screen overlay being over screensaver animation * Add --reset commandline option Upstream diff between the two version: https://github.com/gnome-pomodoro/gnome-pomodoro/compare/0.22.0...0.22.1 The package is a leaf package, so the risk to break other stuff is not huge. unblock gnome-shell-pomodoro/0.22.1-1 Please let me know if this would be OK and then I'll prepare a debdiff (I don't anticipate the need to change something in the packaging itself) Cheers, -- tobi
Bug#1020303: bullseye-pu: package modsecurity-apache/2.9.3-3+deb11u2
Package: release.debian.org Followup-For: Bug #1020303 Dear stable release team, Yesterday I've uploaded fixed versions of modsecurity-apache to buster / stretch as part of the Debian LTS/ELTS project. (DLA-3283-1 / ELA-77-9-1) Since this bug (#1023303) has been opened, the issue Alberto wanted to addressed has been assigned CVE-2022-48279. An additinal vulnerability has been identified as well, CVE-2023-24021, which is also fixed by this proposed upload. I'd like to see these fixes also in stable, therefore the attached debdiff fixes both issues. To make sure that there is no misunderstanding: The change in modsecurity-apache does NOT affect stable's modsecurity-crs at all, there is no incompatiblity here (only a newer modsecurity-crs needs this fixes to work properly) [ Reason ] Fixing CVE-2022-48279 and CVE-2023-24021 also in stable. [ Impact ] CVE-2022-48279 In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase. CVE-2023-24021 Incorrect handling of null-bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer overflows on the Web Application Firewall when executing rules reading the FILES_TMP_CONTENT collection [ Tests ] The changes were checked with the modsecurity-crs test suite on a bullseye, buster and stretch VM. The have been reviewed by Ervin (package maintainer, modsecurity-crs upstream) and Ervin also conducted tests. [ Risks ] IMHO Risk is low: - The patches are from the upstream puill requests - significant testing effort has been done. [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Other info ] Note that the description of CVE-2023-24021 on e.g mitre / security tracker is outdated, the updated text quoted is currently pending to be updated by mitre, as I've received updates from the discoveres of the vulnerability only after I have filed the CVE last week. -- tobi diff -Nru modsecurity-apache-2.9.3/debian/changelog modsecurity-apache-2.9.3/debian/changelog --- modsecurity-apache-2.9.3/debian/changelog 2021-12-01 16:04:02.0 +0100 +++ modsecurity-apache-2.9.3/debian/changelog 2023-01-27 10:09:29.0 +0100 @@ -1,7 +1,20 @@ +modsecurity-apache (2.9.3-3+deb11u2) bullseye; urgency=medium + + * Non-maintainer upload by the LTS security team. + + [ Ervin Hegedus ] + * Fix CVE-2022-48279: Added multipart_part_headers.patch + + [ Tobias Frost ] + * Fix CVE-2023-24021, cherry-picking upstream commit. (Closes: #1029329) + * Fix typo in CVE number in 2.9.3-3+deb11u1 entry. (s/--/-/) + + -- Tobias Frost Fri, 27 Jan 2023 10:09:29 +0100 + modsecurity-apache (2.9.3-3+deb11u1) bullseye-security; urgency=high * Added json_depth_limit.patch -Fixes CVE--2021-42717 +Fixes CVE-2021-42717 -- Ervin Hegedus Wed, 01 Dec 2021 16:04:02 +0100 diff -Nru modsecurity-apache-2.9.3/debian/patches/CVE-2023-24021_FILES_TMP_CONTENT.patch modsecurity-apache-2.9.3/debian/patches/CVE-2023-24021_FILES_TMP_CONTENT.patch --- modsecurity-apache-2.9.3/debian/patches/CVE-2023-24021_FILES_TMP_CONTENT.patch 1970-01-01 01:00:00.0 +0100 +++ modsecurity-apache-2.9.3/debian/patches/CVE-2023-24021_FILES_TMP_CONTENT.patch 2023-01-27 10:03:33.0 +0100 @@ -0,0 +1,59 @@ +Description: CVE-2023-24021 FILES_TMP_CONTENT may sometimes lack complete content +Origin: https://github.com/SpiderLabs/ModSecurity/pull/2857 +Bug-Debian: https://bugs.debian.org/1029329 +From 4324f0ac59f8225aa44bc5034df60dbeccd1d334 Mon Sep 17 00:00:00 2001 +From: Martin Vierula +Date: Wed, 4 Jan 2023 11:34:11 -0800 +Subject: [PATCH] Fix: FILES_TMP_CONTENT may sometimes lack complete content +--- a/apache2/re_variables.c b/apache2/re_variables.c +@@ -1164,6 +1164,7 @@ + FILE *file; + size_t nread; + char *full_content = NULL; ++char *full_content_tmp_ptr = NULL; + size_t total_lenght = 0; + msre_var *rvar = NULL; + +@@ -1173,19 +1174,23 @@ + continue; + } + ++full_content = (char *)apr_pcalloc(mptmp, (sizeof(char)*parts[i]->length) + 1); ++if (full_content == NULL) { ++if (msr->txcfg->debuglog_level >= 3) { ++msr_log(msr, 3, "Variable FILES_TMP_CONTENT will not be created, not " \ ++"enough memory available."); ++} ++goto files_tmp_content_not_enough_mem; ++} ++full_content_tmp_ptr = full_content; ++ +
Bug#1029217: bullseye-pu: package libapreq2/2.13-7~deb11u1
On Thu, Jan 19, 2023 at 09:08:20PM +0100, Salvatore Bonaccorso wrote: > Hi Tobi, > > Small formal review: > > On Thu, Jan 19, 2023 at 08:52:37PM +0100, Tobias Frost wrote: > > forgot to attach the diff > > > > > diff -Nru libapreq2-2.13/debian/changelog libapreq2-2.13/debian/changelog > > --- libapreq2-2.13/debian/changelog 2019-09-18 09:12:54.0 +0200 > > +++ libapreq2-2.13/debian/changelog 2023-01-19 20:25:21.0 +0100 > > @@ -1,3 +1,10 @@ > > +libapreq2 (2.13-7~deb11u1) UNRELEASED; urgency=high > > The version number should be 2.13-7+deb11u1 in this case. Don't forget > to set target distribution as well to 'bullseye'. Thanks for taking a look! I've fixed it in salsa [1]. [1] https://salsa.debian.org/debian/libapreq2/-/tree/debian/bullseye > Regards, > Salvatore
Bug#1029217: bullseye-pu: package libapreq2/2.13-7~deb11u1
forgot to attach the diff diff -Nru libapreq2-2.13/debian/changelog libapreq2-2.13/debian/changelog --- libapreq2-2.13/debian/changelog 2019-09-18 09:12:54.0 +0200 +++ libapreq2-2.13/debian/changelog 2023-01-19 20:25:21.0 +0100 @@ -1,3 +1,10 @@ +libapreq2 (2.13-7~deb11u1) UNRELEASED; urgency=high + + * Non-maintainer upload by the Security Team. + * Backport fix for CVE-2022-22728. (Closes: #1018191) + + -- Tobias Frost Thu, 19 Jan 2023 20:25:21 +0100 + libapreq2 (2.13-7) unstable; urgency=high * Source-only upload. diff -Nru libapreq2-2.13/debian/patches/10-CVE-2022-22728_1of4.patch libapreq2-2.13/debian/patches/10-CVE-2022-22728_1of4.patch --- libapreq2-2.13/debian/patches/10-CVE-2022-22728_1of4.patch 1970-01-01 01:00:00.0 +0100 +++ libapreq2-2.13/debian/patches/10-CVE-2022-22728_1of4.patch 2023-01-19 20:24:24.0 +0100 @@ -0,0 +1,385 @@ +Description: CVE-2022-22728 -- multipart form parse memory corruption + A flaw in Apache libapreq2 versions 2.16 and earlier could cause a + buffer overflow while processing multipart form uploads. A remote + attacker could send a request causing a process crash which could lead + to a denial of service attack. + This is #1 of 4 patches, see also https://www.openwall.com/lists/oss-security/2023/01/02/2 +Origin: https://svn.apache.org/viewvc?view=revision=1894937 +Bug-Debian: https://bugs.debian.org/1018191 +Reviewed-by: Tobias Frost +Last-Update: 2023-01-13 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/library/parser_header.c b/library/parser_header.c +@@ -39,7 +39,10 @@ + HDR_GAP, + HDR_VALUE, + HDR_NEWLINE, +-HDR_CONTINUE, ++HDR_CONTLINE, ++HDR_WANTLINE, ++HDR_NEXTLINE, ++HDR_LASTLINE, + HDR_COMPLETE, + HDR_ERROR + } status; +@@ -59,16 +62,17 @@ + apreq_value_t *v; + apr_bucket *e, *f; + apr_status_t s; +-struct iovec vec[APREQ_DEFAULT_NELTS], *iov, *end; +-apr_array_header_t arr; ++struct iovec vec[APREQ_DEFAULT_NELTS], *iov; ++apr_array_header_t arr, *a = + char *dest; + const char *data; + apr_size_t dlen; ++int i; + + if (nlen == 0) + return APR_EBADARG; + +-param = apreq_param_make(pool, NULL, nlen, NULL, vlen - 1); /*drop (CR)LF */ ++param = apreq_param_make(pool, NULL, nlen, NULL, vlen); + *(const apreq_value_t **) = >v; + + arr.pool = pool; +@@ -80,67 +84,78 @@ + e = APR_BRIGADE_FIRST(bb); + + /* store name in a temporary iovec array */ +- + while (nlen > 0) { + apr_size_t len; +-end = apr_array_push(); +-s = apr_bucket_read(e, (const char **)>iov_base, ++ ++if (a->nelts == a->nalloc) { ++a = apr_array_make(pool, arr.nalloc * 2, sizeof(struct iovec)); ++memcpy(a->elts, arr.elts, arr.nelts * sizeof(struct iovec)); ++a->nelts = arr.nelts; ++} ++iov = (struct iovec *)apr_array_push(a); ++ ++assert(e != APR_BRIGADE_SENTINEL(bb)); ++s = apr_bucket_read(e, (const char **)>iov_base, + , APR_BLOCK_READ); + if (s != APR_SUCCESS) + return s; ++iov->iov_len = len; + + assert(nlen >= len); +-end->iov_len = len; + nlen -= len; + + e = APR_BUCKET_NEXT(e); + } + + /* skip gap */ +- + while (glen > 0) { ++assert(e != APR_BRIGADE_SENTINEL(bb)); + s = apr_bucket_read(e, , , APR_BLOCK_READ); + if (s != APR_SUCCESS) + return s; + + assert(glen >= dlen); + glen -= dlen; ++ + e = APR_BUCKET_NEXT(e); + } + + /* copy value */ +-assert(vlen > 0); + dest = v->data; + while (vlen > 0) { ++apr_size_t off; + ++assert(e != APR_BRIGADE_SENTINEL(bb)); + s = apr_bucket_read(e, , , APR_BLOCK_READ); + if (s != APR_SUCCESS) + return s; + +-memcpy(dest, data, dlen); +-dest += dlen; +-assert(vlen >= dlen); +-vlen -= dlen; ++for (off = 0; off < dlen; ++off) { ++const char ch = data[off]; ++if (ch == '\r' || ch == '\n') { ++/* skip continuation CRLF(s) */ ++continue; ++} ++assert(vlen > 0); ++*dest = ch; ++++dest; ++--vlen; ++} ++ + e = APR_BUCKET_NEXT(e); + } +- +-assert(dest[-1] == '\n'); +- +-if (dest[-2] == '\r') +---dest; +- +-dest[-1] = 0; +-v->dlen = (dest - v->data) - 1; ++v->dlen = dest - v->data; ++*dest++ = 0; + + /* write name */ + v->name = dest; +-iov = (struct iovec *)arr.elts; +- +-while (iov <= end) { ++for (i = 0; i < a->nelts; ++i) { ++iov = (struct iovec *)a->elts + i;
Bug#1029217: bullseye-pu: package libapreq2/2.13-7~deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: libapr...@packages.debian.org, Salvatore Bonaccorso Control: affects -1 + src:libapreq2 I've uploaded prepared an security update of libapreq2 for LTS and ELTS. The proposed upload fixes the CVE also for bullseye. CVE-2022-22728: A flaw in Apache libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash which could lead to a denial of service attack. I've conducted tests with e.g the reverse dependency rapache (libapache2-mod-r-base) -- tobi
Bug#1027746: transition: log4cxx
Hi Sebastian, thanks for the go ahead! On Wed, 4 Jan 2023 19:42:13 +0100 Sebastian Ramacher wrote: > Control: tags -1 confirmed > > Please go ahead. Uploaded to unstable and it has been built on all archs already… :) I guess it is ready to schedule the binNMUs :) -- Cheers, tobi
Re: SONAME bumps (transitions) always via experimental
On Thu, Jan 05, 2023 at 02:29:42PM +0100, Sebastian Ramacher wrote: > > From recent memory and assuming there are no issues with d/copyright, > binary-NEW uploads to experimental have been processed swiftly. This is also my experience that binary-NEW uploads for library SONAME bumps are handled very fast, (also) in experimental. (Some time ago sponsored such a package, at is was even accepted within an hour :)) -- tobi
Bug#1027746: transition: log4cxx
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition X-Debbugs-Cc: log4...@packages.debian.org Control: affects -1 + src:log4cxx Hi, I'm currently preparing for log4cxx13 -> log4cxx15 transition. (SO_NAME 14 had been skipped by upstream) All it's r-depends builds fine, and there are only three, I anticipate a smooth transition: R-Dependees are: solarpowerlog ✔ ros-rosconsole ✔ ros-ros-comm ✔ (zookeeper is B-D on log4cxx, however it is not using it, #1027732) Waiting for the green light from you ;-) -- tobi
Bug#1025700: bullseye-pu: package virglrenderer/0.8.2-5+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: Gert Wollny (CC'ing Gert Wollny as maintainer of virglrenderer so he is aware) [ Reason ] I'm currently preparing a security update for virglrenderer for LTS and figured out that there is one of the fixed CVEs is not adressed in bullseye yet. The CVE fixed is CVE-2022-0135: (#1009073) To have this CVE also fixed in bullseye, I'm asking for permission to upload a targeted fix for the next stable point release. The changes are on this branch: https://salsa.debian.org/debian/virglrenderer/-/tree/debian/bullseye namely adding this patch: https://salsa.debian.org/debian/virglrenderer/-/blob/debian/bullseye/debian/patches/CVE-2022-0135.patch [ Impact ] The description of CVE-2022-0135 is: An out-of-bounds write issue was found in the VirGL virtual OpenGL renderer (virglrenderer). This flaw allows a malicious guest to create a specially crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, leading to a denial of service or possible code execution. [ Tests ] Upstream provides a unit-text which covers this CVE. [ Risks ] The patch is taken from upstream: https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable -- tobi diff -Nru virglrenderer-0.8.2/debian/changelog virglrenderer-0.8.2/debian/changelog --- virglrenderer-0.8.2/debian/changelog2020-12-07 13:38:41.0 +0100 +++ virglrenderer-0.8.2/debian/changelog2022-12-07 17:24:59.0 +0100 @@ -1,3 +1,10 @@ +virglrenderer (0.8.2-5+deb11u1) bullseye; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * Cherry-pick upstream fix for CVE-2022-0135. (Closes: #1009073) + + -- Tobias Frost Wed, 07 Dec 2022 17:24:59 +0100 + virglrenderer (0.8.2-5) unstable; urgency=medium [ Christian Ehrhardt ] diff -Nru virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch --- virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch 1970-01-01 01:00:00.0 +0100 +++ virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch 2022-12-07 17:24:59.0 +0100 @@ -0,0 +1,83 @@ +Description: CVE-2022-0135 + An out-of-bounds write issue was found in the VirGL virtual OpenGL + renderer (virglrenderer). This flaw allows a malicious guest to create a + specially crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, + leading to a denial of service or possible code execution. +Origin: https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009073 +Last-Update: 2022-12-05 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/vrend_renderer.c b/src/vrend_renderer.c +@@ -7097,8 +7097,11 @@ + info->box->height) * elsize; + if (res->target == GL_TEXTURE_3D || + res->target == GL_TEXTURE_2D_ARRAY || ++ res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY || + res->target == GL_TEXTURE_CUBE_MAP_ARRAY) + send_size *= info->box->depth; ++ else if (need_temp && info->box->depth != 1) ++ return EINVAL; + + if (need_temp) { + data = malloc(send_size); +--- a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c +@@ -958,6 +958,48 @@ + virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde); + } + ++/* Test adapted from yaojun8558...@gmail.com: ++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250 ++*/ ++static void test_vrend_3d_resource_overflow() { ++ ++struct virgl_renderer_resource_create_args resource; ++resource.handle = 0x4c474572; ++resource.target = PIPE_TEXTURE_2D_ARRAY; ++resource.format = VIRGL_FORMAT_Z24X8_UNORM; ++resource.nr_samples = 2; ++resource.last_level = 0; ++resource.array_size = 3; ++resource.bind = VIRGL_BIND_SAMPLER_VIEW; ++resource.depth = 1; ++resource.width = 8; ++resource.height = 4; ++resource.flags = 0; ++ ++virgl_renderer_resource_create(, NULL, 0); ++virgl_renderer_ctx_attach_resource(ctx_id, resource.handle); ++ ++uint32_t size = 0x400; ++uint32_t cmd[size]; ++int i = 0; ++cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE; ++cmd[i++] = resource.handle; ++cmd[i++] = 0; // level ++cmd[i++] = 0; // usage ++cmd[i++] = 0; // stride ++cmd[i++] = 0; // layer_stride ++cmd[i++] = 0; // x ++cmd[i++] = 0; // y ++cmd[i++] = 0; // z ++cmd[i++] = 8; // w ++cmd[i++]
Bug#1019416: Prusa-Slicer and wxwidget3.2 (Transition: wxwidgets3.2)
control: block -1 by 1023365 FWWIW, wxwidget 3.2 breaks at least prusa-slicer (#1022234, #1023365). Upstream explictily says it does not (yet) support wxwidgets 3.2. [1] Just mentioning here, as it *builds* fine against wxwigets3.0, but does not work (instant crashes). Prusa-Slicer is for many people owning a 3D printer a very important package, it would be a pitty if bookworm have it… Is there a possiblity to keep wx3.0 for bookworm? Cheers, -- tobi signature.asc Description: PGP signature
Bug#1023263: bullseye-pu: package clickhouse/18.16.1+ds-4+deb10u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu Hi Release-Team, [ Reason ] I'm currently preparing a security update for clickhouse for LTS. As the versions are quite similar, I've also prepared an update for bullseye, even if the issues are marked "minor". The CVE's are: CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, CVE-2021-43305 (Details on them are in #1008216) I've checked with the security team and they indicated that this might be something for stable-proposed-updates. The changes are on this branch: https://salsa.debian.org/debian/ClickHouse/-/commits/debian/bullseye [ Impact ] The assement in #1008216 is: By triggering the vulnerabilities, an attacker can crash the ClickHouse server, leak memory contents or even cause remote code execution. [ Tests ] The package has an extensive test suite. I've also locally briefly tested the package. [ Risks ] The change is cherry-picked from upstream fix. Upstream has moved along source files and restructued things, but the affected code is the same. The upstream fix mentioned below also contains other fixes, introduced in later -- no in Debian -- versions. Upstream fix: https://github.com/ClickHouse/ClickHouse/pull/27136 Patch used: https://salsa.debian.org/debian/ClickHouse/-/blob/debian/bullseye/debian/patches/CVE-2021-4238x-and-4330x.patch [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [ ] the issue is verified as fixed in unstable The NMU fixing this is currently in DELAYED. ETA Nov 5 ~13:00) [ Changes ] See patch. (The remaining change is to salsa-ci configuration, to be able to utilize the CI for testbuilds.) [ Other info ] Cheers, -- tobi diff -Nru clickhouse-18.16.1+ds/debian/changelog clickhouse-18.16.1+ds/debian/changelog --- clickhouse-18.16.1+ds/debian/changelog 2020-12-03 20:45:03.0 +0100 +++ clickhouse-18.16.1+ds/debian/changelog 2022-10-31 17:33:32.0 +0100 @@ -1,3 +1,12 @@ +clickhouse (18.16.1+ds-7.2+deb11u1) bullseye-security; urgency=medium + + * Non-maintainer upload by the Security Team. + * Add Salsa CI config for bullseye. + * Fix CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, CVE-2021-43305 +(Closes: #1008216) + + -- Tobias Frost Mon, 31 Oct 2022 17:33:32 +0100 + clickhouse (18.16.1+ds-7.2) unstable; urgency=medium [Balint Reczey] diff -Nru clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch --- clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch 1970-01-01 01:00:00.0 +0100 +++ clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch 2022-10-31 17:25:21.0 +0100 @@ -0,0 +1,134 @@ +Description: Fix for CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, CVE-2021-43305 + Cherry pick relevant parts from upstream PR, adapted to version in Debian. +Origin: https://github.com/ClickHouse/ClickHouse/pull/27136 +Bug-Debian: https://bugs.debian.org/1008216 +Forwarded: no +Applied-Upstream: yes, https://github.com/ClickHouse/ClickHouse/pull/27136 +Last-Update: 2022-10-30 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/dbms/src/IO/LZ4_decompress_faster.cpp b/dbms/src/IO/LZ4_decompress_faster.cpp +@@ -342,13 +342,16 @@ + + + template +-void NO_INLINE decompressImpl( ++bool NO_INLINE decompressImpl( + const char * const source, + char * const dest, ++ size_t source_size, + size_t dest_size) + { + const UInt8 * ip = (UInt8 *)source; + UInt8 * op = (UInt8 *)dest; ++const UInt8 * const input_end = ip + source_size; ++UInt8 * const output_begin = op; + UInt8 * const output_end = op + dest_size; + + while (1) +@@ -387,13 +390,19 @@ + /// output: xyzHello, w + /// ^-op (we will overwrite excessive bytes on next iteration) + +-wildCopy(op, ip, copy_end);/// Here we can write up to copy_amount - 1 bytes after buffer. ++{ ++auto * target = std::min(copy_end, output_end); ++wildCopy(op, ip, target);/// Here we can write up to copy_amount - 1 bytes after buffer. ++ ++if (target == output_end) ++return true; ++} + + ip += length; + op = copy_end; + +-if (copy_end >= output_end) +-return; ++if (unlikely(ip > input_end)) ++return false; + + /// Get match offset. + +@@ -401,6 +410,9 @@ + ip += 2; + const UInt8 * match = op - offset; + ++if (unlikely(match < output_begin)) ++return false; ++ + /// Get match length. + + length = token & 0x0F; +@@ -441,7 +453,10 @@ + + copy(op, match); /// copy_amount + copy_amount - 1 - 4
Bug#1019722: nmu: openmpi_4.1.0-10
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu X-Debbugs-Cc: 1019...@bugs.debian.org nmu openmpi_4.1.0-10 . ANY . unstable . -m "Rebuild with fixed dh-fotran-mod (See #1019050)"" As reported in #1019721, openmpi is affected by #1019050, so a rebuild should fix that. -- tobi
Bug#1018190: nmu: deal.ii_9.4.0-1+b1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu Now that pmix has been reverted, deal.ii can be rebuilt against opencascade 7.6.3, to make it installable again. Please add an additional Dep-Wait on pmix > 4.2.0+really.4.1.2-1~ as pmix for mips64el is not yet built (it seems to run out of memory on this arch) nmu deal.ii_9.4.0-1+b1 . ANY . unstable . -m "rebuild against opencascade 7.6.3" -- Thanks tobi
Re: libpmix2: symbol lookup error: /usr/lib/x86_64-linux-gnu/openmpi/lib/openmpi3/mca_pmix_ext3x.so: undefined symbol: pmix_value_load
On Tue, 23 Aug 2022 18:01:23 +0200 Drew Parsons wrote: > Source: pmix > Followup-For: Bug #1017356 > Control: reopen -1 > Control: found 1017356 pmix/4.2.0-2 > > Adrian's last comments still apply all the same. > The problem is still there. > > (tests of version 4.2.0-1 in experimental get run in unstable, see > https://ci.debian.net/packages/m/mpi4py/unstable/amd64/ ) > > There are many reverse depencies broken due to this issue… I was looking into the ABI change and it seems to me that there will be some efforts required to update to compensate for the removed functions. Maybe it would be a good idea to revert pmix to 4.1.2 ? (e.g pmix-4.2.0+really-4.1.2-1) be uploaded and then do a proper transistion? CC'in the release team to soliciate their input. -- tobi
Bug#1015254: transition: opencascade
Hi Sebastian, netgen has now been fixed. Can you schedule a binNMU for gmsh, so that gmsh will be installable again? (there is no sourceful upload needed to make that happen) Possibly, not sure if really needed, with a Dep-Wait on netgen >= 6.2.2006+really6.2.1905+dfsg-5.1, as some ports have not recompiled netgen yet. -- Thanks tobi On Tue, Aug 16, 2022 at 09:10:33PM +0200, Sebastian Ramacher wrote: > On 2022-07-18 14:26:26 +0200, Tobias Frost wrote: > > Hi Release team, > > > > opencascade has a new release with bumps so name to 7.6 The transition > > tracker [1] > > correctly picked it up already after the upload to experimental. > > > > [1] https://release.debian.org/transitions/html/auto-opencascade.html > > > > This bug is also to help me keeping track of the transistion as it will > > need at least > > one sourceful upload of netgen. > > > > building the reverse depenencies, results are: > > > > Dependency level 2 > > > > freecad (sid only)✔ (RC buggy due to other issues) > > kicad ✔ > > netgen✘ (fixed upstream, #1014964)) > > > > With a local built of netgen (patched to just make it compile, not > > preserving functionality), > > I could get also Dependency level 3 to be built: > > > > gmsh_4.5.6+ds1 ✔ (BDs on netgen) > > > > Dependency Level 4: > > deal.ii_9.1.1-9 ✔ (BDs on gmsh) > > > > > > I'm not sure if I can come up with a proper patch for netgen, but I will > > try. > > netgen and reverse depenencies have been removed. This transition is > done. > > Cheers > -- > Sebastian Ramacher
Bug#1015254: transition: opencascade
Apperantly it has been done alrasdy, sorry for the noise and disregard the previous mail… -- tobi Hi Sebastian, netgen has now been fixed. Can you schedule a binNMU for gmsh, so that gmsh will be installable again? (there is no sourceful upload needed to make that happen) Possibly, not sure if really needed, with a Dep-Wait on netgen >= 6.2.2006+really6.2.1905+dfsg-5.1, as some ports have not recompiled netgen yet. -- Thanks tobi On Tue, Aug 16, 2022 at 09:10:33PM +0200, Sebastian Ramacher wrote: > On 2022-07-18 14:26:26 +0200, Tobias Frost wrote: > > Hi Release team, > > > > opencascade has a new release with bumps so name to 7.6 The transition > > tracker [1] > > correctly picked it up already after the upload to experimental. > > > > [1] https://release.debian.org/transitions/html/auto-opencascade.html > > > > This bug is also to help me keeping track of the transistion as it will > > need at least > > one sourceful upload of netgen. > > > > building the reverse depenencies, results are: > > > > Dependency level 2 > > > > freecad (sid only)✔ (RC buggy due to other issues) > > kicad ✔ > > netgen✘ (fixed upstream, #1014964)) > > > > With a local built of netgen (patched to just make it compile, not > > preserving functionality), > > I could get also Dependency level 3 to be built: > > > > gmsh_4.5.6+ds1 ✔ (BDs on netgen) > > > > Dependency Level 4: > > deal.ii_9.1.1-9 ✔ (BDs on gmsh) > > > > > > I'm not sure if I can come up with a proper patch for netgen, but I will > > try. > > netgen and reverse depenencies have been removed. This transition is > done. > > Cheers > -- > Sebastian Ramacher
Bug#1015254: transition: opencascade
Hi, On Mon, Aug 01, 2022 at 08:29:45AM +0100, Graham Inggs wrote: > Control: tags -1 confirmed > > Hi Tobi > > On Sun, 31 Jul 2022 at 16:51, Tobias Frost wrote: > > I've uploading 7.6.3 right now to experimental; as I removed the confirmed > > tag, please reACK > > the "go ahead" -- I've tested that all r-depends that worked before are > > still compiling > > reACK opencascade has now built on all release archs. I'd suggest to start binNMU freecad and maybe then proceed to remove netgen together with gmsh and deal.ii temporarily from testing. (the later two need an updated netgen…) (I'll poked the maintainer of netgen already, but no respons… As netgen has a "+really" version without really documenting the reason, I fear if I NMU a newer version I could break stuff…) -- Cheers, tobi
Bug#1015254: transition: opencascade
On Sun, Jul 31, 2022 at 02:02:22PM +0200, Tobias Frost wrote: (...) > as NEW will be involved) Silly me, NEW is not involved... I've uploading 7.6.3 right now to experimental; as I removed the confirmed tag, please reACK the "go ahead" -- I've tested that all r-depends that worked before are still compiling -- tobi
Bug#1015254: transition: opencascade
Control: tags -1 -confirmed On Fri, Jul 22, 2022 at 02:42:13PM +0200, Graham Inggs wrote: > Control: tags -1 confirmed > > Hi Tobi > > On Mon, 18 Jul 2022 at 14:30, Tobias Frost wrote: > > opencascade has a new release with bumps so name to 7.6 The transition > > tracker [1] > > correctly picked it up already after the upload to experimental. > > Please go ahead with the upload to unstable. Upstream has released 7.6.3 in the mean time. This version seems to adress several issues, so I plan to package 7.6.3 first before uploading 7.6.2 to upstream. I'll update this bug report when ready (as NEW will be involved) and for the mean time remove the "confirmed" tag. If that does not sound like a good plan to you, please let me know ;-) -- tobi
Bug#1015254: transition: opencascade
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Control: block 1014964 by -1 Hi Release team, opencascade has a new release with bumps so name to 7.6 The transition tracker [1] correctly picked it up already after the upload to experimental. [1] https://release.debian.org/transitions/html/auto-opencascade.html This bug is also to help me keeping track of the transistion as it will need at least one sourceful upload of netgen. building the reverse depenencies, results are: Dependency level 2 freecad (sid only)✔ (RC buggy due to other issues) kicad ✔ netgen✘ (fixed upstream, #1014964)) With a local built of netgen (patched to just make it compile, not preserving functionality), I could get also Dependency level 3 to be built: gmsh_4.5.6+ds1 ✔ (BDs on netgen) Dependency Level 4: deal.ii_9.1.1-9 ✔ (BDs on gmsh) I'm not sure if I can come up with a proper patch for netgen, but I will try. Cheers, -- tobi
Bug#1012651: transition: log4cxx
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition I'm preparing the transistion for log4cxx from SONAME 12 to SONAME 13. I have built the r-deps locally with the result indicated below: solarpowerlog-- builds fine ros-rosconsole -- builds fine zookeeper-- FTBFS, unrelated to log4cxx (#984406) TL:DR: Should be a small, smooth transition. Ben file: (The "auto" transistion seems to be right already) title = "log4cxx"; is_affected = .depends ~ "liblog4cxx12" | .depends ~ "liblog4cxx13"; is_good = .depends ~ "liblog4cxx13"; is_bad = .depends ~ "liblog4cxx12"; -- Waiting for your green light, tobi
Bug#1003346: transition: log4cxx
On Sun, Jan 09, 2022 at 02:46:47PM +0100, Sebastian Ramacher wrote: > Please go ahead Done and it seems that all rebuild have been scheduled and completed already! Thanks especially for that quick turnaround! Cheers, -- tobi
Bug#1003346: transition: log4cxx
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition X-Debbugs-Cc: ros-roscons...@packages.debian.org, Hi, I'm planning to transit liblog4cxx 0.11 -> 0.12. https://release.debian.org/transitions/html/auto-log4cxx.html list 3 reverse dependencies. Here is there status in respect to log4cxx: log4cxx: Uploaded to experimental, all release archs green. ros-rosconsole: Needs upload, Patch available (#1001881 -- uploaded to experimental already) solarpowerlog: Compile fine with new version. zookeeper: Not in testing, already RC-buggy (FTBFS unrelated to transition) Ben file: title = "log4cxx"; is_affected = .depends ~ "liblog4cxx11" | .depends ~ "liblog4cxx12"; is_good = .depends ~ "liblog4cxx12"; is_bad = .depends ~ "liblog4cxx11"; Waiting for your green light :) Cheers, -- tobi
Bug#1002814: nmu: dovecot-antispam_2.0+20171229-1+b8
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu Hi, dovecot-anitspam seems to need a binNMU for the new dovecot version recently uploaded... nmu dovecot-antispam_2.0+20171229-1+b8 . ANY . unstable . -m "rebuild for dovecot-abi-2.3.abiv17" -- tobi
Bug#990027: Bug#990176: RFS: opendmarc/1.4.0~beta1+dfsg-6 -- Milter implementation of DMARC
Control: tags 990027 -moreinfo I've just uploaded the package. Cheers, tobi On Tue, Jun 22, 2021 at 08:30:56AM +0200, David Bürgin wrote: > Package: sponsorship-requests > Severity: normal > > Dear mentors, > > I am looking for a sponsor for my package "opendmarc": > > * Package name: opendmarc >Version : 1.4.0~beta1+dfsg-6 >Upstream Author : The Trusted Domain Project > * URL : http://www.trusteddomain.org/opendmarc > * License : BSD-2-clause, GPL-3+ with AutoConf exception, > BSD-3-clause and SOSL > * Vcs : https://salsa.debian.org/kitterman/opendmarc >Section : mail > > It builds those binary packages: > > libopendmarc-dev - Headers and development libraries for the OpenDMARC > library > libopendmarc2 - Library for DMARC validation and reporting > opendmarc - Milter implementation of DMARC > > To access further information about this package, please visit the following > URL: > > https://mentors.debian.net/package/opendmarc/ > > Alternatively, one can download the package with dget using this command: > > dget -x > https://mentors.debian.net/debian/pool/main/o/opendmarc/opendmarc_1.4.0~beta1+dfsg-6.dsc > > Changes since the last upload: > > opendmarc (1.4.0~beta1+dfsg-6) unstable; urgency=high > . >* Add patch for CVE-2021-34555 from upstream issue tracker: > - Do not dereference NULL in multi-value From headers (Closes: #990001) > > An unblock was pre-approved, for details see: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990027 > > Thank you! > > > -- > David >
Bug#989530: RFS: mupdf/1.14.0+ds1-4+deb10u3 [NMU, CVE-2020-16600] -- lightweight PDF viewer
On Fri, Jun 11, 2021 at 10:44:10PM +0200, Bastian Germann wrote: > On Mon, 31 May 2021 19:41:53 +0200 Tobias Frost wrote: > > The diff looks good, but there are some formalities… > > > > - Can you file an "Stable Proposed Updates" unblock request to get an > > approval. > > Approved at #989530. > > > - Possibly you should file an bug for CVE-2020-16600 and > > close it in the changelog. (That would make it more transparent.) > > Available at #989526. > > > - Please also send a NMU announcement to the package's bts. > > Also available at #989526. > Uploaded! Many thanks Bastian for your contributions! -- tobi signature.asc Description: PGP signature
Bug#989681: Bug#989682: RFS: libexplain/1.4.D001-11 [QA] [RC] -- library of system-call-specific strerror repl - development files
Control: tags 989681 -moreinfo Uploaded; Thanks Håvard for the fix! -- tobi
Bug#988492: buster-pu: package ircii/20190117-1
On Sat, 29 May 2021 15:11:30 +0100 "Adam D. Barratt" wrote: > Please go ahead. > Thanks, Adam. I've just sponsored the uploaded for Håvard. -- Cheers, tobi
Bug#973645: transition: log4cplus
Am 3. November 2020 10:35:16 MEZ schrieb Sebastian Ramacher : >Control: forwarded -1 >https://release.debian.org/transitions/html/auto-log4cplus.html >Control: tags -1 + confirmed > >please go ahead with the upload to unstable. > >Cheers Thanks Sebastian! uploaded and all buildds are happy already.
Bug#973645: transition: log4cplus
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Hi release-team, transition time again :) This time, log4cplus… https://release.debian.org/transitions/html/auto-log4cplus.html seems to have picked it up correctly. I've rebuilt the mentioned r-deps already successfully. isc-kea -- FTBFS in sid currently, but builds fine with the version in VCS (FTBFS unrelated to the transition #973641) openvdb -- builds fine with new version. Waiting for your green light… -- Cheers, tobi
Bug#970402: transition: log4cxx
On Tue, 15 Sep 2020 21:29:50 +0200 Emilio Pozuelo Monfort > > Waiting for the green light from you ;-) > > Go ahead. the new log4xx 0.11 is now in unstable and has built on all release archs. (So, I guess the binmnu party can start now ;-) Cheers, -- tobi
Bug#970402: transition: log4cxx
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Hello release team! I'm preparing the transition of log4cxx. It's already showing up on https://release.debian.org/transitions/html/auto-log4cxx.html, so ben seems to be hapy… Building r-deps was successful: ros-rosconsole ✔ solarpowerlog ✔ zookeeper ✔ Everything looks ready ;-) Waiting for the green light from you ;-) Cheers, -- tobi
Bug#956351: transition: opencascade
On Mon, 27 Apr 2020 21:42:53 +0200 Tobias Frost wrote: > The following packages of Dependency level 2 could already be binNMUed: > gmsh_4.5.6+ds1 > kicad_5.1.5+dfsg1-2 Sorry for the noise, I just realized that that has happened already. Read: You are awesome!) netgen is now in DELAYED/5. -- tobi
Bug#956351: transition: opencascade
On Sat, Apr 25, 2020 at 02:29:53PM +0200, Emilio Pozuelo Monfort wrote: > Control: tags -1 confirmed > Go ahead. Thanks! opencascade is now in unstable and all archs have successuflly built. The following packages of Dependency level 2 could already be binNMUed: gmsh_4.5.6+ds1 kicad_5.1.5+dfsg1-2 For netgen (the remaining package in Depenency level 2) I will prepare a NMU soon. Cheers, -- tobi
Bug#956351: transition: opencascade
Update: deal.ii -- patch available (unrelated to opencascade, just exposed by it) freecad -- same as deal.ii. Also patch available. However, due to pyside2 it will remain RC buggy. So theoretically the transistion would be ready… Let me know when I can proceed. -- tobi
Bug#956351: transition: opencascade
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Hi Release team, opencascade has a new release with bumps so name to 7.4 The transition tracker [1] correctly picked it up already after the upload to experimental. [1] https://release.debian.org/transitions/html/auto-opencascade.html This bug is also to help me keeping track of the transistion as it might be that some packages do need patches to build for the new version. I'm currently building the reverse depenencies, results so far: Dependency level 2 gmsh_4.5.6+ds1✔ kicad_5.1.5+dfsg1-2 ✔ netgen-6.2.1804+dfsg1 ✘ (patch available) Dependency level 3 deal.ii_9.1.1-9 ✔ (BDs on gmsh) freecad (sid only) ✘ (seems to be #953721) I will file a bug for netgen and block it with this bugs. Cheers, -- tobi
Bug#926911: unblock: epsilon/0.7.1-1.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package epsilon, the NMU fixes #924650 Debdiff attached. unblock epsilon/0.7.1-1.1 -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled diff -Nru epsilon-0.7.1/debian/changelog epsilon-0.7.1/debian/changelog --- epsilon-0.7.1/debian/changelog 2015-10-10 17:43:41.0 +0200 +++ epsilon-0.7.1/debian/changelog 2019-04-06 12:38:25.0 +0200 @@ -1,3 +1,10 @@ +epsilon (0.7.1-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Apply patch from BTS to fix, thanks doko for the patch (Closes: #924650) + + -- Tobias Frost Sat, 06 Apr 2019 12:38:25 +0200 + epsilon (0.7.1-1) unstable; urgency=medium * New upstream release. diff -Nru epsilon-0.7.1/debian/patches/kernel-4.18-diskstats.diff epsilon-0.7.1/debian/patches/kernel-4.18-diskstats.diff --- epsilon-0.7.1/debian/patches/kernel-4.18-diskstats.diff 1970-01-01 01:00:00.0 +0100 +++ epsilon-0.7.1/debian/patches/kernel-4.18-diskstats.diff 2019-04-06 12:16:28.0 +0200 @@ -0,0 +1,13 @@ +--- a/epsilon/scripts/benchmark.py b/epsilon/scripts/benchmark.py +@@ -46,6 +46,10 @@ def parseDiskStatLine(L): + appropriate record type (either L{partitionstat} or L{diskstat}). + """ + parts = L.split() ++# https://www.kernel.org/doc/Documentation/ABI/testing/procfs-diskstats ++# ignore new diskstat values ++if len(parts) == 18: ++parts = parts[:-4] + device = parts[2] + if len(parts) == 7: + factory = partitionstat diff -Nru epsilon-0.7.1/debian/patches/series epsilon-0.7.1/debian/patches/series --- epsilon-0.7.1/debian/patches/series 2015-10-10 17:43:41.0 +0200 +++ epsilon-0.7.1/debian/patches/series 2019-04-06 12:16:28.0 +0200 @@ -1 +1,2 @@ 0001-Gracefully-handle-not-finding-working-directory.patch +kernel-4.18-diskstats.diff
Bug#926734: unblock: libcaca/0.99.beta19-2.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package libcaca The new packages fixes 6 CVE's. (Bug #917807) Thanks! unblock libcaca/0.99.beta19-2.1 -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled diff -Nru libcaca-0.99.beta19/debian/changelog libcaca-0.99.beta19/debian/changelog --- libcaca-0.99.beta19/debian/changelog2014-06-02 22:39:11.0 +0200 +++ libcaca-0.99.beta19/debian/changelog2019-04-06 22:18:41.0 +0200 @@ -1,3 +1,12 @@ +libcaca (0.99.beta19-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Cherry-Pick fixes from upstream git repository: +- CVE-2018-20545, CVE-2018-20546, CVE-2018-20547,CVE-2018-20548 and + CVE-2018-20549 (Closes: #917807) + + -- Tobias Frost Sat, 06 Apr 2019 22:18:41 +0200 + libcaca (0.99.beta19-2) unstable; urgency=medium * debian/patches/100_doxygen.diff: remove deprecated Doxygen variables. diff -Nru libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch --- libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch 1970-01-01 01:00:00.0 +0100 +++ libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch 2019-04-06 21:36:52.0 +0200 @@ -0,0 +1,45 @@ +From 84bd155087b93ab2d8d7cb5b1ac94ecd4cf4f93c Mon Sep 17 00:00:00 2001 +From: Sam Hocevar +Date: Sat, 29 Dec 2018 22:13:56 +0100 +Subject: [PATCH] dither: fix integer overflows that were causing a division by + zero. + +Fixes: #36 (CVE-2018-20544) +--- + caca/dither.c | 16 + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/caca/dither.c b/caca/dither.c +index 04b678e0..c6ebab1b 100644 +--- a/caca/dither.c b/caca/dither.c +@@ -991,10 +991,10 @@ int caca_dither_bitmap(caca_canvas_t *cv, int x, int y, int w, int h, + /* First get RGB */ + if(d->antialias) + { +-fromx = (x - x1) * w / deltax; +-fromy = (y - y1) * h / deltay; +-tox = (x - x1 + 1) * w / deltax; +-toy = (y - y1 + 1) * h / deltay; ++fromx = (uint64_t)(x - x1) * w / deltax; ++fromy = (uint64_t)(y - y1) * h / deltay; ++tox = (uint64_t)(x - x1 + 1) * w / deltax; ++toy = (uint64_t)(y - y1 + 1) * h / deltay; + + /* We want at least one pixel */ + if(tox == fromx) tox++; +@@ -1017,10 +1017,10 @@ int caca_dither_bitmap(caca_canvas_t *cv, int x, int y, int w, int h, + } + else + { +-fromx = (x - x1) * w / deltax; +-fromy = (y - y1) * h / deltay; +-tox = (x - x1 + 1) * w / deltax; +-toy = (y - y1 + 1) * h / deltay; ++fromx = (uint64_t)(x - x1) * w / deltax; ++fromy = (uint64_t)(y - y1) * h / deltay; ++tox = (uint64_t)(x - x1 + 1) * w / deltax; ++toy = (uint64_t)(y - y1 + 1) * h / deltay; + + /* tox and toy can overflow the canvas, but they cannot overflow + * when averaged with fromx and fromy because these are guaranteed diff -Nru libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch --- libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch 1970-01-01 01:00:00.0 +0100 +++ libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch 2019-04-06 22:08:34.0 +0200 @@ -0,0 +1,34 @@ +Description: img2txt: fix an integer overflow in the BMP loader. +Origin: https://github.com/cacalabs/libcaca/commit/3e52dabe3e64dc50f4422effe364a1457a8a8592 +Forwarded: not-needed +Applied-Upstream: https://github.com/cacalabs/libcaca/commit/3e52dabe3e64dc50f4422effe364a1457a8a8592 +Last-Update: 2019-04-06 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/common-image.h b/src/common-image.h +@@ -1,19 +1,19 @@ + /* + * Imaging tools for cacaview and img2irc +- * Copyright (c) 2003-2012 Sam Hocevar +- *All Rights Reserved ++ * Copyright (c) 2003-2018 Sam Hocevar ++ * All Rights Reserved + * + * This program is free software. It comes without any warranty, to + * the extent permitted by applicable law. You can redistribute it + * and/or modify it under the terms of the Do What the Fuck You Want +- * to Public License, Version 2, as published by Sam Hocevar. See +- * http://www.wtfpl.net/ for more details. ++ * to Public License, Versio
Bug#926580: unblock: amavisd-new/2.11.0-6.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package amavisd-new This diff fixes #882324, diff attached. (The NMU has been acked by the maintainer) unblock amavisd-new/2.11.0-6.1 -- Cheers, tobi -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled diff -Nru amavisd-new-2.11.0/debian/changelog amavisd-new-2.11.0/debian/changelog --- amavisd-new-2.11.0/debian/changelog 2019-02-13 07:48:10.0 +0100 +++ amavisd-new-2.11.0/debian/changelog 2019-04-05 18:04:57.0 +0200 @@ -1,3 +1,11 @@ +amavisd-new (1:2.11.0-6.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix to honor "originating" configuration flag, by cherry-picking upstream +patch. (Closes: #882324) + + -- Tobias Frost Fri, 05 Apr 2019 18:04:57 +0200 + amavisd-new (1:2.11.0-6) unstable; urgency=medium * Fix start-stop-daemon insecure error. Closes: #921016. diff -Nru amavisd-new-2.11.0/debian/patches/0010-fix-882324.patch amavisd-new-2.11.0/debian/patches/0010-fix-882324.patch --- amavisd-new-2.11.0/debian/patches/0010-fix-882324.patch 1970-01-01 01:00:00.0 +0100 +++ amavisd-new-2.11.0/debian/patches/0010-fix-882324.patch 2019-04-05 17:56:43.0 +0200 @@ -0,0 +1,26 @@ +Description: honor "originating" configuration flag, +Origin: https://gitlab.com/amavis/amavis/commit/206109d4c21f28dcd2ba3f42a19b7d77e2bbc100.patch +Date: Wed, 10 Oct 2018 16:34:58 +0200 +Subject: [PATCH] Applied DKIM signing patch (#6) +Applied-Upstream: Yes +Last-Update: 2019-04-05 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/amavisd b/amavisd +@@ -22829,6 +22829,7 @@ + } + # load policy banks from the 'client_ipaddr_policy' lookup + Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl; ++$msginfo->originating(c('originating')); + + $msginfo->client_addr($cl_ip); # ADDR + $msginfo->client_port($cl_port);# PORT +@@ -34361,6 +34362,7 @@ + $sig_ind++; + } + Amavis::load_policy_bank($_,$msginfo) for @bank_names; ++ $msginfo->originating(c('originating')); + $msginfo->dkim_signatures_valid(\@signatures_valid) if @signatures_valid; + # if (ll(5) && $sig_ind > 0) { + # # show which header fields are covered by which signature diff -Nru amavisd-new-2.11.0/debian/patches/series amavisd-new-2.11.0/debian/patches/series --- amavisd-new-2.11.0/debian/patches/series2019-02-03 09:55:48.0 +0100 +++ amavisd-new-2.11.0/debian/patches/series2019-04-05 17:54:53.0 +0200 @@ -7,3 +7,4 @@ 90_fix_snmp_subagent_warning 95_amavisd_helpers_fixes 0009-Fix-an-unescaped-brace-in-amavisd.patch +0010-fix-882324.patch
Bug#926480: unblock: tvtime/1.0.11-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package tvtime The patch fixes #924076, a insecure usage of /tmp. The important part of the debdiff is this: --- a/src/utils.c +++ b/src/utils.c @@ -202,17 +202,11 @@ } } -/* If we can't use our /tmp directory, put the fifo in $HOME. */ -if( !mkdir_and_force_owner( fifodir, uid, getgid() ) ) { -if( asprintf( , "%s/.tvtime/tvtimefifo-%s", - getenv( "HOME" ), hostname ) < 0 ) { -fifo = 0; -} -} else { -if( asprintf( , "%s/tvtimefifo-%s", fifodir, hostname ) < 0 ) { -fifo = 0; -} -} +/* put the fifo in $HOME */ + if( asprintf( , "%s/.tvtime/tvtimefifo-%s", + getenv( "HOME" ), hostname ) < 0 ) { + fifo = 0; + } free( hostname ); free( fifodir ); return fifo; (Sorry for the refreshing of the patches, I realized this just now that this would not have been necessary) Debdiff attached. Cheers, tobi unblock tvtime/1.0.11-4 -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled diff -Nru tvtime-1.0.11/debian/changelog tvtime-1.0.11/debian/changelog --- tvtime-1.0.11/debian/changelog 2018-12-10 23:50:07.0 +0100 +++ tvtime-1.0.11/debian/changelog 2019-04-05 20:27:01.0 +0200 @@ -1,3 +1,14 @@ +tvtime (1.0.11-5) unstable; urgency=medium + + * QA upload. + * Create repository on salsa. + * Refresh patches + * Fix "insecure use of /tmp" by only using the fall back to $HOME. +This is patch 0002-disable-insecure-temp-file.patch +(Closes: #924076) + + -- Tobias Frost Fri, 05 Apr 2019 20:27:01 +0200 + tvtime (1.0.11-4) unstable; urgency=medium * QA upload. diff -Nru tvtime-1.0.11/debian/control tvtime-1.0.11/debian/control --- tvtime-1.0.11/debian/control2018-12-10 23:50:07.0 +0100 +++ tvtime-1.0.11/debian/control2019-04-05 19:56:54.0 +0200 @@ -22,6 +22,8 @@ libasound2-dev Standards-Version: 3.9.3 Homepage: https://linuxtv.org/wiki/index.php/Tvtime +VCS-Browser: https://salsa.debian.org/debian/tvtime +VCS-Git: https://salsa.debian.org/debian/tvtime.git Package: tvtime Architecture: any diff -Nru tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch --- tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch 2018-12-10 21:35:44.0 +0100 +++ tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch 2019-04-05 19:57:51.0 +0200 @@ -14,8 +14,6 @@ src/get_media_devices.c | 1 + 1 file changed, 1 insertion(+) -diff --git a/src/get_media_devices.c b/src/get_media_devices.c -index 619734ea..453b0677 100644 --- a/src/get_media_devices.c +++ b/src/get_media_devices.c @@ -23,6 +23,7 @@ @@ -26,6 +24,3 @@ #include #include #include --- -2.11.0 - diff -Nru tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch --- tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch 1970-01-01 01:00:00.0 +0100 +++ tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch 2019-04-05 20:10:15.0 +0200 @@ -0,0 +1,25 @@ +--- a/src/utils.c b/src/utils.c +@@ -202,17 +202,11 @@ + } + } + +-/* If we can't use our /tmp directory, put the fifo in $HOME. */ +-if( !mkdir_and_force_owner( fifodir, uid, getgid() ) ) { +-if( asprintf( , "%s/.tvtime/tvtimefifo-%s", +- getenv( "HOME" ), hostname ) < 0 ) { +-fifo = 0; +-} +-} else { +-if( asprintf( , "%s/tvtimefifo-%s", fifodir, hostname ) < 0 ) { +-fifo = 0; +-} +-} ++/* put the fifo in $HOME */ ++if( asprintf( , "%s/.tvtime/tvtimefifo-%s", ++ getenv( "HOME" ), hostname ) < 0 ) { ++fifo = 0; ++} + free( hostname ); + free( fifodir ); + return fifo; diff -Nru tvtime-1.0.11/debian/patches/freetype.patch tvtime-1.0.11/debian/patches/freetype.patch --- tvtime-1.0.11/debian/patches/freetype.patch 2018-10-26 17:32:26.0 +0200 +++ tvtime-1.
Bug#911740: nmu: freeimage_3.17.0+ds1-5+b5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu Hi Release team, I think that the binNMU for freeimage against libraw19 did not work; the package has downloaded and installed libraw16 during build, instead of *19. Can you please check if if needed re-issue the binNMU? (I did not check whether other packages are affected too.) Many thanks, tobi nmu freeimage_3.17.0+ds1-5+b5 . alpha . unstable . -m "Rebuild against libraw19." -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
Bug#823991: libpng16-16: generates a ton of noisy warnings
Control: reassign -1 libwine Control: retitle -1 libwine: Does not declare a Depends: on libpng Hi Gianfranceo, let me reassign this bug to the wine party people, because I think it is a bug there, at least it should be investigated why the package is using libpng but not declaring a Depends on it. (I already asked for a binNMU in #824006, so it is save to recycle this bug) -- tobi
Bug#824006: nmu: wine_1.8.1-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu Seems so that a binNMU is required for wine. (See #823991) nmu wine_1.8.1-2 . ANY . unstable . -m "Rebuild against libpng1.6." -- System Information: Debian Release: stretch/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#822540: nmu: libapache2-mod-qos_11.25-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu Maintainer obviously not built on an up-to-date system. nmu libapache2-mod-qos_11.25-1 . amd64 . -m "Rebuild against libpng1.6" Dear Sergey, This bug could have been easily avoided. please make sure that you *always* build on an updated system; even better use tools like pbuilder or sbuild or like to *ensure* that you have the latest packages installed. BEST is, of course, to do source-only uploads, which are possible since ~1.5 years. See https://wiki.debian.org/SourceOnlyUpload for details. Thanks! -- tobi -- System Information: Debian Release: 8.3 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.0.5-revert-done (SMP w/4 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init)
Bug#822302: nmu: vtk-dicom_0.7.6-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu While working on decrufting gdcm I noticed that there is a package in need of a binnmu -- it still Depends on gdcm 2.4 (gdcm was only lately fixed for hurd, that's why it missed it) nmu vtk-dicom_0.7.6-1 . hurd-i386 . unstable . -m "Rebuild against gdcm2.6." Thanks! -- tobi -- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#650601: libpng Package in experimental
Am Mittwoch, den 06.04.2016, 15:33 + schrieb Gianfranco Costamagna: > Hi, > > > > Ack. :) > > > > I don't let you change your mind now :) > uploaded on debomatic-amd64, and on unstable a few seconds ago. > > lets the *fun* start! > > BTW I added me and Tobias in uploaders list, as per private mail > exchange with the > current maintainers. > > thanks! > > Gianfranco > Thanks Gianfranco! Yeah, up to mooore fun, *cough*.. let's take bets how many packages will make it ;-) (Next, I'll raise the remaining bugs to RC and post an update to -devel.) ... -- tobi
Bug#650601: libpng Package in experimental
On Sun, 3 Apr 2016 09:55:55 +0200 Gianfranco Costamagnawrote: with an ftpmaster *really fast* accept we are > now in place and ready for the transition. > > I think we are ready for the ack. > > thanks, > > Gianfranco > I agree with Gianfranco, "NOW" would be a great time to start that adventure... Waiting will just increases entropy again, and it is already quite some work to keep the can-of-worms^W breakages low, as you can see from the latest NMUs I did..) Regarding libpng-config, I do not have a complete list, but during the rebuilds I made a list of affected packages, but I faintly remember that there were at one-two others. They were leafpackages though, so no need to worry for them, IMHO. afarmagetronad openmsx neverball libapache2-mod-qos Also, I'm prepared to dedicated any free time to fix breakages during the transition.. -- tobi
Bug#650601: libpng Package in experimental
> Hi Gianfranco, > > Of course they can B-D on libpng16-devtools (but requires several sourceful > uploads during the transition), but than we have that nasty SONAME back in the > B-depdencies... > Should we provide also a SONAME-neutral package name here? Ähm, we have already a Provides: libpng-devtools here, I just didn't see it.. So strike that part above -- tobi
Bug#650601: libpng Package in experimental
Hi Gianfranco, I've just got a change to take a look at the new libpng package. A remark: - The change that libbpng-dev only recommends libpng16-devtools will cause some build failures, as several packages needs the devtool to be pulled in but do not declare a dependency on this. Of course they can B-D on libpng16-devtools (but requires several sourceful uploads during the transition), but than we have that nasty SONAME back in the B-depdencies... Should we provide also a SONAME-neutral package name here? I once said that we should check if we could just drop libpng16-devtools' dependency on libpng-dev... Did you check if that is feasible? In that case we could retain the dependency on libpng-devtools and it would also not be necessary to have an libpng-devtools package/provide.. -- tobi
Bug#650601: libpng is going to be NMUed soon.
On Sat, 26 Mar 2016 00:50:58 +0100 Emilio Pozuelo Monfortbinary-NEW shouldn't be a big deal. Just make sure to upload to experimental. OK, then let's follow Gianfrancos proposoal! Beside that, here's a last report on the rebuilding on my server: (I need to free up space on the server for other purposes, so I need to cease the continous rebuilding) Those are the packages that still fails on my server: calligra(2.8.5+dfsg-1.3~libpng16) caret (5.6.4~dfsg.1-3.1~libpng16) fw4spl (0.9.2-3.1~libpng16) gnubg (1.05.000-7.1~libpng16) libtk-img (1.4.2+dfsg-2.1~libpng16) odin(1.8.8-2.1~libpng16) openvrml(0.18.9-7.1~libpng16) png++ (0.2.5-1.1~libpng16) root-system (5.34.19+dfsg-1.3~libpng16) timidity(2.13.2-40.4~libpng16) xemacs21(21.4.22-14.1~libpng16) Those are currently in testing: - gnubg, FTBFS seems to be #818889, has patch - libtk-img needs libpng1.6 in sid to be fixed (#741894) - png++, NMU in DELAYED/5 #819283 - timidity, RC-Buggy #814879, removal on March 31 -- tobi
Bug#650601: libpng is going to be NMUed soon.
On Wed, 23 Mar 2016 21:58:56 +0100 Gianfranco Costamagna wrote: > > 1) provide a real libpng-dev and upload on experimental in 7 days starting now. > (I'm going to upload on deferred/7 in a few minutes/hours) > Hi Gianfranco, what bothers me is that having a real libpng-dev package requires us to go through NEW. I'd avoid NEW-processing at this point of time, as its processing is non-deterministic and might eat up significant amount of time left until the freeze... And time is running fast. At the moment no package requires a versioned dependency on libpng-dev anyway, so IMHI that can be deferred to a later time. (I believe having a real libpng-dev package is a good idea, so lets go for it, cleared from NEW via experimental *once* libpng16 is is sid) At this point of time, I think we're in better control when manually uploading libpng12 and libpng16 in a coordinated way. Gianfranco, Emilio: Thoughts? -- tobi
Bug#650601: Update on libpng's transition status
Am Sonntag, den 31.01.2016, 17:52 + schrieb Mattia Rizzolo: > On Sun, Jan 31, 2016 at 05:46:07PM +0100, Tobias Frost wrote: > > Still FTBFS are, I've put an analysis why so on the titanpad [1], > > but > > those are all _not_ libpng related and many of those packages are > > not > > in testing. > > Analysis of what is in testing atm: > > > > blender > > notice that blender should be ready for libpng1.6 once the ilmbase > and > openexr transition start, so that the experimental version can be > used > (which should be fine). > Actually, Those 2 transitions are way smaller than libpng, and I > would > have expected them to be already started... #810568 I just scheduled a build of the experimental version on my server, and it looks good so far. (It needs experimental B-Ds as well) > > criticalmass > > I was able to build this just fine here. > I also tested it against libpng16 and built a binary depending on it > just fine. > I believe there is something fishy on your part here :) Yes, you're right: It has been building fine also on my server already.[1], it was an left over from my list; (I had lately problems with somepackage in conjunction with parallel build and pbuilder -- criticalmass is one of those) [1] http://libpng.sviech.de/!summary.txt > > gmsh > > vtk6 > > These 2 at the moment are not buildable because they are several > levels > down of the openmpi transition and need other libs to be built first. > I just believe openmpi needs to be done first before of this. vtk6 built fine previously with libpn1.6, as well as gmsh. (For gmsh I still have the old buildlog: https://libpng.sviech.de/old/gmsh.build, for vtk6 they've got overwritten but there are still the resulting packages at https://libpng.sviech.de/libpng16/pool/main/v/vtk6/ ) So, I guess we could ignore this collision? > > yt > > yt is going to be autoremoved soon (Feb 9) so this can be ignored. > > > [1] https://titanpad.com/libpng16-transistion > > > So if I'm not blind or anything, I belive this transition has no > actual > blocker (but other transitions to be done first, though). > > Of course in something so big something will come out during the > transition, but hey ^^ It would be a miracle, as we see with openmpi.. Knocking wood, though. But I have the feeling we are in a good position, and at least the next few weeks I'm able to commit some time to this. For the procedure, does it help the case / would it make sense to upload a libpng16 *without* provding libconfig-dev to sid, to have it in testing already, when we pull the trigger? (As you know, said trigger is the Provides: libpng-dev line; without it all the packages will use libpng12-dev..) -- tobi
Bug#650601: libpng is ready for transtion
This time with d-boot in CC... Forwarding to debian-boot, as requested from Cyril. Debian-Boot people, please take a look at #650601 -- the libpng16 transition which is now ready to be started. There are a few udebs affected, which is tested as described below (following a request from Cyril). IMHO also the udeb part is ready for the transition, but I'm not in the d-i topics. -- tobi On Tue, 26 Jan 2016 22:05:22 +0100 Tobias Frost <t...@debian.org> wrote: > Hallo KiBi, > > On Tue, 26 Jan 2016 10:51:11 +0100 Cyril Brulebois <k...@debian.org> > wrote: > > > Has anyone tested a debian installer build where some packages were > > built against libpng12-0-udeb and some other against libpng16-16- > udeb? > > Does that work? Or are we looking at a giant transition where > everything > > must switch to libpng16 at once? > >  > > Mraw, > > KiBi. > > As requested, I performed those build of the d-i, version 20160106: > > Testmatrix > > A libcairo2-udeb_1.14.6-1.1~libpng16_amd64.udeb > B libdirectfb-1.2-9-udeb_1.2.10.0-5.2~libpng16_amd64.udeb > C libfreetype6-udeb_2.6.1-0.2~libpng16_amd64.udeb > D libgdk-pixbuf2.0-0-udeb_2.32.3-1.1~libpng16_amd64.udeb > E libpng16-16-udeb_1.6.20-1.2~libpng16+patched+1_amd64.udeb > F matchbox-keyboard-udeb_0.1+svn20080916-10.1~libpng16_amd64.udeb > > Two more udeb packages where generated during the mass rebuild on my > server, bu removed from test-matrix, as they do not Depend: on libpng: > libslang2, libdirectfb-bin > > Key x -> libpng16-version used >     . -> standard version used > >    A B C D E F   result   (comment) > 1  . . . . . .   builds   "control group" > 2  x . x . x .   builds     > 3  . x x . x .   builds > 4  . . . x x .   builds > 5  . x . x x x   builds   > 6  x x x x x x  builds  "target version" > > > Procedure: > - debuld in debian-installer directory. > - examination of created debian-installer-images tarball, especially > the MANIFEST.udebs file for installed udebs (if matches expectations, > if both libpngs are present > > > Let me know if you want to see other combinations tested too (and > which) > > Thanks > -- > tobi > >
Update on libpng's transition status
TL;DL: 13 FTBFS left, but those are not libpng's fault. Out of those 13 packages, only 5 are in testing right now. (I think that's all I can do from my side for now, so I'l pause the efforts waiting for the other parties involved.) Details: The stats are now, and this is the best we can currently get: Built: 474 Failed: 13 OK: 461 The progress is due to the NMU's and the fixing of libvigraimpex, so that its B-Ds became buildable. Still FTBFS are, I've put an analysis why so on the titanpad [1], but those are all _not_ libpng related and many of those packages are not in testing. 3depict blender calligra caret exult fw4spl gmsh libtk-img odin openvrml root-system xemacs21 vtk6 yt There are two packages which are started to fail, due to the accidential transition-required openmpi upload, #813128: vtk6 gmsh Only those packages are in testing: blender criticalmass gmsh vtk6 yt [1] https://titanpad.com/libpng16-transistion -- tobi
Bug#650601: libpng is ready for transtion
Forwarding to debian-boot, as requested from Cyril. Debian-Boot people, please take a look at #650601 -- the libpng16 transition which is now ready to be started. There are a few udebs affected, which is tested as described below (following a request from Cyril). IMHO also the udeb part is ready for the transition, but I'm not in the d-i topics. -- tobi On Tue, 26 Jan 2016 22:05:22 +0100 Tobias Frost <t...@debian.org> wrote: > Hallo KiBi, > > On Tue, 26 Jan 2016 10:51:11 +0100 Cyril Brulebois <k...@debian.org> > wrote: > > > Has anyone tested a debian installer build where some packages were > > built against libpng12-0-udeb and some other against libpng16-16- > udeb? > > Does that work? Or are we looking at a giant transition where > everything > > must switch to libpng16 at once? > > > > Mraw, > > KiBi. > > As requested, I performed those build of the d-i, version 20160106: > > Testmatrix > > A libcairo2-udeb_1.14.6-1.1~libpng16_amd64.udeb > B libdirectfb-1.2-9-udeb_1.2.10.0-5.2~libpng16_amd64.udeb > C libfreetype6-udeb_2.6.1-0.2~libpng16_amd64.udeb > D libgdk-pixbuf2.0-0-udeb_2.32.3-1.1~libpng16_amd64.udeb > E libpng16-16-udeb_1.6.20-1.2~libpng16+patched+1_amd64.udeb > F matchbox-keyboard-udeb_0.1+svn20080916-10.1~libpng16_amd64.udeb > > Two more udeb packages where generated during the mass rebuild on my > server, bu removed from test-matrix, as they do not Depend: on libpng: > libslang2, libdirectfb-bin > > Key x -> libpng16-version used >     . -> standard version used > >    A B C D E F   result   (comment) > 1  . . . . . .   builds   "control group" > 2  x . x . x .   builds     > 3  . x x . x .   builds > 4  . . . x x .   builds > 5  . x . x x x   builds   > 6  x x x x x x  builds  "target version" > > > Procedure: > - debuld in debian-installer directory. > - examination of created debian-installer-images tarball, especially > the MANIFEST.udebs file for installed udebs (if matches expectations, > if both libpngs are present > > > Let me know if you want to see other combinations tested too (and > which) > > Thanks > -- > tobi > >
Re: Bug#650601: libpng is ready for transtion
> Tobias Frost <t...@debian.org> (2016-01-25): >> Dear release-team, >> >> Now that all NMUs are in DELAYED for all fixables. >> I think we are ready to throw the switch. > > You haven't answered <20160106232316.ga28...@mraw.org>. > > Mraw, > KiBi. > Nobuhiro, Anibal, this is a question for you: https://lists.debian.org/debian-devel/2016/01/msg00248.html {quote} Speaking of this particular udeb, I've just spotted libpng16-16-udeb has a Conflicts against libpng12-0-udeb. I'm not sure why, and the changelog doesn't seem to explain either. libpng16-16 and libpng12-0 seems to be co-installable, so I'm not sure why their respective udebs shouldn't be. {/quote}
Re: Bug#650601: libpng is ready for transition
Am Dienstag, den 26.01.2016, 22:25 + schrieb Gianfranco Costamagna: > Hi Tobias > > > +libpng1.6 (1.6.20-1.2) > > unstable; urgency=medium > > Do you want to go on unstable or it is a typo? > > Gianfranco Typo
Bug#650601: libpng1.6 transistin (Was: Processed: fvwm: diff for NMU version 1:2.6.5.ds-4.1)
Am Dienstag, den 26.01.2016, 18:07 +0100 schrieb Emilio Pozuelo Monfort: > On 26/01/16 17:54, Gianfranco Costamagna wrote: > > Hi Emilio! > > > > > > > Can send another summary with your proposed plan here? Currently > > > libpng12-dev > > > provides libpng-dev but libpng16-dev doesn't. Are you going to > > > switch that? Or > > > do you plan to build a libpng-dev package from src:libpng1.6? > > > > > > sure, the only reason that libpng-dev wasn't provided has been to > > avoid people building accidentally > > with libpng16 when uploading on experimental. > > > > IIRC the plan is to upload on unstable with the Provides: libpng- > > dev line enabled > > (it is already there, just commented), > > and the change for the udeb file conflict (ongoing test right now). > > > > I think libpng12-dev will stop providing the libpng-dev at the same > > time, but I'm not sure > > Either that needs to happen, or a real libpng-dev package needs to be > built. > Otherwise if we have libpng12-dev and libpng16-dev providing libpng- > dev, things > won't be deterministic. > > (My*) plan'd be to upload (1) libpng12 WITHOUT providing libpng-dev and (2) libpng16 WITH providing it. I'm not sure whats better: if that should happen at the very same time, or if we should delay (2) until e.g the -12 package arrived at all archs, to ensure that there will be no point of time where libpng-dev is provided by two packages or solve any races by delaying the start of the binnmus until we can ensure that all archs are getting the right one. A real libpng-dev package would be actually my* favorite, but this requires going through NEW and I fear that that would destroy the momentum we experience now to push this forward. Also, a real libpng- dev Package could still be introduced later. -- tobi * Nobuhiro / Anibal should give the definitive direction how the want to manage their package...
Bug#650601: libpng is ready for transtion
Hallo KiBi, On Tue, 26 Jan 2016 10:51:11 +0100 Cyril Bruleboiswrote: > Has anyone tested a debian installer build where some packages were > built against libpng12-0-udeb and some other against libpng16-16- udeb? > Does that work? Or are we looking at a giant transition where everything > must switch to libpng16 at once? > > Mraw, > KiBi. As requested, I performed those build of the d-i, version 20160106: Testmatrix A libcairo2-udeb_1.14.6-1.1~libpng16_amd64.udeb B libdirectfb-1.2-9-udeb_1.2.10.0-5.2~libpng16_amd64.udeb C libfreetype6-udeb_2.6.1-0.2~libpng16_amd64.udeb D libgdk-pixbuf2.0-0-udeb_2.32.3-1.1~libpng16_amd64.udeb E libpng16-16-udeb_1.6.20-1.2~libpng16+patched+1_amd64.udeb F matchbox-keyboard-udeb_0.1+svn20080916-10.1~libpng16_amd64.udeb Two more udeb packages where generated during the mass rebuild on my server, bu removed from test-matrix, as they do not Depend: on libpng: libslang2, libdirectfb-bin Key x -> libpng16-version used . -> standard version used A B C D E F result (comment) 1 . . . . . . builds "control group" 2 x . x . x . builds 3 . x x . x . builds 4 . . . x x . builds 5 . x . x x x builds 6 x x x x x x builds "target version" Procedure: - debuld in debian-installer directory. - examination of created debian-installer-images tarball, especially the MANIFEST.udebs file for installed udebs (if matches expectations, if both libpngs are present Let me know if you want to see other combinations tested too (and which) Thanks -- tobi
Re: Bug#650601: libpng is ready for transtion
Am Dienstag, den 26.01.2016, 20:45 +1100 schrieb Aníbal Monsalve Salazar: > On Tue, 2016-01-26 10:23:13 +0100, Tobias Frost wrote: > > > Tobias Frost <t...@debian.org> (2016-01-25): > > > > Dear release-team, > > > > > > > > Now that all NMUs are in DELAYED for all fixables. > > > > I think we are ready to throw the switch. > > > > > > You haven't answered <20160106232316.ga28...@mraw.org>. > > > > > > Mraw, > > > KiBi. > > > > > > > Nobuhiro, Anibal, > > > > this is a question for you: > > > > https://lists.debian.org/debian-devel/2016/01/msg00248.html > > > > {quote} > > Speaking of this particular udeb, I've just spotted libpng16-16- > > udeb has > > a Conflicts against libpng12-0-udeb. I'm not sure why, and the > > changelog > > doesn't seem to explain either. libpng16-16 and libpng12-0 seems to > > be > > co-installable, so I'm not sure why their respective udebs > > shouldn't be. > > {/quote} > > The Conflicts against libpng12-0-udeb can be removed. Hi Anibal, OK to NMU that or do you want to do the upload yourself? diff -Nru libpng1.6-1.6.20/debian/changelog libpng1.6- 1.6.20/debian/changelog --- libpng1.6-1.6.20/debian/changelog 2016-01-24 11:26:12.0 +0100 +++ libpng1.6-1.6.20/debian/changelog 2016-01-26 22:28:29.0 +0100 @@ -1,3 +1,10 @@ +libpng1.6 (1.6.20-1.2) unstable; urgency=medium + + * Non-maintainer upload. + * libpng16-16-udeb should not Conflicts: libpng-12-0 + + -- Tobias Frost <t...@debian.org> Tue, 26 Jan 2016 22:27:21 +0100 + libpng1.6 (1.6.20-1.1) experimental; urgency=medium * Non-maintainer upload. diff -Nru libpng1.6-1.6.20/debian/control libpng1.6- 1.6.20/debian/control --- libpng1.6-1.6.20/debian/control 2016-01-24 11:29:17.0 +0100 +++ libpng1.6-1.6.20/debian/control 2016-01-26 22:28:22.0 +0100 @@ -71,7 +71,6 @@ Priority: extra Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} -Conflicts: libpng12-0-udeb Description: PNG library - minimal runtime library (version 1.6) libpng is a library implementing an interface for reading and writing PNG (Portable Network Graphics) format files.
libpng is ready for transtion
Dear release-team, Now that all NMUs are in DELAYED for all fixables. I think we are ready to throw the switch. Please let us know and assign us the transition slot :) Please assign a slot. Here's the actual summary [1] Built: 474 Failed: 34 OK: 440 The failed ones split up as follow: NMUs: 12 Patches: 2 RC Buggy: 13 RC as B-D: 4 RM: 2 (my package: 1) - The NMUs are uploaded, waiting to enter the archives. - Also Gianfranco uploaded tons of packages to update the B-D to libpng-dev. - The two patches are submitted to the BTS with a review request. A NMU will follow... - The RC Buggy packages are not building in sid as well, no way to check them without fixing them. - 4 Packages B-D on libvigraimpex, which is one of the RC packages. - 2 packages are to be removed - 1 package is mine, fix in prepration (rbdoom3bfg) Details: NMU in DELAYED - 12 == antigrav autotrace ctsim exult freeimage pngnq literki libtwin nagios3 openlayer scorched3d xaos Patch available (review requested): 2 netpbm-free ghostscript RC-Buggy in sid: - 13 blender calligra caret criticalmass fw4spl libvigraimpex odin openvrml libtk-img root-system wine-development xemacs21 yt reverse B-Ds libvigraimpex: - 4 === 3depict enblend-enfuse gamera hugin RM or RM requested: - 2 === exrtools celestia the remaining: === rbdoom3bfg is my package, a patch is almost ready. [1] http://libpng.sviech.de/!summary.txt The file in the link will be updated as I rebuild package when uploads have been done; (manual process) -- tobi signature.asc Description: This is a digitally signed message part
Bug#650601: Processed: fvwm: diff for NMU version 1:2.6.5.ds-4.1
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Hi Emilio and release team > (sorry for the previous mail and thanks for the untag, I fixed the uploa > d) > > as you have noticed yesterday and today I NMUed the remaining "please > switch from libpng-{3,12,12-0}-dev to libpng-dev" bugs. > (around ~30 NMUs that will hit unstable hopefully in 7 days) > > there are a couple of packages with a build-dependency on > libpng-dev | libpng12-dev but I didn't NMU them because I don't think > they are going to give troubles in the transition context. > > Now, we should be left with ~50 packages currently FTBFS, but I think > for most of them we could easily have patches from Fedora or upstream > new versions (many of them already have patches on BTS) > > This is a list of packages, according to the bug blocking this one. > pngnq: patch, but should wait for the transition to start > libtheora: patch > openmsx: patch (should wait the transition to start) > calligra: no patch, out of testing, arch linux has the latest version > and seems to build against libpng16 > libcoyotl: has an RC bug (license issue), no patch > xcftools: testsuite failure fedora has the latest, maybe they have a pat > ch > neverball: patch, but should wait for the transition to start > openjfx: no patch, but new upstream release > tucnak: no patch, but new upstream release > xemacs21: FTBFS against gcc-5 > openlayer: mailed the bug report with a patch (not sure if enough) > armagetronad: patch? I think it is a matter of changing the configure > script > aseprite: should be a matter of a define (new upstream release) > libpgplot-perl: patch, fixed in git > mathgl: patch from fedora? > https://lists.fedoraproject.org/pipermail/scm-commits/2011-December/6932 > 05.html > abiword: patch, fixed, but failing for another reason now > nagios3: not in testing, RC buggy > celestia: RM ROM Dead upstream > warzone2100: new upstream release: according to google fedora builds > it fine with new libpng > netpbm-free: ZLIB_VERSION undeclared, should be trivial to fix > (missing include), if it isn't still not fixed (mailed the bug report) > exult: no patch, but new upstream release (snapshot) > fw4spl: double RC buggy > rbdoom3bfg: no patch > exrtools: patch > libapache2-mod-qos: missing b-d patch > ifeffit: seems to be failing because of missing b-d, and needs > probably rebuilds of other build-dependencies, RC buggy > matplotlib: should be fine now > pcsx2: probably needs some rebuilds to make build-dependencies installab > le > root-system: FTBFS for unrelated reasons? RC buggy > ctsim: needs some rebuilds to be fixed (e.g. libgdk-pixbuf2.0-dev) >should be easy to patch > wine-development: I think no issue, unrelated build failure > scorched3d: FTBFS, but should be trivial to fix (pointer change) > libtk-img: FTBFS but fedora has patches > https://pkgs.fedoraproject.org/cgit/rpms/tkimg.git/tree/ > > > so, basically the ~50 FTBFS are now down to 31 (some of them have been > NMUed while writing this email), and the "no patch" bugs are currently > only 6, and I suspect some of them even will rebuild fine (probably > transition related issues). > > So, if we exclude the RC buggy packages we are down to really a couple > of packages, but I think we should start the transition and fix them > later, specially because the build failures logs are from libpng15 in > some cases, and it isn't worth the effort to double check them. > > Can we have a transition slot if possible, or should we fix something > more? > > Please note: all the NMUs will need 6/7 days to go in unstable. > > (there is also a bug against texlive-base to stop using the embedded > libpng version, but obviously it can't be fixed until the transition > starts) > -BEGIN PGP SIGNATURE- > Version: GnuPG v1 > > iQIcBAEBCAAGBQJWoh2BAAoJEPNPCXROn13Z56YP/iOUBrd6wkQl/B+EcbhmiT5F > aF8DMPoeh8zcKkvsXIjmvwg7XkMz0e/RlrVv1XsgYrnD5jt46N9Su+LZrscAlMFs > rMOPHaubnhueFLYAxK9nCxJUgPJ6m/abAp1BiNVQsq+kI1MNTECRkxAadtdcND5i > NlP/BbOJalwbpMWtcVF3SFrrdJmSrwcaSeXPg0coK8uCLt2xw4n1dMTAk2G3zFr4 > F/JlOU2Aqyy6fhK5DeXewgBe1Bd5S/x+q+sy41d4hSQffJF039vk4ng/FzWJpuya > N6juMLL8RnBs7f/H7MgOXy8mkbo8Pov2jt/NCQqLWN7lLBS6heu5wQWQdtydM24u > n/KfDpALrJtHOHZLorg0ZUsHCncYqQmPNQJG7uiIosXy45iC2q+EKbU9sD8eKVly > epXloyUDV0ubphfp9Py0OYARpZCiQqFyUnnojQ47NBpabD6YMHece2fByfAoHJMr > H/1Vqw9yGWAwa4BJRDdMTWHDhTQH6IZOD/rhCnj4J2ORXJrpL4BVW6QwdKfn33BV > 4x78LpOneGLe2IxlmMe68wNw+xX+8qXnt3PdIB/fKuOOxsQ45bTc7yKXpjBr6Q0I > kT7JtUGo0aW940TsW/yPWl3UewjUV89W0VE211HuVFBJNoVV8Z1IzoxJLPpgD35J > LW1DDVuMLushD6zkFLCr > =538b > -END PGP SIGNATURE- > Many thanks Gianfranco for the summary! Regarding the packages requiring libpng-config, I proposed to the maintainers do another libng16 upload, so that that tool will be pulled in as depdenceny (Otherwise we'll have the soversion hardcoded again in some B-D; I'd like to avoid that.) Please, Anibal & Nobuhiro shout STOP if you do not like this otherwise I'll NMU my proposal tomorrow evening
Bug#650601: transition: libpng 1.5
Dear all, rebuilt is now complete. The final stats are: Built: 463* Failed: 117 OK: 346 The summary is also here: https://libpng.sviech.de/!summary.txt On the same server are also the complete buildlogs: https://libpng.sviech.de/ I will no proceed with the preparations of the MBF announcement. Tobi * libreoffice is the only package I did not rebuild
Bug#650601: transition: libpng 1.5
On Sun, 27 Dec 2015 14:25:29 +0100 Pedretti Fabio <pedretti.fabio@gmail .com> wrote: > Hi, I could provide a fast server (16+ xeon cores, 32gb+ ram) accessible > via ssh for test rebuild. If it can be useful let me know. > Il 27/dic/2015 14:08, "Tobias Frost" <t...@debian.org> ha scritto: > > > Hi, > > > > Now the stats read: > > Built: 417 > > Failed: 112 > > OK: 304 > > > > To get forward, I drafted some MBF announcement on the Titanpad. Would > > be cool if some can check it and maybe improve it (writing is not my > > strength) > > > > https://titanpad.com/libpng16-transistion > > > > In the draft propose the following plan: > > > > 0. Assess situation (rebuld) -- done > > 1. MBF announcement > > 2. File bugs > > for packages failing to build or needing updates in the B-Ds > > 2. Upload > > libpng1.6 to unstable, providing libpng-dev (after "GO" from the > > release team) > > 2a Upload libpng1.2 without providing libpng-dev to > > unstable > > 3. Raise severity to RC > > 4. Prepare patches and NMU them > > 5. binNMU > > 6. fix remaining issues to finish transition > > 7. Remove libpng12 from > > unstable > > > > I'd go to upload 16 package with providing libpng-dev from day 1. and > > then in a second step (as it needs to pass NEW) provide libpng-dev as > > real package to allow versioned depends later. This second-step package > > can be cleared via experimental. > > > > Nobuhiro, what do you think? As said, now I'd have time > > Emilio/Release-Team: The plan sounds OK with you? > > > > -- > > To unsubscribe, send mail to 650601-unsubscr...@bugs.debian.org. > > Thanks for the offer! Currently not needed, but in case we'll do another rebuild I willl contact you! Tobi
Bug#650601: transition: libpng 1.5
Hi, Now the stats read: Built: 417 Failed: 112 OK: 304 To get forward, I drafted some MBF announcement on the Titanpad. Would be cool if some can check it and maybe improve it (writing is not my strength) https://titanpad.com/libpng16-transistion In the draft propose the following plan: 0. Assess situation (rebuld) -- done 1. MBF announcement 2. File bugs for packages failing to build or needing updates in the B-Ds 2. Upload libpng1.6 to unstable, providing libpng-dev (after "GO" from the release team) 2a Upload libpng1.2 without providing libpng-dev to unstable 3. Raise severity to RC 4. Prepare patches and NMU them 5. binNMU 6. fix remaining issues to finish transition 7. Remove libpng12 from unstable I'd go to upload 16 package with providing libpng-dev from day 1. and then in a second step (as it needs to pass NEW) provide libpng-dev as real package to allow versioned depends later. This second-step package can be cleared via experimental. Nobuhiro, what do you think? As said, now I'd have time Emilio/Release-Team: The plan sounds OK with you?
Bug#650601: transition: libpng 1.5
After building 288 packages some intermediate result: 288 built 85 failed 200 built ok (3 currently rebuilding due some BD needed to be rebuilt themselves too) Short analysis of the build errors are on this titanpad: https://titanpad.com/libpng16-transistion I will continue update the pad with new results. To build the packages, I modified the libpng16 package from experimental to provides also libpng-dev and libpng12-dev. -- tobi
Bug#650601: transition: libpng 1.5
Am Freitag, den 25.12.2015, 20:28 +0100 schrieb Alexandre Detiste: > > There's one game from this list for which nobody should waste time > on: freecraft. Noted on the pad*. Thanks Alexandre * anyone feel free to add such notes to the pad themselves...