Bug#1026177: bullseye-pu: package golang-github-prometheus-exporter-toolkit/0.5.1-2
Hi Moritz, On 16/12/2022 10:02, Moritz Mühlenhoff wrote: If we're doing a stable update anyway, could we also piggyback the fix https://security-tracker.debian.org/tracker/CVE-2022-46146 ? Good point. I have just uploaded a 0.5.1-2+deb11u2 release containing a backport of the fix, I am attaching the debdiff against 0.5.1-2 here. Do I need to create a new bug for the release team? -- Martina Ferrari (Tina)diff -Nru golang-github-prometheus-exporter-toolkit-0.5.1/debian/changelog golang-github-prometheus-exporter-toolkit-0.5.1/debian/changelog --- golang-github-prometheus-exporter-toolkit-0.5.1/debian/changelog 2021-01-25 14:10:41.0 + +++ golang-github-prometheus-exporter-toolkit-0.5.1/debian/changelog 2022-12-19 23:02:39.0 + @@ -1,3 +1,16 @@ +golang-github-prometheus-exporter-toolkit (0.5.1-2+deb11u2) bullseye; urgency=medium + + * Backport fix for CVE-2022-46146. Closes: #1025127. + + -- Martina Ferrari Mon, 19 Dec 2022 23:02:39 + + +golang-github-prometheus-exporter-toolkit (0.5.1-2+deb11u1) bullseye; urgency=medium + + * Patch tests to avoid race condition. Closes: #1013578. +Thanks to Santiago Vila for the adjusted patch. + + -- Martina Ferrari Thu, 15 Dec 2022 22:33:17 + + golang-github-prometheus-exporter-toolkit (0.5.1-2) unstable; urgency=medium * Team upload. diff -Nru golang-github-prometheus-exporter-toolkit-0.5.1/debian/control golang-github-prometheus-exporter-toolkit-0.5.1/debian/control --- golang-github-prometheus-exporter-toolkit-0.5.1/debian/control 2021-01-19 14:44:59.0 + +++ golang-github-prometheus-exporter-toolkit-0.5.1/debian/control 2022-12-19 23:02:39.0 + 
@@ -1,6 +1,7 @@ Source: golang-github-prometheus-exporter-toolkit Maintainer: Debian Go Packaging Team -Uploaders: Daniel Swarbrick +Uploaders: Daniel Swarbrick , + Martina Ferrari , Section: devel Testsuite: autopkgtest-pkg-go Priority: optional diff -Nru golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/02-Avoid_race_in_test.patch golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/02-Avoid_race_in_test.patch --- golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/02-Avoid_race_in_test.patch 1970-01-01 00:00:00.0 + +++ golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/02-Avoid_race_in_test.patch 2022-12-19 23:02:39.0 + @@ -0,0 +1,31 @@ +Author: Martina Ferrari +Description: Fix test failures due to race conditions +Forwarded: https://github.com/prometheus/exporter-toolkit/issues/108 +Last-Updated: Mon, 29 Aug 2022 17:39:56 + + +--- a/web/users_test.go b/web/users_test.go +@@ -18,6 +18,7 @@ + "net/http" + "sync" + "testing" ++ "time" + ) + + // TestBasicAuthCache validates that the cache is working by calling a password +@@ -42,6 +43,7 @@ + ListenAndServe(server, "testdata/tls_config_users_noTLS.good.yml", testlogger) + close(done) + }() ++ time.Sleep(250 * time.Millisecond) + + login := func(username, password string, code int) { + client := {} +@@ -106,6 +108,7 @@ + ListenAndServe(server, "testdata/tls_config_users_noTLS.good.yml", testlogger) + close(done) + }() ++ time.Sleep(250 * time.Millisecond) + + login := func() { + client := {} diff -Nru golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/03-CVE-2022-46146.patch golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/03-CVE-2022-46146.patch --- golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/03-CVE-2022-46146.patch 1970-01-01 00:00:00.0 + +++ golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/03-CVE-2022-46146.patch 2022-12-19 23:02:39.0 + 
@@ -0,0 +1,112 @@ +Author: Julien Pivotto +Date: Tue Nov 29 10:22:49 2022 +0100 +Forwarded: not-needed +Last-Updated: Mon, 19 Dec 2022 20:11:12 + +Description: + Backport of upstream commits 2528877 and 0af5c3f: + +Merge pull request from GHSA-7rg2-cxvp-9p7p + +* Fix authentication bypass if stored password hash is known + +Signed-off-by: Julien Pivotto + +* Add test for CVE-2022-46146 + +Signed-off-by: Julien Pivotto + +* Fix tests + +Signed-off-by: Julien Pivotto + +--- a/web/users.go b/web/users.go +@@ -18,6 +18,7 @@ + import ( + "encoding/hex" + "net/http" ++ "strings" + "sync" + + "github.com/go-kit/kit/log" +@@ -74,7 +75,12 @@ + hashedPassword = "$2y$10$QOauhQNbBCuQDKes6eFzPeMqBSjb7Mr5DUmpZ/VcEd00UAV/LDeSi" + } + +- cacheKey := hex.EncodeToString(append(append([]byte(user), []byte(hashedPassword)...), []byte(pass)...)) ++ cacheKey := strings.Join( ++ []string{ ++
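Review bot: the web/users.go hunk of 03-CVE-2022-46146.patch is cut off on this page right after `cacheKey := strings.Join(` / `[]string{`, so the separator handed to strings.Join and whether the joined key is still hex-encoded cannot be checked here; please verify the full backport against upstream commits 2528877 and 0af5c3f. The part that is visible is the right change: the old `hex.EncodeToString(append(append([]byte(user), []byte(hashedPassword)...), []byte(pass)...))` concatenates user, stored hash and password with no separator, so the boundaries between the three fields are ambiguous in the cache key, which is the weakness the patch title "Fix authentication bypass if stored password hash is known" (GHSA-7rg2-cxvp-9p7p) refers to. The patch description also lists "Add test for CVE-2022-46146", but no users_test.go hunk for it appears in the visible debdiff; confirm the regression test was backported along with the fix, since it is what would catch a separator mistake in the backport.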
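Review bot: in 02-Avoid_race_in_test.patch the two added `time.Sleep(250 * time.Millisecond)` lines after the `go func() { ListenAndServe(...) }()` blocks only narrow the window in which the test's first request can race the server start; on a loaded buildd the listener may still not be up after 250 ms, so the autopkgtest can still fail intermittently. A readiness wait (retrying the first request with a bounded timeout, or having the goroutine signal on a channel once the server is listening) would make TestBasicAuthCache deterministic. Keep the Forwarded: link to upstream issue 108 in the header so the patch can be dropped once upstream fixes the test.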
Bug#1025056: transition: numerical library transition: hypre / petsc / slepc / sundials
Hi Drew

On 2022-12-19 18:14:53 +0100, Drew Parsons wrote:
> The hypre/petsc part of this transition is complete.
>
> The sundials part is waiting for dyssol to be patched. Anton is preparing
> this.

sundials will also need fixes for #1026330 and #1026352.

Cheers

>
> Drew
>
>
> On 2022-11-29 23:34, Sebastian Ramacher wrote:
> > Control: tags -1 confirmed
> >
> > Hi Drew
> >
> > On 2022-11-29 12:16:55 +0100, Drew Parsons wrote:
> > > Package: release.debian.org
> > > Severity: normal
> > > User: release.debian@packages.debian.org
> > > Usertags: transition
> > > X-Debbugs-Cc: Anton Gladky
> > >
> > > We'd like to update the numerical library stack in time for the new
> > > stable release.
> > >
> > > Affected libraries are
> > >
> > > hypre 2.25.0 -> 2.26.0
> > > petsc/slepc 3.17 -> 3.18
> > > sundials 5.8.0 -> 6.4.1
> > >
> > > Autotransitions are already generated:
> > > https://release.debian.org/transitions/html/auto-hypre.html
> > > https://release.debian.org/transitions/html/auto-petsc.html
> > > https://release.debian.org/transitions/html/auto-slepc.html
> > > https://release.debian.org/transitions/html/auto-sundials.html
> > >
> > > Most of the dependent packages are under our control
> > > (Debian Science Team), octave is the main one outside our team.
> > >
> > > Updates have built fine in experimental and dependent
> > > packages are building successfully against them.
> > >
> > > Anton Gladky will upload the sundials update.
> >
> > Please go ahead
> >
> > Cheers
>

-- 
Sebastian Ramacher
Re: Migrating golang-github-smallstep-certificates 0.19.0-1 to testing
Hi,

On 18-12-2022 22:35, Peymaneh wrote:
> Those are only autopkgtest regressions

Manually scheduled.

Paul
Bug#1025056: transition: numerical library transition: hypre / petsc / slepc / sundials
Dyssol has just been (today!) released. I will upload it ASAP.

Regards

Anton

On Mon., 19 Dec. 2022 at 18:14, Drew Parsons wrote:
>
> The hypre/petsc part of this transition is complete.
>
> The sundials part is waiting for dyssol to be patched. Anton is
> preparing this.
>
> Drew
>
>
> On 2022-11-29 23:34, Sebastian Ramacher wrote:
> > Control: tags -1 confirmed
> >
> > Hi Drew
> >
> > On 2022-11-29 12:16:55 +0100, Drew Parsons wrote:
> >> Package: release.debian.org
> >> Severity: normal
> >> User: release.debian@packages.debian.org
> >> Usertags: transition
> >> X-Debbugs-Cc: Anton Gladky
> >>
> >> We'd like to update the numerical library stack in time for the new
> >> stable release.
> >>
> >> Affected libraries are
> >>
> >> hypre 2.25.0 -> 2.26.0
> >> petsc/slepc 3.17 -> 3.18
> >> sundials 5.8.0 -> 6.4.1
> >>
> >> Autotransitions are already generated:
> >> https://release.debian.org/transitions/html/auto-hypre.html
> >> https://release.debian.org/transitions/html/auto-petsc.html
> >> https://release.debian.org/transitions/html/auto-slepc.html
> >> https://release.debian.org/transitions/html/auto-sundials.html
> >>
> >> Most of the dependent packages are under our control
> >> (Debian Science Team), octave is the main one outside our team.
> >>
> >> Updates have built fine in experimental and dependent
> >> packages are building successfully against them.
> >>
> >> Anton Gladky will upload the sundials update.
> >
> > Please go ahead
> >
> > Cheers
Bug#1025056: transition: numerical library transition: hypre / petsc / slepc / sundials
The hypre/petsc part of this transition is complete.

The sundials part is waiting for dyssol to be patched. Anton is preparing this.

Drew

On 2022-11-29 23:34, Sebastian Ramacher wrote:
> Control: tags -1 confirmed
>
> Hi Drew
>
> On 2022-11-29 12:16:55 +0100, Drew Parsons wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > X-Debbugs-Cc: Anton Gladky
> >
> > We'd like to update the numerical library stack in time for the new
> > stable release.
> >
> > Affected libraries are
> >
> > hypre 2.25.0 -> 2.26.0
> > petsc/slepc 3.17 -> 3.18
> > sundials 5.8.0 -> 6.4.1
> >
> > Autotransitions are already generated:
> > https://release.debian.org/transitions/html/auto-hypre.html
> > https://release.debian.org/transitions/html/auto-petsc.html
> > https://release.debian.org/transitions/html/auto-slepc.html
> > https://release.debian.org/transitions/html/auto-sundials.html
> >
> > Most of the dependent packages are under our control
> > (Debian Science Team), octave is the main one outside our team.
> >
> > Updates have built fine in experimental and dependent
> > packages are building successfully against them.
> >
> > Anton Gladky will upload the sundials update.
>
> Please go ahead
>
> Cheers
Processed: changing my email address
Processing commands for cont...@bugs.debian.org:

> submitter 423454 zack+debian.b...@owlfolio.org
Bug #423454 [aptitude] way to mark (esp. with ':' or '=') all binaries from the same source package
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 447532 zack+debian.b...@owlfolio.org
Bug #447532 [audacity] "repeat amplify" does not do the same thing as selecting "amplify" again from the menu
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 493911 zack+debian.b...@owlfolio.org
Bug #493911 [qa.debian.org] qa.debian.org: less scary notice for remove-from-unstable bugs for only some architectures
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 494923 zack+debian.b...@owlfolio.org
Bug #494923 [xvfb] xvfb-run: feature request: option to isolate processes from parent environment
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 525893 zack+debian.b...@owlfolio.org
Bug #525893 [wicd] please improve wired/wireless hardware detection
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 548396 zack+debian.b...@owlfolio.org
Bug #548396 [epiphany-browser] epiphany-browser: large blank area, missing entries in location bar dropdown
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 548756 zack+debian.b...@owlfolio.org
Bug #548756 [epiphany-browser] epiphany-browser: Downloads silently lost if target directory is un-writable
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 572244 zack+debian.b...@owlfolio.org
Bug #572244 [gnome-power-manager] xserver-xorg: gnome-power-manager complains about broken IDLETIME counter
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 586803 zack+debian.b...@owlfolio.org
Bug #586803 [partman-partitioning] debian-installer: partitioner should create a "BIOS boot" partition when GPT is requested
Bug #606408 [partman-partitioning] partman-partitioning: please warn when using GPT without a bios_grub partition
Bug #615215 [partman-partitioning] installation-reports: Boot failure after install w/ GPT partitioning on Intel motherboard(s)
Bug #615589 [partman-partitioning] installation-reports: Partitioning completes without creating bios_boot partition required by GRUB
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 598553 zack+debian.b...@owlfolio.org
Bug #598553 [openmpi] Add support for blocking progress
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 658556 zack+debian.b...@owlfolio.org
Bug #658556 [gnome-session] gnome-session: on suspend, screen reappears for a moment after fading out
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 661387 zack+debian.b...@owlfolio.org
Bug #661387 [iceweasel] iceweasel: crash inside nouveau_dri.so from canvas3d on html5boilerplate
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 740562 zack+debian.b...@owlfolio.org
Bug #740562 [src:policycoreutils] policycoreutils: cannot disable modules defining types required only by disabled modules
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 746796 zack+debian.b...@owlfolio.org
Bug #746796 [deja-dup] deja-dup: automatic backups always say "delayed, will start when network available"
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 757470 zack+debian.b...@owlfolio.org
Bug #757470 [network-manager] network-manager: after resume from suspend, fails to start dhclient on wired interface
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 758911 zack+debian.b...@owlfolio.org
Bug #758911 [libc6-dev] libc6-dev: spurious sign-conversion warning for setrlimit, clang 3.5, _GNU_SOURCE
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 760997 zack+debian.b...@owlfolio.org
Bug #760997 [grub2-common] /usr/sbin/grub-install: unicode.pf2 is installed twice in /boot, wasting space
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 807858 zack+debian.b...@owlfolio.org
Bug #807858 [quodlibet] quodlibet: "Saving the songs you changed" window immobile & obscures other programs
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 814240 zack+debian.b...@owlfolio.org
Bug #814240 [apt] systemd triggers break upgrades within unstable
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg '.
> submitter 826246 zack+debian.b...@owlfolio.org
Bug #826246 [deja-dup] deja-dup: progress details pane does not stretch vertically when window is
Bug#1026392: transition: gnat-12
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hello.

The gcc-V source package builds the Ada compiler (gnat-V) and companion library (libgnat-V). The default Ada compiler is selected by the gnat package. In unstable and testing, gnat Depends: gnat-11. In experimental, gnat Depends: gnat-12.

Most Ada packages are currently removed from testing because of #1020018 (in libxmlada, a quite common indirect build-dependency via gprbuild) (fixed by this transition).

Ada libraries have specific requirements.
* They must Build-Depend: gnat (>= V) gnat (<< V+1).
* Each -dev package name carries a version, similar to the shared object version for lib packages. Most changes in the source require a renaming of the -dev package, and a source upload of all reverse dependencies. In order to reduce the number of such transitions, many unrelated changes, like new upstream releases, are introduced with a libgnat transition and tested in experimental.
* Each -dev package depends on both gnat and gnat-V.

GCC builds no libgnat-V-dev package. The sources for the Ada standard library are distributed with the compiler in the gnat-V package. So it is convenient to track the transition with the libgnat-V package instead (even when the ABI is unchanged).

Ben file:
title = "gnat-12";
is_affected = .depends ~ "libgnat-8" | .depends ~ "libgnat-9" | .depends ~ "libgnat-10" | .depends ~ "libgnat-11" | .depends ~ "libgnat-12";
is_good = .depends ~ "libgnat-12";
is_bad = .depends ~ "libgnat-8" | .depends ~ "libgnat-9" | .depends ~ "libgnat-10" | .depends ~ "libgnat-11";

libgmpada
https://buildd.debian.org/status/fetch.php?pkg=libgmpada=i386=1.5-1=1661971646=0
libgnatcoll-db
https://buildd.debian.org/status/fetch.php?pkg=libgnatcoll-db=mipsel=23%7E20220814-1=1661841082=0
- are removed from testing because of #1020018,
- are updated in experimental, but now fail to build on a supported architecture.

I intend to
- file RC bugs against them in order to prevent their migration from unstable to testing.
- reupload them from experimental to unstable with the other packages as part of the transition (so that the versions depending on gnat-11 disappear from unstable) (and so that RC-buggy but mostly usable versions are available)
- try to fix the issues after the transition is completed

Is this the right way to proceed?

adacgi
adasockets
ahven
anet
dbusada
gprbuild
gprbuild
libalog
libaunit
libflorist
libgnatcoll
libgnatcoll-bindings
libgtkada
liblog4ada
libncursesada
libtemplates-parser
libtexttools
libxmlada
libxmlada
libxmlezout
pcscada
  ready in experimental, removed from unstable

plplot
  ready in experimental

dh-ada-library
gprconfig-kb
  ready in experimental (not Ada libraries, but connected and part of the transition)

ghdl
music123
  are ready in experimental (not Ada libraries, but part of the transition because of dh-ada-library/8)

These source packages produce no library and should only need a bin-NMU in due time:
nmu topal_81-2 . ANY . -m 'Rebuild with gnat-12'
nmu whitakers-words_0.2020.10.27-1.2 . ANY . -m 'Rebuild with gnat-12'
nmu phcpack_2.4.86+dfsg-2 . ANY . -m 'Rebuild with gnat-12'

ada-reference-manual only requires gnat at build time and should not be affected.

adabrowse
adacontrol
asis
gnat-gps
libaws
are removed from testing because of unrelated RC bugs and should not block anything.
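The Ben file in the request expresses the transition tracker's rules as regular-expression matches on each binary package's Depends field. As an added illustration (not part of the request and not Ben's own code), the following Python evaluates those same three rules over a constructed Packages dump; the package names are borrowed from the request, but the dependency lists are made up for the example, and the "mixed" status for a package matching both the good and the bad pattern is this example's own label.

```python
import re

# The Ben file quoted in the transition request, as Python data. Ben's "~"
# operator is a regular-expression search on the named field, mirrored here.
OLD_LIBGNAT = ["libgnat-8", "libgnat-9", "libgnat-10", "libgnat-11"]
NEW_LIBGNAT = "libgnat-12"

def parse_packages(text):
    """Split an RFC 822-style Packages dump into stanzas (dict field -> value)."""
    stanzas = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and last is not None:  # folded continuation
                fields[last] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                last = key.strip()
                fields[last] = value.strip()
        stanzas.append(fields)
    return stanzas

def ben_flags(stanza):
    """(is_affected, is_good, is_bad) exactly as the Ben file defines them."""
    depends = stanza.get("Depends", "")
    is_good = re.search(NEW_LIBGNAT, depends) is not None
    is_bad = any(re.search(old, depends) for old in OLD_LIBGNAT)
    return is_good or is_bad, is_good, is_bad

def classify(stanza):
    """'good', 'bad', 'mixed' (depends on an old and the new libgnat) or None."""
    affected, good, bad = ben_flags(stanza)
    if not affected:
        return None
    return "mixed" if good and bad else ("good" if good else "bad")

def transition_report(packages_text):
    """Map each binary package name to its transition status."""
    return {s["Package"]: classify(s)
            for s in parse_packages(packages_text) if "Package" in s}

# Constructed sample stanzas: names from the request, dependency lists made up.
SAMPLE_PACKAGES = """\
Package: libalog-dev
Depends: gnat, gnat-11, libgnat-11

Package: libxmlada-dev
Depends: gnat, gnat-12,
 libgnat-12

Package: music123
Depends: libc6, libgnat-11 | libgnat-12
"""
```

Running `transition_report(SAMPLE_PACKAGES)` marks libalog-dev as bad, libxmlada-dev as good and music123 as mixed; a stanza with no libgnat dependency at all comes back as None, i.e. not part of the transition.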