Bug#1026177: bullseye-pu: package golang-github-prometheus-exporter-toolkit/0.5.1-2

2022-12-19 Thread Martina Ferrari

Hi Moritz,

On 16/12/2022 10:02, Moritz Mühlenhoff wrote:


> If we're doing a stable update anyway, could we also piggyback the
> fix https://security-tracker.debian.org/tracker/CVE-2022-46146 ?


Good point. I have just uploaded a 0.5.1-2+deb11u2 release containing a 
backport of the fix, I am attaching the debdiff against 0.5.1-2 here. Do 
I need to create a new bug for the release team?



--
Martina Ferrari (Tina)

diff -Nru golang-github-prometheus-exporter-toolkit-0.5.1/debian/changelog
golang-github-prometheus-exporter-toolkit-0.5.1/debian/changelog
--- golang-github-prometheus-exporter-toolkit-0.5.1/debian/changelog
2021-01-25 14:10:41.0 +
+++ golang-github-prometheus-exporter-toolkit-0.5.1/debian/changelog
2022-12-19 23:02:39.0 +
@@ -1,3 +1,16 @@
+golang-github-prometheus-exporter-toolkit (0.5.1-2+deb11u2) bullseye; 
urgency=medium
+
+  * Backport fix for CVE-2022-46146. Closes: #1025127.
+
+ -- Martina Ferrari   Mon, 19 Dec 2022 23:02:39 +
+
+golang-github-prometheus-exporter-toolkit (0.5.1-2+deb11u1) bullseye; 
urgency=medium
+
+  * Patch tests to avoid race condition. Closes: #1013578.
+Thanks to Santiago Vila for the adjusted patch.
+
+ -- Martina Ferrari   Thu, 15 Dec 2022 22:33:17 +
+
 golang-github-prometheus-exporter-toolkit (0.5.1-2) unstable; urgency=medium
 
   * Team upload.
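Review bot: the deb11u2 entry (`+  * Backport fix for CVE-2022-46146. Closes: #1025127.`) names only the CVE id; stable-update changelog entries conventionally also say what the issue is, so the text can be reused when the update is announced. The patch header further down in this debdiff describes it as an authentication bypass when the stored password hash is known, and a short clause to that effect, together with the two upstream commit ids the patch backports (2528877 and 0af5c3f), would let a reader judge the entry without opening the patch file.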
diff -Nru golang-github-prometheus-exporter-toolkit-0.5.1/debian/control 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/control
--- golang-github-prometheus-exporter-toolkit-0.5.1/debian/control  
2021-01-19 14:44:59.0 +
+++ golang-github-prometheus-exporter-toolkit-0.5.1/debian/control  
2022-12-19 23:02:39.0 +
@@ -1,6 +1,7 @@
 Source: golang-github-prometheus-exporter-toolkit
 Maintainer: Debian Go Packaging Team 
-Uploaders: Daniel Swarbrick 
+Uploaders: Daniel Swarbrick ,
+   Martina Ferrari ,
 Section: devel
 Testsuite: autopkgtest-pkg-go
 Priority: optional
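Review bot: the Uploaders change (`-Uploaders: Daniel Swarbrick` / `+Uploaders: Daniel Swarbrick ,` / `+   Martina Ferrari ,`) is unrelated to either bug this update closes; stable uploads are expected to carry only the changes needed for the fix, so either leave debian/control untouched in the bullseye upload or call the addition out in the pu request so the release team accepts it knowingly. If it stays, double-check that the trailing comma after the last uploader is accepted by the tooling.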
diff -Nru 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/02-Avoid_race_in_test.patch
 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/02-Avoid_race_in_test.patch
--- 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/02-Avoid_race_in_test.patch
  1970-01-01 00:00:00.0 +
+++ 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/02-Avoid_race_in_test.patch
  2022-12-19 23:02:39.0 +
@@ -0,0 +1,31 @@
+Author: Martina Ferrari 
+Description: Fix test failures due to race conditions
+Forwarded: https://github.com/prometheus/exporter-toolkit/issues/108
+Last-Updated: Mon, 29 Aug 2022 17:39:56 +
+
+--- a/web/users_test.go
 b/web/users_test.go
+@@ -18,6 +18,7 @@
+   "net/http"
+   "sync"
+   "testing"
++  "time"
+ )
+ 
+ // TestBasicAuthCache validates that the cache is working by calling a 
password
+@@ -42,6 +43,7 @@
+   ListenAndServe(server, 
"testdata/tls_config_users_noTLS.good.yml", testlogger)
+   close(done)
+   }()
++  time.Sleep(250 * time.Millisecond)
+ 
+   login := func(username, password string, code int) {
+   client := {}
+@@ -106,6 +108,7 @@
+   ListenAndServe(server, 
"testdata/tls_config_users_noTLS.good.yml", testlogger)
+   close(done)
+   }()
++  time.Sleep(250 * time.Millisecond)
+ 
+   login := func() {
+   client := {}
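Review bot: the two `++  time.Sleep(250 * time.Millisecond)` lines make the test pass by timing rather than by synchronisation; they narrow the race with the goroutine that calls ListenAndServe but do not close it, and on a slow or heavily loaded buildd the listener can still be absent after 250 ms, giving the same failure as before. A sturdier form is to poll the server address with net.Dial in a short retry loop (or wait on a readiness channel) before invoking login, which is also faster where the server comes up immediately. Separately, as rendered on this archive page the inner file header reads `+--- a/web/users_test.go` followed by ` b/web/users_test.go`, i.e. the `+++` prefix of the second header line is missing, so a debdiff copied from the page text will not apply; verify against the attached file.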
diff -Nru 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/03-CVE-2022-46146.patch
 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/03-CVE-2022-46146.patch
--- 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/03-CVE-2022-46146.patch
  1970-01-01 00:00:00.0 +
+++ 
golang-github-prometheus-exporter-toolkit-0.5.1/debian/patches/03-CVE-2022-46146.patch
  2022-12-19 23:02:39.0 +
@@ -0,0 +1,112 @@
+Author: Julien Pivotto 
+Date:   Tue Nov 29 10:22:49 2022 +0100
+Forwarded: not-needed
+Last-Updated: Mon, 19 Dec 2022 20:11:12 +
+Description:
+ Backport of upstream commits 2528877 and 0af5c3f:
+
+Merge pull request from GHSA-7rg2-cxvp-9p7p
+
+* Fix authentication bypass if stored password hash is known
+
+Signed-off-by: Julien Pivotto 
+
+* Add test for CVE-2022-46146
+
+Signed-off-by: Julien Pivotto 
+
+* Fix tests
+
+Signed-off-by: Julien Pivotto 
+
+--- a/web/users.go
 b/web/users.go
+@@ -18,6 +18,7 @@
+ import (
+   "encoding/hex"
+   "net/http"
++  "strings"
+   "sync"
+ 
+   "github.com/go-kit/kit/log"
+@@ -74,7 +75,12 @@
+   hashedPassword = 
"$2y$10$QOauhQNbBCuQDKes6eFzPeMqBSjb7Mr5DUmpZ/VcEd00UAV/LDeSi"
+   }
+ 
+-  cacheKey := hex.EncodeToString(append(append([]byte(user), 
[]byte(hashedPassword)...), []byte(pass)...))
++  cacheKey := strings.Join(
++  []string{
++  
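Review bot: the hunk is cut off on this page at `++  cacheKey := strings.Join(` / `++  []string{`, so the separator and the rest of the 112-line patch cannot be reviewed here. The replaced line `-  cacheKey := hex.EncodeToString(append(append([]byte(user), []byte(hashedPassword)...), []byte(pass)...))` joins the three fields with no delimiter, so the boundaries between user, hash and password are ambiguous in the cache key; the strings.Join form only helps if the separator is one that cannot occur inside a username or a bcrypt hash (or the fields are length-prefixed), so that part of the backport needs to be checked against the upstream commit. The DEP-3 header is also incomplete for a backport: it carries `Author:` and `Forwarded: not-needed` but no `Origin:` line; an `Origin: backport, <upstream commit URL>` entry for commits 2528877 and 0af5c3f would record provenance in the machine-readable field rather than only in the free-text Description.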

Bug#1025056: transition: numerical library transition: hypre / petsc / slepc / sundials

2022-12-19 Thread Sebastian Ramacher
Hi Drew

On 2022-12-19 18:14:53 +0100, Drew Parsons wrote:
> The hypre/petsc part of this transition is complete.
> 
> The sundials part is waiting for dyssol to be patched.  Anton is preparing
> this.

sundials will also need fixes for #1026330 and #1026352.

Cheers

> 
> Drew
> 
> 
> On 2022-11-29 23:34, Sebastian Ramacher wrote:
> > Control: tags -1 confirmed
> > 
> > Hi Drew
> > 
> > On 2022-11-29 12:16:55 +0100, Drew Parsons wrote:
> > > Package: release.debian.org
> > > Severity: normal
> > > User: release.debian@packages.debian.org
> > > Usertags: transition
> > > X-Debbugs-Cc: Anton Gladky 
> > > 
> > > We'd like to update the numerical library stack in time for the new
> > > stable release.
> > > 
> > > Affected libraries are
> > > 
> > > hypre        2.25.0 -> 2.26.0
> > > petsc/slepc  3.17   -> 3.18
> > > sundials     5.8.0  -> 6.4.1
> > > 
> > > Autotransitions are already generated:
> > > https://release.debian.org/transitions/html/auto-hypre.html
> > > https://release.debian.org/transitions/html/auto-petsc.html
> > > https://release.debian.org/transitions/html/auto-slepc.html
> > > https://release.debian.org/transitions/html/auto-sundials.html
> > > 
> > > Most of the dependent packages are under our control
> > > (Debian Science Team), octave is the main one outside our team.
> > > 
> > > Updates have built fine in experimental and dependent
> > > packages are building successfully against them.
> > > 
> > > Anton Gladky will upload the sundials update.
> > 
> > Please go ahead
> > 
> > Cheers
> 

-- 
Sebastian Ramacher



Re: Migrating golang-github-smallstep-certificates 0.19.0-1 to testing

2022-12-19 Thread Paul Gevers

Hi,

On 18-12-2022 22:35, Peymaneh wrote:

> Those are only autopkgtest regressions


Manually scheduled.

Paul




Bug#1025056: transition: numerical library transition: hypre / petsc / slepc / sundials

2022-12-19 Thread Anton Gladky
Dyssol has just been (today!) released. I will upload it ASAP.

Regards

Anton

On Mon, 19 Dec 2022 at 18:14, Drew Parsons wrote:
>
> The hypre/petsc part of this transition is complete.
>
> The sundials part is waiting for dyssol to be patched.  Anton is
> preparing this.
>
> Drew
>
>
> On 2022-11-29 23:34, Sebastian Ramacher wrote:
> > Control: tags -1 confirmed
> >
> > Hi Drew
> >
> > On 2022-11-29 12:16:55 +0100, Drew Parsons wrote:
> >> Package: release.debian.org
> >> Severity: normal
> >> User: release.debian@packages.debian.org
> >> Usertags: transition
> >> X-Debbugs-Cc: Anton Gladky 
> >>
> >> We'd like to update the numerical library stack in time for the new
> >> stable release.
> >>
> >> Affected libraries are
> >>
> >> hypre        2.25.0 -> 2.26.0
> >> petsc/slepc  3.17   -> 3.18
> >> sundials     5.8.0  -> 6.4.1
> >>
> >> Autotransitions are already generated:
> >> https://release.debian.org/transitions/html/auto-hypre.html
> >> https://release.debian.org/transitions/html/auto-petsc.html
> >> https://release.debian.org/transitions/html/auto-slepc.html
> >> https://release.debian.org/transitions/html/auto-sundials.html
> >>
> >> Most of the dependent packages are under our control
> >> (Debian Science Team), octave is the main one outside our team.
> >>
> >> Updates have built fine in experimental and dependent
> >> packages are building successfully against them.
> >>
> >> Anton Gladky will upload the sundials update.
> >
> > Please go ahead
> >
> > Cheers



Bug#1025056: transition: numerical library transition: hypre / petsc / slepc / sundials

2022-12-19 Thread Drew Parsons

The hypre/petsc part of this transition is complete.

The sundials part is waiting for dyssol to be patched.  Anton is 
preparing this.


Drew


On 2022-11-29 23:34, Sebastian Ramacher wrote:

> Control: tags -1 confirmed
> 
> Hi Drew
> 
> On 2022-11-29 12:16:55 +0100, Drew Parsons wrote:
> 
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: transition
>> X-Debbugs-Cc: Anton Gladky 
>> 
>> We'd like to update the numerical library stack in time for the new
>> stable release.
>> 
>> Affected libraries are
>> 
>> hypre        2.25.0 -> 2.26.0
>> petsc/slepc  3.17   -> 3.18
>> sundials     5.8.0  -> 6.4.1
>> 
>> Autotransitions are already generated:
>> https://release.debian.org/transitions/html/auto-hypre.html
>> https://release.debian.org/transitions/html/auto-petsc.html
>> https://release.debian.org/transitions/html/auto-slepc.html
>> https://release.debian.org/transitions/html/auto-sundials.html
>> 
>> Most of the dependent packages are under our control
>> (Debian Science Team), octave is the main one outside our team.
>> 
>> Updates have built fine in experimental and dependent
>> packages are building successfully against them.
>> 
>> Anton Gladky will upload the sundials update.
> 
> Please go ahead
> 
> Cheers




Processed: changing my email address

2022-12-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> submitter 423454 zack+debian.b...@owlfolio.org
Bug #423454 [aptitude] way to mark (esp. with ':' or '=') all binaries from the 
same source package
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 447532 zack+debian.b...@owlfolio.org
Bug #447532 [audacity] "repeat amplify" does not do the same thing as selecting 
"amplify" again from the menu
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 493911 zack+debian.b...@owlfolio.org
Bug #493911 [qa.debian.org] qa.debian.org: less scary notice for 
remove-from-unstable bugs for only some architectures
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 494923 zack+debian.b...@owlfolio.org
Bug #494923 [xvfb] xvfb-run: feature request: option to isolate processes from 
parent environment
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 525893 zack+debian.b...@owlfolio.org
Bug #525893 [wicd] please improve wired/wireless hardware detection
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 548396 zack+debian.b...@owlfolio.org
Bug #548396 [epiphany-browser] epiphany-browser: large blank area, missing 
entries in location bar dropdown
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 548756 zack+debian.b...@owlfolio.org
Bug #548756 [epiphany-browser] epiphany-browser: Downloads silently lost if 
target directory is un-writable
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 572244 zack+debian.b...@owlfolio.org
Bug #572244 [gnome-power-manager] xserver-xorg: gnome-power-manager complains 
about broken IDLETIME counter
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 586803 zack+debian.b...@owlfolio.org
Bug #586803 [partman-partitioning] debian-installer: partitioner should create 
a "BIOS boot" partition when GPT is requested
Bug #606408 [partman-partitioning] partman-partitioning: please warn when using 
GPT without a bios_grub partition
Bug #615215 [partman-partitioning] installation-reports: Boot failure after 
install w/ GPT partitioning on Intel motherboard(s)
Bug #615589 [partman-partitioning] installation-reports: Partitioning completes 
without creating bios_boot partition required by GRUB
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 598553 zack+debian.b...@owlfolio.org
Bug #598553 [openmpi] Add support for blocking progress
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 658556 zack+debian.b...@owlfolio.org
Bug #658556 [gnome-session] gnome-session: on suspend, screen reappears for a 
moment after fading out
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 661387 zack+debian.b...@owlfolio.org
Bug #661387 [iceweasel] iceweasel: crash inside nouveau_dri.so from canvas3d on 
html5boilerplate
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 740562 zack+debian.b...@owlfolio.org
Bug #740562 [src:policycoreutils] policycoreutils: cannot disable modules 
defining types required only by disabled modules
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 746796 zack+debian.b...@owlfolio.org
Bug #746796 [deja-dup] deja-dup: automatic backups always say "delayed, will 
start when network available"
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 757470 zack+debian.b...@owlfolio.org
Bug #757470 [network-manager] network-manager: after resume from suspend, fails 
to start dhclient on wired interface
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 758911 zack+debian.b...@owlfolio.org
Bug #758911 [libc6-dev] libc6-dev: spurious sign-conversion warning for 
setrlimit, clang 3.5, _GNU_SOURCE
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 760997 zack+debian.b...@owlfolio.org
Bug #760997 [grub2-common] /usr/sbin/grub-install: unicode.pf2 is installed 
twice in /boot, wasting space
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 807858 zack+debian.b...@owlfolio.org
Bug #807858 [quodlibet] quodlibet: "Saving the songs you changed" window 
immobile & obscures other programs
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 814240 zack+debian.b...@owlfolio.org
Bug #814240 [apt] systemd triggers break upgrades within unstable
Changed Bug submitter to 'zack+debian.b...@owlfolio.org' from 'Zack Weinberg 
'.
> submitter 826246 zack+debian.b...@owlfolio.org
Bug #826246 [deja-dup] deja-dup: progress details pane does not stretch 
vertically when window is 

Bug#1026392: transition: gnat-12

2022-12-19 Thread Nicolas Boulenguez
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hello.

The gcc-V source package builds the Ada compiler (gnat-V) and
companion library (libgnat-V).
The default Ada compiler is selected by the gnat package.
In unstable and testing, gnat Depends: gnat-11.
In experimental, gnat Depends: gnat-12.

Most Ada packages are currently removed from testing because of
#1020018 (in libxmlada, a quite common indirect build-dependency via
gprbuild) (fixed by this transition).

Ada libraries have specific requirements.
* They must Build-Depend: gnat (>= V) gnat (<< V+1).
* Each -dev package name carries a version, similar to the shared
  object version for lib packages.  Most changes in the source require
  a renaming of the -dev package, and a source upload of all reverse
  dependencies.
  In order to reduce the number of such transitions, many unrelated
  changes, like new upstream releases, are introduced with a libgnat
  transition and tested in experimental.
* Each -dev package depends on both gnat and gnat-V.

GCC builds no libgnat-V-dev package. The sources for the Ada standard
library are distributed with the compiler in the gnat-V package.  So
it is convenient to track the transition with the libgnat-V package
instead (even when the ABI is unchanged).

Ben file:

title = "gnat-12";
is_affected = .depends ~ "libgnat-8" | .depends ~ "libgnat-9" | .depends ~ 
"libgnat-10" | .depends ~ "libgnat-11" | .depends ~ "libgnat-12";
is_good = .depends ~ "libgnat-12";
is_bad = .depends ~ "libgnat-8" | .depends ~ "libgnat-9" | .depends ~ 
"libgnat-10" | .depends ~ "libgnat-11";

libgmpada
  https://buildd.debian.org/status/fetch.php?pkg=libgmpada&arch=i386&ver=1.5-1&stamp=1661971646&raw=0
libgnatcoll-db
  https://buildd.debian.org/status/fetch.php?pkg=libgnatcoll-db&arch=mipsel&ver=23%7E20220814-1&stamp=1661841082&raw=0
- are removed from testing because of #1020018,
- are updated in experimental, but now
  fail to build on a supported architecture.
I intend to
- file RC bugs against them in order to prevent their migration from
  unstable to testing.
- reupload them from experimental to unstable with the other packages
  as part of the transition
  (so that the versions depending on gnat-11 disappear from unstable)
  (and so that RC-buggy but mostly usable versions are available)
- try to fix the issues after the transition is completed
Is this the right way to proceed?

adacgi
adasockets
ahven
anet
dbusada
gprbuild
gprbuild
libalog
libaunit
libflorist
libgnatcoll
libgnatcoll-bindings
libgtkada
liblog4ada
libncursesada
libtemplates-parser
libtexttools
libxmlada
libxmlada
libxmlezout
pcscada
  ready in experimental, removed from unstable

plplot
  ready in experimental

dh-ada-library
gprconfig-kb
  ready in experimental
  (not Ada libraries, but connected and part of the transition)

ghdl
music123
  are ready in experimental
  (not Ada libraries, but part of the transition because of dh-ada-library/8)

These source packages produce no library and should only need a
bin-NMU in due time:
nmu topal_81-2 . ANY . -m 'Rebuild with gnat-12'
nmu whitakers-words_0.2020.10.27-1.2 . ANY . -m 'Rebuild with gnat-12'
nmu phcpack_2.4.86+dfsg-2 . ANY . -m 'Rebuild with gnat-12'

ada-reference-manual
  only requires gnat at build time and should not be affected.

adabrowse adacontrol asis gnat-gps libaws
  are removed from testing because of unrelated RC bugs
  and should not block anything.