Bug#1006292: bullseye-pu: package plasma-discover/5.20.5-3

2023-10-04 Thread Patrick Franz
Hi,

On Wednesday, 4 October 2023, 15:02:11 CEST, Adam D. Barratt wrote:
[...]
> Thanks, but it's too late to get the updated package accepted for the
> 11.8 point release now in any case.
> 
> The question that remains from Jonathan's mail is - is it OK to
> include the plasma-desktop and knewstuff updates without
> plasma-discover, or should those be held back until plasma-discover
> is ready, and all three released at the same time?

I don't know to be honest. I guess the safe way is to release all three 
together.


-- 
Kind regards

Patrick Franz



Bug#1028489: transition: boost1.81

2023-10-04 Thread David James
Hi Anton,

Is there anything I can do to help this transition along? I wish to
package software that does not build on 1.74, but does on 1.81 and 1.82.
If there's any way I can assist with bumping boost-defaults to 1.81 or 1.82
I would be happy to help.

Regards,

David James



Bug#1043599: marked as done (transition: libunistring)

2023-10-04 Thread Debian Bug Tracking System
Your message dated Wed, 4 Oct 2023 16:46:50 +0200
with message-id 
and subject line Re: Bug#1043599: transition: libunistring
has caused the Debian Bug report #1043599,
regarding transition: libunistring
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1043599: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043599
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
Control: affects -1 + src:libunistring
Control: forwarded -1 
https://release.debian.org/transitions/html/auto-libunistring.html
Control: block -1 by 1026820



Hello,

I'm looking for the transition from libunistring2 to libunistring5 due to
an upstream SONAME bump in the new release.

The build of the reverse-dependency fails with clisp. The corresponding ftbfs
bug #1026820 was opened on December 21, 2022 and today the severity was raised
to serious.

The build of the other packages from testing for the reverse dependencies are
ok: 

 - boxes ok
 - gettext ok
 - gss-ntlmssp ok
 - guile-2.2 ok
 - guile-3.0 ok
 - libidn2 ok
 - libpodofo ok
 - libratbag ok
 - lxhotkey ok
 - rygel ok
 - termdebug ok
 - wcd ok 

 - gnutls28 ok
 - libpsl ok
 - libt3window ok

 - gnunet ok
 - libt3widget ok
 - mailutils ok
 - sssd ok

 - tilde ok


Ben file:

Affected: .depends ~ /\b(libunistring5|libunistring2)\b/
Good: .depends ~ /\b(libunistring5)\b/
Bad: .depends ~ /\b(libunistring2)\b/


CU
Jörg
-- 
New:
GPG Fingerprint: 63E0 075F C8D4 3ABB 35AB  30EE 09F8 9F3C 8CA1 D25D
GPG key (long) : 09F89F3C8CA1D25D
GPG Key: 8CA1D25D
CAcert Key S/N : 0E:D4:56


Jörg Frings-Fürst
D-54470 Lieser


git:  https://git.jff.email/cgit/

Skype:jff-skype@jff.email
Jami: joergfringsfuerst
Telegram: @joergfringsfuerst
Matrix:   @joergff:matrix.snct-gmbh.de

My wish list: 
 - Please send me a picture from the nature at your home.






--- End Message ---
--- Begin Message ---
On 2023-08-31 14:06:07 +0200, Sebastian Ramacher wrote:
> Control: tags -1 confirmed
> 
> On 2023-08-13 14:46:35 +0200, Jörg Frings-Fürst wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > Control: affects -1 + src:libunistring
> > Control: forwarded -1 
> > https://release.debian.org/transitions/html/auto-libunistring.html
> > Control: block -1 by 1026820
> > 
> > 
> > 
> > Hello,
> > 
> > I'm looking for the transition from libunistring2 to libunistring5 due to
> > an upstream SONAME bump in the new release.
> 
> Please go ahead

The old binary packages got removed from testing.

Cheers
-- 
Sebastian Ramacher
--- End Message ---


Bug#1053461: bookworm-pu: package openrefine/3.6.2-2+deb12u1

2023-10-04 Thread Markus Koschany
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

[ Reason ]

Fixing CVE-2023-41886 and CVE-2023-41887.

OpenRefine is a powerful free, open source tool for working with messy
data. Prior to this version, a remote code execution vulnerability
allows any unauthenticated user to execute code on the server.

[ Tests ]

I have verified that the new test case works as expected.

[ Risks ]

Low, leaf package, all tests work as expected.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Other info ]

Please note that I have previously uploaded another bookworm-pu,
#1051429, to fix CVE-2023-37476. This update addresses the new CVE
mentioned in this bug report. CVE-2023-37476 has been fixed with
3.6.2-2+deb12u1 already.
diff --git a/debian/changelog b/debian/changelog
index 16033d8..37acbbf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openrefine (3.6.2-2+deb12u2) bookworm; urgency=medium
+
+  * Fix CVE-2023-41887 and CVE-2023-41886:
+OpenRefine is a powerful free, open source tool for working with messy
+data. Prior to this version, a remote code execution vulnerability allows
+any unauthenticated user to execute code on the server.
+
+ -- Markus Koschany   Wed, 04 Oct 2023 15:02:45 +0200
+
 openrefine (3.6.2-2+deb12u1) bookworm; urgency=medium
 
   * Fix CVE-2023-37476:
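Review bot: The new entry under `* Fix CVE-2023-41887 and CVE-2023-41886:` repeats the package description and the advisory summary but never says what the upload changes. Name the patch that was added (debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch) and the area it touches (the JDBC connection URL handling in the database extension), so the changelog alone tells a reviewer what to look at. The version here is 3.6.2-2+deb12u2 while the bug subject says 3.6.2-2+deb12u1; the subject should be corrected to match.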
diff --git a/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch 
b/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch
new file mode 100644
index 000..274b758
--- /dev/null
+++ b/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch
@@ -0,0 +1,183 @@
+From: Markus Koschany 
+Date: Wed, 4 Oct 2023 14:39:55 +0200
+Subject: CVE-2023-41887 and CVE-2023-41886
+
+Origin: 
https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511
+---
+ .../extension/database/DatabaseConfiguration.java   | 16 
+ .../database/mariadb/MariaDBConnectionManager.java  | 12 +---
+ .../database/mysql/MySQLConnectionManager.java  | 11 +--
+ .../database/pgsql/PgSQLConnectionManager.java  | 11 +--
+ .../database/sqlite/SQLiteConnectionManager.java|  9 -
+ .../database/DatabaseConfigurationTest.java | 21 +
+ 6 files changed, 48 insertions(+), 32 deletions(-)
+ create mode 100644 
extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
+
+diff --git 
a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
 
b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
+index 47dad7f..3f0dd57 100644
+--- 
a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
 
b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
+@@ -29,6 +29,9 @@
+ package com.google.refine.extension.database;
+ 
+ 
++import java.net.URI;
++import java.net.URISyntaxException;
++
+ public class DatabaseConfiguration {
+ 
+ private String connectionName;
+@@ -128,4 +131,17 @@ public class DatabaseConfiguration {
+ 
+ 
+ 
++public URI toURI() {
++try {
++return new URI(
++"jdbc:" + databaseType.toLowerCase(),
++databaseHost + ((databasePort == 0) ? "" : (":" + 
databasePort)),
++"/" + databaseName,
++useSSL ? "useSSL=true" : null,
++null
++);
++} catch (URISyntaxException e) {
++throw new IllegalArgumentException(e);
++}
++}
+ }
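Review bot: In `toURI()`, `"jdbc:" + databaseType.toLowerCase()` puts `databaseType` into the scheme argument without any check and lower-cases it with the default locale; a null type would also surface as a NullPointerException instead of the IllegalArgumentException the method uses for other bad input. Suggest validating `databaseType` against the supported types before building the URI and using `toLowerCase(Locale.ROOT)`. The method also carries no comment on why it exists; a short Javadoc stating that host, port and database name go through the multi-argument `URI` constructor so that characters illegal in each component are quoted would help keep later changes from bypassing it.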
+diff --git 
a/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java
 
b/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java
+index 4af014a..04c7dc8 100644
+--- 
a/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java
 
b/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java
+@@ -139,7 +139,7 @@ public class MariaDBConnectionManager {
+ 
+ Class.forName(type.getClassPath());
+ DriverManager.setLoginTimeout(10);
+-String dbURL = getDatabaseUrl(databaseConfiguration);
++String dbURL = databaseConfiguration.toURI().toString();
+ connection = DriverManager.getConnection(dbURL, 
databaseConfiguration.getDatabaseUser(),
+ databaseConfiguration.getDatabasePassword());
+ 
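Review bot: At `String dbURL = databaseConfiguration.toURI().toString();`, `toURI()` can throw an unchecked IllegalArgumentException (it wraps URISyntaxException in the DatabaseConfiguration hunk), and the visible context does not show it being caught. Check that the enclosing method turns it into the same connection error it reports for other failures, so a malformed host or database name produces a clean error and not an unhandled exception. The diffstat lists changes to the MySQL, PgSQL and SQLite managers as well, so the same check applies wherever they call `toURI()`.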
+@@ -173,14 +173,4 @@ public class MariaDBConnectionManager {
+ }
+  
+ }
+-
+-
+-   
+-private static String getDatabaseUrl(DatabaseConfiguration dbConfig) {

Bug#1006292: bullseye-pu: package plasma-discover/5.20.5-3

2023-10-04 Thread Adam D. Barratt
Hi,

On Mon, 2023-10-02 at 19:05 +0200, Patrick Franz wrote:
> Hi,
> 
> On Monday, 2 October 2023, 19:04:00 CEST, Jonathan Wiltshire wrote:
> > Ping on this? It's urgent given the point release is planned for
> > the
> > coming weekend, and we're currently unsure if the related fix is
> > safe
> > to release without this one. If there's no answer we'll have to
> > play
> > safe and hold plasma-desktop back until the next cycle as well.
> 
> Thanks for the ping. I'll try to get it done tomorrow or the day
> after.

Thanks, but it's too late to get the updated package accepted for the
11.8 point release now in any case.

The question that remains from Jonathan's mail is - is it OK to include
the plasma-desktop and knewstuff updates without plasma-discover, or
should those be held back until plasma-discover is ready, and all three
released at the same time?

Regards,

Adam



NEW changes in oldstable-new

2023-10-04 Thread Debian FTP Masters
Processing changes file: debian-installer-netboot-images_20210731+deb11u9_all-buildd.changes
  ACCEPT



NEW changes in oldstable-new

2023-10-04 Thread Debian FTP Masters
Processing changes file: debian-installer-netboot-images_20210731+deb11u9_source.changes
  ACCEPT