Bug#1068017: Y2038-safe replacements for utmp/wtmp and lastlog
On Fri, Apr 26, 2024 at 08:06:15PM +0100, RL wrote:
> the chkrootkit package provides several utilities for examining some of
> these files: chkutmp chkwtmp and check_wtmpx and chklastlog [a] -- it does
> not use pam but reads the files in /var/log
>
> How would I test these against the new files - I assume the new versions
> are compatible but might need bigger variables in those utilities?

As briefly mentioned on the wiki page, TTBOMK the new files are sqlite3 databases.

> https://salsa.debian.org/pkg-security-team/chkrootkit

I took a quick look, but I'm not sure which of the checks would be applicable. For checks that do not rely on the implications of the old file structure, you can probably use libwtmpdb or use libsqlite3-0 directly.

Chris
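The kind of consistency check a chkwtmp-style tool could run once the login records live in an sqlite3 database, as an added example that is not part of the original message and is not chkrootkit or wtmpdb code. The table and column names are an assumption modelled on wtmpdb's schema, and the rows are constructed sample data.

```python
import sqlite3

# ASSUMPTION: table/column names modelled on wtmpdb's schema (not given in
# the thread); times are microseconds since the epoch. Verify on a real file.
SCHEMA = """CREATE TABLE wtmp(ID INTEGER PRIMARY KEY, Type INTEGER,
    User TEXT NOT NULL, Login INTEGER, Logout INTEGER,
    TTY TEXT, RemoteHost TEXT, Service TEXT)"""

# Constructed sample rows: ID 3 is absent, ID 4 logs out before it logs in.
SAMPLE = [
    (1, 3, "alice", 1714000000000000, 1714003600000000, "pts/0", "192.0.2.10", "sshd"),
    (2, 3, "bob", 1714004000000000, 1714005000000000, "pts/1", "192.0.2.11", "sshd"),
    (4, 3, "alice", 1714009000000000, 1714008000000000, "pts/0", "192.0.2.10", "sshd"),
    (5, 3, "carol", 1714010000000000, None, "tty1", None, "login"),
]

def build_sample_db():
    """In-memory database holding the constructed rows above."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO wtmp VALUES (?,?,?,?,?,?,?,?)", SAMPLE)
    return db

def check_wtmp(db):
    """Return (kind, ID) findings for records that look tampered with."""
    findings = []
    rows = db.execute("SELECT ID, Login, Logout FROM wtmp ORDER BY ID").fetchall()
    for (prev_id, prev_login, _), (rid, login, _) in zip(rows, rows[1:]):
        # SQLite normally assigns max(ID)+1, so a hole inside the sequence
        # suggests a record was removed after it was written.
        findings += [("missing-id", m) for m in range(prev_id + 1, rid)]
        # Records are appended at login, so Login should never go backwards.
        if login < prev_login:
            findings.append(("login-time-regression", rid))
    for rid, login, logout in rows:
        # Open sessions have a NULL Logout; closed ones must end after start.
        if logout is not None and logout < login:
            findings.append(("logout-before-login", rid))
    return findings

if __name__ == "__main__":
    for kind, rid in check_wtmp(build_sample_db()):
        print(f"{kind}: ID {rid}")
```

To inspect a real database, open it read-only with `sqlite3.connect("file:<path>?mode=ro", uri=True)` and pass the connection to `check_wtmp`.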
Processed: tagging 1066842, retitle 1066842 to bookworm-pu: package extrepo-data/1.0.3+deb12u1
Processing commands for cont...@bugs.debian.org:

> tags 1066842 + confirmed
Bug #1066842 [release.debian.org] Updating extrepo-offline-data in Debian Stable
Added tag(s) confirmed.
> retitle 1066842 bookworm-pu: package extrepo-data/1.0.3+deb12u1
Bug #1066842 [release.debian.org] Updating extrepo-offline-data in Debian Stable
Changed Bug title to 'bookworm-pu: package extrepo-data/1.0.3+deb12u1' from 'Updating extrepo-offline-data in Debian Stable'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
1066842: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066842
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1066842: Updating extrepo-offline-data in Debian Stable (debdiff)
On Tue, Apr 23, 2024 at 09:10:54AM +0200, Thomas Goirand wrote: > diff -Nru extrepo-data-1.0.3/debian/changelog > extrepo-data-1.0.3+deb12u1+1/debian/changelog > --- extrepo-data-1.0.3/debian/changelog 2022-10-13 16:27:28.0 > +0200 > +++ extrepo-data-1.0.3+deb12u1+1/debian/changelog 2024-04-23 > 09:03:00.0 +0200 > @@ -1,3 +1,10 @@ > +extrepo-data (1.0.3+deb12u1+1) bookworm; urgency=medium > + > + * Update the repo data from the Debian unstable branch. > + * Fix d/copyright mime syntax. > + > + -- Thomas Goirand Tue, 23 Apr 2024 09:03:00 +0200

There's a stray "+1" in the version, should be 1.0.3+deb12u1.

Is this actually a backport of current unstable though? In which case it should include the changelog from 1.0.4 and be 1.0.4~deb12u1.

With one fix or the other, go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
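Review bot: The changelog bullet "Update the repo data from the Debian unstable branch" in the quoted debian/changelog hunk does not say which unstable version or commit the data was taken from. Since the entry is the only record of what repo data lands in stable, suggest naming the source version there so the imported data can be audited against it.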
Processed: bullseye-pu: package emacs/27.1+1-3.1+deb11u3
Processing control commands:

> affects -1 + src:emacs
Bug #1069943 [release.debian.org] bullseye-pu: package emacs/27.1+1-3.1+deb11u3
Added indication that 1069943 affects src:emacs

--
1069943: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069943
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Re: Making trixie debootstrap-able again?
hi kibi,

fwiw, bootstrapping trixie still works using mmdebstrap, while it fails with debootstrap and cdebootstrap.

I've notified #-release about the debootstrap breakage on the 24th and added that mmdebstrap was still working on the 25th...

https://jenkins.debian.net/job/reproducible_mmdebstrap_trixie/ etc show this nicely.

--
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

If it feels like we’re breaking climate records every year, it’s because we are.
Bug#1069933: bookworm-pu: package emacs/1:28.2+1-15+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: em...@packages.debian.org
Control: affects -1 + src:emacs

This is a security update for CVEs marked no-dsa by the secteam. It backports a series of upstream commits for CVE-2024-30202, CVE-2024-30203, CVE-2024-30204 and CVE-2024-30205.

I had to backport a feature that the fixes use to pop up a dialog asking the user about the potentially unsafe remote resources. This involves only localised code changes, and is already two years old, so has received an adequate amount of testing upstream.

I manually tested the fixes using reproducers provided in the BTS and from upstream. The fixes are already in unstable.

I have uploaded to stable-pu.

--
Sean Whitton

diff -Nru emacs-28.2+1/debian/changelog emacs-28.2+1/debian/changelog --- emacs-28.2+1/debian/changelog 2023-05-13 21:17:27.0 +0100 +++ emacs-28.2+1/debian/changelog 2024-04-27 10:49:04.0 +0100 @@ -1,3 +1,10 @@ +emacs (1:28.2+1-15+deb12u1) bookworm; urgency=high + + * Fix CVE-2024-30202, CVE-2024-30203, CVE-2024-30204 & CVE-2024-30205 +(Closes: #1067630). + + -- Sean Whitton Sat, 27 Apr 2024 10:49:04 +0100 + emacs (1:28.2+1-15) unstable; urgency=medium * emacs-common: add breaks/replaces emacs-bin-common (<< 1:28) since the diff -Nru emacs-28.2+1/debian/.git-dpm emacs-28.2+1/debian/.git-dpm --- emacs-28.2+1/debian/.git-dpm2023-03-31 19:22:32.0 +0100 +++ emacs-28.2+1/debian/.git-dpm2024-04-27 10:49:04.0 +0100 
@@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -023ac1eff558f6fb387fea1629b084c8929de18d -023ac1eff558f6fb387fea1629b084c8929de18d +1c0b3e5ae5cef71210b094bfd1f8582efe3a7b90 +1c0b3e5ae5cef71210b094bfd1f8582efe3a7b90 279b82e64e15b5e2df3cb522636c6db85a8ee659 279b82e64e15b5e2df3cb522636c6db85a8ee659 emacs_28.2+1.orig.tar.xz diff -Nru emacs-28.2+1/debian/.gitignore emacs-28.2+1/debian/.gitignore --- emacs-28.2+1/debian/.gitignore 1970-01-01 01:00:00.0 +0100 +++ emacs-28.2+1/debian/.gitignore 2024-04-27 10:49:04.0 +0100 
@@ -0,0 +1,81 @@ +*~ +.\#* +/*-stamp +/.debhelper/ +/build-gtk/ +/build-lucid/ +/build-nox/ +/build-src/ +/build-x/ +/elgz-canary +/elgz-info +/emacs +/emacs-bin-common +/emacs-bin-common.README.Debian +/emacs-bin-common.debhelper.log +/emacs-bin-common.lintian-overrides +/emacs-bin-common.postinst +/emacs-bin-common.postrm +/emacs-bin-common.prerm +/emacs-bin-common.substvars +/emacs-common +/emacs-common.README.00 +/emacs-common.README.01 +/emacs-common.README.Debian +/emacs-common.debhelper.log +/emacs-common.docs +/emacs-common.links +/emacs-common.lintian-overrides +/emacs-common.postinst +/emacs-common.postinst.debhelper +/emacs-common.postrm.debhelper +/emacs-common.prerm +/emacs-common.prerm.debhelper +/emacs-common.substvars +/emacs-el +/emacs-el.debhelper.log +/emacs-el.prerm +/emacs-el.substvars +/emacs-gtk +/emacs-gtk.README.Debian +/emacs-gtk.debhelper.log +/emacs-gtk.desktop +/emacs-gtk.links +/emacs-gtk.lintian-overrides +/emacs-gtk.menu +/emacs-gtk.postinst +/emacs-gtk.postinst.debhelper +/emacs-gtk.postrm +/emacs-gtk.postrm.debhelper +/emacs-gtk.prerm +/emacs-gtk.substvars +/emacs-lucid +/emacs-lucid.README.Debian +/emacs-lucid.debhelper.log +/emacs-lucid.desktop +/emacs-lucid.lintian-overrides +/emacs-lucid.menu +/emacs-lucid.postinst +/emacs-lucid.postinst.debhelper +/emacs-lucid.postrm.debhelper +/emacs-lucid.prerm +/emacs-lucid.substvars +/emacs-nox +/emacs-nox.README.Debian +/emacs-nox.debhelper.log +/emacs-nox.desktop +/emacs-nox.links +/emacs-nox.lintian-overrides +/emacs-nox.menu +/emacs-nox.postinst +/emacs-nox.postinst.debhelper +/emacs-nox.postrm +/emacs-nox.postrm.debhelper +/emacs-nox.prerm +/emacs-nox.substvars +/emacs.debhelper.log +/emacs.substvars +/files +/stamp-configured +/tmp-alt-list +\#*\# diff -Nru emacs-28.2+1/debian/patches/0029-org-macro-set-templates-Prevent-code-evaluation.patch emacs-28.2+1/debian/patches/0029-org-macro-set-templates-Prevent-code-evaluation.patch --- 
emacs-28.2+1/debian/patches/0029-org-macro-set-templates-Prevent-code-evaluation.patch 1970-01-01 01:00:00.0 +0100 +++ emacs-28.2+1/debian/patches/0029-org-macro-set-templates-Prevent-code-evaluation.patch 2024-04-27 10:49:04.0 +0100 @@ -0,0 +1,44 @@ +From d9bd61923515607fcc7ada4ba66b7e58e8ba00d9 Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko +Date: Tue, 20 Feb 2024 12:19:46 +0300 +Subject: org-macro--set-templates: Prevent code evaluation + +* lisp/org/org-macro.el (org-macro--set-templates): Get rid of any +risk to evaluate code when `org-macro--set-templates' is called as a +part of major mode initialization. This way, no code evaluation is +ever triggered when user merely opens the file or when +`mm-display-org-inline' invokes Org major mode to fontify mime part +preview in email messages. + +(cherry picked from commit
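Review bot: The single bullet in the debian/changelog hunk, "Fix CVE-2024-30202, CVE-2024-30203, CVE-2024-30204 & CVE-2024-30205", does not mention the backported remote-resource confirmation dialog that the cover message says the fixes depend on. Someone reading only the changelog would not learn that new user-visible behaviour arrives with this stable update; suggest adding a bullet that names the backported feature and, ideally, which entry under debian/patches addresses which CVE.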
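Review bot: The debian/.gitignore hunk (@@ -0,0 +1,81 @@) adds a new 81-line file that is unrelated to the four CVE fixes and is not mentioned in the changelog entry. It looks like a packaging-repository file that slipped into the source package; for a stable update where the diff should stay minimal, suggest either dropping it from the upload or stating in the changelog that it is included deliberately.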
Processed: bookworm-pu: package emacs/1:28.2+1-15+deb12u1
Processing control commands:

> affects -1 + src:emacs
Bug #1069933 [release.debian.org] bookworm-pu: package emacs/1:28.2+1-15+deb12u1
Added indication that 1069933 affects src:emacs

--
1069933: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069933
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1067544: bullseye-pu: libmicrohttpd/0.9.72-2+deb11u1.debdiff
Hi Jonathan,

On 22.04.24 18:59, Jonathan Wiltshire wrote:
> Please go ahead.

great, thanks ...
... and uploaded.

Thorsten
Bug#1064550: bullseye-pu: libjwt/1.10.2-1+deb11u1
Hi Jonathan,

On 22.04.24 19:10, Jonathan Wiltshire wrote:
> Please go ahead.

great, thanks ...
... and uploaded.

Thorsten
Bug#1069929: transition: erlang
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: erl...@packages.debian.org
Control: affects -1 + src:erlang

Hi release team!

I'd like to update Erlang for trixie to new major release Erlang 27 which is due in upcoming May or June. Since currently Erlang 25 is in Debian (two major releases short) I expect some failures of rebuilding existing packages (Erlang 27 introduces new expressions, removes some deprecated functions etc.). I've already uploaded erlang 1:27.0+dfsg~rc3 to experimental for testing and started to check if the affected packages build (at least).

My plan is the following:

1. Finish testing all the reverse dependencies with rc3 and upcoming 1:27.0+dfsg, file bugreports.

2. Erlang 27 build depends on a few packages which aren't in testing or even in Debian yet:

   * autoconf (>= 2.72), it is in experimental at the moment, see [1]
   * node-fontsource-inconsolata, node-fontsource-lato,
   * node-fontsource-merriweather, they are used to build documentation (currently Erlang in experimental is built without docs) and sit in NEW (see [2], [3], [4]). By the way is this normal that they are in NEW for two months without any resolution?

3. So after these packages clear unstable, and after 1:27.0.1 is out (June or July 2024), I'll upload Erlang to unstable and likely do a bunch of NMUs to fix remaining bugs. It will be necessary to do quite a few bin-NMUs also.
Here is the list of affected packages with short comments where I did some testing:

# Broken (not in testing)

averell
ejabberd
ejabberd-contrib (builds fine, depends on ejabberd)
erlang-cowboy
erlang-p1-pgsql (builds fine, depends on erlang-p1-xml)
erlang-ranch
erlang-p1-xmpp (builds fine, depends on erlang-p1-xml)
erlang-p1-xml

# Broken (need patching/updating)

erlang-bbmustache
erlang-jiffy
erlang-luerl
erlang-p1-pkix
erlang-p1-sqlite3
erlang-p1-tls
erlang-p1-utils
kamailio (uses only C interface to Erlang, FTBFS is unrelated to Erlang)
mochiweb (fix of rebar3 dependencies should help)
elixir (patch is ready, also upcoming 1.17 will support Erlang 27 explicitly)
rebar3 (updating to 3.23.0 works, have to update dependencies, e.g. erlang-inets is missing for 27)
wings3d (patch is ready)
yaws (patch is ready)

# Broken (need elixir and likely patching/updating)

erlang-hex
rabbitmq-server

# Build as is

erlang-asciideck
erlang-base64urls
erlang-bear
erlang-bitsack
erlang-cf
erlang-cl
erlang-cowlib
erlang-cuttlefish
erlang-erlware-commons
erlang-folsom
erlang-getopt
erlang-goldrush
erlang-horse
erlang-idna
erlang-jose
erlang-lager
erlang-meck
erlang-metrics
erlang-mimerl
erlang-p1-acme
erlang-p1-cache-tab
erlang-p1-eimp
erlang-p1-iconv
erlang-p1-mqtree
erlang-p1-mysql
erlang-p1-oauth2
erlang-p1-pam
erlang-p1-sip
erlang-p1-stringprep
erlang-p1-stun
erlang-p1-yaml
erlang-p1-yconf
erlang-p1-zlib
erlang-poolboy
erlang-proper
erlang-redis-client
erlang-unicode-util-compat
erlang-uuid
manderlbot
neotoma
rebar
sonic-pi
tsung

[1] https://tracker.debian.org/pkg/autoconf
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065253
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065254
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065256

The Ben file below should correctly determine the affected packages, but definitely does not cover all possible cases of bad and good packages (some of them require elixir instead of erlang-base, for example)

Ben file:

title = "erlang";
is_affected = .build-depends ~ /dh-rebar|erlang-dev|erlang-base|rebar|rebar3/;
is_good = .depends ~ /erlang-base (>= 1:27/;
is_bad = .depends ~ /erlang-base (>= 1:(1|2[0-6])/;

--
Sergei Golovan
Processed: transition: erlang
Processing control commands:

> affects -1 + src:erlang
Bug #1069929 [release.debian.org] transition: erlang
Added indication that 1069929 affects src:erlang

--
1069929: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069929
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems