Bug#1060103: transition: imagemagick7

2024-06-02 Thread Bastien Roucariès
On Sunday, 2 June 2024, 11:17:33 UTC, Sebastian Ramacher wrote:
> On 2024-02-02 17:21:43 +0000, Bastien Roucariès wrote:
> > On Friday, 2 February 2024, 16:53:10 UTC, Sebastian Ramacher wrote:
> > > Control: tags -1 moreinfo
> > > 
> > > Hi Bastien
> > > 
> > > On 2024-01-05 22:35:44 +, Bastien Roucariès wrote:
> > > > Package: release.debian.org
> > > > Severity: important
> > > > User: release.debian@packages.debian.org
> > > > Usertags: transition
> > > > X-Debbugs-CC: ftpmas...@debian.org
> > > > 
> > > > Imagemagick will need a new major bump
> > > > 
> > > > I managed to get imagemagick 7 to build for experimental (it is only on
> > > > salsa, not uploaded yet).
> > > > 
> > > > Every package includes a version in the package name (except the legacy
> > > > package names and perl*), so I plan to do a step-by-step migration,
> > > > because it is mainly co-installable with imagemagick 6.
> > > 
> > > Why does this migration require co-installability with the old version?
> > > This makes the transition overly complicated. Do you expect major
> > > changes required in reverse dependencies of imagemagick's shared
> > > library?
> > 
> > The problem is not the library but the command-line interface, which may
> > need changes.
> > 
> > The library will break (I am thinking here of the PHP module, which will
> > need an update), but it can be dealt with.
> > 
> > convert6 is not fully compatible with convert7
> > 
> > convert6 will be co-installable with convert7 in order to test, and convert
> > will be provided by the alternatives system.
> 
> If they are not fully compatible, then alternatives are not an option.

They are 95% compatible

> How many packages are we talking about? Have bugs been filed for
> packages that are not compatible with convert7?

The problem is a chicken-and-egg problem: if you cannot test, you cannot
report bugs.
At least both should be in experimental to run a full archive rebuild.

Note also that imagemagick6 is supported upstream only until 2027... So we
should migrate to 7.

That is why I think my way is a good way.

SUSE and Red Hat have transitioned; see
https://fedoraproject.org/wiki/Changes/ImageMagick7

The discussion points to at least these being broken on Red Hat:
* autotrace - plan to notify upstream
* dvdauthor - point to GraphicsMagick or IM6, plan to notify upstream
* q - dead upstream, planned to point to IM6
* vdr-skinnopacity - current upstream dead, plan to notify new upstream
* vdr-tvguide - plan to notify upstream

We could also drop imagemagick6 and use GraphicsMagick if needed, but it
introduces other problems.

Thanks

Bastien
> 
> Cheers
> 





Bug#1071449: bookworm-pu: package sendmail/8.17.1.9-2+deb12u1

2024-05-19 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: sendm...@packages.debian.org
Control: affects -1 + src:sendmail
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
sendmail was affected by CVE-2023-51765

[ Impact ]
Closes CVE-2023-51765 and rejects mail containing NUL bytes

[ Tests ]
CVE-2023-51765 fix was tested manually and cross checked

[ Risks ]
The code is complex, and rejecting NUL is slightly non-conformant with the RFC.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Fix CVE-2023-51765 (Closes: #1059386):
sendmail allowed SMTP smuggling in certain configurations.
Remote attackers can use a published exploitation
technique to inject e-mail messages with a spoofed
MAIL FROM address, allowing bypass of an SPF protection
mechanism. This occurs because sendmail supports
. but some other popular e-mail servers
do not. This is resolved with 'o' in srv_features.
  * Enable _FFR_REJECT_NUL_BYTE for rejecting mail that
includes a NUL byte
  * By default, enable rejecting mail that includes a NUL byte:
set confREJECT_NUL to 'true' by default.
Users can disable this by setting confREJECT_NUL to false.
(Closes: #1070190). Closes a variant of CVE-2023-51765,
aka SMTP smuggling.


[ Other info ]
No regression bugs in sid/trixie for at least two weeks.
diff -Nru sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in
--- sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in	2023-01-11 22:26:28.0 +
+++ sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in	2024-05-13 18:44:56.0 +
@@ -65,6 +65,9 @@
 dnl #
 define(`confDEF_USER_ID', `mail:mail')dnl
 dnl #
+ifelse(eval(index(sm_ffr, `-D_FFR_REJECT_NUL_BYTE') >= 0), `1',dnl
+`define(`confREJECT_NUL',`true')')dnl
+dnl #
 dnl #-
 dnl # mailer paths and options
 dnl #-
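Review bot: the new default only takes effect if `sm_ffr` is expanded into this template before m4 sees it. `sm_ffr` is a shell variable in debian/configure.ac (the hunk further down appends `-D_FFR_REJECT_NUL_BYTE` to it); if configure does not substitute it into debian.m4.in, `index(sm_ffr, ...)` runs on the literal token, returns -1, and confREJECT_NUL silently stays unset, contradicting the changelog claim that it is 'true' by default. Either verify the generated debian.m4 at build time (grep it for confREJECT_NUL) or, since the flag is now always compiled in, define it unconditionally: `define(`confREJECT_NUL',`true')dnl`.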
diff -Nru sendmail-8.17.1.9/debian/changelog sendmail-8.17.1.9/debian/changelog
--- sendmail-8.17.1.9/debian/changelog	2023-01-11 22:26:28.0 +
+++ sendmail-8.17.1.9/debian/changelog	2024-05-13 18:44:56.0 +
@@ -1,3 +1,24 @@
+sendmail (8.17.1.9-2+deb12u1) bookworm-security; urgency=high
+
+  * QA upload
+  * Fix CVE-2023-51765 (Closes: #1059386):
+sendmail allowed SMTP smuggling in certain configurations.
+Remote attackers can use a published exploitation
+technique to inject e-mail messages with a spoofed
+MAIL FROM address, allowing bypass of an SPF protection
+mechanism. This occurs because sendmail supports
+. but some other popular e-mail servers
+do not. This is resolved with 'o' in srv_features.
+  * Enable _FFR_REJECT_NUL_BYTE for rejecting mail that
+include NUL byte
+  * By default enable rejecting mail that include NUL byte.
+set confREJECT_NUL to 'true' by default .
+User could disable by setting confREJECT_NUL to false.
+(Closes: #1070190). Close a variant of CVE-2023-51765
+aka SMTP smuggling.
+
+ -- Bastien Roucari??s   Mon, 13 May 2024 18:44:56 +
+
 sendmail (8.17.1.9-2) unstable; urgency=medium
 
   * QA upload.
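Review bot: the distribution in the new entry is `bookworm-security`, but this is a bookworm-pu request (Tags: bookworm, Usertags: pu); an upload through proposed-updates must target `bookworm` or it will be rejected. Also the sentence 'sendmail supports . but some other popular e-mail servers do not' has lost the end-of-data sequence it is meant to name (only a lone '.' remains); write the sequence out with its control characters escaped so the changelog explains the actual defect.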
diff -Nru sendmail-8.17.1.9/debian/configure.ac sendmail-8.17.1.9/debian/configure.ac
--- sendmail-8.17.1.9/debian/configure.ac	2023-01-11 22:26:28.0 +
+++ sendmail-8.17.1.9/debian/configure.ac	2024-05-13 18:44:56.0 +
@@ -466,6 +466,7 @@
 sm_envdef="$sm_envdef -DHASFLOCK=1";
 sm_libsm_envdef="$sm_libsm_envdef -DHAVE_NANOSLEEP=1";
 sm_ffr="$sm_ffr -D_FFR_QUEUE_SCHED_DBG"; # %% TESTING 
+sm_ffr="$sm_ffr -D_FFR_REJECT_NUL_BYTE";
 #
 # version specific setup
 if test "$sm_version_major" = "8.17"; then
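Review bot: the new flag is appended directly after a line commented `# %% TESTING` and carries no comment of its own; add one naming CVE-2023-51765 / #1070190 so the next maintainer does not mistake `_FFR_REJECT_NUL_BYTE` (an upstream 'for future release' switch) for a leftover debugging option, and note that the runtime opt-out is confREJECT_NUL in sendmail.mc.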
diff -Nru sendmail-8.17.1.9/debian/NEWS.Debian sendmail-8.17.1.9/debian/NEWS.Debian
--- sendmail-8.17.1.9/debian/NEWS.Debian	1970-01-01 00:00:00.0 +
+++ sendmail-8.17.1.9/debian/NEWS.Debian	2024-05-13 18:44:56.0 +
@@ -0,0 +1,19 @@
+sendmail (8.17.1.9-2+deb12u1) bookworm-security; urgency=medium
+
+  Sendmail was affected by SMTP smurgling (CVE-2023-51765).
+  Remote attackers can use a published exploitation technique
+  to inject e-mail messages with a spoofed MAIL FROM address,
+  allowing bypass of an SPF protection mechanism.
+  This occurs because sendmail supports some combinaison of
+  .
+  .
+  This particular injection vulnerability has been closed,
+  unfortunatly full closure need to reject mail that
+  contain NUL.
+  .
+  This is slighly non conformant with RFC and could
+  be opt-out by setting confREJECT_NUL to 'false'
+  in sendmail.mc file.
+
+ -- Bastien Roucari??s   Sun, 12 May 2024 19:38:09 +
+
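Review bot: this entry is what apt-listchanges shows administrators, and it has typos in user-facing text: 'smurgling' should be 'smuggling', 'combinaison' should be 'combination', 'unfortunatly' should be 'unfortunately', 'slighly' should be 'slightly'. The sentence 'sendmail supports some combinaison of' is followed by two bare '.' lines where the end-of-data sequences should be, so the reader cannot tell what was changed. The distribution is again `bookworm-security` (needs to be `bookworm` for a pu) and urgency=medium here versus urgency=high in debian/changelog. State plainly that messages containing a NUL byte are now rejected by default and give the exact opt-out, `define(`confREJECT_NUL', `false')` in sendmail.mc.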
diff -Nru sendmail-8.17.1.9/debian/patches/0024-CVE-2023-51765.patch sendmail-8.17.1.9/debian/patches/0024-CVE-2023-51765.patch

Bug#1071417: bullseye-pu: package fossil/2.15.2-1+deb11u1

2024-05-18 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: fos...@packages.debian.org
Control: affects -1 + src:fossil
User: release.debian@packages.debian.org
Usertags: pu

This bug was opened by prior arrangement with the maintainer.

[ Reason ]
fossil is affected by a regression caused by the apache security update for
CVE-2024-24795. A backport was chosen because upstream does not document all
the commits needed to fix the regression.

[ Impact ]
Fossil is broken, at least the server part.

[ Tests ]
Full upstream test suite

[ Risks ]
Broken fossil

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Cherry-picked and backported fix

[ Other info ]
None
diff -Nru fossil-2.15.2/debian/changelog fossil-2.15.2/debian/changelog
--- fossil-2.15.2/debian/changelog	2021-06-15 09:55:20.0 +
+++ fossil-2.15.2/debian/changelog	2024-05-14 21:29:39.0 +
@@ -1,3 +1,13 @@
+fossil (1:2.15.2-1+deb11u1) bullseye; urgency=medium
+
+  * Non maintainer fix with acknowlegment by maintainer.
+  * Cherry-pick fix f4ffefe708793b03 for CVE-2024-24795 and add
+"Breaks: apache2 (<< 2.4.59-1~)" to stage fix; see
+https://bz.apache.org/bugzilla/show_bug.cgi?id=68905
+(closes: #1070069)
+
+ -- Bastien Roucari??s   Tue, 14 May 2024 21:29:39 +
+
 fossil (1:2.15.2-1) unstable; urgency=high
 
   * New upstream version, announcement (expurgated) says:
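Review bot: 'Cherry-pick fix f4ffefe708793b03 for CVE-2024-24795' reads as though fossil itself were vulnerable to CVE-2024-24795; per the [Reason] section this is a regression caused by apache2's fix for that CVE, so word it as 'fix regression with apache2 >= 2.4.59 (CVE-2024-24795 fix)' to keep the security tracker from listing fossil as affected. The entry also mentions only `Breaks: apache2`, while the debian/control hunk adds both apache2 and apache2-bin.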
diff -Nru fossil-2.15.2/debian/control fossil-2.15.2/debian/control
--- fossil-2.15.2/debian/control	2021-04-07 08:12:51.0 +
+++ fossil-2.15.2/debian/control	2024-05-14 21:29:39.0 +
@@ -22,6 +22,7 @@
 Architecture: any
 Multi-Arch: foreign
 Depends: libtcl8.6 | libtcl, ${misc:Depends}, ${shlibs:Depends}
+Breaks: apache2 (<< 2.4.59-1~), apache2-bin (<< 2.4.59-1~)
 Suggests: gnupg | gnupg2
 Description: DSCM with built-in wiki, http interface and server, tickets database
  Fossil is an easy-to-use Distributed Source Control Management system
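Review bot: the Breaks is in the opposite direction from the incompatibility described in the bug: it is the old fossil that fails behind apache2 >= 2.4.59, not the new fossil behind an older apache2 (the cgi.c patch handles both a present and a missing CONTENT_LENGTH). As written it forces apache2 to be upgraded together with fossil, which is presumably the intent per #1070069, but a reader of debian/control will conclude the new fossil needs 2.4.59; add a comment in debian/control or a sentence in the changelog saying this is an upgrade-ordering aid.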
diff -Nru fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch
--- fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch	1970-01-01 00:00:00.0 +
+++ fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch	2024-05-14 21:29:39.0 +
@@ -0,0 +1,361 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= 
+Date: Tue, 14 May 2024 21:23:16 +
+Subject: Deal with the missing Content-Length field
+
+fix regression of CVE-2024-24795
+
+bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=68905
+origin: https://fossil-scm.org/home/vpatch?from=9c40ddbcd182f264=a8e33fb161f45b65
+---
+ src/cgi.c   | 43 -
+ src/clone.c | 14 +++-
+ src/http.c  | 71 +
+ src/main.c  | 14 ++--
+ src/xfer.c  |  1 +
+ 5 files changed, 121 insertions(+), 22 deletions(-)
+
+diff --git a/src/cgi.c b/src/cgi.c
+index d47575b..aade0fb 100644
+--- a/src/cgi.c
 b/src/cgi.c
+@@ -1034,7 +1034,7 @@ void cgi_trace(const char *z){
+ }
+ 
+ /* Forward declaration */
+-static NORETURN void malformed_request(const char *zMsg);
++static NORETURN void malformed_request(const char *zMsg, ...);
+ 
+ /*
+ ** Initialize the query parameter database.  Information is pulled from
+@@ -1080,6 +1080,7 @@ void cgi_init(void){
+   const char *zRequestUri = cgi_parameter("REQUEST_URI",0);
+   const char *zScriptName = cgi_parameter("SCRIPT_NAME",0);
+   const char *zPathInfo = cgi_parameter("PATH_INFO",0);
++  const char *zContentLength = 0;
+ #ifdef _WIN32
+   const char *zServerSoftware = cgi_parameter("SERVER_SOFTWARE",0);
+ #endif
+@@ -1186,7 +1187,15 @@ void cgi_init(void){
+ g.zIpAddr = fossil_strdup(z);
+   }
+ 
+-  len = atoi(PD("CONTENT_LENGTH", "0"));
++  zContentLength = P("CONTENT_LENGTH");
++  if( zContentLength==0 ){
++len = 0;
++if( sqlite3_stricmp(PD("REQUEST_METHOD",""),"POST")==0 ){
++  malformed_request("missing CONTENT_LENGTH on a POST method");
++}
++  }else{
++len = atoi(zContentLength);
++  }
+   zType = P("CONTENT_TYPE");
+   zSemi = zType ? strchr(zType, ';') : 0;
+   if( zSemi ){
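Review bot: `len = atoi(zContentLength)` still accepts a malformed or negative Content-Length silently: `atoi("abc")` yields 0 and `atoi("-1")` yields -1, and an out-of-range value is undefined behaviour in C. Since the hunk already introduces malformed_request() for the missing-header case, parse with strtol, require the whole string to be digits and non-negative, and call `malformed_request("invalid CONTENT_LENGTH")` on anything else, so a bogus header is rejected as loudly as a missing one.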
+@@ -1593,11 +1602,22 @@ void cgi_vprintf(const char *zFormat, va_list ap){
+ /*
+ ** Send a reply indicating that the HTTP request was malformed
+ */
+-static NORETURN void malformed_request(const char *zMsg){
+-  cgi_set_status(501, "Not Implemented");
+-  cgi_printf(
+-"Bad Request: %s\n", zMsg
+-  );
++static NORETURN void malformed_request(const char *zMsg, ...){
++  va_list ap;
++  char *z;
++  va_start(ap, zMsg);
++  z = vmprintf(zMsg, ap);
++  va_end(ap);
++  cgi_set_status(400, "Bad Request");
++  zContentType = "text/plain";
++  if( 
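Review bot: switching from 501 Not Implemented to 400 Bad Request and forcing `zContentType = "text/plain"` is the right response for a client error, but the hunk is cut off at `if(` here, so the branch that follows cannot be reviewed; make sure the buffer `z` returned by vmprintf() is released on every path, since the function is NORETURN and will not give the caller a chance to free it.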

Bug#1070998: bookworm-pu: package fossil/2.24-5~deb11u1

2024-05-12 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: fos...@packages.debian.org
Control: affects -1 + src:fossil
User: release.debian@packages.debian.org
Usertags: pu

This bug was opened by prior arrangement with the maintainer.

[ Reason ]
fossil is affected by a regression caused by the apache security update for
CVE-2024-24795. A backport was chosen because upstream does not document all
the commits needed to fix the regression.

[ Impact ]
Fossil is broken, at least the server part.

[ Tests ]
Full upstream test suite

[ Risks ]
Broken fossil

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Backport from sid. There is no incompatibility, and this is an upstream maintenance
and fix-only version.

[ Other info ]
I have not attached the debdiff against bookworm, because the fix is a backport
from sid. The debdiff against sid is attached instead.
diff -Nru fossil-2.24/debian/changelog fossil-2.24/debian/changelog
--- fossil-2.24/debian/changelog	2024-04-30 14:32:05.0 +
+++ fossil-2.24/debian/changelog	2024-05-07 19:26:27.0 +
@@ -1,3 +1,10 @@
+fossil (1:2.24-6~deb12u1) bookworm; urgency=medium
+
+  * Non maintainer upload with acknowledgement by maintainer
+  * Backport to bookworm
+
+ -- Bastien Roucari??s   Tue, 07 May 2024 19:26:27 +
+
 fossil (1:2.24-6) unstable; urgency=medium
 
   * Add "Breaks: apache2-bin (<< 2.4.59-1~)" per #1070069 discussion.
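Review bot: the entry 'Backport to bookworm' does not say what changes relative to the fossil currently in bookworm; the [Changes] section says upstream maintenance fixes plus the `Breaks: apache2-bin (<< 2.4.59-1~)` from 1:2.24-6, and the point-release notes are generated from d/changelog, so restate those user-visible changes here. The bug title also reads `fossil/2.24-5~deb11u1` while the entry is 1:2.24-6~deb12u1; correct the title so the release team tracks the right version.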


signature.asc
Description: This is a digitally signed message part.


Bug#1070155: bullseye-pu: package wpa/2.9.0-21+deb11u1

2024-04-30 Thread Bastien Roucariès
Package: release.debian.org
Severity: important
Tags: bullseye
X-Debbugs-Cc: w...@packages.debian.org
Control: affects -1 + src:wpa
User: release.debian@packages.debian.org
Usertags: pu
tags: security


[ Reason ]
CVE-2023-52160 security bug

[ Impact ]
security bug is present

[ Tests ]
Test suite runs fine

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.

[ Other info ]
Buster is fixed, so upgrading reintroduces the CVE.

Bastien

diff -Nru wpa-2.9.0/debian/changelog wpa-2.9.0/debian/changelog
--- wpa-2.9.0/debian/changelog	2021-02-25 21:19:14.0 +
+++ wpa-2.9.0/debian/changelog	2024-04-30 22:45:18.0 +
@@ -1,3 +1,19 @@
+wpa (2:2.9.0-21+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload on behalf of the Security Team.
+  * Fix CVE-2023-52160 (Closes: #1064061):
+The implementation of PEAP in wpa_supplicant allows
+authentication bypass. For a successful attack,
+wpa_supplicant must be configured to not verify
+the network's TLS certificate during Phase 1
+authentication, and an eap_peap_decrypt vulnerability
+can then be abused to skip Phase 2 authentication.
+The attack vector is sending an EAP-TLV Success packet
+instead of starting Phase 2. This allows an adversary
+to impersonate Enterprise Wi-Fi networks.
+
+ -- Bastien Roucari??s   Tue, 30 Apr 2024 22:45:18 +
+
 wpa (2:2.9.0-21) unstable; urgency=high
 
   * Fix typos in the package descriptions.
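Review bot: the entry describes the CVE but not the behavioural change users will hit: Phase 2 is now required by default when no client certificate is configured, TLS session resumption is disabled in that case, and the new `phase2_auth` phase1 parameter described in the patch header is the knob that restores the old behaviour. Networks whose server legitimately skips Phase 2 will stop authenticating after this update, so say so here or in a NEWS.Debian entry.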
diff -Nru wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch
--- wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	1970-01-01 00:00:00.0 +
+++ wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	2024-04-30 22:45:18.0 +
@@ -0,0 +1,211 @@
+From: Jouni Malinen 
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: CVE-2023-52160 PEAP client: Update Phase 2 authentication
+ requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+   (private_key/client_cert) is no used and TLS session resumption was
+   not used 

Bug#1070151: bookworm-pu: package wpa/2:2.10-12

2024-04-30 Thread Bastien Roucariès
Package: release.debian.org
Severity: important
Tags: bookworm
X-Debbugs-Cc: w...@packages.debian.org
Control: affects -1 + src:wpa
User: release.debian@packages.debian.org
Usertags: pu
tags: security


[ Reason ]
CVE-2023-52160 security bug

[ Impact ]
security bug is present

[ Tests ]
Test suite runs fine

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.

[ Other info ]
Buster is fixed, so upgrading reintroduces the CVE.

Bastien

diff -Nru wpa-2.10/debian/changelog wpa-2.10/debian/changelog
--- wpa-2.10/debian/changelog	2023-02-24 13:01:35.0 +
+++ wpa-2.10/debian/changelog	2024-04-30 22:45:18.0 +
@@ -1,3 +1,19 @@
+wpa (2:2.10-12+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload on behalf of the Security Team.
+  * Fix CVE-2023-52160 (Closes: #1064061):
+The implementation of PEAP in wpa_supplicant allows
+authentication bypass. For a successful attack,
+wpa_supplicant must be configured to not verify
+the network's TLS certificate during Phase 1
+authentication, and an eap_peap_decrypt vulnerability
+can then be abused to skip Phase 2 authentication.
+The attack vector is sending an EAP-TLV Success packet
+instead of starting Phase 2. This allows an adversary
+to impersonate Enterprise Wi-Fi networks.
+
+ -- Bastien Roucari??s   Tue, 30 Apr 2024 22:45:18 +
+
 wpa (2:2.10-12) unstable; urgency=medium
 
   * Prevent hostapd units from being started if there???s
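Review bot: the bug title reads `wpa/2:2.10-12`, the version already in bookworm, while this entry is for 2:2.10-12+deb12u1; fix the title so the release team's tracking matches the upload. As with the bullseye request, the entry should mention the new `phase2_auth` phase1 option and that Phase 2 is now mandatory by default when no client certificate is configured, since that is the change an administrator will notice.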
diff -Nru wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch
--- wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	1970-01-01 00:00:00.0 +
+++ wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	2024-04-30 22:42:02.0 +
@@ -0,0 +1,211 @@
+From: Jouni Malinen 
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: CVE-2023-52160 PEAP client: Update Phase 2 authentication
+ requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+   (private_key/client_cert) is no used and TLS session resumption was
+   not 
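The Phase 2 policy described in the two wpa requests above (this bookworm one and the bullseye one for 2.9.0-21+deb11u1), as an added example that is not wpa_supplicant code: a Python model of the PEAP client's accept/reject decision before and after the patch, run through the attack sequence the changelog describes (EAP-TLV Success sent instead of starting Phase 2). The PeapClient class, its event methods, the ca_cert flag and the attack sequence are hypothetical; the phase2_auth values 0 and 1 and the two exceptions follow the patch description.

```python
"""Added example, not wpa_supplicant code: a model of the PEAP client decision
that the CVE-2023-52160 patch changes.  Event names and the PeapClient class
are hypothetical; phase2_auth 0/1 follow the patch description (1 is the new
default) and `ca_cert` models whether Phase 1 validates the server certificate.
"""
from dataclasses import dataclass


@dataclass
class PeapClient:
    phase2_auth: int = 1        # 0 = never require Phase 2; 1 = require it unless a
                                #     client cert is used or the TLS session was resumed
    ca_cert: bool = False       # trust root configured -> Phase 1 validates the server
    client_cert: bool = False   # private_key/client_cert configured
    phase1_done: bool = False
    tls_resumed: bool = False
    phase2_done: bool = False

    def offers_session_resumption(self) -> bool:
        """Resumption is disabled whenever Phase 2 would be required anyway."""
        return self.phase2_auth == 0 or self.client_cert

    def on_tls_established(self, server_cert_ok: bool, resumed: bool = False) -> str:
        """Phase 1 finished.  Without ca_cert the server is never validated,
        which is the common misconfiguration the CVE text relies on."""
        if self.ca_cert and not server_cert_ok:
            return "REJECT"
        self.phase1_done = True
        self.tls_resumed = resumed and self.offers_session_resumption()
        return "CONTINUE"

    def on_phase2_success(self) -> None:
        """Inner method (for example MSCHAPv2) completed inside the tunnel."""
        self.phase2_done = True

    def requires_phase2(self) -> bool:
        if self.phase2_auth == 0:
            return False
        return not (self.client_cert or self.tls_resumed)

    def on_tlv_success(self) -> str:
        """Server sent EAP-TLV Result Success.  Before the fix this was accepted
        straight after Phase 1; now Phase 2 must have completed unless one of
        the two documented exceptions applies."""
        if not self.phase1_done:
            return "REJECT"
        if self.requires_phase2() and not self.phase2_done:
            return "REJECT"
        return "ACCEPT"


def rogue_ap_outcome(client: PeapClient) -> str:
    """Constructed attack: a rogue AP with an untrusted certificate completes
    Phase 1 and immediately sends EAP-TLV Success, never starting Phase 2."""
    if client.on_tls_established(server_cert_ok=False) == "REJECT":
        return "REJECT"
    return client.on_tlv_success()


def legitimate_outcome(client: PeapClient) -> str:
    """Constructed benign flow: trusted server, Phase 2 runs, then Success."""
    if client.on_tls_established(server_cert_ok=True) == "REJECT":
        return "REJECT"
    client.on_phase2_success()
    return client.on_tlv_success()


if __name__ == "__main__":
    print("old default (phase2_auth=0):", rogue_ap_outcome(PeapClient(phase2_auth=0)))
    print("new default (phase2_auth=1):", rogue_ap_outcome(PeapClient()))
    print("ca_cert configured:        ", rogue_ap_outcome(PeapClient(ca_cert=True)))
```

With the old default the rogue AP is accepted without any credential check; with the new default it is rejected, and a client that validates the server certificate rejects it already in Phase 1. The client-certificate exception is the one the patch states, not an additional safety claim.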

Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1

2024-04-13 Thread Bastien Roucariès
On Saturday, 13 April 2024, 14:01:24 UTC, Bastien Roucariès wrote:
> On Saturday, 13 April 2024, 14:00:00 UTC, Moritz Mühlenhoff wrote:
> Hi,
> 
> > On Tue, Apr 09, 2024 at 10:01:11AM +0200, Andreas Beckmann wrote:
> > > Package: release.debian.org
> > > Severity: normal
> > > Tags: bullseye
> > > User: release.debian@packages.debian.org
> > > Usertags: pu
> > > X-Debbugs-Cc: Bastien Roucariès 
> > > Control: affects -1 + src:json-smart
> > > Control: block 1039985 with -1
> > > Control: block 1033474 with -1
> > > 
> > > [ Reason ]
> > > Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
> > > causing version skew on upgrades:
> > 
> > CVE-2023-1370 / #1033474 is unfixed in sid, and being fixed in unstable
> > is a pre condition for a point update.
> > 
> > Bastien, since you fixed it in buster-lts, can you please also take care
> > of addressing unstable?

Done
> 
> 
> Ok will do
> > 
> > Cheers,
> > Moritz
> > 
> 
> 





Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1

2024-04-13 Thread Bastien Roucariès
On Saturday, 13 April 2024, 14:00:00 UTC, Moritz Mühlenhoff wrote:
Hi,

> On Tue, Apr 09, 2024 at 10:01:11AM +0200, Andreas Beckmann wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: bullseye
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > X-Debbugs-Cc: Bastien Roucariès 
> > Control: affects -1 + src:json-smart
> > Control: block 1039985 with -1
> > Control: block 1033474 with -1
> > 
> > [ Reason ]
> > Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
> > causing version skew on upgrades:
> 
> CVE-2023-1370 / #1033474 is unfixed in sid, and being fixed in unstable
> is a pre condition for a point update.
> 
> Bastien, since you fixed it in buster-lts, can you please also take care
> of addressing unstable?


Ok will do
> 
> Cheers,
> Moritz
> 





Bug#1068888: bookworm-pu: package zookeeper/3.8.0-11+deb12u2

2024-04-12 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: zookee...@packages.debian.org
Control: affects -1 + src:zookeeper
User: release.debian@packages.debian.org
Usertags: pu


[ Reason ]
CVE-2024-23944 (Closes: #1066947):
An information disclosure in persistent watchers handling was found in
Apache ZooKeeper due to missing ACL check.  It allows an attacker to
monitor child znodes by attaching a persistent watcher (addWatch
command) to a parent which the attacker has already access
to. ZooKeeper server doesn't do ACL check when the persistent watcher
is triggered and as a consequence, the full path of znodes that a
watch event gets triggered upon is exposed to the owner of the
watcher. It's important to note that only the path is exposed by this
vulnerability, not the data of znode, but since znode path can contain
sensitive information like user name or login ID, this issue is
potentially critical.

[ Impact ]
CVE-2024-23944 is not fixed

[ Tests ]
Full upstream testsuite run at build time

[ Risks ]
None known

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
See debdiff
diff -Nru zookeeper-3.8.0/debian/changelog zookeeper-3.8.0/debian/changelog
--- zookeeper-3.8.0/debian/changelog	2023-10-29 07:57:11.0 +
+++ zookeeper-3.8.0/debian/changelog	2024-03-25 08:30:56.0 +
@@ -1,3 +1,22 @@
+zookeeper (3.8.0-11+deb12u2) bookworm-security; urgency=medium
+
+  * Team upload
+  * Bug fix: CVE-2024-23944 (Closes: #1066947):
+An information disclosure in persistent watchers handling was found in
+Apache ZooKeeper due to missing ACL check.  It allows an attacker to
+monitor child znodes by attaching a persistent watcher (addWatch
+command) to a parent which the attacker has already access
+to. ZooKeeper server doesn't do ACL check when the persistent watcher
+is triggered and as a consequence, the full path of znodes that a
+watch event gets triggered upon is exposed to the owner of the
+watcher. It's important to note that only the path is exposed by this
+vulnerability, not the data of znode, but since znode path can contain
+sensitive information like user name or login ID, this issue is
+potentially critical.
+  * Add salsa CI
+
+ -- Bastien Roucari??s   Mon, 25 Mar 2024 08:30:56 +
+
 zookeeper (3.8.0-11+deb12u1) bookworm-security; urgency=medium
 
   * Team upload:
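Review bot: the distribution is `bookworm-security` although this is a bookworm-pu request (Usertags: pu) and must be `bookworm` for proposed-updates. 'Add salsa CI' is unrelated to CVE-2024-23944 and adds churn to a stable update; drop it from the point-release upload or, if it only adds debian/salsa-ci.yml, say so explicitly so the release team can judge it.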
diff -Nru zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
--- zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch	1970-01-01 00:00:00.0 +
+++ zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch	2024-03-25 08:30:56.0 +
@@ -0,0 +1,1223 @@
+From: Andor Molnar 
+Date: Tue, 28 Nov 2023 21:25:00 +0100
+Subject: CVE-2024-23944: ZOOKEEPER-4799: Refactor ACL check in 'addWatch'
+ command
+
+As of today, it is impossible to diagnose which watch events are dropped
+because of ACLs.  Let's centralize, systematize, and log the checks at
+the 'process()' site in the Netty and NIO connections.
+
+(These 'process()' methods contain some duplicated code, and should also
+be refactored at some point.  This series does not change them.)
+
+This patch also adds a substantial number of tests in order to avoid
+unexpected regressions.
+
+Co-authored-by: Patrick Hunt 
+Co-authored-by: Damien Diederen 
+
+origin: https://github.com/apache/zookeeper/commit/65b91d2d9a56157285c2a86b106e67c26520b01d
+bug: https://issues.apache.org/jira/browse/ZOOKEEPER-4799
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-23944
+---
+ .../apache/zookeeper/server/watch/WatchBench.java  |   6 +-
+ .../java/org/apache/zookeeper/server/DataTree.java |  23 +-
+ .../org/apache/zookeeper/server/DumbWatcher.java   |   4 +-
+ .../org/apache/zookeeper/server/NIOServerCnxn.java |  16 +-
+ .../apache/zookeeper/server/NettyServerCnxn.java   |  17 +-
+ .../org/apache/zookeeper/server/ServerCnxn.java|  10 +-
+ .../org/apache/zookeeper/server/ServerWatcher.java |  29 +
+ .../zookeeper/server/watch/IWatchManager.java  |   7 +-
+ .../zookeeper/server/watch/WatchManager.java   |  15 +-
+ .../server/watch/WatchManagerOptimized.java|  15 +-
+ .../apache/zookeeper/server/MockServerCnxn.java|   4 +-
+ .../zookeeper/server/watch/WatchManagerTest.java   |  14 +-
+ .../zookeeper/test/PersistentWatcherACLTest.java   | 629 +
+ .../zookeeper/test/UnsupportedAddWatcherTest.java  |   9 +-
+ 14 files changed, 763 insertions(+), 35 deletions(-)
+ create mode 100644 
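The disclosure described in the [Reason] section above (a persistent watcher on a readable parent receives the full paths of children the watcher's owner may not read, because the ACL is not checked when the watch fires) and the shape of the fix (check the ACL at the point where the event is delivered), as an added example that is not ZooKeeper code: a Python model of a znode tree with persistent recursive watches, run once without and once with the trigger-time ACL check. The WatchServer class, the READ-only ACL model and the scenario paths are hypothetical stand-ins.

```python
"""Added example, not ZooKeeper code: a model of the persistent-watch ACL gap
behind CVE-2024-23944 and of the check the fix adds at watch-trigger time.
The tree, the READ-only ACL model and the WatchServer API are hypothetical;
the fixed behaviour is modelled as 'deliver the event only if the watcher's
principal holds READ on the znode the event is about'.
"""


class WatchServer:
    def __init__(self, check_acl_on_trigger: bool):
        self.check_acl_on_trigger = check_acl_on_trigger
        self.readers = {"/": {"admin"}}   # znode path -> principals holding READ
        self.watches = []                 # (path, principal, inbox), persistent+recursive
        self.dropped = []                 # (principal, path) withheld by the ACL check

    @staticmethod
    def _parent(path: str) -> str:
        return path.rsplit("/", 1)[0] or "/"

    def create(self, path: str, readers: set) -> None:
        """Create a znode (as an administrator) and fire watches for it."""
        if self._parent(path) not in self.readers:
            raise KeyError(f"parent of {path} does not exist")
        self.readers[path] = set(readers)
        self._trigger(path)

    def add_watch(self, path: str, principal: str) -> list:
        """addWatch in persistent recursive mode.  This ACL check exists in
        both versions: the caller needs READ on the node it watches."""
        if principal not in self.readers.get(path, set()):
            raise PermissionError(f"{principal} lacks READ on {path}")
        inbox = []
        self.watches.append((path, principal, inbox))
        return inbox

    def _trigger(self, event_path: str) -> None:
        for wpath, principal, inbox in self.watches:
            under = event_path == wpath or event_path.startswith(wpath.rstrip("/") + "/")
            if not under:
                continue
            # Vulnerable: the full child path goes to whoever owns the watch.
            # Fixed: the ACL of the child itself is checked before delivery.
            if self.check_acl_on_trigger and principal not in self.readers[event_path]:
                self.dropped.append((principal, event_path))
                continue
            inbox.append(event_path)


def leaked_paths(check_acl_on_trigger: bool) -> list:
    """Constructed scenario: 'attacker' may read /app but not /app/users, and
    watches /app recursively; the admin then creates children, one of whose
    names is a login ID.  Returns what the attacker's watch delivers."""
    server = WatchServer(check_acl_on_trigger)
    server.create("/app", readers={"admin", "attacker"})
    server.create("/app/users", readers={"admin"})
    server.create("/app/public", readers={"admin", "attacker"})
    inbox = server.add_watch("/app", "attacker")
    server.create("/app/users/jdoe-login-id", readers={"admin"})       # sensitive name
    server.create("/app/public/announce", readers={"admin", "attacker"})
    return inbox


if __name__ == "__main__":
    print("without trigger-time ACL check:", leaked_paths(False))
    print("with trigger-time ACL check:   ", leaked_paths(True))
```

The unfixed server hands the attacker `/app/users/jdoe-login-id` even though they cannot read `/app/users`; the fixed one delivers only the event for the node they are allowed to read. Only the path is ever delivered, matching the CVE text's point that data is not exposed but names can be sensitive.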

Bug#1060103: transition: imagemagick7

2024-02-02 Thread Bastien Roucariès
On Friday, 2 February 2024, 16:53:10 UTC, Sebastian Ramacher wrote:
> Control: tags -1 moreinfo
> 
> Hi Bastien
> 
> On 2024-01-05 22:35:44 +, Bastien Roucariès wrote:
> > Package: release.debian.org
> > Severity: important
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > X-Debbugs-CC: ftpmas...@debian.org
> > 
> > Imagemagick will need a new major bump
> > 
> > I managed to get imagemagick 7 to build for experimental (it is only on salsa,
> > not uploaded yet).
> > 
> > Every package includes a version in the package name (except the legacy package
> > names and perl*), so I plan to do a step-by-step migration, because it is mainly
> > co-installable with imagemagick 6.
> 
> Why does this migration require co-installability with the old version?
> This makes the transition overly complicated. Do you expect major
> changes required in reverse dependencies of imagemagick's shared
> library?

The problem is not the library but the command-line interface, which may need
changes.

The library will break (I am thinking here of the php module, which will need an
update), but it is treatable.

convert6 is not fully compatible with convert7.

convert6 will be co-installable with convert7 in order to test, and convert
will be provided by the alternatives system.

We avoid a flag day, but we need a co-installable library.

Bastien

> 
> PS: Before the time_t transition is done, we will not process other
> transitions.

Not a problem, but I would like to upload the work to experimental in order to test
architectures other than i386/amd64/arm, which I can test myself.

Bastien

> 
> Cheers
> 



signature.asc
Description: This is a digitally signed message part.


Bug#1060103: Reminder of imagemagick7 transition plan

2024-02-02 Thread Bastien Roucariès
Hi,

A gentle reminder about the imagemagick7 transition plan.

Many thanks to Santiago for partially reviewing it, but I need a green light from
the release team.

Bastien



Bug#1060103: transition: imagemagick7

2024-01-05 Thread Bastien Roucariès
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-CC: ftpmas...@debian.org

Imagemagick will need a new major bump.

I managed to get imagemagick 7 to build for experimental (it is only on salsa, not
uploaded yet).

Every package includes a version in the package name (except the legacy package name
and perl*) so I plan to do a step by step migration, because it is mainly
co-installable with imagemagick 6.
- upload to experimental a version with perl and without the legacy name
- migrate perl and the versioned packages
- add to experimental libmagickwand-dev libmagick++-dev libmagickcore-dev
- migrate the packages that depend on libmagickwand-dev libmagick++-dev
libmagickcore-dev (everything that builds against imagemagick) to imagemagick7
- add to experimental the imagemagick package
- migrate the imagemagick package to unstable

What do you think of this plan? From a security point of view it is better to
go to imagemagick7 (hence the important severity).

I expect breakage only on the last step. See
https://imagemagick.org/script/porting.php

For ftpmaster it needs more work because it will need three manual steps.

Bastien

*  perlmagick, libmagickcore-dev, libmagickwand-dev libmagick++-dev,
imagemagick, libimage-magick-perl libimage-magick-q16-perl
libimage-magick-q16hdri-perl




Bug#1037219: Uploaded imagemagick/8:6.9.11.60+dfsg-1.3+deb11u2

2023-12-29 Thread Bastien Roucariès
Hi,

I have just uploaded

Bastien



Imagemagick major version transition : ask for guidance + plan

2023-12-27 Thread Bastien Roucariès
Hi,

I managed to get imagemagick 7 to build for experimental.

Every package includes a version in the package name (except the legacy package name
and perl*) so I plan to do a step by step migration, because it is mainly
co-installable with imagemagick 6.
- upload to experimental a version with perl and without the legacy name
- migrate perl and the versioned packages
- add to experimental libmagickwand-dev libmagick++-dev libmagickcore-dev
- migrate the packages that depend on libmagickwand-dev libmagick++-dev
libmagickcore-dev (everything that builds against imagemagick)
- add to experimental the imagemagick package
- migrate the imagemagick package to unstable

What do you think of this plan?

I expect breakage only on the last step.

For ftpmaster it needs more work because it will need three manual steps.

Bastien

*  perlmagick, libmagickcore-dev, libmagickwand-dev libmagick++-dev,
imagemagick, libimage-magick-perl libimage-magick-q16-perl
libimage-magick-q16hdri-perl





Re: Pause /usr-merge moves

2023-12-02 Thread Bastien Roucariès
Le vendredi 1 décembre 2023, 21:04:12 UTC Helmut Grohne a écrit :
> Hi developers,
> 
> I have unfortunate news regarding /usr-merge. I uncovered yet another
> problem that we haven't seen mentioned earlier. We do not yet know how
> to deal with it and it may take some time to come up with a good
> compromise. As a result, please pause further moves from / to /usr.
> Exceptions:
>  * With more uploads, more systemd units will move. While such moves may
>    trigger the new problem, I expect that to be rare.
>  * Continue fixing RC bugs, in particular those that are due to
>    dh_installsystemd or systemd.pc having moved to /usr.
>  * Continue applying DEP17P7 mitigations for udev rules. Patches for
>    these have been sent by Christian Hofstaedler and a few people from
>    the Cambridge miniconf. These are unrelated.
> 
> The rest of this mail is lots of funky details for those interested in
> understanding what went wrong here. Others are encouraged to do
> something more joyful :)
> 
> Before we go, let me express sincere thanks to so many people that
> helped me track this down. In particular, the input of David
> Kalnischkies, Guillem Jover and Julian Andres Klode was invaluable.
> 
> Fundamentally, Conflicts do not reliably prevent concurrent unpacking of
> packages as policy §7.4 may suggest. I have reported this as #1057199.
> Consequently, what we look at here is situations where Conflicts are
> used to mitigate file loss in the face of aliasing changes. Debian
> policy §6.6 is more precise and details that when unpacking a package,
> conflicting packages may be deconfigured and removed after the unpack.
> In theory, the difference should not be noticeable, because dpkg
> accurately tracks ownership of files with respect to packages. Aliasing
> changes this and can cause file loss. The situation arises when
> installing or upgrading a package to a version that happens to be in
> conflict with another package to be removed. A simple example is
> upgrading a bookworm system with molly-guard and systemd-sysv to sid and
> in the process deleting molly-guard. A similar issue happens when
> upgrading a bookworm system with busybox-static to sid and in that
> process installing busybox and thus removing busybox-static. The
> situation is hard to come by, because apt tends to remove the package
> that goes away early when it can. I have implemented a reproducer
> without apt for systemd-sysv #1057220. There are also situations where
> apt reproduces this available from the policy bug mentioned earlier. In
> particular, when one package has versioned Conflicts for another and the
> other has versioned Breaks for the former, this reproduces with apt.
> This essentially breaks DEP17 proposed mitigations M7 and M18.
> 
> I have also locally extended dumat to produce a report of affected
> Conflicts and am attaching it to this mail. The only packages that have
> not yet migrated and have this problem are systemd-sysv,
> busybox/busybox-static and resolvconf and I have filed RC bugs for them.
> There are other instances in trixie already.

Could we have a list of the affected trixie packages?
> 
> I welcome ideas for solving these problems. Let me summarize those I
> already am aware of.
> 
> Julian Andres Klode proposes adding a "barrier package" that we may call
> usrmerge-support (or repurpose usr-is-merged). Affected Conflicts can be
> moved to the barrier package and the conflicting package would then
> express Pre-Depends on the barrier package. When the barrier's postinst
> runs, any conflicting package definitely has been removed and due to
> using Pre-Depends, the conflicting package definitely has not been
> unpacked yet.

Why not create a barrier package per package?


> 
> Another option is duplicating affected files (e.g. using hard links) in
> the data.tar and then restoring lost files during postinst.
> 
> Depending on what problem we are solving, we may also move to protective
> diversions (DEP17 M8).
> 
> It also is not clear how easy it is to reproduce this bug class in an
> actual upgrade. It took long to find the issue for a reason. Depending
> on what files go missing, we may get away with asking users to dpkg
> --audit and then apt reinstall affected packages.
> 
> That barrier package approach sounds relatively promising to me, but
> there is no implementation of that approach as of this writing.
> 
> If you want to support finding a solution, please contribute to this
> email thread or join #debian-usrmerge on oftc.
> 
> Helmut
> 

Bug#994540: Go ahead with imagemagick/experimental ?

2023-10-22 Thread Bastien Roucariès
Le dimanche 22 octobre 2023, 15:03:50 UTC Sebastian Ramacher a écrit :
> Control: tags -1 confirmed
> 
> On 2023-10-22 14:51:42 +, Bastien Roucariès wrote:
> > Le dimanche 22 octobre 2023, 14:08:20 UTC Sebastian Ramacher a écrit :
> > > Hi Bastien
> > > 
> > > On 2023-10-21 20:10:47 +, Bastien Roucariès wrote:
> > > > Can I go ahead with imagemagick experimental ?
> > > 
> > > As a year has past since the last mail to the transition bug report: did
> > > any new build failures in reverse dependencies appear? What's the
> > > status?
> > 
> > Reverse builds are ok (just tested in pbuilder), so for me it is a green light
> 
> Please go ahead.
Done
> 
> Cheers
> 

Re: Go ahead with imagemagick/experimental ?

2023-10-22 Thread Bastien Roucariès
Le dimanche 22 octobre 2023, 14:08:20 UTC Sebastian Ramacher a écrit :
> Hi Bastien
> 
> On 2023-10-21 20:10:47 +, Bastien Roucariès wrote:
> > Can I go ahead with imagemagick experimental ?
> 
> As a year has past since the last mail to the transition bug report: did
> any new build failures in reverse dependencies appear? What's the
> status?

Reverse builds are ok (just tested in pbuilder), so for me it is a green light
> 
> Cheers
> 

Go ahead with imagemagick/experimental ?

2023-10-21 Thread Bastien Roucariès
Hi,

Can I go ahead with imagemagick experimental ?

Thanks

Bastien

Bug#1037219: bullseye-pu: package imagemagick/8:6.9.11.60+dfsg-1.3+deb11u2

2023-06-08 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: imagemag...@packages.debian.org
Control: affects -1 + src:imagemagick

[ Reason ]
Imagemagick is affected in stable by a few security problems.

[ Impact ]
Security problems with some exploits (images) in the wild

[ Tests ]
Yes, a testsuite is included in the package, and autopkgtest.

[ Risks ]
Code is complex, I prefer not to solve all the security bugs in a single step.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
+  * Fix CVE-2021-3574: memory leak was found in TIFF coder
+  * Fix CVE-2021-4219: a special crafted file could lead to a DOS.
+  * Fix CVE-2021-20241 / CVE-2021-20243: divide by zero in
+some coders (Closes: #1013282)
+  * Fix CVE-2021-20244: Fix a divide by zero in visual-effects.c
+  * Fix CVE-2021-20245: Fix a divide by zero in webp coder
+  * Fix CVE-2021-20246: Fix a divide by zero in resample code.
+  * Fix CVE-2021-20309: Fix a divide by zero in WaveImage function.
+  * Fix CVE-2021-39212: Postscript files could be read and written
+when specifically excluded by a module policy in policy.xml file.
+(Closes: #996588)
+  * Fix CVE-2022-1114: Heap use after free in RelinquishDCMInfo()
+(Closes: #1013282)
+  * Fix CVE-2022-28463: Buffer overflow in cin coder.
+  * Fix CVE-2022-32545: Value outside the range of unsigned char
+(Closes: #1016442)
+  * Fix CVE-2022-32546: Value outside the range of representable
+values of type 'unsigned long' at coders/pcl.c,
+  * Use Salsa CI

[ Other info ]
Security team is ok with this.
diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog
--- imagemagick-6.9.11.60+dfsg/debian/changelog	2023-02-03 17:59:42.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/changelog	2023-05-26 07:10:27.0 +
@@ -1,3 +1,27 @@
+imagemagick (8:6.9.11.60+dfsg-1.3+deb11u2) bullseye-security; urgency=medium
+
+  * Fix CVE-2021-3574: memory leak was found in TIFF coder
+  * Fix CVE-2021-4219: a special crafted file could lead to a DOS.
+  * Fix CVE-2021-20241 / CVE-2021-20243: divide by zero in
+some coders (Closes: #1013282)
+  * Fix CVE-2021-20244: Fix a divide by zero in visual-effects.c
+  * Fix CVE-2021-20245: Fix a divide by zero in webp coder
+  * Fix CVE-2021-20246: Fix a divide by zero in resample code.
+  * Fix CVE-2021-20309: Fix a divide by zero in WaveImage function.
+  * Fix CVE-2021-39212: Postscript files could be read and written
+when specifically excluded by a module policy in policy.xml file.
+(Closes: #996588)
+  * Fix CVE-2022-1114: Heap use after free in RelinquishDCMInfo()
+(Closes: #1013282)
+  * Fix CVE-2022-28463: Buffer overflow in cin coder.
+  * Fix CVE-2022-32545: Value outside the range of unsigned char
+(Closes: #1016442)
+  * Fix CVE-2022-32546: Value outside the range of representable
+values of type 'unsigned long' at coders/pcl.c,
+  * Use Salsa CI
+
+ -- Bastien Roucariès   Fri, 26 May 2023 07:10:27 +
+
 imagemagick (8:6.9.11.60+dfsg-1.3+deb11u1) bullseye-security; urgency=medium
 
   * Fix CVE-2022-44267 / CVE-2022-44268
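Review bot: The new changelog entry targets `bullseye-security`, while this is a bullseye-pu request; for a proposed-updates upload the distribution field should be `bullseye`, otherwise the upload goes to the wrong queue. Also worth a second look: `(Closes: #1013282)` is cited both for CVE-2021-20241 / CVE-2021-20243 and for CVE-2022-1114, so confirm that one bug really covers both issues.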
diff -Nru imagemagick-6.9.11.60+dfsg/debian/debian/salsa-ci-enable-sec-and-update-repos.sh imagemagick-6.9.11.60+dfsg/debian/debian/salsa-ci-enable-sec-and-update-repos.sh
--- imagemagick-6.9.11.60+dfsg/debian/debian/salsa-ci-enable-sec-and-update-repos.sh	1970-01-01 00:00:00.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/debian/salsa-ci-enable-sec-and-update-repos.sh	2023-05-26 07:10:27.0 +
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -x
+set -e
+
+# Debug what repositories are available to begin with
+grep -r "^deb " /etc/apt/sources.*
+
+# Enable the same repositories that were available at build time in
+# registry.salsa.debian.org/salsa-ci-team/pipeline/base:bullseye
+. /etc/os-release
+cat << EOF > /etc/apt/sources.list.d/base-$VERSION_CODENAME-repos.list
+deb http://deb.debian.org/debian $VERSION_CODENAME main
+deb http://deb.debian.org/debian-security $VERSION_CODENAME-security main
+deb http://deb.debian.org/debian $VERSION_CODENAME-updates main
+EOF
+
+apt-get update
+
+# Ref
+# bullseye piuparts test runner environment is missing the bullseye-updates apt repository: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/292
+# piuparts: doesn't install dependencies from experimental or -backports: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/58
+# autopkgtest: doesn't install dependencies from experimental or backports: https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/85
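Review bot: `grep -r "^deb " /etc/apt/sources.*` runs under `set -e`, and grep exits 1 when no line matches, so an image whose apt sources carry no plain `deb ` lines aborts the script before the repositories are added; append `|| true` to the debug grep. The file also lands at `debian/debian/salsa-ci-enable-sec-and-update-repos.sh` (note the doubled `debian/`), which looks like a misplaced path rather than the intended `debian/` location.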
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0026-CVE-2021-3574-memory-leak.patch imagemagick-6.9.11.60+dfsg/debian/patches/0026-CVE-2021-3574-memory-leak.patch
--- im

CVE-2023-1289: hard to fix break ABI

2023-05-14 Thread Bastien Roucariès
Hi,

I want to have some guidance about CVE-2023-1289

Fixing it will need adding a recursion field to an exported structure... It
will therefore break the ABI.

We could also disable the internal svg coder and fall back on inkscape.

You marked the bug no-DSA, so maybe we could postpone it.

Bastien

Bug#1032299: bullseye-pu: package node-css-what/4.0.0-3

2023-03-03 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-css-w...@packages.debian.org
Control: affects -1 + src:node-css-what

[ Reason ]
CVE-2022-21222/CVE-2021-33587: The package css-what before 2.1.3 is vulnerable
to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure
regular expression in the re_attr variable of index.js. The exploitation of
this vulnerability could be triggered via the parse function.

[ Impact ]
DoS due to exponential regexp search.

[ Tests ]
The package testsuite was run, and the code modification was tested.
recheck tested the absence of ReDoS.

[ Risks ]
* no backport is possible due to the upstream rewrite in TypeScript. Modification
of the regex was chosen in order to be least disruptive.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The ReDoS-sensitive regexp was rewritten in a linear form, step by step (5
patches).

[ Other info ]
None
diff -Nru node-css-what-4.0.0/debian/changelog 
node-css-what-4.0.0/debian/changelog
--- node-css-what-4.0.0/debian/changelog2021-01-09 21:06:15.0 
+
+++ node-css-what-4.0.0/debian/changelog2023-03-01 13:47:23.0 
+
@@ -1,3 +1,15 @@
+node-css-what (4.0.0-3+deb11u1) bullseye-security; urgency=medium
+
+  * Team upload
+  * node-css-what was vulnerable to Regular Expression Denial of Service
+(ReDoS) due to the usage of insecure regular expression in the
+re_attr variable.
+The exploitation of this vulnerability could be triggered
+via the parse function.
+Fix CVE-2022-21222, CVE-2021-33587 (Closes: #989264, #1032188)
+
+ -- Bastien Roucariès   Wed, 01 Mar 2023 13:47:23 +
+
 node-css-what (4.0.0-3) unstable; urgency=medium
 
   * Team upload
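Review bot: The request is a bullseye-pu, but the changelog entry's distribution is `bullseye-security`; it should be `bullseye` for a proposed-updates upload. The entry also restates the CVE description at length; a one-line `Fix CVE-2022-21222, CVE-2021-33587: ReDoS in the re_attr regex (Closes: #989264, #1032188)` would read better in changelog listings.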
diff -Nru 
node-css-what-4.0.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch
 
node-css-what-4.0.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch
--- 
node-css-what-4.0.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch
  1970-01-01 00:00:00.0 +
+++ 
node-css-what-4.0.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch
  2023-03-01 13:47:23.0 +
@@ -0,0 +1,36 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= 
+Date: Wed, 1 Mar 2023 08:12:48 +
+Subject: Partial fix of reDos CVE-2022-21222/CVE-2021-33587: attribute
+ selector
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Per https://w3c.github.io/csswg-drafts/selectors/#attribute-selectors only = 
~= |= ^= $= *= are supported.
+
+Add also != that is checked as invalid latter in order to pass testsuite.
+
+So replace \S by [~|^$*!]
+
+Signed-off-by: Bastien Roucariès 
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+---
+ src/parse.ts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/parse.ts b/src/parse.ts
+index 677a029..628561b 100644
+--- a/src/parse.ts
 b/src/parse.ts
+@@ -81,7 +81,7 @@ export type TraversalType =
+ const reName = /^[^\\#]?(?:\\(?:[\da-f]{1,6}\s?|.)|[\w\-\u00b0-\u])+/;
+ const reEscape = /\\([\da-f]{1,6}\s?|(\s)|.)/gi;
+ // Modified version of 
https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+-const reAttr = 
/^\s*(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\u-])+)\s*(?:(\S?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4|(#?(?:\\.|[\w\u00b0-\u-])*)|)|)\s*([iI])?\]/;
++const reAttr = 
/^\s*(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\u-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4|(#?(?:\\.|[\w\u00b0-\u-])*)|)|)\s*([iI])?\]/;
+ 
+ const actionTypes: { [key: string]: AttributeAction } = {
+ undefined: "exists",
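Review bot: Confirm the fix reaches the shipped file: the hunk edits `src/parse.ts`, while the [Reason] section names `index.js` as the vulnerable file, so the Debian build must regenerate the installed JavaScript from `src/` (or the built `lib/` file needs the same change), otherwise the installed module keeps `(\S?)=`. The commit message relies on `!=` being rejected later in the parser, so the testsuite run mentioned in [Tests] should include a negative case such as `[a!=b]`.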
diff -Nru 
node-css-what-4.0.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch
 
node-css-what-4.0.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch
--- 
node-css-what-4.0.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch
  1970-01-01 00:00:00.0 +
+++ 
node-css-what-4.0.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch
  2023-03-01 13:47:23.0 +
@@ -0,0 +1,55 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= 
+Date: Wed, 1 Mar 2023 10:10:47 +
+Subject: Partial fix of ReDos CVE-2022-21222/CVE-2021-33587: trim string
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Trim left the string avoiding a \s* at the beginning of the string, thus 
avoiding part of complexity.
+
+bug-debian: ht
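Review bot: The hunk is cut off right after its header, so the trimming change itself is not reviewable here; from the description (left-trim the input instead of a leading `\s*`), check that any offset or remaining-length bookkeeping in the parser accounts for the characters removed by the trim, since a caller that slices the selector by match length would otherwise drift.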

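The regex narrowing described in the [Changes] section and in patch 0001 of the node-css-what request above, as an added example that is not code from node-css-what or from the Debian patch series: the patched attribute-selector regex next to a hand-written parser for the same grammar, which is what "rewriting in a linear form" ends up as when taken all the way. The `\u00b0-\u` range is truncated on this page; `\u00b0-\uFFFF` is assumed here. The sample selectors are constructed.

```javascript
"use strict";
// Added example, not code from node-css-what or from the Debian patch.
// RE_ATTR_PATCHED is the attribute-selector regex as patched in 0001
// (operator class [~|^$*!] in place of \S?), with the truncated
// \u00b0-\u range assumed to be \u00b0-\uFFFF. attrViaParser implements
// the same grammar as a single forward scan that never backtracks, so its
// cost is bounded by the input length whatever the input looks like.

const NAME_CHAR = /[\w\u00b0-\uFFFF-]/;   // tested one character at a time
const WS = /\s/;

const RE_ATTR_PATCHED =
  /^\s*(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4|(#?(?:\\.|[\w\u00b0-\uFFFF-])*)|)|)\s*([iI])?\]/;

// Parse the text that follows "[" with the patched regex.
function attrViaRegex(s) {
  const m = RE_ATTR_PATCHED.exec(s);
  if (!m) return null;
  return {
    namespace: m[1] === undefined ? null : m[1],
    name: m[2],
    operator: m[3] === undefined ? null : m[3],   // null: existence test, "": plain "="
    value: m[5] !== undefined ? m[5] : m[6] !== undefined ? m[6] : null,
    ignoreCase: m[7] !== undefined,
    consumed: m[0].length,
  };
}

// Same grammar, hand-written: one pass over the input, no backtracking.
function attrViaParser(s) {
  const n = s.length;
  let i = 0;
  const skipWs = () => { while (i < n && WS.test(s[i])) i++; };
  const readName = () => {                 // (?:\\.|[\w\u00b0-\uFFFF-])*
    const start = i;
    while (i < n) {
      if (s[i] === "\\" && i + 1 < n) i += 2;
      else if (NAME_CHAR.test(s[i])) i++;
      else break;
    }
    return s.slice(start, i);
  };

  skipWs();
  let namespace = null;                    // optional "(\*|[-\w]*)|" prefix
  let j = i;
  if (s[j] === "*") j++;
  else while (j < n && /[-\w]/.test(s[j])) j++;
  if (s[j] === "|") { namespace = s.slice(i, j); i = j + 1; }

  const name = readName();
  if (name === "") return null;
  skipWs();

  let operator = null;
  let value = null;
  if (i + 1 < n && "~|^$*!".includes(s[i]) && s[i + 1] === "=") { operator = s[i]; i += 2; }
  else if (s[i] === "=") { operator = ""; i += 1; }

  if (operator !== null) {
    skipWs();
    if (s[i] === '"' || s[i] === "'") {    // quoted value, backslash escapes any char
      const quote = s[i++];
      const start = i;
      while (i < n && s[i] !== quote) i += s[i] === "\\" ? 2 : 1;
      if (i >= n) return null;             // unterminated string
      value = s.slice(start, i);
      i++;
    } else {                               // unquoted value: #?name, may be empty
      const start = i;
      if (s[i] === "#") i++;
      readName();
      value = s.slice(start, i);
    }
  }

  skipWs();
  let ignoreCase = false;
  if (s[i] === "i" || s[i] === "I") { ignoreCase = true; i++; }
  if (s[i] !== "]") return null;
  return { namespace, name, operator, value, ignoreCase, consumed: i + 1 };
}

// Constructed samples (text after the opening "["), including a rejected
// operator and an unterminated string.
const SAMPLE_SELECTORS = [
  "href]",
  'data-x ~= "a b" i]',
  "svg|viewBox^=0]",
  "*|lang|=en]",
  "id=#main]",
  " title = 'x\\'y' ]",
  "attr%=x]",
  'a="unterminated]',
];

// True when both implementations agree on every sample.
function implementationsAgree(samples = SAMPLE_SELECTORS) {
  return samples.every(
    (s) => JSON.stringify(attrViaRegex(s)) === JSON.stringify(attrViaParser(s))
  );
}

console.log("parser and patched regex agree:", implementationsAgree());
```

Both functions take the text that follows the opening `[` of an attribute selector and return the same structure; `implementationsAgree()` cross-checks the hand-written scan against the patched regex on the samples. Whatever a backtracking engine does with pathological input, the hand-written scan touches each character at most once, which is the property a ReDoS fix has to restore.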
Bug#1018076: Add depends to armv6-support

2022-08-27 Thread Bastien Roucariès
Hi,

Adding a depends on armv6-support will help here.

Bastien



Bug#994540: transition: imagemagick

2021-09-17 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Imagemagick changed some internal structures. Upstream bumped the SONAME (safe), so I ask
for a rebuild.

Ben file:

title = "imagemagick";
is_affected = .depends ~
"(?:libmagickcore-6.q[^-]+-6|libmagickwand-6.q[^-]+-6|libmagick++-6.q[^-]+-8)"
| .depends ~
"(?:libmagickcore-6.q[^-]+-7|libmagickwand-6.q[^-]+-7|libmagick++-6.q[^-]+-9)";
is_good = .depends ~
"(?:libmagickcore-6.q[^-]+-7|libmagickwand-6.q[^-]+-7|libmagick++-6.q[^-]+-9)";
is_bad = .depends ~
"(?:libmagickcore-6.q[^-]+-6|libmagickwand-6.q[^-]+-6|libmagick++-6.q[^-]+-8)";



Exception for imagemagick if late by a few minutes

2021-01-11 Thread Bastien Roucariès
Hi,

I am going to ask for an exception for imagemagick (see debian-private for the reason
for being late). It fixes 2 CVEs and an RC bug.

Normally it is in the pipe, so maybe we do not need an exception.

Bastien

Bug#902558: transition: imagemagick

2018-06-27 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Imagemagick upstream broke the API in the stable 6 version.

There are a few security bugs and I prefer to go to the newest package in order to
close the maximum number of security bugs without backporting.

Ben file:

title = "imagemagick";
is_affected = .depends ~ /libmagick-core.*-5|libmagick-wand.*-5|libmagick++.*-7/ | .depends ~ /libmagick-core.*-6|libmagick-wand.*-6|libmagick++.*-8/;
is_good = .depends ~ /libmagick-core.*-6|libmagick-wand.*-6|libmagick++.*-8/;
is_bad = .depends ~ /libmagick-core.*-5|libmagick-wand.*-5|libmagick++.*-7/;


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.16.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#873103: [release.debian.org] Plan for imagemagick7 landing before next stable

2017-08-24 Thread Bastien ROUCARIÈS
Package: release.debian.org
Severity: wishlist

Hi,

I plan to release imagemagick 7 before the next stable version. And I want
imagemagick6 and imagemagick7 to coexist.

Moreover I wish to allow a smooth upgrade between the two.

So I open a bug in order to allow discussion with the release team.

The main problem is the perl library. I do not know how to deal with it; I could use
update-alternatives to select between 6 and 7, or I could package only the 7
one...

Bastien

Bug#873102: [release.debian.org] transition: imagemagick

2017-08-24 Thread Bastien ROUCARIÈS
Package: release.debian.org
Severity: important

Hi,

I have just landed an imagemagick version in experimental that breaks the ABI.
The previous ABI used double_t, which is not ABI stable...

Could we get a transition of libmagickcore, libmagickwand and libmagick++?

I rebuilt the reverse deps a few weeks ago (waiting for ftpmaster) and it
was fine.

I will fix the problems ASAP.

I have set the severity to important because I would prefer to get a
newer imagemagick version quickly, due to the number of security bugs to backport.

Thanks for your work

Bastien

Bug#864220: unblock: imagemagick/8:6.9.7.4+dfsg-11

2017-06-05 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package imagemagick

The changes are self-contained security fixes. This will avoid a security release
just after the release.

* Fix minor security bugs:
+ CVE-2017-9409: Memory leak in the icon file coder.
  (Closes: #864087)
+ CVE-2017-9407: the ReadPALMImage function in palm.c
  allows attackers to cause a denial of service (memory leak)
  via a crafted file. (Closes: #864089).
+ CVE-2017-9409: the ReadMPCImage function in mpc.c
  allows attackers to cause a denial of service (memory leak)
  via a crafted file. (Closes: #864090).

So

unblock imagemagick/8:6.9.7.4+dfsg-11


-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#862772: unblock: imagemagick/8:6.9.7.4+dfsg-8

2017-05-16 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package imagemagick

This fixes more than 10 security bugs and an RC bug due to Built-Using.

unblock imagemagick/8:6.9.7.4+dfsg-8

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-rt-amd64 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#849218: transition: imagemagick

2017-01-02 Thread Bastien ROUCARIÈS
control: affect 844357 src:zbar
control: block -1 by 844357 
Le jeudi 29 décembre 2016, 16:37:43 CET Emilio Pozuelo Monfort a écrit :
> Control: tags -1 confirmed
> > The break was in 6.9.2-10 released in mid 2015. This is moreover only two
> > versions later than the current jessie and I believe it will be a security
> > nightmare to support three versions with more than 100 security patches
> 
> Alright, let's do this.
> 
> BTW please you're breaking threading with your email replies. That's a bit
> annoying.

zbar blocks the transition due to #844357.

Bastien

> Cheers,
> Emilio

Bug#849218: transition: imagemagick

2016-12-23 Thread Bastien ROUCARIÈS
Package: release.debian.org
Severity: normal

Hi,

Due to #846385, could it be possible to get a transition for imagemagick?

Sorry for being late, but upstream is really sloppy.

The break was in 6.9.2-10 released in mid 2015. This is moreover only two
versions later than the current jessie and I believe it will be a security
nightmare to support three versions with more than 100 security patches

Bastien

Bug#838242: transition: imagemagick

2016-09-18 Thread Bastien ROUCARIÈS
Package: release.debian.org
Severity: normal

Hi,

imagemagick waiting in NEW (8:6.9.5.9+dfsg-1) will need a transition from
experimental to unstable.

The next stable version needs to be based on this version from a security point of
view. It fixes more than 50 security bugs.

Moreover this version uses autopkgtest, improving the quality of testing.

Bastien

Bug#769768: unblock: [security] imagemagick/8:6.8.9.9-3

2014-11-16 Thread bastien ROUCARIÈS
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package imagemagick

It fixes CVE-2014-8716 (a two-line change).

I have also updated previous changelog entry with proper CVE.

diff -Nru imagemagick-6.8.9.9/debian/changelog 
imagemagick-6.8.9.9/debian/changelog
--- imagemagick-6.8.9.9/debian/changelog2014-10-28 18:48:23.0 
+0100
+++ imagemagick-6.8.9.9/debian/changelog2014-11-12 21:58:20.0 
+0100
@@ -1,3 +1,13 @@
+imagemagick (8:6.8.9.9-3) unstable; urgency=high
+
+  * Fix a security bug (DOS). Some special crafted JPEG
+files could create a dos due to missing check in
+embeded EXIF properties (EXIF directory offsets
+must be greater than 0). Fix CVE-2014-8716
+(Closes: #768494).
+
+ -- Bastien Roucariès roucaries.bastien+deb...@gmail.com  Fri, 07 Nov 2014 
21:16:20 +0100
+
 imagemagick (8:6.8.9.9-2) unstable; urgency=high
 
   * Remove build-dep loop. Remove inkscape.
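Review bot: Typo in the new changelog entry: `embeded` should be `embedded` (the same wording recurs in the 0005 patch description). Otherwise the entry has what a security upload needs: urgency=high, the CVE id and the closed bug number.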
@@ -9,10 +19,11 @@
   * New upstream version, fixing four security problems:
 - Remotely DOS: convert +profile regression enters 
   infinite loop exhausting memory, thanks to 
-  Yuri D'Elia (Closes: #764872).
-- Fixed buffer overflow in PCX and DCM coder.
+  Yuri D'Elia (Closes: #764872). Fix CVE-2014-8561.
+- Fixed buffer overflow in PCX and DCM coder. Fix
+  CVE-2014-8562 and CVE-2014-8355.
 - Don't clone a 0x0 image breaking some assumption
-  in client code.
+  in client code. Fix CVE-2014-8354.
 - Off-by-one count when parsing an 8BIM profile.
   * Fix identify -quiet has non zero exit code on warnings
 (Closes:  #763686).
diff -Nru 
imagemagick-6.8.9.9/debian/patches/0001-Use-svg-instead-of-png-for-generating-class-diagram.patch
 
imagemagick-6.8.9.9/debian/patches/0001-Use-svg-instead-of-png-for-generating-class-diagram.patch
--- 
imagemagick-6.8.9.9/debian/patches/0001-Use-svg-instead-of-png-for-generating-class-diagram.patch
   2014-10-28 18:50:28.0 +0100
+++ 
imagemagick-6.8.9.9/debian/patches/0001-Use-svg-instead-of-png-for-generating-class-diagram.patch
   2014-11-15 14:47:56.0 +0100
@@ -82,5 +82,5 @@
  # If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to
  # enable generation of interactive SVG images that allow zooming and panning.
 -- 
-2.1.1
+2.1.3
 
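Review bot: This hunk only bumps the `git format-patch` trailer from 2.1.1 to 2.1.3 and carries no functional change, and the same trailer-only hunks follow for the 0002, 0003 and 0004 patch files; regenerating the patches with `git format-patch --no-signature` (or stripping the trailer) keeps the debdiff limited to the real changes and makes review easier.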
diff -Nru imagemagick-6.8.9.9/debian/patches/0002-Fix-html-documents.patch 
imagemagick-6.8.9.9/debian/patches/0002-Fix-html-documents.patch
--- imagemagick-6.8.9.9/debian/patches/0002-Fix-html-documents.patch
2014-10-28 18:50:29.0 +0100
+++ imagemagick-6.8.9.9/debian/patches/0002-Fix-html-documents.patch
2014-11-15 14:47:56.0 +0100
@@ -5152,5 +5152,5 @@
 +!-- Magick Cache 25th July 2014 04:06 --
 +
 -- 
-2.1.1
+2.1.3
 
diff -Nru 
imagemagick-6.8.9.9/debian/patches/0003-Fix-meta-tag-damage-in-html-documentation.patch
 
imagemagick-6.8.9.9/debian/patches/0003-Fix-meta-tag-damage-in-html-documentation.patch
--- 
imagemagick-6.8.9.9/debian/patches/0003-Fix-meta-tag-damage-in-html-documentation.patch
 2014-10-28 18:50:30.0 +0100
+++ 
imagemagick-6.8.9.9/debian/patches/0003-Fix-meta-tag-damage-in-html-documentation.patch
 2014-11-15 14:47:57.0 +0100
@@ -2290,5 +2290,5 @@
 \ No newline at end of file
 +!-- Magick Cache 25th July 2014 05:32 --
 -- 
-2.1.1
+2.1.3
 
diff -Nru 
imagemagick-6.8.9.9/debian/patches/0004-Fix-remaining-html-error.patch 
imagemagick-6.8.9.9/debian/patches/0004-Fix-remaining-html-error.patch
--- imagemagick-6.8.9.9/debian/patches/0004-Fix-remaining-html-error.patch  
2014-10-28 18:50:30.0 +0100
+++ imagemagick-6.8.9.9/debian/patches/0004-Fix-remaining-html-error.patch  
2014-11-15 14:47:57.0 +0100
@@ -162,5 +162,5 @@
  
  /div
 -- 
-2.1.1
+2.1.3
 
diff -Nru 
imagemagick-6.8.9.9/debian/patches/0005-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch
 
imagemagick-6.8.9.9/debian/patches/0005-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch
--- 
imagemagick-6.8.9.9/debian/patches/0005-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch
1970-01-01 01:00:00.0 +0100
+++ 
imagemagick-6.8.9.9/debian/patches/0005-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch
2014-11-15 14:47:57.0 +0100
@@ -0,0 +1,33 @@
+From b61b7f4f0e705b6a9a9ba8b8af898a406b0fc87e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= roucaries.bast...@gmail.com
+Date: Fri, 7 Nov 2014 21:05:07 +0100
+Subject: [PATCH] Avoid crash and DOS with special crafted jpeg file
+
+Some special crafted JPEG file could lead to dos due to missing check in
+embeded EXIF properties (EXIF directory offsets must be greater than 0).
+
+Fix CVE-2014-8716.
+
+Forwarded: 
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3t=26456
+Bug-debian: http://bugs.debian.org/768494
+Applied-Upstream: 6.9.9.10
+---
+ magick/property.c | 2 ++
+ 1 file changed, 2 insertions
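Review bot: the hunk header declares 33 added lines, but the excerpt stops at the diffstat (`magick/property.c | 2 ++`), so the two-line change that adds the "EXIF directory offsets must be greater than 0" check is not visible here and the fix for CVE-2014-8716 cannot be verified from this debdiff as archived; please make sure the patch body matches the upstream fix. Two header nits: `Applied-Upstream: 6.9.9.10` looks like a typo for the 6.8.9.x series this package tracks (please confirm the version), and the `Forwarded:` URL as shown has lost the `&` between `f=3` and `t=26456`. The description also has "embeded" for "embedded".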

Bug#769697: unblock: xmorph/20140707

2014-11-15 Thread bastien ROUCARIÈS
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock xmorph, which fixes an RC bug.

*Bug fix: fails to upgrade from wheezy - trying to overwrite
/usr/share/man/man1/morph.1.gz, thanks to Andreas Beckmann (Closes:
#767834).


--- xmorph-20140707/debian/changelog2014-07-07 00:01:03.0 +0200
+++ xmorph-20140707.1/debian/changelog  2014-11-15 15:47:27.0 +0100
@@ -1,3 +1,12 @@
+xmorph (1:20140707+nmu.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Bug fix: fails to upgrade from wheezy - trying to overwrite
+/usr/share/man/man1/morph.1.gz, thanks to Andreas Beckmann (Closes:
+#767834).
+
+ -- Bastien Roucariès roucaries.bastien+deb...@gmail.com  Sat, 15 Nov 2014 
15:47:21 +0100
+
 xmorph (1:20140707) unstable; urgency=low
 
   [ A Mennucc1 ]
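Review bot: the version introduced here is `1:20140707+nmu.1`, but the request line below reads `unblock xmorph/20140707`; the release team needs the exact new version, so the unblock line should name `1:20140707+nmu.1`. Also note that the conventional NMU suffix for a native package is `+nmu1` (no dot), and the source directory is named `xmorph-20140707.1` in the changelog header but `xmorph-20140707+nmu.1` in the control diff line, so the debdiff was evidently generated from differently named trees.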
diff -Nru xmorph-20140707/debian/control xmorph-20140707+nmu.1/debian/control
--- xmorph-20140707/debian/control  2014-07-06 23:42:09.0 +0200
+++ xmorph-20140707.1/debian/control2014-11-15 15:49:41.0 +0100
@@ -10,6 +10,8 @@
 Package: libmorph
 Architecture: any
 Depends: ${misc:Depends}, ${shlibs:Depends}


+Breaks: xmorph ( 1:20140707~)


+Replaces: xmorph ( 1:20140707~)  


 Priority: optional 


 Section: libs  


 Description: digital image warping library   

unblock xmorph/20140707

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/20141115165320.27547.6559.report...@bastien-debian.roucaries.org