Candidates for removal from testing (2013-01-24)

2013-01-25 Thread Niels Thykier
Hi,

We are considering removing the following packages from testing as
they have unfixed RC bugs filed against them. The packages can be
found in the attached dd-list.  The bugs that put them on this list
can be found in the removals file (also attached) just above the
package name.

The packages have been selected based on the following criteria:
 * The package had at least one RC bug without activity for the past
   14 days.
 * If a bug is assigned to multiple packages, both packages will be
   affected.
 * The RC bug affects both unstable and testing.
 * The affected package does not have any reverse dependencies in
   testing.

If the relevant RC bugs in the affected packages are not dealt with
/before/ Thursday the 31st of Jan., the packages will be removed from
testing.  Note that dealt with may also include downgrading a
severity-inflated bug or fixing affected versions in the BTS.

Please remember to file unblock bugs for packages fixed via uploads to
unstable (and tpu bugs for requests to fix the package via a tpu
upload).

Should you need a bit more time than given, please do not hesitate to
contact us.  It is also easier for us if we can avoid having to
reintroduce a removed package.

We will check the DELAYED queues before activating the removal hints, so
NMUs in the DELAYED queues will be given a chance to reach unstable.

Thanks,
Niels (on behalf of the Release Team)

The bugs were found using the tools from:
  svn://svn.debian.org/svn/collab-qa/rc-buggy-leaf-packages


http://release.debian.org/wheezy/freeze_policy.html

  --88-- dd-list --88--
Debian Java Maintainers pkg-java-maintainers@lists.alioth.debian.org
   jenkins

Debian QA Group packa...@qa.debian.org
   bzr-gtk

James Page james.p...@ubuntu.com
   jenkins (U)

Pierre Chifflier pol...@debian.org
   glpi

Romain Beauxis to...@rastageeks.org
   lastfmproxy

Wouter Verhelst wou...@debian.org
   pmw

  --88-- end of dd-list --88--

  --88-- removals --88--
# #697402
remove bzr-gtk/0.103.0+bzr792-3

# #694642
remove glpi/0.83.31-1

# #696816
remove jenkins/1.447.2+dfsg-2

# #694589
remove lastfmproxy/1.3b-2

# #696844
remove pmw/1:4.24-1

  --88-- end of removals --88--

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.


[bts-link] source package eclipse

2013-01-25 Thread bts-link-upstream
#
# bts-link upstream status pull for source package eclipse
# see http://lists.debian.org/debian-devel-announce/2006/05/msg1.html
#

user bts-link-upstr...@lists.alioth.debian.org

# remote status report for #595282 (http://bugs.debian.org/595282)
# Bug title: eclipse: Update 3.5.2-5 -> 3.5.2-6 causes Android SDK plugin to stop working
#  * https://bugs.eclipse.org/bugs/show_bug.cgi?id=304132
#  * remote status changed: NEW -> ASSIGNED
forwarded 595282 https://bugs.eclipse.org/bugs/show_bug.cgi?id=351485, merged-upstream: https://bugs.eclipse.org/bugs/show_bug.cgi?id=304132
usertags 595282 - status-NEW
usertags 595282 + status-ASSIGNED

thanks

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#696816: jenkins: Security issues were found in Jenkins core

2013-01-25 Thread Steven McDonald
Hi there,

The issue was raised on debian-devel[0] that this bug still affects
unstable and is causing jenkins to be a candidate for removal from
wheezy. I have backported the fixes for these issues from upstream git;
they are attached to this e-mail as separate quilt patches for the sake
of cleanliness.

I have also uploaded a source NMU package[1] to mentors.debian.net,
which I intend to seek sponsorship for if I don't get a reply to this
bug report within 72 hours (as the deadline given by the Release Team
for removal from testing is 31st January).

Please let me know if you need anything further from me.

Thanks,
Steven.

[0] Thread Candidates for removal from testing (2013-01-24), which
doesn't seem to be in the web archives yet.

[1] http://mentors.debian.net/package/jenkins
Description: Cherry-picked fix from 1.480.1
 Security issue:
   - CVE-2012-6073 open redirect
Origin: Upstream, commit ab0ac1ac499f734892c2203edc508a6dbf5fa42d
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696816
--- a/core/src/main/java/hudson/Util.java
+++ b/core/src/main/java/hudson/Util.java
@@ -1173,6 +1173,31 @@
 }
 
 /**
+ * Return true if the systemId denotes an absolute URI .
+ *
+ * The same algorithm can be seen in {@link URI}, but
+ * implementing this by ourselves allow it to be more lenient about
+ * escaping of URI.
+ */
+public static boolean isAbsoluteUri(String uri) {
+int idx = uri.indexOf(':');
+if (idx0)  return false;   // no ':'. can't be absolute
+
+// #, ?, and / must not be before ':'
+return idx_indexOf(uri, '#')  idx_indexOf(uri,'?')  idx_indexOf(uri,'/');
+}
+
+/**
+ * Works like {@link String#indexOf(int)} but 'not found' is returned as s.length(), not -1.
+ * This enables more straight-forward comparison.
+ */
+private static int _indexOf(String s, char ch) {
+int idx = s.indexOf(ch);
+if (idx0)  return s.length();
+return idx;
+}
+
+/**
  * Loads a key/value pair string as {@link Properties}
  * @since 1.392
  */
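Review bot: isAbsoluteUri returns false for any string that contains no ':', so a scheme-relative target such as //evil.example/path is classed as "not absolute" even though browsers resolve it to another host; both callers in this patch rely on this method to stop open redirects, so consider also rejecting values that start with "//" (or, more robustly, parsing the value and comparing its host against the request's own) rather than keying on the position of ':' alone. Minor points in the same hunk: the Javadoc talks about "systemId" while the parameter is named uri, and uri.indexOf(':') will throw on a null argument, which is acceptable only as long as every caller checks for null first, as the two in this patch do.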
--- a/core/src/main/java/hudson/model/DirectoryBrowserSupport.java
+++ b/core/src/main/java/hudson/model/DirectoryBrowserSupport.java
@@ -137,7 +137,7 @@
 String pattern = req.getParameter(pattern);
 if(pattern==null)
 pattern = req.getParameter(path); // compatibility with Hudson1.129
-if(pattern!=null) {
+if(pattern!=null  !Util.isAbsoluteUri(pattern)) {// avoid open redirect
 rsp.sendRedirect2(pattern);
 return;
 }
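Review bot: when the new guard rejects an absolute pattern the request simply falls through to the code after the if, with no error response and no log line, so an attempted open redirect is indistinguishable from a request with no pattern at all; consider answering with 400 or at least logging the rejected value so administrators can see it. This guard also inherits the gap in isAbsoluteUri: a pattern of //host/path contains no ':' and is still handed to rsp.sendRedirect2(pattern).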
--- a/core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java
+++ b/core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java
@@ -31,6 +31,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import hudson.Util;
 import org.acegisecurity.AuthenticationException;
 import org.acegisecurity.ui.webapp.AuthenticationProcessingFilter;
 
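Review bot: import placement in this hunk breaks the file's existing grouping, as hudson.Util is inserted between the javax.servlet block and the org.acegisecurity block; move it next to the other hudson.* imports (or into its own group) to keep the ordering consistent.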
@@ -50,6 +51,9 @@
 if (targetUrl == null)
 return getDefaultTargetUrl();
 
+if (Util.isAbsoluteUri(targetUrl))
+return .; // avoid open redirect
+
 // URL returned from determineTargetUrl() is resolved against the context path,
 // whereas the from URL is resolved against the top of the website, so adjust this.
 if(targetUrl.startsWith(request.getContextPath()))
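Review bot: the two early returns in this method now disagree: a missing targetUrl returns getDefaultTargetUrl(), but an absolute one returns "." (shown as `return .;` in the quoted hunk), which is then resolved against the context path by the code that follows; returning getDefaultTargetUrl() in both cases would land the user on the same page regardless of why the from parameter was rejected and avoids a second hard-coded target. Doing the check before the contextPath adjustment is the right order, but it shares the scheme-relative (//host) blind spot of isAbsoluteUri noted above.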
--- a/core/src/test/java/hudson/UtilTest.java
+++ b/core/src/test/java/hudson/UtilTest.java
@@ -230,4 +230,14 @@
 			}
 		}
 }
+
+public void testIsAbsoluteUri() {
+assertTrue(Util.isAbsoluteUri(http://foobar/;));
+assertTrue(Util.isAbsoluteUri(mailto:k...@kohsuke.org));
+assertTrue(Util.isAbsoluteUri(d123://test/));
+assertFalse(Util.isAbsoluteUri(foo/bar/abc:def));
+assertFalse(Util.isAbsoluteUri(foo?abc:def));
+assertFalse(Util.isAbsoluteUri(foo#abc:def));
+assertFalse(Util.isAbsoluteUri(foo/bar));
+}
 }
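Review bot: testIsAbsoluteUri covers scheme, mailto and custom-scheme positives and a few relative negatives, but not the inputs that decide whether the redirect guard is effective: the empty string, a scheme-relative "//foobar/" and a value with leading whitespace such as " http://foobar/". Add assertions for those so the intended behaviour is pinned down either way. Also, the first literal reads http://foobar/; in the quoted patch, which looks like a mangled string literal; check the file on disk before applying.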
Description: Cherry-picked fix from 1.480.1
 Security issue:
   - CVE-2012-6074 cross-site scripting vulnerability
Origin: Upstream, commit 1d48e7bf8254349a19328d56bd8006635a95866d
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696816
--- a/core/src/main/resources/hudson/widgets/HistoryWidget/entry.jelly
+++ b/core/src/main/resources/hudson/widgets/HistoryWidget/entry.jelly
@@ -68,7 +68,7 @@
 tr class=${transitive}
   td/td
   td colspan=2 class=desc
-j:out value=${build.truncatedDescription}/
+j:out value=${app.markupFormatter.translate(build.truncatedDescription)}/
   /td
 /tr
   /j:if
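Review bot: the protection added here depends entirely on which MarkupFormatter the instance is configured with, since j:out still emits whatever app.markupFormatter.translate() returns without escaping; if the configured formatter passes HTML through unchanged, the build description is rendered raw exactly as before. The patch description for CVE-2012-6074 should state that the fix is only effective with a sanitising formatter, and a test rendering a description containing a script tag under the default formatter would confirm what the default actually does.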



Bug#697617: login regression

2013-01-25 Thread Julian Taylor
the fix introduced a very annoying regression:
see https://issues.jenkins-ci.org/browse/JENKINS-16278

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#698974: libjsyntaxpane-java: Need update to 0.9.5~r156

2013-01-25 Thread Felix Natter
Package: libjsyntaxpane-java
Version: 0.9.5~r148-2
Severity: important

Dear Maintainer,

I am in the process of packaging freeplane 1.2.20, and this
requires jsyntaxpane 0.9.5~r156. Now I checked that (in testing)
only umlet and freeplane depend on libjsyntaxpane-java,
and both packages work better with r156 than with r148
(I built umlet 11.3-5 from unstable and with jsyntaxpane
0.9.5~r148 the editor pane has no highlighting, but with
0.9.5~r156 it seems to work fine).

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-1-686-pae (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- no debconf information

-- 
Felix Natter

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#698975: maven: Install 3.x poms

2013-01-25 Thread Andrew Ross
Package: maven
Version: 3.0.4-5
Severity: normal

Dear Maintainer,

It would be very helpful for packaging of dependent packages if the poms for 
this package could also install 3.x symlinks where possible. This would avoid 
the potential need to update dependent packages when maven gets updated.

Thanks,
Andy

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#698998: felix-main: felix-framework requires java-wrappers to be installed, but it's not listed as a dependency

2013-01-25 Thread Sjors Gielen
Package: felix-main
Version: 4.0.1-2
Severity: important

felix-main includes a script called felix-framework, which is a short-hand
for starting the Felix framework in one go. This script sources the file
/usr/lib/java-wrappers/java-wrappers.sh without checking whether that file
exists. The file comes from the java-wrappers package, but that package is not
listed as a dependency for felix-main. This causes using the felix-framework
tool to fail if java-wrappers is not installed.

Two solutions are possible: java-wrappers can be added as a run-time dependency
for the felix-main package, or a check can be added to the tool not to source
the /usr/lib/java-wrappers/java-wrappers.sh file if it doesn't exist.

Without the felix-framework short-hand, the Felix framework can still be used
by calling java -jar /usr/share/felix-framework/bin/felix.jar yourself.
Therefore I'm giving this bug Severity: important for breaking a normal
use-case but not breaking the package completely.

sjors@foo:~$ felix-framework
/usr/bin/felix-framework: 9: .: Can't open 
/usr/lib/java-wrappers/java-wrappers.sh
sjors@foo:~$ sudo apt-get install java-wrappers
[…]
sjors@foo:~$ felix-framework
[…]
Welcome to Apache Felix Gogo

g!

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages felix-main depends on:
ii  libfelix-bundlerepository-java  1.6.6-1
ii  libfelix-gogo-command-java  0.12.0-2
ii  libfelix-gogo-runtime-java  0.10.0-2
ii  libfelix-gogo-shell-java0.10.0-2
ii  libfelix-main-java  4.0.1-2

felix-main recommends no packages.

Versions of packages felix-main suggests:
pn  libfelix-main-java-doc  none

-- no debconf information

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.
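The second fix proposed in the report above, a launcher that only sources java-wrappers.sh when the file is actually present and otherwise falls back to plain java -jar, as an added example; this is not the felix-main script from the package. The wrapper path and jar path are taken from the report, the helper names find_java_runtime and run_java are assumed to be the ones java-wrappers.sh provides, and felix_launcher only reports which branch would be taken so the decision can be checked without a JVM.

```shell
#!/bin/sh
# Added example: guarded sourcing of java-wrappers.sh with a fallback.
# Paths below come from the bug report; override them via the environment.
JAVA_WRAPPERS="${JAVA_WRAPPERS:-/usr/lib/java-wrappers/java-wrappers.sh}"
FELIX_JAR="${FELIX_JAR:-/usr/share/felix-framework/bin/felix.jar}"

# Decide how Felix will be started. Prints "wrappers" when java-wrappers.sh
# is present and readable, "plain" when we must fall back to java -jar.
# The unconditional ". /usr/lib/java-wrappers/java-wrappers.sh" in the report
# is exactly the step this check protects.
felix_launcher() {
    if [ -r "$JAVA_WRAPPERS" ]; then
        echo wrappers
    else
        echo plain
    fi
}

# Start the framework. With java-wrappers available we use its helpers
# (find_java_runtime / run_java, assumed names) so the JVM selection follows
# the Debian policy; without it we require a java binary on PATH and fail
# with a readable message instead of the "Can't open" error from the report.
felix_run() {
    case "$(felix_launcher)" in
      wrappers)
        . "$JAVA_WRAPPERS"
        find_java_runtime
        run_java -jar "$FELIX_JAR" "$@"
        ;;
      plain)
        if ! command -v java >/dev/null 2>&1; then
            echo "felix-framework: no java runtime found and $JAVA_WRAPPERS is missing" >&2
            return 1
        fi
        exec java -jar "$FELIX_JAR" "$@"
        ;;
    esac
}
```

Adding java-wrappers to Depends, the first option in the report, is still the simpler fix for the package; the guard is what a script should do when the helper is genuinely optional, and it keeps the error message pointing at the real cause rather than at a failed dot-source on line 9.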