Bug#989713: libsane1: add recommends on sane-airscan

2021-06-10 Thread Paul Wise
Package: libsane1
Version: 1.0.31-4
Severity: important
X-Debbugs-CC: debian-print...@lists.debian.org

There is nothing in Debian bullseye that depends on sane-airscan, which
means that driverless scanning will not work out of the box on the
default GNOME install and live images, which install simple-scan.

Ubuntu have added Recommends: sane-airscan to libsane1:

   
https://patches.ubuntu.com/s/sane-backends/sane-backends_1.0.32-0ubuntu2.patch

I suggest that Debian adopt the same change as Ubuntu.

Since this change probably does not meet the freeze policy,
you will need to file an unblock request with the release team.

   https://release.debian.org/bullseye/freeze_policy.html

-- System Information:
Debian Release: 11.0
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 
'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 
'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental'), 
(500, 'testing-security')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-7-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libsane1 depends on:
ii  acl                2.2.53-10
ii  adduser            3.118
ii  libavahi-client3   0.8-5
ii  libavahi-common3   0.8-5
ii  libc6              2.31-12
ii  libcairo2          1.16.0-5
ii  libcurl3-gnutls    7.74.0-1.2
ii  libgcc-s1          10.2.1-6
ii  libglib2.0-0       2.68.1-2
ii  libgphoto2-6       2.5.27-1
ii  libgphoto2-port12  2.5.27-1
ii  libieee1284-3      0.2.11-14
ii  libjpeg62-turbo    1:2.0.6-4
ii  libpng16-16        1.6.37-3
ii  libpoppler-glib8   20.09.0-3.1
ii  libsane-common     1.0.31-4
ii  libsnmp40          5.9+dfsg-3+b1
ii  libstdc++6         10.2.1-6
ii  libtiff5           4.2.0-1
ii  libusb-1.0-0       2:1.0.24-3
ii  libxml2            2.9.10+dfsg-6.7
ii  udev               247.3-5

Versions of packages libsane1 recommends:
ii  ipp-usb 0.9.17-3+b3
ii  sane-utils  1.0.31-4

Versions of packages libsane1 suggests:
ii  avahi-daemon  0.8-5
ii  hplip 3.21.2+dfsg1-2

-- no debconf information

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


signature.asc
Description: This is a digitally signed message part


Bug#989567: debconf.postinst is completely unnecessary unless upgrading from pre-etch

2021-06-10 Thread Helmut Grohne
Hi Chris,

On Thu, Jun 10, 2021 at 08:30:55PM +0200, Chris Hofstaedtler wrote:
> * Helmut Grohne  [210610 18:30]:
> [..]
> > -   /usr/share/debconf/transition_db.pl
> > -   /usr/share/debconf/fix_db.pl
> 
> From a very quick look, these scripts could also then be removed,
> possibly?

I fully concur. Thank you. Patch updated.

Helmut
diff --minimal -Nru debconf-1.5.76/Makefile debconf-1.5.76+nmu1/Makefile
--- debconf-1.5.76/Makefile 2021-03-20 14:14:50.0 +0100
+++ debconf-1.5.76+nmu1/Makefile2021-06-07 20:02:34.0 +0200
@@ -63,7 +63,6 @@
# Other libs and helper stuff.
install -m 0644 confmodule.sh confmodule $(prefix)/usr/share/debconf/
install frontend $(prefix)/usr/share/debconf/
-   install -m 0755 transition_db.pl fix_db.pl $(prefix)/usr/share/debconf/
# Install essential programs.
install -d $(prefix)/usr/sbin $(prefix)/usr/bin
find . -maxdepth 1 -perm /100 -type f -name 'dpkg-*' | \
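
Review bot: The dropped `install -m 0755 transition_db.pl fix_db.pl` line stops shipping the two scripts, but nothing in the part of the patch shown here deletes transition_db.pl and fix_db.pl from the source tree, although the changelog entry says the associated scripts are deleted. Remove the files themselves in the same upload and grep the tree for remaining references, so that no dead upgrade code is left behind.
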
diff --minimal -Nru debconf-1.5.76/debian/changelog 
debconf-1.5.76+nmu1/debian/changelog
--- debconf-1.5.76/debian/changelog 2021-03-20 14:14:50.0 +0100
+++ debconf-1.5.76+nmu1/debian/changelog2021-06-07 20:02:34.0 
+0200
@@ -1,3 +1,11 @@
+debconf (1.5.76+nmu1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Delete debconf postinst script and associated scripts as they only handle
+upgrades from pre-etch.  (Closes: #-1)
+
+ -- Helmut Grohne   Mon, 07 Jun 2021 20:02:34 +0200
+
 debconf (1.5.76) unstable; urgency=medium
 
   [ Colin Watson ]
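
Review bot: `(Closes: #-1)` in the new changelog entry is still the placeholder for a bug number that had not been assigned yet and would close nothing on upload; replace it with the real number (this report is #989567). The entry could also name the newest version the removed code handled (upgrades from before 1.3.11, per the guards in debian/postinst), so that the claim about pre-etch upgrades can be checked from the changelog alone.
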
diff --minimal -Nru debconf-1.5.76/debian/postinst 
debconf-1.5.76+nmu1/debian/postinst
--- debconf-1.5.76/debian/postinst  2021-03-20 14:14:50.0 +0100
+++ debconf-1.5.76+nmu1/debian/postinst 1970-01-01 01:00:00.0 +0100
@@ -1,72 +0,0 @@
-#!/bin/sh
-set -e
-
-if [ -z "$DEBIAN_HAS_FRONTEND" ] && [ "$1" = configure ] && [ -n "$2" ] && \
-   dpkg --compare-versions "$2" lt 1.1.0; then
-   # Transition from old database format before debconf starts up.
-   if dpkg --compare-versions "$2" lt 0.9.00; then
-   if [ -e /var/lib/debconf/config.db -o -e 
/var/lib/debconf/templates.db ]; then
-   /usr/share/debconf/transition_db.pl
-   fi
-   # This package used to add itself to apt.conf. That could 
result in
-   # a zero-byte file, since it no longer does. Detect that and 
remove
-   # the file.
-   if [ ! -s /etc/apt/apt.conf ]; then
-   rm -f /etc/apt/apt.conf
-   fi
-   fi
-   
-   # Fix up broken db's before debconf starts up.
-   if dpkg --compare-versions "$2" lt 1.0.25; then
-   /usr/share/debconf/fix_db.pl
-   fi
-   
-   # configdb splits into passworded and non-passworded parts, before 
debconf
-   # starts up. Do so only if the debconf.conf has the new databases in it.
-   if dpkg --compare-versions "$2" lt 1.1.0 &&
-  perl -e 'use Debconf::Db; Debconf::Db->load; for (@ARGV) { exit 1 
unless
-   Debconf::DbDriver->driver($_) }' config passwords; then
-   # copies in only the passwords, of course
-   debconf-copydb config passwords
-   # makes a new config with only non-passwords in it
-   debconf-copydb config newconfig \
-   -c Name:newconfig \
-   -c Driver:File \
-   -c Reject-Type:password \
-   -c Filename:/var/cache/debconf/newconfig.dat \
-   -c Mode:644
-   mv -f /var/cache/debconf/newconfig.dat 
/var/cache/debconf/config.dat
-   fi
-fi
-
-. /usr/share/debconf/confmodule
-
-if [ "$1" = configure ] && [ -n "$2" ] && dpkg --compare-versions "$2" lt 
1.3.11; then
-   # Remove old debconf database, and associated cruft in /var/lib/debconf.
-   # In fact, the whole directory can go! Earlier versions of debconf in 
the
-   # 0.9.x series kept it just in case, so make sure to delete it on 
upgrade
-   # from any of those versions, or even older versions.
-   if dpkg --compare-versions "$2" lt 0.9.50; then
-   rm -rf /var/lib/debconf
-   fi
-
-   # Kill db cruft.
-   if dpkg --compare-versions "$2" lt 0.9.73; then
-   # It may not be present, if upgrading from long ago.
-   db_unregister foo/bar || true
-   db_unregister debconf/switch-to-slang || true
-   fi
-   if dpkg --compare-versions "$2" lt 1.3.11; then
-   db_unregister debconf/showold || true
-   fi
-
-   # The Text frontend became the Readline frontend.
-   if dpkg --compare-versions "$2" lt 1.0.10; then
-   db_get debconf/frontend || true
-   if [ "$RET" = Text ]; then
-   db_set debconf/frontend Readline || true
-   fi
-   fi
-
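
Review bot: The removed script sources /usr/share/debconf/confmodule outside both version guards, so deleting debian/postinst changes what happens on every run and not only on upgrades from old versions: the package no longer starts a debconf frontend from its postinst at all. If that is intended, say so in the changelog entry. The listing also ends before the 72 removed lines announced in the hunk header, so the tail of the script is not covered by this comment.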

Bug#989712: delete cruft from passwd and login maintainer scripts

2021-06-10 Thread Helmut Grohne
Source: shadow
Version: 1:4.8.1-1
Tags: patch

The maintainer scripts have accumulated a bit of obsolete code over
time. This code becomes problematic as we are in the process of changing
the installation bootstrap. Less code means fewer things we touch.
Therefore, I ask for cleaning up this code. In detail:

 * The code for dealing with logoutd can be removed, because it was
   already absent in buster (probably longer) and we don't support skip
   upgrades.
 * The creation of /etc/subuid and /etc/subgid is duplicated inside
   login.postinst. Initialize only once.
 * login.preinst and passwd.preinst handle upgrades from pre 1:4.0.3 and
   can be deleted.

Please consider applying the attached patch.

Helmut
diff --minimal -Nru shadow-4.8.1/debian/changelog shadow-4.8.1/debian/changelog
--- shadow-4.8.1/debian/changelog   2020-02-07 15:54:14.0 +0100
+++ shadow-4.8.1/debian/changelog   2021-06-11 07:55:31.0 +0200
@@ -1,3 +1,13 @@
+shadow (1:4.8.1-1.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Remove obsolete upgrade code from maintainer scripts. (Closes: #-1)
++ logoutd is gone since at least buster.
++ Delete duplicate subuid/subgid creation.
++ Delete preinsts upgrading from 1:4.0.3.
+
+ -- Helmut Grohne   Fri, 11 Jun 2021 07:55:31 +0200
+
 shadow (1:4.8.1-1) unstable; urgency=medium
 
   * debian/default/useradd: Fix typo DHSELL -> DSHELL (Closes: #897028)
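
Review bot: `(Closes: #-1)` is still the placeholder and has to become the real bug number (#989712) before upload. In the third sub-item, "Delete preinsts upgrading from 1:4.0.3" should read "from before 1:4.0.3", matching the `dpkg --compare-versions $2 lt 1:4.0.3` test in the deleted login.preinst.
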
diff --minimal -Nru shadow-4.8.1/debian/login.postinst 
shadow-4.8.1/debian/login.postinst
--- shadow-4.8.1/debian/login.postinst  2020-02-07 15:54:14.0 +0100
+++ shadow-4.8.1/debian/login.postinst  2021-06-11 07:53:36.0 +0200
@@ -2,18 +2,5 @@
 
 set -e
 
-if test "$1" = configure
-then
-   if test -f /etc/init.d/logoutd
-   then 
-   if test "$(md5sum /etc/init.d/logoutd)" = 
"9080f92783dd53f6f2108e698c06bd53  /etc/init.d/logoutd"
-   then
-   echo "removing logoutd cruft"
-   rm /etc/init.d/logoutd
-   update-rc.d logoutd remove
-   fi
-   fi
-fi
-rm -f /etc/pam.d/login.pre-upgrade 2>/dev/null
 
 if [ "$1" = "configure" ]; then
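
Review bot: The `rm -f /etc/pam.d/login.pre-upgrade` line is removed together with the logoutd block, but it has nothing to do with logoutd: it cleans up the backup that remove_md5 in login.preinst creates with `cp $1 $1.pre-upgrade`. Dropping it is consistent with deleting the preinst, but it should be listed as its own item in the changelog rather than riding along with the logoutd removal.
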
@@ -38,19 +26,6 @@
fi
 fi
 
-# Create subuid/subgid if missing
-if [ ! -e /etc/subuid ]; then
-touch /etc/subuid
-chown root:root /etc/subuid
-chmod 644 /etc/subuid
-fi
-
-if [ ! -e /etc/subgid ]; then
-touch /etc/subgid
-chown root:root /etc/subgid
-chmod 644 /etc/subgid
-fi
-
 #DEBHELPER#
 
 exit 0
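
Review bot: The removed /etc/subuid and /etc/subgid block sits after the closing `fi` of the preceding conditional, so it ran on every postinst invocation and created the files as root:root with mode 644. The copy that is kept is not visible in this hunk; confirm that it is reached in the same cases and sets the same owner and mode, otherwise a system where the files are missing ends up without them or with different permissions.
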
diff --minimal -Nru shadow-4.8.1/debian/login.preinst 
shadow-4.8.1/debian/login.preinst
--- shadow-4.8.1/debian/login.preinst   2020-02-07 15:54:14.0 +0100
+++ shadow-4.8.1/debian/login.preinst   1970-01-01 01:00:00.0 +0100
@@ -1,52 +0,0 @@
-#! /bin/sh
-
-#
-# see: dh_installdeb(1)
-
-set -e
-
-# summary of how this script can be called:
-#*  `install'
-#*  `install' 
-#*  `upgrade' 
-#*  `abort-upgrade' 
-#
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-remove_md5() {
-if md5sum $1 2>/dev/null |grep -q $2; then
-   cp $1 $1.pre-upgrade
-   sed -e '/^[^#][ \t]*assword[ \t]*required[ \t]*pam_unix.so/ s/ md5$//' 
$1 >$1.post-upgrade \
-   && mv $1.post-upgrade $1
-fi
-}
-
-
-case "$1" in
-install|upgrade)
-if [ "x$2" != "x" ] ; then
-   if dpkg --compare-versions $2 lt 1:4.0.3 ; then
-   remove_md5 /etc/pam.d/login 5e61c3334e25625fe1fa4d79cf9123ff
-   fi
-   fi
-   
-;;
-
-abort-upgrade)
-;;
-
-*)
-echo "preinst called with unknown argument \`$1'" >&2
-exit 1
-;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
-
-
diff --minimal -Nru shadow-4.8.1/debian/passwd.postinst 
shadow-4.8.1/debian/passwd.postinst
--- shadow-4.8.1/debian/passwd.postinst 2020-02-07 15:54:14.0 +0100
+++ shadow-4.8.1/debian/passwd.postinst 2021-06-11 07:54:40.0 +0200
@@ -4,19 +4,5 @@
 
 case "$1" in
 configure)
-# Fix permissions on various log files from old versions of the debian
-# installer, some unrelated to passwd but we decided to put the fix
-# here since there was no better place. This can safely be removed
-# after etch is released.
-if dpkg --compare-versions "$2" lt "1:4.0.14-9"; then
-   for log in /var/log/base-config* \
-   $(find /var/log/debian-installer/ /var/log/installer/ -type 
f 2>/dev/null ); do
-   if [ -e "$log" ]; then
-   chmod 600 "$log"
-   fi
-done
-fi
-
-rm -f /etc/pam.d/passwd.pre-upgrade 2>/dev/null
if ! getent group shadow | grep -q '^shadow:[^:]*:42'
then
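
Review bot: The deleted `chmod 600 "$log"` loop over /var/log/base-config*, /var/log/debian-installer/ and /var/log/installer/ is mentioned neither in the bug description nor in the changelog entry, which list only logoutd, the subuid/subgid duplication and the preinsts. Add a changelog line for it and for the `rm -f /etc/pam.d/passwd.pre-upgrade` cleanup; the guard `lt "1:4.0.14-9"` and the comment about removal after etch give the justification.
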
diff 

Bug#989706: csvformat has a similar warning

2021-06-10 Thread Kingsley G. Morse Jr.
$ echo -e "1,2,3\n4,5,6\n7,8" | csvformat -d , -D ,
/usr/lib/python3/dist-packages/unittest2/compatibility.py:143: 
DeprecationWarning: Using or importing the ABCs from 'collections' instead of 
from 'collections.abc' is deprecated since Python 3.3, and in 3.10 it will stop 
working
1,2,3
4,5,6
7,8

-- 
Time is the fire in which we all burn.





Bug#989710: RFP: markdownlint -- A tool to check markdown files and flag style issues.

2021-06-10 Thread Jerome Charaoui

Package: wnpp
Severity: wishlist

* Package name : markdownlint
  Version  : 0.11.0
  Upstream Author  : Phil Dibowitz 
* URL  : https://github.com/markdownlint/markdownlint/
* License  : MIT
  Programming Lang : Ruby
  Description  : A tool to check markdown files and flag style issues.

This package provides a tool to validate the syntax of markdown files 
and highlight potential style-related issues. It allows creating custom 
collections of rules which may be enabled or disabled, or parameterized 
in a specific way, for a given project.




Bug#989709: ansible: yarn.py isn't compatible with the version of yarnpkg currently in Debian (error: unknown option '--no-emoji')

2021-06-10 Thread Louis-Philippe Véronneau
Package: ansible
Severity: important
Version: 2.10.7+merged+base+2.10.8+dfsg-1
Control: tags -1 patch

Dear maintainers,

When running a `yarn` command via ansible on a Bullseye machine, it
fails with this error:

fatal: [XXX.XXX.XXX.XXX]: FAILED! => {"changed": false, "cmd":
"/usr/bin/yarnpkg install --non-interactive --no-emoji", "msg": "error:
unknown option '--no-emoji'", "rc": 1, "stderr": "error: unknown option
'--no-emoji'\n", "stderr_lines": ["error: unknown option '--no-emoji'"],
"stdout": "", "stdout_lines": []}

It indeed appears this flag has been gone from `yarnpkg` since 2017 [1],
the new flag being `--emoji [bool]`. This parameter defaults to `false`,
so there's actually no need to pass it at all.

I'm marking this as important, since even when not using the ansible
yarn module, ansible still fails.

This is the handler I'm running to get the previously-mentioned error:

- name: yarn install
  yarn:
    executable: /usr/bin/yarnpkg
    path: /srv/vogol/frontend

I've attached a patch to this bug report. I've tested said patch and it
seems to solve the issue.

Cheers, and thanks for maintaining ansible in Debian.

PS: I'm not sure why the yarn.py file is duplicated by the way (it's in
ansible_collections/community/general/plugins/modules/yarn.py and
ansible_collections/community/general/plugins/modules/packaging/language/yarn.py).
The same exact file.

[1]:
https://github.com/yarnpkg/yarn/commit/10b82bb063c2e2feee669ddb9dfaf4126b74c7a7#diff-867becf4a9c2c6c6d4e7c1278750724e

-- 
  ⢀⣴⠾⠻⢶⣦⠀
  ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
  ⢿⡄⠘⠷⠚⠋   po...@debian.org / veronneau.org
  ⠈⠳⣄
diff --git a/debian/patches/0008-fix-yarn-emoji-error.patch b/debian/patches/0008-fix-yarn-emoji-error.patch
new file mode 100644
index 0..39279728a
--- /dev/null
+++ b/debian/patches/0008-fix-yarn-emoji-error.patch
@@ -0,0 +1,31 @@
+yarnpkg in Debian doesn't have the --no-emoji flag anymore, so using any yarn
+command via ansible fails. The new flag (--emoji [boo]) defaults to false, so
+there's no need to pass anything.
+Index: ansible/collections-debian-merged/ansible_collections/community/general/plugins/modules/packaging/language/yarn.py
+===
+--- ansible.orig/collections-debian-merged/ansible_collections/community/general/plugins/modules/packaging/language/yarn.py
 ansible/collections-debian-merged/ansible_collections/community/general/plugins/modules/packaging/language/yarn.py
+@@ -205,9 +205,6 @@ class Yarn(object):
+ cmd.append('--registry')
+ cmd.append(self.registry)
+ 
+-# always run Yarn without emojis when called via Ansible
+-cmd.append('--no-emoji')
+-
+ # If path is specified, cd into that path and run the command.
+ cwd = None
+ if self.path and not self.globally:
+Index: ansible/collections-debian-merged/ansible_collections/community/general/plugins/modules/yarn.py
+===
+--- ansible.orig/collections-debian-merged/ansible_collections/community/general/plugins/modules/yarn.py
 ansible/collections-debian-merged/ansible_collections/community/general/plugins/modules/yarn.py
+@@ -205,9 +205,6 @@ class Yarn(object):
+ cmd.append('--registry')
+ cmd.append(self.registry)
+ 
+-# always run Yarn without emojis when called via Ansible
+-cmd.append('--no-emoji')
+-
+ # If path is specified, cd into that path and run the command.
+ cwd = None
+ if self.path and not self.globally:
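
Review bot: The new debian/patches/0008-fix-yarn-emoji-error.patch carries a free-text description but no DEP-3 header fields; add `Description:`, `Author:`, `Bug-Debian: https://bugs.debian.org/989709` and a `Forwarded:` line stating whether the change was sent upstream. The description also has a typo, `--emoji [boo]` for `--emoji [bool]`. Since both copies of yarn.py get the identical three-line removal, a note in the header that the file is duplicated would help whoever refreshes the patch later.
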
diff --git a/debian/patches/series b/debian/patches/series
index b880a37b9..5da2abf08 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 0003-preserve-debian-dir.patch
 0005-use-py3.patch
 0007-fix-interpreter-fallback.patch
+0008-fix-yarn-emoji-error.patch




Bug#987368: Installer fails at first menu "Choose language"

2021-06-10 Thread Steve McIntyre
On Thu, Jun 10, 2021 at 12:11:05AM +0100, Steve McIntyre wrote:
>
>Looking at the history in this bug, things are not working as we hoped
>when we added the multi-console support. When I initially worked with
>Wookey on this, we didn't see errors like this at all in
>testing. That's not to say that there's *not* a problem here, but
>maybe other changes made since then have caused it to be uncovered.
>
>Multi-console support is a significant improvement for a number of
>non-x86 users. This is particularly the case for those with arm64
>systems where the firmware might default to the primary console being
>a serial port but the user doesn't even know that. We wanted to be
>able to start d-i on all the likely-looking consoles (serial *and* tty
>*and* graphical), allowing the user to interact with the one they
>preferred.
>
>In our testing, I don't remember ever seeing udpkg invocations racing
>against each other like this. But in my own testing for d-i Bullseye
>RC2 in an arm64 VM here I've just seen this exact problem myself so
>it's clearly a thing!
>
>I'm looking at udpkg now to see what I can do there. I'm hoping that
>it might be a reasonably quick fix to use filesystem-based locking around
>status file updates.

Having experimented with exactly that, after a little bit of tweaking
I think I've fixed the bug. Previously I could reproduce this bug
readily, ~75% of the time on my local arm64 VM. With my new udpkg
build included, I've just run things through a dozen times in
succession with no problem encountered. I think that's good enough, so
I've pushed and uploaded a new udpkg into unstable.

Please check back in a couple of days with a daily build and validate
this fixes things for you too.

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
< Aardvark> I dislike C++ to start with. C++11 just seems to be
handing rope-creating factories for users to hang multiple
instances of themselves.
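
The pattern the message above refers to, filesystem-based locking around status file updates, shown as an added example that is not udpkg's code and not part of the original message. The single-counter "status file", the function names and the choice of flock(2) are assumptions made for the illustration.

```c
/* Added illustration, not udpkg source: serialise read-modify-write updates
 * of a shared "status" file across processes with an advisory lock. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read the counter stored in the file, add one, write it back.
 * With use_lock set, the whole cycle runs under an exclusive flock(). */
static int bump_status(const char *path, int use_lock)
{
    char buf[32];
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return -1;
    if (use_lock) {
        while (flock(fd, LOCK_EX) != 0) {
            if (errno != EINTR) { close(fd); return -1; }
        }
    }
    ssize_t n = pread(fd, buf, sizeof buf - 1, 0);
    if (n < 0) { close(fd); return -1; }
    buf[n] = '\0';
    long value = strtol(buf, NULL, 10) + 1;
    int len = snprintf(buf, sizeof buf, "%ld\n", value);
    int ok = pwrite(fd, buf, (size_t)len, 0) == len && ftruncate(fd, len) == 0;
    close(fd); /* closing the descriptor also releases the lock */
    return ok ? 0 : -1;
}

/* Fork `procs` writers that each bump the file `rounds` times and return the
 * final counter value, or -1 on error. The temporary file is constructed
 * here and removed again before returning. */
long run_writers(int procs, int rounds, int use_lock)
{
    char path[] = "/tmp/status-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, "0\n", 2) != 2) { close(fd); unlink(path); return -1; }
    close(fd);

    int started = 0, failed = 0;
    for (int i = 0; i < procs; i++) {
        pid_t pid = fork();
        if (pid < 0) { failed = 1; break; }
        if (pid == 0) {
            /* Child: stands in for one installer instance on one console. */
            for (int r = 0; r < rounds; r++)
                if (bump_status(path, use_lock) != 0)
                    _exit(1);
            _exit(0);
        }
        started++;
    }
    for (int i = 0; i < started; i++) {
        int st;
        if (wait(&st) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) != 0)
            failed = 1;
    }

    long result = -1;
    if (!failed) {
        char buf[32] = {0};
        fd = open(path, O_RDONLY);
        if (fd >= 0) {
            if (read(fd, buf, sizeof buf - 1) > 0)
                result = strtol(buf, NULL, 10);
            close(fd);
        }
    }
    unlink(path);
    return result;
}

int main(void)
{
    /* With the lock every update survives; without it some are usually lost. */
    printf("locked:   %ld of 800 updates kept\n", run_writers(4, 200, 1));
    printf("unlocked: %ld of 800 updates kept\n", run_writers(4, 200, 0));
    return 0;
}
```

The unlocked run is timing dependent, so its result varies from run to run; only the locked run is guaranteed to keep every update.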



Bug#989708: libxfce4ui-common: xfce4-keyboard-shortcuts.xml is not valid XML

2021-06-10 Thread Louis-Philippe Véronneau
Package: libxfce4ui-common
Version: 4.16.0-1
Severity: important
Control: forwarded -1 https://gitlab.xfce.org/xfce/libxfce4ui/-/issues/44
Control: tags -1 patch

Dear maintainers,

xfce4-keyboard-shortcuts.xml, installed to
/etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-keyboard-shortcuts.xml,
is not valid XML.

Indeed, from the line 88 to the line 95,  is used instead of
`.

Sadly, this crashes libs used to parse XML, like Python's
xml.etree.ElementTree.

This bug has been reported upstream, but I've attached a patch to this
bug report. Maybe it's not too late for it to make it to Bullseye?

Cheers,

-- 
  ⢀⣴⠾⠻⢶⣦⠀
  ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
  ⢿⡄⠘⠷⠚⠋   po...@debian.org / veronneau.org
  ⠈⠳⣄
diff --git a/debian/patches/0001_Invalid_XML.patch b/debian/patches/0001_Invalid_XML.patch
new file mode 100644
index 000..137a747
--- /dev/null
+++ b/debian/patches/0001_Invalid_XML.patch
@@ -0,0 +1,30 @@
+This patch fixes invalid XML introduced in upstream commit
+b7a75bf99a6fb4ebeb2476d71209bafef29d.
+See https://gitlab.xfce.org/xfce/libxfce4ui/-/issues/44 for more details.
+Index: libxfce4ui/libxfce4kbd-private/xfce4-keyboard-shortcuts.xml
+===
+--- libxfce4ui.orig/libxfce4kbd-private/xfce4-keyboard-shortcuts.xml
 libxfce4ui/libxfce4kbd-private/xfce4-keyboard-shortcuts.xml
+@@ -85,14 +85,14 @@
+   
+   
+   
+-  
+-  
+-  
+-  
+-  
+-  
+-  
+-  
++  
++  
++  
++  
++  
++  
++  
++  
+ 
+   
+ 
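
Review bot: The commit id quoted in the patch description, `b7a75bf99a6fb4ebeb2476d71209bafef29d`, is 36 hex digits, four short of a full SHA-1, so it is either truncated or mangled; quote the full 40-digit hash or an unambiguous short form. DEP-3 fields (`Description:`, `Bug: https://gitlab.xfce.org/xfce/libxfce4ui/-/issues/44`, `Bug-Debian:`, `Forwarded:`) would carry the same references in a form that tools can read.
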
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..b145cce
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001_Invalid_XML.patch




Bug#932711: 404 for http://standards.ieee.org/regauth/oui/oui.txt

2021-06-10 Thread Samuel Henrique
> I would like to fix this bug (for oldstable/debian 9 at least) and
> to update the package for bullseye (with 2021 data) before
> the release.

So it turns out this bug only affects stretch, which is under LTS
maintenance now, I have forwarded a patch to them[0] but it's not yet
clear whether it's gonna be fixed or not (due to LTS focusing on
critical issues).

Luciano, I'd like to reset the git repo on salsa to import it using
"gbp import-dscs ieee-data --debsnap" which will import all the
previous releases and properly tag them, this will help us if we ever
need to perform an upload that is not targeted to unstable (when we
need to branch on a previous upload).

I would like to do this reset and also upload a new release of
ieee-data with updated data, adding myself as an Uploader, and ask the
release team to unblock the migration to testing.

I'll wait a couple of days to see if you have any objections and will
proceed if there's no reply. I'm assuming that this will not be an
issue as you signed up for Low Threshold NMUs.

Thank you :)

[0] https://lists.debian.org/debian-lts/2021/06/msg4.html

-- 
Samuel Henrique 



Bug#989707: sway: should inherit xkb_model and xkb_layout from /etc/default/keyboard

2021-06-10 Thread Sean Whitton
Package: sway
Version: 1.5.1-2

Hello,

Currently one has to add lines like this to one's sway config:

input type:keyboard xkb_model "pc105"
input type:keyboard xkb_layout "us+spw(emacs)"

but I already have these values configured in /etc/default/keyboard.

I think that something should be added to /etc/sway/config.d which
causes sway to respect the values in /etc/default/keyboard, as that's
the standard way to set keyboard configuration on Debian.

Thanks!

-- 
Sean Whitton




Bug#989664: xterm: .Xresources VT100 override for copy/paste ignored

2021-06-10 Thread Thomas Dickey
On Thu, Jun 10, 2021 at 04:37:04PM -0400, Casey M. Bessette wrote:
> Here's the output of xrdb:
> 
> $ xrdb -q
...colors shouldn't matter...

> Xcursor.size:   0
> Xcursor.theme:
> Xcursor.theme_core: 1
> Xft.hintstyle:  hintnone
> Xft.rgba:   none
> xterm*VT100.Translations:   #override Ctrl Shift V:
   ^ missing "\n"
> insert-selection(CLIPBOARD) \n Ctrl Shift C: copy-selection(CLIPBOARD)

I have this:

*customization: -color
XScreenSaver.newLoginCommand:   gdm-control --switch-user
Xcursor.size:   0
Xcursor.theme:  
Xcursor.theme_core: 1
Xft.hintstyle:  hintnone
Xft.rgba:   none
xterm*VT100.Translations:   #override \n Ctrl Shift C: 
copy-selection(CLIPBOARD) \n Ctrl Shift V: insert-selection(CLIPBOARD)

If the "\n" is missing, then the code for control/shift/V is all part of
a comment.

-- 
Thomas E. Dickey 
https://invisible-island.net
ftp://ftp.invisible-island.net




Bug#946447: thefuck: diff for NMU version 3.29-0.2

2021-06-10 Thread Francisco Vilmar Cardoso Ruviaro
Control: tags 946447 + patch
Control: tags 946447 + pending


Dear maintainer,

I've prepared an NMU for thefuck (versioned as 3.29-0.2) and
uploaded it to DELAYED/3. Please feel free to tell me if I
should delay it longer or cancel the NMU.

Best regards,
Francisco

diff -Nru thefuck-3.29/debian/changelog thefuck-3.29/debian/changelog
--- thefuck-3.29/debian/changelog   2019-08-22 22:15:36.0 +
+++ thefuck-3.29/debian/changelog   2021-06-09 23:10:07.0 +
@@ -1,3 +1,10 @@
+thefuck (3.29-0.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add missing Depends 'python3-distutils' on thefuck. (Closes: #946447)
+
+ -- Francisco Vilmar Cardoso Ruviaro   Wed, 09 
Jun 2021 23:10:07 +
+
 thefuck (3.29-0.1) unstable; urgency=medium
 
   * Non-maintainer upload
diff -Nru thefuck-3.29/debian/control thefuck-3.29/debian/control
--- thefuck-3.29/debian/control 2019-08-22 22:15:36.0 +
+++ thefuck-3.29/debian/control 2021-06-09 22:53:44.0 +
@@ -20,6 +20,7 @@
  ${misc:Depends},
  python3-colorama,
  python3-decorator,
+ python3-distutils,
  python3-pkg-resources,
  python3-psutil,
  python3-six

-- 
Francisco Vilmar Cardoso Ruviaro 
4096R: 1B8C F656 EF3B 8447 2F48 F0E7 82FB F706 0B2F 7D00





Bug#989179: aeskeyfind calculates wrong results on kernel 5.10.0.6 and glibc 2.31-11

2021-06-10 Thread Samuel Henrique
> The investment of the time in the autopkgtests was obviously not for
> nothing...

It gets even better...
debci is showing us[0] that aeskeyfind is broken both on armhf and arm64 [1][2].

I'm willing to bet both errors are coming from the reliance on
undefined behavior of aeskeyfind and that it might have been broken
for those archs before bullseye.

I'll reduce the set of archs we build aeskeyfind for to i386 and
amd64, it's apparent we can't ensure that the package is working fine
for our users on the other archs. Feel free to express your concerns
if you disagree.

I'll also be uploading rsakeyfind with your integ tests to see if we
spot anything weird on other archs through debci.

So coming back to your quote, the ROI of your work has just increased xD

Sorry I forgot to explicitly mention yours and Adrian's name on the
changelog entry resolving this bug, I ended up doing it in a rush and
didn't notice it was missing.

[0] https://tracker.debian.org/pkg/aeskeyfind
[1] 
https://ci.debian.net/data/autopkgtest/testing/armhf/a/aeskeyfind/12898988/log.gz
[2] 
https://ci.debian.net/data/autopkgtest/testing/arm64/a/aeskeyfind/12898959/log.gz

Cheers,

-- 
Samuel Henrique 



Bug#989706: csvkit: DeprecationWarning from csvclean

2021-06-10 Thread Kingsley G. Morse Jr.
Package: csvkit
Version: 1.0.5-2
Severity: normal

Dear Maintainer,

Thank you very much for sharing your valuable time
and skill to maintain Debian's csvkit package.

Here's a one-liner that causes its "csvclean"
command to complain, at least on my computer.

bash$ echo -e "1,2,3\n4,5,6\n7,8" | csvclean 
/usr/lib/python3/dist-packages/unittest2/compatibility.py:143: 
DeprecationWarning: Using or importing the ABCs from 'collections' instead of 
from 'collections.abc' is deprecated since Python 3.3, and in 3.10 it will stop 
working
1 error logged to stdin_err.csv

I'd like to think eliminating the warning is as
easy as importing the ABCs from 'collections.abc'.

Maybe you'd like to use my little one liner to
test fixes for csvkit and python3-csvkit.

Thanks again,
Kingsley

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 4.4.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages csvkit depends on:
ii  python3-csvkit  1.0.5-2
pn  python3:any 

csvkit recommends no packages.

Versions of packages csvkit suggests:
ii  csvkit-doc  1.0.2-1

-- no debconf information



Bug#989682: RFS: libexplain/1.4.D001-11 [QA] [RC] -- library of system-call-specific strerror repl - development files

2021-06-10 Thread Håvard Flaget Aasen


> 
> The unblock request is bug #989681 [0], not confirmed yet.
> 

Unblock request was approved earlier today.


Håvard



Bug#989693: [Debian-med-packaging] Bug#989693: brian: Fails to build reproducibly

2021-06-10 Thread Étienne Mollier
Control: tag -1 pending

Hi Nilesh,

Nilesh Patra, on 2021-06-10:
> I've committed a patch to salsa here[1] and will upload post bullseye
> release.

Cool, Thanks!  I mark the bug pending upload accordingly; I see
your commit in the main trunk, so your changes should make it to
the next upload gracefully.

Cheers,  :)
-- 
Étienne Mollier 
Fingerprint:  8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
Sent from /dev/pts/2, please excuse my verbosity.




Bug#989628: base-files: shell profile check for bash and interactiveness

2021-06-10 Thread Christoph Anton Mitterer
On Wed, 2021-06-09 at 04:56 +0200, Christoph Anton Mitterer wrote:
>    - Shouldn't it also cover the sourcing of /etc/profile.d/*.sh
>  (for the same reasons)?

Taking that one back,... /etc/profile.d/*.sh is obviously meant to be
like /etc/profile, which would also get sourced when invoked as `sh`.



I myself use now the following for /etc/profile and .profile (just with
/etc/bash.bashrc replaced with ~/.bashrc):
---
#check whether any internal variables used in this script have already been set and unset them
if [ -n "${profile_p+is_set}" ]; then
    printf 'Warning: The variable `profile_p` had already been set when executing `%s` and will be unset/overwritten.\n' '~/.profile' >&2
    unset -v profile_p
fi


#source `/etc/bash.bashrc`
if [ -z "${-##*i*}" ]  &&  [ -n "$-" ]; then
    #when executed in an interactive (login) shell …


    # The existence of a non-empty variable `BASH` is merely an indicator that the
    # shell might be bash. This serves as a rapid test.
    # However, its non-existence guarantees that the shell isn’t bash.

    if  [ -n "${BASH-}" ]   &&   { [ -n "${0##*/sh}" ]  &&  [ "$0" != 'sh' ]; };  then
        #… that is (presumably) bash and not invoked as `sh` and …


        # `ps`, which is part of the non-essential package `procps`, may not be
        # available. `realpath`, which is part of the essential package `coreutils`, is
        # guaranteed to be available.

        if {  [ -x /bin/ps ]   &&   { profile_p="$( /bin/ps -o exe= -p $$ 2>/dev/null )" || profile_p='';  [ "${profile_p}" = /usr/bin/bash ]  ||  [ "${profile_p}" = /bin/bash ]; };  }  || \
           {  [ -L /proc/$$/exe ]   &&   { profile_p="$( /usr/bin/realpath --canonicalize-existing /proc/$$/exe 2>/dev/null )" || profile_p='';  [ "${profile_p}" = /usr/bin/bash ]  ||  [ "${profile_p}" = /bin/bash ]; };  }; then
            #… it’s actually bash


            if [ -f /etc/bash.bashrc ]; then
                . /etc/bash.bashrc
            fi
        fi
    fi
fi


#source `/etc/profile.d/*.sh`
if [ -d /etc/profile.d ]; then
    for profile_p in /etc/profile.d/*.sh; do
        if [ -f "${profile_p}" ]; then
            . "${profile_p}"
        fi
    done
fi


#cleanups
unset -v profile_p
---

That also no longer sets PS1 as /etc/profile does right now. This would
anyway just get used in login shells and just for non-bash... and it
seems e.g. dash sets #/$ automatically.

But of course one could just add the `else` back above.


It also uses -f instead of -r when sourcing /etc/profile.d . I think it
makes more sense to check whether these are regular files and actually
give an error if they're not readable.


Maybe one can just drop the {...} that uses ps to find out which binary
is used by the shell - ps also needs /proc.
Also, this might not work for HURD/kFreeBSD ... so either just not
check it at all, or one might need to add some alternative way for
those.



Well, pick whatever you like :-D


Cheers,
Chris.



Bug#989628: base-files: shell profile check for bash and interactiveness

2021-06-10 Thread Christoph Anton Mitterer
Oh and I forgot:

Mine also doesn't set the PATH. This seems to be done already by
someone else (PAM?) and again, it would only work for login-shells but
not for e.g. desktop sessions or shells spawned in there.



Bug#989704: ITP: node-postcss-preset-env -- Convert modern CSS into something browsers understand

2021-06-10 Thread Pirate Praveen

Package: wnpp
Severity: wishlist
Owner: Pirate Praveen 

Need this for node-katex update to 0.13 but it does not support postcss 
8 yet.


https://github.com/csstools/postcss-preset-env/issues/191

Probably will use 
https://www.npmjs.com/package/postcss-preset-evergreen till it gains 
postcss 8 support.




Bug#989664: xterm: .Xresources VT100 override for copy/paste ignored

2021-06-10 Thread Thomas Dickey
On Wed, Jun 09, 2021 at 01:53:09PM -0400, Casey M. Bessette wrote:
> Package: xterm
> Version: 366-1
> Severity: normal
> X-Debbugs-Cc: casey.besse...@gmail.com
> 
> Dear Maintainer,
> 
> My .Xresources file has this in it:
> 
> !enable copy/paste:
> !http://unix.stackexchange.com/questions/225062/how-can-i-copy-text-from-xterm-awesome-debian-virtualbox
> xterm*VT100.Translations: #override \
>  Ctrl Shift V:insert-selection(CLIPBOARD) \n\
>  Ctrl Shift C:copy-selection(CLIPBOARD)
> 
> I run xrdb -merge ~/.Xresources after editing the file.  This has enabled me 
> to use ctrl-shift-c to copy and ctrl-shift-v to paste in and out of xterm.
> 
> In bullseye, this no longer works.  Now if I hit ctrl-shift-c, it acts
> no different than if I hit ctrl-c.  This worked for me on jessie and stretch. 
>  I haven't used buster.

It's working for me :-(

(testing with bullseye, and xterm #366 as packaged by Debian)
 
> If I modify other lines in my .Xresources file, such as the size of the
> font, colors, or xterm geometry, those changes are still honored and
> work as expected.
> 
> I'm using Xfce 4.16 and X.Org 1.20.11.

...same here

If it hadn't worked, I'd be checking on the order of translation-resources
and looking at the debug trace.  But since it works for me, I suggest
adding the output of "xrdb -q", which might be helpful.

-- 
Thomas E. Dickey 
https://invisible-island.net
ftp://ftp.invisible-island.net




Bug#987941: buster-pu: package pacemaker/2.0.1-5+deb10u2

2021-06-10 Thread wferi
On Wed, 09 Jun 2021 09:17:26 +0200 wf...@niif.hu wrote:

> Andreas kindly provided further refinements for his patch in #985173.
> I'll update this stable update request with the new debdiff shortly.

Here it is:

$ debdiff pacemaker_2.0.1-5+deb10u1.dsc pacemaker_2.0.1-5+deb10u2.dsc
diff -Nru pacemaker-2.0.1/debian/changelog pacemaker-2.0.1/debian/changelog
--- pacemaker-2.0.1/debian/changelog2020-11-07 20:21:48.0 +0100
+++ pacemaker-2.0.1/debian/changelog2021-06-10 21:45:34.0 +0200
@@ -1,3 +1,19 @@
+pacemaker (2.0.1-5+deb10u2) buster; urgency=medium
+
+  [ Andreas Beckmann ]
+  * [1088b23] pacemaker-resource-agents: Bump Breaks+Replaces: pacemaker
+to (<< 2)
+A new upstream release instroduced as security update 1.1.24-0+deb9u1 in
+stretch added the new file /usr/lib/ocf/resource.d/pacemaker/ifspeed to
+pacemaker, while it resides in pacemaker-resource-agents in buster.
+(Closes: #985173)
+  * [4f1844b] libpe-status28/libpengine27: Add Breaks against libpe-
+status10/libpengine10 (>= 1.1.24)
+The version in stretch-security shipped libraries with SOVERSION 16
+instead of 10.  (See: #981088)
+
+ -- Ferenc Wágner   Thu, 10 Jun 2021 21:45:34 +0200
+
 pacemaker (2.0.1-5+deb10u1) buster-security; urgency=high
 
   * [bf23450] Apply patch series fixing CVE-2020-25654: ACL bypass.
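Review bot: Typo in the first new changelog bullet: "instroduced" should read "introduced". Since this text ends up in the stable changelog, it is worth fixing before upload.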
diff -Nru pacemaker-2.0.1/debian/control pacemaker-2.0.1/debian/control
--- pacemaker-2.0.1/debian/control  2020-11-07 20:21:48.0 +0100
+++ pacemaker-2.0.1/debian/control  2021-06-10 21:44:36.0 +0200
@@ -84,9 +84,9 @@
  ${misc:Depends},
 # split out of pacemaker so that pacemaker-remote can also use them:
 Breaks:
- pacemaker (<< 1.1.14-2~),
+ pacemaker (<< 2),
 Replaces:
- pacemaker (<< 1.1.14-2~),
+ pacemaker (<< 2),
 Description: cluster resource manager general resource agents
  ${S:X-Common-Description}
  .
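Review bot: The Breaks/Replaces bump to `pacemaker (<< 2)` has no explanation next to it in debian/control, while the two library stanzas further down each get a comment citing the stretch-security upload. The only comment above these fields still describes the original split; a line such as "# stretch-security 1.1.24 ships ifspeed in pacemaker (see #985173)" would keep the reason for the wider bound beside it.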
@@ -270,6 +270,10 @@
 Depends:
  ${misc:Depends},
  ${shlibs:Depends},
+Breaks:
+# The new upstream version in stretch-security shipped
+# SOVERSION 16 instead of 10 (see #981088), get it removed:
+ libpe-status10 (>= 1.1.24),
 Description: cluster resource manager Policy Engine status library
  ${S:X-Common-Description}
  .
@@ -282,6 +286,10 @@
 Depends:
  ${misc:Depends},
  ${shlibs:Depends},
+Breaks:
+# The new upstream version in stretch-security shipped
+# SOVERSION 16 instead of 10 (see #981088), get it removed:
+ libpengine10 (>= 1.1.24),
 Description: cluster resource manager Policy Engine library
  ${S:X-Common-Description}
  .

I'm ready to upload if you agree.
-- 
Thanks,
Feri



Bug#989041: eterm: CVE-2021-33477

2021-06-10 Thread Utkarsh Gupta
Hi Jose,

On Thu, Jun 10, 2021 at 11:08 PM Jose Antonio Jimenez Madrid
 wrote:
> Thank you so much Utkarsh for the patch,

Of course, no problem! :)

> Please, upload it to unstable, as I have to upload it by Debian Mentors
> so it will reach testing faster if you upload it to fix this security bug.
> Also, you can upload it to buster-pu, the package version is the same
> as in Stretch, so it is just a matter of uploading the same one that you
> have already uploaded for Stretch.

Okay, uploaded to unstable; filed an unblock request via #989703.
Subsequently, uploaded to buster and opened the -pu bug, #989702.

Let me know if you have any questions or concerns. Thanks! \o/


- u



Bug#989255: this bug is in bullseye as of today

2021-06-10 Thread Hovno Cuc
Hello,
I've experienced this bug today in debian bullseye (11.0).


Bug#989703: unblock: eterm/0.9.6-6.1

2021-06-10 Thread Utkarsh Gupta
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hey,

src:eterm has been affected by CVE-2021-33477 which is fixed in sid &
stretch. -pu update for buster has also been filed.

Since this is just a CVE fix, I'd request you to unblock this and let
it go to bullseye. :)

The debdiff is duly attached. Let me know if you need any more information. TIA! \o/


- u


eterm_sid.debdiff
Description: Binary data


Bug#989702: buster-pu: package eterm/0.9.6-5+deb10u1

2021-06-10 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Tags: buster
Severity: normal

Hello,

src:eterm has been affected by CVE-2021-33477 which is fixed in sid &
stretch. Since the version in stretch & buster is the same, I'd like
to get this update into -pu in the next release so as to avoid upgrade
problems.

The debdiff is duly attached. Let me know if you need any more information. TIA! \o/


- u


eterm_buster.debdiff
Description: Binary data


Bug#989495: bluez: diff for NMU version 5.55-3.1

2021-06-10 Thread Salvatore Bonaccorso
Control: tags 989700 + patch
Control: tags 989700 + pending


Dear maintainer,

I've prepared an NMU for bluez (versioned as 5.55-3.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Note, I did cancel the previously pending NMU to include the
CVE-2021-3588 fix as well.

Regards,
Salvatore
diff -Nru bluez-5.55/debian/changelog bluez-5.55/debian/changelog
--- bluez-5.55/debian/changelog	2021-01-02 07:57:41.0 +0100
+++ bluez-5.55/debian/changelog	2021-06-10 21:34:56.0 +0200
@@ -1,3 +1,13 @@
+bluez (5.55-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * main: Don't warn for unset config option (Closes: #989495)
+  * shared/gatt-server: Fix not properly checking for secure flags
+(CVE-2020-26558, CVE-2021-0129) (Closes: #989614)
+  * gatt: Fix potential buffer out-of-bound (CVE-2021-3588) (Closes: #989700)
+
+ -- Salvatore Bonaccorso   Thu, 10 Jun 2021 21:34:56 +0200
+
 bluez (5.55-3) unstable; urgency=medium
 
   * Add d/salsa-ci.yml.
diff -Nru bluez-5.55/debian/patches/gatt-Fix-potential-buffer-out-of-bound.patch bluez-5.55/debian/patches/gatt-Fix-potential-buffer-out-of-bound.patch
--- bluez-5.55/debian/patches/gatt-Fix-potential-buffer-out-of-bound.patch	1970-01-01 01:00:00.0 +0100
+++ bluez-5.55/debian/patches/gatt-Fix-potential-buffer-out-of-bound.patch	2021-06-10 21:34:56.0 +0200
@@ -0,0 +1,35 @@
+From: Luiz Augusto von Dentz 
+Date: Mon, 4 Jan 2021 10:38:31 -0800
+Subject: gatt: Fix potential buffer out-of-bound
+Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=3a40bef49305f8327635b81ac8be52a3ca063d5a
+Bug: https://github.com/bluez/bluez/issues/70
+Bug-Debian: https://bugs.debian.org/989700
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3588
+
+When client features is read check if the offset is within the cli_feat
+bounds.
+
+Fixes: https://github.com/bluez/bluez/issues/70
+---
+ src/gatt-database.c | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/gatt-database.c b/src/gatt-database.c
+index 90cc4bade3d9..f2d7b5821734 100644
+--- a/src/gatt-database.c
 b/src/gatt-database.c
+@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
+ 		goto done;
+ 	}
+ 
++	if (offset >= sizeof(state->cli_feat)) {
++		ecode = BT_ATT_ERROR_INVALID_OFFSET;
++		goto done;
++	}
++
+ 	len = sizeof(state->cli_feat) - offset;
+ 	value = len ? &state->cli_feat[offset] : NULL;
+ 
+-- 
+2.32.0
+
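Review bot: With the added `offset >= sizeof(state->cli_feat)` guard in cli_feat_read_cb(), `len` on the following context line is always at least 1, so the `len ? &state->cli_feat[offset] : NULL` ternary can no longer yield NULL. If a read at an offset equal to the array size is meant to return an empty value rather than BT_ATT_ERROR_INVALID_OFFSET, the comparison should be `>`; otherwise the ternary can be simplified. As this is a verbatim cherry-pick, the question is better raised upstream than changed in the NMU.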
diff -Nru bluez-5.55/debian/patches/main-Don-t-warn-for-unset-config-option.patch bluez-5.55/debian/patches/main-Don-t-warn-for-unset-config-option.patch
--- bluez-5.55/debian/patches/main-Don-t-warn-for-unset-config-option.patch	1970-01-01 01:00:00.0 +0100
+++ bluez-5.55/debian/patches/main-Don-t-warn-for-unset-config-option.patch	2021-06-10 21:34:56.0 +0200
@@ -0,0 +1,23 @@
+From: Luiz Augusto von Dentz 
+Date: Mon, 9 Nov 2020 14:57:56 -0800
+Subject: main: Don't warn for unset config option
+Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=02e46e9df6b0d897e6ba67dc3ea18e5e9c510e44
+Bug-Debian: https://bugs.debian.org/989495
+Bug: https://github.com/bluez/bluez/issues/51
+
+Unset options shall not be printed if debug is not enabled.
+---
+ src/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/main.c
 b/src/main.c
+@@ -444,7 +444,7 @@ static void parse_controller_config(GKey
+ 		int val = g_key_file_get_integer(config, "Controller",
+ 		params[i].val_name, &err);
+ 		if (err) {
+-			warn("%s", err->message);
++			DBG("%s", err->message);
+ 			g_clear_error(&err);
+ 		} else {
+ 			info("%s=%d", params[i].val_name, val);
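Review bot: Replacing `warn("%s", err->message)` with `DBG(...)` in parse_controller_config() silences every error returned by g_key_file_get_integer(), not only the unset-option case the subject line names, so a malformed value in the "Controller" section would go unreported unless debug is enabled. Consider keeping warn() for anything other than G_KEY_FILE_ERROR_KEY_NOT_FOUND.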
diff -Nru bluez-5.55/debian/patches/series bluez-5.55/debian/patches/series
--- bluez-5.55/debian/patches/series	2021-01-02 07:57:41.0 +0100
+++ bluez-5.55/debian/patches/series	2021-06-10 21:34:56.0 +0200
@@ -10,3 +10,6 @@
 shared-gatt-client-Fix-segfault-after-PIN-entry.patch
 main.conf-Add-more-details-Closes-904212.patch
 headers-use-releative-symlinks.patch
+main-Don-t-warn-for-unset-config-option.patch
+shared-gatt-server-Fix-not-properly-checking-for-sec.patch
+gatt-Fix-potential-buffer-out-of-bound.patch
diff -Nru bluez-5.55/debian/patches/shared-gatt-server-Fix-not-properly-checking-for-sec.patch bluez-5.55/debian/patches/shared-gatt-server-Fix-not-properly-checking-for-sec.patch
--- bluez-5.55/debian/patches/shared-gatt-server-Fix-not-properly-checking-for-sec.patch	1970-01-01 01:00:00.0 +0100
+++ bluez-5.55/debian/patches/shared-gatt-server-Fix-not-properly-checking-for-sec.patch	2021-06-10 21:34:56.0 +0200
@@ -0,0 +1,108 @@
+From: Luiz Augusto von Dentz 
+Date: Tue, 2 Mar 2021 11:38:33 -0800
+Subject: shared/gatt-server: Fix not properly checking for secure flags
+Origin: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit?id=00da0fb4972cf59e1c075f313da81ea549cb8738
+Bug-Debian-Security: https://security-tracker.debian.org

Bug#989701: buster-pu: package clevis/11-2+deb10u2

2021-06-10 Thread Christoph Biedl
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hello stable release team,

for the upcoming stable point release, I've just uploaded src:clevis
("automated encryption framework") as version 11-2+deb10u2. There is
one change related to the TPM integration:

* Fix handling of TPM chips that support sha256 only

Type: upstream bug
Debian bug: https://bugs.debian.org/989648
Fixed in in stable and testing: 12-1 (February 2020)

Problem: Possibly due to a typo, the clevis-encrypt-tpm2 backend cannot
handle TPM chips that support sha256 only.

Regards,

Christoph
diff -Nru clevis-11/debian/changelog clevis-11/debian/changelog
--- clevis-11/debian/changelog  2021-01-25 20:03:26.0 +0100
+++ clevis-11/debian/changelog  2021-06-09 15:59:00.0 +0200
@@ -1,3 +1,10 @@
+clevis (11-2+deb10u2) buster; urgency=medium
+
+  * Cherry-pick "Bugfix: set pcr_bank from pcr_bank not pcr_hash
+field". Closes: #989648
+
+ -- Christoph Biedl   Wed, 09 Jun 2021 
19:58:50 +0200
+
 clevis (11-2+deb10u1) buster; urgency=medium
 
   * Cherry-pick two comments to fix initramfs creation: Closes: #969361
diff -Nru 
clevis-11/debian/patches/cherry-pick/1551971881.v11-5-g67fc67c.bugfix-set-pcr-bank-from-pcr-bank-not-pcr-hash-field.patch
 
clevis-11/debian/patches/cherry-pick/1551971881.v11-5-g67fc67c.bugfix-set-pcr-bank-from-pcr-bank-not-pcr-hash-field.patch
--- 
clevis-11/debian/patches/cherry-pick/1551971881.v11-5-g67fc67c.bugfix-set-pcr-bank-from-pcr-bank-not-pcr-hash-field.patch
   1970-01-01 01:00:00.0 +0100
+++ 
clevis-11/debian/patches/cherry-pick/1551971881.v11-5-g67fc67c.bugfix-set-pcr-bank-from-pcr-bank-not-pcr-hash-field.patch
   2021-06-09 15:55:44.0 +0200
@@ -0,0 +1,16 @@
+Subject: Bugfix: set pcr_bank from pcr_bank not pcr_hash field
+Origin: v11-5-g67fc67c 

+Upstream-Author: Markus Linnala 
+Date: Thu Mar 7 17:18:01 2019 +0200
+
+--- a/src/pins/tpm2/clevis-encrypt-tpm2
 b/src/pins/tpm2/clevis-encrypt-tpm2
+@@ -88,7 +88,7 @@
+ 
+ key=`jose fmt -j- -Og key -u- <<< "$cfg"` || key="ecc"
+ 
+-pcr_bank=`jose fmt -j- -Og pcr_hash -u- <<< "$cfg"` || pcr_bank="sha1"
++pcr_bank=`jose fmt -j- -Og pcr_bank -u- <<< "$cfg"` || pcr_bank="sha1"
+ 
+ pcr_ids=`jose fmt -j- -Og pcr_ids -u- <<< "$cfg"` || true
+ 
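Review bot: The corrected line still falls back to `pcr_bank="sha1"` when the configuration has no pcr_bank key, so a TPM that offers only sha256 would still need pcr_bank set in the configuration. That is worth stating in the changelog entry or the patch header, so the fix is not read as auto-detecting the bank. The patch header could also carry a Bug-Debian line for #989648.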
diff -Nru clevis-11/debian/patches/series clevis-11/debian/patches/series
--- clevis-11/debian/patches/series 2021-01-25 20:03:26.0 +0100
+++ clevis-11/debian/patches/series 2021-06-09 15:55:55.0 +0200
@@ -2,6 +2,7 @@
 # cherry-picked commits. Keep in upstream's chronological order
 
cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch
 
cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch
+cherry-pick/1551971881.v11-5-g67fc67c.bugfix-set-pcr-bank-from-pcr-bank-not-pcr-hash-field.patch
 
 # local modifications
 debian.use-socat.patch




Bug#989700: bluez: CVE-2021-3588

2021-06-10 Thread Salvatore Bonaccorso
Source: bluez
Version: 5.55-3
Severity: grave
Tags: security upstream
Forwarded: https://github.com/bluez/bluez/issues/70
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for bluez.

CVE-2021-3588[0]:
| The cli_feat_read_cb() function in src/gatt-database.c does not
| perform bounds checks on the 'offset' variable before using it as an
| index into an array for reading.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3588
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3588
[1] https://github.com/bluez/bluez/issues/70
[2] https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1926548
[3] 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a
 

Regards,
Salvatore
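
The missing check named in the CVE text above, as an added example that is not part of the original message or of BlueZ's code: the length computation without the guard, beside a read helper with it. `struct client_state`, `CLI_FEAT_SIZE`, `unchecked_len()` and `checked_read()` are hypothetical names, the array size is constructed, and the error code is defined locally.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ATT "Invalid Offset" error code, defined locally for this example. */
#define BT_ATT_ERROR_INVALID_OFFSET 0x07
/* Constructed size for the example's feature array (an assumption). */
#define CLI_FEAT_SIZE 1

/* Hypothetical per-client state holding the feature bytes. */
struct client_state {
	uint8_t cli_feat[CLI_FEAT_SIZE];
};

/*
 * Length computation with no check on offset. Only the length is
 * computed here; nothing is dereferenced. The subtraction is done in
 * size_t, so an offset larger than the array wraps to a huge value.
 */
static size_t unchecked_len(const struct client_state *state, uint16_t offset)
{
	return sizeof(state->cli_feat) - offset;
}

/*
 * Guarded read: offsets at or past the end of the array are rejected
 * before any length or pointer is derived from them. The copy is also
 * capped by the caller's buffer capacity.
 * Returns 0 on success or an ATT error code.
 */
static uint8_t checked_read(const struct client_state *state, uint16_t offset,
			    uint8_t *out, size_t out_cap, size_t *out_len)
{
	size_t len;

	*out_len = 0;

	if (offset >= sizeof(state->cli_feat))
		return BT_ATT_ERROR_INVALID_OFFSET;

	len = sizeof(state->cli_feat) - offset;
	if (len > out_cap)
		len = out_cap;

	memcpy(out, &state->cli_feat[offset], len);
	*out_len = len;
	return 0;
}

int main(void)
{
	/* Constructed sample state: one feature byte. */
	struct client_state st = { .cli_feat = { 0x01 } };
	uint8_t buf[4];
	size_t n;
	uint16_t offsets[] = { 0, 1, 2, 0xffff };
	size_t i;

	for (i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++) {
		uint8_t ecode = checked_read(&st, offsets[i], buf,
					     sizeof(buf), &n);

		printf("offset=%u unchecked_len=%zu checked: ecode=0x%02x len=%zu\n",
		       (unsigned)offsets[i], unchecked_len(&st, offsets[i]),
		       (unsigned)ecode, n);
	}
	return 0;
}
```
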



Bug#981982: RFS: codelite/15.0+dfsg-1 [QA] -- Powerful and lightweight IDE

2021-06-10 Thread David Hart
Hi Tobi,

Many thanks for your review.

>(Note: Due to the freeze, an upload to unstable is currently out of scope.  You
>might either want to wait for bullseye's release or target experimental for
>now)

I know. The new release and RFS preceded the freeze, but didn't attract a
sponsor in time. I'll wait for bullseye.

>Thanks for the updated package…
>Some questions though:
>- d/control:
>  - I see in the diff
>- that you start Depend: on clangd and clang-format.
>Is codelite _really_ depending as in Policy-Depends on it?

It's long enough ago that I can't remember, but I'll check.

>   (there are some *arch-dependent* Build-Depends on clang stuff that seems to
>be in contradiction… as the Depends are not arch-dependent this does not fit
>somehow…)
>- note this change is not documented in d/changelog, that's why I had to
>  guess: PLEASE document the _whys_ of your changes to help the sponsor out
>  until they improve in reading your mind… ;-)

Sorry, that was an oversight.

>nitpick:
> - d/copyright does not need all those extra blank lines :)
>
>PS: You know the package is orphaned :) Could we talk you into adopting it?
>(Its okay if you decline, but TIA for considering!)

I know, and 40 or 50 years ago I'd have jumped at the chance. But codelite
really deserves a long term maintainer, and that excludes me. 

>Tagging moreinfo because of the questions above (clang and freeze)
>Remove the tag when you think the package is ready for a second review…

Will do. Thanks again.

Regards,

David



Bug#989580: updated patch

2021-06-10 Thread dann frazier
Both patches are now upstream. Here's an updated debdiff.

diff -Nru manpages-5.10/debian/changelog manpages-5.10/debian/changelog
--- manpages-5.10/debian/changelog  2020-12-22 06:25:08.0 -0700
+++ manpages-5.10/debian/changelog  2021-06-10 13:13:28.0 -0600
@@ -1,3 +1,10 @@
+manpages (5.10-2) UNRELEASED; urgency=medium
+
+  * kernel_lockdown.7: Remove description of unsupported lockdown lift
+mechanism via SysRq. (Closes: #989580) (LP: #1931171)
+
+ -- dann frazier   Thu, 10 Jun 2021 13:13:28 -0600
+
 manpages (5.10-1) unstable; urgency=medium
 
   * New upstream version 5.10
diff -Nru manpages-5.10/debian/patches/0014-kernel_lockdown.7.patch 
manpages-5.10/debian/patches/0014-kernel_lockdown.7.patch
--- manpages-5.10/debian/patches/0014-kernel_lockdown.7.patch   1969-12-31 
17:00:00.0 -0700
+++ manpages-5.10/debian/patches/0014-kernel_lockdown.7.patch   2021-06-10 
13:07:18.0 -0600
@@ -0,0 +1,47 @@
+From a989674d441617fe8fb9570dfb395867ff42 Mon Sep 17 00:00:00 2001
+From: dann frazier 
+Date: Thu, 27 May 2021 09:13:42 +0200
+Subject: [PATCH 1/2] kernel_lockdown.7: Remove description of lifting via
+ SysRq (not upstream)
+
+The patch that implemented lockdown lifting via SysRq ended up
+getting dropped[*] before the feature was merged upstream. Having
+the feature documented but unsupported has caused some confusion
+for our users.
+
+[*] 
http://archive.lwn.net:8080/linux-kernel/cacdnjuuxam06tcnczoa6nwxhnmqueqqm3ma8btukzpucs+d...@mail.gmail.com/
+
+Signed-off-by: dann frazier 
+Cc: Heinrich Schuchardt 
+Cc: David Howells 
+Cc: Pedro Principeza 
+Cc: Randy Dunlap 
+Cc: Kyle McMartin 
+Cc: Matthew Garrett 
+Signed-off-by: Alejandro Colomar 
+Signed-off-by: Michael Kerrisk 
+
+Bug-Debian: https://bugs.debian.org/989580
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1931171
+Origin: 
https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit/?id=a989674d441617fe8fb9570dfb395867ff42
+Last-Update: 2021-06-10
+
+diff --git a/man7/kernel_lockdown.7 b/man7/kernel_lockdown.7
+index 30863de62..b0442b3b6 100644
+--- a/man7/kernel_lockdown.7
 b/man7/kernel_lockdown.7
+@@ -33,11 +33,6 @@ where X indicates the process name and Y indicates what is 
restricted.
+ .PP
+ On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
+ if the system boots in EFI Secure Boot mode.
+-.PP
+-If the kernel is appropriately configured, lockdown may be lifted by typing
+-the appropriate sequence on a directly attached physical keyboard.
+-For x86 machines, this is
+-.IR SysRq+x .
+ .\"
+ .SS Coverage
+ When lockdown is in effect, a number of features are disabled or have their
+-- 
+2.32.0
+
diff -Nru manpages-5.10/debian/patches/0015-kernel_lockdown.7.patch 
manpages-5.10/debian/patches/0015-kernel_lockdown.7.patch
--- manpages-5.10/debian/patches/0015-kernel_lockdown.7.patch   1969-12-31 
17:00:00.0 -0700
+++ manpages-5.10/debian/patches/0015-kernel_lockdown.7.patch   2021-06-10 
13:09:09.0 -0600
@@ -0,0 +1,35 @@
+From 9d39058523043353681a8daa0c59531118ddf06f Mon Sep 17 00:00:00 2001
+From: dann frazier 
+Date: Mon, 7 Jun 2021 16:19:43 -0600
+Subject: [PATCH 2/2] kernel_lockdown.7: Remove additional text alluding to
+ lifting via SysRq
+
+My previous patch intended to drop the docs for the lockdown lift
+SysRq, but it missed this other section that refers to lifting it
+via a keyboard - an allusion to that same SysRq.
+
+Signed-off-by: dann frazier 
+Signed-off-by: Michael Kerrisk 
+
+Bug-Debian: https://bugs.debian.org/989580
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1931171
+Origin: 
https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit/?id=9d39058523043353681a8daa0c59531118ddf06f
+Last-Update: 2021-06-10
+
+diff --git a/man7/kernel_lockdown.7 b/man7/kernel_lockdown.7
+index b0442b3b6..0c0a9500d 100644
+--- a/man7/kernel_lockdown.7
 b/man7/kernel_lockdown.7
+@@ -19,9 +19,6 @@ modification of the kernel image and to prevent access to 
security and
+ cryptographic data located in kernel memory, whilst still permitting driver
+ modules to be loaded.
+ .PP
+-Lockdown is typically enabled during boot and may be terminated, if 
configured,
+-by typing a special key combination on a directly attached physical keyboard.
+-.PP
+ If a prohibited or restricted feature is accessed or used, the kernel will 
emit
+ a message that looks like:
+ .PP
+-- 
+2.32.0
+
diff -Nru manpages-5.10/debian/patches/series 
manpages-5.10/debian/patches/series
--- manpages-5.10/debian/patches/series 2020-12-22 06:18:53.0 -0700
+++ manpages-5.10/debian/patches/series 2021-06-10 13:05:50.0 -0600
@@ -10,3 +10,5 @@
 0010-tzfile.5.patch
 0011-man.7.patch
 0013-rtnetlink.7.patch
+0014-kernel_lockdown.7.patch
+0015-kernel_lockdown.7.patch


Bug#989699: ITP: ignition-tool -- ign command line tool that accepts multiple subcommands

2021-06-10 Thread Jose Luis Rivero
Package: wnpp
Severity: wishlist
Owner: Jose Luis Rivero 

* Package name: ignition-tools
  Version : 1.2.0
  Upstream Author : Open Robotics
* URL : http://ignitionrobotics.org/libraries/tools
* License : Apache2
  Programming Lang: Ruby
  Description : ign command line tool that accepts multiple subcommands

Ignition tools provide the ign command line tool that accepts multiple
subcommands. Each subcommand is implemented in a plugin that belongs to a
specific Ignition project. For example, all the commands that start with
ign topic ... will be implemented by the Ignition Transport library.



Bug#973365: On MacBook Pro (P8600) wifi card with BCM4322 chipset does not work

2021-06-10 Thread Giuseppe Sacco
Hello Roger,

On Mon, 31/05/2021 at 00.09 +0900, Roger Shimizu wrote:
> control: tags -1 +moreinfo
> 
> On Thu, Oct 29, 2020 at 10:45 PM Giuseppe Sacco  wrote:
[...]
> > Hello,
> > on an Apple MacBook Pro running debian testing (kernel package is
> > version 5.9.1-1), I have this card:
> > 
> > # lspci | fgrep Netw
> > 02:00.0 Network controller: Broadcom Inc. and subsidiaries BCM4322
> > 802.11a/b/g/n Wireless LAN Controller (rev 01)
> > 
> > The card is recognized and managed by the broadcom-sta driver but it
> > does not display the list of available networks:
> 
> You may try latest 6.30.223.271-16 or its backports version.
> If it still doesn't work for you, you may try b43 driver [1]
> 
> [1] https://wiki.debian.org/bcm43xx



I just tested both solutions, but the problem is still there. Because of this,
I am forced to use an external USB WiFi card instead of the internal one.

Thank you,
Giuseppe



Bug#989567: debconf.postinst is completely unnecessary unless upgrading from pre-etch

2021-06-10 Thread Chris Hofstaedtler
* Helmut Grohne  [210610 18:30]:
[..]
> - /usr/share/debconf/transition_db.pl
> - /usr/share/debconf/fix_db.pl

From a very quick look, these scripts could also then be removed,
possibly?

Chris



Bug#989513: unblock: galera-4/26.4.8-1

2021-06-10 Thread Otto Kekäläinen
Hello!

> > Please unblock package galera-4 to fix MariaDB upgrade as reported in 
> > #988089.
>
> I appreciate a fix for that bug, but did you really have to do that by
> uploading a new upstream release too? How is the new upstream release
> related to that bug?

Yes, the upstream package is a maintenance/fix release for Galera 4
that does not introduce any new features, only fixes bugs. It is the
kind of change that could go into Debian Bullseye as a stable update
too, so I thought it would be better to do it now.

> > [ Risks ]
> > Low, leaf package.
>
> Nope, the package is a key package.

Indeed, it seems to be listed at
https://udd.debian.org/cgi-bin/key_packages.yaml.cgi

However, only MariaDB depends on it and the package is very small and
has traditionally had zero or almost zero bugs in Debian. I would
argue that including it now is a very safe thing to do.

It has also been well tested.

> > This also introduces the latest upstream version. It has already been
> > in Sid for a while without reported regressions, and in general Galera
> > packages have been very low on regressions.
>
> But that is totally not in line with our freeze policy [1][2]. Please
> revert the upstream release while fixing 988089.

I beg you to reconsider, as the new upstream release is a bugfix-only
release that would be uploaded post-Bullseye in a stable update
anyway. Having these bugfixes in Bullseye is a service to our users
and very low risk, and thus hopefully justifiable during hard freeze.



Bug#989698: prometheus-nextcloud-exporter: [INTL:nl] Dutch translation of debconf messages

2021-06-10 Thread Frans Spiesschaert
 
 
Package: prometheus-nextcloud-exporter 
Severity: wishlist 
Tags: l10n patch 
 
 
 
Dear Maintainer, 
 
 
Please find attached the Dutch translation of prometheus-nextcloud-exporter
debconf messages.
It has been submitted for review to the debian-l10n-dutch mailing list. 
Please add it to your next package revision. 
It should be put as debian/po/nl.po in your package build tree. 
 

-- 
Kind regards,
Frans Spiesschaert



nl.po.gz
Description: application/gzip


Bug#989679: clusterssh: cssh fails to start: missing initialise method

2021-06-10 Thread tony mancill
On Thu, Jun 10, 2021 at 07:19:22PM +0200, gregor herrmann wrote:
> On Thu, 10 Jun 2021 09:33:01 +0200, Dominique Dumont wrote:
> > cssh always fails on start:
> > 
> > $ cssh 192.168.1.14
> > Can't locate object method "initialise" via package 
> > "App::ClusterSSH::Window" at /usr/share/perl5/App/ClusterSSH.pm line 308.
> > 
> > This does not look like a missing dependency.
> > 
> > Is cssh working fine on your side ?
> 
> (Just a co-maintainer without deeper knowledge of cssh here.)
> 
> Yes, `cssh $hostname' just (after removing an unsupported option from
> ~/.clusterssh/config) outputs "Opening to: $hostname" and connects,
> no other output or errors.
> 
> I wonder if something under Tk::* or X11::* might be missing or
> screwed up on this system? But I guess you're quicker to dive into
> this issue than me :)

Hi Dominique,

I tested too and am not able to reproduce in my environment.  I compared
the dependency versions in the bug report and they match mine
completely, so I believe that Gregor's question about Tk or X11 is the
next place to look.

Let's start by determining what window manager, etc. you are running and
see if we can reproduce the problem on another system.

My assumption is that initialise isn't present because
App::ClusterSSH::Window->new() failed in some unexpected way - that is,
somewhere in here:
https://salsa.debian.org/debian/clusterssh/-/blob/master/lib/App/ClusterSSH/Window.pm#L34-44

(But that's just a hunch.)

Cheers,
tony




Bug#989587: unblock: uacme/1.7.1-1

2021-06-10 Thread Nicola Di Lieto

Control: tags -1 - moreinfo

On Thu, Jun 10, 2021 at 02:52:26PM +0200, Graham Inggs wrote:

Control: tags -1 + confirmed

Please go ahead and upload to unstable, then remove the moreinfo tag.


Done: http://deb.debian.org/debian/pool/main/u/uacme/uacme_1.7.1-1.dsc

Nicola



Bug#989697: RFP: jpegqs -- JPEG artifacts removal tool

2021-06-10 Thread Nicholas Guriev
Package: wnpp
Severity: wishlist
X-Debbugs-Cc: Michael Shigorin 

* Package name    : jpegqs
  Version : 1.20210408
  Upstream Author : Ilya Kurdyukov - https://github.com/ilyakurdyukov
* URL : https://github.com/ilyakurdyukov/jpeg-quantsmooth
* License : LGPL-2.1
  Programming Lang: C
  Description : JPEG artifacts removal tool

JPEG Quant Smooth tries to recover the lost precision of DCT coefficients
based on a quantization table from a JPEG image.

The package has been requested on Launchpad and in Debian Russian
Mailing List.

https://launchpad.net/bugs/1929533
https://lists.debian.org/msgid-search/20210609081016.gb8...@imap.altlinux.org

The program has been already packaged in ALT Linux. You may find their
spec useful.

http://git.altlinux.org/gears/j/jpegqs.git?a=blob;f=.gear/jpegqs.spec





Bug#989041: eterm: CVE-2021-33477

2021-06-10 Thread Jose Antonio Jimenez Madrid
Thank you so much Utkarsh for the patch,


Please, upload it to unstable, as I have to upload it by Debian Mentors
so it will reach testing faster if you upload it to fix this security bug.
Also, you can upload it to buster-pu, the package version is the same
as in Stretch, so it is just a matter of uploading the same one that you
have already uploaded for Stretch.

I will send the patch to upstream. There are several minor issues I have
to coordinate with upstream that can be done later.

Thank you so much for your great work.

Jose



Bug#989696: mk-build-deps: --remove should also remove changes and buildinfo files

2021-06-10 Thread Ryan Kavanagh
Package: devscripts
Version: 2.21.2
Severity: wishlist

The --remove option removes the package file after installing it.
It should also remove the changes and buildinfo file.

-- Package-specific info:

--- /etc/devscripts.conf ---
Empty.

--- ~/.devscripts ---
Not present

-- System Information:
Debian Release: 11.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-6-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_CA.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- no debconf information

-- 
|)|/  Ryan Kavanagh  | GPG: 4E46 9519 ED67 7734 268F
|\|\  https://rak.ac |  BD95 8F7B F8FC 4A11 C97A




Bug#989694: openmpi: Enable IPv6 support

2021-06-10 Thread Alexander Gerasiov
Source: openmpi
Severity: normal

Dear Maintainer,

Please enable IPv6 support with:

>>>
diff --git a/debian/rules b/debian/rules
index 65ae135d..01ee67ec 100755
--- a/debian/rules
+++ b/debian/rules
@@ -92,6 +92,7 @@ extra_flags = \
--with-hwloc=external  \
--disable-silent-rules \
--enable-mpi-cxx \
+   --enable-ipv6 \
--with-devel-headers \
--with-slurm \
--with-sge \
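
Review bot: the new --enable-ipv6 line is added unconditionally to extra_flags, and the request carries no debian/changelog entry and no statement of what was built or tested with it. Please add a changelog line that closes this bug and say whether the package's test suite was run with the option on, including on a host that has no IPv6 address configured.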


-- System Information:
Debian Release: 11.0
  APT prefers testing
  APT policy: (730, 'testing'), (670, 'stable-updates'), (670, 'stable'), (600, 
'unstable'), (550, 'experimental'), (500, 'testing-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-6-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#989665: user-mode-linux FTBFS: link error

2021-06-10 Thread Ritesh Raj Sarraf
Control: tag -1 pending

On Wed, 2021-06-09 at 20:57 +0300, Adrian Bunk wrote:
> Source: user-mode-linux
> Version: 5.10um2
> Severity: serious
> Tags: ftbfs
> 
> https://buildd.debian.org/status/package.php?p=user-mode-linux&suite=sid
> 
> ...
>   LD  .tmp_vmlinux.kallsyms1
> /usr/bin/ld: anonymous version tag cannot be combined with other
> version tags
> /usr/bin/ld: init/main.o: warning: relocation in read-only section
> `.text'
> /usr/bin/ld: warning: creating DT_TEXTREL in a PIE
> collect2: error: ld returned 1 exit status
> make[1]: *** [Makefile:1167: vmlinux] Error 1

Thanks for the bug report Adrian. I hope to prepare an upload to
Unstable soon.


-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System




Bug#989679: clusterssh: cssh fails to start: missing initialise method

2021-06-10 Thread gregor herrmann
On Thu, 10 Jun 2021 09:33:01 +0200, Dominique Dumont wrote:

> cssh always fails on start:
> 
> $ cssh 192.168.1.14
> Can't locate object method "initialise" via package "App::ClusterSSH::Window" 
> at /usr/share/perl5/App/ClusterSSH.pm line 308.
> 
> This does not look like a missing dependency.
> 
> Is cssh working fine on your side ?

(Just a co-maintainer without deeper knowledge of cssh here.)

Yes, `cssh $hostname' just (after removing an unsupported option from
~/.clusterssh/config) outputs "Opening to: $hostname" and connects,
no other output or errors.

I wonder if something under Tk::* or X11::* might be missing or
screwed up on this system? But I guess you're quicker to dive into
this issue than me :)


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   




Bug#976044: (no subject)

2021-06-10 Thread Colin Watson
On Sat, Nov 28, 2020 at 08:10:10PM +0100, Mmobilea wrote:
> I'm sending a translation.

Thanks for the translation, and sorry for my delay.  There was a missing
closing quote here:

> #: ../Debconf/FrontEnd/Gnome.pm:96
> msgid ""
> "If you quit this configuration dialog, then the package being configured "
> "will probably fail to install, and you may have to fix it manually. This may 
> "
> "be especially difficult if you are in the middle of a large upgrade."
> msgstr "Jeśli zamkniesz to okno dialogowe  konfiguracji, konfigurowany pakiet 
> prawdopodobnie się nie zainstaluje, i będziesz musiał naprawić go ręcznie. To 
> może być szczególnie tródne, jeśli jesteś w połowie dużej aktualizacji.

I've corrected that and will commit it.

-- 
Colin Watson (he/him)  [cjwat...@debian.org]



Bug#989693: brian: Fails to build reproducibly

2021-06-10 Thread Nilesh Patra
Source: brian
Version: 2.4.2-6
Severity: normal
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: timestamps, randomness
X-Debbugs-Cc: nil...@debian.org, reproducible-b...@lists.alioth.debian.org

Dear Maintainer,

Brian does not build reproducibly because:

a) It injects timestamps into docs
b) It injects files and text in random order into files

Super thanks to Felix C. Stegerman  for helping with
patch for the latter reason! :-)

I've committed a patch to salsa here[1] and will upload post bullseye
release.

Also attaching the corresponding patch with this email

[1]: 
https://salsa.debian.org/med-team/brian/-/commit/f16a61b846edb138e0d81cba1cc5e58f0e625ccc

Nilesh

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.7.0-2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
From f16a61b846edb138e0d81cba1cc5e58f0e625ccc Mon Sep 17 00:00:00 2001
From: Nilesh Patra 
Date: Thu, 10 Jun 2021 22:03:05 +0530
Subject: [PATCH] Make build reproducible

---
 debian/patches/reproducible.patch | 65 +++
 debian/patches/series |  1 +
 debian/rules  |  1 +
 3 files changed, 67 insertions(+)
 create mode 100644 debian/patches/reproducible.patch

diff --git a/debian/patches/reproducible.patch 
b/debian/patches/reproducible.patch
new file mode 100644
index ..05db27f0
--- /dev/null
+++ b/debian/patches/reproducible.patch
@@ -0,0 +1,65 @@
+Description: Fix timestamps, insert files in deterministic order
+Author: Nilesh Patra 
+Last-Update: 2021-06-10
+--- a/dev/tools/release/setversion.py
 b/dev/tools/release/setversion.py
+@@ -8,7 +8,7 @@
+ * README.txt version
+ '''
+ 
+-import os, sys, re, datetime
++import os, sys, re, datetime, time
+ 
+ 
+ def setversion(version):
+@@ -47,7 +47,9 @@
+ 
+ 
+ def setreleasedate():
+-releasedate = str(datetime.date.today())
++releasedate = str(datetime.datetime.utcfromtimestamp(
++int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))
++).date())
+ pathname = os.path.abspath(os.path.dirname(__file__))
+ os.chdir(pathname)
+ os.chdir('../../../')
+--- a/docs_sphinx/conf.py
 b/docs_sphinx/conf.py
+@@ -99,8 +99,10 @@
+ 
+ # General information about the project.
+ project = 'Brian 2'
+-import datetime
+-copyright = '2012–{}, Brian authors'.format(datetime.datetime.today().year)
++import datetime, time
++copyright = '2012–{}, Brian 
authors'.format(datetime.datetime.utcfromtimestamp(
++int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))
++).year)
+ 
+ # The version info for the project you're documenting, acts as replacement for
+ # |version| and |release|, also used in various other places throughout the
+--- a/brian2/sphinxext/examplefinder.py
 b/brian2/sphinxext/examplefinder.py
+@@ -54,9 +54,9 @@
+ '''
+ name = obj.__name__
+ examples_map = get_examples_map()
+-examples = the_examples_map[name]
++examples = sorted(the_examples_map[name])
+ tutorials_map = get_tutorials_map()
+-tutorials = the_tutorials_map[name]
++tutorials = sorted(the_tutorials_map[name])
+ if len(examples+tutorials)==0:
+ return ''
+ txt = 'Tutorials and examples using this'
+--- a/brian2/sphinxext/generate_examples.py
 b/brian2/sphinxext/generate_examples.py
+@@ -160,7 +160,7 @@
+ category_additional_files[relpath].append((file, full_name))
+ with codecs.open(fname, 'rU', encoding='utf-8') as f:
+ content = f.read()
+-output = file + '\n' + '=' * len(title) + '\n\n'
++output = file + '\n' + '=' * len(file) + '\n\n'
+ output += '.. code:: none\n\n'
+ content_lines = ['\t' + l for l in content.split('\n')]
+ output += '\n'.join(content_lines)
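
Review bot: in the docs_sphinx/conf.py part, the new copyright line reads os.environ, but the import line it changes only adds time next to datetime; unless os is already imported earlier in conf.py the docs build stops with a NameError, so make that line "import datetime, os, time". The last part, which changes '=' * len(title) to '=' * len(file) in generate_examples.py, is not covered by the Description (timestamps, deterministic order); add a sentence saying how it affects reproducibility or move it to its own patch.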
diff --git a/debian/patches/series b/debian/patches/series
index 742a3d6c..257f3619 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 ignore_failing_test.patch
 privacy.patch
 gsl-compiler-arg.patch
+reproducible.patch
diff --git a/debian/rules b/debian/rules
index a0cd4b0c..d1719605 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,6 +1,7 @@
 #!/usr/bin/make -f
 # -*- makefile -*-
 
+export LANG=C.UTF-8 LC_ALL=C.UTF-8
 ifeq (,$(findstring get-orig-source, $(MAKECMDGOALS)))
 export  http_proxy=http://127.0.0.1:9/
 endif
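
Review bot: the added "export LANG=C.UTF-8 LC_ALL=C.UTF-8" has no comment and is not mentioned in the commit message or in the patch Description, so a later reader cannot tell which build step depended on the locale. LC_ALL already overrides LANG, so exporting LC_ALL alone is enough; add a one-line comment naming the step that needed a fixed UTF-8 locale.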
-- 
GitLab



Bug#987958: buster-pu: package liferea/1.12.6-1+deb10u1

2021-06-10 Thread Adam D. Barratt
On Thu, 2021-06-10 at 11:19 +0200, Paul Gevers wrote:
> Hi Adam,
> 
> On 30-05-2021 22:06, Paul Gevers wrote:
> > On Sun, 2 May 2021 20:23:30 +0200 Paul Gevers 
> > wrote:
> > > [ Reason ]
> > > It used to be enough to declare the liferea custom scheme as
> > > local to access resources with a file scheme, but for WebKit2Gtk
> > > >= 2.32 it looks like it is necessary to register the custom
> > > scheme with a handler.
> > > Although WebKit2Gtk hasn't been updated to 2.32 in stable yet, I
> > > understand that it will be relatively soon for security support
> > > reasons.
> > 
> > webkit2gtk 2.32.1-1~deb10u1 entered stable today. So this bug is
> > now
> > impacting liferea users in stable.
> 
> Upstream now has a blog post about it:
> 
> https://lzone.de/liferea/blog/Recent-WebKitGTK-HTML-renderer-instabilities?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+LifereaBlog+%28Liferea+Blog%29
> 
> I've just uploaded the version I had prepared.

Sorry, I could have sworn I replied to this the other day. :-(

Thanks for the update.

Regards,

Adam



Bug#989683: Fwd: [Bug 1968013] CVE-2021-31618 httpd: NULL pointer dereference on specially crafted HTTP/2 request

2021-06-10 Thread Yadd
On 10/06/2021 at 17:31, Yadd wrote:
> On 10/06/2021 at 14:07, Moritz Muehlenhoff wrote:
>> On Thu, Jun 10, 2021 at 02:02:05PM +0200, Yadd wrote:
>>> On 10/06/2021 at 12:16, Yadd wrote:
>>>> On 10/06/2021 at 11:51, Yadd wrote:
>>>>> Hi,
>>>>>
>>>>> Hopefully there is an available-and-simple fix for #989562
>>>>> (CVE-2021-31618) !
>>>>>
>>>>> Cheers,
>>>>> Yadd
>>>>
>>>> Here is the debdiff
>>>
>>> Updated with all CVE fixes. Thanks to security-tracker and its
>>> maintainers ;-)
>>>
>>> Cheers,
>>> Yadd
>>
>>> diff --git a/debian/changelog b/debian/changelog
>>> index b6096f7d..41cb8b28 100644
>>> --- a/debian/changelog
>>> +++ b/debian/changelog
>>> @@ -1,3 +1,12 @@
>>> +apache2 (2.4.38-3+deb10u5) buster-security; urgency=medium
>>> +
>>> +  * Fix "NULL pointer dereference on specially crafted HTTP/2 request"
>>> +(Closes: #989562, CVE-2021-31618)
>>> +  * Fix various low security issues (Closes: CVE-2020-13950, 
>>> CVE-2020-35452,
>>> +CVE-2021-26690, CVE-2021-26691, CVE-2021-30641)
>>
>> There's also https://security-tracker.debian.org/tracker/CVE-2019-17567
>> https://www.openwall.com/lists/oss-security/2021/06/10/2
>>
>> The CVE ID is from 2019, but it got public yesterday with the other fixes.
>>
>> Cheers,
>> Moritz
> 
> Hi,
> 
> this adds a non trivial patch (attached debdiff shows the difference
> with 2.4.46-6 which is already proposed in unblock issue (#989683). I
> had to modify significantly upstream patch. As proposed earlier, I think
> it should be more safe to upload Apache 2.4.48 in Bullseye instead of
> this increasingly deviant hybrid (already 7 CVEs patches!).
> 
> @release-team: please consider this new debdiff as a pre-approval for
> 2.4.46-7
> 
> Cheers,
> Yadd

And autopkgtest finally failed, so I'm not able to fix CVE-2019-31618...
(patch uses some other changes introduced in 2.4.47 or 2.4.48)



Bug#985066: mono-gac: messes with the unpacking of another package

2021-06-10 Thread Andreas Beckmann
Followup-For: Bug #985066

Hi,

attached is a new version of the patch that also solves some of the
circular dependency issues. That seems to fix all the upgrade issues I
encountered when upgrading mono packages from buster to bullseye.

Andreas
diff -Nru mono-6.8.0.105+dfsg/debian/changelog 
mono-6.8.0.105+dfsg/debian/changelog
--- mono-6.8.0.105+dfsg/debian/changelog2020-04-08 15:11:12.0 
+0200
+++ mono-6.8.0.105+dfsg/debian/changelog2021-03-31 13:38:34.0 
+0200
@@ -1,3 +1,24 @@
+mono (6.8.0.105+dfsg-4) UNRELEASED; urgency=medium
+
+  * mono-gac: Add Pre-Depends: mono-runtime-common (>= 5.20) and stop messing
+with /etc/mono/config manually. gacutil is used from hooks called by
+maintainer scripts and must stay functional even if unpacked and not yet
+configured.  (Closes: #985066)
+  * Move mono-gac dependency from mono-runtime-common to mono-runtime-sgen and
+mono-runtime-boehm to avoid introducing a new dependency cycle.
+  * libmono-system4.0-cil, libmono-system-configuration4.0-cil: Drop
+mono-runtime dependency, all their rdepends also depend on
+libmono-corlib4.5-cil which already has the mono-runtime dependency.
+  * Move the actual library from libmono-corlib4.5-cil to
+libmono-corlib4.5-core-cil and redirect the circular libmono-*
+dependencies there to break the dependency cycle between mono-runtime and
+libmono-*.  (Closes: #940301, #528090, #656895, #986275, #986293)
+  * mono-mcs: Clean up obsolete alternatives.  (Closes: #801789)
+  * Ship /etc/mono/registry/LocalMachine/.
+  * Clean up empty /usr/lib/mono/aot-cache/${MONOARCH}/.
+
+ -- Andreas Beckmann   Wed, 31 Mar 2021 13:38:34 +0200
+
 mono (6.8.0.105+dfsg-3) unstable; urgency=high
 
   * [2501df4] Workaround for gacutil System.Native mapping dependency 
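
Review bot: the first changelog item adds "Pre-Depends: mono-runtime-common (>= 5.20)" to mono-gac, and Debian Policy asks that a new Pre-Depends be discussed on debian-devel before it is uploaded. The entry should point to that discussion, or the covering message should say that it is still to be held.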
diff -Nru mono-6.8.0.105+dfsg/debian/control mono-6.8.0.105+dfsg/debian/control
--- mono-6.8.0.105+dfsg/debian/control  2020-02-25 22:34:26.0 +0100
+++ mono-6.8.0.105+dfsg/debian/control  2021-03-31 13:38:34.0 +0200
@@ -40,7 +40,6 @@
 Depends: ${shlibs:Depends},
  ${misc:Depends},
  binutils,
- mono-gac (= ${source:Version})
 Description: Mono runtime - common files
  Mono is a platform for running and developing applications based on the
  ECMA/ISO Standards. Mono is an open source effort led by Xamarin.
@@ -78,6 +77,7 @@
 Architecture: amd64 armel arm64 armhf i386 mipsel kfreebsd-amd64 kfreebsd-i386 
powerpc ppc64 ppc64el s390x
 Depends: ${shlibs:Depends},
  ${misc:Depends},
+ mono-gac (= ${source:Version}),
  mono-runtime-common (= ${binary:Version})
 Homepage: http://www.mono-project.com/Compacting_GC
 Description: Mono runtime - SGen
@@ -100,6 +100,7 @@
 Architecture: amd64 armel armhf i386 mipsel kfreebsd-amd64 kfreebsd-i386 
powerpc ppc64 ppc64el s390x
 Depends: ${shlibs:Depends},
  ${misc:Depends},
+ mono-gac (= ${source:Version}),
  mono-runtime-common (= ${binary:Version})
 Description: Mono runtime - Boehm
  Mono is a platform for running and developing applications based on the
@@ -663,7 +664,8 @@
 
 Package: libmono-corlib4.5-cil
 Architecture: all
-Depends: ${misc:Depends}, tzdata,
+Depends: ${misc:Depends},
+ libmono-corlib4.5-core-cil (= ${source:Version}),
  mono-runtime (>= ${mono:upversion}), mono-runtime (<< 
${mono:next-upversion})
 Recommends: libmono-i18n-west4.0-cil
 Suggests: libmono-i18n4.0-all
@@ -682,6 +684,26 @@
  US-ASCII, ISO 8859-1 (Latin 1) and UTF-8 users don't need any extra I18N
  packages.
 
+Package: libmono-corlib4.5-core-cil
+Architecture: all
+Depends: ${misc:Depends}, tzdata,
+Breaks: libmono-corlib4.5-cil (<< 6.8.0.105+dfsg-3.1~)
+Replaces: libmono-corlib4.5-cil (<< 6.8.0.105+dfsg-3.1~)
+Description: Mono core library (for CLI 4.5)
+ Mono is a platform for running and developing applications based on the
+ ECMA/ISO Standards. Mono is an open source effort led by Xamarin.
+ Mono provides a complete CLR (Common Language Runtime) including compiler and
+ runtime, which can produce and execute CIL (Common Intermediate Language)
+ bytecode (aka assemblies), and a class library.
+ .
+ This package contains the Core Library (mscorlib.dll) of Mono for CLI 4.5,
+ which is the glue between the BCL (Base Class Libraries) and the JIT.
+ .
+ You should install libmono-i18n-west4.0-cil if you are using
+ ISO 8859-15 (Latin 9) or other common Western European code pages.
+ US-ASCII, ISO 8859-1 (Latin 1) and UTF-8 users don't need any extra I18N
+ packages.
+
 Package: libmono-i18n4.0-all
 Architecture: all
 Depends: ${misc:Depends},
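
Review bot: in the new libmono-corlib4.5-core-cil stanza, Breaks and Replaces use (<< 6.8.0.105+dfsg-3.1~) while the changelog in this same diff names the version 6.8.0.105+dfsg-4. The relation still covers -3 and earlier, but the bound should match the version that actually moves the files, (<< 6.8.0.105+dfsg-4~), unless a -3.1 upload is planned. The Depends line of the stanza also ends in a dangling comma after tzdata.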
@@ -802,7 +824,7 @@
 Recommends: ca-certificates-mono (= ${source:Version})
 Depends: ${misc:Depends},
  ${cli:Depends},
- mono-runtime (>= ${mono:upversion}), mono-runtime (<< 
${mono:next-upversion})
+#mono-runtime (>= ${mono:upversion}), mono-runtime (<< 
${mono:next-upversion})
 Description: Mono System libraries (for CLI 4.0)
  Mono
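
Review bot: the mono-runtime dependency is dropped here by turning it into a '#' comment line inside the Depends field instead of deleting it. The changelog already records why the dependency goes away, so delete the line; the commented-out relation only leaves dead text in debian/control.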

Bug#932177: Please include apparmor profile directly in the package

2021-06-10 Thread intrigeri
Hi,

Eduard Bloch (2021-05-24):
> In case you have instructions on the proper process to get this fixed,
> please let me know.

Sure.

The operations involved don't meet the freeze policy, so we'll have to
wait until Bullseye is released.

tl;dr:

 - Import and install an AppArmor profile.

   I would suggest the profile that's maintained upstream
   as a cross-distribution effort there:
   https://gitlab.com/apparmor/apparmor-profiles
   … but that's obviously your call.

 - Do the usual "take over a conffile from another package" dance: add
   Breaks+Replaces against the first version of
   apparmor-profiles-extra that won't ship the apt-cacher-ng profile
   anymore (ideally with "~" appended). We'll need to coordinate.

 - Add build-depends on dh-apparmor

 - Add a call to dh_apparmor in debian/rules.

You'll find full, real-life examples in tcpdump 4.9.0-3, ntp
4.2.8p7+dfsg-1, and evince 3.20.0-2: they all took over AppArmor
profiles that used to be shipped in apparmor-profiles-extra,
which is great.

> apparmor maintenance seems to be a case for the MIA team, their
> contact address is still an Alioth mailing list.

To me it looks like you're jumping to rather drastic conclusions a bit
too hastily here.

FYI, the mailing list you're referring to works just fine. A number of
important and active teams in Debian have chosen to do the same.
For example, it's hard to argue that the Debian Perl group is a case
for the MIA team. It's true, however, that the Alioth mailing list
continuation project is not meant to live forever. We'll cross that
bridge once we get there.

The number of uploads you'll see there should hopefully reassure you
regarding MIA status of the AppArmor team:

https://tracker.debian.org/pkg/apparmor
https://tracker.debian.org/pkg/apparmor-profiles-extra

(To be honest, this team currently has only 2 active people, each
quite specialized, so like many other teams in Debian it's not
awesomely sustainable. Oh well.)

Cheers!
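
The four steps above, written as a lint that can be run over a source tree before upload. This is an added example, not part of intrigeri's message or of any package named in it; the package `exampled`, the profile name `usr.sbin.exampled` and the placeholder version are constructed.

```shell
#!/bin/sh
# Added example: check a Debian source tree for the four steps needed to take
# over an AppArmor profile from apparmor-profiles-extra.

# Print one control field with its continuation lines folded onto one line.
control_field() {  # $1 = debian/control, $2 = field name
    [ -r "$1" ] || return 0
    awk -v f="$2" '
        BEGIN { f = tolower(f) ":" }
        /^$/ { keep = 0 }
        /^[^ \t#]/ { keep = (tolower($1) == f) }
        keep && !/^#/ { printf "%s ", $0 }
        END { print "" }' "$1"
}

# Print one line per missing step; the return status is the number missing.
check_takeover() {  # $1 = source tree, $2 = profile file name
    tree=$1 profile=$2 fails=0
    ctl=$tree/debian/control rules=$tree/debian/rules

    # Step 1: the profile is shipped somewhere under debian/.
    if [ -z "$(find "$tree/debian" -type f -name "$profile" 2>/dev/null)" ]; then
        echo "missing: profile $profile under debian/"; fails=$((fails + 1))
    fi

    # Step 2: Breaks and Replaces against apparmor-profiles-extra, versioned
    # with "<<" so only releases that still ship the profile are affected.
    for field in Breaks Replaces; do
        value=$(control_field "$ctl" "$field")
        case $value in
            *"apparmor-profiles-extra (<<"*) ;;
            *) echo "missing: $field: apparmor-profiles-extra (<< VERSION~)"
               fails=$((fails + 1)) ;;
        esac
    done

    # Step 3: dh-apparmor is a build dependency.
    case $(control_field "$ctl" Build-Depends) in
        *dh-apparmor*) ;;
        *) echo "missing: Build-Depends on dh-apparmor"; fails=$((fails + 1)) ;;
    esac

    # Step 4: debian/rules calls dh_apparmor.
    if ! grep -q '^[[:space:]]*dh_apparmor' "$rules" 2>/dev/null; then
        echo "missing: dh_apparmor call in debian/rules"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample tree: package, profile name and version are made up.
make_sample_tree() {  # $1 = empty directory
    mkdir -p "$1/debian"
    : > "$1/debian/usr.sbin.exampled"
    cat > "$1/debian/control" <<'EOF'
Source: exampled
Build-Depends: debhelper-compat (= 13),
 dh-apparmor

Package: exampled
Architecture: any
Breaks: apparmor-profiles-extra (<< 0.0~placeholder~)
Replaces: apparmor-profiles-extra (<< 0.0~placeholder~)
EOF
    printf '#!/usr/bin/make -f\n%%:\n\tdh $@\n\noverride_dh_install:\n\tdh_install\n\tdh_apparmor --profile-name=usr.sbin.exampled -pexampled\n' \
        > "$1/debian/rules"
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample_tree "$d"
    if check_takeover "$d" usr.sbin.exampled; then
        echo "all four steps present"
    fi
    rm -rf "$d"
}
demo
```

The lint only checks that each step is present; the version in Breaks and Replaces still has to be agreed with the apparmor-profiles-extra maintainers, as the message says.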



Bug#989683: Fwd: [Bug 1968013] CVE-2021-31618 httpd: NULL pointer dereference on specially crafted HTTP/2 request

2021-06-10 Thread Yadd
On 10/06/2021 at 14:07, Moritz Muehlenhoff wrote:
> On Thu, Jun 10, 2021 at 02:02:05PM +0200, Yadd wrote:
>> On 10/06/2021 at 12:16, Yadd wrote:
>>> On 10/06/2021 at 11:51, Yadd wrote:
>>>> Hi,
>>>>
>>>> Hopefully there is an available-and-simple fix for #989562
>>>> (CVE-2021-31618) !
>>>>
>>>> Cheers,
>>>> Yadd
>>>
>>> Here is the debdiff
>>
>> Updated with all CVE fixes. Thanks to security-tracker and its
>> maintainers ;-)
>>
>> Cheers,
>> Yadd
> 
>> diff --git a/debian/changelog b/debian/changelog
>> index b6096f7d..41cb8b28 100644
>> --- a/debian/changelog
>> +++ b/debian/changelog
>> @@ -1,3 +1,12 @@
>> +apache2 (2.4.38-3+deb10u5) buster-security; urgency=medium
>> +
>> +  * Fix "NULL pointer dereference on specially crafted HTTP/2 request"
>> +(Closes: #989562, CVE-2021-31618)
>> +  * Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452,
>> +CVE-2021-26690, CVE-2021-26691, CVE-2021-30641)
> 
> There's also https://security-tracker.debian.org/tracker/CVE-2019-17567
> https://www.openwall.com/lists/oss-security/2021/06/10/2
> 
> The CVE ID is from 2019, but it got public yesterday with the other fixes.
> 
> Cheers,
> Moritz

Hi,

this adds a non trivial patch (attached debdiff shows the difference
with 2.4.46-6 which is already proposed in unblock issue (#989683). I
had to modify significantly upstream patch. As proposed earlier, I think
it should be more safe to upload Apache 2.4.48 in Bullseye instead of
this increasingly deviant hybrid (already 7 CVEs patches!).

@release-team: please consider this new debdiff as a pre-approval for
2.4.46-7

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index fa775057..25650ac5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apache2 (2.4.46-7) UNRELEASED; urgency=medium
+
+  * Fix mod_proxy_wstunnel to avoid HTTP validation bypass
+(Closes: CVE-2019-17567)
+
+ -- Yadd   Thu, 10 Jun 2021 17:19:55 +0200
+
 apache2 (2.4.46-6) unstable; urgency=medium
 
   * Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452,
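
Review bot: the new entry writes "(Closes: CVE-2019-17567)", and the context line for 2.4.46-6 does the same with further CVE ids; Closes: in debian/changelog is parsed for bug numbers, so these close nothing in the BTS. List the CVE ids in the item text and keep Closes: for bug numbers.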
diff --git a/debian/patches/CVE-2019-17567.patch 
b/debian/patches/CVE-2019-17567.patch
new file mode 100644
index ..0d9e3d51
--- /dev/null
+++ b/debian/patches/CVE-2019-17567.patch
@@ -0,0 +1,1854 @@
+Description: mod_proxy_wstunnel tunneling of non Upgraded connections
+ mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded
+ by the origin server was tunneling the whole connection regardless, thus
+ allowing for subsequent requests on the same connection to pass through
+ with no HTTP validation, authentication or authorization possibly
+ configured.
+Author: Apache authors
+Origin: upstream, 
http://people.apache.org/~ylavic/patches/2.4.x-mod_proxy_http-upgrade-4on5-v2.patch
+Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-17567
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2021-06-10
+
+--- a/modules/proxy/mod_proxy.c
 b/modules/proxy/mod_proxy.c
+@@ -314,7 +314,8 @@
+ }
+ }
+ else if (!strcasecmp(key, "upgrade")) {
+-if (PROXY_STRNCPY(worker->s->upgrade, val) != APR_SUCCESS) {
++if (PROXY_STRNCPY(worker->s->upgrade,
++  strcasecmp(val, "ANY") ? val : "*") != APR_SUCCESS) 
{
+ return apr_psprintf(p, "upgrade protocol length must be < %d 
characters",
+ (int)sizeof(worker->s->upgrade));
+ }
+--- a/modules/proxy/mod_proxy.h
 b/modules/proxy/mod_proxy.h
+@@ -725,6 +725,19 @@
+proxy_worker *worker);
+ 
+ /**
++ * Return whether a worker upgrade configuration matches Upgrade header
++ * @param p   memory pool used for displaying worker name
++ * @param worker  the worker
++ * @param upgrade the Upgrade header to match
++ * @param dfltdefault protocol (NULL for none)
++ * @return1 (true) or 0 (false)
++ */
++PROXY_DECLARE(int) ap_proxy_worker_can_upgrade(apr_pool_t *p,
++   const proxy_worker *worker,
++   const char *upgrade,
++   const char *dflt);
++
++/**
+  * Get the worker from proxy configuration
+  * @param pmemory pool used for finding worker
+  * @param balancer the balancer that the worker belongs to
+@@ -1181,6 +1194,40 @@
+  conn_rec *origin, apr_bucket_brigade 
*bb,
+  int flush);
+ 
++struct proxy_tunnel_conn; /* opaque */
++typedef struct {
++request_rec *r;
++const char *scheme;
++apr_pollset_t *pollset;
++apr_array_header_t *pfds;
++apr_interval_time_t timeout;
++struct proxy_tunnel_conn *client,
++ *origin;
++apr_size_t read_buf_size;
++int replied;
++} proxy_tunnel_rec;
++
++/**
++ * Create a tunnel, to be activated by ap_proxy_tunnel_
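
Review bot: the patch header says "Origin: upstream" and "Forwarded: not-needed", but the covering message says the upstream patch had to be modified significantly. Under DEP-3 that is "Origin: backport", and the Description should list what was changed relative to the upstream patch, so that reviewers can check the delta rather than all 1854 lines.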

Bug#989691: valgrind: please release 3.17.0 for DWARF 5 support

2021-06-10 Thread Hector Oron
Package: valgrind
Version: 3.17.0
Severity: wishlist

Dear maintainer,

  Please consider packaging (even to experimental) latest upstream
release, currently being 3.17.0, which turns out to be a DWARF 5
dependency I would like to use.

Regards
-- 
 Héctor Orón  -.. . -... .. .- -.   -.. . ...- . .-.. --- .--. . .-.



Bug#987874: [pre-approval] unblock: osspd/1.3.2-12

2021-06-10 Thread Paul Gevers
Hi Ralf,

On 03-06-2021 13:00, Ralf Jung wrote:
>> Changing compat levels is no longer acceptable for bullseye. Please
>> revert.
> 
> Ah, that's a bummer. I was not aware of this policy, sorry for that.
> Doing a revert upload sounds like a lot of hassle though that this
> package is probably not worth -- so in this case it likely makes more
> sense to simply remove the package from testing, and let it re-migrate
> after the release. The current testing version (1.3.2-11) is broken with
> current PulseAudio, so shipping it as-is makes no sense.

If you really think another upload is too much hassle, you could
convince us to unblock regardless if you build twice and show with
diffoscope that the compat bump doesn't impact the (binary) packages at all.

Paul





Bug#987370: node-pbkdf2: tests fail on armhf

2021-06-10 Thread Dylan Aïssi
tag 987370 + patch
thanks

Hi,

Please find attached a small patch which increases the timeout only for armhf.

Best,
Dylan
From: Dylan Aïssi 
Date: Thu, 10 Jun 2021 16:53:36 +0200
Subject: [PATCH] Increase dh_auto_test timeout for slow arch (Closes: #987370)

---
 debian/rules | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/debian/rules b/debian/rules
index 218df65..e7c5ca0 100755
--- a/debian/rules
+++ b/debian/rules
@@ -4,5 +4,12 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
+# Increase dh_auto_test timeout for slow arch
+# https://bugs.debian.org/987370
+include /usr/share/dpkg/architecture.mk
+ifeq ($(DEB_BUILD_ARCH),armhf)
+  export TAP_TIMEOUT=50
+endif
+
 %:
 	dh $@
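
Review bot: the comment and the subject line speak of slow architectures in general, but the ifeq only matches armhf, so any other slow builder still runs with the default timeout. Either export TAP_TIMEOUT unconditionally or test against a list with $(filter ...), and say in the comment which unit the value 50 is in.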
-- 
2.30.2



Bug#989593: installation report Raspberry Pi 4 UEFI

2021-06-10 Thread Cyril Brulebois
Marc Haber  (2021-06-09):
> I have attached the installer's syslog of a new installation. All
> issues that I reported were observed during this installation.

Thanks, this sticks out:

May 25 11:15:32 localechooser: info: System locale 
(debian-installer/locale) = 'en_US.UTF-8'
May 25 11:15:32 localechooser: info: Set debian-installer/language = 
'en_US:en'
May 25 11:15:32 debconf: Setting debconf/language to en_US:en
May 25 11:15:32 main-menu[261]: INFO: Falling back to the package 
description for brltty-udeb
May 25 11:15:32 main-menu[261]: INFO: Falling back to the package 
description for brltty-udeb
May 25 11:15:34 main-menu[261]: INFO: Falling back to the package 
description for brltty-udeb
May 25 11:15:34 main-menu[261]: INFO: Menu item 'console-setup-udeb' 
selected
May 25 11:15:37 main-menu[261]: (process:1290): setupcon: gzip is not 
accessible. Will not save cached keyboard map.
May 25 11:15:37 main-menu[261]: (process:1290): setupcon: gzip is not 
accessible. Will not save cached keyboard map.
May 25 11:15:37 main-menu[261]: (process:1290): ckbcomp-mini: 
/usr/share/console-setup/pc105.ekmap.gz does not exist
May 25 11:15:37 main-menu[261]: (process:1290): setupcon: gzip is not 
accessible. Will not save cached keyboard map.
May 25 11:15:37 main-menu[261]: (process:1290): setupcon: gzip is not 
accessible. Will not save cached keyboard map.
May 25 11:15:37 main-menu[261]: (process:1290): /bin/setupcon: line 722: 
can't create /etc/console-setup/cached_setup_keyboard.sh: nonexistent directory
May 25 11:15:37 main-menu[261]: (process:1290): /bin/setupcon: line 730: 
can't create /etc/console-setup/cached_setup_font.sh: nonexistent directory
May 25 11:15:37 main-menu[261]: (process:1290): /bin/setupcon: line 748: 
can't create /etc/console-setup/cached_setup_terminal.sh: nonexistent directory
May 25 11:15:37 main-menu[261]: (process:1290): chmod: 
/etc/console-setup/cached_setup_keyboard.sh: No such file or directory
May 25 11:15:37 main-menu[261]: (process:1290): chmod: 
/etc/console-setup/cached_setup_font.sh: No such file or directory
May 25 11:15:37 main-menu[261]: (process:1290): chmod: 
/etc/console-setup/cached_setup_terminal.sh: No such file or directory
May 25 11:15:37 main-menu[261]: (process:1290): ckbcomp-mini: 
/usr/share/console-setup/pc105.ekmap.gz does not exist

and might explain why your keyboard settings don't work right after
selecting the layout.

This seems also strange (even if I must confess I've never grepped for
s-s-d lines before):

Jun  9 16:20:40 base-installer: Using CD-ROM mount point /media/cdrom/
Jun  9 16:20:40 base-installer: Identifying...
Jun  9 16:20:40 base-installer: [27dc08d5c910ea7df2dee6e03e127e52-2]
Jun  9 16:20:40 base-installer: Scanning disc for index files...
Jun  9 16:20:41 base-installer: Found 1 package indexes, 0 source indexes, 
1 translation indexes and 0 signatures
Jun  9 16:20:41 base-installer: Found label 'Debian GNU/Linux testing 
_Bullseye_ - Official Snapshot arm64 NETINST 20210607-08:56'
Jun  9 16:20:41 base-installer: This disc is called:
Jun  9 16:20:41 base-installer: 'Debian GNU/Linux testing _Bullseye_ - 
Official Snapshot arm64 NETINST 20210607-08:56'
Jun  9 16:20:41 base-installer: Copying package lists...
Jun  9 16:20:41 base-installer: ^MReading Package Indexes... 0%^M
Jun  9 16:20:41 base-installer: ^MReading Package Indexes... 0%^M
Jun  9 16:20:41 base-installer: ^MReading Package Indexes... Done^M
Jun  9 16:20:41 base-installer: ^MReading Translation Indexes... 0%^M
Jun  9 16:20:41 base-installer: ^MReading Translation Indexes... Done^M
Jun  9 16:20:41 base-installer: Writing new source list
Jun  9 16:20:41 base-installer: Source list entries for this disc are:
Jun  9 16:20:41 base-installer: deb cdrom:[Debian GNU/Linux testing 
_Bullseye_ - Official Snapshot arm64 NETINST 20210607-08:56]/ bullseye main
Jun  9 16:20:41 base-installer: Repeat this process for the rest of the CDs 
in your set.
Jun  9 16:20:41 base-installer: Ign:1 cdrom://[Debian GNU/Linux testing 
_Bullseye_ - Official Snapshot arm64 NETINST 20210607-08:56] bullseye InRelease
Jun  9 16:20:41 base-installer: Err:2 cdrom://[Debian GNU/Linux testing 
_Bullseye_ - Official Snapshot arm64 NETINST 20210607-08:56] bullseye Release
Jun  9 16:20:41 base-installer:   Please use apt-cdrom to make this CD-ROM 
recognized by APT. apt-get update cannot be used to add new CD-ROMs
Jun  9 16:20:41 base-installer: Reading package lists...
Jun  9 16:20:41 base-installer:
Jun  9 16:20:41 base-installer: E: The repository 'cdrom://[Debian 
GNU/Linux testing _Bullseye_ - Official Snapshot arm64 NETINST 20210607-08:56] 
bullseye Release' does not have a Release file.
Jun  9 16:20:41 base-installer: warning: apt update failed: 100
Jun  9 16:20:41 base-installer: dpkg-divert: warning: diverting file 
'/sb

Bug#938924: zziplib: Python2 removal in sid/bullseye

2021-06-10 Thread Lukas Märdian

Hi!

> This has been fixed in 0.13.71, with that version it's just a matter
> of switching the build dep to python3.

Yes. But this is quite a version bump: Last update was a few years ago, 
the old Debian git repo does not exist anymore and the zzip project 
switched its build system from automake to cmake.


I started packaging the latest 0.13.72 release here: 
https://github.com/slyon/zziplib-debian


A refresh of the patches and double-check of the test system still needs 
to be done. But if somebody already wants to do a brief review, I'd 
appreciate any comments!


My dfsg tarball can be found here (removing some Windows binaries from 
the source, as documented in debian/copyright): 
http://people.ubuntu.com/~slyon/zzip/



Cheers, Lukas



Bug#980139: fc-cache failure

2021-06-10 Thread Jesse Hathaway
This still seems to be an issue, the script checks if the dejavu font is
present and if it is not it continues, but then the call to build the
fc-cache fails, presumably because no fonts are present in DESTDIR.



Bug#989619: task-kde-desktop: Wrong wallpaper installed on clean installation of Bullseye (Desktop & Lock)

2021-06-10 Thread Steve McIntyre
On Tue, Jun 08, 2021 at 08:56:14PM +0100, Andy Simpkins wrote:
>Package: task-kde-desktop
>Version: 3.67
>Severity: important
>
>Dear Maintainer,
>
>*** Reporter, please consider answering these questions, where
>appropriate ***
>
>   * What led up to the situation?
>   Testing Weekly builds of DI ready for release  (build 2021-06-07)
>   
>  * What exactly did you do (or not do) that was effective (or
>   ineffective)?
>  Clean installation into separate VMs of all installation
>media.  Only
>KDE desktop is affected.  All other desktops correctly install and
>select the 'Homeworld' wallpaper and lock screens.
>
>
>   * What was the outcome of this action?
>   KDE desktop installation had 'shell' as default wallpaper and as
>   'lockscreen'
>   
>  * What outcome did you expect instead?
>  I expected to see 'Homeworld' as the default wallpaper and lock
>screen
>- it wasn't 'shell' was set as the default.
>Homeworld was installed, just not as the active setting
>Login screen correctly showed 'homeworld'
>
>
>I believe that this would be an embarrassment if we fail to correctly
>theme the default desktop on KDE by bullseye release.
>Note I have also tested GNOME, XFCE, Gnome FlashBack, Cinnamon, Mate,
>LXQt, LXDE all successfully.

Confirmed here in bullseye rc2. I've tried all the desktops and all
are using the Debian Homeworld theme except Plasma.

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
  Mature Sporty Personal
  More Innovation More Adult
  A Man in Dandism
  Powered Midship Specialty



Bug#989687: unblock: openbabel/3.1.1+dfsg-6

2021-06-10 Thread Andrius Merkys
Control: tags -1 - moreinfo

Hi Graham,

On 2021-06-10 15:55, Graham Inggs wrote:
> On Thu, 10 Jun 2021 at 13:45, Andrius Merkys  wrote:
>> I am seeking pre-approval to upload openbabel/3.1.1+dfsg-6.
> 
> Please go ahead and upload to unstable, then remove the moreinfo tag.

Thanks! Uploaded openbabel/3.1.1+dfsg-6 and removed the moreinfo tag.

Best,
Andrius



Bug#989690: Add LOGO to /etc/os-release

2021-06-10 Thread Marco Trevisan
Source: base-files
Severity: normal

Dear Maintainer,

/etc/os-release can provide a logo name; this is now used by
gnome-control-center to show the logo in the info panel.

If Debian provided its logo name in this file, we would be able to
remove the downstream patch that forces the usage of
/usr/share/icons/vendor/scalable/emblems/emblem-vendor.svg



Bug#989680: mirror submission for debian.obspm.fr

2021-06-10 Thread Philippe HAMY
Hello Peter,
thanks for your help.
effectively, debian-backports is very old.
I just deleted it

@++

Philippe


On Thursday 10 Jun 2021 at 12:49:00 (+), Peter Palfrader wrote:
> On Thu, 10 Jun 2021, Philippe Hamy wrote:
> 
> > Site: debian.obspm.fr
> 
> Thanks!
> 
> I notice / also has a debian-backports.  That repository has been
> retired many many years ago when it was included in the main /debian/
> tree.  You should probably remove /debian-backports from your server.
> 
> -- 
> |  .''`.   ** Debian **
>   Peter Palfrader   | : :' :  The  universal
>  https://www.palfrader.org/ | `. `'  Operating System
> |   `-https://www.debian.org/



Bug#989681: unblock: libexplain/1.4.D001-11

2021-06-10 Thread Graham Inggs
Control: tags -1 + moreinfo confirmed

Hi Håvard

On Thu, 10 Jun 2021 at 10:21, Håvard Flaget Aasen
 wrote:
> Please unblock package libexplain

Please go ahead and upload to unstable, then remove the moreinfo tag.

Regards
Graham



Bug#989680: mirror submission for debian.obspm.fr

2021-06-10 Thread Peter Palfrader
On Thu, 10 Jun 2021, Philippe Hamy wrote:

> Site: debian.obspm.fr

Thanks!

I notice / also has a debian-backports.  That repository has been
retired many many years ago when it was included in the main /debian/
tree.  You should probably remove /debian-backports from your server.

-- 
|  .''`.   ** Debian **
  Peter Palfrader   | : :' :  The  universal
 https://www.palfrader.org/ | `. `'  Operating System
|   `-https://www.debian.org/



Bug#989687: unblock: openbabel/3.1.1+dfsg-6

2021-06-10 Thread Graham Inggs
Control: tags -1 + moreinfo confirmed

Hi Andrius

On Thu, 10 Jun 2021 at 13:45, Andrius Merkys  wrote:
> I am seeking pre-approval to upload openbabel/3.1.1+dfsg-6.

Please go ahead and upload to unstable, then remove the moreinfo tag.

Regards
Graham



Bug#989689: ansible-lint: Unable to resolve tag names

2021-06-10 Thread Peter Gerber
Package: ansible-lint
Version: 4.3.7-1
Severity: normal

Dear Maintainer,

Ansible-lint appears to be unable to resolve tag names. You can see
this, for instance, when calling `ansible-lint -T`:

$ ansible-lint -T
ANSIBLE0002 ['[201]']
ANSIBLE0004 ['[401]']
ANSIBLE0005 ['[402]']
ANSIBLE0006 ['[303]']
...
readability ['[502]']
repeatability ['[401]', '[402]', '[403]']
resources ['[302]', '[303]']
safety ['[305]']
task ['[501]', '[502]', '[503]', '[504]', '[505]']
unpredictability ['[208]']

For comparison, on Fedora, tag names are resolved properly:

$ ansible-lint -T
# List of tags and rules they cover
command-shell:  # Specific to use of command and shell modules
  - command-instead-of-module
  - command-instead-of-shell
  - deprecated-command-syntax
  - inline-env-var
  - no-changed-when
  - risky-shell-pipe
core:  # Related to internal implementation of the linter
  - internal-error
  - load-failure
  - parser-error
  - syntax-check

Granted, this is a newer version of ansible-lint, but the output
above still seems wrong to me.

Also, I noticed that I can't use tag names to disable a rule:

# noqa var-spacing

But it works when using a rule number:

# noqa 123

The same holds true for trying to use the name
in skip_list within .ansible-lint.


-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.12.9-1.fc25.qubes.x86_64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE
not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ansible-lint depends on:
ii  ansible2.10.7+merged+base+2.10.8+dfsg-1
ii  python33.9.2-3
ii  python3-pkg-resources  52.0.0-3
ii  python3-rich   9.11.0-1
ii  python3-ruamel.yaml0.16.12-2
ii  python3-yaml   5.3.1-4

ansible-lint recommends no packages.

ansible-lint suggests no packages.

-- no debconf information



Bug#989587: unblock: uacme/1.7.1-1

2021-06-10 Thread Graham Inggs
Control: tags -1 + confirmed

Hi Nicola

On Thu, 10 Jun 2021 at 08:33, Nicola Di Lieto  wrote:
> as requested I attach the source debdiff. Thank you.

Please go ahead and upload to unstable, then remove the moreinfo tag.

Regards
Graham



Bug#989682: RFS: libexplain/1.4.D001-11 [QA] [RC] -- library of system-call-specific strerror repl - development files

2021-06-10 Thread Håvard Flaget Aasen
Package: sponsorship-requests
Severity: important

Dear mentors,

I am looking for a sponsor for my package "libexplain":

 * Package name: libexplain
   Version : 1.4.D001-11
   Upstream Author : Peter Miller 
 * URL : http://libexplain.sourceforge.net/
 * License : GPL-3+, LGPL-3+
 * Vcs : https://salsa.debian.org/debian/libexplain
   Section : devel

It builds those binary packages:

  explain - utility to explain system call errors
  libexplain-doc - library of system-call-specific strerror repl -
documentation
  libexplain51 - library of system-call-specific strerror repl
  libexplain-dev - library of system-call-specific strerror repl -
development files

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/libexplain/

Alternatively, one can download the package with dget using this command:

  dget -x
https://mentors.debian.net/debian/pool/main/libe/libexplain/libexplain_1.4.D001-11.dsc

Changes since the last upload:

 libexplain (1.4.D001-11) unstable; urgency=medium
 .
   * QA upload.
   * d/control: Add libacl1-dev as dependency Closes: #962342


The unblock request is bug #989681 [0], not confirmed yet.

Regards,
Håvard

[0] https://bugs.debian.org/989681



Bug#989681: unblock: libexplain/1.4.D001-11

2021-06-10 Thread Håvard Flaget Aasen
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: haavard_aa...@yahoo.no

Please unblock package libexplain

Add missing dependency for package libexplain-dev Closes: #962342

[ Tests ]
Confirmed what the submitter wrote in the bug report.

[ Risks ]
None.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock libexplain/1.4.D001-11


*** libexplain.debdiff
diff -Nru libexplain-1.4.D001/debian/changelog 
libexplain-1.4.D001/debian/changelog
--- libexplain-1.4.D001/debian/changelog2020-05-18 16:16:07.0 
+0200
+++ libexplain-1.4.D001/debian/changelog2021-06-09 22:23:28.0 
+0200
@@ -1,3 +1,10 @@
+libexplain (1.4.D001-11) unstable; urgency=medium
+
+  * QA upload.
+  * d/control: Add libacl1-dev as dependency Closes: #962342
+
+ -- Håvard Flaget Aasen   Wed, 09 Jun 2021 22:23:28 
+0200
+
 libexplain (1.4.D001-10) unstable; urgency=medium
 
   [ Andreas Beckmann ]
diff -Nru libexplain-1.4.D001/debian/control libexplain-1.4.D001/debian/control
--- libexplain-1.4.D001/debian/control  2020-05-18 16:16:07.0 +0200
+++ libexplain-1.4.D001/debian/control  2021-06-09 22:20:43.0 +0200
@@ -63,6 +63,7 @@
  .
  This package contains the development files.
 Depends:
+ libacl1-dev,
  libexplain51 (= ${binary:Version}),
  lsof,
  ${misc:Depends},
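Review bot: The added `libacl1-dev` line in the `Depends:` of the development package is not explained anywhere in the debdiff; the changelog entry says only "Add libacl1-dev as dependency". Name in the changelog which installed header needs the ACL development files, so the dependency can be re-checked when the headers change.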


Bug#953972: ITP: golang-software.sslmate-src-go-pkcs12 -- Go library for encoding and decoding PKCS#12 files

2021-06-10 Thread Peymaneh Nejad



On 15.03.20 at 09:08, James Tocknell wrote:

Package: wnpp
Severity: wishlist
Owner: James Tocknell 

* Package name: golang-software.sslmate-src-go-pkcs12
   Version : 0.0~git20190322.6e380ad-1
   Upstream Author : SSLMate
* URL : https://github.com/SSLMate/go-pkcs12
* License : BSD-3-clause
   Programming Lang: Go
   Description : Go library for encoding and decoding PKCS#12 files

This is needed for https://github.com/FiloSottile/mkcert



Hi James

may I ask what's the status on this? I saw you did some initial packaging on 
this on salsa quite a while ago.


This is also needed for https://github.com/smallstep/cli that I wish to package. 
If you don't mind, I would like to pick up this ITP.


kind regards,
Peymaneh



Bug#989688: bsdmainutils FTBFS on musl-linux-arm64: error: expected identifier or ‘(’ before ‘[’ token

2021-06-10 Thread Helmut Grohne
Source: bsdmainutils
Version: 12.1.7+nmu3
Tags: patch
User: helm...@debian.org
Usertags: rebootstrap

bsdmainutils fails to build from source on musl-linux-arm64. There,
bits/stat.h happens to be included after bsdmainutils's freebsd.h and it
contains this line:

unsigned __unused[2];

This is bad as freebsd.h #defines __unused as the unused attribute. gcc
is not very amused.

Fortunately, __unused is unused in bsdmainutils, so we can quite simply
delete it at no loss. Please consider applying the attached patch.

Helmut
diff --minimal -Nru bsdmainutils-12.1.7+nmu3/debian/changelog 
bsdmainutils-12.1.7+nmu4/debian/changelog
--- bsdmainutils-12.1.7+nmu3/debian/changelog   2021-03-23 08:57:20.0 
+0100
+++ bsdmainutils-12.1.7+nmu4/debian/changelog   2021-06-10 13:50:06.0 
+0200
@@ -1,3 +1,11 @@
+bsdmainutils (12.1.7+nmu4) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Remove unused __unused macro from freebsd.h that is causing FTBFS on musl.
+(Closes: #-1)
+
+ -- Helmut Grohne   Thu, 10 Jun 2021 13:50:06 +0200
+
 bsdmainutils (12.1.7+nmu3) unstable; urgency=medium
 
   * Non-maintainer upload.
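Review bot: The new changelog entry still carries the reportbug placeholder `(Closes: #-1)` and the `UNRELEASED` distribution. Before upload the placeholder has to become the number of this report (#989688) and the distribution has to be set, otherwise the upload will not close the bug.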
diff --minimal -Nru bsdmainutils-12.1.7+nmu3/freebsd.h 
bsdmainutils-12.1.7+nmu4/freebsd.h
--- bsdmainutils-12.1.7+nmu3/freebsd.h  2018-01-30 11:07:30.0 +0100
+++ bsdmainutils-12.1.7+nmu4/freebsd.h  2021-06-10 13:49:50.0 +0200
@@ -3,6 +3,4 @@
 
 #define __FBSDID(X)
 
-#define __unused __attribute__((unused))
-
 #endif /* _FREEBSD_H_ */
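Review bot: Removing `#define __unused __attribute__((unused))` from freebsd.h is only safe if no source file in the package still uses `__unused`, and the patch itself carries no evidence of that. Record in the changelog entry that the tree was searched for remaining uses. The name is in the double-underscore namespace reserved for the implementation, which is why it collides with the libc header, so deleting it is preferable to renaming the libc field or reordering includes.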


Bug#989683: unblock: apache2/2.4.46-5

2021-06-10 Thread Yadd
Control: retitle -1 unblock: apache2/2.4.46-6


On 10/06/2021 at 12:21, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: secur...@debian.org
> 
> Please unblock package apache2
> 
> [ Reason ]
> Apache2 is vulnerable to a denial of service due to a NULL pointer
> dereference on specially crafted HTTP/2 request (#989562,
> CVE-2021-31618)
> 
> [ Impact ]
> Denial of service
> 
> [ Tests ]
> No new test
> 
> [ Risks ]
> Patch is really trivial
> 
> [ Checklist ]
>   [X] all changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in testing
> 
> unblock apache2/2.4.46-5

I added also fixes for other CVEs published with 2.4.48 release. All
these patches are trivial.

Cheers,
Yadd

unblock apache2/2.4.46-6
diff --git a/debian/changelog b/debian/changelog
index 8a02325f..fa775057 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+apache2 (2.4.46-6) unstable; urgency=medium
+
+  * Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452,
+CVE-2021-26690, CVE-2021-26691, CVE-2021-30641)
+
+ -- Yadd   Thu, 10 Jun 2021 13:40:11 +0200
+
+apache2 (2.4.46-5) unstable; urgency=medium
+
+  * Fix "NULL pointer dereference on specially crafted HTTP/2 request"
+(Closes: #989562, CVE-2021-31618)
+
+ -- Yadd   Thu, 10 Jun 2021 11:57:38 +0200
+
 apache2 (2.4.46-4) unstable; urgency=medium
 
   * Ignore other random another test failures (Closes: #979664)
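Review bot: Both new changelog entries put CVE ids inside `Closes:` (`Closes: CVE-2020-13950, ...` and `Closes: #989562, CVE-2021-31618`), but `Closes:` is for Debian bug numbers; list the CVE ids as plain text next to the fix instead. The 2.4.46-6 entry also groups five CVEs under "Fix various low security issues"; one bullet per CVE naming the affected module would let a reader match each id to its patch file.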
diff --git a/debian/patches/CVE-2020-13950.patch 
b/debian/patches/CVE-2020-13950.patch
new file mode 100644
index ..cf0ef992
--- /dev/null
+++ b/debian/patches/CVE-2020-13950.patch
@@ -0,0 +1,28 @@
+Description: The proxy connection may be NULL during prefetch, don't try to 
dereference it!
+ Still origin->keepalive will be set according to p_conn->close by the caller
+ (proxy_http_handler).
+Author: Apache authors
+Origin: upstream, https://svn.apache.org/r1678771
+Bug: 
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2021-06-10
+
+--- a/modules/proxy/mod_proxy_http.c
 b/modules/proxy/mod_proxy_http.c
+@@ -577,7 +577,6 @@
+ apr_off_t bytes;
+ int force10, rv;
+ apr_read_type_e block;
+-conn_rec *origin = p_conn->connection;
+ 
+ if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) {
+ if (req->expecting_100) {
+@@ -637,7 +636,6 @@
+   "chunked body with Content-Length (C-L ignored)",
+   c->client_ip, c->remote_host ? c->remote_host: "");
+ req->old_cl_val = NULL;
+-origin->keepalive = AP_CONN_CLOSE;
+ p_conn->close = 1;
+ }
+ 
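Review bot: The header of this new patch has an empty `Bug:` field, while the other CVE patches in this debdiff point that field at the upstream advisory entry; fill it the same way or drop the field. The `Description:` also never mentions the CVE id the file is named after, so a reader cannot tell from the header alone that removing the `origin` dereference in the two hunks is the security fix.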
diff --git a/debian/patches/CVE-2020-35452.patch 
b/debian/patches/CVE-2020-35452.patch
new file mode 100644
index ..52042108
--- /dev/null
+++ b/debian/patches/CVE-2020-35452.patch
@@ -0,0 +1,27 @@
+Description: 
+Author: Apache authors
+Origin: upstream, https://github.com/apache/httpd/commit/3b6431e
+Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-35452
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2021-06-10
+
+--- a/modules/aaa/mod_auth_digest.c
 b/modules/aaa/mod_auth_digest.c
+@@ -1422,9 +1422,14 @@
+ time_rec nonce_time;
+ char tmp, hash[NONCE_HASH_LEN+1];
+ 
+-if (strlen(resp->nonce) != NONCE_LEN) {
++/* Since the time part of the nonce is a base64 encoding of an
++ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
++ */
++if (strlen(resp->nonce) != NONCE_LEN
++|| resp->nonce[NONCE_TIME_LEN - 1] != '=') {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
+-  "invalid nonce %s received - length is not %d",
++  "invalid nonce '%s' received - length is not %d "
++  "or time encoding is incorrect",
+   resp->nonce, NONCE_LEN);
+ note_digest_auth_failure(r, conf, resp, 1);
+ return HTTP_UNAUTHORIZED;
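Review bot: `Description:` is empty in this patch header, so nothing states what the added condition at `@@ -1422,9 +1422,14 @@` is for; a one-line summary (the nonce must be `NONCE_LEN` long and its time part must end in '=') would cover it. The error path also still logs `resp->nonce`, a client-supplied value, now wrapped in quotes; confirm that the logging call escapes it before it reaches the error log.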
diff --git a/debian/patches/CVE-2021-26690.patch 
b/debian/patches/CVE-2021-26690.patch
new file mode 100644
index ..5ceec1fd
--- /dev/null
+++ b/debian/patches/CVE-2021-26690.patch
@@ -0,0 +1,20 @@
+Description: 
+Author: Apache authors
+Origin: upstream, https://github.com/apache/httpd/commit/67bd9bfe
+Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-26690
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2021-06-10
+
+--- a/modules/session/mod_session.c
 b/modules/session/mod_session.c
+@@ -405,8 +405,8 @@
+ char *plast = NULL;
+ const char *psep = "=";
+ char *key = apr_strtok(pair, psep, &plast);
+-char *val = apr_strtok(NULL, psep, &plast);
+ if (key && *key) {
++  char *val = apr_strtok(NULL, sep, &plast);
+ if (!val || !*val) {
+ apr_table_unset(z->entries, key);
+   
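Review bot: The `apr_strtok` call for `val` is not only moved inside `if (key && *key)`, its delimiter also changes from `psep` to `sep`, and `sep` is not declared anywhere in the visible hunk. With `Description:` left empty, nothing says whether that change is intended; state it in the header and check it against the upstream commit named in `Origin:`. The added line is also indented differently from its neighbours.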

Bug#989687: unblock: openbabel/3.1.1+dfsg-6

2021-06-10 Thread Andrius Merkys
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear release-team,

I am seeking pre-approval to upload openbabel/3.1.1+dfsg-6.

[ Reason ]
In many places of openbabel/3.1.1+dfsg-5 version string of '3.1.0' is
stored instead of the correct one, '3.1.1'. This has been fixed
upstream, and the fix is backported as openbabel/3.1.1+dfsg-6 via patch.

[ Impact ]
Without the fix, the command line tool 'obabel' reports '3.1.0' as its
version, and this may lead to misunderstandings in bullseye. An incorrect
version number will also appear in files generated via 'obabel'.
Open Babel's pkgconfig lists '3.1.0' too.

[ Tests ]
* Built on clean sid chroot;
* Upstream test suite and autopkgtest pass.
* Test-rebuilt all reverse-dependencies in testing using ratt.

[ Risks ]
Most likely none.

[ Checklist ]
  [*] all changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] diff in salsa.d.o instead of debdiff: [1]

unblock openbabel/3.1.1+dfsg-6

[1]
https://salsa.debian.org/debichem-team/openbabel/-/compare/debian%2F3.1.1+dfsg-5...fix-version-number

Best,
Andrius



Bug#989686: RM: gcc-cross-support/experimental -- ROM; is being implemented in gcc packaging

2021-06-10 Thread Helmut Grohne
Package: ftp.debian.org
Control: block 989685 by -1

Dear ftp master,

please remove the source package src:gcc-cross-support from
experimental. Its purpose was to be a proof of concept. It is now being
implemented in gcc-defaults via #989685. src:gcc-defaults will take over
most of the binary package names formerly provided by this source
package.

Helmut



Bug#989498: unblock: golang-1.15/1.15.9-5

2021-06-10 Thread Shengjing Zhu
On Sun, Jun 06, 2021 at 10:16:15PM +0200, Paul Gevers wrote:
> So let's keep this bug open to keep track of this and only close it when
> all rebuilds have migrated. Please know that I expect the golang team to
> keep an eye on this too and warn us if anything is going wrong or takes
> longer than expected. Please refrain from uploading any of the reverse
> dependencies until their rebuild has migrated.
> 

Most packages have been migrated today. However, the following packages are
missing an unblock for binNMU.

+ delve/1.6.1-1
+ golang-github-sylabs-sif/1.0.9-2/ mipsel and mips64el only
+ runc/1.0.0~rc93+ds1-5



Bug#989684: Geequie crashed on startup with "X Window System error"

2021-06-10 Thread Jörg Sommer
Package: geeqie
Version: 1:1.6-9
Severity: normal

Hi,

when I start geeqie I get this:

```
% GDK_SYNCHRONIZE=1 geeqie

(geeqie:3890142): dbind-WARNING **: 11:32:24.999: AT-SPI: Error retrieving 
accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: The name 
org.a11y.Bus was not provided by any .service files

(geeqie:3890142): Gdk-ERROR **: 11:32:25.991: The program 'geeqie' received an 
X Window System error.
This probably reflects a bug in the program.
The error was 'GLXBadDrawable'.
  (Details: serial 7479 error_code 160 request_code 152 (GLX) minor_code 29)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the GDK_SYNCHRONIZE environment
   variable to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)
zsh: trace trap (core dumped)  GDK_SYNCHRONIZE=1 geeqie
```

This is the backtrace:

```
   PID: 3890142 (geeqie)
   UID: 1000 (joerg)
   GID: 1000 (joerg)
Signal: 5 (TRAP)
 Timestamp: Thu 2021-06-10 11:32:25 CEST (1h 16min ago)
  Command Line: geeqie
Executable: /usr/bin/geeqie
 Control Group: 
/user.slice/user-1000.slice/user@1000.service/app.slice/awesome.service
  Unit: user@1000.service
 User Unit: awesome.service
 Slice: user-1000.slice
 Owner UID: 1000 (joerg)
   Boot ID: f1e1e7fe6b0449b6ba3a21c1312f8ce2
Machine ID: 523cb54753234ed08c13ec497d0d3b64
  Hostname: zenbook
   Storage: 
/var/lib/systemd/coredump/core.geeqie.1000.f1e1e7fe6b0449b6ba3a21c1312f8ce2.3890142.162331754500.zst
 (present)
 Disk Size: 12.8M
   Message: Process 3890142 (geeqie) of user 1000 dumped core.

Stack trace of thread 3890142:
#0  0x7f01b67a1677 g_log_writer_default (libglib-2.0.so.0 + 
0x5c677)
#1  0x7f01b679f787 g_log_structured_array (libglib-2.0.so.0 
+ 0x5a787)
#2  0x7f01b67a0282 g_log_structured_standard 
(libglib-2.0.so.0 + 0x5b282)
#3  0x7f01b6cc9bda _gdk_x11_display_error_event 
(libgdk-3.so.0 + 0x66bda)
#4  0x7f01b6cd6f63 gdk_x_error (libgdk-3.so.0 + 0x73f63)
#5  0x7f01b561a754 _XError (libX11.so.6 + 0x46754)
#6  0x7f01a815ef6b __glXSendError (libGLX_mesa.so.0 + 
0x33f6b)
#7  0x7f01a8161ac1 __glXGetDrawableAttribute 
(libGLX_mesa.so.0 + 0x36ac1)
#8  0x7f01b6090c58 _cogl_winsys_onscreen_get_buffer_age 
(libcogl.so.20 + 0x7cc58)
#9  0x7f01b6119c56 clutter_stage_cogl_redraw 
(libclutter-1.0.so.0 + 0x42c56)
#10 0x7f01b611d02b clutter_stage_gdk_redraw 
(libclutter-1.0.so.0 + 0x4602b)
#11 0x7f01b6188d7c clutter_stage_do_redraw 
(libclutter-1.0.so.0 + 0xb1d7c)
#12 0x7f01b611c695 master_clock_update_stage 
(libclutter-1.0.so.0 + 0x45695)
#13 0x7f01b688c65f g_closure_invoke (libgobject-2.0.so.0 + 
0x1465f)
#14 0x7f01b689e99b signal_emit_unlocked_R 
(libgobject-2.0.so.0 + 0x2699b)
#15 0x7f01b68a4c6f g_signal_emit_valist 
(libgobject-2.0.so.0 + 0x2cc6f)
#16 0x7f01b68a51df g_signal_emit (libgobject-2.0.so.0 + 
0x2d1df)
#17 0x7f01b6ca751e gdk_frame_clock_paint_idle 
(libgdk-3.so.0 + 0x4451e)
#18 0x7f01b6c91de9 gdk_threads_dispatch (libgdk-3.so.0 + 
0x2ede9)
#19 0x7f01b67992e4 g_timeout_dispatch (libglib-2.0.so.0 + 
0x542e4)
#20 0x7f01b679875f g_main_dispatch (libglib-2.0.so.0 + 
0x5375f)
#21 0x7f01b6798b08 g_main_context_iterate (libglib-2.0.so.0 
+ 0x53b08)
#22 0x7f01b6798dfb g_main_loop_run (libglib-2.0.so.0 + 
0x53dfb)
#23 0x7f01b6fb43c5 gtk_main (libgtk-3.so.0 + 0x24c3c5)
#24 0x55bc7d3b29f6 n/a (geeqie + 0x759f6)
#25 0x7f01b5743d0a __libc_start_main (libc.so.6 + 0x26d0a)
#26 0x55bc7d3b361a n/a (geeqie + 0x7661a)

Stack trace of thread 3890147:
#0  0x7f01b58103ff __GI___poll (libc.so.6 + 0xf33ff)
#1  0x7f01b6798a9e g_main_context_poll (libglib-2.0.so.0 + 
0x53a9e)
#2  0x7f01b6798bbf g_main_context_iteration 
(libglib-2.0.so.0 + 0x53bbf)
#3  0x7f01b6798c11 glib_worker_main (libglib-2.0.so.0 + 
0x53c11)
#4  0x7f01b67c227d g_thread_proxy (libglib-2.0.so.0 + 
0x7d27d)
#5  0x7f01b58ecea7 start_thread (libpthread.so.0 + 0x8ea7)
#6  0x7f01b581adef __clone (libc.so.6 + 0xfddef)

Stack trace of thread 3890143:
#0  0x7f01b58f37b2 futex_wait_ca

Bug#987816:

2021-06-10 Thread Dylan Aïssi
tag 987816 fixed-upstream + patch
thanks

Upstream patch is available at:
https://github.com/dask/distributed/commit/668f3f1d38



Bug#989683: unblock: apache2/2.4.46-5

2021-06-10 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: secur...@debian.org

Please unblock package apache2

[ Reason ]
Apache2 is vulnerable to a denial of service due to a NULL pointer
dereference on specially crafted HTTP/2 request (#989562,
CVE-2021-31618)

[ Impact ]
Denial of service

[ Tests ]
No new test

[ Risks ]
Patch is really trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock apache2/2.4.46-5
diff --git a/debian/changelog b/debian/changelog
index 8a02325f..7ddeb00a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apache2 (2.4.46-5) unstable; urgency=medium
+
+  * Fix "NULL pointer dereference on specially crafted HTTP/2 request"
+(Closes: #989562, CVE-2021-31618)
+
+ -- Yadd   Thu, 10 Jun 2021 11:57:38 +0200
+
 apache2 (2.4.46-4) unstable; urgency=medium
 
   * Ignore other random another test failures (Closes: #979664)
diff --git a/debian/patches/CVE-2021-31618.patch 
b/debian/patches/CVE-2021-31618.patch
new file mode 100644
index ..12d59c8b
--- /dev/null
+++ b/debian/patches/CVE-2021-31618.patch
@@ -0,0 +1,20 @@
+Description: fix NULL pointer dereference on specially crafted HTTP/2 request
+Author: Upstream
+Origin: upstream, 
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/h2_stream.c?r1=1889759&r2=1889758&pathrev=1889759
+Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618
+Bug-Debian: https://bugs.debian.org/989562
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2021-06-10
+
+--- a/modules/http2/h2_stream.c
 b/modules/http2/h2_stream.c
+@@ -638,7 +638,7 @@
+ 
+ static void set_error_response(h2_stream *stream, int http_status)
+ {
+-if (!h2_stream_is_ready(stream)) {
++if (!h2_stream_is_ready(stream) && stream->rtmp) {
+ conn_rec *c = stream->session->c;
+ apr_bucket *b;
+ h2_headers *response;
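Review bot: With the added `&& stream->rtmp` condition, `set_error_response` now returns without doing anything when `stream->rtmp` is NULL, so no error response is recorded for that stream. The patch header should say what the caller does with the stream in that case. The unblock request lists "No new test", so the behaviour on this path rests on code reading alone; a note on how the fix was verified would help the release team.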
diff --git a/debian/patches/series b/debian/patches/series
index 20bc4b61..8dfa2af8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@ tlsv13-add-logno.diff
 # This patch is applied manually
 #suexec-custom.patch
 spelling-errors.diff
+CVE-2021-31618.patch


Bug#989317: systemd kill background processes after user logs out (#825394 regression)

2021-06-10 Thread Michael Biebl

Control: reassign -1 lxc

As discussed on #debian-release, I'm going to reassign this bug report 
to lxc as peb has plans to add a helper script which intends to improve 
the user experience when running unprivileged containers under cgroupv2.

Quoting the relevant part from IRC:


my reason for asking is that I'd like to add an helper script to the package
currently, under pure CGroups v2 systemd hosts, an unprivileged container can't 
be started without running a systemd-run --user command with some tweaks
I'd like to provide the users with a lxc-unpriv-start script that'll do the 
needed work or give them hints on what to do
anymore because systemd gets in the way. Using systemd for this, 



[...]


A short summary: Debian bullseye switched to cgroupv2 which now makes it 
necessary to run lxc-start as unprivileged user via "systemd-run -p 
Delegate=yes".
This in turn makes the lxc processes part of the systemd --user session, 
not the login session. Which in turn requires "linger" to enable daemon 
processes to persist once a user logs out.


Maybe I missed something and linger is the only option in this case (and 
lxc's README.Debian could have a note about this). Or maybe there is a 
different way to achieve what Matt is trying to do?










Bug#988662: unblock: apt/2.2.4

2021-06-10 Thread Julian Andres Klode
Control: retitle -1 unlock: apt/2.2.4
Control: tag -1 - moreinfo

On Sat, Jun 05, 2021 at 07:46:19PM +0200, Julian Andres Klode wrote:
> On Tue, Jun 01, 2021 at 10:09:44PM +0200, Paul Gevers wrote:
> > Control: tags -1 moreinfo
> > 
> > Hi Julian,
> > 
> > Sorry it took so long to reply; pre-approvals are regularly awkward.
> > 
> > On Mon, 17 May 2021 17:07:08 +0200 Julian Andres Klode 
> > wrote:
> > > Please unblock package apt
> > 
> > Can you elaborate how severe do you think these issues are? I mean, I
> > guess you were in doubt if they qualify for the freeze policy (typically
> > if the maintainer doubts, the update doesn't qualify). Or were there
> > different reasons why you didn't just upload and ask for a regular unblock?
> 
> My understanding is that release team prefers pre-approvals for more
> complex uploads in key packages where it's not just one RC bug being
> fixed or well "it's how we always do it, except for emergency hotfixes".
> 
> > 
> > To me it seems:
> 
> We also found out that the JSON hooks are being installed by snapd, so
> people with that installed might actually see bugs, though we haven't
> seen them before (not sure why it works :D).
> 
> > * The EOF could be a real thing, but the bug was reported by you and
> > only found during testing. Is this a regression or has it long been there?
> 
> It's been there forever, but it's not triggered in testing before for
> unknown reasons. It's making it harder for me to 
> 
> > * TLS handshake is nice to have (for consistency).
> 
> It's vital to ensure people get sensible re
> 
> > * phased policy isn't a thing in Debian, so not relevant AFAICT
> 
> Not at the moment, but the fix doesn't hurt us either, and would allow
> us (or people deploying Debian w/ custom repos) to make use of it in the
> future.
> 
> > 
> > I'm tempted to NACK.
> 
> It seems we have another more important bug in file quoting reported on
> IRC today that can break downloads from repos that used to work if they
> contained "special" characters:
> https://salsa.debian.org/apt-team/apt/-/merge_requests/175
> 
> I've not looked into it much yet.
> 
> Would you be tempted to NACK those small bug fixes (they are after all,
> except for JSON, all single or two line logic or return value fixes) if
> they accompanied the more critical bug fix?
> 
> 
> Also not sure if we want all of those 3 commits or just the first
> one. I can look into it in detail on Monday.

I had not received a reply, so I went ahead, included the first of
those changes into the existing 2.2.4 and uploaded it to unstable
as the URL quoting regression made this release critical.

In case you are not aware of the background: We used to have all
URLs in the acquire system decoded and then quoted them when doing
GET; which caused bugs - we had to dequote URLs we got for redirects,
and then the requoting quoted stuff differently, so files were not
found. This was fixed in 2.1.15, but we missed 2 out of 3 places
where the URL is built for .*deb files. The ones most used even :/
Scary set of changes :)

This means that ugh, if the package name includes epochs, it will
fail to download. Not a problem for dak repos, but um, apparently
there are repos out there that do include them...

Let's have a look at the code parts of the diff, here in
the form of the git diff, as filtering that was a bit easier
- I left out the doc typo fix, and the large swath of improved
and added tests. Full debdiff is attached.

I'll start by looking at the acquire quoting changes. 

I'm not sure how this bit plays into the Filename field specifically
(because pkgAcqArchive is not a subclass of pkgAcqFile),
but DonKult included it in the commit, so there must be a reason for
it. Certainly it was wrong.

Original state: URLs used to be unquoted, so local filenames were unquoted too.

In 2.1.15-2.2.3: URLs can be passed in quoted or unquoted, and will be
quoted if spaces are in there (or no %). That optional quoting happened after
determining the destination filename, so filenames were still unquoted -
unless you happen to call with a quoted filename already in which case,
ugh bad. So, super inconsistent.

For 2.2.4: Filename is always quoted at the start if not quoted yet, and
then dequoted for local destination filename, ensuring that we download
to the same filename whether you pass in the name pre-quoted or it's
quoted on demand.

diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 90bcc50fa..73d2b0c8a 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -3852,16 +3852,16 @@ pkgAcqFile::pkgAcqFile(pkgAcquire *const Owner, 
string const &URI, HashStringLis
   const string &DestDir, const string 
&DestFilename,
   bool const IsIndexFile) : Item(Owner), 
d(NULL), IsIndexFile(IsIndexFile), ExpectedHashes(Hashes)
 {
+   ::URI url{URI};
+   if (url.Path.find(' ') != std::string::

Bug#980311: Fix available!

2021-06-10 Thread Wolfram Sang

Okay, I found a scanner here which needs the same driver and the fix in
this merge request fixes it for me:

https://gitlab.com/sane-project/backends/-/merge_requests/634

The attached patch should apply on 1.0.32 at least, probably earlier
versions, too. It should be upstream with 1.0.33 then.

Hope it helps!

From 63942f7a7473496d1160f02f5c1da3620525690d Mon Sep 17 00:00:00 2001
From: Wolfram Sang 
Date: Thu, 10 Jun 2021 11:32:04 +0200
Subject: [PATCH] gt68xx: fix use-after-free and two mem leaks

The config file argument needs to be freed when a device is not set.
That was missed for two occasions. The other occasion was freeing it
unconditionally leading to a use-after-free for the regular use case.

Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980311

This is the least intrusive fix. The code really wants to be refactored.
Tested with a Mustek 1200 UB Plus.
---
 backend/gt68xx.c | 22 +++---
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/backend/gt68xx.c b/backend/gt68xx.c
index 6e43765d3..08919287a 100644
--- a/backend/gt68xx.c
+++ b/backend/gt68xx.c
@@ -1174,8 +1174,11 @@ static SANE_Status probe_gt68xx_devices(void)
new_dev[i]->model->firmware_name);
 }
   if (i == 0)
-DBG (5, "sane_init: firmware %s can't be loaded, set device "
- "first\n", word);
+{
+  DBG (5, "sane_init: firmware %s can't be loaded, set device "
+   "first\n", word);
+  free (word);
+}
 }
   else
 {
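Review bot: In the new braced `i == 0` block for the firmware case, `word` still holds the freed address after `free (word);`. Adding `word = NULL;` directly after the free would make any later read of it in `probe_gt68xx_devices` fail visibly instead of touching freed memory.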
@@ -1198,8 +1201,11 @@ static SANE_Status probe_gt68xx_devices(void)
new_dev[i]->model->name, new_dev[i]->model->vendor);
 }
   if (i == 0)
-DBG (5, "sane_init: can't set vendor name %s, set device "
- "first\n", word);
+{
+  DBG (5, "sane_init: can't set vendor name %s, set device "
+   "first\n", word);
+  free (word);
+}
 }
   else
 {
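Review bot: The vendor branch depends on an ownership rule that is written down nowhere in the code: `word` is freed only when `i == 0`, so in the other case the string has to stay allocated, presumably because `new_dev[i]->model->vendor` keeps pointing at it. A one-line comment above `free (word);` stating who owns `word` in each case would stop a later cleanup from re-adding an unconditional free.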
@@ -1221,9 +1227,11 @@ static SANE_Status probe_gt68xx_devices(void)
new_dev[i]->model->name, new_dev[i]->model->model);
 }
   if (i == 0)
-DBG (5, "sane_init: can't set model name %s, set device "
- "first\n", word);
-  free (word);
+{
+  DBG (5, "sane_init: can't set model name %s, set device "
+   "first\n", word);
+  free (word);
+}
 }
   else
 {
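Review bot: This is the third copy of the same `if (i == 0) { DBG (...); free (word); }` block in `probe_gt68xx_devices`, differing only in the message text. The unconditional `free (word);` removed here shows how one copy drifted from the other two; a small helper that takes the message and `word` would keep the firmware, vendor and model cases in step, in line with the refactoring the commit message already asks for.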
-- 
2.30.2





Bug#989513: unblock: galera-4/26.4.8-1

2021-06-10 Thread Paul Gevers
Control: tags -1 moreinfo

Dear Otto,

On 06-06-2021 03:47, Otto Kekäläinen wrote:
> Please unblock package galera-4 to fix MariaDB upgrade as reported in #988089.

I appreciate a fix for that bug, but did you really have to do that by
uploading a new upstream release too? How is the new upstream release
related to that bug?

> [ Risks ]
> Low, leaf package.

Nope, the package is a key package.

> This also introduces the latest upstream version. It has already been
> in Sid for a while without reported regressions, and in general Galera
> packages have been very low on regressions.

But that is totally not in line with our freeze policy [1][2]. Please
revert the upstream release while fixing 988089.

Paul

[1] https://release.debian.org/bullseye/freeze_policy.html
[2] https://release.debian.org/bullseye/FAQ.html





Bug#987958: buster-pu: package liferea/1.12.6-1+deb10u1

2021-06-10 Thread Paul Gevers
Hi Adam,

On 30-05-2021 22:06, Paul Gevers wrote:
> On Sun, 2 May 2021 20:23:30 +0200 Paul Gevers  wrote:
>> [ Reason ]
>> It used to be enough to declare the liferea custom scheme as local to
>> access resources with a file scheme, but for WebKit2Gtk >= 2.32 it looks
>> like it is necessary to register the custom scheme with a handler.
>> Although WebKit2Gtk hasn't been updated to 2.32 in stable yet, I
>> understand that it will be relatively soon for security support reasons.
> 
> webkit2gtk 2.32.1-1~deb10u1 entered stable today. So this bug is now
> impacting liferea users in stable.

Upstream now has a blog post about it:

https://lzone.de/liferea/blog/Recent-WebKitGTK-HTML-renderer-instabilities?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+LifereaBlog+%28Liferea+Blog%29

I've just uploaded the version I had prepared.

Paul





Bug#980311: no need for more data

2021-06-10 Thread Christian Hilberg
Hi Wolfram,

On Thursday, 10 June 2021, 09:35:50 CEST, Wolfram Sang wrote:
> I found the culprit (hiding between the confusing indentation). No need
> to send more data. I will work now on a fix.

That sounds great! Thank you very much for looking into this.

If you need me to test patches, please let me know the codebase
they need to be applied against.

Happy hacking,

Christian

-- 




Bug#960336: RFS: gtkorvo-libenet/1.3.15-1 [ITP] -- Georgia Tech fork of libenet

2021-06-10 Thread Tobias Frost
Control: tags -1 moreinfo

Hi Kyle,

I'm currently looking over (old) RFS bugs… And this one is very old :( Sorry for
that … So, before looking into it, can you confirm that you are still interested in
maintaining this library?

Other than that, I prefer to sponsor only based on .dsc-files, preferably
uploaded to mentors.debian.net, as this is a (IMHO) more concise definition
about exactly what to sponsor and selfish /me has also some automation in place
for mentors…

So I'd take a look at libatl after you confirmed and have some .dsc for me :)

Just remove the moreinfo tag when ready and I will take a look :)

--
Cheers,
tobi



Bug#960710: RFS: adios2/2.6.0-1 [ITP] -- ADIOS2 Adaptable IO system for simulations

2021-06-10 Thread Tobias Frost
Control: tags -1 moreinfo

(tagging as there was no reply)



Bug#960312: RFS: libffs/1.7.0-1 [ITP] -- Data communication library

2021-06-10 Thread Tobias Frost
Control: tags -1 moreinfo

Hi Kyle,

I'm currently looking over (old) RFS bugs… And this one is very old :( Sorry for
that … So, before looking into it, can you confirm that you are still interested in
maintaining this library?

Other than that, I prefer to sponsor only based on .dsc-files, preferably
uploaded to mentors.debian.net, as this is a (IMHO) more concise definition
about exactly what to sponsor and selfish /me has also some automation in place
for mentors…

So I'd take a look at libatl after you confirmed and have some .dsc for me :)

Just remove the moreinfo tag when ready and I will take a look :)

--
Cheers,
tobi



Bug#989680: mirror submission for debian.obspm.fr

2021-06-10 Thread Philippe HAMY
Sorry,
folder for cd sync is not image-cd but:
debian-cd/

Br,
Philippe



Bug#960059: RFS: libdill/2.4.2-1 [ITP] -- Just-in-time code generation library

2021-06-10 Thread Tobias Frost
Control: tags -1 moreinfo

Hi Kyle,

I'm currently looking over (old) RFS bugs… And this one is very old :( Sorry for
that … So, before looking into it, can you confirm that you are still interested in
maintaining this library?

Other than that, I prefer to sponsor only based on .dsc-files, preferably
uploaded to mentors.debian.net, as this is a (IMHO) more concise definition
about exactly what to sponsor and selfish /me has also some automation in place
for mentors…

So I'd offer to take a look at this library after you confirmed and have some .dsc
for me :)

Just remove the moreinfo tag when ready and I will take a look :)

--
Cheers,
tobi (recycling the text from 960049)



Bug#989680: mirror submission for debian.obspm.fr

2021-06-10 Thread Philippe Hamy
Package: mirrors
Severity: wishlist
User: mirr...@packages.debian.org
Usertags: mirror-submission

Submission-Type: new
Site: debian.obspm.fr
Type: leaf
Archive-architecture: ALL amd64 arm64 armel armhf hurd-i386 i386 kfreebsd-amd64 
kfreebsd-i386 mips mips64el mipsel powerpc ppc64el s390x
Archive-http: /debian/
Maintainer: Philippe Hamy 
Country: FR France
Location: Paris / Meudon
Sponsor: Observatoire de Paris https://www.obspm.fr/
Comment: hello,
 I propose a new mirror in France at my university, "Observatoire de Paris".
 
 I have synced these two mirrors:
 debian/
 image-cd/
 
 actually we have 1Gb internet data connection. Project for upgrade to 10Gb is 
in progress. Server/router/switch is already at 10Go.
 
 Have a nice day,
 Best regards,
 Philippe
 




Trace Url: http://debian.obspm.fr/debian/project/trace/
Trace Url: http://debian.obspm.fr/debian/project/trace/ftp-master.debian.org
Trace Url: http://debian.obspm.fr/debian/project/trace/debian.obspm.fr



Bug#980311: no need for more data

2021-06-10 Thread Wolfram Sang

I found the culprit (hiding between the confusing indentation). No need
to send more data. I will work now on a fix.





Bug#702948: CUDA Toolkit Samples

2021-06-10 Thread Thomas Viehmann
I'm not entirely sure if they're the same as the CUDA Toolkit Samples, 
but if they are, the license situation might have improved:


https://github.com/NVIDIA/cuda-samples

Best regards

Thomas



Bug#989227: Still some problems

2021-06-10 Thread Patrick Matthäi



On 10.06.2021 at 08:08, Bob Wong wrote:
>  I am under the testing branch, but even after a dist-upgrade, I still
> don't find the feature motion tracker. By the way, when can you
> release version 21.04? I'm glad to use some more features.

The fix comes after the bullseye release. We are in freeze so no new
feature releases.

But I intend to backport this to bullseye

-- 
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

  Blog: https://www.linux-dev.org/
E-Mail: pmatth...@debian.org
patr...@linux-dev.org
*/



Bug#989679: clusterssh: cssh fails to start: missing initialise method

2021-06-10 Thread Dominique Dumont
Package: clusterssh
Version: 4.16-2
Severity: important

Dear Maintainer,

cssh always fails on start:

$ cssh 192.168.1.14
Can't locate object method "initialise" via package "App::ClusterSSH::Window" 
at /usr/share/perl5/App/ClusterSSH.pm line 308.

This does not look like a missing dependency.

Is cssh working fine on your side?

All the best

Dod

-- System Information:
Debian Release: 11.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-7-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages clusterssh depends on:
ii  libexception-class-perl     1.44-1
ii  libtry-tiny-perl            0.30-1
ii  libx11-protocol-other-perl  31-1
ii  libx11-protocol-perl        0.56-7.1
ii  openssh-client              1:8.4p1-5
ii  perl                        5.32.1-4
ii  perl-tk                     1:804.035-0.1+b1
ii  xterm                       366-1

clusterssh recommends no packages.

clusterssh suggests no packages.

-- no debconf information



Bug#982975: Your RFS bugs.

2021-06-10 Thread Tobias Frost
Control: tags -1 moreinfo

Hi Thomas,

basically the same remarks I gave for #987996 apply to these packages
as well:
- You need to close the ITP bugs (and file them if you haven't)
- Initial uploads only have one entry in the changelog (closing the ITP.)
- The mentor pages might give some hints that some stuff needs fixing
  (at least on a few packages there are lintian _errors_, for example)
  (Note: I saw at least one possible false positive for one lintian _warning_)

I'm tagging the RFS moreinfo as they need some fixes before it makes sense to
review in depth.
Please remove the tag once the issues are fixed and there is something to
review.

Cheers,
-- 
tobi



Bug#989678: unblock: nettle/3.7.3-1

2021-06-10 Thread Magnus Holmgren
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Can I get a pre-approval and unblock for nettle 3.7.3-1? This is a pure bugfix
release addressing only CVE-2021-3580, possible DOS vulnerability on invalid
(zero or too large) input to RSA decryption functions.

(It also improves test coverage.)

https://security-tracker.debian.org/tracker/CVE-2021-3580
https://bugs.debian.org/989631

unblock nettle/3.7.3-1
 ChangeLog|  36 +++
 NEWS |  38 
 configure|  22 +++---
 configure.ac |   6 ++--
 debian/changelog |   7 +
 nettle.pdf   | Bin 651264 -> 651264 bytes
 pkcs1-sec-decrypt.c  |   8 +++--
 rsa-decrypt-tr.c |  11 ---
 rsa-decrypt.c|  10 +++
 rsa-internal.h   |   4 +--
 rsa-sec-decrypt.c|  13 +++--
 rsa-sign-tr.c|  61 +++
 rsa.h|   5 ++--
 testsuite/rsa-encrypt-test.c |  40 -
 testsuite/rsa-sec-decrypt-test.c |  17 ++-
 15 files changed, 216 insertions(+), 62 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index bb169e8..4787cff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,39 @@
+2021-05-22  Niels Möller  
+
+   * configure.ac: Bump package version, to 3.7.3.
+   (LIBNETTLE_MINOR): Bump minor number, to 8.4.
+   (LIBHOGWEED_MINOR): Bump minor number, to 6.4.
+
+2021-05-17  Niels Möller  
+
+   * rsa-decrypt-tr.c (rsa_decrypt_tr): Check up-front that input is
+   in range.
+   * rsa-sec-decrypt.c (rsa_sec_decrypt): Likewise.
+   * rsa-decrypt.c (rsa_decrypt): Likewise.
+   * testsuite/rsa-encrypt-test.c (test_main): Add tests with input > n.
+
+2021-05-14  Niels Möller  
+
+   * rsa-sign-tr.c (rsa_sec_blind): Delete mn argument.
+   (_rsa_sec_compute_root_tr): Delete mn argument, instead require
+   that input size matches key size. Rearrange use of temporary
+   storage, to support in-place operation, x == m. Update all
+   callers.
+
+   * rsa-decrypt-tr.c (rsa_decrypt_tr): Make zero-padded copy of
+   input, for calling _rsa_sec_compute_root_tr.
+   * rsa-sec-decrypt.c (rsa_sec_decrypt): Likewise.
+
+   * testsuite/rsa-encrypt-test.c (test_main): Test calling all of
+   rsa_decrypt, rsa_decrypt_tr, and rsa_sec_decrypt with zero input.
+
+2021-05-06  Niels Möller  
+
+   * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): Check that message
+   length is valid, for given key size.
+   * testsuite/rsa-sec-decrypt-test.c (test_main): Add test cases for
+   calls to rsa_sec_decrypt specifying a too large message length.
+
 2021-03-21  Niels Möller  
 
* NEWS: NEWS entries for 3.7.2.
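Review bot: The test entries cover zero input and input > n, but none mentions input equal to n, which is the other edge of the 0 < ciphertext < n range given in the NEWS text. A case with ciphertext == n in testsuite/rsa-encrypt-test.c would pin down the upper boundary for rsa_decrypt, rsa_decrypt_tr and rsa_sec_decrypt.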
diff --git a/NEWS b/NEWS
index 897527c..4a55da8 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,41 @@
+NEWS for the Nettle 3.7.3 release
+
+   This is bugfix release, fixing bugs that could make the RSA
+   decryption functions crash on invalid inputs.
+
+   Upgrading to the new version is strongly recommended. For
+   applications that want to support older versions of Nettle,
+   the bug can be worked around by adding a check that the RSA
+   ciphertext is in the range 0 < ciphertext < n, before
+   attempting to decrypt it.
+
+   Thanks to Paul Schaub and Justus Winter for reporting these
+   problems.
+
+   The new version is intended to be fully source and binary
+   compatible with Nettle-3.6. The shared library names are
+   libnettle.so.8.4 and libhogweed.so.6.4, with sonames
+   libnettle.so.8 and libhogweed.so.6.
+
+   Bug fixes:
+
+   * Fix crash for zero input to rsa_sec_decrypt and
+ rsa_decrypt_tr. Potential denial of service vector.
+
+   * Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return
+ failure for out of range inputs, instead of either crashing,
+ or silently reducing input modulo n. Potential denial of
+ service vector.
+
+   * Ensure that rsa_decrypt returns failure for out of range
+ inputs, instead of silently reducing input modulo n.
+
+   * Ensure that rsa_sec_decrypt returns failure if the message
+ size is too large for the given key. Unlike the other bugs,
+ this would typically be triggered by invalid local
+ configuration, rather than by processing untrusted remote
+ data.
+
 NEWS for the Nettle 3.7.2 release
 
This is a bugfix release, fixing a bug in ECDSA signature
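Review bot: The opening sentence of the 3.7.3 entry reads "This is bugfix release", missing the article that the 3.7.2 entry below it has. The entry also never names CVE-2021-3580, which the unblock request ties to this release; adding the identifier under "Bug fixes" would make the entry searchable from advisories.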
diff --git a/configure b/configure
index 9dc199b..500bd92 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for nettle 3.
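
The workaround named in the NEWS text above for applications that must run against older Nettle versions (check 0 < ciphertext < n before decrypting), as an added example that is not part of the original message or of Nettle. The helper name `rsa_ciphertext_in_range` and the sample values are constructed for illustration; the inputs are assumed to be unsigned big-endian octet strings.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Advance past leading zero octets of a big-endian unsigned integer. */
static void skip_zeros(const uint8_t **p, size_t *len)
{
  while (*len > 0 && **p == 0) { (*p)++; (*len)--; }
}

/* Hypothetical helper (not a Nettle function): returns 1 when
   0 < c < n and 0 otherwise. c and n are big-endian octet strings.
   Both are public values, so an early-exit comparison leaks nothing
   secret. */
int rsa_ciphertext_in_range(const uint8_t *c, size_t c_len,
                            const uint8_t *n, size_t n_len)
{
  size_t i;

  skip_zeros(&c, &c_len);
  skip_zeros(&n, &n_len);

  if (c_len == 0)            /* c == 0, also covers an empty input */
    return 0;
  if (c_len != n_len)        /* fewer significant octets means smaller */
    return c_len < n_len;
  for (i = 0; i < n_len; i++)
    if (c[i] != n[i])        /* first differing octet decides */
      return c[i] < n[i];
  return 0;                  /* c == n */
}

/* Constructed sample values: a toy 16-bit modulus, not a real key. */
static const uint8_t sample_n[]      = { 0xC3, 0x5B };
static const uint8_t sample_ok[]     = { 0x00, 0x12, 0x34 }; /* zero-padded, < n */
static const uint8_t sample_zero[]   = { 0x00, 0x00 };
static const uint8_t sample_equal[]  = { 0xC3, 0x5B };
static const uint8_t sample_bigger[] = { 0xC3, 0x5C };
static const uint8_t sample_longer[] = { 0x01, 0x00, 0x00 };

int main(void)
{
  printf("ok=%d zero=%d equal=%d bigger=%d longer=%d\n",
         rsa_ciphertext_in_range(sample_ok, sizeof sample_ok, sample_n, sizeof sample_n),
         rsa_ciphertext_in_range(sample_zero, sizeof sample_zero, sample_n, sizeof sample_n),
         rsa_ciphertext_in_range(sample_equal, sizeof sample_equal, sample_n, sizeof sample_n),
         rsa_ciphertext_in_range(sample_bigger, sizeof sample_bigger, sample_n, sizeof sample_n),
         rsa_ciphertext_in_range(sample_longer, sizeof sample_longer, sample_n, sizeof sample_n));
  return 0;
}
```

Run the check on the raw ciphertext before handing it to the decryption function, and treat a return of 0 as a decryption failure.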

Bug#989677: ITP: golang-github-smallstep-truststore -- Package to locally install development certificates

2021-06-10 Thread Peymaneh Nejad
Package: wnpp
Severity: wishlist
Owner: Peymaneh Nejad 

* Package name: golang-github-smallstep-truststore
  Version : 0.9.6-1
  Upstream Author : Smallstep
* URL : https://github.com/smallstep/truststore
* License : Apache-2.0
  Programming Lang: Go
  Description : Go library for locally installing development certificates

This package is a dependency of caddy
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810890



Bug#989410: FYI recent master fixes these issues

2021-06-10 Thread Christian Ehrhardt
Hi,
from working at a related s390x issue in Ubuntu [1] I can confirm that
the recent fixes in nss master resolve this issue.
Upstream bug [2], fixes [3][4]
If you can't just wait for 3.67 I hope that FYI will help you to fix it.

[1]: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1931104
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1566124
[3]: https://github.com/nss-dev/nss/commit/32ebd26354548fc3f883a56e8bfafc78f5265ce8
[4]: https://github.com/nss-dev/nss/commit/73b47b7cb5133302087980ef321a83670d383db1

-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd