Bug#1077584: bullseye-pu: package putty/0.74-1+deb11u2

2024-07-30 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: pu...@packages.debian.org
Control: affects -1 + src:putty
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Security fix CVE-2024-31497

[ Impact ]
The vulnerable biased nonce generation is still present.

[ Tests ]
The full crypto test suite, which exercises CVE-2024-31497 in particular, is run.

[ Risks ]
Low; reviewed by maintainer.

Approved by Colin

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]

putty (0.74-1+deb11u2) bullseye; urgency=medium

  * Non-maintainer upload.
  * Cherry-pick from upstream:
    - Refactor the ssh_hash vtable.
    - Add an extra HMAC constructor function.
    - Fix CVE-2024-31497: biased ECDSA nonce generation allows an attacker
      to recover a user's NIST P-521 secret key via a quick attack in
      approximately 60 signatures. In other words, an adversary
      may already have enough signature information to compromise a victim's
      private key, even if there is no further use of vulnerable PuTTY
      versions.


diff -Nru putty-0.74/debian/changelog putty-0.74/debian/changelog
--- putty-0.74/debian/changelog	2023-12-22 17:36:21.0 +
+++ putty-0.74/debian/changelog	2024-07-16 10:13:59.0 +
@@ -1,3 +1,18 @@
+putty (0.74-1+deb11u2) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Cherry-pick from upstream:
+- Refactor the ssh_hash vtable.
+- Add an extra HMAC constructor function.
+- Fix CVE-2024-31497: biased ECDSA nonce generation allows an attacker
+to recover a user's NIST P-521 secret key via a quick attack in
+approximately 60 signatures. In other words, an adversary
+may already have enough signature information to compromise a victim's
+private key, even if there is no further use of vulnerable PuTTY
+versions.
+
+ -- Bastien Roucari??s   Tue, 16 Jul 2024 10:13:59 +
+
 putty (0.74-1+deb11u1) bullseye-security; urgency=medium
 
   * Cherry-pick from upstream:
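Review bot: the trailer line `+ -- Bastien Roucari??s` shows replacement characters where the non-ASCII name belongs; check that debian/changelog is UTF-8 encoded and that the debdiff was not produced under a non-UTF-8 locale, because a mangled maintainer name propagates into the Changed-By field of the .changes file and into lintian output.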
diff -Nru putty-0.74/debian/.git-dpm putty-0.74/debian/.git-dpm
--- putty-0.74/debian/.git-dpm	2023-12-21 16:54:36.0 +
+++ putty-0.74/debian/.git-dpm	2024-07-16 10:13:59.0 +
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-a24da4ff8e3a0d9f2b4adf9d092358f41df18432
-a24da4ff8e3a0d9f2b4adf9d092358f41df18432
+3b973f00dd0076ae305a0b5e7ddab9b811a833dd
+3b973f00dd0076ae305a0b5e7ddab9b811a833dd
 4bd8df1aca313a0da36e559bd4a4d0cf0bc2eaa8
 4bd8df1aca313a0da36e559bd4a4d0cf0bc2eaa8
 putty_0.74.orig.tar.gz
diff -Nru putty-0.74/debian/.gitignore putty-0.74/debian/.gitignore
--- putty-0.74/debian/.gitignore	2023-12-21 16:54:36.0 +
+++ putty-0.74/debian/.gitignore	1970-01-01 00:00:00.0 +
@@ -1,7 +0,0 @@
-/*.debhelper*
-/*.substvars
-/files
-/pterm
-/putty
-/putty-doc
-/putty-tools
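Review bot: this hunk deletes debian/.gitignore and, together with the .git-dpm pointer update in the previous hunk, is not mentioned anywhere in the deb11u2 changelog entry although the checklist states that all changes are documented. Either note it as packaging housekeeping or drop it from the debdiff; it is build-tool metadata with no effect on the built binaries, so it only adds noise for the SRM review.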
diff -Nru putty-0.74/debian/patches/0006-Refactor-the-ssh_hash-vtable.-NFC.patch putty-0.74/debian/patches/0006-Refactor-the-ssh_hash-vtable.-NFC.patch
--- putty-0.74/debian/patches/0006-Refactor-the-ssh_hash-vtable.-NFC.patch	1970-01-01 00:00:00.0 +
+++ putty-0.74/debian/patches/0006-Refactor-the-ssh_hash-vtable.-NFC.patch	2024-07-16 10:13:59.0 +
@@ -0,0 +1,691 @@
+From 9f15a5795bf67d90aad97a394c4b1a93a56d4cba Mon Sep 17 00:00:00 2001
+From: Simon Tatham 
+Date: Sun, 15 Dec 2019 09:30:10 +
+Subject: Refactor the ssh_hash vtable. (NFC)
+
+Refactor the ssh_hash vtable. (NFC)
+
+The idea is to arrange that an ssh_hash object can be reused without
+having to free it and allocate a new one. So the 'final' method has
+been replaced with 'digest', which does everything except the trailing
+free; and there's also a new pair of methods 'reset' and 'copyfrom'
+which overwrite the state of a hash with either the starting state or
+a copy of another state. Meanwhile, the 'new' allocator function has
+stopped performing 'reset' as a side effect; now it _just_ does the
+administrative stuff (allocation, setting up vtables), and returns an
+object which isn't yet ready to receive any actual data, expecting
+that the caller will either reset it or copy another hash state into
+it.
+
+In particular, that means that the SHA-384 / SHA-512 pair no longer
+need separate 'new' methods, because only the 'reset' part has to
+change between them.
+
+This commit makes no change to the user-facing API of wrapper
+functions in ssh.h, except to add new functions which nothing yet
+calls. The user-facing ssh_hash_new() calls the new and reset methods
+in succession, and the copy and final methods still exist to do
+new+copy and digest+free.
+
+origin: backport, https://git.tartarus.org/?p=simon/putty.git;a=commitdiff_plain;h=156762fc0246c4ff587c72eed7010552f9c1e5bb
+---
+ ssh.h  |  26 ++
+ sshmd5.c   |  26 +++---
+ sshsh256.c | 100 
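Review bot: patch 0006 is a 691-line refactor that the upstream message itself labels NFC, and the cover text does not say why a no-functional-change refactor belongs in oldstable. Presumably it is a prerequisite for the HMAC constructor and the CVE-2024-31497 fix (the bookworm upload at 0.78 needs no such patch), so state that explicitly. The hunk as attached is cut off after the diffstat, so the full patch should be compared against the cited upstream commit 156762fc0246c4ff587c72eed7010552f9c1e5bb before acceptance.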

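The CVE-2024-31497 entry in the changelog above states the consequence (a P-521 private key recoverable from roughly 60 signatures) but not the mechanism. In the affected PuTTY versions the 521-bit nonce was derived from a 512-bit SHA-512 output, so the top 9 bits of every nonce were zero; that fixed bias is what makes the key recoverable from a modest number of signatures, and the upstream fix moved nonce generation to RFC 6979, which is built on HMAC and is why the backport also carries an HMAC constructor patch. The Python below is an added illustration, not code from the debdiff or from PuTTY itself: `biased_nonce` models that class of flaw (a digest shorter than the group order reduced mod n), `rfc6979_nonce` is a derivation written from RFC 6979 with HMAC-SHA-512, and `nonce_looks_biased` is the kind of width check a crypto test suite can run to catch a generator whose nonces never fill the top bits of n. `P521_N` is the NIST P-521 group order; the private key and messages are constructed test values.

```python
import hashlib
import hmac

# NIST P-521 group order n (a 521-bit value); every ECDSA nonce must be
# uniform in [1, n-1].
P521_N = int(
    "01FF" + "FFFFFFFF" * 7 + "FFFFFFFA"
    + "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
    16,
)
QLEN = P521_N.bit_length()       # 521
RLEN_BYTES = (QLEN + 7) // 8     # 66 octets, "rlen" in RFC 6979 terms


def int2octets(x: int) -> bytes:
    return x.to_bytes(RLEN_BYTES, "big")


def bits2int(b: bytes) -> int:
    """RFC 6979 section 2.3.2: keep only the leftmost qlen bits."""
    x = int.from_bytes(b, "big")
    excess = len(b) * 8 - QLEN
    return x >> excess if excess > 0 else x


def bits2octets(b: bytes) -> bytes:
    z = bits2int(b)
    if z >= P521_N:
        z -= P521_N
    return int2octets(z)


def biased_nonce(priv: int, msg: bytes) -> int:
    """Model of the flawed derivation class: a 512-bit SHA-512 digest reduced
    mod n. Because 2**512 < n the reduction never wraps, so the top 9 bits of
    every nonce are zero. (Illustration only, not PuTTY's source.)"""
    digest = hashlib.sha512(int2octets(priv) + msg).digest()
    return int.from_bytes(digest, "big") % P521_N


def rfc6979_nonce(priv: int, msg: bytes) -> int:
    """Deterministic nonce per RFC 6979 section 3.2 using HMAC-SHA-512."""
    h1 = hashlib.sha512(msg).digest()
    seed = int2octets(priv) + bits2octets(h1)
    V = b"\x01" * 64
    K = b"\x00" * 64
    K = hmac.new(K, V + b"\x00" + seed, hashlib.sha512).digest()
    V = hmac.new(K, V, hashlib.sha512).digest()
    K = hmac.new(K, V + b"\x01" + seed, hashlib.sha512).digest()
    V = hmac.new(K, V, hashlib.sha512).digest()
    while True:
        T = b""
        while len(T) * 8 < QLEN:          # gather at least qlen bits
            V = hmac.new(K, V, hashlib.sha512).digest()
            T += V
        k = bits2int(T)                   # uniform in [0, 2**521)
        if 1 <= k < P521_N:
            return k
        K = hmac.new(K, V + b"\x00", hashlib.sha512).digest()
        V = hmac.new(K, V, hashlib.sha512).digest()


def max_nonce_bits(derive, priv: int, samples: int = 200) -> int:
    """Largest bit length observed across nonces for distinct messages."""
    return max(
        derive(priv, b"constructed message %d" % i).bit_length()
        for i in range(samples)
    )


def nonce_looks_biased(derive, priv: int, samples: int = 200) -> bool:
    """Flag a derivation whose nonces never reach the full width of n.
    A uniform nonce has bit length QLEN about half the time, so 200 samples
    that all fall short is overwhelming evidence of a fixed-zero-bit bias."""
    return max_nonce_bits(derive, priv, samples) < QLEN


# Constructed test key, not a real secret.
TEST_PRIV = int.from_bytes(hashlib.sha512(b"constructed test key").digest(),
                           "big") % P521_N

if __name__ == "__main__":
    for name, fn in (("flawed", biased_nonce), ("rfc6979", rfc6979_nonce)):
        print(name, "max nonce bits:", max_nonce_bits(fn, TEST_PRIV),
              "biased:", nonce_looks_biased(fn, TEST_PRIV))
```

A uniform nonce in [1, n-1] has the full 521-bit length about half the time, so 200 samples that all come up short is a reliable red flag, while the RFC 6979 output passes and is also reproducible for the same key and message. A check like this belongs beside the known-answer tests in a suite such as test/cryptsuite.py, because the bias is invisible to a signature verifier: every biased signature still validates.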
Bug#1077557: Most changelog items missing in 2.117.1 changelog entry (Re: lintian_2.117.1_source.changes ACCEPTED into unstable)

2024-07-30 Thread Bastien Roucariès
On Monday 29 July 2024, 23:40:28 UTC Axel Beckert wrote:
> Package: lintian
> Version: 2.117.1
> Severity: serious
> 
> Hi Bastien,
> 
> Debian FTP Masters wrote:
> > Date: Sat, 27 Jul 2024 21:39:04 +
> > Source: lintian
> > Architecture: source
> > Version: 2.117.1
> > Distribution: unstable
> > Urgency: medium
> > Maintainer: Debian Lintian Maintainers 
> > Changed-By: Bastien Roucariès 
> > Closes: 1077112
> > Changes:
> >  lintian (2.117.1) unstable; urgency=medium
> >  .
> >[ Axel Beckert ]
> >* Retroactively mention #1033894 in previous changelog entry.
> >  .
> >[ Otto Kekäläinen ]
> >* Declare compliance with Debian Policy 4.7.0
> >* Salsa-CI: Run both current and new Lintian to
> >  ensure full compatibility
> >  .
> >[ Bastien Roucariès ]
> >* Avoid an error with recent dpkg tools
> >* Workarround failure with recent gcc
> >* invalid-versioned-provides could not be anymore tested
> >  due to dpkg-dev change
> >* rebuild against dh-elpa >=2.1.5 (Closes: #1077112)
> > Checksums-Sha1: […]
> 
> Thanks a lot for stepping in and daring to do a Lintian release!
> 
> Unfortunately a few things went rather bad and I wanted to fix
> this up quickly:
> 
> * No tag change summary (private/generate-tag-summary not run)
> 
> * Most changelog entries and closed bug numbers missing. (gbp dch not
>   run or went weirdly bad?) IMHO this makes this version of Lintian
>   unfit for release, hence the RC severity. Also to avoid that this
>   version migrates to testing.
>   
> * Wrong version number. There are quite some new tags in this release,
>   hence feature additions, which require the minor version to be
>   bumped (i.e. to 2.118.0) according to Semantic Versioning (which
>   Lintian has been trying to follow for a while now): https://semver.org/
> 
> * The last git commits included in the upload are not pushed to the
>   git repository on Salsa.

Will fix and add a checklist to CONTRIBUTING.md

Thanks

Bastien

> 
> Especially because of the last issue, currently nobody can continue
> working on Lintian and fix the other things mentioned. So please push
> your work as soon as possible, so that we can fix the remaining issues
> with the 2.117.1.
> 
> This is what I would retroactively add to the 2.117.1 changelog entry
> (based on current git with the current changelog entries from the
> upload manually fiddled in) and then just tagging an 2.118.0 release
> to get things back on track:
> 
> +  * Summary of tag changes:
> ++ Added:
> +  - gir-package-name-does-not-match
> +  - package-installs-deprecated-python2-path
> +  - systemd-alternatives
> +  - systemd-diversion
> +  - uses-deprecated-python-stdlib
> ++ Removed:
> +      - uses-python-distutils
> 
>[ Axel Beckert ]
>* Retroactively mention #1033894 in previous changelog entry.
> +  * data/changes-file/known-dists: Add trixie and forky
> +  * Refresh data (fonts and debhelper add-ons and commands)
> +  * Refresh data (add-ons, commands, fonts)
> 
>[ Bastien Roucariès ]
> +  * Avoid an error with recent dpkg tools
> +  * Workarround failure with recent gcc
> +  * invalid-versioned-provides could not be anymore tested due to
> +dpkg-dev change
>* rebuild against dh-elpa >=2.1.5 (Closes: #1077112)
> 
> +  [ Simon McVittie ]
> +  * gobject-introspection | dh-sequence-gir implements dh --with=gir
> +(Closes: #964290, #1063709)
> +  * gir: Also look for GIR XML in /usr/lib/${DEB_HOST_MULTIARCH}/gir-1.0
> +  * t/recipes/checks/desktop/gnome/gir: Install multiarch files correctly
> +  * t: Assert that desktop/gnome/gir checks are done on multiarch locations
> +  * t: Exercise the good (no warnings) case for multiarch desktop/gnome/gir
> +  * tags: Describe preferred Provides for typelib-package-name-does-not-match
> +  * tags: Mention the multiarch directory for public GIR XML
> +  * tags: Say how to add Depends/Provides for gir-missing-typelib-dependency
> +  * t: Catch up with best practices for GIR XML packaging
> +  * desktop/gnome/gir: Check for GIR XML canonical naming
> +  * data: Add nogir as a known build-profile
> +
> +  [ Louis-Philippe Véronneau ]
> +  * missing-prerequisite-for-pyproject-backend: add support for whey
> +  * Modify checks for the python3-pdm-pep517 -> python3-pdm-backend rename.
> +  * New tag: uses-deprecated-python-stdlib
> +  * New tag: package-installs-deprecated-python2-path (Closes: #1033294)
> +  * Refactor 'python-module-in-wrong-location' check
> +
> +  [ Nilesh Patra ]
> +  * Obsolete package p

Bug#1077515: bookworm-pu: package putty/0.78-2+deb12u2

2024-07-29 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: pu...@packages.debian.org
Control: affects -1 + src:putty
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Security fix CVE-2024-31497

[ Impact ]
The vulnerable biased nonce generation is still present.

[ Tests ]
The full crypto test suite, which exercises CVE-2024-31497 in particular, is run.

[ Risks ]
Low; reviewed by maintainer.

Approved by Colin

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
  * Non-maintainer upload.
  * Cherry-pick from upstream:
    - Add an extra HMAC constructor function
    - Fix CVE-2024-31497: biased ECDSA nonce generation allows an attacker
      to recover a user's NIST P-521 secret key via a quick attack in
      approximately 60 signatures. In other words, an adversary
      may already have enough signature information to compromise a victim's
      private key, even if there is no further use of vulnerable PuTTY
      versions.
  * Run test/cryptsuite.py during build.
diff -Nru putty-0.78/debian/changelog putty-0.78/debian/changelog
--- putty-0.78/debian/changelog	2023-12-18 19:13:57.0 +
+++ putty-0.78/debian/changelog	2024-07-16 10:44:03.0 +
@@ -1,3 +1,18 @@
+putty (0.78-2+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Cherry-pick from upstream:
+- Add an extra HMAC constructor function
+- Fix CVE-2024-31497: biased ECDSA nonce generation allows an attacker
+  to recover a user's NIST P-521 secret key via a quick attack in
+  approximately 60 signatures. In other words, an adversary
+  may already have enough signature information to compromise a victim's
+  private key, even if there is no further use of vulnerable PuTTY
+  versions.
+  * Run test/cryptsuite.py during build.
+
+ -- Bastien Roucari??s   Tue, 16 Jul 2024 10:44:03 +
+
 putty (0.78-2+deb12u1) bookworm-security; urgency=medium
 
   * CVE-2023-48795: Cherry-pick from upstream:
diff -Nru putty-0.78/debian/control putty-0.78/debian/control
--- putty-0.78/debian/control	2023-12-18 19:13:47.0 +
+++ putty-0.78/debian/control	2024-07-16 10:44:03.0 +
@@ -8,6 +8,7 @@
debhelper-compat (= 13),
dh-exec,
dpkg-dev (>= 1.15.7~),
+   python3 ,
 Build-Depends-Arch: imagemagick,
 libgtk-3-dev,
 libx11-dev,
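Review bot: `+   python3 ,` has a stray space before the comma. Since python3 is only needed to run test/cryptsuite.py during the build (per the new changelog entry), declaring it as `python3 <!nocheck>` keeps it out of nocheck builds while still pulling it in whenever the test suite actually runs.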
diff -Nru putty-0.78/debian/.git-dpm putty-0.78/debian/.git-dpm
--- putty-0.78/debian/.git-dpm	2023-12-18 19:13:47.0 +
+++ putty-0.78/debian/.git-dpm	2024-07-16 10:44:03.0 +
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-cbe541c94bed68e3a009f622d7f36bd4ca00a005
-cbe541c94bed68e3a009f622d7f36bd4ca00a005
+fc80bc63dba4a891e7fca2ffda5390d000e1971d
+fc80bc63dba4a891e7fca2ffda5390d000e1971d
 e517b33826b38389d4d45a859603a635bd3cf55b
 e517b33826b38389d4d45a859603a635bd3cf55b
 putty_0.78.orig.tar.gz
diff -Nru putty-0.78/debian/.gitignore putty-0.78/debian/.gitignore
--- putty-0.78/debian/.gitignore	2023-12-18 19:13:47.0 +
+++ putty-0.78/debian/.gitignore	1970-01-01 00:00:00.0 +
@@ -1,9 +0,0 @@
-/*.debhelper*
-/*.substvars
-/build
-/files
-/pterm
-/putty
-/putty-doc
-/putty-tools
-/version.but.save
diff -Nru putty-0.78/debian/patches/0009-Add-an-extra-HMAC-constructor-function.patch putty-0.78/debian/patches/0009-Add-an-extra-HMAC-constructor-function.patch
--- putty-0.78/debian/patches/0009-Add-an-extra-HMAC-constructor-function.patch	1970-01-01 00:00:00.0 +
+++ putty-0.78/debian/patches/0009-Add-an-extra-HMAC-constructor-function.patch	2024-07-16 10:44:03.0 +
@@ -0,0 +1,108 @@
+From 5a6f12336d7ddfb0322898cba3cde010341e945c Mon Sep 17 00:00:00 2001
+From: Simon Tatham 
+Date: Mon, 1 Apr 2024 07:45:21 +0100
+Subject: Add an extra HMAC constructor function.
+
+Add an extra HMAC constructor function.
+
+This takes a plain ssh_hashalg, and constructs the most natural kind
+of HMAC wrapper around it, taking its key length and output length
+to be the hash's output length. In other words, it converts SHA-foo
+into exactly the thing usually called HMAC-SHA-foo.
+
+It does it by constructing a new ssh2_macalg vtable, and including it
+in the same memory allocation as the actual hash object. That's the
+first time in PuTTY I've done it this way.
+
+Nothing yet uses this, but a new piece of code is about to.
+
+origin: backport, https://git.tartarus.org/?p=simon/putty.git;a=commitdiff_plain;h=dea3ddca0537299ebfe907dd4c883fe65bfb4035
+---
+ crypto/hmac.c | 45 +++--
+ ssh.h |  5 +
+ 2 files changed, 48 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/hmac.c b/crypto/hmac.c
+index adeccd29..fa70c8e6 100644
+--- a/crypto/hmac.c
 b/crypto/hmac.c
+@@ -18,9 
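Review bot: the upstream message says the new ssh2_macalg vtable is placed in the same allocation as the hash object, which it notes is a first for PuTTY; the hunk is truncated at `+@@ -18,9`, so the part that matters for review, namely that the MAC's free method releases that single allocation exactly once and that no caller keeps the vtable pointer past it, is not visible in this debdiff and should be checked against the cited commit dea3ddca0537299ebfe907dd4c883fe65bfb4035.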

Bug#1060103: New of imagemagick7

2024-07-28 Thread Bastien Roucariès
control: tags -1 - moreinfo

Hi,

The last reverse-dependency pipeline of libmagick is not really bad:
https://salsa.debian.org/debian/imagemagick/-/pipelines/708187

A lot of failures are due to broken packages or packages that do not use pkgconfig.

I suppose we could go to experimental

Bastien

Bug#1076817: ocsinventory: php-cas does not work

2024-07-23 Thread Bastien Roucariès
Source: ocsinventory
Version: 2.8.1+dfsg1-1
Severity: important
Tags: patch bullseye

Dear Maintainer,

php-cas support was broken for bullseye.

It needs:
(1) https://github.com/OCSInventory-NG/OCSInventory-ocsreports/commit/f8a667f9f19b285799ec6a25a28240165b039dfb
(2) https://github.com/OCSInventory-NG/OCSInventory-ocsreports/commit/3693fb9f9aea1a6ff9df4e7fd0125a88147c98c2


Bug#1076562: forcemerge

2024-07-18 Thread Bastien Roucariès
control: forcemerge 1076158 -1

Bug#1076562: bullseye-pu: package imagemagick/8:6.9.11.60+dfsg-1.3+deb11u4

2024-07-18 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: imagemag...@packages.debian.org
Control: affects -1 + src:imagemagick
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]

  * CVE-2023-34151 fix was incomplete (Closes: #1070340)
  * Fix variation of CVE-2023-1289 found by testing.

[ Impact ]

  * CVEs are still open (not fixed)


[ Tests ]

Manual test of CVE-2023-34151, automatic test of CVE-2023-1289.
Cross-checked by santiago.

[ Risks ]

Risk is low; cross-check done by santiago.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[Other changes]

Update d/changelog for old fixed CVE. Investigated status with carnil
diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog
--- imagemagick-6.9.11.60+dfsg/debian/changelog	2024-02-17 15:31:24.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/changelog	2024-07-11 16:52:37.0 +
@@ -1,3 +1,12 @@
+imagemagick (8:6.9.11.60+dfsg-1.3+deb11u4) bullseye; urgency=medium
+
+  * CVE-2023-34151 fix was incomplete (Closes: #1070340)
+  * Fix variation of CVE-2023-1289 found by testing.
+  * Fix CVE-2021-20312: Fix a divide by zero (Closes: #1013282)
+  * Fix CVE-2021-20313: Fix a divide by zero
+
+ -- Bastien Roucari??s   Thu, 11 Jul 2024 16:52:37 +
+
 imagemagick (8:6.9.11.60+dfsg-1.3+deb11u3) bullseye-security; urgency=medium
 
   * Fix CVE-2021-3610 heap buffer overflow vulnerability in TIFF coder
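Review bot: the new deb11u4 entry lists four items, including CVE-2021-20312 and CVE-2021-20313 fixed through patch 0068, but the [ Reason ] section of this bug names only the CVE-2023-34151 and CVE-2023-1289 items; align the cover text with the changelog so the SRMs see the full scope of what they are being asked to accept.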
@@ -33,7 +42,7 @@
 was found in coders/tiff.c in ImageMagick. This issue
 may allow a local attacker to trick the user into opening
 a specially crafted file, resulting in an application crash
-and denial of service.
+and denial of service. Fix also CVE-2022-3213.
   * Fix CVE-2023-5341: A heap use-after-free flaw was found in
 coders/bmp.c
 
@@ -57,8 +66,11 @@
   * Fix CVE-2022-28463: Buffer overflow in cin coder.
   * Fix CVE-2022-32545: Value outside the range of unsigned char
 (Closes: #1016442)
+  * Fix CVE-2021-40211: Division by zero in function ReadEnhMetaFile
+of coders/emf.c.
   * Fix CVE-2022-32546: Value outside the range of representable
-values of type 'unsigned long' at coders/pcl.c,
+values of type 'unsigned long' at coders/pcl.c
+  * Fix CVE-2022-32547: fix a misaligned address access.
   * Use Salsa CI
 
  -- Bastien Roucari??s   Fri, 29 Dec 2023 11:18:56 +
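Review bot: this hunk and the one above it edit the already-released deb11u3 entry (adding "Fix also CVE-2022-3213", CVE-2021-40211 and CVE-2022-32547 to it). Retroactively correcting a shipped entry is acceptable for tracker accuracy, but the "[Other changes]" note in the cover text should say explicitly that these CVEs were already fixed by the earlier upload and that no code change accompanies them, so the lines are not read as new fixes landing in deb11u4.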
diff -Nru imagemagick-6.9.11.60+dfsg/debian/control imagemagick-6.9.11.60+dfsg/debian/control
--- imagemagick-6.9.11.60+dfsg/debian/control	2024-02-12 19:54:48.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/control	2024-07-11 16:46:06.0 +
@@ -1,4 +1,4 @@
-# Autogenerated Mon Jul 27 10:33:31 CEST 2020 from make -f debian/rules update_pkg
+# Autogenerated Tue Jun 25 18:15:31 UTC 2024 from make -f debian/rules update_pkg
 Source: imagemagick
 Section: graphics
 Priority: optional
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch	1970-01-01 00:00:00.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch	2024-07-11 16:46:06.0 +
@@ -0,0 +1,166 @@
+From: Cristy 
+Date: Thu, 25 Feb 2021 17:03:18 -0500
+Subject: CVE-2021-20312/CVE-2021-20313 possible divide by zero + clear
+ buffers
+
+---
+ coders/thumbnail.c  |  3 ++-
+ magick/cipher.c | 12 ++--
+ magick/colorspace.c | 16 
+ magick/memory.c | 21 -
+ magick/signature.c  |  2 +-
+ 5 files changed, 33 insertions(+), 21 deletions(-)
+
+diff --git a/coders/thumbnail.c b/coders/thumbnail.c
+index f456faa..3833341 100644
+--- a/coders/thumbnail.c
 b/coders/thumbnail.c
+@@ -198,7 +198,8 @@ static MagickBooleanType WriteTHUMBNAILImage(const ImageInfo *image_info,
+   break;
+ q++;
+   }
+-  if ((q+length) > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)))
++  if ((q > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))) ||
++  (length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q)))
+ ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
+   thumbnail_image=BlobToImage(image_info,q,length,>exception);
+   if (thumbnail_image == (Image *) NULL)
+diff --git a/magick/cipher.c b/magick/cipher.c
+index a6d90fc..e7b5a81 100644
+--- a/magick/cipher.c
 b/magick/cipher.c
+@@ -485,8 +485,8 @@ static void EncipherAESBlock(AESInfo *aes_info,const unsigned char *plaintext,
+ Reset registers.
+   */
+   alpha=0;
+-  (void) memset(key,0,sizeof(key));
+-  (void) 
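Review bot: in the coders/thumbnail.c hunk, the reworked check `(q > end) || (length > end - q)` drops the pointer-arithmetic overflow of the old `(q+length) > end` form, which is the right shape. Two things to verify in the full patch, which is truncated here at the magick/cipher.c memset lines: that the loop advancing `q` just above is itself bounded by the profile length, so `q` is at most one past the end when the comparison runs (the only pointer comparison the C standard guarantees), and what replaces the removed `(void) memset(key,0,sizeof(key))` in EncipherAESBlock, since the subject line promises cleared buffers and a plain memset of a dead local is exactly what a compiler may elide.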

Bug#1076158: bullseye-pu: package imagemagick/8:6.9.11.60+dfsg-1.3+deb11u4

2024-07-11 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: imagemag...@packages.debian.org
Control: affects -1 + src:imagemagick
User: release.debian@packages.debian.org
Usertags: pu



[ Reason ]
  * CVE-2023-34151 fix was incomplete (Closes: #1070340)
  * Fix variation of CVE-2023-1289 found by testing.
  * Fix CVE-2021-20312: Fix a divide by zero (Closes: #1013282)
  * Fix CVE-2021-20313: Fix a divide by zero


[ Impact ]
CVEs are still open.

[ Tests ]
Automatic test for CVE-2023-1289, other manual tests with libasan.

[ Risks ]

Low; review of changes and testing cross-checked with santiago.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog
--- imagemagick-6.9.11.60+dfsg/debian/changelog	2024-02-17 15:31:24.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/changelog	2024-07-11 16:52:37.0 +
@@ -1,3 +1,12 @@
+imagemagick (8:6.9.11.60+dfsg-1.3+deb11u4) bullseye; urgency=medium
+
+  * CVE-2023-34151 fix was incomplete (Closes: #1070340)
+  * Fix variation of CVE-2023-1289 found by testing.
+  * Fix CVE-2021-20312: Fix a divide by zero (Closes: #1013282)
+  * Fix CVE-2021-20313: Fix a divide by zero
+
+ -- Bastien Roucari??s   Thu, 11 Jul 2024 16:52:37 +
+
 imagemagick (8:6.9.11.60+dfsg-1.3+deb11u3) bullseye-security; urgency=medium
 
   * Fix CVE-2021-3610 heap buffer overflow vulnerability in TIFF coder
@@ -33,7 +42,7 @@
 was found in coders/tiff.c in ImageMagick. This issue
 may allow a local attacker to trick the user into opening
 a specially crafted file, resulting in an application crash
-and denial of service.
+and denial of service. Fix also CVE-2022-3213.
   * Fix CVE-2023-5341: A heap use-after-free flaw was found in
 coders/bmp.c
 
@@ -57,8 +66,11 @@
   * Fix CVE-2022-28463: Buffer overflow in cin coder.
   * Fix CVE-2022-32545: Value outside the range of unsigned char
 (Closes: #1016442)
+  * Fix CVE-2021-40211: Division by zero in function ReadEnhMetaFile
+of coders/emf.c.
   * Fix CVE-2022-32546: Value outside the range of representable
-values of type 'unsigned long' at coders/pcl.c,
+values of type 'unsigned long' at coders/pcl.c
+  * Fix CVE-2022-32547: fix a misaligned address access.
   * Use Salsa CI
 
  -- Bastien Roucari??s   Fri, 29 Dec 2023 11:18:56 +
diff -Nru imagemagick-6.9.11.60+dfsg/debian/control imagemagick-6.9.11.60+dfsg/debian/control
--- imagemagick-6.9.11.60+dfsg/debian/control	2024-02-12 19:54:48.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/control	2024-07-11 16:46:06.0 +
@@ -1,4 +1,4 @@
-# Autogenerated Mon Jul 27 10:33:31 CEST 2020 from make -f debian/rules update_pkg
+# Autogenerated Tue Jun 25 18:15:31 UTC 2024 from make -f debian/rules update_pkg
 Source: imagemagick
 Section: graphics
 Priority: optional
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch	1970-01-01 00:00:00.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch	2024-07-11 16:46:06.0 +
@@ -0,0 +1,166 @@
+From: Cristy 
+Date: Thu, 25 Feb 2021 17:03:18 -0500
+Subject: CVE-2021-20312/CVE-2021-20313 possible divide by zero + clear
+ buffers
+
+---
+ coders/thumbnail.c  |  3 ++-
+ magick/cipher.c | 12 ++--
+ magick/colorspace.c | 16 
+ magick/memory.c | 21 -
+ magick/signature.c  |  2 +-
+ 5 files changed, 33 insertions(+), 21 deletions(-)
+
+diff --git a/coders/thumbnail.c b/coders/thumbnail.c
+index f456faa..3833341 100644
+--- a/coders/thumbnail.c
 b/coders/thumbnail.c
+@@ -198,7 +198,8 @@ static MagickBooleanType WriteTHUMBNAILImage(const ImageInfo *image_info,
+   break;
+ q++;
+   }
+-  if ((q+length) > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)))
++  if ((q > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))) ||
++  (length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q)))
+ ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
+   thumbnail_image=BlobToImage(image_info,q,length,>exception);
+   if (thumbnail_image == (Image *) NULL)
+diff --git a/magick/cipher.c b/magick/cipher.c
+index a6d90fc..e7b5a81 100644
+--- a/magick/cipher.c
 b/magick/cipher.c
+@@ -485,8 +485,8 @@ static void EncipherAESBlock(AESInfo *aes_info,const unsigned char *plaintext,
+ Reset registers.
+   */
+   alpha=0;
+-  (void) memset(key,0,sizeof(key));
+-  (void) 

Bug#1076156: bookworm-pu: package imagemagick/8:6.9.11.60+dfsg-1.6+deb12u2

2024-07-11 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: imagemag...@packages.debian.org
Control: affects -1 + src:imagemagick
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]

  * CVE-2023-34151 fix was incomplete (Closes: #1070340)
  * Fix variation of CVE-2023-1289 found by testing.

[ Impact ]

  * CVEs are still open (not fixed)


[ Tests ]

Manual test of CVE-2023-34151, automatic test of CVE-2023-1289.


[ Risks ]

Risk is low; cross-check done by santiago.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog
--- imagemagick-6.9.11.60+dfsg/debian/changelog	2024-02-12 20:15:47.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/changelog	2024-07-11 10:48:47.0 +
@@ -1,3 +1,10 @@
+imagemagick (8:6.9.11.60+dfsg-1.6+deb12u2) bookworm; urgency=medium
+
+  * CVE-2023-34151 fix was incomplete (Closes: #1070340)
+  * Fix variation of CVE-2023-1289 found by testing.
+
+ -- Bastien Roucari??s   Thu, 11 Jul 2024 10:48:47 +
+
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u1) bookworm-security; urgency=high
 
   * Acknowledge NMU
@@ -34,7 +41,7 @@
 was found in coders/tiff.c in ImageMagick. This issue
 may allow a local attacker to trick the user into opening
 a specially crafted file, resulting in an application crash
-and denial of service.
+and denial of service. Fix also CVE-2022-3213.
   * Fix CVE-2023-5341: A heap use-after-free flaw was found in
 coders/bmp.c
 
diff -Nru imagemagick-6.9.11.60+dfsg/debian/control imagemagick-6.9.11.60+dfsg/debian/control
--- imagemagick-6.9.11.60+dfsg/debian/control	2024-02-12 19:54:48.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/control	2024-07-11 10:48:47.0 +
@@ -1,4 +1,4 @@
-# Autogenerated Mon Jul 27 10:33:31 CEST 2020 from make -f debian/rules update_pkg
+# Autogenerated Mon Jun 24 16:27:31 UTC 2024 from make -f debian/rules update_pkg
 Source: imagemagick
 Section: graphics
 Priority: optional
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0066-CVE-2023-34151-properly-cast-double-to-size_t.patch imagemagick-6.9.11.60+dfsg/debian/patches/0066-CVE-2023-34151-properly-cast-double-to-size_t.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0066-CVE-2023-34151-properly-cast-double-to-size_t.patch	1970-01-01 00:00:00.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0066-CVE-2023-34151-properly-cast-double-to-size_t.patch	2024-07-11 10:48:47.0 +
@@ -0,0 +1,29 @@
+From: Cristy 
+Date: Tue, 23 Apr 2024 18:19:24 -0400
+Subject: CVE-2023-34151: properly cast double to size_t
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/6341
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070340
+
+forgot to cast double to unsigned int
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/be15ac962dea19536be1009d157639030fc42be9.patch
+---
+ coders/mvg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/coders/mvg.c b/coders/mvg.c
+index 2d503e1..d8e793e 100644
+--- a/coders/mvg.c
 b/coders/mvg.c
+@@ -191,8 +191,8 @@ static Image *ReadMVGImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ 96.0;
+   draw_info->affine.sy=image->y_resolution == 0.0 ? 1.0 : image->y_resolution/
+ 96.0;
+-  image->columns=(size_t) (draw_info->affine.sx*image->columns);
+-  image->rows=(size_t) (draw_info->affine.sy*image->rows);
++  image->columns=CastDoubleToUnsigned(draw_info->affine.sx*image->columns);
++  image->rows=CastDoubleToUnsigned(draw_info->affine.sy*image->rows);
+   status=SetImageExtent(image,image->columns,image->rows);
+   if (status == MagickFalse)
+ {
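Review bot: patch 0066 replaces the `(size_t)` casts with CastDoubleToUnsigned(), but the description of 0067 ("This is a prerequist for fixing it", touching magick/image-private.h) indicates that helper is introduced by the later patch, so with series order 0066 before 0067 the tree does not compile between the two, which breaks bisecting. Swap the two patches so the prerequisite applies first. The substance is right: the helper clamps NaN, negative and over-range doubles instead of relying on a double-to-size_t conversion whose result is undefined when the value does not fit.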
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0067-CVE-2023-34151.patch imagemagick-6.9.11.60+dfsg/debian/patches/0067-CVE-2023-34151.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0067-CVE-2023-34151.patch	1970-01-01 00:00:00.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0067-CVE-2023-34151.patch	2024-07-11 10:48:47.0 +
@@ -0,0 +1,72 @@
+From: Cristy 
+Date: Mon, 21 Feb 2022 11:55:23 -0500
+Subject: CVE-2023-34151
+
+This is a prerequist for fixing it
+
+magick produces incorrect result possibly due to overflow
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/4870
+origin: https://github.com/ImageMagick/ImageMagick6/commit/8b7b17c8fef72dab479e6ca676676d8c5e395dd6
+---
+ coders/txt.c   | 24 
+ magick/image-private.h | 11 +++
+ 2 files changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/coders/txt.c b/coders/txt.c
+index 0e5c794..bca071f 100644
+--- a/coders/txt.c
 b/coders/txt.c
+@@ -573,18 +573,18 @@ static Image *ReadTXTImage(const ImageInfo *image_info,ExceptionInfo *exception)
+

Bug#1075759: isa-support: please add armv8 + crc support package

2024-07-05 Thread Bastien Roucariès
On Thursday 4 July 2024, 12:51:01 UTC Luca Boccassi wrote:
Hi,

> Source: isa-support
> Severity: wishlist
> X-Debbugs-Cc: pkg-dpdk-de...@lists.alioth.debian.org
> 
> Dear Maintainer(s),
> 
> For src:dpdk we would like to depend on a higher arm64 baseline, which
> includes the crc extension. Would it be possible to add a new package
> that matches it?
> 
> For reference, we compile with: -march=armv8-a+crc

I would really prefer to add an arch level like armv8.1-a if possible.

Does some processor exist with crc but without ‘+lse’ and ‘+rdma’?

Next question: how can I detect it?

rouca
> 
> https://gcc.gnu.org/onlinedocs/gcc/AArch64-Options.html
> 
> Thank you!
> 
> 



Bug#1074391: More information

2024-06-29 Thread Bastien Roucariès
control: severity -1 important
control: retitle -1 should be split between arch and arch:all

Thanks to Yadd, partially solved.

However, this package should be split into arch and arch:all parts.

Bastien

> On 6/28/24 01:04, Bastien Roucariès wrote:
> > Hi,
> > 
> > I get this backtrace (yadd could you get a glimpse)
> > 
> > Error [ERR_MODULE_NOT_FOUND]: Cannot find package 'esbuild' imported from 
> > assemblyscript/assemblyscript/scripts/build.js
> > Did you mean to import 
> > "file:///usr/lib/x86_64-linux-gnu/nodejs/esbuild/lib/main.js"?
> >  at packageResolve (node:internal/modules/esm/resolve:854:9)
> >  at moduleResolve (node:internal/modules/esm/resolve:927:18)
> >  at defaultResolve (node:internal/modules/esm/resolve:1157:11)
> >  at ModuleLoader.defaultResolve 
> > (node:internal/modules/esm/loader:383:12)
> >  at ModuleLoader.resolve (node:internal/modules/esm/loader:352:25)
> >  at ModuleLoader.getModuleJob (node:internal/modules/esm/loader:227:38)
> >  at ModuleWrap. (node:internal/modules/esm/module_job:87:39)
> >  at link (node:internal/modules/esm/module_job:86:36) {
> >code: 'ERR_MODULE_NOT_FOUND'
> > 
> > In all the case maybe this package could be split between arch/not arch part
> 
> Hi,
> 
> maybe a `pkgjs-ln esbuild` could fix this
> 





Bug#1074391: More information

2024-06-27 Thread Bastien Roucariès
Hi,

I get this backtrace (yadd, could you take a look?)

Error [ERR_MODULE_NOT_FOUND]: Cannot find package 'esbuild' imported from 
assemblyscript/assemblyscript/scripts/build.js
Did you mean to import 
"file:///usr/lib/x86_64-linux-gnu/nodejs/esbuild/lib/main.js"?
at packageResolve (node:internal/modules/esm/resolve:854:9)
at moduleResolve (node:internal/modules/esm/resolve:927:18)
at defaultResolve (node:internal/modules/esm/resolve:1157:11)
at ModuleLoader.defaultResolve (node:internal/modules/esm/loader:383:12)
at ModuleLoader.resolve (node:internal/modules/esm/loader:352:25)
at ModuleLoader.getModuleJob (node:internal/modules/esm/loader:227:38)
at ModuleWrap. (node:internal/modules/esm/module_job:87:39)
at link (node:internal/modules/esm/module_job:86:36) {
  code: 'ERR_MODULE_NOT_FOUND'

In any case, maybe this package could be split between arch and non-arch parts

Bastien



Bug#1074391: esbuild: build esbuild main.js

2024-06-27 Thread Bastien Roucariès
Package: esbuild
Version: 0.20.2-1
Severity: serious
Justification: could not be imported from node

Dear Maintainer,

Could you build the node package esbuild?

Without it the package is broken from node's point of view, hence a serious bug.

I can help here

Bastien





Bug#1074369: luakit: please use sensible-utils

2024-06-27 Thread Bastien Roucariès
Source: luakit
Severity: wishlist
Tags: patch

Dear Maintainer,

Could you please merge
https://salsa.debian.org/debian/luakit/-/merge_requests/3

Thanks

Bastien




Bug#1074366: x-terminal-emulator depends

2024-06-27 Thread Bastien Roucariès
Package: debian-policy
Version: 4.7.0.0
Severity: wishlist

Dear Maintainer,

Could you document the depends for x-terminal-emulator?

I suppose it is xterm | x-terminal-emulator?

Bastien





Bug#1074360: debian-policy: document sensible-terminal

2024-06-27 Thread Bastien Roucariès
Package: debian-policy
Version: 4.7.0.0
Severity: wishlist

Dear Maintainer,

sensible-utils will carry sensible-terminal in trixie.

It will allow a user to customize the terminal to be used, as sensible-editor
does.

Could you document it in policy?

Thanks

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.8.12-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

debian-policy depends on no packages.

Versions of packages debian-policy recommends:
ii  libjs-jquery 3.6.1+dfsg+~3.5.14-1
ii  libjs-sphinxdoc  7.2.6-9
ii  sphinx-rtd-theme-common  2.0.0+dfsg-1

Versions of packages debian-policy suggests:
pn  doc-base  

-- no debconf information



Bug#1070340: Bug CVE-2023-34151: Please add this doc here

2024-06-22 Thread Bastien Roucariès
Hi,

Could you post as plain text the document you put in a Google doc, and the
image used, as an attached document?

It will help others to reproduce

Thanks

rouca



Bug#1073231: bullseye-pu: package sendmail/8.15.2-22+deb11u1

2024-06-17 Thread Bastien Roucariès
On Sunday 16 June 2024, 20:15:33 UTC Adam D. Barratt wrote:
Hi

I am sorry, I forgot to enable the NUL reject by default for bullseye (only for
bullseye)

I will upload ASAP

Bastien
> On Sun, 2024-06-16 at 20:09 +0000, Bastien Roucariès wrote:
> > On Sunday 16 June 2024, 20:08:42 UTC Adam D. Barratt wrote:
> > > On Sat, 2024-06-15 at 19:43 +0100, Jonathan Wiltshire wrote:
> > > >  "slightly non-conformant" really good justification for a pop-up
> > > > news item on upgrades? I don't recall the other MTAs doing this.
> > > > 
> > > > It's up to you, either way please go ahead.
> > > 
> > > As with the bookworm upload, the NEWS file won't work as designed:
> > > 
> > > +W: incorrect-packaging-filename debian/NEWS.Debian -> debian/NEWS
> > 
> > I have uploaded should I reupload ?
> 
> If you want the NEWS file to actually be displayed to users, yes. :-)
> 
> A deb11u2 / deb12u2 that simply renames the file appropriately would be
> fine in each case.
> 
> Regards,
> 
> Adam
> 





Bug#1073529: bookworm-pu: package pymongo/3.11.0-1+deb11u1

2024-06-16 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: pymo...@packages.debian.org
Control: affects -1 + src:pymongo
User: release.debian@packages.debian.org
Usertags: pu


[ Reason ]
CVE-2024-5629

[ Impact ]
An out-of-bounds read in the 'bson' module allows deserialization
of malformed BSON provided by a Server to raise an exception which may contain
arbitrary application memory

[ Tests ]
Test suite of package

[ Risks ]
code is near trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
 * QA upload
 * Fix CVE-2024-5629: An out-of-bounds read in the
'bson' module allowed deserialization of malformed BSON
 * Use correct salsa CI


[ Other info ]
QA upload: package is orphaned
diff -Nru pymongo-3.11.0/debian/changelog pymongo-3.11.0/debian/changelog
--- pymongo-3.11.0/debian/changelog	2020-10-17 21:23:41.0 +
+++ pymongo-3.11.0/debian/changelog	2024-06-16 17:42:49.0 +
@@ -1,3 +1,13 @@
+pymongo (3.11.0-1+deb11u1) bullseye; urgency=medium
+
+  * QA upload
+  * Fix CVE-2024-5629: An out-of-bounds read in the
+'bson' module allowed deserialization of malformed BSON
+provided by a Server to raise an exception which may
+contain arbitrary application memory
+
+ -- Bastien Roucari??s   Sun, 16 Jun 2024 17:42:49 +
+
 pymongo (3.11.0-1) unstable; urgency=medium
 
   [ Federico Ceratto ]
diff -Nru pymongo-3.11.0/debian/control pymongo-3.11.0/debian/control
--- pymongo-3.11.0/debian/control	2020-10-17 21:23:41.0 +
+++ pymongo-3.11.0/debian/control	2024-06-16 17:42:49.0 +
@@ -1,7 +1,7 @@
 Source: pymongo
 Section: python
 Priority: optional
-Maintainer: Federico Ceratto 
+Maintainer: Debian QA Group  
 Build-Depends: debhelper-compat (= 13),
  dh-python,
  python3-all-dev,
diff -Nru pymongo-3.11.0/debian/gitlab-ci.yml pymongo-3.11.0/debian/gitlab-ci.yml
--- pymongo-3.11.0/debian/gitlab-ci.yml	2020-10-17 21:23:41.0 +
+++ pymongo-3.11.0/debian/gitlab-ci.yml	2024-06-16 17:42:49.0 +
@@ -1,9 +1,7 @@
-image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
-build:
-  artifacts:
-paths:
-- "*.deb"
-expire_in: 1 day
-  script:
-- gitlab-ci-git-buildpackage-all
+variables:
+  RELEASE: 'bullseye'
diff -Nru pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch
--- pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch	1970-01-01 00:00:00.0 +
+++ pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch	2024-06-16 17:42:49.0 +
@@ -0,0 +1,51 @@
+From: Shane Harvey 
+Date: Wed, 27 Mar 2024 13:16:55 -0700
+Subject: CVE-2024-5629 PYTHON-4305 Fix bson size check
+
+An out-of-bounds read in the 'bson' module allows deserialization
+of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.
+
+bug: https://jira.mongodb.org/browse/PYTHON-4305
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-5629
+origin: https://patch-diff.githubusercontent.com/raw/mongodb/mongo-python-driver/pull/1564.patch
+---
+ bson/_cbsonmodule.c | 11 +--
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/bson/_cbsonmodule.c b/bson/_cbsonmodule.c
+index f457f96..02d9105 100644
+--- a/bson/_cbsonmodule.c
 b/bson/_cbsonmodule.c
+@@ -2334,6 +2334,7 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+ uint32_t c_w_s_size;
+ uint32_t code_size;
+ uint32_t scope_size;
++uint32_t len;
+ PyObject* code;
+ PyObject* scope;
+ PyObject* code_type;
+@@ -2353,7 +2354,8 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+ memcpy(_size, buffer + *position, 4);
+ code_size = BSON_UINT32_FROM_LE(code_size);
+ /* code_w_scope length + code length + code + scope length */
+-if (!code_size || max < code_size || max < 4 + 4 + code_size + 4) {
++len = 4 + 4 + code_size + 4;
++if (!code_size || max < code_size || max < len || len < code_size) {
+ goto invalid;
+ }
+ *position += 4;
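Review bot: the new `len < code_size` term in `++if (!code_size || max < code_size || max < len || len < code_size)` is an unsigned wrap-around guard for the uint32_t sum `4 + 4 + code_size + 4`, but since `max < code_size` is tested first, a wrapped `len` can only slip through when `max` itself is within a dozen bytes of UINT32_MAX; a one-line comment stating that this is defence in depth for the sum would save the next reader from re-deriving it. The companion change to the scope_size check is cut off after `+-if (scope_size` in this debdiff, so that half of the fix cannot be reviewed from what is shown.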
+@@ -2371,12 +2373,9 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+ 
+ memcpy(_size, buffer + *position, 4);
+ scope_size = BSON_UINT32_FROM_LE(scope_size);
+-if (scope_size 

Bug#1073524: bookworm-pu: package pymongo/3.11.0-1+deb12u1

2024-06-16 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: pymo...@packages.debian.org
Control: affects -1 + src:pymongo
User: release.debian@packages.debian.org
Usertags: pu


[ Reason ]
CVE-2024-5629

[ Impact ]
An out-of-bounds read in the 'bson' module allows deserialization
of malformed BSON provided by a Server to raise an exception which may contain
arbitrary application memory

[ Tests ]
Test suite of package

[ Risks ]
code is near trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
 * QA upload
 * Fix CVE-2024-5629: An out-of-bounds read in the
'bson' module allowed deserialization of malformed BSON
provided by a Server to raise an exception which may
contain arbitrary application memory
 * Use correct salsa CI


[ Other info ]
QA upload: package is orphaned
diff -Nru pymongo-3.11.0/debian/changelog pymongo-3.11.0/debian/changelog
--- pymongo-3.11.0/debian/changelog	2020-10-17 21:23:41.0 +
+++ pymongo-3.11.0/debian/changelog	2024-06-16 17:42:49.0 +
@@ -1,3 +1,13 @@
+pymongo (3.11.0-1+deb12u1) bookworm; urgency=medium
+
+  * QA upload
+  * Fix CVE-2024-5629: An out-of-bounds read in the
+'bson' module allowed deserialization of malformed BSON
+provided by a Server to raise an exception which may
+contain arbitrary application memory
+
+ -- Bastien Roucari??s   Sun, 16 Jun 2024 17:42:49 +
+
 pymongo (3.11.0-1) unstable; urgency=medium
 
   [ Federico Ceratto ]
diff -Nru pymongo-3.11.0/debian/control pymongo-3.11.0/debian/control
--- pymongo-3.11.0/debian/control	2020-10-17 21:23:41.0 +
+++ pymongo-3.11.0/debian/control	2024-06-16 17:42:49.0 +
@@ -1,7 +1,7 @@
 Source: pymongo
 Section: python
 Priority: optional
-Maintainer: Federico Ceratto 
+Maintainer: Debian QA Group  
 Build-Depends: debhelper-compat (= 13),
  dh-python,
  python3-all-dev,
diff -Nru pymongo-3.11.0/debian/gitlab-ci.yml pymongo-3.11.0/debian/gitlab-ci.yml
--- pymongo-3.11.0/debian/gitlab-ci.yml	2020-10-17 21:23:41.0 +
+++ pymongo-3.11.0/debian/gitlab-ci.yml	2024-06-16 17:42:49.0 +
@@ -1,9 +1,7 @@
-image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
-build:
-  artifacts:
-paths:
-- "*.deb"
-expire_in: 1 day
-  script:
-- gitlab-ci-git-buildpackage-all
+variables:
+  RELEASE: 'bookworm'
diff -Nru pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch
--- pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch	1970-01-01 00:00:00.0 +
+++ pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch	2024-06-16 17:42:49.0 +
@@ -0,0 +1,51 @@
+From: Shane Harvey 
+Date: Wed, 27 Mar 2024 13:16:55 -0700
+Subject: CVE-2024-5629 PYTHON-4305 Fix bson size check
+
+An out-of-bounds read in the 'bson' module allows deserialization
+of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.
+
+bug: https://jira.mongodb.org/browse/PYTHON-4305
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-5629
+origin: https://patch-diff.githubusercontent.com/raw/mongodb/mongo-python-driver/pull/1564.patch
+---
+ bson/_cbsonmodule.c | 11 +--
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/bson/_cbsonmodule.c b/bson/_cbsonmodule.c
+index f457f96..02d9105 100644
+--- a/bson/_cbsonmodule.c
 b/bson/_cbsonmodule.c
+@@ -2334,6 +2334,7 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+ uint32_t c_w_s_size;
+ uint32_t code_size;
+ uint32_t scope_size;
++uint32_t len;
+ PyObject* code;
+ PyObject* scope;
+ PyObject* code_type;
+@@ -2353,7 +2354,8 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+ memcpy(_size, buffer + *position, 4);
+ code_size = BSON_UINT32_FROM_LE(code_size);
+ /* code_w_scope length + code length + code + scope length */
+-if (!code_size || max < code_size || max < 4 + 4 + code_size + 4) {
++len = 4 + 4 + code_size + 4;
++if (!code_size || max < code_size || max < len || len < code_size) {
+ goto invalid;
+ }
+ *position += 4;
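Review bot: this is the same 0002-CVE-2024-5629 patch as in the bullseye debdiff for #1073529, and the same remark applies to `++if (!code_size || max < code_size || max < len || len < code_size)`: the `len < code_size` guard only matters once `max` is itself near UINT32_MAX, because `max < code_size` already rejects larger values, so document that intent in a comment; the scope_size hunk is truncated after `memcpy(_size, buffer +` here and cannot be reviewed.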
+@@ -2371,12 +2373,9 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+ 
+ memcpy(_size, buffer + 

Bug#1073231: bullseye-pu: package sendmail/8.15.2-22+deb11u1

2024-06-16 Thread Bastien Roucariès
On Sunday 16 June 2024, 20:08:42 UTC Adam D. Barratt wrote:
> On Sat, 2024-06-15 at 19:43 +0100, Jonathan Wiltshire wrote:
> >  "slightly non-conformant" really good justification for a pop-up
> > news item on upgrades? I don't recall the other MTAs doing this.
> > 
> > It's up to you, either way please go ahead.
> 
> As with the bookworm upload, the NEWS file won't work as designed:
> 
> +W: incorrect-packaging-filename debian/NEWS.Debian -> debian/NEWS

I have uploaded; should I reupload?

Bastien
> 
> Regards,
> 
> Adam
> 





Bug#1068888: bookworm-pu: package zookeeper/3.8.0-11+deb12u2

2024-06-16 Thread Bastien Roucariès
control: tag -1 - moreinfo
On Saturday 15 June 2024, 22:49:24 UTC Jonathan Wiltshire wrote:
Hi,

Thanks for the review


> Control: tag -1 moreinfo
> 
> Hi,
> 
> On Fri, Apr 12, 2024 at 10:18:02PM +, Bastien Roucariès wrote:
> > diff -Nru zookeeper-3.8.0/debian/changelog zookeeper-3.8.0/debian/changelog
> > --- zookeeper-3.8.0/debian/changelog2023-10-29 07:57:11.0 
> > +
> > +++ zookeeper-3.8.0/debian/changelog2024-03-25 08:30:56.0 
> > +
> > @@ -1,3 +1,22 @@
> > +zookeeper (3.8.0-11+deb12u2) bookworm-security; urgency=medium
> 
> Target should be bookworm.*

Done
> 
> 
> > diff -Nru 
> > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
> >  
> > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
> > --- 
> > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
> >   1970-01-01 00:00:00.0 +
> > +++ 
> > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
> >   2024-03-25 08:30:56.0 +
> > @@ -0,0 +1,1223 @@
> 
> 
> This patch confuses me. It seems to contain a whole series of nested
> patches? How do they get applied to the source package?

??? 

I do not understand; see patch 0027 attached, it is a simple patch...

> 
> 
> > diff -Nru zookeeper-3.8.0/debian/patches/series 
> > zookeeper-3.8.0/debian/patches/series
> > --- zookeeper-3.8.0/debian/patches/series   2023-10-29 07:57:11.0 
> > +
> > +++ zookeeper-3.8.0/debian/patches/series   2024-03-25 08:30:56.0 
> > +
> > @@ -1,19 +1,10 @@
> > -#01-add-jtoaster-to-zooinspector.patch
> > -#02-patch-build-system.patch
> >  03-disable-cygwin-detection.patch
> >  05-ZOOKEEPER-770.patch
> >  06-ftbfs-gcc-4.7.patch
> >  07-remove-non-reproducible-manifest-entries.patch
> > -#08-reproducible-javadoc.patch
> >  10-cppunit-pkg-config.patch
> >  11-disable-minikdc-tests.patch
> >  12-add-yetus-annotations.patch
> > -#13-disable-netty-connection-factory.patch
> > -#14-ftbfs-with-gcc-8.patch
> > -#15-javadoc-doclet.patch
> > -#16-ZOOKEEPER-1392.patch
> > -#17-gcc9-ftbfs-925869.patch
> > -#18-java17-compatibility.patch
> >  19-add_missing-plugins-versions.patch
> >  20-no-Timeout-in-tests.patch
> >  21-use-ValueSource-with-ints.patch
> > @@ -33,3 +24,4 @@
> >  35-flaky-test.patch
> >  36-JUnitPlatform-deprecation.patch
> >  CVE-2023-44981.patch
> > +0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
> 
> Presumably these dropped patches get integrated into the nested set in
> 0027? Or are they actually dropped?

They are dropped because disabled, but I have re-added them to series as disabled
patches; thanks, it is clearer now

Bastien
> 
> 
> 
> 
> 

diff -Nru zookeeper-3.8.0/debian/changelog zookeeper-3.8.0/debian/changelog
--- zookeeper-3.8.0/debian/changelog	2023-10-29 07:57:11.0 +
+++ zookeeper-3.8.0/debian/changelog	2024-06-16 10:40:07.0 +
@@ -1,3 +1,22 @@
+zookeeper (3.8.0-11+deb12u2) bookworm; urgency=medium
+
+  * Team upload
+  * Bug fix: CVE-2024-23944 (Closes: #1066947):
+An information disclosure in persistent watchers handling was found in
+Apache ZooKeeper due to missing ACL check.  It allows an attacker to
+monitor child znodes by attaching a persistent watcher (addWatch
+command) to a parent which the attacker has already access
+to. ZooKeeper server doesn't do ACL check when the persistent watcher
+is triggered and as a consequence, the full path of znodes that a
+watch event gets triggered upon is exposed to the owner of the
+watcher. It's important to note that only the path is exposed by this
+vulnerability, not the data of znode, but since znode path can contain
+sensitive information like user name or login ID, this issue is
+potentially critical.
+  * Add salsa CI
+
+ -- Bastien Roucari??s   Sun, 16 Jun 2024 10:40:07 +
+
 zookeeper (3.8.0-11+deb12u1) bookworm-security; urgency=medium
 
   * Team upload:
diff -Nru zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
--- zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch	1970-01-01 00:00:00.0 +
+++ zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch	2024-06-16 10:40:07.0 +
@@ -0,0 +1,1223 @@
+From: Andor Molnar 
+Date: Tue, 28 Nov 2023 21:25:00 +0100
+

Bug#1073290: systemd: Please breaks against dracut-core << 102-2~

2024-06-16 Thread Bastien Roucariès
Package: systemd
Severity: serious
Tags: patch
Justification: Breaks unrelated package
Control: affects -1 dracut-core

Dear Maintainer,

Following #1071182, could you add to systemd a breaks: dracut-core << 102-2~

The change is simple, so I added the patch tag; please remove it if needed

Bastien





Bug#1073231: bullseye-pu: package sendmail/8.15.2-22+deb11u1

2024-06-14 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: sendm...@packages.debian.org
Control: affects -1 + src:sendmail
User: release.debian@packages.debian.org
Usertags: pu


[ Reason ]
Fix CVE-2023-51765 (SMTP smuggling)

[ Impact ]
SMTP smuggling

[ Tests ]
Manual test using virtual machine

[ Risks ]
Low

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
  * QA-upload
  * Fix CVE-2023-51765 (Closes: #1059386):
    sendmail allowed SMTP smuggling in certain configurations.
    Remote attackers can use a published exploitation
    technique to inject e-mail messages with a spoofed
    MAIL FROM address, allowing bypass of an SPF protection
    mechanism. This occurs because sendmail supports
    . but some other popular e-mail servers
    do not. This is resolved with 'o' in srv_features.
  * Enable _FFR_REJECT_NUL_BYTE for rejecting mail that
    includes a NUL byte
  * By default enable rejecting mail that includes a NUL byte.
    Set confREJECT_NUL to 'true' by default.
    Users can disable it by setting confREJECT_NUL to false.
    (Closes: #1070190). Closes a variant of CVE-2023-51765
    aka SMTP smuggling.
diff -Nru sendmail-8.15.2/debian/changelog sendmail-8.15.2/debian/changelog
--- sendmail-8.15.2/debian/changelog	2021-03-16 15:04:16.0 +
+++ sendmail-8.15.2/debian/changelog	2024-05-13 18:44:56.0 +
@@ -1,3 +1,24 @@
+sendmail (8.15.2-22+deb11u1) bullseye-security; urgency=medium
+
+  * QA-upload
+  * Fix CVE-2023-51765 (Closes: #1059386):
+sendmail allowed SMTP smuggling in certain configurations.
+Remote attackers can use a published exploitation
+technique to inject e-mail messages with a spoofed
+MAIL FROM address, allowing bypass of an SPF protection
+mechanism. This occurs because sendmail supports
+. but some other popular e-mail servers
+do not. This is resolved with 'o' in srv_features.
+  * Enable _FFR_REJECT_NUL_BYTE for rejecting mail that
+include NUL byte
+  * By default enable rejecting mail that include NUL byte.
+set confREJECT_NUL to 'true' by default .
+User could disable by setting confREJECT_NUL to false.
+(Closes: #1070190). Close a variant of CVE-2023-51765
+aka SMTP smuggling.
+
+ -- Bastien Roucari??s   Mon, 13 May 2024 18:44:56 +
+
 sendmail (8.15.2-22) unstable; urgency=medium
 
   * QA upload.
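Review bot: the distribution in `+sendmail (8.15.2-22+deb11u1) bullseye-security; urgency=medium` should be `bullseye` for a bullseye-pu upload (this bug is filed as pu and tagged bullseye); the same correction, from `bookworm-security` to `bookworm`, was requested for the zookeeper upload in this thread. Minor wording in the same entry: `mail that include NUL byte` should read `mail that includes a NUL byte`.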
diff -Nru sendmail-8.15.2/debian/configure.ac sendmail-8.15.2/debian/configure.ac
--- sendmail-8.15.2/debian/configure.ac	2021-03-16 15:04:16.0 +
+++ sendmail-8.15.2/debian/configure.ac	2024-05-13 18:44:56.0 +
@@ -468,6 +468,7 @@
 sm_envdef="$sm_envdef -DHASFLOCK=0";
 sm_libsm_envdef="$sm_libsm_envdef -DHAVE_NANOSLEEP=1";
 sm_ffr="$sm_ffr -D_FFR_QUEUE_SCHED_DBG"; # %% TESTING 
+sm_ffr="$sm_ffr -D_FFR_REJECT_NUL_BYTE";
 #
 # version specific setup
 if test "$sm_version_major" = "8.16"; then
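Review bot: `+sm_ffr="$sm_ffr -D_FFR_REJECT_NUL_BYTE";` is appended directly below the line commented `# %% TESTING`, so it reads as one more experimental flag; a short comment naming #1070190 / CVE-2023-51765 would make clear that this FFR is intentional, user-visible through confREJECT_NUL, and must not be dropped with the testing flags.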
diff -Nru sendmail-8.15.2/debian/NEWS.Debian sendmail-8.15.2/debian/NEWS.Debian
--- sendmail-8.15.2/debian/NEWS.Debian	1970-01-01 00:00:00.0 +
+++ sendmail-8.15.2/debian/NEWS.Debian	2024-05-13 18:44:56.0 +
@@ -0,0 +1,19 @@
+sendmail (8.18.1-3) unstable; urgency=medium
+
+  Sendmail was affected by SMTP smurgling (CVE-2023-51765).
+  Remote attackers can use a published exploitation technique
+  to inject e-mail messages with a spoofed MAIL FROM address,
+  allowing bypass of an SPF protection mechanism.
+  This occurs because sendmail supports some combinaison of
+  .
+  .
+  This particular injection vulnerability has been closed,
+  unfortunatly full closure need to reject mail that
+  contain NUL.
+  .
+  This is slighly non conformant with RFC and could
+  be opt-out by setting confREJECT_NUL to 'false'
+  in sendmail.mc file.
+
+ -- Bastien Roucari??s   Sun, 12 May 2024 19:38:09 +
+
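Review bot: the header `+sendmail (8.18.1-3) unstable; urgency=medium` does not match this upload, which the changelog hunk gives as 8.15.2-22+deb11u1 for bullseye; NEWS entries are matched against package versions, so it should carry the same version string. The file is also added as debian/NEWS.Debian, which lintian reports as `incorrect-packaging-filename debian/NEWS.Debian -> debian/NEWS` in Adam D. Barratt's reply in this thread, and which will not be installed as the package NEWS file under that name; rename it to debian/NEWS. Spelling in the text: `smurgling`, `combinaison`, `unfortunatly`, `slighly`, `non conformant`.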
diff -Nru sendmail-8.15.2/debian/patches/0024-CVE-2023-51765.patch sendmail-8.15.2/debian/patches/0024-CVE-2023-51765.patch
--- sendmail-8.15.2/debian/patches/0024-CVE-2023-51765.patch	1970-01-01 00:00:00.0 +
+++ sendmail-8.15.2/debian/patches/0024-CVE-2023-51765.patch	2024-05-13 18:44:56.0 +
@@ -0,0 +1,1242 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= 
+Date: Thu, 15 Feb 2024 07:59:27 +
+Subject: CVE-2023-51765
+
+sendmail allowed SMTP smuggling in certain configurations.
+
+Remote attackers can use a published exploitation technique
+to inject e-mail messages with a spoofed MAIL FROM address,
+allowing bypass of an SPF protection mechanism.
+
+This occurs because sendmail supports . but some other popular
+e-mail servers do not. This is resolved in 8.18 and later versions with 'o' in srv_features.
+---
+ RELEASE_NOTES   |  24 -
+ libsm/lowercase.c   | 168 +
+ sendmail/collect.c  | 204 

Bug#1060103: transition: imagemagick7

2024-06-02 Thread Bastien Roucariès
On Sunday 2 June 2024, 11:17:33 UTC Sebastian Ramacher wrote:
> On 2024-02-02 17:21:43 +0000, Bastien Roucariès wrote:
> > On Friday 2 February 2024, 16:53:10 UTC Sebastian Ramacher wrote:
> > > Control: tags -1 moreinfo
> > > 
> > > Hi Bastien
> > > 
> > > On 2024-01-05 22:35:44 +, Bastien Roucariès wrote:
> > > > Package: release.debian.org
> > > > Severity: important
> > > > User: release.debian@packages.debian.org
> > > > Usertags: transition
> > > > X-Debbugs-CC: ftpmas...@debian.org
> > > > 
> > > > Imagemagick will need a new major bump
> > > > 
> > > > I achieved to get imagemagick 7 build for experimental (it is only on 
> > > > salsa not
> > > > uploaded yet).
> > > > 
> > > > Every package include a version in the package name (except legacy 
> > > > package name
> > > > and perl*) so I plan to do some step by step migration, because it is 
> > > > mainly
> > > > coinstallable with imagemagick 6.
> > > 
> > > Why does this migration require co-instabillity with the old version?
> > > This makes the transition overly complicated. Do you expect major
> > > changes required in reverse dependencies of imagemagick's shared
> > > library?
> > 
> > The problem is not the library but the command line interface that may need 
> > change.
> > 
> > Librarry will break (I think here about php module that will need a 
> > update), but it is treatable.
> > 
> > convert6 is not fully compatible with convert7
> > 
> > convert6 will be co installable with convert7 in order to test, and convert 
> > will be provided by alternative system.
> 
> If they are not fully compatible, then alternatives are not an option.

They are 95% compatible

> How many packages are we talking about? Have bugs been filed for
> packages thar are not compatible with convert7?

The problem is a chicken-and-egg problem. If you cannot test, then you cannot
report bugs.
At least both should be in experimental for running a full archive rebuild.

Note also that imagemagick6 is supported upstream only until 2027... So we
should migrate to 7.

That is why I think my way is a good way.

SUSE and Red Hat transitioned, see
https://fedoraproject.org/wiki/Changes/ImageMagick7

Discussion points to at least the following being broken on Red Hat:
* autotrace - plan to notify upstream
* dvdauthor - point to GraphicsMagick or IM6, plan to notify upstream
* q - dead upstream, planned to point to IM6
* vdr-skinnopacity - current upstream dead, plan to notify new upstream
* vdr-tvguide - plan to notify upstream

We could also drop imagemagick6 and use graphicsmagick if needed, but it
introduces other problems

Thanks

Bastien
> 
> Cheers
> 





Bug#1071449: bookworm-pu: package sendmail/8.17.1.9-2+deb12u1

2024-05-19 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: sendm...@packages.debian.org
Control: affects -1 + src:sendmail
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
sendmail was affected by CVE-2023-51765

[ Impact ]
close CVE-2023-51765 and reject NUL mail

[ Tests ]
CVE-2023-51765 fix was tested manually and cross checked

[ Risks ]
Code is complex and rejecting NUL is slightly RFC non-conformant

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
  * Fix CVE-2023-51765 (Closes: #1059386):
    sendmail allowed SMTP smuggling in certain configurations.
    Remote attackers can use a published exploitation
    technique to inject e-mail messages with a spoofed
    MAIL FROM address, allowing bypass of an SPF protection
    mechanism. This occurs because sendmail supports
    . but some other popular e-mail servers
    do not. This is resolved with 'o' in srv_features.
  * Enable _FFR_REJECT_NUL_BYTE for rejecting mail that
    includes a NUL byte
  * By default enable rejecting mail that includes a NUL byte.
    Set confREJECT_NUL to 'true' by default.
    Users can disable it by setting confREJECT_NUL to false.
    (Closes: #1070190). Closes a variant of CVE-2023-51765
    aka SMTP smuggling.


[ Other info ]
No regression bugs in sid/trixie for at least two weeks
diff -Nru sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in
--- sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in	2023-01-11 22:26:28.0 +
+++ sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in	2024-05-13 18:44:56.0 +
@@ -65,6 +65,9 @@
 dnl #
 define(`confDEF_USER_ID', `mail:mail')dnl
 dnl #
+ifelse(eval(index(sm_ffr, `-D_FFR_REJECT_NUL_BYTE') >= 0), `1',dnl
+`define(`confREJECT_NUL',`true')')dnl
+dnl #
 dnl #-
 dnl # mailer paths and options
 dnl #-
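Review bot: the guard `+ifelse(eval(index(sm_ffr, `-D_FFR_REJECT_NUL_BYTE') >= 0), `1',dnl` only defines confREJECT_NUL when the FFR string is present, which is the right coupling with the configure.ac change, but nothing in the file says so; add a dnl comment stating that this is the CVE-2023-51765 NUL-byte default and that users opt out by defining confREJECT_NUL to `false` in sendmail.mc after the OSTYPE line, since m4 keeps the last definition (the NEWS text in this debdiff promises the opt-out without saying where the define must go).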
diff -Nru sendmail-8.17.1.9/debian/changelog sendmail-8.17.1.9/debian/changelog
--- sendmail-8.17.1.9/debian/changelog	2023-01-11 22:26:28.0 +
+++ sendmail-8.17.1.9/debian/changelog	2024-05-13 18:44:56.0 +
@@ -1,3 +1,24 @@
+sendmail (8.17.1.9-2+deb12u1) bookworm-security; urgency=high
+
+  * QA upload
+  * Fix CVE-2023-51765 (Closes: #1059386):
+sendmail allowed SMTP smuggling in certain configurations.
+Remote attackers can use a published exploitation
+technique to inject e-mail messages with a spoofed
+MAIL FROM address, allowing bypass of an SPF protection
+mechanism. This occurs because sendmail supports
+. but some other popular e-mail servers
+do not. This is resolved with 'o' in srv_features.
+  * Enable _FFR_REJECT_NUL_BYTE for rejecting mail that
+include NUL byte
+  * By default enable rejecting mail that include NUL byte.
+set confREJECT_NUL to 'true' by default .
+User could disable by setting confREJECT_NUL to false.
+(Closes: #1070190). Close a variant of CVE-2023-51765
+aka SMTP smuggling.
+
+ -- Bastien Roucari??s   Mon, 13 May 2024 18:44:56 +
+
 sendmail (8.17.1.9-2) unstable; urgency=medium
 
   * QA upload.
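Review bot: `+sendmail (8.17.1.9-2+deb12u1) bookworm-security; urgency=high` targets bookworm-security for a bookworm-pu upload; the distribution should be `bookworm`, as was requested for the zookeeper upload in this thread, and the NEWS entry in this debdiff gives `urgency=medium` for the same version, so the two should agree.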
diff -Nru sendmail-8.17.1.9/debian/configure.ac sendmail-8.17.1.9/debian/configure.ac
--- sendmail-8.17.1.9/debian/configure.ac	2023-01-11 22:26:28.0 +
+++ sendmail-8.17.1.9/debian/configure.ac	2024-05-13 18:44:56.0 +
@@ -466,6 +466,7 @@
 sm_envdef="$sm_envdef -DHASFLOCK=1";
 sm_libsm_envdef="$sm_libsm_envdef -DHAVE_NANOSLEEP=1";
 sm_ffr="$sm_ffr -D_FFR_QUEUE_SCHED_DBG"; # %% TESTING 
+sm_ffr="$sm_ffr -D_FFR_REJECT_NUL_BYTE";
 #
 # version specific setup
 if test "$sm_version_major" = "8.17"; then
diff -Nru sendmail-8.17.1.9/debian/NEWS.Debian sendmail-8.17.1.9/debian/NEWS.Debian
--- sendmail-8.17.1.9/debian/NEWS.Debian	1970-01-01 00:00:00.0 +
+++ sendmail-8.17.1.9/debian/NEWS.Debian	2024-05-13 18:44:56.0 +
@@ -0,0 +1,19 @@
+sendmail (8.17.1.9-2+deb12u1) bookworm-security; urgency=medium
+
+  Sendmail was affected by SMTP smurgling (CVE-2023-51765).
+  Remote attackers can use a published exploitation technique
+  to inject e-mail messages with a spoofed MAIL FROM address,
+  allowing bypass of an SPF protection mechanism.
+  This occurs because sendmail supports some combinaison of
+  .
+  .
+  This particular injection vulnerability has been closed,
+  unfortunatly full closure need to reject mail that
+  contain NUL.
+  .
+  This is slighly non conformant with RFC and could
+  be opt-out by setting confREJECT_NUL to 'false'
+  in sendmail.mc file.
+
+ -- Bastien Roucari??s   Sun, 12 May 2024 19:38:09 +
+
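Review bot: this text is shown to users by apt-listchanges, so spell-check it before upload: 'smurgling' (smuggling), 'combinaison' (combination), 'unfortunatly' (unfortunately), 'slighly' (slightly), and 'could be opt-out' (can be disabled). The header says urgency=medium while the changelog entry says urgency=high; the NEWS header is normally copied from the changelog. Finally, state plainly that the smuggling injection itself is fixed and that RejectNUL is additional hardening which, as the text admits, may reject some RFC-valid mail.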
diff -Nru sendmail-8.17.1.9/debian/patches/0024-CVE-2023-51765.patch sendmail-8.17.1.9/debian/patches/0024-CVE-2023-51765.patch

Bug#1071417: bullseye-pu: package fossil/2.15.2-1+deb11u1

2024-05-18 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: fos...@packages.debian.org
Control: affects -1 + src:fossil
User: release.debian@packages.debian.org
Usertags: pu

This bug was opened by previous arrangement with the maintainer.

[ Reason ]
fossil is affected by a regression due to a security update of apache
(CVE-2024-24795). A backport was chosen
because upstream does not document all commits needed to fix the regression.

[ Impact ]
Fossil is broken, at least the server part.

[ Tests ]
Full upstream test suite

[ Risks ]
Broken fossil

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Cherry-picked and backported fix

[ Other info ]
None
diff -Nru fossil-2.15.2/debian/changelog fossil-2.15.2/debian/changelog
--- fossil-2.15.2/debian/changelog	2021-06-15 09:55:20.0 +
+++ fossil-2.15.2/debian/changelog	2024-05-14 21:29:39.0 +
@@ -1,3 +1,13 @@
+fossil (1:2.15.2-1+deb11u1) bullseye; urgency=medium
+
+  * Non maintainer fix with acknowlegment by maintainer.
+  * Cherry-pick fix f4ffefe708793b03 for CVE-2024-24795 and add
+"Breaks: apache2 (<< 2.4.59-1~)" to stage fix; see
+https://bz.apache.org/bugzilla/show_bug.cgi?id=68905
+(closes: #1070069)
+
+ -- Bastien Roucari??s   Tue, 14 May 2024 21:29:39 +
+
 fossil (1:2.15.2-1) unstable; urgency=high
 
   * New upstream version, announcement (expurgated) says:
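Review bot: the entry records only 'Breaks: apache2 (<< 2.4.59-1~)', but the debian/control change in this debdiff adds Breaks on both apache2 and apache2-bin; list both, and fix 'acknowlegment' to 'acknowledgement'.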
diff -Nru fossil-2.15.2/debian/control fossil-2.15.2/debian/control
--- fossil-2.15.2/debian/control	2021-04-07 08:12:51.0 +
+++ fossil-2.15.2/debian/control	2024-05-14 21:29:39.0 +
@@ -22,6 +22,7 @@
 Architecture: any
 Multi-Arch: foreign
 Depends: libtcl8.6 | libtcl, ${misc:Depends}, ${shlibs:Depends}
+Breaks: apache2 (<< 2.4.59-1~), apache2-bin (<< 2.4.59-1~)
 Suggests: gnupg | gnupg2
 Description: DSCM with built-in wiki, http interface and server, tickets database
  Fossil is an easy-to-use Distributed Source Control Management system
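Review bot: the Breaks is right as written: a version ending in '~' sorts below any '~suffix', so (<< 2.4.59-1~) lets a stable update of the form 2.4.59-1~deb11uX satisfy the relation while still breaking every earlier apache2; keep the trailing '~' when adjusting the version for another suite.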
diff -Nru fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch
--- fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch	1970-01-01 00:00:00.0 +
+++ fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch	2024-05-14 21:29:39.0 +
@@ -0,0 +1,361 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= 
+Date: Tue, 14 May 2024 21:23:16 +
+Subject: Deal with the missing Content-Length field
+
+fix regression of CVE-2024-24795
+
+bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=68905
+origin: https://fossil-scm.org/home/vpatch?from=9c40ddbcd182f264=a8e33fb161f45b65
+---
+ src/cgi.c   | 43 -
+ src/clone.c | 14 +++-
+ src/http.c  | 71 +
+ src/main.c  | 14 ++--
+ src/xfer.c  |  1 +
+ 5 files changed, 121 insertions(+), 22 deletions(-)
+
+diff --git a/src/cgi.c b/src/cgi.c
+index d47575b..aade0fb 100644
+--- a/src/cgi.c
 b/src/cgi.c
+@@ -1034,7 +1034,7 @@ void cgi_trace(const char *z){
+ }
+ 
+ /* Forward declaration */
+-static NORETURN void malformed_request(const char *zMsg);
++static NORETURN void malformed_request(const char *zMsg, ...);
+ 
+ /*
+ ** Initialize the query parameter database.  Information is pulled from
+@@ -1080,6 +1080,7 @@ void cgi_init(void){
+   const char *zRequestUri = cgi_parameter("REQUEST_URI",0);
+   const char *zScriptName = cgi_parameter("SCRIPT_NAME",0);
+   const char *zPathInfo = cgi_parameter("PATH_INFO",0);
++  const char *zContentLength = 0;
+ #ifdef _WIN32
+   const char *zServerSoftware = cgi_parameter("SERVER_SOFTWARE",0);
+ #endif
+@@ -1186,7 +1187,15 @@ void cgi_init(void){
+ g.zIpAddr = fossil_strdup(z);
+   }
+ 
+-  len = atoi(PD("CONTENT_LENGTH", "0"));
++  zContentLength = P("CONTENT_LENGTH");
++  if( zContentLength==0 ){
++len = 0;
++if( sqlite3_stricmp(PD("REQUEST_METHOD",""),"POST")==0 ){
++  malformed_request("missing CONTENT_LENGTH on a POST method");
++}
++  }else{
++len = atoi(zContentLength);
++  }
+   zType = P("CONTENT_TYPE");
+   zSemi = zType ? strchr(zType, ';') : 0;
+   if( zSemi ){
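Review bot: len = atoi(zContentLength) in the else branch still accepts a negative, non-numeric or overflowing CONTENT_LENGTH without complaint, since atoi reports no errors; now that the code distinguishes a missing header from a present one, also reject a present value that is not a non-negative decimal (strtol with an end-pointer check and an upper bound) through the same malformed_request() path. The missing-header check fires only for POST; any other method carrying a body silently gets len = 0, which deserves at least a comment.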
+@@ -1593,11 +1602,22 @@ void cgi_vprintf(const char *zFormat, va_list ap){
+ /*
+ ** Send a reply indicating that the HTTP request was malformed
+ */
+-static NORETURN void malformed_request(const char *zMsg){
+-  cgi_set_status(501, "Not Implemented");
+-  cgi_printf(
+-"Bad Request: %s\n", zMsg
+-  );
++static NORETURN void malformed_request(const char *zMsg, ...){
++  va_list ap;
++  char *z;
++  va_start(ap, zMsg);
++  z = vmprintf(zMsg, ap);
++  va_end(ap);
++  cgi_set_status(400, "Bad Request");
++  zContentType = "text/plain";
++  if( 
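Review bot: malformed_request() now takes a printf-style format, so any caller that passes a non-literal string (for example a header value) as zMsg becomes a format-string bug. The only call visible here, malformed_request("missing CONTENT_LENGTH on a POST method"), passes a literal, but audit the remaining callers in the part of the patch cut off above and consider a printf format attribute on the declaration so the compiler checks them. Changing the status from 501 to 400 is the right code for a client error.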

Bug#1070998: bookworm-pu: package fossil/2.24-5~deb11u1

2024-05-12 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: fos...@packages.debian.org
Control: affects -1 + src:fossil
User: release.debian@packages.debian.org
Usertags: pu

This bug was opened by previous arrangement with the maintainer.

[ Reason ]
fossil is affected by a regression due to a security update of apache
(CVE-2024-24795). A backport was chosen
because upstream does not document all commits needed to fix the regression.

[ Impact ]
Fossil is broken, at least the server part.

[ Tests ]
Full upstream test suite

[ Risks ]
Broken fossil

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Backport from sid. There are no incompatibilities, and this is an upstream maintenance
and fix-only version.

[ Other info ]
I have not attached the debdiff against stable, the fix being a backport from sid.
Attached is the debdiff against sid instead.
diff -Nru fossil-2.24/debian/changelog fossil-2.24/debian/changelog
--- fossil-2.24/debian/changelog	2024-04-30 14:32:05.0 +
+++ fossil-2.24/debian/changelog	2024-05-07 19:26:27.0 +
@@ -1,3 +1,10 @@
+fossil (1:2.24-6~deb12u1) bookworm; urgency=medium
+
+  * Non maintainer upload with acknowledgement by maintainer
+  * Backport to bookworm
+
+ -- Bastien Roucari??s   Tue, 07 May 2024 19:26:27 +
+
 fossil (1:2.24-6) unstable; urgency=medium
 
   * Add "Breaks: apache2-bin (<< 2.4.59-1~)" per #1070069 discussion.
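Review bot: the version in the new entry, 1:2.24-6~deb12u1, does not match the bug title 'fossil/2.24-5~deb11u1' (different revision and suite suffix); correct the title, since for a bookworm upload ~deb12u1 is the right suffix and -6 is the revision that carries the apache2-bin Breaks.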


signature.asc
Description: This is a digitally signed message part.


Bug#1070190: sendmail-bin: CVE-2023-51765 SMTP smuggling with NUL followup

2024-05-09 Thread Bastien Roucariès
On Saturday, 4 May 2024, 12:40:25 UTC Andreas Beckmann wrote:
> On 04/05/2024 13.02, Andreas Beckmann wrote:
> >> I have patched sendmail in order to enable O RejectNUL=True directive,
> >> but I do not achieved the fact to enable it by default.
> 
> >> Andreas could you get a glimpse at how to render  RejectNUL a default ?
> 
> Second attempt. Completely untested. This should work for both fresh 
> installations and upgrades (as long as *.cf gets regenerated).
> 
> Could you try that? And especially that the opt-out instructions are 
> working?
> 
> Short explanation of the changes:
> - Patch upstream proto.m4 to unconditionally emit 'O RejectNUL' with a
>default of 'false'. As long as confREJECT_NUL is not defined (also the
>default), this will be commented, so safe if built without
>_FFR_REJECT_NUL_BYTE
> - In debian.m4 define confREJECT_NUL to 'true' if sendmail was built
>with _FFR_REJECT_NUL_BYTE, so it is enabled by default on Debian
> - If sendmail.mc undefines confREJECT_NUL (or defines it to 'false'),
>RejectNUL will be disabled again.
> 
> If that works on sid, it should be trivially backportable to 
> (old)*stable. There should be NEWS about that change.

Test validated and pushed to git.

Lack only the NEWS entry.

Due to the complexity of this issue, as an outsider, do you have an idea how to
explain it to a simple user?

Bastien
> 
> Andreas
> 





Bug#1070069: fossil: CVE-2024-24795 unrelated breakage

2024-05-06 Thread Bastien Roucariès
On Monday, 29 April 2024, 18:40:39 UTC Barak A. Pearlmutter wrote:
> Bastien,
> 
> Okay, got it. Thanks for letting me know.
> 
> I can cherry-pick that fossil commit, but you know the right magic for
> a versioned apache2 breakage and how to deal with proposed-updates.
> So I think it would make sense for you to do all of this in a
> coordinated fashion?
> If that's okay with you, please feel free to just do a regular upload
> if you want, or an NMU, as you please.
> I will push your changes into the debian fossil branch, unless you'd
> like write access to my fossil packaging repo
>  https://people.debian.org/~bap/fossil.fsl
> which I'd be happy to set up.
> 
> Cheers,
> 
> --Barak.
> 
Thanks for your work. Do you think a full backport of fossil is worthwhile for
stable?

Bastien




Bug#1070190: sendmail-bin: CVE-2023-51765 SMTP smuggling with NUL followup

2024-05-01 Thread Bastien Roucariès
Package: sendmail-bin
Severity: important
Tags: security help
Forwarded: https://marc.info/?l=oss-security=171447187004229=2

Dear Maintainer,

CVE-2023-51765 is not fully fixed, at least for forwarding bad mail.

We must reject mail that includes NUL bytes as a stop-gap measure.

I have patched sendmail in order to enable the O RejectNUL=True directive,
but I did not manage to enable it by default.

It will need a NEWS.Debian entry, I suppose.

Andreas, could you take a look at how to make RejectNUL the default?

Bastien

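The smuggling mechanism this report refers to, modelled as an added example (Python; not sendmail code and not part of the Debian upload): an outbound relay that recognises only <CRLF>.<CRLF> forwards the attacker's whole body untouched, while a receiver that also accepts a bare LF before the dot ends the message there and parses the rest as a new envelope from a spoofed sender, on a connection whose SPF check already passed for the relay. The terminator set of the lenient receiver, the addresses and the message text are constructed for the model; reject_nul only mirrors the effect of RejectNUL (refuse a body containing a NUL byte) and makes no claim about how NUL bytes enter the variant.

```python
"""Toy model of SMTP smuggling (CVE-2023-51765).

Added example for this bug thread; not sendmail code and not part of the
Debian upload.  The lenient terminator set, the addresses and the message
text are constructed for the demonstration."""
import re
from dataclasses import dataclass

CRLF = b"\r\n"
# RFC 5321: the DATA body ends at a line holding a single dot, <CRLF>.<CRLF>.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")
# A receiver that also takes a bare LF before the dot as a line break
# (assumed terminator set for the model; the thread only says sendmail
# accepted a sequence that other servers do not).
LENIENT_EOD = re.compile(rb"\r?\n\.\r\n")


@dataclass
class Message:
    mail_from: bytes
    body: bytes


def dot_stuff(body: bytes) -> bytes:
    """Relay-side SMTP transparency (RFC 5321 4.5.2): prefix a '.' to every
    CRLF-delimited line that starts with '.'.  A dot that follows a bare LF
    is mid-line from the relay's point of view and is left alone, which is
    what the smuggler relies on."""
    return CRLF.join(b"." + l if l.startswith(b".") else l
                     for l in body.split(CRLF))


def undo_dot_stuff(body: bytes) -> bytes:
    """Receiver side of transparency: strip one leading '.' per line."""
    return CRLF.join(l[1:] if l.startswith(b".") else l
                     for l in body.split(CRLF))


def relay_stream(mail_from: bytes, rcpt_to: bytes, body: bytes) -> bytes:
    """Bytes an outbound relay sends to the next hop after accepting `body`
    from its own client with a proper <CRLF>.<CRLF>."""
    return (b"MAIL FROM:" + mail_from + CRLF
            + b"RCPT TO:" + rcpt_to + CRLF
            + b"DATA" + CRLF
            + dot_stuff(body) + b"\r\n.\r\n")


def receive(stream: bytes, eod: re.Pattern, reject_nul: bool = False) -> list[Message]:
    """Minimal receiving server: track MAIL FROM and, on DATA, cut the body
    at the first terminator `eod` accepts.  Whatever follows is parsed as
    new SMTP commands, as a real server does.  With reject_nul=True a body
    containing a NUL byte is refused (the RejectNUL behaviour)."""
    msgs: list[Message] = []
    pos, mail_from = 0, b""
    while (nl := stream.find(CRLF, pos)) >= 0:
        line, pos = stream[pos:nl], nl + 2
        if line.upper().startswith(b"MAIL FROM:"):
            mail_from = line[len(b"MAIL FROM:"):].strip()
        elif line.upper() == b"DATA":
            # Search from the DATA line's own CRLF so an empty body works.
            m = eod.search(stream, pos - 2)
            if m is None:
                break  # incomplete DATA; a real server would keep reading
            body = undo_dot_stuff(stream[pos:m.start()])
            if not (reject_nul and b"\x00" in body):
                msgs.append(Message(mail_from, body))
            pos = m.end()
        # RCPT TO and other commands do not matter for the model
    return msgs


# Constructed attacker payload, handed to the outbound relay as ONE body:
# visible text, then "<LF>.<CRLF>" (body content for the strict relay),
# then a second envelope with a spoofed sender.
SMUGGLED_BODY = (b"Subject: hello\r\n\r\nThis is the visible message."
                 b"\n.\r\n"
                 b"MAIL FROM:<ceo@victim.example>\r\n"
                 b"RCPT TO:<cfo@victim.example>\r\n"
                 b"DATA\r\n"
                 b"Subject: urgent\r\n\r\nPlease wire the money today.")


def demo(eod: re.Pattern) -> list[Message]:
    """Run the constructed payload through the relay and a receiver using `eod`."""
    wire = relay_stream(b"<alice@relay.example>", b"<bob@victim.example>", SMUGGLED_BODY)
    return receive(wire, eod)


if __name__ == "__main__":
    for name, eod in (("strict", STRICT_EOD), ("lenient", LENIENT_EOD)):
        print(name, [m.mail_from for m in demo(eod)])
```

With the strict terminator the receiver sees one message from alice whose body merely contains the odd line ending; with the lenient one it sees two, the second from ceo@victim.example, delivered on a session whose SPF result belongs to the relay.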


Bug#1070155: bullseye-pu: package wpa/2.9.0-21+deb11u1

2024-04-30 Thread Bastien Roucariès
Package: release.debian.org
Severity: important
Tags: bullseye
X-Debbugs-Cc: w...@packages.debian.org
Control: affects -1 + src:wpa
User: release.debian@packages.debian.org
Usertags: pu
tags: security


[ Reason ]
CVE-2023-52160 security bug

[ Impact ]
security bug is present

[ Tests ]
Test suite run fine

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.

[ Other info ]
Buster is fixed, so upgrading reintroduces the CVE.

Bastien
diff -Nru wpa-2.9.0/debian/changelog wpa-2.9.0/debian/changelog
--- wpa-2.9.0/debian/changelog	2021-02-25 21:19:14.0 +
+++ wpa-2.9.0/debian/changelog	2024-04-30 22:45:18.0 +
@@ -1,3 +1,19 @@
+wpa (2:2.9.0-21+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload on behalf of the Security Team.
+  * Fix CVE-2023-52160 (Closes: #1064061):
+The implementation of PEAP in wpa_supplicant allows
+authentication bypass. For a successful attack,
+wpa_supplicant must be configured to not verify
+the network's TLS certificate during Phase 1
+authentication, and an eap_peap_decrypt vulnerability
+can then be abused to skip Phase 2 authentication.
+The attack vector is sending an EAP-TLV Success packet
+instead of starting Phase 2. This allows an adversary
+to impersonate Enterprise Wi-Fi networks.
+
+ -- Bastien Roucari??s   Tue, 30 Apr 2024 22:45:18 +
+
 wpa (2:2.9.0-21) unstable; urgency=high
 
   * Fix typos in the package descriptions.
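Review bot: the entry describes the bypass but not what changes for users: with this fix PEAP Phase 2 authentication is required by default unless a client certificate or TLS session resumption is used, which can break login to RADIUS servers that used to skip Phase 2, and the patch adds a phase1 option 'phase2_auth' to control it. Mention the option and that phase2_auth=0 restores the previous behaviour, preferably in a NEWS.Debian entry too, since this goes to stable.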
diff -Nru wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch
--- wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	1970-01-01 00:00:00.0 +
+++ wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	2024-04-30 22:45:18.0 +
@@ -0,0 +1,211 @@
+From: Jouni Malinen 
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: CVE-2023-52160 PEAP client: Update Phase 2 authentication
+ requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+   (private_key/client_cert) is no used and TLS session resumption was
+   not used 

Bug#1070151: bookworm-pu: package wpa/2:2.10-12

2024-04-30 Thread Bastien Roucariès
Package: release.debian.org
Severity: important
Tags: bookworm
X-Debbugs-Cc: w...@packages.debian.org
Control: affects -1 + src:wpa
User: release.debian@packages.debian.org
Usertags: pu
tags: security


[ Reason ]
CVE-2023-52160 security bug

[ Impact ]
security bug is present

[ Tests ]
Test suite run fine

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.

[ Other info ]
Buster is fixed, so upgrading reintroduces the CVE.

Bastien
diff -Nru wpa-2.10/debian/changelog wpa-2.10/debian/changelog
--- wpa-2.10/debian/changelog	2023-02-24 13:01:35.0 +
+++ wpa-2.10/debian/changelog	2024-04-30 22:45:18.0 +
@@ -1,3 +1,19 @@
+wpa (2:2.10-12+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload on behalf of the Security Team.
+  * Fix CVE-2023-52160 (Closes: #1064061):
+The implementation of PEAP in wpa_supplicant allows
+authentication bypass. For a successful attack,
+wpa_supplicant must be configured to not verify
+the network's TLS certificate during Phase 1
+authentication, and an eap_peap_decrypt vulnerability
+can then be abused to skip Phase 2 authentication.
+The attack vector is sending an EAP-TLV Success packet
+instead of starting Phase 2. This allows an adversary
+to impersonate Enterprise Wi-Fi networks.
+
+ -- Bastien Roucari??s   Tue, 30 Apr 2024 22:45:18 +
+
 wpa (2:2.10-12) unstable; urgency=medium
 
   * Prevent hostapd units from being started if there???s
diff -Nru wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch
--- wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	1970-01-01 00:00:00.0 +
+++ wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	2024-04-30 22:42:02.0 +
@@ -0,0 +1,211 @@
+From: Jouni Malinen 
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: CVE-2023-52160 PEAP client: Update Phase 2 authentication
+ requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+   (private_key/client_cert) is no used and TLS session resumption was
+   not 
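The misconfiguration the advisory text above describes (PEAP without a configured server trust root, relying on Phase 2 being skipped) can be checked for in existing wpa_supplicant.conf files. The following audit is an added example in Python, not code from the wpa project or from this package; the configuration sample is constructed and the finding texts are the example's own. It flags PEAP networks with no ca_cert/ca_path, a ca_cert with no domain_match or similar name check, an explicit phase2_auth=0, and, as a hardening hint, networks that rely on the patched default instead of setting phase2_auth=1 explicitly.

```python
"""Audit wpa_supplicant.conf network blocks for the PEAP weakness behind
CVE-2023-52160: no server trust root and no explicit Phase 2 requirement.

Added example; not code from the wpa project or the Debian packaging.
The configuration sample is constructed and the finding texts are this
example's own."""
import re

# Constructed sample: three PEAP networks, only the last one is clean.
SAMPLE_CONF = """
network={
    ssid="corp-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-loose"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-strict"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_match="radius.corp.example"
    phase1="phase2_auth=1"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$', re.M)

F_NO_CA = "no ca_cert/ca_path: the RADIUS server certificate is not validated in Phase 1"
F_NO_NAME = ("ca_cert without domain_match/domain_suffix_match/altsubject_match: "
             "any certificate issued by that CA is accepted")
F_P2_OFF = "phase2_auth=0: Phase 2 authentication explicitly disabled"
F_P2_IMPLICIT = ('Phase 2 requirement relies on the patched default; '
                 'set phase1="phase2_auth=1" to make it explicit')


def parse_networks(conf: str) -> list[dict[str, str]]:
    """One dict per network={...} block, with quotes stripped from values."""
    return [{k: v for k, _q, v in KV_RE.findall(block)}
            for block in BLOCK_RE.findall(conf)]


def phase1_options(net: dict[str, str]) -> dict[str, str]:
    """phase1 holds space-separated key=value tokens, e.g. "phase2_auth=1"."""
    return dict(tok.split("=", 1) for tok in net.get("phase1", "").split() if "=" in tok)


def audit_peap(net: dict[str, str]) -> list[str]:
    """Findings for one network block; an empty list means nothing to report."""
    if "PEAP" not in net.get("eap", "").upper().split():
        return []
    findings = []
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append(F_NO_CA)
    elif not any(k in net for k in ("domain_match", "domain_suffix_match", "altsubject_match")):
        findings.append(F_NO_NAME)
    p2 = phase1_options(net).get("phase2_auth")
    if p2 == "0":
        findings.append(F_P2_OFF)
    elif p2 != "1" and "client_cert" not in net:
        findings.append(F_P2_IMPLICIT)
    return findings


def audit_conf(conf: str) -> dict[str, list[str]]:
    """Map each network's ssid to its findings."""
    return {net.get("ssid", "?"): audit_peap(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(ssid, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Point the script at /etc/wpa_supplicant/wpa_supplicant.conf (or NetworkManager's generated files) to find the profiles on which an unpatched client could have been impersonated; on a patched client the first two networks still deserve a ca_cert and a name match, since Phase 1 validation is what PEAP's security rests on.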

Bug#1070069: fossil: CVE-2024-24795 unrelated breakage

2024-04-30 Thread Bastien Roucariès
On Tuesday, 30 April 2024, 14:56:07 UTC Barak A. Pearlmutter wrote:
> I've uploaded a package with this fixed to unstable, 1:2.24-5, and
> it's been autobuilt and pushed out. Seems to work okay, and can be
> co-installed with apache2/sid.
> 
> Just uploaded 1:2.24-6 that adds Breaks: apach2-bin per your recent message.
> 
> Honestly, I'm not confident in my ability to properly back-port
> security-related patches to old versions of fossil. It's a big
> network-facing program with a large number of moving parts and a
> substantial attack surface, all written in C. It uses its own sqlite3
> copy when the shared library in Debian isn't a high enough version or
> doesn't have the right options enabled (currently Debian sqlite3 is
> compiled without SQLITE_ENABLE_JSON1 so the internal version is used.)
> All this means it would be super easy for me to miss some issue and
> introduce a vulnerability if I try to back-port a security patch,
> > particularly without myself deeply understanding the security issue.
> 
> Stable has 1:2.21-1.
> 
> I just made a debian-bookworm-proposed-updates branch rooted there and
> tried to cherry-pick the fix,
> https://fossil-scm.org/home/info/f4ffefe708793b03 but it does not
> apply cleanly. Obviously I can do it manually though, however there
> have been changes in the neighborhood.
> 
> Also, are you *sure* I shouldn't also be applying
> https://fossil-scm.org/home/info/71919ad1b542832c to the fixed
> versions? Because I'm not! I'd be most comfortable if upstream simply
> made a proper release with this fixed (which I bet they'd do upon
> request), and I uploaded that with the appropriate "Breaks:
> apache2-bin (<<...)", and did the (trivial) backport of that package
> to bookworm and bullseye, with the "breaks:" modified to the
> appropriate version.

I agree with you; maybe a full backport is better for bookworm. See the changes here
(lines marked with * are the interesting commits to backport).

Yadd do you have a piece of advice ?

Bastien

2024-04-22

*16:29  
cgi.md: be less specific about the Apache version in which the 
Content-Length change happened because a new forum post reports that it happens 
at least as far back as 2.4.41. ...
2024-04-21

18:51   
Merge the update to zLib-1.3.1. ...
18:46   
Improvements to comments in graph.c. No changes to actual code. ...
*16:20  
Fix parsing of the argument to the "Connection:" header of HTTP reply 
messages to deal with unusual arguments added by Apache mod_cgi. See forum 
thread ca6fc85c80f4704f. ...
*15:37  
Simplify parsing of the Connection: header in HTTP replies. ...
*06:15  
Only accept commas as separators for multiple values in "Connection:" 
HTTP headers, and ignore any white space surrounding (but not embedded into) 
values. The previous method would fall for (fictional) HTTP header values 
containing spaces, like "Connection: don't close", and recognize a value of 
"close". ...
2024-04-20

21:58   
In /chat preview mode, apply the click handlers to pikchrs in the 
preview. ...
*14:42  
Fix parsing of "Connection:" HTTP headers with multiple values. ...
2024-04-19

16:08   
Fix a minor problem in graph layout for timelines that made use of the 
offset-merge-riser enhancement. Problem originally seen on the bottom node of 
/timeline?p=6da255034b30b4b4=47362306a7dd7c6f. ...
*13:11  
More change-log enhancements: More details about the work-around for 
the Apache mod_cgi breakage, and put that work-around first on the change log 
since it seems to be important to people. ...
12:59   
Formatting enhancements to the change log for the upcoming 2.24 
release. ...
2024-04-18

17:14   
Update the built-in SQLite to the latest pre-release of version 3.46.0, 
including the bug fix for the use of VALUES-as-coroutine with an OUTER JOIN. ...
17:00   
Typo fix and add specific Apache version number to the notes about the 
Content-Length change. ...
2024-04-17

17:59   
Change log updates. ...
*15:30  • Edit [18d76fff]: Edit check-in comment. ...
*14:02  
Output a warning if a client sync or clone gets back a keep-alive HTTP 
reply that lacks a content-length header. ...
*13:27  
Only process HTTP replies that lack a Content-Length header if the 
connection is set to be closed. Suggested by 
https://bz.apache.org/bugzilla/show_bug.cgi?id=68905. ...
*13:21  
Update the change log in order to mention the Apache 
mod_cgi/Content-Length fix. ...
*13:14  
Update Apache mod_cgi/Content-Length documentation. ...
*12:58  
Fix the HTTP-reply parser so that it is able to deal with replies that 
lack a Content-Length header field. This resolves the issue reported by forum 
post 12ac403fd29cfc89. Also in this merge: (1) Add the --xverbose option to 
"fossil clone". (2) Improved error messages when web 
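The body-framing rule the starred timeline entries describe (read to EOF only when there is no Content-Length and the reply carried Connection: close; treat a keep-alive reply without Content-Length as an error rather than guess; split Connection: on commas only so "don't close" is not taken for "close"), as an added example in Python. It is not fossil's code; the sample replies are constructed, and Transfer-Encoding is deliberately rejected rather than modelled.

```python
"""Framing an HTTP/1.x reply body when Content-Length is missing.

Added example for the fossil discussion above; not fossil's code.  The
sample replies are constructed."""
from __future__ import annotations

CRLF = b"\r\n"


def parse_reply(raw: bytes) -> tuple[int, dict[str, str], bytes]:
    """Split a raw reply into (status, headers, bytes after the header block).
    Header names are lower-cased; repeated headers are joined with ','."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        name = name.strip().lower()
        headers[name] = (headers[name] + "," if name in headers else "") + value.strip()
    return status, headers, rest


def connection_tokens(value: str | None) -> set[str]:
    """Connection is a comma-separated token list: split on commas only,
    trim surrounding whitespace, compare case-insensitively.  A token with
    embedded whitespace such as "don't close" stays one token and never
    matches "close"."""
    if value is None:
        return set()
    return {tok.strip().lower() for tok in value.split(",") if tok.strip()}


def frame_body(headers: dict[str, str], rest: bytes, eof: bool) -> bytes:
    """Decide where the body ends.
    - Content-Length present: exactly that many bytes; anything beyond is
      the next reply on a keep-alive connection.
    - No Content-Length but Connection: close: the body runs to EOF, so it
      is complete only once the peer has closed (eof=True).
    - No Content-Length on a keep-alive connection: the length cannot be
      known; refuse rather than guess (the case Apache mod_cgi produced
      after the CVE-2024-24795 fix, which fossil first mishandled).
    Transfer-Encoding is out of scope here and is rejected explicitly."""
    if "transfer-encoding" in headers:
        raise ValueError("transfer-encoded replies are not modelled here")
    if "content-length" in headers:
        n = int(headers["content-length"])
        if n < 0 or len(rest) < n:
            raise ValueError("short read: body incomplete")
        return rest[:n]
    if "close" in connection_tokens(headers.get("connection")):
        if not eof:
            raise ValueError("no Content-Length: need EOF to delimit the body")
        return rest
    raise ValueError("keep-alive reply without Content-Length: body length unknowable")


def read_body(raw: bytes, eof: bool) -> bytes:
    """Parse a reply and return its framed body."""
    _status, headers, rest = parse_reply(raw)
    return frame_body(headers, rest, eof)


def frames(raw: bytes, eof: bool) -> bool:
    """True if the reply can be framed unambiguously."""
    try:
        read_body(raw, eof)
        return True
    except ValueError:
        return False


# Constructed replies.
WITH_LENGTH = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-fossil\r\n"
               b"Content-Length: 5\r\nConnection: Keep-Alive\r\n\r\nhelloNEXT")
CLOSE_NO_LENGTH = b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\nhello world"
KEEPALIVE_NO_LENGTH = b"HTTP/1.1 200 OK\r\nConnection: Keep-Alive\r\n\r\nhello"

if __name__ == "__main__":
    print(read_body(WITH_LENGTH, eof=False))
    print(read_body(CLOSE_NO_LENGTH, eof=True))
    print(frames(KEEPALIVE_NO_LENGTH, eof=True))
```

The eof flag stands in for the transport telling the parser that the peer has closed; a sync client that reads to EOF without that signal on a keep-alive connection simply hangs, which is the failure mode the Apache bug report describes.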

Bug#1070069: fossil: CVE-2024-24795 unrelated breakage

2024-04-30 Thread Bastien Roucariès
On Tuesday, 30 April 2024, 14:56:07 UTC Barak A. Pearlmutter wrote:
> currently Debian sqlite3 is
> compiled without SQLITE_ENABLE_JSON1 so the internal version is used.)

On this problem, could you cross-check?
>SQLITE_ENABLE_JSON1
>
>This compile-time option is a no-op. Prior to SQLite version 3.38.0 
> (2022-02-22), it was necessary to compile with this option in order to 
> include the JSON SQL functions in the build. However, beginning with SQLite 
> version 3.38.0, those functions are included by default. Use the 
> -DSQLITE_OMIT_JSON option to omit them. 

If so, you could drop this embedded code copy for bookworm (if the release team
is ok) and sid.

BTW I have just opened a bug and added some comments on the embedded code copy.

Bastien




Bug#1070126: fossil: Do not use embedded sqlite

2024-04-30 Thread Bastien Roucariès
Source: fossil
Severity: important

Dear Maintainer,

> currently Debian sqlite3 is
> compiled without SQLITE_ENABLE_JSON1 so the internal version is used.)

On this problem, could you cross-check?
>SQLITE_ENABLE_JSON1
>
>This compile-time option is a no-op. Prior to SQLite version 3.38.0
(2022-02-22), it was necessary to compile with this option in order to include
the JSON SQL functions in the build. However, beginning with SQLite version
3.38.0, those functions are included by default. Use the -DSQLITE_OMIT_JSON
option to omit them.

If so, you could drop this embedded code copy for bookworm (if the release team
is ok) and sid.

Bastien




Bug#1069063: distro-info: Please support distro-info --alias=trixie -r

2024-04-30 Thread Bastien Roucariès
On Tuesday, 30 April 2024, 15:24:11 UTC Benjamin Drung wrote:
> Hi,
> 
> On Mon, 2024-04-15 at 18:58 +, Bastien Roucariès wrote:
> > Package: distro-info
> > Version: 1.7
> > Severity: minor
> > 
> > Dear Maintainer,
> > 
> > distro-info --alias=trixie -r is misleading it return trixie instead of 
> > 13...
> > 
> > Maybe a feature but should be documented
> > 
> > I work around it in my script in two steps:
> > distro-info --$(distro-info --alias=trixie) -r
> 
> --alias was not developed to be combined with -c/-r/-f. So either
> distro-info should reject this parameter combination or change the
> behaviour to what you wanted to do.
> 
> 
Yes, that is the bug, with additionally a documentation bug.

Bastien




Bug#1070120: postfix: can't send mail due to obsolete /var/spool/postfix/etc/resolv.conf on new network

2024-04-30 Thread Bastien Roucariès
On Tuesday, 30 April 2024, 14:52:46 UTC Vincent Lefevre wrote:
Hi,

> Control: tags -1 security
> 
> On 2024-04-30 16:33:14 +0200, Vincent Lefevre wrote:
> > If I try to restart postfix, I get:
> > 
> > postfix/postfix-script: warning: /var/spool/postfix/etc/resolv.conf and 
> > /etc/resolv.conf differ

A solution may be to bind-mount /etc/resolv.conf read-only onto
/var/spool/postfix/etc/resolv.conf.

Bastien
> 
> BTW, note that this is a security issue, because with wifi,
> the DNS server often corresponds to the local router (e.g.
> 10.3.0.1), and it may happen that the obsolete IP address
> may correspond to some random machine on the network, which
> could act as a malicious DNS server.
> 
> > Indeed, /var/spool/postfix/etc/resolv.conf contains obsolete data.
> > 
> > I had to do "cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf".
> 
> I don't know how the update should be done. I suppose that
> /etc/network/if-up.d/postfix is pointless in case of wifi as
> it says "Called when a new interface comes up", but for wifi,
> this is the same interface, only a new network.
> 
> And I don't understand why restarting postfix did not update
> the file.
> 
> BTW, even ethernet connections may be affected in case of
> network reconfiguration.
> 
> 





Bug#1070069: fossil: CVE-2024-24795 unrelated breakage

2024-04-30 Thread Bastien Roucariès
On Monday, 29 April 2024, 18:40:39 UTC Barak A. Pearlmutter wrote:
> Bastien,
> 
> Okay, got it. Thanks for letting me know.
> 
> I can cherry-pick that fossil commit, but you know the right magic for
> a versioned apache2 breakage and how to deal with proposed-updates.
> So I think it would make sense for you to do all of this in a
> coordinated fashion?
> If that's okay with you, please feel free to just do a regular upload
> if you want, or an NMU, as you please.
> I will push your changes into the debian fossil branch, unless you'd
> like write access to my fossil packaging repo
>  https://people.debian.org/~bap/fossil.fsl
> which I'd be happy to set up.

Hi

I give up on the fossil patches (I am not fluent in fossil).

The bookworm version will need:
- to add the patch
- Breaks against apache2-bin (<< 2.4.59-1~)
The bullseye version will need:
- to add the patch
- Breaks against apache2-bin (<< 2.4.59-1~)

We have done a full backport of apache due to several bugs.

BTW I suppose that the sid version should, for extra safety, break against
apache2-bin (<< 2.4.59-1~) instead of apache2.

You should begin and apache2 will follow ASAP

Bastien

For buster I will prod you again when done.
> 
> Cheers,
> 
> --Barak.
> 





Bug#1070069: fossil: CVE-2024-24795 unrelated breakage

2024-04-29 Thread Bastien Roucariès
On Monday, 29 April 2024, 18:40:39 UTC Barak A. Pearlmutter wrote:
> Bastien,
> 
> Okay, got it. Thanks for letting me know.
> 
> I can cherry-pick that fossil commit, but you know the right magic for
> a versioned apache2 breakage and how to deal with proposed-updates.
> So I think it would make sense for you to do all of this in a
> coordinated fashion?

Yes, except for unstable, where you could go without coordination.

Fixed apache is 2.4.59-1

So I think a
breaks: apache2 (<<2.4.59-1~) 

is safe on your side (transition will be blocked)

When done I will upload an apache2 version with
breaks: fossil ( << 2.4.59-2~)

I will do the bpu when done with the release team.

Bastien
> If that's okay with you, please feel free to just do a regular upload
> if you want, or an NMU, as you please.
> I will push your changes into the debian fossil branch, unless you'd
> like write access to my fossil packaging repo
>  https://people.debian.org/~bap/fossil.fsl
> which I'd be happy to set up.


> 
> Cheers,
> 
> --Barak.
> 





Bug#1070069: fossil: CVE-2024-24795 unrelated breakage

2024-04-29 Thread Bastien Roucariès
Package: fossil
Severity: serious
Justification: breaks unrelated package
affects: apache2

Dear Maintainer,

CVE-2024-24795 is fixed in apache2. However, it breaks fossil.

You need to apply https://fossil-scm.org/home/info/f4ffefe708793b03

See bug here:
https://bz.apache.org/bugzilla/show_bug.cgi?id=68905

I can help here and do the proposed update

We also need to use a Breaks relationship in apache2, in order to allow a smooth
upgrade

Bastien





Bug#1061519: shim: CVE-2023-40546 CVE-2023-40547 CVE-2023-40548 CVE-2023-40549 CVE-2023-40550 CVE-2023-40551

2024-04-17 Thread Bastien Roucariès
On Monday 15 April 2024, 13:58:19 UTC Steve McIntyre wrote:
> On Mon, Apr 15, 2024 at 11:33:14AM +0000, Bastien Roucariès wrote:
> >Source: shim
> >Followup-For: Bug #1061519
> >Control: tags -1 + patch
> >
> >Dear Maintainer,
> >
> >Please find an MR here
> >https://salsa.debian.org/efi-team/shim/-/merge_requests/13
> 
> ACK. Thanks for trying to help, but the merge isn't the hard bit here.
> 
> The new upstream is a little problematic and I'm debugging some boot
> failures in my local CI already.

I have backported here 
https://salsa.debian.org/efi-team/shim/-/merge_requests/14

Needs testing
> 
> 





Bug#1069063: distro-info: Please support distro-info --alias=trixie -r

2024-04-15 Thread Bastien Roucariès
Package: distro-info
Version: 1.7
Severity: minor

Dear Maintainer,

distro-info --alias=trixie -r is misleading: it returns trixie instead of 13...

Maybe a feature, but it should be documented

I work around it in my script in two steps:
distro-info --$(distro-info --alias=trixie) -r




Bastien




Bug#1069054: shim: install ca for secure boot

2024-04-15 Thread Bastien Roucariès
Source: shim
Severity: minor

Dear Maintainer,

Could you install the CA used for Secure Boot somewhere in the tree?

It will help to check the CA chain by autopkgtest

Bastien





Bug#1061519: shim: CVE-2023-40546 CVE-2023-40547 CVE-2023-40548 CVE-2023-40549 CVE-2023-40550 CVE-2023-40551

2024-04-15 Thread Bastien Roucariès
Source: shim
Followup-For: Bug #1061519
Control: tags -1 + patch

Dear Maintainer,

Please find an MR here
https://salsa.debian.org/efi-team/shim/-/merge_requests/13

Bastien




Bug#1068940: json-smart: please package the new upstream version

2024-04-13 Thread Bastien Roucariès
Source: json-smart
Version: 2.2-3
Severity: wishlist

Dear Maintainer,

Please package the new upstream version

I do not manage to get maven to compile it

Bastien



Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1

2024-04-13 Thread Bastien Roucariès
On Saturday 13 April 2024, 14:01:24 UTC Bastien Roucariès wrote:
> On Saturday 13 April 2024, 14:00:00 UTC Moritz Mühlenhoff wrote:
> Hi,
> 
> > On Tue, Apr 09, 2024 at 10:01:11AM +0200, Andreas Beckmann wrote:
> > > Package: release.debian.org
> > > Severity: normal
> > > Tags: bullseye
> > > User: release.debian@packages.debian.org
> > > Usertags: pu
> > > X-Debbugs-Cc: Bastien Roucariès 
> > > Control: affects -1 + src:json-smart
> > > Control: block 1039985 with -1
> > > Control: block 1033474 with -1
> > > 
> > > [ Reason ]
> > > Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
> > > causing version skew on upgrades:
> > 
> > CVE-2023-1370 / #1033474 is unfixed in sid, and being fixed in unstable
> > is a precondition for a point update.
> > 
> > Bastien, since you fixed it in buster-lts, can you please also take care
> > of addressing unstable?

Done
> 
> 
> Ok will do
> > 
> > Cheers,
> > Moritz
> > 
> 
> 





Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1

2024-04-13 Thread Bastien Roucariès
On Saturday 13 April 2024, 14:00:00 UTC Moritz Mühlenhoff wrote:
Hi,

> On Tue, Apr 09, 2024 at 10:01:11AM +0200, Andreas Beckmann wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: bullseye
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > X-Debbugs-Cc: Bastien Roucariès 
> > Control: affects -1 + src:json-smart
> > Control: block 1039985 with -1
> > Control: block 1033474 with -1
> > 
> > [ Reason ]
> > Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
> > causing version skew on upgrades:
> 
> CVE-2023-1370 / #1033474 is unfixed in sid, and being fixed in unstable
> is a precondition for a point update.
> 
> Bastien, since you fixed it in buster-lts, can you please also take care
> of addressing unstable?


Ok will do
> 
> Cheers,
> Moritz
> 





Bug#1068888: bookworm-pu: package zookeeper/3.8.0-11+deb12u2

2024-04-12 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: zookee...@packages.debian.org
Control: affects -1 + src:zookeeper
User: release.debian@packages.debian.org
Usertags: pu


[ Reason ]
CVE-2024-23944 (Closes: #1066947):
An information disclosure in persistent watcher handling was found in
Apache ZooKeeper due to a missing ACL check.  It allows an attacker to
monitor child znodes by attaching a persistent watcher (addWatch
command) to a parent to which the attacker already has access.
The ZooKeeper server doesn't do an ACL check when the persistent watcher
is triggered and as a consequence, the full path of znodes that a
watch event gets triggered upon is exposed to the owner of the
watcher. It's important to note that only the path is exposed by this
vulnerability, not the data of the znode, but since a znode path can contain
sensitive information like a user name or login ID, this issue is
potentially critical.

[ Impact ]
CVE-2024-23944 is not fixed

[ Tests ]
Full upstream testsuite run at build time

[ Risks ]
None known

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
See debdiff
diff -Nru zookeeper-3.8.0/debian/changelog zookeeper-3.8.0/debian/changelog
--- zookeeper-3.8.0/debian/changelog	2023-10-29 07:57:11.0 +
+++ zookeeper-3.8.0/debian/changelog	2024-03-25 08:30:56.0 +
@@ -1,3 +1,22 @@
+zookeeper (3.8.0-11+deb12u2) bookworm-security; urgency=medium
+
+  * Team upload
+  * Bug fix: CVE-2024-23944 (Closes: #1066947):
+An information disclosure in persistent watchers handling was found in
+Apache ZooKeeper due to missing ACL check.  It allows an attacker to
+monitor child znodes by attaching a persistent watcher (addWatch
+command) to a parent which the attacker has already access
+to. ZooKeeper server doesn't do ACL check when the persistent watcher
+is triggered and as a consequence, the full path of znodes that a
+watch event gets triggered upon is exposed to the owner of the
+watcher. It's important to note that only the path is exposed by this
+vulnerability, not the data of znode, but since znode path can contain
+sensitive information like user name or login ID, this issue is
+potentially critical.
+  * Add salsa CI
+
+ -- Bastien Roucari??s   Mon, 25 Mar 2024 08:30:56 +
+
 zookeeper (3.8.0-11+deb12u1) bookworm-security; urgency=medium
 
   * Team upload:
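Review bot: the distribution field of the new changelog entry, `+zookeeper (3.8.0-11+deb12u2) bookworm-security; urgency=medium`, does not match this request, which is a bookworm-pu (proposed-updates) upload and should therefore target `bookworm`; the `bookworm-security` suffix looks carried over from the previous deb12u1 entry, which was a security upload. The trailer line `+ -- Bastien Roucari??s   Mon, 25 Mar 2024 08:30:56 +` also shows the maintainer name with replacement characters, so check that debian/changelog is valid UTF-8 (and that the generating environment had a UTF-8 locale) before uploading.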
diff -Nru zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
--- zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch	1970-01-01 00:00:00.0 +
+++ zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch	2024-03-25 08:30:56.0 +
@@ -0,0 +1,1223 @@
+From: Andor Molnar 
+Date: Tue, 28 Nov 2023 21:25:00 +0100
+Subject: CVE-2024-23944: ZOOKEEPER-4799: Refactor ACL check in 'addWatch'
+ command
+
+As of today, it is impossible to diagnose which watch events are dropped
+because of ACLs.  Let's centralize, systematize, and log the checks at
+the 'process()' site in the Netty and NIO connections.
+
+(These 'process()' methods contain some duplicated code, and should also
+be refactored at some point.  This series does not change them.)
+
+This patch also adds a substantial number of tests in order to avoid
+unexpected regressions.
+
+Co-authored-by: Patrick Hunt 
+Co-authored-by: Damien Diederen 
+
+origin: https://github.com/apache/zookeeper/commit/65b91d2d9a56157285c2a86b106e67c26520b01d
+bug: https://issues.apache.org/jira/browse/ZOOKEEPER-4799
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-23944
+---
+ .../apache/zookeeper/server/watch/WatchBench.java  |   6 +-
+ .../java/org/apache/zookeeper/server/DataTree.java |  23 +-
+ .../org/apache/zookeeper/server/DumbWatcher.java   |   4 +-
+ .../org/apache/zookeeper/server/NIOServerCnxn.java |  16 +-
+ .../apache/zookeeper/server/NettyServerCnxn.java   |  17 +-
+ .../org/apache/zookeeper/server/ServerCnxn.java|  10 +-
+ .../org/apache/zookeeper/server/ServerWatcher.java |  29 +
+ .../zookeeper/server/watch/IWatchManager.java  |   7 +-
+ .../zookeeper/server/watch/WatchManager.java   |  15 +-
+ .../server/watch/WatchManagerOptimized.java|  15 +-
+ .../apache/zookeeper/server/MockServerCnxn.java|   4 +-
+ .../zookeeper/server/watch/WatchManagerTest.java   |  14 +-
+ .../zookeeper/test/PersistentWatcherACLTest.java   | 629 +
+ .../zookeeper/test/UnsupportedAddWatcherTest.java  |   9 +-
+ 14 files changed, 763 insertions(+), 35 deletions(-)
+ create mode 100644 
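Review bot: the debdiff is cut off at `+ create mode 100644` with no file name, so none of the 1223-line backported patch body (the `process()` changes in NIOServerCnxn/NettyServerCnxn, the new ServerWatcher.java, and the 629-line PersistentWatcherACLTest.java listed in the diffstat) is visible in this message and the backport itself cannot be reviewed from here; please attach the complete debdiff. Because the [Tests] section relies entirely on the upstream test suite running at build time, also confirm from the build log that PersistentWatcherACLTest is executed rather than skipped, as it is the only coverage of the new ACL check this patch adds.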

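A toy model of the behaviour the advisory above describes, added here as an illustration and not code from ZooKeeper or from the backported patch: a persistent watcher on a readable parent, and event delivery with and without the READ re-check at trigger time. The znode tree, the principals and the node names are constructed for this example, and a single READ permission stands in for ZooKeeper's ACL schemes.

```python
"""Toy model of the CVE-2024-23944 persistent-watcher ACL gap.

Not ZooKeeper's code: a tiny znode tree with per-node ACLs, persistent
recursive watchers registered on a parent (as with addWatch), and event
delivery that either skips the ACL check (the vulnerable behaviour) or
re-checks READ on the event path when the watch fires and logs what it
drops (the behaviour the backported patch describes). All names and the
sample tree are constructed for this example.
"""
from dataclasses import dataclass, field

READ = "r"
ANYONE = "*"  # stands in for ZooKeeper's world:anyone scheme


@dataclass
class ZNode:
    acl: dict                                   # principal -> set of permissions
    children: dict = field(default_factory=dict)


class ZNodeTree:
    def __init__(self):
        self.root = ZNode(acl={ANYONE: {READ}})

    def _node(self, path):
        node = self.root
        for part in [p for p in path.split("/") if p]:
            node = node.children[part]
        return node

    def create(self, path, acl):
        parent_path, _, name = path.rpartition("/")
        self._node(parent_path).children[name] = ZNode(acl=acl)

    def can_read(self, principal, path):
        acl = self._node(path).acl
        return READ in acl.get(ANYONE, set()) or READ in acl.get(principal, set())


class WatchManager:
    """Persistent recursive watchers stored as (principal, parent_path)."""

    def __init__(self, tree, check_acl_on_trigger):
        self.tree = tree
        self.check_acl_on_trigger = check_acl_on_trigger
        self.watches = []
        self.log = []

    def add_watch(self, principal, path):
        # addWatch only ever verified READ on the parent, at registration time.
        if not self.tree.can_read(principal, path):
            raise PermissionError(f"{principal} may not read {path}")
        self.watches.append((principal, path))

    def trigger(self, event_path):
        """Fire watches for event_path; return the (principal, path) events delivered."""
        delivered = []
        for principal, parent in self.watches:
            if not event_path.startswith(parent.rstrip("/") + "/"):
                continue
            # The fix: the event path is re-checked against the watcher's
            # permissions when the watch fires, not only the parent at addWatch.
            if self.check_acl_on_trigger and not self.tree.can_read(principal, event_path):
                self.log.append(f"dropped watch event {event_path} for {principal}: no READ")
                continue
            delivered.append((principal, event_path))
        return delivered


def run_scenario(check_acl_on_trigger):
    """Return (delivered events, drop log) for the constructed scenario."""
    tree = ZNodeTree()
    tree.create("/app", acl={ANYONE: {READ}})
    wm = WatchManager(tree, check_acl_on_trigger)
    wm.add_watch("eve", "/app")     # eve may legitimately read /app
    wm.add_watch("admin", "/app")
    # A child whose *name* is sensitive; only admin may read it.
    tree.create("/app/login-id-4711", acl={"admin": {READ}})
    return wm.trigger("/app/login-id-4711"), wm.log


if __name__ == "__main__":
    for label, flag in (("vulnerable", False), ("fixed", True)):
        events, log = run_scenario(flag)
        print(label, "delivered:", events, "dropped:", log)
```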
Bug#1064061: CVE-2023-52160

2024-04-12 Thread Bastien Roucariès
control: tags -1 + patch

Hi,

You will find a merge request for fixing CVE-2023-52160

https://salsa.debian.org/debian/wpa/-/merge_requests/15

I can do an NMU if needed

Bastien




Bug#1067130: modernizr: NMU or update to latest upstream 3.12 or 3.13

2024-03-28 Thread Bastien Roucariès
On Thursday 28 March 2024, 18:36:54 UTC Fab Stz wrote:
> To build modernizr an additional source file is required (file.js) this file 
> is added to missing-sources (it comes from the npm package of the same name 
> from npm server or from upstreams repo). It is required by the build script 
> from upstream.
> 
> The patch is only here to use that file. That way there is no need to create 
> a Debian package for it (packaging npm nodes is beyond my knowledge and I'm 
> not really interested in doing that).
> 
> Concerning your other question, I don't understand it. The binary packages 
> only ships the js & min.js, not the build script. The missing sources is 
> required only by the build script iirc.

Thanks, this should be documented in:
- the comment at the beginning of missing-source/file
- the header of the patch, see https://dep-team.pages.debian.net/deps/dep3/
> 
> 
> On 28 March 2024 19:23:08 GMT+01:00, "Bastien Roucariès" wrote:
> >On Thursday 28 March 2024, 18:16:09 UTC Fab Stz wrote:
> >> Hello Bastien,
> >> 
> >> Iirc not so many packages depend on it and none seems to use the files 
> >> that are not shipped anymore in the binary package (the individual 
> >> 'rules').
> >> 
> >> Concerning the build maybe you could look at d/rules on the merge request. 
> >> It uses upstream's build script that builds the complete js.
> >
> >I do not understand:
> >- please document the patch using dep format
> >- explain how the build script does not ship in /usr/share 
> >debian/missingsources
> >
> >bastien
> >> 
> >> Regards
> >> Fab
> >> 
> >> On 28 March 2024 18:54:27 GMT+01:00, "Bastien Roucariès" wrote:
> >> >On Thursday 28 March 2024, 17:21:48 UTC Fab Stz wrote:
> >> >> Dear Maintainers,
> >> >> 
> >> >> I'm thinking of doing an NMU for the package by updating it to 
> >> >> 3.13.0-0.1. The 
> >> >> MR is now open since July 2023 and this bug referencing it has been 
> >> >> existing 
> >> >> for about 10 days (in case the MR wouldn't have been noticed).
> >> >> 
> >> >> There is also bug 
> >> >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001203 
> >> >> which request a newer version since 2021.
> >> >> 
> >> >> BTW, I would require a sponsor to upload the NMU.
> >> >> 
> >> >> Do you have advice or comment on this?*
> >> >
> >> >What is the state of reverse depends ?
> >> >
> >> >How does it build ?
> >> >
> >> >Bastien
> >> >> 
> >> >> Regards
> >> >> Fab
> >> >> 
> >> >>   On Tue, 19 Mar 2024 08:58:23 +0100 Fab Stz  wrote:
> >> >> > Source: modernizr
> >> >> > Version: update
> >> >> > Severity: wishlist
> >> >> > Tags: patch
> >> >> > 
> >> >> > Dear Maintainer,
> >> >> > 
> >> >> > Please update to latest upstream version 3.12 or 3.13
> >> >> > 
> >> >> > For 3.12 I created a merge request on the VCS at
> >> >> > 
> >> >> > https://salsa.debian.org/js-team/modernizr/-/merge_requests/2
> >> >> > 
> >> >> > There is also one for 2.* in
> >> >> > 
> >> >> > https://salsa.debian.org/js-team/modernizr/-/merge_requests/1
> >> >> > 
> >> >> > You just have to choose which you prefer or both one after the other.
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > -- System Information:
> >> >> > Debian Release: 12.5
> >> >> >   APT prefers stable-updates
> >> >> >   APT policy: (991, 'stable-updates'), (991, 'stable-security'), 
> >> >> > (991, 
> >> >> > 'stable'), (990, 'proposed-updates'), (390, 'oldstable-security'), 
> >> >> > (390, 
> >> >> > 'oldstable'), (389, 'oldstable-updates'), (380, 'oldoldstable'), 
> >> >> > (379, 
> >> >> > 'oldoldstable-updates'), (370, 'oldoldstable'), (95, 'testing'), (94, 
> >> >> > 'unstable'), (93, 'experimental')
> >> >> > Architecture: amd64 (x86_64)
> >> >> > Foreign Architectures: i386
> >> >> > 
> >> >> > Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
> >> >> > Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, 
> >> >> > TAINT_UNSIGNED_MODULE
> >> >> > Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
> >> >> > LANGUAGE=fr:en_US
> >> >> > Shell: /bin/sh linked to /usr/bin/dash
> >> >> > Init: systemd (via /run/systemd/system)
> >> >> > LSM: AppArmor: enabled
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> 
> >> >> 
> >> >> 
> >> >
> >> 
> >
> 





Bug#1067130: modernizr: NMU or update to latest upstream 3.12 or 3.13

2024-03-28 Thread Bastien Roucariès
On Thursday 28 March 2024, 18:16:09 UTC Fab Stz wrote:
> Hello Bastien,
> 
> Iirc not so many packages depend on it and none seems to use the files that 
> are not shipped anymore in the binary package (the individual 'rules').
> 
> Concerning the build maybe you could look at d/rules on the merge request. It 
> uses upstream's build script that builds the complete js.

I do not understand:
- please document the patch using dep format
- explain how the build script does not ship in /usr/share debian/missingsources

bastien
> 
> Regards
> Fab
> 
> On 28 March 2024 18:54:27 GMT+01:00, "Bastien Roucariès" wrote:
> >On Thursday 28 March 2024, 17:21:48 UTC Fab Stz wrote:
> >> Dear Maintainers,
> >> 
> >> I'm thinking of doing an NMU for the package by updating it to 3.13.0-0.1. 
> >> The 
> >> MR is now open since July 2023 and this bug referencing it has been 
> >> existing 
> >> for about 10 days (in case the MR wouldn't have been noticed).
> >> 
> >> There is also bug 
> >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001203 
> >> which request a newer version since 2021.
> >> 
> >> BTW, I would require a sponsor to upload the NMU.
> >> 
> >> Do you have advice or comment on this?*
> >
> >What is the state of reverse depends ?
> >
> >How does it build ?
> >
> >Bastien
> >> 
> >> Regards
> >> Fab
> >> 
> >>   On Tue, 19 Mar 2024 08:58:23 +0100 Fab Stz  wrote:
> >> > Source: modernizr
> >> > Version: update
> >> > Severity: wishlist
> >> > Tags: patch
> >> > 
> >> > Dear Maintainer,
> >> > 
> >> > Please update to latest upstream version 3.12 or 3.13
> >> > 
> >> > For 3.12 I created a merge request on the VCS at
> >> > 
> >> > https://salsa.debian.org/js-team/modernizr/-/merge_requests/2
> >> > 
> >> > There is also one for 2.* in
> >> > 
> >> > https://salsa.debian.org/js-team/modernizr/-/merge_requests/1
> >> > 
> >> > You just have to choose which you prefer or both one after the other.
> >> > 
> >> > 
> >> > 
> >> > -- System Information:
> >> > Debian Release: 12.5
> >> >   APT prefers stable-updates
> >> >   APT policy: (991, 'stable-updates'), (991, 'stable-security'), (991, 
> >> > 'stable'), (990, 'proposed-updates'), (390, 'oldstable-security'), (390, 
> >> > 'oldstable'), (389, 'oldstable-updates'), (380, 'oldoldstable'), (379, 
> >> > 'oldoldstable-updates'), (370, 'oldoldstable'), (95, 'testing'), (94, 
> >> > 'unstable'), (93, 'experimental')
> >> > Architecture: amd64 (x86_64)
> >> > Foreign Architectures: i386
> >> > 
> >> > Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
> >> > Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> >> > Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
> >> > LANGUAGE=fr:en_US
> >> > Shell: /bin/sh linked to /usr/bin/dash
> >> > Init: systemd (via /run/systemd/system)
> >> > LSM: AppArmor: enabled
> >> > 
> >> > 
> >> > 
> >> > 
> >> > 
> >> 
> >> 
> >> 
> >
> 





Bug#1067130: modernizr: NMU or update to latest upstream 3.12 or 3.13

2024-03-28 Thread Bastien Roucariès
On Thursday 28 March 2024, 17:21:48 UTC Fab Stz wrote:
> Dear Maintainers,
> 
> I'm thinking of doing an NMU for the package by updating it to 3.13.0-0.1. 
> The 
> MR is now open since July 2023 and this bug referencing it has been existing 
> for about 10 days (in case the MR wouldn't have been noticed).
> 
> There is also bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001203 
> which request a newer version since 2021.
> 
> BTW, I would require a sponsor to upload the NMU.
> 
> Do you have advice or comment on this?*

What is the state of reverse depends ?

How does it build ?

Bastien
> 
> Regards
> Fab
> 
>   On Tue, 19 Mar 2024 08:58:23 +0100 Fab Stz  wrote:
> > Source: modernizr
> > Version: update
> > Severity: wishlist
> > Tags: patch
> > 
> > Dear Maintainer,
> > 
> > Please update to latest upstream version 3.12 or 3.13
> > 
> > For 3.12 I created a merge request on the VCS at
> > 
> > https://salsa.debian.org/js-team/modernizr/-/merge_requests/2
> > 
> > There is also one for 2.* in
> > 
> > https://salsa.debian.org/js-team/modernizr/-/merge_requests/1
> > 
> > You just have to choose which you prefer or both one after the other.
> > 
> > 
> > 
> > -- System Information:
> > Debian Release: 12.5
> >   APT prefers stable-updates
> >   APT policy: (991, 'stable-updates'), (991, 'stable-security'), (991, 
> > 'stable'), (990, 'proposed-updates'), (390, 'oldstable-security'), (390, 
> > 'oldstable'), (389, 'oldstable-updates'), (380, 'oldoldstable'), (379, 
> > 'oldoldstable-updates'), (370, 'oldoldstable'), (95, 'testing'), (94, 
> > 'unstable'), (93, 'experimental')
> > Architecture: amd64 (x86_64)
> > Foreign Architectures: i386
> > 
> > Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
> > Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> > Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
> > LANGUAGE=fr:en_US
> > Shell: /bin/sh linked to /usr/bin/dash
> > Init: systemd (via /run/systemd/system)
> > LSM: AppArmor: enabled
> > 
> > 
> > 
> > 
> > 
> 
> 
> 





Bug#1067020: jupyterlab: please use node-get-intrinsic

2024-03-16 Thread Bastien Roucariès
Source: jupyterlab
Version: 4.0.11+ds1-1
Severity: important

Dear Maintainer,

Your package includes files that are packaged elsewhere:
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/.eslintrc
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/.github/FUNDING.yml
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/.nycrc
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/CHANGELOG.md
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/LICENSE
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/README.md
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/index.js
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/package.json
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/get-intrinsic/test/GetIntrinsic.js


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.6.15-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1067019: jupyterlab: use packaged node-call-bind (provided package)

2024-03-16 Thread Bastien Roucariès
Source: jupyterlab
Version: 4.0.11+ds1-1
Severity: important

Dear Maintainer,

The node-call-bind virtual package provides these files:
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/.eslintignore
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/.eslintrc
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/.github/FUNDING.yml
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/.nycrc
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/CHANGELOG.md
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/LICENSE
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/README.md
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/callBound.js
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/index.js
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/package.json
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/test/callBound.js
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/call-bind/test/index.js


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.6.15-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1067017: jupyterlab: Use node-long package

2024-03-16 Thread Bastien Roucariès
Source: jupyterlab
Version: 4.0.11+ds1-1
Severity: serious
Justification: duplicated source code, not built from source

Dear Maintainer,

Your package includes the following files, which are packaged elsewhere:
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/@xtuc/long/LICENSE
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/@xtuc/long/README.md
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/@xtuc/long/dist/long.js
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/@xtuc/long/dist/long.js.map
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/@xtuc/long/index.d.ts
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/@xtuc/long/index.js
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/@xtuc/long/package.json
python3-jupyterlab: /usr/share/jupyter/lab/staging/node_modules/@xtuc/long/src/long.js


Moreover, it was hard for Debian to get these files built, and the @xtuc ones do
not build from source

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.6.15-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1063508: ITP: node-long -- Class for representing 64-bit two's-complement integer value

2024-02-18 Thread Bastien Roucariès
control: tags -1 + pending

Uploaded waiting ftpmaster
On Friday 9 February 2024, 03:39:41 UTC Marco Trevisan wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Marco Trevisan (Treviño) 
> X-Debbugs-CC: debian-de...@lists.debian.org
> 
> * Package name: node-long
>   Version : 5.2.3
>   Upstream Author : Daniel Wirtz 
> * URL : https://github.com/dcodeIO/long.js#readme
> * License : Apache-2.0
>   Programming Lang: JavaScript
>   Description : Class for representing 64-bit two's-complement
> integer value
> 
>  A Long class for representing a 64 bit two's-complement integer value
>  derived from the Closure Library for stand-alone use and extended with
>  unsigned support.
>  .
>  This is a class used by various modules that do not use the newer bigint.
>  .
>  Node.js is an event-based server-side JavaScript engine.
> 
> This is a tiny module that is needed for protobufjs (bug #977564),
> although being widely used according to npm stats, I feel it's better to
> package it as standalone and not as grouped package.
> 
> Salsa repository is at:
>  https://salsa.debian.org/3v1n0-guest/node-esm2umd/-/tree/debian/latest
> 
> Please mark the debian/latest as default branch since I can't change it 
> myself.
> 
> The package had a dependency on a very tiny project (esm2umd) that was
> just basically a tiny wrapper to babel. I've also prepared the packaging
> for it [1], but given that such project has not a clear license (I
> mailed the maintainer meanwhile), I preferred to avoid using it, also
> because it's really just a script using babel and I have been able to
> easily re-implement it, making the build process slightly bigger
> 
> The package needs sponsor, since I'm only a maintainer, but I'll be
> happy keeping the maintenance of it.
> 
> I've given access to the js salsa team.
> 
> [1] https://salsa.debian.org/3v1n0-guest/node-esm2umd/
> 
> 





Bug#1019980: lintian: source-is-missing check for HTML is much too sensitive

2024-02-08 Thread Bastien Roucariès
On Thursday 8 February 2024, 19:57:22 UTC Bill Allombert wrote:
> On Thu, Feb 08, 2024 at 06:39:18PM +0000, Bastien Roucariès wrote:
> > On Thursday 8 February 2024, 18:31:28 UTC Santiago Ruano Rincón wrote:
> > > On Sat, 14 Oct 2023 20:23:18 +0200 Bill Allombert  
> > > wrote:
> > > > On Sun, Sep 18, 2022 at 12:14:07AM +0100, Colin Watson wrote:
> > > > > Package: lintian
> > > > > Version: 2.115.3
> > > > > Severity: normal
> > > > > 
> > > > > Lintian issues these errors for putty 0.77-1:
> > > > > 
> > > > >   E: putty source: source-is-missing [doc/html/AppendixA.html]
> > > > >   E: putty source: source-is-missing [doc/html/AppendixB.html]
> > > > >   E: putty source: source-is-missing [doc/html/AppendixE.html]
> > > > >   E: putty source: source-is-missing [doc/html/Chapter10.html]
> > > > >   E: putty source: source-is-missing [doc/html/Chapter2.html]
> > > > >   E: putty source: source-is-missing [doc/html/Chapter3.html]
> > > > >   E: putty source: source-is-missing [doc/html/Chapter4.html]
> > > > >   E: putty source: source-is-missing [doc/html/Chapter5.html]
> > > > >   E: putty source: source-is-missing [doc/html/Chapter7.html]
> > > > >   E: putty source: source-is-missing [doc/html/Chapter8.html]
> > > > >   E: putty source: source-is-missing [doc/html/Chapter9.html]
> > > > >   E: putty source: source-is-missing [doc/html/IndexPage.html]
> > > > > 
> > > > > This is pretty oversensitive.  Firstly, it's HTML, which is still 
> > > > > often
> > > > > enough written by hand anyway.  As it happens, these particular HTML
> > > > > files are generated from halibut input that's also provided in the
> > > > > source package, though I can't see how Lintian could possibly expect 
> > > > > to
> > > > > know that.
> > 
> > Are you sure it is not embedded base64 encoded png or minified javascript* ?
> > 
> > If not, we could try to find out why it chokes?
> > 
> > In this particular case, it is the source package that chokes. If halibut 
> > included the name of the source
> > in the html we could magically remove the source-is-missing warnings.
> > 
> > Another alternative: if we could determine the file was compiled by halibut, 
> > we could demote to a pedantic warning 
> > and ask to repack in order to be sure to recompile from source.
> 
> There are far too many different HTML generators out there to handle.

We have done this for doxygen and sphinx, so maybe not for more
> You would need to define a standard way to indicate the path to the source in
> the generated file.
> But some generator authors might consider this an unacceptable data leak, 
> so
> this would only be done if some environment variable is defined.
For doxygen or sphinx we only detect some string in the html file and whitelist it

Generated by something will work

Moreover, adding a missing-source override could be done by manually adding 
a symlink debian/missing-sources/  fullname pointing to the right 
location.

We also magically search known sources by using some heuristics in 
SourceMissing.pm

So the basic framework is here, we only need to add more rules

Bastien


> 
> In the short term, I suggest to disable it since there is no policy 
> requirement
> for the source code to be in a particular path, so it is not an error.
> 
> At the very least, it should not be generated more than once per package.
> 
> Cheers,
> 



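A sketch of the whitelisting heuristic discussed in this thread, added as an illustration and not Lintian's own SourceMissing.pm: recognise a generator marker in the HTML and accept the file, otherwise flag only files that carry an embedded base64 blob or a minified script line. The marker strings (the Halibut meta tag in particular), the length thresholds and the sample documents are assumptions constructed here.

```python
"""Toy version of a generator-aware source-is-missing check for HTML.

Added example, not Lintian code. Generator markers mean "built from a source
format we expect in the source package" and short-circuit the check; only
genuinely opaque content (long base64 data: URIs, minified script lines) is
tagged. Marker patterns, thresholds and sample documents are constructed.
"""
import re

# Doxygen and Sphinx are the two generators the thread says Lintian already
# whitelists; the Halibut meta tag is an assumption for this example.
GENERATOR_MARKERS = {
    "doxygen": re.compile(r'<meta name="generator" content="Doxygen', re.I),
    "sphinx": re.compile(r"Created using .{0,80}Sphinx", re.I | re.S),
    "halibut": re.compile(r'<meta name="generator" content="Halibut', re.I),
}

# Opaque content that really does warrant a source-is-missing tag.
BASE64_BLOB = re.compile(r"data:[\w/+.-]+;base64,[A-Za-z0-9+/=]{256,}")
SCRIPT_BODY = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
MINIFIED_LINE_LEN = 512


def looks_minified(script_body):
    """A script counts as minified when some line is very long and almost
    free of spaces, which hand-written JavaScript is not."""
    for line in script_body.splitlines():
        if len(line) > MINIFIED_LINE_LEN and line.count(" ") < len(line) // 20:
            return True
    return False


def classify_html(text):
    """Return (tag, reason); tag is 'ok' or 'source-is-missing'."""
    for tool, marker in GENERATOR_MARKERS.items():
        if marker.search(text):
            return "ok", f"generated by {tool}; source expected alongside"
    if BASE64_BLOB.search(text):
        return "source-is-missing", "embedded base64 data URI"
    if any(looks_minified(body) for body in SCRIPT_BODY.findall(text)):
        return "source-is-missing", "minified script"
    return "ok", "plain HTML with no opaque content"


# Constructed sample documents.
HAND_WRITTEN = "<html><body><h1>Manual</h1><p>Written by hand.</p></body></html>"
HALIBUT_LIKE = ('<html><head><meta name="generator" content="Halibut v1.2"></head>'
                "<body><p>Chapter 2</p></body></html>")
WITH_BLOB = ('<html><body><img src="data:image/png;base64,' + "A" * 300 + '">'
             "</body></html>")
WITH_MINIFIED = ("<html><body><script>" + "a=1;b=a+1;" * 80 + "</script>"
                 "</body></html>")
SAMPLES = [("hand_written", HAND_WRITTEN), ("halibut", HALIBUT_LIKE),
           ("blob", WITH_BLOB), ("minified", WITH_MINIFIED)]


def run_samples():
    """Classify every constructed sample; returns {name: tag}."""
    return {name: classify_html(doc)[0] for name, doc in SAMPLES}


if __name__ == "__main__":
    for name, doc in SAMPLES:
        print(name, *classify_html(doc))
```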


Bug#1019980: lintian: source-is-missing check for HTML is much too sensitive

2024-02-08 Thread Bastien Roucariès
On Thursday 8 February 2024, 18:31:28 UTC Santiago Ruano Rincón wrote:
> On Sat, 14 Oct 2023 20:23:18 +0200 Bill Allombert  wrote:
> > On Sun, Sep 18, 2022 at 12:14:07AM +0100, Colin Watson wrote:
> > > Package: lintian
> > > Version: 2.115.3
> > > Severity: normal
> > > 
> > > Lintian issues these errors for putty 0.77-1:
> > > 
> > >   E: putty source: source-is-missing [doc/html/AppendixA.html]
> > >   E: putty source: source-is-missing [doc/html/AppendixB.html]
> > >   E: putty source: source-is-missing [doc/html/AppendixE.html]
> > >   E: putty source: source-is-missing [doc/html/Chapter10.html]
> > >   E: putty source: source-is-missing [doc/html/Chapter2.html]
> > >   E: putty source: source-is-missing [doc/html/Chapter3.html]
> > >   E: putty source: source-is-missing [doc/html/Chapter4.html]
> > >   E: putty source: source-is-missing [doc/html/Chapter5.html]
> > >   E: putty source: source-is-missing [doc/html/Chapter7.html]
> > >   E: putty source: source-is-missing [doc/html/Chapter8.html]
> > >   E: putty source: source-is-missing [doc/html/Chapter9.html]
> > >   E: putty source: source-is-missing [doc/html/IndexPage.html]
> > > 
> > > This is pretty oversensitive.  Firstly, it's HTML, which is still often
> > > enough written by hand anyway.  As it happens, these particular HTML
> > > files are generated from halibut input that's also provided in the
> > > source package, though I can't see how Lintian could possibly expect to
> > > know that.

Are you sure it is not embedded base64-encoded PNG or minified JavaScript?

If not, we could try to know why it chokes?

In this particular case, it is the source package that chokes. If halibut 
includes the name of the source
in the HTML, we could magically remove the source-is-missing warnings.

Another alternative: if we could determine the file was compiled by halibut, we 
could demote to a pedantic warning 
and ask to repack in order to be sure to recompile from source.

Thanks
> > 
> > Dear Lintian maintainers,
> > 
> > This test is causing hundreds of false positives and should be disabled as
> > soon as possible. This is a huge waste of time for everybody.
> > 
> > If you need help with that, please tell me, I have worked on lintian in the 
> > past.
> 
> Dear Lintian maintainers,
> 
> I cannot offer the same help as ballombe, but I also find it would help
> to disable these errors. At least, could they be "demoted" to warnings?


> Thanks in advance,
> 
> Santiago
> 



signature.asc
Description: This is a digitally signed message part.
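One way to implement the triage heuristics discussed in this thread (embedded base64 images, minified JavaScript, a halibut-style generator tag that demotes the hit to pedantic instead of an error), written as an added example rather than Lintian's own SourceMissing.pm; the `<meta name="generator">` tag format, the thresholds and the sample documents are assumptions:

```python
"""Triage heuristics for Lintian-style "source-is-missing" hits on HTML files.

Added example; this is not Lintian's SourceMissing.pm. It checks the signals
raised in the thread: embedded base64-encoded images, minified JavaScript and
a generator tag naming the tool that produced the page (e.g. halibut).
Assumptions: the generator is advertised as <meta name="generator" content=...>,
and the numeric thresholds below are constructed starting points.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# data: URI with a base64 image payload (group 1 is the payload)
DATA_URI_RE = re.compile(r'data:image/[a-z+]+;base64,([A-Za-z0-9+/=]+)', re.I)
# inline <script> bodies
SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)
# <meta name="generator" content="..."> (attribute order is an assumption)
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)

MIN_DATA_URI_CHARS = 1024   # smaller payloads are icons, not "missing source"
MIN_MINIFIED_LEN = 512      # scripts shorter than this are not worth flagging
MAX_WS_RATIO = 0.05         # minified JS has almost no whitespace
KNOWN_GENERATORS = ("halibut",)   # tools whose input is expected in the source


@dataclass
class Finding:
    tag: str      # lintian-style tag name
    detail: str


@dataclass
class Verdict:
    severity: str               # "error", "pedantic" or "ok"
    generator: Optional[str]
    findings: List[Finding] = field(default_factory=list)


def is_minified(js: str) -> bool:
    """Long, single-line, whitespace-free script bodies look machine-generated."""
    body = js.strip()
    if len(body) < MIN_MINIFIED_LEN:
        return False
    longest = max(len(line) for line in body.splitlines())
    ws_ratio = sum(c.isspace() for c in body) / len(body)
    return longest >= MIN_MINIFIED_LEN and ws_ratio <= MAX_WS_RATIO


def classify_html(html: str) -> Verdict:
    """Return the severity a source-is-missing check should use for this file."""
    findings = []
    for m in DATA_URI_RE.finditer(html):
        if len(m.group(1)) >= MIN_DATA_URI_CHARS:
            findings.append(Finding("embedded-base64-image",
                                    f"{len(m.group(1))} base64 chars"))
    for m in SCRIPT_RE.finditer(html):
        if is_minified(m.group(1)):
            findings.append(Finding("minified-javascript",
                                    f"{len(m.group(1).strip())} chars"))
    gen = GENERATOR_RE.search(html)
    generator = gen.group(1) if gen else None

    if not findings:
        severity = "ok"           # plain HTML: hand-written is plausible, no tag
    elif generator and generator.lower().split()[0] in KNOWN_GENERATORS:
        severity = "pedantic"     # known tool: ask for a rebuild/repack, not an error
    else:
        severity = "error"        # embedded binary or minified code of unknown origin
    return Verdict(severity, generator, findings)


# Constructed sample documents (not real package contents).
HAND_WRITTEN = "<html><head><title>Notes</title></head><body><p>Hello</p></body></html>"
MINIFIED_JS = ("<html><body><script>" + "f=function(a,b){return a+b};" * 40
               + "</script></body></html>")
HALIBUT_LIKE = ('<html><head><meta name="generator" content="Halibut (constructed)">'
                '<title>Chapter 2</title></head><body>'
                '<img src="data:image/png;base64,' + "A" * 1500 + '"></body></html>')

if __name__ == "__main__":
    for name, doc in (("hand-written", HAND_WRITTEN), ("minified", MINIFIED_JS),
                      ("halibut-like", HALIBUT_LIKE)):
        v = classify_html(doc)
        print(f"{name:13s} -> {v.severity:8s} generator={v.generator!r} "
              f"findings={[f.tag for f in v.findings]}")
```

Run against a real doc/html tree, only the third case would remain visible at the default Lintian level if the tag were demoted as suggested above.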


Bug#1012289: RFH: lintian -- Debian package checker

2024-02-05 Thread Bastien Roucariès
On Monday 5 February 2024, 12:42:04 UTC, Bill Allombert wrote:
> On Mon, Feb 05, 2024 at 12:28:02PM +0100, Axel Beckert wrote:
> > Hi Bill,
> > 
> > Bill Allombert wrote:
> > > By the way, what happened to lintian.debian.org ?
> > 
> > Seems as if someone (not me, just noticed it today when
> > "private/refresh-data" failed…) pulled the plug on at least the DNS
> > name. Probably because it hasn't been updated since Felix' try to
> > rewrite it, which AFAIK was never finished, but the old thing also no
> > more worked. (There's probably a lot of legacy code in
> > "lib/Lintian/Output" related to one of these two website generations,
> > maybe even both.)
> 
> I used to generate my own copy of it because the official one was
> out of date. 

Help here is welcome. I really like the l.d.o site, particularly the graph
> 
> > IMHO it's generally a good thing, except that it would have been
> > better to redirect it to the according UDD pages instead.
> 
> Yes, because there are tons of places still linking to lintian.debian.org
> (e.g. wikipedia). We should ask DSA to redirect to salsa or UDD.
> 
> Cheers,
> 





Bug#1012289: RFH: lintian -- Debian package checker

2024-02-04 Thread Bastien Roucariès
On Sunday 4 February 2024, 14:02:58 UTC, Bill Allombert wrote:
> On Tue, Aug 16, 2022 at 11:56:20AM +0000, Bastien Roucariès wrote:
> > Source: lintian
> > Version: 2.115.2
> > Followup-For: Bug #1012289
> > 
> > Dear Maintainer,
> > 
> > I will restep to be a lintian maintainer. Could you please prepare a list of 
> > urgent
> > actions?
> 
> Are you still available as lintian maintainer? It sure would need an upload.
I can

I am doing some pull request update

Bastien

> 
> Cheers,
> 





Bug#1060103: transition: imagemagick7

2024-02-02 Thread Bastien Roucariès
On Friday 2 February 2024, 16:53:10 UTC, Sebastian Ramacher wrote:
> Control: tags -1 moreinfo
> 
> Hi Bastien
> 
> On 2024-01-05 22:35:44 +, Bastien Roucariès wrote:
> > Package: release.debian.org
> > Severity: important
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > X-Debbugs-CC: ftpmas...@debian.org
> > 
> > Imagemagick will need a new major bump
> > 
> > I managed to get imagemagick 7 to build for experimental (it is only on salsa, 
> > not
> > uploaded yet).
> > 
> > Every package includes a version in the package name (except legacy package 
> > names
> > and perl*), so I plan to do a step-by-step migration, because it is mainly
> > co-installable with imagemagick 6.
> 
> Why does this migration require co-installability with the old version?
> This makes the transition overly complicated. Do you expect major
> changes required in reverse dependencies of imagemagick's shared
> library?

The problem is not the library but the command line interface that may need 
changes.

The library will break (I think here about the php module that will need an update), 
but it is treatable.

convert6 is not fully compatible with convert7

convert6 will be co-installable with convert7 in order to test, and convert 
will be provided by the alternatives system.

We avoid a flag day, but we need co-installable libraries.

Bastien

> 
> PS: Before the time_t transition is done, we will not process other
> transitions.

Not a problem, but I would like to upload work to experimental in order to test 
other arches than i386/amd64/arm that I could test

Bastien

> 
> Cheers
> 





Bug#1060103: Reminder of imagemagick7 transition plan

2024-02-02 Thread Bastien Roucariès
Hi,

A gentle reminder about the imagemagick7 transition plan.

Many thanks to Santiago for partially reviewing it, but I need a green light from 
the release team.

Bastien



Bug#1062428: tinyxml: Switch to maintained fork

2024-02-01 Thread Bastien Roucariès
Source: tinyxml
Version: 2.6.2-6;1
Severity: important
Tags: security
Justification: security support
X-Debbugs-Cc: Debian Security Team 

Dear Maintainer,

It seems that a fork of tinyxml is well maintained here
https://github.com/leethomason/tinyxml2

Could it be possible to evaluate switching to the fork?

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.5.0-5-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1061272: sudo: Does not build from preferred source

2024-01-21 Thread Bastien Roucariès
Source: sudo
Severity: serious
Tags: ftbfs
Justification: yacc/lex are preferred source

Dear Maintainer,

You do not pass the --with-devel=yes configure flag, thus you do not rebuild
autogenerated files like gram.c and gram.h from their source gram.y

Usually Debian builds grammar files from source, particularly for sensitive
security components like sudo

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.5.0-5-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- no debconf information



Bug#1059315: tinyxml: CVE-2023-34194 CVE-2023-40462 CVE-2023-40458

2024-01-14 Thread Bastien Roucariès
On Sun, 31 Dec 2023 07:14:26 +0100 Salvatore Bonaccorso  
wrote:
> Hi Guilhem, hi Moritz,
> 
> On Sat, Dec 30, 2023 at 11:26:02PM +0100, Guilhem Moulin wrote:
> > On Sat, 30 Dec 2023 at 21:02:16 +0100, Felix Geyer wrote:
> > > There are some minor changes staged in the salsa git repo. It would be 
> > > good
> > > to include them as well. Feel free to push the patch to git and upload.
> > > Alternatively a merge request works as well of course.
> > 
> > Thanks for the fast response!  Tagged and uploaded.
> > 
> > Security team, if you agree with my assessment that CVE-2023-40462 is a
> > duplicate of CVE-2023-34194 (but for a separate project that embeds
> > libxml) and that CVE-2023-40458 is a duplicate of CVE-2021-42260 (but
> > for a separate project that embeds libxml), I can propose debdiffs for
> > bullseye and bookworm.
> 
> I think the former is correct but still a bit biased. We initially had
> exactly CVE-2023-40462 as NFU and CVE-2023-34194 for tinyxml. I have
> now committed
> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e507c932b999df48f808969c00f07a638e3357b
> which does match my understanding for this doubled CVE assignment. The
> document is actually not very very clear. It still mentions
> CVE-2023-40462 but does not consistently say "TinyXML as used in".
> Still hope we can agree the above matches our all understanding.
> Moritz given you updated back then the entry from NFU and tinyxml, if
> you still strongly disagree I will revert the above, but I tried to
> explain my reasoning in the commit message.
> 
> Now for CVE-2023-40458 I'm not sure. Looking back at the references
> for CVE-2021-42260 and the issue report at
> https://sourceforge.net/p/tinyxml/bugs/141/ this sensibly matches the
> description for CVE-2023-40458, but will want to see if Moritz has an
> additional input here.
> 
> If this is the case we either have the option to mark it really as
> duplicate (and request a reject from MITRE) or it is again just a
> ALEOS issue "... tinyxml as used in". Again the table here is not very
> clear in the report, for the CVE-2023-34194 and CVE-2023-40462 there
> were explicitly listed the two CVEs with brackets including the
> product in the table, but this is not the case for CVE-2023-40458.
> 
> Moritz?

Any news on this triaging?

Bastien
> 
> Regards,
> Salvatore
> 
> 




Bug#1060103: transition: imagemagick7

2024-01-05 Thread Bastien Roucariès
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-CC: ftpmas...@debian.org

Imagemagick will need a new major bump

I managed to get imagemagick 7 to build for experimental (it is only on salsa, not
uploaded yet).

Every package includes a version in the package name (except legacy package names
and perl*), so I plan to do a step-by-step migration, because it is mainly
co-installable with imagemagick 6.
- upload to experimental a version with perl and without legacy name
- migrate perl and versioned package
- add to experimental libmagickwand-dev libmagick++-dev libmagickcore-dev
- migrate packages that depend on libmagickwand-dev libmagick++-dev
libmagickcore-dev (everything that builds against imagemagick) to imagemagick7
- add to experimental imagemagick package
- migrate imagemagick package to unstable

What do you think of this plan? From a security point of view it is better to
go to imagemagick7 (hence important severity)

I expect breakage only on the last step. See
https://imagemagick.org/script/porting.php

ftpmaster: it needs more work because it will need three manual steps.

Bastien

*  perlmagick, libmagickcore-dev, libmagickwand-dev, libmagick++-dev,
imagemagick, libimage-magick-perl, libimage-magick-q16-perl,
libimage-magick-q16hdri-perl




Bug#989998: Fixed upstream: need help ?

2024-01-05 Thread Bastien Roucariès
Hi,

I have just fixed this CVE for buster and I want to know if you need help to 
release a fix for unstable?

The LTS fix is here: https://salsa.debian.org/lts-team/packages/keystone/

Thanks

Bastien



Bug#1037219: Uploaded imagemagick/8:6.9.11.60+dfsg-1.3+deb11u2

2023-12-29 Thread Bastien Roucariès
Hi,

I have just uploaded

Bastien



Bug#1055300: Reopen + fix

2023-12-17 Thread Bastien Roucariès
control: reopen -1
control: found -1  5.4.0-1
control: forwarded -1 
https://github.com/ansible-collections/amazon.aws/pull/1704
control: tag -1 + fixed-upstream

Hi,

This bug lies in ansible...

Reopen this bug and use the patch as fwd field.

rouca



Bug#975405: libwabt.js => sucess but need policy and help

2023-11-13 Thread Bastien Roucariès
On Monday 13 November 2023, 11:18:42 UTC, Markus Koschany wrote:
> Hey,
> 
> On Monday, 13.11.2023 at 09:19 + Bastien Roucariès wrote:
> 
> [...]
> > Apo, can I add myself to your package? Do you care to co-maintain with the
> > javascript team?
> 
> I assume you are referring to wabt and this bug report [1] ?
> 
> Do you have a solution for the circular dependency that building libwabt.js
> would create?
> 
> In general I would be totally fine if you or the Javascript team would
> completely take over wabt and binaryen because both of them and emscripten are
> closely related. See also #1052003; emscripten FTBFS with binaryen from
> experimental.
> 
> Personally I only need wabt and binaryen to build WebAssembly code from source
> for the ublock-origin Firefox/Chromium addon but I'm not really interested in
> becoming more involved in the Javascript ecosystem. So feel free to take over
> both packages and remove me as the maintainer.

I think the solution here is build profiles, like for other packages involving 
this kind of stuff.

Ok, I will take it over and add the javascript team
> 
> Regards,
> 
> Markus
> 
> [1] https://bugs.debian.org/975405
>  
> 





Bug#1008017: audiofile: CVE-2022-24599/CVE-2019-13147 Fix

2023-11-12 Thread Bastien Roucariès
On Saturday 11 November 2023, 18:22:41 UTC, Bastien Roucariès wrote:
> control: tags -1 + patch
> 
> Hi,
> 
> Could you apply the merge request 
> https://salsa.debian.org/multimedia-team/audiofile/-/merge_requests/5 and 
> make a release?
> 
> It fixes the two CVEs
> 
> Bastien
Sent fix to DELAYED/7

Thanks

Bastien




Bug#1008017: audiofile: CVE-2022-24599/CVE-2019-13147 Fix

2023-11-11 Thread Bastien Roucariès
control: tags -1 + patch

Hi,

Could you apply the merge request 
https://salsa.debian.org/multimedia-team/audiofile/-/merge_requests/5 and make 
a release?

It fixes the two CVEs

Bastien



Bug#1041112: Merge request

2023-11-11 Thread Bastien Roucariès
control: tags -1 + pending

I have a merge request waiting here

Plan a NMU/7

https://salsa.debian.org/multimedia-team/sox/-/merge_requests?scope=all=opened

rouca



Bug#1055370: Important for a few packages: add security support

2023-11-08 Thread Bastien Roucariès
Hi,

I have one package that currently fails due to this.

A CVE was fixed by coordinating a fix between rmagick and imagemagick and I 
test that the CVE is closed using an autopkgtest

I also believe it is important from a security point of view to add fixes for 
security issues

Bastien



Bug#1055585: ITP: node-envinfo -- Generate reports of the common details used by Node.js packages

2023-11-08 Thread Bastien Roucariès
Package: wnpp
Severity: important
Owner: Bastien Roucariès 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-envinfo
  Version : 7.11.0+~cs13.4.1
  Upstream Contact: https://github.com/tabrindle/envinfo#readme
https://github.com/sindresorhus/os-name/tags
https://github.com/sindresorhus/macos-release/tags
https://github.com/sindresorhus/windows-release/tags
https://registry.npmjs.org/yamlify-object
* URL : https://github.com/tabrindle/envinfo#readme
https://github.com/sindresorhus/os-name/tags
https://github.com/sindresorhus/macos-release/tags
https://github.com/sindresorhus/windows-release/tags
https://registry.npmjs.org/yamlify-object
* License : Expat
  Programming Lang: Typescript/javascript
  Description : Generate reports of the common details used by Node.js
packages

Generate reports of the common details used by Node.js packages
 This package generates reports of common software installed on your computer,
 including browser version, Node.js version, operating system and programming
 language support.
 .
 This is used by webpack, a JavaScript module bundler, for generating build-time
 reports.
 .
 Node.js is an event-based server-side JavaScript engine.

This package is needed to rebuild webpack from source, which is an essential
package of the javascript team


Bug#1055346: dh-nodejs: should provide dh_nodejs_autodocs

2023-11-04 Thread Bastien Roucariès
Package: dh-nodejs
Version: 0.15.15
Severity: important

Dear Maintainer,

dh-nodejs should provide dh-nodejs-autodocs


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.5.0-3-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dh-nodejs depends on:
ii  debhelper                 13.11.7
ii  libdebian-copyright-perl  0.2-6
ii  libdebian-source-perl     0.122
ii  libdpkg-perl              1.22.1
ii  libgraph-perl             1:0.9727-1
ii  libipc-run-perl           20231003.0-1
ii  libjson-perl              4.1-1
ii  libyaml-perl              1.30-2
ii  nodejs                    18.13.0+dfsg1-1
ii  perl                      5.36.0-9

dh-nodejs recommends no packages.

Versions of packages dh-nodejs suggests:
ii  node-rollup-plugin-commonjs      25.0.4+ds1-1
ii  node-rollup-plugin-node-resolve  15.1.0+ds-1
ii  pkg-js-tools                     0.15.15
ii  rollup                           3.28.0-2

-- no debconf information



Bug#1055328: node-minimatch: could not build using webpack

2023-11-04 Thread Bastien Roucariès
Package: node-minimatch
Version: 9.0.3-4
Severity: serious
Justification: FTBFS other package

Dear Maintainer,

I could not build node-envinfo due to the trick done for default export only
for require. Webpack does a mix of the two and does not find the default import...

Therefore it is required to export default for both

Bastien





Bug#1055172: python3 should recommend netbase

2023-11-01 Thread Bastien Roucariès
Package: python3
Version: 3.11.4-5+b1
Severity: important
Tags: newcomer

Dear Maintainer,

In order to avoid some strange errors in autopkgtests of python-related packages,
could it be possible to recommend netbase? It is needed for accessing
/etc/services and well-known ports/hosts

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.5.0-2-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3 depends on:
ii  libpython3-stdlib  3.11.4-5+b1
ii  python3-minimal    3.11.4-5+b1
ii  python3.11         3.11.6-3

python3 recommends no packages.

Versions of packages python3 suggests:
ii  python3-doc   3.11.4-5
ii  python3-tk    3.11.5-1
ii  python3-venv  3.11.4-5+b1

-- no debconf information



Bug#1055103: webpack: split env

2023-10-31 Thread Bastien Roucariès
Package: webpack
Version: 5.76.1+dfsg1+~cs17.16.16-1
Severity: important

Dear Maintainer,

I think the way to go is to split env from webpack

env needs webpack to build but needs only a few packages


Yadd, what do you think?

Bastien



Bug#1055053: RM: {imagemagick-doc, imagemagick-common} [all] -- ROM; removed from source package

2023-10-30 Thread Bastien Roucariès
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: imagemag...@packages.debian.org
Control: affects -1 + src:imagemagick


Please remove these two transitional packages

Thanks

Bastien



Bug#1054444: golang-github-facebook-ent: website is built with Docusaurus not packaged for debian

2023-10-24 Thread Bastien Roucariès
control: retitle -1 golang-github-facebook-ent: include non free font Calibre

On Tuesday 24 October 2023, 06:13:41 UTC, Cyril Brulebois wrote:
> Hi Bastien,
> 
> Bastien Roucariès  (2023-10-23):
> > Source:  golang-github-facebook-ent
> > Version: 0.5.4-3 
> > Severity: serious
> > Tags: ftbfs
> > Justification: FTBFS
> > Control: block -1 by 1054426
> > 
> > Dear Maintainer,
> > 
> > The documentation is built with docusaurus.
> > 
> > See website directory
> > https://sources.debian.org/src/golang-github-facebook-ent/0.5.4-3/doc/website/
> > 
> > You should repack or package docusaurus and rebuild
> 
> Please describe the actual problem you're seeing.

I have just checked the docusaurus-built package, but here the .js code is readable, 
except the woff files that are built from Calibre without source and are non-free

https://klim.co.nz/licences/#enterprise
> 
> Cheers,
> 





Bug#1054433: node-puppeteer: website is built with Docusaurus not packaged for debian

2023-10-24 Thread Bastien Roucariès
control: retitle -1 fasttext: website is built with Docusaurus not packaged 
for debian
On Tuesday 24 October 2023, 06:41:55 UTC, Andrius Merkys wrote:
> Hi,
> 
> On 2023-10-23 22:06, Bastien Roucariès wrote:
> > Source: fasttext
> 
> Source package names in Subject and Source do not match. Please retitle 
> if this is not intentional.
> 
> Best,
> Andrius
> 





Bug#1054432: [Pkg-javascript-devel] Bug#1054432: node-puppeteer: website is built with Docusaurus not packaged for debian

2023-10-24 Thread Bastien Roucariès
control: retitle -1 node-katex: website is built with Docusaurus not packaged 
for debian
On Tuesday 24 October 2023, 06:40:59 UTC, Andrius Merkys wrote:
> Hi,
> 
> On 2023-10-23 22:04, Bastien Roucariès wrote:
> > Source:  node-katex
> 
> Source package names in Subject and Source do not match. Please retitle 
> if this is not intentional.
> 
> Best,
> Andrius
> 





Bug#1054444: golang-github-facebook-ent: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  golang-github-facebook-ent
Version: 0.5.4-3 
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/src/golang-github-facebook-ent/0.5.4-3/doc/website/

You should repack or package docusaurus and rebuild

Bastien





Bug#1054443: node-graphql: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  node-graphql
Version: 16.8.1-1 
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/src/node-graphql/16.8.1-1/website/src/pages/index.jsx/?hl=2#L2

You should repack or package docusaurus and rebuild

Bastien





Bug#1054440: reassign

2023-10-23 Thread Bastien Roucariès
control: reassign -1 ts-node




Bug#1054441: node-ts-jest: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  node-ts-jest
Version: 29.1.1+~cs0.2.6-2
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/data/main/n/node-ts-jest/29.1.1%2B~cs0.2.6-2/website/

You should repack or package docusaurus and rebuild

Bastien





Bug#1054440: ts-node: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source: ts-node
Version: 10.9.1+~cs8.8.29-1 
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/src/ts-node/10.9.1%252B~cs8.8.29-1/website/

You should repack or package docusaurus and rebuild

Bastien





Bug#1054439: node-rjsf: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  node-rjsf
Version: 5.6.2+~5.0.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/src/node-rjsf/5.6.2+~5.0.1-1/packages/docs/docusaurus.config.js/?hl=54#L54

You should repack or package docusaurus and rebuild

Bastien





Bug#1054438: golang-entgo-ent: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  golang-entgo-ent
Version: 0.11.3-4
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/data/main/g/golang-entgo-ent/0.11.3-4/doc/website

You should repack or package docusaurus and rebuild

Bastien





Bug#1054437: golang-ariga-atlas: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  golang-ariga-atlas
Version: 0.7.2-2
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/src/golang-ariga-atlas/0.7.2-2/doc/website/

You should repack or package docusaurus and rebuild

Bastien




Bug#1054435: node-react-redux: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  node-react-redux
Version: 8.1.2+dfsg1+~cs1.2.3-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory

You should repack or package docusaurus and rebuild

Bastien




Bug#1054434: node-redux: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  node-redux
Version: 4.2.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory

You should repack or package docusaurus and rebuild

Bastien




Bug#1054433: node-puppeteer: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  fasttext
Version: 0.9.2+ds-5
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory

You should repack or package docusaurus and rebuild

Bastien




Bug#1054432: node-puppeteer: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source:  node-katex
Version: 0.16.4+~cs6.1.0-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See:
https://sources.debian.org/src/node-katex/0.16.4+~cs6.1.0-1/website/

You should repack or package docusaurus and rebuild

Bastien




Bug#1054431: node-puppeteer: website is built with Docusaurus not packaged for debian

2023-10-23 Thread Bastien Roucariès
Source: node-puppeteer
Version: 13.4.1+dfsg-2
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See:
https://sources.debian.org/src/node-puppeteer/13.4.1+dfsg-2/website/

You should repack or package docusaurus and rebuild

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.5.0-2-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1054426: RFP: docusaurus -- Docusaurus is a project for building, deploying, and maintaining open source project websites easily

2023-10-23 Thread Bastien Roucariès
Package: wnpp
Severity: wishlist

* Package name: docusaurus
  Version : 1
  Upstream Contact: Facebook, Inc. and its affiliates. (Facebook, Inc. and its
affiliates.)
* URL : https://github.com/facebook/docusaurus
* License : expat
  Programming Lang: javascript
  Description : Docusaurus is a project for building, deploying, and
maintaining open source project websites easily

Docusaurus is a project for building, deploying, and maintaining open source
project websites easily.

Docusaurus is built in a way so that it can get running in as little time
as possible. We've built Docusaurus to handle the website build process so you
can focus on your project.

Docusaurus ships with localization support via CrowdIn. Empower and grow
your international community by translating your documentation.


While Docusaurus ships with the key pages and sections you need to get
started, including a home page, a docs section, a blog, and additional support
pages, it is also customizable as well to ensure you have a site that is
uniquely yours.

This is needed for:
node-puppeteer
ts-node
thunderbird
netdata
golang-github-facebook-ent
golang-entgo-ent
node-ts-jest
firefox-esr
mkdocs-material
firefox
fasttext
node-react-redux
gitlab
node-redux
node-rjsf
node-jest
node-webassemblyjs
golang-ariga-atlas
node-graphql
node-katex
gitaly



Bug#1054405: RM: libjs-punycode [all] -- NVIU; Provided now by nodejs-punycode

2023-10-23 Thread Bastien Roucariès
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: ruby-rails-assets-punyc...@packages.debian.org
Control: affects -1 + src:ruby-rails-assets-punycode
Control: block 1051089 by -1

Please remove libjs-punycode. It is now provided by nodejs-punycode

Thanks

bastien



Bug#994540: Go ahead with imagemagick/experimental ?

2023-10-22 Thread Bastien Roucariès
On Sunday 22 October 2023, 15:03:50 UTC, Sebastian Ramacher wrote:
> Control: tags -1 confirmed
> 
> On 2023-10-22 14:51:42 +, Bastien Roucariès wrote:
> > On Sunday 22 October 2023, 14:08:20 UTC, Sebastian Ramacher wrote:
> > > Hi Bastien
> > > 
> > > On 2023-10-21 20:10:47 +, Bastien Roucariès wrote:
> > > > Can I go ahead with imagemagick experimental ?
> > > 
> > > As a year has passed since the last mail to the transition bug report: did
> > > any new build failures in reverse dependencies appear? What's the
> > > status?
> > 
> > Reverse builds are ok (just tested in pbuilder), so for me it is a green 
> > light
> 
> Please go ahead.
Done
> 
> Cheers
> 




