Bug#1016974: sofia-sip: CVE-2022-31001 CVE-2022-31002 CVE-2022-31003
On Thu, Aug 11, 2022 at 11:08:49PM +0200, Evangelos Ribeiro Tzaras wrote:
> Hi Moritz,
>
> On Wed, 2022-08-10 at 22:08 +0200, Moritz Mühlenhoff wrote:
> > Source: sofia-sip
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerabilities were published for sofia-sip.
>
> I will try to apply the patches and prepare a release!
>
> > CVE-2022-31001[0]:
> ...
> > CVE-2022-31002[1]:
> ...
> > CVE-2022-31003[2]:
> ...
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> ACK.
> Is there a specific format needed when referencing the CVE?

Not really, just mention them in debian/changelog :-)

In addition we'll keep security-tracker.debian.org updated when the upload reaches unstable. Once the fix is in unstable (and if there are issues reported after a few days) we can sort out an update for bullseye-security.

Cheers,
Moritz
Bug#1016984: RM: ladish -- RoQA; Depends on Python 2, depends on legacy Gnome libs, unmaintained
Package: ftp.debian.org
Severity: normal

Please remove ladish:
- There was no followup to the "proposed removal bug" from 2018 (#888657)
- Depends on Python 2, which is being removed in Bookworm
- Last upload in 2019, removed from testing since 2.25 years

Cheers,
Moritz
Bug#1016986: Should pd-py be removed?
Source: pd-py
Version: 0.2.2+git20170625.1.88fc77a-2
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2, which is finally being removed in Bookworm
- Last upload in 2018

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1016983: Should k3d be removed?
Source: k3d
Version: 0.8.0.6-8
Severity: serious

Your package came up as a candidate for removal from Debian:
- Python 2 will finally be removed in Bookworm and there's no upstream porting activity
- Last upload four years ago
- Multiple other FTBFS issues

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1016139: For Review: Bug#1016139: (net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805)
On Wed, Aug 10, 2022 at 05:05:12PM +1000, Craig Small wrote:
> > Do you have capacity to prepare updates for bullseye?
>
> Yes, see attached debdiff for review. It's just those two patches.

Looks good, thanks! Please upload to security-master.

Cheers,
Moritz
Bug#1016845: warn users about insecure webkit* packages
On Mon, Aug 08, 2022 at 11:07:16AM +, Holger Levsen wrote:
> so, for bookworm, we should add
>
> - qtwebkit-opensource-src
> - qtwebengine-opensource-src
>
> to security-support-limited ("only for trusted content") and that's it?

I think so, yes.

Cheers,
Moritz
Bug#1016667: Should this package be removed?
Source: caldav-tester
Version: 7.0+20190225-4
Severity: serious

Your package came up as a candidate for removal from Debian: The plan is to remove Python 2 in Bookworm and there's no porting activity towards Python 3.

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1016666: RM: iotjs -- RoQA; unmaintained, open security issues, depends on Python 2
Package: ftp.debian.org
Severity: normal

See #1011124

Cheers,
Moritz
Bug#1016665: RM: gspiceui -- RoQA; Blocks removal of geda-gaf, unmaintained
Package: ftp.debian.org
Severity: normal

Please remove gspiceui. It blocks the removal of geda-gaf (#1008700) and #967915 hasn't seen maintainer action for two years.

Cheers,
Moritz
Bug#1016664: RM: easyspice -- RoQA; depends on geda-gaf which is being removed
Package: ftp.debian.org
Severity: normal

Please remove easyspice. It blocks the removal of geda-gaf (#1008700) and #967916 hasn't seen a reply in two years.

Cheers,
Moritz
Bug#1014764: closed by Hilko Bengen (Re: Bug#1014764: guestfs-tools: CVE-2022-2211)
reopen 1014764
thanks

On Thu, Jul 28, 2022 at 07:51:03AM +, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the src:guestfs-tools package:
>
> #1014764: guestfs-tools: CVE-2022-2211
>
> It has been closed by Hilko Bengen .
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Hilko Bengen by
> replying to this email.
>
>
> --
> 1014764: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014764
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems

> Date: Thu, 28 Jul 2022 09:23:17 +0200
> From: Hilko Bengen
> To: 1014764-d...@bugs.debian.org
> Subject: Re: Bug#1014764: guestfs-tools: CVE-2022-2211
> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
>
> It turned out that triggering rebuilds was enough to get guestfs-tools
> built, so it can migrate now. Closing the issue.

Hi Hilko,

But regardless of the rebuild, https://github.com/libguestfs/libguestfs-common/commit/35467027f657de76aca34b48a6f23e9608b23a57 isn't present in 1.48.2?

Cheers,
Moritz
Bug#1015981: Should grokmirror be removed?
Source: grokmirror
Version: 1.0.0-1.1
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2
- Last maintainer upload in 2016

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1015980: Should pd-aubio be removed?
Source: pd-aubio
Version: 0.4-1
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2
- Last upload in 2014

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1015979: Should python-unshare be removed?
Source: python-unshare
Version: 0.2-1
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2
- Last upload in 2016

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.16.0-6-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#1015978: Should falcon be removed?
Source: falcon
Version: 1.8.8-1
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2
- Dropped from testing in 2018
- Last upload in 2017

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1015977: Should vland be removed?
Source: vland
Version: 0.8-1
Severity: serious

Your package came up as a candidate for removal from Debian: it's one of the few remaining packages still depending on Python 2 and there's no visible upstream activity to port it to vland?

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1015976: Should vmm be removed?
Source: vmm
Version: 0.6.2-2
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2
- Last upload in 2017, removed from testing since 2019

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1015975: Should python-neuroshare be removed?
Source: python-neuroshare
Version: 0.9.2-1
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2
- Last upload in 2014
- Dead upstream (last commits from 2016)

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1015974: Should gnat-gps be removed?
Source: gnat-gps
Version: 19.2-3
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2
- Removed from testing since 2019

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1015973: Should xdeb be removed?
Source: xdeb
Version: 0.6.7
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2
- No upload in five years

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1014533: php8.1: CVE-2022-31625 CVE-2022-31626
Hi Ondřej,

On Thu, Jul 07, 2022 at 05:57:24PM +0200, Ondřej Surý wrote:
> Hi,
>
> thanks for the poke.
>
> Would it be also ok to do the php7.4 via bullseye-security or do you
> want me specifically to do the stable-updates?

The two issues are not the most severe, but we can do a DSA. I'll look into your upload in the next 1-2 days.

Cheers,
Moritz
Bug#1013343: dbus-broker: CVE-2022-31212
On Thu, Jun 23, 2022 at 07:24:50AM +0200, Salvatore Bonaccorso wrote:
>
> Gut feeling, to me this looks something which can be fixed in the
> upcoming point release but would not need a DSA. Will leave the final
> decision on it though to Moritz.

Agreed, I don't think we need a DSA here. This is merely a crash and I'm not even sure this crosses any reasonable trust boundary; if service definitions with untrusted Exec statements are in use, this is probably the lesser of worries...

Cheers,
Moritz
Bug#1013278: RM: nvtv -- RoQA; Dead upstream, RC buggy, unmaintained
Package: ftp.debian.org
Severity: normal

Please remove nvtv. The last maintainer upload happened a decade ago, it's dead upstream and RC-buggy.

Cheers,
Moritz
Bug#1013274: RM: w3-recs -- RoQA; Obsolete
Package: ftp.debian.org
Severity: normal

Please remove w3-recs. It contains an 11 year old summary of World Wide Web Consortium (W3C) recommendations, which are obsolete by now. And the package has been orphaned for six years.

Cheers,
Moritz
Bug#1013266: RM: golang-github-blevesearch-bleve -- RoQA; Obsolete, orphaned, outdated
Package: ftp.debian.org
Severity: normal

Please remove golang-github-blevesearch-bleve. The version in the archive is five years old and there are no reverse deps (it was added for Gitea, which is no longer shipped).

Cheers,
Moritz
Bug#1012513: apache2: CVE-2022-31813 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556
On Wed, Jun 08, 2022 at 07:51:28PM +0200, Yadd wrote:
> Hi,
>
> those CVEs are tagged low/moderate by upstream, why did you tag this bug as
> grave ?

Anything moderate or above should get fixed by the next Debian release, IOW RC severity.

Cheers,
Moritz
Bug#1012332: RM: pluxml -- RoQA; unmaintained, open security issues
Package: ftp.debian.org
Severity: normal

Please remove pluxml. The last upload was in 2018 and there are plenty of open/unfixed security vulnerabilities.

Cheers,
Moritz
Bug#1012138: CVE-2021-40426
Source: sox
Version: 14.4.2+git20190427-3
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team

https://talosintelligence.com/vulnerability_reports/TALOS-2021-1434

The report states that upstream was notified, but we need to figure out whether this was addressed by upstream already or not (and if so, in which commit).

Cheers,
Moritz
Bug#1011954: CVE-2022-1586 CVE-2022-1587
Source: pcre2
Version: 10.36-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team

CVE-2022-1587
https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0

CVE-2022-1586
https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a
https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc388f89095b184ba6d99422cfc676c

Cheers,
Moritz
Bug#1010671: libsdl2-ttf-dev: CVE-2022-27470 - Arbitrary memory overwrite loading glyphs and rendering text
On Mon, May 09, 2022 at 12:59:42PM +0100, Simon McVittie wrote:
> If I'm understanding the issue correctly, it's only a problem if a user
> of SDL_ttf is using an untrusted TTF font file, which is a relatively
> unusual thing to do: normally games either rely on system fonts, or bundle
> a font in the game data, both of which are trusted (if only because anyone
> in a position to insert a crafted font file could equally well insert
> malicious code).

Exactly that. We don't need a DSA here I think.

Cheers,
Moritz
Bug#1010626: RM: dpatch -- RoQA; obsolete
Package: ftp.debian.org
Severity: normal

Please remove dpatch. It has been obsoleted by source format 3.0/quilt.

Please force the removal; there are still 10 remaining build deps, but they are all dropped from testing, have RC bugs and are generally unmaintained (no maintainer uploads for at least 10 years, in some cases dating back to 2003...). If anyone cares, these are easy to fix; the rest will be removed if not fixed by the bookworm freeze.

Cheers,
Moritz
Bug#1010264: CVE-2022-28391
On Wed, Apr 27, 2022 at 11:29:00PM -0400, Theodore Ts'o wrote:
> Neither seems to be security related. Are you sure this was correctly
> filed against e2fsprogs?

Apologies, I reported multiple incoming new issues from the CVE feed and I must have mis-pasted the wrong Emacs buffer into the report.

The correct references are
https://bugzilla.redhat.com/show_bug.cgi?id=2069726
https://bugzilla.redhat.com/show_bug.cgi?id=2068113

And the proposed patch was already posted at:
https://lore.kernel.org/linux-ext4/20220421173148.20193-1-lczer...@redhat.com/T/#u

Cheers,
Moritz
Bug#1010265: CVE-2022-28805
Package: lua5.4
Version: 5.4.4-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team

This was assigned CVE-2022-28805:
https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa
http://lua-users.org/lists/lua-l/2022-02/msg1.html
http://lua-users.org/lists/lua-l/2022-02/msg00070.html

Can you please check whether this also affects the older Lua versions in the archive?

Cheers,
Moritz
Bug#1010264: CVE-2022-28391
Package: e2fsprogs
Version: 1.46.5-2
Severity: important

This issue was found by Alpine:
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661

Details and the patches they used are in the report above, but the patches are not yet merged upstream; might be worth waiting until that's fixed since the impact is rather low.

Cheers,
Moritz
Bug#1010263: CVE-2022-1304
Package: e2fsprogs
Version: 1.46.5-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team

This was assigned CVE-2022-1304, originally reported to Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=2069726
https://bugzilla.redhat.com/show_bug.cgi?id=2068113

Patch (not yet merged):
https://lore.kernel.org/linux-ext4/20220421173148.20193-1-lczer...@redhat.com/T/#u

Cheers,
Moritz
Bug#1009932: RM: gjots2 -- RoQA; Depends on Python 2, unmaintained
Package: ftp.debian.org
Severity: normal

Please remove gjots2. It still depends on Python 2 and has thus been removed from testing since 2019; the last maintainer upload dates back to 2018.

Cheers,
Moritz
Bug#1009929: RM: lxmms2 -- RoQA; Depends on xmms2, which is going away
Package: ftp.debian.org
Severity: normal

Please remove lxmms2. It's a wrapper around xmms2, which itself is dead upstream and incompatible with ffmpeg 5 and will be removed from bookworm (and eventually the archive).

Cheers,
Moritz
Bug#1009930: Drop Suggests on xmms2
Source: playerctl
Version: 2.4.1-1
Severity: normal

Hi,
please remove the Suggests: on xmms2. It will not be part of bookworm (#1005902) and eventually removed from the archive.

Cheers,
Moritz
Bug#1009335: RM: python-keepkey -- RoQA; Depends on Python 2
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: ri...@paraeasy.ch

Please remove python-keepkey. The version currently in the archive is very old and still depends on Python 2. Removal acked by the maintainer in #1009273.

Cheers,
Moritz
Bug#1009282: Should live-wrapper be removed?
Source: live-wrapper
Version: 0.10
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2 and thus removed from testing since 2019
- Depends on vmdebootstrap which was removed
- It's not included in Bullseye, but we did release live images so I guess live-wrapper got replaced by something else?

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal at some point.

Cheers,
Moritz
Bug#1009281: Should cinfony be removed?
Source: cinfony
Version: 1.2-4
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2 and thus removed from testing since 2019
- Dead upstream
- No reverse dependencies

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1009280: Should python-passfd be removed?
Source: python-passfd
Version: 0.2-3
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2 and thus removed from testing since 2020
- No reverse dependencies
- Last upload in 2016

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1009276: Should fsl be removed?
Source: fsl
Version: 5.0.8-6
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2 and thus removed from testing for two years
- Also FTBFSes with GCC 10
- Last upload in 2019

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1009273: Should python-keepkey be removed?
Source: python-keepkey
Version: 0.7.3-1
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2 and thus removed from testing since 2019
- Last upload back in 2016

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1009269: Should sphinx-patchqueue be removed?
Source: sphinx-patchqueue
Version: 0.5.0-2
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2 and thus removed from testing since 2019
- No remaining reverse dependencies
- Last upload in 2015

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008920: Versions table not rebuilt after latest Buster 10.2 point release
Package: tracker.debian.org
Severity: normal

The last point release for buster updated various packages. The packages updated as part of the release are showing up under "news", but the respective versions are not updated in the "versions" table on the left. And likewise for "versioned links".

Two examples:
cups 2.2.10-6+deb10u5: https://tracker.debian.org/pkg/cups
openssl 1.1.1n-0+deb10u1: https://tracker.debian.org/pkg/openssl

Cheers,
Moritz
Bug#1008792: Should vmtk be removed?
Source: vmtk
Version: 1.3+dfsg-2.3
Severity: serious

Your package came up as a candidate for removal from Debian:
- Depends on Python 2 and thus removed from testing since 2019 (current upstream 1.4 is fixed, though)
- Last maintainer upload in 2016

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008791: Should googlefontdirectory-tools be removed?
Source: googlefontdirectory-tools
Version: 20120309.1-1.1
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2 and thus removed from testing since 2019
- Last maintainer upload in 2015

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008704: Should astk be removed?
Source: astk
Version: 1.13.1-2.1
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2 and thus removed from testing since 2019
- Last maintainer upload in 2014

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008703: Should sortsmill-tools be removed?
Source: sortsmill-tools
Version: 0.4-2
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python and thus removed from testing since 2019
- Last upload in 2013

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008702: Should ketchup be removed?
Source: ketchup
Version: 1.0.1+git20111228+e1c62066-2
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2 and thus removed from testing since 2019
- Last upload in 2017
- Seems dead upstream (last commit from eight years ago)
- Per #946203 doesn't even support kernels using 5.x.x

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008701: Should broctl be removed?
Source: broctl
Version: 1.4-1
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still uses Python 2.7 and thus removed from testing since 2019
- Last upload in 2015

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008700: Should geda-gaf be removed?
Source: geda-gaf
Version: 1:1.8.2-11
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2 and thus removed from testing since 2019
- Also uses outdated Guile
- Last upload in 2018

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008500: Should undertaker be removed?
Source: undertaker
Version: 1.6.1-4.2
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2 and thus removed from testing since 2019
- Last maintainer upload in 2016

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008499: Should neard be removed?
Source: neard
Version: 0.16-0.1
Severity: serious

Your package came up as a candidate for removal from Debian:
- Last maintainer upload in 2013
- Depends on Python 2 and thus removed from testing since 2019

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008498: Should hgsubversion be removed?
Source: hgsubversion
Version: 1.9.3+git20190419+6a6ce-5
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still depends on Python 2 and removed from testing since 2020
- Dead upstream (no commits after 2019)

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008286: Should nglister be removed?
Source: nglister
Version: 1.0.2
Severity: serious

Your package came up as a candidate for removal from Debian:
- Last upload in 2016
- Removed from testing since 2019
- Multiple RC bugs

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008285: Should zorp be removed?
Source: zorp
Version: 7.0.1~alpha2-3
Severity: serious

Your package came up as a candidate for removal from Debian:
- Last upload in 2019, removed from testing since 2017
- Still depends on Python 2.7 and thus RC-buggy

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008273: Should python-nemu be removed?
Source: python-nemu
Version: 0.3.1-1
Severity: serious

Your package came up as a candidate for removal from Debian:
- Last upload in 2016 and dropped from testing in 2019
- Still uses Python 2.7 and not fixed upstream either

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008274: Should sandsifter be removed?
Source: sandsifter
Version: 1.04-1
Severity: serious

Your package came up as a candidate for removal from Debian:
- Still uses Python 2.7 and thus RC buggy
- Last upload in 2019 and not in testing since 2019

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008272: Should postnews be removed?
Source: postnews
Version: 0.7-1
Severity: serious

Your package came up as a candidate for removal from Debian:
- Removed from testing for ~ two years, no followup to RC bugs
- Also no changes upstream since 2017

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008271: Should arriero be removed?
Source: arriero
Version: 0.6-1
Severity: serious

Your package came up as a candidate for removal from Debian:
- Last upload in 2017
- Still uses Python 2.7 and thus RC buggy
- Missed the last two stable releases and removed from testing since 2018

If you disagree and want to continue to maintain this package, please just close this bug (and fix the open issues).

If you agree with the removal, please reassign to ftp.debian.org by sending the following commands to cont...@bugs.debian.org:
--
severity $BUGNUM normal
reassign $BUGNUM ftp.debian.org
retitle $BUGNUM RM: -- RoM;
thx
--

Otherwise I'll move forward and request its removal in a month.

Cheers,
Moritz
Bug#1008265: CVE-2018-25032: zlib memory corruption on deflate
Source: zlib
Version: 1:1.2.11.dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team

This was assigned CVE-2018-25032:
https://www.openwall.com/lists/oss-security/2022/03/24/1
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531

Cheers,
Moritz
Bug#1008264: Multiple security issues
Source: pluxml
Version: 5.6-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team

CVE-2022-25020:
https://github.com/MoritzHuppert/CVE-2022-25020/blob/main/CVE-2022-25020.pdf

CVE-2022-25018:
https://github.com/MoritzHuppert/CVE-2022-25018/blob/main/CVE-2022-25018.pdf

CVE-2022-24587:
https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24587/CVE-2022-24587.pdf

CVE-2022-24586:
https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24586/CVE-2022-24586.pdf

CVE-2022-24585:
https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24585/CVE-2022-24585.pdf

CVE-2021-38603:
http://packetstormsecurity.com/files/163823/PluXML-5.8.7-Cross-Site-Scripting.html
https://github.com/KielVaughn/CVE-2021-38603

CVE-2021-38602:
https://github.com/KielVaughn/CVE-2021-38602

Cheers,
Moritz
Bug#1008071: RM: xcal -- RoQA; unmaintained, RC-buggy
Package: ftp.debian.org
Severity: normal

Please remove xcal. It's dead upstream, unmaintained (last upload in 2008) and there are three RC bugs.

Cheers,
Moritz
Bug#1008070: RM: bopm -- RoQA; unmaintained, RC-buggy, alternatives exist
Package: ftp.debian.org
Severity: normal

Please remove bopm. It's unmaintained (last upload a decade ago), RC buggy, dead upstream and a maintained fork (hopm) is in the archive.

Cheers,
Moritz
Bug#1007931: buster-pu: package qemu/1:3.1+dfsg-8+deb10u9
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: m...@tls.msk.ru Various low severity qemu issues, but since quite a few of those have piled up, it makes sense to move to an update. Debdiff below. Cheers, Moritz diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog --- qemu-3.1+dfsg/debian/changelog 2020-07-24 14:00:34.0 +0200 +++ qemu-3.1+dfsg/debian/changelog 2022-02-15 18:53:24.0 +0100 @@ -1,3 +1,34 @@ +qemu (1:3.1+dfsg-8+deb10u9) buster; urgency=medium + + * CVE-2021-3930 + * CVE-2021-3748 (Closes: #993401) + * CVE-2021-3713 (Closes: #992727) + * CVE-2021-3682 (Closes: #991911) + * CVE-2021-3608 (Closes: #990563) + * CVE-2021-3607 (Closes: #990564) + * CVE-2021-3582 (Closes: #990565) + * CVE-2021-3527 (Closes: #988157) + * CVE-2021-3392 (Closes: #984449) + * CVE-2021-20257 (Closes: #984450) + * CVE-2021-20221 + * CVE-2021-20203 (Closes: #984452) + * CVE-2021-20196 (Closes: #984453) + * CVE-2021-20181 + * CVE-2020-35505 (Closes: #979679) + * CVE-2020-35504 (Closes: #979679) + * CVE-2020-27617 (Closes: #973324) + * CVE-2020-25723 (Closes: #975276) + * CVE-2020-25624 (Closes: #970541) + * CVE-2020-25625 (Closes: #970542) + * CVE-2020-25085 (Closes: #970540) + * CVE-2020-25084 (Closes: #970539) + * CVE-2020-15859 (Closes: #965978) + * CVE-2020-13253 (Closes: #961297) + * None of the slirp changes got backported to 3.1, if you use it you should +really upgrade to the version of qemu in bullseye + + -- Moritz Mühlenhoff Tue, 15 Feb 2022 18:53:24 +0100 + qemu (1:3.1+dfsg-8+deb10u8) buster-security; urgency=medium * mention fixing of CVE-2020-13765 in 3.1+dfsg-8+deb10u6 diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch --- qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch 1970-01-01 01:00:00.0 +0100 +++ qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch 2022-02-01 16:26:24.0 +0100 
@@ -0,0 +1,80 @@ +790762e54871143415bffcec4cb3c022c3cd / CVE-2020-13253 + +--- qemu-3.1+dfsg.orig/hw/sd/sd.c qemu-3.1+dfsg/hw/sd/sd.c +@@ -1149,12 +1149,14 @@ static sd_rsp_type_t sd_normal_command(S + case 17: /* CMD17: READ_SINGLE_BLOCK */ + switch (sd->state) { + case sd_transfer_state: ++if (addr + sd->blk_len > sd->size) { ++sd->card_status |= ADDRESS_ERROR; ++return sd_r1; ++} ++ + sd->state = sd_sendingdata_state; + sd->data_start = addr; + sd->data_offset = 0; +- +-if (sd->data_start + sd->blk_len > sd->size) +-sd->card_status |= ADDRESS_ERROR; + return sd_r1; + + default: +@@ -1165,12 +1167,14 @@ static sd_rsp_type_t sd_normal_command(S + case 18: /* CMD18: READ_MULTIPLE_BLOCK */ + switch (sd->state) { + case sd_transfer_state: ++if (addr + sd->blk_len > sd->size) { ++sd->card_status |= ADDRESS_ERROR; ++return sd_r1; ++} ++ + sd->state = sd_sendingdata_state; + sd->data_start = addr; + sd->data_offset = 0; +- +-if (sd->data_start + sd->blk_len > sd->size) +-sd->card_status |= ADDRESS_ERROR; + return sd_r1; + + default: +@@ -1210,13 +1214,17 @@ static sd_rsp_type_t sd_normal_command(S + /* Writing in SPI mode not implemented. */ + if (sd->spi) + break; ++ ++if (addr + sd->blk_len > sd->size) { ++sd->card_status |= ADDRESS_ERROR; ++return sd_r1; ++} ++ + sd->state = sd_receivingdata_state; + sd->data_start = addr; + sd->data_offset = 0; + sd->blk_written = 0; + +-if (sd->data_start + sd->blk_len > sd->size) +-sd->card_status |= ADDRESS_ERROR; + if (sd_wp_addr(sd, sd->data_start)) + sd->card_status |= WP_VIOLATION; + if (sd->csd[14] & 0x30) +@@ -1234,13 +1242,17 @@ static sd_rsp_type_t sd_normal_command(S + /* Writing in SPI mode not implemented. 
*/ + if (sd->spi) + break; ++ ++if (addr + sd->blk_len > sd->size) { ++sd->card_status |= ADDRESS_ERROR; ++return sd_r1; ++} ++ + sd->state = sd_receivingdata_state; + sd->data_start = addr; + sd->data_offset = 0; + sd->blk_written = 0; + +-if (sd->data_start + sd->blk_len > sd->size) +-sd->card_status |= ADDRESS_ERROR; + if (sd_wp_addr(sd, sd->data_start)) + sd->card_status |= WP_VIOLATION; + if (sd->csd[14] & 0x30) diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-15859.patch
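Review bot: three lines of the changelog hunk, CVE-2021-3930, CVE-2021-20221 and CVE-2021-20181, carry no "(Closes: #...)" while every other CVE line in the entry does; if Debian bugs exist for them, add the references so they get closed on upload, otherwise the entry is fine as it stands.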
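Review bot: CVE-2020-13253.patch carries no DEP-3 header, its first line being only a truncated commit id ("790762e54871143415bffcec4cb3c022c3cd / CVE-2020-13253"); add an `Origin:` line with the full upstream commit URL and `Bug-Debian: https://bugs.debian.org/961297` (the bug the changelog closes for this CVE) so the backport is traceable. The change itself is consistent across all four hunks (CMD17, CMD18 and the two write-command hunks): the `addr + sd->blk_len > sd->size` test now runs before the state transition and returns sd_r1 immediately, so a rejected command no longer leaves the card in sd_sendingdata_state or sd_receivingdata_state with an out-of-range data_start, which is what the old after-the-fact check allowed; worth confirming that no other command in sd_normal_command assigns sd->data_start from addr and still relies on the old pattern.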
Bug#1007920: buster-pu: package flac/1.3.3-2+deb11u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: fab...@debian.org Fixes a minor security issue, debdiff below (and was just uploaded). Tested with a few sample files. Cheers, Moritz diff -Nru flac-1.3.3/debian/changelog flac-1.3.3/debian/changelog --- flac-1.3.3/debian/changelog 2020-12-21 16:39:34.0 +0100 +++ flac-1.3.3/debian/changelog 2022-03-14 10:51:59.0 +0100 @@ -1,3 +1,9 @@ +flac (1.3.3-2+deb11u1) bullseye; urgency=medium + + * CVE-2021-0561 (Closes: #1006339) + + -- Moritz Mühlenhoff Mon, 14 Mar 2022 10:51:59 +0100 + flac (1.3.3-2) unstable; urgency=medium [ Debian Janitor ] diff -Nru flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch --- flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch 1970-01-01 01:00:00.0 +0100 +++ flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch 2022-03-14 10:50:51.0 +0100 
@@ -0,0 +1,30 @@ +From e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be Mon Sep 17 00:00:00 2001 +From: Neelkamal Semwal +Date: Fri, 18 Dec 2020 22:28:36 +0530 +Subject: [PATCH] libFlac: Exit at EOS in verify mode + +When verify mode is enabled, once decoder flags end of stream, +encode processing is considered complete. + +CVE-2021-0561 + +Signed-off-by: Ralph Giles +--- + src/libFLAC/stream_encoder.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c +index 4c91247fe8..7109802c27 100644 +--- a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c +@@ -2610,7 +2610,9 @@ FLAC__bool write_bitbuffer_(FLAC__StreamEncoder *encoder, uint32_t samples, FLAC + encoder->private_->verify.needs_magic_hack = true; + } + else { +- if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) { ++ if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder) ++ || (!is_last_block ++ && (FLAC__stream_encoder_get_verify_decoder_state(encoder) == FLAC__STREAM_DECODER_END_OF_STREAM))) { + FLAC__bitwriter_release_buffer(encoder->private_->frame); + FLAC__bitwriter_clear(encoder->private_->frame); + if(encoder->protected_->state != FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA) diff -Nru flac-1.3.3/debian/patches/series flac-1.3.3/debian/patches/series --- flac-1.3.3/debian/patches/series2020-12-21 16:38:15.0 +0100 +++ flac-1.3.3/debian/patches/series2022-03-14 10:51:25.0 +0100 @@ -2,3 +2,4 @@ privacy-breach-logo.patch 0001-remove-build-path-from-generated-FLAC.tag-file.patch 0020-libFLAC-bitreader.c-Fix-out-of-bounds-read.patch +0021-CVE-2021-0561.patch \ Kein Zeilenumbruch am Dateiende.
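Review bot: the changelog hunk targets bullseye with version 1.3.3-2+deb11u1, but the request is filed as buster-pu with "Tags: buster"; a buster update needs a +deb10u1 version and distribution "buster", so either the bug metadata (this reads like a bullseye-pu) or the changelog needs correcting before the release team processes it.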
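Review bot: the new condition in the stream_encoder.c hunk reads `is_last_block`, which the hunk shows only as the truncated third parameter of write_bitbuffer_ in the @@ context line ("... uint32_t samples, FLAC"); since 0021-CVE-2021-0561.patch comes from a later upstream tree, confirm that 1.3.3's write_bitbuffer_ has that parameter under the same name, otherwise the build fails. The logic is narrow and correct for the advisory: encoding now aborts when the verify decoder reports FLAC__STREAM_DECODER_END_OF_STREAM on a block that is not the last one, instead of continuing past the decoder's end of stream. A `Bug-Debian: https://bugs.debian.org/1006339` line in the patch header would match the Closes in the changelog.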
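Review bot: the series hunk adds `+0021-CVE-2021-0561.patch` without a terminating newline (the diff flags it with "\ Kein Zeilenumbruch am Dateiende."); quilt copes, but add the trailing newline so the next patch appended to series does not end up on the same line.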
Bug#1005981: Please migrate away from dpatch
On Fri, Feb 18, 2022 at 02:41:57PM -0800, Bill Poser wrote:
> I am the developer of redet. I don't understand this bug report. redet does
> not use anything called dpatch so far as I know. Is this something added in
> the Debianization of redet downstream from me?

Yes, exactly. It's a legacy mechanism in Debian to apply patches to an upstream codebase.

Cheers,
Moritz
Bug#1005988: Don't release with bookworm
Source: dpatch
Version: 2.0.41
Severity: serious

dpatch has been obsoleted by source format 3.0 (quilt); there are only 19 reverse dependencies in the archive (5 of them in testing), for which bugs have been filed.

Cheers,
Moritz
Bug#1005987: Please migrate away from dpatch
Source: mgetty
Version: 1.2.1-1.1
Severity: serious

dpatch is deprecated and will be removed before the bookworm release. Please migrate to source format 3.0 (quilt) instead.
Bug#1005985: Please migrate away from dpatch
Source: scim-skk
Version: 0.5.2-7.2
Severity: serious

dpatch is deprecated and will be removed before the bookworm release. Please migrate to source format 3.0 (quilt) instead.
Bug#1005986: Please migrate away from dpatch
Source: dvbsnoop
Version: 1.4.50-5
Severity: serious

dpatch is deprecated and will be removed before the bookworm release. Please migrate to source format 3.0 (quilt) instead.
Bug#1005984: Please migrate away from dpatch
Source: scim-canna
Version: 1.0.0-4.3
Severity: serious

dpatch is deprecated and will be removed before the bookworm release. Please migrate to source format 3.0 (quilt) instead.
Bug#1005983: Please migrate away from dpatch
Source: myspell
Version: 1:3.0+pre3.1-24.2
Severity: serious

dpatch is deprecated and will be removed before the bookworm release. Please migrate to source format 3.0 (quilt) instead.
Bug#1005982: Please migrate away from dpatch
Source: elscreen
Version: 1.4.6-5.3
Severity: serious

dpatch is deprecated and will be removed before the bookworm release. Please migrate to source format 3.0 (quilt) instead.
Bug#1005980: Please migrate away from dpatch
Source: syrep
Version: 0.9-4.3
Severity: serious

dpatch is deprecated and will be removed before the bookworm release. Please migrate to source format 3.0 (quilt) instead.
Bug#1005981: Please migrate away from dpatch
Source: redet
Version: 8.26-1.4
Severity: serious

dpatch is deprecated and will be removed before the bookworm release. Please migrate to source format 3.0 (quilt) instead.
Bug#1005979: Please migrate away from dpatch
Source: efax
Version: 1:0.9a-20
Severity: serious

dpatch is deprecated and will be removed before the bookworm release. Please migrate to source format 3.0 (quilt) instead.
Bug#1005978: Please migrate away from dpatch
Source: vdk2
Version: 2.4.0-5.5
Severity: serious

dpatch is deprecated and will be removed before the bookworm release. Please migrate to source format 3.0 (quilt) instead.
Bug#1004963: CVE-2020-21598 CVE-2020-21600 CVE-2020-21602
Source: libde265
Version: 1.0.8-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team

CVE-2020-21602:
https://github.com/strukturag/libde265/issues/242

CVE-2020-21600:
https://github.com/strukturag/libde265/issues/243

CVE-2020-21598:
https://github.com/strukturag/libde265/issues/237
Bug#1004933: RM: gif2apng -- RoQA; dead upstream, open security issues
Package: ftp.debian.org
Severity: normal

Please remove gif2apng, it's dead upstream and has open security issues.

Cheers,
Moritz
Bug#1004293: warn users that src:webkit2gtk and src:khtml are insecure?
On Tue, Jan 25, 2022 at 12:20:46AM +1100, Trent W. Buck wrote:
> Package: debian-security-support
> Version: 1:11+2021.03.19
> Severity: normal
> File: /usr/share/debian-security-support/security-support-limited
>
> As at Debian 11,
>
> * webkitgtk is in src:webkit2gtk, not src:webkit.
> * khtml is in src:khtml, not src:kde4libs.
>
> GNOME3 and KDE5 have been around for a while now.
> I think security-support-limited should be updated to reflect this.

webkit2gtk is fully supported since Buster and there have been plenty of security updates since then:
https://security-tracker.debian.org/tracker/source-package/webkit2gtk

khtml should in fact be added, since it's AFAICT used by Konqueror.

Cheers,
Moritz
Bug#1003662: Update homepage header
Source: libsixel
Version: 1.8.6-2
Severity: normal

It seems that since 1.10.3-1 the Debian package moved from https://github.com/saitoha/libsixel to https://github.com/libsixel/libsixel , right? If so please update the Homepage: entry in debian/control so the new site properly shows up in tracker.debian.org

Cheers,
Moritz
Bug#1003410: RM: flexbackup -- RoQA; unmaintained, dead upstream, RC-buggy
Package: ftp.debian.org
Severity: normal

Please remove flexbackup. It's dead upstream (last release from 2003), unmaintained (last maintainer upload in 2008, orphaned without an adopter since 2012) and currently RC-buggy. Plenty of alternatives exist.

Cheers,
Moritz
Bug#1003409: RM: xxgdb -- RoQA; dead upstream, unmaintained, alternatives exist
Package: ftp.debian.org
Severity: normal

Please remove xxgdb. It's dead upstream, unmaintained (last upload in 2010 and orphaned without an adopter since 2019) and alternatives like ddd exist.

Cheers,
Moritz
Bug#1003149: Still declares some Py2 build deps
Source: topydo
Version: 0.14-5
Severity: important

topydo uses Python 3, but there are still two Python 2 build deps: python-all and python-setuptools.

Cheers,
Moritz
Bug#995212: chromium: Update to version 94.0.4606.61 (security-fixes)
On Sat, Jan 01, 2022 at 01:23:09PM -0500, Andres Salomon wrote:
> How should I handle this? NMU to sid, let people try it out, and then
> deal with buster/bullseye?

Yeah, let's proceed with unstable first in any case.

> Upload everything all at once? I'm also
> going to try building for buster, unless the security team doesn't
> think I should bother.

I saw https://salsa.debian.org/dilinger/chromium/-/commit/5c05f430e192961527ec9a64bbaa64401dc14d95 , but buster now also includes LLVM/clang 11 (it was introduced to support a more recent Rust toolchain needed for Firefox), so you might be able to reduce complexity here further:
https://tracker.debian.org/pkg/llvm-toolchain-11

It's in buster-proposed-updates since there hasn't been a point release since, but for the purposes of buster-security builds, it doesn't matter (the chroots have been modified to include buster-proposed-updates temporarily).

I'd say if it works out without additional overhead, let's also update buster-security, but it's also important not to overstretch the time/resources, so focusing on bullseye and EOLing buster is also an option for sure.

Cheers,
Moritz
Bug#995212: chromium: Update to version 94.0.4606.61 (security-fixes)
On Sun, Jan 02, 2022 at 06:53:51PM +0100, Mattia Rizzolo wrote:
> Correlated, do you know how long they plan on keeping using python2?
> That's plainly unsuitable, it really is not going to last much longer in
> debian.

Current state of the Python 3 upstream migration can be found here:
https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/python3_migration.md

So it sounds like it's almost ready except tests. But the migration doesn't seem like a top priority either, https://bugs.chromium.org/p/chromium/issues/detail?id=941669 dates back to March 2019...

Cheers,
Moritz
Bug#995212: chromium: Update to version 94.0.4606.61 (security-fixes)
On Sun, Dec 12, 2021 at 08:11:00PM -0500, Andres Salomon wrote:
> On 12/5/21 6:41 AM, Moritz Mühlenhoff wrote:
> > On Sun, Dec 05, 2021 at 10:53:56AM +0100, Paul Gevers wrote:
> > Exactly that.
> >
> > I'd suggest anyone who's interested in seeing Chromium supported to first
> > update it in unstable (and then work towards updates in bullseye-security).
>
> I started doing just that: https://salsa.debian.org/dilinger/chromium (v96
> and misc-fixes branches).

As a side note: If any of the system/* patches cause issues, feel free to switch to the vendored copies. Vendoring in general is frowned upon since it requires that a fix in a library spreads out to all vendored copies, but for Chromium there's a steady stream of Chromium-internal security issues anyway, so for all practical purposes it doesn't make a difference if the Chromium security releases also include a fix for a vendored lib like ICU.

Cheers,
Moritz
Bug#1000906: RM: bareos -- RoQA; Really RC-buggy, unmaintained
Package: ftp.debian.org
Severity: normal

Please remove bareos. It has nine open RC bugs, the last maintainer upload was in Feb 2019 and there was no objection to my removal proposal at #995837 for two months.

Cheers,
Moritz
Bug#1000904: RM: pycalendar -- RoQA; Depends on Python 2, dead upstream, unmaintained
Package: ftp.debian.org
Severity: normal

Please remove pycalendar. It depends on Python 2, is dead upstream (upstream issue for Py3 support is open since 2017 without action), there are no reverse dependencies (just a Recommends: by caldav-tester, but it's been dropped from testing for a year for being RC-buggy as well) and the last maintainer upload was in 2017.

Cheers,
Moritz
Bug#1000902: RM: python-mode -- RoQA; orphaned, RC-buggy
Package: ftp.debian.org
Severity: normal

Please remove python-mode. It's RC-buggy (missed Bullseye, dropped from testing for > 15 months) and orphaned without an adopter since Sep 2020.

Cheers,
Moritz
Bug#1000479: buster-pu: package jtreg/5.1-b01-2~deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: ebo...@apache.org, d...@debian.org The build requirements for openjdk-11 were bumped, starting with 11.0.13 jtreg 5 (and along with it a jtharness 6) are required to run the test suite. Since we need to follow 11.0.x releases for security updates, this blocks an update of 11.0.13 for buster-security. Attached are debdiffs against the versions relative to what's in bullseye. Fortunately openjdk is the only reverse dep of jtreg/jtharness. That's not great, but still less worse than firefox/rust :-) Debdiff below. diff -Nru jtreg-5.1-b01/debian/changelog jtreg-5.1-b01/debian/changelog --- jtreg-5.1-b01/debian/changelog 2020-07-15 04:28:47.0 + +++ jtreg-5.1-b01/debian/changelog 2021-11-19 16:26:05.0 + @@ -1,3 +1,10 @@ +jtreg (5.1-b01-2~deb10u1) buster; urgency=medium + + * Rebuild for buster, needed for latest OpenJDK 11.x release +- Switch to debhelper 12 + + -- Moritz Muehlenhoff Fri, 19 Nov 2021 16:26:05 + + jtreg (5.1-b01-2) unstable; urgency=medium * Team upload. diff -Nru jtreg-5.1-b01/debian/compat jtreg-5.1-b01/debian/compat --- jtreg-5.1-b01/debian/compat 1970-01-01 00:00:00.0 + +++ jtreg-5.1-b01/debian/compat 2021-11-19 16:26:05.0 + @@ -0,0 +1 @@ +12 diff -Nru jtreg-5.1-b01/debian/control jtreg-5.1-b01/debian/control --- jtreg-5.1-b01/debian/control2020-07-15 04:28:47.0 + +++ jtreg-5.1-b01/debian/control2021-11-19 16:26:05.0 + @@ -5,7 +5,7 @@ Uploaders: Guillaume Mazoyer Build-Depends: ant, - debhelper-compat (= 13), + debhelper, default-jdk, help2man, javahelp2,
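Review bot: in the debian/control hunk the build-dependency drops from `debhelper-compat (= 13)` to a bare `debhelper` while debian/compat is introduced with 12; make it versioned, `debhelper (>= 12~)`, so the dependency states the compat level the package now relies on. The changelog hunk says only "Switch to debhelper 12"; adding the reason (presumably that compat 13 is not available in buster) helps the release team review the diff.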
Bug#1000480: buster-pu: package jtharness/6.0-b15-1~deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: ebo...@apache.org, d...@debian.org The build requirements for openjdk-11 were bumped, starting with 11.0.13 jtreg 5 (and along with it a jtharness 6) are required to run the test suite. Since we need to follow 11.0.x releases for security updates, this blocks an update of 11.0.13 for buster-security. Attached are debdiffs against the versions relative to what's in bullseye. Fortunately openjdk is the only reverse dep of jtreg/jtharness. That's not great, but still less worse than firefox/rust :-) Debdiff below. diff -Nru jtharness-6.0-b15/debian/changelog jtharness-6.0-b15/debian/changelog --- jtharness-6.0-b15/debian/changelog 2021-01-21 15:33:45.0 + +++ jtharness-6.0-b15/debian/changelog 2021-11-19 16:17:12.0 + @@ -1,3 +1,10 @@ +jtharness (6.0-b15-1~deb10u1) buster; urgency=medium + + * Rebuild for buster, needed for latest OpenJDK 11.x release +- Switch to debhelper 12 + + -- Moritz Muehlenhoff Fri, 19 Nov 2021 16:17:12 + + jtharness (6.0-b15-1) unstable; urgency=medium * Team upload. diff -Nru jtharness-6.0-b15/debian/compat jtharness-6.0-b15/debian/compat --- jtharness-6.0-b15/debian/compat 1970-01-01 00:00:00.0 + +++ jtharness-6.0-b15/debian/compat 2021-11-19 16:17:12.0 + @@ -0,0 +1 @@ +12 diff -Nru jtharness-6.0-b15/debian/control jtharness-6.0-b15/debian/control --- jtharness-6.0-b15/debian/control2021-01-21 15:18:46.0 + +++ jtharness-6.0-b15/debian/control2021-11-19 16:17:12.0 + @@ -5,7 +5,7 @@ Uploaders: Guillaume Mazoyer Build-Depends: ant, - debhelper-compat (= 13), + debhelper, default-jdk, javahelper, junit4,
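Review bot: as with the jtreg diff, the debian/control hunk replaces `debhelper-compat (= 13)` with an unversioned `debhelper` while debian/compat is added with 12; use `debhelper (>= 12~)` so the build-dependency matches the compat file, and state in the changelog why debhelper-compat had to go (presumably because compat 13 is not available in buster).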
Bug#998659: RM: residualvm -- ROM; Obsolete, merged into src:scummvm
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: only...@debian.org

Please remove residualvm. It got merged into ScummVM 2.5.0, which is now in unstable:
https://www.scummvm.org/news/20211009/

Removal also acked by Dmitry (CCed).

Cheers,
Moritz
Bug#998277: RM: opencaster -- RoQA; Depends on Python 2, dead upstream
Package: ftp.debian.org
Severity: normal

Please remove opencaster. It depends on Python 2 and is dead upstream. Removal was acked by Thorsten in #937194.

Cheers,
Moritz
Bug#998276: RM: libvirt-sandbox -- RoQA; Depends on Python 2, dead upstream
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: a...@sigxcpu.org

Please remove libvirt-sandbox. It depends on Python 2 and is dead upstream. Removal was acked by Guido.

Cheers,
Moritz
Bug#996650: RM: citadel -- RoQA; Orphaned, RC buggy
Package: ftp.debian.org
Severity: normal

Please remove citadel. It's been orphaned for over two years without an adopter and removed from testing for years since the current package is broken (939377). In addition there are open security issues.

Cheers,
Moritz
Bug#995845: RM: openopt -- RoQA; Depends on Python 2
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: deb...@onerussian.com

Please remove openopt. It depends on Python 2 and is dead upstream. Acked by the maintainer (CCed) in #937209.

Cheers,
Moritz