Bug#1081266: apache2: Reverse proxy via mod_rewrite broken after upgrade to 2.4.62-1~deb12u1
Package: apache2 Version: 2.4.62-1~deb12u1 Severity: important X-Debbugs-Cc: markus.wol...@computec.de, t...@security.debian.org Dear Maintainer, After upgrading apache2 packages, we noticed that our SEO rewriting rules in apache2 no longer worked and Tomcat tried to access non-existing file paths with URL encoded questionmarks. I have first noticed that is issue affects Debian 12, but I can confirm that it also affects Debian 11, so this happens in oldstable, apache2 2.4.62-1~deb11u1, too. To show the issue, you'll want to enable the following mods: a2enmod lbmethod_byrequests proxy proxy_ajp proxy_balancer slotmem_shm rewrite I have set up a balancer worker in mods-available/proxy_balancer.conf: BalancerMember ajp://localhost:8009 secret=youllneverknow I have narrowed the issue down to using a proxy RewriteRule inside a Directory block. So to reproduce, set up /etc/apache2/sites-available/000-default.conf like this: ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined DirectoryIndex index.html RewriteEngine On RewriteRule ^/?(.*?)$ balancer://tomcat/demo/index.jsp?rewrite=$1 [P,L,env=AJP_REDIRECT_REAL_URL:$1,QSA] To illustrate the issue, I have set up a simple /demo/ application in Tomcat 10, but the problem is caused by the Apache2 webserver, so this part is not relevant here. Before the upgrade, i.e. with apache <= 2.4.61-1~deb12u1, a request to http://127.0.0.1/foo/bar/?someparam will result in the following request being proxied to tomcat, as is expected: GET /demo/index.jsp?rewrite=foo/bar/&someparam After the upgrade to 2.4.62-1~deb12u1, the same requests gets mangled: GET /demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam You can see that the complete parameter string is added twice now, with the leading ? being escaped the first time around, which in turn causes the path to be completely messed up, so Tomcat won't be able to find the file and returns a 404 status. When turning on debug logging in apache2, one can see that the request path is still fine during mod_rewrite processing, it only gets broken during mod_proxy processing. The issue does not occur, when the RewriteRule is placed outside of the Directory block. Unfortunately, this is not a viable workaround for us, we really need to be able to use this inside and we need the full flexibility of mod_rewrite too, so we cannot implement the same thing using ProxyPass, either. For now, the only resolution is to downgrade the apache2 packages: apt -y --allow-downgrades install apache2=2.4.61-1~deb12u1 apache2-data=2.4.61-1~deb12u1 apache2-bin=2.4.61-1~deb12u1 apache2-utils=2.4.61-1~deb12u1 After the downgrade, the RewriteRule with the proxy directive is back to working as expected. As 2.4.62-1~deb12u1 contains security fixes, it feels like having to pin the previous apache2 version is not a good solution, but upgrading it is not possible until this is fixed. If I had to guess, this may be caused by the following change: mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets with BalancerMember(s). PR 69168. [Yann Ylavic] -- Package-specific info: -- System Information: Debian Release: 12.7 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 6.5.11-8-pve (SMP w/24 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) Versions of packages apache2 depends on: ii apache2-bin2.4.62-1~deb12u1 ii apache2-data 2.4.62-1~deb12u1 ii apache2-utils 2.4.62-1~deb12u1 ii init-system-helpers1.65.2 ii media-types10.0.0 ii perl 5.36.0-7+deb12u1 ii procps 2:4.0.2-3 ii sysvinit-utils [lsb-base] 3.06-4 Versions of packages apache2 recommends: ii ssl-cert 1.1.2 Versions of packages apache2 suggests: pn apache2-doc pn apache2-suexec-pristine | apache2-suexec-custom pn www-browser Versions of packages apache2-bin depends on: ii libapr1 1.7.2-3 ii libaprutil1 1.6.3-1 ii libaprutil1-dbd-sqlite3 1.6.3-1 ii libaprutil1-ldap 1.6.3-1 ii libbrotli1 1.0.9-2+b6 ii libc62.36-9+deb12u8 ii libcrypt11:4.4.33-2 ii libcurl4 7.88.1-10+deb12u7 ii libjansson4 2.14-2 ii libldap-2.5-0
Bug#1079799: valgrind-mpi: symbol lookup error: libmpiwrap-amd64-linux.so: undefined symbol: ompi_mpi_character
Package: valgrind-mpi Version: 1:3.19.0-1 Severity: important Dear Maintainer, I am trying to debug memory problems in parallel programs started with mpirun. When doing this with the command from the openmpi documentation I get: $ LD_PRELOAD=/usr/lib/x86_64-linux-gnu/valgrind/libmpiwrap-amd64-linux.so mpirun -np 4 echo "hello" mpirun: symbol lookup error: /usr/lib/x86_64-linux-gnu/valgrind/libmpiwrap- amd64-linux.so: undefined symbol: ompi_mpi_character $ I would have expected this to run the program in parallel under valgrind. It did that on oldstable. The problem is there in both Debian stable and testsing. Kind regards, Markus -- System Information: Debian Release: 12.6 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-23-amd64 (SMP w/64 CPU threads; PREEMPT) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages valgrind-mpi depends on: ii libc6 2.36-9+deb12u7 ii valgrind 1:3.19.0-1 Versions of packages valgrind-mpi recommends: ii gdb 13.1-3 valgrind-mpi suggests no packages. -- no debconf information
Bug#1078769: libwebkit2gtk-4.1-0: libwebkit2gtk does not render or is unresponsive if run in VMware guest with 3D acceleration enabled
Package: libwebkit2gtk-4.1-0 Version: 2.44.2-1~deb12u1 Severity: important I have 2 programs installed which use this webkit rendering library: "yelp" and "surf". yelp does not render anything. surf renders a website to some degree but usually there is no way to enter any input. If you instruct surf to render "duckduckgo.com", you cannot enter anything into the search bar. This problem happens only when run in an installation which is a VMware guest. VMware version is current (17.5.0), running in a Windows 10 host. All VMware drivers and utilities inside the Linux VM have been installed from the offical Debian repo. The problem definitely has something to do with 3D acceleration because if I turn that off in VMware, libwebkit2gtk works just fine inside the Linux VM. -- System Information: Debian Release: 12.6 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-23-amd64 (SMP w/10 CPU threads; PREEMPT) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) Versions of packages libwebkit2gtk-4.1-0 depends on: ii bubblewrap 0.8.0-2 ii gstreamer1.0-plugins-base 1.22.0-3+deb12u2 ii gstreamer1.0-plugins-good 1.22.0-5+deb12u1 ii libatk1.0-0 2.46.0-5 ii libavif15 0.11.1-1 ii libc6 2.36-9+deb12u7 ii libcairo2 1.16.0-7 ii libdrm2 2.4.114-1+b1 ii libenchant-2-2 2.3.3-2 ii libepoxy0 1.5.10-1 ii libfontconfig1 2.14.1-4 ii libfreetype62.12.1+dfsg-5+deb12u3 ii libgbm1 22.3.6-1+deb12u1 ii libgcc-s1 12.2.0-14 ii libgcrypt20 1.10.1-3 ii libgdk-pixbuf-2.0-0 2.42.10+dfsg-1+deb12u1 ii libgles21.6.0-1 ii libglib2.0-02.74.6-2+deb12u3 ii libgstreamer-gl1.0-01.22.0-3+deb12u2 ii libgstreamer-plugins-bad1.0-0 1.22.0-4+deb12u5 ii libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 ii libgstreamer1.0-0 1.22.0-2 ii libgtk-3-0 3.24.38-2~deb12u1 ii libharfbuzz-icu06.0.0+dfsg-3 ii libharfbuzz0b 6.0.0+dfsg-3 ii libhyphen0 2.8.8-7 ii libicu7272.1-3 ii libjavascriptcoregtk-4.1-0 2.44.2-1~deb12u1 ii libjpeg62-turbo 1:2.1.5-2 ii liblcms2-2 2.14-2 ii libmanette-0.2-00.2.6-3+b1 ii libpango-1.0-0 1.50.12+ds-1 ii libpng16-16 1.6.39-2 ii libseccomp2 2.5.4-1+deb12u1 ii libsecret-1-0 0.20.5-3 ii libsoup-3.0-0 3.2.2-2 ii libsqlite3-03.40.1-2 ii libstdc++6 12.2.0-14 ii libsystemd0 252.26-1~deb12u2 ii libtasn1-6 4.19.0-2 ii libwayland-client0 1.21.0-1 ii libwayland-server0 1.21.0-1 ii libwebp71.2.4-0.2+deb12u1 ii libwebpdemux2 1.2.4-0.2+deb12u1 ii libwoff11.0.2-2 ii libx11-62:1.8.4-2+deb12u2 ii libxml2 2.9.14+dfsg-1.3~deb12u1 ii libxslt1.1 1.1.35-1 ii xdg-dbus-proxy 0.1.4-3 ii zlib1g 1:1.2.13.dfsg-1 Versions of packages libwebkit2gtk-4.1-0 recommends: ii gstreamer1.0-gl 1.22.0-3+deb12u2 ii gstreamer1.0-libav1.22.0-2 ii gstreamer1.0-plugins-bad 1.22.0-4+deb12u5 ii libgl1-mesa-dri 22.3.6-1+deb12u1 ii xdg-desktop-portal-gtk1.14.1-1 Versions of packages libwebkit2gtk-4.1-0 suggests: pn gstreamer1.0-alsa -- no debconf information
Bug#1074958: finalcut: ftbfs with GCC-14
You need to upgrade to FINAL CUT version 0.9.1: https://github.com/gansm/finalcut/releases/tag/0.9.1 On Wed, 03 Jul 2024 12:26:34 + Matthias Klose wrote: > Package: src:finalcut > Version: 0.9.0-2 > Severity: important > Tags: sid trixie > User: debian-...@lists.debian.org > Usertags: ftbfs-gcc-14 > > [This bug is targeted to the upcoming trixie release] > > Please keep this issue open in the bug tracker for the package it > was filed for. If a fix in another package is required, please > file a bug for the other package (or clone), and add a block in this > package. Please keep the issue open until the package can be built in > a follow-up test rebuild. > > The package fails to build in a test rebuild on at least amd64 with > gcc-14/g++-14, but succeeds to build with gcc-13/g++-13. The > severity of this report will be raised before the trixie release. > > The full build log can be found at: > http://qa-logs.debian.net/2024/07/01/finalcut_0.9.0-2_unstable_gccexp.log > The last lines of the build log are at the end of this report. > > To build with GCC 14, either set CC=gcc-14 CXX=g++-14 explicitly, > or install the gcc, g++, gfortran, ... packages from experimental. > > apt-get -t=experimental install g++ > > Common build failures are new warnings resulting in build failures with > -Werror turned on, or new/dropped symbols in Debian symbols files. > For other C/C++ related build failures see the porting guide at > http://gcc.gnu.org/gcc-14/porting_to.html > > [...] > libtool: compile: g++ -std=c++14 -DHAVE_CONFIG_H -I. -I.. -I../final -Wall -Werror -DCOMPILE_FINAL_CUT -std=c++14 -Wdate-time - D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/<>=. -fstack- protector-strong -fstack-clash-protection -Wformat -Werror=format- security -fcf-protection -c output/tty/ftermcap.cpp -fPIC -DPIC -o output/tty/.libs/ftermcap.o > libtool: compile: g++ -std=c++14 -DHAVE_CONFIG_H -I. -I.. -I../final -Wall -Werror -DCOMPILE_FINAL_CUT -std=c++14 -Wdate-time - D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/<>=. -fstack- protector-strong -fstack-clash-protection -Wformat -Werror=format- security -fcf-protection -c output/tty/ftermcapquirks.cpp -fPIC -DPIC -o output/tty/.libs/ftermcapquirks.o > libtool: compile: g++ -std=c++14 -DHAVE_CONFIG_H -I. -I.. -I../final -Wall -Werror -DCOMPILE_FINAL_CUT -std=c++14 -Wdate-time - D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/<>=. -fstack- protector-strong -fstack-clash-protection -Wformat -Werror=format- security -fcf-protection -c output/tty/fterm.cpp -fPIC -DPIC -o output/tty/.libs/fterm.o > /bin/bash ../libtool --tag=CXX --mode=compile g++ -std=c++14 - DHAVE_CONFIG_H -I. -I.. -I../final -Wall -Werror -DCOMPILE_FINAL_CUT - std=c++14 -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix- map=/<>=. -fstack-protector-strong -fstack-clash- protection -Wformat -Werror=format-security -fcf-protection -c -o output/tty/ftermdebugdata.lo output/tty/ftermdebugdata.cpp > libtool: compile: g++ -std=c++14 -DHAVE_CONFIG_H -I. -I.. -I../final -Wall -Werror -DCOMPILE_FINAL_CUT -std=c++14 -Wdate-time - D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/<>=. -fstack- protector-strong -fstack-clash-protection -Wformat -Werror=format- security -fcf-protection -c output/tty/ftermdebugdata.cpp -fPIC -DPIC -o output/tty/.libs/ftermdebugdata.o > /bin/bash ../libtool --tag=CXX --mode=compile g++ -std=c++14 - DHAVE_CONFIG_H -I. -I.. -I../final -Wall -Werror -DCOMPILE_FINAL_CUT - std=c++14 -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix- map=/<>=. -fstack-protector-strong -fstack-clash- protection -Wformat -Werror=format-security -fcf-protection -c -o output/tty/ftermdetection.lo output/tty/ftermdetection.cpp > libtool: compile: g++ -std=c++14 -DHAVE_CONFIG_H -I. -I.. -I../final -Wall -Werror -DCOMPILE_FINAL_CUT -std=c++14 -Wdate-time - D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/<>=. -fstack- protector-strong -fstack-clash-protection -Wformat -Werror=format- security -fcf-protection -c output/tty/ftermdetection.cpp -fPIC -DPIC -o output/tty/.libs/ftermdetection.o > /bin/bash ../libtool --tag=CXX --mode=compile g++ -std=c++14 - DHAVE_CONFIG_H -I. -I.. -I../final -Wall -Werror -DCOMPILE_FINAL_CUT - std=c++14 -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix- map=/<>=. -fstack-protector-strong -fstack-clash- protection -Wformat -Werror=format-security -fcf-protection -c -o output/tty/ftermfreebsd.lo output/tty/ftermfreebsd.cpp > libtool: compile: g++ -std=c++14 -DHAVE_CONFIG_H -I. -I.. -I../final -Wall -Werror -DCOMPILE_FINAL_CUT -std=c++14 -Wdate-time - D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/<>=. -fstack- protector-strong -fstack-clash-protection -Wformat -Werror=format- security -fcf-protection -c output/tty/ftermcapquirks.cpp -o output/tty/ftermcapquirks.o >/dev/null 2>&1 > libtool: compile: g++ -std=c++14 -DHAVE_CONFIG_H -I. -I.. -I../final -Wall -Werror -DCOMPILE_FINAL_CUT -std=c++14 -Wdate-time - D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/<>=. -fstack- pro
Bug#1076953: /usr/sbin/hylafax_wrapper: /usr/sbin/hylafax_wrapper breaks BindPaths= in hfaxd.service and faxq.service
Package: hylafax-server Version: 3:6.0.7-5 Severity: important File: /usr/sbin/hylafax_wrapper Dear Maintainer, the script hylafax_wrapper is used in cron.weekly/hylafax to wrap calls to (among others) faxcron. When triggered, it will globally do a bind mount / unmount on /var/spool/hylafax/etc, thus breaking the local bind mounts in hfaxd.service / faxq.service using systemd's BindPaths=/etc/hylafax:/var/spool/hylafax/etc option. Outcome: After the weekly cron run, /var/spool/hylafax/etc appears empty for faxq and hfaxd started using systemd. -- System Information: Debian Release: 12.6 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-21-amd64 (SMP w/2 CPU threads; PREEMPT) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages hylafax-server depends on: ii adduser 3.134 ii bsd-mailx [mailx] 8.1.2-0.20220412cvs-1 ii debconf [debconf-2.0] 1.5.82 ii ghostscript 10.0.0~dfsg-11+deb12u4 ii hylafax-client 3:6.0.7-5 ii init-system-helpers 1.65.2 ii libc6 2.36-9+deb12u7 ii libcrypt1 1:4.4.33-2 ii libgcc-s1 12.2.0-14 ii libjbig02.1-6.1 ii libpam0g1.5.2-6+deb12u1 ii libstdc++6 12.2.0-14 ii libtiff-tools 4.5.0-6+deb12u1 ii libtiff64.5.0-6+deb12u1 ii postfix [mail-transport-agent] 3.7.11-0+deb12u1 ii psmisc 23.6-1 ii sed 4.9-1 ii systemd 252.26-1~deb12u2 ii sysvinit-utils [lsb-base] 3.06-4 ii zlib1g 1:1.2.13.dfsg-1 hylafax-server recommends no packages. Versions of packages hylafax-server suggests: pn mgetty pn psrip -- Configuration Files: /etc/hylafax/config changed [not included] /etc/hylafax/hfaxd.conf changed [not included] /etc/hylafax/hosts.hfaxd [Errno 13] Permission denied: '/etc/hylafax/hosts.hfaxd' -- debconf information excluded Thank you for using reportbug
Bug#1076618: ifupdown: reportbug template should not include network/interfaces
Package: ifupdown Version: 0.8.41 Severity: normal Dear Maintainer, When reporting a bug in ifupdown, a copy of /etc/network/interfaces is included. While I realise that that may frequently be relevant information, that should at least not happen silently and automatically, as interfaces may contain all kinds of sensitive information (in particular all sorts of wifi secrets, which in the case of WPA-EAP often work in other places, too). Thanks! -- Package-specific info: --- /etc/network/interfaces: (embargoed) --- up and down scripts installed: /etc/network/if-down.d: total 24 -rwxr-xr-x 1 root root 281 Mar 4 2023 _psi_warmal -rwxr-xr-x 1 root root 62 Mar 25 2015 ifstats lrwxrwxrwx 1 root root 17 Mar 12 2023 jabber -> ../scripts/jabber -rwxr-xr-x 1 root root 119 Aug 29 2023 monitor -rwxr-xr-x 1 root root 372 Feb 24 2021 openvpn -rwxr-xr-x 1 root root 323 Jan 5 2022 resolvconf -rwxr-xr-x 1 root root 759 Dec 9 2022 resolved lrwxrwxrwx 1 root root 32 May 1 00:45 wpasupplicant -> ../../wpa_supplicant/ifupdown.sh /etc/network/if-post-down.d: total 8 -rwxr-xr-x 1 root root 61 Oct 23 2018 block-wifi lrwxrwxrwx 1 root root 25 May 1 00:45 hostapd -> ../../hostapd/ifupdown.sh -rwxr-xr-x 1 root root 1409 Mar 24 2016 wireless-tools lrwxrwxrwx 1 root root 32 May 1 00:45 wpasupplicant -> ../../wpa_supplicant/ifupdown.sh /etc/network/if-pre-up.d: total 16 -rwxr-xr-x 1 root root 344 Aug 11 2010 ethtool lrwxrwxrwx 1 root root 25 May 1 00:45 hostapd -> ../../hostapd/ifupdown.sh -rwxr-xr-x 1 root root 62 Oct 23 2018 unblock-wifi -rwxr-xr-x 1 root root 4191 Sep 15 2018 wireless-tools lrwxrwxrwx 1 root root 32 May 1 00:45 wpasupplicant -> ../../wpa_supplicant/ifupdown.sh /etc/network/if-up.d: total 56 -rwxr-xr-x 1 root root 965 Jan 5 2022 000resolvconf -rw-r--r-- 1 root root 332 Mar 4 2023 _psi_warmal -rw-r--r-- 1 root root 109 Feb 15 2020 _z_check_gvo_dc -rwxr-xr-x 1 root root 1685 Sep 22 2014 ethtool -rwxr-xr-x 1 root root 99 Jul 27 2018 ifstats lrwxrwxrwx 1 root root 17 Mar 12 2023 jabber -> ../scripts/jabber -rwxr-xr-x 1 root root 264 Nov 28 2014 ledblink -rwxr-xr-x 1 root root 537 Aug 22 2023 monitor -rwxr-xr-x 1 root root 4938 Feb 20 2021 mountnfs -rwxr-xr-x 1 root root 415 Oct 3 2019 ntpdate -rwxr-xr-x 1 root root 1048 Jan 17 2023 ntpsec-ntpdate -rwxr-xr-x 1 root root 385 Feb 24 2021 openvpn -rwxr-xr-x 1 root root 4663 Dec 9 2022 resolved lrwxrwxrwx 1 root root 32 May 1 00:45 wpasupplicant -> ../../wpa_supplicant/ifupdown.sh -- System Information: Debian Release: 12.6 APT prefers stable-security APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates'), (500, 'stable') Architecture: i386 (x86_64) Kernel: Linux 6.6.8-g47cb3fd3419e (SMP w/4 CPU threads) Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: sysvinit (via /sbin/init) Versions of packages ifupdown depends on: ii adduser 3.134 ii iproute2 6.1.0-3 ii libc6 2.36-9+deb12u7 Versions of packages ifupdown recommends: ii isc-dhcp-client [dhcp-client] 4.4.3-P1-2 Versions of packages ifupdown suggests: ii ppp 2.4.9-1+1.1+b1 pn rdnssd -- debconf information: ifupdown/convert-interfaces: true
Bug#1076371: libopenmpi3t64: linked library libpmix.so.2 not found
Package: libopenmpi3t64 Version: 4.1.6-13.3 Severity: normal Dear Maintainer, when I run autopkg tests for my package (opm-simulators) in sid then I get the following error for tests run with mpirun: [frau-mahlzahn:35821] mca_base_component_repository_open: unable to open mca_pmix_ext3x: libpmix.so.2: cannot open shared object file: No such file or directory (ignored) [frau-mahlzahn:35821] [[56274,0],0] ORTE_ERROR_LOG: Not found in file ../../../../../../orte/mca/ess/hnp/ess_hnp_module.c at line 320 -- It looks like orte_init failed for some reason; your parallel process is likely to abort. There are many reasons that a parallel process can fail during orte_init; some of which are due to configuration or environment problems. This failure appears to be an internal failure; here's some additional information (which may only be relevant to an Open MPI developer): opal_pmix_base_select failed --> Returned value Not found (-13) instead of ORTE_SUCCESS -- the library is linked to by /usr/lib/x86_64-linux- gnu/openmpi/lib/openmpi3/mca_pmix_ext3x.so but somehow marked as not found. It is on the system though. root@frau-mahlzahn:/# ldd /usr/lib/x86_64-linux- gnu/openmpi/lib/openmpi3/mca_pmix_ext3x.so | grep pmix libpmix.so.2 => not found root@frau-mahlzahn:/# find /usr/lib/x86_64-linux-gnu -name libpmix.so.2 /usr/lib/x86_64-linux-gnu/pmix2/lib/libpmix.so.2 root@frau-mahlzahn:/# dpkg -S /usr/lib/x86_64-linux-gnu/pmix2/lib/libpmix.so.2 libpmix2t64:amd64: /usr/lib/x86_64-linux-gnu/pmix2/lib/libpmix.so.2 root@frau-mahlzahn:/# The error can be easily replicated with: echo '#!/bin/bash' > test.sh echo 'echo hello' >> test.sh mpirun test.sh This is also causing CI regressions for opm-common on riscv64, see e.g. [1]. Best regards, Markus [1] https://ci.debian.net/packages/o/opm-models/testing/riscv64/48956914/ -- System Information: Debian Release: 12.6 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-21-amd64 (SMP w/64 CPU threads; PREEMPT) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
Bug#1074369: luakit: please use sensible-utils
On Thu, Jun 27, 2024 at 10:56:18AM +, Bastien Roucariès wrote: > Could you please merge > https://salsa.debian.org/debian/luakit/-/merge_requests/3 Thanks for the patch. That totally makes sense. I've merged the MR just now. -- Markus
Bug#1053285: AttributeError: 'PlatformioCLI' object has no attribute 'resultcallback'
On Sat, 30 Sep 2023 20:58:29 +0200 Gregor Riepl wrote: Package: platformio Version: 4.3.4-3 Severity: grave Justification: renders package unusable Forwarded: https://github.com/platformio/platformio-core/issues/4075 X-Debbugs-Cc: onit...@gmail.com The current version of PlatformIO in Debian no longer works with python3-click due to the following incompatibility: AttributeError: 'PlatformioCLI' object has no attribute 'resultcallback'. Did you mean: 'result_callback'? This issue has been fixed in PlatformIO 5.2.1. Preferably, update to the latest upstream version (6.1.11 currently). Pretty, pretty please fix this bug. Or remove the package if it's unmaintained... cu -- Markus
Bug#1070300: pmix_psquash_base_select failed during MPI_INIT on 32bit architectures
Hi, the problem already appears in OpenMPI's own autopkgtests, see [1] Best, Markus [1] https://ci.debian.net/packages/o/openmpi/unstable/i386/46207866/
Bug#1070300: pmix_psquash_base_select failed during MPI_INIT on 32bit architectures
Source: openmpi Version: 4.1.6-13 Severity: serious Justification: unkown Control: affects -1 src:dune-grid Dear Maintainer, I just uploaded a new version of package dune-grid and noticed that none of our parallel tests start successfully on 32bit architectures. 2/66 Test #2: scsgmappertest ***Failed0.15 sec -- It looks like pmix_init failed for some reason; your parallel process is likely to abort. There are many reasons that a parallel process can fail during pmix_init; some of which are due to configuration or environment problems. This failure appears to be an internal failure; here's some additional information (which may only be relevant to an PMIX developer): pmix_psquash_base_select failed --> Returned value -46 instead of PMIX_SUCCESS -- [arm-ubc-05:12560] PMIX ERROR: NOT-FOUND in file ../../../../../../../../opal/mca/pmix/pmix3x/pmix/src/server/pmix_server.c at line 237 [arm-ubc-05:12559] [[INVALID],INVALID] ORTE_ERROR_LOG: Unable to start a daemon on the local node in file ../../../../../../orte/mca/ess/singleton/ess_singleton_module.c at line 716 [arm-ubc-05:12559] [[INVALID],INVALID] ORTE_ERROR_LOG: Unable to start a daemon on the local node in file ../../../../../../orte/mca/ess/singleton/ess_singleton_module.c at line 172 -- It looks like orte_init failed for some reason; your parallel process is likely to abort. There are many reasons that a parallel process can fail during orte_init; some of which are due to configuration or environment problems. This failure appears to be an internal failure; here's some additional information (which may only be relevant to an Open MPI developer): orte_ess_init failed --> Returned value Unable to start a daemon on the local node (-127) instead of ORTE_SUCCESS -- -- It looks like MPI_INIT failed for some reason; your parallel process is likely to abort. There are many reasons that a parallel process can fail during MPI_INIT; some of which are due to configuration or environment problems. This failure appears to be an internal failure; here's some additional information (which may only be relevant to an Open MPI developer): ompi_mpi_init: ompi_rte_init failed --> Returned "Unable to start a daemon on the local node" (-127) instead of "Success" (0) -- *** An error occurred in MPI_Init *** on a NULL communicator *** MPI_ERRORS_ARE_FATAL (processes in this communicator will now abort, ***and potentially your MPI job) [arm-ubc-05:12559] Local abort before MPI_INIT completed completed successfully, but am not able to aggregate error messages, and not able to guarantee that all other processes were killed! See [1] for a complete build where the tests using mpirun fail in this way. This happens on these architectures: armel, armhf, i386, hppa Best, Markus [1] https://buildd.debian.org/status/fetch.php?pkg=dune- grid&arch=armel&ver=2.9.0-4&stamp=1714724856&raw=0 -- System Information: Debian Release: 12.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-20-amd64 (SMP w/64 CPU threads; PREEMPT) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages openmpi-bin depends on: ii libc62.36-9+deb12u6 ii libevent-core-2.1-7 2.1.12-stable-8 ii libopenmpi3 4.1.4-3+b1 ii openmpi-common 4.1.4-3 ii openssh-client [ssh-client] 1:9.2p1-2+deb12u2 openmpi-bin recommends no packages. Versions of packages openmpi-bin suggests: ii gfortran [fortran-compiler] 4:12.2.0-3 -- no debconf information
Bug#1070296: compile freerdp2 with WITH_GSSAPI
Package: libfreerdp2-2 Version: 2.10.0+dfsg1-1 Remmina and other RDP clients are unable to connect to Windows RDP servers when the user is member of the group "Protected Users". The group "Protected Users" forces the user account to use Kerberos authentication and is recommended to prevent Kerberos Tickets and password hashes to be cached on the server. Typically these tickets and hashes are used for lateral movement after a breach. libfreerdp2-2 needs to be compiled with "WITH_GSSAPI=on" to be able to connect with user accounts protected in such a way. Kind Regads, Markus Wigge
Bug#1069967: fai-client: install_packages E: Unable to locate package ...
Package: fai-client Severity: wishlist Dear Maintainer, When a non-existing package is in the list of packages passed to install_packages apt-get responds with the following error message. E: Unable to locate package ... This in turn fails the installation of all the packages in the list. I know this is the default behavior of apt-get but I would like to request an option for install_packages to ignore non-existing packages and retry the installation again with the same list but without the non-existing package(s). If such an option won't be implemented then an option to isolate a list of packages to be installed could also work. Then a user could define a list of packages that they would be ok with not being installed due to reasons such as them being non-existing. -- Markus
Bug#1069492: Seems to be an OpenMPI problem
Hi, the problem occurs during startup of OpenMPI when running mpirun. I see similar problems for other packages during the same rebuild. Hence I don't think this is related to us but rather to OpenMPI. Best, Markus
Bug#1069581: pymongo: CVE-2024-21506 out-of-bound read
Package: pymongo X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for pymongo. CVE-2024-21506[0]: | Versions of the package pymongo before 4.6.3 are vulnerable to Out- | of-bounds Read in the bson module. Using the crafted payload the | attacker could force the parser to deserialize unmanaged memory. The | parser tries to interpret bytes next to buffer and throws an | exception with string. If the following bytes are not printable | UTF-8 the parser throws an exception with a single byte. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-21506 https://www.cve.org/CVERecord?id=CVE-2024-21506 Please adjust the affected versions in the BTS as needed. Regards, Markus signature.asc Description: This is a digitally signed message part
Bug#1064762: Upstream has an incoming fix
Hi, seems like upstream already has a proposed fix, see [1] Best, Markus [1] https://gitlab.kitware.com/vtk/vtk/-/issues/19258#note_1510307
Bug#1065270: Unable to open VTK file with appended data that were fine with previous versions (invalid token in vtkXMLDataParser)
Hi, Note that this is kind of a duplicate of [0]. I have marked [0] as blocking this one. Some further information: I tried to follow this up a bit. Looking at the upstream expat bugs [1] [2] it might very well be that vtk9 was relying in internals of expat's xml processing and their assumptions broke when moving to 2.6.0. Hence this probably is an incompatibility on vtk9's side rather than a bug in expat. At least upstream thinks that way in in [1] and closed the bug. The stalled discussion about this in VTK9 can be found in [3]. Should we reassing this to vtk9? Best, Markus [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064762 [1] https://github.com/libexpat/libexpat/issues/857 [2] https://github.com/libexpat/libexpat/issues/840 [3] https://gitlab.kitware.com/vtk/vtk/-/issues/19258
Bug#1064762: Might be an incompatibility of vtk9 with expat/2.6.0
Hi. I tried to follow this up a bit. Looking at the upstream expat bugs [1] [2] it might very well be that vtk9 was relying in internals of expat's xml processing and their assumptions broke when moving to 2.6.0. Hence this probably is an incompatibility on vtk9's side rather than a bug in expat. At least upstream thinks that way in in [1] and closed the bug. The stalled discussion about this in VTK9 can be found in [3]. Should we reassing this to vtk9? Best, Markus [1] https://github.com/libexpat/libexpat/issues/857 [2] https://github.com/libexpat/libexpat/issues/840 [3] https://gitlab.kitware.com/vtk/vtk/-/issues/19258
Bug#1034420: grub-efi-amd64: Package update fails with error: installation script subprocess returned error exit status 128
Hi, I am running into the same problem. One of my machines fails the install with: installed grub-efi-amd64 package post-installation script subprocess returned error exit status 128 here the full log with -x in and DEBCONF_DEBUG=developer # dpkg --configure -a --debug=77 D01: root= admindir=/var/lib/dpkg D01: ensure_diversions: new, (re)loading D01: process queue pkg grub-efi:amd64 queue.len 1 progress 1, try 1 D40: checking dependencies of grub-efi:amd64 (- ) D000400: checking group ... D000400: checking possibility -> grub-common D000400: checking non-provided pkg grub-common:amd64 D000400: is installed, ok and found D000400: found 3 D000400: found 3 matched 0 possfixbytrig - D000400: checking group ... D000400: checking possibility -> grub-efi-amd64 D000400: checking non-provided pkg grub-efi-amd64:amd64 D000400: unpacked/halfconfigured, defer D000400: found 1 D000400: found 1 matched 0 possfixbytrig - D40: ok 1 msgs >><< D01: process queue pkg grub-efi-amd64:amd64 queue.len 1 progress 2, try 1 D40: checking dependencies of grub-efi-amd64:amd64 (- ) D000400: checking group ... D000400: checking possibility -> debconf D000400: checking non-provided pkg debconf:all D000400: is installed, ok and found D000400: found 3 D000400: found 3 matched 0 possfixbytrig - D000400: checking group ... D000400: checking possibility -> grub-common D000400: checking non-provided pkg grub-common:amd64 D000400: is installed, ok and found D000400: found 3 D000400: found 3 matched 0 possfixbytrig - D000400: checking group ... D000400: checking possibility -> grub2-common D000400: checking non-provided pkg grub2-common:amd64 D000400: is installed, ok and found D000400: found 3 D000400: found 3 matched 0 possfixbytrig - D000400: checking group ... D000400: checking possibility -> grub-efi-amd64-bin D000400: checking non-provided pkg grub-efi-amd64-bin:amd64 D000400: is installed, ok and found D000400: found 3 D000400: found 3 matched 0 possfixbytrig - D000400: checking group ... D000400: checking possibility -> ucf D000400: checking non-provided pkg ucf:all D000400: is installed, ok and found D000400: found 3 D000400: found 3 matched 0 possfixbytrig - D40: ok 2 msgs >><< D40: checking Breaks D000400: checking breaker grub2-common:amd64 virtbroken Setting up grub-efi-amd64 (2.06-13+deb12u1) ... D02: trigproc_activate_packageprocessing pkg=grub-efi-amd64:amd64 D02: fork/exec /var/lib/dpkg/info/grub-efi-amd64.postinst ( configure 2.06-3~deb11u6 ) + cached_available_ids= + case "$1" in + . /usr/share/debconf/confmodule ++ '[' '!' '' ']' ++ PERL_DL_NONLAZY=1 ++ export PERL_DL_NONLAZY ++ '[' '' ']' ++ exec /usr/share/debconf/frontend /var/lib/dpkg/info/grub-efi-amd64.postinst configure 2.06-3~deb11u6 debconf (developer): frontend started debconf (developer): frontend running, package name is grub-efi-amd64 debconf (developer): starting /var/lib/dpkg/info/grub-efi-amd64.config configure 2.06-3~deb11u6 debconf (developer): <-- SET grub2/linux_cmdline debconf (developer): --> 0 value set debconf (developer): <-- SET grub2/linux_cmdline_default module.sig_enforce=0 i915.preliminary_hw_support=1 intel_iommu=on amd_iommu=on kvm_amd.npt=1 kvm_amd.avic=1 iommu=pt debconf (developer): --> 0 value set debconf (developer): <-- debconf (developer): --> 20 Bad line "" received from confmodule. debconf (developer): <-- INPUT medium grub2/linux_cmdline debconf (developer): --> 30 question skipped debconf (developer): <-- INPUT medium grub2/linux_cmdline_default debconf (developer): --> 30 question skipped debconf (developer): <-- INPUT low grub2/enable_os_prober debconf (developer): --> 30 question skipped debconf (developer): <-- INPUT low grub2/force_efi_extra_removable debconf (developer): --> 30 question skipped debconf (developer): <-- INPUT low grub2/update_nvram debconf (developer): --> 30 question skipped debconf (developer): <-- GO debconf (developer): --> 0 ok dpkg: error processing package grub-efi-amd64 (--configure): installed grub-efi-amd64 package post-installation script subprocess returned error exit status 128 D02: post_script_tasks - ensure_diversions D01: ensure_diversions: same, skipping D02: post_script_tasks - trig_incorporate D01: process queue pkg grub-efi:amd64 queue.len 0 progress 1, try 1 D40: checking dependencies of grub-efi:amd64 (- ) D000400: checking group ... D000400: checking possibility -> grub-common D000400: checking non-provided pkg grub-common:amd64 D000400: is installed, ok and found D000400: found 3 D000400: found 3 matched 0 possfixbytrig - D000400: checking group ... D000400: checking possibility -> grub-efi-amd64 D000400: checking non-provided pkg grub-efi-amd64:amd64 D000400: not configured/able D00040
Bug#1068514: bullseye-pu: package imlib2/1.7.1-2
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: iml...@packages.debian.org, a...@debian.org Control: affects -1 + src:imlib2 [ Reason ] Fixing CVE-2024-25447, CVE-2024-25448 and CVE-2024-25450 in bullseye. [ Impact ] CVE remain unfixed in bullseye while they are already fixed in stable and newer distributions. [ Tests ] Code changes are trivial [ Risks ] Code changes are trivial and are already present in bookworm. No regressions have been reported. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] A variable in the tgaflip function was multiplied with the height and not the width which can cause a heap buffer overflow. diff -Nru imlib2-1.7.1/debian/changelog imlib2-1.7.1/debian/changelog --- imlib2-1.7.1/debian/changelog 2021-01-23 22:00:25.0 +0100 +++ imlib2-1.7.1/debian/changelog 2024-04-06 22:40:50.0 +0200 @@ -1,3 +1,11 @@ +imlib2 (1.7.1-2+deb11u1) bullseye; urgency=medium + + * Fix CVE-2024-25447 and CVE-2024-25448 and CVE-2024-25450. +A heap-buffer overflow vulnerability was discovered in imlib2 when using +the tgaflip function in loader_tga.c + + -- Markus Koschany Sat, 06 Apr 2024 22:40:50 +0200 + imlib2 (1.7.1-2) unstable; urgency=medium * Drop obsolete libltdl3-dev dependency. diff -Nru imlib2-1.7.1/debian/patches/CVE-2024-25447-and-CVE-2024-25448-and-CVE-2024-25450.patch imlib2-1.7.1/debian/patches/CVE-2024-25447-and-CVE-2024-25448-and-CVE-2024-25450.patch --- imlib2-1.7.1/debian/patches/CVE-2024-25447-and-CVE-2024-25448-and-CVE-2024-25450.patch 1970-01-01 01:00:00.0 +0100 +++ imlib2-1.7.1/debian/patches/CVE-2024-25447-and-CVE-2024-25448-and-CVE-2024-25450.patch 2024-04-06 22:40:50.0 +0200 @@ -0,0 +1,26 @@ +From: Markus Koschany +Date: Fri, 5 Apr 2024 16:29:27 +0200 +Subject: CVE-2024-25447 and CVE-2024-25448 and CVE-2024-25450 + +Origin: https://git.enlightenment.org/old/legacy-imlib2/commit/e9c09deb08047c9e902ce37144e82b6edb8aedb6 +--- + src/modules/loaders/loader_tga.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/modules/loaders/loader_tga.c b/src/modules/loaders/loader_tga.c +index e9729b0..ae96a3b 100644 +--- a/src/modules/loaders/loader_tga.c b/src/modules/loaders/loader_tga.c +@@ -595,9 +595,9 @@ tgaflip(DATA32 * in, int w, int h, int fliph, int flipv) + x2 = fliph ? w - 1 : 0; + for (x = 0; x < nx; x++, x2 += dx) + { +- tmp = in[y * h + x]; +- in[y * h + x] = in[y2 * h + x2]; +- in[y2 * h + x2] = tmp; ++ tmp = in[y * w + x]; ++ in[y * w + x] = in[y2 * w + x2]; ++ in[y2 * w + x2] = tmp; + } + } + } diff -Nru imlib2-1.7.1/debian/patches/series imlib2-1.7.1/debian/patches/series --- imlib2-1.7.1/debian/patches/series 2021-01-23 22:00:25.0 +0100 +++ imlib2-1.7.1/debian/patches/series 2024-04-06 22:40:50.0 +0200 @@ -1 +1,2 @@ 01_removed-data-dir.patch +CVE-2024-25447-and-CVE-2024-25448-and-CVE-2024-25450.patch
Bug#1060381: tomcat10: catalina.out is not recreated after deletion
Control: tags -1 moreinfo [already CCed the submitter but forgot to add the bug report] Hello Daniel, On Wed, 10 Jan 2024 12:42:34 +0100 Daniel von Obernitz wrote: > Package: tomcat10 > Version: 10.1.6-1+deb12u1 > Severity: normal > X-Debbugs-Cc: t...@security.debian.org > > Dear Maintainer, > > when you stop tomcat10.service and delete the /var/log/tomcat10/catalina.out, the file will not be recreated after the next tomcat10.service start. [...] I don't understand the problem here. You deliberately deleted catalina.out. What stops you from using touch /var/log/tomcat10/catalina.out to recreate it? Regards, Markus signature.asc Description: This is a digitally signed message part
Bug#1068350: [musl] Re: Bug#1068350: musl: miscompiles (runtime problems) on riscv64 and s390x with static-pie → seems to be a toolchain bug after all, it does too hit glibc
Am Fri, Apr 05, 2024 at 05:58:15AM + schrieb Thorsten Glaser: > Markus Wichmann dixit: > >In any case, the emission of non-relative relocations is the issue here, > >and it is coming from the linker. > > They are present in the glibc static-pie binary as well, though. > And tbh they look to me like “just plug the absolute address of > the symbol here, please”, which is perfectly fine for things like > an array of strings when the actual string has already its own symbol. > > (Disclaimer: I know… barely anything about Unix relocation types, > a bit more about those on DOS and even TOS.) > Then glibc's static-pie startup code also processes symbolic relocations. musl's doesn't. It only processes relative relocations. And changing this would require some massive reworking. We'd somehow have to put stage 2 of the dynamic linker into rcrt1.o. A symbolic lookup doesn't really make sense for a static executable outside of FDPIC. The only difference in address space possible is a relative offset. In order to do a symbolic relocation, you also need the symbol lookup stuff, which - granted - for a static PIE is probably very simple because there can be only one symbol table, but still. I thought the whole point of static-PIE support was to only leave relative relocations around. Ciao, Markus
Bug#1068350: [musl] Re: Bug#1068350: musl: miscompiles (runtime problems) on riscv64 and s390x with static-pie → seems to be a toolchain bug after all, it does too hit glibc
Am Fri, Apr 05, 2024 at 05:04:37AM + schrieb Thorsten Glaser: > Should be correct: > > /usr/libexec/gcc/s390x-linux-gnu/13/collect2 -fno-lto -dynamic-linker > /lib/ld-musl-s390x.so.1 -nostdlib -static -static -pie --no-dynamic-linker -o > mksh /usr/lib/s390x-linux-musl/rcrt1.o /usr/lib/s390x-linux-musl/crti.o > /usr/lib/gcc/s390x-linux-gnu/13/crtbeginS.o -L/usr/lib/s390x-linux-musl -L > /usr/lib/gcc/s390x-linux-gnu/13/. -z relro -z now --as-needed -z text > --eh-frame-hdr lalloc.o edit.o eval.o exec.o expr.o funcs.o histrap.o jobs.o > lex.o main.o misc.o shf.o syn.o tree.o var.o ulimit.o --start-group > /usr/lib/gcc/s390x-linux-gnu/13/libgcc.a > /usr/lib/gcc/s390x-linux-gnu/13/libgcc_eh.a -lc --end-group > /usr/lib/gcc/s390x-linux-gnu/13/crtendS.o /usr/lib/s390x-linux-musl/crtn.o > > HTH & HAND, > //mirabilos I may not really know what I am talking about, so take this with a grain of salt, but isn't this missing a -Bsymbolic somewhere? Ironically, that switch causes ld to not emit symbolic relocations. I seem to remember reading long ago in Rich's initial -static-pie proposal that that was one of the switches added to the linker command line. In any case, the emission of non-relative relocations is the issue here, and it is coming from the linker. Ciao, Markus
Bug#1068350: [musl] Re: Bug#1068350: musl: miscompiles (runtime problems) on riscv64 and s390x with static-pie → seems to be a toolchain bug after all, it does too hit glibc
Hi, in static-pie, relocations get processed in _start, before main() is called. In musl, this is done by linking with rcrt1.o as start file instead of crt1.o. And that file processes all relative relocations. You can check with readelf -r what the relocation types are. If they are not relative, they will not be processed. What you are seeing seems indicative of missing relocation processing. Is it possible you are linking in the wrong start file? gcc -v should output the command line it feeds to the linker. Ciao, Markus
Bug#1043227: patch still valid? (opm-common: test failure on ppc64el with -O3)
Hi, Concerning the patch: It seems like -O2 is the default in Debian now anyway. Will the patch still work as it is? I did some investigations on platti.debian.org. I have no idea what the problem is. My hunch is that compiler optimization breaks the code here. If I add a simple print statement like this then the test passes: (sid_ppc64el-dchroot)blattms@platti:~/opm-common$ git diff opm/output/data/InterRegFlow.hpp diff --git a/opm/output/data/InterRegFlow.hpp b/opm/output/data/InterRegFlow.hpp index 0e1dadcc4..7e2aeabbe 100644 --- a/opm/output/data/InterRegFlow.hpp +++ b/opm/output/data/InterRegFlow.hpp @@ -29,7 +29,7 @@ #include #include #include - +#include namespace Opm { namespace data { /// Intermediary Protocol to Linearise Per-Connection Flow Rates Into Subrange. @@ -271,7 +271,7 @@ namespace Opm { namespace data { using sz_t = decltype(InterRegFlow::bufferSize()); const auto& [begin, end] = this->elements_; - +std::cout<<"distance=";//<< std::distance(begin, end);// << " size="<< InterRegFlow::bufferSize()<(std::distance(begin, end)) == InterRegFlow::bufferSize(); } (sid_ppc64el-dchroot)blattms@platti:~/opm-common$ Best, Markus
Bug#1055857: patch still valid? (opm-common: test failure on ppc64el with -O3)
Hi, Concerning the patch: It seems like -O2 is the default in Debian now anyway. Will the patch still work as it is? I did some investigations on platti.debian.org. I have no idea what the problem is. My hunch is that compiler optimization breaks the code here. If I add a simple print statement like this then the test passes: (sid_ppc64el-dchroot)blattms@platti:~/opm-common$ git diff opm/output/data/InterRegFlow.hpp diff --git a/opm/output/data/InterRegFlow.hpp b/opm/output/data/InterRegFlow.hpp index 0e1dadcc4..7e2aeabbe 100644 --- a/opm/output/data/InterRegFlow.hpp +++ b/opm/output/data/InterRegFlow.hpp @@ -29,7 +29,7 @@ #include #include #include - +#include namespace Opm { namespace data { /// Intermediary Protocol to Linearise Per-Connection Flow Rates Into Subrange. @@ -271,7 +271,7 @@ namespace Opm { namespace data { using sz_t = decltype(InterRegFlow::bufferSize()); const auto& [begin, end] = this->elements_; - +std::cout<<"distance=";//<< std::distance(begin, end);// << " size="<< InterRegFlow::bufferSize()<(std::distance(begin, end)) == InterRegFlow::bufferSize(); } (sid_ppc64el-dchroot)blattms@platti:~/opm-common$ Best, Markus
Bug#1066983: monopd: Fails to start monopd.service
Hello Shriram, Am Mittwoch, dem 27.03.2024 um 15:10 +0530 schrieb Shriram Ravindranathan: > Dear Markus, > > On 27/03/24 13:01, Markus Koschany wrote: > > As this bug report proves, normal people tend to have problems with system > > services. A system administrator would have simply disabled or masked the > > service. There is nothing here what could not have been resolved with some > > systemctl commands. > I am sorry but I don't understand the point you are trying to make here. > I don't think it is in the right spirit that we should expect anybody > (even sysadmins) to bodge the package somehow and get it to work. > The package is not broken and the bug severity is incorrect. Sylvain already explained what you could have done with systemctl to solve this issue. signature.asc Description: This is a digitally signed message part
Bug#1066983: monopd: Fails to start monopd.service
Hi Sylvain, Am Montag, dem 25.03.2024 um 18:48 +0100 schrieb Sylvain Rochet: > Hi Markus, > > On Mon, Mar 25, 2024 at 02:36:59AM +0100, Markus Koschany wrote: > > Sylvain Rochet wrote: > > > Actually, the main problem is /lib/systemd/system/monopd.socket which > > > set Accept=yes while monopd needs Accept=no (which is the default value). > > > > I wonder if monopd needs a systemd socket file at all and if we should > > disable the service after the installation. We have been using this > > setting since the introduction of systemd. If monopd runs with > > Accept=no then we also don't need a service template file. At some > > point I also noticed the same warning as Shriram > > > > "monopd.socket is a disabled or a static unit not running, not > > starting it." and then followed [1] and added the required template > > file. > > Yeah, socket activation is not really useful for public servers > services, it is mostly used for local services that can be spawned on > the fly later. Furthermore, socket activation breaks monopd metaserver > registration because the daemon must be running to register, so better > only ship the service file. I let you decide whether the service should > be disabled or enabled by default (but unless something recently > changed, daemon usually runs by default on Debian. I admit having lost > track :D). Our Policy is still to enable autostarting a service but I also don't see a must directive in 9.3.3.1 [1], so if there is a good reason it should be OK to disable the service and let the local administrator re-enable it, if desired. > > I have been running monopd for the past decade and I also suspect the > > daemon is affected by some bugs which might be remotely exploitable. > > What makes you think that? > > My daemon is running attached to gdb so I can easily catch and trace any > issue that would kill the process. So far it's been over 10 years > without a single issue, some process lived for several years between > systems reboot. > > I am not saying it is bug free because nothing is bug free, but if it is > remotely exploitable and actively exploited, I would be aware of it on > my running instance. I have seen multiple lines like that in my log files before: monopd.service: main process exited, code=killed, status=11/SEGV It happens from time to time but at some time it was more frequent which made me believe that some players found a way to reproducibly crash the server. I can send you my log file but you probably can't easily debug the problem because there was no gdb attached to the process. > > Since users usually don't need the monopd server anyway, if they want > > to play a game, they should make a conscious decision to start it if > > they want to use it locally. For a simple internet game, the daemon is > > not required. > > Installing the server package isn't already a conscious decision? As this bug report proves, normal people tend to have problems with system services. A system administrator would have simply disabled or masked the service. There is nothing here what could not have been resolved with some systemctl commands. However I believe I just remove the systemd socket file now and be done with it. There are pros and cons for autostarting the service or disabling it but we don't need to overthink this. Regards, Markus signature.asc Description: This is a digitally signed message part
Bug#1066983: monopd: Fails to start monopd.service
Sylvain Rochet wrote: > Actually, the main problem is /lib/systemd/system/monopd.socket which > set Accept=yes while monopd needs Accept=no (which is the default value). I wonder if monopd needs a systemd socket file at all and if we should disable the service after the installation. We have been using this setting since the introduction of systemd. If monopd runs with Accept=no then we also don't need a service template file. At some point I also noticed the same warning as Shriram "monopd.socket is a disabled or a static unit not running, not starting it." and then followed [1] and added the required template file. I have been running monopd for the past decade and I also suspect the daemon is affected by some bugs which might be remotely exploitable. Since users usually don't need the monopd server anyway, if they want to play a game, they should make a conscious decision to start it if they want to use it locally. For a simple internet game, the daemon is not required. [1] https://www.freedesktop.org/software/systemd/man/latest/systemd.socket.html signature.asc Description: This is a digitally signed message part
Bug#1051647: please ship a fd(1) binary
Severity: normal Hello there, Would love this too. Some tooling looks for an `fd` binary and won't find an `fd` alias. Another problem is that the shell completions for bash/zsh shipped with the package don't work, since they define a `_fd` completion function. You can work around it with either `alias fd=fdfind` or `alias _fdfind=_fd`, but it would be nice not to have to. Raising the severity to normal because of this (first time doing that, not sure if it will actually work :)) Thanks, Markus
Bug#1064762: Bug is actually in expat xml-parser
Hi, One of the DUNE developers has some more insight on this: https://gitlab.dune-project.org/core/dune-grid/-/issues/184#note_135809 This looks like being the same problem that I noted for Paraview on ubuntu. It seems that a bugfix in the xml-parser `expat` broke parsing binary data. Debian sid contains expat 2.6.2 where this is fixed. Ubuntu 23.10 has recently backported a fix to 2.5.0 which broke reading appended data in paraview for me. So the issue reported here may now also effect Ubuntu 23.10. * Bug report for Ubuntu: https://bugs.launchpad.net/ubuntu/+source/expat/+bug/2058415 * Related discussion for arch: https://discourse.paraview.org/t/i-cannot-read-a-vtp-file-i-could-open-yesterday-can-someone-try-to-open-it/13938 * In the debian security tracker for expat one can the the CVEs that * have been fixed in sid but (so far) not in stable and testing. In * Ubuntu the patches for these CVEs have been backported already: * https://security-tracker.debian.org/tracker/source-package/expat Best, Markus
Bug#1001644: [Pkg-sssd-devel] Bug#1001644: libpam-sss: OTP-enabled users do not recieve OTP prompts from pam_sss.so
I like Sam's suggestions. Has a maintainer considered it? -- Markus
Bug#1067002: plymouth: Theme broken if config file is a symlink
Package: plymouth Version: 24.004.60-1+b2 Severity: minor Dear Maintainer, I used to have a symlink from /etc/plymouth/plymouthd.conf to my dotfiles repository, which resulted in a broken theme (a gray screen with three white dots). At some point I realized that the initramfs hook is copying the symlink itself, so I switched to a hardlink which resolved that issue. The problem is in /usr/share/initramfs-tools/hooks/plymouth which uses `cp -dRp` to copy certain files. Could that be changed to `cp -p` perhaps? I noticed that `cp -R` will still create symlinks when used with a single file, but recursion isn't necessary in these cases anyway. I also saw some other hooks explicitly use `cp -L`. Thanks, Markus -- System Information: Debian Release: trixie/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 6.7.9-1-liquorix-amd64 (SMP w/4 CPU threads; PREEMPT) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) Versions of packages plymouth depends on: ii init-system-helpers 1.66 ii initramfs-tools 0.142 ii libc62.37-15.1 ii libdrm2 2.4.120-2 ii libplymouth5 24.004.60-1+b2 ii systemd 255.4-1+b1 ii udev 255.4-1+b1 plymouth recommends no packages. Versions of packages plymouth suggests: ii desktop-base 12.0.6+nmu1 pn plymouth-themes -- Configuration Files: /etc/plymouth/plymouthd.conf changed: [Daemon] Theme=moonlight ShowDelay=0 -- no debconf information
Bug#1065913: opm-common: Please drop dependencies on python3-distutils
Hi, the dependency is alread gone version 2023.10+ds-2 and later (unstable). We just need to wait for their migration to testing. Best, Markus
Bug#1064762: Works with vtk9.3 installed in venv via pip (was Re: dune-grid: FTBFS: make[1]: *** [/usr/share/dune/dune-debian.mk:39: override_dh_auto_test] Error 1)
Hi, I did some further tests with the provided test case. If I install vtk (latest version 9.3) with pip in a venve. The script also does not report an error for the relative paths. Tested on stable and in a sid chroot. Best, Markus
Bug#1065914: opm-simulators: Please drop dependencies on python3-distutils
Hi, there is already a version (2023.10+ds-2) uploaded to unstable with the python3-distutils dependency. We just need to for it's migration. Best, Markus
Bug#1064762: dune-grid: FTBFS: make[1]: *** [/usr/share/dune/dune-debian.mk:39: override_dh_auto_test] Error 1
Hi, these tests write out vtk files and read them in using python3-vtk9. If parsing of the file succeeds then the test was successful. How the files are written did not change between Debian stable and Debian sid. I have verified that the files are the same. Attached is a small test case in python3-vtk9-test.tar.gz that mimics the problems. The script test/vtkcheckcomb.py will read the file vtktest-1D-leafview-nonconforming-appendedbase64.vtp using different relative paths with vtkXMLPolyDataReader. On Debian stable all those cases succeed (see log file tests/stable/vtkcheckcomb.log. On Debian sid all of the fail with this error of vtk xml parser: 2024-03-11 14:31:34.098 ( 0.123s) [A51E0740] vtkXMLParser.cxx:375ERR| vtkXMLDataParser (0x1659c80): Error parsing XML in stream at line 27, column 9, byte index 1562: not well-formed (invalid token) 2024-03-11 14:31:34.099 ( 0.123s) [A51E0740] vtkXMLReader.cxx:521ERR| vtkXMLPolyDataReader (0x15f4e90): Error parsing input file. ReadXMLInformation aborting. 2024-03-11 14:31:34.099 ( 0.123s) [A51E0740] vtkExecutive.cxx:752ERR| vtkCompositeDataPipeline (0x1631800): Algorithm vtkXMLPolyDataReader(0x15f4e90) returned failure for request: vtkInformation (0x166e920) Debug: Off Modified Time: 775 Reference Count: 1 Registered Events: (none) Request: REQUEST_INFORMATION ALGORITHM_AFTER_FORWARD: 1 FORWARD_DIRECTION: 0 I have no clue why this is the case. To me it is more likely that the problem is due a change in vtk9. Hence I am reassinging to vtk9 in the hope that the maintainers there have more clues than me. Best, Markus python3-vtk9-test.tar.gz Description: application/gzip
Bug#1060076: alberta: FTBS on ppc64el: Package fixed but Sponsor for uploading needed
Dear all, I was able to fix the FTBFS by backporting two upstream patches. You can find my changes in MR [1]. Note that this also adds the changes for the 64bit time_t transition made in version 3.0.3-1.1 to the repository. As I am not Debian Developer and not maintaining the alberta, Hence I need a sponsor from e.g. the Debian Science team that uploads the fixed package. alberta is marked for removal today. Thanks a lot. Best, Markus [1] https://salsa.debian.org/science-team/alberta/-/merge_requests/4 signature.asc Description: PGP signature
Bug#1064016: adwaita-icon-theme: v46 cursor theme is missing legacy X11 icon names expected by many applications
On Monday, 4 March 2024 at 22:08, Simon McVittie wrote: > If upgrading libmutter-13-0 (and other packages from the same source) > to 45.3-3 fixes this, then you were experiencing #1063640. If not, > we should open a separate bug. Oh yes I was indeed still on 45.3-2, upgrading to 45.3-3 fixes the crash! I still get the default cursor when dragging, but this seems to be by design: - 45.3 branch uses `dnd-none`: https://gitlab.gnome.org/GNOME/mutter/-/blob/45.3/src/backends/meta-cursor-sprite-xcursor.c?ref_type=tags#L75 - main branch now uses `default`: https://gitlab.gnome.org/GNOME/mutter/-/blob/main/src/backends/meta-cursor-sprite-xcursor.c?ref_type=heads#L75 Thanks, Markus
Bug#1064016: adwaita-icon-theme: v46 cursor theme is missing legacy X11 icon names expected by many applications
Oh no, sorry I meant to say "46~beta-4" in the first sentence. Copied it from the bottom and forgot to change it :)
Bug#1064016: adwaita-icon-theme: v46 cursor theme is missing legacy X11 icon names expected by many applications
Hello there, Not sure if this is the correct bug to report this, but I ran into a gnome-shell crash with adwaita-icon-theme 46~beta-3 when opening the overview (Super key) and trying to grab one of the windows: ``` No cursor theme available, please install a cursor theme Received an X Window System error. This probably reflects a bug in the program. The error was 'BadCursor (invalid Cursor parameter)'. (Details: serial 13601 error_code 6 request_code 95 (core protocol) minor_code 0) (Note to programmers: normally, X errors are reported asynchronously; that is, you will receive the error a while after causing it. To debug your program, run it with the MUTTER_SYNC environment variable to change this behavior. You can then get a meaningful backtrace from your debugger if you break on the mtk_x_error() function.) == Stack trace for context 0x58854fb38590 == #0 58854fbffa08 i resource:///org/gnome/shell/ui/init.js:21 (13c026970bf0 @ 48) ``` Running with MUTTER_SYNC=1 extends the stack trace a bit: ``` == Stack trace for context 0x631cbba61570 == #0 631cbbb28c18 i resource:///org/gnome/shell/ui/dnd.js:390 (21d3a36f80b0 @ 440) #1 631cbbb28b68 i resource:///org/gnome/shell/ui/dnd.js:168 (21d3a36f2c90 @ 235) #2 631cbbb28ad8 i resource:///org/gnome/shell/ui/init.js:21 (21d3a3670bf0 @ 48) ``` So it's trying to use the `DND_IN_DRAG` cursor at [1]. I also noticed now that this cursor is missing in Firefox when e.g. dragging a link, but at least Firefox is polite enough to not crash (it just displays the default cursor). Downgrading to adwaita-icon-theme 45.0-4 resolves this. I still get the crash with 46~beta-3, so I guess it's not related to the "more minimal set of aliases". I should also mention I'm using gnome-shell 45.3-2 from experimental. [1]: https://gitlab.gnome.org/GNOME/gnome-shell/-/blob/96b91ec62c9c8133eb7b0e76e486a7cea6edebdb/js/ui/dnd.js#L390 Thanks and greetings, Markus
Bug#1064561: 1064561 dune-grid: FTBFS on i386: 98% tests passed, 1 tests failed out of 66
Hi, I did look into this shortly. I must admit that I problems seeing what could fail in this code. The code reads the second line of a file using using scanf and checks that the first number read is larger or equal 2.0 and less than or equal 2.2. Strangely this works for all the other files read. excerpt from dune/grid/io/file/gmshreader.hh void readfile(FILE * file, int cnt, const char * format, void* t1, void* t2 = 0, void* t3 = 0, void* t4 = 0, void* t5 = 0, void* t6 = 0, void* t7 = 0, void* t8 = 0, void* t9 = 0, void* t10 = 0) { off_t pos = ftello(file); int c = fscanf(file, format, t1, t2, t3, t4, t5, t6, t7, t8, t9, t10); if (c != cnt) DUNE_THROW(Dune::IOError, "Error parsing " << fileName << " " "file pos " << pos << ": Expected '" << format << "', only read " << c << " entries instead of " << cnt << "."); } [...] // open file name, we use C I/O fileName = f; FILE* file = fopen(fileName.c_str(),"rb"); if (file==0) DUNE_THROW(Dune::IOError, "Could not open " << fileName); //= // Header: Read vertices into vector // Check vertices that are needed //= number_of_real_vertices = 0; boundary_element_count = 0; element_count = 0; // process header double version_number; int file_type, data_size; readfile(file,1,"%s\n",buf); if (strcmp(buf,"$MeshFormat")!=0) DUNE_THROW(Dune::IOError, "expected $MeshFormat in first line"); readfile(file,3,"%lg %d %d\n",&version_number,&file_type,&data_size); if( (version_number < 2.0) || (version_number > 2.2) ) DUNE_THROW(Dune::IOError, "can only read Gmsh version 2 files"); [...] File unitcube.sh: $MeshFormat 2.2 0 8 $EndMeshFormat $Nodes ... I will need to reproduce this somehow. Just need to learn how. Best, Markus
Bug#1064267: fontconfig 2.15 breaks color emoji
Hey Jeremy, Haha well I was debating if even "important" is warranted, given it's just about fancy emoji in the end. But I guess people do feel passionate about them :) Also didn't know that "serious" prevents migration to testing, will keep that in mind for the future! Thanks, Markus On Sunday, 25 February 2024 at 14:04, Jeremy Bícha wrote: > > > Control: severity -1 serious > > Oh, I wish you had filed this regression as Serious to prevent the > update's migration to Testing. > > Thank you, > Jeremy Bícha
Bug#1064267: fontconfig 2.15 breaks color emoji
Found the upstream bug: https://gitlab.freedesktop.org/fontconfig/fontconfig/-/issues/400 > It seems the font is considered as a bitmap font now (wasn't the case in > 2.14.x) and because of no-bitmap.conf, the emoji font wouldn't load. Removing > this conf file makes the emoji font load fine. I am unsure whether to > consider this as a regression, but for now I will close this issue. After running "dpkg-reconfigure fontconfig-config" and enabling bitmap fonts the color emoji indeed work again. Greetings, Markus
Bug#1064267: fontconfig 2.15 breaks color emoji
Subject: fontconfig 2.15 breaks color emoji Package: fontconfig Version: 2.15.0-1 Severity: important Hello there, After the latest upgrade to 2.15.0 I noticed that color emoji from fonts-noto-color-emoji were broken, looks like matching doesn't work correctly anymore: ``` $ fc-match emoji NotoSans-Regular.ttf: "Noto Sans" "Regular" ``` Downgrading to 2.14.2-6+b1 fixes it: ``` $ fc-match emoji NotoColorEmoji.ttf: "Noto Color Emoji" "Regular" ``` Greetings, Markus -- System Information: Debian Release: trixie/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 6.7.4-2-liquorix-amd64 (SMP w/16 CPU threads; PREEMPT) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) Versions of packages fontconfig depends on: ii fontconfig-config 2.15.0-1 ii libc6 2.37-15 ii libfontconfig1 2.15.0-1 ii libfreetype6 2.13.2+dfsg-1+b1 fontconfig recommends no packages. fontconfig suggests no packages. -- no debconf information
Bug#1063868: O: xsecurelock -- X11 screen lock utility with the primary goal of security
Package: wnpp Severity: normal
Bug#1052714: firmware-amd-graphics: Missing firmware for AMD Radeon RX 7000 series cards
Seconding the suggestion for more frequent firmware updates to better align with the kernel packages. Maybe these could be provided in experimental/rc-buggy? I had a problem with my RX 7900 XT where it would reboot on resuming from suspend, which was fixed by grabbing the latest amdgpu firmware from the kernel tarball. Greetings, Markus
Bug#1061393: runescape: Runescape launcher won't start because of missing dependencies
Package: runescape Version: 0.8-2 Severity: important X-Debbugs-Cc: schm...@web.de After installing "runescape" (by "sudo apt install runescape") I could start the program "runescape", but it stopped executing at 98%. I could adjust the file "/usr/games/runescape" so that error messages were shown, which revealed a "java.lang.NoClassDefFoundError: java/util/jar/Pack200". The currently installed Java-Runtime is openjdk-17-jre. It appears that the Java-class Pack200 is deprecated since openjdk-11 (see: https://openjdk.org/jeps/336 ) and removed since openjdk-14 (see: https://openjdk.org/jeps/367 ). Therefore the package "runescape" won't work any longer. I don't see a way to fix this bug (other than adding old and deprecated java-classes). What do you think? -- System Information: Debian Release: trixie/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.5.0-5-amd64 (SMP w/6 CPU threads; PREEMPT) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages runescape depends on: ii 7zip [p7zip-full]23.01+dfsg-7 ii default-jre [java10-runtime] 2:1.17-75 ii openjdk-17-jre [java10-runtime] 17.0.10+7-1 ii p7zip-full 16.02+transitional.1 ii wget 1.21.4-1+b1 ii zenity 4.0.1-1 runescape recommends no packages. runescape suggests no packages. -- no debconf information
Bug#1060857: squid: updating to 4.6-1+deb10u9 causes empty responses for some HTTP requests
Hi, Am Dienstag, dem 16.01.2024 um 08:18 +0100 schrieb Lucas Nussbaum: > Hi, > > Adding debian-lts@l.d.o in the email loop, as asked on IRC. > > On 15/01/24 at 21:16 +0100, Lucas Nussbaum wrote: > > On 15/01/24 at 20:31 +0100, Lucas Nussbaum wrote: > > > Package: squid > > > Version: 4.6-1+deb10u9 > > > Severity: important > > > > > > Hi, > > > > > > After updating to 4.6-1+deb10u9, squid returns empty responses for some > > > URLs. > > I also confirmed that the regression is between 4.6-1+deb10u8 and 4.6- > 1+deb10u9 (4.6-1+deb10u8 is OK) Thank you for the report. I believe this is related to the fix for CVE-2023- 46846. I am currently investigating the problem. Regards, Markus signature.asc Description: This is a digitally signed message part
Bug#1004844: games-finest: Consider adding endless-sky
Am Freitag, dem 12.01.2024 um 03:25 -0500 schrieb Dave Vasilevsky: > Hi again. It looks like endless-sky 0.10.2 has been in testing for awhile, > with no reported bugs. This version is quite new, updated in 2023. What do > you think about adding it to games-finest now? Hi, It's still on my todo list but with a low priority. As long as there are no major issue with endless-sky, it will be part of games-finest when I update src:debian-games again. Cheers, Markus signature.asc Description: This is a digitally signed message part
Bug#1060652: mate-control-center: "Raise selected Windows after delay" not working with WINE windows
Package: mate-control-center Version: 1.26.0-2+deb12u1 Severity: normal When you activate "Select windows when the mouse moves over them" there is a delay that you can set (Raise selected windows after XX seconds). I have set the delay to 1 second. The delay works unless the window being raised is a WINE application. In that case, the window is raised immediately, the delay is bypassed. -- System Information: Debian Release: 12.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'stable'), (500, 'oldstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.1.0-17-amd64 (SMP w/16 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) Versions of packages mate-control-center depends on: ii caja-common 1.26.1-1 ii desktop-file-utils 0.26-1 ii gsettings-desktop-schemas 43.0-1 ii libaccountsservice0 22.08.8-6 ii libc6 2.36-9+deb12u3 ii libcairo-gobject2 1.16.0-7 ii libcairo2 1.16.0-7 ii libcanberra-gtk3-0 0.30-10 ii libcanberra00.30-10 ii libdconf1 0.40.0-4 ii libfontconfig1 2.14.1-4 ii libfreetype62.12.1+dfsg-5 ii libgdk-pixbuf-2.0-0 2.42.10+dfsg-1+b1 ii libglib2.0-02.74.6-2 ii libglib2.0-bin 2.74.6-2 ii libgtk-3-0 3.24.38-2~deb12u1 ii libmarco-private2 1.26.1-3+deb12u2 ii libmate-desktop-2-171.26.0-2 ii libmate-slab0 1.26.0-2+deb12u1 ii libmate-window-settings11.26.0-2+deb12u1 ii libmatekbd4 1.26.0-1+deb12u1 ii libpango-1.0-0 1.50.12+ds-1 ii libpangocairo-1.0-0 1.50.12+ds-1 ii libpolkit-gobject-1-0 122-3 ii libx11-62:1.8.4-2+deb12u2 ii libxcursor1 1:1.2.1-1 ii libxi6 2:1.8-1+b1 ii libxklavier16 5.4-4 ii libxml2 2.9.14+dfsg-1.3~deb12u1 ii libxss1 1:1.2.3-1 ii marco-common1.26.1-3+deb12u2 ii mate-control-center-common 1.26.0-2+deb12u1 ii mate-desktop1.26.0-2 ii mate-icon-theme 1.26.0-1 ii mate-menus 1.26.0-3 ii mate-settings-daemon1.26.0-1 mate-control-center recommends no packages. Versions of packages mate-control-center suggests: pn gconf2 -- no debconf information
Bug#1059545: webext-ublock-origin-firefox: I get YouTube ads when Private Browsing
Hello, > Hi, > Lately I've been getting YouTube ads when I play videos on private windows. > This among other YouTube bugs (slow loading and such) have been fixed for > testing and unstable. If they can be backported it would be great. > > > (can be reproduced on a VM with defaults) My intention was to backport ublock-origin to Bookworm in January 2024. This will be a normal point update as usual, so you have to enable bookworm proposed-updates for early access. I try to update Bullseye as well. Stay tuned and a happy new year 2024. Markus signature.asc Description: This is a digitally signed message part
Bug#1059520: opendkim: Crashes when postfix accesses opendkim.sock
Package: opendkim Version: 2.11.0~beta2-8+deb12u1 Severity: important X-Debbugs-Cc: markusmitsc...@gmail.com Dear Maintainer, when i send an email via postfix from localhost postfix logs the following: warning: milter unix:/run/opendkim/opendkim.sock: can't read SMFIC_EOH reply packet header: Application error when i inspect the opendkim log i see: opendkim.service: Failed with result 'signal'. opendkim.service: Main process exited, code=killed, status=11/SEGV running opendkim from command line with "-vf" gives "segmentation fault" in the moment i send an email. Please let me know if you need something else. Greetings, Markus -- System Information: Debian Release: 12.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-16-cloud-amd64 (SMP w/4 CPU threads; PREEMPT) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages opendkim depends on: ii adduser3.134 ii dns-root-data 2023010101 ii init-system-helpers1.65.2 ii libbsd00.11.7-2 ii libc6 2.36-9+deb12u3 ii libdb5.3 5.3.28+dfsg2-1 ii libldap-2.5-0 2.5.13+dfsg-5 ii liblua5.3-05.3.6-2 ii libmemcached11 1.1.4-1 ii libmilter1.0.1 8.17.1.9-2 ii libopendbx11.4.6-16+b1 ii libopendkim11 2.11.0~beta2-8+deb12u1 ii librbl12.11.0~beta2-8+deb12u1 ii libssl33.0.11-1~deb12u2 ii libunbound81.17.1-2+deb12u1 ii libvbr22.11.0~beta2-8+deb12u1 ii sysvinit-utils [lsb-base] 3.06-4 Versions of packages opendkim recommends: ii opendkim-tools 2.11.0~beta2-8+deb12u1 opendkim suggests no packages. -- Configuration Files: /etc/opendkim.conf changed: Syslog yes SyslogSuccess yes Canonicalizationrelaxed/simple Modesv OversignHeaders From UserID opendkim UMask 007 Socket local:/run/opendkim/opendkim.sock PidFile /run/opendkim/opendkim.pid TrustAnchorFile /usr/share/dns/root.key InternalHosts refile:/etc/opendkim/trusted ExternalIgnoreList refile:/etc/opendkim/trusted SigningTablerefile:/etc/opendkim/signing.table KeyTable/etc/opendkim/key.table SignatureAlgorithm rsa-sha256 -- no debconf information
Bug#1057940: swirc: FTBFS: invalid use of incomplete typedef ‘WINDOW’ {aka ‘struct _win_st’}
Alright, I will do so when I have time, but as soon as possible. Den 2023-12-10 kl. 23:17, skrev Santiago Vila: El 10/12/23 a las 22:09, Markus Uhlin escribió: My guess is that Ncurses is built with '--enable-opaque-curses' and defines NCURSES_OPAQUE=1. I'm currently running stable so I'm not able to reproduce the problem but if you can give me access to a computer where the problem occurs I can investigate it. Hmm, please note that when I say "if you can't reproduce it" it should be understood as "if you can't reproduce it using an unstable chroot". So, you should really use an unstable chroot in your own computer first (you can create it with debootstrap and then use it with schroot). Regarding the bug itself: Here is a very similar one which maybe gives you an idea about how to fix it, as it contains a fix at the end: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057553 Thanks.
Bug#1057940: swirc: FTBFS: invalid use of incomplete typedef ‘WINDOW’ {aka ‘struct _win_st’}
My guess is that Ncurses is built with '--enable-opaque-curses' and defines NCURSES_OPAQUE=1. I'm currently running stable so I'm not able to reproduce the problem but if you can give me access to a computer where the problem occurs I can investigate it. Den 2023-12-10 kl. 20:18, skrev Santiago Vila: invalid use of incomplete typedef ‘WINDOW’ {aka ‘struct _win_st’}
Bug#1055147: seahorse-adventures: No keypress recognised
Hi Francesco, Am Sonntag, dem 03.12.2023 um 17:42 +0100 schrieb Francesco Ariis: > Il 03 dicembre 2023 alle 17:14 Markus Koschany ha scritto: > > I spoke too soon. Tested the wrong Debian release. So it appears the > > underlying > > problem is in python3-pygame which changed significantly between Bullseye > > and > > Bookworm but I'm not sure how I can fix this in seahorse-adventures right > > now. > > I managed to get keydown working like this: > - in /usr/share/games/seahorse-adventures/lib/menu.py > - go to line 119 > - substitute > if e.type is USEREVENT and e.action == 'down': > with > if e.type == USEREVENT and e.action == 'down': > - keydown will work again Thanks a lot for the report and your proposed patch. As soon as I'm back home tomorrow, I'll give it a try. Thanks for mentioning the other seahorse- adventures fork. Maybe there are even more improvements. I'll check that too. Best, Markus signature.asc Description: This is a digitally signed message part
Bug#1055147: seahorse-adventures: No keypress recognised
Control: severity -1 grave I spoke too soon. Tested the wrong Debian release. So it appears the underlying problem is in python3-pygame which changed significantly between Bullseye and Bookworm but I'm not sure how I can fix this in seahorse-adventures right now. signature.asc Description: This is a digitally signed message part
Bug#1057047: tomcat10-common: Tomcat 10 helper script doesn't look for temurin based jdk installs
On Tue, 28 Nov 2023 17:59:18 +0100 Joan wrote: > Package: tomcat10-common > Version: 10.1.15-1 > Severity: normal > X-Debbugs-Cc: aseq...@gmail.com > > Dear Maintainer, > > * What led up to the situation? > I am trying to use debian's tomcat 10 with java 21, since it's not present on debian I used the one from > https://adoptium.net/installation/linux/ that has a repository. [...] Hello, we support only OpenJDK and there is even openjdk-21-jre in unstable. For stable releases only one version of openjdk is supported in general, currently OpenJDK 17. signature.asc Description: This is a digitally signed message part
Bug#1057315: tiles: CVE-2023-49735
Am Sonntag, dem 03.12.2023 um 15:10 +0100 schrieb Moritz Muehlenhoff: > > But maybe we can set it as "no-dsa", is it only used as build > > dependency for libspring-java and not sensible outside? > > Spring is already marked as unsupported, so we can simply extend that. +1 This is sensible in this case. signature.asc Description: This is a digitally signed message part
Bug#1055147: seahorse-adventures: No keypress recognised
Control: severity -1 normal On Wed, 01 Nov 2023 09:25:19 +0100 Francesco Ariis wrote: > Package: seahorse-adventures > Version: 1.1+dfsg-6 > Severity: grave > Justification: renders package unusable > X-Debbugs-Cc: fa...@ariis.it > > Dear Maintainer, > > to replicate: > > 1. Launch `seahorse-adventures` > 2. Now you are in the menu. > 3. Press any direction key > 3. The grey indicator in the menu does not move. It seems that keypresses > are not recognised. The game is thus unplayable. I could not reproduce your problem. The keys work as expected and I can navigate the menu and the game without any problems. signature.asc Description: This is a digitally signed message part
Bug#933264: gradle: Nearly 3-year-old version almost useless
Am Freitag, dem 01.12.2023 um 13:06 +0100 schrieb Matthias Geiger: > > Kotlin is now in debian, is there anything else blocking the update ? As a start I have built Gradle 4.6 from source with almost only system libraries but I hit a wall because there seems to be a bug in our Kotlin version or rather 4.6 requires a different version, so this version still relies on upstream's binary distribution of Kotlin. I will push this in a few days and then let's see how we can proceed from here on. Why still 4.6? Jumping to a newer version like 6.x (which is already superseded by 8.x) requires updates of many different system libraries which in turn requires updates of reverse-dependencies of said libraries and so on. So whenever you change something in Debian's Java eco system you have to be prepared to fix a bunch of other seemingly (un)related stuff as well. More details follow soon. Markus signature.asc Description: This is a digitally signed message part
Bug#1056754: marked as done (bouncycastle: CVE-2023-33202)
Hi tony, Am Donnerstag, dem 30.11.2023 um 21:02 -0800 schrieb tony mancill: > On Thu, Nov 30, 2023 at 09:51:09PM +, Debian Bug Tracking System wrote: > > Subject: Bug#1056754: fixed in bouncycastle 1.77-1 > > > > Source: bouncycastle > > Version: 1.77-1 > > Distribution: unstable > > Changed-By: Markus Koschany > > * New upstream version 1.77. (Closes: #1049356) > > Hi Markus, > > Thank you for your efforts to get BC updated. > > > * Remove backward-compatibility.patch. It is time to fix those issues > > properly in our reverse-dependencies. > > I agree completely. And thank you for filing bugs for the r-deps that > need to be addressed. thanks. Fortunately there is enough time to fix them. I'll try to help fixing them step by step. signature.asc Description: This is a digitally signed message part
Bug#1057171: libitext5-java: FTBFS with bouncycastle 1.77
Source: libitext5-java Version: 5.5.13.3-2 Severity: serious Tags: ftbfs sid User: a...@debian.org Usertags: bouncycastle-1.77 X-Debbugs-Cc: a...@debian.org Dear maintainer, libitext5-java fails to build from source with bouncycastle 1.77. The reason is the removal of long deprecated methods. The (hopefully) relevant error message from the build log. BUILD FAILURE [INFO] [INFO] Total time: 12.832 s [INFO] Finished at: 2023-11-30T13:27:49+01:00 [INFO] [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler- plugin:3.10.1:compile (default-compile) on project itextpdf: Compilation failure: Compilation failure: [ERROR] /<>/itext/src/main/java/com/itextpdf/text/pdf/security/PdfPKCS7.ja va:[223,95] cannot find symbol [ERROR] symbol: method getObject() [ERROR] location: class org.bouncycastle.asn1.ASN1TaggedObject [ERROR] /<>/itext/src/main/java/com/itextpdf/text/pdf/security/PdfPKCS7.ja va:[246,109] cannot find symbol [ERROR] symbol: method getObject() [ERROR] location: class org.bouncycastle.asn1.ASN1TaggedObject [ERROR] /<>/itext/src/main/java/com/itextpdf/text/pdf/security/PdfPKCS7.ja va:[346,70] cannot find symbol [ERROR] symbol: method getObject() [ERROR] location: variable tg of type org.bouncycastle.asn1.ASN1TaggedObject [ERROR] /<>/itext/src/main/java/com/itextpdf/text/pdf/security/PdfPKCS7.ja va:[350,70] cannot find symbol [ERROR] symbol: method getObject() [ERROR] location: variable tg of type org.bouncycastle.asn1.ASN1TaggedObject [ERROR] /<>/itext/src/main/java/com/itextpdf/text/pdf/security/PdfPKCS7.ja va:[1286,28] cannot find symbol [ERROR] symbol: method getObject() [ERROR] location: variable tag of type org.bouncycastle.asn1.ASN1TaggedObject [ERROR] /<>/itext/src/main/java/com/itextpdf/text/pdf/security/PdfPKCS7.ja va:[1287,48] cannot find symbol [ERROR] symbol: method getObject() [ERROR] location: variable tag of type org.bouncycastle.asn1.ASN1TaggedObject [ERROR] /<>/itext/src/main/java/com/itextpdf/text/pdf/security/Certificate Util.java:[123,67] incompatible types: org.bouncycastle.asn1.ASN1IA5String cannot be converted to org.bouncycastle.asn1.DERIA5String [ERROR] -> [Help 1] [ERROR] signature.asc Description: This is a digitally signed message part
Bug#1057170: ssl-utils-clojure: FTBFS with bouncycastle 1.77
Source: ssl-utils-clojure Version: 3.5.0-2 Severity: serious Tags: ftbfs sid User: a...@debian.org Usertags: bouncycastle-1.77 X-Debbugs-Cc: a...@debian.org Dear maintainer, ssl-utils-clojure fails to build from source with bouncycastle 1.77. The reason is the removal of long deprecated methods. The (hopefully) relevant error message from the build log. lein jar Compiling 2 source files to /<>/target/classes /<>/src/java/com/puppetlabs/ssl_utils/ExtensionsUtils.java:632: error: cannot find symbol return asn1ObjToObj(taggedObj.getObject()); ^ symbol: method getObject() location: variable taggedObj of type ASN1TaggedObject 1 error Compilation of Java sources(lein javac) failed. make[1]: *** [debian/rules:19: override_dh_auto_build] Error 1 make[1]: Leaving directory '/<>' make: *** [debian/rules:11: binary] Error 2 dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2 --- - signature.asc Description: This is a digitally signed message part
Bug#1057169: pdftk-java: FTBFS with bouncycastle 1.77
Source: pdftk-java Version: 3.3.3-1 Severity: serious Tags: ftbfs sid User: a...@debian.org Usertags: bouncycastle-1.77 X-Debbugs-Cc: a...@debian.org Dear maintainer, pdftk-java fails to build from source with bouncycastle 1.77. The reason is the removal of long deprecated methods. The (hopefully) relevant error message from the build log. [javac] /<>/java/com/gitlab/pdftk_java/com/lowagie/text/pdf/PdfPKCS7.java: 228: error: cannot find symbol [javac] ASN1Sequence content = (ASN1Sequence)((DERTaggedObject)signedData.getObjectAt(1)).getObject(); [javac] ^ [javac] symbol: method getObject() [javac] location: class DERTaggedObject [javac] /<>/java/com/gitlab/pdftk_java/com/lowagie/text/pdf/PdfPKCS7.java: 261: error: cannot find symbol [javac] DEROctetString rsaDataContent = (DEROctetString)((DERTaggedObject)rsaData.getObjectAt(1)).getObject(); [javac] ^ [javac] symbol: method getObject() [javac] location: class DERTaggedObject [javac] /<>/java/com/gitlab/pdftk_java/com/lowagie/text/pdf/PdfPKCS7.java: 297: error: cannot find symbol [javac] ASN1Sequence sseq = (ASN1Sequence)tagsig.getObject(); [javac] ^ [javac] symbol: method getObject() [javac] location: variable tagsig of type ASN1TaggedObject [javac] /<>/java/com/gitlab/pdftk_ signature.asc Description: This is a digitally signed message part
Bug#1057168: jdeb: FTBFS with bouncycastle 1.77
Source: jdeb Version: 1.9-1 Severity: serious Tags: ftbfs sid User: a...@debian.org Usertags: bouncycastle-1.77 X-Debbugs-Cc: a...@debian.org Dear maintainer, jdeb fails to build from source with bouncycastle 1.77. The reason is the removal of long deprecated methods. The (hopefully) relevant error message from the build log. ERROR] Failures: [ERROR] PGPSignerTestCase.testClearSign:79->Assert.assertEquals:146- >Assert.assertEquals:117 expected:<...[] -END PGP SIGNAT...> but was:<...[Sek] -END PGP SIGNAT...> [INFO] [ERROR] Tests run: 90, Failures: 1, Errors: 0, Skipped: 0 [INFO] [INFO] [INFO] BUILD FAILURE [INFO] [INFO] Total time: 14.039 s [INFO] Finished at: 2023-11-30T13:32:26+01:00 [INFO] [ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire- plugin:2.22.3:test (default-test) on project jdeb: There are test failures. [ERROR] [ERROR] Please refer to /<>/target/surefire-reports for the individual test results. [ERROR] Please refer to dump files (if any exist) [date].dump, [date]- jvmRun[N].dump and [date].dumpstream. [ERROR] -> [Help 1] [ERROR] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch. [ERROR] Re-run Maven using the -X switch to enable full debug logging. [ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException [0m[0mdh_auto_test: error: /usr/lib/jvm/default-java/bin/java -noverify -cp /usr/share/maven/boot/plexus-classworlds-2.x.jar -Dmaven.home=/usr/share/maven -Dmaven.multiModuleProjectDirectory=/<> - Dclassworlds.conf=/etc/maven/m2-debian.conf - Dproperties.file.manual=/<>/debian/maven.properties org.codehaus.plexus.classworlds.launcher.Launcher -s/etc/maven/settings- debian.xml -Ddebian.dir=/<>/debian - Dmaven.repo.local=/<>/debian/maven-repo --batch-mode test returned exit code 1 make: *** [debian/rules:6: build] Error 25 dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2 signature.asc Description: This is a digitally signed message part
Bug#1057167: libapache-poi-java: FTBFS with bouncycastle 1.77
Source: libapache-poi-java Version: 4.0.1-4 Severity: serious Tags: ftbfs sid User: a...@debian.org Usertags: bouncycastle-1.77 X-Debbugs-Cc: a...@debian.org Dear maintainer, libapache-poi-java fails to build from source with bouncycastle 1.77. The reason is the removal of long deprecated methods. The (hopefully) relevant error message from the build log. ompile-ooxml: [javac] Compiling 589 source files to /<>/build/ooxml-classes [javac] Ignoring source, target and bootclasspath as release has been set [javac] /<>/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/XAdESXLS ignatureFacet.java:235: error: cannot find symbol [javac] ASN1OctetString keyHashOctetString = (ASN1OctetString)derTaggedObject.getObject(); [javac] ^ [javac] symbol: method getObject() [javac] location: variable derTaggedObject of type DERTaggedObject [javac] /<>/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/XAdESXLS ignatureFacet.java:239: error: cannot find symbol [javac] X500Name name = X500Name.getInstance(derTaggedObject.getObject()); [javac] ^ [javac] symbol: method getObject() [javac] location: variable derTaggedObject of type DERTaggedObject [javac] Note: Some input files use or override a deprecated API. [javac] Note: Recompile with -Xlint:deprecation for details. [javac] Note: /<>/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.j ava uses unchecked or unsafe operations. [javac] Note: Recompile with -Xlint:unchecked for details. [javac] 2 errors BUILD FAILED /<>/build.xml:1133: Compile failed; see the compiler error output for details. signature.asc Description: This is a digitally signed message part
Bug#1057166: pgpainless: FTBFS with bouncycastle 1.77
Source: pgpainless Version: 1.3.16-2 Severity: serious Tags: ftbfs sid User: a...@debian.org Usertags: bouncycastle-1.77 X-Debbugs-Cc: a...@debian.org Dear maintainer, pgpainless fails to build from source with bouncycastle 1.77. The reason is the removal of long deprecated methods. The (hopefully) relevant error message from the build log. It seems, in this case, just a test is failing now. Failures (1): JUnit Jupiter:CertifyCertificateTest:testKeyDelegation() MethodSource [className = 'org.pgpainless.key.certification.CertifyCertificateTest', methodName = 'testKeyDelegation', methodParameterTypes = ''] => org.pgpainless.exception.SignatureValidationException: Cannot verify direct-key signature correctness org.pgpainless.signature.consumer.SignatureValidator$17.verify(SignatureValidat or.java:547) org.pgpainless.signature.consumer.SignatureVerifier.verifyDirectKeySignature(Si gnatureVerifier.java:328) org.pgpainless.key.certification.CertifyCertificateTest.testKeyDelegation(Certi fyCertificateTest.java:98) java.base/java.lang.reflect.Method.invoke(Method.java:568) java.base/java.util.ArrayList.forEach(ArrayList.java:1511) [...] Caused by: org.bouncycastle.openpgp.PGPException: signature is not a key binding signature. org.bouncycastle.openpgp.PGPSignature.verifyCertification(Unknown Source) org.pgpainless.signature.consumer.SignatureValidator$17.verify(SignatureValidat or.java:539) [...] Test run finished after 44748 ms [ 240 containers found ] [ 0 containers skipped] [ 240 containers started] [ 0 containers aborted] [ 240 containers successful ] [ 0 containers failed ] [ 732 tests found ] [ 1 tests skipped ] [ 731 tests started ] [ 0 tests aborted ] [ 730 tests successful ] [ 1 tests failed ] signature.asc Description: This is a digitally signed message part
Bug#1057165: libitext-java: FTBFS with bouncycastle 1.77
Source: libitext-java Version: 2.1.7-14 Severity: serious Tags: ftbfs sid User: a...@debian.org Usertags: bouncycastle-1.77 X-Debbugs-Cc: a...@debian.org Dear maintainer, libitext-java fails to build from source with bouncycastle 1.77. The reason is the removal of long deprecated methods. The (hopefully) relevant error message from the build log. compile: [mkdir] Created dir: /<>/build/bin [javac] /<>/ant/compile.xml:45: warning: 'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to false for repeatable builds [javac] Using javac -source 1.5 is no longer supported, switching to 7 [javac] Using javac -target 1.5 is no longer supported, switching to 7 [javac] Compiling 359 source files to /<>/build/bin [javac] warning: [options] bootstrap class path not set in conjunction with -source 7 [javac] warning: [options] source value 7 is obsolete and will be removed in a future release [javac] warning: [options] target value 7 is obsolete and will be removed in a future release [javac] warning: [options] To suppress warnings about obsolete options, use -Xlint:-options. [javac] /<>/core/com/lowagie/text/pdf/MappedRandomAccessFile.java:58: warning: [removal] AccessController in java.security has been deprecated and marked for removal [javac] import java.security.AccessController; [javac] ^ [javac] /<>/core/com/lowagie/text/pdf/PdfPKCS7.java:356: error: cannot find symbol [javac] if (tag.getObject() instanceof ASN1Sequence) { [javac]^ [javac] symbol: method getObject() [javac] location: variable tag of type ASN1TaggedObject [javac] /<>/core/com/lowagie/text/pdf/PdfPKCS7.java:357: error: cannot find symbol [javac] seq = (ASN1Sequence)tag.getObject(); [javac]^ [javac] symbol: method getObject() [javac] location: variable tag of type ASN1TaggedObject [javac] /<>/core/com/lowagie/text/pdf/PdfPKCS7.java:403: error: cannot find symbol [javac] ASN1Sequence content = (ASN1Sequence)((DERTaggedObject)signedData.getObjectAt(1)).getObject(); [javac] ^ [javac] symbol: method getObject() [javac] location: class DERTaggedObject [javac] /<>/core/com/lowagie/text/pdf/PdfPKCS7.java:435: error: cannot find symbol [javac] DEROctetString rsaDataContent = (DEROctetString)((DERTaggedObject)rsaData.getObjectAt(1)).getObject(); [javac] ^ [javac] symbol: method getObject() [javac] location: class DERTaggedObject [javac] /<>/core/com/lowagie/text/pdf/PdfPKCS7.java:488: error: cannot find symbol [javac] ASN1Sequence seqin = (ASN1Sequence)tg.getObject(); [javac] ^ [javac] symbol: method getObject() [javac] location: variable tg of type ASN1TaggedObject [javac] /<>/core/com/lowagie/text/pdf/FontDetails.java:264: warning: [removal] Integer(int) in Integer has been deprecated and marked for removal [javac] Integer codeKey = new Integer(code); [javac] ^ [javac] /<>/core/com/lowagie/text/pdf/TrueTypeFontUnicode.java:144: warning: [removal] Integer(int) in Integer has been deprecated and marked for removal [javac] inverseCmap.put(new Integer(metrics[0]), code); [javac] ^ [javac] /<>/core/com/lowagie/text/pdf/TrueTypeFontUnicode.java:150: warning: [removal] Integer(int) in Integer has been deprecated and marked for removal [javac] return inverseCmap == null ? null : (Integer) inverseCmap.get(new Integer(code)); [javac] ^ [javac] /<>/core/com/lowagie/text/pdf/MappedRandomAccessFile.java:203: warning: [removal] AccessController in java.security has been deprecated and marked for removal [javac] Boolean b = (Boolean) AccessController.doPrivileged(new PrivilegedAction() { [javac] ^ [javac] Note: Some input files use or override a deprecated API. [javac] Note: Recompile with -Xlint:deprecation for details. [javac] Note: Some input files use unchecked or unsafe operations. [javac] Note: Recompile with -Xlint:unchecked for details. [javac] 5 errors [javac] 9 warnings signature.asc Description: This is a digitally signed message part
Bug#1057162: jglobus: FTBFS with bouncycastle 1.77
Source: jglobus Version: 2.1.0-8.1 Severity: serious Tags: ftbfs sid User: a...@debian.org Usertags: bouncycastle-1.77 X-Debbugs-Cc: a...@debian.org Dear maintainer, jglobus fails to build from source with bouncycastle 1.77. The reason is the removal of long deprecated methods. The (hopefully) relevant error message from the build log. [ERROR] COMPILATION ERROR : [INFO] - [ERROR] /<>/ssl-proxies/src/main/java/org/globus/gsi/proxy/ext/ProxyPolicy.java:[63,46] cannot find symbol symbol: method getObject() location: class org.bouncycastle.asn1.DERTaggedObject [INFO] 1 error
Bug#1032164: bouncycastle: inconsistency in debian/rules?
Hi, On Tue, 28 Feb 2023 22:08:12 +0100 Thomas Uhle wrote: > Source: bouncycastle > Version: 1.72-1 > Severity: normal > > Dear maintainers, > > I wonder why in debian/rules the pom files were synchronized with the > ones from Maven having the suffix "-jdk18on" while for building the binary > packages still "ant/jdk15+.xml" is used instead of "ant/jdk18+.xml". Good question. Perhaps the jdk18+ jar files were breaking some reverse- dependencies in the past. The soon to be released 1.77 version of bouncycastle will require updates of several of those reverse-dependencies. As soon as those issues are fixed, we can rebuild everything with jdk18+ again. signature.asc Description: This is a digitally signed message part
Bug#1019488: bouncycastle: incomplete information in the manifest files
This problem still exists in 1.77 (to be released soon). That sounds like a bnd problem. I can find a reference to a bnd.sh script but it is not included in the source distribution. There is also a add_module.sh script. If we can't find a way to automate this build step, we could use jh_manifest which I would prefer over the patch. signature.asc Description: This is a digitally signed message part
Bug#1057077: rabbitmq-server: .erlang.cookie overwritten if 20 uppercase characters
Source: rabbitmq-server Version: 3.10.8-3 Severity: normal Dear Maintainer, The postinst script will overwrite the `/var/lib/rabbitmq/.erlang.cookie` file if it contains exactly 20 uppercase characters. ``` if grep -q -E '^[A-Z]{20}$' /var/lib/rabbitmq/.erlang.cookie ; then OLD_UMASK=$(umask) umask 077; openssl rand -base64 -out /var/lib/rabbitmq/.erlang.cookie 42 umask ${OLD_UMASK} if [ ""$(ps --no-headers -o comm 1) = "systemd" ] ; then if systemctl is-active --quiet rabbitmq-server.service ; then systemctl restart rabbitmq-server.service fi fi fi ``` The rabbitmq-server service failed to start on one of our nodes in our cluster after the package was upgraded as the nodes in our cluster happen to share a .erlang.cookie that match this condition. This is a dangerous approach which the package should not enforce. If 20 uppercase characters is seen as insecure then the package should instead inform the user of it and not simply overwriting the file. This is bug report was requested by the Ubuntu package maintainers when I filed a bug report on their tracker [1] as they use this source package as their upstream. [1] https://bugs.launchpad.net/ubuntu/+source/rabbitmq-server/+bug/2044248
Bug#1055857: transition: opm-common
Hi, Am Thu, Nov 23, 2023 at 09:32:31AM +0100 schrieb Sebastian Ramacher: On 2023-11-12 21:42:20 +0100, Markus Blatt wrote: Dear Debian release team, A new upstream release of OPM is available. To ease migration to testing I am requesting a mini-transition. Uploading to unstable would probably work even without a transition, but I would like to play it safe. This should only affect the OPM source packages opm-common, opm-grid, opm- models, opm-simulators and opm-upscaling. I have already uploaded new versions to experimental that seemed to have built without any issues, see [1]. (please explain about the transition: impacted packages, reason, ... for more info see: https://wiki.debian.org/Teams/ReleaseTeam/Transitions) Ben file: title = "libopm-common-2023"; is_affected = .depends ~ "libopm-common-2023.04" | .depends ~ "libopm- common-2023.10"; is_good = .depends ~ "libopm-common-2023.10"; is_bad = .depends ~ "libopm-common-2023.04"; libopm-common has a Provides: libopm-common-X, but the shared library included in libopm-common also has a SONAME of libopm-common.X. Why is the packaging not following the common practice of matching the package name with the SONAME? Thanks a lot for noticing. Indeed the library has an SONAME, but as upstream does not care about API changes, one cannot rely on them. Basically the SONAME is changed with every release. Releases happen twice a year in April/October. Hence we have 2022.04, 2022.10, 2023.04, 2023.10, etc. The problem probably is that there is no compatibility between 2023.04 and 2023.10. If we would do intermediate snapshot releases, then those might have slightly incompatibe APIs, too. The reason for the current situation probably is a combination of lack of knowledge on my side and inspiration taken from libdune-common-dev. I now realise that the situation is different here, though. Solving the SONAME issue might require quite some additional work. We would need to start with 2024.0 now and increase the major number with every release. If we do this only in Debian then those numbers would also differ from upstream, which might be a problem. What would your suggestion be? Cheers, Markus
Bug#1052589: Additional information
> > https://salsa.debian.org/java-team/apache-directory-server/-/merge_requests/1 > > The patch looks good to me. Markus, do you have a preference for this > patch over updating to M27? I haven't looked closely at the efforts to > update to M27 aside from the fact that our (other) patches will need to > be ported, and there could be some build adjustments for the dependency > on BouncyCastle. Hi tony and thanks Vladimir for preparing the patch. I only had a brief look at this issue but I am all for applying the patch now rather than wait before someone can upgrade apache-directory-server to a new upstream release. If it works, go for it. :) Cheers, Markus signature.asc Description: This is a digitally signed message part
Bug#975405: libwabt.js => sucess but need policy and help
Hey, Am Montag, dem 13.11.2023 um 09:19 + schrieb Bastien Roucariès: [...] > Apo can I add myself to your package ? Do you care to comaintain with > javascript team ? I assume you are referring to wabt and this bug report [1] ? Do you have a solution for the circular dependency that building libwabt.js would create? In general I would be totally fine if you or the Javascript team would completely take over wabt and binaryen because both of them and emscripten are closely related. See also #1052003; emscripten FTBFS with binaryen from experimental. Personally I only need wabt and binaryen to build WebAssembly code from source for the ublock-origin Firefox/Chromium addon but I'm not really interested in becoming more involved in the Javascript ecosystem. So feel free to take over both packages and remove me as the maintainer. Regards, Markus [1] https://bugs.debian.org/975405 signature.asc Description: This is a digitally signed message part
Bug#1055857: transition: opm-common
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition X-Debbugs-Cc: debian-scie...@lists.debian.org Dear Debian release team, A new upstream release of OPM is available. To ease migration to testing I am requesting a mini-transition. Uploading to unstable would probably work even without a transition, but I would like to play it safe. This should only affect the OPM source packages opm-common, opm-grid, opm- models, opm-simulators and opm-upscaling. I have already uploaded new versions to experimental that seemed to have built without any issues, see [1]. (please explain about the transition: impacted packages, reason, ... for more info see: https://wiki.debian.org/Teams/ReleaseTeam/Transitions) Ben file: title = "libopm-common-2023"; is_affected = .depends ~ "libopm-common-2023.04" | .depends ~ "libopm- common-2023.10"; is_good = .depends ~ "libopm-common-2023.10"; is_bad = .depends ~ "libopm-common-2023.04"; Thanks a lot. Kind regards, Markus [1] https://qa.debian.org/developer.php?login=markus%40dr-blatt.de
Bug#1055348: jetty9: Update from DLA 3641 breaks puppetdb ("Exception in thread "main" java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.ecl
Control: reassign -1 trapperkeeper-webserver-jetty9-clojure Control: found -1 1.7.0-2+deb10u1 Control: close -1 1.7.0-2+deb10u2 I have just released DLA 3647-1. I believe this problem is fixed in version 1.7.0-2+deb10u2 of trapperkeeper-webserver-jetty9-clojure now. Regards, Markus signature.asc Description: This is a digitally signed message part
Bug#1055348: jetty9: Update from DLA 3641 breaks puppetdb ("Exception in thread "main" java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.ecl
Am Sonntag, dem 05.11.2023 um 20:35 + schrieb Adam D. Barratt: > [...] > After a bit of searching, I happened across a discussion of a similar > change in a different product that mentioned the > SslContextFactory$Server syntax, so gave that a try. The resulting > package is now installed on handel.d.o and seems to work - at least, > it's been running for 45 minutes now (whereas the broken versions > lasted less than 5 minutes) and at least one client has successfully > made a "puppet agent" run in the meantime. > > I've attached a debdiff of the package we're now running, with the > revised patch. Great, thanks for the update. I feared the Java dot syntax couldn't be applied one-to-one to Clojure. I suggest we wait another 24h to confirm it works and if you don't see another regression then I'll release a new update tomorrow. Regards, Markus signature.asc Description: This is a digitally signed message part
Bug#1055348: jetty9: Update from DLA 3641 breaks puppetdb ("Exception in thread "main" java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.ecl
Am Sonntag, dem 05.11.2023 um 16:33 + schrieb Adam D. Barratt: > [...] > Do you have an idea how simple rebuilding the bullseye package on > buster would be? I'm happy to try that in general, but I've not really > looked at the Java ecosystem in Debian much. Sorry, I missed those new or updated dependencies. That complicates the matter a little. We also have to deal with clojure here, a LISP dialect of the Java language with a different build system (leiningen), but if all dependencies were in place a rebuild would be pretty simple. As a last resort I could bundle all those dependencies together with trapperkeeper-* the Java way TM but I hope we can avoid that. The most ideal solution is a patch for the current version in Buster. I have uploaded a new revision to people.debian.org with minimal changes here: https://people.debian.org/~apo/lts/buster/trapperkeeper-webserver-jetty9-clojure/ dget - x https://people.debian.org/~apo/lts/buster/trapperkeeper-webserver-jetty9-clojure/ trapperkeeper-webserver-jetty9-clojure_1.7.0-2+deb10u1.1.dsc should work as expected. I'm attaching the debdiff as well. My solution is to replace the old SslContextFactory class with the new inner SslContextFactory.Server class but I don't know if this change has the desired effect because I couldn't test it. FTR, the already applied 0005-maint-Disable-EndpointIdentification.patch (new in version +deb10u1) is related to the problem. Actually back then it did "fix" the SSL problem and I'm a bit surprised it resurfaced now. There is also a third alternative. I could revert the split change in jetty9. https://github.com/jetty/jetty.project/pull/3480/files#diff-58640db0f8f2cd84b7e653d1c1540913 If the new revision doesn't work for you, please send me your puppetdb config, and I try to figure out a solution myself without the feedback loop delay. Thanks in advance. Regards, Markus diff -Nru trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/changelog trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/changelog --- trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/changelog 2019-09-13 11:00:50.0 +0200 +++ trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/changelog 2023-11-05 18:06:31.0 +0100 @@ -1,3 +1,10 @@ +trapperkeeper-webserver-jetty9-clojure (1.7.0-2+deb10u1.1) buster-security; urgency=medium + + * Non-maintainer upload. + * Replace deprecated class SslContextFactory with SslContextFactory.Server. + + -- Markus Koschany Sun, 05 Nov 2023 18:06:31 +0100 + trapperkeeper-webserver-jetty9-clojure (1.7.0-2+deb10u1) buster; urgency=medium [ Manfred Stock ] diff -Nru trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/0005-maint-Disable-EndpointIdentification.patch trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/0005-maint-Disable-EndpointIdentification.patch --- trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/0005-maint-Disable-EndpointIdentification.patch 2019-09-13 10:54:48.0 +0200 +++ trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/0005-maint-Disable-EndpointIdentification.patch 2023-11-05 18:06:31.0 +0100 @@ -1,4 +1,3 @@ -From 9db4170381e07165078e544340e12b38676c2613 Mon Sep 17 00:00:00 2001 From: Justin Stoller Date: Fri, 24 May 2019 16:10:44 -0700 Subject: [PATCH] (maint) Disable EndpointIdentification @@ -30,10 +29,10 @@ 1 file changed, 1 insertion(+) diff --git a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj -index 3a577bb..02e7c7d 100644 +index 99c9885..28cfef7 100644 --- a/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj +++ b/src/puppetlabs/trapperkeeper/services/webserver/jetty9_core.clj -@@ -197,6 +197,7 @@ +@@ -192,6 +192,7 @@ (.setKeyStore (:keystore keystore-config)) (.setKeyStorePassword (:key-password keystore-config)) (.setTrustStore (:truststore keystore-config)) @@ -41,6 +40,3 @@ ;; Need to clear out the default cipher suite exclude list so ;; that Jetty doesn't potentially remove one or more ciphers ;; that we want to be included. --- -2.20.1 - diff -Nru trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/series trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/series --- trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/series 2019-09-13 10:54:48.0 +0200 +++ trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/series 2023-11-05 18:06:31.0 +0100 @@ -3,3 +3,4 @@ 0003-TK-369-Add-LifeCycleImplementingRequestLogImpl.patch 0004-Implement-LifeCycle-methods-missing-from-RequestLogI.patch 0005-maint-Disable-EndpointIdentification.patch +SslContextFactory.patch diff -Nru trapperkeeper-webserver-jetty9-clojure-1.7.0/debian/patches/SslContextFactory.patch trapperkeeper-webserv
Bug#1055382: trapperkeeper-webserver-jetty9-clojure: end-of-life support for jetty9
Source: trapperkeeper-webserver-jetty9-clojure Version: 4.4.1-5 Severity: normal X-Debbugs-Cc: a...@debian.org Dear maintainer, this is a heads-up to let you know that jetty9 has reached its end-of-life and will not receive official upstream security support anymore. I plan to package a supported jetty version this release cycle which will replace jetty9 eventually. At the moment jetty 11 seems to be the best version because it supports the Jakarta servlet API but this is not finally decided yet. It seems trapperkeeper-webserver-jetty9-clojure is tightly coupled with puppetdb and jetty9 is currently the only supported version. Please prepare for the removal of jetty9 during the trixie release cycle. If this is not feasible then there will be no security support for jetty9 and thus puppetdb anymore. Regards, Markus
Bug#1055348: jetty9: Update from DLA 3641 breaks puppetdb ("Exception in thread "main" java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.ecl
Hello, Am Samstag, dem 04.11.2023 um 17:03 + schrieb Adam D. Barratt: > Source: jetty9 > Version: 9.4.50-4+deb10u1 > Severity: serious > X-Debbugs-Cc: d...@debian.org > > Hi, > > Upgrading libjetty9-java and libjetty9-extra-java to the version from > DLA 3641-1 reliably causes PuppetDB to fail to start, with the > stacktrace shown below. Downgrading resolves the issue. > > I'm not sure which keystore is being referred to, but none of the files > listed in /etc/puppetdb/conf.d/jetty.ini appear to contain more than a > single certificate. thanks for the report. This looks like a bug in trapperkeeper-webserver-jetty9- clojure to me. Upstream commit https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/commit/3ee6a410436c1a236ca33d511c5373c3328054ef appears to address the problem. The version in Buster lacks the InternalSslContextFactory class though. Instead the deprecated SslContextFactory class is referenced in jetty9_config.clj and jetty9_core.clj. My first idea is to change SslContextFactory occurrences to SslContextFactory.Server. Backporting the version of trapperkeeper-webserver-jetty9-clojure from Bullseye to Buster is the second one. AFAICS puppetdb and puppetserver are the only consumers. Could you install the version of trapperkeeper-webserver-jetty9-clojure from Bullseye and reinstall the jetty9 security update and report back if this solves your problem? Regards, Markus signature.asc Description: This is a digitally signed message part
Bug#840955: Status of ITP/RFP courier-zdkimfilter
Hello Helge, On 11/1/23 10:18, Helge Kreutzmann wrote: I haven't done anything besides doing a testbuild. Before proceeding further I wanted to inquire about the status of your work on this package, so I don't waste time redoing Debian integration. thanks for reaching out. Unfortunately, I can only tell you that I plan to abandon packaging of courier altogether. It's been a struggle for me to keep up the community work recently and many people were far less than appreciative. Noticing that upstream now runs their own packaging convinced me it's not worth for me to keep maintaining this for Debian proper. Sorry for the rather bad news. Markus
Bug#1054122: bookworm-pu: package axis/1.4-28
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: a...@debian.org [ Reason ] Fixing CVE-2023-40743: Axis allows potentially dangerous lookup mechanisms which may lead to DoS, SSRF or even RCE. [ Tests ] The fix is trivial. If the name of the JNDI service contains a certain string then do nothing. That filters out unsupported protocols effectively. [ Risks ] Axis in Debian is mainly used to build other software packages and serves no other purpose. It is very unlikely that it is used in third party applications outside of Debian but better safe than sorry. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Regards, Markus diff -Nru axis-1.4/debian/changelog axis-1.4/debian/changelog --- axis-1.4/debian/changelog 2018-12-03 08:25:51.0 +0100 +++ axis-1.4/debian/changelog 2023-10-17 14:05:20.0 +0200 @@ -1,3 +1,15 @@ +axis (1.4-28+deb12u1) bookworm; urgency=medium + + * Team upload. + * Fix CVE-2023-40743: +When integrating Apache Axis 1.x in an application, it may not have been +obvious that looking up a service through "ServiceFactory.getService" +allows potentially dangerous lookup mechanisms such as LDAP. When passing +untrusted input to this API method, this could expose the application to +DoS, SSRF and even attacks leading to RCE. (Closes: #1051288) + + -- Markus Koschany Tue, 17 Oct 2023 14:05:20 +0200 + axis (1.4-28) unstable; urgency=medium * Fixed the build failure with Java 11 (Closes: #911187) diff -Nru axis-1.4/debian/patches/CVE-2023-40743.patch axis-1.4/debian/patches/CVE-2023-40743.patch --- axis-1.4/debian/patches/CVE-2023-40743.patch1970-01-01 01:00:00.0 +0100 +++ axis-1.4/debian/patches/CVE-2023-40743.patch2023-10-17 14:05:20.0 +0200 @@ -0,0 +1,32 @@ +From: Markus Koschany +Date: Tue, 17 Oct 2023 00:46:49 +0200 +Subject: CVE-2023-40743 + +Origin: https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 +--- + src/org/apache/axis/client/ServiceFactory.java | 5 + + 1 file changed, 5 insertions(+) + +diff --git a/src/org/apache/axis/client/ServiceFactory.java b/src/org/apache/axis/client/ServiceFactory.java +index 33054a5..73e89ee 100644 +--- a/src/org/apache/axis/client/ServiceFactory.java b/src/org/apache/axis/client/ServiceFactory.java +@@ -106,6 +106,10 @@ public class ServiceFactory extends javax.xml.rpc.ServiceFactory + + if (context != null) { + String name = (String)environment.get("jndiName"); ++ ++ if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 || name.toUpperCase().indexOf("JMX")!=-1) || name.toUpperCase().indexOf("JRMP")!=-1 || name.toUpperCase().indexOf("JAVA")!=-1 || name.toUpperCase().indexOf("DNS")!=-1) { ++ return null; ++} + if (name == null) { + name = "axisServiceName"; + } +@@ -120,6 +124,7 @@ public class ServiceFactory extends javax.xml.rpc.ServiceFactory + context.bind(name, service); + } catch (NamingException e1) { + // !!! Couldn't do it, what should we do here? ++ return null; + } + } + } else { diff -Nru axis-1.4/debian/patches/series axis-1.4/debian/patches/series --- axis-1.4/debian/patches/series 2018-12-03 00:33:50.0 +0100 +++ axis-1.4/debian/patches/series 2023-10-17 14:05:20.0 +0200 @@ -8,3 +8,4 @@ java9-compatibility.patch java11-compatibility.patch CVE-2018-8032.patch +CVE-2023-40743.patch
Bug#1054121: bullseye-pu: package axis/1.4-28
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: a...@debian.org [ Reason ] Fixing CVE-2023-40743: Axis allows potentially dangerous lookup mechanisms which may lead to DoS, SSRF or even RCE. [ Tests ] The fix is trivial. If the name of the JNDI service contains a certain string then do nothing. That filters out unsupported protocols effectively. [ Risks ] Axis in Debian is mainly used to build other software packages and serves no other purpose. It is very unlikely that it is used in third party applications outside of Debian but better safe than sorry. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Regards, Markus diff -Nru axis-1.4/debian/changelog axis-1.4/debian/changelog --- axis-1.4/debian/changelog 2018-12-03 08:25:51.0 +0100 +++ axis-1.4/debian/changelog 2023-10-17 14:05:20.0 +0200 @@ -1,3 +1,15 @@ +axis (1.4-28+deb11u1) bullseye; urgency=medium + + * Team upload. + * Fix CVE-2023-40743: +When integrating Apache Axis 1.x in an application, it may not have been +obvious that looking up a service through "ServiceFactory.getService" +allows potentially dangerous lookup mechanisms such as LDAP. When passing +untrusted input to this API method, this could expose the application to +DoS, SSRF and even attacks leading to RCE. (Closes: #1051288) + + -- Markus Koschany Tue, 17 Oct 2023 14:05:20 +0200 + axis (1.4-28) unstable; urgency=medium * Fixed the build failure with Java 11 (Closes: #911187) diff -Nru axis-1.4/debian/patches/CVE-2023-40743.patch axis-1.4/debian/patches/CVE-2023-40743.patch --- axis-1.4/debian/patches/CVE-2023-40743.patch1970-01-01 01:00:00.0 +0100 +++ axis-1.4/debian/patches/CVE-2023-40743.patch2023-10-17 14:05:20.0 +0200 @@ -0,0 +1,32 @@ +From: Markus Koschany +Date: Tue, 17 Oct 2023 00:46:49 +0200 +Subject: CVE-2023-40743 + +Origin: https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 +--- + src/org/apache/axis/client/ServiceFactory.java | 5 + + 1 file changed, 5 insertions(+) + +diff --git a/src/org/apache/axis/client/ServiceFactory.java b/src/org/apache/axis/client/ServiceFactory.java +index 33054a5..73e89ee 100644 +--- a/src/org/apache/axis/client/ServiceFactory.java b/src/org/apache/axis/client/ServiceFactory.java +@@ -106,6 +106,10 @@ public class ServiceFactory extends javax.xml.rpc.ServiceFactory + + if (context != null) { + String name = (String)environment.get("jndiName"); ++ ++ if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 || name.toUpperCase().indexOf("JMX")!=-1) || name.toUpperCase().indexOf("JRMP")!=-1 || name.toUpperCase().indexOf("JAVA")!=-1 || name.toUpperCase().indexOf("DNS")!=-1) { ++ return null; ++} + if (name == null) { + name = "axisServiceName"; + } +@@ -120,6 +124,7 @@ public class ServiceFactory extends javax.xml.rpc.ServiceFactory + context.bind(name, service); + } catch (NamingException e1) { + // !!! Couldn't do it, what should we do here? ++ return null; + } + } + } else { diff -Nru axis-1.4/debian/patches/series axis-1.4/debian/patches/series --- axis-1.4/debian/patches/series 2018-12-03 00:33:50.0 +0100 +++ axis-1.4/debian/patches/series 2023-10-17 14:05:20.0 +0200 @@ -8,3 +8,4 @@ java9-compatibility.patch java11-compatibility.patch CVE-2018-8032.patch +CVE-2023-40743.patch
Bug#1053820: fixed in tomcat9 9.0.43-2~deb11u8
Am Dienstag, dem 17.10.2023 um 08:00 +1100 schrieb Sam Lander: > Hi Emmanuel > Last night, I re-enabled HTTP2 with the new (9.0.43-2~deb11u8) build. > Unfortunately, it did not fix my problem. > I am going to rummage with tcpdump and a purpose-installed debian VM to > investigate further. > Hopefully I can either track the problem down myself (not very likely), or at > least offer you a better quality bug report. > Hello Sam, there was another issue that we only found today. HTTP2 should work as expected in version 9.0.43-2~deb11u9 again. It will be released shortly. Regards, Markus signature.asc Description: This is a digitally signed message part
Bug#1053535: Add support for timestamps with nanoseconds [patch]
Hello, > i'm not at all convinced that this is a useful change, in particular > in a backup/restore tool. A restore tool should, as its name says, restore the backup as most pristine as possible. Currently dump/restore (on linux) restores timestamps only with seconds, dropping micro- or nanoseconds. > please provide more information as to what benefits this change is > expected to provide, For more than a decade linux kernels and ext2/3/4 filesystems support timestamps with nanoseconds. Most userland utilities have been updated to use it. dump/restore is overdue. It is a severe deficit loosing a part of time information when restoring a backup. I believe nowadays most expect that a backup tool uses all facilities the underlying system supports. > and how those benefits are supposed to outweight > the massive downside of complete incompatibility with existing backups. Incompatibility with existing backups is an issue only, if backups are archived. Usually backups are overwritten regularly. (In my case every two months.) In order to prevent a mismatch a version information at the beginng of a dumpfile (or tape) would be useful. I did not manage to find the code locations where dump begins to write resp. where restore begins to read. I have found restore contains some code to convert "old headers". I could not figure out, what this means. The code for opening and reading a dumpfile is rather complicated and not well documented. Please note the patch does not introduce a "complete incompatibility". I did some tests with mixed combinations with old/new dumps and old/new restores. Directories and files where restored correctly but with erroneous timestamps. Please note there already is a mismatch between sizeof(dinode) and sizeof(ext2_inode) before applying the patch. assert(sizeof(dinode_old) <= sizeof(ext2_inode)) failes. See compat/include/bsdcompat.h and dump/traverse.c. I have sent my patch in in order to share it with the community. May be someone else picks it up and adds version information to the dumpfile. Markus
Bug#1053820: libtomcat9-java: ERR_HTTP2_PROTOCOL_ERROR in browsers after upgrade 9.0.43-2~deb11u7 over u6
Hello and thanks for the report, I am currently looking into some test failures caused by the recent changes to Tomcat's HTTP2 stack. The following tests fail for Tomcat9 now. Your issue might be related. If we can find out more about the problem, we will address it in a future update as soon as possible. [concat] TEST-org.apache.coyote.http2.TestAsync.NIO.txt [concat] TEST-org.apache.coyote.http2.TestAsync.NIO2.txt [concat] TEST-org.apache.coyote.http2.TestHttp2Section_5_1.NIO.txt [concat] TEST-org.apache.coyote.http2.TestHttp2Section_5_1.NIO2.txt [concat] TEST-org.apache.coyote.http2.TestHttp2Section_5_2.NIO.txt [concat] TEST-org.apache.coyote.http2.TestHttp2Section_5_2.NIO2.txt [concat] TEST-org.apache.coyote.http2.TestHttp2Section_6_4.NIO.txt [concat] TEST-org.apache.coyote.http2.TestHttp2Section_6_4.NIO2.txt [concat] TEST-org.apache.coyote.http2.TestHttp2Section_6_5.NIO.txt [concat] TEST-org.apache.coyote.http2.TestHttp2Section_6_5.NIO2.txt [concat] TEST-org.apache.coyote.http2.TestHttp2Timeouts.NIO.txt [concat] TEST-org.apache.coyote.http2.TestHttp2Timeouts.NIO2.txt Markus signature.asc Description: This is a digitally signed message part
Bug#1053713: webkit2gtk: Build with ENABLE_PDFJS=OFF?
Source: webkit2gtk Version: 2.40.3-2~deb12u1 Severity: wishlist Dear Maintainer, Recent webkits force PDF rendering in the browser using pdf.js. To me, this is a pain for several reasons, including pdf.js not having my usual PDF viewer's key bindings, and PDF rendering being entirely broken on sites I have disabled javascript for (i.e., almost all of them). Regrettably, as far as I can tell, at this point there is no way to turn off pdf.js at runtime. I suspect the sort of person that is running webkit-based browsers will typically have configured some PDF reader they like as well and will hence likely be about as annoyed if their browser ignores that choice as I am. Given that, the lack of a runtime switch, and the fact that building a webkit package takes the better part of a day on my box: Any chance you could build with ENABLE_PDFJS=OFF at least until upstream fiddles in a runtime switch? Thanks, Markus -- System Information: Debian Release: 12.1 APT prefers stable-security APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'oldstable-updates'), (500, 'stable') Architecture: i386 (x86_64) Kernel: Linux 6.1.38 (SMP w/4 CPU threads) Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: sysvinit (via /sbin/init)
Bug#1053552: gavodachs2-server: Error while setting up with postgresql 16
On Fri, Oct 06, 2023 at 09:56:41AM +0200, Ole Streicher wrote: > 108s alter role untrusted set extra_float_digits=3 > 108s > 108s The database engine reported: > 108s > 108s ERROR: permission denied to alter role > 108s DETAIL: Only roles with the CREATEROLE attribute and the ADMIN option > 108s on role "untrusted" may alter this role. > > I don't think that has anything to do with the astropy update. This > seems to be connected to Postgresql version (16.0-2); a similar install > (with Postgresql 15.4-3) succeeded. Oh bother. Yeah, that's unrelated to astropy and absolutely related to increasingly tight rules in postgres. I'll think about a workaround (to restore this workaround) on Monday. -- Markus
Bug#1053461: bookworm-pu: package openrefine/3.6.2-2+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: a...@debian.org [ Reason ] Fixing CVE-2023-41886 and CVE-2023-41887. OpenRefine is a powerful free, open source tool for working with messy data. Prior to this version, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. [ Tests ] I have verified that the new test case works as expected. [ Risks ] Low, leaf package, all tests work as expected. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Other info ] Please note that I have previously uploaded another bookworm-pu, #1051429, to fix CVE-2023-37476. This update addresses the new CVE mentioned in this bug report. CVE-2023-37476 has been fixed with 3.6.2-2+deb12u1 already. diff --git a/debian/changelog b/debian/changelog index 16033d8..37acbbf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +openrefine (3.6.2-2+deb12u2) bookworm; urgency=medium + + * Fix CVE-2023-41887 and CVE-2023-41886: +OpenRefine is a powerful free, open source tool for working with messy +data. Prior to this version, a remote code execution vulnerability allows +any unauthenticated user to execute code on the server. + + -- Markus Koschany Wed, 04 Oct 2023 15:02:45 +0200 + openrefine (3.6.2-2+deb12u1) bookworm; urgency=medium * Fix CVE-2023-37476: diff --git a/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch b/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch new file mode 100644 index 000..274b758 --- /dev/null +++ b/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch @@ -0,0 +1,183 @@ +From: Markus Koschany +Date: Wed, 4 Oct 2023 14:39:55 +0200 +Subject: CVE-2023-41887 and CVE-2023-41886 + +Origin: https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511 +--- + .../extension/database/DatabaseConfiguration.java | 16 + .../database/mariadb/MariaDBConnectionManager.java | 12 +--- + .../database/mysql/MySQLConnectionManager.java | 11 +-- + .../database/pgsql/PgSQLConnectionManager.java | 11 +-- + .../database/sqlite/SQLiteConnectionManager.java| 9 - + .../database/DatabaseConfigurationTest.java | 21 + + 6 files changed, 48 insertions(+), 32 deletions(-) + create mode 100644 extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java + +diff --git a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java +index 47dad7f..3f0dd57 100644 +--- a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java +@@ -29,6 +29,9 @@ + package com.google.refine.extension.database; + + ++import java.net.URI; ++import java.net.URISyntaxException; ++ + public class DatabaseConfiguration { + + private String connectionName; +@@ -128,4 +131,17 @@ public class DatabaseConfiguration { + + + ++public URI toURI() { ++try { ++return new URI( ++"jdbc:" + databaseType.toLowerCase(), ++databaseHost + ((databasePort == 0) ? "" : (":" + databasePort)), ++"/" + databaseName, ++useSSL ? "useSSL=true" : null, ++null ++); ++} catch (URISyntaxException e) { ++throw new IllegalArgumentException(e); ++} ++} + } +diff --git a/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java b/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java +index 4af014a..04c7dc8 100644 +--- a/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java b/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java +@@ -139,7 +139,7 @@ public class MariaDBConnectionManager { + + Class.forName(type.getClassPath()); + DriverManager.setLoginTimeout(10); +-String dbURL = getDatabaseUrl(databaseConfiguration); ++String dbURL = databaseConfiguration.toURI().toString(); + connection = DriverManager.getConnection(dbURL, databaseConfiguration.getDatabaseUser(), + databaseConfiguration.getDatabasePassword()); + +@@ -173,14 +173,4 @@ public class MariaDBConnectionManager { + } + + } +- +- +- +-private static St
Bug#1052575: jss: CVE-2022-4132
Package: jss X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for jss. CVE-2022-4132[0]: Tomcat: Memory leak in JSS If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-4132 https://www.cve.org/CVERecord?id=CVE-2022-4132 Please adjust the affected versions in the BTS as needed. Regards, Markus signature.asc Description: This is a digitally signed message part
Bug#1052572: hoteldruid: CVE-2023-43371 CVE-2023-43373 CVE-2023-43374 CVE-2023-43375 CVE-2023-43376 CVE-2023-43377
Package: hoteldruid X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerabilities were published for hoteldruid. CVE-2023-43371[0]: | Hoteldruid v3.0.5 was discovered to contain a SQL injection | vulnerability via the numcaselle parameter at | /hoteldruid/creaprezzi.php. CVE-2023-43373[1]: | Hoteldruid v3.0.5 was discovered to contain a SQL injection | vulnerability via the n_utente_agg parameter at | /hoteldruid/interconnessioni.php. CVE-2023-43374[2]: | Hoteldruid v3.0.5 was discovered to contain a SQL injection | vulnerability via the id_utente_log parameter at | /hoteldruid/personalizza.php. CVE-2023-43375[3]: | Hoteldruid v3.0.5 was discovered to contain multiple SQL injection | vulnerabilities at /hoteldruid/clienti.php via the annonascita, | annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita, | and mesescaddoc parameters. CVE-2023-43376[4]: | A cross-site scripting (XSS) vulnerability in | /hoteldruid/clienti.php of Hoteldruid v3.0.5 allows attackers to | execute arbitrary web scripts or HTML via a crafted payload injected | into the nometipotariffa1 parameter. CVE-2023-43377[5]: | A cross-site scripting (XSS) vulnerability in | /hoteldruid/visualizza_contratto.php of Hoteldruid v3.0.5 allows | attackers to execute arbitrary web scripts or HTML via a crafted | payload injected into the destinatario_email1 parameter. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-43371 https://www.cve.org/CVERecord?id=CVE-2023-43371 [1] https://security-tracker.debian.org/tracker/CVE-2023-43373 https://www.cve.org/CVERecord?id=CVE-2023-43373 [2] https://security-tracker.debian.org/tracker/CVE-2023-43374 https://www.cve.org/CVERecord?id=CVE-2023-43374 [3] https://security-tracker.debian.org/tracker/CVE-2023-43375 https://www.cve.org/CVERecord?id=CVE-2023-43375 [4] https://security-tracker.debian.org/tracker/CVE-2023-43376 https://www.cve.org/CVERecord?id=CVE-2023-43376 [5] https://security-tracker.debian.org/tracker/CVE-2023-43377 https://www.cve.org/CVERecord?id=CVE-2023-43377 Please adjust the affected versions in the BTS as needed. Regards, Markus signature.asc Description: This is a digitally signed message part
Bug#1052553: bookworm-pu: package libapache-mod-jk/1:1.2.48-2
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: a...@debian.org [ Reason ] Fixing CVE-2023-41081 in Bookworm. Unintended exposure of the status worker and/or bypass security constraints configured in httpd by using implicit mapping. [ Tests ] Implicit mapping no longer works with this update and users must explicitly configure it. Otherwise an error message is logged now which means the update works as intended. [ Risks ] Users who unintentionally relied on the implicit mapping functionality will have to update their configuration but this is intended and needed to avoid the bypass of other security constraints. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Regards, Markus diff -Nru libapache-mod-jk-1.2.48/debian/changelog libapache-mod-jk-1.2.48/debian/changelog --- libapache-mod-jk-1.2.48/debian/changelog2023-02-18 19:17:18.0 +0100 +++ libapache-mod-jk-1.2.48/debian/changelog2023-09-24 16:40:59.0 +0200 @@ -1,3 +1,20 @@ +libapache-mod-jk (1:1.2.48-2+deb12u1) bookworm; urgency=high + + * Fix CVE-2023-41081: +The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to +forward requests from Apache to Tomcat, in some circumstances, such as when +a configuration included "JkOptions +ForwardDirectories" but the +configuration did not provide explicit mounts for all possible proxied +requests, mod_jk would use an implicit mapping and map the request to the +first defined worker. Such an implicit mapping could result in the +unintended exposure of the status worker and/or bypass security constraints +configured in httpd. As of this security update, the implicit mapping +functionality has been removed and all mappings must now be via explicit +configuration. This issue affects Apache Tomcat Connectors (mod_jk only). +(Closes: #1051956) + + -- Markus Koschany Sun, 24 Sep 2023 16:40:59 +0200 + libapache-mod-jk (1:1.2.48-2) unstable; urgency=medium * Declare compliance with Debian Policy 4.6.2. diff -Nru libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch --- libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 1970-01-01 01:00:00.0 +0100 +++ libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 2023-09-24 16:40:59.0 +0200 @@ -0,0 +1,47 @@ +From: Markus Koschany +Date: Sun, 24 Sep 2023 16:39:43 +0200 +Subject: CVE-2023-41081 + +Bug-Debian: https://bugs.debian.org/1051956 +Origin: https://github.com/apache/tomcat-connectors/commit/0095b6cb84f41313ee4c0364b49c766168790792 +--- + native/apache-2.0/mod_jk.c | 19 --- + 1 file changed, 19 deletions(-) + +diff --git a/native/apache-2.0/mod_jk.c b/native/apache-2.0/mod_jk.c +index b755116..d9345d7 100644 +--- a/native/apache-2.0/mod_jk.c b/native/apache-2.0/mod_jk.c +@@ -2767,17 +2767,6 @@ static int jk_handler(request_rec * r) + rconf->rule_extensions = e; + } + } +-else if (worker_env.num_of_workers == 1) { +- /** We have a single worker ( the common case ). +- ( lb is a bit special, it should count as a single worker but +- I'm not sure how ). We also have a manual config directive that +- explicitly give control to us. */ +-worker_name = worker_env.worker_list[0]; +-if (JK_IS_DEBUG_LEVEL(xconf->log)) +-jk_log(xconf->log, JK_LOG_DEBUG, +- "Single worker (%s) configuration for %s", +- worker_name, r->uri); +-} + else { + if (!xconf->uw_map) { + if (JK_IS_DEBUG_LEVEL(xconf->log)) +@@ -2804,14 +2793,6 @@ static int jk_handler(request_rec * r) + r->uri = clean_uri; + } + } +- +-if (worker_name == NULL && worker_env.num_of_workers) { +-worker_name = worker_env.worker_list[0]; +-if (JK_IS_DEBUG_LEVEL(xconf->log)) +-jk_log(xconf->log, JK_LOG_DEBUG, +- "Using first worker (%s) from %d workers for %s", +- worker_name, worker_env.num_of_workers, r->uri); +-} + } + if (worker_name) + apr_table_setn(r->notes, JK_NOTE_WORKER_NAME, worker_name); diff -Nru libapache-mod-jk-1.2.48/debian/patches/series libapache-mod-jk-1.2.48/debian/patches/series --- libapache-mod-jk-1.2.48/debian/patches/series 2023-02-18 19:17:18.0 +0100 +++ libapache-mod-jk-1.2.48/debian/patches/series 2023-09-24 16:40:59.0
Bug#1052552: bullseye-pu: package libapache-mod-jk/1:1.2.48-1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: a...@debian.org [ Reason ] Fixing CVE-2023-41081 in Bullseye. Unintended exposure of the status worker and/or bypass security constraints configured in httpd by using implicit mapping. [ Tests ] Implicit mapping no longer works with this update and users must explicitly configure it. Otherwise an error message is logged now which means the update works as intended. [ Risks ] Users who unintentionally relied on the implicit mapping functionality will have to update their configuration but this is intended and needed to avoid the bypass of other security constraints. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Regards, Markus diff -Nru libapache-mod-jk-1.2.48/debian/changelog libapache-mod-jk-1.2.48/debian/changelog --- libapache-mod-jk-1.2.48/debian/changelog2020-06-04 21:42:29.0 +0200 +++ libapache-mod-jk-1.2.48/debian/changelog2023-09-24 17:09:51.0 +0200 @@ -1,3 +1,20 @@ +libapache-mod-jk (1:1.2.48-1+deb11u1) bullseye; urgency=high + + * Fix CVE-2023-41081: +The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to +forward requests from Apache to Tomcat, in some circumstances, such as when +a configuration included "JkOptions +ForwardDirectories" but the +configuration did not provide explicit mounts for all possible proxied +requests, mod_jk would use an implicit mapping and map the request to the +first defined worker. Such an implicit mapping could result in the +unintended exposure of the status worker and/or bypass security constraints +configured in httpd. As of this security update, the implicit mapping +functionality has been removed and all mappings must now be via explicit +configuration. This issue affects Apache Tomcat Connectors (mod_jk only). +(Closes: #1051956) + + -- Markus Koschany Sun, 24 Sep 2023 17:09:51 +0200 + libapache-mod-jk (1:1.2.48-1) unstable; urgency=medium * New upstream version 1.2.48. diff -Nru libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch --- libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 1970-01-01 01:00:00.0 +0100 +++ libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 2023-09-24 17:09:51.0 +0200 @@ -0,0 +1,47 @@ +From: Markus Koschany +Date: Sun, 24 Sep 2023 16:39:43 +0200 +Subject: CVE-2023-41081 + +Bug-Debian: https://bugs.debian.org/1051956 +Origin: https://github.com/apache/tomcat-connectors/commit/0095b6cb84f41313ee4c0364b49c766168790792 +--- + native/apache-2.0/mod_jk.c | 19 --- + 1 file changed, 19 deletions(-) + +diff --git a/native/apache-2.0/mod_jk.c b/native/apache-2.0/mod_jk.c +index b755116..d9345d7 100644 +--- a/native/apache-2.0/mod_jk.c b/native/apache-2.0/mod_jk.c +@@ -2767,17 +2767,6 @@ static int jk_handler(request_rec * r) + rconf->rule_extensions = e; + } + } +-else if (worker_env.num_of_workers == 1) { +- /** We have a single worker ( the common case ). +- ( lb is a bit special, it should count as a single worker but +- I'm not sure how ). We also have a manual config directive that +- explicitly give control to us. */ +-worker_name = worker_env.worker_list[0]; +-if (JK_IS_DEBUG_LEVEL(xconf->log)) +-jk_log(xconf->log, JK_LOG_DEBUG, +- "Single worker (%s) configuration for %s", +- worker_name, r->uri); +-} + else { + if (!xconf->uw_map) { + if (JK_IS_DEBUG_LEVEL(xconf->log)) +@@ -2804,14 +2793,6 @@ static int jk_handler(request_rec * r) + r->uri = clean_uri; + } + } +- +-if (worker_name == NULL && worker_env.num_of_workers) { +-worker_name = worker_env.worker_list[0]; +-if (JK_IS_DEBUG_LEVEL(xconf->log)) +-jk_log(xconf->log, JK_LOG_DEBUG, +- "Using first worker (%s) from %d workers for %s", +- worker_name, worker_env.num_of_workers, r->uri); +-} + } + if (worker_name) + apr_table_setn(r->notes, JK_NOTE_WORKER_NAME, worker_name); diff -Nru libapache-mod-jk-1.2.48/debian/patches/series libapache-mod-jk-1.2.48/debian/patches/series --- libapache-mod-jk-1.2.48/debian/patches/series 2020-06-04 21:42:29.0 +0200 +++ libapache-mod-jk-1.2.48/debian/patches/series 2023-09-24 17:09:51.0 +0200 @@
Bug#1052197: xrdp: after bullseye-security upgrade, empty turquoise screen after logging in
I have just rebuilt and uploaded xorgxrdp 0.2.12-1+deb11u1 to bullseye- security. That should resolve the problem at hand. However I recommend to keep this bug report open and try to address the dependency problem between xrdp and xorgxrdp. If you claim that without a rebuild of xorgxrdp a new upstream version of xrdp would be broken, then this is a strong indication that xorgxrdp should be more than a recommendation in Debian terms: From the Debian Policy "Declaring relationships between packages" "The Depends field should be used if the depended-on package is required for the depending package to provide a significant amount of functionality." If xrdp only works with a specific version of xorgxrdp then this is true in my opinion and the recommendation should be changed to a Depends. We had a similar issue with librhino-java and shrinksafe in the recent past. librhino-java had to declare a versioned Breaks on shrinksafe and shrinksafe had to add a versioned (Build-)Depends on rhino/librhino-java. In my opinion we have the exact same situation here. In any case I leave that to the maintainers of xrdp/xorgxrdp to resolve. Regards, Markus signature.asc Description: This is a digitally signed message part
Bug#1052197: xrdp: after bullseye-security upgrade, empty turquoise screen after logging in
Hello, the new Bullseye version of xrdp is identical to the version in Bookworm. Thus the underlying problem is probably more complex and I don't suspect that something is wrong with xrdp itself but more likely with a configuration option or related software packages which do something different than in Bookworm. I have tried to reproduce the problem on Bullseye with Gnome 3 installed. The problem here is that gnome-remote-desktop appears to interfere with xrdp, so I'm not totally sure what is caused by Gnome and what might be a bug in xrdp. Then I restarted the session with Gnome in Xorg mode and a remote connection to the xrdp server succeeded. However I got a black background instead of the normal wallpaper I have. Applications were shown correctly though. I definitely need more information about your setup or xrdp in general to debug this issue. Possible reasons for the behavior may be: 1. TLS / connection problem ? Did you do "adduser xrdp ssl-cert" ? Maybe a new TLS configuration option in 0.9.21.1? 2. graphic drivers ? I read that hardware accelerated drivers may cause such problems. Maybe try to disable them and use software rendering only? LIBGL_ALWAYS_SOFTWARE = true Please also upload the following log files: /var/log/xrdp-sesman.log /var/log/xrdp.log ~/.xsession-errors and journalctl -S -2m or something similar may provide more information about error messages, etc. ~/.xorgxrdp.10.log seems to belong to xorgxrdp. The package is only recommended but I wonder if the problem is potentially caused by it. xrdp is a build- dependency which suggests it might need a rebuild? But on the other hand then recommending the package would be wrong and it should be added to Depends. Someone else would have stumbled upon this sooner I guess. Regards, Markus signature.asc Description: This is a digitally signed message part
Bug#1050502: gnome-shell crash when restarting with ALT+F2, "r" on nvidia-graphics-drivers
@entry=..., args=..., retval=retval@entry=...) at ./obj-x86_64-linux-gnu/../gi/closure.cpp:184 #31 0x7fe2b1ff4884 in Gjs::Closure::marshal(_GValue*, unsigned int, _GValue const*, void*, void*) (this=0x56199c720bb0, return_value=0x7ffe91cc6330, n_param_values=, param_values=0x7ffe91cc63c0, invocation_hint=, marshal_data=) at /usr/include/mozjs-102/js/RootingAPI.h:613 #36 0x7fe2b27a0243 in 0x56199ae01960 [MetaDisplay]> (instance=instance@entry=0x56199ae01960, signal_id=, detail=detail@entry=0) at ../../../gobject/gsignal.c:3675 #32 0x7fe2b2785540 in g_closure_invoke (closure=0x56199c720bb0, return_value=0x7ffe91cc6330, n_param_values=1, param_values=0x7ffe91cc63c0, invocation_hint=0x7ffe91cc6310) at ../../../gobject/gclosure.c:832 #33 0x7fe2b2798afc in signal_emit_unlocked_R (node=node@entry=0x7ffe91cc6470, detail=detail@entry=0, instance=instance@entry=0x56199ae01960, emission_return=emission_return@entry=0x7ffe91cc64f0, instance_and_params=instance_and_params@entry=0x7ffe91cc63c0) at ../../../gobject/gsignal.c:3980 #34 0x7fe2b2799d51 in signal_emit_valist_unlocked (instance=instance@entry=0x56199ae01960, signal_id=signal_id@entry=178, detail=detail@entry=0, var_args=var_args@entry=0x7ffe91cc65d0) at ../../../gobject/gsignal.c:3625 #35 0x7fe2b27a0186 in g_signal_emit_valist (instance=0x56199ae01960, signal_id=178, detail=0, var_args=0x7ffe91cc65d0) at ../../../gobject/gsignal.c:3355 #37 0x7fe2b1aceea2 in meta_display_request_restart (display=display@entry=0x56199ae01960 [MetaDisplay]) at ../src/core/display.c:2601 #38 0x7fe2b1ae46a3 in restart_check_ready (context=0x56199a795c80 [MetaContextMain]) at ../src/core/restart.c:64 #39 restart_check_ready (context=0x56199a795c80 [MetaContextMain]) at ../src/core/restart.c:58 #40 restart_helper_read_line_callback (source_object=, res=, user_data=0x56199a795c80) at ../src/core/restart.c:92 #41 0x7fe2b22c8ec3 in g_task_return_now (task=task@entry=0x5619a4068fe0 [GTask]) at ../../../gio/gtask.c:1371 #42 0x7fe2b22c9b63 in g_task_return (type=, task=0x5619a4068fe0 [GTask]) at ../../../gio/gtask.c:1440 #43 g_task_return (task=0x5619a4068fe0 [GTask], type=) at ../../../gio/gtask.c:1397 #44 0x7fe2b226abe7 in g_data_input_stream_read_complete (task=0x5619a4068fe0 [GTask], read_length=7, skip_length=1) at ../../../gio/gdatainputstream.c:986 #45 0x7fe2b2263506 in async_fill_callback_wrapper (source_object=0x5619a403cc00 [GDataInputStream], res=0x5619a3a3ede0, user_data=0x5619a4068fe0) at ../../../gio/gbufferedinputstream.c:451 #46 0x7fe2b22c8ec3 in g_task_return_now (task=task@entry=0x5619a3a3ede0 [GTask]) at ../../../gio/gtask.c:1371 #47 0x7fe2b22c9b63 in g_task_return (type=, task=0x5619a3a3ede0 [GTask]) at ../../../gio/gtask.c:1440 #48 g_task_return (task=0x5619a3a3ede0 [GTask], type=) at ../../../gio/gtask.c:1397 #49 0x7fe2b2262efa in fill_async_callback (source_object=, result=, user_data=0x5619a3a3ede0) at ../../../gio/gbufferedinputstream.c:1051 #50 0x7fe2b229458e in async_ready_callback_wrapper (source_object=0x56199be0a2b0 [GUnixInputStream], res=0x5619a3759840, user_data=0x5619a3a3ede0) at ../../../gio/ginputstream.c:565 #51 0x7fe2b22c8ec3 in g_task_return_now (task=task@entry=0x5619a3759840 [GTask]) at ../../../gio/gtask.c:1371 #52 0x7fe2b22c9b63 in g_task_return (type=, task=0x5619a3759840 [GTask]) at ../../../gio/gtask.c:1440 #53 g_task_return (task=0x5619a3759840 [GTask], type=) at ../../../gio/gtask.c:1397 #54 0x7fe2b2292980 in read_async_pollable (stream=0x56199be0a2b0, task=0x5619a3759840 [GTask]) at ../../../gio/ginputstream.c:1403 #55 0x7fe2b22929fd in read_async_pollable_ready (stream=, user_data=) at ../../../gio/ginputstream.c:1368 #56 0x7fe2b2124099 in g_main_dispatch (context=context@entry=0x56199a7978b0) at ../../../glib/gmain.c:3476 #57 0x7fe2b21272d7 in g_main_context_dispatch_unlocked (context=0x56199a7978b0) at ../../../glib/gmain.c:4284 #58 g_main_context_iterate_unlocked (context=0x56199a7978b0, block=block@entry=1, dispatch=dispatch@entry=1, self=) at ../../../glib/gmain.c:4349 #59 0x7fe2b2127bdf in g_main_loop_run (loop=0x56199cd05ce0) at ../../../glib/gmain.c:4551 #60 0x7fe2b1ada039 in meta_context_run_main_loop (context=context@entry=0x56199a795c80 [MetaContextMain], error=error@entry=0x7ffe91cc69e0) at ../src/core/meta-context.c:482 #61 0x5619990919a3 in main (argc=, argv=) at ../src/main.c:683 (gdb) Broadcast message from system@station (Sun 2023-09-17 12:21:49 CEST): The system will reboot now! Broadcast message from system@station (Sun 2023-09-17 12:21:49 CEST): The system will reboot now! Connection to station closed by remote host. Connection to station closed. pi@pi:~$ Best regards, Markus
Bug#1042140: trophy: FTBFS: undefined reference to `pthread_mutexattr_setkind_np'
Control: reassign -1 src:clanlib Control: tags -1 pending This is actually a bug in clanlib which surfaced because of the recent uploads / rebuilds against glibc > 2.34. The pthread_mutexattr_setkind_np symbol is obsolete and has been replaced by pthread_mutexattr_settype. signature.asc Description: This is a digitally signed message part
Bug#1052003: emscripten: FTBFS with binaryen in experimental
Package: emscripten Version: 3.1.6~dfsg-5 Severity: important X-Debbugs-Cc: a...@debian.org Dear maintainer, emscripten fails to build from source with the latest version of binaryen, currently 116, in experimental. I'm attaching the complete build log. I intend to upload a new version of binaryen to unstable next year because I know that emscripten has no real maintainer and is currently maintained by the QA team. I will ping this bug report again before I do the upload but I hope someone else can look into this problem before that. I wonder if emscripten should embed the exact version of binaryen required to build the package to avoid a circular dependency (because then I could use emscripten to build wabt.js for example). These are the last log lines when emscripten fails: embuilder:INFO: building struct_info cache:INFO: generating system asset: sysroot/lib/wasm32-emscripten/struct_info.json... (this will be cached in "/<>/debian/em_cache/sysroot/lib/wasm32-emscripten/struct_info.json" for subsequent builds) emscripten:ERROR: emscript: failure to parse metadata output from wasm-emscripten-finalize. raw output is: Traceback (most recent call last): File "/<>/emcc.py", line 3947, in sys.exit(main(sys.argv)) ^^ File "/usr/lib/python3.11/contextlib.py", line 81, in inner return func(*args, **kwds) ^^^ File "/<>/emcc.py", line 3940, in main ret = run(args) ^ File "/<>/emcc.py", line 1199, in run phase_post_link(options, state, wasm_target, wasm_target, target) File "/usr/lib/python3.11/contextlib.py", line 81, in inner return func(*args, **kwds) ^^^ File "/<>/emcc.py", line 2753, in phase_post_link phase_emscript(options, in_wasm, wasm_target, memfile) File "/usr/lib/python3.11/contextlib.py", line 81, in inner return func(*args, **kwds) ^^^ File "/<>/emcc.py", line 2781, in phase_emscript emscripten.run(in_wasm, wasm_target, final_js, memfile) File "/<>/emscripten.py", line 932, in run emscript(in_wasm, out_wasm, outfile_js, memfile) File "/<>/emscripten.py", line 297, in emscript metadata = finalize_wasm(in_wasm, out_wasm, memfile) ^ File "/<>/emscripten.py", line 521, in finalize_wasm metadata = get_metadata_binaryen(infile, outfile, modify_wasm, args) ^ File "/usr/lib/python3.11/contextlib.py", line 81, in inner return func(*args, **kwds) ^^^ File "/<>/emscripten.py", line 406, in get_metadata_binaryen metadata = load_metadata_json(stdout) ^^ File "/<>/emscripten.py", line 851, in load_metadata_json metadata_json = json.loads(metadata_raw) File "/usr/lib/python3.11/json/__init__.py", line 346, in loads return _default_decoder.decode(s) ^^ File "/usr/lib/python3.11/json/decoder.py", line 337, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) ^^ File "/usr/lib/python3.11/json/decoder.py", line 355, in raw_decode raise JSONDecodeError("Expecting value", s, err.value) from None json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0) FAIL: Compilation failed!: ['emcc', '-D_GNU_SOURCE', '-o', '/tmp/tmp3mop6qgt.js', '/tmp/tmpelb1y5rp.c', '-O0', '-Werror', '-Wno-format', '-nostdlib', '/<>/debian/em_cache/sysroot/lib/wasm32-emscripten/libcompiler_rt.a', '-sMEMORY64=0', '-sBOOTSTRAPPING_STRUCT_INFO=1', '-sLLD_REPORT_UNDEFINED=1', '-sSTRICT', '-sSINGLE_FILE', '-Wno-error=version-check', '-Wno-deprecated'] make[1]: *** [debian/rules:195: override_dh_auto_build] Error 1 make[1]: Leaving directory '/<>' make: *** [debian/rules:378: binary] Error 2 dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2 emscripten_3.1.6~dfsg-5.gz Description: application/gzip