Bug#866440: marked as done (mcomix: depends on obsolete python-imaging (replace with python3-pil or python-pil))

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Mon, 04 Jun 2018 05:34:51 +
with message-id 
and subject line Bug#866440: fixed in mcomix 1.2.1-1.1
has caused the Debian Bug report #866440,
regarding mcomix: depends on obsolete python-imaging (replace with python3-pil 
or python-pil)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
866440: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866440
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:mcomix
Version: 1.2.1-1
Severity: important
Tags: sid buster
User: d...@debian.org
Usertags: imaging-pillow

One or more binary packages built from this source depends on or
recommends python-imaging, which is obsolete for some years now.
Please build the source using the python-pil package. If your
package doesn't need to be built with Python2, please consider using
Python3 and depend on python3-pil.

Planning to remove python-imaging for the buster release, so the
severity of this issues might be raised.
--- End Message ---
--- Begin Message ---
Source: mcomix
Source-Version: 1.2.1-1.1

We believe that the bug you reported is fixed in the latest version of
mcomix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicholas Breen  (supplier of updated mcomix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 29 May 2018 21:35:28 -0700
Source: mcomix
Binary: mcomix
Architecture: source
Version: 1.2.1-1.1
Distribution: unstable
Urgency: medium
Maintainer: Krzysztof Klimonda 
Changed-By: Nicholas Breen 
Description:
 mcomix - GTK+ image viewer for comic books
Closes: 866440
Changes:
 mcomix (1.2.1-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Replace Depends: python-imaging with python-pil.  (Closes: #866440)
Checksums-Sha1:
 a4092791de810b075fbb703f5e83e7d01d466b21 1856 mcomix_1.2.1-1.1.dsc
 26071a974a7d193e97aaf34bbc7d69785e4d87a4 2104 mcomix_1.2.1-1.1.debian.tar.xz
 dbe8d47d871b0f6b4b83385ebf80a797b162bbae 5255 mcomix_1.2.1-1.1_source.buildinfo
Checksums-Sha256:
 9a826882ad89e724628a83f67948c59f62ddc736ca17ba9cc42f4ec89f2477f3 1856 
mcomix_1.2.1-1.1.dsc
 643e270371acb69e5080d338397d81adf379efa72b2641fd14926234865454dd 2104 
mcomix_1.2.1-1.1.debian.tar.xz
 9c9844db9fa1ff20f079ac9b75bd99642d2a7a6930914237eb0592172d969857 5255 
mcomix_1.2.1-1.1_source.buildinfo
Files:
 8084bdf091c547845d8df677c58f98cf 1856 x11 optional mcomix_1.2.1-1.1.dsc
 3e1a70ba061a8db9b89e8bdf90f533dd 2104 x11 optional 
mcomix_1.2.1-1.1.debian.tar.xz
 16b389673ebf26f13e4e8a35c8d313e6 5255 x11 optional 
mcomix_1.2.1-1.1_source.buildinfo

-BEGIN PGP SIGNATURE-

iQJGBAEBCAAwFiEEhD5fph5gYziYdtLl7kr9aexlEI8FAlsOLxYSHG5icmVlbkBk
ZWJpYW4ub3JnAAoJEO5K/WnsZRCP7A8P/A13VIMCXJ7M8Fx0IwrCYcdN8Lauia9g
8sMBJ6e8DXTnWsdXzuWCor0ApdLqHOnbyD/5g/MIz5tPnVTmww8JmBtpA11XENHk
5BqKqeCkQ2TYa17FUfpxXlftKF2LV0LB99Sm6mpaLR6djmvSUar2DeyvS18+kMWq
d+CrHZ0OTFjUsrjB21wOiRErB1kbSyAihOpTUJ4uuxm0oALEhD4opCaM9ga9yP2e
02VYa5VihGP+A4uiIrHfLyUZBc7LoGQbOMWe9zwul4qhdwAF/cLZJA642i0poCqg
HS4kb66rl85GrTiKq8TmvzvqcJuHKomSyxk8hT7cAVf+bcT6/7ZPdMclYpDn9EmM
lPHHD3TtlKVlW94r23ahPMRqeCc4hV8JI//T4pxaiNXuQiJ4pHjB5mQsl5YDDPl2
q0EPvoHuOdmgMaDkkVMX03grIAL51e+In15GsUaBQ3L/uOp+gyZU/N4PyNGDiyrg
Xp7KV4Uu9BPhMGdjmbhi8/NvP+CHySvspUww+yXakjqKb6vGS6SJ5FgbGavFiJEb
49UGvcDKxF4IggpkGlWG7myTg0DSb3Pumdk24KYnY9kA6BDfLtDUmuujNEifSb7G
deOM1kNwK/JxuleYJojgTMUlCV8ZYGEeFv1f/W5t7+yzPJIHsaOMDjPMV2t5oZZT
Uc7eFP6mXRFO
=ygO1
-END PGP SIGNATURE End Message ---

Bug#900018: FTBFS with latest cmdliner

2018-06-03 Thread Andy Li 
Hi Mehdi,

Just saw that you've fixed that in the new upload.
Thanks for taking care of it!

Best regards,
Andy

On Sun, Jun 3, 2018 at 7:08 PM, Mehdi Dogguy  wrote:

> Hi Andy,
>
> On 2018-05-25 08:40, Andy Li wrote:
>
>> I've a patch:
>> https://github.com/ocaml/opam/compare/1.2.2...andyli:1.2.2-fix.patch
>> It's based on the discussion with upstream at
>> https://discuss.ocaml.org/t/the-forever-beta-issue/1779/6
>>
>>
> In fact, the patch introduces a bug and makes the build fail later in
> the process (can't generate manpages and test-suite doesn't succeed).
>
> Do you confirm this on your side as well?
>
> --
> Mehdi
>

Bug#900677: marked as done (ruby-google-protobuf: does not install pure ruby files)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Mon, 04 Jun 2018 01:49:49 +
with message-id 
and subject line Bug#900677: fixed in protobuf 3.6.0~rc2-2
has caused the Debian Bug report #900677,
regarding ruby-google-protobuf: does not install pure ruby files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900677: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900677
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: ruby-google-protobuf
version: 3.6.0~rc2-1
severity: grave
justification: makes package unusable

When trying to use ruby-google-protobuf, I get this error

LoadError: cannot load such file -- google/protobuf

if you compare with previous versions of ruby-google-protobuf (
http://snapshot.debian.org/package/ruby-google-protobuf/3.5.2-1/),
you'll see it does not install the pure ruby files (ruby/lib directory).



signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
Source: protobuf
Source-Version: 3.6.0~rc2-2

We believe that the bug you reported is fixed in the latest version of
protobuf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS)  (supplier of updated protobuf 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 03 Jun 2018 15:52:16 +
Source: protobuf
Binary: ruby-google-protobuf libprotobuf16 libprotobuf-lite16 libprotobuf-dev 
libprotoc16 libprotoc-dev protobuf-compiler python-protobuf python3-protobuf 
libprotobuf-java
Architecture: source amd64 all
Version: 3.6.0~rc2-2
Distribution: experimental
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) 
Changed-By: Laszlo Boszormenyi (GCS) 
Description:
 libprotobuf-dev - protocol buffers C++ library (development files)
 libprotobuf-java - Java bindings for protocol buffers
 libprotobuf-lite16 - protocol buffers C++ library (lite version)
 libprotobuf16 - protocol buffers C++ library
 libprotoc-dev - protocol buffers compiler library (development files)
 libprotoc16 - protocol buffers compiler library
 protobuf-compiler - compiler for protocol buffer definition files
 python-protobuf - Python bindings for protocol buffers
 python3-protobuf - Python 3 bindings for protocol buffers
 ruby-google-protobuf - Protocol Buffers
Closes: 900677
Changes:
 protobuf (3.6.0~rc2-2) experimental; urgency=medium
 .
   * Build all Ruby files (closes: #900677).
   * Explicitly link with atomic on armel, mips, mipsel and powerpc
 architectures.
Checksums-Sha1:
 8f17f74dc171887daee3242c4271f72412780405 2763 protobuf_3.6.0~rc2-2.dsc
 9d7c087829642342e5c65df725bb243981bde119 22200 
protobuf_3.6.0~rc2-2.debian.tar.xz
 78fa715978b6915fa603a2df46eec9544a902004 1075312 
libprotobuf-dev_3.6.0~rc2-2_amd64.deb
 12c97e97c517ccaa8687e5b618a7af16ecc8a327 739208 
libprotobuf-java_3.6.0~rc2-2_all.deb
 2a00e0428fb38e7fccf3d71d5941ddbdecdd3326 1155584 
libprotobuf-lite16-dbgsym_3.6.0~rc2-2_amd64.deb
 3de8e472fc0b4fa1ecd30d1ea6f84dc34e6cbc51 159640 
libprotobuf-lite16_3.6.0~rc2-2_amd64.deb
 f956855faddadac1f785f7c2918a89b3f0d35ee7 8520820 
libprotobuf16-dbgsym_3.6.0~rc2-2_amd64.deb
 3a444c7d660bafcba8cbd27499f0eedfe5f8441e 784180 
libprotobuf16_3.6.0~rc2-2_amd64.deb
 4b75920ff919ee601807671865b3df0a21177140 728644 
libprotoc-dev_3.6.0~rc2-2_amd64.deb
 5f353275cb0c5f23654dfd87b95136b78e455449 10321548 
libprotoc16-dbgsym_3.6.0~rc2-2_amd64.deb
 bf1ab90d5f924397df2fbd6f4dfc29f887ec3178 643688 
libprotoc16_3.6.0~rc2-2_amd64.deb
 aab3bd5671d9f9dcd8019ba49a017b4179da5ce4 76116 
protobuf-compiler-dbgsym_3.6.0~rc2-2_amd64.deb
 7691e785d844b36dbeb58024de320a920b18ea3b 62580 
protobuf-compiler_3.6.0~rc2-2_amd64.deb
 5359dfc695eeb5d055b748822f6edc1670e3e096 18827 
protobuf_3.6.0~rc2-2_amd64.buildinfo
 1dbb927008d7850e865f2daeb6341bc10b2f1d1e 910396 
python-protobuf-dbgsym_3.6.0~rc2-2_amd64.deb
 b4fde8646e10773a488341b5a5a57374c79bf250 328828 
python-protobuf_3.6.0~rc2-2_amd64.deb
 ed9e0f194a4ff63d34e376cfa0c7d1420d9f18e7 927888 
python3-protobuf-dbgsym_3.6.0~rc2-2_amd64.deb
 595fff79e3a7f0aa6d7d41d4e5d426e25e10836d 328868

Bug#870233: smplayer: executes javascript code downloaded from insecure URL

2018-06-03 Thread Jonas Smedegaard 

Hi Reinhard,

Excerpts from Reinhard Tartler's message of juni 3, 2018 10:48 pm:

On Mon, Jul 31, 2017 at 1:48 AM Jonas Smedegaard  wrote:
smplayer includes code in src/basegui.cpp to download and (I guess) 
execute javascript code for parsing youtube paths.  The download URL 
is http://updates.smplayer.info/yt.js which is insecure and therefore 
I suspect easy to replace with evil code.


Apparently, this was already fixed upstream quite some time ago in
package version 17.11.2~ds0-1 without mentioning this in
debian/changelog. I'm therefore closing this bug manually.


Sorry, but I don't see any such change, and it seems the problematic 
code is still there:



$ git grep updates.smplayer.info
src/links.h:#define URL_YT_CODE "http://updates.smplayer.info/yt.js;
src/links.h:#define URL_VERSION_INFO 
"http://updates.smplayer.info/version_info.ini;



$ grep -C5 URL_YT_CODE src/basegui.cpp 
void BaseGui::YTUpdateScript() {

static CodeDownloader * downloader = 0;
if (!downloader) downloader = new CodeDownloader(this);
downloader->saveAs(Paths::configPath() + "/yt.js");
downloader->show();
downloader->download(QUrl(URL_YT_CODE));
}
#endif // YT_USE_YTSIG
#endif //YOUTUBE_SUPPORT

void BaseGui::gotForbidden() {


Could you perhaps reference the git commit you believe fixed this?


- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

[x] quote me freely  [ ] ask before reusing  [ ] keep private


pgpqPAQkGR3c4.pgp
Description: PGP signature

Processed: reopening 870233

2018-06-03 Thread Debian Bug Tracking System 
Processing commands for cont...@bugs.debian.org:

> reopen 870233
Bug #870233 {Done: Reinhard Tartler } [src:smplayer] 
smplayer: executes javascript code downloaded from insecure URL
'reopen' may be inappropriate when a bug has been closed with a version;
all fixed versions will be cleared, and you may need to re-add them.
Bug reopened
No longer marked as fixed in versions 17.11.2~ds0-1 and smplayer/17.7.0~ds0-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
870233: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870233
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#898943: Multiple vulnerabiliities in Mongoose

2018-06-03 Thread Ricardo Villalba 
I don't know yet. I guess I'll have to look for another simple web server.


2018-06-03 23:15 GMT+02:00 Reinhard Tartler :
> Thanks for the tip, Ricardo!
>
> It appears that disabling that define still compiles (and installs)
> the vulnerable program. I'll upload a new package that not only
> disables that define, but also modifies the top-level Makefile to no
> longer build and install mongoose:
>
> https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch
>
> Let me know what you think and what do you intend to do upstream to
> resolve this issue.
>
> Thanks,
> Reinhard
> On Sun, Jun 3, 2018 at 2:58 PM Ricardo Villalba  
> wrote:
>>
>> Hello.
>>
>> I wasn't aware of those vulnerabilities in mongoose.
>> It's possible to disable the support for chromecast in smplayer
>> commenting the line DEFINES += CHROMECAST_SUPPORT in src/smplayer.pro
>>
>> 2018-06-03 18:41 GMT+02:00 Reinhard Tartler :
>> > Hi Richardo,
>> >
>> > I'm not sure if you have seen this email, Moritz from the debian
>> > security team is reporting a release-critical bug in smplayer. More
>> > specifically, smplayer appears to be using the mongoose webserver
>> > implementation as in implementation detail of the chromecast
>> > component.
>> >
>> > Having to remove smplayer would be most unfortunate. I checked the
>> > upstream commits at
>> > https://github.com/cesanta/mongoose/commits/master, but apparently
>> > there is no fix available yet. Maybe I'm missing something but if not,
>> > my question to you is whether we can easily disable the chromecast
>> > component from the smplayer build?
>> >
>> > Please let me know your thoughts on this.
>> >
>> > Best,
>> > Reinhard
>> >
>> > -- Forwarded message -
>> > From: Moritz Muehlenhoff 
>> > Date: Thu, May 17, 2018 at 12:51 PM
>> > Subject: Bug#898943: Multiple vulnerabiliities in Mongoose
>> > To: Debian Bug Tracking System 
>> >
>> >
>> > Source: smplayer
>> > Severity: grave
>> > Tags: security
>> >
>> > smplayer seems to embed Cesenta Mongoose:
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922
>> >
>> > Cheers,
>> > Moritz
>> >
>> > ___
>> > pkg-multimedia-maintainers mailing list
>> > pkg-multimedia-maintain...@alioth-lists.debian.net
>> > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
>> >
>> >
>> > --
>> > regards,
>> > Reinhard
>>
>>
>>
>> --
>> RVM
>
>
>
> --
> regards,
> Reinhard



-- 
RVM

Bug#899021: libembperl-perl: FTBFS with Perl 5.27, unmaintained upstream

2018-06-03 Thread Dominic Hargreaves 
On Sun, May 20, 2018 at 10:17:43AM +0200, Dominique Dumont wrote:
> On Friday, 18 May 2018 17:08:38 CEST Dominic Hargreaves wrote:
> > Currently the package has a popcon of inst: 37 / vote: 22 / recent: 1
> > suggesting that it is barely used anywhere. 
> 
> Reading its features, I think this module may have been a good idea when it 
> was created back in 1997, but I'm afraid it's now completely obsoleted by 
> modern JavaScript frameworks.  
> 
> > So I suggest that rather than
> > spending any more time maintaining it, we remove it from Debian.
> 
> Agreed.

I asked the Embperl mailing list about this, and although noone
who actually uses the Embperl Debian packages spoke up, there was
definitely some interest in keeping it alive. I have hopefully reflected
the views of pkg-perl here:

http://mail-archives.apache.org/mod_mbox/perl-embperl/201805.mbox/browser

Cheers,
Dominic.

Bug#900511: libcurl4 Conflicts: libcurl3

2018-06-03 Thread Richard B. Kreckel 
On Sat, 2 Jun 2018 23:14:40 +0300 Adrian Bunk  wrote:
> libcurl3 is not part of buster, and using libraries from previous 
> releases that are no longer present in a new stable Debian release is 
> not strictly supported - it works most of the time, but when problems
> are reported a Breaks/Conflicts against that library is usually the
> solution.

Yeah, I have read this:
https://salsa.debian.org/debian/curl/merge_requests/2.

Still, the question remains: Why can different libssl packages coexist
fine (even if they are from a previous Debian version) but libcurl
packages cannot?

There are external software packages shipped as .deb which require
libcurl3. (I've seen that the LightWorks video editor and several games
are affected.) To support those, there should be a way to provide libcurl3.

Processed: Re: jaxb 2.3.0.1-2 FTBFS

2018-06-03 Thread Debian Bug Tracking System 
Processing control commands:

> severity -1 important
Bug #882525 [src:jaxb] netbeans FTBFS with jaxb 2.3.0
Severity set to 'important' from 'serious'
> close -1
Bug #882525 [src:jaxb] netbeans FTBFS with jaxb 2.3.0
Marked Bug as done

-- 
882525: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882525
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#882525: jaxb 2.3.0.1-2 FTBFS

2018-06-03 Thread Emmanuel Bourg 
Control: severity -1 important
Control: close -1

Le 03/06/2018 à 16:46, Markus Koschany a écrit :
> Control: reopen -1
> 
> jaxb 2.3.0.1-2 fails to build from source. Reopening.

The build failure isn't related to jaxb/2.3.0.1-2 addressing this bug,
but to the upload of jaxb-api/2.3.0-1 which triggered JDK bug
JDK-8193802 [1] (fixed in OpenJDK 11). I'll fix that by disabling the
multi release jar in src:jaxb-api.

Please reopen #882525 if netbeans still FTBFS with the same error
initially reported once src:jaxb is buildable.

[1] https://bugs.openjdk.java.net/browse/JDK-8193802

Bug#897505: marked as done (arbtt: FTBFS: hlibrary.setup: Encountered missing dependencies: base >=4.7 && <4.10)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 03 Jun 2018 21:49:43 +
with message-id 
and subject line Bug#897505: fixed in arbtt 0.10.0.2-1
has caused the Debian Bug report #897505,
regarding arbtt: FTBFS: hlibrary.setup: Encountered missing dependencies: base 
>=4.7 && <4.10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
897505: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897505
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: arbtt
Version: 0.9.0.13-1
Severity: serious
Tags: buster sid
User: debian...@lists.debian.org
Usertags: qa-ftbfs-20180502 qa-ftbfs
Justification: FTBFS on amd64

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64.

Relevant part (hopefully):
>  debian/rules build
> test -x debian/rules
> mkdir -p "."
> CDBS WARNING:DEB_DH_STRIP_ARGS is deprecated since 0.4.85
> CDBS WARNING:DEB_COMPRESS_EXCLUDE is deprecated since 0.4.85
> . /usr/share/haskell-devscripts/Dh_Haskell.sh && \
> make_setup_recipe
> Running ghc --make Setup.hs -o debian/hlibrary.setup
> [1 of 1] Compiling Main ( Setup.hs, Setup.o )
> 
> Setup.hs:26:17: warning: [-Wdeprecations]
> In the use of `rawSystemProgram'
> (imported from Distribution.Simple.Program):
> Deprecated: "use runProgram instead"
>|
> 26 | rawSystemProgram verb configuredProg
>| 
> Linking debian/hlibrary.setup ...
> . /usr/share/haskell-devscripts/Dh_Haskell.sh && \
> configure_recipe
> Running debian/hlibrary.setup configure --ghc -v2 
> --package-db=/var/lib/ghc/package.conf.d --prefix=/usr 
> --libdir=/usr/lib/haskell-packages/ghc/lib --libexecdir=/usr/lib 
> --builddir=dist-ghc --ghc-option=-optl-Wl\,-z\,relro 
> --haddockdir=/usr/lib/ghc-doc/haddock/arbtt-0.9.0.13/ --datasubdir=arbtt 
> --htmldir=/usr/share/doc/libghc-arbtt-doc/html/
> Configuring arbtt-0.9.0.13...
> CallStack (from HasCallStack):
>   die', called at 
> libraries/Cabal/Cabal/Distribution/Simple/Configure.hs:948:20 in 
> Cabal-2.0.1.0:Distribution.Simple.Configure
>   configureFinalizedPackage, called at 
> libraries/Cabal/Cabal/Distribution/Simple/Configure.hs:470:12 in 
> Cabal-2.0.1.0:Distribution.Simple.Configure
>   configure, called at libraries/Cabal/Cabal/Distribution/Simple.hs:570:20 in 
> Cabal-2.0.1.0:Distribution.Simple
>   confHook, called at 
> libraries/Cabal/Cabal/Distribution/Simple/UserHooks.hs:67:5 in 
> Cabal-2.0.1.0:Distribution.Simple.UserHooks
>   configureAction, called at 
> libraries/Cabal/Cabal/Distribution/Simple.hs:174:19 in 
> Cabal-2.0.1.0:Distribution.Simple
>   defaultMainHelper, called at 
> libraries/Cabal/Cabal/Distribution/Simple.hs:128:42 in 
> Cabal-2.0.1.0:Distribution.Simple
>   defaultMainWithHooks, called at Setup.hs:13:8 in main:Main
> hlibrary.setup: Encountered missing dependencies:
> base >=4.7 && <4.10
> make: *** [/usr/share/cdbs/1/class/hlibrary.mk:142: configure-ghc-stamp] 
> Error 1

The full build log is available from:
   http://aws-logs.debian.net/2018/05/02/arbtt_0.9.0.13-1_unstable.log

A list of current common problems and possible solutions is available at
http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute!

About the archive rebuild: The rebuild was done on EC2 VM instances from
Amazon Web Services, using a clean, minimal and up-to-date chroot. Every
failed build was retried once to eliminate random failures.
--- End Message ---
--- Begin Message ---
Source: arbtt
Source-Version: 0.10.0.2-1

We believe that the bug you reported is fixed in the latest version of
arbtt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 897...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joachim Breitner  (supplier of updated arbtt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 03 Jun 2018 22:59:50 +0200
Source: arbtt
Binary: arbtt
Architecture: source
Version: 0.10.0.2-1
Distribution: unstable
Urgency: medium
Maintainer: Joachim Breitner 
Changed-By: Joachim Breitner 
Description:
 arbtt  - Automatic Rule-Based Time Tracker
Closes: 897505
Changes:
 arbtt (0.10.0.2-1) unstable;

Bug#898943: Multiple vulnerabiliities in Mongoose

2018-06-03 Thread Reinhard Tartler 
Thanks for the tip, Ricardo!

It appears that disabling that define still compiles (and installs)
the vulnerable program. I'll upload a new package that not only
disables that define, but also modifies the top-level Makefile to no
longer build and install mongoose:

https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch

Let me know what you think and what do you intend to do upstream to
resolve this issue.

Thanks,
Reinhard
On Sun, Jun 3, 2018 at 2:58 PM Ricardo Villalba  wrote:
>
> Hello.
>
> I wasn't aware of those vulnerabilities in mongoose.
> It's possible to disable the support for chromecast in smplayer
> commenting the line DEFINES += CHROMECAST_SUPPORT in src/smplayer.pro
>
> 2018-06-03 18:41 GMT+02:00 Reinhard Tartler :
> > Hi Richardo,
> >
> > I'm not sure if you have seen this email, Moritz from the debian
> > security team is reporting a release-critical bug in smplayer. More
> > specifically, smplayer appears to be using the mongoose webserver
> > implementation as in implementation detail of the chromecast
> > component.
> >
> > Having to remove smplayer would be most unfortunate. I checked the
> > upstream commits at
> > https://github.com/cesanta/mongoose/commits/master, but apparently
> > there is no fix available yet. Maybe I'm missing something but if not,
> > my question to you is whether we can easily disable the chromecast
> > component from the smplayer build?
> >
> > Please let me know your thoughts on this.
> >
> > Best,
> > Reinhard
> >
> > -- Forwarded message -
> > From: Moritz Muehlenhoff 
> > Date: Thu, May 17, 2018 at 12:51 PM
> > Subject: Bug#898943: Multiple vulnerabiliities in Mongoose
> > To: Debian Bug Tracking System 
> >
> >
> > Source: smplayer
> > Severity: grave
> > Tags: security
> >
> > smplayer seems to embed Cesenta Mongoose:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922
> >
> > Cheers,
> > Moritz
> >
> > ___
> > pkg-multimedia-maintainers mailing list
> > pkg-multimedia-maintain...@alioth-lists.debian.net
> > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
> >
> >
> > --
> > regards,
> > Reinhard
>
>
>
> --
> RVM



-- 
regards,
Reinhard

Processed: severity of 888831 is normal

2018-06-03 Thread Debian Bug Tracking System 
Processing commands for cont...@bugs.debian.org:

> severity 31 normal
Bug #31 [firefox-esr] [firefox-esr] NS_ERROR_NET_INADEQUATE_SECURITY for 
https sites - libnss3 dependency
Severity set to 'normal' from 'grave'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
31: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=31
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#870233: marked as done (smplayer: executes javascript code downloaded from insecure URL)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 3 Jun 2018 16:48:29 -0400
with message-id 

and subject line Re: Bug#870233: smplayer: executes javascript code downloaded 
from insecure URL
has caused the Debian Bug report #870233,
regarding smplayer: executes javascript code downloaded from insecure URL
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
870233: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870233
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: smplayer
Version: 17.7.0~ds0-1
Severity: grave
Tags: security
Justification: user security hole

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

smplayer includes code in src/basegui.cpp to download and (I guess)
execute javascript code for parsing youtube paths.  The download URL is
http://updates.smplayer.info/yt.js which is insecure and therefore I
suspect easy to replace with evil code.


 - Jonas

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAll+w9sACgkQLHwxRsGg
ASEgTA//QMLa7jZwjXz3F1r+2NkukhdvQ5QQyZsXbk8sfHyOnCpHJmy2fqZhudmx
uq3hhOyCD1SVGLTGp0YURWe8ScwhebjqXfvtNIV4Xzz7oGkXGqWeBaYuYuEyvOF+
UtTDmKtg2ZbvbOjyuq4krEr8sKEH37WJn02esrDsrXSGrXmz5I42+pAlau5/vecb
NaHmcBs+jDKkLkoziKn3CSauqmmHXIn58ECO/cLD1ziPYGuZDjjgafUKxhQfDcKz
v5S/NbleKzWIMbgicpcXoru3FE88iBs8rKW0X8o0rg2AYXlvYjoTKFj3SAv5MYiv
Tlo9TgT7iWNXb2yK0FuxDDeG/FaM5g741CAWfAj/j9qTEF1E2Zf3F+YOrReFtMdw
szl2q2kw6vkmQzVA+0jBZIIw2VJCuMyDBxV5aDEEyaaw7Mc0l1rAFxHPcdq/Os/Q
UkW38xn5M0GMYOZAMOu55ymP6f5StrOTRqURUGCxY3ZcVTBSRMzG57ds8WlkcGa0
Rxb8EK/nCjAkbye7k1g9ajYuYEbYqdknBLZs9ngAEPF/CmadUmv7a+dfwAhfjy99
vXBiyJxNrwHwMZqqbZ7GYkplZOap5cuthJsA127bd9M4935ZmwgGY6hrx3+y4b5J
9FNO/9x1etJ2+skGjY+1t9vDBOuhqtE6VlR0i0N1bMKkxKM7J2w=
=ZQlT
-END PGP SIGNATURE-
--- End Message ---
--- Begin Message ---
Version: 17.11.2~ds0-1

Hi Jonas,

thank you for the report and sorry for the late reply,

On Mon, Jul 31, 2017 at 1:48 AM Jonas Smedegaard  wrote:

> smplayer includes code in src/basegui.cpp to download and (I guess)
> execute javascript code for parsing youtube paths.  The download URL is
> http://updates.smplayer.info/yt.js which is insecure and therefore I
> suspect easy to replace with evil code.

Apparently, this was already fixed upstream quite some time ago in
package version 17.11.2~ds0-1 without mentioning this in
debian/changelog. I'm therefore closing this bug manually.

Best regards,
reinhard--- End Message ---

Bug#879442: marked as done (pgloader FTBFS with cl-asdf 2:3.3.0-1)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 03 Jun 2018 22:44:36 +0200
with message-id <1528058676.9575.7.ca...@debian.org>
and subject line Re: pgloader FTBFS with cl-asdf 2:3.3.0-1
has caused the Debian Bug report #879442,
regarding pgloader FTBFS with cl-asdf 2:3.3.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
879442: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879442
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pgloader
Version: 3.3.2+dfsg-1
Severity: serious
Tags: buster sid

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/pgloader.html

...
buildapp --require sb-posix \
 --require sb-bsd-sockets   \
 --load /usr/share/common-lisp/source/cl-asdf/build/asdf.lisp \
 --asdf-path .  \
 --asdf-tree /usr/share/common-lisp/systems \
 --load-system asdf-finalizers  \
 --load-system asdf-system-connections  \
 --load-system pgloader \
 --load src/hooks.lisp  \
 --entry pgloader:main  \
 --dynamic-space-size 4096   \
 --compress-core\
 --output build/bin/pgloader
; compiling file "/usr/share/common-lisp/source/cl-asdf/build/asdf.lisp" 
(written 13 OCT 2017 04:56:23 AM):

; 
/build/1st/pgloader-3.4.1+dfsg/debian/home/.cache/common-lisp/sbcl-1.3.14.debian-linux-x64/usr/share/common-lisp/source/cl-asdf/build/asdf-TMP.fasl
 written
; compilation finished in 0:00:23.423
;; loading file #P"/usr/share/common-lisp/source/cl-asdf/build/asdf.lisp"
;; loading system "asdf-finalizers"
;; loading system "asdf-system-connections"
;; loading system "pgloader"
Fatal CIRCULAR-DEPENDENCY:
  Circular dependency:
 ((# . #)
  (#
   . #)
  (#
   . #)
  (#
   . #)
  (#
   . #)
  (#
   . #)
  (#
   . #))
debian/rules:31: recipe for target 'override_dh_auto_build' failed
make[1]: *** [override_dh_auto_build] Error 1
--- End Message ---
--- Begin Message ---
On Sat, 21 Oct 2017 19:02:41 +0300 Adrian Bunk  wrote:
> Source: pgloader
> Version: 3.3.2+dfsg-1
> Severity: serious
> Tags: buster sid
> 
> https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/pgloader.html

Since #900099 and #900155 have been fixed, pgloader no longer FTBFS. Closing.

-- 
⢀⣴⠾⠻⢶⣦⠀  Sébastien Villemot
⣾⠁⢠⠒⠀⣿⡁  Debian Developer
⢿⡄⠘⠷⠚⠋⠀  http://sebastien.villemot.name
⠈⠳⣄  http://www.debian.org


signature.asc
Description: This is a digitally signed message part
--- End Message ---

Bug#896768: marked as done (playitslowly: missing build dependency on python3-distutils)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 03 Jun 2018 20:43:51 +
with message-id 
and subject line Bug#896768: fixed in playitslowly 1.5.0-1.1
has caused the Debian Bug report #896768,
regarding playitslowly: missing build dependency on python3-distutils
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
896768: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896768
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: playitslowly
Version: 1.5.0-1
Severity: serious
Tags: buster sid

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/playitslowly.html

...
 fakeroot debian/rules clean
dh clean --with python3 --buildsystem=pybuild
   dh_auto_clean -O--buildsystem=pybuild
pybuild --clean -i python{version} -p 3.6
I: pybuild base:217: python3.6 setup.py clean 
Traceback (most recent call last):
  File "setup.py", line 5, in 
from distutils.core import setup
ModuleNotFoundError: No module named 'distutils.core'
E: pybuild pybuild:336: clean: plugin distutils failed with: exit code=1: 
python3.6 setup.py clean 
dh_auto_clean: pybuild --clean -i python{version} -p 3.6 returned exit code 13
make: *** [debian/rules:7: clean] Error 25


Due to

python3.6 (3.6.5~rc1-2) unstable; urgency=medium

  * python3.6: Drop dependency on python3-distutils.
...
 -- Matthias Klose   Tue, 20 Mar 2018 14:29:58 +0800
--- End Message ---
--- Begin Message ---
Source: playitslowly
Source-Version: 1.5.0-1.1

We believe that the bug you reported is fixed in the latest version of
playitslowly, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 896...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk  (supplier of updated playitslowly package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jun 2018 22:01:14 +0300
Source: playitslowly
Binary: playitslowly
Architecture: source
Version: 1.5.0-1.1
Distribution: unstable
Urgency: medium
Maintainer: Tiago Bortoletto Vaz 
Changed-By: Adrian Bunk 
Description:
 playitslowly - Plays back audio files at a different speed or pitch
Closes: 896768
Changes:
 playitslowly (1.5.0-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Add the missing build dependency on python3-distutils.
 (Closes: #896768)
Checksums-Sha1:
 37b9b1146fe2ded3a335f8e4f19f3981b7231144 1924 playitslowly_1.5.0-1.1.dsc
 1498b8effc87e4d16efe2c33426650ba5a9042eb 2688 
playitslowly_1.5.0-1.1.debian.tar.xz
Checksums-Sha256:
 eabaea638a4fa7364c5638d3554b347c107ef16d1704119984e5d9aad620e43c 1924 
playitslowly_1.5.0-1.1.dsc
 fbf30ec6c6e391c7fcb0eb354a31a9d69e5bb3ce9a2f17ce388ec9a038f551b7 2688 
playitslowly_1.5.0-1.1.debian.tar.xz
Files:
 ee43cfcbc1d3968db0b3453262439266 1924 gnome optional playitslowly_1.5.0-1.1.dsc
 b11bea6a633219f3f5a95cf5cf70ae16 2688 gnome optional 
playitslowly_1.5.0-1.1.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAlsUO7IACgkQiNJCh6LY
mLGx4g/9EFt0OvlxR1BtmBbm/dXvGcDrAubsjZ0Rh56kK2n8JFY4Q7oVXiNXQ+/r
q6Bzo4wRmh+BxLuA8nF5QKWLkcsC4AGPyzXPvLbh8HhaTAl5grZYRouNVfW/tJIH
tlh3bx1WMTKdOMSenVO5Qvddz52BRlegEIexd/TXUbv6o6CgWognNJ+Px7mNiy9N
pV9ku3sSYp8pUTry1iyPIw+A17AAKnHyB+7YTvy+OadoANtybsIPBQMkQuyZhUhC
OLOqD4gBOxzNxdiRder0+czwA9NgVN5l0UYeqRZ4I0OnzaW3oSZSF6olDb1bDhm5
EZ1z2R2qkmu3DBI8MwOmDwJhswmemJoB9lBeATarjh5SDAu85BnZp2kjB7TC3SdR
XauXAnLezE2Fox92DuJjG2f9YIGGRXvAirZ6ew+rVj/2kVoE1L23VgCt1Q3YE+F+
Fq7ptbZHhCVGtYl2bDBuTQXqmuHTSOaVvZpfzegMuwvoonYAJsAUkGJDNmv+N673
6ECoZdsa5ipN4AhS5mWcQSxbiGm+CFMSrGD0XfrsP86MzzCPdglEm5pFg8wUxMAK
HAihXmZUdwXcPjiLmmVeXQe6ZBaaQTnP/Lvk+kWMtbJH/MHeDmr+uS5owIDxCXd7
R3XSszJUcdwT6zOys2DqitN414oF4rQc8KddA0QrzajwVc5tw1E=
=XVSH
-END PGP SIGNATURE End Message ---

Bug#669214: marked as done (libjpedal-jbig2-java: obsolete depends default-jdk-builddep)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 03 Jun 2018 20:43:18 +
with message-id 
and subject line Bug#669214: fixed in libjpedal-jbig2-java 20100117-1.1
has caused the Debian Bug report #669214,
regarding libjpedal-jbig2-java: obsolete depends default-jdk-builddep
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
669214: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669214
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libjpedal-jbig2-java
Version: 20100117-1
Severity: normal

Package depends on obsolete default-jdk-builddep, please update.


-- System Information
Debian Release: wheezy/sid
  APT Prefers unstable
  APT policy: (990, unstable) (1, experimental)
Architecture: i386
Kernel: Linux taiko 3.2.0-2-686-pae #1 SMP Fri Apr 6 05:25:56 UTC 2012 i686 
GNU/Linux
Locale: LANG=en_US.UTF-8

-- Versions of packages `libjpedal-jbig2-java depends on'.


--- End Message ---
--- Begin Message ---
Source: libjpedal-jbig2-java
Source-Version: 20100117-1.1

We believe that the bug you reported is fixed in the latest version of
libjpedal-jbig2-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 669...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk  (supplier of updated libjpedal-jbig2-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 20 May 2018 22:22:27 +0300
Source: libjpedal-jbig2-java
Binary: libjpedal-jbig2-java
Architecture: source
Version: 20100117-1.1
Distribution: unstable
Urgency: high
Maintainer: Steffen Moeller 
Changed-By: Adrian Bunk 
Description:
 libjpedal-jbig2-java - library for accession of large images
Closes: 669214
Changes:
 libjpedal-jbig2-java (20100117-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Apply changes from Jari Aalto:
 - Update to packaging format "3.0 quilt".
 - Update to Standards-Version to 3.9.3 and debhelper to 9.
 - Change obsolete depends default-jdk-builddep to default-jdk
   (Closes: #669214),
Checksums-Sha1:
 76eec2d3f3444ce8acb504a96d4301fd3c289c2f 1863 
libjpedal-jbig2-java_20100117-1.1.dsc
 72a5e9364a89da8fadbe8e9459cb46745b087b67 2432 
libjpedal-jbig2-java_20100117-1.1.debian.tar.xz
Checksums-Sha256:
 708dc2c73aef30676506160da538848d5c1945f32810204eec6e59626aa68b51 1863 
libjpedal-jbig2-java_20100117-1.1.dsc
 1191222fac171c2eab6c1bd40f8fe25cfc1a0d079b90900997d4a63bd292bca9 2432 
libjpedal-jbig2-java_20100117-1.1.debian.tar.xz
Files:
 89e7e033dfb77c8a39250c66b2fd2231 1863 java extra 
libjpedal-jbig2-java_20100117-1.1.dsc
 92213c2a083781a1337161ae45f4c2c7 2432 java extra 
libjpedal-jbig2-java_20100117-1.1.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAlsBzAwACgkQiNJCh6LY
mLElGRAAo0GyU9WMXHqMs2o8dYDL4cUKLDPMZYK+mggubLo5wrjFAhtG+hMRbWcQ
23ahcC2k1dXuO8e1UP6TOVuM8fycMVlDAEfA2L1Qn8isouidftTtNnMedcXPRTvA
Q6c9FNnOP+n4MLHxXrFVT5kS1xmP/E/BxqDgwKhLGwy0IxVZ4S0iCEuVRXwaNgIC
9sqwnmTqHS7K7rHBQ5cvg5GRdq78PbxPmIQj6xmqjb0f0CNcntmw8WOQ7HaJp0i6
EVo75Nq64QMe65STmuQZkU/Ct4xbPBSkHkFQGcL12kwbcoxyvpAnOOw4JJngC18c
Vnuf9Xf/TCkTOBtw/7ydtwaMtXpqUBazTiy5AG8mluuD6IbEkaXhMBq7GsjmPkLQ
GEfFvzhVm6sz2J7UglDru/A/XXlC2+PzwVJG9aFyC0hTHMzqcBSqqFlAo17nQA8H
0mmN9XHy2WE9daFV6UO+ZlEZ8Y/vBsAVkSGO9SxoCzNTDNEDDXERkKag3qRf95uf
dbPZc+UpcSjRPn0vnjxKPjbNqnQcWAdJI7V2zJxacl31wI3S/am9GJTFb6T3jL7I
Zr93bo1gkmdeN04p85/zpaMGSx7GRcClHQ5DWKDBVuG22D7+4+SAoevXGbN2Fbpl
JxNMDph+AOt0D8rHOy6M4J64hvorHHeI6gZF5N1r5uT9lRySNNI=
=HDtq
-END PGP SIGNATURE End Message ---

Bug#897453: marked as done (mtbl: FTBFS: configure: error: Package requirements (liblz4 > 129) were not met)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 3 Jun 2018 23:26:46 +0300
with message-id <20180603202646.GF17315@localhost>
and subject line Already fixed in experimental
has caused the Debian Bug report #897453,
regarding mtbl: FTBFS: configure: error: Package requirements (liblz4 > 129) 
were not met
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
897453: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897453
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mtbl
Version: 0.8.0-1
Severity: serious
Tags: buster sid
User: debian...@lists.debian.org
Usertags: qa-ftbfs-20180502 qa-ftbfs
Justification: FTBFS on amd64

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64.

Relevant part (hopefully):
> checking whether to build shared libraries... yes
> checking whether to build static libraries... yes
> checking for pkg-config... /usr/bin/pkg-config
> checking pkg-config is at least version 0.9.0... yes
> checking for liblz4... no
> configure: error: Package requirements (liblz4 > 129) were not met
> 
> Requested 'liblz4 > 129' but version of lz4 is 1.8.1
> You may find new versions of lz4 at http://www.lz4.org/
> 
> Consider adjusting the PKG_CONFIG_PATH environment variable if you
> installed software in a non-standard prefix.
> 
> Alternatively, you may set the environment variables liblz4_CFLAGS
> and liblz4_LIBS to avoid the need to call pkg-config.
> See the pkg-config man page for more details.
>   tail -v -n \+0 config.log

The full build log is available from:
   http://aws-logs.debian.net/2018/05/02/mtbl_0.8.0-1_unstable.log

A list of current common problems and possible solutions is available at
http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute!

About the archive rebuild: The rebuild was done on EC2 VM instances from
Amazon Web Services, using a clean, minimal and up-to-date chroot. Every
failed build was retried once to eliminate random failures.
--- End Message ---
--- Begin Message ---
Version: 1.1.1-2

This seems to be already fixed in experimental:
https://tests.reproducible-builds.org/debian/rb-pkg/experimental/amd64/mtbl.html

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed--- End Message ---

Bug#896403: faker: diff for NMU version 0.7.7-2.1

2018-06-03 Thread Adrian Bunk 
Control: tags 896403 + patch
Control: tags 896403 + pending

Dear maintainer,

I've prepared an NMU for faker (versioned as 0.7.7-2.1) and uploaded
it to DELAYED/2. Please feel free to tell me if I should cancel it.

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed

diff -Nru faker-0.7.7/debian/changelog faker-0.7.7/debian/changelog
--- faker-0.7.7/debian/changelog	2017-01-31 08:32:59.0 +0200
+++ faker-0.7.7/debian/changelog	2018-06-03 23:17:06.0 +0300
@@ -1,3 +1,11 @@
+faker (0.7.7-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * python-fake-factory: Add the missing dependency
+on python-ipaddress. (Closes: #896403)
+
+ -- Adrian Bunk   Sun, 03 Jun 2018 23:17:06 +0300
+
 faker (0.7.7-2) unstable; urgency=high
 
   * Fix Non-determistically FTBFS due to tests sometimes exposing
diff -Nru faker-0.7.7/debian/control faker-0.7.7/debian/control
--- faker-0.7.7/debian/control	2017-01-30 23:27:11.0 +0200
+++ faker-0.7.7/debian/control	2018-06-03 23:17:06.0 +0300
@@ -23,7 +23,7 @@
 Package: python-fake-factory
 Architecture: all
 Depends: ${misc:Depends},
- ${python:Depends}
+ ${python:Depends}, python-ipaddress
 Description: Faker is a Python library that generates fake data (Python 2)
  The fake data can be used to bootstrap a database, create XML documents, or
  anonymize data taken from a production service.

Processed: faker: diff for NMU version 0.7.7-2.1

2018-06-03 Thread Debian Bug Tracking System 
Processing control commands:

> tags 896403 + patch
Bug #896403 [python-fake-factory] python-fake-factory: faker fails to import
Added tag(s) patch.
> tags 896403 + pending
Bug #896403 [python-fake-factory] python-fake-factory: faker fails to import
Added tag(s) pending.

-- 
896403: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896403
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#896768: playitslowly: diff for NMU version 1.5.0-1.1

2018-06-03 Thread Adrian Bunk 
On Sun, Jun 03, 2018 at 04:33:59PM -0300, Tiago Bortoletto Vaz wrote:
> Hi Adrian,

Hi Thiago,

> Thanks for the NMU, feel free to reschedule it for a immediate upload.

thanks, done.

> Bests,

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed

Processed: python-ipcalc: diff for NMU version 1.99.0-3.1

2018-06-03 Thread Debian Bug Tracking System 
Processing control commands:

> tags 896290 + patch
Bug #896290 [python-ipcalc] python-ipcalc: ipcalc fails to import
Added tag(s) patch.
> tags 896290 + pending
Bug #896290 [python-ipcalc] python-ipcalc: ipcalc fails to import
Added tag(s) pending.

-- 
896290: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896290
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#896290: python-ipcalc: diff for NMU version 1.99.0-3.1

2018-06-03 Thread Adrian Bunk 
Control: tags 896290 + patch
Control: tags 896290 + pending

Dear maintainer,

I've prepared an NMU for python-ipcalc (versioned as 1.99.0-3.1) and
uploaded it to DELAYED/15. Please feel free to tell me if I
should cancel it.

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed

diff -Nru python-ipcalc-1.99.0/debian/changelog python-ipcalc-1.99.0/debian/changelog
--- python-ipcalc-1.99.0/debian/changelog	2017-01-30 11:14:22.0 +0200
+++ python-ipcalc-1.99.0/debian/changelog	2018-06-03 22:33:06.0 +0300
@@ -1,3 +1,10 @@
+python-ipcalc (1.99.0-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add the missing dependency on python-six. (Closes: #896290)
+
+ -- Adrian Bunk   Sun, 03 Jun 2018 22:33:06 +0300
+
 python-ipcalc (1.99.0-3) unstable; urgency=medium
 
   * Fixing wrong VCS URL
diff -Nru python-ipcalc-1.99.0/debian/control python-ipcalc-1.99.0/debian/control
--- python-ipcalc-1.99.0/debian/control	2017-01-30 11:14:22.0 +0200
+++ python-ipcalc-1.99.0/debian/control	2018-06-03 22:33:06.0 +0300
@@ -13,7 +13,7 @@
 
 Package: python-ipcalc
 Architecture: all
-Depends: ${python:Depends}, ${misc:Depends}
+Depends: ${python:Depends}, python-six, ${misc:Depends}
 Provides: ${python:Provides}
 Recommends: ${python:Recommends}
 Description: Python IP subnet calculator

Processed: Re: jaxb 2.3.0.1-2 FTBFS

2018-06-03 Thread Debian Bug Tracking System 
Processing control commands:

> severity -1 serious
Bug #882525 [src:jaxb] netbeans FTBFS with jaxb 2.3.0
Severity set to 'serious' from 'important'

-- 
882525: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882525
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#896768: playitslowly: diff for NMU version 1.5.0-1.1

2018-06-03 Thread Tiago Bortoletto Vaz 
Hi Adrian,

Thanks for the NMU, feel free to reschedule it for a immediate upload.

Bests,

On Sun, Jun 03, 2018 at 10:04:59PM +0300, Adrian Bunk wrote:
> Control: tags 896768 + patch
> Control: tags 896768 + pending
> 
> Dear maintainer,
> 
> I've prepared an NMU for playitslowly (versioned as 1.5.0-1.1) and 
> uploaded it to DELAYED/14. Please feel free to tell me if I should 
> cancel it.
> 
> cu
> Adrian
> 
> -- 
> 
>"Is there not promise of rain?" Ling Tan asked suddenly out
> of the darkness. There had been need of rain for many days.
>"Only a promise," Lao Er said.
>Pearl S. Buck - Dragon Seed
> 



-- 
tiago

Processed: python-pgspecial: diff for NMU version 1.9.0-1.1

2018-06-03 Thread Debian Bug Tracking System 
Processing control commands:

> tags 896246 + patch
Bug #896246 [python3-pgspecial] python3-pgspecial: pgspecial fails to import
Added tag(s) patch.
> tags 896246 + pending
Bug #896246 [python3-pgspecial] python3-pgspecial: pgspecial fails to import
Added tag(s) pending.
> tags 896291 + patch
Bug #896291 [python-pgspecial] python-pgspecial: pgspecial fails to import
Added tag(s) patch.
> tags 896291 + pending
Bug #896291 [python-pgspecial] python-pgspecial: pgspecial fails to import
Added tag(s) pending.

-- 
896246: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896246
896291: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896291
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#896291: python-pgspecial: diff for NMU version 1.9.0-1.1

2018-06-03 Thread Adrian Bunk 
Control: tags 896246 + patch
Control: tags 896246 + pending
Control: tags 896291 + patch
Control: tags 896291 + pending

Dear maintainer,

I've prepared an NMU for python-pgspecial (versioned as 1.9.0-1.1) and 
uploaded it to DELAYED/15. Please feel free to tell me if I should 
cancel it.

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed

diff -Nru python-pgspecial-1.9.0/debian/changelog python-pgspecial-1.9.0/debian/changelog
--- python-pgspecial-1.9.0/debian/changelog	2017-10-30 03:47:55.0 +0200
+++ python-pgspecial-1.9.0/debian/changelog	2018-06-03 22:17:15.0 +0300
@@ -1,3 +1,11 @@
+python-pgspecial (1.9.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add the missing dependencies on python{,3}-psycopg2.
+(Closes: #896291, #896246)
+
+ -- Adrian Bunk   Sun, 03 Jun 2018 22:17:15 +0300
+
 python-pgspecial (1.9.0-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru python-pgspecial-1.9.0/debian/control python-pgspecial-1.9.0/debian/control
--- python-pgspecial-1.9.0/debian/control	2017-10-30 03:45:04.0 +0200
+++ python-pgspecial-1.9.0/debian/control	2018-06-03 22:17:15.0 +0300
@@ -25,7 +25,7 @@
 Package: python-pgspecial
 Architecture: all
 Depends: ${misc:Depends},
- ${python:Depends},
+ ${python:Depends}, python-psycopg2
 Description: Meta-commands handler for Postgres Database (Python 2)
  This package provides an API to execute meta-commands (AKA "special", or
  "backslash commands") on PostgreSQL.
@@ -35,7 +35,7 @@
 Package: python3-pgspecial
 Architecture: all
 Depends: ${misc:Depends},
- ${python3:Depends},
+ ${python3:Depends}, python3-psycopg2
 Description: Meta-commands handler for Postgres Database (Python 3)
  This package provides an API to execute meta-commands (AKA "special", or
  "backslash commands") on PostgreSQL.

Processed: python-pgspecial: diff for NMU version 1.9.0-1.1

2018-06-03 Thread Debian Bug Tracking System 
Processing control commands:

> tags 896246 + patch
Bug #896246 [python3-pgspecial] python3-pgspecial: pgspecial fails to import
Ignoring request to alter tags of bug #896246 to the same tags previously set
> tags 896246 + pending
Bug #896246 [python3-pgspecial] python3-pgspecial: pgspecial fails to import
Ignoring request to alter tags of bug #896246 to the same tags previously set
> tags 896291 + patch
Bug #896291 [python-pgspecial] python-pgspecial: pgspecial fails to import
Ignoring request to alter tags of bug #896291 to the same tags previously set
> tags 896291 + pending
Bug #896291 [python-pgspecial] python-pgspecial: pgspecial fails to import
Ignoring request to alter tags of bug #896291 to the same tags previously set

-- 
896246: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896246
896291: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896291
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#898944: marked as done (CVE-2018-6561)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 03 Jun 2018 19:20:08 +
with message-id 
and subject line Bug#898944: fixed in dojo 1.13.0+dfsg1-1
has caused the Debian Bug report #898944,
regarding CVE-2018-6561
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
898944: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898944
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dojo
Severity: grave
Tags: security

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6561

Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Source: dojo
Source-Version: 1.13.0+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
dojo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 898...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated dojo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jun 2018 20:40:08 +0200
Source: dojo
Binary: libjs-dojo-core libjs-dojo-dijit libjs-dojo-dojox shrinksafe
Architecture: source all
Version: 1.13.0+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers 

Changed-By: Bastien Roucariès 
Description:
 libjs-dojo-core - modular JavaScript toolkit
 libjs-dojo-dijit - modular JavaScript toolkit - Dijit
 libjs-dojo-dojox - modular JavaScript toolkit - DojoX
 shrinksafe - JavaScript compression system
Closes: 831548 852923 863693 898944
Changes:
 dojo (1.13.0+dfsg1-1) unstable; urgency=high
 .
   * Add myself as uploader
   * New upstream release
   * Remove swf file
   * Bump compat and standard version
   * Install shrinksafe to /usr/share/java/shrinksafe
   * Do not use mtasc Closes: #831548).
 Bail early on the storage plugin, fallback to next storage
 plugin.
   * Move to git dpm
   * Bug fix: "Updating the dojo Uploaders list", thanks to Tobias Frost
 (Closes: #863693).
   * Dojo is now the new upstream of shrinksafe. New shrinksafe will fix
 FTBFS: OPTIMIZER FAILED: JavaException:
 java.lang.RuntimeException: null, thanks to Lucas Nussbaum
 (Closes: #852923).
   * Install dojox documentation
   * Fix CVE-2018-6561 (Closes: #898944)
 dijit.Editor in Dojo Toolkit 1.13 allows XSS via
 the onload attribute of an SVG element.
Checksums-Sha1:
 9bef2b9b3121348acdef3fa43456a611665fd5fb 2386 dojo_1.13.0+dfsg1-1.dsc
 f522f355f1773b3b0e9eaa1ab37c6dfe2c1b036f 33885989 dojo_1.13.0+dfsg1.orig.tar.gz
 9e41e0df65224abdf22767ddeca14da9872f006a 16096 
dojo_1.13.0+dfsg1-1.debian.tar.xz
 eb57aeb3a8d34c0cfe8a829f848682b98db66c3a 12569 
dojo_1.13.0+dfsg1-1_amd64.buildinfo
 5931c794b041fcba9eda5a6a3760fd43d4646c74 496444 
libjs-dojo-core_1.13.0+dfsg1-1_all.deb
 c0f7c604d1a2645341f1cd16b14b5f42889a51b3 803656 
libjs-dojo-dijit_1.13.0+dfsg1-1_all.deb
 5471f0cc09daa6b272871cb929124e4f77a8493c 2728708 
libjs-dojo-dojox_1.13.0+dfsg1-1_all.deb
 08722daa870d62ddd6664f3d097f778199e1fca6 255336 
shrinksafe_1.13.0+dfsg1-1_all.deb
Checksums-Sha256:
 50e970709e29ad36d78f6136f6e581cc255379fd15672a7d14e41958410f9a6f 2386 
dojo_1.13.0+dfsg1-1.dsc
 62bee07718b32770624af0b4f7cd91afd12df085bfa5eef5858c535f30672dc3 33885989 
dojo_1.13.0+dfsg1.orig.tar.gz
 24c418b478a89ad54d287f8c078946e11f327399cf7a1060fa54c618877ad399 16096 
dojo_1.13.0+dfsg1-1.debian.tar.xz
 a90acca4884e6630f1a008a50f44aec5b73c1751ce9000406ba42a655448be80 12569 
dojo_1.13.0+dfsg1-1_amd64.buildinfo
 9cbf1420214136dbfe42ca9288463e5dc04924ca4495c9d6d7b55f7185a3b4f5 496444 
libjs-dojo-core_1.13.0+dfsg1-1_all.deb
 860efdd497d50ecb5e811df0487c2860a85f8c9466a0af660585c0fc67986230 803656 
libjs-dojo-dijit_1.13.0+dfsg1-1_all.deb
 e567b724a07312f7d82cec6c75efee466a74380bceb2f6e70d665af483d767b8 2728708 
libjs-dojo-dojox_1.13.0+dfsg1-1_all.deb
 c63a35749fb78428e126d8ea3e9b25dfd4ff53aaf363ac11c661af9b03d0eb6b 255336 
shrinksafe_1.13.0+dfsg1-1_all.deb
Files:
 851d674ac708650d8e28185ec76fcb81 2386 javascript optional 
dojo_1.13.0+dfsg1-1.dsc
 65bb5479ec52de977795eda738585c3b 33885989 javascript optional 
dojo_1.13.0+dfsg1.orig.tar.gz
 3841026bbcbe9aa23591a281d15b10f7 16096 javascript optional 
dojo_1.13.0+dfsg1-1.debian.tar.xz

Bug#852923: marked as done (dojo: FTBFS: OPTIMIZER FAILED: JavaException: java.lang.RuntimeException: null)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 03 Jun 2018 19:20:07 +
with message-id 
and subject line Bug#852923: fixed in dojo 1.13.0+dfsg1-1
has caused the Debian Bug report #852923,
regarding dojo: FTBFS: OPTIMIZER FAILED: JavaException: 
java.lang.RuntimeException: null
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
852923: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852923
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dojo
Version: 1.11.0+dfsg-1
Severity: serious
Tags: stretch sid
User: debian...@lists.debian.org
Usertags: qa-ftbfs-20170128 qa-ftbfs
Justification: FTBFS on amd64

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64.

Relevant part (hopefully):
> make[1]: Entering directory '/<>/dojo-1.11.0+dfsg'
> ln -s /usr/share/java/js.jar /usr/share/java/shrinksafe.jar util/shrinksafe/
> cd util/buildscripts && ./build.sh profile=standard action=release
> processing profile resource 
> /<>/dojo-1.11.0+dfsg/util/buildscripts/profiles/standard.profile.js
> info(107) Package Version: package: dijit; version: 1.11.0
> processing profile resource 
> /<>/dojo-1.11.0+dfsg/dijit/dijit.profile.js
> info(107) Package Version: package: dojox; version: 1.11.0
> processing profile resource 
> /<>/dojo-1.11.0+dfsg/dojox/dojox.profile.js
> info(107) Package Version: package: dojo; version: 1.11.0
> processing profile resource 
> /<>/dojo-1.11.0+dfsg/dojo/dojo.profile.js
> discovering resources...
> starting reading resources...
> starting processing raw resource content...
> starting tokenizing resource...
> starting processing resource tokens...
> starting parsing resource...
> starting processing resource AST...
> warn(224) A plugin dependency was encountered but there was no build-time 
> plugin resolver. module: dijit/Fieldset; plugin: dojo/query
> warn(224) A plugin dependency was encountered but there was no build-time 
> plugin resolver. module: dijit/RadioMenuItem; plugin: dojo/query
> warn(224) A plugin dependency was encountered but there was no build-time 
> plugin resolver. module: dijit/Tree; plugin: dojo/query
> warn(216) dojo/has plugin resource could not be resolved during build-time. 
> plugin resource id: dojo-bidi?./_BidiMixin; reference module id: 
> dijit/_WidgetBase
> warn(224) A plugin dependency was encountered but there was no build-time 
> plugin resolver. module: dijit/form/_RadioButtonMixin; plugin: dojo/query
> warn(216) dojo/has plugin resource could not be resolved during build-time. 
> plugin resource id: dojo-bidi?./bidi/Chart; reference module id: 
> dojox/charting/Chart
> warn(216) dojo/has plugin resource could not be resolved during build-time. 
> plugin resource id: dojo-bidi?./bidi/Chart3D; reference module id: 
> dojox/charting/Chart3D
> warn(216) dojo/has plugin resource could not be resolved during build-time. 
> plugin resource id: dojo-bidi?../bidi/action2d/ZoomAndPan; reference module 
> id: dojox/charting/action2d/MouseZoomAndPan
> warn(216) dojo/has plugin resource could not be resolved during build-time. 
> plugin resource id: dojo-bidi?../bidi/action2d/Tooltip; reference module id: 
> dojox/charting/action2d/Tooltip
> warn(216) dojo/has plugin resource could not be resolved during build-time. 
> plugin resource id: dojo-bidi?../bidi/action2d/ZoomAndPan; reference module 
> id: dojox/charting/action2d/TouchZoomAndPan
> warn(216) dojo/has plugin resource could not be resolved during build-time. 
> plugin resource id: dojo-bidi?../bidi/axis2d/Default; reference module id: 
> dojox/charting/axis2d/Default
> warn(216) dojo/has plugin resource could not be resolved during build-time. 
> plugin resource id: dojo-bidi?../bidi/widget/Chart; reference module id: 
> dojox/charting/widget/Chart
> warn(216) dojo/has plugin resource could not be resolved during build-time. 
> plugin resource id: dojo-bidi?../bidi/widget/Legend; reference module id: 
> dojox/charting/widget/Legend
> warn(216) dojo/has plugin resource could not be resolved during build-time. 
> plugin resource id: dojo-bidi?./bidi/_BidiMixin; reference module id: 
> dojox/grid/DataGrid
> warn(216) dojo/has plugin resource could not be resolved during build-time. 
> plugin resource id: dojo-bidi?dojox/mobile/bidi/Accordion; reference module 
> id: dojox/mobile/Accordion
> warn(216) dojo/has plugin resource could not be resolved during build-time. 
> plugin resource id: dojo-bidi?dojox/mobile/bidi/Badge; reference module id: 
> dojox/mobile/Badge
> warn(216) dojo/has plugin resource could not be resolved during build-time. 
> plugin resource id:

Bug#831548: marked as done (dojo: mtasc removal)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 03 Jun 2018 19:20:07 +
with message-id 
and subject line Bug#831548: fixed in dojo 1.13.0+dfsg1-1
has caused the Debian Bug report #831548,
regarding dojo: mtasc removal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
831548: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831548
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dojo
Severity: normal

I would like to remove mtasc from the Debian archive. It has been
unmaintained in Debian and upstream for years. The web ecosystem is
moving away from Flash towards standard web technologies, which can
now replace most use of Flash. Debian should encourage our upstreams
to move towards standard web technologies like HTML5 and JavaScript.
Please talk to your upstreams about transitioning away from
ActionScript 2 towards HTML5 JavaScript. If they need to still
support Flash for some users, then they should switch to something
like Haxe. 

-- 

bye,
pabs

https://wiki.debian.org/PaulWise


signature.asc
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---
Source: dojo
Source-Version: 1.13.0+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
dojo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 831...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated dojo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jun 2018 20:40:08 +0200
Source: dojo
Binary: libjs-dojo-core libjs-dojo-dijit libjs-dojo-dojox shrinksafe
Architecture: source all
Version: 1.13.0+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers 

Changed-By: Bastien Roucariès 
Description:
 libjs-dojo-core - modular JavaScript toolkit
 libjs-dojo-dijit - modular JavaScript toolkit - Dijit
 libjs-dojo-dojox - modular JavaScript toolkit - DojoX
 shrinksafe - JavaScript compression system
Closes: 831548 852923 863693 898944
Changes:
 dojo (1.13.0+dfsg1-1) unstable; urgency=high
 .
   * Add myself as uploader
   * New upstream release
   * Remove swf file
   * Bump compat and standard version
   * Install shrinksafe to /usr/share/java/shrinksafe
   * Do not use mtasc Closes: #831548).
 Bail early on the storage plugin, fallback to next storage
 plugin.
   * Move to git dpm
   * Bug fix: "Updating the dojo Uploaders list", thanks to Tobias Frost
 (Closes: #863693).
   * Dojo is now the new upstream of shrinksafe. New shrinksafe will fix
 FTBFS: OPTIMIZER FAILED: JavaException:
 java.lang.RuntimeException: null, thanks to Lucas Nussbaum
 (Closes: #852923).
   * Install dojox documentation
   * Fix CVE-2018-6561 (Closes: #898944)
 dijit.Editor in Dojo Toolkit 1.13 allows XSS via
 the onload attribute of an SVG element.
Checksums-Sha1:
 9bef2b9b3121348acdef3fa43456a611665fd5fb 2386 dojo_1.13.0+dfsg1-1.dsc
 f522f355f1773b3b0e9eaa1ab37c6dfe2c1b036f 33885989 dojo_1.13.0+dfsg1.orig.tar.gz
 9e41e0df65224abdf22767ddeca14da9872f006a 16096 
dojo_1.13.0+dfsg1-1.debian.tar.xz
 eb57aeb3a8d34c0cfe8a829f848682b98db66c3a 12569 
dojo_1.13.0+dfsg1-1_amd64.buildinfo
 5931c794b041fcba9eda5a6a3760fd43d4646c74 496444 
libjs-dojo-core_1.13.0+dfsg1-1_all.deb
 c0f7c604d1a2645341f1cd16b14b5f42889a51b3 803656 
libjs-dojo-dijit_1.13.0+dfsg1-1_all.deb
 5471f0cc09daa6b272871cb929124e4f77a8493c 2728708 
libjs-dojo-dojox_1.13.0+dfsg1-1_all.deb
 08722daa870d62ddd6664f3d097f778199e1fca6 255336 
shrinksafe_1.13.0+dfsg1-1_all.deb
Checksums-Sha256:
 50e970709e29ad36d78f6136f6e581cc255379fd15672a7d14e41958410f9a6f 2386 
dojo_1.13.0+dfsg1-1.dsc
 62bee07718b32770624af0b4f7cd91afd12df085bfa5eef5858c535f30672dc3 33885989 
dojo_1.13.0+dfsg1.orig.tar.gz
 24c418b478a89ad54d287f8c078946e11f327399cf7a1060fa54c618877ad399 16096 
dojo_1.13.0+dfsg1-1.debian.tar.xz
 a90acca4884e6630f1a008a50f44aec5b73c1751ce9000406ba42a655448be80 12569 
dojo_1.13.0+dfsg1-1_amd64.buildinfo
 9cbf1420214136dbfe42ca9288463e5dc04924ca4495c9d6d7b55f7185a3b4f5 496444 
libjs-dojo-core_1.13.0+dfsg1-1_all.deb

Bug#869864: marked as done (dojo: New version available, watch file fails)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 03 Jun 2018 19:20:07 +
with message-id 
and subject line Bug#852923: fixed in dojo 1.13.0+dfsg1-1
has caused the Debian Bug report #852923,
regarding dojo: New version available, watch file fails
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
852923: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852923
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dojo
Version: 1.11.0
Severity: serious
Justification: fails to build from source (but built successfully in the past)

Dear Maintainer,

the dojo package fails to build, which blocks the package tt-rss from entering 
testing.
There is a new version available (1.12.2), which has not been recognized, sine 
the
watch task fails with:

uscan had problems while searching for a new upstream version:
In watchfile debian/watch, reading webpage
  http://download.dojotoolkit.org/dojo-release-1.12.2-shrinksafe.tar.gz/ 
failed: 404 Not Found

Maybe try github instead?
https://github.com/dojo/dojo/releases

Maybe a package upgrade and a small cleanup will make it build again.

Stefan

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.11.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: dojo
Source-Version: 1.13.0+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
dojo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 852...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated dojo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jun 2018 20:40:08 +0200
Source: dojo
Binary: libjs-dojo-core libjs-dojo-dijit libjs-dojo-dojox shrinksafe
Architecture: source all
Version: 1.13.0+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers 

Changed-By: Bastien Roucariès 
Description:
 libjs-dojo-core - modular JavaScript toolkit
 libjs-dojo-dijit - modular JavaScript toolkit - Dijit
 libjs-dojo-dojox - modular JavaScript toolkit - DojoX
 shrinksafe - JavaScript compression system
Closes: 831548 852923 863693 898944
Changes:
 dojo (1.13.0+dfsg1-1) unstable; urgency=high
 .
   * Add myself as uploader
   * New upstream release
   * Remove swf file
   * Bump compat and standard version
   * Install shrinksafe to /usr/share/java/shrinksafe
   * Do not use mtasc Closes: #831548).
 Bail early on the storage plugin, fallback to next storage
 plugin.
   * Move to git dpm
   * Bug fix: "Updating the dojo Uploaders list", thanks to Tobias Frost
 (Closes: #863693).
   * Dojo is now the new upstream of shrinksafe. New shrinksafe will fix
 FTBFS: OPTIMIZER FAILED: JavaException:
 java.lang.RuntimeException: null, thanks to Lucas Nussbaum
 (Closes: #852923).
   * Install dojox documentation
   * Fix CVE-2018-6561 (Closes: #898944)
 dijit.Editor in Dojo Toolkit 1.13 allows XSS via
 the onload attribute of an SVG element.
Checksums-Sha1:
 9bef2b9b3121348acdef3fa43456a611665fd5fb 2386 dojo_1.13.0+dfsg1-1.dsc
 f522f355f1773b3b0e9eaa1ab37c6dfe2c1b036f 33885989 dojo_1.13.0+dfsg1.orig.tar.gz
 9e41e0df65224abdf22767ddeca14da9872f006a 16096 
dojo_1.13.0+dfsg1-1.debian.tar.xz
 eb57aeb3a8d34c0cfe8a829f848682b98db66c3a 12569 
dojo_1.13.0+dfsg1-1_amd64.buildinfo
 5931c794b041fcba9eda5a6a3760fd43d4646c74 496444 
libjs-dojo-core_1.13.0+dfsg1-1_all.deb
 c0f7c604d1a2645341f1cd16b14b5f42889a51b3 803656 
libjs-dojo-dijit_1.13.0+dfsg1-1_all.deb
 5471f0cc09daa6b272871cb929124e4f77a8493c 2728708 
libjs-dojo-dojox_1.13.0+dfsg1-1_all.deb
 08722daa870d62ddd6664f3d097f778199e1fca6 255336 
shrinksafe_1.13.0+dfsg1-1_all.deb
Checksums-Sha256:
 50e970709e29ad36d78f6136f6e581cc255379fd15672a7d14e41958410f9a6f 2386 
dojo_1.13.0+dfsg1-1.dsc
 62bee07718b32770624af0b4f7cd91afd12df085bfa5eef5858c535f30672dc3 33885989

Bug#900709: rapid-photo-downloader: Many dependencies seem to be missing

2018-06-03 Thread Adrian Bunk 
Package: rapid-photo-downloader
Version: 0.9.9-1
Severity: serious

$ rapid-photo-downloader 
Traceback (most recent call last):
  File "/usr/bin/rapid-photo-downloader", line 11, in 
load_entry_point('rapid-photo-downloader==0.9.9', 'gui_scripts', 
'rapid-photo-downloader')()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 480, in 
load_entry_point
return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2691, 
in load_entry_point
return ep.load()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2322, 
in load
return self.resolve()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2328, 
in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python3/dist-packages/raphodo/rapid.py", line 73, in 
import gphoto2 as gp
ModuleNotFoundError: No module named 'gphoto2'
$ sudo apt-get install python3-gphoto2
$ rapid-photo-downloader 
Traceback (most recent call last):
  File "/usr/bin/rapid-photo-downloader", line 11, in 
load_entry_point('rapid-photo-downloader==0.9.9', 'gui_scripts', 
'rapid-photo-downloader')()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 480, in 
load_entry_point
return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2691, 
in load_entry_point
return ep.load()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2322, 
in load
return self.resolve()
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2328, 
in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python3/dist-packages/raphodo/rapid.py", line 161, in 
from raphodo.newversion import (
  File "/usr/lib/python3/dist-packages/raphodo/newversion.py", line 40, in 

import requests
ModuleNotFoundError: No module named 'requests'
$ sudo apt-get install python3-requests
$  rapid-photo-downloader   
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-bunk'
libGL error: MESA-LOADER: failed to retrieve device information
libGL error: Version 4 or later of flush extension not found
libGL error: failed to load driver: i915
libGL error: failed to open drm device: No such file or directory
libGL error: failed to load driver: i965
ERRORpymediainfo is installed, but the library libmediainfo appears to be 
missing


This was not even on a clean system, please check in a clean chroot
that no dependencies are missing.

Processed: playitslowly: diff for NMU version 1.5.0-1.1

2018-06-03 Thread Debian Bug Tracking System 
Processing control commands:

> tags 896768 + patch
Bug #896768 [src:playitslowly] playitslowly: missing build dependency on 
python3-distutils
Added tag(s) patch.
> tags 896768 + pending
Bug #896768 [src:playitslowly] playitslowly: missing build dependency on 
python3-distutils
Added tag(s) pending.

-- 
896768: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896768
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#896768: playitslowly: diff for NMU version 1.5.0-1.1

2018-06-03 Thread Adrian Bunk 
Control: tags 896768 + patch
Control: tags 896768 + pending

Dear maintainer,

I've prepared an NMU for playitslowly (versioned as 1.5.0-1.1) and 
uploaded it to DELAYED/14. Please feel free to tell me if I should 
cancel it.

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed

diff -Nru playitslowly-1.5.0/debian/changelog playitslowly-1.5.0/debian/changelog
--- playitslowly-1.5.0/debian/changelog	2016-12-03 22:39:26.0 +0200
+++ playitslowly-1.5.0/debian/changelog	2018-06-03 22:01:14.0 +0300
@@ -1,3 +1,11 @@
+playitslowly (1.5.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add the missing build dependency on python3-distutils.
+(Closes: #896768)
+
+ -- Adrian Bunk   Sun, 03 Jun 2018 22:01:14 +0300
+
 playitslowly (1.5.0-1) unstable; urgency=medium
 
   * Make the build reproducible. Thanks to Chris Lamb. (Closes: 839631)
diff -Nru playitslowly-1.5.0/debian/control playitslowly-1.5.0/debian/control
--- playitslowly-1.5.0/debian/control	2016-12-03 22:35:26.0 +0200
+++ playitslowly-1.5.0/debian/control	2018-06-03 22:01:14.0 +0300
@@ -2,7 +2,7 @@
 Section: gnome
 Priority: optional
 Maintainer: Tiago Bortoletto Vaz 
-Build-Depends: debhelper (>= 9), dh-python, python3
+Build-Depends: debhelper (>= 9), dh-python, python3, python3-distutils
 Standards-Version: 3.9.6
 Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/playitslowly.git
 Vcs-Git: git://anonscm.debian.org/collab-maint/playitslowly.git

Processed: python-scruffy: diff for NMU version 0.3.3-1.1

2018-06-03 Thread Debian Bug Tracking System 
Processing control commands:

> tags 896207 + pending
Bug #896207 [python-scruffy] python-scruffy: scruffy fails to import
Added tag(s) pending.
> tags 896374 + patch
Bug #896374 [python3-scruffy] python3-scruffy: scruffy fails to import
Added tag(s) patch.
> tags 896374 + pending
Bug #896374 [python3-scruffy] python3-scruffy: scruffy fails to import
Added tag(s) pending.

-- 
896207: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896207
896374: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896374
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#896207: python-scruffy: diff for NMU version 0.3.3-1.1

2018-06-03 Thread Adrian Bunk 
Control: tags 896207 + pending
Control: tags 896374 + patch
Control: tags 896374 + pending

Dear maintainer,

I've prepared an NMU for python-scruffy (versioned as 0.3.3-1.1) and 
uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed

diff -Nru python-scruffy-0.3.3/debian/changelog python-scruffy-0.3.3/debian/changelog
--- python-scruffy-0.3.3/debian/changelog	2016-05-11 17:46:44.0 +0300
+++ python-scruffy-0.3.3/debian/changelog	2018-06-03 21:53:39.0 +0300
@@ -1,3 +1,11 @@
+python-scruffy (0.3.3-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add the missing dependencies on python{,3}-pkg-resources.
+(Closes: #896207, #896374)
+
+ -- Adrian Bunk   Sun, 03 Jun 2018 21:53:39 +0300
+
 python-scruffy (0.3.3-1) unstable; urgency=medium
 
   * Initial release. (Closes: #823992)
diff -Nru python-scruffy-0.3.3/debian/control python-scruffy-0.3.3/debian/control
--- python-scruffy-0.3.3/debian/control	2016-05-11 17:43:19.0 +0300
+++ python-scruffy-0.3.3/debian/control	2018-06-03 21:53:39.0 +0300
@@ -24,7 +24,7 @@
 Architecture: all
 Multi-Arch: foreign
 Depends: ${misc:Depends},
- ${python:Depends}
+ ${python:Depends}, python-pkg-resources
 Description: framework for taking care of a bunch of boilerplate in Python2 apps
  Scruffy is a framework for taking care of a bunch of boilerplate in
  Python apps. It handles the loading of configuration files, the loading
@@ -50,7 +50,7 @@
 Architecture: all
 Multi-Arch: foreign
 Depends: ${misc:Depends},
- ${python3:Depends}
+ ${python3:Depends}, python3-pkg-resources
 Description: framework for taking care of a bunch of boilerplate in Python3 apps
  Scruffy is a framework for taking care of a bunch of boilerplate in
  Python apps. It handles the loading of configuration files, the loading

Bug#898943: Multiple vulnerabiliities in Mongoose

2018-06-03 Thread Ricardo Villalba 
Hello.

I wasn't aware of those vulnerabilities in mongoose.
It's possible to disable the support for chromecast in smplayer
commenting the line DEFINES += CHROMECAST_SUPPORT in src/smplayer.pro

2018-06-03 18:41 GMT+02:00 Reinhard Tartler :
> Hi Richardo,
>
> I'm not sure if you have seen this email, Moritz from the debian
> security team is reporting a release-critical bug in smplayer. More
> specifically, smplayer appears to be using the mongoose webserver
> implementation as in implementation detail of the chromecast
> component.
>
> Having to remove smplayer would be most unfortunate. I checked the
> upstream commits at
> https://github.com/cesanta/mongoose/commits/master, but apparently
> there is no fix available yet. Maybe I'm missing something but if not,
> my question to you is whether we can easily disable the chromecast
> component from the smplayer build?
>
> Please let me know your thoughts on this.
>
> Best,
> Reinhard
>
> -- Forwarded message -
> From: Moritz Muehlenhoff 
> Date: Thu, May 17, 2018 at 12:51 PM
> Subject: Bug#898943: Multiple vulnerabiliities in Mongoose
> To: Debian Bug Tracking System 
>
>
> Source: smplayer
> Severity: grave
> Tags: security
>
> smplayer seems to embed Cesenta Mongoose:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922
>
> Cheers,
> Moritz
>
> ___
> pkg-multimedia-maintainers mailing list
> pkg-multimedia-maintain...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
>
>
> --
> regards,
> Reinhard



-- 
RVM

Processed: python-scruffy: diff for NMU version 0.3.3-1.1

2018-06-03 Thread Debian Bug Tracking System 
Processing control commands:

> tags 896207 + pending
Bug #896207 [python-scruffy] python-scruffy: scruffy fails to import
Ignoring request to alter tags of bug #896207 to the same tags previously set
> tags 896374 + patch
Bug #896374 [python3-scruffy] python3-scruffy: scruffy fails to import
Ignoring request to alter tags of bug #896374 to the same tags previously set
> tags 896374 + pending
Bug #896374 [python3-scruffy] python3-scruffy: scruffy fails to import
Ignoring request to alter tags of bug #896374 to the same tags previously set

-- 
896207: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896207
896374: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896374
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#900708: wireshark: CVE-2018-11356 CVE-2018-11357 CVE-2018-11358 CVE-2018-11359 CVE-2018-11360 CVE-2018-11361 CVE-2018-11362

2018-06-03 Thread Salvatore Bonaccorso 
Source: wireshark
Version: 2.4.6-1
Severity: serious
Tags: security upstream
Justification: regression from stable

Hi,

The following vulnerabilities were published for wireshark.

Reasoning for the RC severity: some issues are fixed already in stable
via a DSA, but the fixes missing in the next stable. Thus the RC
severity athough just from aspect of the severity of the issue that
might not be warranted.

CVE-2018-11356[0]:
| In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the DNS
| dissector could crash. This was addressed in
| epan/dissectors/packet-dns.c by avoiding a NULL pointer dereference for
| an empty name in an SRV record.

CVE-2018-11357[1]:
| In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the LTP
| dissector and other dissectors could consume excessive memory. This was
| addressed in epan/tvbuff.c by rejecting negative lengths.

CVE-2018-11358[2]:
| In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the Q.931
| dissector could crash. This was addressed in
| epan/dissectors/packet-q931.c by avoiding a use-after-free after a
| malformed packet prevented certain cleanup.

CVE-2018-11359[3]:
| In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the RRC
| dissector and other dissectors could crash. This was addressed in
| epan/proto.c by avoiding a NULL pointer dereference.

CVE-2018-11360[4]:
| In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the GSM A DTAP
| dissector could crash. This was addressed in
| epan/dissectors/packet-gsm_a_dtap.c by fixing an off-by-one error that
| caused a buffer overflow.

CVE-2018-11361[5]:
| In Wireshark 2.6.0, the IEEE 802.11 protocol dissector could crash.
| This was addressed in epan/crypt/dot11decrypt.c by avoiding a buffer
| overflow during FTE processing in Dot11DecryptTDLSDeriveKey.

CVE-2018-11362[6]:
| In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the LDSS
| dissector could crash. This was addressed in
| epan/dissectors/packet-ldss.c by avoiding a buffer over-read upon
| encountering a missing '\0' character.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11356
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11356
[1] https://security-tracker.debian.org/tracker/CVE-2018-11357
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11357
[2] https://security-tracker.debian.org/tracker/CVE-2018-11358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11358
[3] https://security-tracker.debian.org/tracker/CVE-2018-11359
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11359
[4] https://security-tracker.debian.org/tracker/CVE-2018-11360
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11360
[5] https://security-tracker.debian.org/tracker/CVE-2018-11361
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11361
[6] https://security-tracker.debian.org/tracker/CVE-2018-11362
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11362

Regards,
Salvatore

Bug#900018: marked as done (FTBFS with latest cmdliner)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 03 Jun 2018 18:35:22 +
with message-id 
and subject line Bug#900018: fixed in opam 1.2.2-7
has caused the Debian Bug report #900018,
regarding FTBFS with latest cmdliner
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900018: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900018
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: opam
Version: 1.2.2-6+b1
Severity: serious

opam fails to build from source using latest cmdliner which was uploaded
to Debian/Sid a few days ago:

File "client/opamArg.ml", line 384, characters 25-29:
Error: This expression has type
 ?docv:string ->
 (string -> ('a, [ `Msg of string ]) result) * 'a printer ->
 'a converter
   but an expression was expected of type
 'b converter = 'b parser * 'b printer
../OCamlMakefile:1076: recipe for target 'client/opamArg.cmo' failed

Full build log can be found here:

   
https://buildd.debian.org/status/fetch.php?pkg=opam=armel=1.2.2-6%2Bb3=1526941860=0

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages opam depends on:
ii  build-essential  12.4
ii  curl 7.58.0-2
ii  libbz2-1.0   1.0.6-8.1
ii  libc62.27-3
ii  opam-docs1.2.2-6
ii  tar  1.30+dfsg-2
ii  unzip6.0-21
ii  wget 1.19.5-1
ii  zlib1g   1:1.2.11.dfsg-1

Versions of packages opam recommends:
ii  aspcud 1:1.9.4-1
pn  darcs  
ii  git1:2.17.0-1
pn  mercurial  
pn  ocaml  
ii  rsync  3.1.2-2.1

opam suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: opam
Source-Version: 1.2.2-7

We believe that the bug you reported is fixed in the latest version of
opam, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mehdi Dogguy  (supplier of updated opam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 03 Jun 2018 20:09:58 +0200
Source: opam
Binary: opam opam-docs
Architecture: source amd64 all
Version: 1.2.2-7
Distribution: unstable
Urgency: medium
Maintainer: Debian OCaml Maintainers 
Changed-By: Mehdi Dogguy 
Description:
 opam   - package manager for OCaml
 opam-docs  - package manager for OCaml (documentation)
Closes: 900018 900118
Changes:
 opam (1.2.2-7) unstable; urgency=medium
 .
   * Constraint minimal version for ocaml-re to 1.7.2
 - update d/control accordingly
 - add patch 0004-Use-newest-ocaml-re-s-API.patch
   * Use {Char,String}.lowercase_ascii instead of {Char,String}.lowercase
 - add patch 0005-Use-Char-String-.lowercase_ascii.patch
 - requires OCaml >= 4.03.0~
   * Port to cmdliner 1.0.2 (Closes: #900018)
 - update d/control accordingly
 - add patch 0006-Port-to-cmdliner-1.0.2.patch
   * It is not necessary to depend on 'tar' (Closes: #900118)
   * Update Vcs-* fields
   * Add 'm4' in Recommends (LP: #1289944)
Checksums-Sha1:
 e5613d90a625d4da9a7230ded6048de0eb6574ec 2379 opam_1.2.2-7.dsc
 60177ae521b93cb0f3530e255911ffddc7c60ba0 11512 opam_1.2.2-7.debian.tar.xz
 38a48c11c80f095d403598e66c704d1f8d463a17 827624 opam-dbgsym_1.2.2-7_amd64.deb
 577438375752c87d6acf334ab448e68702926757 324288 opam-docs_1.2.2-7_all.deb
 27f97fa56eaca52a3c4cb46adb463d081837c093 10324 opam_1.2.2-7_amd64.buildinfo
 3442477bd4ee8ad3c7a42d0ce6ffb8a483fd69c2 2392312 opam_1.2.2-7_amd64.deb
Checksums-Sha256:
 6c00d302e6d6fd67c7456724b2cd88f753a7650e1e460d6832286379978fc1eb 2379 
opam_1.2.2-7.dsc
 ecc4f65777e0c239e746f317fd8eae69ceae9fb5292bb4dc7402c0399c322d82 11512 
opam_1.2.2-7.debian.tar.xz
 3ab76f474e3de03d6c7c15d7ec6f238ccc50ec1c807744d6dc74a8675ae4101c 827624 
opam-dbgsym_1.2.2-7_amd64.deb

Bug#898943: Fwd: Bug#898943: Multiple vulnerabiliities in Mongoose

2018-06-03 Thread Reinhard Tartler 
Hi Richardo,

I'm not sure if you have seen this email, Moritz from the debian
security team is reporting a release-critical bug in smplayer. More
specifically, smplayer appears to be using the mongoose webserver
implementation as in implementation detail of the chromecast
component.

Having to remove smplayer would be most unfortunate. I checked the
upstream commits at
https://github.com/cesanta/mongoose/commits/master, but apparently
there is no fix available yet. Maybe I'm missing something but if not,
my question to you is whether we can easily disable the chromecast
component from the smplayer build?

Please let me know your thoughts on this.

Best,
Reinhard

-- Forwarded message -
From: Moritz Muehlenhoff 
Date: Thu, May 17, 2018 at 12:51 PM
Subject: Bug#898943: Multiple vulnerabiliities in Mongoose
To: Debian Bug Tracking System 


Source: smplayer
Severity: grave
Tags: security

smplayer seems to embed Cesenta Mongoose:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922

Cheers,
Moritz

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintain...@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers


-- 
regards,
Reinhard

Bug#889522: marked as done (baresip FTBFS: test failure)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 03 Jun 2018 15:19:20 +
with message-id 
and subject line Bug#889522: fixed in baresip 0.5.9-1
has caused the Debian Bug report #889522,
regarding baresip FTBFS: test failure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
889522: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889522
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: baresip
Version: 0.5.7-1
Severity: serious

Some recent change in unstable makes baresip FTBFS:

https://tests.reproducible-builds.org/debian/history/baresip.html
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/baresip.html

...
[ RUN  ] test_ua_register
ua: SIP register failed: Invalid argument
TEST_ERR: test/ua.c:114: (Invalid argument)
selftest: ua_register test failed (Invalid argument)
ua: SIP register failed: Invalid argument
TEST_ERR: test/ua.c:114: (Invalid argument)
selftest: ua_register test failed (Invalid argument)
ua: SIP register failed: Invalid argument
TEST_ERR: test/ua.c:114: (Invalid argument)
selftest: ua_register test failed (Invalid argument)
test_ua_register: test failed (Invalid argument)
test failed (Invalid argument)
re main loop:
  maxfds:  1024
  nfds:24
  method:  3 (epoll)

Makefile:208: recipe for target 'test' failed
make[1]: *** [test] Error 22
--- End Message ---
--- Begin Message ---
Source: baresip
Source-Version: 0.5.9-1

We believe that the bug you reported is fixed in the latest version of
baresip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vasudev Kamath  (supplier of updated baresip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jun 2018 20:28:56 +0530
Source: baresip
Binary: baresip baresip-core baresip-gtk baresip-ffmpeg baresip-gstreamer 
baresip-x11
Architecture: source
Version: 0.5.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team 
Changed-By: Vasudev Kamath 
Description:
 baresip- portable and modular SIP user-agent - metapackage
 baresip-core - portable and modular SIP user-agent - core parts
 baresip-ffmpeg - portable and modular SIP user-agent - FFmpeg codecs and 
formats
 baresip-gstreamer - portable and modular SIP user-agent - GStreamer pipelines
 baresip-gtk - portable and modular SIP user-agent - GTK+ front-end
 baresip-x11 - portable and modular SIP user-agent - X11 features
Closes: 859278 888344 889522
Changes:
 baresip (0.5.9-1) unstable; urgency=medium
 .
   [ upstream ]
   * New release(s).
 Closes: bug#889522, Thanks to Adrian Bunk.
 Closes: bug#888344, Thanks to James Cowgill.
 .
   [ Jonas Smedegaard ]
   * Declare compliance with Debian Policy 4.1.4.
   * Update copyright info:
 + Extend coverage for main upstream authors.
 + Add Files section lacking licensing.
   * Update package relations: Tighten build-dependency on libre-dev.
   * Update Vcs-* fields: Source hosted at Salsa.debian.org now.
   * Remove Ramakrishnan Muthhukrishnan as uploader: Thanks for your
 interest in the past, Ram.
 Closes: Bug#859278. Thanks to Mattia Rizzolo and the MIA team.
 .
   [ Vasudev Kamath ]
   * Bump compat level to 10.
   * debhelper now uses versioned depend on >= 10~.
   * Add README.source indicating how to handle and upload package to
 archive.
Checksums-Sha1:
 21c1e3d92817e1caee87f00adca650bfd9494de2 3160 baresip_0.5.9-1.dsc
 2dee621c06499edd7b5e3ba0f031806f6c28567a 589680 baresip_0.5.9.orig.tar.gz
 e8472d8f55574986bc9eb4477b518b0881890f2f 11972 baresip_0.5.9-1.debian.tar.xz
Checksums-Sha256:
 9f3c8f32208e6b3a14dfbad44278f9c21e27b9b87f8c97abbb1ad325ea8dbf3c 3160 
baresip_0.5.9-1.dsc
 11b1b6d582f903afeb5853a9163e2081ec128b64c384b7e04e5973398f61c08c 589680 
baresip_0.5.9.orig.tar.gz
 3a0591869e5f8b6b21829610bb3a7bc734969ea25276e876fb61b7e52a855717 11972 
baresip_0.5.9-1.debian.tar.xz
Files:
 e20be6c284265650970aaafbda0320c7 3160 comm optional baresip_0.5.9-1.dsc
 6a4b4c0d26932aa9abcbbc2ad401285e 589680 comm optional

Bug#900522: marked as done (gitlab: Security Release: 10.8.2, 10.7.5, and 10.6.6)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 03 Jun 2018 15:04:49 +
with message-id 
and subject line Bug#900522: fixed in gitlab 10.7.5+dfsg-1
has caused the Debian Bug report #900522,
regarding gitlab: Security Release: 10.8.2, 10.7.5, and 10.6.6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900522: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900522
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gitlab
Version: 10.6.5+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 10.7.3+dfsg-1

Hi

There was a new gitlab security update, as per 
https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/

(Unfortunately, there are no CVE assigned yet, which would ease the
tracking in any case).

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gitlab
Source-Version: 10.7.5+dfsg-1

We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen  (supplier of updated gitlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jun 2018 19:54:01 +0530
Source: gitlab
Binary: gitlab
Architecture: source
Version: 10.7.5+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers 

Changed-By: Pirate Praveen 
Description:
 gitlab - git powered software platform to collaborate on code (non-omnibus
Closes: 900522
Changes:
 gitlab (10.7.5+dfsg-1) experimental; urgency=medium
 .
   * New upstream version 10.7.5+dfsg (Closes: #900522)
Checksums-Sha1:
 ef6cb1592e6b08999be3e3ae49fe83d146f78469 2481 gitlab_10.7.5+dfsg-1.dsc
 4332e462c567ebd8c6aee1c7faafc7a93cf435d2 44558720 
gitlab_10.7.5+dfsg.orig.tar.xz
 dba190d3a0de853b2c891547d8fe3dc87642b2c0 62860 
gitlab_10.7.5+dfsg-1.debian.tar.xz
 6c386cfae416905d8f8d0a4be860ae3902528646 6230 
gitlab_10.7.5+dfsg-1_source.buildinfo
Checksums-Sha256:
 6fd5ec4cf3cbf8ddce095d204aa4d21c888402b5de3951802995aac49a95cfcf 2481 
gitlab_10.7.5+dfsg-1.dsc
 0cb3822bed81ef9751cfa43e249c6cb4f0a8efbd538b1691518513b16e713ec6 44558720 
gitlab_10.7.5+dfsg.orig.tar.xz
 062c9273fd77a5befbf0e4093730564b36556d858f2f786f25482487f0ab38dc 62860 
gitlab_10.7.5+dfsg-1.debian.tar.xz
 163bf119f1eb8c4a0de9ab6e46f5d3795b6fc853c474ced11107f3aea0fd5fec 6230 
gitlab_10.7.5+dfsg-1_source.buildinfo
Files:
 b135fd6430411620197592c5f6e43ca7 2481 contrib/net optional 
gitlab_10.7.5+dfsg-1.dsc
 a1238231aebb48caaf9ec87fff4fcc58 44558720 contrib/net optional 
gitlab_10.7.5+dfsg.orig.tar.xz
 a6d3570911c8fef38bc5f29164ba5bad 62860 contrib/net optional 
gitlab_10.7.5+dfsg-1.debian.tar.xz
 7745da284f6cd1fd8b8ee2c2543e8339 6230 contrib/net optional 
gitlab_10.7.5+dfsg-1_source.buildinfo

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEKnl0ri/BUtd4Z9pKzh+cZ0USwioFAlsUABwACgkQzh+cZ0US
wirZcQ//ZZrbJmr7EXGEbkTtuaArSi8AHnnuEv2sDqhMbjSJSNtpnqonC5sU6UHT
tpRr7wzgDEZPQ865Xeo+eMk3rLKwksIErzr1uc+hmjZTqHYWOrUVwVoTgv47Wc81
50eQwpcTzOrpndWya0nFdSmU8l3e4h6270p2fk1Mt4MKlLdCpbVfsW3BtIbolYwm
MOfO8x/ib77jbgK0FsdWVjD6DLYwlO/HFWXVISYsOuhfF6LqNEdq/F+/EZfSA7pl
qHHkoQ0crPl9QWWHY1nuC8rK/t6hmIelOAp/N7r2/iMYVz6shYwe4ERdd+Vt7+zi
4j7xCZtT3hvMpbelgCTCZFC0nmhCFr6CAjp0VCQd/nKFlusZ7hQTURWAuyn956Mg
zcZwaO2IBLtDqgcnoPI7QTa6cdWjiB31weOPixLKafvsIrh1nTglur0bktA7+a45
uzGcg6LGQ5x7ufRCex7mogj42QNGqEQbNryYskMrlYtosfR4XYVDAqGyNn4Iygx1
TdzRy8eqEUlTsBXPE9jdl16DF5Wh7cTj2Al1jBUK8Fh7F/2kWwoIWuQP0JmTNnD2
Swe4RED4eZGCfeJnkjy8CeU0Tj6EDHhi7Ocez7vkh4zdkg4TKLNxgGYn8sF+8G3f
ZS88LjuH6XOl6+x87OMErxkT2HatJIh3TL0RlIvb9XQa4L/wPBA=
=nLop
-END PGP SIGNATURE End Message ---

Processed: affects 900677

2018-06-03 Thread Debian Bug Tracking System 
Processing commands for cont...@bugs.debian.org:

> affects 900677 gitlab
Bug #900677 [ruby-google-protobuf] ruby-google-protobuf: does not install pure 
ruby files
Added indication that 900677 affects gitlab
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
900677: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900677
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#900533: chromium 67.0.3396.62-1: youtube video, gif's, html5, and movies no longer work

2018-06-03 Thread rcm0502 

Hi.

I have also been bitten by this bug, resolved by downgrading back to 
chromium 66.0.3359.181-1 and then watching Youtube videos or using web 
video chat applications worked again.


Hoping for a resolution soon enough.

Thanks,

R
On Thu, 31 May 2018 18:34:46 -0400 "Justin P." wrote:
> Package: chromium
> Version: 67.0.3396.62-1
> Severity: grave
> Justification: renders package unusable
>
> Dear Maintainer,
>
> *** Reporter, please consider answering these questions, where 
appropriate ***

>
> * What led up to the situation?
>
> Can't use video on youtube. Gif's no longer work. And I cannot get 
media to play. This started after upgrading from 66.0.3359.181-1 to 
67.0.3396.62-1

>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
>
> Reverting the package was the only solution I could find. It appears 
the app build may be missing some flags in the build. I found this that 
had similar errors to my situation 
https://groups.google.com/a/chromium.org/forum/?nomobile=true#!msg/android-webview-dev/oVjyFhhxOQ8/ns8q9uPrCAAJ

>
> * What was the outcome of this action?
>
> chromium 66.0.3359.181-1 was reinstalled, video is working again.
>
> * What outcome did you expect instead?
>
> chromium 67.0.3396.62-1 video should work after install.
>
> Chromium Log while trying to play files
> [129:160:0531/181749.318090:ERROR:render_media_log.cc(30)] 
MediaEvent: MEDIA_ERROR_LOG_ENTRY {"error":"FFmpegDemuxer: open context 
failed"}
> [129:129:0531/181749.320645:ERROR:render_media_log.cc(30)] 
MediaEvent: PIPELINE_ERROR DEMUXER_ERROR_COULD_NOT_OPEN
> [129:160:0531/181749.352209:ERROR:render_media_log.cc(30)] 
MediaEvent: MEDIA_ERROR_LOG_ENTRY {"error":"FFmpegDemuxer: open context 
failed"}
> [129:129:0531/181749.354280:ERROR:render_media_log.cc(30)] 
MediaEvent: PIPELINE_ERROR DEMUXER_ERROR_COULD_NOT_OPEN
> [129:160:0531/181749.551754:ERROR:render_media_log.cc(30)] 
MediaEvent: MEDIA_ERROR_LOG_ENTRY {"error":"audio decoder initialization 
failed"}
> [129:129:0531/181749.559473:ERROR:render_media_log.cc(30)] 
MediaEvent: PIPELINE_ERROR DECODER_ERROR_NOT_SUPPORTED
> [129:160:0531/181750.431299:ERROR:render_media_log.cc(30)] 
MediaEvent: MEDIA_ERROR_LOG_ENTRY {"error":"audio decoder initialization 
failed"}
> [129:129:0531/181750.433293:ERROR:render_media_log.cc(30)] 
MediaEvent: PIPELINE_ERROR DECODER_ERROR_NOT_SUPPORTED

> libpng warning: iCCP: known incorrect sRGB profile
>
>
> -- System Information:
> Debian Release: buster/sid
> APT prefers unstable
> APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.16.0-2-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)

> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages chromium depends on:
> ii chromium-common 67.0.3396.62-1
> ii libasound2 1.1.6-1
> ii libatk-bridge2.0-0 2.26.2-1
> ii libatk1.0-0 2.28.1-1
> ii libavcodec57 7:3.4.2-2+b1
> ii libavformat57 7:3.4.2-2+b1
> ii libavutil55 7:3.4.2-2+b1
> ii libc6 2.27-3

Bug#831548: [Pkg-javascript-devel] Bug#831548: RM: mtasc -- ROM; obsoleted by newer standard web technologies

2018-06-03 Thread Bastien ROUCARIES 
Hi,

On Sat, Jun 2, 2018 at 9:10 AM, Bastien ROUCARIES
 wrote:
>
>
> Le sam. 2 juin 2018 à 08:59, Niels Thykier  a écrit :
>>
>> On Sat, 23 Dec 2017 06:58:52 +0800 Paul Wise  wrote:
>> > Control: severity -1 serious
>> > Control: severity 831553 normal
>> >
>> > Hi everyone,
>> >
>> > The buster cycle is the right time to remove mtasc from the Debian
>> > archive. It has been unmaintained in Debian and upstream for years. The
>> > web ecosystem is moving away from Flash towards standard web tech,
>> > which can now replace most use of Flash. Debian should encourage our
>> > upstreams to move towards standard web tech like HTML5 and JavaScript.
>> >
>> > Please talk to your upstreams about transitioning away from
>> > ActionScript 2 towards HTML5 JavaScript. If they need to still
>> > support Flash for some users, then they should switch to something
>> > like Haxe but they should not build Flash files by default.
>> >
>> > On Fri, 22 Dec 2017 17:29:50 -0500 Scott Kitterman wrote:
>> >
>> > > 15 months later all but one of those bugs is still open.  Can you
>> > > either work
>> > > with the maintainers to get them done or close this request until it's
>> > > ripe
>> > > for processing.
>> >
>> > --
>> > bye,
>> > pabs
>> >
>> > https://wiki.debian.org/PaulWise
>>
>> Hi,
>>
>> This package (dojo) is officially maintained by the Javascript team but
>> appears to be de facto unmaintained.  It has several RC bugs and is
>> stalling the removal of obsolete packages (admittedly only from unstable).
>>
>> If you are still interested in maintaining the package, then please
>> resolve the RC bugs (at the very least this bug, which is blocking
>> others).  If there is no visible progress on resolving this bug in a
>> month from now, I will assume you are no longer interested in it and
>> that you will support a removal of dojo from unstable.
>>
>> I have explicitly included all listed maintainers and uploaders (except
>> for Frank, which appears to have disclaimed interest in this package per
>> #863693)
>>
>> Thanks,
>> ~Niels

I needed to merge shrinksafe back in dojo (upstream merge). I have
modified the control file and will upload ASAP.

Could you check if my merge is right (particularly d/control breaks/replaces).

Repo is here https://salsa.debian.org/js-team/dojo


Bastien

>
> Will get a glimpse.
>
> BTw it means that a few lintian warning are now fatal because ftbfs...
>
> Bastien
>>
>>
>> --
>> Pkg-javascript-devel mailing list
>> pkg-javascript-de...@alioth-lists.debian.net
>>
>> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
>
>
> --
> Pkg-javascript-devel mailing list
> pkg-javascript-de...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Processed: limit source to dojo, tagging 863693, tagging 852923, tagging 898944, tagging 831548

2018-06-03 Thread Debian Bug Tracking System 
Processing commands for cont...@bugs.debian.org:

> limit source dojo
Limiting to bugs with field 'source' containing at least one of 'dojo'
Limit currently set to 'source':'dojo'

> tags 863693 + pending
Bug #863693 [src:dojo] Updating the dojo Uploaders list
Added tag(s) pending.
> tags 852923 + pending
Bug #852923 [src:dojo] dojo: FTBFS: OPTIMIZER FAILED: JavaException: 
java.lang.RuntimeException: null
Bug #869864 [src:dojo] dojo: New version available, watch file fails
Added tag(s) pending.
Added tag(s) pending.
> tags 898944 + pending
Bug #898944 [src:dojo] CVE-2018-6561
Added tag(s) pending.
> tags 831548 + pending
Bug #831548 [src:dojo] dojo: mtasc removal
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
831548: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831548
852923: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852923
863693: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863693
869864: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869864
898944: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898944
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#900524: marked as done (prosody: CVE-2018-10847: insufficient stream header validation)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 03 Jun 2018 11:32:40 +
with message-id 
and subject line Bug#900524: fixed in prosody 0.9.7-2+deb8u4
has caused the Debian Bug report #900524,
regarding prosody: CVE-2018-10847: insufficient stream header validation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900524: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900524
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: prosody
Version: 0.9.7-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 0.10.1-1
Control: forwarded -1 https://issues.prosody.im/1147


Hi,

The following vulnerability was published for prosody.

CVE-2018-10847[0]:
insufficient stream header validation

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10847
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10847
[1] https://issues.prosody.im/1147
[2] https://blog.prosody.im/prosody-0-10-2-security-release/

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: prosody
Source-Version: 0.9.7-2+deb8u4

We believe that the bug you reported is fixed in the latest version of
prosody, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated prosody package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 31 May 2018 22:31:54 +0200
Source: prosody
Binary: prosody
Architecture: source
Version: 0.9.7-2+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Matthew James Wild 
Changed-By: Salvatore Bonaccorso 
Closes: 900524
Description: 
 prosody- Lightweight Jabber/XMPP server
Changes:
 prosody (0.9.7-2+deb8u4) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * mod_c2s: Do not allow the stream 'to' to change across stream restarts
 (CVE-2018-10847) (Closes: #900524)
Checksums-Sha1: 
 9bc95045d627ed22b4c05aefe243e02e38874361 2165 prosody_0.9.7-2+deb8u4.dsc
 78e9e59976321aeac0959b9f67006a7dec05a08a 16160 
prosody_0.9.7-2+deb8u4.debian.tar.xz
Checksums-Sha256: 
 905b0f779de4dd650e45549bacf7530901501b0a84467154f74aca410b4ef2f5 2165 
prosody_0.9.7-2+deb8u4.dsc
 29086e0781c3e89c74869b082b6a70dfb82a3e9174276d37f090087a2b6b414e 16160 
prosody_0.9.7-2+deb8u4.debian.tar.xz
Files: 
 94f87627255cf8e2cf0c26521aadc55d 2165 net extra prosody_0.9.7-2+deb8u4.dsc
 1ebf6979356932c18386499a45825caf 16160 net extra 
prosody_0.9.7-2+deb8u4.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsQXTBfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E+9oP/0jn0FnERfr6evGIN02otiMO2NCZL5/7
2PSrBsWySopWa+EiirLC7+0a9ERzU1XzZ3ayRUFuTBQJAzsyY2AL/lJxyeJ4kfUj
S1a390dgChRMQXeQDNt2Xv7FMysLeOfhs8b51stoovRKEAmW67P0SN1I+i2UpOvA
82bn/svov1HZ6y0WZ00csUiUYQSPnM8P5HWbMkMowJT1Cb3XMotrtgZFYvmchrjB
ArlHEfTzrekdtyzT5Rh4YuoxhOT0Ek+mK7o4dEFNKjZXmp97MpeGe6hkfnj/yHCD
Hl4bM+h6dCU0PMIGgSh9h53Ll2tzoDjil4iRGjcfJesMJw3hGzBXmQhQl0GDh3po
DAV1+hGbm1jNxla/H1e6ousQuZUnUQnGJGUydCGsgZ2Pj1JioEcVSfj1TVLDhHS0
enWaKxNUGB4aAgu1xzKHNxH/pb/vr+TlW8kXeW7EY7bxMAf8Nz0hsqQrhCtbAWZO
TRdhvDYhNIrhIaxlmLI+SVmqzxRxChc6SvFy+bbu3CDgY7bGJfkUxSQ8r7EBD8N0
fKW5gh3SStKv2yqp0HS+4F/RsTW/avCphCwJVykxjwkITrUMN+YtPQF3cMjAMFgK
jvvLA1aK/Tsww1VfjKG+Y4lt02BoAUEKDkir2CxRgEyEswMLnX0BQu3pacmfZsKz
wchlfAjx8QNX
=QWJf
-END PGP SIGNATURE End Message ---

Bug#899332: marked as done (CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 03 Jun 2018 11:32:43 +
with message-id 
and subject line Bug#899332: fixed in zookeeper 3.4.9-3+deb8u1
has caused the Debian Bug report #899332,
regarding CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899332: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899332
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: zookeeper
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Fixed: 3.4.10-1

Hi,

The following vulnerability was published for zookeeper.

CVE-2018-8012[0]:
| No authentication/authorization is enforced when a server attempts to
| join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha
| through 3.5.3-beta. As a result an arbitrary end point could join the
| cluster and begin propagating counterfeit changes to the leader.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012

Please adjust the affected versions in the BTS as needed.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
Source: zookeeper
Source-Version: 3.4.9-3+deb8u1

We believe that the bug you reported is fixed in the latest version of
zookeeper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated zookeeper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 23 May 2018 22:34:43 +0200
Source: zookeeper
Binary: libzookeeper-java zookeeper zookeeperd libzookeeper-java-doc 
libzookeeper-mt2 libzookeeper-st2 libzookeeper2 libzookeeper-mt-dev 
libzookeeper-st-dev zookeeper-bin python-zookeeper
Architecture: source all amd64
Version: 3.4.9-3+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description:
 libzookeeper-java - Core Java libraries for zookeeper
 libzookeeper-java-doc - API Documentation for zookeeper
 libzookeeper-mt-dev - Development files for multi threaded zookeeper C bindings
 libzookeeper-mt2 - Multi threaded C bindings for zookeeper
 libzookeeper-st-dev - Development files for single threaded zookeeper C 
bindings
 libzookeeper-st2 - Single threaded C bindings for zookeeper
 libzookeeper2 - C bindings for zookeeper - transitional package
 python-zookeeper - Python bindings for zookeeper
 zookeeper  - High-performance coordination service for distributed application
 zookeeper-bin - Command line utilities for zookeeper
 zookeeperd - Init control scripts for zookeeper
Closes: 899332
Changes:
 zookeeper (3.4.9-3+deb8u1) jessie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2018-8012:
 No authentication/authorization is enforced when a server attempts to join
 a quorum in Apache ZooKeeper. As a result an arbitrary end point could join
 the cluster and begin propagating counterfeit changes to the leader.
 (Closes: #899332)
Checksums-Sha1:
 998a04487105c16bbe274e99492f5698caa6dcf0 3155 zookeeper_3.4.9-3+deb8u1.dsc
 d69f715874b0b10dfbc78628fce46efed124e6b0 85904 
zookeeper_3.4.9-3+deb8u1.debian.tar.xz
 26049d166ecff43d7f10a7bef0f2f849ecc96cba 1357160 
libzookeeper-java_3.4.9-3+deb8u1_all.deb
 d4ad48201a4c49ea154c8853704bd5e1817c497f 141926 
zookeeper_3.4.9-3+deb8u1_all.deb
 b45f8ea49c91439febd422e23a59e52b0453d2ca 44086 
zookeeperd_3.4.9-3+deb8u1_all.deb
 e33dc030a7d615e4afff3bbcebb0076fa9eecf90 408444 
libzookeeper-java-doc_3.4.9-3+deb8u1_all.deb
 1605e7b097c67a8a91f2bb07fcd8ef8a640b5d1d 74838 
libzookeeper-mt2_3.4.9-3+deb8u1_amd64.deb
 2550b3a193d676ce20e69e4f37ea04756af7599c 72602 
libzookeeper-st2_3.4.9-3+deb8u1_amd64.deb
 35253bf9784d4f49360fa1b9adf295bafb5a75f9 40920 
libzookeeper2_3.4.9-3+deb8u1_amd64.deb
 03ca7858c1df8a72d31b286d843f57e9b05d1d23 90550

Bug#900018: FTBFS with latest cmdliner

2018-06-03 Thread Mehdi Dogguy 

Hi Andy,

On 2018-05-25 08:40, Andy Li wrote:

I've a patch:
https://github.com/ocaml/opam/compare/1.2.2...andyli:1.2.2-fix.patch
It's based on the discussion with upstream at
https://discuss.ocaml.org/t/the-forever-beta-issue/1779/6



In fact, the patch introduces a bug and makes the build fail later in
the process (can't generate manpages and test-suite doesn't succeed).

Do you confirm this on your side as well?

--
Mehdi

Bug#899332: marked as done (CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 03 Jun 2018 11:03:01 +
with message-id 
and subject line Bug#899332: fixed in zookeeper 3.4.9-3+deb9u1
has caused the Debian Bug report #899332,
regarding CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
899332: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899332
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: zookeeper
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Fixed: 3.4.10-1

Hi,

The following vulnerability was published for zookeeper.

CVE-2018-8012[0]:
| No authentication/authorization is enforced when a server attempts to
| join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha
| through 3.5.3-beta. As a result an arbitrary end point could join the
| cluster and begin propagating counterfeit changes to the leader.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012

Please adjust the affected versions in the BTS as needed.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
Source: zookeeper
Source-Version: 3.4.9-3+deb9u1

We believe that the bug you reported is fixed in the latest version of
zookeeper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated zookeeper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 23 May 2018 22:34:43 +0200
Source: zookeeper
Binary: libzookeeper-java zookeeper zookeeperd libzookeeper-java-doc 
libzookeeper-mt2 libzookeeper-st2 libzookeeper2 libzookeeper-mt-dev 
libzookeeper-st-dev zookeeper-bin python-zookeeper
Architecture: source all amd64
Version: 3.4.9-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description:
 libzookeeper-java - Core Java libraries for zookeeper
 libzookeeper-java-doc - API Documentation for zookeeper
 libzookeeper-mt-dev - Development files for multi threaded zookeeper C bindings
 libzookeeper-mt2 - Multi threaded C bindings for zookeeper
 libzookeeper-st-dev - Development files for single threaded zookeeper C 
bindings
 libzookeeper-st2 - Single threaded C bindings for zookeeper
 libzookeeper2 - C bindings for zookeeper - transitional package
 python-zookeeper - Python bindings for zookeeper
 zookeeper  - High-performance coordination service for distributed application
 zookeeper-bin - Command line utilities for zookeeper
 zookeeperd - Init control scripts for zookeeper
Closes: 899332
Changes:
 zookeeper (3.4.9-3+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2018-8012:
 No authentication/authorization is enforced when a server attempts to join
 a quorum in Apache ZooKeeper. As a result an arbitrary end point could join
 the cluster and begin propagating counterfeit changes to the leader.
 (Closes: #899332)
Checksums-Sha1:
 a6a48b15200bce99d31dbe225f9059b324c3cd77 3172 zookeeper_3.4.9-3+deb9u1.dsc
 a0a6168dcd380c5586c8dcfa144668f7a1a21c6d 1931392 zookeeper_3.4.9.orig.tar.xz
 2fe8590457e4515736317981af6fd1516b6abcaa 85716 
zookeeper_3.4.9-3+deb9u1.debian.tar.xz
 c5091e0426ba7598532af8408f8879e71e523fc4 370720 
libzookeeper-java-doc_3.4.9-3+deb9u1_all.deb
 9bf2bfacb54d0a632beabbf4a1cbeffada11c601 1359262 
libzookeeper-java_3.4.9-3+deb9u1_all.deb
 a5bef36affab800e5ac48c7c202bb184337ecae6 90994 
libzookeeper-mt-dev_3.4.9-3+deb9u1_amd64.deb
 4e0e903f7b9f756e9812fee183a1540055de49d8 112724 
libzookeeper-mt2-dbgsym_3.4.9-3+deb9u1_amd64.deb
 c967d314f53b91efebade14c13dab294c52e2ef9 75078 
libzookeeper-mt2_3.4.9-3+deb9u1_amd64.deb
 fc30b5d6d9cefca01d60bb4317681f7a09e753c7 88256 
libzookeeper-st-dev_3.4.9-3+deb9u1_amd64.deb
 14069b6a75858005e7baa6e2682c0f4280a4196b 105602

Bug#900524: marked as done (prosody: CVE-2018-10847: insufficient stream header validation)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 03 Jun 2018 11:02:16 +
with message-id 
and subject line Bug#900524: fixed in prosody 0.9.12-2+deb9u2
has caused the Debian Bug report #900524,
regarding prosody: CVE-2018-10847: insufficient stream header validation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
900524: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900524
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: prosody
Version: 0.9.7-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 0.10.1-1
Control: forwarded -1 https://issues.prosody.im/1147


Hi,

The following vulnerability was published for prosody.

CVE-2018-10847[0]:
insufficient stream header validation

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10847
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10847
[1] https://issues.prosody.im/1147
[2] https://blog.prosody.im/prosody-0-10-2-security-release/

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: prosody
Source-Version: 0.9.12-2+deb9u2

We believe that the bug you reported is fixed in the latest version of
prosody, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated prosody package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 31 May 2018 22:08:52 +0200
Source: prosody
Binary: prosody
Architecture: source
Version: 0.9.12-2+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Matthew James Wild 
Changed-By: Salvatore Bonaccorso 
Closes: 900524
Description: 
 prosody- Lightweight Jabber/XMPP server
Changes:
 prosody (0.9.12-2+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * mod_c2s: Do not allow the stream 'to' to change across stream restarts
 (CVE-2018-10847) (Closes: #900524)
Checksums-Sha1: 
 8e16c8233efc84afe61481d20371ff88c0a7eb15 2221 prosody_0.9.12-2+deb9u2.dsc
 067b8131b3cf6391192ec3fb8c84a456256fd32a 13500 
prosody_0.9.12-2+deb9u2.debian.tar.xz
Checksums-Sha256: 
 760b74b9d6fb037d4459fa99e7fceee10e84eb917fa1399c750c5968f54262f3 2221 
prosody_0.9.12-2+deb9u2.dsc
 365818acd04f6d0c32832e9c74588652f803745a46e75319b93e86402219ffa4 13500 
prosody_0.9.12-2+deb9u2.debian.tar.xz
Files: 
 530a19ca7a98c8a5c00177dddbd2d7a9 2221 net extra prosody_0.9.12-2+deb9u2.dsc
 00bec6712771c4be834860f85930df8a 13500 net extra 
prosody_0.9.12-2+deb9u2.debian.tar.xz

-BEGIN PGP SIGNATURE-

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsQV0tfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EuOoP+gMz6Wonm/IN5JnLfrlZT27SigAJ9cbD
+bmMQAPoGX7zI/2GEa/2xOAXaPEqA55KEYvIrd/k8VCQo4jjC1YXyG/J7ToSf+Qo
VGbuKQxT4OSjyLRJgFHZ1FX+ea3yjUOs2C/og56KU+9sQB4A4sDWacvnbaEQWwIg
FfsOan6sP6WIfiEpxtyKL4FNvIbyxGnFNkN912BBO4KU53gtlR/RNMhJYRsoFo6Q
2h3d880bQd+G2xGZh/OyvpvZcspkFjKM7au7OcHTKIWZtdbgAi/cN6DGvGhaADQs
SXKyKkMmAAYycpVJVotWjn/5lthX3UZi2CPNFENtAaQ9Ibtga/4nRsxp6KoVSXuG
XrK9nAwSH4wYNgCd7UqV6UvFv77FIFbdAoypCs3t7oBuvILh4BxnHFq6sqKh7+R0
41iV+i8qb/46xqwsP/4KRD29aF9wL+ufBrkQNsGTHtHELBuiDz+BmNFA6auyjrw9
Lm10VNP3qc9AH3OeRX8J5Mul1AGidRgs5lGk0g+n8GGumW4jeUc1JJRTsQ0B8XmC
4tir+XRzdWVQ/6kgs4mGzm4GSHFHVGX0CUhWAAP/PlpqmmRFwG11hNdnt/GKcuhk
ag+xNDGLLIAJ72gF0+uALMrovAmHF3ZGZRZAhkhkFfy3sOhTna2LGl43enltI8bg
92tuWAAUPOXQ
=QJCE
-END PGP SIGNATURE End Message ---

Bug#886532: marked as done (Coming updates for meltdown/spectre)

2018-06-03 Thread Debian Bug Tracking System 
Your message dated Sun, 03 Jun 2018 11:02:20 +
with message-id 
and subject line Bug#886532: fixed in qemu 1:2.8+dfsg-6+deb9u4
has caused the Debian Bug report #886532,
regarding Coming updates for meltdown/spectre
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
886532: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886532
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: qemu
Severity: grave


Is it going to be possible to include this patch in qemu please?

https://lists.nongnu.org/archive/html/qemu-devel/2018-01/msg00811.html


ref: https://www.qemu.org/2018/01/04/spectre/


-N
--- End Message ---
--- Begin Message ---
Source: qemu
Source-Version: 1:2.8+dfsg-6+deb9u4

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 886...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev  (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sat, 26 May 2018 13:06:04 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-common qemu-system-misc 
qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc 
qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils 
qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:2.8+dfsg-6+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Debian QEMU Team 
Changed-By: Michael Tokarev 
Description:
 qemu   - fast processor emulator
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 877890 880832 880836 882136 883399 883625 884806 886532 887392 892041
Changes:
 qemu (1:2.8+dfsg-6+deb9u4) stretch-security; urgency=high
 .
   * CVE-2017-5715 (spectre/meltdown) fixes for i386 and s390x:
 CVE-2017-5715/i386-increase-X86CPUDefinition-model_id-to-49.patch
 CVE-2017-5715/i386-add-support-for-SPEC_CTRL-MSR.patch
 CVE-2017-5715/i386-add-spec-ctrl-CPUID-bit.patch
 CVE-2017-5715/i386-add-FEAT_8000_0008_EBX-CPUID-feature-word.patch
 CVE-2017-5715/i386-add-new-IBRS-versions-of-Intel-CPU-models.patch
 CVE-2017-5715/s390x-kvm-introduce-branch-prediction-blocking-contr.patch
 CVE-2017-5715/s390x-kvm-handle-bpb-feature.patch
 Closes: #886532, CVE-2017-5715
   * multiboot-bss_end_addr-can-be-zero-CVE-2018-7550.patch
 Closes: #892041, CVE-2018-7550
   * vga-check-the-validation-of-memory-addr-when-draw-text-CVE-2018-5683.patch
 Closes: #887392, CVE-2018-5683
   * osdep-fix-ROUND_UP-64-bit-32-bit-CVE-2017-18043.patch
 Closes: CVE-2017-18043
   * virtio-check-VirtQueue-Vring-object-is-set-CVE-2017-17381.patch
 Closes: #883625, CVE-2017-17381
   * ps2-check-PS2Queue-pointers-in-post_load-routine-CVE-2017-16845.patch
 Closes: #882136, CVE-2017-16845
   * cirrus-fix-oob-access-in-mode4and5-write-functions-CVE-2017-15289.patch
 Closes: #880832, CVE-2017-15289
   * 
io-monitor-encoutput-buffer-size-from-websocket-GSource-CVE-2017-15268.patch
 Closes: #880836, CVE-2017-15268
   * nbd-server-CVE-2017-15119-Reject-options-larger-than-32M.patch
 Closes: #883399, CVE-2017-15119
   * 9pfs-use-g_malloc0-to-allocate-space-for-xattr-CVE-2017-15038.patch
 Closes: #877890, CVE-2017-15038
   * CVE-2017-15124

Bug#900677: ruby-google-protobuf: does not install pure ruby files

2018-06-03 Thread Pirate Praveen 
On Sun, 3 Jun 2018 15:06:44 +0530 Pirate Praveen 
wrote:> Adding
> X-DhRuby-Root: ruby
> 
> to ruby-google-protobuf binary section in debian/control fixes this.
> 
with the above change, I still get another error

LoadError: cannot load such file -- google/protobuf/timestamp_pb

You'll need to generate the .pb files like this,

https://salsa.debian.org/ruby-team/ruby-google-protobuf/blob/master/debian/rules#L9



signature.asc
Description: OpenPGP digital signature

Bug#900677: ruby-google-protobuf: does not install pure ruby files

2018-06-03 Thread Pirate Praveen 
On Sun, 3 Jun 2018 14:50:55 +0530 Pirate Praveen  wrote:
> package: ruby-google-protobuf
> version: 3.6.0~rc2-1
> severity: grave
> justification: makes package unusable
> 
> When trying to use ruby-google-protobuf, I get this error
> 
> LoadError: cannot load such file -- google/protobuf
> 
> if you compare with previous versions of ruby-google-protobuf (
> http://snapshot.debian.org/package/ruby-google-protobuf/3.5.2-1/),
> you'll see it does not install the pure ruby files (ruby/lib directory).
> 

Adding
X-DhRuby-Root: ruby

to ruby-google-protobuf binary section in debian/control fixes this.



signature.asc
Description: OpenPGP digital signature

Bug#900677: ruby-google-protobuf: does not install pure ruby files

2018-06-03 Thread Pirate Praveen 
package: ruby-google-protobuf
version: 3.6.0~rc2-1
severity: grave
justification: makes package unusable

When trying to use ruby-google-protobuf, I get this error

LoadError: cannot load such file -- google/protobuf

if you compare with previous versions of ruby-google-protobuf (
http://snapshot.debian.org/package/ruby-google-protobuf/3.5.2-1/),
you'll see it does not install the pure ruby files (ruby/lib directory).



signature.asc
Description: OpenPGP digital signature

Bug#900676: reportbug fails to start; unimplemented optparse subclass

2018-06-03 Thread reportbug_dead-address 
Package: rebportbug
Version: 7.1.7
Severity: grave

When trying to start reportbug it instantly crashes with following
message:

––
$
reportbug   

Traceback (most recent call last): File
"/usr/bin/reportbug", line 32, in  import optparse
  File "/usr/lib/python2.7/optparse.py", line 250
raise NotImplementedError, "subclasses must implement"
 ^
SyntaxError: invalid syntax
––
$ dpkg -S /usr/lib/python2.7/optparse.py 
libpython2.7-minimal:amd64: /usr/lib/python2.7/optparse.py
$ apt show libpython2.7-minimal:amd64
Package: libpython2.7-minimal
Version: 2.7.13-2+deb9u1

Thx for fixing

Bug#896594: Bug #896594 in gnocchi marked as pending

2018-06-03 Thread zigo 
Control: tag -1 pending

Hello,

Bug #896594 in gnocchi reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/services/gnocchi/commit/bc852a178ac7ec446ece48a2a4af2950d478


Add dependency on python3-distutils (Closes: #896594).



(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/896594

Processed: Bug #896594 in gnocchi marked as pending

2018-06-03 Thread Debian Bug Tracking System 
Processing control commands:

> tag -1 pending
Bug #896594 [src:gnocchi] please avoid distutils usage at runtime
Added tag(s) pending.

-- 
896594: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896594
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#896706: pcbnew: crashes with a failed assertion on i386, starts fine on amd64

2018-06-03 Thread Debian Bug Tracking System 
Processing control commands:

> severity -1 serious
Bug #896706 [kicad] pcbnew: crashes with a failed assertion on i386, starts 
fine on amd64
Severity set to 'serious' from 'normal'

-- 
896706: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896706
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems