Bug#924283: jython-stilts: fails to install: Exception in thread "main" java.lang.NoSuchMethodError: java.nio.ByteBuffer.clear()Ljava/nio/ByteBuffer;

2019-03-12 Thread Ole Streicher
Control: tags -1 moreinfo

Hi Andreas,

> during a test with piuparts I noticed your package fails to upgrade
> from 'stretch'. It installed fine in 'stretch', then the upgrade to
> 'buster' fails.

can you explain that? The package jython-stilts does not exist for
Stretch; which use case did you actually test?

Installing jython-stilts for Debian Stretch is just not supported, is it?

Best

Ole



Processed: jython-stilts: fails to install: Exception in thread "main" java.lang.NoSuchMethodError: java.nio.ByteBuffer.clear()Ljava/nio/ByteBuffer;

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 moreinfo
Bug #924283 [jython-stilts] jython-stilts: fails to install: Exception in 
thread "main" java.lang.NoSuchMethodError: 
java.nio.ByteBuffer.clear()Ljava/nio/ByteBuffer;
Added tag(s) moreinfo.

-- 
924283: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924283
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: [Pkg-puppet-devel] Bug#923976: Bug#923976: puppet: Reports submitte

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo + patch pending
Bug #923976 [puppet] Reports submitted by Puppet to Puppet DB fail to be stored
Removed tag(s) moreinfo.
Bug #923976 [puppet] Reports submitted by Puppet to Puppet DB fail to be stored
Added tag(s) pending and patch.
> severity -1 serious
Bug #923976 [puppet] Reports submitted by Puppet to Puppet DB fail to be stored
Severity set to 'serious' from 'normal'

-- 
923976: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923976



Bug#923457: test_likelihood_nh (Failed)

2019-03-12 Thread Julien Y. Dutheil
Dear Andreas,

This all boils down to the fact that this unit test is badly designed: it
basically maximizes a function from initial random values. In some
particular combinations of initial values though, the convergence may fail
or take too much time. I will redesign the test, but do not have time at
the moment. Would it be possible to just deactivate that test for now?

In the meantime I also found more symbol errors in libbpp-popgen and I
fixed that. I also propagated your modification from bpp-phyl to bpp-seq
and bpp-popgen.

On a side note: how can I change my email address (the one that appears in
the changelog file) ? That one is now deprecated.

Best regards,

Julien.

On Fri, Mar 8, 2019 at 9:36 AM Julien Y. Dutheil 
wrote:

> Dear Andreas,
>
> Will give it a look asap.
>
> Best,
>
> Julien.
>
> On Fri, Mar 8, 2019 at 9:34 AM Julien Yann Dutheil <
> julien.duth...@univ-montp2.fr> wrote:
>
>> Dear Andreas,
>>
>> Will give it a look asap.
>>
>> Best,
>>
>> Julien.
>>
>> On Fri, Mar 8, 2019 at 6:30 AM Andreas Tille  wrote:
>>
>>> Hi Julien,
>>>
>>> after fixing bug #923457 I realised that the package does not
>>> build on all architectures[1]. S390x fails with[2]
>>>
>>>  4/14 Test  #5: test_likelihood_nh ...***Failed2.44 sec

Bug#924328: javahelper regressed building -doc packages

2019-03-12 Thread Matthias Klose
looks like jh_build doesn't recognize --no-javadoc. -N correctly skips the doc
build.

But then android-platform-build/jh_build fails with

jh_build --javacopts="-source 7" -N --main=com.android.signapk.SignApk signapk.jar tools/signapk/
warning: [options] bootstrap class path not set in conjunction with -source 7
1 warning
java.nio.file.NoSuchFileException: /tmp/signapk.jar4641574884122648833.jar -> /home/packages/tmp/at/android-platform-build-8.1.0+r23/signapk.jar/signapk.jar
    at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
    at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
    at java.base/sun.nio.fs.UnixCopyFile.move(UnixCopyFile.java:478)
    at java.base/sun.nio.fs.UnixFileSystemProvider.move(UnixFileSystemProvider.java:263)
    at java.base/java.nio.file.Files.move(Files.java:1421)
    at jdk.jartool/sun.tools.jar.Main.validateAndClose(Main.java:466)
    at jdk.jartool/sun.tools.jar.Main.run(Main.java:349)
    at jdk.jartool/sun.tools.jar.Main.main(Main.java:1681)
jh_build: cd debian/_jh_build.signapk && /usr/lib/jvm/default-java/bin/jar cfm "/home/packages/tmp/at/android-platform-build-8.1.0+r23/signapk.jar/signapk.jar" ../_jh_manifest.signapk * returned exit code 1
make[1]: *** [debian/rules:26: signapk.jar] Error 2



Bug#924346: xmltooling: CVE-2019-9628: XML parser class fails to trap exceptions on malformed XML declaration

2019-03-12 Thread wferi
Salvatore Bonaccorso  writes:

> On Sat, Mar 09, 2019 at 07:25:52PM +0100, wf...@niif.hu wrote:
>
>> I reserved a CVE from Mitre, backported the probable patch to
>> xmltooling 1.6.0-4+deb9u1 in stable and prepared a tentative package
>> with it, please see the debdiff below.  I plan to add more
>> substantive info to the changelog as I get hold of any, but I expect
>> no other changes.
>
> Thanks for preparing the update, the issue is now public, so filed a
> respective Debian bug for it.

Thanks, Salvatore!

> Were you able to test the resulting package to some extent under
> stretch?

The resulting package works fine in my setup.  However, I failed to
reproduce the original issue under stretch.  After consulting upstream,
it turns out that the old Xerces library actually helps somewhat in this
case, please see Scott Cantor's reply below.  So the known exploit
(using an invalid XML declaration) does not work on stable, but if
somebody finds a way to trigger a DOMException in Xerces 3.1, any
xmltooling users will crash all the same.  See also his comment on
https://issues.apache.org/jira/browse/XERCESC-2016.

JFYI: we plan to upload the Shibboleth 3 stack to stretch-backports,
which will use the xerces-c 3.2 stretch backport.  These will be fixed
packages, though, in whatever form the Release Team gives its blessing
for.

> I think it sounds sensible to release a DSA for it, so in case yes
> please do upload to security-master (you might add the Debian bug
> closer as well if you need to rebuild and want to add additional
> information).

I will add the closer and the extra information, but won't upload to
security-master unless you tell me so again after reassessing the
situation based on the new information here.

"Cantor, Scott"  writes:

> Yeah, it's a Xerces change. I didn't make it, but it was applied to
> the trunk as part of XERCES-2016 and there's a very odd change that
> causes the XMLScanner to leak through versions that start with "1." It
> doesn't look correct to me, but it's not for me to say.
>
> Anything up to Xerces 3.1.x catches that and raises the old
> XMLException type that was already caught. Xerces 3.2 ends up with a
> DOMException, which is what caused the crash.
>
> Now: the bug is still a bug. I have no idea under what conditions
> other DOMExceptions could be triggered, and if it happens, you have a
> crash. And the DOMLSParser::parse method is absolutely allowed to
> throw that type of exception, that's in the docs and in the DOM
> standard. But this specific case is only exploitable under Xerces 3.2.
>
> Personally, I would just push the fix and be done with it, it's not a
> hard change, but it's certainly your call. I had to because I require
> Xerces 3.2 at this point in all my packages.
>
> I may update the advisory, but I'm not enthused about overcomplicating
> the message I'm sending with more caveats and conditions.
>
> Good catch though.
>
> -- Scott
-- 
Regards,
Feri
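
The failure mode discussed in the message above, as an added example that is not part of the original thread and is not xmltooling or Xerces-C code: a parse wrapper whose only handler is for one exception family lets the other family escape, while an exhaustive handler turns every parser failure into an error result. The types `XmlExceptionStub` and `DomExceptionStub`, the two model parsers and the acceptance rule are hypothetical stand-ins, and the inputs are constructed.

```cpp
#include <functional>
#include <iostream>
#include <stdexcept>
#include <string>

// Stand-ins (assumption) for the two exception families named in the thread,
// modelled as unrelated classes outside the std::exception hierarchy, so a
// handler written for one never matches the other.
struct XmlExceptionStub { std::string message; };
struct DomExceptionStub { int code; std::string message; };

struct ParseResult {
    bool ok;
    std::string error;  // empty when ok is true
};

using Parser = std::function<void(const std::string&)>;

// Constructed acceptance rule for the model: only this prefix "parses".
static bool accepted(const std::string& doc) {
    return doc.rfind("<?xml version=\"1.0\"", 0) == 0;
}

// Model parser that reports a rejected document as the XMLException family.
void parser_throws_xml(const std::string& doc) {
    if (!accepted(doc)) throw XmlExceptionStub{"rejected document"};
}

// Model parser that reports the same document as the DOMException family
// (the error code 1 is a constructed value).
void parser_throws_dom(const std::string& doc) {
    if (!accepted(doc)) throw DomExceptionStub{1, "rejected document"};
}

// Handler that knows only one family: anything else propagates to the
// caller, and in a daemon with no outer handler that ends in std::terminate.
ParseResult parse_single_handler(const Parser& parse, const std::string& doc) {
    try {
        parse(doc);
        return {true, ""};
    } catch (const XmlExceptionStub& e) {
        return {false, "XMLException: " + e.message};
    }
}

// Exhaustive handler: every way the parser can fail becomes an error value.
ParseResult parse_exhaustive_handler(const Parser& parse, const std::string& doc) {
    try {
        parse(doc);
        return {true, ""};
    } catch (const XmlExceptionStub& e) {
        return {false, "XMLException: " + e.message};
    } catch (const DomExceptionStub& e) {
        return {false, "DOMException(" + std::to_string(e.code) + "): " + e.message};
    } catch (const std::exception& e) {
        return {false, std::string("std::exception: ") + e.what()};
    } catch (...) {
        return {false, "unknown parser failure"};
    }
}

using Handler = ParseResult (*)(const Parser&, const std::string&);

// True when an exception leaves the handler instead of becoming a ParseResult.
bool escapes(Handler handler, const Parser& parse, const std::string& doc) {
    try {
        handler(parse, doc);
        return false;
    } catch (...) {
        return true;
    }
}

int main() {
    const std::string bad = "constructed input the model rejects";
    std::cout << std::boolalpha
              << "single handler, XML family escapes:     "
              << escapes(parse_single_handler, parser_throws_xml, bad) << "\n"
              << "single handler, DOM family escapes:     "
              << escapes(parse_single_handler, parser_throws_dom, bad) << "\n"
              << "exhaustive handler, DOM family escapes: "
              << escapes(parse_exhaustive_handler, parser_throws_dom, bad) << "\n"
              << "exhaustive handler reports: "
              << parse_exhaustive_handler(parser_throws_dom, bad).error << "\n";
    return 0;
}
```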



Bug#924382: debian-design: FTBFS (Found unknown attribute(s) passed to the constructor)

2019-03-12 Thread Santiago Vila
Package: src:debian-design
Version: 3.0.12
Severity: serious
Tags: ftbfs

Dear maintainer:

I tried to build this package in buster but it failed:


[...]
 debian/rules binary-indep
test -x debian/rules
dh_testroot
dh_prep 
dh_installdirs -A 
mkdir -p "."
/usr/bin/make suite=buster
make[1]: Entering directory '/<>'
mkdir -p content/desktop/animation/
cd content/desktop/animation/ \
&& boxer compose \
--nodedir /<>/nodes \
--skeldir /<>/skel \
--suite buster \
desktop-animation
Found unknown attribute(s) passed to the constructor: bugs at (eval 209) line 
49.
Boxer::Part::Reclass::new("Boxer::Part::Reclass", "id", 
"desktop-graphics", "epoch", "buster", "tweak", ARRAY(0x55d62204c110), 
"pkg-auto", ...) called at /usr/share/perl5/Boxer/Task/Classify.pm line 107
Boxer::Task::Classify::run(Boxer::Task::Classify=HASH(0x55d621f7c700)) 
called at /usr/share/perl5/Boxer/CLI/Command/Compose.pm line 74

Boxer::CLI::Command::Compose::execute(Boxer::CLI::Command::Compose=HASH(0x55d6214f8c68),
 Getopt::Long::Descriptive::Opts::__OPT__::2=HASH(0x55d6214853c8), 
ARRAY(0x55d6210ace68)) called at /usr/share/perl5/App/Cmd.pm line 468
App::Cmd::execute_command(Boxer::CLI=HASH(0x55d620859928), 
Boxer::CLI::Command::Compose=HASH(0x55d6214f8c68), 
Getopt::Long::Descriptive::Opts::__OPT__::2=HASH(0x55d6214853c8), 
"desktop-animation") called at /usr/share/perl5/App/Cmd.pm line 321
App::Cmd::run("Boxer::CLI") called at /usr/bin/boxer line 18
make[1]: *** [Makefile:18: content/desktop/animation/preseed.cfg] Error 255
make[1]: Leaving directory '/<>'
make: *** [debian/blends.mk:80: content/desktop/preseed.cfg] Error 2
dpkg-buildpackage: error: debian/rules binary-indep subprocess returned exit 
status 2


The build was made in my autobuilder with "dpkg-buildpackage -A"
and it also fails here:

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/debian-design.html

If this is really a bug in one of the build-depends, please use reassign and 
affects,
so that this is still visible in the BTS web page for this package.

Thanks.



Bug#924383: ruby-coveralls: FTBFS (dh_installman: Cannot find "debian/coveralls.1")

2019-03-12 Thread Santiago Vila
Package: src:ruby-coveralls
Version: 0.8.22-1
Severity: serious
Tags: ftbfs

Dear maintainer:

I tried to build this package in buster but it failed:


[...]
 debian/rules build-indep
dh build-indep --buildsystem=ruby --with ruby
   dh_update_autotools_config -i -O--buildsystem=ruby
   dh_autoreconf -i -O--buildsystem=ruby
   dh_auto_configure -i -O--buildsystem=ruby
dh_ruby --configure
   debian/rules override_dh_auto_build
make[1]: Entering directory '/<>'
dh_auto_build
dh_ruby --build
   dh_ruby --build
TZ=UTC ronn --roff debian/coveralls.mkd
 roff: debian/coveralls.mkd.1 
make[1]: Leaving directory '/<>'
   dh_auto_test -i -O--buildsystem=ruby
dh_ruby --test
   create-stamp debian/debhelper-build-stamp
 fakeroot debian/rules binary-indep
dh binary-indep --buildsystem=ruby --with ruby
   dh_testroot -i -O--buildsystem=ruby
   dh_prep -i -O--buildsystem=ruby
   dh_auto_install -i -O--buildsystem=ruby
dh_ruby --install /<>/debian/ruby-coveralls
   dh_ruby --install
Invalid gemspec in [coveralls-ruby.gemspec]: No such file or directory - git

┌──────────────────────────────────────────────────────────────────────────────┐
│ Install files   
 │
└──────────────────────────────────────────────────────────────────────────────┘

install -d /<>/debian/ruby-coveralls/usr/bin
install -D -m755 /<>/bin/coveralls 
/<>/debian/ruby-coveralls/usr/bin/coveralls
install -d /<>/debian/ruby-coveralls/usr/lib/ruby/vendor_ruby
install -D -m644 /<>/lib/coveralls/api.rb 
/<>/debian/ruby-coveralls/usr/lib/ruby/vendor_ruby/coveralls/api.rb
install -D -m644 /<>/lib/coveralls/command.rb 
/<>/debian/ruby-coveralls/usr/lib/ruby/vendor_ruby/coveralls/command.rb
install -D -m644 /<>/lib/coveralls/version.rb 
/<>/debian/ruby-coveralls/usr/lib/ruby/vendor_ruby/coveralls/version.rb
install -D -m644 /<>/lib/coveralls/output.rb 
/<>/debian/ruby-coveralls/usr/lib/ruby/vendor_ruby/coveralls/output.rb
install -D -m644 /<>/lib/coveralls/rake/task.rb 
/<>/debian/ruby-coveralls/usr/lib/ruby/vendor_ruby/coveralls/rake/task.rb
install -D -m644 /<>/lib/coveralls/configuration.rb 
/<>/debian/ruby-coveralls/usr/lib/ruby/vendor_ruby/coveralls/configuration.rb
install -D -m644 /<>/lib/coveralls/simplecov.rb 
/<>/debian/ruby-coveralls/usr/lib/ruby/vendor_ruby/coveralls/simplecov.rb
install -D -m644 /<>/lib/coveralls.rb 
/<>/debian/ruby-coveralls/usr/lib/ruby/vendor_ruby/coveralls.rb
dh_installchangelogs -pruby-coveralls /<>/CHANGELOG.md upstream
Rewriting shebang line of 
/<>/debian/ruby-coveralls/usr/bin/coveralls

┌──────────────────────────────────────────────────────────────────────────────┐
│ Install Rubygems integration metadata   
 │
└──────────────────────────────────────────────────────────────────────────────┘

generating gemspec at 
/<>/debian/ruby-coveralls/usr/share/rubygems-integration/all/specifications/coveralls-0.8.22.gemspec
/usr/bin/ruby2.5 /usr/bin/gem2deb-test-runner

┌──────────────────────────────────────────────────────────────────────────────┐
│ Run tests for ruby2.5 from debian/ruby-tests.rb 
 │
└──────────────────────────────────────────────────────────────────────────────┘

RUBYLIB=/<>/debian/ruby-coveralls/usr/lib/ruby/vendor_ruby:. 
GEM_PATH=debian/ruby-coveralls/usr/share/rubygems-integration/all:/var/lib/gems/2.5.0:/usr/lib/x86_64-linux-gnu/rubygems-integration/2.5.0:/usr/share/rubygems-integration/2.5.0:/usr/share/rubygems-integration/all
 ruby2.5 debian/ruby-tests.rb
Coverage report generated for RSpec to /<>/coverage. 100 / 371 LOC 
(26.95%) covered.

┌──────────────────────────────────────────────────────────────────────────────┐
│ dh_ruby --install fi

Bug#923759: netlib-java contains nearly empty jar (Was: mtj: FTBFS in buster/sid)

2019-03-12 Thread Andreas Tille
Control: reassign -1 netlib-java
Control: tags -1 help

Hi Santiago,

thanks a lot for your QA work.

On Tue, Mar 05, 2019 at 12:19:46AM +, Santiago Vila wrote:
> 
> -do-compile:
> [mkdir] Created dir: /<>/mtj-0.9.14+dfsg/build/empty
> [mkdir] Created dir: 
> /<>/mtj-0.9.14+dfsg/build/generated-sources/ap-source-output
> [javac] Compiling 129 source files to 
> /<>/mtj-0.9.14+dfsg/build/classes
> [javac] warning: [options] bootstrap class path not set in conjunction 
> with -source 6
> [javac] warning: [options] source value 6 is obsolete and will be removed 
> in a future release
> [javac] warning: [options] target value 1.6 is obsolete and will be 
> removed in a future release
> [javac] warning: [options] To suppress warnings about obsolete options, 
> use -Xlint:-options.
> [javac] 
> /<>/mtj-0.9.14+dfsg/src/no/uib/cipr/matrix/AbstractSymmBandMatrix.java:25:
>  error: package org.netlib.blas does not exist
> [javac] import org.netlib.blas.BLAS;
> [javac]   ^
> [javac] 
> /<>/mtj-0.9.14+dfsg/src/no/uib/cipr/matrix/AbstractSymmBandMatrix.java:26:
>  error: package org.netlib.lapack does not exist
> [javac] import org.netlib.lapack.LAPACK;
> [javac] ^
...
> [javac] Note: Some input files use or override a deprecated API.
> [javac] Note: Recompile with -Xlint:deprecation for details.
> [javac] 100 errors
> [javac] 4 warnings

Mtj is correct that classes org.netlib.blas.BLAS and
org.netlib.lapack.LAPACK do not exist.  I've reassigned the
bug to netlib-java.  I realised that

/usr/share/java/netlib-java-0.9.3.jar

is nearly empty, specifically

/org/netlib/arpack
/org/netlib/blas
/org/netlib/lapack

do not contain any classes.  Given that the last changelog for
netlib-java reads


netlib-java (0.9.3-4) unstable; urgency=medium

  * Deactivate watch file since in debian/README.source is declared that
we do not really want to package the new versions
  * debhelper 12
  * Point Vcs fields to salsa.debian.org
  * Standards-Version: 4.3.0
  * Secure URI in copyright format

 -- Andreas Tille   Sun, 13 Jan 2019 21:11:05 +0100


and the previous version on snapshots[1] contains a proper jar file with
all classes, I suspect some issue with a change in the Java VM.
Unfortunately I have no idea how to fix this and hope Debian Java team
can help here.

Kind regards

   Andreas.

[1] 
https://snapshot.debian.org/archive/debian/20160625T105051Z/pool/main/n/netlib-java/libnetlib-java_0.9.3-3_all.deb

-- 
http://fam-tille.de



Processed: netlib-java contains nearly empty jar (Was: mtj: FTBFS in buster/sid)

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> reassign -1 netlib-java
Bug #923759 [src:mtj] mtj: FTBFS in buster/sid
Bug reassigned from package 'src:mtj' to 'netlib-java'.
No longer marked as found in versions mtj/0.9.14+dfsg-5.
Ignoring request to alter fixed versions of bug #923759 to the same values 
previously set
> tags -1 help
Bug #923759 [netlib-java] mtj: FTBFS in buster/sid
Added tag(s) help.

-- 
923759: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923759



Bug#923457: test_likelihood_nh (Failed)

2019-03-12 Thread Andreas Tille
On Tue, Mar 12, 2019 at 09:53:10AM +0100, Julien Y. Dutheil wrote:
> This all boils down to the fact that this unit test is badly designed: it
> basically maximizes a function from initial random values. In some
> particular combinations of initial values though, the convergence may fail
> or take too much time. I will redesign the test, but do not have time at
> the moment. Would it be possible to just deactivate that test for now?

Sure.  IMHO that's the most straightforward way to deal with this issue.
Since I expect you to be more familiar with the tests I simply assumed
that you find a more elegant way to deactivate the test than I. ;-)
 
> In the meantime I also found more symbols errors in libbpp-popgen and I
> fixed that. I also propagated your modification from bpp-phyl to bpp-seq
> and bpp-popgen.

I've seen the commits.  Thanks for this.  I'll upload in case there will
be more bugs reported.  In Freeze we touch only packages with RC bugs.
 
> On a side note: how can I change my email address (the one that appears in
> the changelog file) ? That one is now deprecated.

It should be changed in debian/control in the Uploaders field as well.
Both strings need to match each other.
 
Thanks for your contribution

  Andreas.

-- 
http://fam-tille.de



Bug#924382: [Design-devel] Bug#924382: debian-design: FTBFS (Found unknown attribute(s) passed to the constructor)

2019-03-12 Thread Jonas Smedegaard
control: reassign -1 boxer-data
control: retitle: boxer-data: bogus hint "bugs" failing with recent boxer
control: affects -1 debian-design

Quoting Santiago Vila (2019-03-12 10:43:20)
> I tried to build this package in buster but it failed:
[...]
> Found unknown attribute(s) passed to the constructor: bugs at (eval 209) line 
> 49.

This is a bug in boxer-data where a wrong hint is used in a few places
which debian-design relies on.  Since boxer 1.3.0 (parsing more strictly)
this became fatal.

Thanks for reporting, Santiago,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Processed (with 1 error): Re: [Design-devel] Bug#924382: debian-design: FTBFS (Found unknown attribute(s) passed to the constructor)

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> reassign -1 boxer-data
Bug #924382 [src:debian-design] debian-design: FTBFS (Found unknown 
attribute(s) passed to the constructor)
Bug reassigned from package 'src:debian-design' to 'boxer-data'.
No longer marked as found in versions debian-design/3.0.12.
Ignoring request to alter fixed versions of bug #924382 to the same values 
previously set
> retitle: boxer-data: bogus hint "bugs" failing with recent boxer
Unknown command or malformed arguments to command.

> affects -1 debian-design
Bug #924382 [boxer-data] debian-design: FTBFS (Found unknown attribute(s) 
passed to the constructor)
Added indication that 924382 affects debian-design

-- 
924382: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924382



Processed: retitle 924382 to boxer-data: bogus hint bugs causes FTBFS with recent boxer

2019-03-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 924382 boxer-data: bogus hint bugs causes FTBFS with recent boxer
Bug #924382 [boxer-data] debian-design: FTBFS (Found unknown attribute(s) 
passed to the constructor)
Changed Bug title to 'boxer-data: bogus hint bugs causes FTBFS with recent 
boxer' from 'debian-design: FTBFS (Found unknown attribute(s) passed to the 
constructor)'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
924382: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924382



Processed: found 924382 in 10.7.1

2019-03-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 924382 10.7.1
Bug #924382 [boxer-data] boxer-data: bogus hint bugs causes FTBFS with recent 
boxer
Marked as found in versions boxer-data/10.7.1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
924382: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924382



Bug#924382: marked as done (boxer-data: bogus hint bugs causes FTBFS with recent boxer)

2019-03-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Mar 2019 10:19:19 +
with message-id 
and subject line Bug#924382: fixed in boxer-data 10.7.6
has caused the Debian Bug report #924382,
regarding boxer-data: bogus hint bugs causes FTBFS with recent boxer
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
924382: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924382
--- Begin Message ---
Source: boxer-data
Source-Version: 10.7.6

We believe that the bug you reported is fixed in the latest version of
boxer-data, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard  (supplier of updated boxer-data package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 12 Mar 2019 11:06:49 +0100
Source: boxer-data
Architecture: source
Version: 10.7.6
Distribution: unstable
Urgency: medium
Maintainer: Boxer developers 
Changed-By: Jonas Smedegaard 
Closes: 924382
Changes:
 boxer-data (10.7.6) unstable; urgency=medium
 .
   * Fix use hint "bug" (not bogus "bugs" unsupported since boxer 1.3.0).
 Closes: Bug#924382. Thanks to Santiago Vila .

Bug#923465: fixed in freecad 0.18~pre1+dfsg1-5

2019-03-12 Thread Kurt Kremitzki
Hi Robert,

On 3/11/19 5:43 PM, Robert LeBlanc wrote:
<-snip->
> rleblanc@riker:~/code$ sudo apt -t unstable install freecad
<-snip->

Because of file replacements, it requires a `sudo apt full-upgrade`;
this installation method won't work.



Processed: Re: Bug#853016: nodm: regression: restarts during upgrade, causing data loss

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> retitle 853016 nodm: regression: restarts during upgrade, causing data loss
Bug #853016 [nodm] restarting upon upgrade even kills APT, throws away all 
users' work
Bug #919980 [nodm] restarting upon upgrade even kills APT, throws away all 
users' work
Changed Bug title to 'nodm: regression: restarts during upgrade, causing data 
loss' from 'restarting upon upgrade even kills APT, throws away all users' 
work'.
Changed Bug title to 'nodm: regression: restarts during upgrade, causing data 
loss' from 'restarting upon upgrade even kills APT, throws away all users' 
work'.

-- 
853016: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853016
919980: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919980



Processed: Re: Bug#853016: nodm: regression: restarts during upgrade, causing data loss

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> retitle 853016 nodm: regression: restarts during upgrade, causing data loss
Bug #853016 [nodm] nodm: regression: restarts during upgrade, causing data loss
Bug #919980 [nodm] nodm: regression: restarts during upgrade, causing data loss
Ignoring request to change the title of bug#853016 to the same title
Ignoring request to change the title of bug#919980 to the same title

-- 
853016: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853016
919980: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919980



Bug#853016: nodm: regression: restarts during upgrade, causing data loss

2019-03-12 Thread Simon McVittie
Control: retitle 853016 nodm: regression: restarts during upgrade, causing data 
loss

(Retitling bug to something more prosaic.)

On Sun, 29 Jan 2017 at 06:06:58 +0800, 積丹尼 Dan Jacobson wrote:
> Upon reaching nodm, the entire X-windows is lost and the user thinks the
> computer has rebooted and all his work in other windows is lost.

On Sun, 03 Mar 2019 at 14:47:57 +, Mike Gabriel wrote:
> Please, can you possibly help finding a patch for this issue?

This appears to have been a regression when raising the debhelper compat
level from 9 to 12 in 0.13-3. Each debhelper compat level causes some
incompatible behaviour changes, which is why the compat level mechanism
exists (so that maintainers can opt-in to the new behaviour at a time
that is convenient to make the necessary packaging changes).

In particular, the behaviour of dh_installinit changed in compat level 10
(see #837528 for some discussion of this), and the relationship between
dh_installinit and dh_installsystemd changed in compat level 12.

The attached patches, also available as
, seem to be
enough. Note that patches 0001 and 0002 are both necessary to fix this
on machines that boot with systemd: the change in 0001 should have been
applied on moving from debhelper compat level 9 to 10, and the change
in 0002 is for the move from debhelper compat level 11 to 12.

Patch 0003 fixes a related bug caused by the move to debhelper compat
level 12, which is arguably also RC (a missing dependency), and patch
0004 is a "would be nice" feature related to this bug (copied from dbus,
which also isn't safe to restart).

Regards,
smcv
>From 59cd62ef18a458e73a6e0f20d7140cf56a8d210c Mon Sep 17 00:00:00 2001
From: Simon McVittie 
Date: Tue, 12 Mar 2019 09:55:34 +
Subject: [PATCH 1/5] d/rules: Don't restart nodm if using sysvinit

In debhelper compat levels up to 10, dh_installinit would normally stop
the service in prerm and start it again in postinst, with the former
possible to disable via the -r option. Since compat level 11, the
default behaviour is to restart the service in postinst for reduced
downtime, and this is not disabled by -r: we have to specify
the new --no-restart-after-upgrade option.

See also #837528.

Fixes: af32a593
---
 debian/rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index 667709f..37bcf23 100755
--- a/debian/rules
+++ b/debian/rules
@@ -21,7 +21,7 @@ override_dh_auto_test:
 	#make check
 
 override_dh_installinit:
-	dh_installinit -r -- defaults
+	dh_installinit -r --no-restart-after-upgrade -- defaults
 
 get-orig-source:
 	uscan --noconf --force-download --rename --download-current-version --destdir=..
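
Review bot: On the changed `dh_installinit` line, the short `-r` is kept next to `--no-restart-after-upgrade`, and nothing in debian/rules says why both are needed. The reasoning lives only in the commit message, so a one-line comment above `override_dh_installinit` stating that nodm must not be stopped or restarted during an upgrade would keep the next compat bump from regressing this.
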
-- 
2.20.1

>From a9901e3598e97f090f08bd67c109a543439e49c3 Mon Sep 17 00:00:00 2001
From: Simon McVittie 
Date: Tue, 12 Mar 2019 09:17:33 +
Subject: [PATCH 2/5] d/rules: Don't restart nodm if using systemd init

In debhelper compat levels up to 11, systemd services that have a
corresponding LSB init script were handled by dh_installinit.
In compat level 12, dh_installsystemd takes over responsibility for
these services, so overriding dh_installinit is no longer sufficient to
prevent the systemd unit from being restarted after upgrade:

If you have an override for dh_installinit (e.g. to call it with
--no-start) then you will probably need one for dh_installsystemd
as well now.
-- debhelper(7)

In combination with the previous commit (which fixed the sysvinit code
path), this stops nodm from restarting and ending the user's graphical
login session (#853016)

Closes: #853016
Fixes: af32a593
---
 debian/rules | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/debian/rules b/debian/rules
index 37bcf23..fc924e9 100755
--- a/debian/rules
+++ b/debian/rules
@@ -23,5 +23,8 @@ override_dh_auto_test:
 override_dh_installinit:
 	dh_installinit -r --no-restart-after-upgrade -- defaults
 
+override_dh_installsystemd:
+	dh_installsystemd -r --no-restart-after-upgrade
+
 get-orig-source:
 	uscan --noconf --force-download --rename --download-current-version --destdir=..
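
Review bot: `override_dh_installsystemd` repeats the restart policy of `override_dh_installinit` directly above it with nothing tying the two together, so a later edit can change one and miss the other. Consider a shared comment or a single variable holding `-r --no-restart-after-upgrade`, and confirm on a systemd machine that the generated prerm and postinst of the built package no longer stop or restart the unit.
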
-- 
2.20.1

>From a6f0b9d6575d31645a1a578adc04a3cd02863fcd Mon Sep 17 00:00:00 2001
From: Simon McVittie 
Date: Tue, 12 Mar 2019 09:19:23 +
Subject: [PATCH 3/5] d/control: Add missing ${misc:Pre-Depends}

In compat level 12, dh_installsystemd uses this substitution to generate
its required Pre-Depends on init-system-helpers (>= 1.54~).

Fixes: af32a593
---
 debian/control | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debian/control b/debian/control
index c78f35c..e6caa82 100644
--- a/debian/control
+++ b/debian/control
@@ -22,6 +22,8 @@ Homepage: https://github.com/spanezz/nodm/
 
 Package: nodm
 Architecture: linux-any
+Pre-Depends:
+ ${misc:Pre-Depends},
 Depends:
  lsb-base,
  x11-common,
-- 
2.20.1

>From 6e1b4695165f724e6f95f9a0f71eebe542759659 Mon Sep 17 00:00:00 2001
From: Simon McVittie 
Date: Tue, 12 Mar 2019 09:22:22 +0
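
Added example (not part of Simon McVittie's message or of the nodm packaging): a small Python lint for the situation the message describes, where a debian/rules override that used to keep a service running stops being sufficient after a debhelper compat bump. The compat thresholds 10 and 12 are taken from the message body, the sample rules text is constructed from the context lines of patches 0001 and 0002, and the function names and finding labels are hypothetical.

```python
import re

# Thresholds as stated in the message body (assumption: they apply as-is).
RESTART_DEFAULT_COMPAT = 10   # dh_installinit behaviour changed here
SYSTEMD_SPLIT_COMPAT = 12     # dh_installsystemd takes over systemd units here

NO_RESTART = "--no-restart-after-upgrade"
# Options that signal "the maintainer wants to control start/restart".
INTENT_FLAGS = {"-r", "--no-start", NO_RESTART}


def parse_overrides(rules_text):
    """Map each overridden helper (dh_*) to the recipe lines of its target."""
    overrides = {}
    current = None
    for line in rules_text.splitlines():
        m = re.match(r"^override_(dh_[A-Za-z0-9_]+)\s*:", line)
        if m:
            current = m.group(1)
            overrides[current] = []
        elif line.startswith("\t") and current:
            overrides[current].append(line.strip())
        elif line.strip() and not line.startswith("#"):
            current = None  # any other top-level line ends the recipe
    return overrides


def helper_args(recipe_lines, helper):
    """Return the options passed to `helper`, up to a bare `--` separator."""
    for line in recipe_lines:
        tokens = line.split()
        if tokens and tokens[0] == helper:
            args = tokens[1:]
            if "--" in args:
                args = args[:args.index("--")]
            return args
    return None  # helper is not called in this recipe (or no override)


def check_restart_policy(rules_text, compat):
    """Return finding labels for restart handling at the given compat level."""
    findings = []
    ov = parse_overrides(rules_text)
    init_args = helper_args(ov.get("dh_installinit", []), "dh_installinit")
    sysd_args = helper_args(ov.get("dh_installsystemd", []), "dh_installsystemd")

    if init_args is None:
        return findings  # no override, so no stated intent to check

    # Patch 0001: -r alone no longer prevents the restart in postinst.
    if (compat >= RESTART_DEFAULT_COMPAT and "-r" in init_args
            and NO_RESTART not in init_args):
        findings.append("installinit-r-without-no-restart")

    # Patch 0002: at compat 12 the systemd unit needs its own override.
    if compat >= SYSTEMD_SPLIT_COMPAT and INTENT_FLAGS & set(init_args):
        if sysd_args is None:
            findings.append("missing-installsystemd-override")
        elif NO_RESTART not in sysd_args:
            findings.append("installsystemd-restarts-after-upgrade")
    return findings


# Constructed sample input, modelled on the hunks' context lines.
RULES_BEFORE = (
    "override_dh_auto_test:\n"
    "\t#make check\n"
    "\n"
    "override_dh_installinit:\n"
    "\tdh_installinit -r -- defaults\n"
    "\n"
    "get-orig-source:\n"
    "\tuscan --noconf --force-download --destdir=..\n"
)
RULES_AFTER_0001 = RULES_BEFORE.replace(
    "dh_installinit -r --", "dh_installinit -r " + NO_RESTART + " --")
RULES_AFTER_0002 = RULES_AFTER_0001.replace(
    "get-orig-source:",
    "override_dh_installsystemd:\n"
    "\tdh_installsystemd -r " + NO_RESTART + "\n"
    "\n"
    "get-orig-source:")

if __name__ == "__main__":
    for name, text in [("before", RULES_BEFORE),
                       ("after 0001", RULES_AFTER_0001),
                       ("after 0002", RULES_AFTER_0002)]:
        print(name, check_restart_policy(text, 12))
```

The check only reads debian/rules; the authoritative test remains inspecting the prerm and postinst scripts of the built package.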

Processed: found 866354 in gcc-8/8.3.0-2

2019-03-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 866354 gcc-8/8.3.0-2
Bug #866354 [libstdc++6] armel: symbol _ZTINSt13__future_base12_Result_baseE, 
version GLIBCXX_3.4.15 not defined in file libstdc++.so.6
Bug #873200 [libstdc++6] /usr/bin/llvm-config-4.0: relocation error: 
/usr/lib/llvm-4.0/bin/../lib/libLLVM-4.0.so.1: symbol 
_ZTINSt13__future_base12_Result_baseE, version GLIBCXX_3.4.15 not defined in 
file libstdc++.so.6 with link time reference
Marked as found in versions gcc-8/8.3.0-2.
Marked as found in versions gcc-8/8.3.0-2.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
866354: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866354
873200: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873200
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#912549: icedtea-web FTBFS with OpenJDK 11

2019-03-12 Thread Andreas Tille
Hi,

Michael Crusoe has suggested a workaround[1].  What do you think about
this?

Kind regards,

   Andreas.



[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912549#10

-- 
http://fam-tille.de



Processed: tagging 853016

2019-03-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 853016 + patch
Bug #853016 [nodm] nodm: regression: restarts during upgrade, causing data loss
Bug #919980 [nodm] nodm: regression: restarts during upgrade, causing data loss
Added tag(s) patch.
Added tag(s) patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
853016: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853016
919980: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919980
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#893074: marked as done (gnome-control-center: external tv device freezes gnome on wayland)

2019-03-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Mar 2019 10:53:26 +
with message-id <20190312105326.ga14...@espresso.pseudorandom.co.uk>
and subject line Re: Bug#894306: external monitor resolution higher than 
1920x1080 freezes rendering
has caused the Debian Bug report #894306,
regarding gnome-control-center: external tv device freezes gnome on wayland
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
894306: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894306
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnome-control-center
Version: 1:3.27.92-1
Severity: important

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
 ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***
I have a dell xps 13 and a tv 4k connected via adapter usb c/hdmi. It worked
flawlessly for the last 3 years. this morning after update to gnome 3.27.92 in
buster , when I connect the tv to the pc , this one freezes completely with no
other choice to power off. in gnome xorg the tv is recognized but only in full
hd resolution. on higher res, it freezes too.



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (2, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-rt-amd64 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), 
LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnome-control-center depends on:

Versions of packages gnome-control-center recommends:

Bug#894306: marked as done (external monitor resolution higher than 1920x1080 freezes rendering)

2019-03-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Mar 2019 10:53:26 +
with message-id <20190312105326.ga14...@espresso.pseudorandom.co.uk>
and subject line Re: Bug#894306: external monitor resolution higher than 
1920x1080 freezes rendering
has caused the Debian Bug report #894306,
regarding external monitor resolution higher than 1920x1080 freezes rendering
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
894306: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894306
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnome-control-center
Version: 1:3.28.0-1
Severity: grave
Tags: upstream
Justification: renders package unusable

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation? connection of a 4k external monitor
   * What exactly did you do (or not do) that was effective (or
 ineffective)? until gnome 3.26 it was correctly detected. now it works
only on full hd resolution. higher resolutions cause the blackout of both the
displays and the only way out is to power off.
   * What was the outcome of this action? the system is unusable
   * What outcome did you expect instead? the correct resolution on both
displays

*** End of the template - remove these template lines ***



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (1000, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnome-control-center depends on:

Versions of packages gnome-control-center recommends:

Bug#923457: test_likelihood_nh (Failed)

2019-03-12 Thread Julien Y. Dutheil
Dear Andreas,

Ok, I have committed a patch removing the test. But just realized I did not
update the changelog... should that now be version 2.4.1-3?

Cheers,

Julien.

On Tue, Mar 12, 2019 at 11:03 AM Andreas Tille  wrote:

> On Tue, Mar 12, 2019 at 09:53:10AM +0100, Julien Y. Dutheil wrote:
> > This all boils down to the fact that this unit test is badly designed: it
> > basically maximizes a function from initial random values. In some
> > particular combinations of initial values though, the convergence may fail
> > or take too much time. I will redesign the test, but do not have time at
> > the moment. Would it be possible to just deactivate that test for now?
>
> Sure.  IMHO that's the most straightforward way to deal with this issue.
> Since I expect you to be more familiar with the tests I simply assumed
> that you find a more elegant way to deactivate the test than I. ;-)
>
> > In the meantime I also found more symbols errors in libbpp-popgen and I
> > fixed that. I also propagated your modification from bpp-phyl to bpp-seq
> > and bpp-popgen.
>
> I've seen the commits.  Thanks for this.  I'll upload in case there will
> be more bugs reported.  In Freeze we touch only packages with RC bugs.
>
> > On a side note: how can I change my email address (the one that appears in
> > the changelog file) ? That one is now deprecated.
>
> It should be changed in debian/control in the Uploaders field as well.
> Both strings need to match each other.
>
> Thanks for your contribution
>
>   Andreas.
>
> --
> http://fam-tille.de
>


-- 
Julien Y. Dutheil, Ph-D
0 (+49) 4522 763 298

§ Max Planck Institute for Evolutionary Biology
Molecular Systems Evolution
Department of Evolutionary Genetics
Plön -- GERMANY

§ Institute of Evolutionary Sciences - Montpellier
University of Montpellier 2 -- FRANCE


Bug#924283: Wrong jre dependency of Jython

2019-03-12 Thread Ole Streicher
Control: reassign -1 jython 2.7.1+repack1-1
Control: affects -1 jython-stilts
Control: retitle -1 jython: does not run with older Java versions
Control: tags -1 - moreinfo + patch

Jython can be installed with an old version of Java, but then
fails to run:

# apt install openjdk-8-jre-headless jython --no-install-recommends
# jython
Exception in thread "main" java.lang.NoSuchMethodError: 
java.nio.ByteBuffer.clear()Ljava/nio/ByteBuffer;
at org.python.core.io.BufferedReader.clear(BufferedReader.java:147)
at org.python.core.io.BufferedReader.(BufferedReader.java:27)
at org.python.core.PyFile.createBuffer(PyFile.java:227)
at org.python.core.PyFile.file___init__(PyFile.java:185)
at org.python.core.PyFile.file___init__(PyFile.java:178)
at org.python.core.PyFile.(PyFile.java:101)
at org.python.core.PySystemState.(PySystemState.java:237)
at org.python.core.PySystemState.doInitialize(PySystemState.java:1112)
at org.python.core.PySystemState.initialize(PySystemState.java:1023)
at org.python.core.PySystemState.initialize(PySystemState.java:979)
at org.python.core.PySystemState.initialize(PySystemState.java:974)
at org.python.util.jython.run(jython.java:263)
at org.python.util.jython.main(jython.java:142)

This is a compatibility problem introduced with Java 9. It can be solved
by replacing the dependency "java5-runtime-headless" by
"java9-runtime-headless"; see the attached patch. Launchpad bugs
#1771476 and #1784043 report similar problems, which would be fixed as
well.

Best

Ole


>From 7ac05bfe664a289895f1fd91d096d3a60c17f082 Mon Sep 17 00:00:00 2001
From: Ole Streicher 
Date: Tue, 12 Mar 2019 11:53:25 +0100
Subject: [PATCH] Increase minimal JRE version to Java9

Java 9 introduces an incompatibility by removing java.nio.ByteBuffer,
which is used in the binary package.

Closes: #924283
LP: #1771476, #1784043
---
 debian/control | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index 9f9ccb2..24ab015 100644
--- a/debian/control
+++ b/debian/control
@@ -32,7 +32,7 @@ Homepage: http://www.jython.org
 Package: jython
 Architecture: all
 Depends: ${misc:Depends}, ${perl:Depends}, ${python:Depends}, ${java:Depends},
- default-jre-headless | java5-runtime-headless,
+ default-jre-headless | java9-runtime-headless,
 Recommends: default-jdk | java-compiler
 Suggests: jython-doc, libmariadb-java, libpostgresql-jdbc-java
 Description: Python seamlessly integrated with Java
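
Review bot: The first alternative on the changed Depends line, `default-jre-headless`, is still unversioned, so this only tightens the fallback: any installed `default-jre-headless` satisfies the dependency regardless of which Java version it pulls in. Consider adding a version constraint to `default-jre-headless` as well. Separately, the commit message says Java 9 removes java.nio.ByteBuffer, while the trace in the report shows the `clear()Ljava/nio/ByteBuffer;` signature missing on the older runtime; the message should describe that instead.
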
-- 
2.20.1



Processed: Wrong jre dependency of Jython

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> reassign -1 jython 2.7.1+repack1-1
Bug #924283 [jython-stilts] jython-stilts: fails to install: Exception in 
thread "main" java.lang.NoSuchMethodError: 
java.nio.ByteBuffer.clear()Ljava/nio/ByteBuffer;
Bug reassigned from package 'jython-stilts' to 'jython'.
No longer marked as found in versions starjava-ttools/3.1.5-1.
Ignoring request to alter fixed versions of bug #924283 to the same values 
previously set
Bug #924283 [jython] jython-stilts: fails to install: Exception in thread 
"main" java.lang.NoSuchMethodError: 
java.nio.ByteBuffer.clear()Ljava/nio/ByteBuffer;
Marked as found in versions jython/2.7.1+repack1-1.
> affects -1 jython-stilts
Bug #924283 [jython] jython-stilts: fails to install: Exception in thread 
"main" java.lang.NoSuchMethodError: 
java.nio.ByteBuffer.clear()Ljava/nio/ByteBuffer;
Added indication that 924283 affects jython-stilts
> retitle -1 jython: does not run with older Java versions
Bug #924283 [jython] jython-stilts: fails to install: Exception in thread 
"main" java.lang.NoSuchMethodError: 
java.nio.ByteBuffer.clear()Ljava/nio/ByteBuffer;
Changed Bug title to 'jython: does not run with older Java versions' from 
'jython-stilts: fails to install: Exception in thread "main" 
java.lang.NoSuchMethodError: java.nio.ByteBuffer.clear()Ljava/nio/ByteBuffer;'.
> tags -1 - moreinfo + patch
Bug #924283 [jython] jython: does not run with older Java versions
Removed tag(s) moreinfo.
Bug #924283 [jython] jython: does not run with older Java versions
Added tag(s) patch.

-- 
924283: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924283
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#924047: FTBFS: package don't build successful after new GCC version

2019-03-12 Thread Carsten Schoenert
On 12.03.19 at 04:57, أحمد المحمودي wrote:
> Yes, but this needs to be done for every gcc update !

Mostly, yes.
I remember I wrote this information early on in one of our
first conversations about systemc packaging.

> I tried unmangling the c++ symbols and using c++ tag in symbols file
> (see c++sym branch), but that failed too.

This doesn't help much in the end as the symbols are still the same in
the end. As long as upstream isn't doing versioning there is the mess
that every symbol needs to be listed. A common problem unfortunately. :/

> Anyways, I updated std ver to 4.3.0, and pushed 2.3.3-2, here's the 
> changelog entry:
> 
> systemc (2.3.3-2) unstable; urgency=medium
> 
>   [ أحمد المحمودي (Ahmed El-Mahmoudy) ]
>   * [625f662] Revert "uscan: update watch file to catch new versions"
> This reverts commit 83ab9e15a4138b76fadd9d6ada5d0893a12f0ae8.
>   * [3886a0b] Bumped standards version to 4.3.0, no changes needed
> 
>   [ Carsten Schoenert ]
>   * [d3c60cd] libsystemc.symbols: update after GCC update

Fine, will do an upload later today.

-- 
Regards
Carsten Schoenert



Bug#923457: test_likelihood_nh (Failed)

2019-03-12 Thread Andreas Tille
On Tue, Mar 12, 2019 at 11:56:49AM +0100, Julien Y. Dutheil wrote:
> Dear Andreas,
> 
> Ok, I have committed a patch removing the test. But just realized I did not
> update the changelog... should that now be version 2.4.1-3?

Thanks, I'll fix the changelog.  Andreas.
 
> Cheers,
> 
> Julien.
> 
> On Tue, Mar 12, 2019 at 11:03 AM Andreas Tille  wrote:
> 
> > On Tue, Mar 12, 2019 at 09:53:10AM +0100, Julien Y. Dutheil wrote:
> > > This all boils down to the fact that this unit test is badly designed: it
> > > basically maximizes a function from initial random values. In some
> > > particular combinations of initial values though, the convergence may fail
> > > or take too much time. I will redesign the test, but do not have time at
> > > the moment. Would it be possible to just deactivate that test for now?
> >
> > Sure.  IMHO that's the most straightforward way to deal with this issue.
> > Since I expect you to be more familiar with the tests I simply assumed
> > that you find a more elegant way to deactivate the test than I. ;-)
> >
> > > In the meantime I also found more symbols errors in libbpp-popgen and I
> > > fixed that. I also propagated your modification from bpp-phyl to bpp-seq
> > > and bpp-popgen.
> >
> > I've seen the commits.  Thanks for this.  I'll upload in case there will
> > be more bugs reported.  In Freeze we touch only packages with RC bugs.
> >
> > > On a side note: how can I change my email address (the one that appears in
> > > the changelog file) ? That one is now deprecated.
> >
> > It should be changed in debian/control in the Uploaders field as well.
> > Both strings need to match each other.
> >
> > Thanks for your contribution
> >
> >   Andreas.
> >
> > --
> > http://fam-tille.de
> >
> 
> 
> -- 
> Julien Y. Dutheil, Ph-D
> 0 (+49) 4522 763 298
> 
> § Max Planck Institute for Evolutionary Biology
> Molecular Systems Evolution
> Department of Evolutionary Genetics
> Plön -- GERMANY
> 
> § Institute of Evolutionary Sciences - Montpellier
> University of Montpellier 2 -- FRANCE



-- 
http://fam-tille.de



Processed: Re: [Pkg-mailman-hackers] Bug#924330: postinst function django_config_site() broken

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 grave
Bug #924330 [mailman3-web] postinst function django_config_site() broken
Severity set to 'grave' from 'important'

-- 
924330: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924330
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#924373: marked as done (qiime: Does not install due to outdated dependencies)

2019-03-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Mar 2019 12:19:24 +
with message-id 
and subject line Bug#924373: fixed in qiime 2019.1.0-2
has caused the Debian Bug report #924373,
regarding qiime: Does not install due to outdated dependencies
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
924373: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924373
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: qiime
Severity: grave
Tags: patch
Justification: renders package unusable


# sudo apt install qiime
Reading package lists... Done
Building dependency tree   
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 qiime : Depends: python-burrito-fillings (>= 0.1.1) but it is not installable
 Depends: emperor (>= 0.9.51) but it is not installable
 Recommends: rtax but it is not going to be installed
E: Unable to correct problems, you have held broken packages.


The dependencies are a remnant of the old version of qiime and are not
needed for the current version any more. A patch is provided by Liubov
Chuprikova in Git:

   
https://salsa.debian.org/med-team/qiime/commit/1ae71cf2f21289d4ef3519b994888c256166017a

Kind regards

  Andreas.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (501, 'testing'), (50, 'buildd-unstable'), (50, 'unstable'), (5, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Source: qiime
Source-Version: 2019.1.0-2

We believe that the bug you reported is fixed in the latest version of
qiime, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Liubov Chuprikova  (supplier of updated qiime package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 12 Mar 2019 00:13:16 +0200
Source: qiime
Binary: qiime
Architecture: source
Version: 2019.1.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team 

Changed-By: Liubov Chuprikova 
Description:
 qiime  - Quantitative Insights Into Microbial Ecology
Closes: 924373
Changes:
 qiime (2019.1.0-2) unstable; urgency=medium
 .
   * Team upload.
   * Delete old Qiime dependencies
 Closes: #924373



Bug#924391: libxmlrpc-lite-perl: FTBFS randomly (failing tests)

2019-03-12 Thread Santiago Vila
Package: src:libxmlrpc-lite-perl
Version: 0.717-1
Severity: serious
Tags: ftbfs

Dear maintainer:

I tried to build this package in buster but it failed:


[...]
 debian/rules build-indep
dh build-indep
dh: Compatibility levels before 9 are deprecated (level 8 in use)
   dh_update_autotools_config -i
   dh_auto_configure -i
dh_auto_configure: Compatibility levels before 9 are deprecated (level 8 in use)
perl -I. Makefile.PL INSTALLDIRS=vendor
Warning: NAME must be a package name
Checking if your kit is complete...
Looks good
Generating a Unix-style Makefile
Writing Makefile for XMLRPC-Lite
Writing MYMETA.yml and MYMETA.json
   dh_auto_build -i
dh_auto_build: Compatibility levels before 9 are deprecated (level 8 in use)
make -j1
make[1]: Entering directory '/<>'
cp lib/Apache/XMLRPC/Lite.pm blib/lib/Apache/XMLRPC/Lite.pm
cp lib/XMLRPC/Transport/HTTP.pm blib/lib/XMLRPC/Transport/HTTP.pm
cp lib/XMLRPC/Lite.pm blib/lib/XMLRPC/Lite.pm
cp lib/XMLRPC/Transport/POP3.pm blib/lib/XMLRPC/Transport/POP3.pm
cp lib/XMLRPC/Transport/TCP.pm blib/lib/XMLRPC/Transport/TCP.pm
cp lib/XMLRPC/Test.pm blib/lib/XMLRPC/Test.pm
Manifying 6 pod documents
make[1]: Leaving directory '/<>'
   dh_auto_test -i
dh_auto_test: Compatibility levels before 9 are deprecated (level 8 in use)
make -j1 test TEST_VERBOSE=1
make[1]: Entering directory '/<>'
PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" 
"-e" "undef *Test::Harness::Switches; test_harness(1, 'blib/lib', 'blib/arch')" 
t/*.t
t/07-xmlrpc_payload.t .. 
1..8
# Running under perl version 5.028001 for linux
# Current time local: Mon Mar 11 08:51:04 2019
# Current time GMT:   Mon Mar 11 08:51:04 2019
# Using Test.pm version 1.31
XML-RPC deserialization test(s)...
ok 1
ok 2
ok 3
ok 4
ok 5
ok 6
ok 7
ok 8
ok
# Failed test 1 in t/26-xmlrpc.t at line 36
#  t/26-xmlrpc.t line 36 is:   ok((XMLRPC::Lite
t/26-xmlrpc.t .. 
1..6
# Running under perl version 5.028001 for linux
# Current time local: Mon Mar 11 08:51:05 2019
# Current time GMT:   Mon Mar 11 08:51:05 2019
# Using Test.pm version 1.31
not ok 1
ok 2
ok 3
ok 4
ok 5
ok 6
XMLRPC autodispatch and fault check test(s)...
#TODO: fix fault handling ...
Failed 1/6 subtests 
t/37-mod_xmlrpc.t .. skipped: 500 Can't connect to localhost:80 (Connection 
refused)

Test Summary Report
---
t/26-xmlrpc.t(Wstat: 0 Tests: 6 Failed: 1)
  Failed test:  1
Files=3, Tests=14,  3 wallclock secs ( 0.05 usr  0.01 sys +  0.77 cusr  0.08 
csys =  0.91 CPU)
Result: FAIL
Failed 1/3 test programs. 1/14 subtests failed.
make[1]: *** [Makefile:840: test_dynamic] Error 255
make[1]: Leaving directory '/<>'
dh_auto_test: make -j1 test TEST_VERBOSE=1 returned exit code 2
make: *** [debian/rules:4: build-indep] Error 2
dpkg-buildpackage: error: debian/rules build-indep subprocess returned exit 
status 2


This happens randomly. Sometimes it fails, sometimes it does not, but
the failure rate (> 50%) is too high.

I've put a bunch of failed build logs here:

https://people.debian.org/~sanvila/build-logs/libxmlrpc-lite-perl/

I'm experiencing this on both Scaleway instances of type 1-XS and 1-S.
If you need a test machine to reproduce, please contact me privately and
I will gladly provide ssh access.

If this is really a bug in one of the build-depends, please use reassign
and affects, so that this is still visible in the BTS web page for this
package.

Thanks.



Processed: bug 924391 is forwarded to https://rt.cpan.org/Public/Bug/Display.html?id=127761, tagging 924391

2019-03-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> forwarded 924391 https://rt.cpan.org/Public/Bug/Display.html?id=127761
Bug #924391 [src:libxmlrpc-lite-perl] libxmlrpc-lite-perl: FTBFS randomly 
(failing tests)
Set Bug forwarded-to-address to 
'https://rt.cpan.org/Public/Bug/Display.html?id=127761'.
> tags 924391 + upstream
Bug #924391 [src:libxmlrpc-lite-perl] libxmlrpc-lite-perl: FTBFS randomly 
(failing tests)
Added tag(s) upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
924391: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924391
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#899067: Fixed by patching def loop to def sr_loop

2019-03-12 Thread Christian Schiffler
Apparently there is now a collision with some other GEM.

Patched the internal def "loop" to "sr_loop".

diff attached.

Hope this helps
Chris


--- utils/addons_ruby.rb	2019-03-12 14:28:42.054424340 +0100
+++ utils/addons_ruby.rb	2019-03-12 14:26:47.553463725 +0100
@@ -59,7 +59,7 @@
 		list.each { |file| orig_require(file) }
 	end
 
-	def loop(from, to, step=1)
+	def sr_loop(from, to, step=1)
 		i = from
 		while i <= to
 			yield i
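
Review bot: the renamed helper at `def sr_loop(from, to, step=1)` has no comment saying why it is no longer called `loop`. A one-line comment that the old name shadowed Ruby's built-in `Kernel#loop` would keep someone from renaming it back, and it is worth grepping the tree for any remaining three-argument `loop(...)` callers, since the patch only updates ruler_window.rb.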
--- ruler_window.rb	2019-03-12 14:28:20.186240717 +0100
+++ ruler_window.rb	2019-03-12 14:29:51.403007080 +0100
@@ -244,7 +244,7 @@
 
 		# Loop, drawing ticks (top and bottom) and labels
 		repetitions, tick_index = 0, 0
-		loop(pixels_per_tick, length + OVERDRAW, pixels_per_tick) { |x|
+		sr_loop(pixels_per_tick, length + OVERDRAW, pixels_per_tick) { |x|
 			x = x.floor + 0.5		# Cairo likes lines in the 'center' of pixels
 
 			tick_size = @@tick_sizes[ unit.tick_pattern[tick_index, 1].to_s ]
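
Review bot: in the tick-drawing call `sr_loop(pixels_per_tick, length + OVERDRAW, pixels_per_tick)` the step is the same value as the start, so a `pixels_per_tick` of zero would leave the helper's `while i <= to` loop without progress, assuming the helper advances `i` by `step`. A guard before the call would cover that; Ruby's own `pixels_per_tick.step(length + OVERDRAW, pixels_per_tick) { |x| ... }` would also remove the need for a custom helper here.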
@@ -333,7 +333,7 @@
 
 		# Fill with 'horizontal' lines
 		cr.set_source_color($preferences_window.foreground_color)
-		loop(@menu_box.y + 2.5, @menu_box.y + @menu_box.height + -1.5, 2) { |y|
+		sr_loop(@menu_box.y + 2.5, @menu_box.y + @menu_box.height + -1.5, 2) { |y|
 			cr.move_to(@menu_box.x + 2.0, y)
 			cr.line_to(@menu_box.x + @menu_box.width - 1, y)
 		}
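
Review bot: the upper bound in `sr_loop(@menu_box.y + 2.5, @menu_box.y + @menu_box.height + -1.5, 2)` is written as `+ -1.5`. Since the line is being touched anyway, `- 1.5` reads more clearly and matches the `- 1` used two lines below.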




Bug#924393: acme-tiny: Please update to ACMEv2 API

2019-03-12 Thread Sebastian Andrzej Siewior
Package: acme-tiny
Version: 20171115-2
Severity: serious

Hi,

the package is using the ACME-v1 API. Since v4.0.0 (available since Thu
Mar 15 22:03:38 2018 -0700) it is using the ACME-v2 API.  One difference
is that the received certificate contains the parent certificate.

The important part and the reason why I think that this version is unfit
for Buster is that the v1 API is deprecated [0]. According to the URL
starting in November 2019 you won't be able to register new accounts.
At the beginning of 2021 the v1 API will be disabled for 24h until it is
completely shut down in June 2021 which is within Buster's lifetime.

Therefore I think it makes sense to prepare an update of the package and
talk to the release team.

[0] https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430

Sebastian



Bug#923976: [Pkg-puppet-devel] Bug#923976: Bug#923976: puppet: Reports submitte

2019-03-12 Thread Kienan Stewart
On Tue, Mar 12, 2019 at 10:22:52AM +0200, Apollon Oikonomopoulos wrote:
> Control: tags -1 - moreinfo + patch pending
> Control: severity -1 serious
> 
> OK, thanks for confirming this and thanks for the detailed report, it's 
> very helpful!
> 
> I'm bumping this bug to RC, as I don't think Puppet report storage 
> should break merely by installing an unrelated Ruby package.  
> Additionally this is a regression from Puppet 4.x.
> 
> So, here's what's happening:
> 
>  - Puppet 5 switched from a custom wire format (PSON) to JSON for 
>    transmitting facts and reports.
>  - There is no issue when using the ruby-json JSON library to parse 
>    reports.
>  - Some JSON libraries (Oj and JrJackson) de-serialize floats with many 
>    decimal digits - such as the timing metrics found in a Puppet agent 
>    report - as BigDecimal.
>  - When BigDecimal's are serialized again to JSON, they are serialized 
>    as Strings (and not floats), causing PuppetDB's schema validation to 
>    fail.
>  - This path is only triggered when ruby-oj and ruby-multi-json are 
>    installed, enabling Puppet to use Oj via multi-json. (JrJackson is 
>    Jruby-only, and there are provisions upstream handling BigDecimal 
>    conversion in this case).
> 
> Your patch fixes the issue, but it does so right before the report is 
> transmitted to PuppetDB. I think it's best to instruct Oj to never 
> deserialize floats as BigDecimals and avoid having to do any conversions 
> in the first place. Additionally, this will guard all other report 
> processors (e.g. store) which might want to handle metrics against 
> similar issues.
> 
> Can you test the attached patch and confirm that it works?
>

Hi,

I applied the patch (reloaded apache2 afterwards) and runs are able to
store reports now.
(I did confirm before the patch was applied that the reports were not
being stored).

Thanks for the great explanation, your effort and time, and the patch!

Thanks,
Kienan

> Regards,
> Apollon




Bug#923465: fixed in freecad 0.18~pre1+dfsg1-5

2019-03-12 Thread Robert LeBlanc
Oh, I wasn't aware of that.

Sent from a mobile device, please excuse any typos.

On Tue, Mar 12, 2019, 4:23 AM Kurt Kremitzki  wrote:

> Hi Robert,
>
> On 3/11/19 5:43 PM, Robert LeBlanc wrote:
> <-snip->
> > rleblanc@riker:~/code$ sudo apt -t unstable install freecad
> <-snip->
>
> Because of file replacements, it requires a `sudo apt full-upgrade`,
> this installation method won't work.
>
>


Bug#924346: xmltooling: CVE-2019-9628: XML parser class fails to trap exceptions on malformed XML declaration

2019-03-12 Thread wferi
Moritz Muehlenhoff  writes:

> On Tue, Mar 12, 2019 at 10:19:00AM +0100, wf...@niif.hu wrote:
>
>> The resulting packages works fine in my setup.  However, I failed to
>> reproduce the original issue under stretch.  After consulting upstream,
>> it turns out that the old Xerces library actually helps somewhat in this
>> case, please see Scott Cantor's reply below.  So the known exploit
>> (using an invalid XML declaration) does not work on stable, but if
>> somebody finds a way to trigger a DOMException in Xerces 3.1, any
>> xmltooling users will crash all the same.  See also his comment on
>> https://issues.apache.org/jira/browse/XERCESC-2016.
>
> I think we can still fix this via stretch-security

OK, uploaded.

> it's better to fix the root cause nonetheless.

Even though the Xerces change is suspicious, the documentation allows
the parser to throw DOMExceptions, so they must be handled by the
callers, which this fix achieves.
-- 
Regards,
Feri



Bug#923457: test_likelihood_nh (Failed)

2019-03-12 Thread Julien Y. Dutheil
Dear Andreas,

Ok, great. Will try to fix that unit test thing upstream for next time.

Best,

Julien.

On Tue, Mar 12, 2019 at 3:18 PM Andreas Tille  wrote:

> Hi Julien
>
> On Tue, Mar 12, 2019 at 11:56:49AM +0100, Julien Y. Dutheil wrote:
> > Ok, I have committed a patch removing the test. But just realized I did not
> > update the changelog... should that now be version 2.4.1-3?
>
> I've updated d/changelog but will *not* upload anything since meanwhile
> the package has built on all architectures (randomness was this time on
> our side) and so there is no need to touch anything.  In case the package
> might receive another RC bug we are now on the safe side.
>
> Thanks a lot for your contribution
>
>Andreas.
>
> --
> http://fam-tille.de
>


-- 
Julien Y. Dutheil, Ph-D
0 (+49) 4522 763 298

§ Max Planck Institute for Evolutionary Biology
Molecular Systems Evolution
Department of Evolutionary Genetics
Plön -- GERMANY

§ Institute of Evolutionary Sciences - Montpellier
University of Montpellier 2 -- FRANCE


Bug#923457: test_likelihood_nh (Failed)

2019-03-12 Thread Andreas Tille
Hi Julien

On Tue, Mar 12, 2019 at 11:56:49AM +0100, Julien Y. Dutheil wrote:
> Ok, I have committed a patch removing the test. But just realized I did not
> update the changelog... should that now be version 2.4.1-3?

I've updated d/changelog but will *not* upload anything since meanwhile
the package has built on all architectures (randomness was this time on
our side) and so there is no need to touch anything.  In case the package
might receive another RC bug we are now on the safe side.

Thanks a lot for your contribution

   Andreas.

-- 
http://fam-tille.de



Bug#923772: Test suite fails in i386 architecture with strange replacement of "(" by "'" (#35)

2019-03-12 Thread Mikkel Schubert
Hi Andreas,

You're looking at a comparison between two FASTQ reads:

@Rec1
GCATGATATATACAAC
+
012345'FBcEFGHIJ

and

@Rec1
GCATGATATATACAAC
+
012345(FBcEFGHIJ


The format is roughly
  
@[name]
[N * Nucleotides]
+
[N * Phred quality scores]


So the difference is that the quality score for the 7th base (a 'T') is "'" 
instead of "(", corresponding to a Phred quality score of 6 instead of 7 
(calculated as ASCII value - 33). It is merely a coincidence that this happened 
between numerical and non-numerical values.

During the collapse step, in which two overlapping reads are merged, updated 
quality scores are calculated as a product of the scores for the two copies of 
the overlapping base-pair. This will either result in a higher quality score 
being assigned (for identical positions) or a lower quality score being 
assigned (for mismatching positions). 

The calculation to determine the updated quality score makes use of std::log10, 
which appears to produce slightly different results on i386 vs amd64, resulting 
in a small number of updated quality scores being off by one on i386 compared 
to amd64. I determined this simply by printing every single intermediate result 
for this calculation for binaries built with and without -m32.

The solution I am taking is to simply pre-calculate the lookup table and 
include a hardcoded copy of that, instead of populating the table when it is first 
used. It is not the prettiest solution, but it ensures that results can be 
reproduced regardless of the architecture.

I realize that my last comment was rather vague, but I hope that this makes it 
clear what the issue was.

See https://en.wikipedia.org/wiki/FASTQ_format for a detailed description of 
the format.

-- 
https://github.com/MikkelSchubert/adapterremoval/issues/35#issuecomment-471948966
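
The comparison described in the message above, as an added shell example that is not part of the original post or of AdapterRemoval: it validates two four-line FASTQ records and reports every position where the Phred scores (ASCII value - 33) differ. The function names and the `REC_A`/`REC_B` variables are hypothetical; the two records are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: compare the quality lines of two FASTQ records.

# The two reads quoted in the message (differing only in the 7th quality char).
REC_A="@Rec1
GCATGATATATACAAC
+
012345'FBcEFGHIJ"
REC_B="@Rec1
GCATGATATATACAAC
+
012345(FBcEFGHIJ"

# fastq_field RECORD N -> Nth line of a four-line FASTQ record
fastq_field() {
    printf '%s\n' "$1" | sed -n "${2}p"
}

# phred_diff QUAL_A QUAL_B
# Prints "<1-based position> <phred A> <phred B>" for each differing position.
# Returns 2 if the quality strings differ in length.
phred_diff() {
    pd_a=$1
    pd_b=$2
    [ "${#pd_a}" -eq "${#pd_b}" ] || return 2
    pd_pos=0
    while [ -n "$pd_a" ]; do
        pd_pos=$((pd_pos + 1))
        pd_ca=${pd_a%"${pd_a#?}"}; pd_a=${pd_a#?}    # peel off the first character
        pd_cb=${pd_b%"${pd_b#?}"}; pd_b=${pd_b#?}
        if [ "$pd_ca" != "$pd_cb" ]; then
            # printf '%d' "'X" yields the character code of X
            pd_qa=$(( $(printf '%d' "'$pd_ca") - 33 ))
            pd_qb=$(( $(printf '%d' "'$pd_cb") - 33 ))
            printf '%s %s %s\n' "$pd_pos" "$pd_qa" "$pd_qb"
        fi
    done
}

# fastq_compare RECORD_A RECORD_B
# Checks the record layout (@name, bases, +, qualities of equal length),
# then reports the differing quality scores. Returns 2 on a malformed record.
fastq_compare() {
    for fc_rec in "$1" "$2"; do
        case $(fastq_field "$fc_rec" 1) in @*) ;; *) return 2 ;; esac
        case $(fastq_field "$fc_rec" 3) in +*) ;; *) return 2 ;; esac
        fc_seq=$(fastq_field "$fc_rec" 2)
        fc_qual=$(fastq_field "$fc_rec" 4)
        [ "${#fc_seq}" -eq "${#fc_qual}" ] || return 2
    done
    phred_diff "$(fastq_field "$1" 4)" "$(fastq_field "$2" 4)"
}
```
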

Bug#911768: pinentry-gnome3 fails to open a window with 'No Gcr System Prompter available, falling back to curses'

2019-03-12 Thread Daniel Kahn Gillmor
Control: severity 911768 normal

Hi Simon --

Thanks for this detailed triage!

On Sun 2019-03-10 14:35:04 +, Simon McVittie wrote:
> I think this should be considered to be a pinentry-gnome3 bug rather than
> nfs-kernel-server. I think the plausible routes forward are to either
> escalate dbus-user-session from Recommends to Depends, downgrade this bug
> to non-RC (because not working completely reliably without Recommends is
> not entirely unexpected), or consider it to be "not a bug" and close it
> (same reason).

escalating dbus-user-session to a Depends: for pinentry-gnome3 seems
like a mistake to me (pinentry-gnome3 *should* work even on systems
where dbus-user-session isn't installed, particularly on systems where
there is no systemd session-manager), so i'm downgrading the severity at
least here.  What do others think?

For the moment, i'm reducing severity to "normal" since it seems to only
affect certain selections of packages in combination with certain system
configurations.

This is the worst kind of sticky issue for debian generally, because
there is no clear way to apportion responsibility, and the intersection
between the packages can fall through the cracks :( If someone can
propose a concrete path forward that will resolve the problem for those
folks who have it, i'd be happy to try to incorporate it.

> It's a pity we can't make pinentry-gnome3 depend on something like
> "dbus-user-session | not(libpam-systemd)".

that would be nice, but it's still not the most robust, because of
course you can have libpam-systemd installed and not have it listed in
/etc/pam.d/common-session :/

> As a dbus upstream and Debian maintainer, I'd recommend installing
> dbus-user-session, particularly if you have bits of infrastructure that
> want to run one instance per (machine,uid) pair (typically user-services
> started by `systemd --user`) and communicate via D-Bus.

Note that gpg-agent itself, whether invoked as a systemd user-service or
manually/automagically (as upstream prefers), is precisely one of these
per (machine,uid) pair services.

The main difference is that when gpg-agent is invoked as a systemd
user-service, its lifetime terminates at the same time as the user
session (because the systemd --user manager terminates it upon session
close).  When gpg-agent is invoked manually/automagically, it has no
clear termination strategy, which means it may linger (sometimes with
unlocked key material) well after session termination, if no other
reaping mechanism is explicitly invoked.

> dbus-user-session is entirely "glue" and doesn't contain significant
> amounts of code. Depending how other packages' dependencies are set up
> and how much progress has been made on fixing my 2016 mass-bug-filing
> about dbus-launch (dbus-x11), installing dbus-user-session might let
> you remove dbus-x11, which is larger than dbus-user-session. Is that
> any help? :-)

should we discourage these two packages (dbus-user-session and dbus-x11)
from being co-installed somehow?

> For what it's worth, I couldn't reproduce this bug by installing a fairly
> minimal GUI system (xdm, xorg and openbox) plus pinentry-gnome3 and
> gpg-agent in a test VM, purging dbus-user-session, and adding and
> removing nfs-kernel-server.

Can someone provide a minimal reproducer, starting from an empty VM?

--dkg




Processed: Re: Bug#911768: pinentry-gnome3 fails to open a window with 'No Gcr System Prompter available, falling back to curses'

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> severity 911768 normal
Bug #911768 [pinentry-gnome3] nfs-kernel-server causes dbus communications to 
fail for gpg-agent and pinentry-gnome3
Severity set to 'normal' from 'serious'

-- 
911768: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911768
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#924397: corekeeper: insecure use of world-writable /var/crash

2019-03-12 Thread Jakub Wilk

Package: corekeeper
Version: 1.6
Severity: critical
Tags: security

(I reported this privately in 2016...)

/usr/lib/corekeeper/dump does this:

  mkdir -p "/var/crash/$owner"

This is pretty bad. /var/crash is world-writable, so anybody could have 
created a subdirectory there. "mkdir -p" will succeed if 
/var/crash/$owner/ exists, even when it's owned by another user.


An attacker could exploit this to read other users' core files. 
Additionally, on systems that have protected_symlinks or 
protected_symlinks disabled, this could be exploited to take ownership 
of arbitrary files, or to overwrite arbitrary files.


I don't understand why /var/crash is world-writable; but if it has to be 
for some reason, then the crash handler must verify that 
/var/crash/$owner is in fact a directory owned by the right user. 
Verifying that the directory has the right permissions (700) is probably 
also a good idea.


--
Jakub Wilk
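
The check the report asks for (a real directory, owned by the right user, mode 700), as an added shell example that is not corekeeper's code: a plain `mkdir` replaces `mkdir -p` so that a pre-existing entry is never silently accepted, and anything already present is validated before use. The function name `ensure_owner_dir` is hypothetical; the example assumes the handler knows the crashing process's numeric uid and that the parent directory has the sticky bit set, so other users cannot swap the entry after the check.

```shell
#!/bin/sh
# Added example: create or validate a per-user directory under a
# world-writable parent without trusting an entry that already exists.

# ensure_owner_dir BASE UID
# Prints BASE/UID and returns 0 only if that path is a real directory
# (not a symlink), owned by UID, with mode exactly 700.
# Returns 2 for a non-numeric UID, 1 for any failed check.
ensure_owner_dir() {
    eod_base=$1
    eod_uid=$2

    # Accept digits only, so the name cannot contain "/" or "..".
    case $eod_uid in
        ''|*[!0-9]*) return 2 ;;
    esac
    eod_dir=$eod_base/$eod_uid

    # Plain mkdir (no -p) fails if the name exists in any form: directory,
    # file or symlink. Only a directory we just created is chown'ed.
    if mkdir -m 700 "$eod_dir" 2>/dev/null; then
        chown "$eod_uid" "$eod_dir" 2>/dev/null || {
            rmdir "$eod_dir"
            return 1
        }
    fi

    # Validate whatever is there now. find does not follow symlinks by
    # default, so a symlink is type "l" and fails "-type d"; -prune keeps
    # find from descending into the directory.
    eod_found=$(find "$eod_dir" -prune -type d -user "$eod_uid" \
        -perm 700 -print 2>/dev/null) || return 1
    [ "$eod_found" = "$eod_dir" ] || return 1

    printf '%s\n' "$eod_dir"
}
```

A caller would write the dump only when the function succeeds, for example `dir=$(ensure_owner_dir /var/crash "$uid") || exit 1`.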



Bug#924115: golang-gopkg-data-dog-go-sqlmock.v1-dev: directory vs. symlink conflict: /usr/share/gocode/src/gopkg.in/DATA-DOG/go-sqlmock.v1

2019-03-12 Thread rajudev


Shengjing Zhu writes:

> Hi Raju,

Ni Hao :)
>
> This package seems problematic in other  perspective,
Indeed it is confusing.
>
> golang-github-data-dog-go-sqlmock-dev is already in archive, and can
> be imported as gopkg.in/DATA-DOG/go-sqlmock.v1 or
> github.com/DATA-DOG/go-sqlmock.
>
> So this package is duplicated.

I think no.

>
> gopkg.in/DATA-DOG/go-sqlmock.v1 is not in
> src:golang-github-data-dog-go-sqlmock's Go-Import-Path field, this
> should be fixed in golang-github-data-dog-go-sqlmock. I think that's
> why you were not aware, and upload a new one.
I did look at the other package and I was aware.

then I looked at https://gopkg.in/DATA-DOG/go-sqlmock.v1

The upstream maintains three different versions of the same package.
And authors of other golang packages use different versions in their code.

The efforts behind this package were made as it is a dependency for
micro text editor, which is now in upload queue.

https://ftp-master.debian.org/new/micro_1.4.1-1.html


>
> I think file a RM request for ftp-master is the solution here.

If we file an RM request for this one, it will break micro.

I am open to any suggestions, or comments on the situation.

-
rajudev



Bug#918427: nmu uploaded to delayed/3

2019-03-12 Thread Matthias Klose
Control: tags -1 + patch

nmu uploaded to delayed/3.

diff -Nru prospector-0.12.7/debian/changelog prospector-0.12.7/debian/changelog
--- prospector-0.12.7/debian/changelog	2017-12-03 17:44:21.0 +0100
+++ prospector-0.12.7/debian/changelog	2019-03-12 16:31:35.0 +0100
@@ -1,3 +1,10 @@
+prospector (0.12.7-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Run dh_python3 with --shebang=/usr/bin/python3. Closes: #918427.
+
+ -- Matthias Klose   Tue, 12 Mar 2019 16:31:35 +0100
+
 prospector (0.12.7-2) unstable; urgency=medium
 
   * Team upload.
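
Review bot: the new entry `Run dh_python3 with --shebang=/usr/bin/python3` says what is run but not what it fixes. Adding the effect in a few words would let a reader understand the upload from the changelog without opening #918427.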
diff -Nru prospector-0.12.7/debian/rules prospector-0.12.7/debian/rules
--- prospector-0.12.7/debian/rules	2017-12-03 17:43:14.0 +0100
+++ prospector-0.12.7/debian/rules	2019-03-12 16:31:35.0 +0100
@@ -12,6 +12,9 @@
 
 override_dh_auto_build:
 
+override_dh_python3:
+	dh_python3 --shebang=/usr/bin/python3
+
 override_dh_auto_test:
 	PYBUILD_SYSTEM=custom PYBUILD_TEST_ARGS="{interpreter} -m nose -v tests/" dh_auto_test
 


Processed: nmu uploaded to delayed/3

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + patch
Bug #918427 [prospector] prospector: please depend on python 3.7 instead of 3.6
Added tag(s) patch.

-- 
918427: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918427
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#916820: nmu uploaded to delayed/3

2019-03-12 Thread Matthias Klose
Control: tags -1 + patch

nmu uploaded to delayed/3

diff -Nru kytos-utils-2017.2b1/debian/changelog kytos-utils-2017.2b1/debian/changelog
--- kytos-utils-2017.2b1/debian/changelog	2017-11-13 17:55:41.0 +0100
+++ kytos-utils-2017.2b1/debian/changelog	2019-03-12 16:41:48.0 +0100
@@ -1,3 +1,10 @@
+kytos-utils (2017.2b1-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Remove build dependency on python3.6. Closes: Ã#916820.
+
+ -- Matthias Klose   Tue, 12 Mar 2019 16:41:48 +0100
+
 kytos-utils (2017.2b1-2) unstable; urgency=medium
 
   * New upload because the bug 877193 was solved.
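
Review bot: the `Closes:` reference in the new entry shows a stray character before `#916820`. Check that the uploaded changelog has a plain space there, so that the bug number is recognised and the bug is closed by the upload.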
diff -Nru kytos-utils-2017.2b1/debian/control kytos-utils-2017.2b1/debian/control
--- kytos-utils-2017.2b1/debian/control	2017-11-13 17:55:41.0 +0100
+++ kytos-utils-2017.2b1/debian/control	2019-03-12 16:41:48.0 +0100
@@ -4,7 +4,6 @@
 Maintainer: Paulo Henrique de Lima Santana (phls) 
 Build-Depends: debhelper (>= 10),
dh-python,
-   python3.6,
python3-all,
python3-docopt,
python3-jinja2 (>=2.9.6),


Processed: nmu uploaded to delayed/3

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + patch
Bug #916820 [src:kytos-utils] kytos-utils: please drop the build-dep on 
python3.6
Ignoring request to alter tags of bug #916820 to the same tags previously set

-- 
916820: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916820
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#924322: nmu uploaded to delayed/3

2019-03-12 Thread Matthias Klose
Control: tags -1 + patch

nmu uploaded to delayed/3

diff -Nru vitrage-3.2.0/debian/changelog vitrage-3.2.0/debian/changelog
--- vitrage-3.2.0/debian/changelog	2018-09-03 16:27:13.0 +0200
+++ vitrage-3.2.0/debian/changelog	2019-03-12 16:49:33.0 +0100
@@ -1,3 +1,10 @@
+vitrage (3.2.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Run dh_python3 with --shebang=/usr/bin/python3. Closes: #924322.
+
+ -- Matthias Klose   Tue, 12 Mar 2019 16:49:33 +0100
+
 vitrage (3.2.0-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru vitrage-3.2.0/debian/rules vitrage-3.2.0/debian/rules
--- vitrage-3.2.0/debian/rules	2018-09-03 16:27:13.0 +0200
+++ vitrage-3.2.0/debian/rules	2019-03-12 16:49:33.0 +0100
@@ -40,6 +40,9 @@
 override_dh_auto_install:
 	echo "Do nothing..."
 
+override_dh_python3:
+	dh_python3 --shebang=/usr/bin/python3
+
 override_dh_install:
 	for i in $(PYTHON3S) ; do \
 		python$$i setup.py install --install-layout=deb --root $(CURDIR)/debian/tmp ; \
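
Review bot: the new `override_dh_python3` target has no comment explaining why the shebang is forced to `/usr/bin/python3`. A short comment with the bug number from the changelog entry (#924322) above the target would keep a later maintainer from dropping the override as unneeded.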


Processed: nmu uploaded to delayed/3

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + patch
Bug #924322 [python3-vitrage] python3-vitrage: please drop dependency on py3.6
Added tag(s) patch.

-- 
924322: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924322
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#924115: golang-gopkg-data-dog-go-sqlmock.v1-dev: directory vs. symlink conflict: /usr/share/gocode/src/gopkg.in/DATA-DOG/go-sqlmock.v1

2019-03-12 Thread Shengjing Zhu
On Tue, Mar 12, 2019 at 11:25 PM rajudev  wrote:
>
>
> Shengjing Zhu writes:
>
> > Hi Raju,
>
> Ni Hao :)
> >
> > This package seems problematic in other  perspective,
> Indeed it is confusing.
> >
> > golang-github-data-dog-go-sqlmock-dev is already in archive, and can
> > be imported as gopkg.in/DATA-DOG/go-sqlmock.v1 or
> > github.com/DATA-DOG/go-sqlmock.
> >
> > So this package is duplicated.
>
> I think no.
>
> >
> > gopkg.in/DATA-DOG/go-sqlmock.v1 is not in
> > src:golang-github-data-dog-go-sqlmock's Go-Import-Path field, this
> > should be fixed in golang-github-data-dog-go-sqlmock. I think that's
> > why you were not aware, and upload a new one.
> I did look at the other package and I was aware.
>
> then I looked at https://gopkg.in/DATA-DOG/go-sqlmock.v1
>
> The upstream maintains three different versions of the same package.
> And authors of other golang packages use different versions in their code.

the current version
+ golang-gopkg-data-dog-go-sqlmock.v1-dev is 1.3.0-1
+ golang-github-data-dog-go-sqlmock-dev is 1.3.0-1

They are the same version, and same code. So it's duplicated.

And as I said before, golang-github-data-dog-go-sqlmock-dev can be
used for package which imports gopkg.in/DATA-DOG/go-sqlmock.v1.
Please just think why it installs a symlink named
/usr/share/gocode/src/gopkg.in/DATA-DOG/go-sqlmock.v1.
And take prometheus-mysqld-exporter package as example, it imports
gopkg.in/DATA-DOG/go-sqlmock.v1 and build fine with
golang-github-data-dog-go-sqlmock-dev.

>
> The efforts behind this package were made as it is a dependency for
> micro text editor, which is now in upload queue.
>
> https://ftp-master.debian.org/new/micro_1.4.1-1.html
>

I don't see golang-gopkg-data-dog-go-sqlmock.v1-dev is in micro's Build-Depends.


>
> >
> > I think file a RM request for ftp-master is the solution here.
>
> If we file an RM request for this one, it will break micro.
>
> I am open to any suggestions, or comments on the situation.
>
> -
> rajudev



--
Shengjing Zhu



Bug#888533: marked as done (openjpeg2: CVE-2018-5785: integer overflow in opj_j2k_setup_encoder function in openjp2/j2k.c)

2019-03-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Mar 2019 16:17:09 +
with message-id 
and subject line Bug#888533: fixed in openjpeg2 2.1.2-1.1+deb9u3
has caused the Debian Bug report #888533,
regarding openjpeg2: CVE-2018-5785: integer overflow in opj_j2k_setup_encoder 
function in openjp2/j2k.c
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
888533: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888533
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openjpeg2
Version: 2.3.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/uclouvain/openjpeg/issues/1057

Hi,

the following vulnerability was published for openjpeg2.

CVE-2018-5785[0]:
| In OpenJPEG 2.3.0, there is an integer overflow caused by an
| out-of-bounds left shift in the opj_j2k_setup_encoder function
| (openjp2/j2k.c). Remote attackers could leverage this vulnerability to
| cause a denial of service via a crafted bmp file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5785
[1] https://github.com/uclouvain/openjpeg/issues/1057
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1537758#c2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openjpeg2
Source-Version: 2.1.2-1.1+deb9u3

We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello  (supplier of updated openjpeg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Mar 2019 16:41:30 -0500
Source: openjpeg2
Binary: libopenjp2-7-dev libopenjp2-7 libopenjpip7 libopenjp3d7 
libopenjp2-7-dbg libopenjpip-dec-server libopenjpip-viewer libopenjpip-server 
libopenjp3d-tools libopenjp2-tools
Architecture: source amd64 all
Version: 2.1.2-1.1+deb9u3
Distribution: stretch-security
Urgency: medium
Maintainer: Debian PhotoTools Maintainers 

Changed-By: Luciano Bello 
Description:
 libopenjp2-7 - JPEG 2000 image compression/decompression library
 libopenjp2-7-dbg - debug symbols for libopenjp2-7, a JPEG 2000 image library
 libopenjp2-7-dev - development files for OpenJPEG, a JPEG 2000 image library
 libopenjp2-tools - command-line tools using the JPEG 2000 library
 libopenjp3d-tools - command-line tools using the JPEG 2000 - 3D library
 libopenjp3d7 - JP3D (JPEG 2000 / Part 10) image compression/decompression 
librar
 libopenjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP 
protocol
 libopenjpip-server - JPIP server for JPEG 2000 files
 libopenjpip-viewer - JPEG 2000 java based viewer for advanced remote JPIP 
access
 libopenjpip7 - JPEG 2000 Interactive Protocol
Closes: 884738 888533 889683 904873 910763
Changes:
 openjpeg2 (2.1.2-1.1+deb9u3) stretch-security; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2018-14423: Division-by-zero vulnerabilities in the functions
 pi_next_pcrl, pi_next_cprl, and pi_next_rpcl (closes: #904873).
   * CVE-2018-6616: Excessive Iteration in opj_t1_encode_cblks
 (closes: #889683).
   * CVE-2017-17480: Write stack buffer overflow due to missing buffer
 length formatter in fscanf call (closes: #884738).
   * CVE-2018-18088: Null pointer dereference caused by null image
 components in imagetopnm (closes: #910763).
   * CVE-2018-5785: Integer overflow in convertbmp.c (closes: #888533).
Checksums-Sha1:

Bug#910763: marked as done (openjpeg2: CVE-2018-18088)

2019-03-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Mar 2019 16:17:09 +
with message-id 
and subject line Bug#910763: fixed in openjpeg2 2.1.2-1.1+deb9u3
has caused the Debian Bug report #910763,
regarding openjpeg2: CVE-2018-18088
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
910763: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910763
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openjpeg2
Version: 2.3.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/uclouvain/openjpeg/issues/1152

Hi,

The following vulnerability was published for openjpeg2.

CVE-2018-18088[0]:
| OpenJPEG 2.3.0 has a NULL pointer dereference for "red" in the
| imagetopnm function of jp2/convert.c

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-18088
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18088
[1] https://github.com/uclouvain/openjpeg/issues/1152

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openjpeg2
Source-Version: 2.1.2-1.1+deb9u3

We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 910...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello  (supplier of updated openjpeg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Mar 2019 16:41:30 -0500
Source: openjpeg2
Binary: libopenjp2-7-dev libopenjp2-7 libopenjpip7 libopenjp3d7 
libopenjp2-7-dbg libopenjpip-dec-server libopenjpip-viewer libopenjpip-server 
libopenjp3d-tools libopenjp2-tools
Architecture: source amd64 all
Version: 2.1.2-1.1+deb9u3
Distribution: stretch-security
Urgency: medium
Maintainer: Debian PhotoTools Maintainers 

Changed-By: Luciano Bello 
Description:
 libopenjp2-7 - JPEG 2000 image compression/decompression library
 libopenjp2-7-dbg - debug symbols for libopenjp2-7, a JPEG 2000 image library
 libopenjp2-7-dev - development files for OpenJPEG, a JPEG 2000 image library
 libopenjp2-tools - command-line tools using the JPEG 2000 library
 libopenjp3d-tools - command-line tools using the JPEG 2000 - 3D library
 libopenjp3d7 - JP3D (JPEG 2000 / Part 10) image compression/decompression 
librar
 libopenjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP 
protocol
 libopenjpip-server - JPIP server for JPEG 2000 files
 libopenjpip-viewer - JPEG 2000 java based viewer for advanced remote JPIP 
access
 libopenjpip7 - JPEG 2000 Interactive Protocol
Closes: 884738 888533 889683 904873 910763
Changes:
 openjpeg2 (2.1.2-1.1+deb9u3) stretch-security; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2018-14423: Division-by-zero vulnerabilities in the functions
 pi_next_pcrl, pi_next_cprl, and pi_next_rpcl (closes: #904873).
   * CVE-2018-6616: Excessive Iteration in opj_t1_encode_cblks
 (closes: #889683).
   * CVE-2017-17480: Write stack buffer overflow due to missing buffer
 length formatter in fscanf call (closes: #884738).
   * CVE-2018-18088: Null pointer dereference caused by null image
 components in imagetopnm (closes: #910763).
   * CVE-2018-5785: Integer overflow in convertbmp.c (closes: #888533).

Bug#889683: marked as done (openjpeg2: CVE-2018-6616: Excessive Iteration in opj_t1_encode_cblks)

2019-03-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Mar 2019 16:17:09 +
with message-id 
and subject line Bug#889683: fixed in openjpeg2 2.1.2-1.1+deb9u3
has caused the Debian Bug report #889683,
regarding openjpeg2: CVE-2018-6616: Excessive Iteration in opj_t1_encode_cblks
to be marked as done.


-- 
889683: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889683
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openjpeg2
Version: 2.3.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/uclouvain/openjpeg/issues/1059

Hi,

the following vulnerability was published for openjpeg2.

CVE-2018-6616[0]:
| In OpenJPEG 2.3.0, there is excessive iteration in the
| opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could
| leverage this vulnerability to cause a denial of service via a crafted
| bmp file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6616
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6616
[1] https://github.com/uclouvain/openjpeg/issues/1059

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openjpeg2
Source-Version: 2.1.2-1.1+deb9u3

We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello  (supplier of updated openjpeg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Mar 2019 16:41:30 -0500
Source: openjpeg2
Binary: libopenjp2-7-dev libopenjp2-7 libopenjpip7 libopenjp3d7 
libopenjp2-7-dbg libopenjpip-dec-server libopenjpip-viewer libopenjpip-server 
libopenjp3d-tools libopenjp2-tools
Architecture: source amd64 all
Version: 2.1.2-1.1+deb9u3
Distribution: stretch-security
Urgency: medium
Maintainer: Debian PhotoTools Maintainers 

Changed-By: Luciano Bello 
Description:
 libopenjp2-7 - JPEG 2000 image compression/decompression library
 libopenjp2-7-dbg - debug symbols for libopenjp2-7, a JPEG 2000 image library
 libopenjp2-7-dev - development files for OpenJPEG, a JPEG 2000 image library
 libopenjp2-tools - command-line tools using the JPEG 2000 library
 libopenjp3d-tools - command-line tools using the JPEG 2000 - 3D library
 libopenjp3d7 - JP3D (JPEG 2000 / Part 10) image compression/decompression 
librar
 libopenjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP 
protocol
 libopenjpip-server - JPIP server for JPEG 2000 files
 libopenjpip-viewer - JPEG 2000 java based viewer for advanced remote JPIP 
access
 libopenjpip7 - JPEG 2000 Interactive Protocol
Closes: 884738 888533 889683 904873 910763
Changes:
 openjpeg2 (2.1.2-1.1+deb9u3) stretch-security; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2018-14423: Division-by-zero vulnerabilities in the functions
 pi_next_pcrl, pi_next_cprl, and pi_next_rpcl (closes: #904873).
   * CVE-2018-6616: Excessive Iteration in opj_t1_encode_cblks
 (closes: #889683).
   * CVE-2017-17480: Write stack buffer overflow due to missing buffer
 length formatter in fscanf call (closes: #884738).
   * CVE-2018-18088: Null pointer dereference caused by null image
 components in imagetopnm (closes: #910763).
   * CVE-2018-5785: Integer overflow in convertbmp.c (closes: #888533).

Bug#924227: marked as done (fai-server: fails to remove: invoke-rc.d: unknown initscript, /etc/init.d/nfs-kernel-server not found.)

2019-03-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Mar 2019 16:19:30 +
with message-id 
and subject line Bug#924227: fixed in fai 5.8.3
has caused the Debian Bug report #924227,
regarding fai-server: fails to remove: invoke-rc.d: unknown initscript, 
/etc/init.d/nfs-kernel-server not found.
to be marked as done.


-- 
924227: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924227
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: fai-server
Version: 5.8.2~bpo9+2
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package fails to remove.

From the attached log (scroll to the bottom...):

  Removing fai-server (5.8.2~bpo9+2) ...
  Can't open /etc/exports: No such file or directory.
  invoke-rc.d: unknown initscript, /etc/init.d/nfs-kernel-server not found.
  dpkg: error processing package fai-server (--remove):
   subprocess installed pre-removal script returned error exit status 100


cheers,

Andreas


fai-server_5.8.2~bpo9+2.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Source: fai
Source-Version: 5.8.3

We believe that the bug you reported is fixed in the latest version of
fai, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Lange  (supplier of updated fai package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 12 Mar 2019 17:03:56 +0100
Source: fai
Binary: fai-client fai-doc fai-server fai-quickstart fai-nfsroot 
fai-setup-storage
Architecture: source all
Version: 5.8.3
Distribution: unstable
Urgency: medium
Maintainer: Thomas Lange 
Changed-By: Thomas Lange 
Description:
 fai-client - Fully Automatic Installation client package
 fai-doc - Documentation for FAI
 fai-nfsroot - Fully Automatic Installation nfsroot package
 fai-quickstart - Fully Automatic Installation quickstart package
 fai-server - Fully Automatic Installation server package
 fai-setup-storage - automatically prepare storage devices
Closes: 924227
Changes:
 fai (5.8.3) unstable; urgency=medium
 .
* fai-server.prerm: add test, Closes: #924227
* NFSROOT: add gpg for buster and beyond

Bug#884738: marked as done (openjpeg2: CVE-2017-17480: stack-based buffer overflow in pgxtovolume function in jp3d/convert.c)

2019-03-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Mar 2019 16:17:09 +
with message-id 
and subject line Bug#884738: fixed in openjpeg2 2.1.2-1.1+deb9u3
has caused the Debian Bug report #884738,
regarding openjpeg2: CVE-2017-17480: stack-based buffer overflow in pgxtovolume 
function in jp3d/convert.c
to be marked as done.


-- 
884738: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884738
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openjpeg2
Version: 2.1.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/uclouvain/openjpeg/issues/1044

Hi,

the following vulnerability was published for openjpeg2.

CVE-2017-17480[0]:
| In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the
| pgxtovolume function in jp3d/convert.c. The vulnerability causes an
| out-of-bounds write, which may lead to remote denial of service or
| possibly remote code execution.

Note there is as well the CVE-2017-17479 assignment, for the
jpwl/convert.c part. But AFAICS the Debian packaging has overall
BUILD_JPWL:BOOL=OFF, so that one can be considered unimportant since
only present as in the source, but not in the resulting binary
packages. Though if upstream fixes the both issues, then fixes could
be applied.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17480
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17480
[1] https://github.com/uclouvain/openjpeg/issues/1044

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openjpeg2
Source-Version: 2.1.2-1.1+deb9u3

We believe that the bug you reported is fixed in the latest version of
openjpeg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 884...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello  (supplier of updated openjpeg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Mar 2019 16:41:30 -0500
Source: openjpeg2
Binary: libopenjp2-7-dev libopenjp2-7 libopenjpip7 libopenjp3d7 
libopenjp2-7-dbg libopenjpip-dec-server libopenjpip-viewer libopenjpip-server 
libopenjp3d-tools libopenjp2-tools
Architecture: source amd64 all
Version: 2.1.2-1.1+deb9u3
Distribution: stretch-security
Urgency: medium
Maintainer: Debian PhotoTools Maintainers 

Changed-By: Luciano Bello 
Description:
 libopenjp2-7 - JPEG 2000 image compression/decompression library
 libopenjp2-7-dbg - debug symbols for libopenjp2-7, a JPEG 2000 image library
 libopenjp2-7-dev - development files for OpenJPEG, a JPEG 2000 image library
 libopenjp2-tools - command-line tools using the JPEG 2000 library
 libopenjp3d-tools - command-line tools using the JPEG 2000 - 3D library
 libopenjp3d7 - JP3D (JPEG 2000 / Part 10) image compression/decompression 
librar
 libopenjpip-dec-server - tool to allow caching of JPEG 2000 files using JPIP 
protocol
 libopenjpip-server - JPIP server for JPEG 2000 files
 libopenjpip-viewer - JPEG 2000 java based viewer for advanced remote JPIP 
access
 libopenjpip7 - JPEG 2000 Interactive Protocol
Closes: 884738 888533 889683 904873 910763
Changes:
 openjpeg2 (2.1.2-1.1+deb9u3) stretch-security; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2018-14423: Division-by-zero vulnerabilities in the functions
 pi_next_pcrl, pi_next_cprl, and pi_next_rpcl (closes: #904873).
   * CVE-2018-6616: Excessive Iteration in opj_t1_encode_cblks
 (closes: #889683).
   * CVE-2017-17480: Write stack buffer overflow due to missing buffer
 length formatter in fscanf call (closes: #884738).
   * CVE-2018-18088: Null pointer dereference caused by null image
 components in imagetopnm (closes: #910763).
   * CVE-2018-5785: Integer overflow in convertbmp.c (closes: #888533).
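The CVE-2017-17480 changelog entry in the thread above attributes the stack overflow to an fscanf conversion with no buffer length. As an added illustration (not code from OpenJPEG or from anyone in this thread), the C below puts an unbounded scanset beside its width-bounded form on a constructed PGX-style header; the function names, the 32-byte scratch buffers, the range limits and the sample headers are all assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed PGX-style text header, e.g. "PG ML +8 640 480":
 * magic, blanks, two endian letters, blanks/sign, precision, width, height.
 * The layout and every name here are assumptions made for this example. */
struct pgx_header {
    char endian[3];   /* "ML" or "LM" */
    int  is_signed;
    int  prec, w, h;
};

#define SCRATCH 32    /* assumed size of the stack scratch buffers */

/* BEFORE (for comparison only, never called here): the %[ scansets carry no
 * field width, so a long run of blanks in the input is copied past the end
 * of the 32-byte stack buffers. */
int parse_header_unbounded(FILE *f, struct pgx_header *out)
{
    char ws[SCRATCH], sign[SCRATCH];
    int n = fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d",
                   ws, &out->endian[0], &out->endian[1], sign,
                   &out->prec, ws, &out->w, ws, &out->h);
    out->endian[2] = '\0';
    out->is_signed = (n == 9) && strchr(sign, '-') != NULL;
    return n == 9 ? 0 : -1;
}

/* AFTER: every scanset is limited to SCRATCH - 1 characters, leaving room
 * for the terminating NUL, and the parsed values are range-checked. */
int parse_header_bounded(FILE *f, struct pgx_header *out)
{
    char ws[SCRATCH], sign[SCRATCH];
    int n;

    memset(out, 0, sizeof *out);
    n = fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d",
               ws, &out->endian[0], &out->endian[1], sign,
               &out->prec, ws, &out->w, ws, &out->h);
    if (n != 9)
        return -1;                    /* malformed or over-long field */
    if (strcmp(out->endian, "ML") != 0 && strcmp(out->endian, "LM") != 0)
        return -1;
    if (out->prec < 1 || out->prec > 32 || out->w <= 0 || out->h <= 0)
        return -1;                    /* assumed sanity limits */
    out->is_signed = strchr(sign, '-') != NULL;
    return 0;
}

/* Feeds an in-memory sample to the bounded parser through a temporary file. */
int parse_header_string(const char *text, struct pgx_header *out)
{
    FILE *f = tmpfile();
    int rc;

    if (f == NULL)
        return -2;
    fputs(text, f);
    rewind(f);
    rc = parse_header_bounded(f, out);
    fclose(f);
    return rc;
}

/* Constructed malformed sample: 100 blanks where a short run is expected.
 * Returns 1 when the bounded parser rejects it. */
int oversized_blank_run_rejected(void)
{
    char text[160] = "PG";
    struct pgx_header h;

    memset(text + 2, ' ', 100);
    strcpy(text + 102, "ML +8 640 480");
    return parse_header_string(text, &h) == -1;
}

int main(void)
{
    struct pgx_header h;
    int rc = parse_header_string("PG ML +8 640 480", &h);

    printf("valid header: rc=%d endian=%s prec=%d size=%dx%d\n",
           rc, h.endian, h.prec, h.w, h.h);
    printf("oversized blank run rejected: %d\n",
           oversized_blank_run_rejected());
    return 0;
}
```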

Bug#924391: Bug #924391 in libxmlrpc-lite-perl marked as pending

2019-03-12 Thread gregor herrmann
Control: tag -1 pending

Hello,

Bug #924391 in libxmlrpc-lite-perl reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/perl-team/modules/packages/libxmlrpc-lite-perl/commit/62dc58b3d8e07c9ab79fa96cc4d8198df534febe


debian/rules: disable DNS resolution for tests.

t/26-xmlrpc.t calls out to the internet which is not only a policy violation
but also causes occasional test failures.
By turning off DNS queries the tests are skipped.

Thanks: Santiago Vila for the bug report.
Closes: #924391


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/924391



Processed: Bug #924391 in libxmlrpc-lite-perl marked as pending

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #924391 [src:libxmlrpc-lite-perl] libxmlrpc-lite-perl: FTBFS randomly 
(failing tests)
Added tag(s) pending.

-- 
924391: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924391
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#924391: marked as done (libxmlrpc-lite-perl: FTBFS randomly (failing tests))

2019-03-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Mar 2019 16:49:02 +
with message-id 
and subject line Bug#924391: fixed in libxmlrpc-lite-perl 0.717-2
has caused the Debian Bug report #924391,
regarding libxmlrpc-lite-perl: FTBFS randomly (failing tests)
to be marked as done.


-- 
924391: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924391
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:libxmlrpc-lite-perl
Version: 0.717-1
Severity: serious
Tags: ftbfs

Dear maintainer:

I tried to build this package in buster but it failed:


[...]
 debian/rules build-indep
dh build-indep
dh: Compatibility levels before 9 are deprecated (level 8 in use)
   dh_update_autotools_config -i
   dh_auto_configure -i
dh_auto_configure: Compatibility levels before 9 are deprecated (level 8 in use)
perl -I. Makefile.PL INSTALLDIRS=vendor
Warning: NAME must be a package name
Checking if your kit is complete...
Looks good
Generating a Unix-style Makefile
Writing Makefile for XMLRPC-Lite
Writing MYMETA.yml and MYMETA.json
   dh_auto_build -i
dh_auto_build: Compatibility levels before 9 are deprecated (level 8 in use)
make -j1
make[1]: Entering directory '/<>'
cp lib/Apache/XMLRPC/Lite.pm blib/lib/Apache/XMLRPC/Lite.pm
cp lib/XMLRPC/Transport/HTTP.pm blib/lib/XMLRPC/Transport/HTTP.pm
cp lib/XMLRPC/Lite.pm blib/lib/XMLRPC/Lite.pm
cp lib/XMLRPC/Transport/POP3.pm blib/lib/XMLRPC/Transport/POP3.pm
cp lib/XMLRPC/Transport/TCP.pm blib/lib/XMLRPC/Transport/TCP.pm
cp lib/XMLRPC/Test.pm blib/lib/XMLRPC/Test.pm
Manifying 6 pod documents
make[1]: Leaving directory '/<>'
   dh_auto_test -i
dh_auto_test: Compatibility levels before 9 are deprecated (level 8 in use)
make -j1 test TEST_VERBOSE=1
make[1]: Entering directory '/<>'
PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" 
"-e" "undef *Test::Harness::Switches; test_harness(1, 'blib/lib', 'blib/arch')" 
t/*.t
t/07-xmlrpc_payload.t .. 
1..8
# Running under perl version 5.028001 for linux
# Current time local: Mon Mar 11 08:51:04 2019
# Current time GMT:   Mon Mar 11 08:51:04 2019
# Using Test.pm version 1.31
XML-RPC deserialization test(s)...
ok 1
ok 2
ok 3
ok 4
ok 5
ok 6
ok 7
ok 8
ok
# Failed test 1 in t/26-xmlrpc.t at line 36
#  t/26-xmlrpc.t line 36 is:   ok((XMLRPC::Lite
t/26-xmlrpc.t .. 
1..6
# Running under perl version 5.028001 for linux
# Current time local: Mon Mar 11 08:51:05 2019
# Current time GMT:   Mon Mar 11 08:51:05 2019
# Using Test.pm version 1.31
not ok 1
ok 2
ok 3
ok 4
ok 5
ok 6
XMLRPC autodispatch and fault check test(s)...
#TODO: fix fault handling ...
Failed 1/6 subtests 
t/37-mod_xmlrpc.t .. skipped: 500 Can't connect to localhost:80 (Connection 
refused)

Test Summary Report
---
t/26-xmlrpc.t(Wstat: 0 Tests: 6 Failed: 1)
  Failed test:  1
Files=3, Tests=14,  3 wallclock secs ( 0.05 usr  0.01 sys +  0.77 cusr  0.08 
csys =  0.91 CPU)
Result: FAIL
Failed 1/3 test programs. 1/14 subtests failed.
make[1]: *** [Makefile:840: test_dynamic] Error 255
make[1]: Leaving directory '/<>'
dh_auto_test: make -j1 test TEST_VERBOSE=1 returned exit code 2
make: *** [debian/rules:4: build-indep] Error 2
dpkg-buildpackage: error: debian/rules build-indep subprocess returned exit 
status 2


This happens randomly. Sometimes it fails, sometimes it does not, but
the failure rate (> 50%) is too high.

I've put a bunch of failed build logs here:

https://people.debian.org/~sanvila/build-logs/libxmlrpc-lite-perl/

I'm experiencing this on both Scaleway instances of type 1-XS and 1-S. If you 
need a test
machine to reproduce, please contact me privately and I will gladly provide ssh 
access.

If this is really a bug in one of the build-depends, please use reassign and 
affects,
so that this is still visible in the BTS web page for this package.

Thanks.
--- End Message ---
--- Begin Message ---
Source: libxmlrpc-lite-perl
Source-Version: 0.717-2

We believe that the bug you reported is fixed in the latest version of
libxmlrpc-lite-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.

Bug#924409: removing hiera from debian? or do not ship with buster

2019-03-12 Thread Antoine Beaupre
Package: hiera
Version: 3.2.0-2
Severity: serious

I see that Hiera in Puppet is at version 3.2.0 in buster. That's at
least two minor versions behind upstream, which is (unofficially) at
3.5:

https://github.com/puppetlabs/hiera/releases

That said, Hiera itself is deprecated as a standalone system: Hiera 5
has been part of Puppet since 4.9:

https://puppet.com/docs/hiera/3.3/index.html

The Hiera README on GitHub says the same:

https://github.com/puppetlabs/hiera/blob/master/README.md

"This project is deprecated in favor of Hiera version 5 which is
implementation in Puppet."

Since Buster will likely ship with Puppet 5.5 (or later), it doesn't
seem to make sense to ship Hiera in buster and it should be
removed. It could also be removed from unstable as well, but I wanted
to check in with maintainers here first before filing a formal removal.

Thanks for your work!

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages hiera depends on:
ii  ruby             1:2.5.1
ii  ruby-deep-merge  1.1.1-1
ii  ruby-json        2.1.0+dfsg-2+b1

hiera recommends no packages.

Versions of packages hiera suggests:
pn  mcollective-common  
pn  puppet-common   

-- debconf-show failed



Bug#923609: proposed solution

2019-03-12 Thread Niko Tyni
On Sun, Mar 10, 2019 at 07:12:43PM +, Dmitry Bogatov wrote:

> Good. Try this version of patch, please. It seems to work for me in my
> i386 chroot.

Works for me too, and light testing didn't reveal any problems.

> > It would make sense to limit this to 32-bit architectures as I believe the
> > 64-bit architectures always have LFS support no matter the build flags.
> 
> I'd leave it as-is. Yes, it may be redundant on 64 bit platforms, but it
> will go away rather soon anyway. I'd rather not complicate `debian/rules'.

Whatever, just seems strange to me to ship a -nolfs binary that's actually
LFS enabled just like the normal one.

> > Shipping these -nolfs binaries and including instructions for upgrading
> > databases in the Buster release notes would be an acceptable fix for
> > this issue IMO.

> By the way, should I file bug against release.debian.org now, or when we
> are settled on solution?

I'm fine with either, and I think we're pretty much settled now :)

Thanks for your work,
-- 
Niko



Bug#921542: marked as done (tc qdisc kernel crash)

2019-03-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Mar 2019 18:00:11 +
with message-id 
and subject line Bug#921542: fixed in linux 4.19.28-1
has caused the Debian Bug report #921542,
regarding tc qdisc kernel crash
to be marked as done.


-- 
921542: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921542
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:linux
Version: 4.19.16-1
Severity: critical

When I'm trying to use this script:

#!/bin/bash

ifaces[0]="tun0"
ifaces[1]="ens192"

ifaceIn="ifb0"
ifaceOut="ifb1"

#echo ${#iface[@]}
#exit

tc qdisc del dev $ifaceIn root

for iface in ${ifaces[@]}; do
    echo "Delete qdisc ingress on ${iface}"
    tc qdisc del dev ${iface} handle : ingress
    echo "Add qdisc ingress on ${iface}"
    tc qdisc add dev ${iface} handle : ingress
    #tc filter add dev ${iface} parent : protocol ip u32 match u32 0 0 action mirred egress redirect dev ${ifaceIn}
done

#tc qdisc add dev $ifaceIn root handle 1: prio bands 5
#tc qdisc add dev $ifaceIn parent 1:1 handle 10: sfq
#tc qdisc add dev $ifaceIn parent 1:2 handle 20: sfq
#tc qdisc add dev $ifaceIn parent 1:3 handle 30: sfq
#tc qdisc add dev $ifaceIn parent 1:4 handle 40: sfq
#tc qdisc add dev $ifaceIn parent 1:5 handle 50: sfq


### Create a root qdisc type DSmark
echo "Add qdisc root on ${ifaceIn} type DSmark"
tc qdisc add dev $ifaceIn handle 1:0 root dsmark indices 64 set_tc_index
### filter to copy the correct DS field from the IP packet to skb->tc_index
echo "Add filter on parent 1:0  ${ifaceIn} for set the tcindex"
tc filter add dev $ifaceIn parent 1:0 protocol ip prio 1 tcindex mask 0xfc shift 2

### Add a PRIO class with 5 bands on 1:0
echo "Add qdisc on parent 1:0 ${ifaceIn} as PRIO with 5 bands"
tc qdisc add dev $ifaceIn parent 1:0 handle 2:0 prio bands 5

### Add a qdisc on the leaf PRIO 2:1
#tc qdisc add dev $ifaceIn parent 2:1 tbf rate 1.5Mbit burst 1.5kB limit 1.6kB
echo "Add qdisc on leaf parent 2:1 ${ifaceIn} as SFQ"
tc qdisc add dev $ifaceIn parent 2:1 sfq
### Match the traffic with DSCP EF (ToS 0xb8 / DSCP 0x2e) mark
echo "Add filter on parent 2:0 ${ifaceIn} to match DSCP EF (ToS 0xb8 / DSCP 0x2e) mark and send the traffic to class 2:1"
tc filter add dev $ifaceIn parent 2:0 protocol ip prio 1 handle 0x2e tcindex classid 2:1 pass_on

### Add a qdisc on leaf PRIO 2:2 - IPTV services
echo "Add qdisc on leaf parent 2:2 ${ifaceIn} as SFQ"
tc qdisc add dev $ifaceIn parent 2:2 sfq
### Match the traffic with DSCP AF41 (ToS 0x88 / DSCP 0x22) mark
echo "Add filter on parent 2:0 ${ifaceIn} to match DSCP AF41 (ToS 0x88 / DSCP 0x22 mark) and send the traffic to class 2:2"
tc filter add dev $ifaceIn parent 2:0 protocol ip prio 2 handle 0x22 tcindex classid 2:2 pass_on

### Best Effort traffic move to 2:5
#BE class(2:2)
#tc qdisc add dev $ifaceIn parent 2:5 red limit 60KB min 15KB max 45KB burst 20 avpkt 1000 bandwidth 10Mbit probability 0.4
echo "Add qdisc on leaf parent 2:5 ${ifaceIn} as SFQ"
tc qdisc add dev $ifaceIn parent 2:5 sfq
echo "Add filter on parent 2:0 ${ifaceIn} to match DSCP BE (ToS 0x0 / DSCP 0x0 mark) and send the traffic to class 2:5"
tc filter add dev $ifaceIn parent 2:0 protocol ip prio 5 handle 0 tcindex mask 0 classid 2:5 pass_on

exit


And run it 2-3 times I'm getting a severe kernel crash:

Feb  6 17:15:34 Telenet-PC kernel: [  511.608275] general protection fault:
 [#1] SMP PTI
Feb  6 17:15:34 Telenet-PC kernel: [  511.608279] CPU: 2 PID: 3889 Comm: tc Not
tainted 4.19.0-2-amd64 #1 Debian 4.19.16-1
Feb  6 17:15:34 Telenet-PC kernel: [  511.608281] Hardware name: VMware, Inc.
VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
Feb  6 17:15:34 Telenet-PC kernel: [  511.608285] RIP:
0010:__kmalloc_node+0x195/0x2b0

Bug#922306: marked as done (linux: btrfs corruption (compressed data + hole data))

2019-03-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Mar 2019 18:00:11 +
with message-id 
and subject line Bug#922306: fixed in linux 4.19.28-1
has caused the Debian Bug report #922306,
regarding linux: btrfs corruption (compressed data + hole data)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
922306: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922306
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: linux
Version: 4.19.20-1
Severity: critical
Tags: upstream patch
Justification: causes serious data loss

Hi.

Apparently there was a longer existing data corruption bug in btrfs[0],
AFAIU it happened when compression was used together with holes in data
and there was *no* recognition by checksumming.

Seems some movement got into this the last days and a patch[1] may have
been found fixing the issue.


Due to potential silent data corruption it makes perhaps sense to
cherry pick that fix (maybe waiting for confirmation from upstream
whether it's the final one) instead of waiting for it being released
in some upcoming stable release?

Cheers,
Chris.


[0] https://www.mail-archive.com/linux-btrfs@vger.kernel.org/msg85407.html
[1] https://www.mail-archive.com/linux-btrfs@vger.kernel.org/msg85492.html


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: linux
Source-Version: 4.19.28-1

We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 922...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings  (supplier of updated linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 12 Mar 2019 05:06:28 +
Source: linux
Binary: linux-doc-4.19 linux-headers-4.19.0-4-common 
linux-headers-4.19.0-4-common-rt linux-source-4.19 linux-support-4.19.0-4 
lockdep
Architecture: all source
Version: 4.19.28-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Kernel Team 
Changed-By: Ben Hutchings 
Closes: 895131 913119 913138 921542 922182 922306
Description: 
 linux-doc-4.19 - Linux kernel specific documentation for version 4.19
 linux-headers-4.19.0-4-common - Common header files for Linux 4.19.0-4
 linux-headers-4.19.0-4-common-rt - Common header files for Linux 4.19.0-4-rt
 linux-source-4.19 - Linux kernel source for version 4.19 with Debian patches
 linux-support-4.19.0-4 - Support files for Linux 4.19
 lockdep- Runtime locking correctness validator
Changes:
 linux (4.19.28-1) unstable; urgency=medium
 .
   * New upstream stable update:
 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.21
 - devres: Align data[] to ARCH_KMALLOC_MINALIGN
 - drm/bufs: Fix Spectre v1 vulnerability
 - drm/vgem: Fix vgem_init to get drm device available.
 - [arm*] pinctrl: bcm2835: Use raw spinlock for RT compatibility
 - [x86] ASoC: Intel: mrfld: fix uninitialized variable access
 - gpiolib: Fix possible use after free on label
 - [armhf] drm/sun4i: Initialize registers in tcon-top driver
 - genirq/affinity: Spread IRQs to all available NUMA nodes
 - [armhf] gpu: ipu-v3: image-convert: Prevent race between run and
   unprepare
 - wil6210: fix reset flow for Talyn-mb
 - wil6210: fix memory leak in wil_find_tx_bcast_2
 - ath10k: assign 'n_cipher_suites' for WCN3990
 - ath9k: dynack: use authentication messages for 'late' ack
 - scsi: lpfc: Correct LCB RJT handling
 - scsi: mpt3sas: Call sas_remove_host before removing the target devices
 - scsi: lpfc: Fix LOGO/PLOGI handling when triggerd by ABTS Timeout event
 - [armhf] 8808/1: kexec:offline panic_smp_self_stop CPU
 - [mips] clk: boston: fix possible memory leak in clk_boston_setup()
 - dlm: Don't swamp the CPU with ca

Bug#924272: decopy: FTBFS (mv: cannot stat 'README.1': No such file or directory)

2019-03-12 Thread Vincent Blut
Package: decopy
Version: 0.2.4.1-1
Followup-For: Bug #924272

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hello,

The attached patch fixes this issue. Please apply!

Cheers,
Vincent

>From 6a7f600b19b024e48fd38f1b1a9069d55a74c7ab Mon Sep 17 00:00:00 2001
From: Vincent Blut 
Date: Tue, 12 Mar 2019 18:36:49 +0100
Subject: [PATCH] Fix FTBFS due to incorrect filename

Closes #924272
---
 debian/rules | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/rules b/debian/rules
index f5a0731..f50f790 100755
--- a/debian/rules
+++ b/debian/rules
@@ -8,8 +8,8 @@
 override_dh_auto_build:
dh_auto_build
ronn README.md
-   mv README.1 decopy.1
-   mv README.1.html decopy.1.html
+   mv README.md.1 decopy.1
+   mv README.md.1.html decopy.1.html
 
 override_dh_auto_test:
LC_ALL=C.UTF-8 dh_auto_test
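Review bot: the two changed `mv` sources in override_dh_auto_build now hardcode `README.md.1` and `README.md.1.html`, so the build fails the other way round with a ronn that still writes `README.1`, and again if the output naming ever changes. Consider not depending on ronn's output file names at all, for example `ronn --roff --pipe README.md > decopy.1` and `ronn --html --pipe README.md > decopy.1.html`, or else add a versioned Build-Depends on the ronn release that produces the `README.md.1` names.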
-- 
2.20.1



Processed: your mail

2019-03-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 924272 patch
Bug #924272 [src:decopy] decopy: FTBFS (mv: cannot stat 'README.1': No such 
file or directory)
Added tag(s) patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
924272: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924272
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: tagging 899610

2019-03-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 899610 + buster-ignore
Bug #899610 {Done: Dimitri John Ledkov } [src:mdadm] mdadm: 
Invalid maintainer address pkg-mdadm-de...@lists.alioth.debian.org
Added tag(s) buster-ignore.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
899610: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899610
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#924383: ruby-coveralls: FTBFS (dh_installman: Cannot find "debian/coveralls.1")

2019-03-12 Thread Andrey Rahmatullin
On Tue, Mar 12, 2019 at 09:43:22AM +, Santiago Vila wrote:
> TZ=UTC ronn --roff debian/coveralls.mkd
>  roff: debian/coveralls.mkd.1 
[...]
> dh_installman: Cannot find (any matches for) "debian/coveralls.1" (tried in 
> ., debian/tmp)

So a change in ronn, I guess. The package in sid wasn't built on buildds
so nothing to compare with.

-- 
WBR, wRAR




Bug#924329: xastir: FTBFS (magick/image-private.h: No such file or directory)

2019-03-12 Thread Andrey Rahmatullin
On Mon, Mar 11, 2019 at 05:09:58PM +, Santiago Vila wrote:
> In file included from /usr/include/GraphicsMagick/magick/analyze.h:18,
>  from /usr/include/GraphicsMagick/magick/api.h:55,
>  from map_geo.c:137:
> /usr/include/GraphicsMagick/magick/image.h:1108:10: fatal error: 
> magick/image-private.h: No such file or directory
>  #include "magick/image-private.h"
>   ^~~~


src/map_geo.c:

"""
#ifdef HAVE_GRAPHICSMAGICK
/*#include */
/* Define MAGICK_IMPLEMENTATION to access private interfaces
 * such as DestroyImagePixels(). This may not be a good thing,
 * but DestroyImagePixels() has been in this code for a long
 * time. Defining MAGIC_IMPLEMENTATION eliminates the warning that is
 * now (9/28/2010) being seen on some distros (Ubuntu 10.04 and
 * OpenSuSE-11.3)
 */
#define MAGICK_IMPLEMENTATION
#include 
"""

Haha NOPE.


-- 
WBR, wRAR




Bug#921904: win-iconv: FTBFS (wine: chdir to /tmp/wine-I6miLw/server-29-3583b06 : No such file or directory)

2019-03-12 Thread Daniel Kahn Gillmor
Control: tags 921904 + help

On Sat 2019-02-09 23:50:03 +, Santiago Vila wrote:
> Package: src:win-iconv
> Version: 0.0.8-2
> Severity: serious
> Tags: ftbfs
>
> Dear maintainer:
>
> I tried to build this package in buster but it failed:
>
> 
> [...]
>  debian/rules build-indep
> dh build-indep
>dh_update_autotools_config -i
>dh_auto_configure -i
>debian/rules override_dh_auto_build-indep
> make[1]: Entering directory '/<>'
> for arch in x86_64-w64-mingw32 i686-w64-mingw32; do \
>  mkdir -p build-$arch && \
>  cd build-$arch && \
>   ln -s ../*.h ../*.c ../*.def ../Makefile ./ && \
>   /usr/bin/make CC=$arch-gcc AR=$arch-ar RANLIB=$arch-ranlib 
> DLLTOOL=$arch-dlltool prefix=/usr/$arch \
>   || exit 1 ; \
>   cd .. ; \
> done
> make[2]: Entering directory '/<>/build-x86_64-w64-mingw32'
> x86_64-w64-mingw32-gcc -g -O2 -fdebug-prefix-map=/<>=. -Wformat 
> -Werror=format-security -pedantic -Wall -DUSE_LIBICONV_DLL 
> -DDEFAULT_LIBICONV_DLL=\"\" -c win_iconv.c -DMAKE_DLL
> x86_64-w64-mingw32-gcc -shared -o iconv.dll -Wl,-s 
> -Wl,--out-implib=libiconv.dll.a -Wl,--export-all-symbols win_iconv.o 
> x86_64-w64-mingw32-gcc -g -O2 -fdebug-prefix-map=/<>=. -Wformat 
> -Werror=format-security -pedantic -Wall -DUSE_LIBICONV_DLL 
> -DDEFAULT_LIBICONV_DLL=\"\" -c win_iconv.c
> x86_64-w64-mingw32-ar rcs libiconv.a win_iconv.o
> x86_64-w64-mingw32-ranlib libiconv.a
> x86_64-w64-mingw32-gcc -g -O2 -fdebug-prefix-map=/<>=. -Wformat 
> -Werror=format-security -pedantic -Wall -DUSE_LIBICONV_DLL 
> -DDEFAULT_LIBICONV_DLL=\"\" -s -o win_iconv.exe win_iconv.c -DMAKE_EXE
> make[2]: Leaving directory '/<>/build-x86_64-w64-mingw32'
> make[2]: Entering directory '/<>/build-i686-w64-mingw32'
> i686-w64-mingw32-gcc -g -O2 -fdebug-prefix-map=/<>=. -Wformat 
> -Werror=format-security -pedantic -Wall -DUSE_LIBICONV_DLL 
> -DDEFAULT_LIBICONV_DLL=\"\" -c win_iconv.c -DMAKE_DLL
> i686-w64-mingw32-gcc -shared -o iconv.dll -Wl,-s 
> -Wl,--out-implib=libiconv.dll.a -Wl,--export-all-symbols win_iconv.o 
> i686-w64-mingw32-gcc -g -O2 -fdebug-prefix-map=/<>=. -Wformat 
> -Werror=format-security -pedantic -Wall -DUSE_LIBICONV_DLL 
> -DDEFAULT_LIBICONV_DLL=\"\" -c win_iconv.c
> i686-w64-mingw32-ar rcs libiconv.a win_iconv.o
> i686-w64-mingw32-ranlib libiconv.a
> i686-w64-mingw32-gcc -g -O2 -fdebug-prefix-map=/<>=. -Wformat 
> -Werror=format-security -pedantic -Wall -DUSE_LIBICONV_DLL 
> -DDEFAULT_LIBICONV_DLL=\"\" -s -o win_iconv.exe win_iconv.c -DMAKE_EXE
> make[2]: Leaving directory '/<>/build-i686-w64-mingw32'
> make[1]: Leaving directory '/<>'
>debian/rules override_dh_auto_test
> make[1]: Entering directory '/<>'
> cd build-x86_64-w64-mingw32 && 
> WINEPREFIX=/<>/build-x86_64-w64-mingw32/.wine /usr/bin/make 
> CC=x86_64-w64-mingw32-gcc AR=x86_64-w64-mingw32-ar 
> RANLIB=x86_64-w64-mingw32-ranlib DLLTOOL=x86_64-w64-mingw32-dlltool test
> make[2]: Entering directory '/<>/build-x86_64-w64-mingw32'
> x86_64-w64-mingw32-gcc -g -O2 -fdebug-prefix-map=/<>=. -Wformat 
> -Werror=format-security -pedantic -Wall -DUSE_LIBICONV_DLL 
> -DDEFAULT_LIBICONV_DLL=\"\" -s -o win_iconv_test.exe win_iconv_test.c
> wine ./win_iconv_test.exe
> it looks like wine32 is missing, you should install it.
> multiarch needs to be enabled first.  as root, please
> execute "dpkg --add-architecture i386 && apt-get update &&
> apt-get install wine32"
> wine: created the configuration directory 
> '/<>/build-x86_64-w64-mingw32/.wine'
> wine: chdir to /tmp/wine-I6miLw/server-29-3583b06 : No such file or directory
> make[2]: *** [Makefile:51: test] Error 1
> make[2]: Leaving directory '/<>/build-x86_64-w64-mingw32'
> make[1]: *** [debian/rules:40: override_dh_auto_test] Error 2
> make[1]: Leaving directory '/<>'
> make: *** [debian/rules:19: build-indep] Error 2
> dpkg-buildpackage: error: debian/rules build-indep subprocess returned exit 
> status 2
> E: Build killed with signal TERM after 60 minutes of inactivity
> 
>
> (Additionally, the autobuilder hangs and sbuild has to kill remaining 
> processes)
>
> The build was made in my autobuilder with "dpkg-buildpackage -A"
> and it also fails here:
>
> https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/win-iconv.html
>
> where you can get a full build log if you need it.
>
> If this is really a bug in one of the build-depends, please use reassign and 
> affects,
> so that this is still visible in the BTS web page for this package.
>
> Thanks.



Interesting. I can see the same behavior above (without the hanging) on
my own cowbuilder instance.

But building it directly on a dedicated amd64 VM, I see a completed run
(output at the end).

I don't think the problem is "missing" wine32, because my run succeeds
despite not having wine32 installed.  I'm cc'ing the debian-wine mailing
list in hopes that they can point to what's happening here.


Processed: Re: Bug#921904: win-iconv: FTBFS (wine: chdir to /tmp/wine-I6miLw/server-29-3583b06 : No such file or directory)

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> tags 921904 + help
Bug #921904 [src:win-iconv] win-iconv: FTBFS (wine: chdir to 
/tmp/wine-I6miLw/server-29-3583b06 : No such file or directory)
Added tag(s) help.

-- 
921904: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921904
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#923609: marked as done (libgdbm6: binary incompatibility with old databases on at least i386)

2019-03-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Mar 2019 20:42:51 +
with message-id 
and subject line Bug#923609: fixed in gdbm 1.18.1-4
has caused the Debian Bug report #923609,
regarding libgdbm6: binary incompatibility with old databases on at least i386
to be marked as done.


-- 
923609: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923609
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libgdbm6
Version: 1.18.1-3
Severity: serious
Control: block 923238 with -1

GDBM databases created on stretch (gdbm 1.8.3-14) are not
compatible with libgdbm in sid/buster (1.18.1-3) on at least
the i386 (32-bit x86) architecture, probably also armhf.

This means that any local user databases will break on upgrade from
stretch to buster. It also breaks a few Debian packages that use GDBM
files (known affected are libmarc-charset-perl and command-not-found).

Bug #910911 discussed a similar problem that applied to all architectures.
It seems probable that the fix for that never worked on i386 but this
was just not detected earlier. The incompatibility was reported recently
in bug #923238 and was found because Ubuntu has a better architecture
coverage on their autopkgtest setup.

Below are steps to reproduce, testing with Python 2, Python 3, and Perl.
We make a trivial GDBM database with each, containing just one key "foo"
with the value "bar". After upgrading to buster on i386, none of these
databases can be read and "Malformed database file header" is reported.
On amd64, everything works fine after the upgrade.

# start from stretch
# apt install python-gdbm python3-gdbm perl

python - <<'EOF'
import gdbm   
gdbm.open("py2-stretch.gdbm", "c")["foo"] = "bar"
EOF

python3 <<'EOF'
import dbm.gnu
dbm.gnu.open("py3-stretch.gdbm", "c")["foo"] = "bar"
EOF

perl <<'EOF'
use GDBM_File;
tie %h,  q(GDBM_File), "perl-stretch.gdbm", &GDBM_WRCREAT, 0640
  or die "opening GDBM file failed: $!";
$h{foo} = "bar"
EOF

# ls -l *.gdbm
-rw-r----- 1 root root 12294 Mar  2 19:04 perl-stretch.gdbm
-rw-r--r-- 1 root root 12294 Mar  2 19:04 py2-stretch.gdbm
-rw-r--r-- 1 root root 12294 Mar  2 19:04 py3-stretch.gdbm

# upgrade to buster
# sed -i s/stretch/buster/ /etc/apt/sources.list && apt update && apt dist-upgrade && apt install gdbmtool

# test with gdbmtool
# gdbmtool py2-stretch.gdbm fetch foo
gdbmtool: stdin:1.1-10: cannot open database py2-stretch.gdbm: Malformed database file header
# gdbmtool py3-stretch.gdbm fetch foo
gdbmtool: stdin:1.1-10: cannot open database py3-stretch.gdbm: Malformed database file header
# gdbmtool perl-stretch.gdbm fetch foo
gdbmtool: stdin:1.1-10: cannot open database perl-stretch.gdbm: Malformed database file header

# similar results with any of these:

perl <<'EOF'
use GDBM_File;
 tie %h,  q(GDBM_File), "perl-stretch.gdbm", &GDBM_READER, 0640
  or die "opening GDBM file failed: $!";
print $h{foo}, "\n";
EOF

python <<'EOF'
import gdbm
print(gdbm.open("py2-stretch.gdbm", "r")["foo"])
EOF

python3 <<'EOF'
import dbm.gnu 
print(dbm.gnu.open("py3-stretch.gdbm", "r")["foo"])
EOF

-- 
Niko Tyni   nt...@debian.org
--- End Message ---
--- Begin Message ---
Source: gdbm
Source-Version: 1.18.1-4

We believe that the bug you reported is fixed in the latest version of
gdbm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 923...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Bogatov  (supplier of updated gdbm package)



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 12 Mar 2019 20:23:34 +
Source: gdbm
Architecture: source
Version: 1.18.1-4
Distribution: unstable
Urgency: medium
Maintainer: Dmitry Bogatov 
Changed-By: Dmitry Bogatov 
Closes: 923609
Changes:
 gdbm (1.18.1-4) unstable; urgency=medium
 .
   * Install gdbm tools without large file support to facilitate transition
 of databases, created on Stretch and before. (Closes: #923609)
   * Re-export upstream signing key without extra signatures.
Checksums-Sha1:
 ecefe13d9e1b6c8f8ef9b5f22c0078e6a2faedd0 2635 gdbm_1.18.1-4.dsc
 6e6808b74e8312ae1f16fc52b2e4cd3cb1f0c0d1 16460 gdbm

Processed: severity of 913467 is serious, found 913467 in 415.27-1

2019-03-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 913467 serious
Bug #913467 {Done: Andreas Beckmann } 
[src:nvidia-graphics-drivers] nvidia-graphics-drivers: CVE‑2018‑6260: access to 
application data processed on the GPU through a side channel exposed by the GPU 
performance counters
Severity set to 'serious' from 'important'
> found 913467 415.27-1
Bug #913467 {Done: Andreas Beckmann } 
[src:nvidia-graphics-drivers] nvidia-graphics-drivers: CVE‑2018‑6260: access to 
application data processed on the GPU through a side channel exposed by the GPU 
performance counters
Marked as found in versions nvidia-graphics-drivers/415.27-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
913467: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913467
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#851771: CVE-2016-6175 and 851771

2019-03-12 Thread Ivo De Decker
control: tags -1 buster-ignore

Hi,

On Sun, Jan 22, 2017 at 10:47:32PM +0100, Ola Lundqvist wrote:
> I started checking the CVEs for php-gettext and I'm not sure I follow
> the information for CVE-2016-6175.
> Maybe you have more data than I do.
> 
> The vulnerability is that a malicious user that has permission to
> craft .mo files in the target filesystem could execute any php code on
> that system.
> I find that a quite unlikely attack vector. Based on this I also think
> the bug should have a different priority than grave.
> 
> Or have I missed anything crucial?

After a brief discussion on irc, and input from the security team, I'm marking
this buster-ignore, on the understanding that php-gettext won't be in bullseye.

"< jmm_> I'm fine with buster-ignoring it, but it should go away after buster"

Thanks,

Ivo



Processed: Re: CVE-2016-6175 and 851771

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 buster-ignore
Bug #851771 [src:php-gettext] php-gettext: CVE-2016-6175
Added tag(s) buster-ignore.

-- 
851771: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851771
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#924346: xmltooling: CVE-2019-9628: XML parser class fails to trap exceptions on malformed XML declaration

2019-03-12 Thread Moritz Mühlenhoff
On Tue, Mar 12, 2019 at 02:53:14PM +0100, wf...@niif.hu wrote:
> Moritz Muehlenhoff  writes:
> 
> > On Tue, Mar 12, 2019 at 10:19:00AM +0100, wf...@niif.hu wrote:
> >
> >> The resulting packages work fine in my setup.  However, I failed to
> >> reproduce the original issue under stretch.  After consulting upstream,
> >> it turns out that the old Xerces library actually helps somewhat in this
> >> case, please see Scott Cantor's reply below.  So the known exploit
> >> (using an invalid XML declaration) does not work on stable, but if
> >> somebody finds a way to trigger a DOMException in Xerces 3.1, any
> >> xmltooling users will crash all the same.  See also his comment on
> >> https://issues.apache.org/jira/browse/XERCESC-2016.
> >
> > I think we can still fix this via stretch-security
> 
> OK, uploaded.

DSA has been released, thanks.

Cheers,
Moritz



Bug#922625: marked as done (grfcodec build loops indefinitely on failure)

2019-03-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Mar 2019 21:49:55 +
with message-id 
and subject line Bug#922625: fixed in grfcodec 6.0.6-3
has caused the Debian Bug report #922625,
regarding grfcodec build loops indefinitely on failure
to be marked as done.


-- 
922625: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922625
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: grfcodec
Version: 6.0.6-2
Severity: serious
Justification: policy 4.6
Tags: upstream

grfcodec can make the build loop indefinitely. The attached bad.patch
demonstrates the behaviour. The problem seems to be
https://sources.debian.org/src/grfcodec/6.0.6-2/Makefile/#L216:

|   $(_C)objs/$(ENDIAN_CHECK) $(ENDIAN_PARAMS) > src/endian.h || rm src/endian.h

If running $(ENDIAN_CHECK) fails (which is what bad.patch does), then
src/endian.h is removed, but this is counted as success. For some reason
make restarts compiling from scratch in that case and builds ad
infinitum. I aborted it after it tried building each file 18000 times.

This bug breaks Debian QA infrastructure. To paper over the bug, you
could use the following line:

|   $(_C)objs/$(ENDIAN_CHECK) $(ENDIAN_PARAMS) > src/endian.h || { rm src/endian.h; exit 1; }

Thus making the command fail and make aborts. In essence, the failing
behaviour is not aborting the build when a failure happens. This is
prohibited by Debian policy section 4.6 and proved fatal this time
around.

Helmut
--- End Message ---
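
The exit-status difference between the two recipe lines quoted in the report above, as an added example that is not part of the original report or of grfcodec. The `endian_check_*` functions are constructed stand-ins for `objs/$(ENDIAN_CHECK)`, and each recipe runs in a subshell because make runs a recipe line in its own shell.

```shell
#!/bin/sh
# Added illustration; not grfcodec's Makefile. The two endian_check_* functions
# are constructed stand-ins for objs/$(ENDIAN_CHECK).

# Stand-in that writes partial output and then fails, like a crashing helper.
endian_check_fail() {
    printf '/* partial output */\n'
    return 1
}

# Stand-in that succeeds and writes a complete header.
endian_check_ok() {
    printf '#define EXAMPLE_ENDIAN_HEADER 1\n'
    return 0
}

# Recipe shape from the report: on failure the partial file is removed, but
# the exit status of the list is that of rm, so the failure is swallowed.
recipe_swallow() {   # $1 = check command, $2 = target file
    ( "$1" > "$2" || rm "$2" )
}

# Recipe shape with the suggested fix: clean up, then fail the recipe.
recipe_strict() {    # $1 = check command, $2 = target file
    ( "$1" > "$2" || { rm "$2"; exit 1; } )
}

# Run one recipe against one check in a scratch directory and report what the
# caller (make) would observe: the exit status and whether the target exists.
outcome() {          # $1 = recipe function, $2 = check function
    dir=$(mktemp -d) || return 2
    target="$dir/endian.h"
    status=0
    "$1" "$2" "$target" || status=$?
    if [ -e "$target" ]; then state=present; else state=missing; fi
    rm -rf "$dir"
    printf 'status=%s target=%s\n' "$status" "$state"
}

# Print the four combinations side by side.
for recipe in recipe_swallow recipe_strict; do
    for check in endian_check_ok endian_check_fail; do
        printf '%-15s %-18s %s\n' "$recipe" "$check" "$(outcome "$recipe" "$check")"
    done
done
```

With the original recipe shape, a failing check leaves the caller with status 0 and no target file; with the suggested shape the same failure is reported as status 1, so the build stops.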
--- Begin Message ---
Source: grfcodec
Source-Version: 6.0.6-3

We believe that the bug you reported is fixed in the latest version of
grfcodec, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 922...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthijs Kooijman  (supplier of updated grfcodec package)



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 12 Mar 2019 22:19:01 +0100
Source: grfcodec
Architecture: source
Version: 6.0.6-3
Distribution: unstable
Urgency: medium
Maintainer: Matthijs Kooijman 
Changed-By: Matthijs Kooijman 
Closes: 922625
Changes:
 grfcodec (6.0.6-3) unstable; urgency=medium
 .
   [ Jordi Mallach ]
   * [e61a00b] Force build to abort upon endian_check failure. Thanks to
 Helmut Grohne for suggesting this fix (Closes: #922625)
--- End Message ---


Processed: found 906820 in 1.3.0-2

2019-03-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # Adjust affected versions (in particular, stretch is not affected)
> found 906820 1.3.0-2
Bug #906820 {Done: Rafael Laboissiere } 
[src:octave-statistics] octave-statistics: autopkgtest failure on i386
Marked as found in versions octave-statistics/1.3.0-2.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
906820: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906820
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#924330: marked as done (postinst function django_config_site() broken)

2019-03-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Mar 2019 22:51:01 +
with message-id 
and subject line Bug#924330: fixed in mailman-suite 0+20180916-7
has caused the Debian Bug report #924330,
regarding postinst function django_config_site() broken
to be marked as done.


-- 
924330: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924330
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mailman3-web
Version: 0+20180916-6
Severity: important

Hello,

the postinst function django_config_site() is broken, we need to
rewrite it.

At the moment, it tries to read (and update) the default django site
domain by using `Site.objects.all()[0]`, which seems to be wrong. If at
all, then `Site.objects.last()` seems to be the default django site
domain (i.e. first one that got created), but even that one seems
error-prone.

My impression is, that there is no reliable way for us during upgrade
to determine which django site domain got created by our postinst script
earlier. Therefore I propose the following:

If we do a fresh install (i.e. "$2" is empty) *and* a django site domain
is configured via debconf, we override the default django site domain
(i.e. 'example.com') with the configured one.

If we do an upgrade *and* a django site domain is set via debconf, we
check if a django site domain with the same domain name already exists.
If that's not the case, then we add a new django site domain.

This solution seems much more robust to me than the current
implementation.

Only downside is, that if the django site domain gets changed in
debconf at a later point, we don't override the old django site domain
but append a new one. I don't think it's a major problem though. And
given that there is no reliable way to determine *which* of the existing
django site domains got created by our postinst script before, I think
it's an acceptable tradeoff.

Cheers
 jonas
--- End Message ---
--- Begin Message ---
Source: mailman-suite
Source-Version: 0+20180916-7

We believe that the bug you reported is fixed in the latest version of
mailman-suite, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Meurer  (supplier of updated mailman-suite package)



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 12 Mar 2019 13:07:32 +0100
Source: mailman-suite
Architecture: source
Version: 0+20180916-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Mailman Team 
Changed-By: Jonas Meurer 
Closes: 924330
Changes:
 mailman-suite (0+20180916-7) unstable; urgency=medium
 .
   * d/templates, d/po/*.po, d/mailman3-web.{config,postinst}:
 - Remove the whole logic to configure django site domain and name via
   debconf. The code was very error-prone and it's better to leave this
   exercise to the local admin. (Closes: #924330)
   * d/mailman3-web-postinst:
 - Fix logic to run init_django at install and update_django at upgrade.


Processed: restore original severity for epiphany: can't browse anything

2019-03-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 922730 grave
Bug #922730 [epiphany-browser] cannot browse anything
Severity set to 'grave' from 'important'
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
922730: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922730
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#916347: marked as done (epiphany-browser: Don't include in Buster)

2019-03-12 Thread Debian Bug Tracking System
Your message dated Tue, 12 Mar 2019 18:54:32 -0400
with message-id 

and subject line Re: epiphany-browser: Don't include in Buster
has caused the Debian Bug report #916347,
regarding epiphany-browser: Don't include in Buster
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
916347: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916347
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: epiphany-browser
Version: 3.30.2-1
Severity: serious
Tags: buster
X-Debbugs-CC: mcatanz...@gnome.org

I was contacted today by the Epiphany upstream developer Michael
Catanzaro. He requested that Debian Buster not include Epiphany. While
he is ok with Epiphany being in Unstable (and Testing), he has serious
concerns about how well Epiphany will work during the long lifecycle
of a Debian Stable release when critical dependencies like
glib-networking and gstreamer can't really be updated.

As a specific example, YouTube's website changed a few months ago. To
display that website, webkitgtk requires new features from gstreamer
1.14.

Michael intends to make this request to other LTS distros too.

He recommends that LTS users install the Flatpak version of Epiphany.
(I imagine there will eventually be a Snap version of Epiphany for
those who prefer that system.)

Thanks,
Jeremy Bicha
--- End Message ---
--- Begin Message ---
My understanding is that the primary issue Michael was concerned about
for epiphany in Debian 10 "Buster" was whether webkit2gtk would get
security updates.

The current plan is to provide security updates for webkit2gtk for
Debian 10 similar to how security support has been offered for Ubuntu
16.04 LTS and 18.04 LTS. It's best-effort: there is no guarantee that
Debian will be able to provide security updates for the full normal
life of Debian 10, but we'll try to do the updates as long as it seems
practical to the ones doing the work. [1]

Therefore, I am closing this bug.

[1] In Ubuntu 16.04 LTS's case, this ended up being about 2 years of
support. For further reference, see
https://trac.webkit.org/wiki/WebKitGTK/DependenciesPolicy (the GCC
bump was what finally ended Ubuntu 16.04's supportability.)

Thanks,
Jeremy Bicha
--- End Message ---


Bug#923282: freezegun breaks cached-property autopkgtest

2019-03-12 Thread Mathias Behrle
* Paul Gevers: " Fwd: Bug#923282: freezegun breaks cached-property
  autopkgtest" (Tue, 12 Mar 2019 21:51:28 +0100):

Hi all,

> [ bounced, trying again.
> 
>  Forwarded Message 
> Subject: Re: Bug#923282: freezegun breaks cached-property autopkgtest
> Date: Tue, 5 Mar 2019 19:35:35 +0100
> From: Paul Gevers 
> To: 923...@bugs.debian.org, Mathias Behrle , Dominik
> George 
> 
> Hi all,
> 
> On Wed, 27 Feb 2019 00:38:16 +0100 Mathias Behrle wrote:
> > I don't see how
> > anything could be done from the side of cached_property at this stage of the
> > freeze. Therefore I am bumping the bug to severity serious to be safe this
> > version of freezegun will not migrate to testing and assigning to
> > freezegun.  
> 
> Keeping this version of freezegun out of buster for this is trading one
> RC bug versus another.
> 
> Mathias, could you please check if you can make cached_property
> compatible with the current freezegun in unstable, as that means we
> could move things forward.

My research shows that the issue is known for cached_property since 5 Nov 2018
[1], related issues for freezegun date from 21 Oct 2018 [2] resp. 17 Oct 2018
[3]. Indeed freezegun obviously introduced substantial API changes from 0.3.10
to 0.3.11 (btw in no way following semver).

What can be done in the current situation:

1) I really don't see what can be done on the side of cached_property. No
solution so far was able to work around the test failures according to [1]. If
there is any input from the freezegun maintainers how the tests could be
changed to pass I am all open for it.

2) freezegun 0.3.11 was released on 15 Oct 2018 [4] and there seem to be some
more recent commits related to this issue (e.g. [5]). I would propose to
cherry-pick some relevant commits or to package current trunk from git to see
if it solves the issues.

3) As a last resort the release team should be involved to possibly mark the
issue as ignore for buster.

4) If that should be impossible/not desired I would be willing as a very very
last resort to disable temporarily the relevant autopkgtests in cached_property.
Basically cached_property *is* and *was* working, it is only that the tests are
failing due to API incompatibilities introduced by a test utility (freezegun)
during or shortly before the soft freeze. 


> Dominik, did you investigate if a different solution for the FTBFS of
> freezegun in bug 916702 [1] was possible?
> 
> Federico, I would appreciate it when you would share your opinion on how
> to solve the freezegun situation for buster.
> 
> Time is ticking.

My personal preference obviously goes to 1) or 2). Please advise on how to
proceed further.

Mathias

[1] https://github.com/pydanny/cached-property/issues/131
[2] https://github.com/ktosiek/pytest-freezegun/issues/6
[3] https://github.com/spulec/freezegun/issues/269
[4] https://pypi.org/project/freezegun/#history
[5]
https://github.com/spulec/freezegun/commit/028dee229f06d200d0f79a130deaad65b14779ef


-- 

Mathias Behrle ✧ Debian Developer
PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
AC29 7E5C 46B9 D0B6 1C71  7681 D6D0 9BE4 8405 BBF6



Bug#924397: corekeeper: insecure use of world-writable /var/crash

2019-03-12 Thread Paul Wise
On Tue, 2019-03-12 at 15:50 +0100, Jakub Wilk wrote:

> I don't understand why /var/crash is world-writable

I guess that is for when the core dump handler is unused and probably I
forgot to change it when switching to the core dump handler.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise





Bug#740893: ‘libjs-jquery-hotkeys’ 0.2.0 works with ‘python-coverage’

2019-03-12 Thread Ben Finney
On 10-Oct-2018, Thomas Goirand wrote:

> I've prepared an update of this package to the version available at:
> https://github.com/jeresig/jquery.hotkeys
> 
> Can you please try?

Testing this manually, I find that the “0.2.0” version you've prepared
means that it works for the dependency in ‘python-coverage’ for
hotkeys support.

Are there more checks you would like to be done?

-- 
 \   “Two hands working can do more than a thousand clasped in |
  `\   prayer.” —Anonymous |
_o__)  |
Ben Finney 




Bug#923695: libczmq-dev: pkg-config --cflags libczmq.pc fails without uuid-dev and libsystemd-dev installed

2019-03-12 Thread John Morris
Package: czmq
Version: 4.2.0-1
Followup-For: Bug #923695

Dear Maintainer,

The version 4.2.0-2 pushed to Sid fixes this problem, but the problem
still exists in Buster, still at 4.2.0-1.

Thanks!

  John

-- System Information:
Debian Release: Buster



Processed: gitlab: CVE-2019-9170 CVE-2019-9171 CVE-2019-9172 CVE-2019-9174 CVE-2019-9175 CVE-2019-9176 CVE-2019-9178 CVE-2019-9179 CVE-2019-9217 CVE-2019-9219 CVE-2019-9220 CVE-2019-9221 CVE-2019-9222

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> found -1 11.8.0-1
Bug #924447 [src:gitlab] gitlab: CVE-2019-9170 CVE-2019-9171 CVE-2019-9172 
CVE-2019-9174 CVE-2019-9175 CVE-2019-9176 CVE-2019-9178 CVE-2019-9179 
CVE-2019-9217 CVE-2019-9219 CVE-2019-9220 CVE-2019-9221 CVE-2019-9222 
CVE-2019-9223 CVE-2019-9224 CVE-2019-9225 CVE-2019-9485
Marked as found in versions gitlab/11.8.0-1.

-- 
924447: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924447
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#924447: gitlab: CVE-2019-9170 CVE-2019-9171 CVE-2019-9172 CVE-2019-9174 CVE-2019-9175 CVE-2019-9176 CVE-2019-9178 CVE-2019-9179 CVE-2019-9217 CVE-2019-9219 CVE-2019-9220 CVE-2019-9221 CVE-2019-922

2019-03-12 Thread Salvatore Bonaccorso
Source: gitlab
Version: 11.5.10+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 11.8.0-1

Hi,

The following vulnerabilities were published for gitlab, filing for
tracking purposes.

CVE-2019-9170[0]:
IDOR milestone name information disclosure

CVE-2019-9171[1]:
Milestone name disclosure

CVE-2019-9172[2]:
Merge request information disclosure

CVE-2019-9174[3]:
Blind SSRF in prometheus integration

CVE-2019-9175[4]:
Burndown chart information disclosure

CVE-2019-9176[5]:
CSRF add Kubernetes cluster integration

CVE-2019-9178[6]:
Private merge request titles in public project information disclosure

CVE-2019-9179[7]:
Private namespace disclosure in email notification when issue is moved

CVE-2019-9217[8]:
NPM automatic package referencer

CVE-2019-9219[9]:
Issue board name disclosure

CVE-2019-9220[10]:
Issue DoS via Mermaid

CVE-2019-9221[11]:
Arbitrary file read via MergeRequestDiff

CVE-2019-9222[12]:
Path traversal snippet mover

CVE-2019-9223[13]:
Information disclosure repo existence

CVE-2019-9224[14]:
Milestone name disclosure

CVE-2019-9225[15]:
Issue board name disclosure

CVE-2019-9485[16]:
Privilege escalation impersonate user

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9170
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9170
[1] https://security-tracker.debian.org/tracker/CVE-2019-9171
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9171
[2] https://security-tracker.debian.org/tracker/CVE-2019-9172
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9172
[3] https://security-tracker.debian.org/tracker/CVE-2019-9174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9174
[4] https://security-tracker.debian.org/tracker/CVE-2019-9175
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9175
[5] https://security-tracker.debian.org/tracker/CVE-2019-9176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9176
[6] https://security-tracker.debian.org/tracker/CVE-2019-9178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9178
[7] https://security-tracker.debian.org/tracker/CVE-2019-9179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9179
[8] https://security-tracker.debian.org/tracker/CVE-2019-9217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9217
[9] https://security-tracker.debian.org/tracker/CVE-2019-9219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9219
[10] https://security-tracker.debian.org/tracker/CVE-2019-9220
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9220
[11] https://security-tracker.debian.org/tracker/CVE-2019-9221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9221
[12] https://security-tracker.debian.org/tracker/CVE-2019-9222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9222
[13] https://security-tracker.debian.org/tracker/CVE-2019-9223
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9223
[14] https://security-tracker.debian.org/tracker/CVE-2019-9224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9224
[15] https://security-tracker.debian.org/tracker/CVE-2019-9225
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9225
[16] https://security-tracker.debian.org/tracker/CVE-2019-9485
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9485

Regards,
Salvatore



Bug#922263: marked as done (turbogears2-doc: FTBFS (ImportError: cannot import name flatten_arguments))

2019-03-12 Thread Debian Bug Tracking System
Your message dated Wed, 13 Mar 2019 06:58:04 +0100
with message-id 

and subject line Re: Bug#922263: turbogears2-doc: FTBFS (ImportError: cannot 
import name flatten_arguments)
has caused the Debian Bug report #922263,
regarding turbogears2-doc: FTBFS (ImportError: cannot import name 
flatten_arguments)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
922263: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922263
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:turbogears2-doc
Version: 2.3.7-1
Severity: serious
Tags: ftbfs

Dear maintainer:

I tried to build this package in buster but it failed:


[...]
 debian/rules build-indep
dh_testdir
cd docs/ && /usr/bin/make html
make[1]: Entering directory '/<>/docs'
mkdir -p _build/html _build/doctrees
sphinx-build -b html -d _build/doctrees  -w sphinxlog.txt . _build/html
Running Sphinx v1.8.3

Configuration error:
There is a programmable error in your configuration file:

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/sphinx/config.py", line 368, in 
eval_config_file
execfile_(filename, namespace)
  File "/usr/lib/python2.7/dist-packages/sphinx/util/pycompat.py", line 150, in 
execfile_
exec_(code, _globals)
  File "/usr/lib/python2.7/dist-packages/six.py", line 709, in exec_
exec("""exec _code_ in _globs_, _locs_""")
  File "", line 1, in 
  File "/<>/docs/conf.py", line 15, in 
from tg.release import version as tg_release_version
  File "/usr/lib/python2.7/dist-packages/tg/__init__.py", line 52, in 
from tg.controllers import TGController, RestController, redirect, url, 
lurl, abort
  File "/usr/lib/python2.7/dist-packages/tg/controllers/__init__.py", line 2, 
in 
from tg.controllers.decoratedcontroller import DecoratedController
  File 
"/usr/lib/python2.7/dist-packages/tg/controllers/decoratedcontroller.py", line 
14, in 
from crank.util import get_params_with_argspec, flatten_arguments
ImportError: cannot import name flatten_arguments

make[1]: *** [Makefile:42: html] Error 2
make[1]: Leaving directory '/<>/docs'
make: *** [debian/rules:25: build-indep] Error 2
dpkg-buildpackage: error: debian/rules build-indep subprocess returned exit 
status 2


(The above is just how the build ends and not necessarily the most relevant 
part)

The build was made in my autobuilder with "dpkg-buildpackage -A"
and it also fails here:

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/turbogears2-doc.html

where you can get a full build log if you need it.

If this is really a bug in one of the build-depends, please use reassign and 
affects,
so that this is still visible in the BTS web page for this package.

Thanks.
--- End Message ---
--- Begin Message ---
On Wed, Feb 13, 2019 at 9:18 PM Santiago Vila  wrote:
> I tried to build this package in buster but it failed:
[...]
> If this is really a bug in one of the build-depends, please use reassign and 
> affects,
> so that this is still visible in the BTS web page for this package.
 It was a transitional problem via turbogears2 which was fixed and
migrated to Buster.
Closing this bug accordingly.

Regards,
Laszlo/GCS
--- End Message ---


Bug#924397: corekeeper: insecure use of world-writable /var/crash

2019-03-12 Thread Paul Wise
Control: tags -1 + patch

On Wed, 13 Mar 2019 08:16:16 +0800 Paul Wise  wrote:
> On Tue, 2019-03-12 at 15:50 +0100, Jakub Wilk wrote:
> 
> > I don't understand why /var/crash is world-writable
> 
> I guess that is for when the core dump handler is unused and probably I
> forgot to change it when switching to the core dump handler.

I confirmed that when the alternate kernel.core_pattern is in use, the
/var/crash directory must be world-writeable otherwise the core files
will not be written.

I intend to use the attached patch to fix this issue, please review it.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

From c3791a6999820b00071167e965571e6cd2acc62d Mon Sep 17 00:00:00 2001
From: Paul Wise 
Date: Wed, 13 Mar 2019 14:10:36 +0800
Subject: [PATCH 1/3] Do not use a world-writable /var/crash with the dumper
 script

Fixes: https://bugs.debian.org/924397
---
 debian/changelog| 7 +++
 debian/corekeeper.lintian-overrides | 2 +-
 debian/rules| 2 +-
 debian/sysctl-linux/corekeeper.conf | 5 -
 4 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 43ec51f..8916e17 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+corekeeper (1.7) UNRELEASED; urgency=medium
+
+  * Do not use a world-writable /var/crash with the dumper script
+(Closes: #924397)
+
+ -- Paul Wise   Wed, 13 Mar 2019 14:09:50 +0800
+
 corekeeper (1.6) unstable; urgency=medium
 
   * Prevent installation with other core dump handlers:
diff --git a/debian/corekeeper.lintian-overrides b/debian/corekeeper.lintian-overrides
index 1e248d9..955d7e6 100644
--- a/debian/corekeeper.lintian-overrides
+++ b/debian/corekeeper.lintian-overrides
@@ -1,6 +1,6 @@
 # /var/crash is intentionally world-writable to allow for
 # centralized core dumps.
-non-standard-dir-perm
+[kfreebsd-any]: non-standard-dir-perm
 
 # The postrm script checks if systemd is running before
 # using the systemctl command
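Review bot: The comment kept above the override still says /var/crash is intentionally world-writable without qualification, but after this change that only holds where the dumper script is not shipped, so the comment should be reworded to say that. The override is also keyed on architecture ([kfreebsd-any]) while debian/rules keys the chmod 1777 on whether $(script) exists; a short comment tying the two conditions together would make it obvious when one is changed without the other.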
diff --git a/debian/rules b/debian/rules
index a44b38b..7348673 100755
--- a/debian/rules
+++ b/debian/rules
@@ -10,7 +10,7 @@ script=debian/corekeeper/usr/lib/corekeeper/dump
 
 override_dh_fixperms:
 	dh_fixperms
-	chmod 1777 debian/corekeeper/var/crash
+	if [ ! -e $(script) ; then chmod 1777 debian/corekeeper/var/crash ; fi
 	if [ -e $(script) ] ; then chmod 0755 $(script) ; fi
 
 override_dh_installinit:
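Review bot: The added test in override_dh_fixperms is missing its closing bracket: `if [ ! -e $(script) ; then` should read `if [ ! -e $(script) ] ; then`, matching the unchanged line below it. As written, `[` fails on the missing `]`, the condition is treated as false and the chmod 1777 never runs, so a build without the dumper script would ship /var/crash without the world-writable mode that the alternate core_pattern needs.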
diff --git a/debian/sysctl-linux/corekeeper.conf b/debian/sysctl-linux/corekeeper.conf
index e6fcb90..66bebb4 100644
--- a/debian/sysctl-linux/corekeeper.conf
+++ b/debian/sysctl-linux/corekeeper.conf
@@ -4,8 +4,11 @@
 # Non-root users can see that something crashed, no way to fix that.
 # It requires Linux 3.7-rc1, see v3.6-6800-g12a2b4b in linux.git for info.
 # If you use it with an earlier kernel then only root can access core dumps.
-# If you don't want to use it, comment core_pattern below and uncomment this:
+# If you don't want to use it, comment core_pattern below, dpkg-statoverride
+# /var/crash to mode 1777 and uncomment this alternate core_pattern:
 #kernel.core_pattern = /var/crash/%p-%u-%g-%s-%t-%h-%E.core
+# When switching back to the default core pattern use mode 0755 for /var/crash
+# as it is unsafe to use the dumper with a world-writable directory.
 kernel.core_pattern = |/usr/lib/corekeeper/dump %d %u %p-%u-%g-%s-%t-%h-%E.core
 kernel.core_uses_pid = 1
 fs.suid_dumpable = 2
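Review bot: The new comments tell the admin to dpkg-statoverride /var/crash to mode 1777 but give neither the command nor the owner and group to use, and the reverse step only says to use mode 0755 without mentioning that the override has to be removed again. Spell both steps out in the comment, since a half-done switch either loses core files or leaves the dumper running against a world-writable directory. Admins who already uncommented the alternate core_pattern get no notice of the new requirement from a conffile comment alone, so a debian/NEWS entry would be worth adding.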
-- 
2.20.1
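
An added example, not part of the original message or of corekeeper: a shell check for the condition this bug is about, pairing the active kernel.core_pattern with the mode of /var/crash. The function names, verdict strings and the sticky-bit check are assumptions of this example, and `stat -c %a` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not corekeeper code): does the crash directory's mode fit
# the kind of kernel.core_pattern in use?

CRASH_DIR=/var/crash   # directory named in the bug report

# audit_crash_dir PATTERN OCTAL_MODE [DIR]
# Prints a one-line verdict. Returns 0 = acceptable, 1 = problem, 2 = bad input.
audit_crash_dir() {
    pattern=$1
    mode=$2
    dir=${3:-$CRASH_DIR}

    # Accept only octal digits, so nothing else reaches the arithmetic below.
    case "$mode" in
        ''|*[!0-7]*) echo "ERROR: mode '$mode' is not octal"; return 2 ;;
    esac
    bits=$((0$mode))
    world_writable=$(( (bits & 0002) != 0 ))
    sticky=$(( (bits & 01000) != 0 ))

    case "$pattern" in
        '|'*)
            # Piped handler: the kernel starts the handler as root, so the
            # directory it writes into must not be writable by other users.
            if [ "$world_writable" -eq 1 ]; then
                echo "FAIL: piped dumper with world-writable $dir (mode $mode)"
                return 1
            fi
            echo "OK: piped dumper, $dir is not world-writable (mode $mode)"
            ;;
        "$dir"/*)
            # Plain file pattern into the directory: per the bug report, cores
            # are not written unless the directory is world-writable.
            if [ "$world_writable" -eq 0 ]; then
                echo "WARN: file pattern but $dir is not world-writable (mode $mode)"
                return 1
            fi
            # Assumption of this example: insist on the sticky bit (1777) so
            # users cannot remove or replace each other's files.
            if [ "$sticky" -eq 0 ]; then
                echo "FAIL: $dir is world-writable without sticky bit (mode $mode)"
                return 1
            fi
            echo "OK: file pattern, $dir is sticky and world-writable (mode $mode)"
            ;;
        *)
            echo "SKIP: core_pattern does not write into $dir"
            ;;
    esac
    return 0
}

# audit_live: run the check against the running system.
audit_live() {
    live_pattern=$(cat /proc/sys/kernel/core_pattern) || return 2
    live_mode=$(stat -c %a "$CRASH_DIR") || return 2
    audit_crash_dir "$live_pattern" "$live_mode"
}

# Only touch the live system when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```
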





Processed: Re: Bug#924397: corekeeper: insecure use of world-writable /var/crash

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + patch
Bug #924397 [corekeeper] corekeeper: insecure use of world-writable /var/crash
Added tag(s) patch.

-- 
924397: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924397
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#924397: corekeeper: insecure use of world-writable /var/crash

2019-03-12 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + patch
Bug #924397 [corekeeper] corekeeper: insecure use of world-writable /var/crash
Ignoring request to alter tags of bug #924397 to the same tags previously set

-- 
924397: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924397
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems