Bug#928944: CVE-2019-12046: lemonldap-ng tokens allows anonymous session when stored in session DB

2019-05-21 Thread Xavier



On 21 May 2019 21:40:35 GMT+02:00, Guilhem Moulin wrote:
>Hi Xavier,
>
> # Load session data into object
> if ($data) {
>+if ( $self->kind ) {
>+unless ( $data->{_session_kind} eq $self->kind ) {
>+$self->error("Session kind mistmatch");
>+return undef;
>+}
>+}
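Review bot: the error raised at `$self->error("Session kind mistmatch")` does not say which kinds were compared, so a rejected session has to be debugged by hand to learn the stored and the expected value. Consider putting both `$data->{_session_kind}` and `$self->kind` into the message, and correcting the spelling of "mistmatch" in the same string.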
>
>Doesn't that break CDA in 1.9.7-3+deb9u1?  At least I'm no longer able
>to access a protected application under domains other than the portal.
>
>Error output shows occurrences of “Session kind mistmatch” instead, and
>further debugging suggests that $data->{_session_kind} is "CDA" while
>$self->kind is "SSO" in the execution flow that yields access denial.

Hello,

It seems that Clément has fixed something related to that feature. Could you try
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/deff50f072c64898d1204daa28c01fdcc7275ea4 ?

If it's OK, I'll propose a stretch update

-- 
Send with my EELO / K-9 Mail



Bug#925555: linux-image-4.19.0-4-amd64: [regression] No graphics on some IvyBridge / Haswell systems

2019-05-21 Thread Alexis Murzeau
Hi,

On Mon, 6 May 2019 12:08:03 +0100 "Rebecca N. Palmer" wrote:
> Control: forcemerge -1 926193
> Control: tags -1 upstream patch
> Control: retitle -1 linux-image-4.19.0-4-amd64: [regression] No graphics on 
> some IvyBridge / Haswell systems
> Control: forwarded -1 https://bugs.freedesktop.org/show_bug.cgi?id=109806
> 
> (Summary of the merged bugs - I haven't tried any of this myself)
> 
> Workaround for individuals (from leandroembu) - install 
> xserver-xorg-video-intel and copy 
> /usr/share/doc/xserver-xorg-video-intel/xorg.conf to /etc/X11.  This is 
> probably not suitable as an official fix as it may cause problems on 
> newer hardware (e.g. #860133).
> 
> Possible patch: revert drm/i915/fbdev: Actually configure untiled 
> displays (d179b88deb3bf6fed4991a31fd6f0f2cad21fab5).  Has been applied 
> upstream, but the real bug is thought to be in xorg not linux.
> 
> 
> 

As a side note, I'm affected by this bug and your suggested workaround
of copying a xorg.conf in /etc/Xorg worked for me, thanks :)

The linux commit got reverted since v5.1-rc7.

I don't know how Xorg and modeset work and what exactly the atomic mode is.
Also, I wasn't able to find what was fixed with the commit
d179b88deb3bf6fed4991a31fd6f0f2cad21fab5 in linux, whether it was possible
bugs discovered by reading the code or actual bugs users already
encountered.

But as I understand, there are several solutions to this bug:

- Revert the drm/i915/fbdev: Actually configure untiled displays
(d179b88deb3bf6fed4991a31fd6f0f2cad21fab5) commit in Linux. This revert
is in mainline since v5.1-rc7 [0]

- Rework the atomic support in Xorg, which requires extensive
modifications but is in a state to be tested, updated and validated [1]

- Disable atomic mode and fall back to legacy mode, but that seems
suboptimal as atomic mode might be required by some drivers [2]



I guess backporting PR !36 [1] is too many changes in Xorg now that we
are in hard freeze and probably too risky given it is still
work-in-progress.

But I can't see how broken it is to revert the d179b88 commit in linux as I
don't know what that commit fixed.
It seems to be not that critical as upstream linux has done the revert.

So I guess one solution is to just do the revert in linux and let the
next stable after Buster have the proper fix in Xorg with the time
needed to ensure it is working fine without breaking in various ways.

[0]
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9fa246256e09dc30820524401cdbeeaadee94025
[1] https://gitlab.freedesktop.org/xorg/xserver/merge_requests/36
[2] https://gitlab.freedesktop.org/xorg/xserver/merge_requests/180

-- 
Alexis Murzeau
PGP: B7E6 0EBB 9293 7B06 BDBC  2787 E7BD 1904 F480 937F















Processed: Fwd: control

2019-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> forwarded 926193 https://bugs.freedesktop.org/show_bug.cgi?id=109806, 
> merged-upstream: https://bugs.freedesktop.org/show_bug.cgi?id=107100, moved 
> to: https://gitlab.freedesktop.org/xorg/xserver/issues/542
Bug #926193 [src:linux] linux-image-4.19.0-4-amd64: [regression] No graphics on 
some IvyBridge / Haswell systems
Bug #92 [src:linux] linux-image-4.19.0-4-amd64: [regression] No graphics on 
some IvyBridge / Haswell systems
Bug #925967 [src:linux] linux-image-4.19.0-4-amd64: [regression] No graphics on 
some IvyBridge / Haswell systems
Changed Bug forwarded-to-address to 
'https://bugs.freedesktop.org/show_bug.cgi?id=109806, merged-upstream: 
https://bugs.freedesktop.org/show_bug.cgi?id=107100, moved to: 
https://gitlab.freedesktop.org/xorg/xserver/issues/542' from 
'"https://bugs.freedesktop.org/show_bug.cgi?id=109806, merged-upstream: 
https://bugs.freedesktop.org/show_bug.cgi?id=107100, moved to: 
https://gitlab.freedesktop.org/xorg/xserver/issues/542;'.
Changed Bug forwarded-to-address to 
'https://bugs.freedesktop.org/show_bug.cgi?id=109806, merged-upstream: 
https://bugs.freedesktop.org/show_bug.cgi?id=107100, moved to: 
https://gitlab.freedesktop.org/xorg/xserver/issues/542' from 
'"https://bugs.freedesktop.org/show_bug.cgi?id=109806, merged-upstream: 
https://bugs.freedesktop.org/show_bug.cgi?id=107100, moved to: 
https://gitlab.freedesktop.org/xorg/xserver/issues/542;'.
Changed Bug forwarded-to-address to 
'https://bugs.freedesktop.org/show_bug.cgi?id=109806, merged-upstream: 
https://bugs.freedesktop.org/show_bug.cgi?id=107100, moved to: 
https://gitlab.freedesktop.org/xorg/xserver/issues/542' from 
'"https://bugs.freedesktop.org/show_bug.cgi?id=109806, merged-upstream: 
https://bugs.freedesktop.org/show_bug.cgi?id=107100, moved to: 
https://gitlab.freedesktop.org/xorg/xserver/issues/542;'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
92: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=92
925967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925967
926193: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926193
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#929338: wordplay: Non-dfsg license

2019-05-21 Thread Moshe Piekarski
Package: wordplay
Version: 7.22-19
Severity: serious
Justification: Policy 2.2.1


the license is nondfsg compatible

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (990, 'testing'), (400, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wordplay depends on:
ii  libc6  2.28-10

wordplay recommends no packages.

wordplay suggests no packages.

-- no debconf information




Processed: control

2019-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> forwarded 926193 "https://bugs.freedesktop.org/show_bug.cgi?id=109806, 
> merged-upstream: https://bugs.freedesktop.org/show_bug.cgi?id=107100, moved 
> to: https://gitlab.freedesktop.org/xorg/xserver/issues/542;
Bug #926193 [src:linux] linux-image-4.19.0-4-amd64: [regression] No graphics on 
some IvyBridge / Haswell systems
Bug #92 [src:linux] linux-image-4.19.0-4-amd64: [regression] No graphics on 
some IvyBridge / Haswell systems
Bug #925967 [src:linux] linux-image-4.19.0-4-amd64: [regression] No graphics on 
some IvyBridge / Haswell systems
Changed Bug forwarded-to-address to 
'"https://bugs.freedesktop.org/show_bug.cgi?id=109806, merged-upstream: 
https://bugs.freedesktop.org/show_bug.cgi?id=107100, moved to: 
https://gitlab.freedesktop.org/xorg/xserver/issues/542;' from 
'https://bugs.freedesktop.org/show_bug.cgi?id=109806,'.
Changed Bug forwarded-to-address to 
'"https://bugs.freedesktop.org/show_bug.cgi?id=109806, merged-upstream: 
https://bugs.freedesktop.org/show_bug.cgi?id=107100, moved to: 
https://gitlab.freedesktop.org/xorg/xserver/issues/542;' from 
'https://bugs.freedesktop.org/show_bug.cgi?id=109806,'.
Changed Bug forwarded-to-address to 
'"https://bugs.freedesktop.org/show_bug.cgi?id=109806, merged-upstream: 
https://bugs.freedesktop.org/show_bug.cgi?id=107100, moved to: 
https://gitlab.freedesktop.org/xorg/xserver/issues/542;' from 
'https://bugs.freedesktop.org/show_bug.cgi?id=109806,'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
92: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=92
925967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925967
926193: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926193
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed (with 2 errors): #925555: linux-image-4.19.0-4-amd64: [regression] No graphics on some IvyBridge / Haswell systems

2019-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> forwarded 926193 https://bugs.freedesktop.org/show_bug.cgi?id=109806,
Bug #926193 [src:linux] linux-image-4.19.0-4-amd64: [regression] No graphics on 
some IvyBridge / Haswell systems
Bug #92 [src:linux] linux-image-4.19.0-4-amd64: [regression] No graphics on 
some IvyBridge / Haswell systems
Bug #925967 [src:linux] linux-image-4.19.0-4-amd64: [regression] No graphics on 
some IvyBridge / Haswell systems
Changed Bug forwarded-to-address to 
'https://bugs.freedesktop.org/show_bug.cgi?id=109806,' from 
'https://bugs.freedesktop.org/show_bug.cgi?id=109806, merged-upstream: 
https://bugs.freedesktop.org/show_bug.cgi?id=107100'.
Changed Bug forwarded-to-address to 
'https://bugs.freedesktop.org/show_bug.cgi?id=109806,' from 
'https://bugs.freedesktop.org/show_bug.cgi?id=109806, merged-upstream: 
https://bugs.freedesktop.org/show_bug.cgi?id=107100'.
Changed Bug forwarded-to-address to 
'https://bugs.freedesktop.org/show_bug.cgi?id=109806,' from 
'https://bugs.freedesktop.org/show_bug.cgi?id=109806, merged-upstream: 
https://bugs.freedesktop.org/show_bug.cgi?id=107100'.
> merged-upstream: https://bugs.freedesktop.org/show_bug.cgi?id=107100,
Unknown command or malformed arguments to command.
> moved to: https://gitlab.freedesktop.org/xorg/xserver/issues/542
Unknown command or malformed arguments to command.
> tags 926193 - fixed-upstream
Bug #926193 [src:linux] linux-image-4.19.0-4-amd64: [regression] No graphics on 
some IvyBridge / Haswell systems
Bug #92 [src:linux] linux-image-4.19.0-4-amd64: [regression] No graphics on 
some IvyBridge / Haswell systems
Bug #925967 [src:linux] linux-image-4.19.0-4-amd64: [regression] No graphics on 
some IvyBridge / Haswell systems
Removed tag(s) fixed-upstream.
Removed tag(s) fixed-upstream.
Removed tag(s) fixed-upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
92: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=92
925967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925967
926193: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926193
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#923930: testsuite comes with built-in time-bomb

2019-05-21 Thread Brian May
On Mon, May 20, 2019 at 09:53:27PM +0200, Giovanni Mascellani wrote:
> Upstream confirms that an update that handles 32 bit archs is not on the
> radar soon. I don't know what the best way forward is now, but if it
> is decided that it is ok to ignore the error for 32 bit archs, then I
> can try to cook up the required patch.

I would appreciate any fix that will fix this for both 32bit and 64bit
- preferably as simple as possible, so I can get the recent security
  fixes into buster.

(also please do CC me in BTS emails)

Thanks!
-- 
Brian May 



Bug#916375: AW: Bug#916375: AW: [debian-mysql] Bug#916375: Update libaprutil1-dbd-mysql

2019-05-21 Thread Daniel Högele - adelphi
>How about removing all php5-packages or at least the php5-mysql package from 
>your system? 

We had to migrate a non-php7-compatible 3rd party application first, therefore
the test took a little bit longer.
I can finally confirm that removing all php5 packages did solve the problem.

Thanks!


Bug#897109: marked as done (fastqc: autopkgtest fails with new version while succeeded in the past; htsjdk.samtools.util.RuntimeIOException: java.io.IOException: Stream closed)

2019-05-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 May 2019 20:48:35 +
with message-id 
and subject line Bug#897109: fixed in fastqc 0.11.8+dfsg-2
has caused the Debian Bug report #897109,
regarding fastqc: autopkgtest fails with new version while succeeded in the 
past; htsjdk.samtools.util.RuntimeIOException: java.io.IOException: Stream 
closed
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
897109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897109
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: fastqc
Version: 0.11.7+dfsg-1
Severity: normal
User: debian...@lists.debian.org
Usertags: regression

With the upload of version 0.11.7+dfsg-1 of fastqc, the autopkgtest¹
started to fail with the error copied below. As I have zero experience
with java, I don't know what to make of this error. Could you please
investigate?

Paul

¹ https://ci.debian.net/packages/f/fastqc/unstable/amd64/autopkgtest

[14:03:24]: test run-unit-test: [---
Started analysis of example.fastq
Analysis complete for example.fastq
Archive:  example_fastqc.zip
   creating: example_fastqc/
   creating: example_fastqc/Icons/
   creating: example_fastqc/Images/
  inflating: example_fastqc/Icons/fastqc_icon.png
  inflating: example_fastqc/Icons/warning.png
  inflating: example_fastqc/Icons/error.png
  inflating: example_fastqc/Icons/tick.png
  inflating: example_fastqc/summary.txt
  inflating: example_fastqc/Images/per_base_quality.png
  inflating: example_fastqc/Images/per_tile_quality.png
  inflating: example_fastqc/Images/per_sequence_quality.png
  inflating: example_fastqc/Images/per_base_sequence_content.png
  inflating: example_fastqc/Images/per_sequence_gc_content.png
  inflating: example_fastqc/Images/per_base_n_content.png
  inflating: example_fastqc/Images/sequence_length_distribution.png
  inflating: example_fastqc/Images/duplication_levels.png
  inflating: example_fastqc/Images/adapter_content.png
  inflating: example_fastqc/fastqc_report.html
  inflating: example_fastqc/fastqc_data.txt
  inflating: example_fastqc/fastqc.fo
PASS    Basic Statistics    example.fastq
WARN    Per base sequence quality    example.fastq
PASS    Per tile sequence quality    example.fastq
PASS    Per sequence quality scores    example.fastq
WARN    Per base sequence content    example.fastq
WARN    Per sequence GC content    example.fastq
PASS    Per base N content    example.fastq
PASS    Sequence Length Distribution    example.fastq
PASS    Sequence Duplication Levels    example.fastq
WARN    Overrepresented sequences    example.fastq
PASS    Adapter Content    example.fastq
Failed to process toy.sam
htsjdk.samtools.util.RuntimeIOException: java.io.IOException: Stream closed
    at htsjdk.samtools.SamReaderFactory$SamReaderFactoryImpl.open(SamReaderFactory.java:373)
    at uk.ac.babraham.FastQC.Sequence.BAMFile.(BAMFile.java:64)
    at uk.ac.babraham.FastQC.Sequence.SequenceFactory.getSequenceFile(SequenceFactory.java:100)
    at uk.ac.babraham.FastQC.Sequence.SequenceFactory.getSequenceFile(SequenceFactory.java:62)
    at uk.ac.babraham.FastQC.Analysis.OfflineRunner.processFile(OfflineRunner.java:152)
    at uk.ac.babraham.FastQC.Analysis.OfflineRunner.(OfflineRunner.java:121)
    at uk.ac.babraham.FastQC.FastQCApplication.main(FastQCApplication.java:316)
Caused by: java.io.IOException: Stream closed
    at java.base/java.io.BufferedInputStream.getInIfOpen(BufferedInputStream.java:159)
    at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
    at java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
    at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:345)
    at htsjdk.samtools.util.BlockCompressedInputStream.readBytes(BlockCompressedInputStream.java:436)
    at htsjdk.samtools.util.BlockCompressedInputStream.isValidFile(BlockCompressedInputStream.java:351)
    at htsjdk.samtools.SamStreams.isBAMFile(SamStreams.java:51)
    at htsjdk.samtools.SamReaderFactory$SamReaderFactoryImpl.open(SamReaderFactory.java:313)
    ... 6 more
autopkgtest [14:03:29]: test run-unit-test: ---]



--- End Message ---
--- Begin Message ---
Source: fastqc
Source-Version: 0.11.8+dfsg-2

We believe that the bug you reported is fixed in the latest version of
fastqc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting 

Bug#923428: marked as done (fastqc: autopkgtest regression)

2019-05-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 May 2019 20:48:35 +
with message-id 
and subject line Bug#897109: fixed in fastqc 0.11.8+dfsg-2
has caused the Debian Bug report #897109,
regarding fastqc: autopkgtest regression
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
897109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897109
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:fastqc
Version: 0.11.8+dfsg-1
Severity: important
Tags: sid buster

fastqc fails its autopkg tests according to
https://ci.debian.net/data/packages/unstable/amd64/f/fastqc/latest-autopkgtest/log.gz

Failed to process toy.sam
htsjdk.samtools.util.RuntimeIOException: java.io.IOException: Stream closed
    at htsjdk.samtools.SamReaderFactory$SamReaderFactoryImpl.open(SamReaderFactory.java:448)
    at uk.ac.babraham.FastQC.Sequence.BAMFile.(BAMFile.java:64)
    at uk.ac.babraham.FastQC.Sequence.SequenceFactory.getSequenceFile(SequenceFactory.java:100)
    at uk.ac.babraham.FastQC.Sequence.SequenceFactory.getSequenceFile(SequenceFactory.java:62)
    at uk.ac.babraham.FastQC.Analysis.OfflineRunner.processFile(OfflineRunner.java:152)
    at uk.ac.babraham.FastQC.Analysis.OfflineRunner.(OfflineRunner.java:121)
    at uk.ac.babraham.FastQC.FastQCApplication.main(FastQCApplication.java:316)
Caused by: java.io.IOException: Stream closed
    at java.base/java.io.BufferedInputStream.getInIfOpen(BufferedInputStream.java:165)
    at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:252)
    at java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:292)
    at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:351)
    at htsjdk.samtools.util.BlockCompressedInputStream.readBytes(BlockCompressedInputStream.java:583)
    at htsjdk.samtools.util.BlockCompressedInputStream.isValidFile(BlockCompressedInputStream.java:443)
    at htsjdk.samtools.SamStreams.isBAMFile(SamStreams.java:51)
    at htsjdk.samtools.SamReaderFactory$SamReaderFactoryImpl.open(SamReaderFactory.java:374)
    ... 6 more
autopkgtest [08:36:51]: test run-unit-test: ---]
autopkgtest [08:36:51]: test run-unit-test:  - - - - - - - - - - results - - - - - - - - - -
run-unit-test        FAIL non-zero exit status 1
autopkgtest [08:36:51]:  summary
--- End Message ---
--- Begin Message ---
Source: fastqc
Source-Version: 0.11.8+dfsg-2

We believe that the bug you reported is fixed in the latest version of
fastqc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 897...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dylan Aïssi  (supplier of updated fastqc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Tue, 21 May 2019 22:20:32 +0200
Source: fastqc
Architecture: source
Version: 0.11.8+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team 

Changed-By: Dylan Aïssi 
Closes: 897109
Changes:
 fastqc (0.11.8+dfsg-2) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Jelmer Vernooij ]
   * Trim trailing whitespace.
   * Use secure copyright file specification URI.
 .
   [ Michael R. Crusoe ]
   * debian/fastqc.desktop: Update path to the icon.
 .
   [ Dylan Aïssi ]
   * Update d/patches/htsjdk-api.patch to fix processing
   of SAM/BAM files (Closes: #897109). Thanks to Chris Norman.

Bug#929232: marked as done (flycheck: FTBFS (ValueError: Invalid placeholder in string))

2019-05-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 May 2019 20:40:12 +
with message-id 
and subject line Bug#929232: fixed in flycheck 31-3
has caused the Debian Bug report #929232,
regarding flycheck: FTBFS (ValueError: Invalid placeholder in string)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
929232: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929232
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:flycheck
Version: 31-2
Severity: serious
Tags: ftbfs

Dear maintainer:

I tried to build this package in buster but it failed:


[...]
 debian/rules build-indep
dh build-indep --with elpa,sphinxdoc
   dh_update_autotools_config -i
   dh_autoreconf -i
   dh_auto_configure -i
   debian/rules override_dh_auto_build
make[1]: Entering directory '/<>'
( cd doc && make OFFLINE=yes html )
make[2]: Entering directory '/<>/doc'
sphinx-build -b html -d _build/doctrees -j4 . -Dflycheck_offline_html=1 
_build/html
Running Sphinx v1.8.4
making output directory...
loading intersphinx inventory from https://docs.python.org/3.5/objects.inv...
fetching Texinfo htmlxref database from 
http://ftpmirror.gnu.org/texinfo/htmlxref.cnf... 
/<>/doc/info.py:135: RemovedInSphinx20Warning: app.info() is now 
deprecated. Use sphinx.util.logging instead.
  HTMLXRefDB.XREF_URL))

Exception occurred:
  File "/usr/lib/python3.7/string.py", line 105, in _invalid
(lineno, colno))
ValueError: Invalid placeholder in string: line 1, col 1
The full traceback has been saved in /tmp/sphinx-err-7maxd4u7.log, if you want 
to report the issue to the developers.
Please also report this if it was a user error, so that a better error message 
can be provided next time.
A bug report can be filed in the tracker at 
. Thanks!
make[2]: *** [Makefile:90: html] Error 2
make[2]: Leaving directory '/<>/doc'
make[1]: *** [debian/rules:11: override_dh_auto_build] Error 2
make[1]: Leaving directory '/<>'
make: *** [debian/rules:4: build-indep] Error 2
dpkg-buildpackage: error: debian/rules build-indep subprocess returned exit 
status 2


(The build was made with "dpkg-buildpackage -A" but I don't think it's relevant 
here)

The following lines are very suspicious:

 loading intersphinx inventory from https://docs.python.org/3.5/objects.inv...
 fetching Texinfo htmlxref database from 
http://ftpmirror.gnu.org/texinfo/htmlxref.cnf...

Packages must not use the network for building.

If this is really a bug in one of the build-depends, please use reassign and 
affects,
so that this is still visible in the BTS web page for this package.

Thanks.
--- End Message ---
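One way to spot this kind of network access in a build log, as an added example that is not part of the original bug report: it flags lines where a resource is being fetched from a URL, including the case seen above where line wrapping leaves the URL on the following line. The verb list, the function names and the last sample line are assumptions of this example; the other sample lines are taken from the log quoted in the report.

```python
import re
from typing import List, NamedTuple
from urllib.parse import urlsplit

# Assumed verb list for this example; extend it for other build tools.
_VERBS = r"(?P<verb>loading|fetching|downloading|retrieving)"
_URL = r"(?P<url>(?:https?|ftp)://[^\s'\"<>]+)"

# Verb and URL on the same line, at most 80 characters apart.
SAME_LINE = re.compile(rf"\b{_VERBS}\b.{{0,80}}?{_URL}", re.IGNORECASE)
# Verb line that ends in "from" because the URL was wrapped to the next line.
WRAPPED = re.compile(rf"\b{_VERBS}\b.{{0,80}}\bfrom\s*$", re.IGNORECASE)
URL_AT_START = re.compile(_URL)


class Fetch(NamedTuple):
    line: int  # 1-based number of the line that carries the verb
    verb: str
    url: str


def _clean(url: str) -> str:
    # Progress messages end in "..." and prose in punctuation; neither is part of the URL.
    return url.rstrip(".,;:)")


def find_network_fetches(log_text: str) -> List[Fetch]:
    """Return every line of the build log that reports fetching from a URL."""
    lines = log_text.splitlines()
    found = []
    for i, line in enumerate(lines):
        m = SAME_LINE.search(line)
        if m:
            found.append(Fetch(i + 1, m.group("verb").lower(), _clean(m.group("url"))))
            continue
        w = WRAPPED.search(line)
        if w and i + 1 < len(lines):
            # Only accept a URL that opens the next line, so that an unrelated
            # URL further down the log is not attributed to this verb.
            u = URL_AT_START.match(lines[i + 1].strip())
            if u:
                found.append(Fetch(i + 1, w.group("verb").lower(), _clean(u.group("url"))))
    return found


def fetched_hosts(log_text: str) -> List[str]:
    """Distinct hosts contacted during the build, sorted."""
    return sorted({urlsplit(f.url).hostname for f in find_network_fetches(log_text)})


SAMPLE_LOG = "\n".join([
    "dh build-indep --with elpa,sphinxdoc",
    "sphinx-build -b html -d _build/doctrees -j4 . -Dflycheck_offline_html=1 ",
    "_build/html",
    "Running Sphinx v1.8.4",
    "loading intersphinx inventory from https://docs.python.org/3.5/objects.inv...",
    "fetching Texinfo htmlxref database from ",
    "http://ftpmirror.gnu.org/texinfo/htmlxref.cnf... ",
    # Constructed line: a URL that is only mentioned, not fetched.
    "A bug report can be filed in the tracker at https://tracker.example.invalid/",
])

if __name__ == "__main__":
    for f in find_network_fetches(SAMPLE_LOG):
        print(f"line {f.line}: {f.verb} {f.url}")
    print("hosts:", ", ".join(fetched_hosts(SAMPLE_LOG)))
```
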
--- Begin Message ---
Source: flycheck
Source-Version: 31-3

We believe that the bug you reported is fixed in the latest version of
flycheck, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Whitton  (supplier of updated flycheck package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Tue, 21 May 2019 13:23:38 -0700
Source: flycheck
Architecture: source
Version: 31-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Emacs addons team 

Changed-By: Sean Whitton 
Closes: 929232
Changes:
 flycheck (31-3) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Denis Danilov ]
   * disable intersphinx and info extensions (Closes: #929232)


Bug#928631: firmware-amd-graphics: Update to 20190502-1 causus hang of system directly after grub

2019-05-21 Thread Diederik de Haas
On Tuesday, 21 May 2019 21:20:18 CEST Diederik de Haas wrote:
> What was the reason for the test?

FTR: before I did the test I had already downgraded firmware-amd-graphics and 
consequently also firmware-linux-nonfree and firmware-misc-nonfree back to 
version 20190114-1



Bug#929334: libvirt: CVE-2019-10132: Insecure permissions for systemd socket for virtlockd/virtlogd

2019-05-21 Thread Salvatore Bonaccorso
Source: libvirt
Version: 5.0.0-2
Severity: grave
Tags: security upstream
Control: found -1 5.0.0-2.1
Control: found -1 5.2.0-2

Hi,

The following vulnerability was published for libvirt.

CVE-2019-10132[0]:
Insecure permissions for systemd socket for virtlockd/virtlogd

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10132
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10132
[1] https://security.libvirt.org/2019/0003.html

Please adjust the affected versions in the BTS as needed, looks like
the issue is introduced upstream in v4.1.0-rc1 though.

Regards,
Salvatore



Processed: libvirt: CVE-2019-10132: Insecure permissions for systemd socket for virtlockd/virtlogd

2019-05-21 Thread Debian Bug Tracking System
Processing control commands:

> found -1 5.0.0-2.1
Bug #929334 [src:libvirt] libvirt: CVE-2019-10132: Insecure permissions for 
systemd socket for virtlockd/virtlogd
Marked as found in versions libvirt/5.0.0-2.1.
> found -1 5.2.0-2
Bug #929334 [src:libvirt] libvirt: CVE-2019-10132: Insecure permissions for 
systemd socket for virtlockd/virtlogd
Marked as found in versions libvirt/5.2.0-2.

-- 
929334: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929334
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#928631: firmware-amd-graphics: Update to 20190502-1 causus hang of system directly after grub

2019-05-21 Thread Diederik de Haas
On Tuesday, 21 May 2019 21:20:18 CEST Diederik de Haas wrote:
> Checking 'git log' for that specific file before I did the test made me
> conclude it wouldn't make a difference with packaged version 20190114-1
> (but did the test anyway as requested).

To verify whether that single file wasn't an anomaly, I compared the vega10* 
files from the 20190114-1 package with the files from the requested commit 
using 
SHA256 and they were all exactly the same.




Bug#918171: Broken with Thunderbird 60

2019-05-21 Thread Moritz Mühlenhoff
On Mon, May 20, 2019 at 07:03:04PM +0200, Daniel Baumann wrote:
> Hi Moritz,
> 
> sorry for the late response, your mail slipped through the cracks on my
> end.. :(
> 
> re adoption: removal request sounds fine, I currently have not enough
> time to take on more packages in Debian.

Ack, I just filed a removal bug.

Cheers,
Moritz



Bug#929332: ironic-inspector: CVE-2019-10141: SQL Injection vulnerability when receiving introspection data

2019-05-21 Thread Salvatore Bonaccorso
Source: ironic-inspector
Version: 8.0.0-2
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for ironic-inspector.

CVE-2019-10141[0]:
SQL Injection vulnerability when receiving introspection data

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10141
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10141
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1711722
[2] https://review.opendev.org/#/c/660234/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Processed: found 929297 in 1.2.20130907-4

2019-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # common anchestor for BTS graph
> found 929297 1.2.20130907-4
Bug #929297 {Done: Salvatore Bonaccorso } [minissdpd] 
minissdpd: CVE-2019-12106
Marked as found in versions minissdpd/1.2.20130907-4.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
929297: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929297
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#928944: CVE-2019-12046: lemonldap-ng tokens allows anonymous session when stored in session DB

2019-05-21 Thread Guilhem Moulin
Hi Xavier,

 # Load session data into object
 if ($data) {
+if ( $self->kind ) {
+unless ( $data->{_session_kind} eq $self->kind ) {
+$self->error("Session kind mistmatch");
+return undef;
+}
+}
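Review bot: In the added `unless ( $data->{_session_kind} eq $self->kind )`, a stored session that has no `_session_kind` key is compared as undef, which under `use warnings` emits an "uninitialized value" warning and is refused with the same message as a genuine mismatch; test `defined $data->{_session_kind}` first and decide explicitly how such records are handled. The check also accepts exactly one kind per object, so any flow that legitimately loads a session stored under a different kind needs to be adjusted in the same change. The error string "Session kind mistmatch" is misspelled, and logging both the expected and the stored kind would make a refusal diagnosable.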

Doesn't that break CDA in 1.9.7-3+deb9u1?  At least I'm no longer able
to access a protected application under domains other than the portal.

Error output shows occurrences of “Session kind mistmatch” instead, and
further debugging suggests that $data->{_session_kind} is "CDA" while
$self->kind is "SSO" in the execution flow that yields access denial.

-- 
Guilhem.




Processed: tagging 929297

2019-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 929297 + upstream fixed-upstream
Bug #929297 {Done: Salvatore Bonaccorso } [minissdpd] 
minissdpd: CVE-2019-12106
Added tag(s) upstream and fixed-upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
929297: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929297
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#928631: firmware-amd-graphics: Update to 20190502-1 causus hang of system directly after grub

2019-05-21 Thread Diederik de Haas
On dinsdag 21 mei 2019 19:24:07 CEST Romain Perier wrote:
> Hi,

Hi,

> firmware-amd-graphics 20190502-1 is based onto upstream commit
> 92e17d0dd2437140fab044ae62baf69b35d7d1fa, that is commit "amdgpu: update
> vega20 to the latest 19.10 firmware" . Two commits behind there is commit
> "amdgpu: update vega10 to the latest 19.10 firmware", that is already
> included in firmware-amd-graphics 20190502-1.
> 
> Could you try to revert "amdgpu: update vega10 to the latest 19.10
> firmware" ? So try to use the firmware for vega10 that is before this
> commit. Does it work for you ?
> 
> 1. Use linux-firmware.git with last HEAD in the master branch
> 2. git checkout 4ea5c73b96ed4a508f90047e22ccbaa477481310 (commit "amdgpu:
> update polaris11 to the latest 19.10 firmware", that is the commit before
> bumping vega10 to 19.10) 3. Copy vega10 binary blobs to
> /lib/firmware/amdgpu
> 
> Does it work ?

Yes, that does work.
What did surprise me is that I saw a blinking cursor, which I don't see with 
firmware-amd-graphics version 20190114-1.
$ git log --oneline -- amdgpu/vega10_ce.bin
0f22c85 Revert "amdgpu: update vega10 fw for 18.50 release"
ec4b0cd amdgpu: update vega10 fw for 18.50 release
ac5f8bd amdgpu: update vega10 firmware to 18.40
10e2971 amdgpu: sync up vega10 firmware with 18.20 release
0d672f7 amdgpu: sync up vega10 firmware with 18.10 release
f0698be amdgpu: add initial vega10 firmware

This tells me I'm actually running "ac5f8bd amdgpu: update vega10
firmware to 18.40"
https://tracker.debian.org/news/1021249/accepted-firmware-nonfree-20190114-1-source-into-unstable/
 contains:
- amd-graphics:
   + "Polaris10", "Polaris11", "Raven" firmware updates to sync with
 18.50 release
   + "Fiji", "Tonga", "Vega10", "Carrizo" firmware updates to sync with
 18.40 release

So in both cases I'm supposed to run the exact same firmware version, so even 
the minor change in behavior (blinking cursor) surprises me.

What was the reason for the test?
Checking 'git log' for that specific file before I did the test made me
conclude it wouldn't make a difference with packaged version 20190114-1 (but
did the test anyway as requested).

Cheers,
  Diederik



Bug#929297: found 929297 in 1.2.20130907-4.1, closing 929297

2019-05-21 Thread Salvatore Bonaccorso
found 929297 1.2.20130907-4.1
close 929297 1.5.20190210-1
thanks



Processed: found 929297 in 1.2.20130907-4.1, closing 929297

2019-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 929297 1.2.20130907-4.1
Bug #929297 [minissdpd] minissdpd: CVE-2019-12106
Marked as found in versions minissdpd/1.2.20130907-4.1.
> close 929297 1.5.20190210-1
Bug #929297 [minissdpd] minissdpd: CVE-2019-12106
Ignoring request to alter fixed versions of bug #929297 to the same values 
previously set
Bug #929297 [minissdpd] minissdpd: CVE-2019-12106
Marked Bug as done
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
929297: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929297
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#924393: marked as done (acme-tiny: Please update to ACMEv2 API)

2019-05-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 May 2019 19:03:34 +
with message-id 
and subject line Bug#924393: fixed in acme-tiny 1:4.0.4-1
has caused the Debian Bug report #924393,
regarding acme-tiny: Please update to ACMEv2 API
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
924393: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924393
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: acme-tiny
Version: 20171115-2
Severity: serious

Hi,

the package is using the ACME-v1 API. Since v4.0.0 (available since Thu
Mar 15 22:03:38 2018 -0700) it is using the ACME-v2 API.  One difference
is that the received certificate contains the parent certificate.

The important part and the reason why I think that this version is unfit
for Buster is that the v1 API is deprecated [0]. According to the URL
starting in November 2019 you won't be able to register new accounts.
At the beginning of 2021 the v1 API will be disabled for 24h until it is
completely shut down in June 2021 which is within Buster's lifetime.

Therefore I think it makes sense to prepare an update of the package and
talk to the release team.

[0] https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430

Sebastian
--- End Message ---
--- Begin Message ---
Source: acme-tiny
Source-Version: 1:4.0.4-1

We believe that the bug you reported is fixed in the latest version of
acme-tiny, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Henrique  (supplier of updated acme-tiny package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 08 Apr 2019 21:31:24 +0100
Source: acme-tiny
Architecture: source
Version: 1:4.0.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Let's Encrypt Team 
Changed-By: Samuel Henrique 
Closes: 905720 924393
Changes:
 acme-tiny (1:4.0.4-1) unstable; urgency=medium
 .
   * New upstream version 4.0.4
 - Support for ACMEv2 API (closes: #924393)
 - Add epoch as the previous releases were using calver, now we're
   using semver (closes: #905720)
   * Bump DH level to 12
   * Bump Standards-Version to 4.3.0
   * Remove previous Uploader (not active since 2017) and add myself instead
   * Remove legacy upstream changelog (it was a git log)
   * Update manpage
   * d/control: Add Build-Depends on python3-setuptools-scm
   * d/copyright:
 - Update entries
 - Add upstream email
   * debian/patches
 - setuptools-support.patch: Remove patch, no more needed
 - readme-replace-usr-bin-sh-by-bin-sh.patch: Update patch
   * d/watch: Bump to v4 and update version detection

Bug#927991: Fix for FTBFS

2019-05-21 Thread Gregor Riepl
Dear maintainer,

With the latest upload of MariaDB 10.3, --libmysqld-libs is now supported by
mysql_config/mariadb_config:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928230#46

Can you please trigger a rebuild of amarok once mariadb-10.3_1:10.3.15-1 has
hit unstable?

Please also consider unblocking the package so it can still go back into
buster, if possible.

Thanks!



Bug#928631: firmware-amd-graphics: Update to 20190502-1 causus hang of system directly after grub

2019-05-21 Thread Romain Perier
On Tue, May 21, 2019 at 09:59:21AM +0200, Diederik de Haas wrote:
> Got a new MB BIOS and after installing that, I made a new attempt with 
> firmware-amd-graphics version 20190502-1.
> It failed again, but it got slightly further this time.
> I saw a remount message, then a blinking cursor and then blank 
> screen+freeze+monitor in standby modus.
> I figured that would've produced a kern.log and it did; see attachment.
> 
> I have the upstream git repo on my machine and when I did
> "git log -- amdgpu/vega10_ce.bin" I noticed commit 
> 0f22c8527439eaaf5c3fcf87b31c89445b6fa84d with the following message:
> Revert "amdgpu: update vega10 fw for 18.50 release"
> 
> This reverts commit ec4b0cd394472ee1491df6ef5f215d1f0953f836.
> 
> This causes GPU hangs for some users.  Let's revert for now
> while we try and root cause the issue.
> 
> Sounds familiar.
> 
> What I could do is getting the various versions of amdgpu/vega10* from the 
> upstream git repo and place them in /lib/firmware/amdgpu/ to see which 
> versions 
> work and which don't.
> Would that be useful? Any specific tests I should do or data to gather 
> (please 
> indicate how I should do that)
> 
> Cheers,
>   Diederik

Hi,

firmware-amd-graphics 20190502-1 is based on upstream commit
92e17d0dd2437140fab044ae62baf69b35d7d1fa, that is commit "amdgpu: update
vega20 to the latest 19.10 firmware". Two commits behind there is commit
"amdgpu: update vega10 to the latest 19.10 firmware", that is already
included in firmware-amd-graphics 20190502-1.

Could you try to revert "amdgpu: update vega10 to the latest 19.10
firmware"? So try to use the firmware for vega10 that is before this commit.
Does it work for you?

1. Use linux-firmware.git with last HEAD in the master branch
2. git checkout 4ea5c73b96ed4a508f90047e22ccbaa477481310 (commit "amdgpu:
   update polaris11 to the latest 19.10 firmware", that is the commit before
   bumping vega10 to 19.10)
3. Copy vega10 binary blobs to /lib/firmware/amdgpu

Does it work ?


Thanks,
Regards,
Romain



Bug#915128: Dont't include in buster

2019-05-21 Thread Moritz Muehlenhoff
On Tue, May 21, 2019 at 12:08:45PM -0400, Boyuan Yang wrote:
> On Fri, 30 Nov 2018 19:51:20 +0100 Moritz Muehlenhoff  wrote:
> > Source: swftools
> > Severity: serious
> > 
> > swftools is orphaned for a year, dead upstream and has frequent security
> > issues. Also, Flash is a thing of the past, so let's drop it from buster
> > (initially filing this bug to out it out of testing, will also sort out
> > the removal, which will take longer).
> > 
> > One one rev dep is left in testing (jquery-jplayer), I'll file a separate
> > bug against it.
> 
> Jquery-jplayer has been removed from Sid and Testing. There's no other reverse
> dependencies in Sid now. Maybe we can consider to get swftools out from Sid
> soon.

There's one more blocker: src:yui3 build-depends on swftools to generate some
SWFs. The only reverse dep is loggerhead-breezy and Jelmer confirmed that
Loggerhead doesn't use the SWFs shipped in Yui3.

So what we need is an NMU on yui3, which drops the build dep on swftools and
strips the SWFs from the "yui3" packages, then we're good to remove swftools.

I haven't found the time to do that for a while, but help is welcome :-)

Cheers,
Moritz



Bug#928957: marked as done (expiration task fails on non-existent files)

2019-05-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 May 2019 16:18:33 +
with message-id 
and subject line Bug#928957: fixed in apt-cacher-ng 3.2-2
has caused the Debian Bug report #928957,
regarding expiration task fails on non-existent files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
928957: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928957
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apt-cacher-ng
Version: 3.2-1
Severity: serious

This bug is basically a reminder to myself and not to whoever runs into
this issue.

Looks like apt-cacher-ng expiry manages to maneuver itself into a state
which cannot be recovered. It reports non-existent files from apparently
guessed sources, like:

Error summary:
debrep/dists/jessie/main/installer-amd64/current/images/SHA256SUMS: 404 Not Found
debrep/dists/stretch/main/installer-amd64/20170615+deb9u5+b2/images/SHA256SUMS: 404 Not Found
localhost/ftp.de.debian.org/debian/dists/stretch/main/installer-amd64/20170615+deb9u5+b2/images/SHA256SUMS: 404 Not Found
localhost/ftp.de.debian.org/debian/dists/stretch/main/installer-amd64/20170615/images/SHA256SUMS: 404 Not Found

I have a vague idea where it comes from (old heuristics which fetched
voluntarily additional metadata which was not well linked in old Debian
versions, like 10 years ago). This needs to be investigated (digging
through history) and probably removed, or fixed.

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
--- End Message ---
--- Begin Message ---
Source: apt-cacher-ng
Source-Version: 3.2-2

We believe that the bug you reported is fixed in the latest version of
apt-cacher-ng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eduard Bloch  (supplier of updated apt-cacher-ng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 17 May 2019 22:59:21 +0200
Source: apt-cacher-ng
Architecture: source
Version: 3.2-2
Distribution: unstable
Urgency: medium
Maintainer: Eduard Bloch 
Changed-By: Eduard Bloch 
Closes: 928957
Changes:
 apt-cacher-ng (3.2-2) unstable; urgency=medium
 .
   *  Fix for incorrect assumption of some existing SHA256SUMS files in Debian
  repositories which makes the expiration task fail without a proper way
  for the end user to recover from it. Now ignore a download error in this
  case (similar handling as for other guesses), assuming that permanent
  404ing for other reasons than removal of remote content can be considered
  unlikely (closes: #928957)

Bug#915128: Dont't include in buster

2019-05-21 Thread Boyuan Yang
On Fri, 30 Nov 2018 19:51:20 +0100 Moritz Muehlenhoff  wrote:
> Source: swftools
> Severity: serious
> 
> swftools is orphaned for a year, dead upstream and has frequent security
> issues. Also, Flash is a thing of the past, so let's drop it from buster
> (initially filing this bug to out it out of testing, will also sort out
> the removal, which will take longer).
> 
> One one rev dep is left in testing (jquery-jplayer), I'll file a separate
> bug against it.

Jquery-jplayer has been removed from Sid and Testing. There's no other reverse
dependencies in Sid now. Maybe we can consider to get swftools out from Sid
soon.

Thanks,
Boyuan Yang




Bug#922669: marked as done (sqlalchemy: CVE-2019-7164 CVE-2019-7548 (SQL injection))

2019-05-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 May 2019 16:05:37 +
with message-id 
and subject line Bug#922669: fixed in sqlalchemy 1.2.18+ds1-2
has caused the Debian Bug report #922669,
regarding sqlalchemy: CVE-2019-7164 CVE-2019-7548 (SQL injection)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
922669: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922669
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: sqlalchemy
Version: 1.2.15+ds1-1
Severity: important
Tags: security upstream

Hi,

The following vulnerabilities were published for sqlalchemy.

CVE-2019-7164[0]:
| SQL Injection when the order_by parameter can be controlled

CVE-2019-7548[1]:
| SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be
| controlled.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-7164
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7164
[1] https://security-tracker.debian.org/tracker/CVE-2019-7548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7548

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: sqlalchemy
Source-Version: 1.2.18+ds1-2

We believe that the bug you reported is fixed in the latest version of
sqlalchemy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 922...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand  (supplier of updated sqlalchemy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 21 May 2019 16:23:35 +0200
Source: sqlalchemy
Binary: python-sqlalchemy python-sqlalchemy-doc python-sqlalchemy-ext 
python-sqlalchemy-ext-dbgsym python3-sqlalchemy python3-sqlalchemy-ext 
python3-sqlalchemy-ext-dbgsym
Architecture: source all amd64
Version: 1.2.18+ds1-2
Distribution: unstable
Urgency: high
Maintainer: Piotr Ożarowski 
Changed-By: Thomas Goirand 
Description:
 python-sqlalchemy - SQL toolkit and Object Relational Mapper for Python
 python-sqlalchemy-doc - documentation for the SQLAlchemy Python library
 python-sqlalchemy-ext - SQL toolkit and Object Relational Mapper for Python - 
C extension
 python3-sqlalchemy - SQL toolkit and Object Relational Mapper for Python 3
 python3-sqlalchemy-ext - SQL toolkit and Object Relational Mapper for Python3 
- C extensio
Closes: 922669
Changes:
 sqlalchemy (1.2.18+ds1-2) unstable; urgency=high
 .
   * Team upload.
   * CVE-2019-7164 CVE-2019-7548: SQL injection. Apply upstream backported patch
 for this. Note: This potentially impacts applications (Closes: #922669).
 
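The two CVEs in this report concern `order_by` and `group_by` values that a caller controls. ORDER BY and GROUP BY targets are identifiers, which cannot be passed as bound parameters, so an application-side defence is to map caller input onto an allowlist of columns. The code below is an added example, not SQLAlchemy's code or the backported patch; it uses the standard-library `sqlite3` module, and the table, column and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data: (name, role, login_count).
SAMPLE_USERS = [("alice", "admin", 3), ("bob", "user", 1), ("carol", "user", 2)]

# API-facing key -> real column identifier (all names are assumptions for this example).
# Only the right-hand strings ever reach the SQL text.
SORTABLE = {"name": "name", "role": "role", "logins": "login_count"}
GROUPABLE = {"role": "role"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


class RejectedClause(ValueError):
    """Caller-supplied ORDER BY / GROUP BY input that is not on the allowlist."""


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, login_count INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def order_clause(spec):
    """Translate e.g. 'role:desc,name' into 'role DESC, name ASC'.

    Every term must be an allowlisted key with an optional ':asc' or ':desc'.
    Anything else, including a real column name that is not exposed, is refused.
    """
    terms = []
    for part in spec.split(","):
        key, _, direction = part.strip().partition(":")
        direction = (direction or "asc").lower()
        if key not in SORTABLE or direction not in DIRECTIONS:
            raise RejectedClause(f"unsupported sort term: {part!r}")
        terms.append(f"{SORTABLE[key]} {DIRECTIONS[direction]}")
    return ", ".join(terms)


def user_names(conn, sort_spec, min_logins=0):
    """Return user names; the filter value is bound, the sort columns are allowlisted."""
    sql = (
        "SELECT name FROM users WHERE login_count >= ? "
        f"ORDER BY {order_clause(sort_spec)}"
    )
    return [row[0] for row in conn.execute(sql, (min_logins,))]


def count_by(conn, group_key):
    """Return {group value: row count} for an allowlisted grouping column."""
    if group_key not in GROUPABLE:
        raise RejectedClause(f"unsupported group key: {group_key!r}")
    col = GROUPABLE[group_key]
    sql = f"SELECT {col}, COUNT(*) FROM users GROUP BY {col} ORDER BY {col}"
    return dict(conn.execute(sql).fetchall())


def is_rejected(fn, *args):
    """True when fn(*args) refuses its input with RejectedClause."""
    try:
        fn(*args)
    except RejectedClause:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(user_names(db, "logins:desc"))
    print(user_names(db, "role:desc,name"))
    print(count_by(db, "role"))
    # Constructed hostile-looking input: refused before any SQL is built.
    print(is_rejected(user_names, db, "name desc, (select 1)"))
```
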

Bug#928990: marked as done (dmarc-cat: attempts internet communication during build)

2019-05-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 May 2019 15:33:38 +
with message-id 
and subject line Bug#928990: fixed in dmarc-cat 0.9.2-2
has caused the Debian Bug report #928990,
regarding dmarc-cat: attempts internet communication during build
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
928990: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928990
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dmarc-cat
Version: 0.9.2-1
Severity: serious


Hello, as said, the package attempts to do internet communication during 
build... this is forbidden by policy.

this is an example of what happens in Ubuntu, where internet is more strictly 
disabled:

+--+
| Build|
+--+


Unpack source
-

gpgv: Signature made Tue Feb 12 16:54:32 2019 UTC
gpgv:using RSA key 7B164204D096723B019635AB3EA1B261D97B
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./dmarc-cat_0.9.2-1.dsc
dpkg-source: info: extracting dmarc-cat in dmarc-cat-0.9.2
dpkg-source: info: unpacking dmarc-cat_0.9.2.orig.tar.gz
dpkg-source: info: unpacking dmarc-cat_0.9.2-1.debian.tar.xz

Check disc space


Sufficient free space for build

User Environment


APT_CONFIG=/var/lib/sbuild/apt.conf
DEB_BUILD_OPTIONS=parallel=4
HOME=/sbuild-nonexistent
LANG=C.UTF-8
LC_ALL=C.UTF-8
LOGNAME=buildd
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
SCHROOT_ALIAS_NAME=build-PACKAGEBUILD-16663957
SCHROOT_CHROOT_NAME=build-PACKAGEBUILD-16663957
SCHROOT_COMMAND=env
SCHROOT_GID=2501
SCHROOT_GROUP=buildd
SCHROOT_SESSION_ID=build-PACKAGEBUILD-16663957
SCHROOT_UID=2001
SCHROOT_USER=buildd
SHELL=/bin/sh
TERM=unknown
USER=buildd
V=1

dpkg-buildpackage
-

dpkg-buildpackage: info: source package dmarc-cat
dpkg-buildpackage: info: source version 0.9.2-1
dpkg-buildpackage: info: source distribution unstable
 dpkg-source --before-build .
dpkg-buildpackage: info: host architecture amd64
 fakeroot debian/rules clean
dh clean --buildsystem=golang --with=golang
   dh_auto_clean -O--buildsystem=golang
   dh_autoreconf_clean -O--buildsystem=golang
   dh_clean -O--buildsystem=golang
 debian/rules build
dh build --buildsystem=golang --with=golang
   dh_update_autotools_config -O--buildsystem=golang
   dh_autoreconf -O--buildsystem=golang
   dh_auto_configure -O--buildsystem=golang
   dh_auto_build -O--buildsystem=golang
cd obj-x86_64-linux-gnu && go install 
-gcflags=all=\"-trimpath=/<>/obj-x86_64-linux-gnu/src\" 
-asmflags=all=\"-trimpath=/<>/obj-x86_64-linux-gnu/src\" -v -p 4 
github.com/keltia/dmarc-cat
internal/race
runtime/internal/atomic
errors
internal/cpu
runtime/internal/sys
sync/atomic
unicode
unicode/utf8
encoding
internal/bytealg
math
internal/testlog
runtime
math/bits
unicode/utf16
runtime/cgo
vendor/golang_org/x/net/dns/dnsmessage
strconv
internal/nettrace
sync
io
reflect
syscall
github.com/ivpusic/grpool
internal/singleflight
math/rand
bytes
strings
bufio
text/tabwriter
hash
path
hash/crc32
internal/syscall/unix
time
internal/poll
sort
encoding/binary
os
regexp/syntax
encoding/base64
path/filepath
fmt
regexp
io/ioutil
flag
encoding/csv
encoding/xml
encoding/json
go/token
net/url
go/scanner
text/template/parse
go/ast
compress/flate
github.com/pkg/errors
github.com/proglottis/gpgme
text/template
archive/zip
go/parser
go/printer
compress/gzip
log
context
net
go/format
github.com/intel/tfortools
github.com/keltia/archive
github.com/keltia/dmarc-cat
   dh_auto_test -O--buildsystem=golang
cd obj-x86_64-linux-gnu && go test -vet=off -v -p 4 
github.com/keltia/dmarc-cat
=== RUN   TestAnalyze
--- PASS: TestAnalyze (0.00s)
=== RUN   TestGatherRows_Empty
--- PASS: TestGatherRows_Empty (0.00s)
=== RUN   TestGatherRows_Good
--- PASS: TestGatherRows_Good (0.00s)
=== RUN   TestResolveIP_Error
--- PASS: TestResolveIP_Error (0.00s)
=== RUN   TestResolveIP_Good
--- PASS: TestResolveIP_Good (0.00s)
=== RUN   TestCheckFilename
--- PASS: TestCheckFilename (0.00s)
=== RUN   TestHandleSingleFile
--- PASS: TestHandleSingleFile (0.00s)
=== RUN   TestHandleSingleFile2
--- PASS: TestHandleSingleFile2 (0.00s)
=== RUN   TestHandleSingleFile3
--- PASS: TestHandleSingleFile3 (0.00s)
=== RUN   TestHandleSingleFile4
--- PASS: TestHandleSingleFile4 (0.00s)
=== RUN   TestHandleSingleFile_Verbose
--- PASS: 

Processed: Bug#928990 marked as pending in dmarc-cat

2019-05-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #928990 [dmarc-cat] dmarc-cat: attempts internet communication during build
Added tag(s) pending.

-- 
928990: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928990
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#928990: marked as pending in dmarc-cat

2019-05-21 Thread Antoine Beaupré
Control: tag -1 pending

Hello,

Bug #928990 in dmarc-cat reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/go-team/packages/dmarc-cat/commit/63003873c96e06c7bcff6e47c083ea393c6c8f54


move test suite to autopkgtest because of network access (Closes: #928990)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/928990



Bug#922669: Debdiff to fix this

2019-05-21 Thread Thomas Goirand
Hi,

Here's, attached to this message, the debdiff to fix this CVE. Note that
the patch was backported to 1.2 by upstream himself, so it's kind of
safe to apply, however, it may potentially impact SQLAlchemy reverse
dependencies. It should be safe for OpenStack applications though.

Please, either allow me to upload as-is, or build and upload yourself
ASAP (preferably, in time for Buster).

Cheers,

Thomas Goirand (zigo)
diff -Nru sqlalchemy-1.2.18+ds1/debian/changelog 
sqlalchemy-1.2.18+ds1/debian/changelog
--- sqlalchemy-1.2.18+ds1/debian/changelog  2019-02-25 00:01:50.0 
+0100
+++ sqlalchemy-1.2.18+ds1/debian/changelog  2019-05-21 16:23:35.0 
+0200
@@ -1,3 +1,11 @@
+sqlalchemy (1.2.18+ds1-2) unstable; urgency=high
+
+  * Team upload.
+  * CVE-2019-7164 CVE-2019-7548: SQL injection. Apply upstream backported patch
+for this. Note: This potentially impacts applications (Closes: #922669).
+
+ -- Thomas Goirand   Tue, 21 May 2019 16:23:35 +0200
+
 sqlalchemy (1.2.18+ds1-1) unstable; urgency=medium
 
   * New upstream release
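Review bot: The changelog line "Note: This potentially impacts applications" does not say what breaks or what an affected user should do. The bundled patch header already explains it: a string passed to order_by() or group_by() that cannot be resolved as a label now raises an error instead of a warning, and must be wrapped in text(). Say that here, so that someone reading only the changelog of an urgency=high upload knows which applications to check.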
diff -Nru 
sqlalchemy-1.2.18+ds1/debian/patches/CVE-2019-7164_and_7548_Illustrate_fix_for_4481_in_terms_of_a_1.2_patch.patch
 
sqlalchemy-1.2.18+ds1/debian/patches/CVE-2019-7164_and_7548_Illustrate_fix_for_4481_in_terms_of_a_1.2_patch.patch
--- 
sqlalchemy-1.2.18+ds1/debian/patches/CVE-2019-7164_and_7548_Illustrate_fix_for_4481_in_terms_of_a_1.2_patch.patch
   1970-01-01 01:00:00.0 +0100
+++ 
sqlalchemy-1.2.18+ds1/debian/patches/CVE-2019-7164_and_7548_Illustrate_fix_for_4481_in_terms_of_a_1.2_patch.patch
   2019-05-21 16:23:35.0 +0200
@@ -0,0 +1,331 @@
+Description: CVE-2019-7164 / CVE-2019-7548: Illustrate fix for #4481 in terms 
of a 1.2 patch
+ Release 1.2 has decided (so far) not to backport 1.3's fix for #4481 as it is
+ backwards-incompatible with code that relied upon the feature of automatic 
text
+ coercion in SQL statements.  However, for the specific case of order_by() and
+ group_by(), we present a patch that backports the specific change in compiler
+ to have 1.3's behavior for order_by/group_by specifically.   This is much more
+ targeted than the 0.9 version of the patch as it takes advantage 1.0's
+ architecture which runs all order_by() / group_by() through a label lookup 
that
+ only warns if the label can't be matched.
+ .
+ For an example of an application that was actually impacted by 1.3's change
+ and how they had to change it, see:
+ .
+ https://github.com/ctxis/CAPE/commit/be0482294f5eb30026fe97a967ee5a768d032278
+ .
+ Basically, in the uncommon case an application is actually using the text
+ coercion feature which was generally little-known, within the order_by()
+ and group_by() an error is now raised instead of a warning; the application
+ must instead ensure the SQL fragment is passed within a text() construct.
+ The above application has also been seeing a warning about this since 1.0
+ which apparently remained unattended.
+ .
+ The patch includes adjustments to the tests that were testing for the
+ warning to now test that an exception is raised. Any distro that wants
+ to patch the specific CVE issue resolved in #4481 to SQLAlchemy 1.0, 1.1
+ or 1.2 can use this patch.
+Author: Mike Bayer 
+Date: Mon, 08 Apr 2019 22:07:35 -0400
+Change-Id: I3363b21428f1ad8797394b63197375a2e56a0bd7
+References: #4481
+Bug-Debian: https://bugs.debian.org/922669
+Origin: upstream, 
https://gerrit.sqlalchemy.org/#/c/sqlalchemy/sqlalchemy/+/1184/
+Last-Update: 2019-05-21
+
+diff --git a/lib/sqlalchemy/sql/compiler.py b/lib/sqlalchemy/sql/compiler.py
+index 5a11ed1..4780bab 100644
+--- a/lib/sqlalchemy/sql/compiler.py
 b/lib/sqlalchemy/sql/compiler.py
+@@ -757,12 +757,11 @@
+ else:
+ col = with_cols[element.element]
+ except KeyError:
+-# treat it like text()
+-util.warn_limited(
+-"Can't resolve label reference %r; converting to text()",
+-util.ellipses_string(element.element),
++elements._no_text_coercion(
++element.element,
++exc.CompileError,
++"Can't resolve label reference for ORDER BY / GROUP BY.",
+ )
+-return self.process(element._text_clause)
+ else:
+ kwargs["render_label_as_label"] = col
+ return self.process(
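Review bot: With "return self.process(element._text_clause)" removed, the "except KeyError:" branch no longer returns or raises by itself; it depends entirely on elements._no_text_coercion() always raising. If that helper ever returned, control would fall out of the except branch and the unresolved string would no longer be rejected at this point. Add a short comment at the call site stating that the helper never returns, or make the raise explicit here, so a later refactoring of the helper cannot quietly reopen the text-coercion path this patch closes.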
+diff --git a/lib/sqlalchemy/sql/elements.py b/lib/sqlalchemy/sql/elements.py
+index 299fcad..ff86deb 100644
+--- a/lib/sqlalchemy/sql/elements.py
 b/lib/sqlalchemy/sql/elements.py
+@@ -4432,6 +4432,17 @@
+ )
+ 
+ 
++def _no_text_coercion(element, exc_cls=exc.ArgumentError, extra=None):
++raise exc_cls(
++"%(extra)sTextual SQL expression %(expr)r should be "
++"explicitly declared as text(%(expr)r)"
++% {
++"expr": util.ellipses_string(element),
++"extra": "%s " % extra if extra else "",
++}
++)
++
++
+ def _no_literals(element):
+ 
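Review bot: _no_text_coercion() has no docstring, and neither its name nor its signature tells a caller that it unconditionally raises. The compiler.py call site in this same patch relies on exactly that, so document it here: always raises exc_cls, and extra is prefixed to the message. The message also embeds the repr of the rejected expression, shortened only by util.ellipses_string(); when that string came from request input it will appear wherever the exception is logged or displayed, which deserves a sentence in the docstring as well.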

Processed: your mail

2019-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> forwarded 897109 https://github.com/samtools/htsjdk/issues/1373
Bug #897109 [src:fastqc] fastqc: autopkgtest fails with new version while 
succeeded in the past; htsjdk.samtools.util.RuntimeIOException: 
java.io.IOException: Stream closed
Bug #923428 [src:fastqc] fastqc: autopkgtest regression
Set Bug forwarded-to-address to 
'https://github.com/samtools/htsjdk/issues/1373'.
Set Bug forwarded-to-address to 
'https://github.com/samtools/htsjdk/issues/1373'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
897109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897109
923428: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923428
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#905022: gcc-8 documentation packages

2019-05-21 Thread Dmitry Eremin-Solenikov
Hello,

I've updated gcc-doc/gcc-doc-defaults packages to support new gcc-8
documentation generation. NMU Packages are uploaded to
mentors.debian.net
for review, git trees are put on salsa.debian.org/gcc-doc (-defaults).

-- 
With best wishes
Dmitry



Bug#897109: fastqc: htsjdk.samtools.util.RuntimeIOException: java.io.IOException: Stream closed

2019-05-21 Thread Andreas Tille
Hi Dylan,

On Tue, May 21, 2019 at 02:32:48PM +0200, Dylan Aïssi wrote:
> Control: severity -1 serious
> 
> Hi,
> I have tested the testsuite with the upstream binary (FastQC 0.11.8)
> and there is no error, so the testsuite is fine. This bug was probably
> hidden before we added the test of bam and sam files. Currently,
> fastqc from our package is unable to process bam and sam files which
> is very annoying for Buster. I guess we have to modify
> htsjdk-api.patch, but I admit I have no clue how to fix it. The
> easiest way should be to add SAMFileReader like suggested in [1]. Any
> suggestion?

Thanks for pointing out this issue.
No better suggestion than the naive one that I gave in issue #767.
Maybe FastQC contacting upstream is a good idea.

Kind regards

Andreas.

> [1] https://github.com/samtools/htsjdk/issues/767#issuecomment-264843094

-- 
http://fam-tille.de



Processed: libgovirt: diff for NMU version 0.3.4-3.1

2019-05-21 Thread Debian Bug Tracking System
Processing control commands:

> tags 915270 + patch
Bug #915270 [src:libgovirt] libgovirt: FTBFS because https-cert/ca-cert.pem is 
expired
Added tag(s) patch.
> tags 915270 + pending
Bug #915270 [src:libgovirt] libgovirt: FTBFS because https-cert/ca-cert.pem is 
expired
Added tag(s) pending.

-- 
915270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915270
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#915270: libgovirt: diff for NMU version 0.3.4-3.1

2019-05-21 Thread Giovanni Mascellani
Control: tags 915270 + patch
Control: tags 915270 + pending

Dear maintainer,

I've prepared an NMU for libgovirt (versioned as 0.3.4-3.1) and
uploaded it to DELAYED/02. Please feel free to tell me if I
should delay it longer.

Regards, Giovanni.
-- 
Giovanni Mascellani 
Postdoc researcher - Université Libre de Bruxelles
diff -Nru libgovirt-0.3.4/debian/changelog libgovirt-0.3.4/debian/changelog
--- libgovirt-0.3.4/debian/changelog	2018-12-28 03:33:34.0 +0100
+++ libgovirt-0.3.4/debian/changelog	2019-05-21 14:32:51.0 +0200
@@ -1,3 +1,11 @@
+libgovirt (0.3.4-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Regenerate test certificates with expiration date far in the future to
+fix test failures (closes: #915270).
+
+ -- Giovanni Mascellani   Tue, 21 May 2019 14:32:51 +0200
+
 libgovirt (0.3.4-3) unstable; urgency=medium
 
   * Bump debhelper compat to 11
diff -Nru libgovirt-0.3.4/debian/patches/series libgovirt-0.3.4/debian/patches/series
--- libgovirt-0.3.4/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ libgovirt-0.3.4/debian/patches/series	2019-05-21 14:16:12.0 +0200
@@ -0,0 +1 @@
+update_certs
diff -Nru libgovirt-0.3.4/debian/patches/update_certs libgovirt-0.3.4/debian/patches/update_certs
--- libgovirt-0.3.4/debian/patches/update_certs	1970-01-01 01:00:00.0 +0100
+++ libgovirt-0.3.4/debian/patches/update_certs	2019-05-21 14:32:51.0 +0200
@@ -0,0 +1,269 @@
+From: Giovanni Mascellani 
+Subject: Regenerate test certificates
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915270
+
+Tests fail because test certificates are now expired. This patch
+regenerates them with expiration date in a century (I'll remember
+to ask my grandchildren to regenerate them before then in my
+will).
+
+Useful information about how to regenerate: https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
+(but I doubt my granchildren will be able to still see that
+page).
+
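Review bot: The patch header records how the certificates were regenerated only as a link to an external blog post, which the header itself expects to disappear. Put the exact commands (key size, digest, subject, validity period) in this header or in a script next to the files under tests/https-cert/, so the next person can reproduce or rotate them from the source tree alone. A validity of a century avoids the next FTBFS, but it also means the test suite never exercises expiry; generating the certificates when the tests run would remove the time dependency altogether.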
+Index: libgovirt-0.3.4/tests/https-cert/ca-cert.pem
+===
+--- libgovirt-0.3.4.orig/tests/https-cert/ca-cert.pem
 libgovirt-0.3.4/tests/https-cert/ca-cert.pem
+@@ -1,32 +1,22 @@
+ -BEGIN CERTIFICATE-
+-MIIFfzCCA2egAwIBAgIJAJe68wcZuCytMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV
+-BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
+-Q29tcGFueSBMdGQxEjAQBgNVBAMMCWdvdmlydCBDQTAeFw0xNjA0MTIxNTEyNDFa
+-Fw0xOTA0MTIxNTEyNDFaMFYxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0
+-IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxEjAQBgNVBAMMCWdv
+-dmlydCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALj2s6YqG9CE
+-O7ZxudxjGRSN3rUsnc++p0I+Exo32lsPMD3AXGJ9EwGnXhoRvGnuF2piICZ3CLl2
+-nOH/7Ta8Sb/RuHj67XpJyOhgamM9HULff7ZFXyOrSVyf7YhetCqtx6QhwGfeJ88A
+-MsClJmLZ0AkC1rqtIze9r7HCHZCQxkZZHKV0EhF8RaK0oBxjt6MFIru/kzQCXvWT
+-t9/RaaxhOdboCtTEmu5oTBQfmKUzl4KT3byYVhdm70MEu/PES1XcgnI2RiHcggrI
+-jJ7IknDZTZVK6r0uYLwhBLYA7WsHjRuinTC45dfGcZo0ZTn3khO2Get1negU6wuq
+-kkxyc/Su+tU+eH74haW58Xa3DRXlRNHu91ll81W1Wtpi2osDlImIbM/a+FTSTenl
+-/bIpPOSqbncvi0yfOoZJhH/u8jgQl3hKVgcA8wYdBj/zcHknldnjeS/k0zI84jOd
+-ZrSWL/U7CRGiqJJgRpEKMlggf8Zyh+Lu5Hs6DJrSMG36nbLuukioNCzk7mzMJtOk
+-kcE2576RA/1qkYdno06ZHCR7AnOlwvOKusS8ApIti/quQy1COanBYKaiXOJOemZ2
+-n5D3cDsqRk1s/Wj53Ci9KurhGoQOoquRXHv7Z3vzBtZdqZBdwLH3r0pM85a//M6c
+-HkDwEDsZNUPlvteDahhMPt2qjJNI1ucVAgMBAAGjUDBOMB0GA1UdDgQWBBTxTMG0
+-4azCV/NN7/DhFI5tVp9t3TAfBgNVHSMEGDAWgBTxTMG04azCV/NN7/DhFI5tVp9t
+-3TAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQA0OOkImczWNwgz/CaB
+-mEx6odCM0Kv2ozZ6d8ttsj4w9S3tn0HSR1xM62F/GmO1NfxQXKWTR3xYMou0fQVA
+-RskWy/I9WVN/BTD2QSPD9b3fqZvXgi5eMXVeT/1zO2LywV/APLzVl+jbB3WT9J+9
+-1CHyiMNQUUbkIULmE3Z4FPYL30TGbAj4QSIIAbJlHAxRsrTbLXqRXnqw/NxdKdBk
+-v1AOvCenu1HcbtWwDnwrIJGt8/igPB5KqsBzHVfcVmvpXUDC1oLf8w8v7nUB55hs
+-ZMFyaeEcmc+W2B/JM26npbfTCjST9D6kxBXUhIeu9oJDimfiUqYUaZOuybUM6ZEy
+-76vsO8qB06AuA+KhbvBgz8VHveMCnL516VIB8gxThvBgGIe7AQJuDHCy3+oRJ1+k
+-kQm04t2k+Gg03ZpgtzbKaOCL6zRFyy5XE8h59/92KyUh804WTiS5MQZLTnqONqS1
+-49BWXgTZgL+PvMr2xzE5ECs3lkcNpO3TvQJB6eSg0X6NQEscQRbTI1qrmszfAov3
+-teQQlwZZHwzXhJxDNAW9u4oaCWbhRsVbYIoDDdvgIeeLozNaQgJkVzQOrSDOcbrk
+-4cclYBgxgSAp1wvlje6iUFGGz6Q37GLBhqBTONjIL2ArlizqznGvBbQ/0CO1bij4
+-mePFkPdR8OZWT1+FN6HavKYtPg==



Processed: fastqc: htsjdk.samtools.util.RuntimeIOException: java.io.IOException: Stream closed

2019-05-21 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 serious
Bug #897109 [src:fastqc] fastqc: autopkgtest fails with new version while 
succeeded in the past; htsjdk.samtools.util.RuntimeIOException: 
java.io.IOException: Stream closed
Bug #923428 [src:fastqc] fastqc: autopkgtest regression
Severity set to 'serious' from 'important'
Severity set to 'serious' from 'important'

-- 
897109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897109
923428: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923428
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#921952: [Pkg-sass-devel] Bug#921952: Don't include in buster without proper commitment to update in stable

2019-05-21 Thread Moritz Muehlenhoff
On Tue, May 21, 2019 at 10:01:55AM +0200, Aljoscha Lautenbach wrote:
> Hi,
> 
> On Mon, 20 May 2019 at 23:11, Moritz Mühlenhoff  wrote:
> > What's considered needed is that someone should actually look through
> > https://security-tracker.debian.org/tracker/source-package/libsass and
> > triage/fix.
> >
> > The only visible action done in five weeks was to lower the severity, so
> > I'm reverting to RC status until there's some actual work happening.
> 
> I'm sorry, I have been very busy since I got back from vacation. I certainly
> see your point, I will try to show some visible progress by next week.

Great! There's also a MR on salsa, so make sure to prevent duplicated work:
https://salsa.debian.org/sass-team/libsass/merge_requests/1

Cheers,
Moritz



Bug#928393: marked as done (mariadb-10.3: CVE-2019-2614 CVE-2019-2627 CVE-2019-2628)

2019-05-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 May 2019 09:20:54 +
with message-id 
and subject line Bug#928393: fixed in mariadb-10.3 1:10.3.15-1
has caused the Debian Bug report #928393,
regarding mariadb-10.3: CVE-2019-2614 CVE-2019-2627 CVE-2019-2628
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
928393: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928393
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mariadb-10.3
Version: 1:10.3.14-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerabilities were published for mariadb-10.3.

CVE-2019-2614[0]:
| Vulnerability in the MySQL Server component of Oracle MySQL
| (subcomponent: Server: Replication). Supported versions that are
| affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior.
| Difficult to exploit vulnerability allows high privileged attacker
| with network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete DOS)
| of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS
| Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2019-2627[1]:
| Vulnerability in the MySQL Server component of Oracle MySQL
| (subcomponent: Server: Security: Privileges). Supported versions that
| are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and
| prior. Easily exploitable vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability
| impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2019-2628[2]:
| Vulnerability in the MySQL Server component of Oracle MySQL
| (subcomponent: InnoDB). Supported versions that are affected are
| 5.7.25 and prior and 8.0.15 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access via
| multiple protocols to compromise MySQL Server. Successful attacks of
| this vulnerability can result in unauthorized ability to cause a hang
| or frequently repeatable crash (complete DOS) of MySQL Server. CVSS
| 3.0 Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-2614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2614
[1] https://security-tracker.debian.org/tracker/CVE-2019-2627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2627
[2] https://security-tracker.debian.org/tracker/CVE-2019-2628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2628
[3] https://mariadb.com/kb/en/library/mariadb-10315-release-notes/

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: mariadb-10.3
Source-Version: 1:10.3.15-1

We believe that the bug you reported is fixed in the latest version of
mariadb-10.3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Otto Kekäläinen  (supplier of updated mariadb-10.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 21 May 2019 10:45:37 +0300
Source: mariadb-10.3
Binary: libmariadb-dev libmariadbclient-dev libmariadb-dev-compat libmariadb3 
libmariadbd19 libmariadbd-dev mariadb-common mariadb-client-core-10.3 
mariadb-client-10.3 mariadb-server-core-10.3 mariadb-server-10.3 mariadb-server 
mariadb-client mariadb-backup mariadb-plugin-connect mariadb-plugin-rocksdb 
mariadb-plugin-oqgraph mariadb-plugin-tokudb mariadb-plugin-mroonga 
mariadb-plugin-spider mariadb-plugin-gssapi-server mariadb-plugin-gssapi-client 
mariadb-plugin-cracklib-password-check mariadb-test mariadb-test-data

Bug#921599: marked as done (python-mysqldb: always connects to localhost ignoring host entry in option file)

2019-05-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 May 2019 09:20:54 +
with message-id 
and subject line Bug#921599: fixed in mariadb-10.3 1:10.3.15-1
has caused the Debian Bug report #921599,
regarding python-mysqldb: always connects to localhost ignoring host entry in 
option file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
921599: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921599
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-mysqldb
Version: 1.3.10-2
Severity: normal

When connecting like this:
connection = MySQLdb.connect(read_default_file=dbconfig)
lines in the option file specifying a remote host are ignored.
Whatever host is specified in the option file, python-mysqldb always attempts a
connection to localhost.

Named host parameters to MySQLdb.connect() are handled correctly.

-- System Information:
Debian Release: buster/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.20.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:de:hr (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-mysqldb depends on:
ii  libc6        2.28-5
ii  libmariadb3  1:10.3.12-2
ii  libssl1.1    1.1.1a-1
ii  python       2.7.15-4
ii  zlib1g       1:1.2.11.dfsg-1

python-mysqldb recommends no packages.

Versions of packages python-mysqldb suggests:
ii  mariadb-server-10.3 [virtual-mysql-server]  1:10.3.12-2
pn  python-egenix-mxdatetime
pn  python-mysqldb-dbg  

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: mariadb-10.3
Source-Version: 1:10.3.15-1

We believe that the bug you reported is fixed in the latest version of
mariadb-10.3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 921...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Otto Kekäläinen  (supplier of updated mariadb-10.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 21 May 2019 10:45:37 +0300
Source: mariadb-10.3
Binary: libmariadb-dev libmariadbclient-dev libmariadb-dev-compat libmariadb3 
libmariadbd19 libmariadbd-dev mariadb-common mariadb-client-core-10.3 
mariadb-client-10.3 mariadb-server-core-10.3 mariadb-server-10.3 mariadb-server 
mariadb-client mariadb-backup mariadb-plugin-connect mariadb-plugin-rocksdb 
mariadb-plugin-oqgraph mariadb-plugin-tokudb mariadb-plugin-mroonga 
mariadb-plugin-spider mariadb-plugin-gssapi-server mariadb-plugin-gssapi-client 
mariadb-plugin-cracklib-password-check mariadb-test mariadb-test-data
Architecture: source
Version: 1:10.3.15-1
Distribution: unstable
Urgency: high
Maintainer: Debian MySQL Maintainers 
Changed-By: Otto Kekäläinen 
Description:
 libmariadb-dev - MariaDB database development files
 libmariadb-dev-compat - MariaDB Connector/C, compatibility symlinks
 libmariadb3 - MariaDB database client library
 libmariadbclient-dev - MariaDB database development files (transitional 
package)
 libmariadbd-dev - MariaDB embedded database, development files
 libmariadbd19 - MariaDB embedded database, shared library
 mariadb-backup - Backup tool for MariaDB server
 mariadb-client - MariaDB database client (metapackage depending on the latest 
vers
 mariadb-client-10.3 - MariaDB database client binaries
 mariadb-client-core-10.3 - MariaDB database core client binaries
 mariadb-common - MariaDB common metapackage
 mariadb-plugin-connect - Connect storage engine for MariaDB
 mariadb-plugin-cracklib-password-check - CrackLib Password Validation Plugin 
for MariaDB
 mariadb-plugin-gssapi-client - GSSAPI authentication plugin for MariaDB client
 mariadb-plugin-gssapi-server - GSSAPI authentication plugin for MariaDB server
 mariadb-plugin-mroonga - Mroonga storage engine for MariaDB
 mariadb-plugin-oqgraph - OQGraph storage engine for MariaDB
 mariadb-plugin-rocksdb - RocksDB storage engine for MariaDB
 mariadb-plugin-spider - Spider storage engine for 

Processed: minissdpd: fixed 929297 1.5.20190210-1

2019-05-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> fixed 929297 1.5.20190210-1
Bug #929297 [minissdpd] minissdpd: CVE-2019-12106
Marked as fixed in versions minissdpd/1.5.20190210-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
929297: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929297
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#929297: minissdpd: CVE-2019-12106

2019-05-21 Thread Thomas Goirand
On 5/21/19 8:06 AM, Chris Lamb wrote:
> Package: minissdpd
> Version: 1.2.20130907-3+deb8u1
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for minissdpd.
> 
> CVE-2019-12106[0]:
> | The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and
> | 1.5 allows a remote attacker to crash the process due to a Use After
> | Free vulnerability.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-12106
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12106
> 
> 
> Regards,
> 

Hi Chris & the security team,

The version in Sid / Buster isn't affected, as version 1.5.20190210 from
upstream already has the patch (ie: *pp = p->next). The security tracker
seems to know about it already.

Chris, thanks for your proposal to update Stretch, I very much
appreciate it.

Cheers,

Thomas Goirand (zigo)



Bug#921952: [Pkg-sass-devel] Bug#921952: Don't include in buster without proper commitment to update in stable

2019-05-21 Thread Aljoscha Lautenbach
Hi,

On Mon, 20 May 2019 at 23:11, Moritz Mühlenhoff  wrote:
> What's considered needed is that someone should actually look through
> https://security-tracker.debian.org/tracker/source-package/libsass and
> triage/fix.
>
> The only visible action done in five weeks was to lower the severity, so
> I'm reverting to RC status until there's some actual work happening.

I'm sorry, I have been very busy since I got back from vacation. I certainly
see your point, I will try to show some visible progress by next week.

Kind regards,
Aljoscha



Bug#928990: dmarc-cat: attempts internet communication during build

2019-05-21 Thread Gianfranco Costamagna
Hello,

>I don't know how to handle this in the package build... Maybe I should
>just disable the test suite?

Maybe asking upstream for a test switch to disable a subset of tests might be good?

>Is there a knob (like an environment variable) that I can use to disable
>the test suite selectively when building under the buildds?

I'm not aware of any of them, but I'm not that good at this programming language.

>In another package I maintain (monkeysign), I added an environment
>variable that disables network tests in debian/rules, but that turns off
>all network tests in the debian package build. Is this the same as what
>I should do here?
>
>Are autopkgtests allowed to do network requests? Maybe I should just move
>the test suite there?

Yes, autopkgtests are allowed to do a lot of things, and this is one of the
reasons for them to exist, so I think having a subset of the testsuite running
during build, and one full one in autopkgtest, is the best thing to do. (You
might ask upstream for some hints about an environment variable to selectively
disable them, or something similar?) I really don't know if Go packages have
something like that...

HTH,
G.
  

Bug#929034: closed by Axel Beckert (Bug#929034: fixed in evolvotron 0.7.1-3)

2019-05-21 Thread Saverio Brancaccio
For information, I just updated evolvotron package in my debian sid with
the fixing patch and it's working very well!
Many thanks to all of you for the attention and support, the Debian
Community is great!


Bug#927126: marked as done (aqemu: after updating can't open VMs)

2019-05-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 May 2019 06:48:34 +
with message-id 
and subject line Bug#927126: fixed in aqemu 0.9.2-2.2
has caused the Debian Bug report #927126,
regarding aqemu: after updating can't open VMs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
927126: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927126
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: aqemu
Version: 0.9.2-2.1
Severity: grave
Justification: renders package unusable


I recently updated aqemu and ended up not being able to open VMs.

The following is the message I get when I open VMs:

AQEMU Error [264] >>>
Sender: QEMU return value != 0
Message:


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages aqemu depends on:
ii  libc6                2.28-8
ii  libgcc1              1:8.3.0-6
ii  libqt5core5a         5.11.3+dfsg1-1
ii  libqt5dbus5          5.11.3+dfsg1-1
ii  libqt5gui5           5.11.3+dfsg1-1
ii  libqt5network5       5.11.3+dfsg1-1
ii  libqt5printsupport5  5.11.3+dfsg1-1
ii  libqt5test5          5.11.3+dfsg1-1
ii  libqt5widgets5       5.11.3+dfsg1-1
ii  libstdc++6           8.3.0-6
ii  libvncclient1        0.9.11+dfsg-1.3
ii  qemu                 1:3.1+dfsg-7

Versions of packages aqemu recommends:
ii  qemu-kvm  1:3.1+dfsg-7

aqemu suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: aqemu
Source-Version: 0.9.2-2.2

We believe that the bug you reported is fixed in the latest version of
aqemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexis Murzeau  (supplier of updated aqemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 17 May 2019 00:55:49 +0200
Source: aqemu
Binary: aqemu aqemu-dbgsym
Architecture: source amd64
Version: 0.9.2-2.2
Distribution: unstable
Urgency: medium
Maintainer: Ignace Mouzannar 
Changed-By: Alexis Murzeau 
Description:
 aqemu  - Qt5 front-end for QEMU and KVM
Closes: 927126
Changes:
 aqemu (0.9.2-2.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * debian/patches/0002-Remove-VLAN-stuff-QEMU-doesn-t-support-it-anymore.patch
 - Fix "after updating can't open VMs": Remove vlan related options.
 (Closes: #927126)

Bug#929297: minissdpd: CVE-2019-12106

2019-05-21 Thread Chris Lamb
Hi,

> minissdpd: CVE-2019-12106

Security team, would you like me to prepare an upload for stretch here?


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#929297: minissdpd: CVE-2019-12106

2019-05-21 Thread Chris Lamb
Package: minissdpd
Version: 1.2.20130907-3+deb8u1
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for minissdpd.

CVE-2019-12106[0]:
| The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and
| 1.5 allows a remote attacker to crash the process due to a Use After
| Free vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12106
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12106


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-