Bug#908678: Update on the security-tracker git discussion

2019-06-05 Thread Salvatore Bonaccorso
Hi Daniel,

On Thu, Jan 24, 2019 at 12:23:31PM +0100, Daniel Lange wrote:
> Zobel brought up the security-tracker git discussion in the #debian-security
> irc channel again and I'd like to record a few of the items touched there
> for others that were not present:
> 
> DLange has a running mirror of the git repo with split files since three
> months. This is based on anarcat's scripts published previously in this bug.
> The rewriting mirror repo works flawlessly. All history is retained sans gpg
> commit signatures.
> 
> Corsac noted that "redoing the tooling is a pain" and anarcat and DLange
> iterated we are willing to help fix the tools. But we need a commitment from
> the security-team that the migration to a split file repo is wanted. And we
> need a prioritized list of tools that need to be split-files enabled.
> 
> The discussion iterated that "moving elsewhere" doesn't really fix the
> underlying git-usage issue. So while this would take load off salsa, it will
> not improve clone times and hamper collaboration with Debian people outside
> the security team.
> 
> Still - to gain some data - DLange tried to push the security-tracker repo
> to github. This bails out as the history contains a file > 100MB (hard limit
> for Github):
> 
> remote: error: GH001: Large files detected. You may want to try Git Large
> File Storage - https://git-lfs.github.com.
> [..]
> remote: error: File data/CVE/allitems.html is 111.44 MB; this exceeds
> GitHub's file size limit of 100.00 MB
> 
> So we would have to re-write history for pushing to GitHub. Commits from
> 2017-12-29 that introduce "data/CVE/allitems.html" and drop it again would
> need to be modified. Technically all commits after these have to be
> re-written as well. I have not tested whether Github supports refs/replace
> substitutes which would be a work-around.
> 
> As noticeable on Salsa and per
> https://gitlab.com/gitlab-com/support-forum/issues/230 Gitlab does not
> enforce per-file size limits.
> But the pain of hosting and using this repo is not really different for any
> Gitlab instance.
> 
> So that means self-hosting of a non-split-file repo would probably have to
> be on a security DSA machine or similar.
> 
> Again, as said above, discussion participants outside the security team
> would prefer a commitment to split the offending data/CVE/list file into
> annual chunks, enable the tooling and stay on salsa.

I was planning to take some time in the next days to re-evaluate your
findings. As this was missing in the previous reply, thanks Daniel for your
time so far for the above summarization.

Thanks as well for your effort in finding a solution which involves
retaining the history.

Could you again point me to your split-up variant mirror?

Regards,
Salvatore
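
The GH001 rejection quoted above is caused by a blob that was added and later dropped, so it exists only in history and a look at the working tree will not find it. As an added example (not part of the thread), this Python script lists every blob reachable from any ref that exceeds a size limit; the 100 MiB default is an assumed reading of the "100.00 MB" in the error message, and the object listing in SAMPLE is constructed.

```python
import subprocess

# Assumption: the "100.00 MB" in the GH001 message is read here as 100 MiB.
GITHUB_LIMIT = 100 * 1024 * 1024

# One line per object: type, id, size in bytes, then the path from rev-list.
BATCH_FORMAT = "%(objecttype) %(objectname) %(objectsize) %(rest)"


def oversize_blobs(batch_check_output, limit=GITHUB_LIMIT):
    """Return [(path, size)] for blobs larger than limit, largest first.

    The input is the text produced by
        git rev-list --objects --all | git cat-file --batch-check=BATCH_FORMAT
    which covers every object in history, not only the current tree.
    """
    hits = {}
    for line in batch_check_output.splitlines():
        parts = line.split(" ", 3)          # the path may contain spaces
        if len(parts) < 3 or parts[0] != "blob":
            continue                        # commits, trees and tags
        size = int(parts[2])
        path = parts[3] if len(parts) == 4 else ""
        if size > limit:
            # Several oversize revisions of one path: report the largest.
            hits[path] = max(size, hits.get(path, 0))
    return sorted(hits.items(), key=lambda item: item[1], reverse=True)


def scan_repo(repo_dir, limit=GITHUB_LIMIT):
    """Run the two git commands on a local clone and report oversize blobs."""
    objects = subprocess.run(
        ["git", "-C", repo_dir, "rev-list", "--objects", "--all"],
        check=True, capture_output=True, text=True,
    ).stdout
    listing = subprocess.run(
        ["git", "-C", repo_dir, "cat-file", "--batch-check=" + BATCH_FORMAT],
        input=objects, check=True, capture_output=True, text=True,
    ).stdout
    return oversize_blobs(listing, limit)


# Constructed listing: object ids and the size of data/CVE/list are made up;
# 116853309 bytes corresponds to the 111.44 MB reported for allitems.html.
SAMPLE = """\
commit 1111111111111111111111111111111111111111 262
tree 2222222222222222222222222222222222222222 71 data
blob 3333333333333333333333333333333333333333 20971520 data/CVE/list
blob 4444444444444444444444444444444444444444 116853309 data/CVE/allitems.html
"""

if __name__ == "__main__":
    for path, size in oversize_blobs(SAMPLE):
        print(f"{size / 1048576:8.2f} MB  {path}")
```

Any path it reports has to be removed by rewriting history (or the push target changed) before a host with a per-file limit will accept the repository.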



Bug#929829: [Pkg-javascript-devel] Bug#929829: Bug#929829: Bug#929829: gulp 4 cannot build node-babel 7 - Cannot convert undefined or null to object

2019-06-05 Thread Xavier
On 05/06/2019 at 22:48, Xavier wrote:
> On 03/06/2019 at 22:23, Xavier wrote:
>> On 01/06/2019 at 12:14, Pirate Praveen wrote:
>>> ...
>>> gulp build
>>> [15:37:17] Local modules not found in ~/forge/debian/git/js-team/node-babel
>>> [15:37:17] Try running: npm install
>>> [15:37:17] Using globally installed gulp
>>> [15:37:17] Using gulpfile ~/forge/debian/git/js-team/node-babel/Gulpfile.js
>>> [15:37:17] Starting 'build'...
>>> [15:37:17] Cannot convert undefined or null to object
>>
>> This error is reported by node-extend-shallow. Looking at yarn.lock, an
>> older extend-shallow is required by :
>>  - braces@2.3.0
>>  - expand-brackets@2.1.4
>>  - extglob@2.0.4
>>  - fill-range@4.0.0
>>  - plugin-error@0.1.2
>>  - regex-not@1.0.0
>>  - set-value@2.0.0
>>  - snapdragon@0.8.1
>>  - to-regex@^3.0.2
>>
>> I think the best for now is to upgrade all gulp dependencies in experimental
> 
> Updates:
>  - braces@2.3.0  => 3.0.2
>  - expand-brackets@2.1.4 => 4.0.0
>  - extglob@2.0.4 => 3.0.0
>  - fill-range@4.0.0  => 7.0.1
>  - set-value@2.0.0   => 3.0.0
>  - snapdragon@0.8.1  => 0.12.0
>  - to-regex@^3.0.1   => 3.0.2+
> And also
>  - to-regex-range => 5.0.1

My reducejs tool gives a new analysis:
 * updates needed:
   - gulp-babel : 7.0.1 => 8.0.0
   - rollup-plugin-babel : 3.0.3 => 4.3.2
 * downgraded modules to embed
   - process-nextick-args : 2.0.0 => 1.0.7
 * problems:
   - build fails with our readable-stream (2.3.6) but succeeds with
 upstream readable-stream (2.3.6 also)



Bug#930040: marked as done (umis: add Build-Depends-Arch: python3-pysam)

2019-06-05 Thread Debian Bug Tracking System
Your message dated Thu, 06 Jun 2019 05:18:25 +
with message-id 
and subject line Bug#930040: fixed in umis 1.0.3-2
has caused the Debian Bug report #930040,
regarding umis: add Build-Depends-Arch: python3-pysam
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
930040: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930040
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: umis
Version: 1.0.3-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

please add a
  Build-Depends-Arch: python3-pysam
to not generate binary packages that are uninstallable on platforms
without python3-pysam. You'll have to file a 
  RM: umis [armel armhf i386 mips mipsel s390x] -- RoM; uninstallable without 
python3-pysam
bug afterwards.


Andreas
--- End Message ---
--- Begin Message ---
Source: umis
Source-Version: 1.0.3-2

We believe that the bug you reported is fixed in the latest version of
umis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille  (supplier of updated umis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 06 Jun 2019 06:50:09 +0200
Source: umis
Binary: umis umis-examples
Architecture: source
Version: 1.0.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team 

Changed-By: Andreas Tille 
Description:
 umis   - tools for processing UMI RNA-tag data
 umis-examples - tools for processing UMI RNA-tag data (examples)
Closes: 930040
Changes:
 umis (1.0.3-2) unstable; urgency=medium
 .
   * Build-Depends-Arch: python3-pysam
 Closes: #930040
--- End Message ---


Bug#907135: [Box Backup] Debian now requires 2048bit RSA keys

2019-06-05 Thread Chris Wilson
Hi Reinhard,

Could you have a look at this patch (documented here) to see if it's
something like what you were hoping for?

Thanks, Chris.

On Fri, 31 May 2019 at 22:55, Reinhard Tartler  wrote:

>
>
> On Fri, May 31, 2019 at 5:03 PM Chris Wilson 
> wrote:
>
>> Hi Reinhard,
>>
>> Presumably the many other affected packages have had similar difficulty
>> in developing a comprehensive solution? I also wasn't aware of a time
>> constraint. Not that it would have helped me much, as I was moving house,
>> but it would have been good to know that there was a risk of not making
>> Debian 10.
>>
>
> I'm sorry, I should have communicated that point earlier. I've been bitten
> by this with other packages as well.
> The release schedule is documented here:
> https://wiki.debian.org/DebianBuster
> The most recent update from the release team is
> https://lists.debian.org/debian-devel-announce/2019/04/msg3.html -
> and newer updates will be linked from https://release.debian.org/.
>
> In short: The team is minimizing changes as much as possible, and getting
> updates in becomes more and more a similar big deal as updating something
> in stable.
>
>> I could create a special branch with a cut-down version of the solution,
>> e.g. forcing the SecurityLevel to -1 (compatibility and warn) for the time
>> being, in order to get the fix out in time for Debian 10, and then put the
>> full version into backports?
>>
>
> That would be amazing, if the patch is easy to review, I'd be happy to
> upload it as a distro patch based on the current package and try to get
> this approved by the release team. It might even be accepted as a stable
> update, depending on how invasive it is.
>
>
> Thanks,
> -rt
>
>


Bug#930017: updated merge-request with patches for PMASA-2019-{3,4}

2019-06-05 Thread Matthias Blümel
I updated the merge-request 
https://salsa.debian.org/phpmyadmin-team/phpmyadmin/merge_requests/6
with patches for stretch of the two new PMASA-2019-{3,4}

I also updated 
https://salsa.debian.org/phpmyadmin-team/phpmyadmin/merge_requests/5
for jessie and PMASA-2019-4 (CVE-2019-12616)

PMASA-2019-3 (CVE-2019-11768) does not affect jessie. This bug came
with 
https://github.com/phpmyadmin/phpmyadmin/commit/e04f56a04f506c1a0a884c81c209ae2ffbf80baf
in PhpMyAdmin 4.3.0alpha1

PMASA-2019-3 (CVE-2019-11768) does not yet have a Debian bug. How
should this be done? By the security-team via the security-tracker? Can
I do this? How do I reference all the stuff?

BTW: Why is jessie mentioned in the security-tracker of this CVE but
not in this bug?



Processed: affects 846219, affects 926180, found 804369 in 0.22-2, affects 911569, affects 914352 ...

2019-06-05 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> affects 846219 + fusionforge-plugin-admssw
Bug #846219 [src:fusionforge] Missing runtime dependencies (former libarc-php, 
libgraphite-php and php-http)
Added indication that 846219 affects fusionforge-plugin-admssw
> affects 926180 + scilab-ann scilab-celestlab cantor-backend-scilab 
> python-sciscipy
Bug #926180 [src:scilab] scilab: FTBFS on all
Added indication that 926180 affects scilab-ann, scilab-celestlab, 
cantor-backend-scilab, and python-sciscipy
> found 804369 0.22-2
Bug #804369 [src:netexpect] netexpect: FTBFS with wireshark 2.0
Marked as found in versions netexpect/0.22-2.
> affects 911569 + libghc-hit-dev libghc-hit-prof
Bug #911569 [src:haskell-hit] src:haskell-hit: dead upstream, not worth the 
maintenance burden?
Added indication that 911569 affects libghc-hit-dev and libghc-hit-prof
> affects 914352 + libghc-hmt-dev libghc-hmt-doc libghc-hmt-prof
Bug #914352 [src:haskell-hmt] haskell-hmt: Missing build-dependency on 
modular-arithmetic
Added indication that 914352 affects libghc-hmt-dev, libghc-hmt-doc, and 
libghc-hmt-prof
> user debian...@lists.debian.org
Setting user to debian...@lists.debian.org (was a...@debian.org).
> usertags 914352 piuparts
There were no usertags set.
Usertags are now: piuparts.
> notfound 914352 0.15
Bug #914352 [src:haskell-hmt] haskell-hmt: Missing build-dependency on 
modular-arithmetic
The source 'haskell-hmt' and version '0.15' do not appear to match any binary 
packages
No longer marked as found in versions haskell-hmt/0.15.
> found 914352 0.15-2
Bug #914352 [src:haskell-hmt] haskell-hmt: Missing build-dependency on 
modular-arithmetic
Marked as found in versions haskell-hmt/0.15-2.
> affects 914449 + libghc-blogliterately-dev
Bug #914449 [src:haskell-blogliterately] haskell-blogliterately: FTBFS with 
ghc-8.4
Added indication that 914449 affects libghc-blogliterately-dev
> found 868202 0.10.6-3
Bug #868202 [python3-qtile] Remove build-depends and depends on python3-trollius
Marked as found in versions qtile/0.10.6-3.
> found 877496 eliom/4.2-3
Bug #877496 [src:sexplib310] sexplib310 FTBFS: Error: This expression has type 
Obj.t but an expression was expected of type extension_constructor
Marked as found in versions eliom/4.2-3.
> usertags 780620 piuparts
There were no usertags set.
Usertags are now: piuparts.
> affects 911570 + libghc-cabal-file-th-prof
Bug #911570 [src:haskell-cabal-file-th] src:haskell-cabal-file-th: needs to be 
patched for newer Cabal
Added indication that 911570 affects libghc-cabal-file-th-prof
> affects 913053 + libghc-cabal-helper-prof
Bug #913053 [src:haskell-cabal-helper] src:haskell-cabal-helper: ftbfs
Added indication that 913053 affects libghc-cabal-helper-prof
> affects 880879 + libghc-dpkg-prof
Bug #880879 [src:haskell-dpkg] haskell-dpkg FTBFS: hlibrary.setup: parsing 
output of pkg-config --modversion failed
Added indication that 880879 affects libghc-dpkg-prof
> affects 911571 + libghc-hastache-prof
Bug #911571 [src:haskell-hastache] src:haskell-hastache: deprecated and broken
Added indication that 911571 affects libghc-hastache-prof
> affects 914353 + libghc-hdbc-odbc-prof
Bug #914353 [src:hdbc-odbc] hdbc-odbc: Missing build-dependency on 
concurrent-extra
Added indication that 914353 affects libghc-hdbc-odbc-prof
> affects 903619 + libghc-language-python-prof
Bug #903619 [haskell-language-python] haskell-language-python FTBFS build hangs.
Added indication that 903619 affects libghc-language-python-prof
> affects 928174 + libghc-raaz-prof
Bug #928174 [src:haskell-raaz] haskell-raaz: FTBFS: hlibrary.setup: Encountered 
missing dependencies: base >=4.6 && <4.11
Added indication that 928174 affects libghc-raaz-prof
> usertags 927166 piuparts
There were no usertags set.
Usertags are now: piuparts.
> usertags 913561 piuparts
There were no usertags set.
Usertags are now: piuparts.
> affects 913561 + python3-qiskit
Bug #913561 [src:qiskit-terra] qiskit-terra: binary-any FTBFS
Added indication that 913561 affects python3-qiskit
> affects 856966 + libcore-ocaml
Bug #856966 [src:janest-core] Uninstallable on sid
Bug #843312 [src:janest-core] FTBFS: libsexplib-camlp4-dev is no longer 
available
Bug #852890 [src:janest-core] ocaml-textutils: FTBFS: build-dependency not 
installable: libcore-ocaml-dev (>= 113.00.00-4~)
Added indication that 856966 affects libcore-ocaml
Added indication that 843312 affects libcore-ocaml
Added indication that 852890 affects libcore-ocaml
> affects 877507 + libppx-core-ocaml-dev
Bug #877507 [src:ppx-core] ppx-core FTBFS: E: Cannot find external tool 
'ocamlbuild'
Added indication that 877507 affects libppx-core-ocaml-dev
> affects 843320 + libcore-extended-ocaml
Bug #843320 [src:janest-core-extended] FTBFS: libsexplib-camlp4-dev is no 
longer available
Added indication that 843320 affects libcore-extended-ocaml
> usertags 928311 piuparts
There were no usertags set.
Usertags are now: piuparts.
> affects 928311 + geany-plugin-projectorganizer 

Bug#930040: umis: add Build-Depends-Arch: python3-pysam

2019-06-05 Thread Andreas Beckmann
Source: umis
Version: 1.0.3-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

please add a
  Build-Depends-Arch: python3-pysam
to not generate binary packages that are uninstallable on platforms
without python3-pysam. You'll have to file a 
  RM: umis [armel armhf i386 mips mipsel s390x] -- RoM; uninstallable without 
python3-pysam
bug afterwards.


Andreas



Bug#926392: licensecheck chokes on long lines

2019-06-05 Thread Jonas Smedegaard
Quoting gregor herrmann (2019-06-05 21:46:36)
> On Wed, 17 Apr 2019 07:08:00 +, Niels Thykier wrote:
> 
> > On Thu, 04 Apr 2019 18:13:43 +0200 Jonas Smedegaard  wrote:
> > > Quoting Sandro Mani (2019-04-04 13:36:28)
> > > > $ wget 
> > > > https://files.pythonhosted.org/packages/source/x/xonsh/xonsh-0.8.12.tar.gz
> > > > $ tar xf xonsh-0.8.12.tar.gz
> > > > $ licensecheck xonsh-0.8.12/xonsh/parser_table.py
> > > > 
> > > > => Licensecheck hangs eating cpu cycles (the file has lines with 
> > > > 33k and 71k characters).
> > > 
> > > Indeed. Thanks for reporting!
> 
> > I have been digging in the code (admittedly using the master branch 
> > of the libregexp-pattern-license-perl and licensecheck rather than 
> > the packages) and basically, it is a DOS from suboptimal regex.
> 
> Thanks for your investigation, Niels!

Agreed, thanks a lot for your investigation, Niels: I was _very_ happy 
when you posted it, but then got distracted by other business before 
getting around to replying back then - sorry!


> AFAICS this is the only buster-relevant RC bug we have.
>  
> 
> Jonas, my hope is that you have a chance to look into this issue, as
> you are also the upstream maintainer of this module :)

Yes, I will sure look into this.

It was not high on my list, however - I was under the impression that 
this does not affect Buster.

I will prioritize at least verifying that detail.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
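
Why lines of 33k and 71k characters are enough to stall a regex-based scanner, and one way to bound the cost, as an added example that is not part of the thread and not licensecheck's code. The pattern is constructed for illustration (the thread does not quote the offending regex), and WINDOW and OVERLAP are assumed values.

```python
import re

# Constructed pattern, not taken from libregexp-pattern-license-perl. The
# leading [\w-]* makes an unanchored search quadratic on a long run of word
# characters: every start position rescans the rest of the run before failing.
LICENSE_RE = re.compile(r"[\w-]*licen[sc]e[\w-]*\s*:\s*([\w.+-]+)", re.IGNORECASE)

WINDOW = 256   # most characters handed to the regex in one call
OVERLAP = 64   # must exceed the longest keyword-to-identifier span expected


def scan_line(line, window=WINDOW, overlap=OVERLAP):
    """Return the license identifiers found in one line, in order.

    A long line is searched in overlapping windows, so the regex never sees
    more than `window` characters at once. Worst-case work drops from
    O(len(line) ** 2) to O(len(line) * window).
    """
    if not 0 <= overlap < window:
        raise ValueError("overlap must be smaller than window")
    found = {}                       # absolute offset -> identifier
    step = window - overlap
    for start in range(0, max(len(line), 1), step):
        chunk = line[start:start + window]
        last = start + window >= len(line)
        for m in LICENSE_RE.finditer(chunk):
            # A match that touches the end of a non-final window may be cut
            # short; the next window contains it whole, so skip it here.
            if m.end() == len(chunk) and not last:
                continue
            found.setdefault(start + m.start(1), m.group(1))
        if last:
            break
    return [found[pos] for pos in sorted(found)]


def scan_text(text):
    """Return [(line_number, identifier)] for every line of text."""
    return [(number, ident)
            for number, line in enumerate(text.splitlines(), 1)
            for ident in scan_line(line)]


# Constructed input: a normal header, a 71k-character generated table line
# with no license text, and a 33k-character line that does contain one.
SAMPLE_TEXT = "\n".join([
    "# SPDX-License-Identifier: BSD-2-Clause",
    "_table = '" + "a" * 71000 + "'",
    "x" * 33000 + " SPDX-License-Identifier: MIT " + "y" * 100,
])

if __name__ == "__main__":
    for number, ident in scan_text(SAMPLE_TEXT):
        print(f"line {number}: {ident}")
```

Calling LICENSE_RE.search() directly on the 71k-character line needs on the order of billions of backtracking steps, which is the kind of hang described in the report; windowing keeps the same pattern usable while the pattern itself is being fixed.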




Bug#929829: [Pkg-javascript-devel] Bug#929829: Bug#929829: gulp 4 cannot build node-babel 7 - Cannot convert undefined or null to object

2019-06-05 Thread Xavier
On 03/06/2019 at 22:23, Xavier wrote:
> On 01/06/2019 at 12:14, Pirate Praveen wrote:
>> ...
>> gulp build
>> [15:37:17] Local modules not found in ~/forge/debian/git/js-team/node-babel
>> [15:37:17] Try running: npm install
>> [15:37:17] Using globally installed gulp
>> [15:37:17] Using gulpfile ~/forge/debian/git/js-team/node-babel/Gulpfile.js
>> [15:37:17] Starting 'build'...
>> [15:37:17] Cannot convert undefined or null to object
> 
> This error is reported by node-extend-shallow. Looking at yarn.lock, an
> older extend-shallow is required by :
>  - braces@2.3.0
>  - expand-brackets@2.1.4
>  - extglob@2.0.4
>  - fill-range@4.0.0
>  - plugin-error@0.1.2
>  - regex-not@1.0.0
>  - set-value@2.0.0
>  - snapdragon@0.8.1
>  - to-regex@^3.0.2
> 
> I think the best for now is to upgrade all gulp dependencies in experimental

Updates:
 - braces@2.3.0  => 3.0.2
 - expand-brackets@2.1.4 => 4.0.0
 - extglob@2.0.4 => 3.0.0
 - fill-range@4.0.0  => 7.0.1
 - set-value@2.0.0   => 3.0.0
 - snapdragon@0.8.1  => 0.12.0
 - to-regex@^3.0.1   => 3.0.2+
And also
 - to-regex-range => 5.0.1



Bug#926392: licensecheck chokes on long lines

2019-06-05 Thread gregor herrmann
On Wed, 17 Apr 2019 07:08:00 +, Niels Thykier wrote:

> On Thu, 04 Apr 2019 18:13:43 +0200 Jonas Smedegaard  wrote:
> > Quoting Sandro Mani (2019-04-04 13:36:28)
> > > $ wget 
> > > https://files.pythonhosted.org/packages/source/x/xonsh/xonsh-0.8.12.tar.gz
> > > $ tar xf xonsh-0.8.12.tar.gz
> > > $ licensecheck xonsh-0.8.12/xonsh/parser_table.py
> > > 
> > > => Licensecheck hangs eating cpu cycles (the file has lines with 33k and 
> > > 71k characters).
> > 
> > Indeed. Thanks for reporting!

> I have been digging in the code (admittedly using the master branch of
> the libregexp-pattern-license-perl and licensecheck rather than the
> packages) and basically, it is a DOS from suboptimal regex.

Thanks for your investigation, Niels!

AFAICS this is the only buster-relevant RC bug we have.
 

Jonas, my hope is that you have a chance to look into this issue, as
you are also the upstream maintainer of this module :)


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   




Bug#924616: marked as done (CVE-2018-15587: Signature Spoofing in PGP encrypted email)

2019-06-05 Thread Debian Bug Tracking System
Your message dated Wed, 05 Jun 2019 17:33:40 +
with message-id 
and subject line Bug#924616: fixed in evolution 3.30.5-1.1
has caused the Debian Bug report #924616,
regarding CVE-2018-15587: Signature Spoofing in PGP encrypted email
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
924616: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924616
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: evolution
Severity: grave
Tags: security

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15587:

https://bugzilla.gnome.org/show_bug.cgi?id=796424
https://gitlab.gnome.org/GNOME/evolution/commit/9c55a311325f5905d8b8403b96607e46cf343f21
https://gitlab.gnome.org/GNOME/evolution/commit/f66cd3e1db301d264563b4222a3574e2e58e2b85

Cheers,
Moritz
   
--- End Message ---
--- Begin Message ---
Source: evolution
Source-Version: 3.30.5-1.1

We believe that the bug you reported is fixed in the latest version of
evolution, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Meurer  (supplier of updated evolution package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 05 Jun 2019 14:31:36 +0200
Source: evolution
Architecture: source
Version: 3.30.5-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers 

Changed-By: Jonas Meurer 
Closes: 924616
Changes:
 evolution (3.30.5-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2018-15587: backport patch to mitigate possible signature/encryption:
 Show security bar above message headers. (Closes: #924616)
--- End Message ---


Bug#864299: marked as done (libclass-c3-perl: FTBFS due to base.pm changes in July 2016)

2019-06-05 Thread Debian Bug Tracking System
Your message dated Wed, 5 Jun 2019 16:46:28 +0100
with message-id <20190605154628.cijsags4eaxul...@urchin.earth.li>
and subject line Fixed by upload of perl
has caused the Debian Bug report #864299,
regarding libclass-c3-perl: FTBFS due to base.pm changes in July 2016
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864299: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864299
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libclass-c3-perl
Version: 0.26-1
Severity: serious
Justification: ftbfs
Tags: jessie patch

As per

http://perl.debian.net/rebuild-logs/jessie/libclass-c3-perl_0.26-1/libclass-c3-perl_0.26-1_amd64-2017-06-05T20:11:30Z.build

building this package was broken by the changes in perl to fix the '.'
in @INC vulnerability.

The package was fixed in unstable by the upstream version 0.31 by 
commit

https://anonscm.debian.org/cgit/pkg-perl/packages/libclass-c3-perl.git/commit/?id=47a367d0930224e392be71678bddff77e4ddee82

Dominic.
--- End Message ---
--- Begin Message ---
This was fixed by the upload of perl 5.20.2-3+deb8u8 to jessie in
July 2017.
--- End Message ---


Bug#929567:

2019-06-05 Thread J. Smith
See https://debbugs.gnu.org/30045 (fixed in Emacs 26.2).



Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability

2019-06-05 Thread Chris Lamb
[adding 929...@bugs.debian.org to CC]

Hi Moritz,

> > Sure. Here's my updated patch:

Uploaded zookeeper_3.4.9-3+deb9u2_amd64.changes to security-master.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Bug#929469: systemd-networkd: systemd-networkd: fails with "could not set address: Permission denied"

2019-06-05 Thread Michael Biebl
On 05.06.19 at 14:03, Raphael Hertzog wrote:
> Hi,
> 
> On Wed, 05 Jun 2019, Michael Biebl wrote:
>> What's the status of this bug?
> 
> No progress.
> 
>> Can you reproduce it with v242 from experimental?
> 
> Yes.
> 
>> I guess upstream is waiting for your feedback:
>> https://github.com/systemd/systemd/issues/12656#issuecomment-496293294
> 
> I will provide my result with systemd from git master soon. But there's
> not much else that I can do.

systemd-networkd.service in v241 is locked down more tightly than v232.
It might be worth a try to comment out the hardening features one by one
to see if one of them causes your problem.

Regards,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
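
One way to carry out the "comment out the hardening features one by one" test suggested above, as an added example that is not part of the thread or of systemd. The directive names are real systemd.exec(5) options, but SAMPLE_UNIT is a constructed stand-in for the shipped systemd-networkd.service, and the function and file names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# Sandboxing options from systemd.exec(5) that restrict a service. Options
# that grant something (User=, AmbientCapabilities=) are deliberately absent.
HARDENING_KEYS = (
    "CapabilityBoundingSet", "LockPersonality", "MemoryDenyWriteExecute",
    "NoNewPrivileges", "PrivateDevices", "PrivateTmp", "ProtectControlGroups",
    "ProtectHome", "ProtectKernelModules", "ProtectKernelTunables",
    "ProtectSystem", "RestrictAddressFamilies", "RestrictNamespaces",
    "RestrictRealtime", "SystemCallArchitectures", "SystemCallFilter",
)
ASSIGN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*=")


def hardening_variants(unit_text):
    """Return {directive: unit text with only that directive commented out}.

    All assignments of a directive in [Service] are disabled together,
    including backslash-continued lines, so each variant removes exactly
    one restriction.
    """
    lines = unit_text.splitlines()
    groups = {}            # directive -> indexes of the lines it occupies
    section = None
    key = None
    continued = False
    for idx, line in enumerate(lines):
        stripped = line.strip()
        if not continued:
            key = None
            if stripped.startswith(("#", ";")):
                continue
            if stripped.startswith("["):
                section = stripped
            else:
                m = ASSIGN_RE.match(line)
                if m and section == "[Service]" and m.group(1) in HARDENING_KEYS:
                    key = m.group(1)
        if key is not None:
            groups.setdefault(key, []).append(idx)
        continued = stripped.endswith("\\")
    variants = {}
    for name, indexes in groups.items():
        out = list(lines)
        for i in indexes:
            out[i] = "#" + out[i]
        variants[name] = "\n".join(out) + "\n"
    return variants


def write_variants(unit_text, out_dir, unit_name="systemd-networkd.service"):
    """Write one file per variant and return the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for name, text in hardening_variants(unit_text).items():
        path = out / f"{unit_name}.without-{name}"
        path.write_text(text)
        paths.append(path)
    return paths


# Constructed sample, not the unit file shipped in systemd 241.
SAMPLE_UNIT = """\
[Unit]
Description=Network Service (constructed sample)

[Service]
ExecStart=/lib/systemd/systemd-networkd
User=systemd-network
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
ProtectSystem=strict
ProtectHome=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
SystemCallFilter=@system-service \\
    @network-io
SystemCallFilter=~@mount
MemoryDenyWriteExecute=yes

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for path in write_variants(SAMPLE_UNIT, tempfile.mkdtemp()):
        print(path)
```

To test one variant, install it as /etc/systemd/system/systemd-networkd.service, run systemctl daemon-reload, restart the service and check the journal for the "Permission denied" line. Remove the file afterwards to return to the packaged unit with all restrictions in place.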





Bug#930029: linux-image-4.19.0-5-amd64: Kernel stucks at load initramfs on ASUS KGPE-D16

2019-06-05 Thread Leon Gehling
Package: src:linux
Version: 4.19.37-3
Severity: critical
Justification: breaks the whole system

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
 ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***
System not bootable.
Kernel gets stuck at loading initramfs. No debug output shown or accessible.
Corebooted KGPE-D16
Kernel 4.9 from stretch works flawlessly
This is a really important Platform for FOSS Projects. Pls do something
about this.

-- Package-specific info:
** Kernel log: boot messages should be attached

** Model information
sys_vendor: ASUS
product_name: KGPE-D16
product_version: 1.0
chassis_vendor: ASUS
chassis_version: 
bios_vendor: coreboot
bios_version: 4.9-1859-gf3510cbe36
board_vendor: ASUS
board_name: KGPE-D16
board_version: 1.0

** PCI devices:

Bug#929469: systemd-networkd: systemd-networkd: fails with "could not set address: Permission denied"

2019-06-05 Thread Raphael Hertzog
Hi,

On Wed, 05 Jun 2019, Michael Biebl wrote:
> What's the status of this bug?

No progress.

> Can you reproduce it with v242 from experimental?

Yes.

> I guess upstream is waiting for your feedback:
> https://github.com/systemd/systemd/issues/12656#issuecomment-496293294

I will provide my result with systemd from git master soon. But there's
not much else that I can do.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/




Bug#929469: systemd-networkd: systemd-networkd: fails with "could not set address: Permission denied"

2019-06-05 Thread Michael Biebl
On Fri, 24 May 2019 09:30:50 +0200 Raphaël Hertzog wrote:
> Package: systemd
> Version: 241-3
> Severity: serious
> File: systemd-networkd
> User: de...@kali.org
> Usertags: origin-kali
> 
> I upgraded an (OVH) dedicated server to Debian buster with systemd 241-3 and
> while it rebooted correctly, the network did not come back. Looking into
> the logs I saw the following messages:
> 
> May 20 12:37:10 euterpe systemd-networkd[756]: eno3: Could not bring up 
> interface: Invalid argument
> May 20 12:37:14 euterpe systemd-networkd[756]: eno3: Gained carrier
> May 20 12:37:14 euterpe systemd-networkd[756]: eno3: could not set address: 
> Permission denied

What's the status of this bug?
Can you reproduce it with v242 from experimental?
I guess upstream is waiting for your feedback:
https://github.com/systemd/systemd/issues/12656#issuecomment-496293294

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#930004: fixed in gitlab 11.10.5+dfsg-1

2019-06-05 Thread Pirate Praveen
On Wed, 05 Jun 2019 08:39:18 + Pirate Praveen 
wrote:
>  gitlab (11.10.5+dfsg-1) experimental; urgency=medium

Uploading to experimental because of freeze and libgit2 transition (even
though it's a security update).





Processed: notfixed 929067 in 1:2.8+dfsg-6+deb9u6, found 929067 in 1:2.8+dfsg-6+deb9u6

2019-06-05 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> notfixed 929067 1:2.8+dfsg-6+deb9u6
Bug #929067 {Done: Michael Tokarev } [qemu-system-x86] Support 
for MDS
No longer marked as fixed in versions qemu/1:2.8+dfsg-6+deb9u6.
> found 929067 1:2.8+dfsg-6+deb9u6
Bug #929067 {Done: Michael Tokarev } [qemu-system-x86] Support 
for MDS
Marked as found in versions qemu/1:2.8+dfsg-6+deb9u6.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
929067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929067
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#930015: patroni: pg_createconfig_patroni writes unusable configuration for some ip-route outputs

2019-06-05 Thread Michael Banck
Hi,

On Wed, Jun 05, 2019 at 11:06:42AM +0200, Christoph Berg wrote:
> Re: Michael Banck 2019-06-05 
> <20190605090028.ga10...@nighthawk.caipicrew.dd-dns.de>
> > if "ip -4 route get 8.8.8.8" reports additional output after the "src
> 
> Is that the same bug as this one?
> 
> Cluster 11/test doesn't exist yet.
> 
> $ sudo pg_createconfig_patroni 11 test
> sed: -e Ausdruck #8, Zeichen 76: Unbekannte Option für »s«
> 
> Now I have an empty yml file:
> 
> -rw-rw 1 postgres postgres0 Mai 29 11:19 /etc/patroni/11-bar.yml
> -rw-rw 1 postgres postgres0 Jun  5 11:04 /etc/patroni/11-test.yml
> -rw-r--r-- 1 root root 3813 Feb 15 23:36 /etc/patroni/config.yml.in
> -rw-r--r-- 1 root root  140 Nov  5  2018 /etc/patroni/dcs.yml
> -rw-r--r-- 1 root root 2481 Feb  7  2018 /etc/patroni/postgres0.yml
> 
> Christoph

No, that's 930016, which I fixed in git a while ago already.


Michael



Bug#930018: phpmyadmin: should phpmyadmin removed from unstable?

2019-06-05 Thread Salvatore Bonaccorso
Source: phpmyadmin
Severity: serious
Justification: unfit for a stable release

Hi

In the meantime, phpmyadmin could be removed from unstable without
disturbing reverse dependencies.

Should phpmyadmin be removed from the archive?

Regards,
Salvatore



Processed: phpmyadmin: CVE-2019-12616

2019-06-05 Thread Debian Bug Tracking System
Processing control commands:

> found -1 4:4.6.6-5
Bug #930017 [src:phpmyadmin] phpmyadmin: CVE-2019-12616
Marked as found in versions phpmyadmin/4:4.6.6-5.

-- 
930017: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930017
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#930017: phpmyadmin: CVE-2019-12616

2019-06-05 Thread Salvatore Bonaccorso
Source: phpmyadmin
Version: 4:4.6.6-4
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 4:4.6.6-5

Hi,

The following vulnerability was published for phpmyadmin.

CVE-2019-12616[0]:
| An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability
| was found that allows an attacker to trigger a CSRF attack against a
| phpMyAdmin user. The attacker can trick the user, for instance through
| a broken img tag pointing at the victim's phpMyAdmin database,
| and the attacker can potentially deliver a payload (such as a specific
| INSERT or DELETE statement) to the victim.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12616
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12616
[1] https://www.phpmyadmin.net/security/PMASA-2019-4/

Regards,
Salvatore



Processed: Bug#930015 marked as pending in patroni

2019-06-05 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #930015 [patroni] patroni: pg_createconfig_patroni writes unusable 
configuration for some ip-route outputs
Added tag(s) pending.

-- 
930015: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930015
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#930015: marked as pending in patroni

2019-06-05 Thread Michael Banck
Control: tag -1 pending

Hello,

Bug #930015 in patroni reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/postgresql/patroni/commit/3d12adbb69e561504e2bbf673132ae79dabb8124


* debian/pg_createconfig_patroni: Fix determination of host IP/network if `ip
route get' reports additional output (Closes: #930015).


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/930015



Bug#929283: closing 929283

2019-06-05 Thread Salvatore Bonaccorso
close 929283 3.4.13-2
thanks



Processed: closing 929283

2019-06-05 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> close 929283 3.4.13-2
Bug #929283 [src:zookeeper] zookeeper: CVE-2019-0201: information disclosure 
vulnerability
Marked as fixed in versions zookeeper/3.4.13-2.
Bug #929283 [src:zookeeper] zookeeper: CVE-2019-0201: information disclosure 
vulnerability
Marked Bug as done
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
929283: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929283
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#930016: patroni: pg_createconfig_patroni writes empty configuration file if default dcs.yml is used

2019-06-05 Thread Michael Banck
Package: patroni
Version: 1.5.5-1
Severity: serious

Dear Maintainer,

the default /etc/patroni/dcs.yml file includes some comments for other
DCS systems like etcd and consul.

If those comments are not removed, pg_createconfig_patroni fails to
write the configuration file and renders the package unusable without
further manual intervention:

root@pg1:~# cat /etc/patroni/dcs.yml 
#etcd:
#  host: 127.0.0.1:2379

#consul:
#  host: http://127.0.0.1:8500
#  host: https://127.0.0.1:8500

zookeeper:
  hosts: 127.0.0.1:2181
root@pg1:~# pg_createconfig_patroni 11 test
sed: -e expression #8, char 76: unknown option to `s'
root@pg1:~# ls -l /etc/patroni/11-test.yml
-rw-rw 1 postgres postgres 0 Jun  5 09:04 /etc/patroni/11-test.yml
root@pg1:~#  


Michael

-- System Information:
Debian Release: 8.10
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#930015: patroni: pg_createconfig_patroni writes unusable configuration for some ip-route outputs

2019-06-05 Thread Christoph Berg
Re: Michael Banck 2019-06-05 
<20190605090028.ga10...@nighthawk.caipicrew.dd-dns.de>
> if "ip -4 route get 8.8.8.8" reports additional output after the "src

Is that the same bug as this one?

Cluster 11/test doesn't exist yet.

$ sudo pg_createconfig_patroni 11 test
sed: -e Ausdruck #8, Zeichen 76: Unbekannte Option für »s«

Now I have an empty yml file:

-rw-rw 1 postgres postgres0 Mai 29 11:19 /etc/patroni/11-bar.yml
-rw-rw 1 postgres postgres0 Jun  5 11:04 /etc/patroni/11-test.yml
-rw-r--r-- 1 root root 3813 Feb 15 23:36 /etc/patroni/config.yml.in
-rw-r--r-- 1 root root  140 Nov  5  2018 /etc/patroni/dcs.yml
-rw-r--r-- 1 root root 2481 Feb  7  2018 /etc/patroni/postgres0.yml

Christoph



Processed: Re: Bug#929954: [python-reportlab] 3.5.21-1 breaks rst2pdf

2019-06-05 Thread Debian Bug Tracking System
Processing control commands:

> reassign -1 rst2pdf
Bug #929954 [python-reportlab] [python-reportlab] 3.5.21-1 breaks rst2pdf
Bug reassigned from package 'python-reportlab' to 'rst2pdf'.
No longer marked as found in versions python-reportlab/3.5.21-1.
Ignoring request to alter fixed versions of bug #929954 to the same values 
previously set

-- 
929954: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929954
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#929954: [python-reportlab] 3.5.21-1 breaks rst2pdf

2019-06-05 Thread Matthias Klose
Control: reassign -1 rst2pdf

not sure how that worked in the past, but flowables.py is using
reportlab.Version without importing it.

On 04.06.19 10:40, Sébastien Kalt wrote:
> Package: python-reportlab
> Version: 3.5.21-1
> Severity: grave
> 
> --- Please enter the report below this line. ---
> Dear maintainer,
> 
> Since last update of python-reportlab to 3.2.21-1, rst2pdf is unusable :
> 
> $ rst2pdf test.rst -o test.pdf
> Traceback (most recent call last):
>   File "/usr/bin/rst2pdf", line 11, in 
> load_entry_point('rst2pdf==0.93.dev0', 'console_scripts', 'rst2pdf')()
>   File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line
> 489, in load_entry_point
> return get_distribution(dist).load_entry_point(group, name)
>   File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line
> 2793, in load_entry_point
> return ep.load()
>   File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line
> 2411, in load
> return self.resolve()
>   File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line
> 2417, in resolve
> module = __import__(self.module_name, fromlist=['__name__'], level=0)
>   File "/usr/lib/python2.7/dist-packages/rst2pdf/createpdf.py", line 85, in
> 
> from rst2pdf import flowables
>   File "/usr/lib/python2.7/dist-packages/rst2pdf/flowables.py", line 875,
> in 
> if reportlab.Version == '2.1':
> NameError: name 'reportlab' is not defined
> 
> I use a minimal rst test.rst file :
> 
> #
> 
> Tests
> 
> #
> 
> 
> This is just a test.
> 
> 
> Installing testing 3.5.13-1 version of python-reportlab works.
> 
> 
> I'm not sure on which package to report this bug, python-reportlab or
> rst2pdf.
> 
> 
> Regards,
> 
> 
> Sébastien KALT
> 
> 
>  --- System information. ---
> Architecture:
> Kernel: Linux 4.19.0-5-amd64
> 
> Debian Release: 10.0
> 980 unstable ftp.fr.debian.org
> 970 testing ftp.fr.debian.org
> 500 testing-debug debug.mirrors.debian.org
> 500 stable dl.google.com
> 500 oldstable ftp.fr.debian.org
> 1 experimental-debug debug.mirrors.debian.org
> 
> --- Package information. ---
> Depends (Version) | Installed
> -+-==
> python-pil | 5.4.1-2
> python:any (<< 2.8) |
> python:any (>= 2.7~) |
> python-reportlab-accel (>= 3.5.21-1) | 3.5.21-1
> 
> 
> Recommends (Version) | Installed
> ==-+-===
> python-renderpm |
> 
> 
> Suggests (Version) | Installed
> -+-===
> pdf-viewer |
> python-egenix-mxtexttools (>= 2.0.6-3.1) |
> python-reportlab-doc |
> 



Bug#930015: patroni: pg_createconfig_patroni writes unusable configuration for some ip-route outputs

2019-06-05 Thread Michael Banck
Package: patroni
Version: 1.5.5-1
Severity: serious

Dear Maintainer,

if "ip -4 route get 8.8.8.8" reports additional output after the "src
" (e.g. "uid 0"), the pg_createconfig_patroni script
(which runs the above command to determine the default interface) will
not properly filter this out and write it into the network at several
places including pg_hba.conf as e.g. "10.10.10.33uid0", leading to
PostgreSQL not starting up and rendering the package unusable without
further manual intervention.


Michael

-- System Information:
Debian Release: 8.10
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
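
The failure mode described in this report, as an added example that is not part of the original message and is not the package's script: a fragile extraction that yields "10.10.10.33uid0" beside one that takes only the token after "src" and validates it before it is written to a file such as pg_hba.conf. The function names and both sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample outputs of `ip -4 route get 8.8.8.8` (not captured from a real host).
ROUTE_OLD='8.8.8.8 via 10.10.10.1 dev eth0 src 10.10.10.33
    cache'
ROUTE_NEW='8.8.8.8 via 10.10.10.1 dev eth0 src 10.10.10.33 uid 0
    cache'

# Fragile (hypothetical reconstruction of the symptom, not the package's code):
# assumes the address is the last thing on the line and squeezes out spaces.
src_fragile() {
    printf '%s\n' "$1" | sed -n 's/.*src //p' | tr -d ' '
}

# Robust: return exactly the one token that follows the "src" keyword,
# whatever else iproute2 appends after it.
src_robust() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }
    '
}

# Print the source address, or fail without output so the caller can
# abort before generating any configuration file.
host_ip() {
    addr=$(src_robust "$1")
    is_ipv4 "$addr" || return 1
    printf '%s\n' "$addr"
}

# On a live system the argument would be "$(ip -4 route get 8.8.8.8)".
printf 'fragile: %s\n' "$(src_fragile "$ROUTE_NEW")"
printf 'robust:  %s\n' "$(host_ip "$ROUTE_NEW")"
```

Failing closed in `host_ip` matters as much as the parsing: a generator that aborts on an unparseable address leaves no half-written configuration behind.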



Bug#930004: marked as done (gitlab: CVE-2019-12428 CVE-2019-12431 CVE-2019-12432 CVE-2019-12433 CVE-2019-12434 CVE-2019-12441 CVE-2019-12442 CVE-2019-12443 CVE-2019-12444 CVE-2019-12445 CVE-2019-12446

2019-06-05 Thread Debian Bug Tracking System
Your message dated Wed, 05 Jun 2019 08:39:18 +
with message-id 
and subject line Bug#930004: fixed in gitlab 11.10.5+dfsg-1
has caused the Debian Bug report #930004,
regarding gitlab: CVE-2019-12428 CVE-2019-12431 CVE-2019-12432 CVE-2019-12433 
CVE-2019-12434 CVE-2019-12441 CVE-2019-12442 CVE-2019-12443 CVE-2019-12444 
CVE-2019-12445 CVE-2019-12446
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
930004: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930004
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gitlab
Version: 11.8.10+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerabilities were published for gitlab, see [11] for
a complete listing.

CVE-2019-12428[0]:
Mandatory External Authentication Provider Sign-In Restrictions Bypass

CVE-2019-12431[1]:
Disclosure of Milestone Metadata through the Search API

CVE-2019-12432[2]:
Confidential Issue Titles Revealed to Restricted Users on Unsubscribe

CVE-2019-12433[3]:
Internal Projects Allowed to Be Created on in Private Groups

CVE-2019-12434[4]:
Private Project Discovery via Comment Links

CVE-2019-12441[5]:
Protected Branches Restriction Rules Bypass

CVE-2019-12442[6]:
Stored Cross-Site Scripting Vulnerability on Child Epics

CVE-2019-12443[7]:
Server-Side Request Forgery Through DNS Rebinding

CVE-2019-12444[8]:
Stored Cross-Site Scripting on Wiki Pages

CVE-2019-12445[9]:
Stored Cross-Site Scripting on Notes

CVE-2019-12446[10]:
Repository Password Disclosed on Import Error Page

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12428
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12428
[1] https://security-tracker.debian.org/tracker/CVE-2019-12431
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12431
[2] https://security-tracker.debian.org/tracker/CVE-2019-12432
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12432
[3] https://security-tracker.debian.org/tracker/CVE-2019-12433
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12433
[4] https://security-tracker.debian.org/tracker/CVE-2019-12434
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12434
[5] https://security-tracker.debian.org/tracker/CVE-2019-12441
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12441
[6] https://security-tracker.debian.org/tracker/CVE-2019-12442
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12442
[7] https://security-tracker.debian.org/tracker/CVE-2019-12443
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12443
[8] https://security-tracker.debian.org/tracker/CVE-2019-12444
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12444
[9] https://security-tracker.debian.org/tracker/CVE-2019-12445
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12445
[10] https://security-tracker.debian.org/tracker/CVE-2019-12446
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12446
[11] 
https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gitlab
Source-Version: 11.10.5+dfsg-1

We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen  (supplier of updated gitlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Wed, 05 Jun 2019 12:35:18 +0530
Source: gitlab
Architecture: source
Version: 11.10.5+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers 

Changed-By: Pirate Praveen 
Closes: 930004
Changes:
 gitlab (11.10.5+dfsg-1) experimental; urgency=medium
 .
   [ Pirate Praveen ]
   * New upstream security release 11.10.5+dfsg (Closes: #930004)
 (Fixes: CVE-2019-12428, CVE-2019-12431, CVE-2019-12432, CVE-2019-12433,
 

Processed: user release.debian....@packages.debian.org, usertagging 558422, tagging 558422

2019-06-05 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> user release.debian@packages.debian.org
Setting user to release.debian@packages.debian.org (was ni...@thykier.net).
> usertags 558422 buster-can-defer
There were no usertags set.
Usertags are now: buster-can-defer.
> tags 558422 + buster-ignore
Bug #558422 [grub-pc] grub-pc: upgrade hangs
Added tag(s) buster-ignore.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
558422: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558422
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: user release.debian....@packages.debian.org, usertagging 926699, tagging 926699

2019-06-05 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> user release.debian@packages.debian.org
Setting user to release.debian@packages.debian.org (was ni...@thykier.net).
> usertags 926699 buster-can-defer
There were no usertags set.
Usertags are now: buster-can-defer.
> tags 926699 + buster-ignore
Bug #926699 [libc6-x32,libc6-i386] libc6-{i386,x32}: installing, removing, 
reinstalling in a --merged-usr system results in unmerged /lib{32,x32}
Added tag(s) buster-ignore.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
926699: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926699
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems