Processed: Add more blocking bugs

2019-06-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> block 930404 by 929829
Bug #930404 [gitlab] [Meta] move gitlab back to main from contrib
930404 was blocked by: 930262 930372 863294 863293
930404 was not blocking any bugs.
Added blocking bug(s) of 930404: 929829
> Thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
930404: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930404
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#930256: marked as done (Ignoring Provides line with non-equal DepCompareOp for package firefox-l10n-bn-bd)

2019-06-11 Thread Debian Bug Tracking System
Your message dated Wed, 12 Jun 2019 01:21:33 +
with message-id 
and subject line Bug#930256: fixed in firefox 68.0~b9-1
has caused the Debian Bug report #930256,
regarding Ignoring Provides line with non-equal DepCompareOp for package 
firefox-l10n-bn-bd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
930256: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930256
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: firefox-l10n-bn-bd

# apt-get update
W: Ignoring Provides line with non-equal DepCompareOp for package 
firefox-l10n-bn-bd
W: Ignoring Provides line with non-equal DepCompareOp for package 
firefox-l10n-bn-in
--- End Message ---
--- Begin Message ---
Source: firefox
Source-Version: 68.0~b9-1

We believe that the bug you reported is fixed in the latest version of
firefox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Hommey  (supplier of updated firefox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Wed, 12 Jun 2019 06:52:54 +0900
Source: firefox
Architecture: source
Version: 68.0~b9-1
Distribution: experimental
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages 

Changed-By: Mike Hommey 
Closes: 930256
Changes:
 firefox (68.0~b9-1) experimental; urgency=medium
 .
   * New upstream beta release.
 .
   * debian/l10n/browser-l10n.control.in: Remove versions from Provides line
 for browser-l10n-bn. Closes: #930256.
   * debian/rules: Disable JIT at build time on mips because it fails to build.
 .
   * config/system-headers.mozbuild, Cargo.lock,
 third_party/rust/lmdb-rkv-sys/.cargo-checksum.json,
 third_party/rust/lmdb-rkv-sys/Cargo.toml,
 third_party/rust/lmdb-rkv-sys/lmdb/libraries/liblmdb/mdb.c,
 third_party/rust/lmdb-rkv-sys/src/lib.rs,
 toolkit/library/rust/shared/Cargo.toml: Fix FTBFS in lmdb-rkv-sys on mips.
 bz#1557171.

Bug#930299: marked as done (apt: A warning "Ignoring Provides line with non-equal DepCompareOp for package" for two packages)

2019-06-11 Thread Debian Bug Tracking System
Your message dated Wed, 12 Jun 2019 01:21:33 +
with message-id 
and subject line Bug#930256: fixed in firefox 68.0~b9-1
has caused the Debian Bug report #930256,
regarding apt: A warning "Ignoring Provides line with non-equal DepCompareOp 
for package" for two packages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
930256: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930256
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 1.8.2
Severity: normal

Dear Maintainer,

After yesterday's apt-get update, I get this message every time I run it:

W: Ignoring Provides line with non-equal DepCompareOp for package
firefox-l10n-bn-bd
W: Ignoring Provides line with non-equal DepCompareOp for package
firefox-l10n-bn-in

And I am pretty sure I saw it on some output of apt-cache.
Everything else works fine however, so it is just a minor issue for these 2
packages I guess.



-- Package-specific info:

-- apt-config dump --


Bug#930260: marked as done (Ignoring Provides line with non-equal DepCompareOp for package firefox-l10n-bn-bd)

2019-06-11 Thread Debian Bug Tracking System
Your message dated Wed, 12 Jun 2019 01:21:33 +
with message-id 
and subject line Bug#930256: fixed in firefox 68.0~b9-1
has caused the Debian Bug report #930256,
regarding Ignoring Provides line with non-equal DepCompareOp for package 
firefox-l10n-bn-bd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
930256: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930256
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 1.8.2
Severity: normal

Dear Maintainer,

I got the following errors while updating the apt index -

2 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: Ignoring Provides line with non-equal DepCompareOp for package
firefox-l10n-bn-bd
W: Ignoring Provides line with non-equal DepCompareOp for package
firefox-l10n-bn-in

-- Package-specific info:

-- apt-config dump --


Bug#881566: Epydoc will be removed after buster

2019-06-11 Thread Kenneth Pronovici
Hi,

This bug report is now over 18 months old with no reply.

I intend to have the epydoc package removed from unstable a few weeks after
buster is released. Besides its lack of support for Python 3, epydoc has
been completely unsupported upstream for close to a decade.  It really
should have been removed from the archive years ago.

If you are in the process of migrating and simply need more time, *please*
reply to this bug and we can come to some sort of arrangement.  Otherwise,
I'm going to have the package removed as planned.  Once the package is
removed, your best short-term solution is to just stop building API
documentation until you find time to convert to another tool.

Thanks,

KEN

-- 
Kenneth J. Pronovici


Bug#930168: Confirming the bug on Debian

2019-06-11 Thread Alexander Kernozhitsky
I also encounter this bug on Debian Buster.

But I manually disabled all the AppStream and DEP-11 metadata from apt 
configs, so this may be the reason.

Can anyone reproduce this on a clean system?

-- 
Alexander Kernozhitsky



Processed: retitle 930376 to CVE-2019-12795: gvfsd GetConnection() missing authorization check

2019-06-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 930376 CVE-2019-12795: gvfsd GetConnection() missing authorization 
> check
Bug #930376 {Done: Simon McVittie } [gvfs-daemons] gvfsd 
GetConnection() missing authorization check
Changed Bug title to 'CVE-2019-12795: gvfsd GetConnection() missing 
authorization check' from 'gvfsd GetConnection() missing authorization check'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
930376: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930376
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#929617: marked as done (d3-format: latest-debian-changelog-entry-reuses-existing-version)

2019-06-11 Thread Debian Bug Tracking System
Your message dated Tue, 11 Jun 2019 22:03:42 +
with message-id 
and subject line Bug#929617: fixed in d3-format 1:1.0.2-3.1
has caused the Debian Bug report #929617,
regarding d3-format: latest-debian-changelog-entry-reuses-existing-version
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
929617: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929617
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: d3-format
Version: 1:1.0.2-1
Severity: serious

W: libjs-d3-format: latest-debian-changelog-entry-reuses-existing-version 
1:1.0.2-1 == 1.0.2-1 (last used: Sat, 19 Nov 2016 04:00:20 +0100)
N: 
N:The latest changelog entry has a version that matches one used in the
N:specified previous entry. All versions of a source package must be
N:unique even after a leading epoch has been stripped off.
N:
N:Files generated by the current version of this source package would
N:conflict with some historical files. This is because the Debian archive
N:does not allow multiple files with the same name and different contents
N:and the generated .dsc, .deb, etc. do not embed the epoch in their
N:filenames.
N:
N:Please pick another version, for example by increasing the Debian
N:revision.
N:
N:Severity: normal, Certainty: certain
N:
N:Check: changelog-file, Type: binary

Changelog and snapshot.debian.org know about 1.0.2-2, so 1:1.0.2-3 should
be the next safe version number to use.


Andreas

PS: I do not want to repeat https://bugs.debian.org/929614
--- End Message ---
--- Begin Message ---
Source: d3-format
Source-Version: 1:1.0.2-3.1

We believe that the bug you reported is fixed in the latest version of
d3-format, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Balint Reczey  (supplier of updated d3-format package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 08 Jun 2019 22:52:37 +0200
Source: d3-format
Binary: libjs-d3-format node-d3-format
Architecture: source
Version: 1:1.0.2-3.1
Distribution: unstable
Urgency: medium
Maintainer: Ximin Luo 
Changed-By: Balint Reczey 
Description:
 libjs-d3-format - Formatting numbers for human consumption - browser library
 node-d3-format - Formatting numbers for human consumption - NodeJS module
Closes: 929617
Changes:
 d3-format (1:1.0.2-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload (Closes: #929617)
 - Bumping the version to over 1:1.0.2-3 because 1.0.2-3 was used by
   src:node-d3-format

Processed: tagging 930356

2019-06-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 930356 + upstream
Bug #930356 [src:parso] CVE-2019-12760
Added tag(s) upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
930356: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930356
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#927126: Fwd: Bug#929342: unblock: aqemu/0.9.2-2.2

2019-06-11 Thread Alexis Murzeau
On 11/06/2019 at 21:58, Paul Gevers wrote:
> Hi Alexis,
> 
> [Note: when you think you have covered questions asked, please remove
> the moreinfo tag, as it will make the bug show up in the list of bugs
> that need attention from us].

Ok, I guess that tag should be removed once aqemu/0.9.2-2.3 enters
unstable, right?

> 
> On 06-06-2019 22:16, Alexis Murzeau wrote:
>> The modification I've done in version aqemu/0.9.2-2.3 specifically fix
>> descriptions that was referring to VLAN or Virtual LAN (all instances)
>> as reported by Jonathan.
>> I've reused the description of the various command line arguments that
>> no longer accept the vlan parameter from the qemu man page.
>>
>> (aqemu/0.9.2-2.3 is not in unstable as of now).
>>
>> This is the diff between aqemu/0.9.2-2.2 (unstable) and aqemu/0.9.2-2.3
>> (upload candidate on mentors.debian.net):
>>
>> https://salsa.debian.org/amurzeau-guest/aqemu/compare/debian%2F0.9.2-2.2...debian%2F0.9.2-2.3#380c8035425c8dcf8fb5ead9e2d4e5bc1a9f7192
> 
> This looks OK, so I think it is best to find a sponsor to upload that,
> such that we can proceed with unblocking when the full patch is reviewed.
> 
>> And the diff between actual buster version (aqemu/0.9.2-2.1) and
>> aqemu/0.9.2-2.3:
>>
>> https://salsa.debian.org/amurzeau-guest/aqemu/compare/debian%2F0.9.2-2.1...debian%2F0.9.2-2.3
> 
> I specifically note that I have *not* checked the full diff.
> 
> Paul
> 

I will make an RFS since Abhijith does not seem available to do the upload.

-- 
Alexis Murzeau
PGP: B7E6 0EBB 9293 7B06 BDBC  2787 E7BD 1904 F480 937F





Bug#927126: Fwd: Bug#929342: unblock: aqemu/0.9.2-2.2

2019-06-11 Thread Paul Gevers
Hi Alexis,

[Note: when you think you have covered questions asked, please remove
the moreinfo tag, as it will make the bug show up in the list of bugs
that need attention from us].

On 06-06-2019 22:16, Alexis Murzeau wrote:
> The modification I've done in version aqemu/0.9.2-2.3 specifically fix
> descriptions that was referring to VLAN or Virtual LAN (all instances)
> as reported by Jonathan.
> I've reused the description of the various command line arguments that
> no longer accept the vlan parameter from the qemu man page.
> 
> (aqemu/0.9.2-2.3 is not in unstable as of now).
> 
> This is the diff between aqemu/0.9.2-2.2 (unstable) and aqemu/0.9.2-2.3
> (upload candidate on mentors.debian.net):
> 
> https://salsa.debian.org/amurzeau-guest/aqemu/compare/debian%2F0.9.2-2.2...debian%2F0.9.2-2.3#380c8035425c8dcf8fb5ead9e2d4e5bc1a9f7192

This looks OK, so I think it is best to find a sponsor to upload that,
such that we can proceed with unblocking when the full patch is reviewed.

> And the diff between actual buster version (aqemu/0.9.2-2.1) and
> aqemu/0.9.2-2.3:
> 
> https://salsa.debian.org/amurzeau-guest/aqemu/compare/debian%2F0.9.2-2.1...debian%2F0.9.2-2.3

I specifically note that I have *not* checked the full diff.

Paul





Bug#930388: ruby-openid: CVE-2019-11027

2019-06-11 Thread Salvatore Bonaccorso
Source: ruby-openid
Version: 2.7.0debian-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/openid/ruby-openid/issues/122

Hi,

The following vulnerability was published for ruby-openid.

CVE-2019-11027[0]:
| Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable
| flaw. This library is used by Rails web applications to integrate with
| OpenID Providers. Severity can range from medium to critical,
| depending on how a web application developer chose to employ the ruby-
| openid library. Developers who based their OpenID integration heavily
| on the "example app" provided by the project are at highest risk.

Unfortunately there is very scarce information available for this issue.
SuSE folks did try to ask upstream in [1]. Originally the assignment
seems to come from [2], but this as well does practically not give
enough information.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11027
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11027
[1] https://github.com/openid/ruby-openid/issues/122
[2] https://marc.info/?l=openid-security=155154717027534=2

Regards,
Salvatore



Bug#930387: closing 930387

2019-06-11 Thread Salvatore Bonaccorso
close 930387 1.8.6-1
thanks



Processed: closing 930387

2019-06-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> close 930387 1.8.6-1
Bug #930387 [src:rdesktop] rdekstop: security issues fixed in 1.8.5 and 1.8.6
Ignoring request to alter fixed versions of bug #930387 to the same values 
previously set
Bug #930387 [src:rdesktop] rdekstop: security issues fixed in 1.8.5 and 1.8.6
Marked Bug as done
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
930387: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930387
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#930387: rdekstop: security issues fixed in 1.8.5 and 1.8.6

2019-06-11 Thread Salvatore Bonaccorso
Source: rdesktop
Version: 1.8.4-1
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
Control: fixed -1 1.8.6-1

Hi

1.8.6-1 mentions a new upstream release with many security fixes, but
none of those apparently have (yet) a CVE. Filing this bug for having
a unique identifier for the tracker in the meanwhile.

Reference: 
https://tracker.debian.org/news/1041036/accepted-rdesktop-186-1-source-into-unstable/

Regards,
Salvatore



Bug#928770: closed by Laszlo Boszormenyi (GCS) (Bug#928770: fixed in sqlite3 3.27.2-3)

2019-06-11 Thread Salvatore Bonaccorso
Hi!

On Tue, Jun 11, 2019 at 07:24:06AM +0200, László Böszörményi (GCS) wrote:
> Hi Salvatore,
> 
> On Tue, Jun 11, 2019 at 6:18 AM Salvatore Bonaccorso  
> wrote:
> > On Mon, Jun 10, 2019 at 05:06:07PM +, Debian Bug Tracking System wrote:
> > >  sqlite3 (3.27.2-3) unstable; urgency=high
> > >  .
> > >* Backport security related patches:
> > [...]
> > >  - prevent aliases of window functions expressions from being used as
> > >arguments to aggregate or other window functions (probably fixing
> > >CVE-2019-5018) (closes: #928770),
> >
> > Did you got any upstream confirmation or from TALOS project that this
> > one was the right fixes to pick for the CVE-2019-5018 issue?
>  I can't find a contact method for TALOS project. Upstream says they
> don't know what's CVE-2019-5018 but I can assemble the PoC from the
> TALOS report page. As they know / read the issue it is fixed in
> sqlite3 3.28.0 and I should use that - being tested in every sense by
> their closed source detailed test cases.
> But upstream says that the commit (I've used for the package) is a
> good to have fix for window functions.
> Then it was asked publicly again and all that upstream say about which
> version / commit fixes this: "it appears to be 3.28.0, as best as I
> can tell"[1]. Anyone can interpret this as s/he would like. :-/

Okay, very sad that this is so much intransparent from upstream.

Thanks for your research and try of contact!

Regards,
Salvatore



Processed: rdekstop: security issues fixed in 1.8.5 and 1.8.6

2019-06-11 Thread Debian Bug Tracking System
Processing control commands:

> fixed -1 1.8.6-1
Bug #930387 [src:rdesktop] rdekstop: security issues fixed in 1.8.5 and 1.8.6
Marked as fixed in versions rdesktop/1.8.6-1.

-- 
930387: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930387
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: found 930356 in 0.3.1-1

2019-06-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 930356 0.3.1-1
Bug #930356 [src:parso] CVE-2019-12760
Marked as found in versions parso/0.3.1-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
930356: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930356
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: change outlook of 865975

2019-06-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> outlook 865975 enable net.ipv4.ip_forward before starting docker
Outlook replaced with message bug 865975 message 
Outlook replaced with message bug 865975 message 
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
865975: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865975
930302: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930302
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#916610: spacenavd: diff for NMU version 0.6-1.1

2019-06-11 Thread sur5r
Control: tags 916610 + pending


Dear maintainer,

I've prepared an NMU for spacenavd (versioned as 0.6-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.

diff -Nru spacenavd-0.6/debian/changelog spacenavd-0.6/debian/changelog
--- spacenavd-0.6/debian/changelog  2015-05-18 10:04:05.0 +
+++ spacenavd-0.6/debian/changelog  2019-06-01 11:13:33.0 +
@@ -1,3 +1,11 @@
+spacenavd (0.6-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix "conflict with /dev/input/js0" (Closes: #916610)
+- Fixed upstream in 34ddda1246ad07e8ff2e6606224e710852e3e3d8
+
+ -- Jakob Haufe   Sat, 01 Jun 2019 11:13:33 +
+
 spacenavd (0.6-1) unstable; urgency=medium
 
   * Imported Upstream version 0.6
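Review bot: the new 0.6-1.1 entry in debian/changelog records the upstream commit id but never names the file this upload adds. Since the NMU ships debian/patches/skip-joystick-devices.patch and lists it in debian/patches/series, say so in the entry (for example "Add skip-joystick-devices.patch"), so a reader of the changelog can tell which patch closes #916610 without opening the diff.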
diff -Nru spacenavd-0.6/debian/patches/series 
spacenavd-0.6/debian/patches/series
--- spacenavd-0.6/debian/patches/series 2015-05-18 10:04:05.0 +
+++ spacenavd-0.6/debian/patches/series 2019-06-01 11:04:55.0 +
@@ -1,2 +1,3 @@
 add-buildflags-to-makefile.patch
 run.patch
+skip-joystick-devices.patch
diff -Nru spacenavd-0.6/debian/patches/skip-joystick-devices.patch 
spacenavd-0.6/debian/patches/skip-joystick-devices.patch
--- spacenavd-0.6/debian/patches/skip-joystick-devices.patch1970-01-01 
00:00:00.0 +
+++ spacenavd-0.6/debian/patches/skip-joystick-devices.patch2019-06-01 
11:13:33.0 +
@@ -0,0 +1,37 @@
+Description: Skip joystick device files
+Author: John Tsiombikas 
+Origin: upstream, 
https://github.com/FreeSpacenav/spacenavd/commit/34ddda1246ad07e8ff2e6606224e710852e3e3d8
+Bug-Debian: https://bugs.debian.org/916610
+---
+commit 34ddda1246ad07e8ff2e6606224e710852e3e3d8
+Author: John Tsiombikas 
+Date:   Sat Oct 11 05:07:58 2014 +
+
+added code to skip joystick device files while parsing 
/proc/bus/input/devices
+
+
+git-svn-id: svn+ssh://svn.code.sf.net/p/spacenav/code/trunk/spacenavd@183 
ef983eb1-d774-4af8-acfd-baaf7b16a646
+
+diff --git a/src/dev_usb_linux.c b/src/dev_usb_linux.c
+index 30db579..5f4baad 100644
+--- a/src/dev_usb_linux.c
 b/src/dev_usb_linux.c
+@@ -342,11 +342,16 @@ struct usb_device_info *find_usb_devices(int 
(*match)(const struct usb_device_in
+   case 'H':
+   keyptr = strstr(cur_line, "Handlers=");
+   if(keyptr) {
+-  char *devfile, *valptr = keyptr 
+ strlen("Handlers=");
++  char *devfile = 0, *valptr = 
keyptr + strlen("Handlers=");
+   static const char *prefix = 
"/dev/input/";
+ 
+   int idx = 0;
+-  while((devfile = strtok(idx ? 0 
: valptr, " \t\v\n\r"))) {
++  while((devfile = strtok(devfile 
? 0 : valptr, " \t\v\n\r"))) {
++  if(strstr(devfile, 
"js") == devfile) {
++  /* ignore 
joystick device files, can't use them */
++  continue;
++  }
++
+   
if(!(devinfo.devfiles[idx] = malloc(strlen(devfile) + strlen(prefix) + 1))) {
+   perror("failed 
to allocate device filename buffer");
+   continue;
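Review bot: the added joystick test in the strtok loop, strstr(devfile, "js") == devfile, scans the whole token to answer a prefix question; strncmp(devfile, "js", 2) == 0 states the intent and stops after two bytes. As written the test also skips every Handlers= token that merely begins with "js", so the comment should say that only jsN nodes are expected to match. The switch of the strtok first argument from idx to devfile is what keeps tokenising correct once a skipped token no longer advances idx, and that dependency deserves a one-line comment next to the while condition, because reverting it would restart the scan from valptr after every skipped js entry.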



Processed: spacenavd: diff for NMU version 0.6-1.1

2019-06-11 Thread Debian Bug Tracking System
Processing control commands:

> tags 916610 + pending
Bug #916610 [spacenavd] spacenavd: conflict with /dev/input/js0
Added tag(s) pending.

-- 
916610: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916610
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: .

2019-06-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 929617 pending patch
Bug #929617 [src:d3-format] d3-format: 
latest-debian-changelog-entry-reuses-existing-version
Added tag(s) pending and patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
929617: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929617
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#930375: marked as done (CVE-2019-12749: DBusServer DBUS_COOKIE_SHA1 authentication bypass)

2019-06-11 Thread Debian Bug Tracking System
Your message dated Tue, 11 Jun 2019 19:28:00 +0100
with message-id <20190611182800.gb8...@espresso.pseudorandom.co.uk>
and subject line Re: Bug#930375: CVE-2019-12749: DBusServer DBUS_COOKIE_SHA1 
authentication bypass
has caused the Debian Bug report #930375,
regarding CVE-2019-12749: DBusServer DBUS_COOKIE_SHA1 authentication bypass
to be marked as done.


-- 
930375: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930375
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libdbus-1-3
Version: 1.0.0-1
Severity: grave
Tags: security fixed-upstream patch
Forwarded: https://gitlab.freedesktop.org/dbus/dbus/issues/269

Joe Vennix of Apple Information Security discovered an implementation flaw
in the DBUS_COOKIE_SHA1 authentication mechanism. A malicious client with
write access to its own home directory could manipulate a ~/.dbus-keyrings
symlink to cause a DBusServer with a different uid to read and write
in unintended locations. In the worst case, this could result in the
DBusServer reusing a cookie that is known to the malicious client, and
treating that cookie as evidence that a subsequent client connection
came from an attacker-chosen uid, allowing authentication bypass.

This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism.
In supported branches of dbus it also does not normally affect the standard
session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon instances,
standard dbus-daemon instances with non-standard configuration, and the
session bus in older/unsupported dbus branches (such as dbus 1.6.x in
Ubuntu 14.04 LTS).

For buster this has been fixed in libdbus-1-3 1.12.16-1. I'll close this
bug when I have a bug number.

For stretch this has been fixed in upstream release 1.10.28 and I am
discussing with the security team whether it is DSA-worthy, and if so,
whether to upload 1.10.28-0+deb9u1 or a minimal backport.

For experimental this will be fixed by upstream release 1.13.12 when
I've tested it.

If the Debian LTS team want to address this vulnerability
in jessie (which has an EOL dbus branch that we no
longer support upstream), they should backport upstream commit

and optionally also the build-time test coverage found in
.

Regards,
smcv
--- End Message ---
--- Begin Message ---
Version: 1.13.12-1

On Tue, 11 Jun 2019 at 17:34:40 +0100, Simon McVittie wrote:
> For experimental this will be fixed by upstream release 1.13.12 when
> I've tested it.

Now uploaded.
--- End Message ---
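The report above describes a server of one uid being steered through a ~/.dbus-keyrings symlink. The following is an added example, not part of the original mail and not the dbus patch: a server-side check that only considers cookie authentication for its own uid and opens the keyring directory without following a final symlink. The function names and the policy are assumptions made for illustration.

```python
import os
import stat
import tempfile


def open_private_dir(path, owner_uid):
    """Open `path` as a directory without following a symlink in its final
    component, then verify owner and mode on the opened descriptor, so the
    object that was checked is the object that is later used.
    Returns the file descriptor; raises PermissionError on any violation.
    Note: O_NOFOLLOW does not cover symlinks in earlier path components."""
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        raise PermissionError(f"{path}: not a plain directory: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)
        if st.st_uid != owner_uid:
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
        if stat.S_IMODE(st.st_mode) & 0o077:
            raise PermissionError(f"{path}: accessible to group or others")
    except PermissionError:
        os.close(fd)
        raise
    return fd


def may_use_cookie_auth(claimed_uid, keyring_path, server_uid=None):
    """Illustrative policy (an assumption of this example): a cookie stored
    in a home directory is only trusted when the client claims the uid the
    server itself runs as, and the keyring directory passes the checks."""
    if server_uid is None:
        server_uid = os.geteuid()
    if claimed_uid != server_uid:
        return False  # never touch another user's home directory
    try:
        fd = open_private_dir(keyring_path, server_uid)
    except PermissionError:
        return False
    os.close(fd)
    return True


def demo():
    """Run the policy over constructed directories and return the verdicts."""
    results = {}
    me = os.geteuid()
    with tempfile.TemporaryDirectory() as base:
        keyring = os.path.join(base, "keyrings")  # constructed sample path
        os.mkdir(keyring)
        os.chmod(keyring, 0o700)
        link = os.path.join(base, "link-to-keyrings")
        os.symlink(keyring, link)

        results["own_dir"] = may_use_cookie_auth(me, keyring)
        results["symlink"] = may_use_cookie_auth(me, link)
        results["other_uid"] = may_use_cookie_auth(me + 1, keyring)
        os.chmod(keyring, 0o755)
        results["loose_mode"] = may_use_cookie_auth(me, keyring)
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:10s} -> {'allowed' if allowed else 'refused'}")
```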


Bug#930375: marked as done (CVE-2019-12749: DBusServer DBUS_COOKIE_SHA1 authentication bypass)

2019-06-11 Thread Debian Bug Tracking System
Your message dated Tue, 11 Jun 2019 19:27:05 +0100
with message-id <20190611182705.ga8...@espresso.pseudorandom.co.uk>
and subject line Re: Bug#930375: CVE-2019-12749: DBusServer DBUS_COOKIE_SHA1 
authentication bypass
has caused the Debian Bug report #930375,
regarding CVE-2019-12749: DBusServer DBUS_COOKIE_SHA1 authentication bypass
to be marked as done.


-- 
930375: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930375
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Version: 1.12.16-1

On Tue, 11 Jun 2019 at 17:44:18 +0100, Simon McVittie wrote:
> On Tue, 11 Jun 2019 at 17:34:40 +0100, Simon McVittie wrote:
> > For buster this has been fixed in libdbus-1-3 1.12.16-1. I'll close this
> > bug when I have a bug number.

Now with correct -done address...
--- End Message ---


Bug#930348: chromium: missing intrinsics on armhf

2019-06-11 Thread Riku Voipio
The build is fixed in:

https://salsa.debian.org/chromium-team/chromium/commits/arm-fixes/debian

I can make an upload if you prefer, or I can wait for you.

Cheers,
Riku



Processed: Re: Bug#930373: Shotwell: double clicking on the image viewer freezes an image of the picture. Reboot required

2019-06-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 930373 + moreinfo
Bug #930373 [shotwell] Shotwell: double clicking on the image viewer freezes an 
image of the picture. Reboot required
Added tag(s) moreinfo.
> severity 930373 important
Bug #930373 [shotwell] Shotwell: double clicking on the image viewer freezes an 
image of the picture. Reboot required
Severity set to 'important' from 'critical'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
930373: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930373
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#930376: marked as done (gvfsd GetConnection() missing authorization check)

2019-06-11 Thread Debian Bug Tracking System
Your message dated Tue, 11 Jun 2019 17:58:59 +0100
with message-id <20190611165859.ga4...@espresso.pseudorandom.co.uk>
and subject line Re: Bug#930376: gvfsd GetConnection() missing authorization 
check
has caused the Debian Bug report #930376,
regarding gvfsd GetConnection() missing authorization check
to be marked as done.


-- 
930376: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930376
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gvfs-daemons
Version: 1.14.1-1
Severity: grave
Tags: security fixed-upstream patch
Forwarded: https://gitlab.gnome.org/GNOME/gvfs/commit/70dbfc68a79faac49bd3423e079cb6902522082a

While looking for services that might be vulnerable to CVE-2019-12749
or a similar vulnerability, I noticed that gvfsd has a mechanism to open
a private D-Bus server socket, and does not configure an authorization
check for clients connecting to that socket. An attacker who learns the
abstract socket address from netstat(8) or similar could connect to it
and issue D-Bus method calls.

Mitigation: the attacker would have to win a race with the user owning
gvfsd, who is probably also trying to connect to the same socket. gvfsd
closes the socket after it has accepted one connection.

I have requested a CVE ID from MITRE but not received one yet.

For buster/sid this has been fixed in gvfs 1.38.1-5.

For experimental this has been fixed in gvfs 1.40.1-2.

I do not have a tested patch for stretch or jessie, but the same change
would probably work as-is.

It would probably be a good idea to also backport
https://gitlab.gnome.org/GNOME/gvfs/commit/16a275041de2e70063da8aa5cfb2804de9a2f60a
for additional hardening. This forces authentication to use the
simple, robust EXTERNAL (credentials-passing) mechanism, disabling
DBUS_COOKIE_SHA1, which is somewhat fragile and seems more likely to
contain unknown vulnerabilities.

Regards,
smcv
--- End Message ---
--- Begin Message ---
Version: 1.38.1-5

On Tue, 11 Jun 2019 at 17:45:56 +0100, Simon McVittie wrote:
> For buster/sid this has been fixed in gvfs 1.38.1-5.
--- End Message ---
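The report above turns on a private socket that accepts one connection with no authorization check, and recommends credentials passing. As an added example (not code from gvfs or from the original mail): a Linux listener on an abstract Unix socket that reads the kernel-reported peer credentials with SO_PEERCRED and drops any peer whose uid is not the allowed one. The socket name and function names are assumptions.

```python
import os
import socket
import struct

# Layout of struct ucred on Linux: pid, uid, gid, each a 32-bit integer.
_UCRED = struct.Struct("3i")


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the other end of a connected
    AF_UNIX socket. The values come from the kernel, not from the peer."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def authorize_peer(conn, allowed_uid=None):
    """Authorization decision: only the given uid (default: our own effective
    uid) may use this connection."""
    if allowed_uid is None:
        allowed_uid = os.geteuid()
    _pid, uid, _gid = peer_credentials(conn)
    return uid == allowed_uid


def accept_authorized(listener, allowed_uid=None):
    """Accept exactly one connection and return it only if the peer is
    authorized; otherwise close it and return None."""
    conn, _addr = listener.accept()
    if not authorize_peer(conn, allowed_uid):
        conn.close()
        return None
    return conn


def demo():
    """Connect to a one-shot abstract socket twice: once with the listener
    expecting our uid, once expecting a different uid."""
    me = os.geteuid()
    # Leading NUL byte selects the abstract namespace; the name is constructed.
    addr = "\0added-example-peercred-%d" % os.getpid()
    results = {}
    for label, allowed in (("same_uid", me), ("other_uid", me + 1)):
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
            listener.bind(addr)
            listener.listen(1)
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
                client.connect(addr)
                conn = accept_authorized(listener, allowed)
                results[label] = conn is not None
                if conn is not None:
                    conn.close()
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:9s} -> {'accepted' if accepted else 'rejected'}")
```

Knowing the abstract address is not enough to pass this check, because the uid is taken from the kernel at connect time.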


Bug#930376: marked as done (gvfsd GetConnection() missing authorization check)

2019-06-11 Thread Debian Bug Tracking System
Your message dated Tue, 11 Jun 2019 18:00:41 +0100
with message-id <20190611170041.gc4...@espresso.pseudorandom.co.uk>
and subject line Re: Bug#930376: gvfsd GetConnection() missing authorization 
check
has caused the Debian Bug report #930376,
regarding gvfsd GetConnection() missing authorization check
to be marked as done.


-- 
930376: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930376
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Version: 1.40.1-3

On Tue, 11 Jun 2019 at 17:45:56 +0100, Simon McVittie wrote:
> For buster/sid this has been fixed in gvfs 1.40.1-2

Correction: 1.40.1-2 is vulnerable, 1.40.1-3 is fixed.

smcv
--- End Message ---


Bug#930375: CVE-2019-12749: DBusServer DBUS_COOKIE_SHA1 authentication bypass

2019-06-11 Thread Simon McVittie
Version: 1.12.16-1

On Tue, 11 Jun 2019 at 17:34:40 +0100, Simon McVittie wrote:
> For buster this has been fixed in libdbus-1-3 1.12.16-1. I'll close this
> bug when I have a bug number.



Bug#930376: gvfsd GetConnection() missing authorization check

2019-06-11 Thread Simon McVittie
Package: gvfs-daemons
Version: 1.14.1-1
Severity: grave
Tags: security fixed-upstream patch
Forwarded: https://gitlab.gnome.org/GNOME/gvfs/commit/70dbfc68a79faac49bd3423e079cb6902522082a

While looking for services that might be vulnerable to CVE-2019-12749
or a similar vulnerability, I noticed that gvfsd has a mechanism to open
a private D-Bus server socket, and does not configure an authorization
check for clients connecting to that socket. An attacker who learns the
abstract socket address from netstat(8) or similar could connect to it
and issue D-Bus method calls.

Mitigation: the attacker would have to win a race with the user owning
gvfsd, who is probably also trying to connect to the same socket. gvfsd
closes the socket after it has accepted one connection.

I have requested a CVE ID from MITRE but not received one yet.

For buster/sid this has been fixed in gvfs 1.38.1-5.

For experimental this has been fixed in gvfs 1.40.1-2.

I do not have a tested patch for stretch or jessie, but the same change
would probably work as-is.

It would probably be a good idea to also backport
https://gitlab.gnome.org/GNOME/gvfs/commit/16a275041de2e70063da8aa5cfb2804de9a2f60a
for additional hardening. This forces authentication to use the
simple, robust EXTERNAL (credentials-passing) mechanism, disabling
DBUS_COOKIE_SHA1, which is somewhat fragile and seems more likely to
contain unknown vulnerabilities.

Regards,
smcv



Bug#930375: CVE-2019-12749: DBusServer DBUS_COOKIE_SHA1 authentication bypass

2019-06-11 Thread Simon McVittie
Package: libdbus-1-3
Version: 1.0.0-1
Severity: grave
Tags: security fixed-upstream patch
Forwarded: https://gitlab.freedesktop.org/dbus/dbus/issues/269

Joe Vennix of Apple Information Security discovered an implementation flaw
in the DBUS_COOKIE_SHA1 authentication mechanism. A malicious client with
write access to its own home directory could manipulate a ~/.dbus-keyrings
symlink to cause a DBusServer with a different uid to read and write
in unintended locations. In the worst case, this could result in the
DBusServer reusing a cookie that is known to the malicious client, and
treating that cookie as evidence that a subsequent client connection
came from an attacker-chosen uid, allowing authentication bypass.

This vulnerability does not normally affect the standard system
dbus-daemon, which only allows the EXTERNAL authentication mechanism.
In supported branches of dbus it also does not normally affect the standard
session dbus-daemon, for the same reason.

However, this vulnerability can affect third-party users of DBusServer
(such as Upstart in Ubuntu 14.04 LTS), third-party dbus-daemon instances,
standard dbus-daemon instances with non-standard configuration, and the
session bus in older/unsupported dbus branches (such as dbus 1.6.x in
Ubuntu 14.04 LTS).

For buster this has been fixed in libdbus-1-3 1.12.16-1. I'll close this
bug when I have a bug number.

For stretch this has been fixed in upstream release 1.10.28 and I am
discussing with the security team whether it is DSA-worthy, and if so,
whether to upload 1.10.28-0+deb9u1 or a minimal backport.

For experimental this will be fixed by upstream release 1.13.12 when
I've tested it.

If the Debian LTS team want to address this vulnerability
in jessie (which has an EOL dbus branch that we no
longer support upstream), they should backport upstream commit

and optionally also the build-time test coverage found in
.

Regards,
smcv



Bug#930373: Shotwell: double clicking on the image viewer freezes an image of the picture. Reboot required

2019-06-11 Thread Fran Glais
Package: shotwell
Version: 0.30.1-1
Severity: critical
Tags: patch
Justification: breaks unrelated software

Dear Maintainer,

In a Wayland session (gnome-shell in my case), double-clicking on an image when
using the Shotwell Viewer fullscreens the image, but then fails to close the
picture.

This picture will remain on-screen even after logging out. I need to reboot the
system to get rid of it.

I consider this a critical bug, as it renders the system unusable, and can
somewhat lead to data loss. It so happened that I managed to properly close and
save my work using purely the keyboard, but without being able to see what's on
the screen. This is due to an image being stuck on my screen, hiding everything
else.

In a way, this could also be a (local) security bug, considering that the user
can't make the image on screen disappear, even after logging out. This
information may be leaked to any other user of the same system.

This is a known bug, which was fixed upstream on version 0.32. Due to the Debian
freeze policy, this fix never made it into Buster.

Upstream fix: 
https://gitlab.gnome.org/GNOME/shotwell/commit/6031f8a285c1599fa692905eaa0475faced08415

Best,
Fran

-- Package-specific info:

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8), 
LANGUAGE=en_CA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shotwell depends on:
ii  dbus-x11 [dbus-session-bus] 1.12.14-1
ii  dconf-cli   0.30.1-2
ii  libc6   2.28-10
ii  libcairo2   1.16.0-4
ii  libexif12   0.6.21-5.1
ii  libgcr-base-3-1 3.28.1-1
ii  libgcr-ui-3-1   3.28.1-1
ii  libgdata22  0.17.9-3
ii  libgdk-pixbuf2.0-0  2.38.1+dfsg-1
ii  libgee-0.8-20.20.1-2
ii  libgexiv2-2 0.10.9-1
ii  libglib2.0-02.58.3-2
ii  libgphoto2-62.5.22-3
ii  libgphoto2-port12   2.5.22-3
ii  libgstreamer-plugins-base1.0-0  1.14.4-2
ii  libgstreamer1.0-0   1.14.4-1
ii  libgtk-3-0  3.24.5-1
ii  libgudev-1.0-0  232-2
ii  libjson-glib-1.0-0  1.4.4-2
ii  libpango-1.0-0  1.42.4-6
ii  libpangocairo-1.0-0 1.42.4-6
ii  libraw190.19.2-2
ii  librsvg2-common 2.44.10-2.1
ii  libsoup2.4-12.64.2-2
ii  libsqlite3-03.27.2-2
ii  libwebkit2gtk-4.0-372.24.2-1
ii  libxml2 2.9.4+dfsg1-7+b3
ii  shotwell-common 0.30.1-1

shotwell recommends no packages.

shotwell suggests no packages.

-- no debconf information



Bug#930368: gatb-core: FTBFS due to inaccurate symbols file

2019-06-11 Thread Gilles Filippini
Source: gatb-core
Version: 1.4.1+git20181225.44d5a44+dfsg-2
Severity: serious
Justification: FTBFS

Hi,

During a rebuild of gatb-core for unstable on amd64 I experienced a FTBFS at the
dh_makeshlibs step:

   dh_makeshlibs -O--sourcedirectory=gatb-core
dpkg-gensymbols: error: some symbols or patterns disappeared in the symbols 
file: see diff output below
dpkg-gensymbols: warning: debian/libgatbcore2/DEBIAN/symbols doesn't match 
completely debian/libgatbcore2.symbols.amd64
- --- debian/libgatbcore2.symbols.amd64 
(libgatbcore2_1.4.1+git20181225.44d5a44+dfsg-2_amd64)
+++ dpkg-gensymbolsErQvax   2019-06-11 09:56:28.965481025 +
@@ -8997,7 +8997,7 @@
  
_ZNSt6vectorISt5tupleIJjN4gatb4core5tools4math8LargeIntILi1EEEjjjEESaIS7_EE12emplace_backIJS7_EEEvDpOT_@Base
 1.4.1+git20181225.44d5a44+dfsg
  
_ZNSt6vectorISt5tupleIJjN4gatb4core5tools4math8LargeIntILi1EEEjjjEESaIS7_EE17_M_realloc_insertIJS7_EEEvN9__gnu_cxx17__normal_iteratorIPS7_S9_EEDpOT_@Base
 1.4.1
  
_ZNSt6vectorISt5tupleIJjN4gatb4core5tools4math8LargeIntILi1EEEjjjEESaIS7_EE7reserveEm@Base
 1.4.1
- - 
_ZNSt6vectorISt5tupleIJjN4gatb4core5tools4math8LargeIntILi2EEEjjjEESaIS7_EE12emplace_backIJS7_EEEvDpOT_@Base
 1.4.1+git20181225.44d5a44+dfsg
+#MISSING: 1.4.1+git20181225.44d5a44+dfsg-2# 
_ZNSt6vectorISt5tupleIJjN4gatb4core5tools4math8LargeIntILi2EEEjjjEESaIS7_EE12emplace_backIJS7_EEEvDpOT_@Base
 1.4.1+git20181225.44d5a44+dfsg
  
_ZNSt6vectorISt5tupleIJjN4gatb4core5tools4math8LargeIntILi2EEEjjjEESaIS7_EE17_M_realloc_insertIJS7_EEEvN9__gnu_cxx17__normal_iteratorIPS7_S9_EEDpOT_@Base
 1.4.1
  
_ZNSt6vectorISt5tupleIJjN4gatb4core5tools4math8LargeIntILi2EEEjjjEESaIS7_EE7reserveEm@Base
 1.4.1
  
_ZNSt6vectorISt5tupleIJjN4gatb4core5tools4math8LargeIntILi3EEEjjjEESaIS7_EE17_M_realloc_insertIJS7_EEEvN9__gnu_cxx17__normal_iteratorIPS7_S9_EEDpOT_@Base
 1.4.1
@@ -9007,7 +9007,7 @@
  
_ZNSt6vectorISt5tupleIJmiEESaIS1_EE17_M_realloc_insertIJS1_EEEvN9__gnu_cxx17__normal_iteratorIPS1_S3_EEDpOT_@Base
 1.4.1
  
_ZNSt6vectorISt5tupleIJmiNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcESaIS7_EE17_M_realloc_insertIJS7_EEEvN9__gnu_cxx17__normal_iteratorIPS7_S9_EEDpOT_@Base
 1.4.1
  
_ZNSt6vectorISt6threadSaIS0_EE17_M_realloc_insertIJZN10ThreadPoolC4EmEUlvE_EEEvN9__gnu_cxx17__normal_iteratorIPS0_S2_EEDpOT_@Base
 1.4.1
- - _ZNSt6vectorIbSaIbEE13_M_initializeEm@Base 1.4.1+git20181225.44d5a44+dfsg
+#MISSING: 1.4.1+git20181225.44d5a44+dfsg-2# 
_ZNSt6vectorIbSaIbEE13_M_initializeEm@Base 1.4.1+git20181225.44d5a44+dfsg
  _ZNSt6vectorIbSaIbEE13_M_insert_auxESt13_Bit_iteratorb@Base 1.4.1
  _ZNSt6vectorIbSaIbEE13_M_reallocateEm@Base 1.4.1
  _ZNSt6vectorIbSaIbEE14_M_fill_insertESt13_Bit_iteratormb@Base 1.4.1
dh_makeshlibs: failing due to earlier errors
make: *** [debian/rules:10: binary] Error 2
dpkg-buildpackage: error: fakeroot debian/rules binary subprocess returned exit 
status 2

Thanks,

_g.

-- System Information:
Debian Release: buster/sid
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled




Bug#929469: systemd-networkd: systemd-networkd: fails with "could not set address: Permission denied"

2019-06-11 Thread Raphael Hertzog
Hi,

On Wed, 05 Jun 2019, Michael Biebl wrote:
> systemd-networkd.service in v241 is locked down more tightly than v232.
> It might be worth a try to comment out the hardening features one by one
> to see if one of them causes your problem.

Thanks for the idea! I tried that but it did not help. I found the issue
after a few more tries tweaking the network configuration file. It's
simply that the system has IPv6 disabled in the kernel policy while the
.network file instructs to configure an IPv6 address.

Both are contradictory but they happily lived together up to now.
I don't know what changed but if we don't improve systemd-networkd
to just skip IPv6 configuration when the kernel has a policy disabling
IPv6, then we will have plenty of servers broken on upgrades because
it's quite common to keep the network configuration file provided by
the hoster and just disable IPv6 at the kernel level with sysctl:

$ grep ipv6 /etc/sysctl.conf
# Disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/




Processed: found 930248 in 1.0-1.2, tagging 930248

2019-06-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 930248 1.0-1.2
Bug #930248 [gnome-xcf-thumbnailer] RM: gnome-xcf-thumbnailer -- RC buggy, 
dead-upstream, unmaintained, obsolete
Marked as found in versions gnome-xcf-thumbnailer/1.0-1.2.
> tags 930248 + sid buster
Bug #930248 [gnome-xcf-thumbnailer] RM: gnome-xcf-thumbnailer -- RC buggy, 
dead-upstream, unmaintained, obsolete
Added tag(s) sid and buster.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
930248: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930248
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#767572: marked as done (libthunar-vfs-1-2-dbg: fails to upgrade from squeeze - trying to overwrite /usr/lib/debug/usr/lib/libthunar-vfs-1.so.2.3.1)

2019-06-11 Thread Debian Bug Tracking System
Your message dated Tue, 11 Jun 2019 13:47:21 +0200
with message-id <896bc054-7b27-6941-b707-e70dc3be9...@debian.org>
and subject line thunar-vfs has been removed from Debian
has caused the Debian Bug report #767572,
regarding libthunar-vfs-1-2-dbg: fails to upgrade from squeeze - trying to 
overwrite /usr/lib/debug/usr/lib/libthunar-vfs-1.so.2.3.1
to be marked as done.


-- 
767572: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767572
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libthunar-vfs-1-2-dbg
Version: 1.2.0-3
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package fails to upgrade from
'squeeze'.
It installed fine in 'squeeze', then the upgrade to 'wheezy' fails
because it tries to overwrite other packages files without declaring a
Breaks+Replaces relation.

See policy 7.6 at
http://www.debian.org/doc/debian-policy/ch-relationships.html#s-replaces

From the attached log (scroll to the bottom...):

  Selecting previously deselected package libthunar-vfs-1-2-dbg.
  Unpacking libthunar-vfs-1-2-dbg (from 
.../libthunar-vfs-1-2-dbg_1.2.0-3+b1_amd64.deb) ...
  dpkg: error processing 
/var/cache/apt/archives/libthunar-vfs-1-2-dbg_1.2.0-3+b1_amd64.deb (--unpack):
   trying to overwrite '/usr/lib/debug/usr/lib/libthunar-vfs-1.so.2.3.1', which 
is also in package thunar-dbg 1.0.2-1+b1
  configured to not write apport reports
  dpkg-deb: subprocess paste killed by signal (Broken pipe)
  Errors were encountered while processing:
   /var/cache/apt/archives/libthunar-vfs-1-2-dbg_1.2.0-3+b1_amd64.deb


cheers,

Andreas


thunar-dbg=1.0.2-1+b1_libthunar-vfs-1-2-dbg=1.2.0-3+b1.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Version: 1.2.0-4+rm

thunar-vfs was last released with Debian 7.0 (wheezy) in May 2013
and was removed from the Debian archive afterwards.
See https://bugs.debian.org/709897 for details on the removal.
Since support for wheezy and wheezy-LTS has now ended and the suites
have been archived, I'm closing all the remaining bugs reported against
this package.


Andreas
--- End Message ---


Bug#774290: marked as done (worldwind: Immediate crash (HeadlessException) with 'Java(TM) SE Runtime Environment (build 1.7.0_45-b18')

2019-06-11 Thread Debian Bug Tracking System
Your message dated Tue, 11 Jun 2019 13:38:40 +0200
with message-id <93beecac-7712-51e6-3701-97bbbd1ba...@debian.org>
and subject line worldwind has been removed from Debian
has caused the Debian Bug report #774290,
regarding worldwind: Immediate crash (HeadlessException) with 'Java(TM) SE 
Runtime Environment (build 1.7.0_45-b18'
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
774290: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774290
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: worldwind
Version: 0.5.0-10
Severity: grave
Justification: renders package unusable

Dear Maintainer,

when trying to start worldwind in xterm it crashes immediately with a
HeadlessException:

––
$ worldwind 
java.awt.HeadlessException
at java.awt.GraphicsEnvironment.checkHeadless(GraphicsEnvironment.java:207)
at java.awt.Window.<init>(Window.java:535)
at java.awt.Frame.<init>(Frame.java:420)
at java.awt.Frame.<init>(Frame.java:385)
at javax.swing.JFrame.<init>(JFrame.java:174)
at gov.nasa.worldwind.examples.ApplicationTemplate$AppFrame.<init>(Unknown Source)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at java.lang.Class.newInstance(Class.java:379)
at gov.nasa.worldwind.examples.ApplicationTemplate.start(Unknown Source)
at gov.nasa.worldwind.examples.ApplicationTemplate.main(Unknown Source)

$ java -version
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)

––
Thx, Alek

-- System Information:
Debian Release: jessie/sid
  APT prefers stable
  APT policy: (900, 'stable'), (500, 'testing-updates'), (500, 
'testing-proposed-updates'), (500, 'stable-updates'), (500, 
'proposed-updates'), (500, 'oldstable-updates'), (500, 
'oldstable-proposed-updates'), (500, 'testing'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages worldwind depends on:
ii  java-wrappers  0.1.28
ii  libworldwind-java  0.5.0-10

worldwind recommends no packages.

worldwind suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 0.5.0-10+rm

worldwind was last released with Debian 7.0 (wheezy) in May 2013
and was removed from the Debian archive afterwards.
See http://bugs.debian.org/721853 for details on the removal.
Since support for wheezy and wheezy-LTS has now ended and the suites
have been archived, I'm closing all the remaining bugs reported against
this package.

Andreas
--- End Message ---


Bug#930356: CVE-2019-12760

2019-06-11 Thread Moritz Muehlenhoff
Source: parso
Severity: grave
Tags: security

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1718212

Patch is at https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7

Cheers,
Moritz



Processed: reassign 930256 to src:firefox, severity of 930256 is grave

2019-06-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> reassign 930256 src:firefox 68.0~b8-1
Bug #930256 [firefox-l10n-bn] Ignoring Provides line with non-equal 
DepCompareOp for package firefox-l10n-bn-bd
Bug #930260 [firefox-l10n-bn] Ignoring Provides line with non-equal 
DepCompareOp for package firefox-l10n-bn-bd
Bug #930299 [firefox-l10n-bn] apt: A warning "Ignoring Provides line with 
non-equal DepCompareOp for package" for two packages
Warning: Unknown package 'firefox-l10n-bn'
Bug reassigned from package 'firefox-l10n-bn' to 'src:firefox'.
Bug reassigned from package 'firefox-l10n-bn' to 'src:firefox'.
Bug reassigned from package 'firefox-l10n-bn' to 'src:firefox'.
No longer marked as found in versions firefox/68.0~b8-1.
No longer marked as found in versions firefox/68.0~b8-1.
No longer marked as found in versions firefox/68.0~b8-1.
Ignoring request to alter fixed versions of bug #930256 to the same values 
previously set
Ignoring request to alter fixed versions of bug #930260 to the same values 
previously set
Ignoring request to alter fixed versions of bug #930299 to the same values 
previously set
Bug #930256 [src:firefox] Ignoring Provides line with non-equal DepCompareOp 
for package firefox-l10n-bn-bd
Bug #930260 [src:firefox] Ignoring Provides line with non-equal DepCompareOp 
for package firefox-l10n-bn-bd
Bug #930299 [src:firefox] apt: A warning "Ignoring Provides line with non-equal 
DepCompareOp for package" for two packages
Marked as found in versions firefox/68.0~b8-1.
Marked as found in versions firefox/68.0~b8-1.
Marked as found in versions firefox/68.0~b8-1.
> severity 930256 grave
Bug #930256 [src:firefox] Ignoring Provides line with non-equal DepCompareOp 
for package firefox-l10n-bn-bd
Bug #930260 [src:firefox] Ignoring Provides line with non-equal DepCompareOp 
for package firefox-l10n-bn-bd
Bug #930299 [src:firefox] apt: A warning "Ignoring Provides line with non-equal 
DepCompareOp for package" for two packages
Severity set to 'grave' from 'serious'
Severity set to 'grave' from 'serious'
Severity set to 'grave' from 'serious'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
930256: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930256
930260: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930260
930299: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930299
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#865975: docker.io changes iptables default FORWARD policy to DROP, breaks VM and others

2019-06-11 Thread Shengjing Zhu
Hi,

I checked more carefully on https://github.com/moby/moby/pull/28257
and https://github.com/moby/moby/issues/14041
Then I concluded that docker does nothing wrong in this case.

If you didn't set net.ipv4.ip_forward=1 before starting docker, then
docker will set this for you by default, otherwise the containers
can't access the network. This causes a security issue as described in
https://github.com/moby/moby/issues/14041.
So if docker sets net.ipv4.ip_forward=1 itself, it will set the default
FORWARD policy to DROP. This looks quite correct.

So when will docker not touch your FORWARD policy? Just don't let
docker enable ip_forward itself. You can set net.ipv4.ip_forward=1 in
/etc/sysctl.conf (enable it before starting docker). Then docker will
know that the user wants the host to forward all traffic and it will touch
your default FORWARD policy.

I've verified it by adding net.ipv4.ip_forward=1 to /etc/sysctl.conf,
then rebooting. And my FORWARD policy is ACCEPT.

So as for your VM scenario, why didn't you set ip_forward manually?
How would docker know it's not a vulnerability if it didn't set the FORWARD
chain to DROP when it enables ip_forward?

-- 
Shengjing Zhu
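
A host-side check for the two conditions discussed in the message above, as an added example that is not part of the original message or of docker. The function names, verdict labels and sample inputs are constructed for illustration; the verdicts encode only the behaviour the message reports.

```shell
#!/bin/sh
# Added example: relate the persistent ip_forward setting to the FORWARD
# chain's default policy. All names and sample data here are constructed.

# Print the last value assigned to net.ipv4.ip_forward in the given sysctl
# config files (a later assignment wins), or "unset" if none assigns it.
# Pass the files in the order your system applies them.
persistent_ip_forward() {
    awk '
        /^[ \t]*[#;]/ { next }                 # "#" and ";" start a comment
        {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            gsub(/\//, ".", key)               # "/" is accepted as a separator
            if (key == "net.ipv4.ip_forward") last = val
        }
        END { print (last == "" ? "unset" : last) }
    ' "$@"
}

# Read `iptables -S FORWARD` output on stdin and print the default policy.
forward_policy() {
    awk '$1 == "-P" && $2 == "FORWARD" { print $3; found = 1; exit }
         END { if (!found) print "unknown" }'
}

# Combine both observations into a verdict.
assess() {
    case "$1:$2" in
        # Forwarding was enabled by the admin; the policy stayed ACCEPT, so
        # filtering of forwarded traffic is up to the admin's own rules.
        1:ACCEPT) echo "admin-managed" ;;
        # Persistent setting present but policy is DROP: the sysctl was
        # applied after docker started, or something else set the policy.
        1:DROP)   echo "drop-set-elsewhere" ;;
        # No persistent setting and policy DROP: the case the bug reports,
        # where bridged VM traffic needs explicit ACCEPT rules.
        *:DROP)   echo "docker-managed" ;;
        *)        echo "undetermined" ;;
    esac
}

# Demo on constructed input (not taken from a real host).
demo() {
    conf=$(mktemp)
    printf '%s\n' '# constructed sample' '#net.ipv4.ip_forward=0' \
        'net.ipv4.ip_forward = 1' > "$conf"
    value=$(persistent_ip_forward "$conf")
    policy=$(printf '%s\n' '-P FORWARD ACCEPT' \
        '-A FORWARD -i virbr0 -j ACCEPT' | forward_policy)
    rm -f "$conf"
    assess "$value" "$policy"
}
demo
```

On a real host, feed it `persistent_ip_forward /etc/sysctl.conf` and `iptables -S FORWARD | forward_policy` (the latter needs root).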



Processed: Re: Bug#865975: #865975 docker.io breaks (bridged) network for VMs

2019-06-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 865975 critical
Bug #865975 [docker.io] docker.io changes iptables default FORWARD policy to 
DROP, breaks VM and others
Bug #930302 [docker.io] docker.io changes iptables default FORWARD policy to 
DROP, breaks VM and others
Severity set to 'critical' from 'important'
Severity set to 'critical' from 'important'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
865975: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865975
930302: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930302
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#911844: okular: Prints to the wrong printer

2019-06-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 911844 important
Bug #911844 [okular] okular: Prints to the wrong printer
Severity set to 'important' from 'critical'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
911844: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911844
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#911844: okular: Prints to the wrong printer

2019-06-11 Thread Martin Steigerwald
severity: important
thanks

Hi Brian,

Brian Potkin - 10.06.19, 21:32:
> Severity: critical
> thanks
> 
> On Thu 25 Oct 2018 at 12:50:25 +0100, Brian Potkin wrote:
> > Package: okular
> > Version: 4:17.12.2-2
> > Severity: critical
> > Tags: upstream security
> > 
> > 
> > 
> > "critical" because a document should always go to where it is sent.
> > Please reduce the severity if I have overestimated the security
> > implications.
> > 
> > The CUPS version being used is 2.2.8-5 and cups-browsed is not
> > running. The issue was encountered while taking another look at
> > #911702.
>
[…]
> > The job is always sent to a local queue when its destination
> > precedes
> > realq_desktop alphabetically.
[…]
> I have retested this. There is no change on the present unstable. I
> cannot see why a confidential print job going to a staff printer is
> anything but a security issue. Maybe this is something that merits
> the tag of normal but explanations are in short supply.

Brian, before raising a bug severity to the highest severity possible, 
please read and understand the Debian release team's guidelines 
regarding release critical bugs¹ as well as the general descriptions of 
bug severities².

A "critical" bug is a bug that introduces a (remotely exploitable) 
security hole on systems you install the package to. A "grave" bug is a 
bug that introduces a (remotely exploitable) security hole allowing 
access to the accounts of users using the package.

None of this is the case here.

If at all, the bug might be "serious" if in the maintainer's opinion it 
would make the package unsuitable for release.

Now please respect the reduced bug severity. Raising the severity again 
won't get you any priority handling with an already understaffed Debian 
Qt/KDE team. This is a community of people who are mostly doing unpaid 
work.


Two ways to use your (and our) time in a more productive manner are:

1) Retest with Okular 18.04 from Debian experimental (in case you run 
buster/sid). Or start KDE Neon in a machine and try with the newest 
Okular available there.

2) Remind upstream in a friendly way to have a look at the issue. Once 
there is a patch upstream it is very likely it could be backported for 
buster. Maybe it would be an idea to raise the upstream bug to KDE's 
security team.


[1] https://release.debian.org/testing/rc_policy.txt

[2] https://www.debian.org/Bugs/Developer

Thanks,
-- 
Martin



Bug#929916: marked as done (libreswan: CVE-2019-12312)

2019-06-11 Thread Debian Bug Tracking System
Your message dated Tue, 11 Jun 2019 06:49:02 +
with message-id 
and subject line Bug#929916: fixed in libreswan 3.29-1
has caused the Debian Bug report #929916,
regarding libreswan: CVE-2019-12312
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
929916: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929916
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libreswan
Version: 3.27-4
Severity: grave
Tags: patch security upstream fixed-upstream
Justification: user security hole
Forwarded: https://github.com/libreswan/libreswan/issues/246
Control: fixed -1 3.28-1

Hi,

The following vulnerability was published for libreswan.

CVE-2019-12312[0]:
| In Libreswan before 3.28, an assertion failure can lead to a pluto IKE
| daemon restart. An attacker can trigger a NULL pointer dereference by
| sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode
| to a Libreswan server. This affects send_v2N_spi_response_from_state
| in programs/pluto/ikev2_send.c when built with Network Security
| Services (NSS).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12312
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12312
[1] https://github.com/libreswan/libreswan/issues/246
[2] 
https://github.com/libreswan/libreswan/commit/7142d2c37d58cf024595a7549f0fb0d3946682f8

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libreswan
Source-Version: 3.29-1

We believe that the bug you reported is fixed in the latest version of
libreswan, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor  (supplier of updated libreswan 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 11 Jun 2019 07:24:44 +0100
Source: libreswan
Architecture: source
Version: 3.29-1
Distribution: experimental
Urgency: medium
Maintainer: Daniel Kahn Gillmor 
Changed-By: Daniel Kahn Gillmor 
Closes: 929916 930338
Changes:
 libreswan (3.29-1) experimental; urgency=medium
 .
   * New upstream release
- fixes CVE 2019-10155 and CVE-2019-12312
 (Closes: #930338, #929916)
   * refresh patches
   * d/watch: avoid development releases
--- End Message ---


Bug#928097: marked as done (chromium: crc32 build errors on arm64)

2019-06-11 Thread Debian Bug Tracking System
Your message dated Tue, 11 Jun 2019 02:07:04 -0400
with message-id 

and subject line Re: Bug#928097: chromium: crc32 build errors on arm64
has caused the Debian Bug report #928097,
regarding chromium: crc32 build errors on arm64
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
928097: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928097
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: src:chromium
severity: serious
version: 74.0.3729.108-1

The latest upload fails to build on arm64 due to errors in crc32 [0].

Best wishes,
Mike

[0]https://buildd.debian.org/status/fetch.php?pkg=chromium=arm64=74.0.3729.108-1=1556085401=0
--- End Message ---
--- Begin Message ---
version: 75.0.3770.80-1

Fixed upstream.
--- End Message ---


Bug#930348: chromium: missing intrinsics on armhf

2019-06-11 Thread Michael Gilbert
package: src:chromium
severity: serious
version: 75.0.3770.80-1

The latest upload fails to build on armhf due to missing intrinsics [0].

Best wishes,
Mike

[0]https://buildd.debian.org/status/fetch.php?pkg=chromium=armhf=75.0.3770.80-1=1560141959=0