Bug#991081: marked as done (gir1.2-diodon-1.0 lacks dependencies)
Your message dated Sun, 08 Aug 2021 21:18:39 + with message-id and subject line Bug#991081: fixed in diodon 1.11.1-1 has caused the Debian Bug report #991081, regarding gir1.2-diodon-1.0 lacks dependencies to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
991081: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991081
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: gir1.2-diodon-1.0
Version: 1.8.0-1
Severity: serious

${gir:Depends} needs "dh --with gir" in debian/rules. The manual dependency on gir1.2-glib-2.0 is no longer necessary when this is fixed.

Something still seems to go wrong afterwards: when trying it, it did not generate a dependency on libdiodon0.
--- End Message ---

--- Begin Message ---
Source: diodon
Source-Version: 1.11.1-1
Done: Oliver Sauder

We believe that the bug you reported is fixed in the latest version of diodon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 991...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Oliver Sauder (supplier of updated diodon package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 23 Jul 2021 22:00:54 +0400
Source: diodon
Architecture: source
Version: 1.11.1-1
Distribution: unstable
Urgency: medium
Maintainer: Oliver Sauder
Changed-By: Oliver Sauder
Closes: 990137 990435 991081
Changes:
 diodon (1.11.1-1) unstable; urgency=medium
 .
   * New upstream release.
   * Removed obsolete apport configuration files (Closes: #990435)
   * Properly handled previously renamed autostart config file (Closes: 990137)
   * Use dh gir addon to properly calculate gir:Depends (Closes: 991081)
   * Bump Standard Version to 4.5.1
Checksums-Sha1:
 c4d28130b0e6d69b0326139e0facb962b18e150f 2521 diodon_1.11.1-1.dsc
 ecfc85836fd28852a7f533a34ff45bb0f7856d91 92464 diodon_1.11.1.orig.tar.xz
 3c28b3da5605b6ad837d72226c892865d440e1df 833 diodon_1.11.1.orig.tar.xz.asc
 2efdd2721755202c49dffe71fe89093e348b022d 6764 diodon_1.11.1-1.debian.tar.xz
 ee91c12380ea547ac20eecbe0f5f6177b2228335 14878 diodon_1.11.1-1_source.buildinfo
Checksums-Sha256:
 c1d9739976b988a8d8835cc464f4d6c7d16281d887326dd6479c074a710e322a 2521 diodon_1.11.1-1.dsc
 7dee23c28f417d8bcbbe274a7bd00bf319c4a2382348325e6dc315a38312662d 92464 diodon_1.11.1.orig.tar.xz
 c405782e4b95a4769640643b47f08a82ccfd743f6a5184d52c243668c11aaec2 833 diodon_1.11.1.orig.tar.xz.asc
 bd96a222118773494b14c2127e81d9ef7238e3bff41a467d1e7c6a4cb174abf8 6764 diodon_1.11.1-1.debian.tar.xz
 228710cee8cae4c8130252a4b5ab0cb05a6893b69058a6f8cdbae592da0ae259 14878 diodon_1.11.1-1_source.buildinfo
Files:
 51c0a895e7e62d103c66861bcf6610c2 2521 utils optional diodon_1.11.1-1.dsc
 a78d46cd069104e607a73b264147c512 92464 utils optional diodon_1.11.1.orig.tar.xz
 2067fac4b032a335644210cccef44cb1 833 utils optional diodon_1.11.1.orig.tar.xz.asc
 e82e969edc04b9278cdd30c42418cf71 6764 utils optional diodon_1.11.1-1.debian.tar.xz
 0079bd687677bae9c818a483589b1884 14878 utils optional diodon_1.11.1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEkjZVexcMh/iCHArDweDZLphvfH4FAmEQRfUACgkQweDZLphv
fH4YOA//TUIBPo0i1r8hndLSyoBHz+fMm6WnkY0R308umap/bTubRS6oJ+xAApW7
Y2dCfTJPxLr/6lnUmT9ShZMEGGulYqyWWw9djnK+Yb1hDY+CX1fauYL3rykOAHIZ
+uvN1qy+tGQSOwFjkM0f7u+5+FTfFK0idXOGjMRUM4M7kfC5/SRfCY7obShV9IJ2
cAKwrbIbB1pbH1ZWidpUeh82SwSZmgu13qWR8Rsi4nZ3fykdQwukO6YjuWEzk3DB
RZYU24sVSZAwu0NFtgGATB0usB36PAhqXOnRpksw+JHlQP64+GyPB8mcfy6aCht0
FDFgc20OuafmxEGcsp9PeVBDtpgfLoyco3Q/14m8kxGGrHddMiZRjYNDP1QUSRYI
jg4ViM2sjFjCptpXbUzE6Ugo85ayIcIx0C16TrLHzERNE0p+ITFZYFzRLMJjS9k1
Po1zZVKWKCHBXHP0KzeGqbfBVvZW9ETe6FppCXtNnzKMhC318qZke0HDVJ3y2cG/
Wgqu6WHhil9nBCvZ9k86ATSCzayC0kuCdNXzj3BSueG06wql/a7M/t2hu+pip5Oo
COm6OVwqZLe73oNunpRz8/zSPPmv+hSBFANBWh4ssmKia+KPOn1ANyqDJ9n2YtS8
2FZj1eyZKo9+VAPoXNKYCzXXlit9uiJgQMNwRm+ndxUK/p6l9A8=
=6o22
-----END PGP SIGNATURE-----
--- End Message ---
Bug#992008: ruby-google-protobuf: Missing lib/google/protobuf directory and fails require
On Mon, Aug 9, 2021 at 12:12 am, Pirate Praveen wrote:
> [copying debian-ruby list]
>
> On Sun, 08 Aug 2021 22:08:39 +0530 Akshay S Dinesh wrote:
> > Package: ruby-google-protobuf
> > Version: 3.17.3-1
> > Severity: grave
> > Justification: renders package unusable
> >
> > Dear Maintainer,
> >
> > I was trying to install gitlab to reproduce #966653
> >
> > Installed ruby-google-protobuf from experimental
> >
> > The pg_query library was erroring at startup,
> > with failure to require 'google/protobuf'
> >
> > I tried to isolate it to debian by `gem install google-protobuf`
> >
> > It worked correctly with that.
> >
> > On comparing stable version
> > http://ftp.debian.org/debian/pool/main/p/protobuf/ruby-google-protobuf_3.12.4-1_amd64.deb
> > with the experimental version
> > http://ftp.debian.org/debian/pool/main/p/protobuf/ruby-google-protobuf_3.17.3-1_amd64.deb
> >
> > I could see that the latter lacks the /2.7.0/gems/lib/google/protobuf directory altogether
> >
> > The upstream gem at https://rubygems.org/downloads/google-protobuf-3.17.3.gem includes
> > this lib directory with lots of ruby files
> >
> > I'm suspecting that this folder is critical to the functioning of this package
>
> I think this is a problem with gem2deb not including the pure ruby files along with the extension. I think we have seen such issues before, but don't remember how we fixed it. Another possibility is that the rules is calling ruby build only in override_dh_auto_build-arch.

Adding

ruby/lib/google usr/lib/ruby/vendor_ruby

to debian/ruby-google-protobuf.install makes require 'google/protobuf' pass. This can be used as a workaround until we figure out why gem2deb is not installing these files even though gemspec includes them in files.
Bug#992008: ruby-google-protobuf: Missing lib/google/protobuf directory and fails require
[copying debian-ruby list]

On Sun, 08 Aug 2021 22:08:39 +0530 Akshay S Dinesh wrote:
> Package: ruby-google-protobuf
> Version: 3.17.3-1
> Severity: grave
> Justification: renders package unusable
>
> Dear Maintainer,
>
> I was trying to install gitlab to reproduce #966653
>
> Installed ruby-google-protobuf from experimental
>
> The pg_query library was erroring at startup,
> with failure to require 'google/protobuf'
>
> I tried to isolate it to debian by `gem install google-protobuf`
>
> It worked correctly with that.
>
> On comparing stable version
> http://ftp.debian.org/debian/pool/main/p/protobuf/ruby-google-protobuf_3.12.4-1_amd64.deb
> with the experimental version
> http://ftp.debian.org/debian/pool/main/p/protobuf/ruby-google-protobuf_3.17.3-1_amd64.deb
>
> I could see that the latter lacks the /2.7.0/gems/lib/google/protobuf directory altogether
>
> The upstream gem at https://rubygems.org/downloads/google-protobuf-3.17.3.gem includes
> this lib directory with lots of ruby files
>
> I'm suspecting that this folder is critical to the functioning of this package

I think this is a problem with gem2deb not including the pure ruby files along with the extension. I think we have seen such issues before, but don't remember how we fixed it. Another possibility is that the rules is calling ruby build only in override_dh_auto_build-arch.
Bug#962439: sctk: diff for NMU version 2.4.10-20151007-1312Z+dfsg2-3.1
Dear Adrian,

thank you for taking care of this issue. Several months ago I filed an RFS bug #981030 taking care of this and other issues. Unfortunately the RFS is still open. If I update the package in order to include these NMU changes, will you consider sponsoring the package?

Best regards,
Giulio

On Tue, 3 Aug 2021, 08:51 Adrian Bunk wrote:
> Dear maintainer,
>
> I've prepared an NMU for sctk (versioned as
> 2.4.10-20151007-1312Z+dfsg2-3.1).
> The diff is attached to this message.
>
> cu
> Adrian
>
Bug#992008: ruby-google-protobuf: Missing lib/google/protobuf directory and fails require
Package: ruby-google-protobuf
Version: 3.17.3-1
Severity: grave
Justification: renders package unusable

Dear Maintainer,

I was trying to install gitlab to reproduce #966653

Installed ruby-google-protobuf from experimental

The pg_query library was erroring at startup,
with failure to require 'google/protobuf'

I tried to isolate it to debian by `gem install google-protobuf`

It worked correctly with that.

On comparing stable version
http://ftp.debian.org/debian/pool/main/p/protobuf/ruby-google-protobuf_3.12.4-1_amd64.deb
with the experimental version
http://ftp.debian.org/debian/pool/main/p/protobuf/ruby-google-protobuf_3.17.3-1_amd64.deb

I could see that the latter lacks the /2.7.0/gems/lib/google/protobuf directory altogether

The upstream gem at https://rubygems.org/downloads/google-protobuf-3.17.3.gem includes
this lib directory with lots of ruby files

I'm suspecting that this folder is critical to the functioning of this package

-- System Information:
Debian Release: 11.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8), LANGUAGE=en_IN:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ruby-google-protobuf depends on:
ii  libc6       2.31-13
ii  libruby2.7  2.7.4-1
ii  ruby        1:2.7+2

ruby-google-protobuf recommends no packages.

ruby-google-protobuf suggests no packages.

-- no debconf information
Bug#991982: nano does not work with TERM unset
On Sunday 8 August 2021, 10:04:30 UTC, Benno Schulenberg wrote:
> > $env -i nano
> > command fail because TERM is unset
>
> I can work around an unset TERM. But what if TERM=="" or TERM=="nonsense"?
> Checking whether TERM is a valid terminal name goes too far, in my opinion.
>
> Also, is the 'vt100' terminal description guaranteed to exist? I ask,
> because 'dumb' and 'vt52' are not good enough for nano (ncurses) to work
> properly, and 'ansi' leaves the cursor invisible on a VTE-based terminal.

I do not know, but I think the only sensible way to behave is like vi under POSIX (https://pubs.opengroup.org/onlinepubs/9699919799/utilities/ex.html):

    TERM
        Determine the name of the terminal type. If this variable is unset or null, an unspecified default terminal type shall be used.

The other ways are broken.

>
> Benno

signature.asc Description: This is a digitally signed message part.
Bug#991971: [pkg-lynx-maint] Bug#991971: Bug#991971: [CVE-2021-38165] lynx: bug in SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)
Hi Salvatore,

Salvatore Bonaccorso wrote:
> > > bullseye-security is operational, so we can do both at the same time
> > > so that bullseye will be fixed from day one.
> >
> > That'd be great, thanks!
> >
> > Feel free to base the security upload upon 2.9.0dev.6-3 which I
> > uploaded just recently. From my point of view nothing except the first
> > and last line of the debian/changelog entry needs to be changed for
> > bullseye-security.
>
> Do I understand correctly you currently have no capacity to prepare
> that upload?

Yes, but I also wasn't aware that I could do that upload.

> If so I can happily chime in, but if you as maintainer
> will that will be perfectly preferable.

I'm a bit short of time for the rest of the day, so it'd be nice if someone else could do that upload.

> If so: I suggest: just do a ~deb11u1 on top of the current unstable
> upload, with changelog entry "Rebuild for bullseye-security", then
> pass -v2.9.0dev.6-2 to dpkg-genchanges invocation, to include all
> changelog entries from 2.9.0dev.6-3 up to 2.9.0dev.6-3~deb11u1 into
> the changes file. Make sure to build with -sa, as lynx/2.9.0dev.6 is new
> for dak on security-master.

Interesting. I'd have done a 2.9.0dev.6-2+deb11u1 by reusing the 2.9.0dev.6-3 upload and just modifying the changelog entry. I thought that would be cleaner. But I'm fine with both variants.

> > I can also look into how well the patch applies to buster's version of
> > Lynx, but it might take until Monday.
>
> Thank you!

Do they need to go into the same DSA?

Regards, Axel
-- 
,''`.  | Axel Beckert , https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `'  | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-   | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE

signature.asc Description: PGP signature
Bug#991971: [pkg-lynx-maint] Bug#991971: [CVE-2021-38165] lynx: bug in SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)
Axel,

On Sun, Aug 08, 2021 at 12:14:16PM +0200, Axel Beckert wrote:
> Hi Moritz,
>
> Moritz Mühlenhoff wrote:
> > > Security Team: Do you think the fix for CVE-2021-38165 should get a
> > > DSA? Or do you think it's not important enough and we should target a
> > > minor stable update for it?
> >
> > This breaks a pretty fundamental security assumption for a browser,
>
> Ack.
>
> > so we should fix it via -security, even though lynx is a fringe
> > browser.
>
> Good. Anything which gets the fix into bullseye (and preferably also
> buster) rather sooner than later is fine for me.
>
> > bullseye-security is operational, so we can do both at the same time
> > so that bullseye will be fixed from day one.
>
> That'd be great, thanks!
>
> Feel free to base the security upload upon 2.9.0dev.6-3 which I
> uploaded just recently. From my point of view nothing except the first
> and last line of the debian/changelog entry needs to be changed for
> bullseye-security.

Do I understand correctly you currently have no capacity to prepare that upload? If so I can happily chime in, but if you as maintainer will that will be perfectly preferable.

If so: I suggest: just do a ~deb11u1 on top of the current unstable upload, with changelog entry "Rebuild for bullseye-security", then pass -v2.9.0dev.6-2 to dpkg-genchanges invocation, to include all changelog entries from 2.9.0dev.6-3 up to 2.9.0dev.6-3~deb11u1 into the changes file. Make sure to build with -sa, as lynx/2.9.0dev.6 is new for dak on security-master.

> I can also look into how well the patch applies to buster's version of
> Lynx, but it might take until Monday.

Thank you!

Salvatore
Bug#991982: nano does not work with TERM unset
> $env -i nano
> command fail because TERM is unset

I can work around an unset TERM. But what if TERM=="" or TERM=="nonsense"? Checking whether TERM is a valid terminal name goes too far, in my opinion.

Also, is the 'vt100' terminal description guaranteed to exist? I ask, because 'dumb' and 'vt52' are not good enough for nano (ncurses) to work properly, and 'ansi' leaves the cursor invisible on a VTE-based terminal.

Benno

OpenPGP_signature Description: OpenPGP digital signature
Bug#991971: [pkg-lynx-maint] Bug#991971: [CVE-2021-38165] lynx: bug in SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)
Hi Moritz,

Moritz Mühlenhoff wrote:
> > Security Team: Do you think the fix for CVE-2021-38165 should get a
> > DSA? Or do you think it's not important enough and we should target a
> > minor stable update for it?
>
> This breaks a pretty fundamental security assumption for a browser,

Ack.

> so we should fix it via -security, even though lynx is a fringe
> browser.

Good. Anything which gets the fix into bullseye (and preferably also buster) rather sooner than later is fine for me.

> bullseye-security is operational, so we can do both at the same time
> so that bullseye will be fixed from day one.

That'd be great, thanks!

Feel free to base the security upload upon 2.9.0dev.6-3 which I uploaded just recently. From my point of view nothing except the first and last line of the debian/changelog entry needs to be changed for bullseye-security.

I can also look into how well the patch applies to buster's version of Lynx, but it might take until Monday.

Regards, Axel
-- 
,''`.  | Axel Beckert , https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `'  | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-   | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE

signature.asc Description: PGP signature
Bug#991706: marked as done (exiv2: CVE-2021-31292)
Your message dated Sun, 08 Aug 2021 10:03:29 + with message-id and subject line Bug#991706: fixed in exiv2 0.27.3-3+deb11u1 has caused the Debian Bug report #991706, regarding exiv2: CVE-2021-31292 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
991706: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991706
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: exiv2
Version: 0.27.3-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/Exiv2/exiv2/issues/1530
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for exiv2.

CVE-2021-31292[0]:
| An integer overflow in CrwMap::encode0x1810 of Exiv2 0.27.3 allows
| attackers to trigger a heap-based buffer overflow and cause a denial
| of service (DOS) via crafted metadata.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-31292
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31292
[1] https://github.com/Exiv2/exiv2/issues/1530

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: exiv2
Source-Version: 0.27.3-3+deb11u1
Done: Moritz Muehlenhoff

We believe that the bug you reported is fixed in the latest version of exiv2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 991...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff (supplier of updated exiv2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Aug 2021 10:57:42 +0200
Source: exiv2
Architecture: source
Version: 0.27.3-3+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian KDE Extras Team
Changed-By: Moritz Muehlenhoff
Closes: 991705 991706
Changes:
 exiv2 (0.27.3-3+deb11u1) bullseye-security; urgency=medium
 .
   * CVE-2021-31291 (Closes: #991705)
   * CVE-2021-31292 (Closes: #991706)
Checksums-Sha1:
 f74c6ed0393c24471c0ceb9584e28696f7c7a12f 2295 exiv2_0.27.3-3+deb11u1.dsc
 5f1b460b10171c3b12cd540d699e9b815f6f3058 26185201 exiv2_0.27.3.orig.tar.gz
 2ce7ef3a747a8bc1559acf3796210acd57fc04e7 26040 exiv2_0.27.3-3+deb11u1.debian.tar.xz
 d81ce13164df5c4e417fe4d06fe7b0503d4f04ed 10538 exiv2_0.27.3-3+deb11u1_amd64.buildinfo
Checksums-Sha256:
 64da774dd45f4faadaa7e841f0cecf22c4de385cd3abc9ecc45a065eda5bf9f7 2295 exiv2_0.27.3-3+deb11u1.dsc
 6398bc743c32b85b2cb2a604273b8c90aa4eb0fd7c1700bf66cbb2712b4f00c1 26185201 exiv2_0.27.3.orig.tar.gz
 9fb59fbc12e3270951c5a34741813eb5474803ba08bb80700dfdabfbdb5a585b 26040 exiv2_0.27.3-3+deb11u1.debian.tar.xz
 679d2a05a54732ad05b719669c510e09ff277fdbd153b017f1332aced5362048 10538 exiv2_0.27.3-3+deb11u1_amd64.buildinfo
Files:
 b248243d8f0506fefd347942fe4a3fb1 2295 graphics optional exiv2_0.27.3-3+deb11u1.dsc
 652fe107af5b9ba6891b3887a96ed8be 26185201 graphics optional exiv2_0.27.3.orig.tar.gz
 1e06208ac69c50914e3db54e2c81eb59 26040 graphics optional exiv2_0.27.3-3+deb11u1.debian.tar.xz
 3195ff6e6e99af94d274c8d548773bc7 10538 graphics optional exiv2_0.27.3-3+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmEM+xcACgkQEMKTtsN8
Tjaz2Q//UJJBQVxJbPMePSaCMwkdyjDCDNGLP1EcPhIZA91L4F3sPgnI9BzvslST
5oHw3yWQiF5DnfHhBjeoRkmJQ6P5KYOmgKW6ezymQG0UtZBh7iBsk8gA/fF+40m3
zK4pUmLtyuLmnAM0AVYeZhF88SFOntZJkBoaMo6jvoIy6Vs7N9I038h0U8WRrtaF
hiY0FJlBcEUNmXW7EpSPFXcUb0jxSOvkY/mosjGw/ESF62ccw4fK1+HILhGcRK48
SvaBzMRJ+DoJlOHK4XtGyy+D4wqrGqnBDlgx27K6UqL/YzTbA4tbIHgtqPpVxEYl
VgFUnDQ/X5OJR4lFHzYig+cX8VgRPW0Bt3cmLVKBP7WRhPbsW2kT3JguaK1fLmiN
2eYRsfvbfBbhMUovptEk/AmDLH1Qy97e3oWI3G4oxsoBqgQwGvr3QZV376FG7Vb6
ScsCic38fWOcyotCd9kVvjGHuz9cOEk1mdhlNMczueirJFYQjWnnyRse3cY+oNSM
ql0b8wbHtQdY7m9Z/mVZ32QbW2XFnYbivUTd1bPUJ9WXSqecDZ9YE1F6wUQFIEI0
AZKMb0OxilR8iVYatrdeLUzbYoNATCdp0DHyfw80oi+jHErF7DmfsFrwrJTh8GyG
fR3c9MHg3k2VxtWJl44ekdxH//scLcM7xW2ERApPxMdUvPE/4fg=
=K3QG
-----END PGP SIGNATURE-----
--- End Message ---
Bug#991705: marked as done (exiv2: CVE-2021-29457)
Your message dated Sun, 08 Aug 2021 10:03:29 + with message-id and subject line Bug#991705: fixed in exiv2 0.27.3-3+deb11u1 has caused the Debian Bug report #991705, regarding exiv2: CVE-2021-29457 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
991705: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991705
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: exiv2
Version: 0.27.3-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/Exiv2/exiv2/issues/1529
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for exiv2.

CVE-2021-31291[0]:
| A heap-based buffer overflow vulnerability in jp2image.cpp of Exiv2
| 0.27.3 allows attackers to cause a denial of service (DOS) via crafted
| metadata.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-31291
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31291
[1] https://github.com/Exiv2/exiv2/issues/1529

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: exiv2
Source-Version: 0.27.3-3+deb11u1
Done: Moritz Muehlenhoff

We believe that the bug you reported is fixed in the latest version of exiv2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 991...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff (supplier of updated exiv2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Aug 2021 10:57:42 +0200
Source: exiv2
Architecture: source
Version: 0.27.3-3+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian KDE Extras Team
Changed-By: Moritz Muehlenhoff
Closes: 991705 991706
Changes:
 exiv2 (0.27.3-3+deb11u1) bullseye-security; urgency=medium
 .
   * CVE-2021-31291 (Closes: #991705)
   * CVE-2021-31292 (Closes: #991706)
Checksums-Sha1:
 f74c6ed0393c24471c0ceb9584e28696f7c7a12f 2295 exiv2_0.27.3-3+deb11u1.dsc
 5f1b460b10171c3b12cd540d699e9b815f6f3058 26185201 exiv2_0.27.3.orig.tar.gz
 2ce7ef3a747a8bc1559acf3796210acd57fc04e7 26040 exiv2_0.27.3-3+deb11u1.debian.tar.xz
 d81ce13164df5c4e417fe4d06fe7b0503d4f04ed 10538 exiv2_0.27.3-3+deb11u1_amd64.buildinfo
Checksums-Sha256:
 64da774dd45f4faadaa7e841f0cecf22c4de385cd3abc9ecc45a065eda5bf9f7 2295 exiv2_0.27.3-3+deb11u1.dsc
 6398bc743c32b85b2cb2a604273b8c90aa4eb0fd7c1700bf66cbb2712b4f00c1 26185201 exiv2_0.27.3.orig.tar.gz
 9fb59fbc12e3270951c5a34741813eb5474803ba08bb80700dfdabfbdb5a585b 26040 exiv2_0.27.3-3+deb11u1.debian.tar.xz
 679d2a05a54732ad05b719669c510e09ff277fdbd153b017f1332aced5362048 10538 exiv2_0.27.3-3+deb11u1_amd64.buildinfo
Files:
 b248243d8f0506fefd347942fe4a3fb1 2295 graphics optional exiv2_0.27.3-3+deb11u1.dsc
 652fe107af5b9ba6891b3887a96ed8be 26185201 graphics optional exiv2_0.27.3.orig.tar.gz
 1e06208ac69c50914e3db54e2c81eb59 26040 graphics optional exiv2_0.27.3-3+deb11u1.debian.tar.xz
 3195ff6e6e99af94d274c8d548773bc7 10538 graphics optional exiv2_0.27.3-3+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmEM+xcACgkQEMKTtsN8
Tjaz2Q//UJJBQVxJbPMePSaCMwkdyjDCDNGLP1EcPhIZA91L4F3sPgnI9BzvslST
5oHw3yWQiF5DnfHhBjeoRkmJQ6P5KYOmgKW6ezymQG0UtZBh7iBsk8gA/fF+40m3
zK4pUmLtyuLmnAM0AVYeZhF88SFOntZJkBoaMo6jvoIy6Vs7N9I038h0U8WRrtaF
hiY0FJlBcEUNmXW7EpSPFXcUb0jxSOvkY/mosjGw/ESF62ccw4fK1+HILhGcRK48
SvaBzMRJ+DoJlOHK4XtGyy+D4wqrGqnBDlgx27K6UqL/YzTbA4tbIHgtqPpVxEYl
VgFUnDQ/X5OJR4lFHzYig+cX8VgRPW0Bt3cmLVKBP7WRhPbsW2kT3JguaK1fLmiN
2eYRsfvbfBbhMUovptEk/AmDLH1Qy97e3oWI3G4oxsoBqgQwGvr3QZV376FG7Vb6
ScsCic38fWOcyotCd9kVvjGHuz9cOEk1mdhlNMczueirJFYQjWnnyRse3cY+oNSM
ql0b8wbHtQdY7m9Z/mVZ32QbW2XFnYbivUTd1bPUJ9WXSqecDZ9YE1F6wUQFIEI0
AZKMb0OxilR8iVYatrdeLUzbYoNATCdp0DHyfw80oi+jHErF7DmfsFrwrJTh8GyG
fR3c9MHg3k2VxtWJl44ekdxH//scLcM7xW2ERApPxMdUvPE/4fg=
=K3QG
-----END PGP SIGNATURE-----
--- End Message ---
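Both exiv2 advisories above describe the same bug class: a length derived from untrusted metadata is used to size a heap buffer, and an integer overflow in that computation (CVE-2021-31292) or a missing bounds check (CVE-2021-31291) lets a crafted file write past the allocation. The following Python model, added here as an illustration and not exiv2's code, contrasts the defective arithmetic with the checked form a parser should use. The entry layout (`count`, `elem_size`, `data_off` packed little-endian), the `MAX_ENTRY_BYTES` cap and the sample entries are all constructed for the example.

```python
"""Model of an integer-overflow length bug in a metadata parser (constructed).

A directory entry is modelled as a little-endian header
    uint32 count | uint16 elem_size | uint32 data_off
followed by the entry payload. The length of the payload is count * elem_size.
"""
import struct

ENTRY_HDR = struct.Struct("<IHI")   # constructed header layout, 10 bytes
MAX_ENTRY_BYTES = 1 << 20           # constructed policy cap for one entry


def build_entry(count: int, elem_size: int, payload: bytes) -> bytes:
    """Construct a sample entry whose data starts right after the header."""
    return ENTRY_HDR.pack(count, elem_size, ENTRY_HDR.size) + payload


def wrapped_length(count: int, elem_size: int) -> int:
    """What a C parser computes when count * elem_size is done in uint32.

    This is the defective step: a large count wraps to a small product, the
    parser allocates that small buffer, then copies count elements into it,
    which is the heap-based overflow the CVE text describes.
    """
    return (count * elem_size) & 0xFFFFFFFF


def parse_entry_checked(buf: bytes, offset: int) -> bytes:
    """Hardened form: validate every untrusted field before using it."""
    if offset < 0 or len(buf) - offset < ENTRY_HDR.size:
        raise ValueError("truncated entry header")
    count, elem_size, data_off = ENTRY_HDR.unpack_from(buf, offset)

    # Python ints do not wrap, so the product is exact; in C this step must
    # use an overflow-checked multiply (e.g. __builtin_mul_overflow) or a
    # division-based bound such as count > MAX / elem_size.
    if elem_size == 0:
        raise ValueError("zero element size")
    length = count * elem_size
    if length > MAX_ENTRY_BYTES:
        raise ValueError(f"entry length {length} exceeds cap {MAX_ENTRY_BYTES}")

    # Bounds-check against the actual input before slicing/copying. The
    # subtraction form avoids an overflow in data_off + length.
    if data_off > len(buf) or length > len(buf) - data_off:
        raise ValueError("entry data extends past end of input")
    return buf[data_off:data_off + length]


def entry_is_rejected(buf: bytes, offset: int = 0) -> bool:
    """Convenience for tests/triage: True if the checked parser rejects it."""
    try:
        parse_entry_checked(buf, offset)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    benign = build_entry(3, 2, b"abcdef")
    print(parse_entry_checked(benign, 0))
    # count * elem_size = 0x100000004 wraps to 4 in 32-bit arithmetic
    crafted = build_entry(0x40000001, 4, b"xxxx")
    print("wrapped length:", wrapped_length(0x40000001, 4))
    print("rejected by checked parser:", entry_is_rejected(crafted))
```

`wrapped_length` exists only to show the number the defective parser would allocate; the defended path never computes it. Note the two separate guards: the product cap catches the overflow case even on 64-bit, and the remaining-bytes check catches a count that is honest but larger than the file.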
Bug#991971: [pkg-lynx-maint] Bug#991971: [CVE-2021-38165] lynx: bug in SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)
On Sun, Aug 08, 2021 at 01:54:56AM +0200, Axel Beckert wrote:
> Hi Andreas,
>
> Andreas Metzler wrote:
> > > > tags 991971 fixed-upstream
> > > Bug #991971 [lynx] lynx: SSL certificate validation fails with URLs
> > > containing user name or user name and password, i.e.
> > > https://user:password@host/ and https://user@host/; leaks password in
> > > clear text via SNI
> > > Added tag(s) fixed-upstream.
> >
> > Hello,
> >
> > I have just uploaded .9 to experimental.
>
> Thanks a lot! Went to bed in the morning last night, so I was really
> happy to see at least Experimental already being fixed when I woke up
> again.
>
> > The deadline for bullseye unblock requests has passed, so we will
> > need to fix this by security/point release.
>
> Hrm, right, thanks for the reminder.
>
> I nevertheless will update Unstable with a fix. It might be helpful
> for the Security Team (Cc'ed) or us to prepare a stable-update for
> Bullseye.
>
> Security Team: Do you think the fix for CVE-2021-38165 should get a
> DSA? Or do you think it's not important enough and we should target a
> minor stable update for it?

This breaks a pretty fundamental security assumption for a browser, so we should fix it via -security, even though lynx is a fringe browser.

bullseye-security is operational, so we can do both at the same time so that bullseye will be fixed from day one.

Cheers,
Moritz
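The bug title quoted in this thread describes the failure precisely: for URLs of the form https://user:password@host/ the name used for SNI and for certificate matching is not the host but the whole authority, so validation fails and the credentials travel in the cleartext ClientHello. The Python below is an added illustration of that failure mode and of the correct derivation, not lynx's code or anything from the bug report. `naive_host` models the defective extraction, `tls_server_name` the correct one, `leaks_credentials` is a check a test suite or URL-handling code review can apply, and `open_verified_connection` shows where the derived name goes in the `ssl` module; only that last function needs a network and it is not exercised by the test. Sample URLs are constructed.

```python
"""Deriving the TLS server name from a URL that carries userinfo (added example)."""
import socket
import ssl
from urllib.parse import urlsplit


def naive_host(url: str) -> str:
    """Defective pattern: everything between '//' and the next '/' is the host.

    For https://user:secret@example.org/ this yields 'user:secret@example.org',
    which can never match a certificate and, if handed to the TLS layer as
    the SNI name, sends the credentials in clear text.
    """
    rest = url.split("//", 1)[1]
    return rest.split("/", 1)[0]


def tls_server_name(url: str) -> str:
    """Correct derivation: scheme, userinfo and port stripped, brackets removed.

    This is the one name that belongs both in the SNI extension and in
    certificate hostname verification.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("not an https URL")
    host = parts.hostname          # lower-cased, no userinfo, no port, no []
    if not host:
        raise ValueError("URL has no host component")
    return host


def leaks_credentials(url: str) -> bool:
    """Detection check: would the naive extraction put userinfo into SNI?"""
    parts = urlsplit(url)
    has_userinfo = bool(parts.username or parts.password)
    return has_userinfo and "@" in naive_host(url)


def open_verified_connection(url: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection using the correctly derived name (needs network).

    create_default_context() enables chain verification and hostname
    checking; server_hostname feeds both SNI and the hostname check.
    """
    parts = urlsplit(url)
    name = tls_server_name(url)
    port = parts.port or 443
    ctx = ssl.create_default_context()
    raw = socket.create_connection((name, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=name)


if __name__ == "__main__":
    for sample in ("https://user:secret@example.org/path",
                   "https://user@example.org:8443/",
                   "https://example.org/"):
        print(sample, "->", tls_server_name(sample),
              "| naive:", naive_host(sample),
              "| leaks:", leaks_credentials(sample))
```

The check generalises beyond the two shapes named in the bug title: any URL for which `urlsplit` reports a username or password is flagged, and `tls_server_name` also handles explicit ports and bracketed IPv6 literals, which a split on `/` and `:` gets wrong in other ways.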