Bug#1011758: marked as done (smarty3: CVE-2022-29221 - template authors can inject php code by choosing malicious filenames)
Your message dated Mon, 30 May 2022 06:50:05 + with message-id and subject line Bug#1011758: fixed in smarty3 3.1.45-1 has caused the Debian Bug report #1011758, regarding smarty3: CVE-2022-29221 - template authors can inject php code by choosing malicious filenames to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1011758: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011758 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: smarty3 Version: 3.1.39-2 Severity: important Tags: security upstream X-Debbugs-Cc: codeh...@debian.org, Debian Security Team Hi, The following vulnerability was published for smarty3. CVE-2022-29221[0]: | Smarty is a template engine for PHP, facilitating the separation of | presentation (HTML/CSS) from application logic. Prior to versions | 3.1.45 and 4.1.1, template authors could inject php code by choosing a | malicious {block} name or {include} file name. Sites that cannot fully | trust template authors should upgrade to versions 3.1.45 or 4.1.1 to | receive a patch for this issue. There are currently no known | workarounds. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-29221 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29221 Please adjust the affected versions in the BTS as needed. -- System Information: Debian Release: bookworm/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.17.0-2-amd64 (SMP w/6 CPU threads; PREEMPT) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled --- End Message --- --- Begin Message --- Source: smarty3 Source-Version: 3.1.45-1 Done: Mike Gabriel We believe that the bug you reported is fixed in the latest version of smarty3, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1011...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Mike Gabriel (supplier of updated smarty3 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Mon, 30 May 2022 08:24:30 +0200 Source: smarty3 Architecture: source Version: 3.1.45-1 Distribution: unstable Urgency: medium Maintainer: Mike Gabriel Changed-By: Mike Gabriel Closes: 1011758 Changes: smarty3 (3.1.45-1) unstable; urgency=medium . * New upstream release. - CVE-2021-21408: Prevent template authors from running restricted static php methods. (see smarty4 bug #1010375). - CVE-2021-29454: Prevent template authors from running arbitrary PHP code by crafting a malicious math string. (see smarty4 bug #1010375, as well). - CVE-2022-29221: Prevent template authors from injecting PHP code by choosing malicious filenames. (Closes: #1011758). * debian/watch: + Only watch 3.x versions of Smarty. * debian/control: + Bump Standards-Version: to 4.6.1. No changes needed. * debian/copyright: + Update copyright attributions. Checksums-Sha1: 63ceee77103b035d6f069c36e24d7172d4bd72dc 1980 smarty3_3.1.45-1.dsc 5125692feefb89d40e5a08ea586d22a2b1e21c0d 265781 smarty3_3.1.45.orig.tar.gz 4c25d3866cf57a4863f765a5ec617842457b051a 5780 smarty3_3.1.45-1.debian.tar.xz 1103fce3b88174d4b4669176d63bb655981d2823 6780 smarty3_3.1.45-1_source.buildinfo Checksums-Sha256: 19dae472ffbc91d1834036fce8b9f5862e479f83e8c737b72562e817b1947da9 1980 smarty3_3.1.45-1.dsc 4e8dcc8b52ea097b93d32aa432cb552547568ae328505d25af078d63354a9a83 265781 smarty3_3.1.45.orig.tar.gz c4edf77410cae38bf829f0a90ee1f7fb18d62b6386101e851450eb9abd07a8b7 5780 smarty3_3.1.45-1.debian.tar.xz b86b89e55e7eccfe82ec1f9f751ae079694aef9fa542908b6926dfe59284c358 6780 smarty3_3.1.45-1_source.buildinfo Files: 266cff1a53aca7cb2e77ffa9a2d8b007 1980 web optional smarty3_3.1.45-1.dsc c1b5d7acb43485c43973f0fb1e0d64c6 265781 web optional smarty3_3.1.45.orig.tar.gz 8ebcbddef610a7961748465ee462bf29 5780 web optional smarty
Bug#1012077: linuxinfo FTBFS on riscv64
Hello Alan, On Sun, May 29, 2022 at 02:45:29PM -0400, Alan Beadle wrote: > Package: linuxinfo > Version: 3.3.3-1 > Severity: serious > Tags: ftbfs patch upstream > Justification: fails to build from source > X-Debbugs-Cc: ab.bea...@gmail.com > > Dear Maintainer, > > linuxinfo currently fails to build on riscv64 due to this architecture not > being > supported by upstream. I am attaching a patch which adds placeholder support > for > this architecture and allows building the riscv64 debian package from source. > > Please consider applying this patch (or similar) for the next upload. > In addition, the /proc information below is for a riscv64 VisionFive V1 SBC. Thanks a lot! This was on my wishlist already. I'll review and possibly ammend your patch next weekend and then will proceed with an upload. Greetings Helge -- Dr. Helge Kreutzmann deb...@helgefjell.de Dipl.-Phys. http://www.helgefjell.de/debian.php 64bit GNU powered gpg signed mail preferred Help keep free software "libre": http://www.ffii.de/ signature.asc Description: PGP signature
Processed: Bug#1011794 marked as pending in node-jsdom
Processing control commands: > tag -1 pending Bug #1011794 [src:node-jsdom] node-jsdom: FTBFS: tests fail Added tag(s) pending. -- 1011794: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011794 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1011794: marked as pending in node-jsdom
Control: tag -1 pending Hello, Bug #1011794 in node-jsdom reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at: https://salsa.debian.org/js-team/node-jsdom/-/commit/ec62560e4e89524bd3ef5767360e21219b4610bb Fix test Closes: #1011794 (this message was generated automatically) -- Greetings https://bugs.debian.org/1011794
Processed: fixed 1005189 in 2.4.0-2, closing 1005189
Processing commands for cont...@bugs.debian.org: > fixed 1005189 2.4.0-2 Bug #1005189 [src:gcolor3] gcolor3: FTBFS libportal/portal-gtk3.h: No such file or directory Marked as fixed in versions gcolor3/2.4.0-2. > close 1005189 2.4.0-2 Bug #1005189 [src:gcolor3] gcolor3: FTBFS libportal/portal-gtk3.h: No such file or directory Ignoring request to alter fixed versions of bug #1005189 to the same values previously set Bug #1005189 [src:gcolor3] gcolor3: FTBFS libportal/portal-gtk3.h: No such file or directory Marked Bug as done > thanks Stopping processing here. Please contact me if you need assistance. -- 1005189: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005189 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1012021: [Pkg-javascript-devel] Bug#1012021: unreproducible here
Il 29/05/22 21:34, Pirate Praveen ha scritto: On തി, മേയ് 30 2022 at 12:56:53 രാവിലെ +05:30:00 +05:30:00, Pirate Praveen wrote: On ഞാ, മേയ് 29 2022 at 09:34:45 രാവിലെ +02:00:00 +02:00:00, Paolo Greppi wrote: Hi Andreas! thanks for your report. To try to reproduce it, I set ... Finally there is more trouble ahead when building this package, because I also tried: apt install git git clone https://salsa.debian.org/pkg-security-team/greenbone-security-assistant cd greenbone-security-assistant yarnpkg yarnpkg build and the last command failed with: ... Error: error:0308010C:digital envelope routines::unsupported at new Hash (node:internal/crypto/hash:67:19) at Object.createHash (node:crypto:130:10) at module.exports (/greenbone-security-assistant/node_modules/webpack/lib/util/createHash.js:135:53) at NormalModule._initBuildHash (/greenbone-security-assistant/node_modules/webpack/lib/NormalModule.js:417:16) at /greenbone-security-assistant/node_modules/webpack/lib/NormalModule.js:452:10 at /greenbone-security-assistant/node_modules/webpack/lib/NormalModule.js:323:13 at /greenbone-security-assistant/node_modules/loader-runner/lib/LoaderRunner.js:367:11 at /greenbone-security-assistant/node_modules/loader-runner/lib/LoaderRunner.js:233:18 at context.callback (/greenbone-security-assistant/node_modules/loader-runner/lib/LoaderRunner.js:111:13) at /greenbone-security-assistant/node_modules/babel-loader/lib/index.js:59:103 at processTicksAndRejections (node:internal/process/task_queues:96:5) { opensslErrorStack: [ 'error:0386:digital envelope routines::initialization error' ], library: 'digital envelope routines', reason: 'unsupported', code: 'ERR_OSSL_EVP_UNSUPPORTED' } error Command failed with exit code 1. (this also happens on amd64 BTW). According to the interwebs this should only occur with node v17 (whereas in unstable we have v16.15.0) and indeed the commonly proposed workaround fails: NODE_OPTIONS=--openssl-legacy-provider yarnpkg build /usr/bin/node: --openssl-legacy-provider is not allowed in NODE_OPTIONS I was also seeing this error while looking at node-babel-loader We might need to fix node-babel-loader https://github.com/babel/babel-loader/issues/923 Even though the pull request is merged https://github.com/babel/babel-loader/pull/924 I get same error on master branch of upstream babel-loader repo with yarnpkg test. It seems ad-hoc fixes may be required for each package, such as this other one: https://salsa.debian.org/js-team/node-cacache/-/commit/214b963bd02fd74d445789b184d344777dda8ee2 What is mysterious is that all that should only happen with nodejs v17 ... P.
Bug#1012083: quickfix FTBFS on riscv64
Source: quickfix Version: 1.15.1+dfsg-4 Severity: serious Tags: ftbfs patch upstream Justification: fails to build from source (but built successfully in the past) X-Debbugs-Cc: ab.bea...@gmail.com Dear Maintainer, Currently, quickfix fails to build on riscv64. The problem occues due to the inclusion of an old version of the double-conversion utility in the following subdirectory: src/C++/double-conversion/ You can view the (trivial) upstream commit to add riscv64 support here: https://github.com/google/double-conversion/commit/8316ed5bf405835558a476e528d8e1d0adf69dd9 You can review the failed build log here: https://buildd.debian.org/status/fetch.php?pkg=quickfix&arch=riscv64&ver=1.15.1%2Bdfsg-4&stamp=1652988337&raw=0 The least intrusive solution is to patch the included utility in the same way that the upstream source for this utility already has. I am including a patch which does this. I have confirmed that this patch allows building quickfix on actual riscv64 hardware (StatFive VisionFive V1). Please consider applying the included patch (or similar) for the next upload. Thank you, -Alan Beadle -- System Information: Debian Release: bookworm/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: riscv64 Kernel: Linux 5.18.0-starfive-5.18 (SMP w/2 CPU threads) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) Index: quickfix-1.15.1+dfsg/src/C++/double-conversion/utils.h === --- quickfix-1.15.1+dfsg.orig/src/C++/double-conversion/utils.h +++ quickfix-1.15.1+dfsg/src/C++/double-conversion/utils.h @@ -69,7 +69,8 @@ defined(__sparc__) || defined(__sparc) || defined(__s390__) || \ defined(__SH4__) || defined(__alpha__) || \ defined(_MIPS_ARCH_MIPS32R2) || \ -defined(__AARCH64EL__) || defined(__aarch64__) +defined(__AARCH64EL__) || defined(__aarch64__) || \ +defined(__riscv) #define DOUBLE_CONVERSION_CORRECT_DOUBLE_OPERATIONS 1 #elif defined(__mc68000__) #undef DOUBLE_CONVERSION_CORRECT_DOUBLE_OPERATIONS
Processed: Fixed package already in unstable
Processing commands for cont...@bugs.debian.org: > fixed #1012060 8.15.0-2 Bug #1012060 [src:coq, src:coq-bignums] coq breaks coq-bignums autopkgtest: Compiled library Bignums.BigN.BigN makes inconsistent assumptions over library Coq.Init.Ltac The source 'coq' and version '8.15.0-2' do not appear to match any binary packages Marked as fixed in versions coq/8.15.0-2 and coq-bignums/8.15.0-2. > thanks Stopping processing here. Please contact me if you need assistance. -- 1012060: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012060 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Fixed already
Processing commands for cont...@bugs.debian.org: > fixed #1012061 3.2.0-3 Bug #1012061 [src:coq, src:coquelicot] coq breaks coquelicot autopkgtest: Compiled library Coquelicot.Rcomplements makes inconsistent assumptions over library Coq.Init.Ltac The source 'coq' and version '3.2.0-3' do not appear to match any binary packages Marked as fixed in versions coquelicot/3.2.0-3 and coq/3.2.0-3. > thanks Stopping processing here. Please contact me if you need assistance. -- 1012061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012061 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: add forwarded info
Processing commands for cont...@bugs.debian.org: > forwarded 1003502 https://github.com/digitalbazaar/jsonld.js/issues/485 Bug #1003502 [src:node-jsonld] node-jsonld: FTBFS with webpack 5: Invalid configuration object Set Bug forwarded-to-address to 'https://github.com/digitalbazaar/jsonld.js/issues/485'. > thanks Stopping processing here. Please contact me if you need assistance. -- 1003502: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003502 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#965762: marked as done (opusfile: Removal of obsolete debhelper compat 5 and 6 in bookworm)
Your message dated Sun, 29 May 2022 19:49:07 + with message-id and subject line Bug#965762: fixed in opusfile 0.12-1~exp1 has caused the Debian Bug report #965762, regarding opusfile: Removal of obsolete debhelper compat 5 and 6 in bookworm to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 965762: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965762 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: opusfile Version: 0.9+20170913-1 Severity: normal Usertags: compat-5-6-removal Hi, The package opusfile uses debhelper with a compat level of 5 or 6, which is deprecated and scheduled for removal[1]. Please bump the debhelper compat at your earliest convenience /outside the freeze/! * Compat 13 is recommended (supported in stable-backports) * Compat 7 is the bare minimum PLEASE KEEP IN MIND THAT the release team *DOES NOT* accept uploads with compat bumps during the freeze. If there is any risk that the fix for this bug might not migrate to testing before 2021-01-01[3] then please postpone the fix until after the freeze. At the time of filing this bug, compat 5 and 6 are expected to be removed "some time during the development cycle of bookworm". Thanks, ~Niels [1] https://lists.debian.org/debian-devel/2020/07/msg00065.html [2] https://release.debian.org/bullseye/FAQ.html [3] The choice of 2021-01-01 as a "deadline" is set before the actual freeze deadline to provide a safe cut off point for most people. Mind you, it is still your responsibility to ensure that the upload makes it into testing even if you upload before that date. --- End Message --- --- Begin Message --- Source: opusfile Source-Version: 0.12-1~exp1 Done: IOhannes m zmölnig (Debian/GNU) We believe that the bug you reported is fixed in the latest version of opusfile, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 965...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. IOhannes m zmölnig (Debian/GNU) (supplier of updated opusfile package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 18 May 2022 15:30:03 +0200 Source: opusfile Binary: libopusfile-dev libopusfile-doc libopusfile0 libopusfile0-dbgsym Architecture: source amd64 all Version: 0.12-1~exp1 Distribution: experimental Urgency: medium Maintainer: Debian Multimedia Maintainers Changed-By: IOhannes m zmölnig (Debian/GNU) Description: libopusfile-dev - development files for libopusfile libopusfile-doc - libopusfile API documentation libopusfile0 - High-level API for basic manipulation of Ogg Opus audio streams Closes: 881788 899138 923031 935590 935591 965762 1007053 1009854 Changes: opusfile (0.12-1~exp1) experimental; urgency=medium . * New upstream version 0.12 (Closes: #935591, #881788) . * Salvage the package on behalf of the multimedia-team (Closes: #1009854) * Install libraries into multi-arch locations (Closes: #935590, #923031, #899138) (LP: #1883753) * Drop empty dbg package (switching to automatic dbgsym packages) * Add build-dependency hints to .symbols file * Mark lib*.la files as not-installed * Install AUTHORS and README.md * Remove trailing whitespace from d/changelog * d/control + Declare that building this package does not require 'root' powers. + Use Priority "optional" instead of the obsolete "extra" + ${misc:Depends} for libopusfile-doc + Fix package descriptions + Update Vcs-* stanzas + Make the doc-package "suggest" the dev-package * d/copyright + Convert to DEP-5 + Add 'licensecheck' target to d/rules + Generate d/copyright_hints * Add salsa-ci configuration * Add watch file * Add gbp.conf * Switch to 3.0 source format (Closes: #1007053) * Bump dh-compat to 13 (Closes: #965762) + Drop old build script in favour of shortform 'dh' * Bump standards version to 4.6.0 Checksums-Sha1: 1d600d13347ede654a5f49ec2617831f0f9a1aa7 2217 opusfile_0.12-1~exp1.dsc 3e86971fef28292f982a32730632b1d531059ed5 471354 opusfile_0.12.orig.tar.gz 5c3b8be607204639f3098eaea14ab48115e5c336 5504 opusfile_0.12-1~exp1.debian.tar.xz 99c39374c
Processed: severity of 1011758 is grave
Processing commands for cont...@bugs.debian.org: > # was fixed in bullseye-security but not in unstable > severity 1011758 grave Bug #1011758 [src:smarty3] smarty3: CVE-2022-29221 - template authors can inject php code by choosing malicious filenames Severity set to 'grave' from 'important' > thanks Stopping processing here. Please contact me if you need assistance. -- 1011758: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011758 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1012077: linuxinfo FTBFS on riscv64
Package: linuxinfo Version: 3.3.3-1 Severity: serious Tags: ftbfs patch upstream Justification: fails to build from source X-Debbugs-Cc: ab.bea...@gmail.com Dear Maintainer, linuxinfo currently fails to build on riscv64 due to this architecture not being supported by upstream. I am attaching a patch which adds placeholder support for this architecture and allows building the riscv64 debian package from source. Please consider applying this patch (or similar) for the next upload. In addition, the /proc information below is for a riscv64 VisionFive V1 SBC. Thank you, -Alan Beadle -- Package-specific info: /proc/cpuinfo: processor : 0 hart: 1 isa : rv64imafdc mmu : sv39 uarch : sifive,u74-mc processor : 1 hart: 0 isa : rv64imafdc mmu : sv39 uarch : sifive,u74-mc Size of /proc/kcore: -r 1 root root 18446744000862892032 May 25 19:58 /proc/kcore /proc/meminfo: MemTotal:7351200 kB MemFree: 1778728 kB MemAvailable:6685728 kB Buffers: 75344 kB Cached: 4719384 kB SwapCached:0 kB Active: 894708 kB Inactive:4391724 kB Active(anon):460 kB Inactive(anon): 497556 kB Active(file): 894248 kB Inactive(file): 3894168 kB Unevictable: 15396 kB Mlocked: 15396 kB SwapTotal: 0 kB SwapFree: 0 kB Dirty: 912 kB Writeback: 0 kB AnonPages:507140 kB Mapped: 260068 kB Shmem: 628 kB KReclaimable: 204236 kB Slab: 241012 kB SReclaimable: 204236 kB SUnreclaim:36776 kB KernelStack:1696 kB PageTables: 3264 kB NFS_Unstable: 0 kB Bounce:0 kB WritebackTmp: 0 kB CommitLimit: 3675600 kB Committed_AS: 687620 kB VmallocTotal: 67108864 kB VmallocUsed:6316 kB VmallocChunk: 0 kB Percpu: 552 kB CmaTotal: 655360 kB CmaFree: 650112 kB HugePages_Total: 0 HugePages_Free:0 HugePages_Rsvd:0 HugePages_Surp:0 Hugepagesize: 2048 kB Hugetlb: 0 kB -- System Information: Debian Release: bookworm/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: riscv64 Kernel: Linux 5.18.0-starfive-5.18 (SMP w/2 CPU threads) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) Versions of packages linuxinfo depends on: ii libc6 2.33-7 linuxinfo recommends no packages. linuxinfo suggests no packages. -- no debconf information Index: linuxinfo-3.3.3/linuxinfo.h === --- linuxinfo-3.3.3.orig/linuxinfo.h +++ linuxinfo-3.3.3/linuxinfo.h @@ -103,6 +103,10 @@ #define system_avr32 #endif +#if defined(__riscv) +#define system_riscv +#endif + #if (SIZEOF_LONG > 4) #define LONGLONG long int #define LONGSPEC "%ld" Index: linuxinfo-3.3.3/linuxinfo_riscv.c === --- /dev/null +++ linuxinfo-3.3.3/linuxinfo_riscv.c @@ -0,0 +1,25 @@ +/* +linuxinfo_riscv.c + + This allows compilation on riscv + +*/ + +#include +#include "linuxinfo.h" + +#ifdef system_riscv + +void GetHardwareInfo(int fd, struct hw_stat *hw) +{ + sprintf(hw->hw_memory, LONGSPEC, 0); + + hw->hw_processors = 0; + + sprintf(hw->hw_cpuinfo, "%s", "Unknown"); + sprintf(hw->hw_bogomips, "%0.2f", 0.0); + sprintf(hw->hw_megahertz, "?"); + hw->hw_processors = 0; +} + +#endif /* system_riscv */ Index: linuxinfo-3.3.3/Makefile.am === --- linuxinfo-3.3.3.orig/Makefile.am +++ linuxinfo-3.3.3/Makefile.am @@ -4,7 +4,8 @@ linuxinfo_SOURCES = linuxinfo.c linuxinf linuxinfo_alpha.c linuxinfo_ia64.c linuxinfo_intel.c \ linuxinfo_m68k.c linuxinfo_ppc.c linuxinfo_sh.c \ linuxinfo_hppa.c linuxinfo_s390.c linuxinfo_avr.c \ - linuxinfo_sparc.c linuxinfo_mips.c linuxinfo_unknown.c + linuxinfo_sparc.c linuxinfo_mips.c linuxinfo_riscv.c \ + linuxinfo_unknown.c man_MANS = po4a/linuxinfo.1 EXTRA_DIST= config.rpath CREDITS VERSION = 3.3.3
Bug#1010619: marked as done (rsyslog: CVE-2022-24903: Potential heap buffer overflow in TCP syslog server (receiver) components)
Your message dated Sun, 29 May 2022 18:32:39 + with message-id and subject line Bug#1010619: fixed in rsyslog 8.1901.0-1+deb10u2 has caused the Debian Bug report #1010619, regarding rsyslog: CVE-2022-24903: Potential heap buffer overflow in TCP syslog server (receiver) components to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1010619: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010619 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: rsyslog Version: 8.2204.0-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for rsyslog. Filling for now as grave, but we might downgrade. Probably affected configurations are not that common if I understood correctly, the advisory has some comments about it as well[1]. CVE-2022-24903[0]: | Potential heap buffer overflow in TCP syslog server (receiver) | components If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-24903 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24903 [1] https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8#advisory-comment-72243 Please adjust the affected versions in the BTS as needed. Regards, Salvatore --- End Message --- --- Begin Message --- Source: rsyslog Source-Version: 8.1901.0-1+deb10u2 Done: Michael Biebl We believe that the bug you reported is fixed in the latest version of rsyslog, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1010...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Michael Biebl (supplier of updated rsyslog package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 25 May 2022 16:51:45 +0200 Source: rsyslog Architecture: source Version: 8.1901.0-1+deb10u2 Distribution: buster-security Urgency: medium Maintainer: Michael Biebl Changed-By: Michael Biebl Closes: 1010619 Changes: rsyslog (8.1901.0-1+deb10u2) buster-security; urgency=medium . * Fix potential heap buffer overflow in TCP syslog server (receiver) components when octet-counted framing is used (CVE-2022-24903, Closes: #1010619) Checksums-Sha1: fcf5ef844da6715aaa059b1579b725cca8844342 2974 rsyslog_8.1901.0-1+deb10u2.dsc 7223f77a4ea75a7740130cc04ea3df052e82bdfd 2750872 rsyslog_8.1901.0.orig.tar.gz a1dc51c9bf3836f8272bf4bd57ae07c971145414 28772 rsyslog_8.1901.0-1+deb10u2.debian.tar.xz d35fba8d49763a589a0411839a2980a57b1efa62 7230 rsyslog_8.1901.0-1+deb10u2_source.buildinfo Checksums-Sha256: 85ead922b9cb2f3d9cb4b0fa350f8b2ad3183be15e5493f1fd7b7d3b750061c3 2974 rsyslog_8.1901.0-1+deb10u2.dsc ab02c1f11e21b54cfaa68797f083d6f73d9d72ce7a1c04037fbe0d4cee6f27c4 2750872 rsyslog_8.1901.0.orig.tar.gz bb5e081bad738a9af2c66116fac01a345f46cf64a3e112d0b5d7eba028c21fd6 28772 rsyslog_8.1901.0-1+deb10u2.debian.tar.xz 709da22c040b6f53564ed7bbed681cd992ef9ef8896714ddd33211f54d64b9c1 7230 rsyslog_8.1901.0-1+deb10u2_source.buildinfo Files: d77fea21530435c1cbcd3054413789d8 2974 admin important rsyslog_8.1901.0-1+deb10u2.dsc f068dadcf81a559db3be760abda0aaf8 2750872 admin important rsyslog_8.1901.0.orig.tar.gz b1350272bcd3912981cbaa61a0c867d3 28772 admin important rsyslog_8.1901.0-1+deb10u2.debian.tar.xz a56d263ffd185393eb42c51059ce8ced 7230 admin important rsyslog_8.1901.0-1+deb10u2_source.buildinfo -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAmKOjGcACgkQauHfDWCP ItyobA/8DviZDvuAKa4YiGSfrzDPvlIyZdVB+SwbGzMtoRAsuxOL+k+kxKF8gxBg V2ZeQSe1ceo4qQUOW9xkWwr9K7kvg+aO/M1ulnUlTxHH0t2uW3+YrH97UVUxqhGm ZQtHOC+FOA/jhpMF6h6zF+8c4SZTOe+/fNo/TkrY+ndlyui7zMj1fb+O0b4a0Ojt fqGmb7IypWE8mjOXY5LuuMMLk87CxKqPFNzSbAeENPf2fyU5YKK4v6nJ1jUV16q5 wLqn7F1/F3qAxtkyOXM8csJIJRQZdfQQKq0MXjnz3m2efiFXe/jo7UZDI5Nlws7I fWgGePEGWon1OWaSGU2JNiG0g219q0NReb9cY7c4HYUtJ7Q98JvJZRg0nSE/RtiE njaKvhCe/i/qnapCSydn1F9wWvrNnkkAUrnnT9sNgrxGfo94j08fZt1Dzfpz9w8Q 5Cc4/g+C0nXZtSXk+rvGVxZnThm9c+ScMAs2j03Gh9lRD/9IPZ
Bug#953530: marked as done (samba-common-bin: post-install fails with "lock directory /run/samba does not exist")
Your message dated Sun, 29 May 2022 18:02:22 + with message-id and subject line Bug#953530: fixed in samba 2:4.13.13+dfsg-1~deb11u4 has caused the Debian Bug report #953530, regarding samba-common-bin: post-install fails with "lock directory /run/samba does not exist" to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 953530: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953530 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: samba-common-bin Version: 2:4.11.5+dfsg-1+b1 Severity: normal While upgrading samba-common-bin from 2:4.11.5+dfsg-1 to 2:4.11.5+dfsg-1+b1: --- Performing actions... Setting up samba-common-bin (2:4.11.5+dfsg-1+b1) ... Checking smb.conf with testparm Load smb config files from /etc/samba/smb.conf Loaded services file OK. ERROR: lock directory /run/samba does not exist ERROR: pid directory /run/samba does not exist Server role: ROLE_STANDALONE dpkg: error processing package samba-common-bin (--configure): installed samba-common-bin package post-installation script subprocess returned error exit status 1 Errors were encountered while processing: samba-common-bin E: Sub-process /usr/bin/dpkg returned an error code (1) --- samba-common-bin was installed as a dependency of smbclient, the "server role" message is misleading as I don't have any need for a SMB server (and for any lock or pidfile, afaik). Thank you, Gian Piero. -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: sysvinit (via /sbin/init) LSM: AppArmor: enabled Versions of packages samba-common-bin depends on: ii libbsd00.10.0-1 ii libc6 2.29-10 ii libgnutls303.6.12-2 ii libldap-2.4-2 2.4.49+dfsg-2 ii libncurses66.2-1 ii libpopt0 1.16-14 ii libreadline8 8.0-4 ii libtalloc2 2.3.0-5 ii libtdb11.4.2-3+b1 ii libtevent0 0.10.1-4 ii libtinfo6 6.2-1 ii libwbclient0 2:4.11.5+dfsg-1+b1 ii python33.8.2-1 ii python3-samba 2:4.11.5+dfsg-1+b1 ii samba-common 2:4.11.5+dfsg-1 ii samba-libs 2:4.11.5+dfsg-1+b1 Versions of packages samba-common-bin recommends: ii samba-dsdb-modules 2:4.11.5+dfsg-1+b1 Versions of packages samba-common-bin suggests: pn heimdal-clients ii python3-dnspython 1.16.0-2 pn python3-markdown -- no debconf information --- End Message --- --- Begin Message --- Source: samba Source-Version: 2:4.13.13+dfsg-1~deb11u4 Done: Michael Tokarev We believe that the bug you reported is fixed in the latest version of samba, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 953...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Michael Tokarev (supplier of updated samba package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Sat, 28 May 2022 22:52:59 +0300 Source: samba Architecture: source Version: 2:4.13.13+dfsg-1~deb11u4 Distribution: bullseye-proposed-updates Urgency: medium Maintainer: Debian Samba Maintainers Changed-By: Michael Tokarev Closes: 953530 998423 999876 1001053 1004691 1005642 1006935 1009855 Changes: samba (2:4.13.13+dfsg-1~deb11u4) bullseye-proposed-updates; urgency=medium . * fix the order of everything during build by exporting PYTHONHASHSEED=1 for waf. This should fix the broken i386 build of the last security upload. Closes: #1006935, #1009855 * Import the left-over patches from 4.13.17 upstream stable branch: - s3-winbindd-fix-allow-trusted-domains-no-regression.patch https://bugzilla.samba.org/show_bug.cgi?id=14899 Closes: #999876, winbind fails to start with `allow trusted domains: no` - IPA-DC-add-missing-checks.patch https://bugzilla.samba.org/show_bug.cgi?id=14903 - CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch https://bugzilla.samba.org/show_bug.cgi?id=14922 Closes: #1001053, MIT-kerberos auth broken after 4.1
Bug#1010837: marked as done (CVE-2022-30333 (unrar file write vulnerability) patch not yet available for Debian 10 packages)
Your message dated Sun, 29 May 2022 18:02:23 + with message-id and subject line Bug#1010837: fixed in unrar-nonfree 1:6.0.3-1+deb11u1 has caused the Debian Bug report #1010837, regarding CVE-2022-30333 (unrar file write vulnerability) patch not yet available for Debian 10 packages to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1010837: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010837 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- package: unrar severity: grave tags: security -- Forwarded Message - From: Simon Scannell Subject: CVE-2022-30333 (unrar file write vulnerability) patch not yet available for Debian 10 packages Date: May 11 2022, at 6:08 am To: m...@debian.org Cc: Vulnerability Research Team > Dear Martin, > > I am contacting you as you are listed as the maintainer for the unrar > package for Debian 10 as listed here: > https://debian.pkgs.org/10/debian-nonfree-arm64/unrar_5.6.6-1_arm64.deb.html > > We recently reported a vulnerability (CVE-2022-30333) to RarLab. It is > a File Write vulnerability that allows an attacker to write a file > outside of a target extraction dir when unarchiving an untrusted RAR > archive. We have identified a high profile software that is affected > by this vulnerability. > > The vulnerability has been patched in RarLab's upstream version 6.12 > (https://www.rarlab.com/download.htm ). > > If the changelog file is up to date, it seems like the package has not > been updated yet, so no fix is available for users. > > Please view this email as a friendly heads up about this issue. Once > the package is updated, users can secure themselves. > > Thank you, > Simon Scannell | Sonar > > Vulnerability Researcher > Twitter: @scannell_simon > https://sonarsource.com --- End Message --- --- Begin Message --- Source: unrar-nonfree Source-Version: 1:6.0.3-1+deb11u1 Done: YOKOTA Hiroshi We believe that the bug you reported is fixed in the latest version of unrar-nonfree, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1010...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. YOKOTA Hiroshi (supplier of updated unrar-nonfree package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 10 May 2022 20:26:16 +0900 Source: unrar-nonfree Architecture: source Version: 1:6.0.3-1+deb11u1 Distribution: bullseye Urgency: high Maintainer: UnRar maintainer team Changed-By: YOKOTA Hiroshi Closes: 1010837 Changes: unrar-nonfree (1:6.0.3-1+deb11u1) bullseye; urgency=high . * Fix CVE-2022-30333 (Closes: #1010837) Checksums-Sha1: ee17fdc4b521a63ac0af502bb85d9a52e5800171 2343 unrar-nonfree_6.0.3-1+deb11u1.dsc b64c1bd7b4df78e3e228df5495591ec73e9c5535 10472 unrar-nonfree_6.0.3-1+deb11u1.debian.tar.xz e3f33ee836ccf0732fbdbd5fb8715cb9ac453d81 5656 unrar-nonfree_6.0.3-1+deb11u1_source.buildinfo Checksums-Sha256: 25d0659782d6b07a6772e994bb27cb668037790d4e9665f73ef76189a07d1e34 2343 unrar-nonfree_6.0.3-1+deb11u1.dsc d7b04a071d770b75b0b3fc3aee5ecce20c2a74fc875d6277f9c96954deee2575 10472 unrar-nonfree_6.0.3-1+deb11u1.debian.tar.xz f66a5401d49a57d1619527d8b1241fe186683e2901edda62afb69403f3304b04 5656 unrar-nonfree_6.0.3-1+deb11u1_source.buildinfo Files: 151645b25a458c7b1e193202b45335fe 2343 non-free/utils optional unrar-nonfree_6.0.3-1+deb11u1.dsc a9665e3a45c512ca6b88b558c17f883e 10472 non-free/utils optional unrar-nonfree_6.0.3-1+deb11u1.debian.tar.xz 02732f88a165fa9d2dcefd92ce9f3dae 5656 non-free/utils optional unrar-nonfree_6.0.3-1+deb11u1_source.buildinfo -BEGIN PGP SIGNATURE- iQJKBAEBCgA0FiEErjlfKHqxT11VFyPEqem2T5LebcoFAmKS69cWHHlva290YS5o Z21sQGdtYWlsLmNvbQAKCRCp6bZPkt5tyqs2EACsqs+0OfW8uNVr5ypQ7yhtfD/5 qFgj3a50x2s+H5lEH1U79niTL3+ZlWdpYhjD7iUfVsl21uLWawckYJXlN420VrVh fRSrdXGp1TANnMnr1Vsi0TqoTzswJo+LfEdcwnoEETlMP+2nd07gdpcGnv9uEsF9 yNwmtht3RKn05+SGFTfrlN4mGs95xgh83B9CLUl3wHbrphq3V9h1aRrdJZC4FOd3 qKtd2/zRrruRVuQRRupgFuRMpJvJBoBHnpXAU3bmHxKamXHOaembxvVh3l5MBi4C 3tuXXaz86kvYQvPS1kd7dCpZ7IYUnT+vjduuO0EJ7xG9eggvJkuaeKtcZNm4+E4B dr2K+BFXJDoSQDIYZMEAXovhNHYJsCaFku8u8Y9xdpOT3ZyqKqHwz/9Lb7kvP5tV g1ADEHLucRoeaHpViu/RnySXc+Jh08/Cc
Bug#1005642: marked as done (possible gross file corruption due to windows client cache poisoning)
Your message dated Sun, 29 May 2022 18:02:22 + with message-id and subject line Bug#1005642: fixed in samba 2:4.13.13+dfsg-1~deb11u4 has caused the Debian Bug report #1005642, regarding possible gross file corruption due to windows client cache poisoning to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1005642: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005642 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: samba Version: 2:4.13.13+dfsg-1~deb11u2 Severity: critical Tags: patch upstream Please see https://lists.samba.org/archive/samba/2022-February/239548.html and https://lists.samba.org/archive/samba/2022-February/239577.html for the description of the problem and how serious can it be, this bugreport: https://bugzilla.samba.org/show_bug.cgi?id=14928 for the actual bug and the fixes. 3 patches mentioned at the end of the samba.org bugreport are needed for bullseye version of samba to fix this (not counting first patch which modifies the tests, and the last patch which just fixes comments - I mean the actual code changes needed for the fix). First code fix has a chunk for tests/ which also needs to be deleted for 4.13. With these 3 patches, and adding nt_time_to_unix_timespec_raw@SAMBA_UTIL_0.0.1 to d/libwbclient0.symbols, our problem with windows profile corruption immediately went away. Gosh, that was gross... Thanks, /mjt --- End Message --- --- Begin Message --- Source: samba Source-Version: 2:4.13.13+dfsg-1~deb11u4 Done: Michael Tokarev We believe that the bug you reported is fixed in the latest version of samba, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1005...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Michael Tokarev (supplier of updated samba package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Sat, 28 May 2022 22:52:59 +0300 Source: samba Architecture: source Version: 2:4.13.13+dfsg-1~deb11u4 Distribution: bullseye-proposed-updates Urgency: medium Maintainer: Debian Samba Maintainers Changed-By: Michael Tokarev Closes: 953530 998423 999876 1001053 1004691 1005642 1006935 1009855 Changes: samba (2:4.13.13+dfsg-1~deb11u4) bullseye-proposed-updates; urgency=medium . * fix the order of everything during build by exporting PYTHONHASHSEED=1 for waf. This should fix the broken i386 build of the last security upload. Closes: #1006935, #1009855 * Import the left-over patches from 4.13.17 upstream stable branch: - s3-winbindd-fix-allow-trusted-domains-no-regression.patch https://bugzilla.samba.org/show_bug.cgi?id=14899 Closes: #999876, winbind fails to start with `allow trusted domains: no` - IPA-DC-add-missing-checks.patch https://bugzilla.samba.org/show_bug.cgi?id=14903 - CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch https://bugzilla.samba.org/show_bug.cgi?id=14922 Closes: #1001053, MIT-kerberos auth broken after 4.13.13+dfsg-1~deb11u2 - dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch https://bugzilla.samba.org/show_bug.cgi?id=14656 https://bugzilla.samba.org/show_bug.cgi?id=14902 - s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch https://bugzilla.samba.org/show_bug.cgi?id=13979 Closes: #1004691, CVE-2021-43566: mkdir race condition allows share escape * 4 patches from upstream to fix possible serious data corruption issue with windows client cache poisoning, Closes: #1005642 https://bugzilla.samba.org/show_bug.cgi?id=14928 * two patches from upstream to fix coredump when connecting to shares with var substitutions, Closes: #998423 https://bugzilla.samba.org/show_bug.cgi?id=14809 * samba-common-bin.postinst: mkdir /run/samba before invoking samba binaries Closes: #953530 * remove file creation+deletion from previously applied combined patches CVE-2021-23192-only-4.13-v2.patch & CVE-2021-3738-dsdb-crash-4.13-v03.patch to make patch deapply happy (quilt does not notice this situation) * d/salsa-ci.yml: target bullseye Checksums-Sha1: 0ca51aa2da29720bbd031f3312a2cd9b1510e2e1 4034 samba_
Bug#1010619: marked as done (rsyslog: CVE-2022-24903: Potential heap buffer overflow in TCP syslog server (receiver) components)
Your message dated Sun, 29 May 2022 18:02:08 + with message-id and subject line Bug#1010619: fixed in rsyslog 8.2102.0-2+deb11u1 has caused the Debian Bug report #1010619, regarding rsyslog: CVE-2022-24903: Potential heap buffer overflow in TCP syslog server (receiver) components to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1010619: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010619 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: rsyslog Version: 8.2204.0-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for rsyslog. Filling for now as grave, but we might downgrade. Probably affected configurations are not that common if I understood correctly, the advisory has some comments about it as well[1]. CVE-2022-24903[0]: | Potential heap buffer overflow in TCP syslog server (receiver) | components If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-24903 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24903 [1] https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8#advisory-comment-72243 Please adjust the affected versions in the BTS as needed. Regards, Salvatore --- End Message --- --- Begin Message --- Source: rsyslog Source-Version: 8.2102.0-2+deb11u1 Done: Michael Biebl We believe that the bug you reported is fixed in the latest version of rsyslog, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1010...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Michael Biebl (supplier of updated rsyslog package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Fri, 20 May 2022 23:05:15 +0200 Source: rsyslog Architecture: source Version: 8.2102.0-2+deb11u1 Distribution: bullseye-security Urgency: medium Maintainer: Michael Biebl Changed-By: Michael Biebl Closes: 1010619 Changes: rsyslog (8.2102.0-2+deb11u1) bullseye-security; urgency=medium . * Fix potential heap buffer overflow in TCP syslog server (receiver) components when octet-counted framing is used (CVE-2022-24903, Closes: #1010619) Checksums-Sha1: da1f3f8b5246cb6d755999b56e17d72d032256c2 3109 rsyslog_8.2102.0-2+deb11u1.dsc fdda78ed808e7a0dca03ead9227a0a5d913a050f 3123684 rsyslog_8.2102.0.orig.tar.gz 8392d443c5fc4ea6e2064a93c9bc595ac45f6ab4 30620 rsyslog_8.2102.0-2+deb11u1.debian.tar.xz 6717f7e4ac63ea1942a1c91bcd50a3a8fd7dd7e1 8326 rsyslog_8.2102.0-2+deb11u1_source.buildinfo Checksums-Sha256: a1939d9d33c87007c259245a6f57a51fe4a7885a8964af3e4ec31acdc8d4e24f 3109 rsyslog_8.2102.0-2+deb11u1.dsc 94ee0d0312c2edea737665594cbe4a9475e4e3b593e12b5b8ae3a743ac9c72a7 3123684 rsyslog_8.2102.0.orig.tar.gz a8af4719b549b006bfe8be7278c3fb743037db8b8c85715c1b0da5e492dee73a 30620 rsyslog_8.2102.0-2+deb11u1.debian.tar.xz b38eacec08d7084812ec16f1650142d5f48d0daa620406dffbe68b8102a3322e 8326 rsyslog_8.2102.0-2+deb11u1_source.buildinfo Files: 4f4f68f33db2f3d5e5ced58dd3ac7ee6 3109 admin important rsyslog_8.2102.0-2+deb11u1.dsc 1f6150dfd2ef38db37c2165e98d2f2b1 3123684 admin important rsyslog_8.2102.0.orig.tar.gz 1526ed39ebbeb52e3f3f89d1bd0ebee2 30620 admin important rsyslog_8.2102.0-2+deb11u1.debian.tar.xz e1d9ec20262888447553f571ccdc6803 8326 admin important rsyslog_8.2102.0-2+deb11u1_source.buildinfo -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAmKIHJIACgkQauHfDWCP Itxykw//WGZSrd482oLaf85bTR7D15/V5DxcmC5uKp+PgLW/WRCSiBfsVhr5fpOH 1UMjbqNeKIXDtL7tf5+EduAJp8nRDgKpokJsfEUljKv+mRTag7lbxyLE4mGT/+3d DwDO3DWt56Hz+0SNKJb5mpNS0FB0++xhQH/0FarVIkK1Myb+JkLDlSu/Lv4sLouw pWrOKNcXcSJUz7K5zUjs+K9NzamdhMvspaz+aaOggERMTA2Ames//MrzdPiTmCXH 0oe6K/jJPrHV+COx9eHv2ShrFHyanuDz4BI2gpBlw4MQia+9JakuMAhPjUlAXe4k 7I45c3XO2oldHwQodV1j/LHODJv+Zde6OETUFwdK5Vto7uz9RfRlvONSBJAF+VAG 8k7vI6idlUg0Dxufm6TMvJG5XTFP+2AYBjDefkf+Its8yqI/1a3HTTNh27HrTX0Q Nt363BbVn0TFhlnbtOK0TnGp24XpLCE6n6mrSYiO+yu2FA
Bug#1004691: marked as done (samba: CVE-2021-43566)
Your message dated Sun, 29 May 2022 18:02:22 + with message-id and subject line Bug#1004691: fixed in samba 2:4.13.13+dfsg-1~deb11u4 has caused the Debian Bug report #1004691, regarding samba: CVE-2021-43566 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1004691: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004691 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: samba Version: 2:4.13.14+dfsg-1 Severity: grave Tags: security upstream Forwarded: https://bugzilla.samba.org/show_bug.cgi?id=13979 X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 2:4.13.13+dfsg-1~deb11u2 Control: found -1 2:4.9.5+dfsg-5+deb10u2 Hi, The following vulnerability was published for samba. CVE-2021-43566[0]: | All versions of Samba prior to 4.13.16 are vulnerable to a malicious | client using an SMB1 or NFS race to allow a directory to be created in | an area of the server file system not exported under the share | definition. Note that SMB1 has to be enabled, or the share also | available via NFS in order for this attack to succeed. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-43566 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43566 [1] https://www.samba.org/samba/security/CVE-2021-43566.html [2] https://bugzilla.samba.org/show_bug.cgi?id=13979 Regards, Salvatore --- End Message --- --- Begin Message --- Source: samba Source-Version: 2:4.13.13+dfsg-1~deb11u4 Done: Michael Tokarev We believe that the bug you reported is fixed in the latest version of samba, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1004...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Michael Tokarev (supplier of updated samba package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Sat, 28 May 2022 22:52:59 +0300 Source: samba Architecture: source Version: 2:4.13.13+dfsg-1~deb11u4 Distribution: bullseye-proposed-updates Urgency: medium Maintainer: Debian Samba Maintainers Changed-By: Michael Tokarev Closes: 953530 998423 999876 1001053 1004691 1005642 1006935 1009855 Changes: samba (2:4.13.13+dfsg-1~deb11u4) bullseye-proposed-updates; urgency=medium . * fix the order of everything during build by exporting PYTHONHASHSEED=1 for waf. This should fix the broken i386 build of the last security upload. Closes: #1006935, #1009855 * Import the left-over patches from 4.13.17 upstream stable branch: - s3-winbindd-fix-allow-trusted-domains-no-regression.patch https://bugzilla.samba.org/show_bug.cgi?id=14899 Closes: #999876, winbind fails to start with `allow trusted domains: no` - IPA-DC-add-missing-checks.patch https://bugzilla.samba.org/show_bug.cgi?id=14903 - CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch https://bugzilla.samba.org/show_bug.cgi?id=14922 Closes: #1001053, MIT-kerberos auth broken after 4.13.13+dfsg-1~deb11u2 - dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch https://bugzilla.samba.org/show_bug.cgi?id=14656 https://bugzilla.samba.org/show_bug.cgi?id=14902 - s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch https://bugzilla.samba.org/show_bug.cgi?id=13979 Closes: #1004691, CVE-2021-43566: mkdir race condition allows share escape * 4 patches from upstream to fix possible serious data corruption issue with windows client cache poisoning, Closes: #1005642 https://bugzilla.samba.org/show_bug.cgi?id=14928 * two patches from upstream to fix coredump when connecting to shares with var substitutions, Closes: #998423 https://bugzilla.samba.org/show_bug.cgi?id=14809 * samba-common-bin.postinst: mkdir /run/samba before invoking samba binaries Closes: #953530 * remove file creation+deletion from previously applied combined patches CVE-2021-23192-only-4.13-v2.patch & CVE-2021-3738-dsdb-crash-4.13-v03.patch to make patch deapply happy (quilt does not notice
Bug#1009733: src:exempi: fails to migrate to testing for too long: FTBFS on armel and armhf
Hi, On Sat, 16 Apr 2022 00:21:46 +0200 Michael Biebl wrote: Dear arm porters, > can you please take a look at this? Ping from the Release Team. This package is a key package (so the RC bug can't be "fixed" by removal from testing). Am 15.04.22 um 21:19 schrieb Paul Gevers: > Source: exempi > Version: 2.5.2-1 > Severity: serious > Control: close -1 2.6.1-1 > Tags: sid bookworm ftbfs > User: release.debian@packages.debian.org > Usertags: out-of-sync > > Dear maintainer(s), > > The Release Team considers packages that are out-of-sync between testing > and unstable for more than 60 days as having a Release Critical bug in > testing [1]. Your package src:exempi has been trying to migrate for 61 > days [2]. Hence, I am filing this bug. You package failed to build from > source on armel and armhf where it built successfully in the past. > > If a package is out of sync between unstable and testing for a longer > period, this usually means that bugs in the package in testing cannot be > fixed via unstable. Additionally, blocked packages can have impact on > other packages, which makes preparing for the release more difficult. > Finally, it often exposes issues with the package and/or > its (reverse-)dependencies. We expect maintainers to fix issues that > hamper the migration of their package in a timely manner. > > This bug will trigger auto-removal when appropriate. As with all new > bugs, there will be at least 30 days before the package is auto-removed. > > I have immediately closed this bug with the version in unstable, so if > that version or a later version migrates, this bug will no longer affect > testing. I have also tagged this bug to only affect sid and bookworm, so > it doesn't affect (old-)stable. > > If you believe your package is unable to migrate to testing due to > issues beyond your control, don't hesitate to contact the Release Team. > > Paul > > [1] https://lists.debian.org/debian-devel-announce/2020/02/msg5.html > [2] https://qa.debian.org/excuses.php?package=exempi Paul OpenPGP_signature Description: OpenPGP digital signature
Processed: coq breaks coquelicot autopkgtest: Compiled library Coquelicot.Rcomplements makes inconsistent assumptions over library Coq.Init.Ltac
Processing control commands: > found -1 coq/8.15.1+dfsg-2 Bug #1012061 [src:coq, src:coquelicot] coq breaks coquelicot autopkgtest: Compiled library Coquelicot.Rcomplements makes inconsistent assumptions over library Coq.Init.Ltac Marked as found in versions coq/8.15.1+dfsg-2. > found -1 coquelicot/3.2.0-2 Bug #1012061 [src:coq, src:coquelicot] coq breaks coquelicot autopkgtest: Compiled library Coquelicot.Rcomplements makes inconsistent assumptions over library Coq.Init.Ltac Marked as found in versions coquelicot/3.2.0-2. -- 1012061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012061 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1012061: coq breaks coquelicot autopkgtest: Compiled library Coquelicot.Rcomplements makes inconsistent assumptions over library Coq.Init.Ltac
Source: coq, coquelicot Control: found -1 coq/8.15.1+dfsg-2 Control: found -1 coquelicot/3.2.0-2 Severity: serious Tags: sid bookworm User: debian...@lists.debian.org Usertags: breaks needs-update Dear maintainer(s), With a recent upload of coq the autopkgtest of coquelicot fails in testing when that autopkgtest is run with the binary packages of coq from unstable. It passes when run with only packages from testing. In tabular form: passfail coqfrom testing8.15.1+dfsg-2 coquelicot from testing3.2.0-2 all others from testingfrom testing I copied some of the output at the bottom of this report. Currently this regression is blocking the migration of coq to testing [1]. Due to the nature of this issue, I filed this bug report against both packages. Can you please investigate the situation and reassign the bug to the right package? More information about this bug and the reason for filing it can be found on https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation Paul [1] https://qa.debian.org/excuses.php?package=coq https://ci.debian.net/data/autopkgtest/testing/amd64/c/coquelicot/22188156/log.gz File "./BacS2013.v", line 24, characters 0-112: Error: Compiled library Coquelicot.Rcomplements (in file /usr/lib/ocaml/coq/user-contrib/Coquelicot/Rcomplements.vo) makes inconsistent assumptions over library Coq.Init.Ltac autopkgtest [11:12:10]: test examples OpenPGP_signature Description: OpenPGP digital signature
Bug#997435: marked as done (jupyter-sphinx-theme: FTBFS: error in jupyter-sphinx-theme setup command: use_2to3 is invalid.)
Your message dated Sun, 29 May 2022 15:33:52 + with message-id and subject line Bug#997435: fixed in jupyter-sphinx-theme 0.0.6+ds1-11 has caused the Debian Bug report #997435, regarding jupyter-sphinx-theme: FTBFS: error in jupyter-sphinx-theme setup command: use_2to3 is invalid. to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 997435: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=997435 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: jupyter-sphinx-theme Version: 0.0.6+ds1-10 Severity: serious Justification: FTBFS Tags: bookworm sid ftbfs User: lu...@debian.org Usertags: ftbfs-20211023 ftbfs-bookworm Hi, During a rebuild of all packages in sid, your package failed to build on amd64. Relevant part (hopefully): > fakeroot debian/rules clean > dh clean --with python3 --buildsystem=pybuild >dh_auto_clean -O--buildsystem=pybuild > I: pybuild base:232: python3.9 setup.py clean > error in jupyter-sphinx-theme setup command: use_2to3 is invalid. > E: pybuild pybuild:354: clean: plugin distutils failed with: exit code=1: > python3.9 setup.py clean > dh_auto_clean: error: pybuild --clean -i python{version} -p 3.9 returned exit > code 13 > make: *** [debian/rules:9: clean] Error 25 The full build log is available from: http://qa-logs.debian.net/2021/10/23/jupyter-sphinx-theme_0.0.6+ds1-10_unstable.log A list of current common problems and possible solutions is available at http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute! If you reassign this bug to another package, please marking it as 'affects'-ing this package. See https://www.debian.org/Bugs/server-control#affects If you fail to reproduce this, please provide a build log and diff it with mine so that we can identify if something relevant changed in the meantime. --- End Message --- --- Begin Message --- Source: jupyter-sphinx-theme Source-Version: 0.0.6+ds1-11 Done: Jerome Benoit We believe that the bug you reported is fixed in the latest version of jupyter-sphinx-theme, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 997...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Jerome Benoit (supplier of updated jupyter-sphinx-theme package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sun, 29 May 2022 15:15:35 + Source: jupyter-sphinx-theme Architecture: source Version: 0.0.6+ds1-11 Distribution: unstable Urgency: medium Maintainer: Debian Python Team Changed-By: Jerome Benoit Closes: 997435 Changes: jupyter-sphinx-theme (0.0.6+ds1-11) unstable; urgency=medium . [ Ondřej Nový ] * d/control: Update Maintainer field with new Debian Python Team contact address. * d/control: Update Vcs-* fields with new Debian Python Team Salsa layout. . [ Debian Janitor ] * Apply multi-arch hints. + jupyter-sphinx-theme-doc: Add Multi-Arch: foreign. . [ Jerome Benoit ] * d/patches/debianization.patch: setup.py, set use_2to3 to False (closes: #997435). * d/copyright: referesh copyright year-tuples. * d/copyright: update Source. * d/control: bump Standards-Version to 4.6.1 (no change). * d/jupyter-sphinx-theme{-doc,-common}.lintian-overrides: discard. * d/control: introduce Rules-Requires-Root and set it to no. * d/tests/control: add tex-gyre to Depends list. * d/control, jupyter-sphinx-theme-doc Package: add tex-gyre to Recommends list. * d/adhoc/examples/Makefile: refresh header. * d/adhoc/examples/samples/helloworld.py: migrate to Python 3. Checksums-Sha1: dee3282c3667a618f76cc8614c1803783910f983 3482 jupyter-sphinx-theme_0.0.6+ds1-11.dsc 3c1914920edf233835d279765f5d49daa2764f3b 13396 jupyter-sphinx-theme_0.0.6+ds1-11.debian.tar.xz 4b318b01da070f48b298733fa5d68a8ae1c604ab 6202 jupyter-sphinx-theme_0.0.6+ds1-11_source.buildinfo Checksums-Sha256: f8618a5b98d5b78587a23182e079f78b593057e104203429c5a27785b198f74f 3482 jupyter-sphinx-theme_0.0.6+ds1-11.dsc 4627872e43d3709513e2b63677551ebf7aa162747c136a82f504384faf927640 13396 jupyter-sphinx-theme_0.0.6+ds1-11.debian.tar.xz 44ce3376ab41d58bc3238dff8a05afee708443db535ede5e6a6f33e
Processed: coq breaks coq-bignums autopkgtest: Compiled library Bignums.BigN.BigN makes inconsistent assumptions over library Coq.Init.Ltac
Processing control commands: > found -1 coq/8.15.1+dfsg-2 Bug #1012060 [src:coq, src:coq-bignums] coq breaks coq-bignums autopkgtest: Compiled library Bignums.BigN.BigN makes inconsistent assumptions over library Coq.Init.Ltac Marked as found in versions coq/8.15.1+dfsg-2. > found -1 coq-bignums/8.15.0-1 Bug #1012060 [src:coq, src:coq-bignums] coq breaks coq-bignums autopkgtest: Compiled library Bignums.BigN.BigN makes inconsistent assumptions over library Coq.Init.Ltac Marked as found in versions coq-bignums/8.15.0-1. -- 1012060: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012060 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1012060: coq breaks coq-bignums autopkgtest: Compiled library Bignums.BigN.BigN makes inconsistent assumptions over library Coq.Init.Ltac
Source: coq, coq-bignums Control: found -1 coq/8.15.1+dfsg-2 Control: found -1 coq-bignums/8.15.0-1 Severity: serious Tags: sid bookworm User: debian...@lists.debian.org Usertags: breaks needs-update Dear maintainer(s), With a recent upload of coq the autopkgtest of coq-bignums fails in testing when that autopkgtest is run with the binary packages of coq from unstable. It passes when run with only packages from testing. In tabular form: passfail coqfrom testing8.15.1+dfsg-2 coq-bignumsfrom testing8.15.0-1 all others from testingfrom testing I copied some of the output at the bottom of this report. Currently this regression is blocking the migration of coq to testing [1]. Due to the nature of this issue, I filed this bug report against both packages. Can you please investigate the situation and reassign the bug to the right package? More information about this bug and the reason for filing it can be found on https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation Paul [1] https://qa.debian.org/excuses.php?package=coq https://ci.debian.net/data/autopkgtest/testing/amd64/c/coq-bignums/22188155/log.gz make: Entering directory '/tmp/autopkgtest-lxc.1xnd4upm/downtmp/build.b30/src/tests' coqc success/NumberScopes.v File "./success/NumberScopes.v", line 7, characters 0-33: Error: Compiled library Bignums.BigN.BigN (in file /usr/lib/ocaml/coq/user-contrib/Bignums/BigN/BigN.vo) makes inconsistent assumptions over library Coq.Init.Ltac make: *** [Makefile:10: success/NumberScopes.vo] Error 1 make: Leaving directory '/tmp/autopkgtest-lxc.1xnd4upm/downtmp/build.b30/src/tests' autopkgtest [11:12:08]: test command1 OpenPGP_signature Description: OpenPGP digital signature
Bug#1012059: bind9: autopkgtest regression on amd64 and armhf: connection refused
Source: bind9 Version: 1:9.18.3-1 Severity: serious User: debian...@lists.debian.org Usertags: regression Dear maintainer(s), With a recent upload of bind9 the autopkgtest of bind9 fails in testing on amd64 and armhf when that autopkgtest is run with the binary packages of bind9 from unstable. It passes when run with only packages from testing. In tabular form: passfail bind9 from testing1:9.18.3-1 versioned deps [0] from testingfrom unstable all others from testingfrom testing I copied some of the output at the bottom of this report. Currently this regression is blocking the migration to testing [1]. Can you please investigate the situation and fix it? More information about this bug and the reason for filing it can be found on https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation Paul [0] You can see what packages were added from the second line of the log file quoted below. The migration software adds source package from unstable to the list if they are needed to install packages from bind9/1:9.18.3-1. I.e. due to versioned dependencies or breaks/conflicts. [1] https://qa.debian.org/excuses.php?package=bind9 https://ci.debian.net/data/autopkgtest/testing/amd64/b/bind9/22188154/log.gz ;; communications error to 127.0.0.1#53: connection refused autopkgtest [11:11:37]: test simpletest OpenPGP_signature Description: OpenPGP digital signature
Bug#1011146: upgrade-system is marked for autoremoval from testing
Hi all, As other dev/maintainers, I got a the autoremoval notification for package resource-agents-paf, which has nothing to do with nvidia things. Maybe what maintainers should do might be clarified here? Should we just sit & wait for the next notification about the false positive bug being fixed? Regards, On Thu, 26 May 2022 09:31:00 +0300 =?UTF-8?Q?Martin=2D=C3=89ric_Racine?= wrote: > I'd really like to know how anyone could ever come to the conclusion > that a package that has nothing to do with graphic drivers needs to be > auto-removed. > > Martin-Éric > > On Thu, May 26, 2022 at 9:01 AM Debian testing autoremoval watch > wrote: > > > > upgrade-system 1.9.1.0 is marked for autoremoval from testing on 2022-06-30 > > > > It (build-)depends on packages with these RC bugs: > > 1011146: nvidia-graphics-drivers-tesla-470: CVE-2022-28181, CVE-2022-28183, > > CVE-2022-28184, CVE-2022-28185, CVE-2022-28191, CVE-2022-28192 > > https://bugs.debian.org/1011146 > > > > > > > > This mail is generated by: > > https://salsa.debian.org/release-team/release-tools/-/blob/master/mailer/mail_autoremovals.pl > > > > Autoremoval data is generated by: > > https://salsa.debian.org/qa/udd/-/blob/master/udd/testing_autoremovals_gatherer.pl > >
Bug#1012017: marked as pending in librsvg
Control: tag -1 pending Hello, Bug #1012017 in librsvg reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at: https://salsa.debian.org/gnome-team/librsvg/-/commit/7bb4b0b3a7fe699ddc068190bf7e666c3303 d/clean: Fix build-twice-in-a-row Closes: #1012017 (this message was generated automatically) -- Greetings https://bugs.debian.org/1012017
Processed: Bug#1012017 marked as pending in librsvg
Processing control commands: > tag -1 pending Bug #1012017 [src:librsvg] librsvg: fails to clean after successful build Added tag(s) pending. -- 1012017: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012017 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1011603: FTBFS with systemd v251 in dh_auto_test
On Wed, 25 May 2022 10:34:15 +0200 Michael Biebl wrote: Source: bolt Version: 0.9.2-1 Severity: serious bolt currently FTBFS during dh_auto_test and also fails its autopktest. This is due to a change in systemd v251. See https://github.com/systemd/systemd/issues/23499 where this is being discussed. I've created a MR. See https://salsa.debian.org/freedesktop-team/bolt/-/merge_requests/5 OpenPGP_signature Description: OpenPGP digital signature
Processed: Re: Bug#1005873: marked as done (gbp 0.9.26 will break dgit --gbp)
Processing commands for cont...@bugs.debian.org: > fixed 1012024 0.9.25 Bug #1012024 [git-buildpackage] Please declare Breaks: dgit (<< 9.16~) Marked as fixed in versions git-buildpackage/0.9.25. > End of message, stopping processing here. Please contact me if you need assistance. -- 1012024: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012024 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1011913: marked as done (haskell-devscripts: DEB_ENABLE_TESTS ignored)
Your message dated Sun, 29 May 2022 09:20:47 + with message-id and subject line Bug#1011913: fixed in haskell-swish 0.10.2.0-1 has caused the Debian Bug report #1011913, regarding haskell-devscripts: DEB_ENABLE_TESTS ignored to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1011913: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011913 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: haskell-swish Version: 0.10.1.0-1 Severity: serious Justification: FTBFS Tags: bookworm sid ftbfs User: lu...@debian.org Usertags: ftbfs-20220525 ftbfs-bookworm Hi, During a rebuild of all packages in sid, your package failed to build on amd64. Relevant part (hopefully): > debian/rules binary > test -x debian/rules > dh_testroot > dh_prep > dh_installdirs -A > mkdir -p "." > CDBS WARNING:DEB_DH_STRIP_ARGS is deprecated since 0.4.85 > CDBS WARNING:DEB_COMPRESS_EXCLUDE is deprecated since 0.4.85 > Adding cdbs dependencies to debian/libghc-swish-doc.substvars > dh_installdirs -plibghc-swish-doc \ > > perl -d:Confess -MDebian::Debhelper::Buildsystem::Haskell::Recipes=/.*/ \ > -E 'make_setup_recipe' > Running ghc --make Setup.hs -o debian/hlibrary.setup > [1 of 1] Compiling Main ( Setup.hs, Setup.o ) > Linking debian/hlibrary.setup ... > perl -d:Confess -MDebian::Debhelper::Buildsystem::Haskell::Recipes=/.*/ \ > -E 'configure_recipe; haddock_recipe; build_recipe; check_recipe' > Running find . ! -newer /tmp/imU_Njjw2l -exec touch -d "1998-01-01 UTC" {} ; > Running dh_listpackages > swish > libghc-swish-dev > libghc-swish-doc > libghc-swish-prof > Running dh_listpackages > swish > libghc-swish-dev > libghc-swish-doc > libghc-swish-prof > Running dpkg-buildflags --get LDFLAGS > -Wl,-z,relro > Running debian/hlibrary.setup configure --ghc -v2 > --package-db=/var/lib/ghc/package.conf.d --prefix=/usr > --libdir=/usr/lib/haskell-packages/ghc/lib --libexecdir=/usr/lib > --builddir=dist-ghc --ghc-option=-optl-Wl,-z,relro > --haddockdir=/usr/lib/ghc-doc/haddock/swish-0.10.1.0/ --datasubdir=swish > --htmldir=/usr/share/doc/libghc-swish-doc/html/ --enable-library-profiling > Using Parsec parser > Configuring swish-0.10.1.0... > Flags chosen: network-uri=True, w3ctests=False > Dependency base >=4.8 && <4.17: using base-4.13.0.0 > Dependency containers >=0.5 && <0.7: using containers-0.6.2.1 > Dependency directory >=1.0 && <1.4: using directory-1.3.6.0 > Dependency filepath >=1.1 && <1.5: using filepath-1.4.2.1 > Dependency hashable ==1.1.* || >=1.2.0.6 && <1.5: using hashable-1.3.0.0 > Dependency intern >=0.8 && <1.0: using intern-0.9.4 > Dependency mtl ==2.*: using mtl-2.2.2 > Dependency network-uri >=2.6 && <2.8: using network-uri-2.6.3.0 > Dependency old-locale ==1.0.*: using old-locale-1.0.0.7 > Dependency polyparse >=1.6 && <1.14: using polyparse-1.13 > Dependency text >=0.11 && <2.1: using text-1.2.4.0 > Dependency time >=1.1 && <1.9 || >=1.9.1 && <1.14: using time-1.9.3 > Dependency base -any: using base-4.13.0.0 > Dependency swish -any: using swish-0.10.1.0 > Source component graph: > component lib > component exe:Swish dependency lib > Configured component graph: > component swish-0.10.1.0-Kawc1ubQ52B9qGYTs7vWTz > include base-4.13.0.0 > include containers-0.6.2.1 > include directory-1.3.6.0 > include filepath-1.4.2.1 > include hashable-1.3.0.0-AOP4LTmShW4Dax9brHgY53 > include intern-0.9.4-m004RHcdtDDlNtFZdgm3E > include mtl-2.2.2 > include network-uri-2.6.3.0-CPjS2hnZr1IIlGhZ1dITqG > include old-locale-1.0.0.7-KOGgqu8HfWChZyQBUEp1c > include polyparse-1.13-4iUooCvGMcnC0mPzTcZKJt > include text-1.2.4.0 > include time-1.9.3 > component swish-0.10.1.0-ExQXwXGM3Nh5lYjcuuCptL-Swish > include base-4.13.0.0 > include swish-0.10.1.0-Kawc1ubQ52B9qGYTs7vWTz > Linked component graph: > unit swish-0.10.1.0-Kawc1ubQ52B9qGYTs7vWTz > include base-4.13.0.0 > include containers-0.6.2.1 > include directory-1.3.6.0 > include filepath-1.4.2.1 > include hashable-1.3.0.0-AOP4LTmShW4Dax9brHgY53 > include intern-0.9.4-m004RHcdtDDlNtFZdgm3E > include mtl-2.2.2 > include network-uri-2.6.3.0-CPjS2hnZr1IIlGhZ1dITqG > include old-locale-1.0.0.7-KOGgqu8HfWChZyQBUEp1c > include polyparse-1.13-4iUooCvGMcnC0mPzTcZKJt > include text-1.2.4.0 > include time-1.9.3 > > Data.Interned.URI=swish-0.10.1.0-Kawc1ubQ52B9qGYTs7vWTz:Data.Interned.URI,Data.Ord.Par
Bug#1003190: marked as done (tcpslice: CVE-2021-41043: use-after-free in extract_slice())
Your message dated Sun, 29 May 2022 08:35:32 + with message-id and subject line Bug#1003190: fixed in tcpslice 1.5-1 has caused the Debian Bug report #1003190, regarding tcpslice: CVE-2021-41043: use-after-free in extract_slice() to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1003190: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003190 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: tcpslice Version: 1.3-2 Severity: grave Tags: security upstream Forwarded: https://github.com/the-tcpdump-group/tcpslice/issues/11 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for tcpslice. CVE-2021-41043[0]: | Use after free in tcpslice triggers AddressSanitizer, no other | confirmed impact. The impact is not confirmed to be exploitable TTBOMK so far, but the severity is choosen as better safe than sorry afterwards. Can you update tcpslice first in unstable? Possibly ideally directly to 1.5 containing other fixes. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-41043 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41043 [1] https://github.com/the-tcpdump-group/tcpslice/issues/11 [2] https://github.com/the-tcpdump-group/tcpslice/commit/030859fce9c77417de657b9bb29c0f78c2d68f4a Please adjust the affected versions in the BTS as needed. Regards, Salvatore --- End Message --- --- Begin Message --- Source: tcpslice Source-Version: 1.5-1 Done: Bruno Naibert de Campos We believe that the bug you reported is fixed in the latest version of tcpslice, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1003...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Bruno Naibert de Campos (supplier of updated tcpslice package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 28 May 2022 20:56:55 -0300 Source: tcpslice Architecture: source Version: 1.5-1 Distribution: unstable Urgency: medium Maintainer: Bruno Naibert de Campos Changed-By: Bruno Naibert de Campos Closes: 1003190 Changes: tcpslice (1.5-1) unstable; urgency=medium . * New upstream version 1.5. (includes a fix for CVE-2021-41043) (Closes: #1003190) * Enable GPG-checking of orig tarball. - debian/upstream/signing-key.asc: upstream public key. - debian/watch: ~ Add "pgpmode=auto" as an option. ~ Changed the URL. * debian/control: - Added libnids-dev and libosip2-dev to Build-Depends field. - Bumped Standards-Version to 4.6.0. * debian/copyright: - Added licensing for diag-control.h file. - Updated the packaging and upstream copyright years. * debian/docs: changed from README to README.md. * debian/patches: removed. The upstream fixed the source code. Thanks. * debian/upstream/metadata: fixed spelling error. Checksums-Sha1: 5e316072ff73c389f7232a5f46d3806360f2ca9c 1992 tcpslice_1.5-1.dsc 37573df884edbd9c8bc123124f3ef1ea874d6d16 136597 tcpslice_1.5.orig.tar.gz 56f9a573fa908d4db4c098fae9bf9fab6ad347b8 667 tcpslice_1.5.orig.tar.gz.asc f926a0a7ad314e751dcdb8effcf0fa0ce11dc772 6108 tcpslice_1.5-1.debian.tar.xz 1ef0a653b9bfdf1def40bda92a9a348975208928 5413 tcpslice_1.5-1_source.buildinfo Checksums-Sha256: cdbb7e4c130ee88042d088b972a9899101ee491cce9cf08ef1cf7aa4d9ed9a03 1992 tcpslice_1.5-1.dsc f6935e3e7ca00ef50c515d062fddd410868467ec5b6d8f2eca12066f8d91dda2 136597 tcpslice_1.5.orig.tar.gz b3568bd486c89f6c334f0139170e9ffa25995d6a923fe9c77aa71b0b43c52438 667 tcpslice_1.5.orig.tar.gz.asc 12bc9a0f38a601dba96f5feecbc9a3345611348ed0cebc740d747cc63ef1344e 6108 tcpslice_1.5-1.debian.tar.xz 4039af3ff1c6903781108dceabaa746b7018626780613bc65cc29a197eb6c9ce 5413 tcpslice_1.5-1_source.buildinfo Files: bc03c2d1f5ed5875731225605d9249ea 1992 net optional tcpslice_1.5-1.dsc 8907e60376e629f6e6ce2255988aaf47 136597 net optional tcpslice_1.5.orig.tar.gz 01f66966d2afa86774c7ef983a3a93a4 667 net optional tcpslice_1.5.orig.tar.gz.asc fb7b
Processed: Re: Bug#1011913: haskell-swish: FTBFS: make: *** [/usr/share/cdbs/1/class/hlibrary.mk:153: build-ghc-stamp] Error 25
Processing control commands: > reassign -1 haskell-swish Bug #1011913 [haskell-devscripts] haskell-devscripts: DEB_ENABLE_TESTS ignored Bug reassigned from package 'haskell-devscripts' to 'haskell-swish'. Ignoring request to alter found versions of bug #1011913 to the same values previously set Ignoring request to alter fixed versions of bug #1011913 to the same values previously set > tag -1 pending Bug #1011913 [haskell-swish] haskell-devscripts: DEB_ENABLE_TESTS ignored Added tag(s) pending. -- 1011913: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011913 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1011913: haskell-swish: FTBFS: make: *** [/usr/share/cdbs/1/class/hlibrary.mk:153: build-ghc-stamp] Error 25
Control: reassign -1 haskell-swish Control: tag -1 pending Quoting Scott Talbert (2022-05-29 03:48:43) > On Sat, 28 May 2022, Jonas Smedegaard wrote: > > > Control: reassign -1 haskell-devscripts > > Control: retitle -1 haskell-devscripts: DEB_ENABLE_TESTS ignored > > Control: affects -1 haskell-swish > > > > Quoting Lucas Nussbaum (2022-05-26 21:04:50) > >> During a rebuild of all packages in sid, [haskell-swish] failed to build > >> on amd64. > > [...] > >>> Running debian/hlibrary.setup test --builddir=dist-ghc > >>> --show-details=direct > >>> Non-zero exit code 1. > >>> hlibrary.setup: No test suites enabled. Did you remember to configure with > >>> '--enable-tests'? > > > > haskell-swish built successfully when released in January, and contains > > this in debian/rules: > > > >> DEB_ENABLE_TESTS = yes > > > > Perhaps this really is bug#1010179 and the "fix" only papered over the > > underlying problem: @Scott, did you test packages _enabling_ tests or > > only the default of having tests disabled? > > Hi Jonas, > > Actually, it looks like DEB_ENABLE_TESTS=yes had been broken in > haskell-devscripts for quite some time (even before Felix's changes). If > you look at the January build log for haskell-swish, the tests were not > run at that time. In the case of haskell-swish, DEB_ENABLE_TESTS needs to > be defined *before* including hlibrary.mk. After fixing that, it seems > there are some missing test dependencies. Oh! This means haskell-swish hasn't ever run its tests since initial packaging in 2013. Thanks a lot for (indirectly) pointing that out to me. The missing build-dependencies was another bug in my rules file - a silly missing comma in a macro call :-/ - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private signature.asc Description: signature
Bug#1012021: unreproducible here
Hi Andreas! thanks for your report. To try to reproduce it, I set up multiarch for docker (https://github.com/multiarch/qemu-user-static) then: docker run --rm -it arm64v8/debian:unstable bash apt update apt upgrade apt install curl yarnpkg curl -o package.json https://salsa.debian.org/pkg-security-team/greenbone-security-assistant/-/raw/debian/master/package.json?inline=false curl -o yarn.lock https://salsa.debian.org/pkg-security-team/greenbone-security-assistant/-/raw/debian/master/yarn.lock?inline=false yarnpkg (this command reads the list of dependencies from package.json + the exact versions from yarn.lock and downloads them all in node_modules/ dir). While the command runs, top reports that the node process is using quite some memory: PID USER PR NIVIRTRESSHR S %CPU %MEM TIME+ COMMAND 595069 root 20 0 2202764 688100 44356 R 128,2 2,9 9:06.30 node but ultimately it succeeds: root@f679258d6a63:/# yarnpkg yarn install v1.22.19 [1/5] Validating package.json... [2/5] Resolving packages... [3/5] Fetching packages... [4/5] Linking dependencies... warning "@greenbone/ui-components > bootstrap@4.6.0" has unmet peer dependency "jquery@1.9.1 - 3". warning "@greenbone/ui-components > bootstrap@4.6.0" has unmet peer dependency "popper.js@^1.16.1". warning "@greenbone/ui-components > styled-components@5.2.1" has unmet peer dependency "react-is@>= 16.8.0". warning " > babel-loader@8.1.0" has unmet peer dependency "webpack@>=2". warning "react-scripts > @typescript-eslint/eslint-plugin > tsutils@3.17.1" has unmet peer dependency "typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta". warning "@storybook/react > react-docgen-typescript-plugin@0.6.2" has unmet peer dependency "typescript@>= 3.x". warning "@storybook/react > react-docgen-typescript-plugin > react-docgen-typescript@1.20.5" has unmet peer dependency "typescript@>= 3.x". warning "@storybook/react > react-docgen-typescript-plugin > react-docgen-typescript-loader@3.7.2" has unmet peer dependency "typescript@*". warning " > @testing-library/user-event@13.1.9" has unmet peer dependency "@testing-library/dom@>=7.21.4". warning " > eslint-config-prettier@8.3.0" has unmet peer dependency "eslint@>=7.0.0". [5/5] Building fresh packages... Done in 448.36s. root@f679258d6a63:/# uname -a Linux f679258d6a63 5.10.0-14-amd64 #1 SMP Debian 5.10.113-1 (2022-04-29) aarch64 GNU/Linux Could it be an issue of low-memory on the !amd64 builder machines ? Also I was looking for logs here but no luck: https://buildd.debian.org/status/package.php?p=greenbone-security-assistant Finally there is more trouble ahead when building this package, because I also tried: apt install git git clone https://salsa.debian.org/pkg-security-team/greenbone-security-assistant cd greenbone-security-assistant yarnpkg yarnpkg build and the last command failed with: ... Error: error:0308010C:digital envelope routines::unsupported at new Hash (node:internal/crypto/hash:67:19) at Object.createHash (node:crypto:130:10) at module.exports (/greenbone-security-assistant/node_modules/webpack/lib/util/createHash.js:135:53) at NormalModule._initBuildHash (/greenbone-security-assistant/node_modules/webpack/lib/NormalModule.js:417:16) at /greenbone-security-assistant/node_modules/webpack/lib/NormalModule.js:452:10 at /greenbone-security-assistant/node_modules/webpack/lib/NormalModule.js:323:13 at /greenbone-security-assistant/node_modules/loader-runner/lib/LoaderRunner.js:367:11 at /greenbone-security-assistant/node_modules/loader-runner/lib/LoaderRunner.js:233:18 at context.callback (/greenbone-security-assistant/node_modules/loader-runner/lib/LoaderRunner.js:111:13) at /greenbone-security-assistant/node_modules/babel-loader/lib/index.js:59:103 at processTicksAndRejections (node:internal/process/task_queues:96:5) { opensslErrorStack: [ 'error:0386:digital envelope routines::initialization error' ], library: 'digital envelope routines', reason: 'unsupported', code: 'ERR_OSSL_EVP_UNSUPPORTED' } error Command failed with exit code 1. (this also happens on amd64 BTW). According to the interwebs this should only occur with node v17 (whereas in unstable we have v16.15.0) and indeed the commonly proposed workaround fails: NODE_OPTIONS=--openssl-legacy-provider yarnpkg build /usr/bin/node: --openssl-legacy-provider is not allowed in NODE_OPTIONS Paolo
Bug#1011971: marked as done (libmobi: CVE-2022-1533 CVE-2022-1534 CVE-2022-1907 CVE-2022-1908)
Your message dated Sun, 29 May 2022 09:29:01 +0200 with message-id and subject line ftpmas...@ftp-master.debian.org: Accepted libmobi 0.11+dfsg-1 (source) into unstable has caused the Debian Bug report #1011971, regarding libmobi: CVE-2022-1533 CVE-2022-1534 CVE-2022-1907 CVE-2022-1908 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1011971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011971 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: libmobi Version: 0.10+dfsg1-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerabilities were published for libmobi. CVE-2022-1533[0]: | Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to | 0.11. This vulnerability is capable of arbitrary code execution. CVE-2022-1534[1]: | Buffer Over-read at parse_rawml.c:1416 in GitHub repository | bfabiszewski/libmobi prior to 0.11. The bug causes the program reads | data past the end of the intented buffer. Typically, this can allow | attackers to read sensitive information from other memory locations or | cause a crash. CVE-2022-1907[2]: | Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to | 0.11. CVE-2022-1908[3]: | Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to | 0.11. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. We can probably wait until upstream releases 0.11, but the RC severity makes sure we do not go unfixed in bookworm. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-1533 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1533 [1] https://security-tracker.debian.org/tracker/CVE-2022-1534 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1534 [2] https://security-tracker.debian.org/tracker/CVE-2022-1907 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1907 [3] https://security-tracker.debian.org/tracker/CVE-2022-1908 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1908 Regards, Salvatore --- End Message --- --- Begin Message --- Source: libmobi Source-Version: 0.11+dfsg-1 - Forwarded message from Debian FTP Masters - From: Debian FTP Masters Resent-From: debian-devel-chan...@lists.debian.org Reply-To: debian-de...@lists.debian.org Date: Sat, 28 May 2022 23:05:07 + To: debian-devel-chan...@lists.debian.org Subject: Accepted libmobi 0.11+dfsg-1 (source) into unstable Message-Id: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 28 May 2022 15:38:22 + Source: libmobi Architecture: source Version: 0.11+dfsg-1 Distribution: unstable Urgency: medium Maintainer: Bartek Fabiszewski Changed-By: Bartek Fabiszewski Changes: libmobi (0.11+dfsg-1) unstable; urgency=medium . * New upstream release. . * fixed multiple buffer over-reads and null pointer dereferences that can be triggered with crafted input. The security impact of these bugs is low, they can cause crashes. These bugs were identified by extensive fuzzing by various researchers: jimoyong, dupingxin (NSFOCUS Tianji Lab), jieyongma (TDHX ICS Security), cnitlrt, beidasoft-cobot-oss-fuzz, han0nly. Some of these vulnerabilities has been assigned CVEs: CVE-2022-1533, CVE-2022-1534, CVE-2022-1907, CVE-2022-1908. * fixed potential leak in dictionary parsing on corrupt data * improved portability of encryption key generation * updated Xcode and MSVC projects Checksums-Sha1: 930fa7696a7e83be1327dab2dcf16e2505f5688e 1847 libmobi_0.11+dfsg-1.dsc f2bf33d7885a25d99611b4abeb5d778d0b7a2da8 1369040 libmobi_0.11+dfsg.orig.tar.xz ead1238c7f79d2974e34eede44d6c88d3710 8148 libmobi_0.11+dfsg-1.debian.tar.xz 9cef077796ca5049515d00e148f0a10aec310587 5395 libmobi_0.11+dfsg-1_source.buildinfo Checksums-Sha256: 4f2d772a3e6bbd8d2a8902a060a6cda799c0c2b81d286e88db792810f1b61d2e 1847 libmobi_0.11+dfsg-1.dsc 1c5c3d780c69b0c143444ad91ca31d4eeac69d0b65e1c5f36c65b4c380236894 1369040 libmobi_0.11+dfsg.orig.tar.xz 6dff3c107e0532e932182cedae99f8ca1db4a3ad83266316719688dfca476de8 8148 libmobi_0.11+dfsg-1.debian.tar.xz 93629109b14b04239570ec4ada8ae31cd93bf89c5020965c1db26c7ef3407b34 5395 libmobi_0.11+dfsg-1_source.buildinfo Files: e088af38f0be425c2572694d11d7de02 1847 libs optional libmobi_0.11+dfsg-1.dsc 76c77a60dfdd5ba518a99cbb9abe781b 1369040 libs optional libmobi_0.11+dfsg.orig.tar.xz 7fc2b3d9bc71977c69b59d0acda66bd4 814