Bug#1057265: cron: Uncheck return values of set*id() family functions

2023-12-02 Thread Jeffrey Bencteux
Package: cron
Version: 3.0pl1-149
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: georg...@debian.org

Hi,

Both setuid() and setgid() return values are not checked in cron's code used to 
execute user-provided commands:

do_command.c:
> 63 static void
> 64 child_process(entry *e, user *u) {
> ...
> 243 setgid(e->pwd->pw_gid);
> 244 initgroups(usernm, e->pwd->pw_gid);
> 245 #if (defined(BSD)) && (BSD >= 199103)
> 246 setlogin(usernm);
> 247 #endif /* BSD */
> 248 setuid(e->pwd->pw_uid); /* we aren't root after this... */
> 249
> 250 #endif /* LOGIN_CAP */

man 2 setuid() states the following:

> RETURN VALUE
>   On success, zero is returned.  On error, -1 is returned, and errno is 
> set to indicate the error.
>
>   Note: there are cases where setuid() can fail even when the caller is 
> UID 0; it is a grave security error to omit checking for a failure return 
> from setuid().

In the unlikely event where setuid() (or setgid()) fails, privileges of cron 
would not be dropped and commands would be run as root. 
This would lead to privilege escalation.

The attached patch fixes this by aborting execution when such an event occurs.

Regards,


-- Package-specific info:
--- EDITOR:


--- /usr/bin/editor:
/usr/bin/nano

--- /usr/bin/crontab:
-rwxr-sr-x 1 root crontab 43648 Jul 25  2022 /usr/bin/crontab

--- /var/spool/cron:
drwxr-xr-x 5 root root 4096 Jun 27 17:17 /var/spool/cron

--- /var/spool/cron/crontabs:
drwx-wx--T 2 root crontab 4096 Jul 25  2022 /var/spool/cron/crontabs

--- /etc/cron.d:
drwxr-xr-x 2 root root 4096 Jun 29 15:08 /etc/cron.d

--- /etc/cron.daily:
drwxr-xr-x 2 root root 4096 Jun 16 17:34 /etc/cron.daily

--- /etc/cron.hourly:
drwxr-xr-x 2 root root 4096 Aug  8  2022 /etc/cron.hourly

--- /etc/cron.monthly:
drwxr-xr-x 2 root root 4096 Nov 30  2022 /etc/cron.monthly

--- /etc/cron.weekly:
drwxr-xr-x 2 root root 4096 Oct 30  2022 /etc/cron.weekly


-- System Information:
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:        2022.3
Codename:       kali-rolling
Architecture: x86_64

Kernel: Linux 5.18.0-kali5-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cron depends on:
ii  cron-daemon-common   3.0pl1-149
ii  init-system-helpers  1.64+kali2
ii  libc6                2.36-9
ii  libpam-runtime   1.5.2-6
ii  libpam0g 1.5.2-6
ii  libselinux1  3.4-1+b5
ii  lsb-base 11.2
ii  sensible-utils   0.0.17

Versions of packages cron recommends:
ii  exim4-daemon-light [mail-transport-agent]  4.96-14

Versions of packages cron suggests:
pn  anacron
pn  checksecurity  
ii  logrotate  3.20.1-1

Versions of packages cron is related to:
pn  libnss-ldap   
pn  libnss-ldapd  
pn  libpam-ldap   
pn  libpam-mount  
pn  nis   
pn  nscd  

-- no debconf information
From 42309c1fdcc192f356c84221954331b4e64be29e Mon Sep 17 00:00:00 2001
From: Jeffrey Bencteux 
Date: Fri, 1 Dec 2023 12:27:21 +0100
Subject: [PATCH] fix unchecked set*id() return values

In the unlikely event where setuid() (or setgid()) fails, privileges of cron 
would not be dropped and commands would be run as root.
This would lead to privilege escalation. The below patch fixes this by aborting 
execution when such an event occurs.

Signed-off-by: Jeffrey Bencteux 
---
 do_command.c | 18 +++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/do_command.c b/do_command.c
index 4083c32..db5227f 100644
--- a/do_command.c
+++ b/do_command.c
@@ -28,7 +28,7 @@ static char rcsid[] = "$Id: do_command.c,v 2.12 1994/01/15 
20:43:43 vixie Exp $"
 #if defined(SYSLOG)
 # include 
 #endif
-
+#include 
 
 static voidchild_process __P((entry *, user *)),
do_univ __P((user *));
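Review bot: Only one header is added at the top of do_command.c, but the error paths in the next hunk use both errno and strerror(), which need <errno.h> and <string.h>. Please confirm that the one not added here is already pulled in through the existing includes, or add it explicitly so that strerror() is not implicitly declared.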
@@ -206,11 +206,23 @@ child_process(e, u)
/* set our directory, uid and gid.  Set gid first, since once
 * we set uid, we've lost root privledges.
 */
-   setgid(e->gid);
+   if (setgid(e->gid) == -1)
+   {
+   fprintf(stderr,
+   "could not drop privileges, setgid() failed: %s",
+   strerror(errno));
+   _exit(ERROR_EXIT);
+   }
 # if defined(BSD)
initgroups(env_get("LOGNAME", e->envp), e->gid);
 # endif
-   setuid(e->uid); /* we aren't root after this... */
+   if (setuid(e->uid) == -1)   /* we aren't root after 
this... */
+   {
+   fprintf(stderr,
+   "could not drop privileges, setuid() failed: %s",
+   st
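Review bot: initgroups(), sitting between the two new checks, is still called without testing its return value, and only under "# if defined(BSD)"; if it fails, the child keeps the supplementary groups it started with even though setgid() and setuid() succeeded, so it should get the same check followed by _exit(ERROR_EXIT). The two fprintf() format strings also lack a trailing "\n". Finally, the lines changed here are setgid(e->gid) and setuid(e->uid), while the report quotes setgid(e->pwd->pw_gid) and setuid(e->pwd->pw_uid) from the packaged do_command.c, so it is worth checking that the patch applies to the 3.0pl1-149 source.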

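Added example (not part of the original report or of cron's source): the unchecked sequence quoted in the cron report next to a checked privilege drop, with the identity calls routed through a hypothetical id_ops table so that a setuid() failure can be simulated without root. The names id_ops, drop_privileges, unchecked_child and the sim_* stubs, as well as the user "alice" with UID/GID 1000, are assumptions made for this illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE                 /* glibc: declares initgroups() */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Which step failed; DROP_OK is the only value after which a command may run. */
enum drop_status { DROP_OK, DROP_SETGID, DROP_INITGROUPS, DROP_SETUID, DROP_VERIFY };

/* Hypothetical call table: lets the failure paths be exercised without root. */
struct id_ops {
    int   (*set_gid)(gid_t);
    int   (*init_groups)(const char *, gid_t);
    int   (*set_uid)(uid_t);
    uid_t (*get_uid)(void);
    uid_t (*get_euid)(void);
};

/* Production wiring: the real libc calls. */
const struct id_ops real_ops = { setgid, initgroups, setuid, getuid, geteuid };

/* Pattern quoted in the report: return values are ignored, so the command
 * runs under whatever identity the process is left with. Returns that euid. */
static uid_t unchecked_child(const struct id_ops *ops, const char *user,
                             uid_t uid, gid_t gid)
{
    ops->set_gid(gid);
    ops->init_groups(user, gid);
    ops->set_uid(uid);                  /* "we aren't root after this..." is only assumed */
    return ops->get_euid();
}

/* Checked drop: groups first (they cannot be changed once the UID is gone),
 * every return value tested, then the resulting identity verified.
 * On failure errno is left as set by the failing call, for the caller to log. */
static enum drop_status drop_privileges(const struct id_ops *ops, const char *user,
                                        uid_t uid, gid_t gid)
{
    if (ops->set_gid(gid) == -1)
        return DROP_SETGID;
    if (ops->init_groups(user, gid) == -1)
        return DROP_INITGROUPS;
    if (ops->set_uid(uid) == -1)
        return DROP_SETUID;
    if (ops->get_uid() != uid || ops->get_euid() != uid)
        return DROP_VERIFY;
    return DROP_OK;
}

/* ---- Constructed simulation of a root process whose setuid() can fail ---- */
static uid_t sim_uid, sim_euid;
static int   sim_setuid_fails;

static void sim_reset(int setuid_fails)
{
    sim_uid = sim_euid = 0;             /* start as root, like the cron child */
    sim_setuid_fails = setuid_fails;
}
static int sim_setgid(gid_t g) { (void)g; return 0; }
static int sim_initgroups(const char *u, gid_t g) { (void)u; (void)g; return 0; }
static int sim_setuid(uid_t u)
{
    if (sim_setuid_fails) { errno = EAGAIN; return -1; }   /* simulated failure */
    sim_uid = sim_euid = u;
    return 0;
}
static uid_t sim_getuid(void)  { return sim_uid; }
static uid_t sim_geteuid(void) { return sim_euid; }

static const struct id_ops sim_ops = {
    sim_setgid, sim_initgroups, sim_setuid, sim_getuid, sim_geteuid
};

int main(void)
{
    sim_reset(1);
    printf("unchecked: command would run with euid %u\n",
           (unsigned)unchecked_child(&sim_ops, "alice", 1000, 1000));

    sim_reset(1);
    enum drop_status st = drop_privileges(&sim_ops, "alice", 1000, 1000);
    if (st != DROP_OK)
        /* A forked child would _exit() here instead of exec'ing the command. */
        printf("checked: refusing to run command (step %d failed: %s)\n",
               (int)st, strerror(errno));

    sim_reset(0);
    st = drop_privileges(&sim_ops, "alice", 1000, 1000);
    printf("checked, no failure: status %d, euid %u\n",
           (int)st, (unsigned)sim_geteuid());
    return 0;
}
```
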
Bug#1057269: modemmanager: FTBFS dh_missing: warning: lib/systemd/system/ModemManager.service exists in debian/tmp ...

2023-12-02 Thread Chris Hofstaedtler
Source: modemmanager
Version: 1.22.0-1
Severity: serious
Tags: ftbfs
User: helm...@debian.org
Usertags: dep17m2


Dear Maintainer,

modemmanager currently FTBFS in unstable, like this:

...
dh_auto_configure -- -Dgtk_doc=true \
-Ddbus_policy_dir=/usr/share/dbus-1/system.d \
-Dpolkit=permissive \
-Dsystemdsystemunitdir=/lib/systemd/system \
...
Installing /<>/obj-x86_64-linux-gnu/data/ModemManager.service to 
/<>/debian/tmp/lib/systemd/system
...
dh_missing: warning: lib/systemd/system/ModemManager.service exists in 
debian/tmp but is not installed to anywhere
dh_missing: error: missing files, aborting
...
make: *** [debian/rules:17: binary] Error 25
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2


I see you're already preparing a new build hopefully fixing this in
experimental. Hope it works!

Thanks,
Chris



Processed: libimager-perl: FTBFS: t/t10tiff.t failure

2023-12-02 Thread Debian Bug Tracking System
Processing control commands:

> block 1055955 with -1
Bug #1055955 [release.debian.org] transition: perl 5.38
1055955 was blocked by: 1042521 1040396 1042525 1042845 1042844 1050451 1042853
1055955 was not blocking any bugs.
Added blocking bug(s) of 1055955: 1057270

-- 
1055955: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055955
1057270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057270
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1057270: libimager-perl: FTBFS: t/t10tiff.t failure

2023-12-02 Thread Niko Tyni
Source: libimager-perl
Version: 1.020+dfsg-1
Severity: serious
Tags: ftbfs
Control: block 1055955 with -1
X-Debbugs-Cc: t...@packages.debian.org

This package fails to build from source on current sid.

It regressed with tiff_4.5.1+git230720-2 which is currently blocked from
migrating to trixie because libimager-perl autopkgtests are failing too.

Changes:
 tiff (4.5.1+git230720-2) unstable; urgency=high
 .
   * Backport security fix for CVE-2023-6277, passing a crafted tiff file to
 TIFFOpen() API may allow a remote attacker to cause a denial of service
 (closes: #1056751).

I see libimager-perl upstream has released 1.021 with some tiff related
changes. I haven't checked if those fix the issue, or whether libtiff
is actually broken. Feel free to reassign as needed.

I'm marking this as a blocker for the Perl 5.38 transition as we need
to be able to rebuild libimager-perl for that.

From the build log:

  # libtiff release 4.5.1
  
  #   Failed test 'read low-level'
  #   at t/t10tiff.t line 49.
  Use of uninitialized value in subroutine entry at t/t10tiff.t line 53.
  Use of uninitialized value in subroutine entry at t/t10tiff.t line 53.
  im2 is not of type Imager::ImgRaw at t/t10tiff.t line 53.
  # Looks like your test exited with 25 just after 4.
  t/t10tiff.t .. 
  1..247
  ok 1 - use Imager::File::TIFF;
  ok 2 - extract library version
  ok 3 - write low level
  not ok 4 - read low-level
  Dubious, test returned 25 (wstat 6400, 0x1900)
  Failed 244/247 subtests 
  
  Test Summary Report
  ---
  t/t10tiff.t (Wstat: 6400 (exited 25) Tests: 4 Failed: 1)
Failed test:  4
Non-zero exit status: 25
Parse errors: Bad plan.  You planned 247 tests but ran 4.
  Files=1, Tests=4,  0 wallclock secs ( 0.01 usr  0.01 sys +  0.10 cusr  0.02 
csys =  0.14 CPU)
  Result: FAIL

A full build log is at

  
http://perl.debian.net/rebuild-logs/sid/libimager-perl_1.020%2Bdfsg-1/libimager-perl_1.020%2Bdfsg-1_amd64-2023-12-02T11%3A49%3A48Z.build

-- 
Niko Tyni   nt...@debian.org



Bug#1057270: libimager-perl: FTBFS: t/t10tiff.t failure

2023-12-02 Thread gregor herrmann
On Sat, 02 Dec 2023 14:24:01 +0200, Niko Tyni wrote:

> It regressed with tiff_4.5.1+git230720-2 which is currently blocked from
> migrating to trixie because libimager-perl autopkgtests are failing too.
> 
> Changes:
>  tiff (4.5.1+git230720-2) unstable; urgency=high
>  .
>* Backport security fix for CVE-2023-6277, passing a crafted tiff file to
>  TIFFOpen() API may allow a remote attacker to cause a denial of service
>  (closes: #1056751).
> 
> I see libimager-perl upstream has released 1.021 with some tiff related
> changes. I haven't checked if those fix the issue, or whether libtiff
> is actually broken. Feel free to reassign as needed.

I've imported 1.021 into our git repo yesterday, and there it fails
the same way (I hadn't noticed that 1.020 in sid also fails …)

So -- is this a bug in Imager or in tiff?
 
Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   




Bug#1056270: marked as done (RM: gtimer -- RoQA; low popcon; depends on gtk2)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 13:36:22 +
with message-id 
and subject line Bug#1051070: Removed package(s) from unstable
has caused the Debian Bug report #1056270,
regarding RM: gtimer -- RoQA; low popcon; depends on gtk2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1056270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056270
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Source: gtimer
Severity: serious

gtimer does not seem to be used a lot and is unmaintained upstream.

I intend to file a RM bug.
If you have any reasons to keep it in Debian please voice them here.
To get people's attention, I am filing as a serious bug and will reassign to the FTP team when the package is 
autoremoved from testing.
--- End Message ---
--- Begin Message ---
Version: 2.0.0-1.2+rm

Dear submitter,

as the package gtimer has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1051070

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)
--- End Message ---


Bug#1056271: marked as done (RM: gpr -- RoQA; dead upstream; depends on gtk2)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 13:37:58 +
with message-id 
and subject line Bug#1050359: Removed package(s) from unstable
has caused the Debian Bug report #1056271,
regarding RM: gpr -- RoQA; dead upstream; depends on gtk2
to be marked as done.


-- 
1056271: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056271
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Source: gpr
Severity: serious
Version: 0.15deb-2

gpr does not seem to be used a lot and is dead upstream. The Debian 
version is essentially a fork that is also not updated since 2011.


I intend to file a RM bug.
If you have any reasons to keep it in Debian please voice them here.
To get people's attention, I am filing as a serious bug and will 
reassign to the FTP team when the package is autoremoved from testing.
--- End Message ---
--- Begin Message ---
Version: 0.15deb-2+rm

Dear submitter,

as the package gpr has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1050359

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)
--- End Message ---


Bug#1004596: marked as done (kino: FTBFS with ffmpeg 5.0)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 13:38:59 +
with message-id 
and subject line Bug#1051888: Removed package(s) from unstable
has caused the Debian Bug report #1004596,
regarding kino: FTBFS with ffmpeg 5.0
to be marked as done.


-- 
1004596: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004596
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: kino
Version: 1.3.4+dfsg0-1.1
Severity: important
Tags: ftbfs sid bookworm
X-Debbugs-Cc: sramac...@debian.org
Usertags: ffmpeg5.0

kino FTBFS with ffmpeg 5.0 (in experimental):
| g++ -DHAVE_CONFIG_H -I. -I.. -Wall -I/usr/include/lqt  
-I/usr/include/libxml2 -pthread -I/usr/include/libglade-2.0 
-I/usr/include/libxml2 -I/usr/include/gtk-2.0 
-I/usr/lib/x86_64-linux-gnu/gtk-2.0/include -I/usr/include/pango-1.0 
-I/usr/include/atk-1.0 -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/libpng16 
-I/usr/include/x86_64-linux-gnu -I/usr/include/pango-1.0 
-I/usr/include/harfbuzz -I/usr/include/pango-1.0 -I/usr/include/libmount 
-I/usr/include/blkid -I/usr/include/fribidi -I/usr/include/cairo 
-I/usr/include/pixman-1 -I/usr/include/harfbuzz -I/usr/include/glib-2.0 
-I/usr/lib/x86_64-linux-gnu/glib-2.0/include -I/usr/include/uuid 
-I/usr/include/freetype2 -I/usr/include/libpng16 
-I/usr/include/x86_64-linux-gnu -I/usr/include/x86_64-linux-gnu  
-D_FILE_OFFSET_BITS=64 -DKINO_PLUGINDIR=\""/usr/lib/kino-gtk2"\" 
-DDATADIR=\""/usr/share"\" -D_REENTRANT -D__STDC_CONSTANT_MACROS-g -O2 -MT 
frame.o -MD -MP -MF .deps/frame.Tpo -c -o frame.o frame.cc
| frame.cc: In constructor ‘Frame::Frame()’:
| frame.cc:103:9: error: ‘av_register_all’ was not declared in this scope
|   103 | av_register_all();
|   | ^~~
| frame.cc: In member function ‘void Frame::GetUpperField(void*, int)’:
| frame.cc:898:22: warning: ISO C++17 does not allow ‘register’ storage class 
specifier [-Wregister]
|   898 | register int width = GetWidth( ) * bpp;
|   |  ^
| frame.cc:899:22: warning: ISO C++17 does not allow ‘register’ storage class 
specifier [-Wregister]
|   899 | register int height = GetHeight( );
|   |  ^~
| frame.cc:900:28: warning: ISO C++17 does not allow ‘register’ storage class 
specifier [-Wregister]
|   900 | for ( register int i = 0; i < height; i += 2 )
|   |^
| frame.cc: In member function ‘void Frame::GetLowerField(void*, int)’:
| frame.cc:907:22: warning: ISO C++17 does not allow ‘register’ storage class 
specifier [-Wregister]
|   907 | register int width = GetWidth( ) * bpp;
|   |  ^
| frame.cc:908:22: warning: ISO C++17 does not allow ‘register’ storage class 
specifier [-Wregister]
|   908 | register int height = GetHeight( );
|   |  ^~
| frame.cc:909:28: warning: ISO C++17 does not allow ‘register’ storage class 
specifier [-Wregister]
|   909 | for ( register int i = 0; i < height; i += 2 )
|   |^
| frame.cc: In member function ‘void Frame::Deinterlace(uint8_t*, uint8_t*, 
int, int)’:
| frame.cc:932:22: warning: ISO C++17 does not allow ‘register’ storage class 
specifier [-Wregister]
|   932 | register int x, y;
|   |  ^
| frame.cc:932:25: warning: ISO C++17 does not allow ‘register’ storage class 
specifier [-Wregister]
|   932 | register int x, y;
|   | ^
| frame.cc:933:27: warning: ISO C++17 does not allow ‘register’ storage class 
specifier [-Wregister]
|   933 | register uint8_t *l0, *l1, *l2, *l3;
|   |   ^~
| frame.cc:933:32: warning: ISO C++17 does not allow ‘register’ storage class 
specifier [-Wregister]
|   933 | register uint8_t *l0, *l1, *l2, *l3;
|   |^~
| frame.cc:933:37: warning: ISO C++17 does not allow ‘register’ storage class 
specifier [-Wregister]
|   933 | register uint8_t *l0, *l1, *l2, *l3;
|   | ^~
| frame.cc:933:42: warning: ISO C++17 does not allow ‘register’ storage class 
specifier [-Wregister]
|   933 | register uint8_t *l0, *l1, *l2, *l3;
|   |  ^~
| frame.cc: In member function ‘int Frame::ExtractRGB(void*)’:
| frame.cc:1063:9: error: ‘AVPicture’ was not declared in this scope; did you 
mean ‘AVPictureType’?
|  1063 | AVPicture dest;
|   | ^
|   | AVPictureTyp

Bug#1041799: marked as done (lv2-c++-tools: depends on unmaintained gtkmm2.4, and indirectly on GTK 2)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 13:39:34 +
with message-id 
and subject line Bug#1052169: Removed package(s) from unstable
has caused the Debian Bug report #1041799,
regarding lv2-c++-tools: depends on unmaintained gtkmm2.4, and indirectly on 
GTK 2
to be marked as done.


-- 
1041799: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041799
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: lv2-c++-tools
Version: 1.0.5-4
Severity: normal
Tags: trixie sid
User: pkg-gnome-maintain...@lists.alioth.debian.org
Usertags: gtk2 oldlibs
Control: block 947713 by -1
Control: block 967497 by -1

This package depends on packages from src:gtkmm2.4, a C++
binding for GTK 2. GTK 2 was superseded by GTK 3 in 2011 (see
). It has been discontinued by its
upstream developer and no longer receives any upstream maintenance at all.

The direct replacement for gtkmm2.4 is gtkmm3.0, a C++ API for GTK 3.
Please see  for
information about porting from gtkmm2.4 to gtkmm3.0, and
 for general information
about porting from GTK 2 to GTK 3.

Thanks,
smcv
--- End Message ---
--- Begin Message ---
Version: 1.0.5-4+rm

Dear submitter,

as the package lv2-c++-tools has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1052169

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)
--- End Message ---


Processed: block 1055955 with 1054793

2023-12-02 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> block 1055955 with 1054793
Bug #1055955 [release.debian.org] transition: perl 5.38
1055955 was blocked by: 1042521 1042525 1042845 1050451 1042853 1057270 1040396 
1042844
1055955 was not blocking any bugs.
Added blocking bug(s) of 1055955: 1054793
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1055955: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055955
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#853750: marked as done (hdfview: HDF5 files appear empty)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 13:50:42 +
with message-id 
and subject line Bug#1053595: Removed package(s) from unstable
has caused the Debian Bug report #853750,
regarding hdfview: HDF5 files appear empty
to be marked as done.


-- 
853750: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853750
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: hdfview
Version: 2.11.0+dfsg-2+b1
Severity: important

The current version of hdfview does not show the content of any of my
HDF5 files.

Downgrading to the 2.9-3+b2 version of libjhdf{4,5}-{java, jni}, which
also installs libhdf5-8 version 1.8.13+docs-15, seems to fix the issue
for me, even if hdfview is kept at the 2.11 version. This seems to
suggest that the problem lies in libjhdf rather than in hdfview itself,
and/or in the API of libhdf5 used by jhdf.

FWIW, a similar bug seems to affect also jhdf 2.9-5 as found in Ubuntu,
which is using libhdf5-10 (1.8.16), which would further support the idea
of a breaking API change between version 1.8.13 and 1.8.16 of libhdf5.


-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages hdfview depends on:
ii  default-jre 2:1.8-58
ii  java-wrappers   0.1.28
ii  libjgraph-java  5.12.4.2+dfsg-5
ii  libjhdf4-java   2.11.0+dfsg-2+b1
ii  libjhdf5-java   2.11.0+dfsg-2+b1
ii  libslf4j-java   1.7.22-1

hdfview recommends no packages.

Versions of packages hdfview suggests:
ii  chromium [www-browser]  55.0.2883.75-6
ii  dillo [www-browser] 3.0.5-3
ii  elinks [www-browser]0.12~pre6-12
ii  firefox [www-browser]   51.0-1
ii  iceape [www-browser]2.7.12-1+b1
ii  konqueror [www-browser] 4:16.08.3-1
ii  links2 [www-browser]2.14-2
ii  lynx [www-browser]  2.8.9dev11-1
ii  netsurf-fb [www-browser]3.6-3
ii  opera [www-browser] 12.16.1860
ii  surf [www-browser]  0.7-2
ii  vivaldi-snapshot [www-browser]  1.7.735.11-1
ii  w3m [www-browser]   0.5.3-34

-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 2.11.0+dfsg-5+rm

Dear submitter,

as the package jhdf has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1053595

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)
--- End Message ---


Processed: block 1055955 with 1054776

2023-12-02 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> block 1055955 with 1054776
Bug #1055955 [release.debian.org] transition: perl 5.38
1055955 was blocked by: 1042521 1040396 1054793 1042844 1057270 1042853 1042845 
1050451 1042525
1055955 was not blocking any bugs.
Added blocking bug(s) of 1055955: 1054776
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1055955: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055955
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1053769: marked as done (nghttp2: CVE-2023-44487)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 15:32:26 +
with message-id 
and subject line Bug#1053769: fixed in nghttp2 1.52.0-1+deb12u1
has caused the Debian Bug report #1053769,
regarding nghttp2: CVE-2023-44487
to be marked as done.


-- 
1053769: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053769
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nghttp2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for nghttp2.

CVE-2023-44487[0]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg
https://github.com/nghttp2/nghttp2/pull/1961
https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44487
https://www.cve.org/CVERecord?id=CVE-2023-44487

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: nghttp2
Source-Version: 1.52.0-1+deb12u1
Done: Moritz Mühlenhoff 

We believe that the bug you reported is fixed in the latest version of
nghttp2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff  (supplier of updated nghttp2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Fri, 24 Nov 2023 15:57:26 +0100
Source: nghttp2
Architecture: source
Version: 1.52.0-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Tomasz Buchert
Changed-By: Moritz Mühlenhoff
Closes: 1053769
Changes:
 nghttp2 (1.52.0-1+deb12u1) bookworm-security; urgency=medium
 .
   * CVE-2023-44487 (Closes: #1053769)
--- End Message ---


Bug#1054163: marked as done (fastdds: CVE-2023-42459)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 15:32:18 +
with message-id 
and subject line Bug#1054163: fixed in fastdds 2.9.1+ds-1+deb12u2
has caused the Debian Bug report #1054163,
regarding fastdds: CVE-2023-42459
to be marked as done.


-- 
1054163: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: fastdds
Version: 2.11.2+ds-5
Severity: important
Tags: security upstream
Forwarded: https://github.com/eProsima/Fast-DDS/issues/3207
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for fastdds.

CVE-2023-42459[0]:
| Fast DDS is a C++ implementation of the DDS (Data Distribution
| Service) standard of the OMG (Object Management Group). In affected
| versions specific DATA submessages can be sent to a discovery
| locator which may trigger a free error. This can remotely crash any
| Fast-DDS process. The call to free() could potentially leave the
| pointer in the attackers control which could lead to a double free.
| This issue has been addressed in versions 2.12.0, 2.11.3, 2.10.3,
| and 2.6.7. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-42459
https://www.cve.org/CVERecord?id=CVE-2023-42459
[1] https://github.com/eProsima/Fast-DDS/issues/3207
[2] https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-gq8g-fj58-22gm

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: fastdds
Source-Version: 2.9.1+ds-1+deb12u2
Done: Timo Röhling 

We believe that the bug you reported is fixed in the latest version of
fastdds, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Röhling  (supplier of updated fastdds package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 24 Oct 2023 23:01:43 +0200
Source: fastdds
Architecture: source
Version: 2.9.1+ds-1+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Robotics Team 
Changed-By: Timo Röhling 
Closes: 1054163
Changes:
 fastdds (2.9.1+ds-1+deb12u2) bookworm-security; urgency=medium
 .
   * Backport security fix
 - CVE-2023-42459 Bad-free when receiving malformed DATA submessage
 (Closes: #1054163)


Bug#1056723: marked as done (rabbitmq-server: CVE-2023-46118)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 15:32:34 +
with message-id 
and subject line Bug#1056723: fixed in rabbitmq-server 3.10.8-1.1+deb12u1
has caused the Debian Bug report #1056723,
regarding rabbitmq-server: CVE-2023-46118
to be marked as done.


-- 
1056723: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056723
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: rabbitmq-server
Version: 3.10.8-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/rabbitmq/rabbitmq-server/pull/9708
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for rabbitmq-server.

CVE-2023-46118[0]:
| RabbitMQ is a multi-protocol messaging and streaming broker. HTTP
| API did not enforce an HTTP request body limit, making it vulnerable
| for denial of service (DoS) attacks with very large messages. An
| authenticated user with sufficient credentials can publish a very
| large messages over the HTTP API and cause target node to be
| terminated by an "out-of-memory killer"-like mechanism. This
| vulnerability has been patched in versions 3.11.24 and 3.12.7.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46118
https://www.cve.org/CVERecord?id=CVE-2023-46118
[1] 
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gqpg
[2] https://github.com/rabbitmq/rabbitmq-server/pull/9708

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: rabbitmq-server
Source-Version: 3.10.8-1.1+deb12u1
Done: Thomas Goirand 

We believe that the bug you reported is fixed in the latest version of
rabbitmq-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1056...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand  (supplier of updated rabbitmq-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 27 Nov 2023 08:25:34 +0100
Source: rabbitmq-server
Architecture: source
Version: 3.10.8-1.1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian OpenStack 
Changed-By: Thomas Goirand 
Closes: 1056723
Changes:
 rabbitmq-server (3.10.8-1.1+deb12u1) bookworm-security; urgency=high
 .
   * CVE-2023-46118: Denial of Service by publishing large messages over the
 HTTP API. Applied upstream patches that introduce a limit of 10MB:
 - Reduce_default_HTTP_API_request_body_size_limit_to_10_MiB.patch
 - Introduce_HTTP_request_body_limit_for_definition_uploads.patch
 (Closes: #1056723).

Bug#1054429: marked as done (fastdds: CVE-2023-42459)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 15:32:18 +
with message-id 
and subject line Bug#1054163: fixed in fastdds 2.9.1+ds-1+deb12u2
has caused the Debian Bug report #1054163,
regarding fastdds: CVE-2023-42459
to be marked as done.


-- 
1054163: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: fastdds
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for fastdds.

CVE-2023-42459[0]:
| Fast DDS is a C++ implementation of the DDS (Data Distribution
| Service) standard of the OMG (Object Management Group). In affected
| versions specific DATA submessages can be sent to a discovery
| locator which may trigger a free error. This can remotely crash any
| Fast-DDS process. The call to free() could potentially leave the
| pointer in the attackers control which could lead to a double free.
| This issue has been addressed in versions 2.12.0, 2.11.3, 2.10.3,
| and 2.6.7. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-gq8g-fj58-22gm
https://github.com/eProsima/Fast-DDS/issues/3207
https://github.com/eProsima/Fast-DDS/pull/3824
https://github.com/eProsima/Fast-DDS/commit/1e978c6f3d0ca1df6b323b37fd4902b0762ececb


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-42459
https://www.cve.org/CVERecord?id=CVE-2023-42459

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: fastdds
Source-Version: 2.9.1+ds-1+deb12u2
Done: Timo Röhling 

We believe that the bug you reported is fixed in the latest version of
fastdds, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Röhling  (supplier of updated fastdds package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 24 Oct 2023 23:01:43 +0200
Source: fastdds
Architecture: source
Version: 2.9.1+ds-1+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Robotics Team 
Changed-By: Timo Röhling 
Closes: 1054163
Changes:
 fastdds (2.9.1+ds-1+deb12u2) bookworm-security; urgency=medium
 .
   * Backport security fix
 - CVE-2023-42459 Bad-free when receiving malformed DATA submessage
 (Closes: #1054163)


Bug#1057190: libhackrf0: udev rules file lost in upgrade

2023-12-02 Thread Maitland Bottoms
Helmut Grohne  writes:

> Then when you retry it, please go for experimental first. Then have
> Chris or me check your upload is ok and only then proceed with uploading
> to unstable.

hackrf_2023.01.1-6 now in experimental is the retry with upstream
updates and the udev rules handling.

Thanks for your attention on this, indeed my lack of attention before
making uploads is the problem. I am happier with -6 though.

-Maitland



Bug#1057122: marked as done (initscripts has an undeclared file conflict on /usr/lib/udev/hwclock-set)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 2 Dec 2023 16:23:28 +
with message-id 
and subject line Re: Bug#1057122: initscripts has an undeclared file conflict 
on /usr/lib/udev/hwclock-set
has caused the Debian Bug report #1057122,
regarding initscripts has an undeclared file conflict on 
/usr/lib/udev/hwclock-set
to be marked as done.


-- 
1057122: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057122
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: initscripts
Version: 3.08-3~bpo12+1
Severity: serious
User: debian...@lists.debian.org
Usertags: fileconflict
Control: affects -1 + util-linux
Tags: bookworm

initscripts has an undeclared file conflict. This may result in an
unpack error from dpkg.

The file /usr/lib/udev/hwclock-set is contained in the packages
 * initscripts/3.08-3~bpo12+1 as present in bookworm-backports
 * util-linux/2.36.1-8+deb11u1 as present in bullseye|bullseye-security

These packages can be unpacked concurrently, because there is no
relevant Replaces or Conflicts relation. Attempting to unpack these
packages concurrently results in an unpack error from dpkg, because none
of the packages installs a diversion for the affected file.

Kind regards

The Debian Usr Merge Analysis Tool

This bug report has been automatically filed with no human intervention.
The source code is available at https://salsa.debian.org/helmutg/dumat.
If the filing is unclear or in error, don't hesitate to contact
hel...@subdivi.de for assistance.
--- End Message ---
--- Begin Message ---
Version: 3.08-3~bpo12+2

Closing manually as not closed by upload.

Mark
--- End Message ---


Bug#999955: marked as done (sqlite3-pcre: depends on obsolete pcre3 library)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 17:15:59 +
with message-id 
and subject line Bug#1054509: Removed package(s) from unstable
has caused the Debian Bug report #999955,
regarding sqlite3-pcre: depends on obsolete pcre3 library
to be marked as done.


-- 
999955: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999955
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: sqlite3-pcre
Severity: important
User: matthew-pcre...@debian.org
Usertags: obsolete-pcre3

Dear maintainer,

Your package still depends on the old, obsolete PCRE3[0] libraries
(i.e. libpcre3-dev). This has been end of life for a while now, and
upstream do not intend to fix any further bugs in it. Accordingly, I
would like to remove the pcre3 libraries from Debian, preferably in
time for the release of Bookworm.

The newer PCRE2 library was first released in 2015, and has been in
Debian since stretch. Upstream's documentation for PCRE2 is available
here: https://pcre.org/current/doc/html/

Many large projects that use PCRE have made the switch now (e.g. git,
php); it does involve some work, but we are now at the stage where
PCRE3 should not be used, particularly if it might ever be exposed to
untrusted input.

This mass bug filing was discussed on debian-devel@ in
https://lists.debian.org/debian-devel/2021/11/msg00176.html

Regards,

Matthew

[0] Historical reasons mean that old PCRE is packaged as pcre3 in Debian
--- End Message ---
--- Begin Message ---
Version: 0~git20070120091816+4229ecc-2+rm

Dear submitter,

as the package sqlite3-pcre has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1054509

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)
--- End Message ---


Bug#1057270: libimager-perl: FTBFS: t/t10tiff.t failure

2023-12-02 Thread Niko Tyni
(re-adding Cc: tiff@pdo)

On Sat, Dec 02, 2023 at 01:40:51PM +0100, gregor herrmann wrote:
> On Sat, 02 Dec 2023 14:24:01 +0200, Niko Tyni wrote:
> 
> > It regressed with tiff_4.5.1+git230720-2 which is currently blocked from
> > migrating to trixie because libimager-perl autopkgtests are failing too.
> > 
> > Changes:
> >  tiff (4.5.1+git230720-2) unstable; urgency=high
> >  .
> >* Backport security fix for CVE-2023-6277, passing a crafted tiff file to
> >  TIFFOpen() API may allow a remote attacker to cause a denial of service
> >  (closes: #1056751).
> > 
> > I see libimager-perl upstream has released 1.021 with some tiff related
> > changes. I haven't checked if those fix the issue, or whether libtiff
> > is actually broken. Feel free to reassign as needed.
> 
> I've imported 1.021 into our git repo yesterday, and there it fails
> the same way (I hadn't noticed that 1.020 in sid also fails …)
> 
> So -- is this a bug in Imager or in tiff?

Can't quite say, but sharing what I found:

The test creates TIFF/testout/t106.tiff with
Imager::File::TIFF::i_writetiff_wiol() and then tries to read it back with

  open(FH,"testout/t106.tiff") or die "cannot open testout/t106.tiff\n";
  binmode(FH);
  $IO = Imager::io_new_fd(fileno(FH));
  my $cmpimg = Imager::File::TIFF::i_readtiff_wiol($IO);

Adding an Imager->_error_as_msg() call after that gives

  Error opening file: Failed to read directory at offset 37014 at TIFF/t/t10tiff.t line 49.

Also there's t106tiff.log with plenty of diagnostics including

  [2023/12/02 16:29:42]   imtiff.c:237 1: tiff warning Requested memory size for TIFF directory of 168 is greather than filesize 0. Memory not allocated, TIFF directory not read

which matches the CVE-2023-6277 changes in libtiff, see

  https://sources.debian.org/src/tiff/4.5.1%2Bgit230720-2/debian/patches/CVE-2023-6277.patch/

It can be reproduced like this with the libimager-perl binaries
currently in sid and every tiff file I tried with, for example
test/images/palette-1c-8b.tiff in src:tiff.

  https://sources.debian.org/src/tiff/4.5.1%2Bgit230720-2/test/images/palette-1c-8b.tiff/

  $ perl -MImager::File::TIFF -E '$i = Imager::io_new_fd(*STDIN); Imager::init_log(); Imager::File::TIFF::i_readtiff_wiol($i) or die Imager->_error_as_msg' < tiff/test/images/palette-1c-8b.tiff
  [2023/12/02 17:16:03]  log.c:56  0: Imager - log started (level = 1)
  [2023/12/02 17:16:03]  Imager.xs:267 1: Imager 1.020 starting
  [2023/12/02 17:16:03]   imtiff.c:700 1: i_readtiff_wiol(ig 0x55a6ece33890, allow_incomplete 0, page 0)
  [2023/12/02 17:16:03]   io.c:242 1: mymalloc(size 8192) -> 0x55a6ed426e70
  [2023/12/02 17:16:03]   imtiff.c:237 1: tiff warning Requested memory size for TIFF directory of 180 is greather than filesize 0. Memory not allocated, TIFF directory not read
  [2023/12/02 17:16:03]   io.c:266 1: myrealloc(block (nil), size 124)
  [2023/12/02 17:16:03]   imtiff.c:201 1: tiff error fmt Failed to read directory at offset %lu
  [2023/12/02 17:16:03]   io.c:242 1: mymalloc(size 41) -> 0x55a6ece1d480
  [2023/12/02 17:16:03]   imtiff.c:715 1: i_readtiff_wiol: Unable to open tif file
  [2023/12/02 17:16:03]   io.c:242 1: mymalloc(size 19) -> 0x55a6ed36be90
  [2023/12/02 17:16:03]   io.c:253 1: myfree(p 0x55a6ed42e250)
  Error opening file: Failed to read directory at offset 23716 at -e line 1.
  [2023/12/02 17:16:03]  iolayer.c:424 1: io_glue_DESTROY(ig 0x55a6ece33890)
 
I note it says "filesize 0". The patch determines the file size with

  uint64_t filesize = TIFFGetFileSize(tif);

and TIFFGetFileSize() is in src:tiff libtiff/tiffiop.h as follows:

  #define TIFFGetFileSize(tif) ((*(tif)->tif_sizeproc)((tif)->tif_clientdata))

which is where I called it a day :)

So I suppose the way Imager reads the file here does not initialize the
data structure in a way that the patched libtiff expects?
-- 
Niko



Processed: owner 1057166

2023-12-02 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> owner 1057166 !
Bug #1057166 [src:pgpainless] pgpainless: FTBFS with bouncycastle 1.77
Owner recorded as Jérôme Charaoui .
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1057166: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057166
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1034188: marked as done (dmraid's last Debian stable release is bookworm)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 18:05:41 +
with message-id 
and subject line Bug#1056944: Removed package(s) from unstable
has caused the Debian Bug report #1034188,
regarding dmraid's last Debian stable release is bookworm
to be marked as done.


-- 
1034188: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034188
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Source: dmraid
Severity: serious
Tags: sid trixie bookworm bookworm-ignore

Hi,

As discussed in bug 864423 and soon to be documented in the 
release-notes, dmraid is not to be shipped in Debian stable after the 
release of bookworm. This bug should ensure that dmraid will not be in 
trixie.


Paul


--- End Message ---
--- Begin Message ---
Version: 1.0.0.rc16-12+rm

Dear submitter,

as the package dmraid has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1056944

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)
--- End Message ---


Processed: Re: Bug#1057270: libimager-perl: FTBFS: t/t10tiff.t failure

2023-12-02 Thread Debian Bug Tracking System
Processing control commands:

> forwarded -1 https://github.com/tonycoz/imager/issues/522
Bug #1057270 [src:libimager-perl] libimager-perl: FTBFS: t/t10tiff.t failure
Set Bug forwarded-to-address to 'https://github.com/tonycoz/imager/issues/522'.

-- 
1057270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057270
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1057270: libimager-perl: FTBFS: t/t10tiff.t failure

2023-12-02 Thread Niko Tyni
Control: forwarded -1 https://github.com/tonycoz/imager/issues/522

On Sat, Dec 02, 2023 at 07:24:39PM +0200, Niko Tyni wrote:
> On Sat, Dec 02, 2023 at 01:40:51PM +0100, gregor herrmann wrote:
> > On Sat, 02 Dec 2023 14:24:01 +0200, Niko Tyni wrote:

> It can be reproduced like this with the libimager-perl binaries
> currently in sid and every tiff file I tried with, for example
> test/images/palette-1c-8b.tiff in src:tiff.

Further simplifying, this fails in the exact same way:

  $ perl -MImager -e '$i=Imager->new; Imager::init_log(); $i->read(file => shift) or die $i->_error_as_msg()' tiff/test/images/palette-1c-8b.tiff

> I note it says "filesize 0". The patch determines the file size with
> 
>   uint64_t filesize = TIFFGetFileSize(tif);
> 
> and TIFFGetFileSize() is in src:tiff libtiff/tiffiop.h as follows:
> 
>   #define TIFFGetFileSize(tif) ((*(tif)->tif_sizeproc)((tif)->tif_clientdata))
 
From http://www.simplesystems.org/libtiff/functions/TIFFOpen.html

  TIFFClientOpen() is like TIFFOpen() except that the caller supplies a
  collection of functions that the library will use to do UNIX-like I/O
  operations. The readproc and writeproc functions are called to read and
  write data at the current file position. seekproc is called to change
  the current file position à la lseek() (2). closeproc is invoked to
  release any resources associated with an open file. sizeproc is invoked
  to obtain the size in bytes of a file. mapproc and unmapproc are called
  to map and unmap a file's contents in memory; c.f. mmap() (2) and
  munmap() (2). The clientdata parameter is an opaque "handle" passed to
  the client-specified routines passed as parameters to TIFFClientOpen().

From https://sources.debian.org/src/libimager-perl/1.020%2Bdfsg-1/TIFF/imtiff.c/#L302

  static toff_t sizeproc(thandle_t x) {
    return 0;
  }

which is used as the TIFFClientOpen() argument in i_readtiff_wiol():

  https://sources.debian.org/src/libimager-perl/1.020%2Bdfsg-1/TIFF/imtiff.c/#L710

So it looks like libimager-perl is always saying the file size is 0,
and this hasn't hurt earlier but now does with the src:tiff CVE-2023-6277
patch.

Not sure where this leaves us, but I've just reported it at

  https://github.com/tonycoz/imager/issues/522

-- 
Niko
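
A simplified model of the interaction described in the message above, added here as an example (it is not libtiff's or Imager's code): a reader asks the client's size callback for the file size before allocating a directory, so a callback that always returns 0 makes every directory look oversized. The struct, the function names and the 40000-byte buffer are assumptions; the values 168 and 37014 are taken from the log quoted in the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical in-memory handle standing in for the opaque "clientdata". */
struct mem_io {
    const unsigned char *data;
    uint64_t len;   /* real size of the underlying data */
    uint64_t pos;   /* current read position */
};

typedef uint64_t (*size_cb)(void *handle);

/* Seek callback in the lseek() style, the kind of primitive a client has. */
static uint64_t mem_seek(void *handle, int64_t off, int whence) {
    struct mem_io *io = handle;
    int64_t base = 0;
    if (whence == SEEK_CUR) base = (int64_t)io->pos;
    else if (whence == SEEK_END) base = (int64_t)io->len;
    int64_t target = base + off;
    io->pos = target < 0 ? 0 : (uint64_t)target;
    return io->pos;
}

/* Size callback in the style quoted in the thread: always reports 0. */
static uint64_t sizeproc_stub(void *handle) {
    (void)handle;
    return 0;
}

/* Size callback built from the seek primitive: remember the position,
 * seek to the end to learn the size, then restore the position. */
static uint64_t sizeproc_seek(void *handle) {
    struct mem_io *io = handle;
    uint64_t saved = io->pos;
    uint64_t size = mem_seek(handle, 0, SEEK_END);
    mem_seek(handle, (int64_t)saved, SEEK_SET);
    return size;
}

/* Allocation guard modelled on the warning in the log: refuse a directory
 * whose requested size exceeds the size the client reports for the file.
 * Returns 0 if the directory may be read, -1 if it is rejected. */
static int check_dir_alloc(size_cb sizeproc, void *handle, uint64_t requested) {
    uint64_t filesize = sizeproc(handle);
    if (requested > filesize) {
        fprintf(stderr,
                "requested %llu bytes > reported file size %llu: directory not read\n",
                (unsigned long long)requested, (unsigned long long)filesize);
        return -1;
    }
    return 0;
}

/* Constructed sample "file": 40000 zero bytes. */
static unsigned char sample_file[40000];

/* Position at the directory offset and run the guard. Returns 0 when the
 * directory would be read, -1 when the guard rejects it, -2 if the size
 * query disturbed the read position. */
static int read_directory(size_cb sizeproc, uint64_t dir_offset, uint64_t dir_bytes) {
    struct mem_io io = { sample_file, sizeof sample_file, 0 };
    mem_seek(&io, (int64_t)dir_offset, SEEK_SET);
    if (check_dir_alloc(sizeproc, &io, dir_bytes) != 0)
        return -1;
    return io.pos == dir_offset ? 0 : -2;
}

int main(void) {
    printf("stub sizeproc:       %d\n", read_directory(sizeproc_stub, 37014, 168));
    printf("seek-based sizeproc: %d\n", read_directory(sizeproc_seek, 37014, 168));
    printf("oversized directory: %d\n", read_directory(sizeproc_seek, 37014, 50000));
    return 0;
}
```

With the stub, a valid 168-byte directory is rejected exactly as in the log; with a callback that reports the real size, the guard only rejects requests larger than the file.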



Bug#1057265: cron: Uncheck return values of set*id() family functions

2023-12-02 Thread Christian Kastner
Hi Jeffrey,

On 2023-12-02 11:39, Jeffrey Bencteux wrote:
> Hi,
> 
> Both setuid() and setgid() return values are not checked in cron's code used 
> to execute user-provided commands:

This issue was reported as CVE-2006-2607 and fixed a long time ago.

Here's the relevant patch:

https://sources.debian.org/src/cron/3.0pl1-162/debian/patches/fixes/Check-privilege-drop-results-CVE-2006-2607.patch/

Are you perhaps looking at the unpatched source?

Best,
Christian
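
The pattern this thread is about, as an added example (it is not cron's code and not the Debian patch linked above): the same privilege drop with return values ignored and with every step checked, so the job is never started under the old identity. The `id_ops` indirection, the fake callbacks, the user name and the numeric ids are assumptions made so the failure path can be exercised without root; real code would call setgid(), initgroups() and setuid() directly.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical indirection over setgid(2), initgroups(3) and setuid(2). */
struct id_ops {
    int (*set_gid)(gid_t gid);
    int (*init_groups)(const char *user, gid_t gid);
    int (*set_uid)(uid_t uid);
};

static int jobs_run; /* counts executions of the constructed job body */

static int sample_job(void) {
    jobs_run++;
    return 0;
}

/* Before: return values ignored. If set_uid fails, the job still runs,
 * with whatever identity the process had before the call. */
static int run_job_unchecked(const struct id_ops *ops, const char *user,
                             uid_t uid, gid_t gid, int (*job)(void)) {
    ops->set_gid(gid);
    ops->init_groups(user, gid);
    ops->set_uid(uid);
    return job();
}

/* After: groups first, uid last, each step checked. Any failure aborts
 * before the job is started. */
static int run_job_checked(const struct id_ops *ops, const char *user,
                           uid_t uid, gid_t gid, int (*job)(void)) {
    if (ops->set_gid(gid) != 0) {
        fprintf(stderr, "setgid failed: %s\n", strerror(errno));
        return -1;
    }
    if (ops->init_groups(user, gid) != 0) {
        fprintf(stderr, "initgroups failed: %s\n", strerror(errno));
        return -1;
    }
    if (ops->set_uid(uid) != 0) {
        fprintf(stderr, "setuid failed: %s\n", strerror(errno));
        return -1;
    }
    return job();
}

/* Constructed fakes: every call succeeds, except fail_uid. */
static int ok_gid(gid_t g) { (void)g; return 0; }
static int ok_groups(const char *u, gid_t g) { (void)u; (void)g; return 0; }
static int ok_uid(uid_t u) { (void)u; return 0; }
static int fail_uid(uid_t u) { (void)u; errno = EAGAIN; return -1; }

/* How many times does the job run when the uid change fails? */
static int jobs_after_failed_setuid(int checked) {
    struct id_ops ops = { ok_gid, ok_groups, fail_uid };
    jobs_run = 0;
    if (checked)
        run_job_checked(&ops, "alice", 1000, 1000, sample_job);
    else
        run_job_unchecked(&ops, "alice", 1000, 1000, sample_job);
    return jobs_run;
}

/* How many times does the job run when every step succeeds? */
static int jobs_after_successful_drop(void) {
    struct id_ops ops = { ok_gid, ok_groups, ok_uid };
    jobs_run = 0;
    run_job_checked(&ops, "alice", 1000, 1000, sample_job);
    return jobs_run;
}

int main(void) {
    printf("unchecked, setuid fails: job ran %d time(s)\n", jobs_after_failed_setuid(0));
    printf("checked, setuid fails:   job ran %d time(s)\n", jobs_after_failed_setuid(1));
    printf("checked, drop succeeds:  job ran %d time(s)\n", jobs_after_successful_drop());
    return 0;
}
```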



Processed: severity of 1051877 is serious

2023-12-02 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 1051877 serious
Bug #1051877 [src:rust-libgit2-sys] rust-libgit2-sys: please prepare for 
libgit2 transition
Severity set to 'serious' from 'normal'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1051877: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051877
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1033822: marked as done (oscrypto: autopkgtest regression: certificate expired 2023-01-01 00:00:00Z)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 19:47:15 +
with message-id 
and subject line Bug#1033822: fixed in oscrypto 1.3.0-1+deb12u1
has caused the Debian Bug report #1033822,
regarding oscrypto: autopkgtest regression: certificate expired 2023-01-01 
00:00:00Z
to be marked as done.


-- 
1033822: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033822
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Source: oscrypto
Version: 1.3.0-1
Severity: serious
Control: tags -1 bookworm-ignore
User: debian...@lists.debian.org
Usertags: regression

Dear maintainer(s),

Your package has an autopkgtest, great. However, it started to fail on 
2023-01-01. Can you please investigate the situation and fix it? I 
copied some of the output at the bottom of this report.


The release team has announced [1] that failing autopkgtest on amd64 and 
arm64 are considered RC in testing. [Release Team member hat on] Because 
we're currently in the hard freeze for bookworm, I have marked this bug 
as bookworm-ignore. Targeted fixes are still welcome.


More information about this bug and the reason for filing it can be 
found on 
https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation


Paul

[1] https://lists.debian.org/debian-devel-announce/2019/07/msg2.html

https://ci.debian.net/data/autopkgtest/testing/amd64/o/oscrypto/32095523/log.gz

==
ERROR: test_tls_connect_dh1024 (tests.test_tls.TLSTests.test_tls_connect_dh1024)
--
Traceback (most recent call last):
  File "/tmp/autopkgtest-lxc.a4kfr24h/downtmp/autopkgtest_tmp/tests/unittest_data.py", line 51, in generated_test_function
    original_function(self, *params)
  File "/tmp/autopkgtest-lxc.a4kfr24h/downtmp/autopkgtest_tmp/tests/test_tls.py", line 75, in wrapped
    f(*args)
  File "/tmp/autopkgtest-lxc.a4kfr24h/downtmp/autopkgtest_tmp/tests/test_tls.py", line 102, in tls_connect
    connection = tls.TLSSocket(hostname, port, session=session)
                 ^^
  File "/usr/lib/python3/dist-packages/oscrypto/_openssl/tls.py", line 456, in __init__
    self._handshake()
  File "/usr/lib/python3/dist-packages/oscrypto/_openssl/tls.py", line 674, in _handshake
    raise_expired_not_yet_valid(cert)
  File "/usr/lib/python3/dist-packages/oscrypto/_tls.py", line 509, in raise_expired_not_yet_valid
    raise TLSVerificationError(message, certificate)
oscrypto.errors.TLSVerificationError: Server certificate verification failed - certificate expired 2023-01-01 00:00:00Z


OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
Source: oscrypto
Source-Version: 1.3.0-1+deb12u1
Done: Santiago Vila 

We believe that the bug you reported is fixed in the latest version of
oscrypto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila  (supplier of updated oscrypto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 01 Dec 2023 22:38:00 +0100
Source: oscrypto
Architecture: source
Version: 1.3.0-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Python Team 
Changed-By: Santiago Vila 
Closes: 1033822 1055598
Changes:
 oscrypto (1.3.0-1+deb12u1) bookworm; urgency=medium
 .
   * Team upload.
   [ Jochen Sprickerhof ]
   * Fix autopkgtest by switching to autopkgtest-pkg-pybuild. Closes: #1033822.
   [ Bastian Germann ]
   * Fix OpenSSL version parsing, take 1.
   [ Arnaud Rebillout ]
   * Fix OpenSSL version parsing, take 2. Closes: #1055598.

Bug#1053483: marked as done (tlsa can produce invalid records)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 19:47:11 +
with message-id 
and subject line Bug#1053483: fixed in hash-slinger 3.1-1.1+deb12u1
has caused the Debian Bug report #1053483,
regarding tlsa can produce invalid records
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1053483: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053483
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: hash-slinger
X-Debbugs-Cc: lavam...@torproject.org
Version: 3.1-1.1~bpo11+1
Severity: grave

On Debian bullseye, running the following command here generates an
invalid DNS record:

pauli# ./tlsa --create --usage=3 --selector=1 --mtype=1 --certificate 
/srv/puppet.torproject.org/from-letsencrypt/cdn-fastly-backend.torproject.org.crt
 --port 443 cdn-fastly-backend.torproject.org --output=generic
Got a certificate for cdn-fastly-backend.torproject.org. with Subject:
/CN=cdn-fastly-backend.torproject.org
_443._tcp.cdn-fastly-backend.torproject.org. IN TYPE52 \# 35.0 
030101e86cb4aa5bec41b44c5e78c0b3b05992ab276d540376aca18eb494d8e229cd4c

Notice the float (35.0) there? That, of course, crashes bind with:

Notice: /Stage[main]/Dnsextras::Entries/Exec[rebuild torproject.org
zone]/returns: dns_rdata_fromtext:
/srv/dns.torproject.org/puppet-extra/include-torproject.org:945: near
'35.0': not a valid number

I suspect this wasn't caught by other users because it happens when the
len() of the cert string is an odd number, which, oddly, I guess it is
here.

I believe this is a release critical bug that should be fixed in
bookworm because it keeps the server from functioning at all. 

For a little background, we used hash-slinger as a replacement for
"swede" here (not packaged) that wasn't ported to Python 3. It *almost*
worked but crashed on some records with the above error, taking down our
main DNS server...

This was also reported in:

https://github.com/letoams/hash-slinger/issues/45

And is being tracked on our side at:

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41350

-- System Information:
Debian Release: 11.7
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 
'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-25-amd64 (SMP w/2 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages hash-slinger depends on:
ii  ca-certificates    20210119
ii  dns-root-data      2021011101
ii  openssh-client     1:8.4p1-5+deb11u1
ii  python3            3.9.2-3
ii  python3-dnspython  2.0.0-1
ii  python3-gnupg      0.4.6-1
ii  python3-m2crypto   0.37.1-2
ii  python3-unbound    1.13.1-1+deb11u1

hash-slinger recommends no packages.

hash-slinger suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/bin/tlsa (from hash-slinger package)

-- 
Antoine Beaupré
torproject.org system administration
--- End Message ---
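The failure reported above, as an added example (not hash-slinger's code and not part of the original message): it renders the same TLSA data in RFC 3597 generic form with an integer length, and lints generic-form lines so a record like the one quoted is rejected before a zone rebuild. The function names are hypothetical, and the idea that the float came from Python 3 true division is an assumption, not something the report states.

```python
import re

# Record text quoted in the bug report; the "35.0" length token is the defect.
REPORTED = (
    "_443._tcp.cdn-fastly-backend.torproject.org. IN TYPE52 \\# 35.0 "
    "030101e86cb4aa5bec41b44c5e78c0b3b05992ab276d540376aca18eb494d8e229cd4c"
)

# owner, class IN, TYPE<n>, the "\#" marker, length token, hex data
GENERIC_RR = re.compile(r"^(\S+)\s+IN\s+TYPE([0-9]+)\s+\\#\s+(\S+)\s*(.*)$")


def true_division_length(hex_rdata):
    """Assumed origin of the float: Python 3 '/' always returns a float."""
    return str(len(hex_rdata) / 2)


def generic_tlsa(owner, usage, selector, mtype, assoc_hex):
    """Render a TLSA record in RFC 3597 generic form with an integer length."""
    for name, value in (("usage", usage), ("selector", selector), ("mtype", mtype)):
        if not 0 <= value <= 255:
            raise ValueError("%s must fit in one octet" % name)
    rdata = bytes([usage, selector, mtype]) + bytes.fromhex(assoc_hex)
    # len() of a bytes object is an int, so "%d" can never print "35.0".
    return "%s IN TYPE52 \\# %d %s" % (owner, len(rdata), rdata.hex())


def check_generic(line):
    """Return a list of problems found in one generic-form record line."""
    match = GENERIC_RR.match(line.strip())
    if match is None:
        return ["not an RFC 3597 generic record"]
    _owner, _rrtype, length, hexdata = match.groups()
    hexdata = "".join(hexdata.split())  # the data may be split into words
    problems = []
    declared = None
    if re.fullmatch(r"[0-9]+", length):
        declared = int(length)
    else:
        problems.append("length %r is not an unsigned decimal integer" % length)
    if not re.fullmatch(r"[0-9A-Fa-f]*", hexdata):
        problems.append("data contains non-hex characters")
    elif len(hexdata) % 2:
        problems.append("data has an odd number of hex digits")
    elif declared is not None and declared != len(hexdata) // 2:
        problems.append("length %d does not match %d data octets"
                        % (declared, len(hexdata) // 2))
    return problems


def lint_zone_fragment(text):
    """Check every generic-form line of a zone fragment before it is loaded."""
    findings = {}
    for number, line in enumerate(text.splitlines(), 1):
        if "\\#" in line:
            problems = check_generic(line)
            if problems:
                findings[number] = problems
    return findings


if __name__ == "__main__":
    host = "_443._tcp.cdn-fastly-backend.torproject.org."
    digest = "e86cb4aa5bec41b44c5e78c0b3b05992ab276d540376aca18eb494d8e229cd4c"
    print(generic_tlsa(host, 3, 1, 1, digest))
    print(lint_zone_fragment(REPORTED))
```

Running a check like `lint_zone_fragment` over a generated include file, and refusing to reload when it returns findings, keeps a single malformed record from taking the whole zone down.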
--- Begin Message ---
Source: hash-slinger
Source-Version: 3.1-1.1+deb12u1
Done: Antoine Beaupré 

We believe that the bug you reported is fixed in the latest version of
hash-slinger, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré  (supplier of updated hash-slinger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 05 Oct 2023 10:37:58 -0400
Source: hash-slinger
Architecture: source
Version: 3.1-1.1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian DNS Team 
Changed-By: Antoine Beaupré 
Closes: 1053483
Changes:
 hash-slinger (3.1-1.1+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload.
   * Bug fix: "tlsa can produce invalid records" (Closes: #1053483)

Bug#1054417: marked as done (weborf: Denial of service when executing cgi executables)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 19:47:16 +
with message-id 
and subject line Bug#1054417: fixed in weborf 0.19-2.1+deb12u1
has caused the Debian Bug report #1054417,
regarding weborf: Denial of service when executing cgi executables
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054417: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054417
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: weborf
Version: 0.20
Severity: grave
Tags: patch upstream security
X-Debbugs-Cc: tipos...@tiscali.it

Dear Maintainer,

there is an error in the code to execute cgi.

Best


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-2-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages weborf depends on:
ii  libc6      2.37-12
ii  libmagic1  1:5.45-2
ii  libssl3    3.0.11-1

weborf recommends no packages.

Versions of packages weborf suggests:
pn  php-cgi  

-- no debconf information
commit 49824204add55aab0568d90a6b1e7c822d32120d
Author: Salvo 'LtWorf' Tomaselli 
Date:   Wed Oct 11 23:48:19 2023 +0200

Solve issue with unterminated buffer

diff --git a/cgi.c b/cgi.c
index 08d664d..f8276b1 100644
--- a/cgi.c
+++ b/cgi.c
@@ -233,8 +233,7 @@ static inline void cgi_execute_child(connection_t* 
connection_prop,string_t* pos
 environ = NULL; //Clear env vars
 
 if (strlen(executor) == 0) {
-executor = malloc(connection_prop->strfile_len + 1);
-strncpy(executor, connection_prop->strfile, 
connection_prop->strfile_len);
+executor = connection_prop->strfile;
 }
 
 cgi_set_http_env_vars(connection_prop->http_param);
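Review bot: the new assignment `executor = connection_prop->strfile;` makes executor an alias of the connection's path buffer rather than a private copy, so the fix is only correct if strfile is itself NUL-terminated and nothing after this branch writes to or frees executor; neither is visible in this hunk. The removed lines show why the old copy was unsafe: strncpy() with a count of strfile_len copies at most that many bytes and writes no terminator when the source is that long, the extra byte from malloc(strfile_len + 1) was never set, and the malloc() result was not checked. A one-line comment stating that strfile is terminated and stays valid until the exec would document the invariant the fix relies on, and the commit message could name which buffer was unterminated, since "Solve issue with unterminated buffer" does not say.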
--- End Message ---
--- Begin Message ---
Source: weborf
Source-Version: 0.19-2.1+deb12u1
Done: Salvo 'LtWorf' Tomaselli 

We believe that the bug you reported is fixed in the latest version of
weborf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvo 'LtWorf' Tomaselli  (supplier of updated weborf 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 30 Nov 2023 10:58:16 +0100
Source: weborf
Architecture: source
Version: 0.19-2.1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Salvo 'LtWorf' Tomaselli 
Changed-By: Salvo 'LtWorf' Tomaselli 
Closes: 1054417
Changes:
 weborf (0.19-2.1+deb12u1) bookworm; urgency=medium
 .
   * Backport patch from upstream to fix denial of service (Closes: 1054417)

Bug#1055598: marked as done (oscrypto: FTBFS in bookworm (Error detecting the version of libcrypto))

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 19:47:15 +
with message-id 
and subject line Bug#1055598: fixed in oscrypto 1.3.0-1+deb12u1
has caused the Debian Bug report #1055598,
regarding oscrypto: FTBFS in bookworm (Error detecting the version of libcrypto)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1055598: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055598
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: src:oscrypto
Version: 1.3.0-1
Severity: serious
Tags: ftbfs
Control: close -1 1.3.0-4

Hello. This package currently FTBFS in bookworm:

[...]
oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
[...]

Full log here:

https://tests.reproducible-builds.org/debian/rbuild/bookworm/amd64/oscrypto_1.3.0-1.rbuild.log.gz

but I see that the source package in unstable builds ok in bookworm.

Since packages in stable must build in stable, we should
make an upload for bookworm to fix this.

I believe the relevant changes are all that show
when we do this:

git diff debian/1.3.0-2 debian/1.3.0-4

i.e. these three additional patches:

--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,4 @@
 do_not_put_LICENSE_in_egg_info.patch
+libcrypto_ctypes_regex.patch
+openssl_3.0.10.patch
+Make_OpenSSL_version_regexes_more_robust.patch
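Review bot: the three added entries are file names only, so this hunk cannot show that they are the minimal set for the "Error detecting the version of libcrypto" failure or that none of them changes behaviour beyond version detection; the patch bodies need to be in the review. The series file is applied top to bottom, so the backport should keep libcrypto_ctypes_regex.patch, openssl_3.0.10.patch and Make_OpenSSL_version_regexes_more_robust.patch in exactly this order after do_not_put_LICENSE_in_egg_info.patch, and each patch header should state which failure it addresses.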

Note: I joined the Python team recently to fix bugs
like this in stable, so I'd just need the confirmation
that the above is actually what we need to do.

(Unless somebody else wants to take care of this, of course)

Thanks.
--- End Message ---
--- Begin Message ---
Source: oscrypto
Source-Version: 1.3.0-1+deb12u1
Done: Santiago Vila 

We believe that the bug you reported is fixed in the latest version of
oscrypto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1055...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila  (supplier of updated oscrypto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 01 Dec 2023 22:38:00 +0100
Source: oscrypto
Architecture: source
Version: 1.3.0-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Python Team 
Changed-By: Santiago Vila 
Closes: 1033822 1055598
Changes:
 oscrypto (1.3.0-1+deb12u1) bookworm; urgency=medium
 .
   * Team upload.
   [ Jochen Sprickerhof ]
   * Fix autopkgtest by switching to autopkgtest-pkg-pybuild. Closes: #1033822.
   [ Bastian Germann ]
   * Fix OpenSSL version parsing, take 1.
   [ Arnaud Rebillout ]
   * Fix OpenSSL version parsing, take 2. Closes: #1055598.
--- End Message ---


Bug#1057149: marked as done (gimp: Please add Conflicts+Replaces: gimp-dds)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 19:47:10 +
with message-id 
and subject line Bug#1057149: fixed in gimp 2.10.34-1+deb12u2
has caused the Debian Bug report #1057149,
regarding gimp: Please add Conflicts+Replaces: gimp-dds
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1057149: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057149
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gimp
Version: 2.10.12-1
Severity: serious

gimp-dds was included in 2.10.10, and the old version of the
plugin in gimp-dds is also vulnerable to CVE-2023-1.

Please add[1]
  Conflicts: gimp-dds
  Replaces: gimp-dds
to get rid of the stale version of this plugin.

A fast upload would be appreciated so that I can also submit
this change for the next bookworm (and bullseye) point releases.

Thanks in advance


[1] https://lists.debian.org/deity/2023/11/msg00037.html
--- End Message ---
--- Begin Message ---
Source: gimp
Source-Version: 2.10.34-1+deb12u2
Done: Adrian Bunk 

We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1057...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk  (supplier of updated gimp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 02 Dec 2023 15:31:27 +0200
Source: gimp
Architecture: source
Version: 2.10.34-1+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Debian GNOME Maintainers 

Changed-By: Adrian Bunk 
Closes: 1057149
Changes:
 gimp (2.10.34-1+deb12u2) bookworm; urgency=medium
 .
   * Non-maintainer upload.
   * Add Conflicts+Replaces: gimp-dds to remove old versions of this
 plugin shipped by gimp itself since 2.10.10. (Closes: #1057149)
--- End Message ---


Bug#1056163: marked as done (libervia-backend: start fails without pre-existing configuration)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 19:47:12 +
with message-id 
and subject line Bug#1056163: fixed in libervia-backend 0.9.0~hg3993-4+deb12u1
has caused the Debian Bug report #1056163,
regarding libervia-backend: start fails without pre-existing configuration
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1056163: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libervia-backend
Severity: serious
Version: 0.9.0~hg3993-4
Tags: bookworm

When there is no pre-existing configuration (`~/.local/share/libervia/`),
starting `libervia-backend fg` fails with an exception:

```
  File "/usr/share/libervia/sat/memory/migration/env.py", line 8, in 
from sat.memory import sqla_config
ModuleNotFoundError: No module named 'sat'
2023-11-18T00:00:00+ /!\ Can't upgrade database (exit code 1)
```
--- End Message ---
--- Begin Message ---
Source: libervia-backend
Source-Version: 0.9.0~hg3993-4+deb12u1
Done: Martin 

We believe that the bug you reported is fixed in the latest version of
libervia-backend, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1056...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin  (supplier of updated libervia-backend package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 17 Nov 2023 23:29:54 +
Source: libervia-backend
Architecture: source
Version: 0.9.0~hg3993-4+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian XMPP Maintainers 
Changed-By: Martin 
Closes: 1055445 1055446 1056163
Changes:
 libervia-backend (0.9.0~hg3993-4+deb12u1) bookworm; urgency=medium
 .
   * Fix dependencies on python3-txdbus/python3-dbus (Closes: #1055446)
   * Add patch to make exec path absolute in dbus service file (Closes: 
#1055445)
   * Fix start failure without pre-existing configuration (Closes: #1056163)
--- End Message ---


Bug#1054317: Removal notice: obsolete

2023-12-02 Thread Ilias Tsitsimpis
Control: clone -1 -2
Control: reassign -2 ftp.debian.org
Control: retitle -2 RM: haskell-numtype -- ROM; obsolete
Control: severity -2 normal

On Sat, Oct 21, 2023 at 08:10PM, Ilias Tsitsimpis wrote:
> I intend to remove this package:
> 
>   * It has no rev dependencies
>   * The current version FTBFS with GHC 9.4
>   * Seems unmaintained; Last upload more than 5 years ago
>   * It's not part of the latest Stackage LTS

Dear FTP masters, please remove haskell-numtype from unstable.

-- 
Ilias



Processed: Re: Bug#1054317: Removal notice: obsolete

2023-12-02 Thread Debian Bug Tracking System
Processing control commands:

> clone -1 -2
Bug #1054317 [src:haskell-numtype] Removal notice: obsolete
Bug 1054317 cloned as bug 1057291
> reassign -2 ftp.debian.org
Bug #1057291 [src:haskell-numtype] Removal notice: obsolete
Bug reassigned from package 'src:haskell-numtype' to 'ftp.debian.org'.
No longer marked as found in versions haskell-numtype/1.2-7.
Ignoring request to alter fixed versions of bug #1057291 to the same values 
previously set
> retitle -2 RM: haskell-numtype -- ROM; obsolete
Bug #1057291 [ftp.debian.org] Removal notice: obsolete
Changed Bug title to 'RM: haskell-numtype -- ROM; obsolete' from 'Removal 
notice: obsolete'.
> severity -2 normal
Bug #1057291 [ftp.debian.org] RM: haskell-numtype -- ROM; obsolete
Severity set to 'normal' from 'serious'

-- 
1054317: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054317
1057291: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057291
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1054355: Removal notice: obsolete

2023-12-02 Thread Ilias Tsitsimpis
Control: clone -1 -2
Control: reassign -2 ftp.debian.org
Control: retitle -2 RM: haskell-parallel-tree-search -- ROM; obsolete
Control: severity -2 normal

On Sun, Oct 22, 2023 at 04:26PM, Ilias Tsitsimpis wrote:
> I intend to remove this package:
> 
>   * It has no rev dependencies
>   * The current version FTBFS
>   * Seems unmaintained; Last upload more than 3 years ago
>   * It's not part of the latest Stackage LTS

Dear FTP masters, please remove haskell-parallel-tree-search from unstable.

-- 
Ilias



Processed: Re: Bug#1054355: Removal notice: obsolete

2023-12-02 Thread Debian Bug Tracking System
Processing control commands:

> clone -1 -2
Bug #1054355 [src:haskell-parallel-tree-search] Removal notice: obsolete
Bug 1054355 cloned as bug 1057292
> reassign -2 ftp.debian.org
Bug #1057292 [src:haskell-parallel-tree-search] Removal notice: obsolete
Bug reassigned from package 'src:haskell-parallel-tree-search' to 
'ftp.debian.org'.
No longer marked as found in versions haskell-parallel-tree-search/0.4.2-2.
Ignoring request to alter fixed versions of bug #1057292 to the same values 
previously set
> retitle -2 RM: haskell-parallel-tree-search -- ROM; obsolete
Bug #1057292 [ftp.debian.org] Removal notice: obsolete
Changed Bug title to 'RM: haskell-parallel-tree-search -- ROM; obsolete' from 
'Removal notice: obsolete'.
> severity -2 normal
Bug #1057292 [ftp.debian.org] RM: haskell-parallel-tree-search -- ROM; obsolete
Severity set to 'normal' from 'serious'

-- 
1054355: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054355
1057292: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057292
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1054318: Removal notice: obsolete

2023-12-02 Thread Ilias Tsitsimpis
Control: clone -1 -2
Control: reassign -2 ftp.debian.org
Control: retitle -2 RM: haskell-syb-with-class -- ROM; obsolete
Control: severity -2 normal

On Sat, Oct 21, 2023 at 08:35PM, Ilias Tsitsimpis wrote:
> I intend to remove this package:
> 
>   * The current version FTBFS with GHC 9.4
>   * It's not part of the latest Stackage LTS

Dear FTP masters, please remove haskell-syb-with-class from unstable.

-- 
Ilias



Bug#1054495: Removal notice: obsolete

2023-12-02 Thread Ilias Tsitsimpis
Control: clone -1 -2
Control: reassign -2 ftp.debian.org
Control: retitle -2 RM: haskell-repa -- ROM; obsolete
Control: severity -2 normal

On Tue, Oct 24, 2023 at 06:23PM, Ilias Tsitsimpis wrote:
> I intend to remove this package:
> 
>   * It has no rev dependencies
>   * The current version FTBFS
>   * It's not part of the latest Stackage LTS

Dear FTP masters, please remove haskell-repa from unstable.

-- 
Ilias



Processed: Re: Bug#1054318: Removal notice: obsolete

2023-12-02 Thread Debian Bug Tracking System
Processing control commands:

> clone -1 -2
Bug #1054318 [src:haskell-syb-with-class] Removal notice: obsolete
Bug 1054318 cloned as bug 1057293
> reassign -2 ftp.debian.org
Bug #1057293 [src:haskell-syb-with-class] Removal notice: obsolete
Bug reassigned from package 'src:haskell-syb-with-class' to 'ftp.debian.org'.
No longer marked as found in versions haskell-syb-with-class/0.6.1.14-1.
Ignoring request to alter fixed versions of bug #1057293 to the same values 
previously set
> retitle -2 RM: haskell-syb-with-class -- ROM; obsolete
Bug #1057293 [ftp.debian.org] Removal notice: obsolete
Changed Bug title to 'RM: haskell-syb-with-class -- ROM; obsolete' from 
'Removal notice: obsolete'.
> severity -2 normal
Bug #1057293 [ftp.debian.org] RM: haskell-syb-with-class -- ROM; obsolete
Severity set to 'normal' from 'serious'

-- 
1054318: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054318
1057293: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057293
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#1054495: Removal notice: obsolete

2023-12-02 Thread Debian Bug Tracking System
Processing control commands:

> clone -1 -2
Bug #1054495 [src:haskell-repa] Removal notice: obsolete
Bug 1054495 cloned as bug 1057294
> reassign -2 ftp.debian.org
Bug #1057294 [src:haskell-repa] Removal notice: obsolete
Bug reassigned from package 'src:haskell-repa' to 'ftp.debian.org'.
No longer marked as found in versions haskell-repa/3.4.1.5-1.
Ignoring request to alter fixed versions of bug #1057294 to the same values 
previously set
> retitle -2 RM: haskell-repa -- ROM; obsolete
Bug #1057294 [ftp.debian.org] Removal notice: obsolete
Changed Bug title to 'RM: haskell-repa -- ROM; obsolete' from 'Removal notice: 
obsolete'.
> severity -2 normal
Bug #1057294 [ftp.debian.org] RM: haskell-repa -- ROM; obsolete
Severity set to 'normal' from 'serious'

-- 
1054495: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054495
1057294: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057294
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1054959: marked as done (haskell-irc-core: FTBFS: unsatisfiable build-dependencies: libghc-primitive-dev (< 0.8), libghc-vector-dev (< 0.13))

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 20:46:17 +
with message-id 
and subject line Bug#1054959: fixed in haskell-irc-core 2.12-1
has caused the Debian Bug report #1054959,
regarding haskell-irc-core: FTBFS: unsatisfiable build-dependencies: 
libghc-primitive-dev (< 0.8), libghc-vector-dev (< 0.13)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054959: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054959
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: haskell-irc-core
Version: 2.11-1
Severity: serious
Justification: FTBFS
Tags: trixie sid ftbfs
User: lu...@debian.org
Usertags: ftbfs-20231028 ftbfs-trixie

Hi,

During a rebuild of all packages in sid, your package failed to build
on amd64.


Relevant part (hopefully):
> +--+
> | Install package build dependencies  
>  |
> +--+
> 
> 
> Setup apt archive
> -
> 
> Merged Build-Depends: haskell-devscripts (>= 0.13), cdbs, debhelper (>= 10), 
> ghc (>= 8.4.3), ghc-prof, libghc-attoparsec-dev (>= 0.14), 
> libghc-attoparsec-dev (<< 0.15), libghc-attoparsec-prof, 
> libghc-base64-bytestring-dev (>= 1.0.0.1), libghc-base64-bytestring-dev (<< 
> 1.3), libghc-base64-bytestring-prof, libghc-hashable-dev (>= 1.2), 
> libghc-hashable-dev (<< 1.5), libghc-hashable-prof, libghc-primitive-dev (>= 
> 0.6), libghc-primitive-dev (<< 0.8), libghc-primitive-prof, libghc-vector-dev 
> (>= 0.11), libghc-vector-dev (<< 0.13), libghc-vector-prof, libghc-hunit-dev 
> (>= 1.3), libghc-hunit-dev (<< 1.7), build-essential, fakeroot, ghc-doc, 
> libghc-attoparsec-doc, libghc-base64-bytestring-doc, libghc-hashable-doc, 
> libghc-primitive-doc, libghc-vector-doc
> Filtered Build-Depends: haskell-devscripts (>= 0.13), cdbs, debhelper (>= 
> 10), ghc (>= 8.4.3), ghc-prof, libghc-attoparsec-dev (>= 0.14), 
> libghc-attoparsec-dev (<< 0.15), libghc-attoparsec-prof, 
> libghc-base64-bytestring-dev (>= 1.0.0.1), libghc-base64-bytestring-dev (<< 
> 1.3), libghc-base64-bytestring-prof, libghc-hashable-dev (>= 1.2), 
> libghc-hashable-dev (<< 1.5), libghc-hashable-prof, libghc-primitive-dev (>= 
> 0.6), libghc-primitive-dev (<< 0.8), libghc-primitive-prof, libghc-vector-dev 
> (>= 0.11), libghc-vector-dev (<< 0.13), libghc-vector-prof, libghc-hunit-dev 
> (>= 1.3), libghc-hunit-dev (<< 1.7), build-essential, fakeroot, ghc-doc, 
> libghc-attoparsec-doc, libghc-base64-bytestring-doc, libghc-hashable-doc, 
> libghc-primitive-doc, libghc-vector-doc
> dpkg-deb: building package 'sbuild-build-depends-main-dummy' in 
> '/<>/apt_archive/sbuild-build-depends-main-dummy.deb'.
> Ign:1 copy:/<>/apt_archive ./ InRelease
> Get:2 copy:/<>/apt_archive ./ Release [615 B]
> Ign:3 copy:/<>/apt_archive ./ Release.gpg
> Get:4 copy:/<>/apt_archive ./ Sources [1344 B]
> Get:5 copy:/<>/apt_archive ./ Packages [1332 B]
> Fetched 3291 B in 0s (0 B/s)
> Reading package lists...
> Reading package lists...
> 
> Install main build dependencies (apt-based resolver)
> 
> 
> Installing build dependencies
> Reading package lists...
> Building dependency tree...
> Reading state information...
> Some packages could not be installed. This may mean that you have
> requested an impossible situation or if you are using the unstable
> distribution that some required packages have not yet been created
> or been moved out of Incoming.
> The following information may help to resolve the situation:
> 
> The following packages have unmet dependencies:
>  sbuild-build-depends-main-dummy : Depends: libghc-primitive-dev (< 0.8) but 
> 0.8.0.0-1+b1 is to be installed
>Depends: libghc-vector-dev (< 0.13) but 
> 0.13.1.0-1 is to be installed
> E: Unable to correct problems, you have held broken packages.
> apt-get failed.


The full build log is available from:
http://qa-logs.debian.net/2023/10/28/haskell-irc-core_2.11-1_unstable.log

All bugs filed during this archive rebuild are listed at:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=ftbfs-20231028;users=lu...@debian.org
or:
https://udd.debian.org/bugs/?release=na&merged=ign&fnewerval=7&flastmodval=7&fusertag=only&fusertagtag=ftbfs-20231028&fusertaguser=lu...@debian.org&allbugs=1&cseverity=1&ctags=1&caffected=1#results

A list of current common problems and possible solutions is available at
http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute!

Bug#1057296: src:r-cran-data.table: fails to migrate to testing for too long: autopkgtest failure on 32 bits

2023-12-02 Thread Paul Gevers

Source: r-cran-data.table
Version: 1.14.8+dfsg-1
Severity: serious
Control: close -1 1.14.8+dfsg2-1
Tags: sid trixie
User: release.debian@packages.debian.org
Usertags: out-of-sync

Dear maintainer(s),

The Release Team considers packages that are out-of-sync between testing 
and unstable for more than 30 days as having a Release Critical bug in 
testing [1]. Your package src:r-cran-data.table has been trying to 
migrate for 40 days [2]. Hence, I am filing this bug. The version in 
unstable fails its autopkgtest on 32 bit architectures.


If a package is out of sync between unstable and testing for a longer 
period, this usually means that bugs in the package in testing cannot be 
fixed via unstable. Additionally, blocked packages can have impact on 
other packages, which makes preparing for the release more difficult. 
Finally, it often exposes issues with the package and/or
its (reverse-)dependencies. We expect maintainers to fix issues that 
hamper the migration of their package in a timely manner.


This bug will trigger auto-removal when appropriate. As with all new 
bugs, there will be at least 30 days before the package is auto-removed.


I have immediately closed this bug with the version in unstable, so if 
that version or a later version migrates, this bug will no longer affect 
testing. I have also tagged this bug to only affect sid and trixie, so 
it doesn't affect (old-)stable.


If you believe your package is unable to migrate to testing due to 
issues beyond your control, don't hesitate to contact the Release Team.


Paul

[1] https://lists.debian.org/debian-devel-announce/2023/06/msg1.html
[2] https://qa.debian.org/excuses.php?package=r-cran-data.table





Processed: src:r-cran-data.table: fails to migrate to testing for too long: autopkgtest failure on 32 bits

2023-12-02 Thread Debian Bug Tracking System
Processing control commands:

> close -1 1.14.8+dfsg2-1
Bug #1057296 [src:r-cran-data.table] src:r-cran-data.table: fails to migrate to 
testing for too long: autopkgtest failure on 32 bits
Marked as fixed in versions r-cran-data.table/1.14.8+dfsg2-1.
Bug #1057296 [src:r-cran-data.table] src:r-cran-data.table: fails to migrate to 
testing for too long: autopkgtest failure on 32 bits
Marked Bug as done

-- 
1057296: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057296
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1040901: marked as done (linux modules must not be signed with CA key, bump ABI every upload)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sat, 02 Dec 2023 21:00:10 +
with message-id 
and subject line Bug#1040901: fixed in linux 6.6.3-1~exp1
has caused the Debian Bug report #1040901,
regarding linux modules must not be signed with CA key, bump ABI every upload
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1040901: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040901
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: linux
Version: 6.3.0-7.7
Severity: grave
Tags: security
X-Debbugs-Cc: j...@debian.org

I know there's some work in progress but it appears we don't have a bug
for it yet. I raised this yesterday in our weekly upstream shim/grub
cabal meetings and Debian's current approach to sign modules with the
same key and not bump ABI on every upload should be considered a bug.

The current approach means that a kernel cannot be easily revoked,
you would need to add its kernel modules to the dbx as well, which
is a grave security bug.

The state of the art solution is to sign everything using an ephemeral key,
which yes, it will cause the package to be unreproducible, but if nobody
commits to working on that merkle tree of modules, then this is very
well going to have to be the solution to the issue.

A reasonable compromise at a first step for a limited time is to
ensure that

1) the kernel refuses to load modules for a different ABI in lockdown,
   for example, the modprobe --force-vermagic does not work anymore.
2) each upload bumps the ABI [this is also required for the ephemeral
   key and merkle tree approaches as otherwise the modules become
   no longer loadable]

This is still somewhat problematic as there may be bugs in the code
validating parsing the kernel module sections that could be exploited
if there were some weird modules, but it's a significant improvement
(turning this from grave to serious I guess).

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer  i speak de, en
--- End Message ---
--- Begin Message ---
Source: linux
Source-Version: 6.6.3-1~exp1
Done: Bastian Blank 

We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1040...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Blank  (supplier of updated linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sat, 02 Dec 2023 20:03:34 +0100
Source: linux
Architecture: source
Version: 6.6.3-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian Kernel Team 
Changed-By: Bastian Blank 
Closes: 950324 1011986 1032604 1040901 1050782 1051365 1053503 1053764 1055069 
1055244
Changes:
 linux (6.6.3-1~exp1) experimental; urgency=medium
 .
   * New upstream release: https://kernelnewbies.org/Linux_6.6
   * New upstream stable update:
 https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.1
 https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.2
 https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.3
 .
   [ Vincent Blut ]
   * [armhf] drivers/input/keyboard: Enable KEYBOARD_TCA8418 as module
 (Closes: #1050782)
   * drivers/net/wwan: Enable MTK_T7XX as module (Closes: #1055244)
   * drivers/video/fbdev: Disable FB_UDL on all architectures (Closes: #1011986)
 .
   [ Bastian Blank ]
   * [powerpc,ppc64] Remove unused arch specific bootwrapper.
   * Generate installer packages according to own config.
   * Sign modules using an ephemeral key: (closes: #1040901)
 - Set MODULE_SIG_ALL to sign all modules.
 - No longer request Secure Boot signing for modules.
 - Don't trust Secure Boot key any longer.
   * Sign modules and support lockdown always.
   * Compress all modules:
 - Set MODULE_COMPRESS_XZ.
   * Drop deprecated build profile stage1. (closes: #1051365)
   * Generate information for signed template package early.
   * Copy installer config into signed source.
   * Make it possible to run debian/rules.real without root.
   * Drop linux-compiler packages and use normal compiler packages again.
   * [hppa] Drop transitional m

Bug#1057270: libimager-perl: FTBFS: t/t10tiff.t failure

2023-12-02 Thread Tony Cook
On Sat, Dec 02, 2023 at 08:35:38PM +0200, Niko Tyni wrote:
> From
> https://sources.debian.org/src/libimager-perl/1.020%2Bdfsg-1/TIFF/imtiff.c/#L302
> 
>   static toff_t sizeproc(thandle_t x) {
>   return 0;
>   }
> 
> which is used as the TIFFClientOpen() argument in i_readtiff_wiol():
> 
>   
> https://sources.debian.org/src/libimager-perl/1.020%2Bdfsg-1/TIFF/imtiff.c/#L710
> 
> So it looks like libimager-perl is always saying the file size is 0,
> and this hasn't hurt earlier but now does with the src:tiff CVE-2023-6277
> patch.
> 
> Not sure where this leaves us, but I've just reported it at
> 
>   https://github.com/tonycoz/imager/issues/522

Fixed in 1.022, please let me know if you have any more problems.

d54ea521f63ec1ed7d8c0fd11c23507600d51143 should be safe to cherry pick
back to 1.020 if you don't want all of the 1.021 TIFF changes in
the debian stable libimager-perl.

Thanks,
Tony
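
Added example, not code from Imager or libtiff: a simplified C model of why a size callback that always returns 0, like the sizeproc() quoted above, starts to break reads once the reader compares declared lengths with the reported stream size before allocating. The toy record format, `mem_io`, `read_record` and the exact check are assumptions for illustration; the real check added for CVE-2023-6277 is not shown in this thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical client handle for a memory-backed stream (not Imager's type). */
typedef struct {
    const uint8_t *data;
    uint64_t len;
    uint64_t pos;
} mem_io;

typedef uint64_t (*size_cb)(void *handle);
typedef int64_t (*read_cb)(void *handle, void *buf, uint64_t n);

/* Stubbed the same way as the quoted sizeproc(): the stream claims to be empty. */
static uint64_t size_stub(void *handle) {
    (void)handle;
    return 0;
}

/* Reports the real length of the backing buffer. */
static uint64_t size_real(void *handle) {
    return ((mem_io *)handle)->len;
}

/* Short reads at the end of the buffer are reported through the return value. */
static int64_t mem_read(void *handle, void *buf, uint64_t n) {
    mem_io *io = handle;
    uint64_t left = io->len - io->pos;
    if (n > left)
        n = left;
    memcpy(buf, io->data + io->pos, (size_t)n);
    io->pos += n;
    return (int64_t)n;
}

enum { READ_OK = 0, READ_TRUNCATED = -1, READ_SIZE_MISMATCH = -2, READ_NOMEM = -3 };

/*
 * Assumed toy format: 4-byte little-endian payload length, then the payload.
 * The declared length comes from the file, so it is compared with what the
 * size callback reports before any allocation is made.
 */
static int read_record(void *h, read_cb rd, size_cb sz,
                       uint8_t **out, uint32_t *out_len) {
    uint8_t hdr[4];
    if (rd(h, hdr, sizeof hdr) != (int64_t)sizeof hdr)
        return READ_TRUNCATED;

    uint32_t declared = (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
                        ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);

    uint64_t total = sz(h);
    if (total < sizeof hdr || declared > total - sizeof hdr)
        return READ_SIZE_MISMATCH;   /* refuse before malloc() */

    uint8_t *buf = malloc(declared ? declared : 1);
    if (buf == NULL)
        return READ_NOMEM;
    if (rd(h, buf, declared) != (int64_t)declared) {
        free(buf);
        return READ_TRUNCATED;
    }
    *out = buf;
    *out_len = declared;
    return READ_OK;
}

/* Constructed sample inputs. */
static const uint8_t VALID[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t CRAFTED[] = { 0xff, 0xff, 0xff, 0x7f, 'x' }; /* claims ~2 GiB */

/* Runs one read over a constructed buffer with the chosen size callback. */
static int try_read(const uint8_t *bytes, uint64_t len, size_cb sz) {
    mem_io io = { bytes, len, 0 };
    uint8_t *payload = NULL;
    uint32_t n = 0;
    int rc = read_record(&io, mem_read, sz, &payload, &n);
    free(payload);
    return rc;
}

int main(void) {
    printf("valid,   real size: %d\n", try_read(VALID, sizeof VALID, size_real));
    printf("valid,   stub size: %d\n", try_read(VALID, sizeof VALID, size_stub));
    printf("crafted, real size: %d\n", try_read(CRAFTED, sizeof CRAFTED, size_real));
    return 0;
}
```

With the stub, the well-formed input is rejected exactly like the crafted one, which is the shape of the regression discussed here: the hardening is only as good as the size the client I/O layer reports.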



Bug#1057270: libimager-perl: FTBFS: t/t10tiff.t failure

2023-12-02 Thread gregor herrmann
On Sun, 03 Dec 2023 10:46:50 +1100, Tony Cook wrote:

> >   https://github.com/tonycoz/imager/issues/522
> Fixed in 1.022, please let me know if you have any more problems.

Thank you!
1.022 builds fine in Debian unstable, so I've uploaded it.
 
> d54ea521f63ec1ed7d8c0fd11c23507600d51143 should be safe to cherry pick
> back to 1.020 if you don't want all of the 1.021 TIFF changes in
> the debian stable libimager-perl.

Hm, Debian stable (which has 1.019) is a good question. If libtiff is
updated there too [0] we might see the same issue there.

Some experimentation later: It looks like building libimager-perl
1.019+dfsg-1 from stable in a stable chroot with an additional source
stable-security which pulls in libtiff-dev 4.5.0-6+deb12u1 -- still
succeeds.

So I guess we don't have to do anything here, and if reality is
different than my tests, we can pull in
d54ea521f63ec1ed7d8c0fd11c23507600d51143 -- thanks for the pointer!

Cheers,
gregor

[0]
tiff   | 4.5.0-6   | stable | source
tiff   | 4.5.0-6+deb12u1   | proposed-updates   | source


-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   




Bug#1057270: marked as done (libimager-perl: FTBFS: t/t10tiff.t failure)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sun, 03 Dec 2023 01:05:51 +
with message-id 
and subject line Bug#1057270: fixed in libimager-perl 1.022+dfsg-1
has caused the Debian Bug report #1057270,
regarding libimager-perl: FTBFS: t/t10tiff.t failure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1057270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057270
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libimager-perl
Version: 1.020+dfsg-1
Severity: serious
Tags: ftbfs
Control: block 1055955 with -1
X-Debbugs-Cc: t...@packages.debian.org

This package fails to build from source on current sid.

It regressed with tiff_4.5.1+git230720-2 which is currently blocked from
migrating to trixie because libimager-perl autopkgtests are failing too.

Changes:
 tiff (4.5.1+git230720-2) unstable; urgency=high
 .
   * Backport security fix for CVE-2023-6277, passing a crafted tiff file to
 TIFFOpen() API may allow a remote attacker to cause a denial of service
 (closes: #1056751).

I see libimager-perl upstream has released 1.021 with some tiff related
changes. I haven't checked if those fix the issue, or whether libtiff
is actually broken. Feel free to reassign as needed.

I'm marking this as a blocker for the Perl 5.38 transition as we need
to be able to rebuild libimager-perl for that.

From the build log:

  # libtiff release 4.5.1
  
  #   Failed test 'read low-level'
  #   at t/t10tiff.t line 49.
  Use of uninitialized value in subroutine entry at t/t10tiff.t line 53.
  Use of uninitialized value in subroutine entry at t/t10tiff.t line 53.
  im2 is not of type Imager::ImgRaw at t/t10tiff.t line 53.
  # Looks like your test exited with 25 just after 4.
  t/t10tiff.t .. 
  1..247
  ok 1 - use Imager::File::TIFF;
  ok 2 - extract library version
  ok 3 - write low level
  not ok 4 - read low-level
  Dubious, test returned 25 (wstat 6400, 0x1900)
  Failed 244/247 subtests 
  
  Test Summary Report
  ---
  t/t10tiff.t (Wstat: 6400 (exited 25) Tests: 4 Failed: 1)
Failed test:  4
Non-zero exit status: 25
Parse errors: Bad plan.  You planned 247 tests but ran 4.
  Files=1, Tests=4,  0 wallclock secs ( 0.01 usr  0.01 sys +  0.10 cusr  0.02 
csys =  0.14 CPU)
  Result: FAIL

A full build log is at

  
http://perl.debian.net/rebuild-logs/sid/libimager-perl_1.020%2Bdfsg-1/libimager-perl_1.020%2Bdfsg-1_amd64-2023-12-02T11%3A49%3A48Z.build

-- 
Niko Tyni   nt...@debian.org
--- End Message ---
--- Begin Message ---
Source: libimager-perl
Source-Version: 1.022+dfsg-1
Done: gregor herrmann 

We believe that the bug you reported is fixed in the latest version of
libimager-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1057...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann  (supplier of updated libimager-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 03 Dec 2023 01:05:23 +0100
Source: libimager-perl
Architecture: source
Version: 1.022+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group 
Changed-By: gregor herrmann 
Closes: 1057270
Changes:
 libimager-perl (1.022+dfsg-1) unstable; urgency=medium
 .
   * Import upstream version 1.021+dfsg.
   * Import upstream version 1.022+dfsg.
 Closes: #1057270

Bug#1057307: sioyek: FTBFS with mupdf 0.23

2023-12-02 Thread Victor Westerhuis
Package: sioyek
Version: 2.0.0+dfsg-3+b5
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)
X-Debbugs-Cc: mu...@packages.debian.org

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

mupdf 0.23 drops the pdf_parse_link_uri symbol, causing sioyek to fail
to build from source. I am preparing a new upload to fix the issue.

@mupdf maintainers: Could you test if reverse dependencies still build
before pushing a new version in the future?

- --
Groet, Regards,

Victor Westerhuis

- -- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-4-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_NL.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en_US:en:nl_NL:nl
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sioyek depends on:
ii  libc62.37-12
ii  libfreetype6 2.13.2+dfsg-1
ii  libgcc-s113.2.0-7
ii  libgl1   1.7.0-1
ii  libgumbo20.12.0+dfsg-2
ii  libharfbuzz0b8.0.1-1+~optimized
ii  libjbig2dec0 0.19-3
ii  libjpeg62-turbo  1:2.1.5-2
ii  libjs-sphinxdoc  7.2.6-2
ii  libmujs3 1.3.3-3
ii  libopenjp2-7 2.5.0-2
ii  libqt5core5a 5.15.10+dfsg-5
ii  libqt5gui5   5.15.10+dfsg-5
ii  libqt5network5   5.15.10+dfsg-5
ii  libqt5widgets5   5.15.10+dfsg-5
ii  libsqlite3-0 3.44.2-1
ii  libstdc++6   13.2.0-7
ii  libsynctex2  2023.20230311.66589-8
ii  sphinx-rtd-theme-common  2.0.0~rc3+dfsg-2
ii  zlib1-ng [zlib1g]2.0.6-0+~local1+b1
ii  zlib1g   1:1.3.dfsg-3

sioyek recommends no packages.

sioyek suggests no packages.

- -- no debconf information




Bug#1057307: sioyek: FTBFS with mupdf 0.23

2023-12-02 Thread Victor Westerhuis
On Sun, 03 Dec 2023 02:56:20 +0100 Victor Westerhuis 
 wrote:

> Package: sioyek
> Version: 2.0.0+dfsg-3+b5
> Severity: serious
> Tags: ftbfs
> Justification: fails to build from source (but built successfully in the past)
> X-Debbugs-Cc: mu...@packages.debian.org
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> mupdf 0.23 drops the pdf_parse_link_uri symbol, causing sioyek to fail
> to build from source. I am preparing a new upload to fix the issue.

Apologies, the symbol is not dropped, but the declaration is moved to an 
internal header in 
https://github.com/ArtifexSoftware/mupdf/commit/254f77c41049cf8229ecb878e6c641c7ccfdf9df. 
It's still an API change that was not tested before uploading.

> @mupdf maintainers: Could you test if reverse dependencies still build
> before pushing a new version in the future?
>
> - --
> Groet, Regards,
>
> Victor Westerhuis



--
Victor Westerhuis 



Bug#1057296: src:r-cran-data.table: fails to migrate to testing for too long: autopkgtest failure on 32 bits

2023-12-02 Thread Andreas Tille
Control: tags -1 upstream
Control: forwarded -1 https://github.com/Rdatatable/data.table/issues/5785
Control: reopen -1

Forwarded upstream
Reopening to stay visible in our sentinel

-- 
http://fam-tille.de



Processed: Re: Bug#1057296: src:r-cran-data.table: fails to migrate to testing for too long: autopkgtest failure on 32 bits

2023-12-02 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 upstream
Bug #1057296 {Done: Paul Gevers } [src:r-cran-data.table] 
src:r-cran-data.table: fails to migrate to testing for too long: autopkgtest 
failure on 32 bits
Added tag(s) upstream.
> forwarded -1 https://github.com/Rdatatable/data.table/issues/5785
Bug #1057296 {Done: Paul Gevers } [src:r-cran-data.table] 
src:r-cran-data.table: fails to migrate to testing for too long: autopkgtest 
failure on 32 bits
Set Bug forwarded-to-address to 
'https://github.com/Rdatatable/data.table/issues/5785'.
> reopen -1
Bug #1057296 {Done: Paul Gevers } [src:r-cran-data.table] 
src:r-cran-data.table: fails to migrate to testing for too long: autopkgtest 
failure on 32 bits
'reopen' may be inappropriate when a bug has been closed with a version;
all fixed versions will be cleared, and you may need to re-add them.
Bug reopened
No longer marked as fixed in versions r-cran-data.table/1.14.8+dfsg2-1.

-- 
1057296: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057296
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1057166: marked as done (pgpainless: FTBFS with bouncycastle 1.77)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sun, 03 Dec 2023 06:03:59 +
with message-id 
and subject line Bug#1057166: fixed in pgpainless 1.6.4-1
has caused the Debian Bug report #1057166,
regarding pgpainless: FTBFS with bouncycastle 1.77
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1057166: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057166
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pgpainless
Version: 1.3.16-2
Severity: serious
Tags: ftbfs sid
User: a...@debian.org
Usertags: bouncycastle-1.77
X-Debbugs-Cc: a...@debian.org

Dear maintainer,

pgpainless fails to build from source with bouncycastle 1.77. The reason
is the removal of long deprecated methods. The (hopefully) relevant
error message from the build log. It seems, in this case, just a test is
failing now.

Failures (1):
  JUnit Jupiter:CertifyCertificateTest:testKeyDelegation()
    MethodSource [className = 'org.pgpainless.key.certification.CertifyCertificateTest', methodName = 'testKeyDelegation', methodParameterTypes = '']
    => org.pgpainless.exception.SignatureValidationException: Cannot verify direct-key signature correctness
       org.pgpainless.signature.consumer.SignatureValidator$17.verify(SignatureValidator.java:547)
       org.pgpainless.signature.consumer.SignatureVerifier.verifyDirectKeySignature(SignatureVerifier.java:328)
       org.pgpainless.key.certification.CertifyCertificateTest.testKeyDelegation(CertifyCertificateTest.java:98)
       java.base/java.lang.reflect.Method.invoke(Method.java:568)
       java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
       [...]
     Caused by: org.bouncycastle.openpgp.PGPException: signature is not a key binding signature.
       org.bouncycastle.openpgp.PGPSignature.verifyCertification(Unknown Source)
       org.pgpainless.signature.consumer.SignatureValidator$17.verify(SignatureValidator.java:539)
       [...]

Test run finished after 44748 ms
[   240 containers found  ]
[ 0 containers skipped]
[   240 containers started]
[ 0 containers aborted]
[   240 containers successful ]
[ 0 containers failed ]
[   732 tests found   ]
[ 1 tests skipped ]
[   731 tests started ]
[ 0 tests aborted ]
[   730 tests successful  ]
[ 1 tests failed  ]





--- End Message ---
--- Begin Message ---
Source: pgpainless
Source-Version: 1.6.4-1
Done: Jérôme Charaoui 

We believe that the bug you reported is fixed in the latest version of
pgpainless, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1057...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérôme Charaoui  (supplier of updated pgpainless package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sat, 02 Dec 2023 21:08:44 -0500
Source: pgpainless
Architecture: source
Version: 1.6.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Jérôme Charaoui 
Closes: 1043471 1057166
Changes:
 pgpainless (1.6.4-1) unstable; urgency=medium
 .
   * New upstream version 1.6.4 (Closes: #1057166, #1043471)
   * d/control: bump dependencies for new upstream version
   * d/control: bump Standards-Version, no changes needed
   * d/patches:
 + re-roll patches for new upstream version
 + add patch removing compileJava target
 + fix dependency on sop-java test fixtures
 + fix bouncycastle class names
 - remove obsolete expired keys patch
   * d/rules: resolve junit warnings
   * d/tests: add new sop-java-testfixtures jar on classpath

Processed: owner 1057170

2023-12-02 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> owner 1057170 !
Bug #1057170 [src:ssl-utils-clojure] ssl-utils-clojure: FTBFS with bouncycastle 
1.77
Owner changed from Jérôme  to Jérôme Charaoui 
.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1057170: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057170
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: owner 1057170

2023-12-02 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> owner 1057170 !
Bug #1057170 [src:ssl-utils-clojure] ssl-utils-clojure: FTBFS with bouncycastle 
1.77
Owner recorded as Jérôme .
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1057170: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057170
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1057170: marked as done (ssl-utils-clojure: FTBFS with bouncycastle 1.77)

2023-12-02 Thread Debian Bug Tracking System
Your message dated Sun, 03 Dec 2023 07:07:53 +
with message-id 
and subject line Bug#1057170: fixed in ssl-utils-clojure 3.5.3-1
has caused the Debian Bug report #1057170,
regarding ssl-utils-clojure: FTBFS with bouncycastle 1.77
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1057170: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057170
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ssl-utils-clojure
Version: 3.5.0-2
Severity: serious
Tags: ftbfs sid
User: a...@debian.org
Usertags: bouncycastle-1.77
X-Debbugs-Cc: a...@debian.org

Dear maintainer,

ssl-utils-clojure fails to build from source with bouncycastle 1.77. The reason
is the removal of long deprecated methods. The (hopefully) relevant
error message from the build log.


lein jar
Compiling 2 source files to /<>/target/classes
/<>/src/java/com/puppetlabs/ssl_utils/ExtensionsUtils.java:632:
error: cannot find symbol
return asn1ObjToObj(taggedObj.getObject());
 ^
  symbol:   method getObject()
  location: variable taggedObj of type ASN1TaggedObject
1 error
Compilation of Java sources(lein javac) failed.
make[1]: *** [debian/rules:19: override_dh_auto_build] Error 1
make[1]: Leaving directory '/<>'
make: *** [debian/rules:11: binary] Error 2
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
--- End Message ---
--- Begin Message ---
Source: ssl-utils-clojure
Source-Version: 3.5.3-1
Done: Jérôme Charaoui 

We believe that the bug you reported is fixed in the latest version of
ssl-utils-clojure, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1057...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérôme Charaoui  (supplier of updated ssl-utils-clojure 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 03 Dec 2023 01:30:43 -0500
Source: ssl-utils-clojure
Architecture: source
Version: 3.5.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Clojure Maintainers 
Changed-By: Jérôme Charaoui 
Closes: 1048019 1057170
Changes:
 ssl-utils-clojure (3.5.3-1) unstable; urgency=medium
 .
   * New upstream version 3.5.3 (Closes: #1057170)
   * d/rules: fix typo in override_dh_clean target (Closes: #1048019)
   * d/patches: update patches for new upstream version

--- End Message ---


Processed: src:haskell-pandoc binary package names conflict with src:pandoc binary packages

2023-12-02 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 src:pandoc
Bug #1057309 [src:haskell-pandoc] src:haskell-pandoc binary package names 
conflict with src:pandoc binary packages
Added indication that 1057309 affects src:pandoc

-- 
1057309: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057309
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1057309: src:haskell-pandoc binary package names conflict with src:pandoc binary packages

2023-12-02 Thread Hannes von Haugwitz
Source: haskell-pandoc
Version: 3.0.1-2
Severity: serious
Control: affects -1 src:pandoc

Hi,

The binary packages provided by src:haskell-pandoc conflict with the
binary packages of src:pandoc; violating Debian Policy 3.1 ("Every
package must have a name that’s unique within the Debian archive.").

This also makes the pandoc binary package from src:pandoc uninstallable
in unstable:


# apt policy pandoc pandoc-data
pandoc:
  Installed: (none)
  Candidate: 2.17.1.1-3
  Version table:
     2.17.1.1-3 500
        500 mirror+file:/etc/apt/mirrors/debian.list unstable/main amd64 Packages
pandoc-data:
  Installed: (none)
  Candidate: 3.0.1-2
  Version table:
     3.0.1-2 500
        500 mirror+file:/etc/apt/mirrors/debian.list unstable/main amd64 Packages
     2.17.1.1-3 500
        500 mirror+file:/etc/apt/mirrors/debian.list unstable/main amd64 Packages

# apt install pandoc
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 pandoc : Depends: pandoc-data (< 2.17.1.1-3.~) but 3.0.1-2 is to be installed
E: Unable to correct problems, you have held broken packages.


As a workaround you can specify the matching version of pandoc-data:

# apt install pandoc pandoc-data=2.17.1.1-3

Best regards

Hannes



Bug#1057203: r-bioc-rhdf5filters: missing build-dependency on big-endian architectures

2023-12-02 Thread Andreas Tille
Hi Graham,

thanks for bringing this up.

I have a totally different question concerning the transition.  At

https://buildd.debian.org/status/package.php?p=r-bioc-ioniser

the build logs are lagging now nearly two days for all architectures.
Do you know whom to ask for the reason?

Kind regards
   Andreas.

On Fri, Dec 01, 2023 at 02:45:33PM -0100, Graham Inggs wrote:
> Source: r-bioc-rhdf5filters
> Version: 1.12.1+dfsg2-1
> Severity: serious
> Tags: ftbfs
> X-Debbugs-Cc: debian-s...@lists.debian.org
> 
> Hi Maintainer
> 
> A commit on 2023-08-01 [1] added a build-dependency on
> libvbz-hdf-plugin-dev, which is not available on big-endian
> architectures, and prevents r-bioc-rhdf5filters from building on s390x
> [2], where it built previously, thus blocking migration.
> 
> The package libvbz-hdf-plugin does not build on big-endian
> architectures [3] due to a missing build-dependency on
> libstreamvbyte-dev, and libstreamvbyte itself FTBFS on big-endian
> architectures [4].
> 
> According to:
> reverse-depends --release sid --recursive r-bioc-rhdf5filters
> 
> r-bioc-rhdf5filters has many reverse-dependencies on s390x, so rather
> than dealing with all of these, it may be simplest to fix
> libstreamvbyte.
> 
> Regards
> Graham
> 
> 
> [1] 
> https://salsa.debian.org/r-pkg-team/r-bioc-rhdf5filters/-/commit/78ced3f3c70fe29db3ba16bc2b57da5ab0e4fa6c
> [2] https://buildd.debian.org/status/package.php?p=r-bioc-rhdf5filters
> [3] https://buildd.debian.org/status/package.php?p=libvbz-hdf-plugin
> [4] https://buildd.debian.org/status/package.php?p=libstreamvbyte

-- 
http://fam-tille.de