Re: Hints for Haskell
On Tue, Dec 20, 2011 at 12:34:03PM +0100, Joachim Breitner wrote:
> unless I am mistaken, a large number of Haskell packages can now
> migrate, please try the attached easy hints file.

It worked, thanks. :)

Kind regards
Philipp Kern
Bug#648775: transition: mono 2.10
Hi there,

On Tue, Dec 20, 2011 at 10:58:50PM +0100, Niels Thykier wrote:
> […]
> If you haven't already done so, please head to [1] (or [2]) to verify
> the list of affected source packages.

I think that's right.

>
> […]
> > * Upload all of mono & cli-common from experimental to unstable
> > * Upload build tools (nant)
> > * Remove mono-debugger
> > * Get LO bindings disabled
> > * No-change rebuild / binNMU all applications against the 4.0
> >   profile
> > * No-change rebuild / binNMU all libraries against the 4.0 profile, in
> >   leaf-first order
> >
>
> Do you have a list/table of the ~30 binNMUable packages that tells us
> which of them are libs and which are not? Alternatively can we just go
> by "dependency level" from the transition tracker package (starting with
> the bottom/level 10)?

No, but here is one:

libraries
---------
libindicate
libgwibber
gstreamer-sharp
gdata-sharp
gnome-desktop-sharp2
libgpod (U)
gnome-sharp2
gnome-keyring-sharp
gmime2.4
activiz.net (U)
zeroc-ice
libkarma (U)
gtk-sharp2
mummy (U)

plugins
-------
banshee-community-extensions

applications
------------
fsgateway
ikvm
antlr
tangerine
gnome-do
banshee
tomboy
mistelix
longomatch
gnome-subtitles
f-spot
bareftp
gdcm

There were some unclear cases, but you should be able to rebuild all
applications once mono and nant are uploaded, the plugins after their
applications are rebuilt and then finally the libraries, in leaf-first
order (with the exception below). The main thing to remember is that
once stuff has been rebuilt it will be 4.0, and 2.0 code cannot load
4.0.

As an additional complication, some libraries are packaged 'unstable',
(marked as (U) above) meaning that they are copied by their consumers at
build time. These libraries should be rebuilt /before/ their library
rdeps, otherwise you'll get 2.0 copies inside 4.0 libraries and have to
do a second rebuild. This will be unavoidable in some cases where
applications depend on unstable libraries.

We can let you know when binNMUs should be issued if you like, as we'll
be doing the no-change source uploads at the same time.

Also I just noticed that mummy FTBFS with 2.10, and filed this as
#652976. This is a new package since we prepared the transition. If not
fixed by the maintainer, I'll look at NMUing.

> […]

Cheers,

-- 
Iain Lane         [ i...@orangesquash.org.uk ]
Debian Developer  [ la...@debian.org ]
Ubuntu Developer  [ la...@ubuntu.com ]
PhD student       [ i...@cs.nott.ac.uk ]
Re: [SRM] rpm/CVE-2011-3378
On Thu, 2011-12-22 at 19:45 +0100, Moritz Mühlenhoff wrote:
> I'd like to fix rpm/CVE-2011-3378 in the next stable point update.

Please go ahead; thanks.

> Debdiff attached.

"debdiff.rpm" is a somewhat unusual and slightly confusing way of naming
the diff. ;-)

Regards,

Adam

-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1324588122.24673.1.ca...@hathi.jungle.funky-badger.org
Re: [SRM] Fixing #648441 (CVE-2011-4128) in stable
On Thu, 2011-12-22 at 18:53 +0100, Andreas Metzler wrote:
> I would like to upload gnutls26_2.8.6-1+squeeze1 to stable.
> ---
>   * Pull fixes for buffer overflow in gnutls_session_get_data() from upstream
>     git. (CVE-2011-4128: GNUTLS-SA-2011-2) Closes: #648441
>     20_CVE-2011-4128.part1.diff 20_CVE-2011-4128.part2.diff
> ---

Please go ahead; thanks.

Regards,

Adam
[SRM] rpm/CVE-2011-3378
Hi,

I'd like to fix rpm/CVE-2011-3378 in the next stable point update.
Debdiff attached.

Cheers,
Moritz

debdiff.rpm Description: application/redhat-package-manager
[SRM] Fixing #648441 (CVE-2011-4128) in stable
On 2011-12-22 Moritz Muehlenhoff wrote:
> On Fri, Nov 11, 2011 at 04:35:56PM +0100, Simon Josefsson wrote:
[...]
> > As far as I understand, the client also has to be written in a
> > vulnerable way. The example code doesn't, and likely there are few
> > clients like that around. More investigation is warranted...

> Andreas, can you fix this for the upcoming stable point update?
> http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

> Although it's minor it would be nice to fix it up in stable.

Hello,

I would like to upload gnutls26_2.8.6-1+squeeze1 to stable.
---
  * Pull fixes for buffer overflow in gnutls_session_get_data() from upstream
    git. (CVE-2011-4128: GNUTLS-SA-2011-2) Closes: #648441
    20_CVE-2011-4128.part1.diff 20_CVE-2011-4128.part2.diff
---
diff to 2.8.6-1 attached.

thanks, cu andreas
-- 
`What a good friend you are to him, Dr. Maturin.
His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

File lists identical on package level (after any substitutions)

Control files of package gnutls-bin: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}

Control files of package gnutls-doc: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}

Control files of package guile-gnutls: lines which differ (wdiff format)
------------------------------------------------------------------------
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}

Control files of package libgnutls-dev: lines which differ (wdiff format)
-------------------------------------------------------------------------
Depends: libgnutls26 (= [-2.8.6-1),-] {+2.8.6-1+squeeze1),+} libgcrypt11-dev (>= 1.3.0), libc6-dev | libc-dev, zlib1g-dev, libtasn1-3-dev (>= 0.3.4)
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}

Control files of package libgnutls26: lines which differ (wdiff format)
-----------------------------------------------------------------------
Installed-Size: [-1268-] {+1264+}
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}

Control files of package libgnutls26-dbg: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: libgnutls26 (= [-2.8.6-1)-] {+2.8.6-1+squeeze1)+}
Version: [-2.8.6-1-] {+2.8.6-1+squeeze1+}

changelog |8 ++
patches/20_CVE-2011-4128.part1.diff | 44 patches/20_CVE-2011-4128.part2.diff | 24 +++ patches/series |2 + 4 files changed, 78 insertions(+) diff -Nru gnutls26-2.8.6/debian/changelog gnutls26-2.8.6/debian/changelog --- gnutls26-2.8.6/debian/changelog 2010-03-20 16:06:34.0 +0100 +++ gnutls26-2.8.6/debian/changelog 2011-12-22 18:19:27.0 +0100 @@ -1,3 +1,11 @@ +gnutls26 (2.8.6-1+squeeze1) stable; urgency=low + + * Pull fixes for buffer overflow in gnutls_session_get_data() from upstream +git. (CVE-2011-4128: GNUTLS-SA-2011-2) Closes: #648441 +20_CVE-2011-4128.part1.diff 20_CVE-2011-4128.part2.diff + + -- Andreas Metzler Thu, 22 Dec 2011 18:07:26 +0100 + gnutls26 (2.8.6-1) unstable; urgency=low * Use dh_lintian. diff -Nru gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part1.diff gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part1.diff --- gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part1.diff 1970-01-01 01:00:00.0 +0100 +++ gnutls26-2.8.6/debian/patches/20_CVE-2011-4128.part1.diff 2011-12-22 18:17:52.0 +0100 
@@ -0,0 +1,44 @@ +From 190cef6eed37d0e73a73c1e205eb31d45ab60a3c Mon Sep 17 00:00:00 2001 +From: Alban Crequy +Date: Mon, 7 Nov 2011 18:51:27 + +Subject: [PATCH] gnutls_session_get_data: fix possible buffer overflow + +The test to avoid the buffer overflow was always false because +session_data_size was set at the wrong place. This problem has been introduced +by this commit: + +|commit ad4ed44c65e753e6d3a00104c049dd81826ccbf3 +|Author: Nikos Mavrogiannopoulos +|Date: Mon Nov 7 22:24:48 2005 + +| +|This is the initial commit in the 1.3 branch. Ported from the PSK branch: +|* PSK ciphersuites have been added. +|* The session resumption data are now system independent. + +Signed-off-by: Nikos Mavrogiannopoulos +--- + lib/gnutls_session.c |2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/lib/gnutls_session.c b/lib/gnutls_session.c +index 8028d5a..418a2ba 100644 +--- a/lib/gnutls_session.c b/lib/gnutls_session.c +@@ -63,13 +63,13 @@ gnutls_session_get_data (gnutls_session_t session, + gnutls_assert (); + return ret; + } +- *session_data_size = psession.size; + + if (psession.size > *session_data_size) + { + ret = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto error; + } ++ *session_data_size = pse
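Review bot: In the lib/gnutls_session.c hunk of 20_CVE-2011-4128.part1.diff, the `goto error` taken when `psession.size > *session_data_size` now runs before anything writes `*session_data_size`, so as far as this hunk shows, a caller that receives GNUTLS_E_SHORT_MEMORY_BUFFER is not told the size it needs. Please confirm that 20_CVE-2011-4128.part2.diff (24 lines in the diffstat, not shown in this archived copy) sets the required size on that path, or say in the changelog entry that the size is only written on success. The hunk is also cut off in this copy at `+ *session_data_size = pse`, so where the re-added assignment sits relative to the copy into the caller's buffer cannot be checked from this message; the full debdiff should be read before the upload.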
Re: Request to upload linux-2.6 (various suites)
On Thu, Dec 22, 2011 at 01:17:16AM +, Ben Hutchings wrote:
> unstable: 3.1.6-1
> Upstream stable update and a few other fixes. 3.1.5-1 should go into
> testing first.

3.1.5-1 is in testing.

Bastian

-- 
Without followers, evil cannot spread.
    -- Spock, "And The Children Shall Lead", stardate 5029.5
Re: Request to upload linux-2.6 (various suites)
On Thu, Dec 22, 2011 at 01:17:16AM +, Ben Hutchings wrote:
> I think the following versions should be uploaded soon:
>
> stable-proposed-updates: 2.6.32-40
>
> Upstream stable updates 2.6.32.{47,48,49,50,51}, a few other fixes, and
> backport of isci driver.
>
> unstable: 3.1.6-1
>
> Upstream stable update and a few other fixes. 3.1.5-1 should go into
> testing first.
>
> experimental: 3.2~rc6-1~experimental.1
>
> New upstream release candidate, and various config changes.
>
> I will spend much of the rest of the year offline, so I do *not*
> currently plan to make these uploads myself. Any volunteers?

I can do them the upcoming week, maybe some before.

-- 
maks