Bug#773712: unblock: jenkins-job-builder/0.9.0-0.1
retitle 773712 pre-approval: unblock: jenkins-job-builder/0.9.0-0.1
tag 773712 + confirmed
thanks

On Mon, Dec 22, 2014 at 03:29:36PM +0100, Michael Prokop wrote:
> The version of jenkins-job-builder as available in current jessie is
> totally broken with regards to its feature to delete Jenkins jobs.
> There's a fix available from upstream which I included in version
> 0.9.0-0.2. I've also verified that the fix works as needed.
>
> Please unblock package jenkins-job-builder:
>
> unblock jenkins-job-builder/0.9.0-0.2
>
> Debdiff of the package versions as in jessie vs. what I just uploaded
> to Debian/unstable (not yet accepted there though/disclaimer):

Looks good to me, but still not accepted.

Kind regards
Philipp Kern
Processed: Re: Bug#773712: unblock: jenkins-job-builder/0.9.0-0.1
Processing commands for cont...@bugs.debian.org:

> retitle 773712 pre-approval: unblock: jenkins-job-builder/0.9.0-0.1
Bug #773712 [release.debian.org] unblock: jenkins-job-builder/0.9.0-0.2
Changed Bug title to 'pre-approval: unblock: jenkins-job-builder/0.9.0-0.1' from 'unblock: jenkins-job-builder/0.9.0-0.2'
> tag 773712 + confirmed
Bug #773712 [release.debian.org] pre-approval: unblock: jenkins-job-builder/0.9.0-0.1
Added tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
773712: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773712
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/handler.s.c.141932601610288.transcr...@bugs.debian.org
Bug#773515: unblock: mono/3.2.8+dfsg-9
tag 773515 + confirmed
thanks

On Fri, Dec 19, 2014 at 11:55:00AM +, Jo Shields wrote:
> Please unblock package mono
>
> There are a couple of long-standing bugs in the Mono package, which are
> fixed by this proposed upload to Unstable.
>
> #771389 prevents IPv6 from working in Mono-based apps

It's a behavior change, but I'm inclined to let you fix the resolver here
to be in line with the remainder of the distribution.

> #773509 and #773511 relate to the mono-runtime-dbg package not being
> correctly populated (and currently being useless)

Looks fine. Please go ahead with the upload and report back once it has
been accepted.

Kind regards and thanks for your efforts
Philipp Kern
Processed: Re: Bug#773515: unblock: mono/3.2.8+dfsg-9
Processing commands for cont...@bugs.debian.org:

> tag 773515 + confirmed
Bug #773515 [release.debian.org] pre-approval: mono/3.2.8+dfsg-9
Added tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
773515: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773515
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Archive: https://lists.debian.org/handler.s.c.141932615611291.transcr...@bugs.debian.org
Bug#773782: unblock: znc/1.4-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package znc.

The upload adds an upstream patch that allows disabling SSL protocols, and
disables SSLv2 and SSLv3.

unblock znc/1.4-2

Thanks,
Thijs

Archive: https://lists.debian.org/20141223093202.3886.66717.report...@tetraquark.soleus.nu
Bug#773712: unblock: jenkins-job-builder/0.9.0-0.1
* Philipp Kern [Tue Dec 23, 2014 at 10:13:28AM +0100]:
> On Mon, Dec 22, 2014 at 03:29:36PM +0100, Michael Prokop wrote:
>> The version of jenkins-job-builder as available in current jessie is
>> totally broken with regards to its feature to delete Jenkins jobs.
>> There's a fix available from upstream which I included in version
>> 0.9.0-0.2. I've also verified that the fix works as needed.
>>
>> Please unblock package jenkins-job-builder:
>>
>> unblock jenkins-job-builder/0.9.0-0.2
>>
>> Debdiff of the package versions as in jessie vs. what I just uploaded
>> to Debian/unstable (not yet accepted there though/disclaimer):
>
> Looks good to me, but still not accepted.

Hmpf, again caused by misleading DEBSIGN_KEYID handling of ~/.devscripts
vs. environment variable and never getting a reject mail about that. :-/

I just removed jenkins-job-builder* files from ftp-master and reuploaded
it with the according key id signature, just got the acceptance mail now.

Sorry about that. Thanks!

regards,
-mika-
Bug#773515: unblock: mono/3.2.8+dfsg-9
On 23/12/14 09:15, Philipp Kern wrote:
> Please go ahead with the upload and report back once it has been
> accepted.

mono_3.2.8+dfsg-9_amd64.changes ACCEPTED into unstable

Archive: https://lists.debian.org/5499561f.7080...@apebox.org
Bug#773796: wheezy-pu: package mercurial/2.2.2-4
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

mercurial in wheezy is affected by CVE-2014-9390[0] (Errors in handling
case-sensitive directories allow for remote code execution on pull). The
security team says that few users are affected by it as it only affects
you if you are running on a case-sensitive filesystem. They say it should
go through stable-proposed-updates.

Upstream has said that three patches[1] need to be backported to fix it.
I've done it for wheezy and prepared an upload, see the attached debdiff
against the current version in wheezy: 2.2.2-3.

[0] https://security-tracker.debian.org/tracker/CVE-2014-9390
[1] http://selenic.com/pipermail/mercurial-packaging/2014-December/000133.html

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru mercurial-2.2.2/debian/changelog mercurial-2.2.2/debian/changelog --- mercurial-2.2.2/debian/changelog 2013-02-23 20:53:41.0 +0100 +++ mercurial-2.2.2/debian/changelog 2014-12-23 12:42:25.0 +0100
@@ -1,3 +1,10 @@ +mercurial (2.2.2-4) stable; urgency=high + + * Security update for CVE-2014-9390: errors in handling case-sensitive +directories allow for remote code execution on pull. + + -- Javi Merino vi...@debian.org Tue, 23 Dec 2014 12:42:20 +0100 + mercurial (2.2.2-3) unstable; urgency=low * Fix Backport improvement to vimdiff configuration by adding diff -Nru mercurial-2.2.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch mercurial-2.2.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch --- mercurial-2.2.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch 1970-01-01 01:00:00.0 +0100 +++ mercurial-2.2.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch 2014-12-23 10:33:58.0 +0100 
@@ -0,0 +1,43 @@ +Origin: http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3 +Description: encoding: add hfsignoreclean to clean out HFS-ignored characters + According to Apple Technote 1150 (unavailable from Apple as far as I + can tell, but archived in several places online), HFS+ ignores sixteen + specific unicode runes when doing path normalization. We need to + handle those cases, so this function lets us efficiently strip the + offending characters from a UTF-8 encoded string (which is the only + way it seems to matter on OS X.) + . + This is a fix for CVE-2014-9390 +Applied-Upstream: 3.2.3 + +--- a/mercurial/encoding.py b/mercurial/encoding.py +@@ -8,6 +8,28 @@ + import error + import unicodedata, locale, os + ++# These unicode characters are ignored by HFS+ (Apple Technote 1150, ++# Unicode Subtleties), so we need to ignore them in some places for ++# sanity. ++_ignore = [unichr(int(x, 16)).encode(utf-8) for x in ++ 200c 200d 200e 200f 202a 202b 202c 202d 202e ++ 206a 206b 206c 206d 206e 206f feff.split()] ++# verify the next function will work ++assert set([i[0] for i in _ignore]) == set([\xe2, \xef]) ++ ++def hfsignoreclean(s): ++Remove codepoints ignored by HFS+ from s. ++ ++ hfsignoreclean(u'.h\u200cg'.encode('utf-8')) ++'.hg' ++ hfsignoreclean(u'.h\ufeffg'.encode('utf-8')) ++'.hg' ++ ++if \xe2 in s or \xef in s: ++for c in _ignore: ++s = s.replace(c, '') ++return s ++ + def _getpreferredencoding(): + ''' + On darwin, getpreferredencoding ignores the locale environment and diff -Nru mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch --- mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch 1970-01-01 01:00:00.0 +0100 +++ mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch 2014-12-23 10:33:58.0 +0100 
@@ -0,0 +1,59 @@ +Origin: http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e +Description: pathauditor: check for codepoints ignored on OS X + This is a fix for CVE-2014-9390 +Applied-Upstream: 3.2.3 + +--- a/tests/test-commit.t b/tests/test-commit.t +@@ -216,7 +216,23 @@ subdir log + summary: commit-foo-subdir + + $ cd .. +- $ cd .. ++ ++verify pathauditor blocks evil filepaths ++ $ cat evil-commit.py EOF ++ from mercurial import ui, hg, context, node ++ notrc = u.h\u200cg.encode('utf-8') + '/hgrc' ++ u = ui.ui() ++ r = hg.repository(u, '.') ++ def filectxfn(repo, memctx,
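Review bot: the changelog entry for 2.2.2-4 names CVE-2014-9390 but not what is being backported; the two patch headers already carry Origin: URLs (hg-stable revs 885bd7c5c7e3 and c02a05cc6f5e) and Applied-Upstream: 3.2.3, so naming the upstream fix version or the changesets in the changelog would make the stable update self-describing. The cover mail says three upstream patches are needed, while this excerpt of the debdiff shows two before it is cut off, so please confirm the third patch and the debian/patches/series change are in the upload.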
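Review bot: in the encoding.py hunk the fast path in hfsignoreclean (only scan for the 0xE2 and 0xEF lead bytes) is correct solely because every entry of _ignore begins with one of those two bytes, which the module-level assert enforces at import time. That is the right failure mode if someone later extends the list with a codepoint outside the U+2000 block, but the assert is load-bearing and deserves a comment saying so, since the next backporter may be tempted to drop a bare top-level assert.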
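Review bot: the new test in test-commit.t ("verify pathauditor blocks evil filepaths") only exercises U+200C in ".h\u200cg/hgrc"; the fix covers sixteen codepoints with two different UTF-8 lead bytes (0xE2 and 0xEF), so a second case using U+FEFF would cover the other branch of the fast-path check added in encoding.py. The hunk is cut off here after the filectxfn definition, so the expected error output cannot be reviewed from this excerpt.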
Processed: Re: Bug#773796: wheezy-pu: package mercurial/2.2.2-4
Processing control commands:

> tags -1 + moreinfo
Bug #773796 [release.debian.org] wheezy-pu: package mercurial/2.2.2-4
Added tag(s) moreinfo.

-- 
773796: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773796
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Archive: https://lists.debian.org/handler.s.b773796.14193408209902.transcr...@bugs.debian.org
Bug#773796: wheezy-pu: package mercurial/2.2.2-4
Control: tags -1 + moreinfo

Hi,

On 2014-12-23 12:15, Javi Merino wrote:
> mercurial in wheezy is affected by CVE-2014-9390[0] (Errors in handling
> case-sensitive directories allow for remote code execution on pull). The
> security team says that few users are affected by it as it only affects
> you if you are running on a case-sensitive filesystem. They say it should
> go through stable-proposed-updates.
>
> Upstream has said that three patches[1] need to be backported to fix it.
> I've done it for wheezy and prepared an upload, see the attached debdiff
> against the current version in wheezy: 2.2.2-3.
>
> [0] https://security-tracker.debian.org/tracker/CVE-2014-9390
> [1] http://selenic.com/pipermail/mercurial-packaging/2014-December/000133.html

Thanks for looking at fixing this in stable. The patches look okay, but it
appears that this hasn't been fixed in unstable yet. Is that correct? If
so then we generally prefer to get unstable fixed first, so that the
changes can get some testing there.

Regards,

Adam

Archive: https://lists.debian.org/aef1dcf938d92ba34b48fab97ddd8...@mail.adsl.funky-badger.org
Bug#773712: marked as done (pre-approval: unblock: jenkins-job-builder/0.9.0-0.1)
Your message dated Tue, 23 Dec 2014 15:14:40 +0100
with message-id 20141223141440.gc6...@ugent.be
and subject line Re: Bug#773712: unblock: jenkins-job-builder/0.9.0-0.1
has caused the Debian Bug report #773712,
regarding pre-approval: unblock: jenkins-job-builder/0.9.0-0.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
773712: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773712
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

The version of jenkins-job-builder as available in current jessie is
totally broken with regards to its feature to delete Jenkins jobs.
There's a fix available from upstream which I included in version
0.9.0-0.2. I've also verified that the fix works as needed.

Please unblock package jenkins-job-builder:

unblock jenkins-job-builder/0.9.0-0.2

Debdiff of the package versions as in jessie vs. what I just uploaded to
Debian/unstable (not yet accepted there though/disclaimer):

diff -Nru jenkins-job-builder-0.9.0/debian/changelog jenkins-job-builder-0.9.0/debian/changelog --- jenkins-job-builder-0.9.0/debian/changelog 2014-10-08 08:54:37.0 +0200 +++ jenkins-job-builder-0.9.0/debian/changelog 2014-12-22 14:42:20.0 +0100
@@ -1,3 +1,10 @@ +jenkins-job-builder (0.9.0-0.2) unstable; urgency=medium + + * Non-maintainer upload. + * Fix deletion of jobs. (Closes: #773642) + + -- Michael Prokop m...@debian.org Mon, 22 Dec 2014 13:42:13 +0100 + jenkins-job-builder (0.9.0-0.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru jenkins-job-builder-0.9.0/debian/patches/0006-fix-delete-job-command-and-add-tests.patch jenkins-job-builder-0.9.0/debian/patches/0006-fix-delete-job-command-and-add-tests.patch --- jenkins-job-builder-0.9.0/debian/patches/0006-fix-delete-job-command-and-add-tests.patch 1970-01-01 01:00:00.0 +0100 +++ jenkins-job-builder-0.9.0/debian/patches/0006-fix-delete-job-command-and-add-tests.patch 2014-12-22 13:41:19.0 +0100 
@@ -0,0 +1,80 @@ +From b7ff37ca5dfa1e7387c636b8b0108404a0bf Mon Sep 17 00:00:00 2001 +From: Khai Do zaro0...@gmail.com +Date: Thu, 9 Oct 2014 15:08:18 -0700 +Subject: [PATCH] fix delete job command and add tests + +change I126751e3 introduced recursive file definition feature however it broke +the ability to delete jobs. This changes fixes it and adds a few tests for it. + +This was the error when trying to delete a job: + +(py27)~/jenkins-job-builder$ jenkins-jobs --conf jenkins_jobs.ini delete myjob +INFO:root:Deleting jobs in [myjob] +Traceback (most recent call last): + File /jenkins-job-builder/.tox/py27/bin/jenkins-jobs, line 10, in module +sys.exit(main()) + File /jenkins-job-builder/jenkins_jobs/cmd.py, line 122, in main +execute(options, config) + File /jenkins-job-builder/jenkins_jobs/cmd.py, line 207, in execute +builder.delete_job(job, options.path) + File /jenkins-job-builder/jenkins_jobs/builder.py, line 611, in delete_job +self.load_files(fn) + File /jenkins-job-builder/jenkins_jobs/builder.py, line 576, in load_files +if os.path.isdir(path): + File /jenkins-job-builder/.tox/py27/lib/python2.7/genericpath.py, line 41, +in isdir st = os.stat(s) +TypeError: coercing to Unicode: need string or buffer, NoneType found + +Closes-Bug: #1349634 +Change-Id: Ib87fa497d80ba33470c049f875658a3878afb664 +--- + jenkins_jobs/cmd.py | 2 +- + tests/cmd/test_cmd.py | 22 ++ + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/jenkins_jobs/cmd.py b/jenkins_jobs/cmd.py +index 224ee49..3d9a62a 100755 +--- a/jenkins_jobs/cmd.py b/jenkins_jobs/cmd.py +@@ -193,7 +193,7 @@ def execute(options, config): + ignore_cache=ignore_cache, + flush_cache=options.flush_cache) + +-if hasattr(options, 'path'): ++if getattr(options, 'path', None): + if options.path == sys.stdin: + logger.debug(Input file is stdin) + if options.path.isatty(): +diff --git a/tests/cmd/test_cmd.py b/tests/cmd/test_cmd.py +index 792b5f3..61bdc6c 100644 +--- a/tests/cmd/test_cmd.py 
b/tests/cmd/test_cmd.py +@@ -208,3 +208,25 @@ class CmdTests(testtools.TestCase): + cmd.execute(args, config) # probably better to fail here + + update_job_mock.assert_called_with(paths, [], output=args.output_dir) ++ ++@mock.patch('jenkins_jobs.cmd.Builder.delete_job') ++def test_delete_single_job(self, delete_job_mock): ++ ++
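Review bot: the one-line fix in jenkins_jobs/cmd.py (hasattr replaced by getattr with a None default) cures the traceback from the delete subcommand, where options.path exists but is None, but it also changes behaviour for an empty-string path, which is now skipped silently instead of reaching os.path.isdir; that is probably acceptable, but it is not mentioned in the patch description. The debian/patches/0006 file carries only the git From:/Subject: header; since the upstream Change-Id and Closes-Bug: #1349634 are right there, a DEP-3 Origin: line pointing at the upstream commit and an Applied-Upstream: field would make the NMU easier to audit later.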
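Review bot: the tests/cmd/test_cmd.py hunk is cut off after the decorator of test_delete_single_job, so the assertion it makes on delete_job_mock cannot be reviewed here; the hunk header promises 22 added lines, so please confirm the complete test body is present in the uploaded patch and that the new test actually runs in the package build.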
Bug#773782: marked as done (unblock: znc/1.4-2)
Your message dated Tue, 23 Dec 2014 15:27:32 +0100
with message-id 20141223142732.ge6...@ugent.be
and subject line Re: Bug#773782: unblock: znc/1.4-2
has caused the Debian Bug report #773782,
regarding unblock: znc/1.4-2
to be marked as done.

-- 
773782: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773782
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package znc.

The upload adds an upstream patch that allows disabling SSL protocols, and
disables SSLv2 and SSLv3.

unblock znc/1.4-2

Thanks,
Thijs
---End Message---
---BeginMessage---
Hi,

On Tue, Dec 23, 2014 at 10:32:02AM +0100, Thijs Kinkhorst wrote:
> unblock znc/1.4-2

Unblocked.

Cheers,
Ivo
---End Message---
Bug#773515: marked as done (pre-approval: mono/3.2.8+dfsg-9)
Your message dated Tue, 23 Dec 2014 15:26:28 +0100
with message-id 20141223142628.gd6...@ugent.be
and subject line Re: Bug#773515: unblock: mono/3.2.8+dfsg-9
has caused the Debian Bug report #773515,
regarding pre-approval: mono/3.2.8+dfsg-9
to be marked as done.

-- 
773515: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773515
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package mono

There are a couple of long-standing bugs in the Mono package, which are
fixed by this proposed upload to Unstable.

#771389 prevents IPv6 from working in Mono-based apps

#773509 and #773511 relate to the mono-runtime-dbg package not being
correctly populated (and currently being useless)

diff --git a/data/net_1_1/machine.config b/data/net_1_1/machine.config index 2e346ad..c44f11f 100644 - --- a/data/net_1_1/machine.config +++ b/data/net_1_1/machine.config @@ -75,7 +75,7 @@ add prefix=file type=System.Net.FileWebRequestCreator, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 / /webRequestModules settings - - ipv6 enabled=false/ + ipv6 enabled=true/ /settings /system.net system.web diff --git a/data/net_2_0/machine.config b/data/net_2_0/machine.config index c6d1b2c..9da7be9 100644 - --- a/data/net_2_0/machine.config +++ b/data/net_2_0/machine.config
@@ -119,7 +119,7 @@ add prefix=ftp type=System.Net.FtpRequestCreator, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 / /webRequestModules settings - - ipv6 enabled=false/ + ipv6 enabled=true/ /settings /system.net diff --git a/data/net_4_0/machine.config b/data/net_4_0/machine.config index b98a4d3..12839c1 100644 - --- a/data/net_4_0/machine.config +++ b/data/net_4_0/machine.config @@ -136,7 +136,7 @@ add prefix=ftp type=System.Net.FtpRequestCreator, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 / /webRequestModules settings - - ipv6 enabled=false/ + ipv6 enabled=true/ /settings /system.net diff --git a/data/net_4_5/machine.config b/data/net_4_5/machine.config index b98a4d3..12839c1 100644 - --- a/data/net_4_5/machine.config +++ b/data/net_4_5/machine.config @@ -136,7 +136,7 @@ add prefix=ftp type=System.Net.FtpRequestCreator, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 / /webRequestModules settings - - ipv6 enabled=false/ + ipv6 enabled=true/ /settings /system.net diff --git a/debian/changelog b/debian/changelog index bfdd9f5..bc81216 100644 - --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +mono (3.2.8+dfsg-9) unstable; urgency=medium + + [ Mirco Bauer ] + * [c8efb3b] Enable IPv6 support by default (closes: #771389) + + [ Jo Shields ] + * [0d67f80] Fix missing contents in mono-runtime-dbg package +(Closes: #773509, #773511) + + -- Mirco Bauer mee...@meebey.net Fri, 19 Dec 2014 11:47:22 + + mono (3.2.8+dfsg-7) unstable; urgency=medium * [10016c2] Build libmono-2.0-1 and libmono-2.0-dev for mipsel diff --git a/debian/rules b/debian/rules index ac1c33b..f2cc3b7 100755 - --- a/debian/rules +++ b/debian/rules 
@@ -367,10 +367,10 @@ binary-arch: build-stamp install-stamp test-stamp dh_installman -s dh_installexamples -s dh_installexamples -pmono-jay $(CURDIR)/mcs/jay/skeleton.cs - - dh_strip -pmono-runtime --dbg-package=mono-runtime-dbg + dh_strip -pmono-runtime-sgen -pmono-runtime-boehm - --dbg-package=mono-runtime-dbg dh_strip -plibmonoboehm-2.0-1 --dbg-package=libmonoboehm-2.0-1-dbg dh_strip -plibmonosgen-2.0-1 --dbg-package=libmonosgen-2.0-1-dbg - - dh_strip -s -Xbin/mono-sgen + dh_strip -s -Xbin/mono-sgen -Xbin/mono-boehm dh_compress -s -Xskeleton.cs dh_fixperms -s unblock mono/3.2.8+dfsg-9 - -- System Information: Debian Release: jessie/sid APT prefers trusty-updates APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500,
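Review bot: the debian/changelog hunk adds the 3.2.8+dfsg-9 entry directly above 3.2.8+dfsg-7 in the unchanged context, so either a -8 upload was skipped or its entry is missing from the changelog; please state which, since the release team is being asked to judge exactly what changed between the version in jessie and this one.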
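Review bot: the debdiff was sent inside a PGP clearsigned body, so every line beginning with a dash has been dash-escaped ("- --- a/data/net_1_1/machine.config", "- - <ipv6 ...", "- -- System Information"); the attachment as shown will not apply with patch(1) until it is de-escaped, so please send the debdiff as a separate attachment or unsigned. On the debian/rules hunk itself, moving the mono-runtime debug symbols to "-pmono-runtime-sgen -pmono-runtime-boehm" and adding -Xbin/mono-boehm to the generic dh_strip exclusion is consistent with the existing -Xbin/mono-sgen exclusion, so the two binaries are now treated symmetrically.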
Bug#773748: marked as done (unblock: unrtf/0.21.5-2)
Your message dated Tue, 23 Dec 2014 15:29:13 +0100
with message-id 20141223142913.gf6...@ugent.be
and subject line Re: Bug#773748: unblock: unrtf/0.21.5-2
has caused the Debian Bug report #773748,
regarding unblock: unrtf/0.21.5-2
to be marked as done.

-- 
773748: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773748
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package unrtf

It fixes two security holes reported in #772811, CVE-2014-9274 and
CVE-2014-9275. Additionally, it fixes an access to already freed memory
(these two patches, 0004 and 0005, have to go together).

debdiff attached.

unblock unrtf/0.21.5-2

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru unrtf-0.21.5/debian/changelog unrtf-0.21.5/debian/changelog --- unrtf-0.21.5/debian/changelog 2013-11-30 12:30:28.0 +0100 +++ unrtf-0.21.5/debian/changelog 2014-12-22 20:20:50.0 +0100
@@ -1,3 +1,14 @@ +unrtf (0.21.5-2) unstable; urgency=medium + + * Security fixes, closes: #772811 +- Fix CVE-2014-9274: check that accesses to color table stay within bounds +- Fix CVE-2014-9275: various crashes + * possible security fixes: +- Fix Invalid read of size 4 in attr_get_param +- attr_get_param(): Silence a warning message again + + -- Willi Mann wi...@debian.org Mon, 22 Dec 2014 20:20:33 +0100 + unrtf (0.21.5-1) unstable; urgency=low * Imported Upstream version 0.21.5 diff -Nru unrtf-0.21.5/debian/patches/0001-check-that-accesses-to-color-table-stay-within-bound.patch unrtf-0.21.5/debian/patches/0001-check-that-accesses-to-color-table-stay-within-bound.patch --- unrtf-0.21.5/debian/patches/0001-check-that-accesses-to-color-table-stay-within-bound.patch 1970-01-01 01:00:00.0 +0100 +++ unrtf-0.21.5/debian/patches/0001-check-that-accesses-to-color-table-stay-within-bound.patch 2014-12-21 22:04:20.0 +0100 
@@ -0,0 +1,55 @@ +From: Jean-Francois Dockes j...@recoll.org +Date: Sun, 21 Dec 2014 10:08:26 +0100 +Subject: check that accesses to color table stay within bounds, + esp that the color number is positive. This fixes {\cb-999} crashing + unrtf + +This fixes CVE-2014-9274, according to http://www.openwall.com/lists/oss-security/2014/12/04/15 + +Origin: https://bitbucket.org/medoc/unrtf-int/commits/b0cef89a170a66bc48f8dd288ce562ea8ca91f7a/raw/ +Bug-Debian: http://bugs.debian.org/772811 +--- + src/convert.c | 9 ++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/convert.c b/src/convert.c +index e563473..96bf438 100644 +--- a/src/convert.c b/src/convert.c +@@ -868,6 +868,9 @@ process_color_table (Word *w) + r=g=b=0; + + while(w) { ++if (total_colors = MAX_COLORS) { ++break; ++} + char *s = word_string (w); + + if (!strncmp(\\red,s,4)) { +@@ -921,7 +924,7 @@ static int + cmd_cf (Word *w, int align, char has_param, int num) { + char str[40]; + +- if (!has_param || num=total_colors) { ++ if (!has_param || num 0 || num=total_colors) { + warning_handler (font color change attempted is invalid); + } + else +@@ -948,7 +951,7 @@ static int + cmd_cb (Word *w, int align, char has_param, int num) { + char str[40]; + +- if (!has_param || num=total_colors) { ++ if (!has_param || num 0 || num=total_colors) { + warning_handler (font color change attempted is invalid); + } + else +@@ -1153,7 +1156,7 @@ cmd_highlight (Word *w, int align, char has_param, int num) + { + char str[40]; + +- if (!has_param || num=total_colors) { ++ if (!has_param || num 0 || num=total_colors) { + warning_handler (font background color change attempted is invalid); + } + else diff -Nru unrtf-0.21.5/debian/patches/0002-Need-to-process-word-chars-as-unsigned.-Else-char-wi.patch unrtf-0.21.5/debian/patches/0002-Need-to-process-word-chars-as-unsigned.-Else-char-wi.patch --- unrtf-0.21.5/debian/patches/0002-Need-to-process-word-chars-as-unsigned.-Else-char-wi.patch 1970-01-01 01:00:00.0 
+0100 +++ unrtf-0.21.5/debian/patches/0002-Need-to-process-word-chars-as-unsigned.-Else-char-wi.patch 2014-12-21 22:04:20.0 +0100 @@ -0,0 +1,29 @@ +From: Jean-Francois Dockes
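Review bot: in the src/convert.c hunk for process_color_table the new bounds check is inserted at the top of the while body, ahead of the "char *s = word_string (w);" declaration, so the loop now mixes a statement and a declaration; fine under C99, but it will warn with -pedantic in C89 mode, and folding the check into the loop condition avoids the question. The same "!has_param || num < 0 || num >= total_colors" guard is then repeated verbatim in cmd_cf, cmd_cb and cmd_highlight; a small color_index_ok(num) helper would keep the three in step if the bound changes again. As rendered here the comparisons read "total_colors = MAX_COLORS" and "num 0"; if the patch file really contains that, the first is an assignment and the second does not compile, so please double-check that the >= and < survived, since the Subject line says the intent is to reject negative colour numbers.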
Bug#773740: marked as done (unblock: postgresql-9.4/9.4.0-1)
Your message dated Tue, 23 Dec 2014 15:31:49 +0100
with message-id 20141223143149.gg6...@ugent.be
and subject line Re: Bug#773740: unblock: postgresql-9.4/9.4.0-1
has caused the Debian Bug report #773740,
regarding unblock: postgresql-9.4/9.4.0-1
to be marked as done.

-- 
773740: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773740
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package postgresql-9.4. This is the first production
version of the package, namely version 9.4.0.

The function PQhostaddr got removed since rc1, but as that was new in the
9.4 series, it is very unlikely that there are any users of it out there.
That was also upstream's reasoning for making such a change post-rc, and
indeed, sources.debian.net doesn't know any source with that symbol.

unblock postgresql-9.4/9.4.0-1

Debian part of the changes:

diff -Nru postgresql-9.4-9.4~rc1/debian/changelog postgresql-9.4-9.4.0/debian/changelog --- postgresql-9.4-9.4~rc1/debian/changelog 2014-11-20 14:51:11.0 +0100 +++ postgresql-9.4-9.4.0/debian/changelog 2014-12-17 22:21:24.0 +0100
@@ -1,3 +1,10 @@ +postgresql-9.4 (9.4.0-1) unstable; urgency=medium + + * 9.4 released. + * libpq5.symbols: PQhostaddr removed; it was new in 9.4. + + -- Christoph Berg m...@debian.org Wed, 17 Dec 2014 22:21:22 +0100 + postgresql-9.4 (9.4~rc1-1) unstable; urgency=medium * First 9.4 RC release. diff -Nru postgresql-9.4-9.4~rc1/debian/libpq5.symbols postgresql-9.4-9.4.0/debian/libpq5.symbols --- postgresql-9.4-9.4~rc1/debian/libpq5.symbols2014-11-20 14:51:11.0 +0100 +++ postgresql-9.4-9.4.0/debian/libpq5.symbols 2014-12-14 21:03:54.0 +0100 @@ -62,7 +62,6 @@ PQgetssl@Base 0 PQgetvalue@Base 0 PQhost@Base 0 - PQhostaddr@Base 9.4~ PQinitOpenSSL@Base 8.4~ PQinitSSL@Base 0 PQinstanceData@Base 8.4~

Thanks,
Christoph
-- 
c...@df7cb.de | http://www.df7cb.de/
---End Message---
---BeginMessage---
Hi,

On Mon, Dec 22, 2014 at 09:40:16PM +0100, Christoph Berg wrote:
> Please unblock package postgresql-9.4. This is the first production
> version of the package, namely version 9.4.0.

Unblocked by Julien a few days ago.

Cheers,
Ivo
---End Message---
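Review bot: dropping PQhostaddr@Base from debian/libpq5.symbols is an exported-symbol removal without a SONAME change, which dpkg-gensymbols will accept but which breaks any binary that linked against the 9.4~rc1 libpq5; the justification (symbol new in 9.4, no source on sources.debian.net references it) is only in the cover mail, while the changelog entry says just "PQhostaddr removed; it was new in 9.4". Please record that rationale, and the fact that upstream itself made the removal post-rc, in the changelog so the ABI break stays traceable from the package alone.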
Bug#773796: wheezy-pu: package mercurial/2.2.2-4
On Tue, Dec 23, 2014 at 01:20:10PM +, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> Hi,
>
> On 2014-12-23 12:15, Javi Merino wrote:
>> mercurial in wheezy is affected by CVE-2014-9390[0] (Errors in handling
>> case-sensitive directories allow for remote code execution on pull). The
>> security team says that few users are affected by it as it only affects
>> you if you are running on a case-sensitive filesystem. They say it should
>> go through stable-proposed-updates.
>>
>> Upstream has said that three patches[1] need to be backported to fix it.
>> I've done it for wheezy and prepared an upload, see the attached debdiff
>> against the current version in wheezy: 2.2.2-3.
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2014-9390
>> [1] http://selenic.com/pipermail/mercurial-packaging/2014-December/000133.html
>
> Thanks for looking at fixing this in stable. The patches look okay, but it
> appears that this hasn't been fixed in unstable yet. Is that correct? If
> so then we generally prefer to get unstable fixed first, so that the
> changes can get some testing there.

That's correct, I'm preparing an upload for jessie. If I upload the same
fix to unstable, would it be unblocked?
Bug#773796: wheezy-pu: package mercurial/2.2.2-4
On 2014-12-23 14:55, Javi Merino wrote:
> On Tue, Dec 23, 2014 at 01:20:10PM +, Adam D. Barratt wrote:
>> The patches look okay, but it appears that this hasn't been fixed in
>> unstable yet. Is that correct? If so then we generally prefer to get
>> unstable fixed first, so that the changes can get some testing there.
>
> That's correct, I'm preparing an upload for jessie. If I upload the same
> fix to unstable, would it be unblocked?

I'd be inclined to do so assuming it was in the near future, yes. Please
file a separate unblock bug for that.

Regards,

Adam

Archive: https://lists.debian.org/cc789203a95118cc67ae02a7565f1...@mail.adsl.funky-badger.org
Bug#773174: marked as done (unblock: debdelta/0.55 , or discuss on the matter)
Your message dated Tue, 23 Dec 2014 17:46:56 +0100 with message-id 20141223164656.ga8...@ugent.be and subject line Re: Bug#773174: unblock: debdelta/0.55 , or discuss on the matter has caused the Debian Bug report #773174, regarding unblock: debdelta/0.55 , or discuss on the matter to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 773174: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773174 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Dear Release team, I uploaded a new version of debdelta ; unfortunately (my fault) I did not realize that this time the freeze policy is so tight. Please unblock package debdelta, or let us discuss if there is some set of changes that you are willing to let into Jessie. Note that the package 'debdelta' contains both the server code and the client code . The server code is quite old, but this is not a problem, since few people (if any) need to use the server code. (The up-to-date server code is in GIT, and is in use in the server that generates deltas for 'debdelta-upgrade' , that is the client tool). The client code is agnostic, it can apply deltas generated by server code that is much more advanced than what is shipped in the package (as long as the GPG key matches!) Let me highlight all the changes between the version 0.50+2 in stable, and 0.55 in unstable; I will list them in decreasing order of importance. 
'S' means: affects server code; 'C' means: affects client code; 'P' means: affects packaging

1C) ship new GPG key; the key currently available in the clients in wheezy and in testing will expire 2015-08-24 so it will need to be updated during the lifetime of Jessie.
2P) Bug fix: owned and unowned files after purge (policy 6.8 + 10.7.3), (Closes: #617481). These are all the changes in debian/postrm and debian/postinst that you see in the debdiff
3C) Portuguese translation (Closes: #760731).
4C) add a stanza in etc/sources.conf to tell the client where to find deltas for backports
5P) ship in .dsc, and then build, only what is committed in git archive; so the following files are not shipped any more:
    debdelta-0.55/contrib/debmirror-delta-security.ubuntu
    debdelta-0.55/old/README
    debdelta-0.55/old/README.upgrade
    debdelta-0.55/po/pt.po
    debdelta-0.55/preunpacking/tarpu.py
6CS) close unneeded file descriptor when invoking subprocesses
7P) bump Standards Version (no change)
8C) do not get confused by broken symlinks
9P) debian/rules: add build-arch, build-indep
10S) support data.tar.xz, with XZ parameter autodetection
11P) update location of GIT repository in debian/control
12S) add ability to cache intermediate data
13C) wait for subprocesses to avoid zombies
15CS) change code to be more ready for a future switch to Python 3, and some other minor code improvements

If you think that there are too many changes, but some of the above changes may enter into testing (and then in Jessie) please tell me which one, and I will upload a new version. All server-code related changes may be omitted w/o affecting the client. I attach the 'cleaned up' debdiff. In this debdiff I deleted all references to the files listed in (5P) that simply disappeared from the package, and the portuguese translation. I also deleted duplicates (since my package uses symlinks, each change is reported 5 times by debdiff).
If you wish, unblock debdelta/0.55 otherwise please tell me which changes may be accepted. I personally would love to see changes 1 to 4 included; these do not really affect the code, but have large positive impact. Thanks and sorry for the mess. a. signature.asc Description: Digital signature ---End Message--- ---BeginMessage--- Hi, On Fri, Dec 19, 2014 at 06:25:06PM +, Jonathan Wiltshire wrote: Looks good, apart from the last line of the changelog. Please remove that and go ahead, and remove the moreinfo tag. Approved. Cheers, Ivo---End Message---
Bug#773149: what to do with x52pro???
Control: tags -1 moreinfo Hi, On Thu, Dec 18, 2014 at 01:08:46PM +0100, Andreas Beckmann wrote: Upgrade path seems fine now. OK. Please go ahead with the upload and remove the moreinfo tag once the new version is in unstable. The updated udev rules are not used, just integrated in case someone wants to play with the source package. Could you mention that in the patch comment? Instead I replaced the wheezy conffile (that uses outdated syntax and could trigger udev warnings) with a dummy one, too (to avoid dpkg-maintscript-helper rm_conffile) Cheers, Ivo
Processed: Re: Bug#773149: what to do with x52pro???
Processing control commands: tags -1 moreinfo Bug #773149 [release.debian.org] unblock: x52pro/0.1.1-2.2 (pre-approval) Added tag(s) moreinfo. -- 773149: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773149 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#773837: unblock: tiff/4.0.3-11
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package tiff This is a very localized patch to the tiffcp utility (doesn't even affect the tiff library) to fix a potential crash, fixing RC bug #741451. The fix originated from upstream where it was based on a fix previously submitted by the original reporter. (include/attach the debdiff against the package in testing) unblock tiff/4.0.3-11 -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (200, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.14-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -Nru tiff-4.0.3/debian/changelog tiff-4.0.3/debian/changelog --- tiff-4.0.3/debian/changelog 2014-06-29 17:32:44.0 -0400 +++ tiff-4.0.3/debian/changelog 2014-12-23 15:52:13.0 -0500 @@ -1,3 +1,10 @@ +tiff (4.0.3-11) unstable; urgency=medium + + * Don't crash on JPEG = non-JPEG conversion (Closes: #741451) + * Thanks Tomasz Buchert tomasz.buch...@inria.fr for preparing the fix! + + -- Jay Berkenbilt q...@debian.org Tue, 23 Dec 2014 15:51:40 -0500 + tiff (4.0.3-10) unstable; urgency=medium * Remove libtiff4-dev, completing the tiff transition. Packages that diff -Nru tiff-4.0.3/debian/patches/jpeg-colorspace.patch tiff-4.0.3/debian/patches/jpeg-colorspace.patch --- tiff-4.0.3/debian/patches/jpeg-colorspace.patch 1969-12-31 19:00:00.0 -0500 +++ tiff-4.0.3/debian/patches/jpeg-colorspace.patch 2014-12-23 15:52:13.0 -0500 
@@ -0,0 +1,38 @@ +Description: fix for Debian bug #741451 + tiffcp crashes when converting JPEG-encoded TIFF to a different + encoding (like none or lzw). For example this will probably fail: + . +tiffcp -c none jpeg_encoded_file.tif output.tif + . + The reason is that when the input file contains JPEG data, + the tiffcp code forces conversion to RGB space. However, + the output normally inherits YCbCr subsampling parameters + from the input, which leads to a smaller working buffer + than necessary. The buffer is subsequently overrun inside + cpStripToTile() (called from writeBufferToContigTiles). + Note that the resulting TIFF file would be scrambled even + if tiffcp wouldn't crash, since the output file would contain + RGB data intepreted as subsampled YCbCr values. + . + This patch fixes the problem by forcing RGB space on the output + TIF if the input is JPEG-encoded and output is *not* JPEG-encoded. +Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2480 +Author: Tomasz Buchert tomasz.buch...@inria.fr +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2480 +Bug-Debian: http://bugs.debian.org/741451 + +--- a/tools/tiffcp.c b/tools/tiffcp.c +@@ -629,6 +629,12 @@ + TIFFSetField(out, TIFFTAG_PHOTOMETRIC, + samplesperpixel == 1 ? + PHOTOMETRIC_LOGL : PHOTOMETRIC_LOGLUV); ++ else if (input_compression == COMPRESSION_JPEG ++ samplesperpixel == 3) { ++ /* RGB conversion was forced above ++ hence the output will be of the same type */ ++ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_RGB); ++ } + else + CopyTag(TIFFTAG_PHOTOMETRIC, 1, TIFF_SHORT); + if (fillorder != 0) diff -Nru tiff-4.0.3/debian/patches/series tiff-4.0.3/debian/patches/series --- tiff-4.0.3/debian/patches/series 2014-06-29 17:32:44.0 -0400 +++ tiff-4.0.3/debian/patches/series 2014-12-23 15:52:13.0 -0500 @@ -6,3 +6,4 @@ CVE-2013-4232.patch CVE-2013-4244.patch CVE-2013-4243.patch +jpeg-colorspace.patch
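Review bot: the new else-if only fires for `samplesperpixel == 3`; the comment says RGB conversion "was forced above", so it should also say why three samples is the only case that forced conversion can produce (or the condition should be widened), otherwise a reader cannot tell whether JPEG input with a different sample count still falls through to `CopyTag(TIFFTAG_PHOTOMETRIC, 1, TIFF_SHORT)` with the same size mismatch the description explains. Two smaller points: the `&&` between the two conditions is missing from the hunk as rendered here, so check the applied file; and since the root cause is a working buffer sized from tags inherited from the input, a length check in cpStripToTile() before the copy would turn any future tag mismatch into an error instead of a heap overrun.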
Bug#773844: wheezy-pu: package apache2/2.2.22-13+deb7u4
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

Hi, please review the update for apache2 for inclusion into s-p-u. It fixes a low-impact security issue and also includes two one-line bug fixes. The changelog is below, debdiff is attached. As I couldn't find any mail about it, I guess that "7.8 Not yet planned; likely mid-December" is not yet closed? Thanks in advance. Cheers, Stefan

* CVE-2013-5704: Fix handling of chunk trailers. A remote attacker could use this flaw to bypass intended mod_headers restrictions, allowing them to send requests to applications that include headers that should have been removed by mod_headers. The new behavior is to not merge trailers into the headers automatically. A new directive MergeTrailers is introduced to restore the old behavior.
* Fix hostname comparison with SNI to be case insensitive. Closes: #771199
* Fix value of SSL_CLIENT_S_DN_UID in mod_ssl (broken in 2.2.15). Closes: #773841
* Add paragraph about session ticket key life-time and forward secrecy to README.Debian. Closes: #762619

 README.Debian                            | 15 +
 changelog                                | 17 +
 patches/CVE-2013-5704_trailers.patch     | 383 +++
 patches/SNI_case_insensitve.diff         | 13 +
 patches/mod_ssl_SSL_CLIENT_S_DN_UID.diff | 13 +
 patches/series                           | 3

diff -Nru apache2-2.2.22/debian/changelog apache2-2.2.22/debian/changelog --- apache2-2.2.22/debian/changelog 2014-07-24 17:32:33.0 +0200 +++ apache2-2.2.22/debian/changelog 2014-12-23 23:44:50.0 +0100 
@@ -1,3 +1,20 @@ +apache2 (2.2.22-13+deb7u4) wheezy; urgency=medium + + * CVE-2013-5704: Fix handling of chunk trailers. A remote attacker could +use this flaw to bypass intended mod_headers restrictions, allowing +them to send requests to applications that include headers that should +have been removed by mod_headers. +The new behavior is to not merge trailers into the headers autmatically. +A new directive MergeTrailers is introduced to restore the old +behavior. + * Fix hostname comparison with SNI to be case insensitive. Closes: #771199 + * Fix valule of SSL_CLIENT_S_DN_UID in mod_ssl (broken in 2.2.15). +Closes: #773841 + * Add paragraph about session ticket key life-time and forward secrecy to +README.Debian. Closes: #762619 + + -- Stefan Fritsch s...@debian.org Tue, 23 Dec 2014 23:44:24 +0100 + apache2 (2.2.22-13+deb7u3) wheezy-security; urgency=high * CVE-2014-0226: Fix a race condition in scoreboard handling, diff -Nru apache2-2.2.22/debian/patches/CVE-2013-5704_trailers.patch apache2-2.2.22/debian/patches/CVE-2013-5704_trailers.patch --- apache2-2.2.22/debian/patches/CVE-2013-5704_trailers.patch 1970-01-01 01:00:00.0 +0100 +++ apache2-2.2.22/debian/patches/CVE-2013-5704_trailers.patch 2014-12-22 21:59:22.0 +0100 
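Review bot: two typos in the changelog entry will ship as-is ("autmatically", "valule"); fix them before upload. It would also help to state the new directive's default explicitly (trailers are no longer merged unless `MergeTrailers on` is set) so that an admin reading the entry knows which side of the behaviour change they are on.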
@@ -0,0 +1,383 @@ +# http://svn,apache.org/r1619489 +# +# *) SECURITY: CVE-2013-5704 (cve.mitre.org) +# core: HTTP trailers could be used to replace HTTP headers +# late during request processing, potentially undoing or +# otherwise confusing modules that examined or modified +# request headers earlier. Adds MergeTrailers directive to restore +# legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener] +# +Index: apache2/modules/loggers/mod_log_config.c +=== +--- apache2.orig/modules/loggers/mod_log_config.c apache2/modules/loggers/mod_log_config.c +@@ -412,6 +412,12 @@ + return ap_escape_logitem(r-pool, apr_table_get(r-headers_in, a)); + } + ++static const char *log_trailer_in(request_rec *r, char *a) ++{ ++return ap_escape_logitem(r-pool, apr_table_get(r-trailers_in, a)); ++} ++ ++ + static APR_INLINE char *find_multiple_headers(apr_pool_t *pool, + const apr_table_t *table, + const char *key) +@@ -495,6 +501,11 @@ + return ap_escape_logitem(r-pool, cp); + } + ++static const char *log_trailer_out(request_rec *r, char *a) ++{ ++return ap_escape_logitem(r-pool, apr_table_get(r-trailers_out, a)); ++} ++ + static const char *log_note(request_rec *r, char *a) + { + return ap_escape_logitem(r-pool, apr_table_get(r-notes, a)); +@@ -813,7 +824,7 @@ + static char *parse_log_item(apr_pool_t *p, log_format_item *it, const char **sa) + { + const char *s = *sa; +-ap_log_handler *handler; ++ap_log_handler *handler = NULL; + + if (*s != '%') { + return parse_log_misc_string(p, it, sa); +@@ -883,7 +894,16 @@ + break; + + default: +-handler = (ap_log_handler *)apr_hash_get(log_hash, s++, 1); ++/* check for '^' + two character format first */ ++if (*s == '^' *(s+1)
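Review bot: the patch header URL reads `http://svn,apache.org/r1619489` (comma instead of dot); fix it so the origin can be followed. In parse_log_item, `handler` is now initialised to NULL and the `^` two-character formats are checked before the single-character `apr_hash_get` lookup; the hunk is cut off here, so make sure the code after the lookup rejects a NULL handler for an unknown `%^xx` item with a configuration error instead of storing a NULL function pointer in the format item. The new log_trailer_in/log_trailer_out handlers mirror the header ones over r->trailers_in/r->trailers_out, which is what keeps trailers loggable now that they are no longer merged.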
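As an added example (not Apache code and not part of the patch above), a Python sketch of the bypass CVE-2013-5704 describes: a front end strips a header it does not trust, then a chunked body arrives whose trailer supplies the same header again. With trailers folded into the header table (the pre-fix behaviour, what `MergeTrailers on` restores) the stripped value is back; with them kept in a separate table (the new default) it is not. The request, the `X-Remote-User` header name, the filtering policy and the `handle()` function are constructed for illustration.

```python
"""Added example (not Apache code): how merging chunked-body trailers into
the request headers undoes a header-filtering step, and what keeping them
separate (the post-CVE-2013-5704 default) changes. Request, header name and
filtering policy below are constructed for illustration."""

# Constructed request: the front end strips X-Remote-User from the headers,
# then the chunked body ends with a trailer that supplies it again.
RAW_REQUEST = (
    b"POST /app HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Trailer: X-Remote-User\r\n"
    b"X-Remote-User: attacker\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n"
    b"X-Remote-User: admin\r\n"
    b"\r\n"
)

# Headers the filtering step removes (stand-in for "RequestHeader unset").
UNTRUSTED = {"x-remote-user"}


def parse_fields(block: bytes) -> dict:
    """Parse 'Name: value' lines into a lower-cased dict (duplicates: last wins)."""
    fields = {}
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        fields[name.strip().decode().lower()] = value.strip().decode()
    return fields


def decode_chunked(body: bytes):
    """Return (payload, trailers) from a chunked message body."""
    payload = bytearray()
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)  # drop chunk extensions
        pos = line_end + 2
        if size == 0:
            break                      # last-chunk; what follows is the trailer block
        payload += body[pos:pos + size]
        pos += size + 2                # chunk data plus its CRLF
    return bytes(payload), parse_fields(body[pos:])


def handle(raw: bytes, merge_trailers: bool) -> dict:
    """Process one request the way a filtering front end would.

    merge_trailers=True  reproduces the vulnerable behaviour (MergeTrailers on):
    trailer fields are folded into the header table after filtering already ran.
    merge_trailers=False keeps them in a separate table (the fixed default)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    _request_line, _, header_block = head.partition(b"\r\n")
    headers = parse_fields(header_block)
    for name in UNTRUSTED:             # 1. filtering module runs on the headers
        headers.pop(name, None)
    payload, trailers = decode_chunked(body)   # 2. body (and trailers) read later
    if merge_trailers:
        headers.update(trailers)       # trailer silently re-supplies the stripped header
    return {"headers": headers, "trailers": trailers, "payload": payload}
```

With `merge_trailers=True` the backend receives `x-remote-user: admin` although the header was removed; with `False` the backend sees no such header and the value is only reachable in the trailers table, where a module has to ask for it explicitly, which is the point of the new default.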
Bug#773847: unblock: mercurial/3.1.2-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package mercurial. It fixes #773640[0] (CVE-2014-9390: Errors in handling case-sensitive directories allow for remote code execution on pull). Upstream has confirmed[1] that the three patches that this update adds are the ones needed to fix it. See below the debdiff against 3.1.2-1, the version currently in jessie. [0] https://bugs.debian.org/773640 [1] http://selenic.com/pipermail/mercurial-packaging/2014-December/000133.html ---8--- diff -Nru mercurial-3.1.2/debian/changelog mercurial-3.1.2/debian/changelog --- mercurial-3.1.2/debian/changelog2014-10-03 00:34:41.0 +0200 +++ mercurial-3.1.2/debian/changelog2014-12-23 16:01:50.0 +0100 @@ -1,3 +1,15 @@ +mercurial (3.1.2-2) unstable; urgency=high + + * Fix CVE-2014-9390: Errors in handling case-sensitive directories +allow for remote code execution on pull by adding patches + from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch, +from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch, +and +from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch +(Closes: #773640) + + -- Javi Merino vi...@debian.org Tue, 23 Dec 2014 16:01:50 +0100 + mercurial (3.1.2-1) unstable; urgency=medium * New upstream version diff -Nru mercurial-3.1.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch mercurial-3.1.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch --- mercurial-3.1.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch 1970-01-01 01:00:00.0 +0100 +++ mercurial-3.1.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch 2014-12-23 15:57:51.0 +0100 
@@ -0,0 +1,44 @@ +Origin: http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3 +Description: encoding: add hfsignoreclean to clean out HFS-ignored characters + According to Apple Technote 1150 (unavailable from Apple as far as I + can tell, but archived in several places online), HFS+ ignores sixteen + specific unicode runes when doing path normalization. We need to + handle those cases, so this function lets us efficiently strip the + offending characters from a UTF-8 encoded string (which is the only + way it seems to matter on OS X.) + . + This is a fix for CVE-2014-9390 +Applied-Upstream: 3.2.3 + +diff --git a/mercurial/encoding.py b/mercurial/encoding.py +--- a/mercurial/encoding.py b/mercurial/encoding.py +@@ -8,6 +8,28 @@ + import error + import unicodedata, locale, os + ++# These unicode characters are ignored by HFS+ (Apple Technote 1150, ++# Unicode Subtleties), so we need to ignore them in some places for ++# sanity. ++_ignore = [unichr(int(x, 16)).encode(utf-8) for x in ++ 200c 200d 200e 200f 202a 202b 202c 202d 202e ++ 206a 206b 206c 206d 206e 206f feff.split()] ++# verify the next function will work ++assert set([i[0] for i in _ignore]) == set([\xe2, \xef]) ++ ++def hfsignoreclean(s): ++Remove codepoints ignored by HFS+ from s. 
++ ++ hfsignoreclean(u'.h\u200cg'.encode('utf-8')) ++'.hg' ++ hfsignoreclean(u'.h\ufeffg'.encode('utf-8')) ++'.hg' ++ ++if \xe2 in s or \xef in s: ++for c in _ignore: ++s = s.replace(c, '') ++return s ++ + def _getpreferredencoding(): + ''' + On darwin, getpreferredencoding ignores the locale environment and diff -Nru mercurial-3.1.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch mercurial-3.1.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch --- mercurial-3.1.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch 1970-01-01 01:00:00.0 +0100 +++ mercurial-3.1.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch 2014-12-23 15:57:51.0 +0100 @@ -0,0 +1,59 @@ +Origin: http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e +Description: pathauditor: check for codepoints ignored on OS X + This is a fix for CVE-2014-9390 +Applied-Upstream: 3.2.3 + +--- a/mercurial/pathutil.py b/mercurial/pathutil.py +@@ -1,8 +1,12 @@ + import os, errno, stat + ++import encoding + import util + from i18n import _ + ++def _lowerclean(s): ++return encoding.hfsignoreclean(s.lower()) ++ + class pathauditor(object): + '''ensure that a filesystem path contains no banned components. + the following properties of a path are checked: +@@ -39,11 +43,11 @@ class pathauditor(object): + raise util.Abort(_(path ends in directory separator: %s) % path) + parts = util.splitpath(path) + if (os.path.splitdrive(path)[0] +-or parts[0].lower() in ('.hg', '.hg.', '')
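Review bot: the module-level `assert` that every ignored rune starts with `\xe2` or `\xef` is what makes the fast path in hfsignoreclean safe, and it is skipped under `python -O`; that is acceptable for a table fixed at import time, but say so in the comment so that nobody later extends `_ignore` with a rune whose first byte differs and silently bypasses the shortcut. Also, the quotes around the `utf-8`, `\xe2` and `\xef` string literals are not visible in the debdiff as rendered here; verify the applied file.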
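Review bot: the pathauditor hunk is cut off right at the `parts[0].lower() in ('.hg', '.hg.', '')` check, so it cannot be seen here whether `_lowerclean` also replaces `.lower()` in the per-component loop further down and not only for `parts[0]`; it must, since `foo/.h\u200cg/hgrc` is the same attack one level deeper. The third patch (Windows short-name aliases) is named in the changelog but not shown; the unblock request should carry it in the debdiff as well.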
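An added example, in Python, of the kind of check the three patches implement; it is not Mercurial's pathauditor and not part of the debdiff above. The idea: before deciding whether a path component is really `.hg`, normalise it the way the target filesystems do. Assumptions made for illustration: the sixteen HFS+-ignored codepoints from Apple TN1150 as listed in the first patch, Windows 8.3 short names of the form `HG~<n>` treated as aliases of `.hg`, and a hypothetical `audit()` / `is_allowed()` API.

```python
"""Added example, not Mercurial's code: normalise a repository path the way
HFS+ and Windows would before deciding whether a component is really ".hg".
Assumptions: the HFS+-ignored codepoints from Apple TN1150, and Windows 8.3
aliases of the form HG~<n> treated as ".hg"."""

import re

# Codepoints HFS+ drops when comparing names (Apple Technote 1150), so
# ".h\u200cg" and ".hg" are the same directory on OS X.
HFS_IGNORED = {chr(int(cp, 16)) for cp in
               "200c 200d 200e 200f 202a 202b 202c 202d 202e "
               "206a 206b 206c 206d 206e 206f feff".split()}

# 8.3 short name Windows assigns to a ".hg" directory (HG~1, HG~2, ...);
# treating every HG~<n> as ".hg" is the conservative choice (assumption).
SHORTNAME_HG = re.compile(r"^hg~[0-9]+$")

# Components that may never appear in a tracked path.
BANNED = {"", ".", "..", ".hg", ".hg."}


class IllegalPath(ValueError):
    """Raised for a path that could write into .hg or outside the tree."""


def hfs_clean(component: str) -> str:
    """Remove the runes HFS+ ignores; ".h\u200cg" becomes ".hg"."""
    return "".join(ch for ch in component if ch not in HFS_IGNORED)


def canonical(component: str) -> str:
    """Case-fold, strip HFS-ignored runes, map 8.3 aliases back to ".hg"."""
    cleaned = hfs_clean(component).lower()
    return ".hg" if SHORTNAME_HG.match(cleaned) else cleaned


def audit(path: str) -> str:
    """Return path unchanged if it is safe to create inside a checkout,
    otherwise raise IllegalPath. Every component is checked, not only the
    first, because "foo/.hg/hgrc" is as dangerous as ".hg/hgrc"."""
    if path.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", path):
        raise IllegalPath("absolute path: %r" % path)
    for part in path.replace("\\", "/").split("/"):
        if canonical(part) in BANNED:
            raise IllegalPath("illegal component %r in %r" % (part, path))
    return path


def is_allowed(path: str) -> bool:
    """Boolean wrapper around audit() for callers that do not want exceptions."""
    try:
        audit(path)
    except IllegalPath:
        return False
    return True
```

The interesting inputs are the ones a byte-wise comparison against `.hg` misses: `.HG` on a case-insensitive filesystem, `.h\u200cg` on HFS+, and `HG~1` on Windows, each of which ends up writing into the real `.hg` directory (and so into `.hg/hgrc` hooks) on a pull. A plain directory called `hg` is still allowed.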
Bug#773848: unblock: apt/1.0.9.5
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-CC: de...@lists.debian.org

Hi release team, nearly as surprised as you might be now, I was when I found a little early present in my inbox for the coming days of package management: A new apt version fixing all currently outstanding RC-bugs (in apt) as well as some translation updates – aka as condensed changelog:

* dispose http(s) 416 error page as non-content (Closes: 768797)
* do not make PTY slave the controlling terminal (Closes: 772641)
* always run 'dpkg --configure -a' at the end of our dpkg callings (Closes: 769609)
* pass-through stdin fd instead of content if not a terminal (Closes: 773061)
* tighten filtering of kernel images in apt.auto-removal (Closes: 772732)
* fr manpage, th, zh_CN ja program translation updates (Closes: various)

[Note that this isn't changing anything in regards to triggers (the dpkg calling change is a no-op at the moment as dpkg carries a workaround for it in jessie, but will not for stretch, which apt/jessie has to work with at upgrade time to stretch).]

The attached diff is 'git log -p' format of the code changing commits, leaving out translation updates and general po-file churn. All the gory^Wglory details can be found in git, like in the webview here, with a bunch of additional comments in the commit messages: https://anonscm.debian.org/cgit/apt/apt.git/log/

I have some hope for being a bit quicker on the response side again, too, in case you have any concerns; otherwise I hope you enjoy the upload as much as I do (thanks Michael!)
and honor us with a: unblock apt/1.0.9.5 Best regards happy package management days David Kalnischkies commit e5ef23145f0dc6523a5c5321a21407c955777ad2 Author: James McCoy james...@debian.org Date: Wed Dec 10 10:16:02 2014 -0500 tighten filtering of kernel images in apt.auto-removal The current filtering matches the names of the image metapackages on the i386 architecture: $ dpkg-query -l | awk '/^ii[ ]+(linux|kfreebsd|gnumach)-image-[0-9]/ $2 !~ /-dbg$/ { print $2 }' linux-image-3.16.0-4-586 linux-image-586 This results in an extra image package being removed from APT::NeverAutoRemove, losing the intended effect of keeping the {current, previous, latest} set of images installed. Requiring a “.” in the package name tightens the matched package names to those that are installing a specific version of the image, thus eliding the meta-packages. Closes: 772732 diff --git a/debian/apt.auto-removal.sh b/debian/apt.auto-removal.sh index c004161..807c6f7 100644 --- a/debian/apt.auto-removal.sh +++ b/debian/apt.auto-removal.sh 
@@ -41,7 +41,7 @@ version_test_gt () return $? } -list=$(${DPKG} -l | awk '/^ii[ ]+(linux|kfreebsd|gnumach)-image-[0-9]/ $2 !~ /-dbg$/ { print $2 }' | sed -e 's#\(linux\|kfreebsd\|gnumach\)-image-##') +list=$(${DPKG} -l | awk '/^ii[ ]+(linux|kfreebsd|gnumach)-image-[0-9]+\./ $2 !~ /-dbg$/ { print $2 }' | sed -e 's#\(linux\|kfreebsd\|gnumach\)-image-##') latest_version= previous_version= commit 748a2177dcf8ff72bca90f5c7d516559ddd67352 Author: David Kalnischkies da...@kalnischkies.de Date: Mon Dec 22 23:14:08 2014 +0100 pass-through stdin fd instead of content if not a terminal Commit 299aea924ccef428219ed6f1a026c122678429e6 fixes the problem of not logging terminal in case stdin stdout are not a terminal. The problem is that we are then trying to pass-through stdin content by reading from the apt-process stdin and writing it to the stdin of the child (dpkg), which works great for users who can control themselves, but pipes and co are a bit less forgiving causing us to pass everything to the first child process, which if the sending part of the pipe is e.g. 'yes' we will never see the end of it (as the pipe is full at some point and further writing blocks). There is a simple solution for that of course: If stdin isn't a terminal, we us the apt-process stdin as stdin for the child directly (We don't do this if it is a terminal to be able to save the typed input in the log). Closes: 773061 diff --git a/apt-pkg/deb/dpkgpm.cc b/apt-pkg/deb/dpkgpm.cc index d54b7b5..e23ca46 100644 --- a/apt-pkg/deb/dpkgpm.cc +++ b/apt-pkg/deb/dpkgpm.cc @@ -73,7 +73,8 @@ public: pkgDPkgPMPrivate() : stdin_is_dev_null(false), dpkgbuf_pos(0), term_out(NULL), history_out(NULL), progress(NULL), tt_is_valid(false), master(-1), - slave(NULL), protect_slave_from_dying(-1) + slave(NULL), protect_slave_from_dying(-1), + direct_stdin(false) { dpkgbuf[0] = '\0'; } @@ -100,6 +101,7 @@ public: sigset_t sigmask; sigset_t original_sigmask; + bool direct_stdin; }; namespace 
@@ -1079,6 +1081,9 @@ void pkgDPkgPM::StartPtyMagic() return; } + if (isatty(STDIN_FILENO) == 0) + d-direct_stdin = true; +
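Review bot: requiring `[0-9]+\.` after `-image-` does drop the `linux-image-586` meta-package from the list, but the list is still produced by parsing `dpkg -l`, whose columns depend on the terminal width and whose format is meant for humans; `dpkg-query -W -f='${Package} ${Status}\n'` filtered on `install ok installed` gives the same data without the `^ii[ ]+` column parsing and without any truncation risk. Worth at least a comment: a versioned image package whose version has no dot in it (none today, but nothing enforces that) would now be treated as a meta-package and become removable.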
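Review bot: `isatty(STDIN_FILENO) == 0` is also true when fd 0 is closed or invalid (isatty fails with EBADF), so `direct_stdin` is set in that case too and the child inherits whatever fd 0 is; that is probably the intended outcome, but checking errno, or saying so in a comment, would make it explicit rather than accidental. The hunk is cut off here, so the place where `d->direct_stdin` is consulted when wiring up the child's stdin is not visible in this diff.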
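An added example, not apt's code: the kernel-image filter from the apt.auto-removal.sh hunk before and after the tightening, re-expressed in Python and run over constructed `dpkg -l` lines, so the effect on the `linux-image-586` style meta-packages described in the commit message is visible. The sample lines are made up and `kernel_versions()` is a stand-in for the script's awk/sed pipeline.

```python
"""Added example, not apt's code: the kernel-image filter from
apt.auto-removal.sh before and after the tightening, run over constructed
`dpkg -l` lines. kernel_versions() stands in for the awk/sed pipeline."""

import re

# Constructed `dpkg -l` output: status, package, version, arch, description.
DPKG_L = """\
ii  linux-image-3.16.0-4-586        3.16.7-ckt2-1     i386   Linux 3.16 for older PCs
ii  linux-image-3.16.0-4-amd64      3.16.7-ckt2-1     amd64  Linux 3.16 for 64-bit PCs
ii  linux-image-3.16.0-4-amd64-dbg  3.16.7-ckt2-1     amd64  Debug symbols for Linux 3.16
ii  linux-image-586                 3.16+63           i386   Linux for older PCs (meta-package)
ii  linux-image-amd64               3.16+63           amd64  Linux for 64-bit PCs (meta-package)
rc  linux-image-3.14-2-amd64        3.14.15-2         amd64  Linux 3.14 (removed, conffiles left)
ii  kfreebsd-image-10.1-1-amd64     10.1~svn274115-1  amd64  kernel of FreeBSD 10.1
"""

# Old awk pattern: any digit after "-image-" counts, so linux-image-586 matches.
OLD_FILTER = re.compile(r"^ii[ ]+(linux|kfreebsd|gnumach)-image-[0-9]")
# New awk pattern: the digits must be followed by a dot, i.e. a real version.
NEW_FILTER = re.compile(r"^ii[ ]+(linux|kfreebsd|gnumach)-image-[0-9]+\.")
# The sed expression that strips the prefix from the package name.
STRIP_PREFIX = re.compile(r"^(linux|kfreebsd|gnumach)-image-")


def kernel_versions(dpkg_output: str, pattern) -> list:
    """awk '/pattern/ && $2 !~ /-dbg$/ { print $2 }' | sed 's#...-image-##'"""
    versions = []
    for line in dpkg_output.splitlines():
        if not pattern.search(line):       # status column and name prefix
            continue
        name = line.split()[1]
        if name.endswith("-dbg"):          # debug-symbol packages are not kernels
            continue
        versions.append(STRIP_PREFIX.sub("", name))
    return versions
```

With `OLD_FILTER` the result contains the bare `586`, which the script then compares as if it were a kernel version when computing the set of images to keep; with `NEW_FILTER` only the versioned images remain, and the `rc` (removed) and `-dbg` entries are excluded by both.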
Bug#773256: pre-approval: unblock: dpkg/1.17.23
Hi! On Tue, 2014-12-23 at 02:52:01 +0100, Guillem Jover wrote: On Sun, 2014-12-21 at 21:38:31 +0100, Niels Thykier wrote: I do not recall (all of?) these trigger cycles being known. @Guillem, can you have a look at them and file bugs as necessary for these? These smell like instances of #771730 (more so when libc-bin is noawait), but I fired up a test upgrade with 1.17.23 to make sure. Ok, after several GiBs of downloads and unpacks, the upgrade went fine with dpkg 1.17.23 for education-thin-client-server. I'll leave one of the other ones testing during the night, but I don't expect any problems either. On Tue, 2014-12-23 at 04:36:07 +0100, Guillem Jover wrote: On Sun, 2014-12-21 at 09:57:51 +0100, Niels Thykier wrote: It possibly still is since the version that introduced the trigger checks. I hope we can have it resolved shortly. Yeah, I'm planning to upload tomorrow, sorry about the delay, was not feeling quite well the past couple of days. Actually, I just noticed the bug was not tagged confirmed, so given this, the wordpress situation, and the questions you posed in the previous email, I'll hold off the upload, which is tested and ready for when I get a go. Thanks, Guillem
Bug#773852: unblock: zodb/1:3.9.7-5 (pre-approval)
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hello, Some time ago I uploaded python-zodb to fix RC bug #767554 but I forgot to remove some header files, sorry about that. Would it be possible to upload python-zodb with the (really straightforward) diff attached? Thank you very much in advance. Regards, -- Arnaud Fontaine diff -Nru zodb-3.9.7/debian/changelog zodb-3.9.7/debian/changelog --- zodb-3.9.7/debian/changelog 2014-12-16 17:16:27.0 +0900 +++ zodb-3.9.7/debian/changelog 2014-12-24 12:17:32.0 +0900 @@ -1,3 +1,11 @@ +zodb (1:3.9.7-5) unstable; urgency=medium + + * Team upload. + * persistent module was removed in the previous upload, but some headers +were not. Thanks to Kirill Smelkov. Closes: #773699. + + -- Arnaud Fontaine ar...@debian.org Wed, 24 Dec 2014 12:16:03 +0900 + zodb (1:3.9.7-4) unstable; urgency=medium * Team upload. diff -Nru zodb-3.9.7/debian/patches/persistent-module-4.x-no-headers.patch zodb-3.9.7/debian/patches/persistent-module-4.x-no-headers.patch --- zodb-3.9.7/debian/patches/persistent-module-4.x-no-headers.patch 1970-01-01 09:00:00.0 +0900 +++ zodb-3.9.7/debian/patches/persistent-module-4.x-no-headers.patch 2014-12-24 12:15:57.0 +0900 
@@ -0,0 +1,25 @@ +Description: Don't provide persistent headers in python-zodb + python-zodb now depends on separate python-persistent and to be compatible + with that in python-zodb, after building the package, we remove installed + persistent completely. However ZODB also used to install persistent headers in + ZODB namespace which were left and now correspond to nothing provided in + python-zodb and duplicate persistent headers in python-persistent. +After splitting persistent into separate package, upstream already removed + that 'headers install' in zodb package: +- 57dca750 (Fixed: An unneeded left-over setting in setup.py caused + installation with pip to fail). +- f5b98e96 (ZODB w/ externally-distributed 'persistent'.) + so do it here too. + +--- zodb-3.9.7.orig/setup.py zodb-3.9.7/setup.py +@@ -188,9 +188,6 @@ setup(name=ZODB3, + packages = find_packages('src'), + package_dir = {'': 'src'}, + ext_modules = exts, +- headers = ['src/persistent/cPersistence.h', +- 'src/persistent/py24compat.h', +- 'src/persistent/ring.h'], + license = ZPL 2.1, + platforms = [any], + description = doclines[0], diff -Nru zodb-3.9.7/debian/patches/series zodb-3.9.7/debian/patches/series --- zodb-3.9.7/debian/patches/series 2014-12-16 16:51:28.0 +0900 +++ zodb-3.9.7/debian/patches/series 2014-12-24 12:15:57.0 +0900 @@ -1,5 +1,6 @@ lp_135108.patch persistent-module-4.x-compat.patch +persistent-module-4.x-no-headers.patch test-spurious-failure-under-python27.patch testUtils.patch new-transaction.patch
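Review bot: dropping the `headers =` entry stops setup.py from installing cPersistence.h, py24compat.h and ring.h, but 1:3.9.7-4 already shipped those files and the patch description says python-persistent provides the same headers; if they land at the same path, whichever package now owns them needs Breaks/Replaces on python-zodb (<< 1:3.9.7-5), otherwise upgrades from -4 hit dpkg file conflicts. The debdiff shows no debian/control change, so please confirm the paths differ or add the relationship before upload.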
Bug#773854: unblock: ntp/1:4.2.6.p5+dfsg-3.2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package ntp version 1:4.2.6.p5+dfsg-3.2. This version contains the security fixes described in bug 773576 and released for stable in DSA 3108-1. diffstat: changelog | 11 + patches/ntp-4.2.6p5-cve-2014-9293.patch | 37 ++ patches/ntp-4.2.6p5-cve-2014-9294.patch | 111 +++ patches/ntp-4.2.6p5-cve-2014-9295.patch | 107 +++ patches/ntp-4.2.6p5-cve-2014-9296.patch | 15 patches/series |4 +++ See attached diff for the change details. unblock ntp/1:4.2.6.p5+dfsg-3.2 -- System Information: Debian Release: 7.7 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -Nru ntp-4.2.6.p5+dfsg/debian/changelog ntp-4.2.6.p5+dfsg/debian/changelog --- ntp-4.2.6.p5+dfsg/debian/changelog 2014-07-16 09:49:08.0 -0700 +++ ntp-4.2.6.p5+dfsg/debian/changelog 2014-12-21 12:01:59.0 -0800 @@ -1,3 +1,14 @@ +ntp (1:4.2.6.p5+dfsg-3.2) unstable; urgency=medium + + * Non-maintainer upload. + * Apply fixes for security updates (Closes: 773576) +- cve-2014-9293 +- cve-2014-9294 +- cve-2014-9295 +- cve-2014-9296 + + -- Noah Meyerhans no...@debian.org Sun, 21 Dec 2014 12:01:50 -0800 + ntp (1:4.2.6.p5+dfsg-3.1) unstable; urgency=low * Non-maintainer upload. diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9293.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9293.patch --- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9293.patch 1969-12-31 16:00:00.0 -0800 +++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9293.patch 2014-12-21 12:00:30.0 -0800 
@@ -0,0 +1,37 @@ +Index: git/ntpd/ntp_config.c +=== +--- git.orig/ntpd/ntp_config.c 2014-12-20 18:45:45.232872120 +0100 git/ntpd/ntp_config.c 2014-12-20 18:45:47.672921968 +0100 +@@ -1866,13 +1866,16 @@ + req_hashlen = digest_len; + #endif + } else { +- int rankey; ++ unsigned char rankey[16]; ++ ++ if (ntp_crypto_random_buf(rankey, sizeof (rankey))) { ++ msyslog(LOG_ERR, ntp_crypto_random_buf() failed.); ++ exit(1); ++ } + +- rankey = ntp_random(); + req_keytype = NID_md5; + req_hashlen = 16; +- MD5auth_setkey(req_keyid, req_keytype, +- (u_char *)rankey, sizeof(rankey)); ++ MD5auth_setkey(req_keyid, req_keytype, rankey, sizeof(rankey)); + authtrust(req_keyid, 1); + } + +Index: git/ntpd/ntpd.c +=== +--- git.orig/ntpd/ntpd.c 2014-12-20 18:45:45.232872120 +0100 git/ntpd/ntpd.c 2014-12-20 18:45:47.672921968 +0100 +@@ -597,6 +597,7 @@ + get_systime(now); + + ntp_srandom((int)(now.l_i * now.l_uf)); ++ ntp_crypto_srandom(); + + #if !defined(VMS) + # ifndef NODETACH diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9294.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9294.patch --- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9294.patch 1969-12-31 16:00:00.0 -0800 +++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9294.patch 2014-12-21 12:00:30.0 -0800 
@@ -0,0 +1,111 @@ +Index: git/include/ntp_random.h +=== +--- git.orig/include/ntp_random.h 2014-12-20 18:45:44.712861496 +0100 git/include/ntp_random.h 2014-12-20 18:45:52.817027062 +0100 +@@ -1,6 +1,9 @@ + + #include ntp_types.h + ++void ntp_crypto_srandom(void); ++int ntp_crypto_random_buf(void *buf, size_t nbytes); ++ + long ntp_random (void); + void ntp_srandom (unsigned long); + void ntp_srandomdev (void); +Index: git/libntp/ntp_random.c +=== +--- git.orig/libntp/ntp_random.c 2014-12-20 18:45:44.712861496 +0100 git/libntp/ntp_random.c 2014-12-20 18:45:52.817027062 +0100 +@@ -481,3 +481,63 @@ + } + return(i); + } ++ ++/* ++ * Crypto-quality random number functions ++ * ++ * Author: Harlan Stenn, 2014 ++ * ++ * This file is Copyright (c) 2014 by Network Time Foundation. ++ * BSD terms apply: see the file COPYRIGHT in the distribution root for details. ++ */ ++ ++#include openssl/err.h ++#include openssl/rand.h ++ ++int crypto_rand_init = 0; ++ ++/* ++ * ntp_crypto_srandom: ++ * ++ * Initialize the random number generator, if needed by the underlying ++ * crypto random number generation mechanism. ++ */ ++ ++void ++ntp_crypto_srandom( ++ void ++ ) ++{ ++ if (!crypto_rand_init) { ++ RAND_poll(); ++
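Review bot: in the CVE-2014-9293 hunk, drawing 16 bytes from ntp_crypto_random_buf() and calling exit(1) when it fails is the right shape: refusing to start beats falling back to a guessable key. The msyslog text lost its quotes in this rendering, so check the applied file, and the message should name the request key id being set up so an operator can see why ntpd exited. Placing `ntp_crypto_srandom()` right after `ntp_srandom((int)(now.l_i * now.l_uf))` in ntpd.c keeps the two generators independent, which is the point of the fix; a one-line comment there saying so would stop someone "simplifying" it later.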
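Review bot: in the CVE-2014-9294 hunk, `#include openssl/rand.h` in libntp/ntp_random.c makes libntp depend on OpenSSL unconditionally while the rest of the tree guards its OpenSSL use; that is fine for the Debian build, which links ntpd against libssl, but it belongs in a patch header, and none of the four patches carries DEP-3 headers at all (no Origin, Bug or Bug-Debian); add them pointing at the DSA 3108-1 sources. The ntp_crypto_srandom body is cut off here before `crypto_rand_init` is set, so verify that, and verify that ntp_crypto_random_buf returns non-zero when its RAND call fails, since the caller in the CVE-2014-9293 hunk relies on that return value.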
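An added example, not ntp's code and not from the patches above, of the weakness CVE-2014-9293 is about. Before the fix, when no request key was configured ntpd took a single `ntp_random()` output (an `int`, so four bytes) as the MD5 request key, with that generator seeded from the current time; after it the key is 16 bytes from `ntp_crypto_random_buf()`. The Python below stands `random.Random` in for `ntp_random()`, computes MD5(key || message) as NTP's symmetric-key MAC does, and brute-forces a constructed one-hour start-time window; the seed, message and window are assumptions for illustration.

```python
"""Added example, not ntp's code: the key-generation weakness behind
CVE-2014-9293, simulated. Before the fix ntpd used one ntp_random() output
(an int) as the auto-generated MD5 request key, with the generator seeded
from the current time; after it the key is 16 bytes from the crypto RNG.
random.Random stands in for ntp_random(), MD5(key || message) follows NTP's
symmetric-key MAC, and the seed window below is constructed."""

import hashlib
import os
import random
import struct


def legacy_key(seed: int) -> bytes:
    """Pre-fix shape: a single 31-bit PRNG output used as a 4-byte key.
    Same seed, same key: the effective key space is the seed space."""
    rng = random.Random(seed)          # stand-in for ntp_srandom()/ntp_random()
    return struct.pack("<i", rng.getrandbits(31))


def fixed_key() -> bytes:
    """Post-fix shape: 16 bytes from the OS CSPRNG (ntp_crypto_random_buf)."""
    return os.urandom(16)


def ntp_mac(key: bytes, message: bytes) -> bytes:
    """NTP symmetric-key authentication: MD5 over key || message."""
    return hashlib.md5(key + message).digest()


def recover_legacy_key(message: bytes, mac: bytes, seed_lo: int, seed_hi: int):
    """Attacker view: given one authenticated message and a guess at the
    seed window (a start-time range), re-run the PRNG per candidate seed
    until the MAC matches. Returns (seed, key) or None."""
    for seed in range(seed_lo, seed_hi):
        key = legacy_key(seed)
        if ntp_mac(key, message) == mac:
            return seed, key
    return None


def demo():
    """Constructed scenario: ntpd started at a roughly known second and the
    attacker tries a one-hour window around it."""
    message = b"constructed ntp request"
    start = 1419379200                  # assumed start time (2014-12-24)
    key = legacy_key(start)
    mac = ntp_mac(key, message)
    found = recover_legacy_key(message, mac, start - 1800, start + 1800)
    return found, key, fixed_key()
```

`demo()` finds the key after at most 3600 MD5 computations; a 16-byte CSPRNG key has no seed to enumerate, which is the whole fix. The real seed `(int)(now.l_i * now.l_uf)` is not literally a timestamp, but it is derived from one, so a window search is the right attacker model.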
Bug#773256: pre-approval: unblock: dpkg/1.17.23
On Wed, 2014-12-24 at 02:26:24 +0100, Guillem Jover wrote: On Tue, 2014-12-23 at 02:52:01 +0100, Guillem Jover wrote: On Sun, 2014-12-21 at 21:38:31 +0100, Niels Thykier wrote: I do not recall (all of?) these trigger cycles being known. @Guillem, can you have a look at them and file bugs as necessary for these? These smell like instances of #771730 (more so when libc-bin is noawait), but I fired up a test upgrade with 1.17.23 to make sure. Ok, after several GiBs of downloads and unpacks, the upgrade went fine with dpkg 1.17.23 for education-thin-client-server. I'll leave one of the other ones testing during the night, but I don't expect any problems either. … And the haskell one went well too. Thanks, Guillem