NEW changes in stable-new

2016-03-21 Thread Debian FTP Masters
Processing changes file: xvba-video_0.8.0-9+deb8u1_amd64.changes
  ACCEPT
Processing changes file: xvba-video_0.8.0-9+deb8u1_i386.changes
  ACCEPT



Bug#813237: transition: ruby2.3 / followup with -rm transition?

2016-03-21 Thread Emilio Pozuelo Monfort

On 21/03/16 19:20, Christian Hofstaedtler wrote:

> Hello,
>
> I think we're done with the ruby2.3 transition now (apart from
> libguestfs/mips).
>
> It'd be good if we could do the followup ruby2.2-rm transition
> soonish. What does -release think about that?


Sure. I have added a tracker and scheduled the required binNMUs.

Cheers,
Emilio



Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1

2016-03-21 Thread Henrique de Moraes Holschuh

On Mon, Mar 21, 2016, at 19:29, Adam D. Barratt wrote
> Flagged for acceptance.

Thank you!

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique de Moraes Holschuh 



Bug#815520: Bug#815561: jessie-pu: package xvba-video_0.8.0-9+deb8u1

2016-03-21 Thread Andreas Beckmann
On 2016-03-21 21:53, Adam D. Barratt wrote:
> On a related note, xvba-video has non-free build-dependencies, so will
> need binary uploads for both amd64 and i386.

Oops, I remember there was something ... uploaded 2 binaries, too.


Andreas

PS: fglrx-driver is still in my ToDo queue ... I wanted to do one more
upgrade test, but that involves snapshot.d.o packages ...



NEW changes in oldstable-new

2016-03-21 Thread Debian FTP Masters
Processing changes file: amd64-microcode_1.20160316.1_multi.changes
  ACCEPT



NEW changes in stable-new

2016-03-21 Thread Debian FTP Masters
Processing changes file: cairo_1.14.0-2.1+deb8u1_amd64.changes
  ACCEPT
Processing changes file: dolibarr_3.5.5+dfsg1-1+deb8u1_amd64.changes
  ACCEPT
Processing changes file: pgplot5_5.2.2-19+deb8u1_source.changes
  ACCEPT
Processing changes file: sus_7.20160312~deb8u1_amd64.changes
  ACCEPT



Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1

2016-03-21 Thread Adam D. Barratt
Control: tags -1 + pending

On Sun, 2016-03-20 at 12:38 -0300, Henrique de Moraes Holschuh wrote:
> On Sun, 20 Mar 2016, Adam D. Barratt wrote:
> > On Sun, 2016-03-20 at 12:20 -0300, Henrique de Moraes Holschuh wrote:
> > > I have uploaded it through the ftp queue about one hour ago, but I have
> > > still not received any email back either from the upload queue daemon, or
> > > from dak (and the packages disappeared from the ftp upload queue).
> > > 
> > > I will try to reupload.
> > 
> > dinstall's running, hence the lack of response from dak combined with
> > the "disappearing" packages (although I'm not sure why you've not had a
> > response from the queued).
> > 
> > I can confirm that the packages have reached the "unchecked" queue so
> > should get processed by dak once dinstall finishes; there's no need to
> > re-upload.
> 
> Thanks!
> 
> I did try to re-upload before I got your reply, and promptly got an email
> from the upload queue daemon about an existing previous upload.

Flagged for acceptance.

Regards,

Adam



Processed: Re: Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1

2016-03-21 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #818710 [release.debian.org] wheezy-pu: package amd64-microcode/1.20160316.1
Added tag(s) pending.

-- 
818710: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818710
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#818672: jessie-pu: package pgplot5/5.2.2-19+deb8u1

2016-03-21 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #818672 [release.debian.org] jessie-pu: package pgplot5/5.2.2-19+deb8u1
Added tag(s) pending.

-- 
818672: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818672
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#818801: jessie-pu: package cairo/1.14.0-2.1+deb8u1

2016-03-21 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #818801 [release.debian.org] jessie-pu: package cairo/1.14.0-2.1+deb8u1
Added tag(s) pending.

-- 
818801: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818801
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#818679: jessie-pu: package sus/7.20160312~deb8u1

2016-03-21 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #818679 [release.debian.org] jessie-pu: package sus/7.20160312~deb8u1
Added tag(s) pending.

-- 
818679: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818679
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#818679: jessie-pu: package sus/7.20160312~deb8u1

2016-03-21 Thread Adam D. Barratt
Control: tags -1 + pending

On Sun, 2016-03-20 at 16:07 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2016-03-19 at 17:17 +0100, Andreas Beckmann wrote:
> > sus is a downloader package and one of the external tarballs being
> > downloaded has changed, again.
> 
> Yay downloader packages. :-(
> 
> > This is a rebuild of the package from sid for jessie.
> 
> Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam



Bug#818801: jessie-pu: package cairo/1.14.0-2.1+deb8u1

2016-03-21 Thread Adam D. Barratt
Control: tags -1 + pending

On Sun, 2016-03-20 at 23:11 +0100, Moritz Mühlenhoff wrote:
> On Sun, Mar 20, 2016 at 06:43:48PM +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Sun, 2016-03-20 at 19:33 +0100, Moritz Muehlenhoff wrote:
> > > +cairo (1.14.0-2.1+deb8u1) jessie; urgency=medium
> > > +
> > > +  * Fix CVE-2016-3190
> > 
> > I'd prefer a slightly more detailed changelog, but please go ahead.
> 
> Thanks, uploaded.

Flagged for acceptance.

Regards,

Adam



Bug#818672: jessie-pu: package pgplot5/5.2.2-19+deb8u1

2016-03-21 Thread Adam D. Barratt
Control: tags -1 + pending

On Mon, 2016-03-21 at 01:23 +0100, Andreas Beckmann wrote:
> On 2016-03-20 17:11, Adam D. Barratt wrote:
> > +pgplot5 (5.2.2-19+deb8u1) jessie; urgency=medium
> > +
> > +  * Non-maintainer upload.
> > +  * Use multiarch path to zconf.h  (Closes: #784783)
> > +(thanks to Edmund Grimley Evans and Vincent McIntyre)
> > 
> > The bug number is typoed (and was in the unstable upload) - it should be
> > #784743. With that changed, please go ahead.
> 
> I just took the changelog entry from sid and rewrote it to mention the
> actual problem fixed, keeping the other bits. Bug number updated and
> uploaded - but I still didn't verify that this references the correct
> bug :-)

Flagged for acceptance.

Regards,

Adam



Bug#797906: jessie-pu: package dolibarr/3.5.5+dfsg1-2

2016-03-21 Thread Adam D. Barratt
Control: tags -1 + pending

On Mon, 2016-03-21 at 13:13 +0100, Raphael Hertzog wrote:
> Hi,
> 
> On Sun, 20 Mar 2016, Adam D. Barratt wrote:
> > > +dolibarr (3.5.5+dfsg1-1+deb8u1) UNRELEASED; urgency=high
> > > +
> > > +  * Fix CVE-2016-1912 (Closes: #812496)
> > > +  * Fix CVE-2015-8685 (Closes: #812449)
> > > +  * Fix CVE-2015-3935 (Closes: #787762)
> > > +
> > > + -- Laurent Destailleur (eldy)   Tue, 08 Sep 
> > > 2015 15:22:52 +0200
> > 
> > I assume the changelog trailer simply needs updating, as I doubt all of
> > the patches were added by September. :-) With that and the changelog
> > distribution set to "jessie", please go ahead.
> 
> Done and uploaded the package for Laurent.

Flagged for acceptance.

Regards,

Adam



Processed: Re: Bug#797906: jessie-pu: package dolibarr/3.5.5+dfsg1-2

2016-03-21 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #797906 [release.debian.org] jessie-pu: package dolibarr/3.5.5+dfsg1-2
Added tag(s) pending.

-- 
797906: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797906
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Re: Qt and OpenSSL transition metadata in relation to Mumble package

2016-03-21 Thread Chris Knadle
Julien Cristau:
> On Mon, Mar 21, 2016 at 20:20:22 +, Chris Knadle wrote:
> 
>> Julien Cristau:
>>> On Sun, Mar 20, 2016 at 01:55:55 +, Chris Knadle wrote:
>>>
>>>> Emilio Pozuelo Monfort:
>>>>> On 19/03/16 19:23, Chris Knadle wrote:
>>>>>> Greetings.
>>>>>>
>>>>>> Executive summary:
>>>>>> I'd like to know if there is metadata that can be added to the Qt4 and Qt5
>>>>>> packages (qt4-x11 and qtbase-opensource-src) which will indicate that they
>>>>>> need to be binNMUed for OpenSSL transitions at nearly the same time that
>>>>>> Mumble gets binNMUed.
>>>> [...]
>>>>>> Is this possible?
>>>>>
>>>>> There's no way to express that kind of relationship. Not unless you get into
>>>>> complex territory which isn't really worth it in this case. Normally binNMUs
>>>>> are scheduled at the same time, so in theory this shouldn't be such a big
>>>>> issue. And it would only affect unstable users, only for a short amount of
>>>>> time.
>>>>
>>>> Ehhh... okay.  The last OpenSSL binNMU had an 11-day difference between
>>>> Mumble getting rebuilt and qt4-x11 being rebuilt in Sid.  That's a short
>>>> time in release terms, but a long time in terms of users finding Mumble
>>>> broken and waiting for it to be fixed.
>>>>
>>>> Either way I have my answer.  Thank you very much.
>>>>
>>> What would it take to fix qt to properly link with libssl?
>>
>> There's an -openssl-linked ./configure option for building Qt with:
>>
>>    https://doc.qt.io/qt-4.8/ssl.html
>>
>> However it's thought that the -openssl-linked option isn't viable due to
>> licensing concerns that would result:
>>
>>    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804487#147
>>
> I don't think dlopen(libssl) vs gcc -lssl makes any difference
> licensing-wise, I suspect either they're both ok or they're both not
> ok...
> 
> Cheers,
> Julien

I could try to talk to the maintainers of the Qt packages to see if they
know if using -openssl-linked is possible... I've been wanting to talk to
them about this for a while anyway.

   -- Chris

-- 
Chris Knadle
chris.kna...@coredump.us



Re: Qt and OpenSSL transition metadata in relation to Mumble package

2016-03-21 Thread Julien Cristau
On Mon, Mar 21, 2016 at 20:20:22 +, Chris Knadle wrote:

> Julien Cristau:
> > On Sun, Mar 20, 2016 at 01:55:55 +, Chris Knadle wrote:
> > 
> >> Emilio Pozuelo Monfort:
> >>> On 19/03/16 19:23, Chris Knadle wrote:
> >>>> Greetings.
> >>>>
> >>>> Executive summary:
> >>>> I'd like to know if there is metadata that can be added to the Qt4 and Qt5
> >>>> packages (qt4-x11 and qtbase-opensource-src) which will indicate that they
> >>>> need to be binNMUed for OpenSSL transitions at nearly the same time that
> >>>> Mumble gets binNMUed.
> >> [...]
> >>>> Is this possible?
> >>>
> >>> There's no way to express that kind of relationship. Not unless you get into
> >>> complex territory which isn't really worth it in this case. Normally binNMUs
> >>> are scheduled at the same time, so in theory this shouldn't be such a big
> >>> issue. And it would only affect unstable users, only for a short amount of
> >>> time.
> >>
> >> Ehhh... okay.  The last OpenSSL binNMU had an 11-day difference between
> >> Mumble getting rebuilt and qt4-x11 being rebuilt in Sid.  That's a short
> >> time in release terms, but a long time in terms of users finding Mumble
> >> broken and waiting for it to be fixed.
> >>
> >> Either way I have my answer.  Thank you very much.
> >>
> > What would it take to fix qt to properly link with libssl?
> 
> There's an -openssl-linked ./configure option for building Qt with:
> 
>    https://doc.qt.io/qt-4.8/ssl.html
> 
> However it's thought that the -openssl-linked option isn't viable due to
> licensing concerns that would result:
> 
>    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804487#147
> 
I don't think dlopen(libssl) vs gcc -lssl makes any difference
licensing-wise, I suspect either they're both ok or they're both not
ok...

Cheers,
Julien



Re: Opinion about linux-grsec in a stable release

2016-03-21 Thread Julien Cristau
On Wed, Mar  2, 2016 at 10:09:47 +0100, Yves-Alexis Perez wrote:

> Hi teams,
> 
> [first of all, I'm writing this with my linux-grsec hat, not my Debian
> security team member hat, obviously]
> 
> As you may know, src:linux-grsec was accepted in unstable earlier this year.
> As a quick summary, this is a source linux package (forked from and
> periodically rebased against src:linux) which generates a linux kernel with
> the grsecurity hardening patch (the patch is mostly about fighting memory
> corruption bugs, but not only, I won't enter into details here to keep it
> short, but more information can be found in the ITP bug #605090).
> 
At this point I think it's not a good fit for stable.  Something very
much like backports, where you can update the package easily and often,
seems like it'd make supporting the package easier.  We only update
(old)stable every few months, which depending on timing vs upstream
releases could become quite awkward.

Cheers,
Julien



Bug#815561: Bug#815520: jessie-pu: package fglrx-driver/1:15.9-4~deb8u2 xvba-video_0.8.0-9+deb8u1

2016-03-21 Thread Adam D. Barratt
On Sat, 2016-03-19 at 21:39 +, Adam D. Barratt wrote:
> Control: tags -1 + pending
> 
> On Mon, 2016-02-22 at 13:23 +, Adam D. Barratt wrote:
> [...]
> > On 2016-02-22 1:05, Andreas Beckmann wrote:
> > > the last fglrx-driver update in jessie brought a small regression:
> > > updates with xvba-va-driver installed fail due to a file overwrite
> > > conflict (#813427).
> > > xvba-va-driver is currently uninstallable in jessie.
> > > xvba-va-driver is no longer needed as a separate package, instead
> > > libfglrx-amdxvba1 brings equivalent files.
> > > 
> > > We need to update both packages to fix this issue.
> [...]
> > > Let's do the discussion with this one bug here and clone it once it
> > > reached confirmed state.
> > 
> > Looks okay to me.
> > 
> > Assuming that the install and upgrade paths have been tested (I imagine 
> > they have :-), please go ahead.
> 
> xvba-video uploaded and flagged for acceptance.

Oops, that was actually the fglrx-driver bug that I tagged as pending -
I assume the upload for that's still planned?

On a related note, xvba-video has non-free build-dependencies, so will
need binary uploads for both amd64 and i386.

Regards,

Adam



Processed: tagging 815520, tagging 815561

2016-03-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # Tag right half of cloned pair
> tags 815520 - pending
Bug #815520 [release.debian.org] jessie-pu: package fglrx-driver/1:15.9-4~deb8u2
Removed tag(s) pending.
> tags 815561 + pending
Bug #815561 [release.debian.org] xvba-video_0.8.0-9+deb8u1
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
815520: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815520
815561: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815561
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Re: Qt and OpenSSL transition metadata in relation to Mumble package

2016-03-21 Thread Chris Knadle
Julien Cristau:
> On Sun, Mar 20, 2016 at 01:55:55 +, Chris Knadle wrote:
> 
>> Emilio Pozuelo Monfort:
>>> On 19/03/16 19:23, Chris Knadle wrote:
>>>> Greetings.
>>>>
>>>> Executive summary:
>>>> I'd like to know if there is metadata that can be added to the Qt4 and Qt5
>>>> packages (qt4-x11 and qtbase-opensource-src) which will indicate that they
>>>> need to be binNMUed for OpenSSL transitions at nearly the same time that
>>>> Mumble gets binNMUed.
>> [...]
>>>> Is this possible?
>>>
>>> There's no way to express that kind of relationship. Not unless you get into
>>> complex territory which isn't really worth it in this case. Normally binNMUs
>>> are scheduled at the same time, so in theory this shouldn't be such a big
>>> issue. And it would only affect unstable users, only for a short amount of
>>> time.
>>
>> Ehhh... okay.  The last OpenSSL binNMU had an 11-day difference between
>> Mumble getting rebuilt and qt4-x11 being rebuilt in Sid.  That's a short
>> time in release terms, but a long time in terms of users finding Mumble
>> broken and waiting for it to be fixed.
>>
>> Either way I have my answer.  Thank you very much.
>>
> What would it take to fix qt to properly link with libssl?

There's an -openssl-linked ./configure option for building Qt with:

   https://doc.qt.io/qt-4.8/ssl.html

However it's thought that the -openssl-linked option isn't viable due to
licensing concerns that would result:

   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804487#147

Right now Qt5 (qtbase-opensource-src) uses the -openssl ./configure option
but not -openssl-linked, Qt4 (qt4-x11) uses neither.  Both Qt4 and Qt5 pull
in libssl-dev and libssl during the build, FWIW.

   -- Chris

-- 
Chris Knadle
chris.kna...@coredump.us



Bug#818837: nmu: libdbi-drivers_0.9.0-3

2016-03-21 Thread Julien Cristau
Control: tag -1 moreinfo

On Sun, Mar 20, 2016 at 21:35:43 +0100, Ruben Undheim wrote:

> There are some memory issues when running the test suite for the package
> openbsc. These disappear if libdbi-drivers is first rebuilt with GCC 5. It is
> hard to track down exactly what the problem is, but rebuilding it seems to make
> the test suite pass for openbsc.
> 
We (well, at least I) don't like to schedule binNMUs without knowing why.

Cheers,
Julien



Processed: Re: Bug#818837: nmu: libdbi-drivers_0.9.0-3

2016-03-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #818837 [release.debian.org] nmu: libdbi-drivers_0.9.0-3
Added tag(s) moreinfo.

-- 
818837: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818837
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Re: Qt and OpenSSL transition metadata in relation to Mumble package

2016-03-21 Thread Julien Cristau
On Sun, Mar 20, 2016 at 01:55:55 +, Chris Knadle wrote:

> Emilio Pozuelo Monfort:
> > On 19/03/16 19:23, Chris Knadle wrote:
> >> Greetings.
> >>
> >> Executive summary:
> >> I'd like to know if there is metadata that can be added to the Qt4 and Qt5
> >> packages (qt4-x11 and qtbase-opensource-src) which will indicate that they
> >> need to be binNMUed for OpenSSL transitions at nearly the same time that
> >> Mumble gets binNMUed.
> [...]
> >> Is this possible?
> > 
> > There's no way to express that kind of relationship. Not unless you get into
> > complex territory which isn't really worth it in this case. Normally binNMUs
> > are scheduled at the same time, so in theory this shouldn't be such a big
> > issue. And it would only affect unstable users, only for a short amount of
> > time.
> 
> Ehhh... okay.  The last OpenSSL binNMU had an 11-day difference between
> Mumble getting rebuilt and qt4-x11 being rebuilt in Sid.  That's a short
> time in release terms, but a long time in terms of users finding Mumble
> broken and waiting for it to be fixed.
> 
> Either way I have my answer.  Thank you very much.
> 
What would it take to fix qt to properly link with libssl?

Cheers,
Julien



Bug#813237: transition: ruby2.3 / followup with -rm transition?

2016-03-21 Thread Christian Hofstaedtler
Hello,

I think we're done with the ruby2.3 transition now (apart from
libguestfs/mips).

It'd be good if we could do the followup ruby2.2-rm transition
soonish. What does -release think about that?

Thanks,
-- 
 ,''`.  Christian Hofstaedtler 
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-



Bug#818908: jessie-pu: package dpkg/1.17.27

2016-03-21 Thread Guillem Jover
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi!

Here's a proposed dpkg 1.17.27, with cherry picked fixes from master
(already in unstable). These include fixes for regressions, memory
leaks, portability, interaction with tools such as GNU tar or the
system shell, install-info transition, and a sync of the architectures
supported (in case some of these end up accepted in the archive).

The change for Config-Version should be safe, as at worst it will have
no effect, otherwise packages relying on the correct behavior will
start to work now, it will also make upgrades easier, for example for
systemd, which I'm aware suffered from this problem.

The «git log» fix is not yet in master though, but it should also be
safe, otherwise the build would simply fail. And I've just realized it's
not documented in debian/changelog, it will be in the ChangeLog, but I
could add it to debian/changelog too.

The changes have passed all unit tests which are part of the build,
and all functional tests in the dpkg-tests git repo. Attached a diff
with translation updates filtered.

Thanks,
Guillem
diff --git a/Makefile.am b/Makefile.am
index aa13270..c9f63d3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -172,6 +172,7 @@ dist-hook:
 exit 1 ; \
 			fi ; \
 		done ; \
+		XDG_CONFIG_HOME= HOME= \
 		git log -C --stat 1.15.0.. >$(distdir)/ChangeLog; \
 	fi
 
diff --git a/check.am b/check.am
index 458214d..5e0d3cf 100644
--- a/check.am
+++ b/check.am
@@ -30,6 +30,7 @@ check-local: $(test_data) $(test_programs) $(test_scripts)
 	  $(TEST_ENV_VARS) \
 	  srcdir=$(srcdir) builddir=$(builddir) \
 	  PERL_DL_NONLAZY=1 \
+	  PERL5LIB=$(abs_top_srcdir)/scripts:$(abs_top_srcdir)/dselect/methods \
 	  PERL5OPT=$(TEST_COVERAGE) \
 	  $(PERL) -MTAP::Harness -e $(TEST_RUNNER) \
 	$(addprefix $(builddir)/,$(test_programs)) \
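Review bot: the added PERL5LIB assignment comes after $(TEST_ENV_VARS) on the check-local command line, so it silently replaces any PERL5LIB a caller passes through TEST_ENV_VARS or the environment instead of extending it. If overriding is the intent (the changelog in this diff says the goal is to avoid the system modules), say so in a comment next to the line. The value is also unquoted, so an $(abs_top_srcdir) containing whitespace would split the assignment.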
diff --git a/cputable b/cputable
index b8b2da2..b376aa0 100644
--- a/cputable
+++ b/cputable
@@ -29,6 +29,7 @@ mips		mips		mips(eb)?		32	big
 mipsel		mipsel		mipsel			32	little
 mips64		mips64		mips64			64	big
 mips64el	mips64el	mips64el		64	little
+nios2		nios2		nios2			32	little
 or1k		or1k		or1k			32	big
 powerpc		powerpc		(powerpc|ppc)		32	big
 powerpcel	powerpcle	powerpcle		32	little
diff --git a/debian/changelog b/debian/changelog
index 8b2a4d0..eca2d78 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,45 @@
+dpkg (1.17.27) jessie; urgency=medium
+
+  [ Guillem Jover ]
+  * Add more Conflicts for removed packages expecting dpkg to ship
+install-info. Namely ada-mode and octave2.1-info. Closes: #783657
+Thanks to Andreas Beckmann .
+  * Remove trailing space before handling blank line dot-separator in
+Dpkg::Control::HashCore. Regression introduced in dpkg 1.17.25.
+Reported by Jakub Wilk . Closes: #789580
+  * Only use the SHELL environment variable for interactive shells.
+Closes: #788819
+  * Move tar option --no-recursion before -T in dpkg-deb. With tar > 1.28 the
+--no-recursion option is now positional, and needs to be passed before
+the -T option, otherwise the tarball will end up with duplicated entries.
+Thanks to Richard Purdie .
+Closes: #807940
+  * Initialize Config-Version also for packages previously in triggers-pending
+state, otherwise we end up not passing the previously configured version
+to «postinst configure», which might consider this a first install instead
+of an upgrade. Closes: #801156
+  * Fix memory leak in dpkg infodb format upgrade logic.
+  * Fix physical file offset comparison in dpkg. Closes: #808912
+Thanks to Yuri Gribov .
+  * Add kfreebsd-armhf support to ostable and triplettable. Closes: #796283
+Thanks to Steven Chamberlain .
+  * Add NIOS2 support to cputable. Thanks to Marek Vasut .
+  * Build system:
+- Set PERL5LIB globally for the test suite to the local modules directory,
+  to avoid using the system modules. Regression introduced in dpkg 1.17.8.
+  Reported by Jérémy Bobbio . Closes: #801329
+- When sys_siglist is defined in the system, try to use NSIG as we cannot
+  compute the array size with sizeof(). If NSIG is missing fallback to 32
+  items. Prompted by Igor Pashev .
+
+  [ Updated scripts translations ]
+  * German (Helge Kreutzmann). (Various fixes)
+
+  [ Updated manpages translations ]
+  * German (Helge Kreutzmann). (Various fixes)
+
+ -- Guillem Jover   Sun, 20 Mar 2016 11:40:28 +0100
+
 dpkg (1.17.26) jessie-security; urgency=high
 
   [ Guillem Jover ]
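Review bot: the "Build system" list in the 1.17.27 entry has no item for the XDG_CONFIG_HOME= HOME= prefix added to the dist-hook git log call in Makefile.am earlier in this diff. Add one so the packaging changelog covers every change shipped in the stable update. The "Fix memory leak in dpkg infodb format upgrade logic" item would also benefit from a few words on what leaked, since it carries no bug reference.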
diff --git a/debian/control b/debian/control
index ade9839..97f06d2 100644
--- a/debian/control
+++ b/debian/control
@@ -80,11 +80,13 @@ Conflicts:
  gcc-4.2-doc (<< 4.2.4.nf1-4~), gcj-4.2-doc (<< 4.2.4.nf1-4~),
  gfortran-4.2-doc (<< 4.2.4.nf1-4~), 

Bug#818906: wheezy-pu: package dpkg/1.16.18

2016-03-21 Thread Guillem Jover
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

Hi!

Here's a proposed dpkg 1.16.18, with cherry picked fixes from master
(already in unstable). These include fixes for regressions, memory leaks,
segmentation faults, portability and interaction with tools such as
GNU tar or the system shell.

The change for Config-Version should be safe, as at worst it will have
no effect, otherwise packages relying on the correct behavior will
start to work now.

The «git log» fix is not yet in master though, but it should also be safe,
otherwise the build would simply fail. And I've just realized it's not
documented in debian/changelog, it will be in the ChangeLog, but I could
add it to debian/changelog too.

The changes have passed all unit tests which are part of the build,
and all functional test in the dpkg-tests git repo. Attached a diff
with translation updates filtered.

Thanks,
Guillem
diff --git a/Makefile.am b/Makefile.am
index 406d3dd..cb12880 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -140,7 +140,7 @@ update-po:
 DISTCLEANFILES = ChangeLog
 
 ChangeLog:
-	git log -C --stat 1.15.0.. >$@
+	XDG_CONFIG_HOME= HOME= git log -C --stat 1.15.0.. >$@
 
 # If we create the dist tarball from the git repository, make sure
 # that we're not forgetting some files...
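Review bot: clearing XDG_CONFIG_HOME and HOME on the ChangeLog rule's git log line keeps per-user git configuration out of the generated file, but the system-wide git configuration is still read, so a system-level log or format setting can still change the output. Consider also setting GIT_CONFIG_NOSYSTEM=1 on the same line, and add a short comment saying why the variables are emptied so the prefix is not dropped as noise later.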
diff --git a/debian/changelog b/debian/changelog
index 1c5a662..19b76f3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,29 @@
+dpkg (1.16.18) wheezy; urgency=medium
+
+  * Remove trailing space before handling blank line dot-separator in
+Dpkg::Control::Hash. Regression introduced in dpkg 1.16.16.
+Reported by Jakub Wilk . Closes: #789580
+  * Only use the SHELL environment variable for interactive shells.
+Closes: #788819
+  * Move tar option --no-recursion before -T in dpkg-deb. With tar > 1.28 the
+--no-recursion option is now positional, and needs to be passed before
+the -T option, otherwise the tarball will end up with duplicated entries.
+Thanks to Richard Purdie .
+Closes: #807940
+  * Initialize Config-Version also for packages previously in triggers-pending
+state, otherwise we end up not passing the previously configured version
+to «postinst configure», which might consider this a first install instead
+of an upgrade. Closes: #801156
+  * Fix memory leaks in dpkg infodb format upgrade logic.
+  * Fix physical file offset comparison in dpkg. Closes: #808912
+Thanks to Yuri Gribov .
+  * Do not accept empty field names in dpkg. Closes: #769111
+  * When sys_siglist is defined in the system, try to use NSIG as we cannot
+compute the array size with sizeof(). If NSIG is missing fallback to 32
+items. Prompted by Igor Pashev .
+
+ -- Guillem Jover   Sun, 20 Mar 2016 10:23:24 +0100
+
 dpkg (1.16.17) wheezy-security; urgency=high
 
   [ Guillem Jover ]
diff --git a/dpkg-deb/build.c b/dpkg-deb/build.c
index b798b1f..e83ed51 100644
--- a/dpkg-deb/build.c
+++ b/dpkg-deb/build.c
@@ -545,7 +545,8 @@ do_build(const char *const *argv)
 m_dup2(p2[1],1); close(p2[0]); close(p2[1]);
 if (chdir(dir))
   ohshite(_("failed to chdir to `%.255s'"), dir);
-execlp(TAR, "tar", "-cf", "-", "--format=gnu", "--null", "-T", "-", "--no-recursion", NULL);
+execlp(TAR, "tar", "-cf", "-", "--format=gnu", "--null", "--no-recursion",
+   "-T", "-", NULL);
 ohshite(_("unable to execute %s (%s)"), "tar -cf", TAR);
   }
   close(p1[0]);
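Review bot: the argument order in the new execlp call is now load-bearing, but nothing in the code says so. Add a comment above it stating that --no-recursion must come before -T - (the changelog in this diff gives the reason: with tar > 1.28 the option is positional and the tarball otherwise ends up with duplicated entries), so a later cleanup does not move it back.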
diff --git a/lib/compat/strsignal.c b/lib/compat/strsignal.c
index 92fad03..7ff23e2 100644
--- a/lib/compat/strsignal.c
+++ b/lib/compat/strsignal.c
@@ -52,7 +52,12 @@ const char *const sys_siglist[] = {
 	"SIGTTIN",	/* 21 */
 	"SIGTTOU",	/* 22 */
 };
+# define COMPAT_NSIGLIST (int)(sizeof(sys_siglist) / sizeof(sys_siglist[0]))
 #else
+# ifndef NSIG
+#  define NSIG 32
+# endif
+# define COMPAT_NSIGLIST NSIG
 extern const char *const sys_siglist[];
 #endif
 
@@ -61,7 +66,7 @@ strsignal(int s)
 {
 	static char buf[100];
 
-	if (s > 0 && s < sizeof(sys_siglist) / sizeof(sys_siglist[0]))
+	if (s > 0 && s < COMPAT_NSIGLIST)
 		return sys_siglist[s];
 
 	sprintf(buf, _("Unknown signal %d"), s);
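Review bot: on the extern sys_siglist path the bound in "s < COMPAT_NSIGLIST" is NSIG, or the fallback 32 from the previous hunk, not the real length of the system array, so the check no longer proves that sys_siglist[s] is in bounds. When NSIG is missing it would be safer to skip the table and fall through to the "Unknown signal" text than to index with a guessed size. A system-provided table may also hold NULL for unassigned signal numbers, so consider testing the entry before returning it.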
diff --git a/lib/dpkg/command.c b/lib/dpkg/command.c
index 859f8a1..f9b3302 100644
--- a/lib/dpkg/command.c
+++ b/lib/dpkg/command.c
@@ -216,14 +216,16 @@ command_shell(const char *cmd, const char *name)
 	const char *shell;
 	const char *mode;
 
-	shell = getenv("SHELL");
-	if (str_is_unset(shell))
-		shell = DEFAULTSHELL;
-
-	if (cmd == NULL)
+	if (cmd == NULL) {
 		mode = "-i";
-	else
+		shell = getenv("SHELL");
+	} else {
 		mode = "-c";
+		shell = NULL;
+	}
+
+	if (str_is_unset(shell))
+		shell = DEFAULTSHELL;
 
 	execlp(shell, shell, mode, cmd, NULL);
 	ohshite(_("unable to execute %s (%s)"), name, cmd);
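Review bot: in the else branch, "shell = NULL" exists only so that the following str_is_unset(shell) test substitutes DEFAULTSHELL; assigning DEFAULTSHELL there directly, and keeping the str_is_unset fallback for the getenv result, reads more clearly. A one-line comment on why SHELL is ignored for the -c case would also keep the change from being reverted. Separately, the context line ohshite(..., name, cmd) passes cmd to a %s conversion, and cmd is NULL in the interactive case this hunk handles.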
diff --git a/lib/dpkg/parse.c b/lib/dpkg/parse.c
index 

Bug#797906: jessie-pu: package dolibarr/3.5.5+dfsg1-2

2016-03-21 Thread Raphael Hertzog
Hi,

On Sun, 20 Mar 2016, Adam D. Barratt wrote:
> > +dolibarr (3.5.5+dfsg1-1+deb8u1) UNRELEASED; urgency=high
> > +
> > +  * Fix CVE-2016-1912 (Closes: #812496)
> > +  * Fix CVE-2015-8685 (Closes: #812449)
> > +  * Fix CVE-2015-3935 (Closes: #787762)
> > +
> > + -- Laurent Destailleur (eldy)   Tue, 08 Sep 
> > 2015 15:22:52 +0200
> 
> I assume the changelog trailer simply needs updating, as I doubt all of
> the patches were added by September. :-) With that and the changelog
> distribution set to "jessie", please go ahead.

Done and uploaded the package for Laurent.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/