Bug#826348: jessie-pu: package ruby2.1/2.1.5-2+deb8u3
Control: tags -1 + confirmed On Sat, 2016-06-04 at 20:32 +0200, Petter Reinholdtsen wrote: > On my Debian Jessie machine, a security issue from 2009 is reported by > debsecan, > https://security-tracker.debian.org/tracker/CVE-2009-5147 >. > > The issue was fixed in Squeeze by the LTS team (DLA-299-1), but has not > yet been fixed in Jessie. I would like to get it fixed, to get it out > of my debsecan list. > > The attached patch is based on the squeeze patch (had to refresh it), and > should solve the problem. We'd generally prefer a bit more testing than "should solve the problem", although I agree that the patch looks sane enough as someone who knows practically nothing about Ruby... Please go ahead. Regards, Adam
Processed: Re: Bug#826348: jessie-pu: package ruby2.1/2.1.5-2+deb8u3
Processing control commands: > tags -1 + confirmed Bug #826348 [release.debian.org] jessie-pu: package ruby2.1/2.1.5-2+deb8u3 Added tag(s) confirmed. -- 826348: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826348 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: tagging 826335
Processing commands for cont...@bugs.debian.org: > tags 826335 - moreinfo Bug #826335 [release.debian.org] jessie-pu: package e2fsprogs/1.42.12-2 Removed tag(s) moreinfo. > thanks Stopping processing here. Please contact me if you need assistance. -- 826335: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826335 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#826335: jessie-pu: package e2fsprogs/1.42.12-2
On Sat, Jun 04, 2016 at 06:28:27PM +0200, Emilio Pozuelo Monfort wrote: > There's no hurd in jessie, so I think it'd be better to leave that out. But > IANASRM. One observation is that the bugfix is not just for e2fsck running on Hurd (although admittedly that's the most likely situation where it could manifest), but it also addresses the situation where e2fsck is being run on a Linux system, but operating on a file system that was meant for Hurd (e.g., in a rescue CD or a dual-boot type situation). - Ted
Bug#826348: jessie-pu: package ruby2.1/2.1.5-2+deb8u3
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu On my Debian Jessie machine, a security issue from 2009 is reported by debsecan, https://security-tracker.debian.org/tracker/CVE-2009-5147 >. The issue was fixed in Squeeze by the LTS team (DLA-299-1), but has not yet been fixed in Jessie. I would like to get it fixed, to get it out of my debsecan list. The attached patch is based on the squeeze patch (had to refresh it), and should solve the problem. I asked on #debian-security how to best get this solved, and Salvatore Bonaccorso (carnil) said the security team did not plan to upload a DSA, so I should use the procedure from https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable > fix it. Is it OK to upload the fix for stable? -- System Information: Debian Release: 8.4 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=no_NO (charmap=locale: Cannot set LC_MESSAGES to default locale: No such file or directory locale: Cannot set LC_ALL to default locale: No such file or directory ISO-8859-1) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru ruby2.1-2.1.5/debian/changelog ruby2.1-2.1.5/debian/changelog --- ruby2.1-2.1.5/debian/changelog 2015-07-30 14:02:04.0 +0200 +++ ruby2.1-2.1.5/debian/changelog 2016-06-04 19:00:48.0 +0200 @@ -1,3 +1,11 @@ +ruby2.1 (2.1.5-2+deb8u3) jessie; urgency=medium + + * Non-maintainer upload to fix security problem. + * Fix CVE-2009-5147: DL::dlopen could open a library with tainted +library name. Based on patch used in DLA-299-1. + + -- Petter Reinholdtsen Sat, 04 Jun 2016 18:59:31 +0200 + ruby2.1 (2.1.5-2+deb8u2) jessie; urgency=high * Apply upstream patches to fix Request hijacking vulnerability in Rubygems diff -Nru ruby2.1-2.1.5/debian/patches/CVE-2009-5147.patch ruby2.1-2.1.5/debian/patches/CVE-2009-5147.patch --- ruby2.1-2.1.5/debian/patches/CVE-2009-5147.patch 1970-01-01 01:00:00.0 +0100 +++ ruby2.1-2.1.5/debian/patches/CVE-2009-5147.patch 2016-06-04 19:38:20.0 +0200 @@ -0,0 +1,31 @@ +Description: CVE-2009-5147: DL::dlopen could open a library with tainted library name +Origin: upstream, https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b +Reviewed-by: Santiago R.R. + +Index: ruby2.1-2.1.5/ext/dl/handle.c +=== +--- ruby2.1-2.1.5.orig/ext/dl/handle.c 2016-06-04 19:38:16.133297957 +0200 ruby2.1-2.1.5/ext/dl/handle.c 2016-06-04 19:38:16.129297922 +0200 +@@ -5,6 +5,8 @@ + #include + #include "dl.h" + ++#define SafeStringValuePtr(v) (rb_string_value(&v), rb_check_safe_obj(v), RSTRING_PTR(v)) ++ + VALUE rb_cDLHandle; + + #ifdef _WIN32 +@@ -132,11 +134,11 @@ + cflag = RTLD_LAZY | RTLD_GLOBAL; + break; + case 1: +- clib = NIL_P(lib) ? NULL : StringValuePtr(lib); ++ clib = NIL_P(lib) ? NULL : SafeStringValuePtr(lib); + cflag = RTLD_LAZY | RTLD_GLOBAL; + break; + case 2: +- clib = NIL_P(lib) ? NULL : StringValuePtr(lib); ++ clib = NIL_P(lib) ? NULL : SafeStringValuePtr(lib); + cflag = NUM2INT(flag); + break; + default: diff -Nru ruby2.1-2.1.5/debian/patches/series ruby2.1-2.1.5/debian/patches/series --- ruby2.1-2.1.5/debian/patches/series 2015-08-26 01:53:36.0 +0200 +++ ruby2.1-2.1.5/debian/patches/series 2016-06-04 18:52:43.0 +0200 @@ -1 +1,2 @@ debian-changes +CVE-2009-5147.patch
Re: Bug#825127: RM: mediawiki/1:1.19.20+dfsg-2.3
On Sat, 2016-06-04 at 15:21 +0200, Roland Mas wrote: > Adam D. Barratt, 2016-06-04 14:02:40 +0100 : > > [...] > > > While that upload did stop producing the mediawiki plugin, I > > unfortunately failed to notice that fusionforge-full has a dependency > > on the plugin package. > > Oh shoot. Sorry about that. No worries. > > By the time we noticed this during the point release it was too late > > to resolve usefully, but if you could please prepare another upload > > that removes the dependency then we can look at getting that pushed > > out to users via jessie-updates. > > It's on its way. Thanks for the very quick turn-around. Unfortunately, the upload got rejected as it appears to have been built against and/or targetted to unstable rather than stable: " adsb@franck:~$ cat queue/reject/fusionforge_5.3.2+20141104-3+deb8u3_amd64.changes.reason Version check failed: Your upload included the source package fusionforge, version 5.3.2+20141104-3+deb8u3, however unstable already has version 6.0.4+20160504-1. Uploads to unstable must have a higher version than present in unstable. " Regards, Adam
Bug#826335: jessie-pu: package e2fsprogs/1.42.12-2
On Sat, Jun 04, 2016 at 05:32:08PM +0100, Adam D. Barratt wrote:
> For future reference, the generally expected workflow for fixes in
> stable is to file this bug _first_, attaching a proposed debdiff which
> is then discussed before any uploads occur. (Had that happened, we'd
> also likely have requested that the package version be 1.42.12-1.1
> +deb8u1.)
Sorry for the process screwup. Enclosed please find the debdiff. I'm
happy to adjust and reupload if you would prefer.
Cheers,
- Ted
diff -Nru e2fsprogs-1.42.12/debian/changelog e2fsprogs-1.42.12/debian/changelog
--- e2fsprogs-1.42.12/debian/changelog 2015-02-21 21:18:20.0 -0500
+++ e2fsprogs-1.42.12/debian/changelog 2016-06-04 12:05:58.0 -0400
@@ -1,3 +1,12 @@
+e2fsprogs (1.42.12-2) jessie; urgency=medium
+
+ * NMU acknowledge (closes: #778948)
+ * Disable prompts for time skew which is fudged in e2fsck (closes: #812141)
+ * Fix potential corruption of Hurd file systems by e2fsck
+ * Fix pointer bugs that could cause crashes in e2fsck and resize2fs
+
+ -- Theodore Y. Ts'o Sat, 04 Jun 2016 11:58:06 -0400
+
e2fsprogs (1.42.12-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru
e2fsprogs-1.42.12/debian/patches/e2fsck-fix-corruption-of-Hurd-filesystems.patch
e2fsprogs-1.42.12/debian/patches/e2fsck-fix-corruption-of-Hurd-filesystems.patch
---
e2fsprogs-1.42.12/debian/patches/e2fsck-fix-corruption-of-Hurd-filesystems.patch
1969-12-31 19:00:00.0 -0500
+++
e2fsprogs-1.42.12/debian/patches/e2fsck-fix-corruption-of-Hurd-filesystems.patch
2016-06-04 11:51:11.0 -0400
@@ -0,0 +1,72 @@
+From 36769c606c270094df0431cbcab9932905adcedc Mon Sep 17 00:00:00 2001
+From: Justus Winter <4win...@informatik.uni-hamburg.de>
+Date: Fri, 23 Jan 2015 10:15:57 -0500
+Subject: [PATCH] e2fsck: fix corruption of Hurd filesystems
+
+Previously, e2fsck accessed the field osd2.linux2.l_i_file_acl_high
+field without checking that the filesystem is indeed created for
+Linux. This lead to e2fsck constantly complaining about certain
+nodes:
+
+i_file_acl_hi for inode XXX (/dev/console) is 32, should be zero.
+
+By "correcting" this problem, e2fsck would clobber the field
+osd2.hurd2.h_i_mode_high.
+
+Properly guard access to the OS dependent fields.
+
+Signed-off-by: Theodore Ts'o
+---
+ e2fsck/pass1.c | 14 --
+ e2fsck/pass2.c | 3 ++-
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/e2fsck/pass1.c b/e2fsck/pass1.c
+index 50a8b99..3bf481f 100644
+--- a/e2fsck/pass1.c
b/e2fsck/pass1.c
+@@ -1082,7 +1082,8 @@ void e2fsck_pass1(e2fsck_t ctx)
+ if (inode->i_faddr || frag || fsize ||
+ (LINUX_S_ISDIR(inode->i_mode) && inode->i_dir_acl))
+ mark_inode_bad(ctx, ino);
+- if (!(fs->super->s_feature_incompat &
++ if ((fs->super->s_creator_os == EXT2_OS_LINUX) &&
++ !(fs->super->s_feature_incompat &
+ EXT4_FEATURE_INCOMPAT_64BIT) &&
+ inode->osd2.linux2.l_i_file_acl_high != 0)
+ mark_inode_bad(ctx, ino);
+@@ -2354,11 +2355,12 @@ static void check_blocks(e2fsck_t ctx, struct
problem_context *pctx,
+ if (LINUX_S_ISREG(inode->i_mode) &&
+ ext2fs_needs_large_file_feature(EXT2_I_SIZE(inode)))
+ ctx->large_files++;
+- if ((pb.num_blocks != ext2fs_inode_i_blocks(fs, inode)) ||
+- ((fs->super->s_feature_ro_compat &
+-EXT4_FEATURE_RO_COMPAT_HUGE_FILE) &&
+- (inode->i_flags & EXT4_HUGE_FILE_FL) &&
+- (inode->osd2.linux2.l_i_blocks_hi != 0))) {
++ if ((fs->super->s_creator_os == EXT2_OS_LINUX) &&
++ ((pb.num_blocks != ext2fs_inode_i_blocks(fs, inode)) ||
++ ((fs->super->s_feature_ro_compat &
++ EXT4_FEATURE_RO_COMPAT_HUGE_FILE) &&
++(inode->i_flags & EXT4_HUGE_FILE_FL) &&
++(inode->osd2.linux2.l_i_blocks_hi != 0 {
+ pctx->num = pb.num_blocks;
+ if (fix_problem(ctx, PR_1_BAD_I_BLOCKS, pctx)) {
+ inode->i_blocks = pb.num_blocks;
+diff --git a/e2fsck/pass2.c b/e2fsck/pass2.c
+index ddfe2eb..4acddae 100644
+--- a/e2fsck/pass2.c
b/e2fsck/pass2.c
+@@ -1365,7 +1365,8 @@ int e2fsck_process_bad_inode(e2fsck_t ctx, ext2_ino_t
dir,
+ }
+ }
+
+- if (!(fs->super->s_feature_incompat &
++ if ((fs->super->s_creator_os == EXT2_OS_LINUX) &&
++ !(fs->super->s_feature_incompat &
+EXT4_FEATURE_INCOMPAT_64BIT) &&
+ inode.osd2.linux2.l_i_file_acl_high != 0) {
+ pctx.num = inode.osd2.linux2.l_i_file_acl_high;
+--
+2.5.0
+
diff -Nru
e2fsprogs-1.42.12/debian/patches/e2fsck-fix-dangling-pointer-when-dir_info-array-is-resized.patch
e2fsprogs-1.42.12/debian/patches/e2fsck-fix-dangling-pointer-when-dir_info-array-is-resized.patch
---
e2
Processed: Re: Bug#826335: jessie-pu: package e2fsprogs/1.42.12-2
Processing control commands: > tags -1 + moreinfo Bug #826335 [release.debian.org] jessie-pu: package e2fsprogs/1.42.12-2 Added tag(s) moreinfo. -- 826335: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826335 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#826335: jessie-pu: package e2fsprogs/1.42.12-2
Control: tags -1 + moreinfo On Sat, 2016-06-04 at 12:20 -0400, Theodore Y. Ts'o wrote: > As requested (sorry for the delay) here is an upload which contains a > cherry-pick for to address Debian Bug #812141: "Cherry-pick "e2fsck: use > PROMPT_NONE for FUTURE_SB_LAST_*_FUDGED problems" for jessie" Was that discussed with anyone on the Release Team beforehand? I can't find any correspondence in my release mail folder at least. > I've also included a bug fix which fix potential Hurd file system > corruptions by e2fsck, and some pointer bugs which (in relatively rare > circumstances) cause e2fsck and resize2fs to crash. I don't know if any > of these could be used cause security problems, but they are trivial > fixes, and they are all upstream (and in testing's 1.43 version of > e2fsprogs). Hurd isn't in jessie, so that's not really a relevant fix. For future reference, the generally expected workflow for fixes in stable is to file this bug _first_, attaching a proposed debdiff which is then discussed before any uploads occur. (Had that happened, we'd also likely have requested that the package version be 1.42.12-1.1 +deb8u1.) Regards, Adam
Bug#826335: jessie-pu: package e2fsprogs/1.42.12-2
On 04/06/16 18:20, Theodore Y. Ts'o wrote: > Package: release.debian.org > Severity: normal > Tags: jessie > User: release.debian@packages.debian.org > Usertags: pu > > As requested (sorry for the delay) here is an upload which contains a > cherry-pick for to address Debian Bug #812141: "Cherry-pick "e2fsck: use > PROMPT_NONE for FUTURE_SB_LAST_*_FUDGED problems" for jessie" > > I've also included a bug fix which fix potential Hurd file system > corruptions by e2fsck, and some pointer bugs which (in relatively rare > circumstances) cause e2fsck and resize2fs to crash. I don't know if any > of these could be used cause security problems, but they are trivial > fixes, and they are all upstream (and in testing's 1.43 version of > e2fsprogs). There's no hurd in jessie, so I think it'd be better to leave that out. But IANASRM. BTW there is no debdiff in your mail. Did you forget to attach it? Cheers, Emilio
Bug#826335: jessie-pu: package e2fsprogs/1.42.12-2
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu As requested (sorry for the delay) here is an upload which contains a cherry-pick for to address Debian Bug #812141: "Cherry-pick "e2fsck: use PROMPT_NONE for FUTURE_SB_LAST_*_FUDGED problems" for jessie" I've also included a bug fix which fix potential Hurd file system corruptions by e2fsck, and some pointer bugs which (in relatively rare circumstances) cause e2fsck and resize2fs to crash. I don't know if any of these could be used cause security problems, but they are trivial fixes, and they are all upstream (and in testing's 1.43 version of e2fsprogs). -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (650, 'testing'), (600, 'unstable'), (500, 'testing-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.6.0-rc6-00235-gb61e5b0 (SMP w/8 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#826327: marked as done (nmu: kde-spectacle_4:5.6.4-3)
Your message dated Sat, 4 Jun 2016 17:44:59 +0200 with message-id and subject line Re: Bug#826327: nmu: kde-spectacle_4:5.6.4-3 has caused the Debian Bug report #826327, regarding nmu: kde-spectacle_4:5.6.4-3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 826327: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826327 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu nmu kde-spectacle_4:5.6.4-3 . hurd-i386 . unstable . -m "Rebuild against libkf5screen7" Due to unlucky timing kde-spectacle was built against libkf5screen6 on hurd. Andreas --- End Message --- --- Begin Message --- On 04/06/16 17:28, Andreas Beckmann wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: binnmu > > nmu kde-spectacle_4:5.6.4-3 . hurd-i386 . unstable . -m "Rebuild against > libkf5screen7" > > Due to unlucky timing kde-spectacle was built against libkf5screen6 on > hurd. Scheduled. Emilio--- End Message ---
Bug#826327: nmu: kde-spectacle_4:5.6.4-3
On 04/06/16 17:44, Emilio Pozuelo Monfort wrote: > On 04/06/16 17:28, Andreas Beckmann wrote: >> Package: release.debian.org >> Severity: normal >> User: release.debian@packages.debian.org >> Usertags: binnmu >> >> nmu kde-spectacle_4:5.6.4-3 . hurd-i386 . unstable . -m "Rebuild against >> libkf5screen7" >> >> Due to unlucky timing kde-spectacle was built against libkf5screen6 on >> hurd. > > Scheduled. Actually: pochu@wuiet:~$ wb nmu kde-spectacle_4:5.6.4-3 . hurd-i386 . unstable . -m "Rebuild against libkf5screen7." * kde-spectacle/hurd-i386 | kde-spectacle: version mismatch (16.04.1-2 by buildd_hurd-i386-mahler) Emilio
Bug#826327: nmu: kde-spectacle_4:5.6.4-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu nmu kde-spectacle_4:5.6.4-3 . hurd-i386 . unstable . -m "Rebuild against libkf5screen7" Due to unlucky timing kde-spectacle was built against libkf5screen6 on hurd. Andreas
Bug#825533: marked as done (jessie-pu: package postgresql-9.1/9.1.22-0+deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #825533, regarding jessie-pu: package postgresql-9.1/9.1.22-0+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 825533: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825533 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, please consider postgresql-9.1/9.1.22-0+deb8u1: postgresql-9.1 (9.1.22-0+deb8u1) jessie; urgency=medium * New upstream release: No effective changes for PL/Perl, the version must just be higher than the one in wheezy. -- Christoph Berg Fri, 27 May 2016 16:03:59 +0200 Christoph signature.asc Description: PGP signature --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#825523: marked as done (jessie-pu: package glusterfs/3.5.2-2+deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #825523, regarding jessie-pu: package glusterfs/3.5.2-2+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 825523: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825523 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hello, to fix the bug #824823 I would like to upload glusterfs/3.5.2-2+deb8u2 if you agree with it: diff -Naur '--exclude=.svn' tags/3.5.2-2+deb8u1/debian/changelog branches/jessie/debian/changelog --- tags/3.5.2-2+deb8u1/debian/changelog2015-07-29 23:23:00.579388299 +0200 +++ branches/jessie/debian/changelog2016-05-27 14:55:21.543800538 +0200 @@ -1,3 +1,10 @@ +glusterfs (3.5.2-2+deb8u2) jessie-proposed-updates; urgency=medium + + * Add missing glusterd hook script to glusterfs-server package. +Closes: #824823 + + -- Patrick Matthäi Fri, 27 May 2016 14:35:11 +0200 + glusterfs (3.5.2-2+deb8u1) jessie-proposed-updates; urgency=medium * Add upstream patch 02-nfs-unix-domain-socket-created-as-fifo to fix a bug diff -Naur '--exclude=.svn' tags/3.5.2-2+deb8u1/debian/glusterfs-server.install branches/jessie/debian/glusterfs-server.install --- tags/3.5.2-2+deb8u1/debian/glusterfs-server.install 2015-07-29 23:23:00.507388486 +0200 +++ branches/jessie/debian/glusterfs-server.install 2016-05-27 14:48:23.954671677 +0200 @@ -6,3 +6,4 @@ etc/glusterfs/glusterfs-georep-logrotate etc/glusterfs/gluster-rsyslog-7.2.conf etc/glusterfs/gluster-rsyslog-5.8.conf +extras/hook-scripts/S56glusterd-geo-rep-create-post.sh var/lib/glusterd/hooks/1/gsync-create/post/ -- System Information: Debian Release: 8.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#825530: marked as done (jessie-pu: package postgresql-9.4/9.4.8-0+deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #825530, regarding jessie-pu: package postgresql-9.4/9.4.8-0+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 825530: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825530 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, please consider postgresql-9.4/9.4.8-0+deb8u1: postgresql-9.4 (9.4.8-0+deb8u1) jessie; urgency=medium * New upstream bugfix release. -- Christoph Berg Fri, 27 May 2016 14:29:53 +0200 Thanks, Christoph signature.asc Description: PGP signature --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#825202: marked as done (jessie-pu: package debian-edu/1.812+deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #825202,
regarding jessie-pu: package debian-edu/1.812+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
825202: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825202
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi,
we'd like to update src:debian-edu in jessie with the following change,
to fix an important bug in this package (which is only used by Debian
Edu itself):
debian-edu (1.812+deb8u1) jessie; urgency=medium
[ Mike Gabriel ]
* Add libdns-mdns to tasks/desktop-other and tasks/main-server (together with
avahi-daemon) to make CUPS browsing really functional. This makes
automatic printer discovery via CUPS browsing work on
multicast-enabled networks. (Closes: #791995).
Also add avahi-discover, mdns-scan, avahi-autoipd and kdnssd to
tasks/main-server as suggested packages.
-- Holger Levsen Tue, 24 May 2016 16:04:32 +0200
The added suggests are mostly a no-op, I've decided to keep them as they
are a.) harmless and b.) to have an identical fix for #791995 everywhere.
$ debdiff debian-edu_1.812.dsc debian-edu_1.812+deb8u1.dsc|diffstat
debian-edu-tasks.desc |9 +++--
debian/changelog | 12
debian/control|7 +++
tasks/desktop-other |2 +-
tasks/main-server |7 +++
5 files changed, 34 insertions(+), 3 deletions(-)
I've attached the proposed diff for review and will upload to jessie
after filing this bug.
Please acceept debian-edu/1.812+deb8u1 into jessie.
This is part of a serious of uploads of Debian Edu packages to jessie,
as we are hoping to only use packages from Debian jessie 8.5 to build
our Debian Edu Jessie release isos. The other packages we need updated
for this are src:debian-edu-(install|config|doc) and src:gosa.
Thanks for your work on Jessie 8.5!
--
cheers,
Holger
diff -Nru debian-edu-1.812/debian/changelog debian-edu-1.812+deb8u1/debian/changelog
--- debian-edu-1.812/debian/changelog 2015-04-14 15:35:04.0 +0200
+++ debian-edu-1.812+deb8u1/debian/changelog 2016-05-24 16:04:36.0 +0200
@@ -1,3 +1,15 @@
+debian-edu (1.812+deb8u1) jessie; urgency=medium
+
+ [ Mike Gabriel ]
+ * Add libdns-mdns to tasks/desktop-other and tasks/main-server (together with
+avahi-daemon) to make CUPS browsing really functional. This makes
+automatic printer discovery via CUPS browsing work on
+multicast-enabled networks. (Closes: #791995).
+Also add avahi-discover, mdns-scan, avahi-autoipd and kdnssd to
+tasks/main-server as suggested packages.
+
+ -- Holger Levsen Tue, 24 May 2016 16:04:32 +0200
+
debian-edu (1.812) unstable; urgency=high
* Drop education-desktop-sugar meta package, as Jessie will be released
diff -Nru debian-edu-1.812/debian/control debian-edu-1.812+deb8u1/debian/control
--- debian-edu-1.812/debian/control 2015-04-14 15:36:21.0 +0200
+++ debian-edu-1.812+deb8u1/debian/control 2016-05-24 16:00:08.0 +0200
@@ -462,6 +462,7 @@
ktuberling,
libav-tools,
libgl1-mesa-dri,
+ libnss-mdns,
libreoffice,
libreoffice-help-el,
libreoffice-help-es,
@@ -914,6 +915,7 @@
Depends: education-tasks (= ${binary:Version})
Recommends: apache2,
atftpd | tftpd-hpa,
+ avahi-daemon,
bind9 | pdns-backend-ldap,
debian-installer-8-netboot-amd64,
debian-installer-8-netboot-i386,
@@ -944,6 +946,7 @@
krb5-kdc-ldap,
ldap2zone | pdns-recursor,
libapache2-mod-auth-kerb,
+ libnss-mdns,
libsasl2-modules-gssapi-mit,
links,
makepasswd,
@@ -968,6 +971,8 @@
syslinux-common,
tdb-tools
Suggests: apache2-doc,
+ avahi-autoipd,
+ avahi-discover,
calamaris,
debian-edu-fr-all,
debian-edu-fr-skels,
@@ -977,8 +982,10 @@
dnswalk,
dovecot-pop3d,
dsh,
+ kdnssd,
krb5-doc,
libsasl2-modules-ldap,
+ mdns-scan,
mysql-client,
nagios3-doc,
nfs-server,
diff -Nru debian-edu-1.812/debian-edu-tasks.desc debian-edu-1.812+deb8u1/debian-edu-tasks.desc
--- debian-edu-1.812/debian-edu-tasks.desc 2015-04-14 15:36:01.0 +0200
+++ debian-edu-1.812+deb8u1/debian-edu-tasks.desc 2016-05-24 15:59:56.0 +0200
@@ -542,6 +542,7 @@
gnupg2
gnupg-agent
avahi-daemon
+ libnss-mdns
cups-client
cups-bsd
unzip
@@ -1304,6 +1305,8 @@
network-manager
gosa-desktop
iptables
+ avahi-daemo
Bug#825205: marked as done (jessie-pu: package debian-edu-install/1.821+deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #825205, regarding jessie-pu: package debian-edu-install/1.821+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 825205: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825205 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, we'd like to update src:debian-edu-install in jessie with the following change, to sync the version number used in the installer, the documentation and elsewhere: (this package is only used by Debian Edu itself) The debdiff is: $ debdiff debian-edu-install_1.821.dsc debian-edu-install_1.821+deb8u1.dsc dpkg-source: Warnung: unsigniertes Quellpaket wird extrahiert (/home/holgi/Projects/debian-edu/git/debian-edu-install_1.821+deb8u1.dsc) dpkg-source: Warnung: unsigniertes Quellpaket wird extrahiert (/home/holgi/Projects/debian-edu/git/debian-edu-install_1.821+deb8u1.dsc) diff -Nru debian-edu-install-1.821/debian/changelog debian-edu-install-1.821+deb8u1/debian/changelog --- debian-edu-install-1.821/debian/changelog 2015-04-14 19:27:13.0 +0200 +++ debian-edu-install-1.821+deb8u1/debian/changelog2016-05-24 16:23:18.0 +0200 @@ -1,3 +1,9 @@ +debian-edu-install (1.821+deb8u1) jessie; urgency=medium + + * Update version number to 8+edu0 in preparation of our first Jessie release. + + -- Holger Levsen Tue, 24 May 2016 16:20:10 +0200 + debian-edu-install (1.821) unstable; urgency=high * Update version number to 8.0+edu0~beta1 in preparation of our first Jessie diff -Nru debian-edu-install-1.821/debian/debian-edu-install.postinst debian-edu-install-1.821+deb8u1/debian/debian-edu-install.postinst --- debian-edu-install-1.821/debian/debian-edu-install.postinst 2015-04-14 19:23:20.0 +0200 +++ debian-edu-install-1.821+deb8u1/debian/debian-edu-install.postinst 2016-05-23 00:17:14.0 +0200 @@ -154,7 +154,8 @@ '7.0.0+edu+alpha0' '7.0.0+edu+alpha2' '7.0.0+edu+alpha3' \ '7.1+edu0~a3' '7.1+edu0~b0' '7.1+edu0~b1' '7.1+edu0~b2' \ '7.1+edu0' '8.0.0+edu+alpha0' '8.0+edu+alpha0' \ -'8.0+edu0~alpha0' '8.0+edu0~alpha1' '8.0+edu0~alpha2' +'8.0+edu0~alpha0' '8.0+edu0~alpha1' '8.0+edu0~alpha2' \ +'8.0+edu0~beta1' do if [ "$VERSION" = "$i" ] ; then sed -i $debian_edu_config -e \ diff -Nru debian-edu-install-1.821/version debian-edu-install-1.821+deb8u1/version --- debian-edu-install-1.821/version2015-04-14 19:23:20.0 +0200 +++ debian-edu-install-1.821+deb8u1/version 2016-05-23 00:17:14.0 +0200 @@ -1 +1 @@ -8.0+edu0~beta1 +8+edu0 I've just uploaded this to jessie. Please acceept debian-edu-install/1.821+deb8u1 into jessie. Thanks for your work on Jessie 8.5! -- cheers, Holger signature.asc Description: Digital signature --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#825221: marked as done (jessie-pu: package hivex/1.3.10-2+deb8u2)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #825221,
regarding jessie-pu: package hivex/1.3.10-2+deb8u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
825221: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825221
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi,
I'd like to update hivex, backporting a patch from 1.3.13-2 that fixes
ruby-hivex so that it is actually usable:
hivex (1.3.10-2+deb8u2) jessie; urgency=medium
* Fix ruby-hivex installation (Closes: #819261)
-- Hilko Bengen Tue, 24 May 2016 20:37:40 +0200
Cheers,
-Hilko
diff -Nru hivex-1.3.10/debian/changelog hivex-1.3.10/debian/changelog
--- hivex-1.3.10/debian/changelog 2015-03-07 17:19:06.0 +0100
+++ hivex-1.3.10/debian/changelog 2016-05-24 20:44:27.0 +0200
@@ -1,3 +1,9 @@
+hivex (1.3.10-2+deb8u2) jessie; urgency=medium
+
+ * Fix ruby-hivex installation (Closes: #819261)
+
+ -- Hilko Bengen Tue, 24 May 2016 20:37:40 +0200
+
hivex (1.3.10-2+deb8u1) testing-proposed-updates; urgency=medium
* Added upstream patches that fix CVE-2014-9273 ("missing checks for
diff -Nru hivex-1.3.10/debian/control hivex-1.3.10/debian/control
--- hivex-1.3.10/debian/control 2015-03-07 15:30:38.0 +0100
+++ hivex-1.3.10/debian/control 2016-05-24 20:36:57.0 +0200
@@ -121,7 +121,7 @@
Architecture: any
Section: ruby
XB-Ruby-Versions: ${ruby:Versions}
-Depends: ${python:Depends}, ${shlibs:Depends}, ${misc:Depends}
+Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Ruby bindings for hivex
Ruby bindings for libhivex, a library for reading and writing
Windows Registry "hive" binary files.
diff -Nru hivex-1.3.10/debian/ruby-hivex.install hivex-1.3.10/debian/ruby-hivex.install
--- hivex-1.3.10/debian/ruby-hivex.install 2015-03-07 12:55:03.0 +0100
+++ hivex-1.3.10/debian/ruby-hivex.install 2016-05-24 20:36:57.0 +0200
@@ -1 +1,2 @@
usr/lib/ruby
+usr/lib/*-*/ruby
diff -Nru hivex-1.3.10/debian/rules hivex-1.3.10/debian/rules
--- hivex-1.3.10/debian/rules 2015-03-07 12:55:03.0 +0100
+++ hivex-1.3.10/debian/rules 2016-05-24 20:36:57.0 +0200
@@ -85,5 +85,4 @@
dh_strip --dbg-package=libhivex0-dbg
override_dh_install:
- rm debian/tmp/usr/lib/python*/dist-packages/libhivexmod.la
- dh_install
+ dh_install --fail-missing -X.la -X.so.owner
--- End Message ---
--- Begin Message ---
Version: 8.5
Hi,
The fixes referred to by each of these bugs were included in today's 8.5
point release.
Regards,
Adam--- End Message ---
Bug#824484: marked as done (jessie-pu: package libksba/1.3.2-1+deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #824484,
regarding jessie-pu: package libksba/1.3.2-1+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
824484: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824484
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi
libksba in jessie is affected by some CVEs which do not neccessarly
seem to need a DSA. I would like to propose the attached
debdiff/update for libksba via the next jessie point release.
Would you accept that upload? I took the git commits without
modifying, thus the first patch as well updates the copyright years
notice in one file. I can drop that if you prefer.
The "Fix an OOB read access in _ksba_dn_to_str" patch is an addition
to CVE-2016-4356 required. If we do not apply that one libskba will be
affected by CVE-2016-4574.
Thanks a lot for your time and review already,
Regards,
Salvatore
diff -Nru libksba-1.3.2/debian/changelog libksba-1.3.2/debian/changelog
--- libksba-1.3.2/debian/changelog 2014-11-25 20:08:22.0 +0100
+++ libksba-1.3.2/debian/changelog 2016-05-16 17:18:48.0 +0200
@@ -1,3 +1,14 @@
+libksba (1.3.2-1+deb8u1) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * Do not abort on decoder stack overflow (CVE-2016-4353)
+ * Fix integer overflow in the BER decoder (CVE-2016-4354 CVE-2016-4355)
+ * Fix encoding of invalid utf-8 strings in dn.c (CVE-2016-4356)
+ * Fix an OOB read access in _ksba_dn_to_str
+ * Fix possible read access beyond the buffer (CVE-2016-4579)
+
+ -- Salvatore Bonaccorso Mon, 16 May 2016 17:18:33 +0200
+
libksba (1.3.2-1) unstable; urgency=high
* New upstream security release, fixing a buffer overflow in ksba_oid_to_str
diff -Nru
libksba-1.3.2/debian/patches/Do-not-abort-on-decoder-stack-overflow.patch
libksba-1.3.2/debian/patches/Do-not-abort-on-decoder-stack-overflow.patch
--- libksba-1.3.2/debian/patches/Do-not-abort-on-decoder-stack-overflow.patch
1970-01-01 01:00:00.0 +0100
+++ libksba-1.3.2/debian/patches/Do-not-abort-on-decoder-stack-overflow.patch
2016-05-16 17:18:48.0 +0200
@@ -0,0 +1,137 @@
+From 07116a314f4dcd4d96990bbd74db95a03a9f650a Mon Sep 17 00:00:00 2001
+From: Werner Koch
+Date: Thu, 9 Apr 2015 11:50:03 +0200
+Subject: [PATCH] Do not abort on decoder stack overflow.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* src/ber-decoder.c (push_decoder_state, pop_decoder_state): Return an
+error code.
+(set_error): Prefix error message with "ksba:". Act on new return code.
+(decoder_next): Act on new return code.
+--
+
+This changes the behaviour from
+
+ gpgsm: unknown hash algorithm '1.8.48.48.48.48.48.48.48.48'
+ gpgsm: detached signature w/o data - assuming certs-only
+ ERROR: decoder stack overflow!
+ Aborted
+
+to
+
+ gpgsm: detached signature w/o data - assuming certs-only
+ ksba: ber-decoder: stack overflow!
+ gpgsm: ksba_cms_parse failed: Limit reached
+
+Use "gpgsm --verify FILE" to exhibit the problem. FILE is
+-BEGIN PGP ARMORED FILE-
+
+MDAGCSqGSIb3DQEHAqCAMDACAQExDzANBgkwMDAwMDAwMDAwADCABgkwMDAwMDAw
+MDAAMDEwoIGTMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
+MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
+MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
+MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
+MDAwMDAwMDAwMDAwMDAjMDA=
+=PQdP
+-END PGP ARMORED FILE-
+
+Reported-by: Hanno B??ck
+Signed-off-by: Werner Koch
+---
+ src/ber-decoder.c | 30 ++
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/src/ber-decoder.c b/src/ber-decoder.c
+index b4689fa..9e70d92 100644
+--- a/src/ber-decoder.c
b/src/ber-decoder.c
+@@ -1,5 +1,5 @@
+ /* ber-decoder.c - Basic Encoding Rules Decoder
+- * Copyright (C) 2001, 2004, 2006, 2012 g10 Code GmbH
++ * Copyright (C) 2001, 2004, 2006, 2012, 2015 g10 Code GmbH
+ *
+ * This file is part of KSBA.
+ *
+@@ -175,26 +175,28 @@ dump_decoder_state (DECODER_STATE ds)
+ }
+
+ /* Push ITEM onto the stack */
+-static void
++static gpg_error_t
+ push_decoder_state (DECODER_STATE ds)
+ {
+ if (ds->idx >= ds->stacksize)
+ {
+- fprintf (stderr, "ERROR: decoder stack overflow!\n");
+- abort ();
++ fpri
Bug#825232: marked as done (jessie-pu: package nmap/6.47.3+deb8u2)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #825232,
regarding jessie-pu: package nmap/6.47.3+deb8u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
825232: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825232
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi,
I would like to update nmap in jessie, fixing a packaging issue with the
ndiff package that renders it unusable (unless zenmap which pulls in a
bunch of GUI-related libraries is also installed) and two upstream
issues that make the nmap itself unusable under certain conditions.
nmap (6.47-3+deb8u1) jessie; urgency=medium
* Added upstream patch to deal with unuseable socks proxy (Closes:
#773817)
* Apply patch by Jan Nordholz to ignore unenumerable interfaces (Closes:
#821913)
* Moved ndiff.py from zenmap to ndiff, added versioned Breaks/Replaces
(Closes: #789776, #789897)
-- Hilko Bengen Tue, 24 May 2016 22:04:40 +0200
Cheers,
-Hilko
diff -Nru nmap-6.47/debian/changelog nmap-6.47/debian/changelog
--- nmap-6.47/debian/changelog 2014-10-11 19:37:20.0 +0200
+++ nmap-6.47/debian/changelog 2016-05-24 22:05:41.0 +0200
@@ -1,3 +1,14 @@
+nmap (6.47-3+deb8u1) jessie; urgency=medium
+
+ * Added upstream patch to deal with unuseable socks proxy (Closes:
+#773817)
+ * Apply patch by Jan Nordholz to ignore unenumerable interfaces (Closes:
+#821913)
+ * Moved ndiff.py from zenmap to ndiff, added versioned Breaks/Replaces
+(Closes: #789776, #789897)
+
+ -- Hilko Bengen Tue, 24 May 2016 22:04:40 +0200
+
nmap (6.47-3) unstable; urgency=medium
* Updated German translation of zenmap, thanks to Chris Leick (Closes:
diff -Nru nmap-6.47/debian/control nmap-6.47/debian/control
--- nmap-6.47/debian/control 2014-10-11 19:36:35.0 +0200
+++ nmap-6.47/debian/control 2016-05-24 22:01:36.0 +0200
@@ -54,6 +54,8 @@
Architecture: all
Recommends: nmap
Conflicts: nmap (<< ${source:Version})
+Breaks: zenmap (<< 6.47-5~)
+Replaces: zenmap (<< 6.47-5~)
Depends: ${python:Depends}, ${misc:Depends}, python-lxml,
Description: The Network Mapper - result compare utility
Ndiff is a tool to aid in the comparison of Nmap scans. It takes two
diff -Nru nmap-6.47/debian/ndiff.install nmap-6.47/debian/ndiff.install
--- nmap-6.47/debian/ndiff.install 2014-05-30 21:40:10.0 +0200
+++ nmap-6.47/debian/ndiff.install 2016-05-24 21:06:33.0 +0200
@@ -1,2 +1,3 @@
usr/bin/ndiff
usr/share/man/man1/ndiff.1
+usr/lib/python2.7/*/ndiff.py
diff -Nru nmap-6.47/debian/patches/0004-Fail-early-when-unable-to-properly-resolve-proxy-nam.patch nmap-6.47/debian/patches/0004-Fail-early-when-unable-to-properly-resolve-proxy-nam.patch
--- nmap-6.47/debian/patches/0004-Fail-early-when-unable-to-properly-resolve-proxy-nam.patch 1970-01-01 01:00:00.0 +0100
+++ nmap-6.47/debian/patches/0004-Fail-early-when-unable-to-properly-resolve-proxy-nam.patch 2016-05-24 21:05:44.0 +0200
@@ -0,0 +1,31 @@
+From: Hilko Bengen
+Date: Mon, 27 Apr 2015 00:05:21 +0200
+Subject: Fail early when unable to properly resolve proxy names.
+
+This is a backported patch from r33198 from upstream SVN.
+---
+ nsock/src/nsock_proxy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nsock/src/nsock_proxy.c b/nsock/src/nsock_proxy.c
+index 4850869..8b19ef2 100644
+--- a/nsock/src/nsock_proxy.c
b/nsock/src/nsock_proxy.c
+@@ -368,7 +368,7 @@ static struct proxy_node *proxy_node_new(char *proxystr) {
+ break;
+
+ if (pspec->ops->node_new(&proxy, &uri) < 0)
+-proxy = NULL;
++fatal("Cannot initialize proxy node %s", proxystr);
+
+ uri_free(&uri);
+
+@@ -455,7 +455,7 @@ int proxy_resolve(const char *host, struct sockaddr *addr, size_t *addrlen) {
+
+ rc = getaddrinfo(host, NULL, NULL, &res);
+ if (rc)
+-return -rc;
++return -abs(rc);
+
+ *addr = *res->ai_addr;
+ *addrlen = res->ai_addrlen;
diff -Nru nmap-6.47/debian/patches/0005-Ignore-errors-when-enumerating-interfaces.patch nmap-6.47/debian/patches/0005-Ignore-errors-when-enumerating-interfaces.patch
--- nmap-6.47/debian/patches/0005-Ignore-errors-when-enumerating-interfaces.patch 1970-01-01 01:00:00.0 +0100
+++ nmap-6.47/debian/patches/0005-Ignore-errors-when-enumerating-interfaces.patch 2016-05-24 22:0
Bug#825259: marked as done (jessie-pu: package debian-edu-config/1.818+deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #825259, regarding jessie-pu: package debian-edu-config/1.818+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 825259: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825259 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, we'd like to update src:debian-edu-changes in jessie with the following changes, fixing a number of rather important bugs for Debian Edu. The debian-edu-config package is also only *used* by Debian Edu itself, so potential harm is limited on us ;-) The changelog reads: debian-edu-config (1.818+deb8u1) jessie; urgency=low [ Petter Reinholdtsen ] * Translation updates: - Updated Brazilian Portuguese translation for debconf questions (Closes: #785467). Translated by Adriano Rafael Gomes. [ Mike Gabriel ] * Add quotes around DNs when evoking kadmin.local in gosa-create and gosa-create-host. (Closes: #792042). * debian-edu-fsautoresize: Always use mapper names instead of kernel names when detecting supported mount points. (Closes: #800651). Thanks to Wolfgang Schweer and Giorgio Pioda. * gosa-sync: Test if a given user account actually is a Kerberos account. If not, don't try to set the Kerberos password for this account. (Closes: #798435). * gosa-sync: Fix escaping double quotes and semicolons. (Closes: #794000). * exim4 mainserver configuration: Allow Debian Edu clients on the default Debian Edu network to directly send mails to the main server (by white- listing the 10./8 network). This fixes console mailing and system mails on Debian Edu clients (Closes: #794602). * Set configVersion="Managed-by-Debian-Edu" in gosa.conf. (Closes: #794189). This requires gosa (>= 2.7.4+reloaded2-1+deb8u2~) to be installed on the main server. * wpad.dat: Use DIRECT connects for URL hosts being in network 127./8 and for hosts being in the .local domain. (Closes: #803911). * GOsa: Add POSTLOCK and POSTUNLOCK hooks for GOsa password locking. These hook scripts (gosa-lock-user, gosa-unlock-user) take care of locking/ unlocking the Kerberos part of user accounts. (Closes: #804207). * Adapt to a code injection prevention fix in GOsa (starting with Debian package gosa 2.7.4+reloaded2-1+deb8u2): Don't mention the sambaHashHook parameter in gosa.conf anymore (as hashed passwords now have to be base64 encoded). Already existing gosa.conf files on deployed servers should drop the sambaHashHook from the gosa.conf file, as well, once gosa is updated to the above referenced GOsa version. * CUPS: Do hostname lookups, so https redirects are done to the FQDN of the CUPS server instead of to its IP address. (Closes: #805402). * Improve gosa-lock-user, gosa-unlock-user: When logging success/failure, differentiate between non-existent and non-kerberized accounts. * Don't create home dir and Kerberos principal for GOsa user template account. (Closes: #815040). [ Wolfgang Schweer ] * Adjust tools/subnet-change for squid3. (Closes: #800654) * Fix XML syntax error in gosa.conf. (Closes: #820551). * Add script sbin/debian-edu-nscd-netgroup-cache (workaround for #791562). -- Holger Levsen Wed, 25 May 2016 00:21:53 +0200 The diffstat is: $ debdiff debian-edu-config_1.818.dsc debian-edu-config_1.818+deb8u1.dsc | diffstat Makefile |3 + debian/changelog | 49 + debian/po/pt_BR.po | 31 +++ etc/cups/cupsd-debian-edu.conf |2 - etc/exim4/exim-ldap-server-v4.conf |5 +- etc/gosa/gosa.conf |9 ++-- ldap-bootstrap/sudo.ldif |2 + sbin/debian-edu-fsautoresize |8 sbin/debian-edu-nscd-netgroup-cache| 32 share/debian-edu-config/tools/gosa-create |4 +- share/debian-edu-config/tools/gosa-create-host |2 - share/debian-edu-config/tools/gosa-lock-user | 48 share/debian-edu-config/tools/gosa-sync| 15 +++ share/debian-edu-config/tools/gosa-unlock-user | 48 share/debian-edu-config/tools/su
Bug#825260: marked as done (jessie-pu: package debian-edu-doc/1.6~20160519~8+edu0)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #825260, regarding jessie-pu: package debian-edu-doc/1.6~20160519~8+edu0 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 825260: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825260 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, we'd like to update src:debian-edu-doc in jessie with the following documentation and translation only changes: debian-edu-doc (1.6~20160519~8+edu0) jessie; urgency=medium [ Holger Levsen ] * Update Debian Edu Jessie and Wheezy manuals from the wiki. * Update debian/copyright from the wiki using the update-copyright target. [ Wolfgang Schweer ] * Adjust Danish po file to fix building the Jessie PDF manual. [ Jessie Manual translation updates ] * Norwegian Bokmål: Ingrid Yrvin. * German: Wolfgang Schweer. * Dutch: Frans Spiesschaert. [ Wheezy Manual translation updates ] * Norwegian Bokmål: Ingrid Yrvin. The package however is not ready yet, as we want to give translators more time to finish the remaining fuzzy strings. So basically we would like to upload this as late as possible *at your convinience* - when is that? Is Sunday morning fine or rather Saturday evening? (european time) The current debdiff is like the following and won't see any major changes: $ git diff 1.6_20150422_8_+edu0_beta1..jessie|diffstat debian/changelog | 46 debian/copyright |3 documentation/audacity/audacity-manual.nb.po | 21 documentation/audacity/audacity-manual.pot |2 documentation/debian-edu-jessie/debian-edu-jessie-manual.da.po | 753 ++--- documentation/debian-edu-jessie/debian-edu-jessie-manual.de.po | 639 ++-- documentation/debian-edu-jessie/debian-edu-jessie-manual.es.po | 505 +-- documentation/debian-edu-jessie/debian-edu-jessie-manual.fr.po | 779 ++--- documentation/debian-edu-jessie/debian-edu-jessie-manual.it.po | 878 +++--- documentation/debian-edu-jessie/debian-edu-jessie-manual.nb.po | 1018 +++ documentation/debian-edu-jessie/debian-edu-jessie-manual.nl.po | 860 +++--- documentation/debian-edu-jessie/debian-edu-jessie-manual.pot | 325 -- documentation/debian-edu-jessie/debian-edu-jessie-manual.xml | 182 - documentation/debian-edu-jessie/images/de/worldmap.png |binary documentation/debian-edu-jessie/images/es/worldmap.png |binary documentation/debian-edu-jessie/images/fr/worldmap.png |binary documentation/debian-edu-jessie/images/worldmap.png|binary documentation/debian-edu-jessie/version|2 documentation/debian-edu-wheezy/debian-edu-wheezy-manual.da.po | 90 documentation/debian-edu-wheezy/debian-edu-wheezy-manual.de.po | 100 documentation/debian-edu-wheezy/debian-edu-wheezy-manual.es.po | 72 documentation/debian-edu-wheezy/debian-edu-wheezy-manual.fr.po | 90 documentation/debian-edu-wheezy/debian-edu-wheezy-manual.it.po | 90 documentation/debian-edu-wheezy/debian-edu-wheezy-manual.nb.po | 1426 +- documentation/debian-edu-wheezy/debian-edu-wheezy-manual.nl.po | 101 documentation/debian-edu-wheezy/debian-edu-wheezy-manual.pot | 40 documentation/debian-edu-wheezy/debian-edu-wheezy-manual.xml | 13 documentation/debian-edu-wheezy/images/de/worldmap.png |binary documentation/debian-edu-wheezy/images/es/worldmap.png |binary documentation/debian-edu-wheezy/images/fr/worldmap.png |binary documentation/debian-edu-wheezy/images/worldmap.png|binary documentation/rosegarden/rosegarden-manual.nb.po | 344 +- documentation/rosegarden/rosegarden-manual.pot |2 33 files changed, 4285 insertions(+), 4096 deletions(-) Please acceept debian-edu-doc/1.6~20160519~8+edu into jessie eventually ;) I've also decided to use this version number, as 1.6~20150422~8+edu0~beta1+deb8u1 would have be too weird IMO. Thanks for your work on Jessie 8.5! -- cheers, Holger signature.asc Description: Digital signature --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam-
Bug#825087: marked as done (jessie-pu: package chrony/1.30-2+deb8u2)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #825087, regarding jessie-pu: package chrony/1.30-2+deb8u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 825087: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825087 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, Could you please accept chrony 1.30-2+deb8u2 in the next jessie point release? It fixes three issues of different magnitudes. The most important one is the fix for CVE-2016-1567 though it didn’t warrant a DSA. The next one might sound probably not important enough to be fixed in a stable point release but it has some nasty consequences. We are mistakenly deleting the content of /var/lib/chrony on package removal. This directory contains the driftfile and the measurement history for each time source. The former file has a particularly important role, it stores the gain or loss rate of the system clock relative to the RTC which could take some time to calculate depending of how crappy the RTC is so it would be definitely better if we could avoid to delete it each time chrony is upgraded or installed from Config-Files state. To conclude, the last fix revises the postrotate script from the logrotate configuration file. It suffers from two issues, the first one is that it assumes the commandkey directive from chrony.conf takes ID 1, that’s not necessarily true! Also, as leading tabs aren’t ignored in the heredoc, the delimiting identifier is passed to chronyc option causing some noise (Unrecognized command) in logs. To fix that issue, I could have appended a minus sign to “<<” but that wouldn’t have solved the other the other one, consequently I decided to just make use of the dedicated option provided by chronyc to fix both problems. Voilà, hope that’s receivable! Have a good day, Vincent -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (990, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#823678: marked as done (jessie-pu: package ngspice/26-1.1~deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #823678, regarding jessie-pu: package ngspice/26-1.1~deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 823678: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823678 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, ngspice [non-free] FTBFS with recent pbuilder/sbuild that undefine HOME. This is just a rebuild of the fix theat I NMUed into sid: Pass an explicit -userdir to lyx to not fall back to $HOME/.lyx Andreas diff -Nru ngspice-26/debian/changelog ngspice-26/debian/changelog --- ngspice-26/debian/changelog 2014-07-05 23:49:29.0 +0200 +++ ngspice-26/debian/changelog 2016-05-07 14:51:06.0 +0200 @@ -1,3 +1,18 @@ +ngspice (26-1.1~deb8u1) jessie; urgency=medium + + * Non-maintainer upload. + * Rebuild for jessie. + + -- Andreas Beckmann Sat, 07 May 2016 14:50:10 +0200 + +ngspice (26-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Run lyx with a temporary -userdir to not rely on $HOME, thanks to +Johann Klammer. (Closes: #813119) + + -- Andreas Beckmann Mon, 25 Apr 2016 20:50:13 +0200 + ngspice (26-1) unstable; urgency=low * New upstream release (Closes: #706821) diff -Nru ngspice-26/debian/rules ngspice-26/debian/rules --- ngspice-26/debian/rules 2014-07-05 23:49:29.0 +0200 +++ ngspice-26/debian/rules 2016-04-25 19:30:19.0 +0200 @@ -33,6 +33,7 @@ #cp -f /usr/share/misc/config.sub build/ngspice/doc/config.sub #cp -f /usr/share/misc/config.guess build/ngspice/doc/config.guess cp -a manual build/ + mkdir -p build/manual/.lyx # Make build dir for tclspice mkdir -p build/tclspice cp -Rl `ls . |grep -v build|grep -v debian` build/tclspice @@ -77,9 +78,9 @@ build-indep: config.status # Build documentation dh_testdir - #cd build/manual && lyx --export ps manual.lyx - cd build/manual && lyx --export pdf2 manual.lyx - cd build/manual && lyx --export html manual.lyx + #cd build/manual && lyx -userdir ./.lyx -batch --export ps manual.lyx + cd build/manual && lyx -userdir ./.lyx -batch --export pdf2 manual.lyx + cd build/manual && lyx -userdir ./.lyx -batch --export html manual.lyx touch $@ clean: --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#825226: marked as done (jessie-pu: package evince/3.14.1-2+deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #825226,
regarding jessie-pu: package evince/3.14.1-2+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
825226: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825226
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
I would like to patch a couple of bugs in the stable release of evince.
* reload-page-count.patch. Fix crash when document has pages removed and
is reloaded. Update the end page index when the document is reloaded
(Closes: #805276). This effects people who use evince as a previewer while
working in latex or a similar typesetter.
* check-load-job-success.patch. Fix crash in recent documents view when
a recent document fails to load. Check whether a document's load job failed
before creating it's thumbnail (Closes: #762719). It's possible to get into a
situation where evince is unusable because you've recently viewed a password
protected PDF. Evince is unable to create a thumbnail for the PDF and crashes
on startup.
debdiff is attached
diff -Nru evince-3.14.1/debian/changelog evince-3.14.1/debian/changelog
--- evince-3.14.1/debian/changelog 2015-03-06 02:36:49.0 -0600
+++ evince-3.14.1/debian/changelog 2016-05-19 13:40:51.0 -0500
@@ -1,3 +1,14 @@
+evince (3.14.1-2+deb8u1) stable; urgency=medium
+
+ * Add reload-page-count.patch. Fix crash when document has pages removed and
+is reloaded. Update the end page index when the document is reloaded.
+(Closes: #805276)
+ * Add check-load-job-success.patch. Fix crash in recent documents view when
+a recent document fails to load. Check whether a document's load job
+failed before creating it's thumbnail. (Closes: #762719)
+
+ -- Jason Crain Thu, 19 May 2016 13:03:32 -0500
+
evince (3.14.1-2) unstable; urgency=medium
* Team upload.
diff -Nru evince-3.14.1/debian/patches/check-load-job-success.patch
evince-3.14.1/debian/patches/check-load-job-success.patch
--- evince-3.14.1/debian/patches/check-load-job-success.patch 1969-12-31
18:00:00.0 -0600
+++ evince-3.14.1/debian/patches/check-load-job-success.patch 2016-05-19
13:40:50.0 -0500
@@ -0,0 +1,23 @@
+Description: Check whether load job succeeded
+ Check whether document load job succeeded before creating it's thumbnail.
+ This fixes a crash in the recent documents view when a document fails to load.
+Origin: upstream,
https://git.gnome.org/browse/evince/commit/?id=921211ea2dfcff79df172e39a380074883e2b1a2
+Author: Marek Kasik
+Bug: https://bugzilla.gnome.org/744049
+Bug-Debian: https://bugs.debian.org/762719
+Last-Update: 2016-05-19
+
+Index: evince-3.14.1/shell/ev-recent-view.c
+===
+--- evince-3.14.1.orig/shell/ev-recent-view.c
evince-3.14.1/shell/ev-recent-view.c
+@@ -366,7 +366,8 @@ document_load_job_completed_callback (Ev
+ EvRecentViewPrivate *priv = data->ev_recent_view->priv;
+ EvDocument *document = EV_JOB (job_load)->document;
+
+-if (g_cancellable_is_cancelled (data->cancellable) || !document) {
++if (g_cancellable_is_cancelled (data->cancellable) ||
++ev_job_is_failed (EV_JOB (job_load))) {
+ get_document_info_async_data_free (data);
+ return;
+ }
diff -Nru evince-3.14.1/debian/patches/reload-page-count.patch
evince-3.14.1/debian/patches/reload-page-count.patch
--- evince-3.14.1/debian/patches/reload-page-count.patch1969-12-31
18:00:00.0 -0600
+++ evince-3.14.1/debian/patches/reload-page-count.patch2016-05-19
13:40:44.0 -0500
@@ -0,0 +1,29 @@
+Description: Check legal boundaries of accessable pages
+ Keep the accessible view end page under the limits of the document. Sometimes
+ when a document is reloaded, it may have fewer pages making the end page
+ higher than the actual number of pages.
+Origin: backport,
https://git.gnome.org/browse/evince/commit/?id=e6e0d29d9fed63599e736003f06428a1aea87121
+Author: Germán Poo-Caamaño
+Bug: https://bugzilla.gnome.org/735744
+Bug-Debian: https://bugs.debian.org/805276
+Last-Update: 2016-05-17
+
+Index: evince-3.14.1/libview/ev-view-accessible.c
+===
+--- evince-3.14.1
Bug#824859: marked as done (jessie-pu: package pepperflashplugin-nonfree/1.8.1+deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #824859, regarding jessie-pu: package pepperflashplugin-nonfree/1.8.1+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 824859: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824859 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi This makes pepperflash work again on jessie, it fix rc bug #823005 and #816848. But not #818540, which isn't relevant for jessie, as jessie isn't getting APT 1.2.7. - Kristian diff -Nru pepperflashplugin-nonfree-1.8.1/debian/changelog pepperflashplugin-nonfree-1.8.1+deb8u1/debian/changelog --- pepperflashplugin-nonfree-1.8.1/debian/changelog2014-12-21 11:38:47.0 +0100 +++ pepperflashplugin-nonfree-1.8.1+deb8u1/debian/changelog 2016-05-20 15:25:49.0 +0200 @@ -1,3 +1,11 @@ +pepperflashplugin-nonfree (1.8.1+deb8u1) jessie; urgency=medium + + * Non-maintainer upload. + * Update Google public key. Closes: #823005. + * Remove 32 bit support. Closes: #816848. + + -- Kristian Klausen Fri, 20 May 2016 15:08:52 +0200 + pepperflashplugin-nonfree (1.8.1) unstable; urgency=medium * debian/control: Pre-Depends: ca-certificates. Closes: #773629. diff -Nru pepperflashplugin-nonfree-1.8.1/pubkey-google.txt pepperflashplugin-nonfree-1.8.1+deb8u1/pubkey-google.txt --- pepperflashplugin-nonfree-1.8.1/pubkey-google.txt 2013-07-07 23:30:38.0 +0200 +++ pepperflashplugin-nonfree-1.8.1+deb8u1/pubkey-google.txt2016-05-20 15:09:27.0 +0200 @@ -1,5 +1,5 @@ -BEGIN PGP PUBLIC KEY BLOCK- -Version: GnuPG v1.4.12 (GNU/Linux) +Version: GnuPG v1.4.2.2 (GNU/Linux) mQGiBEXwb0YRBADQva2NLpYXxgjNkbuP0LnPoEXruGmvi3XMIxjEUFuGNCP4Rj/a kv2E5VixBP1vcQFDRJ+p1puh8NU0XERlhpyZrVMzzS/RdWdyXf7E5S8oqNXsoD1z @@ -11,89 +11,88 @@ 4XmfTg4Jl8BNjWyvm2Wmjfet41LPmYJKsux3g0b8yzQxeOA4pQKKAU3Z4+rgzGmf HdwCG5MNT2A5XxD/eDd+L4fRx0HbFkIQoAi1J3YWQSiTk15fw7RMR29vZ2xlLCBJ bmMuIExpbnV4IFBhY2thZ2UgU2lnbmluZyBLZXkgPGxpbnV4LXBhY2thZ2VzLWtl -eW1hc3RlckBnb29nbGUuY29tPohGBBARAgAGBQJI0l69AAoJEOX7qSII6c/vXlAA -nRMVIdPPqa3pK5spqHhTm5ousadaAJ4/R1aIaCBuXZ7USVxAG4XZJSy4MohGBBAR -AgAGBQJI6REUAAoJEB/WbxUKhkqxtRMAoMPojw3H7kfP06xbTBcV6l4iL/C3AJ98 -nOh6qM4/P7WiIKmnT85zTThqL4hGBBARAgAGBQJI6lFPAAoJEIYuYz+rQ7NyBkEA -mgNkqNBIDVilTtYcmHQAY85o8IlaAJ9NjeoM2kbcm0jZF1T6s9BXSumdF4hGBBAR -AgAGBQJJDe71AAoJEPtAr6/rDx3gTqEAoLj8mkNVfhZtuZc//dUc/+CT+wy5AJ9I -GZ+DJxo1Uw88O3/JmTNY+E1UMohGBBARAgAGBQJJytn7AAoJELHZ4eeDAWJpb5QA -njQH8SI8gYJe+pOwslqnxkvqMi36AKCFJ5BT72qPwUi2yU78tL0/RFavlYhGBBAR -AgAGBQJJzsFXAAoJEPaz08bs2Ur9dK4AoIl6RPzXvTP8yfp0seh4kRC5uUQMAJ40 -K5qygoSMgEiUkSbePn/bY9Xal4hGBBARAgAGBQJJ0uWaAAoJEK2TkXqe2Mfq/RgA -njEsJepPsxEis/lDD7YuM/t85FliAJ0d0Ddbp8ifzIZOLBLvUouw+wl2k4hGBBAR -AgAGBQJLhWfpAAoJEO982nELrv7lkLcAoMMz2LXDqwm5zNvgDzfk4TK359RMAJ42 -WbSlBnHBse8opPGZxP5OGTxOCohGBBARAgAGBQJLmFHwAAoJEPbGY9YaoejMdW4A -oMBWV6GZPH7xh18Grvesqhdmt6JDAKCjSVQQj3qqVo9TfixY9wqfl6C1JohGBBAR -AgAGBQJMhzgkAAoJEI1KrrtrN/ZMWDYAnj18QFBbCKR+91iRgk9f9ZLlPBanAJ9Q -2TwtmywhpbSPTIKeHofbQAlQGohJBBARAgAJBQJI6JhfAgcAAAoJEDl7jO4+/nb3 -mvgAoMLktv7ux+CWSAYt3596ieWdmCWAAJ9jkPCZ7Y3IDDft1FpJF+B6o1gIaIhJ -BBARAgAJBQJI6JiJAgcAAAoJEFU+IjujcFDZxR8An2tmuQcxpz+G0Hi3BSH+qSLY -2UexAJsG2mT5eU64GLg4Nv/0n1IVooCd+ohJBBARAgAJBQJI6Ji/AgcAAAoJEEgY -SAfSQni5F1EAn0125ALPoZkC8lcgWCtaCqa7E+mKAKCGbXJl6Yp8xO+VzmU2Y6AI -UP1Ia4hJBBARAgAJBQJI6lluAgcAAAoJEDUGMV/UfORJRSwAmwcMo8TpMMdpolFH -nr9qbrG0OZFzAJ40G4I0ppq1JCXbgkqP/gz31S2ozYhjBBMRAgAjAhsDBgsJCAcD -AgQVAggDBBYCAwECHgECF4AFAkYVdn8CGQEACgkQoECDD3+sWZHKSgCfdq3HtNYJ -Lv+XZleb6HN4zOcFAJEAniSFbuv8V5FSHxeRimHx25671az+iQEcBBABAgAGBQJG -i+tTAAoJEO703Vx2zDVi0G8H/0uf1abwRVQ6/3gB5NtwNyNDZjcglrhvrjEerrBf -W2PDNwCw2eZ7tiBIdWzv4gPCEr7U3PiuJGcPr6vVKplIGHIatNP4DySilg8WT8Rk -I5ng+qhZl1VslcOf1tXRqn+ual3DJeDiE8P4EGdMmDwHzNXJ1g4ZzJGQ0Px5fSvS -f6l+yma5/YRcEKP1AqkWbcA0aIX3yYYWhBxOpZSF0FIQEJiSU3AUkclq+nkvOHc+ -gyJWh3UMEdNmbwizYB+AZxHOTduPCJGxMVFPFHz258owhmFE4KaCuVqDg2wjvGED -fFMlY1BPrCZJv8wRIi43Z7etj08fG+r7NbKYf0+gN3+xQWiJARwEEAECAAYFAkwf -8fMACgkQytrzOKUJG1b1XAgAi4W4zCU32w9QIGpVRL5x6Zh8XaRV5PDhyYYwBHqO -wIXs6ukG2BweCN3tpLZwKJBnKsBpfMzctZu4sR7g7P2fLgwmf108XIB3lk0SPc2+ -2clVkw3FD4riTNdydwKJweVSVRDngnsShwA11UwGZd3oo2Vol3lyu6P1vw6G8vTI -68E6hBDwoEWHVGuBezJNr7mMklp3RGzL9jpI7weGseP3FNFdiWLo1xRpx0RLbQZC -k6PiK6SMb7hfeSZ6x96IHDmPrcoZOKas8nLT58JMhGdy8aI3h1jj5bT3FCWIeB3n -6j9C/YJb9Ho3/caLfve
Bug#823752: marked as done (jessie-pu: package xarchiver/1:0.5.4-1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #823752,
regarding jessie-pu: package xarchiver/1:0.5.4-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
823752: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823752
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hello,
I would like to update xarchiver in Jessie because of bug
https://bugs.debian.org/822115
The attempt to cancel the archive extraction with Xarchiver's Thunar
plugin currently crashes the application and sometimes even the X
session is killed which may cause data loss. I have applied a patch
in Sid/Testing and tested the same one in Jessie. It works for me.
Please find attached the debdiff.
Regards,
Markus
diff -Nru xarchiver-0.5.4/debian/changelog xarchiver-0.5.4/debian/changelog
--- xarchiver-0.5.4/debian/changelog 2014-09-29 16:06:53.0 +0200
+++ xarchiver-0.5.4/debian/changelog 2016-05-08 15:41:37.0 +0200
@@ -1,3 +1,12 @@
+xarchiver (1:0.5.4-1+deb8u1) jessie; urgency=medium
+
+ * Add cancel-extraction-crash.patch.
+When using the "extract here" feature of Xarchiver's Thunar plugin, the
+attempt to cancel the extraction could crash the application or even the
+whole desktop session. (Closes: #802019)
+
+ -- Markus Koschany Sun, 08 May 2016 15:40:11 +0200
+
xarchiver (1:0.5.4-1) unstable; urgency=medium
* Imported Upstream version 0.5.4.
diff -Nru xarchiver-0.5.4/debian/patches/cancel-extraction-crash.patch xarchiver-0.5.4/debian/patches/cancel-extraction-crash.patch
--- xarchiver-0.5.4/debian/patches/cancel-extraction-crash.patch 1970-01-01 01:00:00.0 +0100
+++ xarchiver-0.5.4/debian/patches/cancel-extraction-crash.patch 2016-05-08 15:41:37.0 +0200
@@ -0,0 +1,62 @@
+From: Markus Koschany
+Date: Sun, 24 Apr 2016 19:46:41 +0200
+Subject: cancel extraction crash
+
+Fix crash when cancelling the progress bar of Xarchiver's Thunar plugin.
+This patch was taken from Xarchiver's Github fork. The original development has
+stopped at sourceforge.net.
+
+Origin: https://github.com/ib/xarchiver/commit/cfa1d536312abb8d81f9cd74c15cf21038f03a8c
+Forwarded: no
+---
+ src/interface.c | 18 ++
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/interface.c b/src/interface.c
+index 79ffd36..b9aa4f9 100644
+--- a/src/interface.c
b/src/interface.c
+@@ -47,8 +47,8 @@ static const GtkTargetEntry drop_targets[] =
+
+ extern gboolean unrar,batch_mode;
+
+-static gboolean xa_progress_dialog_delete_event (GtkWidget *caller,GdkEvent *event,GPid pid);
+-static void xa_progress_dialog_stop_action (GtkWidget *widget,GPid pid);
++static gboolean xa_progress_dialog_delete_event (GtkWidget *caller,GdkEvent *event,GPid *pid);
++static void xa_progress_dialog_stop_action (GtkWidget *widget,GPid *pid);
+
+ void xa_create_main_window (GtkWidget *xa_main_window,gboolean show_location,gboolean show_output_menu_item,gboolean show_sidebar)
+ {
+@@ -1577,8 +1577,8 @@ Progress_bar_data *xa_create_progress_bar(gboolean flag,XArchive *archive)
+ cancel_button = gtk_button_new_from_stock ("gtk-cancel");
+ gtk_box_pack_end (GTK_BOX (action_area),cancel_button,TRUE,TRUE,12);
+
+- g_signal_connect (G_OBJECT (cancel_button), "clicked", G_CALLBACK (xa_progress_dialog_stop_action), GINT_TO_POINTER (archive->child_pid));
+- g_signal_connect (G_OBJECT (pb->progress_window),"delete_event",G_CALLBACK (xa_progress_dialog_delete_event),GINT_TO_POINTER (archive->child_pid));
++ g_signal_connect (G_OBJECT (cancel_button), "clicked", G_CALLBACK (xa_progress_dialog_stop_action), &archive->child_pid);
++ g_signal_connect (G_OBJECT (pb->progress_window),"delete_event",G_CALLBACK (xa_progress_dialog_delete_event),&archive->child_pid);
+ }
+ gtk_widget_show_all(pb->progress_window);
+ return pb;
+@@ -1616,15 +1616,17 @@ void xa_icon_theme_changed (GtkIconTheme *icon_theme,gpointer data)
+ * time as the filenames currently displayed. What of the other tabs then?
+ }*/
+
+-static gboolean xa_progress_dialog_delete_event (GtkWidget *caller,GdkEvent *event,GPid pid)
++static gboolean xa_progress_dialog_delete_event (GtkWidget *caller,GdkEvent *event,GPid *pid)
+ {
+- kill (pid,SIGINT);
++ if(pid != NULL && *pid != 0)
++ kill (*pid,SIGINT);
+ return TRUE;
+ }
+
+-static void xa_progress_dialog_s
Bug#823433: marked as done (jessie-pu: package openjdk-7/7u101-2.6.6-2~deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #823433, regarding jessie-pu: package openjdk-7/7u101-2.6.6-2~deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 823433: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823433 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu The latest openjdk-7 security update broke the arm32 JIT. This was disabled in experimental (7u101-2.6.6-2) and wheezy LTS (7u101-2.6.6-2~deb7u1), but not in jessie-security, so armel and armhf now FTBFS. This pulls in the changes from 7u101-2.6.6-2. Cheers, Julien diff -Nru openjdk-7-7u101-2.6.6/debian/changelog openjdk-7-7u101-2.6.6/debian/changelog --- openjdk-7-7u101-2.6.6/debian/changelog 2016-04-25 09:11:46.0 +0200 +++ openjdk-7-7u101-2.6.6/debian/changelog 2016-05-04 19:20:09.0 +0200 @@ -1,8 +1,15 @@ -openjdk-7 (7u101-2.6.6-1~deb8u1) jessie-security; urgency=medium +openjdk-7 (7u101-2.6.6-2~deb8u1) jessie; urgency=medium - * Rebuild for jessie-security + * Non-maintainer upload. + * Rebuild for jessie. - -- Moritz Mühlenhoff Mon, 25 Apr 2016 09:11:12 +0200 + -- Julien Cristau Wed, 04 May 2016 19:20:03 +0200 + +openjdk-7 (7u101-2.6.6-2) experimental; urgency=medium + + * Configure with --disable-arm32-jit, broken by the security update. + + -- Matthias Klose Sat, 23 Apr 2016 02:28:28 +0200 openjdk-7 (7u101-2.6.6-1) experimental; urgency=medium diff -Nru openjdk-7-7u101-2.6.6/debian/control openjdk-7-7u101-2.6.6/debian/control --- openjdk-7-7u101-2.6.6/debian/control2016-04-25 09:11:04.0 +0200 +++ openjdk-7-7u101-2.6.6/debian/control2016-05-04 19:21:19.0 +0200 @@ -16,7 +16,7 @@ libpulse-dev (>= 0.9.12), libnss3-dev (>= 2:3.17.1), systemtap-sdt-dev, mauve, xvfb, xauth, xfonts-base, libgl1-mesa-dri [!x32], twm | metacity, twm | dbus-x11, x11-xkb-utils, -Standards-Version: 3.9.5 +Standards-Version: 3.9.8 Homepage: http://openjdk.java.net/ Vcs-Bzr: http://bazaar.launchpad.net/~openjdk/openjdk/openjdk7 Vcs-Browser: https://code.launchpad.net/~openjdk/openjdk/openjdk7 diff -Nru openjdk-7-7u101-2.6.6/debian/control.in openjdk-7-7u101-2.6.6/debian/control.in --- openjdk-7-7u101-2.6.6/debian/control.in 2016-04-25 09:10:48.0 +0200 +++ openjdk-7-7u101-2.6.6/debian/control.in 2016-04-26 14:26:01.0 +0200 @@ -16,7 +16,7 @@ @bd_pulsejava@ @bd_nss@ @bd_systemtap@ @bd_mauve@ @bd_xvfb@ -Standards-Version: 3.9.5 +Standards-Version: 3.9.8 Homepage: http://openjdk.java.net/ Vcs-Bzr: http://bazaar.launchpad.net/~openjdk/openjdk/openjdk7 Vcs-Browser: https://code.launchpad.net/~openjdk/openjdk/openjdk7 diff -Nru openjdk-7-7u101-2.6.6/debian/rules openjdk-7-7u101-2.6.6/debian/rules --- openjdk-7-7u101-2.6.6/debian/rules 2016-04-22 21:18:43.0 +0200 +++ openjdk-7-7u101-2.6.6/debian/rules 2016-04-23 02:28:24.0 +0200 @@ -590,9 +590,9 @@ --with-langtools-src-zip=$(CURDIR)/langtools.tar.bz2 ifneq (,$(filter $(DEB_HOST_ARCH), armel armhf)) - #CONFIGURE_ARGS += \ - --disable-arm32-jit CONFIGURE_ARGS += \ + --disable-arm32-jit + #CONFIGURE_ARGS += \ --enable-arm32-jit endif signature.asc Description: PGP signature --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#821326: marked as done (jessie-pu: package initramfs-tools/0.120+deb8u2)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #821326,
regarding jessie-pu: package initramfs-tools/0.120+deb8u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
821326: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821326
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie patch
User: release.debian@packages.debian.org
Usertags: pu
This update fixes:
- Regression when upgrading Linux to version 4.4+ if / or /usr is on
an NVMe device (#807000)
- Regression in version 0.119 if there are non-scripts (such as
.svn directories) under /etc/initramfs-tools/scripts (#814965)
Both of these regressions cause boot failure on the affected systems.
debdiff is below.
Ben.
diff -Nru initramfs-tools-0.120+deb8u1/debian/changelog
initramfs-tools-0.120+deb8u2/debian/changelog
--- initramfs-tools-0.120+deb8u1/debian/changelog 2016-02-20
15:51:48.0 +
+++ initramfs-tools-0.120+deb8u2/debian/changelog 2016-04-17
18:20:20.0 +0100
@@ -1,3 +1,12 @@
+initramfs-tools (0.120+deb8u2) jessie; urgency=medium
+
+ * [7863219] hook-functions: Include drivers/nvme in block driver modules
+(Closes: #807000)
+ * [fcef753] hook-functions: Create ORDER files even if there are no valid
+scripts (Closes: #814965)
+
+ -- Ben Hutchings Sun, 17 Apr 2016 18:20:09 +0100
+
initramfs-tools (0.120+deb8u1) jessie; urgency=medium
[ Ben Hutchings ]
diff -Nru initramfs-tools-0.120+deb8u1/hook-functions
initramfs-tools-0.120+deb8u2/hook-functions
--- initramfs-tools-0.120+deb8u1/hook-functions 2016-02-20 15:43:54.0
+
+++ initramfs-tools-0.120+deb8u2/hook-functions 2016-04-17 17:58:11.0
+0100
@@ -581,6 +581,7 @@
;;
block)
copy_modules_dir kernel/drivers/block
+ copy_modules_dir kernel/drivers/nvme
;;
ubi)
modules="$modules deflate zlib lzo ubi ubifs"
@@ -723,6 +724,7 @@
initdir=${DESTDIR}${scriptdir}
[ ! -d ${initdir} ] && return
+ > ${initdir}/ORDER
runlist=$(get_prereq_pairs | tsort)
for crs_x in ${runlist}; do
[ -f ${initdir}/${crs_x} ] || continue
-- System Information:
Debian Release: stretch/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.5.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.5
Hi,
The fixes referred to by each of these bugs were included in today's 8.5
point release.
Regards,
Adam--- End Message ---
Bug#822481: marked as done (jessie-pu: package wmforecast/0.8-1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #822481,
regarding jessie-pu: package wmforecast/0.8-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
822481: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822481
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hello!
In March 2016, Yahoo! changed their weather API in a non-backwards compatible
way. This made wmforecast, a Window Maker dockapp which relies on this API
to display weather information, nonfunctional.
A new release, version 0.10, was prepared to fix this problem, and additional
improvements were made in 0.11, now available in stretch.
However, jessie still has version 0.8. I have backported the appropriate
changes from 0.10 and 0.11 into a small patch which makes version 0.8
functional. I would like to propose that the jessie wmforecast package be
updated with these changes.
Thank you!
Doug Torrance
diff -Nru wmforecast-0.8/debian/changelog wmforecast-0.8/debian/changelog
--- wmforecast-0.8/debian/changelog 2014-10-21 12:47:35.0 -0400
+++ wmforecast-0.8/debian/changelog 2016-04-24 17:34:10.0 -0400
@@ -1,3 +1,13 @@
+wmforecast (0.8-1+deb8u1) jessie; urgency=medium
+
+ * debian/control
+- Update Maintainer and add Uploaders.
+ * debian/patches/new_yahoo_api.patch
+- New patch; modifications to work with new Yahoo! weather API.
+ Backported from upstream.
+
+ -- Doug Torrance Sun, 24 Apr 2016 17:32:19 -0400
+
wmforecast (0.8-1) unstable; urgency=medium
* New upstream release.
diff -Nru wmforecast-0.8/debian/control wmforecast-0.8/debian/control
--- wmforecast-0.8/debian/control 2014-10-21 12:44:33.0 -0400
+++ wmforecast-0.8/debian/control 2016-04-24 17:28:25.0 -0400
@@ -1,7 +1,8 @@
Source: wmforecast
Section: utils
Priority: extra
-Maintainer: Doug Torrance
+Maintainer: Debian Window Maker Team
+Uploaders: Doug Torrance
Build-Depends: debhelper (>= 9), libxml2-dev, libcurl4-gnutls-dev, libwings-dev, help2man, dh-autoreconf
Standards-Version: 3.9.6
Homepage: https://github.com/d-torrance/wmforecast
diff -Nru wmforecast-0.8/debian/patches/new_yahoo_api.patch wmforecast-0.8/debian/patches/new_yahoo_api.patch
--- wmforecast-0.8/debian/patches/new_yahoo_api.patch 1969-12-31 19:00:00.0 -0500
+++ wmforecast-0.8/debian/patches/new_yahoo_api.patch 2016-04-24 17:23:15.0 -0400
@@ -0,0 +1,72 @@
+Description: Update to work with new Yahoo! weather API
+ Backported from upstream versions 0.10 and 0.11.
+Origin: https://github.com/d-torrance/wmforecast/commit/720f907
+Origin: https://github.com/d-torrance/wmforecast/commit/dcf081f
+Origin: https://github.com/d-torrance/wmforecast/commit/f19e666
+Last-Update: 2016-04-24
+
+--- a/wmforecast.c
b/wmforecast.c
+@@ -296,7 +296,7 @@
+ text = wstrappend(text, ", ");
+ text = wstrappend(text, weather->temp);
+ text = wstrappend(text, "°\n\nForecast:\n");
+- for (i = 0; i < weather->forecasts->length; i++) {
++ for (i = 0; i < weather->forecasts->length && i < 7; i++) {
+ text = wstrappend(text,weather->forecasts->forecasts[i].day);
+ text = wstrappend(text," - ");
+ text = wstrappend(text,weather->forecasts->forecasts[i].text);
+@@ -348,16 +348,23 @@
+ Weather *weather;
+ xmlDocPtr doc;
+ xmlNodePtr cur;
++ int i;
+
+- url = wstrconcat("http://weather.yahooapis.com/forecastrss?u=",prefs->units);
++ url = wstrdup("https://query.yahooapis.com/v1/public/yql?q=";
++ "select%20*%20from%20weather.forecast%20where%20woeid");
+ if (strcmp(prefs->woeid_or_zip,"w") == 0) {
+- url = wstrappend(url,"&w=");
++ url = wstrappend(url, "%20%3D%20");
+ url = wstrappend(url, prefs->woeid);
+ }
+ else {
+- url = wstrappend(url,"&p=");
++ url = wstrappend(url, "%20in%20(select%20woeid%20from%20"
++ "geo.places(1)%20where%20text%3D%22");
+ url = wstrappend(url, prefs->zip);
+- }
++ url = wstrappend(url, "%22)");
++ }
++ url = wstrappend(url, "%20and%20u%3D'");
++ url = wstrappend(url, prefs->units);
++ url = wstrappend(url, "'&format=xml");
+
+ weather = newWeather();
+ chunk.memory = wmalloc(1);
+@@ -394,17 +401,16 @@
+ return weather;
+ }
+
+- if (xmlStrcmp(cur->name, (const xmlChar *) "rss")) {
+- setError(weather, screen,"Empty document");
+- fprintf(stderr,"document of the wrong type, root node != rss");
+- xmlF
Bug#823430: marked as done (jessie-pu: package icedove/38.7.0-1~deb8u2)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #823430,
regarding jessie-pu: package icedove/38.7.0-1~deb8u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
823430: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823430
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
The icedove package currently on security.d.o and proposed-updates fails
to build on armhf because some files get built with -mfloat-abi=softfp.
This should hopefully fix that.
Cheers,
Julien
diff -Nru icedove-38.7.0/debian/changelog icedove-38.7.0/debian/changelog
--- icedove-38.7.0/debian/changelog 2016-03-16 12:39:57.0 +0100
+++ icedove-38.7.0/debian/changelog 2016-05-04 17:22:43.0 +0200
@@ -1,3 +1,14 @@
+icedove (38.7.0-1~deb8u2) jessie; urgency=medium
+
+ * Non-maintainer upload: steal arm build fixes from the firefox package.
+
+ [ Mike Hommey ]
+ * media/libvpx/moz.build: Build libvpx neon code without -mthumb and
+-mfloat-abi=softfp. Closes: #795337.
+ * configure.in: Build libvpx neon code with -mfloat-abi=softfp on armel.
+
+ -- Julien Cristau Wed, 04 May 2016 17:14:38 +0200
+
icedove (38.7.0-1~deb8u1) stable-security; urgency=medium
* [cb9c003] Imported Upstream version 38.7.0
diff -Nru
icedove-38.7.0/debian/patches/fixes/Bug-1194905-Build-libvpx-neon-code-without-mthumb-an.patch
icedove-38.7.0/debian/patches/fixes/Bug-1194905-Build-libvpx-neon-code-without-mthumb-an.patch
---
icedove-38.7.0/debian/patches/fixes/Bug-1194905-Build-libvpx-neon-code-without-mthumb-an.patch
1970-01-01 01:00:00.0 +0100
+++
icedove-38.7.0/debian/patches/fixes/Bug-1194905-Build-libvpx-neon-code-without-mthumb-an.patch
2016-05-04 17:22:43.0 +0200
@@ -0,0 +1,33 @@
+From 78393b4bd35ea4f8d92c6cbfcce5919fcbaa4f44 Mon Sep 17 00:00:00 2001
+From: Mike Hommey
+Date: Sat, 15 Aug 2015 08:53:54 +0900
+Subject: [PATCH 1/2] Bug 1194905 - Build libvpx neon code without -mthumb and
+ -mfloat-abi=softfp
+
+-mfloat-abi=softfp is hardcoding an ABI that may not match everything else
+in Gecko, which is bound to fail. It's also unrelated to building NEON code.
+-mthumb is also unrelated to building NEON code, and should be left as it
+is for everything else.
+Now, interestingly, we also have a VPX_ASFLAGS variable that just contains
+the right things instead of hardcoding them in the moz.build, so just use
+that instead.
+---
+ mozilla/media/libvpx/moz.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mozilla/media/libvpx/moz.build b/mozilla/media/libvpx/moz.build
+index a1138f4..a8298d4 100644
+--- a/mozilla/media/libvpx/moz.build
b/mozilla/media/libvpx/moz.build
+@@ -65,7 +65,7 @@ if CONFIG['VPX_ARM_ASM']:
+
+ for f in SOURCES:
+ if f.endswith('.c') and 'neon' in f:
+-SOURCES[f].flags += ['-march=armv7-a', '-mthumb',
'-mfloat-abi=softfp', '-mfpu=neon']
++SOURCES[f].flags += CONFIG['VPX_ASFLAGS'].split()
+
+ # boolhuff_armv5te.asm defines the same functions as boolhuff.c instead of
+ # using RTCD, so we have to make sure we only add one of the two.
+--
+2.8.1
+
diff -Nru
icedove-38.7.0/debian/patches/fixes/Followup-to-bug-1194905-add-mfloat-abi-softfp-when-t.patch
icedove-38.7.0/debian/patches/fixes/Followup-to-bug-1194905-add-mfloat-abi-softfp-when-t.patch
---
icedove-38.7.0/debian/patches/fixes/Followup-to-bug-1194905-add-mfloat-abi-softfp-when-t.patch
1970-01-01 01:00:00.0 +0100
+++
icedove-38.7.0/debian/patches/fixes/Followup-to-bug-1194905-add-mfloat-abi-softfp-when-t.patch
2016-05-04 17:22:43.0 +0200
@@ -0,0 +1,30 @@
+From 53156c9af7d9ac4ee5d30274976856718f95aa77 Mon Sep 17 00:00:00 2001
+From: Mike Hommey
+Date: Fri, 28 Aug 2015 17:46:29 +0900
+Subject: [PATCH 2/2] Followup to bug 1194905: add -mfloat-abi=softfp when
+ toolchain abi is soft
+
+---
+ mozilla/configure.in | 6 ++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/mozilla/configure.in b/mozilla/configure.in
+index 4c217e5..3edcfa4 100644
+--- a/mozilla/configure.in
b/mozilla/configure.in
+@@ -5527,6 +5527,12 @@ if test -n "$MOZ_VPX" -a -z "$MOZ_NATIVE_LIBVPX"; then
+ VPX_AS_CONVERSION='$(PERL)
$(topsrcdir)/media/libvpx/build/make/ads2gas.pl'
+ VPX_ASM_SUFFIX="$ASM_SUFFIX"
+ VPX_ARM_ASM=1
++AC_TRY_C
Bug#822487: marked as done (jessie-pu: package mathematica-fonts/17+deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #822487,
regarding jessie-pu: package mathematica-fonts/17+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
822487: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822487
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi!
Mathematica-fonts is a downloader for a set of fonts from Wolfram.
The version in jessie wants upstream version 7, however, it's no longer
available on their website. This makes the package uninstallable.
The proposed fix is to point the downloader to upstream version 10.
The debdiff is quite hefty, this includes changed sha512 sums and dropping
no longer provided Type1 fonts.
There are two unrelated changes:
* adopting the package (Maintainer: the Fonts Team, Uploader: me)
* missing dependency on wget (also RC)
Debdiff attached, but you probably prefer git:
ssh://git.debian.org/git/pkg-fonts/fonts-mathematica.git -b jessie
https://anonscm.debian.org/cgit/pkg-fonts/fonts-mathematica.git/log/?h=jessie
dget
https://angband.pl/debian/pool/main/m/mathematica-fonts/mathematica-fonts_17+deb8u1.dsc
As the version in jessie is currently completely useless, if this update is
too big for stable please instead RM it.
diff -Nru mathematica-fonts-17/debian/README.Debian mathematica-fonts-17+deb8u1/debian/README.Debian
--- mathematica-fonts-17/debian/README.Debian 2010-03-26 04:54:21.0 +0100
+++ mathematica-fonts-17+deb8u1/debian/README.Debian 1970-01-01 01:00:00.0 +0100
@@ -1,26 +0,0 @@
-mathematica-fonts for Debian
--
-
-Installer of Mathematica Fonts. It might help to use Mathematica from
-a remote terminal.
-
-Important Note:
-When one starts Mathematica from remote machine, one will see an error
-messages something as follows:
-
-xset: bad font path element (#23), possible causes are:
-Directory does not exist or has wrong permissions
-Directory missing fonts.dir
-Incorrect font server address or syntax
-
-It seems Mathematica searches its fonts only in a predefined directory
-so one might do the following steps.
-
-1. mkdir -p /usr/local/Wolfram/Mathematica/7.0/SystemFiles/Fonts
-2. ln -s /usr/share/fonts/type1/mathematica /usr/local/Wolfram/Mathematica/7.0/SystemFiles/Fonts/Type1
-
-The directory depends on a version of Mathematica so please check
-a directory structure of Mathematica on a server and change the above
-directory correspondingly.
-
- -- Atsuhito KOHDA Fri, 14 Mar 2008 10:39:25 +0900
diff -Nru mathematica-fonts-17/debian/changelog mathematica-fonts-17+deb8u1/debian/changelog
--- mathematica-fonts-17/debian/changelog 2014-10-22 08:46:55.0 +0200
+++ mathematica-fonts-17+deb8u1/debian/changelog 2016-04-25 00:28:58.0 +0200
@@ -1,3 +1,15 @@
+mathematica-fonts (17+deb8u1) jessie; urgency=medium
+
+ * Adopt the package.
+ * New upstream release (10).
++ Version 7 is no longer downloadable (closes: #789211)
++ Server-side fonts are no longer included (closes: #573479)
++ Neither is a copy of Bitstream Vera (closes: #670216)
+ * Drop README.Debian, it talked about type1 X integration.
+ * Add missing Depends: wget (closes: #817820).
+
+ -- Adam Borowski Mon, 25 Apr 2016 00:06:16 +0200
+
mathematica-fonts (17) unstable; urgency=medium
* Updated Debconf Dutch translations. Thanks to Frans Spiesschaert
diff -Nru mathematica-fonts-17/debian/control mathematica-fonts-17+deb8u1/debian/control
--- mathematica-fonts-17/debian/control 2012-09-25 02:22:53.0 +0200
+++ mathematica-fonts-17+deb8u1/debian/control 2016-04-25 00:28:58.0 +0200
@@ -1,13 +1,14 @@
Source: mathematica-fonts
Section: contrib/fonts
Priority: extra
-Maintainer: Atsuhito KOHDA
+Maintainer: Debian Fonts Task Force
+Uploaders: Adam Borowski
Build-Depends: debhelper (>= 7), po-debconf
Standards-Version: 3.8.0
Package: mathematica-fonts
Architecture: all
-Depends: ${misc:Depends}, unzip
+Depends: ${misc:Depends}, unzip, wget
Pre-Depends: debconf (>= 0.5) | debconf-2.0
Provides: ttf-mathematica4.1
Conflicts: ttf-mathematica4.1 (<< 9)
@@ -18,7 +19,7 @@
Please note that it may fail if the web site no longer offers them for
download.
.
- This package will currently only install AFM, TTF, and Type1 fonts.
+ Only TTF fonts are available in this versi
Bug#822229: marked as done (jessie-pu: package autofs/5.0.8-2.1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #89,
regarding jessie-pu: package autofs/5.0.8-2.1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
89: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=89
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi
If one accesses an automount map via a query programm / executable
maps, then in Jessie automount logs quite some irrelevant debug
messages.
It has been reported a while back in the BTS as #755019, fixed
upstream with
https://git.kernel.org/cgit/linux/storage/autofs/autofs.git/commit/?id=ffc26908973bb6fbdcd3f69874a4d8686f7172fd
and thus included in the upload to experimental as 5.1.0-1. The fix is
as well available in unstable by now.
Can we have the removal of the debugging output as well in Jessie via
the next point release? I'm attaching the proposed debdiff for this.
Regards,
Salvatore
diff -Nru autofs-5.0.8/debian/changelog autofs-5.0.8/debian/changelog
--- autofs-5.0.8/debian/changelog 2015-03-19 08:53:22.0 +0100
+++ autofs-5.0.8/debian/changelog 2016-04-22 10:35:36.0 +0200
@@ -1,3 +1,10 @@
+autofs (5.0.8-2.1) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * Remove macro debugging prints from macro_setenv (Closes: #755019)
+
+ -- Salvatore Bonaccorso Fri, 22 Apr 2016 10:34:58 +0200
+
autofs (5.0.8-2) unstable; urgency=medium
[ Salvatore Bonaccorso ]
diff -Nru autofs-5.0.8/debian/patches/autofs-5.0.8-remove-macro-debug-prints.patch autofs-5.0.8/debian/patches/autofs-5.0.8-remove-macro-debug-prints.patch
--- autofs-5.0.8/debian/patches/autofs-5.0.8-remove-macro-debug-prints.patch 1970-01-01 01:00:00.0 +0100
+++ autofs-5.0.8/debian/patches/autofs-5.0.8-remove-macro-debug-prints.patch 2016-04-22 10:35:36.0 +0200
@@ -0,0 +1,27 @@
+From ffc26908973bb6fbdcd3f69874a4d8686f7172fd Mon Sep 17 00:00:00 2001
+From: Ian Kent
+Date: Tue, 25 Feb 2014 10:01:26 +0800
+Subject: [PATCH] autofs-5.0.8 - remove macro debug prints
+
+Remove a couple of missed debugging prints from macro_setenv();
+---
+ lib/macros.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/lib/macros.c b/lib/macros.c
+index d7c392f..c858f41 100644
+--- a/lib/macros.c
b/lib/macros.c
+@@ -437,9 +437,6 @@ void macro_setenv(struct substvar *table)
+ sv = sv->next;
+ }
+
+- error(LOGOPT_ANY, "table %p", table);
+- dump_table(table);
+-
+ /* Next set environment from the local table */
+ while (lv) {
+ if (lv->def)
+--
+2.8.0.rc3
+
diff -Nru autofs-5.0.8/debian/patches/series autofs-5.0.8/debian/patches/series
--- autofs-5.0.8/debian/patches/series 2015-03-19 08:36:02.0 +0100
+++ autofs-5.0.8/debian/patches/series 2016-04-22 10:35:36.0 +0200
@@ -19,3 +19,4 @@
link-daemon-with-lpthread.patch
fix-ldflags.patch
remove-kernel-mount.nfs-version-check.patch
+autofs-5.0.8-remove-macro-debug-prints.patch
--- End Message ---
--- Begin Message ---
Version: 8.5
Hi,
The fixes referred to by each of these bugs were included in today's 8.5
point release.
Regards,
Adam--- End Message ---
Bug#821835: marked as done (jessie-pu: package libcrypto++/5.6.1-6+deb8u2)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #821835, regarding jessie-pu: package libcrypto++/5.6.1-6+deb8u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 821835: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821835 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi Release Team, There's a vulnerability in Crypto++, the C++ class library of cryptographic schemes. It's CVE-2016-3995, bogus protection from timing attacks in AES (Rijndael) cipher. GCC could optimize the protection out. The patch (already in Sid + Stretch) prevents this. It's minor for a security update, but can be enough for a normal package update. Thanks for consideration, Laszlo/GCS diff -Nru libcrypto++-5.6.1/debian/changelog libcrypto++-5.6.1/debian/changelog --- libcrypto++-5.6.1/debian/changelog 2015-06-28 13:41:08.0 + +++ libcrypto++-5.6.1/debian/changelog 2016-04-11 16:16:44.0 + @@ -1,3 +1,9 @@ +libcrypto++ (5.6.1-6+deb8u2) jessie; urgency=medium + + * Fix CVE-2016-3995, Rijndael timing attack counter measure. + + -- Laszlo Boszormenyi (GCS) Mon, 11 Apr 2016 16:13:56 + + libcrypto++ (5.6.1-6+deb8u1) jessie-security; urgency=high * Fix CVE-2015-2141, misuse of blinding technique that is aimed at diff -Nru libcrypto++-5.6.1/debian/patches/CVE-2016-3995.patch libcrypto++-5.6.1/debian/patches/CVE-2016-3995.patch --- libcrypto++-5.6.1/debian/patches/CVE-2016-3995.patch 1970-01-01 00:00:00.0 + +++ libcrypto++-5.6.1/debian/patches/CVE-2016-3995.patch 2016-04-16 11:42:14.0 + @@ -0,0 +1,52 @@ +From 9f335d719ebc27f58251559240de0077ec42c583 Mon Sep 17 00:00:00 2001 +From: Pierre Lestringant +Date: Wed, 6 Apr 2016 15:51:17 +0200 +Subject: [PATCH] Fix the Rijndael timing attack counter measure + +--- + rijndael.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/rijndael.cpp b/rijndael.cpp +index f394960..92f9dea 100644 +--- a/rijndael.cpp b/rijndael.cpp +@@ -372,10 +372,12 @@ void Rijndael::Enc::ProcessAndXorBlock(c + t3 = rk[7]; + rk += 8; + +- // timing attack countermeasure. see comments at top for more details ++ // timing attack countermeasure. see comments at top for more details. ++ // also see http://github.com/weidai11/cryptopp/issues/146 + const int cacheLineSize = GetCacheLineSize(); + unsigned int i; +- word32 u = 0; ++ volatile word32 _u = 0; ++ word32 u = _u; + #ifdef CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS + for (i=0; i<2048; i+=cacheLineSize) + #else +@@ -448,10 +450,12 @@ void Rijndael::Dec::ProcessAndXorBlock(c + t3 = rk[7]; + rk += 8; + +- // timing attack countermeasure. see comments at top for more details ++ // timing attack countermeasure. see comments at top for more details. ++ // also see http://github.com/weidai11/cryptopp/issues/146 + const int cacheLineSize = GetCacheLineSize(); + unsigned int i; +- word32 u = 0; ++ volatile word32 _u = 0; ++ word32 u = _u; + #ifdef CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS + for (i=0; i<2048; i+=cacheLineSize) + #else +@@ -491,7 +495,7 @@ void Rijndael::Dec::ProcessAndXorBlock(c + // timing attack countermeasure. see comments at top for more details + // If CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS is defined, + // QUARTER_ROUND_LD will use Td, which is already preloaded. +- u = 0; ++ u = _u; + for (i=0; i<256; i+=cacheLineSize) + u &= *(const word32 *)(Sd+i); + u &= *(const word32 *)(Sd+252); diff -Nru libcrypto++-5.6.1/debian/patches/series libcrypto++-5.6.1/debian/patches/series --- libcrypto++-5.6.1/debian/patches/series 2015-06-28 13:37:49.0 + +++ libcrypto++-5.6.1/debian/patches/series 2016-04-11 16:25:58.0 + @@ -7,3 +7,4 @@ salsa.patch gcc-4.7-ftbfs.diff CVE-2015-2141.patch +CVE-2016-3995.patch --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#823609: marked as done (jessie-pu: package openssl/1.0.1t-1+deb8u2)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #823609,
regarding jessie-pu: package openssl/1.0.1t-1+deb8u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
823609: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823609
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi,
So I've prepared an update for jessie with version
1.0.1t-1+deb8u1. This are the changes:
--- debian/changelog 2016-05-06 15:36:05.976438113 +0200
+++ debian/changelog 2016-05-06 15:56:17.562695936 +0200
@@ -1,3 +1,15 @@
+openssl (1.0.1t-1+deb8u1) jessie; urgency=medium
+
+ [ Sebastian Andrzej Siewior ]
+ * Update to 1.0.1t stable release (drop applied patches and refresh existing
+ones).
+- Use alternate trust chains part of 1.0.1n (Closes: #774882).
+- Use correct digest when exporting keying material (Closes: #807057)
+- Fix CVE-2015-3197 (not affected, SSLv2 disabled)
+- Fix CVE-2015-1793 (1.0.1n+ is affected and last upload was k)
+
+ -- Kurt Roeckx Fri, 06 May 2016 15:56:09 +0200
+
openssl (1.0.1k-3+deb8u5) jessie-security; urgency=medium
* Fix CVE-2016-2105
--- debian/rules 2014-10-15 19:11:07.097579808 +0200
+++ debian/rules 2016-05-06 14:16:42.757075129 +0200
@@ -50,6 +50,7 @@
# perl util/ssldir.pl /usr/lib/ssl
# chmod +x debian/libtool
./Configure no-shared $(CONFARGS) debian-$(DEB_HOST_ARCH)
+ make depend
make -f Makefile all
$(MAKE_TEST)
mv libcrypto.a libcrypto.static
@@ -100,6 +101,7 @@
rm -f test/asn1test test/wp_test test/srptest test/jpaketest
rm -f certs/demo/*.0
rm -rf crypto/aes/aes-armv4.S crypto/bn/armv4-gf2m.S
crypto/modes/ghash-armv4.S crypto/sha/*.S
+ find . -type l -exec rm '{}' \;
dh_clean
install: build
The patches in debian/patches have whitespace changes, and for the
rest it removes a whole bunch of patches.
Kurt
--- End Message ---
--- Begin Message ---
Version: 8.5
Hi,
The fixes referred to by each of these bugs were included in today's 8.5
point release.
Regards,
Adam--- End Message ---
Bug#823496: marked as done (jessie-pu: package icedove/38.7.0-1~deb8u3)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #823496, regarding jessie-pu: package icedove/38.7.0-1~deb8u3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 823496: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823496 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu One further build fix for icedove, which was applied to unstable but not jessie-security *sigh*. Cheers, Julien diff -Nru icedove-38.7.0/debian/changelog icedove-38.7.0/debian/changelog --- icedove-38.7.0/debian/changelog 2016-05-04 17:22:43.0 +0200 +++ icedove-38.7.0/debian/changelog 2016-05-04 23:53:22.0 +0200 @@ -1,3 +1,11 @@ +icedove (38.7.0-1~deb8u3) jessie; urgency=medium + + * Non-maintainer upload. + * Try to fix the build on mips: disable jit. Per the iceweasel changelog, +only mipsel is supported. + + -- Julien Cristau Wed, 04 May 2016 23:53:17 +0200 + icedove (38.7.0-1~deb8u2) jessie; urgency=medium * Non-maintainer upload: steal arm build fixes from the firefox package. diff -Nru icedove-38.7.0/debian/mozconfig.default icedove-38.7.0/debian/mozconfig.default --- icedove-38.7.0/debian/mozconfig.default 2016-03-16 12:39:57.0 +0100 +++ icedove-38.7.0/debian/mozconfig.default 2016-05-04 23:52:11.0 +0200 @@ -97,6 +97,9 @@ kfreebsd-amd64) ac_add_options --disable-necko-wifi ;; + mips) +ac_add_options --disable-ion +;; ppc64) ac_add_options --disable-optimize ;; signature.asc Description: PGP signature --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#822854: marked as done (jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2016d)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #822854,
regarding jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2016d
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
822854: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822854
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
I've prepared an update for libdatetime-timezone-perl for
jessie(-updates) to incorporate the olson db 2016d release as a quilt
patch.
Manually stripped down debdiff attached.
Cheers,
gregor
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
iQJ8BAEBCgBmBQJXIe/WXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXREMUUxMzE2RTkzQTc2MEE4MTA0RDg1RkFC
QjNBNjgwMTg2NDlBQTA2AAoJELs6aAGGSaoGz5EP/2F8vRw/Ulwjp6uTwso/MuJJ
K3qAGRsAm1JxK8hf2g+FdER7un1IBEScxexovdH088Sw3YariwucF7qAIVw+OCFL
g4bxslF2Hnl5lktRFkxN0hm3OrlwjEfYfsYAJXB0py6O/hsj/dz+sEKXAUvHctUn
GhDnsC+OFdeyUxvBuPOJtugLJc7OajqxDFzOiW5qObQi5ERxOCuGP7vVKrhPsY6a
Ywaq3hX64G/TAGuuDKU6Pw6/ws2NwTYzzMZZFbT4lNNcgVFhfexxCTIujyTx587b
B8zar0Agh+EUO+tQqfVO6YszawiQfQ1LUG1GQGKRqvr8hqi28OYz9cXqCEr6fFr/
CrfLGwYXCLusWIBxf0WMv9hvhD39Iq3TCm9wjxd0KHpPRQHx3OHHCAO4MWjisuCs
miYcfUYlNa6JaBKebl6HtCxP3fbaEYJmD1l1GdULSsfjdfg7zjU2N7xo47hmNbHE
m4vUxQIpu83KZEa69I4X+uw0xNMdzQXnx/KbomDeFvkRcRn1J/OL5zDdmZ/DGuPa
LZuFc/AskeDkHEVIqrlXC9CgoTfbyEbJqagFemUicEN0OI5DWEEWa5wTriVzTkeB
AIZdW3mYDSuSLVlSd9gxUI7fhtsuhczbTdFwnzZedX96zM9gYbg7LfgQaJMShuFc
JAxvlkCeywglyB6jYyuB
=m8z2
-END PGP SIGNATURE-
diff -Nru libdatetime-timezone-perl-1.75/debian/changelog libdatetime-timezone-perl-1.75/debian/changelog
--- libdatetime-timezone-perl-1.75/debian/changelog 2016-03-24 20:55:02.0 +0100
+++ libdatetime-timezone-perl-1.75/debian/changelog 2016-04-28 12:48:33.0 +0200
@@ -1,3 +1,12 @@
+libdatetime-timezone-perl (1:1.75-2+2016d) UNRELEASED; urgency=medium
+
+ * Update to Olson database version 2016d.
+Add patch debian/patches olson-2016d, which updates the timezone *.pm
+files, using upstream's tools/parse_olson script.
+This update contains contemporary changes for Russia and Venezuela.
+
+ -- gregor herrmann Thu, 28 Apr 2016 12:47:35 +0200
+
libdatetime-timezone-perl (1:1.75-2+2016c) jessie; urgency=medium
* Update to Olson database version 2016c.
diff -Nru libdatetime-timezone-perl-1.75/debian/patches/olson-2016d libdatetime-timezone-perl-1.75/debian/patches/olson-2016d
--- libdatetime-timezone-perl-1.75/debian/patches/olson-2016d 1970-01-01 01:00:00.0 +0100
+++ libdatetime-timezone-perl-1.75/debian/patches/olson-2016d 2016-04-28 12:48:33.0 +0200
@@ -0,0 +1,14519 @@
+Description: update to olson db 2016d
+Origin: vendor
+Author: gregor herrmann
+Last-Update: 2016-04-28
+
+--- a/lib/DateTime/TimeZone/Africa/Abidjan.pm
b/lib/DateTime/TimeZone/Africa/Abidjan.pm
+@@ -3,7 +3,7 @@
+ # DateTime::TimeZone module distribution in the tools/ directory
+
+ #
+-# Generated from debian/tzdata/africa. Olson data version 2016c
++# Generated from debian/tzdata/africa. Olson data version 2016d
+ #
+ # Do not edit this file directly.
+ #
+@@ -39,7 +39,7 @@
+ ],
+ ];
+
+-sub olson_version { '2016c' }
++sub olson_version { '2016d' }
+
+ sub has_dst_changes { 0 }
+
+--- a/lib/DateTime/TimeZone/Catalog.pm
b/lib/DateTime/TimeZone/Catalog.pm
+@@ -236,6 +236,7 @@
+ Asia/Tehran
+ Asia/Thimphu
+ Asia/Tokyo
++ Asia/Tomsk
+ Asia/Ulaanbaatar
+ Asia/Urumqi
+ Asia/Ust-Nera
+@@ -286,6 +287,7 @@
+ Europe/Istanbul
+ Europe/Kaliningrad
+ Europe/Kiev
++ Europe/Kirov
+ Europe/Lisbon
+ Europe/London
+ Europe/Luxembourg
+@@ -611,6 +613,7 @@
+ Tehran
+ Thimphu
+ Tokyo
++Tomsk
+ Ulaanbaatar
+ Urumqi
+ Ust-Nera
+@@ -662,6 +665,7 @@
+ Istanbul
+ Kaliningrad
+ Kiev
++Kirov
+ Lisbon
+ London
+ Luxembourg
+@@ -1428,6 +1432,7 @@
+ Europe/Moscow
+ Europe/Simferopol
+ Europe/Volgograd
++Europe/Kirov
+ Europe/Astrakhan
+ Europe/Samara
+ Europe/Ulyanovsk
+@@ -1435,6 +1440,7 @@
+ Asia/Omsk
+ Asia/Novosibirsk
+ Asia/Barnaul
++Asia/Tomsk
+ Asia/Novokuznetsk
+ Asia/Krasnoyarsk
+ Asia/Irkutsk
+@@ -1876,7 +1882,7 @@
+
+ ;
+
+-sub OlsonVersion { '2016c' }
++sub OlsonVersion { '2016d' }
+
+
+ 1;
+@@ -2135,6 +2141,7 @
Bug#821042: marked as done (jessie-pu: package zendframework/1.12.9+dfsg-2+deb8u6)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #821042, regarding jessie-pu: package zendframework/1.12.9+dfsg-2+deb8u6 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 821042: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821042 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, As agreed with the security team, Iâd like to fix another potential entropy vulnerability has been fixed in zendframework. The fix also gets rid of openssl_random_pseudo_bytes() introduced in the previous ZF2015-09 fix, and I also added a regression fix from the CVE-2015-7695 (ZF2015-08) patch (this one was introduced in DSA-3369-1). Please find attached the proposed debdiff for Jessie (a similar request for Wheezy follows), the changelog entry is: zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium * Fix regression from ZF2015-08: binary data corruption * Backport security fix from 1.12.18: - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1 http://framework.zend.com/security/advisory/ZF2016-01 Regards David diff -Nru zendframework-1.12.9+dfsg/debian/changelog zendframework-1.12.9+dfsg/debian/changelog --- zendframework-1.12.9+dfsg/debian/changelog 2015-11-24 18:25:30.0 -0400 +++ zendframework-1.12.9+dfsg/debian/changelog 2016-04-13 17:12:29.0 -0400 @@ -1,6 +1,15 @@ +zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium + + * Fix regression from ZF2015-08: binary data corruption + * Backport security fix from 1.12.18: +- ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1 + http://framework.zend.com/security/advisory/ZF2016-01 + + -- David Prévot Wed, 13 Apr 2016 16:37:00 -0400 + zendframework (1.12.9+dfsg-2+deb8u5) jessie; urgency=medium - * Backport security fix from 1.12.17 + * Backport security fix from 1.12.17: - ZF2015-09: Fixed entropy issue in word CAPTCHA http://framework.zend.com/security/advisory/ZF2015-09 diff -Nru zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch --- zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch 2015-11-24 18:18:19.0 -0400 +++ zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch 2016-04-13 17:12:29.0 -0400 @@ -5,37 +5,31 @@ This addresses the same issue as found in ZF2014-06, but within the PDO MsSql adapter. Additionally, it fixes transaction tests for that adapter. -Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 +Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 https://github.com/zendframework/zf1/commit/70d8aba8c525190e906c663dfdc55355f6e74416 --- - library/Zend/Db/Adapter/Pdo/Abstract.php | 3 +- - library/Zend/Db/Adapter/Pdo/Mssql.php| 2 +- - tests/TestConfiguration.php.dist | 5 ++-- - tests/Zend/Db/Adapter/Pdo/MssqlTest.php | 47 +++- - tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 +++ - tests/Zend/Db/Adapter/TestCommon.php | 5 ++-- + library/Zend/Db/Adapter/Pdo/Abstract.php | 1 - + library/Zend/Db/Adapter/Pdo/Mssql.php| 17 +- + library/Zend/Db/Adapter/Pdo/Sqlite.php | 14 + tests/TestConfiguration.php.dist | 5 +-- + tests/Zend/Db/Adapter/Pdo/MssqlTest.php | 58 + tests/Zend/Db/Adapter/Pdo/MysqlTest.php | 13 +-- + tests/Zend/Db/Adapter/Pdo/SqliteTest.php | 11 ++ + tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 ++ + tests/Zend/Db/Adapter/TestCommon.php | 5 ++- tests/Zend/Db/TestUtil/Pdo/Mssql.php | 4 ++- - 7 files changed, 31 insertions(+), 45 deletions(-) + 10 files changed, 91 insertions(+), 47 deletions(-) diff --git a/library/Zend/Db/Adapter/Pdo/Abstract.php b/library/Zend/Db/Adapter/Pdo/Abstract.php -index 84a76f3..7699d7a 100644 +index 84a76f3..e12b602 100644 --- a/library/Zend/Db/Adapter/Pdo/Abstract.php +++ b/library/Zend/Db/Adapter/Pdo/Abstract.php -@@ -292,6 +292,8 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract - if (is_int($value
Bug#821205: marked as done (jessie-pu: package gitolite3/3.6.1-2)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #821205,
regarding jessie-pu: package gitolite3/3.6.1-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
821205: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821205
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
This is a fix for a missing functionality bug (819841) in jessie. The
fix has been in several subsequent upstream releases, so it should be
safe, even if it does involve regex-soup.
diff -u gitolite3-3.6.1/debian/changelog gitolite3-3.6.1/debian/changelog
--- gitolite3-3.6.1/debian/changelog
+++ gitolite3-3.6.1/debian/changelog
@@ -1,3 +1,11 @@
+gitolite3 (3.6.1-2+deb8u1) stable; urgency=medium
+
+ * Bug fix: "Git-annex-shell not working", thanks to risca (Closes:
+#819941). Enable repository paths without '~/'. Cherry picked from
+upstream commit, 276cf761de0522a19b0312f4466fc497a2a38b5f
+
+ -- David Bremner Sat, 16 Apr 2016 13:16:24 -0300
+
gitolite3 (3.6.1-2) unstable; urgency=low
[ Rhonda D'Vine ]
only in patch2:
unchanged:
--- gitolite3-3.6.1.orig/src/commands/git-annex-shell
+++ gitolite3-3.6.1/src/commands/git-annex-shell
@@ -18,12 +18,13 @@
# Expect commands like:
# git-annex-shell 'configlist' '/~/repo'
+# git-annex-shell 'configlist' '/repo'
# git-annex-shell 'sendkey' '/~/repo' 'key'
# The parameters are always single quoted, and the repo path is always
# the second parameter.
# Further parameters are not validated here (see below).
die "bad git-annex-shell command: $cmd"
- unless $cmd =~ m#^(git-annex-shell '\w+'
')/\~/([0-9a-zA-Z][0-9a-zA-Z._\@/+-]*)('( .*|))$#;
+ unless $cmd =~ m#^(git-annex-shell '\w+'
')/(?:\~/)?([0-9a-zA-Z][0-9a-zA-Z._\@/+-]*)('( .*|))$#;
my $start = $1;
my $repo = $2;
my $end = $3;
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.4.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.5
Hi,
The fixes referred to by each of these bugs were included in today's 8.5
point release.
Regards,
Adam--- End Message ---
Bug#820540: marked as done (jessie-pu: package bareos/14.2.1+20141017gitc6c5b56-3+deb8u2)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #820540,
regarding jessie-pu: package bareos/14.2.1+20141017gitc6c5b56-3+deb8u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
820540: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820540
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi,
I'd like to update bareos in jessie to fix bug #819807 (TLS completely broken).
This involves backporting 3 commits from upstream.
Similar changes are in the 14.2.6-3 upload but for jessie another backported
commit
is necessary.
The debdiff is attached. Most of the diff is the addition of tls autopkgtests.
Cheers,
Felix
diff -Nru bareos-14.2.1+20141017gitc6c5b56/debian/changelog bareos-14.2.1+20141017gitc6c5b56/debian/changelog
--- bareos-14.2.1+20141017gitc6c5b56/debian/changelog 2015-08-30 09:08:32.0 +0200
+++ bareos-14.2.1+20141017gitc6c5b56/debian/changelog 2016-04-09 16:27:23.0 +0200
@@ -1,3 +1,14 @@
+bareos (14.2.1+20141017gitc6c5b56-3+deb8u2) jessie; urgency=medium
+
+ * Fix GnuTLS backend initialization. (Closes: #819807)
+- Backport upstream commits in d/patches/fix-tls-backend-initalization
+ * Add autopkgtests for TLS.
+ * Add breaks-testbed to all tests.
+ * Fix TLS negotiation for passive filedaemons.
+- Backport upstream commit in d/patches/fix-tls-passive-fds
+
+ -- Felix Geyer Sat, 09 Apr 2016 16:25:33 +0200
+
bareos (14.2.1+20141017gitc6c5b56-3+deb8u1) stable; urgency=medium
[ Felix Geyer ]
diff -Nru bareos-14.2.1+20141017gitc6c5b56/debian/patches/fix-tls-backend-initalization bareos-14.2.1+20141017gitc6c5b56/debian/patches/fix-tls-backend-initalization
--- bareos-14.2.1+20141017gitc6c5b56/debian/patches/fix-tls-backend-initalization 1970-01-01 01:00:00.0 +0100
+++ bareos-14.2.1+20141017gitc6c5b56/debian/patches/fix-tls-backend-initalization 2016-04-09 16:22:04.0 +0200
@@ -0,0 +1,84 @@
+Description: Fix GnuTLS backend by postponing initialization after it daemonized.
+ Backport upstream commits from version 15.2.
+Origin: https://github.com/bareos/bareos/commit/9097aaeaefe904b40af602caddf5d9cd59959625
+ https://github.com/bareos/bareos/commit/ecb539bc44c0224b378e6e9626b86ea718da5c2c
+
+--- bareos-14.2.6.orig/src/dird/dird.c
bareos-14.2.6/src/dird/dird.c
+@@ -285,6 +285,13 @@ int main (int argc, char *argv[])
+my_config = new_config_parser();
+parse_dir_config(my_config, configfile, M_ERROR_TERM);
+
++ if (!test_config) {/* we don't need to do this block in test mode */
++ if (background) {
++ daemon_start();
++ init_stack_dump(); /* grab new pid */
++ }
++ }
++
+if (init_crypto() != 0) {
+ Jmsg((JCR *)NULL, M_ERROR_TERM, 0, _("Cryptography library initialization failed.\n"));
+ goto bail_out;
+@@ -296,10 +303,6 @@ int main (int argc, char *argv[])
+}
+
+if (!test_config) {/* we don't need to do this block in test mode */
+- if (background) {
+- daemon_start();
+- init_stack_dump(); /* grab new pid */
+- }
+ /* Create pid must come after we are a daemon -- so we have our final pid */
+ create_pid_file(me->pid_directory, "bareos-dir",
+ get_first_port_host_order(me->DIRaddrs));
+--- bareos-14.2.6.orig/src/filed/filed.c
bareos-14.2.6/src/filed/filed.c
+@@ -213,6 +213,11 @@ int main (int argc, char *argv[])
+my_config = new_config_parser();
+parse_fd_config(my_config, configfile, M_ERROR_TERM);
+
++ if (!foreground && !test_config) {
++ daemon_start();
++ init_stack_dump(); /* set new pid */
++ }
++
+if (init_crypto() != 0) {
+ Emsg0(M_ERROR, 0, _("Cryptography library initialization failed.\n"));
+ terminate_filed(1);
+@@ -237,11 +242,6 @@ int main (int argc, char *argv[])
+ terminate_filed(0);
+}
+
+- if (!foreground) {
+- daemon_start();
+- init_stack_dump(); /* set new pid */
+- }
+-
+set_thread_concurrency(me->MaxConcurrentJobs + 10);
+lmgr_init_thread(); /* initialize the lockmanager stack */
+
+--- bareos-14.2.6.orig/src/stored/stored.c
bareos-14.2.6/src/stored/stored.c
+@@ -219,6 +219,11 @@ int main (int argc, char *argv[])
+my_config = new_config_parser();
+
Bug#820589: marked as done (jessie-pu: package opam/1.2.0-1+deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #820589,
regarding jessie-pu: package opam/1.2.0-1+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
820589: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820589
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi,
Following a recommendation from the Security team[1], I'd like to update
Opam in Jessie to fix #818081.
Please find attached my diff.
[1] https://lists.debian.org/debian-ocaml-maint/2016/04/msg00012.html
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+opam (1.2.0-1+deb8u1) jessie; urgency=medium
+
+ * Stop using insecure and no-check-certificate flags when fetching
+files using wget and curl.
+
+ -- Mehdi Dogguy Sun, 10 Apr 2016 12:27:13 +0200
+
opam (1.2.0-1) unstable; urgency=medium
* New upstream release.
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,4 +1,6 @@
[DEFAULT]
+debian-branch = "debian/jessie"
+upstream-branch = "upstream/1.2.0"
pristine-tar = True
filter-pristine-tar = True
filter = [
--- /dev/null
+++ b/debian/patches/0003-remove-insecure-no-check-certificate-flags.patch
@@ -0,0 +1,30 @@
+From: Mehdi Dogguy
+Date: Sun, 10 Apr 2016 12:26:17 +0200
+Subject: remove insecure / no-check-certificate flags
+
+---
+ src/core/opamSystem.ml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/opamSystem.ml b/src/core/opamSystem.ml
+index a8e3168..c4151e9 100644
+--- a/src/core/opamSystem.ml
b/src/core/opamSystem.ml
+@@ -597,7 +597,7 @@ let download_command =
+ let wget ~compress:_ src =
+ let wget = [
+ "wget";
+- "--content-disposition"; "--no-check-certificate";
++ "--content-disposition";
+ "-t"; retry;
+ src
+ ] in
+@@ -605,7 +605,7 @@ let download_command =
+ let curl command ~compress src =
+ let curl = [
+ command;
+- "--write-out"; "%{http_code}\\n"; "--insecure";
++ "--write-out"; "%{http_code}\\n";
+ "--retry"; retry; "--retry-delay"; "2";
+ ] @ (if compress then ["--compressed"] else []) @ [
+ "-OL"; src
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
0001-Fix-some-spelling-errors.patch
0002-Import-uutf-and-jsonm-temporarily.patch
+0003-remove-insecure-no-check-certificate-flags.patch
--- End Message ---
--- Begin Message ---
Version: 8.5
Hi,
The fixes referred to by each of these bugs were included in today's 8.5
point release.
Regards,
Adam--- End Message ---
Bug#820502: marked as done (jessie-pu: package gpa/0.9.5-2+deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #820502,
regarding jessie-pu: package gpa/0.9.5-2+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
820502: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820502
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi!
I would like to fix #820342 [1] in stable, It is an upstream bug, which is
already fixed upstream, and in the versions available in testing and unstable.
Alert dialogs asking to send public GPG keys to servers or not results in
sending both when pressing Yes, but also in those cases when you can close the
alert dialog by pressing the window close button of the dialog, this
also results in a yes.
The patch fixes it by making only the yes button result in yes, and not "any
button except the no button", which is the case in the version in stable.
debdiff attached.
1: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820342
-- System Information:
Debian Release: 8.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=sv_SE.utf8, LC_CTYPE=sv_SE.utf8 (charmap=UTF-8)
diff -Nru gpa-0.9.5/debian/changelog gpa-0.9.5/debian/changelog
--- gpa-0.9.5/debian/changelog 2014-09-25 17:04:38.0 +0200
+++ gpa-0.9.5/debian/changelog 2016-04-09 08:55:19.0 +0200
@@ -1,3 +1,9 @@
+gpa (0.9.5-2+deb8u1) jessie; urgency=high
+
+ * Add patch fixing checks of dialog return values (Closes: #820342)
+
+ -- Andreas Rönnquist Fri, 08 Apr 2016 21:25:19 +0200
+
gpa (0.9.5-2) unstable; urgency=medium
[ Daniel Kahn Gilmor ]
diff -Nru gpa-0.9.5/debian/patches/fix_handling_of_confirmation_dialog.patch gpa-0.9.5/debian/patches/fix_handling_of_confirmation_dialog.patch
--- gpa-0.9.5/debian/patches/fix_handling_of_confirmation_dialog.patch 1970-01-01 01:00:00.0 +0100
+++ gpa-0.9.5/debian/patches/fix_handling_of_confirmation_dialog.patch 2016-04-08 21:23:49.0 +0200
@@ -0,0 +1,34 @@
+Author: Wener Koch
+Description: Fix the handling of windows close button in confirmation dialogs.
+ * src/gpaexportserverop.c (confirm_send): Only act upon the Yes button.
+ * src/gpgmetools.c (check_overwriting): Ditto.
+ .
+ Checking for GTK_RESPONSE_NO was a bad idea because that catches only
+ the No button and no other events, like the window's close button.
+ .
+ Minor modification to make it apply to the version of GPA in Debian
+ Stable.
+Origin: upstream, http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpa.git;a=commit;h=071ed43fac92c68c46a1a8fb19a435eebb8927e6
+Bug-Debian: http://bugs.debian.org/820342
+--- a/src/gpaexportserverop.c
b/src/gpaexportserverop.c
+@@ -133,7 +133,7 @@
+ gtk_dialog_add_buttons (GTK_DIALOG (msgbox),
+ _("_Yes"), GTK_RESPONSE_YES,
+ _("_No"), GTK_RESPONSE_NO, NULL);
+- if (gtk_dialog_run (GTK_DIALOG (msgbox)) == GTK_RESPONSE_NO)
++ if (gtk_dialog_run (GTK_DIALOG (msgbox)) != GTK_RESPONSE_YES)
+ {
+ gtk_widget_destroy (msgbox);
+ return FALSE;
+--- a/src/gpgmetools.c
b/src/gpgmetools.c
+@@ -174,7 +174,7 @@
+ gtk_dialog_add_buttons (GTK_DIALOG (msgbox),
+ _("_Yes"), GTK_RESPONSE_YES,
+ _("_No"), GTK_RESPONSE_NO, NULL);
+- if (gtk_dialog_run (GTK_DIALOG (msgbox)) == GTK_RESPONSE_NO)
++ if (gtk_dialog_run (GTK_DIALOG (msgbox)) != GTK_RESPONSE_YES)
+ {
+ gtk_widget_destroy (msgbox);
+ return FALSE;
diff -Nru gpa-0.9.5/debian/patches/series gpa-0.9.5/debian/patches/series
--- gpa-0.9.5/debian/patches/series 2014-09-02 16:03:17.0 +0200
+++ gpa-0.9.5/debian/patches/series 2016-04-08 21:10:27.0 +0200
@@ -1,3 +1,4 @@
+fix_handling_of_confirmation_dialog.patch
gnupg2.patch
add_desktop_file_keywords.patch
enable_cardman_close.patch
--- End Message ---
--- Begin Message ---
Version: 8.5
Hi,
The fixes referred to by each of these bugs were included in today's 8.5
point release.
Regards,
Adam--- End Message ---
Bug#820945: marked as done (pu: package xscreensaver/5.30-1+deb8u2)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #820945, regarding pu: package xscreensaver/5.30-1+deb8u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 820945: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820945 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: pu Bug #819703: Disable Easter egg about "outdated" version There is an outcry from users because the xscreensaver preference dialog / demo / splash screen since a few days displays a message "This version is old, please upgrade". This was an "Easter egg" from upstream, since he is annoyed by people using old versions. The message appears if current time is 18 months from upstream's release date. The patch in proposed 5.30-1+deb8u2 simply disables this date check. The same fix is in 5.34-2 which is now in "testing". Thanks, Tormod xscreensaver_5.30-1+deb8u2.debdiff Description: Binary data --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#820995: marked as done (jessie-pu: package lvm2/2.02.111-2.2)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #820995, regarding jessie-pu: package lvm2/2.02.111-2.2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 820995: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820995 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu On request of Mehdi Dogguy, I would like to fix the use of /var/run in early-boot in lvm2. Patch is as follows: diff -Nru lvm2-2.02.111/debian/changelog lvm2-2.02.111/debian/changelog --- lvm2-2.02.111/debian/changelog 2015-04-10 00:43:40.0 + +++ lvm2-2.02.111/debian/changelog 2016-04-14 11:36:07.0 + @@ -1,3 +1,9 @@ +lvm2 (2.02.111-3) UNRELEASED; urgency=medium + + * Set default pid directory to /run. (closes: #783120) + + -- Bastian Blank Thu, 14 Apr 2016 11:35:55 + + lvm2 (2.02.111-2.2) unstable; urgency=medium * Non-maintainer upload diff -Nru lvm2-2.02.111/debian/rules lvm2-2.02.111/debian/rules --- lvm2-2.02.111/debian/rules 2015-01-17 17:13:22.0 + +++ lvm2-2.02.111/debian/rules 2016-04-14 12:08:29.0 + @@ -82,7 +82,9 @@ --with-device-gid=6 \ --with-device-mode=0660 \ --with-default-run-dir=/run/lvm \ + --with-default-dm-run-dir=/run \ --with-default-locking-dir=/run/lock/lvm \ + --with-default-pid-dir=/run \ --with-thin=internal \ --with-thin-check=/usr/sbin/thin_check \ --with-thin-dump=/usr/sbin/thin_dump \ Bastian -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#819801: marked as done (jessie-pu: package postgresql-9.4/9.4.7-0+deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #819801, regarding jessie-pu: package postgresql-9.4/9.4.7-0+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 819801: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819801 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, I've just uploaded postgresql-9.4/9.4.7-0+deb8u1 for inclusion in Jessie 8.4. There are no security fixes or major bugfixes, but given that any future release including any of these would include the 9.4.7 fixes, I'd think uploading now makes sense. postgresql-9.4 (9.4.7-0+deb8u1) jessie; urgency=medium * New upstream bugfix release. * Remove obsolete .bzr-builddeb/default.conf. -- Christoph Berg Sat, 02 Apr 2016 13:22:58 +0200 Christoph signature.asc Description: PGP signature --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#820193: marked as done (jessie-pu: package quota/4.01-8)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #820193,
regarding jessie-pu: package quota/4.01-8
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
820193: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820193
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi,
I'd like to update quota in stable because a lot more people than anticipated
seem to be hit by #788963. The attached debdiff shows the changes that have
been made in the current package to resolve the issue and, judging from the
feedback, it works well for all who tested it.
Michael
diff -u quota-4.01/debian/changelog quota-4.01/debian/changelog
--- quota-4.01/debian/changelog
+++ quota-4.01/debian/changelog
@@ -1,3 +1,11 @@
+quota (4.01-8+deb8u1) stable-proposed-updates; urgency=medium
+
+ * Change invocation of quota services, so systemd takes over most of the work.
+Only the initial check is still performed by the service file provide by
+quota.
+
+ -- Michael Meskes Wed, 06 Apr 2016 14:12:06 +0200
+
quota (4.01-8) unstable; urgency=medium
* Use libtirpc include files to prevent a segfault due to incompatible
diff -u quota-4.01/debian/install quota-4.01/debian/install
--- quota-4.01/debian/install
+++ quota-4.01/debian/install
@@ -4,6 +4,7 @@
debian/quotaon.sh /usr/share/quota/
debian/quotaoff.sh /usr/share/quota/
debian/quotarpc.sh /usr/share/quota/
+debian/quota-initial-check.sh /usr/share/quota/
ldap-scripts/applySystemQuotas.pl /usr/share/quota/ldap
ldap-scripts/edquota_editor /usr/share/quota/ldap
diff -u quota-4.01/debian/quota.service quota-4.01/debian/quota.service
--- quota-4.01/debian/quota.service
+++ quota-4.01/debian/quota.service
@@ -1,19 +1,15 @@
[Unit]
-Description=Check And Enable File System Quotas
-Documentation=man:quotaon(8)
+Description=Initial Check File System Quotas
+Documentation=man:quotacheck(8)
DefaultDependencies=no
-After=systemd-readahead-collect.service systemd-readahead-replay.service systemd-remount-fs.service
-Before=sysinit.target shutdown.target
-ConditionPathExists=/usr/share/quota/quotaon.sh
-
-# Make sure quota is correctly stopped.
-Conflicts=shutdown.target
+After=systemd-remount-fs.service
+Before=systemd-quotacheck.service shutdown.target
+ConditionPathExists=/usr/share/quota/quota-initial-check.sh
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStart=/usr/share/quota/quotaon.sh
-ExecStop=/usr/share/quota/quotaoff.sh
+ExecStart=/usr/share/quota/quota-initial-check.sh
StandardOutput=journal+console
[Install]
only in patch2:
unchanged:
--- quota-4.01.orig/debian/quota-initial-check.sh
+++ quota-4.01/debian/quota-initial-check.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# names of binaries
+check=/sbin/quotacheck
+on=/sbin/quotaon
+quotaisnew=/var/lib/quota/new
+
+ALLFLAGS=-aug
+CHECKALLFLAGS=${ALLFLAGS}m
+
+set -e
+
+. /lib/lsb/init-functions
+
+# Check if quota has been enabled already
+LC_MESSAGES=C $on -ap|grep -q "is on" && exit 0
+
+# option 'skip' takes precedence even for newly installed quota package
+skip="no"
+if grep "quotacheck.mode=skip" /proc/cmdline >/dev/null 2>&1; then
+ skip="yes"
+fi
+
+# Check all filesystems if quota is new
+if [ -x $check -a $skip = "no" -a -f $quotaisnew ] ; then
+ log_action_begin_msg 'Checking quotas';
+ $check -c $CHECKALLFLAGS
+ log_action_end_msg 0
+fi
+
+# Remove special file
+rm -f $quotaisnew
+
+exit 0
--- End Message ---
--- Begin Message ---
Version: 8.5
Hi,
The fixes referred to by each of these bugs were included in today's 8.5
point release.
Regards,
Adam--- End Message ---
Bug#820403: marked as done (jessie-pu: package linux/3.16.7-ckt25-2)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #820403, regarding jessie-pu: package linux/3.16.7-ckt25-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 820403: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820403 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu The recent point release (8.4) introduced several regressions in src:linux. In particular bug #819881 (radeon crasher) is affecting a fair number of users. Bug #820176 (usb crasher) was also reported several times and there is a second crash bug in radeon which had many reports upstream. All three regressions are caused by single commits that have been reverted in the next 3.16.7-ckt update; two were also reverted upstream. I would like to apply those reversions through jessie-updates rather than waiting for the next point release or security update. As I haven't done this before (so far as I can remember, anyway), please let me know whether I have to do anything different compared to an upload that's destined for the next point release. The debdiff is below, with changes to generated files debian/config.defines.dump, debian/control.md5sum and debian/rules.gen omitted. Ben. diff -Nru linux-3.16.7-ckt25/debian/changelog linux-3.16.7-ckt25/debian/changelog --- linux-3.16.7-ckt25/debian/changelog 2016-03-06 22:19:35.0 + +++ linux-3.16.7-ckt25/debian/changelog 2016-04-07 22:34:44.0 +0100 @@ -1,3 +1,14 @@ +linux (3.16.7-ckt25-2) jessie-updates; urgency=medium + + * Revert "drm/radeon: hold reference to fences in radeon_sa_bo_new" +(Closes: #819881) + * Revert "drm/radeon: call hpd_irq_event on resume", reported to cause +regressions (crash/hang) on some systems + * Revert "usb: hub: do not clear BOS field during reset device" +(Closes: #820176) + + -- Ben Hutchings Thu, 07 Apr 2016 22:34:43 +0100 + linux (3.16.7-ckt25-1) jessie; urgency=medium * New upstream stable update: diff -Nru linux-3.16.7-ckt25/debian/patches/bugfix/all/revert-drm-radeon-call-hpd_irq_event-on-resume.patch linux-3.16.7-ckt25/debian/patches/bugfix/all/revert-drm-radeon-call-hpd_irq_event-on-resume.patch --- linux-3.16.7-ckt25/debian/patches/bugfix/all/revert-drm-radeon-call-hpd_irq_event-on-resume.patch 1970-01-01 01:00:00.0 +0100 +++ linux-3.16.7-ckt25/debian/patches/bugfix/all/revert-drm-radeon-call-hpd_irq_event-on-resume.patch 2016-04-07 22:33:40.0 +0100 @@ -0,0 +1,42 @@ +From: Linus Torvalds +Date: Mon, 7 Mar 2016 13:15:09 -0800 +Subject: Revert "drm/radeon: call hpd_irq_event on resume" +Origin: https://git.kernel.org/linus/256faedcfd646161477d47a1a78c32a562d2e845 + +This reverts commit dbb17a21c131eca94eb31136eee9a7fe5aff00d9. + +It turns out that commit can cause problems for systems with multiple +GPUs, and causes X to hang on at least a HP Pavilion dv7 with hybrid +graphics. + +This got noticed originally in 4.4.4, where this patch had already +gotten back-ported, but 4.5-rc7 was verified to have the same problem. + +Alexander Deucher says: + "It looks like you have a muxed system so I suspect what's happening is + that one of the display is being reported as connected for both the + IGP and the dGPU and then the desktop environment gets confused or + there some sort problem in the detect functions since the mux is not + switched to the dGPU. I don't see an easy fix unless Dave has any + ideas. I'd say just revert for now" + +Reported-by: Jörg-Volker Peetz +Acked-by: Alexander Deucher +Cc: Dave Airlie +Signed-off-by: Linus Torvalds +--- + drivers/gpu/drm/radeon/radeon_device.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c +index f7296ca6510c..ca470fb17aa4 100644 +--- a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c +@@ -1649,7 +1649,6 @@ int radeon_resume_kms(struct drm_device *dev, bool resume, bool fbcon) + } + + drm_kms_helper_poll_enable(dev); +- drm_helper_hpd_irq_event(dev); + + /* set the power state here in case we are a PX system or headless */ + if ((rdev->pm.pm_method == PM_METHOD_DPM) && rdev->pm.dpm_enabled) diff -Nru linux-3.16.7-ckt25/debian/patches/bugfix/all/revert-drm-radeon-hold-reference-to-fences-in-radeon.patch
Bug#820101: marked as done (jessie-pu: package nam/1.15-3)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #820101, regarding jessie-pu: package nam/1.15-3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 820101: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820101 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, Package nam[0] has a RC bug[1]. I did a NMU and it is on 'testing' (1.15-3.1). [0] - https://packages.qa.debian.org/n/nam.html [1] - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784433 Could the fix be send to stable ? Already tested. debdiff: $ cat Documentos/debdiff.patch diff -Nru nam-1.15/debian/changelog nam-1.15/debian/changelog --- nam-1.15/debian/changelog 2014-02-09 14:15:52.0 -0200 +++ nam-1.15/debian/changelog 2016-03-30 14:43:25.0 -0300 @@ -1,3 +1,13 @@ +nam (1.15-3.1+deb8u1) stable; urgency=medium + + * Non-maintainer upload. (Closes: #784433) + * debian/control: + - set tcl-dev and tk-dev to '>=8.6'. + * debian/patches: + - init_tcltk_with_stub.diff unused. Commented (#) in series file. + + -- Herbert Parentes Fortes Neto Wed, 30 Mar 2016 13:52:18 -0300 + nam (1.15-3) unstable; urgency=low [ Sergei Golovan ] diff -Nru nam-1.15/debian/control nam-1.15/debian/control --- nam-1.15/debian/control 2014-02-09 14:09:46.0 -0200 +++ nam-1.15/debian/control 2016-03-30 14:04:13.0 -0300 @@ -4,8 +4,9 @@ Maintainer: Debian Network Simulators Team Uploaders: YunQiang Su Build-Depends: debhelper (>= 8), quilt (>= 0.46-7~), cmake, - tcl-dev, tk-dev, libxt-dev, libxmu-headers, zlib1g-dev, - libotcl1-dev (>= 1.14+dfsg), tclcl, libtclcl1-dev (>= 1.20-4) + tcl-dev (>=8.6), tk-dev (>=8.6), libxt-dev, libxmu-headers, +zlib1g-dev, libotcl1-dev (>= 1.14+dfsg), tclcl, +libtclcl1-dev (>= 1.20-4) Standards-Version: 3.9.5 Vcs-git: git://anonscm.debian.org/pkg-netsim/nam.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-netsim/nam.git diff -Nru nam-1.15/debian/patches/series nam-1.15/debian/patches/series --- nam-1.15/debian/patches/series 2014-02-09 13:57:49.0 -0200 +++ nam-1.15/debian/patches/series 2016-03-30 14:08:22.0 -0300 @@ -1,4 +1,4 @@ netmodel_cc_void_int.patch -init_tcltk_with_stub.diff +#init_tcltk_with_stub.diff group_cc_void_int.patch lib_underlinkage.patch -- System Information: Debian Release: 8.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core) Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#819912: marked as done (jessie-pu: package postgresql-9.1/9.1.21-0+deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #819912, regarding jessie-pu: package postgresql-9.1/9.1.21-0+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 819912: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819912 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, I've uploaded postgresql-9.1/9.1.21-0+deb8u1 for inclusion into jessie. As usual, that upload is needed to follow the postgresql-9.1/9.1.21-0+deb7u1 upload in wheezy-pu (see #819805). postgresql-9.1 (9.1.21-0+deb8u1) jessie; urgency=medium * New upstream version, relevant PL/Perl change: + Correctly handle empty arrays in plperl_ref_from_pg_array. -- Christoph Berg Sat, 02 Apr 2016 16:16:53 +0200 (The good news is that we won't be doing the plperl dance anymore in future releases, tests have shown that PostgreSQL clusters are upgradeable even without plperl.so present. I guess we could even remove postgresql-(plperl-)9.1 from jessie if we adjusted the release notes.) Christoph --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#820059: marked as done (jessie-pu: package xapian-core/1.2.19-1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #820059,
regarding jessie-pu: package xapian-core/1.2.19-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
820059: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820059
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
I'd like to update xapian-core in jessie to fix a bug which can cause
database corruption. This is triggered by certain usage patterns, which
the recoll package performs:
https://bugs.debian.org/808610
It also affects some other users, but recoll is one I'm sure is affected
in jessie.
The attached patch is from the upstream git repo - it's been on git
master since 2015-04-28, and in upstream stable releases since
2015-05-20.
(wheezy is similarly affected - I can make a separate request for that
if you OK this one, but if you want to OK both now that's fine with me.
The patch for wheezy should be essentially identical).
Cheers,
Olly
Description: Increment cursor version of cancel or reopen
Potentially increment the cursor version on cancel() or when the database is
reopened, and flag the current cursor version as used when a cursor is
rebuilt.
.
Fixes database corruption issues with certain usage patterns, which recoll
can trigger.
Author: Olly Betts
Origin: upstream, https://trac.xapian.org/changeset/826d1a19cc356e7bf66c1681626e70af32967447/git and https://trac.xapian.org/changeset/d784290ce015958474f965817f7a41f1483c3e03/git
Bug: https://trac.xapian.org/ticket/675
Bug-Debian: https://bugs.debian.org/808610
Forwarded: https://trac.xapian.org/ticket/675
Last-Update: 2016-04-05
--- a/backends/brass/brass_cursor.cc
+++ b/backends/brass/brass_cursor.cc
@@ -1,7 +1,7 @@
/* brass_cursor.cc: Btree cursor implementation
*
* Copyright 1999,2000,2001 BrightStation PLC
- * Copyright 2002,2003,2004,2005,2006,2007,2008,2009,2010,2012 Olly Betts
+ * Copyright 2002,2003,2004,2005,2006,2007,2008,2009,2010,2012,2015 Olly Betts
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
@@ -99,6 +99,7 @@
C[level].n = B->C[level].n;
C[level].p = B->C[level].p;
version = B->cursor_version;
+B->cursor_created_since_last_modification = true;
}
BrassCursor::~BrassCursor()
--- a/backends/brass/brass_table.cc
+++ b/backends/brass/brass_table.cc
@@ -1446,6 +1446,11 @@
base_letter = ch;
+if (cursor_created_since_last_modification) {
+ cursor_created_since_last_modification = false;
+ ++cursor_version;
+}
+
/* ready to open the main file */
RETURN(true);
@@ -1985,6 +1990,11 @@
changed_n = 0;
changed_c = DIR_START;
seq_count = SEQ_START_POINT;
+
+if (cursor_created_since_last_modification) {
+ cursor_created_since_last_modification = false;
+ ++cursor_version;
+}
}
/ B-tree reading /
--- a/backends/chert/chert_cursor.cc
+++ b/backends/chert/chert_cursor.cc
@@ -1,7 +1,7 @@
/* chert_cursor.cc: Btree cursor implementation
*
* Copyright 1999,2000,2001 BrightStation PLC
- * Copyright 2002,2003,2004,2005,2006,2007,2008,2009,2010,2012 Olly Betts
+ * Copyright 2002,2003,2004,2005,2006,2007,2008,2009,2010,2012,2015 Olly Betts
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
@@ -97,6 +97,7 @@
C[level].n = B->C[level].n;
C[level].p = B->C[level].p;
version = B->cursor_version;
+B->cursor_created_since_last_modification = true;
}
ChertCursor::~ChertCursor()
--- a/backends/chert/chert_table.cc
+++ b/backends/chert/chert_table.cc
@@ -1449,6 +1449,11 @@
base_letter = ch;
+if (cursor_created_since_last_modification) {
+ cursor_created_since_last_modification = false;
+ ++cursor_version;
+}
+
/* ready to open the main file */
RETURN(true);
@@ -2007,6 +2012,11 @@
changed_n = 0;
changed_c = DIR_START;
seq_count = SEQ_START_POINT;
+
+if (cursor_created_since_last_modification) {
+ cursor_created_since_last_modification = false;
+ ++cursor_version;
+}
}
/ B-tree reading /
--- a/backends/flint/flint_cursor.cc
+++ b/backends/flint/flint_cursor.cc
@@ -1,7 +1,7 @@
/* flint_cursor.cc: Btree cursor implementation
*
*
Bug#820175: marked as done (jessie-pu: package tklib/0.6-1+deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #820175, regarding jessie-pu: package tklib/0.6-1+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 820175: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820175 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi release team, I'd like to update the tklib package (a collection of libraries for Tk) in stable and fix one small but annoying bug with one of the packages (Plotchart). A typo makes it unloadable. A few users poked me recently about this, though without a proper bug report. Is it reasonable to fix this bug in stble? I've already uploaded the fix for sid and testing. The diff for the proposed update is shown below: === --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +tklib (0.6-1+deb8u1) stable; urgency=medium + + * Fixed typo in Plotchart version which prevented its loading. + + -- Sergei Golovan Wed, 06 Apr 2016 11:02:10 +0300 + tklib (0.6-1) unstable; urgency=low * New upstream release. --- a/debian/patches/plotchart.diff +++ b/debian/patches/plotchart.diff @@ -0,0 +1,11 @@ +Author: Sergei Golovan +Description: Patch fixes Plotchart version. + +--- a/modules/plotchart/plotchart.tcl b/modules/plotchart/plotchart.tcl +@@ -2849,4 +2849,4 @@ + + # Announce our presence + # +-package provide Plotchart 2.0.1 ++package provide Plotchart 2.1.0 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ manpages.diff osm.diff doc.diff +plotchart.diff === -- System Information: Debian Release: 8.4 APT prefers stable APT policy: (600, 'stable'), (500, 'proposed-updates') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#819933: marked as done (jessie-pu: package redmine/3.0~20140825-8~deb8u3)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #819933,
regarding jessie-pu: package redmine/3.0~20140825-8~deb8u3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
819933: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819933
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
This fixes an issue when upgrading from 3.0~20140825-5 (original version
release with jessie) to any of the later stable updates, when there are
multiple redmine instances or when the `default` has been removed.
This has been fixed in unstable on 3.2.1-2. The diff for jessie is
attached.
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--
Antonio Terceiro
diff --git a/debian/changelog b/debian/changelog
index c4db2f7..ec0e42a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+redmine (3.0~20140825-8~deb8u3) jessie; urgency=medium
+
+ * gemfile-adjustments.patch: load all database drivers for all Redmine
+instances (Closes: #819815)
+
+ -- Antonio Terceiro Sun, 03 Apr 2016 20:47:00 -0300
+
redmine (3.0~20140825-8~deb8u2) jessie-security; urgency=high
* Security update. Includes fixes for the following vulnerabilities:
diff --git a/debian/patches/gemfile-adjustments.patch b/debian/patches/gemfile-adjustments.patch
index 3a2f6e1..0db0aa3 100644
--- a/debian/patches/gemfile-adjustments.patch
+++ b/debian/patches/gemfile-adjustments.patch
@@ -37,24 +37,33 @@
end
end
-@@ -46,8 +46,11 @@ end
+@@ -46,12 +46,16 @@ end
# configuration file
require 'erb'
require 'yaml'
-database_file = File.join(File.dirname(__FILE__), "config/database.yml")
-if File.exist?(database_file)
-+# FIXME duplicating logic in config/application.rb
-+ENV['X_DEBIAN_SITEID'] ||= 'default'
-+ENV['RAILS_ETC'] = "/etc/redmine/#{ENV['X_DEBIAN_SITEID']}"
-+database_file = File.join(ENV['RAILS_ETC'], "database.yml")
-+if File.readable?(database_file)
++seen_adapters = {}
++Dir['{config,/etc/redmine/*}/database.yml'].select do |f|
++ File.exists?(f)
++end.each do |database_file|
database_config = YAML::load(ERB.new(IO.read(database_file)).result)
adapters = database_config.values.map {|c| c['adapter']}.compact.uniq
if adapters.any?
-@@ -78,21 +81,6 @@ else
- warn("Please configure your config/database.yml first")
- end
-
+ adapters.each do |adapter|
++ next if seen_adapters[adapter]
++ seen_adapters[adapter] = true
+ case adapter
+ when 'mysql2'
+ gem "mysql2", "~> 0.3.11", :platforms => [:mri, :mingw]
+@@ -74,23 +78,6 @@ if File.exist?(database_file)
+ else
+ warn("No adapter found in config/database.yml, please configure it first")
+ end
+-else
+- warn("Please configure your config/database.yml first")
+-end
+-
-group :development do
- gem "rdoc", ">= 2.4.2"
- gem "yard"
@@ -68,8 +77,6 @@
- # For running UI tests
- gem "capybara", "~> 2.1.0"
- gem "selenium-webdriver"
--end
--
+ end
+
local_gemfile = File.join(File.dirname(__FILE__), "Gemfile.local")
- if File.exists?(local_gemfile)
- eval_gemfile local_gemfile
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Version: 8.5
Hi,
The fixes referred to by each of these bugs were included in today's 8.5
point release.
Regards,
Adam--- End Message ---
Bug#819758: marked as done (jessie-pu: package perl/5.20.2-3+deb8u5)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #819758, regarding jessie-pu: package perl/5.20.2-3+deb8u5 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 819758: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819758 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu The attached patch improves binary compatibility for debugperl (provided in the perl-debug package) and fixes https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816280 Thanks, Dominic. -- System Information: Debian Release: 8.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: i386 (i686) Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: sysvinit (via /sbin/init) diff --git a/debian/.git-dpm b/debian/.git-dpm index 1ea6490..23337bd 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -1237ea93fb2475a5ae576d5ee1358a5bb4ebe426 -1237ea93fb2475a5ae576d5ee1358a5bb4ebe426 +b40a8334d0a81d88be7371fa2124ce30994d4f94 +b40a8334d0a81d88be7371fa2124ce30994d4f94 708ce0747a55640ef1136be276185cc1a5a82564 708ce0747a55640ef1136be276185cc1a5a82564 perl_5.20.2.orig.tar.bz2 diff --git a/debian/changelog b/debian/changelog index df53340..d1e9660 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +perl (5.20.2-3+deb8u5) UNRELEASED; urgency=medium + + * Apply patch from Niko Tyni fixing debugperl crashes with XS +modules (Closes: #816280) + + -- Dominic Hargreaves Fri, 01 Apr 2016 22:13:30 +0100 + perl (5.20.2-3+deb8u4) jessie-security; urgency=high * Work around a t/op/stat.t failure on GNU/kFreeBSD, possibly related diff --git a/debian/patches/debian/debugperl-compat-fix.diff b/debian/patches/debian/debugperl-compat-fix.diff new file mode 100644 index 000..07547e4 --- /dev/null +++ b/debian/patches/debian/debugperl-compat-fix.diff @@ -0,0 +1,30 @@ +From b40a8334d0a81d88be7371fa2124ce30994d4f94 Mon Sep 17 00:00:00 2001 +From: Niko Tyni +Date: Fri, 8 Jan 2016 14:27:36 +0200 +Subject: Disable PERL_TRACK_MEMPOOL for debugging builds + +This is a workaround for an ABI incompatibility between +-DDEBUGGING and normal builds. + +Bug-Debian: https://bugs.debian.org/810326 +Bug: https://rt.perl.org/Public/Bug/Display.html?id=127212 +Patch-Name: debian/debugperl-compat-fix.diff +--- + perl.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/perl.h b/perl.h +index 1325de9..8f19b28 100644 +--- a/perl.h b/perl.h +@@ -176,7 +176,9 @@ + # define pTHX_8 9 + # define pTHX_9 10 + # define pTHX_12 13 +-# if defined(DEBUGGING) && !defined(PERL_TRACK_MEMPOOL) ++/* PERL_TRACK_MEMPOOL temporarily disabled for DEBUGGING */ ++/* see https://bugs.debian.org/810326 */ ++# if 0 && defined(DEBUGGING) && !defined(PERL_TRACK_MEMPOOL) + #define PERL_TRACK_MEMPOOL + # endif + #else diff --git a/debian/patches/series b/debian/patches/series index 3251835..0f4ce8a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -45,3 +45,4 @@ fixes/encode-unicode-bom.diff debian/encode-unicode-bom-doc.diff debian/kfreebsd-softupdates.diff fixes/CVE-2016-2381_duplicate_env.diff +debian/debugperl-compat-fix.diff diff --git a/perl.h b/perl.h index 1325de9..8f19b28 100644 --- a/perl.h +++ b/perl.h @@ -176,7 +176,9 @@ # define pTHX_8 9 # define pTHX_9 10 # define pTHX_12 13 -# if defined(DEBUGGING) && !defined(PERL_TRACK_MEMPOOL) +/* PERL_TRACK_MEMPOOL temporarily disabled for DEBUGGING */ +/* see https://bugs.debian.org/810326 */ +# if 0 && defined(DEBUGGING) && !defined(PERL_TRACK_MEMPOOL) #define PERL_TRACK_MEMPOOL # endif #else --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#819797: marked as done (jessie-pu: package libreoffice/1:4.3.3-2+deb8u2)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #819797, regarding jessie-pu: package libreoffice/1:4.3.3-2+deb8u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 819797: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819797 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, OpenJDK changed soe JDK paths on ppc64el which made the last security update FTBFS... See #819375. That should be fixed soon so that a) a eventual new security update can build and b) the existing one has a chance of going into stable. While at it I think we can also include the trivial fix for #780497. Diff attached. Regards, Rene -- System Information: Debian Release: 8.3 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff --git a/changelog b/changelog index 9770009..9a27363 100644 --- a/changelog +++ b/changelog @@ -1,3 +1,13 @@ +libreoffice (1:4.3.3-2+deb8u4) jessie; urgency=medium + + * debian/patches/ppc64el-jdk-paths.diff: fix ppc64el FTBFS due to changed +OpenJDK paths, thanks Slavek Banko (closes: #819375) + + * debian/rules: +- fix logic to not install sound files (closes: #780497) + + -- Rene Engelhard Mon, 28 Mar 2016 14:09:18 +0200 + libreoffice (1:4.3.3-2+deb8u3) jessie-security; urgency=high * debian/patches/V-1lp8t84lh4.diff: fix "LibreOffice Writer Lotus Word Pro diff --git a/patches/ppc64el-jdk-paths.diff b/patches/ppc64el-jdk-paths.diff new file mode 100644 index 000..4b08462 --- /dev/null +++ b/patches/ppc64el-jdk-paths.diff @@ -0,0 +1,148 @@ +commit 7a66dbe982623be620ad6ac426fe689a434e5f51 +Author: David Tardon +Date: Tue May 12 10:37:53 2015 +0200 + +java dir for powepc64 and powepc64le can differ + +E.g., RHEL >= 7.1 uses ppc64le for reasons listed in +https://bugs.openjdk.java.net/browse/JDK-8073139 . + +Change-Id: I982e65cdf9e8a5ed23cf444ccb2aee764c4c + +diff --git a/configure.ac b/configure.ac +index 26071dc..55157a9 100644 +--- a/configure.ac b/configure.ac +@@ -6997,9 +6997,12 @@ then + powerpc) + my_java_arch=ppc + ;; +-powerpc64*) ++powerpc64) + my_java_arch=ppc64 + ;; ++powerpc64le) ++AS_IF([test -d "$JAVA_HOME/jre/lib/ppc64le"], [my_java_arch=ppc64le], [my_java_arch=ppc64]) ++;; + x86_64) + my_java_arch=amd64 + ;; +commit d8eee8e4d1a303044bf34b28c2e95bd6da23fd79 +Author: David Tardon +Date: Tue May 12 12:10:16 2015 +0200 + +java dir for powepc64 and powepc64le can differ + +E.g., RHEL >= 7.1 uses ppc64le for reasons listed in +https://bugs.openjdk.java.net/browse/JDK-8073139 . + +This is a follow-up to commit 7a66dbe982623be620ad6ac426fe689a434e5f51. + +Change-Id: I685f76d51e9775788a7fb225c6a5e2309a45ceb7 + +diff --git a/config_host/config_java.h.in b/config_host/config_java.h.in +new file mode 100644 +index 000..8b23de9 +--- /dev/null b/config_host/config_java.h.in +@@ -0,0 +1,6 @@ ++#ifndef CONFIG_JAVA_H ++#define CONFIG_JAVA_H ++ ++#undef JAVA_ARCH ++ ++#endif +diff --git a/configure.ac b/configure.ac +index 55157a9..5414754 100644 +--- a/configure.ac b/configure.ac +@@ -7002,6 +7002,7 @@ then + ;; + powerpc64le) + AS_IF([test -d "$JAVA_HOME/jre/lib/ppc64le"], [my_java_arch=ppc64le], [my_java_arch=ppc64]) ++JAVA_ARCH=$my_java_arch + ;; + x86_64) + my_java_arch=amd64 +@@ -7011,6 +7012,7 @@ then + ;; + esac + JAWTLIB="-L$JAVA_HOME/jre/lib/$my_java_arch -ljawt" ++AS_IF([test "$JAVA_ARCH" != ""], [AC_DEFINE_UNQUOTED([JAVA_ARCH], ["$JAVA_ARCH"])]) + fi + AC_MSG_RESULT([$JAWTLIB]) + fi +@@ -12988,6 +12990,7 @@ AC_CONFIG_HEADERS([config_host/config_folders.h]) + AC_CONFIG_HEADERS([config_host/config_gcc.h]) + AC_CONFIG_HEADERS([config_host/config_global.h]) + AC_CONFIG_HEADERS([config_host/config_graphite.h]) ++AC_CONFIG_HEADERS([config_host/config_java.h]) + AC_CONFIG_HEADERS([config_host/config_lgpl.h]) + AC_C
Bug#819658: marked as done (jessie-pu: package hexchat/2.10.1-1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #819658, regarding jessie-pu: package hexchat/2.10.1-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 819658: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819658 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, I have prepared a patch for hexchat_2.10.1-1 in jessie for this issue, https://security-tracker.debian.org/tracker/TEMP-0776609-026A07 It is also referenced in debian bug # 818009. I am the hexchat maintainer and this patch comes from upstream, via the following 2 commits: https://github.com/hexchat/hexchat/commit/c99f2ba645d1f4d01d6d2bb0cc1238825e15c604 https://github.com/hexchat/hexchat/commit/b6fa8574cb8e57db311fff2ada7ede3548617dd3 (The first commit depends on the changes made in the second.) I built the updated package in a jessie pbuilder and tested it in a jessie vm. I can verify that: - hexchat now verifies hostnames when ssl is in use - hexchat appears to behave normally otherwise I spoke with the debian security team and they advised me that they would not issue a DSA for this, and that I should submit it to jessie-proposed-updates instead. Please let me know if you require anything else. Thanks sney -- System Information: Debian Release: 8.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core) Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#819444: marked as done (jessie-pu: package libreoffice-nlpsolver/0.9~beta1-10+deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #819444,
regarding jessie-pu: package libreoffice-nlpsolver/0.9~beta1-10+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
819444: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819444
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi,
While doing the bug for wheezy, and when fixing #728792 there I think
we of course should also do it in stable :)
Diff:
diff -Nru nlpsolver-0.9~beta1/debian/changelog
nlpsolver-0.9~beta1/debian/changelog
--- nlpsolver-0.9~beta1/debian/changelog2014-11-03 19:07:53.0
+0100
+++ nlpsolver-0.9~beta1/debian/changelog2016-03-28 16:40:18.0
+0200
@@ -1,3 +1,9 @@
+nlpsolver (0.9~beta1-10+deb8u1) jessie; urgency=medium
+
+ * add missing Depends: on libreoffice-java-common (closes: #728792)
+
+ -- Rene Engelhard Mon, 28 Mar 2016 15:14:02 +0200
+
nlpsolver (0.9~beta1-10) unstable; urgency=medium
* merge from Ubuntu:
diff -Nru nlpsolver-0.9~beta1/debian/control nlpsolver-0.9~beta1/debian/control
--- nlpsolver-0.9~beta1/debian/control 2014-11-03 19:07:30.0 +0100
+++ nlpsolver-0.9~beta1/debian/control 2016-03-28 15:14:54.0 +0200
@@ -9,7 +9,7 @@
Package: libreoffice-nlpsolver
Architecture: all
-Depends: ${misc:Depends}, libreoffice-calc (>= 1:3.0~), libreoffice-core (>=
1:3.3~), default-jre-headless | java5-runtime | java6-runtime
+Depends: ${misc:Depends}, libreoffice-calc (>= 1:3.0~), libreoffice-core (>=
1:3.3~), libreoffice-java-common, default-jre-headless | java5-runtime |
java6-runtime
Description: "Solver for Nonlinear Programming" extension for LibreOffice
By default LibreOffice Calc ships with a solver engine for linear
programming only. This allows the optimization of models to a certain degree.
Regards,
Rene
-- System Information:
Debian Release: 8.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.5
Hi,
The fixes referred to by each of these bugs were included in today's 8.5
point release.
Regards,
Adam--- End Message ---
Bug#818908: marked as done (jessie-pu: package dpkg/1.17.27)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #818908, regarding jessie-pu: package dpkg/1.17.27 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 818908: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818908 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi! Here's a proposed dpkg 1.17.27, with cherry picked fixes from master (already in unstable). These include fixes for regressions, memory leaks, portability, interaction with tools such as GNU tar or the system shell, install-info transition, and a sync of the architectures supported (in case some of these end up accepted in the archive). The change for Config-Version should be safe, as at worst it will have no effect, otherwise packages relying on the correct behavior will start to work now, it will also make upgrades easier, for example for systemd, which I'm aware suffered from this problem. The «git log» fix is not yet in master though, but it should also be safe, otherwise the build would simply fail. And I've just realized it's not documented in debian/changelog, it will be in the ChangeLog, but I could add it to debian/changelog too. The changes have passed all unit tests which are part of the build, and all functional test in the dpkg-tests git repo. Attached a diff with translation updates filtered. Thanks, Guillem diff --git a/Makefile.am b/Makefile.am index aa13270..c9f63d3 100644 --- a/Makefile.am +++ b/Makefile.am @@ -172,6 +172,7 @@ dist-hook: exit 1 ; \ fi ; \ done ; \ + XDG_CONFIG_HOME= HOME= \ git log -C --stat 1.15.0.. >$(distdir)/ChangeLog; \ fi diff --git a/check.am b/check.am index 458214d..5e0d3cf 100644 --- a/check.am +++ b/check.am @@ -30,6 +30,7 @@ check-local: $(test_data) $(test_programs) $(test_scripts) $(TEST_ENV_VARS) \ srcdir=$(srcdir) builddir=$(builddir) \ PERL_DL_NONLAZY=1 \ + PERL5LIB=$(abs_top_srcdir)/scripts:$(abs_top_srcdir)/dselect/methods \ PERL5OPT=$(TEST_COVERAGE) \ $(PERL) -MTAP::Harness -e $(TEST_RUNNER) \ $(addprefix $(builddir)/,$(test_programs)) \ diff --git a/cputable b/cputable index b8b2da2..b376aa0 100644 --- a/cputable +++ b/cputable @@ -29,6 +29,7 @@ mips mips mips(eb)? 32 big mipsel mipsel mipsel 32 little mips64 mips64 mips64 64 big mips64el mips64el mips64el 64 little +nios2 nios2 nios2 32 little or1k or1k or1k 32 big powerpc powerpc (powerpc|ppc) 32 big powerpcel powerpcle powerpcle 32 little diff --git a/debian/changelog b/debian/changelog index 8b2a4d0..eca2d78 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,45 @@ +dpkg (1.17.27) jessie; urgency=medium + + [ Guillem Jover ] + * Add more Conflicts for removed packages expecting dpkg to ship +install-info. Namely ada-mode and octave2.1-info. Closes: #783657 +Thanks to Andreas Beckmann . + * Remove trailing space before handling blank line dot-separator in +Dpkg::Control::HashCore. Regression introduced in dpkg 1.17.25. +Reported by Jakub Wilk . Closes: #789580 + * Only use the SHELL environment variable for interactive shells. +Closes: #788819 + * Move tar option --no-recursion before -T in dpkg-deb. With tar > 1.28 the +--no-recursion option is now positional, and needs to be passed before +the -T option, otherwise the tarball will end up with duplicated entries. +Thanks to Richard Purdie . +Closes: #807940 + * Initialize Config-Version also for packages previously in triggers-pending +state, otherwise we end up not passing the previously configured version +to «postinst configure», which might consider this a first install instead +of an upgrade. Closes: #801156 + * Fix memory leak in dpkg infodb format upgrade logic. + * Fix physical file offset comparison in dpkg. Closes: #808912 +Thanks to Yuri Gribov . + * Add kfreebsd-armhf support to ostable and triplettable. Closes: #796283 +Thanks to Steven Chamberlain . + * Add NIOS2 support to cputable. Thanks to Marek Vasut . + * Build system: +- Set PERL5LIB globally for the test suite to the local modules directory, + to avoid using the system modules. Regression introduced in dpkg 1.17.8. + Reported by Jérémy Bobbio . Closes: #801329 +- When sys_siglist is defined in the system, try to use NSIG as we cannot + compute the a
Bug#818549: marked as done (jessie-pu: package icedtea-web/1.5.3-1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #818549, regarding jessie-pu: package icedtea-web/1.5.3-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 818549: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818549 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, I'd like to update icedtea-web in jessie to 1.5.3 in the next jessie point release. This fixes two security issues (CVE-2015-5234, CVE-2015-5235), which are not easily backportable, so I rather made the update to the minor point update which fixes those (similar to what we do with openjdk-7 itself). I've tested this on a jessie with various web applets I could find (fortunately finding these in the wild is becoming increasingly difficult!). The debdiff is here: https://people.debian.org/~jmm/icedtea-web.debdiff (the actual change to the debian/ directory is just the changelog entry bump). Ubuntu has also updated to those point bugfix updates in USNs for a while now. Cheers, Moritz --- End Message --- --- Begin Message --- Version: 8.5 Hi, The fixes referred to by each of these bugs were included in today's 8.5 point release. Regards, Adam--- End Message ---
Bug#819284: marked as done (jessie-pu: package ext4magic/0.3.2-2)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #819284,
regarding jessie-pu: package ext4magic/0.3.2-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
819284: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819284
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi!
The ext4magic has a misinterpretation of the physical block addresses and
block lengths of ext4 inode.
The error is permanent and 100% reproducible (also on i386)
The upstream provides a patch to fix this problem and this problem has
been fixed en unstable/testing.
The changelog is:
ext4magic (0.3.2-2+deb8u1) jessie; urgency=medium
* debian/patches/fix-recover-examine.patch: added as a temporary work
around to fix an issue which makes impossible to recover or examine
Ext4 filesystems. Thanks to Roberto Maar , the
ext4magic upstream. (Closes: #802089)
-- Giovani Augusto Ferreira Fri, 25 Mar 2016 21:19:47
-0300
Thanks a lot in advance.
Regards,
Giovani
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru ext4magic-0.3.2/debian/changelog ext4magic-0.3.2/debian/changelog
--- ext4magic-0.3.2/debian/changelog 2014-10-26 19:52:45.0 -0200
+++ ext4magic-0.3.2/debian/changelog 2016-03-25 21:42:36.0 -0300
@@ -1,3 +1,12 @@
+ext4magic (0.3.2-2+deb8u1) jessie; urgency=medium
+
+ * debian/patches/fix-recover-examine.patch: added as a temporary work
+ around to fix an issue which makes impossible to recover or examine
+ Ext4 filesystems. Thanks to Roberto Maar , the
+ ext4magic upstream. (Closes: #802089)
+
+ -- Giovani Augusto Ferreira Fri, 25 Mar 2016 21:19:47 -0300
+
ext4magic (0.3.2-2) unstable; urgency=medium
* Bumped Standards-Version to 3.9.6.
diff -Nru ext4magic-0.3.2/debian/patches/fix-recover-examine ext4magic-0.3.2/debian/patches/fix-recover-examine
--- ext4magic-0.3.2/debian/patches/fix-recover-examine 1969-12-31 21:00:00.0 -0300
+++ ext4magic-0.3.2/debian/patches/fix-recover-examine 2016-03-25 21:39:17.0 -0300
@@ -0,0 +1,56 @@
+Description: temporary work around to fix an issue which makes impossible to
+ recover or examine Ext4 filesystems. (see #802089)
+Author: Roberto Maar
+Last-Update: 2015-10-18
+Index: ext4magic-0.3.2/src/block.c
+===
+--- ext4magic-0.3.2.orig/src/block.c
ext4magic-0.3.2/src/block.c
+@@ -130,7 +130,8 @@ int read_block64 ( ext2_filsys fs, blk64
+
+
+
+-
++//FIXME : Debian Bug #802089 (temporary work around)
++/*
+ errcode_t local_ext2fs_extent_open(ext2_filsys fs, struct ext2_inode inode,
+ ext2_extent_handle_t *ret_handle) {
+
+@@ -189,7 +190,7 @@ errcode_t local_ext2fs_extent_open(ext2_
+
+ return 0;
+ }
+-
++*/
+
+ static int mark_extent_block(ext2_filsys fs, char *extent_block ){
+ struct ext3_extent_header *eh;
+@@ -613,7 +614,10 @@ errcode_t local_block_iterate3(ext2_fils
+ int uninit;
+ unsigned int j;
+
+- ctx.errcode = local_ext2fs_extent_open(fs, inode, &handle);
++//FIXME : Debian Bug #802089 (temporary work around)
++// ctx.errcode = local_ext2fs_extent_open(fs, inode, &handle);
++ ctx.errcode = ext2fs_extent_open2(fs,0,&inode,&handle);
++//
+ if (ctx.errcode)
+ goto abort_exit;
+
+Index: ext4magic-0.3.2/src/inode.c
+===
+--- ext4magic-0.3.2.orig/src/inode.c
ext4magic-0.3.2/src/inode.c
+@@ -112,8 +112,10 @@ static void local_dump_extents(FILE *f,
+ unsigned intprinted = 0;
+ errcode_t errcode;
+
+-
+-errcode = local_ext2fs_extent_open(current_fs, *inode, &handle);
++//FIXME : Debian Bug #802089 (temporary work around)
++// errcode = local_ext2fs_extent_open(current_fs, *inode, &handle);
++errcode = ext2fs_extent_open2(current_fs,0,inode,&handle);
++//
+ if (errcode)
+ return;
+
diff -Nru ext4magic-0.3.2/debian/patches/series ext4magic-0.3.2/debian/patches/series
--- ext
Bug#802331: marked as done (jessie-pu: package cyrus-imapd-2.4/2.4.17+nocaldav-0~deb8u1)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #802331,
regarding jessie-pu: package cyrus-imapd-2.4/2.4.17+nocaldav-0~deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
802331: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802331
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi release team,
there's a RC bug in 2.4.17+caldav~beta10 upstream package that
prevents the replication from working (#799724). Unfortunately the
bug is caused by caldav module and the code is quite complex and
upstream author doesn't have a time to debug the issue, so we might be
forced to drop the *experimental* caldav support (and drop the
cyrus-caldav package along the way).
I would also recommend disabling SSLv3 and TLS compression in the same
update as it's really unsafe to use them nowadays.
Rough proposed patch generated from git is attached.
Also there seems to be a security issue fixed in 2.4.18, so I might be
updating the cyrus-imapd-2.4 package via security, so I might bundle
this update together, but it will need the release team ack.
Cheers,
Ondrej
- -- System Information:
Debian Release: 8.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.19.0-18-generic (SMP w/24 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
iQJ8BAEBCgBmBQJWJQh0XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQzMEI5MzNEODBGQ0UzRDk4MUEyRDM4RkIw
Qzk5QjcwRUY0RkNCQjA3AAoJEAyZtw70/LsHlKUQALm+MWMEe9KC+D3HvBRcupSJ
xp8JL0brZNrB5C/1PK/IA1F9DEXP2zsdd9NbawdoggTcXeojhcZA9w6HG0LbwB5S
14H8m5qJfPdTdnvN8olYBu9plLyKSwPsD/8KgDL+tVkVJUE9RKBHtlMWeQuphWOG
83EQHLtRh9WbgwCRCoYSyoZygm/hbfl1tVH3u77s3LrtnBYtXqoWHlxTEpaP3zNZ
cmKIrDIJRiTxVzr3CB6/6Y84zMFc7RWy1GsAvQlmnKa/png+OhNfEJLohOqUedBS
FdV0yyvgvgsOLLu2vMQFabMtTpEba+yhWIgskxb/Mkp1Sld/RNlwzvIbS0h6HnBm
a/pzkxMmqX+nFCvIZ4r3P16wKzvrhuWrWDd9e3wiBuB1LUp/WjRFb5YOa56LDAB9
Bwek+KQEOndt1i4BiYNUYxzQYBA6XwhdM+RFSApGA+Z3igL7YuHqZHGKRLOfxz6j
7mMuEfRv6snT2MzendRkeYN58JNIXiKRaDTn5Arzuh5nm/b+jBaw+ochOgWBhfbZ
Q3BmzWhv3fpdzWyOjtRfoZ1LuQ9El2ZrWX4RBipuFAz5F5g2qbpCf6pyE6oZYS4P
tQt6sw0gN/76Z+4ZXWzS/Mu5QiidWXbxUfvjrHmYITgYpuNGLG5PZO3aJnGe6isv
r+YXMBaqBVkIkzZb9ohS
=ub5P
-END PGP SIGNATURE-
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 000..665ee47
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,9 @@
+cyrus-imapd-2.4 (2.4.17+nocaldav-1) unstable; urgency=medium
+
+ * The experimental CalDAV support has been disabled due to the
+regressions it caused in replication code.
+ * The SSLv2, SSLv3 and TLS Compression has been disabled as their
+usage is unsecure and makes the cyrus-imapd vulnerable to known
+attacks.
+
+ -- Ondřej Surý Mon, 19 Oct 2015 17:08:00 +0200
diff --git a/debian/changelog b/debian/changelog
index 0b01412..5519f9e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+cyrus-imapd-2.4 (2.4.17+nocaldav-1) unstable; urgency=medium
+
+ * Update the gbp.conf
+ * Imported Upstream version 2.4.17+nocaldav
+ * Remove the experimental caldav support (Closes: #799724)
+ * Always disable SSLv3 and TLS compression
+
+ -- Ondřej Surý Mon, 19 Oct 2015 15:49:48 +0200
+
cyrus-imapd-2.4 (2.4.17+caldav~beta10-18) unstable; urgency=medium
* Fix PIDFile location in sysvinit script (Closes: #778781)
diff --git a/debian/control b/debian/control
index 64816a5..57019bc 100644
--- a/debian/control
+++ b/debian/control
@@ -55,10 +55,9 @@ Depends: adduser,
${misc:Depends},
${perl:Depends},
${shlibs:Depends}
-Recommends: cyrus-imapd | cyrus-pop3d | cyrus-murder | cyrus-nntpd | cyrus-admin | cyrus-caldav
+Recommends: cyrus-imapd | cyrus-pop3d | cyrus-murder | cyrus-nntpd | cyrus-admin
Suggests: apt-listchanges (>= 2.35),
cyrus-admin,
- cyrus-caldav,
cyrus-clients,
cyrus-doc,
cyrus-imapd,
@@ -77,7 +76,6 @@ Description: Cyrus mail system - common files
including support for:
- running the daemon without root privileges;
- POP3 and NNTP in addition to plain IMAP;
- - CalDAV and CardDAV;
- secur
Bug#793984: marked as done (jessie-pu: package groovy/1.8.6-4)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #793984,
regarding jessie-pu: package groovy/1.8.6-4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
793984: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793984
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi,
It was reported a vulnerability on groovy that allow to execute
arbitrary code remotely. For more information you can take a look at:
https://bugs.debian.org/793397.
I already uploaded a fix to unstable but given the low popcon of
groovy I don't think it warrant a DSA so I'm proposing to fix this in
stable with the next point release.
I'm attaching a debdiff with the proposed changes.
Thanks,
-- System Information:
Debian Release: 8.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set
to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
"Faith means not wanting to know what is true." -- Nietzsche
diff -Nru groovy-1.8.6/debian/changelog groovy-1.8.6/debian/changelog
--- groovy-1.8.6/debian/changelog 2014-05-18 16:33:10.0 -0300
+++ groovy-1.8.6/debian/changelog 2015-07-25 18:30:00.0 -0300
@@ -1,3 +1,10 @@
+groovy (1.8.6-4+deb8u1) stable; urgency=high
+
+ * Fix remote execution of untrusted code and possible DoS vulnerability.
+(CVE-2015-3253) (Closes: #793397).
+
+ -- Miguel Landaeta Sat, 25 Jul 2015 18:27:24 -0300
+
groovy (1.8.6-4) unstable; urgency=medium
* Implement alternatives usage to allow co-installation with groovy 2.x.
diff -Nru groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch
groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch
--- groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch1969-12-31
21:00:00.0 -0300
+++ groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch2015-07-25
18:26:18.0 -0300
@@ -0,0 +1,32 @@
+Description: Fix remote execution of untrusted code when deserializing
(CVE-2015-3253)
+Author: Cédric Champeau
+Bug-Debian: https://bugs.debian.org/793397
+Origin: upstream,
https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
+Forwarded: no
+Last-Update: 2015-07-25
+
+--- groovy-1.8.6.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java
groovy-1.8.6/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -30,6 +30,8 @@ import java.util.List;
+ */
+ public class MethodClosure extends Closure {
+
++public static boolean ALLOW_RESOLVE = false;
++
+ private String method;
+
+ public MethodClosure(Object owner, String method) {
+@@ -52,6 +54,13 @@ public class MethodClosure extends Closu
+ }
+ }
+
++private Object readResolve() {
++if (ALLOW_RESOLVE) {
++return this;
++}
++throw new UnsupportedOperationException();
++}
++
+ public String getMethod() {
+ return method;
+ }
diff -Nru groovy-1.8.6/debian/patches/series groovy-1.8.6/debian/patches/series
--- groovy-1.8.6/debian/patches/series 2014-05-07 20:29:08.0 -0300
+++ groovy-1.8.6/debian/patches/series 2015-07-25 18:26:18.0 -0300
@@ -2,3 +2,4 @@
0002-ant-build.diff.patch
0003-disable-bnd.diff.patch
0004-java8-compatibility.patch
+0005-CVE-2015-3253.patch
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Version: 8.5
Hi,
The fixes referred to by each of these bugs were included in today's 8.5
point release.
Regards,
Adam--- End Message ---
Bug#796823: marked as done (jessie-pu: package gosa/2.7.4+reloaded2-1+deb8u2)
Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #796823, regarding jessie-pu: package gosa/2.7.4+reloaded2-1+deb8u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 796823: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796823 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Please consider accepting the following changes for packages GOsa² in jessie-proposed-updates. + * debian/patches: After deployment of two Debian Edu sites based on Debian jessie, several experiences have been made with GOsa² in Debian jessie that require some post-release fixups: ++ Add 1009_fix-insertDhcp-icon-in-dhcp-section-overview.patch. Fix + label stripping in GOsa²'s image() function. This fixes displaying the + insertDhcp* icon in the DHCP service plugin. (Closes: #794117). It is not possible to insert DHCP subsections due to a bug in the image() function of gosa-core. Patch 1009 resolves this. ++ Add 2009_allow-Debian-blends-to-override-gosa-conf.patch. Allow + Debian blends to provide their own version of gosa.conf and not get + bugged by GOsa's notification message on gosa.conf template changes. + Debian blends using GOsa (e.g., Edu, LAN) must handle gosa.conf + updates themselves. (Closes: #794118). For Debian Edu (and Debian LAN), a special configVersion key value is needed to suppress warning messages about changes of the gosa.conf template (this happens whenever the gosa.conf template is updated in gosa src:package). Such a change just occurred in a previous gosa upload to jessie-pu (2.7.4+reloaded2-1+deb8u2) and GOsa² in Debian Edu / Debian LAN should not be affected by such changes. In debian-edu-config, the Debian Edu team wants to make use of this special configVersion key value for Debian Edu jessie. ++ Add 0004_fix-get-post.patch. Fix transferral of POST variables. Nasty bug, fix cherry-picked from upstream. ++ Add 1010_fix-entry-removal-in-mail-plugin.patch. Fix entry deletion + of items in "alternatives addresses" and "forward messages to + non-group members" for group mail objects. (LP:#1307483). A fix for gosa-plugin-mail provided via Launchpad which should also qualify for a jessie-pu. ++ Add 0005_fix-password-expiry-status.patch. Fix expiration status + for passwords if shadowMax is used in POSIX/shadow accounts. Cherry-picked from upstream. Relevant for correct display of account expiration in Debian Edu. ++ Add 1011_define-isPluginModified.patch. Fix undefined property + error for non-defined usertags::$isPluginModified. (Closes: #794690). Fixes a PHP error bugging admins in /var/log/syslog on nearly every click within the GOsa² WebUI. ++ Add 1012_allow-one-level-domains-in-email-addresses.patch. Allow + one-level domains in email addresses (such as @intern, as used + in Debian Edu by default). (Closes: #794738). A fix required for Debian Edu. GOsa²'s is_email function expects mail address of style u...@domain.tld. Debian Edu, though, uses mail addresses of the form user@intern. Such addresses cannot be configured in Debian jessie's GOsa² (but they should). My general impression of GOsa² 2.7.4 is that it is rather buggy. The upstream SVN repository contains +200 commits on top of 2.7.4, most of them maintenance fixes (no new features). As GOsa² 2.7.4 is the core tool in Debian Edu, please understand that there may be more jessie-pu requests coming in the future. (I don't upload to patch-in all those +200 commits, but it may become necessary to backport some of them). Thanks. light+love Mike -- System Information: Debian Release: 8.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru gosa-2.7.4+reloaded2/debian/changelog gosa-2.7.4+reloaded2/debian/changelog --- gosa-2.7.4+reloaded2/debian/changelog 2015-07-25 22:09:03.0 +0200 +++ gosa-2.7.4+reloaded2/debian/changelog 2015-08-24 21:24:28.0 +0200 @@ -1,3 +1,28 @@ +gosa (2.7.4+reloaded2-1+deb8u2) jessie-proposed-updates;
Bug#822853: marked as done (wheezy-pu: package libdatetime-timezone-perl/1:1.58-1+2016d)
Your message dated Sat, 04 Jun 2016 14:54:37 +0100
with message-id <1465048477.7545.10.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixed included in 7.11
has caused the Debian Bug report #822853,
regarding wheezy-pu: package libdatetime-timezone-perl/1:1.58-1+2016d
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
822853: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822853
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
I've prepared an update for libdatetime-timezone-perl for
wheezy(-updates) to incorporate the olson db 2016d release as a quilt
patch.
Manually stripped down debdiff attached.
Cheers,
gregor
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
iQJ8BAEBCgBmBQJXIe/OXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXREMUUxMzE2RTkzQTc2MEE4MTA0RDg1RkFC
QjNBNjgwMTg2NDlBQTA2AAoJELs6aAGGSaoGo6MQAJRq+lYpfTqC7qiLV6k/MCDu
tNELIh3RDjOCLs7pxm+MzCix7+vUNTCkOmHzOXtzT/Qvnqihr492RhzwcK3HLHSZ
Tfw9n0oFhtGJhLKXp8MIBgEJ4T9I+RfmMc94+4Uh9Cq3FPVumpe6LIOAHRrO6Ayt
y7Bl1lhQAVYee6wGDPLPyw/iMnYrxBUYgVvz4+RIvDbgigOvbwKBmkwq8bNccSxE
i5XpdMxP1ObPbpDRrsvrzzXpttYo5JvAQHCFPIpp/q1zYC2gRruam5uEtS/vDDIx
ZfpGuroLd59Ixm7R4syKZvchq3AWGZrhgpI5KSu4bUKG97rsq4DsfOlp0B4QmGBB
BpkQ5Eru4Qh+XKHxw/Q66XP5MA9q0pjNelP45u8bXb1UN0oOjMGkObz2eJdvBaQR
145RHGTQoHoN7CJF2UmCIP/TDeyq3uikujF8dlVh4bWd3tH7TLYhzqDyE/RpTSOj
W98Ipgsw3OPcTRnArtWM/hL/4g9iMLW4QZqMNrTV1Fyhzt7smGJBdiYiMTULWbgG
rHlThHzpKQXDdvFpDpmJDIYuyqsZtIBO85kgbYp8mePwt5TYPtRJ5UaRUnnnXOAv
a5zrCc0rRLLiwEvlwVuKZM9N8lyPgYrCW2Z5IFajTWURlFUnt5zM3vp5s1mnGLno
wSHz/MpM98QEAgbiGzXS
=UvH+
-END PGP SIGNATURE-
diff -Nru libdatetime-timezone-perl-1.58/debian/changelog libdatetime-timezone-perl-1.58/debian/changelog
--- libdatetime-timezone-perl-1.58/debian/changelog 2016-03-24 20:57:10.0 +0100
+++ libdatetime-timezone-perl-1.58/debian/changelog 2016-04-28 13:05:03.0 +0200
@@ -1,3 +1,9 @@
+libdatetime-timezone-perl (1:1.58-1+2016d) UNRELEASED; urgency=medium
+
+ * Update to Olson database version 2016d.
+
+ -- gregor herrmann Thu, 28 Apr 2016 12:57:08 +0200
+
libdatetime-timezone-perl (1:1.58-1+2016c) wheezy; urgency=medium
* Update to Olson database version 2016c.
diff -Nru libdatetime-timezone-perl-1.58/debian/patches/olson-2016d libdatetime-timezone-perl-1.58/debian/patches/olson-2016d
--- libdatetime-timezone-perl-1.58/debian/patches/olson-2016d 1970-01-01 01:00:00.0 +0100
+++ libdatetime-timezone-perl-1.58/debian/patches/olson-2016d 2016-04-28 13:05:03.0 +0200
@@ -0,0 +1,14496 @@
+Description: Update to Olson database version 2016d.
+Origin: vendor
+Author: gregor herrmann
+Last-Update: 2016-04-28
+
+--- a/lib/DateTime/TimeZone/Africa/Abidjan.pm
b/lib/DateTime/TimeZone/Africa/Abidjan.pm
+@@ -3,7 +3,7 @@
+ # DateTime::TimeZone module distribution in the tools/ directory
+
+ #
+-# Generated from debian/tzdata/africa. Olson data version 2016c
++# Generated from debian/tzdata/africa. Olson data version 2016d
+ #
+ # Do not edit this file directly.
+ #
+@@ -42,7 +42,7 @@
+ ],
+ ];
+
+-sub olson_version { '2016c' }
++sub olson_version { '2016d' }
+
+ sub has_dst_changes { 0 }
+
+--- a/lib/DateTime/TimeZone/Catalog.pm
b/lib/DateTime/TimeZone/Catalog.pm
+@@ -239,6 +239,7 @@
+ Asia/Tehran
+ Asia/Thimphu
+ Asia/Tokyo
++ Asia/Tomsk
+ Asia/Ulaanbaatar
+ Asia/Urumqi
+ Asia/Ust-Nera
+@@ -289,6 +290,7 @@
+ Europe/Istanbul
+ Europe/Kaliningrad
+ Europe/Kiev
++ Europe/Kirov
+ Europe/Lisbon
+ Europe/London
+ Europe/Luxembourg
+@@ -614,6 +616,7 @@
+ Tehran
+ Thimphu
+ Tokyo
++Tomsk
+ Ulaanbaatar
+ Urumqi
+ Ust-Nera
+@@ -665,6 +668,7 @@
+ Istanbul
+ Kaliningrad
+ Kiev
++Kirov
+ Lisbon
+ London
+ Luxembourg
+@@ -1431,6 +1435,7 @@
+ Europe/Moscow
+ Europe/Simferopol
+ Europe/Volgograd
++Europe/Kirov
+ Europe/Astrakhan
+ Europe/Samara
+ Europe/Ulyanovsk
+@@ -1438,6 +1443,7 @@
+ Asia/Omsk
+ Asia/Novosibirsk
+ Asia/Barnaul
++Asia/Tomsk
+ Asia/Novokuznetsk
+ Asia/Krasnoyarsk
+ Asia/Irkutsk
+@@ -1879,7 +1885,7 @@
+
+ ;
+
+-sub OlsonVersion { '2016c' }
++sub OlsonVersion { '2016d' }
+
+
+ 1;
+@@ -2140,6 +2146,7 @@
+ Asia/Omsk
+ Asia/Sakhalin
+ Asia/Srednekolymsk
++ Asia/Tomsk
+ Asia/Ust-Nera
+ Asia/Vladivostok
+ Asia/Yakutsk
+@@ -2191,6 +2198,7 @@
+ Europe/Istanbul
+ Europe/Kalin
Bug#822465: marked as done (wheezy-pu: package highlight/3.9-1)
Your message dated Sat, 04 Jun 2016 14:54:37 +0100
with message-id <1465048477.7545.10.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixed included in 7.11
has caused the Debian Bug report #822465,
regarding wheezy-pu: package highlight/3.9-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
822465: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822465
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
André (upstream) asked for this bug to be fixed in oldstable, based on
a discussion with a user. Since he also provided the one line patch,
this seems OK to me.
Debdiff attached, unless reportbug outwits me.
- -- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.4.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
iQGcBAEBCAAGBQJXHSEAAAoJEPIClx2kp54sJpcL/2tyWVxKFBOr9uojMNa1f6EK
+sbyvgbxuWZX60QhbOmEleX78sQc+M8kp21+jNmlBz+2zCCDd9m+k9gUSLjH2eYo
AfHy8Ug2p4wNkxUyCFfGiv89ujz37xdhSGAw4f7h746F7DUtal0K0h00B4RiFWkH
fltPV4ZzSZ0vmL3/KhGOLfa7WOGiwSRILDY2tExhU+rqWUci8lPfODdf6273xYiJ
4j0k74N2iaLrDSLbtfdUBprP7+iYn9FKBBU1g1+SHIn9VVucgGH/qXb5H5Q5HCmi
pKWrPmlsQ1h6HM2g0jTjVa5TtbT5whwpCNfTuSKnoi+ibzZycLmn5cdOC0dg/9vV
H8ZasJ+FoH2Cjh3mmgj199Mp4zpOslhZbcxw0h0RG90dHpN8LmuPWm9I+kqNgy10
HRfU7cBiNiZ9xLx7CPBe10Q80WTAAe6AQZuaJmmrkfI/AbzfOQHtvd/gsRdAX5MH
kkdMurYzrs/+RHQx5FyW3Hq7CMiObSu0Sqb+hKetQg==
=ossO
-END PGP SIGNATURE-
diff -Nru highlight-3.9/debian/changelog highlight-3.9/debian/changelog
--- highlight-3.9/debian/changelog 2012-05-23 13:32:13.0 -0300
+++ highlight-3.9/debian/changelog 2016-04-24 16:29:43.0 -0300
@@ -1,3 +1,10 @@
+highlight (3.9-1+deb7u1) oldstable; urgency=medium
+
+ * Backport fix for segfault with undefined syntax and --force
+(Closes: #698718)
+
+ -- David Bremner Sun, 24 Apr 2016 15:30:00 -0300
+
highlight (3.9-1) unstable; urgency=low
* New upstream release.
diff -Nru highlight-3.9/debian/patches/0001-3.13-fixed-segfault-with-undefined-syntax-and-applie.patch highlight-3.9/debian/patches/0001-3.13-fixed-segfault-with-undefined-syntax-and-applie.patch
--- highlight-3.9/debian/patches/0001-3.13-fixed-segfault-with-undefined-syntax-and-applie.patch 1969-12-31 20:00:00.0 -0400
+++ highlight-3.9/debian/patches/0001-3.13-fixed-segfault-with-undefined-syntax-and-applie.patch 2016-04-24 16:30:11.0 -0300
@@ -0,0 +1,22 @@
+From 8431b43d76ee8109295cc516dc934e84372f6f21 Mon Sep 17 00:00:00 2001
+From: saalen
+Date: Tue, 22 Jan 2013 19:20:10 +
+Subject: [PATCH] 3.13 fixed segfault with undefined syntax and applied --force
+
+git-svn-id: svn://svn.code.sf.net/p/syntaxhighlight/code@83 b214f192-c5d8-4e29-a392-b12ed3af51bf
+---
+ src/cli/main.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cli/main.cpp b/src/cli/main.cpp
+index 93addd1..c88 100644
+--- a/src/cli/main.cpp
b/src/cli/main.cpp
+@@ -581,6 +581,7 @@ int HLCmdLineApp::run ( const int argc, const char*argv[] )
+ {
+ suffix = guessFileType ( getFileSuffix ( inFileList[i] ), inFileList[i] );
+ }
++if ( suffix.empty() && options.forceOutput()) suffix="txt"; //avoid segfault
+ if ( suffix.empty() )
+ {
+ if ( !options.enableBatchMode() )
diff -Nru highlight-3.9/debian/patches/series highlight-3.9/debian/patches/series
--- highlight-3.9/debian/patches/series 1969-12-31 20:00:00.0 -0400
+++ highlight-3.9/debian/patches/series 2016-04-24 16:30:11.0 -0300
@@ -0,0 +1,2 @@
+# exported from git by git-debcherry
+0001-3.13-fixed-segfault-with-undefined-syntax-and-applie.patch
--- End Message ---
--- Begin Message ---
Version: 7.11
Hi,
The fixes referred to in each of these bugs were included in today's
7.11 point release.
Regards,
Adam--- End Message ---
Bug#821834: marked as done (wheezy-pu: package libcrypto++/5.6.1-6+deb7u2)
Your message dated Sat, 04 Jun 2016 14:54:37 +0100 with message-id <1465048477.7545.10.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixed included in 7.11 has caused the Debian Bug report #821834, regarding wheezy-pu: package libcrypto++/5.6.1-6+deb7u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 821834: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821834 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: wheezy User: release.debian@packages.debian.org Usertags: pu Hi Release Team, There's a vulnerability in Crypto++, the C++ class library of cryptographic schemes. It's CVE-2016-3995, bogus protection from timing attacks in AES (Rijndael) cipher. GCC could optimize the protection out. The patch (already in Sid + Stretch) prevents this. It's minor for a security update, but can be enough for a normal package update. Thanks for consideration, Laszlo/GCS diff -Nru libcrypto++-5.6.1/debian/changelog libcrypto++-5.6.1/debian/changelog --- libcrypto++-5.6.1/debian/changelog 2015-06-28 13:58:22.0 + +++ libcrypto++-5.6.1/debian/changelog 2016-04-11 16:16:30.0 + @@ -1,3 +1,9 @@ +libcrypto++ (5.6.1-6+deb7u2) wheezy; urgency=medium + + * Fix CVE-2016-3995, Rijndael timing attack counter measure. + + -- Laszlo Boszormenyi (GCS) Mon, 11 Apr 2016 16:13:54 + + libcrypto++ (5.6.1-6+deb7u1) wheezy-security; urgency=high * Fix CVE-2015-2141, misuse of blinding technique that is aimed at diff -Nru libcrypto++-5.6.1/debian/patches/CVE-2016-3995.patch libcrypto++-5.6.1/debian/patches/CVE-2016-3995.patch --- libcrypto++-5.6.1/debian/patches/CVE-2016-3995.patch 1970-01-01 00:00:00.0 + +++ libcrypto++-5.6.1/debian/patches/CVE-2016-3995.patch 2016-04-16 11:38:13.0 + @@ -0,0 +1,52 @@ +From 9f335d719ebc27f58251559240de0077ec42c583 Mon Sep 17 00:00:00 2001 +From: Pierre Lestringant +Date: Wed, 6 Apr 2016 15:51:17 +0200 +Subject: [PATCH] Fix the Rijndael timing attack counter measure + +--- + rijndael.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/rijndael.cpp b/rijndael.cpp +index f394960..92f9dea 100644 +--- a/rijndael.cpp b/rijndael.cpp +@@ -372,10 +372,12 @@ void Rijndael::Enc::ProcessAndXorBlock(c + t3 = rk[7]; + rk += 8; + +- // timing attack countermeasure. see comments at top for more details ++ // timing attack countermeasure. see comments at top for more details. ++ // also see http://github.com/weidai11/cryptopp/issues/146 + const int cacheLineSize = GetCacheLineSize(); + unsigned int i; +- word32 u = 0; ++ volatile word32 _u = 0; ++ word32 u = _u; + #ifdef CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS + for (i=0; i<2048; i+=cacheLineSize) + #else +@@ -448,10 +450,12 @@ void Rijndael::Dec::ProcessAndXorBlock(c + t3 = rk[7]; + rk += 8; + +- // timing attack countermeasure. see comments at top for more details ++ // timing attack countermeasure. see comments at top for more details. ++ // also see http://github.com/weidai11/cryptopp/issues/146 + const int cacheLineSize = GetCacheLineSize(); + unsigned int i; +- word32 u = 0; ++ volatile word32 _u = 0; ++ word32 u = _u; + #ifdef CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS + for (i=0; i<2048; i+=cacheLineSize) + #else +@@ -491,7 +495,7 @@ void Rijndael::Dec::ProcessAndXorBlock(c + // timing attack countermeasure. see comments at top for more details + // If CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS is defined, + // QUARTER_ROUND_LD will use Td, which is already preloaded. +- u = 0; ++ u = _u; + for (i=0; i<256; i+=cacheLineSize) + u &= *(const word32 *)(Sd+i); + u &= *(const word32 *)(Sd+252); diff -Nru libcrypto++-5.6.1/debian/patches/series libcrypto++-5.6.1/debian/patches/series --- libcrypto++-5.6.1/debian/patches/series 2015-06-28 13:58:08.0 + +++ libcrypto++-5.6.1/debian/patches/series 2016-04-11 16:25:12.0 + @@ -7,3 +7,4 @@ salsa.patch gcc-4.7-ftbfs.diff CVE-2015-2141.patch +CVE-2016-3995.patch --- End Message --- --- Begin Message --- Version: 7.11 Hi, The fixes referred to in each of these bugs were included in today's 7.11 point release. Regards, Adam--- End Message ---
Bug#821757: marked as done (wheezy-pu: package xapian-core/1.2.12-2)
Your message dated Sat, 04 Jun 2016 14:54:37 +0100
with message-id <1465048477.7545.10.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixed included in 7.11
has caused the Debian Bug report #821757,
regarding wheezy-pu: package xapian-core/1.2.12-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
821757: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821757
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu
I'd like to update xapian-core in wheezy to fix a bug which can cause
database corruption. This is triggered by certain usage patterns, and
the recoll package is known to be affected:
https://bugs.debian.org/808610
I've attached a debdiff for the proposed upload. The patch added is
from the upstream git repo - it's been on git master since 2015-04-28,
and in upstream stable releases since 2015-05-20.
There's already a pending request to address this in jessie:
https://bugs.debian.org/820059
The patch for wheezy is exactly the same as that for jessie, except with
a "quilt refresh" to adjust the line numbers of some of the hunks.
Cheers,
Olly
diff -Nru xapian-core-1.2.12/debian/changelog
xapian-core-1.2.12/debian/changelog
--- xapian-core-1.2.12/debian/changelog 2012-12-11 17:22:23.0 +1300
+++ xapian-core-1.2.12/debian/changelog 2016-04-19 13:14:15.0 +1200
@@ -1,3 +1,10 @@
+xapian-core (1.2.12-2+deb7u1) oldstable; urgency=medium
+
+ * New patch increment-cursor-version-on-cancel-or-reopen.patch fixing
+possible database corruption, especially with recoll. (Closes: #808610)
+
+ -- Olly Betts Tue, 19 Apr 2016 13:13:31 +1200
+
xapian-core (1.2.12-2) unstable; urgency=low
* New patch fix-db-write-lock.patch which fixes database write locking to
diff -Nru
xapian-core-1.2.12/debian/patches/increment-cursor-version-on-cancel-or-reopen.patch
xapian-core-1.2.12/debian/patches/increment-cursor-version-on-cancel-or-reopen.patch
---
xapian-core-1.2.12/debian/patches/increment-cursor-version-on-cancel-or-reopen.patch
1970-01-01 12:00:00.0 +1200
+++
xapian-core-1.2.12/debian/patches/increment-cursor-version-on-cancel-or-reopen.patch
2016-04-19 13:13:25.0 +1200
@@ -0,0 +1,197 @@
+Description: Increment cursor version of cancel or reopen
+ Potentially increment the cursor version on cancel() or when the database is
+ reopened, and flag the current cursor version as used when a cursor is
+ rebuilt.
+ .
+ Fixes database corruption issues with certain usage patterns, which recoll
+ can trigger.
+Author: Olly Betts
+Origin: upstream,
https://trac.xapian.org/changeset/826d1a19cc356e7bf66c1681626e70af32967447/git
and
https://trac.xapian.org/changeset/d784290ce015958474f965817f7a41f1483c3e03/git
+Bug: https://trac.xapian.org/ticket/675
+Bug-Debian: https://bugs.debian.org/808610
+Forwarded: https://trac.xapian.org/ticket/675
+Last-Update: 2016-04-19
+
+--- a/backends/brass/brass_cursor.cc
b/backends/brass/brass_cursor.cc
+@@ -1,7 +1,7 @@
+ /* brass_cursor.cc: Btree cursor implementation
+ *
+ * Copyright 1999,2000,2001 BrightStation PLC
+- * Copyright 2002,2003,2004,2005,2006,2007,2008,2009,2010,2012 Olly Betts
++ * Copyright 2002,2003,2004,2005,2006,2007,2008,2009,2010,2012,2015 Olly Betts
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+@@ -99,6 +99,7 @@
+ C[level].n = B->C[level].n;
+ C[level].p = B->C[level].p;
+ version = B->cursor_version;
++B->cursor_created_since_last_modification = true;
+ }
+
+ BrassCursor::~BrassCursor()
+--- a/backends/brass/brass_table.cc
b/backends/brass/brass_table.cc
+@@ -1435,6 +1435,11 @@
+
+ base_letter = ch;
+
++if (cursor_created_since_last_modification) {
++ cursor_created_since_last_modification = false;
++ ++cursor_version;
++}
++
+ /* ready to open the main file */
+
+ RETURN(true);
+@@ -1975,6 +1980,11 @@
+ changed_n = 0;
+ changed_c = DIR_START;
+ seq_count = SEQ_START_POINT;
++
++if (cursor_created_since_last_modification) {
++ cursor_created_since_last_modification = false;
++ ++cursor_version;
++}
+ }
+
+ / B-tree reading /
+--- a/backends/chert/chert_cursor.cc
b/backends/chert/chert_cursor.cc
+@@ -1,7 +1,7 @@
+ /* chert_cursor.cc: Btree cursor implementation
+ *
+ * Copyright 1999,2000,2001 BrightStation PLC
+- * Copyright 2002,2003,2004,2
Bug#819805: marked as done (wheezy-pu: package postgresql-9.1/9.1.21-0+deb7u1)
Your message dated Sat, 04 Jun 2016 14:54:37 +0100 with message-id <1465048477.7545.10.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixed included in 7.11 has caused the Debian Bug report #819805, regarding wheezy-pu: package postgresql-9.1/9.1.21-0+deb7u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 819805: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819805 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: wheezy User: release.debian@packages.debian.org Usertags: pu Hi, I've just uploaded postgresql-9.1/9.1.21-0+deb7u1 for inclusion in Wheezy. As in 9.4, there are no security fixes or major bugfixes, but given that any future release including any of these would include the 9.1.21 fixes, I'd think uploading now makes sense. postgresql-9.1 (9.1.21-0+deb7u1) wheezy; urgency=medium * New upstream bugfix release. -- Christoph Berg Sat, 02 Apr 2016 14:02:53 +0200 Thanks, Christoph signature.asc Description: PGP signature --- End Message --- --- Begin Message --- Version: 7.11 Hi, The fixes referred to in each of these bugs were included in today's 7.11 point release. Regards, Adam--- End Message ---
Bug#793986: marked as done (wheezy-pu: package groovy/1.8.6-1)
Your message dated Sat, 04 Jun 2016 14:54:37 +0100
with message-id <1465048477.7545.10.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixed included in 7.11
has caused the Debian Bug report #793986,
regarding wheezy-pu: package groovy/1.8.6-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
793986: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793986
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu
Hi,
It was reported a vulnerability on groovy that allow to execute
arbitrary code remotely. For more information you can take a look at:
https://bugs.debian.org/793397.
I don't think it warrant a DSA so I'm proposing to fix this in
stable with the next point release.
I'm attaching a debdiff with the proposed changes.
Thanks,
-- System Information:
Debian Release: 8.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set
to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
"Faith means not wanting to know what is true." -- Nietzsche
diff -Nru groovy-1.8.6/debian/changelog groovy-1.8.6/debian/changelog
--- groovy-1.8.6/debian/changelog 2012-02-14 22:23:05.0 -0300
+++ groovy-1.8.6/debian/changelog 2015-07-25 19:59:33.0 -0300
@@ -1,3 +1,10 @@
+groovy (1.8.6-1+deb7u1) oldstable; urgency=high
+
+ * Fix remote execution of untrusted code and possible DoS vulnerability.
+(CVE-2015-3253) (Closes: #793397).
+
+ -- Miguel Landaeta Sat, 25 Jul 2015 19:59:19 -0300
+
groovy (1.8.6-1) unstable; urgency=low
* New upstream release.
diff -Nru groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch
groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch
--- groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch1969-12-31
21:00:00.0 -0300
+++ groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch2015-07-25
19:57:30.0 -0300
@@ -0,0 +1,32 @@
+Description: Fix remote execution of untrusted code when deserializing
(CVE-2015-3253)
+Author: Cédric Champeau
+Bug-Debian: https://bugs.debian.org/793397
+Origin: upstream,
https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
+Forwarded: no
+Last-Update: 2015-07-25
+
+--- groovy-1.8.6.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java
groovy-1.8.6/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -30,6 +30,8 @@ import java.util.List;
+ */
+ public class MethodClosure extends Closure {
+
++public static boolean ALLOW_RESOLVE = false;
++
+ private String method;
+
+ public MethodClosure(Object owner, String method) {
+@@ -52,6 +54,13 @@ public class MethodClosure extends Closu
+ }
+ }
+
++private Object readResolve() {
++if (ALLOW_RESOLVE) {
++return this;
++}
++throw new UnsupportedOperationException();
++}
++
+ public String getMethod() {
+ return method;
+ }
diff -Nru groovy-1.8.6/debian/patches/series groovy-1.8.6/debian/patches/series
--- groovy-1.8.6/debian/patches/series 2011-10-14 15:41:49.0 -0300
+++ groovy-1.8.6/debian/patches/series 2015-07-25 20:00:25.0 -0300
@@ -1,3 +1,4 @@
0001-start-scripts.patch
0002-ant-build.diff.patch
0003-disable-bnd.diff.patch
+0005-CVE-2015-3253.patch
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Version: 7.11
Hi,
The fixes referred to in each of these bugs were included in today's
7.11 point release.
Regards,
Adam--- End Message ---
Bug#821044: marked as done (wheezy-pu: package zendframework/1.11.13-1.1+deb7u6)
Your message dated Sat, 04 Jun 2016 14:54:37 +0100 with message-id <1465048477.7545.10.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixed included in 7.11 has caused the Debian Bug report #821044, regarding wheezy-pu: package zendframework/1.11.13-1.1+deb7u6 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 821044: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821044 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: wheezy User: release.debian@packages.debian.org Usertags: pu Hi, As agreed with the security team, Iâd like to fix another potential entropy vulnerability that has been fixed in zendframework. The fix also gets rid of openssl_random_pseudo_bytes() introduced in the previous ZF2015-09 fix, and I also added a regression fix from the CVE-2015-7695 (ZF2015-08) patch (this one was introduced in DSA-3369-1). Please find attached the proposed debdiff for Wheezy, itâs pretty similar to the one from #821042. zendframework (1.11.13-1.1+deb7u6) wheezy; urgency=medium * Fix regression from ZF2015-08: binary data corruption * Backport security fix from 1.12.18: - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1 http://framework.zend.com/security/advisory/ZF2016-01 Regards David diff -u zendframework-1.11.13/debian/changelog zendframework-1.11.13/debian/changelog --- zendframework-1.11.13/debian/changelog +++ zendframework-1.11.13/debian/changelog @@ -1,6 +1,15 @@ +zendframework (1.11.13-1.1+deb7u6) wheezy; urgency=medium + + * Fix regression from ZF2015-08: binary data corruption + * Backport security fix from 1.12.18: +- ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1 + http://framework.zend.com/security/advisory/ZF2016-01 + + -- David Prévot Wed, 13 Apr 2016 16:34:02 -0400 + zendframework (1.11.13-1.1+deb7u5) wheezy; urgency=medium - * Backport security fix from 1.12.17 + * Backport security fix from 1.12.17: - ZF2015-09: Fixed entropy issue in word CAPTCHA http://framework.zend.com/security/advisory/ZF2015-09 @@ -8,7 +17,7 @@ zendframework (1.11.13-1.1+deb7u4) wheezy-security; urgency=high - * Backport security fixes from 1.12.16 + * Backport security fixes from 1.12.16: - ZF2015-07: Filesystem Permissions Issues in Multiple Components http://framework.zend.com/security/advisory/ZF2015-07 [CVE-2015-5723] diff -u zendframework-1.11.13/debian/patches/series zendframework-1.11.13/debian/patches/series --- zendframework-1.11.13/debian/patches/series +++ zendframework-1.11.13/debian/patches/series @@ -15,0 +16 @@ +0016-Fixed-the-rand-usage.patch diff -u zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch --- zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch +++ zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch @@ -5,37 +5,31 @@ This addresses the same issue as found in ZF2014-06, but within the PDO MsSql adapter. Additionally, it fixes transaction tests for that adapter. -Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 +Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 https://github.com/zendframework/zf1/commit/70d8aba8c525190e906c663dfdc55355f6e74416 --- - library/Zend/Db/Adapter/Pdo/Abstract.php | 3 +- - library/Zend/Db/Adapter/Pdo/Mssql.php| 2 +- - tests/TestConfiguration.php.dist | 5 ++-- - tests/Zend/Db/Adapter/Pdo/MssqlTest.php | 47 +++- - tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 +++ - tests/Zend/Db/Adapter/TestCommon.php | 5 ++-- + library/Zend/Db/Adapter/Pdo/Abstract.php | 1 - + library/Zend/Db/Adapter/Pdo/Mssql.php| 19 +-- + library/Zend/Db/Adapter/Pdo/Sqlite.php | 14 + tests/TestConfiguration.php.dist | 5 +-- + tests/Zend/Db/Adapter/Pdo/MssqlTest.php | 58 + tests/Zend/Db/Adapter/Pdo/MysqlTest.php | 13 +-- + tests/Zend/Db/Adapter/Pdo/SqliteTest.php | 10 ++ + tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 ++ + tests/Zend/Db/Adapter/TestCommon.php | 5 ++- tests/Zend/Db/TestUtil/Pdo/Mssql.php | 4 ++- - 7 files changed, 31 insertions(+), 45 deletions(-) + 10 files changed, 91 insertions(+), 48 deletions(-) diff --gi
Bug#819362: marked as done (wheezy-pu: package gtk+3.0/3.4.2-7+deb7u1)
Your message dated Sat, 04 Jun 2016 14:54:37 +0100 with message-id <1465048477.7545.10.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixed included in 7.11 has caused the Debian Bug report #819362, regarding wheezy-pu: package gtk+3.0/3.4.2-7+deb7u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 819362: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819362 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: wheezy User: release.debian@packages.debian.org Usertags: pu Hi, I'd like to upate gtk+3.0 in wheezy to fix CVE-2013-7447.patch with the attached debiff. Wheezy is currnelty the only unfixed gtk+3.0 version. Cheers, -- Guido -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff --git a/debian/changelog b/debian/changelog index 999a883..37c3d67 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +gtk+3.0 (3.4.2-7+deb7u1) oldstable-proposed-updates; urgency=medium + + * Non-maintainer upload. + * CVE-2013-7447.patch: Avoid integer overflow when allocating a large block +of memory in gdk_cairo_set_source_pixbuf (Closes: #818090) + + -- Guido Günther Sun, 13 Mar 2016 16:22:28 +0100 + gtk+3.0 (3.4.2-7) stable; urgency=low [ Raphaël Geissert ] diff --git a/debian/patches/CVE-2013-7447.patch b/debian/patches/CVE-2013-7447.patch new file mode 100644 index 000..cb851a2 --- /dev/null +++ b/debian/patches/CVE-2013-7447.patch @@ -0,0 +1,24 @@ +From: =?utf-8?q?Guido_G=C3=BCnther?= +Date: Sun, 13 Mar 2016 15:38:37 +0100 +Subject: CVE-2013-7447 + +Cherry-pick of upstream commit + +https://git.gnome.org/browse/gtk+/commit?id=894b1ae76a32720f4bb3d39cf460402e3ce331d6 +--- + gdk/gdkcairo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gdk/gdkcairo.c b/gdk/gdkcairo.c +index 19bed04..2e1d8dc 100644 +--- a/gdk/gdkcairo.c b/gdk/gdkcairo.c +@@ -213,7 +213,7 @@ gdk_cairo_set_source_pixbuf (cairo_t *cr, + format = CAIRO_FORMAT_ARGB32; + + cairo_stride = cairo_format_stride_for_width (format, width); +- cairo_pixels = g_malloc (height * cairo_stride); ++ cairo_pixels = g_malloc_n (height, cairo_stride); + surface = cairo_image_surface_create_for_data ((unsigned char *)cairo_pixels, + format, + width, height, cairo_stride); diff --git a/debian/patches/series b/debian/patches/series index e9942cf..866e6e9 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -15,3 +15,4 @@ 074_try-harder-to-discriminate-Shift-F10-and-F10.patch 075_gtkplug-fix-handling-of-key-events-for-layouts.patch 076_check_wm_supports_hint.patch +CVE-2013-7447.patch --- End Message --- --- Begin Message --- Version: 7.11 Hi, The fixes referred to in each of these bugs were included in today's 7.11 point release. Regards, Adam--- End Message ---
Bug#818906: marked as done (wheezy-pu: package dpkg/1.16.18)
Your message dated Sat, 04 Jun 2016 14:54:37 +0100
with message-id <1465048477.7545.10.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixed included in 7.11
has caused the Debian Bug report #818906,
regarding wheezy-pu: package dpkg/1.16.18
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
818906: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818906
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu
Hi!
Here's a proposed dpkg 1.16.18, with cherry picked fixes from master
(already in unstable). These include fixes for regressions, memory leaks,
segmentation faults, portability and interaction with tools such as
GNU tar or the system shell.
The change for Config-Version should be safe, as at worst it will have
no effect, otherwise packages relying on the correct behavior will
start to work now.
The «git log» fix is not yet in master though, but it should also be safe,
otherwise the build would simply fail. And I've just realized it's not
documented in debian/changelog, it will be in the ChangeLog, but I could
add it to debian/changelog too.
The changes have passed all unit tests which are part of the build,
and all functional test in the dpkg-tests git repo. Attached a diff
with translation updates filtered.
Thanks,
Guillem
diff --git a/Makefile.am b/Makefile.am
index 406d3dd..cb12880 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -140,7 +140,7 @@ update-po:
DISTCLEANFILES = ChangeLog
ChangeLog:
- git log -C --stat 1.15.0.. >$@
+ XDG_CONFIG_HOME= HOME= git log -C --stat 1.15.0.. >$@
# If we create the dist tarball from the git repository, make sure
# that we're not forgetting some files...
diff --git a/debian/changelog b/debian/changelog
index 1c5a662..19b76f3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,29 @@
+dpkg (1.16.18) wheezy; urgency=medium
+
+ * Remove trailing space before handling blank line dot-separator in
+Dpkg::Control::Hash. Regression introduced in dpkg 1.16.16.
+Reported by Jakub Wilk . Closes: #789580
+ * Only use the SHELL environment variable for interactive shells.
+Closes: #788819
+ * Move tar option --no-recursion before -T in dpkg-deb. With tar > 1.28 the
+--no-recursion option is now positional, and needs to be passed before
+the -T option, otherwise the tarball will end up with duplicated entries.
+Thanks to Richard Purdie .
+Closes: #807940
+ * Initialize Config-Version also for packages previously in triggers-pending
+state, otherwise we end up not passing the previously configured version
+to «postinst configure», which might consider this a first install instead
+of an upgrade. Closes: #801156
+ * Fix memory leaks in dpkg infodb format upgrade logic.
+ * Fix physical file offset comparison in dpkg. Closes: #808912
+Thanks to Yuri Gribov .
+ * Do not accept empty field names in dpkg. Closes: #769111
+ * When sys_siglist is defined in the system, try to use NSIG as we cannot
+compute the array size with sizeof(). If NSIG is missing fallback to 32
+items. Prompted by Igor Pashev .
+
+ -- Guillem Jover Sun, 20 Mar 2016 10:23:24 +0100
+
dpkg (1.16.17) wheezy-security; urgency=high
[ Guillem Jover ]
diff --git a/dpkg-deb/build.c b/dpkg-deb/build.c
index b798b1f..e83ed51 100644
--- a/dpkg-deb/build.c
+++ b/dpkg-deb/build.c
@@ -545,7 +545,8 @@ do_build(const char *const *argv)
m_dup2(p2[1],1); close(p2[0]); close(p2[1]);
if (chdir(dir))
ohshite(_("failed to chdir to `%.255s'"), dir);
-execlp(TAR, "tar", "-cf", "-", "--format=gnu", "--null", "-T", "-", "--no-recursion", NULL);
+execlp(TAR, "tar", "-cf", "-", "--format=gnu", "--null", "--no-recursion",
+ "-T", "-", NULL);
ohshite(_("unable to execute %s (%s)"), "tar -cf", TAR);
}
close(p1[0]);
diff --git a/lib/compat/strsignal.c b/lib/compat/strsignal.c
index 92fad03..7ff23e2 100644
--- a/lib/compat/strsignal.c
+++ b/lib/compat/strsignal.c
@@ -52,7 +52,12 @@ const char *const sys_siglist[] = {
"SIGTTIN", /* 21 */
"SIGTTOU", /* 22 */
};
+# define COMPAT_NSIGLIST (int)(sizeof(sys_siglist) / sizeof(sys_siglist[0]))
#else
+# ifndef NSIG
+# define NSIG 32
+# endif
+# define COMPAT_NSIGLIST NSIG
extern const char *const sys_siglist[];
#endif
@@ -61,7 +66,7 @@ strsignal(int s)
{
static char buf[100];
- if (s > 0 && s < sizeof(sys_siglist) / sizeof(sys_siglist[0]))
+ if (s > 0 && s < COMPAT_NSIGLIST)
return sys_siglist[s];
Bug#819282: marked as done (wheezy-pu: package openldap/2.4.31-2+deb7u2)
Your message dated Sat, 04 Jun 2016 14:54:37 +0100 with message-id <1465048477.7545.10.ca...@adam-barratt.org.uk> and subject line Closing bugs for fixed included in 7.11 has caused the Debian Bug report #819282, regarding wheezy-pu: package openldap/2.4.31-2+deb7u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 819282: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819282 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: wheezy User: release.debian@packages.debian.org Usertags: pu Hi debian-release, The last update of openldap in wheezy-security has never built on powerpc. I got access to the porterbox and found that the ppc64 kernel in jessie (presumably the buildds run the same kernel) uses a 64KB page size, while the MDB backend in wheezy only works with 4KB pages. This limitation has been resolved [ITS#7713] in jessie, but the changes are not trivial to backport, and I'm very concerned about regressing all arches if I were to make a mistake. Therefore I'm proposing that we disable the test suite on powerpc so that the package can build. I have built the proposed package on wheezy under qemu-system-ppc and run the entire test suite to ensure it passes. I also built it on the powerpc porterbox, installed the binaries on the qemu VM, and performed some additional manual testing. Of course I've also done my usual pre-upload testing (on amd64, in a clean wheezy chroot). Would you consider allowing this change into wheezy? [ITS#7713]: http://www.openldap.org/its/?findid=7713 -- System Information: Debian Release: 8.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.3.0-0.bpo.1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -u openldap-2.4.31/debian/rules openldap-2.4.31/debian/rules --- openldap-2.4.31/debian/rules +++ openldap-2.4.31/debian/rules @@ -7,6 +7,12 @@ export DEB_CFLAGS_MAINT_APPEND := -Wall -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE export DEB_BUILD_MAINT_OPTIONS := hardening=+pie,+bindnow +# Avoid running back-mdb tests on ppc64 builders +DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH) +ifeq ($(DEB_HOST_ARCH),powerpc) + export DEB_BUILD_OPTIONS += nocheck +endif + # Workaround for bad glibc behavior when resolving localhost export RESOLV_MULTI = off diff -u openldap-2.4.31/debian/changelog openldap-2.4.31/debian/changelog --- openldap-2.4.31/debian/changelog +++ openldap-2.4.31/debian/changelog @@ -1,3 +1,10 @@ +openldap (2.4.31-2+deb7u2) wheezy; urgency=medium + + * Disable the test suite on powerpc to work around back-mdb tests failing on +buildds running the jessie ppc64 kernel, which uses 64KB pages. (ITS#7713) + + -- Ryan Tandy Fri, 25 Mar 2016 11:45:18 -0700 + openldap (2.4.31-2+deb7u1) wheezy-security; urgency=high * Non-maintainer upload by the Security Team. --- End Message --- --- Begin Message --- Version: 7.11 Hi, The fixes referred to in each of these bugs were included in today's 7.11 point release. Regards, Adam--- End Message ---
Bug#819499: marked as done (wheezy-pu: package optipng/0.6.4-1)
Your message dated Sat, 04 Jun 2016 14:54:37 +0100
with message-id <1465048477.7545.10.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixed included in 7.11
has caused the Debian Bug report #819499,
regarding wheezy-pu: package optipng/0.6.4-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
819499: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819499
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu
Hello,
I have prepared a security update for optipng in wheezy to address
CVE-2015-7801. I have contacted the security team but they don't think
this issue warrants a DSA. Please find attached the debdiff.
Regards,
Markus
diff -Nru optipng-0.6.4/debian/changelog optipng-0.6.4/debian/changelog
--- optipng-0.6.4/debian/changelog 2010-03-17 16:26:21.0 +0100
+++ optipng-0.6.4/debian/changelog 2016-03-28 23:41:09.0 +0200
@@ -1,3 +1,12 @@
+optipng (0.6.4-1+deb7u1) wheezy; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2015-7801:
+Use-after-free vulnerability in optipng 0.6.4 is causing an invalid/double
+free.
+
+ -- Markus Koschany Mon, 28 Mar 2016 23:15:19 +0200
+
optipng (0.6.4-1) unstable; urgency=low
* New upstream release;
diff -Nru optipng-0.6.4/debian/patches/CVE-2015-7801.patch optipng-0.6.4/debian/patches/CVE-2015-7801.patch
--- optipng-0.6.4/debian/patches/CVE-2015-7801.patch 1970-01-01 01:00:00.0 +0100
+++ optipng-0.6.4/debian/patches/CVE-2015-7801.patch 2016-03-28 23:41:09.0 +0200
@@ -0,0 +1,34 @@
+From: Markus Koschany
+Date: Mon, 28 Mar 2016 23:13:51 +0200
+Subject: CVE-2015-7801
+
+Fix Use-after-free vulnerability in optipng 0.6.4 is causing an invalid/double
+free.
+---
+ src/opngoptim.c | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/opngoptim.c b/src/opngoptim.c
+index aab5580..cf55ed6 100644
+--- a/src/opngoptim.c
b/src/opngoptim.c
+@@ -1877,7 +1877,7 @@ opng_initialize(const struct opng_options *init_options,
+ int
+ opng_optimize(const char *infile_name)
+ {
+- const char *err_msg;
++ const char *err_msg = "";
+volatile int result; /* needs not be volatile, but keeps compilers happy */
+
+OPNG_ENSURE(engine.started, "The OptiPNG engine is not running");
+@@ -1906,7 +1906,9 @@ opng_optimize(const char *infile_name)
+ opng_print_error(err_msg);
+ result = -1;
+}
+- opng_destroy_image_info();
++ // Don't attempt to free if libpng is confused
++ if (strcmp(err_msg, "Inconsistent data in libpng"))
++ opng_destroy_image_info();
+usr_printf("\n");
+return result;
+ }
diff -Nru optipng-0.6.4/debian/patches/series optipng-0.6.4/debian/patches/series
--- optipng-0.6.4/debian/patches/series 1970-01-01 01:00:00.0 +0100
+++ optipng-0.6.4/debian/patches/series 2016-03-28 23:41:09.0 +0200
@@ -0,0 +1 @@
+CVE-2015-7801.patch
--- End Message ---
--- Begin Message ---
Version: 7.11
Hi,
The fixes referred to in each of these bugs were included in today's
7.11 point release.
Regards,
Adam--- End Message ---
Re: Bug#825127: RM: mediawiki/1:1.19.20+dfsg-2.3
Adam D. Barratt, 2016-06-04 14:02:40 +0100 : [...] > While that upload did stop producing the mediawiki plugin, I > unfortunately failed to notice that fusionforge-full has a dependency > on the plugin package. Oh shoot. Sorry about that. > By the time we noticed this during the point release it was too late > to resolve usefully, but if you could please prepare another upload > that removes the dependency then we can look at getting that pushed > out to users via jessie-updates. It's on its way. Roland. -- Roland Mas Indépendant en informatique libre -- Free software freelance http://www.gnurandal.com/
Re: Bug#825127: RM: mediawiki/1:1.19.20+dfsg-2.3
[to -release@ldo rather than the bug, as the removal itself is done] On Wed, 2016-05-25 at 11:16 +0200, Roland Mas wrote: > Adam D. Barratt, 2016-05-24 19:08:32 +0100 : > > [...] > > > A package built against stable, yes. (Using 5.3.2+20141104-3+deb8u2 as > > the package version and "jessie" as the distribution.) > > Built, signed, on its way to the upload queues. While that upload did stop producing the mediawiki plugin, I unfortunately failed to notice that fusionforge-full has a dependency on the plugin package. By the time we noticed this during the point release it was too late to resolve usefully, but if you could please prepare another upload that removes the dependency then we can look at getting that pushed out to users via jessie-updates. Regards, Adam
Bug#825127: marked as done (RM: mediawiki -- RoST; unsupported)
Your message dated Sat, 04 Jun 2016 12:30:08 + with message-id and subject line Bug#825127: Removed package(s) from stable has caused the Debian Bug report #825127, regarding RM: mediawiki -- RoST; unsupported to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 825127: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825127 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Hi, please remove mediawiki in the upcoming jessie point release. Security support for it was limited for a year as mentioned in the release notes: https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#mediawiki-security Cheers, Moritz --- End Message --- --- Begin Message --- We believe that the bug you reported is now fixed; the following package(s) have been removed from stable: mediawiki | 1:1.19.20+dfsg-2.3 | source, all mediawiki-classes | 1:1.19.20+dfsg-2.3 | all --- Reason --- RoST; unsupported -- Note that the package(s) have simply been removed from the tag database and may (or may not) still be in the pool; this is not a bug. The package(s) will be physically removed automatically when no suite references them (and in the case of source, when no binary references it). Please also remember that the changes have been done on the master archive and will not propagate to any mirrors until the next dinstall run at the earliest. Packages are usually not removed from testing by hand. Testing tracks unstable and will automatically remove packages which were removed from unstable when removing them from testing causes no dependency problems. The release team can force a removal from testing if it is really needed, please contact them if this should be the case. Bugs which have been reported against this package are not automatically removed from the Bug Tracking System. Please check all open bugs and close them or re-assign them to another package if the removed package was superseded by another one. The version of this package that was in Debian prior to this removal can still be found using http://snapshot.debian.org/. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 825...@bugs.debian.org. The full log for this bug can be viewed at https://bugs.debian.org/825127 This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org. Debian distribution maintenance software pp. Archive Administrator (the ftpmaster behind the curtain)--- End Message ---
Bug#821343: marked as done (RM: zotero-standalone-build -- RoQA; unusable in jessie)
Your message dated Sat, 04 Jun 2016 12:26:38 + with message-id and subject line Bug#821343: Removed package(s) from stable has caused the Debian Bug report #821343, regarding RM: zotero-standalone-build -- RoQA; unusable in jessie to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 821343: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821343 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Dear Release Team, Please remove zotero-standalone-build from jessie. The package is affected by two RC bugs (#795343, #788277) which are not easy to address via a minimal patch. I'll try to provide a backport. In the meantime, packages directly taken from stretch are working fine. Cheers, -- .''`.Sébastien Villemot : :' :Debian Developer `. `' http://sebastien.villemot.name `- GPG Key: 4096R/381A7594 signature.asc Description: PGP signature --- End Message --- --- Begin Message --- We believe that the bug you reported is now fixed; the following package(s) have been removed from stable: libreoffice-zotero-integration | 4.0.22-1 | all xul-ext-zotero | 4.0.22-1 | all zotero-standalone | 4.0.22-1 | all zotero-standalone-build | 4.0.22-1 | source --- Reason --- RoQA; unusable in jessie -- Note that the package(s) have simply been removed from the tag database and may (or may not) still be in the pool; this is not a bug. The package(s) will be physically removed automatically when no suite references them (and in the case of source, when no binary references it). Please also remember that the changes have been done on the master archive and will not propagate to any mirrors until the next dinstall run at the earliest. Packages are usually not removed from testing by hand. Testing tracks unstable and will automatically remove packages which were removed from unstable when removing them from testing causes no dependency problems. The release team can force a removal from testing if it is really needed, please contact them if this should be the case. Bugs which have been reported against this package are not automatically removed from the Bug Tracking System. Please check all open bugs and close them or re-assign them to another package if the removed package was superseded by another one. The version of this package that was in Debian prior to this removal can still be found using http://snapshot.debian.org/. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 821...@bugs.debian.org. The full log for this bug can be viewed at https://bugs.debian.org/821343 This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org. Debian distribution maintenance software pp. Archive Administrator (the ftpmaster behind the curtain)--- End Message ---
Bug#825308: marked as done (RM: mediawiki-math -- RoST; depends on mediawiki)
Your message dated Sat, 04 Jun 2016 12:29:15 + with message-id and subject line Bug#825308: Removed package(s) from stable has caused the Debian Bug report #825308, regarding RM: mediawiki-math -- RoST; depends on mediawiki to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 825308: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825308 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Hi, please remove mediawiki in the upcoming jessie point release. Security support for it was limited for a year as mentioned in the release notes: https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#mediawiki-security Cheers, Moritz --- End Message --- --- Begin Message --- We believe that the bug you reported is now fixed; the following package(s) have been removed from stable: mediawiki-extensions-math | 2:1.0+git20120528-8 | all mediawiki-math | 2:1.0+git20120528-8 | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x mediawiki-math-texvc | 2:1.0+git20120528-8 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x --- Reason --- RoST; depends on mediawiki, to be removed -- Note that the package(s) have simply been removed from the tag database and may (or may not) still be in the pool; this is not a bug. The package(s) will be physically removed automatically when no suite references them (and in the case of source, when no binary references it). Please also remember that the changes have been done on the master archive and will not propagate to any mirrors until the next dinstall run at the earliest. Packages are usually not removed from testing by hand. Testing tracks unstable and will automatically remove packages which were removed from unstable when removing them from testing causes no dependency problems. The release team can force a removal from testing if it is really needed, please contact them if this should be the case. Bugs which have been reported against this package are not automatically removed from the Bug Tracking System. Please check all open bugs and close them or re-assign them to another package if the removed package was superseded by another one. The version of this package that was in Debian prior to this removal can still be found using http://snapshot.debian.org/. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 825...@bugs.debian.org. The full log for this bug can be viewed at https://bugs.debian.org/825308 This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org. Debian distribution maintenance software pp. Archive Administrator (the ftpmaster behind the curtain)--- End Message ---
Bug#824345: marked as done (RM: lyz -- RoQA; depends on to-be-removed zotero-standalone-build)
Your message dated Sat, 04 Jun 2016 12:28:01 + with message-id and subject line Bug#824345: Removed package(s) from stable has caused the Debian Bug report #824345, regarding RM: lyz -- RoQA; depends on to-be-removed zotero-standalone-build to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 824345: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824345 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Dear Release Team, Please remove zotero-standalone-build from jessie. The package is affected by two RC bugs (#795343, #788277) which are not easy to address via a minimal patch. I'll try to provide a backport. In the meantime, packages directly taken from stretch are working fine. Cheers, -- .''`.Sébastien Villemot : :' :Debian Developer `. `' http://sebastien.villemot.name `- GPG Key: 4096R/381A7594 signature.asc Description: PGP signature --- End Message --- --- Begin Message --- We believe that the bug you reported is now fixed; the following package(s) have been removed from stable: lyz | 2.1.5-3-g895ff3a-1 | source xul-ext-lyz | 2.1.5-3-g895ff3a-1 | all --- Reason --- RoQA; broken, dependency zotero-standalone-build removed -- Note that the package(s) have simply been removed from the tag database and may (or may not) still be in the pool; this is not a bug. The package(s) will be physically removed automatically when no suite references them (and in the case of source, when no binary references it). Please also remember that the changes have been done on the master archive and will not propagate to any mirrors until the next dinstall run at the earliest. Packages are usually not removed from testing by hand. Testing tracks unstable and will automatically remove packages which were removed from unstable when removing them from testing causes no dependency problems. The release team can force a removal from testing if it is really needed, please contact them if this should be the case. Bugs which have been reported against this package are not automatically removed from the Bug Tracking System. Please check all open bugs and close them or re-assign them to another package if the removed package was superseded by another one. The version of this package that was in Debian prior to this removal can still be found using http://snapshot.debian.org/. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 824...@bugs.debian.org. The full log for this bug can be viewed at https://bugs.debian.org/824345 This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org. Debian distribution maintenance software pp. Archive Administrator (the ftpmaster behind the curtain)--- End Message ---
Bug#825860: marked as done (RM: kfreebsd-headers-9.0-2 [armel armhf ia64 mips powerpc s390 s390x sparc] -- RoQA; ANAIS)
Your message dated Sat, 04 Jun 2016 11:16:12 + with message-id and subject line Bug#825860: Removed package(s) from oldstable has caused the Debian Bug report #825860, regarding RM: kfreebsd-headers-9.0-2 [armel armhf ia64 mips powerpc s390 s390x sparc] -- RoQA; ANAIS to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 825860: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825860 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org User: release.debian@packages.debian.org Usertags: rm Tags: wheezy pending kfreebsd-headers-9.0-2 was inadvertently built on a number of architectures in wheezy-pu some time ago. The wanna-build side seems to have been cleaned up in the meantime but the cruft should be cleaned up. --- End Message --- --- Begin Message --- We believe that the bug you reported is now fixed; the following package(s) have been removed from oldstable: kfreebsd-headers-9.0-2 | 9.0-10+deb70.7 | armel, armhf, ia64, mips, powerpc, s390, s390x, sparc --- Reason --- RoQA; ANAIS -- Note that the package(s) have simply been removed from the tag database and may (or may not) still be in the pool; this is not a bug. The package(s) will be physically removed automatically when no suite references them (and in the case of source, when no binary references it). Please also remember that the changes have been done on the master archive and will not propagate to any mirrors until the next dinstall run at the earliest. Packages are usually not removed from testing by hand. Testing tracks unstable and will automatically remove packages which were removed from unstable when removing them from testing causes no dependency problems. The release team can force a removal from testing if it is really needed, please contact them if this should be the case. Bugs which have been reported against this package are not automatically removed from the Bug Tracking System. Please check all open bugs and close them or re-assign them to another package if the removed package was superseded by another one. The version of this package that was in Debian prior to this removal can still be found using http://snapshot.debian.org/. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 825...@bugs.debian.org. The full log for this bug can be viewed at https://bugs.debian.org/825860 This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org. Debian distribution maintenance software pp. Archive Administrator (the ftpmaster behind the curtain)--- End Message ---
Bug#826102: marked as done (nmu: phonetisaurus_0.7.8-6 opengrm-ngram_1.2.2-1)
Your message dated Sat, 4 Jun 2016 12:55:50 +0200 with message-id and subject line Re: Bug#826102: nmu: phonetisaurus_0.7.8-6 opengrm-ngram_1.2.2-1 has caused the Debian Bug report #826102, regarding nmu: phonetisaurus_0.7.8-6 opengrm-ngram_1.2.2-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 826102: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826102 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu nmu phonetisaurus_0.7.8-6 . ANY . experimental . -m "Rebuild against libfst4." nmu opengrm-ngram_1.2.2-1 . ANY . experimental . -m "Rebuild against libfst4." openfst did a SONAME bump when uploaded to unstable initially, only a "transition" in experimental is needed. Andreas --- End Message --- --- Begin Message --- On 02/06/16 11:14, Andreas Beckmann wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: binnmu > > nmu phonetisaurus_0.7.8-6 . ANY . experimental . -m "Rebuild against libfst4." > nmu opengrm-ngram_1.2.2-1 . ANY . experimental . -m "Rebuild against libfst4." > > openfst did a SONAME bump when uploaded to unstable initially, > only a "transition" in experimental is needed. Scheduled. Cheers, Emilio--- End Message ---
Processed: Re: Bug#823667: transition: poppler 0.42
Processing commands for cont...@bugs.debian.org: > tags 823667 pending Bug #823667 [release.debian.org] transition: poppler 0.44 Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 823667: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823667 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#822744: marked as done (transition: gloox)
Your message dated Sat, 4 Jun 2016 12:07:52 +0200 with message-id <577dd46f-e126-d7d0-6804-f110e272c...@debian.org> and subject line Re: Bug#822744: transition: gloox has caused the Debian Bug report #822744, regarding transition: gloox to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 822744: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822744 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org User: release.debian@packages.debian.org Usertags: transition Severity: normal Hi, I'd like to request a transition slot for src:gloox. This is a relatively small transition, with only 3 source packages affected (tested builds against newer gloox, currently in experimental, results are as follows): licq (FTBFS not related to gloox, #820106, pending autoremoval) 0ad (build ok, needs binNMU) uwsgi (build ok, needs binNMU) Ben file: (https://release.debian.org/transitions/html/auto-gloox.html is accurate) Regards, Vincent --- End Message --- --- Begin Message --- On 28/04/16 01:20, Vincent Cheng wrote: > On Wed, Apr 27, 2016 at 12:12 AM, Emilio Pozuelo Monfort > wrote: >> Control: tags -1 confirmed >> >> On 27/04/16 03:59, Vincent Cheng wrote: >>> Package: release.debian.org >>> User: release.debian@packages.debian.org >>> Usertags: transition >>> Severity: normal >>> >>> Hi, >>> >>> I'd like to request a transition slot for src:gloox. This is a relatively >>> small >>> transition, with only 3 source packages affected (tested builds against >>> newer >>> gloox, currently in experimental, results are as follows): >>> >>> licq (FTBFS not related to gloox, #820106, pending autoremoval) >>> 0ad (build ok, needs binNMU) >>> uwsgi (build ok, needs binNMU) >> >> Go ahead. > > Uploaded, built and installed on all archs. Thanks in advance for > scheduling binNMUs! This is now finished. Cheers, Emilio--- End Message ---
