Bug#883624: transition: libkf5kipi + marble 17.08

2017-12-09 Thread Pino Toscano
On Friday, 8 December 2017 19:53:03 CET, Emilio Pozuelo Monfort wrote:
> On 05/12/17 22:03, Pino Toscano wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > 
> > Hi,
> > 
> > I would like to request a slot for the transitions of libkf5kipi 17.08
> > and marble 17.08.  I'm requesting a single slot for them as the impact
> > of each is limited, and they both affect digikam (big source, so one
> > rebuild can be avoided).
> > 
> > The sources affected by libkf5kipi are:
> > - digikam
> > - gwenview
> > - kde-spectacle
> > - kphotoalbum
> > The sources affected by marble are:
> > - digikam
> > - kreport
> > - libkf5kgeomap
> > 
> > I will wait for this weekend for the batch of 17.08 uploads I did last
> > weekend to migrate to testing: the reason is that the new versions of
> > libkf5kipi and marble carry their translations files, right now shipped
> > as part of kde-l10n (and thus a coordinated upload is needed, I will
> > take care of it).
> 
> You can go ahead.

Uploaded libkf5kipi, marble and libkf5kgeomap a few hours ago, and all of
them already built everywhere.

-- 
Pino Toscano



Bug#883622: transition: analitza 17.08

2017-12-09 Thread Pino Toscano
On Friday, 8 December 2017 19:52:13 CET, Emilio Pozuelo Monfort wrote:
> On 05/12/17 21:57, Pino Toscano wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > 
> > Hi,
> > 
> > I would like to request a slot for the analitza 17.08.x transition.
> > There are only two affected sources:
> > - kalgebra (which will get a sourceful upload)
> > - cantor, which just needs a rebuild
> > 
> > I will wait for this weekend for the batch of 17.08 uploads I did last
> > weekend to migrate to testing: the reason is that the new versions of
> > analitza and kalgebra carry their translations files, right now shipped
> > as part of kde-l10n (and thus a coordinated upload is needed, I will
> > take care of it).
> 
> Ack.

Uploaded a few hours ago, and analitza and kalgebra already built
everywhere.

-- 
Pino Toscano



NEW changes in stable-new

2017-12-09 Thread Debian FTP Masters
Processing changes file: waagent_2.2.18-3~deb9u1_all.changes
  ACCEPT



Bug#883963: stretch-pu: package xchain/1.0.1-9~deb9u1

2017-12-09 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Let's fix the dependency problem of xchain in stretch, too. #878090
It calls /usr/bin/wish, therefore it needs to depend on wish and not
tk8.5 (which no longer provides the generic wish binary, that's tk8.6
realm now).

The Standards-Version and Priority bump are metadata only changes.


Andreas
diff -Nru xchain-1.0.1/debian/changelog xchain-1.0.1/debian/changelog
--- xchain-1.0.1/debian/changelog   2017-01-15 23:25:46.0 +0100
+++ xchain-1.0.1/debian/changelog   2017-12-09 21:02:31.0 +0100
@@ -1,3 +1,25 @@
+xchain (1.0.1-9~deb9u1) stretch; urgency=medium
+
+  * QA upload.
+  * Rebuild for stretch.
+
+ -- Andreas Beckmann   Sat, 09 Dec 2017 21:02:31 +0100
+
+xchain (1.0.1-9) unstable; urgency=medium
+
+  * QA upload.
+  * Revert path change, depend on "wish" only. Re-closes: #878090
+
+ -- Adam Borowski   Thu, 12 Oct 2017 20:12:24 +0200
+
+xchain (1.0.1-8) unstable; urgency=medium
+
+  * QA upload.
+  * Update path to wish (it's /usr/bin/wish8.5 now). Closes: #878090
+  * Priority optional.
+
+ -- Adam Borowski   Thu, 12 Oct 2017 09:14:07 +0200
+
 xchain (1.0.1-7) unstable; urgency=medium
 
   * QA upload.
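Review bot: none of the three added changelog entries records the Standards-Version bump that the debian/control part of this diff makes (3.9.8 to 4.1.1); the 1.0.1-8 entry lists only "Priority optional." The request calls both changes metadata-only, so mention the bump in the 1.0.1-9~deb9u1 entry to keep the changelog in line with what the upload actually changes.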
diff -Nru xchain-1.0.1/debian/control xchain-1.0.1/debian/control
--- xchain-1.0.1/debian/control 2017-01-15 23:25:46.0 +0100
+++ xchain-1.0.1/debian/control 2017-10-12 20:12:19.0 +0200
@@ -1,15 +1,15 @@
 Source: xchain
 Section: games
-Priority: extra
+Priority: optional
 Maintainer: Debian QA Group 
-Standards-Version: 3.9.8
+Standards-Version: 4.1.1
 Build-Depends: debhelper (>= 10)
 Vcs-Browser: https://anonscm.debian.org/git/collab-maint/xchain.git
 Vcs-Git: https://anonscm.debian.org/git/collab-maint/xchain.git
 
 Package: xchain
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, tk8.5 | wish
+Depends: ${shlibs:Depends}, ${misc:Depends}, wish
 Description: strategy game for 2-4 players
  Chain Reaction is a classic strategy game for 2-4 players. Players take turns
  to place tokens on an 8x8 board. When a square exceeds its maximum value, it
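Review bot: the new Depends line names only "wish", with no real package listed in front of it. If "wish" is a purely virtual package, the resolver picks whichever provider it likes; listing a preferred real provider as the first alternative, followed by "| wish", keeps installs deterministic while still fixing the tk8.5 problem described in the request.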


Bug#883959: stretch-pu: package cappuccino/0.5.1-8~deb9u1

2017-12-09 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Let's fix the missing dependency on gir1.2-gtk-3.0, #879848, by
rebuilding the package from sid. This also adds a 
  /usr/games/cappuccino -> ../bin/cappuccino
symlink.


Andreas
diff -u cappuccino-0.5.1/debian/changelog cappuccino-0.5.1/debian/changelog
--- cappuccino-0.5.1/debian/changelog
+++ cappuccino-0.5.1/debian/changelog
@@ -1,3 +1,24 @@
+cappuccino (0.5.1-8~deb9u1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * rebuild for stretch.
+
+ -- Andreas Beckmann   Sat, 09 Dec 2017 20:38:28 +0100
+
+cappuccino (0.5.1-8) unstable; urgency=medium
+
+  * Fixes broken symlink in /usr/games. Closes: #880714
+- Thanks to Chris Lamb.
+
+ -- Breno Leitao   Mon, 06 Nov 2017 14:25:01 -0500
+
+cappuccino (0.5.1-7) unstable; urgency=medium
+
+  * Adding gir1.2-gtk-3.0 as a dependency. Closes: #879848
+  * Adding a link to /usr/games/cappuccino
+
+ -- Breno Leitao   Fri, 03 Nov 2017 07:52:46 -0400
+
 cappuccino (0.5.1-6) unstable; urgency=medium
 
   * Fix python dependency, moving the debian/rules file to
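Review bot: the top entry, 0.5.1-8~deb9u1, still has "unstable" as its distribution although this is a rebuild for stretch. Set the distribution field to "stretch" before uploading; the entry text could also say that the upload brings the fixes for #879848 and #880714 to stretch, since "rebuild for stretch" alone does not tell a stable user what changed.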
diff -u cappuccino-0.5.1/debian/control cappuccino-0.5.1/debian/control
--- cappuccino-0.5.1/debian/control
+++ cappuccino-0.5.1/debian/control
@@ -3,12 +3,12 @@
 Priority: optional
 Homepage: https://labs.truelite.it/projects/cappuccino
 Maintainer: Breno Leitao 
-Standards-Version: 3.7.2
+Standards-Version: 4.1.0
 Build-Depends: debhelper (>> 5.0.0), python3, python3-gi, polygen
 
 Package: cappuccino
 Architecture: all
-Depends: python3, python3-gi, polygen, ${misc:Depends}
+Depends: python3, python3-gi, polygen, ${misc:Depends},  gir1.2-gtk-3.0
 Description: utility to let your boss think that you're working hard
  Run this software on your computer when you are not motivated to work, and
  enjoy doing something different. If your boss come in your cubicle, he'll
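Review bot: the Standards-Version jump from 3.7.2 to 4.1.0 is not mentioned in any of the changelog entries in this diff, and it is unrelated to the missing-dependency fix the request is about; either record it in the changelog or leave it out of the stable update. As a style point, the added Depends entry has two spaces after the comma before gir1.2-gtk-3.0.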
diff -u cappuccino-0.5.1/debian/rules cappuccino-0.5.1/debian/rules
--- cappuccino-0.5.1/debian/rules
+++ cappuccino-0.5.1/debian/rules
@@ -44,6 +44,10 @@
polygen -seed 0 
$(CURDIR)/debian/cappuccino/usr/share/cappuccino/cappuccino.grm > /dev/null
polygen -seed 0 
$(CURDIR)/debian/cappuccino/usr/share/cappuccino/compileline.grm > /dev/null
 
+   # As it is considered a game, put a link at /usr/games
+   mkdir $(CURDIR)/debian/cappuccino/usr/games
+   ln -s /usr/bin/cappuccino 
$(CURDIR)/debian/cappuccino/usr/games/cappuccino
+
 # Build architecture-independent files here.
 binary-indep: build install
dh_testdir
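Review bot: the added "ln -s /usr/bin/cappuccino" creates an absolute link, while the request describes the result as /usr/games/cappuccino -> ../bin/cappuccino and the 0.5.1-8 changelog entry speaks of a broken symlink being fixed, so it is worth confirming which target the built package really ships. The plain "mkdir" also fails if the install target is run a second time; "mkdir -p", or dropping both commands in favour of a debian/links entry handled by dh_link, would avoid both issues.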


Bug#883952: stretch-pu: package activity-log-manager/0.8.0-1.2~deb9u1

2017-12-09 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Let's fix the missing dependency on python-zeitgeist, #881438, by
rebuilding the corresponding fixed package from sid.


Andreas
diff -Nru activity-log-manager-0.8.0/debian/changelog 
activity-log-manager-0.8.0/debian/changelog
--- activity-log-manager-0.8.0/debian/changelog 2015-08-18 17:28:36.0 
+0200
+++ activity-log-manager-0.8.0/debian/changelog 2017-12-09 20:04:56.0 
+0100
@@ -1,3 +1,17 @@
+activity-log-manager (0.8.0-1.2~deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for stretch.
+
+ -- Andreas Beckmann   Sat, 09 Dec 2017 20:04:56 +0100
+
+activity-log-manager (0.8.0-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add dependency against python-zeitgeist (Closes: #881438)
+
+ -- Laurent Bigonville   Sun, 12 Nov 2017 18:05:38 +0100
+
 activity-log-manager (0.8.0-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru activity-log-manager-0.8.0/debian/control 
activity-log-manager-0.8.0/debian/control
--- activity-log-manager-0.8.0/debian/control   2015-08-18 17:30:06.0 
+0200
+++ activity-log-manager-0.8.0/debian/control   2017-11-12 18:04:24.0 
+0100
@@ -17,7 +17,8 @@
  python,
  zeitgeist-core (>= 0.7~) | zeitgeist (>= 0.7~),
  python-gtk2,
- python-cairo
+ python-cairo,
+ python-zeitgeist
 Description: blacklist configuration user interface for Zeitgeist
  Zeitgeist is a service which logs the user's activities and events (files
  opened, websites visited, conversations held with other people, etc.) and
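Review bot: python-zeitgeist is added without a version constraint, directly below a zeitgeist-core alternative that requires (>= 0.7~). If the Python bindings have to match that minimum as well, add the same lower bound here; if any version in stretch is sufficient, the unversioned dependency is fine as it stands.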


NEW changes in stable-new

2017-12-09 Thread Debian FTP Masters
Processing changes file: cron_3.0pl1-128+deb9u1_i386.changes
  ACCEPT



NEW changes in stable-new

2017-12-09 Thread Debian FTP Masters
Processing changes file: cron_3.0pl1-128+deb9u1_ppc64el.changes
  ACCEPT



Bug#872293: nmu: loads of golang stuff

2017-12-09 Thread Paul Tagliamonte
> What's outdated here, built-using? If so, we rebuild those before or during
> the freeze. Not sure we need to do it more often than that, as things will
> get out of date again before the freeze.

Due to the way golang binaries get built, not rebuilding them outside
of freeze results in binaries that become buggy during freeze and
trigger more uploads and rebuilds.

buildd time is cheap, and ensuring we can both get rid of old sources
and find bugs is important during development.

The other way we can do this is I can do routine empty uploads -- we
need them rebuilt either way

Thanks!
  Paul

>
> Cheers,
> Emilio



-- 
:wq



NEW changes in stable-new

2017-12-09 Thread Debian FTP Masters
Processing changes file: cron_3.0pl1-128+deb9u1_arm64.changes
  ACCEPT
Processing changes file: cron_3.0pl1-128+deb9u1_armel.changes
  ACCEPT
Processing changes file: cron_3.0pl1-128+deb9u1_armhf.changes
  ACCEPT
Processing changes file: cron_3.0pl1-128+deb9u1_mips.changes
  ACCEPT
Processing changes file: cron_3.0pl1-128+deb9u1_mips64el.changes
  ACCEPT
Processing changes file: cron_3.0pl1-128+deb9u1_mipsel.changes
  ACCEPT
Processing changes file: cron_3.0pl1-128+deb9u1_s390x.changes
  ACCEPT



Bug#883933: nmu: polymake_3.1-5

2017-12-09 Thread David Bremner
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

The following crash seems cured by a rebuild:

Can't locate loadable object for module Polymake::Ext in @INC (@INC contains: 
/usr/share/polymake/perllib /usr/lib/polymake/perlx/5.26.0 
/usr/lib/polymake/perlx /home/bremner/.config/perl /etc/perl 
/usr/local/lib/x86_64-linux-gnu/perl/5.26.1 /usr/local/share/perl/5.26.1 
/usr/lib/x86_64-linux-gnu/perl5/5.26 /usr/share/perl5 
/usr/lib/x86_64-linux-gnu/perl/5.26 /usr/share/perl/5.26 
/usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at 
/usr/share/polymake/perllib/Polymake/Namespaces.pm line 17.

nmu polymake_3.1-5 . ANY . unstable . -m "rebuild for perl 5.26"

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



NEW changes in oldstable-new

2017-12-09 Thread Debian FTP Masters
Processing changes file: dns-root-data_2017072601~deb8u2_amd64.changes
  ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_amd64.changes
  ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_arm64.changes
  ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_armel.changes
  ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_armhf.changes
  ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_i386.changes
  ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_mips.changes
  ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_mipsel.changes
  ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_powerpc.changes
  ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_ppc64el.changes
  ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_s390x.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_multi.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_amd64.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_arm64.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_armel.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_armhf.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_i386.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_mips.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_mipsel.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_powerpc.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_ppc64el.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_s390x.changes
  ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_allonly.changes
  ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_amd64.changes
  ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_arm64.changes
  ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_armel.changes
  ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_armhf.changes
  ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_i386.changes
  ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_mips.changes
  ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_mipsel.changes
  ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_powerpc.changes
  ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_ppc64el.changes
  ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_s390x.changes
  ACCEPT
Processing changes file: tor_0.2.5.16-1_weasel.changes
  ACCEPT
Processing changes file: tor_0.2.5.16-1_amd64.changes
  ACCEPT
Processing changes file: tor_0.2.5.16-1_arm64.changes
  ACCEPT
Processing changes file: tor_0.2.5.16-1_armel.changes
  ACCEPT
Processing changes file: tor_0.2.5.16-1_armhf.changes
  ACCEPT
Processing changes file: tor_0.2.5.16-1_i386.changes
  ACCEPT
Processing changes file: tor_0.2.5.16-1_mips.changes
  ACCEPT
Processing changes file: tor_0.2.5.16-1_mipsel.changes
  ACCEPT
Processing changes file: tor_0.2.5.16-1_powerpc.changes
  ACCEPT
Processing changes file: tor_0.2.5.16-1_ppc64el.changes
  ACCEPT
Processing changes file: tor_0.2.5.16-1_s390x.changes
  ACCEPT



NEW changes in stable-new

2017-12-09 Thread Debian FTP Masters
Processing changes file: auto-apt-proxy_2+deb9u1_amd64.changes
  ACCEPT
Processing changes file: cron_3.0pl1-128+deb9u1_amd64.changes
  ACCEPT
Processing changes file: golang-github-go-ldap-ldap_2.4.1-1+deb9u1_amd64.changes
  ACCEPT
Processing changes file: waagent_2.2.18-3~deb9u1_source.changes
  ACCEPT



Processed: Re: Bug#882158: stretch-pu: package glibc/2.24-11+deb9u2

2017-12-09 Thread Debian Bug Tracking System
Processing control commands:

> retitle -1 stretch-pu: package glibc/2.24-11+deb9u3
Bug #882158 [release.debian.org] stretch-pu: package glibc/2.24-11+deb9u2
Changed Bug title to 'stretch-pu: package glibc/2.24-11+deb9u3' from 
'stretch-pu: package glibc/2.24-11+deb9u2'.
> tag -1 - pending
Bug #882158 [release.debian.org] stretch-pu: package glibc/2.24-11+deb9u3
Removed tag(s) pending.
> tag -1 - confirmed
Bug #882158 [release.debian.org] stretch-pu: package glibc/2.24-11+deb9u3
Removed tag(s) confirmed.

-- 
882158: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882158
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#882158: stretch-pu: package glibc/2.24-11+deb9u2

2017-12-09 Thread Aurelien Jarno
control: retitle -1 stretch-pu: package glibc/2.24-11+deb9u3
control: tag -1 - pending
control: tag -1 - confirmed

On 2017-12-02 19:23, Adam D. Barratt wrote:
> Control: tags -1 + pending
> 
> On Fri, 2017-12-01 at 21:15 +0100, Aurelien Jarno wrote:
> > On 2017-12-01 19:49, Cyril Brulebois wrote:
> > > Adam D. Barratt  (2017-11-24):
> > > > This looks OK to me, but will need a KiBi-ack; CCing.
> > > 
> > > lgtm; apologies for the delay.
> > 
> > Thanks, I have just uploaded it.
> 
> Flagged for acceptance.
> 

Unfortunately it didn't make it into 9.3 due to the regression introduced wrt
/etc/ld.so.nohwcap (see bug#883394). The issue is due to the conversion
of libc6-i686 into a transitional package between jessie and stretch, and
dropping the postinst and postrm script handling the removal of
/etc/ld.so.nohwcap after the upgrade. The problem always existed in
stretch, but the probability for it to happen has been greatly increased
by the fix for #882272. The issue doesn't affect buster/sid as the
transitional package has been removed.

I have fixed the issue in version 2.24-11+deb9u3 by reintroducing the
postinst and postrm scripts in the transitional package. You will find
below the corresponding patch.

Thanks for considering it for 9.4.

Regards,
Aurelien


diff --git a/debian/changelog b/debian/changelog
index 15d804c1..bd4f4115 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+glibc (2.24-11+deb9u3) UNRELEASED; urgency=medium
+
+  [ Aurelien Jarno ]
+  * debian/rules.d/debhelper.mk: install the libc-otherbuild postinst and
+postrm in the libc6-i686 transitional package, to make sure
+/etc/ld.so.nohwcap is correctly removed after an upgrade.  Closes:
+#883394.
+
+ -- Aurelien Jarno   Wed, 06 Dec 2017 21:58:24 +0100
+
 glibc (2.24-11+deb9u2) stretch; urgency=medium
 
   [ Aurelien Jarno ]
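Review bot: the new 2.24-11+deb9u3 entry still carries the distribution "UNRELEASED", which has to become "stretch" before the upload, as in the 2.24-11+deb9u2 entry below it. The entry text itself describes the debhelper.mk change and closes #883394, so nothing else is missing here.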
diff --git a/debian/rules.d/debhelper.mk b/debian/rules.d/debhelper.mk
index 23de2220..97429175 100644
--- a/debian/rules.d/debhelper.mk
+++ b/debian/rules.d/debhelper.mk
@@ -147,6 +147,12 @@ $(stamp)debhelper-common:
  esac; \
done
 
+   # We need the NOHWCAP code also for the transitional libc6-i686 package
+ifeq ($(DEB_HOST_ARCH),i386)
+   cp debian/libc-otherbuild.postinst debian/libc6-i686.postinst
+   cp debian/libc-otherbuild.postrm debian/libc6-i686.postrm
+endif
+
# Install nscd systemd files on linux
 ifeq ($(DEB_HOST_ARCH_OS),linux)
cp nscd/nscd.service debian/nscd.service
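Review bot: the two added "cp" lines generate debian/libc6-i686.postinst and debian/libc6-i686.postrm inside the source tree at build time, and this hunk shows no matching removal. Check that the clean target deletes both files, the same way it has to for the copied debian/nscd.service below, so that a second build or a source-only build does not pick up stale maintainer scripts.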


-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net



Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api

2017-12-09 Thread Sébastien Delafond
On Dec/09, Adam D. Barratt wrote:
> For the record, reviewing the diff of the -security upload, I notice
> that the change actually adds *two* runtime dependencies - the second,
> which was not mentioned in this pre-approval request, nor included in
> the proposed diff, being python-pastescript.

I figured python-pastescript had also been approved; I should have
verified this myself instead of assuming so...

Cheers,

--Seb



NEW changes in stable-new

2017-12-09 Thread Debian FTP Masters
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_amd64.changes
  ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_arm64.changes
  ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_armel.changes
  ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_armhf.changes
  ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_i386.changes
  ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_mips.changes
  ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_mips64el.changes
  ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_mipsel.changes
  ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_ppc64el.changes
  ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_s390x.changes
  ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_i386.changes
  ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_amd64.changes
  ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_arm64.changes
  ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_armel.changes
  ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_armhf.changes
  ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_mips.changes
  ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_mips64el.changes
  ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_mipsel.changes
  ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_ppc64el.changes
  ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_s390x.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_multi.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_amd64.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_arm64.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_armel.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_armhf.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_i386.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_mips.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_mips64el.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_mipsel.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_ppc64el.changes
  ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_s390x.changes
  ACCEPT
Processing changes file: nova_14.0.0-4+deb9u1_amd64.changes
  ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_sourceonly.changes
  ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_amd64.changes
  ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_arm64.changes
  ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_armel.changes
  ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_armhf.changes
  ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_i386.changes
  ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_mips.changes
  ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_mips64el.changes
  ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_mipsel.changes
  ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_ppc64el.changes
  ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_s390x.changes
  ACCEPT
Processing changes file: tor_0.2.9.14-1_weasel.changes
  ACCEPT
Processing changes file: tor_0.2.9.14-1_all.changes
  ACCEPT
Processing changes file: tor_0.2.9.14-1_amd64.changes
  ACCEPT
Processing changes file: tor_0.2.9.14-1_arm64.changes
  ACCEPT
Processing changes file: tor_0.2.9.14-1_armel.changes
  ACCEPT
Processing changes file: tor_0.2.9.14-1_armhf.changes
  ACCEPT
Processing changes file: tor_0.2.9.14-1_i386.changes
  ACCEPT
Processing changes file: tor_0.2.9.14-1_mips.changes
  ACCEPT
Processing changes file: tor_0.2.9.14-1_mips64el.changes
  ACCEPT
Processing changes file: tor_0.2.9.14-1_mipsel.changes
  ACCEPT
Processing changes file: tor_0.2.9.14-1_ppc64el.changes
  ACCEPT
Processing changes file: tor_0.2.9.14-1_s390x.changes
  ACCEPT



Bug#879161: jessie-pu: package dns-root-data/2017072601~deb8u2

2017-12-09 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2017-11-18 at 19:08 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Thu, 2017-10-19 at 18:36 -0400, Daniel Kahn Gillmor wrote:
> > the version of dns-root-data in jessie (2017072601~deb8u1) only
> > ships one entry in /usr/share/root.ds.  see
> > https://bugs.debian.org/877683
> > 
> > I've cherry-picked a few changes from the master branch which
> > accommodate the new situation at ICANN and use a different toolchain
> > to produce root.ds that can handle multiple keys.  This should
> > probably go into jessie sooner rather than later, though we have a
> > bit of a reprieve since the root key rollover has been postponed
> > for the moment.
> 
> +dns-root-data (2017072601~deb8u2) jessie-updates; urgency=medium
> 
> Nope. "jessie-updates" is not a supported upload target. Updates for
> jessie should use "jessie" as the changelog distribution.
> 
> I'm not overjoyed about the tooling rewrite, particularly with the
> Build-Depends changes, but it makes sense to keep it in line with
> that
> in newer suites.
> 
> With the changelog fixed, please go ahead.

Uploaded (during the 8.10 freeze) and flagged for acceptance.

Regards,

Adam



Processed: Re: Bug#879161: jessie-pu: package dns-root-data/2017072601~deb8u2

2017-12-09 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #879161 [release.debian.org] jessie-pu: package 
dns-root-data/2017072601~deb8u2
Added tag(s) pending.

-- 
879161: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879161
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#883124: stretch-pu: package golang-github-go-ldap-ldap/2.4.1-1

2017-12-09 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #883124 [release.debian.org] stretch-pu: package 
golang-github-go-ldap-ldap/2.4.1-1
Added tag(s) pending.

-- 
883124: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883124
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#883066: stretch-pu: package waagent/2.2.18-3~deb9u1

2017-12-09 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #883066 [release.debian.org] stretch-pu: package waagent/2.2.18-3~deb9u1
Added tag(s) pending.

-- 
883066: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883066
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#882773: stretch-pu: package auto-apt-proxy/2+deb9u1

2017-12-09 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #882773 [release.debian.org] stretch-pu: package auto-apt-proxy/2+deb9u1
Added tag(s) pending.

-- 
882773: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882773
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#882773: stretch-pu: package auto-apt-proxy/2+deb9u1

2017-12-09 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2017-12-02 at 12:19 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2017-11-27 at 13:57 -0200, Antonio Terceiro wrote:
> > Control: tag -1 - moreinfo
> > 
> > On Sun, Nov 26, 2017 at 10:11:12PM +0100, Andreas Beckmann wrote:
> > > Control: tag -1 moreinfo
> > > 
> > > On Sun, 26 Nov 2017 14:36:06 -0200 Antonio Terceiro
> > >  wrote:
> > > > This fixes a RC bug that has been reported recently, and was
> > > > just
> > > > fixed
> > > > in unstable.
> > > 
> > > I'm missing the corresponding undo operation in the preinst.
> 
> [..]
> > I have made a new upload to unstable fixing this, and cherry-picked
> > the fix into my stretch branch. Attached you will find an updated
> > diff against the version in stretch.
> 
> Please go ahead.

Uploaded (during the 9.3 freeze) and flagged for acceptance.

Regards,

Adam



Bug#883066: stretch-pu: package waagent/2.2.18-3~deb9u1

2017-12-09 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2017-12-02 at 12:17 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Wed, 2017-11-29 at 10:00 +0100, Bastian Blank wrote:
> > The Azure agent provides the provisioning part of the Microsoft
> > Azure platform.  It is necessary to tell the platform about the
> > state of the systems.  Therefore it is part of the "hardware"
> > support for the Azure platform.
> > 
> > This update includes both upstream fixes for sudoer handling,
> > Azure Stack handling and some Debian fixes for state directory
> > permissions.
> > 
> > The diff still lacks the changelog entry for the above mentioned
> > version, as no further changes are scheduled and this will be a
> > straight rebuild for Stretch.
> 
> As provided, the diff doesn't include any upstream changes at all...
> 
> On the assumption that they're sane, please go ahead.

Uploaded (during the 9.3 freeze) and flagged for acceptance.

Regards,

Adam



Bug#883124: stretch-pu: package golang-github-go-ldap-ldap/2.4.1-1

2017-12-09 Thread Adam D. Barratt
Control: tags -1 + pending

On Sun, 2017-12-03 at 21:28 +, Adam D. Barratt wrote:
> On Sun, 2017-12-03 at 22:20 +0100, Dr. Tobias Quathamer wrote:
> > On 02.12.2017 at 13:12, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > > 
> > > On Wed, 2017-11-29 at 23:53 +0100, Dr. Tobias Quathamer wrote:
> > > > I've prepared a fix for CVE-2017-14623, Debian BTS #876404. The
> > > > security team does not intend to publish a DSA for this minor
> > > > issue,
> > > > so I'm asking here if you would accept an upload for stable-
> > > > proposed-
> > > > updates.
> > > 
> > > As this doesn't appear to affect anything else in-archive at
> > > least,
> > > please go ahead.
> > 
> > Thanks, the package has been uploaded and just accepted into
> > proposed-updates.
> 
> It's been accepted into the stable-new queue. It won't be accepted
> into proposed-updates until a member of the Release Team asks the
> archive software to do that (which now won't be until at least next
> weekend, as things are frozen in preparation for the upcoming point
> releases).

Flagged for acceptance into proposed-updates.

Regards,

Adam



Processed: Re: Bug#877934: stretch-pu: package cron/3.0pl1-128.1

2017-12-09 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #877934 [release.debian.org] stretch-pu: package cron/3.0pl1-128.1
Added tag(s) pending.

-- 
877934: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877934
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#877934: stretch-pu: package cron/3.0pl1-128.1

2017-12-09 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2017-12-02 at 11:08 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2017-10-07 at 15:51 +0200, Laurent Bigonville wrote:
> > The version of cron currently in stretch is not properly
> > transitioning the system jobs to the correct SELinux context (See:
> > #857662).
> > 
> > This is breaking cron for the people using SELinux on debian.
> > 
> > The root cause of this is a change in the SELinux policy.
> > 
> > The attached patch (that has been pushed to unstable) is fixing
> > this
> > and is also avoiding hardcoding identifiers and detect them at
> > runtime instead. This is a more complete patch than the one
> > proposed
> > on the original bugreport.
> > 
> > All the changes are only affecting the code path when SELinux is
> > enabled.
> 
> Assuming that the changes have been tested on stretch, please go
> ahead, bearing in mind that the window for getting fixes into the 9.3
> point release closes during this weekend.

Uploaded (during the 9.3 freeze) and flagged for acceptance.

Regards,

Adam



Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api

2017-12-09 Thread Adam D. Barratt
On Tue, 2017-11-21 at 00:45 +0100, Thomas Goirand wrote:
> As a consequence, the init script for the start of nova-placement-api
> simply doesn't work. So I'd like to make use of uwsgi, which is a
> very good way to run WSGI applications. I've added a runtime depends
> on uwsgi, and modified the startup script to use that.
[...]
> Though the security team (ie: Sebastien Delafond) advised me wisely
> to start the discussion with the release team about this new
> dependency for nova-placement-api.

For the record, reviewing the diff of the -security upload, I notice
that the change actually adds *two* runtime dependencies - the second,
which was not mentioned in this pre-approval request, nor included in
the proposed diff, being python-pastescript.

Regards,

Adam



Bug#883921: transition: libical

2017-12-09 Thread Matthias Klose
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Please set up a libical transition tracker.

title = "libical 3.0.0";
is_affected = .depends ~ /libical2|libical3/;
is_good = .depends ~ /libical3/;
is_bad = .depends ~ /libical2/;

The new libical3 is built from the separate source libical3, so it should be a
smooth transition.

Please binNMU the following packages:

agenda.app
almanah
asterisk
bijiben
bluez
evolution
evolution-data-server
gnokii
gnome-panel
gnome-shell
jana
kmymoney
omniorb-dfsg

For the other packages I'm filing bugs for build failures, which need either
fixing first by build-depending on libical2-dev, or getting patches for
libical(3)-dev.



Bug#883332: marked as done (stretch-pu: package sitesummary/0.1.28+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #883332,
regarding stretch-pu: package sitesummary/0.1.28+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
883332: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883332
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

we would like to update sitesummary in stretch, fixing #883323 with
severity important: "sitesummary-client: the nagios plugin module 
'check_kernel_status' fails to detect 4.x kernels".

#883323 is fixed in sid and the debdiff for Stretch is:

$ debdiff sitesummary_0.1.28.dsc sitesummary_0.1.28+deb9u1.dsc 
diff -Nru sitesummary-0.1.28/debian/changelog 
sitesummary-0.1.28+deb9u1/debian/changelog
--- sitesummary-0.1.28/debian/changelog 2017-01-31 12:26:50.0 +
+++ sitesummary-0.1.28+deb9u1/debian/changelog  2017-12-02 12:49:56.0 
+
@@ -1,3 +1,10 @@
+sitesummary (0.1.28+deb9u1) stretch; urgency=medium
+
+  [ Wolfgang Schweer ]
+  * Adjust nagios kernel version checking module to work with 4.x kernels.
+
+ -- Holger Levsen   Sat, 02 Dec 2017 12:49:56 +
+
 sitesummary (0.1.28) unstable; urgency=medium
 
   [ Wolfgang Schweer ]
diff -Nru sitesummary-0.1.28/nagios-plugins/check_kernel_status 
sitesummary-0.1.28+deb9u1/nagios-plugins/check_kernel_status
--- sitesummary-0.1.28/nagios-plugins/check_kernel_status   2017-01-07 
12:36:53.0 +
+++ sitesummary-0.1.28+deb9u1/nagios-plugins/check_kernel_status
2017-12-02 12:47:57.0 +
@@ -72,7 +72,7 @@
 my $dpkg;
 for my $line (split("\n", $dpkg_list)) {
chomp $line;
-   $dpkg = $line if ($line =~ m/^ii.+linux-image-(2.6|3.\d)/);
+   $dpkg = $line if ($line =~ m/^ii.+linux-image-(2.6|3.\d|4.\d)/);
 }
 
 # Now, which OS is it, and which footprint do they use?
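Review bot: the alternation in the changed `m/^ii.+linux-image-(2.6|3.\d|4.\d)/` still enumerates kernel major versions by hand, so the check will stop matching again at the next major version bump, which is the failure #883323 describes for 4.x. The dots are also unescaped, so `2.6`, `3.\d` and `4.\d` each accept any character in that position. Suggest matching the version generically, for example `linux-image-(\d+\.\d+)`, or at least escaping the dots and leaving a comment that the list has to be extended for each new major version.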



Thanks for your ongoing work on Stretch!

-- 
cheers,
Holger


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#883344: marked as done (stretch-pu: package debian-edu-doc/1.921~20170603+deb9u3)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #883344,
regarding stretch-pu: package debian-edu-doc/1.921~20170603+deb9u3
to be marked as done.


-- 
883344: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883344
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

please accept debian-edu-doc/1.921~20170603+deb9u3 into 9.2, it's a
documentation-only update with this changelog:

debian-edu-doc (1.921~20170603+deb9u3) stretch; urgency=medium

  [ Holger Levsen ]
  * Merge stretch related documentation and translation updates from the
debian-edu-doc package in sid:
  * Update Debian Edu Stretch manual from the wiki.

  [ Stretch manual translation updates ]
  * Dutch: Frans Spiesschaert.
  * German: Wolfgang Schweer.
  * Italian: Claudio Carboncini.
  * Japanese: Victory.
  * Norwegian Bokmål: Petter Reinholdtsen.
  * Simplified Chinese: Ma Yong.

  [ Frans Spiesschaert ]
  * images/nl: add a Dutch images folder and Dutch screenshots for the manual.

  [ Wolfgang Schweer ]
  * documentation/common/edu.css.xml: improve HTML manual readability.

  [ ITIL manual translation updates ]
  * Dutch: Frans Spiesschaert.


$ debdiff debian-edu-doc_1.921~20170603+deb9u2.dsc debian-edu-doc_1.921~20170603+deb9u3.dsc | diffstat
 debian/changelog                                                 |   26
 documentation/common/edu.css.xml                                 |   86
 documentation/debian-edu-itil/debian-edu-itil-manual.nb.po       |    2
 documentation/debian-edu-itil/debian-edu-itil-manual.pot         |    2
 documentation/debian-edu-itil/po4a.cfg                           |    2
 documentation/debian-edu-stretch/debian-edu-stretch-manual.da.po |  862
 documentation/debian-edu-stretch/debian-edu-stretch-manual.de.po |  758 ++-
 documentation/debian-edu-stretch/debian-edu-stretch-manual.es.po |  409 +---
 documentation/debian-edu-stretch/debian-edu-stretch-manual.fr.po |  894
 documentation/debian-edu-stretch/debian-edu-stretch-manual.it.po |  910
 documentation/debian-edu-stretch/debian-edu-stretch-manual.ja.po |  809 ---
 documentation/debian-edu-stretch/debian-edu-stretch-manual.nb.po |  909
 documentation/debian-edu-stretch/debian-edu-stretch-manual.nl.po | 1015 +-
 documentation/debian-edu-stretch/debian-edu-stretch-manual.pl.po |  394 +--
 documentation/debian-edu-stretch/debian-edu-stretch-manual.pot   |  370 +--
 documentation/debian-edu-stretch/debian-edu-stretch-manual.xml   |  171 -
 documentation/debian-edu-stretch/debian-edu-stretch-manual.zh.po |  566 ++---
 documentation/debian-edu-stretch/fixme-status.txt                |    3
 18 files changed, 4008 insertions(+), 4180 deletions(-)

The compressed debdiff is *not* attached but I will happily do so if you want me
to.

All of these changes are/should be available in sid any time now, most are in
buster.
Except that I have very bad internet here atm, so I'm not sure I'll get the
upload through during African daytime... (and I first need to upload 35mb source
package to sid and then to stable-proposed...) - I will notify this bug once the
uploads have made it.

(also: I had originally planned to upload this before the weekend before the
point release weekend but failed to keep track of the days properly...)


Thanks for your work on 9.2!

-- 
cheers,
Holger


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#883292: marked as done (jessie-pu: package libio-socket-ssl-perl/2.002-2+deb8u3)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #883292,
regarding jessie-pu: package libio-socket-ssl-perl/2.002-2+deb8u3
to be marked as done.


-- 
883292: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883292
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi SRM

I know the window for the upcoming point release is this weekend, so
this one might not make it in time. It was reported that the version
in jessie of libio-socket-ssl-perl might segfault when using malformed
client certificates, cf. #881711.

For jessie this issue is open, and the reporter confirmed that the
patch fixes the issue there, so I cherry-picked the change for jessie.

Attached is the resulting debdiff; would it be fine to include it in this (or
any further point release)?

Regards,
Salvatore
diff -Nru libio-socket-ssl-perl-2.002/debian/changelog 
libio-socket-ssl-perl-2.002/debian/changelog
--- libio-socket-ssl-perl-2.002/debian/changelog2016-10-08 
17:26:51.0 +0200
+++ libio-socket-ssl-perl-2.002/debian/changelog2017-12-01 
20:40:51.0 +0100
@@ -1,3 +1,9 @@
+libio-socket-ssl-perl (2.002-2+deb8u3) jessie; urgency=medium
+
+  * Fix segfault using malformed client certificates (Closes: #881711)
+
+ -- Salvatore Bonaccorso   Fri, 01 Dec 2017 20:40:51 +0100
+
 libio-socket-ssl-perl (2.002-2+deb8u2) jessie; urgency=medium
 
   * Add 0001-remove-r-for-checking-SSL_-cert-key-_file-since-this.patch.
diff -Nru 
libio-socket-ssl-perl-2.002/debian/patches/0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch
 
libio-socket-ssl-perl-2.002/debian/patches/0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch
--- 
libio-socket-ssl-perl-2.002/debian/patches/0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch
  1970-01-01 01:00:00.0 +0100
+++ 
libio-socket-ssl-perl-2.002/debian/patches/0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch
  2017-12-01 20:40:51.0 +0100
@@ -0,0 +1,25 @@
+From: Steffen Ullrich 
+Date: Sun, 26 Oct 2014 18:23:15 +0100
+Subject: Propagate error if cert/key could not be used instead of continuing
+ with an invalid context which might cause a segmentation fault
+Origin: 
https://github.com/noxxi/p5-io-socket-ssl/commit/a09f29f423859565bc0384dcfbbc75811d9e4e4a
+Bug-Debian: https://bugs.debian.org/881711
+
+---
+
+diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
+index 13c6680..2330b45 100644
+--- a/lib/IO/Socket/SSL.pm
 b/lib/IO/Socket/SSL.pm
+@@ -489,7 +489,7 @@ sub configure_SSL {
+ 
+ # create context
+ # this will fill in defaults in $arg_hash
+-$ctx ||= IO::Socket::SSL::SSL_Context->new($arg_hash);
++$ctx ||= IO::Socket::SSL::SSL_Context->new($arg_hash) || return;
+ 
+ ${*$self}{'_SSL_arguments'} = $arg_hash;
+ ${*$self}{'_SSL_ctx'} = $ctx;
+-- 
+2.15.1
+
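Review bot: in the `configure_SSL` hunk the new `|| return` leaves the method before `${*$self}{'_SSL_arguments'}` and `${*$self}{'_SSL_ctx'}` are assigned, and it returns a bare false value with no message of its own, so the fix depends on `SSL_Context->new` having recorded the error and on every caller checking what `configure_SSL` returns. Worth confirming both for the 2.002 code paths in jessie, and adding a regression test that feeds a malformed client certificate and expects a failed configure rather than a crash. The statement parses as `$ctx ||= (new(...) || return)`, which is the intended behaviour; a short comment saying so would help the next reader.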
diff -Nru libio-socket-ssl-perl-2.002/debian/patches/series 
libio-socket-ssl-perl-2.002/debian/patches/series
--- libio-socket-ssl-perl-2.002/debian/patches/series   2016-10-08 
17:26:51.0 +0200
+++ libio-socket-ssl-perl-2.002/debian/patches/series   2017-12-01 
20:40:51.0 +0100
@@ -1,3 +1,4 @@
 0001-use-only-ICANN-part-in-public-suffix-list.patch
 0001-make-PublicSuffix-_default_data-thread-safe-by-stori.patch
 0001-remove-r-for-checking-SSL_-cert-key-_file-since-this.patch
+0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch
--- End Message ---
--- Begin Message ---
Version: 8.10

Hi,

Each of the updates referenced in these bugs was included in this
morning's jessie point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882869: marked as done (stretch-pu: package libxkbcommon/0.7.1-2~deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882869,
regarding stretch-pu: package libxkbcommon/0.7.1-2~deb9u1
to be marked as done.


-- 
882869: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882869
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Let's fix a missing dependency by rebuilding the package from sid for
stretch. #872874


Andreas
diff -u libxkbcommon-0.7.1/debian/changelog libxkbcommon-0.7.1/debian/changelog
--- libxkbcommon-0.7.1/debian/changelog
+++ libxkbcommon-0.7.1/debian/changelog
@@ -1,3 +1,18 @@
+libxkbcommon (0.7.1-2~deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for stretch.
+
+ -- Andreas Beckmann   Mon, 27 Nov 2017 17:50:43 +0100
+
+libxkbcommon (0.7.1-2) unstable; urgency=medium
+
+  * Remove Cyril from Uploaders.
+  * Add missing dependency libxkbcommon-x11-dev → libxkbcommon-dev
+(closes: #872874).
+
+ -- Julien Cristau   Sat, 16 Sep 2017 13:40:36 +0200
+
 libxkbcommon (0.7.1-1) unstable; urgency=medium
 
   * New upstream release.
diff -u libxkbcommon-0.7.1/debian/control libxkbcommon-0.7.1/debian/control
--- libxkbcommon-0.7.1/debian/control
+++ libxkbcommon-0.7.1/debian/control
@@ -2,7 +2,7 @@
 Section: x11
 Priority: optional
 Maintainer: Debian X Strike Force 
-Uploaders: Cyril Brulebois , Michael Stapelberg 

+Uploaders: Michael Stapelberg 
 Build-Depends:
  debhelper (>= 10),
  quilt,
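Review bot: the `Uploaders` edit in this hunk is unrelated to the missing dependency tracked in #872874, and the request text only mentions the dependency. Since the upload is described as a rebuild of the sid package, say explicitly in the request that the `Uploaders` change comes along with 0.7.1-2 and has no functional effect, so a reviewer of the stable diff does not have to work out why a maintainer-field change is in it.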
@@ -94,6 +94,7 @@
 Pre-Depends: ${misc:Pre-Depends}
 Depends:
  libxkbcommon-x11-0 (= ${binary:Version}),
+ libxkbcommon-dev (= ${binary:Version}),
  libxcb1-dev,
  libxcb-xkb-dev,
  ${shlibs:Depends},
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882959: marked as done (stretch-pu: package pdns/4.0.3-1+deb9u2)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882959,
regarding stretch-pu: package pdns/4.0.3-1+deb9u2
to be marked as done.


-- 
882959: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882959
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Security update using upstream patch, for CVE-2017-15091.
DSA has marked this no-DSA but suggested that this should
be fixed via stable-updates.

4.0.3-1+deb9u1 is already in p-u, the attached debdiff is
against that version. Please let me know if this is bad.

Thanks,
Chris
diff -Nru pdns-4.0.3/debian/changelog pdns-4.0.3/debian/changelog
--- pdns-4.0.3/debian/changelog 2017-10-30 07:12:17.0 +
+++ pdns-4.0.3/debian/changelog 2017-11-27 22:02:24.0 +
@@ -1,3 +1,10 @@
+pdns (4.0.3-1+deb9u2) stretch; urgency=medium
+
+  * Add upstream patch fixing security issue:
+  * Missing check on API operations. CVE-2017-15091
+
+ -- Christian Hofstaedtler   Mon, 27 Nov 2017 22:02:24 +
+
 pdns (4.0.3-1+deb9u1) stretch; urgency=medium
 
   * Fix incorrect qname casing in NSEC3 generation (Closes: #869222)
diff -Nru pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch 
pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch
--- pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch1970-01-01 
00:00:00.0 +
+++ pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch2017-11-27 
22:02:24.0 +
@@ -0,0 +1,30 @@
+diff -ru pdns-4.0.4.orig/pdns/ws-auth.cc pdns-4.0.4/pdns/ws-auth.cc
+--- pdns-4.0.4.orig/pdns/ws-auth.cc2017-06-22 22:07:25.0 +0200
 pdns-4.0.4/pdns/ws-auth.cc 2017-11-02 18:07:20.986764858 +0100
+@@ -860,7 +860,7 @@
+ static void apiServerZoneAxfrRetrieve(HttpRequest* req, HttpResponse* resp) {
+   DNSName zonename = apiZoneIdToName(req->parameters["id"]);
+ 
+-  if(req->method != "PUT")
++  if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
+ throw HttpMethodNotAllowedException();
+ 
+   UeberBackend B;
+@@ -879,7 +879,7 @@
+ static void apiServerZoneNotify(HttpRequest* req, HttpResponse* resp) {
+   DNSName zonename = apiZoneIdToName(req->parameters["id"]);
+ 
+-  if(req->method != "PUT")
++  if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
+ throw HttpMethodNotAllowedException();
+ 
+   UeberBackend B;
+@@ -1191,7 +1191,7 @@
+ }
+ 
+ void apiServerCacheFlush(HttpRequest* req, HttpResponse* resp) {
+-  if(req->method != "PUT")
++  if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
+ throw HttpMethodNotAllowedException();
+ 
+   DNSName canon = apiNameToDNSName(req->getvars["domain"]);
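Review bot: the same `|| ::arg().mustDo("api-readonly")` test is added by hand to three handlers (`apiServerZoneAxfrRetrieve`, `apiServerZoneNotify`, `apiServerCacheFlush`); the changelog describes the bug as a missing check on API operations, and a per-handler test is easy to miss again. A shared guard called at the top of every state-changing handler, or a check at dispatch, would keep a future write endpoint from shipping without it. Folding the read-only case into the method test also means a correctly formed PUT gets `HttpMethodNotAllowedException` with nothing telling the client that the API is read-only; a distinct error message would make that easier to diagnose.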
diff -Nru pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc 
pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc
--- pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc1970-01-01 
00:00:00.0 +
+++ pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc2017-11-27 
22:02:24.0 +
@@ -0,0 +1,11 @@
+-BEGIN PGP SIGNATURE-
+
+iQFNBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAloStHQaHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEYtRgf3bMwaR4tdR0p5f0TMCuFN
+7QbOpyLFLhatNYQFhUEFXQ7nesgNtNObu6qLOTi9fxD4zpcvnkz/a22m5S9tkf0W
+Y6E2fMy9NoLysSvTwgBCrXKbqttzFvpYRCWVzKnWgz67hjF4U57Wp1rY88XWmVHE
+5T4unYv7Kn+C2mDfBl1cOnRO2Y1VeJ79hS802q1WrnqREJkIZrN+CzpXGX/512Tg
+PLQ6Dke25kvlqGqsC7PRI8lU9Sm9UPLkR1ILKQCoIgxi7RXXYNmIE2dPgI2z06pm
+Cu9wFIYiaYtUjG+u4N6heJSfDvJZbWX+c8Xhvy16u3i1M/xPhB2Sq/IgZQV7S+NK
+=0Skb
+-END PGP SIGNATURE-
diff -Nru pdns-4.0.3/debian/patches/series pdns-4.0.3/debian/patches/series
--- pdns-4.0.3/debian/patches/series2017-10-30 07:12:17.0 +
+++ pdns-4.0.3/debian/patches/series2017-11-27 22:02:24.0 +
@@ -1 +1,2 @@
 869222-lowercase-qname-before-NSEC-generation.patch
+CVE-2017-15091-4.0.4.patch
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882958: marked as done (stretch-pu: package pdns-recursor/4.0.4-1+deb9u2)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882958,
regarding stretch-pu: package pdns-recursor/4.0.4-1+deb9u2
to be marked as done.


-- 
882958: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882958
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Security update using upstream patches to fix CVE-2017-15090,
CVE-2017-15092, CVE-2017-15093, CVE-2017-15094.
DSA has marked those as non-DSA but suggested fixing through
a stable update instead.

debdiff against deb9u1 (in stable proper) attached.

Thanks,
Chris
diff -Nru pdns-recursor-4.0.4/debian/changelog 
pdns-recursor-4.0.4/debian/changelog
--- pdns-recursor-4.0.4/debian/changelog2017-06-27 12:31:08.0 
+
+++ pdns-recursor-4.0.4/debian/changelog2017-11-27 21:44:40.0 
+
@@ -1,3 +1,13 @@
+pdns-recursor (4.0.4-1+deb9u2) stretch; urgency=medium
+
+  * Add upstream patches fixing security issues:
+  * Insufficient validation of DNSSEC signatures. CVE-2017-15090
+  * Cross-Site Scripting in the web interface. CVE-2017-15092
+  * Configuration file injection in the API. CVE-2017-15093
+  * Memory leak in DNSSEC parsing. CVE-2017-15094
+
+ -- Christian Hofstaedtler   Mon, 27 Nov 2017 21:44:40 +
+
 pdns-recursor (4.0.4-1+deb9u1) stretch; urgency=medium
 
   * Add new root trust anchor KSK-2017 to embedded root trust list.
diff -Nru pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch 
pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch
--- pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch   
1970-01-01 00:00:00.0 +
+++ pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch   
2017-11-27 21:44:40.0 +
@@ -0,0 +1,15 @@
+diff -ru pdns-recursor-4.0.6.orig/validate-recursor.cc 
pdns-recursor-4.0.6/validate-recursor.cc
+--- pdns-recursor-4.0.6.orig/validate-recursor.cc  2017-07-04 
17:43:07.0 +0200
 pdns-recursor-4.0.6/validate-recursor.cc   2017-11-02 18:29:16.612520450 
+0100
+@@ -87,6 +87,11 @@
+ bool first = true;
+ for(const auto& csp : cspmap) {
+   for(const auto& sig : csp.second.signatures) {
++
++if (!csp.first.first.isPartOf(sig->d_signer)) {
++  return increaseDNSSECStateCounter(Bogus);
++}
++
+ vState newState = getKeysFor(sro, sig->d_signer, keys); // XXX check 
validity here
+ 
+ if (newState == Bogus) // No hope
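Review bot: the new `isPartOf` test sits inside the loop over `csp.second.signatures` and returns `Bogus` for the whole validation as soon as one signature's `d_signer` is not the name itself or a parent of it. Please confirm that failing the entire answer is intended, as opposed to skipping that signature with `continue` and letting any remaining signatures be evaluated; a one-line comment stating the rule being enforced would settle it. The context line below still carries `// XXX check validity here`, so it is also worth saying whether this check is what that marker was asking for.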
diff -Nru pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch.asc 
pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch.asc
--- pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch.asc   
1970-01-01 00:00:00.0 +
+++ pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch.asc   
2017-11-27 21:44:40.0 +
@@ -0,0 +1,12 @@
+-BEGIN PGP SIGNATURE-
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAloStE4aHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEbDZwf+JDDe7box5QLp+5T4gaQj
+1SyU2UaL2LVgIZbkvMoM03mGEc5LOushKLE0aoTKPwYbz2m5Oz1We3d1/Bv2OtJD
+9AXslTaaqSg0rmdeEJIPYUa393TXLXhCjKUcF/5kbo0Y6+T5dcukGMw/LkZqt4/O
+RLnj51eN0lSQrS+nCXHfREmIP2nj8+T6xAjNGIZ3NEQ9c3m1dPAzvd/skYiJkm/P
+dC3uyEYFRlN33fQp8LYL/mK3HDApX9DESfJUsqvnpJlX6qyUejxkGeJZ3ro1IStE
+NI5m1GRoI3FBbywIn9BPcllU0RkIS5X7r0wRWZ7D0e1nWHcgPqtyVkjvh6kUbRgs
+VA==
+=3aIe
+-END PGP SIGNATURE-
diff -Nru pdns-recursor-4.0.4/debian/patches/CVE-2017-15092-4.0.6.patch 
pdns-recursor-4.0.4/debian/patches/CVE-2017-15092-4.0.6.patch
--- pdns-recursor-4.0.4/debian/patches/CVE-2017-15092-4.0.6.patch   
1970-01-01 00:00:00.0 +
+++ pdns-recursor-4.0.4/debian/patches/CVE-2017-15092-4.0.6.patch   
2017-11-27 21:44:40.0 +
@@ -0,0 +1,85 @@
+diff -ru pdns-recursor-4.0.6.orig/html/local.js 
pdns-recursor-4.0.6/html/local.js
+--- pdns-recursor-4.0.6.orig/html/local.js 2017-07-04 17:43:07.0 
+0200
 pdns-recursor-4.0.6/html/local.js  2017-11-02 18:26:04.624586674 +0100
+@@ -63,7 +63,7 @@
+ 
+   $.getJSON(qstring,
+ function(data) {
+-var 
bouw="NumberDomainType";
++var table = 
$('NumberDomainType');
+ var num=0;
+ var total=0, rest=0;
+ $.each(data["entries"], function(a,b) {
+@@ -

Bug#883176: marked as done (stretch-pu: package fig2dev/1:3.2.6a-2)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #883176,
regarding stretch-pu: package fig2dev/1:3.2.6a-2
to be marked as done.


-- 
883176: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883176
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Fix some minor security issues, which according to security team do
not warrant a DSA:

 * CVE-2017-16899: 31_input_sanitizing: Some input sanitizing on FIG
   files (Closes: #881143, #881144).
 * 32_fill-style-overflow: Sanitize input of fill patterns
   (Closes: #881396).

The patches are adapted from unstable/testing.

Greetings
Roland
diff -Nru fig2dev-3.2.6a/debian/changelog fig2dev-3.2.6a/debian/changelog
--- fig2dev-3.2.6a/debian/changelog	2017-01-28 10:30:50.0 +0100
+++ fig2dev-3.2.6a/debian/changelog	2017-11-30 12:02:27.0 +0100
@@ -1,3 +1,12 @@
+fig2dev (1:3.2.6a-2+deb9u1) stable; urgency=medium
+
+  * CVE-2017-16899: 31_input_sanitizing: Some input sanitizing on FIG
+files (Closes: #881143, #881144).
+  * 32_fill-style-overflow: Sanitize input of fill patterns
+(Closes: #881396).
+
+ -- Roland Rosenfeld   Thu, 30 Nov 2017 12:02:27 +0100
+
 fig2dev (1:3.2.6a-2) unstable; urgency=medium
 
   * build-dep on etoolbox required with current texlive (Closes: #852915).
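Review bot: the new changelog entry targets `stable` (`fig2dev (1:3.2.6a-2+deb9u1) stable; urgency=medium`), while the request is tagged stretch and the other proposed updates on this list name the codename. Suggest `stretch` as the distribution so the entry still identifies the right suite after the next release.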
diff -Nru fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch
--- fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch	1970-01-01 01:00:00.0 +0100
+++ fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch	2017-11-30 12:02:27.0 +0100
@@ -0,0 +1,41 @@
+Description: CVE-2017-16899 Some input sanitizing when reading FIG files.
+Bug-Debian: https://bugs.debian.org/881143
+Bug-Debian: https://bugs.debian.org/881144
+Author: Thomas Loimer 
+
+--- a/fig2dev/read.c
 b/fig2dev/read.c
+@@ -1329,8 +1329,14 @@ read_textobject(FILE *fp)
+ | PSFONT_TEXT;
+ 
+ 	/* keep the font number reasonable */
+-	if (t->font > MAXFONT(t))
++   if (t->font > MAXFONT(t)) {
+ 		t->font = MAXFONT(t);
++   } else if (t->font < 0 ) {
++   if (psfont_text(t) && t->font < -1)
++   t->font = -1;
++   else
++   t->font = 0;
++   }
+ 	fix_and_note_color(&t->color);
+ 	t->comments = attach_comments();	/* attach any comments */
+ 	return t;
+--- a/fig2dev/read1_3.c
 b/fig2dev/read1_3.c
+@@ -470,6 +470,15 @@ read_textobject(FILE *fp)
+ 	free((char*) t);
+ 	return(NULL);
+ 	}
++   /* keep the font number within valid range */
++   if (t->font > MAXFONT(t)) {
++   t->font = MAXFONT(t);
++   } else if (t->font < 0 ) {
++   if (psfont_text(t) && t->font < -1)
++   t->font = -1;
++   else
++   t->font = 0;
++   }
+ 	(void)strcpy(t->cstring, buf);
+ 	if (t->size == 0) t->size = 18;
+ 	return(t);
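Review bot: in both `read_textobject` hunks the `else` arm of the negative-font branch also catches a PostScript text whose font is exactly -1 and resets it to 0, even though the arm above clamps anything below -1 to -1 and so treats -1 as a value worth keeping when `psfont_text(t)` is true. If -1 is valid for PostScript fonts, the inner test should leave it alone and reset to 0 only for non-PostScript text; if it is not valid, the clamp to -1 looks wrong. The identical block is pasted into read.c and read1_3.c, so a small shared helper would keep the two readers from drifting, and the added lines appear to be indented with spaces where the surrounding code uses tabs.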
diff -Nru fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch
--- fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch	1970-01-01 01:00:00.0 +0100
+++ fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch	2017-11-30 12:02:27.0 +0100
@@ -0,0 +1,47 @@
+Description: Sanitize input of fill patterns.
+Bug-Debian: https://bugs.debian.org/881396
+Author: Thomas Loimer 
+
+--- a/fig2dev/read.c
 b/fig2dev/read.c
+@@ -71,6 +71,8 @@ static int		 save_comment(void);
+ 
+ #define		FILL_CONVERT(f)	((v2_flag || (f) < WHITE_FILL) \
+ 	? (v30_flag? f: (f-1)) : 20 - ((f)-1)*5)
++#define		FILL_SANITIZE(f)	((f) < UNFILLED || (f) >= \
++			NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : f
+ 
+ /* input buffer size */
+ #define		BUF_SIZE	1024
+@@ -547,6 +549,7 @@ read_arcobject(FILE *fp)
+ 	}
+ 	a->thickness *= round(THICK_SCALE);
+ 	a->fill_style = FILL_CONVERT(a->fill_style);
++	a->fill_style = FILL_SANITIZE(a->fill_style);
+ 	NOTE_FILL(a);
+ 	fix_and_note_color(&a->pen_color);
+ 	if (fa) {
+@@ -730,6 +733,7 @@ read_ellipseobject(void)
+ 	fix_and_note_color(&e->pen_color);
+ 	e->thickness *= round(THICK_SCALE);
+ 	e->fill_style = FILL_CONVERT(e->fill_style);
++	e->fill_style = FILL_SANITIZE(e->fill_style);
+ 	NOTE_FILL(e);
+ 	e->comments = attach_comment
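Review bot: `FILL_SANITIZE` expands to an unparenthesised conditional, `((f) < UNFILLED || (f) >= NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : f`, with the final `f` bare. It behaves in the plain assignments added here, but any use inside a larger expression would bind to the `?:` in surprising ways. Wrap the whole expansion in parentheses and write the last operand as `(f)`. The argument can also be evaluated up to three times, so it should only ever be given a side-effect-free expression, which a comment next to the macro could state.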

Bug#882961: marked as done (jessie-pu: package pdns/3.4.1-4+deb8u8)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #882961,
regarding jessie-pu: package pdns/3.4.1-4+deb8u8
to be marked as done.


-- 
882961: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882961
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Security update for CVE-2017-15091. DSA has marked this
no-DSA but suggested this goes through (old)-stable-updates.

debdiff attached.

Thanks,
Chris
diff -Nru pdns-3.4.1/debian/changelog pdns-3.4.1/debian/changelog
--- pdns-3.4.1/debian/changelog 2017-01-07 00:45:53.0 +
+++ pdns-3.4.1/debian/changelog 2017-11-27 21:19:19.0 +
@@ -1,3 +1,10 @@
+pdns (3.4.1-4+deb8u8) jessie; urgency=medium
+
+  * Add patch fixing security issue:
+  * Missing check on API operations: CVE-2017-15091
+
+ -- Christian Hofstaedtler   Mon, 27 Nov 2017 21:19:19 +
+
 pdns (3.4.1-4+deb8u7) jessie-security; urgency=high
 
   * Security upload.
diff -Nru pdns-3.4.1/debian/patches/CVE-2017-15091.patch 
pdns-3.4.1/debian/patches/CVE-2017-15091.patch
--- pdns-3.4.1/debian/patches/CVE-2017-15091.patch  1970-01-01 
00:00:00.0 +
+++ pdns-3.4.1/debian/patches/CVE-2017-15091.patch  2017-11-27 
21:19:19.0 +
@@ -0,0 +1,16 @@
+Index: pdns/pdns/ws-auth.cc
+===
+--- pdns.orig/pdns/ws-auth.cc
 pdns/pdns/ws-auth.cc
+@@ -1144,6 +1144,11 @@ void AuthWebServer::jsonstat(HttpRequest
+ {
+   string command;
+ 
++  if (::arg().mustDo("experimental-api-readonly")) {
++resp->body = returnJsonError("Unavailable when API is readonly");
++resp->status = 405;
++  }
++
+   if(req->getvars.count("command")) {
+ command = req->getvars["command"];
+ req->getvars.erase("command");
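Review bot: the new read-only block in `AuthWebServer::jsonstat` sets `resp->body` and `resp->status = 405` but has no `return`, so execution falls through into the `if(req->getvars.count("command"))` handling directly below it. Add `return;` as the last statement of the block; as written the check changes the response fields but does not stop the handler. The guard also applies to every request reaching `jsonstat`, not only state-changing commands; if read-only commands should keep working under `experimental-api-readonly`, the test belongs inside the branches that modify state.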
diff -Nru pdns-3.4.1/debian/patches/series pdns-3.4.1/debian/patches/series
--- pdns-3.4.1/debian/patches/series2017-01-07 00:45:53.0 +
+++ pdns-3.4.1/debian/patches/series2017-11-27 21:19:19.0 +
@@ -9,3 +9,4 @@
 CVE-2016-7072.patch
 CVE-2016-7068.patch
 CVE-2016-2120.patch
+CVE-2017-15091.patch
--- End Message ---
--- Begin Message ---
Version: 8.10

Hi,

Each of the updates referenced in these bugs was included in this
morning's jessie point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#883071: marked as done (nmu: eclipse-titan)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #883071,
regarding nmu: eclipse-titan
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
883071: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883071
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: grave

--- Please enter the report below this line. ---

The Titan compiler needs the same gcc version (major.minor) which compiled
the eclipse/titan binaries.
When the package was built for stretch, the gcc version was 6.2.x, now it
is 6.3.x
Now if the user wants to build a TTCN-3 project with the titan compiler,
then it will abort with an error:

/usr/include/titan/cversion.h:7:2: error: #error The version of GCC does
not match the expected version (GCC 6.2.0)

A simple recompile will solve this issue, the new binaries will be created
with gcc 6.3.x and Titan will work again.
So please, recompile eclipse-titan.
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#883177: marked as done (jessie-pu: package transfig/1:3.2.5.e-4)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #883177,
regarding jessie-pu: package transfig/1:3.2.5.e-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
883177: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883177
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Fix some minor security issues, which according to security team do
not warrant a DSA:

  * CVE-2017-16899: 33_input_sanitizing: Some input sanitizing on FIG
files (Closes: #881143, #881144).
  * 34_fill-style-overflow: Sanitize input of fill patterns
(Closes: #881396).

The patches are adapted from unstable/testing.

Greetings
Roland
diff -Nru transfig-3.2.5.e/debian/changelog transfig-3.2.5.e/debian/changelog
--- transfig-3.2.5.e/debian/changelog	2014-08-26 10:06:01.0 +0200
+++ transfig-3.2.5.e/debian/changelog	2017-11-30 12:17:07.0 +0100
@@ -1,3 +1,12 @@
+transfig (1:3.2.5.e-4+deb8u1) jessie-proposed-updates; urgency=medium
+
+  * CVE-2017-16899: 33_input_sanitizing: Some input sanitizing on FIG
+files (Closes: #881143, #881144).
+  * 34_fill-style-overflow: Sanitize input of fill patterns
+(Closes: #881396).
+
+ -- Roland Rosenfeld   Thu, 30 Nov 2017 12:17:07 +0100
+
 transfig (1:3.2.5.e-4) unstable; urgency=low
 
   * 32_dev_Imake_typo: use gengbx.c instead of gengbx.o in SRCS, otherwise
diff -Nru transfig-3.2.5.e/debian/patches/33_input_sanitizing.patch transfig-3.2.5.e/debian/patches/33_input_sanitizing.patch
--- transfig-3.2.5.e/debian/patches/33_input_sanitizing.patch	1970-01-01 01:00:00.0 +0100
+++ transfig-3.2.5.e/debian/patches/33_input_sanitizing.patch	2017-11-30 12:17:07.0 +0100
@@ -0,0 +1,41 @@
+Description: CVE-2017-16899 Some input sanitizing when reading FIG files.
+Bug-Debian: https://bugs.debian.org/881143
+Bug-Debian: https://bugs.debian.org/881144
+Author: Thomas Loimer 
+
+--- a/fig2dev/read.c
 b/fig2dev/read.c
+@@ -1204,8 +1204,14 @@ FILE	*fp;
+ | PSFONT_TEXT;
+ 
+ 	/* keep the font number reasonable */
+-	if (t->font > MAXFONT(t))
++	if (t->font > MAXFONT(t)) {
+ 		t->font = MAXFONT(t);
++	} else if (t->font < 0 ) {
++		if (psfont_text(t) && t->font < -1)
++			t->font = -1;
++		else
++			t->font = 0;
++	}
+ 	fix_color(&t->color);
+ 	t->comments = attach_comments();	/* attach any comments */
+ 	return t;
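Review bot: in the new `else if (t->font < 0 )` branch, a PostScript text whose font is exactly -1 fails the `t->font < -1` test, falls into the else arm and is reset to 0, even though -1 is the value the arm above clamps PostScript fonts to. If -1 is meant to remain valid for psfont_text(t), test psfont_text(t) on its own first and clamp only values below -1 inside it, keeping the `t->font = 0` assignment for the non-PostScript case.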
+--- a/fig2dev/read1_3.c
 b/fig2dev/read1_3.c
+@@ -465,6 +465,15 @@ FILE	*fp;
+ 	free((char*) t);
+ 	return(NULL);
+ 	}
++   /* keep the font number within valid range */
++   if (t->font > MAXFONT(t)) {
++   t->font = MAXFONT(t);
++   } else if (t->font < 0 ) {
++   if (psfont_text(t) && t->font < -1)
++   t->font = -1;
++   else
++   t->font = 0;
++   }
+ 	(void)strcpy(t->cstring, buf);
+ 	if (t->size == 0) t->size = 18;
+ 	return(t);
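Review bot: this block in read1_3.c repeats the clamp added to read.c line for line, including its handling of font == -1 for PostScript text, and it is indented with spaces where the surrounding context lines use tabs. A small shared helper called from both readers would keep the two range checks from drifting apart; at minimum, match the file's tab indentation.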
diff -Nru transfig-3.2.5.e/debian/patches/34_fill-style-overflow.patch transfig-3.2.5.e/debian/patches/34_fill-style-overflow.patch
--- transfig-3.2.5.e/debian/patches/34_fill-style-overflow.patch	1970-01-01 01:00:00.0 +0100
+++ transfig-3.2.5.e/debian/patches/34_fill-style-overflow.patch	2017-11-30 12:17:07.0 +0100
@@ -0,0 +1,47 @@
+Description: Sanitize input of fill patterns.
+Bug-Debian: https://bugs.debian.org/881396
+Author: Thomas Loimer 
+
+--- a/fig2dev/read.c
 b/fig2dev/read.c
+@@ -61,6 +61,8 @@ static int		 save_comment();
+ #define			FILL_CONVERT(f) \
+ ((v2_flag || (f) < WHITE_FILL) \
+ 	? (v30_flag? f: (f-1)) : 20 - ((f)-1)*5)
++#define		FILL_SANITIZE(f)	((f) < UNFILLED || (f) >= \
++			NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : f
+ 
+ /* input buffer size */
+ #define		BUF_SIZE	1024
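Review bot: FILL_SANITIZE expands to a bare conditional expression: the whole `... ? UNFILLED : f` is not wrapped in parentheses and the final `f` is unparenthesised. The call sites in this patch use it as the sole right-hand side of an assignment, which works, but any later use inside a larger expression would bind incorrectly. Wrap the full expansion and the trailing `(f)` in parentheses, and add a comment that the argument is evaluated more than once.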
+@@ -527,6 +529,7 @@ FILE	*fp;
+ 	}
+ 	a->thickness *= round(THICK_SCALE);
+ 	a->fill_style = FILL_CONVERT(a->fill_style);
++	a->fill_style = FILL_SANITIZE(a->fill_style);
+ 	/* keep track if pattern is used */
+ 	note_pattern(a->fill_style);
+ 	fix_color(&a->pen_color);
+@@ -718,6 +721,7 @@ read_ellipseobject()
+ 	fix_color(&e->fill_color);
+ 	e->thickness *= round(THICK_SCALE);
+ 	e->fill_style = FILL_CONVERT(e->fill_style);
++	e->fill_style = FILL_SANITIZE(e->fill_style);
+ 	/* keep track if pattern is used */
+ 	note_pattern(e->fill_style);
+ 	e->comments = attach_comments();	/* attach any 

Bug#882960: marked as done (jessie-pu: package pdns-recursor/3.6.2-2+deb8u4)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #882960,
regarding jessie-pu: package pdns-recursor/3.6.2-2+deb8u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882960: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882960
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Security update using upstream patch for CVE-2017-15093.
DSA has marked this non-DSA but suggested fixing this
through an (old)stable update.

debdiff attached.

Thanks,
Chris
diff -Nru pdns-recursor-3.6.2/debian/changelog 
pdns-recursor-3.6.2/debian/changelog
--- pdns-recursor-3.6.2/debian/changelog2017-01-07 00:45:53.0 
+
+++ pdns-recursor-3.6.2/debian/changelog2017-11-27 21:26:46.0 
+
@@ -1,3 +1,10 @@
+pdns-recursor (3.6.2-2+deb8u4) jessie; urgency=medium
+
+  * Add upstream patch fixing security issue:
+  * Configuration file injection in the API. CVE-2017-15093
+
+ -- Christian Hofstaedtler   Mon, 27 Nov 2017 21:26:46 +
+
 pdns-recursor (3.6.2-2+deb8u3) jessie-security; urgency=high
 
   * Security upload.
diff -Nru pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch 
pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch
--- pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch   
1970-01-01 00:00:00.0 +
+++ pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch   
2017-11-27 21:26:46.0 +
@@ -0,0 +1,48 @@
+diff -ru pdns-recursor-3.7.4.orig/ws-recursor.cc 
pdns-recursor-3.7.4/ws-recursor.cc
+--- pdns-recursor-3.7.4.orig/ws-recursor.cc2017-01-13 12:03:03.0 
+0100
 pdns-recursor-3.7.4/ws-recursor.cc 2017-11-02 18:10:54.764426426 +0100
+@@ -79,10 +79,11 @@
+   throw ApiException("'value' must be an array");
+ }
+ 
++NetmaskGroup nmg;
+ for (SizeType i = 0; i < jlist.Size(); ++i) {
+   try {
+-Netmask(jlist[i].GetString());
+-  } catch (NetmaskException &e) {
++nmg.addMask(jlist[i].GetString());
++  } catch (const NetmaskException &e) {
+ throw ApiException(e.reason);
+   }
+ }
+@@ -94,9 +95,7 @@
+ 
+ // Clear allow-from, and provide a "parent" value
+ ss << "allow-from=" << endl;
+-for (SizeType i = 0; i < jlist.Size(); ++i) {
+-  ss << "allow-from+=" << jlist[i].GetString() << endl;
+-}
++ss << "allow-from+=" << nmg.toString() << endl;
+ 
+ apiWriteConfigFile("allow-from", ss.str());
+ 
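Review bot: with an empty `value` array the removed loop wrote no `allow-from+=` line at all, whereas the replacement always writes one `allow-from+=` line built from nmg.toString(), so the generated file differs in the empty case. Confirm what nmg.toString() yields for an empty group and that the config reader accepts that line, or skip the line when nothing was added. A short comment stating that the value is re-serialised from the parsed NetmaskGroup rather than echoed from the request would also make the intent of the fix clear.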
+@@ -233,10 +232,16 @@
+ string serverlist;
+ if (servers.IsArray()) {
+   for (SizeType i = 0; i < servers.Size(); ++i) {
+-if (!serverlist.empty()) {
+-  serverlist += ";";
++string server = servers[i].GetString();
++try {
++  ComboAddress ca = parseIPAndPort(server, 53);
++  if (!serverlist.empty()) {
++serverlist += ";";
++  }
++  serverlist += ca.toStringWithPort();
++} catch (const PDNSException &e) {
++  throw ApiException(e.reason);
+ }
+-serverlist += servers[i].GetString();
+   }
+ }
+ 
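Review bot: in the servers loop only PDNSException is converted into an ApiException, and servers[i].GetString() is called with no type check visible in this hunk, so a non-string array element depends on validation outside the lines shown. Check the element type before GetString() here if that is not already done earlier. The stored list now also always carries an explicit port from ca.toStringWithPort(), with 53 as the default; a comment saying so would help anyone comparing old and new configuration files.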
diff -Nru pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch.asc 
pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch.asc
--- pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch.asc   
1970-01-01 00:00:00.0 +
+++ pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch.asc   
2017-11-27 21:26:46.0 +
@@ -0,0 +1,12 @@
+-BEGIN PGP SIGNATURE-
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAloStJ8aHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEaoHgf/dAebO/MSvtvymt0pz0Kb
+lMvmkv6INpsh7bssVyY8v9HAMtkVRBSNAEiGjAJbLaDxsfgr0a+vGCd0C2v7sDXl
+8rZHuMlNpvxU0/i6O9k4AY9T7/G+Go567xbIK1PcZhZ+ixNaP7sms9a9ooISb4/R
++1wBz3D8TXUbWQsHkxX2GE6oihhqRdhvbOWpQ7aPNglE/wI4Eb5V2bIapM3M/o8N
+jFPm2kDZvNrcEMIW60vHdujrJMY85KiMGO9LMV9LCDj0nSO6jRTGI+2CteT2jnUq
+7w4L22ODxT1g5sIH/60swoHbIJ5zXWXDcxM3jPgh5kYIa7gvZoC6v1udsMyOYFu6
+Lw==
+=Y7Eg
+-END PGP SIGNATURE-
diff -Nru pdns-recursor-3.6.2/debian/patches/series 
pdns-recursor-3.6.2/debian/patches/series
--- pdns-recursor-3.6.2/debian/patches/series   2017-01-07 00:45:53.0 
+
+++ pdns-recursor-3.6.2/debian/patches/series   2017-11-27 21:26:46.0 
+
@@ -1,3 +1,4 @@
 CVE-2015-1868.patch
 CVE-2015-1868-2.patc

Bug#882834: marked as done (stretch-pu: package libxsettings-client/0.17-9~deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882834,
regarding stretch-pu: package libxsettings-client/0.17-9~deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882834: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882834
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Let's rebuild libxsettings-client for stretch and get the missing
libxsettings-dev dependency in libxsettings-client-dev. #695584


Andreas

PS: no substvars changed, no binary debdiff this time :-)
diff -Nru libxsettings-client-0.17/debian/changelog 
libxsettings-client-0.17/debian/changelog
--- libxsettings-client-0.17/debian/changelog   2015-10-31 23:24:06.0 
+0100
+++ libxsettings-client-0.17/debian/changelog   2017-11-27 05:20:39.0 
+0100
@@ -1,3 +1,18 @@
+libxsettings-client (0.17-9~deb9u1) stretch; urgency=medium
+
+  * QA upload.
+  * Rebuild for stretch.
+
+ -- Andreas Beckmann   Mon, 27 Nov 2017 05:20:39 +0100
+
+libxsettings-client (0.17-9) unstable; urgency=medium
+
+  * QA upload.
+  * Add the missing libxsettings-client-dev -> libxsettings-dev
+dependency. (Closes: #695584)
+
+ -- Adrian Bunk   Sun, 03 Sep 2017 23:36:18 +0300
+
 libxsettings-client (0.17-8) unstable; urgency=medium
 
   * QA upload.
diff -Nru libxsettings-client-0.17/debian/control 
libxsettings-client-0.17/debian/control
--- libxsettings-client-0.17/debian/control 2015-10-31 22:00:00.0 
+0100
+++ libxsettings-client-0.17/debian/control 2017-09-03 22:36:18.0 
+0200
@@ -23,7 +23,7 @@
 Section: libdevel
 Priority: optional
 Architecture: any
-Depends: libxsettings-client0 (= ${binary:Version}), libx11-dev, 
${misc:Depends}
+Depends: libxsettings-client0 (= ${binary:Version}), libx11-dev, 
${misc:Depends}, libxsettings-dev
 Description: utility functions for the Xsettings protocol (Development files)
  This package contains headers and other files required to compile
  software using the GPE scheduling library to use the Xsettings 
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882831: marked as done (stretch-pu: package libmpd/0.20.0-2~deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882831,
regarding stretch-pu: package libmpd/0.20.0-2~deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882831: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882831
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Let's fix the missing libglib2.0-dev dependency (according to
libmpd.pc). #518429

$ debdiff libmpd-dev_0.20.0-1.3_amd64.deb libmpd-dev_0.20.0-2~deb9u1_amd64.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: libmpd1 (= [-0.20.0-1.3), pkg-config-] {+0.20.0-2~deb9u1), pkg-config, 
libglib2.0-dev+}
Maintainer: [-Arnaud Cornet -] {+Debian QA Group 
+}
Version: [-0.20.0-1.3-] {+0.20.0-2~deb9u1+}


Andreas
diff -u libmpd-0.20.0/debian/changelog libmpd-0.20.0/debian/changelog
--- libmpd-0.20.0/debian/changelog
+++ libmpd-0.20.0/debian/changelog
@@ -1,3 +1,19 @@
+libmpd (0.20.0-2~deb9u1) stretch; urgency=medium
+
+  * QA upload.
+  * Rebuild for stretch.
+
+ -- Andreas Beckmann   Mon, 27 Nov 2017 04:35:59 +0100
+
+libmpd (0.20.0-2) unstable; urgency=medium
+
+  * QA upload.
+  * Set maintainer to Debian QA Group. (see #876951)
+  * libmpd-dev: Add the missing dependency on libglib2.0-dev.
+(Closes: #518429)
+
+ -- Adrian Bunk   Sun, 01 Oct 2017 20:27:24 +0300
+
 libmpd (0.20.0-1.3) unstable; urgency=high
 
   * NMU
diff -u libmpd-0.20.0/debian/control libmpd-0.20.0/debian/control
--- libmpd-0.20.0/debian/control
+++ libmpd-0.20.0/debian/control
@@ -1,7 +1,7 @@
 Source: libmpd
 Section: libs
 Priority: optional
-Maintainer: Arnaud Cornet 
+Maintainer: Debian QA Group 
 Build-Depends: libglib2.0-dev, debhelper (>= 7.0.50~), quilt, dh-autoreconf
 Standards-Version: 3.8.4
 Homepage: http://gmpc.wikia.com/
@@ -29,7 +29,7 @@
 Package: libmpd-dev
 Architecture: any
 Section: libdevel
-Depends: libmpd1 (= ${binary:Version}), pkg-config, ${misc:Depends}
+Depends: libmpd1 (= ${binary:Version}), pkg-config, ${misc:Depends}, 
libglib2.0-dev
 Description: High-level client library for accessing Music Player Daemon
  LibMpd is a library that provides high-level, callback-based access to
  Music Player Daemon (mpd).
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882802: marked as done (jessie-pu: package ruby-ox/2.1.1-2+b2)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #882802,
regarding jessie-pu: package ruby-ox/2.1.1-2+b2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882802: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882802
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

this update fixes bug #881445 [CVE-2017-15928]
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
by cherry-picking a patch from upstream, to fix a crash of the Ruby interpreter
on a parse error.

Debdiff attached.

As mentioned in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882724#10
since the debdiffs are identical for jessie and stretch,
except for version numbers and suite, the upload to jessie will follow
this report shortly.

Cheers,

Cédric

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr:en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru ruby-ox-2.1.1/debian/changelog ruby-ox-2.1.1/debian/changelog
--- ruby-ox-2.1.1/debian/changelog  2014-04-04 12:58:15.0 +0200
+++ ruby-ox-2.1.1/debian/changelog  2017-11-26 01:08:40.0 +0100
@@ -1,3 +1,12 @@
+ruby-ox (2.1.1-2+deb8u1) jessie; urgency=medium
+
+  * Team upload
+  * Add fix_parse_obj_segfault.patch picked from upstream
++ fix CVE-2017-15928: segmentation fault in parse_obj
+(Closes: #881445)
+
+ -- Cédric Boutillier   Sun, 26 Nov 2017 01:08:40 +0100
+
 ruby-ox (2.1.1-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru ruby-ox-2.1.1/debian/gbp.conf ruby-ox-2.1.1/debian/gbp.conf
--- ruby-ox-2.1.1/debian/gbp.conf   1970-01-01 01:00:00.0 +0100
+++ ruby-ox-2.1.1/debian/gbp.conf   2017-11-26 01:08:40.0 +0100
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch=jessie/master
+upstream-branch=jessie/upstream
diff -Nru ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch 
ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch
--- ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch   1970-01-01 
01:00:00.0 +0100
+++ ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch   2017-11-26 
01:08:40.0 +0100
@@ -0,0 +1,51 @@
+Description: Avoid crash with invalid XML passed to Oj.parse_obj()
+ this fixes CVE-2017-15928
+Author: Peter Ohler 
+Origin: 
https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8.patch
+Bug: https://github.com/ohler55/ox/issues/194
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
+Last-Update: 2017-11-25
+
+--- a/ext/ox/obj_load.c
 b/ext/ox/obj_load.c
+@@ -791,8 +791,10 @@
+   Helper  gh;
+ 
+   helper_stack_pop(&pi->helpers);
+-  gh = helper_stack_peek(&pi->helpers);
+-
++  if (NULL == (gh = helper_stack_peek(&pi->helpers))) {
++  set_error(&pi->err, "Corrupt parse stack, container is 
wrong type", pi->str, pi->s);
++  return;
++  }
+   rb_hash_aset(gh->obj, ph->obj, h->obj);
+   }
+   break;
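Review bot: the added check only tests whether helper_stack_peek() returned NULL, yet the error text says "container is wrong type", and a non-NULL gh whose obj is not a hash still reaches rb_hash_aset(gh->obj, ...) unchanged. Either verify the container's type before the rb_hash_aset() call so the message matches what is tested, or reword the message to say the parse stack is empty. The patch header's Description also names Oj.parse_obj() although the files patched are under ext/ox, which is worth correcting.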
+--- a/ext/ox/err.c
 b/ext/ox/err.c
+@@ -42,7 +42,11 @@
+ va_end(ap);
+ }
+ 
++#if __GNUC__ > 4
++_Noreturn void
++#else
+ void
++#endif
+ ox_err_raise(Err e) {
+ rb_raise(e->clas, "%s", e->msg);
+ }
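Review bot: the `#if __GNUC__ > 4` guard around `_Noreturn void` keys on the compiler's major version rather than on the language level, and the identical conditional is repeated for _ox_raise_error() in ox.c. `_Noreturn` is a C11 keyword, so testing `__STDC_VERSION__ >= 201112L` states the actual requirement; defining one macro in a shared header and using it at both sites would remove the duplicated conditionals. The patch description should also say why this attribute change is part of the CVE fix, since it is not mentioned there.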
+--- a/ext/ox/ox.c
 b/ext/ox/ox.c
+@@ -990,7 +990,11 @@
+ #endif
+ }
+ 
++#if __GNUC__ > 4
++_Noreturn void
++#else
+ void
++#endif
+ _ox_raise_error(const char *msg, const char *xml, const char *current, const 
char* file, int line) {
+ int   xline = 1;
+ int   col = 1;
diff -Nru ruby-ox-2.1.1/debian/patches/series 
ruby-ox-2.1.1/debian/patches/series
--- ruby-ox-2.1.1/debian/patches/series 2014-03-22 13:16:52.0 +0100
+++ ruby-ox-2.1.1/debian/patches/series 2017-11-26 01:08:40.0 +0100
@@ -1 +1,2 @@
+fix_parse_obj_segfault.patch
 000-fix-so-load-path.patch
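Review bot: the new entry is inserted above 000-fix-so-load-path.patch, so it is applied first rather than appended after the existing patch. If that ordering is deliberate, say so in the changelog; otherwise add it at the end of the series so the existing patch keeps applying to the same base.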
--- End Message ---
--- Begin Message ---
Version: 8.10

Hi,

Each of the updates referenced in these bugs was included in this
morning's jess

Bug#882863: marked as done (stretch-pu: package grok/1.20110708.1-4.3~deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882863,
regarding stretch-pu: package grok/1.20110708.1-4.3~deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882863: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882863
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Let's fix the missing dependencies. #875422, #779034
And while we are at it, the pointer aliasing bugfix sounded reasonable
as well. #841668
So this is a rebuild of the sid package with 2 patches removed.
(The gperf patches are not relevant (and not backwards compatible) for
stretch.)

Andreas
diff -Nru grok-1.20110708.1/debian/changelog grok-1.20110708.1/debian/changelog
--- grok-1.20110708.1/debian/changelog  2015-01-16 23:03:19.0 +0100
+++ grok-1.20110708.1/debian/changelog  2017-11-27 17:12:13.0 +0100
@@ -1,3 +1,29 @@
+grok (1.20110708.1-4.3~deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for stretch.
+  * Drop the gperf 3.1 patches
+
+ -- Andreas Beckmann   Mon, 27 Nov 2017 17:12:13 +0100
+
+grok (1.20110708.1-4.3) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * libgrok-dev: Add the missing dependencies on:
+- libgrok1 (Closes: #875422)
+- libtokyocabinet-dev (Closes: #779034)
+
+ -- Adrian Bunk   Sat, 14 Oct 2017 17:15:19 +0300
+
+grok (1.20110708.1-4.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Apply Steve Langasek's fix for wrong pointer alias bug
+(Closes: #841668)
+  * Apply patches to allow build grok with gperf >= 3.1
+
+ -- SZALAY Attila   Wed, 09 Aug 2017 16:36:26 -0400
+
 grok (1.20110708.1-4.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru grok-1.20110708.1/debian/control grok-1.20110708.1/debian/control
--- grok-1.20110708.1/debian/control2012-10-14 11:08:33.0 +0200
+++ grok-1.20110708.1/debian/control2017-10-14 16:15:19.0 +0200
@@ -52,6 +52,8 @@
 Section: libdevel
 Architecture: any
 Depends:
+ libgrok1 (= ${binary:Version}),
+ libtokyocabinet-dev,
  ${misc:Depends},
  ${shlibs:Depends},
 Provides: libgrok-dev
diff -Nru grok-1.20110708.1/debian/patches/fix-wrong-pointer-alias 
grok-1.20110708.1/debian/patches/fix-wrong-pointer-alias
--- grok-1.20110708.1/debian/patches/fix-wrong-pointer-alias1970-01-01 
01:00:00.0 +0100
+++ grok-1.20110708.1/debian/patches/fix-wrong-pointer-alias2017-08-09 
21:27:57.0 +0200
@@ -0,0 +1,55 @@
+From: Steve Langasek 
+Date: Fri, 21 Oct 2016 00:00:00 +
+X-Dgit-Generated: 1.20110708.1-4.1 7fc1ec5f57e2299be6b1248db82da42f569c6ab0
+Subject: fix wrong pointer alias
+
+
+---
+
+--- grok-1.20110708.1.orig/grok_pattern.c
 grok-1.20110708.1/grok_pattern.c
+@@ -33,9 +33,9 @@ int grok_pattern_add(const grok_t *grok,
+ }
+ 
+ int grok_pattern_find(const grok_t *grok, const char *name, size_t name_len,
+-  const char **regexp, size_t *regexp_len) {
++  const char **regexp, int *regexp_len) {
+   TCTREE *patterns = grok->patterns;
+-  *regexp = tctreeget(patterns, name, name_len, (int*) regexp_len);
++  *regexp = tctreeget(patterns, name, name_len, regexp_len);
+ 
+   grok_log(grok, LOG_PATTERNS, "Searching for pattern '%s' (%s): %.*s",
+name, *regexp == NULL ? "not found" : "found", *regexp_len, 
*regexp);
+--- grok-1.20110708.1.orig/grok_pattern.h
 grok-1.20110708.1/grok_pattern.h
+@@ -9,7 +9,7 @@ TCLIST *grok_pattern_name_list(const gro
+ int grok_pattern_add(const grok_t *grok, const char *name, size_t name_len,
+   const char *regexp, size_t regexp_len);
+ int grok_pattern_find(const grok_t *grok, const char *name, size_t name_len,
+-  const char **regexp, size_t *regexp_len);
++  const char **regexp, int *regexp_len);
+ int grok_patterns_import_from_file(const grok_t *grok, const char *filename);
+ int grok_patterns_import_from_string(const grok_t *grok, const char *buffer);
+ 
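Review bot: changing the last parameter of grok_pattern_find() from `size_t *` to `int *` in grok_pattern.h alters a prototype that code outside this tree may compile against, and the patch header ("fix wrong pointer alias", with an empty body) does not mention it. grok_pattern_add() directly above still takes `size_t regexp_len`, so the add/find pair now disagree on the length type. Document the prototype change in the patch header, and consider keeping the `size_t *` interface with a local int passed to tctreeget() and copied out afterwards, which removes the bad cast without touching the header.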
+--- grok-1.20110708.1.orig/grokre.c
 grok-1.20110708.1/grokre.c
+@@ -183,7 +183,7 @@ static char *grok_pattern_expand(grok_t
+ int start, end, matchlen;
+ const char *pattern_regex;
+ int patname_len;
+-size_t regexp_len;
++int regexp_len;
+ int pattern_regex_needs_free = 0;
+ 
+ grok_log(grok, LOG_REGEXPAND, "

Bug#882861: marked as done (stretch-pu: package python-diff-match-patch/20121119-3~deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882861,
regarding stretch-pu: package python-diff-match-patch/20121119-3~deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882861: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882861
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Let's fix the python3 dependencies. #867424

The Standards-Version bump affects only metadata.

$ debdiff python3-diff-match-patch_20121119-2_all.deb 
python3-diff-match-patch_20121119-3~deb9u1_all.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

{+Depends: python3:any (>= 3.3.2-2~)+}
Version: [-20121119-2-] {+20121119-3~deb9u1+}


Andreas
diff -Nru python-diff-match-patch-20121119/debian/changelog 
python-diff-match-patch-20121119/debian/changelog
--- python-diff-match-patch-20121119/debian/changelog   2016-12-26 
02:07:45.0 +0100
+++ python-diff-match-patch-20121119/debian/changelog   2017-11-27 
16:42:28.0 +0100
@@ -1,3 +1,18 @@
+python-diff-match-patch (20121119-3~deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for stretch.
+
+ -- Andreas Beckmann   Mon, 27 Nov 2017 16:42:28 +0100
+
+python-diff-match-patch (20121119-3) unstable; urgency=medium
+
+  * Add missing python3 dependency on Python 3 package, with thanks to
+Adrian Bunk for the report (Closes: #867424).
+  * Update Standards-Version to 4.0.0 (no changes required)
+
+ -- Stuart Prescott   Sun, 30 Jul 2017 10:20:31 +1000
+
 python-diff-match-patch (20121119-2) unstable; urgency=medium
 
   * Add dh-python to build-dependencies.
diff -Nru python-diff-match-patch-20121119/debian/control 
python-diff-match-patch-20121119/debian/control
--- python-diff-match-patch-20121119/debian/control 2016-12-26 
02:07:45.0 +0100
+++ python-diff-match-patch-20121119/debian/control 2017-07-30 
02:20:31.0 +0200
@@ -9,7 +9,7 @@
  python-setuptools,
  python3-all,
  python3-setuptools
-Standards-Version: 3.9.8
+Standards-Version: 4.0.0
 Homepage: https://pypi.python.org/pypi/diff-match-patch
 Vcs-Git: 
https://anonscm.debian.org/git/collab-maint/python-diff-match-patch.git
 Vcs-Browser: 
https://anonscm.debian.org/git/collab-maint/python-diff-match-patch.git
@@ -36,7 +36,7 @@
 Architecture: all
 Depends:
  ${misc:Depends},
- ${python:Depends}
+ ${python3:Depends}
 Description: robust algorithms for synchronizing plain text (Python 3 module)
  The Diff Match and Patch libraries offer robust algorithms to perform the
  operations required for synchronizing plain text.
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882832: marked as done (stretch-pu: package jdcal/1.0-1.2~deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882832,
regarding stretch-pu: package jdcal/1.0-1.2~deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882832: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882832
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Let's fix the missing python/python3 dependencies. #867406

$ debdiff python-jdcal_1.0-1_all.deb python-jdcal_1.0-1.2~deb9u1_all.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

{+Depends: python:any (<< 2.8), python:any (>= 2.7.5-5~)+}
Installed-Size: [-26-] {+39+}
Version: [-1.0-1-] {+1.0-1.2~deb9u1+}

$ debdiff python3-jdcal_1.0-1_all.deb python3-jdcal_1.0-1.2~deb9u1_all.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

{+Depends: python3:any (>= 3.3.2-2~)+}
Installed-Size: [-23-] {+35+}
Version: [-1.0-1-] {+1.0-1.2~deb9u1+}


Andreas
diff -Nru jdcal-1.0/debian/changelog jdcal-1.0/debian/changelog
--- jdcal-1.0/debian/changelog  2014-12-10 06:49:59.0 +0100
+++ jdcal-1.0/debian/changelog  2017-11-27 04:50:33.0 +0100
@@ -1,3 +1,26 @@
+jdcal (1.0-1.2~deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for stretch.
+
+ -- Andreas Beckmann   Mon, 27 Nov 2017 04:50:33 +0100
+
+jdcal (1.0-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix a mistake in ${python:Depends} for Python3 (needs to be
+${python3:Depends}). Thanks again to Adrian Bunk. (Closes: #867406)
+
+ -- Joao Eriberto Mota Filho   Sun, 24 Sep 2017 22:15:10 
-0300
+
+jdcal (1.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Added ${python:Depends} variable to Depends field in all packages.
+Thanks to Adrian Bunk . (Closes: #867406)
+
+ -- Joao Eriberto Mota Filho   Sun, 24 Sep 2017 12:29:22 
-0300
+
 jdcal (1.0-1) unstable; urgency=low
 
   * Initial release (Closes: #772689)
diff -Nru jdcal-1.0/debian/control jdcal-1.0/debian/control
--- jdcal-1.0/debian/control2014-12-10 06:49:59.0 +0100
+++ jdcal-1.0/debian/control2017-09-25 03:15:10.0 +0200
@@ -10,7 +10,7 @@
 
 Package: python-jdcal
 Architecture: all
-Depends: ${misc:Depends}
+Depends: ${misc:Depends}, ${python:Depends}
 Description: Julian dates from proleptic Gregorian and Julian calendars
  This module contains functions for converting between Julian dates
  and calendar dates.
@@ -22,7 +22,7 @@
 
 Package: python3-jdcal
 Architecture: all
-Depends: ${misc:Depends}
+Depends: ${misc:Depends}, ${python3:Depends}
 Description: Julian dates from proleptic Gregorian and Julian calendars
  This module contains functions for converting between Julian dates
  and calendar dates.
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882829: marked as done (stretch-pu: package slic3r/1.2.9+dfsg-6.1~deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882829,
regarding stretch-pu: package slic3r/1.2.9+dfsg-6.1~deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882829: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882829
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Let's fix the missing perlapi dependency. #869360

$ debdiff slic3r_1.2.9+dfsg-6_amd64.deb slic3r_1.2.9+dfsg-6.1~deb9u1_amd64.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: libboost-geometry-utils-perl, libencode-locale-perl, 
libio-stringy-perl, libmath-convexhull-monotonechain-perl, 
libmath-geometry-voronoi-perl, libmath-planepath-perl, libmoo-perl, 
libstorable-perl, libtime-hires-perl, [-perl:any,-] {+perl (>= 
5.24.1-3+deb9u2), perlapi-5.24.1,+} libc6 (>= 2.14), libgcc1 (>= 1:3.0), 
libstdc++6 (>= 5.2)
Installed-Size: [-4692-] {+4697+}
Version: [-1.2.9+dfsg-6-] {+1.2.9+dfsg-6.1~deb9u1+}


Andreas
diff -Nru slic3r-1.2.9+dfsg/debian/changelog slic3r-1.2.9+dfsg/debian/changelog
--- slic3r-1.2.9+dfsg/debian/changelog  2016-11-03 03:23:40.0 +0100
+++ slic3r-1.2.9+dfsg/debian/changelog  2017-11-27 04:09:35.0 +0100
@@ -1,3 +1,20 @@
+slic3r (1.2.9+dfsg-6.1~deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for stretch.
+
+ -- Andreas Beckmann   Mon, 27 Nov 2017 04:09:35 +0100
+
+slic3r (1.2.9+dfsg-6.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix "missing dependency on perlapi-*":
+add override_dh_perl in debian/rules to make dh_perl search for perl
+modules in the private directory as well.
+(Closes: #869360)
+
+ -- gregor herrmann   Sun, 06 Aug 2017 13:27:56 -0400
+
 slic3r (1.2.9+dfsg-6) unstable; urgency=medium
 
   * [9db9b59] Shift perl modules into private directories.
diff -Nru slic3r-1.2.9+dfsg/debian/rules slic3r-1.2.9+dfsg/debian/rules
--- slic3r-1.2.9+dfsg/debian/rules  2016-11-03 03:23:40.0 +0100
+++ slic3r-1.2.9+dfsg/debian/rules  2017-07-22 19:27:47.0 +0200
@@ -55,3 +55,7 @@
# Install example post-processing scripts
mkdir -p $(CURDIR)/debian/slic3r/usr/share/doc/slic3r/examples
cp -r utils/post-processing 
$(CURDIR)/debian/slic3r/usr/share/doc/slic3r/examples
+
+override_dh_perl:
+   # make dh_perl search for perl modules in the private directory as well
+   dh_perl /usr/lib/slic3r
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882621: marked as done (stretch-pu: package python2.7/2.7.13-2+deb9u2)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882621,
regarding stretch-pu: package python2.7/2.7.13-2+deb9u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882621: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882621
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,
I'd like to add a fix for a minor security issue in Python 2.7 to the
as a followup update to what's already in spu. debdiff is below.

This is fixed in unstable in 2.7.13-4.

Cheers,
Moritz

diff -u python2.7-2.7.13/debian/changelog python2.7-2.7.13/debian/changelog
--- python2.7-2.7.13/debian/changelog
+++ python2.7-2.7.13/debian/changelog
@@ -1,3 +1,10 @@
+python2.7 (2.7.13-2+deb9u2) stretch; urgency=medium
+
+  * Backport c3c9db89273fabc62ea1b48389d9a3000c1c03ae to address
+CVE-2017-1000158 / https://bugs.python.org/issue30657
+
+ -- Moritz Mühlenhoff   Fri, 24 Nov 2017 18:33:09 +0100
+
 python2.7 (2.7.13-2+deb9u1) stretch; urgency=medium
 
   * Non-maintainer upload with maintainer's permission
diff -u python2.7-2.7.13/debian/patches/series.in 
python2.7-2.7.13/debian/patches/series.in
--- python2.7-2.7.13/debian/patches/series.in
+++ python2.7-2.7.13/debian/patches/series.in
@@ -72,0 +73 @@
+CVE-2017-1000158.diff
only in patch2:
unchanged:
--- python2.7-2.7.13.orig/debian/patches/CVE-2017-1000158.diff
+++ python2.7-2.7.13/debian/patches/CVE-2017-1000158.diff
@@ -0,0 +1,29 @@
+From c3c9db89273fabc62ea1b48389d9a3000c1c03ae Mon Sep 17 00:00:00 2001
+From: Jay Bosamiya 
+Date: Sun, 18 Jun 2017 22:11:03 +0530
+Subject: [PATCH] [2.7] bpo-30657: Check & prevent integer overflow in
+ PyString_DecodeEscape (#2174)
+
+---
+ Objects/stringobject.c | 8 +++-
+ 3 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/Objects/stringobject.c b/Objects/stringobject.c
+index c78e19316a0..59d22e76946 100644
+--- a/Objects/stringobject.c
 b/Objects/stringobject.c
+@@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s,
+ char *p, *buf;
+ const char *end;
+ PyObject *v;
+-Py_ssize_t newlen = recode_encoding ? 4*len:len;
++Py_ssize_t newlen;
++/* Check for integer overflow */
++if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
++PyErr_SetString(PyExc_OverflowError, "string is too large");
++return NULL;
++}
++newlen = recode_encoding ? 4*len:len;
+ v = PyString_FromStringAndSize((char *)NULL, newlen);
+ if (v == NULL)
+ return NULL;
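Review bot: the header of the embedded CVE-2017-1000158.diff still reads "3 files changed, 11 insertions(+), 1 deletion(-)" although only Objects/stringobject.c is carried, so two files of upstream commit c3c9db89273fabc62ea1b48389d9a3000c1c03ae were dropped without comment. State in the patch header which parts were left out and why, and add Origin and Bug fields pointing at the commit and https://bugs.python.org/issue30657 so the provenance lives in the patch itself. The guard is placed correctly: it runs before 4*len is evaluated and only on the recode_encoding path, where the multiplication happens. No test for the len > PY_SSIZE_T_MAX / 4 case is included in what is shown.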
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882856: marked as done (stretch-pu: package lasi/1.1.0-2~deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882856,
regarding stretch-pu: package lasi/1.1.0-2~deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882856: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882856
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Let's fix the missing -dev package dependencies. #845497

$ debdiff liblasi-dev_1.1.0-1.2_amd64.deb liblasi-dev_1.1.0-2~deb9u1_amd64.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: liblasi0 (= [-1.1.0-1.2)-] {+1.1.0-2~deb9u1), libpango1.0-dev, 
libfreetype6-dev+}
Maintainer: [-Andrew Ross -] {+Debian QA 
Group +}
Version: [-1.1.0-1.2-] {+1.1.0-2~deb9u1+}


Andreas
diff -Nru lasi-1.1.0/debian/changelog lasi-1.1.0/debian/changelog
--- lasi-1.1.0/debian/changelog 2016-07-17 07:17:35.0 +0200
+++ lasi-1.1.0/debian/changelog 2017-11-27 07:21:40.0 +0100
@@ -1,3 +1,20 @@
+lasi (1.1.0-2~deb9u1) stretch; urgency=medium
+
+  * QA upload.
+  * Rebuild for stretch.
+
+ -- Andreas Beckmann   Mon, 27 Nov 2017 07:21:40 +0100
+
+lasi (1.1.0-2) unstable; urgency=medium
+
+  * QA upload.
+  * Set maintainer to Debian QA Group. (see #867050)
+  * Add the missing libpango1.0-dev and libfreetype6-dev
+dependencies to liblasi-dev. (Closes: #845497)
+  * Add ${misc:Depends} to the package dependencies.
+
+ -- Adrian Bunk   Sat, 08 Jul 2017 14:19:16 +0300
+
 lasi (1.1.0-1.2) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru lasi-1.1.0/debian/control lasi-1.1.0/debian/control
--- lasi-1.1.0/debian/control   2016-07-17 07:16:44.0 +0200
+++ lasi-1.1.0/debian/control   2017-07-08 13:19:16.0 +0200
@@ -1,6 +1,6 @@
 Source: lasi
 Priority: optional
-Maintainer: Andrew Ross 
+Maintainer: Debian QA Group 
 Build-Depends: debhelper (>= 5.0.0), cmake, libpango1.0-dev,
  cdbs (>=0.4.51), libfreetype6-dev (>= 2.2), doxygen
 Standards-Version: 3.7.3
@@ -12,7 +12,7 @@
 Package: liblasi0
 Section: libs
 Architecture: any
-Depends: ${shlibs:Depends}
+Depends: ${shlibs:Depends}, ${misc:Depends}
 Description: creation of PostScript documents containing Unicode symbols
  LASi is a library that provides a C++ stream output interface (with
  operator <<) for creating PostScript documents that can contain
@@ -29,7 +29,7 @@
 Package: liblasi-dev
 Section: libdevel
 Architecture: any
-Depends: liblasi0 (= ${binary:Version})
+Depends: liblasi0 (= ${binary:Version}), ${misc:Depends}, libpango1.0-dev, 
libfreetype6-dev
 Description: development files and documentation for the LASi library
  LASi is a library that provides a C++ stream output interface (with
  operator <<) for creating PostScript documents that can contain
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882836: marked as done (stretch-pu: package doit/0.28.0-1+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882836,
regarding stretch-pu: package doit/0.28.0-1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882836: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882836
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This update adds
  Breaks: nikola (<< 7.6.0-1~)
to python-doit, fixing #870162

nikola is neither part of stretch nor any longer in sid, but the jessie
version will survive an upgrade to stretch, where it will fail due to a
too new version of doit. For details see #870162.

Adding the Breaks will cause removal of the old nikola package.

There is no package left for fixing this in sid: doit is now python3
only.


Andreas
diff -Nru doit-0.28.0/debian/changelog doit-0.28.0/debian/changelog
--- doit-0.28.0/debian/changelog2015-06-20 21:27:14.0 +0200
+++ doit-0.28.0/debian/changelog2017-11-27 05:44:54.0 +0100
@@ -1,3 +1,12 @@
+doit (0.28.0-1+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * python-doit: Add Breaks: nikola (<< 7.6.0-1~). nikola is not in stretch
+(or even in sid any longer) and the jessie version needs doit <= 0.27.
+(Closes: #870162)
+
+ -- Andreas Beckmann   Mon, 27 Nov 2017 05:44:54 +0100
+
 doit (0.28.0-1) unstable; urgency=medium
 
   * Imported Upstream version 0.28.0
diff -Nru doit-0.28.0/debian/control doit-0.28.0/debian/control
--- doit-0.28.0/debian/control  2015-06-20 21:27:01.0 +0200
+++ doit-0.28.0/debian/control  2017-11-27 05:44:54.0 +0100
@@ -34,6 +34,7 @@
 Depends: ${python:Depends}, ${misc:Depends}, python-pyinotify, python-six
 Recommends: strace, python-gdbm
 Suggests: python-doit-doc
+Breaks: nikola (<< 7.6.0-1~)
 Description: Automation tool to execute any kind of task in a build-tools 
fashion
  doit is an automation tool that brings the power of build-tools to execute any
  kind of task.
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882837: marked as done (stretch-pu: package python-inflect/0.2.5-1.1~deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882837,
regarding stretch-pu: package python-inflect/0.2.5-1.1~deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882837: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882837
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Let's fix the python3 dependencies. #867438

$ debdiff python3-inflect_0.2.5-1_all.deb 
python3-inflect_0.2.5-1.1~deb9u1_all.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

{+Depends: python3:any (>= 3.3.2-2~)+}
Version: [-0.2.5-1-] {+0.2.5-1.1~deb9u1+}


Andreas
diff -Nru python-inflect-0.2.5/debian/changelog 
python-inflect-0.2.5/debian/changelog
--- python-inflect-0.2.5/debian/changelog   2015-12-24 16:30:47.0 
+0100
+++ python-inflect-0.2.5/debian/changelog   2017-11-27 06:40:13.0 
+0100
@@ -1,3 +1,18 @@
+python-inflect (0.2.5-1.1~deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for stretch.
+
+ -- Andreas Beckmann   Mon, 27 Nov 2017 06:40:13 +0100
+
+python-inflect (0.2.5-1.1) unstable; urgency=medium
+
+  * Non-maintainer Upload
+  * Apply patch from Adrian Bunk to correctly generate dependencies for
+the python 3 package (Closes: #867438)
+
+ -- Arto Jantunen   Mon, 17 Jul 2017 08:47:48 +0300
+
 python-inflect (0.2.5-1) unstable; urgency=medium
 
   * Initial release. (Closes: #806450)
diff -Nru python-inflect-0.2.5/debian/control 
python-inflect-0.2.5/debian/control
--- python-inflect-0.2.5/debian/control 2015-12-24 16:26:41.0 +0100
+++ python-inflect-0.2.5/debian/control 2017-07-17 07:47:48.0 +0200
@@ -19,7 +19,7 @@
 
 Package: python3-inflect
 Architecture: all
-Depends: ${python:Depends}, ${misc:Depends}
+Depends: ${python3:Depends}, ${misc:Depends}
 Description: Generate plurals, singular nouns, ordinals, indefinite articles 
(Python 3)
  The inflect Python module correctly generates plurals, singular nouns,
  ordinals and indefinite articles. It can also convert numbers to words.
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882724: marked as done (stretch-pu: package ruby-ox/2.1.1-2+b6)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882724,
regarding stretch-pu: package ruby-ox/2.1.1-2+b6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882724: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882724
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

this update fixes bug #881445 [CVE-2017-15928]
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
by cherrypicking a patch from upstream, to crash of the ruby interpreter
on a parse error.

Debdiff attached.

As jessie and stretch have the same version of this package, I am
willing to upload the same fix to jessie (same diff except the version
number with deb8 instead of deb9). Should I submit an independent bug
report for the jessie proposed update?

Thanks in advance.

Cédric

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr:en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru ruby-ox-2.1.1/debian/changelog ruby-ox-2.1.1/debian/changelog
--- ruby-ox-2.1.1/debian/changelog  2014-04-04 12:58:15.0 +0200
+++ ruby-ox-2.1.1/debian/changelog  2017-11-26 01:08:40.0 +0100
@@ -1,3 +1,12 @@
+ruby-ox (2.1.1-2+deb9u1) stretch; urgency=medium
+
+  * Team upload
+  * Add fix_parse_obj_segfault.patch picked from upstream
++ fix CVE-2017-15928: segmentation fault in parse_obj
+(Closes: #881445)
+
+ -- Cédric Boutillier   Sun, 26 Nov 2017 01:08:40 +0100
+
 ruby-ox (2.1.1-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru ruby-ox-2.1.1/debian/gbp.conf ruby-ox-2.1.1/debian/gbp.conf
--- ruby-ox-2.1.1/debian/gbp.conf   1970-01-01 01:00:00.0 +0100
+++ ruby-ox-2.1.1/debian/gbp.conf   2017-11-26 00:52:18.0 +0100
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch=stretch/master
+upstream-branch=stretch/upstream
diff -Nru ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch 
ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch
--- ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch   1970-01-01 
01:00:00.0 +0100
+++ ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch   2017-11-26 
01:08:40.0 +0100
@@ -0,0 +1,51 @@
+Description: Avoid crash with invalid XML passed to Oj.parse_obj()
+ this fixes CVE-2017-15928
+Author: Peter Ohler 
+Origin: 
https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8.patch
+Bug: https://github.com/ohler55/ox/issues/194
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
+Last-Update: 2017-11-25
+
+--- a/ext/ox/obj_load.c
 b/ext/ox/obj_load.c
+@@ -791,8 +791,10 @@
+   Helper  gh;
+ 
+   helper_stack_pop(&pi->helpers);
+-  gh = helper_stack_peek(&pi->helpers);
+-
++  if (NULL == (gh = helper_stack_peek(&pi->helpers))) {
++  set_error(&pi->err, "Corrupt parse stack, container is 
wrong type", pi->str, pi->s);
++  return;
++  }
+   rb_hash_aset(gh->obj, ph->obj, h->obj);
+   }
+   break;
+--- a/ext/ox/err.c
 b/ext/ox/err.c
+@@ -42,7 +42,11 @@
+ va_end(ap);
+ }
+ 
++#if __GNUC__ > 4
++_Noreturn void
++#else
+ void
++#endif
+ ox_err_raise(Err e) {
+ rb_raise(e->clas, "%s", e->msg);
+ }
+--- a/ext/ox/ox.c
 b/ext/ox/ox.c
+@@ -990,7 +990,11 @@
+ #endif
+ }
+ 
++#if __GNUC__ > 4
++_Noreturn void
++#else
+ void
++#endif
+ _ox_raise_error(const char *msg, const char *xml, const char *current, const 
char* file, int line) {
+ int   xline = 1;
+ int   col = 1;
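Review bot: in the obj_load.c hunk the new NULL test covers only gh, while the rb_hash_aset(gh->obj, ph->obj, h->obj) call that follows also dereferences ph and h. The context shown does not establish that those two are non-NULL on this path, so confirm they are validated earlier in the function or extend the check before treating this as the complete fix for the parse_obj crash. The Description line says "Oj.parse_obj()", but the package and the changelog entry are about ox, so it should read Ox. The _Noreturn changes in err.c and ox.c are unrelated to the NULL check; a line in the patch header explaining why they are part of the backport would help.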
diff -Nru ruby-ox-2.1.1/debian/patches/series 
ruby-ox-2.1.1/debian/patches/series
--- ruby-ox-2.1.1/debian/patches/series 2014-03-22 13:16:52.0 +0100
+++ ruby-ox-2.1.1/debian/patches/series 2017-11-26 01:08:40.0 +0100
@@ -1 +1,2 @@
+fix_parse_obj_segfault.patch
 000-fix-so-load-path.patch
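Review bot: fix_parse_obj_segfault.patch is added as the first entry in debian/patches/series, ahead of 000-fix-so-load-path.patch, so the existing patch now applies on top of the new one. Appending the new entry after 000-fix-so-load-path.patch keeps the existing patch applying to the same tree as before and avoids having to refresh it.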
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bu

Bug#882649: marked as done (stretch-pu: package ruby-httparty/0.13.7-1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882649,
regarding stretch-pu: package ruby-httparty/0.13.7-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882649: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882649
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

The current package in stretch provides a Ruby library that cannot be
loaded properly with Ruby 'gem' tool, because of a too strict versioned
dependency on the json Ruby library

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864723

This update adds a patch to relax this dependency in the Gemfile, which
fixes the problem.

Cédric


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr:en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru ruby-httparty-0.13.7/debian/changelog 
ruby-httparty-0.13.7/debian/changelog
--- ruby-httparty-0.13.7/debian/changelog   2016-06-07 10:57:47.0 
+0200
+++ ruby-httparty-0.13.7/debian/changelog   2017-11-25 00:30:18.0 
+0100
@@ -1,3 +1,10 @@
+ruby-httparty (0.13.7-1+deb9u1) stretch; urgency=medium
+
+  * Relax dependency version in gem dependency on json.
+This fixes loading httparty with the gem command (Closes: #864723)
+
+ -- Cédric Boutillier   Sat, 25 Nov 2017 00:30:18 +0100
+
 ruby-httparty (0.13.7-1) unstable; urgency=medium
 
   * Imported Upstream version 0.13.7
diff -Nru ruby-httparty-0.13.7/debian/gbp.conf 
ruby-httparty-0.13.7/debian/gbp.conf
--- ruby-httparty-0.13.7/debian/gbp.conf1970-01-01 01:00:00.0 
+0100
+++ ruby-httparty-0.13.7/debian/gbp.conf2017-11-25 00:15:47.0 
+0100
@@ -0,0 +1,3 @@
+[buildpackage]
+debian-branch=stretch/master
+upstream-branch=stretch/upstream
diff -Nru ruby-httparty-0.13.7/debian/patches/relax_version_json.patch 
ruby-httparty-0.13.7/debian/patches/relax_version_json.patch
--- ruby-httparty-0.13.7/debian/patches/relax_version_json.patch
1970-01-01 01:00:00.0 +0100
+++ ruby-httparty-0.13.7/debian/patches/relax_version_json.patch
2017-11-25 00:28:56.0 +0100
@@ -0,0 +1,17 @@
+Author: Cédric Boutillier 
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864723
+Origin: 
https://github.com/jnunemaker/httparty/commit/1cbb101feaffcc1f11c77a71009558c6086ebb4b
+Forwarded: no
+Last-Update: 2017-11-25
+
+--- a/httparty.gemspec
 b/httparty.gemspec
+@@ -15,7 +15,7 @@
+ 
+   s.required_ruby_version = '>= 1.9.3'
+ 
+-  s.add_dependency 'json',  "~> 1.8"
++  s.add_dependency 'json',  ">= 1.8"
+   s.add_dependency 'multi_xml', ">= 0.5.2"
+ 
+   # If this line is removed, all hard partying will cease.
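Review bot: replacing "~> 1.8" with ">= 1.8" in httparty.gemspec removes the upper bound entirely, so any future json major version satisfies the dependency whether or not httparty works with it. add_dependency accepts several requirements, so an explicit upper limit can be listed next to ">= 1.8" if the aim is only to accept the json version shipped in the target release; otherwise note in the patch header that the open-ended range is deliberate. The header also carries "Forwarded: no" next to an Origin pointing at an upstream commit; one of the two needs correcting.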
diff -Nru ruby-httparty-0.13.7/debian/patches/series 
ruby-httparty-0.13.7/debian/patches/series
--- ruby-httparty-0.13.7/debian/patches/series  2016-06-07 10:57:47.0 
+0200
+++ ruby-httparty-0.13.7/debian/patches/series  2017-11-25 00:26:34.0 
+0100
@@ -1 +1,2 @@
 skip_failing_test.patch
+relax_version_json.patch
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882714: marked as done (stretch-pu: package ruby-pygments.rb/0.6.3-2)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882714,
regarding stretch-pu: package ruby-pygments.rb/0.6.3-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882714: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882714
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

the proposed update fixes a reasonable limit to RLIMIT_NOFILE, avoiding
closing too many files at a time. This fixes #876768

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876768

and fixes weechat.

Best regards,

Cédric

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr:en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru ruby-pygments.rb-0.6.3/debian/changelog 
ruby-pygments.rb-0.6.3/debian/changelog
--- ruby-pygments.rb-0.6.3/debian/changelog 2016-07-08 14:43:00.0 
+0200
+++ ruby-pygments.rb-0.6.3/debian/changelog 2017-11-25 21:48:18.0 
+0100
@@ -1,3 +1,11 @@
+ruby-pygments.rb (0.6.3-2+deb9u1) stretch; urgency=medium
+
+  * Add Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch
+to avoid closing too many files when mentos starts
+(Closes: #876768)
+
+ -- Cédric Boutillier   Sat, 25 Nov 2017 21:48:18 +0100
+
 ruby-pygments.rb (0.6.3-2) unstable; urgency=medium
 
   * Team upload
diff -Nru ruby-pygments.rb-0.6.3/debian/gbp.conf 
ruby-pygments.rb-0.6.3/debian/gbp.conf
--- ruby-pygments.rb-0.6.3/debian/gbp.conf  1970-01-01 01:00:00.0 
+0100
+++ ruby-pygments.rb-0.6.3/debian/gbp.conf  2017-11-25 21:41:16.0 
+0100
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = stretch/master
+upstream-branch = stretch/upstream
diff -Nru 
ruby-pygments.rb-0.6.3/debian/patches/0011-Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch
 
ruby-pygments.rb-0.6.3/debian/patches/0011-Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch
--- 
ruby-pygments.rb-0.6.3/debian/patches/0011-Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch
1970-01-01 01:00:00.0 +0100
+++ 
ruby-pygments.rb-0.6.3/debian/patches/0011-Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch
2017-11-25 21:45:19.0 +0100
@@ -0,0 +1,29 @@
+commit d69d8e9ea11f9cd6652ef4cb066356792182af7e
+Author: Cédric Boutillier 
+Date:   Fri Sep 29 22:49:47 2017 +0200
+
+Set reasonable upper limit to RLIMIT_NOFILE
+
+When RLIMIT_NOFILE is too high, the number of files to close
+can be too important and the process of closing could take more time
+than the timeout set (default to 8s).
+
+This causes asciidoctor to crash on some architectures
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876768
+
+Gbp-Pq: Name 0008-Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch
+
+diff --git a/lib/pygments/mentos.py b/lib/pygments/mentos.py
+index 9c7c650..cf70b7b 100755
+--- a/lib/pygments/mentos.py
 b/lib/pygments/mentos.py
+@@ -334,7 +334,7 @@ def main():
+ # close fd's inherited from the ruby parent
+ import resource
+ maxfd = resource.getrlimit(resource.RLIMIT_NOFILE)[1]
+-if maxfd == resource.RLIM_INFINITY:
++if maxfd >= 65536:
+ maxfd = 65536
+ 
+ for fd in range(3, maxfd):
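Review bot: The replacement condition "maxfd >= 65536" in mentos.py drops the explicit comparison with resource.RLIM_INFINITY, so the cap now depends on how that constant compares numerically. If a platform reports an unlimited hard limit as a negative value, range(3, maxfd) would be empty and no inherited descriptor would be closed. Testing both, "if maxfd == resource.RLIM_INFINITY or maxfd >= 65536:", keeps the old case and adds the new cap. Separately, the embedded header says "Gbp-Pq: Name 0008-Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch" while the file is added to the series as 0011-...; the two names should agree.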
diff -Nru ruby-pygments.rb-0.6.3/debian/patches/series 
ruby-pygments.rb-0.6.3/debian/patches/series
--- ruby-pygments.rb-0.6.3/debian/patches/series2016-07-08 
14:43:00.0 +0200
+++ ruby-pygments.rb-0.6.3/debian/patches/series2017-11-25 
21:46:08.0 +0100
@@ -8,3 +8,4 @@
 0008-fix_test_pygments.patch
 0009-adapt-to-new-pygments.patch
 0010-no-relative-path-for-require-in-tests.patch
+0011-Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882493: marked as done (stretch-pu: package liblog-log4perl-perl/1.48-1+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882493,
regarding stretch-pu: package liblog-log4perl-perl/1.48-1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882493: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882493
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi SRM,

The Debian Perl Group was asked if #855894 could be fixed as well for
stretch, since when "syswrite" and "utf8" are used together with Perl
5.24 warnings are issued. The proposed debdiff is attached.

Thanks for considering, let me know if it looks okay for you to
include this in the upcoming point release for stretch.

Regards,
Salvatore
diff -Nru liblog-log4perl-perl-1.48/debian/changelog 
liblog-log4perl-perl-1.48/debian/changelog
--- liblog-log4perl-perl-1.48/debian/changelog  2016-12-27 01:20:02.0 
+0100
+++ liblog-log4perl-perl-1.48/debian/changelog  2017-11-23 14:36:00.0 
+0100
@@ -1,3 +1,11 @@
+liblog-log4perl-perl (1.48-1+deb9u1) stretch; urgency=medium
+
+  * Team upload.
+  * Workaround for Perl 5.24 no longer allowing syswrite and utf8 together
+(Closes: #855894)
+
+ -- Salvatore Bonaccorso   Thu, 23 Nov 2017 14:36:00 +0100
+
 liblog-log4perl-perl (1.48-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru 
liblog-log4perl-perl-1.48/debian/patches/0005-Workaround-for-perl-5.24-no-longer-allowing-syswrite.patch
 
liblog-log4perl-perl-1.48/debian/patches/0005-Workaround-for-perl-5.24-no-longer-allowing-syswrite.patch
--- 
liblog-log4perl-perl-1.48/debian/patches/0005-Workaround-for-perl-5.24-no-longer-allowing-syswrite.patch
1970-01-01 01:00:00.0 +0100
+++ 
liblog-log4perl-perl-1.48/debian/patches/0005-Workaround-for-perl-5.24-no-longer-allowing-syswrite.patch
2017-11-23 14:36:00.0 +0100
@@ -0,0 +1,99 @@
+From: mschilli 
+Date: Sun, 19 Feb 2017 13:22:59 -0800
+Subject: Workaround for perl-5.24 no longer allowing syswrite+utf8 (see
+ https://github.com/mschilli/log4perl/issues/78)
+Origin: 
https://github.com/mschilli/log4perl/commit/e8d8f6600312670a156399e220998dbd0832915f
+Bug: https://github.com/mschilli/log4perl/issues/78
+Bug-Debian: https://bugs.debian.org/855894
+
+---
+ lib/Log/Log4perl/Appender/File.pm | 39 ++-
+ 1 file changed, 34 insertions(+), 5 deletions(-)
+
+diff --git a/lib/Log/Log4perl/Appender/File.pm 
b/lib/Log/Log4perl/Appender/File.pm
+index 8b9dfd8..abdce69 100755
+--- a/lib/Log/Log4perl/Appender/File.pm
 b/lib/Log/Log4perl/Appender/File.pm
+@@ -11,6 +11,7 @@ use Fcntl;
+ use File::Path;
+ use File::Spec::Functions qw(splitpath);
+ use constant _INTERNAL_DEBUG => 0;
++use constant SYSWRITE_UTF8_OK => ( $] < 5.024 );
+ 
+ ##
+ sub new {
+@@ -26,7 +27,7 @@ sub new {
+ syswrite  => 0,
+ mode  => "append",
+ binmode   => undef,
+-utf8  => undef,
++utf8  => 0,
+ recreate  => 0,
+ recreate_check_interval => 30,
+ recreate_check_signal   => undef,
+@@ -62,12 +63,30 @@ sub new {
+ close FILE;
+ }
+ 
++$self->{syswrite_encoder} = $self->syswrite_encoder();
++
+ # This will die() if it fails
+ $self->file_open() unless $self->{create_at_logtime};
+ 
+ return $self;
+ }
+ 
++##
++sub syswrite_encoder {
++##
++my($self) = @_;
++
++if(!SYSWRITE_UTF8_OK and $self->{syswrite} and $self->{utf8}) {
++if( eval { require Encode } ) {
++return sub { Encode::encode_utf8($_[0]) };
++} else {
++die "syswrite and utf8 requires Encode.pm";
++}
++}
++
++return undef;
++}
++
+ ##
+ sub filename {
+ ##
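Review bot: In new(), syswrite_encoder() is called once and its result is cached in $self->{syswrite_encoder}, so the choice is frozen at construction time and the die "syswrite and utf8 requires Encode.pm" fires from the constructor rather than from the first write. A short comment above the sub stating that it returns a code ref only when syswrite and utf8 are both set and SYSWRITE_UTF8_OK is false, and undef otherwise, would make the contract clear to whoever consumes the cached value; that consumer is not in the part of the patch shown here.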
+@@ -163,8 +182,11 @@ sub file_open {
+ binmode $self->{fh}, $self->{binmode};
+ }
+ 
+-if (defined $self->{utf8}) {
+-binmode $self->{fh}, ":utf8";
++if ($self->{utf8}) {
++  # older perls can handle syswrite+utf8 just fine
++if(SYSWRITE_UTF8_OK or !$self->{syswrite}) {
++binmode $self->{fh}, ":utf8";
++}
+ }
+ 
+ if(defined $self->{header_text}) {
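Review bot: The test in file_open() changes from "defined $self->{utf8}" to plain truth, and the default in new() moves from undef to 0, so a caller passing utf8 => 0 previously got the :utf8 layer and now does not. That looks like the intended meaning, but it is a behaviour change for a stable update and deserves a line in the changelog entry. Also, when syswrite and utf8 are both set and SYSWRITE_UTF8_OK is false, no layer is applied here, so correctness rests entirely on the cached encoder being used on the write path, which is cut off in this copy of the debdiff.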

Bug#882194: marked as done (stretch-pu: package spamassassin/3.4.1-6+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882194,
regarding stretch-pu: package spamassassin/3.4.1-6+deb9u1
to be marked as done.



-- 
882194: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882194
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello. I'd like to fix a number of bugs in spamassassin, mostly related to
systemd service management. A debdiff against the current stretch version
is attached. All the changes have been in buster for some time. I've
tested them in fresh installation, upgrade, remove, and purge scenarios.

Thanks
noah
diff -Nru spamassassin-3.4.1/debian/65_debian.cf 
spamassassin-3.4.1/debian/65_debian.cf
--- spamassassin-3.4.1/debian/65_debian.cf  2016-10-30 09:39:27.0 
-0700
+++ spamassassin-3.4.1/debian/65_debian.cf  2017-11-19 10:43:02.0 
-0800
@@ -25,3 +25,10 @@
 metaD_SENT_BY_CRON __CRON_FROM && __CRON_HEADER
 score   D_SENT_BY_CRON -5.0
 describe D_SENT_BY_CRONSent by Cron Daemon
+
+# As documented in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861671,
+# the bb.barracudacentral.org blacklist requires users to register, making it
+# unsuitable for use in the default configuration. If you've registered your
+# use of this blacklist, remove the following line in order to re-activate
+# this service:
+score RCVD_IN_BRBL_LASTEXT 0
diff -Nru spamassassin-3.4.1/debian/changelog 
spamassassin-3.4.1/debian/changelog
--- spamassassin-3.4.1/debian/changelog 2016-10-30 09:39:27.0 -0700
+++ spamassassin-3.4.1/debian/changelog 2017-11-19 10:43:02.0 -0800
@@ -1,3 +1,21 @@
+spamassassin (3.4.1-6+deb9u1) stretch; urgency=medium
+
+  * Ensure that spamd doesn't automatically start upon initial
+installation.
+  * Disable bb.barracudacentral.org (RCVD_IN_BRBL_LASTEXT), as
+it requires users to register. (Closes: #861671)
+  * Update the systemd unit file to use the same pid file as was
+used in the sysvinit script. (Closes: #808804)
+  * Update spamassassin docs to remove outdated gpg version
+compatibility note. (Closes: #853913)
+  * Update systemd unit dependencies to include network and syslog.
+(Closes: 864810)
+  * Fix inappropriate invocation of invoke-rc.d in cron script.
+(Closes: 865514)
+  * Fix spamd service manage on upgrades. (Closes: #865356)
+
+ -- Noah Meyerhans   Sun, 19 Nov 2017 10:43:02 -0800
+
 spamassassin (3.4.1-6) unstable; urgency=medium
 
   * Import upstream fix for spamassassin bug 7226: Enhance whitelist_from_dkim
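Review bot: Two entries in the new changelog stanza write "(Closes: 864810)" and "(Closes: 865514)" without the "#" that the other entries use; write "#864810" and "#865514" for consistency. "Fix spamd service manage on upgrades" also reads as a typo for "management".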
diff -Nru spamassassin-3.4.1/debian/rules spamassassin-3.4.1/debian/rules
--- spamassassin-3.4.1/debian/rules 2016-10-30 09:39:27.0 -0700
+++ spamassassin-3.4.1/debian/rules 2017-11-19 10:43:02.0 -0800
@@ -125,9 +125,10 @@
dh_testroot -i
dh_installman -i sa-awl.1p sa-check_spamd.1p
dh_installdocs -i
-   dh_systemd_enable --no-enable
dh_installexamples -i
-   dh_installinit -i -- defaults 19 21
+   dh_systemd_enable -i --no-enable
+   dh_installinit -i --no-start -- defaults 19 21
+   dh_systemd_start -i --no-start
dh_installcron -i
dh_installchangelogs Changes -i
dh_link -i
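Review bot: With --no-enable on dh_systemd_enable and --no-start on both dh_installinit and dh_systemd_start, the intent is that the generated maintainer-script snippets leave spamd alone, so whether a running spamd is restarted on upgrade depends on the hand-written postinst, whose hunk is cut off in this copy. A comment in debian/rules recording why the three helpers run in the order dh_systemd_enable, dh_installinit, dh_systemd_start would keep a later cleanup from reshuffling them.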
diff -Nru spamassassin-3.4.1/debian/spamassassin.cron.daily 
spamassassin-3.4.1/debian/spamassassin.cron.daily
--- spamassassin-3.4.1/debian/spamassassin.cron.daily   2016-10-30 
09:39:27.0 -0700
+++ spamassassin-3.4.1/debian/spamassassin.cron.daily   2017-11-19 
10:43:02.0 -0800
@@ -53,8 +53,7 @@
 invoke-rc.d --quiet spamassassin status > /dev/null && \
   invoke-rc.d spamassassin reload > /dev/null
 else
-invoke-rc.d --quiet spamassassin status > /dev/null && \
-  /etc/init.d/spamassassin reload > /dev/null
+/etc/init.d/spamassassin reload > /dev/null
 fi
 if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
 run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
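Review bot: The else branch now runs "/etc/init.d/spamassassin reload" with no status guard, while the branch above it still checks "invoke-rc.d --quiet spamassassin status" first. If spamd is not running, the reload may exit non-zero or write to stderr, which in a daily cron job means mail to root or an aborted script, depending on error handling that is not visible in this hunk. Consider guarding the call with the init script's own status action, or explicitly ignoring a failed reload.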
diff -Nru spamassassin-3.4.1/debian/spamassassin.postinst 
spamassassin-3.4.1/debian/spamassassin.postinst
--- spamassassin-3.4.1/debian/spamassassin.postinst 2016-10-30 
09:39:27.0 -0700
+++ spamassassin-3.4.1/debian/spamassassin.postinst 2017-11-19 
10:43:02.0 -0800
@@ -43,3 +43,9

Bug#882242: marked as done (jessie-pu: package tor/0.2.5.15-1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #882242,
regarding jessie-pu: package tor/0.2.5.15-1
to be marked as done.



-- 
882242: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882242
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Just like #882228 for stretch, I would like to update tor in jessie
to the maintenance update released by upstream.

In particular, the update of the directory authority set is relevant.

Please let me know if I may upload my 0.2.5.15 packages.

A debdiff (where I removed the large geoipdb diff) is attached.

Cheers,
-- 
|  .''`.   ** Debian **
  Peter Palfrader   | : :' :  The  universal
 https://www.palfrader.org/ | `. `'  Operating System
|   `-https://www.debian.org/
diff -Nru tor-0.2.5.14/ChangeLog tor-0.2.5.15/ChangeLog
--- tor-0.2.5.14/ChangeLog  2017-06-08 15:46:39.0 +0200
+++ tor-0.2.5.15/ChangeLog  2017-10-25 14:06:39.0 +0200
@@ -1,3 +1,48 @@
+Changes in version 0.2.5.15 - 2017-10-25
+  Tor 0.2.5.15 backports a collection of bugfixes from later Tor release
+  series. It also adds a new directory authority, Bastet.
+
+  Note: the Tor 0.2.5 series will no longer be supported after 1 May
+  2018. If you need a release with long-term support, please upgrade to
+  the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.
+
+  o Directory authority changes:
+- Add "Bastet" as a ninth directory authority to the default list.
+  Closes ticket 23910.
+- The directory authority "Longclaw" has changed its IP address.
+  Closes ticket 23592.
+
+  o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
+- Avoid an assertion failure bug affecting our implementation of
+  inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
+  handling of "0xx" differs from what we had expected. Fixes bug
+  22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.
+
+  o Minor features (geoip):
+- Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
+  Country database.
+
+  o Minor bugfixes (defensive programming, undefined behavior, backport from 
0.3.1.4-alpha):
+- Fix a memset() off the end of an array when packing cells. This
+  bug should be harmless in practice, since the corrupted bytes are
+  still in the same structure, and are always padding bytes,
+  ignored, or immediately overwritten, depending on compiler
+  behavior. Nevertheless, because the memset()'s purpose is to make
+  sure that any other cell-handling bugs can't expose bytes to the
+  network, we need to fix it. Fixes bug 22737; bugfix on
+  0.2.4.11-alpha. Fixes CID 1401591.
+
+  o Build features (backport from 0.3.1.5-alpha):
+- Tor's repository now includes a Travis Continuous Integration (CI)
+  configuration file (.travis.yml). This is meant to help new
+  developers and contributors who fork Tor to a Github repository be
+  better able to test their changes, and understand what we expect
+  to pass. To use this new build feature, you must fork Tor to your
+  Github account, then go into the "Integrations" menu in the
+  repository settings for your fork and enable Travis, then push
+  your changes. Closes ticket 22636.
+
+
 Changes in version 0.2.5.14 - 2017-06-08
   Tor 0.2.5.14 backports a fix for a bug that would allow an attacker to
   remotely crash a hidden service with an assertion failure. Anyone
diff -Nru tor-0.2.5.14/ReleaseNotes tor-0.2.5.15/ReleaseNotes
--- tor-0.2.5.14/ReleaseNotes   2017-06-08 15:46:45.0 +0200
+++ tor-0.2.5.15/ReleaseNotes   2017-10-25 14:06:44.0 +0200
@@ -2,6 +2,50 @@
 of Tor. If you want to see more detailed descriptions of the changes in
 each development snapshot, see the ChangeLog file.
 
+Changes in version 0.2.5.15 - 2017-10-25
+  Tor 0.2.5.15 backports a collection of bugfixes from later Tor release
+  series. It also adds a new directory authority, Bastet.
+
+  Note: the Tor 0.2.5 series will no longer be supported after 1 May
+  2018. If you need a release with long-term support, please upgrade to
+  the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.
+
+  o Directo

Bug#882503: marked as done (jessie-pu: package sam2p/0.49.2-3)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #882503,
regarding jessie-pu: package sam2p/0.49.2-3
to be marked as done.



-- 
882503: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882503
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

sam2p is currently affected by several security issues in Jessie.
Therefore I would like to update the package. I have contacted the
security team but they don't intend to release a DSA. Please find
attached the debdiff.

Regards,

Markus
diff -Nru sam2p-0.49.2/debian/changelog sam2p-0.49.2/debian/changelog
--- sam2p-0.49.2/debian/changelog   2014-08-31 18:31:23.0 +0200
+++ sam2p-0.49.2/debian/changelog   2017-11-22 21:39:20.0 +0100
@@ -1,3 +1,14 @@
+sam2p (0.49.2-3+deb8u1) jessie; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2017-14628, CVE-2017-14629, CVE-2017-14630, CVE-2017-14631,
+CVE-2017-14636, CVE-2017-14637, CVE-2017-16663:
+Several integer overflow or heap-based buffer overflow issues were
+discovered in sam2p that may lead to an application crash or other
+unspecified impact.
+
+ -- Markus Koschany   Wed, 22 Nov 2017 21:39:20 +0100
+
 sam2p (0.49.2-3) unstable; urgency=medium
 
   * debian/sam2p.1: correct the documentation of -m:dpi:RES and document
diff -Nru sam2p-0.49.2/debian/patches/CVE-2017-14628.patch 
sam2p-0.49.2/debian/patches/CVE-2017-14628.patch
--- sam2p-0.49.2/debian/patches/CVE-2017-14628.patch1970-01-01 
01:00:00.0 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2017-14628.patch2017-11-22 
21:39:20.0 +0100
@@ -0,0 +1,33 @@
+---
+ in_pcx.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/in_pcx.cpp b/in_pcx.cpp
+index e65a6b8..592b678 100644
+--- a/in_pcx.cpp
 b/in_pcx.cpp
+@@ -355,7 +355,7 @@ static int pcxLoadImage24 ___((char *fname, FILE *fp, 
PICINFO *pinfo, byte *hdr)
+   
+   w = pinfo->w;  h = pinfo->h;
+   
+-  planes = (int) hdr[PCX_PLANES];
++  planes = (unsigned) hdr[PCX_PLANES];
+   bperlin = hdr[PCX_BPRL] + ((int) hdr[PCX_BPRH]<<8);
+   
+   /* allocate 24-bit image */
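Review bot: Changing the cast on hdr[PCX_PLANES] from (int) to (unsigned) does not bound the value, and the declaration of "planes" is outside the hunk, so the effect depends on its declared type. Since the next step is the 24-bit image allocation, an explicit check that planes has the expected value, plus an overflow check on the allocation size, would be a more direct fix than the cast.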
+@@ -379,6 +379,7 @@ static int pcxLoadImage24 ___((char *fname, FILE *fp, 
PICINFO *pinfo, byte *hdr)
+   if (c == EOF) { MACRO_GETC(fp); break; }
+ }
+ else cnt = 1;
++if (cnt > nbytes) FatalError("Repeat count too large.");
+ 
+ #if 0 / pts /
+ if (c > maxv)  maxv = c;
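Review bot: The new bound "if (cnt > nbytes)" reports through FatalError(), while the truncation check added later in the same patch uses pcxError(0, ...); pick one so that a malformed PCX file fails the same way in both cases. The types of cnt and nbytes are not visible in the hunk; if they differ in signedness, make the comparison explicit.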
+@@ -403,6 +404,7 @@ static int pcxLoadImage24 ___((char *fname, FILE *fp, 
PICINFO *pinfo, byte *hdr)
+   }
+ }
+   }
++  if (nbytes != 0) pcxError(0, "Image data truncated.");
+   
+   
+ #if 0 / pts /  
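Review bot: After the added line "if (nbytes != 0) pcxError(0, "Image data truncated.");" the function carries on. If pcxError() returns rather than aborting, the caller receives a partially filled image buffer as if the load had succeeded; return the failure value here, or add a comment stating that pcxError() does not return.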
diff -Nru sam2p-0.49.2/debian/patches/CVE-2017-14629.patch 
sam2p-0.49.2/debian/patches/CVE-2017-14629.patch
--- sam2p-0.49.2/debian/patches/CVE-2017-14629.patch1970-01-01 
01:00:00.0 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2017-14629.patch2017-11-22 
21:39:20.0 +0100
@@ -0,0 +1,40 @@
+---
+ in_xpm.cpp | 8 
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/in_xpm.cpp b/in_xpm.cpp
+index dce69bf..33bda0f 100644
+--- a/in_xpm.cpp
 b/in_xpm.cpp
+@@ -285,14 +285,14 @@ static Image::Sampled *in_xpm_reader(Image::Loader::UFD 
*ufd, SimBuffer::Flat co
+ memset(bin, 255, sizeof(*bin) * 65536); /* Make bin[*]=-1 */
+ for (i=0,p=tab; (unsigned)isetPal(i, rgb[i]);
+-  bin[(p[0]<<8)+p[1]]=i;
++  bin[(((unsigned char*)p)[0]<<8)+((unsigned char*)p)[1]]=i;
+ }
+ assert(p==pend);
+ while (ht--!=0) {
+   tok.getComma();
+   for (p=outbuf+ret->getRlen(); outbuf!=p; ) {
+ tok.readInStr(pend,2);
+-if ((s=bin[(pend[0]<<8)+pend[1]])<0) Error::sev(Error::EERROR) << 
"XPM: unpaletted color" << (Error*)0;
++if ((s=bin[(((unsigned char*)pend)[0]<<8)+((unsigned 
char*)pend)[1]])<0) Error::sev(Error::EERROR) << "XPM: unpaletted color" << 
(Error*)0;
+ *outbuf++=s;
+   }
+ }
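Review bot: The index expression with the (unsigned char*) casts is written out separately for p and for pend, which makes the lines long enough to wrap and hard to audit. Reading the two bytes through a small helper, or through an unsigned char pointer declared once, would keep the index inside the 0..65535 range that the 65536-entry bin[] table requires and make it obvious that both lookups got the same fix.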
+@@ -301,12 +301,12 @@ static Image::Sampled *in_xpm_reader(Image::Loader::UFD 
*ufd, SimBuffer::Flat co
+ Image::Sampled::rgb_t rgb1;
+ unsigned short *bin=new unsigned short[65536], s;
+ memset(bin, 255, sizeof(*bin) * 65536); /* Make bin[*]=max */
+-for (i=0,p=tab; (unsigned)igetRlen(); outbuf!=p; ) {
+ tok.readInStr(pend,2

Bug#882219: marked as done (stretch-pu: package corebird/1.4.1-1+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882219,
regarding stretch-pu: package corebird/1.4.1-1+deb9u1
to be marked as done.



-- 
882219: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882219
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

Twitter changed the character limit of tweets to 280 chars (see [1]). The
version of corebird in stretch does only allow to compose tweets with 140
chars. The fix is really trivial[2].

Would you allow an update of corebird?

Best,

Philip


[1]
https://blog.twitter.com/official/en_us/topics/product/2017/tweetingmadeeasier.html

[2]
https://github.com/baedert/corebird/commit/d3cc0b068b4f3b1d0d97e4bd7c9e723d002636c1
diff -Nru corebird-1.4.1/debian/changelog corebird-1.4.1/debian/changelog
--- corebird-1.4.1/debian/changelog 2017-01-09 15:16:58.0 +0100
+++ corebird-1.4.1/debian/changelog 2017-11-20 11:43:37.0 +0100
@@ -1,3 +1,9 @@
+corebird (1.4.1-1+deb9u1) stretch; urgency=medium
+
+  * Allow 280 characters per tweet
+
+ -- Philip Rinn   Mon, 20 Nov 2017 11:43:37 +0100
+
 corebird (1.4.1-1) unstable; urgency=medium
 
   * New upstream release:
diff -Nru corebird-1.4.1/debian/patches/01-allow-280-characters.patch 
corebird-1.4.1/debian/patches/01-allow-280-characters.patch
--- corebird-1.4.1/debian/patches/01-allow-280-characters.patch 1970-01-01 
01:00:00.0 +0100
+++ corebird-1.4.1/debian/patches/01-allow-280-characters.patch 2017-11-16 
12:09:28.0 +0100
@@ -0,0 +1,13 @@
+Description: Twitter changed the limit to 280 characters
+Author: Timm Bäder 
+--- a/src/CbTweet.h
 b/src/CbTweet.h
+@@ -23,7 +23,7 @@
+ #include "CbTypes.h"
+ #include "CbMedia.h"
+ 
+-#define CB_TWEET_MAX_LENGTH 140
++#define CB_TWEET_MAX_LENGTH 280
+ 
+ typedef enum
+ {
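Review bot: The header of the new patch file carries only Description and Author. The request cites the upstream commit, so add an Origin field pointing at it; that lets a reviewer confirm that the one-line change to CB_TWEET_MAX_LENGTH matches what upstream shipped.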
diff -Nru corebird-1.4.1/debian/patches/series 
corebird-1.4.1/debian/patches/series
--- corebird-1.4.1/debian/patches/series1970-01-01 01:00:00.0 
+0100
+++ corebird-1.4.1/debian/patches/series2017-11-16 12:09:28.0 
+0100
@@ -0,0 +1 @@
+01-allow-280-characters.patch
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#880896: marked as done (stretch-pu: package libdbi/0.9.0-4+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #880896,
regarding stretch-pu: package libdbi/0.9.0-4+deb9u1
to be marked as done.



-- 
880896: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880896
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi SRMs,

I got a private bugreport (and so I can't reference it) that libdbi is
inconsistent on error handling of the dbi_result_next_row() function.
Some digging revealed that the error handler was commented out[1] years
ago with other changes. I asked upstream about that, who confirmed it
was not intended to comment out the proper error handling. He
immediately re-enabled it[2] in the Git tree.
I don't think this has any security impact (treat bad input as normal
data), but it would be good to have consistent error handling in the
libdbi library.

Thanks for considering,
Laszlo/GCS
[1] 
https://sourceforge.net/p/libdbi/libdbi/ci/7f31b680238ea464e9bad9ef97cf411a3635af55/
[2] 
https://sourceforge.net/p/libdbi/libdbi/ci/88b8477d57153b9f736dd19d432d3b7ab1c49073/
diff -Nru libdbi-0.9.0/debian/changelog libdbi-0.9.0/debian/changelog
--- libdbi-0.9.0/debian/changelog	2014-11-01 16:12:02.0 +0100
+++ libdbi-0.9.0/debian/changelog	2017-10-29 19:19:04.0 +0100
@@ -1,3 +1,10 @@
+libdbi (0.9.0-4+deb9u1) stretch; urgency=medium
+
+  * Backport fix to re-enable a call to _error_handler() that was commented
+out for no obvious reason in dbi_result_next_row() .
+
+ -- Laszlo Boszormenyi (GCS)   Sun, 29 Oct 2017 18:19:04 +
+
 libdbi (0.9.0-4) unstable; urgency=medium
 
   * Backport fix for double-free in dbi_shutdown_r() (closes: #764130).
diff -Nru libdbi-0.9.0/debian/patches/re-enable_call_to_error_handler.patch libdbi-0.9.0/debian/patches/re-enable_call_to_error_handler.patch
--- libdbi-0.9.0/debian/patches/re-enable_call_to_error_handler.patch	1970-01-01 01:00:00.0 +0100
+++ libdbi-0.9.0/debian/patches/re-enable_call_to_error_handler.patch	2017-10-29 19:19:04.0 +0100
@@ -0,0 +1,19 @@
+commit 88b8477d57153b9f736dd19d432d3b7ab1c49073
+Author: mhoenicka 
+Date:   Sat Oct 28 01:54:33 2017 +0200
+
+re-enabled a call to _error_handler() that was commented out for no obvious reason
+
+diff --git a/src/dbi_result.c b/src/dbi_result.c
+index 232d0ec..1e1b0be 100644
+--- a/src/dbi_result.c
 b/src/dbi_result.c
+@@ -174,7 +174,7 @@ int dbi_result_next_row(dbi_result Result) {
+   _reset_conn_error(RESULT->conn);
+ 
+   if (!dbi_result_has_next_row(Result)) {
+-/* _error_handler(RESULT->conn, DBI_ERROR_BADIDX); */
++_error_handler(RESULT->conn, DBI_ERROR_BADIDX);
+ return 0;
+   }
+   return dbi_result_seek_row(Result, RESULT->currowidx+1);
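Review bot: Re-enabling _error_handler(RESULT->conn, DBI_ERROR_BADIDX) in the "no next row" branch means that a caller iterating with while (dbi_result_next_row(result)) now triggers the error handler at the normal end of the result set, not only on misuse. For a stable update the changelog entry should say so, since applications with an error callback installed will start seeing DBI_ERROR_BADIDX when such a loop exits.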
diff -Nru libdbi-0.9.0/debian/patches/series libdbi-0.9.0/debian/patches/series
--- libdbi-0.9.0/debian/patches/series	2014-11-01 16:02:53.0 +0100
+++ libdbi-0.9.0/debian/patches/series	2017-10-29 19:19:04.0 +0100
@@ -1,3 +1,4 @@
 fix_memory_leak_if_not_connected.patch
 fix_possible_access_to_unallocated_memory.patch
 fix_double-free_in_dbi_shutdown_r.patch
+re-enable_call_to_error_handler.patch
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882391: marked as done (nmu: inn2_2.6.1-2)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882391,
regarding nmu: inn2_2.6.1-2
to be marked as done.



-- 
882391: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882391
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

inn2 needs to be rebuilt for i386 on stable to fix #882225, because the 
original package was built in a merged-/usr environment and the 
configure script picked up the wrong path for gzip.

nmu inn2_2.6.1-2 . i386 . stretch . -m "binNMU to fix the gzip path. (Closes: 
#882225)"

-- 
ciao,
Marco


--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882132: marked as done (jessie-pu: package libofx/1:0.9.10-1+deb8u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #882132,
regarding jessie-pu: package libofx/1:0.9.10-1+deb8u1
to be marked as done.



-- 
882132: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882132
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,
Upstream has fixed 2 CVE (CVE-2017-2816 and CVE-2017-14731), these 2
CVE are non-dsa. I already backported patches to
unstable/testing/stretch (#881900) and now I would like to fix the
Jessie version. Please find attached a debdiff.

Best,
Dylan


libofx_0.9.10-1+deb8u1.debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
Version: 8.10

Hi,

Each of the updates referenced in these bugs was included in this
morning's jessie point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#882061: marked as done (jessie-pu: package openssh/1:6.7p1-5+deb8u4)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #882061,
regarding jessie-pu: package openssh/1:6.7p1-5+deb8u4
to be marked as done.



-- 
882061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882061
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This is the jessie version of #865986.  The WinSCP change isn't
applicable to jessie, but the fixes for #865770 and #873201 are.

I had to do some minor git surgery to integrate the previous security
updates into git-dpm's view of the world (including changing one patch
to have a proper name rather than an automatically-generated one);
apologies for the resulting noise, but I think it's still short enough
to be reasonably reviewable.  I ran the "git-dpm update-patches" step in
a jessie chroot to avoid further noise from patches generated by
different git versions.

diff -Nru openssh-6.7p1/debian/.git-dpm openssh-6.7p1/debian/.git-dpm
--- openssh-6.7p1/debian/.git-dpm   2016-04-14 18:53:01.0 +0100
+++ openssh-6.7p1/debian/.git-dpm   2017-11-18 10:52:00.0 +
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-d6139ee6bbf3bda83ebefc73d8079d0897488d1d
-d6139ee6bbf3bda83ebefc73d8079d0897488d1d
+1ec1d66c12c333a99a10d399b5f47e5636d2bcff
+1ec1d66c12c333a99a10d399b5f47e5636d2bcff
 487bdb3a5ef6075887b830ccb8a0b14f6da78e93
 487bdb3a5ef6075887b830ccb8a0b14f6da78e93
 openssh_6.7p1.orig.tar.gz
diff -Nru openssh-6.7p1/debian/changelog openssh-6.7p1/debian/changelog
--- openssh-6.7p1/debian/changelog  2016-07-22 18:22:20.0 +0100
+++ openssh-6.7p1/debian/changelog  2017-11-18 10:56:29.0 +
@@ -1,3 +1,12 @@
+openssh (1:6.7p1-5+deb8u4) jessie; urgency=medium
+
+  * Test configuration before starting or reloading sshd under systemd
+(closes: #865770).
+  * Make "--" before the hostname terminate argument processing after the
+hostname too (closes: #873201).
+
+ -- Colin Watson   Sat, 18 Nov 2017 10:56:29 +
+
 openssh (1:6.7p1-5+deb8u3) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru openssh-6.7p1/debian/openssh-server.ssh.service 
openssh-6.7p1/debian/openssh-server.ssh.service
--- openssh-6.7p1/debian/openssh-server.ssh.service 2016-04-14 
18:53:01.0 +0100
+++ openssh-6.7p1/debian/openssh-server.ssh.service 2017-11-18 
10:52:00.0 +
@@ -5,7 +5,9 @@
 
 [Service]
 EnvironmentFile=-/etc/default/ssh
+ExecStartPre=/usr/sbin/sshd -t
 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
+ExecReload=/usr/sbin/sshd -t
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure
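
Review bot: the two added "/usr/sbin/sshd -t" checks (ExecStartPre and the first ExecReload) do not pass $SSHD_OPTS, while ExecStart runs "sshd -D $SSHD_OPTS", so if /etc/default/ssh sets options that change which configuration is loaded, the test validates a different configuration from the one the daemon will actually run. Consider "ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS" (and the same for the reload check), or say in the changelog why the options are deliberately left out. The ordering is right: the test line precedes "kill -HUP", so a failing test stops the reload before the running daemon is signalled.
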
diff -Nru openssh-6.7p1/debian/patches/0030-disable-roaming-in-ssh-client.patch 
openssh-6.7p1/debian/patches/0030-disable-roaming-in-ssh-client.patch
--- openssh-6.7p1/debian/patches/0030-disable-roaming-in-ssh-client.patch   
2016-04-14 18:53:01.0 +0100
+++ openssh-6.7p1/debian/patches/0030-disable-roaming-in-ssh-client.patch   
1970-01-01 01:00:00.0 +0100
@@ -1,36 +0,0 @@
-From d6139ee6bbf3bda83ebefc73d8079d0897488d1d Mon Sep 17 00:00:00 2001
-From: Yves-Alexis Perez 
-Date: Tue, 12 Jan 2016 17:14:33 -0800
-Subject: disable roaming in ssh client
-
-SSH roaming implementation in openssh client is vulnerable to an
-information leak (CVE-2016-0777) and heap-based buffer overflow
-(CVE-2016-0778). The information leak is somehow attacker-controller,
-and it is for example possible to extract the ssh client private keys.

- readconf.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/readconf.c b/readconf.c
-index 29338b6..337d914 100644
 a/readconf.c
-+++ b/readconf.c
-@@ -1640,7 +1640,7 @@ initialize_options(Options * options)
-   options->tun_remote = -1;
-   options->local_command = NULL;
-   options->permit_local_command = -1;
--  options->use_roaming = -1;
-+  options->use_roaming = 0;
-   options->visual_host_key = -1;
-   options->ip_qos_interactive = -1;
-   options->ip_qos_bulk = -1;
-@@ -1822,8 +1822,7 @@ fill_default_options(Options * options)
-   options->tun_remote = SSH_TUNID_ANY;
-   if (options->permit_local_command == -1)
-   options->permit_local_command = 0;
--  if (options->use_roaming == -1)
--  opti
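
Review bot: this hunk deletes debian/patches/0030-disable-roaming-in-ssh-client.patch, which carries the CVE-2016-0777 / CVE-2016-0778 mitigation (use_roaming forced to 0 in initialize_options), and the visible part of the debdiff does not show where that change goes instead. The request says one patch was renamed from an automatically generated name, so please confirm that the renamed file has the same content and is still listed in debian/patches/series, so that the roaming mitigation is not dropped from the jessie build.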

Bug#882068: marked as done (stretch-pu: dehydrated/0.3.1-3+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882068,
regarding stretch-pu: dehydrated/0.3.1-3+deb9u1
to be marked as done.


-- 
882068: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882068
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I'd like to fix https://bugs.debian.org/881974 (dehydrated using the old
license agreement URL by default) in stretch.
The issue does not concern buster, as in that version dehydrated is able
to retrieve the correct URL dynamically.

See attached a patch for the stretch version, also built and tested on
stretch.

TIA.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
diffstat for dehydrated-0.3.1 dehydrated-0.3.1

 changelog |6 +
 gbp.conf  |2 
 patches/Update-the-default-License-Subscriber-Agreement-URL.patch |   39 ++
 patches/series|1 
 4 files changed, 47 insertions(+), 1 deletion(-)

diff -Nru dehydrated-0.3.1/debian/changelog dehydrated-0.3.1/debian/changelog
--- dehydrated-0.3.1/debian/changelog	2017-02-08 18:45:09.0 +0100
+++ dehydrated-0.3.1/debian/changelog	2017-11-18 14:00:07.0 +0100
@@ -1,3 +1,9 @@
+dehydrated (0.3.1-3+deb9u1) stretch; urgency=medium
+
+  * Update the default License Subscriber Agreement URL.  Closes: #881974
+
+ -- Mattia Rizzolo   Sat, 18 Nov 2017 14:00:07 +0100
+
 dehydrated (0.3.1-3) unstable; urgency=medium
 
   * Fix typo s/know/now/ in letsencrypt.sh wrapper.
diff -Nru dehydrated-0.3.1/debian/gbp.conf dehydrated-0.3.1/debian/gbp.conf
--- dehydrated-0.3.1/debian/gbp.conf	2017-02-08 18:44:07.0 +0100
+++ dehydrated-0.3.1/debian/gbp.conf	2017-11-18 14:00:07.0 +0100
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = upstream/master
-debian-branch = debian/master
+debian-branch = debian/stretch
 upstream-tag = v%(version)s
 pristine-tar = True
 pristine-tar-commit = True
diff -Nru dehydrated-0.3.1/debian/patches/series dehydrated-0.3.1/debian/patches/series
--- dehydrated-0.3.1/debian/patches/series	2017-02-08 18:44:07.0 +0100
+++ dehydrated-0.3.1/debian/patches/series	2017-11-18 14:00:07.0 +0100
@@ -4,3 +4,4 @@
 Update-the-location-of-WELLKNOWN-in-the-notice-message-of.patch
 honor-config-if-the-user-provided-one-to-letsencrypt.sh-w.patch
 Support-both-config.sh-and-config-as-config-filenames-for.patch
+Update-the-default-License-Subscriber-Agreement-URL.patch
diff -Nru dehydrated-0.3.1/debian/patches/Update-the-default-License-Subscriber-Agreement-URL.patch dehydrated-0.3.1/debian/patches/Update-the-default-License-Subscriber-Agreement-URL.patch
--- dehydrated-0.3.1/debian/patches/Update-the-default-License-Subscriber-Agreement-URL.patch	1970-01-01 01:00:00.0 +0100
+++ dehydrated-0.3.1/debian/patches/Update-the-default-License-Subscriber-Agreement-URL.patch	2017-11-18 14:00:07.0 +0100
@@ -0,0 +1,39 @@
+From: Mattia Rizzolo 
+Date: Sat, 18 Nov 2017 13:54:41 +0100
+Subject: Update the default License Subscriber Agreement URL
+
+Closes: #881974
+Signed-off-by: Mattia Rizzolo 
+---
+ dehydrated| 2 +-
+ docs/examples/config  | 4 ++--
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/dehydrated b/dehydrated
+index 7b88ae9..882c6bd 100755
+--- a/dehydrated
 b/dehydrated
+@@ -105,7 +105,7 @@ load_config() {
+ 
+   # Default values
+   CA="https://acme-v01.api.letsencrypt.org/directory";
+-  LICENSE="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf";
++  LICENSE="https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf";
+   CERTDIR=
+   ACCOUNTDIR=
+   CHALLENGETYPE="http-01"
+diff --git a/docs/examples/config b/docs/examples/config
+index 17621d2..d28214b 100644
+--- a/docs/examples/config
 b/docs/examples/config
+@@ -18,8 +18,8 @@
+ # Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
+ #CA="https://acme
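
Review bot: the new LICENSE default in load_config() is again a dated PDF URL (LE-SA-v1.2-November-15-2017.pdf), so the same breakage returns the next time the subscriber agreement is revised and another stable update will be needed. Since the request notes that the buster version retrieves the URL dynamically, it is worth saying in the patch description why that approach was not backported. The patch header also reports 3 files changed and 4 insertions, while the diffstat lines list only dehydrated and docs/examples/config; please check that the third file is really part of the patch.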

Bug#881306: marked as done (jessie-pu: package python-tablib/0.9.11-2 CVE-2017-2810)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #881306,
regarding jessie-pu: package python-tablib/0.9.11-2 CVE-2017-2810
to be marked as done.


-- 
881306: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881306
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

After fixing Stretch in release team bug #879702, here's the request
for fixing Jessie, since Salvatore asks for it. Debdiff attached.
Package available from:

http://sid.gplhost.com/jessie-proposed-updates/python-tablib/

Please allow me to upload this update for Jessie.
Cheers,

Thomas Goirand (zigo)
diff -Nru python-tablib-0.9.11/debian/changelog 
python-tablib-0.9.11/debian/changelog
--- python-tablib-0.9.11/debian/changelog   2013-05-12 14:21:10.0 
+0200
+++ python-tablib-0.9.11/debian/changelog   2017-10-24 21:15:19.0 
+0200
@@ -1,3 +1,9 @@
+python-tablib (0.9.11-2+deb8u1) jessie; urgency=low
+
+  * CVE-2017-2810: apply upstream patch: use safe load (Closes: #864818).
+
+ -- Thomas Goirand   Tue, 24 Oct 2017 21:15:19 +0200
+
 python-tablib (0.9.11-2) unstable; urgency=low
 
   * Uploading to unstable.
diff -Nru python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch 
python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch
--- python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch   
1970-01-01 01:00:00.0 +0100
+++ python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch   
2017-10-24 21:15:19.0 +0200
@@ -0,0 +1,17 @@
+Description: use safe load
+Author: Kenneth Reitz 
+Origin: 
https://github.com/kennethreitz/tablib/commit/69abfc3ada5d754cb152119c0b4777043657cb6e
+Bug-Debian: https://bugs.debian.org/864818
+Last-Update: 2017-10-24
+
+--- python-tablib-0.9.11.orig/tablib/formats/_yaml.py
 python-tablib-0.9.11/tablib/formats/_yaml.py
+@@ -46,7 +46,7 @@ def import_book(dbook, in_stream):
+ 
+ dbook.wipe()
+ 
+-for sheet in yaml.load(in_stream):
++for sheet in yaml.safe_load(in_stream):
+ data = tablib.Dataset()
+ data.title = sheet['title']
+ data.dict = sheet['data']
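
Review bot: only the yaml.load() call in import_book() is switched to yaml.safe_load(); this 17-line patch has a single hunk, so any other yaml.load() call on untrusted input in tablib/formats/_yaml.py would stay unsafe after this update. Please grep the file for remaining "yaml.load(" calls before upload and extend the patch if any are found.
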
diff -Nru python-tablib-0.9.11/debian/patches/series 
python-tablib-0.9.11/debian/patches/series
--- python-tablib-0.9.11/debian/patches/series  1970-01-01 01:00:00.0 
+0100
+++ python-tablib-0.9.11/debian/patches/series  2017-10-24 21:15:19.0 
+0200
@@ -0,0 +1 @@
+CVE-2017-2810-use_safe_load.patch
--- End Message ---
--- Begin Message ---
Version: 8.10

Hi,

Each of the updates referenced in these bugs was included in this
morning's jessie point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#881900: marked as done (stretch-pu: package libofx/1:0.9.10-2+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #881900,
regarding stretch-pu: package libofx/1:0.9.10-2+deb9u1
to be marked as done.


-- 
881900: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881900
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,
Upstream has fixed 2 CVE (CVE-2017-2816 and CVE-2017-14731), these 2
CVE are non-dsa. I already backported patches to unstable/testing and
now I would like to fix the Stretch and Jessie versions. Please find
attached a debdiff for Stretch.

Best,
Dylan


libofx_0.9.10-2+deb9u1.debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#879850: marked as done (stretch-pu: package sqldeveloper-package/0.2.4+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #879850,
regarding stretch-pu: package sqldeveloper-package/0.2.4+deb9u1
to be marked as done.


-- 
879850: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879850
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello release team,

I have prepared a re-upload of 0.2.4+nmu1 (upload done: 879070) targeting
stretch to fix RC bug #868673 which makes this packaging wrapper unusable in
stretch.

* Package name: sqldeveloper-package
  Version : 0.2.4+deb9u1
  Upstream Author : Lazarus Long
* URL : https://tracker.debian.org/pkg/sqldeveloper-package
* License : GPL-3+
  Section : contrib/misc

It builds those binary packages:

  sqldeveloper-package - Oracle SQL Developer Debian package builder

To access further information about this package, please visit the following
URL:

  https://mentors.debian.net/package/sqldeveloper-package


Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/contrib/s/sqldeveloper-package/sqldeveloper-package_0.2.4+deb9u1.dsc

More information about sqldeveloper-package can be obtained from:

  https://manpages.debian.org/make-sqldeveloper-package

Changes since the last upload:

diff -Nru sqldeveloper-package-0.2.4/debian/changelog sqldeveloper-
package-0.2.4+deb9u1/debian/changelog
--- sqldeveloper-package-0.2.4/debian/changelog 2012-11-14 11:12:14.0
+
+++ sqldeveloper-package-0.2.4+deb9u1/debian/changelog  2017-10-26
14:00:01.0 +0100
@@ -1,3 +1,11 @@
+sqldeveloper-package (0.2.4+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Add required '--' before debian/rules target (Closes: #868673)
+  * Add --no-tgz-check as sqldeveloper is non-free
+
+ -- Phil Morrell   Thu, 26 Oct 2017 14:00:01 +0100
+
 sqldeveloper-package (0.2.4) unstable; urgency=high

   * Addressed bugs for inclusion in Wheezy's freeze:
diff -Nru sqldeveloper-package-0.2.4/make-sqldeveloper-package sqldeveloper-
package-0.2.4+deb9u1/make-sqldeveloper-package
--- sqldeveloper-package-0.2.4/make-sqldeveloper-package2012-11-14
11:03:19.0 +
+++ sqldeveloper-package-0.2.4+deb9u1/make-sqldeveloper-package 2017-07-31
12:50:06.0 +0100
@@ -1021,7 +1021,7 @@
return 1
fi

-   DEBUILD_OPTS="--no-lintian binary"
+   DEBUILD_OPTS="--no-lintian --no-tgz-check -- binary"

if [ -n "${ROOTCMD}" ] ; then
DEBUILD_OPTS="--rootcmd=${ROOTCMD} ${DEBUILD_OPTS}"
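
Review bot: the script gets no comment explaining the two new debuild arguments in DEBUILD_OPTS; the reason for "--" (required before the debian/rules target, #868673) and for --no-tgz-check is recorded only in the changelog. A one-line comment above the assignment would keep a later editor from dropping them. The placement works with the context lines that follow, since --rootcmd=${ROOTCMD} is prepended and therefore stays ahead of the "--" separator.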

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en (charmap=UTF-8)

--
Phil Morrell (emorrp1)
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#880861: marked as done (jessie-pu: package icu/52.1-8+deb8u6)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #880861,
regarding jessie-pu: package icu/52.1-8+deb8u6
to be marked as done.


-- 
880861: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880861
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi OSRMs,

There's a security vulnerability[1] in ICU - International Components
for Unicode, which doesn't warrant a DSA. It's a one-line change and
would be good to have it for Jessie.

Thanks for considering,
Laszlo/GCS
[1] https://security-tracker.debian.org/tracker/CVE-2017-14952
diff -Nru icu-52.1/debian/changelog icu-52.1/debian/changelog
--- icu-52.1/debian/changelog	2017-04-17 08:41:59.0 +
+++ icu-52.1/debian/changelog	2017-10-24 17:28:29.0 +
@@ -1,3 +1,10 @@
+icu (52.1-8+deb8u6) jessie; urgency=high
+
+  * Backport upstream security fix for CVE-2017-14952: double free in
+createMetazoneMappings() (closes: #878840).
+
+ -- Laszlo Boszormenyi (GCS)   Tue, 24 Oct 2017 17:28:29 +
+
 icu (52.1-8+deb8u5) jessie-security; urgency=high
 
   * Backport upstream security fix for CVE-2017-7867 and CVE-2017-7868,
diff -Nru icu-52.1/debian/patches/CVE-2017-14952.patch icu-52.1/debian/patches/CVE-2017-14952.patch
--- icu-52.1/debian/patches/CVE-2017-14952.patch	1970-01-01 00:00:00.0 +
+++ icu-52.1/debian/patches/CVE-2017-14952.patch	2017-10-24 17:28:29.0 +
@@ -0,0 +1,10 @@
+Index: source/i18n/zonemeta.cpp
+===
+--- a/source/i18n/zonemeta.cpp	(revision 40283)
 b/source/i18n/zonemeta.cpp	(revision 40324)
+@@ -686,5 +686,4 @@
+ if (U_FAILURE(status)) {
+ delete mzMappings;
+-deleteOlsonToMetaMappingEntry(entry);
+ uprv_free(entry);
+ break;
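
Review bot: CVE-2017-14952.patch has no description header; it starts straight at "Index: source/i18n/zonemeta.cpp" and the only provenance is the revision pair 40283/40324. Please add Description, Origin and Bug-Debian (#878840 per the changelog) fields so the backport can be traced. The change itself leaves uprv_free(entry) as the single release of entry on the U_FAILURE(status) path, which matches the double-free description.
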
diff -Nru icu-52.1/debian/patches/series icu-52.1/debian/patches/series
--- icu-52.1/debian/patches/series	2017-04-17 08:41:59.0 +
+++ icu-52.1/debian/patches/series	2017-10-24 17:28:29.0 +
@@ -24,3 +24,4 @@
 CVE-2016-6293.patch  
 CVE-2016-7415.patch
 CVE-2017-7867_CVE-2017-7868.patch
+CVE-2017-14952.patch
--- End Message ---
--- Begin Message ---
Version: 8.10

Hi,

Each of the updates referenced in these bugs was included in this
morning's jessie point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#880123: marked as done (jessie-pu: package syslinux/3:6.03+dfsg-5+deb8u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #880123,
regarding jessie-pu: package syslinux/3:6.03+dfsg-5+deb8u1
to be marked as done.


-- 
880123: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880123
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal
X-Debbugs-CC: debian...@lists.debian.org, debian-b...@lists.debian.org, 
k...@debian.org

Dear release team,

I hereby ask for permission to update the syslinux package in jessie as
well.  The update fixes a bug in the isolinux isohybrid MBR causing boot
failures with some old BIOS [1].

The bug is already fixed in unstable/testing and the update for stretch,
which also includes this fix, has just been approved [2].

I tested the build in an sbuild jessie chroot and the updated package
builds the correct isohdpfx.bin file (identical to the one currently in
unstable/testing).  The debdiff is attached.

Thank you
Lukas

[1] https://bugs.debian.org/879004
[2] https://bugs.debian.org/879773
diff -Nru syslinux-6.03+dfsg/debian/changelog syslinux-6.03+dfsg/debian/changelog
--- syslinux-6.03+dfsg/debian/changelog	2015-08-18 17:23:09.0 +0200
+++ syslinux-6.03+dfsg/debian/changelog	2017-10-29 19:12:43.0 +0100
@@ -1,3 +1,11 @@
+syslinux (3:6.03+dfsg-5+deb8u2) jessie; urgency=medium
+
+  * Add patch from upstream to fix boot problem for old BIOS firmware from
+around 2005 by correcting the C/H/S order (thanks Thomas Schmitt,
+Closes: #879004).
+
+ -- Lukas Schwaighofer   Sun, 29 Oct 2017 19:12:43 +0100
+
 syslinux (3:6.03+dfsg-5+deb8u1) jessie; urgency=low
 
   * Cherry-pick upstream patches that fix booting on some Chromebooks
diff -Nru syslinux-6.03+dfsg/debian/patches/0017-isohdpfx.S-correct-heads-sectors.patch syslinux-6.03+dfsg/debian/patches/0017-isohdpfx.S-correct-heads-sectors.patch
--- syslinux-6.03+dfsg/debian/patches/0017-isohdpfx.S-correct-heads-sectors.patch	1970-01-01 01:00:00.0 +0100
+++ syslinux-6.03+dfsg/debian/patches/0017-isohdpfx.S-correct-heads-sectors.patch	2017-10-29 19:12:43.0 +0100
@@ -0,0 +1,50 @@
+From: Martin Str|mberg 
+Date: Sun, 26 Mar 2017 07:32:11 -0400
+Subject: mbr/isohdpfx.S: correct stack for heads/sectors
+
+Heads and sectors were pushed in reverse order per isolinux.asm
+(bb519a95 reversed the order of heads/sectors on the stack).
+
+If anything goes wrong, clear CX in case it contains garbage.
+
+Signed-off-by: Gene Cumm 
+
+Bug-Debian: https://bugs.debian.org/879004
+Origin: upstream, quashed two commits together:
+ http://git.zytor.com/syslinux/syslinux.git/commit/?id=32c09027423f61c305e2423e52f5f69ecad8e2c0
+ http://git.zytor.com/syslinux/syslinux.git/commit/?id=8739e2ff9ba3f92652c8df846924fd00e1ce2753
+---
+ mbr/isohdpfx.S | 10 ++
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/mbr/isohdpfx.S b/mbr/isohdpfx.S
+index 17e1efe..4b107e4 100644
+--- a/mbr/isohdpfx.S
 b/mbr/isohdpfx.S
+@@ -167,20 +167,22 @@ next:
+ 	   read_sector_cbios: movb $0x42, %ah ;  jmp read_common */
+ 	movl	$0xeb42b4+((read_common-read_sector_cbios-4) << 24), \
+ 		(read_sector_cbios)
+-	jmp	1f
++	jmp	2f
+ 1:
++	xor	%cx, %cx	/* Clear EBIOS flag. */
++2:
+ 	popw	%dx
+ 	pushw	%cx		/* EBIOS flag */
+ 
+ 	/* Get (C)HS geometry */
+ 	movb	$0x08, %ah
+ 	int	$0x13
+-	andw	$0x3f, %cx	/* Sector count */
+ 	popw	%bx		/* EBIOS flag */
+-	pushw	%cx		/* -16: Save sectors on the stack */
+ 	movzbw	%dh, %ax	/* dh = max head */
+ 	incw	%ax		/* From 0-based max to count */
+-	pushw	%ax		/* -18: Save heads on the stack */
++	pushw	%ax		/* -16: Save heads on the stack */
++	andw	$0x3f, %cx	/* Sector count */
++	pushw	%cx		/* -18: Save sectors on the stack */
+ 	mulw	%cx		/* Heads*sectors -> sectors per cylinder */
+ 
+ 	pushw	%bx		/* -20: EBIOS flag */
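
Review bot: the hunk swaps which value lands in the -16 and -18 stack slots (heads now at -16, sectors at -18), but none of the code that reads those slots is visible, so the review cannot confirm that the readers agree with the new layout. Please state in the patch description which consumers were checked; the commit message only points to isolinux.asm and bb519a95. Moving "andw $0x3f, %cx" down still leaves it ahead of "mulw %cx", so the heads*sectors product is computed from the masked sector count as before. The header also has "quashed" for "squashed" and a mis-encoded author name ("Str|mberg").
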
diff -Nru syslinux-6.03+dfsg/debian/patches/series syslinux-6.03+dfsg/debian/patches/series
--- syslinux-6.03+dfsg/debian/patches/series	2015-08-18 17:13:25.0 +0200
+++ syslinux-6.03+dfsg/debian/patches/series	2017-10-29 19:12:43.0 +0100
@@ -4,3 +4,4 @@
 0004-gnu-efi-git.patch
 0005-load-linux-correct-type.patch
 0006-load-linux-protected-mode.patch
+0017-isohdpfx.S-correct-heads-sectors.patch


--- End Message ---
--- Begin Message ---
Version: 8.10

Hi,

E

Bug#880895: marked as done (jessie-pu: package libdbi/0.9.0-4+deb8u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #880895,
regarding jessie-pu: package libdbi/0.9.0-4+deb8u1
to be marked as done.


-- 
880895: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880895
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi OSRMs,

I got a private bugreport (and so I can't reference it) that libdbi is
inconsistent on error handling of the dbi_result_next_row() function.
Some digging revealed that the error handler was commented out[1] years
ago with other changes. Asked upstream about that, who confirmed it
was not intended to comment out the proper error handling. He
immediately re-enabled it[2] in the Git tree.
I don't think this has any security impact (treat bad input as normal
data), but it would be good to have consistent error handling in the
libdbi library.

Thanks for considering,
Laszlo/GCS
[1] https://sourceforge.net/p/libdbi/libdbi/ci/7f31b680238ea464e9bad9ef97cf411a3635af55/
[2] https://sourceforge.net/p/libdbi/libdbi/ci/88b8477d57153b9f736dd19d432d3b7ab1c49073/
diff -Nru libdbi-0.9.0/debian/changelog libdbi-0.9.0/debian/changelog
--- libdbi-0.9.0/debian/changelog	2014-11-01 16:12:02.0 +0100
+++ libdbi-0.9.0/debian/changelog	2017-10-29 19:18:56.0 +0100
@@ -1,3 +1,10 @@
+libdbi (0.9.0-4+deb8u1) jessie; urgency=medium
+
+  * Backport fix to re-enable a call to _error_handler() that was commented
+out for no obvious reason in dbi_result_next_row() .
+
+ -- Laszlo Boszormenyi (GCS)   Sun, 29 Oct 2017 18:18:56 +
+
 libdbi (0.9.0-4) unstable; urgency=medium
 
   * Backport fix for double-free in dbi_shutdown_r() (closes: #764130).
diff -Nru libdbi-0.9.0/debian/patches/re-enable_call_to_error_handler.patch libdbi-0.9.0/debian/patches/re-enable_call_to_error_handler.patch
--- libdbi-0.9.0/debian/patches/re-enable_call_to_error_handler.patch	1970-01-01 01:00:00.0 +0100
+++ libdbi-0.9.0/debian/patches/re-enable_call_to_error_handler.patch	2017-10-29 19:18:56.0 +0100
@@ -0,0 +1,19 @@
+commit 88b8477d57153b9f736dd19d432d3b7ab1c49073
+Author: mhoenicka 
+Date:   Sat Oct 28 01:54:33 2017 +0200
+
+re-enabled a call to _error_handler() that was commented out for no obvious reason
+
+diff --git a/src/dbi_result.c b/src/dbi_result.c
+index 232d0ec..1e1b0be 100644
+--- a/src/dbi_result.c
 b/src/dbi_result.c
+@@ -174,7 +174,7 @@ int dbi_result_next_row(dbi_result Result) {
+   _reset_conn_error(RESULT->conn);
+ 
+   if (!dbi_result_has_next_row(Result)) {
+-/* _error_handler(RESULT->conn, DBI_ERROR_BADIDX); */
++_error_handler(RESULT->conn, DBI_ERROR_BADIDX);
+ return 0;
+   }
+   return dbi_result_seek_row(Result, RESULT->currowidx+1);
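
Review bot: with _error_handler(RESULT->conn, DBI_ERROR_BADIDX) re-enabled inside the !dbi_result_has_next_row(Result) branch, every caller that loops until dbi_result_next_row() returns 0 will now reach the error handler at the normal end of a result set, not only on bad input. That is a behaviour change for a stable update, so please describe in the changelog how existing callers are affected and whether the reverse dependencies in jessie were tested. The patch header would also benefit from an Origin field pointing at upstream commit 88b8477d57153b9f736dd19d432d3b7ab1c49073.
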
diff -Nru libdbi-0.9.0/debian/patches/series libdbi-0.9.0/debian/patches/series
--- libdbi-0.9.0/debian/patches/series	2014-11-01 16:02:53.0 +0100
+++ libdbi-0.9.0/debian/patches/series	2017-10-29 19:18:56.0 +0100
@@ -1,3 +1,4 @@
 fix_memory_leak_if_not_connected.patch
 fix_possible_access_to_unallocated_memory.patch
 fix_double-free_in_dbi_shutdown_r.patch
+re-enable_call_to_error_handler.patch
--- End Message ---
--- Begin Message ---
Version: 8.10

Hi,

Each of the updates referenced in these bugs was included in this
morning's jessie point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#881415: marked as done (stretch-pu: python2.7/2.7.13-2+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #881415,
regarding stretch-pu: python2.7/2.7.13-2+deb9u1
to be marked as done.


-- 
881415: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881415
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I would like to upload python2.7 to fix a problem that it can't
talk to SSL/TLS sites that use an ECDSA certificate different than
P256, like a P384 certificate.

Here is the debdiff:
diff -u python2.7-2.7.13/debian/changelog python2.7-2.7.13/debian/changelog
--- python2.7-2.7.13/debian/changelog
+++ python2.7-2.7.13/debian/changelog
@@ -1,3 +1,10 @@
+python2.7 (2.7.13-2+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload with maintainer's permission
+  * Support all groups in TLS communication (Closes: #868143)
+
+ -- Kurt Roeckx   Thu, 09 Nov 2017 21:58:19 +0100
+
 python2.7 (2.7.13-2) unstable; urgency=medium
 
   * Lower priority of interpreter packages to optional.
diff -u python2.7-2.7.13/debian/patches/series.in 
python2.7-2.7.13/debian/patches/series.in
--- python2.7-2.7.13/debian/patches/series.in
+++ python2.7-2.7.13/debian/patches/series.in
@@ -71,0 +72 @@
+Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff
only in patch2:
unchanged:
--- 
python2.7-2.7.13.orig/debian/patches/Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff
+++ python2.7-2.7.13/debian/patches/Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff
@@ -0,0 +1,28 @@
+From 97a145398ce7e36eb355f1fd75011ddbcb37d1b3 Mon Sep 17 00:00:00 2001
+From: Donald Stufft 
+Date: Thu, 2 Mar 2017 11:24:50 -0500
+Subject: [PATCH] bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+
+
+---
+ Modules/_ssl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: python2.7-2.7.13/Modules/_ssl.c
+===
+--- python2.7-2.7.13.orig/Modules/_ssl.c
 python2.7-2.7.13/Modules/_ssl.c
+@@ -2166,12 +2166,12 @@ context_new(PyTypeObject *type, PyObject
+ options |= SSL_OP_NO_SSLv3;
+ SSL_CTX_set_options(self->ctx, options);
+ 
+-#ifndef OPENSSL_NO_ECDH
++#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
+ /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
+prime256v1 by default.  This is Apache mod_ssl's initialization
+policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
+  */
+-#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1)
++#if defined(SSL_CTX_set_ecdh_auto)
+ SSL_CTX_set_ecdh_auto(self->ctx, 1);
+ #else
+ {
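Review bot: the embedded patch header stops at From/Date/Subject, with no description and no pointer back to the Debian bug, although debian/changelog closes #868143 with this change; a Bug-Debian line and one sentence on why the fallback must not run on OpenSSL 1.1 would make the stable review easier. In the _ssl.c hunk, moving !defined(OPENSSL_VERSION_1_1) to the outer #if means that on 1.1 both SSL_CTX_set_ecdh_auto and the #else fallback are compiled out, so the inner test is only reached on older OpenSSL; saying so in the header would document the intent.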
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#880439: marked as done (stretch-pu: package getmail4/4.53.0-2+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #880439,
regarding stretch-pu: package getmail4/4.53.0-2+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
880439: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880439
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I just uploaded to the stable-proposed-upload.

This stable package was based on 4.53.0 which was released right before
the Stretch release.  Since then, upstream found a regression in 4.53.0
and released its specific fix as 4.54.0.

I had packaged it as 4.53.0-2 to sid and had no problem migrating to
testing.  Its changes are in patch file for your review.

This upload is a simple repackaging under stretch chroot to pass the
benefit to the stable package without risk.  Please accept this to the
next stable release.

The testing will package new getmail version 5 series.  They carry more
changes and will not be uploaded like this to stable.  Also most likely,
its package name will be changed to simple "getmail".

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#880862: marked as done (stretch-pu: package icu/57.1-6+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #880862,
regarding stretch-pu: package icu/57.1-6+deb9u1
to be marked as done.


-- 
880862: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880862
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi SRMs,

There's a security vulnerability[1] in ICU - International Components
for Unicode, which doesn't warrant a DSA. It's a one-line change and
would be good to have it for Stretch.

Thanks for considering,
Laszlo/GCS
[1] https://security-tracker.debian.org/tracker/CVE-2017-14952
diff -Nru icu-57.1/debian/changelog icu-57.1/debian/changelog
--- icu-57.1/debian/changelog	2017-04-16 08:50:52.0 +
+++ icu-57.1/debian/changelog	2017-10-24 17:28:30.0 +
@@ -1,3 +1,10 @@
+icu (57.1-6+deb9u1) stretch; urgency=high
+
+  * Backport upstream security fix for CVE-2017-14952: double free in
+createMetazoneMappings() (closes: #878840).
+
+ -- Laszlo Boszormenyi (GCS)   Tue, 24 Oct 2017 17:28:30 +
+
 icu (57.1-6) unstable; urgency=high
 
   * Backport upstream security fix for CVE-2017-7867 and CVE-2017-7868,
diff -Nru icu-57.1/debian/patches/CVE-2017-14952.patch icu-57.1/debian/patches/CVE-2017-14952.patch
--- icu-57.1/debian/patches/CVE-2017-14952.patch	1970-01-01 00:00:00.0 +
+++ icu-57.1/debian/patches/CVE-2017-14952.patch	2017-10-24 17:28:30.0 +
@@ -0,0 +1,10 @@
+Index: source/i18n/zonemeta.cpp
+===
+--- a/source/i18n/zonemeta.cpp	(revision 40283)
 b/source/i18n/zonemeta.cpp	(revision 40324)
+@@ -682,5 +682,4 @@
+ if (U_FAILURE(status)) {
+ delete mzMappings;
+-deleteOlsonToMetaMappingEntry(entry);
+ uprv_free(entry);
+ break;
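Review bot: in the U_FAILURE(status) branch, once deleteOlsonToMetaMappingEntry(entry) is gone the only release of entry is uprv_free(entry); please confirm that nothing entry owns at that point is left unreleased on this error path. The patch file also starts directly at Index: with no header, so a short description plus the CVE id and a reference to #878840 from the changelog should be added at the top.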
diff -Nru icu-57.1/debian/patches/series icu-57.1/debian/patches/series
--- icu-57.1/debian/patches/series	2017-04-16 08:50:35.0 +
+++ icu-57.1/debian/patches/series	2017-10-24 17:28:30.0 +
@@ -10,3 +10,4 @@
 CVE-2016-6293.patch
 CVE-2016-7415.patch
 CVE-2017-7867_CVE-2017-7868.patch
+CVE-2017-14952.patch
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#879629: marked as done (stretch-pu: package libdatetime-timezone-perl/1:2.09-1+2017c)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #879629,
regarding stretch-pu: package libdatetime-timezone-perl/1:2.09-1+2017c
to be marked as done.


-- 
879629: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879629
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I've prepared an update for libdatetime-timezone-perl in stretch which
incorporates the changes from the Olson db 2017c release.
The changes are in a quilt patch and touch only the data files in
lib/DateTime/TimeZone.

2017c contains recent changes to a couple of timezones, the first
change happening this weekend (2017-10-29) in North Cyprus, so this
might be material for stretch-updates before a next point release.
Cf. https://mm.icann.org/pipermail/tz-announce/2017-October/47.html

A manually stripped down debdiff is attached.


Cheers,
gregor

diff -Nru libdatetime-timezone-perl-2.09/debian/changelog 
libdatetime-timezone-perl-2.09/debian/changelog
--- libdatetime-timezone-perl-2.09/debian/changelog 2017-03-24 
20:02:23.0 +0100
+++ libdatetime-timezone-perl-2.09/debian/changelog 2017-10-23 
19:24:29.0 +0200
@@ -1,3 +1,11 @@
+libdatetime-timezone-perl (1:2.09-1+2017c) UNRELEASED; urgency=medium
+
+  * Update to Olson database version 2017c.
+This update contains contemporary changes for Northern Cyprus, Fiji,
+Namibia, Sudan, Tonga, and Turks & Caicos.
+
+ -- gregor herrmann   Mon, 23 Oct 2017 19:24:29 +0200
+
 libdatetime-timezone-perl (1:2.09-1+2017b) unstable; urgency=medium
 
   * Update to Olson database version 2017b.
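Review bot: the new changelog entry still names UNRELEASED as its distribution; for an upload to stable it has to read stretch before the package is built, otherwise the archive will not accept the upload for that suite. The entry text itself is fine for a data-only update.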
diff -Nru libdatetime-timezone-perl-2.09/debian/patches/olson-2017c 
libdatetime-timezone-perl-2.09/debian/patches/olson-2017c
--- libdatetime-timezone-perl-2.09/debian/patches/olson-2017c   1970-01-01 
01:00:00.0 +0100
+++ libdatetime-timezone-perl-2.09/debian/patches/olson-2017c   2017-10-23 
19:24:29.0 +0200
@@ -0,0 +1,11512 @@
+Description: update to olson db 2017c
+Origin: vendor
+Author: gregor herrmann 
+Last-Update: 2017-10-23
+
+--- a/lib/DateTime/TimeZone/Africa/Abidjan.pm
 b/lib/DateTime/TimeZone/Africa/Abidjan.pm
+@@ -3,7 +3,7 @@
+ # DateTime::TimeZone module distribution in the tools/ directory
+ 
+ #
+-# Generated from debian/tzdata/africa.  Olson data version 2017b
++# Generated from debian/tzdata/africa.  Olson data version 2017c
+ #
+ # Do not edit this file directly.
+ #
+@@ -43,7 +43,7 @@
+ ],
+ ];
+ 
+-sub olson_version {'2017b'}
++sub olson_version {'2017c'}
+ 
+ sub has_dst_changes {0}
+ 
+--- a/lib/DateTime/TimeZone/Asia/Famagusta.pm
 b/lib/DateTime/TimeZone/Asia/Famagusta.pm
+@@ -3,7 +3,7 @@
+ # DateTime::TimeZone module distribution in the tools/ directory
+ 
+ #
+-# Generated from debian/tzdata/asia.  Olson data version 2017b
++# Generated from debian/tzdata/asia.  Olson data version 2017c
+ #
+ # Do not edit this file directly.
+ #
+@@ -799,18 +799,216 @@
+ ],
+ [
+ 63608965200, #utc_start 2016-09-07 21:00:00 (Wed)
+-DateTime::TimeZone::INFINITY, #  utc_end
++63644922000, #  utc_end 2017-10-29 01:00:00 (Sun)
+ 63608976000, #  local_start 2016-09-08 00:00:00 (Thu)
+-DateTime::TimeZone::INFINITY, #local_end
++63644932800, #local_end 2017-10-29 04:00:00 (Sun)
+ 10800,
+ 0,
+ '+03',
+

Bug#879773: marked as done (stretch-pu: package syslinux/3:6.03+dfsg-14.1+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #879773,
regarding stretch-pu: package syslinux/3:6.03+dfsg-14.1+deb9u1
to be marked as done.


-- 
879773: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879773
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal
X-Debbugs-CC: debian...@lists.debian.org, debian-b...@lists.debian.org, 
k...@debian.org


Dear release team and other involved parties,

I hereby ask for permission to update the syslinux package in stretch.
There has been a short discussion about this on debian-cd already [1].
The request is about fixing the following three problems:

1. Booting from ext4 filesystems created with Debian stretch does not
   work, because ext4's 64bit feature is enabled by default (since
   Debian stretch) and not supported by syslinux [2].
2. Booting from btrfs does not work either for a similar reason [3].
3. A bug in the isolinux isohybrid MBR causing boot failures with some
   old BIOS [4].

[1] https://lists.debian.org/debian-cd/2017/10/msg00032.html
[2] https://bugs.debian.org/833057
[3] https://bugs.debian.org/865462
[4] https://bugs.debian.org/879004

Problems 1 and 2 are regressions from jessie (due to changes in default
options when creating ext4/btrfs filesystems), while problem 3 affects
jessie as well.  The fix for each of the three bugs has been
cherry-picked from upstream and has a reasonably sized diff.  Debian
testing and unstable already have the fixes.

I've tested the proposed version.  In those tests, the problems 1 and 2
were solved as expected.  As for problem 3, I've verified that the
isohdpfx.bin image built is identical to a known good and tested
version.  Additionally we got a report that the debian-cd images for
testing (which are built using the fixed isohdpfx.bin) boot correctly on
affected hardware [5].

A debdiff of the proposed update is attached.  Alternatively it's also
available from the debian/stretch branch of the git repository [6].

Thank you for your time and consideration
Lukas

PS: If this request gets ACKed, I also intend to fix the isohybrid MBR
in jessie (as advised by Steve McIntyre).

[5] https://bugs.debian.org/857597#117
[6] https://anonscm.debian.org/git/debian-cd/syslinux.git


syslinux_6.03+dfsg-14.1+deb9u1.debdiff
Description: Binary data

--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#880630: marked as done (jessie-pu: package liblouis/2.5.3-3)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #880630,
regarding jessie-pu: package liblouis/2.5.3-3
to be marked as done.


-- 
880630: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880630
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello,

Bug#880621 reports that Jessie is affected by CVE-2014-8184.  I'm
proposing to upload there the RedHat fix plus a fix for that fix (it
didn't actually take care of issues in the strncpy call). Debdiff is
attached.

Samuel

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-debug'), (500, 'oldoldstable'), (500, 
'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 
'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru liblouis-2.5.3/debian/changelog liblouis-2.5.3/debian/changelog
--- liblouis-2.5.3/debian/changelog 2014-06-24 23:33:27.0 +0200
+++ liblouis-2.5.3/debian/changelog 2017-11-03 01:14:02.0 +0100
@@ -1,3 +1,10 @@
+liblouis (2.5.3-3+deb8u1) jessie; urgency=medium
+
+  * Apply RedHat's patch to fix CVE-2014-8184 (Closes: Bug#880621).
+  * Fix RedHat's patch.
+
+ -- Samuel Thibault   Fri, 03 Nov 2017 01:14:02 +0100
+
 liblouis (2.5.3-3) unstable; urgency=low
 
   [ Samuel Thibault ]
diff -Nru liblouis-2.5.3/debian/patches/CVE-2014-8184 
liblouis-2.5.3/debian/patches/CVE-2014-8184
--- liblouis-2.5.3/debian/patches/CVE-2014-8184 1970-01-01 01:00:00.0 
+0100
+++ liblouis-2.5.3/debian/patches/CVE-2014-8184 2017-11-03 01:14:02.0 
+0100
@@ -0,0 +1,99 @@
+https://github.com/liblouis/liblouis/issues/425
+https://bugzilla.redhat.com/show_bug.cgi?id=1492701
+https://access.redhat.com/errata/RHSA-2017:3111
+
+From 2fe2b279994e3ed70bae461e284702cc1c7d4665 Mon Sep 17 00:00:00 2001
+From: Raphael Sanchez Prudencio 
+Date: Mon, 18 Sep 2017 18:44:31 +0200
+Subject: [PATCH 5/7] Fix multiple stack-based buffer overflows in findTable().
+
+Fixes CVE-2014-8184.
+---
+ liblouis/compileTranslationTable.c | 35 +++
+ 1 file changed, 11 insertions(+), 24 deletions(-)
+
+diff --git a/liblouis/compileTranslationTable.c 
b/liblouis/compileTranslationTable.c
+index ec4963f0..25c0208f 100644
+--- a/liblouis/compileTranslationTable.c
 b/liblouis/compileTranslationTable.c
+@@ -4502,8 +4502,7 @@ findTable (const char *tableName)
+   char trialPath[MAXSTRING];
+   if (tableName == NULL || tableName[0] == 0)
+ return NULL;
+-  strcpy (trialPath, tablePath);
+-  strcat (trialPath, tableName);
++  snprintf (trialPath, MAXSTRING-1, "%s%s", tablePath, tableName);
+   if ((tableFile = fopen (trialPath, "rb")))
+ return tableFile;
+   pathEnd[0] = DIR_SEP;
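Review bot: in this first findTable() hunk the return value of snprintf (trialPath, MAXSTRING-1, ...) is ignored, so an over-long tablePath plus tableName is silently cut and the shortened name is what reaches fopen; suggest comparing the result against the buffer size and returning NULL when it does not fit. The size argument can be sizeof (trialPath), since snprintf already reserves room for the terminator.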
+@@ -4522,18 +4521,15 @@ findTable (const char *tableName)
+   break;
+   if (k == listLength || k == 0)
+ { /* Only one file */
+-  strcpy (trialPath, pathList);
+-  strcat (trialPath, pathEnd);
+-  strcat (trialPath, tableName);
++  snprintf (trialPath, MAXSTRING-1, "%s%s%s", pathList, pathEnd, 
tableName);
+   if ((tableFile = fopen (trialPath, "rb")))
+ break;
+ }
+   else
+ { /* Compile a list of files */
+-  strncpy (trialPath, pathList, k);
+-  trialPath[k] = 0;
+-  strcat (trialPath, pathEnd);
+-  strcat (trialPath, tableName);
++  char path[MAXSTRING];
++  strncpy (path, pathList, k);
++  snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, 
tableName);
+   currentListPos = k + 1;
+   if ((tableFile = fopen (trialPath, "rb")))
+ break;
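Review bot: in the "Compile a list of files" branch, strncpy (path, pathList, k) is not bounded by the size of path and writes no terminator when pathList is longer than k (the removed trialPath[k] = 0; has no replacement), so the following snprintf reads %s from a buffer that may be unterminated. Suggest rejecting k >= MAXSTRING and setting path[k] = 0 before the snprintf, or dropping the intermediate copy and formatting the prefix with "%.*s".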
+@@ -4542,11 +4538,8 @@ findTable (const char *tableName)
+   for (k = currentListPos; k < listLength; k++)
+ if (pathList[k] == ',')
+   break;
+-  strncpy (trialPath,
+-  
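
The bounded path construction that the liblouis request above is about, as an added example that is not part of the thread or of liblouis itself. The function names, the value of MAXSTRING, the string form of DIR_SEP and the sample path list are assumptions made for illustration; it shows why strncpy alone leaves the buffer unterminated and one way to build each candidate path with truncation treated as an error.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define MAXSTRING 256   /* assumed value; the page shows only the macro name */
#define DIR_SEP   "/"   /* assumed; the patch uses a DIR_SEP character via pathEnd */

/* Returns 1 when strncpy(dst, src, k) wrote no terminator at dst[k].
 * The buffer is pre-filled so the check never reads indeterminate bytes. */
int strncpy_leaves_unterminated(void)
{
    const char *src = "/usr/share/liblouis/tables,/opt/louis"; /* constructed */
    char dst[16];
    size_t k = 4;

    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, k);      /* copies "/usr"; src is longer than k, so no '\0' */
    return dst[k] == 'X';
}

/* Build "<first dirlen bytes of dir><sep><name>" in out.
 * Returns 0 on success, -1 on bad arguments or when the result does not fit. */
int join_table_path(char *out, size_t outsz,
                    const char *dir, size_t dirlen,
                    const char *sep, const char *name)
{
    int n;

    if (out == NULL || outsz == 0 || dir == NULL || sep == NULL || name == NULL)
        return -1;
    out[0] = '\0';
    if (dirlen > INT_MAX)      /* the precision argument of "%.*s" is an int */
        return -1;
    /* "%.*s" copies at most dirlen bytes of dir, so no intermediate
     * strncpy buffer (and no missing terminator) is involved. */
    n = snprintf(out, outsz, "%.*s%s%s", (int)dirlen, dir, sep, name);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';         /* never hand a truncated path to fopen() */
        return -1;
    }
    return 0;
}

/* Produce the next candidate from a comma-separated directory list.
 * Returns 1 with the path in out, 0 when the list is exhausted,
 * -1 when this entry was too long and has been skipped. */
int next_candidate(const char *list, size_t *pos, const char *name,
                   char *out, size_t outsz)
{
    size_t len = strlen(list), start = *pos, k;

    if (start >= len)
        return 0;
    for (k = start; k < len && list[k] != ','; k++)
        ;
    *pos = k + 1;
    return join_table_path(out, outsz, list + start, k - start,
                           DIR_SEP, name) == 0 ? 1 : -1;
}

int main(void)
{
    const char *list = "/usr/share/liblouis/tables,/opt/louis"; /* constructed */
    char path[MAXSTRING];
    size_t pos = 0;
    int rc;

    printf("strncpy left dst unterminated: %d\n", strncpy_leaves_unterminated());
    while ((rc = next_candidate(list, &pos, "en-us-g2.ctb", path, sizeof path)) != 0)
        printf("%s\n", rc == 1 ? path : "(skipped: path too long)");
    return 0;
}
```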

Bug#880020: marked as done (stretch-pu: package lxc/1:2.0.7-2+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #880020,
regarding stretch-pu: package lxc/1:2.0.7-2+deb9u1
to be marked as done.


-- 
880020: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880020
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi, this update brings two changes, both needed for ci.debian.net:

lxc (1:2.0.7-2+deb9u1) stretch; urgency=medium

  * 0003-lxc-debian-don-t-hardcode-valid-releases.patch: don't
hardcode list of valid Debian release. Allows creating stable, buster,
testing, and unstable containers.
  * 0004-lxc-debian-don-t-write-C.-locales-to-etc-locale.gen.patch: don't
insert C.* locales into /etc/locale.gen (Closes: #879595)

 -- Antonio Terceiro   Fri, 27 Oct 2017 15:13:31 -0200

The first will allow to create containers with our "symlink" release
names, i.e. stable, testing, etc, and also removes the need to make a
new change after buster is released to add support for creating bullseye
containers.

The second fixes an issue where the C.UTF-8 locale, used by debci, is
injected into /etc/locale.gen in containers, causing warnings that can
cause bogus test failures under autopkgtest.

The diff is attached.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8), 
LANGUAGE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index d7d10c1..512a09d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+lxc (1:2.0.7-2+deb9u1) stretch; urgency=medium
+
+  * 0003-lxc-debian-don-t-hardcode-valid-releases.patch: don't
+hardcode list of valid Debian release. Allows creating stable, buster,
+testing, and unstable containers.
+  * 0004-lxc-debian-don-t-write-C.-locales-to-etc-locale.gen.patch: don't
+insert C.* locales into /etc/locale.gen (Closes: #879595)
+
+ -- Antonio Terceiro   Fri, 27 Oct 2017 15:13:31 -0200
+
 lxc (1:2.0.7-2) unstable; urgency=high
 
   * use bash-completion's pkg-config support and don't move files around
diff --git a/debian/patches/0003-lxc-debian-don-t-hardcode-valid-releases.patch b/debian/patches/0003-lxc-debian-don-t-hardcode-valid-releases.patch
new file mode 100644
index 000..b57c3be
--- /dev/null
+++ b/debian/patches/0003-lxc-debian-don-t-hardcode-valid-releases.patch
@@ -0,0 +1,51 @@
+From: Antonio Terceiro 
+Date: Thu, 26 Oct 2017 20:42:49 -0200
+Subject: lxc-debian: don't hardcode valid releases
+
+This avoids the dance of updating the list of valid releases every time
+Debian makes a new release.
+
+It also fixes the following bug: even though lxc-debian will default to
+creating containers of the latest stable by querying the archive, it
+won't allow you to explicitly request `stable` because the current list
+of valid releases don't include it.
+
+Last, but not least, avoid hitting the mirror in the case the desired
+release is one of the ones we know will always be there, i.e. stable,
+testing, sid, and unstable.
+
+Signed-off-by: Antonio Terceiro 
+
+
+
+This is a combination of upstream commits
+61fa13293d735d922ba6e5ceb66f6d8718f1a829 and
+dba285d5dfa7e9f3452dc180e64158d9bedfb410
+---
+ templates/lxc-debian.in | 13 +++--
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
+index 54ada05..f6dbd4f 100644
+--- a/templates/lxc-debian.in
 b/templates/lxc-debian.in
+@@ -623,12 +623,13 @@ if [ "$(id -u)" != "0" ]; then
+ exit 1
+ fi
+ 
+-current_release=$(wget "${MIRROR}/dists/stable/Release" -O - 2> /dev/null | head |awk '/^Codename: (.*)$/ { print $2; }')
+-release=${release:-${current_release}}
+-valid_releases=('wheezy' 'jessie' 'stretch' 'sid')
+-if [[ ! "${valid_releases[*]}" =~ (^|[^[:alpha:]])$release([^[:alpha:]]|$) ]]; then
+-echo "Invalid release ${release}, valid ones are: ${valid_releases[*]}"
+-exit 1
++

Bug#878668: marked as done (stretch-pu: package simutrans/120.1.3+repack-3)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #878668,
regarding stretch-pu: package simutrans/120.1.3+repack-3
to be marked as done.


-- 
878668: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878668
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I would like to fix Debian bug #869029 [1] in Stretch. It is currently
not possible to enable sound for simutrans which was not intended.

The solution for Stretch differs from Buster/Sid. In Stretch the
0500-config.diff patch is applied but the configuration options are
overwritten during the auto-reconfiguration step. There are multiple
ways to correct this issue and I opted for patching configure.ac
directly. I simply changed the backend from SDL to mixer_sdl and now
the sound is working again.

Please find attached the debdiff for Stretch. Jessie is not affected.

Regards,

Markus

[1] https://bugs.debian.org/869029
diff -Nru simutrans-120.1.3+repack/debian/changelog 
simutrans-120.1.3+repack/debian/changelog
--- simutrans-120.1.3+repack/debian/changelog   2016-11-17 11:03:50.0 
+0100
+++ simutrans-120.1.3+repack/debian/changelog   2017-10-15 01:03:51.0 
+0200
@@ -1,3 +1,11 @@
+simutrans (120.1.3+repack-3+deb9u1) stretch; urgency=medium
+
+  * Team upload.
+  * Enable sound for simutrans again. Switch from SDL to mixer_sdl backend.
+(Closes: #869029)
+
+ -- Markus Koschany   Sun, 15 Oct 2017 01:03:51 +0200
+
 simutrans (120.1.3+repack-3) unstable; urgency=medium
 
   [ Jörg Frings-Fürst ]
diff -Nru simutrans-120.1.3+repack/debian/patches/mixer-sdl.patch 
simutrans-120.1.3+repack/debian/patches/mixer-sdl.patch
--- simutrans-120.1.3+repack/debian/patches/mixer-sdl.patch 1970-01-01 
01:00:00.0 +0100
+++ simutrans-120.1.3+repack/debian/patches/mixer-sdl.patch 2017-10-15 
01:03:51.0 +0200
@@ -0,0 +1,27 @@
+From: Markus Koschany 
+Date: Sun, 15 Oct 2017 01:02:45 +0200
+Subject: mixer sdl
+
+Enable sound for simutrans.
+
+Bug-Debian: https://bugs.debian.org/869029
+---
+ configure.ac | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 05a2143..f447a3f 100644
+--- a/configure.ac
 b/configure.ac
+@@ -74,9 +74,9 @@ then
+   AC_MSG_WARN([Using SDL2 backend!])
+ elif test "$ac_cv_lib_SDL_SDL_Init" == yes
+ then
+-  AC_SUBST(backend, sdl)
++  AC_SUBST(backend, mixer_sdl)
+   AC_SUBST(color, 16)
+-  AC_MSG_WARN([Using SDL backend!])
++  AC_MSG_WARN([Using Mixer SDL backend!])
+ elif test "$ac_cv_lib_allegro_get_desktop_resolution" == yes
+ then
+   AC_SUBST(backend, allegro)
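Review bot: in the branch guarded by test "$ac_cv_lib_SDL_SDL_Init" == yes the backend becomes mixer_sdl, but the condition still only establishes that libSDL was found; nothing visible here checks for SDL_mixer, so a build environment without it may select a backend it cannot build. Suggest confirming that the package build-depends on the SDL_mixer development package, or adding a check for it to this branch. The == in that test context line is a bashism; = is the portable form.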
diff -Nru simutrans-120.1.3+repack/debian/patches/series 
simutrans-120.1.3+repack/debian/patches/series
--- simutrans-120.1.3+repack/debian/patches/series  2016-11-17 
11:03:50.0 +0100
+++ simutrans-120.1.3+repack/debian/patches/series  2017-10-15 
01:03:51.0 +0200
@@ -6,3 +6,4 @@
 #0510-missing_uncommon_mk.patch
 reproducible-build.patch
 sha1.patch
+mixer-sdl.patch
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#879702: marked as done (stretch-pu: package python-tablib/0.9.11-2 (CVE-2017-2810))

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #879702,
regarding stretch-pu: package python-tablib/0.9.11-2 (CVE-2017-2810)
to be marked as done.


-- 
879702: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879702
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

The attached debdiff shows the fix for CVE-2017-2810. The package is
available here:

http://sid.gplhost.com/stretch-proposed-updates/python-tablib/

The security team thinks we should go for a stretch-pu. Please allow me
to upload the fix.

Should I upload the .changes including the orig file?

Cheers,

Thomas Goirand (zigo)
diff -Nru python-tablib-0.9.11/debian/changelog 
python-tablib-0.9.11/debian/changelog
--- python-tablib-0.9.11/debian/changelog   2013-05-12 14:21:10.0 
+0200
+++ python-tablib-0.9.11/debian/changelog   2017-10-24 21:15:19.0 
+0200
@@ -1,3 +1,9 @@
+python-tablib (0.9.11-2+deb9u1) stretch; urgency=low
+
+  * CVE-2017-2810: apply upstream patch: use safe load (Closes: #864818).
+
+ -- Thomas Goirand   Tue, 24 Oct 2017 21:15:19 +0200
+
 python-tablib (0.9.11-2) unstable; urgency=low
 
   * Uploading to unstable.
diff -Nru python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch 
python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch
--- python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch   
1970-01-01 01:00:00.0 +0100
+++ python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch   
2017-10-24 21:15:19.0 +0200
@@ -0,0 +1,17 @@
+Description: use safe load
+Author: Kenneth Reitz 
+Origin: 
https://github.com/kennethreitz/tablib/commit/69abfc3ada5d754cb152119c0b4777043657cb6e
+Bug-Debian: https://bugs.debian.org/864818
+Last-Update: 2017-10-24
+
+--- python-tablib-0.9.11.orig/tablib/formats/_yaml.py
 python-tablib-0.9.11/tablib/formats/_yaml.py
+@@ -46,7 +46,7 @@ def import_book(dbook, in_stream):
+ 
+ dbook.wipe()
+ 
+-for sheet in yaml.load(in_stream):
++for sheet in yaml.safe_load(in_stream):
+ data = tablib.Dataset()
+ data.title = sheet['title']
+ data.dict = sheet['data']
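Review bot: this hunk switches only the yaml.load call inside import_book to yaml.safe_load; please confirm with a grep that no other yaml.load( call remains in tablib/formats/_yaml.py, because any remaining one would keep constructing arbitrary objects from the input stream. If another loader path exists in that file it should be converted in the same patch.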
diff -Nru python-tablib-0.9.11/debian/patches/series 
python-tablib-0.9.11/debian/patches/series
--- python-tablib-0.9.11/debian/patches/series  1970-01-01 01:00:00.0 
+0100
+++ python-tablib-0.9.11/debian/patches/series  2017-10-24 21:15:19.0 
+0200
@@ -0,0 +1 @@
+CVE-2017-2810-use_safe_load.patch
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#879215: marked as done (stretch-pu: package live-config/5.20170112)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #879215,
regarding stretch-pu: package live-config/5.20170112
to be marked as done.


-- 
879215: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879215
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

[ debian-cd/debian-live in copy. ]

Hi,

We've been having issues with KDE live images, and since this popped up
on #debian-cd again, a few days ago, I've looked into backporting a fix
from unstable to stable. The source debdiff is attached, and here's the 
changelog entry:
| live-config (5.20170112+deb9u1) stretch; urgency=medium
| 
|   [ Cyril Brulebois ]
|   * Cherry-pick the change below to improve KDE live images.
| 
|   [ Алексей Шилин ]
|   * Add components/0085-sddm to configure autologin for KDE / Plasma live
| images. Closes: #865382.
| 
|  -- Cyril Brulebois   Fri, 20 Oct 2017 16:53:40 +0200

Until this gets reviewed and ACK/NACKed by the release team, I've pushed
a stretch branch to live-config.git, except for the final “dch -r”, in
case something needs fixing before the upload.

Thanks for your attention & time.


KiBi.
diff -Nru live-config-5.20170112/components/0085-sddm 
live-config-5.20170112+deb9u1/components/0085-sddm
--- live-config-5.20170112/components/0085-sddm 1970-01-01 01:00:00.0 
+0100
+++ live-config-5.20170112+deb9u1/components/0085-sddm  2017-10-19 
13:18:15.0 +0200
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+## live-config(7) - System Configuration Components
+## Copyright (C) 2006-2015 Daniel Baumann 
+##
+## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
+## This is free software, and you are welcome to redistribute it
+## under certain conditions; see COPYING for details.
+
+
+#set -e
+
+Cmdline ()
+{
+   # Reading kernel command line
+   for _PARAMETER in ${LIVE_CONFIG_CMDLINE}
+   do
+   case "${_PARAMETER}" in
+   live-config.noautologin|noautologin)
+   LIVE_CONFIG_NOAUTOLOGIN="true"
+   ;;
+
+   live-config.nox11autologin|nox11autologin)
+   LIVE_CONFIG_NOX11AUTOLOGIN="true"
+   ;;
+
+   live-config.username=*|username=*)
+   LIVE_USERNAME="${_PARAMETER#*username=}"
+   ;;
+   esac
+   done
+}
+
+Init ()
+{
+   # Disables both console and graphical autologin.
+   case "${LIVE_CONFIG_NOAUTOLOGIN}" in
+   true)
+   exit 0
+   ;;
+   esac
+
+   # Disables graphical autologin, no matter what mechanism
+   case "${LIVE_CONFIG_NOX11AUTOLOGIN}" in
+   true)
+   exit 0
+   ;;
+   esac
+
+   # Checking if package is installed or already configured
+   if [ ! -e /var/lib/dpkg/info/sddm.list ] || \
+  [ -e /var/lib/live/config/sddm ]
+   then
+   exit 0
+   fi
+
+   echo -n " sddm"
+}
+
+Config ()
+{
+   # autologin
+   if [ -n "${LIVE_USERNAME}" ]
+   then
+   cat > /etc/sddm.conf << EOF
+[Autologin]
+User=${LIVE_USERNAME}
+Session=plasma.desktop
+EOF
+   fi
+
+   # Avoid xinit
+   touch /var/lib/live/config/xinit
+
+   # Creating state file
+   touch /var/lib/live/config/sddm
+}
+
+Cmdline
+Init
+Config
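Review bot: In Config(), `cat > /etc/sddm.conf << EOF` replaces the whole file, so any sddm.conf an image builder already shipped is lost as soon as autologin is configured; consider rewriting only the [Autologin] section, or skipping the write when the file already has one. The two touch calls for /var/lib/live/config/xinit and /var/lib/live/config/sddm also run when LIVE_USERNAME is empty, which marks the component as done and suppresses xinit although no autologin was written; either move them inside the `if [ -n "${LIVE_USERNAME}" ]` block or add a comment saying this is intended. LIVE_USERNAME comes from the kernel command line and is expanded into the file as is, so a short check that it is a valid login name before writing would be cheap.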
diff -Nru live-config-5.20170112/debian/changelog 
live-config-5.20170112+deb9u1/debian/changelog
--- live-config-5.20170112/debian/changelog 2017-01-12 18:11:22.0 
+0100
+++ live-config-5.20170112+deb9u1/debian/changelog  2017-10-20 
16:53:40.0 +0200
@@ -1,3 +1,14 @@
+live-config (5.20170112+deb9u1) stretch; urgency=medium
+
+  [ Cyril Brulebois ]
+  * Cherry-pick the change below to improve KDE live images.
+
+  [ Алексей Шилин ]
+  * Add components/0085-sddm to configure autologin for KDE / Plasma live
+images. Closes: #865382.
+
+ -- Cyril Brulebois   Fri, 20 Oct 2017 16:53:40 +0200
+
 live-config (5.20170112) unstable; urgency=medium
 
   * Team upload.
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was include

Bug#879599: marked as done (stretch-pu: package charmtimetracker/1.11.4-1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #879599,
regarding stretch-pu: package charmtimetracker/1.11.4-1
to be marked as done.


-- 
879599: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879599
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hey,

charmtimetracker is currently not installable in stable (#873918), this
pu fixes this. Additionally I also fixed #873917, to have a better
wording in the short description. I made sure that it still builds for stable
on amd64.

Best Regards,

sandro

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 
'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru charmtimetracker-1.11.4/debian/changelog 
charmtimetracker-1.11.4/debian/changelog
--- charmtimetracker-1.11.4/debian/changelog2016-11-10 09:33:30.0 
+0100
+++ charmtimetracker-1.11.4/debian/changelog2017-10-23 11:20:46.0 
+0200
@@ -1,3 +1,12 @@
+charmtimetracker (1.11.4-1+deb9u1) stretch; urgency=medium
+
+  * Fix "Missing binary dependency on libqt5sql5-sqlite" (Closes: #873918)
+- Adding libqt5sql5-sqlite to depends list of charmtimetracker.
+  * Fix "Please drop "Cross-Platform" from package description" rewrite
+discription for the pacakge (Closes: #873917)
+
+ -- Sandro Knauß   Mon, 23 Oct 2017 11:20:46 +0200
+
 charmtimetracker (1.11.4-1) unstable; urgency=medium
 
   [ Sandro Knauß ]
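Review bot: The second bullet of the new changelog entry has two typos, "discription" and "pacakge", and the nested quotes make it hard to read; since this text ships in the stable package, something like `* Drop "Cross-Platform" from the package description (Closes: #873917)` would be cleaner.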
diff -Nru charmtimetracker-1.11.4/debian/control 
charmtimetracker-1.11.4/debian/control
--- charmtimetracker-1.11.4/debian/control  2016-11-10 09:27:15.0 
+0100
+++ charmtimetracker-1.11.4/debian/control  2017-10-23 11:20:46.0 
+0200
@@ -20,8 +20,8 @@
 
 Package: charmtimetracker
 Architecture: any
-Depends: ${misc:Depends}, ${shlibs:Depends}
-Description: Cross-Platform Time Tracker
+Depends: libqt5sql5-sqlite, ${misc:Depends}, ${shlibs:Depends}
+Description: a task based Time Tracker
  It is built around two major ideas - tasks and events.
  Tasks are the things time is spend on, repeatedly. Tasks
  are done in events.
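Review bot: The new synopsis line `Description: a task based Time Tracker` starts with an article, which the Debian synopsis convention asks to omit; "task-based time tracker" would fit. The explicit `libqt5sql5-sqlite` in Depends is needed because ${shlibs:Depends} cannot see a Qt SQL driver plugin that is loaded at run time, and a one-line comment in debian/control saying so would keep someone from dropping it later.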
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#878685: marked as done (stretch-pu: package udftools/1.3-2)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #878685,
regarding stretch-pu: package udftools/1.3-2
to be marked as done.


-- 
878685: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878685
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Package udftools in version 1.3-1 has specified an incorrect path to the
pktsetup binary in the /etc/init.d/udftools init script, which causes the
init script to not work at all. The binary path was changed from bin to
sbin upstream between 1.2 and 1.3.

It leads to the reported bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878180

This problem is fixed in udftools version 1.3-2, which is now
available in sid and buster. The diff between versions 1.3-1 and 1.3-2
is attached and contains just the fix for this problem. Please update
udftools to version 1.3-2 for stretch as well, to make the /etc/init.d/udftools
init script work again in stretch.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=sk_SK.UTF-8, LC_CTYPE=sk_SK.UTF-8 (charmap=UTF-8), LANGUAGE=sk_SK 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru udftools-1.3/debian/changelog udftools-1.3/debian/changelog
--- udftools-1.3/debian/changelog   2017-01-24 00:28:05.0 +0100
+++ udftools-1.3/debian/changelog   2017-10-03 21:41:57.0 +0200
@@ -1,3 +1,9 @@
+udftools (1.3-2) unstable; urgency=low
+
+  * Fix path to pktsetup in udftools init script
+
+ -- Pali Rohár   Tue, 03 Oct 2017 21:41:57 +0200
+
 udftools (1.3-1) unstable; urgency=low
 
   * New upstream release
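Review bot: The new changelog entry is `udftools (1.3-2) unstable`, which is the version and distribution the request says is already in sid and buster; an upload to stretch needs `stretch` as the distribution and a version that sorts below 1.3-2, for example 1.3-1+deb9u1, so that the stable build does not collide with the one in the newer suites.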
diff -Nru udftools-1.3/debian/udftools.init udftools-1.3/debian/udftools.init
--- udftools-1.3/debian/udftools.init   2017-01-24 00:26:46.0 +0100
+++ udftools-1.3/debian/udftools.init   2017-10-03 21:40:26.0 +0200
@@ -30,7 +30,7 @@
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin
 DESC="udftools packet writing"
-PKTSETUP=/usr/bin/pktsetup
+PKTSETUP=/usr/sbin/pktsetup
 DEFAULTFILE=/etc/default/udftools
 DEVICES=""
 NEWINTNAMES="0 1 2 3"
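Review bot: `PKTSETUP=/usr/sbin/pktsetup` hard-codes the location again, which is exactly what broke when upstream moved the binary from bin to sbin. The script sets PATH=/sbin:/bin:/usr/sbin:/usr/bin two lines above, so resolving pktsetup through PATH, with an early exit when it is not found, would survive the next move.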
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#879630: marked as done (jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2017c)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #879630,
regarding jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2017c
to be marked as done.


-- 
879630: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879630
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

I've prepared an update for libdatetime-timezone-perl in jessie which
incorporates the changes from the Olson db 2017c release.
The changes are in a quilt patch and touch only the data files in
lib/DateTime/TimeZone.

2017c contains recent changes to a couple of timezones, the first
change happening this weekend (2017-10-29) in North Cyprus, so this
might be material for jessie-updates before a next point release.
Cf. https://mm.icann.org/pipermail/tz-announce/2017-October/47.html

A manually stripped down debdiff is attached.


Cheers,
gregor

diff -Nru libdatetime-timezone-perl-1.75/debian/changelog 
libdatetime-timezone-perl-1.75/debian/changelog
--- libdatetime-timezone-perl-1.75/debian/changelog 2017-04-02 
22:32:45.0 +0200
+++ libdatetime-timezone-perl-1.75/debian/changelog 2017-10-23 
19:10:12.0 +0200
@@ -1,3 +1,11 @@
+libdatetime-timezone-perl (1:1.75-2+2017c) UNRELEASED; urgency=medium
+
+  * Update to Olson database version 2017c.
+This update contains contemporary changes for Northern Cyprus, Fiji,
+Namibia, Sudan, Tonga, and Turks & Caicos.
+
+ -- gregor herrmann   Mon, 23 Oct 2017 19:10:12 +0200
+
 libdatetime-timezone-perl (1:1.75-2+2017b) jessie; urgency=medium
 
   * Update to Olson database version 2017b.
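Review bot: The distribution in the new changelog entry is still `UNRELEASED`; it has to be changed to `jessie` before the upload. The entry lists the affected zones, which is helpful; adding the first effective date mentioned in the request (2017-10-29) would tell users why the update is urgent.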
diff -Nru libdatetime-timezone-perl-1.75/debian/patches/olson-2017c 
libdatetime-timezone-perl-1.75/debian/patches/olson-2017c
--- libdatetime-timezone-perl-1.75/debian/patches/olson-2017c   1970-01-01 
01:00:00.0 +0100
+++ libdatetime-timezone-perl-1.75/debian/patches/olson-2017c   2017-10-23 
19:10:12.0 +0200
@@ -0,0 +1,11569 @@
+Description: update to olson db 2017c
+Origin: vendor
+Author: gregor herrmann 
+Last-Update: 2017-10-23
+
+--- a/lib/DateTime/TimeZone/Africa/Abidjan.pm
 b/lib/DateTime/TimeZone/Africa/Abidjan.pm
+@@ -3,7 +3,7 @@
+ # DateTime::TimeZone module distribution in the tools/ directory
+ 
+ #
+-# Generated from debian/tzdata/africa.  Olson data version 2017b
++# Generated from debian/tzdata/africa.  Olson data version 2017c
+ #
+ # Do not edit this file directly.
+ #
+@@ -39,7 +39,7 @@
+ ],
+ ];
+ 
+-sub olson_version { '2017b' }
++sub olson_version { '2017c' }
+ 
+ sub has_dst_changes { 0 }
+ 
+--- a/lib/DateTime/TimeZone/Asia/Famagusta.pm
 b/lib/DateTime/TimeZone/Asia/Famagusta.pm
+@@ -3,7 +3,7 @@
+ # DateTime::TimeZone module distribution in the tools/ directory
+ 
+ #
+-# Generated from debian/tzdata/asia.  Olson data version 2017b
++# Generated from debian/tzdata/asia.  Olson data version 2017c
+ #
+ # Do not edit this file directly.
+ #
+@@ -795,18 +795,216 @@
+ ],
+ [
+ 63608965200, #utc_start 2016-09-07 21:00:00 (Wed)
+-DateTime::TimeZone::INFINITY, #  utc_end
++63644922000, #  utc_end 2017-10-29 01:00:00 (Sun)
+ 63608976000, #  local_start 2016-09-08 00:00:00 (Thu)
+-DateTime::TimeZone::INFINITY, #local_end
++63644932800, #local_end 2017-10-29 04:00:00 (Sun)
+ 10800,
+ 0,
+ '+03',
+ 

Bug#878576: marked as done (stretch-pu: package berusky/1.7-1+b1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #878576,
regarding stretch-pu: package berusky/1.7-1+b1
to be marked as done.


-- 
878576: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878576
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I would like to update berusky in Stretch. The Jessie version is not
affected. The game crashes on startup with certain video card
configurations. This makes the game unplayable.

This is Debian bug #877979.
https://bugs.debian.org/877979

The issue is already fixed in sid and buster. Please find attached the
debdiff for stretch.

Regards,

Markus
diff -Nru berusky-1.7/debian/changelog berusky-1.7/debian/changelog
--- berusky-1.7/debian/changelog2016-06-12 13:50:54.0 +0200
+++ berusky-1.7/debian/changelog2017-10-14 19:55:16.0 +0200
@@ -1,3 +1,10 @@
+berusky (1.7-1+deb9u1) stretch; urgency=medium
+
+  * Add crash-on-startup.patch and fix the startup crash with certain
+video card configurations. (Closes: #877979)
+
+ -- Markus Koschany   Sat, 14 Oct 2017 19:55:16 +0200
+
 berusky (1.7-1) unstable; urgency=medium
 
   * Imported Upstream version 1.7. (Closes: #687690)
diff -Nru berusky-1.7/debian/patches/crash-on-startup.patch 
berusky-1.7/debian/patches/crash-on-startup.patch
--- berusky-1.7/debian/patches/crash-on-startup.patch   1970-01-01 
01:00:00.0 +0100
+++ berusky-1.7/debian/patches/crash-on-startup.patch   2017-10-14 
19:55:16.0 +0200
@@ -0,0 +1,24 @@
+From: Markus Koschany 
+Date: Sat, 14 Oct 2017 19:53:16 +0200
+Subject: crash on startup
+
+Bug-Debian: https://bugs.debian.org/877979
+---
+ src/2d_graph.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/2d_graph.h b/src/2d_graph.h
+index 1f012dd..1a66076 100644
+--- a/src/2d_graph.h
 b/src/2d_graph.h
+@@ -749,7 +749,9 @@ public:
+   void check(void);
+ 
+   graph_2d(tpos dx, tpos dy, int depth, bool fullscreen) 
+-: store(SURFACES, SPRITES), 
++  : p_screen_surface(NULL),
++  p_screen(NULL),
++  store(SURFACES, SPRITES),
+   rect_last(0)
+   {
+ /* sdl init */
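Review bot: The patch header says only "crash on startup" and gives no cause; the hunk shows the graph_2d constructor now setting p_screen_surface and p_screen to NULL, so please add a Description stating that these pointers were read before being assigned. Also check that the initialiser order (p_screen_surface, p_screen, store, rect_last) matches the member declaration order in the class, since C++ initialises members in declaration order and a mismatch produces a -Wreorder warning.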
diff -Nru berusky-1.7/debian/patches/series berusky-1.7/debian/patches/series
--- berusky-1.7/debian/patches/series   2016-06-12 13:50:54.0 +0200
+++ berusky-1.7/debian/patches/series   2017-10-14 19:55:16.0 +0200
@@ -3,3 +3,4 @@
 05-no-editor.patch
 11-german-po.patch
 12-locale.patch
+crash-on-startup.patch
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#877627: marked as done (stretch-pu: package kde-gtk-config/5.8.6-1+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #877627,
regarding stretch-pu: package kde-gtk-config/5.8.6-1+deb9u1
to be marked as done.


-- 
877627: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877627
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: debian-qt-...@lists.debian.org


Dear release team,

I would like to push a fix for src:kde-gtk-config package in stable. Without
this fix package kde-config-gtk-style lacks one very convenient feature
(previewing GTK+ 2.x and GTK+ 3.x themes before applying them) and package
kde-config-gtk-style-preview is absolutely useless (because binaries from it
cannot be used).

Proposed changes have been applied in package in unstable since 04 Aug 2017
(kde-gtk-config/4:5.10.4-1) and all works fine.

Please consider accepting this as a stretch-pu.

Thanks,
Boris
diff -Nru kde-gtk-config-5.8.6/debian/changelog kde-gtk-config-5.8.6/debian/changelog
--- kde-gtk-config-5.8.6/debian/changelog	2017-03-14 17:23:29.0 +0300
+++ kde-gtk-config-5.8.6/debian/changelog	2017-10-03 17:31:46.0 +0300
@@ -1,3 +1,15 @@
+kde-gtk-config (4:5.8.6-1+deb9u1) stable; urgency=medium
+
+  * Update debian/rules:
+set DATA_INSTALL_DIR variable in configuration options: it is required
+for correct search of preview.ui file in gtk*_preview programs.
+(These programs have not been working since version 4:5.1.95-0ubuntu1)
+  * Add patch fix-search-of-gtk-preview-executables.
+It is required for showing preview buttons in KDE-GTK-config UI.
+(These buttons have not been working since version 4:5.1.95-0ubuntu1)
+
+ -- Boris Pek   Tue, 03 Oct 2017 17:31:46 +0300
+
 kde-gtk-config (4:5.8.6-1) unstable; urgency=medium
 
   * New upstream release (5.8.6)
diff -Nru kde-gtk-config-5.8.6/debian/patches/fix-search-of-gtk-preview-executables.patch kde-gtk-config-5.8.6/debian/patches/fix-search-of-gtk-preview-executables.patch
--- kde-gtk-config-5.8.6/debian/patches/fix-search-of-gtk-preview-executables.patch	1970-01-01 03:00:00.0 +0300
+++ kde-gtk-config-5.8.6/debian/patches/fix-search-of-gtk-preview-executables.patch	2017-08-04 17:00:50.0 +0300
@@ -0,0 +1,43 @@
+Forwarded: no
+Description: Fix search of gtk*_preview executables
+ Due to Debian multiarch support gtk_preview and gtk3_preview executables are
+ installed into non-standard path (/usr/lib/*/libexec/) which is out of
+ search scope of QStandardPaths::findExecutable() function.
+ .
+ This patch is required for showing preview buttons in KDE-GTK-config UI.
+Author: Boris Pek 
+Last-Update: 2017-08-04
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+--- a/CMakeLists.txt
 b/CMakeLists.txt
+@@ -26,6 +26,8 @@
+ 
+ # Set KI18n translation domain
+ add_definitions(-DTRANSLATION_DOMAIN=\"kde-gtk-config\")
++add_definitions(-DCMAKE_INSTALL_PREFIX=\"${CMAKE_INSTALL_PREFIX}\")
++add_definitions(-DLIBEXEC_INSTALL_DIR=\"${LIBEXEC_INSTALL_DIR}\")
+ 
+ set(kcm_SRCS
+  src/iconthemesmodel.cpp
+diff --git a/src/gtkconfigkcmodule.cpp b/src/gtkconfigkcmodule.cpp
+--- a/src/gtkconfigkcmodule.cpp
 b/src/gtkconfigkcmodule.cpp
+@@ -87,6 +87,17 @@
+ QString gtk2Preview = QStandardPaths::findExecutable("gtk_preview");
+ QString gtk3Preview = QStandardPaths::findExecutable("gtk3_preview");
+ 
++// KStandardDirs::findExe was replaced by QStandardPaths::findExecutable
++// in a wrong way. See for details:
++// https://community.kde.org/Frameworks/Porting_Notes/KStandardDirs
++static const QString searchPath = CMAKE_INSTALL_PREFIX "/" LIBEXEC_INSTALL_DIR;
++if(gtk2Preview.isEmpty()) {
++gtk2Preview = QStandardPaths::findExecutable("gtk_preview", QStringList() << searchPath);
++}
++if(gtk3Preview.isEmpty()) {
++gtk3Preview = QStandardPaths::findExecutable("gtk3_preview", QStringList() << searchPath);
++}
++
+ m_p2 = new KProcess(this);
+ m_p2->setEnv("GTK2_RC_FILES", m_tempGtk2Preview, true);
+ if(!gtk2Preview.isEmpty()) {
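Review bot: `searchPath = CMAKE_INSTALL_PREFIX "/" LIBEXEC_INSTALL_DIR` in gtkconfigkcmodule.cpp assumes LIBEXEC_INSTALL_DIR is relative to the prefix; if the build passes an absolute libexec directory, the concatenation yields a path that does not exist and the preview buttons stay hidden without any diagnostic. Please confirm which form the Debian build passes, or pass the full libexec path as a single definition. Defining a preprocessor macro named CMAKE_INSTALL_PREFIX also reuses a well-known CMake variable name, so a project-specific macro name would be clearer, and since the header says `Forwarded: no`, a note on why this is Debian-only would help.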
diff -Nru kde-gtk-config-5.8.6/debian/patches/series kde-gtk-config-5.8.6/debian/patches/series
--- kde-gtk-config-5.8.6/debian/patches/series	1970-01-01 03:00:00.0 +0300
+++ kde-gtk-config-5.8.6/debian/patches/series	2017-08-04 17:00:50.0 +0300
@@ -0,0 +1 @@
+fi

Bug#878996: marked as done (stretch-pu: package xrdp/0.9.1-9)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #878996,
regarding stretch-pu: package xrdp/0.9.1-9
to be marked as done.


-- 
878996: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878996
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Dear stable release managers,

I would like to update xrdp in stretch.

xrdp 0.9.1-9 has a bug marked as important in the BTS, causing xrdp to
go into an endless loop when shutting down an SSL context and causing
very high load on the system when it does.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876976

Find attached the debdiff between the current stable version and the
proposed update.

Cheers,
Nik

- -- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en 
(charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru xrdp-0.9.1/debian/changelog xrdp-0.9.1/debian/changelog
--- xrdp-0.9.1/debian/changelog 2017-05-04 18:59:10.0 +0200
+++ xrdp-0.9.1/debian/changelog 2017-10-18 11:56:31.0 +0200
@@ -1,3 +1,11 @@
+xrdp (0.9.1-9+deb9u1) stable; urgency=medium
+
+  * Fix high CPU load on SSL shutdown. (Closes: #876976)
++ xrdp could in some situations cause permanent high load on a
+  system if an SSL shutdown got into an endless loop.
+
+ -- Dominik George   Wed, 18 Oct 2017 11:56:31 +0200
+
 xrdp (0.9.1-9) unstable; urgency=high
 
   * Revisit incomplete fix for CVE-2017-6967. (Closes: #858143)
diff -Nru xrdp-0.9.1/debian/patches/fix-876976.patch 
xrdp-0.9.1/debian/patches/fix-876976.patch
--- xrdp-0.9.1/debian/patches/fix-876976.patch  1970-01-01 01:00:00.0 
+0100
+++ xrdp-0.9.1/debian/patches/fix-876976.patch  2017-10-18 11:53:29.0 
+0200
@@ -0,0 +1,16 @@
+From: Jay Sorg 
+Origin: 
https://github.com/neutrinolabs/xrdp/commit/2c96908ea500880c71d3593dd2b2b5b5275bdbf5
+Subject: if SSL_shutdown fails, only call one more time
+Bug: https://github.com/neutrinolabs/xrdp/issues/872
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876976
+--- a/common/ssl_calls.c
 b/common/ssl_calls.c
+@@ -754,7 +754,7 @@ ssl_tls_disconnect(struct ssl_tls *self)
+ return 0;
+ }
+ status = SSL_shutdown(self->ssl);
+-while (status != 1)
++if (status != 1)
+ {
+ status = SSL_shutdown(self->ssl);
+ if (status <= 0)
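Review bot: With `if (status != 1)` in ssl_tls_disconnect, a first SSL_shutdown() that returns a negative value (an error, as opposed to 0, which means "not finished, call again") still triggers the second call, and the `if (status <= 0)` branch is the only place the failure is seen. Distinguishing `status == 0` (retry once) from `status < 0` (inspect SSL_get_error and stop) would make the bounded retry match the OpenSSL return values. A short comment saying why the `while` was removed (endless loop, #876976) would keep it from being reintroduced.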
diff -Nru xrdp-0.9.1/debian/patches/series xrdp-0.9.1/debian/patches/series
--- xrdp-0.9.1/debian/patches/series2017-04-27 12:48:33.0 +0200
+++ xrdp-0.9.1/debian/patches/series2017-10-18 11:50:09.0 +0200
@@ -10,3 +10,4 @@
 kb_jp.diff
 highres.diff
 cve-2017-6967.diff
+fix-876976.patch
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#878173: marked as done (stretch-pu: package pdns/4.0.3-1+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #878173,
regarding stretch-pu: package pdns/4.0.3-1+deb9u1
to be marked as done.


-- 
878173: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878173
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

pdns before 4.0.4 replies incorrectly to DNS questions with the
DNSSEC query bit (DO) set, when the query also uses the "0x20"
mechanism to increase spoofing resistance.

Unfortunately this is the configuration letsencrypt uses to check
for CAA records on domains. This implies letsencrypt being broken
for all users that have domains on pdns from stretch.

Upstream has fixed this in 4.0.4, but that didn't make it into
stretch.

There is more discussion on this in Debian bug #869222 and
at https://github.com/PowerDNS/pdns/issues/5546 and at
https://community.letsencrypt.org/t/caa-servfail-changes/38298/2

I have imported a minimal patch from upstream and attached the
debdiff. Please let me know if this looks good or if I got something
wrong.

Thanks,
Chris

diff -Nru pdns-4.0.3/debian/changelog pdns-4.0.3/debian/changelog
--- pdns-4.0.3/debian/changelog 2017-01-19 23:05:09.0 +
+++ pdns-4.0.3/debian/changelog 2017-10-10 18:08:15.0 +
@@ -1,3 +1,9 @@
+pdns (4.0.3-1+deb9u1) stable; urgency=medium
+
+  * Fix incorrect qname casing in NSEC3 generation (Closes: #869222)
+
+ -- Christian Hofstaedtler   Tue, 10 Oct 2017 18:08:15 +
+
 pdns (4.0.3-1) unstable; urgency=medium
 
   * New upstream version 4.0.3, fixing bug when running bindbackend
diff -Nru 
pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch 
pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch
--- 
pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch   
1970-01-01 00:00:00.0 +
+++ 
pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch   
2017-10-10 18:08:15.0 +
@@ -0,0 +1,25 @@
+From b91cfe5c069df975176f5fd944540f72fc5d01bb Mon Sep 17 00:00:00 2001
+From: Kees Monshouwer 
+Date: Wed, 3 May 2017 21:49:11 +0200
+Subject: [PATCH] auth: lowercase qname before NSEC generation
+
+[z...@debian.org]: Patch from upstream PR #5289.
+https://github.com/PowerDNS/pdns/commit/b91cfe5c069df975176f5fd944540f72fc5d01bb
+
+---
+ pdns/dnsbackend.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pdns/dnsbackend.cc b/pdns/dnsbackend.cc
+index 4e43ffc2b1..2454d6efb8 100644
+--- a/pdns/dnsbackend.cc
 b/pdns/dnsbackend.cc
+@@ -273,7 +273,7 @@ bool DNSBackend::getBeforeAndAfterNames(uint32_t id, const 
DNSName& zonename, co
+   // lcqname=labelReverse(lcqname);
+   DNSName dnc;
+   string relqname, sbefore, safter;
+-  relqname=labelReverse(makeRelative(qname.toStringNoDot(), 
zonename.toStringNoDot())); // FIXME400
++  relqname=labelReverse(makeRelative(toLower(qname.toStringNoDot()), 
zonename.toStringNoDot()));
+   //sbefore = before.toString();
+   //safter = after.toString();
+   bool ret = this->getBeforeAndAfterNamesAbsolute(id, relqname, dnc, sbefore, 
safter);
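Review bot: on the changed relqname= line only qname goes through toLower(), while zonename.toStringNoDot() is still handed to makeRelative() unchanged. If makeRelative() strips the zone suffix with a case-sensitive comparison, a zone name that arrives in mixed case would still produce a wrong relative name for getBeforeAndAfterNamesAbsolute(). Either lowercase both arguments or say in the patch header that zonename is already canonical lowercase at this point.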
diff -Nru pdns-4.0.3/debian/patches/series pdns-4.0.3/debian/patches/series
--- pdns-4.0.3/debian/patches/series1970-01-01 00:00:00.0 +
+++ pdns-4.0.3/debian/patches/series2017-10-10 18:08:15.0 +
@@ -0,0 +1 @@
+869222-lowercase-qname-before-NSEC-generation.patch
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#877342: marked as done (stretch-pu: package qtcurve/1.8.18+git20160320-3d8622c-3+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #877342,
regarding stretch-pu: package qtcurve/1.8.18+git20160320-3d8622c-3+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
877342: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877342
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I would like to push a fix for qtcurve bug #865765 (crash when using QtCurve
widget style with Breeze preset).

Debdiff looks big but in fact it is very simple: just s/memcmp/strncmp/

Please consider accepting this as a stretch-pu.

Thanks,
Boris
diff -Nru qtcurve-1.8.18+git20160320-3d8622c/debian/changelog qtcurve-1.8.18+git20160320-3d8622c/debian/changelog
--- qtcurve-1.8.18+git20160320-3d8622c/debian/changelog	2016-05-11 23:52:09.0 +0300
+++ qtcurve-1.8.18+git20160320-3d8622c/debian/changelog	2017-09-30 19:37:12.0 +0300
@@ -1,3 +1,11 @@
+qtcurve (1.8.18+git20160320-3d8622c-3+deb9u1) stable; urgency=medium
+
+  * Add patch replace-memcmp-with-strncmp. It fixes crash when using QtCurve
+widget style and Breeze preset. (Closes: #865765)
+[Thanks to Sergey Sharybin]
+
+ -- Boris Pek   Sat, 30 Sep 2017 19:37:12 +0300
+
 qtcurve (1.8.18+git20160320-3d8622c-3) unstable; urgency=medium
 
   * Add workaround-for-kwin-x11-crashes.patch. (Closes: #823674)
diff -Nru qtcurve-1.8.18+git20160320-3d8622c/debian/patches/replace-memcmp-with-strncmp.patch qtcurve-1.8.18+git20160320-3d8622c/debian/patches/replace-memcmp-with-strncmp.patch
--- qtcurve-1.8.18+git20160320-3d8622c/debian/patches/replace-memcmp-with-strncmp.patch	1970-01-01 03:00:00.0 +0300
+++ qtcurve-1.8.18+git20160320-3d8622c/debian/patches/replace-memcmp-with-strncmp.patch	2017-09-07 18:52:54.0 +0300
@@ -0,0 +1,1337 @@
+Description: Replace memcmp with strncmp
+ Do not exceed string buffer length while parsing config file.
+Origin: upstream, https://cgit.kde.org/qtcurve.git/commit/?id=f164a4b69
+Bug: https://bugs.kde.org/show_bug.cgi?id=374046
+Bug-Debian: https://bugs.debian.org/865765
+Last-Update: 2017-08-03
+
+--- a/gtk2/common/config_file.cpp
 b/gtk2/common/config_file.cpp
+@@ -88,17 +88,17 @@
+ {
+ if(str && 0!=str[0])
+ {
+-if(0==memcmp(str, "dashes", 6))
++if(0==strncmp(str, "dashes", 6))
+ return LINE_DASHES;
+-if(0==memcmp(str, "none", 4))
++if(0==strncmp(str, "none", 4))
+ return LINE_NONE;
+-if(0==memcmp(str, "sunken", 6))
++if(0==strncmp(str, "sunken", 6))
+ return LINE_SUNKEN;
+-if(0==memcmp(str, "dots", 4))
++if(0==strncmp(str, "dots", 4))
+ return LINE_DOTS;
+-if(0==memcmp(str, "flat", 4))
++if(0==strncmp(str, "flat", 4))
+ return LINE_FLAT;
+-if(0==memcmp(str, "1dot", 5))
++if(0==strncmp(str, "1dot", 5))
+ return LINE_1DOT;
+ }
+ return def;
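Review bot: the length arguments in this block are inconsistent: strncmp(str, "1dot", 5) includes the terminating NUL and is therefore an exact match, while "dashes", 6, "none", 4 and the rest are prefix matches that also accept longer values such as "nonesense". strncmp stops at the first NUL in str, which is what removes the read past the end of a short config value that memcmp could perform, so the fix itself is sound. If exact matching is intended, use strcmp or sizeof("literal") as the length everywhere so the counts cannot drift from the literals.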
+@@ -108,12 +108,12 @@
+ {
+ if(str && 0!=str[0])
+ {
+-if(0==memcmp(str, "dark", 4))
+-return 0==memcmp(&str[4], "-all", 4) ? TB_DARK_ALL : TB_DARK;
+-if(0==memcmp(str, "none", 4))
++if(0==strncmp(str, "dark", 4))
++return 0==strncmp(&str[4], "-all", 4) ? TB_DARK_ALL : TB_DARK;
++if(0==strncmp(str, "none", 4))
+ return TB_NONE;
+-if(0==memcmp(str, "light", 5))
+-return 0==memcmp(&str[5], "-all", 4) ? TB_LIGHT_ALL : TB_LIGHT;
++if(0==strncmp(str, "light", 5))
++return 0==strncmp(&str[5], "-all", 4) ? TB_LIGHT_ALL : TB_LIGHT;
+ }
+ return def;
+ }
+@@ -122,15 +122,15 @@
+ {
+ if(str && 0!=str[0])
+ {
+-if(0==memcmp(str, "true", 4) || 0==memcmp(str, "colored", 7))
++if(0==strncmp(str, "true", 4) || 0==strncmp(str, "colored", 7))
+ return MO_COLORED;
+-if(0==memcmp(str, "thickcolored", 12))
++if(0==strncmp(str, "thickcolored", 12))
+ return MO_COLORED_THICK;
+-if(0==memcmp(str, "plastik", 7))
++if(0==strncmp(str, "plastik", 7))
+ return MO_PLASTIK;
+-if(0==memcmp(str, "glow", 4))
++if(0==strncmp(str, "glow", 4))
+ return MO_GLOW;
+-if(0==memcmp(str, "false", 4) || 0==memcmp(str, "none", 4))
++if(0==strncmp(str, "
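Review bot: the removed line compares "false" with a length of 4, so only "fals" is checked, and a mechanical s/memcmp/strncmp/ carries that count over. The replacement line is cut off here; confirm the new call uses 5 (or strcmp) rather than inheriting the old length.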

Bug#877937: marked as done (stretch-pu: package libdbd-firebird-perl/1.24-1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #877937,
regarding stretch-pu: package libdbd-firebird-perl/1.24-1
to be marked as done.


-- 
877937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877937
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

libdbd-firebird-perl before 1.25 suffers from a bug (#877720) leading to 
data corruption when fetching decimal(x,y) values between -1 and 0. The 
fetched data is positive, instead of negative.

(libdbd-firebird-perl is a driver for connecting DBI, the standard Perl 
database interface, to Firebird SQL server)

The fix is taken from the upstream commit (of which I am also the 
author).

Targeted patch and full source debdiff attached.


-- dam
b4fad5d264abafeb26e1333b74f6a5c2f75f4869 dbd_st_fetch: fix conversion of 
numerics between -1 and 0
diff --git a/dbdimp.c b/dbdimp.c
index 1c48d7c..ff7b510 100644
--- a/dbdimp.c
+++ b/dbdimp.c
@@ -1431,20 +1431,28 @@ AV *dbd_st_fetch(SV *sth, imp_sth_t *imp_sth)
 #endif
 if (var->sqlscale == 0) {
 snprintf(buf, sizeof(buf), "%"DBD_IB_INT64f, i);
+sv_setpvn(sv, buf, strlen(buf));
 } else {
+bool sign = ( i < 0 );
 ISC_INT64 divisor, remainder;
 divisor   = scales[-var->sqlscale];
+if (sign) divisor = -divisor;
 remainder = (i%divisor);
 if (remainder < 0) remainder = -remainder;
 
-snprintf(buf, sizeof(buf),
+snprintf(buf+1, sizeof(buf)-1,
 "%"DBD_IB_INT64f".%0*"DBD_IB_INT64f,
 i/divisor, -var->sqlscale, remainder);
DBI_TRACE_imp_xxh(imp_sth, 3, (DBIc_LOGPIO(imp_sth), 
"-->SQLINT64=%"DBD_IB_INT64f".%0*"DBD_IB_INT64f,i/divisor, 
-var->sqlscale, remainder ));
 
+if (sign) {
+*buf = '-';
+sv_setpvn(sv, buf, strlen(buf));
+}
+else {
+sv_setpvn(sv, buf+1, strlen(buf+1));
+}
 }
-
-sv_setpvn(sv, buf, strlen(buf));
 }
 break;
 #endif
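Review bot: the unchanged DBI_TRACE_imp_xxh call in the else branch still prints i/divisor and remainder, and with "if (sign) divisor = -divisor;" now applied both are non-negative for a negative i, so the level-3 trace shows the magnitude without its sign while the SV receives the correct value. Tracing the final string (buf when sign is set, buf+1 otherwise) after the "*buf = '-'" step would keep the log and the result in agreement. The buf+1 / sizeof(buf)-1 pair correctly reserves the byte for the sign.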
diff -Nru libdbd-firebird-perl-1.24/debian/changelog 
libdbd-firebird-perl-1.24/debian/changelog
--- libdbd-firebird-perl-1.24/debian/changelog  2016-10-11 12:02:22.0 
+0300
+++ libdbd-firebird-perl-1.24/debian/changelog  2017-10-07 18:45:00.0 
+0300
@@ -1,3 +1,10 @@
+libdbd-firebird-perl (1.24-1+deb9u1) stretch; urgency=medium
+
+  * add upstream patch fixing fetching of decimal(x,y) values between -1 and 0
+(Closes: #877720)
+
+ -- Damyan Ivanov   Sat, 07 Oct 2017 15:45:00 +
+
 libdbd-firebird-perl (1.24-1) unstable; urgency=medium
 
   * New upstream version 1.24
diff -Nru 
libdbd-firebird-perl-1.24/debian/patches/decimal-fetch-between-minus-one-and-zero.patch
 
libdbd-firebird-perl-1.24/debian/patches/decimal-fetch-between-minus-one-and-zero.patch
--- 
libdbd-firebird-perl-1.24/debian/patches/decimal-fetch-between-minus-one-and-zero.patch
 1970-01-01 02:00:00.0 +0200
+++ 
libdbd-firebird-perl-1.24/debian/patches/decimal-fetch-between-minus-one-and-zero.patch
 2017-10-07 18:42:15.0 +0300
@@ -0,0 +1,37 @@
+b4fad5d264abafeb26e1333b74f6a5c2f75f4869 dbd_st_fetch: fix conversion of 
numerics between -1 and 0
+diff --git a/dbdimp.c b/dbdimp.c
+index 1c48d7c..ff7b510 100644
+--- a/dbdimp.c
 b/dbdimp.c
+@@ -1431,20 +1431,28 @@ AV *dbd_st_fetch(SV *sth, imp_sth_t *imp_sth)
+ #endif
+ if (var->sqlscale == 0) {
+ snprintf(buf, sizeof(buf), "%"DBD_IB_INT64f, i);
++sv_setpvn(sv, buf, strlen(buf));
+ } else {
++bool sign = ( i < 0 );
+ ISC_INT64 divisor, remainder;
+ divisor   = scales[-var->sqlscale];
++if (sign) divisor = -divisor;
+ remainder = (i%divisor);
+ if (remainder < 0)
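
The sign loss described in the request above (decimal values between -1 and 0 fetched as positive), reduced to a stand-alone C program. This is an added example, not code from DBD::Firebird; the function names, the scales[] table, the range guard and the use of PRId64 in place of DBD_IB_INT64f are assumptions made for the illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Powers of ten indexed by the number of decimal places (assumed stand-in
 * for the driver's scales[] table). */
static const int64_t scales[] = {1, 10, 100, 1000, 10000, 100000, 1000000};
#define MAX_PLACES ((int)(sizeof(scales) / sizeof(scales[0])) - 1)

/* Pre-fix logic: the only source of a minus sign is the integer part
 * i/divisor. C division truncates toward zero, so for -1 < value < 0 the
 * integer part is 0 and the sign is lost. */
static const char *format_before(int64_t i, int sqlscale, char *buf, size_t len)
{
    if (sqlscale > 0 || -sqlscale > MAX_PLACES || len < 2)
        return NULL;                       /* guard added for the example */
    if (sqlscale == 0) {
        snprintf(buf, len, "%" PRId64, i);
        return buf;
    }
    int64_t divisor = scales[-sqlscale];
    int64_t remainder = i % divisor;
    if (remainder < 0)
        remainder = -remainder;
    snprintf(buf, len, "%" PRId64 ".%0*" PRId64,
             i / divisor, -sqlscale, remainder);
    return buf;
}

/* Post-fix logic: remember the sign, divide by a negated divisor so the
 * integer part is a magnitude, format one byte into the buffer and put the
 * '-' in front only when needed. */
static const char *format_after(int64_t i, int sqlscale, char *buf, size_t len)
{
    if (sqlscale > 0 || -sqlscale > MAX_PLACES || len < 2)
        return NULL;                       /* guard added for the example */
    if (sqlscale == 0) {
        snprintf(buf, len, "%" PRId64, i);
        return buf;
    }
    bool sign = (i < 0);
    int64_t divisor = scales[-sqlscale];
    if (sign)
        divisor = -divisor;
    int64_t remainder = i % divisor;
    if (remainder < 0)
        remainder = -remainder;
    snprintf(buf + 1, len - 1, "%" PRId64 ".%0*" PRId64,
             i / divisor, -sqlscale, remainder);
    if (sign) {
        *buf = '-';
        return buf;
    }
    return buf + 1;
}

int main(void)
{
    /* Constructed sample values: raw scaled integer and SQL scale. */
    static const struct { int64_t raw; int scale; } samples[] = {
        {-5, -2}, {-999, -3}, {-150, -2}, {150, -2}, {0, -2}, {42, 0},
    };
    char before[32], after[32];

    for (size_t n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
        printf("raw=%" PRId64 " scale=%d  before=%s  after=%s\n",
               samples[n].raw, samples[n].scale,
               format_before(samples[n].raw, samples[n].scale,
                             before, sizeof(before)),
               format_after(samples[n].raw, samples[n].scale,
                            after, sizeof(after)));
    }
    return 0;
}
```

Values at or below -1 come out the same from both functions, which is why the defect only shows up for magnitudes smaller than one.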

Bug#877420: marked as done (stretch-pu: xml2/0.4-3.1+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #877420,
regarding stretch-pu: xml2/0.4-3.1+deb9u1
to be marked as done.


-- 
877420: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877420
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch

Hello,

I am dealing with the package "xml2" to fix its RC bugs. A previous QA upload 
into Unstable was uploaded and migrated into Testing. Now I want to do some 
stable uploads and fix this bug inside Stretch.

For previous QA upload, see https://bugs.debian.org/876286 .

All fixes are taken from upstream's release tarball of next version.

Debdiff attached:

diff -u xml2-0.4/debian/control xml2-0.4/debian/control
--- xml2-0.4/debian/control
+++ xml2-0.4/debian/control
@@ -1,7 +1,7 @@
 Source: xml2
 Section: utils
 Priority: optional
-Maintainer: Patrick Schoenfeld 
+Maintainer: Debian QA Group 
 Homepage: http://ofb.net/~egnor/xml2/
 Vcs-Git: git://git.debian.org/git/collab-maint/xml2.git
 Vcs-Browser: http://git.debian.org/?p=collab-maint/xml2.git
diff -u xml2-0.4/debian/changelog xml2-0.4/debian/changelog
--- xml2-0.4/debian/changelog
+++ xml2-0.4/debian/changelog
@@ -1,3 +1,14 @@
+xml2 (0.4-3.1+deb9u1) stretch; urgency=medium
+
+  * QA upload.
+  * Set maintainer to Debian QA Group.
+  * Backport patch to fix corruption when dealing with UTF-8 files.
+(Closes: #506805; Closes: #698072)
+  * Backport patch to fix usage string for 2csv tool.
+(Closes: #506788)
+
+ -- Boyuan Yang <073p...@gmail.com>  Sun, 01 Oct 2017 23:30:42 +0800
+
 xml2 (0.4-3.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -u xml2-0.4/debian/patches/series xml2-0.4/debian/patches/series
--- xml2-0.4/debian/patches/series
+++ xml2-0.4/debian/patches/series
@@ -2,0 +3,2 @@
+0003-Fix-corrupted-handling-with-UTF-8-text.patch
+0004-Fix-help-msg-of-2csv-tool.patch
only in patch2:
unchanged:
--- xml2-0.4.orig/debian/patches/0003-Fix-corrupted-handling-with-UTF-8-
text.patch
+++ xml2-0.4/debian/patches/0003-Fix-corrupted-handling-with-UTF-8-text.patch
@@ -0,0 +1,22 @@
+From: Vincent Lefevre 
+Date: Sun, 1 Oct 2017 23:27:14 +0800
+Subject: Fix corrupted handling with UTF-8 text
+
+---
+ xml2.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/xml2.c b/xml2.c
+index fc94d69..d786021 100644
+--- a/xml2.c
 b/xml2.c
+@@ -247,8 +247,7 @@ int main(int argc,char *argv[])
+   init(&sax);
+ 
+   if (1 == argc && !strcmp(name,"html2")) {
+-  ctxt = htmlCreatePushParserCtxt(&sax,NULL,NULL,0,"stdin",
+-  XML_CHAR_ENCODING_8859_1);
++  ctxt = htmlCreatePushParserCtxt(&sax,NULL,NULL,0,"stdin",0);
+   parseChunk = htmlParseChunk;
+   freeCtxt = htmlFreeParserCtxt;
+   do_compress_whitespace = 1;
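Review bot: the new htmlCreatePushParserCtxt call passes a bare 0 as the encoding argument; writing XML_CHAR_ENCODING_NONE would make it clear that encoding detection is deliberately left to the parser rather than a value having been dropped. The patch header also has no Origin or Bug-Debian field, although the changelog closes #506805 and #698072 with it and the request says the fix comes from upstream's next release tarball.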
only in patch2:
unchanged:
--- xml2-0.4.orig/debian/patches/0004-Fix-help-msg-of-2csv-tool.patch
+++ xml2-0.4/debian/patches/0004-Fix-help-msg-of-2csv-tool.patch
@@ -0,0 +1,22 @@
+From: Boyuan Yang <073p...@gmail.com>
+Date: Sun, 1 Oct 2017 23:30:13 +0800
+Subject: Fix help msg of 2csv tool
+
+---
+ 2csv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/2csv.c b/2csv.c
+index 7370e8c..c672b56 100644
+--- a/2csv.c
 b/2csv.c
+@@ -4,7 +4,8 @@
+ #include 
+ 
+ void usage(void) {
+-  fputs("usage: 2csv record field [field ...] < in > csv\n",stderr);
++  fputs("usage: 2csv [-q quote] [-d comma] "
++  "record field [field ...] < in > csv\n",stderr);
+   exit(2);
+ }
+


--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#877722: marked as done (stretch-pu: package gunicorn/19.6.0-10+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #877722,
regarding stretch-pu: package gunicorn/19.6.0-10+deb9u1
to be marked as done.


-- 
877722: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877722
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to update gunicorn in stable to fix an issue where installing
gunicorn brings in a compiler as a dependency:

Diff (with further explanation) is:

  diff --git a/debian/changelog b/debian/changelog
  index d6473f3..507009e 100644
  --- a/debian/changelog
  +++ b/debian/changelog
  @@ -1,3 +1,17 @@
  +gunicorn (19.6.0-10+deb9u1) stable; urgency=medium
  +
  +  * Drop unnecessary Pre-Depends on dpkg-dev which was causing gunicorn and
  +python-gunicorn to bring in a compiler as dependencies.
  +
  +It was orignally added as dpkg-maintscript-helper was being used in the
  +preinst script, requires a pre-dependency to ensure that the required
  +version of dpkg has been unpacked before. However, this version of
  +dpkg-dev is satisfiable in stretch.
  +
  +Thanks to Neil Williams for the bug report. (Closes: #877712)
  +
  + -- Chris Lamb   Wed, 04 Oct 2017 21:11:20 +0100
  +
   gunicorn (19.6.0-10) unstable; urgency=medium
   
 * Move debian/README.Debian → debian/NEWS.
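Review bot: the rationale paragraph in the new changelog entry contradicts itself: it says the pre-dependency exists so that "the required version of dpkg has been unpacked", then concludes that "this version of dpkg-dev is satisfiable in stretch". State which package the preinst actually needs and that the version in stretch already satisfies ">= 1.15.7.2", so a reader can see why dropping the field is safe. The typo "orignally" and the missing "which" before "requires" can be fixed in the same pass.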
  diff --git a/debian/control b/debian/control
  index 3b0c8fe..3d060b8 100644
  --- a/debian/control
  +++ b/debian/control
  @@ -19,7 +19,6 @@ Homepage: http://gunicorn.org/
   
   Package: gunicorn
   Architecture: all
  -Pre-Depends: dpkg-dev (>= 1.15.7.2)
   Depends:
python-gunicorn (= ${binary:Version}),
python-pkg-resources,
  @@ -83,7 +82,6 @@ Description: Event-based HTTP/WSGI server (Python 3 version)
   
   Package: python-gunicorn
   Architecture: all
  -Pre-Depends: dpkg-dev (>= 1.15.7.2)
   Depends:
python-pkg-resources,
python-setuptools,
  @@ -138,7 +136,6 @@ Description: Event-based HTTP/WSGI server (Python 3 
libraries)
   
   Package: gunicorn-examples
   Architecture: all
  -Pre-Depends: dpkg-dev (>= 1.15.7.2)
   Depends:
${misc:Depends},
${python3:Depends},


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#877503: marked as done (stretch-pu: package mongodb/1:3.2.11-2)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #877503,
regarding stretch-pu: package mongodb/1:3.2.11-2
to be marked as done.


-- 
877503: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877503
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear SRMs,

I would like to update MongoDB in Stretch to address a couple of issues, 
namely:

 - #876755: GCC 6 and later optimizes out some null pointer checks. It 
   appears that this breaks the bundled version of spidermonkey (38) and 
   causes null pointer dereferences. This is fixed by disabling the 
   relevant GCC optimizations for the spidermonkey build.

 - #871906: Since Stretch, our kernels have enabled 48-bit virtual 
   addressing on aarch64. MongoDB's embedded spidermonkey crashes on 
   kernels with 48-bit VA support, as it assumes that all pointers have 
   17 bits clear that can be used for tagging. This is fixed by 
   cherry-picking a patch from Mozilla upstream that uses manual 
   malloc(3) hints to make sure the malloc()'d regions comply with this 
   requirement.

 - #864407: mongodb.service lacks an `After=network.target' statement, 
   so startup will fail on system boot if mongodb is asked to bind to a 
   non-wildcard, non-localhost address.

Full source debdiff attached.

Regards,
Apollon
diff -Nru mongodb-3.2.11/debian/changelog mongodb-3.2.11/debian/changelog
--- mongodb-3.2.11/debian/changelog	2016-12-15 20:04:56.0 +0200
+++ mongodb-3.2.11/debian/changelog	2017-10-02 11:14:03.0 +0300
@@ -1,3 +1,11 @@
+mongodb (1:3.2.11-2+deb9u1) stretch; urgency=medium
+
+  * Fix segfault/FTBFS on ARM64 with 48-bit virtual addresses (Closes: #871906)
+  * Fix spidermonkey GC segfault when built with GCC 6 (Closes: #876755)
+  * mongodb.service: start after network.target (Closes: #864407)
+
+ -- Apollon Oikonomopoulos   Mon, 02 Oct 2017 11:14:03 +0300
+
 mongodb (1:3.2.11-2) unstable; urgency=medium
 
   * Drop armhf builds; currently FTBFS and is unsupported upstream
diff -Nru mongodb-3.2.11/debian/gbp.conf mongodb-3.2.11/debian/gbp.conf
--- mongodb-3.2.11/debian/gbp.conf	2016-12-15 12:23:28.0 +0200
+++ mongodb-3.2.11/debian/gbp.conf	2017-10-02 11:13:41.0 +0300
@@ -1,5 +1,7 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = stable/stretch
+dist = stretch
 
 [git-import-orig]
 filter = ['debian/*','lib/*']
diff -Nru mongodb-3.2.11/debian/mongodb-server.mongodb.service mongodb-3.2.11/debian/mongodb-server.mongodb.service
--- mongodb-3.2.11/debian/mongodb-server.mongodb.service	2016-12-15 12:23:28.0 +0200
+++ mongodb-3.2.11/debian/mongodb-server.mongodb.service	2017-10-02 11:13:06.0 +0300
@@ -1,6 +1,7 @@
 [Unit]
 Description=An object/document-oriented database
 Documentation=man:mongod(1)
+After=network.target
 
 [Service]
 User=mongodb
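Review bot: After=network.target only orders the unit after the network management stack has been started; it does not wait for interfaces to have their addresses, which is the failing case described for #864407 (binding to a non-wildcard, non-localhost address at boot). That case needs After=network-online.target together with Wants=network-online.target; as written the change narrows the race but does not close it.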
diff -Nru mongodb-3.2.11/debian/patches/arm64-48bit-va-compat.patch mongodb-3.2.11/debian/patches/arm64-48bit-va-compat.patch
--- mongodb-3.2.11/debian/patches/arm64-48bit-va-compat.patch	1970-01-01 02:00:00.0 +0200
+++ mongodb-3.2.11/debian/patches/arm64-48bit-va-compat.patch	2017-10-02 11:11:46.0 +0300
@@ -0,0 +1,61 @@
+Author: Zheng Xu 
+ Description: Manually mmap on arm64 to ensure high 17 bits are clear. r=ehoogeveen
+ There might be 48-bit VA on arm64 depending on kernel configuration.
+ Manually mmap heap memory to align with the assumption made by JS engine.
+Comment: Obtained from https://hg.mozilla.org/mozilla-central/raw-rev/dfaafbaaa291
+Last-Update: 2017-09-25
+Forwarded: no
+Bug-Debian: https://bugs.debian.org/871906
+--- a/src/third_party/mozjs-38/extract/js/src/gc/Memory.cpp
 b/src/third_party/mozjs-38/extract/js/src/gc/Memory.cpp
+@@ -379,7 +379,7 @@
+ MapMemoryAt(void* desired, size_t length, int prot = PROT_READ | PROT_WRITE,
+ int flags = MAP_PRIVATE | MAP_ANON, int fd = -1, off_t offset = 0)
+ {
+-#if defined(__ia64__) || (defined(__sparc64__) && defined(__NetBSD__))
++#if defined(__ia64__) || (defined(__sparc64__) && defined(__NetBSD__)) || defined(__aarch64__)
+ MOZ_ASSERT(0x8000ULL & (uintptr_t(desired) + length - 1) == 0);
+ #endif
+ void* region = mmap(desired, length, prot, flags, fd, offset);
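Review bot: adding defined(__aarch64__) to the #if brings the MOZ_ASSERT on the following context line into aarch64 debug builds, and that expression is mis-parenthesised: == binds tighter than &, so it evaluates mask & ((uintptr_t(desired) + length - 1) == 0) and not (mask & (...)) == 0. The check therefore never tests the high bits of the address; wrap the & operation in parentheses. The mask literal should also be compared against upstream, since the description speaks of the high 17 bits and 0x8000ULL covers a single low bit.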
+@@ -429,6 +429,41 @@
+ return nullptr;
+ }
+ return 

Bug#877640: marked as done (stretch-pu: package sqlite3/3.16.2-5+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #877640,
regarding stretch-pu: package sqlite3/3.16.2-5+deb9u1
to be marked as done.


-- 
877640: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877640
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi SRMs,

I'd like to fix CVE-2017-10989 in SQLite3 for Stretch, which is a
heap-based buffer over-read via undersized RTree blobs.
It's considered remotely exploitable, still marked as no-DSA by the
Security Team. Still, worth fixing via the point update, proposed patch
is attached.

Thanks for considering,
Laszlo/GCS
diff -Nru sqlite3-3.16.2/debian/changelog sqlite3-3.16.2/debian/changelog
--- sqlite3-3.16.2/debian/changelog	2017-06-08 22:07:42.0 +
+++ sqlite3-3.16.2/debian/changelog	2017-10-03 16:13:44.0 +
@@ -1,3 +1,10 @@
+sqlite3 (3.16.2-5+deb9u1) stretch; urgency=medium
+
+  * Fix CVE-2017-10989 , heap-based buffer over-read via undersized RTree 
+blobs (closes: #867618).
+
+ -- Laszlo Boszormenyi (GCS)   Tue, 03 Oct 2017 16:13:44 +
+
 sqlite3 (3.16.2-5) unstable; urgency=medium
 
   * Backport fix for corruption due to REPLACE in an auto-vacuumed database.
diff -Nru sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch
--- sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch	1970-01-01 00:00:00.0 +
+++ sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch	2017-10-03 16:13:44.0 +
@@ -0,0 +1,47 @@
+Index: sqlite3/ext/rtree/rtree.c
+==
+--- sqlite3/ext/rtree/rtree.c
 sqlite3/ext/rtree/rtree.c
+@@ -3207,10 +3207,14 @@
+ pRtree->zDb, pRtree->zName
+ );
+ rc = getIntFromStmt(db, zSql, &pRtree->iNodeSize);
+ if( rc!=SQLITE_OK ){
+   *pzErr = sqlite3_mprintf("%s", sqlite3_errmsg(db));
++}else if( pRtree->iNodeSize<(512-64) ){
++  rc = SQLITE_CORRUPT;
++  *pzErr = sqlite3_mprintf("undersize RTree blobs in \"%q_node\"",
++   pRtree->zName);
+ }
+   }
+ 
+   sqlite3_free(zSql);
+   return rc;
+
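Review bot: the new else-if rejects pRtree->iNodeSize<(512-64) with no comment on where that bound comes from; a named constant or a one-line comment tying it to how node sizes are derived would let a later reader judge whether the limit is right. The patch file also starts directly at "Index:" with no Description, Origin or Bug-Debian header, although the changelog closes #867618 and cites CVE-2017-10989.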
+Index: sqlite3/ext/rtree/rtreeA.test
+==
+--- sqlite3/ext/rtree/rtreeA.test
 sqlite3/ext/rtree/rtreeA.test
+@@ -213,8 +213,21 @@
+ } {}
+ do_corruption_tests rtreeA-6.1 {
+   1   "DELETE FROM t1 WHERE rowid = 5"
+   2   "UPDATE t1 SET x1=x1+1, x2=x2+1"
+ }
++
++#-
++# Truncated blobs in the _node table.
++#
++create_t1
++populate_t1
++sqlite3 db test.db
++do_execsql_test rtreeA-7.100 { 
++  UPDATE t1_node SET data=x'' WHERE rowid=1;
++} {}
++do_catchsql_test rtreeA-7.110 {
++  SELECT * FROM t1 WHERE x1>0 AND x1<100 AND x2>0 AND x2<100;
++} {1 {undersize RTree blobs in "t1_node"}}
+ 
+ 
+ finish_test
+
diff -Nru sqlite3-3.16.2/debian/patches/series sqlite3-3.16.2/debian/patches/series
--- sqlite3-3.16.2/debian/patches/series	2017-06-08 22:07:42.0 +
+++ sqlite3-3.16.2/debian/patches/series	2017-10-03 16:13:44.0 +
@@ -13,3 +13,4 @@
 42-JSON-2_2.patch
 43-JSON-3.patch
 50-REPLACE_corruption_fix.patch
+51-CVE-2017-10989.patch
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#877403: marked as done (stretch-pu: package dbus/1.10.24-0+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #877403,
regarding stretch-pu: package dbus/1.10.24-0+deb9u1
to be marked as done.


-- 
877403: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877403
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I've made another upstream stable release of dbus, and as usual I'd like
to update stretch via stretch-p-u, to minimize weirdness and diffstat
if I have to do a security release later. There is nothing particularly
vital here, and I can revert or fix anything that the SRMs are not
happy with.

If you want to say "yes but only after 9.2", that would also be fine.

This upstream release is in testing already (versioned as
1.11.16+really1.10.24-1 due to an unfortunate dch -r accident).
This will probably be the last 1.10.x release in testing/unstable,
since I'm planning to move to the 1.11.x branch in preparation for
starting a 1.12.0 stable branch upstream.

The attached debdiff excludes ./configure, which gets
regenerated during the build.

(I still need to smoke-test this on a real stretch system, which I'll
do before upload; it passes autopkgtests though.)

Thanks,
smcv
debdiff dbus_1.10.{22,24}-0+deb9u1.dsc | filterdiff --exclude='*/configure'

diffstat for dbus-1.10.22 dbus-1.10.24

 NEWS  |   26 ++
 aclocal.m4|2 
 bus/activation.c  |   10 +-
 bus/config-loader-expat.c |   14 +++
 bus/connection.c  |   13 +--
 bus/connection.h  |2 
 bus/dispatch.c|   56 ++---
 bus/driver.c  |4 
 bus/signals.c |   15 ++-
 config.h.in   |3 
 configure |   48 +++
 configure.ac  |   12 ++
 dbus/dbus-sysdeps-unix.c  |   11 +-
 debian/changelog  |   21 
 test/monitor.c|  197 +++---
 tools/dbus-send.c |2 
 16 files changed, 363 insertions(+), 73 deletions(-)

diff -Nru dbus-1.10.22/aclocal.m4 dbus-1.10.24/aclocal.m4
--- dbus-1.10.22/aclocal.m4	2017-07-27 14:03:36.0 +0100
+++ dbus-1.10.24/aclocal.m4	2017-09-25 21:03:14.0 +0100
@@ -883,7 +883,7 @@
   dnl supported. (2.0 was released on October 16, 2000).
   dnl FIXME: Remove the need to hard-code Python versions here.
   m4_define_default([_AM_PYTHON_INTERPRETER_LIST],
-[python python2 python3 python3.5 python3.4 python3.3 python3.2 python3.1 python3.0 python2.7 dnl
+[python python2 python3 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python3.1 python3.0 python2.7 dnl
  python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0])
 
   AC_ARG_VAR([PYTHON], [the Python interpreter])
diff -Nru dbus-1.10.22/bus/activation.c dbus-1.10.24/bus/activation.c
--- dbus-1.10.22/bus/activation.c	2017-02-16 13:46:23.0 +
+++ dbus-1.10.24/bus/activation.c	2017-09-25 14:54:34.0 +0100
@@ -1967,6 +1967,7 @@
   DBusString service_string;
   BusService *service;
   BusRegistry *registry;
+  DBusConnection *systemd = NULL;
 
   /* OK, we have a systemd service configured for this entry,
  hence let's enqueue an activation request message. This
@@ -2015,11 +2016,14 @@
   _dbus_string_init_const (&service_string, "org.freedesktop.systemd1");
   service = bus_registry_lookup (registry, &service_string);
 
+  if (service)
+systemd = bus_service_get_primary_owners_connection (service);
+
   /* Following the general principle of "log early and often",
* we capture that we *want* to send the activation message, even if
* systemd is not actually there to receive it yet */
   if (!bus_transaction_capture (activation_transaction,
-NULL, message))
+NULL, systemd, message))
 {
   dbus_message_unref (message);
   BUS_SET_OOM (error);
@@ -2033,8 +2037,8 @@
service_name,
entry->systemd_service);
   /* Wonderful, systemd is connected, let's just send the msg */
-  retval = bus_dispatch_matches (activation_transaction, NULL,

Bug#877043: marked as done (stretch-pu: package weechat/1.6-1+deb9u2)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #877043,
regarding stretch-pu: package weechat/1.6-1+deb9u2
to be marked as done.


-- 
877043: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877043
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi

weechat in stretch is affected by CVE-2017-14727, tracked as #876553.

>  * logger: call strftime before replacing buffer local variables
>(CVE-2017-14727) (Closes: #876553)

https://weechat.org/news/98/20170923-Version-1.9.1-security-release/

Attached proposed debdiff for the stretch point release.

Regards,
Salvatore
diff -Nru weechat-1.6/debian/changelog weechat-1.6/debian/changelog
--- weechat-1.6/debian/changelog2017-04-29 16:31:58.0 +0200
+++ weechat-1.6/debian/changelog2017-09-27 20:53:31.0 +0200
@@ -1,3 +1,11 @@
+weechat (1.6-1+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * logger: call strftime before replacing buffer local variables
+(CVE-2017-14727) (Closes: #876553)
+
+ -- Salvatore Bonaccorso   Wed, 27 Sep 2017 20:53:31 +0200
+
 weechat (1.6-1+deb9u1) stretch; urgency=medium
 
   * Non-maintainer upload.
diff -Nru 
weechat-1.6/debian/patches/03_logger-call-strftime-before-replacing-buffer-local-v.patch
 
weechat-1.6/debian/patches/03_logger-call-strftime-before-replacing-buffer-local-v.patch
--- 
weechat-1.6/debian/patches/03_logger-call-strftime-before-replacing-buffer-local-v.patch
1970-01-01 01:00:00.0 +0100
+++ 
weechat-1.6/debian/patches/03_logger-call-strftime-before-replacing-buffer-local-v.patch
2017-09-27 20:53:31.0 +0200
@@ -0,0 +1,158 @@
+From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= 
+Date: Sat, 23 Sep 2017 09:36:09 +0200
+Subject: logger: call strftime before replacing buffer local variables
+Origin: 
https://github.com/weechat/weechat/commit/f105c6f0b56fb5687b2d2aedf37cb1d1b434d556
+Bug-Debian: https://bugs.debian.org/876553
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14727
+
+---
+ src/plugins/logger/logger.c | 88 ++---
+ 2 files changed, 51 insertions(+), 44 deletions(-)
+
+
+diff --git a/src/plugins/logger/logger.c b/src/plugins/logger/logger.c
+index 1abc3efc7..347f1d5a6 100644
+--- a/src/plugins/logger/logger.c
 b/src/plugins/logger/logger.c
+@@ -295,71 +295,71 @@ logger_get_mask_for_buffer (struct t_gui_buffer *buffer)
+ char *
+ logger_get_mask_expanded (struct t_gui_buffer *buffer, const char *mask)
+ {
+-char *mask2, *mask_decoded, *mask_decoded2, *mask_decoded3, 
*mask_decoded4;
+-char *mask_decoded5;
++char *mask2, *mask3, *mask4, *mask5, *mask6, *mask7;
+ const char *dir_separator;
+ int length;
+ time_t seconds;
+ struct tm *date_tmp;
+ 
+ mask2 = NULL;
+-mask_decoded = NULL;
+-mask_decoded2 = NULL;
+-mask_decoded3 = NULL;
+-mask_decoded4 = NULL;
+-mask_decoded5 = NULL;
++mask3 = NULL;
++mask4 = NULL;
++mask5 = NULL;
++mask6 = NULL;
++mask7 = NULL;
+ 
+ dir_separator = weechat_info_get ("dir_separator", "");
+ if (!dir_separator)
+ return NULL;
+ 
++/* replace date/time specifiers in mask */
++length = strlen (mask) + 256 + 1;
++mask2 = malloc (length);
++if (!mask2)
++goto end;
++seconds = time (NULL);
++date_tmp = localtime (&seconds);
++mask2[0] = '\0';
++if (strftime (mask2, length - 1, mask, date_tmp) == 0)
++mask2[0] = '\0';
++
+ /*
+  * we first replace directory separator (commonly '/') by \01 because
+  * buffer mask can contain this char, and will be replaced by replacement
+  * char ('_' by default)
+  */
+-mask2 = weechat_string_replace (mask, dir_separator, "\01");
+-if (!mask2)
++mask3 = weechat_string_replace (mask2, dir_separator, "\01");
++if (!mask3)
+ goto end;
+ 
+-mask_decoded = weechat_buffer_string_replace_local_var (buffer, mask2);
+-if (!mask_decoded)
++mask4 = weechat_buffer_string_replace_local_var (buffer, mask3);
++if (!mask4)
+ goto end;
+ 
+-mask_decoded2 = weechat_string_replace (mask_decoded,
+-dir_separator,
+-weec
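Review bot: in the added date/time block, `date_tmp = localtime (&seconds);` is passed straight to `strftime (mask2, length - 1, mask, date_tmp)` without a NULL check. localtime can return NULL on failure, so test the result and `goto end` before calling strftime. It is also worth extending the new comment `/* replace date/time specifiers in mask */` to say why this step now comes first: the point of the reordering is that strftime only ever sees the configured mask, never text produced by `weechat_buffer_string_replace_local_var`, and a later refactor could move it back without that hint.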

Bug#877366: marked as done (stretch-pu: package abiword/3.0.2-2+deb9u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #877366,
regarding stretch-pu: package abiword/3.0.2-2+deb9u1
to be marked as done.



-- 
877366: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877366
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
X-Debbugs-Cc:abiw...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

The attached debdiff fixes a flickering bug that makes Abiword nearly
unusable for some users.

https://bugs.debian.org/851052

The patch was rejected upstream because it doesn't work for GNOME on
Wayland. But Debian's GNOME does not default to Wayland in Stretch.
And Abiword is more commonly used on less powerful desktop
environments instead of the resource-intensive GNOME.

This patch was uploaded to unstable (and Ubuntu 17.10 Beta) as 3.0.2-3
just now. The package was uploaded with urgency: high so it should be
in testing in a few days. It builds on all architectures so far. I
didn't want to delay filing this bug in case it wasn't quite too late
for Debian 9.2. Sorry for the late request.

Thanks,
Jeremy Bicha


abiword-flickering-stretch.debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam
--- End Message ---


Bug#876527: marked as done (stretch-pu: package gdm3/3.22.3-3)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #876527,
regarding stretch-pu: package gdm3/3.22.3-3
to be marked as done.



-- 
876527: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876527
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

XDMCP support in gdm 3.22 is currently completely broken (see: #873199)

I've backported some patches from the later releases and from git master
to fix this. The majority of the patches are already included in the sid/buster
version, the other ones will be included in the 2nd of October point
release.

I've tested this locally with one client (both direct and indirect
connections) and it's working as expected.

Regards,

Laurent Bigonville

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru gdm3-3.22.3/debian/changelog gdm3-3.22.3/debian/changelog
--- gdm3-3.22.3/debian/changelog2017-06-06 20:17:04.0 +0200
+++ gdm3-3.22.3/debian/changelog2017-09-23 11:56:40.0 +0200
@@ -1,3 +1,10 @@
+gdm3 (3.22.3-3+deb9u1) stretch; urgency=medium
+
+  * Backports a bunch of patches to fix XDMCP support including a potential
+cracher (Closes: #873199, #814989)
+
+ -- Laurent Bigonville   Sat, 23 Sep 2017 11:56:40 +0200
+
 gdm3 (3.22.3-3) unstable; urgency=medium
 
   * libgdm1: add breaks/replaces on good old gdm. Who knows how many users
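Review bot: the new changelog entry for 3.22.3-3+deb9u1 says only "a bunch of patches" and does not name the files added under debian/patches, which makes the stable update hard to audit from the changelog alone. Please list each backported patch on its own line, and fix "cracher", which looks like a typo for "crasher". The version in the entry (3.22.3-3+deb9u1) also differs from the one in the request subject (3.22.3-3), so it is worth making the two agree.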
diff -Nru 
gdm3-3.22.3/debian/patches/chooser-filter-out-duplicate-hostnames.patch 
gdm3-3.22.3/debian/patches/chooser-filter-out-duplicate-hostnames.patch
--- gdm3-3.22.3/debian/patches/chooser-filter-out-duplicate-hostnames.patch 
1970-01-01 01:00:00.0 +0100
+++ gdm3-3.22.3/debian/patches/chooser-filter-out-duplicate-hostnames.patch 
2017-09-23 11:56:40.0 +0200
@@ -0,0 +1,72 @@
+From 2738cc21830eee9468c83608504d6bf719f8ac03 Mon Sep 17 00:00:00 2001
+From: Ray Strode 
+Date: Fri, 31 Mar 2017 15:40:21 -0400
+Subject: [PATCH] chooser: filter out duplicate hostnames
+
+One host may report itself on multiple interfaces.
+GDM only supports based on hostname not interface,
+so that leads duplicate entries in the list.
+
+This commit filters out the dupes.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=780787
+---
+ chooser/gdm-host-chooser-widget.c | 34 +-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/chooser/gdm-host-chooser-widget.c 
b/chooser/gdm-host-chooser-widget.c
+index f8aabf3e..e2507900 100644
+--- a/chooser/gdm-host-chooser-widget.c
 b/chooser/gdm-host-chooser-widget.c
+@@ -119,6 +119,33 @@ chooser_host_remove (GdmHostChooserWidget *widget,
+ }
+ #endif
+ 
++static gboolean
++address_hostnames_equal (GdmAddress *address,
++ GdmAddress *other_address)
++{
++char *hostname, *other_hostname;
++gboolean are_equal;
++
++if (gdm_address_equal (address, other_address)) {
++return TRUE;
++}
++
++if (!gdm_address_get_hostname (address, &hostname)) {
++gdm_address_get_numeric_info (address, &hostname, NULL);
++}
++
++if (!gdm_address_get_hostname (other_address, &other_hostname)) {
++gdm_address_get_numeric_info (other_address, &other_hostname, 
NULL);
++}
++
++are_equal = g_strcmp0 (hostname, other_hostname) == 0;
++
++g_free (hostname);
++g_free (other_hostname);
++
++return are_equal;
++}
++
+ static GdmChooserHost *
+ find_known_host (GdmHostChooserWidget *widget,
+  GdmAddress   *address)
+@@ -127,8 +154,13 @@ find_known_host (GdmHostChooserWidget *widget,
+ GdmChooserHost *host;
+ 
+ for (li = widget->priv->chooser_hosts; li != NULL; li = li->next) {
++GdmAddress *other_address;
++
+ host = li->data;
+-if (gdm_address_equal (gdm_choo
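Review bot: in the new `address_hostnames_equal`, `hostname` and `other_hostname` are declared without initialisers and the return value of the fallback `gdm_address_get_numeric_info (address, &hostname, NULL)` is ignored. If both the hostname lookup and the numeric fallback fail to set the out-parameter, `g_strcmp0` and `g_free` run on uninitialised pointers. Initialise both to NULL at declaration (g_strcmp0 and g_free both accept NULL) and consider returning FALSE when neither lookup produced a string, so that two unresolved addresses are not treated as the same host.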

Bug#877045: marked as done (jessie-pu: package weechat/1.0.1-1+deb8u2)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #877045,
regarding jessie-pu: package weechat/1.0.1-1+deb8u2
to be marked as done.



-- 
877045: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877045
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi

weechat in jessie is affected by CVE-2017-14727, tracked as #876553.

>  * logger: call strftime before replacing buffer local variables
>(CVE-2017-14727) (Closes: #876553)

https://weechat.org/news/98/20170923-Version-1.9.1-security-release/

Attached proposed debdiff for the jessie point release.

Regards,
Salvatore
diff -Nru weechat-1.0.1/debian/changelog weechat-1.0.1/debian/changelog
--- weechat-1.0.1/debian/changelog  2017-04-25 07:01:43.0 +0200
+++ weechat-1.0.1/debian/changelog  2017-09-27 21:27:15.0 +0200
@@ -1,3 +1,11 @@
+weechat (1.0.1-1+deb8u2) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * logger: call strftime before replacing buffer local variables
+(CVE-2017-14727) (Closes: #876553)
+
+ -- Salvatore Bonaccorso   Wed, 27 Sep 2017 21:27:15 +0200
+
 weechat (1.0.1-1+deb8u1) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru 
weechat-1.0.1/debian/patches/0001-logger-call-strftime-before-replacing-buffer-local-v.patch
 
weechat-1.0.1/debian/patches/0001-logger-call-strftime-before-replacing-buffer-local-v.patch
--- 
weechat-1.0.1/debian/patches/0001-logger-call-strftime-before-replacing-buffer-local-v.patch
1970-01-01 01:00:00.0 +0100
+++ 
weechat-1.0.1/debian/patches/0001-logger-call-strftime-before-replacing-buffer-local-v.patch
2017-09-27 21:27:15.0 +0200
@@ -0,0 +1,152 @@
+From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= 
+Date: Sat, 23 Sep 2017 09:36:09 +0200
+Subject: logger: call strftime before replacing buffer local variables
+Origin: 
https://github.com/weechat/weechat/commit/f105c6f0b56fb5687b2d2aedf37cb1d1b434d556
+Bug-Debian: https://bugs.debian.org/876553
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14727
+
+---
+ src/plugins/logger/logger.c | 88 ++---
+ 2 files changed, 51 insertions(+), 44 deletions(-)
+
+
+--- a/src/plugins/logger/logger.c
 b/src/plugins/logger/logger.c
+@@ -316,71 +316,71 @@ logger_get_mask_for_buffer (struct t_gui
+ char *
+ logger_get_mask_expanded (struct t_gui_buffer *buffer, const char *mask)
+ {
+-char *mask2, *mask_decoded, *mask_decoded2, *mask_decoded3, 
*mask_decoded4;
+-char *mask_decoded5;
++char *mask2, *mask3, *mask4, *mask5, *mask6, *mask7;
+ const char *dir_separator;
+ int length;
+ time_t seconds;
+ struct tm *date_tmp;
+ 
+ mask2 = NULL;
+-mask_decoded = NULL;
+-mask_decoded2 = NULL;
+-mask_decoded3 = NULL;
+-mask_decoded4 = NULL;
+-mask_decoded5 = NULL;
++mask3 = NULL;
++mask4 = NULL;
++mask5 = NULL;
++mask6 = NULL;
++mask7 = NULL;
+ 
+ dir_separator = weechat_info_get ("dir_separator", "");
+ if (!dir_separator)
+ return NULL;
+ 
++/* replace date/time specifiers in mask */
++length = strlen (mask) + 256 + 1;
++mask2 = malloc (length);
++if (!mask2)
++goto end;
++seconds = time (NULL);
++date_tmp = localtime (&seconds);
++mask2[0] = '\0';
++if (strftime (mask2, length - 1, mask, date_tmp) == 0)
++mask2[0] = '\0';
++
+ /*
+  * we first replace directory separator (commonly '/') by \01 because
+  * buffer mask can contain this char, and will be replaced by replacement
+  * char ('_' by default)
+  */
+-mask2 = weechat_string_replace (mask, dir_separator, "\01");
+-if (!mask2)
++mask3 = weechat_string_replace (mask2, dir_separator, "\01");
++if (!mask3)
+ goto end;
+ 
+-mask_decoded = weechat_buffer_string_replace_local_var (buffer, mask2);
+-if (!mask_decoded)
++mask4 = weechat_buffer_string_replace_local_var (buffer, mask3);
++if (!mask4)
+ goto end;
+ 
+-mask_decoded2 = weechat_string_replace (mask_decoded,
+-dir_separator,
+-weechat_config_string 
(logger_config_file_replacement_char));
+-if 
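Review bot: when `strftime (mask2, length - 1, mask, date_tmp)` returns 0 the added code sets `mask2[0] = '\0'` and carries on, so a mask whose expansion does not fit in `strlen (mask) + 256 + 1` bytes is silently turned into an empty mask instead of an error. Since the result is used to build the log file name, either `goto end` on that path or add a comment stating that an empty mask is handled safely further down. Separately, the patch header still reads "2 files changed, 51 insertions(+), 44 deletions(-)" while only src/plugins/logger/logger.c is listed; if the second file was dropped for the backport, say so in the header or regenerate the diffstat.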

Bug#876706: marked as done (stretch-pu: package liblouis/3.0.0-3)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:46:36 +
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #876706,
regarding stretch-pu: package liblouis/3.0.0-3
to be marked as done.



-- 
876706: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876706
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello,

Several CVEs have been reported against liblouis in Bug#874302. The
upstream fixes have been tested for 6 days in Debian unstable then 5
days in Debian testing.

I propose to upload them to stable too, as attached debdiff shows.

Samuel

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-debug'), (500, 'oldoldstable'), (500, 
'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 
'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru liblouis-3.0.0/debian/changelog liblouis-3.0.0/debian/changelog
--- liblouis-3.0.0/debian/changelog 2016-09-14 00:46:35.0 +0200
+++ liblouis-3.0.0/debian/changelog 2017-09-25 01:16:30.0 +0200
@@ -1,3 +1,14 @@
+liblouis (3.0.0-3+deb9u1) stretch; urgency=medium
+
+  * debian/patches/CVE-2017-13738-and-2017-13744.patch: New patch.
+  * debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch: New
+patch
+  * debian/patches/CVE-2017-13741.patch: New patch.
+  * debian/patches/CVE-2017-13741-2.patch: New patch.
+  * debian/patches/CVE-2017-13743.patch: New patch.
+
+ -- Samuel Thibault   Mon, 25 Sep 2017 01:16:30 +0200
+
 liblouis (3.0.0-3) unstable; urgency=medium
 
   * Upload to unstable.
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch 
liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch   
1970-01-01 01:00:00.0 +0100
+++ liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch   
2017-09-25 01:14:10.0 +0200
@@ -0,0 +1,19 @@
+From edf8ee00197e5a9b062554bdca00fe1617d257a4 Mon Sep 17 00:00:00 2001
+From: Mike Gorse 
+Date: Tue, 29 Aug 2017 16:55:29 -0500
+Subject: [PATCH] Fix possible out-of-bounds write from a \ followed by
+ multiple newlines
+
+Fixes CVE-2017-13738 and CVE-2017-13744.
+Index: liblouis-3.0.0/liblouis/compileTranslationTable.c
+===
+--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c
 liblouis-3.0.0/liblouis/compileTranslationTable.c
+@@ -573,6 +573,7 @@ getALine (FileInfo * nested)
+   if (pch == '\\' && ch == 10)
+   {
+ nested->linelen--;
++pch = ch;
+ continue;
+   }
+   if (ch == 10 || nested->linelen >= MAXSTRING)
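Review bot: the added `pch = ch;` in the backslash-newline branch of getALine carries no comment, and the reason for it is not obvious from the code. Without it `pch` is still '\\' after the `continue`, so every following newline re-enters the branch and runs `nested->linelen--` again, which is the "\ followed by multiple newlines" case named in the subject. Please add a one-line comment to that effect, and consider guarding the decrement with a `nested->linelen > 0` check as defence in depth, since the only bound visible here is the upper one (`nested->linelen >= MAXSTRING`).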
diff -Nru 
liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch
 
liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch
--- 
liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch
1970-01-01 01:00:00.0 +0100
+++ 
liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch
2017-09-25 01:14:10.0 +0200
@@ -0,0 +1,28 @@
+From d8cfdf1ab64a4c9c6685efe45bc735f68dac618c Mon Sep 17 00:00:00 2001
+From: Mike Gorse 
+Date: Wed, 30 Aug 2017 12:53:02 -0500
+Subject: [PATCH] resolveSubtable: Fix buffer overflow parsing a malformed
+ table
+
+The subtable's name can theoretically be up to MAXSTRING characters long.
+The base name is then copied into a buffer, and the subtable's name is
+appended, so we should allocate more than MAXSTRING bytes for the buffer.
+
+Fixes CVE-2017-13739, CVE-2017-13740, and CVE-2017-13742.
+---
+ liblouis/compileTranslationTable.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: liblouis-3.0.0/liblouis/compileTranslationTable.c
+===
+--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c
 liblouis-3.0.0/liblouis/compileTranslat

Bug#876638: marked as done (jessie-pu: package db/5.1.29-9+deb8u1)

2017-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2017 10:47:53 +
with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #876638,
regarding jessie-pu: package db/5.1.29-9+deb8u1
to be marked as done.



-- 
876638: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876638
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

db in jessie is affected by the CVE-2017-10140 ("Berkeley DB reads
DB_CONFIG from cwd"), no bug in BTS filed for that since src:db
removed from unstable. The NMU for src:db5.3 to unstable back at the end
of August has not raised any regression reports we would be aware of.
We think, though, that it's still safer to have it via point release and have
it for a short time exposed as well via proposed-updates (once, and if
accepted).

The changelog reads as:

>db (5.1.29-9+deb8u1) jessie; urgency=medium
>
>  * Non-maintainer upload.
>  * CVE-2017-10140: Reads DB_CONFIG from the current working directory.
>Do not access DB_CONFIG when db_home is not set.
>
> -- Salvatore Bonaccorso   Sun, 24 Sep 2017 11:12:52 +0200

Attached is the full proposed debdiff.

Regards,
Salvatore
diff -Nru db-5.1.29/debian/changelog db-5.1.29/debian/changelog
--- db-5.1.29/debian/changelog  2014-08-19 14:49:46.0 +0200
+++ db-5.1.29/debian/changelog  2017-09-24 11:12:52.0 +0200
@@ -1,3 +1,11 @@
+db (5.1.29-9+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2017-10140: Reads DB_CONFIG from the current working directory.
+Do not access DB_CONFIG when db_home is not set.
+
+ -- Salvatore Bonaccorso   Sun, 24 Sep 2017 11:12:52 +0200
+
 db (5.1.29-9) unstable; urgency=medium
 
   * Fix for FTBFS on ppc64el (Courtesy of Matthias Klose/Ubuntu)
diff -Nru db-5.1.29/debian/patches/CVE-2017-10140-cwd-db_config.patch 
db-5.1.29/debian/patches/CVE-2017-10140-cwd-db_config.patch
--- db-5.1.29/debian/patches/CVE-2017-10140-cwd-db_config.patch 1970-01-01 
01:00:00.0 +0100
+++ db-5.1.29/debian/patches/CVE-2017-10140-cwd-db_config.patch 2017-09-24 
11:12:52.0 +0200
@@ -0,0 +1,22 @@
+Description: CVE-2017-10140: Reads DB_CONFIG from the current working directory
+ Do not access DB_CONFIG when db_home is not set.
+Origin: vendor, 
https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10140
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464032
+Bug-SuSE: https://bugzilla.novell.com/show_bug.cgi?id=1043886
+Forwarded: no
+Author: Petr Kubat 
+Reviewed-by: Salvatore Bonaccorso 
+Last-Update: 2017-08-17
+
+--- db-5.3.28/src/env/env_open.c.old   2017-06-26 10:32:11.011419981 +0200
 db-5.3.28/src/env/env_open.c   2017-06-26 10:32:46.893721233 +0200
+@@ -473,7 +473,7 @@
+   env->db_mode = mode == 0 ? DB_MODE_660 : mode;
+ 
+   /* Read the DB_CONFIG file. */
+-  if ((ret = __env_read_db_config(env)) != 0)
++  if (env->db_home != NULL && (ret = __env_read_db_config(env)) != 0)
+   return (ret);
+ 
+   /*
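Review bot: the file headers inside this patch name db-5.3.28/src/env/env_open.c and the Origin is the Fedora db-5.3.28 patch, while it is being added to db-5.1.29; please confirm the hunk at line 473 applies without fuzz to the 5.1.29 source and refresh the headers so they match the tree being patched. On the change itself, the comment `/* Read the DB_CONFIG file. */` is now inaccurate when `env->db_home` is NULL, because the read is skipped entirely; update it to say that DB_CONFIG is only read when a home directory was set, since that condition is the whole fix for the current-working-directory lookup.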
diff -Nru db-5.1.29/debian/patches/series db-5.1.29/debian/patches/series
--- db-5.1.29/debian/patches/series 2014-08-19 14:49:46.0 +0200
+++ db-5.1.29/debian/patches/series 2017-09-24 11:12:52.0 +0200
@@ -6,3 +6,4 @@
 006-mutex_alignment.patch
 007-link-sql-libs.patch
 libtool-update.diff
+CVE-2017-10140-cwd-db_config.patch
--- End Message ---
--- Begin Message ---
Version: 8.10

Hi,

Each of the updates referenced in these bugs was included in this
morning's jessie point release. Thanks!

Regards,

Adam
--- End Message ---

