Bug#883624: transition: libkf5kipi + marble 17.08
On Friday 8 December 2017 19:53:03 CET, Emilio Pozuelo Monfort wrote:
> On 05/12/17 22:03, Pino Toscano wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> >
> > Hi,
> >
> > I would like to request a slot for the transitions of libkf5kipi 17.08
> > and marble 17.08. I'm requesting a single slot for them as the impact
> > of each is limited, and they both affect digikam (big source, so one
> > rebuild can be avoided).
> >
> > The sources affected by libkf5kipi are:
> > - digikam
> > - gwenview
> > - kde-spectacle
> > - kphotoalbum
> > The sources affected by marble are:
> > - digikam
> > - kreport
> > - libkf5kgeomap
> >
> > I will wait for this weekend for the batch of 17.08 uploads I did last
> > weekend to migrate to testing: the reason is that the new versions of
> > libkf5kipi and marble carry their translation files, right now shipped
> > as part of kde-l10n (and thus a coordinated upload is needed, I will
> > take care of it).
>
> You can go ahead.

Uploaded libkf5kipi, marble and libkf5kgeomap a few hours ago, and all of them already built everywhere.

--
Pino Toscano
Bug#883622: transition: analitza 17.08
On Friday 8 December 2017 19:52:13 CET, Emilio Pozuelo Monfort wrote:
> On 05/12/17 21:57, Pino Toscano wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> >
> > Hi,
> >
> > I would like to request a slot for the analitza 17.08.x transition.
> > There are only two affected sources:
> > - kalgebra (which will get a sourceful upload)
> > - cantor, which just needs a rebuild
> >
> > I will wait for this weekend for the batch of 17.08 uploads I did last
> > weekend to migrate to testing: the reason is that the new versions of
> > analitza and kalgebra carry their translation files, right now shipped
> > as part of kde-l10n (and thus a coordinated upload is needed, I will
> > take care of it).
>
> Ack.

Uploaded a few hours ago, and analitza and kalgebra already built everywhere.

--
Pino Toscano
NEW changes in stable-new
Processing changes file: waagent_2.2.18-3~deb9u1_all.changes ACCEPT
Bug#883963: stretch-pu: package xchain/1.0.1-9~deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Let's fix the dependency problem of xchain in stretch, too. #878090 It calls /usr/bin/wish, therefore it needs to depend on wish and not tk8.5 (which no longer provides the generic wish binary, that's tk8.6 realm now). The Standards-Version and Priority bump are metadata only changes. Andreas diff -Nru xchain-1.0.1/debian/changelog xchain-1.0.1/debian/changelog --- xchain-1.0.1/debian/changelog 2017-01-15 23:25:46.0 +0100 +++ xchain-1.0.1/debian/changelog 2017-12-09 21:02:31.0 +0100 @@ -1,3 +1,25 @@ +xchain (1.0.1-9~deb9u1) stretch; urgency=medium + + * QA upload. + * Rebuild for stretch. + + -- Andreas Beckmann Sat, 09 Dec 2017 21:02:31 +0100 + +xchain (1.0.1-9) unstable; urgency=medium + + * QA upload. + * Revert path change, depend on "wish" only. Re-closes: #878090 + + -- Adam Borowski Thu, 12 Oct 2017 20:12:24 +0200 + +xchain (1.0.1-8) unstable; urgency=medium + + * QA upload. + * Update path to wish (it's /usr/bin/wish8.5 now). Closes: #878090 + * Priority optional. + + -- Adam Borowski Thu, 12 Oct 2017 09:14:07 +0200 + xchain (1.0.1-7) unstable; urgency=medium * QA upload. diff -Nru xchain-1.0.1/debian/control xchain-1.0.1/debian/control --- xchain-1.0.1/debian/control 2017-01-15 23:25:46.0 +0100 +++ xchain-1.0.1/debian/control 2017-10-12 20:12:19.0 +0200 
@@ -1,15 +1,15 @@ Source: xchain Section: games -Priority: extra +Priority: optional Maintainer: Debian QA Group -Standards-Version: 3.9.8 +Standards-Version: 4.1.1 Build-Depends: debhelper (>= 10) Vcs-Browser: https://anonscm.debian.org/git/collab-maint/xchain.git Vcs-Git: https://anonscm.debian.org/git/collab-maint/xchain.git Package: xchain Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, tk8.5 | wish +Depends: ${shlibs:Depends}, ${misc:Depends}, wish Description: strategy game for 2-4 players Chain Reaction is a classic strategy game for 2-4 players. Players take turns to place tokens on an 8x8 board. When a square exceeds its maximum value, it
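Review bot: In the debian/control hunk, the new `Depends: ${shlibs:Depends}, ${misc:Depends}, wish` leaves a bare `wish` as the only way to satisfy the dependency, with no concrete package named ahead of it. Since the request says the generic wish binary now comes from tk8.6, listing it first (`tk8.6 | wish`) would give the resolver a fixed default on stretch. The `Priority` and `Standards-Version` changes in the same hunk are unrelated to #878090; a stable update is easier to review when it carries only the fix.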
Bug#883959: stretch-pu: package cappuccino/0.5.1-8~deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Let's fix the missing dependency on gir1.2-gtk-3.0, #879848, by rebuilding the package from sid. This also adds a /usr/games/cappuccino -> ../bin/cappuccino symlink. Andreas diff -u cappuccino-0.5.1/debian/changelog cappuccino-0.5.1/debian/changelog --- cappuccino-0.5.1/debian/changelog +++ cappuccino-0.5.1/debian/changelog @@ -1,3 +1,24 @@ +cappuccino (0.5.1-8~deb9u1) unstable; urgency=medium + + * Non-maintainer upload. + * rebuild for stretch. + + -- Andreas Beckmann Sat, 09 Dec 2017 20:38:28 +0100 + +cappuccino (0.5.1-8) unstable; urgency=medium + + * Fixes broken symlink in /usr/games. Closes: #880714 +- Thanks to Chris Lamb. + + -- Breno Leitao Mon, 06 Nov 2017 14:25:01 -0500 + +cappuccino (0.5.1-7) unstable; urgency=medium + + * Adding gir1.2-gtk-3.0 as a dependency. Closes: #879848 + * Adding a link to /usr/games/cappuccino + + -- Breno Leitao Fri, 03 Nov 2017 07:52:46 -0400 + cappuccino (0.5.1-6) unstable; urgency=medium * Fix python dependency, moving the debian/rules file to diff -u cappuccino-0.5.1/debian/control cappuccino-0.5.1/debian/control --- cappuccino-0.5.1/debian/control +++ cappuccino-0.5.1/debian/control 
@@ -3,12 +3,12 @@ Priority: optional Homepage: https://labs.truelite.it/projects/cappuccino Maintainer: Breno Leitao -Standards-Version: 3.7.2 +Standards-Version: 4.1.0 Build-Depends: debhelper (>> 5.0.0), python3, python3-gi, polygen Package: cappuccino Architecture: all -Depends: python3, python3-gi, polygen, ${misc:Depends} +Depends: python3, python3-gi, polygen, ${misc:Depends}, gir1.2-gtk-3.0 Description: utility to let your boss think that you're working hard Run this software on your computer when you are not motivated to work, and enjoy doing something different. If your boss come in your cubicle, he'll diff -u cappuccino-0.5.1/debian/rules cappuccino-0.5.1/debian/rules --- cappuccino-0.5.1/debian/rules +++ cappuccino-0.5.1/debian/rules @@ -44,6 +44,10 @@ polygen -seed 0 $(CURDIR)/debian/cappuccino/usr/share/cappuccino/cappuccino.grm > /dev/null polygen -seed 0 $(CURDIR)/debian/cappuccino/usr/share/cappuccino/compileline.grm > /dev/null + # As it is considered a game, put a link at /usr/games + mkdir $(CURDIR)/debian/cappuccino/usr/games + ln -s /usr/bin/cappuccino $(CURDIR)/debian/cappuccino/usr/games/cappuccino + # Build architecture-independent files here. binary-indep: build install dh_testdir
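Review bot: In the debian/changelog hunk, the top entry reads `cappuccino (0.5.1-8~deb9u1) unstable; urgency=medium`, so the rebuild for stretch still targets `unstable`. For a stretch-pu upload the distribution field of that entry should be `stretch`.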
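Review bot: In the debian/rules hunk, `ln -s /usr/bin/cappuccino ...` creates a symlink with an absolute target, while the request describes the result as `/usr/games/cappuccino -> ../bin/cappuccino`. Please confirm what the built package actually ships, or write the relative target directly in the `ln -s` line. The plain `mkdir` on the line above also fails if `usr/games` already exists from an earlier run of the install target; `mkdir -p` avoids that.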
Bug#883952: stretch-pu: package activity-log-manager/0.8.0-1.2~deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Let's fix the missing dependency on python-zeitgeist, #881438, by rebuilding the corresponding fixed package from sid. Andreas diff -Nru activity-log-manager-0.8.0/debian/changelog activity-log-manager-0.8.0/debian/changelog --- activity-log-manager-0.8.0/debian/changelog 2015-08-18 17:28:36.0 +0200 +++ activity-log-manager-0.8.0/debian/changelog 2017-12-09 20:04:56.0 +0100 @@ -1,3 +1,17 @@ +activity-log-manager (0.8.0-1.2~deb9u1) stretch; urgency=medium + + * Non-maintainer upload. + * Rebuild for stretch. + + -- Andreas Beckmann Sat, 09 Dec 2017 20:04:56 +0100 + +activity-log-manager (0.8.0-1.2) unstable; urgency=medium + + * Non-maintainer upload. + * Add dependency against python-zeitgeist (Closes: #881438) + + -- Laurent Bigonville Sun, 12 Nov 2017 18:05:38 +0100 + activity-log-manager (0.8.0-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru activity-log-manager-0.8.0/debian/control activity-log-manager-0.8.0/debian/control --- activity-log-manager-0.8.0/debian/control 2015-08-18 17:30:06.0 +0200 +++ activity-log-manager-0.8.0/debian/control 2017-11-12 18:04:24.0 +0100 @@ -17,7 +17,8 @@ python, zeitgeist-core (>= 0.7~) | zeitgeist (>= 0.7~), python-gtk2, - python-cairo + python-cairo, + python-zeitgeist Description: blacklist configuration user interface for Zeitgeist Zeitgeist is a service which logs the user's activities and events (files opened, websites visited, conversations held with other people, etc.) and
NEW changes in stable-new
Processing changes file: cron_3.0pl1-128+deb9u1_i386.changes ACCEPT
NEW changes in stable-new
Processing changes file: cron_3.0pl1-128+deb9u1_ppc64el.changes ACCEPT
Bug#872293: nmu: loads of golang stuff
> What's outdated here, built-using? If so, we rebuild those before or during the
> freeze. Not sure we need to do it more often than that, as things will get out
> of date again before the freeze.

Due to the way golang binaries get built, not rebuilding them outside of freeze results in binaries that become buggy during freeze and trigger more uploads and rebuilds. buildd time is cheap, and ensuring we can both get rid of old sources and find bugs is important during development.

The other way we can do this is I can do routine empty uploads -- we need them rebuilt either way

Thanks!
Paul

>
> Cheers,
> Emilio

--
:wq
NEW changes in stable-new
Processing changes file: cron_3.0pl1-128+deb9u1_arm64.changes ACCEPT
Processing changes file: cron_3.0pl1-128+deb9u1_armel.changes ACCEPT
Processing changes file: cron_3.0pl1-128+deb9u1_armhf.changes ACCEPT
Processing changes file: cron_3.0pl1-128+deb9u1_mips.changes ACCEPT
Processing changes file: cron_3.0pl1-128+deb9u1_mips64el.changes ACCEPT
Processing changes file: cron_3.0pl1-128+deb9u1_mipsel.changes ACCEPT
Processing changes file: cron_3.0pl1-128+deb9u1_s390x.changes ACCEPT
Bug#883933: nmu: polymake_3.1-5
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

The following crash seems cured by a rebuild:

Can't locate loadable object for module Polymake::Ext in @INC (@INC contains: /usr/share/polymake/perllib /usr/lib/polymake/perlx/5.26.0 /usr/lib/polymake/perlx /home/bremner/.config/perl /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.26.1 /usr/local/share/perl/5.26.1 /usr/lib/x86_64-linux-gnu/perl5/5.26 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.26 /usr/share/perl/5.26 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at /usr/share/polymake/perllib/Polymake/Namespaces.pm line 17.

nmu polymake_3.1-5 . ANY . unstable . -m "rebuild for perl 5.26"

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
NEW changes in oldstable-new
Processing changes file: dns-root-data_2017072601~deb8u2_amd64.changes ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_amd64.changes ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_arm64.changes ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_armel.changes ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_armhf.changes ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_i386.changes ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_mips.changes ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_mipsel.changes ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_powerpc.changes ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_ppc64el.changes ACCEPT
Processing changes file: erlang_17.3-dfsg-4+deb8u2_s390x.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_multi.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_amd64.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_arm64.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_armel.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_armhf.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_i386.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_mips.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_mipsel.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_powerpc.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_ppc64el.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb8u1_s390x.changes ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_allonly.changes ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_amd64.changes ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_arm64.changes ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_armel.changes ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_armhf.changes ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_i386.changes ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_mips.changes ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_mipsel.changes ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_powerpc.changes ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_ppc64el.changes ACCEPT
Processing changes file: optipng_0.7.5-1+deb8u2_s390x.changes ACCEPT
Processing changes file: tor_0.2.5.16-1_weasel.changes ACCEPT
Processing changes file: tor_0.2.5.16-1_amd64.changes ACCEPT
Processing changes file: tor_0.2.5.16-1_arm64.changes ACCEPT
Processing changes file: tor_0.2.5.16-1_armel.changes ACCEPT
Processing changes file: tor_0.2.5.16-1_armhf.changes ACCEPT
Processing changes file: tor_0.2.5.16-1_i386.changes ACCEPT
Processing changes file: tor_0.2.5.16-1_mips.changes ACCEPT
Processing changes file: tor_0.2.5.16-1_mipsel.changes ACCEPT
Processing changes file: tor_0.2.5.16-1_powerpc.changes ACCEPT
Processing changes file: tor_0.2.5.16-1_ppc64el.changes ACCEPT
Processing changes file: tor_0.2.5.16-1_s390x.changes ACCEPT
NEW changes in stable-new
Processing changes file: auto-apt-proxy_2+deb9u1_amd64.changes ACCEPT
Processing changes file: cron_3.0pl1-128+deb9u1_amd64.changes ACCEPT
Processing changes file: golang-github-go-ldap-ldap_2.4.1-1+deb9u1_amd64.changes ACCEPT
Processing changes file: waagent_2.2.18-3~deb9u1_source.changes ACCEPT
Processed: Re: Bug#882158: stretch-pu: package glibc/2.24-11+deb9u2
Processing control commands:

> retitle -1 stretch-pu: package glibc/2.24-11+deb9u3
Bug #882158 [release.debian.org] stretch-pu: package glibc/2.24-11+deb9u2
Changed Bug title to 'stretch-pu: package glibc/2.24-11+deb9u3' from 'stretch-pu: package glibc/2.24-11+deb9u2'.
> tag -1 - pending
Bug #882158 [release.debian.org] stretch-pu: package glibc/2.24-11+deb9u3
Removed tag(s) pending.
> tag -1 - confirmed
Bug #882158 [release.debian.org] stretch-pu: package glibc/2.24-11+deb9u3
Removed tag(s) confirmed.

--
882158: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882158
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#882158: stretch-pu: package glibc/2.24-11+deb9u2
control: retitle -1 stretch-pu: package glibc/2.24-11+deb9u3 control: tag -1 - pending control: tag -1 - confirmed On 2017-12-02 19:23, Adam D. Barratt wrote: > Control: tags -1 + pending > > On Fri, 2017-12-01 at 21:15 +0100, Aurelien Jarno wrote: > > On 2017-12-01 19:49, Cyril Brulebois wrote: > > > Adam D. Barratt (2017-11-24): > > > > This looks OK to me, but will need a KiBi-ack; CCing. > > > > > > lgtm; apologies for the delay. > > > > Thanks, I have just uploaded it. > > Flagged for acceptance. > Unfortunately it didn't make in 9.3 due to the regression introduced wrt /etc/ld.so.nohwcap (see bug#883394). The issue is due to the conversion of libc6-i686 into a transitional package between jessie and stretch, and dropping the postinst and postrm script handling the removal of /etc/ld.so.nohwcap after the upgrade. The problem always existed in stretch, but the probability for it to happen has been greatly increased by the fix for #882272. The issue doesn't affect buster/sid as the transitional package has been removed. I have fixed the issue in version 2.24-11+deb9u3 by reintroducing the postinst and postrm scripts in the transitional package. You will find below the corresponding patch. Thanks for considering it for 9.4. Regards, Aurelien diff --git a/debian/changelog b/debian/changelog index 15d804c1..bd4f4115 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +glibc (2.24-11+deb9u3) UNRELEASED; urgency=medium + + [ Aurelien Jarno ] + * debian/rules.d/debhelper.mk: install the libc-otherbuild postinst and +postrm in the libc6-i686 transitional package, to make sure +/etc/ld.so.nohwcap is correctly removed after an upgrade. Closes: +#883394. + + -- Aurelien Jarno Wed, 06 Dec 2017 21:58:24 +0100 + glibc (2.24-11+deb9u2) stretch; urgency=medium [ Aurelien Jarno ] diff --git a/debian/rules.d/debhelper.mk b/debian/rules.d/debhelper.mk index 23de2220..97429175 100644 --- a/debian/rules.d/debhelper.mk +++ b/debian/rules.d/debhelper.mk 
@@ -147,6 +147,12 @@ $(stamp)debhelper-common: esac; \ done + # We need the NOHWCAP code also for the transitional libc6-i686 package +ifeq ($(DEB_HOST_ARCH),i386) + cp debian/libc-otherbuild.postinst debian/libc6-i686.postinst + cp debian/libc-otherbuild.postrm debian/libc6-i686.postrm +endif + # Install nscd systemd files on linux ifeq ($(DEB_HOST_ARCH_OS),linux) cp nscd/nscd.service debian/nscd.service -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurel...@aurel32.net http://www.aurel32.net
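Review bot: In the debian/rules.d/debhelper.mk hunk, the two `cp` lines write debian/libc6-i686.postinst and debian/libc6-i686.postrm into the source tree on every i386 build, and nothing in the visible hunk removes them again. Please confirm that the clean target deletes both generated files, so that a later build from the same tree does not pick up stale copies. The new changelog entry also still reads `UNRELEASED` and needs `stretch` before the upload.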
Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api
On Dec/09, Adam D. Barratt wrote:
> For the record, reviewing the diff of the -security upload, I notice
> that the change actually adds *two* runtime dependencies - the second,
> which was not mentioned in this pre-approval request, nor included in
> the proposed diff, being python-pastescript.

I figured python-pastescript had also been approved; I should have verified this myself instead of assuming so...

Cheers,

--Seb
NEW changes in stable-new
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_amd64.changes ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_arm64.changes ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_armel.changes ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_armhf.changes ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_i386.changes ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_mips.changes ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_mips64el.changes ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_mipsel.changes ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_ppc64el.changes ACCEPT
Processing changes file: erlang_19.2.1+dfsg-2+deb9u1_s390x.changes ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_i386.changes ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_amd64.changes ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_arm64.changes ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_armel.changes ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_armhf.changes ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_mips.changes ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_mips64el.changes ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_mipsel.changes ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_ppc64el.changes ACCEPT
Processing changes file: heimdal_7.1.0+dfsg-13+deb9u2_s390x.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_multi.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_amd64.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_arm64.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_armel.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_armhf.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_i386.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_mips.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_mips64el.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_mipsel.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_ppc64el.changes ACCEPT
Processing changes file: libxcursor_1.1.14-1+deb9u1_s390x.changes ACCEPT
Processing changes file: nova_14.0.0-4+deb9u1_amd64.changes ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_sourceonly.changes ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_amd64.changes ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_arm64.changes ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_armel.changes ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_armhf.changes ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_i386.changes ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_mips.changes ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_mips64el.changes ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_mipsel.changes ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_ppc64el.changes ACCEPT
Processing changes file: optipng_0.7.6-1+deb9u1_s390x.changes ACCEPT
Processing changes file: tor_0.2.9.14-1_weasel.changes ACCEPT
Processing changes file: tor_0.2.9.14-1_all.changes ACCEPT
Processing changes file: tor_0.2.9.14-1_amd64.changes ACCEPT
Processing changes file: tor_0.2.9.14-1_arm64.changes ACCEPT
Processing changes file: tor_0.2.9.14-1_armel.changes ACCEPT
Processing changes file: tor_0.2.9.14-1_armhf.changes ACCEPT
Processing changes file: tor_0.2.9.14-1_i386.changes ACCEPT
Processing changes file: tor_0.2.9.14-1_mips.changes ACCEPT
Processing changes file: tor_0.2.9.14-1_mips64el.changes ACCEPT
Processing changes file: tor_0.2.9.14-1_mipsel.changes ACCEPT
Processing changes file: tor_0.2.9.14-1_ppc64el.changes ACCEPT
Processing changes file: tor_0.2.9.14-1_s390x.changes ACCEPT
Bug#879161: jessie-pu: package dns-root-data/2017072601~deb8u2
Control: tags -1 + pending

On Sat, 2017-11-18 at 19:08 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Thu, 2017-10-19 at 18:36 -0400, Daniel Kahn Gillmor wrote:
> > the version of dns-root-data in jessie (2017072601~deb8u1) only ships
> > one entry in /usr/share/root.ds. see https://bugs.debian.org/877683
> >
> > I've cherry-picked a few changes from the master branch which
> > accommodate the new situation at ICANN and use a different toolchain
> > to produce root.ds that can handle multiple keys. This should
> > probably go into jessie sooner rather than later, though we have a
> > bit of a reprieve since the root key rollover has been postponed for
> > the moment.
> > +dns-root-data (2017072601~deb8u2) jessie-updates; urgency=medium
>
> Nope. "jessie-updates" is not a supported upload target. Updates for
> jessie should use "jessie" as the changelog distribution.
>
> I'm not overjoyed about the tooling rewrite, particularly with the
> Build-Depends changes, but it makes sense to keep it in line with that
> in newer suites.
>
> With the changelog fixed, please go ahead.

Uploaded (during the 8.10 freeze) and flagged for acceptance.

Regards,

Adam
Processed: Re: Bug#879161: jessie-pu: package dns-root-data/2017072601~deb8u2
Processing control commands:

> tags -1 + pending
Bug #879161 [release.debian.org] jessie-pu: package dns-root-data/2017072601~deb8u2
Added tag(s) pending.

--
879161: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879161
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#883124: stretch-pu: package golang-github-go-ldap-ldap/2.4.1-1
Processing control commands:

> tags -1 + pending
Bug #883124 [release.debian.org] stretch-pu: package golang-github-go-ldap-ldap/2.4.1-1
Added tag(s) pending.

--
883124: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883124
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#883066: stretch-pu: package waagent/2.2.18-3~deb9u1
Processing control commands:

> tags -1 + pending
Bug #883066 [release.debian.org] stretch-pu: package waagent/2.2.18-3~deb9u1
Added tag(s) pending.

--
883066: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883066
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#882773: stretch-pu: package auto-apt-proxy/2+deb9u1
Processing control commands:

> tags -1 + pending
Bug #882773 [release.debian.org] stretch-pu: package auto-apt-proxy/2+deb9u1
Added tag(s) pending.

--
882773: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882773
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#882773: stretch-pu: package auto-apt-proxy/2+deb9u1
Control: tags -1 + pending

On Sat, 2017-12-02 at 12:19 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Mon, 2017-11-27 at 13:57 -0200, Antonio Terceiro wrote:
> > Control: tag -1 - moreinfo
> >
> > On Sun, Nov 26, 2017 at 10:11:12PM +0100, Andreas Beckmann wrote:
> > > Control: tag -1 moreinfo
> > >
> > > On Sun, 26 Nov 2017 14:36:06 -0200 Antonio Terceiro wrote:
> > > > This fixes a RC bug that has been reported recently, and was just fixed
> > > > in unstable.
> > >
> > > I'm missing the corresponding undo operation in the preinst.
> > [..]
> > I have made a new upload to unstable fixing this, and cherry-picked
> > the fix into my stretch branch. Attached you will find an updated
> > diff against the version in stretch.
>
> Please go ahead.

Uploaded (during the 9.3 freeze) and flagged for acceptance.

Regards,

Adam
Bug#883066: stretch-pu: package waagent/2.2.18-3~deb9u1
Control: tags -1 + pending

On Sat, 2017-12-02 at 12:17 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2017-11-29 at 10:00 +0100, Bastian Blank wrote:
> > The Azure agent provides the provisioning part of the Microsoft Azure
> > platform. It is necessary to tell the platform about the state of
> > the systems. Therefore it is part of the "hardware" support for the
> > Azure platform.
> >
> > This update includes both upstream fixes for sudoer handling, Azure
> > Stack handling and some Debian fixes for state directory permissions.
> >
> > The diff still lacks the changelog entry for the above mentioned
> > version, as no further changes are scheduled and this will be a
> > straight rebuild for Stretch.
>
> As provided, the diff doesn't include any upstream changes at all...
>
> On the assumption that they're sane, please go ahead.

Uploaded (during the 9.3 freeze) and flagged for acceptance.

Regards,

Adam
Bug#883124: stretch-pu: package golang-github-go-ldap-ldap/2.4.1-1
Control: tags -1 + pending

On Sun, 2017-12-03 at 21:28 +, Adam D. Barratt wrote:
> On Sun, 2017-12-03 at 22:20 +0100, Dr. Tobias Quathamer wrote:
> > On 02.12.2017 at 13:12, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > >
> > > On Wed, 2017-11-29 at 23:53 +0100, Dr. Tobias Quathamer wrote:
> > > > I've prepared a fix for CVE-2017-14623, Debian BTS #876404. The
> > > > security team does not intend to publish a DSA for this minor issue,
> > > > so I'm asking here if you would accept an upload for
> > > > stable-proposed-updates.
> > >
> > > As this doesn't appear to affect anything else in-archive at least,
> > > please go ahead.
> >
> > Thanks, the package has been uploaded and just accepted into
> > proposed-updates.
>
> It's been accepted into the stable-new queue. It won't be accepted
> into proposed-updates until a member of the Release Team asks the
> archive software to do that (which now won't be until at least next
> weekend, as things are frozen in preparation for the upcoming point
> releases).

Flagged for acceptance into proposed-updates.

Regards,

Adam
Processed: Re: Bug#877934: stretch-pu: package cron/3.0pl1-128.1
Processing control commands:

> tags -1 + pending
Bug #877934 [release.debian.org] stretch-pu: package cron/3.0pl1-128.1
Added tag(s) pending.

--
877934: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877934
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#877934: stretch-pu: package cron/3.0pl1-128.1
Control: tags -1 + pending

On Sat, 2017-12-02 at 11:08 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sat, 2017-10-07 at 15:51 +0200, Laurent Bigonville wrote:
> > The version of cron currently in stretch is not properly
> > transitioning the system jobs to the correct SELinux context (See:
> > #857662).
> >
> > This is breaking cron for the people using SELinux on debian.
> >
> > The root cause of this is a change in the SELinux policy.
> >
> > The attached patch (that has been pushed to unstable) is fixing this
> > and is also avoiding hardcoding identifiers and detect them at
> > runtime instead. This is a more complete patch than the one proposed
> > on the original bugreport.
> >
> > All the changes are only affecting the code path when SELinux is
> > enabled.
>
> Assuming that the changes have been tested on stretch, please go
> ahead, bearing in mind that the window for getting fixes into the 9.3
> point release closes during this weekend.

Uploaded (during the 9.3 freeze) and flagged for acceptance.

Regards,

Adam
Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api
On Tue, 2017-11-21 at 00:45 +0100, Thomas Goirand wrote:
> As a consequence, the init script for the start of nova-placement-api
> simply doesn't work. So I'd like to make use of uwsgi, which is a
> very good way to run WSGI applications. I've added a runtime depends
> on uwsgi, and modified the startup script to use that.
[...]
> Though the security team (ie: Sebastien Delafond) advised me wisely
> to start the discussion with the release team about this new
> dependency for nova-placement-api.

For the record, reviewing the diff of the -security upload, I notice that the change actually adds *two* runtime dependencies - the second, which was not mentioned in this pre-approval request, nor included in the proposed diff, being python-pastescript.

Regards,

Adam
Bug#883921: transition: libical
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Please set up a libical transition tracker.

title = "libical 3.0.0";
is_affected = .depends ~ /libical2|libical3/;
is_good = .depends ~ /libical3/;
is_bad = .depends ~ /libical2/;

The new libical3 is built from the separate source libical3, so it should be a smooth transition.

Please binNMU the following packages:

agenda.app
almanah
asterisk
bijiben
bluez
evolution
evolution-data-server
gnokii
gnome-panel
gnome-shell
jana
kmymoney
omniorb-dfsg

For the other packages I'm filing bugs for build failures, which need either fixing first by build-depending on libical2-dev, or getting patches for libical(3)-dev.
Bug#883332: marked as done (stretch-pu: package sitesummary/0.1.28+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #883332, regarding stretch-pu: package sitesummary/0.1.28+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 883332: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883332 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, we would like to update sitesummary in stretch, fixing #883323 with severity important: "sitesummary-client: the nagios plugin module 'check_kernel_status' fails to detect 4.x kernels". #883323 is fixed in sid and the the debdiff for Stretch is: $ debdiff sitesummary_0.1.28.dsc sitesummary_0.1.28+deb9u1.dsc diff -Nru sitesummary-0.1.28/debian/changelog sitesummary-0.1.28+deb9u1/debian/changelog --- sitesummary-0.1.28/debian/changelog 2017-01-31 12:26:50.0 + +++ sitesummary-0.1.28+deb9u1/debian/changelog 2017-12-02 12:49:56.0 + 
@@ -1,3 +1,10 @@ +sitesummary (0.1.28+deb9u1) stretch; urgency=medium + + [ Wolfgang Schweer ] + * Adjust nagios kernel version checking module to work with 4.x kernels. + + -- Holger Levsen Sat, 02 Dec 2017 12:49:56 + + sitesummary (0.1.28) unstable; urgency=medium [ Wolfgang Schweer ] diff -Nru sitesummary-0.1.28/nagios-plugins/check_kernel_status sitesummary-0.1.28+deb9u1/nagios-plugins/check_kernel_status --- sitesummary-0.1.28/nagios-plugins/check_kernel_status 2017-01-07 12:36:53.0 + +++ sitesummary-0.1.28+deb9u1/nagios-plugins/check_kernel_status 2017-12-02 12:47:57.0 + @@ -72,7 +72,7 @@ my $dpkg; for my $line (split("\n", $dpkg_list)) { chomp $line; - $dpkg = $line if ($line =~ m/^ii.+linux-image-(2.6|3.\d)/); + $dpkg = $line if ($line =~ m/^ii.+linux-image-(2.6|3.\d|4.\d)/); } # Now, which OS is it, and which footprint do they use? Thanks for your ongoing work on Stretch! -- cheers, Holger signature.asc Description: PGP signature --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
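Review bot: in the nagios-plugins/check_kernel_status hunk, the pattern m/^ii.+linux-image-(2.6|3.\d|4.\d)/ still lists kernel major versions by hand and leaves every "." unescaped, so the plugin will fail to detect the installed kernel again as soon as the next major series ships, and "2.6" also matches strings such as "2x6". Suggest matching the version generically, for example linux-image-\d+\.\d+, so this monitoring check does not need another stable update for each new kernel series.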
Bug#883344: marked as done (stretch-pu: package debian-edu-doc/1.921~20170603+deb9u3)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #883344, regarding stretch-pu: package debian-edu-doc/1.921~20170603+deb9u3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 883344: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883344 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, please accept debian-edu-doc/1.921~20170603+deb9u3 into 9.2, it's a documentation-only update with this changelog: debian-edu-doc (1.921~20170603+deb9u3) stretch; urgency=medium [ Holger Levsen ] * Merge stretch related documentation and translation updates from the debian-edu-doc package in sid: * Update Debian Edu Stretch manual from the wiki. [ Stretch manual translation updates ] * Dutch: Frans Spiesschaert. * German: Wolfgang Schweer. * Italian: Claudio Carboncini. * Japanese: Victory. * Norwegian Bokmål: Petter Reinholdtsen. * Simplified Chinese: Ma Yong. [ Frans Spiesschaert ] * images/nl: add a Dutch images folder and Dutch screenshots for the manual. [ Wolfgang Schweer ] * documentation/common/edu.css.xml: improve HTML manual readability. [ ITIL manual translation updates ] * Dutch: Frans Spiesschaert. 
$ debdiff debian-edu-doc_1.921~20170603+deb9u2.dsc debian-edu-doc_1.921~20170603+deb9u3.dsc | diffstat debian/changelog | 26 documentation/common/edu.css.xml | 86 documentation/debian-edu-itil/debian-edu-itil-manual.nb.po |2 documentation/debian-edu-itil/debian-edu-itil-manual.pot |2 documentation/debian-edu-itil/po4a.cfg |2 documentation/debian-edu-stretch/debian-edu-stretch-manual.da.po | 862 documentation/debian-edu-stretch/debian-edu-stretch-manual.de.po | 758 ++- documentation/debian-edu-stretch/debian-edu-stretch-manual.es.po | 409 +--- documentation/debian-edu-stretch/debian-edu-stretch-manual.fr.po | 894 documentation/debian-edu-stretch/debian-edu-stretch-manual.it.po | 910 documentation/debian-edu-stretch/debian-edu-stretch-manual.ja.po | 809 --- documentation/debian-edu-stretch/debian-edu-stretch-manual.nb.po | 909 documentation/debian-edu-stretch/debian-edu-stretch-manual.nl.po | 1015 +- documentation/debian-edu-stretch/debian-edu-stretch-manual.pl.po | 394 +-- documentation/debian-edu-stretch/debian-edu-stretch-manual.pot | 370 +-- documentation/debian-edu-stretch/debian-edu-stretch-manual.xml | 171 - documentation/debian-edu-stretch/debian-edu-stretch-manual.zh.po | 566 ++--- documentation/debian-edu-stretch/fixme-status.txt|3 18 files changed, 4008 insertions(+), 4180 deletions(-) The compressed debdiff is *not* attached but I will happily do so if you want me to. All of these changes are/should be available in sid any time now, most are in buster. Except that I have very bad internet here atm, so I'm not sure I'll get the upload through during African daytime... (and I first need to upload 35mb source package to sid and then to stable-proposed...) - I will notify this bug once the uploads made it. (also: I had originally planned to upload this before the weekend before the point release weekend but failed to keep track of the days properly...) Thanks for your work on 9.2! 
-- cheers, Holger signature.asc Description: PGP signature --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
Bug#883292: marked as done (jessie-pu: package libio-socket-ssl-perl/2.002-2+deb8u3)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #883292, regarding jessie-pu: package libio-socket-ssl-perl/2.002-2+deb8u3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 883292: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883292 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi SRM I know the window for the upcoming point release is this weekend, so this one might not make it in time. It was reported that the version in jessie of libio-socket-ssl-perl might segfault when using malformed client certificates, cf. #881711. For jessie this issue is open, and the reporter confirmed that the patch fixes the issue there, so I cherry-picked the change for jessie. Attached is the resulting debdiff, would it be fine to include it in this (or any further point release)? Regards, Salvatore diff -Nru libio-socket-ssl-perl-2.002/debian/changelog libio-socket-ssl-perl-2.002/debian/changelog --- libio-socket-ssl-perl-2.002/debian/changelog2016-10-08 17:26:51.0 +0200 +++ libio-socket-ssl-perl-2.002/debian/changelog2017-12-01 20:40:51.0 +0100 
@@ -1,3 +1,9 @@ +libio-socket-ssl-perl (2.002-2+deb8u3) jessie; urgency=medium + + * Fix segfault using malformed client certificates (Closes: #881711) + + -- Salvatore Bonaccorso Fri, 01 Dec 2017 20:40:51 +0100 + libio-socket-ssl-perl (2.002-2+deb8u2) jessie; urgency=medium * Add 0001-remove-r-for-checking-SSL_-cert-key-_file-since-this.patch. diff -Nru libio-socket-ssl-perl-2.002/debian/patches/0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch libio-socket-ssl-perl-2.002/debian/patches/0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch --- libio-socket-ssl-perl-2.002/debian/patches/0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch 1970-01-01 01:00:00.0 +0100 +++ libio-socket-ssl-perl-2.002/debian/patches/0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch 2017-12-01 20:40:51.0 +0100 @@ -0,0 +1,25 @@ +From: Steffen Ullrich +Date: Sun, 26 Oct 2014 18:23:15 +0100 +Subject: Propagate error if cert/key could not be used instead of continuing + with an invalid context which might cause a segmentation fault +Origin: https://github.com/noxxi/p5-io-socket-ssl/commit/a09f29f423859565bc0384dcfbbc75811d9e4e4a +Bug-Debian: https://bugs.debian.org/881711 + +--- + +diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm +index 13c6680..2330b45 100644 +--- a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm +@@ -489,7 +489,7 @@ sub configure_SSL { + + # create context + # this will fill in defaults in $arg_hash +-$ctx ||= IO::Socket::SSL::SSL_Context->new($arg_hash); ++$ctx ||= IO::Socket::SSL::SSL_Context->new($arg_hash) || return; + + ${*$self}{'_SSL_arguments'} = $arg_hash; + ${*$self}{'_SSL_ctx'} = $ctx; +-- +2.15.1 + diff -Nru libio-socket-ssl-perl-2.002/debian/patches/series libio-socket-ssl-perl-2.002/debian/patches/series --- libio-socket-ssl-perl-2.002/debian/patches/series 2016-10-08 17:26:51.0 +0200 +++ libio-socket-ssl-perl-2.002/debian/patches/series 2017-12-01 20:40:51.0 +0100 
@@ -1,3 +1,4 @@ 0001-use-only-ICANN-part-in-public-suffix-list.patch 0001-make-PublicSuffix-_default_data-thread-safe-by-stori.patch 0001-remove-r-for-checking-SSL_-cert-key-_file-since-this.patch +0001-Propagate-error-if-cert-key-could-not-be-used-instea.patch --- End Message --- --- Begin Message --- Version: 8.10 Hi, Each of the updates referenced in these bugs was included in this morning's jessie point release. Thanks! Regards, Adam--- End Message ---
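Review bot: in the configure_SSL hunk of lib/IO/Socket/SSL.pm, the added "|| return" turns a failed IO::Socket::SSL::SSL_Context->new into a bare return, but the patch ships no regression test with an unusable certificate or key, so nothing in the package guards against the invalid-context path coming back. Suggest adding a test that passes a malformed client certificate and asserts that socket setup fails with an error rather than continuing, and confirming that every caller of configure_SSL treats the empty return value as failure.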
Bug#882869: marked as done (stretch-pu: package libxkbcommon/0.7.1-2~deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882869, regarding stretch-pu: package libxkbcommon/0.7.1-2~deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882869: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882869 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Let's fix a missing dependency by rebuilding the package from sid for stretch. #872874 Andreas diff -u libxkbcommon-0.7.1/debian/changelog libxkbcommon-0.7.1/debian/changelog --- libxkbcommon-0.7.1/debian/changelog +++ libxkbcommon-0.7.1/debian/changelog @@ -1,3 +1,18 @@ +libxkbcommon (0.7.1-2~deb9u1) stretch; urgency=medium + + * Non-maintainer upload. + * Rebuild for stretch. + + -- Andreas Beckmann Mon, 27 Nov 2017 17:50:43 +0100 + +libxkbcommon (0.7.1-2) unstable; urgency=medium + + * Remove Cyril from Uploaders. + * Add missing dependency libxkbcommon-x11-dev → libxkbcommon-dev +(closes: #872874). + + -- Julien Cristau Sat, 16 Sep 2017 13:40:36 +0200 + libxkbcommon (0.7.1-1) unstable; urgency=medium * New upstream release. diff -u libxkbcommon-0.7.1/debian/control libxkbcommon-0.7.1/debian/control --- libxkbcommon-0.7.1/debian/control +++ libxkbcommon-0.7.1/debian/control 
@@ -2,7 +2,7 @@ Section: x11 Priority: optional Maintainer: Debian X Strike Force -Uploaders: Cyril Brulebois , Michael Stapelberg +Uploaders: Michael Stapelberg Build-Depends: debhelper (>= 10), quilt, @@ -94,6 +94,7 @@ Pre-Depends: ${misc:Pre-Depends} Depends: libxkbcommon-x11-0 (= ${binary:Version}), + libxkbcommon-dev (= ${binary:Version}), libxcb1-dev, libxcb-xkb-dev, ${shlibs:Depends}, --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
Bug#882959: marked as done (stretch-pu: package pdns/4.0.3-1+deb9u2)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882959, regarding stretch-pu: package pdns/4.0.3-1+deb9u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882959: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882959 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Security update using upstream patch, for CVE-2017-15091. DSA has marked this no-DSA but suggested that this should be fixed via stable-updates. 4.0.3-1+deb9u1 is already in p-u, the attached debdiff is against that version. Please let me know if this is bad. Thanks, Chris diff -Nru pdns-4.0.3/debian/changelog pdns-4.0.3/debian/changelog --- pdns-4.0.3/debian/changelog 2017-10-30 07:12:17.0 + +++ pdns-4.0.3/debian/changelog 2017-11-27 22:02:24.0 + 
@@ -1,3 +1,10 @@ +pdns (4.0.3-1+deb9u2) stretch; urgency=medium + + * Add upstream patch fixing security issue: + * Missing check on API operations. CVE-2017-15091 + + -- Christian Hofstaedtler Mon, 27 Nov 2017 22:02:24 + + pdns (4.0.3-1+deb9u1) stretch; urgency=medium * Fix incorrect qname casing in NSEC3 generation (Closes: #869222) diff -Nru pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch --- pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch1970-01-01 00:00:00.0 + +++ pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch2017-11-27 22:02:24.0 + 
@@ -0,0 +1,30 @@ +diff -ru pdns-4.0.4.orig/pdns/ws-auth.cc pdns-4.0.4/pdns/ws-auth.cc +--- pdns-4.0.4.orig/pdns/ws-auth.cc2017-06-22 22:07:25.0 +0200 pdns-4.0.4/pdns/ws-auth.cc 2017-11-02 18:07:20.986764858 +0100 +@@ -860,7 +860,7 @@ + static void apiServerZoneAxfrRetrieve(HttpRequest* req, HttpResponse* resp) { + DNSName zonename = apiZoneIdToName(req->parameters["id"]); + +- if(req->method != "PUT") ++ if(req->method != "PUT" || ::arg().mustDo("api-readonly")) + throw HttpMethodNotAllowedException(); + + UeberBackend B; +@@ -879,7 +879,7 @@ + static void apiServerZoneNotify(HttpRequest* req, HttpResponse* resp) { + DNSName zonename = apiZoneIdToName(req->parameters["id"]); + +- if(req->method != "PUT") ++ if(req->method != "PUT" || ::arg().mustDo("api-readonly")) + throw HttpMethodNotAllowedException(); + + UeberBackend B; +@@ -1191,7 +1191,7 @@ + } + + void apiServerCacheFlush(HttpRequest* req, HttpResponse* resp) { +- if(req->method != "PUT") ++ if(req->method != "PUT" || ::arg().mustDo("api-readonly")) + throw HttpMethodNotAllowedException(); + + DNSName canon = apiNameToDNSName(req->getvars["domain"]); diff -Nru pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc --- pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc1970-01-01 00:00:00.0 + +++ pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc2017-11-27 22:02:24.0 + 
@@ -0,0 +1,11 @@ +-BEGIN PGP SIGNATURE- + +iQFNBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAloStHQaHHJlbWkuZ2Fj +b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEYtRgf3bMwaR4tdR0p5f0TMCuFN +7QbOpyLFLhatNYQFhUEFXQ7nesgNtNObu6qLOTi9fxD4zpcvnkz/a22m5S9tkf0W +Y6E2fMy9NoLysSvTwgBCrXKbqttzFvpYRCWVzKnWgz67hjF4U57Wp1rY88XWmVHE +5T4unYv7Kn+C2mDfBl1cOnRO2Y1VeJ79hS802q1WrnqREJkIZrN+CzpXGX/512Tg +PLQ6Dke25kvlqGqsC7PRI8lU9Sm9UPLkR1ILKQCoIgxi7RXXYNmIE2dPgI2z06pm +Cu9wFIYiaYtUjG+u4N6heJSfDvJZbWX+c8Xhvy16u3i1M/xPhB2Sq/IgZQV7S+NK +=0Skb +-END PGP SIGNATURE- diff -Nru pdns-4.0.3/debian/patches/series pdns-4.0.3/debian/patches/series --- pdns-4.0.3/debian/patches/series2017-10-30 07:12:17.0 + +++ pdns-4.0.3/debian/patches/series2017-11-27 22:02:24.0 + @@ -1 +1,2 @@ 869222-lowercase-qname-before-NSEC-generation.patch +CVE-2017-15091-4.0.4.patch --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
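Review bot: in the three pdns/ws-auth.cc hunks (apiServerZoneAxfrRetrieve, apiServerZoneNotify and apiServerCacheFlush), the api-readonly test is added separately inside each handler's method check, and a per-handler check is easy to omit, which is what the changelog describes with "Missing check on API operations". Suggest enforcing read-only mode in one place, before requests reach the state-changing handlers, so a handler added later is covered by default. If the per-handler form stays, a test that sends PUT to each of these endpoints with api-readonly set and expects HttpMethodNotAllowedException would catch the next omission.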
Bug#882958: marked as done (stretch-pu: package pdns-recursor/4.0.4-1+deb9u2)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882958, regarding stretch-pu: package pdns-recursor/4.0.4-1+deb9u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882958: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882958 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Security update using upstream patches to fix CVE-2017-15090, CVE-2017-15092, CVE-2017-15093, CVE-2017-15094. DSA has marked those as non-DSA but suggested fixing through a stable update instead. debdiff against deb9u1 (in stable proper) attached. Thanks, Chris diff -Nru pdns-recursor-4.0.4/debian/changelog pdns-recursor-4.0.4/debian/changelog --- pdns-recursor-4.0.4/debian/changelog2017-06-27 12:31:08.0 + +++ pdns-recursor-4.0.4/debian/changelog2017-11-27 21:44:40.0 + 
@@ -1,3 +1,13 @@ +pdns-recursor (4.0.4-1+deb9u2) stretch; urgency=medium + + * Add upstream patches fixing security issues: + * Insufficient validation of DNSSEC signatures. CVE-2017-15090 + * Cross-Site Scripting in the web interface. CVE-2017-15092 + * Configuration file injection in the API. CVE-2017-15093 + * Memory leak in DNSSEC parsing. CVE-2017-15094 + + -- Christian Hofstaedtler Mon, 27 Nov 2017 21:44:40 + + pdns-recursor (4.0.4-1+deb9u1) stretch; urgency=medium * Add new root trust anchor KSK-2017 to embedded root trust list. diff -Nru pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch --- pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch 1970-01-01 00:00:00.0 + +++ pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch 2017-11-27 21:44:40.0 + @@ -0,0 +1,15 @@ +diff -ru pdns-recursor-4.0.6.orig/validate-recursor.cc pdns-recursor-4.0.6/validate-recursor.cc +--- pdns-recursor-4.0.6.orig/validate-recursor.cc 2017-07-04 17:43:07.0 +0200 pdns-recursor-4.0.6/validate-recursor.cc 2017-11-02 18:29:16.612520450 +0100 +@@ -87,6 +87,11 @@ + bool first = true; + for(const auto& csp : cspmap) { + for(const auto& sig : csp.second.signatures) { ++ ++if (!csp.first.first.isPartOf(sig->d_signer)) { ++ return increaseDNSSECStateCounter(Bogus); ++} ++ + vState newState = getKeysFor(sro, sig->d_signer, keys); // XXX check validity here + + if (newState == Bogus) // No hope diff -Nru pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch.asc pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch.asc --- pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch.asc 1970-01-01 00:00:00.0 + +++ pdns-recursor-4.0.4/debian/patches/CVE-2017-15090-4.0.6.patch.asc 2017-11-27 21:44:40.0 + 
@@ -0,0 +1,12 @@ +-BEGIN PGP SIGNATURE- + +iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAloStE4aHHJlbWkuZ2Fj +b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEbDZwf+JDDe7box5QLp+5T4gaQj +1SyU2UaL2LVgIZbkvMoM03mGEc5LOushKLE0aoTKPwYbz2m5Oz1We3d1/Bv2OtJD +9AXslTaaqSg0rmdeEJIPYUa393TXLXhCjKUcF/5kbo0Y6+T5dcukGMw/LkZqt4/O +RLnj51eN0lSQrS+nCXHfREmIP2nj8+T6xAjNGIZ3NEQ9c3m1dPAzvd/skYiJkm/P +dC3uyEYFRlN33fQp8LYL/mK3HDApX9DESfJUsqvnpJlX6qyUejxkGeJZ3ro1IStE +NI5m1GRoI3FBbywIn9BPcllU0RkIS5X7r0wRWZ7D0e1nWHcgPqtyVkjvh6kUbRgs +VA== +=3aIe +-END PGP SIGNATURE- diff -Nru pdns-recursor-4.0.4/debian/patches/CVE-2017-15092-4.0.6.patch pdns-recursor-4.0.4/debian/patches/CVE-2017-15092-4.0.6.patch --- pdns-recursor-4.0.4/debian/patches/CVE-2017-15092-4.0.6.patch 1970-01-01 00:00:00.0 + +++ pdns-recursor-4.0.4/debian/patches/CVE-2017-15092-4.0.6.patch 2017-11-27 21:44:40.0 + @@ -0,0 +1,85 @@ +diff -ru pdns-recursor-4.0.6.orig/html/local.js pdns-recursor-4.0.6/html/local.js +--- pdns-recursor-4.0.6.orig/html/local.js 2017-07-04 17:43:07.0 +0200 pdns-recursor-4.0.6/html/local.js 2017-11-02 18:26:04.624586674 +0100 +@@ -63,7 +63,7 @@ + + $.getJSON(qstring, + function(data) { +-var bouw="NumberDomainType"; ++var table = $('NumberDomainType'); + var num=0; + var total=0, rest=0; + $.each(data["entries"], function(a,b) { +@@ -
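Review bot: in the validate-recursor.cc hunk, the new csp.first.first.isPartOf(sig->d_signer) test carries no comment saying why a signature whose signer does not contain that name must end in Bogus, and it sits directly above the existing "// XXX check validity here" marker, which leaves it unclear whether that marker is now resolved. Suggest a one-line comment stating the rule being enforced, and updating or removing the XXX note so the next reader does not assume the validity check is still missing.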
Bug#883176: marked as done (stretch-pu: package fig2dev/1:3.2.6a-2)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #883176, regarding stretch-pu: package fig2dev/1:3.2.6a-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 883176: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883176 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Fix some minor security issues, which according to the security team do not warrant a DSA: * CVE-2017-16899: 31_input_sanitizing: Some input sanitizing on FIG files (Closes: #881143, #881144). * 32_fill-style-overflow: Sanitize input of fill patterns (Closes: #881396). The patches are adapted from unstable/testing. Greetings Roland diff -Nru fig2dev-3.2.6a/debian/changelog fig2dev-3.2.6a/debian/changelog --- fig2dev-3.2.6a/debian/changelog 2017-01-28 10:30:50.0 +0100 +++ fig2dev-3.2.6a/debian/changelog 2017-11-30 12:02:27.0 +0100 
@@ -1,3 +1,12 @@ +fig2dev (1:3.2.6a-2+deb9u1) stable; urgency=medium + + * CVE-2017-16899: 31_input_sanitizing: Some input sanitizing on FIG +files (Closes: #881143, #881144). + * 32_fill-style-overflow: Sanitize input of fill patterns +(Closes: #881396). + + -- Roland Rosenfeld Thu, 30 Nov 2017 12:02:27 +0100 + fig2dev (1:3.2.6a-2) unstable; urgency=medium * build-dep on etoolbox required with current texlive (Closes: #852915). diff -Nru fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch --- fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch 1970-01-01 01:00:00.0 +0100 +++ fig2dev-3.2.6a/debian/patches/31_input_sanitizing.patch 2017-11-30 12:02:27.0 +0100 
@@ -0,0 +1,41 @@ +Description: CVE-2017-16899 Some input sanitizing when reading FIG files. +Bug-Debian: https://bugs.debian.org/881143 +Bug-Debian: https://bugs.debian.org/881144 +Author: Thomas Loimer + +--- a/fig2dev/read.c b/fig2dev/read.c +@@ -1329,8 +1329,14 @@ read_textobject(FILE *fp) + | PSFONT_TEXT; + + /* keep the font number reasonable */ +- if (t->font > MAXFONT(t)) ++ if (t->font > MAXFONT(t)) { + t->font = MAXFONT(t); ++ } else if (t->font < 0 ) { ++ if (psfont_text(t) && t->font < -1) ++ t->font = -1; ++ else ++ t->font = 0; ++ } + fix_and_note_color(&t->color); + t->comments = attach_comments(); /* attach any comments */ + return t; +--- a/fig2dev/read1_3.c b/fig2dev/read1_3.c +@@ -470,6 +470,15 @@ read_textobject(FILE *fp) + free((char*) t); + return(NULL); + } ++ /* keep the font number within valid range */ ++ if (t->font > MAXFONT(t)) { ++ t->font = MAXFONT(t); ++ } else if (t->font < 0 ) { ++ if (psfont_text(t) && t->font < -1) ++ t->font = -1; ++ else ++ t->font = 0; ++ } + (void)strcpy(t->cstring, buf); + if (t->size == 0) t->size = 18; + return(t); diff -Nru fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch --- fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch 1970-01-01 01:00:00.0 +0100 +++ fig2dev-3.2.6a/debian/patches/32_fill-style-overflow.patch 2017-11-30 12:02:27.0 +0100 
@@ -0,0 +1,47 @@ +Description: Sanitize input of fill patterns. +Bug-Debian: https://bugs.debian.org/881396 +Author: Thomas Loimer + +--- a/fig2dev/read.c b/fig2dev/read.c +@@ -71,6 +71,8 @@ static int save_comment(void); + + #define FILL_CONVERT(f) ((v2_flag || (f) < WHITE_FILL) \ + ? (v30_flag? f: (f-1)) : 20 - ((f)-1)*5) ++#define FILL_SANITIZE(f) ((f) < UNFILLED || (f) >= \ ++ NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : f + + /* input buffer size */ + #define BUF_SIZE 1024 +@@ -547,6 +549,7 @@ read_arcobject(FILE *fp) + } + a->thickness *= round(THICK_SCALE); + a->fill_style = FILL_CONVERT(a->fill_style); ++ a->fill_style = FILL_SANITIZE(a->fill_style); + NOTE_FILL(a); + fix_and_note_color(&a->pen_color); + if (fa) { +@@ -730,6 +733,7 @@ read_ellipseobject(void) + fix_and_note_color(&e->pen_color); + e->thickness *= round(THICK_SCALE); + e->fill_style = FILL_CONVERT(e->fill_style); ++ e->fill_style = FILL_SANITIZE(e->fill_style); + NOTE_FILL(e); + e->comments = attach_comment
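Review bot: in the 32_fill-style-overflow hunk of fig2dev/read.c, FILL_SANITIZE(f) expands to a conditional expression with no outer parentheses and an unparenthesised final f, so it is only correct in the plain-assignment form used here (a->fill_style = FILL_SANITIZE(a->fill_style);). Suggest parenthesising the whole expansion and the last operand, (((f) < UNFILLED || (f) >= NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : (f)), or replacing the macro with a small static function, so a later use inside a larger expression cannot let an out-of-range fill style through.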
Bug#882961: marked as done (jessie-pu: package pdns/3.4.1-4+deb8u8)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #882961, regarding jessie-pu: package pdns/3.4.1-4+deb8u8 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882961: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882961 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Security update for CVE-2017-15091. DSA has marked this no-DSA but suggested this goes through (old)-stable-updates. debdiff attached. Thanks, Chris diff -Nru pdns-3.4.1/debian/changelog pdns-3.4.1/debian/changelog --- pdns-3.4.1/debian/changelog 2017-01-07 00:45:53.0 + +++ pdns-3.4.1/debian/changelog 2017-11-27 21:19:19.0 + @@ -1,3 +1,10 @@ +pdns (3.4.1-4+deb8u8) jessie; urgency=medium + + * Add patch fixing security issue: + * Missing check on API operations: CVE-2017-15091 + + -- Christian Hofstaedtler Mon, 27 Nov 2017 21:19:19 + + pdns (3.4.1-4+deb8u7) jessie-security; urgency=high * Security upload. diff -Nru pdns-3.4.1/debian/patches/CVE-2017-15091.patch pdns-3.4.1/debian/patches/CVE-2017-15091.patch --- pdns-3.4.1/debian/patches/CVE-2017-15091.patch 1970-01-01 00:00:00.0 + +++ pdns-3.4.1/debian/patches/CVE-2017-15091.patch 2017-11-27 21:19:19.0 + 
@@ -0,0 +1,16 @@ +Index: pdns/pdns/ws-auth.cc +=== +--- pdns.orig/pdns/ws-auth.cc pdns/pdns/ws-auth.cc +@@ -1144,6 +1144,11 @@ void AuthWebServer::jsonstat(HttpRequest + { + string command; + ++ if (::arg().mustDo("experimental-api-readonly")) { ++resp->body = returnJsonError("Unavailable when API is readonly"); ++resp->status = 405; ++ } ++ + if(req->getvars.count("command")) { + command = req->getvars["command"]; + req->getvars.erase("command"); diff -Nru pdns-3.4.1/debian/patches/series pdns-3.4.1/debian/patches/series --- pdns-3.4.1/debian/patches/series2017-01-07 00:45:53.0 + +++ pdns-3.4.1/debian/patches/series2017-11-27 21:19:19.0 + @@ -9,3 +9,4 @@ CVE-2016-7072.patch CVE-2016-7068.patch CVE-2016-2120.patch +CVE-2017-15091.patch --- End Message --- --- Begin Message --- Version: 8.10 Hi, Each of the updates referenced in these bugs was included in this morning's jessie point release. Thanks! Regards, Adam--- End Message ---
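Review bot: in the AuthWebServer::jsonstat hunk of pdns/ws-auth.cc, the new experimental-api-readonly block sets resp->body and resp->status = 405 but, as shown, contains no return, so execution continues into the if(req->getvars.count("command")) handling below and the request is still processed. Suggest adding "return;" as the last statement of the block. The block is also placed ahead of the command lookup, so it applies to every jsonstat request when the option is set; if read-only queries are meant to keep working, the check belongs inside the command branch instead.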
Bug#883071: marked as done (nmu: eclipse-titan)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #883071, regarding nmu: eclipse-titan to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 883071: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883071 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: grave --- Please enter the report below this line. --- The Titan compiler needs the same gcc version (major.minor) which compiled the eclipse/titan binaries. When the package was built for stretch, the gcc version was 6.2.x, now it is 6.3.x Now if the user wants to build a TTCN-3 project with the titan compiler, then it will abort with an error: /usr/include/titan/cversion.h:7:2: error: #error The version of GCC does not match the expected version (GCC 6.2.0) A simple recompile will solve this issue, the new binaries will be created with gcc 6.3.x and Titan will work again. So please, recompile eclipse-titan. --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
Bug#883177: marked as done (jessie-pu: package transfig/1:3.2.5.e-4)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #883177, regarding jessie-pu: package transfig/1:3.2.5.e-4 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 883177: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883177 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Fix some minor security issues, which according to the security team do not warrant a DSA: * CVE-2017-16899: 33_input_sanitizing: Some input sanitizing on FIG files (Closes: #881143, #881144). * 34_fill-style-overflow: Sanitize input of fill patterns (Closes: #881396). The patches are adapted from unstable/testing. Greetings Roland diff -Nru transfig-3.2.5.e/debian/changelog transfig-3.2.5.e/debian/changelog --- transfig-3.2.5.e/debian/changelog 2014-08-26 10:06:01.0 +0200 +++ transfig-3.2.5.e/debian/changelog 2017-11-30 12:17:07.0 +0100 
@@ -1,3 +1,12 @@ +transfig (1:3.2.5.e-4+deb8u1) jessie-proposed-updates; urgency=medium + + * CVE-2017-16899: 33_input_sanitizing: Some input sanitizing on FIG +files (Closes: #881143, #881144). + * 34_fill-style-overflow: Sanitize input of fill patterns +(Closes: #881396). + + -- Roland Rosenfeld Thu, 30 Nov 2017 12:17:07 +0100 + transfig (1:3.2.5.e-4) unstable; urgency=low * 32_dev_Imake_typo: use gengbx.c instead of gengbx.o in SRCS, otherwise diff -Nru transfig-3.2.5.e/debian/patches/33_input_sanitizing.patch transfig-3.2.5.e/debian/patches/33_input_sanitizing.patch --- transfig-3.2.5.e/debian/patches/33_input_sanitizing.patch 1970-01-01 01:00:00.0 +0100 +++ transfig-3.2.5.e/debian/patches/33_input_sanitizing.patch 2017-11-30 12:17:07.0 +0100 
@@ -0,0 +1,41 @@ +Description: CVE-2017-16899 Some input sanitizing when reading FIG files. +Bug-Debian: https://bugs.debian.org/881143 +Bug-Debian: https://bugs.debian.org/881144 +Author: Thomas Loimer + +--- a/fig2dev/read.c b/fig2dev/read.c +@@ -1204,8 +1204,14 @@ FILE *fp; + | PSFONT_TEXT; + + /* keep the font number reasonable */ +- if (t->font > MAXFONT(t)) ++ if (t->font > MAXFONT(t)) { + t->font = MAXFONT(t); ++ } else if (t->font < 0 ) { ++ if (psfont_text(t) && t->font < -1) ++ t->font = -1; ++ else ++ t->font = 0; ++ } + fix_color(&t->color); + t->comments = attach_comments(); /* attach any comments */ + return t; +--- a/fig2dev/read1_3.c b/fig2dev/read1_3.c +@@ -465,6 +465,15 @@ FILE *fp; + free((char*) t); + return(NULL); + } ++ /* keep the font number within valid range */ ++ if (t->font > MAXFONT(t)) { ++ t->font = MAXFONT(t); ++ } else if (t->font < 0 ) { ++ if (psfont_text(t) && t->font < -1) ++ t->font = -1; ++ else ++ t->font = 0; ++ } + (void)strcpy(t->cstring, buf); + if (t->size == 0) t->size = 18; + return(t); diff -Nru transfig-3.2.5.e/debian/patches/34_fill-style-overflow.patch transfig-3.2.5.e/debian/patches/34_fill-style-overflow.patch --- transfig-3.2.5.e/debian/patches/34_fill-style-overflow.patch 1970-01-01 01:00:00.0 +0100 +++ transfig-3.2.5.e/debian/patches/34_fill-style-overflow.patch 2017-11-30 12:17:07.0 +0100 
@@ -0,0 +1,47 @@ +Description: Sanitize input of fill patterns. +Bug-Debian: https://bugs.debian.org/881396 +Author: Thomas Loimer + +--- a/fig2dev/read.c b/fig2dev/read.c +@@ -61,6 +61,8 @@ static int save_comment(); + #define FILL_CONVERT(f) \ + ((v2_flag || (f) < WHITE_FILL) \ + ? (v30_flag? f: (f-1)) : 20 - ((f)-1)*5) ++#define FILL_SANITIZE(f) ((f) < UNFILLED || (f) >= \ ++ NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : f + + /* input buffer size */ + #define BUF_SIZE 1024 +@@ -527,6 +529,7 @@ FILE *fp; + } + a->thickness *= round(THICK_SCALE); + a->fill_style = FILL_CONVERT(a->fill_style); ++ a->fill_style = FILL_SANITIZE(a->fill_style); + /* keep track if pattern is used */ + note_pattern(a->fill_style); + fix_color(&a->pen_color); +@@ -718,6 +721,7 @@ read_ellipseobject() + fix_color(&e->fill_color); + e->thickness *= round(THICK_SCALE); + e->fill_style = FILL_CONVERT(e->fill_style); ++ e->fill_style = FILL_SANITIZE(e->fill_style); + /* keep track if pattern is used */ + note_pattern(e->fill_style); + e->comments = attach_comments(); /* attach any
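Review bot: the font clamp added in fig2dev/read1_3.c (@@ -465) is a line-for-line copy of the one added in fig2dev/read.c (@@ -1204), from "if (t->font > MAXFONT(t)) {" through the "t->font = 0;" branch. Two copies of a bounds check on parsed input tend to drift apart, so a single static helper taking the text object and called from both readers would keep the valid range defined in one place. The clamp is also silent: an out-of-range font number in a FIG file is rewritten to MAXFONT(t), -1 or 0 with no message, and a warning on stderr would let a user notice that the input was malformed instead of only seeing different output.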
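Review bot: FILL_SANITIZE as defined in fig2dev/read.c (@@ -61) is fragile as a macro: the expansion "((f) < UNFILLED || (f) >= NUMSHADES + NUMTINTS + NUMPATTERNS) ? UNFILLED : f" has no outer parentheses, leaves the last f unparenthesized, and evaluates its argument up to three times. The two call sites visible here are plain assignments of a side-effect-free member (a->fill_style, e->fill_style), so they behave as intended, but any later use inside a larger expression would bind differently from what the name suggests. Suggest wrapping the whole conditional in parentheses and writing (f) for the final operand, or turning it into a small static function.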
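Review bot: in the arc and ellipse hunks of fig2dev/read.c (@@ -527 and @@ -718) the range check runs only after FILL_CONVERT has already done arithmetic on the raw value read from the file. In the "20 - ((f)-1)*5" branch of FILL_CONVERT a very large fill_style can overflow the multiplication before FILL_SANITIZE ever sees the value, which is undefined behaviour for a signed int (assuming fill_style is an int, which these lines do not show). Suggest rejecting or clamping the raw value before FILL_CONVERT as well, or adding a comment explaining why the converted value is the only one that needs checking. The excerpt ends inside the ellipse hunk; every other place that applies FILL_CONVERT needs the same added line.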
Bug#882960: marked as done (jessie-pu: package pdns-recursor/3.6.2-2+deb8u4)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #882960, regarding jessie-pu: package pdns-recursor/3.6.2-2+deb8u4 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882960: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882960 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Security update using upstream patch for CVE-2017-15093. DSA has marked this non-DSA but suggested fixing this through an (old)stable update. debdiff attached. Thanks, Chris diff -Nru pdns-recursor-3.6.2/debian/changelog pdns-recursor-3.6.2/debian/changelog --- pdns-recursor-3.6.2/debian/changelog2017-01-07 00:45:53.0 + +++ pdns-recursor-3.6.2/debian/changelog2017-11-27 21:26:46.0 + 
@@ -1,3 +1,10 @@ +pdns-recursor (3.6.2-2+deb8u4) jessie; urgency=medium + + * Add upstream patch fixing security issue: + * Configuration file injection in the API. CVE-2017-15093 + + -- Christian Hofstaedtler Mon, 27 Nov 2017 21:26:46 + + pdns-recursor (3.6.2-2+deb8u3) jessie-security; urgency=high * Security upload. diff -Nru pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch --- pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch 1970-01-01 00:00:00.0 + +++ pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch 2017-11-27 21:26:46.0 + 
@@ -0,0 +1,48 @@ +diff -ru pdns-recursor-3.7.4.orig/ws-recursor.cc pdns-recursor-3.7.4/ws-recursor.cc +--- pdns-recursor-3.7.4.orig/ws-recursor.cc2017-01-13 12:03:03.0 +0100 pdns-recursor-3.7.4/ws-recursor.cc 2017-11-02 18:10:54.764426426 +0100 +@@ -79,10 +79,11 @@ + throw ApiException("'value' must be an array"); + } + ++NetmaskGroup nmg; + for (SizeType i = 0; i < jlist.Size(); ++i) { + try { +-Netmask(jlist[i].GetString()); +- } catch (NetmaskException &e) { ++nmg.addMask(jlist[i].GetString()); ++ } catch (const NetmaskException &e) { + throw ApiException(e.reason); + } + } +@@ -94,9 +95,7 @@ + + // Clear allow-from, and provide a "parent" value + ss << "allow-from=" << endl; +-for (SizeType i = 0; i < jlist.Size(); ++i) { +- ss << "allow-from+=" << jlist[i].GetString() << endl; +-} ++ss << "allow-from+=" << nmg.toString() << endl; + + apiWriteConfigFile("allow-from", ss.str()); + +@@ -233,10 +232,16 @@ + string serverlist; + if (servers.IsArray()) { + for (SizeType i = 0; i < servers.Size(); ++i) { +-if (!serverlist.empty()) { +- serverlist += ";"; ++string server = servers[i].GetString(); ++try { ++ ComboAddress ca = parseIPAndPort(server, 53); ++ if (!serverlist.empty()) { ++serverlist += ";"; ++ } ++ serverlist += ca.toStringWithPort(); ++} catch (const PDNSException &e) { ++ throw ApiException(e.reason); + } +-serverlist += servers[i].GetString(); + } + } + diff -Nru pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch.asc pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch.asc --- pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch.asc 1970-01-01 00:00:00.0 + +++ pdns-recursor-3.6.2/debian/patches/CVE-2017-15093-3.7.4.patch.asc 2017-11-27 21:26:46.0 + 
@@ -0,0 +1,12 @@ +-BEGIN PGP SIGNATURE- + +iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAloStJ8aHHJlbWkuZ2Fj +b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEaoHgf/dAebO/MSvtvymt0pz0Kb +lMvmkv6INpsh7bssVyY8v9HAMtkVRBSNAEiGjAJbLaDxsfgr0a+vGCd0C2v7sDXl +8rZHuMlNpvxU0/i6O9k4AY9T7/G+Go567xbIK1PcZhZ+ixNaP7sms9a9ooISb4/R ++1wBz3D8TXUbWQsHkxX2GE6oihhqRdhvbOWpQ7aPNglE/wI4Eb5V2bIapM3M/o8N +jFPm2kDZvNrcEMIW60vHdujrJMY85KiMGO9LMV9LCDj0nSO6jRTGI+2CteT2jnUq +7w4L22ODxT1g5sIH/60swoHbIJ5zXWXDcxM3jPgh5kYIa7gvZoC6v1udsMyOYFu6 +Lw== +=Y7Eg +-END PGP SIGNATURE- diff -Nru pdns-recursor-3.6.2/debian/patches/series pdns-recursor-3.6.2/debian/patches/series --- pdns-recursor-3.6.2/debian/patches/series 2017-01-07 00:45:53.0 + +++ pdns-recursor-3.6.2/debian/patches/series 2017-11-27 21:26:46.0 + @@ -1,3 +1,4 @@ CVE-2015-1868.patch CVE-2015-1868-2.patc
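Review bot: the rewritten block in ws-recursor.cc (@@ -94,9 +95,7) now always emits one "allow-from+=" line, including when jlist is empty, where the removed loop emitted none. Writing nmg.toString() instead of the caller-supplied strings is the right shape for this fix, since what reaches the config file is now the parsed form and not the raw JSON string, but the empty case changes the file that is written: "allow-from=" is followed by "allow-from+=" plus whatever nmg.toString() returns for an empty group. Worth confirming the config parser treats that as an empty list, or skipping the += line when no masks were added. A short comment saying the value is deliberately re-serialized from the parsed group would also stop a later cleanup from reintroducing GetString() here.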
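Review bot: "string server = servers[i].GetString();" in ws-recursor.cc (@@ -233,10 +232,16), like "nmg.addMask(jlist[i].GetString());" in the @@ -79 hunk, is reached with no visible check that the array element is a JSON string. The array itself is tested (servers.IsArray(), and the "'value' must be an array" exception above), but not its members, so a number or object in the list is handled by whatever GetString() does on a non-string value and not by a clean ApiException. Suggest an explicit IsString() test per element that throws ApiException. Separately, the stored value is now ca.toStringWithPort(), so entries submitted without a port are persisted with the default port 53 made explicit; that change in the written configuration deserves a line in the changelog entry.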
Bug#882834: marked as done (stretch-pu: package libxsettings-client/0.17-9~deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882834, regarding stretch-pu: package libxsettings-client/0.17-9~deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882834: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882834 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Let's rebuild libxsettings-client for stretch and get the missing libxsettings-dev dependency in libxsettings-client-dev. #695584 Andreas PS: no substvars changed, no binary debdiff this time :-) diff -Nru libxsettings-client-0.17/debian/changelog libxsettings-client-0.17/debian/changelog --- libxsettings-client-0.17/debian/changelog 2015-10-31 23:24:06.0 +0100 +++ libxsettings-client-0.17/debian/changelog 2017-11-27 05:20:39.0 +0100 
@@ -1,3 +1,18 @@ +libxsettings-client (0.17-9~deb9u1) stretch; urgency=medium + + * QA upload. + * Rebuild for stretch. + + -- Andreas Beckmann Mon, 27 Nov 2017 05:20:39 +0100 + +libxsettings-client (0.17-9) unstable; urgency=medium + + * QA upload. + * Add the missing libxsettings-client-dev -> libxsettings-dev +dependency. (Closes: #695584) + + -- Adrian Bunk Sun, 03 Sep 2017 23:36:18 +0300 + libxsettings-client (0.17-8) unstable; urgency=medium * QA upload. diff -Nru libxsettings-client-0.17/debian/control libxsettings-client-0.17/debian/control --- libxsettings-client-0.17/debian/control 2015-10-31 22:00:00.0 +0100 +++ libxsettings-client-0.17/debian/control 2017-09-03 22:36:18.0 +0200 @@ -23,7 +23,7 @@ Section: libdevel Priority: optional Architecture: any -Depends: libxsettings-client0 (= ${binary:Version}), libx11-dev, ${misc:Depends} +Depends: libxsettings-client0 (= ${binary:Version}), libx11-dev, ${misc:Depends}, libxsettings-dev Description: utility functions for the Xsettings protocol (Development files) This package contains headers and other files required to compile software using the GPE scheduling library to use the Xsettings --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
Bug#882831: marked as done (stretch-pu: package libmpd/0.20.0-2~deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882831, regarding stretch-pu: package libmpd/0.20.0-2~deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882831: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882831 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Let's fix the missing libglib2.0-dev dependency (according to libmpd.pc). #518429 $ debdiff libmpd-dev_0.20.0-1.3_amd64.deb libmpd-dev_0.20.0-2~deb9u1_amd64.deb File lists identical (after any substitutions) Control files: lines which differ (wdiff format) Depends: libmpd1 (= [-0.20.0-1.3), pkg-config-] {+0.20.0-2~deb9u1), pkg-config, libglib2.0-dev+} Maintainer: [-Arnaud Cornet -] {+Debian QA Group +} Version: [-0.20.0-1.3-] {+0.20.0-2~deb9u1+} Andreas diff -u libmpd-0.20.0/debian/changelog libmpd-0.20.0/debian/changelog --- libmpd-0.20.0/debian/changelog +++ libmpd-0.20.0/debian/changelog 
@@ -1,3 +1,19 @@ +libmpd (0.20.0-2~deb9u1) stretch; urgency=medium + + * QA upload. + * Rebuild for stretch. + + -- Andreas Beckmann Mon, 27 Nov 2017 04:35:59 +0100 + +libmpd (0.20.0-2) unstable; urgency=medium + + * QA upload. + * Set maintainer to Debian QA Group. (see #876951) + * libmpd-dev: Add the missing dependency on libglib2.0-dev. +(Closes: #518429) + + -- Adrian Bunk Sun, 01 Oct 2017 20:27:24 +0300 + libmpd (0.20.0-1.3) unstable; urgency=high * NMU diff -u libmpd-0.20.0/debian/control libmpd-0.20.0/debian/control --- libmpd-0.20.0/debian/control +++ libmpd-0.20.0/debian/control @@ -1,7 +1,7 @@ Source: libmpd Section: libs Priority: optional -Maintainer: Arnaud Cornet +Maintainer: Debian QA Group Build-Depends: libglib2.0-dev, debhelper (>= 7.0.50~), quilt, dh-autoreconf Standards-Version: 3.8.4 Homepage: http://gmpc.wikia.com/ @@ -29,7 +29,7 @@ Package: libmpd-dev Architecture: any Section: libdevel -Depends: libmpd1 (= ${binary:Version}), pkg-config, ${misc:Depends} +Depends: libmpd1 (= ${binary:Version}), pkg-config, ${misc:Depends}, libglib2.0-dev Description: High-level client library for accessing Music Player Daemon LibMpd is a library that provides high-level, callback-based access to Music Player Daemon (mpd). --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
Bug#882802: marked as done (jessie-pu: package ruby-ox/2.1.1-2+b2)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #882802, regarding jessie-pu: package ruby-ox/2.1.1-2+b2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882802: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882802 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, this update fixes bug #881445 [CVE-2017-15928] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445 by cherrypicking a patch from upstream, to crash of the ruby interpreter on a parse error. Debdiff attached. As mentioned in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882724#10 since the debdiffs are identical for jessie and stretch, except for version numbers and suite, the upload to jessie will follow shortly this report. 
Cheers, Cédric -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr:en_US (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru ruby-ox-2.1.1/debian/changelog ruby-ox-2.1.1/debian/changelog --- ruby-ox-2.1.1/debian/changelog 2014-04-04 12:58:15.0 +0200 +++ ruby-ox-2.1.1/debian/changelog 2017-11-26 01:08:40.0 +0100 @@ -1,3 +1,12 @@ +ruby-ox (2.1.1-2+deb8u1) jessie; urgency=medium + + * Team upload + * Add fix_parse_obj_segfault.patch picked from upstream ++ fix CVE-2017-15928: segmentation fault in parse_obj +(Closes: #881445) + + -- Cédric Boutillier Sun, 26 Nov 2017 01:08:40 +0100 + ruby-ox (2.1.1-2) unstable; urgency=medium * Team upload. diff -Nru ruby-ox-2.1.1/debian/gbp.conf ruby-ox-2.1.1/debian/gbp.conf --- ruby-ox-2.1.1/debian/gbp.conf 1970-01-01 01:00:00.0 +0100 +++ ruby-ox-2.1.1/debian/gbp.conf 2017-11-26 01:08:40.0 +0100 @@ -0,0 +1,3 @@ +[DEFAULT] +debian-branch=jessie/master +upstream-branch=jessie/upstream diff -Nru ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch --- ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch 1970-01-01 01:00:00.0 +0100 +++ ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch 2017-11-26 01:08:40.0 +0100 
@@ -0,0 +1,51 @@ +Description: Avoid crash with invalid XML passed to Oj.parse_obj() + this fixes CVE-2017-15928 +Author: Peter Ohler +Origin: https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8.patch +Bug: https://github.com/ohler55/ox/issues/194 +Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445 +Last-Update: 2017-11-25 + +--- a/ext/ox/obj_load.c b/ext/ox/obj_load.c +@@ -791,8 +791,10 @@ + Helper gh; + + helper_stack_pop(&pi->helpers); +- gh = helper_stack_peek(&pi->helpers); +- ++ if (NULL == (gh = helper_stack_peek(&pi->helpers))) { ++ set_error(&pi->err, "Corrupt parse stack, container is wrong type", pi->str, pi->s); ++ return; ++ } + rb_hash_aset(gh->obj, ph->obj, h->obj); + } + break; +--- a/ext/ox/err.c b/ext/ox/err.c +@@ -42,7 +42,11 @@ + va_end(ap); + } + ++#if __GNUC__ > 4 ++_Noreturn void ++#else + void ++#endif + ox_err_raise(Err e) { + rb_raise(e->clas, "%s", e->msg); + } +--- a/ext/ox/ox.c b/ext/ox/ox.c +@@ -990,7 +990,11 @@ + #endif + } + ++#if __GNUC__ > 4 ++_Noreturn void ++#else + void ++#endif + _ox_raise_error(const char *msg, const char *xml, const char *current, const char* file, int line) { + int xline = 1; + int col = 1; diff -Nru ruby-ox-2.1.1/debian/patches/series ruby-ox-2.1.1/debian/patches/series --- ruby-ox-2.1.1/debian/patches/series 2014-03-22 13:16:52.0 +0100 +++ ruby-ox-2.1.1/debian/patches/series 2017-11-26 01:08:40.0 +0100 @@ -1 +1,2 @@ +fix_parse_obj_segfault.patch 000-fix-so-load-path.patch --- End Message --- --- Begin Message --- Version: 8.10 Hi, Each of the updates referenced in these bugs was included in this morning's jess
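Review bot: the message passed to set_error in ext/ox/obj_load.c (@@ -791), "Corrupt parse stack, container is wrong type", does not describe the condition being tested, which is helper_stack_peek returning NULL after the pop, meaning there is no enclosing container at all. A message that says the container is missing would make the resulting parse error easier to act on. The patch also adds no regression test; an input that reaches this branch and is expected to raise a parse error would keep the NULL check from being lost in a later refresh. Minor: the Description header names Oj.parse_obj() while the package and file paths are ox.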
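Review bot: the "#if __GNUC__ > 4" guard around "_Noreturn void" in ext/ox/err.c (@@ -42) and ext/ox/ox.c (@@ -990) tests the compiler's major version where it means to test a language feature. _Noreturn is a C11 keyword, so a check on __STDC_VERSION__ >= 201112L, or __attribute__((noreturn)) for GNU-compatible compilers, states the real requirement; as written, clang, which by default reports __GNUC__ as 4, never gets the annotation. These two hunks are also not explained by the patch description, which mentions only the crash fix, so for a stable update they should either be justified there or left out.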
Bug#882863: marked as done (stretch-pu: package grok/1.20110708.1-4.3~deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882863, regarding stretch-pu: package grok/1.20110708.1-4.3~deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882863: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882863 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Let's fix the missing dependencies. #875422, #779034 And while we are at it, the pointer aliasing bugfix sounded reasonable as well. #841668 So this is a rebuild of the sid package with 2 patches removed. (The gperf patches are not relevant (and not backwards compatible) for stretch.) Andreas diff -Nru grok-1.20110708.1/debian/changelog grok-1.20110708.1/debian/changelog --- grok-1.20110708.1/debian/changelog 2015-01-16 23:03:19.0 +0100 +++ grok-1.20110708.1/debian/changelog 2017-11-27 17:12:13.0 +0100 
@@ -1,3 +1,29 @@ +grok (1.20110708.1-4.3~deb9u1) stretch; urgency=medium + + * Non-maintainer upload. + * Rebuild for stretch. + * Drop the gperf 3.1 patches + + -- Andreas Beckmann Mon, 27 Nov 2017 17:12:13 +0100 + +grok (1.20110708.1-4.3) unstable; urgency=medium + + * Non-maintainer upload. + * libgrok-dev: Add the missing dependencies on: +- libgrok1 (Closes: #875422) +- libtokyocabinet-dev (Closes: #779034) + + -- Adrian Bunk Sat, 14 Oct 2017 17:15:19 +0300 + +grok (1.20110708.1-4.2) unstable; urgency=medium + + * Non-maintainer upload. + * Apply Steve Langasek's fix for wrong pointer alias bug +(Closes: #841668) + * Apply patches to allow build grok with gperf >= 3.1 + + -- SZALAY Attila Wed, 09 Aug 2017 16:36:26 -0400 + grok (1.20110708.1-4.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru grok-1.20110708.1/debian/control grok-1.20110708.1/debian/control --- grok-1.20110708.1/debian/control2012-10-14 11:08:33.0 +0200 +++ grok-1.20110708.1/debian/control2017-10-14 16:15:19.0 +0200 @@ -52,6 +52,8 @@ Section: libdevel Architecture: any Depends: + libgrok1 (= ${binary:Version}), + libtokyocabinet-dev, ${misc:Depends}, ${shlibs:Depends}, Provides: libgrok-dev diff -Nru grok-1.20110708.1/debian/patches/fix-wrong-pointer-alias grok-1.20110708.1/debian/patches/fix-wrong-pointer-alias --- grok-1.20110708.1/debian/patches/fix-wrong-pointer-alias1970-01-01 01:00:00.0 +0100 +++ grok-1.20110708.1/debian/patches/fix-wrong-pointer-alias2017-08-09 21:27:57.0 +0200 
@@ -0,0 +1,55 @@ +From: Steve Langasek +Date: Fri, 21 Oct 2016 00:00:00 + +X-Dgit-Generated: 1.20110708.1-4.1 7fc1ec5f57e2299be6b1248db82da42f569c6ab0 +Subject: fix wrong pointer alias + + +--- + +--- grok-1.20110708.1.orig/grok_pattern.c grok-1.20110708.1/grok_pattern.c +@@ -33,9 +33,9 @@ int grok_pattern_add(const grok_t *grok, + } + + int grok_pattern_find(const grok_t *grok, const char *name, size_t name_len, +- const char **regexp, size_t *regexp_len) { ++ const char **regexp, int *regexp_len) { + TCTREE *patterns = grok->patterns; +- *regexp = tctreeget(patterns, name, name_len, (int*) regexp_len); ++ *regexp = tctreeget(patterns, name, name_len, regexp_len); + + grok_log(grok, LOG_PATTERNS, "Searching for pattern '%s' (%s): %.*s", +name, *regexp == NULL ? "not found" : "found", *regexp_len, *regexp); +--- grok-1.20110708.1.orig/grok_pattern.h grok-1.20110708.1/grok_pattern.h +@@ -9,7 +9,7 @@ TCLIST *grok_pattern_name_list(const gro + int grok_pattern_add(const grok_t *grok, const char *name, size_t name_len, + const char *regexp, size_t regexp_len); + int grok_pattern_find(const grok_t *grok, const char *name, size_t name_len, +- const char **regexp, size_t *regexp_len); ++ const char **regexp, int *regexp_len); + int grok_patterns_import_from_file(const grok_t *grok, const char *filename); + int grok_patterns_import_from_string(const grok_t *grok, const char *buffer); + +--- grok-1.20110708.1.orig/grokre.c grok-1.20110708.1/grokre.c +@@ -183,7 +183,7 @@ static char *grok_pattern_expand(grok_t + int start, end, matchlen; + const char *pattern_regex; + int patname_len; +-size_t regexp_len; ++int regexp_len; + int pattern_regex_needs_free = 0; + + grok_log(grok, LOG_REGEXPAND, "
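Review bot: the grok_pattern.h hunk (@@ -9,7) changes the prototype of grok_pattern_find from "size_t *regexp_len" to "int *regexp_len", which alters the signature for every caller, not only the one in grokre.c that this patch updates. If this header is shipped in libgrok-dev, out-of-tree code that still passes a size_t * gets an incompatible-pointer diagnostic at best, and where int and size_t differ in width it ends up with a partially written length, which is the same defect the removed "(int*) regexp_len" cast had. An alternative that keeps the interface stable for a point release: leave the parameter as size_t *, pass a local int to tctreeget, and assign it to *regexp_len afterwards. If the signature change is kept, the changelog entry should state that the prototype changed.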
Bug#882861: marked as done (stretch-pu: package python-diff-match-patch/20121119-3~deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882861, regarding stretch-pu: package python-diff-match-patch/20121119-3~deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882861: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882861 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Let's fix the python3 dependencies. #867424 The Standards-Version bump affects only metadata. $ debdiff python3-diff-match-patch_20121119-2_all.deb python3-diff-match-patch_20121119-3~deb9u1_all.deb File lists identical (after any substitutions) Control files: lines which differ (wdiff format) {+Depends: python3:any (>= 3.3.2-2~)+} Version: [-20121119-2-] {+20121119-3~deb9u1+} Andreas diff -Nru python-diff-match-patch-20121119/debian/changelog python-diff-match-patch-20121119/debian/changelog --- python-diff-match-patch-20121119/debian/changelog 2016-12-26 02:07:45.0 +0100 +++ python-diff-match-patch-20121119/debian/changelog 2017-11-27 16:42:28.0 +0100 
@@ -1,3 +1,18 @@ +python-diff-match-patch (20121119-3~deb9u1) stretch; urgency=medium + + * Non-maintainer upload. + * Rebuild for stretch. + + -- Andreas Beckmann Mon, 27 Nov 2017 16:42:28 +0100 + +python-diff-match-patch (20121119-3) unstable; urgency=medium + + * Add missing python3 dependency on Python 3 package, with thanks to +Adrian Bunk for the report (Closes: #867424). + * Update Standards-Version to 4.0.0 (no changes required) + + -- Stuart Prescott Sun, 30 Jul 2017 10:20:31 +1000 + python-diff-match-patch (20121119-2) unstable; urgency=medium * Add dh-python to build-dependencies. diff -Nru python-diff-match-patch-20121119/debian/control python-diff-match-patch-20121119/debian/control --- python-diff-match-patch-20121119/debian/control 2016-12-26 02:07:45.0 +0100 +++ python-diff-match-patch-20121119/debian/control 2017-07-30 02:20:31.0 +0200 @@ -9,7 +9,7 @@ python-setuptools, python3-all, python3-setuptools -Standards-Version: 3.9.8 +Standards-Version: 4.0.0 Homepage: https://pypi.python.org/pypi/diff-match-patch Vcs-Git: https://anonscm.debian.org/git/collab-maint/python-diff-match-patch.git Vcs-Browser: https://anonscm.debian.org/git/collab-maint/python-diff-match-patch.git @@ -36,7 +36,7 @@ Architecture: all Depends: ${misc:Depends}, - ${python:Depends} + ${python3:Depends} Description: robust algorithms for synchronizing plain text (Python 3 module) The Diff Match and Patch libraries offer robust algorithms to perform the operations required for synchronizing plain text. --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
Bug#882832: marked as done (stretch-pu: package jdcal/1.0-1.2~deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882832, regarding stretch-pu: package jdcal/1.0-1.2~deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882832: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882832 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Let's fix the missing python/python3 dependencies. #867406 $ debdiff python-jdcal_1.0-1_all.deb python-jdcal_1.0-1.2~deb9u1_all.deb File lists identical (after any substitutions) Control files: lines which differ (wdiff format) {+Depends: python:any (<< 2.8), python:any (>= 2.7.5-5~)+} Installed-Size: [-26-] {+39+} Version: [-1.0-1-] {+1.0-1.2~deb9u1+} $ debdiff python3-jdcal_1.0-1_all.deb python3-jdcal_1.0-1.2~deb9u1_all.deb File lists identical (after any substitutions) Control files: lines which differ (wdiff format) {+Depends: python3:any (>= 3.3.2-2~)+} Installed-Size: [-23-] {+35+} Version: [-1.0-1-] {+1.0-1.2~deb9u1+} Andreas diff -Nru jdcal-1.0/debian/changelog jdcal-1.0/debian/changelog --- jdcal-1.0/debian/changelog 2014-12-10 06:49:59.0 +0100 +++ jdcal-1.0/debian/changelog 2017-11-27 04:50:33.0 +0100 
@@ -1,3 +1,26 @@ +jdcal (1.0-1.2~deb9u1) stretch; urgency=medium + + * Non-maintainer upload. + * Rebuild for stretch. + + -- Andreas Beckmann Mon, 27 Nov 2017 04:50:33 +0100 + +jdcal (1.0-1.2) unstable; urgency=medium + + * Non-maintainer upload. + * Fix a mistake in ${python:Depends} for Python3 (needs to be +${python3:Depends}). Thanks again to Adrian Bunk. (Closes: #867406) + + -- Joao Eriberto Mota Filho Sun, 24 Sep 2017 22:15:10 -0300 + +jdcal (1.0-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Added ${python:Depends} variable to Depends field in all packages. +Thanks to Adrian Bunk . (Closes: #867406) + + -- Joao Eriberto Mota Filho Sun, 24 Sep 2017 12:29:22 -0300 + jdcal (1.0-1) unstable; urgency=low * Initial release (Closes: #772689) diff -Nru jdcal-1.0/debian/control jdcal-1.0/debian/control --- jdcal-1.0/debian/control2014-12-10 06:49:59.0 +0100 +++ jdcal-1.0/debian/control2017-09-25 03:15:10.0 +0200 @@ -10,7 +10,7 @@ Package: python-jdcal Architecture: all -Depends: ${misc:Depends} +Depends: ${misc:Depends}, ${python:Depends} Description: Julian dates from proleptic Gregorian and Julian calendars This module contains functions for converting between Julian dates and calendar dates. @@ -22,7 +22,7 @@ Package: python3-jdcal Architecture: all -Depends: ${misc:Depends} +Depends: ${misc:Depends}, ${python3:Depends} Description: Julian dates from proleptic Gregorian and Julian calendars This module contains functions for converting between Julian dates and calendar dates. --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
Bug#882829: marked as done (stretch-pu: package slic3r/1.2.9+dfsg-6.1~deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882829, regarding stretch-pu: package slic3r/1.2.9+dfsg-6.1~deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882829: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882829 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Let's fix the missing perlapi dependency. #869360 $ debdiff slic3r_1.2.9+dfsg-6_amd64.deb slic3r_1.2.9+dfsg-6.1~deb9u1_amd64.deb File lists identical (after any substitutions) Control files: lines which differ (wdiff format) Depends: libboost-geometry-utils-perl, libencode-locale-perl, libio-stringy-perl, libmath-convexhull-monotonechain-perl, libmath-geometry-voronoi-perl, libmath-planepath-perl, libmoo-perl, libstorable-perl, libtime-hires-perl, [-perl:any,-] {+perl (>= 5.24.1-3+deb9u2), perlapi-5.24.1,+} libc6 (>= 2.14), libgcc1 (>= 1:3.0), libstdc++6 (>= 5.2) Installed-Size: [-4692-] {+4697+} Version: [-1.2.9+dfsg-6-] {+1.2.9+dfsg-6.1~deb9u1+} Andreas diff -Nru slic3r-1.2.9+dfsg/debian/changelog slic3r-1.2.9+dfsg/debian/changelog --- slic3r-1.2.9+dfsg/debian/changelog 2016-11-03 03:23:40.0 +0100 +++ slic3r-1.2.9+dfsg/debian/changelog 2017-11-27 04:09:35.0 +0100 
@@ -1,3 +1,20 @@ +slic3r (1.2.9+dfsg-6.1~deb9u1) stretch; urgency=medium + + * Non-maintainer upload. + * Rebuild for stretch. + + -- Andreas Beckmann Mon, 27 Nov 2017 04:09:35 +0100 + +slic3r (1.2.9+dfsg-6.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix "missing dependency on perlapi-*": +add override_dh_perl in debian/rules to make dh_perl search for perl +modules in the private directory as well. +(Closes: #869360) + + -- gregor herrmann Sun, 06 Aug 2017 13:27:56 -0400 + slic3r (1.2.9+dfsg-6) unstable; urgency=medium * [9db9b59] Shift perl modules into private directories. diff -Nru slic3r-1.2.9+dfsg/debian/rules slic3r-1.2.9+dfsg/debian/rules --- slic3r-1.2.9+dfsg/debian/rules 2016-11-03 03:23:40.0 +0100 +++ slic3r-1.2.9+dfsg/debian/rules 2017-07-22 19:27:47.0 +0200 @@ -55,3 +55,7 @@ # Install example post-processing scripts mkdir -p $(CURDIR)/debian/slic3r/usr/share/doc/slic3r/examples cp -r utils/post-processing $(CURDIR)/debian/slic3r/usr/share/doc/slic3r/examples + +override_dh_perl: + # make dh_perl search for perl modules in the private directory as well + dh_perl /usr/lib/slic3r --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
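Review bot: in the debian/rules hunk, override_dh_perl passes the literal path /usr/lib/slic3r to dh_perl, so the perlapi-* dependency will silently go missing again if the private module directory is ever moved. The comment explains why the argument is there but not where the path comes from. I would note next to it that it must match the directory introduced by "Shift perl modules into private directories" in 1.2.9+dfsg-6, or define the directory once in a make variable if debian/rules uses it elsewhere. The debdiff output also shows the rebuilt Depends becoming perl (>= 5.24.1-3+deb9u2), so it is worth confirming that this perl version is the one shipped alongside the update.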
Bug#882621: marked as done (stretch-pu: package python2.7/2.7.13-2+deb9u2)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882621, regarding stretch-pu: package python2.7/2.7.13-2+deb9u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882621: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882621 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, I'd like to add a fix for a minor security issue in Python 2.7 to the as a followup update to what's already in spu. debdiff is below. This is fixed in unstable in 2.7.13-4. Cheers, Moritz diff -u python2.7-2.7.13/debian/changelog python2.7-2.7.13/debian/changelog --- python2.7-2.7.13/debian/changelog +++ python2.7-2.7.13/debian/changelog @@ -1,3 +1,10 @@ +python2.7 (2.7.13-2+deb9u2) stretch; urgency=medium + + * Backport c3c9db89273fabc62ea1b48389d9a3000c1c03ae to address +CVE-2017-1000158 / https://bugs.python.org/issue30657 + + -- Moritz Mühlenhoff Fri, 24 Nov 2017 18:33:09 +0100 + python2.7 (2.7.13-2+deb9u1) stretch; urgency=medium * Non-maintainer upload with maintainer's permission diff -u python2.7-2.7.13/debian/patches/series.in python2.7-2.7.13/debian/patches/series.in --- python2.7-2.7.13/debian/patches/series.in +++ python2.7-2.7.13/debian/patches/series.in 
@@ -72,0 +73 @@ +CVE-2017-1000158.diff only in patch2: unchanged: --- python2.7-2.7.13.orig/debian/patches/CVE-2017-1000158.diff +++ python2.7-2.7.13/debian/patches/CVE-2017-1000158.diff @@ -0,0 +1,29 @@ +From c3c9db89273fabc62ea1b48389d9a3000c1c03ae Mon Sep 17 00:00:00 2001 +From: Jay Bosamiya +Date: Sun, 18 Jun 2017 22:11:03 +0530 +Subject: [PATCH] [2.7] bpo-30657: Check & prevent integer overflow in + PyString_DecodeEscape (#2174) + +--- + Objects/stringobject.c | 8 +++- + 3 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/Objects/stringobject.c b/Objects/stringobject.c +index c78e19316a0..59d22e76946 100644 +--- a/Objects/stringobject.c b/Objects/stringobject.c +@@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s, + char *p, *buf; + const char *end; + PyObject *v; +-Py_ssize_t newlen = recode_encoding ? 4*len:len; ++Py_ssize_t newlen; ++/* Check for integer overflow */ ++if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) { ++PyErr_SetString(PyExc_OverflowError, "string is too large"); ++return NULL; ++} ++newlen = recode_encoding ? 4*len:len; + v = PyString_FromStringAndSize((char *)NULL, newlen); + if (v == NULL) + return NULL; --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
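Review bot: the embedded CVE-2017-1000158.diff still carries the upstream summary "3 files changed, 11 insertions(+), 1 deletion(-)", but only the Objects/stringobject.c hunk is present, so two files from the upstream commit were dropped without a note. Please add a line to the patch header saying which parts of c3c9db89273fabc62ea1b48389d9a3000c1c03ae were left out and why, so the next person comparing against upstream does not read it as an incomplete backport. The check itself, len > PY_SSIZE_T_MAX / 4 guarded by recode_encoding, covers the only path on which 4*len is computed and runs before PyString_FromStringAndSize, which is the right order; no regression test is included in the visible hunk.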
Bug#882856: marked as done (stretch-pu: package lasi/1.1.0-2~deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882856, regarding stretch-pu: package lasi/1.1.0-2~deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882856: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882856 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Let's fix the missing -dev package dependencies. #845497 $ debdiff liblasi-dev_1.1.0-1.2_amd64.deb liblasi-dev_1.1.0-2~deb9u1_amd64.deb File lists identical (after any substitutions) Control files: lines which differ (wdiff format) Depends: liblasi0 (= [-1.1.0-1.2)-] {+1.1.0-2~deb9u1), libpango1.0-dev, libfreetype6-dev+} Maintainer: [-Andrew Ross -] {+Debian QA Group +} Version: [-1.1.0-1.2-] {+1.1.0-2~deb9u1+} Andreas diff -Nru lasi-1.1.0/debian/changelog lasi-1.1.0/debian/changelog --- lasi-1.1.0/debian/changelog 2016-07-17 07:17:35.0 +0200 +++ lasi-1.1.0/debian/changelog 2017-11-27 07:21:40.0 +0100 
@@ -1,3 +1,20 @@ +lasi (1.1.0-2~deb9u1) stretch; urgency=medium + + * QA upload. + * Rebuild for stretch. + + -- Andreas Beckmann Mon, 27 Nov 2017 07:21:40 +0100 + +lasi (1.1.0-2) unstable; urgency=medium + + * QA upload. + * Set maintainer to Debian QA Group. (see #867050) + * Add the missing libpango1.0-dev and libfreetype6-dev +dependencies to liblasi-dev. (Closes: #845497) + * Add ${misc:Depends} to the package dependencies. + + -- Adrian Bunk Sat, 08 Jul 2017 14:19:16 +0300 + lasi (1.1.0-1.2) unstable; urgency=medium * Non-maintainer upload. diff -Nru lasi-1.1.0/debian/control lasi-1.1.0/debian/control --- lasi-1.1.0/debian/control 2016-07-17 07:16:44.0 +0200 +++ lasi-1.1.0/debian/control 2017-07-08 13:19:16.0 +0200 @@ -1,6 +1,6 @@ Source: lasi Priority: optional -Maintainer: Andrew Ross +Maintainer: Debian QA Group Build-Depends: debhelper (>= 5.0.0), cmake, libpango1.0-dev, cdbs (>=0.4.51), libfreetype6-dev (>= 2.2), doxygen Standards-Version: 3.7.3 @@ -12,7 +12,7 @@ Package: liblasi0 Section: libs Architecture: any -Depends: ${shlibs:Depends} +Depends: ${shlibs:Depends}, ${misc:Depends} Description: creation of PostScript documents containing Unicode symbols LASi is a library that provides a C++ stream output interface (with operator <<) for creating PostScript documents that can contain @@ -29,7 +29,7 @@ Package: liblasi-dev Section: libdevel Architecture: any -Depends: liblasi0 (= ${binary:Version}) +Depends: liblasi0 (= ${binary:Version}), ${misc:Depends}, libpango1.0-dev, libfreetype6-dev Description: development files and documentation for the LASi library LASi is a library that provides a C++ stream output interface (with operator <<) for creating PostScript documents that can contain --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
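Review bot: in the liblasi-dev stanza of debian/control, the new libpango1.0-dev and libfreetype6-dev dependencies are unversioned, while Build-Depends in the same file asks for libfreetype6-dev (>= 2.2). If the headers really need 2.2 or later, carry the same bound on the runtime dependency of the -dev package; if the bound is obsolete, say so in the changelog. The Maintainer change to Debian QA Group is also part of this stable update and shows up in the binary debdiff, so it deserves a mention in the request text, which currently describes only the missing -dev dependencies.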
Bug#882836: marked as done (stretch-pu: package doit/0.28.0-1+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882836, regarding stretch-pu: package doit/0.28.0-1+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882836: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882836 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu This update adds Breaks: nikola (<< 7.6.0-1~) to python-doit, fixing #870162 nikola is neither part of stretch nor any longer in sid, but the jessie version will survive an upgrade to stretch, where it will fail due to a too new version of doit. For details see #870162. Adding the Breaks will cause removal of the old nikola package. There is no package left for fixing this in sid: doit is now python3 only. Andreas diff -Nru doit-0.28.0/debian/changelog doit-0.28.0/debian/changelog --- doit-0.28.0/debian/changelog2015-06-20 21:27:14.0 +0200 +++ doit-0.28.0/debian/changelog2017-11-27 05:44:54.0 +0100 
@@ -1,3 +1,12 @@ +doit (0.28.0-1+deb9u1) stretch; urgency=medium + + * Non-maintainer upload. + * python-doit: Add Breaks: nikola (<< 7.6.0-1~). nikola is not in stretch +(or even in sid any longer) and the jessie version needs doit <= 0.27. +(Closes: #870162) + + -- Andreas Beckmann Mon, 27 Nov 2017 05:44:54 +0100 + doit (0.28.0-1) unstable; urgency=medium * Imported Upstream version 0.28.0 diff -Nru doit-0.28.0/debian/control doit-0.28.0/debian/control --- doit-0.28.0/debian/control 2015-06-20 21:27:01.0 +0200 +++ doit-0.28.0/debian/control 2017-11-27 05:44:54.0 +0100 @@ -34,6 +34,7 @@ Depends: ${python:Depends}, ${misc:Depends}, python-pyinotify, python-six Recommends: strace, python-gdbm Suggests: python-doit-doc +Breaks: nikola (<< 7.6.0-1~) Description: Automation tool to execute any kind of task in a build-tools fashion doit is an automation tool that brings the power of build-tools to execute any kind of task. --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
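Review bot: the bound in Breaks: nikola (<< 7.6.0-1~) is not justified anywhere in the visible changelog or control hunk; the entry only says the jessie nikola needs doit <= 0.27. Please state in the changelog which nikola version first works with doit 0.28, so the choice of 7.6.0-1~ can be checked against #870162. Note also that the Breaks is added only to python-doit; if a python3-doit binary built from this source can also be co-installed with the old nikola, say explicitly why it does not need the same field.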
Bug#882837: marked as done (stretch-pu: package python-inflect/0.2.5-1.1~deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882837, regarding stretch-pu: package python-inflect/0.2.5-1.1~deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882837: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882837 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Let's fix the python3 dependencies. #867438 $ debdiff python3-inflect_0.2.5-1_all.deb python3-inflect_0.2.5-1.1~deb9u1_all.deb File lists identical (after any substitutions) Control files: lines which differ (wdiff format) {+Depends: python3:any (>= 3.3.2-2~)+} Version: [-0.2.5-1-] {+0.2.5-1.1~deb9u1+} Andreas diff -Nru python-inflect-0.2.5/debian/changelog python-inflect-0.2.5/debian/changelog --- python-inflect-0.2.5/debian/changelog 2015-12-24 16:30:47.0 +0100 +++ python-inflect-0.2.5/debian/changelog 2017-11-27 06:40:13.0 +0100 
@@ -1,3 +1,18 @@ +python-inflect (0.2.5-1.1~deb9u1) stretch; urgency=medium + + * Non-maintainer upload. + * Rebuild for stretch. + + -- Andreas Beckmann Mon, 27 Nov 2017 06:40:13 +0100 + +python-inflect (0.2.5-1.1) unstable; urgency=medium + + * Non-maintainer Upload + * Apply patch from Adrian Bunk to correctly generate dependencies for +the python 3 package (Closes: #867438) + + -- Arto Jantunen Mon, 17 Jul 2017 08:47:48 +0300 + python-inflect (0.2.5-1) unstable; urgency=medium * Initial release. (Closes: #806450) diff -Nru python-inflect-0.2.5/debian/control python-inflect-0.2.5/debian/control --- python-inflect-0.2.5/debian/control 2015-12-24 16:26:41.0 +0100 +++ python-inflect-0.2.5/debian/control 2017-07-17 07:47:48.0 +0200 @@ -19,7 +19,7 @@ Package: python3-inflect Architecture: all -Depends: ${python:Depends}, ${misc:Depends} +Depends: ${python3:Depends}, ${misc:Depends} Description: Generate plurals, singular nouns, ordinals, indefinite articles (Python 3) The inflect Python module correctly generates plurals, singular nouns, ordinals and indefinite articles. It can also convert numbers to words. --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
Bug#882724: marked as done (stretch-pu: package ruby-ox/2.1.1-2+b6)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882724, regarding stretch-pu: package ruby-ox/2.1.1-2+b6 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882724: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882724 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, this update fixes bug #881445 [CVE-2017-15928] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445 by cherrypicking a patch from upstream, to crash of the ruby interpreter on a parse error. Debdiff attached. As jessie and stretch have the same version of this package, I am willing to upload the same fix to jessie (same diff except the version number with deb8 instead of deb9). Should I submit an independent bug report for the jessie proposed update ? Thanks in advance. 
Cédric -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr:en_US (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru ruby-ox-2.1.1/debian/changelog ruby-ox-2.1.1/debian/changelog --- ruby-ox-2.1.1/debian/changelog 2014-04-04 12:58:15.0 +0200 +++ ruby-ox-2.1.1/debian/changelog 2017-11-26 01:08:40.0 +0100 @@ -1,3 +1,12 @@ +ruby-ox (2.1.1-2+deb9u1) stretch; urgency=medium + + * Team upload + * Add fix_parse_obj_segfault.patch picked from upstream ++ fix CVE-2017-15928: segmentation fault in parse_obj +(Closes: #881445) + + -- Cédric Boutillier Sun, 26 Nov 2017 01:08:40 +0100 + ruby-ox (2.1.1-2) unstable; urgency=medium * Team upload. diff -Nru ruby-ox-2.1.1/debian/gbp.conf ruby-ox-2.1.1/debian/gbp.conf --- ruby-ox-2.1.1/debian/gbp.conf 1970-01-01 01:00:00.0 +0100 +++ ruby-ox-2.1.1/debian/gbp.conf 2017-11-26 00:52:18.0 +0100 @@ -0,0 +1,3 @@ +[DEFAULT] +debian-branch=stretch/master +upstream-branch=stretch/upstream diff -Nru ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch --- ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch 1970-01-01 01:00:00.0 +0100 +++ ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch 2017-11-26 01:08:40.0 +0100 
@@ -0,0 +1,51 @@ +Description: Avoid crash with invalid XML passed to Oj.parse_obj() + this fixes CVE-2017-15928 +Author: Peter Ohler +Origin: https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8.patch +Bug: https://github.com/ohler55/ox/issues/194 +Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445 +Last-Update: 2017-11-25 + +--- a/ext/ox/obj_load.c b/ext/ox/obj_load.c +@@ -791,8 +791,10 @@ + Helper gh; + + helper_stack_pop(&pi->helpers); +- gh = helper_stack_peek(&pi->helpers); +- ++ if (NULL == (gh = helper_stack_peek(&pi->helpers))) { ++ set_error(&pi->err, "Corrupt parse stack, container is wrong type", pi->str, pi->s); ++ return; ++ } + rb_hash_aset(gh->obj, ph->obj, h->obj); + } + break; +--- a/ext/ox/err.c b/ext/ox/err.c +@@ -42,7 +42,11 @@ + va_end(ap); + } + ++#if __GNUC__ > 4 ++_Noreturn void ++#else + void ++#endif + ox_err_raise(Err e) { + rb_raise(e->clas, "%s", e->msg); + } +--- a/ext/ox/ox.c b/ext/ox/ox.c +@@ -990,7 +990,11 @@ + #endif + } + ++#if __GNUC__ > 4 ++_Noreturn void ++#else + void ++#endif + _ox_raise_error(const char *msg, const char *xml, const char *current, const char* file, int line) { + int xline = 1; + int col = 1; diff -Nru ruby-ox-2.1.1/debian/patches/series ruby-ox-2.1.1/debian/patches/series --- ruby-ox-2.1.1/debian/patches/series 2014-03-22 13:16:52.0 +0100 +++ ruby-ox-2.1.1/debian/patches/series 2017-11-26 01:08:40.0 +0100 @@ -1 +1,2 @@ +fix_parse_obj_segfault.patch 000-fix-so-load-path.patch --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bu
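Review bot: the err.c and ox.c hunks add _Noreturn under #if __GNUC__ > 4, which is unrelated to the NULL check on helper_stack_peek() in obj_load.c that actually prevents the crash. For a stable update I would either drop those two hunks or state in the patch header that they are needed for the cherry-pick to build. The Description line also names Oj.parse_obj(), which looks like a typo for Ox.parse_obj() given the package. In debian/patches/series the new patch is inserted ahead of 000-fix-so-load-path.patch; that is fine if it applies cleanly in that order, but appending it would keep the existing patch offsets untouched.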
Bug#882649: marked as done (stretch-pu: package ruby-httparty/0.13.7-1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882649, regarding stretch-pu: package ruby-httparty/0.13.7-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882649: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882649 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, The current package in stretch provides a Ruby library that cannot be loaded properly with Ruby 'gem' tool, because of a too strict versioned dependency on the json Ruby library https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864723 This update adds a patch to relax this dependency in the Gemfile, which fixes the problem. Cédric -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr:en_US (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru ruby-httparty-0.13.7/debian/changelog ruby-httparty-0.13.7/debian/changelog --- ruby-httparty-0.13.7/debian/changelog 2016-06-07 10:57:47.0 +0200 +++ ruby-httparty-0.13.7/debian/changelog 2017-11-25 00:30:18.0 +0100 
@@ -1,3 +1,10 @@ +ruby-httparty (0.13.7-1+deb9u1) stretch; urgency=medium + + * Relax dependency version in gem dependency on json. +This fixes loading httparty with the gem command (Closes: #864723) + + -- Cédric Boutillier Sat, 25 Nov 2017 00:30:18 +0100 + ruby-httparty (0.13.7-1) unstable; urgency=medium * Imported Upstream version 0.13.7 diff -Nru ruby-httparty-0.13.7/debian/gbp.conf ruby-httparty-0.13.7/debian/gbp.conf --- ruby-httparty-0.13.7/debian/gbp.conf1970-01-01 01:00:00.0 +0100 +++ ruby-httparty-0.13.7/debian/gbp.conf2017-11-25 00:15:47.0 +0100 @@ -0,0 +1,3 @@ +[buildpackage] +debian-branch=stretch/master +upstream-branch=stretch/upstream diff -Nru ruby-httparty-0.13.7/debian/patches/relax_version_json.patch ruby-httparty-0.13.7/debian/patches/relax_version_json.patch --- ruby-httparty-0.13.7/debian/patches/relax_version_json.patch 1970-01-01 01:00:00.0 +0100 +++ ruby-httparty-0.13.7/debian/patches/relax_version_json.patch 2017-11-25 00:28:56.0 +0100 @@ -0,0 +1,17 @@ +Author: Cédric Boutillier +Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864723 +Origin: https://github.com/jnunemaker/httparty/commit/1cbb101feaffcc1f11c77a71009558c6086ebb4b +Forwarded: no +Last-Update: 2017-11-25 + +--- a/httparty.gemspec b/httparty.gemspec +@@ -15,7 +15,7 @@ + + s.required_ruby_version = '>= 1.9.3' + +- s.add_dependency 'json', "~> 1.8" ++ s.add_dependency 'json', ">= 1.8" + s.add_dependency 'multi_xml', ">= 0.5.2" + + # If this line is removed, all hard partying will cease. diff -Nru ruby-httparty-0.13.7/debian/patches/series ruby-httparty-0.13.7/debian/patches/series --- ruby-httparty-0.13.7/debian/patches/series 2016-06-07 10:57:47.0 +0200 +++ ruby-httparty-0.13.7/debian/patches/series 2017-11-25 00:26:34.0 +0100 
@@ -1 +1,2 @@ skip_failing_test.patch +relax_version_json.patch --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
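Review bot: in relax_version_json.patch the header says Forwarded: no while Origin points at an upstream httparty commit, and the two fields contradict each other. If the change is taken from upstream, use Forwarded: not-needed (or drop the field) and mark the Origin as upstream. On the change itself, replacing "~> 1.8" with ">= 1.8" removes the upper bound entirely, so any future json major version satisfies the gemspec; that matches the stated goal of loading with the json shipped in stretch, but the changelog should say the constraint is now open-ended rather than just "relaxed".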
Bug#882714: marked as done (stretch-pu: package ruby-pygments.rb/0.6.3-2)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882714, regarding stretch-pu: package ruby-pygments.rb/0.6.3-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882714: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882714 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, the proposed update fixes a reasonable limit to RLIMIT_NOFILE, avoiding closing too many files at a time. This fixes #876768 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876768 and fixes weechat. Best regards, Cédric -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr:en_US (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru ruby-pygments.rb-0.6.3/debian/changelog ruby-pygments.rb-0.6.3/debian/changelog --- ruby-pygments.rb-0.6.3/debian/changelog 2016-07-08 14:43:00.0 +0200 +++ ruby-pygments.rb-0.6.3/debian/changelog 2017-11-25 21:48:18.0 +0100 
@@ -1,3 +1,11 @@ +ruby-pygments.rb (0.6.3-2+deb9u1) stretch; urgency=medium + + * Add Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch +to avoid closing too many files when mentos starts +(Closes: #876768) + + -- Cédric Boutillier Sat, 25 Nov 2017 21:48:18 +0100 + ruby-pygments.rb (0.6.3-2) unstable; urgency=medium * Team upload diff -Nru ruby-pygments.rb-0.6.3/debian/gbp.conf ruby-pygments.rb-0.6.3/debian/gbp.conf --- ruby-pygments.rb-0.6.3/debian/gbp.conf 1970-01-01 01:00:00.0 +0100 +++ ruby-pygments.rb-0.6.3/debian/gbp.conf 2017-11-25 21:41:16.0 +0100 @@ -0,0 +1,3 @@ +[DEFAULT] +debian-branch = stretch/master +upstream-branch = stretch/upstream diff -Nru ruby-pygments.rb-0.6.3/debian/patches/0011-Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch ruby-pygments.rb-0.6.3/debian/patches/0011-Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch --- ruby-pygments.rb-0.6.3/debian/patches/0011-Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch 1970-01-01 01:00:00.0 +0100 +++ ruby-pygments.rb-0.6.3/debian/patches/0011-Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch 2017-11-25 21:45:19.0 +0100 
@@ -0,0 +1,29 @@ +commit d69d8e9ea11f9cd6652ef4cb066356792182af7e +Author: Cédric Boutillier +Date: Fri Sep 29 22:49:47 2017 +0200 + +Set reasonable upper limit to RLIMIT_NOFILE + +When RLIMIT_NOFILE is too high, the number of files to close +can be too important and the process of closing could take more time +than the timeout set (default to 8s). + +This causes asciidoctor to crash on some architectures + +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876768 + +Gbp-Pq: Name 0008-Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch + +diff --git a/lib/pygments/mentos.py b/lib/pygments/mentos.py +index 9c7c650..cf70b7b 100755 +--- a/lib/pygments/mentos.py b/lib/pygments/mentos.py +@@ -334,7 +334,7 @@ def main(): + # close fd's inherited from the ruby parent + import resource + maxfd = resource.getrlimit(resource.RLIMIT_NOFILE)[1] +-if maxfd == resource.RLIM_INFINITY: ++if maxfd >= 65536: + maxfd = 65536 + + for fd in range(3, maxfd): diff -Nru ruby-pygments.rb-0.6.3/debian/patches/series ruby-pygments.rb-0.6.3/debian/patches/series --- ruby-pygments.rb-0.6.3/debian/patches/series2016-07-08 14:43:00.0 +0200 +++ ruby-pygments.rb-0.6.3/debian/patches/series2017-11-25 21:46:08.0 +0100 @@ -8,3 +8,4 @@ 0008-fix_test_pygments.patch 0009-adapt-to-new-pygments.patch 0010-no-relative-path-for-require-in-tests.patch +0011-Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
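Review bot: in the mentos.py hunk, replacing "if maxfd == resource.RLIM_INFINITY:" with "if maxfd >= 65536:" drops the explicit handling of an unlimited hard limit. Where RLIM_INFINITY is represented as a negative number (it is -1 in CPython on Linux), maxfd stays negative, range(3, maxfd) is empty, and none of the descriptors inherited from the Ruby parent are closed. Keeping both conditions, for example "if maxfd == resource.RLIM_INFINITY or maxfd > 65536:", preserves the old behaviour and still caps large finite limits. Separately, the Gbp-Pq: Name line says 0008-Set-reasonable-upper-limit-to-RLIMIT_NOFILE.patch while the file and the series entry are 0011-..., which will confuse a later gbp pq import/export round trip.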
Bug#882493: marked as done (stretch-pu: package liblog-log4perl-perl/1.48-1+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882493, regarding stretch-pu: package liblog-log4perl-perl/1.48-1+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882493: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882493 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi SRM, The Debian Perl Group was asked, if #855894 could be fixed as well for stretch, since when "syswrite" and "utf8" are used together with Perl 5.24 warnings are issued. The proposed debdiff is attached. Thanks for considering, let me know if it looks okay for you to include this in the upcoming point release for stretch. Regards, Salvatore diff -Nru liblog-log4perl-perl-1.48/debian/changelog liblog-log4perl-perl-1.48/debian/changelog --- liblog-log4perl-perl-1.48/debian/changelog 2016-12-27 01:20:02.0 +0100 +++ liblog-log4perl-perl-1.48/debian/changelog 2017-11-23 14:36:00.0 +0100 
@@ -1,3 +1,11 @@ +liblog-log4perl-perl (1.48-1+deb9u1) stretch; urgency=medium + + * Team upload. + * Workaround for Perl 5.24 no longer allowing syswrite and utf8 together +(Closes: #855894) + + -- Salvatore Bonaccorso Thu, 23 Nov 2017 14:36:00 +0100 + liblog-log4perl-perl (1.48-1) unstable; urgency=medium * Team upload. diff -Nru liblog-log4perl-perl-1.48/debian/patches/0005-Workaround-for-perl-5.24-no-longer-allowing-syswrite.patch liblog-log4perl-perl-1.48/debian/patches/0005-Workaround-for-perl-5.24-no-longer-allowing-syswrite.patch --- liblog-log4perl-perl-1.48/debian/patches/0005-Workaround-for-perl-5.24-no-longer-allowing-syswrite.patch 1970-01-01 01:00:00.0 +0100 +++ liblog-log4perl-perl-1.48/debian/patches/0005-Workaround-for-perl-5.24-no-longer-allowing-syswrite.patch 2017-11-23 14:36:00.0 +0100 
@@ -0,0 +1,99 @@ +From: mschilli +Date: Sun, 19 Feb 2017 13:22:59 -0800 +Subject: Workaround for perl-5.24 no longer allowing syswrite+utf8 (see + https://github.com/mschilli/log4perl/issues/78) +Origin: https://github.com/mschilli/log4perl/commit/e8d8f6600312670a156399e220998dbd0832915f +Bug: https://github.com/mschilli/log4perl/issues/78 +Bug-Debian: https://bugs.debian.org/855894 + +--- + lib/Log/Log4perl/Appender/File.pm | 39 ++- + 1 file changed, 34 insertions(+), 5 deletions(-) + +diff --git a/lib/Log/Log4perl/Appender/File.pm b/lib/Log/Log4perl/Appender/File.pm +index 8b9dfd8..abdce69 100755 +--- a/lib/Log/Log4perl/Appender/File.pm b/lib/Log/Log4perl/Appender/File.pm +@@ -11,6 +11,7 @@ use Fcntl; + use File::Path; + use File::Spec::Functions qw(splitpath); + use constant _INTERNAL_DEBUG => 0; ++use constant SYSWRITE_UTF8_OK => ( $] < 5.024 ); + + ## + sub new { +@@ -26,7 +27,7 @@ sub new { + syswrite => 0, + mode => "append", + binmode => undef, +-utf8 => undef, ++utf8 => 0, + recreate => 0, + recreate_check_interval => 30, + recreate_check_signal => undef, +@@ -62,12 +63,30 @@ sub new { + close FILE; + } + ++$self->{syswrite_encoder} = $self->syswrite_encoder(); ++ + # This will die() if it fails + $self->file_open() unless $self->{create_at_logtime}; + + return $self; + } + ++## ++sub syswrite_encoder { ++## ++my($self) = @_; ++ ++if(!SYSWRITE_UTF8_OK and $self->{syswrite} and $self->{utf8}) { ++if( eval { require Encode } ) { ++return sub { Encode::encode_utf8($_[0]) }; ++} else { ++die "syswrite and utf8 requires Encode.pm"; ++} ++} ++ ++return undef; ++} ++ + ## + sub filename { + ## +@@ -163,8 +182,11 @@ sub file_open { + binmode $self->{fh}, $self->{binmode}; + } + +-if (defined $self->{utf8}) { +-binmode $self->{fh}, ":utf8"; ++if ($self->{utf8}) { ++ # older perls can handle syswrite+utf8 just fine ++if(SYSWRITE_UTF8_OK or !$self->{syswrite}) { ++binmode $self->{fh}, ":utf8"; ++} + } + + if(defined $self->{header_text}) {
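Review bot: in File.pm the default changes from utf8 => undef to utf8 => 0 and the test in file_open changes from "if (defined $self->{utf8})" to "if ($self->{utf8})", which alters behaviour for existing configurations independent of the Perl 5.24 problem: an appender configured with utf8 set to 0 or an empty string previously got the :utf8 layer and now does not. That may well be the intended semantics, but for a stable update it should be called out in the changelog, which currently mentions only the syswrite workaround. Also note that syswrite_encoder() dies in the constructor when Encode cannot be loaded, so a configuration with both syswrite and utf8 now fails at startup rather than warning at write time; the code that applies the encoder on the write path is not visible in this excerpt, so I could not check it.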
Bug#882194: marked as done (stretch-pu: package spamassassin/3.4.1-6+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882194, regarding stretch-pu: package spamassassin/3.4.1-6+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882194: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882194 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hello. I'd like to fix a number of bugs in spamassassin, mostly related to systemd service management. A debdiff against the current stretch version is attached. All the changes have been in buster for some time. I've tested them in fresh installation, upgrade, remove, and purge scenarios. Thanks noah diff -Nru spamassassin-3.4.1/debian/65_debian.cf spamassassin-3.4.1/debian/65_debian.cf --- spamassassin-3.4.1/debian/65_debian.cf 2016-10-30 09:39:27.0 -0700 +++ spamassassin-3.4.1/debian/65_debian.cf 2017-11-19 10:43:02.0 -0800 
@@ -25,3 +25,10 @@ metaD_SENT_BY_CRON __CRON_FROM && __CRON_HEADER score D_SENT_BY_CRON -5.0 describe D_SENT_BY_CRONSent by Cron Daemon + +# As documented in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861671, +# the bb.barracudacentral.org blacklist requires users to register, making it +# unsuitable for use in the default configuration. If you've registered your +# use of this blacklist, remove the following line in order to re-activate +# this service: +score RCVD_IN_BRBL_LASTEXT 0 diff -Nru spamassassin-3.4.1/debian/changelog spamassassin-3.4.1/debian/changelog --- spamassassin-3.4.1/debian/changelog 2016-10-30 09:39:27.0 -0700 +++ spamassassin-3.4.1/debian/changelog 2017-11-19 10:43:02.0 -0800 @@ -1,3 +1,21 @@ +spamassassin (3.4.1-6+deb9u1) stretch; urgency=medium + + * Ensure that spamd doesn't automatically start upon initial +installation. + * Disable bb.barracudacentral.org (RCVD_IN_BRBL_LASTEXT), as +it requires users to register. (Closes: #861671) + * Update the systemd unit file to use the same pid file as was +used in the sysvinit script. (Closes: #808804) + * Update spamassassin docs to remove outdated gpg version +compatibility note. (Closes: #853913) + * Update systemd unit dependencies to include network and syslog. +(Closes: 864810) + * Fix inappropriate invocation of invoke-rc.d in cron script. +(Closes: 865514) + * Fix spamd service manage on upgrades. (Closes: #865356) + + -- Noah Meyerhans Sun, 19 Nov 2017 10:43:02 -0800 + spamassassin (3.4.1-6) unstable; urgency=medium * Import upstream fix for spamassassin bug 7226: Enhance whitelist_from_dkim diff -Nru spamassassin-3.4.1/debian/rules spamassassin-3.4.1/debian/rules --- spamassassin-3.4.1/debian/rules 2016-10-30 09:39:27.0 -0700 +++ spamassassin-3.4.1/debian/rules 2017-11-19 10:43:02.0 -0800 
@@ -125,9 +125,10 @@ dh_testroot -i dh_installman -i sa-awl.1p sa-check_spamd.1p dh_installdocs -i - dh_systemd_enable --no-enable dh_installexamples -i - dh_installinit -i -- defaults 19 21 + dh_systemd_enable -i --no-enable + dh_installinit -i --no-start -- defaults 19 21 + dh_systemd_start -i --no-start dh_installcron -i dh_installchangelogs Changes -i dh_link -i diff -Nru spamassassin-3.4.1/debian/spamassassin.cron.daily spamassassin-3.4.1/debian/spamassassin.cron.daily --- spamassassin-3.4.1/debian/spamassassin.cron.daily 2016-10-30 09:39:27.0 -0700 +++ spamassassin-3.4.1/debian/spamassassin.cron.daily 2017-11-19 10:43:02.0 -0800 @@ -53,8 +53,7 @@ invoke-rc.d --quiet spamassassin status > /dev/null && \ invoke-rc.d spamassassin reload > /dev/null else -invoke-rc.d --quiet spamassassin status > /dev/null && \ - /etc/init.d/spamassassin reload > /dev/null +/etc/init.d/spamassassin reload > /dev/null fi if [ -d /etc/spamassassin/sa-update-hooks.d ]; then run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d diff -Nru spamassassin-3.4.1/debian/spamassassin.postinst spamassassin-3.4.1/debian/spamassassin.postinst --- spamassassin-3.4.1/debian/spamassassin.postinst 2016-10-30 09:39:27.0 -0700 +++ spamassassin-3.4.1/debian/spamassassin.postinst 2017-11-19 10:43:02.0 -0800 @@ -43,3 +43,9
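Review bot: in the `debian/spamassassin.cron.daily` hunk the `else` branch now runs `/etc/init.d/spamassassin reload > /dev/null` with no status check at all, so the "reload only if the service reports running" guard that the `invoke-rc.d` branch keeps is lost on this path. If the init script supports `status`, `/etc/init.d/spamassassin status > /dev/null && /etc/init.d/spamassassin reload > /dev/null` would remove the misplaced `invoke-rc.d` call while keeping both branches equivalent when spamd is stopped.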
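Review bot: in the `debian/changelog` hunk two entries are written `(Closes: 864810)` and `(Closes: 865514)` without the `#` that the other four entries use; add it for consistency. In the same hunk, "Fix spamd service manage on upgrades" should read "management".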
Bug#882242: marked as done (jessie-pu: package tor/0.2.5.15-1)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #882242, regarding jessie-pu: package tor/0.2.5.15-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882242: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882242 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Just like #882228 for stretch, I would like to update tor in jessie to the maintenance update released by upstream. In particular, the update of the directory authority set is relevant. Please let me know if I may upload by 0.2.5.15 packages. A debdiff (where I removed the large geoipdb diff) is attached. Cheers, -- | .''`. ** Debian ** Peter Palfrader | : :' : The universal https://www.palfrader.org/ | `. `' Operating System | `-https://www.debian.org/ diff -Nru tor-0.2.5.14/ChangeLog tor-0.2.5.15/ChangeLog --- tor-0.2.5.14/ChangeLog 2017-06-08 15:46:39.0 +0200 +++ tor-0.2.5.15/ChangeLog 2017-10-25 14:06:39.0 +0200 
@@ -1,3 +1,48 @@ +Changes in version 0.2.5.15 - 2017-10-25 + Tor 0.2.5.15 backports a collection of bugfixes from later Tor release + series. It also adds a new directory authority, Bastet. + + Note: the Tor 0.2.5 series will no longer be supported after 1 May + 2018. If you need a release with long-term support, please upgrade to + the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later. + + o Directory authority changes: +- Add "Bastet" as a ninth directory authority to the default list. + Closes ticket 23910. +- The directory authority "Longclaw" has changed its IP address. + Closes ticket 23592. + + o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha): +- Avoid an assertion failure bug affecting our implementation of + inet_pton(AF_INET6) on certain OpenBSD systems whose strtol() + handling of "0xx" differs from what we had expected. Fixes bug + 22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007. + + o Minor features (geoip): +- Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha): +- Fix a memset() off the end of an array when packing cells. This + bug should be harmless in practice, since the corrupted bytes are + still in the same structure, and are always padding bytes, + ignored, or immediately overwritten, depending on compiler + behavior. Nevertheless, because the memset()'s purpose is to make + sure that any other cell-handling bugs can't expose bytes to the + network, we need to fix it. Fixes bug 22737; bugfix on + 0.2.4.11-alpha. Fixes CID 1401591. + + o Build features (backport from 0.3.1.5-alpha): +- Tor's repository now includes a Travis Continuous Integration (CI) + configuration file (.travis.yml). This is meant to help new + developers and contributors who fork Tor to a Github repository be + better able to test their changes, and understand what we expect + to pass. 
To use this new build feature, you must fork Tor to your + Github account, then go into the "Integrations" menu in the + repository settings for your fork and enable Travis, then push + your changes. Closes ticket 22636. + + Changes in version 0.2.5.14 - 2017-06-08 Tor 0.2.5.14 backports a fix for a bug that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone diff -Nru tor-0.2.5.14/ReleaseNotes tor-0.2.5.15/ReleaseNotes --- tor-0.2.5.14/ReleaseNotes 2017-06-08 15:46:45.0 +0200 +++ tor-0.2.5.15/ReleaseNotes 2017-10-25 14:06:44.0 +0200 @@ -2,6 +2,50 @@ of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. +Changes in version 0.2.5.15 - 2017-10-25 + Tor 0.2.5.15 backports a collection of bugfixes from later Tor release + series. It also adds a new directory authority, Bastet. + + Note: the Tor 0.2.5 series will no longer be supported after 1 May + 2018. If you need a release with long-term support, please upgrade to + the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later. + + o Directo
Bug#882503: marked as done (jessie-pu: package sam2p/0.49.2-3)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #882503, regarding jessie-pu: package sam2p/0.49.2-3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882503: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882503 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, sam2p is currently affected by several security issues in Jessie. Therefore I would like to update the package. I have contacted the security team but they don't intend to release a DSA. Please find attached the debdiff. Regards, Markus diff -Nru sam2p-0.49.2/debian/changelog sam2p-0.49.2/debian/changelog --- sam2p-0.49.2/debian/changelog 2014-08-31 18:31:23.0 +0200 +++ sam2p-0.49.2/debian/changelog 2017-11-22 21:39:20.0 +0100 
@@ -1,3 +1,14 @@ +sam2p (0.49.2-3+deb8u1) jessie; urgency=high + + * Non-maintainer upload. + * Fix CVE-2017-14628, CVE-2017-14629, CVE-2017-14630, CVE-2017-14631, +CVE-2017-14636, CVE-2017-14637, CVE-2017-16663: +Several integer overflow or heap-based buffer overflow issues were +discovered in sam2p that may lead to an application crash or other +unspecified impact. + + -- Markus Koschany Wed, 22 Nov 2017 21:39:20 +0100 + sam2p (0.49.2-3) unstable; urgency=medium * debian/sam2p.1: correct the documentation of -m:dpi:RES and document diff -Nru sam2p-0.49.2/debian/patches/CVE-2017-14628.patch sam2p-0.49.2/debian/patches/CVE-2017-14628.patch --- sam2p-0.49.2/debian/patches/CVE-2017-14628.patch1970-01-01 01:00:00.0 +0100 +++ sam2p-0.49.2/debian/patches/CVE-2017-14628.patch2017-11-22 21:39:20.0 +0100 
@@ -0,0 +1,33 @@ +--- + in_pcx.cpp | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/in_pcx.cpp b/in_pcx.cpp +index e65a6b8..592b678 100644 +--- a/in_pcx.cpp b/in_pcx.cpp +@@ -355,7 +355,7 @@ static int pcxLoadImage24 ___((char *fname, FILE *fp, PICINFO *pinfo, byte *hdr) + + w = pinfo->w; h = pinfo->h; + +- planes = (int) hdr[PCX_PLANES]; ++ planes = (unsigned) hdr[PCX_PLANES]; + bperlin = hdr[PCX_BPRL] + ((int) hdr[PCX_BPRH]<<8); + + /* allocate 24-bit image */ +@@ -379,6 +379,7 @@ static int pcxLoadImage24 ___((char *fname, FILE *fp, PICINFO *pinfo, byte *hdr) + if (c == EOF) { MACRO_GETC(fp); break; } + } + else cnt = 1; ++if (cnt > nbytes) FatalError("Repeat count too large."); + + #if 0 / pts / + if (c > maxv) maxv = c; +@@ -403,6 +404,7 @@ static int pcxLoadImage24 ___((char *fname, FILE *fp, PICINFO *pinfo, byte *hdr) + } + } + } ++ if (nbytes != 0) pcxError(0, "Image data truncated."); + + + #if 0 / pts / diff -Nru sam2p-0.49.2/debian/patches/CVE-2017-14629.patch sam2p-0.49.2/debian/patches/CVE-2017-14629.patch --- sam2p-0.49.2/debian/patches/CVE-2017-14629.patch1970-01-01 01:00:00.0 +0100 +++ sam2p-0.49.2/debian/patches/CVE-2017-14629.patch2017-11-22 21:39:20.0 +0100 
@@ -0,0 +1,40 @@ +--- + in_xpm.cpp | 8 + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/in_xpm.cpp b/in_xpm.cpp +index dce69bf..33bda0f 100644 +--- a/in_xpm.cpp b/in_xpm.cpp +@@ -285,14 +285,14 @@ static Image::Sampled *in_xpm_reader(Image::Loader::UFD *ufd, SimBuffer::Flat co + memset(bin, 255, sizeof(*bin) * 65536); /* Make bin[*]=-1 */ + for (i=0,p=tab; (unsigned)isetPal(i, rgb[i]); +- bin[(p[0]<<8)+p[1]]=i; ++ bin[(((unsigned char*)p)[0]<<8)+((unsigned char*)p)[1]]=i; + } + assert(p==pend); + while (ht--!=0) { + tok.getComma(); + for (p=outbuf+ret->getRlen(); outbuf!=p; ) { + tok.readInStr(pend,2); +-if ((s=bin[(pend[0]<<8)+pend[1]])<0) Error::sev(Error::EERROR) << "XPM: unpaletted color" << (Error*)0; ++if ((s=bin[(((unsigned char*)pend)[0]<<8)+((unsigned char*)pend)[1]])<0) Error::sev(Error::EERROR) << "XPM: unpaletted color" << (Error*)0; + *outbuf++=s; + } + } +@@ -301,12 +301,12 @@ static Image::Sampled *in_xpm_reader(Image::Loader::UFD *ufd, SimBuffer::Flat co + Image::Sampled::rgb_t rgb1; + unsigned short *bin=new unsigned short[65536], s; + memset(bin, 255, sizeof(*bin) * 65536); /* Make bin[*]=max */ +-for (i=0,p=tab; (unsigned)igetRlen(); outbuf!=p; ) { + tok.readInStr(pend,2
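Review bot: in the first `in_pcx.cpp` hunk of CVE-2017-14628.patch, `planes = (unsigned) hdr[PCX_PLANES];` changes only the cast. `hdr` is a `byte *` in the function signature, so assuming `byte` is an unsigned type the value read was never negative, and the declaration of `planes` is not part of the hunk. If the aim is to keep a later size computation out of signed arithmetic, change the declared type of `planes` and state that in the patch header, which currently starts at `---` with no Description, Origin or Bug fields. Also check that `pcxError(0, "Image data truncated.")` stops processing the way `FatalError("Repeat count too large.")` does, since the two new checks use different error paths.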
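Review bot: in CVE-2017-14629.patch the two-byte table key is rebuilt by hand on each changed line, as `(((unsigned char*)p)[0]<<8)+((unsigned char*)p)[1]` for the table fill and again with `pend` for the lookup (the diffstat counts four such replacements). Declaring `p` and `pend` as `unsigned char *`, or moving the key computation into one small helper, would keep the sites from drifting apart and make the signed-char index fix easier to audit against the 65536-entry `bin` array.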
Bug#882219: marked as done (stretch-pu: package corebird/1.4.1-1+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882219, regarding stretch-pu: package corebird/1.4.1-1+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882219: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882219 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Dear release team, Twitter changed the character limit of tweets to 280 chars (see [1]). The version of corebird in stretch only allows composing tweets with 140 chars. The fix is really trivial[2]. Would you allow an update of corebird? Best, Philip [1] https://blog.twitter.com/official/en_us/topics/product/2017/tweetingmadeeasier.html [2] https://github.com/baedert/corebird/commit/d3cc0b068b4f3b1d0d97e4bd7c9e723d002636c1 diff -Nru corebird-1.4.1/debian/changelog corebird-1.4.1/debian/changelog --- corebird-1.4.1/debian/changelog 2017-01-09 15:16:58.0 +0100 +++ corebird-1.4.1/debian/changelog 2017-11-20 11:43:37.0 +0100 
@@ -1,3 +1,9 @@ +corebird (1.4.1-1+deb9u1) stretch; urgency=medium + + * Allow 280 characters per tweet + + -- Philip Rinn Mon, 20 Nov 2017 11:43:37 +0100 + corebird (1.4.1-1) unstable; urgency=medium * New upstream release: diff -Nru corebird-1.4.1/debian/patches/01-allow-280-characters.patch corebird-1.4.1/debian/patches/01-allow-280-characters.patch --- corebird-1.4.1/debian/patches/01-allow-280-characters.patch 1970-01-01 01:00:00.0 +0100 +++ corebird-1.4.1/debian/patches/01-allow-280-characters.patch 2017-11-16 12:09:28.0 +0100 @@ -0,0 +1,13 @@ +Description: Twitter changed the limit to 280 characters +Author: Timm Bäder +--- a/src/CbTweet.h b/src/CbTweet.h +@@ -23,7 +23,7 @@ + #include "CbTypes.h" + #include "CbMedia.h" + +-#define CB_TWEET_MAX_LENGTH 140 ++#define CB_TWEET_MAX_LENGTH 280 + + typedef enum + { diff -Nru corebird-1.4.1/debian/patches/series corebird-1.4.1/debian/patches/series --- corebird-1.4.1/debian/patches/series1970-01-01 01:00:00.0 +0100 +++ corebird-1.4.1/debian/patches/series2017-11-16 12:09:28.0 +0100 @@ -0,0 +1 @@ +01-allow-280-characters.patch --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
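Review bot: the header of `01-allow-280-characters.patch` carries only `Description:` and `Author:`, although the request links the upstream commit the change is taken from. Add an `Origin:` field with that commit URL and a `Last-Update:` date so the one-line change to `CB_TWEET_MAX_LENGTH` can be traced back to upstream from the package alone.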
Bug#880896: marked as done (stretch-pu: package libdbi/0.9.0-4+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #880896, regarding stretch-pu: package libdbi/0.9.0-4+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 880896: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880896 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi SRMs, I got a private bugreport (and so I can't reference it) that libdbi is inconsistent on error handling of the dbi_result_next_row() function. Some digging revealed that the error handler was commented out[1] years ago with other changes. Asked upstream about that, who confirmed it was not intended to comment out the proper error handling. He immediately re-enabled it[2] in the Git tree. I don't think this has any security impact (treat bad input as normal data), but it would be good to have consistent error handling in the libdbi library. Thanks for considering, Laszlo/GCS [1] https://sourceforge.net/p/libdbi/libdbi/ci/7f31b680238ea464e9bad9ef97cf411a3635af55/ [2] https://sourceforge.net/p/libdbi/libdbi/ci/88b8477d57153b9f736dd19d432d3b7ab1c49073/ diff -Nru libdbi-0.9.0/debian/changelog libdbi-0.9.0/debian/changelog --- libdbi-0.9.0/debian/changelog 2014-11-01 16:12:02.0 +0100 +++ libdbi-0.9.0/debian/changelog 2017-10-29 19:19:04.0 +0100 
@@ -1,3 +1,10 @@ +libdbi (0.9.0-4+deb9u1) stretch; urgency=medium + + * Backport fix to re-enable a call to _error_handler() that was commented +out for no obvious reason in dbi_result_next_row() . + + -- Laszlo Boszormenyi (GCS) Sun, 29 Oct 2017 18:19:04 + + libdbi (0.9.0-4) unstable; urgency=medium * Backport fix for double-free in dbi_shutdown_r() (closes: #764130). diff -Nru libdbi-0.9.0/debian/patches/re-enable_call_to_error_handler.patch libdbi-0.9.0/debian/patches/re-enable_call_to_error_handler.patch --- libdbi-0.9.0/debian/patches/re-enable_call_to_error_handler.patch 1970-01-01 01:00:00.0 +0100 +++ libdbi-0.9.0/debian/patches/re-enable_call_to_error_handler.patch 2017-10-29 19:19:04.0 +0100 @@ -0,0 +1,19 @@ +commit 88b8477d57153b9f736dd19d432d3b7ab1c49073 +Author: mhoenicka +Date: Sat Oct 28 01:54:33 2017 +0200 + +re-enabled a call to _error_handler() that was commented out for no obvious reason + +diff --git a/src/dbi_result.c b/src/dbi_result.c +index 232d0ec..1e1b0be 100644 +--- a/src/dbi_result.c b/src/dbi_result.c +@@ -174,7 +174,7 @@ int dbi_result_next_row(dbi_result Result) { + _reset_conn_error(RESULT->conn); + + if (!dbi_result_has_next_row(Result)) { +-/* _error_handler(RESULT->conn, DBI_ERROR_BADIDX); */ ++_error_handler(RESULT->conn, DBI_ERROR_BADIDX); + return 0; + } + return dbi_result_seek_row(Result, RESULT->currowidx+1); diff -Nru libdbi-0.9.0/debian/patches/series libdbi-0.9.0/debian/patches/series --- libdbi-0.9.0/debian/patches/series 2014-11-01 16:02:53.0 +0100 +++ libdbi-0.9.0/debian/patches/series 2017-10-29 19:19:04.0 +0100 @@ -1,3 +1,4 @@ fix_memory_leak_if_not_connected.patch fix_possible_access_to_unallocated_memory.patch fix_double-free_in_dbi_shutdown_r.patch +re-enable_call_to_error_handler.patch --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
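Review bot: in the `dbi_result_next_row()` hunk the re-enabled `_error_handler(RESULT->conn, DBI_ERROR_BADIDX);` runs whenever `dbi_result_has_next_row(Result)` is false, and from these lines that includes the ordinary end of a loop that calls `dbi_result_next_row()` until it returns 0. Whatever `_error_handler` does with the connection (recording the error, invoking a callback) will therefore start happening after the last row once this reaches stable, so the changelog entry should state the behaviour change for callers rather than only "re-enable a call", and a test that iterates a result set to exhaustion and then inspects the connection's error state would pin down the intended semantics.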
Bug#882391: marked as done (nmu: inn2_2.6.1-2)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882391, regarding nmu: inn2_2.6.1-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882391: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882391 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu inn2 needs to be rebuilt for i386 on stable to fix #882225, because the original package was built in a merged-/usr environment and the configure script picked up the wrong path for gzip. nmu inn2_2.6.1-2 . i386 . stretch . -m "binNMU to fix the gzip path. (Closes: #882225)" -- ciao, Marco signature.asc Description: PGP signature --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
Bug#882132: marked as done (jessie-pu: package libofx/1:0.9.10-1+deb8u1)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #882132, regarding jessie-pu: package libofx/1:0.9.10-1+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882132: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882132 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Dear release team, Upstream has fixed 2 CVEs (CVE-2017-2816 and CVE-2017-14731); these 2 CVEs are non-dsa. I already backported patches to unstable/testing/stretch (#881900) and now I would like to fix the Jessie version. Please find attached a debdiff. Best, Dylan libofx_0.9.10-1+deb8u1.debdiff Description: Binary data --- End Message --- --- Begin Message --- Version: 8.10 Hi, Each of the updates referenced in these bugs was included in this morning's jessie point release. Thanks! Regards, Adam--- End Message ---
Bug#882061: marked as done (jessie-pu: package openssh/1:6.7p1-5+deb8u4)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #882061, regarding jessie-pu: package openssh/1:6.7p1-5+deb8u4 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882061 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu This is the jessie version of #865986. The WinSCP change isn't applicable to jessie, but the fixes for #865770 and #873201 are. I had to do some minor git surgery to integrate the previous security updates into git-dpm's view of the world (including changing one patch to have a proper name rather than an automatically-generated one); apologies for the resulting noise, but I think it's still short enough to be reasonably reviewable. I ran the "git-dpm update-patches" step in a jessie chroot to avoid further noise from patches generated by different git versions. diff -Nru openssh-6.7p1/debian/.git-dpm openssh-6.7p1/debian/.git-dpm --- openssh-6.7p1/debian/.git-dpm 2016-04-14 18:53:01.0 +0100 +++ openssh-6.7p1/debian/.git-dpm 2017-11-18 10:52:00.0 + 
@@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -d6139ee6bbf3bda83ebefc73d8079d0897488d1d -d6139ee6bbf3bda83ebefc73d8079d0897488d1d +1ec1d66c12c333a99a10d399b5f47e5636d2bcff +1ec1d66c12c333a99a10d399b5f47e5636d2bcff 487bdb3a5ef6075887b830ccb8a0b14f6da78e93 487bdb3a5ef6075887b830ccb8a0b14f6da78e93 openssh_6.7p1.orig.tar.gz diff -Nru openssh-6.7p1/debian/changelog openssh-6.7p1/debian/changelog --- openssh-6.7p1/debian/changelog 2016-07-22 18:22:20.0 +0100 +++ openssh-6.7p1/debian/changelog 2017-11-18 10:56:29.0 + @@ -1,3 +1,12 @@ +openssh (1:6.7p1-5+deb8u4) jessie; urgency=medium + + * Test configuration before starting or reloading sshd under systemd +(closes: #865770). + * Make "--" before the hostname terminate argument processing after the +hostname too (closes: #873201). + + -- Colin Watson Sat, 18 Nov 2017 10:56:29 + + openssh (1:6.7p1-5+deb8u3) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru openssh-6.7p1/debian/openssh-server.ssh.service openssh-6.7p1/debian/openssh-server.ssh.service --- openssh-6.7p1/debian/openssh-server.ssh.service 2016-04-14 18:53:01.0 +0100 +++ openssh-6.7p1/debian/openssh-server.ssh.service 2017-11-18 10:52:00.0 + @@ -5,7 +5,9 @@ [Service] EnvironmentFile=-/etc/default/ssh +ExecStartPre=/usr/sbin/sshd -t ExecStart=/usr/sbin/sshd -D $SSHD_OPTS +ExecReload=/usr/sbin/sshd -t ExecReload=/bin/kill -HUP $MAINPID KillMode=process Restart=on-failure diff -Nru openssh-6.7p1/debian/patches/0030-disable-roaming-in-ssh-client.patch openssh-6.7p1/debian/patches/0030-disable-roaming-in-ssh-client.patch --- openssh-6.7p1/debian/patches/0030-disable-roaming-in-ssh-client.patch 2016-04-14 18:53:01.0 +0100 +++ openssh-6.7p1/debian/patches/0030-disable-roaming-in-ssh-client.patch 1970-01-01 01:00:00.0 +0100 
@@ -1,36 +0,0 @@ -From d6139ee6bbf3bda83ebefc73d8079d0897488d1d Mon Sep 17 00:00:00 2001 -From: Yves-Alexis Perez -Date: Tue, 12 Jan 2016 17:14:33 -0800 -Subject: disable roaming in ssh client - -SSH roaming implementation in openssh client is vulnerable to an -information leak (CVE-2016-0777) and heap-based buffer overflow -(CVE-2016-0778). The information leak is somehow attacker-controller, -and it is for example possible to extract the ssh client private keys. - readconf.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/readconf.c b/readconf.c -index 29338b6..337d914 100644 a/readconf.c -+++ b/readconf.c -@@ -1640,7 +1640,7 @@ initialize_options(Options * options) - options->tun_remote = -1; - options->local_command = NULL; - options->permit_local_command = -1; -- options->use_roaming = -1; -+ options->use_roaming = 0; - options->visual_host_key = -1; - options->ip_qos_interactive = -1; - options->ip_qos_bulk = -1; -@@ -1822,8 +1822,7 @@ fill_default_options(Options * options) - options->tun_remote = SSH_TUNID_ANY; - if (options->permit_local_command == -1) - options->permit_local_command = 0; -- if (options->use_roaming == -1) -- opti
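Review bot: in the `debian/openssh-server.ssh.service` hunk, `ExecStartPre=/usr/sbin/sshd -t` and the added `ExecReload=/usr/sbin/sshd -t` run without `$SSHD_OPTS`, while `ExecStart=/usr/sbin/sshd -D $SSHD_OPTS` passes it. If `/etc/default/ssh` sets options that change which configuration sshd reads, the test validates a different configuration from the one the daemon actually starts or reloads with, and a broken file could still pass the check. Passing `$SSHD_OPTS` to both `-t` invocations keeps the test and the running daemon aligned.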
Bug#882068: marked as done (stretch-pu: dehydrated/0.3.1-3+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #882068, regarding stretch-pu: dehydrated/0.3.1-3+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 882068: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882068 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hello, I'd like to fix https://bugs.debian.org/881974 (dehydrated using the old license agreement URL by default) in stretch. The issue does not concern buster, as in that version dehydrated is able to retrieve the correct URL dynamically. See attached a patch for the stretch version, also built and tested on stretch. TIA. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri `. `'` Debian QA page: https://qa.debian.org/developer.php?login=mattia `- diffstat for dehydrated-0.3.1 dehydrated-0.3.1 changelog |6 + gbp.conf |2 patches/Update-the-default-License-Subscriber-Agreement-URL.patch | 39 ++ patches/series|1 4 files changed, 47 insertions(+), 1 deletion(-) diff -Nru dehydrated-0.3.1/debian/changelog dehydrated-0.3.1/debian/changelog --- dehydrated-0.3.1/debian/changelog 2017-02-08 18:45:09.0 +0100 +++ dehydrated-0.3.1/debian/changelog 2017-11-18 14:00:07.0 +0100 
@@ -1,3 +1,9 @@ +dehydrated (0.3.1-3+deb9u1) stretch; urgency=medium + + * Update the default License Subscriber Agreement URL. Closes: #881974 + + -- Mattia Rizzolo Sat, 18 Nov 2017 14:00:07 +0100 + dehydrated (0.3.1-3) unstable; urgency=medium * Fix typo s/know/now/ in letsencrypt.sh wrapper. diff -Nru dehydrated-0.3.1/debian/gbp.conf dehydrated-0.3.1/debian/gbp.conf --- dehydrated-0.3.1/debian/gbp.conf 2017-02-08 18:44:07.0 +0100 +++ dehydrated-0.3.1/debian/gbp.conf 2017-11-18 14:00:07.0 +0100 @@ -1,6 +1,6 @@ [DEFAULT] upstream-branch = upstream/master -debian-branch = debian/master +debian-branch = debian/stretch upstream-tag = v%(version)s pristine-tar = True pristine-tar-commit = True diff -Nru dehydrated-0.3.1/debian/patches/series dehydrated-0.3.1/debian/patches/series --- dehydrated-0.3.1/debian/patches/series 2017-02-08 18:44:07.0 +0100 +++ dehydrated-0.3.1/debian/patches/series 2017-11-18 14:00:07.0 +0100 @@ -4,3 +4,4 @@ Update-the-location-of-WELLKNOWN-in-the-notice-message-of.patch honor-config-if-the-user-provided-one-to-letsencrypt.sh-w.patch Support-both-config.sh-and-config-as-config-filenames-for.patch +Update-the-default-License-Subscriber-Agreement-URL.patch diff -Nru dehydrated-0.3.1/debian/patches/Update-the-default-License-Subscriber-Agreement-URL.patch dehydrated-0.3.1/debian/patches/Update-the-default-License-Subscriber-Agreement-URL.patch --- dehydrated-0.3.1/debian/patches/Update-the-default-License-Subscriber-Agreement-URL.patch 1970-01-01 01:00:00.0 +0100 +++ dehydrated-0.3.1/debian/patches/Update-the-default-License-Subscriber-Agreement-URL.patch 2017-11-18 14:00:07.0 +0100 
@@ -0,0 +1,39 @@ +From: Mattia Rizzolo +Date: Sat, 18 Nov 2017 13:54:41 +0100 +Subject: Update the default License Subscriber Agreement URL + +Closes: #881974 +Signed-off-by: Mattia Rizzolo +--- + dehydrated| 2 +- + docs/examples/config | 4 ++-- + 3 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/dehydrated b/dehydrated +index 7b88ae9..882c6bd 100755 +--- a/dehydrated b/dehydrated +@@ -105,7 +105,7 @@ load_config() { + + # Default values + CA="https://acme-v01.api.letsencrypt.org/directory"; +- LICENSE="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"; ++ LICENSE="https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"; + CERTDIR= + ACCOUNTDIR= + CHALLENGETYPE="http-01" +diff --git a/docs/examples/config b/docs/examples/config +index 17621d2..d28214b 100644 +--- a/docs/examples/config b/docs/examples/config +@@ -18,8 +18,8 @@ + # Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory) + #CA="https://acme
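Review bot: the diffstat inside `Update-the-default-License-Subscriber-Agreement-URL.patch` lists two files, `dehydrated` (2 +-) and `docs/examples/config` (4 ++--), but its summary line reads "3 files changed, 4 insertions(+), 3 deletions(-)", so either a file was dropped from the patch after the header was generated or the header was edited by hand. Regenerate the header so it matches the hunks that are actually shipped. Separately, the `debian/gbp.conf` switch to `debian-branch = debian/stretch` is not mentioned in the changelog entry, which only records the licence URL update.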
Bug#881306: marked as done (jessie-pu: package python-tablib/0.9.11-2 CVE-2017-2810)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #881306, regarding jessie-pu: package python-tablib/0.9.11-2 CVE-2017-2810 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 881306: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881306 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, After fixing Stretch in release team bug #879702, here's the request for fixing Jessie, since Salvatore asks for it. Debdiff attached. Package available from: http://sid.gplhost.com/jessie-proposed-updates/python-tablib/ Please allow me to upload this update for Jessie. Cheers, Thomas Goirand (zigo) diff -Nru python-tablib-0.9.11/debian/changelog python-tablib-0.9.11/debian/changelog --- python-tablib-0.9.11/debian/changelog 2013-05-12 14:21:10.0 +0200 +++ python-tablib-0.9.11/debian/changelog 2017-10-24 21:15:19.0 +0200 
@@ -1,3 +1,9 @@ +python-tablib (0.9.11-2+deb8u1) jessie; urgency=low + + * CVE-2017-2810: apply upstream patch: use safe load (Closes: #864818). + + -- Thomas Goirand Tue, 24 Oct 2017 21:15:19 +0200 + python-tablib (0.9.11-2) unstable; urgency=low * Uploading to unstable. diff -Nru python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch --- python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch 1970-01-01 01:00:00.0 +0100 +++ python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch 2017-10-24 21:15:19.0 +0200 @@ -0,0 +1,17 @@ +Description: use safe load +Author: Kenneth Reitz +Origin: https://github.com/kennethreitz/tablib/commit/69abfc3ada5d754cb152119c0b4777043657cb6e +Bug-Debian: https://bugs.debian.org/864818 +Last-Update: 2017-10-24 + +--- python-tablib-0.9.11.orig/tablib/formats/_yaml.py python-tablib-0.9.11/tablib/formats/_yaml.py +@@ -46,7 +46,7 @@ def import_book(dbook, in_stream): + + dbook.wipe() + +-for sheet in yaml.load(in_stream): ++for sheet in yaml.safe_load(in_stream): + data = tablib.Dataset() + data.title = sheet['title'] + data.dict = sheet['data'] diff -Nru python-tablib-0.9.11/debian/patches/series python-tablib-0.9.11/debian/patches/series --- python-tablib-0.9.11/debian/patches/series 1970-01-01 01:00:00.0 +0100 +++ python-tablib-0.9.11/debian/patches/series 2017-10-24 21:15:19.0 +0200 @@ -0,0 +1 @@ +CVE-2017-2810-use_safe_load.patch --- End Message --- --- Begin Message --- Version: 8.10 Hi, Each of the updates referenced in these bugs was included in this morning's jessie point release. Thanks! Regards, Adam--- End Message ---
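Review bot: the CVE-2017-2810 patch in the python-tablib debdiff above replaces `yaml.load(in_stream)` with `yaml.safe_load(in_stream)` only inside `import_book()` at line 46 of tablib/formats/_yaml.py, and the debdiff does not show whether any other function in that file still calls `yaml.load` on caller-supplied input. Before accepting this as the complete fix, grep the patched tree for remaining `yaml.load(` calls and either convert them too or state in the patch Description why they are not reachable with untrusted data.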
Bug#881900: marked as done (stretch-pu: package libofx/1:0.9.10-2+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #881900, regarding stretch-pu: package libofx/1:0.9.10-2+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 881900: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881900 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Dear release team, Upstream has fixed 2 CVE (CVE-2017-2816 and CVE-2017-14731), these 2 CVE are non-dsa. I already backported patches to unstable/testing and now I would like to fix the Stretch and Jessie versions. Please find attached a debdiff for Stretch. Best, Dylan libofx_0.9.10-2+deb9u1.debdiff Description: Binary data --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
Bug#879850: marked as done (stretch-pu: package sqldeveloper-package/0.2.4+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #879850, regarding stretch-pu: package sqldeveloper-package/0.2.4+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 879850: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879850 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hello release team, I have prepared a re-upload of 0.2.4+nmu1 (upload done: 879070) targeting stretch to fix RC bug #868673 which makes this packaging wrapper unusable in stretch. 
* Package name: sqldeveloper-package Version : 0.2.4+deb9u1 Upstream Author : Lazarus Long * URL : https://tracker.debian.org/pkg/sqldeveloper-package * License : GPL-3+ Section : contrib/misc It builds those binary packages: sqldeveloper-package - Oracle SQL Developer Debian package builder To access further information about this package, please visit the following URL: https://mentors.debian.net/package/sqldeveloper-package Alternatively, one can download the package with dget using this command: dget -x https://mentors.debian.net/debian/pool/contrib/s/sqldeveloper- package/sqldeveloper-package_0.2.4+deb9u1.dsc More information about sqldeveloper-package can be obtained from: https://manpages.debian.org/make-sqldeveloper-package Changes since the last upload: diff -Nru sqldeveloper-package-0.2.4/debian/changelog sqldeveloper- package-0.2.4+deb9u1/debian/changelog --- sqldeveloper-package-0.2.4/debian/changelog 2012-11-14 11:12:14.0 + +++ sqldeveloper-package-0.2.4+deb9u1/debian/changelog 2017-10-26 14:00:01.0 +0100 @@ -1,3 +1,11 @@ +sqldeveloper-package (0.2.4+deb9u1) stretch; urgency=medium + + * Non-maintainer upload. + * Add required '--' before debian/rules target (Closes: #868673) + * Add --no-tgz-check as sqldeveloper is non-free + + -- Phil Morrell Thu, 26 Oct 2017 14:00:01 +0100 + sqldeveloper-package (0.2.4) unstable; urgency=high * Addressed bugs for inclusion in Wheezy's freeze: diff -Nru sqldeveloper-package-0.2.4/make-sqldeveloper-package sqldeveloper- package-0.2.4+deb9u1/make-sqldeveloper-package --- sqldeveloper-package-0.2.4/make-sqldeveloper-package2012-11-14 11:03:19.0 + +++ sqldeveloper-package-0.2.4+deb9u1/make-sqldeveloper-package 2017-07-31 12:50:06.0 +0100 
@@ -1021,7 +1021,7 @@ return 1 fi - DEBUILD_OPTS="--no-lintian binary" + DEBUILD_OPTS="--no-lintian --no-tgz-check -- binary" if [ -n "${ROOTCMD}" ] ; then DEBUILD_OPTS="--rootcmd=${ROOTCMD} ${DEBUILD_OPTS}" -- System Information: Debian Release: 9.2 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) -- Phil Morrell (emorrp1) --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
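Review bot: in the make-sqldeveloper-package hunk above, `DEBUILD_OPTS="--no-lintian --no-tgz-check -- binary"` makes the position of every later addition significant, because anything appended after `--` is now passed through as a debian/rules target rather than parsed as a debuild option. The context line that follows prepends `--rootcmd=${ROOTCMD}`, so it stays on the correct side of the separator, but nothing in the script says so. A one-line comment above the assignment stating that options must be prepended, together with the reason `--no-tgz-check` is needed (the changelog says only "as sqldeveloper is non-free"), would keep a future edit from reintroducing #868673.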
Bug#880861: marked as done (jessie-pu: package icu/52.1-8+deb8u6)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #880861, regarding jessie-pu: package icu/52.1-8+deb8u6 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 880861: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880861 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi OSRMs, There's a security vulnerability[1] in ICU - International Components for Unicode, which doesn't warrant a DSA. It's a one-line change and would be good to have it for Jessie. Thanks for considering, Laszlo/GCS [1] https://security-tracker.debian.org/tracker/CVE-2017-14952 diff -Nru icu-52.1/debian/changelog icu-52.1/debian/changelog --- icu-52.1/debian/changelog 2017-04-17 08:41:59.0 + +++ icu-52.1/debian/changelog 2017-10-24 17:28:29.0 + 
@@ -1,3 +1,10 @@ +icu (52.1-8+deb8u6) jessie; urgency=high + + * Backport upstream security fix for CVE-2017-14952: double free in +createMetazoneMappings() (closes: #878840). + + -- Laszlo Boszormenyi (GCS) Tue, 24 Oct 2017 17:28:29 + + icu (52.1-8+deb8u5) jessie-security; urgency=high * Backport upstream security fix for CVE-2017-7867 and CVE-2017-7868, diff -Nru icu-52.1/debian/patches/CVE-2017-14952.patch icu-52.1/debian/patches/CVE-2017-14952.patch --- icu-52.1/debian/patches/CVE-2017-14952.patch 1970-01-01 00:00:00.0 + +++ icu-52.1/debian/patches/CVE-2017-14952.patch 2017-10-24 17:28:29.0 + @@ -0,0 +1,10 @@ +Index: source/i18n/zonemeta.cpp +=== +--- a/source/i18n/zonemeta.cpp (revision 40283) b/source/i18n/zonemeta.cpp (revision 40324) +@@ -686,5 +686,4 @@ + if (U_FAILURE(status)) { + delete mzMappings; +-deleteOlsonToMetaMappingEntry(entry); + uprv_free(entry); + break; diff -Nru icu-52.1/debian/patches/series icu-52.1/debian/patches/series --- icu-52.1/debian/patches/series 2017-04-17 08:41:59.0 + +++ icu-52.1/debian/patches/series 2017-10-24 17:28:29.0 + @@ -24,3 +24,4 @@ CVE-2016-6293.patch CVE-2016-7415.patch CVE-2017-7867_CVE-2017-7868.patch +CVE-2017-14952.patch --- End Message --- --- Begin Message --- Version: 8.10 Hi, Each of the updates referenced in these bugs was included in this morning's jessie point release. Thanks! Regards, Adam--- End Message ---
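Review bot: in the CVE-2017-14952 patch for icu 52.1 above, the `U_FAILURE(status)` branch of source/i18n/zonemeta.cpp now releases `entry` only through `uprv_free(entry)`, which is correct only if the removed `deleteOlsonToMetaMappingEntry(entry)` did nothing beyond freeing that same pointer. The hunk does not show the helper's body, so the patch should say this explicitly; if the helper releases anything the entry owns, dropping the call trades the double free for a leak on the error path.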
Bug#880123: marked as done (jessie-pu: package syslinux/3:6.03+dfsg-5+deb8u1)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #880123, regarding jessie-pu: package syslinux/3:6.03+dfsg-5+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 880123: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880123 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: jessie Severity: normal X-Debbugs-CC: debian...@lists.debian.org, debian-b...@lists.debian.org, k...@debian.org Dear release team, I hereby ask for permission to update the syslinux package in jessie as well. The update fixes a bug in the isolinux isohybrid MBR causing boot failures with some old BIOS [1]. The bug is already fixed in unstable/testing and the update for stretch, which also includes this fix, has just been approved [2]. I tested the build in an sbuild jessie chroot and the updated package builds the correct isohdpfx.bin file (identical to the one currently in unstable/testing). The debdiff is attached. Thank you Lukas [1] https://bugs.debian.org/879004 [2] https://bugs.debian.org/879773 diff -Nru syslinux-6.03+dfsg/debian/changelog syslinux-6.03+dfsg/debian/changelog --- syslinux-6.03+dfsg/debian/changelog 2015-08-18 17:23:09.0 +0200 +++ syslinux-6.03+dfsg/debian/changelog 2017-10-29 19:12:43.0 +0100 
@@ -1,3 +1,11 @@ +syslinux (3:6.03+dfsg-5+deb8u2) jessie; urgency=medium + + * Add patch from upstream to fix boot problem for old BIOS firmware from +around 2005 by correcting the C/H/S order (thanks Thomas Schmitt, +Closes: #879004). + + -- Lukas Schwaighofer Sun, 29 Oct 2017 19:12:43 +0100 + syslinux (3:6.03+dfsg-5+deb8u1) jessie; urgency=low * Cherry-pick upstream patches that fix booting on some Chromebooks diff -Nru syslinux-6.03+dfsg/debian/patches/0017-isohdpfx.S-correct-heads-sectors.patch syslinux-6.03+dfsg/debian/patches/0017-isohdpfx.S-correct-heads-sectors.patch --- syslinux-6.03+dfsg/debian/patches/0017-isohdpfx.S-correct-heads-sectors.patch 1970-01-01 01:00:00.0 +0100 +++ syslinux-6.03+dfsg/debian/patches/0017-isohdpfx.S-correct-heads-sectors.patch 2017-10-29 19:12:43.0 +0100 
@@ -0,0 +1,50 @@ +From: Martin Str|mberg +Date: Sun, 26 Mar 2017 07:32:11 -0400 +Subject: mbr/isohdpfx.S: correct stack for heads/sectors + +Heads and sectors were pushed in reverse order per isolinux.asm +(bb519a95 reversed the order of heads/sectors on the stack). + +If anything goes wrong, clear CX in case it contains garbage. + +Signed-off-by: Gene Cumm + +Bug-Debian: https://bugs.debian.org/879004 +Origin: upstream, quashed two commits together: + http://git.zytor.com/syslinux/syslinux.git/commit/?id=32c09027423f61c305e2423e52f5f69ecad8e2c0 + http://git.zytor.com/syslinux/syslinux.git/commit/?id=8739e2ff9ba3f92652c8df846924fd00e1ce2753 +--- + mbr/isohdpfx.S | 10 ++ + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/mbr/isohdpfx.S b/mbr/isohdpfx.S +index 17e1efe..4b107e4 100644 +--- a/mbr/isohdpfx.S b/mbr/isohdpfx.S +@@ -167,20 +167,22 @@ next: + read_sector_cbios: movb $0x42, %ah ; jmp read_common */ + movl $0xeb42b4+((read_common-read_sector_cbios-4) << 24), \ + (read_sector_cbios) +- jmp 1f ++ jmp 2f + 1: ++ xor %cx, %cx /* Clear EBIOS flag. */ ++2: + popw %dx + pushw %cx /* EBIOS flag */ + + /* Get (C)HS geometry */ + movb $0x08, %ah + int $0x13 +- andw $0x3f, %cx /* Sector count */ + popw %bx /* EBIOS flag */ +- pushw %cx /* -16: Save sectors on the stack */ + movzbw %dh, %ax /* dh = max head */ + incw %ax /* From 0-based max to count */ +- pushw %ax /* -18: Save heads on the stack */ ++ pushw %ax /* -16: Save heads on the stack */ ++ andw $0x3f, %cx /* Sector count */ ++ pushw %cx /* -18: Save sectors on the stack */ + mulw %cx /* Heads*sectors -> sectors per cylinder */ + + pushw %bx /* -20: EBIOS flag */ diff -Nru syslinux-6.03+dfsg/debian/patches/series syslinux-6.03+dfsg/debian/patches/series --- syslinux-6.03+dfsg/debian/patches/series 2015-08-18 17:13:25.0 +0200 +++ syslinux-6.03+dfsg/debian/patches/series 2017-10-29 19:12:43.0 +0100 
@@ -4,3 +4,4 @@ 0004-gnu-efi-git.patch 0005-load-linux-correct-type.patch 0006-load-linux-protected-mode.patch +0017-isohdpfx.S-correct-heads-sectors.patch pgpFl9n1stdXY.pgp Description: OpenPGP digital signature --- End Message --- --- Begin Message --- Version: 8.10 Hi, E
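Review bot: in the mbr/isohdpfx.S hunk of the syslinux debdiff above, the success path now leaves with `jmp 2f`, so the new `xor %cx, %cx` under label `1:` runs only for branches that target `1f` from code above the hunk, none of which are visible here. Please confirm that every such branch is a failure path on which CX is meant to be zeroed, since that value is pushed as the EBIOS flag immediately afterwards. The heads/sectors reorder itself looks consistent: `andw $0x3f, %cx` still precedes `mulw %cx`, and the -16/-18 stack comments were updated to match. One packaging point: the bug subject names 3:6.03+dfsg-5+deb8u1, while the changelog hunk adds 3:6.03+dfsg-5+deb8u2 on top of an existing deb8u1 entry, so the request title should be corrected.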
Bug#880895: marked as done (jessie-pu: package libdbi/0.9.0-4+deb8u1)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #880895, regarding jessie-pu: package libdbi/0.9.0-4+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 880895: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880895 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi OSRMs, I got a private bugreport (and so I can't reference it) that libdbi is inconsistent on error handling of the dbi_result_next_row() function. Some digging revealed that the error handler was commented out[1] years ago with other changes. Asked upstream about that, who confirmed it was not intended to comment out the proper error handling. He immediately re-enabled it[2] in the Git tree. I don't think this has any security impact (treat bad input as normal data), but it would be good to have consistent error handling in the libdbi library. Thanks for considering, Laszlo/GCS [1] https://sourceforge.net/p/libdbi/libdbi/ci/7f31b680238ea464e9bad9ef97cf411a3635af55/ [2] https://sourceforge.net/p/libdbi/libdbi/ci/88b8477d57153b9f736dd19d432d3b7ab1c49073/ diff -Nru libdbi-0.9.0/debian/changelog libdbi-0.9.0/debian/changelog --- libdbi-0.9.0/debian/changelog 2014-11-01 16:12:02.0 +0100 +++ libdbi-0.9.0/debian/changelog 2017-10-29 19:18:56.0 +0100 
@@ -1,3 +1,10 @@ +libdbi (0.9.0-4+deb8u1) jessie; urgency=medium + + * Backport fix to re-enable a call to _error_handler() that was commented +out for no obvious reason in dbi_result_next_row() . + + -- Laszlo Boszormenyi (GCS) Sun, 29 Oct 2017 18:18:56 + + libdbi (0.9.0-4) unstable; urgency=medium * Backport fix for double-free in dbi_shutdown_r() (closes: #764130). diff -Nru libdbi-0.9.0/debian/patches/re-enable_call_to_error_handler.patch libdbi-0.9.0/debian/patches/re-enable_call_to_error_handler.patch --- libdbi-0.9.0/debian/patches/re-enable_call_to_error_handler.patch 1970-01-01 01:00:00.0 +0100 +++ libdbi-0.9.0/debian/patches/re-enable_call_to_error_handler.patch 2017-10-29 19:18:56.0 +0100 @@ -0,0 +1,19 @@ +commit 88b8477d57153b9f736dd19d432d3b7ab1c49073 +Author: mhoenicka +Date: Sat Oct 28 01:54:33 2017 +0200 + +re-enabled a call to _error_handler() that was commented out for no obvious reason + +diff --git a/src/dbi_result.c b/src/dbi_result.c +index 232d0ec..1e1b0be 100644 +--- a/src/dbi_result.c b/src/dbi_result.c +@@ -174,7 +174,7 @@ int dbi_result_next_row(dbi_result Result) { + _reset_conn_error(RESULT->conn); + + if (!dbi_result_has_next_row(Result)) { +-/* _error_handler(RESULT->conn, DBI_ERROR_BADIDX); */ ++_error_handler(RESULT->conn, DBI_ERROR_BADIDX); + return 0; + } + return dbi_result_seek_row(Result, RESULT->currowidx+1); diff -Nru libdbi-0.9.0/debian/patches/series libdbi-0.9.0/debian/patches/series --- libdbi-0.9.0/debian/patches/series 2014-11-01 16:02:53.0 +0100 +++ libdbi-0.9.0/debian/patches/series 2017-10-29 19:18:56.0 +0100 @@ -1,3 +1,4 @@ fix_memory_leak_if_not_connected.patch fix_possible_access_to_unallocated_memory.patch fix_double-free_in_dbi_shutdown_r.patch +re-enable_call_to_error_handler.patch --- End Message --- --- Begin Message --- Version: 8.10 Hi, Each of the updates referenced in these bugs was included in this morning's jessie point release. Thanks! Regards, Adam--- End Message ---
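Review bot: re-enabling `_error_handler(RESULT->conn, DBI_ERROR_BADIDX)` in `dbi_result_next_row()` in the libdbi debdiff above changes what callers see at the ordinary end of a result set, because the handler now fires whenever `dbi_result_has_next_row(Result)` is false. Code that iterates with `while (dbi_result_next_row(result))` will therefore have DBI_ERROR_BADIDX raised on the connection each time a loop finishes normally. That is a behaviour change for a stable update, so the changelog entry should say so in those terms instead of "commented out for no obvious reason", and it carries no Closes: reference that a reader could follow to the rationale.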
Bug#881415: marked as done (stretch-pu: python2.7/2.7.13-2+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #881415, regarding stretch-pu: python2.7/2.7.13-2+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 881415: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881415 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, I would like to upload python2.7 to fix a problem that it can't talk to SSL/TLS sites that use an ECDSA certificate different than P256, like a P384 certificate. Here is the debdiff: diff -u python2.7-2.7.13/debian/changelog python2.7-2.7.13/debian/changelog --- python2.7-2.7.13/debian/changelog +++ python2.7-2.7.13/debian/changelog @@ -1,3 +1,10 @@ +python2.7 (2.7.13-2+deb9u1) stretch; urgency=medium + + * Non-maintainer upload with maintainer's permission + * Support all groups in TLS communication (Closes: #868143) + + -- Kurt Roeckx Thu, 09 Nov 2017 21:58:19 +0100 + python2.7 (2.7.13-2) unstable; urgency=medium * Lower priority of interpreter packages to optional. diff -u python2.7-2.7.13/debian/patches/series.in python2.7-2.7.13/debian/patches/series.in --- python2.7-2.7.13/debian/patches/series.in +++ python2.7-2.7.13/debian/patches/series.in 
@@ -71,0 +72 @@ +Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff only in patch2: unchanged: --- python2.7-2.7.13.orig/debian/patches/Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff +++ python2.7-2.7.13/debian/patches/Dont_use_OpenSSL_1.0.2_fallback_on_1.1.diff @@ -0,0 +1,28 @@ +From 97a145398ce7e36eb355f1fd75011ddbcb37d1b3 Mon Sep 17 00:00:00 2001 +From: Donald Stufft +Date: Thu, 2 Mar 2017 11:24:50 -0500 +Subject: [PATCH] bpo-29697: Don't use OpenSSL <1.0.2 fallback on 1.1+ + +--- + Modules/_ssl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: python2.7-2.7.13/Modules/_ssl.c +=== +--- python2.7-2.7.13.orig/Modules/_ssl.c python2.7-2.7.13/Modules/_ssl.c +@@ -2166,12 +2166,12 @@ context_new(PyTypeObject *type, PyObject + options |= SSL_OP_NO_SSLv3; + SSL_CTX_set_options(self->ctx, options); + +-#ifndef OPENSSL_NO_ECDH ++#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1) + /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use +prime256v1 by default. This is Apache mod_ssl's initialization +policy, so we should be safe. OpenSSL 1.1 has it enabled by default. + */ +-#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1) ++#if defined(SSL_CTX_set_ecdh_auto) + SSL_CTX_set_ecdh_auto(self->ctx, 1); + #else + { --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
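Review bot: in the Modules/_ssl.c hunk of the python2.7 debdiff above, the outer guard becomes `#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)`, so the fix depends on `OPENSSL_VERSION_1_1` being defined earlier in the file when building against OpenSSL 1.1, and that definition is not part of the hunk. If the macro is missing in 2.7.13, the build silently keeps the prime256v1 fallback and #868143 stays open, so please confirm where it is defined. The patch also has no Bug-Debian or Origin field, and the changelog wording ("Support all groups in TLS communication") does not match the patch name, which makes the two hard to connect later.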
Bug#880439: marked as done (stretch-pu: package getmail4/4.53.0-2+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #880439, regarding stretch-pu: package getmail4/4.53.0-2+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 880439: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880439 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu I just uploaded to the stable-proposed-upload. This stable package was based on 4.53.0 which was released right before the Stretch release. Since then, upstream found a regression in 4.53.0 and released its specific fix as 4.54.0. I had packaged it as 4.53.0-2 to sid and had no problem migrating to testing. Its changes are in patch file for your review. This upload is a simple repackaging under stretch chroot to pass the benefit to the stable package without risk. Please accept this to the next stable release. The testing will package new getmail version 5 series. They carry more changes and will not be uploaded like this to stable. Also most likely, its package name will be changed to simple "getmail". 
-- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
Bug#880862: marked as done (stretch-pu: package icu/57.1-6+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #880862, regarding stretch-pu: package icu/57.1-6+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 880862: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880862 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi SRMs, There's a security vulnerability[1] in ICU - International Components for Unicode, which doesn't warrant a DSA. It's a one-line change and would be good to have it for Stretch. Thanks for considering, Laszlo/GCS [1] https://security-tracker.debian.org/tracker/CVE-2017-14952 diff -Nru icu-57.1/debian/changelog icu-57.1/debian/changelog --- icu-57.1/debian/changelog 2017-04-16 08:50:52.0 + +++ icu-57.1/debian/changelog 2017-10-24 17:28:30.0 + 
@@ -1,3 +1,10 @@ +icu (57.1-6+deb9u1) stretch; urgency=high + + * Backport upstream security fix for CVE-2017-14952: double free in +createMetazoneMappings() (closes: #878840). + + -- Laszlo Boszormenyi (GCS) Tue, 24 Oct 2017 17:28:30 + + icu (57.1-6) unstable; urgency=high * Backport upstream security fix for CVE-2017-7867 and CVE-2017-7868, diff -Nru icu-57.1/debian/patches/CVE-2017-14952.patch icu-57.1/debian/patches/CVE-2017-14952.patch --- icu-57.1/debian/patches/CVE-2017-14952.patch 1970-01-01 00:00:00.0 + +++ icu-57.1/debian/patches/CVE-2017-14952.patch 2017-10-24 17:28:30.0 + @@ -0,0 +1,10 @@ +Index: source/i18n/zonemeta.cpp +=== +--- a/source/i18n/zonemeta.cpp (revision 40283) b/source/i18n/zonemeta.cpp (revision 40324) +@@ -682,5 +682,4 @@ + if (U_FAILURE(status)) { + delete mzMappings; +-deleteOlsonToMetaMappingEntry(entry); + uprv_free(entry); + break; diff -Nru icu-57.1/debian/patches/series icu-57.1/debian/patches/series --- icu-57.1/debian/patches/series 2017-04-16 08:50:35.0 + +++ icu-57.1/debian/patches/series 2017-10-24 17:28:30.0 + @@ -10,3 +10,4 @@ CVE-2016-6293.patch CVE-2016-7415.patch CVE-2017-7867_CVE-2017-7868.patch +CVE-2017-14952.patch --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
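Review bot: debian/patches/CVE-2017-14952.patch in the icu 57.1 debdiff above starts directly at `Index: source/i18n/zonemeta.cpp` and has no Description, Origin or Bug-Debian fields. The only provenance is the pair of revision numbers (40283 and 40324) in the file header lines. Since this is a security backport, add a short header that names the upstream revision, the CVE and #878840, so the patch can be traced without reading the changelog.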
Bug#879629: marked as done (stretch-pu: package libdatetime-timezone-perl/1:2.09-1+2017c)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #879629, regarding stretch-pu: package libdatetime-timezone-perl/1:2.09-1+2017c to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 879629: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879629 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 I've prepared an update for libdatetime-timezone-perl in stretch which incorporates the changes from the Olson db 2017c release. The changes are in a quilt patch and touch only the data files in lib/DateTime/TimeZone. 2017c contains recent changes to a couple of timezones, the first change happening this weekend (2017-10-29) in North Cyprus, so this might be material for stretch-updates before a next point release. Cf. https://mm.icann.org/pipermail/tz-announce/2017-October/47.html A manually stripped down debdiff is attached. 
Cheers, gregor diff -Nru libdatetime-timezone-perl-2.09/debian/changelog libdatetime-timezone-perl-2.09/debian/changelog --- libdatetime-timezone-perl-2.09/debian/changelog 2017-03-24 20:02:23.0 +0100 +++ libdatetime-timezone-perl-2.09/debian/changelog 2017-10-23 19:24:29.0 +0200 @@ -1,3 +1,11 @@ +libdatetime-timezone-perl (1:2.09-1+2017c) UNRELEASED; urgency=medium + + * Update to Olson database version 2017c. +This update contains contemporary changes for Northern Cyprus, Fiji, +Namibia, Sudan, Tonga, and Turks & Caicos. + + -- gregor herrmann Mon, 23 Oct 2017 19:24:29 +0200 + libdatetime-timezone-perl (1:2.09-1+2017b) unstable; urgency=medium * Update to Olson database version 2017b. diff -Nru libdatetime-timezone-perl-2.09/debian/patches/olson-2017c libdatetime-timezone-perl-2.09/debian/patches/olson-2017c --- libdatetime-timezone-perl-2.09/debian/patches/olson-2017c 1970-01-01 01:00:00.0 +0100 +++ libdatetime-timezone-perl-2.09/debian/patches/olson-2017c 2017-10-23 19:24:29.0 +0200 
@@ -0,0 +1,11512 @@ +Description: update to olson db 2017c +Origin: vendor +Author: gregor herrmann +Last-Update: 2017-10-23 + +--- a/lib/DateTime/TimeZone/Africa/Abidjan.pm b/lib/DateTime/TimeZone/Africa/Abidjan.pm +@@ -3,7 +3,7 @@ + # DateTime::TimeZone module distribution in the tools/ directory + + # +-# Generated from debian/tzdata/africa. Olson data version 2017b ++# Generated from debian/tzdata/africa. Olson data version 2017c + # + # Do not edit this file directly. + # +@@ -43,7 +43,7 @@ + ], + ]; + +-sub olson_version {'2017b'} ++sub olson_version {'2017c'} + + sub has_dst_changes {0} + +--- a/lib/DateTime/TimeZone/Asia/Famagusta.pm b/lib/DateTime/TimeZone/Asia/Famagusta.pm +@@ -3,7 +3,7 @@ + # DateTime::TimeZone module distribution in the tools/ directory + + # +-# Generated from debian/tzdata/asia. Olson data version 2017b ++# Generated from debian/tzdata/asia. Olson data version 2017c + # + # Do not edit this file directly. + # +@@ -799,18 +799,216 @@ + ], + [ + 63608965200, #utc_start 2016-09-07 21:00:00 (Wed) +-DateTime::TimeZone::INFINITY, # utc_end ++63644922000, # utc_end 2017-10-29 01:00:00 (Sun) + 63608976000, # local_start 2016-09-08 00:00:00 (Thu) +-DateTime::TimeZone::INFINITY, #local_end ++63644932800, #local_end 2017-10-29 04:00:00 (Sun) + 10800, + 0, + '+03', +
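Review bot: the debian/changelog hunk leaves the distribution of 1:2.09-1+2017c as UNRELEASED, while the request targets stretch and the previous entry (1:2.09-1+2017b) went to unstable. Set the distribution to stretch before the upload so the package is routed to the proposed-updates queue; the rest of the visible diff only bumps the generated "Olson data version" strings and the Asia/Famagusta span ending 2017-10-29, which matches the description of a data-only update.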
Bug#879773: marked as done (stretch-pu: package syslinux/3:6.03+dfsg-14.1+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #879773, regarding stretch-pu: package syslinux/3:6.03+dfsg-14.1+deb9u1 to be marked as done.

--
879773: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879773
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal
X-Debbugs-CC: debian...@lists.debian.org, debian-b...@lists.debian.org, k...@debian.org

Dear release team and other involved parties,

I hereby ask for permission to update the syslinux package in stretch. There has been a short discussion about this on debian-cd already [1].

The request is about fixing the following three problems:

1. Booting from ext4 filesystems created with Debian stretch does not work, because ext4's 64bit feature is enabled by default (since Debian stretch) and not supported by syslinux [2].
2. Booting from btrfs does not work either for a similar reason [3].
3. A bug in the isolinux isohybrid MBR causing boot failures with some old BIOS [4].

[1] https://lists.debian.org/debian-cd/2017/10/msg00032.html
[2] https://bugs.debian.org/833057
[3] https://bugs.debian.org/865462
[4] https://bugs.debian.org/879004

Problems 1 and 2 are regressions from jessie (due to changes in default options when creating ext4/btrfs filesystems), while problem 3 affects jessie as well.

The fix for each of the three bugs has been cherry-picked from upstream and has a reasonably sized diff. Debian testing and unstable already have the fixes.

I've tested the proposed version. In those tests, the problems 1 and 2 were solved as expected. As for problem 3, I've verified that the isohdpfx.bin image built is identical to a known good and tested version. Additionally we got a report that the debian-cd images for testing (which are built using the fixed isohdpfx.bin) boot correctly on affected hardware [5].

A debdiff of the proposed update is attached. Alternatively it's also available from the debian/stretch branch of the git repository [6].

Thank you for your time and consideration

Lukas

PS: If this request gets ACKed, I also intend to fix the isohybrid MBR in jessie (as advised by Steve McIntyre).

[5] https://bugs.debian.org/857597#117
[6] https://anonscm.debian.org/git/debian-cd/syslinux.git
--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this morning's stretch point release.

Thanks!

Regards,

Adam
--- End Message ---
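A pre-flight check for problem 1 in the request above, as an added example that is not part of the original message or of syslinux: it reads the ext2/3/4 superblock and reports whether the `64bit` incompat feature is set, which is the condition the unpatched bootloader cannot handle. The function names and the constructed sample volumes are assumptions made for this illustration; the offsets and flag values are those of the on-disk ext4 superblock layout.

```python
import struct

SUPERBLOCK_OFFSET = 1024         # primary superblock starts 1 KiB into the volume
S_MAGIC_OFF = 0x38               # s_magic, little-endian u16
S_FEATURE_INCOMPAT_OFF = 0x60    # s_feature_incompat, little-endian u32
EXT_MAGIC = 0xEF53

# Incompat feature bits relevant to a bootloader that parses the filesystem.
INCOMPAT_NAMES = {
    0x0002: "filetype",
    0x0040: "extent",
    0x0080: "64bit",
    0x0200: "flex_bg",
}
INCOMPAT_64BIT = 0x0080


def incompat_flags(volume: bytes) -> int:
    """Return s_feature_incompat from the first bytes of an ext2/3/4 volume."""
    sb = volume[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < S_FEATURE_INCOMPAT_OFF + 4:
        raise ValueError("input too short to contain an ext superblock")
    (magic,) = struct.unpack_from("<H", sb, S_MAGIC_OFF)
    if magic != EXT_MAGIC:
        raise ValueError("no ext2/3/4 magic (0xEF53) at superblock offset 0x38")
    (flags,) = struct.unpack_from("<I", sb, S_FEATURE_INCOMPAT_OFF)
    return flags


def uses_64bit(volume: bytes) -> bool:
    """True when the filesystem was created with the 64bit feature."""
    return bool(incompat_flags(volume) & INCOMPAT_64BIT)


def feature_names(volume: bytes) -> list:
    """Decode the set incompat bits; unknown bits are shown as hex."""
    flags = incompat_flags(volume)
    names = [name for bit, name in INCOMPAT_NAMES.items() if flags & bit]
    unknown = flags & ~sum(INCOMPAT_NAMES)
    if unknown:
        names.append(hex(unknown))
    return names


def read_volume_head(path: str) -> bytes:
    """Read just enough of a block device or image file to cover the superblock."""
    with open(path, "rb") as fh:
        return fh.read(SUPERBLOCK_OFFSET + 1024)


def constructed_volume(flags: int) -> bytes:
    """Constructed sample: a zeroed 2 KiB volume head carrying only magic and flags."""
    head = bytearray(SUPERBLOCK_OFFSET + 1024)
    struct.pack_into("<H", head, SUPERBLOCK_OFFSET + S_MAGIC_OFF, EXT_MAGIC)
    struct.pack_into("<I", head, SUPERBLOCK_OFFSET + S_FEATURE_INCOMPAT_OFF, flags)
    return bytes(head)


if __name__ == "__main__":
    with_64bit = constructed_volume(0x02C2)     # filetype, extent, 64bit, flex_bg
    without_64bit = constructed_volume(0x0242)  # same set without 64bit
    for label, vol in (("with 64bit", with_64bit), ("without 64bit", without_64bit)):
        verdict = "needs the fixed syslinux" if uses_64bit(vol) else "bootable by either version"
        print(label, feature_names(vol), verdict)
```

On a real system the input would come from `read_volume_head()` on the boot partition or an image file, which requires read access to that device.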
Bug#880630: marked as done (jessie-pu: package liblouis/2.5.3-3)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #880630, regarding jessie-pu: package liblouis/2.5.3-3 to be marked as done.

--
880630: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880630
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello,

Bug#880621 reports that Jessie is affected by CVE-2014-8184. I'm proposing to upload there the RedHat fix plus a fix for that fix (it didn't actually take care of issues in the strncpy call).

Debdiff is attached.
Samuel -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'oldoldstable'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru liblouis-2.5.3/debian/changelog liblouis-2.5.3/debian/changelog --- liblouis-2.5.3/debian/changelog 2014-06-24 23:33:27.0 +0200 +++ liblouis-2.5.3/debian/changelog 2017-11-03 01:14:02.0 +0100 @@ -1,3 +1,10 @@ +liblouis (2.5.3-3+deb8u1) jessie; urgency=medium + + * Apply RedHat's patch to fix CVE-2014-8184 (Closes: Bug#880621). + * Fix RedHat's patch. + + -- Samuel Thibault Fri, 03 Nov 2017 01:14:02 +0100 + liblouis (2.5.3-3) unstable; urgency=low [ Samuel Thibault ] diff -Nru liblouis-2.5.3/debian/patches/CVE-2014-8184 liblouis-2.5.3/debian/patches/CVE-2014-8184 --- liblouis-2.5.3/debian/patches/CVE-2014-8184 1970-01-01 01:00:00.0 +0100 +++ liblouis-2.5.3/debian/patches/CVE-2014-8184 2017-11-03 01:14:02.0 +0100 
@@ -0,0 +1,99 @@ +https://github.com/liblouis/liblouis/issues/425 +https://bugzilla.redhat.com/show_bug.cgi?id=1492701 +https://access.redhat.com/errata/RHSA-2017:3111 + +From 2fe2b279994e3ed70bae461e284702cc1c7d4665 Mon Sep 17 00:00:00 2001 +From: Raphael Sanchez Prudencio +Date: Mon, 18 Sep 2017 18:44:31 +0200 +Subject: [PATCH 5/7] Fix multiple stack-based buffer overflows in findTable(). + +Fixes CVE-2014-8184. +--- + liblouis/compileTranslationTable.c | 35 +++ + 1 file changed, 11 insertions(+), 24 deletions(-) + +diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c +index ec4963f0..25c0208f 100644 +--- a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c +@@ -4502,8 +4502,7 @@ findTable (const char *tableName) + char trialPath[MAXSTRING]; + if (tableName == NULL || tableName[0] == 0) + return NULL; +- strcpy (trialPath, tablePath); +- strcat (trialPath, tableName); ++ snprintf (trialPath, MAXSTRING-1, "%s%s", tablePath, tableName); + if ((tableFile = fopen (trialPath, "rb"))) + return tableFile; + pathEnd[0] = DIR_SEP; +@@ -4522,18 +4521,15 @@ findTable (const char *tableName) + break; + if (k == listLength || k == 0) + { /* Only one file */ +- strcpy (trialPath, pathList); +- strcat (trialPath, pathEnd); +- strcat (trialPath, tableName); ++ snprintf (trialPath, MAXSTRING-1, "%s%s%s", pathList, pathEnd, tableName); + if ((tableFile = fopen (trialPath, "rb"))) + break; + } + else + { /* Compile a list of files */ +- strncpy (trialPath, pathList, k); +- trialPath[k] = 0; +- strcat (trialPath, pathEnd); +- strcat (trialPath, tableName); ++ char path[MAXSTRING]; ++ strncpy (path, pathList, k); ++ snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName); + currentListPos = k + 1; + if ((tableFile = fopen (trialPath, "rb"))) + break; +@@ -4542,11 +4538,8 @@ findTable (const char *tableName) + for (k = currentListPos; k < listLength; k++) + if (pathList[k] == ',') + break; +- strncpy (trialPath, +-
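Review bot: in the "Compile a list of files" branch of findTable() (hunk at -4522), the new `strncpy (path, pathList, k);` neither bounds k against MAXSTRING nor terminates path, and the removed `trialPath[k] = 0;` has no equivalent, so the following snprintf reads its first `%s` from an unterminated stack buffer and a list entry of MAXSTRING bytes or more still overflows it. Reject k >= MAXSTRING and set `path[k] = 0` before the snprintf, or drop the temporary and format the prefix with a precision (`"%.*s%s%s"` with `(int) k`).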
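Review bot: the snprintf calls in the -4502 hunk and the "Only one file" branch pass MAXSTRING-1 as the size even though snprintf already reserves the terminator within the size it is given, and none of them checks the return value, so an over-long tablePath or tableName is silently truncated and fopen() is then attempted on a path other than the one requested. Pass `sizeof (trialPath)` and skip the fopen() when the return value is negative or not smaller than the buffer size.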
Bug#880020: marked as done (stretch-pu: package lxc/1:2.0.7-2+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #880020, regarding stretch-pu: package lxc/1:2.0.7-2+deb9u1 to be marked as done.

--
880020: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880020
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

this update brings two changes, both needed for ci.debian.net:

lxc (1:2.0.7-2+deb9u1) stretch; urgency=medium

  * 0003-lxc-debian-don-t-hardcode-valid-releases.patch: don't hardcode list of valid Debian release. Allows creating stable, buster, testing, and unstable containers.
  * 0004-lxc-debian-don-t-write-C.-locales-to-etc-locale.gen.patch: don't insert C.* locales into /etc/locale.gen (Closes: #879595)

 -- Antonio Terceiro Fri, 27 Oct 2017 15:13:31 -0200

The first will allow to create containers with our "symlink" release names, i.e. stable, testing, etc, and also removes the need to make a new change after buster is released to add support for creating bullseye containers.

The second fixes an issue where the C.UTF-8 locale, used by debci, is injected into /etc/locale.gen in containers, causing warnings that can cause bogus test failures under autopkgtest.

The diff is attached.
-- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8), LANGUAGE=pt_BR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff --git a/debian/changelog b/debian/changelog index d7d10c1..512a09d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +lxc (1:2.0.7-2+deb9u1) stretch; urgency=medium + + * 0003-lxc-debian-don-t-hardcode-valid-releases.patch: don't +hardcode list of valid Debian release. Allows creating stable, buster, +testing, and unstable containers. + * 0004-lxc-debian-don-t-write-C.-locales-to-etc-locale.gen.patch: don't +insert C.* locales into /etc/locale.gen (Closes: #879595) + + -- Antonio Terceiro Fri, 27 Oct 2017 15:13:31 -0200 + lxc (1:2.0.7-2) unstable; urgency=high * use bash-completion's pkg-config support and don't move files around diff --git a/debian/patches/0003-lxc-debian-don-t-hardcode-valid-releases.patch b/debian/patches/0003-lxc-debian-don-t-hardcode-valid-releases.patch new file mode 100644 index 000..b57c3be --- /dev/null +++ b/debian/patches/0003-lxc-debian-don-t-hardcode-valid-releases.patch 
@@ -0,0 +1,51 @@ +From: Antonio Terceiro +Date: Thu, 26 Oct 2017 20:42:49 -0200 +Subject: lxc-debian: don't hardcode valid releases + +This avoids the dance of updating the list of valid releases every time +Debian makes a new release. + +It also fixes the following bug: even though lxc-debian will default to +creating containers of the latest stable by querying the archive, it +won't allow you to explicitly request `stable` because the current list +of valid releases don't include it. + +Last, but not least, avoid hitting the mirror in the case the desired +release is one of the ones we know will always be there, i.e. stable, +testing, sid, and unstable. + +Signed-off-by: Antonio Terceiro + + + +This is a combination of upstream commits +61fa13293d735d922ba6e5ceb66f6d8718f1a829 and +dba285d5dfa7e9f3452dc180e64158d9bedfb410 +--- + templates/lxc-debian.in | 13 +++-- + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in +index 54ada05..f6dbd4f 100644 +--- a/templates/lxc-debian.in b/templates/lxc-debian.in +@@ -623,12 +623,13 @@ if [ "$(id -u)" != "0" ]; then + exit 1 + fi + +-current_release=$(wget "${MIRROR}/dists/stable/Release" -O - 2> /dev/null | head |awk '/^Codename: (.*)$/ { print $2; }') +-release=${release:-${current_release}} +-valid_releases=('wheezy' 'jessie' 'stretch' 'sid') +-if [[ ! "${valid_releases[*]}" =~ (^|[^[:alpha:]])$release([^[:alpha:]]|$) ]]; then +-echo "Invalid release ${release}, valid ones are: ${valid_releases[*]}" +-exit 1 ++
Bug#878668: marked as done (stretch-pu: package simutrans/120.1.3+repack-3)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #878668, regarding stretch-pu: package simutrans/120.1.3+repack-3 to be marked as done.

--
878668: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878668
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I would like to fix Debian bug #869029 [1] in Stretch. It is currently not possible to enable sound for simutrans which was not intended. The solution for Stretch differs from Buster/Sid. In Stretch the 0500-config.diff patch is applied but the configuration options are overwritten during the auto-reconfiguration step. There are multiple ways to correct this issue and I opted for patching configure.ac directly. I simply changed the backend from SDL to mixer_sdl and now the sound is working again.

Please find attached the debdiff for Stretch. Jessie is not affected.

Regards,

Markus

[1] https://bugs.debian.org/869029

diff -Nru simutrans-120.1.3+repack/debian/changelog simutrans-120.1.3+repack/debian/changelog --- simutrans-120.1.3+repack/debian/changelog 2016-11-17 11:03:50.0 +0100 +++ simutrans-120.1.3+repack/debian/changelog 2017-10-15 01:03:51.0 +0200 
@@ -1,3 +1,11 @@ +simutrans (120.1.3+repack-3+deb9u1) stretch; urgency=medium + + * Team upload. + * Enable sound for simutrans again. Switch from SDL to mixer_sdl backend. +(Closes: #869029) + + -- Markus Koschany Sun, 15 Oct 2017 01:03:51 +0200 + simutrans (120.1.3+repack-3) unstable; urgency=medium [ Jörg Frings-Fürst ] diff -Nru simutrans-120.1.3+repack/debian/patches/mixer-sdl.patch simutrans-120.1.3+repack/debian/patches/mixer-sdl.patch --- simutrans-120.1.3+repack/debian/patches/mixer-sdl.patch 1970-01-01 01:00:00.0 +0100 +++ simutrans-120.1.3+repack/debian/patches/mixer-sdl.patch 2017-10-15 01:03:51.0 +0200 @@ -0,0 +1,27 @@ +From: Markus Koschany +Date: Sun, 15 Oct 2017 01:02:45 +0200 +Subject: mixer sdl + +Enable sound for simutrans. + +Bug-Debian: https://bugs.debian.org/869029 +--- + configure.ac | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 05a2143..f447a3f 100644 +--- a/configure.ac b/configure.ac +@@ -74,9 +74,9 @@ then + AC_MSG_WARN([Using SDL2 backend!]) + elif test "$ac_cv_lib_SDL_SDL_Init" == yes + then +- AC_SUBST(backend, sdl) ++ AC_SUBST(backend, mixer_sdl) + AC_SUBST(color, 16) +- AC_MSG_WARN([Using SDL backend!]) ++ AC_MSG_WARN([Using Mixer SDL backend!]) + elif test "$ac_cv_lib_allegro_get_desktop_resolution" == yes + then + AC_SUBST(backend, allegro) diff -Nru simutrans-120.1.3+repack/debian/patches/series simutrans-120.1.3+repack/debian/patches/series --- simutrans-120.1.3+repack/debian/patches/series 2016-11-17 11:03:50.0 +0100 +++ simutrans-120.1.3+repack/debian/patches/series 2017-10-15 01:03:51.0 +0200 @@ -6,3 +6,4 @@ #0510-missing_uncommon_mk.patch reproducible-build.patch sha1.patch +mixer-sdl.patch --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
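Review bot: in the configure.ac hunk the branch is still selected by `test "$ac_cv_lib_SDL_SDL_Init" == yes` alone, yet it now sets the backend to mixer_sdl, so a build host that has libSDL but not SDL_mixer configures cleanly and only fails later at compile or link time. Add an SDL_mixer library check to this branch (falling back to sdl when it is absent), and confirm that debian/control already build-depends on the SDL_mixer development package, since the debdiff touches only changelog, the new patch and series.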
Bug#879702: marked as done (stretch-pu: package python-tablib/0.9.11-2 (CVE-2017-2810))
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #879702, regarding stretch-pu: package python-tablib/0.9.11-2 (CVE-2017-2810) to be marked as done.

--
879702: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879702
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

The attached debdiff shows the fix for CVE-2017-2810. The package is available here: http://sid.gplhost.com/stretch-proposed-updates/python-tablib/

The security team thinks we should go for a stretch-pu. Please allow me to upload the fix. Should I upload the .changes including the orig file?

Cheers,

Thomas Goirand (zigo)

diff -Nru python-tablib-0.9.11/debian/changelog python-tablib-0.9.11/debian/changelog --- python-tablib-0.9.11/debian/changelog 2013-05-12 14:21:10.0 +0200 +++ python-tablib-0.9.11/debian/changelog 2017-10-24 21:15:19.0 +0200 
@@ -1,3 +1,9 @@ +python-tablib (0.9.11-2+deb9u1) stretch; urgency=low + + * CVE-2017-2810: apply upstream patch: use safe load (Closes: #864818). + + -- Thomas Goirand Tue, 24 Oct 2017 21:15:19 +0200 + python-tablib (0.9.11-2) unstable; urgency=low * Uploading to unstable. diff -Nru python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch --- python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch 1970-01-01 01:00:00.0 +0100 +++ python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch 2017-10-24 21:15:19.0 +0200 @@ -0,0 +1,17 @@ +Description: use safe load +Author: Kenneth Reitz +Origin: https://github.com/kennethreitz/tablib/commit/69abfc3ada5d754cb152119c0b4777043657cb6e +Bug-Debian: https://bugs.debian.org/864818 +Last-Update: 2017-10-24 + +--- python-tablib-0.9.11.orig/tablib/formats/_yaml.py python-tablib-0.9.11/tablib/formats/_yaml.py +@@ -46,7 +46,7 @@ def import_book(dbook, in_stream): + + dbook.wipe() + +-for sheet in yaml.load(in_stream): ++for sheet in yaml.safe_load(in_stream): + data = tablib.Dataset() + data.title = sheet['title'] + data.dict = sheet['data'] diff -Nru python-tablib-0.9.11/debian/patches/series python-tablib-0.9.11/debian/patches/series --- python-tablib-0.9.11/debian/patches/series 1970-01-01 01:00:00.0 +0100 +++ python-tablib-0.9.11/debian/patches/series 2017-10-24 21:15:19.0 +0200 @@ -0,0 +1 @@ +CVE-2017-2810-use_safe_load.patch --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
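Review bot: the patch to tablib/formats/_yaml.py changes exactly one call, the `yaml.load(in_stream)` inside import_book() at line 46, and the debdiff shows no other call site being touched. Before upload, grep the module for any remaining `yaml.load` on caller-supplied streams (the dataset import and format-detection paths are the places to look) and convert them to `yaml.safe_load` in the same patch, otherwise the CVE-2017-2810 fix covers only the Databook import. The changelog also marks a CVE fix as urgency=low, which is worth a second look.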
Bug#879215: marked as done (stretch-pu: package live-config/5.20170112)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #879215, regarding stretch-pu: package live-config/5.20170112 to be marked as done.

--
879215: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879215
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

[ debian-cd/debian-live in copy. ]

Hi,

We've been having issues with KDE live images, and since this popped up on #debian-cd again, a few days ago, I've looked into backporting a fix from unstable to stable.

The source debdiff is attached, and here's the changelog entry:

| live-config (5.20170112+deb9u1) stretch; urgency=medium
|
|   [ Cyril Brulebois ]
|   * Cherry-pick the change below to improve KDE live images.
|
|   [ Алексей Шилин ]
|   * Add components/0085-sddm to configure autologin for KDE / Plasma live
|     images. Closes: #865382.
|
|  -- Cyril Brulebois Fri, 20 Oct 2017 16:53:40 +0200

Until this gets reviewed and ACK/NACKed by the release team, I've pushed a stretch branch to live-config.git, except for the final “dch -r”, in case something needs fixing before the upload.

Thanks for your attention & time.

KiBi.
diff -Nru live-config-5.20170112/components/0085-sddm live-config-5.20170112+deb9u1/components/0085-sddm --- live-config-5.20170112/components/0085-sddm 1970-01-01 01:00:00.0 +0100 +++ live-config-5.20170112+deb9u1/components/0085-sddm 2017-10-19 13:18:15.0 +0200 
@@ -0,0 +1,81 @@ +#!/bin/sh + +## live-config(7) - System Configuration Components +## Copyright (C) 2006-2015 Daniel Baumann +## +## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING. +## This is free software, and you are welcome to redistribute it +## under certain conditions; see COPYING for details. + + +#set -e + +Cmdline () +{ + # Reading kernel command line + for _PARAMETER in ${LIVE_CONFIG_CMDLINE} + do + case "${_PARAMETER}" in + live-config.noautologin|noautologin) + LIVE_CONFIG_NOAUTOLOGIN="true" + ;; + + live-config.nox11autologin|nox11autologin) + LIVE_CONFIG_NOX11AUTOLOGIN="true" + ;; + + live-config.username=*|username=*) + LIVE_USERNAME="${_PARAMETER#*username=}" + ;; + esac + done +} + +Init () +{ + # Disables both console and graphical autologin. + case "${LIVE_CONFIG_NOAUTOLOGIN}" in + true) + exit 0 + ;; + esac + + # Disables graphical autologin, no matter what mechanism + case "${LIVE_CONFIG_NOX11AUTOLOGIN}" in + true) + exit 0 + ;; + esac + + # Checking if package is installed or already configured + if [ ! -e /var/lib/dpkg/info/sddm.list ] || \ + [ -e /var/lib/live/config/sddm ] + then + exit 0 + fi + + echo -n " sddm" +} + +Config () +{ + # autologin + if [ -n "${LIVE_USERNAME}" ] + then + cat > /etc/sddm.conf << EOF +[Autologin] +User=${LIVE_USERNAME} +Session=plasma.desktop +EOF + fi + + # Avoid xinit + touch /var/lib/live/config/xinit + + # Creating state file + touch /var/lib/live/config/sddm +} + +Cmdline +Init +Config diff -Nru live-config-5.20170112/debian/changelog live-config-5.20170112+deb9u1/debian/changelog --- live-config-5.20170112/debian/changelog 2017-01-12 18:11:22.0 +0100 +++ live-config-5.20170112+deb9u1/debian/changelog 2017-10-20 16:53:40.0 +0200 
@@ -1,3 +1,14 @@ +live-config (5.20170112+deb9u1) stretch; urgency=medium + + [ Cyril Brulebois ] + * Cherry-pick the change below to improve KDE live images. + + [ Алексей Шилин ] + * Add components/0085-sddm to configure autologin for KDE / Plasma live +images. Closes: #865382. + + -- Cyril Brulebois Fri, 20 Oct 2017 16:53:40 +0200 + live-config (5.20170112) unstable; urgency=medium * Team upload. --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was include
Bug#879599: marked as done (stretch-pu: package charmtimetracker/1.11.4-1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #879599, regarding stretch-pu: package charmtimetracker/1.11.4-1 to be marked as done.

--
879599: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879599
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hey,

charmtimetracker is currently not installable in stable (#873918), this pu fixes this. Additionally I also fixed #873917, to have a better wording in the short description. I made sure that it still builds for stable on amd64.

Best Regards,

sandro

-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru charmtimetracker-1.11.4/debian/changelog charmtimetracker-1.11.4/debian/changelog --- charmtimetracker-1.11.4/debian/changelog2016-11-10 09:33:30.0 +0100 +++ charmtimetracker-1.11.4/debian/changelog2017-10-23 11:20:46.0 +0200 
@@ -1,3 +1,12 @@ +charmtimetracker (1.11.4-1+deb9u1) stretch; urgency=medium + + * Fix "Missing binary dependency on libqt5sql5-sqlite" (Closes: #873918) +- Adding libqt5sql5-sqlite to depends list of charmtimetracker. + * Fix "Please drop "Cross-Platform" from package description" rewrite +discription for the pacakge (Closes: #873917) + + -- Sandro Knauß Mon, 23 Oct 2017 11:20:46 +0200 + charmtimetracker (1.11.4-1) unstable; urgency=medium [ Sandro Knauß ] diff -Nru charmtimetracker-1.11.4/debian/control charmtimetracker-1.11.4/debian/control --- charmtimetracker-1.11.4/debian/control 2016-11-10 09:27:15.0 +0100 +++ charmtimetracker-1.11.4/debian/control 2017-10-23 11:20:46.0 +0200 @@ -20,8 +20,8 @@ Package: charmtimetracker Architecture: any -Depends: ${misc:Depends}, ${shlibs:Depends} -Description: Cross-Platform Time Tracker +Depends: libqt5sql5-sqlite, ${misc:Depends}, ${shlibs:Depends} +Description: a task based Time Tracker It is built around two major ideas - tasks and events. Tasks are the things time is spend on, repeatedly. Tasks are done in events. --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
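Review bot: in the debian/control hunk the new synopsis `Description: a task based Time Tracker` starts with an article and mixes capitalisation, which the usual synopsis conventions discourage; something like "task based time tracker" reads as the noun phrase the field expects. The hard-coded `libqt5sql5-sqlite` dependency is the right fix for a runtime-loaded Qt SQL plugin that ${shlibs:Depends} cannot see, and the changelog entry above it would benefit from correcting "discription" and "pacakge" before upload.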
Bug#878685: marked as done (stretch-pu: package udftools/1.3-2)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #878685, regarding stretch-pu: package udftools/1.3-2 to be marked as done.

--
878685: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878685
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Package udftools in version 1.3-1 specifies an incorrect path to the pktsetup binary in the /etc/init.d/udftools init script, which causes the init script not to work at all. The binary path was changed from bin to sbin upstream between 1.2 and 1.3.

It leads to the reported bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878180

This problem is fixed in udftools version 1.3-2, which is now available in sid and buster. The diff between versions 1.3-1 and 1.3-2 is attached and contains just the fix for this problem.

Please update udftools to version 1.3-2 also for stretch to make the /etc/init.d/udftools init script work again in stretch.
-- System Information: Debian Release: 9.2 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-4-amd64 (SMP w/1 CPU core) Locale: LANG=sk_SK.UTF-8, LC_CTYPE=sk_SK.UTF-8 (charmap=UTF-8), LANGUAGE=sk_SK (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) diff -Nru udftools-1.3/debian/changelog udftools-1.3/debian/changelog --- udftools-1.3/debian/changelog 2017-01-24 00:28:05.0 +0100 +++ udftools-1.3/debian/changelog 2017-10-03 21:41:57.0 +0200 @@ -1,3 +1,9 @@ +udftools (1.3-2) unstable; urgency=low + + * Fix path to pktsetup in udftools init script + + -- Pali Rohár Tue, 03 Oct 2017 21:41:57 +0200 + udftools (1.3-1) unstable; urgency=low * New upstream release diff -Nru udftools-1.3/debian/udftools.init udftools-1.3/debian/udftools.init --- udftools-1.3/debian/udftools.init 2017-01-24 00:26:46.0 +0100 +++ udftools-1.3/debian/udftools.init 2017-10-03 21:40:26.0 +0200 @@ -30,7 +30,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin DESC="udftools packet writing" -PKTSETUP=/usr/bin/pktsetup +PKTSETUP=/usr/sbin/pktsetup DEFAULTFILE=/etc/default/udftools DEVICES="" NEWINTNAMES="0 1 2 3" --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
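Review bot: the debian/changelog hunk is the sid entry unchanged, `udftools (1.3-2) unstable; urgency=low`, so as written the stretch upload would reuse a version that already exists in sid and buster and would name the wrong distribution. For a stable update, add a separate entry with the distribution set to stretch and a version that sorts below 1.3-2 (the usual form is 1.3-1+deb9u1); the one-line `PKTSETUP=/usr/sbin/pktsetup` change in udftools.init is otherwise minimal and matches the described bug.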
Bug#879630: marked as done (jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2017c)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #879630, regarding jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2017c to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 879630: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879630 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 I've prepared an update for libdatetime-timezone-perl in jessie which incorporates the changes from the Olson db 2017c release. The changes are in a quilt patch and touch only the data files in lib/DateTime/TimeZone. 2017c contains recent changes to a couple of timezones, the first change happening this weekend (2017-10-29) in North Cyprus, so this might be material for jessie-updates before a next point release. Cf. https://mm.icann.org/pipermail/tz-announce/2017-October/47.html A manually stripped down debdiff is attached. 
Cheers, gregor diff -Nru libdatetime-timezone-perl-1.75/debian/changelog libdatetime-timezone-perl-1.75/debian/changelog --- libdatetime-timezone-perl-1.75/debian/changelog 2017-04-02 22:32:45.0 +0200 +++ libdatetime-timezone-perl-1.75/debian/changelog 2017-10-23 19:10:12.0 +0200 @@ -1,3 +1,11 @@ +libdatetime-timezone-perl (1:1.75-2+2017c) UNRELEASED; urgency=medium + + * Update to Olson database version 2017c. +This update contains contemporary changes for Northern Cyprus, Fiji, +Namibia, Sudan, Tonga, and Turks & Caicos. + + -- gregor herrmann Mon, 23 Oct 2017 19:10:12 +0200 + libdatetime-timezone-perl (1:1.75-2+2017b) jessie; urgency=medium * Update to Olson database version 2017b. diff -Nru libdatetime-timezone-perl-1.75/debian/patches/olson-2017c libdatetime-timezone-perl-1.75/debian/patches/olson-2017c --- libdatetime-timezone-perl-1.75/debian/patches/olson-2017c 1970-01-01 01:00:00.0 +0100 +++ libdatetime-timezone-perl-1.75/debian/patches/olson-2017c 2017-10-23 19:10:12.0 +0200 
@@ -0,0 +1,11569 @@ +Description: update to olson db 2017c +Origin: vendor +Author: gregor herrmann +Last-Update: 2017-10-23 + +--- a/lib/DateTime/TimeZone/Africa/Abidjan.pm b/lib/DateTime/TimeZone/Africa/Abidjan.pm +@@ -3,7 +3,7 @@ + # DateTime::TimeZone module distribution in the tools/ directory + + # +-# Generated from debian/tzdata/africa. Olson data version 2017b ++# Generated from debian/tzdata/africa. Olson data version 2017c + # + # Do not edit this file directly. + # +@@ -39,7 +39,7 @@ + ], + ]; + +-sub olson_version { '2017b' } ++sub olson_version { '2017c' } + + sub has_dst_changes { 0 } + +--- a/lib/DateTime/TimeZone/Asia/Famagusta.pm b/lib/DateTime/TimeZone/Asia/Famagusta.pm +@@ -3,7 +3,7 @@ + # DateTime::TimeZone module distribution in the tools/ directory + + # +-# Generated from debian/tzdata/asia. Olson data version 2017b ++# Generated from debian/tzdata/asia. Olson data version 2017c + # + # Do not edit this file directly. + # +@@ -795,18 +795,216 @@ + ], + [ + 63608965200, #utc_start 2016-09-07 21:00:00 (Wed) +-DateTime::TimeZone::INFINITY, # utc_end ++63644922000, # utc_end 2017-10-29 01:00:00 (Sun) + 63608976000, # local_start 2016-09-08 00:00:00 (Thu) +-DateTime::TimeZone::INFINITY, #local_end ++63644932800, #local_end 2017-10-29 04:00:00 (Sun) + 10800, + 0, + '+03', +
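Review bot: the new entry in the debian/changelog hunk (@@ -1,3 +1,11) still carries the distribution UNRELEASED, while the 1:1.75-2+2017b entry directly below it targets jessie; set it to jessie before the upload so the package is routed to the suite this request is for. The visible part of the Asia/Famagusta hunk is internally consistent (the new utc_end and local_end differ by the 10800 second offset given two lines later), so there is nothing to raise there.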
Bug#878576: marked as done (stretch-pu: package berusky/1.7-1+b1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #878576, regarding stretch-pu: package berusky/1.7-1+b1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 878576: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878576 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, I would like to update berusky in Stretch. The Jessie version is not affected. The game crashes on startup with certain video card configurations. This makes the game unplayable. This is Debian bug #877979. https://bugs.debian.org/877979 The issue is already fixed in sid and buster. Please find attached the debdiff for stretch. Regards, Markus diff -Nru berusky-1.7/debian/changelog berusky-1.7/debian/changelog --- berusky-1.7/debian/changelog2016-06-12 13:50:54.0 +0200 +++ berusky-1.7/debian/changelog2017-10-14 19:55:16.0 +0200 
@@ -1,3 +1,10 @@ +berusky (1.7-1+deb9u1) stretch; urgency=medium + + * Add crash-on-startup.patch and fix the startup crash with certain +video card configurations. (Closes: #877979) + + -- Markus Koschany Sat, 14 Oct 2017 19:55:16 +0200 + berusky (1.7-1) unstable; urgency=medium * Imported Upstream version 1.7. (Closes: #687690) diff -Nru berusky-1.7/debian/patches/crash-on-startup.patch berusky-1.7/debian/patches/crash-on-startup.patch --- berusky-1.7/debian/patches/crash-on-startup.patch 1970-01-01 01:00:00.0 +0100 +++ berusky-1.7/debian/patches/crash-on-startup.patch 2017-10-14 19:55:16.0 +0200 @@ -0,0 +1,24 @@ +From: Markus Koschany +Date: Sat, 14 Oct 2017 19:53:16 +0200 +Subject: crash on startup + +Bug-Debian: https://bugs.debian.org/877979 +--- + src/2d_graph.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/2d_graph.h b/src/2d_graph.h +index 1f012dd..1a66076 100644 +--- a/src/2d_graph.h b/src/2d_graph.h +@@ -749,7 +749,9 @@ public: + void check(void); + + graph_2d(tpos dx, tpos dy, int depth, bool fullscreen) +-: store(SURFACES, SPRITES), ++ : p_screen_surface(NULL), ++ p_screen(NULL), ++ store(SURFACES, SPRITES), + rect_last(0) + { + /* sdl init */ diff -Nru berusky-1.7/debian/patches/series berusky-1.7/debian/patches/series --- berusky-1.7/debian/patches/series 2016-06-12 13:50:54.0 +0200 +++ berusky-1.7/debian/patches/series 2017-10-14 19:55:16.0 +0200 @@ -3,3 +3,4 @@ 05-no-editor.patch 11-german-po.patch 12-locale.patch +crash-on-startup.patch --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
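Review bot: in the src/2d_graph.h hunk (@@ -749) p_screen_surface and p_screen are placed ahead of store in the constructor's initialiser list, but C++ initialises members in declaration order whatever order the list uses, so check that both pointers are declared before store and rect_last in the class, otherwise the list is misleading and -Wreorder will warn. The patch header also only names the symptom ("crash on startup"); a Description line stating that the two pointers were left uninitialised would make the fix reviewable without opening bug #877979.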
Bug#877627: marked as done (stretch-pu: package kde-gtk-config/5.8.6-1+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #877627, regarding stretch-pu: package kde-gtk-config/5.8.6-1+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 877627: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877627 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu X-Debbugs-CC: debian-qt-...@lists.debian.org Dear release team, I would like to push a fix for src:kde-gtk-config package in stable. Without this fix package kde-config-gtk-style lacks one very convenient feature (previewing GTK+ 2.x and GTK+ 3.x themes before applying them) and package kde-config-gtk-style-preview is absolutely useless (because binaries from it cannot be used). Proposed changes have been applied in package in unstable since 04 Aug 2017 (kde-gtk-config/4:5.10.4-1) and all works fine. Please consider accepting this as a stretch-pu. Thanks, Boris diff -Nru kde-gtk-config-5.8.6/debian/changelog kde-gtk-config-5.8.6/debian/changelog --- kde-gtk-config-5.8.6/debian/changelog 2017-03-14 17:23:29.0 +0300 +++ kde-gtk-config-5.8.6/debian/changelog 2017-10-03 17:31:46.0 +0300 
@@ -1,3 +1,15 @@ +kde-gtk-config (4:5.8.6-1+deb9u1) stable; urgency=medium + + * Update debian/rules: +set DATA_INSTALL_DIR variable in configuration options: it is required +for correct search of preview.ui file in gtk*_preview programs. +(These programs have not been working since version 4:5.1.95-0ubuntu1) + * Add patch fix-search-of-gtk-preview-executables. +It is required for showing preview buttons in KDE-GTK-config UI. +(These buttons have not been working since version 4:5.1.95-0ubuntu1) + + -- Boris Pek Tue, 03 Oct 2017 17:31:46 +0300 + kde-gtk-config (4:5.8.6-1) unstable; urgency=medium * New upstream release (5.8.6) diff -Nru kde-gtk-config-5.8.6/debian/patches/fix-search-of-gtk-preview-executables.patch kde-gtk-config-5.8.6/debian/patches/fix-search-of-gtk-preview-executables.patch --- kde-gtk-config-5.8.6/debian/patches/fix-search-of-gtk-preview-executables.patch 1970-01-01 03:00:00.0 +0300 +++ kde-gtk-config-5.8.6/debian/patches/fix-search-of-gtk-preview-executables.patch 2017-08-04 17:00:50.0 +0300 
@@ -0,0 +1,43 @@ +Forwarded: no +Description: Fix search of gtk*_preview executables + Due to Debian multiarch support gtk_preview and gtk3_preview executables are + installed into non-standard path (/usr/lib/*/libexec/) which is out of + search scope of QStandardPaths::findExecutable() function. + . + This patch is required for showing preview buttons in KDE-GTK-config UI. +Author: Boris Pek +Last-Update: 2017-08-04 + +diff --git a/CMakeLists.txt b/CMakeLists.txt +--- a/CMakeLists.txt b/CMakeLists.txt +@@ -26,6 +26,8 @@ + + # Set KI18n translation domain + add_definitions(-DTRANSLATION_DOMAIN=\"kde-gtk-config\") ++add_definitions(-DCMAKE_INSTALL_PREFIX=\"${CMAKE_INSTALL_PREFIX}\") ++add_definitions(-DLIBEXEC_INSTALL_DIR=\"${LIBEXEC_INSTALL_DIR}\") + + set(kcm_SRCS + src/iconthemesmodel.cpp +diff --git a/src/gtkconfigkcmodule.cpp b/src/gtkconfigkcmodule.cpp +--- a/src/gtkconfigkcmodule.cpp b/src/gtkconfigkcmodule.cpp +@@ -87,6 +87,17 @@ + QString gtk2Preview = QStandardPaths::findExecutable("gtk_preview"); + QString gtk3Preview = QStandardPaths::findExecutable("gtk3_preview"); + ++// KStandardDirs::findExe was replaced by QStandardPaths::findExecutable ++// in a wrong way. See for details: ++// https://community.kde.org/Frameworks/Porting_Notes/KStandardDirs ++static const QString searchPath = CMAKE_INSTALL_PREFIX "/" LIBEXEC_INSTALL_DIR; ++if(gtk2Preview.isEmpty()) { ++gtk2Preview = QStandardPaths::findExecutable("gtk_preview", QStringList() << searchPath); ++} ++if(gtk3Preview.isEmpty()) { ++gtk3Preview = QStandardPaths::findExecutable("gtk3_preview", QStringList() << searchPath); ++} ++ + m_p2 = new KProcess(this); + m_p2->setEnv("GTK2_RC_FILES", m_tempGtk2Preview, true); + if(!gtk2Preview.isEmpty()) { diff -Nru kde-gtk-config-5.8.6/debian/patches/series kde-gtk-config-5.8.6/debian/patches/series --- kde-gtk-config-5.8.6/debian/patches/series 1970-01-01 03:00:00.0 +0300 +++ kde-gtk-config-5.8.6/debian/patches/series 2017-08-04 17:00:50.0 +0300 @@ -0,0 +1 @@ +fi
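Review bot: in the src/gtkconfigkcmodule.cpp hunk (@@ -87) searchPath is built as CMAKE_INSTALL_PREFIX "/" LIBEXEC_INSTALL_DIR, which is only correct while LIBEXEC_INSTALL_DIR is a path relative to the prefix; if the build ever passes an absolute directory the result is the prefix followed by a second absolute path and the fallback lookup finds nothing. Either pass the already-resolved absolute libexec directory as a single definition from CMakeLists.txt, or document the relative-path assumption next to the two add_definitions lines. Since the fallback runs only when the PATH lookup returns an empty string, a gtk_preview found elsewhere in PATH still wins over the packaged one; say in the patch description whether that precedence is intended.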
Bug#878996: marked as done (stretch-pu: package xrdp/0.9.1-9)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #878996, regarding stretch-pu: package xrdp/0.9.1-9 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 878996: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878996 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Dear stable release managers, I would like to update xrdp in stretch. xrdp 0.9.1-9 has a bug marked as important in the BTS, causing xrdp to go into an endless loop when shutting down an SSL context and causing very high load on the system when it does. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876976 Find attached the debdiff between the current stable version and the proposed update. 
Cheers, Nik - -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.12.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) diff -Nru xrdp-0.9.1/debian/changelog xrdp-0.9.1/debian/changelog --- xrdp-0.9.1/debian/changelog 2017-05-04 18:59:10.0 +0200 +++ xrdp-0.9.1/debian/changelog 2017-10-18 11:56:31.0 +0200 
@@ -1,3 +1,11 @@ +xrdp (0.9.1-9+deb9u1) stable; urgency=medium + + * Fix high CPU load on SSL shutdown. (Closes: #876976) ++ xrdp could in some situations cause permanent high load on a + system if an SSL shutdown got into an endless loop. + + -- Dominik George Wed, 18 Oct 2017 11:56:31 +0200 + xrdp (0.9.1-9) unstable; urgency=high * Revisit incomplete fix for CVE-2017-6967. (Closes: #858143) diff -Nru xrdp-0.9.1/debian/patches/fix-876976.patch xrdp-0.9.1/debian/patches/fix-876976.patch --- xrdp-0.9.1/debian/patches/fix-876976.patch 1970-01-01 01:00:00.0 +0100 +++ xrdp-0.9.1/debian/patches/fix-876976.patch 2017-10-18 11:53:29.0 +0200 @@ -0,0 +1,16 @@ +From: Jay Sorg +Origin: https://github.com/neutrinolabs/xrdp/commit/2c96908ea500880c71d3593dd2b2b5b5275bdbf5 +Subject: if SSL_shutdown fails, only call one more time +Bug: https://github.com/neutrinolabs/xrdp/issues/872 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876976 +--- a/common/ssl_calls.c b/common/ssl_calls.c +@@ -754,7 +754,7 @@ ssl_tls_disconnect(struct ssl_tls *self) + return 0; + } + status = SSL_shutdown(self->ssl); +-while (status != 1) ++if (status != 1) + { + status = SSL_shutdown(self->ssl); + if (status <= 0) diff -Nru xrdp-0.9.1/debian/patches/series xrdp-0.9.1/debian/patches/series --- xrdp-0.9.1/debian/patches/series2017-04-27 12:48:33.0 +0200 +++ xrdp-0.9.1/debian/patches/series2017-10-18 11:50:09.0 +0200 @@ -10,3 +10,4 @@ kb_jp.diff highres.diff cve-2017-6967.diff +fix-876976.patch --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
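Review bot: in the common/ssl_calls.c hunk (@@ -754, ssl_tls_disconnect) the result of the second SSL_shutdown() is only tested with status <= 0, which does not separate "close_notify sent, peer has not answered yet" (0) from a real failure (negative). With the retry now limited to one attempt, that branch is the only place the outcome can be diagnosed, so it is worth passing the value through SSL_get_error() there and logging the result. Replacing while with if is the right bound: a peer that never completes the shutdown kept the old loop spinning, which is the CPU exhaustion reported in #876976.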
Bug#878173: marked as done (stretch-pu: package pdns/4.0.3-1+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #878173, regarding stretch-pu: package pdns/4.0.3-1+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 878173: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878173 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Dear Release Team, pdns before 4.0.4 replies incorrectly to DNS questions with the DNSSEC query bit (DO) set, when the query also uses the "0x20" mechanism to increase spoofing resistance. Unfortunately this is the configuration letsencrypt uses to check for CAA records on domains. This implies letsencrypt being broken for all users that have domains on pdns from stretch. Upstream has fixed this in 4.0.4, but that didn't make it into stretch. There is more discussion on this in Debian bug #869222 and at https://github.com/PowerDNS/pdns/issues/5546 and at https://community.letsencrypt.org/t/caa-servfail-changes/38298/2 I have imported a minimal patch from upstream and attached the debdiff. Please let me know if this looks good or if I got something wrong. Thanks, Chris diff -Nru pdns-4.0.3/debian/changelog pdns-4.0.3/debian/changelog --- pdns-4.0.3/debian/changelog 2017-01-19 23:05:09.0 + +++ pdns-4.0.3/debian/changelog 2017-10-10 18:08:15.0 + 
@@ -1,3 +1,9 @@ +pdns (4.0.3-1+deb9u1) stable; urgency=medium + + * Fix incorrect qname casing in NSEC3 generation (Closes: #869222) + + -- Christian Hofstaedtler Tue, 10 Oct 2017 18:08:15 + + pdns (4.0.3-1) unstable; urgency=medium * New upstream version 4.0.3, fixing bug when running bindbackend diff -Nru pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch --- pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch 1970-01-01 00:00:00.0 + +++ pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch 2017-10-10 18:08:15.0 + @@ -0,0 +1,25 @@ +From b91cfe5c069df975176f5fd944540f72fc5d01bb Mon Sep 17 00:00:00 2001 +From: Kees Monshouwer +Date: Wed, 3 May 2017 21:49:11 +0200 +Subject: [PATCH] auth: lowercase qname before NSEC generation + +[z...@debian.org]: Patch from upstream PR #5289. +https://github.com/PowerDNS/pdns/commit/b91cfe5c069df975176f5fd944540f72fc5d01bb + +--- + pdns/dnsbackend.cc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pdns/dnsbackend.cc b/pdns/dnsbackend.cc +index 4e43ffc2b1..2454d6efb8 100644 +--- a/pdns/dnsbackend.cc b/pdns/dnsbackend.cc +@@ -273,7 +273,7 @@ bool DNSBackend::getBeforeAndAfterNames(uint32_t id, const DNSName& zonename, co + // lcqname=labelReverse(lcqname); + DNSName dnc; + string relqname, sbefore, safter; +- relqname=labelReverse(makeRelative(qname.toStringNoDot(), zonename.toStringNoDot())); // FIXME400 ++ relqname=labelReverse(makeRelative(toLower(qname.toStringNoDot()), zonename.toStringNoDot())); + //sbefore = before.toString(); + //safter = after.toString(); + bool ret = this->getBeforeAndAfterNamesAbsolute(id, relqname, dnc, sbefore, safter); diff -Nru pdns-4.0.3/debian/patches/series pdns-4.0.3/debian/patches/series --- pdns-4.0.3/debian/patches/series1970-01-01 00:00:00.0 + +++ pdns-4.0.3/debian/patches/series2017-10-10 18:08:15.0 + 
@@ -0,0 +1 @@ +869222-lowercase-qname-before-NSEC-generation.patch --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
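Review bot: in the pdns/dnsbackend.cc hunk (@@ -273, getBeforeAndAfterNames) only qname is lowercased; zonename.toStringNoDot() still reaches makeRelative() in whatever case it is stored, so if makeRelative() compares the suffix case-sensitively, a zone stored with uppercase letters would still fail to strip and produce a wrong relqname. Confirm that zonename is already canonical lowercase at this point or apply toLower() to both arguments. The patch carries no regression test; a query with mixed-case (0x20) qname and the DO bit set, as described in the request, would cover it.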
Bug#877342: marked as done (stretch-pu: package qtcurve/1.8.18+git20160320-3d8622c-3+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #877342, regarding stretch-pu: package qtcurve/1.8.18+git20160320-3d8622c-3+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 877342: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877342 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Dear release team, I would like to push a fix for qtcurve bug #865765 (crash when using QtCurve widget style with Breeze preset). Debdiff looks big but in fact it is very simple: just s/memcmp/strncmp/ Please consider accepting this as a stretch-pu. Thanks, Boris diff -Nru qtcurve-1.8.18+git20160320-3d8622c/debian/changelog qtcurve-1.8.18+git20160320-3d8622c/debian/changelog --- qtcurve-1.8.18+git20160320-3d8622c/debian/changelog 2016-05-11 23:52:09.0 +0300 +++ qtcurve-1.8.18+git20160320-3d8622c/debian/changelog 2017-09-30 19:37:12.0 +0300 
@@ -1,3 +1,11 @@ +qtcurve (1.8.18+git20160320-3d8622c-3+deb9u1) stable; urgency=medium + + * Add patch replace-memcmp-with-strncmp. It fixes crash when using QtCurve +widget style and Breeze preset. (Closes: #865765) +[Thanks to Sergey Sharybin] + + -- Boris Pek Sat, 30 Sep 2017 19:37:12 +0300 + qtcurve (1.8.18+git20160320-3d8622c-3) unstable; urgency=medium * Add workaround-for-kwin-x11-crashes.patch. (Closes: #823674) diff -Nru qtcurve-1.8.18+git20160320-3d8622c/debian/patches/replace-memcmp-with-strncmp.patch qtcurve-1.8.18+git20160320-3d8622c/debian/patches/replace-memcmp-with-strncmp.patch --- qtcurve-1.8.18+git20160320-3d8622c/debian/patches/replace-memcmp-with-strncmp.patch 1970-01-01 03:00:00.0 +0300 +++ qtcurve-1.8.18+git20160320-3d8622c/debian/patches/replace-memcmp-with-strncmp.patch 2017-09-07 18:52:54.0 +0300 
@@ -0,0 +1,1337 @@ +Description: Replace memcmp with strncmp + Do not exceed string buffer length while parsing config file. +Origin: upstream, https://cgit.kde.org/qtcurve.git/commit/?id=f164a4b69 +Bug: https://bugs.kde.org/show_bug.cgi?id=374046 +Bug-Debian: https://bugs.debian.org/865765 +Last-Update: 2017-08-03 + +--- a/gtk2/common/config_file.cpp b/gtk2/common/config_file.cpp +@@ -88,17 +88,17 @@ + { + if(str && 0!=str[0]) + { +-if(0==memcmp(str, "dashes", 6)) ++if(0==strncmp(str, "dashes", 6)) + return LINE_DASHES; +-if(0==memcmp(str, "none", 4)) ++if(0==strncmp(str, "none", 4)) + return LINE_NONE; +-if(0==memcmp(str, "sunken", 6)) ++if(0==strncmp(str, "sunken", 6)) + return LINE_SUNKEN; +-if(0==memcmp(str, "dots", 4)) ++if(0==strncmp(str, "dots", 4)) + return LINE_DOTS; +-if(0==memcmp(str, "flat", 4)) ++if(0==strncmp(str, "flat", 4)) + return LINE_FLAT; +-if(0==memcmp(str, "1dot", 5)) ++if(0==strncmp(str, "1dot", 5)) + return LINE_1DOT; + } + return def; +@@ -108,12 +108,12 @@ + { + if(str && 0!=str[0]) + { +-if(0==memcmp(str, "dark", 4)) +-return 0==memcmp(&str[4], "-all", 4) ? TB_DARK_ALL : TB_DARK; +-if(0==memcmp(str, "none", 4)) ++if(0==strncmp(str, "dark", 4)) ++return 0==strncmp(&str[4], "-all", 4) ? TB_DARK_ALL : TB_DARK; ++if(0==strncmp(str, "none", 4)) + return TB_NONE; +-if(0==memcmp(str, "light", 5)) +-return 0==memcmp(&str[5], "-all", 4) ? TB_LIGHT_ALL : TB_LIGHT; ++if(0==strncmp(str, "light", 5)) ++return 0==strncmp(&str[5], "-all", 4) ? 
TB_LIGHT_ALL : TB_LIGHT; + } + return def; + } +@@ -122,15 +122,15 @@ + { + if(str && 0!=str[0]) + { +-if(0==memcmp(str, "true", 4) || 0==memcmp(str, "colored", 7)) ++if(0==strncmp(str, "true", 4) || 0==strncmp(str, "colored", 7)) + return MO_COLORED; +-if(0==memcmp(str, "thickcolored", 12)) ++if(0==strncmp(str, "thickcolored", 12)) + return MO_COLORED_THICK; +-if(0==memcmp(str, "plastik", 7)) ++if(0==strncmp(str, "plastik", 7)) + return MO_PLASTIK; +-if(0==memcmp(str, "glow", 4)) ++if(0==strncmp(str, "glow", 4)) + return MO_GLOW; +-if(0==memcmp(str, "false", 4) || 0==memcmp(str, "none", 4)) ++if(0==strncmp(str, "
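Review bot: in the first hunk of gtk2/common/config_file.cpp (@@ -88) the "1dot" comparison passes a length of 5 for a four-character literal, so strncmp also compares the terminating NUL and only an exact "1dot" matches, while the other five keywords in the same function are prefix matches on their own length. Pick one behaviour for all six; if prefix matching is intended the length should be 4.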
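Review bot: in the @@ -122 hunk the last visible comparison tests "false" with a length of 4, a mismatch carried over unchanged from the memcmp version, so any value beginning with "fals" is accepted as "false". Use 5, or better derive the length from the literal (sizeof("false") - 1) throughout this file, so hand-counted lengths cannot drift from the strings they belong to; the same mechanical replacement is otherwise sound, because strncmp stops at the NUL of a short config value where memcmp read past it.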
Bug#877937: marked as done (stretch-pu: package libdbd-firebird-perl/1.24-1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #877937, regarding stretch-pu: package libdbd-firebird-perl/1.24-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 877937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877937 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu libdbd-firebird-perl before 1.25 suffers from a bug (#877720) leading to data corruption when fetching decimal(x,y) values between -1 and 0. The fetched data is positive, instead of negative. (libdbd-firebird-perl is a driver for connecting DBI, the standard Perl database interface, to Firebird SQL server) The fix is taken from the upstream commit (of which I am also the author). Targeted patch and full source debdiff attached. -- dam b4fad5d264abafeb26e1333b74f6a5c2f75f4869 dbd_st_fetch: fix conversion of numerics between -1 and 0 diff --git a/dbdimp.c b/dbdimp.c index 1c48d7c..ff7b510 100644 --- a/dbdimp.c +++ b/dbdimp.c 
@@ -1431,20 +1431,28 @@ AV *dbd_st_fetch(SV *sth, imp_sth_t *imp_sth) #endif if (var->sqlscale == 0) { snprintf(buf, sizeof(buf), "%"DBD_IB_INT64f, i); +sv_setpvn(sv, buf, strlen(buf)); } else { +bool sign = ( i < 0 ); ISC_INT64 divisor, remainder; divisor = scales[-var->sqlscale]; +if (sign) divisor = -divisor; remainder = (i%divisor); if (remainder < 0) remainder = -remainder; -snprintf(buf, sizeof(buf), +snprintf(buf+1, sizeof(buf)-1, "%"DBD_IB_INT64f".%0*"DBD_IB_INT64f, i/divisor, -var->sqlscale, remainder); DBI_TRACE_imp_xxh(imp_sth, 3, (DBIc_LOGPIO(imp_sth), "-->SQLINT64=%"DBD_IB_INT64f".%0*"DBD_IB_INT64f,i/divisor, -var->sqlscale, remainder )); +if (sign) { +*buf = '-'; +sv_setpvn(sv, buf, strlen(buf)); +} +else { +sv_setpvn(sv, buf+1, strlen(buf+1)); +} } - -sv_setpvn(sv, buf, strlen(buf)); } break; #endif diff -Nru libdbd-firebird-perl-1.24/debian/changelog libdbd-firebird-perl-1.24/debian/changelog --- libdbd-firebird-perl-1.24/debian/changelog 2016-10-11 12:02:22.0 +0300 +++ libdbd-firebird-perl-1.24/debian/changelog 2017-10-07 18:45:00.0 +0300 @@ -1,3 +1,10 @@ +libdbd-firebird-perl (1.24-1+deb9u1) stretch; urgency=medium + + * add upstream patch fixing fetching of decimal(x,y) values between -1 and 0 +(Closes: #877720) + + -- Damyan Ivanov Sat, 07 Oct 2017 15:45:00 + + libdbd-firebird-perl (1.24-1) unstable; urgency=medium * New upstream version 1.24 diff -Nru libdbd-firebird-perl-1.24/debian/patches/decimal-fetch-between-minus-one-and-zero.patch libdbd-firebird-perl-1.24/debian/patches/decimal-fetch-between-minus-one-and-zero.patch --- libdbd-firebird-perl-1.24/debian/patches/decimal-fetch-between-minus-one-and-zero.patch 1970-01-01 02:00:00.0 +0200 +++ libdbd-firebird-perl-1.24/debian/patches/decimal-fetch-between-minus-one-and-zero.patch 2017-10-07 18:42:15.0 +0300 
@@ -0,0 +1,37 @@ +b4fad5d264abafeb26e1333b74f6a5c2f75f4869 dbd_st_fetch: fix conversion of numerics between -1 and 0 +diff --git a/dbdimp.c b/dbdimp.c +index 1c48d7c..ff7b510 100644 +--- a/dbdimp.c b/dbdimp.c +@@ -1431,20 +1431,28 @@ AV *dbd_st_fetch(SV *sth, imp_sth_t *imp_sth) + #endif + if (var->sqlscale == 0) { + snprintf(buf, sizeof(buf), "%"DBD_IB_INT64f, i); ++sv_setpvn(sv, buf, strlen(buf)); + } else { ++bool sign = ( i < 0 ); + ISC_INT64 divisor, remainder; + divisor = scales[-var->sqlscale]; ++if (sign) divisor = -divisor; + remainder = (i%divisor); + if (remainder < 0)
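Review bot: in the dbdimp.c hunk (@@ -1431, else branch of dbd_st_fetch) the DBI_TRACE_imp_xxh call still prints i/divisor and remainder, but after "if (sign) divisor = -divisor;" both are non-negative, so the trace line now shows a negative value such as -1.5 as 1.5. Trace the finished string (buf or buf+1) instead, so the log matches what sv_setpvn() stores. The three sv_setpvn() calls could also collapse into one by keeping a pointer to the start of the result, and the patch adds no test for a value between -1 and 0, which is the case the request describes.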
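The sign loss described in this request, reproduced outside the driver as an added example (not code from DBD::Firebird or from the original mail). The names `pow10_i64`, `format_before` and `format_after` are hypothetical; `raw` stands for the scaled 64-bit integer the driver receives, so -5 at scale 1 means -0.5.

```c
/* Added illustration of the decimal(x,y) sign bug; all names are hypothetical. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SCALE 18 /* 10^18 is the largest power of ten that fits in int64_t */

static int64_t pow10_i64(int scale)
{
    int64_t p = 1;
    while (scale-- > 0)
        p *= 10;
    return p;
}

/*
 * Pre-fix logic: the sign is carried only by the integer part raw/divisor.
 * For -1 < value < 0 that quotient truncates to 0, which has no sign, so
 * "-0.5" comes out as "0.5". Returns the string length, or -1 on error.
 */
int format_before(int64_t raw, int scale, char *out, size_t outlen)
{
    if (scale < 1 || scale > MAX_SCALE || outlen == 0)
        return -1;
    int64_t divisor = pow10_i64(scale);
    int64_t remainder = raw % divisor; /* takes the sign of raw in C99 */
    if (remainder < 0)
        remainder = -remainder;
    int n = snprintf(out, outlen, "%" PRId64 ".%0*" PRId64,
                     raw / divisor, scale, remainder);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/*
 * Post-fix logic: remember the sign, format the magnitude one byte into the
 * buffer, then put '-' in front. Negating the divisor (never raw) keeps
 * INT64_MIN safe, because -INT64_MIN would overflow.
 * Returns the string length, or -1 on error (out is then unspecified).
 */
int format_after(int64_t raw, int scale, char *out, size_t outlen)
{
    if (scale < 1 || scale > MAX_SCALE || outlen < 2)
        return -1;
    int negative = raw < 0;
    int64_t divisor = pow10_i64(scale);
    if (negative)
        divisor = -divisor; /* quotient is now >= 0 */
    int64_t remainder = raw % divisor;
    if (remainder < 0)
        remainder = -remainder;
    size_t avail = outlen - (size_t)negative;
    int n = snprintf(out + negative, avail, "%" PRId64 ".%0*" PRId64,
                     raw / divisor, scale, remainder);
    if (n < 0 || (size_t)n >= avail)
        return -1;
    if (negative)
        out[0] = '-';
    return n + negative;
}

int main(void)
{
    /* Constructed sample inputs: raw integer and its scale. */
    static const struct { int64_t raw; int scale; } samples[] = {
        { -5, 1 }, { -15, 1 }, { -5, 2 }, { 12345, 2 }, { INT64_MIN, 2 },
    };
    char before[64], after[64];
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        if (format_before(samples[k].raw, samples[k].scale, before, sizeof before) < 0)
            strcpy(before, "(error)");
        if (format_after(samples[k].raw, samples[k].scale, after, sizeof after) < 0)
            strcpy(after, "(error)");
        printf("raw=%" PRId64 " scale=%d  before=%s  after=%s\n",
               samples[k].raw, samples[k].scale, before, after);
    }
    return 0;
}
```

Only values strictly between -1 and 0 differ between the two functions, which is why the corruption is easy to miss in tests that use larger magnitudes.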
Bug#877420: marked as done (stretch-pu: xml2/0.4-3.1+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #877420, regarding stretch-pu: xml2/0.4-3.1+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 877420: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877420 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: pu Tags: stretch Hello, I am dealing with the package "xml2" to fix its RC bugs. A previous QA upload into Unstable was uploaded and migrated into Testing. Now I want to do some stable uploads and fix this bug inside Stretch. For previous QA upload, see https://bugs.debian.org/876286 . All fixes are taken from upstream's release tarball of next version. Debdiff attached: diff -u xml2-0.4/debian/control xml2-0.4/debian/control --- xml2-0.4/debian/control +++ xml2-0.4/debian/control @@ -1,7 +1,7 @@ Source: xml2 Section: utils Priority: optional -Maintainer: Patrick Schoenfeld +Maintainer: Debian QA Group Homepage: http://ofb.net/~egnor/xml2/ Vcs-Git: git://git.debian.org/git/collab-maint/xml2.git Vcs-Browser: http://git.debian.org/?p=collab-maint/xml2.git diff -u xml2-0.4/debian/changelog xml2-0.4/debian/changelog --- xml2-0.4/debian/changelog +++ xml2-0.4/debian/changelog 
@@ -1,3 +1,14 @@ +xml2 (0.4-3.1+deb9u1) stretch; urgency=medium + + * QA upload. + * Set maintainer to Debian QA Group. + * Backport patch to fix corruption when dealing with UTF-8 files. +(Closes: #506805; Closes: #698072) + * Backport patch to fix usage string for 2csv tool. +(Closes: #506788) + + -- Boyuan Yang <073p...@gmail.com> Sun, 01 Oct 2017 23:30:42 +0800 + xml2 (0.4-3.1) unstable; urgency=low * Non-maintainer upload. diff -u xml2-0.4/debian/patches/series xml2-0.4/debian/patches/series --- xml2-0.4/debian/patches/series +++ xml2-0.4/debian/patches/series @@ -2,0 +3,2 @@ +0003-Fix-corrupted-handling-with-UTF-8-text.patch +0004-Fix-help-msg-of-2csv-tool.patch only in patch2: unchanged: --- xml2-0.4.orig/debian/patches/0003-Fix-corrupted-handling-with-UTF-8- text.patch +++ xml2-0.4/debian/patches/0003-Fix-corrupted-handling-with-UTF-8-text.patch @@ -0,0 +1,22 @@ +From: Vincent Lefevre +Date: Sun, 1 Oct 2017 23:27:14 +0800 +Subject: Fix corrupted handling with UTF-8 text + +--- + xml2.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/xml2.c b/xml2.c +index fc94d69..d786021 100644 +--- a/xml2.c b/xml2.c +@@ -247,8 +247,7 @@ int main(int argc,char *argv[]) + init(&sax); + + if (1 == argc && !strcmp(name,"html2")) { +- ctxt = htmlCreatePushParserCtxt(&sax,NULL,NULL,0,"stdin", +- XML_CHAR_ENCODING_8859_1); ++ ctxt = htmlCreatePushParserCtxt(&sax,NULL,NULL,0,"stdin",0); + parseChunk = htmlParseChunk; + freeCtxt = htmlFreeParserCtxt; + do_compress_whitespace = 1; only in patch2: unchanged: --- xml2-0.4.orig/debian/patches/0004-Fix-help-msg-of-2csv-tool.patch +++ xml2-0.4/debian/patches/0004-Fix-help-msg-of-2csv-tool.patch 
@@ -0,0 +1,22 @@ +From: Boyuan Yang <073p...@gmail.com> +Date: Sun, 1 Oct 2017 23:30:13 +0800 +Subject: Fix help msg of 2csv tool + +--- + 2csv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/2csv.c b/2csv.c +index 7370e8c..c672b56 100644 +--- a/2csv.c b/2csv.c +@@ -4,7 +4,8 @@ + #include + + void usage(void) { +- fputs("usage: 2csv record field [field ...] < in > csv\n",stderr); ++ fputs("usage: 2csv [-q quote] [-d comma] " ++ "record field [field ...] < in > csv\n",stderr); + exit(2); + } + signature.asc Description: This is a digitally signed message part. --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
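Review bot: in the xml2.c hunk the encoding argument to `htmlCreatePushParserCtxt` becomes a bare `0`; writing it as `XML_CHAR_ENCODING_NONE`, the libxml2 enumerator with that value, would show that the change deliberately stops forcing ISO-8859-1 rather than passing an arbitrary number. The header of 0003-Fix-corrupted-handling-with-UTF-8-text.patch also carries no Description or Origin field, although the request states that the fixes come from upstream's next release tarball.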
Bug#877722: marked as done (stretch-pu: package gunicorn/19.6.0-10+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #877722, regarding stretch-pu: package gunicorn/19.6.0-10+deb9u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 877722: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877722 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to update gunicorn in stable to fix an issue where installing gunicorn brings a compiler as a dependency:

Diff (with further explanation) is:

diff --git a/debian/changelog b/debian/changelog index d6473f3..507009e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,17 @@ +gunicorn (19.6.0-10+deb9u1) stable; urgency=medium + + * Drop unnecessary Pre-Depends on dpkg-dev which was causing gunicorn and +python-gunicorn to bring in a compiler as dependencies. + +It was orignally added as dpkg-maintscript-helper was being used in the +preinst script, requires a pre-dependency to ensure that the required +version of dpkg has been unpacked before. However, this version of +dpkg-dev is satisfiable in stretch. + +Thanks to Neil Williams for the bug report. (Closes: #877712) + + -- Chris Lamb Wed, 04 Oct 2017 21:11:20 +0100 + gunicorn (19.6.0-10) unstable; urgency=medium * Move debian/README.Debian → debian/NEWS. diff --git a/debian/control b/debian/control index 3b0c8fe..3d060b8 100644 
--- a/debian/control +++ b/debian/control @@ -19,7 +19,6 @@ Homepage: http://gunicorn.org/ Package: gunicorn Architecture: all -Pre-Depends: dpkg-dev (>= 1.15.7.2) Depends: python-gunicorn (= ${binary:Version}), python-pkg-resources, @@ -83,7 +82,6 @@ Description: Event-based HTTP/WSGI server (Python 3 version) Package: python-gunicorn Architecture: all -Pre-Depends: dpkg-dev (>= 1.15.7.2) Depends: python-pkg-resources, python-setuptools, @@ -138,7 +136,6 @@ Description: Event-based HTTP/WSGI server (Python 3 libraries) Package: gunicorn-examples Architecture: all -Pre-Depends: dpkg-dev (>= 1.15.7.2) Depends: ${misc:Depends}, ${python3:Depends}, Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
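Review bot: the changelog entry names only gunicorn and python-gunicorn, but the third debian/control hunk (`@@ -138,7 +136,6 @@`) drops the same `Pre-Depends: dpkg-dev (>= 1.15.7.2)` from gunicorn-examples; list that package in the entry as well. The rationale paragraph also switches between "dpkg" and "dpkg-dev": dpkg-maintscript-helper is shipped by dpkg, so the entry should say which package the preinst actually needs and why no pre-dependency is required in stretch.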
Bug#877503: marked as done (stretch-pu: package mongodb/1:3.2.11-2)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #877503, regarding stretch-pu: package mongodb/1:3.2.11-2 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 877503: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877503 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear SRMs,

I would like to update MongoDB in Stretch to address a couple of issues, namely:

- #876755: GCC 6 and later optimizes out some null pointer checks. It appears that this breaks the bundled version of spidermonkey (38) and causes null pointer dereferences. This is fixed by disabling the relevant GCC optimizations for the spidermonkey build.

- #871906: Since Stretch, our kernels have enabled 48-bit virtual addressing on aarch64. MongoDB's embedded spidermonkey crashes on kernels with 48-bit VA support, as it assumes that all pointers have 17 bits clear that can be used for tagging. This is fixed by cherry-picking a patch from Mozilla upstream that uses manual malloc(3) hints to make sure the malloc()'d regions comply with this requirement.

- #864407: mongodb.service lacks an `After=network.target' statement, so startup will fail on system boot if mongodb is asked to bind to a non-wildcard, non-localhost address.

Full source debdiff attached.
Regards, Apollon diff -Nru mongodb-3.2.11/debian/changelog mongodb-3.2.11/debian/changelog --- mongodb-3.2.11/debian/changelog 2016-12-15 20:04:56.0 +0200 +++ mongodb-3.2.11/debian/changelog 2017-10-02 11:14:03.0 +0300 @@ -1,3 +1,11 @@ +mongodb (1:3.2.11-2+deb9u1) stretch; urgency=medium + + * Fix segfault/FTBFS on ARM64 with 48-bit virtual addresses (Closes: #871906) + * Fix spidermonkey GC segfault when built with GCC 6 (Closes: #876755) + * mongodb.service: start after network.target (Closes: #864407) + + -- Apollon Oikonomopoulos Mon, 02 Oct 2017 11:14:03 +0300 + mongodb (1:3.2.11-2) unstable; urgency=medium * Drop armhf builds; currently FTBFS and is unsupported upstream diff -Nru mongodb-3.2.11/debian/gbp.conf mongodb-3.2.11/debian/gbp.conf --- mongodb-3.2.11/debian/gbp.conf 2016-12-15 12:23:28.0 +0200 +++ mongodb-3.2.11/debian/gbp.conf 2017-10-02 11:13:41.0 +0300 @@ -1,5 +1,7 @@ [DEFAULT] pristine-tar = True +debian-branch = stable/stretch +dist = stretch [git-import-orig] filter = ['debian/*','lib/*'] diff -Nru mongodb-3.2.11/debian/mongodb-server.mongodb.service mongodb-3.2.11/debian/mongodb-server.mongodb.service --- mongodb-3.2.11/debian/mongodb-server.mongodb.service 2016-12-15 12:23:28.0 +0200 +++ mongodb-3.2.11/debian/mongodb-server.mongodb.service 2017-10-02 11:13:06.0 +0300 @@ -1,6 +1,7 @@ [Unit] Description=An object/document-oriented database Documentation=man:mongod(1) +After=network.target [Service] User=mongodb diff -Nru mongodb-3.2.11/debian/patches/arm64-48bit-va-compat.patch mongodb-3.2.11/debian/patches/arm64-48bit-va-compat.patch --- mongodb-3.2.11/debian/patches/arm64-48bit-va-compat.patch 1970-01-01 02:00:00.0 +0200 +++ mongodb-3.2.11/debian/patches/arm64-48bit-va-compat.patch 2017-10-02 11:11:46.0 +0300 
@@ -0,0 +1,61 @@ +Author: Zheng Xu + Description: Manually mmap on arm64 to ensure high 17 bits are clear. r=ehoogeveen + There might be 48-bit VA on arm64 depending on kernel configuration. + Manually mmap heap memory to align with the assumption made by JS engine. +Comment: Obtained from https://hg.mozilla.org/mozilla-central/raw-rev/dfaafbaaa291 +Last-Update: 2017-09-25 +Forwarded: no +Bug-Debian: https://bugs.debian.org/871906 +--- a/src/third_party/mozjs-38/extract/js/src/gc/Memory.cpp b/src/third_party/mozjs-38/extract/js/src/gc/Memory.cpp +@@ -379,7 +379,7 @@ + MapMemoryAt(void* desired, size_t length, int prot = PROT_READ | PROT_WRITE, + int flags = MAP_PRIVATE | MAP_ANON, int fd = -1, off_t offset = 0) + { +-#if defined(__ia64__) || (defined(__sparc64__) && defined(__NetBSD__)) ++#if defined(__ia64__) || (defined(__sparc64__) && defined(__NetBSD__)) || defined(__aarch64__) + MOZ_ASSERT(0x8000ULL & (uintptr_t(desired) + length - 1) == 0); + #endif + void* region = mmap(desired, length, prot, flags, fd, offset); +@@ -429,6 +429,41 @@ + return nullptr; + } + return
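Review bot: `After=network.target` in the mongodb-server.mongodb.service hunk only orders the unit after the network management stack has been started, not after addresses are configured, so binding to a specific non-localhost address at boot (the case described for #864407) can still race. `After=network-online.target` together with `Wants=network-online.target` is the ordering systemd documents for a service that needs a configured address.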
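Review bot: the `MOZ_ASSERT` that the first Memory.cpp hunk now enables for `__aarch64__` is written `0x8000ULL & (uintptr_t(desired) + length - 1) == 0`; `==` binds tighter than `&`, so the expression compares the address with zero first and then masks that boolean, which does not test the high address bits at all. Since this patch is what makes the assertion apply on arm64, parenthesise the mask operation, `(mask & addr) == 0`, in the same change.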
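The pointer-tagging assumption described for #871906, as an added example that is not code from MongoDB, Mozilla or the patch above: it shows why an address with bit 47 set cannot survive a 17-bit tag, and a simplified form of the hinted-mmap idea. The 47/17 split follows the "17 bits clear" statement in the request; all function names, the tag value and the two sample addresses are constructed for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes MAP_ANON on glibc under strict -std modes */
#endif
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>

/* Assumed layout: pointer payload in the low 47 bits, tag in the high 17. */
#define TAG_SHIFT 47
#define PAYLOAD_MASK ((UINT64_C(1) << TAG_SHIFT) - 1)

/* Constructed sample values, not taken from any real process. */
#define ADDR_47BIT UINT64_C(0x00007f1234567000) /* fits in 47 bits */
#define ADDR_48BIT UINT64_C(0x0000ffff9c001000) /* bit 47 set (48-bit VA) */
#define SAMPLE_TAG 0x1FFF4u                     /* any 17-bit tag */

/* 1 when the high 17 bits of addr are clear, i.e. the address is taggable. */
int high17_clear(uint64_t addr) { return (addr & ~PAYLOAD_MASK) == 0; }

uint64_t box_pointer(uint64_t addr, uint32_t tag)
{
    return ((uint64_t)tag << TAG_SHIFT) | addr;
}

uint64_t unbox_pointer(uint64_t boxed) { return boxed & PAYLOAD_MASK; }
uint32_t unbox_tag(uint64_t boxed) { return (uint32_t)(boxed >> TAG_SHIFT); }

/* 1 when both the pointer and the tag come back unchanged. */
int roundtrip_ok(uint64_t addr, uint32_t tag)
{
    uint64_t boxed = box_pointer(addr, tag);
    return unbox_pointer(boxed) == addr && unbox_tag(boxed) == tag;
}

/*
 * Simplified sketch of allocation by hint: ask the kernel for a mapping near
 * a low address and keep it only if its last byte is still taggable.
 */
void *map_with_clear_high_bits(size_t length)
{
    uint64_t hint;

    for (hint = UINT64_C(1) << 32; hint < (UINT64_C(1) << TAG_SHIFT); hint <<= 1) {
        void *region = mmap((void *)(uintptr_t)hint, length,
                            PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANON, -1, 0);
        if (region == MAP_FAILED)
            continue;
        if (high17_clear((uint64_t)(uintptr_t)region + length - 1))
            return region;
        munmap(region, length); /* kernel placed it too high: try next hint */
    }
    return NULL;
}

int main(void)
{
    uint64_t boxed = box_pointer(ADDR_48BIT, SAMPLE_TAG);
    void *region = map_with_clear_high_bits(65536);

    printf("47-bit address round-trips: %d\n", roundtrip_ok(ADDR_47BIT, SAMPLE_TAG));
    printf("48-bit address round-trips: %d\n", roundtrip_ok(ADDR_48BIT, SAMPLE_TAG));
    printf("48-bit address comes back as %#llx with tag %#x\n",
           (unsigned long long)unbox_pointer(boxed), unbox_tag(boxed));
    printf("hinted mapping at %p\n", region);
    if (region != NULL)
        munmap(region, 65536);
    return 0;
}
```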
Bug#877640: marked as done (stretch-pu: package sqlite3/3.16.2-5+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #877640, regarding stretch-pu: package sqlite3/3.16.2-5+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 877640: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877640 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi SRMs, I'd like to fix CVE-2017-10989 in SQLite3 for Stretch, which is a heap-based buffer over-read via undersized RTree blobs. It's considered remotely exploitable, still marked as no-DSA by the Security Team. Still, worth fixing via the point update, proposed patch is attached. Thanks for considering, Laszlo/GCSdiff -Nru sqlite3-3.16.2/debian/changelog sqlite3-3.16.2/debian/changelog --- sqlite3-3.16.2/debian/changelog 2017-06-08 22:07:42.0 + +++ sqlite3-3.16.2/debian/changelog 2017-10-03 16:13:44.0 + 
@@ -1,3 +1,10 @@ +sqlite3 (3.16.2-5+deb9u1) stretch; urgency=medium + + * Fix CVE-2017-10989 , heap-based buffer over-read via undersized RTree +blobs (closes: #867618). + + -- Laszlo Boszormenyi (GCS) Tue, 03 Oct 2017 16:13:44 + + sqlite3 (3.16.2-5) unstable; urgency=medium * Backport fix for corruption due to REPLACE in an auto-vacuumed database. diff -Nru sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch --- sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch 1970-01-01 00:00:00.0 + +++ sqlite3-3.16.2/debian/patches/51-CVE-2017-10989.patch 2017-10-03 16:13:44.0 + @@ -0,0 +1,47 @@ +Index: sqlite3/ext/rtree/rtree.c +== +--- sqlite3/ext/rtree/rtree.c sqlite3/ext/rtree/rtree.c +@@ -3207,10 +3207,14 @@ + pRtree->zDb, pRtree->zName + ); + rc = getIntFromStmt(db, zSql, &pRtree->iNodeSize); + if( rc!=SQLITE_OK ){ + *pzErr = sqlite3_mprintf("%s", sqlite3_errmsg(db)); ++}else if( pRtree->iNodeSize<(512-64) ){ ++ rc = SQLITE_CORRUPT; ++ *pzErr = sqlite3_mprintf("undersize RTree blobs in \"%q_node\"", ++ pRtree->zName); + } + } + + sqlite3_free(zSql); + return rc; + +Index: sqlite3/ext/rtree/rtreeA.test +== +--- sqlite3/ext/rtree/rtreeA.test sqlite3/ext/rtree/rtreeA.test +@@ -213,8 +213,21 @@ + } {} + do_corruption_tests rtreeA-6.1 { + 1 "DELETE FROM t1 WHERE rowid = 5" + 2 "UPDATE t1 SET x1=x1+1, x2=x2+1" + } ++ ++#- ++# Truncated blobs in the _node table. ++# ++create_t1 ++populate_t1 ++sqlite3 db test.db ++do_execsql_test rtreeA-7.100 { ++ UPDATE t1_node SET data=x'' WHERE rowid=1; ++} {} ++do_catchsql_test rtreeA-7.110 { ++ SELECT * FROM t1 WHERE x1>0 AND x1<100 AND x2>0 AND x2<100; ++} {1 {undersize RTree blobs in "t1_node"}} + + + finish_test + diff -Nru sqlite3-3.16.2/debian/patches/series sqlite3-3.16.2/debian/patches/series --- sqlite3-3.16.2/debian/patches/series 2017-06-08 22:07:42.0 + +++ sqlite3-3.16.2/debian/patches/series 2017-10-03 16:13:44.0 + 
@@ -13,3 +13,4 @@ 42-JSON-2_2.patch 43-JSON-3.patch 50-REPLACE_corruption_fix.patch +51-CVE-2017-10989.patch --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
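Review bot: the new check in the rtree.c hunk, `pRtree->iNodeSize<(512-64)`, hard-codes its threshold with no explanation; a named constant or a one-line comment saying where 512 and 64 come from would let a later reader confirm the bound is the right one for every supported page size.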
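Review bot: the rtreeA.test hunk only exercises an empty node blob (`UPDATE t1_node SET data=x''`), which is the easiest case for the new `iNodeSize<(512-64)` test to catch; add a case with a short but non-empty blob, and ideally one just below the threshold, so the boundary itself is covered by rtreeA-7.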
Bug#877403: marked as done (stretch-pu: package dbus/1.10.24-0+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #877403, regarding stretch-pu: package dbus/1.10.24-0+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 877403: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877403 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu I've made another upstream stable release of dbus, and as usual I'd like to update stretch via stretch-p-u, to minimize weirdness and diffstat if I have to do a security release later. There is nothing particularly vital here, and I can revert or fix anything that the SRMs are not happy with. If you want to say "yes but only after 9.2", that would also be fine. This upstream release is in testing already (versioned as 1.11.16+really1.10.24-1 due to an unfortunate dch -r accident). This will probably be the last 1.10.x release in testing/unstable, since I'm planning to move to the 1.11.x branch in preparation for starting a 1.12.0 stable branch upstream. The attached debdiff excludes ./configure, which gets regenerated during the build. (I still need to smoke-test this on a real stretch system, which I'll do before upload; it passes autopkgtests though.) 
Thanks, smcv debdiff dbus_1.10.{22,24}-0+deb9u1.dsc | filterdiff --exclude='*/configure' diffstat for dbus-1.10.22 dbus-1.10.24 NEWS | 26 ++ aclocal.m4|2 bus/activation.c | 10 +- bus/config-loader-expat.c | 14 +++ bus/connection.c | 13 +-- bus/connection.h |2 bus/dispatch.c| 56 ++--- bus/driver.c |4 bus/signals.c | 15 ++- config.h.in |3 configure | 48 +++ configure.ac | 12 ++ dbus/dbus-sysdeps-unix.c | 11 +- debian/changelog | 21 test/monitor.c| 197 +++--- tools/dbus-send.c |2 16 files changed, 363 insertions(+), 73 deletions(-) diff -Nru dbus-1.10.22/aclocal.m4 dbus-1.10.24/aclocal.m4 --- dbus-1.10.22/aclocal.m4 2017-07-27 14:03:36.0 +0100 +++ dbus-1.10.24/aclocal.m4 2017-09-25 21:03:14.0 +0100 @@ -883,7 +883,7 @@ dnl supported. (2.0 was released on October 16, 2000). dnl FIXME: Remove the need to hard-code Python versions here. m4_define_default([_AM_PYTHON_INTERPRETER_LIST], -[python python2 python3 python3.5 python3.4 python3.3 python3.2 python3.1 python3.0 python2.7 dnl +[python python2 python3 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python3.1 python3.0 python2.7 dnl python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0]) AC_ARG_VAR([PYTHON], [the Python interpreter]) diff -Nru dbus-1.10.22/bus/activation.c dbus-1.10.24/bus/activation.c --- dbus-1.10.22/bus/activation.c 2017-02-16 13:46:23.0 + +++ dbus-1.10.24/bus/activation.c 2017-09-25 14:54:34.0 +0100 @@ -1967,6 +1967,7 @@ DBusString service_string; BusService *service; BusRegistry *registry; + DBusConnection *systemd = NULL; /* OK, we have a systemd service configured for this entry, hence let's enqueue an activation request message. This 
@@ -2015,11 +2016,14 @@ _dbus_string_init_const (&service_string, "org.freedesktop.systemd1"); service = bus_registry_lookup (registry, &service_string); + if (service) +systemd = bus_service_get_primary_owners_connection (service); + /* Following the general principle of "log early and often", * we capture that we *want* to send the activation message, even if * systemd is not actually there to receive it yet */ if (!bus_transaction_capture (activation_transaction, -NULL, message)) +NULL, systemd, message)) { dbus_message_unref (message); BUS_SET_OOM (error); @@ -2033,8 +2037,8 @@ service_name, entry->systemd_service); /* Wonderful, systemd is connected, let's just send the msg */ - retval = bus_dispatch_matches (activation_transaction, NULL,
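Review bot: in the second bus/activation.c hunk `systemd` stays NULL whenever `bus_registry_lookup` finds no owner for org.freedesktop.systemd1, and that NULL is then passed as the new argument to `bus_transaction_capture`; the surrounding comment says this path is expected ("even if systemd is not actually there to receive it yet"), so the prototype in bus/connection.h, which the diffstat shows changing but which is not visible here, should document the parameter as nullable and the callee should be checked for an unconditional dereference.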
Bug#877043: marked as done (stretch-pu: package weechat/1.6-1+deb9u2)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #877043, regarding stretch-pu: package weechat/1.6-1+deb9u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 877043: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877043 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi weechat in stretch is affected by CVE-2017-14727, tracked as #876553. > * logger: call strftime before replacing buffer local variables >(CVE-2017-14727) (Closes: #876553) https://weechat.org/news/98/20170923-Version-1.9.1-security-release/ Attached proposed debdiff for the stretch point release. Regards, Salvatore diff -Nru weechat-1.6/debian/changelog weechat-1.6/debian/changelog --- weechat-1.6/debian/changelog2017-04-29 16:31:58.0 +0200 +++ weechat-1.6/debian/changelog2017-09-27 20:53:31.0 +0200 
@@ -1,3 +1,11 @@ +weechat (1.6-1+deb9u2) stretch; urgency=medium + + * Non-maintainer upload. + * logger: call strftime before replacing buffer local variables +(CVE-2017-14727) (Closes: #876553) + + -- Salvatore Bonaccorso Wed, 27 Sep 2017 20:53:31 +0200 + weechat (1.6-1+deb9u1) stretch; urgency=medium * Non-maintainer upload. diff -Nru weechat-1.6/debian/patches/03_logger-call-strftime-before-replacing-buffer-local-v.patch weechat-1.6/debian/patches/03_logger-call-strftime-before-replacing-buffer-local-v.patch --- weechat-1.6/debian/patches/03_logger-call-strftime-before-replacing-buffer-local-v.patch 1970-01-01 01:00:00.0 +0100 +++ weechat-1.6/debian/patches/03_logger-call-strftime-before-replacing-buffer-local-v.patch 2017-09-27 20:53:31.0 +0200 
@@ -0,0 +1,158 @@ +From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= +Date: Sat, 23 Sep 2017 09:36:09 +0200 +Subject: logger: call strftime before replacing buffer local variables +Origin: https://github.com/weechat/weechat/commit/f105c6f0b56fb5687b2d2aedf37cb1d1b434d556 +Bug-Debian: https://bugs.debian.org/876553 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14727 + +--- + src/plugins/logger/logger.c | 88 ++--- + 2 files changed, 51 insertions(+), 44 deletions(-) + + +diff --git a/src/plugins/logger/logger.c b/src/plugins/logger/logger.c +index 1abc3efc7..347f1d5a6 100644 +--- a/src/plugins/logger/logger.c b/src/plugins/logger/logger.c +@@ -295,71 +295,71 @@ logger_get_mask_for_buffer (struct t_gui_buffer *buffer) + char * + logger_get_mask_expanded (struct t_gui_buffer *buffer, const char *mask) + { +-char *mask2, *mask_decoded, *mask_decoded2, *mask_decoded3, *mask_decoded4; +-char *mask_decoded5; ++char *mask2, *mask3, *mask4, *mask5, *mask6, *mask7; + const char *dir_separator; + int length; + time_t seconds; + struct tm *date_tmp; + + mask2 = NULL; +-mask_decoded = NULL; +-mask_decoded2 = NULL; +-mask_decoded3 = NULL; +-mask_decoded4 = NULL; +-mask_decoded5 = NULL; ++mask3 = NULL; ++mask4 = NULL; ++mask5 = NULL; ++mask6 = NULL; ++mask7 = NULL; + + dir_separator = weechat_info_get ("dir_separator", ""); + if (!dir_separator) + return NULL; + ++/* replace date/time specifiers in mask */ ++length = strlen (mask) + 256 + 1; ++mask2 = malloc (length); ++if (!mask2) ++goto end; ++seconds = time (NULL); ++date_tmp = localtime (&seconds); ++mask2[0] = '\0'; ++if (strftime (mask2, length - 1, mask, date_tmp) == 0) ++mask2[0] = '\0'; ++ + /* + * we first replace directory separator (commonly '/') by \01 because + * buffer mask can contain this char, and will be replaced by replacement + * char ('_' by default) + */ +-mask2 = weechat_string_replace (mask, dir_separator, "\01"); +-if (!mask2) ++mask3 = weechat_string_replace (mask2, dir_separator, 
"\01"); ++if (!mask3) + goto end; + +-mask_decoded = weechat_buffer_string_replace_local_var (buffer, mask2); +-if (!mask_decoded) ++mask4 = weechat_buffer_string_replace_local_var (buffer, mask3); ++if (!mask4) + goto end; + +-mask_decoded2 = weechat_string_replace (mask_decoded, +-dir_separator, +-weec
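Review bot: in the added block at the top of `logger_get_mask_expanded`, a zero return from `strftime (mask2, length - 1, mask, date_tmp)` is handled by setting `mask2[0] = '\0'` and carrying on, so a mask whose expansion does not fit in the extra 256 bytes silently becomes an empty log file mask; taking the existing `goto end` path and returning NULL would make that failure visible to the caller instead.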
Bug#877366: marked as done (stretch-pu: package abiword/3.0.2-2+deb9u1)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #877366, regarding stretch-pu: package abiword/3.0.2-2+deb9u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 877366: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877366 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org X-Debbugs-Cc:abiw...@packages.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: stretch Severity: normal The attached debdiff fixes a flickering bug that makes Abiword nearly unusable for some users. https://bugs.debian.org/851052 The patch was rejected upstream because it doesn't work for GNOME on Wayland. But Debian's GNOME does not default to Wayland in Stretch. And Abiword is more commonly used on less powerful desktop environments instead of the resource-intensive GNOME. This patch was uploaded to unstable (and Ubuntu 17.10 Beta) as 3.0.2-3 just now. The package was uploaded with urgency: high so it should be in testing in a few days. It builds on all architectures so far. I didn't want to delay filing this bug in case it wasn't quite too late for Debian 9.2. Sorry for the late request. Thanks, Jeremy Bicha abiword-flickering-stretch.debdiff Description: Binary data --- End Message --- --- Begin Message --- Version: 9.3 Hi, Each of the updates referenced in these bugs was included in this morning's stretch point release. Thanks! Regards, Adam--- End Message ---
Bug#876527: marked as done (stretch-pu: package gdm3/3.22.3-3)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #876527, regarding stretch-pu: package gdm3/3.22.3-3 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 876527: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876527 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

XDMCP support in gdm 3.22 is currently completely broken (see: #873199).

I've backported some patches from the later releases and from git master to fix this. The majority of the patches are already included in sid/buster version, the other ones will be included in the 2nd of October point release.

I've tested this locally with one client (both direct and indirect connections) and it's working as expected.
Regards, Laurent Bigonville -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.13.0-trunk-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) diff -Nru gdm3-3.22.3/debian/changelog gdm3-3.22.3/debian/changelog --- gdm3-3.22.3/debian/changelog2017-06-06 20:17:04.0 +0200 +++ gdm3-3.22.3/debian/changelog2017-09-23 11:56:40.0 +0200 @@ -1,3 +1,10 @@ +gdm3 (3.22.3-3+deb9u1) stretch; urgency=medium + + * Backports a bunch of patches to fix XDMCP support including a potential +cracher (Closes: #873199, #814989) + + -- Laurent Bigonville Sat, 23 Sep 2017 11:56:40 +0200 + gdm3 (3.22.3-3) unstable; urgency=medium * libgdm1: add breaks/replaces on good old gdm. Who knows how many users diff -Nru gdm3-3.22.3/debian/patches/chooser-filter-out-duplicate-hostnames.patch gdm3-3.22.3/debian/patches/chooser-filter-out-duplicate-hostnames.patch --- gdm3-3.22.3/debian/patches/chooser-filter-out-duplicate-hostnames.patch 1970-01-01 01:00:00.0 +0100 +++ gdm3-3.22.3/debian/patches/chooser-filter-out-duplicate-hostnames.patch 2017-09-23 11:56:40.0 +0200 
@@ -0,0 +1,72 @@ +From 2738cc21830eee9468c83608504d6bf719f8ac03 Mon Sep 17 00:00:00 2001 +From: Ray Strode +Date: Fri, 31 Mar 2017 15:40:21 -0400 +Subject: [PATCH] chooser: filter out duplicate hostnames + +One host may report itself on multiple interfaces. +GDM only supports based on hostname not interface, +so that leads duplicate entries in the list. + +This commit filters out the dupes. + +https://bugzilla.gnome.org/show_bug.cgi?id=780787 +--- + chooser/gdm-host-chooser-widget.c | 34 +- + 1 file changed, 33 insertions(+), 1 deletion(-) + +diff --git a/chooser/gdm-host-chooser-widget.c b/chooser/gdm-host-chooser-widget.c +index f8aabf3e..e2507900 100644 +--- a/chooser/gdm-host-chooser-widget.c b/chooser/gdm-host-chooser-widget.c +@@ -119,6 +119,33 @@ chooser_host_remove (GdmHostChooserWidget *widget, + } + #endif + ++static gboolean ++address_hostnames_equal (GdmAddress *address, ++ GdmAddress *other_address) ++{ ++char *hostname, *other_hostname; ++gboolean are_equal; ++ ++if (gdm_address_equal (address, other_address)) { ++return TRUE; ++} ++ ++if (!gdm_address_get_hostname (address, &hostname)) { ++gdm_address_get_numeric_info (address, &hostname, NULL); ++} ++ ++if (!gdm_address_get_hostname (other_address, &other_hostname)) { ++gdm_address_get_numeric_info (other_address, &other_hostname, NULL); ++} ++ ++are_equal = g_strcmp0 (hostname, other_hostname) == 0; ++ ++g_free (hostname); ++g_free (other_hostname); ++ ++return are_equal; ++} ++ + static GdmChooserHost * + find_known_host (GdmHostChooserWidget *widget, + GdmAddress *address) +@@ -127,8 +154,13 @@ find_known_host (GdmHostChooserWidget *widget, + GdmChooserHost *host; + + for (li = widget->priv->chooser_hosts; li != NULL; li = li->next) { ++GdmAddress *other_address; ++ + host = li->data; +-if (gdm_address_equal (gdm_choo
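Review bot: in the new `address_hostnames_equal`, `hostname` and `other_hostname` are declared without an initialiser and the return value of the `gdm_address_get_numeric_info` fallback is ignored, so unless both helpers always write their out parameter, a double failure hands indeterminate pointers to `g_strcmp0` and `g_free`. Initialise both to NULL at declaration; `g_strcmp0` and `g_free` accept NULL, so the rest of the function can stay as it is.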
Bug#877045: marked as done (jessie-pu: package weechat/1.0.1-1+deb8u2)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #877045, regarding jessie-pu: package weechat/1.0.1-1+deb8u2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 877045: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877045 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi weechat in jessie is affected by CVE-2017-14727, tracked as #876553. > * logger: call strftime before replacing buffer local variables >(CVE-2017-14727) (Closes: #876553) https://weechat.org/news/98/20170923-Version-1.9.1-security-release/ Attached proposed debdiff for the jessie point release. Regards, Salvatore diff -Nru weechat-1.0.1/debian/changelog weechat-1.0.1/debian/changelog --- weechat-1.0.1/debian/changelog 2017-04-25 07:01:43.0 +0200 +++ weechat-1.0.1/debian/changelog 2017-09-27 21:27:15.0 +0200 
@@ -1,3 +1,11 @@ +weechat (1.0.1-1+deb8u2) jessie; urgency=medium + + * Non-maintainer upload. + * logger: call strftime before replacing buffer local variables +(CVE-2017-14727) (Closes: #876553) + + -- Salvatore Bonaccorso Wed, 27 Sep 2017 21:27:15 +0200 + weechat (1.0.1-1+deb8u1) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru weechat-1.0.1/debian/patches/0001-logger-call-strftime-before-replacing-buffer-local-v.patch weechat-1.0.1/debian/patches/0001-logger-call-strftime-before-replacing-buffer-local-v.patch --- weechat-1.0.1/debian/patches/0001-logger-call-strftime-before-replacing-buffer-local-v.patch 1970-01-01 01:00:00.0 +0100 +++ weechat-1.0.1/debian/patches/0001-logger-call-strftime-before-replacing-buffer-local-v.patch 2017-09-27 21:27:15.0 +0200 
@@ -0,0 +1,152 @@ +From: =?UTF-8?q?S=C3=A9bastien=20Helleu?= +Date: Sat, 23 Sep 2017 09:36:09 +0200 +Subject: logger: call strftime before replacing buffer local variables +Origin: https://github.com/weechat/weechat/commit/f105c6f0b56fb5687b2d2aedf37cb1d1b434d556 +Bug-Debian: https://bugs.debian.org/876553 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14727 + +--- + src/plugins/logger/logger.c | 88 ++--- + 2 files changed, 51 insertions(+), 44 deletions(-) + + +--- a/src/plugins/logger/logger.c b/src/plugins/logger/logger.c +@@ -316,71 +316,71 @@ logger_get_mask_for_buffer (struct t_gui + char * + logger_get_mask_expanded (struct t_gui_buffer *buffer, const char *mask) + { +-char *mask2, *mask_decoded, *mask_decoded2, *mask_decoded3, *mask_decoded4; +-char *mask_decoded5; ++char *mask2, *mask3, *mask4, *mask5, *mask6, *mask7; + const char *dir_separator; + int length; + time_t seconds; + struct tm *date_tmp; + + mask2 = NULL; +-mask_decoded = NULL; +-mask_decoded2 = NULL; +-mask_decoded3 = NULL; +-mask_decoded4 = NULL; +-mask_decoded5 = NULL; ++mask3 = NULL; ++mask4 = NULL; ++mask5 = NULL; ++mask6 = NULL; ++mask7 = NULL; + + dir_separator = weechat_info_get ("dir_separator", ""); + if (!dir_separator) + return NULL; + ++/* replace date/time specifiers in mask */ ++length = strlen (mask) + 256 + 1; ++mask2 = malloc (length); ++if (!mask2) ++goto end; ++seconds = time (NULL); ++date_tmp = localtime (&seconds); ++mask2[0] = '\0'; ++if (strftime (mask2, length - 1, mask, date_tmp) == 0) ++mask2[0] = '\0'; ++ + /* + * we first replace directory separator (commonly '/') by \01 because + * buffer mask can contain this char, and will be replaced by replacement + * char ('_' by default) + */ +-mask2 = weechat_string_replace (mask, dir_separator, "\01"); +-if (!mask2) ++mask3 = weechat_string_replace (mask2, dir_separator, "\01"); ++if (!mask3) + goto end; + +-mask_decoded = weechat_buffer_string_replace_local_var (buffer, mask2); +-if 
(!mask_decoded) ++mask4 = weechat_buffer_string_replace_local_var (buffer, mask3); ++if (!mask4) + goto end; + +-mask_decoded2 = weechat_string_replace (mask_decoded, +-dir_separator, +-weechat_config_string (logger_config_file_replacement_char)); +-if
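Review bot: in the new strftime block near the top of logger_get_mask_expanded, the pointer returned by localtime (&seconds) goes straight into strftime without a NULL check; localtime can return NULL, so test date_tmp and take the existing "goto end" path before the call. The added comment "/* replace date/time specifiers in mask */" also does not say why this step has to run before weechat_buffer_string_replace_local_var; since that ordering is the whole fix for CVE-2017-14727, the comment should state that buffer local variables must never reach strftime as format input, so that a later refactor does not move the call back. When strftime returns 0 the code resets mask2 to an empty string and continues, so it would help to confirm that an empty mask is the intended result rather than an error return.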
Bug#876706: marked as done (stretch-pu: package liblouis/3.0.0-3)
Your message dated Sat, 09 Dec 2017 10:46:36 + with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in stretch point release has caused the Debian Bug report #876706, regarding stretch-pu: package liblouis/3.0.0-3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 876706: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876706 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hello, Several CVEs have been reported against liblouis in Bug#874302. The upstream fixes have been tested for 6 days in Debian unstable then 5 days in Debian testing. I propose to upload them to stable too, as attached debdiff shows. 
Samuel -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'oldoldstable'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.13.0 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru liblouis-3.0.0/debian/changelog liblouis-3.0.0/debian/changelog --- liblouis-3.0.0/debian/changelog 2016-09-14 00:46:35.0 +0200 +++ liblouis-3.0.0/debian/changelog 2017-09-25 01:16:30.0 +0200 @@ -1,3 +1,14 @@ +liblouis (3.0.0-3+deb9u1) stretch; urgency=medium + + * debian/patches/CVE-2017-13738-and-2017-13744.patch: New patch. + * debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch: New +patch + * debian/patches/CVE-2017-13741.patch: New patch. + * debian/patches/CVE-2017-13741-2.patch: New patch. + * debian/patches/CVE-2017-13743.patch: New patch. + + -- Samuel Thibault Mon, 25 Sep 2017 01:16:30 +0200 + liblouis (3.0.0-3) unstable; urgency=medium * Upload to unstable. diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch --- liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch 1970-01-01 01:00:00.0 +0100 +++ liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch 2017-09-25 01:14:10.0 +0200 
@@ -0,0 +1,19 @@ +From edf8ee00197e5a9b062554bdca00fe1617d257a4 Mon Sep 17 00:00:00 2001 +From: Mike Gorse +Date: Tue, 29 Aug 2017 16:55:29 -0500 +Subject: [PATCH] Fix possible out-of-bounds write from a \ followed by + multiple newlines + +Fixes CVE-2017-13738 and CVE-2017-13744. +Index: liblouis-3.0.0/liblouis/compileTranslationTable.c +=== +--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c liblouis-3.0.0/liblouis/compileTranslationTable.c +@@ -573,6 +573,7 @@ getALine (FileInfo * nested) + if (pch == '\\' && ch == 10) + { + nested->linelen--; ++pch = ch; + continue; + } + if (ch == 10 || nested->linelen >= MAXSTRING) diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch --- liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch 1970-01-01 01:00:00.0 +0100 +++ liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch 2017-09-25 01:14:10.0 +0200 @@ -0,0 +1,28 @@ +From d8cfdf1ab64a4c9c6685efe45bc735f68dac618c Mon Sep 17 00:00:00 2001 +From: Mike Gorse +Date: Wed, 30 Aug 2017 12:53:02 -0500 +Subject: [PATCH] resolveSubtable: Fix buffer overflow parsing a malformed + table + +The subtable's name can theoretically be up to MAXSTRING characters long. +The base name is then copied into a buffer, and the subtable's name is +appended, so we should allocate more than MAXSTRING bytes for the buffer. + +Fixes CVE-2017-13739, CVE-2017-13740, and CVE-2017-13742. +--- + liblouis/compileTranslationTable.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: liblouis-3.0.0/liblouis/compileTranslationTable.c +=== +--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c liblouis-3.0.0/liblouis/compileTranslat
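Review bot: in the getALine hunk, "nested->linelen--" still has no lower bound; the added "pch = ch;" stops a run of newlines after a backslash from decrementing it repeatedly, but adding "nested->linelen > 0" to the same condition would be cheap defense in depth against the index going negative by any other route. In the changelog hunk, the entry lists the five new patches without naming the report they answer; the request cites Bug#874302, so the entry should reference it. The first embedded patch (CVE-2017-13738-and-2017-13744.patch) has no "---" separator or diffstat after its description, unlike the second one, which is worth making consistent.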
Bug#876638: marked as done (jessie-pu: package db/5.1.29-9+deb8u1)
Your message dated Sat, 09 Dec 2017 10:47:53 + with message-id <1512816473.1994.32.ca...@adam-barratt.org.uk> and subject line Closing bugs for updates included in jessie point release has caused the Debian Bug report #876638, regarding jessie-pu: package db/5.1.29-9+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 876638: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876638 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu db in jessie is affected by the CVE-2017-10140 ("Berkeley DB reads DB_CONFIG from cwd"), no bug in BTS filed for that since src:db was removed from unstable. The NMU for src:db5.3 to unstable back at the end of August has not raised any regression reports we would be aware of. We think, though, it's still safer to have it via point release and have it for a short time exposed as well via proposed-updates (once, and if accepted). The changelog reads as: >db (5.1.29-9+deb8u1) jessie; urgency=medium > > * Non-maintainer upload. > * CVE-2017-10140: Reads DB_CONFIG from the current working directory. >Do not access DB_CONFIG when db_home is not set. > > -- Salvatore Bonaccorso Sun, 24 Sep 2017 11:12:52 +0200 Attached is the full proposed debdiff. Regards, Salvatore diff -Nru db-5.1.29/debian/changelog db-5.1.29/debian/changelog --- db-5.1.29/debian/changelog 2014-08-19 14:49:46.0 +0200 +++ db-5.1.29/debian/changelog 2017-09-24 11:12:52.0 +0200 
@@ -1,3 +1,11 @@ +db (5.1.29-9+deb8u1) jessie; urgency=medium + + * Non-maintainer upload. + * CVE-2017-10140: Reads DB_CONFIG from the current working directory. +Do not access DB_CONFIG when db_home is not set. + + -- Salvatore Bonaccorso Sun, 24 Sep 2017 11:12:52 +0200 + db (5.1.29-9) unstable; urgency=medium * Fix for FTBFS on ppc64el (Courtesy of Matthias Klose/Ubuntu) diff -Nru db-5.1.29/debian/patches/CVE-2017-10140-cwd-db_config.patch db-5.1.29/debian/patches/CVE-2017-10140-cwd-db_config.patch --- db-5.1.29/debian/patches/CVE-2017-10140-cwd-db_config.patch 1970-01-01 01:00:00.0 +0100 +++ db-5.1.29/debian/patches/CVE-2017-10140-cwd-db_config.patch 2017-09-24 11:12:52.0 +0200 @@ -0,0 +1,22 @@ +Description: CVE-2017-10140: Reads DB_CONFIG from the current working directory + Do not access DB_CONFIG when db_home is not set. +Origin: vendor, https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-10140 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464032 +Bug-SuSE: https://bugzilla.novell.com/show_bug.cgi?id=1043886 +Forwarded: no +Author: Petr Kubat +Reviewed-by: Salvatore Bonaccorso +Last-Update: 2017-08-17 + +--- db-5.3.28/src/env/env_open.c.old 2017-06-26 10:32:11.011419981 +0200 db-5.3.28/src/env/env_open.c 2017-06-26 10:32:46.893721233 +0200 +@@ -473,7 +473,7 @@ + env->db_mode = mode == 0 ? DB_MODE_660 : mode; + + /* Read the DB_CONFIG file. */ +- if ((ret = __env_read_db_config(env)) != 0) ++ if (env->db_home != NULL && (ret = __env_read_db_config(env)) != 0) + return (ret); + + /* diff -Nru db-5.1.29/debian/patches/series db-5.1.29/debian/patches/series --- db-5.1.29/debian/patches/series 2014-08-19 14:49:46.0 +0200 +++ db-5.1.29/debian/patches/series 2017-09-24 11:12:52.0 +0200 
@@ -6,3 +6,4 @@ 006-mutex_alignment.patch 007-link-sql-libs.patch libtool-update.diff +CVE-2017-10140-cwd-db_config.patch --- End Message --- --- Begin Message --- Version: 8.10 Hi, Each of the updates referenced in these bugs was included in this morning's jessie point release. Thanks! Regards, Adam --- End Message ---
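Review bot: in the env_open.c hunk of the db debdiff, the comment "/* Read the DB_CONFIG file. */" above the changed condition is no longer accurate, because the read is now skipped whenever env->db_home is NULL; the comment should say that and give the reason (CVE-2017-10140, DB_CONFIG picked up from the current working directory). The embedded patch keeps the Fedora file paths for db-5.3.28 while it is applied to db-5.1.29, so its Description should record that it was checked to apply to 5.1.29 without fuzz. Applications that relied on a DB_CONFIG in the working directory with no home set lose that configuration silently after this change, which merits a NEWS entry alongside the changelog line.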