Bug#944238: buster-pu: package debian-edu-config/2.10.65+deb10u2
On Fri, Nov 08, 2019 at 10:10:54PM +, Adam D. Barratt wrote: > Control: tags -1 + confirmed [...] > Please go ahead. thanks, uploaded. -- cheers, Holger --- holger@(debian|reproducible-builds|layer-acht).org PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C signature.asc Description: PGP signature
Bug#944396: transition: exiv2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition New upstream, new soversion. Ben file: title = "exiv2"; is_affected = .depends ~ "libexiv2-14" | .depends ~ "libexiv2-27"; is_good = .depends ~ "libexiv2-27"; is_bad = .depends ~ "libexiv2-14"; -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (200, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.3.0-1-amd64 (SMP w/16 CPU cores) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
Processed: Re: stretch-pu: package python-flask-rdf/0.2.0-1.1~deb9u1
Processing control commands: > tag -1 - moreinfo Bug #887324 [release.debian.org] stretch-pu: package python-flask-rdf/0.2.0-1.1~deb9u1 Removed tag(s) moreinfo. -- 887324: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887324 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#887324: stretch-pu: package python-flask-rdf/0.2.0-1.1~deb9u1
Followup-For: Bug #887324 Control: tag -1 - moreinfo On Thu, 22 Aug 2019 15:07:42 +0200 Andreas Beckmann wrote: > On 21/08/2019 00.30, Adam D. Barratt wrote: > >> That is not sufficient: #896358, #896385 > >> > >> ImportError: No module named 'rdflib' > > > > What's the status here? > > Still reproducible in sid (same version as in buster), just reopened > the bugs. Obviously the Depends: python{3,}-rdflib has to be added manually. Seen that in sid, applied to buster and now to stretch on top of the previous patch. Andreas diff -Nru python-flask-rdf-0.2.0/debian/changelog python-flask-rdf-0.2.0/debian/changelog --- python-flask-rdf-0.2.0/debian/changelog 2016-04-04 20:59:20.0 +0200 +++ python-flask-rdf-0.2.0/debian/changelog 2019-11-09 02:45:10.0 +0100 @@ -1,3 +1,19 @@ +python-flask-rdf (0.2.0-1.1~deb9u1) stretch; urgency=medium + + * Non-maintainer upload. + * Rebuild for stretch. + * Add (Build-)Depends on python{3,}-rdflib. (Closes: #896358, #896385) + + -- Andreas Beckmann Sat, 09 Nov 2019 02:45:10 +0100 + +python-flask-rdf (0.2.0-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix the missing dependencies in python3-flask-rdf. +(Closes: #867429) + + -- Adrian Bunk Fri, 04 Aug 2017 15:27:27 +0300 + python-flask-rdf (0.2.0-1) unstable; urgency=medium * Imported Upstream version 0.2.0 diff -Nru python-flask-rdf-0.2.0/debian/control python-flask-rdf-0.2.0/debian/control --- python-flask-rdf-0.2.0/debian/control 2016-04-04 20:57:50.0 +0200 +++ python-flask-rdf-0.2.0/debian/control 2019-11-09 02:27:06.0 +0100 @@ -9,7 +9,9 @@ python-setuptools, python3-setuptools, python-mimeparse (>= 0.1.4), - python3-mimeparse + python3-mimeparse, + python-rdflib, + python3-rdflib, Standards-Version: 3.9.7 Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/python-flask-rdf.git Vcs-Git: https://anonscm.debian.org/git/collab-maint/python-flask-rdf.git @@ -19,6 +21,7 @@ Architecture: all Depends: ${python:Depends}, ${misc:Depends}, + python-rdflib, python-mimeparse (>= 0.1.4) Description: Flask decorator to output RDF using content negotiation (Python 2) Apply the @flask_rdf decorator to a view function and return an rdflib @@ -35,8 +38,9 @@ Package: python3-flask-rdf Architecture: all -Depends: ${python:Depends}, +Depends: ${python3:Depends}, ${misc:Depends}, + python3-rdflib, python3-mimeparse Description: Flask decorator to output RDF using content negotiation (Python 3) Apply the @flask_rdf decorator to a view function and return an rdflib
Bug#940595: transition: hypre
On 2019-11-09 05:45, Paul Gevers wrote: Hi Drew, On 03-11-2019 21:01, Paul Gevers wrote: On 30-10-2019 08:26, Drew Parsons wrote: So yes, the unversioned libhypre package name is certainly the option that will preserve the greatest sanity (I'll proceed directly with 2.18.2 once you give the thumbs up). Thumbs up. All migrated. Closing this bug. Thanks Paul. Since we've got this ABI-free upstream with hypre, to save overworking you with future patch updates for little patch version updates (Z in X.Y.Z), I'm thinking to treat them as minor, so proceeding without a formal transition. I can request a binNMU for petsc/sundials/slepc. Alternatively, more often than not there's a petsc upgrade waiting at the same time as a hypre upgrade (for example petsc 3.12 is waiting in experimental at the moment). Maybe next time we can consider running a joint hypre/petsc/slepc transition. To save the busywork of hypre patch version transitions. Drew
Bug#944390: buster-pu: package python-flask-rdf/0.2.1-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Let's add the missing Depends on python{3,}-rdflib. Andreas diff -Nru python-flask-rdf-0.2.1/debian/changelog python-flask-rdf-0.2.1/debian/changelog --- python-flask-rdf-0.2.1/debian/changelog 2018-07-08 18:12:13.0 +0200 +++ python-flask-rdf-0.2.1/debian/changelog 2019-11-09 01:56:51.0 +0100 @@ -1,3 +1,10 @@ +python-flask-rdf (0.2.1-1+deb10u1) buster; urgency=medium + + * Non-maintainer upload. + * Add Depends on python{3,}-rdflib. (Closes: #896358, #896385) + + -- Andreas Beckmann Sat, 09 Nov 2019 01:56:51 +0100 + python-flask-rdf (0.2.1-1) unstable; urgency=medium * New upstream version 0.2.1 diff -Nru python-flask-rdf-0.2.1/debian/control python-flask-rdf-0.2.1/debian/control --- python-flask-rdf-0.2.1/debian/control 2018-07-08 18:00:19.0 +0200 +++ python-flask-rdf-0.2.1/debian/control 2019-11-09 01:56:43.0 +0100 @@ -21,6 +21,7 @@ Architecture: all Depends: ${python:Depends}, ${misc:Depends}, + python-rdflib, python-mimeparse (>= 0.1.4) Description: Flask decorator to output RDF using content negotiation (Python 2) Apply the @flask_rdf decorator to a view function and return an rdflib @@ -39,6 +40,7 @@ Architecture: all Depends: ${python3:Depends}, ${misc:Depends}, + python3-rdflib, python3-mimeparse Description: Flask decorator to output RDF using content negotiation (Python 3) Apply the @flask_rdf decorator to a view function and return an rdflib
Bug#943594: buster-pu: package libapache-mod-auth-kerb/5.4-2.4~deb10u1
On Fri, 2019-11-08 at 22:06 +, Adam D. Barratt wrote: > Please go ahead. Signed and uploaded the source package. -- bye, pabs https://wiki.debian.org/PaulWise signature.asc Description: This is a digitally signed message part
Bug#942486: buster-pu: package shelldap/1.4.0-4+deb10u1
hi Adam, On Fri, Nov 08, 2019 at 09:52:28PM +, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Thu, 2019-10-17 at 08:52 +0200, Salvatore Bonaccorso wrote: > > I was asked if we can address #941411 ("shelldap: sometimes falls > > back to simple auth when it should do sasl") as well for buster. The > > severity is not very high, so you might want to dispute this but it > > fixes the issue seen. > > > > Uwe reported that when calling shelldap repeatedly it sometimes fails > > and this was due in Net::LDAP in the bind() method the iteration > > through %ptype happens in different orderings. > > > > We forwarded the original issue to upstream at > > https://github.com/mahlonsmith/shelldap/issues/2 resulting in the > > changes: > > > > - Don't provide a password for sasl authentication (adressing the > >original concern) > > - Fix sasl for DIGEST-MD5, PLAIN, and LOGIN mechanisms > > Please go ahead; thanks. Thank you; done. Regards, Salvatore
Uploading linux (5.3.9-1)
I intend to upload linux version 5.3.9-1 to unstable tomorrow (Saturday). The pending changes include: * Update to upstream version 5.3.9 * debian/bin/gencontrol_signed.py: Fix code style error * Add maint scripts to meta-packages to convert doc directories to symlinks (Closes: #942861) * debian/README.source: Document code signing and how to test it * debian/tests/control: Mark python test as superficial * [arm64] linux-headers: Disable check for a 32-bit compiler (Closes: #943953) * crypto: Enable PKCS8_PRIVATE_KEY_PARSER as module (Closes: #924705) * [amd64/cloud-amd64] Re-enable RTC drivers. (closes: #931341) * [x86] Enable missing modules and setting: CONFIG_HUAWEI_WMI, CONFIG_I2C_MULTI_INSTANTIATE, CONFIG_INTEL_TURBO_MAX_3 * [arm64] udeb: Add i2c-rk3x to i2c-modules * [arm64,armhf] udeb: Add rockchip-io-domain to kernel-image * drivers/net/ethernet/amazon: Backport driver fixes from v5.4-rc5 Building a new version will probably fix #942881 (invalid signed module). There will be an ABI bump. Ben. -- Ben Hutchings The two most common things in the universe are hydrogen and stupidity. signature.asc Description: This is a digitally signed message part
Bug#944384: nmu: ros-*-msgs
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu Hi, ros-gencpp in version 0.6.2-3 doesn't sort elements before generating headers during the build of ros-*-msgs resulting in multi arch problems. This has been fixed in ros-gencpp 0.6.2-4. Please binnmu the following packages to align all headers again and make the multi arch hinter happy: nmu ros-common-msgs_1.12.7-2 . ANY . unstable . -m "rebuild against ros-gencpp 0.6.2-4" nmu ros-navigation-msgs_1.13.1-1 . ANY . unstable . -m "rebuild against ros-gencpp 0.6.2-4" nmu ros-navigation-msgs_1.13.1-1 . ANY . unstable . -m "rebuild against ros-gencpp 0.6.2-4" nmu ros-ros-comm-msgs_1.11.2-10 . ANY . unstable . -m "rebuild against ros-gencpp 0.6.2-4" nmu ros-std-msgs_0.5.12-2 . ANY . unstable . -m "rebuild against ros-gencpp 0.6.2-4" Thanks Jochen -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.3.8 (SMP w/8 CPU cores) Kernel taint flags: TAINT_UNSIGNED_MODULE Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
Bug#943846: buster-pu: package python-cryptography/2.6.1-3+deb10u2
On Fri, Nov 08, 2019 at 10:09:07PM +, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Wed, 2019-10-30 at 16:44 +0100, Moritz Muehlenhoff wrote: > > (This is a followup update on top of the +deb10u1 already in s-p-u, > > I've reached out to Tristan beforehand) > > > > Attached debdiff fixes a memory leak in python-cryptography, which > > was noticed in an ACME-related service ( > > https://wikitech.wikimedia.org/wiki/Acme-chief) > > running on Buster. It has been verified that the updated packages > > fix the memory leak (and are otherwise working fine as well). > > > > Please go ahead. Uploaded. Cheers, Moritz
Processed: Re: Bug#944238: buster-pu: package debian-edu-config/2.10.65+deb10u2
Processing control commands: > tags -1 + confirmed Bug #944238 [release.debian.org] buster-pu: package debian-edu-config/2.10.65+deb10u2 Added tag(s) confirmed. -- 944238: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944238 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#944238: buster-pu: package debian-edu-config/2.10.65+deb10u2
Control: tags -1 + confirmed On Wed, 2019-11-06 at 22:22 +0800, Holger Levsen wrote: > We'd like to update debian-edu-config in buster to fix one important > (#944013 debian-edu-config: adjusted ini files needed to match > changed behaviour of firefox-esr 68.2.0esr) and one normal bug: > > debian-edu-config (2.10.65+deb10u2) UNRELEASED; urgency=medium > > * Adjust share/debian-edu-config/d-i/finish-install: (Closes: > #941574) > - Use 'dpkg-reconfigure -u --no-reload debian-edu-config' to add > post-up > stanza to /etc/network/interfaces eth0 entry conditionally. > * Cope with Firefox-ESR ini files that need to be different (as of > version > 68.2.0esr) to further allow centralized configuration: (Closes: > #944013) > - Add share/debian-edu-config/profiles.ini.ff (Firefox-ESR > profiles.ini). > - Add share/debian-edu-config/installs.ini (now needed in > addition for users > that don't have a Firefox-ESR profile, i.e. new users). > - Adjust share/debian-edu-config/tools/gosa-create which is used > to copy > the related Firefox-ESR ini files. > - Ajust Makefile. > - Adjust ldap-tools/ldap-debian-edu-install (fix for the first > user). > Please go ahead. Regards, Adam
Bug#943846: buster-pu: package python-cryptography/2.6.1-3+deb10u2
Control: tags -1 + confirmed On Wed, 2019-10-30 at 16:44 +0100, Moritz Muehlenhoff wrote: > (This is a followup update on top of the +deb10u1 already in s-p-u, > I've reached out to Tristan beforehand) > > Attached debdiff fixes a memory leak in python-cryptography, which > was noticed in an ACME-related service ( > https://wikitech.wikimedia.org/wiki/Acme-chief) > running on Buster. It has been verified that the updated packages > fix the memory leak (and are otherwise working fine as well). > Please go ahead. Regards, Adam
Processed: Re: Bug#943846: buster-pu: package python-cryptography/2.6.1-3+deb10u2
Processing control commands: > tags -1 + confirmed Bug #943846 [release.debian.org] buster-pu: package python-cryptography/2.6.1-3+deb10u2 Added tag(s) confirmed. -- 943846: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943846 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#942827: buster-pu: package ndppd/0.2.5-4+deb10u1
Processing control commands: > tags -1 + confirmed Bug #942827 [release.debian.org] buster-pu: package ndppd/0.2.5-4+deb10u1 Added tag(s) confirmed. -- 942827: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942827 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#943594: buster-pu: package libapache-mod-auth-kerb/5.4-2.4~deb10u1
Control: tags -1 + confirmed On Sun, 2019-10-27 at 14:10 +0800, Paul Wise wrote: > This brings the fix for a use after free crash to buster. > Since there were no other changes between buster and bullseye, > I elected to just add a "backport to buster" changelog. Please go ahead. Regards, Adam
Processed: Re: Bug#943766: buster-pu: package libofx/1:0.9.14-1+deb10u1
Processing control commands: > tags -1 + confirmed Bug #943766 [release.debian.org] buster-pu: package libofx/1:0.9.14-1+deb10u1 Added tag(s) confirmed. -- 943766: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943766 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#942827: buster-pu: package ndppd/0.2.5-4+deb10u1
Control: tags -1 + confirmed On Tue, 2019-10-22 at 09:18 +0200, Jean-Michel Vourgère wrote: > In buster, ndppd has a world writable pid file. This prevent the > daemon to be stop/restarted, which is a real pain when you set it up. Please go ahead. Regards, Adam
Bug#943766: buster-pu: package libofx/1:0.9.14-1+deb10u1
Control: tags -1 + confirmed On Tue, 2019-10-29 at 15:21 +0100, Dylan Aïssi wrote: > Upstream has fixed CVE-2019-9656, this CVE is non-dsa. I already > backported patches to unstable (#924350) and now I would like to fix > the Buster version. Please find attached a debdiff. > Please go ahead. Regards, Adam
Processed: Re: Bug#943594: buster-pu: package libapache-mod-auth-kerb/5.4-2.4~deb10u1
Processing control commands: > tags -1 + confirmed Bug #943594 [release.debian.org] buster-pu: package libapache-mod-auth-kerb/5.4-2.4~deb10u1 Added tag(s) confirmed. -- 943594: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943594 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#942575: buster-pu: package openjpeg2/2.3.0-2+deb10u1
Control: tags -1 + confirmed On Fri, 2019-10-18 at 13:23 +0200, Hugo Lefeuvre wrote: > as discussed in #939553[0], no DSA will be issued by the security > team for CVE-2018-21010 and this vulnerability can be fixed via -pu. > The attached debdiff addresses this issue, along with CVE-2018-20847. Please go ahead; thanks. Regards, Adam
Processed: Re: Bug#942575: buster-pu: package openjpeg2/2.3.0-2+deb10u1
Processing control commands: > tags -1 + confirmed Bug #942575 [release.debian.org] buster-pu: package openjpeg2/2.3.0-2+deb10u1 Added tag(s) confirmed. -- 942575: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942575 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#942520: buster-pu: package oar/2.5.8-1
Processing control commands: > tags -1 + confirmed Bug #942520 [release.debian.org] buster-pu: package oar/2.5.8-1 Added tag(s) confirmed. -- 942520: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942520 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#942486: buster-pu: package shelldap/1.4.0-4+deb10u1
Control: tags -1 + confirmed On Thu, 2019-10-17 at 08:52 +0200, Salvatore Bonaccorso wrote: > I was asked if we can address #941411 ("shelldap: sometimes falls > back to simple auth when it should do sasl") as well for buster. The > severity is not very high, so you might want to dispute this but it > fixes the issue seen. > > Uwe reported that when calling shelldap repeatedly it sometimes fails > and this was due in Net::LDAP in the bind() method the iteration > through %ptype happens in different orderings. > > We forwarded the original issue to upstream at > https://github.com/mahlonsmith/shelldap/issues/2 resulting in the > changes: > > - Don't provide a password for sasl authentication (adressing the >original concern) > - Fix sasl for DIGEST-MD5, PLAIN, and LOGIN mechanisms Please go ahead; thanks. Regards, Adam
Bug#942520: buster-pu: package oar/2.5.8-1
Control: tags -1 + confirmed On Thu, 2019-10-17 at 15:48 +0200, Vincent Danjean wrote: > The default behavior of perl Storable::dclone function changed > in buster, setting a default maximum recursion in the structures > [1], [2]. > This change has not been spotted before the release, but now > that buster is released and that big clusters are switching to > buster, this bug has been found (before the release, oar was > tested only on smaller cluster). > So, we sould like to revert to the old behavior of Storable::dclone > in the oar package (it is just two variables to set), so that > oar in buster still works on big cluster (> 1000 cores). > Please go ahead. Regards, Adam
Processed: Re: Bug#942486: buster-pu: package shelldap/1.4.0-4+deb10u1
Processing control commands: > tags -1 + confirmed Bug #942486 [release.debian.org] buster-pu: package shelldap/1.4.0-4+deb10u1 Added tag(s) confirmed. -- 942486: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942486 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#944009: buster-pu: package ncurses/6.1+20181013-2+deb10u2
On 2019-11-08 19:52 +, Adam D. Barratt wrote: > On Wed, 2019-11-06 at 11:54 +, Adam D. Barratt wrote: >> Control: tags -1 + confirmed d-i >> >> On 2019-11-02 19:10, Sven Joachim wrote: >> > I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster, >> > fixing >> > several bugs in tic's parser which have been reported last >> > month. Two >> > of them are heap buffer overflows that have been assigned CVE >> > numbers >> > and a Debian bug[1], two others are out-of-bound-reads and one an >> > infinite loop. >> > >> > I have verified that the reported crashes and the infinite loop >> > which I >> > could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to be >> > fixed, >> > at >> > least with the submitted corrupt input files. Also, the compiled >> > terminfo files in ncurses-base and ncurses-term are identical to >> > the >> > ones currently in buster. >> > >> > This upload touches the tinfo library which is used in the >> > installer, >> > however to the best of my knowledge the changed functions are only >> > used >> > by tic and not by any other packages. >> >> Nevertheless I'd appreciate a formal ACK there. > > Given that the window for getting fixes into the 10.2 point release > closes this weekend, feel free to upload and we'll wait for the d-i ack > before deciding whether to include it in 10.2. Thanks, uploaded. Cheers, Sven
Bug#941713: buster-pu: package ntpsec/1.1.3+dfsg1-2+deb10u1
Control: tags -1 + confirmed On Fri, 2019-10-04 at 00:54 -0500, Richard Laager wrote: > This is my first time with the Debian proposed update process (though > I have done my own Ubuntu SRU once), so please bear with me and let > me know if I've done anything wrong. Seems OK to me. :-) > The debdiff from the current version in Buster is attached. All of > these > fixes are in the version of ntpsec in Debian unstable. > > > This upload is to fix several things, most importantly the first two: > > * Backport fix for slow DNS retries (Closes: 924192) > > The user described this pretty well, "What seems to be happening is > that if DNS is not immediately available when ntpsec starts, it waits > about 10 minutes before trying again. Ten minutes is too long." > > This is fixed by backporting an upstream commit which has made it > into an upstream point release. > > > * Fix ntpdate -s (syslog) to fix the if-up hook (Closes: 931414) [...] > It may be controversial that I'm including fixes for bugs in man > pages, including some without Debian bug numbers. The fixes below are > trivial and only affect two (related) man pages. I likely would not > have made a buster update for them alone, but since I'm making an > update anyway, it seemed reasonable to me to include those fixes. Indeed. That basically matches our policy - documentation fixes are generally fine when part of a larger update, but not usually on their own unless the incorrect documentation causes a severe bug. Please go ahead with the upload. Regards, Adam
Processed: Re: Bug#941713: buster-pu: package ntpsec/1.1.3+dfsg1-2+deb10u1
Processing control commands: > tags -1 + confirmed Bug #941713 [release.debian.org] buster-pu: package ntpsec/1.1.3+dfsg1-2+deb10u1 Added tag(s) confirmed. -- 941713: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941713 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#941683: buster-pu: package node-yarnpkg/1.13.0-1+deb10u1
Control: tags -1 + confirmed On Thu, 2019-10-03 at 20:57 +0200, Xavier Guimard wrote: > node-yarnpkg is vulnerable: it exports auth data in http requests > (#941354, CVE-2019-5448). This patch imports upstream fix. Please go ahead; thanks. Regards, Adam
Processed: Re: Bug#941683: buster-pu: package node-yarnpkg/1.13.0-1+deb10u1
Processing control commands: > tags -1 + confirmed Bug #941683 [release.debian.org] buster-pu: package node-yarnpkg/1.13.0-1+deb10u1 Added tag(s) confirmed. -- 941683: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941683 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#941365: buster-pu: package libimobiledevice/1.2.1~git20181030.92c5462-2
Processing control commands: > tags -1 + moreinfo Bug #941365 [release.debian.org] buster-pu: package libimobiledevice/1.2.1~git20181030.92c5462-2 Added tag(s) moreinfo. -- 941365: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941365 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#941365: buster-pu: package libimobiledevice/1.2.1~git20181030.92c5462-2
Control: tags -1 + moreinfo On Sun, 2019-09-29 at 18:48 +0200, Yves-Alexis Perez wrote: > libimobiledevice in Buster has some issue with devices running iOS > 13+. Backup using idevicebackup2 never finishes, apparently because > of some behavior change in newer iOS version. > > With coordination with upstream > (https://github.com/libimobiledevice/libimobiledevice/issues/848) a > small fix was identified. > > Would it be possible to upload a fixed package to Buster at some > point? > The fix is not yet in sid (a previous package is waiting in NEW, I'll > upload a package fix soon) so it's more a pre-approval. Sorry for the delay in getting back to you. That sounds OK, but it looks like the fix still hasn't made it to sid, so I'm tagging this as moreinfo for now. Please remove the tag and confirm the final debdiff once that's sorted. Regards, Adam
Bug#941365: buster-pu: package libimobiledevice/1.2.1~git20181030.92c5462-2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, 2019-11-08 at 20:53 +, Adam D. Barratt wrote: > Sorry for the delay in getting back to you. Yeah, this time it's me who's really sorry. > > That sounds OK, but it looks like the fix still hasn't made it to sid, > so I'm tagging this as moreinfo for now. Please remove the tag and > confirm the final debdiff once that's sorted. Indeed, I'm still waiting on upstream to actually chose the way they bump the soname… I still don't have any answer on https://github.com/libimobiledevice/libusbmuxd/issues/81 I'll keep you posted as soon as possible. Regards, - -- Yves-Alexis -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAl3F1koACgkQ3rYcyPpX RFsL6ggAwAdOO596ztCsGMlHNWQ9Ch5QsXFKPLb70yJaBPOyVerr1Rq98ctNnGvH Z3U1oQRrm3GhUo5wWIZ+Z5POlByxaWKbwCcVbStUQBnVtxxuG5cfgAEyH3aO87mc BP2J3KHLQO86WYRRy0fG/b6swgl7581VEiaz97zJ1vovhckQwdpzPrSG9/NjdYLH SwGGZ5HykgUMYnyynuVOW24IVh6nqqd5vB2Q89AB9YOwzx616DL16QNC1U1t8xJX g45zciLGKW+fnxYV0QJ2oYnEVEXal8UdLcq9rC8v2KErhn5by/vADLnzttpu2h5T NtJc7uXKpG14bLO6tw233QL7kkW55A== =wUH1 -END PGP SIGNATURE-
Bug#940595: marked as done (transition: hypre)
Your message dated Fri, 8 Nov 2019 21:45:47 +0100 with message-id <85c2e705-e20f-ddc3-b2ad-525a47f01...@debian.org> and subject line Re: Bug#940595: transition: hypre has caused the Debian Bug report #940595, regarding transition: hypre to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 940595: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940595 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition I'd like to proceed with the hypre transition to 2.17.0. I've tested that petsc and sundials build successfully with the new hypre. Ben file: title = "hypre"; is_affected = .depends ~ "libhypre-2.16.0" | .depends ~ "libhypre-2.17.0"; is_good = .depends ~ "libhypre-2.17.0"; is_bad = .depends ~ "libhypre-2.16.0"; -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled --- End Message --- --- Begin Message --- Hi Drew, On 03-11-2019 21:01, Paul Gevers wrote: > On 30-10-2019 08:26, Drew Parsons wrote: >> So yes, the unversioned libhypre package name is certainly the option >> that will preserve the greatest sanity (I'll proceed directly with >> 2.18.2 once you give the thumbs up). > > Thumbs up. All migrated. Closing this bug. Paul signature.asc Description: OpenPGP digital signature --- End Message ---
Bug#944162: marked as done (transition: proftpd-dfsg)
Your message dated Fri, 8 Nov 2019 21:44:12 +0100 with message-id <53c001d4-8b7c-ccd9-71b2-2f7b12830...@debian.org> and subject line Re: Bug#944162: transition: proftpd-dfsg has caused the Debian Bug report #944162, regarding transition: proftpd-dfsg to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 944162: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944162 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition This transition was already started by the recent proftpd upload, but is not caught caught automatically since it is a virtual package name that has changed. Ben file: title = "proftpd-dfsg"; is_affected = .depends ~ "/proftpd-abi-/"; is_good = .depends ~ "proftpd-abi-1.3.6b"; is_bad = .depends ~ "proftpd-abi-1.3.6"; -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 5.3.0-1-686-pae (SMP w/1 CPU core) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) --- End Message --- --- Begin Message --- Hi Hilmar, On 05-11-2019 13:15, Hilmar Preusse wrote: > This transition was already started by the recent proftpd upload, but is > not caught caught automatically since it is a virtual package name that > has changed. This all migrated to testing, so closing this bug. Paul signature.asc Description: OpenPGP digital signature --- End Message ---
Processed: Re: Bug#940647: buster-pu: package libmysofa/0.6~dfsg0-3
Processing control commands: > tags -1 + confirmed Bug #940647 [release.debian.org] buster-pu: package libmysofa/0.6~dfsg0-3 Added tag(s) confirmed. -- 940647: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940647 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: bug 944310 is forwarded to https://release.debian.org/transitions/html/r-api-bioc-3.10.html
Processing commands for cont...@bugs.debian.org: > forwarded 944310 > https://release.debian.org/transitions/html/r-api-bioc-3.10.html Bug #944310 [release.debian.org] transition: r-api-bioc-3.10 Set Bug forwarded-to-address to 'https://release.debian.org/transitions/html/r-api-bioc-3.10.html'. > thanks Stopping processing here. Please contact me if you need assistance. -- 944310: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944310 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#940647: buster-pu: package libmysofa/0.6~dfsg0-3
Control: tags -1 + confirmed On Wed, 2019-09-18 at 14:42 +0200, IOhannes m zmoelnig wrote: > the binary package libmysofa0 is used by VLC (the ubiquitous media > player) and the ffmpeg framework (the ubiquitous media framework), > and consequently has a popcon of 43382. > > The src:libmysofa package has been assigned a number of CVEs and a > cumulative Debian bug #939735. > The issues (NULL-pointer access, out-of-bound reads, invalid reads > and writes) have been promptly fixed by upstream, who have released a > new version (0.8). > Please go ahead. Sorry for the delay. Regards, Adam
Bug#944374: buster-pu: package fonts-noto-cjk/1:20170601+repack1-3+deb10u1
Control: tags -1 + confirmed On Fri, 2019-11-08 at 14:01 -0500, Boyuan Yang wrote: > A solution for https://bugs.debian.org/907999 was recently found and > the fix has been tested and pushed onto Sid. Since this bug also > affects Stable, it would be better to have it fixed through a stable- > pu as well. > > The bug lies in a Debian-provided fontconfig file (70-fonts-noto- > cjk.conf) and the old version was using the "prepend_first" attribute > to adjust the font priority under Chinese-locale systems, which turns > out to be buggy and made font rendering to be ignoring font fallback > info in CSS files and forcefully using Noto CJK fonts under certain > scenarios in web browsers like Firefox and > Chromium. This proposed patch would solve this bug. > Please go ahead. Regards, Adam
Bug#944009: buster-pu: package ncurses/6.1+20181013-2+deb10u2
On Wed, 2019-11-06 at 11:54 +, Adam D. Barratt wrote: > Control: tags -1 + confirmed d-i > > On 2019-11-02 19:10, Sven Joachim wrote: > > I would like to upload ncurses 6.1+20181013-2+deb10u2 to buster, > > fixing > > several bugs in tic's parser which have been reported last > > month. Two > > of them are heap buffer overflows that have been assigned CVE > > numbers > > and a Debian bug[1], two others are out-of-bound-reads and one an > > infinite loop. > > > > I have verified that the reported crashes and the infinite loop > > which I > > could reproduce in ncurses 6.1+20181013-2+deb10u1 appear to be > > fixed, > > at > > least with the submitted corrupt input files. Also, the compiled > > terminfo files in ncurses-base and ncurses-term are identical to > > the > > ones currently in buster. > > > > This upload touches the tinfo library which is used in the > > installer, > > however to the best of my knowledge the changed functions are only > > used > > by tic and not by any other packages. > > Nevertheless I'd appreciate a formal ACK there. Given that the window for getting fixes into the 10.2 point release closes this weekend, feel free to upload and we'll wait for the d-i ack before deciding whether to include it in 10.2. Regards, Adam
Processed: Re: Bug#944374: buster-pu: package fonts-noto-cjk/1:20170601+repack1-3+deb10u1
Processing control commands: > tags -1 + confirmed Bug #944374 [release.debian.org] buster-pu: package fonts-noto-cjk/1:20170601+repack1-3+deb10u1 Added tag(s) confirmed. -- 944374: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944374 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#944133: buster-pu: package glib2.0/2.58.3-2+deb10u2
On Wed, 2019-11-06 at 12:08 +, Adam D. Barratt wrote: > Control: tags -1 + confirmed d-i > > On 2019-11-04 19:12, Simon McVittie wrote: > > A recent security fix to ibus (CVE-2019-14822, #940267, DSA-4525-1) > > exposed an interoperability bug between GLib's implementation of D- > > Bus > > and the reference implementation libdbus (#941018). The practical > > impact > > is that Qt clients cannot use the updated ibus input method until > > GLib > > is fixed. > > > > This has been fixed in the upstream master and 2.62.x branches and > > in unstable, and I've prepared backports for buster (this bug) > > and stretch (I'll open a separate bug when I have a successful > > build/autopkgtest/piuparts pipeline). > > This looks OK to me, but will need a d-i ACK due to the udeb build; > thanks. Given that the window for getting fixes into the 10.2 point release closes this weekend, feel free to upload and we'll wait for the d-i ack before deciding whether to include it in 10.2. Regards, Adam
Bug#944374: buster-pu: package fonts-noto-cjk/1:20170601+repack1-3+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-CC: debian-fo...@lists.debian.org Dear Release Team, A solution for https://bugs.debian.org/907999 was recently found and the fix has been tested and pushed onto Sid. Since this bug also affects Stable, it would be better to have it fixed through a stable-pu as well. The bug lies in a Debian-provided fontconfig file (70-fonts-noto-cjk.conf) and the old version was using the "prepend_first" attribute to adjust the font priority under Chinese-locale systems, which turns out to be buggy and made font rendering to be ignoring font fallback info in CSS files and forcefully using Noto CJK fonts under certain scenarios in web browsers like Firefox and Chromium. This proposed patch would solve this bug. Please review the fix and let me know if there's any question. The full debdiff is provided as attachment. -- Regards, Boyuan Yang diff -Nru fonts-noto-cjk-20170601+repack1/debian/70-fonts-noto-cjk.conf fonts-noto-cjk-20170601+repack1/debian/70-fonts-noto-cjk.conf --- fonts-noto-cjk-20170601+repack1/debian/70-fonts-noto-cjk.conf 2018-08-28 09:44:11.0 -0400 +++ fonts-noto-cjk-20170601+repack1/debian/70-fonts-noto-cjk.conf 2019-11-08 13:10:08.0 -0500 @@ -32,7 +32,7 @@ serif - + Noto Serif CJK SC @@ -44,7 +44,7 @@ serif - + Noto Serif CJK TC @@ -80,7 +80,7 @@ sans-serif - + Noto Sans CJK SC @@ -92,7 +92,7 @@ sans-serif - + Noto Sans CJK TC @@ -128,7 +128,7 @@ monospace - + Noto Sans Mono CJK SC @@ -140,7 +140,7 @@ monospace - + Noto Sans Mono CJK TC diff -Nru fonts-noto-cjk-20170601+repack1/debian/changelog fonts-noto-cjk-20170601+repack1/debian/changelog --- fonts-noto-cjk-20170601+repack1/debian/changelog 2018-08-28 09:50:21.0 -0400 +++ fonts-noto-cjk-20170601+repack1/debian/changelog 2019-11-08 13:10:08.0 -0500 @@ -1,3 +1,13 @@ +fonts-noto-cjk (1:20170601+repack1-3+deb10u1) buster; urgency=medium + + * Team upload. + * debian/70-fonts-noto-cjk.conf: Use "prepend" instead of +"prepend_first". This fixes over-aggressive font selection +of Noto CJK fonts in modern web browsers under Chinese locale. +(Closes: #907999) + + -- Boyuan Yang Fri, 08 Nov 2019 13:10:08 -0500 + fonts-noto-cjk (1:20170601+repack1-3) unstable; urgency=medium [ Boyuan Yang ] signature.asc Description: This is a digitally signed message part
Bug#944019: marked as done (nmu: netsniff-ng_0.6.6-1)
Your message dated Fri, 8 Nov 2019 15:44:01 +0200 with message-id <99607704-4b14-b753-f263-d26fc3ab2...@debian.org> and subject line Re: nmu: netsniff-ng_0.6.6-1 has caused the Debian Bug report #944019, regarding nmu: netsniff-ng_0.6.6-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 944019: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944019 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu nmu netsniff-ng_0.6.6-1 . ANY . experimental . -m "Rebuild against libcli1.10." Rebuild for the ongoing libcli transition. Andreas --- End Message --- --- Begin Message --- > nmu netsniff-ng_0.6.6-1 . ANY . experimental . -m "Rebuild against libcli1.10." Done--- End Message ---
Bug#944351: Providing minor version somewhere in /etc/os-release in buster
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Dear Release Managers: I received this bug from one of the ansible upstream authors: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931197 asking to include information about minor version somewhere in /etc/os-release. I first said "not yet" because we were very close to the release of buster and the behaviour of /etc/debian_version and /etc/os-release was already "documented" or "announced" in base-files changelog, as usual. My plan was to consider that for bullseye. However, there is a glitch in lsb-release: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939733 We could revert the change in lsb-release so that it looks at /etc/debian_version again, but we could also do the change in base-files now and fix this glitch in the most standard way. So: Would you approve that base-files 10.3+deb10u2 for Debian 10.2 has VERSION_ID="10.2" in /etc/os-release (and 10.x from now on) instead of "10"? My only problem with this is how we would explain the change after having promised (sort of) that the file would not change in such way in 10.x. On the other hand, people who use constructs like {{ ansible_distribution_major_version }}, which is probably a lot better than parsing the file by hand, would not be affected at all. Thanks.
Bug#944190: release.debian.org: Allow britney to consider installability of dependencies of essential packages
Neils, On Fri, Nov 08, 2019 at 07:03:00AM +, Niels Thykier wrote: > Hi Mark > > Thanks for the investigative work and the patch. > > I have not had time to review the patch yet in details and hope to have > a look this weekend. Thanks. > Could I convince you to add a small test case for this problem to our > britney2-tests repo (https://salsa.debian.org/debian/britney2-tests) > that fails with the current master but succeeds with your patch? This > would ensure we do not inadvertently regress on this area when > refactoring code. I will happily look at that. I am busy until Sunday, but will look at it then. Many thanks. Mark
Bug#944348: buster-pu: package schleuder/3.4.0-2+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Dear SRMs, Schleuder in buster is affected by various problems, which I would like to fix with this proposed update: - Schleuder fails to recognize keywords in mails with "protected headers" and empty subject. (Ref: #940524) - Schleuder is vulnerable to signature-flooded keys. GPG does not cope well with these keys. It will either refuse to import them, or during and after the import become so slow to be effectively unusable (while hogging CPUs). By default keys are regularly updated from the keyservers (in order to receive extended expiry dates, or key revocations). Any list with an attacked key in its keyring will become practically unusable and strain the server. This is a rather severe problem. (Ref: #940526) - Schleuder doesn't report an error, if the argument provided to `refresh_keys` is not an existing list, as if the job ran successfully. (Ref: #940527) All of them are already fixed in unstable. The proposed version is in use and was tested in production for the last two weeks. I admit that this comes quite late for the upcoming point release 10.2 freeze, and the diff is rather large, however, most changes are related to test files. I would be very happy if this still could find its way into 10.2, but I haven't uploaded yet, awaiting your ACK. The full debdiff is attached. Thanks in any case for your work -- as always, highly appreciated! Cheers, Georg diff -Nru schleuder-3.4.0/debian/changelog schleuder-3.4.0/debian/changelog --- schleuder-3.4.0/debian/changelog 2019-06-21 19:05:42.0 + +++ schleuder-3.4.0/debian/changelog 2019-11-08 10:45:22.0 + @@ -1,3 +1,23 @@ +schleuder (3.4.0-2+deb10u1) buster; urgency=medium + + * debian/patches: +- Extend existing patch which fixes problems related to the use of + "protected headers": Fix recognizing keywords in mails with protected + headers and empty subject. Previously, if the subject was unset, + keywords were not recognized and the original "protected headers" could + leak. + This approach, extending the existing patch, instead of adding a new + one, reduces noise and keeps the diff small, as the same part of the + code is targeted. + (Closes: #940524) +- Add patch to strip non-self-signatures when refreshing or fetching keys. + (Closes: #940526) +- Add patch to error out if the argument provided to `refresh_keys` is not + an existing list. + (Closes: #940527) + + -- Georg Faerber Fri, 08 Nov 2019 10:45:22 + + schleuder (3.4.0-2) unstable; urgency=medium * debian/patches: diff -Nru schleuder-3.4.0/debian/patches/0017-mutt-protected-headers.patch schleuder-3.4.0/debian/patches/0017-mutt-protected-headers.patch --- schleuder-3.4.0/debian/patches/0017-mutt-protected-headers.patch 2019-06-21 19:05:42.0 + +++ schleuder-3.4.0/debian/patches/0017-mutt-protected-headers.patch 2019-11-08 10:45:22.0 + @@ -1,31 +1,45 @@ -Description: Handle protected headers produced by Mutt 1.12.0 +Description: Fix various problems related to protected headers Mutt 1.12.0, which was recently released, introduced protected headers. These headers are just contained within the plain body of a mail produced by Mutt, they are not further wrapped into a specifically marked MIME-part. Schleuder fails to handle such messages, accordingly, this patch fixes this behaviour. + + Further, this patch fixes recognizing keywords in mails with protected + headers and empty subject: Previously, if the subject was unset, keywords + were not recognized and the original "protected headers" could leak. + (Closes: #940524) Origin: upstream Forwarded: not-needed -Applied-Upstream: 0651daf54a520906583aa6de4bb3854575fcb963 -Last-Update: 2019-06-20 +Applied-Upstream: 0651daf54a520906583aa6de4bb3854575fcb963 395a789a18e7e7e6b57af663ed70a51d6c7d1ba2 +Last-Update: 2019-11-08 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ Index: schleuder/lib/schleuder/mail/message.rb === schleuder.orig/lib/schleuder/mail/message.rb -+++ schleuder/lib/schleuder/mail/message.rb -@@ -55,7 +55,7 @@ module Mail +--- schleuder.orig/lib/schleuder/mail/message.rb 2019-11-08 09:29:36.739321755 + schleuder/lib/schleuder/mail/message.rb 2019-11-08 09:29:36.735321752 + +@@ -53,13 +53,12 @@ + # headers, which reveals protected subjects. + if self.subject != new.subject new.protected_headers_subject = self.subject.dup - - # Delete the protected headers which might leak information. +- +-# Delete the protected headers which might leak information. -if new.parts.first.content_type == "text/rfc822-headers; protected-headers=v1" -+if new.parts.first &&