Processed: tags

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 961843 - moreinfo
Bug #961843 [release.debian.org] buster-pu: package lighttpd/1.4.53-4
Removed tag(s) moreinfo.
>
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
961843: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961843
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#961843: tags

[Glenn Strauss]

tags 961843 - moreinfo

Bug#961843: buster-pu: package lighttpd/1.4.53-4

[Glenn Strauss]

reattaching debdiff
diff -Nru lighttpd-1.4.53/debian/changelog lighttpd-1.4.53/debian/changelog
--- lighttpd-1.4.53/debian/changelog2019-04-13 00:00:00.0 -0400
+++ lighttpd-1.4.53/debian/changelog2020-03-21 19:30:00.0 -0400
@@ -1,11 +1,67 @@
+lighttpd (1.4.53-4+deb10u1) UNRELEASED; urgency=high
+
+  * QA upload.
+  * backport security, bug, portability fixes from lighttpd 1.4.54, 1.4.55
+  * mod_evhost, mod_flv_streaming:
+[regression] %0 pattern does not match hostnames without the domain part
+https://redmine.lighttpd.net/issues/2932
+  * mod_magnet: Lighttpd crashes on wrong return type in lua script
+https://redmine.lighttpd.net/issues/2938
+  * failed assertion on incoming bad request with server.error-handler
+https://redmine.lighttpd.net/issues/2941
+  * mod_wstunnel: fix wstunnel.ping-interval for big-endian architectures
+https://redmine.lighttpd.net/issues/2944
+  * fix abort in server.http-parseopts with url-path-2f-decode enabled
+https://redmine.lighttpd.net/issues/2945
+  * remove repeated slashes in server.http-parseopts with 
url-path-dotseg-remove, including leading "//"
+  * [regression][Bisected] lighttpd uses way more memory with POST since 1.4.52
+https://redmine.lighttpd.net/issues/2948
+  * OPTIONS should return 2xx status for non-existent resources if Allow is set
+https://redmine.lighttpd.net/issues/2939
+  * use high precision stat timestamp (on systems where available) in etag
+  * mod_authn_ldap/mod_cgi race condition, "Can't contact LDAP server"
+https://redmine.lighttpd.net/issues/2940
+  * SUN_LEN in sock_addr.c (1.4.53, 1.4.54)
+https://redmine.lighttpd.net/issues/2962
+  * Embedded vim command line in conf file with no comment (#) hangs server
+https://redmine.lighttpd.net/issues/2980
+  * mod_authn_gssapi: 500 if fail to delegate creds
+https://redmine.lighttpd.net/issues/2967
+  * mod_authn_gssapi: option to store delegated creds
+https://redmine.lighttpd.net/issues/2967
+  * mod_auth: require digest uri= match original URI
+HTTP digest authentication not compatible with some clients
+https://redmine.lighttpd.net/issues/2974
+  * mod_auth: send Authentication-Info nextnonce when nonce is approaching 
expiration
+  * mod_auth: http_auth_const_time_memeq improvement
+  * mod_auth: http_auth_const_time_memeq_pad()
+  * mod_auth: use constant time comparison when comparing digests
+  * stricter request header parsing: reject WS following header field-name
+https://redmine.lighttpd.net/issues/2985
+  * stricter request header parsing: reject Transfer-Encoding + Content-Length
+https://redmine.lighttpd.net/issues/2985
+  * mod_openssl: reject invalid ALPN
+  * mod_accesslog: parse multiple cookies
+https://redmine.lighttpd.net/issues/2986
+  * preserve %2b and %2B in query string
+https://redmine.lighttpd.net/issues/2999
+  * mod_auth: close connection after bad password
+mitigation slows down brute force password attacks
+https://redmine.lighttpd.net/boards/3/topics/8885
+  * do not accept() > server.max-connections
+  * update /var/run -> /run for systemd (closes: #929203)
+
+ -- Glenn Strauss   Sat, 21 Mar 2020 18:30:00 -0500
+
 lighttpd (1.4.53-4) unstable; urgency=high
 
+  * QA upload.
   * fix mixed use of srv->split_vals array (regression)
   * mod_magnet:fix invalid script return-type crash
   * fix assertion with server.error-handler
   * mod_wstunnel:fix wstunnel.ping-interval for big-endian architectures
   * fix abort in server.http-parseopts with url-path-2f-decode enabled
-CVE-2019-11072 (closes #926885)
+CVE-2019-11072 (closes: #926885)
 
  -- Glenn Strauss   Sat, 13 Apr 2019 00:00:00 -0400
 
diff -Nru lighttpd-1.4.53/debian/.gitlab-ci.yml 
lighttpd-1.4.53/debian/.gitlab-ci.yml
--- lighttpd-1.4.53/debian/.gitlab-ci.yml   2019-04-13 00:00:00.0 
-0400
+++ lighttpd-1.4.53/debian/.gitlab-ci.yml   2020-03-21 19:30:00.0 
-0400
@@ -1,13 +1,7 @@
-include: 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
-build:
-extends: .build-unstable
-
-lintian:
-extends: .test-lintian
-
-autopkgtest:
-extends: .test-autopkgtest
-
-piuparts:
-extends: .test-piuparts
+variables:
+  # Disable reprotest until salsa-ci-team/pipeline#26 is resolved.
+  SALSA_CI_DISABLE_REPROTEST: 1
diff -Nru 
lighttpd-1.4.53/debian/patches/config-update-var-run-run-for-systemd.patch 
lighttpd-1.4.53/debian/patches/config-update-var-run-run-for-systemd.patch
--- lighttpd-1.4.53/debian/patches/config-update-var-run-run-for-systemd.patch  
1969-12-31 19:00:00.0 -0500
+++ lighttpd-1.4.53/debian/patches/config-update-var-run-run-for-systemd.patch  
2020-03-21 19:30:00.0 -0400
@@ -0,0 +1,67 @@
+From 15cdc313b500e2473de7bafdcf1c703dbfd11e56 Mon Sep 

Bug#963703: 963703: gnutls28 3.5.8-5+deb9u5 flagged for acceptance

[R hertoric]

--
*From:* Adam D Barratt 
*Sent:* Friday, July 3, 2020 1:55:08 PM
*To:* 963...@bugs.debian.org <963...@bugs.debian.org>
*Cc:* 963703-submit...@bugs.debian.org <963703-submit...@bugs.debian.org>
*Subject:* Bug#963703: gnutls28 3.5.8-5+deb9u5 flagged for acceptance

package nnn.d...@debian.org

tags 963703 = stretch pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance
into the proposed-updates queue for Debian stretch.

Thanks for your contribution!

Upload details
==

Package: gnutls28
Version: 3.5.8-5+deb9u5

Explanation: fix memory corruption issue [CVE-2019-3829]; fix memory leak;
add support for zero length session tickets, fix connection errors on
TLS1.2 sessions to some hosting providers

Bug#964351: stretch-pu: package intel-microcode/3.20200616.1~deb9u1

[R hertoric]

Freeze {diffstat:
 changelog  |   8 ++
 debian/changelog   |  19 
 intel-ucode/06-4e-03   | Bin 104448 -> 101376
bytes
 intel-ucode/06-5e-03   | Bin 104448 -> 101376
bytes
 microcode-20200609.d => microcode-20200616.d   |   0
 releasenote|  32
-
 s000406E3_m00C0_r00D6.fw   | Bin 101376 -> 0 bytes
 bin => supplementary-ucode-20200616_BDX-ML.bin |   0
 8 files changed, 32 insertions(+), 27 deletions(-)

On Sun, Jul 5, 2020, 3:51 PM Henrique de Moraes Holschuh 
wrote:

> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
>
> I'd like to update the intel-microcode packages in buster and stretch to
> 3.202006016.1~deb{9,10}u1.
>
> This is basically the same packages already in buster and stretch via
> buster/strech-security, with one extra microcode revert.  It effectively
> fixes a regression introduced by the security updates for a single
> processor model (Xeon E3 with signature 0x506e3).
>
> The upload via s-p-u/os-p-u was suggested by the security team: we
> agreed the revert of microcode 0x506e3 did not really deserve a DSA and
> could be handled through the upcoming point releases (it affects only
> *some* motherboards with such processors).
>
> The git diff is attached.  Unfortunately, stable debdiff gets mightly
> confused by a directory rename that only has binary files inside, so git
> diff does a much better job here.
>
> diffstat:
>  changelog  |   8 ++
>  debian/changelog   |  19 
>  intel-ucode/06-4e-03   | Bin 104448 -> 101376
> bytes
>  intel-ucode/06-5e-03   | Bin 104448 -> 101376
> bytes
>  microcode-20200609.d => microcode-20200616.d   |   0
>  releasenote|  32
> -
>  s000406E3_m00C0_r00D6.fw   | Bin 101376 -> 0 bytes
>  bin => supplementary-ucode-20200616_BDX-ML.bin |   0
>  8 files changed, 32 insertions(+), 27 deletions(-)
>
> --
>   Henrique Holschuh
>

Bug#963267: buster-pu: package multipath-tools/0.7.9-3+deb10u1

[R hertoric]

Send reply to edre...@gmail.com

On Sun, Jun 21, 2020, 11:57 AM Chris Hofstaedtler  wrote:

> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Dear Stable Release Managers,
>
> I'd like to push a fix for #959727 to buster. The bug causes us some
> trouble with block devices that are -sometimes- missing. I've tested
> the fix a while ago (on buster), and it seemed to help.
>
> Please consider this.
>
> Thanks,
> Chris
>
> diff -Nru multipath-tools-0.7.9/debian/changelog
> multipath-tools-0.7.9/debian/changelog
> --- multipath-tools-0.7.9/debian/changelog  2019-03-18
> 15:26:38.0 +
> +++ multipath-tools-0.7.9/debian/changelog  2020-06-21
> 16:41:48.0 +
> @@ -1,3 +1,9 @@
> +multipath-tools (0.7.9-3+deb10u1) buster; urgency=medium
> +
> +  * [775fe68] kpartx: use correct path to partx in udev rule (Closes:
> #959727)
> +
> + -- Chris Hofstaedtler   Sun, 21 Jun 2020 16:41:48 +
> +
>  multipath-tools (0.7.9-3) unstable; urgency=medium
>
>* [51a7724] Reliably extract the running systemd version
> diff -Nru multipath-tools-0.7.9/debian/patches/partx-path.patch
> multipath-tools-0.7.9/debian/patches/partx-path.patch
> --- multipath-tools-0.7.9/debian/patches/partx-path.patch   1970-01-01
> 00:00:00.0 +
> +++ multipath-tools-0.7.9/debian/patches/partx-path.patch   2020-06-21
> 16:41:48.0 +
> @@ -0,0 +1,14 @@
> +Use Debian-specific path for partx (from util-linux).
> +
> +Index: multipath-tools/kpartx/del-part-nodes.rules
> +===
> +--- multipath-tools.orig/kpartx/del-part-nodes.rules
>  multipath-tools/kpartx/del-part-nodes.rules
> +@@ -28,6 +28,6 @@ GOTO="end_del_part_nodes"
> + LABEL="del_part_nodes"
> + IMPORT{db}="DM_DEL_PART_NODES"
> + ENV{DM_DEL_PART_NODES}!="1", ENV{DM_DEL_PART_NODES}="1", \
> +-  RUN+="/usr/sbin/partx -d --nr 1-1024 $env{DEVNAME}"
> ++  RUN+="/usr/bin/partx -d --nr 1-1024 $env{DEVNAME}"
> +
> + LABEL="end_del_part_nodes"
> diff -Nru multipath-tools-0.7.9/debian/patches/series
> multipath-tools-0.7.9/debian/patches/series
> --- multipath-tools-0.7.9/debian/patches/series 2019-02-08
> 13:38:26.0 +
> +++ multipath-tools-0.7.9/debian/patches/series 2020-06-21
> 16:41:48.0 +
> @@ -6,3 +6,4 @@
>  fix-usrmerge-paths.patch
>  11-dm-mpath-fix-DM_UDEV_RULES_VSN-check.patch
>  enable-cross-build.patch
> +partx-path.patch
>
>

Bug#964351: stretch-pu: package intel-microcode/3.20200616.1~deb9u1

[Henrique de Moraes Holschuh]

On Sun, 05 Jul 2020, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> On Sun, 2020-07-05 at 17:46 -0300, Henrique de Moraes Holschuh wrote:
> > I'd like to update the intel-microcode packages in buster and stretch
> > to 3.202006016.1~deb{9,10}u1.
> > 
> > This is basically the same packages already in buster and stretch via
> > buster/strech-security, with one extra microcode revert.  It
> > effectively fixes a regression introduced by the security updates for
> > a single processor model (Xeon E3 with signature 0x506e3).
> > 
> 
> Please go ahead.

Uploaded, thanks!

-- 
  Henrique Holschuh

Bug#964350: buster-pu: package intel-microcode/3.20200616.1~deb10u1

[Henrique de Moraes Holschuh]

On Sun, 05 Jul 2020, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> On Sun, 2020-07-05 at 17:45 -0300, Henrique de Moraes Holschuh wrote:
> > I'd like to update the intel-microcode packages in buster and stretch
> > to 3.202006016.1~deb{9,10}u1.
> > 
> > This is basically the same packages already in buster and stretch via
> > buster/strech-security, with one extra microcode revert.  It
> > effectively fixes a regression introduced by the security updates for
> > a single processor model (Xeon E3 with signature 0x506e3).
> 
> Please go ahead.

Uploded, thanks!

-- 
  Henrique Holschuh

Bug#964228: buster-pu: package nmap/7.70+dfsg1-6+deb10u1

[R hertoric]

Yes, it is correct.

On Sun, Jul 5, 2020, 7:00 PM Samuel Henrique  wrote:

> Hello, I believe you picked the wrong bug id, could you double check that,
> please?
>
> Thanks
>

Bug#964228: buster-pu: package nmap/7.70+dfsg1-6+deb10u1

[Samuel Henrique]

Hello, I believe you picked the wrong bug id, could you double check that,
please?

Thanks

Bug#964228: buster-pu: package nmap/7.70+dfsg1-6+deb10u1

[R hertoric]

> tags -1 + confirmed
Bug #964350 [release.debian.org] buster-pu: package
intel-microcode/3.20200616.1~deb10u1
Added tag(s) confirmed.

On Fri, Jul 3, 2020, 4:24 PM Samuel Henrique  wrote:

> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
>
> A backported upstream patch [0] is required to fix #940284 [1] on nmap;
> Bug title: autogeneration of ssl key in ssl server mode of ncat is broken
>
> The issue itself is well described in both BTS [1] and the upstream
> bug report [2], but the summary of it is that the openssl shipped with
> Buster requires a key with minimum size of 2048b, while nmap 7.70
> generates one sized 1024b. This has been fixed in 7.80 (which is the
> version on Testing right now).
>
> The debdiff is attached to this email,
>
> Thanks,
>
> [0]
> https://github.com/nmap/nmap/commit/25db5fbb0d8fb88b6e7f4f298c862cd05ed0f8b1
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940284
> [2] https://github.com/nmap/nmap/pull/1310
>
> --
> Samuel Henrique 
>

Bug#963267: buster-pu: package multipath-tools/0.7.9-3+deb10u1

[R hertoric]

Id rather talk about call me 5045038792

On Sun, Jun 21, 2020, 11:57 AM Chris Hofstaedtler  wrote:

> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Dear Stable Release Managers,
>
> I'd like to push a fix for #959727 to buster. The bug causes us some
> trouble with block devices that are -sometimes- missing. I've tested
> the fix a while ago (on buster), and it seemed to help.
>
> Please consider this.
>
> Thanks,
> Chris
>
> diff -Nru multipath-tools-0.7.9/debian/changelog
> multipath-tools-0.7.9/debian/changelog
> --- multipath-tools-0.7.9/debian/changelog  2019-03-18
> 15:26:38.0 +
> +++ multipath-tools-0.7.9/debian/changelog  2020-06-21
> 16:41:48.0 +
> @@ -1,3 +1,9 @@
> +multipath-tools (0.7.9-3+deb10u1) buster; urgency=medium
> +
> +  * [775fe68] kpartx: use correct path to partx in udev rule (Closes:
> #959727)
> +
> + -- Chris Hofstaedtler   Sun, 21 Jun 2020 16:41:48 +
> +
>  multipath-tools (0.7.9-3) unstable; urgency=medium
>
>* [51a7724] Reliably extract the running systemd version
> diff -Nru multipath-tools-0.7.9/debian/patches/partx-path.patch
> multipath-tools-0.7.9/debian/patches/partx-path.patch
> --- multipath-tools-0.7.9/debian/patches/partx-path.patch   1970-01-01
> 00:00:00.0 +
> +++ multipath-tools-0.7.9/debian/patches/partx-path.patch   2020-06-21
> 16:41:48.0 +
> @@ -0,0 +1,14 @@
> +Use Debian-specific path for partx (from util-linux).
> +
> +Index: multipath-tools/kpartx/del-part-nodes.rules
> +===
> +--- multipath-tools.orig/kpartx/del-part-nodes.rules
>  multipath-tools/kpartx/del-part-nodes.rules
> +@@ -28,6 +28,6 @@ GOTO="end_del_part_nodes"
> + LABEL="del_part_nodes"
> + IMPORT{db}="DM_DEL_PART_NODES"
> + ENV{DM_DEL_PART_NODES}!="1", ENV{DM_DEL_PART_NODES}="1", \
> +-  RUN+="/usr/sbin/partx -d --nr 1-1024 $env{DEVNAME}"
> ++  RUN+="/usr/bin/partx -d --nr 1-1024 $env{DEVNAME}"
> +
> + LABEL="end_del_part_nodes"
> diff -Nru multipath-tools-0.7.9/debian/patches/series
> multipath-tools-0.7.9/debian/patches/series
> --- multipath-tools-0.7.9/debian/patches/series 2019-02-08
> 13:38:26.0 +
> +++ multipath-tools-0.7.9/debian/patches/series 2020-06-21
> 16:41:48.0 +
> @@ -6,3 +6,4 @@
>  fix-usrmerge-paths.patch
>  11-dm-mpath-fix-DM_UDEV_RULES_VSN-check.patch
>  enable-cross-build.patch
> +partx-path.patch
>
>

Re: Processed: Re: Bug#962067: buster-pu: package dbus/1.12.20-0+deb10u1

[R hertoric]

On Sun, Jul 5, 2020, 7:27 AM Debian Bug Tracking System <
ow...@bugs.debian.org> wrote:

> Processing control commands:
>
> > retitle -1 buster-pu: package dbus/1.12.20-0+deb10u1
> Bug #962067 [release.debian.org] buster-pu: package dbus/1.12.18-0+deb10u1
> Changed Bug title to 'buster-pu: package dbus/1.12.20-0+deb10u1' from
> 'buster-pu: package dbus/1.12.18-0+deb10u1'.
>
> --
> 962067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962067
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>
>

Re: Processed: Re: Bug#964350: buster-pu: package intel-microcode/3.20200616.1~deb10u1

[R hertoric]

On Sun, Jul 5, 2020, 4:03 PM Debian Bug Tracking System <
ow...@bugs.debian.org> wrote:

> Processing control commands:
>
> > tags -1 + confirmed
> Bug #964350 [release.debian.org] buster-pu: package
> intel-microcode/3.20200616.1~deb10u1
> Added tag(s) confirmed.
>
> --
> 964350: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964350
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>
>

Bug#964346: buster-pu: package wav2cdr/2.3.4-2+deb10u1

[R hertoric]

 * Use C99 fixed-size integer types to fix runtime assertion on
64bit architectures other than amd64 and alpha. (Closes: #956927)
  * Stop linking to the dead Homepage
Stop sending all packages thru broken  security needs to update tty

On Sun, Jul 5, 2020, 3:24 PM Adrian Bunk  wrote:

> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
>
>   * Use C99 fixed-size integer types to fix runtime assertion on
> 64bit architectures other than amd64 and alpha. (Closes: #956927)
>   * Stop linking to the dead Homepage.
>

Re: Processed: Re: Bug#964350: buster-pu: package intel-microcode/3.20200616.1~deb10u1

[R hertoric]

Adam.D Barratt HAULT messages to > tags -1 + confirmed
Bug #964350 [release.debian.org] buster-pu: package
intel-microcode/3.20200616.1~deb10u1
Added tag(s) confirmed.

On Sun, Jul 5, 2020, 4:03 PM Debian Bug Tracking System <
ow...@bugs.debian.org> wrote:

> Processing control commands:
>
> > tags -1 + confirmed
> Bug #964350 [release.debian.org] buster-pu: package
> intel-microcode/3.20200616.1~deb10u1
> Added tag(s) confirmed.
>
> --
> 964350: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964350
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>
>

Bug#964350: buster-pu: package intel-microcode/3.20200616.1~deb10u1

[R hertoric]

3.202006016.1~deb{9,10}u1{ፈርeeዝ}

On Sun, Jul 5, 2020, 3:48 PM Henrique de Moraes Holschuh 
wrote:

> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
>
> I'd like to update the intel-microcode packages in buster and stretch to
> 3.202006016.1~deb{9,10}u1.
>
> This is basically the same packages already in buster and stretch via
> buster/strech-security, with one extra microcode revert.  It effectively
> fixes a regression introduced by the security updates for a single
> processor model (Xeon E3 with signature 0x506e3).
>
> The upload via s-p-u/os-p-u was suggested by the security team: we
> agreed the revert of microcode 0x506e3 did not really deserve a DSA and
> could be handled through the upcoming point releases (it affects only
> *some* motherboards with such processors).
>
> The git diff is attached.  Unfortunately, stable debdiff gets mightly
> confused by a directory rename that only has binary files inside, so git
> diff does a much better job here.
>
> diffstat:
>  changelog  |   8 ++
>  debian/changelog   |  19 
>  intel-ucode/06-4e-03   | Bin 104448 -> 101376
> bytes
>  intel-ucode/06-5e-03   | Bin 104448 -> 101376
> bytes
>  microcode-20200609.d => microcode-20200616.d   |   0
>  releasenote|  32
> -
>  s000406E3_m00C0_r00D6.fw   | Bin 101376 -> 0 bytes
>  bin => supplementary-ucode-20200616_BDX-ML.bin |   0
>  8 files changed, 32 insertions(+), 27 deletions(-)
>
> --
>   Henrique Holschuh
>

Bug#964351: stretch-pu: package intel-microcode/3.20200616.1~deb9u1

[R hertoric]

Package intel-microcode} freeze{3.20200616.1~deb9u1

On Sun, Jul 5, 2020, 4:03 PM Adam D. Barratt 
wrote:

> Control: tags -1 + confirmed
>
> On Sun, 2020-07-05 at 17:46 -0300, Henrique de Moraes Holschuh wrote:
> > I'd like to update the intel-microcode packages in buster and stretch
> > to 3.202006016.1~deb{9,10}u1.
> >
> > This is basically the same packages already in buster and stretch via
> > buster/strech-security, with one extra microcode revert.  It
> > effectively fixes a regression introduced by the security updates for
> > a single processor model (Xeon E3 with signature 0x506e3).
> >
>
> Please go ahead.
>
> Regards,
>
> Adam
>
>

Bug#964350: buster-pu: package intel-microcode/3.20200616.1~deb10u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Sun, 2020-07-05 at 17:45 -0300, Henrique de Moraes Holschuh wrote:
> I'd like to update the intel-microcode packages in buster and stretch
> to 3.202006016.1~deb{9,10}u1.
> 
> This is basically the same packages already in buster and stretch via
> buster/strech-security, with one extra microcode revert.  It
> effectively fixes a regression introduced by the security updates for
> a single processor model (Xeon E3 with signature 0x506e3).

Please go ahead.

Regards,

Adam

Processed: Re: Bug#964350: buster-pu: package intel-microcode/3.20200616.1~deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #964350 [release.debian.org] buster-pu: package 
intel-microcode/3.20200616.1~deb10u1
Added tag(s) confirmed.

-- 
964350: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964350
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#964351: stretch-pu: package intel-microcode/3.20200616.1~deb9u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #964351 [release.debian.org] stretch-pu: package 
intel-microcode/3.20200616.1~deb9u1
Added tag(s) confirmed.

-- 
964351: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964351
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#964346: buster-pu: package wav2cdr/2.3.4-2+deb10u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #964346 [release.debian.org] buster-pu: package wav2cdr/2.3.4-2+deb10u1
Added tag(s) confirmed.

-- 
964346: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964346
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#964351: stretch-pu: package intel-microcode/3.20200616.1~deb9u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Sun, 2020-07-05 at 17:46 -0300, Henrique de Moraes Holschuh wrote:
> I'd like to update the intel-microcode packages in buster and stretch
> to 3.202006016.1~deb{9,10}u1.
> 
> This is basically the same packages already in buster and stretch via
> buster/strech-security, with one extra microcode revert.  It
> effectively fixes a regression introduced by the security updates for
> a single processor model (Xeon E3 with signature 0x506e3).
> 

Please go ahead.

Regards,

Adam

Bug#964346: buster-pu: package wav2cdr/2.3.4-2+deb10u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Sun, 2020-07-05 at 23:20 +0300, Adrian Bunk wrote:
>   * Use C99 fixed-size integer types to fix runtime assertion on
> 64bit architectures other than amd64 and alpha. (Closes: #956927)
>   * Stop linking to the dead Homepage.

Please go ahead.

Regards,

Adam

Processed: Re: Bug#964340: stretch-pu: package sogo-connector/68.0.1-2~deb9u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #964340 [release.debian.org] stretch-pu: package 
sogo-connector/68.0.1-2~deb9u1
Added tag(s) confirmed.

-- 
964340: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964340
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#964325: stretch-pu: package compactheader/3.0.0~beta5-2~deb9u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Sun, 2020-07-05 at 20:51 +0300, Adrian Bunk wrote:
> The version of compactheader in stretch does not work
> with the version of thunderbird in stretch. (#944021)
> 
> The attached debdiff is against the version in unstable,
> which has already been backported to buster. (#948203)
> 

Please go ahead.

Regards,

Adam

Processed: Re: Bug#964325: stretch-pu: package compactheader/3.0.0~beta5-2~deb9u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + confirmed
Bug #964325 [release.debian.org] stretch-pu: package 
compactheader/3.0.0~beta5-2~deb9u1
Added tag(s) confirmed.

-- 
964325: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964325
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#964340: stretch-pu: package sogo-connector/68.0.1-2~deb9u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Sun, 2020-07-05 at 23:02 +0300, Adrian Bunk wrote:
> The version of sogo-connector in stretch does not work
> with the version of thunderbird in stretch. (#945061)
> 
> The attached debdiff is against the version in unstable,
> which has already been backported to buster. (#948205)
> 

Please go ahead.

Regards,

Adam

Bug#964351: stretch-pu: package intel-microcode/3.20200616.1~deb9u1

[Henrique de Moraes Holschuh]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I'd like to update the intel-microcode packages in buster and stretch to
3.202006016.1~deb{9,10}u1.

This is basically the same packages already in buster and stretch via
buster/strech-security, with one extra microcode revert.  It effectively
fixes a regression introduced by the security updates for a single
processor model (Xeon E3 with signature 0x506e3).

The upload via s-p-u/os-p-u was suggested by the security team: we
agreed the revert of microcode 0x506e3 did not really deserve a DSA and
could be handled through the upcoming point releases (it affects only
*some* motherboards with such processors).

The git diff is attached.  Unfortunately, stable debdiff gets mightly
confused by a directory rename that only has binary files inside, so git
diff does a much better job here.

diffstat:
 changelog  |   8 ++
 debian/changelog   |  19 
 intel-ucode/06-4e-03   | Bin 104448 -> 101376 bytes
 intel-ucode/06-5e-03   | Bin 104448 -> 101376 bytes
 microcode-20200609.d => microcode-20200616.d   |   0
 releasenote|  32 -
 s000406E3_m00C0_r00D6.fw   | Bin 101376 -> 0 bytes
 bin => supplementary-ucode-20200616_BDX-ML.bin |   0
 8 files changed, 32 insertions(+), 27 deletions(-)

-- 
  Henrique Holschuh
diff --git a/changelog b/changelog
index d033202..b0565f2 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,11 @@
+2020-06-16:
+  * Downgraded microcodes (to a previously shipped revision):
+sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
+sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376
+  * Works around hangs on boot on Skylake-U/Y and Skylake Xeon E3,
+
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+  * This update *removes* the SRBDS mitigations from the above processors
+
 2020-06-09:
   * Implements mitigation for CVE-2020-0543 Special Register Buffer Data
 Sampling (SRBDS), aka INTEL-SA-00320
diff --git a/debian/changelog b/debian/changelog
index 9a576a8..863eecf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+intel-microcode (3.20200616.1~deb9u1) stretch; urgency=high
+
+  * Rebuild for Debian oldstable (stretch), no changes
+
+ -- Henrique de Moraes Holschuh   Sun, 05 Jul 2020 15:26:41 
-0300
+
+intel-microcode (3.20200616.1) unstable; urgency=high
+
+  * New upstream microcode datafile 20200616
++ Downgraded microcodes (to a previously shipped revision):
+  sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
+  sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376
+  * Works around hangs on boot on Skylake-U/Y and Skylake Xeon E3,
+
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+  * This update *removes* the SRBDS mitigations from the above processors
+  * Note that Debian had already downgraded 0x406e3 in release 3.20200609.2
+
+ -- Henrique de Moraes Holschuh   Sun, 28 Jun 2020 18:38:57 
-0300
+
 intel-microcode (3.20200609.2~deb9u1) stretch-security; urgency=high
 
   * Rebuild for stretch-security, no changes
diff --git a/intel-ucode/06-4e-03 b/intel-ucode/06-4e-03
index 33b963e..1fabcf8 100644
Binary files a/intel-ucode/06-4e-03 and b/intel-ucode/06-4e-03 differ
diff --git a/intel-ucode/06-5e-03 b/intel-ucode/06-5e-03
index 4e947ea..a3119d5 100644
Binary files a/intel-ucode/06-5e-03 and b/intel-ucode/06-5e-03 differ
diff --git a/microcode-20200609.d b/microcode-20200616.d
similarity index 100%
rename from microcode-20200609.d
rename to microcode-20200616.d
diff --git a/releasenote b/releasenote
index 9b60007..f7302d5 100644
--- a/releasenote
+++ b/releasenote
@@ -82,37 +82,15 @@ OS vendors must ensure that the late loader patches 
(provided in
 linux-kernel-patches\) are included in the distribution before packaging the
 BDX-ML microcode for late-loading.
 
-== 20200609 Release ==
--- Updates upon 20200520 release --
+== 20200616 Release ==
+-- Updates upon 20200609 release --
 Processor Identifier Version   Products
 ModelStepping F-MO-S/PI  Old->New
  new platforms 
 
  updated platforms 
-HSW  C0   6-3c-3/32 0027->0028 Core Gen4
-BDW-U/Y  E0/F06-3d-4/c0 002e->002f Core Gen5
-HSW-UC0/D06-45-1/72 0025->0026 Core Gen4
-HSW-HC0   6-46-1/32 001b->001c Core Gen4
-BDW-H/E3 E0/G06-47-1/22 0021->0022 Core Gen5
-SKL-U/Y  D0   6-4e-3/c0 00d6->00dc Core Gen6 Mobile
-SKL-U23e K1   6-4e-3/c0 00d6->00dc Core Gen6 Mobile
-SKX-SP   B1   6-55-3/97 

Bug#964350: buster-pu: package intel-microcode/3.20200616.1~deb10u1

[Henrique de Moraes Holschuh]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

I'd like to update the intel-microcode packages in buster and stretch to
3.202006016.1~deb{9,10}u1.

This is basically the same packages already in buster and stretch via
buster/strech-security, with one extra microcode revert.  It effectively
fixes a regression introduced by the security updates for a single
processor model (Xeon E3 with signature 0x506e3).

The upload via s-p-u/os-p-u was suggested by the security team: we
agreed the revert of microcode 0x506e3 did not really deserve a DSA and
could be handled through the upcoming point releases (it affects only
*some* motherboards with such processors).

The git diff is attached.  Unfortunately, stable debdiff gets mightly
confused by a directory rename that only has binary files inside, so git
diff does a much better job here.

diffstat:
 changelog  |   8 ++
 debian/changelog   |  19 
 intel-ucode/06-4e-03   | Bin 104448 -> 101376 bytes
 intel-ucode/06-5e-03   | Bin 104448 -> 101376 bytes
 microcode-20200609.d => microcode-20200616.d   |   0
 releasenote|  32 -
 s000406E3_m00C0_r00D6.fw   | Bin 101376 -> 0 bytes
 bin => supplementary-ucode-20200616_BDX-ML.bin |   0
 8 files changed, 32 insertions(+), 27 deletions(-)

-- 
  Henrique Holschuh
diff --git a/changelog b/changelog
index d033202..b0565f2 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,11 @@
+2020-06-16:
+  * Downgraded microcodes (to a previously shipped revision):
+sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
+sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376
+  * Works around hangs on boot on Skylake-U/Y and Skylake Xeon E3,
+
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+  * This update *removes* the SRBDS mitigations from the above processors
+
 2020-06-09:
   * Implements mitigation for CVE-2020-0543 Special Register Buffer Data
 Sampling (SRBDS), aka INTEL-SA-00320
diff --git a/debian/changelog b/debian/changelog
index 89ee06e..67308d4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+intel-microcode (3.20200616.1~deb10u1) buster; urgency=high
+
+  * Rebuild for Debian stable (buster), no changes
+
+ -- Henrique de Moraes Holschuh   Sun, 05 Jul 2020 15:18:54 
-0300
+
+intel-microcode (3.20200616.1) unstable; urgency=high
+
+  * New upstream microcode datafile 20200616
++ Downgraded microcodes (to a previously shipped revision):
+  sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
+  sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376
+  * Works around hangs on boot on Skylake-U/Y and Skylake Xeon E3,
+
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+  * This update *removes* the SRBDS mitigations from the above processors
+  * Note that Debian had already downgraded 0x406e3 in release 3.20200609.2
+
+ -- Henrique de Moraes Holschuh   Sun, 28 Jun 2020 18:38:57 
-0300
+
 intel-microcode (3.20200609.2~deb10u1) buster-security; urgency=high
 
   * Rebuild for buster-security, no changes
diff --git a/intel-ucode/06-4e-03 b/intel-ucode/06-4e-03
index 33b963e..1fabcf8 100644
Binary files a/intel-ucode/06-4e-03 and b/intel-ucode/06-4e-03 differ
diff --git a/intel-ucode/06-5e-03 b/intel-ucode/06-5e-03
index 4e947ea..a3119d5 100644
Binary files a/intel-ucode/06-5e-03 and b/intel-ucode/06-5e-03 differ
diff --git a/microcode-20200609.d b/microcode-20200616.d
similarity index 100%
rename from microcode-20200609.d
rename to microcode-20200616.d
diff --git a/releasenote b/releasenote
index 9b60007..f7302d5 100644
--- a/releasenote
+++ b/releasenote
@@ -82,37 +82,15 @@ OS vendors must ensure that the late loader patches 
(provided in
 linux-kernel-patches\) are included in the distribution before packaging the
 BDX-ML microcode for late-loading.
 
-== 20200609 Release ==
--- Updates upon 20200520 release --
+== 20200616 Release ==
+-- Updates upon 20200609 release --
 Processor Identifier Version   Products
 ModelStepping F-MO-S/PI  Old->New
  new platforms 
 
  updated platforms 
-HSW  C0   6-3c-3/32 0027->0028 Core Gen4
-BDW-U/Y  E0/F06-3d-4/c0 002e->002f Core Gen5
-HSW-UC0/D06-45-1/72 0025->0026 Core Gen4
-HSW-HC0   6-46-1/32 001b->001c Core Gen4
-BDW-H/E3 E0/G06-47-1/22 0021->0022 Core Gen5
-SKL-U/Y  D0   6-4e-3/c0 00d6->00dc Core Gen6 Mobile
-SKL-U23e K1   6-4e-3/c0 00d6->00dc Core Gen6 Mobile
-SKX-SP   B1   6-55-3/97 

Bug#964346: buster-pu: package wav2cdr/2.3.4-2+deb10u1

[Adrian Bunk]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

  * Use C99 fixed-size integer types to fix runtime assertion on
64bit architectures other than amd64 and alpha. (Closes: #956927)
  * Stop linking to the dead Homepage.
diff -Nru wav2cdr-2.3.4/debian/changelog wav2cdr-2.3.4/debian/changelog
--- wav2cdr-2.3.4/debian/changelog  2017-11-02 12:46:02.0 +0200
+++ wav2cdr-2.3.4/debian/changelog  2020-07-05 23:09:10.0 +0300
@@ -1,3 +1,12 @@
+wav2cdr (2.3.4-2+deb10u1) buster; urgency=medium
+
+  * QA upload.
+  * Use C99 fixed-size integer types to fix runtime assertion on
+64bit architectures other than amd64 and alpha. (Closes: #956927)
+  * Stop linking to the dead Homepage.
+
+ -- Adrian Bunk   Sun, 05 Jul 2020 23:09:10 +0300
+
 wav2cdr (2.3.4-2) unstable; urgency=medium
 
   * QA upload.
diff -Nru wav2cdr-2.3.4/debian/control wav2cdr-2.3.4/debian/control
--- wav2cdr-2.3.4/debian/control2017-11-02 12:46:02.0 +0200
+++ wav2cdr-2.3.4/debian/control2020-07-05 23:09:10.0 +0300
@@ -4,7 +4,6 @@
 Maintainer: Debian QA Group 
 Build-Depends: debhelper (>= 10), bsdmainutils, gawk
 Standards-Version: 4.1.1
-Homepage: http://volker.dnsalias.net/soft/index.html#wav2cdr
 
 Package: wav2cdr
 Architecture: any
diff -Nru wav2cdr-2.3.4/debian/patches/50_fix-inttypes.patch 
wav2cdr-2.3.4/debian/patches/50_fix-inttypes.patch
--- wav2cdr-2.3.4/debian/patches/50_fix-inttypes.patch  1970-01-01 
02:00:00.0 +0200
+++ wav2cdr-2.3.4/debian/patches/50_fix-inttypes.patch  2020-07-05 
23:09:10.0 +0300
@@ -0,0 +1,57 @@
+Description: Use C99 fixed-size integer types
+ This fixes runtime assertion on 64bit architectures
+ other than amd64 and alpha.
+Author: Adrian Bunk 
+Bug-Debian: https://bugs.debian.org/956927
+
+--- wav2cdr-2.3.4.orig/chelp.h
 wav2cdr-2.3.4/chelp.h
+@@ -76,6 +76,7 @@ HISTORY:
+ #ifndef CHELP_H
+ #define CHELP_H
+ 
++#include 
+ 
+ /* Mnemonics for logical and bit-wise operators
+ */
+@@ -166,32 +167,18 @@ typedef charstring;
+ */
+ #ifndef HAS_FIXEDSIZES
+ #define HAS_FIXEDSIZES
+-typedef unsigned char   UINT8, byte;/*  8 bits */
+-typedef unsigned short  UINT16, dbyte, word;/* 16 bits */
+-#if defined(__alpha) OR defined(__x86_64__)
+-  typedef unsigned int  UINT32,
++typedef uint8_t UINT8, byte;/*  8 bits */
++typedef uint16_tUINT16, dbyte, word;/* 16 bits */
++typedef uint32_tUINT32,
+ qbyte, dword, lword;/* 32 bits */
+-#else
+-  typedef unsigned long UINT32,
+-qbyte, dword, lword;/* 32 bits */
+-#endif
+ 
+-typedef signed char SINT8;  /*  8 bits signed */
+-typedef signed shortSINT16; /* 16 bits signed */
+-#if defined(__alpha) OR defined(__x86_64__)
+-  typedef signed intSINT32; /* 32 bits signed */
+-#else
+-  typedef signed long   SINT32; /* 32 bits signed */
+-#endif
++typedef int8_t  SINT8;  /*  8 bits signed */
++typedef int16_t SINT16; /* 16 bits signed */
++typedef int32_t SINT32; /* 32 bits signed */
+ 
+ #ifdef ANSIEXT
+-#ifdef __alpha
+-  typedef unsigned long UINT64, llword; /* 64 bits */
+-  typedef signed long   SINT64; /* 64 bits signed */
+-#else
+-  typedef unsigned long long  UINT64, llword;   /* 64 bits */
+-  typedef signed long longSINT64;   /* 64 bits signed */
+-#endif
++  typedef uint64_t  UINT64, llword;   /* 64 bits */
++  typedef int64_t   SINT64;   /* 64 bits signed */
+ #endif
+ /* check the sizes here? then we would depend on limits.h
+better to require the user to use assert():
diff -Nru wav2cdr-2.3.4/debian/patches/series 
wav2cdr-2.3.4/debian/patches/series
--- wav2cdr-2.3.4/debian/patches/series 2017-11-02 12:46:02.0 +0200
+++ wav2cdr-2.3.4/debian/patches/series 2020-07-05 23:09:10.0 +0300
@@ -2,3 +2,4 @@
 20_make-uninstall.patch
 30_add-GCC-hardening.patch
 40_fix-typo.patch
+50_fix-inttypes.patch

Processed: RM: mathematica-fonts/20

[Debian Bug Tracking System]

Processing control commands:

> clone -1 -2
Bug #964342 [release.debian.org] RM: mathematica-fonts/20
Bug 964342 cloned as bug 964343
> retitle -2 RM: mathematica-fonts/21
Bug #964343 [release.debian.org] RM: mathematica-fonts/20
Changed Bug title to 'RM: mathematica-fonts/21' from 'RM: mathematica-fonts/20'.
> tags -1 stretch
Bug #964342 [release.debian.org] RM: mathematica-fonts/20
Added tag(s) stretch.
> tags -2 buster
Bug #964343 [release.debian.org] RM: mathematica-fonts/21
Added tag(s) buster.

-- 
964342: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964342
964343: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964343
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#964342: RM: mathematica-fonts/20

[Adrian Bunk]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
Control: clone -1 -2
Control: retitle -2 RM: mathematica-fonts/21
Control: tags -1 stretch
Control: tags -2 buster

fonts-mathematica is an installer for fonts that
are no longer downloadable. (#960466)

Bug#964340: stretch-pu: package sogo-connector/68.0.1-2~deb9u1

[Adrian Bunk]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

The version of sogo-connector in stretch does not work
with the version of thunderbird in stretch. (#945061)

The attached debdiff is against the version in unstable,
which has already been backported to buster. (#948205)

Despite the dh compat difference the resulting package works,
and debdiff reports no differences.
diff -Nru sogo-connector-68.0.1/debian/changelog 
sogo-connector-68.0.1/debian/changelog
--- sogo-connector-68.0.1/debian/changelog  2020-02-05 13:31:44.0 
+0200
+++ sogo-connector-68.0.1/debian/changelog  2020-07-05 21:47:13.0 
+0300
@@ -1,3 +1,11 @@
+sogo-connector (68.0.1-2~deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for stretch.
+- Lower dh compat to 10.
+
+ -- Adrian Bunk   Sun, 05 Jul 2020 21:47:13 +0300
+
 sogo-connector (68.0.1-2) unstable; urgency=medium
 
   * [2bfa6a2] d/control: bump Standards-Version to 4.5.0
diff -Nru sogo-connector-68.0.1/debian/compat 
sogo-connector-68.0.1/debian/compat
--- sogo-connector-68.0.1/debian/compat 1970-01-01 02:00:00.0 +0200
+++ sogo-connector-68.0.1/debian/compat 2020-07-05 21:47:13.0 +0300
@@ -0,0 +1 @@
+10
diff -Nru sogo-connector-68.0.1/debian/control 
sogo-connector-68.0.1/debian/control
--- sogo-connector-68.0.1/debian/control2020-02-05 13:30:39.0 
+0200
+++ sogo-connector-68.0.1/debian/control2020-07-05 21:47:13.0 
+0300
@@ -7,7 +7,7 @@
  Christoph Goehre ,
 Standards-Version: 4.5.0
 Build-Depends:
- debhelper-compat (= 12),
+ debhelper (>= 10),
 Rules-Requires-Root: no
 Homepage: https://github.com/inverse-inc/sogo-connector
 X-Debian-Homepage: http://wiki.debian.org/SOGoConnector

Bug#963792: transition: ros-*

[R hertoric]

Lilly kill all


On Sat, Jun 27, 2020, 4:54 AM Jochen Sprickerhof 
wrote:

> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
>
> Hi release team,
>
> I would like to transition these packages to unstable:
>
> ros-roscpp-core
> ros-ros-comm
> ros-geometric-shapes
> ros-urdf
> ros-interactive-markers
> ros-actionlib
> ros-geometry2
> ros-vision-opencv
>
> Would you be ok with doing all of them at the same time?
> (Otherwise I would start with ros-roscpp-core.)
>
> The generated Ben files are ok.
>
> Cheers Jochen
>
> -- System Information:
> Debian Release: bullseye/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 5.7.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
> LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
>

Bug#964331: RM: colorediffs-extension/0.6.2012.01.27.14.07.45-1

[Adrian Bunk]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: rm

colorediffs-extension does not work with Thunderbird >= 60 (#918171),
due to that it was already removed from unstable before the release
of buster (#929333).

Bug#964325: stretch-pu: package compactheader/3.0.0~beta5-2~deb9u1

[Adrian Bunk]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

The version of compactheader in stretch does not work
with the version of thunderbird in stretch. (#944021)

The attached debdiff is against the version in unstable,
which has already been backported to buster. (#948203)

Despite the dh compat difference the resulting package works,
and debdiff reports no differences.
diff -Nru compactheader-3.0.0~beta5/debian/changelog 
compactheader-3.0.0~beta5/debian/changelog
--- compactheader-3.0.0~beta5/debian/changelog  2019-12-06 19:59:16.0 
+0200
+++ compactheader-3.0.0~beta5/debian/changelog  2020-07-05 20:17:59.0 
+0300
@@ -1,3 +1,11 @@
+compactheader (3.0.0~beta5-2~deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for stretch.
+- Lower dh compat to 10.
+
+ -- Adrian Bunk   Sun, 05 Jul 2020 20:17:59 +0300
+
 compactheader (3.0.0~beta5-2) unstable; urgency=medium
 
   * [25489aa] d/control: fix depending TB version
diff -Nru compactheader-3.0.0~beta5/debian/compat 
compactheader-3.0.0~beta5/debian/compat
--- compactheader-3.0.0~beta5/debian/compat 1970-01-01 02:00:00.0 
+0200
+++ compactheader-3.0.0~beta5/debian/compat 2020-07-05 20:17:59.0 
+0300
@@ -0,0 +1 @@
+10
diff -Nru compactheader-3.0.0~beta5/debian/control 
compactheader-3.0.0~beta5/debian/control
--- compactheader-3.0.0~beta5/debian/control2019-12-06 19:13:03.0 
+0200
+++ compactheader-3.0.0~beta5/debian/control2020-07-05 20:17:59.0 
+0300
@@ -4,7 +4,7 @@
 Maintainer: Debian Mozilla Extension Maintainers 

 Uploaders: Carsten Schoenert 
 Build-Depends:
- debhelper-compat (= 12),
+ debhelper (>= 10),
 Rules-Requires-Root: no
 Standards-Version: 4.4.1
 Homepage: https://github.com/jmozmoz/compactheader

Bug#949367: stretch-pu: package wpa/2:2.4-1+deb9u5

[Cyril Brulebois]

Andrej Shadura  (2020-05-03):
> Oh, I somehow forgot about it. Please see attached debdiff; I have
> also added the same minor fix I wanted to push into buster, I think
> it’s worth it.

First thing first: it builds! :D

Additionally, a d-i netboot-gtk image built with the resulting udeb,
with the contents of the firmware-iwlwifi package dumped into it, works
fine on my X230. So there are at least no obvious regressions hidden in
there (for this specific piece of hardware).

No objections, thanks.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Bug#963267: buster-pu: package multipath-tools/0.7.9-3+deb10u1

[Cyril Brulebois]

Adam D. Barratt  (2020-07-02):
> I'd be OK with that, but as multipath-tools creates a udeb, this will
> need a KiBi-ack.

Looks good, of course, thanks!


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Processed: limit package to release.debian.org, user release.debian....@packages.debian.org ..., tagging 898826 ...

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> limit package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> user release.debian@packages.debian.org
Setting user to release.debian@packages.debian.org (was 
a...@adam-barratt.org.uk).
> retitle 898826 RM: profphd -- RoM; unusable
Bug #898826 [release.debian.org] stretch-pu: package profphd in strech unusable
Changed Bug title to 'RM: profphd -- RoM; unusable' from 'stretch-pu: package 
profphd in strech unusable'.
> usertags 898826 = rm
Usertags were: pu.
Usertags are now: rm.
> tags 898826 = stretch pending
Bug #898826 [release.debian.org] RM: profphd -- RoM; unusable
Added tag(s) pending; removed tag(s) confirmed.
> clone 898826 -1
Bug #898826 [release.debian.org] RM: profphd -- RoM; unusable
Bug 898826 cloned as bug 964316
> usertags -1 = rm
There were no usertags set.
Usertags are now: rm.
> retitle -1 RM: predictprotein -- RoM; depends on to-be-removed profphd
Bug #964316 [release.debian.org] RM: profphd -- RoM; unusable
Changed Bug title to 'RM: predictprotein -- RoM; depends on to-be-removed 
profphd' from 'RM: profphd -- RoM; unusable'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
898826: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898826
964316: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964316
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#962067: buster-pu: package dbus/1.12.20-0+deb10u1

[Adam D. Barratt]

On Sun, 2020-07-05 at 13:24 +0100, Simon McVittie wrote:
> Control: retitle -1 buster-pu: package dbus/1.12.20-0+deb10u1
> 
> On Sat, 20 Jun 2020 at 20:26:24 +0100, Adam D. Barratt wrote:
> > On Tue, 2020-06-02 at 21:22 +0100, Simon McVittie wrote:
> > > dbus 1.12.18 fixes a local denial of service vulnerability for
> > > which the Security Team have indicated they do not intend to
> > > issue a DSA.
> > > 
> > > If possible I would like to use upstream 1.12.x versions of dbus
> > > for buster (security and) stable updates, similar to the policy
> > > used in stretch and jessie. This branch includes security fixes
> > > and selected non-intrusive bug fixes (and unfortunately also the
> > > usual Autotools noise).
> > > 
> > 
> > That sounds OK to me, but will need the usual KiBi-ack due to the
> > udeb.
> 
> I have now released 1.12.20 upstream. This fixes a long-standing
> use-after-free if two usernames have the same numeric uid (which is
> potentially a security fix if you have such usernames), and a
> regression on Solaris derivatives. Does this still look OK for
> buster-pu? (Diff since the version you already saw attached - I
> haven't bothered to filter out the Autotools noise this time, because
> there is much less of it.)

I'd be OK with that from the SRM side (with the remaining d-i caveat).

> I've asked the security team whether they will now want a DSA for the
> use-after-free, but I suspect the answer will be "no, talk to the
> stable release team" so I'm asking preemptively.
> 
> For #962068, dbus 1.10.30 -> 1.10.32 has a remarkably similar diff
> (it's a cherry-pick of the same commits as in 1.12.20). I assume the
> judgement on that from both the security team and the stable release
> team will be the same as for buster, unless the stretch EOL has
> already happened by the time we get there.

My understanding is that security support for stretch ended yesterday.
(We've ended up with an extra week for fixes via opu due to
availability of people for the point release.)

Regards,

Adam

Bug#898826: Re: stretch-pu: package profphd in strech unusable

[Andreas Tille]

On Thu, Jul 02, 2020 at 10:27:53PM +0100, Adam D. Barratt wrote:
> > Sorry, I lost track with this.  I admit I have no idea.  The tag is
> > set in Git so I hopefully uploaded in connection with setting the
> > tag. 
> 
> No package ever appeared for our review at least.

That's strange - but hard to track down.
 
> > Given that the package has continuous issues in autopkgtest and we
> > are discussing with upstream about some replacement I would prefer
> > asking ftpmaster to remove the package from stretch.  Should I re-
> > assign the bug or open a new one?
> 
> Removal bugs for (old)stable live on release.d.o still, and ftp-master
> then process them for us during point releases.
> 
> Asking dak about a removal says:
> 
> # Broken Depends:
> predictprotein: predictprotein

Feel free to remove this as well.

Kind regards

 Andreas. 

-- 
http://fam-tille.de

Processed: Re: Bug#962067: buster-pu: package dbus/1.12.20-0+deb10u1

[Debian Bug Tracking System]

Processing control commands:

> retitle -1 buster-pu: package dbus/1.12.20-0+deb10u1
Bug #962067 [release.debian.org] buster-pu: package dbus/1.12.18-0+deb10u1
Changed Bug title to 'buster-pu: package dbus/1.12.20-0+deb10u1' from 
'buster-pu: package dbus/1.12.18-0+deb10u1'.

-- 
962067: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962067
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#962067: buster-pu: package dbus/1.12.20-0+deb10u1

[Simon McVittie]

Control: retitle -1 buster-pu: package dbus/1.12.20-0+deb10u1

On Sat, 20 Jun 2020 at 20:26:24 +0100, Adam D. Barratt wrote:
> On Tue, 2020-06-02 at 21:22 +0100, Simon McVittie wrote:
> > dbus 1.12.18 fixes a local denial of service vulnerability for which
> > the Security Team have indicated they do not intend to issue a DSA.
> > 
> > If possible I would like to use upstream 1.12.x versions of dbus for
> > buster (security and) stable updates, similar to the policy used in
> > stretch and jessie. This branch includes security fixes and selected
> > non-intrusive bug fixes (and unfortunately also the usual Autotools
> > noise).
> > 
> 
> That sounds OK to me, but will need the usual KiBi-ack due to the udeb.

I have now released 1.12.20 upstream. This fixes a long-standing
use-after-free if two usernames have the same numeric uid (which is
potentially a security fix if you have such usernames), and a regression
on Solaris derivatives. Does this still look OK for buster-pu? (Diff since
the version you already saw attached - I haven't bothered to filter out
the Autotools noise this time, because there is much less of it.)

I've asked the security team whether they will now want a DSA for the
use-after-free, but I suspect the answer will be "no, talk to the
stable release team" so I'm asking preemptively.

For #962068, dbus 1.10.30 -> 1.10.32 has a remarkably similar diff (it's
a cherry-pick of the same commits as in 1.12.20). I assume the judgement
on that from both the security team and the stable release team will be
the same as for buster, unless the stretch EOL has already happened by
the time we get there.

smcv
diff --git a/Makefile.in b/Makefile.in
index 2ef174ae..c3973629 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 # aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Tue Jun  2 13:56:47 BST 2020
+# from AX_AM_MACROS_STATIC on Thu Jul  2 11:10:39 BST 2020
 
 VPATH = @srcdir@
 am__is_gnu_make = { \
diff --git a/NEWS b/NEWS
index a38c5992..2fca1455 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,27 @@
+dbus 1.12.20 (2020-07-02)
+=
+
+The “temporary nemesis” release.
+
+Maybe security fixes:
+
+• On Unix, avoid a use-after-free if two usernames have the same
+  numeric uid. In older versions this could lead to a crash (denial of
+  service) or other undefined behaviour, possibly including incorrect
+  authorization decisions if  is used.
+  Like Unix filesystems, D-Bus' model of identity cannot distinguish
+  between users of different names with the same numeric uid, so this
+  configuration is not advisable on systems where D-Bus will be used.
+  Thanks to Daniel Onaca.
+  (dbus#305, dbus!166; Simon McVittie)
+
+Other fixes:
+
+• On Solaris and its derivatives, if a cmsg header is truncated, ensure
+  that we do not overrun the buffer used for fd-passing, even if the
+  kernel tells us to.
+  (dbus#304, dbus!165; Andy Fiddaman)
+
 dbus 1.12.18 (2020-06-02)
 =
 
diff --git a/aminclude_static.am b/aminclude_static.am
index 7b415587..3dabd131 100644
--- a/aminclude_static.am
+++ b/aminclude_static.am
@@ -1,6 +1,6 @@
 
 # aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Tue Jun  2 13:56:47 BST 2020
+# from AX_AM_MACROS_STATIC on Thu Jul  2 11:10:39 BST 2020
 
 
 # Code coverage
diff --git a/bus/Makefile.in b/bus/Makefile.in
index 5367203e..fa44d2b6 100644
--- a/bus/Makefile.in
+++ b/bus/Makefile.in
@@ -15,7 +15,7 @@
 @SET_MAKE@
 
 # aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Tue Jun  2 13:56:47 BST 2020
+# from AX_AM_MACROS_STATIC on Thu Jul  2 11:10:39 BST 2020
 
 
 VPATH = @srcdir@
diff --git a/configure b/configure
index c1b736f4..38db1dd4 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for dbus 1.12.18.
+# Generated by GNU Autoconf 2.69 for dbus 1.12.20.
 #
 # Report bugs to .
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='dbus'
 PACKAGE_TARNAME='dbus'
-PACKAGE_VERSION='1.12.18'
-PACKAGE_STRING='dbus 1.12.18'
+PACKAGE_VERSION='1.12.20'
+PACKAGE_STRING='dbus 1.12.20'
 PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=dbus'
 PACKAGE_URL=''
 
@@ -1579,7 +1579,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures dbus 1.12.18 to adapt to many kinds of systems.
+\`configure' configures dbus 1.12.20 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1654,7 +1654,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
- short | recursive ) echo "Configuration of dbus 

Bug#964291: stretch-pu: package mariadb-10.1 10.1.45-0+deb9u1

[Adam D. Barratt]

On Sun, 2020-07-05 at 11:00 +0300, Otto Kekäläinen wrote:
> For unstable the plan is to upload MariaDB 10.5 soon, and therefore
> uploads of MariaDB 10.3 are already discontinued.

How soon is "soon"?

> Since we already
> have MariaDB 10.4 in Debian experimental, it is not even possible to
> do any uploads of MariaDB 10.3 because of triggering the NEW queue
> and version conflicts/downgrades.

I'm not sure I understand this comment.

mariadb 10.3 is still in unstable and, as far as I can see, no other
version of mariadb is. Therefore, uploading a new revision there should
neither trigger NEW, nor any version issues.

Yes, unstable and experimental share overrides, but that simply means
that an upload of 10.4 to unstable wouldn't hit NEW, it doesn't imply
anything about uploads of 10.3 in the meantime.

Regards,

Adam

Bug#964291: stretch-pu: package mariadb-10.1 10.1.45-0+deb9u1

[Otto Kekäläinen]

For unstable the plan is to upload MariaDB 10.5 soon, and therefore
uploads of MariaDB 10.3 are already discontinued. Since we already
have MariaDB 10.4 in Debian experimental, it is not even possible to
do any uploads of MariaDB 10.3 because of triggering the NEW queue and
version conflicts/downgrades.

A stable update for Buster with latest MariaDB 10.3 is in the works.

Bug#964291: stretch-pu: package mariadb-10.1 10.1.45-0+deb9u1

[Adam D. Barratt]

On Sun, 2020-07-05 at 09:59 +0300, Otto Kekäläinen wrote:
> mariadb-10.1 (10.1.45-0+deb9u1) stretch; urgency=high
> 
>   * SECURITY UPDATE: New upstream version 10.1.45. Includes fixes for
> the
> following security vulnerabilities:
> - CVE-2020-2752
> - CVE-2020-2812
> - CVE-2020-2814

According to the security tracker, none of those are currently resolved
in unstable. What's the plan there?

Regards,

Adam

Processed: Re: Bug#964291: stretch-pu: package mariadb-10.1 10.1.45-0+deb9u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 -moreinfo
Bug #964291 [release.debian.org] stretch-pu: package mariadb-10.1 
10.1.45-0+deb9u1
Removed tag(s) moreinfo.

-- 
964291: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964291
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#964291: stretch-pu: package mariadb-10.1 10.1.45-0+deb9u1

[Otto Kekäläinen]

Control: tags -1 -moreinfo

> Tagging your bug "moreinfo" means that it's not ready for processing by
> SRM. Is that what you intended?

Thanks for a quick response. I just copied the previous stable update
email I've sent without realizing that it wasn't directly suited.
Sorry for the mistakes.

The package is ready for processing by the SRM and it is a normal
request (but with security fixes included).

Processed: Re: Bug#964291: stretch-pu: package mariadb-10.1 10.1.45-0+deb9u1

[Debian Bug Tracking System]

Processing control commands:

> severity -1 normal
Bug #964291 [release.debian.org] stretch-pu: package mariadb-10.1 
10.1.45-0+deb9u1
Ignoring request to change severity of Bug 964291 to the same value.

-- 
964291: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964291
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#964291: stretch-pu: package mariadb-10.1 10.1.45-0+deb9u1

[Adam D. Barratt]

Control: severity -1 normal

On Sun, 2020-07-05 at 09:59 +0300, Otto Kekäläinen wrote:
> Package: release.debian.org
> Severity: serious

No. p-u bugs (and basically all release.d.o bugs) are (still) normal at
most. Please don't inflate severity like that. It may be RC for your
individual package, it is not so for the release management process.

> Tags: stretch, moreinfo

Tagging your bug "moreinfo" means that it's not ready for processing by
SRM. Is that what you intended?

Regards,

Adam

Processed: Re: Bug#964291: stretch-pu: package mariadb-10.1 10.1.45-0+deb9u1

[Debian Bug Tracking System]

Processing control commands:

> severity -1 normal
Bug #964291 [release.debian.org] stretch-pu: package mariadb-10.1 
10.1.45-0+deb9u1
Severity set to 'normal' from 'serious'

-- 
964291: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964291
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems