Bug#987510: unblock: cqrlog/2.5.1-2

2021-04-24 Thread Christoph Berg
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Debian Hamradio Maintainers 

Please unblock package cqrlog.

[ Reason ]
The new version fixes import of .adif files which is the standard
hamradio logbook interchange format. (#987032)

[ Impact ]
This logbook program wouldn't be able to read logbooks.

[ Tests ]
Manual testing by Federico Grau.

[ Risks ]
The change was tested and the patch is small.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock cqrlog/2.5.1-2

Thanks,
Christoph

No differences were encountered between the control files

diff -Nru cqrlog-2.5.1/debian/changelog cqrlog-2.5.1/debian/changelog
--- cqrlog-2.5.1/debian/changelog	2021-02-02 12:46:56.0 +0100
+++ cqrlog-2.5.1/debian/changelog	2021-04-17 20:23:46.0 +0200
@@ -1,3 +1,10 @@
+cqrlog (2.5.1-2) unstable; urgency=medium
+
+  * Team upload.
+  * Patch from upstream commits to fix ADIF import (Closes: #987032)
+
+ -- Federico Grau   Sat, 17 Apr 2021 14:23:46 -0400
+
 cqrlog (2.5.1-1) unstable; urgency=medium
 
   * New upstream version 2.5.1.
diff -Nru cqrlog-2.5.1/debian/patches/adif_import_regex_fix_2021-04-17.patch cqrlog-2.5.1/debian/patches/adif_import_regex_fix_2021-04-17.patch
--- cqrlog-2.5.1/debian/patches/adif_import_regex_fix_2021-04-17.patch	1970-01-01 01:00:00.0 +0100
+++ cqrlog-2.5.1/debian/patches/adif_import_regex_fix_2021-04-17.patch	2021-04-17 20:23:46.0 +0200
@@ -0,0 +1,27 @@
+Patch to fix Debian#987032: cqrlog: Importing ADIF-logs results in 0 byte logs - https://bugs.debian.org/987032
+Applies upstream commits:
+42d1ad402affd0af0f3087562c101fc34940ffc5
+Original_Author: Petr Hlozek 
+Date:   Sun Feb 7 07:19:57 2021 +0100
+
+fix: workaround for 'TRegExpr exec: empty input string' error in fpc compiler
+Author: donf...@casagrau.org
+diff --git a/src/fAdifImport.pas b/src/fAdifImport.pas
+index 2481086..934b158 100644
+--- a/src/fAdifImport.pas
 b/src/fAdifImport.pas
+@@ -420,8 +420,12 @@ begin
+ d.IOTA  := UpperCase(d.IOTA);
+ d.NAME  := Copy(d.NAME, 1 ,40);
+ d.QTH   := Copy(d.QTH, 1, 60);
+-d.DARC_DOK := ReplaceRegExpr('Ø', d.DARC_DOK, '0', True);
+-d.DARC_DOK := LeftStr(Uppercase(ReplaceRegExpr('[^a-zA-Z0-9]',d.DARC_DOK, '', True)), 12);
++//workaround for 'TRegExpr exec: empty input string' error in fpc compiler
++if (trim(d.DARC_DOK) <> '') then
++begin
++  d.DARC_DOK := ReplaceRegExpr('Ø', d.DARC_DOK, '0', True);
++  d.DARC_DOK := LeftStr(Uppercase(ReplaceRegExpr('[^a-zA-Z0-9]',d.DARC_DOK, '', True)), 12);
++end;
+ 
+ d.QSL_VIA := UpperCase(d.QSL_VIA);
+ if Pos('QSL VIA',d.QSL_VIA) > 0 then
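Review bot: In the fAdifImport.pas change, the new guard `if (trim(d.DARC_DOK) <> '') then` skips normalisation for a whitespace-only DARC_DOK, so such a value is now stored unchanged instead of being stripped by the `[^a-zA-Z0-9]` replacement. Consider adding an else branch that sets d.DARC_DOK := '' so the field is always either normalised or empty. Separately, the patch header uses free-form fields (Original_Author, Author) and gives the upstream commit hash without a repository URL; DEP-3 style Origin and Bug-Debian fields would make the provenance easier to verify.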
diff -Nru cqrlog-2.5.1/debian/patches/series cqrlog-2.5.1/debian/patches/series
--- cqrlog-2.5.1/debian/patches/series	2021-02-02 12:46:56.0 +0100
+++ cqrlog-2.5.1/debian/patches/series	2021-04-17 20:23:46.0 +0200
@@ -1,2 +1,3 @@
 apparmor-fix.patch
 icon-patch
+adif_import_regex_fix_2021-04-17.patch


Bug#987506: unblock: inventor/2.1.5-10-23.1

2021-04-24 Thread Chris Hofstaedtler
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package inventor.
At the vBSP Salzburg I have uploaded an NMU to fix the empty
inventor-doc package. By accident I forgot to properly close the bug,
but have done so manually.

unblock inventor/2.1.5-10-23.1

debdiff below:

diff -Nru inventor-2.1.5-10/debian/changelog inventor-2.1.5-10/debian/changelog
--- inventor-2.1.5-10/debian/changelog  2020-10-20 02:15:34.0 +
+++ inventor-2.1.5-10/debian/changelog  2021-04-24 11:51:14.0 +
@@ -1,3 +1,11 @@
+inventor (2.1.5-10-23.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Remove arch-specific filter used when building the arch: all
+packages, hopefully fixing #889189.
+
+ -- Chris Hofstaedtler   Sat, 24 Apr 2021 11:51:14 +
+
 inventor (2.1.5-10-23) unstable; urgency=medium
 
   [ Steve Robbins ]
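Review bot: The new changelog entry refers to the bug only as "hopefully fixing #889189", with no Closes: marker, so the upload does not close the bug automatically. Once the fix is confirmed, the reference should be written as (Closes: #889189) so the changelog and the bug tracker stay in sync.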
diff -Nru inventor-2.1.5-10/debian/rules inventor-2.1.5-10/debian/rules
--- inventor-2.1.5-10/debian/rules  2020-10-20 02:15:34.0 +
+++ inventor-2.1.5-10/debian/rules  2021-04-24 11:51:14.0 +
@@ -48,7 +48,10 @@
 # ensure that the uploader builds on a favoured architecture, e.g.
 # i386.
 #
-ifneq (,$(findstring $(DEB_BUILD_ARCH),i386 sparc powerpc mips mipsel))
+# NMU note: "all" is now built on an amd64 buildd. Lets just hope
+# ivman works on amd64; hardcoding a list of archs that are not used
+# to build "all" certainly does not help.
+ifneq (,$(findstring $(DEB_BUILD_ARCH),amd64 i386 sparc powerpc mips mipsel))
 export BUILDMAN=true
 endif
 
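Review bot: The changed `ifneq (,$(findstring $(DEB_BUILD_ARCH),amd64 i386 sparc powerpc mips mipsel))` line keeps the hardcoded architecture list that the added NMU comment itself says "certainly does not help", so BUILDMAN is still unset when arch: all is built on any architecture outside the list. Either export BUILDMAN unconditionally for the arch-independent build, or at least switch to `$(filter $(DEB_BUILD_ARCH),...)`, which matches whole words where findstring matches substrings.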



Bug#987501: marked as done (unblock ruby-librarian/0.6.4-3)

2021-04-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Apr 2021 22:29:18 +0200
with message-id 
and subject line Re: Bug#987501: unblock ruby-librarian/0.6.4-3
has caused the Debian Bug report #987501,
regarding unblock ruby-librarian/0.6.4-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
987501: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987501
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock bsp-2021-04-AT-Salzburg

Hello,

This upload fixes #987113 and is actually a one-liner change:
```
-  project_path = Pathname.new(__FILE__).expand_path
+  project_path = Pathname.pwd.expand_path
```
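Review bot: The replacement `Pathname.pwd.expand_path` makes project_path depend on the working directory of the process rather than on the location of the source file, and the excerpt shows no surrounding context to confirm that callers always run from the project root. A comment at this line stating that assumption, or a test that runs from a different directory, would make the behaviour change explicit.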

A more formal debdiff is attached. Requesting you to please unblock
this. Should you need any more details, please let me know. TIA!


- u


ruby-librarian-sid.debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
Hi,

On 24-04-2021 22:08, Utkarsh Gupta wrote:
> A more formal debdiff is attached. Requesting you to please unblock
> this.

unblocked, thanks.

Paul



--- End Message ---


Bug#987504: imagemagick: attempt to perform an operation not allowed by the security policy `EPS'

2021-04-24 Thread Adrian Bunk
Package: imagemagick
Version: 8:6.9.11.60+dfsg-1.2
Severity: serious
Tags: ftbfs
Control: found -1 8:6.9.10.23+dfsg-2.1+deb10u1
Control: affects -1 src:ftgl src:foxtrotgps src:gri src:kannel src:mlpost 
src:muttprint src:ns3 src:sctk src:texworks-manual src:therion src:vlfeat 
src:x4d-icons src:xnee

https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/ftgl.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/foxtrotgps.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/gri.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/kannel.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/mlpost.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/muttprint.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/ns3.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/sctk.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/texworks-manual.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/therion.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/vlfeat.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/x4d-icons.html
https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/xnee.html

...
convert-im6.q16: attempt to perform an operation not allowed by the security 
policy `EPS' @ error/constitute.c/IsCoderAuthorized/408.
convert-im6.q16: attempt to perform an operation not allowed by the security 
policy `EPS' @ error/constitute.c/IsCoderAuthorized/408.
make[3]: *** [Makefile:931: screenshots/map-download.eps] Error 1


A security change that just went into imagemagick in unstable,
but already went into imagemagick in buster last autumn,
makes around a dozen packages FTBFS in unstable resp. buster.

Background:
https://bugs.launchpad.net/ubuntu/+source/kannel/+bug/1838425

Options are either reverting the imagemagick change or fixing
the packages that got broken in bullseye and buster.

Security and release teams are Cc'ed.
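
To triage the failure reported above, the following added example (not part of the original report) extracts coder denials from a build log and lists the policy rules that restrict each one. The log text is the error quoted in the report; the policy fragment is constructed, and the function names are hypothetical.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed build-log excerpt using the error text quoted in the report.
# The message is wrapped over two lines, as in the quoted log.
SAMPLE_LOG = """\
convert-im6.q16: attempt to perform an operation not allowed by the security
policy `EPS' @ error/constitute.c/IsCoderAuthorized/408.
convert-im6.q16: attempt to perform an operation not allowed by the security
policy `EPS' @ error/constitute.c/IsCoderAuthorized/408.
make[3]: *** [Makefile:931: screenshots/map-download.eps] Error 1
"""

# Constructed policy fragment (assumption: the installed policy.xml carries
# coder rules of this form; read the real file on the build host instead).
SAMPLE_POLICY = """\
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>
"""

# Matches the denial raised by the coder check shown in the report.
DENIAL = re.compile(
    r"\S+: attempt to perform an operation not allowed by the security "
    r"policy `(?P<coder>[^']+)' @ error/\S+?/IsCoderAuthorized/\d+"
)


def denied_coders(log_text):
    """Count policy denials per coder, tolerating wrapped log lines."""
    flat = re.sub(r"\s+", " ", log_text)  # undo line wrapping
    return Counter(m.group("coder") for m in DENIAL.finditer(flat))


def restricting_rules(policy_xml, coder):
    """Return (pattern, rights) for coder rules that match `coder` and do
    not grant both read and write.

    fnmatch only approximates ImageMagick's glob matching; brace lists in
    a pattern are not handled. No rule precedence is evaluated here: every
    matching restrictive rule is listed for a human to review.
    """
    rules = []
    for rule in ET.fromstring(policy_xml).iter("policy"):
        if rule.get("domain", "").lower() != "coder":
            continue
        pattern = rule.get("pattern", "")
        rights_attr = rule.get("rights", "")
        rights = {r.strip().lower() for r in rights_attr.split("|")}
        if not fnmatch.fnmatchcase(coder.upper(), pattern.upper()):
            continue
        if not {"read", "write"} <= rights:
            rules.append((pattern, rights_attr))
    return rules


def explain(log_text, policy_xml):
    """Map each denied coder to its denial count and restricting rules."""
    return {
        coder: {"count": n, "rules": restricting_rules(policy_xml, coder)}
        for coder, n in denied_coders(log_text).items()
    }


if __name__ == "__main__":
    for coder, info in explain(SAMPLE_LOG, SAMPLE_POLICY).items():
        print(f"{coder}: {info['count']} denial(s), rules: {info['rules']}")
```

Run against the logs of the affected source packages, this separates builds that fail on the coder policy from unrelated failures before deciding between a revert and per-package fixes.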



Bug#987501: unblock ruby-librarian/0.6.4-3

2021-04-24 Thread Utkarsh Gupta
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock bsp-2021-04-AT-Salzburg

Hello,

This upload fixes #987113 and is actually a one-liner change:
```
-  project_path = Pathname.new(__FILE__).expand_path
+  project_path = Pathname.pwd.expand_path
```

A more formal debdiff is attached. Requesting you to please unblock
this. Should you need any more details, please let me know. TIA!


- u


ruby-librarian-sid.debdiff
Description: Binary data


NEW changes in stable-new

2021-04-24 Thread Debian FTP Masters
Processing changes file: freediameter_1.2.1-7+deb10u1_s390x-buildd.changes
  ACCEPT
Processing changes file: 
xfce4-weather-plugin_0.8.10-1+deb10u1_s390x-buildd.changes
  ACCEPT



Bug#987400: [Pkg-tcltk-devel] Bug#987397: tcltls: build conflict with openssl requires removal of too many packages

2021-04-24 Thread Sergei Golovan
Control: tags -1 - moreinfo

The package is uploaded.

On Sat, Apr 24, 2021 at 1:43 PM Andrej Shadura  wrote:
>
> Hi,
>
> On Sat, 24 Apr 2021, at 12:38, Graham Inggs wrote:
> > On Fri, 23 Apr 2021 at 13:12, Andrej Shadura  wrote:
> > > I finally came back from lunch, the latest debdiff and the diffoscope 
> > > output are attached.
> >
> > The diffoscope output of a no-change rebuild of 1.7.22-1 and 1.7.22-2
> > should show fewer differences.
> >
> > I don't see the upload of 1.7.22-2 yet, so in case you were wanting
> > pre-approval, please go ahead and upload, and remove the moreinfo tag
> > once the new version is available in unstable.
>
> Right, I should have clarified — I didn't rebuild -1.
>
> Sergei, will you upload this? I'll only be back at the keyboard in the 
> evening.
>
> --
> Cheers,
>   Andrej



-- 
Sergei Golovan



Processed: Re: Bug#987400: [Pkg-tcltk-devel] Bug#987397: tcltls: build conflict with openssl requires removal of too many packages

2021-04-24 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo
Bug #987400 [release.debian.org] unblock: tcltls/1.7.22-2
Removed tag(s) moreinfo.

-- 
987400: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987400
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Re: Tentative summary of the AMD/ATI/NVidia issue

2021-04-24 Thread Moritz Mühlenhoff
You wrote in gmane.linux.debian.devel.release:
> Lucas Nussbaum writes:
>> It looks like the three open paths for resolution are:
>>
>> A) understand and restore the behaviour from Debian 10, that is, get X
>> to work in a degraded mode after installation. How it worked with Debian
>> 10 (and why it doesn't with Debian 11) is unknown.
>>
>> B) In the installer, detect that firmware-amd-graphics or
>> firmware-misc-nonfree should be installed, and either install it (?),
>> or redirect the user to the unofficial installer that includes them.
>>
>> C) Do nothing and document this in the release notes
>
> There is at least also
>
> D) Install (non-free) firmware and include it in official install media.
>
> I don't think degraded operation (just vesa, no sound, no wifi, known
> issues in microcode, ...) will continue to be an attractive option.
> So maybe we should revisit whether we should just include firmware; I
> wanted to suggest so at least for Bookworm.

+100

Let's postpone the tentative release date and use the time to create
a separate non-free/firmware section which contains the various
firmwares and amd64-microcode/intel-microcode and which gets included
in our default installation media.

There can still be special images for use in virtualisation, containers
and special hardware for those who care, but let's end this fallacy.

If the involved teams (FTP masters, d-i, debian-cd) feel they
need some educated opinion from the rest of the project, then by all
means let's settle this with a GR, but A-C are just wasted efforts
or provide a horrible user experience for no benefit at all.

Cheers,
Moritz



NEW changes in stable-new

2021-04-24 Thread Debian FTP Masters
Processing changes file: 
xfce4-weather-plugin_0.8.10-1+deb10u1_mipsel-buildd.changes
  ACCEPT



NEW changes in stable-new

2021-04-24 Thread Debian FTP Masters
Processing changes file: freediameter_1.2.1-7+deb10u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: freediameter_1.2.1-7+deb10u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: 
xfce4-weather-plugin_0.8.10-1+deb10u1_mips64el-buildd.changes
  ACCEPT



Bug#987472: marked as done (unblock: consul/1.8.7+dfsg1-2)

2021-04-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Apr 2021 19:38:15 +0200
with message-id <7bd54a11-7c86-f7be-3e96-94605741e...@debian.org>
and subject line Re: Bug#987472: unblock: consul/1.8.7+dfsg1-2
has caused the Debian Bug report #987472,
regarding unblock: consul/1.8.7+dfsg1-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
987472: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987472
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package consul

New release only adds the patch for CVE-2020-25864 fixing the RC bug #987351.

debdiff below also includes the config for Salsa CI that was not present in
the previous version for some reason.

unblock consul/1.8.7+dfsg1-2


diff -Nru consul-1.8.7+dfsg1/debian/changelog 
consul-1.8.7+dfsg1/debian/changelog
--- consul-1.8.7+dfsg1/debian/changelog 2021-01-10 16:37:17.0 +0100
+++ consul-1.8.7+dfsg1/debian/changelog 2021-04-24 12:06:56.0 +0200
@@ -1,3 +1,9 @@
+consul (1.8.7+dfsg1-2) unstable; urgency=medium
+
+  * Add patch for CVE-2020-25864 (Closes: #987351)
+
+ -- Valentin Vidic   Sat, 24 Apr 2021 12:06:56 +0200
+
 consul (1.8.7+dfsg1-1) unstable; urgency=medium
 
   [ Arnaud Rebillout ]
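Review bot: The new changelog entry lists only the CVE-2020-25864 patch, while the same debdiff also adds debian/.gitlab-ci.yml. Add a changelog line for the Salsa CI configuration so that every change in the upload is documented.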
diff -Nru consul-1.8.7+dfsg1/debian/.gitlab-ci.yml 
consul-1.8.7+dfsg1/debian/.gitlab-ci.yml
--- consul-1.8.7+dfsg1/debian/.gitlab-ci.yml1970-01-01 01:00:00.0 
+0100
+++ consul-1.8.7+dfsg1/debian/.gitlab-ci.yml2021-04-24 12:06:56.0 
+0200
@@ -0,0 +1,37 @@
+---
+# https://docs.gitlab.com/ce/ci/yaml/#include
+include:
+  - remote: https://salsa.debian.org/onlyjob/ci/raw/master/onlyjob-ci.yml
+
+## "amd64-unstable" always runs by default followed by lintian.
+
+## Only for arch:all packages:
+binary-indep:
+  extends: .build-indep
+
+## Job to check Build-Depends versioning:
+amd64-testing_unstable:
+  extends: .build
+  variables:
+arch: amd64
+dist: testing_unstable
+
+i386-unstable:
+  extends: .build
+  variables:
+arch: i386
+dist: unstable
+
+amd64-experimental:
+  extends: .build
+  variables:
+arch: amd64
+dist: experimental
+
+amd64-stable:
+  extends: .build
+  when: manual
+  allow_failure: true
+  variables:
+arch: amd64
+dist: stable
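Review bot: The `include: - remote:` entry at the top of the new file pulls the pipeline definition from the master branch of a personal namespace (salsa.debian.org/onlyjob/ci), so whatever is on that branch at run time defines the CI jobs for this package. Pin the include to a specific commit or tag, or use a team-maintained pipeline definition, so that a change to that branch cannot silently alter what the pipeline executes.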
diff -Nru consul-1.8.7+dfsg1/debian/patches/CVE-2020-25864.patch 
consul-1.8.7+dfsg1/debian/patches/CVE-2020-25864.patch
--- consul-1.8.7+dfsg1/debian/patches/CVE-2020-25864.patch  1970-01-01 
01:00:00.0 +0100
+++ consul-1.8.7+dfsg1/debian/patches/CVE-2020-25864.patch  2021-04-24 
12:06:56.0 +0200
@@ -0,0 +1,139 @@
+From 447dd528f64d8bf481da9ac8445dd446bd4aa5c0 Mon Sep 17 00:00:00 2001
+From: Kent 'picat' Gruber 
+Date: Wed, 14 Apr 2021 18:49:14 -0400
+Subject: [PATCH] Merge pull request #10023 from hashicorp/fix-raw-kv-xss
+
+Add content type headers to raw KV responses
+---
+ .changelog/10023.txt   |  3 ++
+ agent/kvs_endpoint.go  | 13 +--
+ agent/kvs_endpoint_test.go | 71 ++
+ 3 files changed, 85 insertions(+), 2 deletions(-)
+ create mode 100644 .changelog/10023.txt
+
+diff --git a/.changelog/10023.txt b/.changelog/10023.txt
+new file mode 100644
+index 000..92d85dbd0b9
+--- /dev/null
 b/.changelog/10023.txt
+@@ -0,0 +1,3 @@
++```release-note:security
++Add content-type headers to raw KV responses to prevent XSS attacks 
[CVE-2020-25864](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25864)
++```
+\ No newline at end of file
+diff --git a/agent/kvs_endpoint.go b/agent/kvs_endpoint.go
+index feb6b7bfd26..2b54fb783e2 100644
+--- a/agent/kvs_endpoint.go
 b/agent/kvs_endpoint.go
+@@ -80,11 +80,20 @@ func (s *HTTPServer) KVSGet(resp http.ResponseWriter, req 
*http.Request, args *s
+   return nil, nil
+   }
+ 
+-  // Check if we are in raw mode with a normal get, write out
+-  // the raw body
++  // Check if we are in raw mode with a normal get, write out the raw body
++  // while setting the Content-Type, Content-Security-Policy, and
++  // X-Content-Type-Options headers to prevent XSS attacks from malicious 
KV
++  // entries. Otherwise, the net/http server will sniff the body to set 
the
++  // Content-Type. The nosniff option then indicates to the browser that 
it
++  // should also skip sniffing the body, otherwise it might ignore the 
Content-Type
++  // header in some situations. The sandbox option provides another layer 
of defense
++  // using the browser's content security policy to 

Bug#987494: buster-pu: package fluidsynth/1.1.11-1+deb10u1

2021-04-24 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
X-Debbugs-Cc: t...@security.debian.org, a...@debian.org
Usertags: pu bsp-2021-04-AT-Salzburg
Tags: buster
Severity: normal

Hello,

src:fluidsynth has been affected by CVE-2021-28421 which is fixed in
sid and unblocked for bullseye. Since this affects buster as well, I'm
hereby opening a pu update bug for tracking.

Thanks to Reiner Herrmann for preparing and testing the update. I've
reviewed and it looks good; the debdiff is duly attached. Let me know
if you need any more information. TIA!


- u


fluidsynth-buster.debdiff
Description: Binary data


Bug#987485: marked as done (unblock: jhead/1:3.04-6)

2021-04-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Apr 2021 19:21:43 +0200
with message-id <787e5402-8d2e-5bad-3330-a562cdeca...@debian.org>
and subject line Re: Bug#987485: unblock: jhead/1:3.04-6
has caused the Debian Bug report #987485,
regarding unblock: jhead/1:3.04-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
987485: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987485
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package jhead

It fixes a number of buffer overflows and related issues, applying
upstream fixes only.

The changelog is

jhead (1:3.04-6) unstable; urgency=medium

  * QA upload (Salzburg BSP).
  * CVE-2021-3496: check access boundaries in ProcessCanonMakerNoteDir().
Closes: #986923.
  * Check IPTC lengths. Closes: #968999.
  * Allocate extra room when reading JPEG sections to avoid overflows.
Closes: #972617.

 -- Stephen Kitt   Sat, 24 Apr 2021 14:59:38 +0200

and the debdiff is attached.

unblock jhead/1:3.04-6

Regards,

Stephen


-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable'), 
(100, 'unstable-debug'), (100, 'testing-debug'), (100, 'unstable'), (100, 
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64

Kernel: Linux 4.19.0-12-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 2584ce0..2198041 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+jhead (1:3.04-6) UNRELEASED; urgency=medium
+
+  * QA upload (Salzburg BSP).
+  * CVE-2021-3496: check access boundaries in ProcessCanonMakerNoteDir().
+Closes: #986923.
+  * Check IPTC lengths. Closes: #968999.
+  * Allocate extra room when reading JPEG sections to avoid overflows.
+Closes: #972617.
+
+ -- Stephen Kitt   Sat, 24 Apr 2021 13:59:35 +0200
+
 jhead (1:3.04-5) unstable; urgency=medium
 
   * QA upload.
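Review bot: The changelog entry in this diff is marked UNRELEASED and signed at 13:59:35, while the changelog quoted in the request body says unstable and 14:59:38, so the attached diff is not the one generated from the uploaded package. Regenerate the debdiff from the final source package so that the reviewed changes match the upload.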
diff --git a/debian/patches/allocate-extra.patch 
b/debian/patches/allocate-extra.patch
new file mode 100644
index 000..f060a3d
--- /dev/null
+++ b/debian/patches/allocate-extra.patch
@@ -0,0 +1,32 @@
+commit 5186ddcf9e35a7aa0ff0539489a930434a1325f4
+Author: Matthias 
+Date:   Fri Oct 23 10:17:20 2020 -0300
+
+Just allocate 20 bytes extra at the end of a section. Otherwise, we end
+up with a whole lot of little checks for structures that the file says
+are there but are unexpectedly cut off in fuzz tests
+
+--- a/jpgfile.c
 b/jpgfile.c
+@@ -170,7 +170,11 @@
+ 
+ Sections[SectionsRead].Size = itemlen;
+ 
+-Data = (uchar *)malloc(itemlen);
++// Allocate an extra 20 bytes more than needed, because sometimes 
when reading structures,
++// if the section erroneously ends before short structures that 
should be there, that can trip
++// memory checkers in combination with fuzzers.
++Data = (uchar *)malloc(itemlen+20);
++  
+ if (Data == NULL){
+ ErrFatal("Could not allocate memory");
+ }
+@@ -477,7 +481,7 @@
+  return FALSE;
+ }
+ 
+-ThumbLen = 0;
++ThumbLen = 0;
+ ThumbnailFile = NULL;
+ }
+ 
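Review bot: In the jpgfile.c change, `malloc(itemlen+20)` pads the buffer instead of bounding the reads, and the 20 extra bytes are left uninitialised, so a parser that runs past a truncated section now reads indeterminate heap contents rather than triggering a memory checker. Zero the tail (or allocate with calloc) and give the padding a named constant that documents which structure size it is meant to cover. The second hunk changes only whitespace on `ThumbLen = 0;` and could be dropped from a targeted fix.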
diff --git a/debian/patches/cve-2021-3496.patch 
b/debian/patches/cve-2021-3496.patch
new file mode 100644
index 000..1a7ce58
--- /dev/null
+++ b/debian/patches/cve-2021-3496.patch
@@ -0,0 +1,33 @@
+commit ca2973f4ce79279c15a09cf400648a757c1721b0
+Author: matthias wandel 
+Date:   Wed Apr 14 09:01:30 2021 -0300
+
+Fix another fuztest access too far beyond allocated bug
+
+--- a/makernote.c
 b/makernote.c
+@@ -64,7 +64,7 @@
+ unsigned OffsetVal;
+ OffsetVal = Get32u(DirEntry+8);
+ // If its bigger than 4 bytes, the dir entry contains an offset.
+-if (OffsetVal+ByteCount > ExifLength){
++if (OffsetVal+ByteCount > (unsigned)ExifLength || OffsetVal > 
65536){
+ // Bogus pointer offset and / or bytecount value
+ ErrNonfatal("Illegal value pointer for Exif maker tag %04x", 
Tag,0);
+ continue;
+@@ -119,6 +119,7 @@
+ }
+ }
+ if (Ta
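Review bot: In the makernote.c check, `OffsetVal+ByteCount > (unsigned)ExifLength` is still evaluated as an unsigned sum, and the added `OffsetVal > 65536` bounds only one operand; ByteCount's type and range are not visible in this hunk, so a very large ByteCount could still wrap the sum below ExifLength. A subtraction form, rejecting when ByteCount exceeds ExifLength or when OffsetVal exceeds ExifLength minus ByteCount, avoids the wrap without depending on the 65536 constant. The patch text is also cut off after this point, so the second hunk cannot be reviewed.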

Bug#987471: marked as done (unblock: fluidsynth/2.1.7-1.1)

2021-04-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Apr 2021 19:05:02 +0200
with message-id <127a44c8-9176-a2ce-dcf8-4669aee12...@debian.org>
and subject line Re: Bug#987471: unblock: fluidsynth/2.1.7-1.1
has caused the Debian Bug report #987471,
regarding unblock: fluidsynth/2.1.7-1.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
987471: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987471
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: utka...@debian.org, debian-multime...@lists.debian.org

Please unblock package fluidsynth

I intend to NMU version 2.1.7-1.1 to DELAYED/3, which imports
an upstream security fix.

[ Reason ]
The package has a use-after-free vulnerability.

[ Impact ]
Arbitrary code execution or denial of service.

[ Tests ]
I tested that it compiles, installs and tested running it
against the vulnerable example file from the upstream bug
tracker. With the patch applied, it no longer crashes.

unblock fluidsynth/2.1.7-1.1
diff -Nru fluidsynth-2.1.7/debian/changelog fluidsynth-2.1.7/debian/changelog
--- fluidsynth-2.1.7/debian/changelog	2021-02-09 21:43:23.0 +0100
+++ fluidsynth-2.1.7/debian/changelog	2021-04-24 13:37:51.0 +0200
@@ -1,3 +1,11 @@
+fluidsynth (2.1.7-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Import patch that fixes use-after-free vulnerability. (CVE-2021-28421)
+(Closes: #987168)
+
+ -- Reiner Herrmann   Sat, 24 Apr 2021 13:37:51 +0200
+
 fluidsynth (2.1.7-1) unstable; urgency=medium
 
   * New upstream version 2.1.7
diff -Nru fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch
--- fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch	1970-01-01 01:00:00.0 +0100
+++ fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch	2021-04-24 13:35:20.0 +0200
@@ -0,0 +1,84 @@
+From 005719628aef0bd48dc7b2f860c7e4ca16b81044 Mon Sep 17 00:00:00 2001
+From: Tom M 
+Date: Mon, 15 Mar 2021 20:12:51 +0100
+Subject: [PATCH] Invalid generators were not removed from zone list (#810)
+Bug: https://github.com/FluidSynth/fluidsynth/issues/808
+Bug-Debian: https://bugs.debian.org/987168
+
+fluid_list_remove() should receive the beginning of a list, so it can adjust the predecessor of the element to be removed. Otherwise the element would remain in the list, which in this case led to a use-after-free afterwards.
+---
+ src/sfloader/fluid_sffile.c | 20 
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/sfloader/fluid_sffile.c b/src/sfloader/fluid_sffile.c
+index 001a0a0a4..47ab98d97 100644
+--- a/src/sfloader/fluid_sffile.c
 b/src/sfloader/fluid_sffile.c
+@@ -1355,7 +1355,7 @@ static int load_pmod(SFData *sf, int size)
+  * --- */
+ static int load_pgen(SFData *sf, int size)
+ {
+-fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
++fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
+ SFZone *z;
+ SFGen *g;
+ SFGenAmount genval;
+@@ -1369,7 +1369,7 @@ static int load_pgen(SFData *sf, int size)
+ /* traverse through all presets */
+ gzone = FALSE;
+ discarded = FALSE;
+-p2 = ((SFPreset *)(p->data))->zone;
++start_of_zone_list = p2 = ((SFPreset *)(p->data))->zone;
+ 
+ if(p2)
+ {
+@@ -1516,11 +1516,13 @@ static int load_pgen(SFData *sf, int size)
+ }
+ else
+ {
++p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */
+ /* previous global zone exists, discard */
+ FLUID_LOG(FLUID_WARN, "Preset '%s': Discarding invalid global zone",
+   ((SFPreset *)(p->data))->name);
+-*hz = fluid_list_remove(*hz, p2->data);
+-delete_zone((SFZone *)fluid_list_get(p2));
++fluid_list_remove(start_of_zone_list, z);
++delete_zone(z);
++continue;
+ }
+ }
+ 
+@@ -1864,7 +1866,7 @@ static int load_imod(SFData *sf, int size)
+ /* load instrument generators (see load_pgen for loading rules) */
+ static int load_igen(SFData *sf, int size)
+ {
+-fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
++fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
+ SFZone *z;
+ SFGen *g;
+ SFGenAmount ge
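Review bot: In the load_pgen hunk at line 1516, `fluid_list_remove(start_of_zone_list, z);` discards the return value, whereas the removed line stored the result of fluid_list_remove(). If the removed element can ever be the head of the zone list, the head pointer would keep referring to the freed node. Either store the returned list back into the preset's zone pointer or add a comment stating why the discarded zone is never the first element in this branch. The patch text is cut off inside load_igen, so the matching change there cannot be checked.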

Bug#987493: unblock: gutenprint/5.3.3-5

2021-04-24 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: gutenpr...@packages.debian.org

This is a pre-approval request for package gutenprint.

[ Reason ]
It was reported on #987457 that the gutenprint-locales packages contained no…
locales. This has apparently slipped through almost a full release cycle.

Anyway. I'd like to fix this in unstable, by building and installing the .mo
files.

[ Impact ]
No translations for gutenprint.

[ Tests ]
The patch I propose adds a non-regression test in dh_install.

[ Risks ]
I can't think of any, besides taking more disk-space for potentially unused
translations.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock gutenprint/5.3.3-5
diff -Nru gutenprint-5.3.3/debian/changelog gutenprint-5.3.3/debian/changelog
--- gutenprint-5.3.3/debian/changelog   2020-02-17 08:36:42.0 +0100
+++ gutenprint-5.3.3/debian/changelog   2021-04-24 17:37:27.0 +0200
@@ -1,3 +1,9 @@
+gutenprint (5.3.3-5) unstable; urgency=medium
+
+  * Build and install translations in gettext-locales (Closes: #987457)
+
+ -- Didier Raboud   Sat, 24 Apr 2021 17:37:27 +0200
+
 gutenprint (5.3.3-4) unstable; urgency=medium
 
   * Backport upstream patch:
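Review bot: The new changelog line says the translations are installed in "gettext-locales", but the binary package named in the request and in the debian/rules paths is gutenprint-locales. The entry should name that package so the changelog matches the change.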
diff -Nru gutenprint-5.3.3/debian/rules gutenprint-5.3.3/debian/rules
--- gutenprint-5.3.3/debian/rules   2020-02-17 08:36:42.0 +0100
+++ gutenprint-5.3.3/debian/rules   2021-04-24 17:37:27.0 +0200
@@ -26,9 +26,15 @@
  $(MAINTAINER_MODE) \
  --enable-nls
 
+execute_after_dh_auto_build-indep:
+   # Build the gettext translations (#987457)
+   cd po && make update-gmo
+
 override_dh_install-indep:
dh_install -i
rm -f debian/gutenprint-locales/usr/share/locale/*/*.po
+   # Make sure at least some locales are installed (#987457)
+   test -n "$$(find debian/gutenprint-locales/usr/share/locale -name 
gutenprint.mo)"
 
 override_dh_installdocs:
dh_installdocs -pescputil --link-doc=libgutenprint9
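Review bot: In the new execute_after_dh_auto_build-indep target, `cd po && make update-gmo` calls plain make rather than $(MAKE), so the flags and jobserver settings of the parent build are not passed to the sub-make; `$(MAKE) -C po update-gmo` is the usual form. The added `test -n "$$(find ... -name gutenprint.mo)"` check passes as soon as one gutenprint.mo exists, which matches the comment's "at least some locales" but would not notice a partly missing set.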


NEW changes in stable-new

2021-04-24 Thread Debian FTP Masters
Processing changes file: freediameter_1.2.1-7+deb10u1_armhf-buildd.changes
  ACCEPT
Processing changes file: freediameter_1.2.1-7+deb10u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: 
xfce4-weather-plugin_0.8.10-1+deb10u1_armel-buildd.changes
  ACCEPT
Processing changes file: 
xfce4-weather-plugin_0.8.10-1+deb10u1_armhf-buildd.changes
  ACCEPT
Processing changes file: 
xfce4-weather-plugin_0.8.10-1+deb10u1_mips-buildd.changes
  ACCEPT
Processing changes file: 
xfce4-weather-plugin_0.8.10-1+deb10u1_ppc64el-buildd.changes
  ACCEPT



NEW changes in stable-new

2021-04-24 Thread Debian FTP Masters
Processing changes file: crmsh_4.0.0~git20190108.3d56538-3+deb10u1_all.changes
  ACCEPT
Processing changes file: freediameter_1.2.1-7+deb10u1_all.changes
  ACCEPT
Processing changes file: freediameter_1.2.1-7+deb10u1_amd64-buildd.changes
  ACCEPT
Processing changes file: freediameter_1.2.1-7+deb10u1_arm64-buildd.changes
  ACCEPT
Processing changes file: freediameter_1.2.1-7+deb10u1_armel-buildd.changes
  ACCEPT
Processing changes file: freediameter_1.2.1-7+deb10u1_i386-buildd.changes
  ACCEPT
Processing changes file: freediameter_1.2.1-7+deb10u1_mips-buildd.changes
  ACCEPT
Processing changes file: node-glob-parent_3.1.0-1+deb10u1_all.changes
  ACCEPT
Processing changes file: node-handlebars_4.1.0-1+deb10u3_all.changes
  ACCEPT
Processing changes file: node-hosted-git-info_2.7.1-1+deb10u1_all.changes
  ACCEPT
Processing changes file: plinth_19.1+deb10u2_all-buildd.changes
  ACCEPT
Processing changes file: xfce4-weather-plugin_0.8.10-1+deb10u1_amd64-buildd.changes
  ACCEPT
Processing changes file: xfce4-weather-plugin_0.8.10-1+deb10u1_arm64-buildd.changes
  ACCEPT
Processing changes file: xfce4-weather-plugin_0.8.10-1+deb10u1_i386-buildd.changes
  ACCEPT



Bug#987488: (no subject)

2021-04-24 Thread Jan Wagner
user debian-release@lists.debian.org 


usertags -1 + bsp-2021-04-AT-Salzburg
thank you



Bug#987489: buster-pu: package jackson-databind/2.9.8-3+deb10u3

2021-04-24 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
X-Debbugs-Cc: t...@security.debian.org, a...@debian.org
Usertags: pu bsp-2021-04-AT-Salzburg
Tags: buster
Severity: normal

Hello,

src:jackson-databind has been affected by 18 CVEs which are fixed in
unstable and bullseye (and also jessie). Therefore, I'd like them to
be fixed in buster as well. And hence this pu update.

The debdiff is duly attached. Let me know if you need any more information. TIA!


- u


jackson-databind-buster.debdiff
Description: Binary data


Bug#987485: unblock: jhead/1:3.04-6

2021-04-24 Thread Stephen Kitt
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package jhead

It fixes a number of buffer overflows and related issues, applying
upstream fixes only.

The changelog is

jhead (1:3.04-6) unstable; urgency=medium

  * QA upload (Salzburg BSP).
  * CVE-2021-3496: check access boundaries in ProcessCanonMakerNoteDir().
Closes: #986923.
  * Check IPTC lengths. Closes: #968999.
  * Allocate extra room when reading JPEG sections to avoid overflows.
Closes: #972617.

 -- Stephen Kitt   Sat, 24 Apr 2021 14:59:38 +0200

and the debdiff is attached.

unblock jhead/1:3.04-6

Regards,

Stephen


-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable'), 
(100, 'unstable-debug'), (100, 'testing-debug'), (100, 'unstable'), (100, 
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64

Kernel: Linux 4.19.0-12-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 2584ce0..2198041 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+jhead (1:3.04-6) UNRELEASED; urgency=medium
+
+  * QA upload (Salzburg BSP).
+  * CVE-2021-3496: check access boundaries in ProcessCanonMakerNoteDir().
+Closes: #986923.
+  * Check IPTC lengths. Closes: #968999.
+  * Allocate extra room when reading JPEG sections to avoid overflows.
+Closes: #972617.
+
+ -- Stephen Kitt   Sat, 24 Apr 2021 13:59:35 +0200
+
 jhead (1:3.04-5) unstable; urgency=medium
 
   * QA upload.
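Review bot: the new stanza here is still marked `UNRELEASED` and dated 13:59:35, while the changelog quoted in the request body says `unstable` and 14:59:38, so this diff was not generated from the package that was uploaded. Regenerate the debdiff from the uploaded .dsc so the release team reviews exactly what will migrate.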
diff --git a/debian/patches/allocate-extra.patch 
b/debian/patches/allocate-extra.patch
new file mode 100644
index 000..f060a3d
--- /dev/null
+++ b/debian/patches/allocate-extra.patch
@@ -0,0 +1,32 @@
+commit 5186ddcf9e35a7aa0ff0539489a930434a1325f4
+Author: Matthias 
+Date:   Fri Oct 23 10:17:20 2020 -0300
+
+Just allocate 20 bytes extra at the end of a section. Otherwise, we end
+up with a whole lot of little checks for structures that the file says
+are there but are unexpectedly cut off in fuzz tests
+
+--- a/jpgfile.c
 b/jpgfile.c
+@@ -170,7 +170,11 @@
+ 
+ Sections[SectionsRead].Size = itemlen;
+ 
+-Data = (uchar *)malloc(itemlen);
++// Allocate an extra 20 bytes more than needed, because sometimes 
when reading structures,
++// if the section erroneously ends before short structures that 
should be there, that can trip
++// memory checkers in combination with fuzzers.
++Data = (uchar *)malloc(itemlen+20);
++  
+ if (Data == NULL){
+ ErrFatal("Could not allocate memory");
+ }
+@@ -477,7 +481,7 @@
+  return FALSE;
+ }
+ 
+-ThumbLen = 0;
++ThumbLen = 0;
+ ThumbnailFile = NULL;
+ }
+ 
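Review bot: in the first jpgfile.c hunk, `malloc(itemlen+20)` leaves the 20 padding bytes uninitialised, so a parser that runs past a truncated section now reads indeterminate heap bytes instead of tripping the memory checker. Zero the padding (calloc, or memset of the tail) so over-reads see deterministic data, and say in the patch header that this masks truncated structures rather than rejecting them. The second hunk (`ThumbLen = 0;`) appears to be a whitespace-only change and can be dropped from the Debian patch.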
diff --git a/debian/patches/cve-2021-3496.patch 
b/debian/patches/cve-2021-3496.patch
new file mode 100644
index 000..1a7ce58
--- /dev/null
+++ b/debian/patches/cve-2021-3496.patch
@@ -0,0 +1,33 @@
+commit ca2973f4ce79279c15a09cf400648a757c1721b0
+Author: matthias wandel 
+Date:   Wed Apr 14 09:01:30 2021 -0300
+
+Fix another fuztest access too far beyond allocated bug
+
+--- a/makernote.c
 b/makernote.c
+@@ -64,7 +64,7 @@
+ unsigned OffsetVal;
+ OffsetVal = Get32u(DirEntry+8);
+ // If its bigger than 4 bytes, the dir entry contains an offset.
+-if (OffsetVal+ByteCount > ExifLength){
++if (OffsetVal+ByteCount > (unsigned)ExifLength || OffsetVal > 
65536){
+ // Bogus pointer offset and / or bytecount value
+ ErrNonfatal("Illegal value pointer for Exif maker tag %04x", 
Tag,0);
+ continue;
+@@ -119,6 +119,7 @@
+ }
+ }
+ if (Tag == 1 && Components > 16){
++if (ByteCount < 17 * sizeof(short)) continue; // Fuzztest -- not 
enough allocated.
+ int IsoCode = Get16u(ValuePtr + 16*sizeof(unsigned short));
+ if (IsoCode >= 16 && IsoCode <= 24){
+ ImageInfo.ISOequivalent = 50 << (IsoCode-16);
+@@ -126,6 +127,7 @@
+ }
+ 
+ if (Tag == 4 && Format == FMT_USHORT){
++if (ByteCount < 20 * sizeof(short)) continue; // Fuzztest -- not 
enough allocated.
+ if (Components > 7){
+ int WhiteBalance = Get16u(ValuePtr + 7*sizeof(unsigned 
short));
+ switch(WhiteBalance){
diff --git a/debian/patches/invalid-IPTC-lengths.patch 
b/debian/patches/invalid-IPTC-lengths.patch
new file mode 100644
index 000..02626f1
--- /dev/null
+++ b/debian/patches/inval

Bug#986908: unblock: snort 2.9.15.1-5

2021-04-24 Thread Jan Wagner

Control: tags -1 - moreinfo

Hi there,

On 22.04.21 at 11:03, Javier Fernandez-Sanguino wrote:
> On Mon, 19 Apr 2021 at 23:24, Chris Hofstaedtler wrote:
>>> $ debdiff snort_2.9.15.1-4_i386.deb snort_2.9.15.1-5_i386.deb
>> [..]
>>
>> The debdiff does not seem to show any actual packaging changes. Are
>> you sure you diffed the correct files?
>
> Apologies, I sent a debdiff of the binary packages. I will send a
> debdiff of the source packages soon.

here is the debdiff between 2.9.15.1-4 and 2.9.15.1-5.

Cheers, Jan.
--
Never write mail to , you have been warned!
diff -Nru snort-2.9.15.1/debian/changelog snort-2.9.15.1/debian/changelog
--- snort-2.9.15.1/debian/changelog 2020-12-06 17:23:14.0 +0100
+++ snort-2.9.15.1/debian/changelog 2021-04-10 22:55:04.0 +0200
@@ -1,3 +1,30 @@
+snort (2.9.15.1-5) unstable; urgency=medium
+
+  * debian/snort-common.{preinst,postinst,postrm}:
+- Handle using dpkg-maintscript-helper mv_conffile the relocation
+  of the cronjob /etc/cron.daily/5snort to /etc/cron.daily/snort-common
+  instead of moving it manually to prevent dpkg from prompting the
+  user upon upgrades from older snort version. Thank you
+  Chris Hofstaedtler for the tip (Closes: #984614)
+  * debian/control: Add  Pre-Depends: dpkg (>= 1.17.14) as we
+are now using dpkg-maintscript-helper
+  * debian/snort-common.{postrm,preinst},
+debian/snort.{postinst,postrm,preinst,prerm}:
+Add DEBIAN_SCRIPT_DEBUG to all maintainer scripts
+  * debian/snort.logrotate: Correct name of the alert files (snort.alert
+and not 'alert') this error prevented files from being properly
+logrotated
+  * configure.in: Added patch to check if rpc/rpc.h is required and is 
+provided by libtirpc-dev to warn Ubuntu users that libtirpc-dev is 
+required. 
+Note: not added libtirpc-dev to Build-Depends as Debian's glibc6-dev
+includes the RPC headers (LP: #1906572)
+  * debian/patches/decoding_do_not_assume_ipv4: Add patch provided by Hugh
+Davenport to not assume that all raw packets are IPv4 packets.
+(Closes: 633066)
+
+ -- Javier Fernández-Sanguino Peña   Sat, 10 Apr 2021 
22:55:04 +0200
+
 snort (2.9.15.1-4) unstable; urgency=high
 
   * debian/snort.docs, debian/snort-doc.docs debian/rules: Add README.csv and
@@ -21,6 +48,9 @@
   * debian/rules, debian/snort-common-libraries.dirs, debian/patches/config:
   Do not use multi-arch directories for the Snort libraries, instead, locate 
all
   of the compiled under libraries /usr/lib/snort  (Closes: #962275)
+  This fixes the error "FATAL ERROR: /etc/snort/snort.conf(271) Could not stat
+  dynamic module path "/usr/lib/i386-linux-gnu/snort_dynamicpreprocessor/": No
+  such file or directory" (LP: #1901466, #1902405, #1905164)
   * debian/rules: Drop configure options which are not anymore relevant
   * debian/po: 
 - Update Dutch translation, thanks to Frans Spiesschaert (Closes: #961214)
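Review bot: this hunk adds text to a changelog stanza below the new 2.9.15.1-5 entry, that is, to the record of an already-uploaded version. Rewriting released entries makes the debdiff harder to review during the freeze; put the "FATAL ERROR" explanation and its `LP:` numbers in the 2.9.15.1-5 stanza, which is the upload that actually records them.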
@@ -101,7 +131,8 @@
 (LP: #1570517, #1484733, #1398969, #1310182, #1273021, #1231833)
 (LP: #1222754, #1215408, #1207981, #1207237, #1181514, #1175892)
 (LP: #1175264, #1161358, #1158169, #1116013, #1065121, #1064478)
-(LP: #1061459, #1031917)
+(LP: #1061459, #1031917, #1905137, #1897344, #1896849, #1882601)
+(LP: #1881141, #1877638)
   - Add also debugging messages as, based on the number of reports in
 Ubuntu, there seems to be many cases where the users install the
 package (with high debconf priority) and the proper network interface
diff -Nru snort-2.9.15.1/debian/control snort-2.9.15.1/debian/control
--- snort-2.9.15.1/debian/control   2020-12-06 17:23:14.0 +0100
+++ snort-2.9.15.1/debian/control   2021-04-10 22:55:04.0 +0200
@@ -65,7 +65,7 @@
 
 Package: snort-common
 Architecture: all
-Pre-Depends: adduser (>= 3.11), ${misc:Pre-Depends}
+Pre-Depends: adduser (>= 3.11), dpkg (>= 1.17.14), ${misc:Pre-Depends}
 Depends: 
 perl, 
 debconf (>= 0.2.80) | debconf-2.0,
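Review bot: the hand-added `dpkg (>= 1.17.14)` in Pre-Depends is already satisfied by the dpkg shipped in buster, so it constrains nothing on a buster to bullseye upgrade and can be dropped. If the `mv_conffile` call were declared in a `debian/snort-common.maintscript` file instead of hand-written preinst/postinst/postrm code, debhelper would generate the snippets and the maintainer scripts would stay smaller.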
diff -Nru snort-2.9.15.1/debian/patches/decoding_do_not_assume_ipv4 
snort-2.9.15.1/debian/patches/decoding_do_not_assume_ipv4
--- snort-2.9.15.1/debian/patches/decoding_do_not_assume_ipv4   1970-01-01 
01:00:00.0 +0100
+++ snort-2.9.15.1/debian/patches/decoding_do_not_assume_ipv4   2021-04-10 
22:55:04.0 +0200
@@ -0,0 +1,48 @@
+Description: Do not assume IPv4 packets when decoding
+ When using Snort on a interface without a link level layer, for example a
+ AIYIA tunnel for IPv6 through SixXs, then snort assumes that the packets will
+ be IPv4. I have a patch that adds a check on the IP version number in the
+ header, and if it is not an IPv4 packet, try decoding as IPv6.
+.
+ Without this patc

Processed: Re: Bug#986908: unblock: snort 2.9.15.1-5

2021-04-24 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo
Bug #986908 [release.debian.org] unblock: snort 2.9.15.1-5
Removed tag(s) moreinfo.

-- 
986908: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986908
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#987481: unblock: virt-top/1.0.9-1.1

2021-04-24 Thread 魏銘廷
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package virt-top

This fixes RC bug #973188 which causes FTBFS, and a lintian error on
missing OCaml dependencies.

I mistakenly uploaded this package without --delay, then reuploaded the
package into the DELAYED/2 queue.

[ Reason ]
 - Fixes FTBFS bug (#973188), by removing --runtime-variant _pic from
   OCAMLCLIBS
 - Add missing dependencies

[ Impact ]
This package would be blocked from release if not accepted.

[ Tests ]
This package failed to build.  If removing --runtime-variant _pic,
it could build but with a Lintian error on missing OCaml dependencies.

Both fixes are added in order to build without Lintian error.

Also manually tested the package and used virt-manager to control the
VM, virt-top correctly reflected the status of the virtual machines.

[ Risks ]
There should be minimal risks by introducing this changeset.

unblock virt-top/1.0.9-1.1
diff -Nru virt-top-1.0.9/debian/changelog virt-top-1.0.9/debian/changelog
--- virt-top-1.0.9/debian/changelog 2019-08-25 22:27:13.0 +0800
+++ virt-top-1.0.9/debian/changelog 2021-04-24 19:57:06.0 +0800
@@ -1,3 +1,12 @@
+virt-top (1.0.9-1.1) unstable; urgency=medium
+
+  * Non-maintainer Upload
+  * debian/patches/ocamlclibs-no-runtime-variant.patch: Do not supply
+runtime-variant (Closes: #973188)
+  * debian/control: Fix missing dependencies
+
+ -- Yao Wei (魏銘廷)   Sat, 24 Apr 2021 19:57:06 +0800
+
 virt-top (1.0.9-1) unstable; urgency=medium
 
   * Team upload
diff -Nru virt-top-1.0.9/debian/control virt-top-1.0.9/debian/control
--- virt-top-1.0.9/debian/control   2019-08-25 22:27:13.0 +0800
+++ virt-top-1.0.9/debian/control   2021-04-24 19:57:06.0 +0800
@@ -20,7 +20,11 @@
 
 Package: virt-top
 Architecture: any
-Depends: ${misc:Depends}, ${shlibs:Depends}
+Depends: ocaml-base-nox | ocaml-base | ocaml-nox | ocaml,
+ libcurses-ocaml,
+ libgettext-ocaml,
+ libvirt-ocaml,
+ ${misc:Depends}, ${shlibs:Depends}
 Description: show stats of virtualized domains
  virt-top is a top-like utility for showing stats of virtualized domains. Many
  keys and command line options are the same as for ordinary top.
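Review bot: the OCaml dependencies in the new `Depends:` are listed by hand with no version or ABI constraint. If the package builds with dh-ocaml (Build-Depends are not visible in this hunk), the `${ocaml:Depends}` substvar would generate them with the matching ABI information and keep them correct across OCaml transitions.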
diff -Nru virt-top-1.0.9/debian/patches/ocamlclibs-no-runtime-variant.patch 
virt-top-1.0.9/debian/patches/ocamlclibs-no-runtime-variant.patch
--- virt-top-1.0.9/debian/patches/ocamlclibs-no-runtime-variant.patch   
1970-01-01 08:00:00.0 +0800
+++ virt-top-1.0.9/debian/patches/ocamlclibs-no-runtime-variant.patch   
2021-04-24 19:57:06.0 +0800
@@ -0,0 +1,21 @@
+From: =?utf-8?b?IllhbyBXZWkgKOmtj+mKmOW7tyki?= 
+Date: Sat, 24 Apr 2021 19:23:41 +0800
+Subject: Do not supply runtime-variant (Closes: #973188)
+
+---
+ src/Makefile.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.in b/src/Makefile.in
+index a2ac09b..a2a8883 100644
+--- a/src/Makefile.in
 b/src/Makefile.in
+@@ -65,7 +65,7 @@ OBJS += main.cmo
+ XOBJS := $(OBJS:.cmo=.cmx)
+ 
+ OCAMLCFLAGS   := -g -warn-error CDEFLMPSUVYZX-3 -ccopt '@CFLAGS@'
+-OCAMLCLIBS:= -linkpkg -runtime-variant _pic -cclib '@LDFLAGS@'
++OCAMLCLIBS:= -linkpkg -cclib '@LDFLAGS@'
+ 
+ OCAMLOPTPACKAGES := $(OCAMLCPACKAGES)
+ OCAMLOPTFLAGS := $(OCAMLCFLAGS)
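Review bot: the patch header gives no reason why dropping `-runtime-variant _pic` from `OCAMLCLIBS` is the right fix, only that it closes #973188. Add a DEP-3 Description that states the build failure it addresses and a Forwarded field, since this edits upstream's src/Makefile.in.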
diff -Nru virt-top-1.0.9/debian/patches/series 
virt-top-1.0.9/debian/patches/series
--- virt-top-1.0.9/debian/patches/series2019-08-25 22:27:13.0 
+0800
+++ virt-top-1.0.9/debian/patches/series2021-04-24 19:57:06.0 
+0800
@@ -1,2 +1,3 @@
 10_add-opt-and-byte-compile-targets.patch
 libvirt-Handle-VIR_DOMAIN_PMSUSPENDED-state.patch
+ocamlclibs-no-runtime-variant.patch




Bug#987447: marked as done (unblock: ddskk/17.1-4+deb11u1)

2021-04-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Apr 2021 13:06:56 +
with message-id 
and subject line unblock ddskk
has caused the Debian Bug report #987447,
regarding unblock: ddskk/17.1-4+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
987447: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987447
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ddskk.

[ Reason ]
The RC bug #987383, byte-compiling skk-bayesian.el conditionally fails.
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987383

[ Impact ]
The testing version causes hang during dist-upgrading from buster
if ddskk is upgraded before emacs.

[ Tests ]
I did manual testing with the buster chroot environment, installing the
testing version failed as the RC bug and the updated version succeeded.

[ Risks ]
The skk-bayesian feature is optional and minor.  The fix may
decrease the speed of loading skk-bayesian.el, but it's trivial.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock ddskk/17.1-4+deb11u1

Thanks,
-- 
Tatsuya Kinoshita
diffstat for ddskk-17.1 ddskk-17.1

 changelog |7 +++
 rules |1 +
 2 files changed, 8 insertions(+)

diff -Nru ddskk-17.1/debian/changelog ddskk-17.1/debian/changelog
--- ddskk-17.1/debian/changelog	2021-01-20 21:30:01.0 +0900
+++ ddskk-17.1/debian/changelog	2021-04-23 22:30:33.0 +0900
@@ -1,3 +1,10 @@
+ddskk (17.1-4+deb11u1) unstable; urgency=medium
+
+  * Don't byte-compile skk-bayesian.el to avoid hang during installation
+(closes: #987383)
+
+ -- Tatsuya Kinoshita   Fri, 23 Apr 2021 22:30:33 +0900
+
 ddskk (17.1-4) unstable; urgency=medium
 
   * New patch 030_skk-wrap.patch for org-mode and markdown-mode
diff -Nru ddskk-17.1/debian/rules ddskk-17.1/debian/rules
--- ddskk-17.1/debian/rules	2020-08-16 00:03:30.0 +0900
+++ ddskk-17.1/debian/rules	2021-04-23 22:26:23.0 +0900
@@ -31,6 +31,7 @@
 	dh_installdirs
 
 	cp -R *.el *.in SKK-* maint nicola tut-code/*.el bayesian/*.el debian/$(PACKAGE)/usr/share/$(PACKAGE)
+	perl -pwi -e 's/skk-bayesian/;;skk-bayesian/' debian/$(PACKAGE)/usr/share/$(PACKAGE)/SKK-MK
 	cp -f experimental/*.el debian/$(PACKAGE)/usr/share/$(PACKAGE)
 
 	rm -f debian/$(PACKAGE)/usr/share/$(PACKAGE)/nicola/Makefile
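Review bot: the added `perl -pwi -e 's/skk-bayesian/;;skk-bayesian/'` line is unanchored and unchecked. It comments out the rest of every SKK-MK line that contains `skk-bayesian`, wherever on the line it appears, and if upstream renames or moves the entry it silently matches nothing and the install-time hang from #987383 returns. Anchor the pattern to the entry being disabled and fail the build when no line was changed.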


--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---


Please tag 6 of the GCC-10 RC bugs with "bullseye-ignore"

2021-04-24 Thread Steve Cotton
Hi Release Team,

Several bugs in GCC-10 that cause other packages to FTBFS have been fixed in
experimental, but according to [1] aren't going to be fixed in Bullseye. Please
could all of these be tagged with bullseye-ignore, so that people looking at
the lists of RC bugs don't spend time wondering what is happening with them?

* #980429 g++-10: spurious c++17 mode segmentation fault in appe
* #980596 mkvtoolnix: FTBFS: src/merge/reader_detection_and_crea
* #980609 missing i386-cpuinfo.h
* #980629 nheko: FTBFS: internal compiler error
* #981174 gcc-10 in testing is broken, cannot build linux kernel
* #983393 gcc-10: Segmentation fault when building mkvtoolnix

Of the above, #980906 and #981174 are currently tagged "bullseye"; all of the
others have neither "bullseye" nor "bullseye-ignore".

For the affected packages which have already worked around this:
* mkvtoolnix switched to an older version of the affected package
* nheko switched to an older version of the affected package
* odb switched to GCC-9

[1] https://lists.debian.org/debian-release/2021/03/msg00027.html

Thanks, and hi from the Salzburg virtual BSP
Steve



Bug#987429: marked as done (unblock: fdroidcl/0.5.0-3)

2021-04-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Apr 2021 13:04:26 +
with message-id 
and subject line unblock fdroidcl
has caused the Debian Bug report #987429,
regarding unblock: fdroidcl/0.5.0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
987429: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987429
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package fdroidcl

[ Reason ]
The F-Droid metadata json format changed slightly moving the App name to
the localized part. The update adds an upstream accepted patch to prefer
that over the general field in case that is empty. It is basically a
copy and paste of what is already done for the summary and description
fields in the lines below the patch.

[ Impact ]
The name of an app is not shown:
$ fdroidcl show org.fdroid.fdroid | grep "^Name"
Name :

[ Tests ]
I tested the change manually.

[ Risks ]
Code change is trivial and popcon is low.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock fdroidcl/0.5.0-3
diff --git a/debian/changelog b/debian/changelog
index a061ba6..d52170b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+fdroidcl (0.5.0-3) unstable; urgency=medium
+
+  * Add patch in case the app name is empty
+
+ -- Jochen Sprickerhof   Fri, 23 Apr 2021 18:42:52 +0200
+
 fdroidcl (0.5.0-2) unstable; urgency=medium
 
   * bump policy and debhelper versions
diff --git 
a/debian/patches/0002-Use-English-app-name-if-the-other-is-empty.patch 
b/debian/patches/0002-Use-English-app-name-if-the-other-is-empty.patch
new file mode 100644
index 000..2dc860a
--- /dev/null
+++ b/debian/patches/0002-Use-English-app-name-if-the-other-is-empty.patch
@@ -0,0 +1,30 @@
+From: Jochen Sprickerhof 
+Date: Fri, 23 Apr 2021 18:34:00 +0200
+Subject: Use English app name if the other is empty
+
+---
+ fdroid/index.go | 4 
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fdroid/index.go b/fdroid/index.go
+index 1716c19..119ea7e 100644
+--- a/fdroid/index.go
 b/fdroid/index.go
+@@ -59,6 +59,7 @@ type App struct {
+ }
+ 
+ type Localization struct {
++  Namestring `json:"name"`
+   Summary string `json:"summary"`
+   Description string `json:"description"`
+ }
+@@ -274,6 +275,9 @@ func LoadIndexJSON(r io.Reader) (*Index, error) {
+   english, enOK = app.Localized["en-US"]
+   }
+ 
++  if app.Name == "" && enOK {
++  app.Name = english.Name
++  }
+   // TODO: why does the json index contain html escapes?
+   app.Name = html.UnescapeString(app.Name)
+ 
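Review bot: in the LoadIndexJSON hunk the fallback reads only `english.Name`, and the last lookup visible in the context is `app.Localized["en-US"]`, so an app whose name exists only under another locale still ends up with an empty Name. Consider falling back to any localized entry with a non-empty name when the English one is missing, and add a test case with an empty top-level name so the regression is covered.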
diff --git a/debian/patches/series b/debian/patches/series
index 0890fce..08f194a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Drop-main_test.go.patch
+0002-Use-English-app-name-if-the-other-is-empty.patch
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---


Bug#987408: marked as done (unblock: bookletimposer/0.3+ds-3)

2021-04-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Apr 2021 13:01:35 +
with message-id 
and subject line unblock bookletimposer
has caused the Debian Bug report #987408,
regarding unblock: bookletimposer/0.3+ds-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
987408: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987408
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package bookletimposer.

The package has autopkgtests, but since it's a GUI app, they are all
marked as superficial (they only test the CLI interface). This means it
won't automigrate.

The only relevant change is a fix for an autopkgtests bug in
bookletimposer created by a security fix in imagemagick (#987249). The
other changes are very minor changes to d/control that had been pending
for a while.

Here is a link to a debci run proving the autopkgtests fix works as
intended:

https://ci.debian.net/data/autopkgtest/testing/amd64/b/bookletimposer/11867373/log.gz

Note that the package jumps from ds-1 to ds-3 since the upload I made
for ds-2 contained a debhelper-compat bump (that has now been reverted).
Thanks to ivodd for pointing out that wasn't accepted.

Cheers,

-- 
  ⢀⣴⠾⠻⢶⣦⠀
  ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
  ⢿⡄⠘⠷⠚⠋   po...@debian.org / veronneau.org
  ⠈⠳⣄
diff -Nru bookletimposer-0.3+ds/debian/changelog 
bookletimposer-0.3+ds/debian/changelog
--- bookletimposer-0.3+ds/debian/changelog  2020-02-24 16:45:06.0 
-0500
+++ bookletimposer-0.3+ds/debian/changelog  2021-04-23 07:41:14.0 
-0400
@@ -1,3 +1,34 @@
+bookletimposer (0.3+ds-3) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Louis-Philippe Véronneau ]
+  * d/control: revert back to dh 12 for inclusion in Bullseye.
+
+ -- Louis-Philippe Véronneau   Fri, 23 Apr 2021 07:41:14 
-0400
+
+bookletimposer (0.3+ds-2) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Louis-Philippe Véronneau ]
+  * d/control: use debhelper 13.
+  * d/tests/integration: replace imagemagick with gs to generate blank PDFs.
+(Closes: #987249)
+
+  [ intrigeri ]
+  * Replace pollo with Taowa in the Uploaders control field.
+Thank you pollo for taking care of this package recently,
+and welcome Taowa! :)
+
+  [ Ondřej Nový ]
+  * d/control: Update Maintainer field with new Debian Python Team
+contact address.
+  * d/control: Update Vcs-* fields with new Debian Python Team Salsa
+layout.
+
+ -- Louis-Philippe Véronneau   Thu, 22 Apr 2021 22:07:35 
-0400
+
 bookletimposer (0.3+ds-1) unstable; urgency=medium
 
   * New upstream version (Closes: #945165, #945167, #945168).
diff -Nru bookletimposer-0.3+ds/debian/control 
bookletimposer-0.3+ds/debian/control
--- bookletimposer-0.3+ds/debian/control2020-02-24 16:45:06.0 
-0500
+++ bookletimposer-0.3+ds/debian/control2021-04-23 07:41:14.0 
-0400
@@ -1,6 +1,6 @@
 Source: bookletimposer
-Maintainer: Python Applications Packaging Team 

-Uploaders: intrigeri , Louis-Philippe Véronneau 

+Maintainer: Debian Python Team 
+Uploaders: intrigeri , Taowa Munene-Tardif 

 Rules-Requires-Root: no
 Section: python
 Priority: optional
@@ -11,8 +11,8 @@
pandoc,
 Build-Depends-Indep: python3-distutils-extra
 Standards-Version: 4.5.0.0
-Vcs-Browser: https://salsa.debian.org/python-team/applications/bookletimposer
-Vcs-Git: https://salsa.debian.org/python-team/applications/bookletimposer.git
+Vcs-Browser: https://salsa.debian.org/python-team/packages/bookletimposer
+Vcs-Git: https://salsa.debian.org/python-team/packages/bookletimposer.git
 Homepage: https://kjo.herbesfolles.org/bookletimposer/
 
 Package: bookletimposer
diff -Nru bookletimposer-0.3+ds/debian/tests/control 
bookletimposer-0.3+ds/debian/tests/control
--- bookletimposer-0.3+ds/debian/tests/control  2020-02-24 16:45:06.0 
-0500
+++ bookletimposer-0.3+ds/debian/tests/control  2021-04-22 21:54:42.0 
-0400
@@ -10,5 +10,5 @@
 Depends:
  bookletimposer,
  poppler-utils,
- imagemagick
+ ghostscript
 Restrictions: superficial
diff -Nru bookletimposer-0.3+ds/debian/tests/integration 
bookletimposer-0.3+ds/debian/tests/integration
--- bookletimposer-0.3+ds/debian/tests/integration  2020-02-24 
16:45:06.0 -0500
+++ bookletimposer-0.3+ds/debian/tests/integration  2021-04-22 
21:53:13.0 -0400
@@ -7,7 +7,7 @@
 
 for i in 1 2 3 4
 do
-  convert xc:none -page A4 $i.pdf
+  gs -q -sDEVICE=pdfwrite -sPAPERSIZE=a4 -o $i.pdf
 done
 
 pdfunite 1.pdf 2.pdf 3.pdf 4.pdf linear.pdf
--- End Mes

Bug#987471:

2021-04-24 Thread Utkarsh Gupta
user debian-release@lists.debian.org
usertags -1 + bsp-2021-04-AT-Salzburg
thank you



Bug#987472: unblock: consul/1.8.7+dfsg1-2

2021-04-24 Thread Valentin Vidic
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package consul

New release only adds the patch for CVE-2020-25864 fixing the RC bug #987351.

debdiff below also includes the config for Salsa CI that was not present in
the previous version for some reason.

unblock consul/1.8.7+dfsg1-2


diff -Nru consul-1.8.7+dfsg1/debian/changelog 
consul-1.8.7+dfsg1/debian/changelog
--- consul-1.8.7+dfsg1/debian/changelog 2021-01-10 16:37:17.0 +0100
+++ consul-1.8.7+dfsg1/debian/changelog 2021-04-24 12:06:56.0 +0200
@@ -1,3 +1,9 @@
+consul (1.8.7+dfsg1-2) unstable; urgency=medium
+
+  * Add patch for CVE-2020-25864 (Closes: #987351)
+
+ -- Valentin Vidic   Sat, 24 Apr 2021 12:06:56 +0200
+
 consul (1.8.7+dfsg1-1) unstable; urgency=medium
 
   [ Arnaud Rebillout ]
diff -Nru consul-1.8.7+dfsg1/debian/.gitlab-ci.yml 
consul-1.8.7+dfsg1/debian/.gitlab-ci.yml
--- consul-1.8.7+dfsg1/debian/.gitlab-ci.yml1970-01-01 01:00:00.0 
+0100
+++ consul-1.8.7+dfsg1/debian/.gitlab-ci.yml2021-04-24 12:06:56.0 
+0200
@@ -0,0 +1,37 @@
+---
+# https://docs.gitlab.com/ce/ci/yaml/#include
+include:
+  - remote: https://salsa.debian.org/onlyjob/ci/raw/master/onlyjob-ci.yml
+
+## "amd64-unstable" always runs by default followed by lintian.
+
+## Only for arch:all packages:
+binary-indep:
+  extends: .build-indep
+
+## Job to check Build-Depends versioning:
+amd64-testing_unstable:
+  extends: .build
+  variables:
+arch: amd64
+dist: testing_unstable
+
+i386-unstable:
+  extends: .build
+  variables:
+arch: i386
+dist: unstable
+
+amd64-experimental:
+  extends: .build
+  variables:
+arch: amd64
+dist: experimental
+
+amd64-stable:
+  extends: .build
+  when: manual
+  allow_failure: true
+  variables:
+arch: amd64
+dist: stable
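Review bot: the `include: - remote:` line pulls the pipeline definition from the `master` branch of a personal namespace (`onlyjob/ci`), so whoever can push there controls what runs in this project's CI. Pin the include to a specific commit or use a team-maintained pipeline definition. The file is also unrelated to the CVE fix this unblock is for, as the request itself notes, and would be easier to review in a separate upload.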
diff -Nru consul-1.8.7+dfsg1/debian/patches/CVE-2020-25864.patch 
consul-1.8.7+dfsg1/debian/patches/CVE-2020-25864.patch
--- consul-1.8.7+dfsg1/debian/patches/CVE-2020-25864.patch  1970-01-01 
01:00:00.0 +0100
+++ consul-1.8.7+dfsg1/debian/patches/CVE-2020-25864.patch  2021-04-24 
12:06:56.0 +0200
@@ -0,0 +1,139 @@
+From 447dd528f64d8bf481da9ac8445dd446bd4aa5c0 Mon Sep 17 00:00:00 2001
+From: Kent 'picat' Gruber 
+Date: Wed, 14 Apr 2021 18:49:14 -0400
+Subject: [PATCH] Merge pull request #10023 from hashicorp/fix-raw-kv-xss
+
+Add content type headers to raw KV responses
+---
+ .changelog/10023.txt   |  3 ++
+ agent/kvs_endpoint.go  | 13 +--
+ agent/kvs_endpoint_test.go | 71 ++
+ 3 files changed, 85 insertions(+), 2 deletions(-)
+ create mode 100644 .changelog/10023.txt
+
+diff --git a/.changelog/10023.txt b/.changelog/10023.txt
+new file mode 100644
+index 000..92d85dbd0b9
+--- /dev/null
 b/.changelog/10023.txt
+@@ -0,0 +1,3 @@
++```release-note:security
++Add content-type headers to raw KV responses to prevent XSS attacks 
[CVE-2020-25864](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25864)
++```
+\ No newline at end of file
+diff --git a/agent/kvs_endpoint.go b/agent/kvs_endpoint.go
+index feb6b7bfd26..2b54fb783e2 100644
+--- a/agent/kvs_endpoint.go
 b/agent/kvs_endpoint.go
+@@ -80,11 +80,20 @@ func (s *HTTPServer) KVSGet(resp http.ResponseWriter, req 
*http.Request, args *s
+   return nil, nil
+   }
+ 
+-  // Check if we are in raw mode with a normal get, write out
+-  // the raw body
++  // Check if we are in raw mode with a normal get, write out the raw body
++  // while setting the Content-Type, Content-Security-Policy, and
++  // X-Content-Type-Options headers to prevent XSS attacks from malicious 
KV
++  // entries. Otherwise, the net/http server will sniff the body to set 
the
++  // Content-Type. The nosniff option then indicates to the browser that 
it
++  // should also skip sniffing the body, otherwise it might ignore the 
Content-Type
++  // header in some situations. The sandbox option provides another layer 
of defense
++  // using the browser's content security policy to prevent code 
execution.
+   if _, ok := params["raw"]; ok && method == "KVS.Get" {
+   body := out.Entries[0].Value
+   resp.Header().Set("Content-Length", 
strconv.FormatInt(int64(len(body)), 10))
++  resp.Header().Set("Content-Type", "text/plain")
++  resp.Header().Set("X-Content-Type-Options", "nosniff")
++  resp.Header().Set("Content-Security-Policy", "sandbox")
+   resp.Write(body)
+   return nil, nil
+   }
+diff --git a/agent/kvs_endpoint_test.go b/agent/kvs_endpoint_test.go
+index ceb6d907f10..5a3017214a4 100644
+--- a/agent/kvs_endpoint_test.go
 b/agent/kvs_endpoint_test.go
+@@ -422,6 +422,31 @@ func TestKVSEndpoint_GET_Raw(t *testing.T) {
+   }
+   assertIndex(t, resp)
+ 
++  // Check the headers
++  contentTypeHdr := re

Bug#987471: unblock: fluidsynth/2.1.7-1.1

2021-04-24 Thread Reiner Herrmann
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: utka...@debian.org, debian-multime...@lists.debian.org

Please unblock package fluidsynth

I intend to NMU version 2.1.7-1.1 to DELAYED/3, which imports
an upstream security fix.

[ Reason ]
The package has a use-after-free vulnerability.

[ Impact ]
Arbitrary code execution or denial of service.

[ Tests ]
I tested that it compiles, installs and tested running it
against the vulnerable example file from the upstream bug
tracker. With the patch applied, it no longer crashes.

unblock fluidsynth/2.1.7-1.1
diff -Nru fluidsynth-2.1.7/debian/changelog fluidsynth-2.1.7/debian/changelog
--- fluidsynth-2.1.7/debian/changelog	2021-02-09 21:43:23.0 +0100
+++ fluidsynth-2.1.7/debian/changelog	2021-04-24 13:37:51.0 +0200
@@ -1,3 +1,11 @@
+fluidsynth (2.1.7-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Import patch that fixes use-after-free vulnerability. (CVE-2021-28421)
+(Closes: #987168)
+
+ -- Reiner Herrmann   Sat, 24 Apr 2021 13:37:51 +0200
+
 fluidsynth (2.1.7-1) unstable; urgency=medium
 
   * New upstream version 2.1.7
diff -Nru fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch
--- fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch	1970-01-01 01:00:00.0 +0100
+++ fluidsynth-2.1.7/debian/patches/CVE-2021-28421.patch	2021-04-24 13:35:20.0 +0200
@@ -0,0 +1,84 @@
+From 005719628aef0bd48dc7b2f860c7e4ca16b81044 Mon Sep 17 00:00:00 2001
+From: Tom M 
+Date: Mon, 15 Mar 2021 20:12:51 +0100
+Subject: [PATCH] Invalid generators were not removed from zone list (#810)
+Bug: https://github.com/FluidSynth/fluidsynth/issues/808
+Bug-Debian: https://bugs.debian.org/987168
+
+fluid_list_remove() should receive the beginning of a list, so it can adjust the predecessor of the element to be removed. Otherwise the element would remain in the list, which in this case led to a use-after-free afterwards.
+---
+ src/sfloader/fluid_sffile.c | 20 
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/sfloader/fluid_sffile.c b/src/sfloader/fluid_sffile.c
+index 001a0a0a4..47ab98d97 100644
+--- a/src/sfloader/fluid_sffile.c
 b/src/sfloader/fluid_sffile.c
+@@ -1355,7 +1355,7 @@ static int load_pmod(SFData *sf, int size)
+  * --- */
+ static int load_pgen(SFData *sf, int size)
+ {
+-fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
++fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
+ SFZone *z;
+ SFGen *g;
+ SFGenAmount genval;
+@@ -1369,7 +1369,7 @@ static int load_pgen(SFData *sf, int size)
+ /* traverse through all presets */
+ gzone = FALSE;
+ discarded = FALSE;
+-p2 = ((SFPreset *)(p->data))->zone;
++start_of_zone_list = p2 = ((SFPreset *)(p->data))->zone;
+ 
+ if(p2)
+ {
+@@ -1516,11 +1516,13 @@ static int load_pgen(SFData *sf, int size)
+ }
+ else
+ {
++p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */
+ /* previous global zone exists, discard */
+ FLUID_LOG(FLUID_WARN, "Preset '%s': Discarding invalid global zone",
+   ((SFPreset *)(p->data))->name);
+-*hz = fluid_list_remove(*hz, p2->data);
+-delete_zone((SFZone *)fluid_list_get(p2));
++fluid_list_remove(start_of_zone_list, z);
++delete_zone(z);
++continue;
+ }
+ }
+ 
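Review bot: The call fluid_list_remove(start_of_zone_list, z) in the else branch discards the returned list, whereas the removed line stored it with "*hz = fluid_list_remove(...)". If z could ever be the first element, start_of_zone_list and the preset's zone pointer would be left pointing at the removed node. Either write the result back to the preset's zone field or add a comment stating why the discarded zone can never be the list head here (presumably because an earlier global zone already occupies that position). The added continue also deserves a short comment that p2 was advanced at the top of the branch, since that ordering is what keeps the loop from touching the deleted element. The same points apply to the matching change in load_igen.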
+@@ -1864,7 +1866,7 @@ static int load_imod(SFData *sf, int size)
+ /* load instrument generators (see load_pgen for loading rules) */
+ static int load_igen(SFData *sf, int size)
+ {
+-fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
++fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
+ SFZone *z;
+ SFGen *g;
+ SFGenAmount genval;
+@@ -1878,7 +1880,7 @@ static int load_igen(SFData *sf, int size)
+ /* traverse through all instruments */
+ gzone = FALSE;
+ discarded = FALSE;
+-p2 = ((SFInst *)(p->data))->zone;
++start_of_zone_list = p2 = ((SFInst *)(p->data))->zone;
+ 
+ if(p2)
+ {
+@@ -2024,11 +2026,13 @@ static int load_igen(SFData *sf, int size)
+ }
+ else
+ {
++p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */
+ /* previous global zone exists, discard */
+ FLUID_LOG(FLUID_WARN, "Instrument '%s': Discarding invalid global zone",
+   ((SFInst *)(p->data))->name);
+-*hz = fluid_list_remove(*hz, p2->data);
+-   

Bug#987427: marked as done (unblock: nvidia-graphics-drivers-tesla-460/460.73.01-1)

2021-04-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Apr 2021 12:55:37 +0200
with message-id 

and subject line Re: Bug#987427: unblock: 
nvidia-graphics-drivers-tesla-460/460.73.01-1
has caused the Debian Bug report #987427,
regarding unblock: nvidia-graphics-drivers-tesla-460/460.73.01-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
987427: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987427
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-nvidia-de...@lists.alioth.debian.org

Please unblock package nvidia-graphics-drivers-tesla-460

The new upstream version 460.73.01 fixes a CVE and several bugs,
all of which affect Bullseye. It also adds support for a few new cards.

X.org crash under certain conditions, and a security vulnerability
(CVE-2021-1076 and CVE-2021-1077, and #987222) has been found in the kernel 
driver:
https://nvidia.custhelp.com/app/answers/detail/a_id/5172

The inlined debdiff excludes the binary blobs.

unblock nvidia-graphics-drivers-tesla-460/460.73.01-1

-- 
Kind regards,
Luca Boccassi

diff -Nru --exclude 'NVIDIA*.run' 
nvidia-graphics-drivers-tesla-460-460.32.03/debian/changelog 
nvidia-graphics-drivers-tesla-460-460.73.01/debian/changelog
--- nvidia-graphics-drivers-tesla-460-460.32.03/debian/changelog
2021-03-13 20:31:33.0 +
+++ nvidia-graphics-drivers-tesla-460-460.73.01/debian/changelog
2021-04-23 14:20:03.0 +0100
@@ -1,3 +1,87 @@
+nvidia-graphics-drivers-tesla-460 (460.73.01-1) unstable; urgency=medium
+
+  * New upstream production branch release 460.73.01 (2021-04-14).
+* Fixed CVE-2021-1076, CVE-2021-1077.  (Closes: #987222)
+  https://nvidia.custhelp.com/app/answers/detail/a_id/5172
+- Added support for the following GPUs: A10, A10G, A30, PG506-232,
+  RTX A4000, RTX A5000, T400, T600.
+
+  [ Andreas Beckmann ]
+  * Update nv-readme.ids.
+
+ -- Andreas Beckmann   Fri, 23 Apr 2021 15:20:03 +0200
+
+nvidia-graphics-drivers (460.73.01-1) unstable; urgency=medium
+
+  * New upstream production branch release 460.73.01 (2021-04-14).
+* Fixed CVE-2021-1076, CVE-2021-1077.  (Closes: #987216)
+  https://nvidia.custhelp.com/app/answers/detail/a_id/5172
+- Added support for the following GPUs: A10, A10G, A30, PG506-232,
+  RTX A4000, RTX A5000, T400, T600.
+
+  [ Andreas Beckmann ]
+  * Update nv-readme.ids.
+  * Restrict watch file to releases from the 460.xx production branch.
+
+ -- Andreas Beckmann   Fri, 23 Apr 2021 08:59:01 +0200
+
+nvidia-graphics-drivers (460.67-1) unstable; urgency=medium
+
+  * New upstream production branch release 460.67 (2021-03-18).
+- Fixed a bug where using ray tracing extensions on multi-GPU setups could
+  result in application instability if the GPUs did not match.
+- Fixed an issue that prevented G-SYNC from working properly after a mode
+  switch on Kepler-based GPUs.
+
+  [ Luca Boccassi ]
+  * Update nv-readme.ids.
+
+ -- Andreas Beckmann   Sun, 21 Mar 2021 20:51:46 +0100
+
+nvidia-graphics-drivers (460.56-2) unstable; urgency=medium
+
+  * nvidia-alternative: Add libnvidia-ml.so slave alternative if
+libnvidia-ml-dev is installed.  (Closes: #984881)
+
+ -- Andreas Beckmann   Wed, 10 Mar 2021 21:03:59 +0100
+
+nvidia-graphics-drivers (460.56-1) unstable; urgency=medium
+
+  * New upstream production branch release 460.56 (2021-02-25).
+- Added support for the following GPUs: GeForce RTX 3060, CMP 40HX,
+  CMP 30HX.
+- Fixed a bug with indexed ray payloads in Vulkan.
+
+  [ Luca Boccassi ]
+  * Update nv-readme.ids.
+
+  [ Andreas Beckmann ]
+  * Switch to dh-sequence-dkms.
+  * Simplify dh_dkms usage.
+
+ -- Andreas Beckmann   Sun, 28 Feb 2021 00:26:36 +0100
+
+nvidia-graphics-drivers (460.39-1) unstable; urgency=medium
+
+  * New upstream production branch release 460.39 (2021-01-26).
+- Updated the NVIDIA driver to restore functionality of some features,
+  including runtime power management, hotplugging audio-capable display
+  devices, and S0ix-based system suspend, with recent kernels such as
+  Linux 5.10.  (Closes: #981187)
+- Fixed a bug that caused bindless texture samplers to be incorrectly
+  counted towards the MAX_COMPUTE_TEXTURE_IMAGE_UNITS limit.
+- Fixed a bug that could cause the GPU to hang when attempting to
+  perform link training on an HDMI 2.1 Fixed Rate Link (FRL) display,
+  while the display is powered off.
+- Added support for the following GPUs: GeFor

Re: Tentative summary of the AMD/ATI/NVidia issue

2021-04-24 Thread Ansgar
Lucas Nussbaum writes:
> It looks like the three open paths for resolution are:
>
> A) understand and restore the behaviour from Debian 10, that is, get X
> to work in a degraded mode after installation. How it worked with Debian
> 10 (and why it doesn't with Debian 11) is unknown.
>
> B) In the installer, detect that firmware-amd-graphics or
> firmware-misc-nonfree should be installed, and either install it (?),
> or redirect the user to the unofficial installer that includes them.
>
> C) Do nothing and document this in the release notes

There is at least also

D) Install (non-free) firmware and include it in official install media.

I don't think degraded operation (just vesa, no sound, no wifi, known
issues in microcode, ...) will continue to be an attractive option.
So maybe we should revisit whether we should just include firmware; I
wanted to suggest so at least for Bookworm.

Ansgar



Bug#987400: [Pkg-tcltk-devel] Bug#987397: tcltls: build conflict with openssl requires removal of too many packages

2021-04-24 Thread Andrej Shadura
Hi,

On Sat, 24 Apr 2021, at 12:38, Graham Inggs wrote:
> On Fri, 23 Apr 2021 at 13:12, Andrej Shadura  wrote:
> > I finally came back from lunch, the latest debdiff and the diffoscope 
> > output are attached.
> 
> The diffoscope output of a no-change rebuild of 1.7.22-1 and 1.7.22-2
> should show fewer differences.
> 
> I don't see the upload of 1.7.22-2 yet, so in case you were wanting
> pre-approval, please go ahead and upload, and remove the moreinfo tag
> once the new version is available in unstable.

Right, I should have clarified — I didn't rebuild -1.

Sergei, will you upload this? I'll only be back at the keyboard in the evening.

-- 
Cheers,
  Andrej



Processed: Re: Bug#987400: [Pkg-tcltk-devel] Bug#987397: tcltls: build conflict with openssl requires removal of too many packages

2021-04-24 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo confirmed
Bug #987400 [release.debian.org] unblock: tcltls/1.7.22-2
Added tag(s) confirmed and moreinfo.

-- 
987400: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987400
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#987400: [Pkg-tcltk-devel] Bug#987397: tcltls: build conflict with openssl requires removal of too many packages

2021-04-24 Thread Graham Inggs
Control: tags -1 + moreinfo confirmed

Hi Andrej

On Fri, 23 Apr 2021 at 13:12, Andrej Shadura  wrote:
> I finally came back from lunch, the latest debdiff and the diffoscope output 
> are attached.

The diffoscope output of a no-change rebuild of 1.7.22-1 and 1.7.22-2
should show fewer differences.

I don't see the upload of 1.7.22-2 yet, so in case you were wanting
pre-approval, please go ahead and upload, and remove the moreinfo tag
once the new version is available in unstable.

Regards
Graham



NEW changes in stable-new

2021-04-24 Thread Debian FTP Masters
Processing changes file: 
crmsh_4.0.0~git20190108.3d56538-3+deb10u1_source.changes
  ACCEPT



Processed: crmsh 4.0.0~git20190108.3d56538-3+deb10u1 flagged for acceptance

2021-04-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 986014 = buster pending
Bug #986014 [release.debian.org] buster-pu: package 
crmsh/4.0.0~git20190108.3d56538-3+deb10u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
986014: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986014
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#986014: crmsh 4.0.0~git20190108.3d56538-3+deb10u1 flagged for acceptance

2021-04-24 Thread Adam D Barratt
package release.debian.org
tags 986014 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==

Package: crmsh
Version: 4.0.0~git20190108.3d56538-3+deb10u1

Explanation: fix code execution issue [CVE-2020-35459]



NEW changes in stable-new

2021-04-24 Thread Debian FTP Masters
Processing changes file: freediameter_1.2.1-7+deb10u1_source.changes
  ACCEPT
Processing changes file: node-glob-parent_3.1.0-1+deb10u1_sourceonly.changes
  ACCEPT
Processing changes file: node-handlebars_4.1.0-1+deb10u3_sourceonly.changes
  ACCEPT
Processing changes file: node-hosted-git-info_2.7.1-1+deb10u1_sourceonly.changes
  ACCEPT
Processing changes file: plinth_19.1+deb10u2_source.changes
  ACCEPT
Processing changes file: xfce4-weather-plugin_0.8.10-1+deb10u1_source.changes
  ACCEPT



Processed: plinth 19.1+deb10u2 flagged for acceptance

2021-04-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 986224 = buster pending
Bug #986224 [release.debian.org] buster-pu: package plinth/19.1+deb10u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
986224: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986224
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: xfce4-weather-plugin 0.8.10-1+deb10u1 flagged for acceptance

2021-04-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 987164 = buster pending
Bug #987164 [release.debian.org] buster-pu: package 
xfce4-weather-plugin/0.8.10-2
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
987164: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987164
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: node-glob-parent 3.1.0-1+deb10u1 flagged for acceptance

2021-04-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 987048 = buster pending
Bug #987048 [release.debian.org] buster-pu: package 
node-glob-parent/3.1.0-1+deb10u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
987048: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987048
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: node-hosted-git-info 2.7.1-1+deb10u1 flagged for acceptance

2021-04-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 985943 = buster pending
Bug #985943 [release.debian.org] buster-pu: package 
node-hosted-git-info/2.7.1-1+deb10u1
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
985943: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985943
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#987042: node-handlebars 4.1.0-1+deb10u3 flagged for acceptance

2021-04-24 Thread Adam D Barratt
package release.debian.org
tags 987042 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==

Package: node-handlebars
Version: 4.1.0-1+deb10u3

Explanation: fix code execution issues [CVE-2019-20920 CVE-2021-23369]



Processed: node-handlebars 4.1.0-1+deb10u3 flagged for acceptance

2021-04-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 987042 = buster pending
Bug #987042 [release.debian.org] buster-pu: package 
node-handlebars/4.1.0-1+deb10u3
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
987042: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987042
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#987164: xfce4-weather-plugin 0.8.10-1+deb10u1 flagged for acceptance

2021-04-24 Thread Adam D Barratt
package release.debian.org
tags 987164 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==

Package: xfce4-weather-plugin
Version: 0.8.10-1+deb10u1

Explanation: move to version 2.0 met.no API



Processed: freediameter 1.2.1-7+deb10u1 flagged for acceptance

2021-04-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 986112 = buster pending
Bug #986112 [release.debian.org] buster-pu: package freediameter/1.2.1-7
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
986112: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986112
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#986224: plinth 19.1+deb10u2 flagged for acceptance

2021-04-24 Thread Adam D Barratt
package release.debian.org
tags 986224 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==

Package: plinth
Version: 19.1+deb10u2

Explanation: use session to verify first boot welcome step



Bug#986112: freediameter 1.2.1-7+deb10u1 flagged for acceptance

2021-04-24 Thread Adam D Barratt
package release.debian.org
tags 986112 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==

Package: freediameter
Version: 1.2.1-7+deb10u1

Explanation: fix denial of service issue [CVE-2020-6098]



Bug#987048: node-glob-parent 3.1.0-1+deb10u1 flagged for acceptance

2021-04-24 Thread Adam D Barratt
package release.debian.org
tags 987048 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==

Package: node-glob-parent
Version: 3.1.0-1+deb10u1

Explanation: fix regular expression denial of service issue [CVE-2020-28469]



Bug#985943: node-hosted-git-info 2.7.1-1+deb10u1 flagged for acceptance

2021-04-24 Thread Adam D Barratt
package release.debian.org
tags 985943 = buster pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian buster.

Thanks for your contribution!

Upload details
==

Package: node-hosted-git-info
Version: 2.7.1-1+deb10u1

Explanation: fix regular expression denial of service issue [CVE-2021-23362]



Tentative summary of the AMD/ATI/NVidia issue (was: Finding a tentative bullseye release date)

2021-04-24 Thread Lucas Nussbaum
On 24/04/21 at 09:25 +0200, Holger Wansing wrote:
> Hi,
> 
> Cyril Brulebois  wrote (Fri, 23 Apr 2021 15:13:15 +0200):
> > D-I Bullseye RC 1 was published a few hours ago. And at the risk of
> > sounding like a broken record: I have *absolutely no guarantee* to
> > have a fix or workaround for the amdgpu issue in less than a month,
> > that would be tested somewhat.
> > 
> > Can we please *not* release with black screens for AMD users?
> 
> Moreover, it's not just an AMD issue.
> We got a confirmation just now on debian-boot, that also NVIDIA users can
> get affected by this:
> https://lists.debian.org/debian-boot/2021/04/msg00225.html
> Some months ago, I have confirmed with that user, that missing firmware
> is indeed the issue there!

Hi,

Disclaimer: I read the "[AMD/ATI graphics] Missing firmware not declared
/ kernel modules not included in initrd" thread. While my understanding
of the issue is not complete, I'm trying to summarize what I understood
so far in the hope that others can jump in and fill in the blanks or
correct me.


There are graphic cards whose in-kernel drivers require non-free
firmwares. Typically AMD/ATI cards that require firmware-amd-graphics[1]
to work with the radeon, amdgpu and r128 drivers; or NVIDIA cards that
require firmware-misc-nonfree to work with the nouveau driver.

[1] https://packages.debian.org/unstable/firmware-amd-graphics


With Debian 10, the behaviour was that the installation succeeded
without installing firmware-* packages, and then, at the first boot, X
would start in a "degraded" mode (using, for example, the vesa driver).
The user would generally then install the firmware package (or, in the
case of NVidia, switch to the proprietary drivers).

With Debian 11, the installation also succeeds, but then at first boot,
X fails to work correctly. What happens here is unclear: reports vary
between "black screen" (but does the system work if the user switches to
console mode?), "garbled screen", "system crash" (but maybe the user did
not notice that the system works in console mode).


It looks like the three open paths for resolution are:

A) understand and restore the behaviour from Debian 10, that is, get X
to work in a degraded mode after installation. How it worked with Debian
10 (and why it doesn't with Debian 11) is unknown.

B) In the installer, detect that firmware-amd-graphics or
firmware-misc-nonfree should be installed, and either install it (?),
or redirect the user to the unofficial installer that includes them.

C) Do nothing and document this in the release notes

The main blocking factor for progress seems to be that not enough people
have both hardware that is not supported (laptops/desktops with AMD or
NVidia graphic cards), and the knowledge and time to investigate this.

Lucas



Re: Finding a tentative bullseye release date

2021-04-24 Thread Holger Wansing
Hi,

Cyril Brulebois  wrote (Fri, 23 Apr 2021 15:13:15 +0200):
> D-I Bullseye RC 1 was published a few hours ago. And at the risk of
> sounding like a broken record: I have *absolutely no guarantee* to
> have a fix or workaround for the amdgpu issue in less than a month,
> that would be tested somewhat.
> 
> Can we please *not* release with black screens for AMD users?

Moreover, it's not just an AMD issue.
We got a confirmation just now on debian-boot, that also NVIDIA users can
get affected by this:
https://lists.debian.org/debian-boot/2021/04/msg00225.html
Some months ago, I have confirmed with that user, that missing firmware
is indeed the issue there!


Holger

-- 
Holger Wansing 
PGP-Fingerprint: 496A C6E8 1442 4B34 8508  3529 59F1 87CA 156E B076



Processed: oops

2021-04-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 987015 confirmed moreinfo
Bug #987015 [release.debian.org] [pre-approval] unblock: python-apt/2.2.0
Added tag(s) confirmed and moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
987015: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987015
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#986040: marked as done (unblock: refcard/11.0)

2021-04-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Apr 2021 09:01:52 +0200
with message-id <27356595-445a-a699-d4c1-113b44220...@debian.org>
and subject line Re: unblock: refcard/11.0
has caused the Debian Bug report #986040,
regarding unblock: refcard/11.0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
986040: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986040
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Usertags: unblock


I would like to request an unblock for version 11.0 of the Debian
reference card (source package 'refcard'). 
I have uploaded the 11.0 version to unstable recently.

The changes include some latest changes to make the package fit for Bullseye.

The debdiff is attached.


Thanks
Holger

-- 
Holger Wansing 
PGP-Fingerprint: 496A C6E8 1442 4B34 8508  3529 59F1 87CA 156E B076
diff -Nru refcard-10.7/debian/changelog refcard-11.0/debian/changelog
--- refcard-10.7/debian/changelog	2020-06-06 19:07:58.0 +0200
+++ refcard-11.0/debian/changelog	2021-03-14 16:17:33.0 +0100
@@ -1,8 +1,16 @@
+refcard (11.0) unstable; urgency=medium
+
+  * Refer to ifupdown for activating/deactivating network interfaces.
+Closes: #975420
+  * Let's release for Bullseye.
+
+ -- Holger Wansing   Sun, 14 Mar 2021 16:17:33 +0100
+
 refcard (10.7) unstable; urgency=medium
 
   [ Holger Wansing ]
   * dblatex corrupts visible URL to GPL, since it adds a hyphen at line-break.
-Inlcude it in .., to avoid that.
+Include it in .., to avoid that.
   * Correct some wrong line-breaks in translations.
   * Add Korean translation by sebul .
   * Add texlive-lang-chinese and -korean as build-depends (additionally needed
diff -Nru refcard-10.7/entries.dbk refcard-11.0/entries.dbk
--- refcard-10.7/entries.dbk	2020-05-23 10:09:53.0 +0200
+++ refcard-11.0/entries.dbk	2021-03-14 16:17:33.0 +0100
@@ -535,9 +535,9 @@
Interface configuration (if not controlled
 	via network-manager).
   
-  
-	ip link set
-	device updown
+  
+	if updown
+	device
 	Start, stop network interfaces according to the
 	file above.
   
diff -Nru refcard-10.7/po4a/bg.po refcard-11.0/po4a/bg.po
--- refcard-10.7/po4a/bg.po	2020-05-29 13:30:07.0 +0200
+++ refcard-11.0/po4a/bg.po	2021-03-14 16:17:33.0 +0100
@@ -6,7 +6,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: refcard 10.0\n"
-"POT-Creation-Date: 2020-04-26 12:27+0200\n"
+"POT-Creation-Date: 2020-11-27 19:21+0100\n"
 "PO-Revision-Date: 2020-04-30 18:42+0300\n"
 "Last-Translator: Kamen Naydenov \n"
 "Language-Team: Bulgarian \n"
@@ -230,7 +230,9 @@
 #: entries.dbk:103
 msgid ""
 "E.g. to set up the network w/o DHCP or to adapt bootloader installation."
-msgstr "Например за настройка на мрежа без DHCP или конфигуриране на зареждащата програма."
+msgstr ""
+"Например за настройка на мрежа без DHCP или конфигуриране на зареждащата "
+"програма."
 
 #. type: Content of: 
 #: entries.dbk:109
@@ -666,7 +668,7 @@
 #: entries.dbk:307
 msgid "ln -s file link"
 msgstr ""
-"ln -s име-на-файл име-на-"
+"ln -s име-на-файл име-на- "
 "препратката"
 
 #. type: Content of: 
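Review bot: The only visible change in this hunk is a space added before the closing quote of the msgstr line "ln -s име-на-файл име-на- ", which would split the hyphenated placeholder name across the continuation line as "име-на- препратката". It is unrelated to the ifupdown change named in the changelog and looks like a re-wrapping artefact; the original line without the trailing space should be kept, or the reason for the change stated.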
@@ -1122,11 +1124,11 @@
 #. type: Content of: 
 #: entries.dbk:539
 msgid ""
-"ip link set device updown"
+"if updown device"
 msgstr ""
-"ip link set интерфейс updown"
+"if updown интерфейс"
 
 #. type: Content of: 
 #: entries.dbk:541
@@ -1173,6 +1175,13 @@
 msgid "Copy files to other machine (and vice versa)."
 msgstr "Копиране на файлове върху отдалечена машина (и обратното)."
 
+#~ msgid ""
+#~ "ip link set device updown"
+#~ msgstr ""
+#~ "ip link set интерфейс updown"
+
 #~ msgid "/sbin/ip"
 #~ msgstr "/sbin/ip"
 
diff -Nru refcard-10.7/po4a/ca.po refcard-11.0/po4a/ca.po
--- refcard-10.7/po4a/ca.po	2020-05-29 13:30:17.0 +0200
+++ refcard-11.0/po4a/ca.po	2021-03-14 16:17:33.0 +0100
@@ -8,7 +8,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: refcard 10.0\n"
-"POT-Creation-Date: 2020-04-26 12:27+0200\n"
+"POT-Creation-Date: 2020-11-27 19:21+0100\n"
 "PO-Revision-Date: 2016-05-03 19:46+0200\n"
 "Last-Translator: Innocent De Marchi \n"
 "Language-Team: Catalan \n"
@@ -1137,11 +1137,11 @@
 #. type: Content of: 
 #: entries.dbk:539
 msgid ""
-"ip link set device updown"
+"if updown device"
 msgstr ""
-"ip link set dispositiu updown"
+"if updown dispositiu"
 
 #. type: Content of: 
 #: entr