Bug#990651: unblock: nx-libs/2:3.5.99.26-2

[Mike Gabriel]

Control: tags -1 - moreinfo

On  So 04 Jul 2021 21:15:15 CEST, Sebastian Ramacher wrote:


Control: tags -1 moreinfo

The debdiff appears to be missing.


Ouch. I forgot that. Now attached.

Mike
--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net

diff -Nru nx-libs-3.5.99.26/debian/changelog nx-libs-3.5.99.26/debian/changelog
--- nx-libs-3.5.99.26/debian/changelog  2021-02-04 14:46:49.0 +0100
+++ nx-libs-3.5.99.26/debian/changelog  2021-07-03 20:42:32.0 +0200
@@ -1,3 +1,22 @@
+nx-libs (2:3.5.99.26-2) unstable; urgency=medium
+
+  * debian/patches:
++ Add 0001_Compext.c-fix-comparisons-of-16bit-sequence-numbers.patch.
+  Compext.c: fix comparisons of 16bit sequence numbers. (Closes:
+  #990647).
++ Add 0002_Forward-ClientMessages-to-nxproxy-side.patch.
+  Forward ClientMessages to nxproxy side. (Closes: #990649).
++ Add 0003_randr-Do-not-update-ConnectionInfo-if-NULL.patch.
+  randr: Do not update ConnectionInfo if NULL (and avoid the nxagent
+  Xserver from crashing). (Closes: #990650).
++ Add 0004_document-additional-options-only-nxagent-knows-about.patch.
+  Update man page and --help documentation of nxproxy/nxagent.
++ Adjust 0004_document-additional-options-only-nxagent-knows-about.patch.
+  Version 3.5.99.26 does not yet have the textclipboard= session
+  parameter.
+
+ -- Mike Gabriel   Sat, 03 Jul 2021 20:42:32 +0200
+
 nx-libs (2:3.5.99.26-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru 
nx-libs-3.5.99.26/debian/patches/0001_Compext.c-fix-comparisons-of-16bit-sequence-numbers.patch
 
nx-libs-3.5.99.26/debian/patches/0001_Compext.c-fix-comparisons-of-16bit-sequence-numbers.patch
--- 
nx-libs-3.5.99.26/debian/patches/0001_Compext.c-fix-comparisons-of-16bit-sequence-numbers.patch
 1970-01-01 01:00:00.0 +0100
+++ 
nx-libs-3.5.99.26/debian/patches/0001_Compext.c-fix-comparisons-of-16bit-sequence-numbers.patch
 2021-06-09 09:25:13.0 +0200
@@ -0,0 +1,86 @@
+From 1b4ebce2ce8ef29c01bd124ed56c9d6a14c9a82d Mon Sep 17 00:00:00 2001
+From: Ulrich Sibiller 
+Date: Wed, 17 Mar 2021 22:17:55 +0100
+Subject: [PATCH] Compext.c: fix comparisons of 16bit sequence numbers
+
+rep->generic.sequenceNumber is of type CARD16
+state->sequence is of type unsigned long
+
+Converting state->sequence to an int as it has been done since the
+first version of nxcomp I know of (1.3.0-18 from 2003) is wrong here
+because for numbers > INT_MAX this will result in a negative number,
+which, after applying the 16bit modulo, will not match
+rep->generic.sequenceNumber.
+
+Example with numbers:
+
+CARD16 c = 24565
+unsigned long u = 3179110389
+
+c % 65536 = 24565
+u % 65536 = 24565
+
+(int)(u) = -1115856907
+(int)(u) % 65536 = -40971
+
+-40971 will not match 24565
+
+To fix this we need to ensure the number stays positive. We use CARD16
+for this to match the type in the request which is a 16bit number. On
+my system CARD16 is unsigned short which is guaranteed to contain _at
+least_ the 0-65,535 range. As there is no upper limit of the range we
+cannot drop the modulo because we need this value to be 16bit and not
+more.
+
+Thanks to Norm Green for providing log after log until we could
+finally identify the reason for him seeing "Xlib: unexpected async
+reply (sequence 0x94b01439)!" when pasting stopped working.
+
+Signed-off-by: Mike Gabriel 
+---
+ nx-X11/programs/Xserver/hw/nxagent/compext/Compext.c | 8 
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/hw/nxagent/compext/Compext.c 
b/nx-X11/programs/Xserver/hw/nxagent/compext/Compext.c
+index 4a8dacaf4..7a6cb9e30 100644
+--- a/nx-X11/programs/Xserver/hw/nxagent/compext/Compext.c
 b/nx-X11/programs/Xserver/hw/nxagent/compext/Compext.c
+@@ -3435,7 +3435,7 @@ static Bool _NXCollectImageHandler(Display *dpy, xReply 
*rep, char *buf,
+   state = (_NXCollectImageState *) data;
+ 
+   if ((rep -> generic.sequenceNumber % 65536) !=
+-  ((int)(state -> sequence) % 65536))
++  ((CARD16)(state -> sequence) % 65536))
+   {
+ #ifdef TEST
+ fprintf(stderr, "**_NXCollectImageHandler: Unmatched sequence [%d] 
for opcode [%d] "
+@@ -3819,7 +3819,7 @@ static Bool _NXCollectPropertyHandler(Display *dpy, 
xReply *rep, char *buf,
+   state = (_NXCollectPropertyState *) data;
+ 
+   if ((rep -> generic.sequenceNumber % 65536) !=
+-  ((int)(state -> sequence) % 65536))
++  ((CARD16)(state -> sequence) % 65536))
+   {
+ #ifdef TEST
+ fprintf(stderr, "**_NXCollectPropertyHandler: Unmatched sequence [%d] 
for opcode [%d] "
+@@ -4173,7 +4173,7 @@ static Bool _NXCollectGrabPointerHandler(Display *dpy, 
xReply *rep, char *buf,
+   state = (_NXCollectGrabPointerState *) data;
+ 
+   if ((rep -> generic.sequenceNumber 

Processed: Re: Bug#990651: unblock: nx-libs/2:3.5.99.26-2

[Debian Bug Tracking System]

Processing control commands:

> tags -1 - moreinfo
Bug #990651 [release.debian.org] unblock: nx-libs/2:3.5.99.26-2
Removed tag(s) moreinfo.

-- 
990651: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990651
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#990695: side note about 1.1.9-4

[Mike Gabriel]

Sometime ago, I uploaded uif 1.1.9-4 to fix the debian/watch file  
regarding Github URL changes and retrieval of upstream releases. This  
fix is also included in 1.1.9-5.


Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de



pgpeOQLnTWf3T.pgp
Description: Digitale PGP-Signatur

Bug#990699: release.debian.org: Sorting out bug 990059 in bullseye

[Mike Hommey]

Package: release.debian.org
Severity: important
Usertags: binnmu transition

Hi,

Recent versions of libnss3 had a backwards incompatible change that made
packages built with the newer versions fail to work properly with the older
version of the package that is in bullseye.

That wouldn't be a problem if 2 packages that use the problematic symbol
and are built with the newer version hadn't themselves made it to
bullseye. The packages are, namely, firefox-esr and curl (curl has only
become a problem this week).

I uploaded a version of nss (2:3.67-2) that works around the issue and
will make rebuilds of those packages work with the version of nss in
bullseye, meaning we'd need binNMUs of both curl and firefox-esr and
subsequent transitions.

However, firefox-esr is due for a security update next tuesday/wednesday,
so it will be rebuilt anyways. I guess we might as well wait.

Which leaves us with just curl.

 nmu curl_7.74.0-1.3 . ANY . -m 'Rebuild against newer libnss3-dev'

Mike

Re: Bug#990059: Bug#989839: Thunderbird 1:78.11.0-1 in testing lacks full functionality

[Mike Hommey]

On Mon, Jul 05, 2021 at 08:14:45AM +0900, Mike Hommey wrote:
> On Mon, Jul 05, 2021 at 07:57:30AM +0900, Mike Hommey wrote:
> > reopen 990059
> > affects 990059 firefox-esr firefox libcurl3-nss
> > thanks
> > 
> > On Sat, Jun 19, 2021 at 09:00:13AM +0200, Carsten Schoenert wrote:
> > > Hello Kevin, hello Sebastian,
> > > 
> > > thanks for working on this issue in between times, I wasn't able to do
> > > anything practically the last days.
> > > 
> > > Am 18.06.21 um 23:31 schrieb Kevin Locke:
> > > > Hi Sebastian,
> > > > 
> > > > On Fri, 2021-06-18 at 22:26 +0200, Sebastian Ramacher wrote:
> > > >> Thanks for this detailed analysis. That actually means that the symbol
> > > >> file for libnss3 2:3.67-1 is broken. It would need to bump the minimum
> > > >> version requirement for all symbols that works with SSLChannelInfo. 
> > > >> From
> > > >> your description, at least the version for SSL_GetChannelInfo would 
> > > >> need
> > > >> to be bumped. If thunderbird would then be built against a libnss3
> > > >> version with a fixed symbol files, it would pick up tight enought
> > > >> dependencies.
> > > >>
> > > >> So ideally the bug against thunderbird would be reassigned to libnss3
> > > >> 2:3.67-1 and its severits raised to serious. Once fixed, we can rebuild
> > > >> thunderbird to pick up the correct depedencies.
> > > > 
> > > > Good point.  Fixing the libnss3 symbol file sounds like the right fix to
> > > > me.  As far as I can tell SSL_GetChannelInfo is the only symbol which
> > > > takes SSLChannelInfo.  I've opened https://bugs.debian.org/990058 with
> > > > the proposed fix.
> > > 
> > > Fixing libnss3 is obviously the correct thing anyway. But this will take
> > > its time to get it landed into bullseye.
> > > 
> > > >> But since that version of libnss3 is not in bullseye, the rebuild would
> > > >> not be abile to migrate. Ideally libnss3 would be reverted to the
> > > >> version in bullseye to avoid this issue. Otherwise I can schedule
> > > >> binNMUs of thunderbird in tpu, but that means that we would need to do
> > > >> that for any thunderbird upload that we want in bullseye until the
> > > >> release. That is suboptimal - it's more work with less testing.
> > > > 
> > > > That may be tricky.  firefox 88.0.1-1 in unstable depends on
> > > > libnss3 (>= 2:3.63~).  If the maintainers are willing to upload an NSS
> > > > version between 2:3.63 and 2:3.65, I believe that would solve the issue
> > > > without breaking firefox.  (2:3.63-1 is the only suitable version
> > > > in debian/changelog.)  I've opened https://bugs.debian.org/990059 to
> > > > discuss.
> > > 
> > > To prevent quite a lot of work on all involved parties with not that
> > > much gain in the end I'd suggest to go back to my option B that was to
> > > (re)build Thunderbird with it's internal shipped NSS version.
> > 
> > Unfortunately, this affects more than Thunderbird. It also affects
> > Firefox ESR (although not on amd64 because for some reason it was built
> > against an older version of NSS, but it affects other architectures). It
> > also affects the latest upload of curl.
> 
> It also affects openjdk-17, openjdk-8 and pcp in sid, if they're ever
> meant to transition to testing (which, from the look of it, is probably
> not the case).

Scrap that, openjdk* and pcp are not using the problematic symbol.

Mike

Bug#990697: unblock: gnome-desktop3/3.38.5-3

[Gunnar Hjalmarsson]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-gnome-maintain...@lists.alioth.debian.org

Please unblock package gnome-desktop3.

[ Reason ]

Cherry picked upstream commit to fix segfault when adding input sources 
while show-all-sources is "true". The problem was reported in 
.


[ Impact ]

Without the fix, GNOME users can't make use of the so-called "exotic" 
XKB keyboard layouts. Let's not ship Debian 11 with that bug, even if 
only a minor portion of the users are affected.


[ Tests ]

Manually installed the binaries built by version 3.38.5-3 of the 
gnome-desktop3 source, and confirmed that the bug was fixed as expected.


[ Risks ]

The change is a targeted fix to address the issue at hand. It was 
committed upstream on April 22, and no reported regression.


[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

--
Cheers,
Gunnar Hjalmarsson
diff --git a/debian/changelog b/debian/changelog
index 80634e36..d39f84fc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+gnome-desktop3 (3.38.5-3) unstable; urgency=medium
+
+  * Team upload
+  * d/p/xkbinfo-only-insert-new-layouts-skip-over-duplicate-ones.patch:
+Fix segfault when adding input sources while show-all-sources is
+"true" (closes: #989045).
+
+ -- Gunnar Hjalmarsson   Sun, 04 Jul 2021 15:40:52 +0200
+
 gnome-desktop3 (3.38.5-2) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/series b/debian/patches/series
index 6b64c79b..0630c1a8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ xkbinfo-refactor-some-of-the-rules-parsing.patch
 test-convert-the-xkbinfo-test-to-produce-YAML.patch
 xkbinfo-use-libxkbregistry-to-parse-the-rules-files-for-u.patch
 xkbinfo-Update-iso639Ids-correctly-in-evdev.patch
+xkbinfo-only-insert-new-layouts-skip-over-duplicate-ones.patch
diff --git 
a/debian/patches/xkbinfo-only-insert-new-layouts-skip-over-duplicate-ones.patch 
b/debian/patches/xkbinfo-only-insert-new-layouts-skip-over-duplicate-ones.patch
new file mode 100644
index ..1274aae8
--- /dev/null
+++ 
b/debian/patches/xkbinfo-only-insert-new-layouts-skip-over-duplicate-ones.patch
@@ -0,0 +1,53 @@
+From: Peter Hutterer 
+Date: Thu, 22 Apr 2021 01:29:18 +
+Subject: xkbinfo: only insert new layouts, skip over duplicate ones
+
+This matches the behavior to the one in the old code path before
+libxkbregistry.
+
+This also fixes a use-after-free bug when a duplicate layout is present. The
+same layout struct is a member of multiple hashtables, specifically
+priv->layouts_table, priv->layouts_by_language and  priv->layouts_by_country.
+
+When the duplicate layout is added, add_layouts calls g_hash_table_replace
+(priv->layouts_table, l->id, l) which frees the original layout - but the
+layouts_by_{country|language} still have that now-freed layout.
+Immediately afterwards, add_layouts calls add_layout_to_locale_tables () which
+calls add_layout_to_table () which triggers a use-after-free.
+
+Avoid all this by simply skipping any duplicate layout.
+
+Reproducible with
+  gsettings set org.gnome.desktop.input-sources show-all-sources true
+  valgrind /usr/libexec/gnome-desktop-debug/test-xkb-info
+
+Requires xkeyboard-config <= 2.32, it has a duplicate cm(mmuock) entry
+(one is marked exotic, hence the need for show-all-sources).
+
+Origin: concatenation of:
+ https://gitlab.gnome.org/GNOME/gnome-desktop/-/commit/a39dd0d2
+ https://gitlab.gnome.org/GNOME/gnome-desktop/-/commit/81c6cd79
+Bug: https://gitlab.gnome.org/GNOME/gnome-desktop/-/issues/190
+Bug-Debian: https://bugs.debian.org/989045
+Bug-Ubuntu: https://launchpad.net/bugs/1933022
+---
+ libgnome-desktop/gnome-xkb-info.c | 6 ++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libgnome-desktop/gnome-xkb-info.c 
b/libgnome-desktop/gnome-xkb-info.c
+index b2eca699..f2a3214b 100644
+--- a/libgnome-desktop/gnome-xkb-info.c
 b/libgnome-desktop/gnome-xkb-info.c
+@@ -268,6 +268,12 @@ add_layouts (GnomeXkbInfo*self,
+   l->iso3166Ids = g_slist_prepend (l->iso3166Ids, id);
+ }
+ 
++  if (g_hash_table_contains (priv->layouts_table, l->id))
++{
++  g_clear_pointer (&l, free_layout);
++  continue;
++}
++
+   g_hash_table_replace (priv->layouts_table, l->id, l);
+   add_layout_to_locale_tables (l,
+priv->layouts_by_language,


OpenPGP_signature
Description: OpenPGP digital signature

Re: Bug#990059: Bug#989839: Thunderbird 1:78.11.0-1 in testing lacks full functionality

[Mike Hommey]

On Mon, Jul 05, 2021 at 07:57:30AM +0900, Mike Hommey wrote:
> reopen 990059
> affects 990059 firefox-esr firefox libcurl3-nss
> thanks
> 
> On Sat, Jun 19, 2021 at 09:00:13AM +0200, Carsten Schoenert wrote:
> > Hello Kevin, hello Sebastian,
> > 
> > thanks for working on this issue in between times, I wasn't able to do
> > anything practically the last days.
> > 
> > Am 18.06.21 um 23:31 schrieb Kevin Locke:
> > > Hi Sebastian,
> > > 
> > > On Fri, 2021-06-18 at 22:26 +0200, Sebastian Ramacher wrote:
> > >> Thanks for this detailed analysis. That actually means that the symbol
> > >> file for libnss3 2:3.67-1 is broken. It would need to bump the minimum
> > >> version requirement for all symbols that works with SSLChannelInfo. From
> > >> your description, at least the version for SSL_GetChannelInfo would need
> > >> to be bumped. If thunderbird would then be built against a libnss3
> > >> version with a fixed symbol files, it would pick up tight enought
> > >> dependencies.
> > >>
> > >> So ideally the bug against thunderbird would be reassigned to libnss3
> > >> 2:3.67-1 and its severits raised to serious. Once fixed, we can rebuild
> > >> thunderbird to pick up the correct depedencies.
> > > 
> > > Good point.  Fixing the libnss3 symbol file sounds like the right fix to
> > > me.  As far as I can tell SSL_GetChannelInfo is the only symbol which
> > > takes SSLChannelInfo.  I've opened https://bugs.debian.org/990058 with
> > > the proposed fix.
> > 
> > Fixing libnss3 is obviously the correct thing anyway. But this will take
> > its time to get it landed into bullseye.
> > 
> > >> But since that version of libnss3 is not in bullseye, the rebuild would
> > >> not be abile to migrate. Ideally libnss3 would be reverted to the
> > >> version in bullseye to avoid this issue. Otherwise I can schedule
> > >> binNMUs of thunderbird in tpu, but that means that we would need to do
> > >> that for any thunderbird upload that we want in bullseye until the
> > >> release. That is suboptimal - it's more work with less testing.
> > > 
> > > That may be tricky.  firefox 88.0.1-1 in unstable depends on
> > > libnss3 (>= 2:3.63~).  If the maintainers are willing to upload an NSS
> > > version between 2:3.63 and 2:3.65, I believe that would solve the issue
> > > without breaking firefox.  (2:3.63-1 is the only suitable version
> > > in debian/changelog.)  I've opened https://bugs.debian.org/990059 to
> > > discuss.
> > 
> > To prevent quite a lot of work on all involved parties with not that
> > much gain in the end I'd suggest to go back to my option B that was to
> > (re)build Thunderbird with it's internal shipped NSS version.
> 
> Unfortunately, this affects more than Thunderbird. It also affects
> Firefox ESR (although not on amd64 because for some reason it was built
> against an older version of NSS, but it affects other architectures). It
> also affects the latest upload of curl.

It also affects openjdk-17, openjdk-8 and pcp in sid, if they're ever
meant to transition to testing (which, from the look of it, is probably
not the case).

Mike

Re: Bug#990059: Bug#989839: Thunderbird 1:78.11.0-1 in testing lacks full functionality

[Mike Hommey]

reopen 990059
affects 990059 firefox-esr firefox libcurl3-nss
thanks

On Sat, Jun 19, 2021 at 09:00:13AM +0200, Carsten Schoenert wrote:
> Hello Kevin, hello Sebastian,
> 
> thanks for working on this issue in between times, I wasn't able to do
> anything practically the last days.
> 
> Am 18.06.21 um 23:31 schrieb Kevin Locke:
> > Hi Sebastian,
> > 
> > On Fri, 2021-06-18 at 22:26 +0200, Sebastian Ramacher wrote:
> >> Thanks for this detailed analysis. That actually means that the symbol
> >> file for libnss3 2:3.67-1 is broken. It would need to bump the minimum
> >> version requirement for all symbols that works with SSLChannelInfo. From
> >> your description, at least the version for SSL_GetChannelInfo would need
> >> to be bumped. If thunderbird would then be built against a libnss3
> >> version with a fixed symbol files, it would pick up tight enought
> >> dependencies.
> >>
> >> So ideally the bug against thunderbird would be reassigned to libnss3
> >> 2:3.67-1 and its severits raised to serious. Once fixed, we can rebuild
> >> thunderbird to pick up the correct depedencies.
> > 
> > Good point.  Fixing the libnss3 symbol file sounds like the right fix to
> > me.  As far as I can tell SSL_GetChannelInfo is the only symbol which
> > takes SSLChannelInfo.  I've opened https://bugs.debian.org/990058 with
> > the proposed fix.
> 
> Fixing libnss3 is obviously the correct thing anyway. But this will take
> its time to get it landed into bullseye.
> 
> >> But since that version of libnss3 is not in bullseye, the rebuild would
> >> not be abile to migrate. Ideally libnss3 would be reverted to the
> >> version in bullseye to avoid this issue. Otherwise I can schedule
> >> binNMUs of thunderbird in tpu, but that means that we would need to do
> >> that for any thunderbird upload that we want in bullseye until the
> >> release. That is suboptimal - it's more work with less testing.
> > 
> > That may be tricky.  firefox 88.0.1-1 in unstable depends on
> > libnss3 (>= 2:3.63~).  If the maintainers are willing to upload an NSS
> > version between 2:3.63 and 2:3.65, I believe that would solve the issue
> > without breaking firefox.  (2:3.63-1 is the only suitable version
> > in debian/changelog.)  I've opened https://bugs.debian.org/990059 to
> > discuss.
> 
> To prevent quite a lot of work on all involved parties with not that
> much gain in the end I'd suggest to go back to my option B that was to
> (re)build Thunderbird with it's internal shipped NSS version.

Unfortunately, this affects more than Thunderbird. It also affects
Firefox ESR (although not on amd64 because for some reason it was built
against an older version of NSS, but it affects other architectures). It
also affects the latest upload of curl.

I'm going to upload a new version of 3.67 that will restore the binary
compat so that things built against the new version will work with the
older one. That should allow to binNMU the affected packages.

Mike

Bug#990696: unblock: netselect/0.3.ds1-29

[Javier Fernández-Sanguino Peña]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package netselect

[ Reason ]

Netselect-apt is not able to properly parse the URLs in the mirror list
available in the Debian website. This version fixes the bug in parsing which
makes it work again.

[ Impact ]
If the unblock is not implemented users will not be able to use netselect-apt

[ Tests ]
I have run manually tests in my unstable system to confi

[ Risks ]
The change is very simple. This is a package which is used by a small number of
users. 

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock netselect/0.3.ds1-29

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 5.10.0-1-686-pae (SMP w/4 CPU threads)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru netselect-0.3.ds1/debian/changelog netselect-0.3.ds1/debian/changelog
--- netselect-0.3.ds1/debian/changelog  2021-07-05 00:14:53.0 +0200
+++ netselect-0.3.ds1/debian/changelog  2021-07-04 23:04:35.0 +0200
@@ -1,3 +1,14 @@
+netselect (0.3.ds1-29) unstable; urgency=high
+
+  * netselect-apt:
+- Fix bug that makes it output some hosts with negative value (Closes: 
920907)
+- Fix bug in the Pelr parsing which prevented it from processing properly
+  the mirrors listed in the Debian website (Closes: 989674)
+  * debian/control: Move curl to depends as it is required by netselect-apt
+   (Closes: 788793)
+
+ -- Javier Fernández-Sanguino Peña   Sun, 04 Jul 2021 
23:04:35 +0200
+
 netselect (0.3.ds1-28) unstable; urgency=medium
 
   * Use debhelper files properly to relocation binaries and
diff -Nru netselect-0.3.ds1/debian/control netselect-0.3.ds1/debian/control
--- netselect-0.3.ds1/debian/control2021-07-05 00:14:53.0 +0200
+++ netselect-0.3.ds1/debian/control2021-07-04 23:04:35.0 +0200
@@ -22,8 +22,7 @@
 
 Package: netselect-apt
 Architecture: all
-Depends: wget, netselect (>= 0.3.ds1-17), ${misc:Depends}
-Recommends: curl
+Depends: wget, netselect (>= 0.3.ds1-17), curl, ${misc:Depends}
 Enhances: apt
 Suggests: dpkg-dev
 Description: speed tester for choosing a fast Debian mirror
diff -Nru netselect-0.3.ds1/netselect-apt netselect-0.3.ds1/netselect-apt
--- netselect-0.3.ds1/netselect-apt 2021-07-05 00:14:53.0 +0200
+++ netselect-0.3.ds1/netselect-apt 2021-07-04 23:04:35.0 +0200
@@ -35,7 +35,7 @@
 # Default distribution
 distro="stable"
 # Default protocol
-protocol="HTTP"
+protocol="http"
 # Number of fastest hosts that will be validated
 test_hosts="10"
 # URL where the mirror list is retrieved from 
@@ -120,7 +120,7 @@
 
 # Second test: do we have the test file we are looking for?
 [ -n "$DEBUG" ] && log "DEBUG: Checking if the file '$test_file' is 
available in site"
-temp=`tempfile`
+temp=`mktemp`
 [ ! -e "$temp" ] && return 0 # Return without error if we cannot create
  # a temporary file
 curl -m 2 -q -s "$host/$test_file"  >$temp 2>&1
@@ -156,12 +156,14 @@
SEARCH="$1"
PROTO="$2"
 hosts=$(cat "$infile" \
-   | perl -n -e '
+   | perl -n -e '
+use warnings;
+use strict;
$/="";
-$country_name  = ".*";
-$country_iso  = "..";
-$country = "'"$country"'";
-$my_country = 1;
+my $country_name  = ".*";
+my $country_iso  = "..";
+my $country = "'"$country"'";
+my $my_country = 1;
 if ( $country ne "" ) {
   $my_country = 0;
   if ( $country =~ /^\w{2}$/ ) {
@@ -184,7 +186,7 @@
next if $_ !~ /Site:/;
if( ( /Includes architectures:.+'"$arch"'.+/i ||
$_ !~ /Includes architectures:/ 
) &&
-   
m@'"$SEARCH"':.*@i && $my_country == 1
+   
m@'"$SEARCH"':.*@i && $my_country == 1
){
print("$1\n");
}}')
@@ -197,7 +199,7 @@
corruptedhosts=$(echo "$out" | egrep '^ *-')
if [ $? -eq 0 ]; then
log "Detected corrupt scores from bug in netselect: 
$corruptedhosts"
-   out=$(echo "$out" | sed -e '/^-/d')
+   out=$(echo "$out" | s

Bug#990690: marked as done (unblock: pillow/8.1.2+dfsg-0.2)

[Debian Bug Tracking System]

Your message dated Sun, 04 Jul 2021 21:57:10 +
with message-id 
and subject line unblock pillow
has caused the Debian Bug report #990690,
regarding unblock: pillow/8.1.2+dfsg-0.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990690: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990690
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: car...@debian.org,j...@debian.org

Hi Release team,

Please unblock package pillow

Moritz fixed several CVEs affecting pillow in unstable, and the fixes
should be present in bullseye before the relese to avoid an early need
oa possible DSA or having the CVEs just unfixed in bullseye.

Can you please unblock the package?

Regards,
Salvatore
diff -Nru pillow-8.1.2+dfsg/debian/changelog pillow-8.1.2+dfsg/debian/changelog
--- pillow-8.1.2+dfsg/debian/changelog  2021-04-24 15:51:24.0 +0200
+++ pillow-8.1.2+dfsg/debian/changelog  2021-06-13 18:11:04.0 +0200
@@ -1,3 +1,12 @@
+pillow (8.1.2+dfsg-0.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Cherrypick security fixes from 8.2:
+- CVE-2021-25287 / CVE-2021-25288 / CVE-2021-28675 / CVE-2021-28676
+  CVE-2021-28677 / CVE-2021-28678 (Closes: #989062)
+
+ -- Moritz Muehlenhoff   Sun, 13 Jun 2021 18:11:04 +0200
+
 pillow (8.1.2+dfsg-0.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru pillow-8.1.2+dfsg/debian/patches/CVE-2021-25287_CVE-2021-25288.patch 
pillow-8.1.2+dfsg/debian/patches/CVE-2021-25287_CVE-2021-25288.patch
--- pillow-8.1.2+dfsg/debian/patches/CVE-2021-25287_CVE-2021-25288.patch
1970-01-01 01:00:00.0 +0100
+++ pillow-8.1.2+dfsg/debian/patches/CVE-2021-25287_CVE-2021-25288.patch
2021-06-13 18:08:32.0 +0200
@@ -0,0 +1,69 @@
+From 3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87 Mon Sep 17 00:00:00 2001
+From: Eric Soroos 
+Date: Sun, 7 Mar 2021 12:32:12 +0100
+Subject: [PATCH] Fix OOB Read in Jpeg2KDecode CVE-2021-25287,CVE-2021-25288
+
+* For J2k images with multiple bands, it's legal in to have different
+  widths for each band, e.g. 1 byte for L, 4 bytes for A
+* This dates to Pillow 2.4.0
+
+--- pillow-8.1.2+dfsg.orig/src/libImaging/Jpeg2KDecode.c
 pillow-8.1.2+dfsg/src/libImaging/Jpeg2KDecode.c
+@@ -589,7 +589,7 @@ j2k_decode_entry(Imaging im, ImagingCode
+ j2k_unpacker_t unpack = NULL;
+ size_t buffer_size = 0, tile_bytes = 0;
+ unsigned n, tile_height, tile_width;
+-int components;
++int total_component_width = 0;
+ 
+ 
+ stream = opj_stream_create(BUFFER_SIZE, OPJ_TRUE);
+@@ -753,23 +753,40 @@ j2k_decode_entry(Imaging im, ImagingCode
+ goto quick_exit;
+ }
+ 
++if (tile_info.nb_comps != image->numcomps) {
++state->errcode = IMAGING_CODEC_BROKEN;
++state->state = J2K_STATE_FAILED;
++goto quick_exit;
++}
++  
+ /* Sometimes the tile_info.datasize we get back from openjpeg
+-   is less than numcomps*w*h, and we overflow in the
++   is less than sum(comp_bytes)*w*h, and we overflow in the
+shuffle stage */
+ 
+ tile_width = tile_info.x1 - tile_info.x0;
+ tile_height = tile_info.y1 - tile_info.y0;
+-components = tile_info.nb_comps == 3 ? 4 : tile_info.nb_comps;
+-if (( tile_width > UINT_MAX / components ) ||
+-( tile_height > UINT_MAX / components ) ||
+-( tile_width > UINT_MAX / (tile_height * components )) ||
+-( tile_height > UINT_MAX / (tile_width * components ))) {
++
++/* Total component width = sum (component_width) e.g, it's
++ legal for an la file to have a 1 byte width for l, and 4 for
++ a. and then a malicious file could have a smaller tile_bytes
++*/
++
++for (n=0; n < tile_info.nb_comps; n++) {
++// see csize /acsize calcs
++int csize = (image->comps[n].prec + 7) >> 3;
++csize = (csize == 3) ? 4 : csize;
++total_component_width += csize;
++}
++if ((tile_width > UINT_MAX / total_component_width) ||
++(tile_height > UINT_MAX / total_component_width) ||
++(tile_width > UINT_MAX / (tile_height * total_component_width)) ||
++(tile_height > UINT_MAX / (tile_width * total_component_width))) {
+ state->errcode = IMAGING_CODEC_BROKEN;
+ state->state = J2K_STATE_FAILED;
+ goto quick_exit;
+ }
+-
+-t

Bug#990689: marked as done (unblock: node-nodemailer/6.4.17-3)

[Debian Bug Tracking System]

Your message dated Sun, 4 Jul 2021 23:58:15 +0200
with message-id 
and subject line Re: Bug#990689: unblock: node-nodemailer/6.4.17-3
has caused the Debian Bug report #990689,
regarding unblock: node-nodemailer/6.4.17-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990689: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990689
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: car...@debian.org,y...@debian.org

Hi Release team,

Please unblock package node-nodemailer

Yadd fixed #990485, CVE-2021-23400 for node-nodemailer in unstable.
Can you please unblock the package (it would not need to, if I
understand correctly, not beeing a key package and having autopkgtests
passing) still to make sure it lands in testing and so in bullseeye
before the release?

Regards,
Salvatore
diff -Nru node-nodemailer-6.4.17/debian/changelog 
node-nodemailer-6.4.17/debian/changelog
--- node-nodemailer-6.4.17/debian/changelog 2021-01-21 06:26:01.0 
+0100
+++ node-nodemailer-6.4.17/debian/changelog 2021-06-30 14:59:47.0 
+0200
@@ -1,3 +1,11 @@
+node-nodemailer (6.4.17-3) unstable; urgency=medium
+
+  * Fix GitHub tags regex
+  * Fix header injection vulnerability in address object
+(Closes: #990485, CVE-2021-23400)
+
+ -- Yadd   Wed, 30 Jun 2021 14:59:47 +0200
+
 node-nodemailer (6.4.17-2) unstable; urgency=medium
 
   * Ignore cookie test (Closes: #980702)
diff -Nru node-nodemailer-6.4.17/debian/control 
node-nodemailer-6.4.17/debian/control
--- node-nodemailer-6.4.17/debian/control   2021-01-21 06:09:40.0 
+0100
+++ node-nodemailer-6.4.17/debian/control   2021-04-15 20:35:08.0 
+0200
@@ -2,7 +2,7 @@
 Section: javascript
 Priority: optional
 Maintainer: Debian Javascript Maintainers 

-Uploaders: Xavier Guimard 
+Uploaders: Yadd 
 Testsuite: autopkgtest-pkg-nodejs
 Build-Depends:
  debhelper-compat (= 13)
diff -Nru node-nodemailer-6.4.17/debian/copyright 
node-nodemailer-6.4.17/debian/copyright
--- node-nodemailer-6.4.17/debian/copyright 2021-01-21 06:09:40.0 
+0100
+++ node-nodemailer-6.4.17/debian/copyright 2021-04-15 20:35:08.0 
+0200
@@ -8,7 +8,7 @@
 License: Expat
 
 Files: debian/*
-Copyright: 2019-2020, Xavier Guimard 
+Copyright: 2019-2020, Yadd 
 License: Expat
 
 Files: debian/tests/test_modules/base32.js/*
diff -Nru node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch 
node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch
--- node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch  1970-01-01 
01:00:00.0 +0100
+++ node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch  2021-06-30 
14:58:51.0 +0200
@@ -0,0 +1,80 @@
+Description: fix header injection vulnerability in address object
+Author: Andris Reinman 
+Origin: upstream, https://github.com/nodemailer/nodemailer/commit/7e02648c
+Bug: https://github.com/nodemailer/nodemailer/issues/1289
+Bug-Debian: https://bugs.debian.org/990485
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2021-06-30
+
+--- a/lib/mime-node/index.js
 b/lib/mime-node/index.js
+@@ -1130,9 +1130,9 @@
+ address.address = this._normalizeAddress(address.address);
+ 
+ if (!address.name) {
+-values.push(address.address);
++values.push(address.address.indexOf(' ') >= 0 ? 
`<${address.address}>` : `${address.address}`);
+ } else if (address.name) {
+-values.push(this._encodeAddressName(address.name) + ' <' 
+ address.address + '>');
++values.push(`${this._encodeAddressName(address.name)} 
<${address.address}>`);
+ }
+ 
+ if (address.address) {
+@@ -1141,9 +1141,8 @@
+ }
+ }
+ } else if (address.group) {
+-values.push(
+-this._encodeAddressName(address.name) + ':' + 
(address.group.length ? this._convertAddresses(address.group, uniqueList) : 
'').trim() + ';'
+-);
++let groupListAddresses = (address.group.length ? 
this._convertAddresses(address.group, uniqueList) : '').trim();
++
values.push(`${this._encodeAddressName(address.name)}:${groupListAddresses};`);
+ }
+ });
+ 
+@@ -1157,13 +1156,17 @@
+  * @return {String} address string
+  */
+ _normalizeAddress(address) {
+-address = (address || '').toString().trim();
++  

Bug#990695: unblock: uif/1.1.9-5

[Mike Gabriel]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package uif

[ Reason ]
I recently discovered that uif stopped setting up the kernel firewall
(via iptables-legacy still) on a Debian bullseye systems.

I only got around to investigating this today, so I came up with a patch
that replaces single quotes by double quotes when opening pipes.

[ Impact ]
People using uif will have a dysfunctional firewall.

[ Tests ]
Manual tests and debugging to come up with a patch.

[ Risks ]
None, uif is a leaf package.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
None.

unblock uif/1.1.9-5
diff -Nru uif-1.1.9/debian/changelog uif-1.1.9/debian/changelog
--- uif-1.1.9/debian/changelog  2021-03-26 21:09:26.0 +0100
+++ uif-1.1.9/debian/changelog  2021-07-04 22:59:36.0 +0200
@@ -1,3 +1,17 @@
+uif (1.1.9-5) unstable; urgency=medium
+
+  * debian/patches:
++ Add 1003_correctly-quote-when-opening-pipe.patch. Use double quotes in
+  open statement to properly evaluate variables. (Closes: #990692).
+
+ -- Mike Gabriel   Sun, 04 Jul 2021 22:59:36 +0200
+
+uif (1.1.9-4) unstable; urgency=medium
+
+  * debian/watch: Fix Github watch URL.
+
+ -- Mike Gabriel   Wed, 28 Apr 2021 22:27:57 +0200
+
 uif (1.1.9-3) unstable; urgency=medium
 
   * debian/control:
diff -Nru uif-1.1.9/debian/patches/1003_correctly-quote-when-opening-pipe.patch 
uif-1.1.9/debian/patches/1003_correctly-quote-when-opening-pipe.patch
--- uif-1.1.9/debian/patches/1003_correctly-quote-when-opening-pipe.patch   
1970-01-01 01:00:00.0 +0100
+++ uif-1.1.9/debian/patches/1003_correctly-quote-when-opening-pipe.patch   
2021-07-04 22:54:57.0 +0200
@@ -0,0 +1,32 @@
+Description: Use double quotes in open statement to properly evaluate 
variables.
+Author: Mike Gabriel 
+
+--- a/uif.pl
 b/uif.pl
+@@ -1490,7 +1490,7 @@
+ 
+   @$Listing=map { $_."\n" } @$Listing;
+ 
+-  open (IPT, '$iptables_save|');
++  open (IPT, "$iptables_save|");
+ 
+   @oldrules = ;
+   close (IPT);
+@@ -1500,7 +1500,7 @@
+   $SIG{'QUIT'} = 'signalCatcher';
+   $SIG{'TERM'} = 'signalCatcher';
+ 
+-  open (IPT, '|$iptables_restore');
++  open (IPT, "|$iptables_restore");
+ 
+   print IPT @$Listing;
+   close (IPT);
+@@ -1510,7 +1510,7 @@
+   sleep $timeout;
+   }
+   if ($timeout || $SignalCatched || $error) {
+-  open (IPT, '|$iptables_restore');
++  open (IPT, "|$iptables_restore");
+ 
+   print IPT @oldrules;
+   close (IPT);
diff -Nru uif-1.1.9/debian/patches/series uif-1.1.9/debian/patches/series
--- uif-1.1.9/debian/patches/series 2021-03-26 09:01:55.0 +0100
+++ uif-1.1.9/debian/patches/series 2021-07-04 22:50:02.0 +0200
@@ -1,2 +1,3 @@
 1001_use-iptables-legacy.patch
 1002_use-iptables-from-usr-sbin.patch
+1003_correctly-quote-when-opening-pipe.patch
diff -Nru uif-1.1.9/debian/watch uif-1.1.9/debian/watch
--- uif-1.1.9/debian/watch  2018-08-20 12:19:45.0 +0200
+++ uif-1.1.9/debian/watch  2021-04-28 22:27:41.0 +0200
@@ -1,4 +1,4 @@
 version=3
 opts=filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/uif-$1.tar.gz/ \
-https://github.com/cajus/uif/tags .*/archive/v?([\d\.]+).tar.gz
+https://github.com/cajus/uif/tags .*/archive/refs/tags/v?([\d\.]+).tar.gz
 

Bug#989918: marked as done (unblock: aeskeyfind/1:1.0-11)

[Debian Bug Tracking System]

Your message dated Sun, 4 Jul 2021 22:29:47 +0200
with message-id 
and subject line Re: Bug#989918: unblock: aeskeyfind/1:1.0-11
has caused the Debian Bug report #989918,
regarding unblock: aeskeyfind/1:1.0-11
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
989918: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989918
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: samuel...@debian.org
Severity: normal

Please unblock package aeskeyfind

[ Reason ]
The recent introduction of integration tests, thanks to Jan Gru <
j4n...@gmail.com> uncovered two critical issues with aeskeyfind:
1. A somewhat recent regression caused by compiler's change and
aeskeyfind's code with undefined behavior
2. Failure to retrieve AES keys on a non-corrupted memory dump for archs
arm64, armhf and ppc64el (integration tests only pass for amd64 and i386).

Problem 1 is fixed by a patch provided by Adrian Bunk  and
problem 2 is mitigated by disabling the other archs (restricting it to
amd64 and i386).

More details at the bugreport:
https://bugs.debian.org/989179

[ Impact ]
aeskeyfind will fail to fulfill its only purpose of finding AES keys on
memory dumps.

[ Tests ]
The new integration tests allowed us to identify the issues in the first
place.

[ Risks ]
Since aeskeyfind is also used to recover AES keys out of corrupted memory
dumps, it **could** be possible that our fix for the non-corrupted scenario
broke the detection for corrupted dumps. I'm very confident that this
cannot be the case because of the way aeskeyfind looks for keys; without
the fix it was still possible to retrieve the key by making use of the
threshold (-t 50) parameter (which tweaks the heuristics of the algorithm).
The fix allows us to use the default threshold value (-t 10) which means
the algorithm gets the key with more confidence.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock aeskeyfind/1:1.0-11


aeskeyfind_1.0-11.debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
On 2021-06-16 12:38:13 +0200, Graham Inggs wrote:
> Control: tags -1 + moreinfo
> 
> Hi Samuel
> 
> As can be seen in aeskeyfind's excuses [1]:
> 
> not blocked: has successful autopkgtest
> 
> You'll need to file a RoM; ANAIS bug against ftp.debian.org [2]
> requesting removal of aeskyfind's binaries on the architectures where
> it no longer builds.
> Please close this bug, or remove the moreinfo tag once the removals
> have been done, if aeskeyfind still needs aging.

The old binaries were removed and the package should be able to migrate
on its own tonight or tomorrow.

Cheers

> 
> Regards
> Graham
> 
> 
> [1] https://qa.debian.org/excuses.php?package=aeskeyfind
> [2] https://wiki.debian.org/ftpmaster_Removals
> 

-- 
Sebastian Ramacher


signature.asc
Description: PGP signature
--- End Message ---

Bug#990512: marked as done (unblock: mirtop/0.4.23-2)

[Debian Bug Tracking System]

Your message dated Sun, 4 Jul 2021 22:25:27 +0200
with message-id 
and subject line Re: Bug#990512: unblock: mirtop/0.4.23-2
has caused the Debian Bug report #990512,
regarding unblock: mirtop/0.4.23-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990512: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990512
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-med-packag...@lists.alioth.debian.org

Please unblock package mirtop

our GSoC Student Shruti Sridhar has written an autopkgtest for
this package which uncovers a real bug.  This is fixed in the
really late upload.

[ Reason ]
The upload fixes a circular import in the code which was fixed
in a patch.  The according autopkgtest is included in the change
as well.

[ Impact ]
The program would not work without the patch.

[ Tests ]
The autopkgtest is part of the changes of this upload.

[ Risks ]
There are no real risks since the package is a leaf package.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock mirtop/0.4.23-2
diff -Nru mirtop-0.4.23/debian/changelog mirtop-0.4.23/debian/changelog
--- mirtop-0.4.23/debian/changelog  2019-12-05 11:43:49.0 +0100
+++ mirtop-0.4.23/debian/changelog  2021-06-30 20:18:19.0 +0200
@@ -1,3 +1,15 @@
+mirtop (0.4.23-2) unstable; urgency=medium
+
+  * Team Upload.
+
+  [ Shruti Sridhar ]
+  * Add autopkgtests
+
+  [ Nilesh Patra ]
+  * d/p/fix-circular-import.patch: Fix circular import
+
+ -- Nilesh Patra   Wed, 30 Jun 2021 18:18:19 +
+
 mirtop (0.4.23-1) unstable; urgency=medium
 
   * New upstream version
diff -Nru mirtop-0.4.23/debian/patches/fix-circular-import.patch 
mirtop-0.4.23/debian/patches/fix-circular-import.patch
--- mirtop-0.4.23/debian/patches/fix-circular-import.patch  1970-01-01 
01:00:00.0 +0100
+++ mirtop-0.4.23/debian/patches/fix-circular-import.patch  2021-06-30 
20:18:19.0 +0200
@@ -0,0 +1,29 @@
+Description: import module in needed functions to fix circular import
+Author: Nilesh Patra 
+Last-Update: 2021-06-30
+--- a/mirtop/bam/bam.py
 b/mirtop/bam/bam.py
+@@ -15,7 +15,6 @@
+ from mirtop.mirna.realign import isomir, hits, reverse_complement
+ from mirtop.mirna.mapper import get_primary_transcript, guess_database
+ from mirtop.bam import filter
+-from mirtop.gff import body
+ from mirtop.mirna.annotate import annotate
+ from mirtop.libs import sql
+ 
+@@ -72,6 +71,7 @@
+ def low_memory_bam(bam_fn, sample, out_handle, args):
+ if args.genomic:
+ raise ValueError("low-memory option is not compatible with genomic 
coordinates.")
++from mirtop.gff import body
+ precursors = args.precursors
+ bam_fn = _sam_to_bam(bam_fn)
+ bam_fn = _bam_sort(bam_fn)
+@@ -100,6 +100,7 @@
+ def low_memory_genomic_bam(bam_fn, sample, out_handle, args):
+ logger.info("Reading BAM file in low memory mode.")
+ logger.warning("This is under development and variants can be unexact.")
++from mirtop.gff import body
+ precursors = args.precursors
+ bam_fn = _sam_to_bam(bam_fn)
+ bam_fn = _bam_sort(bam_fn)
diff -Nru mirtop-0.4.23/debian/patches/series 
mirtop-0.4.23/debian/patches/series
--- mirtop-0.4.23/debian/patches/series 2019-12-05 11:42:13.0 +0100
+++ mirtop-0.4.23/debian/patches/series 2021-06-30 20:18:19.0 +0200
@@ -1 +1,2 @@
 spelling
+fix-circular-import.patch
diff -Nru mirtop-0.4.23/debian/tests/control mirtop-0.4.23/debian/tests/control
--- mirtop-0.4.23/debian/tests/control  1970-01-01 01:00:00.0 +0100
+++ mirtop-0.4.23/debian/tests/control  2021-06-30 20:18:19.0 +0200
@@ -0,0 +1,3 @@
+Tests: run-unit-test
+Depends: @, python3-nose, samtools, bedtools, seqan-apps
+Restrictions: allow-stderr
diff -Nru mirtop-0.4.23/debian/tests/run-unit-test 
mirtop-0.4.23/debian/tests/run-unit-test
--- mirtop-0.4.23/debian/tests/run-unit-test1970-01-01 01:00:00.0 
+0100
+++ mirtop-0.4.23/debian/tests/run-unit-test2021-06-30 20:18:19.0 
+0200
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+CUR_DIR=`pwd`
+if [ "$AUTOPKGTEST_TMP" = "" ] ; then
+  AUTOPKGTEST_TMP=`mktemp -d /tmp/${pkg}-test.XX`
+  trap "rm -rf $AUTOPKGTEST_TMP" 0 INT QUIT ABRT PIPE TERM
+fi
+
+cp -a ${CUR_DIR}/test/ $AUTOPKGTEST_TMP
+cp -a ${CUR_DIR}/data/ $AUTOPKGTEST_TMP
+
+cd $AUTOPKGTEST_TMP
+
+for py in $(py3versions -s 2> /dev/null)
+do

Bug#990688: marked as done (unblock: node-mermaid/8.7.0+ds+~cs27.17.17-3)

[Debian Bug Tracking System]

Your message dated Sun, 4 Jul 2021 22:23:37 +0200
with message-id 
and subject line Re: Bug#990688: unblock: node-mermaid/8.7.0+ds+~cs27.17.17-3
has caused the Debian Bug report #990688,
regarding unblock: node-mermaid/8.7.0+ds+~cs27.17.17-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990688: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990688
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: car...@debian.org,y...@debian.org

Hi Release team,

Please unblock package node-mermaid

Yadd fixed CVE-2021-35513 affecting node-mermaid in unstable with a
targetted fix from upstream. Can you please unlbock the package and
make sure it lands in testing and so bullseye in time before the
release?

I'm attaching the debdiff as generated by the upload from Yadd.

Regards,
Salvatore
diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog 
node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog
--- node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog  2020-10-19 
14:00:00.0 +0200
+++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog  2021-06-29 
14:46:20.0 +0200
@@ -1,3 +1,10 @@
+node-mermaid (8.7.0+ds+~cs27.17.17-3) unstable; urgency=medium
+
+  * Team upload
+  * Fix XSS vulnerability when antiscript is used (Closes: CVE-2021-35513)
+
+ -- Yadd   Tue, 29 Jun 2021 14:46:20 +0200
+
 node-mermaid (8.7.0+ds+~cs27.17.17-2) unstable; urgency=medium
 
   * Source-only-upload 
diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch 
node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch
--- node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch   
1970-01-01 01:00:00.0 +0100
+++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch   
2021-06-29 14:44:46.0 +0200
@@ -0,0 +1,33 @@
+Description: Small positoining fix for parallell processes and nested
+Author: Knut Sveidqvist 
+Origin: upstream, https://github.com/mermaid-js/mermaid/pull/2123/files
+Bug: https://github.com/mermaid-js/mermaid/issues/2122
+Bug-Debian: https://bugs.debian.org/990449
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2021-06-29
+
+--- a/src/dagre-wrapper/clusters.js
 b/src/dagre-wrapper/clusters.js
+@@ -194,7 +194,7 @@
+   const rectBox = rect.node().getBBox();
+   node.width = rectBox.width;
+   node.height = rectBox.height;
+-
++  node.diff = -node.padding / 2;
+   node.intersect = function(point) {
+ return intersectRect(node, point);
+   };
+--- a/src/diagrams/common/common.js
 b/src/diagrams/common/common.js
+@@ -26,6 +26,10 @@
+   break;
+ }
+   }
++
++  rs = rs.replace('javascript:', '#');
++  rs = rs.replace('--- End Message ---
--- Begin Message ---
On 2021-07-04 22:14:49 +0200, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: car...@debian.org,y...@debian.org
> 
> Hi Release team,
> 
> Please unblock package node-mermaid
> 
> Yadd fixed CVE-2021-35513 affecting node-mermaid in unstable with a
> targetted fix from upstream. Can you please unlbock the package and
> make sure it lands in testing and so bullseye in time before the
> release?
> 
> I'm attaching the debdiff as generated by the upload from Yadd.

Aged to 5 days.

Cheers

> 
> Regards,
> Salvatore

> diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog 
> node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog
> --- node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog2020-10-19 
> 14:00:00.0 +0200
> +++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog2021-06-29 
> 14:46:20.0 +0200
> @@ -1,3 +1,10 @@
> +node-mermaid (8.7.0+ds+~cs27.17.17-3) unstable; urgency=medium
> +
> +  * Team upload
> +  * Fix XSS vulnerability when antiscript is used (Closes: CVE-2021-35513)
> +
> + -- Yadd   Tue, 29 Jun 2021 14:46:20 +0200
> +
>  node-mermaid (8.7.0+ds+~cs27.17.17-2) unstable; urgency=medium
>  
>* Source-only-upload 
> diff -Nru 
> node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch 
> node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch
> --- node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch 
> 1970-01-01 01:00:00.0 +0100
> +++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch 
> 2021-06-29 14:44:46.0 +0200
> @@ -0,0 +1,33 @@
> +Description: Small positoining fix fo

Bug#990690: unblock: pillow/8.1.2+dfsg-0.2

[Salvatore Bonaccorso]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: car...@debian.org,j...@debian.org

Hi Release team,

Please unblock package pillow

Moritz fixed several CVEs affecting pillow in unstable, and the fixes
should be present in bullseye before the relese to avoid an early need
oa possible DSA or having the CVEs just unfixed in bullseye.

Can you please unblock the package?

Regards,
Salvatore
diff -Nru pillow-8.1.2+dfsg/debian/changelog pillow-8.1.2+dfsg/debian/changelog
--- pillow-8.1.2+dfsg/debian/changelog  2021-04-24 15:51:24.0 +0200
+++ pillow-8.1.2+dfsg/debian/changelog  2021-06-13 18:11:04.0 +0200
@@ -1,3 +1,12 @@
+pillow (8.1.2+dfsg-0.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Cherrypick security fixes from 8.2:
+- CVE-2021-25287 / CVE-2021-25288 / CVE-2021-28675 / CVE-2021-28676
+  CVE-2021-28677 / CVE-2021-28678 (Closes: #989062)
+
+ -- Moritz Muehlenhoff   Sun, 13 Jun 2021 18:11:04 +0200
+
 pillow (8.1.2+dfsg-0.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru pillow-8.1.2+dfsg/debian/patches/CVE-2021-25287_CVE-2021-25288.patch 
pillow-8.1.2+dfsg/debian/patches/CVE-2021-25287_CVE-2021-25288.patch
--- pillow-8.1.2+dfsg/debian/patches/CVE-2021-25287_CVE-2021-25288.patch
1970-01-01 01:00:00.0 +0100
+++ pillow-8.1.2+dfsg/debian/patches/CVE-2021-25287_CVE-2021-25288.patch
2021-06-13 18:08:32.0 +0200
@@ -0,0 +1,69 @@
+From 3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87 Mon Sep 17 00:00:00 2001
+From: Eric Soroos 
+Date: Sun, 7 Mar 2021 12:32:12 +0100
+Subject: [PATCH] Fix OOB Read in Jpeg2KDecode CVE-2021-25287,CVE-2021-25288
+
+* For J2k images with multiple bands, it's legal in to have different
+  widths for each band, e.g. 1 byte for L, 4 bytes for A
+* This dates to Pillow 2.4.0
+
+--- pillow-8.1.2+dfsg.orig/src/libImaging/Jpeg2KDecode.c
 pillow-8.1.2+dfsg/src/libImaging/Jpeg2KDecode.c
+@@ -589,7 +589,7 @@ j2k_decode_entry(Imaging im, ImagingCode
+ j2k_unpacker_t unpack = NULL;
+ size_t buffer_size = 0, tile_bytes = 0;
+ unsigned n, tile_height, tile_width;
+-int components;
++int total_component_width = 0;
+ 
+ 
+ stream = opj_stream_create(BUFFER_SIZE, OPJ_TRUE);
+@@ -753,23 +753,40 @@ j2k_decode_entry(Imaging im, ImagingCode
+ goto quick_exit;
+ }
+ 
++if (tile_info.nb_comps != image->numcomps) {
++state->errcode = IMAGING_CODEC_BROKEN;
++state->state = J2K_STATE_FAILED;
++goto quick_exit;
++}
++  
+ /* Sometimes the tile_info.datasize we get back from openjpeg
+-   is less than numcomps*w*h, and we overflow in the
++   is less than sum(comp_bytes)*w*h, and we overflow in the
+shuffle stage */
+ 
+ tile_width = tile_info.x1 - tile_info.x0;
+ tile_height = tile_info.y1 - tile_info.y0;
+-components = tile_info.nb_comps == 3 ? 4 : tile_info.nb_comps;
+-if (( tile_width > UINT_MAX / components ) ||
+-( tile_height > UINT_MAX / components ) ||
+-( tile_width > UINT_MAX / (tile_height * components )) ||
+-( tile_height > UINT_MAX / (tile_width * components ))) {
++
++/* Total component width = sum (component_width) e.g, it's
++ legal for an la file to have a 1 byte width for l, and 4 for
++ a. and then a malicious file could have a smaller tile_bytes
++*/
++
++for (n=0; n < tile_info.nb_comps; n++) {
++// see csize /acsize calcs
++int csize = (image->comps[n].prec + 7) >> 3;
++csize = (csize == 3) ? 4 : csize;
++total_component_width += csize;
++}
++if ((tile_width > UINT_MAX / total_component_width) ||
++(tile_height > UINT_MAX / total_component_width) ||
++(tile_width > UINT_MAX / (tile_height * total_component_width)) ||
++(tile_height > UINT_MAX / (tile_width * total_component_width))) {
+ state->errcode = IMAGING_CODEC_BROKEN;
+ state->state = J2K_STATE_FAILED;
+ goto quick_exit;
+ }
+-
+-tile_bytes = tile_width * tile_height * components;
++  
++tile_bytes = tile_width * tile_height * total_component_width;
+ 
+ if (tile_bytes > tile_info.data_size) {
+ tile_info.data_size = tile_bytes;
diff -Nru pillow-8.1.2+dfsg/debian/patches/CVE-2021-28675.patch 
pillow-8.1.2+dfsg/debian/patches/CVE-2021-28675.patch
--- pillow-8.1.2+dfsg/debian/patches/CVE-2021-28675.patch   1970-01-01 
01:00:00.0 +0100
+++ pillow-8.1.2+dfsg/debian/patches/CVE-2021-28675.patch   2021-06-13 
18:09:24.0 +0200
@@ -0,0 +1,132 @@
+From 22e9bee4ef225c0edbb9323f94c26cee0c623497 Mon Sep 17 00:00:00 2001
+From: Eric Soroos 
+Date: Sun, 7 Mar 2021 19:04:25 +0100
+Subject: [PATCH] Fix DOS in PSDImagePlugin -- CVE-2021-28675
+
+* PSD

Bug#989037: Bug#988214: fixed in rails 2:6.0.3.7+dfsg-1

[Salvatore Bonaccorso]

Hi Utkarsh,

On Fri, Jun 18, 2021 at 10:23:39PM +0200, Paul Gevers wrote:
> Hi Utkarsh
> 
> On 06-06-2021 06:14, Paul Gevers wrote:
> > I am hoping it's possible to just downgrade the *dependency* in rails
> > only, such that the upload can happen via unstable. There is no "direct
> > bullseye" route. Or do you expect you'll have to make (lots) of changes
> > to rails to match the right ruby-marcel package? If that's the case,
> > than ruby-marcel/unstable isn't a drop in replacement for
> > ruby-marcel/bullseye and I'd expect that ruby-marcel/unstable would need
> > a versioned Breaks for reverse dependent packages (ruby-activestorage),
> > but I'm not seeing that.
> 
> Did your experimenting (as discussed on IRC last week) yield anything?

Since the bullseye release is fastly approaching, do you have any news
on the above?

Regards,
Salvatore

Bug#990687: marked as done (unblock: mutt/2.0.5-4.1)

[Debian Bug Tracking System]

Your message dated Sun, 04 Jul 2021 20:16:41 +
with message-id 
and subject line unblock mutt
has caused the Debian Bug report #990687,
regarding unblock: mutt/2.0.5-4.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990687: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990687
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: car...@debian.org

Hi release team,

Please unblock package mutt

[ Reason ]
mutt in bullseye is affected by CVE-2021-32055, #988106. Should thoug
be noted that the $imap_qresync setting for QRESYNC is not enabled by
default. It looked to me still worth trying to get the fix into
bullseye before the release.

Note, the same issue would have affected as well neomutt, but back
when I prepared the NMU for mutt, I did unfortunately not found time
to do as well the neomutt NMU. This is surely kind of unfortunate :(

[ Impact ]
CVE-2021-32055 would remain open.

[ Tests ]
None specifically.

[ Risks ]
Would consider it low, and it is a feature not used by default. The
package was 22 days now in unstable without any regression report
reported specifically targetting this update.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
None.

unblock mutt/2.0.5-4.1

Regards,
Salvatore
diff -Nru mutt-2.0.5/debian/changelog mutt-2.0.5/debian/changelog
--- mutt-2.0.5/debian/changelog 2021-03-20 17:26:12.0 +0100
+++ mutt-2.0.5/debian/changelog 2021-06-06 21:11:36.0 +0200
@@ -1,3 +1,11 @@
+mutt (2.0.5-4.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix seqset iterator when it ends in a comma (CVE-2021-32055)
+(Closes: #988106)
+
+ -- Salvatore Bonaccorso   Sun, 06 Jun 2021 21:11:36 +0200
+
 mutt (2.0.5-4) unstable; urgency=medium
 
   * debian/patches:
diff -Nru mutt-2.0.5/debian/patches/series mutt-2.0.5/debian/patches/series
--- mutt-2.0.5/debian/patches/series2021-03-20 17:24:06.0 +0100
+++ mutt-2.0.5/debian/patches/series2021-06-06 21:11:36.0 +0200
@@ -13,3 +13,4 @@
 upstream/528233-readonly-open.patch
 upstream/980924-updated-german-translation.patch
 upstream/985152-body-color-slowness.patch
+upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch
diff -Nru 
mutt-2.0.5/debian/patches/upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch
 
mutt-2.0.5/debian/patches/upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch
--- 
mutt-2.0.5/debian/patches/upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch
1970-01-01 01:00:00.0 +0100
+++ 
mutt-2.0.5/debian/patches/upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch
2021-06-06 21:11:36.0 +0200
@@ -0,0 +1,39 @@
+From: Kevin McCarthy 
+Date: Mon, 3 May 2021 13:11:30 -0700
+Subject: Fix seqset iterator when it ends in a comma.
+Origin: 
https://gitlab.com/muttmua/mutt/-/commit/7c4779ac24d2fb68a2a47b58c7904118f40965d5
+Bug-Debian: https://bugs.debian.org/988106
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32055
+
+If the seqset ended with a comma, the substr_end marker would be just
+before the trailing nul.  In the next call, the loop to skip the
+marker would iterate right past the end of string too.
+
+The fix is simple: place the substr_end marker and skip past it
+immediately.
+---
+ imap/util.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/imap/util.c b/imap/util.c
+index c529fd8fba3c..488e8396d269 100644
+--- a/imap/util.c
 b/imap/util.c
+@@ -1036,13 +1036,11 @@ int mutt_seqset_iterator_next (SEQSET_ITERATOR *iter, 
unsigned int *next)
+ if (iter->substr_cur == iter->eostr)
+   return 1;
+ 
+-while (!*(iter->substr_cur))
+-  iter->substr_cur++;
+ iter->substr_end = strchr (iter->substr_cur, ',');
+ if (!iter->substr_end)
+   iter->substr_end = iter->eostr;
+ else
+-  *(iter->substr_end) = '\0';
++  *(iter->substr_end++) = '\0';
+ 
+ range_sep = strchr (iter->substr_cur, ':');
+ if (range_sep)
+-- 
+2.32.0.rc0
+
--- End Message ---
--- Begin Message ---
Unblocked.--- End Message ---

Processed: Re: Bug#990214: unblock: dovecot-fts-xapian/1.4.9a-1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 moreinfo confirmed
Bug #990214 [release.debian.org] unblock: dovecot-fts-xapian/1.4.9a-1
Added tag(s) moreinfo and confirmed.

-- 
990214: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990214
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#990214: unblock: dovecot-fts-xapian/1.4.9a-1

[Sebastian Ramacher]

Control: tags -1 moreinfo confirmed

On 2021-06-22 22:50:00 -0400, Joseph Nahmias wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package dovecot-fts-xapian
> 
> This version (1.4.9a) fixes a number of important bugs in the indexer 
> including:
> 
>  + fix indexing of attachments, closes: #985654
>  + fix indexing of accented characters
>  + fix memory errors / segfaults when indexing large mailboxes
> 
> Source debdiff from 1.4.7-1 (currently in testing) to 1.4.9a-1 is attached
> here. Please let me know when approved so I can upload to unstable.
> 
> unblock dovecot-fts-xapian/1.4.9a-1

Assuming that the upload happens soon, please go ahead and remove the
moreinfo tag once the new version is available in unstable.

Cheers

> 
> Thanks,
> --Joe

> diffstat for dovecot-fts-xapian-1.4.7 dovecot-fts-xapian-1.4.9a
> 
>  .gitignore   |   65 ++
>  Makefile.am  |4 
>  PACKAGES/RPM/README.md   |   20 +++
>  PACKAGES/RPM/fts-xapian.spec |   41 ++
>  README.md|   46 +--
>  configure.ac |2 
>  debian/changelog |   11 +
>  debian/watch |4 
>  fts-xapian-config.h.in   |2 
>  src/fts-backend-xapian-functions.cpp |  175 +
>  src/fts-backend-xapian.cpp   |  211 
> ++-
>  src/fts-xapian-plugin.c  |2 
>  src/fts-xapian-plugin.h  |9 -
>  13 files changed, 425 insertions(+), 167 deletions(-)
> 
> diff -Nru -w dovecot-fts-xapian-1.4.7/.gitignore 
> dovecot-fts-xapian-1.4.9a/.gitignore
> --- dovecot-fts-xapian-1.4.7/.gitignore   1969-12-31 19:00:00.0 
> -0500
> +++ dovecot-fts-xapian-1.4.9a/.gitignore  2021-04-24 16:27:55.0 
> -0400
> @@ -0,0 +1,65 @@
> +# http://www.gnu.org/software/automake
> +
> +Makefile.in
> +/ar-lib
> +/mdate-sh
> +/py-compile
> +/test-driver
> +/ylwrap
> +.deps/
> +.dirstamp
> +
> +# http://www.gnu.org/software/autoconf
> +
> +autom4te.cache
> +/autoscan.log
> +/autoscan-*.log
> +/aclocal.m4
> +/compile
> +/config.guess
> +/config.h.in
> +/config.log
> +/config.status
> +/config.sub
> +/configure
> +/configure.scan
> +/depcomp
> +/install-sh
> +/missing
> +/stamp-h1
> +/stamp-h2
> +/stamp.h
> +
> +# https://www.gnu.org/software/libtool/
> +
> +/ltmain.sh
> +/libtool
> +
> +# http://www.gnu.org/software/texinfo
> +
> +/texinfo.tex
> +
> +# http://www.gnu.org/software/m4/
> +
> +m4/libtool.m4
> +m4/ltoptions.m4
> +m4/ltsugar.m4
> +m4/ltversion.m4
> +m4/lt~obsolete.m4
> +
> +# Generated Makefile 
> +# (meta build system like autotools, 
> +# can automatically generate from config.status script
> +# (which is called by configure script))
> +Makefile
> +
> +/dummy-config.h
> +/dummy-config.h.in
> +/fts-xapian-config.h
> +/run-test.sh
> +
> +src/*.o
> +src/*.lo
> +src/*.la
> +
> +src/.libs/**
> diff -Nru -w dovecot-fts-xapian-1.4.7/Makefile.am 
> dovecot-fts-xapian-1.4.9a/Makefile.am
> --- dovecot-fts-xapian-1.4.7/Makefile.am  2021-01-31 14:06:29.0 
> -0500
> +++ dovecot-fts-xapian-1.4.9a/Makefile.am 2021-04-24 16:27:55.0 
> -0400
> @@ -2,5 +2,5 @@
>  
>  ACLOCAL_AMFLAGS = -I m4
>  
> -PACKAGE_VERSION = "1.4.7"
> -VERSION = "1.4.7"
> +PACKAGE_VERSION = "1.4.9a"
> +VERSION = "1.4.9a"
> diff -Nru -w dovecot-fts-xapian-1.4.7/PACKAGES/RPM/README.md 
> dovecot-fts-xapian-1.4.9a/PACKAGES/RPM/README.md
> --- dovecot-fts-xapian-1.4.7/PACKAGES/RPM/README.md   1969-12-31 
> 19:00:00.0 -0500
> +++ dovecot-fts-xapian-1.4.9a/PACKAGES/RPM/README.md  2021-04-24 
> 16:27:55.0 -0400
> @@ -0,0 +1,20 @@
> +As root:
> +
> +Install the development environment and required devel packages:
> +-- dnf groupinstall "Development Tools"
> +-- dnf install rpm-build rpm-devel rpmlint make coreutils diffutils 
> patch rpmdevtools
> +-- dnf install dovecot-devel dovecot libicu-devel icu xapian-core 
> xapian-core-devel
> +
> +As a normal user:
> +
> +Create the ~/rpmbuild tree as a normal user (never build rpms as root):
> +-- rpmdev-setuptree
> +Place the spec file under:
> +~/rpmbuild/SPECS/fts-xapian.spec
> +Place the tar.gz sources under:
> +~/rpmbuild/SOURCES/fts-xapian-1.4.9a.tar.gz
> +Generate the binary rpm with:
> +-- QA_RPATHS=$(( 0x0001|0x0010 )) rpmbuild -bb 
> ~/rpmbuild/SPECS/fts-xapian.spec
> +
> +Your RPM packages will be under ~/rpmbuild/RPMS/x86_64/
> +
> diff -Nru -w dovecot-fts-xapian-1.4.7/PACKAGES/RPM/fts-xapian.spec 
> dovecot-fts-xapian-1.4.9a/PACKAGES/RPM/fts-xapian.spec
> --- dovecot-fts-xapian-1.4.7/PACKAGES/RPM/fts-xapian.spec 1969-12-31 
> 19:00:00.0 -0500
> +++ dovecot-fts-xapian-1.4.9a/PACKAGES/RPM/fts-xapian.spec2021-04-24 
> 16:27:55.0 -0400
> @@ -0,0 +1,41 @@
> +Name:  

Bug#990689: unblock: node-nodemailer/6.4.17-3

[Salvatore Bonaccorso]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: car...@debian.org,y...@debian.org

Hi Release team,

Please unblock package node-nodemailer

Yadd fixed #990485, CVE-2021-23400 for node-nodemailer in unstable.
Can you please unblock the package (it would not need to, if I
understand correctly, not beeing a key package and having autopkgtests
passing) still to make sure it lands in testing and so in bullseeye
before the release?

Regards,
Salvatore
diff -Nru node-nodemailer-6.4.17/debian/changelog 
node-nodemailer-6.4.17/debian/changelog
--- node-nodemailer-6.4.17/debian/changelog 2021-01-21 06:26:01.0 
+0100
+++ node-nodemailer-6.4.17/debian/changelog 2021-06-30 14:59:47.0 
+0200
@@ -1,3 +1,11 @@
+node-nodemailer (6.4.17-3) unstable; urgency=medium
+
+  * Fix GitHub tags regex
+  * Fix header injection vulnerability in address object
+(Closes: #990485, CVE-2021-23400)
+
+ -- Yadd   Wed, 30 Jun 2021 14:59:47 +0200
+
 node-nodemailer (6.4.17-2) unstable; urgency=medium
 
   * Ignore cookie test (Closes: #980702)
diff -Nru node-nodemailer-6.4.17/debian/control 
node-nodemailer-6.4.17/debian/control
--- node-nodemailer-6.4.17/debian/control   2021-01-21 06:09:40.0 
+0100
+++ node-nodemailer-6.4.17/debian/control   2021-04-15 20:35:08.0 
+0200
@@ -2,7 +2,7 @@
 Section: javascript
 Priority: optional
 Maintainer: Debian Javascript Maintainers 

-Uploaders: Xavier Guimard 
+Uploaders: Yadd 
 Testsuite: autopkgtest-pkg-nodejs
 Build-Depends:
  debhelper-compat (= 13)
diff -Nru node-nodemailer-6.4.17/debian/copyright 
node-nodemailer-6.4.17/debian/copyright
--- node-nodemailer-6.4.17/debian/copyright 2021-01-21 06:09:40.0 
+0100
+++ node-nodemailer-6.4.17/debian/copyright 2021-04-15 20:35:08.0 
+0200
@@ -8,7 +8,7 @@
 License: Expat
 
 Files: debian/*
-Copyright: 2019-2020, Xavier Guimard 
+Copyright: 2019-2020, Yadd 
 License: Expat
 
 Files: debian/tests/test_modules/base32.js/*
diff -Nru node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch 
node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch
--- node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch  1970-01-01 
01:00:00.0 +0100
+++ node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch  2021-06-30 
14:58:51.0 +0200
@@ -0,0 +1,80 @@
+Description: fix header injection vulnerability in address object
+Author: Andris Reinman 
+Origin: upstream, https://github.com/nodemailer/nodemailer/commit/7e02648c
+Bug: https://github.com/nodemailer/nodemailer/issues/1289
+Bug-Debian: https://bugs.debian.org/990485
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2021-06-30
+
+--- a/lib/mime-node/index.js
 b/lib/mime-node/index.js
+@@ -1130,9 +1130,9 @@
+ address.address = this._normalizeAddress(address.address);
+ 
+ if (!address.name) {
+-values.push(address.address);
++values.push(address.address.indexOf(' ') >= 0 ? 
`<${address.address}>` : `${address.address}`);
+ } else if (address.name) {
+-values.push(this._encodeAddressName(address.name) + ' <' 
+ address.address + '>');
++values.push(`${this._encodeAddressName(address.name)} 
<${address.address}>`);
+ }
+ 
+ if (address.address) {
+@@ -1141,9 +1141,8 @@
+ }
+ }
+ } else if (address.group) {
+-values.push(
+-this._encodeAddressName(address.name) + ':' + 
(address.group.length ? this._convertAddresses(address.group, uniqueList) : 
'').trim() + ';'
+-);
++let groupListAddresses = (address.group.length ? 
this._convertAddresses(address.group, uniqueList) : '').trim();
++
values.push(`${this._encodeAddressName(address.name)}:${groupListAddresses};`);
+ }
+ });
+ 
+@@ -1157,13 +1156,17 @@
+  * @return {String} address string
+  */
+ _normalizeAddress(address) {
+-address = (address || '').toString().trim();
++address = (address || '')
++.toString()
++.replace(/[\x00-\x1F<>]+/g, ' ') // remove unallowed characters
++.trim();
+ 
+ let lastAt = address.lastIndexOf('@');
+ if (lastAt < 0) {
+ // Bare username
+ return address;
+ }
++
+ let user = address.substr(0, lastAt);
+ let domain = address.substr(lastAt + 1);
+ 
+@@ -1172,7 +1175,24 @@
+ // 'jõgeva.ee' will be converted to 'xn--jgeva-dua.ee'
+ // non-unicode domains are left as is
+ 
+-return user + '@' + punycode.toASCII(domain.toLowerCase());
++let encodedDomain;
++
++try {
++encodedDomain = punycode.toASCII(domain.toLowerCase());
++} catch (err) {
++// keep as is?
++

Bug#990688: unblock: node-mermaid/8.7.0+ds+~cs27.17.17-3

[Salvatore Bonaccorso]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: car...@debian.org,y...@debian.org

Hi Release team,

Please unblock package node-mermaid

Yadd fixed CVE-2021-35513 affecting node-mermaid in unstable with a
targetted fix from upstream. Can you please unlbock the package and
make sure it lands in testing and so bullseye in time before the
release?

I'm attaching the debdiff as generated by the upload from Yadd.

Regards,
Salvatore
diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog 
node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog
--- node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog  2020-10-19 
14:00:00.0 +0200
+++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog  2021-06-29 
14:46:20.0 +0200
@@ -1,3 +1,10 @@
+node-mermaid (8.7.0+ds+~cs27.17.17-3) unstable; urgency=medium
+
+  * Team upload
+  * Fix XSS vulnerability when antiscript is used (Closes: CVE-2021-35513)
+
+ -- Yadd   Tue, 29 Jun 2021 14:46:20 +0200
+
 node-mermaid (8.7.0+ds+~cs27.17.17-2) unstable; urgency=medium
 
   * Source-only-upload 
diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch 
node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch
--- node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch   
1970-01-01 01:00:00.0 +0100
+++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch   
2021-06-29 14:44:46.0 +0200
@@ -0,0 +1,33 @@
+Description: Small positoining fix for parallell processes and nested
+Author: Knut Sveidqvist 
+Origin: upstream, https://github.com/mermaid-js/mermaid/pull/2123/files
+Bug: https://github.com/mermaid-js/mermaid/issues/2122
+Bug-Debian: https://bugs.debian.org/990449
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2021-06-29
+
+--- a/src/dagre-wrapper/clusters.js
 b/src/dagre-wrapper/clusters.js
+@@ -194,7 +194,7 @@
+   const rectBox = rect.node().getBBox();
+   node.width = rectBox.width;
+   node.height = rectBox.height;
+-
++  node.diff = -node.padding / 2;
+   node.intersect = function(point) {
+ return intersectRect(node, point);
+   };
+--- a/src/diagrams/common/common.js
 b/src/diagrams/common/common.js
+@@ -26,6 +26,10 @@
+   break;
+ }
+   }
++
++  rs = rs.replace('javascript:', '#');
++  rs = rs.replace('

Bug#990687: unblock: mutt/2.0.5-4.1

[Salvatore Bonaccorso]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: car...@debian.org

Hi release team,

Please unblock package mutt

[ Reason ]
mutt in bullseye is affected by CVE-2021-32055, #988106. Should thoug
be noted that the $imap_qresync setting for QRESYNC is not enabled by
default. It looked to me still worth trying to get the fix into
bullseye before the release.

Note, the same issue would have affected as well neomutt, but back
when I prepared the NMU for mutt, I did unfortunately not found time
to do as well the neomutt NMU. This is surely kind of unfortunate :(

[ Impact ]
CVE-2021-32055 would remain open.

[ Tests ]
None specifically.

[ Risks ]
Would consider it low, and it is a feature not used by default. The
package was 22 days now in unstable without any regression report
reported specifically targetting this update.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
None.

unblock mutt/2.0.5-4.1

Regards,
Salvatore
diff -Nru mutt-2.0.5/debian/changelog mutt-2.0.5/debian/changelog
--- mutt-2.0.5/debian/changelog 2021-03-20 17:26:12.0 +0100
+++ mutt-2.0.5/debian/changelog 2021-06-06 21:11:36.0 +0200
@@ -1,3 +1,11 @@
+mutt (2.0.5-4.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix seqset iterator when it ends in a comma (CVE-2021-32055)
+(Closes: #988106)
+
+ -- Salvatore Bonaccorso   Sun, 06 Jun 2021 21:11:36 +0200
+
 mutt (2.0.5-4) unstable; urgency=medium
 
   * debian/patches:
diff -Nru mutt-2.0.5/debian/patches/series mutt-2.0.5/debian/patches/series
--- mutt-2.0.5/debian/patches/series2021-03-20 17:24:06.0 +0100
+++ mutt-2.0.5/debian/patches/series2021-06-06 21:11:36.0 +0200
@@ -13,3 +13,4 @@
 upstream/528233-readonly-open.patch
 upstream/980924-updated-german-translation.patch
 upstream/985152-body-color-slowness.patch
+upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch
diff -Nru 
mutt-2.0.5/debian/patches/upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch
 
mutt-2.0.5/debian/patches/upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch
--- 
mutt-2.0.5/debian/patches/upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch
1970-01-01 01:00:00.0 +0100
+++ 
mutt-2.0.5/debian/patches/upstream/Fix-seqset-iterator-when-it-ends-in-a-comma.patch
2021-06-06 21:11:36.0 +0200
@@ -0,0 +1,39 @@
+From: Kevin McCarthy 
+Date: Mon, 3 May 2021 13:11:30 -0700
+Subject: Fix seqset iterator when it ends in a comma.
+Origin: 
https://gitlab.com/muttmua/mutt/-/commit/7c4779ac24d2fb68a2a47b58c7904118f40965d5
+Bug-Debian: https://bugs.debian.org/988106
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32055
+
+If the seqset ended with a comma, the substr_end marker would be just
+before the trailing nul.  In the next call, the loop to skip the
+marker would iterate right past the end of string too.
+
+The fix is simple: place the substr_end marker and skip past it
+immediately.
+---
+ imap/util.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/imap/util.c b/imap/util.c
+index c529fd8fba3c..488e8396d269 100644
+--- a/imap/util.c
 b/imap/util.c
+@@ -1036,13 +1036,11 @@ int mutt_seqset_iterator_next (SEQSET_ITERATOR *iter, 
unsigned int *next)
+ if (iter->substr_cur == iter->eostr)
+   return 1;
+ 
+-while (!*(iter->substr_cur))
+-  iter->substr_cur++;
+ iter->substr_end = strchr (iter->substr_cur, ',');
+ if (!iter->substr_end)
+   iter->substr_end = iter->eostr;
+ else
+-  *(iter->substr_end) = '\0';
++  *(iter->substr_end++) = '\0';
+ 
+ range_sep = strchr (iter->substr_cur, ':');
+ if (range_sep)
+-- 
+2.32.0.rc0
+

Processed: Re: Bug#990500: unblock: lxml/4.6.3+dfsg-0.1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 moreinfo
Bug #990500 [release.debian.org] unblock: lxml/4.6.3+dfsg-0.1
Added tag(s) moreinfo.

-- 
990500: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990500
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#990500: unblock: lxml/4.6.3+dfsg-0.1

[Sebastian Ramacher]

Control: tags -1 moreinfo

On 2021-06-30 23:02:33 +0200, Paul Gevers wrote:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: unblock
> Severity: normal
> 
> Please unblock package lxml
> 
> [ Reason ]
> The source of lxml contained a file that's marked as unacceptable by
> ftp-master and as such a future upload of lxml would hit the
> auto-reject list. To avoid problems with security uploads, I prefer to
> fix the issue now. The file was a image shipped with the
> documentation, which wasn't even used.
> 
> In the process of fixing this issue, I discovered that the
> documentation package was nearly empty and didn't contain any
> documentation. This is fixed by enabling the build of the
> documentation.
> 
> [ Impact ]
> If not unblocked, security or plain pu uploads will have to take
> remove the file at that time.
> 
> [ Tests ]
> The removed file is just an unlinked image. I have checked that the
> package now contains the documentation files.
> 
> [ Risks ]
> Close to 0 risk as it's just removing an image and building
> documentation files.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> unblock lxml/4.6.3+dfsg-0.1

> diff -Nru lxml-4.6.3/debian/changelog lxml-4.6.3+dfsg/debian/changelog
> --- lxml-4.6.3/debian/changelog   2021-03-22 14:31:55.0 +0100
> +++ lxml-4.6.3+dfsg/debian/changelog  2021-06-26 19:40:37.0 +0200
> @@ -1,3 +1,11 @@
> +lxml (4.6.3+dfsg-0.1) unstable; urgency=medium
> +
> +  * Non-maintainer upload
> +  * Repack upstream to drop non-free and unused file (Closes: #988717)
> +  * Build and ship documentation (Closes: #799334)
> +
> + -- Paul Gevers   Sat, 26 Jun 2021 19:40:37 +0200
> +
>  lxml (4.6.3-1) unstable; urgency=high
>  
>* New upstream version.
> diff -Nru lxml-4.6.3/debian/control lxml-4.6.3+dfsg/debian/control
> --- lxml-4.6.3/debian/control 2020-12-07 14:42:24.0 +0100
> +++ lxml-4.6.3+dfsg/debian/control2021-06-26 19:40:37.0 +0200
> @@ -9,6 +9,7 @@
>python3-setuptools (>= 0.6.29),
>python3-bs4,
>python3-html5lib,
> +  python3-lxml ,
>cython3, cython3-dbg,
>python3-sphinx-autoapi,
>  X-Python-Version: all
> diff -Nru lxml-4.6.3/debian/rules lxml-4.6.3+dfsg/debian/rules
> --- lxml-4.6.3/debian/rules   2020-07-17 11:16:59.0 +0200
> +++ lxml-4.6.3+dfsg/debian/rules  2021-06-26 19:40:37.0 +0200
> @@ -24,6 +24,9 @@
>   touch $@
>  build3-python%: prebuild
>   python$* setup.py build
> +ifeq (,$(filter nodoc,$(DEB_BUILD_OPTIONS)))
> + python$* doc/mkhtml.py doc/html . $(UPSTREAMVER)
> +endif

Shouldn't this use the just built version of lxml, e.g., by setting the
appropriate PYTHONPATH, instead of the old packaged lxml in python3-lxml?

Cheers

>   touch $@
>  dbg-build3-python%: prebuild
>   python$*-dbg setup.py build
> Binary files /tmp/nGluINxi3b/lxml-4.6.3/doc/html/flattr-badge-large.png and 
> /tmp/DP0ayk9l1g/lxml-4.6.3+dfsg/doc/html/flattr-badge-large.png differ





-- 
Sebastian Ramacher


signature.asc
Description: PGP signature

Processed: Re: Bug#990679: unblock: [pre-approval] privacybadger/2021.6.8-1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 moreinfo
Bug #990679 [release.debian.org] unblock: [pre-approval] 
privacybadger/2021.6.8-1
Added tag(s) moreinfo.

-- 
990679: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990679
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#990679: unblock: [pre-approval] privacybadger/2021.6.8-1

[Sebastian Ramacher]

Control: tags -1 moreinfo

On 2021-07-04 17:10:49 +, John Scott wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: 981...@bugs.debian.org
> Control: block 981702 by -1
> 
> Please unblock package privacybadger
> 
> [ Reason ]
> Privacy Badger is unique and different from other anti-tracking
> extensions in that instead of using artificial whitelists and
> blacklists, it learns based on one's browsing behavior. However, it was
> privately disclosed by Google's Security Team that Privacy Badger's
> learning, which is unique to each user, can itself enable
> fingerprinting:
> https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better
> 
> To address this, newer versions of Privacy Badger work by everyone
> using the same whitelists, yellowlists, and blacklists, which are
> aggregated from everyone's learning data.
> 
> [ Impact ]
> If this unblock isn't granted, or it's not possible for Privacy Badger
> to be shipped in bullseye-updates during the release cycle, then users
> would be left more vulnerable to fingerprinting, as they could be
> identified based on their older Privacy Badger versions. Upstream has
> indicated that this situation would be unacceptable (and I concur), so
> it would be better to remove the package altogether then.
> 
> This situation is not unlike the need to ship up-to-date ClamAV data in
> stable-updates.
> 
> [ Tests ]
> Since this is a browser extension it's difficult to automate testing. I
> have tested with Firefox ESR, Firefox non-ESR, and Chromium that it
> works.
> 
> [ Risks ]
> This package is a leaf package, and if this package were to be instead
> removed from Bullseye, users would need to install it manually by
> fetching the extension from another source. The debdiff is quite large,
> but consists mostly of changes to the website data and translations.
> 
> [ Checklist ]
>   [X] all changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in testing
> 
> This is a request for pre-approval since I need to seek a sponsor to
> update the package anyway. My debdiff was detected as malware so you'll
> have to fetch it from
> https://salsa.debian.org/-/snippets/549/raw/master/privacybadger.diff

 119 files changed, 37556 insertions(+), 16534 deletions(-)

This is too much for us to sensibly review. If possible, please provide
a filtered debdiff (e.g., by filtering the website data and
translations).

Cheers

> 
> unblock privacybadger/2021.6.8-1
> 
> 



-- 
Sebastian Ramacher


signature.asc
Description: PGP signature

Bug#990559: Please unblock package mdevctl 0.81-1

[Sebastian Ramacher]

Control: tags -1 moreinfo

On 2021-07-02 07:37:22 +0200, Christian Ehrhardt wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hi,
> please unblock mdevctl 0.81-1.
> 
> It fixes a problem with an allowed combined usage two parameters.
> v0.78 -> 0.81 sounds a lot, but that is due to the way upstream creates
> versions which essentially is a counter of git commits.
> Therefore the only real change is [1] which should be ok for the freeze time.
> 
> There are two packaging-only changes which I had in git but not
> uploaded yes (as they didn't qualify for an upload without any fix.
> But both are no-impact changes (compat level while the package has not much
> that is affected by it and the drop of the unused d/source/local-options.
> 
> The builds all LGTM, see [2]. I have installed the new build and it works
> as expected:
> 
> Before
> # mdevctl define -p 0.0.0033 --jsonfile mdev_nodedev.json
> /usr/sbin/mdevctl: line 183:
> /etc/mdevctl.d/0.0.0033/eea1c8dc-ce6d-42dd-bd26-02e3b707ff95: No such
> file or directory
> After
> # mdevctl define -p 0.0.0033 --jsonfile mdev_nodedev.json
> 83123a52-3147-44d1-9154-1175e266804e
> 
> The package has no autopkgtests as they would be superficial and not much
> worth or would need mdev splittable GPUs or such on the test systems which we
> can not assume/expect to have. Therefore I need to ask you via this ubblock
> request. I hope that this is sufficient to unblock, if you need anything
> else please let me know.
> 
> [1]: https://github.com/mdevctl/mdevctl/commit/e6cf620b4b04c6
> [2]: 
> https://buildd.debian.org/status/fetch.php?pkg=mdevctl&arch=all&ver=0.78-1&stamp=1606290427

Please attach a debdiff between the version in testing and unstable.

Regarding the packaging changes: it's too late to bump debhelper compat.
See https://release.debian.org/bullseye/freeze_policy.html. Please
revert that change (or show that the change does not cause any
differences in the produced binary packages).

Cheers
-- 
Sebastian Ramacher


signature.asc
Description: PGP signature

Processed: Re: Bug#990559: Please unblock package mdevctl 0.81-1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 moreinfo
Bug #990559 [release.debian.org] Please unblock package mdevctl 0.81-1
Added tag(s) moreinfo.

-- 
990559: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990559
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#990558: marked as done (unblock: etbemon/1.3.5-6)

[Debian Bug Tracking System]

Your message dated Sun, 04 Jul 2021 19:36:03 +
with message-id 
and subject line unblock etbemon
has caused the Debian Bug report #990558,
regarding unblock: etbemon/1.3.5-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990558: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990558
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package etbemon

(Please provide enough (but not too much) information to help
the release team to judge the request efficiently. E.g. by
filling in the sections below.)

[ Reason ]
Improvements to imapnew.monitor, added hp-temp.monitor for HP server
temperature monitoring, and added support for MegaRAID and NVMe to
smartctl.monitor

[ Impact ]
Less functionality for users with MegaRAID (Dell servers among others) and
people using HP servers.

[ Risks ]
No risks regarding hp-temp.monitor as people can use linux-temp.monitor if
hp-temp.monitor doesn't work for them.

smartctl.monitor has been tested and found to work OK on the SATA scenarios
that the previous version supported.

imapnew.monitor has been extensively tested, and also has better quality code.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock etbemon/1.3.5-6


diff -u etbemon-1.3.5/debian/changelog etbemon-1.3.5/debian/changelog
--- etbemon-1.3.5/debian/changelog
+++ etbemon-1.3.5/debian/changelog
@@ -1,3 +1,13 @@
+etbemon (1.3.5-6) unstable; urgency=medium
+
+  * Better fix for headers in imapnew.monitor that doesn't need
+libhash-case-perl.
+  * Added hp-temp.monitor to use /sbin/hplog to monitor HP server temperature
+  * Added -M option to smartctl.monitor for MegaRAID AKA PERC support and
+added support for NVMe devices
+
+ -- Russell Coker   Mon, 07 Jun 2021 16:34:01 +1000
+
 etbemon (1.3.5-5) unstable; urgency=medium
 
   * Make the deleted-mapped check avoid perl privsep processes, don't want
reverted:
--- etbemon-1.3.5/debian/control
+++ etbemon-1.3.5.orig/debian/control
@@ -13,7 +13,7 @@
 Package: mon
 Architecture: any
 Depends: mon-client (>= 1.2.0), libtime-period-perl, adduser, 
${shlibs:Depends}, ${misc:Depends}
+Recommends: fping, libauthen-pam-perl, libfilesys-df-perl, libnet-perl, 
libnet-dns-perl, libnet-ldap-perl, libnet-telnet-perl, libsnmp-perl, 
libstatistics-descriptive-perl, libtime-parsedate-perl, libcrypt-ssleay-perl, 
libmail-imapclient-perl, libtimedate-perl, swaks, libcgi-pm-perl, bc, 
libproc-processtable-perl, libsys-filesystem-perl
-Recommends: fping, libauthen-pam-perl, libfilesys-df-perl, libnet-perl, 
libnet-dns-perl, libnet-ldap-perl, libnet-telnet-perl, libsnmp-perl, 
libstatistics-descriptive-perl, libtime-parsedate-perl, libcrypt-ssleay-perl, 
libmail-imapclient-perl, libtimedate-perl, swaks, libcgi-pm-perl, bc, 
libproc-processtable-perl, libsys-filesystem-perl, libhash-case-perl
 Suggests: mon-contrib
 Conflicts: mon-contrib (<= 1.0+dfsg-3+nmu1)
 Description: monitor hosts/services/whatever and alert about problems
diff -u etbemon-1.3.5/mon-local.d/smartctl.monitor 
etbemon-1.3.5/mon-local.d/smartctl.monitor
--- etbemon-1.3.5/mon-local.d/smartctl.monitor
+++ etbemon-1.3.5/mon-local.d/smartctl.monitor
@@ -5,38 +5,67 @@
 # copyright 2020 Russell Coker, Licensed under GPLv3 or higher.
 #
 # Monitor script to run smartctl and parse output.  By default checks
-# /dev/sd[a-z] and /dev/sd[a-z][a-z] but you can give a list of devices on the
-# command line
+# /dev/sd[a-z] /dev/sd[a-z][a-z] /dev/nvme[0-9] /dev/nvme[0-9][0-9] but
+# you can give a list of devices on the command line
 #
-# -f to treat marginal as failed
+# -f to treat all marginal conditions as failed
 # -m ATTRIBUTE_NAME to treat attribute as marginal
+#
+# -M for MegaRAID support, takes parameters of a device node on the MegaRAID
+# and a list of disk IDs separated by commas, eg "-M /dev/sda,0,1,7" for
+# disks 0, 1, and 7 on the MegaRAID controller that runs /dev/sda.
 
 my $summary;
 my $margsummary;
 my $detail;
 my $margdetail;
+my $megadev;
+my @ids;
 
 our $opt_f;
 our $opt_m;
-getopts("fm:") or die;
+our $opt_M;
+getopts("fm:M:") or die;
 
-if(-1 == $#ARGV)
+if($opt_M)
+{
+  @ids = split(/,/, $opt_M);
+  $megadev = $ids[0];
+  shift @ids;
+}
+else
 {
-  @ARGV = glob( "/dev/sd[a-z] /dev/sd[a-z][a-z]" );
   if(-1 == $#ARGV)
   {
-print "No devices found\n";
-exit(1);
+@ids = glob( "/dev/sd[a-z] /dev/sd[a-z][a-z] /dev/nvme[

Bug#990390: marked as done (unblock: nfs-utils/1:1.3.4-6)

[Debian Bug Tracking System]

Your message dated Sun, 04 Jul 2021 19:32:44 +
with message-id 
and subject line unblock nfs-utils
has caused the Debian Bug report #990390,
regarding unblock: nfs-utils/1:1.3.4-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990390: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990390
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: car...@debian.org,883...@bugs.debian.org,dpars...@debian.org

Hi Release team,

Please unblock package nfs-utils, or rather this is a pre-approval
request for it.

It was requested that we fix #883194 for python2 removal for the
nfs-utils package. I'm including as well a longstanding resource leak
fix (#513284).

[ Reason ]
Main reason is the python2 -> python3 switch, allowing to have systems
without the python2 interpreter to be installed.

[ Impact ]
Systems will keep the python binary package around and so the
python2.7 interpreter.

[ Tests ]
None specifically. We take the switch from upstream and switch the
recommentes from python to python3.

[ Risks ]
Low, user have tested the python3 compatiblity according to the
#883194 buglog. The patc hfor #513284 was upstreamed and applied
upstream.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
None

Okay to upload?

unblock nfs-utils/1:1.3.4-6

Regards,
Salvatore
diff -Nru nfs-utils-1.3.4/debian/changelog nfs-utils-1.3.4/debian/changelog
--- nfs-utils-1.3.4/debian/changelog2021-03-09 17:17:42.0 +0100
+++ nfs-utils-1.3.4/debian/changelog2021-06-28 09:15:06.0 +0200
@@ -1,3 +1,12 @@
+nfs-utils (1:1.3.4-6) unstable; urgency=medium
+
+  * mountstats:  Remove a shebang
+  * Convert remaining python scripts to python3 (Closes: #883194)
+  * debian/control: Switch Recommends from python to python3
+  * Removed a resource leak from mountd/fsloc.c (Closes: #513284)
+
+ -- Salvatore Bonaccorso   Mon, 28 Jun 2021 09:15:06 +0200
+
 nfs-utils (1:1.3.4-5) unstable; urgency=medium
 
   [ Felix Lechner ]
diff -Nru nfs-utils-1.3.4/debian/control nfs-utils-1.3.4/debian/control
--- nfs-utils-1.3.4/debian/control  2021-03-09 17:17:42.0 +0100
+++ nfs-utils-1.3.4/debian/control  2021-06-28 09:14:54.0 +0200
@@ -31,7 +31,7 @@
 Package: nfs-common
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}, rpcbind, adduser, ucf, lsb-base 
(>= 1.3-9ubuntu3), keyutils
-Recommends: python
+Recommends: python3
 Suggests: open-iscsi, watchdog
 Provides: nfs-client
 Conflicts: nfs-client
diff -Nru 
nfs-utils-1.3.4/debian/patches/Convert-remaining-python-scripts-to-python3.patch
 
nfs-utils-1.3.4/debian/patches/Convert-remaining-python-scripts-to-python3.patch
--- 
nfs-utils-1.3.4/debian/patches/Convert-remaining-python-scripts-to-python3.patch
1970-01-01 01:00:00.0 +0100
+++ 
nfs-utils-1.3.4/debian/patches/Convert-remaining-python-scripts-to-python3.patch
2021-06-28 09:14:54.0 +0200
@@ -0,0 +1,44 @@
+From: "Signed-off-by: NeilBrown" 
+Date: Mon, 31 Aug 2020 10:48:04 -0400
+Subject: Convert remaining python scripts to python3
+Origin: 
https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=d1683f356bd920d93f2db007902b2c46f97a2e49
+Bug-Debian: https://bugs.debian.org/883194
+
+nfs-utils contains 4 python scripts, two request
+ /usr/bin/python3
+in their shebang line, two request
+ /usr/bin/python
+
+Those latter two run perfectly well with python3 and as python2 is on the
+way out, change them so they requrest /usr/bin/python3.
+
+Signed-off-by: NeilBrown 
+Signed-off-by: Steve Dickson 
+---
+ tools/mountstats/mountstats.py | 2 +-
+ tools/nfs-iostat/nfs-iostat.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/mountstats/mountstats.py b/tools/mountstats/mountstats.py
+index 1054f698c8e3..00adc96bafeb 100755
+--- a/tools/mountstats/mountstats.py
 b/tools/mountstats/mountstats.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python
++#!/usr/bin/python3
+ # -*- python-mode -*-
+ """Parse /proc/self/mountstats and display it in human readable form
+ """
+diff --git a/tools/nfs-iostat/nfs-iostat.py b/tools/nfs-iostat/nfs-iostat.py
+index 50fd6a92977b..4f5e8a664ae8 100755
+--- a/tools/nfs-iostat/nfs-iostat.py
 b/tools/nfs-iostat/nfs-iostat.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python
++#!/usr/bin/python3
+ # -*- python-mode -*-
+ """Emulate iostat for NFS mount points using /proc/self/

Bug#990523: marked as done (unblock: expeyes/4.8.8+repack-2)

[Debian Bug Tracking System]

Your message dated Sun, 04 Jul 2021 19:31:40 +
with message-id 
and subject line unblock expeyes
has caused the Debian Bug report #990523,
regarding unblock: expeyes/4.8.8+repack-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990523: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990523
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package expeyes

[ Reason ]
As Andreas Beckman reported, in bug #990489, this package did
not allow a smooth upgrade from buster to bullseye. The reason was
a declared conflict with package modemmanager.

Now this bug has been fixed.

[ Impact ]
The binary package eyes17, built from expeyes, is used by
a few thousands of students and teachers in Kerala (a southern
Indian state), since the Eyes17 box has been officially endorsed
by Kerala's academic authorities to teach experimental physics in
high schools. Some people there update their system with Debian,
most with Ubuntu. Having expeyes in Debian stable is useful for
this community.

[ Tests ]
Manual tests only:
- the Eyes17 box communicates smoothly by the serial link, with
  the package modemmanager installed, so expeyes software and
  modemmanager are no longer conflicting.
- installation/uninstallation of package eyes17 work as
  expected.

[ Risks ]
Expeyes software are leaf packages, so there is no reverse
dependency.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Thank you in advance.

unblock expeyes/4.8.8+repack-2
diff -Nru expeyes-4.8.7+repack/debian/changelog 
expeyes-4.8.8+repack/debian/changelog
--- expeyes-4.8.7+repack/debian/changelog   2020-12-10 16:45:11.0 
+0100
+++ expeyes-4.8.8+repack/debian/changelog   2021-07-01 10:50:55.0 
+0200
@@ -1,3 +1,30 @@
+expeyes (4.8.8+repack-2) unstable; urgency=medium
+
+  * removed clauses conflicting with modemmanager. Closes: #990489
+  * replaced calls to "service" by calls to "invoke-rc.d", thanks to
+Andreas Beckman's hint.
+
+ -- Georges Khaznadar   Thu, 01 Jul 2021 10:50:55 +0200
+
+expeyes (4.8.8+repack-1) unstable; urgency=medium
+
+  * new upstream changes
+  * removed stale symlinks
+  * restored documentation files in the upstream archive
+  * made the clean target less agressive
+
+ -- Georges Khaznadar   Mon, 26 Apr 2021 15:39:18 +0200
+
+expeyes (4.8.7+repack-5) unstable; urgency=medium
+
+  * included Camaleón's translation for po-debconf files, thanks!
+Closes: #987479
+  * added a command in d/rules to remove broken symlinks. Closes: #986480
+  * removed python doctrees and .gitignore files from the package
+(warned by lintian)
+
+ -- Georges Khaznadar   Sun, 25 Apr 2021 18:41:30 +0200
+
 expeyes (4.8.7+repack-4) unstable; urgency=medium
 
   * defined a conflict between packages eyes17 and older python-expeyes
diff -Nru expeyes-4.8.7+repack/debian/control 
expeyes-4.8.8+repack/debian/control
--- expeyes-4.8.7+repack/debian/control 2020-12-10 16:45:11.0 +0100
+++ expeyes-4.8.8+repack/debian/control 2021-07-01 10:50:55.0 +0200
@@ -56,8 +56,7 @@
  python3-serial
 Recommends: fonts-lohit-mlym,
  libreoffice
-Conflicts: modemmanager,
- python3-expeyes (<< 4.5.8+dfsg-2),
+Conflicts: python3-expeyes (<< 4.5.8+dfsg-2),
  python-expeyes (<< 4.5.8+dfsg-2),
  eyes17 (<< 4.5.8+dfsg-2)
 Description: hardware & software framework for developing science experiments
@@ -121,8 +120,8 @@
 Architecture: all
 Depends: python3, ${misc:Depends}, ${python3:Depends},
  python3-scipy, python3-serial (>= 2.6), udev
-Conflicts: modemmanager,
- python-expeyes, python3-expeyes (<< 4.3)
+Conflicts: python-expeyes,
+ python3-expeyes (<< 4.3)
 Replaces: python-expeyes
 Description: Python3 library for expeyes
  This package provides low level interfaces for making science experiments
@@ -158,7 +157,6 @@
  avr-libc,
  avrdude
 Suggests: firm-phoenix-ware
-Conflicts: modemmanager, microhope-dbgsym(<<4.6.0-3)
 Description: hardware & software framework to learn microcontrollers
  This package provides a set of example programs to drive an ATmega32
  microcontroller, together with a tutorqial explaining how to compile
diff -Nru expeyes-4.8.7+repack/debian/expeyes-web.postinst 
expeyes-4.8.8+repack/debian/expeyes-web.postinst
--- expeyes-4.8.7+repack/debian/expeyes-web.postinst2020-05-15 
19:43:12.0 +0200
+++ expeyes-4.8.8+repack/debian/expeye

Bug#990670: [pre-approval] unblock: python-apt/2.2.1

[Sebastian Ramacher]

Control: tags -1 confirmed moreinfo

On 2021-07-04 14:25:00 +0200, Julian Andres Klode wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: j...@debian.org
> 
> Please unblock package python-apt
> 
> [ Reason ]
> 
> - Mark python-apt-common as Multi-Arch: common to unblock the
>   crossgrader script (#968458). People have very varied understanding
>   about severity of this; it's just a single line anyway.
> - update the mirror lists.
> 
> [ Impact ]
> People can't crossgrade and might see outdated mirror information
> in mirror selection tools like software-properties
> 
> [ Tests ]
> No code changed, just metadata. Unit tests are run at
> build time and during autopkgtest.
> 
> 
> [ Risks ]
> 
> It's just metadata changes, only risk is like regressions
> in toolchain since last upload.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> unblock python-apt/2.2.1

ACK, please remove the moreinfo tag once the ne wversion is available in
unstable.

Cheers
-- 
Sebastian Ramacher


signature.asc
Description: PGP signature

Processed: Re: Bug#990670: [pre-approval] unblock: python-apt/2.2.1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 confirmed moreinfo
Bug #990670 [release.debian.org] [pre-approval] unblock: python-apt/2.2.1
Added tag(s) confirmed and moreinfo.

-- 
990670: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990670
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#990646: marked as done (unblock: nodejs/12.21.0~dfsg-5)

[Debian Bug Tracking System]

Your message dated Sun, 04 Jul 2021 19:25:51 +
with message-id 
and subject line unblock nodejs
has caused the Debian Bug report #990646,
regarding unblock: nodejs/12.21.0~dfsg-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990646
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package nodejs

[ Reason ]
nodejs have been using its own copy of libuv for a while,
without me noticing.

[ Impact ]
nodejs using own copy of libuv, bad for security fixes.

[ Tests ]
nodejs own test suite is thorough.

[ Risks ]
None. But I might have overlooked a risk. Please tell me.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
The problem should have been discovered one year ago. Sorry for this.

unblock nodejs/12.21.0~dfsg-5
diff -Nru nodejs-12.21.0~dfsg/debian/changelog 
nodejs-12.21.0~dfsg/debian/changelog
--- nodejs-12.21.0~dfsg/debian/changelog2021-04-21 12:42:46.0 
+0200
+++ nodejs-12.21.0~dfsg/debian/changelog2021-07-03 20:50:29.0 
+0200
@@ -1,3 +1,9 @@
+nodejs (12.21.0~dfsg-5) unstable; urgency=medium
+
+  * Patch uvwasi.gyp to honour --shared-libuv. Closes: #990569.
+
+ -- Jérémy Lal   Sat, 03 Jul 2021 20:50:29 +0200
+
 nodejs (12.21.0~dfsg-4) unstable; urgency=medium
 
   [ Andreas Beckmann ]
diff -Nru nodejs-12.21.0~dfsg/debian/patches/series 
nodejs-12.21.0~dfsg/debian/patches/series
--- nodejs-12.21.0~dfsg/debian/patches/series   2021-03-19 18:28:07.0 
+0100
+++ nodejs-12.21.0~dfsg/debian/patches/series   2021-07-03 16:18:02.0 
+0200
@@ -1,3 +1,4 @@
+shared_uv_from_uvwasi.patch
 large_pages_assembly_gnu_stack.patch
 dfhs_module_path_arch_triplet.patch
 # 2012_kfreebsd.patch
diff -Nru nodejs-12.21.0~dfsg/debian/patches/shared_uv_from_uvwasi.patch 
nodejs-12.21.0~dfsg/debian/patches/shared_uv_from_uvwasi.patch
--- nodejs-12.21.0~dfsg/debian/patches/shared_uv_from_uvwasi.patch  
1970-01-01 01:00:00.0 +0100
+++ nodejs-12.21.0~dfsg/debian/patches/shared_uv_from_uvwasi.patch  
2021-07-03 17:43:00.0 +0200
@@ -0,0 +1,26 @@
+Description: uvwasi depends on uv.gyp and ignores shared_libuv
+Author: Jérémy Lal 
+Last-Update: 2021-07-03
+Forwarded: https://github.com/nodejs/node/issues/39248
+--- a/deps/uvwasi/uvwasi.gyp
 b/deps/uvwasi/uvwasi.gyp
+@@ -18,9 +18,6 @@
+ 'src/wasi_rights.c',
+ 'src/wasi_serdes.c',
+   ],
+-  'dependencies': [
+-'../uv/uv.gyp:libuv',
+-  ],
+   'direct_dependent_settings': {
+ 'include_dirs': ['include']
+   },
+@@ -31,6 +28,9 @@
+ '_POSIX_C_SOURCE=200112',
+   ],
+ }],
++[ 'node_shared_libuv=="false"', {
++  'dependencies': [ '../uv/uv.gyp:libuv' ],
++}],
+   ],
+ }
+   ]
diff -Nru nodejs-12.21.0~dfsg/debian/rules nodejs-12.21.0~dfsg/debian/rules
--- nodejs-12.21.0~dfsg/debian/rules2021-02-23 19:22:31.0 +0100
+++ nodejs-12.21.0~dfsg/debian/rules2021-07-03 15:48:04.0 +0200
@@ -16,19 +16,20 @@
 export LANG
 DEB_CONFIGURE_NORMAL_ARGS =
 DEB_CONFIGURE_EXTRA_FLAGS = \
+--verbose \
 --without-npm \
 --shared \
 --shared-zlib \
 --shared-cares \
---shared-nghttp2 \
 --shared-brotli \
 --with-intl=system-icu \
 --prefix=/usr \
 --openssl-use-def-ca-store \
 --arch-triplet=$(DEB_HOST_MULTIARCH) \
---node-relative-path="lib/$(DEB_HOST_MULTIARCH)/nodejs:share/nodejs:lib/nodejs"
 \
---shared-libuv
+--node-relative-path="lib/$(DEB_HOST_MULTIARCH)/nodejs:share/nodejs:lib/nodejs"
 
+DEB_CONFIGURE_EXTRA_FLAGS += --shared-nghttp2
+DEB_CONFIGURE_EXTRA_FLAGS += --shared-libuv
 DEB_CONFIGURE_EXTRA_FLAGS += --shared-openssl
 
 # map HOST ARCH AND OS, and if unknown let upstream guess
--- End Message ---
--- Begin Message ---
Unblocked.--- End Message ---

Bug#990621: marked as done (unblock: python-duckpy/3.1.0-2)

[Debian Bug Tracking System]

Your message dated Sun, 4 Jul 2021 21:23:21 +0200
with message-id 
and subject line Re: Bug#990621: unblock: python-duckpy/3.1.0-2
has caused the Debian Bug report #990621,
regarding unblock: python-duckpy/3.1.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990621: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990621
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: nil...@debian.org, debian-med-packag...@lists.alioth.debian.org

Please unblock package python-duckpy

[ Reason ]
python-duckpy is an unusable package w/o having a Depends on python3-h2
More details with salsa CI links in the corresponding RC bug: #990620 which the 
latest upload closes

[ Impact ]
The package will be unusable for bullseye users w/o explicitly
installing python3-h2 on their own

[ Tests ]
Non-superficial autopkgtests have been added in the upload, which helped
to uncover the bug in the first place. Both superficial and
non-superficial autopkgtests are green now.
I also did a bit of manual testing -- looks good!

[ Risks ]
This is a leaf package, no risks

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock python-duckpy/3.1.0-2

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.7.0-2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru python-duckpy-3.1.0/debian/changelog 
python-duckpy-3.1.0/debian/changelog
--- python-duckpy-3.1.0/debian/changelog2020-09-29 16:16:00.0 
+0530
+++ python-duckpy-3.1.0/debian/changelog2021-07-03 01:37:34.0 
+0530
@@ -1,3 +1,12 @@
+python-duckpy (3.1.0-2) unstable; urgency=medium
+
+  * Team Upload.
+  * Add autopkgtests
+  * d/examples: Add d/tests/test_duckpy_basic.py as example
+  * d/control: Add Depends on python3-h2 (Closes: #990620)
+
+ -- Nilesh Patra   Sat, 03 Jul 2021 01:37:34 +0530
+
 python-duckpy (3.1.0-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru python-duckpy-3.1.0/debian/control python-duckpy-3.1.0/debian/control
--- python-duckpy-3.1.0/debian/control  2020-09-29 16:16:00.0 +0530
+++ python-duckpy-3.1.0/debian/control  2021-07-03 00:55:00.0 +0530
@@ -24,7 +24,8 @@
 Section: python
 Depends: ${misc:Depends},
  ${python3:Depends},
- python3-bs4
+ python3-bs4,
+ python3-h2
 Recommends: ${python3:Recommends}
 Suggests: ${python3:Suggests}
 Description: simple Python library for searching on DuckDuckGo
diff -Nru python-duckpy-3.1.0/debian/examples 
python-duckpy-3.1.0/debian/examples
--- python-duckpy-3.1.0/debian/examples 1970-01-01 05:30:00.0 +0530
+++ python-duckpy-3.1.0/debian/examples 2021-07-03 00:55:00.0 +0530
@@ -0,0 +1 @@
+debian/tests/test_duckpy_basic.py
diff -Nru python-duckpy-3.1.0/debian/tests/control 
python-duckpy-3.1.0/debian/tests/control
--- python-duckpy-3.1.0/debian/tests/control1970-01-01 05:30:00.0 
+0530
+++ python-duckpy-3.1.0/debian/tests/control2021-07-03 00:54:17.0 
+0530
@@ -0,0 +1,3 @@
+Tests: run-unit-test
+Depends: @, python3-pytest
+Restrictions: allow-stderr, needs-internet
diff -Nru python-duckpy-3.1.0/debian/tests/run-unit-test 
python-duckpy-3.1.0/debian/tests/run-unit-test
--- python-duckpy-3.1.0/debian/tests/run-unit-test  1970-01-01 
05:30:00.0 +0530
+++ python-duckpy-3.1.0/debian/tests/run-unit-test  2021-07-03 
00:55:00.0 +0530
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -e
+
+pkg='duckpy'
+CUR_DIR=`pwd`
+
+if [ "$AUTOPKGTEST_TMP" = "" ] ; then
+  AUTOPKGTEST_TMP=`mktemp -d /tmp/${pkg}-test.XX`
+  trap "rm -rf $AUTOPKGTEST_TMP" 0 INT QUIT ABRT PIPE TERM
+fi
+
+cp /usr/share/doc/python3-${pkg}/examples/test_duckpy_basic.py 
"$AUTOPKGTEST_TMP"
+
+cd $AUTOPKGTEST_TMP
+
+for py in $(py3versions -s 2> /dev/null)
+do
+echo "Testing with $py in $(pwd):"
+$py -m pytest -v
+done
+echo "PASS"
diff -Nru python-duckpy-3.1.0/debian/tests/test_duckpy_basic.py 
python-duckpy-3.1.0/debian/tests/test_duckpy_basic.py
--- python-duckpy-3.1.0/debian/tests/test_duckpy_basic.py   1970-01-01 
05:30:00.0 +0530

Bug#990632: marked as done (unblock: fdroidserver/2.0.3-1)

[Debian Bug Tracking System]

Your message dated Sun, 04 Jul 2021 19:19:01 +
with message-id 
and subject line unblock fdroidserver
has caused the Debian Bug report #990632,
regarding unblock: fdroidserver/2.0.3-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990632: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990632
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package fdroidserver

[ Reason ]
fdroidserver has successful autopkgtests but fails on ppc64el due to
zipalign not being available on that platform (Not a regression). I
believe that is #980087.

For the patch itself, it fixes two warnings in the linting part of
fdroidserver. ruamel deprecated one function and a restriction for the
Version field in the F-Droid metadata was lifted.

Note that I opted for a new upstream version cause adding those two
change would have resulted in basically the same patch plus/minus the
version noise. Hope that is fine.

[ Impact ]
bullseye users would would get a lot of false warnings when linting a
metadata file.

[ Tests ]
I tested the new version manually. Also upstream is using it in
production.

[ Risks ]
The code change for the Version field is only changing a regex so it
seems trivial to me. For ruamel the deprecated function was replaced by
it's content.

[ Checklist ]
  [X] all changes are documented in the d/changelog (through upstream
  changelog)
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock fdroidserver/2.0.3-1
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 99a5f430..945e237c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,21 @@ All notable changes to this project will be documented in this 
file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
-## [2.0.1] - 2020-03-09
+## [2.0.3] - 2021-07-01
+
+### Fixed
+
+* Support AutoUpdateMode: Version without pattern
+  [931](https://gitlab.com/fdroid/fdroidserver/-/merge_requests/931)
+
+## [2.0.2] - 2021-06-01
+
+### Fixed
+
+* fix "ruamel round_trip_dump will be removed"
+  [932](https://gitlab.com/fdroid/fdroidserver/-/merge_requests/932)
+
+## [2.0.1] - 2021-03-09
 
 ### Fixed
 
@@ -18,7 +32,7 @@ The format is based on [Keep a 
Changelog](https://keepachangelog.com/en/1.0.0/)
 * checkupdates: set User-Agent to make gitlab.com happy
 * Run push_binary_transparency only once
 
-## [2.0] - 2020-01-31
+## [2.0] - 2021-01-31
 
 For a more complete overview, see the [2.0
 milestone](https://gitlab.com/fdroid/fdroidserver/-/milestones/10)
diff --git a/PKG-INFO b/PKG-INFO
index 1c5616cd..3188aba8 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: fdroidserver
-Version: 2.0.1
+Version: 2.0.3
 Summary: F-Droid Server Tools
 Home-page: https://f-droid.org
 Author: The F-Droid Project
diff --git a/debian/changelog b/debian/changelog
index 59e519f1..d45c4c20 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+fdroidserver (2.0.3-1) unstable; urgency=medium
+
+  * Team upload.
+  * New upstream version 2.0.3
+
+ -- Jochen Sprickerhof   Thu, 01 Jul 2021 14:48:57 +0200
+
 fdroidserver (2.0.1-1) unstable; urgency=medium
 
   * New upstream version 2.0.1
diff --git a/fdroidserver.egg-info/PKG-INFO b/fdroidserver.egg-info/PKG-INFO
index 1c5616cd..3188aba8 100644
--- a/fdroidserver.egg-info/PKG-INFO
+++ b/fdroidserver.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: fdroidserver
-Version: 2.0.1
+Version: 2.0.3
 Summary: F-Droid Server Tools
 Home-page: https://f-droid.org
 Author: The F-Droid Project
diff --git a/fdroidserver/checkupdates.py b/fdroidserver/checkupdates.py
index f5d0d450..b9e723df 100644
--- a/fdroidserver/checkupdates.py
+++ b/fdroidserver/checkupdates.py
@@ -492,7 +492,7 @@ def checkupdates_app(app):
 logging.warning("Can't auto-update app with no CurrentVersionCode: 
" + app.id)
 elif mode in ('None', 'Static'):
 pass
-elif mode.startswith('Version '):
+elif mode.startswith('Version'):
 pattern = mode[8:]
 suffix = ''
 if pattern.startswith('+'):
diff --git a/fdroidserver/metadata.py b/fdroidserver/metadata.py
index 6c3c4815..8b27c991 100644
--- a/fdroidserver/metadata.py
+++ b/fdroidserver/metadata.py
@@ -448,7 +448,7 @@ valuetypes = {
["AntiFeatures"]),
 
 FieldValidator("Auto Update Mode",
-   r"^(Version .+|None)$",
+   

Bug#990619: marked as done (unblock: qtbase-opensource-src/5.15.2+dfsg-9)

[Debian Bug Tracking System]

Your message dated Sun, 04 Jul 2021 19:17:00 +
with message-id 
and subject line unblock qtbase-opensource-src
has caused the Debian Bug report #990619,
regarding unblock: qtbase-opensource-src/5.15.2+dfsg-9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990619: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990619
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package qtbase-opensource-src 5.15.2+dfsg-9.

[ Reason ]
Unfortunately the patch I added in 5.15.2+dfsg-6 introduced some regressions.

The original purpose of that patch was to fix the bug described here:
- https://bugs.launchpad.net/bugs/1857824
- https://bugs.kde.org/show_bug.cgi?id=417761

However that patch also contained an unrelated change. Quoting the commit
message:

> This change also optimizes QMimeBinaryProvider::addFileNameMatches
> to have the same logic as xdgmime for glob matching:
> literals > extensions > other globs
> As soon as one category matches, we can stop there.
> This makes no difference in the overall results, in practice.

It turns out this optimization causes various problems, which can be seen in
the following bug reports:
- https://bugs.debian.org/989255 (problems with qbittorrent-nox)
- https://bugs.debian.org/989744 (problems with dolphin and all/all MIME type)
- https://bugs.debian.org/990129 (problems with Qt WebEngine)

[ Impact ]
According to the bugs, the previous patch causes issues in different
applications. All issues are in some way related to determining MIME types.

[ Tests ]
I have prepared a locally built .deb where the part of the patch causing
problems was removed:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989744#37

In all three bugs, I got feedback that the issue is fixed with that:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989255#36
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989744#42
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990129#27

[ Risks ]
The risks are all related to MIME types handling. But at least it should be
no worse than before -6 upload. I hope these two parts of the patch were
really independent.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
The 5.15.2+dfsg-8 upload contained another fix that was contributed to us via
a merge request. Apparently that fix also causes a regression, so I decided to
remove it in -9.

unblock qtbase-opensource-src/5.15.2+dfsg-9

Of course there is no urgency, this package can wait its N-day quarantine
in unstable.

--
Dmitry Shachnev
diff -Nru qtbase-opensource-src-5.15.2+dfsg/debian/changelog qtbase-opensource-src-5.15.2+dfsg/debian/changelog
--- qtbase-opensource-src-5.15.2+dfsg/debian/changelog	2021-06-03 15:55:29.0 +0300
+++ qtbase-opensource-src-5.15.2+dfsg/debian/changelog	2021-07-02 18:58:04.0 +0300
@@ -1,3 +1,23 @@
+qtbase-opensource-src (5.15.2+dfsg-9) unstable; urgency=medium
+
+  * Revert adding fix-misplacement-of-placeholder-text-in-QLineEdit.diff.
+Unfortunately it causes a regression (see QTBUG-94824).
+
+ -- Dmitry Shachnev   Fri, 02 Jul 2021 18:58:04 +0300
+
+qtbase-opensource-src (5.15.2+dfsg-8) unstable; urgency=medium
+
+  [ Lu Yaning ]
+  * Backport upstream patch to fix misplacement of placeholder text in
+QLineEdit with RTL content.
+
+  [ Dmitry Shachnev ]
+  * Remove the qmimeprovider.cpp part of mime_globs.diff. It is unrelated
+to the original purpose of that patch, and causes various problems
+(closes: #989255, #989744, #990129).
+
+ -- Dmitry Shachnev   Mon, 28 Jun 2021 20:38:59 +0300
+
 qtbase-opensource-src (5.15.2+dfsg-7) unstable; urgency=medium
 
   [ Lu Yaning ]
diff -Nru qtbase-opensource-src-5.15.2+dfsg/debian/patches/mime_globs.diff qtbase-opensource-src-5.15.2+dfsg/debian/patches/mime_globs.diff
--- qtbase-opensource-src-5.15.2+dfsg/debian/patches/mime_globs.diff	2021-06-03 15:37:49.0 +0300
+++ qtbase-opensource-src-5.15.2+dfsg/debian/patches/mime_globs.diff	2021-07-02 18:58:04.0 +0300
@@ -2,14 +2,8 @@
  When multiple globs match, and the result from magic sniffing is
  unrelated to any of those globs, globs have priority and one of them
  should be picked up.
- .
- This change also optimizes QMimeBinaryProvider::addFileNameMatches
- to have the same logic as xdgmime for glob matching:
- literals > extensions > other globs
- As soon as one categ

Bug#990663: marked as done (unblock: libuv1/1.40.0-1)

[Debian Bug Tracking System]

Your message dated Sun, 04 Jul 2021 19:15:21 +
with message-id 
and subject line unblock libuv1
has caused the Debian Bug report #990663,
regarding unblock: libuv1/1.40.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990663: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990663
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libuv1

[ Reason ]
libuv1 1.40.0-1 is affected by CVE-2021-22918
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990561

In more details:

> Node.js (through libuv1) is vulnerable to out-of-bounds read in
> libuv's uv__idna_toascii() function which is used to convert strings
> to ASCII. This is called by Node's dns module's lookup() function and
> can lead to information disclosures or crashes.

See https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/

I've applied a patch prepared by upstream.
https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829

Debdiff does not give much information besides the changelog.

The patch is:
https://salsa.debian.org/debian/libuv1/-/blob/debian/sid/debian/patches/fix-cve-2021-22918


[ Impact ] Without this patch, libuv1 (hence nodejs and may be raku)
are vulnerable to specially crafted host names encoded in punicode.

[ Tests ]
Upstream patch contains specific tests that check that the
vulnerability was fixed.

[ Risks ] Hmm. I guess risk is low as the patch is not so big. I also
trust the judgment of upstream.

[ Checklist ]
  [X ] all changes are documented in the d/changelog
  [X ] I reviewed all changes and I approve them
  [X ] attach debdiff against the package in testing


unblock libuv1/1.40.0-1
diff -Nru libuv1-1.40.0/debian/changelog libuv1-1.40.0/debian/changelog
--- libuv1-1.40.0/debian/changelog  2020-10-31 18:43:46.0 +0100
+++ libuv1-1.40.0/debian/changelog  2021-07-04 09:43:38.0 +0200
@@ -1,3 +1,9 @@
+libuv1 (1.40.0-2) unstable; urgency=medium
+
+  * add patch for CVE-2021-22918 (Closes: #990561)
+
+ -- Dominique Dumont   Sun, 04 Jul 2021 09:43:38 +0200
+
 libuv1 (1.40.0-1) unstable; urgency=medium
 
   * new upstream version
--- End Message ---
--- Begin Message ---
Unblocked.--- End Message ---

Bug#990651: unblock: nx-libs/2:3.5.99.26-2

[Sebastian Ramacher]

Control: tags -1 moreinfo

On 2021-07-03 22:17:59 +0200, Mike Gabriel wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package nx-libs
> 
> [ Reason ]
> Several important upstream issues have recently been resolved in nx-libs.
> The fixes for those issues have been cherry-picked into this version of
> Debian's nx-libs package.
> 
> +  * debian/patches:
> ++ Add 0001_Compext.c-fix-comparisons-of-16bit-sequence-numbers.patch.
> +  Compext.c: fix comparisons of 16bit sequence numbers. (Closes:
> +  #990647).
> 
> -> Fixes flawed 16 bit comparison. This resolves an "Xlib: unexpected async
> reply (sequence 0x94b01439)!" and clipboard pasting being broken afterwards.
> 
> ++ Add 0002_Forward-ClientMessages-to-nxproxy-side.patch.
> +  Forward ClientMessages to nxproxy side. (Closes: #990649).
> 
> -> Resolve window control problems with client side decorated windows if
> nxagent is used in rootless/seamless session mode.
> 
> ++ Add 0003_randr-Do-not-update-ConnectionInfo-if-NULL.patch.
> +  randr: Do not update ConnectionInfo if NULL (and avoid the nxagent
> +  Xserver from crashing). (Closes: #990650).
> 
> -> Regression fix of unknown origin. Could be resolved by cherry-picking
> a commit original from X.Org upstream. 
> 
> ++ Add 0004_document-additional-options-only-nxagent-knows-about.patch.
> +  Update man page and --help documentation of nxproxy/nxagent.
> 
> -> Recently, upstream added a documentation improvement that now
> documents various session options that were undocumented before.
> 
> ++ Adjust 0004_document-additional-options-only-nxagent-knows-about.patch.
> +  Version 3.5.99.26 does not yet have the textclipboard= session
> +  parameter.
> 
> -> The above patch added one option that is not yet available in 3.5.99.26,
> So we removed this bit of documenation for nx-libs in Debian (bullseye).
> 
> 
> [ Impact ]
> The "connect to local X11 desktop" (shadow session support) would be broken, 
> 
> The clipboard between nxagent and the local Xserver might break in some 
> situations.
> 
> There would be problems with client side decorated windows.
> 
> There would be undocumented options.
> 
> [ Tests ]
> Manual tests.
> 
> [ Risks ]
> X2Go sessions being busted if some of the above commits is flawed.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing

The debdiff appears to be missing.

Cheers

> 
> [ Other info ]
> None.
> 
> unblock nx-libs/2:3.5.99.26-2
> 

-- 
Sebastian Ramacher


signature.asc
Description: PGP signature

Processed: Re: Bug#990651: unblock: nx-libs/2:3.5.99.26-2

[Debian Bug Tracking System]

Processing control commands:

> tags -1 moreinfo
Bug #990651 [release.debian.org] unblock: nx-libs/2:3.5.99.26-2
Added tag(s) moreinfo.

-- 
990651: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990651
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#990365: marked as done (unblock: nemo/4.8.6-2)

[Debian Bug Tracking System]

Your message dated Sun, 04 Jul 2021 19:03:41 +
with message-id 
and subject line unblock nemo
has caused the Debian Bug report #990365,
regarding unblock: nemo/4.8.6-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990365: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990365
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package nemo

[ Reason ]
The patch taken upstream and applied in nemo 4.8.6-2 avoid some issues 
with favorites


[ Impact ]
Using favorites there is an easy risk to have issue including nemo crash 
(as reported by users in 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988924)


[ Tests ]
I did some test the favorites and I was unable to reproduce issues with 
them using 4.8.6-2, instead with 4.8.6-1 is easy to reproduce


[ Risks ]
the risk should be minimal, is small patch taken upstream was introduced 
in nemo 5.0.1 (latest stable version is now 5.0.2) already used in linux 
mint and other distros and from a fast search I not found regression 
about it.


The diff: 
https://salsa.debian.org/cinnamon-team/nemo/-/compare/debian%2F4.8.6-1...debian%2F4.8.6-2


unblock nemo/4.8.6-2
--- End Message ---
--- Begin Message ---
Unblocked.--- End Message ---

Bug#990365: unblock: nemo/4.8.6-2

[Sebastian Ramacher]

On 2021-07-03 16:32:44 +0200, Fabio Fantoni wrote:
> Il 29/06/2021 22:52, Sebastian Ramacher ha scritto:
> > > The diff: 
> > > https://salsa.debian.org/cinnamon-team/nemo/-/compare/debian%2F4.8.6-1...debian%2F4.8.6-2
> > Please attach a debdiff of the source packages in testing and unstable to 
> > the bug.
> > 
> > Cheers
> 
> Thanks for reply, the link to salsa with diff from 4.8.6-1 to 4.8.6-2 was
> correct and working, however now I attached the diff generates from debdiff
> dsc of testing and unstable as requested.

It's not that the salsa diff isn't working, but we want the debdiffs in
the bug report so that if we spot anything we can directly address those
issues. It also saves us a context switch which makes it more likely
that we actually process the unblock request.

Cheers

> 

> diff -Nru nemo-4.8.6/debian/changelog nemo-4.8.6/debian/changelog
> --- nemo-4.8.6/debian/changelog   2021-03-12 23:47:45.0 +0100
> +++ nemo-4.8.6/debian/changelog   2021-06-20 15:51:07.0 +0200
> @@ -1,3 +1,10 @@
> +nemo (4.8.6-2) unstable; urgency=medium
> +
> +  * d/patches: nemo-tree-sidebar.c: Fix states for pin/unpin and
> +create-folder menu items (Closes: #988924)
> +
> + -- Fabio Fantoni   Sun, 20 Jun 2021 15:51:07 +0200
> +
>  nemo (4.8.6-1) unstable; urgency=medium
>  
>* New upstream version 4.8.6
> diff -Nru nemo-4.8.6/debian/patches/fix-states-pin-create-folder-menu.patch 
> nemo-4.8.6/debian/patches/fix-states-pin-create-folder-menu.patch
> --- nemo-4.8.6/debian/patches/fix-states-pin-create-folder-menu.patch 
> 1970-01-01 01:00:00.0 +0100
> +++ nemo-4.8.6/debian/patches/fix-states-pin-create-folder-menu.patch 
> 2021-06-20 15:51:07.0 +0200
> @@ -0,0 +1,134 @@
> +Author: Michael Webster 
> +Description: nemo-tree-sidebar.c: Fix states for pin/unpin and
> + create-folder menu items.
> +
> +- Don't allow pinning of items in the root tree level.
> +- Correctly set visiblity/sensitivity of the create-folder menu item -
> +  disallow in non-writeable locations and in favorites (this is
> +  already forbidden elsewhere).
> +- Fix incorrect jump when right-clicking a non-selected tree entry.
> +
> +Fixes #2759
> +Origin: 
> https://github.com/linuxmint/nemo/commit/d1807d43898861cf159d4bdf8be2f912b396ff05
> +---
> + src/nemo-tree-sidebar.c | 44 +
> + 1 file changed, 31 insertions(+), 13 deletions(-)
> +
> +--- a/src/nemo-tree-sidebar.c
>  b/src/nemo-tree-sidebar.c
> +@@ -93,11 +93,13 @@
> + GtkWidget *popup_open_in_new_window;
> + GtkWidget *popup_open_in_new_tab;
> + GtkWidget *popup_create_folder;
> ++GtkWidget *popup_post_create_folder_separator;
> + GtkWidget *popup_cut;
> + GtkWidget *popup_copy;
> + GtkWidget *popup_paste;
> + GtkWidget *popup_rename;
> + GtkWidget *popup_pin;
> ++GtkWidget *popup_post_pin_separator;
> + GtkWidget *popup_unpin;
> + GtkWidget *popup_trash;
> + GtkWidget *popup_delete;
> +@@ -689,13 +691,14 @@
> + button_pressed_callback (GtkTreeView *treeview, GdkEventButton *event,
> +  FMTreeView *view)
> + {
> +-GtkTreePath *path, *cursor_path;
> ++GtkTreePath *path;
> + gboolean parent_file_is_writable;
> + gboolean file_is_home_or_desktop;
> + gboolean file_is_special_link;
> + gboolean can_move_file_to_trash;
> + gboolean can_delete_file;
> + gboolean using_browser;
> ++gint is_toplevel;
> + 
> + using_browser = g_settings_get_boolean (nemo_preferences,
> + 
> NEMO_PREFERENCES_ALWAYS_USE_BROWSER);
> +@@ -719,12 +722,11 @@
> + gtk_tree_path_free (path);
> + return FALSE;
> + }
> +-gtk_tree_view_get_cursor (view->details->tree_widget, 
> &cursor_path, NULL);
> +-
> +-gtk_tree_path_free (path);
> + 
> + create_popup_menu (view);
> + 
> ++is_toplevel = gtk_tree_path_get_depth (path) == 1;
> ++
> + if (using_browser) {
> + gtk_widget_set_sensitive 
> (view->details->popup_open_in_new_window,
> +   nemo_file_is_directory 
> (view->details->popup_file));
> +@@ -735,6 +737,15 @@
> + gtk_widget_set_sensitive (view->details->popup_create_folder,
> + nemo_file_is_directory (view->details->popup_file) &&
> + nemo_file_can_write (view->details->popup_file));
> ++
> ++if (nemo_file_is_in_favorites (view->details->popup_file)) {
> ++gtk_widget_hide (view->details->popup_create_folder);
> ++gtk_widget_hide 
> (view->details->popup_post_create_folder_separator);
> ++} else {
> ++gtk_widget_show (view->details->popup_create_folder);
> ++gtk_widget_show 
> (view->details->popup_post_create_folder_separator);
> ++}
> ++
> + gtk_widget_set_sensitive (view->deta

Bug#990630: marked as done (unblock: fuse3/3.10.3-2)

[Debian Bug Tracking System]

Your message dated Sun, 4 Jul 2021 20:21:35 +0200
with message-id <132b5ff2-2d24-e906-0c30-bdf70bf18...@debian.org>
and subject line Re: Bug#990630: unblock: fuse3/3.10.3-2
has caused the Debian Bug report #990630,
regarding unblock: fuse3/3.10.3-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990630: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990630
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi RMs,

I would like to update the fuse3 package for Bullseye.

[ Reason ]
The fuse3 package has an old postinst snippet to alter cuse device
permissions. That's double wrong, doesn't work with RO /dev and can
fail in chroot environments.

[ Impact ]
Failed package install [1] in some cases.

[ Tests ]
Tested chroot installation and now it works.

[ Risks ]
None.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Builds an udeb and needs a d-i hint as well.

unblock fuse3/3.10.3-2

Thanks,
Laszlo/GCS
[1] https://bugs.debian.org/989977
--- End Message ---
--- Begin Message ---
Hi,

On 03-07-2021 07:17, László Böszörményi (GCS) wrote:
> unblock fuse3/3.10.3-2

unblocked.

Paul



OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---

Bug#990530: unblock: horizon/18.6.2-4 and all of its plugins

[Thomas Goirand]

On 7/1/21 10:48 PM, Sebastian Ramacher wrote:
>> magnum-ui/7.0.0-2
> 
> This seems to be missing an upload.

magnum-ui uploaded.

>> sahara-dashboard/13.0.0-2
> 
> This introduces piuparts regressions.
> 
>> vitrage-dashboard/3.2.0-3
> 
> This only seems to have a changelog entry.

I'll fix these tomorrow morning and let will let you know.

Cheers,

Thomas Goirand (zigo)

Re: Bug#990069: openssh-server: Not accepting new connections during Debian 10 -> 11 upgrade

[Paul Gevers]

Hi all,

On 04-07-2021 00:42, Colin Watson wrote:
> Sorry for my delay - it took me a while to spot the problem.  libc6's
> postinst does arrange to restart services where needed, but in this case
> it doesn't realize that you have the ssh service installed because you
> only have the openssh-server package installed, not the ssh metapackage
> (i.e. the package with the same name as the service).
> 
> I've proposed
> https://salsa.debian.org/glibc-team/glibc/-/merge_requests/3 to fix
> this.  glibc maintainers, if there's any way to get this into bullseye,
> I'm sure it would help avoid some people upgrading remote systems ending
> up being unable to fix them if something goes wrong between configuring
> libc6 and configuring openssh-server.  Also CCing debian-release for
> their information, as I know it's pretty late for glibc changes.

I think we really want this. I *think* I ran into exactly this issue two
days ago when I upgraded my NAS. It's really scary to notice that you
can't log into your system and your only connection is the current one
running the upgrade. In my case, it was asking questions along the way.
I had considered running the upgrade in screen. In the end it look
longer than expected and I left my laptop on. If I would have run in
screen and disconnected, I would have had no idea what hit me.

Paul



OpenPGP_signature
Description: OpenPGP digital signature

Processed: unblock: [pre-approval] privacybadger/2021.6.8-1

[Debian Bug Tracking System]

Processing control commands:

> block 981702 by -1
Bug #981702 {Done: ba...@debian.org} [sponsorship-requests] RFS: 
privacybadger/2021.2.2-1 -- browser extension automatically learns to block 
invisible trackers
981702 was not blocked by any bugs.
981702 was not blocking any bugs.
Added blocking bug(s) of 981702: 990679

-- 
981702: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981702
990679: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990679
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#990679: unblock: [pre-approval] privacybadger/2021.6.8-1

[John Scott]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: 981...@bugs.debian.org
Control: block 981702 by -1

Please unblock package privacybadger

[ Reason ]
Privacy Badger is unique and different from other anti-tracking
extensions in that instead of using artificial whitelists and
blacklists, it learns based on one's browsing behavior. However, it was
privately disclosed by Google's Security Team that Privacy Badger's
learning, which is unique to each user, can itself enable
fingerprinting:
https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better

To address this, newer versions of Privacy Badger work by everyone
using the same whitelists, yellowlists, and blacklists, which are
aggregated from everyone's learning data.

[ Impact ]
If this unblock isn't granted, or it's not possible for Privacy Badger
to be shipped in bullseye-updates during the release cycle, then users
would be left more vulnerable to fingerprinting, as they could be
identified based on their older Privacy Badger versions. Upstream has
indicated that this situation would be unacceptable (and I concur), so
it would be better to remove the package altogether then.

This situation is not unlike the need to ship up-to-date ClamAV data in
stable-updates.

[ Tests ]
Since this is a browser extension it's difficult to automate testing. I
have tested with Firefox ESR, Firefox non-ESR, and Chromium that it
works.

[ Risks ]
This package is a leaf package, and if this package were to be instead
removed from Bullseye, users would need to install it manually by
fetching the extension from another source. The debdiff is quite large,
but consists mostly of changes to the website data and translations.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

This is a request for pre-approval since I need to seek a sponsor to
update the package anyway. My debdiff was detected as malware so you'll
have to fetch it from
https://salsa.debian.org/-/snippets/549/raw/master/privacybadger.diff

unblock privacybadger/2021.6.8-1




signature.asc
Description: This is a digitally signed message part

Bug#990630: unblock: fuse3/3.10.3-2

[Cyril Brulebois]

Paul Gevers  (2021-07-03):
> On 03-07-2021 07:17, László Böszörményi (GCS) wrote:
> > [ Other info ]
> > Builds an udeb and needs a d-i hint as well.
> 
> So, let's make kibi aware of this too (via boot).

Looks good, thanks.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Re: how to patch package rhonabwy before bullseye release?

[Nicolas Mora]

Salut Pierre-Elliott, thanks for your help!

Le 2021-07-04 à 06 h 12, Pierre-Elliott Bécue a écrit :



Have a look at [0].

Yes, that's why I'm asking for help. The full freeze is close but the 
bugs fixed are quite important, and since rhonabwy is a crypto library, 
they can lead to security issues.



We are in the hard freeze part. If your package has passing non-trivial
autopkgtest, it'll migrate from unstable to bullseye after 20 days
without an unblock request. It is expected that your changes are non big
and non-disruptive.


The package salsa repo [0] has been updated with the fix.

There's a d/rules minor change which isn't related to the bugs fixed:
d/rules: remove dpkg-shlibdeps from override_dh_auto_install
It's a remaining I forgot to remove before, but I can cancel this change 
since it's not important.


The bugfix itself is a single patch file [2].


BUT, as the full freeze will probably start before the 20 days limit is
reached, I can't say how your package migration will be handled. I guess
it will be blocked. I would therefore recommend you confirm with a release
team member what to do, but I guess an unblock bug with the debdiff opened
right now could be a good idea and would probably allow your changes to be
part of bullseye if the release-team see it fit. :)

  1. Uploading to unstable for now is not a bad idea if the upload is
 what you expect to see in testing
  2. The urgency field is ignored during the currents and future parts
 of the freeze.


Therefore I'm relying on the team wisdom.

Would you accept a new package in unstable, maybe with a high urgency?

I can also wait for bullseye release and push the new package in 
proposed-updates?


Thanks!

/Nicolas

[0] https://salsa.debian.org/debian-iot-team/oauth2/rhonabwy
[2] 
https://salsa.debian.org/debian-iot-team/oauth2/rhonabwy/-/blob/master/debian/patches/bugfixes.patch

Bug#990670: [pre-approval] unblock: python-apt/2.2.1

[Julian Andres Klode]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: j...@debian.org

Please unblock package python-apt

[ Reason ]

- Mark python-apt-common as Multi-Arch: common to unblock the
  crossgrader script (#968458). People have very varied understanding
  about severity of this; it's just a single line anyway.
- update the mirror lists.

[ Impact ]
People can't crossgrade and might see outdated mirror information
in mirror selection tools like software-properties

[ Tests ]
No code changed, just metadata. Unit tests are run at
build time and during autopkgtest.


[ Risks ]

It's just metadata changes, only risk is like regressions
in toolchain since last upload.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock python-apt/2.2.1

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer  i speak de, en


python-apt_2.2.1.diff.gz
Description: application/gzip

Re: how to patch package rhonabwy before bullseye release?

[Pierre-Elliott Bécue]

Salut Nicolas,

Nicolas Mora  writes:

> Hello release team,
>
> I'm maintaining the package rhonaby [1] in the debian IoT tem, as well
> as being the upstream author.
>
> Recently, I've fixed two bugs in the library that I'd like to backport
> to the debian package in the bullseye release, I consider them to be 
> important bugfixes.
>
> Do I have to open a RC bug before pushing the package or can I just
> push a new package?
> Also, do I have to set the urgency higher than medium?
>
> Thanks in advance, sorry if my questions are dumb.
>
> /Nicolas
>
> [1] https://tracker.debian.org/pkg/rhonabwy

Have a look at [0].

We are in the hard freeze part. If your package has passing non-trivial
autopkgtest, it'll migrate from unstable to bullseye after 20 days
without an unblock request. It is expected that your changes are non big
and non-disruptive.

BUT, as the full freeze will probably start before the 20 days limit is
reached, I can't say how your package migration will be handled. I guess
it will be blocked. I would therefore recommend you confirm with a release
team member what to do, but I guess an unblock bug with the debdiff opened
right now could be a good idea and would probably allow your changes to be
part of bullseye if the release-team see it fit. :)

 1. Uploading to unstable for now is not a bad idea if the upload is
what you expect to see in testing
 2. The urgency field is ignored during the currents and future parts
of the freeze.

Cheers!
--
PEB

[0] https://release.debian.org/bullseye/freeze_policy.html


signature.asc
Description: PGP signature

Bug#990663: unblock: libuv1/1.40.0-1

[Dominique Dumont]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libuv1

[ Reason ]
libuv1 1.40.0-1 is affected by CVE-2021-22918
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990561

In more details:

> Node.js (through libuv1) is vulnerable to out-of-bounds read in
> libuv's uv__idna_toascii() function which is used to convert strings
> to ASCII. This is called by Node's dns module's lookup() function and
> can lead to information disclosures or crashes.

See https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/

I've applied a patch prepared by upstream.
https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829

Debdiff does not give much information besides the changelog.

The patch is:
https://salsa.debian.org/debian/libuv1/-/blob/debian/sid/debian/patches/fix-cve-2021-22918


[ Impact ] Without this patch, libuv1 (hence nodejs and may be raku)
are vulnerable to specially crafted host names encoded in punicode.

[ Tests ]
Upstream patch contains specific tests that check that the
vulnerability was fixed.

[ Risks ] Hmm. I guess risk is low as the patch is not so big. I also
trust the judgment of upstream.

[ Checklist ]
  [X ] all changes are documented in the d/changelog
  [X ] I reviewed all changes and I approve them
  [X ] attach debdiff against the package in testing


unblock libuv1/1.40.0-1
diff -Nru libuv1-1.40.0/debian/changelog libuv1-1.40.0/debian/changelog
--- libuv1-1.40.0/debian/changelog  2020-10-31 18:43:46.0 +0100
+++ libuv1-1.40.0/debian/changelog  2021-07-04 09:43:38.0 +0200
@@ -1,3 +1,9 @@
+libuv1 (1.40.0-2) unstable; urgency=medium
+
+  * add patch for CVE-2021-22918 (Closes: #990561)
+
+ -- Dominique Dumont   Sun, 04 Jul 2021 09:43:38 +0200
+
 libuv1 (1.40.0-1) unstable; urgency=medium
 
   * new upstream version