NEW changes in stable-new

2023-12-09 Thread Debian FTP Masters
Processing changes file: linux_6.1.66-1_mipsel-buildd.changes
  ACCEPT



Re: Planning for 12.3

2023-12-09 Thread Luna Jernberg
Did not really go as planned yesterday, as a kernel bug with ext4 that
can corrupt data was found midway.

Any plans for when we do 12.4 testing instead?

Today, Sunday 10th December, or next weekend, 15-17th December?

Should be able to help 10th, 16th and 17th

On Sat, 9 Dec 2023 at 09:42, Luna Jernberg wrote:
>
> Reminder Debian 12.3 testing UK afternoon time today
>
> On Thu, 30 Nov 2023 at 00:51, Luna Jernberg wrote:
> >
> > Hey!
> >
> > As I said on IRC earlier yesterday I should be able to help with some
> > ISO CD testing this round too
> >
> > On Sat, 7 Oct 2023 at 19:59, Jonathan Wiltshire wrote:
> > >
> > > Hi,
> > >
> > > The next point release for bookworm should be around the end of November
> > > 2023. We're about a week behind cadence anyway, but I already know the 28th
> > > November will be unsuitable (Cambridge mini-debconf) and the weekend
> > > following is probably recovery time for a lot of people.
> > >
> > > Much after that we get into holidays and well off cadence.
> > >
> > > How about:
> > >   4th December (better for cadence)
> > >  11th December (more likely suitable in practice)
> > >
> > > Thanks,
> > >
> > > --
> > > Jonathan Wiltshire  j...@debian.org
> > > Debian Developer http://people.debian.org/~jmw
> > >
> > > 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
> > > ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
> > >



NEW changes in stable-new

2023-12-09 Thread Debian FTP Masters
Processing changes file: linux_6.1.66-1_i386-buildd.changes
  ACCEPT



NEW changes in stable-new

2023-12-09 Thread Debian FTP Masters
Processing changes file: base-files_12.4+deb12u4_amd64-buildd.changes
  ACCEPT
Processing changes file: base-files_12.4+deb12u4_i386-buildd.changes
  ACCEPT
Processing changes file: linux_6.1.66-1_amd64-buildd.changes
  ACCEPT



NEW changes in stable-new

2023-12-09 Thread Debian FTP Masters
Processing changes file: base-files_12.4+deb12u4_arm64-buildd.changes
  ACCEPT
Processing changes file: base-files_12.4+deb12u4_armel-buildd.changes
  ACCEPT
Processing changes file: base-files_12.4+deb12u4_armhf-buildd.changes
  ACCEPT
Processing changes file: base-files_12.4+deb12u4_mips64el-buildd.changes
  ACCEPT
Processing changes file: base-files_12.4+deb12u4_mipsel-buildd.changes
  ACCEPT
Processing changes file: base-files_12.4+deb12u4_ppc64el-buildd.changes
  ACCEPT
Processing changes file: base-files_12.4+deb12u4_s390x-buildd.changes
  ACCEPT
Processing changes file: linux_6.1.66-1_arm64-buildd.changes
  ACCEPT
Processing changes file: linux_6.1.66-1_armel-buildd.changes
  ACCEPT
Processing changes file: linux_6.1.66-1_armhf-buildd.changes
  ACCEPT



NEW changes in stable-new

2023-12-09 Thread Debian FTP Masters
Processing changes file: linux_6.1.66-1_s390x-buildd.changes
  ACCEPT



NEW changes in stable-new

2023-12-09 Thread Debian FTP Masters
Processing changes file: linux_6.1.66-1_ppc64el-buildd.changes
  ACCEPT



NEW changes in stable-new

2023-12-09 Thread Debian FTP Masters
Processing changes file: base-files_12.4+deb12u4_source.changes
  ACCEPT
Processing changes file: linux_6.1.66-1_all-buildd.changes
  ACCEPT



Bug#1055955: transition: perl 5.38

2023-12-09 Thread gregor herrmann
On Sat, 09 Dec 2023 13:15:23 +0200, Niko Tyni wrote:

> We have one new blocker, not related to Perl 5.38 but preventing
> the necessary rebuild:
>   libgit-raw-perl #1057318

I've uploaded libgit-raw-perl 0.90+ds-2 with a patch to fix the test
failures.
 
> The (unrelated) pandoc mess causes quite a few failures in sid that
> interfered with the testing though.

According to my last aptitude run pandoc seems to be fixed as well.
 

Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   




NEW changes in oldstable-new

2023-12-09 Thread Debian FTP Masters
Processing changes file: tzdata_2021a-1+deb11u11_all-buildd.changes
  ACCEPT



NEW changes in stable-new

2023-12-09 Thread Debian FTP Masters
Processing changes file: linux_6.1.66-1_source.changes
  ACCEPT



NEW changes in oldstable-new

2023-12-09 Thread Debian FTP Masters
Processing changes file: tzdata_2021a-1+deb11u11_source.changes
  ACCEPT



Processed: tzdata 2021a-1+deb11u11 flagged for acceptance

2023-12-09 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 
'release.debian.org'
Limit currently set to 'package':'release.debian.org'

> tags 1057235 = bullseye pending
Bug #1057235 [release.debian.org] bullseye-pu: package tzdata/2021a-1+deb11u11
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1057235: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057235
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1057235: tzdata 2021a-1+deb11u11 flagged for acceptance

2023-12-09 Thread Adam D Barratt
package release.debian.org
tags 1057235 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into 
the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: tzdata
Version: 2021a-1+deb11u11

Explanation: update leap seconds file; fix a typo in the Egypt change 
introduced in tzdata 2021a-1+deb11u9



Bug#1057179: Acknowledgement (bookworm-pu: package mariadb-10.6 1:10.11.6-0+deb12u1)

2023-12-09 Thread Salvatore Bonaccorso
Hi Otto,

On Sat, Dec 09, 2023 at 10:58:09PM +0800, Otto Kekäläinen wrote:
> Hi Debian security team!
> 
> MariaDB 1:10.11.6-1 entered Trixie only today after being stuck in
> pending migration since Nov 28th from unstable. This
> 1:10.11.6-0+deb12u1 missed the point update window.
> 
> Are you OK if we proceed with this as a security upload?

I do not think we really need that. There is only scarce information
on the only CVE fixed, CVE-2023-22084, and the official description
seems to require a high privileged attacker.

But maybe you could reach out to MariaDB upstream so we can have a
better idea on the fixed issue?

I would suggest you just upload what you prepared to the
proposed-updates queues so it can be exposed by further testing of the
release team tooling, and it will be included in the 12.4 point
release.

That is not even a problem if there will be a later incremental update
on it.

Regards,
Salvatore



Bug#1057179: Acknowledgement (bookworm-pu: package mariadb-10.6 1:10.11.6-0+deb12u1)

2023-12-09 Thread Otto Kekäläinen
Hi Debian security team!

MariaDB 1:10.11.6-1 entered Trixie only today after being stuck in
pending migration since Nov 28th from unstable. This
1:10.11.6-0+deb12u1 missed the point update window.

Are you OK if we proceed with this as a security upload?

Changes visible at
https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/60

Debdiff equivalent visible at
https://salsa.debian.org/otto/mariadb-server/-/compare/e9eb6f72...ab7b8417?from_project_id=74127&straight=false



Re: Bug#1057843: linux: ext4 data corruption in 6.1.64-1

2023-12-09 Thread Salvatore Bonaccorso
Hi,

On Sat, Dec 09, 2023 at 03:07:37PM +0100, Salvatore Bonaccorso wrote:
> Source: linux
> Version: 6.1.64-1
> Severity: grave
> Tags: upstream
> Justification: causes non-serious data loss
> X-Debbugs-Cc: debian-release@lists.debian.org, car...@debian.org, 
> a...@debian.org
> 
> Hi
> 
> I'm filing this for visibility.
> 
> There might be an ext4 data corruption issue with the kernel released
> in the 12.3 bookworm point release (which is addressed in 6.1.66
> upstream already).
> 
> The report about the regression and some details:
> 
> https://lore.kernel.org/stable/20231205122122.dfhhoaswsfscuhc3@quack3/

6.1.66 upstream fixes the issue:

# uname -a
Linux bookworm-amd64 6.1.0-15-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.66-1 
(2023-12-06) x86_64 GNU/Linux
# LTP_SINGLE_FS_TYPE=ext4 LTP_DEV_FS_TYPE=ext4 ./preadv03_64
tst_device.c:96: TINFO: Found free device 0 '/dev/loop0'
tst_test.c:1690: TINFO: LTP version: 20230929-194-g5c096b2cf
tst_test.c:1574: TINFO: Timeout per run is 0h 00m 30s
tst_supported_fs_types.c:149: TINFO: WARNING: testing only ext4
tst_supported_fs_types.c:90: TINFO: Kernel supports ext4
tst_supported_fs_types.c:55: TINFO: mkfs.ext4 does exist
tst_test.c:1650: TINFO: === Testing on ext4 ===
tst_test.c:1105: TINFO: Formatting /dev/loop0 with ext4 opts='' extra opts=''
mke2fs 1.47.0 (5-Feb-2023)
tst_test.c:1119: TINFO: Mounting /dev/loop0 to /tmp/LTP_preGGYjTj/mntpoint 
fstyp=ext4 flags=0
preadv03.c:102: TINFO: Using block size 512
preadv03.c:87: TPASS: preadv(O_DIRECT) read 512 bytes successfully with content 
'a' expectedly
preadv03.c:87: TPASS: preadv(O_DIRECT) read 512 bytes successfully with content 
'a' expectedly
preadv03.c:87: TPASS: preadv(O_DIRECT) read 512 bytes successfully with content 
'b' expectedly

Summary:
passed   3
failed   0
broken   0
skipped  0
warnings 0

Regards,
Salvatore



Bug#1057843: linux: ext4 data corruption in 6.1.64-1

2023-12-09 Thread Salvatore Bonaccorso
Source: linux
Version: 6.1.64-1
Severity: grave
Tags: upstream
Justification: causes non-serious data loss
X-Debbugs-Cc: debian-release@lists.debian.org, car...@debian.org, 
a...@debian.org

Hi

I'm filing this for visibility.

There might be an ext4 data corruption issue with the kernel released
in the 12.3 bookworm point release (which is addressed in 6.1.66
upstream already).

The report about the regression and some details:

https://lore.kernel.org/stable/20231205122122.dfhhoaswsfscuhc3@quack3/

Regards,
Salvatore



Bug#1055955: transition: perl 5.38

2023-12-09 Thread Niko Tyni
On Tue, Nov 14, 2023 at 08:28:01PM +0200, Niko Tyni wrote:

> this has taken me much longer than necessary for various reasons, but I
> think we're almost ready to push Perl 5.38 to sid now.

>   
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=perl-5.38-transition;users=debian-p...@lists.debian.org
> 
> There's a few packages that are nontrivially broken and will probably
> need to be removed from testing.
> 
>   libapache-db-perl #1040396
> 
>   libembperl-perl #1042845
> 
>   polymake #1042521

The polymake bug was fixed recently (yay!). The other two remain, but
libapache-db-perl got removed from testing already. I don't see any
rdeps for libembperl-perl so presumably it can be removed as well.

We have one new blocker, not related to Perl 5.38 but preventing
the necessary rebuild:

  libgit-raw-perl #1057318

The only reverse dependencies I can see are libgit-objectstore-perl
and torrus-common, so seems like testing removal is a viable option
here as well.

I uploaded 5.38.2 to experimental in the meantime, and have re-run
the rebuild and autopkgtest checks. I found no new Perl 5.38 related
regressions, and the new rebuild blockers I found are already fixed.
The (unrelated) pandoc mess causes quite a few failures in sid that
interfered with the testing though.

I think we're as ready as can reasonably be, assuming you're OK with the
above testing removals. Please let me know when a suitable transition
slot becomes available.

Thanks for your work,
-- 
Niko



Bug#1053681: marked as done (bookworm-pu: package systemd/252.19-1~deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1053681,
regarding bookworm-pu: package systemd/252.19-1~deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1053681: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053681
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-systemd-maintain...@lists.alioth.debian.org

Dear Release Team,

We would like to upload the latest stable point release of systemd 252
to bookworm-p-u. Stable release branches are maintained upstream with
the intention of providing bug fixes only and no compatibility
breakages, and with automated non-trivial CI jobs that also cover
Debian and Ubuntu. I have already uploaded to p-u.

Debdiff attached. No packaging changes besides refreshing patches.

-- 
Kind regards,
Luca Boccassi
diff -Nru systemd-252.17/debian/changelog systemd-252.18/debian/changelog
--- systemd-252.17/debian/changelog	2023-09-20 13:15:14.0 +0100
+++ systemd-252.18/debian/changelog	2023-10-08 16:14:12.0 +0100
@@ -1,3 +1,10 @@
+systemd (252.18-1~deb12u1) bookworm; urgency=medium
+
+  * New upstream version 252.18
+  * Refresh patches
+
+ -- Luca Boccassi   Sun, 08 Oct 2023 16:14:12 +0100
+
 systemd (252.17-1~deb12u1) bookworm; urgency=medium
 
   * New upstream version 252.17. Fixes minor security issue in arm64
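Review bot: the new changelog entry at the top of this hunk says only "New upstream version 252.18" and "Refresh patches", with no summary of what the upstream release changes, whereas the 252.17 entry below it at least names the security fix it carries. For a stable update, list the notable fixes (or point to the upstream stable branch history) so the regression risk can be judged from the changelog alone.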
diff -Nru systemd-252.17/debian/patches/debian/Don-t-enable-audit-by-default.patch systemd-252.18/debian/patches/debian/Don-t-enable-audit-by-default.patch
--- systemd-252.17/debian/patches/debian/Don-t-enable-audit-by-default.patch	2023-09-20 13:15:08.0 +0100
+++ systemd-252.18/debian/patches/debian/Don-t-enable-audit-by-default.patch	2023-10-08 16:14:01.0 +0100
@@ -29,10 +29,10 @@
  

 diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
-index bced165..6356be2 100644
+index 3e55795..314f684 100644
 --- a/src/journal/journald-server.c
 +++ b/src/journal/journald-server.c
-@@ -2275,7 +2275,7 @@ int server_init(Server *s, const char *namespace) {
+@@ -2273,7 +2273,7 @@ int server_init(Server *s, const char *namespace) {
  .compress.threshold_bytes = UINT64_MAX,
  .seal = true,
  
diff -Nru systemd-252.17/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch systemd-252.18/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch
--- systemd-252.17/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch	2023-09-20 13:15:08.0 +0100
+++ systemd-252.18/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch	2023-10-08 16:14:01.0 +0100
@@ -30,10 +30,10 @@
  systemd.journald.forward_to_kmsg,
  systemd.journald.forward_to_console, and
 diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
-index 6faf48d..bced165 100644
+index 4c5eadc..3e55795 100644
 --- a/src/journal/journald-server.c
 +++ b/src/journal/journald-server.c
-@@ -2285,6 +2285,7 @@ int server_init(Server *s, const char *namespace) {
+@@ -2283,6 +2283,7 @@ int server_init(Server *s, const char *namespace) {
  .ratelimit_interval = DEFAULT_RATE_LIMIT_INTERVAL,
  .ratelimit_burst = DEFAULT_RATE_LIMIT_BURST,
  
diff -Nru systemd-252.17/debian/patches/debian/Revert-core-set-RLIMIT_CORE-to-unlimited-by-default.patch systemd-252.18/debian/patches/debian/Revert-core-set-RLIMIT_CORE-to-unlimited-by-default.patch
--- systemd-252.17/debian/patches/debian/Revert-core-set-RLIMIT_CORE-to-unlimited-by-default.patch	2023-09-20 13:15:08.0 +0100
+++ systemd-252.18/debian/patches/debian/Revert-core-set-RLIMIT_CORE-to-unlimited-by-default.patch	2023-10-08 16:14:01.0 +0100
@@ -19,7 +19,7 @@
  2 files changed, 1 insertion(+), 21 deletions(-)
 
 diff --git a/src/core/main.c b/src/core/main.c
-index a84fafa..5e61df8 100644
+index c3b1a35..59ea0c6 100644
 --- a/src/core/main.c
 +++ b/src/core/main.c
 @@ -1650,24 +1650,6 @@ static void cmdline_take_random_seed(void) {
diff -Nru systemd-252.17/debian/patches/p11kit-switch-to-dlopen.patch systemd-252.18/debian/patches/p11kit-switch-to-dlopen.patch
--- systemd-252.17/debian/patches/p11kit-switch-to-dlopen.patch	2023-09-20 13:15:08.0 +0100
+++ systemd-252.18/debian/patches/p11kit-switch-to

Bug#1057327: marked as done (bookworm-pu: package amanda/3.5.1-11+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1057327,
regarding bookworm-pu: package amanda/3.5.1-11+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1057327: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057327
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ama...@packages.debian.org
Control: affects -1 + src:amanda

This upload fixes CVE-2023-30577, a backup-user-to-root
vulnerability.

After fixing this CVE already for unstable (NMU pending, ETA Friday),
buster and stretch, I'd also like to fix it for bookworm
and bullseye.

The patch is taken from upstream [1] and has been merged already there.
Package test suite is still happy.

[1] https://github.com/zmanda/amanda/pull/228

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable
  (as said, pending NMU)

I've uploaded the package already to the s-p-u queue.

-- 
Cheers,
tobi
diff -Nru amanda-3.5.1/debian/changelog amanda-3.5.1/debian/changelog
--- amanda-3.5.1/debian/changelog	2023-03-21 18:35:47.0 +0100
+++ amanda-3.5.1/debian/changelog	2023-12-03 14:17:07.0 +0100
@@ -1,3 +1,10 @@
+amanda (1:3.5.1-11+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Apply upstream fix for CVE-2023-30577 (Closes: #1055253)
+
+ -- Tobias Frost   Sun, 03 Dec 2023 14:17:07 +0100
+
 amanda (1:3.5.1-11) unstable; urgency=medium
 
   * d/p/49-fix-CVE-2022-37705_part_2: 48-fix-CVE-2022-37705 broken one use
diff -Nru amanda-3.5.1/debian/patches/57-CVE-2023-30577.patch amanda-3.5.1/debian/patches/57-CVE-2023-30577.patch
--- amanda-3.5.1/debian/patches/57-CVE-2023-30577.patch	1970-01-01 01:00:00.0 +0100
+++ amanda-3.5.1/debian/patches/57-CVE-2023-30577.patch	2023-12-03 13:55:48.0 +0100
@@ -0,0 +1,83 @@
+Description: CVE-2023-30577 - Local privilege escalation.
+Origin: https://github.com/zmanda/amanda/pull/228
+Bug: https://github.com/zmanda/amanda/security/advisories/GHSA-crrw-v393-h5q3
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055253
+--- a/client-src/runtar.c
 b/client-src/runtar.c
+@@ -39,6 +39,11 @@
+ #include "amutil.h"
+ #include "conffile.h"
+ #include "client_util.h"
++#include 
++
++static const char *whitelisted_args[] = {"--blocking-factor", "--file", "--directory", "--exclude", "--transform", "--listed-incremental", "--newer", "--exclude-from", "--files-from", NULL};
++
++bool check_whitelist(char* option);
+ 
+ int main(int argc, char **argv);
+ 
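Review bot: the prototype added in this hunk, `bool check_whitelist(char* option);`, should be `static` and take a `const char *`. The function only reads the option, it walks a `static const char *whitelisted_args[]`, and as far as this patch shows it is used only in runtar.c. The definition in the last hunk spells the parameter `gchar* option`, so the declaration and definition should also be made to agree, and the iterators `char **j` and `char** i` in the later hunks should be `const char **` to avoid discarding the qualifier.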
+@@ -49,6 +54,7 @@
+ {
+ #ifdef GNUTAR
+ int i;
++char **j;
+ char *e;
+ char *dbf;
+ char *cmdline;
+@@ -182,20 +188,23 @@
+ 		g_str_has_prefix(argv[i],"--verbose")) {
+ 		/* Accept theses options */
+ 		good_option++;
+-	} else if (g_str_has_prefix(argv[i],"--blocking-factor") ||
+-		g_str_has_prefix(argv[i],"--file") ||
+-		g_str_has_prefix(argv[i],"--directory") ||
+-		g_str_has_prefix(argv[i],"--exclude") ||
+-		g_str_has_prefix(argv[i],"--transform") ||
+-		g_str_has_prefix(argv[i],"--listed-incremental") ||
+-		g_str_has_prefix(argv[i],"--newer") ||
+-		g_str_has_prefix(argv[i],"--exclude-from") ||
+-		g_str_has_prefix(argv[i],"--files-from")) {
++	} else if (check_whitelist(argv[i])) {
+ 		if (strchr(argv[i], '=')) {
+ 		good_option++;
+ 		} else {
+ 		/* Accept theses options with the following argument */
+ 		good_option += 2;
++
++/* Whitelisting only the allowed arguments*/
++for(j=whitelisted_args; *j; j++) {
++if (strcmp(argv[i], *j) == 0) {
++break;
++}
++}
++
++if (!*j) {
++good_option = 0; // not allowing arguments absent in the whitelist
++}
+ 		}
+ } else if (argv[i][0] != '-') {
+ 		good_option++;
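Review bot: in the `else if (check_whitelist(argv[i]))` branch the exact `strcmp` comparison against `whitelisted_args` runs only when the argument contains no `=`; when `strchr(argv[i], '=')` is true the option is counted with `good_option++` after nothing stricter than the `g_str_has_prefix` test inside `check_whitelist`. An option name that merely begins with a listed name and is followed by `=` is therefore still accepted, so the text before the `=` should be compared exactly against the list in that branch as well. Separately, a rejected option only sets `good_option = 0`; whether later arguments can raise the counter again depends on code outside this hunk, so returning an error at that point would be easier to verify.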
+@@ -239,3 +248,23 @@
+ return 1;
+ #endif
+ }
++
++bool
++check_whitelist(
++gchar* option)
++{
++bool result = TRUE;
++char** i;
++
++for(i=whitelisted_args; *i; i++) {
++if (g_str_has_prefix(option, *i)) {
++break;
++}
++}
++
++if (!*i) {
++res

Bug#1057274: marked as done (bookworm-pu: package gimp/2.10.34-1+deb12u2)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1057274,
regarding bookworm-pu: package gimp/2.10.34-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1057274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057274
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Salvatore Bonaccorso 

  * Add Conflicts+Replaces: gimp-dds to remove old versions of this
plugin shipped by gimp itself since 2.10.10. (Closes: #1057149)

gimp-dds is an older version of a plugin already included
in gimp in bookworm, it also has CVE-2023-1 (DSA-5564-1)
unfixed.

Removal of gimp-dds from bookworm has already been requested
in #1056710, this update additionally removes stale versions
a user might still have installed.
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1057239: marked as done (bookworm-pu: cups/2.4.2-3+deb12u5)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1057239,
regarding bookworm-pu: cups/2.4.2-3+deb12u5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1057239: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057239
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for cups fixes a nasty bug in Bookworm.
If the PPD file for a printer has a ColorModel option and the only choice
for printing in color is not named RGB but CMYK instead, the printer
cannot be made to print in color with intuitive methods, usually
by selecting the color choice in the print dialog.


The fix was already applied in Unstable/Testing and also uploaded 
to Ubuntu-Lunar and seems to work as expected.


  Thorsten
diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2023-10-05 16:35:27.0 +0200
+++ cups-2.4.2/debian/changelog 2023-12-01 20:35:27.0 +0100
@@ -1,3 +1,15 @@
+cups (2.4.2-3+deb12u5) bookworm; urgency=medium
+
+  * 0017-check-colormodel-also-for-CMYK.patch
+Take into account that on some printers the ColorModel option's
+choice for color printing is CMYK and not RGB.
+  * 0018-dont-override-color-settings-from-print-dialoag.patch
+Prioritize the ColorModel PPD file option over the print-color-mode
+IPP attribute. (Closes: #1056581)
+(Thanks a lot to Till Kamppeter for the patches)
+
+ -- Thorsten Alteholz   Fri, 01 Dec 2023 20:35:27 +0100
+
 cups (2.4.2-3+deb12u4) bookworm; urgency=medium
 
   * remove debian/NEWS again to avoid too much information when only
diff -Nru cups-2.4.2/debian/patches/0017-check-colormodel-also-for-CMYK.patch 
cups-2.4.2/debian/patches/0017-check-colormodel-also-for-CMYK.patch
--- cups-2.4.2/debian/patches/0017-check-colormodel-also-for-CMYK.patch 
1970-01-01 01:00:00.0 +0100
+++ cups-2.4.2/debian/patches/0017-check-colormodel-also-for-CMYK.patch 
2023-12-01 20:35:27.0 +0100
@@ -0,0 +1,21 @@
+From: Thorsten Alteholz 
+Date: Sat, 2 Dec 2023 00:00:38 +0100
+Subject: check colormodel also for CMYK
+
+---
+ scheduler/printers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scheduler/printers.c b/scheduler/printers.c
+index 4efa613..2fbdaad 100644
+--- a/scheduler/printers.c
 b/scheduler/printers.c
+@@ -4509,7 +4509,7 @@ load_ppd(cupsd_printer_t *p) /* I - Printer 
*/
+ ppd_option_t *color_model = ppdFindOption(ppd, "ColorModel");
+   // ColorModel PPD option
+ 
+-if (color_model && strcmp(color_model->defchoice, "RGB"))
++if (color_model && strcmp(color_model->defchoice, "RGB") && 
strcmp(color_model->defchoice, "CMYK"))
+   p->num_options = cupsAddOption("print-color-mode", "monochrome", 
p->num_options, &p->options);
+   }
+ }
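Review bot: the changed condition compares `color_model->defchoice` against two hard-coded names, so a PPD whose default ColorModel choice is a color mode under any other name still gets `print-color-mode=monochrome` added. If only `RGB` and `CMYK` are meant to count as color, say so in a comment next to the test; otherwise the check needs a more general way to tell color choices from grayscale ones. The patch header also has an empty description, so the reasoning from the bug report is not recorded with the change.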
diff -Nru 
cups-2.4.2/debian/patches/0018-dont-override-color-settings-from-print-dialoag.patch
 
cups-2.4.2/debian/patches/0018-dont-override-color-settings-from-print-dialoag.patch
--- 
cups-2.4.2/debian/patches/0018-dont-override-color-settings-from-print-dialoag.patch
1970-01-01 01:00:00.0 +0100
+++ 
cups-2.4.2/debian/patches/0018-dont-override-color-settings-from-print-dialoag.patch
2023-12-01 20:35:27.0 +0100
@@ -0,0 +1,78 @@
+From: Thorsten Alteholz 
+Date: Sat, 2 Dec 2023 00:01:23 +0100
+Subject: dont override color settings from print dialoag
+
+---
+ cups/ppd-cache.c | 39 +++
+ scheduler/ipp.c  |  3 +++
+ 2 files changed, 38 insertions(+), 4 deletions(-)
+
+diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
+index 8861813..f72d834 100644
+--- a/cups/ppd-cache.c
 b/cups/ppd-cache.c
+@@ -259,15 +259,46 @@ _cupsConvertOptions(
+ 
+   color_attr_name = print_color_mode_sup ? "print-color-mode" : "output-mode";
+ 
+-  if ((keyword = cupsGetOption("print-color-mode", num_options, options)) == 
NULL)
++ /*
++  * If we use PPD with standardized PPD option for color support - ColorModel,
++  * prefer it to don't break color/grayscale support for PPDs, either classic
++  * or the ones generated from IPP Get-Printer-Attributes response.
++  */
++
++  if ((keyword = cupsGetOption("ColorModel", num_options, options)) == NULL)
+   {
++   /*
++*

Bug#1057236: marked as done (bookworm-pu: package gosa-plugins-sudo/2.8~git20211022.7ff3ed2-2+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1057236,
regarding bookworm-pu: package 
gosa-plugins-sudo/2.8~git20211022.7ff3ed2-2+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1057236: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057236
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gosa-plugins-s...@packages.debian.org
Control: affects -1 + src:gosa-plugins-sudo

Please accept updated package gosa-plugins-sudo to bookworm.

[ Reason ]
Fix processing sudoUser regexp when processing LDAP sudo rules.

[ Impact ]
GOsa²'s sudo plugin will behave buggy. This will be noticed by sysadmins
of Debian Edu 12.

[ Tests ]
Manual tests.

[ Risks ]
Merely none, only for users of GOsa² and its sudo plugin.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

+  * debian/patches:
++ Add 1001_plugins-admin-sudo-class_sudoGeneric.inc-Assign-vari.patch.
+  Assign variable before using it.

[ Other info ]
none
diff -Nru gosa-plugins-sudo-2.8~git20211022.7ff3ed2/debian/changelog 
gosa-plugins-sudo-2.8~git20211022.7ff3ed2/debian/changelog
--- gosa-plugins-sudo-2.8~git20211022.7ff3ed2/debian/changelog  2023-01-23 
13:03:23.0 +0100
+++ gosa-plugins-sudo-2.8~git20211022.7ff3ed2/debian/changelog  2023-12-01 
23:27:03.0 +0100
@@ -1,3 +1,11 @@
+gosa-plugins-sudo (2.8~git20211022.7ff3ed2-2+deb12u1) bookworm; urgency=medium
+
+  * debian/patches:
++ Add 1001_plugins-admin-sudo-class_sudoGeneric.inc-Assign-vari.patch.
+  Assign variable before using it.
+
+ -- Mike Gabriel   Fri, 01 Dec 2023 23:27:03 +0100
+
 gosa-plugins-sudo (2.8~git20211022.7ff3ed2-2) unstable; urgency=medium
 
   * Source-only upload to unstable.
diff -Nru 
gosa-plugins-sudo-2.8~git20211022.7ff3ed2/debian/patches/1001_plugins-admin-sudo-class_sudoGeneric.inc-Assign-vari.patch
 
gosa-plugins-sudo-2.8~git20211022.7ff3ed2/debian/patches/1001_plugins-admin-sudo-class_sudoGeneric.inc-Assign-vari.patch
--- 
gosa-plugins-sudo-2.8~git20211022.7ff3ed2/debian/patches/1001_plugins-admin-sudo-class_sudoGeneric.inc-Assign-vari.patch
1970-01-01 01:00:00.0 +0100
+++ 
gosa-plugins-sudo-2.8~git20211022.7ff3ed2/debian/patches/1001_plugins-admin-sudo-class_sudoGeneric.inc-Assign-vari.patch
2023-12-01 23:26:43.0 +0100
@@ -0,0 +1,33 @@
+From a82b03aa40ee147ddc2a2a440dad18da8be5b5e1 Mon Sep 17 00:00:00 2001
+From: root 
+Date: Thu, 17 Aug 2023 22:16:03 +0200
+Subject: [PATCH 06/13] plugins/admin/sudo/class_sudoGeneric.inc: Assign
+ variable before using it.
+
+---
+ admin/sudo/class_sudoGeneric.inc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/admin/sudo/class_sudoGeneric.inc 
b/admin/sudo/class_sudoGeneric.inc
+index f1b1f31..d55679f 100644
+--- a/admin/sudo/class_sudoGeneric.inc
 b/admin/sudo/class_sudoGeneric.inc
+@@ -297,6 +297,7 @@ class sudo extends plugin
+ /* Acceptable characters for various fields */
+ $ipv4_regex = 
"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$";
+ $fqdn_regex = 
"^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$";
++$c = preg_quote(' *+-?_|!\'"()','/');
+ $attr_regex = array(
+ "sudoUser" => "/^[a-z0-9{$c}]*$/i",
+ "sudoHost" => "/$ipv4_regex|$fqdn_regex/i",
+@@ -310,7 +311,6 @@ class sudo extends plugin
+ isset($_POST['new_'.$attr]) && 
+ !empty($_POST['new_'.$attr])){
+ 
+-$c = preg_quote(' *+-?_|!\'"()','/');
+ if(preg_match($attr_regex[$attr],get_post('new_'.$attr))){
+ $attrs = $this->$attr;
+ $attrs[] =  trim(get_post('new_'.$attr)); 
+-- 
+2.39.2
+
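Review bot: moving `$c = preg_quote(...)` above `$attr_regex` changes what the `sudoUser` check accepts, and the patch does not say so. Before the move `$c` was not yet assigned where the array is built, so the class `[a-z0-9{$c}]` never received the quoted set; with this change it includes space, both quote characters, parentheses and `|`. Please confirm that this is the intended set for values that are then stored through `trim(get_post('new_'.$attr))`, and record it in the patch description, which currently has no body text and carries `From: root` with no Origin or Bug reference.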
diff -Nru gosa-plugins-sudo-2.8~git20211022.7ff3ed2/debian/patches/README 
gosa-plugins-sudo-2.8~git20211022.7ff3ed2/debian/patches/README
--- gosa-plugins-sudo-2.8~git20211022.7ff3ed2/debian/patches/README 
1970-01-01 01:00:00.0 +0100
+++ gosa-plugins-sudo-2.8~git20211022.7ff3e

Bug#1057157: marked as done (bookworm-pu: package spyder/5.4.2+ds-5+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1057157,
regarding bookworm-pu: package spyder/5.4.2+ds-5+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1057157: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057157
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: spy...@packages.debian.org, Samuel Thibault 
Control: affects -1 + src:spyder

[ Reason ]
This is a patch for
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054475

This bug prevents auto-detection of the environment language (using
the Python locale.getdefaultlocale() function) when Spyder is first
run.  After that, Spyder saves the language and uses that saved value
for future use; this setting can be changed in the Spyder preferences.
The upstream patch fixes the error that caused this bug by updating
the list of available translations.

The Debian bug was filed as "normal" severity.  It should probably be
"important", but I have not changed the severity.  (It is definitely
not more than "important", as the language can still be changed by the
user after Spyder has started in English.)  The reporter specifically
suggested that this should be fixed in stable, and with such a simple
patch, I tend to agree.

The patch I have used is the complete upstream patch, minus a minor
tweak to some function documentation.  This is a little larger than
the proposed patch in the Debian bug report, but it protects against
any other oversight in the list of translations.

[ Impact ]
When starting Spyder for the first time in a non-English locale, the
interface will be in English rather than the locale language, even if
a translation for that locale is provided by Spyder.

[ Tests ]
It appears that there are no tests for this piece of code (hence why
this bug was not caught automatically).  The package's autopkgtest
suite still passes, and the updated package has been manually tested
on a bookworm system to ensure that it no longer has this bug.

[ Risks ]
There seem to be few risks with this minor patch.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
See the patch: it fixes the list of available translations and no
longer defaults to English if the list of translations is out of
date.

[ Other info ]
I have not yet uploaded the new version to ftp-master.d.o; I await
your approval before doing so.
diff -Nru spyder-5.4.2+ds/debian/changelog spyder-5.4.2+ds/debian/changelog
--- spyder-5.4.2+ds/debian/changelog2023-02-23 10:59:49.0 +
+++ spyder-5.4.2+ds/debian/changelog2023-11-30 20:22:17.0 +
@@ -1,3 +1,9 @@
+spyder (5.4.2+ds-5+deb12u1) stable; urgency=medium
+
+  * Fix interface language auto-configuration (closes: #1054475)
+
+ -- Julian Gilbey   Thu, 30 Nov 2023 20:22:17 +
+
 spyder (5.4.2+ds-5) unstable; urgency=medium
 
   * Fix translation-loading patch (see discussion at
diff -Nru spyder-5.4.2+ds/debian/patches/enable-i18n.patch 
spyder-5.4.2+ds/debian/patches/enable-i18n.patch
--- spyder-5.4.2+ds/debian/patches/enable-i18n.patch1970-01-01 
01:00:00.0 +0100
+++ spyder-5.4.2+ds/debian/patches/enable-i18n.patch2023-11-30 
20:22:17.0 +
@@ -0,0 +1,76 @@
+From: Carlos Cordoba 
+Date: Thu, 26 Oct 2023 13:52:55 -0500
+Subject: [PATCH] Backport PR #21451: Fix interface language auto-configuration
+Description:
+  Commit 7d99df57dc977ee00d92c959102409be1683df24
+  This bug prevented auto-configuration of the interface language when
+  Spyder is started for the first time.  (After that, the interface language
+  is stored in the preferences file and can be changed via the preferences
+  dialog.)
+  A minor cosmetic fix to the function documentation has been removed from
+  this patch.
+Last-Update: 2023-11-30
+Origin: upstream, https://github.com/spyder-ide/spyder/pull/21461
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054475
+
+--- a/spyder/config/base.py
 b/spyder/config/base.py
+@@ -366,20 +366,24 @@
+ # This needs to be updated every time a new language is added to spyder, and 
is
+ # used by the Preferences configuration to popula

Bug#1057128: marked as done (bookworm-pu: package gnutls28/3.7.9-2+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1057128,
regarding bookworm-pu: package gnutls28/3.7.9-2+deb12u1
to be marked as done.


-- 
1057128: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057128
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 + src:gnutls28

Hello,

I would like to fix CVE-2023-5981 / GNUTLS-SA-2023-10-23 for stable (no
DSA forthcoming, to be fixed by stable update.) The patch is cherrypicked
from upstream 3.8.2 release. Ubuntu's 3.7.8-5ubuntu1.1 has the same
patch (except for being U3 instead of U5 format).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru gnutls28-3.7.9/debian/changelog gnutls28-3.7.9/debian/changelog
--- gnutls28-3.7.9/debian/changelog	2023-04-15 13:45:57.0 +0200
+++ gnutls28-3.7.9/debian/changelog	2023-11-30 07:50:48.0 +0100
@@ -1,3 +1,10 @@
+gnutls28 (3.7.9-2+deb12u1) bookworm; urgency=medium
+
+  * Backport fix for CVE-2023-5981 / GNUTLS-SA-2023-10-23 (timing sidechannel
+in RSA-PSK key exchange) from 3.8.2. Closes: #1056188
+
+ -- Andreas Metzler   Thu, 30 Nov 2023 07:50:48 +0100
+
 gnutls28 (3.7.9-2) unstable; urgency=medium
 
   * CI: Do not try to run tests/ktls.sh, it uses a helper binary. (Plus gnutls
diff -Nru gnutls28-3.7.9/debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch gnutls28-3.7.9/debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch
--- gnutls28-3.7.9/debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch	1970-01-01 01:00:00.0 +0100
+++ gnutls28-3.7.9/debian/patches/60-auth-rsa_psk-side-step-potential-side-channel.patch	2023-11-30 07:50:48.0 +0100
@@ -0,0 +1,229 @@
+From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno 
+Date: Mon, 23 Oct 2023 09:26:57 +0900
+Subject: [PATCH] auth/rsa_psk: side-step potential side-channel
+
+This removes branching that depends on secret data, porting changes
+for regular RSA key exchange from
+4804febddc2ed958e5ae774de2a8f85edeeff538 and
+80a6ce8ddb02477cd724cd5b2944791aaddb702a.  This also removes the
+allow_wrong_pms as it was used sorely to control debug output
+depending on the branching.
+
+Signed-off-by: Daiki Ueno 
+---
+ lib/auth/rsa.c |  2 +-
+ lib/auth/rsa_psk.c | 90 ++
+ lib/gnutls_int.h   |  4 ---
+ lib/priority.c |  1 -
+ 4 files changed, 35 insertions(+), 62 deletions(-)
+
+--- a/lib/auth/rsa.c
 b/lib/auth/rsa.c
+@@ -205,11 +205,11 @@ proc_rsa_client_kx(gnutls_session_t sess
+ 	gnutls_privkey_decrypt_data2(session->internals.selected_key,
+  0, &ciphertext, session->key.key.data,
+  session->key.key.size);
+ 	/* After this point, any conditional on failure that cause differences
+ 	 * in execution may create a timing or cache access pattern side
+-	 * channel that can be used as an oracle, so treat very carefully */
++	 * channel that can be used as an oracle, so tread carefully */
+ 
+ 	/* Error handling logic:
+ 	 * In case decryption fails then don't inform the peer. Just use the
+ 	 * random key previously generated. (in order to avoid attack against
+ 	 * pkcs-1 formatting).
+--- a/lib/auth/rsa_psk.c
 b/lib/auth/rsa_psk.c
+@@ -262,18 +262,17 @@ static int
+ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ 			   size_t _data_size)
+ {
+ 	gnutls_datum_t username;
+ 	psk_auth_info_t info;
+-	gnutls_datum_t plaintext;
+ 	gnutls_datum_t ciphertext;
+ 	gnutls_datum_t pwd_psk = { NULL, 0 };
+ 	int ret, dsize;
+-	int randomize_key = 0;
+ 	ssize_t data_size = _data_size;
+ 	gnutls_psk_server_credentials_t cred;
+ 	gnutls_datum_t premaster_secret = { NULL, 0 };
++	volatile uint8_t ver_maj, ver_min;
+ 
+ 	cred = (gnutls_psk_server_credentials_t)
+ 	_gnutls_get_cred(session, GNUTLS_CRD_PSK);
+ 
+ 	if (cred == NULL) {
+@@ -327,75 +326,53 @@ _gnutls_proc_rsa_psk_client_kx(gnut
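Review bot: in the rsa_psk.c hunk, `volatile uint8_t ver_maj, ver_min;` is added with no comment saying why the qualifier is needed, although the commit message makes clear the point of the change is to avoid branching on secret data; a one-line comment there would keep a later cleanup from dropping it. The diffstat lists only lib/ files (rsa.c, rsa_psk.c, gnutls_int.h, priority.c), so no regression test accompanies the CVE-2023-5981 backport, and the patch header has no Origin or Bug-Debian field tying it to the 3.8.2 release and #1056188 named in the changelog.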

Bug#1057116: marked as done (bookworm-pu: package lxc/1:5.0.2-1+deb12u2)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1057116,
regarding bookworm-pu: package lxc/1:5.0.2-1+deb12u2
to be marked as done.


-- 
1057116: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057116
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-lxc-de...@lists.alioth.debian.org, gib...@debian.org
Control: affects -1 + src:lxc

[ Reason ]
The version of lxc in bookworm fails to create ephemeral copies of
containers. This is affecting Debian users, as two different bugs have
been reported in addition to an upstream bug report.

A fix was merged into the upstream repo earlier today, and I have
cherry-picked it into the packaging for unstable which I have just
uploaded. I would like to get this fix into bookworm, as it is a
regression compared to lxc in bullseye.

[ Impact ]
The version of lxc currently in bookworm cannot create ephemeral copies
of containers.

[ Tests ]
The changes have been reviewed and accepted by the upstream developers.
I have tested that creation of normal and ephemeral containers works as
expected in bookworm with this patch.

[ Risks ]
Minor/none -- the specific variable being checked was fixed to be a
more correct one that could never be NULL, which was the root cause of
the bug. This does technically change the behavior of lxc by fixing the
bug, but I don't think there is any risk of a regression in other lxc
behavior.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Cherry-pick and rebase upstream commit
0e932812ae2ac4dec58e413c0d95d581385b9756, which has been merged into
the upstream repo. There is also renaming of the `bdev_type` variable
to `__bdev_type` which was included in the upstream commit; I have left
that in, so the changes to bookworm packaging can be a direct cherry-
pick of the upstream fix.

[ Other info ]
The source debdiff is attached.
diff -Nru lxc-5.0.2/debian/changelog lxc-5.0.2/debian/changelog
--- lxc-5.0.2/debian/changelog	2023-09-22 16:35:52.0 +
+++ lxc-5.0.2/debian/changelog	2023-11-30 01:17:33.0 +
@@ -1,3 +1,9 @@
+lxc (1:5.0.2-1+deb12u2) bookworm; urgency=medium
+
+  * Cherry-pick upstream fix for creating ephemeral copies (See #1001713)
+
+ -- Mathias Gibbens   Thu, 30 Nov 2023 01:17:33 +
+
 lxc (1:5.0.2-1+deb12u1) bookworm; urgency=medium
 
   * Cherry-pick upstream "fix nftables syntax for IPv6 NAT" (Closes: #1049976)
diff -Nru lxc-5.0.2/debian/patches/0101-cherry-pick-fix-ephemeral-copies.patch lxc-5.0.2/debian/patches/0101-cherry-pick-fix-ephemeral-copies.patch
--- lxc-5.0.2/debian/patches/0101-cherry-pick-fix-ephemeral-copies.patch	1970-01-01 00:00:00.0 +
+++ lxc-5.0.2/debian/patches/0101-cherry-pick-fix-ephemeral-copies.patch	2023-11-30 01:17:33.0 +
@@ -0,0 +1,155 @@
+From 0e932812ae2ac4dec58e413c0d95d581385b9756 Mon Sep 17 00:00:00 2001
+From: Christian Brauner 
+Date: Wed, 29 Nov 2023 15:57:04 +0100
+Subject: [PATCH] conf: fix ephemeral copies
+
+Don't rely on rootfs->bdev_type because that may be NULL. Use storage->type
+instead which can't be NULL.
+
+Co-Developed-by: Mathias Gibbens 
+Signed-off-by: Mathias Gibbens 
+Reported-by: Mathias Gibbens 
+Signed-off-by: Christian Brauner 
+---
+ src/lxc/conf.c| 21 -
+ src/lxc/conf.h|  4 ++--
+ src/lxc/confile.c |  4 ++--
+ src/lxc/storage/storage.c |  4 ++--
+ src/lxc/storage/storage.h |  2 +-
+ 5 files changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 9158713..e338ed7 100644
+--- a/src/lxc/conf.c
 b/src/lxc/conf.c
+@@ -536,16 +536,21 @@ int lxc_rootfs_init(struct lxc_conf *conf, bool userns)
+ 	struct stat st;
+ 	struct statfs stfs;
+ 	struct lxc_rootfs *rootfs = &conf->rootfs;
++	const char *type;
+ 
+ 	ret = lxc_storage_prepare(conf);
+ 	if (ret)
+ 		return syserror_set(-EINVAL, "Failed to prepare rootfs storage");
++	type = rootfs->storage->type;
++
++	if (!type)
++		return syserror_set(-EINVAL, "Storage type neither set nor automatically detected");
+ 
+ 	if (!is_empty_string(rootfs->m
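Review bot: in lxc_rootfs_init(), `type = rootfs->storage->type;` dereferences rootfs->storage as soon as lxc_storage_prepare() returns 0, and the NULL test that follows covers only `type`, not the pointer it was read through. Please confirm that lxc_storage_prepare() cannot return success with rootfs->storage still unset, or test the pointer before the dereference. The commit message also says storage->type "can't be NULL" while the hunk adds `if (!type)`, so one of the two should be adjusted.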

Bug#1057103: marked as done (bookworm-pu: package debian-edu-doc/2.12.20~deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1057103,
regarding bookworm-pu: package debian-edu-doc/2.12.20~deb12u1
to be marked as done.


-- 
1057103: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057103
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
x-debbugs-cc: debian-...@lists.debian.org

[ Reason ]
Update to the latest version of the Debian Edu bookworm & bullseye manuals and
their translations. This update also adds a build-depends on inkscape which
will cause some PDFs for some languages to be built again.

[ Impact ]
Updated debian-edu-doc and translations. Some users will be happy about having
a PDF manual again too.

[ Tests ]
Build and smoke-tests.

[ Risks ]
Hardly any & definitely none for anyone not using the package.

 debian/changelog | 38
 debian/control | 1
 debian/mail_stats_to_list | 5
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual-stripped.xml | 42 +++--
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.da.po | 118 ---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.de.po | 124 +--
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.es.po | 558 ---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.fr.po | 118 ---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.it.po | 368 ++
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.ja.po | 118 ---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.nb-no.po | 114 +++---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.nl.po | 206 +++---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.pl.po | 95 +---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.pot | 88 ---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.pt-br.po | 776 ++-
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.pt-pt.po | 676 --
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.pt.po | 704 ++---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.ro.po | 104 ++---
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.sv.po | 699 +++--
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.xml | 133 +++-
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.zh-cn.po | 124 +--
 documentation/debian-edu-bookworm/debian-edu-bookworm-manual.zh-tw.po | 94 +--
 documentation/debian-edu-bookworm/images/installer-logo.svg | 177 ++
 documentation/debian-edu-bookworm/source/AllInOne-debian-edu-bookworm-manual.xml | 97 +++-
 documentation/debian-edu-bullseye/debian-edu-bullseye-manual.es.po | 599 +++-
 documentation/debian-edu-bullseye/debian-edu-bullseye-manual.pt-br.po | 16 +-
 26 files changed, 3943 insertions(+), 2249 deletions(-)



[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
(will attach the 90kb compressed diff once the bug has made it to the list)
  [x] the issu

Bug#1057099: marked as done (bookworm-pu: package tzdata/2023c-5+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1057099,
regarding bookworm-pu: package tzdata/2023c-5+deb12u1
to be marked as done.


-- 
1057099: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057099
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: tzd...@packages.debian.org, debian-gl...@lists.debian.org
Control: affects -1 + src:tzdata

[ Reason ]
tzdata contains a leap second file which is updated twice a year, and
which has an expiration date on 28 December 2023. Usually this file is
updated along with timezone changes, but 2023 has seen a surprisingly low
number of timezone changes, and there hasn't been a new upstream version
since March! Therefore we need to do a specific upload to update this
file with only this change.

[ Impact ]
There is no leap second added at the end of 2023, so the impact is
relatively low, but NTP servers using this file usually emit warnings
28 days before the expiration date.

[ Tests ]
There is no test for this change.

[ Risks ]
The risk is quite low, the changes are minimal and routinely done twice
a year.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
This is the full changelog entry with explanations:

  * Update leap-seconds.list from upstream

The leap-seconds.list change is taken from upstream, who took it from
NIST following an IERS Bulletin.
  
  * Remove leapseconds during clean target

The cleanup of the leapseconds file is needed as, following the above
change, the one shipped in the upstream tarball does not match anymore the
one generated during build from leap-seconds.list. This is needed to
avoid a FTBFS after successful build.

[ Other info ]
Given the limited changes, I have already uploaded the package to the
archive. Thanks for considering.
diff -Nru tzdata-2023c/debian/changelog tzdata-2023c/debian/changelog
--- tzdata-2023c/debian/changelog   2023-05-28 21:54:34.0 +0200
+++ tzdata-2023c/debian/changelog   2023-11-28 20:21:17.0 +0100
@@ -1,3 +1,10 @@
+tzdata (2023c-5+deb12u1) bookworm; urgency=medium
+
+  * Update leap-seconds.list from upstream
+  * Remove leapseconds during clean target
+
+ -- Aurelien Jarno   Tue, 28 Nov 2023 20:21:17 +0100
+
 tzdata (2023c-5) unstable; urgency=medium
 
   * Update German debconf translation.
diff -Nru tzdata-2023c/debian/clean tzdata-2023c/debian/clean
--- tzdata-2023c/debian/clean   1970-01-01 01:00:00.0 +0100
+++ tzdata-2023c/debian/clean   2023-11-28 18:10:17.0 +0100
@@ -0,0 +1 @@
+leapseconds
diff -Nru tzdata-2023c/debian/patches/01-no-leap-second-on-2023-12-31.patch 
tzdata-2023c/debian/patches/01-no-leap-second-on-2023-12-31.patch
--- tzdata-2023c/debian/patches/01-no-leap-second-on-2023-12-31.patch   
1970-01-01 01:00:00.0 +0100
+++ tzdata-2023c/debian/patches/01-no-leap-second-on-2023-12-31.patch   
2023-11-28 18:10:13.0 +0100
@@ -0,0 +1,41 @@
+From c3e966c59b02b1f47f0b7b0e4aa6a86563c07062 Mon Sep 17 00:00:00 2001
+From: Tim Parenti 
+Date: Mon, 14 Aug 2023 15:29:57 -0400
+Subject: [PATCH] No leap second on 2023-12-31
+
+Per IERS Bulletin C 66 (2023-07-04).
+https://hpiers.obspm.fr/iers/bul/bulc/bulletinc.66
+
+* leap-seconds.list: Update file from NIST, retrieved from
+ftp://ftp.boulder.nist.gov/pub/time/leap-seconds.list
+---
+ leap-seconds.list | 8 
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/leap-seconds.list b/leap-seconds.list
+index 17e3a100..3fe9a121 100644
+--- a/leap-seconds.list
 b/leap-seconds.list
+@@ -204,10 +204,10 @@
+ # current -- the update time stamp, the data and the name of the file
+ # will not change.
+ #
+-# Updated through IERS Bulletin C65
+-# File expires on:  28 December 2023
++# Updated through IERS Bulletin C66
++# File expires on:  28 June 2024
+ #
+-#@3912710400
++#@3928521600
+ #
+ 227206080010  # 1 Jan 1972
+ 228778560011  # 1 Jul 1972
+@@ -252,4 +252,4 @@
+ # the hash line is also ignored in the
+ # computation.
+ #
+-#he76a99dc 65f15cc7 e613e040 f5078b5e b23834fe
++#h16
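Review bot: the commit message names ftp://ftp.boulder.nist.gov/pub/time/leap-seconds.list as the source, a transport with no integrity protection, so the values in this hunk deserve an independent check against IERS Bulletin C 66 before upload. The new `#@3928521600` is a count of seconds since 1900 and works out to 28 June 2024 00:00 UTC, which agrees with the updated "File expires on" comment; the replacement `#h` line should be verified in the same pass.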

Bug#1057069: marked as done (bookworm-pu: package midge/0.2.41+dfsg-1~deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1057069,
regarding bookworm-pu: package midge/0.2.41+dfsg-1~deb12u1
to be marked as done.


-- 
1057069: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057069
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
This is a rebuild of the package from sid to remove some likely not
dfsg-free files.

[ Impact ]
Some possibly not dfsg-free files are installed.

[ Tests ]
none

[ Risks ]
Low, the removed files were only shipped as examples.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Modernized d/copyright in order to use files-Excluded for repacking.

 debian/changelog                        |  17 -
 debian/control                          |   2 ++
 debian/copyright                        |  38 +++---
 debian/gbp.conf                         |   2 ++
 debian/rules                            |   5 +
 debian/watch                            |   2 +-
 examples/covers/bobby_brown.mg          | 141 -
 examples/covers/dont_fear_the_reaper.mg |  46 --
 examples/covers/motorhead.mg            |  60
 examples/covers/one_drop.mg             |  71 ---
 examples/covers/paranoid.mg             |  38 --
 examples/covers/stir_it_up.mg           | 105 -
 examples/covers/too_much_to_dream.mg    | 207 ---
 examples/covers/wieh.mg                 |  82 --
 examples/covers/wish_you_were_here.mg   |  78 --
 15 files changed, 49 insertions(+), 845 deletions(-)

$ debdiff midge_0.2.41-4_all.deb midge_0.2.41+dfsg-1~deb12u1_all.deb
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in first .deb but not in second
-
-rw-r--r--  root/root   /usr/share/doc/midge/examples/covers/bobby_brown.mg
-rw-r--r--  root/root   /usr/share/doc/midge/examples/covers/dont_fear_the_reaper.mg
-rw-r--r--  root/root   /usr/share/doc/midge/examples/covers/motorhead.mg
-rw-r--r--  root/root   /usr/share/doc/midge/examples/covers/one_drop.mg
-rw-r--r--  root/root   /usr/share/doc/midge/examples/covers/paranoid.mg
-rw-r--r--  root/root   /usr/share/doc/midge/examples/covers/stir_it_up.mg
-rw-r--r--  root/root   /usr/share/doc/midge/examples/covers/too_much_to_dream.mg
-rw-r--r--  root/root   /usr/share/doc/midge/examples/covers/wieh.mg
-rw-r--r--  root/root   /usr/share/doc/midge/examples/covers/wish_you_were_here.mg

Control files: lines which differ (wdiff format)

Installed-Size: [-356-] {+339+}
Version: [-0.2.41-4-] {+0.2.41+dfsg-1~deb12u1+}

[ Other info ]
n/a

Andreas
diff --git a/debian/changelog b/debian/changelog
index b1294a4..6023474 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+midge (0.2.41+dfsg-1~deb12u1) bookworm; urgency=medium
+
+  * QA upload.
+  * Rebuild for bookworm.
+
+ -- Andreas Beckmann   Wed, 29 Nov 2023 07:07:30 +0100
+
+midge (0.2.41+dfsg-1) unstable; urgency=medium
+
+  * QA upload.
+  * Switch to copyright-format 1.0.
+  * Repack without examples/covers/*.  (Closes: #1056147)
+  * Import package history into GIT.
+
+ -- Andreas Beckmann   Wed, 22 Nov 2023 14:07:43 +0100
+
 midge (0.2.41-4) unstable; 

Bug#1057071: marked as done (bookworm-pu: package rust-sd/0.7.6-1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1057071,
regarding bookworm-pu: package rust-sd/0.7.6-1+deb12u1
to be marked as done.


-- 
1057071: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057071
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: rust...@packages.debian.org

[ Reason ]
squeeze had a sd binary package built from (unrelated) src:sd at
version 0.74-1 which is higher than the 0.7.6-1 currently in bookworm
from src:rust-sd, violating version ordering constraints.
0.80 is a made up version higher than any src:sd version ever in the
archive and lower than src:rust-sd 1.0 in sid.

[ Impact ]
Upgrade failures in CI.

[ Tests ]
Local piuparts tests of (hopefully) all affected upgrade paths.

[ Risks ]
Low, the package has no rdepends that could be affected by the changed
version number.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Add the '0.80.really.' prefix to the binary package, needs pkg-info.mk.

$ debdiff sd_0.7.6-1+b3_amd64.deb sd_0.80.really.0.7.6-1+deb12u1_amd64.deb
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in first .deb but not in second
-
-rw-r--r--  root/root   /usr/share/doc/sd/changelog.Debian.amd64.gz

Control files: lines which differ (wdiff format)

Installed-Size: [-1919-] {+1918+}
Source: rust-sd [-(0.7.6-1)-] {+(0.7.6-1+deb12u1)+}
Version: [-0.7.6-1+b3-] {+0.80.really.0.7.6-1+deb12u1+}
X-Cargo-Built-Using: rust-aho-corasick (= 0.7.19-1), rust-ansi-term (= 
0.12.1-1), rust-atty (= 0.2.14-2), rust-bitflags (= [-1.3.2-2),-] {+1.3.2-3),+} 
rust-cfg-if (= 1.0.0-1), rust-clap-2 (= 2.34.0-3), rust-crossbeam-channel (= 
0.5.6-1), rust-crossbeam-deque (= 0.8.1-1), rust-crossbeam-epoch (= 0.9.13-1), 
rust-crossbeam-utils (= 0.8.12-1), rust-either (= 1.6.1-1), rust-fastrand (= 
1.8.0-1), rust-lazy-static (= 1.4.0-2), rust-libc (= 0.2.139-1), rust-memchr (= 
2.5.0-1), rust-memmap (= 0.7.0-1), rust-memoffset (= 0.6.5-1), rust-num-cpus (= 
1.14.0-1), rust-rayon-core (= 1.10.1-1), rust-rayon (= 1.6.1-1), rust-regex (= 
[-1.7.0-1),-] {+1.7.1-1),+} rust-regex-syntax (= 0.6.27-1), rust-remove-dir-all 
(= 0.7.0-1), rust-scopeguard (= 1.1.0-1), rust-smawk (= 0.3.1-2), rust-strsim 
(= 0.10.0-1), rust-structopt (= 0.3.26-2), rust-tempfile (= 3.3.0-1), 
rust-textwrap (= 0.16.0-2), rust-thiserror (= [-1.0.37-1),-] {+1.0.38-1),+} 
rust-unescape (= 0.1.0-1), rust-unicode-linebreak (= 0.1.4-1), 
rust-unicode-width (= 0.1.10-1), rust-vec-map (= 0.8.1-2), rustc (= 
1.63.0+dfsg1-2)

[ Other info ]
n/a

Andreas
diff -Nru rust-sd-0.7.6/debian/changelog rust-sd-0.7.6/debian/changelog
--- rust-sd-0.7.6/debian/changelog  2022-10-09 03:54:37.0 +0200
+++ rust-sd-0.7.6/debian/changelog  2023-11-28 22:27:45.0 +0100
@@ -1,3 +1,12 @@
+rust-sd (0.7.6-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Prefix the version of the binary package with '0.80.really.' to sort
+between 0.74-1 in squeeze (from unrelated src:sd) and 1.0.0-1 in sid.
+(Closes: #1037192)
+
+ -- Andreas Beckmann   Tue, 28 Nov 2023 22:27:45 +0100
+
 rust-sd (0.7.6-1) unstable; urgency=medium
 
   * Package sd 0.7.6 from crates.io using debcargo 2.5.0
diff -Nru rust-sd-0.7.6/debian/rules rust-sd-0.7.6/debian/rules
--- rust-sd-0.7.6/debian/rules  2022-10-09 03:54:37.0 +0200
+++ rust-sd-0.7.6/debian/rules  2023-11-28 22:27:45.0 +0100
@@ -1,7 +1,13 @@
 #!/usr/bin/make -f
+
+include /usr/share/dpkg/pkg-info.mk
+
 %:
dh $@ --buildsystem cargo
 
 override_dh_installman:
cp $$(find . -name sd.1 | grep release) debian/sd.1
dh_installman -O--buildsystem=cargo
+
+override_dh_gencontrol:
+   dh_gencontrol -- -v0.80.really.$(DEB_VERSION)
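Review bot: the new override_dh_gencontrol recipe passes -v to dh_gencontrol with no package selector, so the '0.80.really.' prefix lands on every binary package this source builds, and nothing in debian/rules records why the prefix exists or when it can be dropped. Add a comment above the override that points at #1037192 and states that the override goes away once the real version sorts at or above 1.0, so the workaround is not carried forward by accident.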
--- End Message ---
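The ordering problem described in the request above, as an added example (not part of the original message and not dpkg's own code): a Python re-implementation of the Debian version comparison rules, run over the versions quoted on this page. The function names and the `BEFORE`/`AFTER` lists are this example's own; on a Debian system `dpkg --compare-versions` is the authoritative check.

```python
"""Debian version ordering, applied to the versions quoted in this thread.

Added example: a small re-implementation of the comparison rules, not dpkg's code.
"""
import re


def parse(version):
    """Split '[epoch:]upstream[-revision]' into (int epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:                      # no epoch given: it defaults to 0
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:                      # no hyphen: native version, empty revision
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def _order(char):
    """Weight of one non-digit character: '~' < end of string < letters < the rest."""
    if char == "~":
        return -1
    if char.isalpha():
        return ord(char)
    return ord(char) + 256


def _compare_part(a, b):
    """Compare two upstream or revision strings; returns -1, 0 or 1."""
    while a or b:
        # 1. Leading non-digit runs are compared character by character.
        #    A run that ends early is padded with weight 0, so '~' sorts before it.
        text_a, text_b = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(text_a):], b[len(text_b):]
        for i in range(max(len(text_a), len(text_b))):
            wa = _order(text_a[i]) if i < len(text_a) else 0
            wb = _order(text_b[i]) if i < len(text_b) else 0
            if wa != wb:
                return -1 if wa < wb else 1
        # 2. The digit runs that follow are compared as integers (empty run = 0).
        num_a, num_b = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(num_a):], b[len(num_b):]
        if int(num_a or 0) != int(num_b or 0):
            return -1 if int(num_a or 0) < int(num_b or 0) else 1
    return 0


def compare(left, right):
    """Return -1, 0 or 1 as left sorts before, equal to or after right."""
    (ep_l, up_l, rev_l), (ep_r, up_r, rev_r) = parse(left), parse(right)
    if ep_l != ep_r:
        return -1 if ep_l < ep_r else 1
    return _compare_part(up_l, up_r) or _compare_part(rev_l, rev_r)


def broken_steps(path):
    """Given [(suite, version), ...] in release order, list the steps that do not upgrade."""
    return [(old[0], new[0]) for old, new in zip(path, path[1:])
            if compare(old[1], new[1]) >= 0]


# Versions of the binary package 'sd' as quoted in the request above.
BEFORE = [("squeeze", "0.74-1"), ("bookworm", "0.7.6-1+b3"), ("sid", "1.0.0-1")]
AFTER = [("squeeze", "0.74-1"),
         ("bookworm", "0.80.really.0.7.6-1+deb12u1"),
         ("sid", "1.0.0-1")]

if __name__ == "__main__":
    print("before:", broken_steps(BEFORE))
    print("after: ", broken_steps(AFTER))
    # '~' sorts before the end of the string, which is why the ~deb12u1
    # rebuilds on this page stay below the versions they were rebuilt from.
    print("0.15.9~deb12u1 vs 0.15.9:", compare("0.15.9~deb12u1", "0.15.9"))
```

The digit run `74` compares as the integer 74 against `7`, which is why 0.7.6 sorts below 0.74 even though it is the newer software.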
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam--- End 

Bug#1056987: marked as done (bookworm-pu: package ca-certificates-java/20230710~deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056987,
regarding bookworm-pu: package ca-certificates-java/20230710~deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1056987: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056987
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
After openjdk was updated in bookworm, we can backport the proper fixes for
the dependency and trigger loops and defer java certificate population
to a trigger. That allows removing the HACK needed to allow
configuration with a not yet configured jre package.

[ Impact ]
Certain package combinations can result in dpkg failing with trigger
loops on installation or upgrade.

[ Tests ]
Local piuparts tests of all upgrade paths starting in buster or bullseye
and going to bookworm that involve ca-certificates-java as a dependency.

[ Risks ]
Most trigger infrastructure was already prepared in
ca-certificates-java, it just needed activation (after making the jre
packages ready). There haven't been any problems reported since that was
activated in sid, so it should be low-risk to do the same in bookworm.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Postpone java certificate setup to triggers from jre packages that get
activated only after a java binary is usable.
Stop searching for a java binary in a possibly not yet configured jre
package.
Break dependency cycle.

[ Other info ]
This is a rebuild of the package from sid with no further changes.


Andreas
diff --git a/debian/ca-certificates-java.postinst 
b/debian/ca-certificates-java.postinst
index 963e248..f53c4ee 100644
--- a/debian/ca-certificates-java.postinst
+++ b/debian/ca-certificates-java.postinst
@@ -18,37 +18,6 @@ LOCALCERTSDIR=/usr/local/share/ca-certificates
 ETCCERTSDIR=/etc/ssl/certs
 CACERTS=$ETCCERTSDIR/java/cacerts
 
-setup_path()
-{
-   for version in 8 9 10 11 12 13 14 15 16 17 18 19 20 21 ; do
-   for jvm in \
-   java-${version}-openjdk-${arch} \
-   java-${version}-openjdk \
-   oracle-java${version}-jre-${arch} \
-   oracle-java${version}-server-jre-${arch} \
-   oracle-java${version}-jdk-${arch}
-   do
-   if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
-   export JAVA_HOME=/usr/lib/jvm/$jvm
-   PATH=$JAVA_HOME/bin:$PATH
-   # copy java.security to allow import to function
-   
security_conf=/etc/java-${version}-openjdk/security
-   if [ -f ${security_conf}/java.security.dpkg-new 
] \
-   && [ ! -f 
${security_conf}/java.security ]; then
-   cp 
${security_conf}/java.security.dpkg-new \
-   
${security_conf}/java.security
-   fi
-   break 2
-   fi
-   done
-   done
-
-   if ! which java >/dev/null; then
-   echo "No JRE found. Skipping Java certificates setup."
-   exit 0
-   fi
-}
-
 check_proc()
 {
 if ! mountpoint -q /proc; then
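Review bot: the removed setup_path() was the place where ${arch} was consumed (java-${version}-openjdk-${arch} and the oracle-java variants), so after this removal check whether anything else in the postinst still reads that variable and delete its assignment if not. The function was also the only place that exported JAVA_HOME and extended PATH, so it is worth a short comment near update_cacerts() stating that java is now expected on the default PATH by the time the trigger runs.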
@@ -97,7 +66,10 @@ update_cacerts()
exit 0
fi
 
-   setup_path
+   if ! which java >/dev/null; then
+   echo "No JRE found. Skipping Java certificates setup."
+   exit 0
+   fi
 
if [ -f /var/lib/ca-certificates-java/convert_pkcs12_keystore_to_jks ]; 
then
convert_pkcs12_keystore_to_jks
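Review bot: the check inlined into update_cacerts() uses `which java`, an external tool rather than a shell builtin; `command -v java >/dev/null` performs the same test without that dependency in a maintainer script. The exit 0 on this path also leaves the keystore unpopulated with only an echo to show for it, so a comment saying that the jre trigger is expected to rerun the setup later would help anyone reading an installation log.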
@@ -110,7 +82,17 @@ update_cacerts()
 
if [ -f "$CACERTS" ]; then
check_proc
-   cacerts_aliases=$(keytool -cacerts -storepass 
"$storepass" -list -rfc | sed -n 's/^Alias name: *debian://ip' | tr '\n' ' ')
+
+   # Java 8 does not have -cacerts option
+   if java -version 2>&1 | grep "1.8" > /dev/null
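Review bot: the Java 8 test `grep "1.8"` is unanchored and the dot is a regex wildcard, so it matches any "1", one arbitrary character, "8" anywhere in the `java -version` output, including build or date strings of a newer JRE, which would then be sent down the branch without -cacerts. Anchor it to the version field and escape the dot, for example grep -q 'version "1\.8', which also replaces the redirect to /dev/null.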

Bug#1057070: marked as done (bookworm-pu: package adequate/0.15.9~deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1057070,
regarding bookworm-pu: package adequate/0.15.9~deb12u1
to be marked as done.


-- 
1057070: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057070
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
This is a rebuild of the package from sid to fix the autopkgtests on
!amd64. The symbol-size-mismatch issue can only happen on amd64,
therefore it cannot be reproduced elsewhere. Skip the specific test on
!amd64 (in a generic way).

[ Impact ]
Only failing autopkgtests.

[ Tests ]
autopkgtests in sid passed.

[ Risks ]
Low, only autopkgtests affected.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Fix suppression of some perl warnings.
Add support for skipping the build of some test packages.
Skip generating the symbol-size-mismatch test package if the symbol to
be tested has a size of 0.

 adequate   |  3 ++-
 debian/changelog   | 27 +++
 tests/testpkg/debian/rules |  8 
 3 files changed, 37 insertions(+), 1 deletion(-)

[ Other info ]
n/a

Andreas
diff --git a/adequate b/adequate
index 0267a0e..dee5442 100755
--- a/adequate
+++ b/adequate
@@ -25,7 +25,8 @@ use warnings;
 
 use v5.14;
 no feature 'unicode_strings';
-no if $] >= 5.018, warnings => 'experimental::smartmatch';
+no if $] >= 5.017011, warnings => 'experimental::smartmatch';
+no if $] >= 5.037010, warnings => 'deprecated::smartmatch';
 
 use Attribute::Handlers;
 use Cwd;
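Review bot: the two `no if $] >= ...` lines carry bare thresholds (5.017011 and 5.037010) with no comment saying which perl release introduced each warning category. A one-line comment per threshold would explain why the first one moved down from 5.018 and make it obvious when each line can be deleted.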
diff --git a/debian/changelog b/debian/changelog
index f049be2..09eb42b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,30 @@
+adequate (0.15.9~deb12u1) bookworm; urgency=medium
+
+  * QA upload.
+  * Rebuild for bookworm.
+
+ -- Andreas Beckmann   Wed, 29 Nov 2023 07:29:20 +0100
+
+adequate (0.15.9) unstable; urgency=medium
+
+  * QA upload.
+  * Skip symbol-size-mismatch test on architectures where array symbols don't
+include a specific length.  (Closes: #1050066)
+
+ -- Andreas Beckmann   Thu, 23 Nov 2023 10:06:17 +0100
+
+adequate (0.15.8) unstable; urgency=medium
+
+  * QA upload.
+  * Disable deprecation warnings about smartmatch, given, when in Perl
+5.38.
+This is only a band aid but it buys us time before the feature will be
+removed in perl 5.42 in roughly 2 years.
+Also fix version comparison for smartmatch being experimental warnings.
+(Closes: #1043228)
+
+ -- gregor herrmann   Tue, 08 Aug 2023 18:06:34 +0200
+
 adequate (0.15.7) unstable; urgency=medium
 
   * QA upload.
diff --git a/tests/testpkg/debian/rules b/tests/testpkg/debian/rules
index f2ad455..f21ebd2 100755
--- a/tests/testpkg/debian/rules
+++ b/tests/testpkg/debian/rules
@@ -35,6 +35,8 @@ override_dh_auto_install:
ln -sf lib$(at)-symsize.so.0 $(tmp)/lib$(at)-symsize.so
$(CC) symsize.c -L$(tmp) -o $(tmp)/$(at)-symsize -l$(at)-symsize
$(CC) -shared -Wl,--soname=lib$(at)-symsize.so.0 
-DADEQUATE_SYMBOL_SIZE=42 lib.c -o $(tmp)/lib$(at)-symsize.so.0
+   readelf --wide --symbols $(tmp)/$(at)-symsize | grep 
this_symbol_size_varies
+   test "$$(readelf --wide --symbols $(tmp)/$(at)-symsize | grep 
this_symbol_size_varies | head -n 1 | awk '{print $$3}')" != "0" || touch 
$(tmp)/skip-symbol-size-mismatch
# undefined-symbol
$(CC) -shared -Wl,--soname=lib$(at)-versioning.so.0 lib.c -o 
$(tmp)/lib$(at)-versioning.so.0
ln -sf lib$(at)-versioning.so.0 $(tmp)/lib$(at)-versioning.so
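Review bot: the first added recipe line runs readelf piped into grep on its own, so when this_symbol_size_varies is missing from the symbol table grep exits non-zero and make aborts the build before the skip logic on the next line is reached. If that line is only there to show the symbol in the build log, prefix it with `-` or append `|| true`; better still, run readelf once into a variable and use it for both the log output and the size test.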
@@ -60,6 +62,12 @@ override_dh_strip:
 # we build binaries with missing symbols
 override_dh_shlibdeps:
 
+override_dh_gencontrol:
+   dh_gencontrol $(patsubst $(tmp)/skip-%,-N adequate-testpkg-%,$(wildcard 
$(tmp)/skip-*))
+
+override_dh_builddeb:
+   dh_builddeb $(patsubst $(tmp)/skip-%,-N adequate-testpkg-%,$(wildcard 
$(tmp)/skip-*))
+
 execute_after_dh_builddeb:
rm 
debian/adequate-testpkg-obsolete-conffile/etc/adequate/test-obsolete-conffile
sed -i -e '/test-obsolete/d' 
debian/adequate-testpkg-obsolete-conffile/DEBIAN/conffiles
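Review bot: override_dh_gencontrol and override_dh_builddeb repeat the same $(patsubst ... $(wildcard $(tmp)/skip-*)) expression, so the two can drift apart on the next edit. Put it in one recursively expanded variable (assigned with `=`, not `:=`, so the wildcard is evaluated after override_dh_auto_install has created the skip file) and use that variable in both recipes.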
--- End Message ---
--- Begin M

Bug#1056934: marked as done (bookworm-pu: libde265/1.0.11-1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056934,
regarding bookworm-pu: libde265/1.0.11-1+deb12u1
to be marked as done.


-- 
1056934: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056934
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for libde265 fixes CVE-2023-27102, CVE-2023-27103, 
CVE-2023-43887 and CVE-2023-47471 in Bookworm.
Except CVE-2023-43887 all others are marked as no-dsa by the security team 
(CVE-2023-43887 appeared recently and was not evaluated yet).


The fix was already uploaded to Stretch and nobody complained up to now.

  Thorsten
diff -Nru libde265-1.0.11/debian/changelog libde265-1.0.11/debian/changelog
--- libde265-1.0.11/debian/changelog2023-02-02 16:06:20.0 +0100
+++ libde265-1.0.11/debian/changelog2023-11-26 13:03:02.0 +0100
@@ -1,3 +1,19 @@
+libde265 (1.0.11-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-27102 (Closes: #1033257)
+fix segmentation violation in the
+function decoder_context::process_slice_segment_header
+  * CVE-2023-27103
+fix heap buffer overflow in the
+function derive_collocated_motion_vectors
+  * CVE-2023-43887
+fix buffer over-read in pic_parameter_set::dump
+  * CVE-2023-47471 (Closes: #1056187)
+fix buffer overflow in the slice_segment_header function
+
+ -- Thorsten Alteholz   Sun, 26 Nov 2023 13:03:02 +0100
+
 libde265 (1.0.11-1) unstable; urgency=medium
 
   [ Tobias Frost ]
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27102.patch 
libde265-1.0.11/debian/patches/CVE-2023-27102.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27102.patch 1970-01-01 
01:00:00.0 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27102.patch 2023-11-21 
14:10:17.0 +0100
@@ -0,0 +1,23 @@
+commit 0b1752abff97cb542941d317a0d18aa50cb199b1
+Author: Dirk Farin 
+Date:   Sat Mar 4 10:32:43 2023 +0100
+
+check whether referenced PPS exists (fixes #393)
+
+Index: libde265-1.0.11/libde265/decctx.cc
+===
+--- libde265-1.0.11.orig/libde265/decctx.cc2023-11-19 19:08:18.703219858 
+0100
 libde265-1.0.11/libde265/decctx.cc 2023-11-19 19:08:18.703219858 +0100
+@@ -2276,9 +2276,10 @@
+   // get PPS and SPS for this slice
+ 
+   int pps_id = hdr->slice_pic_parameter_set_id;
+-  if (pps[pps_id]->pps_read==false) {
++  if (pps[pps_id]==nullptr || pps[pps_id]->pps_read==false) {
+ logerror(LogHeaders, "PPS %d has not been read\n", pps_id);
+-assert(false); // TODO
++img->decctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false);
++return false;
+   }
+ 
+   current_pps = pps[pps_id];
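Review bot: in the decctx.cc change, pps[pps_id] is now tested against nullptr, but pps_id is taken straight from hdr->slice_pic_parameter_set_id two lines above and nothing in this hunk bounds it before it is used as an index. Confirm that the slice header parser rejects out-of-range IDs before this point, or add the range check next to the nullptr test so the guard stands on its own.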
diff -Nru libde265-1.0.11/debian/patches/CVE-2023-27103.patch 
libde265-1.0.11/debian/patches/CVE-2023-27103.patch
--- libde265-1.0.11/debian/patches/CVE-2023-27103.patch 1970-01-01 
01:00:00.0 +0100
+++ libde265-1.0.11/debian/patches/CVE-2023-27103.patch 2023-11-21 
14:10:17.0 +0100
@@ -0,0 +1,54 @@
+commit d6bf73e765b7a23627bfd7a8645c143fd9097995
+Author: Dirk Farin 
+Date:   Sat Mar 4 10:27:59 2023 +0100
+
+check for valid slice header index access (fixes #394)
+
+Index: libde265-1.0.11/libde265/de265.cc
+===
+--- libde265-1.0.11.orig/libde265/de265.cc 2023-11-19 19:08:22.851224558 
+0100
 libde265-1.0.11/libde265/de265.cc  2023-11-19 19:08:22.847224554 +0100
+@@ -174,6 +174,8 @@
+ return "Bit-depth of current image does not match SPS";
+   case DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH:
+ return "Chroma format of reference image does not match current image";
++  case DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS:
++return "Access with invalid slice header index";
+ 
+   default: return "unknown error";
+   }
+Index: libde265-1.0.11/libde265/de265.h
+===
+--- libde265-1.0.11.orig/libde265/de265.h  2023-11-19 19:08:22.851224558 
+0100
 libde265-1.0.11/libde265/de265.h   2023-11-19 19:08:22.847224554 +0100
+@@ -145,7 +145,8 @@
+   DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029,
+   DE265_WARNING_CHROMA
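Review bot: de265.h is changed to add DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS, and the neighbouring enumerators carry explicit values (…DOES_NOT_MATCH_SPS=1029); the excerpt is cut off before the new entry is visible, so check that it is appended with its own explicit value rather than inserted mid-enum, since this is the header callers compile against. The matching case in de265.cc sits before `default:`, which is fine.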

Bug#1056958: marked as done (bookworm-pu: package nvidia-graphics-drivers-tesla/525.147.05-3~deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056958,
regarding bookworm-pu: package 
nvidia-graphics-drivers-tesla/525.147.05-3~deb12u1
to be marked as done.


-- 
1056958: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056958
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
In order to fix CVE-2023-31022 we need to upgrade
nvidia-graphics-drivers-tesla to a new upstream release.

[ Impact ]
A proprietary graphics driver with more CVEs open.

[ Tests ]
Only module building has been tested. Anything else would require
certain hardware and driver usage.

[ Risks ]
Low. Upgrading to a new nvidia driver release in (old-)stable is an
established procedure.

[ Checklist ]
  [+] *all* changes are documented in the d/changelog
  [+] I reviewed all changes and I approve them
  (excluding the blobs)
  [+] attach debdiff against the package in (old)stable
  (excluding the blobs)
  [+] the issue is verified as fixed in unstable

[ Changes ]
There is infrastructure prepared for a new binary package
(nvidia-suspend-common) that will not yet be enabled in the backport for
bookworm (but it is built in sid).
(I expect that to be enabled once we switch to the 535 series in
bookworm.)
There are only minor additional packaging changes.

[ Other info ]
This is a rebuild of the package from sid with only a minimal change:
not enabling nvidia-suspend-common.
This package is functionally equivalent to
src:nvidia-graphics-drivers 525.147.05-1(~deb12u1).


Andreas


ngd-tesla-525.147.05-3~deb12u1.diff.xz
Description: application/xz
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1057038: marked as done (bookworm-pu: package php-phpseclib3/3.0.19-1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1057038,
regarding bookworm-pu: package php-phpseclib3/3.0.19-1+deb12u1
to be marked as done.


-- 
1057038: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057038
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: php-phpsecl...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-phpseclib3

Hi,

Please allow fixing CVE-2023-49316 (#1057008) in the next point release.
I assume from the bug report wording that it isn’t worth a DSA (security
team X-Debbugs-Cced in case I misunderstood).

The changelog refers to a trivial change (gbp.conf and control) for the
build process, and the three line upstream patch (+comments +test) to
fix the issue.

  * Track bookworm
  * Math/BinaryField: fix for excessively large degrees [CVE-2023-49316]
(Closes: #1057008)

It passes its (updated) testsuite, but I didn’t have time to test this
update thoroughly.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks in advance for your consideration.

Regards,

taffit
diff -Nru php-phpseclib3-3.0.19/debian/changelog php-phpseclib3-3.0.19/debian/changelog
--- php-phpseclib3-3.0.19/debian/changelog	2023-03-06 08:00:12.0 +0100
+++ php-phpseclib3-3.0.19/debian/changelog	2023-11-28 08:33:28.0 +0100
@@ -1,3 +1,11 @@
+php-phpseclib3 (3.0.19-1+deb12u1) bookworm; urgency=medium
+
+  * Track bookworm
+  * Math/BinaryField: fix for excessively large degrees [CVE-2023-49316]
+(Closes: #1057008)
+
+ -- David Prévot   Tue, 28 Nov 2023 08:33:28 +0100
+
 php-phpseclib3 (3.0.19-1) unstable; urgency=medium
 
   [ Alexander Vlasov ]
diff -Nru php-phpseclib3-3.0.19/debian/control php-phpseclib3-3.0.19/debian/control
--- php-phpseclib3-3.0.19/debian/control	2023-03-06 08:00:12.0 +0100
+++ php-phpseclib3-3.0.19/debian/control	2023-11-28 08:32:24.0 +0100
@@ -13,7 +13,7 @@
pkg-php-tools (>= 1.41~)
 Standards-Version: 4.6.2
 Homepage: https://phpseclib.sourceforge.net/
-Vcs-Git: https://salsa.debian.org/php-team/pear/phpseclib.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/php-team/pear/phpseclib.git -b debian/bookworm
 Vcs-Browser: https://salsa.debian.org/php-team/pear/phpseclib
 Rules-Requires-Root: no
 
diff -Nru php-phpseclib3-3.0.19/debian/gbp.conf php-phpseclib3-3.0.19/debian/gbp.conf
--- php-phpseclib3-3.0.19/debian/gbp.conf	2023-03-06 07:51:57.0 +0100
+++ php-phpseclib3-3.0.19/debian/gbp.conf	2023-11-28 08:32:24.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
 pristine-tar = True
 filter = [ '.gitattributes' ]
 upstream-vcs-tag = %(version%~%-)s
diff -Nru php-phpseclib3-3.0.19/debian/patches/0007-Math-BinaryField-fix-for-excessively-large-degrees.patch php-phpseclib3-3.0.19/debian/patches/0007-Math-BinaryField-fix-for-excessively-large-degrees.patch
--- php-phpseclib3-3.0.19/debian/patches/0007-Math-BinaryField-fix-for-excessively-large-degrees.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib3-3.0.19/debian/patches/0007-Math-BinaryField-fix-for-excessively-large-degrees.patch	2023-11-28 08:32:28.0 +0100
@@ -0,0 +1,56 @@
+From: terrafrost 
+Date: Tue, 21 Nov 2023 19:10:46 -0600
+Subject: Math/BinaryField: fix for excessively large degrees
+
+Origin: backport, https://github.com/phpseclib/phpseclib/commit/964d78101a70305df33f442f5490f0adb3b7e77f
+Bug-Debian: https://bugs.debian.org/1057008
+---
+ phpseclib/Math/BinaryField.php  |  9 +
+ tests/Unit/Crypt/EC/KeyTest.php | 16 
+ 2 files changed, 25 insertions(+)
+
+diff --git a/phpseclib/Math/BinaryField.php b/phpseclib/Math/BinaryField.php
+index 3e21a67..5da8c93 100644
+--- a/phpseclib/Math/BinaryField.php
 b/phpseclib/Math/BinaryField.php
+@@ -48,6 +48,15 @@ class BinaryField extends FiniteField
+ public function __construct(...$indices)
+ {
+ $m = array_shift($indices);
++if ($m > 571) {
++/* sect571r1 and sect571k1 are the largest binary curves that https://www.secg.org/sec2-

Bug#1056917: marked as done (bookworm-pu: package perl/5.36.0-7+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056917,
regarding bookworm-pu: package perl/5.36.0-7+deb12u1
to be marked as done.


-- 
1056917: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056917
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: p...@packages.debian.org, Salvatore Bonaccorso 
Control: affects -1 + src:perl

[ Reason ]
I'd like to fix #1056746 / CVE-2023-47038 in perl for bookworm.  It's a
non-DSA security issue that was made public yesterday and fixed upstream
in 5.36.2.

[ Impact ]
CVE-2023-47038 has security impact for applications that use untrusted
regular expressions to match input.

[ Tests ]
The fix augments the test suite to check for this issue. I have also
checked manually that the crash is gone with the patch. I reviewed amd64
binary debdiffs too and did some installation tests.

[ Risks ]
The fix is minimal and identical to the one in sid / 5.36.0-10.  I don't
expect any fallout, but obviously I'll report here if any problems are
found in the testing migration checks.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The only change is a patch to the regexp engine in regcomp.c
and the associated new tests. The patch description has
a long explanation of the issue.

[ Other info ]
I'm uploading right away as I don't expect any of this to be
controversial. Hope that's fine by you.

Thanks for your work on Debian.
diff -Nru perl-5.36.0/debian/changelog perl-5.36.0/debian/changelog
--- perl-5.36.0/debian/changelog2023-01-08 23:28:47.0 +0200
+++ perl-5.36.0/debian/changelog2023-11-25 22:59:54.0 +0200
@@ -1,3 +1,10 @@
+perl (5.36.0-7+deb12u1) bookworm; urgency=medium
+
+  * [SECURITY] CVE-2023-47038: Write past buffer end via illegal
+user-defined Unicode property. (Closes: #1056746)
+
+ -- Niko Tyni   Sat, 25 Nov 2023 22:59:54 +0200
+
 perl (5.36.0-7) unstable; urgency=medium
 
   * Break backuppc (<< 4.4.0-7~) due to Data::Dumper changes in 5.36
diff -Nru perl-5.36.0/debian/patches/fixes/CVE-2023-47038.diff 
perl-5.36.0/debian/patches/fixes/CVE-2023-47038.diff
--- perl-5.36.0/debian/patches/fixes/CVE-2023-47038.diff1970-01-01 
02:00:00.0 +0200
+++ perl-5.36.0/debian/patches/fixes/CVE-2023-47038.diff2023-11-25 
22:59:54.0 +0200
@@ -0,0 +1,119 @@
+From: Karl Williamson 
+Date: Sat, 9 Sep 2023 11:59:09 -0600
+Subject: Fix read/write past buffer end: perl-security#140
+
+A package name may be specified in a \p{...} regular expression
+construct.  If unspecified, "utf8::" is assumed, which is the package
+all official Unicode properties are in.  By specifying a different
+package, one can create a user-defined property with the same
+unqualified name as a Unicode one.  Such a property is defined by a sub
+whose name begins with "Is" or "In", and if the sub wishes to refer to
+an official Unicode property, it must explicitly specify the "utf8::".
+S_parse_uniprop_string() is used to parse the interior of both \p{} and
+the user-defined sub lines.
+
+In S_parse_uniprop_string(), it parses the input "name" parameter,
+creating a modified copy, "lookup_name", malloc'ed with the same size as
+"name".  The modifications are essentially to create a canonicalized
+version of the input, with such things as extraneous white-space
+stripped off.  I found it convenient to strip off the package specifier
+"utf8::".  To to so, the code simply pretends "lookup_name" begins just
+after the "utf8::", and adjusts various other values to compensate.
+However, it missed the adjustment of one required one.
+
+This is only a problem when the property name begins with "perl" and
+isn't "perlspace" nor "perlword".  All such ones are undocumented
+internal properties.
+
+What happens in this case is that the input is reparsed with slightly
+different rules in effect as to what is legal versus illegal.  The
+problem is that "lookup_name" no longer is pointing to its initial
+value, but "name" is.  Thus the space allocated for filling "lookup_name"
+is now shorter than "name", and as this sho

Bug#1056741: marked as done (bookworm-pu: package nvidia-open-gpu-kernel-modules/525.147.05-1~deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056741,
regarding bookworm-pu: package 
nvidia-open-gpu-kernel-modules/525.147.05-1~deb12u1
to be marked as done.


-- 
1056741: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056741
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
In order to fix CVE-2023-31022 we need to upgrade
nvidia-open-gpu-kernel-modules to a new upstream release.
(This package must match the version of src:nvidia-graphics-drivers
and/or src:nvidia-graphics-drivers-tesla to be useful, and these two
packages in non-free need to be updated for CVE-2023-31022, too.)

[ Impact ]
An unusable package with open CVEs.

[ Tests ]
Only module building has been tested. Anything else would require
certain hardware and driver usage.

[ Risks ]
Low. Upgrading to a new nvidia driver release in (old-)stable is an
established procedure.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [ ] I reviewed all changes and I approve them
  I didn't read the upstream diff (114 files changed, 7240
  insertions(+), 830 deletions(-)), but this corresponds to the
  changes in the driver blobs in non-free.
  [*] attach debdiff against the package in (old)stable
  only for debian/*, upstream changes are excessive
  [*] the issue is verified as fixed in unstable

[ Changes ]
Mainly patch refresh for the new upstream release. This is a subset of
the changes also found in the pu requests for
src:nvidia-graphics-drivers{-tesla}.

Upstream changes diffstat, changes not included in the patch
(500kb uncompressed)

 CHANGELOG.md                                                     |   6 +
 README.md                                                        |  15 +-
 kernel-open/Kbuild                                               |   3 +-
 kernel-open/common/inc/nv-hypervisor.h                           |   1 +
 kernel-open/common/inc/nv-mm.h                                   |  59 +-
 kernel-open/conftest.sh                                          | 327 --
 kernel-open/nvidia-drm/nvidia-drm-drv.c                          |  15 +
 kernel-open/nvidia-drm/nvidia-drm.Kbuild                         |   2 +
 kernel-open/nvidia-modeset/nvidia-modeset-linux.c                |   8 +
 kernel-open/nvidia-modeset/nvidia-modeset-os-interface.h         |   2 +
 kernel-open/nvidia-uvm/nvidia-uvm.Kbuild                         |   2 +-
 kernel-open/nvidia-uvm/uvm_ce_test.c                             |   4 +-
 kernel-open/nvidia-uvm/uvm_migrate_pageable.h                    |   2 +-
 kernel-open/nvidia/nv-p2p.c                                      |   5 +
 kernel-open/nvidia/nv.c                                          |  14 +-
 kernel-open/nvidia/nvlink_export.h                               |   5 +
 kernel-open/nvidia/nvlink_os.h                                   |   3 +
 src/common/displayport/src/dp_evoadapter.cpp                     |   6 +-
 src/common/inc/nvBldVer.h                                        |  20 +-
 src/common/inc/nvUnixVersion.h                                   |   2 +-
 src/common/inc/nvlog_defs.h                                      |  17 +-
 src/common/inc/swref/published/hopper/gh100/dev_fb.h             |  23 +-
 src/common/inc/swref/published/hopper/gh100/dev_fbpa.h           |  29 +
 src/common/inc/swref/published/hopper/gh100/dev_ltc.h            |  33 +
 src/common/inc/swref/published/hopper/gh100/dev_nv_xpl.h         |  52 ++
 src/common/inc/swref/published/hopper/gh100/dev_xtl_ep_pri.h     |   3 +
 src/common/inc/swref/published/hopper/gh100/hwproject.h          |   6 +
 src/common/inc/swref/published/hopper/gh100/pri_nv_xal_ep.h      |  12 +
 src/common/inc/swref/published/nvswitch/ls10/dev_nvlipt_lnk_ip.h |   5 +-
 src/common/inc/swref/published/nvswitch/ls10/ptop_discovery_ip.h |  28 +
 src/common/nvlink/interface/nvlink.h                             |   5 +
 src/common/nvlink/interface/nvlink_export.h

Bug#1056744: marked as done (bookworm-pu: package nvidia-graphics-drivers/525.147.05-1~deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056744,
regarding bookworm-pu: package nvidia-graphics-drivers/525.147.05-1~deb12u1
to be marked as done.


-- 
1056744: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056744
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
In order to fix CVE-2023-31022 we need to upgrade
nvidia-graphics-drivers-tesla-470 to a new upstream release.

[ Impact ]
A proprietary graphics driver with more CVEs open.

[ Tests ]
Only module building has been tested. Anything else would require
certain hardware and driver usage.

[ Risks ]
Low. Upgrading to a new nvidia driver release in (old-)stable is an
established procedure.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  (excluding the blobs)
  [*] attach debdiff against the package in (old)stable
  (excluding the blobs)
  [*] the issue is verified as fixed in unstable

[ Changes ]
There is infrastructure prepared for a new binary package
(nvidia-suspend-common) that will not yet be enabled in the backport for
bookworm (but it is built in sid from the -tesla package). 
(I expect that to be enabled once we switch to the 535 series in
bookworm.)
The nvidia-powerd package is not built from this source but from the
-tesla package. The changes were synced from there.
There are only minor additional packaging changes, most changes
originate from keeping the many driver packages in sync.

 debian/README.source | 9 +-
 debian/changelog | 175
 debian/control | 2 +-
 debian/control.in | 13 ++-
 debian/control.md5sum | 8 +-
 debian/copyright | 3 +-
 debian/detect/nvidia-tesla.ids | 4 +
 debian/not-installed.in | 14 ++-
 debian/nv-readme.ids | 4 +
 debian/nvidia-options.conf.in | 12 ++-
 debian/nvidia-powerd.examples | 2 +
 debian/nvidia-powerd.install | 2 +-
 debian/nvidia-suspend-common.install | 5 ++
 debian/nvidia-suspend-common.lintian-overrides | 18
 .../patches/module/0001-bump-minimum-supported-kernel-version-to-3.10.patch | 4 +-
 .../module/0002-conftest.sh-remove-empty-lines-from-uts_release-outp.patch | 6 +-
 debian/patches/module/0010-backport-pci-dma-changes-for-ppc64el.patch | 68 --
 debian/patches/module/bashisms.patch | 2 +-
 debian/patches/module/cc_version_check-gcc5.patch | 2 +-
 debian/patches/module/conftest-verbose.patch | 8 +-
 debian/patches/module/series.in | 1 -
 debian/rules | 12 ++-
 debian/rules.defs | 6 +-
 debian/xserver-xorg-video-nvidia.examples | 1 -
 24 files changed, 259 insertions(+), 122 deletions(-)

[ Other info ]
This is a rebuild of the package from sid with only a minimal change:
not enabling nvidia-suspend-common.


Andreas


ngd-525.147.05-1~deb12u1.diff.xz
Description: application/xz
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1056732: marked as done (bookworm-pu: package opendkim/2.11.0~beta2-8+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056732,
regarding bookworm-pu: package opendkim/2.11.0~beta2-8+deb12u1
to be marked as done.


-- 
1056732: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056732
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: opend...@packages.debian.org
Control: affects -1 + src:opendkim

After sponsoring the maintainer David Bürgin I've offered them to tackle
s-p-u and o-s-p-u, addressing CVE-2022-48521. (Details: RFS #1056285)

Before the upload, stable and sid were at the same version,
namely 2.11.0~beta2-8, so the patch could be applied as is,
without changes needed. Additional changes, not suitable for s-p-u,
have been dropped.

The patch is authored by David Bürgin and they confirm that they have
tested the patch and it indeed fixes the issue (quote from #1056285#19):

> Hello Tobi,
> 
> > A question to that: Can you elaborate a bit on the testing you have
> > done to verify that this patch indeed fixes the vulnerability?
> > (Asking, because unfortunately there is not a lot of information available
> > e.g from the upstream issue and upstream seems to be generally very
> > silent…

> I developed the upstream patch, and so did do the necessary testing
> locally. You can simply prepare a crafted message containing some
> Authentication-Results headers and then see if the right ones get
> deleted.

(I've uploaded the package to the s-p-u queue already.)

debdiff attached.

-- 
Cheers,
tobi
diff -Nru opendkim-2.11.0~beta2/debian/changelog opendkim-2.11.0~beta2/debian/changelog
--- opendkim-2.11.0~beta2/debian/changelog	2022-12-20 09:10:44.0 +0100
+++ opendkim-2.11.0~beta2/debian/changelog	2023-11-25 17:19:13.0 +0100
@@ -1,3 +1,13 @@
+opendkim (2.11.0~beta2-8+deb12u1) bookworm; urgency=medium
+
+  * Non-Maintainer upload by the security team.
+
+  [ David Bürgin ]
+  * Add patch "rev-ares-deletion.patch" for CVE-2022-48521:
+Delete Authentication-Results headers in reverse (Closes: #1041107).
+
+ -- Tobias Frost   Sat, 25 Nov 2023 17:19:13 +0100
+
 opendkim (2.11.0~beta2-8) unstable; urgency=medium
 
   [ David Bürgin ]
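
Review bot: the new entry opens with "Non-Maintainer upload by the security team", but the request describes a sponsored upload that goes through the s-p-u queue and release.debian.org. Word the line to match how the upload is actually made (a plain "Non-maintainer upload." would do), so the changelog does not read as a security-team release.
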
diff -Nru opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch
--- opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch	1970-01-01 01:00:00.0 +0100
+++ opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch	2023-11-25 17:19:13.0 +0100
@@ -0,0 +1,33 @@
+Description: Delete Authentication-Results headers in reverse (CVE-2022-48521)
+Author: David Bürgin 
+Bug: https://github.com/trusteddomainproject/OpenDKIM/pull/189
+
+--- a/opendkim/opendkim.c
 b/opendkim/opendkim.c
+@@ -13651,9 +13651,16 @@
+ 			return SMFIS_TEMPFAIL;
+ 		}
+ 
+-		c = 0;
++		c = 1;
++
+ 		for (hdr = dfc->mctx_hqhead; hdr != NULL; hdr = hdr->hdr_next)
+ 		{
++			if (strcasecmp(hdr->hdr_hdr, AUTHRESULTSHDR) == 0)
++c++;
++		}
++
++		for (hdr = dfc->mctx_hqtail; hdr != NULL; hdr = hdr->hdr_prev)
++		{
+ 			memset(ares, '\0', sizeof(struct authres));
+ 
+ 			if (strcasecmp(hdr->hdr_hdr, AUTHRESULTSHDR) == 0)
+@@ -13664,7 +13671,7 @@
+ char *slash;
+ 
+ /* remember index */
+-c++;
++c--;
+ 
+ /* parse the header */
+ arstat = ares_parse((u_char *) hdr->hdr_val,
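
Review bot: in the first opendkim.c hunk, `c` now starts at 1, is raised once per Authentication-Results header by the new counting loop, and only becomes a usable ordinal after the `c--` at "remember index" in the second hunk; nothing in the code explains that setup. Add a short comment above `c = 1;` saying that `c` ends the first loop at count + 1 and that walking from `mctx_hqtail` via `hdr_prev` keeps the ordinals of headers not yet visited unchanged while later ones are deleted. The patch header has `Description`, `Author` and `Bug` only; adding `Forwarded:` and `Last-Update:` would complete it, since `Bug:` already points at the upstream pull request.
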
diff -Nru opendkim-2.11.0~beta2/debian/patches/series opendkim-2.11.0~beta2/debian/patches/series
--- opendkim-2.11.0~beta2/debian/patches/series	2022-12-12 14:41:20.0 +0100
+++ opendkim-2.11.0~beta2/debian/patches/series	2023-11-25 17:19:13.0 +0100
@@ -12,3 +12,4 @@
 conf_refcnt.patch
 lua-5.3.patch
 fix-RSA_Sign-call.patch
+rev-ares-deletion.patch


signature.asc
Description: PGP signature
--- End Message ---
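
The check described in the quoted reply above (feed a message with several Authentication-Results headers and see which ones get deleted), modelled as an added example that is not part of the original messages and is not OpenDKIM code. It assumes a header store that deletes by name and 1-based ordinal and renumbers the remaining same-named headers after each deletion; `struct msg`, `del_nth`, `strip_forward`, `strip_reverse`, `run` and the sample headers are constructed for illustration.

```c
/* Added illustration, not OpenDKIM code. Assumption: the header store deletes
 * by (name, 1-based ordinal) and renumbers same-named headers afterwards. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define AR   "Authentication-Results"
#define MAXH 8

struct msg    { const char *name[MAXH]; const char *val[MAXH]; int n; };
struct result { int ours_left; int foreign_left; };

/* Delete the ord-th header called `name`; the headers after it move up. */
static int del_nth(struct msg *m, const char *name, int ord)
{
    int seen = 0;
    for (int i = 0; i < m->n; i++) {
        if (strcasecmp(m->name[i], name) != 0 || ++seen != ord)
            continue;
        for (int j = i; j + 1 < m->n; j++) {
            m->name[j] = m->name[j + 1];
            m->val[j]  = m->val[j + 1];
        }
        m->n--;
        return 1;
    }
    return 0;   /* that ordinal no longer exists */
}

/* True if the header value starts with our own authserv-id. */
static int is_ours(const char *val, const char *id)
{
    size_t n = strlen(id);
    while (*val == ' ' || *val == '\t')
        val++;
    return strncasecmp(val, id, n) == 0 && (val[n] == ';' || val[n] == '\0');
}

/* Pre-patch order: head to tail, ordinal counted up while deleting. */
static void strip_forward(const struct msg *snap, struct msg *store, const char *id)
{
    int c = 0;
    for (int i = 0; i < snap->n; i++) {
        if (strcasecmp(snap->name[i], AR) != 0)
            continue;
        c++;
        if (is_ours(snap->val[i], id))
            del_nth(store, AR, c);
    }
}

/* Patched order: count first (c = count + 1), then tail to head. */
static void strip_reverse(const struct msg *snap, struct msg *store, const char *id)
{
    int c = 1;
    for (int i = 0; i < snap->n; i++)
        if (strcasecmp(snap->name[i], AR) == 0)
            c++;
    for (int i = snap->n - 1; i >= 0; i--) {
        if (strcasecmp(snap->name[i], AR) != 0)
            continue;
        c--;
        if (is_ours(snap->val[i], id))
            del_nth(store, AR, c);
    }
}

/* Run one strategy over the constructed message and count what is left. */
static struct result run(int reverse)
{
    const char *id = "mx.example.org";          /* constructed authserv-id */
    struct msg snap = {                         /* constructed inbound headers */
        { AR, "From", AR, AR, AR },
        { "mx.example.org; dkim=pass header.d=a.example",
          "someone@a.example",
          "mx.example.org; dkim=pass header.d=b.example",
          "relay.example.net; spf=pass",
          "mx.example.org; dkim=pass header.d=c.example" },
        5 };
    struct msg store = snap;   /* store: what is delivered; snap: the filter's copy */
    struct result r = { 0, 0 };

    if (reverse)
        strip_reverse(&snap, &store, id);
    else
        strip_forward(&snap, &store, id);

    for (int i = 0; i < store.n; i++) {
        if (strcasecmp(store.name[i], AR) != 0)
            continue;
        if (is_ours(store.val[i], id))
            r.ours_left++;
        else
            r.foreign_left++;
    }
    return r;
}

int main(void)
{
    struct result f = run(0), b = run(1);
    printf("forward: ours_left=%d foreign_left=%d\n", f.ours_left, f.foreign_left);
    printf("reverse: ours_left=%d foreign_left=%d\n", b.ours_left, b.foreign_left);
    return 0;
}
```

A regression test for the packaged fix can use the same pass criterion: no header naming the local authserv-id survives, and headers from other authserv-ids are left alone.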
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1056716: marked as done (bookworm-pu: package nvidia-graphics-drivers-tesla-470/470.223.02-1~deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056716,
regarding bookworm-pu: package nvidia-graphics-drivers-tesla-470/470.223.02-1~deb12u1
to be marked as done.


-- 
1056716: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056716
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
Control: clone -1 -2
Control: usertags -2 pu
Control: tags -2 = bookworm
Control: retitle -2 bookworm-pu: package nvidia-graphics-drivers-tesla-470/470.223.02-1~deb12u1

[ Reason ]
In order to fix CVE-2023-31022 we need to upgrade
nvidia-graphics-drivers-tesla-470 to a new upstream release.

[ Impact ]
A proprietary graphics driver with more CVEs open.

[ Tests ]
Only module building has been tested. Anything else would require
certain hardware and driver usage.

[ Risks ]
Low. Upgrading to a new nvidia driver release in (old-)stable is an
established procedure.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  (excluding the blobs)
  [*] attach debdiff against the package in (old)stable
  (excluding the blobs)
  [*] the issue is verified as fixed in unstable

[ Changes ]
There is a new patch added which is only relevant for using this driver
with a backported Linux 6.2+ on a recent Intel CPU. As the blob parts
are not built with Indirect Branch Tracking (IBT) support, the module
cannot be used on a CPU+kernel combination that enables IBT by default
unless it is booted with ibt=off.
There are only minor additional packaging changes.

 debian/README.source | 9 +-
 debian/changelog | 165
 debian/control | 2 +-
 debian/control.in | 2 +-
 debian/control.md5sum | 8 +-
 debian/copyright | 3 +-
 .../module/debian/patches/0010-backport-pci-dma-changes-for-ppc64el.patch | 68 ---
 .../patches/0033-refuse-to-load-legacy-module-if-IBT-is-enabled.patch | 63 ++
 debian/module/debian/patches/bashisms.patch | 2 +-
 debian/module/debian/patches/cc_version_check-gcc5.patch | 2 +-
 debian/module/debian/patches/conftest-verbose.patch | 6 +-
 debian/module/debian/patches/linux-2.6.34-dev_pm_info-runtime_auto.patch | 2 +-
 debian/module/debian/patches/series.in | 2 +-
 debian/nvidia-options.conf.in | 12 ++-
 debian/rules | 7 +-
 debian/rules.defs | 4 +-
 debian/tests/control | 8 +-
 debian/tests/control.in | 8 +-
 18 files changed, 256 insertions(+), 117 deletions(-)

[ Other info ]
This is a rebuild of the package from sid with no further changes.
The bullseye upload will get an additional "rebuild for bullseye"
changelog entry.

Andreas


ngd-470-470.223.02-1~deb12u1.diff.xz
Description: application/xz
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1056737: marked as done (bookworm-pu: minizip/1.1-8+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056737,
regarding bookworm-pu: minizip/1.1-8+deb12u1
to be marked as done.


-- 
1056737: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056737
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for minizip fixes CVE-2023-45853 in Bookworm. This 
CVE has been marked as no-dsa by the security team.


Chrome upstream added a test for their internal copy of minizip. Running 
this test against libminizip1 of this package worked as well, so I don't 
expect any problems.


  Thorsten
diff -Nru minizip-1.1/debian/changelog minizip-1.1/debian/changelog
--- minizip-1.1/debian/changelog2016-01-03 04:24:26.0 +0100
+++ minizip-1.1/debian/changelog2023-11-25 13:03:02.0 +0100
@@ -1,3 +1,11 @@
+minizip (1.1-8+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-45853 (Closes: #1056719)
+Reject overflows of zip header fields in minizip.
+
+ -- Thorsten Alteholz   Sat, 25 Nov 2023 13:03:02 +0100
+
 minizip (1.1-8) unstable; urgency=medium
 
   * Fix implicit function declaration.
diff -Nru minizip-1.1/debian/patches/CVE-2023-45853.patch 
minizip-1.1/debian/patches/CVE-2023-45853.patch
--- minizip-1.1/debian/patches/CVE-2023-45853.patch 1970-01-01 
01:00:00.0 +0100
+++ minizip-1.1/debian/patches/CVE-2023-45853.patch 2023-11-18 
17:51:11.0 +0100
@@ -0,0 +1,34 @@
+commit 73331a6a0481067628f065ffe87bb1d8f787d10c
+Author: Hans Wennborg 
+Date:   Fri Aug 18 11:05:33 2023 +0200
+
+Reject overflows of zip header fields in minizip.
+
+This checks the lengths of the file name, extra field, and comment
+that would be put in the zip headers, and rejects them if they are
+too long. They are each limited to 65535 bytes in length by the zip
+format. This also avoids possible buffer overflows if the provided
+fields are too long.
+
+Index: minizip-1.1/zip.c
+===
+--- minizip-1.1.orig/zip.c 2023-11-18 17:51:05.539763813 +0100
 minizip-1.1/zip.c  2023-11-18 17:51:05.539763813 +0100
+@@ -1082,6 +1082,17 @@
+   return ZIP_PARAMERROR;
+ #endif
+ 
++// The filename and comment length must fit in 16 bits.
++if ((filename!=NULL) && (strlen(filename)>0x))
++return ZIP_PARAMERROR;
++if ((comment!=NULL) && (strlen(comment)>0x))
++return ZIP_PARAMERROR;
++// The extra field length must fit in 16 bits. If the member also requires
++// a Zip64 extra block, that will also need to fit within that 16-bit
++// length, but that will be checked for later.
++if ((size_extrafield_local>0x) || (size_extrafield_global>0x))
++return ZIP_PARAMERROR;
++
+ zi = (zip64_internal*)file;
+ 
+ if (zi->in_opened_file_inzip == 1)
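
Review bot: the added comment in the zip.c hunk says a Zip64 extra block "will be checked for later", but that later check is not part of this hunk and this is a backport to minizip 1.1; please confirm the check exists in this version's zip.c, or drop the sentence so the comment does not promise a bound that is not enforced. In this copy the three comparisons read `>0x` with the digits missing; the commit message gives the limit as 65535 bytes, so verify that the patch file as uploaded compares against `0xffff`.
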
diff -Nru minizip-1.1/debian/patches/series minizip-1.1/debian/patches/series
--- minizip-1.1/debian/patches/series   2016-01-03 04:14:08.0 +0100
+++ minizip-1.1/debian/patches/series   2023-11-18 17:50:30.0 +0100
@@ -1,3 +1,5 @@
 include.patch
 automake.patch
 traversal.patch
+
+CVE-2023-45853.patch
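
Review bot: the series hunk adds an empty line before `CVE-2023-45853.patch`. It is harmless to quilt, but dropping the blank `+` line keeps the file consistent with the three entries above it.
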
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1056521: marked as done (bookworm-pu: package qbittorrent/4.5.2-3)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056521,
regarding bookworm-pu: package qbittorrent/4.5.2-3
to be marked as done.


-- 
1056521: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056521
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: qbittorr...@packages.debian.org, maril...@debian.org
Control: affects -1 + src:qbittorrent

[ Reason ]
The option "Use UPnP / NAT-PMP to forward the port from my router"
in "WebUI" settings is enabled by default. That means by default you expose
your client to the internet, even if you are behind a NAT.

[ Impact ]
Outside parties can gain access to the webUI through UPnP, download a dummy
torrent, and run a script via the "run command on torrent completion."

[ Tests ]
This bug has been fixed in qbittorrent 4.5.3 (Released May 28 2023) and works
fine.

[ Risks ]
Patch is really simple and breaks nothing.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
diff -Nru qbittorrent-4.5.2/debian/changelog qbittorrent-4.5.2/debian/changelog
--- qbittorrent-4.5.2/debian/changelog  2023-11-22 16:26:29.0 +0100
+++ qbittorrent-4.5.2/debian/changelog  2023-04-21 23:56:17.0 +0200
@@ -1,9 +1,3 @@
-qbittorrent (4.5.2-3+deb12u1) bookworm; urgency=medium
-
-  * Disable UPnP for web UI by default in qbittorrent-nox (Closes: #1056379)
-
- -- Christian Marillat   Wed, 22 Nov 2023 16:26:29 +0100
-
 qbittorrent (4.5.2-3) unstable; urgency=medium
 
   * Really install service file in /lib/systemd/system (Closes: #1034678)
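
Review bot: this debdiff is reversed. The `4.5.2-3+deb12u1` changelog entry shows up as removed lines here, and the hunks that follow delete `02_Disable-UPnP-for-web-UI.patch` and its series entry instead of adding them. Regenerate it with the package currently in bookworm as the first argument and the proposed upload as the second, so the attached diff matches what is being uploaded.
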
diff -Nru qbittorrent-4.5.2/debian/patches/02_Disable-UPnP-for-web-UI.patch 
qbittorrent-4.5.2/debian/patches/02_Disable-UPnP-for-web-UI.patch
--- qbittorrent-4.5.2/debian/patches/02_Disable-UPnP-for-web-UI.patch   
2023-11-22 15:59:08.0 +0100
+++ qbittorrent-4.5.2/debian/patches/02_Disable-UPnP-for-web-UI.patch   
1970-01-01 01:00:00.0 +0100
@@ -1,14 +0,0 @@
 a/src/base/preferences.cpp
-+++ b/src/base/preferences.cpp
-@@ -599,11 +599,7 @@ void Preferences::setWebUiPort(const qui
- 
- bool Preferences::useUPnPForWebUIPort() const
- {
--#ifdef DISABLE_GUI
--return value(u"Preferences/WebUI/UseUPnP"_qs, true);
--#else
- return value(u"Preferences/WebUI/UseUPnP"_qs, false);
--#endif
- }
- 
- void Preferences::setUPnPForWebUIPort(const bool enabled)
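
Review bot: `02_Disable-UPnP-for-web-UI.patch` has no DEP-3 header, so nothing in the file ties it to #1056379 or to the 4.5.3 change mentioned under [ Tests ]; add `Description:`, `Origin:` and `Bug-Debian:` lines. As far as this hunk shows, the patch only changes the fallback passed to `value(u"Preferences/WebUI/UseUPnP"_qs, ...)` in `useUPnPForWebUIPort()`, so a qbittorrent-nox profile that already has the key stored keeps its stored value; that deserves a line in the changelog or NEWS so administrators know to check existing configurations.
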
diff -Nru qbittorrent-4.5.2/debian/patches/series 
qbittorrent-4.5.2/debian/patches/series
--- qbittorrent-4.5.2/debian/patches/series 2023-11-22 15:57:29.0 
+0100
+++ qbittorrent-4.5.2/debian/patches/series 2023-02-12 18:11:35.0 
+0100
@@ -1,2 +1 @@
 01_remove-Windows-HDPI.diff
-02_Disable-UPnP-for-web-UI.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1056721: marked as done (bookworm-pu: package speech-dispatcher-contrib/0.11.4-3+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056721,
regarding bookworm-pu: package speech-dispatcher-contrib/0.11.4-3+deb12u1
to be marked as done.


-- 
1056721: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056721
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: speech-dispatcher-cont...@packages.debian.org
Control: affects -1 + src:speech-dispatcher-contrib

Hello,

I have uploaded the attached changes for inclusion in bookworm.

Samuel

[ Reason ]
This is not really a bug but a missing feature :)

More and more blind users use arm64/armhf hardware, so that speech
synthesis availability becomes more and more important on that arch. The
French reseller of the voxin speech synthesis contacted us because they
wish to provide voxin support on arm64 & armhf, which boils down to
simply building the speech-dispatcher-voxin package on these archs. We'd
rather not have to wait for 1.5 years for this to become available when
no code change is actually needed.

(previously we didn't build it there because there was no support
available).

[ Impact ]
Without this update, it would be much more complex for our users to
install high-quality speech synthesis from voxin.

[ Tests ]
No code is affected

[ Risks ]
The change is trivial and not actually in the code

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
It just enables the arch for the package at stake.

(and actually build it by hand in a clean chroot since the whole package
depends on non-free packages).
diff -Nru speech-dispatcher-contrib-0.11.4/debian/changelog 
speech-dispatcher-contrib-0.11.4/debian/changelog
--- speech-dispatcher-contrib-0.11.4/debian/changelog   2023-04-27 
01:08:20.0 +0200
+++ speech-dispatcher-contrib-0.11.4/debian/changelog   2023-11-22 
18:37:46.0 +0100
@@ -1,3 +1,9 @@
+speech-dispatcher-contrib (0.11.4-3+deb12u1) bookworm; urgency=medium
+
+  * control: Enable voxin on armhf and arm64 archs.
+
+ -- Samuel Thibault   Wed, 22 Nov 2023 18:37:46 +0100
+
 speech-dispatcher-contrib (0.11.4-3) unstable; urgency=medium
 
   * control: Add missing breaks+replaces between speech-dispatcher-ivona and
diff -Nru speech-dispatcher-contrib-0.11.4/debian/control 
speech-dispatcher-contrib-0.11.4/debian/control
--- speech-dispatcher-contrib-0.11.4/debian/control 2023-04-27 
01:08:20.0 +0200
+++ speech-dispatcher-contrib-0.11.4/debian/control 2023-11-22 
18:37:46.0 +0100
@@ -140,7 +140,7 @@
  which needs to be installed separately.
 
 Package: speech-dispatcher-voxin
-Architecture: amd64 i386
+Architecture: arm64 armhf amd64 i386
 Multi-Arch: foreign
 Section: contrib/sound
 Depends:
diff -Nru speech-dispatcher-contrib-0.11.4/debian/salsa-ci.yml 
speech-dispatcher-contrib-0.11.4/debian/salsa-ci.yml
--- speech-dispatcher-contrib-0.11.4/debian/salsa-ci.yml2023-04-27 
01:00:31.0 +0200
+++ speech-dispatcher-contrib-0.11.4/debian/salsa-ci.yml2023-11-22 
18:37:46.0 +0100
@@ -9,5 +9,6 @@
 
 variables:
   SALSA_CI_REPROTEST_ENABLE_DIFFOSCOPE: 1
+  RELEASE: bookworm
 
 # vim: ts=2 sw=2 et sts=2 ft=yaml
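
Review bot: `RELEASE: bookworm` is added to debian/salsa-ci.yml, but the changelog entry lists only "control: Enable voxin on armhf and arm64 archs." while the checklist states that all changes are documented in d/changelog. Add a changelog line for the CI change.
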
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1056330: marked as done (bookworm-pu: package toil/5.9.2-2+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056330,
regarding bookworm-pu: package toil/5.9.2-2+deb12u1
to be marked as done.


-- 
1056330: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056330
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@packages.debian.org, sanv...@debian.org
Control: affects -1 + src:toil

[ Reason ]
This upload fixes Bug#1031192. FTBFS on single-cpu systems.

[ Impact ]
Anybody trying to build the package from source in stable on a single-cpu
system will see that the package unexpectedly FTBFS.

[ Tests ]
I've tested that the updated package builds ok in all systems.

[ Risks ]
There are no actual code changes in the program, only in the
way the tests are executed.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Backport patch from unstable to run the tests using
a single CPU.

[ Other info ]
The package is already uploaded.

diff -Nru toil-5.9.2/debian/changelog toil-5.9.2/debian/changelog
--- toil-5.9.2/debian/changelog 2023-02-06 19:04:14.0 +0100
+++ toil-5.9.2/debian/changelog 2023-11-21 00:35:00.0 +0100
@@ -1,3 +1,11 @@
+toil (5.9.2-2+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * Apply patch by Michael R. Crusoe to request a single core
+in the tests. Closes: #1031192.
+
+ -- Santiago Vila   Tue, 21 Nov 2023 00:35:00 +0100
+
 toil (5.9.2-2) unstable; urgency=medium
 
   * Add patch to handle errors when testing on ec2.
diff -Nru toil-5.9.2/debian/patches/fewer_cores 
toil-5.9.2/debian/patches/fewer_cores
--- toil-5.9.2/debian/patches/fewer_cores   1970-01-01 01:00:00.0 
+0100
+++ toil-5.9.2/debian/patches/fewer_cores   2023-11-21 00:34:08.0 
+0100
@@ -0,0 +1,37 @@
+From: Michael R. Crusoe 
+Subject: Tests: only request a single core
+Bugs: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031192
+
+--- a/src/toil/test/src/helloWorldTest.py
 b/src/toil/test/src/helloWorldTest.py
+@@ -24,7 +24,7 @@
+ 
+ class HelloWorld(Job):
+ def __init__(self):
+-Job.__init__(self,  memory=10, cores=2, disk="3G")
++Job.__init__(self,  memory=10, cores=1, disk="3G")
+ 
+ def run(self, fileStore):
+ fileID = self.addChildJobFn(childFn, cores=1, memory="1M", 
disk="3G").rv()
+--- a/src/toil/test/src/realtimeLoggerTest.py
 b/src/toil/test/src/realtimeLoggerTest.py
+@@ -57,7 +57,7 @@
+ 
+ class LogTest(Job):
+ def __init__(self):
+-Job.__init__(self, memory=10, cores=2, disk='3G')
++Job.__init__(self, memory=10, cores=1, disk='3G')
+ 
+ def run(self, fileStore):
+ RealtimeLogger.info('This should be logged at info level')
+--- a/src/toil/test/src/userDefinedJobArgTypeTest.py
 b/src/toil/test/src/userDefinedJobArgTypeTest.py
+@@ -59,7 +59,7 @@
+ 
+ class JobClass(Job):
+ def __init__(self, level, foo):
+-Job.__init__(self, memory=10, cores=2, disk="300M")
++Job.__init__(self, memory=10, cores=1, disk="300M")
+ self.level = level
+ self.foo = foo
+ 
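
Review bot: the header of `fewer_cores` uses `Bugs:`, which is not a DEP-3 field name; use `Bug-Debian:` for the bugs.debian.org URL and add `Forwarded:` so it is clear whether upstream carries the change. The three hunks lower `cores=2` to `cores=1` only in the parent job constructors of helloWorldTest.py, realtimeLoggerTest.py and userDefinedJobArgTypeTest.py; a one-line note in the description that no other test requests more than one core would back the "builds ok in all systems" statement.
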
diff -Nru toil-5.9.2/debian/patches/series toil-5.9.2/debian/patches/series
--- toil-5.9.2/debian/patches/series2023-02-06 19:01:55.0 +0100
+++ toil-5.9.2/debian/patches/series2023-11-21 00:34:08.0 +0100
@@ -10,3 +10,4 @@
 atomic_copy_as_alternative.patch
 python3_in_doc.patch
 avoid_boto
+fewer_cores
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1056696: marked as done (bookworm-pu: package unadf/0.7.11a-5+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056696,
regarding bookworm-pu: package unadf/0.7.11a-5+deb12u1
to be marked as done.


-- 
1056696: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056696
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: un...@packages.debian.org
Control: affects -1 + src:unadf

Fixes two minor security issues. These have actually been in
past releases (wheezy/jessie), but the patch wasn't actually
applied to unstable in -4, so it regressed for later releases.

Debdiff below.

Cheers,
Moritz

diff -Nru unadf-0.7.11a/debian/changelog unadf-0.7.11a/debian/changelog
--- unadf-0.7.11a/debian/changelog  2021-12-22 18:05:25.0 +0100
+++ unadf-0.7.11a/debian/changelog  2023-11-24 16:23:25.0 +0100
@@ -1,3 +1,9 @@
+unadf (0.7.11a-5+deb12u1) bookworm; urgency=medium
+
+  * CVE-2016-1243 / CVE-2016-1244 (Closes: #838248)
+
+ -- Moritz Mühlenhoff   Fri, 24 Nov 2023 18:20:14 +0100
+
 unadf (0.7.11a-5) unstable; urgency=medium
 
   * QA upload.
diff -Nru unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-1244 
unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-1244
--- unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-12441970-01-01 
01:00:00.0 +0100
+++ unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-12442023-11-24 
16:25:05.0 +0100
@@ -0,0 +1,146 @@
+Description: Fix unsafe extraction by using mkdir() instead of shell command
+  This commit fixes following vulnerabilities:
+
+  - CVE-2016-1243: stack buffer overflow caused by blindly trusting on
+pathname lengths of archived files
+
+Stack allocated buffer sysbuf was filled with sprintf() without any
+bounds checking in extracTree() function.
+
+  - CVE-2016-1244: execution of unsanitized input
+
+Shell command used for creating directory paths was constructed by
+concatenating names of archived files to the end of the command
+string.
+
+  So, if the user was tricked to extract a specially crafted .adf file,
+  the attacker was able to execute arbitrary code with privileges of the
+  user.
+
+  This commit fixes both issues by
+
+1) replacing mkdir shell commands with mkdir() function calls
+2) removing redundant sysbuf buffer
+
+Author: Tuomas Räsänen 
+Last-Update: 2016-09-20
+--
+--- a/Demo/unadf.c
 b/Demo/unadf.c
+@@ -24,6 +24,8 @@
+ 
+ #define UNADF_VERSION "1.0"
+ 
++#include 
++#include 
+ 
+ #include
+ #include
+@@ -31,17 +33,15 @@
+ 
+ #include "adflib.h"
+ 
+-/* The portable way used to create a directory is to call the MKDIR command 
via the
+- * system() function.
+- * It is used to create the 'dir1' directory, like the 'dir1/dir11' directory
++/* The portable way used to create a directory is to call mkdir()
++ * which is defined by following standards: SVr4, BSD, POSIX.1-2001
++ * and POSIX.1-2008
+  */
+ 
+ /* the portable way to check if a directory 'dir1' already exists i'm using 
is to
+  * do fopen('dir1','rb'). NULL is returned if 'dir1' doesn't exists yet, an 
handle instead
+  */
+ 
+-#define MKDIR "mkdir"
+-
+ #ifdef WIN32
+ #define DIRSEP '\\'
+ #else
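Review bot: the rewritten comment calls mkdir() "the portable way", yet every standard it cites (SVr4, BSD, POSIX.1-2001, POSIX.1-2008) is a Unix one, and this file still has a WIN32 branch right below (#ifdef WIN32 / DIRSEP '\\'). The two-argument mkdir(path, mode) is not what Windows toolchains provide (MSVC's _mkdir takes the path only), so either guard the call the same way DIRSEP is guarded or drop the portability claim from the comment. The next comment, about probing for an existing directory with fopen('dir1','rb'), is left untouched and should be checked against the new code as well.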
+@@ -51,6 +51,13 @@
+ #define EXTBUFL 1024*8
+ 
+ 
++static void mkdirOrLogErr(const char *const path)
++{
++  if (mkdir(path, S_IRWXU | S_IRWXG | S_IRWXO))
++  fprintf(stderr, "mkdir: cannot create directory '%s': %s\n",
++  path, strerror(errno));
++}
++
+ void help()
+ {
+ puts("unadf [-lrcsp -v n] dumpname.adf [files-with-path] [-d 
extractdir]");
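Review bot: mkdirOrLogErr() logs every non-zero return from mkdir(), EEXIST included, and returns void, so extracting into a directory that already exists prints an error while the caller has no way to tell a harmless EEXIST from a real failure such as EACCES. Suggest returning the mkdir() result (or a bool) and treating errno == EEXIST as success. The mode S_IRWXU | S_IRWXG | S_IRWXO is still filtered by the process umask, which is the same outcome the old shell mkdir gave; a one-line comment saying so would save the next reader a second look at the 0777.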
+@@ -152,7 +159,6 @@ void extractTree(struct Volume *vol, str
+ {
+   struct Entry* entry;
+ char *buf;
+-char sysbuf[200];
+ 
+ while(tree) {
+ entry = (struct Entry*)tree->content;
+@@ -162,16 +168,14 @@ void extractTree(struct Volume *vol, str
+ buf=(char*)malloc(strlen(path)+1+strlen(entry->name)+1);
+ if (!buf) return;
+ sprintf(buf,"%s%c%s",path,DIRSEP,entry->name);
+-sprintf(sysbuf,"%s %s",MKDIR,buf);
+ if (!qflag) printf("x - %s%c\n",buf,DIRSEP);
++if (!pflag) mkdirOrLogErr(buf);
+ }
+ else {
+-sprintf(sysbuf,"%s %s",MKDIR,entry->name);
+   
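Review bot: in the directory branch, entry->name from the archive is joined to path and passed straight to mkdirOrLogErr(buf); nothing in the lines shown rejects a name that contains ".." or an embedded DIRSEP. Dropping sysbuf and the shell command closes the overflow and the command injection, but unless names are validated elsewhere, directory creation is still steered by untrusted archive contents. Suggest refusing such names before the mkdir() call and logging them, in the same place where pflag is tested.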

Bug#1056318: marked as done (bookworm-pu: package dhcpcd5/9.4.1-24~deb12u3)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056318,
regarding bookworm-pu: package dhcpcd5/9.4.1-24~deb12u3
to be marked as done.


-- 
1056318: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056318
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: dhcp...@packages.debian.org
Control: affects -1 + src:dhcpcd5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[ Reason ]
As per bug #1053657, files moved between binary targets and between /lib
and /usr/lib may cause problems when upgrading from Bullseye due to the
introduction of usrmerge.

[ Impact ]
As per bug report, the issue is not trivially reproducible and probably
does not affect the majority of users. However, given how moving files
between /lib and /usr/lib was considered an RC issue during the transition
to usrmerge, mitigation is desirable just to be safe.

[ Tests ]
Manual upgrade tested in chroot and confirmed to work as expected.

[ Risks ]
None.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
1) Migrate Breaks/Replaces dhcpcd5 (<< 9.4.1-2) to Conflicts (Closes: #1053657).
2) Update dhcpcd.preinst version check for previous bookworm-pu fix.

[ Other info ]

diff -Nru dhcpcd5-9.4.1/debian/changelog dhcpcd5-9.4.1/debian/changelog
- --- dhcpcd5-9.4.1/debian/changelog2023-07-22 17:56:49.0 +0300
+++ dhcpcd5-9.4.1/debian/changelog  2023-10-20 11:12:13.0 +0300
@@ -1,3 +1,10 @@
+dhcpcd5 (9.4.1-24~deb12u3) bookworm; urgency=medium
+
+  * Move Breaks/Replaces dhcpcd5 (<< 9.4.1-2) to Conflicts (Closes: #1053657).
+  * Update dhcpcd.preinst version check.
+
+ -- Martin-Éric Racine   Fri, 20 Oct 2023 11:12:13 
+0300
+
 dhcpcd5 (9.4.1-24~deb12u2) bookworm; urgency=medium
 
   * Fixed dhcpcd.preinst with the tilde version.
diff -Nru dhcpcd5-9.4.1/debian/control dhcpcd5-9.4.1/debian/control
- --- dhcpcd5-9.4.1/debian/control  2023-05-28 05:57:38.0 +0300
+++ dhcpcd5-9.4.1/debian/control2023-10-20 11:11:34.0 +0300
@@ -14,8 +14,7 @@
 Package: dhcpcd-base
 Architecture: any
 Provides: dhcp-client
- -Replaces: dhcpcd5 (<< 9.4.1-2)
- -Breaks: dhcpcd5 (<< 9.4.1-2)
+Conflicts: dhcpcd5 (<< 9.4.1-2)
 Depends: adduser,
  ${misc:Depends},
  ${shlibs:Depends}
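Review bot: replacing both Replaces and Breaks with a single Conflicts: dhcpcd5 (<< 9.4.1-2) is a stronger relation than Policy normally asks for (Breaks plus Replaces is the preferred pair for moved files), and neither this stanza nor the changelog line says why the stronger form is needed. Add the reason from the request, the /lib to /usr/lib file moves tracked in #1053657, to the changelog entry so the choice is not reverted by a later cleanup.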
diff -Nru dhcpcd5-9.4.1/debian/dhcpcd.preinst 
dhcpcd5-9.4.1/debian/dhcpcd.preinst
- --- dhcpcd5-9.4.1/debian/dhcpcd.preinst   2023-07-22 17:56:40.0 
+0300
+++ dhcpcd5-9.4.1/debian/dhcpcd.preinst 2023-10-20 11:12:08.0 +0300
@@ -2,7 +2,7 @@
 # As per Debian bug #1037190.
 # Copyright 2023 Andreas Beckmann 
 set -e
- -if dpkg --compare-versions "$2" lt-nl "1:9.4.1-24~deb12u2~" ; then
+if dpkg --compare-versions "$2" lt-nl "1:9.4.1-24~deb12u3~" ; then
   # Cleanup leftovers from dhcpcd 1:3.* in Wheezy.
   # Can be removed after Trixie is released.
   update-alternatives --remove dhcpcd /sbin/dhcpcd3
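Review bot: the threshold in the dpkg --compare-versions guard is tied to this upload's own version string, and the changelog context shows that deb12u2 already had to fix the same line ("Fixed dhcpcd.preinst with the tilde version"). The only comment above it points to #1037190 and does not say the string has to be bumped with every bookworm upload. Add that as a comment next to the test, or derive the value at build time, so the next stable update does not need a third follow-up.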

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1056307: marked as done (bookworm-pu: package lastpass-cli/1.3.7-1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056307,
regarding bookworm-pu: package lastpass-cli/1.3.7-1+deb12u1
to be marked as done.


-- 
1056307: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056307
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

Dear stable release managers,

Please consider lastpass-cli (1.3.7-1+deb12u1) for bookworm:
  
  lastpass-cli (1.3.7-1+deb12u1) bookworm; urgency=medium
  .
* Upload latest upstream version to fix compatibility with Lastpass's
  SSL keys. (Closes: #1055876)


Currently, lastpass-cli is completely non-functioning in bookworm, so
it should either be updated or removed.

The full debdiff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diff --git a/debian/changelog b/debian/changelog
index 800751f..68e0043 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,42 @@
+lastpass-cli (1.3.7-1+deb12u1) bookworm; urgency=medium
+
+  * Upload latest upstream version to fix compatability with Lastpass's
+SSL keys. (Closes: #1055876)
+
+ -- Chris Lamb   Mon, 20 Nov 2023 10:14:54 +
+
+lastpass-cli (1.3.7-1) unstable; urgency=medium
+
+  * New upstream release. (Closes: #1055876)
+  * Drop 0001-Fix-FTBFS-with-GCC-10.0.patch; applied upstream.
+
+ -- Chris Lamb   Mon, 13 Nov 2023 12:40:41 +
+
+lastpass-cli (1.3.6-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Refresh patches.
+
+ -- Chris Lamb   Sat, 09 Sep 2023 09:52:20 -0700
+
+lastpass-cli (1.3.5-2) unstable; urgency=medium
+
+  * Always use the Debian version number. (Closes: #1051218)
+
+ -- Chris Lamb   Tue, 05 Sep 2023 10:12:30 -0700
+
+lastpass-cli (1.3.5-1) unstable; urgency=medium
+
+  * New upstream release. (Closes: #1050973)
+
+ -- Chris Lamb   Thu, 31 Aug 2023 16:37:52 -0700
+
+lastpass-cli (1.3.4-2) unstable; urgency=medium
+
+  * Also clean test/.lpass directory. (Closes: #1048723)
+
+ -- Chris Lamb   Tue, 22 Aug 2023 13:44:44 -0700
+
 lastpass-cli (1.3.4-1) unstable; urgency=medium
 
   * New upstream release.
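Review bot: the 1.3.7-1+deb12u1 entry describes the upload only as a fix for "compatability" (spelling: compatibility) with the SSL keys, but the same debdiff also brings functional changes to blob parsing in blob.c (support for encrypted URLs). List those changes under the stable entry so that the changelog alone shows what the new upstream version carries into bookworm.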
diff --git a/.gitignore b/.gitignore
index 495a746..9383e25 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@ version.h
 
 # IDE
 /.idea
+/.vs
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 21c854d..e953cee 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,13 @@
+# Vesion 1.3.7
+* Add support for reading encrypted URLs (Tibor Komlossy)
+* Fix GCC 10 compatibility issue #532 (Tibor Komlossy)
+
+# Version 1.3.6
+* Fix version (Béla Ormos)
+
+# Version 1.3.5
+* Updating certificate hashes (Béla Ormos)
+
 # Version 1.3.4
 * Updating post parameter (Gergely Der)
 
diff --git a/LASTPASS-VERSION-GEN b/LASTPASS-VERSION-GEN
index d9b0f48..8f75701 100755
--- a/LASTPASS-VERSION-GEN
+++ b/LASTPASS-VERSION-GEN
@@ -4,7 +4,7 @@
 # You can find the original at 
https://github.com/git/git/blob/master/GIT-VERSION-GEN
 
 LPVF=version.h
-DEF_VER=v1.3.4.GIT
+DEF_VER=v1.3.7.GIT
 
 LF='
 '
diff --git a/blob.c b/blob.c
index 69d9f44..f95305f 100644
--- a/blob.c
+++ b/blob.c
@@ -104,6 +104,7 @@ void account_free_contents(struct account *account)
free(account->note);
free(account->name_encrypted);
free(account->group_encrypted);
+   free(account->url_encrypted);
free(account->username_encrypted);
free(account->password_encrypted);
free(account->note_encrypted);
@@ -320,6 +321,10 @@ static int read_boolean(struct chunk *chunk)
return item.data[0] == '1';
 }
 
+static bool check_next_entry_encrypted(struct chunk *chunk) {
+   return (chunk->data + sizeof(uint32_t))[0] == '!';
+}
+
 #define entry_plain_at(base, var) do { \
char *__entry_val__ = read_plain_string(chunk); \
if (!__entry_val__) \
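Review bot: check_next_entry_encrypted() reads the byte at chunk->data + sizeof(uint32_t) without first confirming that the chunk still holds more than sizeof(uint32_t) bytes, and without looking at the four-byte field it skips (presumably the item size). On a short or truncated blob that is a read past the end of the buffer, and if the url item is empty the byte tested belongs to the item that follows. Suggest checking the remaining length and the decoded size before comparing against '!', and returning false when either check fails.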
@@ -360,6 +365,9 @@ static struct account *account_parse(struct chunk *chunk, 
const unsigned char ke
entry_plain(id);
entry_crypt(name);
entry_crypt(group);
+   if (check_next_entry_encrypted(chunk))
+   entry_crypt(url);
+   else
entry_hex(url);
entry_crypt(note);
entry_boolean(fav);
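Review bot: the new if/else around entry_crypt(url) and entry_hex(url) has no braces, and both branches are macros. entry_plain_at above opens with do { so the pattern is probably safe today, but the else silently binds to the wrong statement if either macro ever expands to more than one statement. Put braces around both branches.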
diff --git a/blob.h b/blob.h
index d6c480a..ab6c32d 100644
--- a/blob.h
+++ b/blob.h
@@ -59,7 +59,7 @@ struct a

Bug#1056228: marked as done (bookworm-pu: package sitesummary/0.1.56~deb12u2)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056228,
regarding bookworm-pu: package sitesummary/0.1.56~deb12u2
to be marked as done.


-- 
1056228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056228
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: sitesumm...@packages.debian.org, debian-...@lists.debian.org
Control: affects -1 + src:sitesummary

A small adjustment had to be made to sitesummary for Debian Edu.

[ Reason ]
On systems running systemd it was discovered that sitesummary-client's
CRON jobs were pausing all other CRON job executions when triggered via
anacron. To avoid this, sitesummary-client needs to use the newly introduced
systemd-timerd rules instead of CRON.

[ Impact ]
CRON job execution being paused at boot for max 1h.

[ Tests ]
Manually on Debian Edu 12 systems.

[ Risks ]
Only for Debian Edu users mostly. Only a few other installations seem to
use sitesummary.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

+sitesummary (0.1.56~deb12u2) bookworm; urgency=medium
+
+  [ Guido Berhoerster ]
+  * Use systemd timer for running sitesummary-client if available.
+(Cherry-picked from release 0.1.58).
+
+ -- Mike Gabriel   Sun, 19 Nov 2023 10:38:35 +0100

[ Other info ]
This upload to bookworm is required for the Debian Edu 12 release. Thanks.
diff -Nru sitesummary-0.1.56~deb12u1/debian/changelog 
sitesummary-0.1.56~deb12u2/debian/changelog
--- sitesummary-0.1.56~deb12u1/debian/changelog 2023-08-28 16:31:34.0 
+0200
+++ sitesummary-0.1.56~deb12u2/debian/changelog 2023-11-19 10:38:35.0 
+0100
@@ -1,3 +1,11 @@
+sitesummary (0.1.56~deb12u2) bookworm; urgency=medium
+
+  [ Guido Berhoerster ]
+  * Use systemd timer for running sitesummary-client if available.
+(Cherry-picked from release 0.1.58).
+
+ -- Mike Gabriel   Sun, 19 Nov 2023 10:38:35 +0100
+
 sitesummary (0.1.56~deb12u1) bookworm; urgency=medium
 
   * Release to bookworm as 0.1.56~deb12u1.
diff -Nru sitesummary-0.1.56~deb12u1/debian/sitesummary-client.cron.daily 
sitesummary-0.1.56~deb12u2/debian/sitesummary-client.cron.daily
--- sitesummary-0.1.56~deb12u1/debian/sitesummary-client.cron.daily 
2022-02-11 22:11:15.0 +0100
+++ sitesummary-0.1.56~deb12u2/debian/sitesummary-client.cron.daily 
2023-11-19 10:37:55.0 +0100
@@ -2,7 +2,10 @@
 #
 # Author: Petter Reinholdtsen
 
-[ -x /usr/sbin/sitesummary-client ] || exit 0
+if [ ! -x /usr/sbin/sitesummary-client ] || \
+[ -d /run/systemd/system ]; then
+exit 0
+fi
 
 # Read the package default.  Make sure this is identical to the code
 # in sitesummar-client
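Review bot: the new test exits whenever /run/systemd/system exists, whether or not sitesummary-client.timer is actually enabled; on a systemd host where the timer has been disabled or masked, the client then never runs from either path. If that is intended, say so in a comment above the test; otherwise skip the cron path only when the timer is enabled, for example with systemctl is-enabled --quiet sitesummary-client.timer.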
diff -Nru 
sitesummary-0.1.56~deb12u1/debian/sitesummary-client.sitesummary-client.timer 
sitesummary-0.1.56~deb12u2/debian/sitesummary-client.sitesummary-client.timer
--- 
sitesummary-0.1.56~deb12u1/debian/sitesummary-client.sitesummary-client.timer   
2023-08-23 13:01:58.0 +0200
+++ 
sitesummary-0.1.56~deb12u2/debian/sitesummary-client.sitesummary-client.timer   
2023-11-19 10:37:55.0 +0100
@@ -3,6 +3,9 @@
 
 [Timer]
 OnBootSec=5min
+OnCalendar=*-*-* 00:00:00
+RandomizedDelaySec=1h
+FixedRandomDelay=true
 
 [Install]
 WantedBy=timers.target
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1056194: marked as done (bookworm-pu: package python3-onelogin-saml2/1.12.0-2+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056194,
regarding bookworm-pu: package python3-onelogin-saml2/1.12.0-2+deb12u1
to be marked as done.


-- 
1056194: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056194
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: python3-onelogin-sa...@packages.debian.org, sanv...@debian.org
Control: affects -1 + src:python3-onelogin-saml2

[ Reason ]
This upload fixes Bug #1036255: FTBFS due to expired certificates in the tests

[ Impact ]
Anybody trying to build the package from source in bookworm will
get a build error.

[ Tests ]
I've verified that the package builds from source again.

[ Risks ]
Low risk. There are no real code changes, just the tests.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
I've cherry-picked three commits from upstream repository,
required to fix the tests.

[ Other info ]
I've already uploaded the package.
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1056164: marked as done (bookworm-pu: package libervia-backend/0.9.0~hg3993-4+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056164,
regarding bookworm-pu: package libervia-backend/0.9.0~hg3993-4+deb12u1
to be marked as done.


-- 
1056164: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056164
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-xmpp-de...@lists.alioth.debian.org

Fixes three bugs:

#1056163  libervia-backend: start fails without pre-existing configuration
#1055445  libervia-backend: manual page says it is autorun, but it is not
#1055446  libervia-backend: requires python3-txdbus

Debdiff is attached.

diff -Nru libervia-backend-0.9.0~hg3993/debian/changelog 
libervia-backend-0.9.0~hg3993/debian/changelog
--- libervia-backend-0.9.0~hg3993/debian/changelog  2023-02-07 
08:34:29.0 +
+++ libervia-backend-0.9.0~hg3993/debian/changelog  2023-11-17 
23:29:54.0 +
@@ -1,3 +1,11 @@
+libervia-backend (0.9.0~hg3993-4+deb12u1) bookworm; urgency=medium
+
+  * Fix dependencies on python3-txdbus/python3-dbus (Closes: #1055446)
+  * Add patch to make exec path absolute in dbus service file (Closes: 
#1055445)
+  * Fix start failure without pre-existing configuration (Closes: #1056163)
+
+ -- Martin   Fri, 17 Nov 2023 23:29:54 +
+
 libervia-backend (0.9.0~hg3993-4) unstable; urgency=medium
 
   * add patch to not use SCM version (Closes: #1030429)
diff -Nru libervia-backend-0.9.0~hg3993/debian/control 
libervia-backend-0.9.0~hg3993/debian/control
--- libervia-backend-0.9.0~hg3993/debian/control2023-02-07 
00:01:12.0 +
+++ libervia-backend-0.9.0~hg3993/debian/control2023-11-17 
23:29:54.0 +
@@ -31,7 +31,7 @@
python3-alembic,
python3-babel,
python3-dateutil (>= 2.7.3~),
-   python3-dbus,
+   python3-txdbus,
python3-idna,
python3-lxml,
python3-mutagen,
@@ -113,6 +113,7 @@
${python3:Depends},
python3,
 libervia-backend (= ${source:Version}),
+   python3-dbus,
python3-gi,
 Recommends: python3-progressbar,
python3-pygments,
diff -Nru libervia-backend-0.9.0~hg3993/debian/patches/fix-exec-path.patch 
libervia-backend-0.9.0~hg3993/debian/patches/fix-exec-path.patch
--- libervia-backend-0.9.0~hg3993/debian/patches/fix-exec-path.patch
1970-01-01 00:00:00.0 +
+++ libervia-backend-0.9.0~hg3993/debian/patches/fix-exec-path.patch
2023-11-17 23:29:54.0 +
@@ -0,0 +1,14 @@
+Description: Exec path must be absolute
+Author: Martin 
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/1055445
+Last-Update: 2023-11-08
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/misc/org.libervia.Libervia.service
 b/misc/org.libervia.Libervia.service
+@@ -1,3 +1,3 @@
+ [D-BUS Service]
+ Name=org.libervia.Libervia
+-Exec=libervia-backend
++Exec=/usr/bin/libervia-backend
diff -Nru libervia-backend-0.9.0~hg3993/debian/patches/fix-startup-error.patch 
libervia-backend-0.9.0~hg3993/debian/patches/fix-startup-error.patch
--- libervia-backend-0.9.0~hg3993/debian/patches/fix-startup-error.patch
1970-01-01 00:00:00.0 +
+++ libervia-backend-0.9.0~hg3993/debian/patches/fix-startup-error.patch
2023-11-17 23:29:54.0 +
@@ -0,0 +1,18 @@
+Description: fix exception on startup without pre-existing configuration
+Author: Martin 
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/1056163
+Last-Update: 2023-11-18
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/sat/memory/migration/env.py
 b/sat/memory/migration/env.py
+@@ -3,6 +3,8 @@
+ from sqlalchemy import pool
+ from sqlalchemy.ext.asyncio import create_async_engine
+ from alembic import context
++import sys
++sys.path.append("/usr/share/libervia")
+ from sat.memory import sqla_config
+ from sat.memory.sqla_mapping import Base
+ 
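Review bot: the two added lines hard-code /usr/share/libervia into sys.path inside env.py, and the Description does not explain why a missing configuration ends in an import failure that this path cures. Add a sentence to the DEP-3 header that makes the link, plus a Forwarded: field, since Origin: vendor on its own leaves open whether upstream needs the same fix. Using sys.path.append() rather than inserting at the front keeps the directory last in the search order, so it cannot shadow installed modules; that part is fine as written.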
diff -Nru libervia-backend-0.9.0~hg3993/debian/patches/series 
libervia-backend-0.9.0~hg3993/debian/patches/series
--- libervia-backend-0.9.0~hg3993/debian/patches/series 2023-02-07 
08:27:18.0 +
+++ libervia-backend-0.9.0~hg3993/debian/patches/series 2023-11-17 
23:29:54.0 +
@@ -1,3 +1,5 @@
+fix-startup-error.patch
+fix-exec-path.patch
 replace-geta

Bug#1056006: marked as done (bookworm-pu: package libsolv/0.7.23-1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056006,
regarding bookworm-pu: package libsolv/0.7.23-1+deb12u1
to be marked as done.


-- 
1056006: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056006
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Both Fedora Rawhide and SUSE Tumbleweed started to compress their
respective RepoData with zstd. The libsolv version in bookworm is not
built with zstd support, so using zypper/dnf from any Ubuntu version to
build a new Fedora/SUSE chroot started to fail this week.

[ Impact ]
$ mkdir -p repos.d img
$ cat 
Building repository 'test.repo' cache 
.[error]
Error building the cache:
[test.repo|https://download.opensuse.org/tumbleweed/repo/oss/] Failed to cache 
repo (1).
History:
 - 'repo2solv' '-o' '/tmp/img/var/cache/zypp/solv/test.repo/solv' '-X' 
'/tmp/img/var/cache/zypp/raw/test.repo'
   
/tmp/img/var/cache/zypp/raw/test.repo/repodata/d6fbf1152bab99fc7ceacf974422a9799694274b64c36015b10288e6cabadd81e4649b19f52570efc5f3ab5b28817c9561fa8eeca117a05f3caea6c33e48cb69-primary.xml.zst:
 No such file or directory
   Command exited with status 1.

[ Tests ]
libsolv in bookworm already supports zstd, but it is not enabled. The
fix is simply to build-depend on libzstd and enable the relevant cmake
flag, and then it works:

$ zypper --reposd-dir=/tmp/repos.d --root=/tmp/img --gpg-auto-import-keys 
install distribution-release filesystem
Building repository 'mkosi.repo' cache 
.[done]
Loading repository data...
Reading installed packages...
'distribution-release' not found in package names. Trying capabilities.
Resolving package dependencies...

The following 20 NEW packages are going to be installed:
  bash bash-sh compat-usrmerge-tools filesystem glibc glibc-extra libgcc_s1 
libncurses6 libpcre2-8-0 libreadline8
  libselinux1 libstdc++6 ncurses-utils openSUSE-release 
openSUSE-release-appliance-custom
  patterns-glibc-hwcaps-x86_64_v3 system-user-root terminfo-base 
terminfo-screen timezone

The following 4 recommended packages were automatically selected:
  glibc-extra ncurses-utils terminfo-screen timezone

The following 9 packages are suggested, but will not be installed:
  branding-openSUSE distribution-logos-openSUSE-Tumbleweed java-11-openjdk 
mariadb mariadb-client openssl-1_1
  openSUSE-build-key openSUSE-repos-Tumbleweed procps

20 new packages to install.
Overall download size: 7.3 MiB. Already cached: 0 B. After the operation, 
additional 16.3 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
<...>
$ cat img/usr/lib/os-release 
NAME="openSUSE Tumbleweed"
# VERSION="20231114"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20231114"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20231114"
BUG_REPORT_URL="https://bugzilla.opensuse.org"
SUPPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Tumbleweed"
LOGO="distributor-logo-Tumbleweed"

[ Risks ]
Minimal, support for zstd is old and the change is simply a new build
dependency and build flag. Worst case scenario is that zstd doesn't
work, and the situation is not any different from status quo.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Other info ]
I have already updated this change. It is fixed in the latest unstable
upload as well. I am also proposing the same fix for Ubuntu stable
releases:

https://bugs.launchpad.net/ubuntu/+source/libsolv/+bug/2043625

-- 
Kind regards,
Luca Boccassi
diff -Nru libsolv-0.7.23/debian/changelog libsolv-0.7.23/debian/changelog
--- libsolv-0.7.23/debian/changelog	2023-02-06 

Bug#1056169: marked as done (bookworm-pu: package di-netboot-assistant/0.78~deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056169,
regarding bookworm-pu: package di-netboot-assistant/0.78~deb12u1
to be marked as done.


-- 
1056169: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056169
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: di-netboot-assist...@packages.debian.org, a...@debian.org
Control: affects -1 + src:di-netboot-assistant

[ Reason ]
With Bookworm, a few modifications have happened to the Debian Live ISO
images' meta data [1].  These changes make di-netboot-assistant
partially fail when bookworm ISO images are in use (the menus for the
network boot loaders like grub and iPXE are not generated properly).

The Live ISO images side has improved and stabilized [2], and also
di-netboot-assistant has been made more robust to account for these
modifications.  In addition a few minor fixes to documentation and
examples (bookworm, preseed file) have been applied.

[1] https://lists.debian.org/debian-live/2023/06/msg00023.html
[2] https://lists.debian.org/debian-live/2023/07/msg00030.html

[ Impact ]
The inclusion of bookworm live ISO images fails.

[ Tests ]
I tested the changes with the 12.2.0 gnome, kde and standard ISOs.
Grub and iPXE menu.

[ Risks ]
There are almost no risks involved.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Mostly parsing latest meta data from the live images and more robust
handling of kernel/initrd (with/without version number).

[ Other info ]
I'll already upload the updated package.
The release team is doing a great job, thank you!
diff -Nru di-netboot-assistant-0.76/config/grub.cfg.HEAD 
di-netboot-assistant-0.78~deb12u1/config/grub.cfg.HEAD
--- di-netboot-assistant-0.76/config/grub.cfg.HEAD  2023-03-16 
17:05:12.0 +0100
+++ di-netboot-assistant-0.78~deb12u1/config/grub.cfg.HEAD  2023-06-18 
09:11:47.0 +0200
@@ -18,7 +18,7 @@
 set default='Boot from local disk..'
 #set timeout=10
 
-if background_image 
/d-i/n-pkg/images/11/amd64/text/debian-installer/amd64/boot-screens/splash.png; 
then
+if background_image 
/d-i/n-pkg/images/12/amd64/text/debian-installer/amd64/boot-screens/splash.png; 
then
   set color_normal=light-gray/black
   set color_highlight=white/black
 elif background_image /d-i/n-a/stable/amd64/boot-screens/splash.png; then
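Review bot: the first background_image test hard-codes the release number in the path (images/11 becomes images/12), so the same one-character edit is needed at every release and is easy to miss. The elif on the next line already falls back to /d-i/n-a/stable/amd64/boot-screens/splash.png; either rely on that release-independent path or add a comment marking this line as one to bump per release.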
diff -Nru di-netboot-assistant-0.76/debian/changelog 
di-netboot-assistant-0.78~deb12u1/debian/changelog
--- di-netboot-assistant-0.76/debian/changelog  2023-03-16 17:05:12.0 
+0100
+++ di-netboot-assistant-0.78~deb12u1/debian/changelog  2023-06-18 
09:11:47.0 +0200
@@ -1,3 +1,10 @@
+di-netboot-assistant (0.78~deb12u1) bookworm; urgency=medium
+
+  * Fixes for bookworm live iso image inclusion.
+  * Update/add/fix preseed examples.  Thanks to Holger Wansing.
+
+ -- Andreas B. Mundt   Sun, 18 Jun 2023 09:11:47 +0200
+
 di-netboot-assistant (0.76) unstable; urgency=medium
 
   * Fix typo in preseeding example.
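Review bot: the new 0.78~deb12u1 entry sits directly on top of 0.76, with no 0.77 or 0.78 entry between them, although the version string and PACKAGE_VERSION=0.78 present this as a rebuild of 0.78. Keep the intermediate unstable entries in the stable changelog, or spell out in this entry which changes from those versions are included, so the two bullets here can be checked against the rest of the debdiff.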
diff -Nru di-netboot-assistant-0.76/di-netboot-assistant 
di-netboot-assistant-0.78~deb12u1/di-netboot-assistant
--- di-netboot-assistant-0.76/di-netboot-assistant  2023-03-16 
17:05:12.0 +0100
+++ di-netboot-assistant-0.78~deb12u1/di-netboot-assistant  2023-06-18 
09:11:47.0 +0200
@@ -26,7 +26,7 @@
 
 # -- Declare the constants --- #
 PACKAGE_NAME=di-netboot-assistant
-PACKAGE_VERSION=0.76
+PACKAGE_VERSION=0.78
 
 # -- Initialize the global variables - #
 OFFLINE=false
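Review bot: `PACKAGE_VERSION=0.78` drops the `~deb12u1` suffix that debian/changelog carries for this upload, so a version reported by the script cannot distinguish the stable-update build from a plain 0.78. If the constant is meant to track only the upstream part of the version, a short comment saying so would prevent a later "correction".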
@@ -253,8 +253,8 @@
 # Returns: (EXIT STATUS) 0=Success, 1=Error
 #  #
 prepare_grub() {
-local v="" opt=$1 VERS V GRUB AR DIR 
-
+local v="" opt=$1 VERS V GRUB AR DIR
+
 $VERBOSE && v="-v"
 [ -z "$opt"  ] && [ -d $TFTP_ROOT/$N_A_DIR/grub ] && return 0
 
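Review bot: Both changed lines in this hunk differ only in trailing whitespace (the `local v="" opt=$1 ...` declaration and the blank line after it). For a stable update, leave such cleanups out of the debdiff or mention them in the changelog entry, since the request states that all changes are documented there.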
@@ -263,7 +263,7 @@
 [ ! -e "$TFTP_ROOT/debian-installer" ] && \
 ln -srv $TFTP_ROOT/$N_A_DIR/ $TFTP_ROOT/debian-installer
 
-for AR in x64 aa64 ; do 
+for AR in x64 aa64 ; do
 ## We link bootnet*.efi and grub

Bug#1056136: marked as done (bookworm-pu: package intel-graphics-compiler/1.0.12504.6-1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056136,
regarding bookworm-pu: package intel-graphics-compiler/1.0.12504.6-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1056136: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056136
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
Control: block 1055874 with -1

[ Reason ]
A recent rebuild of all packages in bookworm discovered an
incompatibility of intel-graphics-compiler/bookworm with
intel-vc-intrinsics/bookworm, causing the former to FTBFS.
#1055874
The intel-graphics-compiler binaries in bookworm were built against an
older version of intel-vc-intrinsics (0.8.1) than what was shipped in
bookworm (0.11.0).

[ Impact ]
src:intel-graphics-compiler does FTBFS in bookworm in case someone wants
to rebuild it or a security update needs to happen.

[ Tests ]
Unfortunately there is no testsuite here, but src:intel-compute-runtime
(which heavily uses this package) has one.

[ Risks ]
The upstream commits required for the fix are larger than I would have
liked, but they apply cleanly. There seems to have been some major
reorganization in intel-vc-intrinsics.

intel-graphics-compiler has only one user: intel-compute-runtime (which
is a leaf package), so we cannot break much.
intel-vc-intrinsics also has only one user (intel-graphics-compiler),
therefore no similar bugs could have occurred elsewhere.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
* Replace our patches with the corresponding upstream commits (which are
  larger, but fix all occurrences of the problems and do this more
  thoroughly), s.t. subsequent patches apply cleanly. (Only two minor
  adjustments were needed to make
  0002-Changed-relative-paths-in-include-directives.patch apply.)
* Cherry-pick (without any adjustments needed) two patches which update
  the codebase for the changes in intel-vc-intrinsics 0.11.0, making it
  incompatible with older versions (therefore bumping the b-d version).

[ Other info ]
I'll upload the fixed package right now.

 b/debian/changelog                                                       |   10
 b/debian/control                                                         |    2
 b/debian/patches/0001-Preinstalled-SPIRV-Tools-CMakeFile-fix.patch       |   51
 b/debian/patches/0002-Changed-relative-paths-in-include-directives.patch |  524
 b/debian/patches/0003-Add-multi-indirect-byte-regioning-feature.patch    |  162 +
 b/debian/patches/0004-VC-subtarget-refactoring.patch                     | 1075 ++
 b/debian/patches/series                                                  |    7
 debian/patches/fix-relative-includes.patch                               |   15
 debian/patches/fix-spirv-check.diff                                      |   13
 9 files changed, 1827 insertions(+), 32 deletions(-)


Andreas


intel-graphics-compiler_1.0.12504.6-1+deb12u1.diff.xz
Description: application/xz
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1056158: marked as done (bookworm-pu: package proftpd-dfsg/1.3.8+dfsg-4+deb12u2)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1056158,
regarding bookworm-pu: package proftpd-dfsg/1.3.8+dfsg-4+deb12u2
to be marked as done.


-- 
1056158: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056158
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: proftpd-d...@packages.debian.org
Control: affects -1 + src:proftpd-dfsg

[ Reason ]
In Proftp 1.3.8 the buffer size for SSL communication is set too small,
so some SFTP client connections fail, in case the "KEXINIT"
messages from both sides are too large. The patch solves the
regression, which was caused by bullseye -> bookworm upgrade.

[ Impact ]
Currently in some situations (large "KEXINIT" messages from
both sides) the SSL communication may fail.

[ Tests ]
I provided a fixed package to the bug submitter for testing.
He confirmed that his specific issue is solved. The package
itself passes the built-in test suite.

[ Risks ]
Patch is trivial, there are no real functional changes, but
rather changes in buffer sizes.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

Debdiff is here 
https://release.debian.org/proposed-updates/bookworm_diffs/proftpd-dfsg_1.3.8+dfsg-4+deb12u2.debdiff

[ Changes ]
The patch extends the buffer length to do SSL computation.
In Proftp 1.3.8 the size is set too small, so some SFTP client
connections fail. The patch solves the regression, which
was caused by bullseye -> bookworm upgrade.
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1055944: marked as done (bookworm-pu: package vips/8.14.1-3+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055944,
regarding bookworm-pu: package vips/8.14.1-3+deb12u1
to be marked as done.


-- 
1055944: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055944
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal
Control: affects -1 + src:vips

Hi RMs,

[ Reason ]
A specially crafted SVG input can cause libvips versions 8.14.3 or
earlier to segfault when attempting to parse a malformed UTF-8
character. It is considered a security issue and has the
CVE-2023-40032 identifier.

[ Impact ]
It is an application crash and can't be used for more. Hence the
Security Team decided it doesn't get a DSA. But it would be nice to
get the package updated.

[ Tests ]
Upstream testsuite and Sid update don't report any regressions.

[ Risks ]
The proposed change has very little risk of side-effects.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in bookworm
  [x] the issue is verified as fixed in unstable

Thanks for considering,
Laszlo/GCS
diff -Nru vips-8.14.1/debian/changelog vips-8.14.1/debian/changelog
--- vips-8.14.1/debian/changelog	2023-02-13 10:48:58.0 +0100
+++ vips-8.14.1/debian/changelog	2023-11-14 16:05:39.0 +0100
@@ -1,3 +1,10 @@
+vips (8.14.1-3+deb12u1) bookworm; urgency=medium
+
+  * Backport upstream security fix for CVE-2023-40032: svgload: fix
+null-pointer dereference.
+
+ -- Laszlo Boszormenyi (GCS)   Tue, 14 Nov 2023 16:05:39 +0100
+
 vips (8.14.1-3) unstable; urgency=medium
 
   * Double self-testing timeout on mips64el and mipsel architectures.
diff -Nru vips-8.14.1/debian/patches/CVE-2023-40032.patch vips-8.14.1/debian/patches/CVE-2023-40032.patch
--- vips-8.14.1/debian/patches/CVE-2023-40032.patch	1970-01-01 01:00:00.0 +0100
+++ vips-8.14.1/debian/patches/CVE-2023-40032.patch	2023-11-14 16:05:39.0 +0100
@@ -0,0 +1,71 @@
+From e091d65835966ef56d53a4105a7362cafdb1582b Mon Sep 17 00:00:00 2001
+From: Kleis Auke Wolthuizen 
+Date: Sun, 13 Aug 2023 15:48:54 +0200
+Subject: [PATCH] svgload: fix null-pointer dereference (#3604)
+
+`g_utf8_find_next_char()` might return NULL when called with a
+non-NULL second argument, indicating that the end of the string
+has been reached.
+---
+ ChangeLog |  4 
+ libvips/foreign/svgload.c | 18 +++---
+ 2 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index e47ee86bb4..b7544219e5 100644
+--- a/ChangeLog
 b/ChangeLog
+@@ -1,3 +1,7 @@
++TBD 8.14.4
++
++- fix null-pointer dereference during svgload [kleisauke]
++
+ TBD 8.14.2
+ 
+ - dedupe FITS header write [ewelot]
+diff --git a/libvips/foreign/svgload.c b/libvips/foreign/svgload.c
+index 94072581d4..aefd412ed2 100644
+--- a/libvips/foreign/svgload.c
 b/libvips/foreign/svgload.c
+@@ -145,7 +145,7 @@ vips_foreign_load_svg_zfree( void *opaque, void *ptr )
+ /* Find a utf-8 substring within the first len_bytes (not characters). 
+  *
+  *   - case-insensitive
+- *   - needle must be zero-terminated, but hackstack need not be
++ *   - needle must be zero-terminated, but haystack need not be
+  *   - haystack can be null-terminated
+  *   - if haystack is shorter than len bytes, that'll end the search 
+  *   - if we hit invalid utf-8, we return NULL
+@@ -191,11 +191,14 @@ vips_utf8_strcasestr( const char *haystack_start, const char *needle_start,
+ b == (gunichar) -2 )
+ return( NULL );
+ 
+-/* End of haystack. There can't be a complete needle
+- * anywhere.
++/* Disallow codepoint U+ as it's a nul byte.
++ * This is redundant with GLib >= 2.63.0, see:
++ * https://gitlab.gnome.org/GNOME/glib/-/merge_requests/967
+  */
++#if !GLIB_CHECK_VERSION( 2, 63, 0 )
+ if( a == (gunichar) 0 )
+ return( NULL );
++#endif
+ 
+ /* Mismatch.
+  */
+@@ -205,6 +208,15 @@ vips_utf8_strcasestr( const char *haystack_start, const char *needle_start,
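Review bot: The backported patch carries upstream's ChangeLog hunk, which inserts a `TBD 8.14.4` heading into an 8.14.1 source tree; dropping that hunk would keep the quilt patch limited to libvips/foreign/svgload.c. The patch header also has no `Origin:` or `Bug-Debian:` field, only the git `From`/`Date`/`Subject` lines, which makes the backport harder to trace later. In the svgload.c part, the `a == (gunichar) 0` check is now compiled only when `GLIB_CHECK_VERSION( 2, 63, 0 )` is false, so it is worth stating in the request which GLib version the bookworm build uses.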

Bug#1055986: marked as done (bookworm-pu: package symfony/5.4.23+dfsg-1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055986,
regarding bookworm-pu: package symfony/5.4.23+dfsg-1+deb12u1
to be marked as done.


-- 
1055986: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055986
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: symf...@packages.debian.org, Debian PHP PEAR Maintainers 

Control: affects -1 + src:symfony

Hi,

I’d like to fix the following two security issues in the next point
release, as advised by the security team (they do not intend to issue a
DSA for that).

[TwigBridge] Ensure CodeExtension's filters properly escape their input
[CVE-2023-46734] (Closes: #1055774)
[Security] Fix possible session fixation when only the *token* changes
[CVE-2023-46733] (Closes: #1055775)

I didn’t test the packages thoroughly (and I’m not sure to have much
time for a while), but at least the testsuites pass.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks in advance,

taffit
diff -Nru symfony-5.4.23+dfsg/debian/changelog symfony-5.4.23+dfsg/debian/changelog
--- symfony-5.4.23+dfsg/debian/changelog	2023-04-29 18:41:44.0 +0200
+++ symfony-5.4.23+dfsg/debian/changelog	2023-11-11 18:59:39.0 +0100
@@ -1,3 +1,14 @@
+symfony (5.4.23+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * debian/gbp.conf: Track bookworm branch
+  * Backport security fixes from Symfony 5.4.31
+- [TwigBridge] Ensure CodeExtension's filters properly escape their input
+  [CVE-2023-46734] (Closes: #1055774)
+- [Security] Fix possible session fixation when only the *token* changes
+  [CVE-2023-46733] (Closes: #1055775)
+
+ -- David Prévot   Sat, 11 Nov 2023 18:59:39 +0100
+
 symfony (5.4.23+dfsg-1) unstable; urgency=medium
 
   [ Fabien Potencier ]
diff -Nru symfony-5.4.23+dfsg/debian/gbp.conf symfony-5.4.23+dfsg/debian/gbp.conf
--- symfony-5.4.23+dfsg/debian/gbp.conf	2023-02-28 19:54:32.0 +0100
+++ symfony-5.4.23+dfsg/debian/gbp.conf	2023-11-11 18:59:39.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
 pristine-tar = True
 filter = [ '.gitattributes' ]
 
diff -Nru symfony-5.4.23+dfsg/debian/patches/Security-Fix-possible-session-fixation-when-only-the-toke.patch symfony-5.4.23+dfsg/debian/patches/Security-Fix-possible-session-fixation-when-only-the-toke.patch
--- symfony-5.4.23+dfsg/debian/patches/Security-Fix-possible-session-fixation-when-only-the-toke.patch	1970-01-01 01:00:00.0 +0100
+++ symfony-5.4.23+dfsg/debian/patches/Security-Fix-possible-session-fixation-when-only-the-toke.patch	2023-11-11 18:59:39.0 +0100
@@ -0,0 +1,65 @@
+From: Robert 
+Date: Fri, 3 Nov 2023 17:09:59 +0100
+Subject: [Security] Fix possible session fixation when only the *token*
+ changes
+
+Origin: upstream, https://github.com/symfony/symfony/commit/dc356499d5ceb86f7cf2b4c7f032eca97061ed74
+Bug: https://symfony.com/blog/cve-2023-46733-possible-session-fixation
+Bug-Debian: https://bugs.debian.org/1055775
+---
+ .../Http/EventListener/SessionStrategyListener.php  |  2 +-
+ .../EventListener/SessionStrategyListenerTest.php   | 21 +
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/Symfony/Component/Security/Http/EventListener/SessionStrategyListener.php b/src/Symfony/Component/Security/Http/EventListener/SessionStrategyListener.php
+index 311a52f..c6fcba8 100644
+--- a/src/Symfony/Component/Security/Http/EventListener/SessionStrategyListener.php
 b/src/Symfony/Component/Security/Http/EventListener/SessionStrategyListener.php
+@@ -48,7 +48,7 @@ class SessionStrategyListener implements EventSubscriberInterface
+ $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();
+ $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();
+ 
+-if ('' !== ($user ?? '') && $user === $previousUser) {
++if ('' !== ($user ?? '') && $user === $previousUser && \get_class($token) =
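Review bot: The changed condition in SessionStrategyListener.php now chains three checks in one `if` (non-empty user, same user as the previous token, and a `\get_class($token)` comparison) with no comment explaining the third. A one-line comment tying the added `\get_class($token)` term to the "only the *token* changes" case from the patch subject (CVE-2023-46733) would make the intent clear to the next person editing this condition.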

Bug#1055965: marked as done (bookworm-pu: package network-manager-openconnect/1.2.8-3+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055965,
regarding bookworm-pu: package network-manager-openconnect/1.2.8-3+deb12u1
to be marked as done.


-- 
1055965: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055965
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: network-manager-openconn...@packages.debian.org, Florian Echtler 
, Luca Boccassi , car...@debian.org
Control: affects -1 + src:network-manager-openconnect

Hi Stable release managers,

[ Reason ]
In recent cases where institutions updated their Cisco AnyConnect
server, connecting with openconnect requires to pass an appropriate
UserAgent. Cf. for instance
https://gitlab.com/openconnect/openconnect/-/issues/544 .
network-manager-openconnect plugin for NetworkManager had no
possibility to configure this. As a result, after such updates users using
the NetworkManager plugin cannot connect to the VPN servers.

[ Impact ]
Impossibility to use the NetworkManager plugin for openconnect in
situations where the Cisco AnyConnect server has been updated.

[ Tests ]
I manually tested the plugin in one affected configuration. After the
update the GUI field for configuring the UserAgent can be configured
for the specific configuration.

[ Risks ]
Patches have been taken from upstream and apply with minor context
tweak to the older version. Luca has reviewed and acked the MR in 
https://salsa.debian.org/debian/network-manager-openconnect/-/merge_requests/6

[ Checklist ]
  [x] *all* changes are documented in the d/changelog

(the salsa pipeline one is not, but it has no user impact)

  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Adds support for the mentioned UserAgent field and setting.

[ Other info ]
Nothing.

Regards,
Salvatore
diff -Nru network-manager-openconnect-1.2.8/debian/changelog 
network-manager-openconnect-1.2.8/debian/changelog
--- network-manager-openconnect-1.2.8/debian/changelog  2022-05-21 
15:35:15.0 +0200
+++ network-manager-openconnect-1.2.8/debian/changelog  2023-11-14 
15:15:44.0 +0100
@@ -1,3 +1,14 @@
+network-manager-openconnect (1.2.8-3+deb12u1) bookworm; urgency=medium
+
+  [ Salvatore Bonaccorso ]
+  * Add User Agent to Openconnect VPN for NetworkManager (Closes:
+#1053467)
+  * Use openconnect_set_useragent() where available
+  * Add support for GTK4 in user-agent calls
+  * Add Build-Depends on libgtk-4-bin for gtk4-builder-tool
+
+ -- Luca Boccassi   Tue, 14 Nov 2023 14:15:44 +
+
 network-manager-openconnect (1.2.8-3) unstable; urgency=medium
 
   * Bump Standards-Version to 4.6.1, no changes
diff -Nru network-manager-openconnect-1.2.8/debian/control 
network-manager-openconnect-1.2.8/debian/control
--- network-manager-openconnect-1.2.8/debian/control2022-05-21 
15:35:15.0 +0200
+++ network-manager-openconnect-1.2.8/debian/control2023-11-14 
15:15:44.0 +0100
@@ -8,6 +8,7 @@
libgcr-3-dev,
libglib2.0-dev,
libgtk-3-dev,
+   libgtk-4-bin,
libgtk-4-dev,
libnm-dev,
libnma-dev,
diff -Nru network-manager-openconnect-1.2.8/debian/gbp.conf 
network-manager-openconnect-1.2.8/debian/gbp.conf
--- network-manager-openconnect-1.2.8/debian/gbp.conf   2022-03-14 
00:08:09.0 +0100
+++ network-manager-openconnect-1.2.8/debian/gbp.conf   2023-11-14 
15:15:44.0 +0100
@@ -1,5 +1,6 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = debian/bookworm
 
 [import-orig]
 upstream-vcs-tag = %(version)s
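Review bot: The added `debian-branch = debian/bookworm` line is not mentioned in the debian/changelog entry for this upload, which lists only the User Agent, GTK4 and Build-Depends changes. Since the stable-update checklist asks for all changes to be documented in d/changelog, add an entry such as "d/gbp.conf: Track bookworm branch".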
diff -Nru 
network-manager-openconnect-1.2.8/debian/patches/0002-Add-User-Agent-to-Openconnect-VPN-for-NetworkManager.patch
 
network-manager-openconnect-1.2.8/debian/patches/0002-Add-User-Agent-to-Openconnect-VPN-for-NetworkManager.patch
--- 
network-manager-openconnect-1.2.8/debian/patches/0002-Add-User-Agent-to-Openconnect-VPN-for-NetworkManager.patch
1970-01-01 01:00:00.0 +0100
+++ 
network-manager-openconnect-1.2.8/debian/patches/0002-Add-User-Agent-to-Openconnect-VPN-for-NetworkManager.patch
2023-11-14 15:15:44.0 +0100
@@ -0,0 +1,302 @@
+From: Debasish Patra 
+Date: Sat

Bug#1055894: marked as done (bookworm-pu: package gnome-session/43.0-1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055894,
regarding bookworm-pu: package gnome-session/43.0-1+deb12u1
to be marked as done.


-- 
1055894: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055894
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gnome-sess...@packages.debian.org, 
debian-gtk-gn...@lists.debian.org
Control: affects -1 + src:gnome-session

Please consider including my recent gnome-session upload in Debian 12.3.

[ Reason ]
Open text files in gnome-text-editor if gedit is not installed,
fixing https://bugs.debian.org/1055838

[ Impact ]
If not fixed, in a default task-gnome-desktop installation, plain text
files (including XML, CSS, various programming languages, etc.) default
to being opened in Libreoffice Writer (a word processor), and not in
GNOME Text Editor (a text editor) as intended.

Mitigation: if the system was upgraded from Debian 11, it will probably
still have the gedit package installed. If so, plain text files will open
in gedit by default, which is an entirely reasonable choice too.

For context, GNOME Text Editor is a simple text editor like Windows
Notepad, whereas gedit is more of a programmers' editor; which one gets to
open text files by default if both are installed is a matter of opinion
and taste, but the default on a GNOME desktop ought to be one of those two,
and certainly not a word processor.

[ Tests ]
Manually tested:
* Start from a Debian 12 VM with task-gnome-desktop and no other desktop
  environments
* Ensure gedit is *not* installed (by default, it will not be)
* echo "Hello, world!" > ~/Documents/hello.txt
* nautilus ~/Documents
* Right-click hello.txt
* Good result: the top choice is "Open With Text Editor [Return]"
* Bad result: the top choice is "Open With LibreOffice Writer [Return]"
* After verifying good result with the proposed gnome-session installed,
  additionally install gedit
* Right-click hello.txt
* Good result: the top choice is "Open With gedit [Return]"
* Bad result: anything else

[ Risks ]
Low risk: no code change, just adjusting desktop-specific defaults for
GNOME (including derivatives like Budgie and GNOME Flashback).

To minimize observable behaviour changes for systems that were already
upgraded from Debian 11 to 12, I have chosen to make gedit the default
text editor for GNOME if it happens to be installed (no change for upgraded
systems), falling back to GNOME Text Editor if gedit is not present
(a fresh task-gnome-desktop installation will use this fallback in practice).
This is the opposite of my recent upload to unstable, where I made
gnome-text-editor higher priority (I think it's reasonable to expect the
default text editor to change in a major-version upgrade).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
d/gnome-mimeapps.list: Fix the bug. It might be helpful to know that
values after the equals sign in mimeapps.list are semicolon-delimited
lists, and canonically end with a single semicolon after the last item
(but it's optional and frequently omitted, particularly for single-item
lists).

d/gbp.conf: administrivia since this is the first Debian 12 update proposed
for this package.
diffstat for gnome-session-43.0 gnome-session-43.0

 changelog           |   21 +
 gbp.conf            |    4 +--
 gnome-mimeapps.list |   62 ++--
 3 files changed, 54 insertions(+), 33 deletions(-)

diff -Nru gnome-session-43.0/debian/changelog gnome-session-43.0/debian/changelog
--- gnome-session-43.0/debian/changelog	2022-10-11 19:08:35.0 +0100
+++ gnome-session-43.0/debian/changelog	2023-11-13 18:34:53.0 +
@@ -1,3 +1,24 @@
+gnome-session (43.0-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * d/gbp.conf: Configure branches for Debian 12 stable updates
+  * Open text files in gnome-text-editor if gedit is not installed.
+The preinstalled text editor for Debian GNOME systems was changed
+from gedit in Debian 11 to gnome-text-editor in Debian 12, but this
+file wa
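
The semicolon-delimited value format and the gedit-first fallback described in the request above, as an added example that is not part of the original message or of the gnome-session package. It is a simplified model that reads only the [Default Applications] section of a single file; the sample file contents and the desktop IDs are constructed assumptions.

```python
"""Simplified model of default-application lookup in a mimeapps.list file."""

# Constructed sample, NOT the package's real d/gnome-mimeapps.list.
# The desktop IDs are assumptions chosen for illustration.
SAMPLE = """\
[Default Applications]
# trailing semicolon present (canonical form)
text/plain=org.gnome.gedit.desktop;org.gnome.TextEditor.desktop;
# trailing semicolon omitted (also accepted)
text/css=org.gnome.gedit.desktop;org.gnome.TextEditor.desktop
application/pdf=org.gnome.Evince.desktop

[Added Associations]
text/plain=libreoffice-writer.desktop;
"""


def parse_default_applications(text):
    """Return {mime_type: [desktop_id, ...]} from [Default Applications]."""
    defaults = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        # This model ignores every other section of the file.
        if section != "Default Applications" or "=" not in line:
            continue
        mime, _, value = line.partition("=")
        # Values are semicolon-delimited lists. The final semicolon is
        # optional, so empty items produced by the split are dropped.
        ids = [item.strip() for item in value.split(";") if item.strip()]
        defaults[mime.strip()] = ids
    return defaults


def pick_default(defaults, mime, installed):
    """Return the first listed desktop ID that is installed, else None.

    None means this file expresses no usable preference for the type,
    so the choice is left to whatever other associations exist.
    """
    for desktop_id in defaults.get(mime, []):
        if desktop_id in installed:
            return desktop_id
    return None


if __name__ == "__main__":
    table = parse_default_applications(SAMPLE)
    fresh_install = {"org.gnome.TextEditor.desktop", "libreoffice-writer.desktop"}
    upgraded = fresh_install | {"org.gnome.gedit.desktop"}
    print("fresh install:", pick_default(table, "text/plain", fresh_install))
    print("upgraded     :", pick_default(table, "text/plain", upgraded))
```

With a list that names only gedit, the fresh-install case returns None, which corresponds to the situation the request describes, where the top choice ends up being a word processor.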

Bug#1055859: marked as done (bookworm-pu: package pyzoltan/1.0.1-5+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055859,
regarding bookworm-pu: package pyzoltan/1.0.1-5+deb12u1
to be marked as done.


-- 
1055859: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055859
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pyzol...@packages.debian.org, sanv...@debian.org
Control: affects -1 + src:pyzoltan

[ Reason ]
This upload fixes Bug#1055625 FTBFS on single-cpu systems.

[ Impact ]
Anybody trying to build the package using a single-cpu
system will get an unexpected build error.

[ Tests ]
There are no real code changes. The package builds the same.

[ Risks ]
Very low risk.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The only change has been to change NPROCS=2 to NPROCS=1
in debian/rules.

[ Other info ]
The package is already uploaded.
diff -Nru pyzoltan-1.0.1/debian/changelog pyzoltan-1.0.1/debian/changelog
--- pyzoltan-1.0.1/debian/changelog 2022-10-31 08:07:44.0 +0100
+++ pyzoltan-1.0.1/debian/changelog 2023-11-12 23:25:00.0 +0100
@@ -1,3 +1,11 @@
+pyzoltan (1.0.1-5+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * debian/rules: Set NPROC to 1 so that the package may be
+built on systems with a single core. Closes: #1055625.
+
+ -- Santiago Vila   Sun, 12 Nov 2023 23:25:00 +0100
+
 pyzoltan (1.0.1-5) unstable; urgency=medium
 
   * Standards version bumped to 4.6.1 (non changes).
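Review bot: The new changelog entry says `NPROC`, but the variable changed in debian/rules is `NPROCS`. Use the exact name so the entry can be matched against the rules file.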
diff -Nru pyzoltan-1.0.1/debian/rules pyzoltan-1.0.1/debian/rules
--- pyzoltan-1.0.1/debian/rules 2022-10-31 08:07:44.0 +0100
+++ pyzoltan-1.0.1/debian/rules 2023-11-12 23:20:43.0 +0100
@@ -4,7 +4,7 @@
 export USE_TRILINOS=1
 export ZOLTAN_INCLUDE=/usr/include/trilinos
 export ZOLTAN_LIBRARY=/usr/lib
-export NPROCS=2
+export NPROCS=1
 
 export PYBUILD_NAME=pyzoltan
 
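Review bot: `export NPROCS=1` fixes the single-CPU build by hardcoding the lowest value for every builder, and nothing in debian/rules records why. A comment next to the line referencing #1055625 would stop a later upload from raising the value again.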
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1055611: marked as done (bookworm-pu: package oscrypto/1.3.0-1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055611,
regarding bookworm-pu: package oscrypto/1.3.0-1+deb12u1
to be marked as done.


-- 
1055611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055611
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: oscry...@packages.debian.org, sanv...@debian.org
Control: affects -1 + src:oscrypto

[ Reason ]
This upload fixes FTBFS bug #1033822 in stable.
It also fixes the autopkgtests, which are currently broken in stable.

[ Impact ]
The package currently fails to build in stable.

[ Tests ]
I've verified that the package builds again with the changes.
The fixed autopkgtests are already working ok in trixie/sid.

[ Risks ]
Risk is low, the patches are taken from upstream.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Fix OpenSSL version parsing.
Fix autopkgtests by switching to autopkgtest-pkg-pybuild.

[ Other info ]
- I'll wait for approval before upload.
- These changes would actually make 1.3.0-1+deb12u1
identical to version 1.3.0-4 currently in trixie/sid,
except for the Standards-Version control field.
diff -Nru oscrypto-1.3.0/debian/changelog oscrypto-1.3.0/debian/changelog
--- oscrypto-1.3.0/debian/changelog 2022-07-04 08:53:23.0 +0200
+++ oscrypto-1.3.0/debian/changelog 2023-11-08 21:38:44.0 +0100
@@ -1,3 +1,15 @@
+oscrypto (1.3.0-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  [ Jochen Sprickerhof ]
+  * Fix autopkgtest by switching to autopkgtest-pkg-pybuild. Closes: #1033822.
+  [ Bastian Germann ]
+  * Fix OpenSSL version parsing, take 1.
+  [ Arnaud Rebillout ]
+  * Fix OpenSSL version parsing, take 2. Closes: #1055598.
+
+ -- Santiago Vila   Wed, 08 Nov 2023 21:38:44 +0100
+
 oscrypto (1.3.0-1) unstable; urgency=medium
 
   * Team upload.
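Review bot: "Closes: #1033822" sits on the autopkgtest entry, while the request above describes #1033822 as the FTBFS bug, and "Fix OpenSSL version parsing, take 1" carries no bug reference at all. If the version parsing patch is what makes the package build again, move the Closes to that entry so the changelog records which change fixes which bug. A blank line between "* Team upload." and the "[ Jochen Sprickerhof ]" block would also match the usual multi-author layout.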
diff -Nru oscrypto-1.3.0/debian/control oscrypto-1.3.0/debian/control
--- oscrypto-1.3.0/debian/control   2022-07-04 08:53:23.0 +0200
+++ oscrypto-1.3.0/debian/control   2023-11-08 21:36:27.0 +0100
@@ -17,6 +17,7 @@
 Vcs-Browser: https://salsa.debian.org/python-team/packages/oscrypto
 Vcs-Git: https://salsa.debian.org/python-team/packages/oscrypto.git
 Rules-Requires-Root: no
+Testsuite: autopkgtest-pkg-pybuild
 
 Package: python3-oscrypto
 Architecture: all
diff -Nru oscrypto-1.3.0/debian/patches/libcrypto_ctypes_regex.patch 
oscrypto-1.3.0/debian/patches/libcrypto_ctypes_regex.patch
--- oscrypto-1.3.0/debian/patches/libcrypto_ctypes_regex.patch  1970-01-01 
01:00:00.0 +0100
+++ oscrypto-1.3.0/debian/patches/libcrypto_ctypes_regex.patch  2023-11-08 
21:36:39.0 +0100
@@ -0,0 +1,22 @@
+Origin: https://github.com/wbond/oscrypto/pull/76
+From: Martin Journois 
+Date: Thu, 10 Aug 2023 13:58:14 +0200
+Subject: MJ: Add fix suggested by @vcunat on _libcrypto_ctypes regex
+
+---
+ oscrypto/_openssl/_libcrypto_ctypes.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/oscrypto/_openssl/_libcrypto_ctypes.py 
b/oscrypto/_openssl/_libcrypto_ctypes.py
+index e33ebbc..9cb294a 100644
+--- a/oscrypto/_openssl/_libcrypto_ctypes.py
 b/oscrypto/_openssl/_libcrypto_ctypes.py
+@@ -40,7 +40,7 @@
+ 
+ is_libressl = 'LibreSSL' in version_string
+ 
+-version_match = re.search('\\b(\\d\\.\\d\\.\\d[a-z]*)\\b', version_string)
++version_match = re.search('\\b(\\d\\.\\d\\.\\d+[a-z]*)\\b', version_string)
+ if not version_match:
+ version_match = re.search('(?<=LibreSSL )(\\d\\.\\d(\\.\\d)?)\\b', 
version_string)
+ if not version_match:
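Review bot: only the third component of the pattern was widened to \d+; the first two are still a single \d each, so a version string with a two-digit major or minor number would still fail to match and fall through to the LibreSSL branch. Suggest \d+\.\d+\.\d+[a-z]* here, unless Make_OpenSSL_version_regexes_more_robust.patch replaces this line anyway, in which case the header of this patch should say that it is an intermediate step.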
diff -Nru 
oscrypto-1.3.0/debian/patches/Make_OpenSSL_version_regexes_more_robust.patch 
oscrypto-1.3.0/debian/patches/Make_OpenSSL_version_regexes_more_robust.patch
--- 
oscrypto-1.3.0/debian/patches/Make_OpenSSL_version_regexes_more_robust.patch
1970-01-01 01:00:00.0 +0100
+++ 
oscrypto-1.3.0/debian/patches/Make_OpenSSL_version_regexes_more_robust.patch
2023-11-08 21:36:39.0 +0100
@@ -0,0 +1,52 @@
+Origin: 
https://github.com/wbond/oscrypto/commit/d5f3437ed24257895ae1edd9e503cfb352e635a8
+From: wbond 
+Date: Thu, 17 Aug 20
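
The effect of the regex change in libcrypto_ctypes_regex.patch, as an added example (not part of the original message and not oscrypto's own code). The first two patterns are copied from the hunk; the sample version banners, GENERAL_RE and parse_general are constructed here as assumptions.

```python
import re

# Pattern on the "-" line of the hunk (oscrypto 1.3.0 before the patch).
OLD_RE = re.compile('\\b(\\d\\.\\d\\.\\d[a-z]*)\\b')
# Pattern on the "+" line of the hunk (after libcrypto_ctypes_regex.patch).
PATCHED_RE = re.compile('\\b(\\d\\.\\d\\.\\d+[a-z]*)\\b')
# Assumption, not from oscrypto: a variant that lets every numeric
# component have more than one digit and captures the letter suffix.
GENERAL_RE = re.compile(r'\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b')

# Constructed banners in the "OpenSSL <version> <date>" layout.
SAMPLE_BANNERS = [
    "OpenSSL 1.1.1w  11 Sep 2023",   # letter suffix, single-digit patch
    "OpenSSL 3.0.11 19 Sep 2023",    # two-digit patch level
    "OpenSSL 3.10.0 1 Jan 2030",     # hypothetical two-digit minor
]


def extract(pattern, banner):
    """Return the version substring the pattern finds, or None."""
    match = pattern.search(banner)
    return match.group(1) if match else None


def parse_general(banner):
    """Parse a banner into (major, minor, patch, suffix); fail closed."""
    match = GENERAL_RE.search(banner)
    if match is None:
        # Refuse to guess: code that selects a crypto backend by version
        # should stop here rather than continue with an unknown library.
        raise ValueError("unrecognised version banner: %r" % banner)
    major, minor, patch, suffix = match.groups()
    return int(major), int(minor), int(patch), suffix


def compare(banners):
    """Map each banner to (old result, patched result, general result)."""
    table = {}
    for banner in banners:
        table[banner] = (
            extract(OLD_RE, banner),
            extract(PATCHED_RE, banner),
            parse_general(banner),
        )
    return table


if __name__ == "__main__":
    for banner, (old, patched, general) in compare(SAMPLE_BANNERS).items():
        print("%-30s old=%-8s patched=%-8s general=%s"
              % (banner, old, patched, general))
```

The old pattern finds nothing in the 3.0.11 banner because the trailing \b cannot sit between the two digits of "11"; the patched pattern handles that case but still returns None for the constructed two-digit minor.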

Bug#1055588: marked as done (bookworm-pu: package jdupes/1.21.3-1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055588,
regarding bookworm-pu: package jdupes/1.21.3-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1055588: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055588
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jdu...@packages.debian.org
Control: affects -1 + src:jdupes

[ Reason ]
jdupes is a fork from fdupes. A bug was introduced by the initial fork some
years ago. The current fdupes on Debian is already fixed. A warning about this
bug was sent by the jdupes upstream (Jody Bruchon) to me via email message.

The help option for jdupes says:
  -d --delete: prompt user for files to preserve and delete all
   others; [...]

Using the command 'jdupes -d .', a prompt will appear:

  Set 1 of 1: keep which files? (1 - 5, [a]ll, [n]one, [l]ink all, [s]ymlink all):

It is a mistake to set 2-4 because jdupes considers one file only. Setting
'2-4', the file 2 will be kept and the files 3 and 4 will be deleted. The
sentence 'keep which files? (1 - 5' induces the users to use a range and it is
not valid. Currently, jdupes is not denying this behaviour and it is generating
a data loss.

[ Impact ]
If the update isn't approved, the users can be induced to select a range of
files and it will cause a possible data loss.

[ Tests ]
Some manual tests have been done over jdupes with a patch created by the
upstream. I also tested fdupes to verify if it would be necessary to open a bug
against this package. The current fdupes has no issues.

[ Risks ]
There are no risks, because the patch to fix the issue is trivial, making a
check for data inputs and generating better messages for the users.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
A patch, created by the upstream, will improve the messages to be shown to
users and will add checks for inputs.

[ Other info ]
No more info.
diff -Nru jdupes-1.21.3/debian/changelog jdupes-1.21.3/debian/changelog
--- jdupes-1.21.3/debian/changelog  2023-02-20 06:51:57.0 -0300
+++ jdupes-1.21.3/debian/changelog  2023-11-08 11:24:57.0 -0300
@@ -1,3 +1,12 @@
+jdupes (1.21.3-1+deb12u1) bookworm; urgency=medium
+
+  * debian/patches/010_fix-data-loss.patch: created to avoid a potential data
+loss caused by a wrong message that induces the users to use a range of
+values with -d option. Currently, the -d option doesn't understand ranges.
+(Closes: #1054237)
+
+ -- Joao Eriberto Mota Filho   Wed, 08 Nov 2023 11:24:57 
-0300
+
 jdupes (1.21.3-1) unstable; urgency=medium
 
   * New upstream version 1.21.3.
diff -Nru jdupes-1.21.3/debian/patches/010_fix-data-loss.patch 
jdupes-1.21.3/debian/patches/010_fix-data-loss.patch
--- jdupes-1.21.3/debian/patches/010_fix-data-loss.patch1969-12-31 
21:00:00.0 -0300
+++ jdupes-1.21.3/debian/patches/010_fix-data-loss.patch2023-11-08 
11:24:57.0 -0300
@@ -0,0 +1,78 @@
+Description: fix potential data loss
+ The help option for jdupes says:
+   -d --delete: prompt user for files to preserve and delete all
+others; [...]
+ .
+ Using the command 'jdupes -d .', a prompt will appear:
+   Set 1 of 1: keep which files? (1 - 5, [a]ll, [n]one, [l]ink 
all, [s]ymlink all):
+ It is a mistake to set 2-4 because the jdupes considers one file
+ only. Setting '2-4', the file 2 will be kept and the files 3 and 4
+ will be deleted. The sentence 'keep which files? (1 - 5' induces
+ the users to use a range and it is not valid. Currently, jdupes is
+ not denying this behaviour and it is generating a data loss.
+ .
+ This patch fixes this issue.
+Author: Jody Bruchon 
+Origin: https://codeberg.org/jbruchon/jdupes/commit/4888e85
+Bug-Debian: https://bugs.debian.org/1054237
+Last-Update: 2023-10-19
+Index: jdupes/act_deletefiles.c
+===
+--- jdupes.orig/act_deletefiles.c
 jdup
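Review bot: the Origin field points at an abbreviated commit id (4888e85). Use the full hash so the backport can be checked unambiguously against upstream, and replace the closing "This patch fixes this issue." in the Description with what the patch does, that is, the input check on the -d prompt and the reworded message mentioned in the request.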

Bug#1055539: marked as done (bookworm-pu: package opensc/0.23.0-0.3+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055539,
regarding bookworm-pu: package opensc/0.23.0-0.3+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1055539: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055539
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Control: affects -1 + src:opensc
X-Debbugs-Cc: ope...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal

[ Reason ]
opensc in bookworm is vulnerable to CVE-2023-4535, CVE-2023-40660,
CVE-2023-40661.

[ Impact ]
User can be attacked via the CVE vectors.

[ Tests ]
No automated tests. I have not exploited the CVEs.

[ Risks ]
I have left out two patches of CVE-2023-40661 because they change code that is
not yet available in the bookworm release. There might be side effects of not
applying them.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1055350: marked as done (bookworm-pu: package exfatprogs/1.2.0-1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055350,
regarding bookworm-pu: package exfatprogs/1.2.0-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1055350: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055350
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: exfatpr...@packages.debian.org
Control: affects -1 + src:exfatprogs

[ Reason ]
https://security-tracker.debian.org/tracker/CVE-2023-45897
Low priority security issue, out-of-bounds memory access
in the exFAT fsck utility exfat2img helper.

[ Impact ]
Low priority security issue is fixed.

[ Tests ]
Manual tests performed that affected tools still work.

[ Risks ]
-

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Adds a patch bundling the three upstream commits
which are referenced together with the CVE ID.

gbp.conf and Vcs-Git reference the bookworm branch


[ Other info ]
There wasn't a bug filed for this CVE in the BTS.
The regular upload of 1.2.2 to unstable fixed the
issue before the CVE ID was published, so there
is not yet a CVE ID mentioned in the unstable
changelog.
diff -Nru exfatprogs-1.2.0/debian/changelog exfatprogs-1.2.0/debian/changelog
--- exfatprogs-1.2.0/debian/changelog   2022-10-28 14:48:05.0 +0200
+++ exfatprogs-1.2.0/debian/changelog   2023-11-04 17:56:01.0 +0100
@@ -1,3 +1,11 @@
+exfatprogs (1.2.0-1+deb12u1) bookworm; urgency=medium
+
+  * CVE-2023-45897 Add 
debian/patches/CVE-2023-45897-out-of-bounds-memory-access
+to fix three out-of-bounds memory access issues.
+  * Add bookworm branch information to Vcs-Git and gbp.conf.
+
+ -- Sven Hoexter   Sat, 04 Nov 2023 17:56:01 +0100
+
 exfatprogs (1.2.0-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru exfatprogs-1.2.0/debian/control exfatprogs-1.2.0/debian/control
--- exfatprogs-1.2.0/debian/control 2022-10-28 14:47:18.0 +0200
+++ exfatprogs-1.2.0/debian/control 2023-11-04 17:38:34.0 +0100
@@ -6,7 +6,7 @@
 Standards-Version: 4.6.1
 Rules-Requires-Root: no
 Homepage: https://github.com/exfatprogs/exfatprogs
-Vcs-Git: https://git.sven.stormbind.net/exfatprogs.git
+Vcs-Git: https://git.sven.stormbind.net/exfatprogs.git -b bookworm
 Vcs-Browser: https://git.sven.stormbind.net/?p=sven/exfatprogs.git
 
 Package: exfatprogs
diff -Nru exfatprogs-1.2.0/debian/gbp.conf exfatprogs-1.2.0/debian/gbp.conf
--- exfatprogs-1.2.0/debian/gbp.conf2022-10-28 14:19:18.0 +0200
+++ exfatprogs-1.2.0/debian/gbp.conf2023-11-04 16:39:40.0 +0100
@@ -1,2 +1,3 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = bookworm
diff -Nru 
exfatprogs-1.2.0/debian/patches/CVE-2023-45897-out-of-bounds-memory-access 
exfatprogs-1.2.0/debian/patches/CVE-2023-45897-out-of-bounds-memory-access
--- exfatprogs-1.2.0/debian/patches/CVE-2023-45897-out-of-bounds-memory-access  
1970-01-01 01:00:00.0 +0100
+++ exfatprogs-1.2.0/debian/patches/CVE-2023-45897-out-of-bounds-memory-access  
2023-11-04 16:39:40.0 +0100
@@ -0,0 +1,67 @@
+Description: CVE-2023-45897 out-of-bounds memory access
+Origin: 
https://github.com/exfatprogs/exfatprogs/commit/ec78688e5fb5a70e13df82b4c0da1e6228d3ccdf
+ 
https://github.com/exfatprogs/exfatprogs/commit/22d0e43e8d24119cbfc6efafabb0dec6517a86c4
+ 
https://github.com/exfatprogs/exfatprogs/commit/4abc55e976573991e6a1117bb2b3711e59da07ae
+Last-Update: 2023-10-31
+Index: exfatprogs/exfat2img/exfat2img.c
+===
+--- exfatprogs.orig/exfat2img/exfat2img.c
 exfatprogs/exfat2img/exfat2img.c
+@@ -319,7 +319,7 @@ static int read_file_dentry_set(struct e
+   if (!node)
+   return -ENOMEM;
+ 
+-  for (i = 2; i <= file_de->file_num_ext; i++) {
++  for (i = 2; i <= MIN(file_de->file_num_ext, 1 + MAX_NAME_DENTRIES); 
i++) {
+   ret = exfat_de_iter_get(iter, i, &dentry);
+   if (ret || dentry->type != EXFAT_NAME)
+   break;
+Index: exfatprogs/fsck/fsck.c
+===
+--- exfatprogs.ori
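Review bot: the new loop bound in read_file_dentry_set(), MIN(file_de->file_num_ext, 1 + MAX_NAME_DENTRIES), silently caps the iteration when the on-disk file_num_ext is larger than the limit. Consider logging or returning an error in that case so that a corrupted or crafted image is reported rather than processed partially, and add a short comment saying which limit the bound enforces. The patch header lists three Origin commits but does not say which file's hunk comes from which commit; noting that would make the backport easier to audit.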

Bug#1055241: marked as done (bookworm-pu: package crun/1.8.1-1+deb12u1 (bookworm regression))

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055241,
regarding bookworm-pu: package crun/1.8.1-1+deb12u1 (bookworm regression)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1055241: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055241
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: important
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: c...@packages.debian.org
Control: affects -1 + src:crun

[ Reason ]
Linux v6.6 blocked the mode change of symlinks, with commit
5d1f903f75a80daa4dfb3d84e114ec8ecbf29956 ("attr: block mode changes of
symlinks").

This was in turn backported to v6.1.55, with
6a84939cc7dd6f970c2621ded82c4d9ea0068b1b, and is part of src:linux
6.1.55-1, which is the version currently in bookworm.

This breaks crun 1.8.1, as found in bookworm, when running containers
with systemd as the init system.

The issue has been addressed upstream with commit
57262a2710c83fa08767f0ce3ba7a80993515bb2 ("ignore ENOTSUP when chmod a
symlink"), as well as 14afa8a46e2e83608a3a219402bce8ea8d071192 ("utils:
fix ignore ENOTSUP when chmod a symlink"), both part of crun 1.9.1.

[ Impact ]
Users are unable to start containers running systemd as their init
system. For example this now fails:
  podman run --rm -d docker.io/jrei/systemd-debian:12

[ Tests ]
The manual test as mentioned above, as well as non-systemd images that
continue to work, like:
  podman run --rm -it debian:sid

(Sadly we don't have any automated tests. crun in unstable now has
autopkgtests, but even these have the isolation-machine restriction and
are thus inoperable in Debian's CI, so I've elected to not backport them
here.)

[ Risks ]
The code is pretty trivial, I think, and has been part of upstream since
v1.9.1, released on September 26. trixie has v1.11, and sid has v1.11.1.

No alternatives that I know of.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
One change, effectively: to ignore ENOTSUP when chmod'ing a symlink,
/run/shm in the most popular broken case.

[ Other info ]
This has been reported by multiple users, cf. #1053821.

Given this constitutes a regression introduced by another package's
stable update, I consider this is an urgent issue, and ask for RMs to
copy this to stable-updates.

Thanks,
Faidon
diff -Nru crun-1.8.1/debian/changelog crun-1.8.1/debian/changelog
--- crun-1.8.1/debian/changelog 2023-02-27 22:01:38.0 +0200
+++ crun-1.8.1/debian/changelog 2023-11-02 18:52:46.0 +0200
@@ -1,3 +1,13 @@
+crun (1.8.1-1+deb12u1) bookworm; urgency=medium
+
+  * Backport two commits from upstream ("ignore ENOTSUP when chmod a
+symlink"), that restore containers with systemd as their init system, when
+running under Linux >= v6.6 and >= v6.1.55, i.e. bookworm's current stable
+kernel. (Closes: #1053821)
+  * Move myself to Maintainer, and Dmitry to Uploaders.
+
+ -- Faidon Liambotis   Thu, 02 Nov 2023 18:52:46 +0200
+
 crun (1.8.1-1) unstable; urgency=medium
 
   * New bugfix upstream release.
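Review bot: "when running under Linux >= v6.6 and >= v6.1.55" reads as if both conditions must hold. The request describes a v6.6 change that was backported to v6.1.55, so wording such as "Linux >= v6.6, or 6.1.y >= v6.1.55" would state the affected kernels correctly. The Maintainer/Uploaders swap in the second bullet is unrelated to the regression fix and is not listed under [ Changes ] in the request; it is worth mentioning there.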
diff -Nru crun-1.8.1/debian/control crun-1.8.1/debian/control
--- crun-1.8.1/debian/control   2023-02-27 22:01:38.0 +0200
+++ crun-1.8.1/debian/control   2023-11-02 18:52:46.0 +0200
@@ -2,9 +2,9 @@
 Section: admin
 Priority: optional
 Standards-Version: 4.6.2
-Maintainer: Dmitry Smirnov 
+Maintainer: Faidon Liambotis 
 Uploaders:
- Faidon Liambotis ,
+ Dmitry Smirnov ,
  Reinhard Tartler ,
 Build-Depends:
  automake,
diff -Nru crun-1.8.1/debian/patches/series crun-1.8.1/debian/patches/series
--- crun-1.8.1/debian/patches/series1970-01-01 02:00:00.0 +0200
+++ crun-1.8.1/debian/patches/series2023-11-02 18:52:46.0 +0200
@@ -0,0 +1,2 @@
+utils-ignore-ENOTSUP-when-chmod-a-symlink.patch
+utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch
diff -Nru 
crun-1.8.1/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch 
crun-1.8.1/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch
--- 
crun-1.8.1/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symlink.patch   
1970-01-01 02:00:00.0 +0200
+++ 
crun-1.8.1/debian/patches/utils-fix-ignore-ENOTSUP-when-chmod-a-symli

Bug#1055155: marked as done (bookworm-pu: package exim4/4.96-15+deb12u3 (2nd try for new bug))

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055155,
regarding bookworm-pu: package exim4/4.96-15+deb12u3 (2nd try for new bug)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1055155: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055155
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 + src:exim4

Hello,

I would like to push another round of cherry-picked upstream fixes to
bookworm, including the update to 4.96.2 to fix two non-DSA minor
security issues.

The changes are included in the new upstream (4.97 rc) uploads to sid which
are present in sid and testing.


* Multiple bugfixes from upstream GIT master:
  + 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch
  + 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch
(Upstream bug 2998)
  + 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch
  + 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch
(Upstream bug 3013)
> ${run expansion breakage, similar to #1025420.
  + 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand
TLS cert expiry date. Closes: #1043233
(Upstream bug 3014)
> This is a major hiccup, bordering on RC.

  + 75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch
> Another patch for ${run} expansion breakage.
  + 76-10-Fix-tr.-and-empty-strings.-Bug-3023.patch (Upstream bug 3023)
  + 76-12-DNS-more-hardening-against-crafted-responses.patch
* tests/basic: Add isolation-container restriction (needs a running
  exim daemon).
* Add ${run } expansion test to tests/basic.
* Update code to 4.96.2, fixing issues with the proxy protocol
  (CVE-2023-42117) and the `dnsdb` lookup subsystem (CVE-2023-42219). It
  also includes additional hardening for spf lookups, however CVE-2023-42218
  was diagnosed as a vulnerability in the libspf2 library and needs to be
  addressed there. Closes: #1053310

cu Andreas
diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog
--- exim4-4.96/debian/changelog	2023-09-29 22:38:02.0 +0200
+++ exim4-4.96/debian/changelog	2023-11-01 07:07:57.0 +0100
@@ -1,3 +1,29 @@
+exim4 (4.96-15+deb12u3) bookworm; urgency=medium
+
+  * Multiple bugfixes from upstream GIT master:
++ 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch
++ 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch
+  (Upstream bug 2998)
++ 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch
++ 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch
+  (Upstream bug 3013)
++ 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand
+  TLS cert expiry date. Closes: #1043233
+  (Upstream bug 3014)
++ 75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch
++ 76-10-Fix-tr.-and-empty-strings.-Bug-3023.patch ((Upstream bug 3023)
++ 76-12-DNS-more-hardening-against-crafted-responses.patch
+  * tests/basic: Add isolation-container restriction (needs a running
+exim daemon).
+  * Add ${run } expansion test to tests/basic.
+  * Update code to 4.96.2, fixing issues with the proxy protocol
+(CVE-2023-42117) and the `dnsdb` lookup subsystem (CVE-2023-42219). It
+also includes additional hardening for spf lookups, however CVE-2023-42218
+was diagnosed as a vulnerability in the libspf2 library and needs to be
+addressed there. Closes: #1053310
+
+ -- Andreas Metzler   Wed, 01 Nov 2023 07:07:57 +0100
+
 exim4 (4.96-15+deb12u2) bookworm-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
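Review bot: the CVE identifiers in the 4.96.2 entry do not look consistent: CVE-2023-42117 is followed by CVE-2023-42219 and CVE-2023-42218, which are in a different number block. Please check the last two against the upstream 4.96.2 announcement before upload, because the security tracker matches fixes on these ids and a mistyped one leaves the real CVE marked as unfixed. Small nit in the same hunk: "((Upstream bug 3023)" has a doubled opening parenthesis.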
diff -Nru exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch
--- exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch	1970-01-01 01:00:00.0 +0100
+++ exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch	2023-11-01 07:03:21.0 +0100
@@ -0,0 +1,35 @@
+From 4d108ee9b8e5fb212c31812fef61529cd414 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris 
+Date: Mon, 12 Jun 2023 22:13:46 +0100
+Subject: [PATCH] Cancel early-pipe on an observed advertising change
+
+---
+ 

Bug#1055419: marked as done (bookworm-pu: package pcs/0.11.5-1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055419,
regarding bookworm-pu: package pcs/0.11.5-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1055419: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055419
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: p...@packages.debian.org
Control: affects -1 + src:pcs

[ Reason ]
Running the 'crm resource move' command results in a Python
stack trace due to missing arguments in a function call. The
bug was introduced in version 0.11.5 and fixed upstream in
0.11.6.

[ Impact ]
'crm resource move' command does not work correctly.

[ Tests ]
Package tests pass for the updated package and a manual
test also confirms the move command works correctly now.

[ Risks ]
The code change is simple (adding the missing function argument),
so the risk should be low.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Function calls to tools.get_tmp_file() are replaced with
tools.get_tmp_file(None) to avoid the error:

TypeError: get_tmp_file() missing 1 required positional argument: 'data'


diff -Nru pcs-0.11.5/debian/changelog pcs-0.11.5/debian/changelog
--- pcs-0.11.5/debian/changelog 2023-03-03 08:57:59.0 +0100
+++ pcs-0.11.5/debian/changelog 2023-11-05 16:27:07.0 +0100
@@ -1,3 +1,9 @@
+pcs (0.11.5-1+deb12u1) bookworm; urgency=medium
+
+  * d/patches: add fix for resource move (Closes: #1042893)
+
+ -- Valentin Vidic   Sun, 05 Nov 2023 16:27:07 +0100
+
 pcs (0.11.5-1) unstable; urgency=medium
 
   * New upstream version 0.11.5
diff -Nru pcs-0.11.5/debian/patches/Fix-resource-move.patch 
pcs-0.11.5/debian/patches/Fix-resource-move.patch
--- pcs-0.11.5/debian/patches/Fix-resource-move.patch   1970-01-01 
01:00:00.0 +0100
+++ pcs-0.11.5/debian/patches/Fix-resource-move.patch   2023-11-05 
16:27:07.0 +0100
@@ -0,0 +1,25 @@
+--- a/pcs/lib/pacemaker/live.py
 b/pcs/lib/pacemaker/live.py
+@@ -384,7 +384,10 @@
+ string cib_xml -- CIB XML to simulate
+ """
+ try:
+-with tools.get_tmp_file() as new_cib_file, tools.get_tmp_file() as 
transitions_file:
++with (
++tools.get_tmp_file(None) as new_cib_file,
++tools.get_tmp_file(None) as transitions_file,
++):
+ cmd = [
+ __exec("crm_simulate"),
+ "--simulate",
+--- a/pcs_test/tools/custom_mock.py
 b/pcs_test/tools/custom_mock.py
+@@ -98,7 +98,7 @@
+ except StopIteration:
+ pass
+ 
+-def _mock_side_effect(self, data=None, binary=False):
++def _mock_side_effect(self, data, binary=False):
+ def _seek_callback(offset):
+ if offset != 0:
+ raise AssertionError(
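Review bot: Fix-resource-move.patch starts directly at "--- a/pcs/lib/pacemaker/live.py" with no header, so nothing in the package records where the change comes from, although the request says the bug was fixed upstream in 0.11.6. Please add Description, Origin (the upstream commit) and Bug-Debian: https://bugs.debian.org/1042893 fields. Making data a required parameter of _mock_side_effect is a good addition, since the mock will now fail in the same way as the real get_tmp_file() if another call site omits the argument.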
diff -Nru pcs-0.11.5/debian/patches/series pcs-0.11.5/debian/patches/series
--- pcs-0.11.5/debian/patches/series1970-01-01 01:00:00.0 +0100
+++ pcs-0.11.5/debian/patches/series2023-11-05 16:27:07.0 +0100
@@ -0,0 +1 @@
+Fix-resource-move.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1055086: marked as done (bookworm-pu: package libmateweather/1_1.26.0-1.1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055086,
regarding bookworm-pu: package libmateweather/1_1.26.0-1.1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1055086: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055086
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libmateweat...@packages.debian.org
Control: affects -1 + src:libmateweather

Please unblock the recent bookworm-pu upload of libmateweather.

[ Reason ]
Main reason for providing the pu is that Aviation Weather changed their
data server URL for retrieving weather information from their servers.

While at it, more data changes have been cherry-picked from upstream (see
below).

[ Impact ]
If this pu does not get accepted, Debian users will have a broken
weather-applet on MATE desktop. No weather information can be retrieved.

Furthermore, users will experience typos and spelling issues in location
names, etc.

[ Tests ]
Manually installed the new .deb version and tested the MATE weather applet
regarding the introduced changes.

[ Risks ]
Regressions are always possible. MATE users will be affected. Esp. when using
weather reports on their desktop.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

+  * debian/patches: Cherry-pick (and re-arrange) upstream fixes.
+ + rename: timezones.patch => 0001_Kyiv-timezone.patch (100%)
+ + add city: 0002_add-San-Miguel-de-Tucuman-Argentina.patch
+ + update Chicago area codes: 0003_Chicago-area-updates.patch
+ + update data server URL: 0004_data-server-url-changed.patch (Closes:
+   #1054248, #1054268)
+ + typo fixes in location names: 0005_fix-some-location-names.patch
+ + new Tbilisi airport code: 0006_tbilisi-IATA-airport-code-changed.patch

[ Other info ]
None.
diff -Nru libmateweather-1.26.0/debian/changelog 
libmateweather-1.26.0/debian/changelog
--- libmateweather-1.26.0/debian/changelog  2022-10-15 17:45:15.0 
+0200
+++ libmateweather-1.26.0/debian/changelog  2023-10-31 08:25:09.0 
+0100
@@ -1,3 +1,16 @@
+libmateweather (1.26.0-1.1+deb12u1) bookworm; urgency=medium
+
+  * debian/patches: Cherry-pick (and re-arrange) upstream fixes.
+ + rename: timezones.patch => 0001_Kyiv-timezone.patch (100%)
+ + add city: 0002_add-San-Miguel-de-Tucuman-Argentina.patch
+ + update Chicago area codes: 0003_Chicago-area-updates.patch
+ + update data server URL: 0004_data-server-url-changed.patch (Closes:
+   #1054248, #1054268)
+ + typo fixes in location names: 0005_fix-some-location-names.patch
+ + new Tbilisi airport code: 0006_tbilisi-IATA-airport-code-changed.patch
+
+ -- Mike Gabriel   Tue, 31 Oct 2023 08:25:09 +0100
+
 libmateweather (1.26.0-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libmateweather-1.26.0/debian/patches/0001_Kyiv-timezone.patch 
libmateweather-1.26.0/debian/patches/0001_Kyiv-timezone.patch
--- libmateweather-1.26.0/debian/patches/0001_Kyiv-timezone.patch   
1970-01-01 01:00:00.0 +0100
+++ libmateweather-1.26.0/debian/patches/0001_Kyiv-timezone.patch   
2023-10-31 08:12:39.0 +0100
@@ -0,0 +1,32 @@
+Author: Reiner Herrmann 
+Bug-Debian: https://bugs.debian.org/1017304
+Description: Update spelling of Kiev/Kyiv to match tzdata
+ tzdata 2022b-1 changed it from Kiev to Kyiv.
+
+--- a/data/Locations.xml.in
 b/data/Locations.xml.in
+@@ -20618,13 +20618,13 @@
+   UA
+   UP
+   
+-
++
+   Europe/Simferopol
+   Europe/Uzhgorod
+   Europe/Zaporozhye
+ 
+   
+-  Europe/Kiev
++  Europe/Kyiv
+   
+ 
+ Boryspil'
+@@ -20700,7 +20700,7 @@
+  "Kiev" is the traditional English name.
+  The local name in Ukrainian is "Kyyiv".
+   -->
+-Kiev
++Kyiv
+ 50.43 30.516667
+ 
+   Kyiv
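Review bot: the DEP-3 header of 0001_Kyiv-timezone.patch carries Author, Bug-Debian and Description but no Origin or Forwarded field, although the changelog describes the whole series as cherry-picked upstream fixes. Add the upstream commit reference (or "Forwarded: no" if this one is Debian-only) so the rename can be checked against upstream. Since the description ties Europe/Kyiv to tzdata 2022b-1, it is also worth stating in the request that bookworm's tzdata ships that zone name.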
diff -Nru 
libmateweather-1.26.0/debian/patches/0002_add-San-Miguel-de-Tucuman-Argentina.patch
 
libmateweather-1.26.0/debian/patches/0002_add-San-Miguel-de-Tucuman-Argentina.patch
--- 
libmateweather-1

Bug#1055226: marked as done (bookworm-pu: package yuzu/0-1335-1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055226,
regarding bookworm-pu: package yuzu/0-1335-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1055226: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055226
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: b...@debian.org, and...@pappacoda.it
Severity: normal

[ Reason ]
The package FTBFS in stable: #1041491.

[ Impact ]
Rebuilding is impossible.

[ Risks ]
Just a build-dependency correction. No risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

diff -Nru yuzu-0-1335+ds/debian/changelog yuzu-0-1335+ds/debian/changelog
--- yuzu-0-1335+ds/debian/changelog 2023-02-11 12:29:45.0 +0100
+++ yuzu-0-1335+ds/debian/changelog 2023-11-02 13:48:32.0 +0100
@@ -1,3 +1,9 @@
+yuzu (0-1335+ds-1+deb12u1) bookworm; urgency=medium
+
+  * strip :native from glslang-tools build dependency (Closes: #1041491)
+
+ -- Bastian Germann   Thu, 02 Nov 2023 13:48:32 +0100
+
 yuzu (0-1335+ds-1) unstable; urgency=medium
 
   * New upstream version 0-1335+ds
diff -Nru yuzu-0-1335+ds/debian/control yuzu-0-1335+ds/debian/control
--- yuzu-0-1335+ds/debian/control   2023-02-11 12:27:17.0 +0100
+++ yuzu-0-1335+ds/debian/control   2023-11-02 13:47:35.0 +0100
@@ -5,7 +5,7 @@
 Build-Depends: debhelper-compat (= 13)
 Build-Depends-Arch: catch2 (>= 2.13.7) ,
 cmake (>= 3.15),
-glslang-tools:native,
+glslang-tools,
 libavcodec-dev,
 libavutil-dev,
 libboost-context-dev,
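Review bot: dropping ":native" from glslang-tools in Build-Depends-Arch changes which architecture the tool is resolved for in a cross build, and neither the changelog entry nor the request says why the qualifier made the dependency unsatisfiable. Please state the cause from #1041491 in the changelog line and confirm that glslang-tools in bookworm is Multi-Arch: foreign, so a cross build still gets a binary it can execute.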
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1055031: marked as done (bookworm-pu: package mda-lv2/1.2.10-1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055031,
regarding bookworm-pu: package mda-lv2/1.2.10-1+deb12u1
to be marked as done.


-- 
1055031: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055031
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: mda-...@packages.debian.org, sramac...@debian.org
Control: affects -1 + src:mda-lv2

[ Reason ]
LV2 plugins are supposed to be installed in /usr/lib/lv2 as these
plugins are also consumed by third-party software. mda-lv2 installed the
plugins in a multi-arch location and they were unable to be found.

[ Impact ]
LV2 plugins provided by mda-lv2 are not found by some LV2 consuming
software packages.

[ Risks ]
The change is trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
With the updated version, lv2dir is set during the build to the correct
location. The same fix has been uploaded to unstable.

Cheers
-- 
Sebastian Ramacher
diff --git a/debian/changelog b/debian/changelog
index 7df9ad7..b02aed1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+mda-lv2 (1.2.10-1+deb12u1) bookworm; urgency=medium
+
+  * debian/gbp.conf: Work in bookworm branch
+  * debian/rules: Fix LV2 plugin installation location (Closes: #1055029)
+
+ -- Sebastian Ramacher   Sun, 29 Oct 2023 19:49:22 +0100
+
 mda-lv2 (1.2.10-1) unstable; urgency=medium
 
   * New upstream version 1.2.10
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 0a3b09a..b5f4317 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,3 +1,4 @@
 [DEFAULT]
 sign-tags = True
 pristine-tar = True
+debian-branch = bookworm
diff --git a/debian/rules b/debian/rules
index 87ee2a8..4744f87 100755
--- a/debian/rules
+++ b/debian/rules
@@ -9,5 +9,8 @@ CONFIG += strict
 %:
dh $@ --buildsystem=meson
 
+override_dh_auto_configure:
+   dh_auto_configure -- -Dlv2dir=/usr/lib/lv2
+
 # No tests available
 override_dh_auto_test:
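Review bot: the new override_dh_auto_configure hardcodes "-Dlv2dir=/usr/lib/lv2", which moves architecture-specific plugin binaries out of the multi-arch directory into a path shared by every architecture. Nothing in this diff touches debian/control, so please confirm the binary package is not marked Multi-Arch: same; if it is, that field has to be dropped in the same upload because two architectures would now ship files at identical paths.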
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1055229: marked as done (bookworm-pu: package redis/5:7.0.11-1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055229,
regarding bookworm-pu: package redis/5:7.0.11-1+deb12u1
to be marked as done.


-- 
1055229: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055229
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

Dear stable release managers,

Please consider redis (5:7.0.11-1+deb12u1) for bookworm:
  
  redis (5:7.0.11-1+deb12u1) bookworm; urgency=medium
  .
* Drop ProcSubset=pid hardening flag from the systemd unit files it causes
  difficult-to-reproduce crashes with memory allocation errors. A big thanks
  to Arnaud Rebillout  for the extensive investigation.
  (Closes: #1055039)
* Update debian/gbp.conf for the debian/bookworm branch.


The full diff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diff --git a/debian/changelog b/debian/changelog
index 2c77a5d1..2f74a30f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+redis (5:7.0.11-1+deb12u1) bookworm; urgency=medium
+
+  * Drop ProcSubset=pid hardening flag from the systemd unit files it causes
+difficult-to-reproduce crashes with memory allocation errors. A big thanks
+to Arnaud Rebillout  for the extensive investigation.
+(Closes: #1055039)
+  * Update debian/gbp.conf for the debian/bookworm branch.
+
+ -- Chris Lamb   Thu, 02 Nov 2023 15:24:45 +0100
+
 redis (5:7.0.11-1) unstable; urgency=high
 
   * New upstream security release:
diff --git a/debian/bin/generate-systemd-service-files 
b/debian/bin/generate-systemd-service-files
index b1e43c86..c7eafabe 100755
--- a/debian/bin/generate-systemd-service-files
+++ b/debian/bin/generate-systemd-service-files
@@ -96,7 +96,6 @@ LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateUsers=true
-ProcSubset=pid
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHostname=true
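Review bot: removing "ProcSubset=pid" from the directive list in generate-systemd-service-files leaves no trace in the generator of why this one hardening flag is absent, so a later hardening pass can easily put it back. Add a comment at that position referencing #1055039. Because the service can now see the non-PID parts of /proc again, also confirm the generated units set ProtectKernelTunables= (not visible in this context) so /proc/sys stays read-only for redis.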
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 24e95b17..14717f8e 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,3 +1,3 @@
 [DEFAULT]
-debian-branch=debian/sid
-upstream-branch=upstream/sid
+debian-branch=debian/bookworm
+upstream-branch=upstream/bookworm
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1054589: marked as done (bookworm-pu: package libapache2-mod-python)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054589,
regarding bookworm-pu: package libapache2-mod-python
to be marked as done.


-- 
1054589: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054589
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libapache2-mod-pyt...@packages.debian.org
Control: affects -1 + src:libapache2-mod-python

Please unblock package libapache2-mod-python

[ Reason ]
* In 03_debian-version.patch, strip the debian part of the version. BinNMUs
  were resulting in invalid PEP-440 versions. (Closes: #1054587)
* Patch: Fix segfaults when releasing threads. (Closes: #1019299)

[ Impact ]
The segfault issue seems rather serious.

The PEP-440 issue breaks any attempt to enumerate installed packages on
the system with pkg_resources.

[ Tests ]
Manually tested that mod_python runs and serves content.

[ Risks ]
Segfault patch is trivial and taken from upstream.

Version patch is trivial, and Debian-specific.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock libapache2-mod-python/3.5.0+git20211031.e6458ec-1+b1
diff -Nru libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/changelog 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/changelog
--- libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/changelog
2022-04-18 06:22:40.0 +0200
+++ libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/changelog
2023-10-26 15:07:51.0 +0200
@@ -1,3 +1,12 @@
+libapache2-mod-python (3.5.0+git20211031.e6458ec-1+deb12u1) bookworm; 
urgency=medium
+
+  * Team upload.
+  * In 03_debian-version.patch, strip the debian part of the version. BinNMUs
+were resulting in invalid PEP-440 versions. (Closes: #1054587)
+  * Patch: Fix segfaults when releasing threads. (Closes: #1019299)
+
+ -- Stefano Rivera   Thu, 26 Oct 2023 15:07:51 +0200
+
 libapache2-mod-python (3.5.0+git20211031.e6458ec-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/03_debian-version.patch
 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/03_debian-version.patch
--- 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/03_debian-version.patch
  2022-04-18 06:22:40.0 +0200
+++ 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/03_debian-version.patch
  2023-10-26 15:07:51.0 +0200
@@ -9,7 +9,7 @@
  1 file changed, 2 insertions(+), 19 deletions(-)
 
 diff --git a/dist/version.sh b/dist/version.sh
-index e5d..9ee18ac 100755
+index e5d..f97084a 100755
 --- a/dist/version.sh
 +++ b/dist/version.sh
 @@ -1,21 +1,4 @@
@@ -35,4 +35,4 @@
 -
 -echo $MAJ.$MIN.$PCH$GIT
 +cd $(dirname $0)/..
-+exec dpkg-parsechangelog -S Version
++dpkg-parsechangelog -S Version | cut -d - -f 1
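Review bot: the replacement line "dpkg-parsechangelog -S Version | cut -d - -f 1" cuts at the first hyphen, but the Debian revision is whatever follows the last hyphen, so an upstream version that itself contains a hyphen would be truncated; an epoch would also be passed through unchanged. Dropping "exec" in favour of a pipeline additionally means a failing dpkg-parsechangelog is masked by cut's exit status and the script prints an empty version. Stripping with something like sed 's/-[^-]*$//' and checking for an empty result would be more robust.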
diff -Nru 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/15_py310_threadstate_clear.patch
 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/15_py310_threadstate_clear.patch
--- 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/15_py310_threadstate_clear.patch
 1970-01-01 02:00:00.0 +0200
+++ 
libapache2-mod-python-3.5.0+git20211031.e6458ec/debian/patches/15_py310_threadstate_clear.patch
 2023-10-26 15:07:51.0 +0200
@@ -0,0 +1,27 @@
+From: Gregory Trubetskoy 
+Date: Fri, 16 Jun 2023 18:29:50 -0400
+Subject: 3.10 and up do not need a PyThreadState_Clear()
+
+Closes #100
+
+Bug-Upstream: https://github.com/grisha/mod_python/issues/100
+Bug-Debian: https://bugs.debian.org/1019299
+Origin: upstream, 
https://github.com/grisha/mod_python/commit/7e863bb4652ca4edeb158bf42eb26120e0e54040
+---
+ src/mod_python.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/mod_python.c b/src/mod_python.c
+index 6259c1b..11af968 100644
+--- a/src/mod_python.c
 b/src/mod_python.c
+@@ -303,7 +303,9 @@ static void release_interpreter(interpreterdata *idata)
+ {
+ PyThreadState *tstate = PyThreadState_Get();
+ #ifdef WITH_THREAD
++#if PY_MAJOR_VERSION <= 3 && PY_MINOR_VERSION < 10 
+ PyThreadState_Clear(tstate);
++#endif
+ if (idata)
+ APR_ARRAY_PUS
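Review bot: the guard "#if PY_MAJOR_VERSION <= 3 && PY_MINOR_VERSION < 10" in release_interpreter() tests major and minor independently, which reads correctly only by accident of current version numbers; comparing PY_VERSION_HEX against 0x030A0000 expresses "older than 3.10" directly. The added #if line also carries trailing whitespace. The patch header says 3.10 and up do not need PyThreadState_Clear() without saying why, so a one-line comment above the guard pointing at upstream issue #100 would help whoever touches this next.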

Bug#1054470: marked as done (bookworm-pu: package wormhole-william/1.0.6-2+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054470,
regarding bookworm-pu: package wormhole-william/1.0.6-2+deb12u1
to be marked as done.


-- 
1054470: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054470
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: wormhole-will...@packages.debian.org, sanv...@debian.org
Control: affects -1 + src:wormhole-william

[ Reason ]
This upload fixes "Bug #1031063 FTBFS randomly because of failing tests".

[ Impact ]
Without this update, the package fails to build randomly in stable
because of flaky tests (in some systems, with high probability).

[ Tests ]
There are no real code changes, only some tests are disabled.

[ Risks ]
Low risk. The program is the same as before. After this was fixed
in unstable, the package reached reproducible status in the
reproducible-builds framework.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Three flaky tests have been disabled. Such change is the same
that was applied in unstable two months ago.

[ Other info ]
The package has been uploaded.

diff -Nru wormhole-william-1.0.6/debian/changelog 
wormhole-william-1.0.6/debian/changelog
--- wormhole-william-1.0.6/debian/changelog 2022-10-10 18:19:50.0 
+0200
+++ wormhole-william-1.0.6/debian/changelog 2023-10-24 09:50:00.0 
+0200
@@ -1,3 +1,10 @@
+wormhole-william (1.0.6-2+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * Disable flaky tests. Closes: #1031063.
+
+ -- Santiago Vila   Tue, 24 Oct 2023 09:50:00 +0200
+
 wormhole-william (1.0.6-2) unstable; urgency=medium
 
   * Don't run help2man at build time, instead generate man page
diff -Nru wormhole-william-1.0.6/debian/gbp.conf 
wormhole-william-1.0.6/debian/gbp.conf
--- wormhole-william-1.0.6/debian/gbp.conf  2022-10-10 18:19:50.0 
+0200
+++ wormhole-william-1.0.6/debian/gbp.conf  2023-10-24 09:50:00.0 
+0200
@@ -1,3 +1,3 @@
 [DEFAULT]
-debian-branch = debian/sid
+debian-branch = debian/bookworm
 dist = DEP14
diff -Nru wormhole-william-1.0.6/debian/patches/disable-flaky-tests.patch 
wormhole-william-1.0.6/debian/patches/disable-flaky-tests.patch
--- wormhole-william-1.0.6/debian/patches/disable-flaky-tests.patch 
1970-01-01 01:00:00.0 +0100
+++ wormhole-william-1.0.6/debian/patches/disable-flaky-tests.patch 
2023-10-24 09:50:00.0 +0200
@@ -0,0 +1,34 @@
+Description: Disable some flaky tests
+  These tests are flaky on the upstream CI as well but it doesn't appear to
+  impact the program when it runs
+Author: Stephen Gelman 
+Last-Update: 2023-08-14
+Forwarded: no
+
+-- 
+--- a/wormhole/wormhole_test.go
 b/wormhole/wormhole_test.go
+@@ -155,6 +155,7 @@
+ }
+ 
+ func TestVerifierAbort(t *testing.T) {
++  t.Skip()
+   ctx := context.Background()
+ 
+   rs := rendezvousservertest.NewServer()
+@@ -409,6 +410,7 @@
+ }
+ 
+ func TestWormholeFileTransportSendMidStreamCancel(t *testing.T) {
++  t.Skip()
+   ctx := context.Background()
+ 
+   rs := rendezvousservertest.NewServer()
+@@ -627,6 +629,7 @@
+ }
+ 
+ func TestWormholeDirectoryTransportSendRecvDirect(t *testing.T) {
++  t.Skip()
+   ctx := context.Background()
+ 
+   rs := rendezvousservertest.NewServer()
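Review bot: all three tests are disabled with a bare "t.Skip()", so the build log will show them as skipped with no reason. Use t.Skip("flaky, see Debian #1031063") so the cause is recorded where the skip happens. TestVerifierAbort, judging by its name, covers the verifier abort path, so after this patch that path is no longer exercised at build time; the header says the tests are flaky on the upstream CI too, yet it is marked "Forwarded: no", and forwarding it would be the way to get the test fixed rather than permanently skipped.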
diff -Nru wormhole-william-1.0.6/debian/patches/series 
wormhole-william-1.0.6/debian/patches/series
--- wormhole-william-1.0.6/debian/patches/series1970-01-01 
01:00:00.0 +0100
+++ wormhole-william-1.0.6/debian/patches/series2023-10-24 
09:50:00.0 +0200
@@ -0,0 +1 @@
+disable-flaky-tests.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1055009: marked as done (bookworm-pu: package distro-info-data/0.58+deb12u1, distro-info/1.5+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055009,
regarding bookworm-pu: package distro-info-data/0.58+deb12u1, 
distro-info/1.5+deb12u1
to be marked as done.


-- 
1055009: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055009
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: distro-info-d...@packages.debian.org
Control: affects -1 + src:distro-info-data

[ Reason ]
This is a regular distro-info-data update, adding Ubuntu 24.04 LTS.
It includes some corrections to historical data, one of which affects
the distro-info test-suite.

So, included is a coupled update of distro-info to expect the new values
in its test-suite. In unstable, I updated Build-Depends and Depends on
distro-info-data to help autopkgtests. For stable I just updated the
Build-Depends.

[ Impact ]
Stable systems would be unaware of the new Ubuntu LTS.

[ Tests ]
distro-info-data is just CSV data, with some automated tests to verify
the structure and sanity-check the values.

distro-info has a more complex test suite that covers real-world tests
with old stable releases. This needed to be updated for the data
changes.

Build tests and autopkgtests pass in both packages.

[ Risks ]
Trivial, low risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

 distro-info-data (0.58+deb12u1) bookworm; urgency=medium
   * Update data to 0.59:
 - Add Ubuntu 24.04 LTS Noble Numbat (LP: #2041662).
 - Correct Ubuntu 6.10 EOL date to 2008-04-25
 - Correct Ubuntu 16.04 ESM begin to 2021-04-30
 - Move Ubuntu 12.04 ESM end date back to Friday, 2019-04-26
 - Correct Debian 3.1 EOL date to 2008-03-31
 - Correct Debian 7 EOL date to 2016-04-25
 - Move Debian 9 EOL to the 9.13 release date 2020-07-18
 - Move Debian 10 EOL to the 10.13 release date 2022-09-10

 distro-info (1.5+deb12u1) bookworm; urgency=medium
   * Update tests for distro-info-data 0.58+deb12u1, which adjusted Debian 7's
 EoL (Closes: #1054946)
diff --git a/debian.csv b/debian.csv
index 8272895..2646246 100644
--- a/debian.csv
+++ b/debian.csv
@@ -6,14 +6,14 @@ version,codename,series,created,release,eol,eol-lts,eol-elts
 2.1,Slink,slink,1998-07-24,1999-03-09,2000-10-30
 2.2,Potato,potato,1999-03-09,2000-08-15,2003-07-30
 3.0,Woody,woody,2000-08-15,2002-07-19,2006-06-30
-3.1,Sarge,sarge,2002-07-19,2005-06-06,2008-03-30
+3.1,Sarge,sarge,2002-07-19,2005-06-06,2008-03-31
 4.0,Etch,etch,2005-06-06,2007-04-08,2010-02-15
 5.0,Lenny,lenny,2007-04-08,2009-02-14,2012-02-06
 6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-31,2016-02-29
-7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-26,2018-05-31,2020-06-30
+7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-25,2018-05-31,2020-06-30
 8,Jessie,jessie,2013-05-04,2015-04-26,2018-06-17,2020-06-30,2025-06-30
-9,Stretch,stretch,2015-04-26,2017-06-17,2020-07-06,2022-06-30,2027-06-30
-10,Buster,buster,2017-06-17,2019-07-06,2022-08-14,2024-06-30,2029-06-30
+9,Stretch,stretch,2015-04-26,2017-06-17,2020-07-18,2022-06-30,2027-06-30
+10,Buster,buster,2017-06-17,2019-07-06,2022-09-10,2024-06-30,2029-06-30
 11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14
 12,Bookworm,bookworm,2021-08-14,2023-06-10,2026-06-10
 13,Trixie,trixie,2023-06-10
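Review bot: the Wheezy row's eol change from 2016-04-26 to 2016-04-25 is the correction the request says breaks the distro-info test suite, and for stable only distro-info's Build-Depends is being bumped. The two uploads therefore have to be accepted and built in order; please note that coupling in the changelog entry, since nothing in debian.csv or the package relationships enforces it for anyone rebuilding distro-info against the older data.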
diff --git a/debian/changelog b/debian/changelog
index 7550d74..c01e3fc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+distro-info-data (0.58+deb12u1) bookworm; urgency=medium
+
+  * Update data to 0.59:
+- Add Ubuntu 24.04 LTS Noble Numbat (LP: #2041662).
+- Correct Ubuntu 6.10 EOL date to 2008-04-25
+- Correct Ubuntu 16.04 ESM begin to 2021-04-30
+- Move Ubuntu 12.04 ESM end date back to Friday, 2019-04-26
+- Correct Debian 3.1 EOL date to 2008-03-31
+- Correct Debian 7 EOL date to 2016-04-25
+- Move Debian 9 EOL to the 9.13 release date 2020-07-18
+- Move Debian 10 EOL to the 10.13 release date 2022-09-10
+
+ -- Stefano Rivera   Sun, 29 Oct 2023 12:12:45 +0200
+
 distro-info-data (0.58) unstable; urgency=medium
 
   * Add Ubuntu 23.10 Mantic Minotaur (LP: #2018028)
diff --git a/ubuntu.

Bug#1054442: marked as done (bookworm-pu: package hash-slinger/3.1-1.1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054442,
regarding bookworm-pu: package hash-slinger/3.1-1.1+deb12u1
to be marked as done.


-- 
1054442: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054442
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: hash-slin...@packages.debian.org, ond...@debian.org, 
team+...@tracker.debian.org
Control: affects -1 + src:hash-slinger

[ Reason ]
When upgrading our Puppet server to bullseye, our DNS server couldn't
generate TLSA rules anymore because it was relying on an unpackaged
program. We eventually migrated to hash-slinger but in doing so
noticed it was generating broken TLSA records.

This has been reported as #1053483 against unstable, where it was
fixed and migrated to testing without known ill effects.

[ Impact ]
TLSA records cannot be generated.

[ Tests ]
Reproducer:

tlsa --create --usage=3 --selector=1 --mtype=1 --certificate example.com.crt --port 443 example.com --output=generic

Expected:

_443._tcp.cdn-fastly-backend.torproject.org. IN TYPE52 \# 35 030101e86cb4aa5bec41b44c5e78c0b3b05992ab276d540376aca18eb494d8e229cd4c

Actual:

_443._tcp.cdn-fastly-backend.torproject.org. IN TYPE52 \# 35.0 030101e86cb4aa5bec41b44c5e78c0b3b05992ab276d540376aca18eb494d8e229cd4c

Notice the float ("35.0") which should obviously be an integer. This
chokes the DNS server completely.

[ Risks ]
Code is a relatively trivial Python 3 tweak, minimal risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
This consists of a single, one-line patch, which has been submitted
and accepted upstream:

https://github.com/letoams/hash-slinger/pull/46

[ Other info ]
This is the second NMU on this package. I have tried to work on the
Git repository as well, but it's seriously lagging behind the versions
even in stable, so I haven't been able to do this. I understand the
maintainer is looking for help for the package but I unfortunately
cannot offer much help but patching this very issue for now...
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---
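
The "35.0" length field reported in #1054442 above can be caught before a zone is loaded. The following is an added example, not hash-slinger's code and not the patch from the linked pull request: it assumes the float came from Python 3 true division when computing the RDATA byte count, and the function names are hypothetical. The owner name and digest are the ones quoted in the report.

```python
import re

# RFC 3597 generic form: <owner> IN TYPE<n> \# <decimal byte count> <hex RDATA>
GENERIC_RR = re.compile(
    r"^(?P<owner>\S+)\s+IN\s+TYPE(?P<rrtype>\d+)\s+\\#\s+(?P<length>\S+)\s*(?P<hex>.*)$"
)

# Digest size implied by the TLSA matching type (RFC 6698): 1 = SHA-256, 2 = SHA-512.
DIGEST_BYTES = {1: 32, 2: 64}

# Values taken from the record quoted in the bug report.
OWNER = "_443._tcp.cdn-fastly-backend.torproject.org."
DIGEST = "e86cb4aa5bec41b44c5e78c0b3b05992ab276d540376aca18eb494d8e229cd4c"


def build_generic_tlsa(owner, usage, selector, mtype, digest_hex, true_division=False):
    """Render a TLSA record in generic (TYPE52) presentation format.

    true_division=True reproduces the assumed defect: in Python 3 "/" yields
    a float, so the byte count is rendered as "35.0" instead of "35".
    """
    rdata = "%02x%02x%02x%s" % (usage, selector, mtype, digest_hex.lower())
    length = len(rdata) / 2 if true_division else len(rdata) // 2
    return "%s IN TYPE52 \\# %s %s" % (owner, length, rdata)


def check_generic_tlsa(line):
    """Return a list of problems found in one generic TLSA record line."""
    m = GENERIC_RR.match(line.strip())
    if not m:
        return ["not an RFC 3597 generic record"]
    problems = []
    if m.group("rrtype") != "52":
        problems.append("RR type is %s, expected 52 (TLSA)" % m.group("rrtype"))

    # RFC 3597 allows the hex data to be split into whitespace-separated words.
    rdata = "".join(m.group("hex").split())
    if len(rdata) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", rdata):
        return problems + ["RDATA is not an even-length hex string"]
    nbytes = len(rdata) // 2

    length = m.group("length")
    if not re.fullmatch(r"[0-9]+", length):
        problems.append("length field %r is not an unsigned decimal integer" % length)
    elif int(length) != nbytes:
        problems.append("length field says %s bytes, RDATA has %d" % (length, nbytes))

    if nbytes < 4:
        problems.append("TLSA RDATA needs 3 header bytes plus association data")
    else:
        mtype = int(rdata[4:6], 16)
        expected = DIGEST_BYTES.get(mtype)
        if expected is not None and nbytes - 3 != expected:
            problems.append(
                "matching type %d needs a %d-byte digest, found %d bytes"
                % (mtype, expected, nbytes - 3)
            )
    return problems


if __name__ == "__main__":
    for flawed in (True, False):
        record = build_generic_tlsa(OWNER, 3, 1, 1, DIGEST, true_division=flawed)
        print(record)
        print("  ->", check_generic_tlsa(record) or "OK")
```

Running the checker over generated records in the zone build step turns a DNS server that refuses to load into a failed build with a readable message.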


Bug#1054340: marked as done (bookworm-pu:package dav4tbsync)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054340,
regarding bookworm-pu:package dav4tbsync
to be marked as done.


-- 
1054340: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054340
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: dav4tbs...@packages.debian.org, mechti...@debian.org
Control: affects -1 + src:dav4tbsync

[ Reason ]

This package is a dependency of the extension tbsync to thunderbird. 
After thunderbird is updated to version 115.* in bookworm it is 
necessary to update this extension too.


[ Impact ]

Otherwise this extension doesn't work anymore

[ Risks ]

Only tbsync, dav4tbsync and eas4tbsync are affected and will be updated too

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]

There is a new version of dav4tbsync to work with thunderbird 115.x

[ Other info ]

The output of debdiff (stable vs stable-pu) is attached

eas4tbsync will follow. Tbsync is already updated

Kind regards to the release team

Mechtilde

--
Mechtilde Stehmann
## Debian Developer
## PGP encryption welcome
## F0E3 7F3D C87A 4998 2899  39E7 F287 7BBA 141A AD7F
diffstat for dav4tbsync-4.3 dav4tbsync-4.7

 _locales/bg/messages.json |6 
 _locales/cs/messages.json |6 
 _locales/es/messages.json |8 
 _locales/fr/messages.json |8 
 _locales/gl/messages.json |  347 +
 _locales/hu/messages.json |6 
 _locales/it/messages.json |6 
 _locales/ja/messages.json |6 
 _locales/pl/messages.json |6 
 _locales/pt_BR/messages.json  |6 
 _locales/ro/messages.json |  347 +
 content/api/BootstrapLoader/CHANGELOG.md  |   15 
 content/api/BootstrapLoader/implementation.js |  676 --
 content/api/BootstrapLoader/schema.json   |4 
 content/bootstrap.js  |   12 
 content/manager/createAccount.xhtml   |   25 
 debian/changelog  |   22 
 debian/control|4 
 debian/gbp.conf   |2 
 manifest.json |4 
 20 files changed, 1341 insertions(+), 175 deletions(-)

diff -Nru dav4tbsync-4.3/content/api/BootstrapLoader/CHANGELOG.md dav4tbsync-4.7/content/api/BootstrapLoader/CHANGELOG.md
--- dav4tbsync-4.3/content/api/BootstrapLoader/CHANGELOG.md	2022-10-12 21:39:58.0 +0200
+++ dav4tbsync-4.7/content/api/BootstrapLoader/CHANGELOG.md	2023-08-18 16:52:10.0 +0200
@@ -1,3 +1,18 @@
+Version: 1.21
+-
+- Explicitly set hasAddonManagerEventListeners flag to false on uninstall
+
+Version: 1.20
+-
+- hard fork BootstrapLoader v1.19 implementation and continue to serve it for
+  Thunderbird 111 and older
+- BootstrapLoader v1.20 has removed a lot of unnecessary code used for backward
+  compatibility
+
+Version: 1.19
+-
+- fix race condition which could prevent the AOM tab to be monkey patched correctly
+
 Version: 1.18
 -
 - be precise on which revision the wrench symbol should be displayed, instead of
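Review bot: the 1.20 entry says backward-compatibility code was removed and that Thunderbird 111 and older keep being served by the forked 1.19 implementation, so the vendored loader moves three versions (1.18 to 1.21) in one stable update, and the diffstat shows 676 changed lines in implementation.js. The request should say that the new loader was exercised against the Thunderbird 115.x build in bookworm, and debian/control should carry a versioned dependency on thunderbird so this package cannot end up installed next to an older one.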
diff -Nru dav4tbsync-4.3/content/api/BootstrapLoader/implementation.js dav4tbsync-4.7/content/api/BootstrapLoader/implementation.js
--- dav4tbsync-4.3/content/api/BootstrapLoader/implementation.js	2022-10-12 21:39:58.0 +0200
+++ dav4tbsync-4.7/content/api/BootstrapLoader/implementation.js	2023-08-18 16:52:10.0 +0200
@@ -2,7 +2,7 @@
  * This file is provided by the addon-developer-support repository at
  * https://github.com/thundernest/addon-developer-support
  *
- * Version: 1.18
+ * Version: 1.21
  *
  * Author: John Bieling (j...@thunderbird.net)
  *
@@ -17,70 +17,65 @@
 var { AddonManager } = ChromeUtils.import("resource://gre/modules/AddonManager.jsm");
 var { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");
 
-var BootstrapLoader = class ext

Bug#1054421: marked as done (bookworm-pu: package weborf/0.19)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054421,
regarding bookworm-pu: package weborf/0.19
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054421: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054421
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: web...@packages.debian.org, tipos...@tiscali.it
Control: affects -1 + src:weborf

I have found a denial of service in all versions of weborf.

It is tracked in #1054417 and solved in 1.0 upstream. 
https://github.com/ltworf/weborf/pull/88

The issue is fixed in unstable but remains in stable and oldstable.

[ Reason ]
The bug has been there undetected for years. The fix is minimal.

[ Impact ]
The denial of service and extremely unlikely but theoretically possible
remote execution issue will remain.

The issue exists only if the process has CGI enabled (not the default).

[ Tests ]

There are no automated tests covering the issue.

[ Risks ]

The patch is just 3 lines.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]

A patch to remove a memory allocation and copy, where I forgot a +1 in the copy.

The resulting code just reuses the same buffer instead of copying, which was not
needed to begin with.

[ Other info ]

Tracked in CVE-2023-46586
diff -Nru weborf-0.19/debian/changelog weborf-0.19/debian/changelog
--- weborf-0.19/debian/changelog2022-10-15 12:57:06.0 +0200
+++ weborf-0.19/debian/changelog2023-10-23 18:38:21.0 +0200
@@ -1,3 +1,9 @@
+weborf (0.19-3) bookworm; urgency=medium
+
+  * Backport patch from upstream to fix denial of service (Closes: 1054417)
+
+ -- Salvo 'LtWorf' Tomaselli   Mon, 23 Oct 2023 18:38:21 
+0200
+
 weborf (0.19-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
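Review bot: the new changelog entry does not name CVE-2023-46586, although the request lists it under "Other info"; adding the CVE id to the "Backport patch from upstream to fix denial of service" line lets the upload be matched to the advisory. The version 0.19-3 also departs from the +deb12uN suffix the other bookworm uploads in this batch use (the previous entry here is 0.19-2.1), which is worth confirming before upload.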
diff -Nru weborf-0.19/debian/patches/cgi_buffer_fix.patch 
weborf-0.19/debian/patches/cgi_buffer_fix.patch
--- weborf-0.19/debian/patches/cgi_buffer_fix.patch 1970-01-01 
01:00:00.0 +0100
+++ weborf-0.19/debian/patches/cgi_buffer_fix.patch 2023-10-23 
18:38:15.0 +0200
@@ -0,0 +1,25 @@
+Description: Fix incorrect memory operation
+ The original code failed to take into account the space needed for the
+ null terminator.
+ .
+ The patch just avoids the copy altogether, because it was not needed.
+Author: Salvo "LtWorf" Tomaselli 
+Origin: upstream
+Bug: 
+Bug-Debian: https://bugs.debian.org/1054417
+Forwarded: not-needed
+Applied-Upstream: 1.0
+Last-Update: 2023-10-23
+
+--- weborf-0.19.orig/cgi.c
 weborf-0.19/cgi.c
+@@ -228,8 +228,7 @@ static inline void cgi_execute_child(con
+ environ = NULL; //Clear env vars
+ 
+ if (strlen(executor) == 0) {
+-executor = malloc(connection_prop->strfile_len + 1);
+-strncpy(executor, connection_prop->strfile, 
connection_prop->strfile_len);
++executor = connection_prop->strfile;
+ }
+ 
+ cgi_set_http_env_vars(connection_prop->http_param);
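Review bot: the Description says the old code "failed to take into account the space needed for the null terminator", but the removed malloc line does allocate strfile_len + 1 bytes; what is missing is the terminator write, because strncpy is bounded to strfile_len and, assuming that is the string's length, leaves the last byte of the fresh buffer unset. Rewording the Description to say that keeps the patch header accurate, and the empty "Bug:" field can be dropped or pointed at the upstream pull request the request cites. With "executor = connection_prop->strfile;" the two pointers now alias, so it is worth confirming that nothing later in cgi_execute_child frees or writes through executor.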
diff -Nru weborf-0.19/debian/patches/series weborf-0.19/debian/patches/series
--- weborf-0.19/debian/patches/series   2022-03-15 09:08:11.0 +0100
+++ weborf-0.19/debian/patches/series   2023-10-23 18:29:47.0 +0200
@@ -0,0 +1 @@
+cgi_buffer_fix.patch
--- End Message ---
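The missing terminator described in the weborf request above, as an added C example (not weborf's source and not part of the original message). The `struct conn` stand-in, the constructed path and the heap poisoning are assumptions made here so that the unterminated buffer shows up deterministically.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the two connection_prop fields the hunk uses (constructed). */
struct conn {
    const char *strfile;
    size_t strfile_len;         /* assumed equal to strlen(strfile) */
};

/* malloc() returns uninitialised memory; poison it so the result does not
 * depend on what the heap happened to contain. */
static char *alloc_poisoned(size_t n)
{
    char *p = malloc(n);
    if (p)
        memset(p, 0xAA, n);
    return p;
}

/* The removed pattern: room for the terminator is allocated, but strncpy()
 * stops after strfile_len bytes and never writes it. */
static char *executor_before(const struct conn *c)
{
    char *e = alloc_poisoned(c->strfile_len + 1);
    if (e)
        strncpy(e, c->strfile, c->strfile_len);
    return e;
}

/* A correct private copy, for code that really needs one. */
static char *executor_copy_fixed(const struct conn *c)
{
    char *e = alloc_poisoned(c->strfile_len + 1);
    if (e) {
        memcpy(e, c->strfile, c->strfile_len);
        e[c->strfile_len] = '\0';
    }
    return e;
}

/* 1 if a NUL byte exists inside the cap bytes that were allocated. */
static int terminated_within(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* which: 0 = removed code, 1 = corrected copy.
 * Returns 1 if the buffer is a C string inside its own allocation,
 * 0 if it is not, -1 on allocation failure. */
int executor_is_terminated(int which)
{
    struct conn c = { "/srv/www/cgi-bin/hello.py", 0 };   /* constructed */
    char *e;
    int ok;

    c.strfile_len = strlen(c.strfile);
    e = which ? executor_copy_fixed(&c) : executor_before(&c);
    if (!e)
        return -1;
    ok = terminated_within(e, c.strfile_len + 1);
    free(e);
    return ok;
}

int main(void)
{
    printf("removed code terminated:   %d\n", executor_is_terminated(0));
    printf("corrected copy terminated: %d\n", executor_is_terminated(1));
    /* The backported patch takes a third route: no copy at all,
     * executor simply points at connection_prop->strfile. */
    return 0;
}
```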
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1054363: marked as done (bookworm-pu: package eas4tbsync)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054363,
regarding bookworm-pu: package eas4tbsync
to be marked as done.


-- 
1054363: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054363
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: eas4tbs...@packages.debian.org, mechti...@debian.org
Control: affects -1 + src:eas4tbsync

[ Reason ]

This package is a dependency of the extension tbsync to thunderbird. 
After thunderbird is updated to version 115.* in bookworm it is 
necessary to update this extension too.


[ Impact ]

Otherwise this extension doesn't work anymore

[ Risks ]

Only tbsync, dav4tbsync and eas4tbsync are affected and will be updated too

[ Checklist ]
   [X] *all* changes are documented in the d/changelog
   [X] I reviewed all changes and I approve them
   [X] attach debdiff against the package in (old)stable
   [X] the issue is verified as fixed in unstable

[ Changes ]

There is a new version of dav4tbsync to work with thunderbird 115.x

[ Other info ]

The output of debdiff (stable vs stable-pu) is attached

Tbsync and dav4tbsync are already updated

Kind regards to the release team

Mechtilde

--
Mechtilde Stehmann
## Debian Developer
## PGP encryption welcome
## F0E3 7F3D C87A 4998 2899  39E7 F287 7BBA 141A AD7F
diffstat for eas4tbsync-4.1.5 eas4tbsync-4.7

 Makefile  |   25 
 background.js |2 
 content/api/BootstrapLoader/CHANGELOG.md  |   15 
 content/api/BootstrapLoader/implementation.js |  676 --
 content/api/BootstrapLoader/schema.json   |4 
 content/bootstrap.js  |   10 
 content/includes/calendarsync.js  |   13 
 content/includes/network.js   |   25 
 content/includes/tasksync.js  |   32 +
 content/includes/tools.js |   16 
 content/manager/createAccount.xhtml   |2 
 content/provider.js   |   21 
 debian/changelog  |   22 
 debian/control|4 
 debian/gbp.conf   |2 
 manifest.json |6 
 16 files changed, 677 insertions(+), 198 deletions(-)

diff -Nru eas4tbsync-4.1.5/background.js eas4tbsync-4.7/background.js
--- eas4tbsync-4.1.5/background.js	2022-10-13 11:05:56.0 +0200
+++ eas4tbsync-4.7/background.js	2023-08-18 16:51:43.0 +0200
@@ -16,7 +16,7 @@
 let manifest = browser.runtime.getManifest();
 browser.notifications.create({
   type: "basic",
-  iconUrl: browser.runtime.getURL("content/skin/sabredav32.png"),
+  iconUrl: browser.runtime.getURL("content/skin/eas32.png"),
   title: `${manifest.name}`,
   message: "Please update Thunderbird to at least 102.3.3 to be able to use this provider.",
 });
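Review bot: the unchanged "message:" line still tells the user to update Thunderbird to at least 102.3.3, while this upload exists to support Thunderbird 115.x; if the minimum version in manifest.json was raised, the notification text should be raised with it so the user is not sent to a version that still cannot load the provider.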
diff -Nru eas4tbsync-4.1.5/content/api/BootstrapLoader/CHANGELOG.md eas4tbsync-4.7/content/api/BootstrapLoader/CHANGELOG.md
--- eas4tbsync-4.1.5/content/api/BootstrapLoader/CHANGELOG.md	2022-10-13 11:05:56.0 +0200
+++ eas4tbsync-4.7/content/api/BootstrapLoader/CHANGELOG.md	2023-08-18 16:51:43.0 +0200
@@ -1,3 +1,18 @@
+Version: 1.21
+-
+- Explicitly set hasAddonManagerEventListeners flag to false on uninstall
+
+Version: 1.20
+-
+- hard fork BootstrapLoader v1.19 implementation and continue to serve it for
+  Thunderbird 111 and older
+- BootstrapLoader v1.20 has removed a lot of unnecessary code used for backward
+  compatibility
+
+Version: 1.19
+-
+- fix race condition which could prevent the AOM tab to be monkey patched correctly
+
 Version: 1.18
 -
 - be precise on which revision the wrench symbol should be displayed, instead of
diff -Nru eas4tbsync-4.1.5/content/api/BootstrapLoader/implementation.js eas4tbsync-4.7/content/api/BootstrapLoader/implementation.js
--- eas4tbsync-4.1.5/content/api/BootstrapLoader/implementation.js	2022-10-13 11:05:56.0 +0200
+++ eas4tbsync-4.7/content/api/BootstrapLoader/implementation.js	2023-08-18 16:51:43.0 +0200
@@ -2,7 +2,7 @@
  * This file is provided by the addon-developer-support repository at

Bug#1054401: marked as done (bookworm-pu: package nagios-plugins-contrib/42.20230308+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054401,
regarding bookworm-pu: package nagios-plugins-contrib/42.20230308+deb12u1
to be marked as done.


-- 
1054401: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054401
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: monitoring-plug...@packages.debian.org
Control: affects -1 + src:nagios-plugins-contrib

[ Reason ]
As reported in #1033791, check_running_kernel fails to find version on 
bookworm/(arm64|armhf).


[ Impact ]
check_running_kernel doesn't work on arm64 and armhf as expected, this 
is a regression.


[ Tests ]
The patch was verified to work in #1033791

[ Risks ]
Low, trivial change.

[ Checklist ]
   [x] *all* changes are documented in the d/changelog
   [x] I reviewed all changes and I approve them
   [x] attach debdiff against the package in (old)stable
   [x] the issue is verified as fixed in unstable

[ Changes ]
The patch is required to fix check_running_kernel on arm64 and armhf.

[ Other info ]
This is a request for pre approval, if you are okay with the changes, 
I'll upload it.


Kind Regards,

Jan
--
Never write mail to , you have been warned!
-BEGIN GEEK CODE BLOCK-
Version: 3.12
GIT d-- s+: a C+++ UL P+ L+++ E--- W+++ N+++ o++ K++ w--- O M+ V- PS 
PE Y++

PGP++ t-- 5 X R tv- b+ DI D+ G++ e++ h r+++ y
--END GEEK CODE BLOCK--
diff --git a/debian/changelog b/debian/changelog
index 1ce2330..2360b0b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+nagios-plugins-contrib (42.20230308+deb12u1) bookworm; urgency=medium
+
+  [ Manfred Stock ]
+  * [f5a0186] Extend fix for on-disk version detection on Bookworm
+(Closes: #1033791)
+
+ -- Jan Wagner   Mon, 23 Oct 2023 13:03:28 +0200
+
 nagios-plugins-contrib (42.20230308) unstable; urgency=high
 
   * [4ab7834] Adding d/p/dsa/check_running_kernel_bookworm_fix
diff --git a/debian/patches/dsa/check_running_kernel_bookworm_fix 
b/debian/patches/dsa/check_running_kernel_bookworm_fix
index fe5e75d..d98b929 100644
--- a/debian/patches/dsa/check_running_kernel_bookworm_fix
+++ b/debian/patches/dsa/check_running_kernel_bookworm_fix
@@ -9,3 +9,12 @@
if [ -x /usr/bin/lsb_release ] ; then
vendor=$(lsb_release -i -s)
if [ -n "$vendor" ] && [ "xDebian" != 
"x$vendor" ] ; then
+@@ -211,7 +211,7 @@
+   fi
+   fi
+   [ -z "$on_disk_version" ] || continue
+-  on_disk_version="`cat "$on_disk" | $STRINGS | grep 
'Linux version' | head -n1`"
++  on_disk_version="`cat "$on_disk" | $STRINGS | grep 
'Linux version' | tail -n1`"
+   [ -z "$on_disk_version" ] || continue
+ 
+   echo "UNKNOWN: Failed to get a version string from 
image $on_disk"
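Review bot: switching "head -n1" to "tail -n1" on the on_disk_version line changes which "Linux version" string is picked on every architecture, not only arm64 and armhf, and neither the patch nor the changelog entry says why the last match is the right one. A short comment next to that line saying what the earlier match is on those images, or a stricter grep pattern that only matches the real banner, would make the selection less dependent on string order inside the image.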
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1053918: marked as done (bookworm-pu: package tbsync)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1053918,
regarding bookworm-pu: package tbsync
to be marked as done.


-- 
1053918: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053918
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: tbs...@packages.debian.org, mechti...@debian.org
Control: affects -1 + src:tbsync

[ Reason ]

This package is an extension to thunderbird. After thunderbird is 
updated to version 115.* in bookworm it is necessary to update this 
extension too.


[ Impact ]

Otherwise this extension doesn't work anymore

[ Risks ]

Only dav4tbsync and eas4tbsync are affected and will be updated too

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]

There is a new version of tbsync to work with thunderbird 115.x

[ Other info ]

The output of debdiff (stable vs stable-pu) is attached

dav4tbsync and eas4tbsync will follow

Kind regards to the release team

Mechtilde


--
Mechtilde Stehmann
## Debian Developer
## PGP encryption welcome
## F0E3 7F3D C87A 4998 2899  39E7 F287 7BBA 141A AD7F
diffstat for tbsync-4.3 tbsync-4.7

 _locales/bg/messages.json |7 
 _locales/cs/messages.json |7 
 _locales/de/messages.json |   91 +--
 _locales/en-US/messages.json  |7 
 _locales/es/messages.json |7 
 _locales/et/messages.json |7 
 _locales/fr/messages.json |7 
 _locales/gl/messages.json |9 
 _locales/hu/messages.json |7 
 _locales/it/messages.json |7 
 _locales/ja/messages.json |7 
 _locales/ko/messages.json |7 
 _locales/pl/messages.json |7 
 _locales/pt_BR/messages.json  |7 
 _locales/ro/messages.json |7 
 _locales/ru/messages.json |7 
 _locales/sv/messages.json |7 
 content/api/BootstrapLoader/CHANGELOG.md  |   15 
 content/api/BootstrapLoader/implementation.js |  676 --
 content/api/BootstrapLoader/schema.json   |4 
 content/manager/accounts.js   |   12 
 content/manager/accounts.xhtml|4 
 content/manager/editAccount.js|3 
 content/manager/editAccount.xhtml |7 
 content/manager/eventlog/eventlog.js  |9 
 content/manager/eventlog/eventlog.xhtml   |   14 
 content/modules/db.js |   13 
 content/modules/io.js |4 
 content/modules/lightning.js  |2 
 content/modules/manager.js|   11 
 content/passwordPrompt/passwordPrompt.css |   13 
 content/passwordPrompt/passwordPrompt.js  |8 
 content/passwordPrompt/passwordPrompt.xhtml   |   44 -
 content/tbsync.jsm|3 
 debian/changelog  |   26 +
 debian/control|6 
 debian/gbp.conf   |2 
 manifest.json |4 
 38 files changed, 800 insertions(+), 285 deletions(-)

diff -Nru tbsync-4.3/content/api/BootstrapLoader/CHANGELOG.md tbsync-4.7/content/api/BootstrapLoader/CHANGELOG.md
--- tbsync-4.3/content/api/BootstrapLoader/CHANGELOG.md	2022-10-12 21:40:25.0 +0200
+++ tbsync-4.7/content/api/BootstrapLoader/CHANGELOG.md	2023-08-29 22:22:49.0 +0200
@@ -1,3 +1,18 @@
+Version: 1.21
+-
+- Explicitly set hasAddonManagerEventListeners flag to false on uninstall
+
+Version: 1.20
+-
+- hard fork BootstrapLoader v1.19 implementation and continue to serve it for
+  Thunderbird 111 and older
+- BootstrapLoader v1.20 has removed a lot of unnecessary code used for backward
+  compatibility
+
+Version: 1.19
+-
+- fix race condition which could prevent the AOM tab to be monkey patched correctly
+
 Version: 1.18
 -

Bug#1054286: marked as done (bookworm-pu: package python-cogent/2023.2.12a1+dfsg-2+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054286,
regarding bookworm-pu: package python-cogent/2023.2.12a1+dfsg-2+deb12u1
to be marked as done.


-- 
1054286: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054286
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: python-cog...@packages.debian.org, sanv...@debian.org
Control: affects -1 + src:python-cogent

[ Reason ]
This upload fixes #1030885. FTBFS on single-CPU systems.

[ Impact ]
Users who try to build the package from source on a single-cpu system
will see that the build fails unexpectedly.

[ Tests ]
I've tested that the fixed package builds ok on a single-cpu system.

[ Risks ]
Risk is minimal because the package builds the same. The only difference
is that a test which required more than one cpu to work is now disabled.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The only change has been to disable a test in the test suite.

[ Other info ]
I'm going to upload the package shortly after submitting this report.
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1054119: marked as done (bookworm-pu: package qpdf/11.3.0-1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054119,
regarding bookworm-pu: package qpdf/11.3.0-1
to be marked as done.


-- 
1054119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054119
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
X-Debbugs-CC: q...@debian.org

The attached patch to qpdf 11.3.0 fixes a bug that could potentially
result in loss of data. I'd like permission from the release team to
upload this to stable. I've been a debian developer since 2005, but
it's been years since I've last prepared a release to the stable
distribution. As far as I can tell, the current procedure is to upload
with the target distribution as "stable" and upload to ftp-master.
This will direct the package to the proposed-updates queue. Is this
correct?

The nature of the bug is that, if a quoted octal character with one or
two digits instead of three digits appears in the file, the following
character will be dropped from the string. This bug snuck in in a pull
request I accepted that performed significant performance optimization
on the tokenizer. Because it only affects strings in metadata when
qpdf is used in its default configuration, and because such quoted
characters of this type don't appear very often, it's somewhat of a
corner case, but I think the bug is critical to fix because there is a
chance that it could silently damage files in ways that would be hard
to detect.

Please let me know if I should proceed with an update to stable.

--Jay Berkenbilt (a.k.a. q...@debian.org)
--- libqpdf/QPDFTokenizer.cc.orig	2023-10-17 07:19:31.829119946 -0400
+++ libqpdf/QPDFTokenizer.cc	2023-10-17 07:20:55.689510562 -0400
@@ -739,17 +739,22 @@
 void
 QPDFTokenizer::inCharCode(char ch)
 {
+bool handled = false;
 if (('0' <= ch) && (ch <= '7')) {
 this->char_code = 8 * this->char_code + (int(ch) - int('0'));
 if (++(this->digit_count) < 3) {
 return;
 }
-// We've accumulated \ddd.  PDF Spec says to ignore
-// high-order overflow.
+handled = true;
 }
+// We've accumulated \ddd or we have \d or \dd followed by other
+// than an octal digit. The PDF Spec says to ignore high-order
+// overflow.
 this->val += char(this->char_code % 256);
 this->state = st_in_string;
-return;
+if (!handled) {
+inString(ch);
+}
 }
 
 void
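Review bot: the patch carries no regression test for the case it fixes; a tokenizer test with a one-digit and a two-digit octal escape followed by a non-octal character, by another backslash escape and by the closing parenthesis would pin the new "if (!handled) { inString(ch); }" path and guard against the next optimisation pass reintroducing the drop.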
--- End Message ---
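The tokenizer defect described in the qpdf request above, as an added example in C rather than qpdf's C++ (not qpdf's code and not part of the original message). It is a reduced state machine, with names and the `fixed` switch chosen here, that decodes the body of a PDF literal string both ways so the dropped character becomes visible.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Only the states needed to show the octal-escape behaviour. */
enum state { ST_IN_STRING, ST_BACKSLASH, ST_CHAR_CODE };

struct tokenizer {
    enum state state;
    int char_code;          /* value accumulated from \d, \dd or \ddd */
    int digit_count;
    int fixed;              /* 0 = behaviour before the patch, 1 = after */
    char *out;
    size_t cap, len;
};

static void emit(struct tokenizer *t, char c)
{
    if (t->len + 1 < t->cap)            /* keep room for the terminator */
        t->out[t->len++] = c;
}

static void in_string(struct tokenizer *t, char ch)
{
    if (ch == '\\')
        t->state = ST_BACKSLASH;
    else
        emit(t, ch);
}

static void in_backslash(struct tokenizer *t, char ch)
{
    if (ch >= '0' && ch <= '7') {
        t->char_code = ch - '0';
        t->digit_count = 1;
        t->state = ST_CHAR_CODE;
    } else {
        emit(t, ch);        /* simplification: other escapes kept literally */
        t->state = ST_IN_STRING;
    }
}

static void in_char_code(struct tokenizer *t, char ch)
{
    int handled = 0;

    if (ch >= '0' && ch <= '7') {
        t->char_code = 8 * t->char_code + (ch - '0');
        if (++t->digit_count < 3)
            return;
        handled = 1;                    /* ch was the third digit */
    }
    emit(t, (char)(t->char_code % 256));
    t->state = ST_IN_STRING;
    if (t->fixed && !handled)
        in_string(t, ch);               /* ch ended a short escape: keep it */
    /* before the patch, a non-octal ch was silently lost at this point */
}

/* Decode the body of a literal string (without the parentheses) into out.
 * Returns the decoded length; out is always NUL-terminated if cap > 0. */
size_t decode_pdf_string(const char *body, char *out, size_t cap, int fixed)
{
    struct tokenizer t = { ST_IN_STRING, 0, 0, fixed, out, cap, 0 };
    const char *p;

    if (cap == 0)
        return 0;
    for (p = body; *p; p++) {
        switch (t.state) {
        case ST_IN_STRING: in_string(&t, *p);    break;
        case ST_BACKSLASH: in_backslash(&t, *p); break;
        case ST_CHAR_CODE: in_char_code(&t, *p); break;
        }
    }
    if (t.state == ST_CHAR_CODE)        /* short escape at end of input */
        emit(&t, (char)(t.char_code % 256));
    out[t.len] = '\0';
    return t.len;
}

int main(void)
{
    /* Constructed inputs: two-digit escape, three-digit escape,
     * one-digit escape followed directly by another escape. */
    const char *samples[] = { "a\\53b", "\\101BC", "x\\7\\101" };
    char out[32];
    size_t i, j, n;
    int fixed;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        for (fixed = 0; fixed <= 1; fixed++) {
            n = decode_pdf_string(samples[i], out, sizeof out, fixed);
            printf("%-10s %s:", samples[i], fixed ? "after " : "before");
            for (j = 0; j < n; j++)
                printf(" %02x", (unsigned char)out[j]);
            printf("\n");
        }
    }
    return 0;
}
```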
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1054287: marked as done (bookworm-pu: package devscripts/2.23.4+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054287,
regarding bookworm-pu: package devscripts/2.23.4+deb12u1
to be marked as done.


-- 
1054287: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054287
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: devscri...@packages.debian.org
Control: affects -1 + src:devscripts

[ Reason ]
`dch --bpo` & `dch --stable` still use bullseye in 2.23.4.

Now that bookworm is released it should be used instead.

[ Impact ]
Needs to manually change the version and codename to correct the changelog.

[ Tests ]
Package test suite.

[ Risks ]
Low, only the commit for debchange was cherry-picked.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The gbp.conf & Vcs-Git changes are required to let git-buildpackage and 
debcheckout use the correct branch.

The debchange changes are cherry-picked from 2.23.5 which is in testing for a 
while now.

[ Other info ]
N/A

Kind Regards,

Bas
diff -Nru devscripts-2.23.4/debian/changelog 
devscripts-2.23.4+deb12u1/debian/changelog
--- devscripts-2.23.4/debian/changelog  2023-04-05 12:40:28.0 +0200
+++ devscripts-2.23.4+deb12u1/debian/changelog  2023-10-20 18:54:42.0 
+0200
@@ -1,3 +1,16 @@
+devscripts (2.23.4+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+
+  [ Bas Couwenberg ]
+  * Update branch in gbp.conf & Vcs-Git URL.
+
+  [ Benjamin Drung ]
+  * debchange: Update to current Debian distributions
+(closes: #1037336, #1038389, #1043021)
+
+ -- Bas Couwenberg   Fri, 20 Oct 2023 18:54:42 +0200
+
 devscripts (2.23.4) unstable; urgency=medium
 
   [ Johannes Schauer Marin Rodrigues ]
diff -Nru devscripts-2.23.4/debian/control 
devscripts-2.23.4+deb12u1/debian/control
--- devscripts-2.23.4/debian/control2023-04-05 12:36:46.0 +0200
+++ devscripts-2.23.4+deb12u1/debian/control2023-10-20 18:54:42.0 
+0200
@@ -66,7 +66,7 @@
 Standards-Version: 4.6.2
 Rules-Requires-Root: no
 Vcs-Browser: https://salsa.debian.org/debian/devscripts
-Vcs-Git: https://salsa.debian.org/debian/devscripts.git
+Vcs-Git: https://salsa.debian.org/debian/devscripts.git -b bookworm
 
 Package: devscripts
 Architecture: any
diff -Nru devscripts-2.23.4/debian/gbp.conf 
devscripts-2.23.4+deb12u1/debian/gbp.conf
--- devscripts-2.23.4/debian/gbp.conf   2022-06-18 18:14:16.0 +0200
+++ devscripts-2.23.4+deb12u1/debian/gbp.conf   2023-10-20 18:54:42.0 
+0200
@@ -1,2 +1,3 @@
 [DEFAULT]
 debian-tag = v%(version)s
+debian-branch = bookworm
diff -Nru devscripts-2.23.4/scripts/debchange.bash_completion 
devscripts-2.23.4+deb12u1/scripts/debchange.bash_completion
--- devscripts-2.23.4/scripts/debchange.bash_completion 2022-06-18 
18:14:15.0 +0200
+++ devscripts-2.23.4+deb12u1/scripts/debchange.bash_completion 2023-10-20 
18:54:42.0 +0200
@@ -25,11 +25,11 @@
 #--
 #FIXME: I don't want hard-coding codename...
 #--
-oldstable_codename='squeeze'
-stable_codename='wheezy'
-testing_codename='jessie'
+oldstable_codename='bullseye'
+stable_codename='bookworm'
+testing_codename='trixie'
 
-lts='squeeze-lts'
+lts='buster-lts'
 
 distro="oldstable-security oldstable-proposed-updates\
 "$oldstable_codename"-security\
diff -Nru devscripts-2.23.4/scripts/debchange.pl 
devscripts-2.23.4+deb12u1/scripts/debchange.pl
--- devscripts-2.23.4/scripts/debchange.pl  2023-04-03 01:03:09.0 
+0200
+++ devscripts-2.23.4+deb12u1/scripts/debchange.pl  2023-10-20 
18:54:42.0 +0200
@@ -163,7 +163,7 @@
  distribution name
   --bpo
  Increment the Debian release number for a backports upload
- to "bullseye-backports"
+ to "bookworm-backports"
   --stable
  Increment the Debian release number for a stable upload.
   -l, --local 
@@ -507,7 +507,7 @@
 if (defined $opt_D) {
 if ($vendor eq 'Debian') {
 unless ($opt_D
- 

Bug#1054100: marked as done (bookworm-pu: package iotop-c/1.23-1+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054100,
regarding bookworm-pu: package iotop-c/1.23-1+deb12u1
to be marked as done.


-- 
1054100: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054100
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ioto...@packages.debian.org
Control: affects -1 + src:iotop-c

[ Reason ]
This update fixes 3 bugs in iotop-c:
- the program will busy loop after pressing ESC key, eating 100% on one core
- pseudo graphs in ASCII mode display incorrect/garbage values
- the logic behind showing only IO active processes incorrectly hides active 
ones

All the bugs were reported via IRC or via the upstream tracker and have no 
debian bug ids

[ Impact ]
Each of those 3 bugs severely affects user experience

[ Tests ]
Fixes were verified by manual testing and also confirmed as fixed by the 
reporters

[ Risks ]
Risks are very low - it is a leaf package, fixes are near trivial

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
All changes are cherry-picked upstream commits

[ Other info ]
N/A
diff -Nru iotop-c-1.23/debian/changelog iotop-c-1.23/debian/changelog
--- iotop-c-1.23/debian/changelog   2023-01-23 22:56:03.0 +
+++ iotop-c-1.23/debian/changelog   2023-10-17 01:06:47.0 +
@@ -1,3 +1,13 @@
+iotop-c (1.23-1+deb12u1) bookworm; urgency=medium
+
+  * Backport fixes from 1.25
+- Fix ESC makes iotop busy loop
+- Fix the logic in 'only' option
+  * Backport fixes from 1.24
+- Fix ASCII graph problem in R, W & RW modes
+
+ -- Boian Bonev   Tue, 17 Oct 2023 01:06:47 +
+
 iotop-c (1.23-1) unstable; urgency=medium
 
   [ Debian Janitor ]
diff -Nru iotop-c-1.23/debian/patches/fix-ascii-graph.patch 
iotop-c-1.23/debian/patches/fix-ascii-graph.patch
--- iotop-c-1.23/debian/patches/fix-ascii-graph.patch   1970-01-01 
00:00:00.0 +
+++ iotop-c-1.23/debian/patches/fix-ascii-graph.patch   2023-10-17 
01:06:47.0 +
@@ -0,0 +1,33 @@
+From: Boian Bonev 
+Date: Tue Oct 17 01:23:35 UTC 2023
+Forwarded: 629d80290c34b3a6a2e6f6400d8e277597547c93
+Subject: Fix ASCII graph problem in R, W & RW modes
+
+---
+--- a/src/view_curses.c
 b/src/view_curses.c
+@@ -969,21 +969,21 @@ static inline void view_curses(struct xx
+   
v1=value2scale(s->readhist[j*2],maxvisible);
+   
v2=value2scale(s->readhist[j*2+gi],maxvisible);
+   } else
+-  
v1=value2scale(s->readhist[j*2],maxvisible);
++  
v1=value2scale(s->readhist[j],maxvisible);
+   break;
+   case E_GR_W:
+   if 
(has_unicode&&config.f.unicode) {
+   
v1=value2scale(s->writehist[j*2],maxvisible);
+   
v2=value2scale(s->writehist[j*2+gi],maxvisible);
+   } else
+-  
v1=value2scale(s->writehist[j*2],maxvisible);
++  
v1=value2scale(s->writehist[j],maxvisible);
+   break;
+   case E_GR_RW:
+   if 
(has_unicode&&config.f.unicode) {
+   
v1=value2scale(s->readhist[j*2]+s->writehist[j*2],maxvisible);
+   
v2=value2scale(s->readhist[j*2+gi]+s->writehist[j*2+gi],maxvisible);
+   } else
+-
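Review bot: the DEP-3 header of fix-ascii-graph.patch records the upstream commit under "Forwarded: 629d80290c34b3a6a2e6f6400d8e277597547c93"; for a cherry-picked upstream commit that id belongs in an "Origin: upstream, ..." field, with Forwarded set to not-needed or a URL, so tooling and later reviewers can find the source of the change. On the code itself, the non-Unicode branches for E_GR_R and E_GR_W now index readhist[j] and writehist[j] while the Unicode branches keep j*2 and j*2+gi; a one-line comment stating that ASCII mode draws one sample per column would make that asymmetry obviously intentional. The copy of the patch in this message is cut off before the E_GR_RW else branch, so that part cannot be checked here.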

Bug#1054122: marked as done (bookworm-pu: package axis/1.4-28)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054122,
regarding bookworm-pu: package axis/1.4-28
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054122: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054122
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

[ Reason ]

Fixing CVE-2023-40743: Axis allows potentially dangerous lookup
mechanisms which may lead to DoS, SSRF or even RCE.

[ Tests ]

The fix is trivial. If the name of the JNDI service contains a certain
string then do nothing. That filters out unsupported protocols
effectively.

[ Risks ]

Axis in Debian is mainly used to build other software packages and
serves no other purpose. It is very unlikely that it is used in third
party applications outside of Debian but better safe than sorry.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards,

Markus
diff -Nru axis-1.4/debian/changelog axis-1.4/debian/changelog
--- axis-1.4/debian/changelog   2018-12-03 08:25:51.0 +0100
+++ axis-1.4/debian/changelog   2023-10-17 14:05:20.0 +0200
@@ -1,3 +1,15 @@
+axis (1.4-28+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2023-40743:
+When integrating Apache Axis 1.x in an application, it may not have been
+obvious that looking up a service through "ServiceFactory.getService"
+allows potentially dangerous lookup mechanisms such as LDAP. When passing
+untrusted input to this API method, this could expose the application to
+DoS, SSRF and even attacks leading to RCE. (Closes: #1051288)
+
+ -- Markus Koschany   Tue, 17 Oct 2023 14:05:20 +0200
+
 axis (1.4-28) unstable; urgency=medium
 
   * Fixed the build failure with Java 11 (Closes: #911187)
diff -Nru axis-1.4/debian/patches/CVE-2023-40743.patch 
axis-1.4/debian/patches/CVE-2023-40743.patch
--- axis-1.4/debian/patches/CVE-2023-40743.patch1970-01-01 
01:00:00.0 +0100
+++ axis-1.4/debian/patches/CVE-2023-40743.patch2023-10-17 
14:05:20.0 +0200
@@ -0,0 +1,32 @@
+From: Markus Koschany 
+Date: Tue, 17 Oct 2023 00:46:49 +0200
+Subject: CVE-2023-40743
+
+Origin: 
https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
+---
+ src/org/apache/axis/client/ServiceFactory.java | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/org/apache/axis/client/ServiceFactory.java 
b/src/org/apache/axis/client/ServiceFactory.java
+index 33054a5..73e89ee 100644
+--- a/src/org/apache/axis/client/ServiceFactory.java
 b/src/org/apache/axis/client/ServiceFactory.java
+@@ -106,6 +106,10 @@ public class ServiceFactory extends 
javax.xml.rpc.ServiceFactory
+ 
+ if (context != null) {
+ String name = (String)environment.get("jndiName");
++
++  if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || 
name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 
|| name.toUpperCase().indexOf("JMX")!=-1) || 
name.toUpperCase().indexOf("JRMP")!=-1 || 
name.toUpperCase().indexOf("JAVA")!=-1 || 
name.toUpperCase().indexOf("DNS")!=-1)  {
++  return null;
++}
+ if (name == null) {
+ name = "axisServiceName";
+ }
+@@ -120,6 +124,7 @@ public class ServiceFactory extends 
javax.xml.rpc.ServiceFactory
+ context.bind(name, service);
+ } catch (NamingException e1) {
+ // !!! Couldn't do it, what should we do here?
++  return null;
+ }
+ }
+ } else {
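Review bot: the new guard in ServiceFactory.java can throw a NullPointerException when jndiName is absent. The parenthesis opened after `name!=null &&` closes after the JMX test, so the JRMP, JAVA and DNS tests are OR-ed outside the null check and `name.toUpperCase()` is still evaluated when name is null; the `if (name == null) { name = "axisServiceName"; }` default just below is then never reached. Move the closing parenthesis so that all seven substring tests sit inside the null guard, and compute the upper-cased name once, with an explicit locale, instead of seven times. Two further points: the check is a substring denylist, so it rejects any legitimate name that merely contains "java" or "dns" and does not cover anything absent from the list, and the added `return null` in the NamingException handler changes what callers receive on a bind failure without a log line or an update to the "what should we do here?" comment.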
diff -Nru axis-1.4/debian/patches/series axis-1.4/debian/patches/series
--- axis-1.4/debian/patches/series  2018-12-03 00:33:50.0 +0100
+++ axis-1.4/debian/patches/series  2023-10-17 14:05:20.0 +0200
@@ -8,3 +8,4 @@
 java9-compatibility.patch
 java11-compatibility.patch
 CVE-2018-8032.patch
+CVE-2023-40743.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookw

Bug#1053895: marked as done (bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1053895,
regarding bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2
to be marked as done.


-- 
1053895: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053895
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-und...@packages.debian.org
Control: affects -1 + src:node-undici

[ Reason ]
node-undici doesn't clear Cookie and Host headers on cross-origin
redirect.

[ Impact ]
Medium security issue

[ Tests ]
No new test here

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Drop headers Host/Cookie unless same-origin

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 92c0de8..168ee34 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2) bookworm; urgency=medium
+
+  * Delete cookie and host headers on cross-origin redirect
+(Closes: #1053879, CVE-2023-45143)
+
+ -- Yadd   Fri, 13 Oct 2023 22:14:45 +0400
+
 node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1) bookworm; urgency=medium
 
   * Fix security issues (Closes: #1031418):
diff --git a/debian/patches/CVE-2023-45143.patch 
b/debian/patches/CVE-2023-45143.patch
new file mode 100644
index 000..c196bd2
--- /dev/null
+++ b/debian/patches/CVE-2023-45143.patch
@@ -0,0 +1,24 @@
+Description: delete 'cookie' and 'host' headers on cross-origin redirect
+Author: Khafra 
+Origin: upstream, https://github.com/nodejs/undici/commit/e041de35
+Bug: https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g
+ https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp
+Bug-Debian: https://bugs.debian.org/1053879
+Forwarded: not-needed
+Applied-Upstream: 5.26.2, commit:e041de35
+Reviewed-By: Yadd 
+Last-Update: 2023-10-13
+
+--- a/lib/fetch/index.js
 b/lib/fetch/index.js
+@@ -1204,6 +1204,10 @@
+   if (!sameOrigin(requestCurrentURL(request), locationURL)) {
+ // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
+ request.headersList.delete('authorization')
++
++// "Cookie" and "Host" are forbidden request-headers, which undici 
doesn't implement.
++request.headersList.delete('cookie')
++request.headersList.delete('host')
+   }
+ 
+   // 14. If request’s body is non-null, then set request’s body to the first 
return
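Review bot: no test accompanies the two new `request.headersList.delete` calls, and the request itself states "No new test here". A regression test that follows a redirect to a different origin and asserts that `cookie` and `host` (and the already handled `authorization`) are absent from the second request would pin the behaviour down for later backports. It is also worth confirming with upstream whether other credential-bearing headers, for example `proxy-authorization`, need the same treatment, since only these three are removed in the visible context.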
diff --git a/debian/patches/series b/debian/patches/series
index ce1440a..297000a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@ drop-ssl-tests.patch
 CVE-2023-23936.patch
 CVE-2023-24807.patch
 update-httpbin.org-test-timeout.patch
+CVE-2023-45143.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---
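The behaviour the node-undici update above restores, as an added example that is not undici's code or part of the original request: when a redirect crosses origins, `authorization`, `cookie` and `host` are removed before the request is re-sent. The names `headersForRedirect`, `sameOrigin` and `CROSS_ORIGIN_STRIP`, and the example.test URLs, are assumptions made for the illustration.

```javascript
// Added illustration, not undici's implementation.
// Headers removed when a redirect leaves the origin of the current request
// (the list the patched code ends up with: authorization, cookie, host).
const CROSS_ORIGIN_STRIP = ['authorization', 'cookie', 'host'];

// Origin = scheme + host + port, as serialised by the WHATWG URL parser.
// Opaque origins serialise as "null"; this sketch conservatively treats
// them as never matching (an assumption of this example).
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  const ob = new URL(b).origin;
  if (oa === 'null' || ob === 'null') return false;
  return oa === ob;
}

// Returns the URL and headers to use for the follow-up request.
// `location` may be relative; it is resolved against the current URL.
function headersForRedirect(currentUrl, location, headers) {
  const target = new URL(location, currentUrl);
  const next = {};
  for (const [name, value] of Object.entries(headers)) {
    next[name.toLowerCase()] = value; // header names are case-insensitive
  }
  if (!sameOrigin(currentUrl, target.href)) {
    for (const name of CROSS_ORIGIN_STRIP) delete next[name];
  }
  return { url: target.href, headers: next };
}

// Constructed sample request headers.
const sampleHeaders = {
  Authorization: 'Bearer constructed-token',
  Cookie: 'session=constructed',
  Host: 'app.example.test',
  Accept: 'application/json',
};

for (const location of [
  '/login?next=1',                      // relative: same origin
  'https://app.example.test:443/next',  // default port: same origin
  'http://app.example.test/next',       // scheme change: cross-origin
  'https://cdn.example.test/next',      // host change: cross-origin
]) {
  const r = headersForRedirect('https://app.example.test/start', location, sampleHeaders);
  console.log(r.url, Object.keys(r.headers).join(','));
}
```

A scheme or port change alone is enough to make the redirect cross-origin, which is why the comparison is on the full origin rather than on the host name.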


Bug#1054096: marked as done (bookworm-pu: package llvm-toolchain-16/16.0.6-15~deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054096,
regarding bookworm-pu: package llvm-toolchain-16/16.0.6-15~deb12u1
to be marked as done.


-- 
1054096: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054096
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Here's the update to stable for clang-16, like we recently did for 
oldstable.


[ Reason ]

Chromium 118 wouldn't build on clang-13, so we added clang-16 to 
oldstable (#1053761). In order to be consistent across distributions 
(and also allowing us to drop a bunch of clang-14 & clang-15 workaround 
patches from chromium), we should add clang-16 to stable as well.


[ Impact ]

There's no impact for users, as packages in stable must explicitly 
choose to build against clang-16.


[ Tests ]

Chromium 118.0.5993.70 succeeded in building and running on bookworm 
with the clang-16 packages from llvm-toolchain-16_16.0.6-15~deb12u1.


[ Risks ]

Low/no risk. Clang-16 is not currently in stable.

On oldstable, it built for all archs except mipsel 
(https://buildd.debian.org/status/package.php?p=llvm-toolchain-16&suite=bullseye), 
so I'm not anticipating any other architecture build issues on stable.


[ Checklist ]

 [x] *all* changes are documented in the d/changelog
 [x] I reviewed all changes and I approve them
 [x] attach debdiff against the package in (old)stable
 [x] the issue is verified as fixed in unstable

[ Changes ]

This is the diff against llvm-toolchain-16_16.0.6-15 in trixie, since 
llvm-toolchain-16 isn't currently in bookworm:


diff -urN a/llvm-toolchain-16-16.0.6/debian/changelog 
b/llvm-toolchain-16-16.0.6/debian/changelog
--- a/llvm-toolchain-16-16.0.6/debian/changelog	2023-09-11 
13:40:42.0 +
+++ b/llvm-toolchain-16-16.0.6/debian/changelog	2023-10-16 
13:14:10.0 +

@@ -1,3 +1,11 @@
+llvm-toolchain-16 (1:16.0.6-15~deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for bullseye.
+  * Change build-dep from sid's llvm-spirv-16 to bookworm's 
llvm-spirv-14.

+
+ -- Andres Salomon   Mon, 16 Oct 2023 13:14:10 
+

+
llvm-toolchain-16 (1:16.0.6-15) unstable; urgency=medium

  * Second attempt to refresh D158066.patch (Closes: #1049362)
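Review bot: the second bullet of the new entry says "Rebuild for bullseye." although the entry targets bookworm with a ~deb12u1 version, so it looks carried over from the oldstable upload and should read "Rebuild for bookworm.". The llvm-spirv-14 bullet would also benefit from a few words on why building this toolchain version against the older SPIR-V translator is acceptable.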
diff -urN a/llvm-toolchain-16-16.0.6/debian/control 
b/llvm-toolchain-16-16.0.6/debian/control
--- a/llvm-toolchain-16-16.0.6/debian/control	2023-09-10 
06:14:34.0 +
+++ b/llvm-toolchain-16-16.0.6/debian/control	2023-10-16 
13:14:10.0 +

@@ -23,7 +23,7 @@
libctypes-ocaml-dev [amd64 arm64 armhf ppc64el riscv64 s390x],
dh-exec, dh-ocaml [amd64 arm64 armhf ppc64el riscv64 s390x],
libpfm4-dev [linux-any], python3-setuptools, libz3-dev,
-llvm-spirv-16 [ amd64 arm64 armel armhf i386 mips64el ppc64el 
riscv64 s390x ]  | hello [!i386],
+llvm-spirv-14 [ amd64 arm64 armel armhf i386 mips64el ppc64el 
riscv64 s390x ]  | hello [!i386],

spirv-tools [ linux-any ] | hello [ !i386],
wasi-libc | hello [ !any-i386],
libcurl4-openssl-dev | libcurl-dev,
diff -urN a/llvm-toolchain-16-16.0.6/debian/control.in 
b/llvm-toolchain-16-16.0.6/debian/control.in
--- a/llvm-toolchain-16-16.0.6/debian/control.in	2023-09-10 
06:14:36.0 +
+++ b/llvm-toolchain-16-16.0.6/debian/control.in	2023-10-16 
13:14:10.0 +

@@ -23,7 +23,7 @@
libctypes-ocaml-dev [amd64 arm64 armhf ppc64el riscv64 s390x],
dh-exec, dh-ocaml [amd64 arm64 armhf ppc64el riscv64 s390x],
libpfm4-dev [linux-any], python3-setuptools, libz3-dev,
-llvm-spirv-16 [ amd64 arm64 armel armhf i386 mips64el ppc64el 
riscv64 s390x ]  | hello [!i386],
+llvm-spirv-14 [ amd64 arm64 armel armhf i386 mips64el ppc64el 
riscv64 s390x ]  | hello [!i386],

spirv-tools [ linux-any ] | hello [ !i386],
wasi-libc | hello [ !any-i386],
libcurl4-openssl-dev | libcurl-dev,



[ Other info ]
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1053908: marked as done (bookworm-pu: package calibre/6.13.0+repack-2+deb12u2)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1053908,
regarding bookworm-pu: package calibre/6.13.0+repack-2+deb12u2
to be marked as done.


-- 
1053908: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053908
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cali...@packages.debian.org, yokota.h...@gmail.com
Control: affects -1 + src:calibre


[ Reason ]
Fix Debian bug 1053899
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053899

[ Impact ]
"Get books" window not working

[ Tests ]
Build time test passed.
Trivial manual test passed.

[ Risks ]
Tests are done on Debian unstable, not Debian bookworm.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Add patch "fix crash in Get Books when regenerating UIC files".

[ Other info ]
Upstream fix:
https://github.com/kovidgoyal/calibre/commit/f4fe3f254d3de0dd51722b3b5e08112ae82ebf51
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Bug#1053461: marked as done (bookworm-pu: package openrefine/3.6.2-2+deb12u2)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1053461,
regarding bookworm-pu: package openrefine/3.6.2-2+deb12u2
to be marked as done.


-- 
1053461: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053461
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

[ Reason ]

Fixing CVE-2023-41886 and CVE-2023-41887.

OpenRefine is a powerful free, open source tool for working with messy
data. Prior to this version, a remote code execution vulnerability
allows any unauthenticated user to execute code on the server.

[ Tests ]

I have verified that the new test case works as expected.

[ Risks ]

Low, leaf package, all tests work as expected.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Other info ]

Please note that I have previously uploaded another bookworm-pu,
#1051429, to fix CVE-2023-37476. This update addresses the new CVE
mentioned in this bug report. CVE-2023-37476 has been fixed with
3.6.2-2+deb12u1 already.
diff --git a/debian/changelog b/debian/changelog
index 16033d8..37acbbf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openrefine (3.6.2-2+deb12u2) bookworm; urgency=medium
+
+  * Fix CVE-2023-41887 and CVE-2023-41886:
+OpenRefine is a powerful free, open source tool for working with messy
+data. Prior to this version, a remote code execution vulnerability allows
+any unauthenticated user to execute code on the server.
+
+ -- Markus Koschany   Wed, 04 Oct 2023 15:02:45 +0200
+
 openrefine (3.6.2-2+deb12u1) bookworm; urgency=medium
 
   * Fix CVE-2023-37476:
diff --git a/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch 
b/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch
new file mode 100644
index 000..274b758
--- /dev/null
+++ b/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch
@@ -0,0 +1,183 @@
+From: Markus Koschany 
+Date: Wed, 4 Oct 2023 14:39:55 +0200
+Subject: CVE-2023-41887 and CVE-2023-41886
+
+Origin: 
https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511
+---
+ .../extension/database/DatabaseConfiguration.java   | 16 
+ .../database/mariadb/MariaDBConnectionManager.java  | 12 +---
+ .../database/mysql/MySQLConnectionManager.java  | 11 +--
+ .../database/pgsql/PgSQLConnectionManager.java  | 11 +--
+ .../database/sqlite/SQLiteConnectionManager.java|  9 -
+ .../database/DatabaseConfigurationTest.java | 21 +
+ 6 files changed, 48 insertions(+), 32 deletions(-)
+ create mode 100644 
extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
+
+diff --git 
a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
 
b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
+index 47dad7f..3f0dd57 100644
+--- 
a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
 
b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
+@@ -29,6 +29,9 @@
+ package com.google.refine.extension.database;
+ 
+ 
++import java.net.URI;
++import java.net.URISyntaxException;
++
+ public class DatabaseConfiguration {
+ 
+ private String connectionName;
+@@ -128,4 +131,17 @@ public class DatabaseConfiguration {
+ 
+ 
+ 
++public URI toURI() {
++try {
++return new URI(
++"jdbc:" + databaseType.toLowerCase(),
++databaseHost + ((databasePort == 0) ? "" : (":" + 
databasePort)),
++"/" + databaseName,
++useSSL ? "useSSL=true" : null,
++null
++);
++} catch (URISyntaxException e) {
++throw new IllegalArgumentException(e);
++}
++}
+ }
+diff --git 
a/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java
 
b/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.
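Review bot: `toURI()` in DatabaseConfiguration builds the authority by string concatenation, so a null `databaseHost` yields the literal authority "null", and a null `databaseType` throws a NullPointerException from `toLowerCase()` instead of the IllegalArgumentException the catch block suggests callers should expect. Validate both fields before constructing the URI, and use `toLowerCase(Locale.ROOT)` so the scheme does not depend on the default locale. The copy of the patch in this message is cut off before the connection-manager hunks and the new DatabaseConfigurationTest, so how the managers consume the URI cannot be reviewed from here.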

Bug#1053141: marked as done (bookworm-pu: package mrtg/2.17.10-5+deb12u2)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1053141,
regarding bookworm-pu: package mrtg/2.17.10-5+deb12u2
to be marked as done.


-- 
1053141: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053141
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: m...@packages.debian.org
Control: affects -1 + src:mrtg

[ Reason ]
The last SPU was broken by #1041332. This new SPU fixes the issue using a new
approach. Now a debconf message is used to warn the user about a change of the
configuration place.

[ Impact ]
The impact is that the final user will not know the new place of the
configuration file. Consequently, mrtg will not use the configuration
parameters created by the user before the last upgrade (from Bullseye to
Bookworm).

[ Tests ]
Several tests were made to make sure that a warning will be shown when needed.

[ Risks ]
No risks because this is only a debconf warning for the user.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
In 2.17.10-5+deb12u1 the conffile was moved from /etc/ to /etc/mrtg/ via a
debconf process. This process was cancelled and, now, the user will receive
a warning saying that this file needs to be moved manually. Consequently,
Debian Policy 10.7.3 is being honored.

[ Other info ]
No more info.

Regards,

Eriberto
diff -Nru mrtg-2.17.10/debian/changelog mrtg-2.17.10/debian/changelog
--- mrtg-2.17.10/debian/changelog   2023-07-10 14:04:14.0 -0300
+++ mrtg-2.17.10/debian/changelog   2023-09-27 22:59:14.0 -0300
@@ -1,3 +1,24 @@
+mrtg (2.17.10-5+deb12u2) bookworm; urgency=medium
+
+  * Changed a debconf template to honor Debian Policy (10.7.3), not
+changing the place a conffile, discarding any user changes.
+Thanks to Andreas Beckmann . Consequently:
+  - debian/mrtg.config: changed a comment.
+  - debian/mrtg.postinst: dropped the first conditional block,
+related to moving the /etc/mrtg.cfg to /etc/mrtg/.
+  - debian/mrtg.templates: updated to show a specific message to
+users.
+  - debian/po/: ran debconf-updatepo to update all templates.
+  - Closes: #1039103, #1041332
+  * debian/po/:
+  - mrtg.templates: reviewed all messages. Thanks to Justin B Rye
+ for all help in debian-l10n-english
+list and to Jonathan Wiltshire  for the suggestion
+to ask for help in that list.
+  - Updated all translations. Thanks to all translators.
+
+ -- Joao Eriberto Mota Filho   Wed, 27 Sep 2023 22:59:14 
-0300
+
 mrtg (2.17.10-5+deb12u1) bookworm; urgency=medium
 
   * Added a debconf dialog to allow the user to decide if /etc/mrtg.cfg must
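Review bot: the first bullet of the new entry, "not changing the place a conffile, discarding any user changes", can be read as saying that this upload discards user changes, which is the opposite of the intent. Wording such as "no longer moving a conffile, which discarded user changes" would be unambiguous.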
diff -Nru mrtg-2.17.10/debian/mrtg.config mrtg-2.17.10/debian/mrtg.config
--- mrtg-2.17.10/debian/mrtg.config 2023-07-10 14:04:14.0 -0300
+++ mrtg-2.17.10/debian/mrtg.config 2023-09-24 11:26:07.0 -0300
@@ -7,7 +7,7 @@
 # Source debconf library.
 . /usr/share/debconf/confmodule
 
-# Move /etc/mrtg.cfg to /etc/mrtg/mrtg.cfg?
+# /etc/mrtg.cfg should be moved to /etc/mrtg/mrtg.cfg
 if [ -e /etc/mrtg.cfg ]
 then
 db_input high mrtg/move_config_file || true
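Review bot: only the comment changes in mrtg.config; the script still calls `db_input high mrtg/move_config_file`, so a template whose name describes a move is now used purely as a warning. Keeping the name is reasonable for a stable update, but a short comment noting that the postinst no longer reads the answer would save the next reader from searching for its consumer.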
diff -Nru mrtg-2.17.10/debian/mrtg.postinst mrtg-2.17.10/debian/mrtg.postinst
--- mrtg-2.17.10/debian/mrtg.postinst   2023-07-10 14:04:14.0 -0300
+++ mrtg-2.17.10/debian/mrtg.postinst   2023-09-24 11:26:07.0 -0300
@@ -28,17 +28,6 @@
 
 if [ "$1" = "configure" ]
 then
-# Move /etc/mrtg.cfg to /etc/mrtg/mrtg.cfg?
-db_get mrtg/move_config_file || RET="false"
-if [ "$RET" = "true" ]
-then
-   if [ -e /etc/mrtg/mrtg.cfg ]
-   then
-  mv /etc/mrtg/mrtg.cfg /etc/mrtg/mrtg.cfg.NEW
-   fi
-   mv -f /etc/mrtg.cfg /etc/mrtg/
-fi
-
 # Fix owner, group and permissions for /var/www/html/mrtg/?
 db_get mrtg/fix_permissions || RET="false"
 if [ "$RET" = "true" ]
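Review bot: removing the move block from the "configure" branch stops further moves, but nothing here covers systems that already ran 2.17.10-5+deb12u1 and answered yes, where the removed code renamed an existing /etc/mrtg/mrtg.cfg to mrtg.cfg.NEW and moved /etc/mrtg.cfg into /etc/mrtg/. The changelog or the debconf note should say what those users are expected to do with a leftover mrtg.cfg.NEW.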
diff -Nru mrtg-2.17.10/debian/mrtg.templates mrtg-2.17.10/debian/mrtg.templates
--- mrtg-2.17.10/debian/mrtg.templates  2023-07-10 14:04:14.0 -0300
+++ mrtg-2.17.10/debian/mrtg.templates  2023-09-24 11:26:07.000

Bug#1053532: marked as done (bookworm-pu: package arctica-greeter/0.99.3.0-1+deb12u2)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1053532,
regarding bookworm-pu: package arctica-greeter/0.99.3.0-1+deb12u2
to be marked as done.


-- 
1053532: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053532
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: arctica-gree...@packages.debian.org
Control: affects -1 + src:arctica-greeter

This is a follow-up upload of arctica-greeter; +deb12u1 has already been
accepted for the next bookworm point release, but here comes another one
(for an explanation, see below).

I have attached two debdiffs, one against arctica-greeter in bookworm,
one against arctica-greeter in bookworm-pu.

[ Reason ]
During the preparation of the Debian Edu 12 artwork I encountered a
problem with the logo positioning code in Arctica Greeter.

The previous code version would make assumptions about the logo height and
in the past we always used logo images of a certain pixel height.

However, the Debian 12 logo and the Debian Edu 12 logo differ in height
by design and the Debian Edu 12 logo would lap very far towards the bottom
border of the screen. Really not beautiful.

With my Arctica Greeter upstream hat on, I developed a patch that now allows
logos of any height with Arctica Greeter. This patch is shipped in
another bookworm-pu upload.

[ Impact ]
This is a change that makes Arctica Greeter in Debian Edu 12 more
beautiful. (We use Arctica Greeter for the MATE variant of Debian Edu).

If it does not get accepted, it won't leave anything in a broken state or so;
it is merely an aesthetic fix.

[ Tests ]
Manual tests on a Debian bookworm and Debian Edu bookworm system.

[ Risks ]
Regression in arctica-greeter. Minimal.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

+  * debian/patches:
++ Add 0008_better-positioning-of-logo.patch. Move logo in bottom-left
+  corner one grid-size count away from the border.

Patch cherry-picked from upstream PR:
https://github.com/ArcticaProject/arctica-greeter/pull/87

[ Other info ]
None.
diff -Nru 
arctica-greeter-0.99.3.0/debian/30_arctica-greeter-theme-debian.gschema.override
 
arctica-greeter-0.99.3.0/debian/30_arctica-greeter-theme-debian.gschema.override
--- 
arctica-greeter-0.99.3.0/debian/30_arctica-greeter-theme-debian.gschema.override
2023-03-01 19:35:03.0 +0100
+++ 
arctica-greeter-0.99.3.0/debian/30_arctica-greeter-theme-debian.gschema.override
2023-08-24 07:40:47.0 +0200
@@ -1,5 +1,5 @@
 [org.ArcticaProject.arctica-greeter]
-background='/usr/share/desktop-base/emerald-theme/login/background-nologo.svg'
+background='/usr/share/desktop-base/active-theme/login/background-nologo.svg'
 background-color='#032F3D'
 togglebox-button-bgcolor='#032F3D'
 togglebox-button-bordercolor='#032F3D'
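Review bot: the background now follows desktop-base's active-theme path, but `background-color`, `togglebox-button-bgcolor` and `togglebox-button-bordercolor` in the unchanged context stay hard-coded to '#032F3D'. If the active theme is ever one these colours were not picked for, the greeter will mix the two, so either add a comment in the override stating that the colours are intentionally fixed or plan a follow-up that derives them from the theme.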
diff -Nru arctica-greeter-0.99.3.0/debian/changelog 
arctica-greeter-0.99.3.0/debian/changelog
--- arctica-greeter-0.99.3.0/debian/changelog   2023-03-01 21:21:03.0 
+0100
+++ arctica-greeter-0.99.3.0/debian/changelog   2023-10-05 20:48:16.0 
+0200
@@ -1,3 +1,30 @@
+arctica-greeter (0.99.3.0-1+deb12u2) bookworm; urgency=medium
+
+  * debian/patches:
++ Add 0008_better-positioning-of-logo.patch. Move logo in bottom-left
+  corner one grid-size count away from the border.
+
+ -- Mike Gabriel   Thu, 05 Oct 2023 20:48:16 +0200
+
+arctica-greeter (0.99.3.0-1+deb12u1) bookworm; urgency=medium
+
+  * debian/patches:
++ [a11y] Add patches 0001 and 0002. Support configuring the onscreen
+  keyboard theme via ArcticaGreeter's gsettings.
++ [a11y, i18n]  Use 'Compact' OSK layout (instead of Small) which include
+  special keys such as German Umlauts, etc.
++ Add 0004-src-session-list.vala-Treat-gnome-xorg-as-GNOME-and-.patch. Show
+  correct icon for GNOME/X.Org session in session chooser list.
++ Add patches 0005, 0006 and 0007. Make PAM messages (esp. on login 
failure,
+  password expiry, etc.) be displayed fully and in readable colors.
+  * debian/30_arctica-greeter-theme-debian.gschema.override:
++ Use active theme rather then emerald (although t
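Review bot: typo in the +deb12u1 entry, "rather then emerald" should be "rather than emerald". The "[a11y, i18n]" bullet about the 'Compact' OSK layout also names no patch file, unlike the neighbouring bullets that list 0001/0002, 0004 and 0005 to 0007, which makes it harder to map to debian/patches; naming the patch there would close the gap.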

Bug#1052229: marked as done (bookworm-pu: gnome-shell/43.9-0+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1052229,
regarding bookworm-pu: gnome-shell/43.9-0+deb12u1
to be marked as done.


-- 
1052229: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052229
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gnome-sh...@packages.debian.org, debian-gtk-gn...@lists.debian.org
Control: affects -1 + src:gnome-shell

[ Reason ]
Several new upstream bugfix releases. I've been trying to get these into
a suitable state for a stable update since 12.1, but every time I've
been testing one long enough to think about asking for upload approval,
there have been more bugfixes upstream and the cycle starts again.

This is probably going to be the last upstream release in the 43.x series,
although we might get a 43.10.

[ Impact ]
Various fixes for crashes and other bugs. This also converts the fix
for CVE-2023-43090 (which was fixed via a DSA) from a patch to part of
the upstream source.

[ Tests ]
A prerelease build differing only in changelog and version is available at
https://people.debian.org/~smcv/12.3/pool/main/g/gnome-shell/
and is in use on my household's bookworm laptop/desktop systems, with
no obvious regressions seen immediately (but I only installed it recently).
The diff is not small and the 12.2 deadline is coming up, so I think we
should continue testing this until after 12.2 is out, and then upload. I
would appreciate any testing that the rest of the GNOME team can provide.

43.7-1 was in testing for a while, and 43.7-2 was briefly in unstable
before it was superseded by version 44. I also tested bookworm backports
of 43.7-2 and 43.8 on my household's bookworm laptop/desktop systems for
a while.

I confirmed that CVE-2023-43090 is not reproducible in this version.
I generally haven't specifically attempted to reproduce other bugs.

[ Risks ]
I am not any sort of expert on compositor development, but upstream
have generally been good about backporting only bug fixes to their
stable branches. There have been some regressions in the past because
this stuff is difficult. If there are regressions from these changes,
they're likely to be of the same magnitude as the bugs that were fixed.

The changes in subprojects/gvc/ are a larger diffstat than I would like
(including performance improvements as well as bug fixes), but also
relatively straightforward if we look closely.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  - the diff given here is between patched trees, using the fix for
CVE-2023-43090 in bookworm-security as its reference point, and
is lightly filtered to avoid wasting the release team's time
(see top of diff for the exact filterdiff command)
  [x] the issue is verified as fixed in unstable

[ Changes ]

js/misc/ibusManager.js:
- Add missing environment variables required to launch ibus-daemon
  (gnome-shell#6998, fixed in 44.5 for unstable)
- Report focus events to ibus when using Wayland (gnome-shell#6415)
  and fix a regression caused by the initial version of that change
  (both changes were in 44.4 for unstable)

js/misc/inputMethod.js:
- Better compatibility with Debian 12's version of ibus
  (gnome-shell#6405, fixed in 44.4 for unstable)

js/misc/parentalControlsManager.js:
- Don't log an error when AccountsService signals a change while
  parental controls are disabled globally
  (gnome-shell#6749, fixed in 44.3 for unstable)

js/misc/weather.js:
- When showing weather, avoid getting meaningless location names like
  "WiFi" or "GeoIP" from GeoClue >= 2.7 (fixed in 44.4 for unstable)

js/ui/barLevel.js, js/ui/slider.js:
- Reverse the direction of volume/brightness sliders in right-to-left
  locales (Arabic, Hebrew) to match user expectations
  (fixed in 44.5 for unstable)

js/ui/keyboard.js:
- When using the on-screen keyboard in numeric mode, don't go back to
  alphabetical mode after each keypress
  (gnome-shell#5763, fixed in 44.5 for unstable)

js/ui/lookingGlass.js:
- In the "looking glass" debug interface, cope with objects that
  cannot be conve

Bug#1052227: marked as done (bookworm-pu: mutter/43.8-0+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1052227,
regarding bookworm-pu: mutter/43.8-0+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1052227: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052227
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: mut...@packages.debian.org, debian-gtk-gn...@lists.debian.org
Control: affects -1 + src:mutter

[ Reason ]
Several new upstream bugfix releases. I've been trying to get these into
a suitable state for a stable update since 12.1, but every time I've
been testing one long enough to think about asking for upload approval,
there have been more bugfixes upstream and the cycle starts again.

This might be the last upstream bugfix release in the 43.x series,
or we might get a 43.9.

[ Impact ]
If not accepted, various crashes and other bugs will remain unfixed,
despite having solutions known to upstream.

[ Tests ]
A prerelease build is available at
https://people.debian.org/~smcv/12.3/pool/main/m/mutter/
and is in use on my household's bookworm laptop/desktop systems, with
no obvious regressions so far.

The diff is not small and the 12.2 deadline is coming up, so I think we
should continue testing this until after 12.2 is out, and then upload. I
would appreciate any testing that the rest of the GNOME team can provide.

43.7-1 was in testing for a while before being superseded by version 44.
I also tested a bookworm backport of 43.7-1 on my household's bookworm
laptop/desktop systems for a while.

[ Risks ]
I am not any sort of expert on compositor development, but upstream
have generally been good about backporting only bug fixes to their
stable branches. There have been some regressions in the past because
this stuff is difficult. If there are regressions from these changes,
they're likely to be of the same magnitude as the bugs that were fixed.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  (lightly filtered, see top of debdiff)
  [x] the issue is verified as fixed in unstable

[ Changes ]
clutter/clutter/clutter-paint-volume.c:
- Improve GNOME Shell app grid performance by avoiding repainting
  monitors other than the one it is displayed on
  (partially fixes gnome-shell#6819, a full fix needs gnome-shell 43.9
  which I am also proposing as a stable update; fixed in 44.4 for
  unstable)

clutter/clutter/clutter-stage.c, src/core/window.c,
src/core/display-private.h, src/core/display.c:
  Give focus to new app windows when launched from the gnome-shell
  overview, fixing a regression in 43.3-5 and upstream 43.4
  (Closes: #1035092, #1049934; fixed in 43.7 and 44.4 for unstable)

cogl/cogl/driver/gl/cogl-gl-framebuffer-fbo.c:
Fix a test failure with recent Mesa (Closes: #1042055, LP: #2025287;
fixed in 44.4 for unstable)

src/backends/meta-stage-impl.c:
- Fix flickering and rendering artifacts when using software rendering,
  for example on older Intel hardware unsupported by the Gallium i915
  driver (mutter#2602; fixed in 44.4 for unstable)

src/backends/native/meta-output-kms.c:
  Make the choice of preferred video mode consistent between code
  paths, fixing choice of video mode on some monitors (mutter!3055;
  fixed in 44.4 for unstable)

src/tests/: More test coverage, especially for #1035092
  (included in 43.7 and 44.4 for unstable)

src/wayland/meta-wayland-touch.c:
- Fix the ability to drag libdecor windows by their title bar on
  touchscreens (mutter#2872; fixed in 44.4 for unstable)

.gitlab-ci.yml: Upstream CI changes, filtered out of the diff

[ Other info ]
I've only tested this in conjunction with an accompanying gnome-shell
update, so it would be best if the same release team member can look
at both.

The attached diff corresponds to packaging commit 225a383fa6, test-builds
are labelled as 43.8-0+deb12u1~43.7+2+22+g225a383fa6.

smcv
filterdiff -p1 -x.gitlab-ci.yml -x'debian/patches/*.patch'

diff --git a/NEWS b/NEWS
index 410519419e..824ba51285 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,23 @@
+43.8
+
+* Fix restoring focus when leaving the overview [Jonas; #2690]
+* Fix touch mo

Bug#1050868: marked as done (bookworm-pu: package debootstrap/1.0.128+nmu2+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1050868,
regarding bookworm-pu: package debootstrap/1.0.128+nmu2+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1050868: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050868
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debootst...@packages.debian.org, hel...@subdivi.de
Control: affects -1 + src:debootstrap
Control: block 1025708 by -1

[ Reason ]
Part of the transition to merged-/usr, and more specifically, allowing
us to stop shipping files in trixie whose physical path on disk does
not match their path in the dpkg database due to directory aliasing.

This change needs to be in bookworm (and bullseye, and maybe buster)
before that process can continue, because official buildds run debootstrap
from stable (or older).

I also took the opportunity to backport changes that make the autopkgtests
pass.

[ Impact ]
If not accepted, trixie will continue to be stuck in a
mostly-but-not-entirely merged-/usr limbo, with the moratorium from #1035831
remaining in place.

[ Tests ]
More details of testing on
.
A prerelease (differing only in the changelog) is available from
.

I used this version of debootstrap to install sid, trixie, bookworm,
bullseye and buster on amd64, in the default, minbase and buildd
variants, and compared the results to corresponding pairs of reference
chroots. The reference chroots were installed with the Debian 12.1
version of debootstrap, explicitly forcing --[no-]merged-usr.

All default and minbase chroots continue to be merged-/usr by default.

The sid and trixie buildd chroots are now merged-/usr by default (this
is an intentional change).

The bookworm, bullseye and buster buildd chroots continue to be
non-merged-/usr by default.

When I used diffoscope to compare each chroot tarball to the reference
chroot tarball with the same suite, variant and (non-)merged-/usr status,
all differences were expected or ignorable:

- /lib32, /libx32 symlinks not created (an intentional change)
- empty /usr/lib32/, /usr/libx32/ not created (an intentional change)
- non-reproducible timestamps (ignorable)
- non-reproducible machine ID (ignorable)
- non-reproducible ldconfig cache (ignorable)
- non-reproducible systemd-journald message catalog in buster (ignorable)
- non-reproducible /var/log (ignorable)

Philip Hands built a d-i mini.iso with the proposed version, and it seems
to have installed GNOME successfully under openQA.

There is also an autopkgtest which bootstraps Debian testing and
inspects various subtleties of the resulting chroot. It now passes under
autopkgtest-virt-qemu (which previously failed), autopkgtest-virt-lxc
and Salsa-CI.

The changes were backported from testing/unstable, where there were
no regression reports that I've seen. The last of them migrated to
trixie today.

[ Risks ]
Packages that were relying on sid and trixie buildds to be non-merged-/usr
could break or misbehave. This is intentional: only merged-/usr is
supported, and this change is mainly to get the buildds into a supported
state for the future.

Packages that were relying on the existence of compat symlinks for
non-default multilib flavours (for example /lib32 and /libx32 on amd64)
will no longer find that they exist in all cases. I would say this is only
a minor risk. In principle it could be mitigated by creating the compat
symlinks unconditionally when bootstrapping older suites (<= bookworm)
but if that's wanted, we should do it in unstable first.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable (and trixie)

[ Changes ]

* debootstrap:
  - Add --merged-usr to the --help (#1031828). Minor documentation fix,
no functional change.

* functions:
  - can_usrmerge_symlink(), merge_usr_entry(), merge_usr():
Helmut Grohne's implementation of a new bootstrap protocol for
merged-/usr, which unpacks Essential packages and then does the
equivalent of the usrmerge package's convert-usrmerg

Bug#1040860: marked as done (bookworm-pu: package mrtg/2.17.10-5+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1040860,
regarding bookworm-pu: package mrtg/2.17.10-5+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1040860: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040860
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: m...@packages.debian.org
Control: affects -1 + src:mrtg

[ Reason ]
Older versions of MRTG on Debian had the /etc/mrtg.cfg configuration
file. Currently, this file is located in the /etc/mrtg/ directory. This PU
introduces changes from Sid (revision 2.17.10-6) to ask the user if the
configuration file must be moved to /etc/mrtg/, if it exists in /etc/.
Some updated and new translations for the debconf template are being sent
with this PU (from revisions 2.17.10-7 and 2.17.10-8). This PU closes
#1039103.

[ Impact ]
If the update isn't approved, a user migrating MRTG from an older version
will need to handle the configuration file manually, moving it to the
right current place.

[ Tests ]
Some manual tests over unstable and stable environments were done to check
if the purposed action is occurring.

[ Risks ]
No risks because this is a trivial change.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
A new action, via debconf, was implemented. If the /etc/mrtg.cfg file exists
when the system is being updated, the user will be asked about moving the
file to the /etc/mrtg/ directory. If yes, the system will rename a possible new
conf file in /etc/mrtg/ and move /etc/mrtg.cfg to /etc/mrtg/.

[ Other info ]
No more info.
diff -Nru mrtg-2.17.10/debian/changelog mrtg-2.17.10/debian/changelog
--- mrtg-2.17.10/debian/changelog   2023-04-19 00:10:02.0 -0300
+++ mrtg-2.17.10/debian/changelog   2023-07-10 14:04:14.0 -0300
@@ -1,3 +1,17 @@
+mrtg (2.17.10-5+deb12u1) bookworm; urgency=medium
+
+  * Added a debconf dialog to allow the user to decide if /etc/mrtg.cfg must
+be moved to /etc/mrtg/mrtg.cfg. Consequently:
+  - Added a new debconf template (files debian/mrtg.config and
+debian/mrtg.templates).
+  - Updated debian/mrtg.postinst.
+  - Updated translations in debian/po/ (es.po, fr.po, nl.po, pt.po,
+pt_BR.po, ro.po and sv.po).
+  - Added new translations to debian/po/ (gl.po and vi_VN.po).
+  - Closes: #1039103
+
+ -- Joao Eriberto Mota Filho   Mon, 10 Jul 2023 14:04:14 
-0300
+
 mrtg (2.17.10-5) unstable; urgency=medium
 
   * debian/control: bumped Standards-Version to 4.6.2.
diff -Nru mrtg-2.17.10/debian/mrtg.config mrtg-2.17.10/debian/mrtg.config
--- mrtg-2.17.10/debian/mrtg.config 2023-04-19 00:09:56.0 -0300
+++ mrtg-2.17.10/debian/mrtg.config 2023-07-10 14:04:14.0 -0300
@@ -1,12 +1,21 @@
 #!/bin/sh
 
-# 2021 - Eriberto
+# 2021-2023 - Eriberto
 
 set -e
 
 # Source debconf library.
 . /usr/share/debconf/confmodule
 
+# Move /etc/mrtg.cfg to /etc/mrtg/mrtg.cfg?
+if [ -e /etc/mrtg.cfg ]
+then
+db_input high mrtg/move_config_file || true
+db_go || true
+else
+db_set mrtg/move_config_file false
+fi
+
 # Fix permissions for /var/www/html/mrtg/?
 if [ -d /var/www/html/mrtg ]
 then
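Review bot: The added test [ -e /etc/mrtg.cfg ] is also true when /etc/mrtg.cfg is a symlink or a directory, so the question is asked, and the postinst later moves the path, in cases that are not a leftover regular configuration file. Consider [ -f /etc/mrtg.cfg ] && [ ! -L /etc/mrtg.cfg ] here. The "|| true" after db_go also hides a failed or backed-out dialog, so a short comment stating which answer the postinst will then read would help.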
diff -Nru mrtg-2.17.10/debian/mrtg.postinst mrtg-2.17.10/debian/mrtg.postinst
--- mrtg-2.17.10/debian/mrtg.postinst   2023-04-19 00:09:56.0 -0300
+++ mrtg-2.17.10/debian/mrtg.postinst   2023-07-10 14:04:14.0 -0300
@@ -28,6 +28,17 @@
 
 if [ "$1" = "configure" ]
 then
+# Move /etc/mrtg.cfg to /etc/mrtg/mrtg.cfg?
+db_get mrtg/move_config_file || RET="false"
+if [ "$RET" = "true" ]
+then
+   if [ -e /etc/mrtg/mrtg.cfg ]
+   then
+  mv /etc/mrtg/mrtg.cfg /etc/mrtg/mrtg.cfg.NEW
+   fi
+   mv -f /etc/mrtg.cfg /etc/mrtg/
+fi
+
 # Fix owner, group and permissions for /var/www/html/mrtg/?
 db_get mrtg/fix_permissions || RET="false"
 if [ "$RET" = "true" ]
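Review bot: The added block moves /etc/mrtg.cfg purely on the stored debconf answer and never re-checks the path itself. If /etc/mrtg.cfg is an absolute symlink to /etc/mrtg/mrtg.cfg, the target is first renamed to mrtg.cfg.NEW and the symlink is then moved into /etc/mrtg/, leaving /etc/mrtg/mrtg.cfg pointing at itself; and if the file is missing, "mv -f" still fails because -f does not suppress a missing source. Suggest wrapping both mv calls in [ -f /etc/mrtg.cfg ] && [ ! -L /etc/mrtg.cfg ]. The first mv also silently overwrites any /etc/mrtg/mrtg.cfg.NEW left by an earlier run.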
diff -Nru mrtg-2.17.10/debian/mrtg.templates mrtg-2.17.10/debian/mrtg.templates
--- mrtg-2.17.10/debian/mrtg.templates  2023-04-19 00:09:56.0 -0300
+++ mrtg-2.17.10/debian/mrtg.templates  2023-07-10 14:04:14.0 -0300
@@ -1,3 +

Bug#1050384: marked as done (bookworm-pu: package awstats/7.8-3+deb12u1)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 10:20:37 +
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1050384,
regarding bookworm-pu: package awstats/7.8-3+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1050384: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050384
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: awst...@packages.debian.org, lourisva...@figueredo.tec.br
Control: affects -1 + src:awstats

[ Reason ]
The package has a policy violation caused by an error in the postinst file.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037213

The bug was introduced in version 7.8-2+deb11u1 (bullseye), and I am fixing it
backwards.

[ Impact ]
If not fixed, the package will not be able to move on to testing and will be
out of trixie.

[ Tests ]
Manual tests only. I have tested following the upgrade from buster to bullseye
and then to bookworm and sid.

[ Risks ]
Trivial

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * debian/awstats.postinst: part of the code was moved to the awstats.preinst
file, to avoid creating the
/etc/logrotate.d/httpd-prerotate/awstats.dpkg-new file, and thus requiring
user interaction when updating. See #1037213.
  * debian/awstats.preinst: created.
diffstat for awstats-7.8 awstats-7.8

 awstats.postinst |7 ---
 awstats.preinst  |   28 
 changelog|   11 +++
 3 files changed, 39 insertions(+), 7 deletions(-)

diff -Nru awstats-7.8/debian/awstats.postinst 
awstats-7.8/debian/awstats.postinst
--- awstats-7.8/debian/awstats.postinst 2022-12-04 16:52:31.0 -0300
+++ awstats-7.8/debian/awstats.postinst 2023-08-22 22:10:53.0 -0300
@@ -17,13 +17,6 @@
chown www-data:www-data /var/cache/awstats
chmod 750 /var/cache/awstats
fi
-   # clean-up old script that didn't run
-   if [ -n "$2" ]; then
-   if dpkg --compare-versions "$2" lt '7.8-1~'; then
-   rm -f /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh
-   rmdir /etc/logrotate.d/httpd-prerotate/awstats/ || true
-   fi
-   fi
 ;;
 
 abort-upgrade|abort-remove|abort-deconfigure)
diff -Nru awstats-7.8/debian/awstats.preinst awstats-7.8/debian/awstats.preinst
--- awstats-7.8/debian/awstats.preinst  1969-12-31 21:00:00.0 -0300
+++ awstats-7.8/debian/awstats.preinst  2023-08-22 22:10:53.0 -0300
@@ -0,0 +1,28 @@
+#! /bin/sh
+
+set -e
+
+case "$1" in
+upgrade)
+   # clean-up old script that didn't run
+   if [ -n "$2" ]; then
+   if dpkg --compare-versions "$2" lt '7.8-1~'; then
+   rm -f /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh
+   rmdir /etc/logrotate.d/httpd-prerotate/awstats/ || true
+   fi
+   fi
+;;
+
+install|abort-upgrade|abort-remove|abort-deconfigure)
+
+;;
+
+*)
+echo "preinst called with unknown argument \`$1'" >&2
+exit 0
+;;
+esac
+
+#DEBHELPER#
+
+exit 0
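Review bot: The cleanup sits only in the "upgrade)" branch, so it is skipped when preinst is called as "install <old-version>", which is how dpkg invokes it when the package was removed but not purged and its configuration files remain. A system in that state coming from a version older than 7.8-1~ keeps /etc/logrotate.d/httpd-prerotate/awstats/ and may still hit the problem described for #1037213. Suggest running the cleanup for "install|upgrade)", since the existing [ -n "$2" ] test already excludes a fresh install. The "*)" branch also exits 0 after reporting an unknown argument; exit 1 would make an unexpected invocation visible.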
diff -Nru awstats-7.8/debian/changelog awstats-7.8/debian/changelog
--- awstats-7.8/debian/changelog2022-12-04 16:52:31.0 -0300
+++ awstats-7.8/debian/changelog2023-08-22 22:10:53.0 -0300
@@ -1,3 +1,14 @@
+awstats (7.8-3+deb12u1) bookworm; urgency=medium
+
+  * QA upload.
+  * debian/awstats.postinst: part of the code was moved to the awstats.preinst
+file, to avoid creating the
+/etc/logrotate.d/httpd-prerotate/awstats.dpkg-new file, and thus requiring
+user interaction when updating. See #1037213.
+  * debian/awstats.preinst: created.
+
+ -- Lourisvaldo Figueredo Junior   Tue, 22 Aug 
2023 22:10:53 -0300
+
 awstats (7.8-3) unstable; urgency=medium
 
   * QA upload.
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam
--- End Message ---


Re: Planning for 12.3

2023-12-09 Thread Luna Jernberg
Reminder Debian 12.3 testing UK afternoon time today

On Thu, 30 Nov 2023 at 00:51, Luna Jernberg wrote:
>
> Hey!
>
> As I said on IRC earlier yesterday I should be able to help with some
> ISO CD testing this round too
>
> On Sat, 7 Oct 2023 at 19:59, Jonathan Wiltshire wrote:
> >
> > Hi,
> >
> > The next point release for bookworm should be around the end of November
> > 2023. We're about a week behind cadence anyway, but I already know the 28th
> > November will be unsuitable (Cambridge mini-debconf) and the weekend
> > following is probably recovery time for a lot of people.
> >
> > Much after that we get into holidays and well off cadence.
> >
> > How about:
> >   4th December (better for cadence)
> >  11th December (more likely suitable in practice)
> >
> > Thanks,
> >
> > --
> > Jonathan Wiltshire  j...@debian.org
> > Debian Developer http://people.debian.org/~jmw
> >
> > 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
> > ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
> >



Bug#1056710: marked as done (RM: gimp-dds -- RoQA; no longer required; integrated into GIMP)

2023-12-09 Thread Debian Bug Tracking System
Your message dated Sat, 09 Dec 2023 08:26:56 +
with message-id 
and subject line Bug#1056710: Removed package(s) from stable
has caused the Debian Bug report #1056710,
regarding RM: gimp-dds -- RoQA; no longer required; integrated into GIMP
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1056710: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056710
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
X-Debbugs-Cc: t...@security.debian.org, b...@debian.org, car...@debian.org

Dear stable release managers,

Please remove src:gimp-dds in the next bookworm point release. It has
since gimp 2.10.10 upstream been integrated upstream.

Removal is possible:

carnil@coccia:~$ dak rm --suite=bookworm -n -R gimp-dds
Will remove the following packages from bookworm:

  gimp-dds |3.0.1-3 | source, amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x

Maintainer: Debian QA Group 

--- Reason ---

--

Checking reverse dependencies...
No dependency problem found.

carnil@coccia:~$

For unstable it has been removed this year with #1043520. Additionally
a gimp point release update might add a Breaks so the package gets
deinstalled as well.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from stable:

  gimp-dds |3.0.1-3 | source, amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x

--- Reason ---
RoQA; no longer required; integrated into GIMP
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1056...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/1056710

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---