Processed: transition: jpeg-xl
Processing control commands: > affects -1 + src:jpeg-xl Bug #1073537 [release.debian.org] transition: jpeg-xl Added indication that 1073537 affects src:jpeg-xl -- 1073537: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073537 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1073537: transition: jpeg-xl
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition X-Debbugs-Cc: jpeg...@packages.debian.org Control: affects -1 + src:jpeg-xl As discussed previously I am filing a bug report for jpeg-xl 0.9 transition: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053866#79 Thanks Ben file: title = "jpeg-xl"; is_affected = .depends ~ "libjxl0.8" | .depends ~ "libjxl0.9"; is_good = .depends ~ "libjxl0.9"; is_bad = .depends ~ "libjxl0.8";
NEW changes in stable-new
Processing changes file: gnutls28_3.7.9-2+deb12u3_mipsel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: libkf5ksieve_22.12.3-1+deb12u1_mipsel-buildd.changes ACCEPT Processing changes file: libseccomp_2.5.4-1+deb12u1_mipsel-buildd.changes ACCEPT Processing changes file: lua5.4_5.4.4-3+deb12u1_mipsel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: crowdsec-firewall-bouncer_0.0.25-4~deb12u1_mipsel-buildd.changes ACCEPT Processing changes file: crowdsec-firewall-bouncer_0.0.25-4~deb12u1_s390x-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: crowdsec-firewall-bouncer_0.0.25-4~deb12u1_amd64-buildd.changes ACCEPT Processing changes file: crowdsec-firewall-bouncer_0.0.25-4~deb12u1_arm64-buildd.changes ACCEPT Processing changes file: crowdsec-firewall-bouncer_0.0.25-4~deb12u1_armel-buildd.changes ACCEPT Processing changes file: crowdsec-firewall-bouncer_0.0.25-4~deb12u1_armhf-buildd.changes ACCEPT Processing changes file: crowdsec-firewall-bouncer_0.0.25-4~deb12u1_i386-buildd.changes ACCEPT Processing changes file: crowdsec-firewall-bouncer_0.0.25-4~deb12u1_mips64el-buildd.changes ACCEPT Processing changes file: crowdsec-firewall-bouncer_0.0.25-4~deb12u1_ppc64el-buildd.changes ACCEPT Processing changes file: systemd_252.26-1~deb12u2_mipsel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: aide_0.18.3-1+deb12u3_mipsel-buildd.changes ACCEPT Processing changes file: gnutls28_3.7.9-2+deb12u3_mips64el-buildd.changes ACCEPT Processing changes file: libkf5ksieve_22.12.3-1+deb12u1_mips64el-buildd.changes ACCEPT Processing changes file: libseccomp_2.5.4-1+deb12u1_mips64el-buildd.changes ACCEPT Processing changes file: lua5.4_5.4.4-3+deb12u1_mips64el-buildd.changes ACCEPT Processing changes file: systemd_252.26-1~deb12u2_armel-buildd.changes ACCEPT
Re: Requesting for the loong64 port could be included in the Official ports
Hi Dandan, On Fri, 14 Jun 2024, zhangdandan wrote: In this email, I have added partners and products information for LoongArch. There are also download links under some of the partner and product links. (...) thanks a lot for all the information. That list is really helpful. Loongson team will always maintain the LoongArch architecture with Debian Community. I hope you don't mind if I already make use of the Loongson team. Do you have any idea why package cups does occasionally fail to build on loong64? (-> https://buildd.debian.org/status/logs.php?pkg=cups&arch=loong64) - How to buy LoongArch hardware in Europe? Which of the international buying channels, such as Amazon, eBay, Ozon, etc., is preferred in Europe? This is only my opinion, but I would prefer to buy at Amazon. Best regards Thorsten
NEW changes in stable-new
Processing changes file: aide_0.18.3-1+deb12u3_mips64el-buildd.changes ACCEPT Processing changes file: gnutls28_3.7.9-2+deb12u3_armel-buildd.changes ACCEPT Processing changes file: gnutls28_3.7.9-2+deb12u3_armhf-buildd.changes ACCEPT Processing changes file: gnutls28_3.7.9-2+deb12u3_i386-buildd.changes ACCEPT Processing changes file: gnutls28_3.7.9-2+deb12u3_s390x-buildd.changes ACCEPT Processing changes file: libkf5ksieve_22.12.3-1+deb12u1_arm64-buildd.changes ACCEPT Processing changes file: libseccomp_2.5.4-1+deb12u1_amd64-buildd.changes ACCEPT Processing changes file: libseccomp_2.5.4-1+deb12u1_arm64-buildd.changes ACCEPT Processing changes file: libseccomp_2.5.4-1+deb12u1_armel-buildd.changes ACCEPT Processing changes file: libseccomp_2.5.4-1+deb12u1_i386-buildd.changes ACCEPT Processing changes file: libseccomp_2.5.4-1+deb12u1_s390x-buildd.changes ACCEPT Processing changes file: lua5.4_5.4.4-3+deb12u1_i386-buildd.changes ACCEPT Processing changes file: lua5.4_5.4.4-3+deb12u1_s390x-buildd.changes ACCEPT Processing changes file: systemd_252.26-1~deb12u2_arm64-buildd.changes ACCEPT Processing changes file: systemd_252.26-1~deb12u2_mips64el-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: aide_0.18.3-1+deb12u3_all-buildd.changes ACCEPT Processing changes file: aide_0.18.3-1+deb12u3_amd64-buildd.changes ACCEPT Processing changes file: aide_0.18.3-1+deb12u3_arm64-buildd.changes ACCEPT Processing changes file: aide_0.18.3-1+deb12u3_armel-buildd.changes ACCEPT Processing changes file: aide_0.18.3-1+deb12u3_armhf-buildd.changes ACCEPT Processing changes file: aide_0.18.3-1+deb12u3_i386-buildd.changes ACCEPT Processing changes file: aide_0.18.3-1+deb12u3_ppc64el-buildd.changes ACCEPT Processing changes file: aide_0.18.3-1+deb12u3_s390x-buildd.changes ACCEPT Processing changes file: gnutls28_3.7.9-2+deb12u3_all-buildd.changes ACCEPT Processing changes file: gnutls28_3.7.9-2+deb12u3_amd64-buildd.changes ACCEPT Processing changes file: gnutls28_3.7.9-2+deb12u3_arm64-buildd.changes ACCEPT Processing changes file: gnutls28_3.7.9-2+deb12u3_ppc64el-buildd.changes ACCEPT Processing changes file: golang-github-google-nftables_0.1.0-4~deb12u1_all-buildd.changes ACCEPT Processing changes file: lacme_0.8.2-1+deb12u1_all-buildd.changes ACCEPT Processing changes file: libkf5ksieve_22.12.3-1+deb12u1_all-buildd.changes ACCEPT Processing changes file: libkf5ksieve_22.12.3-1+deb12u1_amd64-buildd.changes ACCEPT Processing changes file: libkf5ksieve_22.12.3-1+deb12u1_armhf-buildd.changes ACCEPT Processing changes file: libkf5ksieve_22.12.3-1+deb12u1_i386-buildd.changes ACCEPT Processing changes file: libseccomp_2.5.4-1+deb12u1_armhf-buildd.changes ACCEPT Processing changes file: libseccomp_2.5.4-1+deb12u1_ppc64el-buildd.changes ACCEPT Processing changes file: lua5.4_5.4.4-3+deb12u1_amd64-buildd.changes ACCEPT Processing changes file: lua5.4_5.4.4-3+deb12u1_arm64-buildd.changes ACCEPT Processing changes file: lua5.4_5.4.4-3+deb12u1_armel-buildd.changes ACCEPT Processing changes file: lua5.4_5.4.4-3+deb12u1_armhf-buildd.changes ACCEPT Processing changes file: lua5.4_5.4.4-3+deb12u1_ppc64el-buildd.changes ACCEPT Processing changes file: 
node-babel7_7.20.15+ds1+~cs214.269.168-3+deb12u2_all-buildd.changes ACCEPT Processing changes file: node-undici_5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4_all-buildd.changes ACCEPT Processing changes file: node-v8-compile-cache_2.3.0-3+deb12u1_all-buildd.changes ACCEPT Processing changes file: node-zx_7.1.1+~cs6.7.23-2+deb12u1_all-buildd.changes ACCEPT Processing changes file: php-composer-pcre_3.1.0-1+deb12u1_all-buildd.changes ACCEPT Processing changes file: python-aiosmtpd_1.4.3-1.1+deb12u1_all-buildd.changes ACCEPT Processing changes file: python-idna_3.3-1+deb12u1_all-buildd.changes ACCEPT Processing changes file: python-jwcrypto_1.1.0-1+deb12u1_all-buildd.changes ACCEPT Processing changes file: systemd_252.26-1~deb12u2_amd64-buildd.changes ACCEPT Processing changes file: systemd_252.26-1~deb12u2_armhf-buildd.changes ACCEPT Processing changes file: systemd_252.26-1~deb12u2_i386-buildd.changes ACCEPT Processing changes file: systemd_252.26-1~deb12u2_ppc64el-buildd.changes ACCEPT Processing changes file: systemd_252.26-1~deb12u2_s390x-buildd.changes ACCEPT
Processed: Re: Bug#1073529: Acknowledgement (bookworm-pu: package pymongo/3.11.0-1+deb11u1)
Processing commands for cont...@bugs.debian.org: > retitle 1073529 bullseye-pu: package pymongo/3.11.0-1+deb11u1 Bug #1073529 [release.debian.org] bookworm-pu: package pymongo/3.11.0-1+deb11u1 Changed Bug title to 'bullseye-pu: package pymongo/3.11.0-1+deb11u1' from 'bookworm-pu: package pymongo/3.11.0-1+deb11u1'. > thanks Stopping processing here. Please contact me if you need assistance. -- 1073529: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073529 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1073529: bookworm-pu: package pymongo/3.11.0-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye X-Debbugs-Cc: pymo...@packages.debian.org Control: affects -1 + src:pymongo User: release.debian@packages.debian.org Usertags: pu [ Reason ] CVE-2024-5629 [ Impact ] An out-of-bounds read in the 'bson' module allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory [ Tests ] Test suite of package [ Risks ] code is near trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] * QA upload * Fix CVE-2024-5629: An out-of-bounds read in the 'bson' module allowed deserialization of malformed BSON * Use correct salsa CI [ Other info ] QA upload package is orphaned diff -Nru pymongo-3.11.0/debian/changelog pymongo-3.11.0/debian/changelog --- pymongo-3.11.0/debian/changelog 2020-10-17 21:23:41.0 + +++ pymongo-3.11.0/debian/changelog 2024-06-16 17:42:49.0 + @@ -1,3 +1,13 @@ +pymongo (3.11.0-1+deb11u1) bullseye; urgency=medium + + * QA upload + * Fix CVE-2024-5629: An out-of-bounds read in the +'bson' module allowed deserialization of malformed BSON +provided by a Server to raise an exception which may +contain arbitrary application memory + + -- Bastien Roucari??s Sun, 16 Jun 2024 17:42:49 + + pymongo (3.11.0-1) unstable; urgency=medium [ Federico Ceratto ] diff -Nru pymongo-3.11.0/debian/control pymongo-3.11.0/debian/control --- pymongo-3.11.0/debian/control 2020-10-17 21:23:41.0 + +++ pymongo-3.11.0/debian/control 2024-06-16 17:42:49.0 + 
@@ -1,7 +1,7 @@ Source: pymongo Section: python Priority: optional -Maintainer: Federico Ceratto +Maintainer: Debian QA Group Build-Depends: debhelper-compat (= 13), dh-python, python3-all-dev, diff -Nru pymongo-3.11.0/debian/gitlab-ci.yml pymongo-3.11.0/debian/gitlab-ci.yml --- pymongo-3.11.0/debian/gitlab-ci.yml 2020-10-17 21:23:41.0 + +++ pymongo-3.11.0/debian/gitlab-ci.yml 2024-06-16 17:42:49.0 + @@ -1,9 +1,7 @@ -image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml -build: - artifacts: -paths: -- "*.deb" -expire_in: 1 day - script: -- gitlab-ci-git-buildpackage-all +variables: + RELEASE: 'bullseye' diff -Nru pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch --- pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch 1970-01-01 00:00:00.0 + +++ pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch 2024-06-16 17:42:49.0 + 
@@ -0,0 +1,51 @@ +From: Shane Harvey +Date: Wed, 27 Mar 2024 13:16:55 -0700 +Subject: CVE-2024-5629 PYTHON-4305 Fix bson size check + +An out-of-bounds read in the 'bson' module allows deserialization +of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory. + +bug: https://jira.mongodb.org/browse/PYTHON-4305 +bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-5629 +origin: https://patch-diff.githubusercontent.com/raw/mongodb/mongo-python-driver/pull/1564.patch +--- + bson/_cbsonmodule.c | 11 +-- + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/bson/_cbsonmodule.c b/bson/_cbsonmodule.c +index f457f96..02d9105 100644 +--- a/bson/_cbsonmodule.c b/bson/_cbsonmodule.c +@@ -2334,6 +2334,7 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer, + uint32_t c_w_s_size; + uint32_t code_size; + uint32_t scope_size; ++uint32_t len; + PyObject* code; + PyObject* scope; + PyObject* code_type; +@@ -2353,7 +2354,8 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer, + memcpy(&code_size, buffer + *position, 4); + code_size = BSON_UINT32_FROM_LE(code_size); + /* code_w_scope length + code length + code + scope length */ +-if (!code_size || max < code_size || max < 4 + 4 + code_size + 4) { ++len = 4 + 4 + code_size + 4; ++if (!code_size || max < code_size || max < len || len < code_size) { + goto invalid; + } + *position += 4; +@@ -2371,12 +2373,9 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer, + + memcpy(&scope_size, buffer + *position, 4); + scope_size = BSON_UINT32_FROM_LE(scope_size); +-if (
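Review bot: The debian/changelog entry for 3.11.0-1+deb11u1 lists the QA upload and the CVE-2024-5629 fix but not the debian/gitlab-ci.yml rewrite, which the request's [ Changes ] section names as "Use correct salsa CI", while the checklist states that all changes are documented in d/changelog. Add a changelog bullet for the CI change so the entry matches the debdiff.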
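Review bot: In the code_w_scope hunk of bson/_cbsonmodule.c, the new "len < code_size" term is what rejects a code_size large enough to wrap the uint32_t sum "4 + 4 + code_size + 4", but the comment above it still only describes the field layout. A one-line comment naming the wraparound case would keep a later cleanup from dropping the term as redundant next to "max < len". The third hunk is cut off in this message after "+if (", so the replacement scope_size check cannot be reviewed from the lines shown here.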
Processed: bookworm-pu: package pymongo/3.11.0-1+deb11u1
Processing control commands: > affects -1 + src:pymongo Bug #1073529 [release.debian.org] bookworm-pu: package pymongo/3.11.0-1+deb11u1 Added indication that 1073529 affects src:pymongo -- 1073529: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073529 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
NEW changes in stable-new
Processing changes file: aide_0.18.3-1+deb12u3_source.changes ACCEPT Processing changes file: chromium_126.0.6478.56-1~deb12u1_source.changes ACCEPT Processing changes file: chromium_126.0.6478.56-1~deb12u1_all-buildd.changes ACCEPT Processing changes file: chromium_126.0.6478.56-1~deb12u1_amd64-buildd.changes ACCEPT Processing changes file: chromium_126.0.6478.56-1~deb12u1_arm64-buildd.changes ACCEPT Processing changes file: chromium_126.0.6478.56-1~deb12u1_armhf-buildd.changes ACCEPT Processing changes file: chromium_126.0.6478.56-1~deb12u1_i386-buildd.changes ACCEPT Processing changes file: chromium_126.0.6478.56-1~deb12u1_ppc64el-buildd.changes ACCEPT Processing changes file: crowdsec-firewall-bouncer_0.0.25-4~deb12u1_source.changes ACCEPT Processing changes file: ffmpeg_5.1.5-0+deb12u1_source.changes ACCEPT Processing changes file: ffmpeg_5.1.5-0+deb12u1_all-buildd.changes ACCEPT Processing changes file: ffmpeg_5.1.5-0+deb12u1_amd64-buildd.changes ACCEPT Processing changes file: ffmpeg_5.1.5-0+deb12u1_arm64-buildd.changes ACCEPT Processing changes file: ffmpeg_5.1.5-0+deb12u1_armel-buildd.changes ACCEPT Processing changes file: ffmpeg_5.1.5-0+deb12u1_armhf-buildd.changes ACCEPT Processing changes file: ffmpeg_5.1.5-0+deb12u1_i386-buildd.changes ACCEPT Processing changes file: ffmpeg_5.1.5-0+deb12u1_mips64el-buildd.changes ACCEPT Processing changes file: ffmpeg_5.1.5-0+deb12u1_mipsel-buildd.changes ACCEPT Processing changes file: ffmpeg_5.1.5-0+deb12u1_ppc64el-buildd.changes ACCEPT Processing changes file: ffmpeg_5.1.5-0+deb12u1_s390x-buildd.changes ACCEPT Processing changes file: firefox-esr_115.12.0esr-1~deb12u1_source.changes ACCEPT Processing changes file: firefox-esr_115.12.0esr-1~deb12u1_all-buildd.changes ACCEPT Processing changes file: firefox-esr_115.12.0esr-1~deb12u1_amd64-buildd.changes ACCEPT Processing changes file: firefox-esr_115.12.0esr-1~deb12u1_arm64-buildd.changes ACCEPT Processing changes file: 
firefox-esr_115.12.0esr-1~deb12u1_armhf-buildd.changes ACCEPT Processing changes file: firefox-esr_115.12.0esr-1~deb12u1_i386-buildd.changes ACCEPT Processing changes file: firefox-esr_115.12.0esr-1~deb12u1_mips64el-buildd.changes ACCEPT Processing changes file: firefox-esr_115.12.0esr-1~deb12u1_ppc64el-buildd.changes ACCEPT Processing changes file: firefox-esr_115.12.0esr-1~deb12u1_s390x-buildd.changes ACCEPT Processing changes file: gnutls28_3.7.9-2+deb12u3_multi.changes ACCEPT Processing changes file: golang-github-google-nftables_0.1.0-4~deb12u1_source.changes ACCEPT Processing changes file: lacme_0.8.2-1+deb12u1_source.changes ACCEPT Processing changes file: libkf5ksieve_22.12.3-1+deb12u1_source.changes ACCEPT Processing changes file: libseccomp_2.5.4-1+deb12u1_source.changes ACCEPT Processing changes file: lua5.4_5.4.4-3+deb12u1_source.changes ACCEPT Processing changes file: node-babel7_7.20.15+ds1+~cs214.269.168-3+deb12u2_source.changes ACCEPT Processing changes file: node-undici_5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4_source.changes ACCEPT Processing changes file: node-v8-compile-cache_2.3.0-3+deb12u1_source.changes ACCEPT Processing changes file: node-zx_7.1.1+~cs6.7.23-2+deb12u1_source.changes ACCEPT Processing changes file: php-composer-pcre_3.1.0-1+deb12u1_source.changes ACCEPT Processing changes file: python-aiosmtpd_1.4.3-1.1+deb12u1_source.changes ACCEPT Processing changes file: python-idna_3.3-1+deb12u1_source.changes ACCEPT Processing changes file: python-jwcrypto_1.1.0-1+deb12u1_source.changes ACCEPT Processing changes file: systemd_252.26-1~deb12u2_source.changes ACCEPT Processing changes file: thunderbird_115.12.0-1~deb12u1_source.changes ACCEPT Processing changes file: thunderbird_115.12.0-1~deb12u1_all-buildd.changes ACCEPT Processing changes file: thunderbird_115.12.0-1~deb12u1_amd64-buildd.changes ACCEPT Processing changes file: thunderbird_115.12.0-1~deb12u1_arm64-buildd.changes ACCEPT Processing changes file: 
thunderbird_115.12.0-1~deb12u1_i386-buildd.changes ACCEPT Processing changes file: thunderbird_115.12.0-1~deb12u1_mips64el-buildd.changes ACCEPT Processing changes file: thunderbird_115.12.0-1~deb12u1_ppc64el-buildd.changes ACCEPT Processing changes file: thunderbird_115.12.0-1~deb12u1_s390x-buildd.changes ACCEPT
Bug#1073524: bookworm-pu: package pymongo/3.11.0-1+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: pymo...@packages.debian.org Control: affects -1 + src:pymongo User: release.debian@packages.debian.org Usertags: pu [ Reason ] CVE-2024-5629 [ Impact ] An out-of-bounds read in the 'bson' module allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory [ Tests ] Test suite of package [ Risks ] code is near trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] * QA upload * Fix CVE-2024-5629: An out-of-bounds read in the 'bson' module allowed deserialization of malformed BSON * Use correct salsa CI +provided by a Server to raise an exception which may +contain arbitrary application memory [ Other info ] QA upload package is orphaned diff -Nru pymongo-3.11.0/debian/changelog pymongo-3.11.0/debian/changelog --- pymongo-3.11.0/debian/changelog 2020-10-17 21:23:41.0 + +++ pymongo-3.11.0/debian/changelog 2024-06-16 17:42:49.0 + @@ -1,3 +1,13 @@ +pymongo (3.11.0-1+deb12u1) bookworm; urgency=medium + + * QA upload + * Fix CVE-2024-5629: An out-of-bounds read in the +'bson' module allowed deserialization of malformed BSON +provided by a Server to raise an exception which may +contain arbitrary application memory + + -- Bastien Roucari??s Sun, 16 Jun 2024 17:42:49 + + pymongo (3.11.0-1) unstable; urgency=medium [ Federico Ceratto ] diff -Nru pymongo-3.11.0/debian/control pymongo-3.11.0/debian/control --- pymongo-3.11.0/debian/control 2020-10-17 21:23:41.0 + +++ pymongo-3.11.0/debian/control 2024-06-16 17:42:49.0 + 
@@ -1,7 +1,7 @@ Source: pymongo Section: python Priority: optional -Maintainer: Federico Ceratto +Maintainer: Debian QA Group Build-Depends: debhelper-compat (= 13), dh-python, python3-all-dev, diff -Nru pymongo-3.11.0/debian/gitlab-ci.yml pymongo-3.11.0/debian/gitlab-ci.yml --- pymongo-3.11.0/debian/gitlab-ci.yml 2020-10-17 21:23:41.0 + +++ pymongo-3.11.0/debian/gitlab-ci.yml 2024-06-16 17:42:49.0 + @@ -1,9 +1,7 @@ -image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml -build: - artifacts: -paths: -- "*.deb" -expire_in: 1 day - script: -- gitlab-ci-git-buildpackage-all +variables: + RELEASE: 'bookworm' diff -Nru pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch --- pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch 1970-01-01 00:00:00.0 + +++ pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch 2024-06-16 17:42:49.0 + 
@@ -0,0 +1,51 @@ +From: Shane Harvey +Date: Wed, 27 Mar 2024 13:16:55 -0700 +Subject: CVE-2024-5629 PYTHON-4305 Fix bson size check + +An out-of-bounds read in the 'bson' module allows deserialization +of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory. + +bug: https://jira.mongodb.org/browse/PYTHON-4305 +bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-5629 +origin: https://patch-diff.githubusercontent.com/raw/mongodb/mongo-python-driver/pull/1564.patch +--- + bson/_cbsonmodule.c | 11 +-- + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/bson/_cbsonmodule.c b/bson/_cbsonmodule.c +index f457f96..02d9105 100644 +--- a/bson/_cbsonmodule.c b/bson/_cbsonmodule.c +@@ -2334,6 +2334,7 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer, + uint32_t c_w_s_size; + uint32_t code_size; + uint32_t scope_size; ++uint32_t len; + PyObject* code; + PyObject* scope; + PyObject* code_type; +@@ -2353,7 +2354,8 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer, + memcpy(&code_size, buffer + *position, 4); + code_size = BSON_UINT32_FROM_LE(code_size); + /* code_w_scope length + code length + code + scope length */ +-if (!code_size || max < code_size || max < 4 + 4 + code_size + 4) { ++len = 4 + 4 + code_size + 4; ++if (!code_size || max < code_size || max < len || len < code_size) { + goto invalid; + } + *position += 4; +@@ -2371,12 +2373,9 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer, + + memcpy(&scope_size, bu
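Review bot: Both include: entries added to debian/gitlab-ci.yml fetch from .../salsa-ci-team/pipeline/raw/master/..., so the jobs run for this bookworm update are whatever that branch holds at pipeline time and can change without a new upload. If stable CI results need to be repeatable, reference a fixed ref of the pipeline repository instead; RELEASE: 'bookworm' matches the target suite in the changelog.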
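Review bot: The embedded 0002 patch touches only bson/_cbsonmodule.c (diffstat: 1 file changed, 5 insertions, 6 deletions), so the backport carries no regression test for a malformed code_w_scope element, and [ Tests ] relies on the existing package test suite. Consider adding a test that decodes a code_w_scope element whose declared lengths exceed the buffer and expects a decode error, so the size check is exercised at build time.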
Processed: bookworm-pu: package pymongo/3.11.0-1+deb12u1
Processing control commands: > affects -1 + src:pymongo Bug #1073524 [release.debian.org] bookworm-pu: package pymongo/3.11.0-1+deb12u1 Added indication that 1073524 affects src:pymongo -- 1073524: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073524 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: tagging 1061594, retitle 1061594 to RM: vasttrafik-cli -- RoM; API withdrawn, tagging 1068719 ...
Processing commands for cont...@bugs.debian.org: > tags 1061594 + pending Bug #1061594 [release.debian.org] RM: vasttrafik-cli/1.5-1 -- RoM; API withdrawn Added tag(s) pending. > retitle 1061594 RM: vasttrafik-cli -- RoM; API withdrawn Bug #1061594 [release.debian.org] RM: vasttrafik-cli/1.5-1 -- RoM; API withdrawn Changed Bug title to 'RM: vasttrafik-cli -- RoM; API withdrawn' from 'RM: vasttrafik-cli/1.5-1 -- RoM; API withdrawn'. > tags 1068719 + pending Bug #1068719 [release.debian.org] RM: ruby-arel/9.0.0-2 -- RoQA; obsolete, integrated into ruby-activerecord, incompatible with ruby-activerecord 6.1.x Added tag(s) pending. > retitle 1068719 RM: ruby-arel -- RoQA; obsolete, integrated into > ruby-activerecord, incompatible with ruby-activerecord 6.1.x Bug #1068719 [release.debian.org] RM: ruby-arel/9.0.0-2 -- RoQA; obsolete, integrated into ruby-activerecord, incompatible with ruby-activerecord 6.1.x Changed Bug title to 'RM: ruby-arel -- RoQA; obsolete, integrated into ruby-activerecord, incompatible with ruby-activerecord 6.1.x' from 'RM: ruby-arel/9.0.0-2 -- RoQA; obsolete, integrated into ruby-activerecord, incompatible with ruby-activerecord 6.1.x'. > thanks Stopping processing here. Please contact me if you need assistance. -- 1061594: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061594 1068719: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068719 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: systemd 252.26-1~deb12u2 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1072716 = bookworm pending Bug #1072716 [release.debian.org] bookworm-pu: package systemd/252.26-1~deb12u2 Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 1072716: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072716 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1073231: bullseye-pu: package sendmail/8.15.2-22+deb11u1
On Sun, 2024-06-16 at 20:09 +, Bastien Roucariès wrote: > On Sunday, 16 June 2024, 20:08:42 UTC, Adam D. Barratt wrote: > > On Sat, 2024-06-15 at 19:43 +0100, Jonathan Wiltshire wrote: > > > "slightly non-conformant" really good justification for a pop-up > > > news item on upgrades? I don't recall the other MTAs doing this. > > > > > > It's up to you, either way please go ahead. > > > > As with the bookworm upload, the NEWS file won't work as designed: > > > > +W: incorrect-packaging-filename debian/NEWS.Debian -> debian/NEWS > > I have uploaded; should I reupload? If you want the NEWS file to actually be displayed to users, yes. :-) A deb11u2 / deb12u2 that simply renames the file appropriately would be fine in each case. Regards, Adam
Bug#1072716: systemd 252.26-1~deb12u2 flagged for acceptance
package release.debian.org tags 1072716 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: systemd Version: 252.26-1~deb12u2 Explanation: libnss-myhostname.nss: Install after "files"; libnss-mymachines.nss: Install before "resolve" and "dns"
Bug#1073231: bullseye-pu: package sendmail/8.15.2-22+deb11u1
On Sunday, 16 June 2024, 20:08:42 UTC, Adam D. Barratt wrote: > On Sat, 2024-06-15 at 19:43 +0100, Jonathan Wiltshire wrote: > > "slightly non-conformant" really good justification for a pop-up > > news item on upgrades? I don't recall the other MTAs doing this. > > > > It's up to you, either way please go ahead. > > As with the bookworm upload, the NEWS file won't work as designed: > > +W: incorrect-packaging-filename debian/NEWS.Debian -> debian/NEWS I have uploaded; should I reupload? Bastien > > Regards, > > Adam >
Bug#1073231: bullseye-pu: package sendmail/8.15.2-22+deb11u1
On Sat, 2024-06-15 at 19:43 +0100, Jonathan Wiltshire wrote: > "slightly non-conformant" really good justification for a pop-up > news item on upgrades? I don't recall the other MTAs doing this. > > It's up to you, either way please go ahead. As with the bookworm upload, the NEWS file won't work as designed: +W: incorrect-packaging-filename debian/NEWS.Debian -> debian/NEWS Regards, Adam
Processed: python-jwcrypto 1.1.0-1+deb12u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1070249 = bookworm pending Bug #1070249 [release.debian.org] bookworm-pu: package python-jwcrypto/1.1.0-1+deb12u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1070249: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070249 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: python-aiosmtpd 1.4.3-1.1+deb12u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1073202 = bookworm pending Bug #1073202 [release.debian.org] bookworm-pu: package python-aiosmtpd/1.4.3-1.1+deb12u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1073202: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073202 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: python-idna 3.3-1+deb12u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1073116 = bookworm pending Bug #1073116 [release.debian.org] bookworm-pu: package python-idna/3.3-1+deb12u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1073116: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073116 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: node-v8-compile-cache 2.3.0-3+deb12u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1068932 = bookworm pending Bug #1068932 [release.debian.org] bookworm-pu: package node-v8-compile-cache/2.3.0-3+deb12u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1068932: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068932 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: php-composer-pcre 3.1.0-1+deb12u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1070431 = bookworm pending Bug #1070431 [release.debian.org] bookworm-pu: package php-composer-pcre/3.1.0-1+deb12u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1070431: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070431 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: node-zx 7.1.1+~cs6.7.23-2+deb12u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1068920 = bookworm pending Bug #1068920 [release.debian.org] bookworm-pu: package node-zx/7.1.1+~cs6.7.23-2+deb12u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1068920: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068920 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1073116: python-idna 3.3-1+deb12u1 flagged for acceptance
package release.debian.org tags 1073116 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: python-idna Version: 3.3-1+deb12u1 Explanation: fix denial of service issue [CVE-2024-3651]
Bug#1073202: python-aiosmtpd 1.4.3-1.1+deb12u1 flagged for acceptance
package release.debian.org tags 1073202 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: python-aiosmtpd Version: 1.4.3-1.1+deb12u1 Explanation: fix SMTP smuggling issue [CVE-2024-27305]; fix STARTTLS unencrypted command injection issue [CVE-2024-34083]
Bug#1070431: php-composer-pcre 3.1.0-1+deb12u1 flagged for acceptance
package release.debian.org tags 1070431 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: php-composer-pcre Version: 3.1.0-1+deb12u1 Explanation: add missing Breaks+Replaces: composer (<< 2.2)
Bug#1070249: python-jwcrypto 1.1.0-1+deb12u1 flagged for acceptance
package release.debian.org tags 1070249 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: python-jwcrypto Version: 1.1.0-1+deb12u1 Explanation: fix denial of service issue [CVE-2024-28102]
Bug#1068932: node-v8-compile-cache 2.3.0-3+deb12u1 flagged for acceptance
package release.debian.org tags 1068932 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: node-v8-compile-cache Version: 2.3.0-3+deb12u1 Explanation: fix tests when a newer nodejs version is used
Bug#1068920: node-zx 7.1.1+~cs6.7.23-2+deb12u1 flagged for acceptance
package release.debian.org tags 1068920 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: node-zx Version: 7.1.1+~cs6.7.23-2+deb12u1 Explanation: fix flaky test
Processed: node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1068912 = bookworm pending Bug #1068912 [release.debian.org] bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1068912: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068912 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: lua5.4 5.4.4-3+deb12u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1072476 = bookworm pending Bug #1072476 [release.debian.org] bookworm-pu: package lua5.4/5.4.4-3+deb12u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1072476: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072476 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: node-babel7 7.20.15+ds1+~cs214.269.168-3+deb12u2 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1068016 = bookworm pending Bug #1068016 [release.debian.org] bookworm-pu: package node-babel7/7.20.15+ds1+~cs214.269.168-3+deb12u2 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1068016: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068016 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: libseccomp 2.5.4-1+deb12u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1071920 = bookworm pending Bug #1071920 [release.debian.org] bookworm-pu: package libseccomp/2.5.4-1+deb12u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1071920: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071920 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: lacme 0.8.2-1+deb12u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1073175 = bookworm pending Bug #1073175 [release.debian.org] bookworm-pu: package lacme/0.8.2-1+deb12u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1073175: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073175 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: libkf5ksieve 22.12.3-1+deb12u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1069690 = bookworm pending Bug #1069690 [release.debian.org] bookworm-pu: package libkf5ksieve/4:22.12.3-1+deb12u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1069690: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069690 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: gnutls28 3.7.9-2+deb12u3 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1073262 = bookworm pending Bug #1073262 [release.debian.org] bookworm-pu: package gnutls28/3.7.9-2+deb12u3 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1073262: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073262 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: golang-github-google-nftables 0.1.0-4~deb12u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1072983 = bookworm pending Bug #1072983 [release.debian.org] bookworm-pu: package golang-github-google-nftables/0.1.0-4~deb12u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1072983: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072983 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: aide 0.18.3-1+deb12u3 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1071564 = bookworm pending Bug #1071564 [release.debian.org] bookworm-pu: package aide/0.18.3-1+deb12u3 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1071564: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071564 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1073262: gnutls28 3.7.9-2+deb12u3 flagged for acceptance
package release.debian.org tags 1073262 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: gnutls28 Version: 3.7.9-2+deb12u3 Explanation: fix certtool crash when verifying a certificate chain with more than 16 certificates [CVE-2024-28835]; fix side-channel in the deterministic ECDSA [CVE-2024-28834]; fix a memory leak; fix two segfault issues
Processed: crowdsec-firewall-bouncer 0.0.25-4~deb12u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1072984 = bookworm pending Bug #1072984 [release.debian.org] bookworm-pu: package crowdsec-firewall-bouncer/0.0.25-4~deb12u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1072984: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072984 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1072984: crowdsec-firewall-bouncer 0.0.25-4~deb12u1 flagged for acceptance
package release.debian.org tags 1072984 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: crowdsec-firewall-bouncer Version: 0.0.25-4~deb12u1 Explanation: rebuild against golang-github-google-nftables version with fixed little-endian architecture support
Bug#1072983: golang-github-google-nftables 0.1.0-4~deb12u1 flagged for acceptance
package release.debian.org tags 1072983 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: golang-github-google-nftables Version: 0.1.0-4~deb12u1 Explanation: fix AddSet() function on little-endian architectures
Bug#1073175: lacme 0.8.2-1+deb12u1 flagged for acceptance
package release.debian.org tags 1073175 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: lacme Version: 0.8.2-1+deb12u1 Explanation: fix post-issuance validation logic
Bug#1071920: libseccomp 2.5.4-1+deb12u1 flagged for acceptance
package release.debian.org tags 1071920 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: libseccomp Version: 2.5.4-1+deb12u1 Explanation: add support for syscalls up to Linux 6.7
Bug#1071564: aide 0.18.3-1+deb12u3 flagged for acceptance
package release.debian.org tags 1071564 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: aide Version: 0.18.3-1+deb12u3 Explanation: fix concurrent reading of extended attributes
Bug#1072476: lua5.4 5.4.4-3+deb12u1 flagged for acceptance
package release.debian.org tags 1072476 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: lua5.4 Version: 5.4.4-3+deb12u1 Explanation: debian/version-script: Export additional missing symbols for lua 5.4.4
Bug#1069690: libkf5ksieve 22.12.3-1+deb12u1 flagged for acceptance
package release.debian.org tags 1069690 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: libkf5ksieve Version: 22.12.3-1+deb12u1 Explanation: prevent leaking passwords into server-side logs
Bug#1068912: node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4 flagged for acceptance
package release.debian.org tags 1068912 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: node-undici Version: 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4 Explanation: properly export typescript types
Bug#1068016: node-babel7 7.20.15+ds1+~cs214.269.168-3+deb12u2 flagged for acceptance
package release.debian.org tags 1068016 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: node-babel7 Version: 7.20.15+ds1+~cs214.269.168-3+deb12u2 Explanation: fix building against nodejs 18.19.0+dfsg-6~deb12u1; add Breaks/Replaces against obsolete node-babel-* packages
Bug#1070484: bookworm-pu: package tryton-client/tryton-client_6.0.26-1+deb12u1
* Adam D. Barratt: " Re: Bug#1070484: bookworm-pu: package tryton-client/tryton-client_6.0.26-1+deb12u1" (Sat, 15 Jun 2024 16:17:47 +0100): > Control: tags -1 + confirmed > > On Mon, 2024-05-06 at 11:19 +0200, Mathias Behrle wrote: > > Backport the patch to send only compressed content from > > authenticated sessions. > > https://foss.heptapod.net/tryton/tryton/-/commit/96ccd17bd4db4be46bb42eb4217ba5c7dcb7de82 > > > > Please go ahead. > > Regards, > > Adam Thanks, uploaded. Cheers -- Mathias Behrle PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6 AC29 7E5C 46B9 D0B6 1C71 7681 D6D0 9BE4 8405 BBF6
Bug#1070478: bookworm-pu: package tryton-server/tryton-server_6.0.29-2+deb12u2
* Adam D. Barratt: " Re: Bug#1070478: bookworm-pu: package tryton-server/tryton-server_6.0.29-2+deb12u2" (Sat, 15 Jun 2024 16:16:32 +0100): > Control: tags -1 + confirmed > > On Mon, 2024-05-06 at 10:35 +0200, Mathias Behrle wrote: > > Backport the patch to fix the vulnerability to zip bomb > > attacks via decoded gzip content from unauthenticated users. > > https://discuss.tryton.org/t/security-release-for-issue-13142/7196 > > Please go ahead. > > Regards, > > Adam Thanks, uploaded. Cheers -- Mathias Behrle PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6 AC29 7E5C 46B9 D0B6 1C71 7681 D6D0 9BE4 8405 BBF6
Bug#1073519: bullseye-pu: cups/2.3.3op2-3+deb11u7
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu The attached debdiff for cups fixes CVE-2024-35235 in Bullseye. The CVE has been marked as no-dsa by the security team. The same patch has been already uploaded to unstable. Thorsten diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog --- cups-2.3.3op2/debian/changelog 2023-10-05 16:35:27.0 +0200 +++ cups-2.3.3op2/debian/changelog 2024-06-11 19:33:32.0 +0200 @@ -1,3 +1,10 @@ +cups (2.3.3op2-3+deb11u7) bullseye; urgency=medium + + * CVE-2024-35235 (Closes: #1073002) +fix domain socket handling + + -- Thorsten Alteholz Tue, 11 Jun 2024 22:16:49 +0200 + cups (2.3.3op2-3+deb11u6) bullseye; urgency=medium * remove debian/NEWS again to avoid too much information when only diff -Nru cups-2.3.3op2/debian/patches/0021-CVE-2024-35235.patch cups-2.3.3op2/debian/patches/0021-CVE-2024-35235.patch --- cups-2.3.3op2/debian/patches/0021-CVE-2024-35235.patch 1970-01-01 01:00:00.0 +0100 +++ cups-2.3.3op2/debian/patches/0021-CVE-2024-35235.patch 2024-06-11 13:16:28.0 +0200 
@@ -0,0 +1,108 @@ +commit 2f87c46b719e6edf0b6900e5eb307b7154e183e8 +Author: Zdenek Dohnal +Date: Mon Jun 3 18:53:58 2024 +0200 + +Fix domain socket handling + +- Check status of unlink and bind system calls. +- Don't allow extra domain sockets when running from launchd/systemd. +- Validate length of domain socket path (< sizeof(sun_path)) + +Fixes CVE-2024-35235, written by Mike Sweet + +Index: cups-2.3.3op2/cups/http-addr.c +=== +--- cups-2.3.3op2.orig/cups/http-addr.c2024-06-11 13:15:45.109860935 +0200 cups-2.3.3op2/cups/http-addr.c 2024-06-11 13:16:25.961881895 +0200 +@@ -1,6 +1,7 @@ + /* + * HTTP address routines for CUPS. + * ++ * Copyright 2024 by OpenPrinting + * Copyright 2007-2019 by Apple Inc. + * Copyright 1997-2006 by Easy Software Products, all rights reserved. + * +@@ -200,27 +201,31 @@ + * Remove any existing domain socket file... + */ + +-unlink(addr->un.sun_path); +- +- /* +-* Save the current umask and set it to 0 so that all users can access +-* the domain socket... +-*/ +- +-mask = umask(0); +- +- /* +-* Bind the domain socket... +-*/ +- +-status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr)); +- +- /* +-* Restore the umask and fix permissions... +-*/ +- +-umask(mask); +-chmod(addr->un.sun_path, 0140777); ++if ((status = unlink(addr->un.sun_path)) < 0) ++{ ++ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno))); ++ ++ if (errno == ENOENT) ++ status = 0; ++} ++ ++ ++if (!status) ++{ ++ // Save the current umask and set it to 0 so that all users can access ++ // the domain socket... ++ mask = umask(0); ++ ++ ++ // Bind the domain socket... ++ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0) ++ { ++ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno))); ++ } ++ ++ // Restore the umask... 
++ umask(mask); ++} + } + else + #endif /* AF_LOCAL */ +Index: cups-2.3.3op2/scheduler/conf.c +=== +--- cups-2.3.3op2.orig/scheduler/conf.c2024-06-11 13:15:45.109860935 +0200 cups-2.3.3op2/scheduler/conf.c 2024-06-11 13:15:45.109860935 +0200 +@@ -3074,6 +3074,26 @@ + + + /* ++ * If we are launched on-demand, do not use domain sockets from the config ++ * file. Also check that the domain socket path is not too long... ++ */ ++ ++#ifdef HAVE_ONDEMAND ++ if (*value == '/' && OnDemand) ++ { ++if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET)) ++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum); ++continue; ++ } ++#endif // HAVE_ONDEMAND ++ ++ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1)) ++ { ++cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum); ++continue; ++ } ++ ++ /* + * Get the address list... + */ + diff -Nru cups-2.3.3op2/debian/patches/series cups-2.3.3op2/debian/patches/series --- cups-2.3.3op2/debian/patches/series 2023-10-05 16:35:27.0 +0200 +++ cups-2.3.3op2/debian/patches/series 2024-06-11 13:15:04.0 +0200 @@ -18,3 +18,4 @@ 0018-CVE-2023-34241.patch 0019-CVE-2023-32360.patch 0020-CVE-2023-4504.patch +0021-CVE-2024-35235.patch
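Review bot: in the cups/http-addr.c hunk, errno is compared with ENOENT only after the DEBUG_printf call, and that call evaluates strerror(errno) and runs formatting code that is allowed to change errno, so the ENOENT test can see a stale value. Copy errno into a local immediately after unlink() fails and test the copy. The "Unable to unlink" message is also emitted for the benign ENOENT case; moving the log into the branch where the saved value is not ENOENT would keep it from firing on every clean start.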
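Review bot: in the scheduler/conf.c hunk, the continue inside the HAVE_ONDEMAND block runs for every value that starts with '/', including CUPS_DEFAULT_DOMAINSOCKET, because the strcmp() guards only the cupsdLogMessage call and the if has no braces. If skipping the default socket is intended (launchd/systemd supplies it), the new comment should say so explicitly, and braces around the log call would make the scope of continue obvious to the next reader.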
Bug#1073518: bookworm-pu: cups/2.4.2-3+deb12u6
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu The attached debdiff for cups fixes CVE-2024-35235 in Bookworm. The CVE has been marked as no-dsa by the security team. The same patch has been already uploaded to unstable. Thorsten diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog --- cups-2.4.2/debian/changelog 2023-12-01 20:35:27.0 +0100 +++ cups-2.4.2/debian/changelog 2024-06-11 19:32:57.0 +0200 @@ -1,3 +1,10 @@ +cups (2.4.2-3+deb12u6) bookworm; urgency=medium + + * CVE-2024-35235 (Closes: #1073002) +fix domain socket handling + + -- Thorsten Alteholz Tue, 11 Jun 2024 22:16:49 +0200 + cups (2.4.2-3+deb12u5) bookworm; urgency=medium * 0017-check-colormodel-also-for-CMYK.patch diff -Nru cups-2.4.2/debian/patches/0019-CVE-2024-35235.patch cups-2.4.2/debian/patches/0019-CVE-2024-35235.patch --- cups-2.4.2/debian/patches/0019-CVE-2024-35235.patch 1970-01-01 01:00:00.0 +0100 +++ cups-2.4.2/debian/patches/0019-CVE-2024-35235.patch 2024-06-11 13:11:25.0 +0200 
@@ -0,0 +1,108 @@ +commit 2f87c46b719e6edf0b6900e5eb307b7154e183e8 +Author: Zdenek Dohnal +Date: Mon Jun 3 18:53:58 2024 +0200 + +Fix domain socket handling + +- Check status of unlink and bind system calls. +- Don't allow extra domain sockets when running from launchd/systemd. +- Validate length of domain socket path (< sizeof(sun_path)) + +Fixes CVE-2024-35235, written by Mike Sweet + +Index: cups-2.4.2/cups/http-addr.c +=== +--- cups-2.4.2.orig/cups/http-addr.c 2024-06-11 13:11:20.465733904 +0200 cups-2.4.2/cups/http-addr.c2024-06-11 13:11:20.465733904 +0200 +@@ -1,6 +1,7 @@ + /* + * HTTP address routines for CUPS. + * ++ * Copyright © 2023-2024 by OpenPrinting + * Copyright © 2007-2021 by Apple Inc. + * Copyright © 1997-2006 by Easy Software Products, all rights reserved. + * +@@ -206,27 +207,31 @@ + * Remove any existing domain socket file... + */ + +-unlink(addr->un.sun_path); +- +- /* +-* Save the current umask and set it to 0 so that all users can access +-* the domain socket... +-*/ +- +-mask = umask(0); +- +- /* +-* Bind the domain socket... +-*/ +- +-status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr)); +- +- /* +-* Restore the umask and fix permissions... +-*/ +- +-umask(mask); +-chmod(addr->un.sun_path, 0140777); ++if ((status = unlink(addr->un.sun_path)) < 0) ++{ ++ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno))); ++ ++ if (errno == ENOENT) ++ status = 0; ++} ++ ++ ++if (!status) ++{ ++ // Save the current umask and set it to 0 so that all users can access ++ // the domain socket... ++ mask = umask(0); ++ ++ ++ // Bind the domain socket... ++ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0) ++ { ++ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno))); ++ } ++ ++ // Restore the umask... 
++ umask(mask); ++} + } + else + #endif /* AF_LOCAL */ +Index: cups-2.4.2/scheduler/conf.c +=== +--- cups-2.4.2.orig/scheduler/conf.c 2024-06-11 13:11:20.465733904 +0200 cups-2.4.2/scheduler/conf.c2024-06-11 13:11:20.465733904 +0200 +@@ -3077,6 +3077,26 @@ + + + /* ++ * If we are launched on-demand, do not use domain sockets from the config ++ * file. Also check that the domain socket path is not too long... ++ */ ++ ++#ifdef HAVE_ONDEMAND ++ if (*value == '/' && OnDemand) ++ { ++if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET)) ++ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum); ++continue; ++ } ++#endif // HAVE_ONDEMAND ++ ++ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1)) ++ { ++cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum); ++continue; ++ } ++ ++ /* + * Get the address list... + */ + diff -Nru cups-2.4.2/debian/patches/series cups-2.4.2/debian/patches/series --- cups-2.4.2/debian/patches/series2023-12-01 20:35:27.0 +0100 +++ cups-2.4.2/debian/patches/series2024-06-11 13:11:18.0 +0200 @@ -16,3 +16,4 @@ 0016-CVE-2023-32360.patch 0017-check-colormodel-also-for-CMYK.patch 0018-dont-override-color-settings-from-print-dialoag.patch +0019-CVE-2024-35235.patch
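Review bot: the cups/http-addr.c hunk removes chmod(addr->un.sun_path, 0140777) without a replacement, so the socket's mode now rests entirely on the umask(0) set around bind(), yet neither the three-item commit message nor the debian/changelog entry mentions that the chmod is gone. Since this is a behaviour change on a path-based call, it deserves its own line in the patch header or changelog. Separately, a failed bind() is reported only through DEBUG_printf in this hunk, so it is worth confirming that the caller surfaces the negative status in a log an administrator will see.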
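Review bot: both new cupsdLogMessage calls in the scheduler/conf.c hunk use CUPSD_LOG_INFO when a configured Listen address is dropped, either because cupsd is running on demand or because the path exceeds sizeof(sun_path) - 1. A directive that is silently ignored changes what the daemon listens on, so a warning-level message would be easier to spot at default log settings; the too-long case in particular points at a configuration error rather than routine information.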
Processed: notfound 1068016 in 7.20.15+ds1+~cs214.269.168-3+deb12u1 ..., notfound 1068932 in 2.3.0-3 ...
Processing commands for cont...@bugs.debian.org: > # the package bugs need the versioning, not the p-u bugs... > notfound 1068016 7.20.15+ds1+~cs214.269.168-3+deb12u1 Bug #1068016 [release.debian.org] bookworm-pu: package node-babel7/7.20.15+ds1+~cs214.269.168-3+deb12u2 There is no source info for the package 'release.debian.org' at version '7.20.15+ds1+~cs214.269.168-3+deb12u1' with architecture '' Unable to make a source version for version '7.20.15+ds1+~cs214.269.168-3+deb12u1' No longer marked as found in versions 7.20.15+ds1+~cs214.269.168-3+deb12u1. > found 1068933 7.20.15+ds1+~cs214.269.168-3+deb12u1 Bug #1068933 [src:node-babel7] node-babel7: FTBFS in bookworm against nodejs 18.19.0+dfsg-6~deb12u1 Marked as found in versions node-babel7/7.20.15+ds1+~cs214.269.168-3+deb12u1. > notfound 1068932 2.3.0-3 Bug #1068932 [release.debian.org] bookworm-pu: package node-v8-compile-cache/2.3.0-3+deb12u1 There is no source info for the package 'release.debian.org' at version '2.3.0-3' with architecture '' Unable to make a source version for version '2.3.0-3' No longer marked as found in versions 2.3.0-3. > found 1068921 2.3.0-3 Bug #1068921 [src:node-v8-compile-cache] node-v8-compile-cache: FTBFS in bookworm, test suite fails Marked as found in versions node-v8-compile-cache/2.3.0-3. > thanks Stopping processing here. Please contact me if you need assistance. -- 1068016: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068016 1068921: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068921 1068932: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068932 1068933: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068933 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: found 1068932 in 2.3.0-3
Processing commands for cont...@bugs.debian.org: > found 1068932 2.3.0-3 Bug #1068932 [release.debian.org] bookworm-pu: package node-v8-compile-cache/2.3.0-3+deb12u1 There is no source info for the package 'release.debian.org' at version '2.3.0-3' with architecture '' Unable to make a source version for version '2.3.0-3' Marked as found in versions 2.3.0-3. > thanks Stopping processing here. Please contact me if you need assistance. -- 1068932: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068932 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: found 1068932 in
Processing commands for cont...@bugs.debian.org: > found 1068932 Bug #1068932 [release.debian.org] bookworm-pu: package node-v8-compile-cache/2.3.0-3+deb12u1 Ignoring request to alter fixed versions of bug #1068932 to the same values previously set > thanks Stopping processing here. Please contact me if you need assistance. -- 1068932: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068932 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: found 1068016 in 7.20.15+ds1+~cs214.269.168-3+deb12u1
Processing commands for cont...@bugs.debian.org: > found 1068016 7.20.15+ds1+~cs214.269.168-3+deb12u1 Bug #1068016 [release.debian.org] bookworm-pu: package node-babel7/7.20.15+ds1+~cs214.269.168-3+deb12u2 There is no source info for the package 'release.debian.org' at version '7.20.15+ds1+~cs214.269.168-3+deb12u1' with architecture '' Unable to make a source version for version '7.20.15+ds1+~cs214.269.168-3+deb12u1' Marked as found in versions 7.20.15+ds1+~cs214.269.168-3+deb12u1. > thanks Stopping processing here. Please contact me if you need assistance. -- 1068016: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068016 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: found 1068016 in
Processing commands for cont...@bugs.debian.org: > found 1068016 Bug #1068016 [release.debian.org] bookworm-pu: package node-babel7/7.20.15+ds1+~cs214.269.168-3+deb12u2 Ignoring request to alter fixed versions of bug #1068016 to the same values previously set > thanks Stopping processing here. Please contact me if you need assistance. -- 1068016: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068016 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1068016: bookworm-pu: package node-babel7/7.20.15+ds1+~cs214.269.168-3+deb12u2
On Sat, 2024-04-13 at 18:36 +0200, Jérémy Lal wrote: > Also, even with that, the current debdiff *will FTBFS*, see #1068933. The metadata for that bug claims that it affects the package in unstable/testing, and not the package in bookworm. I assume that's incorrect (and should be fixed). Regards, Adam
Bug#1068932: bookworm-pu: package node-v8-compile-cache/2.3.0-3+deb12u1
On Sat, 2024-04-13 at 18:01 +0200, Jérémy Lal wrote: > FTBFS because of test failures, see #1068921 > These are regressions caused by nodejs 18.19.0+dfsg-6~deb12u1 For the record, the metadata on that bug is confus{ed,ing} - it claims to be about a bug in the bookworm version of node-v8-compile-cache, but is filed against the version of the package in unstable/testing. Regards, Adam
Bug#1071449: bookworm-pu: package sendmail/8.17.1.9-2+deb12u1
On Sun, 2024-06-16 at 00:17 +0100, Jonathan Wiltshire wrote: > With a couple of fixes please go ahead. One more fix is needed: +W: incorrect-packaging-filename debian/NEWS.Debian -> debian/NEWS Regards, Adam
Processed: reopening 1072716
Processing commands for cont...@bugs.debian.org: > reopen 1072716 Bug #1072716 {Done: Jonathan Wiltshire } [release.debian.org] bookworm-pu: package systemd/252.26-1~deb12u2 Bug reopened Ignoring request to alter fixed versions of bug #1072716 to the same values previously set > thanks Stopping processing here. Please contact me if you need assistance. -- 1072716: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072716 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1070153: bookworm-pu: qtbase-opensource-src/5.15.8+dfsg-11+deb12u2
On 15.06.24 17:06, Adam D. Barratt wrote: Please go ahead. great, thanks ... ... and uploaded. Thorsten
another libxml2 ABI break, might need RM attention (Re: Bug#1073313: gnustep-base: FTBFS: GSXML.m:2674:22: error: ‘xmlEntity’ {aka ‘struct _xmlEntity’} has no member named ‘checked’)
On Sun, 16 Jun 2024, Thorsten Glaser wrote: >Better prevent this from landing in trixie until the package >gets its soname bumped. In fact, unless someone has the tuits to diff every single API and ABI surface of the package between trixie (ideally bookworm) and sid versions, it would be best if any package built against libxml2 >2.12 be binNMU’d in trixie, and once 2.12 is renamed to libxml3 or something, they are to be rebuilt in sid anyway. Who knows what other API and ABI breaks are hiding herein… bye, //mirabilos -- Infrastrukturexperte • Qvest Digital AG Am Dickobskreuz 10, D-53121 Bonn • https://www.qvest-digital.com/ Telephon +49 228 54881-393 • Fax: +49 228 54881-235 HRB AG Bonn 18196 • USt-ID (VAT): DE274355441 Vorstand: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg Vorsitzender Aufsichtsrat: Peter Nöthen
Processed: Re: Bug#1073498: transition: openimageio
Processing control commands: > tags -1 confirmed Bug #1073498 [release.debian.org] transition: openimageio Added tag(s) confirmed. -- 1073498: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073498 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1073498: transition: openimageio
Control: tags -1 confirmed On 2024-06-16 16:52:11 +0200, Matteo F. Vescovi wrote: > Package: release.debian.org > Severity: normal > X-Debbugs-Cc: openimag...@packages.debian.org > Control: affects -1 + src:openimageio > User: release.debian@packages.debian.org > Usertags: transition > > Hi Release Team! > > I'm filing this bug report to track down the transition of openimageio > library. > > Following the auto-openimageio checklist[1], here is the list of source > packages reverse-depending on openimageio and the results of the builds: > > * blender_4.0.2+dfsg-1 => OK > * olive-editor_20230614+ds-2 => OK > * opencolorio_2.1.3+dfsg-1.1 => OK None of these packages is in testing. Feel free to go ahead whenever you are ready. Cheers -- Sebastian Ramacher
Bug#1061075: release.debian.org: Cross compilation of kernel modules for arm64 on bookworm is broken
Control: tags -1 moreinfo Hi, On Wed, 17 Jan 2024 15:10:55 +0100 Felix Moessbauer wrote: Package: release.debian.org Severity: normal The following dependencies need to be installed to cross compile a kernel module on debian bookworm, arm64: build-essential:amd64 crossbuild-essential-arm64:amd64 linux-headers-arm64 Currently, these have conflicting dependencies around gcc or binutils: | The following packages have unmet dependencies: | g++-12 : Depends: gcc-12 (= 12.2.0-14) but it is not installable | cpp : Depends: cpp-12 (>= 12.2.0-1~) but it is not installable | g++ : Depends: gcc-12 (>= 12.2.0-1~) but it is not installable | gcc : Depends: gcc-12 (>= 12.2.0-1~) but it is not installable | dpkg-dev : Depends: binutils but it is not installable | gcc-12-aarch64-linux-gnu : Depends: binutils-aarch64-linux-gnu (>= 2.40) What kind of action do you expect from the Release Team with regard to this bug report? Paul
Processed: Re: release.debian.org: Cross compilation of kernel modules for arm64 on bookworm is broken
Processing control commands: > tags -1 moreinfo Bug #1061075 [release.debian.org] release.debian.org: Cross compilation of kernel modules for arm64 on bookworm is broken Added tag(s) moreinfo. -- 1061075: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061075 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1062339: marked as done (Cross-building broken for riscv64 due to libgssapi-krb5-2 version mismatch)
Your message dated Sun, 16 Jun 2024 17:19:12 +0200 with message-id <0292a7a3-dcd0-45bc-abf6-0a741a027...@debian.org> and subject line Re: Cross-building broken for riscv64 due to libgssapi-krb5-2 version mismatch has caused the Debian Bug report #1062339, regarding Cross-building broken for riscv64 due to libgssapi-krb5-2 version mismatch to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1062339: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062339
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org

Please align the uploaded versions of libgssapi-krb5-2 so that cross-building is working again for riscv64.

TIA,
Jan
--- End Message ---

--- Begin Message ---
Hi

On Thu, 1 Feb 2024 06:54:21 +0100 Jan Kiszka wrote:

Please align the uploaded versions of libgssapi-krb5-2 so that cross-building is working again for riscv64.

They are aligned now.

Paul
--- End Message ---
Bug#1072920: release.debian.org: force-skiptest debusine/0.3.2/riscv64
Hi,

On 10-06-2024 1:30 p.m., Colin Watson wrote:

Would you please consider skipping debusine's autopkgtests on riscv64 (I think the hint in the subject line is correct, but I certainly wouldn't swear to it)?

armel and armhf are having issues too (they were disabled due to time_t but I enabled them again recently).

I fixed most of the issues in debusine 0.3.2, but the remaining failure happens persistently on ci.debian.net and refuses to reproduce for me in an emulated local environment. It doesn't appear that the package is terribly broken on riscv64 in general, and so I don't think this needs to block its migration to testing.

ci.d.n maintainer hat on: I can give you access to a testbed where the test just ran if that would help you.

Paul
Processed: wishlist
Processing commands for cont...@bugs.debian.org: > severity 785570 wishlist Bug #785570 [release.debian.org] britney: Use w-b to provide more detailed reports on missing/o-o-d binaries Severity set to 'wishlist' from 'normal' > severity 956590 wishlist Bug #956590 [release.debian.org] release.debian.org: britney: publish a dose report for each non-migrable item Severity set to 'wishlist' from 'normal' > severity 980520 wishlist Bug #980520 [release.debian.org] britney: excuses: reduce verbosity of autopkgtest results Severity set to 'wishlist' from 'normal' > severity 1064427 wishlist Bug #1064427 [release.debian.org] [Britney] blocks a binNMU if a binary takeover of that package is in progress Severity set to 'wishlist' from 'normal' > thanks Stopping processing here. Please contact me if you need assistance. -- 1064427: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064427 785570: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785570 956590: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956590 980520: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980520 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1073498: transition: openimageio
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: openimag...@packages.debian.org
Control: affects -1 + src:openimageio
User: release.debian@packages.debian.org
Usertags: transition

Hi Release Team!

I'm filing this bug report to track down the transition of openimageio library.

Following the auto-openimageio checklist[1], here is the list of source packages reverse-depending on openimageio and the results of the builds:

* blender_4.0.2+dfsg-1 => OK
* olive-editor_20230614+ds-2 => OK
* opencolorio_2.1.3+dfsg-1.1 => OK

Thanks for your time and patience.

[1] https://release.debian.org/transitions/html/auto-openimageio.html

Ben file:

title = "openimageio";
is_affected = .depends ~ "libopenimageio2.4t64" | .depends ~ "libopenimageio2.5";
is_good = .depends ~ "libopenimageio2.5";
is_bad = .depends ~ "libopenimageio2.4t64";

--
Matteo F. Vescovi || Debian Developer
GnuPG KeyID: 4096R/0x8062398983B2CF7A
Processed: transition: openimageio
Processing control commands: > affects -1 + src:openimageio Bug #1073498 [release.debian.org] transition: openimageio Added indication that 1073498 affects src:openimageio -- 1073498: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073498 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#980088: marked as done (britney adds reference link for removed packages)
Your message dated Sun, 16 Jun 2024 16:46:37 +0200 with message-id <141a85f2-0764-4b89-9231-6c71fed22...@debian.org> and subject line Re: silxs autopkgtest has caused the Debian Bug report #980088, regarding britney adds reference link for removed packages to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
980088: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980088
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.
User: release.debian@package.debian.org
Severity: minor
Usertag: britney
Control: retitle -1 britney adds reference link for removed packages

Hi Frederic-Emmanuel

On 14-01-2021 09:26, PICCA Frederic-Emmanuel wrote:
> I try to understand something about autopkgtest and britney migration.

Good that you reach out. However, the excuses are generated by the code under the responsibility of the Release Team, hence CC-ing (via the BTS).

> If you look here,
>
> https://tracker.debian.org/pkg/silx
>
> the autopkgtest on ppc64el says, regression, but if I look here
>
> https://ci.debian.net/packages/s/silx/testing/ppc64el/

Even more interesting, if you click on the link to the log of the ppc64el reference log you'll find that it ends with

command1 FAIL badpkg
command2 FAIL badpkg

> it fails from the beginning, so to my opinion this is not a regression.

We consider it a regression if the package is new in testing (it was removed) and the "new" test fails. We declared failing autopkgtests RC-buggy, so with the migration we would *add* an RC buggy package. I agree there is a bug, britney shouldn't show the "reference run" result.

> for info this test failed because the package does not build on ppc64el, due to
> the pyopencl dependency :).

For new tests in source packages that build both arch:all and arch:any packages this situation unfortunately requires either specifying the Architectures in the d/t/control file, or overruling by the Release Team. You *can* add the (recently supported) Architecture field to your package, but Graham already overruled it for now anyways.

> Is there something wrong or should I mark the test not for ppc64el ?

The latter gives *you* control, so that's good. On the other hand, I can understand it when you don't want to remember to keep that in sync with which archs your package builds on.

Paul
--- End Message ---

--- Begin Message ---
Hi,

On Thu, 14 Jan 2021 11:53:31 +0100 Paul Gevers wrote:

> it fails from the beginning, so to my opinion this is not a regression.

We consider it a regression if the package is new in testing (it was removed) and the "new" test fails. We declared failing autopkgtests RC-buggy, so with the migration we would *add* an RC buggy package. I agree there is a bug, britney shouldn't show the "reference run" result.

I believe this has been fixed earlier this year (or somewhere last year).

Paul
--- End Message ---
Processed (with 4 errors): wishlist/wontfix
Processing commands for cont...@bugs.debian.org: > tag 785570 wishlist Unknown tag/s: wishlist. Recognized are: patch wontfix moreinfo unreproducible help security upstream pending confirmed ipv6 lfs d-i l10n newcomer a11y ftbfs fixed-upstream fixed fixed-in-experimental sid experimental potato woody sarge sarge-ignore etch etch-ignore lenny lenny-ignore squeeze squeeze-ignore wheezy wheezy-ignore jessie jessie-ignore stretch stretch-ignore buster buster-ignore bullseye bullseye-ignore bookworm bookworm-ignore trixie trixie-ignore forky forky-ignore. > tag 956590 wishlist Unknown tag/s: wishlist. Recognized are: patch wontfix moreinfo unreproducible help security upstream pending confirmed ipv6 lfs d-i l10n newcomer a11y ftbfs fixed-upstream fixed fixed-in-experimental sid experimental potato woody sarge sarge-ignore etch etch-ignore lenny lenny-ignore squeeze squeeze-ignore wheezy wheezy-ignore jessie jessie-ignore stretch stretch-ignore buster buster-ignore bullseye bullseye-ignore bookworm bookworm-ignore trixie trixie-ignore forky forky-ignore. > tag 980520 wishlist Unknown tag/s: wishlist. Recognized are: patch wontfix moreinfo unreproducible help security upstream pending confirmed ipv6 lfs d-i l10n newcomer a11y ftbfs fixed-upstream fixed fixed-in-experimental sid experimental potato woody sarge sarge-ignore etch etch-ignore lenny lenny-ignore squeeze squeeze-ignore wheezy wheezy-ignore jessie jessie-ignore stretch stretch-ignore buster buster-ignore bullseye bullseye-ignore bookworm bookworm-ignore trixie trixie-ignore forky forky-ignore. > tag 1064427 wishlist Unknown tag/s: wishlist. 
Recognized are: patch wontfix moreinfo unreproducible help security upstream pending confirmed ipv6 lfs d-i l10n newcomer a11y ftbfs fixed-upstream fixed fixed-in-experimental sid experimental potato woody sarge sarge-ignore etch etch-ignore lenny lenny-ignore squeeze squeeze-ignore wheezy wheezy-ignore jessie jessie-ignore stretch stretch-ignore buster buster-ignore bullseye bullseye-ignore bookworm bookworm-ignore trixie trixie-ignore forky forky-ignore. > # for now > tag 980087 wontfix Bug #980087 [release.debian.org] release.debian.org: autopkgtest fails trying to install packages not in arch Added tag(s) wontfix. > thanks Stopping processing here. Please contact me if you need assistance. -- 980087: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980087 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1070249: bookworm-pu: package python-jwcrypto/1.1.0-1+deb12u1
On Sat, Jun 15, 2024 at 04:07:53PM +0100, Adam Barratt wrote:
>Control: tags -1 + confirmed
>
>On Thu, 2024-05-02 at 18:53 +0100, Steve McIntyre wrote:
>> I've backported the upstream fix for CVE-2024-28102 (#1065688) to
>> bookworm. It's not considered critical as a security fix by the
>> security team, but would still be good to have in bookworm.
>
>Please go ahead.

Done

--
Steve McIntyre, Cambridge, UK. st...@einval.com
Into the distance, a ribbon of black
Stretched to the point of no turning back
Bug#992787: marked as done (release.debian.org: state/autopkgtest-results.cache keeps on growing)
Your message dated Sun, 16 Jun 2024 16:31:22 +0200 with message-id <3f3c32c8-c277-4774-ad38-f1c6c7280...@debian.org> and subject line Re: release.debian.org: state/autopkgtest-results.cache keeps on growing has caused the Debian Bug report #992787, regarding release.debian.org: state/autopkgtest-results.cache keeps on growing to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
992787: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992787
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: britney

I'm filing this bug to remind myself (and others) that britney never cleans up its autopkgtest-results.cache file. Today I used an out-of-band script to reduce the file a bit (from 529M to 50M), but britney should do that somehow by itself.

As far as I understand, this isn't so much an issue for Ubuntu because they start over again with each release. IIRC we could do that as well as it would be just a bit more churn at the start of the release, so it's probably smarter to drop results of versions that don't exist anymore in the involved suites.

Paul

-rw-rw-r-- 1 release debian-release 50M aug 23 11:10 autopkgtest-results.cache
-rw-rw-r-- 1 release debian-release 529M aug 23 10:13 autopkgtest-results.cache.old

(Ugly) Code used

elbrus@respighi:~$ cat bin/strip-britney-autopkgtest.cache
#!/usr/bin/python3
import json
import time
from copy import deepcopy

ref_time = round(time.time()) - 150 * 86000

with open('/home/release/britney/state/autopkgtest-results.cache') as f:
    test_results = json.load(f)

test_results_new = deepcopy(test_results)

for (trigger, trigger_data) in test_results.items():
    for (src, results) in trigger_data.items():
        for (arch, result) in results.items():
            if result[3] < ref_time:
                del test_results_new[trigger][src][arch]
        if len(test_results_new[trigger][src]) == 0:
            del test_results_new[trigger][src]
    if len(test_results_new[trigger]) == 0:
        del test_results_new[trigger]

with open('/home/elbrus/autopkgtest-results.cache.new', 'w') as f:
    json.dump(test_results_new, f, indent=2)
--- End Message ---

--- Begin Message ---
Hi,

On Mon, 23 Aug 2021 14:05:45 +0200 Paul Gevers wrote:

I'm filing this bug to remind myself (and others) that britney never cleans up its autopkgtest-results.cache file.

This has been fixed earlier this year.

Paul
--- End Message ---
Bug#1017926: marked as done (RM: node-request-capture-har/1.2.2-2)
Your message dated Sun, 16 Jun 2024 16:21:21 +0200 with message-id and subject line Re: RM: node-request-capture-har/1.2.2-2 has caused the Debian Bug report #1017926, regarding RM: node-request-capture-har/1.2.2-2 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1017926: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017926
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Hi,

node-request-capture-har is a wrapper around deprecated node-request (#1002901). Its reverse-dependency (node-yarnpkg) has already been removed from testing. Could you remove it from testing ?

Cheers,
Yadd
--- End Message ---

--- Begin Message ---
Hi

On Mon, 22 Aug 2022 17:31:27 +0200 Yadd wrote:

node-request-capture-har is a wrapper around deprecated node-request (#1002901). Its reverse-dependency (node-yarnpkg) has already been removed from testing. Could you remove it from testing ?

Apparently this happened by autoremoval, so the reverse build depends were probably fixed. Closing this bug request.

Paul
--- End Message ---
Bug#1017925: marked as done (RM: node-request/2.88.1-5)
Your message dated Sun, 16 Jun 2024 16:20:43 +0200 with message-id <43651df0-cc93-468e-852a-7c5269208...@debian.org> and subject line Re: RM: node-request/2.88.1-5 has caused the Debian Bug report #1017925, regarding RM: node-request/2.88.1-5 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1017925: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017925
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Hi,

could you remove node-request from testing ? Following #956423, it shouldn't be part of next stable release. All its reverse dependencies are already removed from testing (yarnpkg, node-matrix-sdk).

Cheers,
Yadd
--- End Message ---

--- Begin Message ---
On Mon, 22 Aug 2022 17:26:31 +0200 Yadd wrote:

could you remove node-request from testing ? Following #956423, it shouldn't be part of next stable release. All its reverse dependencies are already removed from testing (yarnpkg, node-matrix-sdk).

Apparently this happened by autoremoval, so the reverse build depends were probably fixed. Closing this bug request.

Paul
--- End Message ---
Bug#1055955: marked as done (transition: perl 5.38)
Your message dated Sun, 16 Jun 2024 16:17:19 +0200 with message-id and subject line Re: transition: perl 5.38 has caused the Debian Bug report #1055955, regarding transition: perl 5.38 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1055955: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055955
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: p...@packages.debian.org

Hi release team,

this has taken me much longer than necessary for various reasons, but I think we're almost ready to push Perl 5.38 to sid now.

We should aim to release trixie with 5.40 (which will be released in May 2024 or so), but it's still better to do these transitions one at a time.

TL;DR:
- can we raise the remaining bugs to severity:serious?
- I'll request a transition slot once the easy ones are fixed
- should we worry about time64?

Perl 5.38 has been in experimental since July, and we've been running continuous amd64 rebuilds on perl.debian.net all the time. I also checked for related autopkgtest regressions back in August/September in all packages declaring Testsuite: autopkgtest-pkg-perl or having Testsuite-Triggers: perl.

The bugs we found are tracked with the usual usertags:

https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=perl-5.38-transition;users=debian-p...@lists.debian.org

There's a few packages that are nontrivially broken and will probably need to be removed from testing.

libapache-db-perl #1040396
libembperl-perl #1042845
polymake #1042521

AFAICS polymake has one reverse dependency (gap-polymaking) and the others have none, so removal shouldn't be too difficult.

Then there's some that already have patches or where the fixes are trivial, but just need an upload:

docknot #1042853
elinks #1042844
libgtk3-imageview-perl #1050445
libperl-languageserver-perl #1050451
libregexp-debuggperl-perl #1050454
localehelper #1042525

I haven't checked reverse dependencies as I'm hoping they will be fixed.

Can we raise these bugs to severity:serious? I can report back when these are fixed and request a transition slot.

Finally I just ran one more rebuild test for all the packages that will need binNMUs, and found a couple of unrelated FTBFS bugs. These would block binNMUs.

cod-tools #1055896 (fixed in sid today, needs to migrate)
os-autoinst #1054776
libprelude #1054793
libauthen-sasl-cyrus-perl #1052871 (not in testing)

I haven't checked for version skew between testing and unstable, or for any architecture specific issues on !amd64 as I don't have any good tools for those. I suppose we'll need to handle them during the transition if we hit any.

One more thing to mention: I'm slightly worried about the time64 transition that I think was supposed to happen this release cycle. As I mentioned in July [1] I think it will need a perlapi-* bump and the related binNMUs of the same set of packages.

[1] https://lists.debian.org/debian-devel/2023/07/msg00302.html

But things seem to be quiet and I still haven't looked at the perl side of that at all. (I also have no idea how it can be done without a flag day but I hope somebody does.)

I don't think we should block on this unless there's some activity that I've missed?

Ben file proposal, just copy-pasting from last year:

title = "perl";
is_affected = .depends ~ "libperl5.36|perlapi-5.36" | .pre-depends ~ "libperl5.36|perlapi-5.36";
is_good = .depends ~ "libperl5.38|perlapi-5.38" | .pre-depends ~ "libperl5.38|perlapi-5.38";
is_bad = .depends ~ "libperl5.36|perlapi-5.36" | .pre-depends ~ "libperl5.36|perlapi-5.36";

Thanks for your work on Debian,
--
Niko
--- End Message ---

--- Begin Message ---
Hi,

On Tue, 14 Nov 2023 20:28:01 +0200 Niko Tyni wrote:

this has taken me much longer than necessary for various reasons, but I think we're almost ready to push Perl 5.38 to sid now.

The ben tracker for Perl 5.38 has been moved to old in the beginning of March, thus closing this bug.

Paul
--- End Message ---
Bug#1071564: bookworm-pu: package aide/0.18.3-1+deb12u3
On Sat, Jun 15, 2024 at 04:23:25PM +0100, Adam D. Barratt wrote:
> On Tue, 2024-05-21 at 12:00 +0200, Marc Haber wrote:
> > aide 0.18 has introduced some concurrency in processing. There is a bug
> > that makes fail to concurrently read extended attributes (xattrs) due to
> > variables shared between worker threads.
>
> Please go ahead.

Uploaded!

Greetings
Marc

--
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
Bug#803633: marked as done (britney-tests-live-data/live-2012-05-09 fails randomly)
Your message dated Sun, 16 Jun 2024 15:40:44 +0200 with message-id <0fd3fa3b-f126-4e19-be09-f6f956602...@debian.org> and subject line Re: britney-tests-live-data/live-2012-05-09 fails randomly has caused the Debian Bug report #803633, regarding britney-tests-live-data/live-2012-05-09 fails randomly to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
803633: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803633
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: britney

If run in a loop, live-2012-05-09 will eventually fail with:

AssertionError: NUNINST OUT OF SYNC

The problem is with hurd-i386 (fucked/break arch in this test) and I've seen problems such as:

E: [Sun Nov 1 10:31:41 2015] - hurd-i386 - invalid nuninst: {'tar'}

and:

E: [Sun Nov 1 09:41:45 2015] - hurd-i386 - unnoticed nuninst: {'libtinfo5', 'libtinfo-dev'}

Emilio
--- End Message ---

--- Begin Message ---
Hi,

On Thu, 29 Jun 2023 17:56:58 +0200 Paul Gevers wrote:

This remains. I have now 10 different possible end states of britney. I'm trying to add sorted() to a bunch of for loops on sets. It seems I'm able to make it more deterministic, but I'm not there yet.

I ensured deterministic results in tests three months ago by using PYTHONHASHSEED:

https://salsa.debian.org/debian/britney2-tests/-/commit/98c84268a3f45a44a2e9432eb0755049dd543d3b

Paul
--- End Message ---
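The effect discussed in this thread, as an added example that is not part of the original messages and is not britney code: a fresh interpreter is started per PYTHONHASHSEED value and reports the order in which it iterates over a set of package names, with and without sorted(). The function names and the package names beyond those in the quoted errors are assumptions made for the illustration.

```python
import os
import subprocess
import sys

# Constructed sample input: the first three names appear in the quoted
# "nuninst" errors; the rest are made up to give the set a few more members.
PACKAGES = ["tar", "libtinfo5", "libtinfo-dev", "hurd", "libc0.3", "perl-base"]

# Child program: build a set from its arguments and print the order in which
# iterating over it yields them ("raw"), or the order after sorted().
CHILD = (
    "import sys\n"
    "names = set(sys.argv[2:])\n"
    "order = sorted(names) if sys.argv[1] == 'sorted' else list(names)\n"
    "print(','.join(order))\n"
)


def iteration_order(seed, mode="raw"):
    """Return the set iteration order seen by a fresh interpreter.

    seed is passed to the child as PYTHONHASHSEED; None leaves the
    interpreter's default per-process hash randomization in place.
    """
    env = dict(os.environ)
    env.pop("PYTHONHASHSEED", None)
    if seed is not None:
        env["PYTHONHASHSEED"] = str(seed)
    result = subprocess.run(
        [sys.executable, "-c", CHILD, mode, *PACKAGES],
        env=env, capture_output=True, text=True, check=True,
    )
    return result.stdout.strip().split(",")


def distinct_orders(seeds, mode="raw"):
    """Collect the different orders observed across the given seeds."""
    return {tuple(iteration_order(seed, mode)) for seed in seeds}


if __name__ == "__main__":
    seeds = range(1, 11)
    # Different seeds give different string hashes, hence different orders:
    # the source of the varying end states when loops run over sets.
    print("raw orders across seeds:   ", len(distinct_orders(seeds)))
    # A pinned seed reproduces the same order on every run (test harness fix).
    print("same seed, two runs equal: ", iteration_order(7) == iteration_order(7))
    # sorted() removes the dependency on the seed altogether (code fix).
    print("sorted orders across seeds:", len(distinct_orders(seeds, "sorted")))
```

Pinning the seed suits a test harness only: the per-process randomization exists to make string hashes unpredictable to whoever supplies the keys, so code that needs a stable order should get it from sorted().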
Bug#1073194: bookworm-pu: package lxc-templates/3.0.4.48.g4765da8-1+deb12u1
"Adam D. Barratt" wrote on 16/06/2024 at 13:55:09+0200: > On Sun, 2024-06-16 at 13:00 +0200, Pierre-Elliott Bécue wrote: >> Hey, >> >> Jonathan Wiltshire wrote on 15/06/2024 at >> 23:34:32+0200: >> >> > Control: tag -1 moreinfo >> > >> > On Fri, Jun 14, 2024 at 11:53:38AM +0200, Pierre-Elliott Bécue >> > wrote: >> > > [ Reason ] >> > > Two bugs within the lxc-debian template were spotted. Each one >> > > prevents >> > > using a custom mirror when generating a debian-based container >> > > with the >> > > lxc-debian template. >> > > >> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073130 >> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073131 >> > >> > These need to be fixed in unstable before an upload to bookworm >> > will be >> > authorised. >> >> I thought I marked it in my mail, but both these bugs are already >> fixed in unstable and testing (the current upstream version in here >> fixed these two bugs). >> > > The BTS doesn't know that. The version graphs on both show the unstable > package as affected. And ticking a box in the p-u request doesn't > change that. :-) > > This is specifically included on the list of criteria for updates to > stable: > >* Bug meta-data - particularly affected versions - must be > up to date My bad. "fixed" tags added to both bugs. > Regards, Bests, -- PEB signature.asc Description: PGP signature
Bug#1073194: bookworm-pu: package lxc-templates/3.0.4.48.g4765da8-1+deb12u1
On Sun, 2024-06-16 at 13:00 +0200, Pierre-Elliott Bécue wrote:
> Hey,
>
> Jonathan Wiltshire wrote on 15/06/2024 at 23:34:32+0200:
>
> > Control: tag -1 moreinfo
> >
> > On Fri, Jun 14, 2024 at 11:53:38AM +0200, Pierre-Elliott Bécue wrote:
> > > [ Reason ]
> > > Two bugs within the lxc-debian template were spotted. Each one prevents
> > > using a custom mirror when generating a debian-based container with the
> > > lxc-debian template.
> > >
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073130
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073131
> >
> > These need to be fixed in unstable before an upload to bookworm will be
> > authorised.
>
> I thought I marked it in my mail, but both these bugs are already
> fixed in unstable and testing (the current upstream version in here
> fixed these two bugs).
>

The BTS doesn't know that. The version graphs on both show the unstable package as affected. And ticking a box in the p-u request doesn't change that. :-)

This is specifically included on the list of criteria for updates to stable:

* Bug meta-data - particularly affected versions - must be up to date

Regards,

Adam
Bug#1068888: bookworm-pu: package zookeeper/3.8.0-11+deb12u2
On Sun, 2024-06-16 at 11:12 +, Bastien Roucariès wrote: > control: tag -1 - moreinfo > Le samedi 15 juin 2024, 22:49:24 UTC Jonathan Wiltshire a écrit : > > > [...] > > > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER- > > > 4799-Refactor-ACL-check-in-.patch 1970-01-01 > > > 00:00:00.0 + > > > +++ zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER- > > > 4799-Refactor-ACL-check-in-.patch 2024-03-25 > > > 08:30:56.0 + > > > @@ -0,0 +1,1223 @@ > > > > > > This patch confuses me. It seems to contain a whole series of > > nested > > patches? How do they get applied to the source package? > > ??? > > I do not understand, see patch 0027 joined it is a simple patch... Is the source of the confusion here potentially that the patch adds new files, as well as changing existing ones? Regards, Adam
Bug#1068888: bookworm-pu: package zookeeper/3.8.0-11+deb12u2
control: tag -1 - moreinfo Le samedi 15 juin 2024, 22:49:24 UTC Jonathan Wiltshire a écrit : Hi, Thanks for the review > Control: tag -1 moreinfo > > Hi, > > On Fri, Apr 12, 2024 at 10:18:02PM +, Bastien Roucariès wrote: > > diff -Nru zookeeper-3.8.0/debian/changelog zookeeper-3.8.0/debian/changelog > > --- zookeeper-3.8.0/debian/changelog2023-10-29 07:57:11.0 > > + > > +++ zookeeper-3.8.0/debian/changelog2024-03-25 08:30:56.0 > > + > > @@ -1,3 +1,22 @@ > > +zookeeper (3.8.0-11+deb12u2) bookworm-security; urgency=medium > > Target should be bookworm.* Done > > > > diff -Nru > > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch > > > > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch > > --- > > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch > > 1970-01-01 00:00:00.0 + > > +++ > > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch > > 2024-03-25 08:30:56.0 + > > @@ -0,0 +1,1223 @@ > > > This patch confuses me. It seems to contain a whole series of nested > patches? How do they get applied to the source package? ??? I do not understand, see patch 0027 joined it is a simple patch... > > > > diff -Nru zookeeper-3.8.0/debian/patches/series > > zookeeper-3.8.0/debian/patches/series > > --- zookeeper-3.8.0/debian/patches/series 2023-10-29 07:57:11.0 > > + > > +++ zookeeper-3.8.0/debian/patches/series 2024-03-25 08:30:56.0 > > + 
> > @@ -1,19 +1,10 @@ > > -#01-add-jtoaster-to-zooinspector.patch > > -#02-patch-build-system.patch > > 03-disable-cygwin-detection.patch > > 05-ZOOKEEPER-770.patch > > 06-ftbfs-gcc-4.7.patch > > 07-remove-non-reproducible-manifest-entries.patch > > -#08-reproducible-javadoc.patch > > 10-cppunit-pkg-config.patch > > 11-disable-minikdc-tests.patch > > 12-add-yetus-annotations.patch > > -#13-disable-netty-connection-factory.patch > > -#14-ftbfs-with-gcc-8.patch > > -#15-javadoc-doclet.patch > > -#16-ZOOKEEPER-1392.patch > > -#17-gcc9-ftbfs-925869.patch > > -#18-java17-compatibility.patch > > 19-add_missing-plugins-versions.patch > > 20-no-Timeout-in-tests.patch > > 21-use-ValueSource-with-ints.patch > > @@ -33,3 +24,4 @@ > > 35-flaky-test.patch > > 36-JUnitPlatform-deprecation.patch > > CVE-2023-44981.patch > > +0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch > > Presumably these dropped patches get integrated into the nested set in > 0027? Or are they actually dropped? they are droped because disabled but I have re-added to series as disabled patch, thanks it is clearer now Bastien > > > > > diff -Nru zookeeper-3.8.0/debian/changelog zookeeper-3.8.0/debian/changelog --- zookeeper-3.8.0/debian/changelog 2023-10-29 07:57:11.0 + +++ zookeeper-3.8.0/debian/changelog 2024-06-16 10:40:07.0 + 
@@ -1,3 +1,22 @@ +zookeeper (3.8.0-11+deb12u2) bookworm; urgency=medium + + * Team upload + * Bug fix: CVE-2024-23944 (Closes: #1066947): +An information disclosure in persistent watchers handling was found in +Apache ZooKeeper due to missing ACL check. It allows an attacker to +monitor child znodes by attaching a persistent watcher (addWatch +command) to a parent which the attacker has already access +to. ZooKeeper server doesn't do ACL check when the persistent watcher +is triggered and as a consequence, the full path of znodes that a +watch event gets triggered upon is exposed to the owner of the +watcher. It's important to note that only the path is exposed by this +vulnerability, not the data of znode, but since znode path can contain +sensitive information like user name or login ID, this issue is +potentially critical. + * Add salsa CI + + -- Bastien Roucari??s Sun, 16 Jun 2024 10:40:07 + + zookeeper (3.8.0-11+deb12u1) bookworm-security; urgency=medium * Team upload: diff -Nru zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch --- zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch 1970-01-01 00:00:00.0 + +++ zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch 2024-06-16 10:40:07.0 + @@ -0,0 +1,1223 @@ +From: Andor Molnar +Date: Tue, 28 Nov 2023 21:25:00 +0100 +Subject: CVE-2024-23944: ZOOKEEPER-4799: Refactor ACL check in 'addWatch' + command + +As of today, it is impossible to diagnose which watch events are dropped +because of ACLs. Let's centralize, systematize, and log the checks at +the 'process()' site in the Netty and NIO connections. + +(These 'process()' methods contain some duplicated code, and should also +be refactored
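Review bot: the new changelog stanza for 3.8.0-11+deb12u2 lists "* Add salsa CI" next to the CVE-2024-23944 fix; for an upload targeted at bookworm I would drop that item or justify it in the request, since it is unrelated to the missing ACL check the stanza describes. The stanza also says nothing about debian/patches/series, while the earlier revision of this debdiff removed nine commented-out entries there (01, 02, 08 and 13 to 18); if series now only gains the 0027 line, it is worth stating that the disabled entries are kept so the reviewer does not have to diff the two revisions. Finally, 0027 is introduced as a 1223-line new file whose subject reads "Refactor ACL check in 'addWatch' command", so the changelog should say that the fix is a backport of the upstream refactoring and that it adds new source files, which is the point that caused the "nested patches" question in the thread.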
Processed: Re: Bug#1068888: bookworm-pu: package zookeeper/3.8.0-11+deb12u2
Processing control commands:

> tag -1 - moreinfo
Bug #106 [release.debian.org] bookworm-pu: package zookeeper/3.8.0-11+deb12u2
Removed tag(s) moreinfo.

--
106: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=106
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1073194: bookworm-pu: package lxc-templates/3.0.4.48.g4765da8-1+deb12u1
Hey,

Jonathan Wiltshire wrote on 15/06/2024 at 23:34:32+0200:

> Control: tag -1 moreinfo
>
> On Fri, Jun 14, 2024 at 11:53:38AM +0200, Pierre-Elliott Bécue wrote:
>> [ Reason ]
>> Two bugs within the lxc-debian template were spotted. Each one prevents
>> using a custom mirror when generating a debian-based container with the
>> lxc-debian template.
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073130
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073131
>
> These need to be fixed in unstable before an upload to bookworm will be
> authorised.

I thought I marked it in my mail, but both these bugs are already fixed
in unstable and testing (the current upstream version in here fixed
these two bugs).

Are you just missing a fixed-in tag on both bugs?

--
PEB
Processed: Re: Bug#1070998: bookworm-pu: package fossil/2.24-5~deb11u1
Processing control commands:

> tag -1 - moreinfo
Bug #1070998 [release.debian.org] bookworm-pu: package fossil/2.24-5~deb11u1
Removed tag(s) moreinfo.

--
1070998: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070998
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1072716: bookworm-pu: package systemd/252.26-1~deb12u2
On Sun, 16 Jun 2024 00:23:32 +0100 Jonathan Wiltshire wrote:
> On Thu, Jun 06, 2024 at 03:34:33PM -0700, Noah Meyerhans wrote:
> > I'd like to get the release team's approval for a proposed change to
> > bookworm's libnss-myhostname and libnss-mymachines packages, which are both
> > generated from src:systemd.
>
> I would have no objection to this, assuming the package maintainers agree
> with it.

Thanks, uploaded.

--
Kind regards,
Luca Boccassi
Processed: Re: Bug#1068920: bookworm-pu: package node-zx/7.1.1+~cs6.7.23-2+deb12u1
Processing control commands:

> tag -1 = bookworm confirmed
Bug #1068920 [release.debian.org] bookworm-pu: package node-zx/7.1.1+~cs6.7.23-2+deb12u1
Added tag(s) confirmed; removed tag(s) moreinfo.

--
1068920: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068920
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1068920: bookworm-pu: package node-zx/7.1.1+~cs6.7.23-2+deb12u1
Control: tag -1 = bookworm confirmed

On Sun, Jun 16, 2024 at 01:44:47AM +0200, Jérémy Lal wrote:
> Package: release.debian.org
> Followup-For: Bug #1068920
>
>
> Here it is.

Please go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Processed: Re: Bug#1073287: transition: lrslib
Processing control commands:

> tags -1 confirmed
Bug #1073287 [release.debian.org] transition: lrslib
Added tag(s) confirmed.

--
1073287: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073287
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1073287: transition: lrslib
Control: tags -1 confirmed

On 2024-06-15 21:17:58 -0300, David Bremner wrote:
> Package: release.debian.org
> Severity: normal
> X-Debbugs-Cc: lrs...@packages.debian.org
> Control: affects -1 + src:lrslib
> User: release.debian@packages.debian.org
> Usertags: transition
>
> There is only one build-rdep, that I also maintain. The Ben file is a
> guess, since something ate the automatic transition.

Please go ahead

Cheers
--
Sebastian Ramacher
Bug#1073261: bookworm-pu: package dhcpcd5/9.4.1-24~deb12u4
On Sat 15 June 2024 at 18.04 Martin-Éric Racine (martin-eric.rac...@iki.fi) wrote:
>
> On Sat 15 June 2024 at 17.48 Adam D. Barratt
> (a...@adam-barratt.org.uk) wrote:
> >
> > Control: tags -1 + confirmed
> >
> > On Sat, 2024-06-15 at 14:38 +0300, Martin-Éric Racine wrote:
> > > RC bug #1050805 was fixed in Testing with src:dhcpcd 10.0.2, but
> > > upstream only got around back-porting the fix to Stable src:dhcpcd5
> > > 9.x.x today.
> >
> > Please go ahead.
>
> Thanks. Awaiting confirmation from the bug reporter that it fixes the
> issue for him and I'll upload.

Fixing this for Stable apparently requires cherry-picking a third patch.
Updated debdiff attached.

Martin-Éric

diff -Nru dhcpcd5-9.4.1/debian/changelog dhcpcd5-9.4.1/debian/changelog --- dhcpcd5-9.4.1/debian/changelog 2023-10-20 11:12:13.0 +0300 +++ dhcpcd5-9.4.1/debian/changelog 2024-06-15 12:37:49.0 +0300 @@ -1,3 +1,11 @@ +dhcpcd5 (9.4.1-24~deb12u4) bookworm; urgency=medium + + * Add --no-stop-on-upgrade --no-restart-after-upgrade (Closes: #1057959). + * Cherry-pick upstream backported fixes for RC bug (Closes: #1050805). + * Update dhcpcd.preinst version check to match current one. + + -- Martin-Éric Racine Sat, 15 Jun 2024 12:37:49 +0300 + dhcpcd5 (9.4.1-24~deb12u3) bookworm; urgency=medium * Move Breaks/Replaces dhcpcd5 (<< 9.4.1-2) to Conflicts (Closes: #1053657). diff -Nru dhcpcd5-9.4.1/debian/dhcpcd.preinst dhcpcd5-9.4.1/debian/dhcpcd.preinst --- dhcpcd5-9.4.1/debian/dhcpcd.preinst 2023-10-20 11:12:08.0 +0300 +++ dhcpcd5-9.4.1/debian/dhcpcd.preinst 2023-12-13 22:50:19.0 +0200 
@@ -2,7 +2,7 @@ # As per Debian bug #1037190. # Copyright 2023 Andreas Beckmann set -e -if dpkg --compare-versions "$2" lt-nl "1:9.4.1-24~deb12u3~" ; then +if dpkg --compare-versions "$2" lt-nl "1:9.4.1-24~deb12u4~" ; then # Cleanup leftovers from dhcpcd 1:3.* in Wheezy. # Can be removed after Trixie is released. update-alternatives --remove dhcpcd /sbin/dhcpcd3 diff -Nru dhcpcd5-9.4.1/debian/patches/53e2f6de4ba87d0534c89cae674e6c1a48724ef0.patch dhcpcd5-9.4.1/debian/patches/53e2f6de4ba87d0534c89cae674e6c1a48724ef0.patch --- dhcpcd5-9.4.1/debian/patches/53e2f6de4ba87d0534c89cae674e6c1a48724ef0.patch 1970-01-01 02:00:00.0 +0200 +++ dhcpcd5-9.4.1/debian/patches/53e2f6de4ba87d0534c89cae674e6c1a48724ef0.patch 2024-06-15 12:34:41.0 +0300 
@@ -0,0 +1,121 @@ +From 53e2f6de4ba87d0534c89cae674e6c1a48724ef0 Mon Sep 17 00:00:00 2001 +From: Roy Marples +Date: Sat, 15 Jun 2024 10:04:06 +0100 +Subject: [PATCH] privsep: Allow zero length messages through + +They should be handled gracefully without privsep anyway. +Fix for #179. +--- + src/privsep-inet.c | 12 ++-- + src/privsep.c | 15 +++ + src/privsep.h | 2 +- + 3 files changed, 10 insertions(+), 19 deletions(-) + +diff --git a/src/privsep-inet.c b/src/privsep-inet.c +index 3a192ee0..7f7494f6 100644 +--- a/src/privsep-inet.c b/src/privsep-inet.c +@@ -53,7 +53,7 @@ ps_inet_recvbootp(void *arg) + { + struct dhcpcd_ctx *ctx = arg; + +- if (ps_recvmsg(ctx, ctx->udp_rfd, PS_BOOTP, ctx->ps_inet_fd) == -1) ++ if (ps_recvmsg(ctx->udp_rfd, PS_BOOTP, ctx->ps_inet_fd) == -1) + logerr(__func__); + } + #endif +@@ -67,12 +67,12 @@ ps_inet_recvra(void *arg) + struct rs_state *state = RS_STATE(ifp); + struct dhcpcd_ctx *ctx = ifp->ctx; + +- if (ps_recvmsg(ctx, state->nd_fd, PS_ND, ctx->ps_inet_fd) == -1) ++ if (ps_recvmsg(state->nd_fd, PS_ND, ctx->ps_inet_fd) == -1) + logerr(__func__); + #else + struct dhcpcd_ctx *ctx = arg; + +- if (ps_recvmsg(ctx, ctx->nd_fd, PS_ND, ctx->ps_inet_fd) == -1) ++ if (ps_recvmsg(ctx->nd_fd, PS_ND, ctx->ps_inet_fd) == -1) + logerr(__func__); + #endif + } +@@ -84,7 +84,7 @@ ps_inet_recvdhcp6(void *arg) + { + struct dhcpcd_ctx *ctx = arg; + +- if (ps_recvmsg(ctx, ctx->dhcp6_rfd, PS_DHCP6, ctx->ps_inet_fd) == -1) ++ if (ps_recvmsg(ctx->dhcp6_rfd, PS_DHCP6, ctx->ps_inet_fd) == -1) + logerr(__func__); + } + #endif +@@ -374,7 +374,7 @@ ps_inet_recvinbootp(void *arg) + { + struct ps_process *psp = arg; + +- if (ps_recvmsg(psp->psp_ctx, psp->psp_work_fd, ++ if (ps_recvmsg(psp->psp_work_fd, + PS_BOOTP, psp->psp_ctx->ps_data_fd) == -1) + logerr(__func__); + } +@@ -463,7 +463,7 @@ ps_inet_recvin6dhcp6(void *arg) + { + struct ps_process *psp = arg; + +- if (ps_recvmsg(psp->psp_ctx, psp->psp_work_fd, ++ if (ps_recvmsg(psp->psp_work_fd, + PS_DHCP6, 
psp->psp_ctx->ps_data_fd) == -1) + logerr(__func__); + } +diff --git a/src/privsep.c b/src/privsep.c +index ab29bb7b..0f78907a 100644 +--- a/src/privsep.c b/src/privsep.c +@@ -897,7 +897,7 @@ ps_sendcmdmsg(int fd, uint16_t cmd, const struct msghdr *msg) + } + + ssize_t +-ps_recvmsg(struct dhcpcd_ctx *ctx, int rfd, uint16_t cmd, int wfd) ++ps
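Review bot: the second bullet of the debian/changelog hunk, "Cherry-pick upstream backported fixes for RC bug", does not name the patches it adds. List each file under debian/patches (53e2f6de4ba87d0534c89cae674e6c1a48724ef0.patch among them) so the entry can be matched against the debdiff, given that the cover mail says a third cherry-pick turned out to be needed.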
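Review bot: the debian/dhcpcd.preinst hunk moves the lt-nl threshold from "1:9.4.1-24~deb12u3~" to "1:9.4.1-24~deb12u4~", but nothing in the script says why the guard has to follow the current upload. The surrounding comments only mention bug #1037190 and the Wheezy leftovers, so add a comment above the "if" stating that the version must be bumped with every stable upload and what breaks if it is not; otherwise the next uploader has no cue to repeat the change.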
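Review bot: ps_recvmsg() loses its ctx argument in src/privsep.c, while the visible hunks only update the six call sites in src/privsep-inet.c, and the diffstat lists just privsep-inet.c, privsep.c and privsep.h. The patch was cut against upstream's tree rather than 9.4.1, so confirm that the bookworm source has no other ps_recvmsg( caller still passing four arguments, which would fail to build. The patch header also carries only the git format-patch fields, and "Fix for #179" points at upstream's tracker; a Bug-Debian reference to #1050805 and an Origin line would make the backport traceable.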