Re: /usr-move: Do we support upgrades without apt?

2023-12-21 Thread Michael Biebl

On 21.12.23 at 11:50, Christoph Berg wrote:

Re: Helmut Grohne

Is it ok to call upgrade scenarios failures that cannot be reproduced
using apt unsupported until we no longer deal with aliasing?

If the answer is yes here, we'll close #1058937 (Ben's libnfsidmap1 bug)
with no action calling the scenario unsupported.


I think we should only deal with problems that can reasonably happen
in practice. If an extra hammer is required to hit the problem, we
should not spend extra effort on it.


A (dist-)upgrade not using apt is very much a corner case/niche use case.

I'd be interested if #1058937 can be reproduced using aptitude, though.
While the release notes explicitly recommend using apt/apt-get, I do 
think that dist-upgrades using aptitude should not run into those file 
loss issues.


If aptitude is safe, I'd consider #1058937 a bug that is not release 
critical and I'd assign low(er) priority to it.
Other issues, like getting all packages updated to move their files to 
/usr, have higher priority.


Michael



OpenPGP_signature.asc
Description: OpenPGP digital signature


Re: [pkg-apparmor] Bug#1050256: autopkgtest fails on debci

2023-09-11 Thread Michael Biebl

Control: severity -1 important

On 09.09.23 at 14:20, intrigeri wrote:

Hi again,

Thank you all for working both on workarounds for Debian CI and on
a proper upstream Linux kernel fix. Impressive cross-team work! :)


+1


At this stage it seems clear that the bug and the corresponding ideal
fix are in the AppArmor part of src:linux, and the bug affects at
least src:apparmor and src:lxc. I'd like to reflect this in the
metadata of #1050256 by reassigning the bug to Linux, and adding
"affects" indications. I'll do so in the next few days unless someone
objects soon.


It also affects at least
src:systemd, src:pdns, src:policykit-1
All those packages have added workarounds for this issue.
I'll revert the workaround in systemd and notify the maintainers of pdns 
and policykit-1.



Doing so will also be an opportunity for me to sum up the problem for
the maintainers of src:linux, and let them know about our desired
timeline: ideally this would be fixed in the upcoming Bookworm
point-release.

This being said, if said timeline can't be met in src:linux, it'll be
up to the maintainers of LXC in Debian to decide what they want to do
in the upcoming Bookworm point-release.

If I misunderstood something important, please let me know.


Sounds good to me.

For now, given that all the debci hosts are running the backports 
kernel, I'm downgrading the severity again.


When you do the reassignment, you should probably merge this bug report 
with #1038315 and #1042880, now that we know what the root cause is.



Regards,
Michael




Re: Bug#1050256: autopkgtest fails on debci

2023-09-04 Thread Michael Biebl

On 04.09.23 at 20:23, Mathias Gibbens wrote:

On Mon, 2023-09-04 at 01:00 -0700, John Johansen wrote:

I took a quick look through v6.1..v6.3.1

there is a patch that I think is the likely fix, it first landed in v6.2

1cf26c3d2c4c apparmor: fix apparmor mediating locking non-fs unix sockets


   Thanks for the pointer John -- I think that is the fix we've been
looking for!

   Commit 1cf26c3d2c4c doesn't apply cleanly to the v6.1 tree due to the
other commits from the patchset of Oct 3, 2022 that modified a bunch of
the apparmor code. Because I couldn't quickly cherry-pick all the
changes without amassing a large diff, I made the small proof-of-concept
patch at the end of this message and applied it to the 6.1.38-4 kernel
from bookworm. Booting with the patched kernel allows services
to start up in containers without any issues. :)

   So, I think the next step should be to get that commit properly
backported to the v6.1 longterm tree and included in an upstream
release. Hopefully that would be able to happen in enough time so that
it is bundled with the kernel updates for bookworm's point release next
month. If not, we should be sure to get it into Debian's packaging so
at least there's a proper fix available.



Thanks for the update Mathias, this looks very promising.
A stable update of the Linux 6.1.x kernel would obviously be the ideal 
solution.


John, could you help with getting this fix into 6.1.x?

Regards,
Michael




Re: Bug#1050256: autopkgtest fails on debci

2023-09-03 Thread Michael Biebl

On 03.09.23 at 10:50, Paul Gevers wrote:

Hi,

On 03-09-2023 02:56, Michael Biebl wrote:

ng?


Do the debci maintainers / lxc maintainers / release team have any 
preference regarding a/, b/ and c/?


One part of me likes the ci.d.n infrastructure to run stable as an 
example of "eat your own dogfood". Another part of me agrees with 
Antonio that it makes sense if it would run a backports kernel to be as 
close as possible to testing as we can reasonably (maintenance wise) can 
get. Because we have a known issue at hand, the balance goes to 
backports for me. If Antonio doesn't beat me to it, I'll get to it 
(although I don't know yet how to do that in our configuration [1] and 
exclude riscv64 too). I have manually upgraded the s390x host and 
rebooted, so that can serve as a test arch.


Seems it worked, the latest run succeeded:
https://ci.debian.net/data/autopkgtest/testing/s390x/s/systemd/37374052/log.gz

Thanks!






Re: Bug#1050256: autopkgtest fails on debci

2023-09-02 Thread Michael Biebl

Control: severity -1 serious

I'm tentatively raising this to RC, mainly to make this issue more 
visible for other maintainers.







Re: Bug#1050256: autopkgtest fails on debci

2023-09-02 Thread Michael Biebl

Hi everyone

On 02.09.23 at 13:09, Antonio Terceiro wrote:

On Fri, Sep 01, 2023 at 11:13:11PM +, Mathias Gibbens wrote:

   I don't think we have a good understanding of the root cause of this
issue. Initially we thought this was a known upstream issue with all but
very recent versions of apparmor and a corresponding lxc profile
fix [0]. However, it appears this is a different issue that somehow
depends on the interaction of bookworm's versions of the kernel,
apparmor, and/or lxc.


Nod


   A minimal reproducer is to install bookworm and create a container
with a systemd service using a hardening option like
PrivateNetwork=yes. With the latest bookworm kernel (6.1.38-4), the
service will fail. But, grab a kernel from testing (6.4.11-1) and then
things work -- with no other changes required. I tried the "oldest"
kernel on snapshot.d.o post 6.1 series (6.3.1+1~exp1 [1]) and the
service works properly with that version as well. So, something changed
in the kernel (either upstream or in Debian's packaging) between 6.1
and 6.3 that "unbreaks" services within lxc containers.


Right, these are my findings as well.

I also tested downgrading apparmor to 2.13.6-10 (i.e. the version from 
oldstable) on a bookworm system.


This was also sufficient to unbreak lxc.

So it "looks" like apparmor 3.x makes assumptions about the kernel that 
are not fulfilled by the kernel 6.1.x in bookworm.



   Given that simply installing a newer kernel fixes things, I am
hesitant to start making changes to lxc until we actually understand
what's changed when running the newer kernel and how it's affecting
lxc's behavior.


My main concern is to "stop the bleeding" quickly, so to speak, 
especially/mainly for debci.


I guess we have three options here:
a/ upgrade the kernels to the one from backports as suggested by Antonio
b/ disable apparmor confinement for lxc on debci via some debci specific 
configuration
c/ disable apparmor confinement for lxc in bookworm via a stable upload 
of the lxc package



The MR I proposed is c/, as I don't know how to implement a/ or b/.

That said, I would be fine with a/ and b/ as well, as this would buy us 
time to investigate this issue without being under the pressure of 
causing debci failures.
Those debci failures are hard to debug and I would like to avoid having 
individual maintainers waste time on it.


Do the debci maintainers / lxc maintainers / release team have any 
preference regarding a/, b/ and c/?



Michael





Re: [pkg-apparmor] Bug#1050256: autopkgtest fails on debci

2023-09-01 Thread Michael Biebl

On 01.09.23 at 13:23, Michael Biebl wrote:
The only way to fix the container was to use the aforementioned 
`lxc.apparmor.profile = unconfined`.
I think we should do that as the breakage is rather widespread and I 
already see individual packages trying to work around that to at least 
keep debci afloat.


See e.g.:
https://salsa.debian.org/systemd-team/systemd/-/merge_requests/211
https://salsa.debian.org/debian/pdns/-/commit/637e54ef73386541086da430553b82db78266bac

or disabling the systemd hardening options completely:
https://salsa.debian.org/utopia-team/polkit/-/blob/master/debian/patches/debian/Don-t-use-PrivateNetwork-yes-for-the-systemd-unit.patch

This is not a good outcome of this and the problem will become more 
apparent with debci running on bookworm now.




I went ahead and submitted
https://salsa.debian.org/lxc-team/lxc/-/merge_requests/18
since I don't see another solution atm.

Looping in the release team as well for their input.


Regards,
Michael




Bug#1043151: bookworm-pu: package network-manager-applet/1.32.0-2+deb12u1

2023-08-07 Thread Michael Biebl

Hi Jonathan

On 07.08.23 at 18:46, Jonathan Wiltshire wrote:

Control: tag -1 moreinfo

On Sun, Aug 06, 2023 at 08:06:55PM +0200, Michael Biebl wrote:

I'd like to make a stable upload for network-manager-applet, which fixes
a crash in nm-connection-editor when importing a VPN configuration.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1042712

It's a targeted fix; the patch has been cherry-picked from upstream Git
and applied to the package in unstable with no reported regressions.

Full debdiff is attached.


There's an upload pending for bookworm which doesn't match this diff and
seems to be relative to sid, not stable - is that an error?


This was a mistake, yes. I'm very sorry for that.
When creating the bookworm branch I accidentally picked the tag
debian/1.32.0-2 instead of the intended debian/1.30.0-2.
Not sure how I missed that.

The debdiff was so small, that I directly uploaded.

I wonder what to do now?

The diff between 1.30.0 and 1.32.0 is still reasonably small (excluding 
translations):


git diff debian/1.30.0-2 debian/1.32.0-2+deb12u1 -- ":(exclude)po" | 
diffstat

...
 24 files changed, 269 insertions(+), 77 deletions(-)

Shall I roll back the changes and upload a 1.32.0really1.30.0-something 
to bookworm?

Shall we simply cancel the 1.32.0-2+deb12u1 upload to bookworm?
Or should we go with 1.32.0 in bookworm?

Given the small amount of changes, I slightly prefer the last option, 
but I would appreciate your feedback.



Michael




Bug#1043151: bookworm-pu: package network-manager-applet/1.32.0-2+deb12u1

2023-08-06 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: network-manager-app...@packages.debian.org
Control: affects -1 + src:network-manager-applet

Hi,

I'd like to make a stable upload for network-manager-applet, which fixes
a crash in nm-connection-editor when importing a VPN configuration.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1042712

It's a targeted fix; the patch has been cherry-picked from upstream Git
and applied to the package in unstable with no reported regressions.

Full debdiff is attached.

Regards,
Michael
diff --git a/debian/changelog b/debian/changelog
index 2e03baf9..e3e2fa50 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+network-manager-applet (1.32.0-2+deb12u1) bookworm; urgency=medium
+
+  * c-e: fix crash in import_vpn_from_file_cb() when importing VPN profiles
+(Closes: #1042712)
+
+ -- Michael Biebl   Sun, 06 Aug 2023 20:02:05 +0200
+
 network-manager-applet (1.32.0-2) unstable; urgency=medium
 
   * Upload to unstable
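Review bot: the base version in this changelog entry is the unstable 1.32.0-2, not the 1.30.0-2 that bookworm ships (the follow-up mail confirms the bookworm branch was cut from the wrong tag), so a debdiff against this base carries the whole 1.30.0 to 1.32.0 upstream delta rather than the single crash fix the entry describes. Either rebase the entry on debian/1.30.0-2 (giving 1.30.0-2+deb12u1 and a minimal diff), or state explicitly in the request that a new upstream version is being proposed for stable and attach the diffstat so the release team can judge that instead.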
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 05e704d0..7a75dbc3 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,5 +1,5 @@
 [DEFAULT]
 pristine-tar = True
 patch-numbers = False
-debian-branch = debian/master
+debian-branch = debian/bookworm
 upstream-branch = upstream/latest
diff --git 
a/debian/patches/c-e-fix-crash-in-import_vpn_from_file_cb-when-importing-V.patch
 
b/debian/patches/c-e-fix-crash-in-import_vpn_from_file_cb-when-importing-V.patch
new file mode 100644
index ..ebe3b089
--- /dev/null
+++ 
b/debian/patches/c-e-fix-crash-in-import_vpn_from_file_cb-when-importing-V.patch
@@ -0,0 +1,53 @@
+From: Thomas Haller 
+Date: Tue, 2 May 2023 10:39:29 +0200
+Subject: c-e: fix crash in import_vpn_from_file_cb() when importing VPN
+ profiles
+
+Import code can create incomplete profiles, that don't have
+"connection.type" set. Avoid the crash.
+
+  #0  __strcmp_evex () at ../sysdeps/x86_64/multiarch/strcmp-evex.S:314
+  #1  0x0043d177 in import_vpn_from_file_cb (dialog=0x7f4650, 
response=, user_data=0x7d66e0) at 
src/connection-editor/connection-helpers.c:275
+  #2  0x76f564ea in g_closure_invoke (closure=0x8d5120, 
return_value=0x0, n_param_values=2, param_values=0x7fffd0f0, 
invocation_hint=0x7fffd070) at ../gobject/gclosure.c:832
+  #3  0x76f84d36 in signal_emit_unlocked_R.isra.0
+  (node=node@entry=0x847c70, detail=detail@entry=0, 
instance=instance@entry=0x7f4650, emission_return=emission_return@entry=0x0, 
instance_and_params=instance_and_params@entry=0x7fffd0f0) at 
../gobject/gsignal.c:3812
+  #4  0x76f75bdd in g_signal_emit_valist (instance=, 
signal_id=, detail=, 
var_args=var_args@entry=0x7fffd2b0) at ../gobject/gsignal.c:3565
+  #5  0x76f75e53 in g_signal_emit (instance=, 
signal_id=, detail=) at ../gobject/gsignal.c:3622
+  #6  0x76f75cda in _g_closure_invoke_va (param_types=0x0, 
n_params=, args=0x7fffd520, instance=0x8ee230, 
return_value=0x0, closure=0x8efbf0) at ../gobject/gclosure.c:895
+  #7  g_signal_emit_valist (instance=0x8ee230, signal_id=216, detail=0, 
var_args=var_args@entry=0x7fffd520) at ../gobject/gsignal.c:3472
+  #8  0x76f75e53 in g_signal_emit (instance=instance@entry=0x8ee230, 
signal_id=, detail=detail@entry=0) at ../gobject/gsignal.c:3622
+  #9  0x776dd7dd in gtk_button_clicked (button=button@entry=0x8ee230) 
at ../gtk/gtkbutton.c:1541
+  #10 0x776dfad6 in gtk_button_finish_activate (do_it=1, 
button=0x8ee230) at ../gtk/gtkbutton.c:2042
+  #11 button_activate_timeout (data=0x8ee230) at ../gtk/gtkbutton.c:1984
+  #12 0x77eddcad in gdk_threads_dispatch (data=data@entry=0xa5f470) at 
../gdk/gdk.c:769
+  #13 0x76e55c69 in g_timeout_dispatch (source=0x711550, 
callback=0x77eddc80 , user_data=0xa5f470) at 
../glib/gmain.c:5054
+  #14 0x76e5539c in g_main_dispatch (context=0x4e7c70) at 
../glib/gmain.c:3460
+  #15 g_main_context_dispatch (context=0x4e7c70) at ../glib/gmain.c:4200
+  #16 0x76eb3438 in g_main_context_iterate.isra.0 (context=0x4e7c70, 
block=1, dispatch=1, self=) at ../glib/gmain.c:4276
+  #17 0x76e52a23 in g_main_context_iteration 
(context=context@entry=0x4e7c70, may_block=may_block@entry=1) at 
../glib/gmain.c:4343
+  #18 0x7708a01d in g_application_run 
(application=application@entry=0x4e5010, argc=, 
argv=0x7fffd9e8) at ../gio/gapplication.c:2573
+  #19 0x004133ad in main (argc=, argv=) 
at src/connection-editor/main.c:259
+
+https://gitlab.gnome.org/GNOME/network-manager-applet/-/issues/178
+
+Fixes: 3ff5b6cc9841 ('c-e: support importing WireGuard profiles from wg-quick 
files')
+(cherry picked from commit 01281fae6b601598cd2006bc8f2d5be98810228d)
+---
+ src/connection-editor/connection-helpers.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/connec
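Review bot: the embedded patch is cut off at "diff --git a/src/connec", so the two-line change to src/connection-helpers.c that the diffstat announces (2 insertions, 2 deletions) is not visible and the actual guard for a profile with no "connection.type" cannot be checked against the strcmp() frame #0/#1 in the backtrace above. The header does name the upstream commit (01281fae6b601598cd2006bc8f2d5be98810228d) and issue #178, so the cherry-pick can be fetched from there, but the debdiff attached to the bug should carry the complete hunk for review.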

Bug#1042903: bookworm-pu: package firewalld/1.3.3-1~deb12u1

2023-08-02 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: firewa...@packages.debian.org
Control: affects -1 + src:firewalld

Hi,

I'd like to make a stable upload for firewalld, fixing
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038904

The current version in stable which is affected by this issue is 1.3.0-1
and I'd like to upload 1.3.3-1 as 1.3.3-1~deb12u1 to bookworm to fix
this issue. 1.3.3-1 has been in testing for several weeks with no
reported regression.

The relevant code changes are attached as diff.txt and were generated
via
# git diff debian/1.3.0-1..debian/1.3.3-1 -- src/firewall*


Attached is also the full debdiff for completeness sake.
It contains a lot of autogenerated test code, build system and doc
changes, so for the actual changes, you might refer to diff.txt.

Please let me know, if I can proceed with the upload.

Regards,
Michael



Re: Is an MBF and unblock for packages introducing new files in /bin or /sbin or /lib in Bookworm acceptable at this stage?

2023-05-22 Thread Michael Biebl

On 22.05.23 at 21:34, Sam Hartman wrote:


enough benefit to justify breaking testing.



No-one is breaking testing, as files are not moved between packages.




Bug#1034643: unblock: avahi/0.8-10

2023-04-20 Thread Michael Biebl
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: av...@packages.debian.org
Control: affects -1 + src:avahi

Please unblock package avahi


[ Reason ]
The main issue is the fix for CVE-2023-1981, a local denial of service
that can be executed by unprivileged users.

The removal of the bind9-host dependency is a change that had already
been committed to git and I didn't want to revert it.

Updating debian/watch doesn't affect the binary package itself.

[ Impact ]
If the package is not updated, users are vulnerable to CVE-2023-1981.

[ Tests ]
No automated tests for the affected code are available.

[ Risks ]
I consider the risk rather low as it's a targeted fix which has been
approved/applied upstream.


[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
(Anything else the release team should know.)

unblock avahi/0.8-10
diff --git a/debian/changelog b/debian/changelog
index 81e976a7..8efca465 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+avahi (0.8-10) unstable; urgency=medium
+
+  [ Felix Geyer ]
+  * Remove dependency on bind9-host.
+Originally added in #433030, no longer needed as the
+avahi-daemon-check-dns.sh script is no longer shipped.
+
+  [ Michael Biebl ]
+  * Emit error if requested service is not found.
+Fixes a potential local DoS where the avahi daemon could be crashed by
+an unprivileged user via a D-Bus call.
+(CVE-2023-1981, Closes: #1034594)
+  * Update watch file to get tarballs directly from avahi.org again.
+The recent changes in GitHub broke the current watch file.
+As new releases are again uploaded to avahi.org, get the release
+tarballs from there.
+
+ -- Michael Biebl   Wed, 19 Apr 2023 13:51:49 +0200
+
 avahi (0.8-9) unstable; urgency=medium
 
   [ Gioele Barabucci ]
diff --git a/debian/control b/debian/control
index 6210237d..2ee1cdc1 100644
--- a/debian/control
+++ b/debian/control
@@ -38,7 +38,6 @@ Depends: ${shlibs:Depends},
  ${misc:Depends},
  adduser,
  default-dbus-system-bus | dbus-system-bus,
- bind9-host | host
 Recommends: libnss-mdns,
 Suggests: avahi-autoipd
 Multi-Arch: foreign
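Review bot: removing "bind9-host | host" leaves "default-dbus-system-bus | dbus-system-bus," as the last Depends entry with a trailing comma; dpkg accepts a trailing comma in relationship fields, so this is cosmetic, but trimming it keeps the field tidy and avoids a confusing diff the next time an alternative is appended. The justification for dropping a dependency in a freeze upload is present in the changelog hunk (avahi-daemon-check-dns.sh is no longer shipped), which is what a reviewer needs to see.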
diff --git a/debian/patches/Emit-error-if-requested-service-is-not-found.patch 
b/debian/patches/Emit-error-if-requested-service-is-not-found.patch
new file mode 100644
index ..19eb2b96
--- /dev/null
+++ b/debian/patches/Emit-error-if-requested-service-is-not-found.patch
@@ -0,0 +1,54 @@
+From: =?utf-8?b?UGV0ciBNZW7FocOtaw==?= 
+Date: Thu, 17 Nov 2022 01:51:53 +0100
+Subject: Emit error if requested service is not found
+
+It currently just crashes instead of replying with error. Check return
+value and emit error instead of passing NULL pointer to reply.
+
+Fixes #375
+
+(cherry picked from commit a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f)
+---
+ avahi-daemon/dbus-protocol.c | 20 ++--
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c
+index 70d7687..406d0b4 100644
+--- a/avahi-daemon/dbus-protocol.c
 b/avahi-daemon/dbus-protocol.c
+@@ -375,10 +375,14 @@ static DBusHandlerResult 
dbus_get_alternative_host_name(DBusConnection *c, DBusM
+ }
+ 
+ t = avahi_alternative_host_name(n);
+-avahi_dbus_respond_string(c, m, t);
+-avahi_free(t);
++if (t) {
++avahi_dbus_respond_string(c, m, t);
++avahi_free(t);
+ 
+-return DBUS_HANDLER_RESULT_HANDLED;
++return DBUS_HANDLER_RESULT_HANDLED;
++} else {
++return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname 
not found");
++}
+ }
+ 
+ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, 
DBusMessage *m, DBusError *error) {
+@@ -389,10 +393,14 @@ static DBusHandlerResult 
dbus_get_alternative_service_name(DBusConnection *c, DB
+ }
+ 
+ t = avahi_alternative_service_name(n);
+-avahi_dbus_respond_string(c, m, t);
+-avahi_free(t);
++if (t) {
++avahi_dbus_respond_string(c, m, t);
++avahi_free(t);
+ 
+-return DBUS_HANDLER_RESULT_HANDLED;
++return DBUS_HANDLER_RESULT_HANDLED;
++} else {
++return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service 
not found");
++}
+ }
+ 
+ static DBusHandlerResult dbus_create_new_entry_group(DBusConnection *c, 
DBusMessage *m, DBusError *error) {
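Review bot: the error strings "Hostname not found" and "Service not found" in the two replaced regions describe a lookup miss, but the condition being handled is avahi_alternative_host_name() / avahi_alternative_service_name() returning NULL for the caller-supplied n; unless those functions return NULL only for a missing name, AVAHI_ERR_NOT_FOUND will mislead D-Bus clients, and an error code (or at least a message) that says no alternative name could be produced for the input would be clearer. The NULL check itself is the correct fix for the crash described in the header: the removed lines passed t straight into avahi_dbus_respond_string() and avahi_free() with no check. Keeping the upstream cherry-pick verbatim is the right call for a freeze upload, so this is a note for upstream rather than a reason to alter the Debian patch.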
diff --git a/debian/patches/dbus-Use-non-deprecated-installation-path.patch 
b/debian/patches/dbus-Use-non-deprecated-installation-path.patch
index 796c97dc..cb348788 100644
--- a/debian/patches/dbus-Use-non-deprecated-installation-path.patch
+++ b/debian/patches/dbus-Use-non-deprecated-installation-path.patch
@@ -1,6 +1,7 @@
 From: Jan Tojnar 
 Date: Sat, 21 May 2022 19:02:11 +0200

Bug#1034265: unblock: fsarchiver/0.8.7-1

2023-04-11 Thread Michael Biebl
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: fsarchi...@packages.debian.org
Control: affects -1 + src:fsarchiver

Please unblock package fsarchiver

[ Reason ]
Creating file systems with recent versions of
btrfs-progs/e2fsprogs/xfsprogs
on recent kernels might make use of kernel/fs features like nrext64 or 
orphan_file.
Older versions of fsarchiver will not know how to handle those fs
features and fail to save/restore a backup.
See e.g. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033117



[ Impact ]
Not shipping an up-to-date fsarchiver might result in failures when
trying to backup/restore xfs/btrfs/ext4 partitions that were created
with features that are unknown to fsarchiver.

[ Tests ]
fsarchiver ships an autopkgtest for ext4 and xfs.
Those tests use the default settings when creating a new file system and
they triggered the ext4 related incompatible changes
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033117

[ Risks ]
fsarchiver is a leaf package, so its effect on other packages is
minimal.

[ Checklist ]
  [x] ext4 related changes are documented in the d/changelog 
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

The debdiff was created filtering out auto* noise using
git diff debian/0.8.6-2 ':!config.guess' ':!config.sub' ':!*Makefile.in' 
':!configure' ':!aclocal.m4'

unblock fsarchiver/0.8.7-1
diff --git a/ChangeLog b/ChangeLog
index 39bfbda..35ebc94 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 fsarchiver: Filesystem Archiver for Linux [http://www.fsarchiver.org]
 =
+* 0.8.7 (2023-03-19):
+  - Implement support for option "uuid=" for vfat (Marcos Mello)
+  - Update list of btrfs supported features (Marcos Mello)
+  - Add support for the "nrext64" feature on XFS (Marcos Mello)
+  - Do not error out on deleted files when option -A is used (Marcos Mello)
+  - Handle termination by signal in exec_command() (Marcos Mello)
+  - Add support for the "orphan_file" feature in EXT4 (Marcos Mello)
+  - Do not try to save xattrs if not supported by the filesystem (Marcos Mello)
 * 0.8.6 (2021-02-27):
   - Add support for EXT4 fast_commit feature (Marcos Mello)
   - Add support for XFS features inobtcount and bigtime (Marcos Mello)
diff --git a/INSTALL b/INSTALL
index 8865734..e82fd21 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,8 +1,8 @@
 Installation Instructions
 *
 
-   Copyright (C) 1994-1996, 1999-2002, 2004-2016 Free Software
-Foundation, Inc.
+   Copyright (C) 1994-1996, 1999-2002, 2004-2017, 2020-2021 Free
+Software Foundation, Inc.
 
Copying and distribution of this file, with or without modification,
 are permitted in any medium without royalty provided the copyright
@@ -225,7 +225,7 @@ order to use an ANSI C compiler:
 
 and if that doesn't work, install pre-built binaries of GCC for HP-UX.
 
-   HP-UX 'make' updates targets which have the same time stamps as their
+   HP-UX 'make' updates targets which have the same timestamps as their
 prerequisites, which makes it generally unusable when shipped generated
 files such as 'configure' are involved.  Use GNU 'make' instead.
 
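Review bot: the INSTALL hunks (and the compile script that follows) are autotools-generated boilerplate that the stated filter (':!config.guess' ':!config.sub' ':!*Makefile.in' ':!configure' ':!aclocal.m4') does not cover, so the debdiff still carries copyright-year and wording churn unrelated to the ext4/xfs fix. Adding ':!INSTALL' ':!compile' and the other automake helper scripts that the tarball ships to the git diff pathspec would leave reviewers with only the ChangeLog, configure.ac, src/ and debian/ changes, which is what the unblock request is actually about.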
diff --git a/compile b/compile
index 23fcba0..df363c8 100755
--- a/compile
+++ b/compile
@@ -3,7 +3,7 @@
 
 scriptversion=2018-03-07.03; # UTC
 
-# Copyright (C) 1999-2020 Free Software Foundation, Inc.
+# Copyright (C) 1999-2021 Free Software Foundation, Inc.
 # Written by Tom Tromey .
 #
 # This program is free software; you can redistribute it and/or modify
diff --git a/configure.ac b/configure.ac
index ec838a3..2948877 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3,8 +3,8 @@
 
 AC_PREREQ(2.59)
 
-AC_INIT([fsarchiver], 0.8.6)
-AC_DEFINE([PACKAGE_RELDATE], "2021-02-27", [Define the date of the release])
+AC_INIT([fsarchiver], 0.8.7)
+AC_DEFINE([PACKAGE_RELDATE], "2023-03-19", [Define the date of the release])
 AC_DEFINE([PACKAGE_FILEFMT], "FsArCh_002", [Define the version of the file 
format])
 AC_DEFINE([PACKAGE_VERSION_A], 0, [Major version number])
 AC_DEFINE([PACKAGE_VERSION_B], 8, [Medium version number])
diff --git a/debian/changelog b/debian/changelog
index f006387..466725d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+fsarchiver (0.8.7-1) unstable; urgency=medium
+
+  * New upstream version 0.8.7
+- Fixes compatibility with e2fsprogs >= 1.47. (Closes: #1033117)
+  * Update debian/watch.
+Use the GitHub API when checking for new upstream releases.
+  * Bump Standards-Version to 4.6.2
+  * Update obsolete Build-Depends e2fslibs-dev => libext2fs-dev
+
+ -- Michael Biebl   Tue, 28 Mar 2023 20:34:29 +0200
+
 fsarchiver (0.8.6-2) unstable; urgency=medium
 
   [ Julian Andres Klode ]
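Review bot: besides the upstream update that fixes #1033117, this changelog entry bundles a Standards-Version bump, a debian/watch rewrite and a Build-Depends rename (e2fslibs-dev to libext2fs-dev); none of these is mentioned in the [ Reason ] or [ Risks ] sections above, and the Build-Depends change in particular affects how the package builds in testing. For a freeze unblock the request should either call these out with a one-line justification each or leave them for after the release, so the release team does not have to discover them from the diff.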

Bug#1032939: unblock: network-manager/1.42.4-1

2023-04-02 Thread Michael Biebl

Hi Paul,

sorry for the late reply.
Fortunately, the additional delay has given the changes in unstable 
further testing and no new bug reports have been filed since then.


On 18.03.23 at 22:17, Paul Gevers wrote:

Control: tags -1 moreinfo

Hi Michael,

On 14-03-2023 13:47, Michael Biebl wrote:

please unblock package network-manager.

The current version in testing is 1.42.0-1 and upstream has created two
stable point releases 1.42.2 and 1.42.4, cherry-picking various fixes
into the nm-1.42 stable branch, most notably a fix for #1031891,
a regression in the dnsmasq DNS backend when using a global DNS
configuration.

Upstream is rather conservative in cherry-picking fixes into their
stable branches and the package ships an extensive test-suite, which is
run during build.


What does "rather conservative" mean? Do you have a link to their policy?


I don't think upstream has an explicit document here which I could link 
to, at least not one that I'm aware of.
So the statement above is mostly from (my) past experience dealing with 
upstream.



Normally we'd like to have a more verbose description of the changes. 
The diff is uncomfortably big. Please try to avoid white space changes 
next time too (debian/org.freedesktop.NetworkManager.rules), those are 
horrible to review. 


Noted. The man pages are generated from .xml files, so could be excluded 
as well.

Do you want me to send an update with a more trimmed down debdiff?

Is there a reason why you "Use execute_before instead of override for 
dh_install" now?


This is a cosmetic change, mostly and something I've done in other 
packages as well, whenever I touched them. It doesn't change anything 
functionality wise but avoids having to specify a separate "dh_install" 
line.



 > I've filtered out generated files (like Makefile.in) and po/*

Next time, please provide the full filter that you used. I would not 
have guessed from that line that you stripped a lot of docs/ too.


Indeed, that's a good point.


No new regressions were reported for 1.42.4-1.

I would thus like to see 1.42.4-1 unblocked for bookworm.


Ack. I'm leaning to let it in now, but later in the freeze, please 
cherry-pick or defer.


Noted. No further update is planned at this point, but I'll definitely 
keep that in mind.


Thanks,
Michael



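Three messages in this archive touch the same review problem: the `git diff ... | diffstat` in the network-manager-applet thread, the pathspec-exclude filter used for the fsarchiver debdiff, and Paul's request above to always state the full filter that was applied. The following is an added example, not code from any of the threads or from the Debian tooling: two POSIX shell functions that take a debdiff that was not filtered at generation time, drop the per-file sections that are regenerated autotools output or translation catalogs, and print a keep/drop list so the filter can be stated verbatim in the unblock request. The noise patterns and the sample diff are my own assumptions (the sample reuses fsarchiver file names purely as constructed data); the only format assumption is that each file section starts with a `diff --git a/X b/X` or `diff -Nru a/X b/X` line with space-free paths, as both git and debdiff produce.

```shell
#!/bin/sh
# Added example (not from the mailing-list threads): post-filter a debdiff and
# report which files were dropped, so the applied filter is explicit.
# Assumption: file sections begin with "diff ... a/PATH b/PATH" (no spaces in PATH).

# awk code shared by both functions: the definition of "regenerated noise".
NOISE_AWK='
function is_noise(p) {
    # autotools/automake output that the build regenerates anyway
    if (p ~ /(^|\/)(config\.guess|config\.sub|configure|aclocal\.m4|compile|depcomp|missing|install-sh|ltmain\.sh|INSTALL)$/) return 1
    if (p ~ /Makefile\.in$/) return 1
    # translation catalogs and bundled m4 macro directories
    if (p ~ /(^|\/)(po|m4)\//) return 1
    return 0
}
# path of the current section header: last field, minus the "b/" prefix
function section_path(   p) { p = $NF; sub(/^b\//, "", p); return p }
'

# filter_debdiff: read a unified diff on stdin, write it without noise sections.
filter_debdiff() {
    awk "$NOISE_AWK"'
    BEGIN { keep = 1 }                                   # text before the first section passes through
    /^diff / { keep = !is_noise(section_path()) }        # decide once per file section
    keep { print }
    '
}

# debdiff_triage: one "keep<TAB>path" or "drop<TAB>path" line per file in the diff.
debdiff_triage() {
    awk "$NOISE_AWK"'
    /^diff / { p = section_path(); tag = is_noise(p) ? "drop" : "keep"; print tag "\t" p }
    '
}

# Constructed sample debdiff (assumed data, not the real fsarchiver diff).
sample_debdiff() {
    cat <<'EOF'
diff --git a/config.guess b/config.guess
index 1111111..2222222 100755
--- a/config.guess
+++ b/config.guess
@@ -1,3 +1,3 @@
 #! /bin/sh
-timestamp='2020-01-01'
+timestamp='2021-01-01'
 # Attempt to guess a canonical system name.
diff --git a/configure.ac b/configure.ac
index 3333333..4444444 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,2 +1,2 @@
-AC_INIT([fsarchiver], 0.8.6)
+AC_INIT([fsarchiver], 0.8.7)
 AC_PREREQ(2.59)
diff --git a/po/de.po b/po/de.po
index 5555555..6666666 100644
--- a/po/de.po
+++ b/po/de.po
@@ -1,2 +1,2 @@
 msgid "Hello"
-msgstr "Hallo"
+msgstr "Guten Tag"
diff --git a/src/Makefile.in b/src/Makefile.in
index 7777777..8888888 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -1,2 +1,2 @@
-# Makefile.in generated by automake 1.16.3
+# Makefile.in generated by automake 1.16.5
 VPATH = @srcdir@
diff --git a/debian/changelog b/debian/changelog
index 9999999..aaaaaaa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+fsarchiver (0.8.7-1) unstable; urgency=medium
+
+  * New upstream version 0.8.7
+
+ -- Someone <someone@example.org>  Tue, 28 Mar 2023 20:34:29 +0200
+
 fsarchiver (0.8.6-2) unstable; urgency=medium
EOF
}

# Stand-alone demo: "sh thisfile.sh --demo" prints the triage, then the filtered diff.
if [ "${1:-}" = "--demo" ]; then
    sample_debdiff | debdiff_triage
    echo
    sample_debdiff | filter_debdiff
fi
```

In practice the input would be `debdiff old.dsc new.dsc | filter_debdiff > diff.txt` and `debdiff old.dsc new.dsc | debdiff_triage | grep '^drop'` pasted into the request; the drop list is the "full filter" a reviewer asks for, and it is derived from the diff itself rather than remembered.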


Re: Bug#1031695: dh_installsystemd doesn't handle files in /usr/lib/systemd/system

2023-04-02 Thread Michael Biebl

Hello Niels, hello Sebastian


On 24.03.23 at 16:28, Niels Thykier wrote:

Sebastian Ramacher:

[...]

Any progress here? If this issue should be fixed for bookworm, time is
running short.

Cheers


I find that anytime I look at this bug my motivation to work on Debian 
instantly vanishes. In fact, I cannot even motivate myself to read the 
bug log to figure out what the consensus is. Accordingly, I will play 
the constitution 2.1.1 and step out of the way.
My attempt to raise this issue with debhelper and the release-team was 
to gather a consensus with how to deal with the affected packages.
A change to debhelper seemed like the most straightforward approach to 
me. It was not meant as an attempt to force Niels into something he 
feels uncomfortable with, which he obviously does.

I apologize to Niels for that and hereby close this bug report.

Michael




Bug#1032939: unblock: network-manager/1.42.4-1

2023-03-14 Thread Michael Biebl
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: network-mana...@packages.debian.org
Control: affects -1 + src:network-manager

Hi,

please unblock package network-manager.

The current version in testing is 1.42.0-1 and upstream has created two
stable point releases 1.42.2 and 1.42.4, cherry-picking various fixes
into the nm-1.42 stable branch, most notably a fix for #1031891,
a regression in the dnsmasq DNS backend when using a global DNS
configuration.

Upstream is rather conservative in cherry-picking fixes into their
stable branches and the package ships an extensive test-suite, which is
run during build.
No new regressions were reported for 1.42.4-1.

I would thus like to see 1.42.4-1 unblocked for bookworm.

Regards,
Michael

unblock network-manager/1.42.4-1



Bug#1032848: unblock: network-manager-pptp/1.2.12-1

2023-03-12 Thread Michael Biebl
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: network-manager-p...@packages.debian.org
Control: affects -1 + src:network-manager-pptp

Please unblock package network-manager-pptp

The latest upload of network-manager-pptp is a minor update, consisting
of 90% translation updates and a bit of build system cleanups.

The regression potential is close to zero as there are no code-related
changes.

Regards,
Michael



Re: Bug#1031695: dh_installsystemd doesn't handle files in /usr/lib/systemd/system

2023-02-28 Thread Michael Biebl

Am 28.02.23 um 21:48 schrieb Sam Hartman:

 >> Moreover, I suspect in a number of the cases related to this
 >> current bug, replaces will be likely.  I suspect that in some of
 >> the cases where units have been introduced that are disabled
 >> currently, but will be enabled by the dh_installsystemd change,
 >> we will discover we'd like those units disabled in some
 >> configurations.  A logical way to handle that may be to split out
 >> the units into separate packages.  That makes the replaces
 >> interacts with file moves class of bugs more likely in this
 >> situation than average.

 Sebastian> The TC advice refers to files moving between packages
 Sebastian> which wouldn't be the case here (at least not in
 Sebastian> general).

Not in general, but I think that these systemd units will be more
likely than average to move packages.

These units have been sitting around more or less doing nothing for
months.
And in most cases we don't have bugs.

I'm imagining the following situation:

* We make the debhelper change

* unit b in package a starts running

* Users complain that they don't really always want that.

* We release

* unit b is moved back to /lib/systemd/system

* Later the complaints get serious enough that package a splits into a
   and a-daemon, a-daemon replaces/breaks a<< version-of-split.  a-daemon
   now has b.


If a service is not supposed to be enabled, then an override for 
dh_installsystemd is the correct solution, setting --no-enable, but not 
by moving it into a subpackage.


I also don't see a good reason, why a unit file, once installed in 
/usr/lib/systemd/system should ever move back to /lib/systemd/system.



Michael






Re: Bug#1031695: dh_installsystemd doesn't handle files in /usr/lib/systemd/system

2023-02-21 Thread Michael Biebl

Am 21.02.23 um 17:45 schrieb Sam Hartman:

"Michael" == Michael Biebl  writes:

 Michael> Excluding packages that only ship overrides/drop-ins, this
 Michael> makes 37 affected packages in bookworm.

If I'm understanding this issue correctly, the concern would be a
package that moved from /lib/systemd/system to /usr/lib/systemd/system.


Well, not really. I'm concerned about packages shipping files in 
/usr/lib/systemd/system and expecting that those services are properly 
enabled/started/restarted/stopped.








Re: Bug#1031695: dh_installsystemd doesn't handle files in /usr/lib/systemd/system

2023-02-21 Thread Michael Biebl

For bookworm we have

$ apt-file search -x ^/usr/lib/systemd/system/
amazon-ec2-net-utils: /usr/lib/systemd/system/policy-routes@.service
amazon-ec2-net-utils: /usr/lib/systemd/system/refresh-policy-routes@.service
amazon-ec2-net-utils: /usr/lib/systemd/system/refresh-policy-routes@.timer
arno-iptables-firewall: /usr/lib/systemd/system/arno-iptables-firewall.service
boinc-client: /usr/lib/systemd/system/boinc-client.service
booth: /usr/lib/systemd/system/booth-arbitrator.service
caddy: /usr/lib/systemd/system/caddy-api.service
caddy: /usr/lib/systemd/system/caddy.service
ceph-iscsi: /usr/lib/systemd/system/rbd-target-api.service
ceph-iscsi: /usr/lib/systemd/system/rbd-target-gw.service
cfengine3: /usr/lib/systemd/system/cf-apache.service
cfengine3: /usr/lib/systemd/system/cf-execd.service
cfengine3: /usr/lib/systemd/system/cf-hub.service
cfengine3: /usr/lib/systemd/system/cf-monitord.service
cfengine3: /usr/lib/systemd/system/cf-postgres.service
cfengine3: /usr/lib/systemd/system/cf-reactor.service
cfengine3: /usr/lib/systemd/system/cf-runalerts.service
cfengine3: /usr/lib/systemd/system/cf-serverd.service
cfengine3: /usr/lib/systemd/system/cfengine3.service
cloudflare-ddns: /usr/lib/systemd/system/cloudflare-ddns.service
cloudflare-ddns: /usr/lib/systemd/system/cloudflare-ddns.timer
debomatic: /usr/lib/systemd/system/debomatic.service
drkonqi: /usr/lib/systemd/system/drkonqi-coredump-processor@.service
fail2ban: /usr/lib/systemd/system/fail2ban.service
fapolicyd: /usr/lib/systemd/system/fapolicyd.service
freedombox: /usr/lib/systemd/system/avahi-daemon.service.d/freedombox.conf
freedombox: /usr/lib/systemd/system/bind9.service.d/freedombox.conf
freedombox: /usr/lib/systemd/system/calibre-server-freedombox.service
freedombox: /usr/lib/systemd/system/coturn.service.d/freedombox.conf
freedombox: /usr/lib/systemd/system/deluged.service.d/freedombox.conf
freedombox: /usr/lib/systemd/system/freedombox-manual-upgrade.service
freedombox: /usr/lib/systemd/system/janus.service.d/freedombox.conf
freedombox: /usr/lib/systemd/system/matrix-synapse.service.d/freedombox.conf
freedombox: /usr/lib/systemd/system/mediawiki-jobrunner.service.d/freedombox.conf
freedombox: /usr/lib/systemd/system/nmbd.service.d/freedombox.conf
freedombox: /usr/lib/systemd/system/plinth.service
freedombox: /usr/lib/systemd/system/quasselcore.service.d/freedombox.conf
freedombox: /usr/lib/systemd/system/shadowsocks-libev-local@.service.d/freedombox.conf
freedombox: /usr/lib/systemd/system/smbd.service.d/freedombox.conf
freedombox: /usr/lib/systemd/system/syncthing@syncthing.service.d/freedombox.conf
freedombox: /usr/lib/systemd/system/transmission-daemon.service.d/freedombox.conf
freedombox: /usr/lib/systemd/system/tt-rss.service.d/freedombox.conf
freedombox: /usr/lib/systemd/system/wordpress-freedombox.service
freedombox: /usr/lib/systemd/system/wordpress-freedombox.timer
freedombox: /usr/lib/systemd/system/zramswap.service.d/freedombox.conf
fwknop-apparmor-profile: /usr/lib/systemd/system/usr.sbin.fwknopd
gammu-smsd: /usr/lib/systemd/system/gammu-smsd.service
libpam-modules-bin: /usr/lib/systemd/system/pam_namespace.service
mpd: /usr/lib/systemd/system/mpd.service
mpd: /usr/lib/systemd/system/mpd.socket
mpdscribble: /usr/lib/systemd/system/mpdscribble.service
nordugrid-arc-arex: /usr/lib/systemd/system/arc-arex-ws.service
nordugrid-arc-arex: /usr/lib/systemd/system/arc-arex.service
nordugrid-arc-datadelivery-service: /usr/lib/systemd/system/arc-datadelivery-service.service
nordugrid-arc-gridftpd: /usr/lib/systemd/system/arc-gridftpd.service
nordugrid-arc-hed: /usr/lib/systemd/system/arched.service
nordugrid-arc-infosys-ldap: /usr/lib/systemd/system/arc-infosys-ldap-slapd.service
nordugrid-arc-infosys-ldap: /usr/lib/systemd/system/arc-infosys-ldap.service
nvme-cli: /usr/lib/systemd/system/nvmefc-boot-connections.service
nvme-cli: /usr/lib/systemd/system/nvmf-autoconnect.service
nvme-cli: /usr/lib/systemd/system/nvmf-connect.target
nvme-cli: /usr/lib/systemd/system/nvmf-connect@.service
pass-extension-tomb: /usr/lib/systemd/system/pass-close@.service
pcscd: /usr/lib/systemd/system/pcscd.service
pcscd: /usr/lib/systemd/system/pcscd.socket
phog: /usr/lib/systemd/system/greetd.service.d/phog.conf
powerman: /usr/lib/systemd/system/powerman.service
pvpgn: /usr/lib/systemd/system/pvpgn.service
python3-charon: /usr/lib/systemd/system/charon.service
qbittorrent-nox: /usr/lib/systemd/system/qbittorrent-nox@.service
shadowsocks-libev: /usr/lib/systemd/system/shadowsocks-libev-local@.service
shadowsocks-libev: /usr/lib/systemd/system/shadowsocks-libev-redir@.service
shadowsocks-libev: /usr/lib/systemd/system/shadowsocks-libev-server@.service
shadowsocks-libev: /usr/lib/systemd/system/shadowsocks-libev-tunnel@.service
systemd-oomd: /usr/lib/systemd/system/-.slice.d/10-oomd-root-slice-defaults.conf
systemd-oomd: /usr/lib/systemd/system/user@.service.d/10-oomd-user-service-defaults.conf
tcmu-runner: /usr/lib/systemd/system/tcmu-runner.servic

Re: Bug#1031695: dh_installsystemd doesn't handle files in /usr/lib/systemd/system

2023-02-21 Thread Michael Biebl

Hi Niels

On Tue, 21 Feb 2023 10:47:09 +0100 Niels Thykier  wrote:

Sorry for being terse, I should be working on something else right now 
but prioritized a short message over nothing.


Duplicate of #995569.


Sorry, missed that...

 My concerns from back then still apply and I 
will not implement this feature until they are resolved. For the record, 
I do not feel the tech-ctte's resolution back then answered my question.


Additionally, we are in the bookworm freeze where toolchains are frozen 
and have been for a month now. I am also not going to implement this 
change for bookworm unless there is an agreement from the release team 
in place that this is the direction we want to go (I do not have time to 
look at that discussion right now either).


Looping in the release team.

Quoting Helmut from IRC:

helmut
'I am indeed wondering whether the ctte's acceptance of "usr-is-merged 
is pulled by init-system-helpers" would be sufficient to address 
nthykier's concerns. That's new compared to his earlier rejection.'



I'm currently evaluating what the best course of action is here.

The patch for dh_installsystemd would be quite simple and then we'd 
mostly need a couple of binNMUs. In Trixie we will need that anyway and 
I assume for backports it would be beneficial as well.

This all speaks in favor of changing dh_installsystemd.

The alternative is to basically have 35 RC bugs against affected 
packages and fixing those individually by moving the files to /lib


Dear release team, could you please have a look at 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031695 and share your 
opinion on how to proceed here.


Regards,
Michael




Bug#1031376: tzdata 2022g-3 removed /etc/timezone without a proper transition, breaking multiple packages

2023-02-16 Thread Michael Biebl

[Looping Benjamin in]

Hi everyone,

the removal of /etc/timezone was discussed in the context of a systemd 
upload targeting experimental, where I suggested this should be handled 
by the tzdata package and not by systemd, as I considered tzdata the 
"primary" owner of that file [1]. systemd-localed also handles that file 
currently via a Debian specific patch, which we'd like to get rid of.
The information in /etc/timezone is basically redundant, as you can just 
as easily get it by looking at where the /etc/localtime symlink points. 
It also avoids /etc/localtime and /etc/timezone getting out of sync.

/etc/timezone is mostly a Debianism afaiu.

Benjamin was so kind to implement this suggestion swiftly and uploaded 
this to unstable.
If this is now causing regressions in several packages, it's probably ok 
to revert this change for bookworm.
I did briefly skim over the codesearch list, and found a lot of false 
positives and fixes for this issue are usually pretty simple, but yes, 
I'd say this could be done early in the trixie release cycle as well 
with an accompanying MBF.


Benjamin, would it cause a lot of trouble to revert this change again or 
how would you prefer to proceed?


Michael




[1] https://salsa.debian.org/systemd-team/systemd/-/merge_requests/189

Am 16.02.23 um 13:30 schrieb Sebastian Ramacher:

On 2023-02-16 12:34:29 +0100, Daniel Leidert wrote:

Am Donnerstag, dem 16.02.2023 um 08:41 +0100 schrieb Paul Gevers:

Control: tags -1 moreinfo
Control: severity -1 normal

Hi Daniel,

On 16-02-2023 01:11, Daniel Leidert wrote:

I ask you to
find a reasonable approach to deal with this for the Bookworm
release.


That's not how we normally work. Please come with concrete proposals and
we can evaluate them.


Hi Paul. That is the release team's job. Your team should be on top of
that situation and control that. There is already a freeze in process.
You made that very clear. New transitions are not allowed. The date has
passed that re-introductions into Testing are not allowed anymore. And
people break other packages just like that? It is my expectation that
your team evaluates the situation together with the maintainer of
tzdata now, and then comes to a conclusion and a decision, how this
should be handled. codesearch.d.o proves that multiple packages use
code that relies on the existence of /etc/timezone. So, its removal
should have been handled in a coordinated way in the first place.
Either the maintainer of tzdata does a mass-bug filing, or this change
should be reverted.


I suggest you file a bug with the package that introduced any
breakage first. I see no such bug against tzdata.

Cheers



I have already spent two dozen unpaid hours of tracking down and
handling breakages introduced since February 7th(!!) by fellow DDs. I
spent multiple dozen hours of bug-fixing and uploading since the new
year started, to make sure users will get the software they expect in
Bookworm, also unpaid of course. And now I have to evaluate the impact
of the change in tzdata as well and create proposals? No. I'm not the
tzdata maintainer and I'm not a member of the release team. It is your
job to handle transitions.


And I suggest that you finally do your job and make sure that people
stop uploading breaking changes, so the work for Bookworm gets less and
not constantly more.


Daniel








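Michael's point above, that the zone name can be read off the /etc/localtime symlink, is easy to get subtly wrong: the link target may be absolute or relative (../usr/share/zoneinfo/...), both forms occur in practice, and a copied tzfile carries no name at all. The following is an added example written for this archive page, not tzdata's or systemd's code. tz_from_localtime() (a name chosen here) recovers the name from either link form and refuses anything that is not a link into /usr/share/zoneinfo, and tz_selftest() exercises it on a constructed temporary directory so it never touches the real /etc.

```c
/* Added example for this page (not tzdata's or systemd's code): read the
 * zone name off the /etc/localtime symlink instead of /etc/timezone. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Writes the zone name (e.g. "Europe/Berlin") to out.  Returns 1 on
 * success, 0 when localtime_path is not a symlink into the zoneinfo tree:
 * a copied tzfile carries no name, so callers need a fallback (typically
 * "Etc/UTC"), which is exactly the case that reading /etc/timezone hid. */
int tz_from_localtime(const char *localtime_path, char *out, size_t outlen)
{
    char target[4096];
    ssize_t n = readlink(localtime_path, target, sizeof target - 1);
    if (n < 0)
        return 0;                        /* missing, or a regular file */
    target[n] = '\0';

    /* Both absolute and relative link targets occur in practice. */
    static const char *const prefixes[] = {
        "/usr/share/zoneinfo/", "../usr/share/zoneinfo/"
    };
    for (size_t i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++) {
        size_t plen = strlen(prefixes[i]);
        if (strncmp(target, prefixes[i], plen) != 0 || target[plen] == '\0')
            continue;
        const char *name = target + plen;
        if (strlen(name) >= outlen)
            return 0;                    /* would not fit: refuse rather than truncate */
        strcpy(out, name);
        return 1;
    }
    return 0;                            /* link points outside zoneinfo: unknown */
}

/* Constructed fixture so the function can be tried without touching /etc:
 * a temporary directory with an absolute link, a relative link and a plain
 * file.  Returns the number of cases (out of 3) that behaved as expected. */
int tz_selftest(void)
{
    char dir[] = "/tmp/tz-example-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char abs_link[256], rel_link[256], plain[256], name[64];
    int ok = 0;
    snprintf(abs_link, sizeof abs_link, "%s/abs", dir);
    snprintf(rel_link, sizeof rel_link, "%s/rel", dir);
    snprintf(plain, sizeof plain, "%s/plain", dir);

    /* readlink() does not follow the link, so the targets need not exist */
    if (symlink("/usr/share/zoneinfo/Europe/Berlin", abs_link) == 0 &&
        tz_from_localtime(abs_link, name, sizeof name) &&
        strcmp(name, "Europe/Berlin") == 0)
        ok++;
    if (symlink("../usr/share/zoneinfo/America/New_York", rel_link) == 0 &&
        tz_from_localtime(rel_link, name, sizeof name) &&
        strcmp(name, "America/New_York") == 0)
        ok++;
    FILE *f = fopen(plain, "w");
    if (f) {
        fputs("TZif", f);                /* a copied tzfile, not a link */
        fclose(f);
        if (!tz_from_localtime(plain, name, sizeof name))
            ok++;
    }
    unlink(abs_link); unlink(rel_link); unlink(plain); rmdir(dir);
    return ok;
}

int main(void)
{
    char name[64];
    if (tz_from_localtime("/etc/localtime", name, sizeof name))
        printf("/etc/localtime -> %s\n", name);
    else
        printf("/etc/localtime is not a zoneinfo symlink; fall back to Etc/UTC\n");
    printf("self-test: %d/3 cases ok\n", tz_selftest());
    return 0;
}
```

The refusal on a non-link is deliberate: a package that used to read /etc/timezone and now reads the link must decide what to do when there is no name, rather than silently reporting an empty zone.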

Bug#1028386: Processed: bullseye-pu: package avahi/0.8-5+deb11u2

2023-02-04 Thread Michael Biebl
Since I hope that these changes are accepted for the next stable release, 
I uploaded them as outlined in the debdiff.


Regards,
Michael




Bug#1028386: bullseye-pu: package avahi/0.8-5+deb11u2

2023-01-10 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: av...@packages.debian.org, car...@debian.org
Control: affects -1 + src:avahi

Hi,

as discussed (internally) with Salvatore from the security team,
I'd like to make a stable upload for avahi, fixing CVE-2021-3468 / #984938.

The patch has been applied/reviewed upstream and was also uploaded to
unstable.

Full debdiff is attached.

Regards,
Michael
diff --git a/debian/changelog b/debian/changelog
index 88166628..f4b6f9c5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+avahi (0.8-5+deb11u2) bullseye; urgency=medium
+
+  * Avoid infinite-loop in avahi-daemon by handling HUP event in client_work.
+Fixes a local DoS that could be triggered by writing long lines to
+/run/avahi-daemon/socket. (CVE-2021-3468, Closes: #984938)
+
+ -- Michael Biebl   Tue, 10 Jan 2023 09:43:16 +0100
+
 avahi (0.8-5+deb11u1) bullseye; urgency=medium
 
   [ Simon McVittie ]
diff --git 
a/debian/patches/Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
 
b/debian/patches/Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
new file mode 100644
index ..a29444da
--- /dev/null
+++ 
b/debian/patches/Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
@@ -0,0 +1,38 @@
+From: Riccardo Schirone 
+Date: Fri, 26 Mar 2021 11:50:24 +0100
+Subject: Avoid infinite-loop in avahi-daemon by handling HUP event in
+ client_work
+
+If a client fills the input buffer, client_work() disables the
+AVAHI_WATCH_IN event, thus preventing the function from executing the
+`read` syscall the next times it is called. However, if the client then
+terminates the connection, the socket file descriptor receives a HUP
+event, which is not handled, thus the kernel keeps marking the HUP event
+as occurring. While iterating over the file descriptors that triggered
+an event, the client file descriptor will keep having the HUP event and
+the client_work() function is always called with AVAHI_WATCH_HUP but
+without nothing being done, thus entering an infinite loop.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
+
+(cherry picked from commit 447affe29991ee99c6b9732fc5f2c1048a611d3b)
+---
+ avahi-daemon/simple-protocol.c | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
+index 3e0ebb1..6c0274d 100644
+--- a/avahi-daemon/simple-protocol.c
 b/avahi-daemon/simple-protocol.c
+@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, 
AVAHI_GCC_UNUSED int fd, AvahiWatchEv
+ }
+ }
+ 
++if (events & AVAHI_WATCH_HUP) {
++client_free(c);
++return;
++}
++
+ c->server->poll_api->watch_update(
+ watch,
+ (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
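Review bot: the new `if (events & AVAHI_WATCH_HUP)` block frees the client and returns before the trailing watch_update() call, which is the right order, since updating the watch for a client that has just been freed would touch freed memory. Two things worth confirming on merge: that client_free() also removes the watch from the poll API (otherwise the fd stays registered and the loop would keep seeing it), and whether an error condition on the socket needs the same early exit, given that the description says the kernel keeps reporting HUP on every pass once input has been disabled.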
diff --git a/debian/patches/series b/debian/patches/series
index 7b513a9c..cdfebce3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ 
build-db-Use-the-same-database-format-that-the-C-code-exp.patch
 avahi-discover-Escape-strings-substituted-into-Pango-mark.patch
 Do-not-disable-timeout-cleanup-on-watch-cleanup.patch
 Fix-NULL-pointer-crashes-from-175.patch
+Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
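The livelock the avahi patch above describes (a hung-up client whose input event has been masked off, so every poll() round reports only HUP and nothing consumes it) can be reproduced in a few lines. This is an added example written for this archive page, not avahi's code: it builds a socketpair, closes the peer, and polls the remaining end with no requested events, first ignoring HUP as the unpatched client_work() did and then closing the client on HUP as the fix does. The function name hup_rounds and the round limit are this example's own choices.

```c
/* Added example for this page (not avahi's code): why an unhandled hangup
 * turns a poll() loop into a busy loop, and the fix of closing on HUP.
 * POSIX sockets and poll(); tested on Linux. */
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Model of one client whose input buffer is full: like avahi's
 * client_work() after it disabled AVAHI_WATCH_IN, we no longer ask for
 * POLLIN (events = 0).  The peer then closes its end.  POLLHUP is reported
 * whether or not it was requested, so every round returns at once.
 *
 * handle_hup = 0: behave like the unpatched daemon (ignore HUP); the loop
 *                 only stops at max_rounds.  Returns max_rounds.
 * handle_hup = 1: behave like the patch (free the client on HUP).
 *                 Returns the number of rounds needed, i.e. 1.
 * Returns -1 on setup failure, 0 if poll() timed out (no HUP seen). */
int hup_rounds(int handle_hup, int max_rounds)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    close(sv[1]);                                  /* peer terminates the connection */

    struct pollfd pfd = { .fd = sv[0], .events = 0, .revents = 0 }; /* POLLIN masked off */
    int rounds = 0;
    while (rounds < max_rounds) {
        int n = poll(&pfd, 1, 200);                /* 200 ms budget; returns immediately */
        if (n <= 0)
            break;                                 /* error or timeout: nothing pending */
        rounds++;
        if ((pfd.revents & POLLHUP) && handle_hup) {
            close(pfd.fd);                         /* the fix: tear the client down */
            return rounds;
        }
        /* unpatched: HUP ignored, nothing read, nothing changed; the kernel
         * reports the same condition again on the next poll() call */
    }
    close(sv[0]);
    return rounds;
}

int main(void)
{
    printf("unpatched: %d poll() rounds before giving up\n", hup_rounds(0, 50));
    printf("patched:   %d poll() round(s) until the client is freed\n", hup_rounds(1, 50));
    return 0;
}
```

In the real daemon there is no round limit, which is why a single local client that fills its buffer and disconnects could pin a CPU; the general lesson for any event loop is that hangup and error conditions are delivered regardless of the requested event mask and must always have a handler that removes the descriptor.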


Bug#1021820: nmu: rebuild packages shipping a systemd unit file using debhelper 13.10

2022-10-15 Thread Michael Biebl
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

As discussed on IRC, I'd like to have all packages shipping a systemd
service unit binNMUed to apply the latest changes in debhelper 13.10
wrt dh_installinit/dh_installsystemd.
Details can be found at [1].
I already made source uploads of all affected arch-all packages.

As for the changelog entry, I suggest:
"Rebuild with debhelper 13.10 for the changes in 
dh_installinit/dh_installsystemd"

Attached is the list of source packages.

Regards,
Michael

[1] https://salsa.debian.org/debian/debhelper/-/merge_requests/90/
389-ds-base
accountsservice
acct
acmetool
acpid
adjtimex
alertmanager-irc-relay
ample
ampr-ripd
anacron
anope
anytun
apcupsd
apparmor
approx
apt
apt-cacher-ng
aptly
argus-clients
armagetronad
arpon
arpwatch
asterisk
at
atftp
atop
audit
autodir
autofs
avahi
ayatana-indicator-application
ayatana-indicator-bluetooth
ayatana-indicator-datetime
ayatana-indicator-display
ayatana-indicator-keyboard
ayatana-indicator-messages
ayatana-indicator-notifications
ayatana-indicator-power
ayatana-indicator-printers
ayatana-indicator-session
ayatana-indicator-sound
backuppc
bacula
balboa
baloo-kf5
battery-stats
beanstalkd
bettercap
bibledit-cloud
biboumi
bind9
binfmt-support
binkd
biometric-authentication
bip
bird
bird2
bit-babbler
blueman
bluez
bluez-alsa
booth
boxbackup
brltty
bumblebee
burp
burrow
bzflag
cadvisor
canid
carbon-c-relay
ceph
certmonger
cfrpki
chasquid
chrony
ckb-next
clamav
clamsmtp
clevis
click
clickhouse
cluster-glue
cockpit
collectd
conntrack-tools
conserver
consolation
consul
containerd
corosync
corosync-qdevice
coturn
courier
courier-authlib
cron
crossfire
crowdsec
csync2
cubemap
cups
cups-filters
curvedns
dante
dbeacon
dbus-broker
dde-calendar
debiman
dico
direvent
direwolf
djbdns
dlm
dlt-daemon
dnscrypt-proxy
dnsdist
dnsproxy
dnss
dnssec-trigger
docker.io
docker-registry
dovecot
downtimed
dpdk
dpkg
dq
e2fsprogs
e2guardian
earlyoom
eg25-manager
ejabberd
endlessh
entropybroker
espeakup
etcd
fastnetmon
fcgiwrap
fcoe-utils
fence-agents
fetchmail
fever
ffproxy
filetea
fio
firebird3.0
fluidsynth
forked-daapd
fort-validator
freeipa
freeipmi
freeradius
frr
fwknop
fwlogwatch
fwupd
g810-led
galera-4
gamemode
ganglia
garagemq
gcpegg
gcr
gdnsd
gearmand
gerbera
getdns
gfarm
gitaly
gitlab-ci-multi-runner
glewlwyd
globus-gatekeeper
globus-gridftp-server
glusterfs
gnome-keyring
gnome-remote-desktop
gnunet
gnupg2
gnupg-pkcs11-scd
gobgp
goiardi
golang-github-cloudflare-redoctober
golang-github-containernetworking-plugins
golang-github-coreos-discovery-etcd-io
golang-github-hashicorp-serf
golang-v2ray-core
google-compute-engine-oslogin
google-guest-agent
gophernicus
gortr
gpaste
gpm
gpsd
greetd
group-service
gsad
gssproxy
gtherm
guacamole-server
guix
gvmd
h2o
haproxy
haveged
hdapsd
hddemux
hd-idle
heartbeat
hfd-service
hitch
htpdate
hugo-mx-gateway
hylafax
i2pd
i8kutils
ibus
icinga2
icingadb
ifupdown
ifupdown-ng
iipimage
ikiwiki-hosting
incron
influxdb
infnoise
inn
inn2
inputlirc
inspircd
intel-hdcp
interception-tools
iodine
iperf3
ipip
ipmitool
ipmiutil
ircd-irc2
irqbalance
irtt
isatapd
isc-kea
iwd
jabberd2
janus
jitterentropy-rngd
jool
kafs-client
kamailio
kdump-tools
keepalived
kmscon
knockd
knot
knot-resolver
knxd
ksmtuned
kxd
l2tpns
ladvd
laminar
lbcd
lcd4linux
lcdproc
ledmon
libapache2-mod-tile
libiio
libratbag
libreswan
libvirt
libvma
lighttpd
linux
linux-atm
linuxptp
lirc
lldpad
lldpd
logiops
logrotate
lomiri-indicator-network
lsh-utils
lsm
ltt-control
lxc
lxcfs
lxd
lyskom-server
mailavenger
mailfromd
mailutils
mako-notifier
man-db
mariadb-10.6
mbpfan
mcstrans
mdadm
mdnsd
memcached
memlockd
micro-httpd
milter-greylist
minetest
minidlna
minissdpd
miredo
modemmanager
mod-gearman
monado
monopd
moonshot-trust-router
morty
mosquitto
motion
mpdscribble
mptcpd
mrtg
msmtp
mtail
multipath-tools
munge
munin-c
muroard
mysql-8.0
natlog
nats-server
ndisc6
netatalk
netdata
netdiag
nethack
netkit-bootparamd
netopeer2
net-snmp
network-manager
nextcloud-spreed-signaling
nextepc
nfdump
nfs-ganesha
nfs-utils
nftables
nftlb
nghttp2
ngircd
ngtcp2
niceshaper
node-shiny-server
nomad
nsca
nsca-ng
nss-tls
ntopng
ntpsec
nullmailer
numad
nut
nutcracker
nvi
nvme-cli
ocserv
oddjob
ofono
oidentd
omniorb-dfsg
onak
onedrive
oomd
opa-fm
openafs
openarena
openbsd-inetd
opencryptoki
opendht
opengnb
openiked
open-iscsi
open-isns
opennds
openntpd
openoverlayrouter
opensm
opensmtpd
openssh
opentracker
openvswitch
orthanc
osspd
ostree
ovn
owfs
pacemaker
packagekit
pdns
pdns-recursor
pgbackrest
pgbouncer
pgpool2
pgqd
phosh
pimd
pipewire
pipewire-media-session
plocate
pokerth
pollen
poolcounter
postsrsd
powerline
power-profiles-daemon
powertop
pptpd
prads
prelude-lml
prelude-manager
privoxy
proftpd-dfsg
prometheus-alertmanager
prometheus-apache-exporter
prometheus-bind-exporter
prometheus-bird-exporter
prometheus-blackbox-exporter
prometheus-elasticsearch-exporter
prometheus-exporter-exporter
prometheus-hacluster-exporter
prometheu

Bug#1016837: bullseye-pu: package avahi/0.8-5+deb11u1

2022-08-08 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-utopia-maintain...@lists.alioth.debian.org

Hi,

I'd like to make a stable upload for avahi.
The changelog reads:

avahi (0.8-5+deb11u1) bullseye; urgency=medium

  [ Simon McVittie ]
  * Add patch to fix display of URLs containing '&' in avahi-discover.
Otherwise, a TXT entry containing a URL with '&' will cause an error.

  [ Michael Biebl ]
  * Do not disable timeout cleanup on watch cleanup.
This was causing timeouts to never be removed from the linked list that
tracks them, resulting in both memory and CPU usage to grow larger over
time. Thanks to Gustavo Noronha Silva. (Closes: #993051)
  * Fix NULL pointer crashes when trying to resolve badly-formatted hostnames.
Fixes a local DoS in avahi-daemon that can be triggered by trying to
resolve badly-formatted hostnames on the /run/avahi-daemon/socket
interface. (CVE-2021-3502, Closes: #986018)


Those are 3 cherry-picks from changes that are already part of 0.8-6
from unstable/testing.
I consider the regression potential low, as those fixes have been in
unstable/testing for a long time.

Regards,
Michael
diff --git a/debian/changelog b/debian/changelog
index 9ec4b413..88166628 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+avahi (0.8-5+deb11u1) bullseye; urgency=medium
+
+  [ Simon McVittie ]
+  * Add patch to fix display of URLs containing '&' in avahi-discover.
+Otherwise, a TXT entry containing a URL with '&' will cause an error.
+
+  [ Michael Biebl ]
+  * Do not disable timeout cleanup on watch cleanup.
+This was causing timeouts to never be removed from the linked list that
+tracks them, resulting in both memory and CPU usage to grow larger over
+time. Thanks to Gustavo Noronha Silva. (Closes: #993051)
+  * Fix NULL pointer crashes when trying to resolve badly-formatted hostnames.
+Fixes a local DoS in avahi-daemon that can be triggered by trying to
+resolve badly-formatted hostnames on the /run/avahi-daemon/socket
+    interface. (CVE-2021-3502, Closes: #986018)
+
+ -- Michael Biebl   Mon, 08 Aug 2022 11:27:46 +0200
+
 avahi (0.8-5) unstable; urgency=medium
 
   * d/avahi-daemon.maintscript: Drop removal of symlink, they're not normal
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 76a4dd12..c220725b 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,5 +1,5 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
+debian-branch = debian/bullseye
 upstream-branch = upstream/latest
 patch-numbers = False
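Review bot: switching debian-branch to debian/bullseye in debian/gbp.conf only affects git-buildpackage on the maintainer's side and has no effect on the built packages, so it is fine in a stable update; the systemd debdiff in this thread records the same switch as a changelog entry ("Switch debian-branch to debian/bullseye"), while this changelog does not mention it, so consider adding a line for consistency.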
diff --git 
a/debian/patches/Do-not-disable-timeout-cleanup-on-watch-cleanup.patch 
b/debian/patches/Do-not-disable-timeout-cleanup-on-watch-cleanup.patch
new file mode 100644
index ..91d6acc5
--- /dev/null
+++ b/debian/patches/Do-not-disable-timeout-cleanup-on-watch-cleanup.patch
@@ -0,0 +1,24 @@
+From: Gustavo Noronha Silva 
+Date: Sun, 2 Jan 2022 22:29:04 -0300
+Subject: Do not disable timeout cleanup on watch cleanup
+
+This was causing timeouts to never be removed from the linked list that
+tracks them, resulting in both memory and CPU usage to grow larger over
+time.
+---
+ avahi-common/simple-watch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/avahi-common/simple-watch.c b/avahi-common/simple-watch.c
+index 08d8090..2a4a989 100644
+--- a/avahi-common/simple-watch.c
 b/avahi-common/simple-watch.c
+@@ -238,7 +238,7 @@ static void cleanup_watches(AvahiSimplePoll *s, int all) {
+ destroy_watch(w);
+ }
+ 
+-s->timeout_req_cleanup = 0;
++s->watch_req_cleanup = 0;
+ }
+ 
+ static AvahiTimeout* timeout_new(const AvahiPoll *api, const struct timeval 
*tv, AvahiTimeoutCallback callback, void *userdata) {
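Review bot: the one-line change in cleanup_watches() stops it from clearing timeout_req_cleanup, the flag that signals pending timeout cleanup; resetting that flag from the watch side meant timeouts marked for removal were never destroyed, which is the growing list and CPU use the changelog describes. Since after this hunk nothing in cleanup_watches() touches timeout_req_cleanup at all, it is worth confirming that the counterpart that cleans up timeouts resets it itself, otherwise the flag would now stay set forever.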
diff --git a/debian/patches/Fix-NULL-pointer-crashes-from-175.patch 
b/debian/patches/Fix-NULL-pointer-crashes-from-175.patch
new file mode 100644
index ..1dc98d74
--- /dev/null
+++ b/debian/patches/Fix-NULL-pointer-crashes-from-175.patch
@@ -0,0 +1,149 @@
+From: Tommi Rantala 
+Date: Mon, 8 Feb 2021 11:04:43 +0200
+Subject: Fix NULL pointer crashes from #175
+
+avahi-daemon is crashing when running "ping .local".
+The crash is due to failing assertion from NULL pointer.
+Add missing NULL pointer checks to fix it.
+
+Introduced in #175 - merge commit 8f75a045709a780c8cf92a6a21e9d35b593bdecd
+
+(cherry picked from commit 9d31939e55280a733d930b15ac9e4dda4497680c)
+---
+ avahi-core/browse-dns-server.c   | 5 -
+ avahi-core/browse-domain.c   | 5 -
+ avahi-core/browse-service-type.c | 3 +++
+ avahi-core/browse-service.c  | 3 +++
+ avahi-core/browse.c  | 3 +++
+ avahi-core/resolve-address.c | 5 -
+ avahi-core/resolve-host-name.c   | 5 -
+ avahi-core/resolve-service.c | 5 -
+ 8 files changed, 29 insertions(+), 5 deletions(-)
+
+d

Bug#1016786: bullseye-pu: package systemd/247.3-7+deb11u1

2022-08-07 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-systemd-maintain...@lists.alioth.debian.org

Hi,

I'd like to make a stable upload for systemd fixing two issues in
systemd-detect-virt

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013342
 systemd - Please backport support for Hyper-V on arm64 to stable

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016157
 systemd-detect-virt fails to detect Openstack on arm64

All changes are cherry-picks from upstream Git and are already in
unstable/testing.


While at it, I also pulled a patch to fix build failures when systemd is
built against newer kernel headers (>= 5.14).

debdiff is attached.

Regards,
Michael
diff --git a/debian/changelog b/debian/changelog
index ddb3701..b1b7f43 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+systemd (247.3-7+deb11u1) bullseye; urgency=medium
+
+  * Drop bundled copy of linux/if_arp.h.
+Fixes build failures with newer kernel headers.
+  * virt: support detection for ARM64 Hyper-V guests (Closes: #1013342)
+  * virt: detect OpenStack instance as KVM on arm (Closes: #1016157)
+
+ -- Michael Biebl   Sun, 07 Aug 2022 15:25:09 +0200
+
 systemd (247.3-7) bullseye; urgency=medium
 
   * Switch debian-branch to debian/bullseye
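Review bot: the first changelog entry says only "Fixes build failures with newer kernel headers" without saying which versions; the cover mail puts the threshold at >= 5.14 and the patch header cites the upstream commit, so stating the kernel header version (and ideally the commit id e7f46ee3ae1cc66a94b293957721d68dc09d7449) in the entry would let stable users judge whether the rebuild affects them.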
diff --git a/debian/patches/Drop-bundled-copy-of-linux-if_arp.h.patch 
b/debian/patches/Drop-bundled-copy-of-linux-if_arp.h.patch
new file mode 100644
index 000..83a6f2c
--- /dev/null
+++ b/debian/patches/Drop-bundled-copy-of-linux-if_arp.h.patch
@@ -0,0 +1,219 @@
+From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= 
+Date: Wed, 15 Sep 2021 16:33:05 +0200
+Subject: Drop bundled copy of linux/if_arp.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+As far as I can see, we use this to get a list of ARPHRD_* defines (used in
+particular for Type= in .link files). If we drop our copy, and build against
+old kernel headers, the user will have a shorter list of types available.  This
+seems OK, and I don't think it's worth carrying our own version of this file
+just to have newest possible entries.
+
+7c5b9952c4f6e2b72f90edbe439982528b7cf223 recently updated this file, but we'd
+have to update it every time the kernel adds new entries. But if we look at
+the failure carefully:
+
+src/basic/arphrd-from-name.gperf:65:16: error: ‘ARPHRD_MCTP’ undeclared (first 
use in this function); did you mean ‘ARPHRD_FCPP’?
+   65 | MCTP, ARPHRD_MCTP
+  |^~
+  |ARPHRD_FCPP
+
+we see that the list we were generating was from the system headers, so it was
+only as good as the system headers anyway, without the newer entries in our
+bundled copy, if there were any. So let's make things simpler by always using
+system headers.
+
+And if somebody wants to fix things so that we always have the newest list,
+then we should just generate and store the converted list, not the full header.
+
+(cherry picked from commit e7f46ee3ae1cc66a94b293957721d68dc09d7449)
+---
+ src/basic/linux/if_arp.h | 164 ---
+ src/basic/meson.build|   1 -
+ 2 files changed, 165 deletions(-)
+ delete mode 100644 src/basic/linux/if_arp.h
+
+diff --git a/src/basic/linux/if_arp.h b/src/basic/linux/if_arp.h
+deleted file mode 100644
+index c3cc5a9..000
+--- a/src/basic/linux/if_arp.h
 /dev/null
+@@ -1,164 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
+-/*
+- * INET   An implementation of the TCP/IP protocol suite for the 
LINUX
+- *operating system.  INET is implemented using the  BSD Socket
+- *interface as the means of communication with the user level.
+- *
+- *Global definitions for the ARP (RFC 826) protocol.
+- *
+- * Version:   @(#)if_arp.h1.0.1   04/16/93
+- *
+- * Authors:   Original taken from Berkeley UNIX 4.3, (c) UCB 1986-1988
+- *Portions taken from the KA9Q/NOS (v2.00m PA0GRI) source.
+- *Ross Biro
+- *Fred N. van Kempen, 
+- *Florian La Roche,
+- *Jonathan Layes 
+- *Arnaldo Carvalho de Melo  ARPHRD_HWX25
+- *
+- *This program is free software; you can redistribute it and/or
+- *modify it under the terms of the GNU General Public License
+- *as published by the Free Software Foundation; either version
+- *2 of the License, or (at your option) any later version.
+- */
+-#ifndef _UAPI_LINUX_IF_ARP_H
+-#define _UAPI_LINUX_IF_ARP_H
+-
+-#include 
+-
+-/* ARP protocol HARDWARE identifiers. */
+-#define ARPHRD_NETROM 0   /* from KA9Q: NET/ROM pseudo*/
+-#define ARPHRD_ETHER  1   /* Ethernet 10Mbps  */
+-#define   ARPHRD_EETHER   2   /* Experimental Ethernet
*/
+-#define   ARPHRD_AX2

Bug#994622: bullseye-pu: package network-manager/1.30.6-1~deb11u1

2022-03-21 Thread Michael Biebl

Am 21.03.22 um 15:56 schrieb Julien Cristau:

On Mon, Mar 21, 2022 at 03:46:01PM +0100, Michael Biebl wrote:


Am 21.03.22 um 15:36 schrieb Julien Cristau:


Yes.  Thanks for the due diligence.


Just a quick question:
Which version number should I pick?

a/ 1.30.6-1~deb11u1
b/ 1.30.6-1+deb11u1
c/ 1.30.6-2


I think, now that I have made changes (with the revert of the WPA3 bits)
compared to 1.30.6-1, b/ is the most suitable one. But I wanted to double
check before I upload.


b/ sounds good :)


Uploaded.
Thanks a lot for your review, Julien.

Michael





Bug#994622: bullseye-pu: package network-manager/1.30.6-1~deb11u1

2022-03-21 Thread Michael Biebl


On 21.03.22 at 15:36, Julien Cristau wrote:


Yes.  Thanks for the due diligence.


Just a quick question:
Which version number should I pick?

a/ 1.30.6-1~deb11u1
b/ 1.30.6-1+deb11u1
c/ 1.30.6-2


I think, now that I have made changes (with the revert of the WPA3 bits) 
compared to 1.30.6-1, b/ is the most suitable one. But I wanted to 
double check before I upload.


Regards,
Michael




Bug#994622: bullseye-pu: package network-manager/1.30.6-1~deb11u1

2022-03-21 Thread Michael Biebl


Hi Julien

On 18.03.22 at 16:46, Julien Cristau wrote:

Control: tag -1 moreinfo

Hi Michael,

Sorry it took so long to get to this.  I've got a couple of questions
from the NEWS file; will keep looking at the actual diff though.

On Mon, Sep 20, 2021 at 01:09:00PM +0200, Michael Biebl wrote:

===
NetworkManager-1.30.6
Overview of changes since NetworkManager-1.30.4
===

* By default, don't touch existing traffic control (TC) configuration
   on devices.


This sounds like it could cause unexpected changes.  Unsure about the
risk here.


The relevant bug report is
https://bugzilla.redhat.com/show_bug.cgi?id=1928078

From the git commit
"
core,libnm: don't touch device TC configuration by default

NetworkManager supports a very limited set of qdiscs. If users want to
configure a unsupported qdisc, they need to do it outside of
NetworkManager using tc.

The problem is that NM also removes all qdiscs and filters during
activation if the connection doesn't contain a TC setting. Therefore,
setting TC configuration outside of NM is hard because users need to
do it *after* the connection is up (for example through a dispatcher
script).

Let NM consider the presence (or absence) of a TC setting in the
connection to determine whether NM should configure (or not) qdiscs
and filters on the interface. We already do something similar for
SR-IOV configuration.

Since new connections don't have the TC setting, the new behavior
(ignore existing configuration) will be the default. The impact of
this change in different scenarios is:

 - the user previously configured TC settings via NM. This continues
   to work as before;

 - the user didn't set any qdiscs or filters in the connection, and
   expected NM to clear them from the interface during activation.
   Here there is a change in behavior, but it seems unlikely that
   anybody relied on the old one;

 - the user didn't care about qdiscs and filters; NM removed all
   qdiscs upon activation, and so the default qdisc from kernel was
   used. After this change, NM will not touch qdiscs and the default
   qdisc will be used, as before;

 - the user set a different qdisc via tc and NM cleared it during
   activation. Now this will work as expected.

So, the new default behavior seems better than the previous one.

"

I'd say the above reasoning makes sense to me.



* Prefer the IPv4 address to determine the system hostname via address
   lookup.


Likewise.  What's the reasoning to do this in a stable update?


From the relevant git commit
"
policy: prefer IPv4 to determine the hostname

When determining the hostname, it is preferable to evaluate devices in
a predictable order to avoid that the hostname changes between
different boots.

The current order is based first on hostname priority, then on the
presence of a best default route, and then on activation order.

The activation order is not a very strong condition, as it is
basically useless for devices that are autoactivated at boot.

As we already prefer IPv4 over IPv6 within the same connection, also
prefer it when 2 connections have the same priority and the same
default route status, to achieve better predictability.

https://bugzilla.redhat.com/show_bug.cgi?id=1970335

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/895
"

Makes sense to me as well.


* Enable WPA3 for Wi-Fi connections with key_mgmt=WPA-PSK


What's the regression risk here, of things working without WPA3 but not
with it enabled?


That one I indeed missed. Thanks for spotting it. It has indeed the 
potential to break existing setups (as evidenced by [1]), although I 
think that would also need a newer wpasupplicant in stable.


The relevant upstream issue is
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/638

I think reverting these commits for stable would make sense.

Julien, if I revert the three commits from this MR, would you be ok with 
the upload?


Michael



[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003907
[2] 
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/638




Bug#1003948: bullseye-pu: package systemd/247.3-7

2022-03-20 Thread Michael Biebl

On 19.03.22 at 18:04, Julien Cristau wrote:

Control: tag -1 confirmed

On Tue, Jan 18, 2022 at 02:46:06PM +0100, Michael Biebl wrote:

   * Demote systemd-timesyncd from Depends to Recommends.
 This avoids a dependency cycle between systemd and systemd-timesyncd and
 thus makes dist upgrades more predictable and robust.
 It also allows minimal, systemd based containers where no NTP client is
 strictly necessary.
 To ensure that systemd-timesyncd is installed in a default installation
 created by d-i, bump its priority to standard.
 (Closes: #986651, #993947)

This one is probably the trickiest (and possibly also the simplest)
change. It simply breaks a dependency loop between systemd and
systemd-timesyncd resulting in a more predictable upgrade sequence which
in turn ensures that modifications of systemd-timesyncd's conffiles are
preserved on upgrades.


Difficult to predict the side effects this might have, but on the whole
it's probably better to do this than not.

Go ahead.


Uploaded. Thanks, Julien.


I've CCed the FTP team for #1003949.

Now that this change has been acked by the RT, please adjust the 
priority accordingly.


Regards,
Michael





Bug#1004265: buster-pu: package rsyslog/8.1901.0-1+deb10u1

2022-02-19 Thread Michael Biebl


On Sun, 23 Jan 2022 22:59:21 +0200 Adrian Bunk  wrote:

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Michael Biebl , t...@security.debian.org

  * CVE-2019-17041: Heap overflow in the AIX message parser.
(Closes: #942067)
  * CVE-2019-17042: Heap overflow in the Cisco log message parser.
(Closes: #942065)


Adrian,

can you please push your changes (once uploaded) to a
debian/buster branch (including a proper tag).

Thanks for the update.

Regards,
Michael




Bug#1003948: bullseye-pu: package systemd/247.3-7

2022-01-19 Thread Michael Biebl


On 18.01.22 at 14:46, Michael Biebl wrote:

Touches udev code but I don't expect any effect on d-i.

   * Revert multipath symlink race fix.
 Revert upstream commits which caused a regression in udev resulting in
 long delays when processing partitions with the same label.
 (Closes: #993738)

https://salsa.debian.org/biebl/systemd/-/commit/e9ec5186a719afefbff7bfd9b7514482ad896ff3


I have to add here that in [1] test/udev-test.pl was updated to check 
this new behaviour. By reverting the commit, some of the tests fail now 
(and as a result our udev autopkgtest as well).


TEST 158: errors: 25 good: 4975/5000
...
TEST 161: errors: 2 good: 418/420
...
27 errors occurred. 6657/6684 good results.


Don't really like that but I also didn't want to revert all those 
commits just to make test/udev-test.pl pass again.


Regards,
Michael



[1] https://github.com/systemd/systemd/pull/17431/commits




Bug#994622: bullseye-pu: package network-manager/1.30.6-1~deb11u1

2022-01-18 Thread Michael Biebl

On 03.11.21 at 15:33, Michael Biebl wrote:

On Sat, 18 Sep 2021 20:41:06 +0200 Michael Biebl  wrote:

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to make a stable upload for network-manager.

Debian bullseye currently ships 1.30.0.
Upstream provides stable branches for 1.X, in this case 1.30.x, where
only bug fixes are backported. The current release from that branch [1]
is 1.30.6.

I've been shipping 1.30.6-1 in unstable for several without any reported
regressions and I'd like to ship that version for stable as well as a
simple rebuild.

The full debdiff is attached. If you prefer, I can provide a filtered
debdiff, where changes to build system and the generated .html files are
excluded.

Thanks for considering.

Regards,
Michael


[1]

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/tree/nm-1-30

Any news here? Anything I can do to help move this along?


If there is no interest from the Debian side for such stable releases I 
can pass that along to network-manager upstream to avoid them doing 
unnecessary work.
This would be a shame though as they are very much interested in Debian 
(stable).


Regards,
Michael





Bug#1003948: bullseye-pu: package systemd/247.3-7

2022-01-18 Thread Michael Biebl

On Tue, 18 Jan 2022 14:46:06 +0100 Michael Biebl  wrote:

I've CCed the ftp-master team for their input and will also file a
corresponding override bug report.


This is now https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003949




Bug#1003948: bullseye-pu: package systemd/247.3-7

2022-01-18 Thread Michael Biebl
ades more predictable and robust.
+It also allows minimal, systemd based containers where no NTP client is
+strictly necessary.
+To ensure that systemd-timesyncd is installed in a default installation
+created by d-i, bump its priority to standard.
+(Closes: #986651, #993947)
+
+ -- Michael Biebl   Tue, 18 Jan 2022 13:51:41 +0100
+
 systemd (247.3-6) unstable; urgency=high
 
   * Non-maintainer upload (acked by maintainers)
diff --git a/debian/control b/debian/control
index be7c47b..c0cc0dc 100644
--- a/debian/control
+++ b/debian/control
@@ -65,7 +65,8 @@ Architecture: linux-any
 Multi-Arch: foreign
 Section: admin
 Priority: important
-Recommends: dbus
+Recommends: dbus,
+systemd-timesyncd | time-daemon,
 Suggests: systemd-container,
   policykit-1
 Pre-Depends: ${shlibs:Pre-Depends},
@@ -73,7 +74,6 @@ Pre-Depends: ${shlibs:Pre-Depends},
 Depends: ${shlibs:Depends},
  ${misc:Depends},
  libsystemd0 (= ${binary:Version}),
- systemd-timesyncd | time-daemon,
  util-linux (>= 2.27.1),
  mount (>= 2.26),
  adduser,
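Review bot: the `systemd-timesyncd | time-daemon` entry removed here is the same text that the previous hunk re-adds under Recommends, so the `time-daemon` alternative survives the demotion. Because Recommends are not enforced, an existing installation keeps systemd-timesyncd and only installs done with recommends disabled (the minimal-container case named in the changelog hunk above) end up without an NTP client, which matches the stated intent; the Priority bump in the next hunk is what is meant to cover the d-i default install.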
@@ -185,7 +185,7 @@ Package: systemd-timesyncd
 Architecture: linux-any
 Multi-Arch: foreign
 Section: admin
-Priority: optional
+Priority: standard
 Depends: ${shlibs:Depends},
  ${misc:Depends},
  adduser,
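Review bot: changing `Priority: optional` to `standard` in debian/control does not by itself change the priority the archive assigns to systemd-timesyncd; the override file maintained by ftp-master does, and the upload will be reported as an override disparity until that is updated. That is what the separate override request #1003949, mentioned in the 2022-01-18 message of this thread, is for, so this hunk and that bug need to land together for the d-i standard task to pick the package up.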
diff --git a/debian/gbp.conf b/debian/gbp.conf
index fb40ad3..a34c597 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,7 +1,7 @@
 [DEFAULT]
 pristine-tar = True
 patch-numbers = False
-debian-branch = debian/master
+debian-branch = debian/bullseye
 upstream-branch = upstream/latest
 
 [dch]
diff --git a/debian/patches/basic-unit-name-adjust-comments.patch 
b/debian/patches/basic-unit-name-adjust-comments.patch
index d46e0c9..d83b1d7 100644
--- a/debian/patches/basic-unit-name-adjust-comments.patch
+++ b/debian/patches/basic-unit-name-adjust-comments.patch
@@ -1,18 +1,19 @@
-From cbcea9f517bfe79b019fcec5c364952ea33d24f2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= 
+From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= 
 Date: Wed, 23 Jun 2021 11:52:56 +0200
 Subject: basic/unit-name: adjust comments
 MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
+Content-Type: text/plain; charset="utf-8"
 Content-Transfer-Encoding: 8bit
 
 We already checked for "too long" right above…
+
+(cherry picked from commit 4e2544c30bfb95e7cb4d1551ba066b1a56520ad6)
 ---
  src/basic/unit-name.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
-index a22763443fdd..1deead74588b 100644
+index 9b6cacd..e286831 100644
 --- a/src/basic/unit-name.c
 +++ b/src/basic/unit-name.c
 @@ -528,7 +528,7 @@ int unit_name_from_path(const char *path, const char 
*suffix, char **ret) {
@@ -33,6 +34,3 @@ index a22763443fdd..1deead74588b 100644
  if (!unit_name_is_valid(s, UNIT_NAME_INSTANCE))
  return -EINVAL;
  
--- 
-2.32.0
-
diff --git a/debian/patches/basic-unit-name-do-not-use-strdupa-on-a-path.patch 
b/debian/patches/basic-unit-name-do-not-use-strdupa-on-a-path.patch
index 0faa7d1..b080d25 100644
--- a/debian/patches/basic-unit-name-do-not-use-strdupa-on-a-path.patch
+++ b/debian/patches/basic-unit-name-do-not-use-strdupa-on-a-path.patch
@@ -1,5 +1,4 @@
-From bae2f0d1109a8c75a7fb89ae6b8d1b6ef8dfab16 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= 
+From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= 
 Date: Wed, 23 Jun 2021 11:46:41 +0200
 Subject: basic/unit-name: do not use strdupa() on a path
 
@@ -19,12 +18,17 @@ simplification, which in turns uses a copy of the string we 
can write to.
 So we can't reject paths that are too long before doing the duplication.
 Hence the most obvious solution is to switch back to strdup(), as before
 7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+
+(cherry picked from commit 441e0115646d54f080e5c3bb0ba477c892861ab9)
+(cherry picked from commit 764b74113e36ac5219a4b82a05f311b5a92136ce)
+(cherry picked from commit 4a1c5f34bd3e1daed4490e9d97918e504d19733b)
+(cherry picked from commit b00674347337b7531c92fdb65590ab253bb57538)
 ---
  src/basic/unit-name.c | 13 +
  1 file changed, 5 insertions(+), 8 deletions(-)
 
 diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
-index 284a77348316..a22763443fdd 100644
+index 5f595af..9b6cacd 100644
 --- a/src/basic/unit-name.c
 +++ b/src/basic/unit-name.c
 @@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) {
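Review bot: four `(cherry picked from commit …)` lines for one patch are hard to audit; they suggest the fix was picked through several branches before landing here, and a single line naming the upstream origin would make matching debian/patches against upstream simpler. The description above them is also the security-relevant part of this debdiff: the path being duplicated cannot be length-checked before the copy is made, and strdupa() places that copy on the stack, so going back to strdup() removes a stack exhaustion risk on long paths rather than being a cosmetic change.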
@@ -59,6 +63,3 @@ index 284a77348316..a22763443fdd 100644
  }
  if (!s)
  return -ENOMEM;
--- 
-2.32.0
-
diff --git 
a/debian/patches/btrfs-util-add-helper-that-abstracts-might-be-btrfs-subvo.patch
 
b/debian/patches/btrfs-util-add-helper-that-abstracts-might-be-btrfs-subvo.patch
new file mode 100644
index 000..0dffcf3
--- /dev/null
+++ 
b/debian/patches/btrfs-util-add-helper-that-abst

Bug#993100: bullseye-pu: package udisks2/2.9.2-2+deb11u1

2021-12-05 Thread Michael Biebl

Hi Sven,

thanks for chiming in

On 05.12.21 21:46, Sven Hoexter wrote:

Looking just at the case of udisks2 the invocation of mkfs.exfat and
exfatlabel are compatible. Though I did not try it out myself, did someone
already try out udisks2 on bullseye with exfatprogs?


I did a basic test inside a VM where I (successfully) created an exfat 
partition using gnome-disks with exfatprogs installed.



Regarding the patch proposed here, I would use an alternation for the
recommends, exfatprogs | exfat-utils?


If you (as maintainer of exfatprogs and exfat-utils) prefer that, I'm 
happy to update the stable upload accordingly.


Julien, would you be ok with that change?

Regards,
Michael





Re: Bug#1000239: Rescue system won't find root partition, but insists on /usr

2021-12-04 Thread Michael Biebl

On 03.12.2021 at 22:08, Nicholas D Steeves wrote:

2. Reassign to src:rescue, and fix the rescue system.


Looks like a duplicate of 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769738




Bug#993100: bullseye-pu: package udisks2/2.9.2-2+deb11u1

2021-12-04 Thread Michael Biebl

On 03.12.2021 at 15:21, Julien Cristau wrote:

Control: tag -1 moreinfo

Hi Michael,

On Fri, Aug 27, 2021 at 01:58:19PM +0200, Michael Biebl wrote:

I'd like to make a stable upload for udisks2, fixing #992152:
"udisks2: please update Recommends on exfat-utils to exfatprogs for Linux kernel 
5"

This issue has already been fixed in unstable/testing and the relevant
changes for bullseye are an upstream cherry-pick and a packaging
cherry-pick.


How compatible are exfat-utils/exfatprogs?  E.g. could this cause
unexpected results (outside of udisks) for a user system that switched
to exfatprogs as a result of this?



The command line tools are (mostly) compatible. I'm only aware of the
issue detailed at https://github.com/storaged-project/udisks/issues/882
i.e. exfat-utils provides a mkexfatfs tool, whereas exfatprogs doesn't

It is my understanding that exfatprogs is the vastly superior 
implementation and we should prefer it over the FUSE based one.


I've CCed Sven, as exfatprogs maintainer, for his input.

Regards,
Michael




Bug#993100: bullseye-pu: package udisks2/2.9.2-2+deb11u1

2021-11-05 Thread Michael Biebl

On 03.11.21 15:32, Michael Biebl wrote:

On Fri, 27 Aug 2021 13:58:19 +0200 Michael Biebl  wrote:

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-utopia-maintain...@lists.alioth.debian.org


Hi,

I'd like to make a stable upload for udisks2, fixing #992152:
"udisks2: please update Recommends on exfat-utils to exfatprogs for Linux

kernel 5"


This issue has already been fixed in unstable/testing and the relevant
changes for bullseye are an upstream cherry-pick and a packaging
cherry-pick.

The changes themselves are trivial. Full debdiff is attached.




Any news here?



I've updated the debdiff to include the fix for CVE-2021-3802
https://security-tracker.debian.org/tracker/CVE-2021-3802

Regards,
Michael
diff --git a/debian/changelog b/debian/changelog
index 51c3b887..0cd4c0d7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+udisks2 (2.9.2-2+deb11u1) bullseye; urgency=medium
+
+  * Switch debian-branch to debian/bullseye
+  * Use the mkfs command to format exfat partitions
+  * Recommend exfatprogs instead of exfat-utils (Closes: #992152)
+  * mount options: Always use errors=remount-ro for ext filesystems
+(CVE-2021-3802)
+
+ -- Michael Biebl   Fri, 05 Nov 2021 13:15:50 +0100
+
 udisks2 (2.9.2-2) unstable; urgency=medium
 
   * udisksclient: Make get_block_for_drive deterministic.
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 05e704d0..a64b3aab 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,5 +1,5 @@
 [DEFAULT]
 pristine-tar = True
 patch-numbers = False
-debian-branch = debian/master
+debian-branch = debian/bullseye
 upstream-branch = upstream/latest
diff --git 
a/debian/patches/Use-the-mkfs-command-to-format-exfat-partitions.patch 
b/debian/patches/Use-the-mkfs-command-to-format-exfat-partitions.patch
new file mode 100644
index ..8ae84c05
--- /dev/null
+++ b/debian/patches/Use-the-mkfs-command-to-format-exfat-partitions.patch
@@ -0,0 +1,26 @@
+From: Sebastien Bacher 
+Date: Wed, 21 Apr 2021 13:48:36 +0200
+Subject: Use the mkfs command to format exfat partitions
+
+The currently used mkexfatfs is only available in exfat-utils and not in
+the new exfatprogs.
+
+https://github.com/storaged-project/udisks/issues/882
+(cherry picked from commit 1c13dc64213554f979b24788b40398fee7a5039f)
+---
+ src/udiskslinuxfsinfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/udiskslinuxfsinfo.c b/src/udiskslinuxfsinfo.c
+index 15af26c..8f08242 100644
+--- a/src/udiskslinuxfsinfo.c
 b/src/udiskslinuxfsinfo.c
+@@ -121,7 +121,7 @@ const FSInfo _fs_info[] =
+   NULL,
+   FALSE, /* supports_online_label_rename */
+   FALSE, /* supports_owners */
+-  "mkexfatfs -n $LABEL $DEVICE",
++  "mkfs.exfat -n $LABEL $DEVICE",
+   NULL,
+   NULL, /* option_no_discard */
+ },
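Review bot: `mkfs.exfat -n $LABEL $DEVICE` only works with both implementations if both accept `-n` for the volume label, which the hunk itself cannot show; the thread relies on Sven's reply of 05.12.21 that the mkfs.exfat invocations are compatible and on Michael's gnome-disks test in a VM. That test is worth recording with the upload, because the changelog hunk above switches the Recommends to exfatprogs, so that is the implementation most bullseye users will end up running this command with.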
diff --git 
a/debian/patches/mount-options-Always-use-errors-remount-ro-for-ext-filesy.patch
 
b/debian/patches/mount-options-Always-use-errors-remount-ro-for-ext-filesy.patch
new file mode 100644
index ..627b5668
--- /dev/null
+++ 
b/debian/patches/mount-options-Always-use-errors-remount-ro-for-ext-filesy.patch
@@ -0,0 +1,55 @@
+From: Tomas Bzatek 
+Date: Wed, 15 Sep 2021 14:34:49 +0200
+Subject: mount options: Always use errors=remount-ro for ext filesystems
+
+Default mount options are focused primarily on data safety, mounting
+damaged ext2/3/4 filesystem as readonly would indicate something's wrong.
+
+(cherry picked from commit 2d5d2b7570b0f44c14b34b5dc831f174205c10f2)
+(cherry picked from commit 38d90a433bda0fc0f2a409f6baa12c3958893571)
+---
+ data/builtin_mount_options.conf| 9 +
+ src/tests/dbus-tests/test_80_filesystem.py | 6 ++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/data/builtin_mount_options.conf b/data/builtin_mount_options.conf
+index 6e50927..962c469 100644
+--- a/data/builtin_mount_options.conf
 b/data/builtin_mount_options.conf
+@@ -27,3 +27,12 @@ 
f2fs_allow=discard,nodiscard,compress_algorithm,compress_log_size,compress_exten
+ xfs_allow=discard,nodiscard,inode32,largeio,wsync
+ 
+ reiserfs_allow=hashed_relocation,no_unhashed_relocation,noborder,notail
++
++ext2_defaults=errors=remount-ro
++ext2_allow=errors=remount-ro
++
++ext3_defaults=errors=remount-ro
++ext3_allow=errors=remount-ro
++
++ext4_defaults=errors=remount-ro
++ext4_allow=errors=remount-ro
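Review bot: the `ext2/3/4_defaults=errors=remount-ro` lines are the actual fix for CVE-2021-3802 listed in the changelog hunk: passing errors=remount-ro explicitly on every udisks mount overrides the error behaviour stored in the filesystem's own superblock, so a damaged or crafted ext image can no longer dictate what the kernel does when it hits corruption, and the matching `_allow` lines permit a caller to request only that same value. Note that the value itself contains an `=`, so anything else that parses this file must split on the first `=` only.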
+diff --git a/src/tests/dbus-tests/test_80_filesystem.py 
b/src/tests/dbus-tests/test_80_filesystem.py
+index c8bb9f0..c16d32c 100644
+--- a/src/tests/dbus-tests/test_80_filesystem.py
 b/src/tests/dbus-tests/test_80_filesystem.py
+@@ -315,6 +315,8 @@ class UdisksFSTestCase(udiskstestcase.UdisksTestCase):
+ _ret, out = self.run_command('mount | grep %s' % block_fs_dev)
+ self.assertIn(mnt_path, out)
+ self.assertIn('ro', out)
++if self._fs_name.
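
The option merge that the patch above relies on, as an added example that is not udisks code: it parses `<fs>_defaults` / `<fs>_allow` lines in the format of data/builtin_mount_options.conf (constructed excerpts, before and after the CVE-2021-3802 change) and derives what a udisks-style mount would pass to mount(8). The merge rules (apply all defaults; accept a caller option only when it is listed verbatim in `_allow`) are a simplified assumption, not the real udisks algorithm.

```python
"""Effective mount options from builtin_mount_options.conf excerpts.

Added example, not udisks code. The merge rules are a simplified
assumption of how udisks combines `_defaults` and `_allow` entries.
"""

# Constructed excerpt in the same format as data/builtin_mount_options.conf.
# Before the patch there were no ext entries at all.
PRE_PATCH_CONF = """\
# filesystem-specific options (constructed excerpt)
xfs_allow=discard,nodiscard,inode32,largeio,wsync

reiserfs_allow=hashed_relocation,no_unhashed_relocation,noborder,notail
"""

# The same excerpt plus the lines the CVE-2021-3802 patch adds.
POST_PATCH_CONF = PRE_PATCH_CONF + """
ext2_defaults=errors=remount-ro
ext2_allow=errors=remount-ro

ext3_defaults=errors=remount-ro
ext3_allow=errors=remount-ro

ext4_defaults=errors=remount-ro
ext4_allow=errors=remount-ro
"""


def parse_conf(text):
    """Parse `key=value1,value2,...` lines into {key: [values]}.

    A value may itself contain '=' (errors=remount-ro), so only the first
    '=' on a line separates the key from its value list.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        entries[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return entries


def _name(opt):
    """Option name without its value: 'errors=panic' -> 'errors'."""
    return opt.split("=", 1)[0]


def effective_options(conf, fstype, requested=()):
    """Return the option list a mount of `fstype` would receive.

    All `<fstype>_defaults` are applied first. Each caller-requested option
    must appear verbatim in `<fstype>_allow`; an accepted option replaces a
    default of the same name. Anything else is refused, which is how a
    request for errors=panic on ext4 is rejected after the patch.
    """
    defaults = conf.get(f"{fstype}_defaults", [])
    allowed = set(conf.get(f"{fstype}_allow", []))
    merged = {_name(o): o for o in defaults}
    for opt in requested:
        if opt not in allowed:
            raise PermissionError(f"{opt!r} is not allowed for {fstype}")
        merged[_name(opt)] = opt
    return list(merged.values())


def mount_argument(conf, fstype, requested=()):
    """The string that would follow `-o` on the mount command line ('' if none)."""
    return ",".join(effective_options(conf, fstype, requested))


if __name__ == "__main__":
    before = parse_conf(PRE_PATCH_CONF)
    after = parse_conf(POST_PATCH_CONF)
    # Before: ext4 got no errors= option, so the superblock's own policy applied.
    print("ext4 before:", mount_argument(before, "ext4") or "(none)")
    # After: errors=remount-ro is always passed and overrides the superblock.
    print("ext4 after: ", mount_argument(after, "ext4"))
    try:
        effective_options(after, "ext4", ["errors=panic"])
    except PermissionError as exc:
        print("rejected:", exc)
```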

Bug#994622: bullseye-pu: package network-manager/1.30.6-1~deb11u1

2021-11-03 Thread Michael Biebl
On Sat, 18 Sep 2021 20:41:06 +0200 Michael Biebl  wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Hi,
> 
> I'd like to make a stable upload for network-manager.
> 
> Debian bullseye currently ships 1.30.0.
> Upstream provides stable branches for 1.X, in this case 1.30.x, where
> only bug fixes are backported. The current release from that branch [1]
> is 1.30.6.
> 
> I've been shipping 1.30.6-1 in unstable for several without any reported
> regressions and I'd like to ship that version for stable as well as a
> simple rebuild.
> 
> The full debdiff is attached. If you prefer, I can provide a filtered
> debdiff, where changes to build system and the generated .html files are
> excluded.
> 
> Thanks for considering.
> 
> Regards,
> Michael
> 
> 
> [1]
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/tree/nm-1-30

Any news here? Anything I can do to help move this along?

Regards,
Michael


signature.asc
Description: This is a digitally signed message part


Bug#993100: bullseye-pu: package udisks2/2.9.2-2+deb11u1

2021-11-03 Thread Michael Biebl
On Fri, 27 Aug 2021 13:58:19 +0200 Michael Biebl  wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: pkg-utopia-maintain...@lists.alioth.debian.org
> 
> 
> Hi,
> 
> I'd like to make a stable upload for udisks2, fixing #992152:
> "udisks2: please update Recommends on exfat-utils to exfatprogs for Linux
kernel 5"
> 
> This issue has already been fixed in unstable/testing and the relevant
> changes for bullseye are an upstream cherry-pick and a packaging
> cherry-pick.
> 
> The changes themselves are trivial. Full debdiff is attached.
> 


Any news here?





Bug#995636: OpenSSL 3.0 - Apache 2.0 vs GPL 2 (Re: Bug#995636: transition: openssl)

2021-10-05 Thread Michael Biebl

Hi Kurt, hi Luca, hi everyone,

regarding the impending transition to OpenSSL 3.0 in unstable (which is 
now licensed under Apache 2.0), I wonder what that means for Debian, 
given that apparently GPL-2 (and also LGPL-2) and Apache 2.0 are 
incompatible with each other.


If I read Luca correctly[1], any library or executable using GPL-2+ 
effectively becomes GPL-3+ once they link against OpenSSL 3.0.
And especially for libraries, this would have a ripple effect through 
the whole distribution and cause issues e.g for GPL-2 only packages.


Fwiw, I'm surprised that this also apparently affects LGPL-2.

That said, I'm not a lawyer and reading license texts hurts my brain.
So my goal is mainly to raise awareness of this issue and seek input 
from the community.


Regards,
Michael



On 03.10.21 at 14:59, Kurt Roeckx wrote:

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi,

We would like to transition to OpenSSL 3.0.0. It's currently in
experimental. It has an soname change, so the binary packages got
renamed and binNMUs will be required.

We did a rebuild of packages and currently have 105 packages
that FTBFS with OpenSSL 3.0.0 that build with 1.1.1. I've started
filing bugs for that:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-openssl-de...@lists.alioth.debian.org&tag=ftbfs-3.0


Kurt




[1] https://github.com/systemd/systemd/pull/20915





Bug#995003: nmu: systemd_247.9-2

2021-09-24 Thread Michael Biebl
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi,

systemd currently has an open RC bug #994931 which was caused by debhelper
13.5 using the dpkg remove-on-upgrade feature, resulting in conffiles in
systemd-timesyncd being nuked on upgrades.
This feature in debhelper has been reverted in 13.5.2 again.

It would thus be great if you can quickly schedule a binNMU to avoid
unnecessary breakage for our users.

Thanks,
Michael


nmu systemd_247.9-2 . ANY . unstable . -m "rebuild with debhelper 13.5.2"



Bug#994905: override: systemd-timesyncd:admin/standard

2021-09-22 Thread Michael Biebl
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: override
X-Debbugs-Cc: debian-b...@lists.debian.org, 
pkg-systemd-maintain...@lists.alioth.debian.org, debian-release@lists.debian.org

Hi FTP team,

I just uploaded systemd 247.9-2 to fix #986651 [0] and #993947 [1]
In this upload, I demoted systemd-timesyncd from a Depends to
Recommends. As discussed in the above bug report, to ensure that
systemd-timesyncd is still installed in a default d-i based
installation (including the standard task), I'd like to see the priority
of systemd-timesyncd bumped accordingly.

This is similar to what has been done to libpam-systemd in [2]

I'd like to make this change for both unstable/testing and stable. I've
CCed the debian-release mailing list accordingly for their input.


Regards,
Michael

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986651
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993947
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803184



Bug#993100: bullseye-pu: package udisks2/2.9.2-2+deb11u1

2021-08-27 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-utopia-maintain...@lists.alioth.debian.org


Hi,

I'd like to make a stable upload for udisks2, fixing #992152:
"udisks2: please update Recommends on exfat-utils to exfatprogs for Linux 
kernel 5"

This issue has already been fixed in unstable/testing and the relevant
changes for bullseye are an upstream cherry-pick and a packaging
cherry-pick.

The changes themselves are trivial. Full debdiff is attached.

Regards,
Michael
diff --git a/debian/changelog b/debian/changelog
index 51c3b887..a5335640 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+udisks2 (2.9.2-2+deb11u1) bullseye; urgency=medium
+
+  * Switch debian-branch to debian/bullseye
+  * Use the mkfs command to format exfat partitions
+  * Recommend exfatprogs instead of exfat-utils.
+Prefer the native, in-kernel exFAT implementation over the FUSE-based one.
+(Closes: #992152)
+
+ -- Michael Biebl   Fri, 27 Aug 2021 13:41:28 +0200
+
 udisks2 (2.9.2-2) unstable; urgency=medium
 
   * udisksclient: Make get_block_for_drive deterministic.
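Review bot: there is no debian/control hunk in this debdiff even though the changelog entry says the Recommends changes from exfat-utils to exfatprogs; the field is filled through the `exfat:Recommends` substvar in the debian/rules hunk further down, so anyone checking the changelog against debian/control should look there instead.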
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 05e704d0..a64b3aab 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,5 +1,5 @@
 [DEFAULT]
 pristine-tar = True
 patch-numbers = False
-debian-branch = debian/master
+debian-branch = debian/bullseye
 upstream-branch = upstream/latest
diff --git 
a/debian/patches/Use-the-mkfs-command-to-format-exfat-partitions.patch 
b/debian/patches/Use-the-mkfs-command-to-format-exfat-partitions.patch
new file mode 100644
index ..8ae84c05
--- /dev/null
+++ b/debian/patches/Use-the-mkfs-command-to-format-exfat-partitions.patch
@@ -0,0 +1,26 @@
+From: Sebastien Bacher 
+Date: Wed, 21 Apr 2021 13:48:36 +0200
+Subject: Use the mkfs command to format exfat partitions
+
+The currently used mkexfatfs is only available in exfat-utils and not in
+the new exfatprogs.
+
+https://github.com/storaged-project/udisks/issues/882
+(cherry picked from commit 1c13dc64213554f979b24788b40398fee7a5039f)
+---
+ src/udiskslinuxfsinfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/udiskslinuxfsinfo.c b/src/udiskslinuxfsinfo.c
+index 15af26c..8f08242 100644
+--- a/src/udiskslinuxfsinfo.c
 b/src/udiskslinuxfsinfo.c
+@@ -121,7 +121,7 @@ const FSInfo _fs_info[] =
+   NULL,
+   FALSE, /* supports_online_label_rename */
+   FALSE, /* supports_owners */
+-  "mkexfatfs -n $LABEL $DEVICE",
++  "mkfs.exfat -n $LABEL $DEVICE",
+   NULL,
+   NULL, /* option_no_discard */
+ },
diff --git a/debian/patches/series b/debian/patches/series
index b5f3547a..cf88582d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 udisksclient-Make-get_block_for_drive-deterministic.patch
+Use-the-mkfs-command-to-format-exfat-partitions.patch
diff --git a/debian/rules b/debian/rules
index a649602a..7f936111 100755
--- a/debian/rules
+++ b/debian/rules
@@ -42,11 +42,11 @@ override_dh_install:
 override_dh_missing:
dh_missing --fail-missing
 
-# Ubuntu is hesitant about exfat-utils in default install
+# Ubuntu is hesitant about exfatprogs in default install
 # https://launchpad.net/bugs/1649537
 override_dh_gencontrol:
 ifneq ($(shell dpkg-vendor --query vendor),Ubuntu)
-   dh_gencontrol -- -Vexfat:Recommends='exfat-utils'
+   dh_gencontrol -- -Vexfat:Recommends='exfatprogs'
 else
-   dh_gencontrol -- -Vexfat:Suggests='exfat-utils'
+   dh_gencontrol -- -Vexfat:Suggests='exfatprogs'
 endif
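Review bot: renaming `exfat-utils` to `exfatprogs` inside the comment `# Ubuntu is hesitant about exfat-utils in default install` changes what the comment asserts, and nothing in this diff shows that the Launchpad bug it cites (1649537) says anything about exfatprogs; either keep the comment describing the original concern or reword it to state that the Ubuntu Suggests override now simply applies to exfatprogs. The substvar changes themselves are consistent with the changelog entry.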


Bug#990990: unblock: libcgroup/2.0

2021-07-12 Thread Michael Biebl

Hi Adrian

On 12.07.21 at 14:51, Adrian Bunk wrote:

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Background:
https://www.debian.org/releases/testing/amd64/release-notes/ch-information.en.html#openstack-cgroups
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959022#66

I noticed a version of libcgroup with support for control groups v2
is now in experimental.

Given then known problems with the libcgroup currently in bullseye
(it only works when booting with special kernel parameters),
this bug is a question to the release team and the OpenStack
maintainer whether updating libcgroup in bullseye to the version
currently in experimental might be the smaller evil compared
to the current release notes approach.


Complete diffstat compared to the version in testing:
  223 files changed, 73421 insertions(+), 34626 deletions(-)
Diff of debian/ is attached.

The new version adds autopkgtests, but they aren't currently run:
   SKIP Test requires machine-level isolation but testbed does not provide that

No new bugs are reported in the BTS.


This was already discussed in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959022

My takeaway from that discussion was that rdeps of cgroup-tools would 
themselves have to be made cgroupv2 aware, especially OpenStack and its 
components.
Have those rdeps been tested successfully with libcgroup/cgroup-tools 
from experimental?


Regards,
Michael





Bug#990515: release.debian.org: buster->bullseye upgrade issue: sshfs is not upgraded due to fuse/fuse3

2021-07-01 Thread Michael Biebl

Am 01.07.21 um 09:32 schrieb Paul Gevers:

Hi Andreas, Laszlo,

On 01-07-2021 08:27, Andreas Beckmann wrote:

Package: release.debian.org
Severity: normal

let's start a discussion here and once we found a package to upgrade,
turn this into an unblock request.


And let's add the fuse and fuse3 maintainer to the discussion.


sshfs is sometimes kept at the buster version because of some dependency
mess of fuse/fuse3.
This usually shows up in large metapackages like freedombox or kde-full
with --install-recommends enabled. Probably because there are additional
dependency paths on fuse.

* sshfs/buster depends on fuse
* sshfs/bullseye depends on fuse3
* fuse still exists in bullseye as a real package
* fuse3/bullseye has Conflicts/Replaces: fuse and a
versioned Provides: fuse (= ${source:Version})
Upgrading would require kicking out fuse and installing fuse3 but apt
does not do that, as so often.

This isn't solved by a followup distupgrade either.

I haven't found a solution adding more Breaks: fuse to various packages
to solve this cleanly. Naturally I would have suggested to add a
transitional fuse binary package to src:fuse3 which just
Depends: fuse3 (= ${binary:Version}) and adjust the Breaks/Replaces in
fuse3 to fuse (<< 3). src:fuse then should drop its fuse package (or
rename it to fuse2 while adding a '2' to all filenames).

I'm also not convinced that fuse3 is a real replacement for fuse: it has
symlinks foo -> foo3 for all binaries and manpages. But the initramfs
hook only does 'copy_exec /sbin/mount.fuse3 /sbin', it does not care
about /sbin/mount.fuse


If fuse3 is a full replacement, then it should take over the fuse binary 
package name (and not use a versioned Provides).
If it's not a full replacement, then the versioned Provides should be 
removed.




Laszlo, what do you think?


Related issue:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918984






Bug#990197: unblock: amanda/3.5.1-6

2021-06-22 Thread Michael Biebl

Am 22.06.21 um 23:32 schrieb Jose M Calhariz:

On 22/06/2021 22:15, Michael Biebl wrote:

Am 22.06.21 um 21:49 schrieb Jose M Calhariz:


My first build was with MAILER only on config and tested on a bullseye
server.


This appears to be correct/sufficient


Then I was pointed to #475771 and that my change was not complete
enough
so I


I don't think you need to set it for MAKE. I think it was done so
mistakenly in the past.


If it helps, there is packaging/deb/rules which also sets MAILER only
during ./configure.



So you prefer the following patch and that I upload a 3.5.1-7 with only
that change, right?



Personally, I would prefer this patch, yes.
But I also need to clarify that I'm not a member of the release team, so 
I don't really have any authority here. I merely wanted to provide some 
feedback on the debdiff.


Regards







Bug#990197: unblock: amanda/3.5.1-6

2021-06-22 Thread Michael Biebl

Am 22.06.21 um 21:49 schrieb Jose M Calhariz:


My first build was with MAILER only on config and tested on a bullseye
server.


This appears to be correct/sufficient


Then I was pointed to #475771 and that my change was not complete enough
so I


I don't think you need to set it for MAKE. I think it was done so 
mistakenly in the past.



If it helps, there is packaging/deb/rules which also sets MAILER only 
during ./configure.






Bug#990197: unblock: amanda/3.5.1-6

2021-06-22 Thread Michael Biebl

Am 22.06.21 um 18:39 schrieb Jose M Calhariz:

On 22/06/2021 17:13, Michael Biebl wrote:

Am 22.06.21 um 16:55 schrieb Jose M Calhariz:

+override_dh_auto_build:
+    # MAILER: Fix for #296022, #475771 and #990080
+    MAILER="/usr/bin/mail" dh_auto_build


Are you sure this bit is necessary?
Once MAILER has been set by ./configure, the generated Makefiles
should have MAILER set up properly.

Can you grep over the generated Makefiles if MAILER is set correctly?

Michael


I have included that diff, because of #475771.  So in the past it was
necessary.

Doing grep in all Makefiles I am seeing this:

DEFAULT_MAILER = /usr/bin/mail
MAILER = /usr/bin/mail


I can upload a new package with your request, but because of #475771 I
prefer amanda/3.5.1-6 as is.  It is your call.


Well, if you drop the override_dh_auto_build bit, does the resulting deb 
work or not? I assume you have tested the patch?







Bug#990197: unblock: amanda/3.5.1-6

2021-06-22 Thread Michael Biebl

Am 22.06.21 um 16:55 schrieb Jose M Calhariz:

+override_dh_auto_build:
+   # MAILER: Fix for #296022, #475771 and #990080
+   MAILER="/usr/bin/mail" dh_auto_build


Are you sure this bit is necessary?
Once MAILER has been set by ./configure, the generated Makefiles should 
have MAILER set up properly.


Can you grep over the generated Makefiles if MAILER is set correctly?

Michael





Bug#987678: unblock: udisks2/2.9.2-2

2021-04-27 Thread Michael Biebl
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-utopia-maintain...@lists.alioth.debian.org

Please unblock package udisks2

It fixes #987582:
udisks_client_get_block_for_drive() always returns the wrong block of eMMC

It's an upstream cherry-pick which ensure eMMC block devices are
detected correctly.

[ Tests ]
No automated tests for this code, but the fix was confirmed by the
original bug submitter.

[ Risks ]
udisks2 is a key package, but the change is rather small, see
https://github.com/storaged-project/udisks/commit/5d0ac7ebefb8b7aad73871936f5011545cc66344

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

unblock udisks2/2.9.2-2
diff --git a/debian/changelog b/debian/changelog
index fabe2505..51c3b887 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+udisks2 (2.9.2-2) unstable; urgency=medium
+
+  * udisksclient: Make get_block_for_drive deterministic.
+Fixes "udisks_client_get_block_for_drive() always returns the wrong
+block of eMMC". (Closes: #987582)
+
+ -- Michael Biebl   Mon, 26 Apr 2021 21:12:10 +0200
+
 udisks2 (2.9.2-1) unstable; urgency=medium
 
   * New upstream version 2.9.2
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index ..b5f3547a
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+udisksclient-Make-get_block_for_drive-deterministic.patch
diff --git 
a/debian/patches/udisksclient-Make-get_block_for_drive-deterministic.patch 
b/debian/patches/udisksclient-Make-get_block_for_drive-deterministic.patch
new file mode 100644
index ..e33737f0
--- /dev/null
+++ b/debian/patches/udisksclient-Make-get_block_for_drive-deterministic.patch
@@ -0,0 +1,71 @@
+From: Will Thompson 
+Date: Wed, 21 Apr 2021 10:56:30 +0100
+Subject: udisksclient: Make get_block_for_drive deterministic
+
+While any given Block object has at most one corresponding Drive, many
+Block objects may share the same Drive. One example is eMMC devices
+which provide a block device for the main data area (e.g. /dev/mmcblk0)
+as well as additional logical block devices for device partitions (e.g.
+/dev/mmcblk0boot0 and /dev/mmcblk0boot1).
+
+This behaviour was introduced in #834 to resolve issue #619 that these
+device partitions caused a phantom additional Drive object to be
+exposed. On that issue, I wrote:
+
+> I believe that Block.Drive on the boot partitions should point to the
+> same data area as the main data area (and its logical partitions);
+> udisks_client_get_block_for_drive() on the drive should return
+> /org/freedesktop/UDisks2/block_devices/mmcblk0.
+
+The first part is now true, but as described on #879 the second part is
+not true. It is now non-deterministic which Block will be returned,
+based only on the order of objects returned by
+g_dbus_object_manager_get_objects().
+
+Make the return value of udisks_client_get_block_for_drive()
+deterministic by sorting the list of candidate Block objects by their
+device path in lexicographic order. Since (e.g.) /dev/mmcblk0 sorts
+before /dev/mmcblk0boot0, this has the desirable side-effect that
+calling udisks_client_get_block_for_drive() on an eMMC Drive returns the
+'real' Block for the main data area.
+
+Fixes #879.
+
+(cherry picked from commit 5d0ac7ebefb8b7aad73871936f5011545cc66344)
+---
+ udisks/udisksclient.c | 15 +++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/udisks/udisksclient.c b/udisks/udisksclient.c
+index 463b15a..1855209 100644
+--- a/udisks/udisksclient.c
 b/udisks/udisksclient.c
+@@ -816,6 +816,20 @@ udisks_client_get_block_for_dev (UDisksClient *client,
+ 
+ /* 

 */
+ 
++static int
++compare_blocks_by_device (gconstpointer a,
++  gconstpointer b)
++{
++  UDisksBlock *block_a = udisks_object_get_block (UDISKS_OBJECT (a));
++  UDisksBlock *block_b = udisks_object_get_block (UDISKS_OBJECT (b));
++
++  g_assert (block_a != NULL);
++  g_assert (block_b != NULL);
++
++  return g_strcmp0 (udisks_block_get_device (block_a),
++udisks_block_get_device (block_b));
++}
++
+ static GList *
+ get_top_level_blocks_for_drive (UDisksClient *client,
+ const gchar  *drive_object_path)
+@@ -847,6 +861,7 @@ get_top_level_blocks_for_drive (UDisksClient *client,
+ }
+   g_object_unref (block);
+ }
++  ret = g_list_sort (ret, compare_blocks_by_device);
+   g_list_free_full (object_proxies, g_object_unref);
+   return ret;
+ }
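Review bot: `udisks_object_get_block()` is the gdbus-codegen `get_` accessor and hands back a new reference (unlike `udisks_object_peek_block()`), but `compare_blocks_by_device()` never unrefs `block_a` or `block_b`, so every comparison made by `g_list_sort()` leaks two UDisksBlock references. Either switch to `udisks_object_peek_block()`, which is safe here because the objects in `ret` stay referenced for the duration of the sort, or store the `g_strcmp0()` result in a local and `g_object_unref()` both blocks before returning. The deterministic ordering by device path is otherwise what the commit message promises.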


Bug#986758: unblock: systemd/247.3-5

2021-04-14 Thread Michael Biebl

Am 14.04.21 um 14:27 schrieb Ivo De Decker:

Control: tags -1 confirmed d-i

Hi,

On Mon, Apr 12, 2021 at 08:54:51PM +0200, Michael Biebl wrote:

control: retitle -1 unblock: systemd/247.3-5


This looks ok. Kibi was already in Cc for the unblock-udeb (the original 
mail is quoted below).



Oops, I mixed up the order of the git tags when generating the debdiff. 
So in the diff, please replace + with - and vice versa.
I think this mistake was quite obvious, that said, a corrected debdiff 
is attached.


Regards,
Michael

diff --git a/debian/changelog b/debian/changelog
index 0588fec..22a8ad2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,27 @@
+systemd (247.3-5) unstable; urgency=medium
+
+  * udev-udeb: setup /dev/fd, /dev/std{in,out,err} symlinks.
+As systemd-udevd no longer sets them up itself, we create them manually
+after mounting devtmpfs. This avoids breaking applications which expect
+those symlinks. (Closes: #975018)
+
+ -- Michael Biebl   Mon, 12 Apr 2021 20:21:24 +0200
+
+systemd (247.3-4) unstable; urgency=medium
+
+  [ Luca Boccassi ]
+  * Backport patch to fix assert with invalid LoadCredentials=
+Regression introduced in v247, fixed in v249, see:
+https://github.com/systemd/systemd/issues/19178
+(Closes: #986302)
+
+  [ Michael Biebl ]
+  * network: Delay addition of IPv6 Proxy NDP addresses.
+Fixes "IPv6 Proxy NDP addresses are being lost from interfaces after
+networkd adds them". (Closes: #985510)
+
+ -- Michael Biebl   Sun, 11 Apr 2021 16:06:46 +0200
+
 systemd (247.3-3) unstable; urgency=medium
 
   * pkg-config: make prefix overridable again (Closes: #984763)
diff --git a/debian/extra/start-udev b/debian/extra/start-udev
index 6048925..0a8b284 100755
--- a/debian/extra/start-udev
+++ b/debian/extra/start-udev
@@ -6,6 +6,11 @@ fi
 
 if ! grep -E -q "^[^[:space:]]+ /dev devtmpfs" /proc/mounts; then
 mount -n -o mode=0755 -t devtmpfs devtmpfs /dev
+# Setup a few /dev symlinks, see #975018
+[ ! -h /dev/fd ] && ln -s /proc/self/fd /dev/fd
+[ ! -h /dev/stdin ] && ln -s /proc/self/fd/0 /dev/stdin
+[ ! -h /dev/stdout ] && ln -s /proc/self/fd/1 /dev/stdout
+[ ! -h /dev/stderr ] && ln -s /proc/self/fd/2 /dev/stderr
 fi
 
 SYSTEMD_LOG_LEVEL=notice /lib/systemd/systemd-udevd --daemon 
--resolve-names=never
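Review bot: the `[ ! -h /dev/fd ] && ln -s ...` guards only skip when a symlink already exists; if /dev/fd (or one of the std* names) is present as a regular file or directory, `-h` is false and `ln -s` fails with "File exists", so test for both `-e` and `-h` before linking. Also, the four `ln -s` lines sit inside the `if ! grep ... devtmpfs /proc/mounts` branch, so when devtmpfs was already mounted before start-udev runs the #975018 workaround is not applied; if that case is reachable in the udeb, move the symlink creation after the `fi`.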
diff --git 
a/debian/patches/LoadCredentials-do-not-assert-on-invalid-syntax.patch 
b/debian/patches/LoadCredentials-do-not-assert-on-invalid-syntax.patch
new file mode 100644
index 000..c9e3500
--- /dev/null
+++ b/debian/patches/LoadCredentials-do-not-assert-on-invalid-syntax.patch
@@ -0,0 +1,34 @@
+From: Luca Boccassi 
+Date: Thu, 1 Apr 2021 22:18:29 +0100
+Subject: LoadCredentials: do not assert on invalid syntax
+
+LoadCredentials=foo causes an assertion to be triggered, as we
+are not checking that the rvalue's right hand side part is non-empty
+before using it in unit_full_printf.
+
+Fixes #19178
+
+# printf [Service]nLoadCredential=passwd.hashed-password.rootn > hello.service
+# systemd-analyze verify ./hello.service
+...
+Assertion 'format' failed at src/core/unit-printf.c:232, function 
unit_full_printf(). Aborting.
+Aborted (core dumped)
+
+(cherry picked from commit f7a6f1226e800f7695c2073675523062ea697aa4)
+---
+ src/core/load-fragment.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
+index 4964249..5b66fb1 100644
+--- a/src/core/load-fragment.c
 b/src/core/load-fragment.c
+@@ -4569,7 +4569,7 @@ int config_parse_load_credential(
+ r = extract_first_word(&p, &word, ":", 
EXTRACT_DONT_COALESCE_SEPARATORS);
+ if (r == -ENOMEM)
+ return log_oom();
+-if (r <= 0) {
++if (r <= 0 || isempty(p)) {
+ log_syntax(unit, LOG_WARNING, filename, line, r, "Invalid 
syntax, ignoring: %s", rvalue);
+ return 0;
+ }
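Review bot: in the new `r <= 0 || isempty(p)` branch `r` is passed to `log_syntax()` as the error argument, but when the branch is entered because of `isempty(p)` `r` is positive (one word was extracted), so the warning is logged with a spurious errno; pass `0` there, e.g. `log_syntax(unit, LOG_WARNING, filename, line, 0, "Invalid syntax, ignoring: %s", rvalue);`. The check itself is the right fix: `extract_first_word()` leaves `p` NULL once the value is consumed, which is exactly what `LoadCredential=foo` without a `:path` part produces and what tripped the `format` assertion in unit_full_printf().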
diff --git 
a/debian/patches/debian/Downgrade-a-couple-of-warnings-to-debug.patch 
b/debian/patches/debian/Downgrade-a-couple-of-warnings-to-debug.patch
index 466a232..1b5b03d 100644
--- a/debian/patches/debian/Downgrade-a-couple-of-warnings-to-debug.patch
+++ b/debian/patches/debian/Downgrade-a-couple-of-warnings-to-debug.patch
@@ -16,7 +16,7 @@ Closes: #981407
  3 files changed, 7 insertions(+), 3 deletions(-)
 
 diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
-index 4964249..2d48783 100644
+index 5b66fb1..df5669a 100644
 --- a/src/core/load-fragment.c
 +++ b/src/core/load-fragment.c
 @@ -372,6 +372,7 @@ static int patch_var_run(
diff --git 
a/debian/patches/network-Delay-addition-of-IPv6-Proxy-NDP-addresses.patch 
b/debian/patches/network-Delay-addition-of-IPv6-Proxy-NDP-addresses.patch
new file mode 100644
index 000..055c598
--- /dev/null
+++ b/debian/patches/network-Delay-addition-of-IPv6-Proxy-NDP-addresses.patch
@@

Bug#986847: unblock: network-manager/1.30.0-2

2021-04-12 Thread Michael Biebl
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package network-manager

It cherry-picks an upstream commit to fix
#986809 / CVE-2021-20297

Full debdiff attached.

Regards,
Michael

unblock network-manager/1.30.0-2
diff --git a/debian/changelog b/debian/changelog
index 44ae3264f7..3431459d47 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+network-manager (1.30.0-2) unstable; urgency=medium
+
+  * core: fix crash in nm_wildcard_match_check()
+(CVE-2021-20297, Closes: #986809)
+
+ -- Michael Biebl   Mon, 12 Apr 2021 21:15:36 +0200
+
 network-manager (1.30.0-1) unstable; urgency=medium
 
   * New upstream version 1.30.0
diff --git a/debian/control b/debian/control
index 06146cd204..d95f09bd03 100644
--- a/debian/control
+++ b/debian/control
@@ -65,7 +65,7 @@ Breaks: ${misc:Breaks}
 Description: network management framework (daemon and userspace tools)
  NetworkManager is a system network service that manages your network devices
  and connections, attempting to keep active network connectivity when
- available. It manages ethernet, WiFi, mobile broadband (WWAN), and PPPoE
+ available. It manages ethernet, Wi-Fi, mobile broadband (WWAN), and PPPoE
  devices, and provides VPN integration with a variety of different VPN
  services.
  .
@@ -100,7 +100,7 @@ Depends: ${shlibs:Depends},
 Description: GObject-based client library for NetworkManager
  NetworkManager is a system network service that manages your network devices
  and connections, attempting to keep active network connectivity when
- available. It manages ethernet, WiFi, mobile broadband (WWAN), and PPPoE
+ available. It manages ethernet, Wi-Fi, mobile broadband (WWAN), and PPPoE
  devices, and provides VPN integration with a variety of different VPN
  services.
  .
@@ -118,7 +118,7 @@ Depends: ${misc:Depends},
 Description: GObject-based client library for NetworkManager (development 
files)
  NetworkManager is a system network service that manages your network devices
  and connections, attempting to keep active network connectivity when
- available. It manages ethernet, WiFi, mobile broadband (WWAN), and PPPoE
+ available. It manages ethernet, Wi-Fi, mobile broadband (WWAN), and PPPoE
  devices, and provides VPN integration with a variety of different VPN
  services.
  .
@@ -136,7 +136,7 @@ Replaces: gir1.2-networkmanager-1.0 (<< 1.8.0-2)
 Description: GObject introspection data for the libnm library
  NetworkManager is a system network service that manages your network devices
  and connections, attempting to keep active network connectivity when
- available. It manages ethernet, WiFi, mobile broadband (WWAN), and PPPoE
+ available. It manages ethernet, Wi-Fi, mobile broadband (WWAN), and PPPoE
  devices, and provides VPN integration with a variety of different VPN
  services.
  .
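Review bot: the four `WiFi` to `Wi-Fi` description edits are cosmetic and unrelated to the CVE-2021-20297 crash fix this unblock is requested for, and the changelog hunk above lists only that fix; for a targeted freeze exception either drop them or add a changelog line, so that the debdiff matches what the changelog claims.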
diff --git a/debian/patches/core-fix-crash-in-nm_wildcard_match_check.patch 
b/debian/patches/core-fix-crash-in-nm_wildcard_match_check.patch
new file mode 100644
index 00..02d4484dd0
--- /dev/null
+++ b/debian/patches/core-fix-crash-in-nm_wildcard_match_check.patch
@@ -0,0 +1,74 @@
+From: Thomas Haller 
+Date: Wed, 24 Mar 2021 21:05:19 +0100
+Subject: core: fix crash in nm_wildcard_match_check()
+
+It's not entirely clear how to treat %NULL.
+Clearly "match.interface-name=eth0" should not
+match with an interface %NULL. But what about
+"match.interface-name=!eth0"? It's now implemented
+that negative matches still succeed against %NULL.
+What about "match.interface-name=*"? That probably
+should also match with %NULL. So we treat %NULL really
+like "".
+
+Against commit 11cd443448bc ('iwd: Don't call IWD methods when device
+unmanaged'), we got this backtrace:
+
+#0  0x7f1c164069f1 in __strnlen_avx2 () at 
../sysdeps/x86_64/multiarch/strlen-avx2.S:62
+#1  0x7f1c1637ac9e in __fnmatch (pattern=, 
string=, string@entry=0x0, flags=flags@entry=0) at fnmatch.c:379
+p = 0x0
+res = 
+orig_pattern = 
+n = 
+wpattern = 0x7fff8d860730 L"pci-:03:00.0"
+ps = {__count = 0, __value = {__wch = 0, __wchb = "\000\000\000"}}
+wpattern_malloc = 0x0
+wstring_malloc = 0x0
+wstring = 
+alloca_used = 80
+__PRETTY_FUNCTION__ = "__fnmatch"
+#2  0x564484a978bf in nm_wildcard_match_check (str=0x0, 
patterns=, num_patterns=) at 
src/core/nm-core-utils.c:1959
+is_inverted = 0
+is_mandatory = 0
+match = 
+p = 0x564486c43fa0 "pci-:03:00.0"
+has_optional = 0
+has_any_optional = 0
+i = 
+#3  0x564484bf4797 in check_connection_compatible (self=, connection=, error=0x0) at 
src/core/devices/nm-device.c:7499
+patterns = 
+   

Bug#986758: unblock: systemd/247.3-5

2021-04-12 Thread Michael Biebl

control: retitle -1 unblock: systemd/247.3-5

Am 11.04.21 um 18:48 schrieb Luca Boccassi:

Please unblock package systemd

As requested by Michael, opening unblock ticket. Debdiff attached. Two
high-impact patches are backported from upstream and should be included
in Bullseye.


Thanks Luca!


* Backport patch to fix assert with invalid LoadCredentials=
   Regression introduced in v247, fixed in v249, see:
   https://github.com/systemd/systemd/issues/19178
   (Closes: #986302)

* network: Delay addition of IPv6 Proxy NDP addresses.
   Fixes "IPv6 Proxy NDP addresses are being lost from interfaces after
   networkd adds them". (Closes: #985510)

The first patch fixes a crash when a malformed option is set in any
unit.

unblock systemd/247.3-4


I decided to make a 247.3-5 upload to fix #975018 as well:


udev-udeb: setup /dev/fd, /dev/std{in,out,err} symlinks
As systemd-udevd no longer sets them up itself, we create them manually
after mounting devtmpfs. This avoids breaking applications which expect



Somehow this issue did not show up on the systemd bug tracker, so I 
completely forgot about it. Apologies for that.


This fixes a regression which e.g. broke fetch-url and triggered a 
workaround in debian-installer-utils_1.134:



   [ Raphaël Hertzog ]
   * Use /proc/self/fd/4 instead of /dev/fd/4 to unbreak fetch-url with recent
 udev versions that no longer setup the /dev/fd symlink. Closes: #967546



I'd rather see this fixed for good. It's possible that other 
applications expect those symlinks as well.


This does affect udev-udeb, so kibi's ack would be appreciated.

Thanks for considering,
Michael


unblock systemd/247.3-5
diff --git a/debian/changelog b/debian/changelog
index 22a8ad2..0588fec 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,27 +1,3 @@
-systemd (247.3-5) unstable; urgency=medium
-
-  * udev-udeb: setup /dev/fd, /dev/std{in,out,err} symlinks.
-As systemd-udevd no longer sets them up itself, we create them manually
-after mounting devtmpfs. This avoids breaking applications which expect
-those symlinks. (Closes: #975018)
-
- -- Michael Biebl   Mon, 12 Apr 2021 20:21:24 +0200
-
-systemd (247.3-4) unstable; urgency=medium
-
-  [ Luca Boccassi ]
-  * Backport patch to fix assert with invalid LoadCredentials=
-Regression introduced in v247, fixed in v249, see:
-https://github.com/systemd/systemd/issues/19178
-(Closes: #986302)
-
-  [ Michael Biebl ]
-  * network: Delay addition of IPv6 Proxy NDP addresses.
-Fixes "IPv6 Proxy NDP addresses are being lost from interfaces after
-networkd adds them". (Closes: #985510)
-
- -- Michael Biebl   Sun, 11 Apr 2021 16:06:46 +0200
-
 systemd (247.3-3) unstable; urgency=medium
 
   * pkg-config: make prefix overridable again (Closes: #984763)
diff --git a/debian/extra/start-udev b/debian/extra/start-udev
index 0a8b284..6048925 100755
--- a/debian/extra/start-udev
+++ b/debian/extra/start-udev
@@ -6,11 +6,6 @@ fi
 
 if ! grep -E -q "^[^[:space:]]+ /dev devtmpfs" /proc/mounts; then
 mount -n -o mode=0755 -t devtmpfs devtmpfs /dev
-# Setup a few /dev symlinks, see #975018
-[ ! -h /dev/fd ] && ln -s /proc/self/fd /dev/fd
-[ ! -h /dev/stdin ] && ln -s /proc/self/fd/0 /dev/stdin
-[ ! -h /dev/stdout ] && ln -s /proc/self/fd/1 /dev/stdout
-[ ! -h /dev/stderr ] && ln -s /proc/self/fd/2 /dev/stderr
 fi
 
 SYSTEMD_LOG_LEVEL=notice /lib/systemd/systemd-udevd --daemon 
--resolve-names=never
diff --git 
a/debian/patches/LoadCredentials-do-not-assert-on-invalid-syntax.patch 
b/debian/patches/LoadCredentials-do-not-assert-on-invalid-syntax.patch
deleted file mode 100644
index c9e3500..000
--- a/debian/patches/LoadCredentials-do-not-assert-on-invalid-syntax.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Luca Boccassi 
-Date: Thu, 1 Apr 2021 22:18:29 +0100
-Subject: LoadCredentials: do not assert on invalid syntax
-
-LoadCredentials=foo causes an assertion to be triggered, as we
-are not checking that the rvalue's right hand side part is non-empty
-before using it in unit_full_printf.
-
-Fixes #19178
-
-# printf [Service]nLoadCredential=passwd.hashed-password.rootn > hello.service
-# systemd-analyze verify ./hello.service
-...
-Assertion 'format' failed at src/core/unit-printf.c:232, function 
unit_full_printf(). Aborting.
-Aborted (core dumped)
-
-(cherry picked from commit f7a6f1226e800f7695c2073675523062ea697aa4)

- src/core/load-fragment.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
-index 4964249..5b66fb1 100644
 a/src/core/load-fragment.c
-+++ b/src/core/load-fragment.c
-@@ -4569,7 +4569,7 @@ int config_parse_load_credential(
- r = extract_first_word(&p, &word, ":", 
EXTRACT_DONT_COALESCE_SEPARATORS);
- if (r == -ENOMEM)
- return log_oo

Re: cgroup-tools: does not work in cgroup2 / unified hierarchy

2021-03-23 Thread Michael Biebl

Hi

Am 23.03.21 um 17:08 schrieb Santiago Ruano Rincón:

Dear Release Team,

Could you please take a look at https://bugs.debian.org/959022
Would you agree to tag it bullseye-ignore, as pointed out by zigo here
below (and proposed also by mbiebl on irc)?


Just to clarify: Ignoring the issue is not something I'd propose, but it 
is an available option. If we leave libcgroup as-is, it means rdeps of 
libcgroup/cgroup-tools would have to disable cgroupv2 in systemd and 
boot with the cgroupv1 / the old hybrid setup if they want to use cgroup 
functionality in those rdeps.


They can do that via the systemd.unified_cgroup_hierarchy=false kernel 
command line parameter.


The old, hybrid cgroup setup is no longer actively used by systemd 
upstream and generally discouraged. I would consider such a setup as 
unsupported/semi-supported by systemd upstream.


So this should be used with care, especially considering that cgroupv1 
support will deteriorate 3 years down the lane.


If this libcgroup bug is tagged bullseye-ignore, it should probably have 
a section in the release notes with a warning in that regards.


I apologize for this. Somehow this slipped through the cracks. I didn't 
really check that libcgroup had relevant rdeps.


Regards,
Michael





Bug#985472: buster-pu: package systemd/241-7~deb10u6

2021-03-18 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: k...@debian.org, debian-b...@debian.org, 
pkg-systemd-maintain...@lists.alioth.debian.org

Hi,

I'd like to make a stable upload for systemd fixing two issues which
users explicitly requested.
Both issues are fixed in unstable and direct cherry-picks from upstream.

Here's the annotated changelog

systemd (241-7~deb10u7) buster; urgency=medium

  * core: make sure to restore the control command id, too.
Fixes a segfault in systemd that can be triggered when both
daemon-reload and a service restart happen concurrently. (Closes: #984495)

https://salsa.debian.org/systemd-team/systemd/-/commit/99b743134a64d35506bdea0aac36eda47a19fc1a

Happens rarely and is not easy to trigger. But a segfault in PID 1 is
never nice, so it seems worthwhile to fix.

  * seccomp: allow turning off of seccomp filtering via env var.
Since glibc 2.33 faccessat() is implemented via faccessat2(), which
is breaking running containers that use such a version of glibc under
systemd-nspawn in Buster.
Turning off seccomp filtering via the SYSTEMD_SECCOMP env var makes it
possible to run such new containers. (Closes: #984573)

https://salsa.debian.org/systemd-team/systemd/-/commit/e3268f6d9a2bdc739c55292d579a818f1190b77a

With buster becoming older, we have more and more distros that use glibc
2.33 (like Arch or Fedora) and can't be run under systemd-nspawn.
With the above env var it is possible to do so.



There are no changes related to udev, so d-i should not be affected.
But as we need an ack because of the udeb, I've CCed kibi/debian-boot as
usual.

Complete debdiff is attached.


Regards,
Michael
diff --git a/debian/changelog b/debian/changelog
index 61dcee2..d9b9f23 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+systemd (241-7~deb10u7) buster; urgency=medium
+
+  * core: make sure to restore the control command id, too.
+Fixes a segfault in systemd that can be triggered when both
+daemon-reload and a service restart happen concurrently. (Closes: #984495)
+  * seccomp: allow turning off of seccomp filtering via env var.
+Since glibc 2.33 faccessat() is implemented via faccessat2(), which
+is breaking running containers that use such a version of glibc under
+systemd-nspawn in Buster.
+Turning off seccomp filtering via the SYSTEMD_SECCOMP env var makes it
+possible to run such new containers. (Closes: #984573)
+
+ -- Michael Biebl   Thu, 18 Mar 2021 20:59:14 +0100
+
 systemd (241-7~deb10u6) buster; urgency=medium
 
   * journal: do not trigger assertion when journal_file_close() get NULL
diff --git 
a/debian/patches/core-make-sure-to-restore-the-control-command-id-too.patch 
b/debian/patches/core-make-sure-to-restore-the-control-command-id-too.patch
new file mode 100644
index 000..5df25ac
--- /dev/null
+++ b/debian/patches/core-make-sure-to-restore-the-control-command-id-too.patch
@@ -0,0 +1,27 @@
+From: Lennart Poettering 
+Date: Wed, 22 Apr 2020 20:34:02 +0200
+Subject: core: make sure to restore the control command id, too
+
+Fixes: #15356
+(cherry picked from commit e9da62b18af647bfa73807e1c7fc3bfa4bb4b2ac)
+---
+ src/core/service.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/service.c b/src/core/service.c
+index 5f5bcb3..eb66884 100644
+--- a/src/core/service.c
 b/src/core/service.c
+@@ -2689,9 +2689,10 @@ static int service_deserialize_exec_command(Unit *u, 
const char *key, const char
+ break;
+ }
+ 
+-if (command && control)
++if (command && control) {
+ s->control_command = command;
+-else if (command)
++s->control_command_id = id;
++} else if (command)
+ s->main_command = command;
+ else
+ log_unit_warning(u, "Current command vanished from the unit 
file, execution of the command list won't be resumed.");
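Review bot: style point on the newly braced `if (command && control) { ... }` followed by the unbraced `else if (command)` and `else` branches: once one branch needs braces, brace all of them, which also keeps a later edit from misattaching a statement to the wrong branch. The logic is right: restoring `control_command` without `control_command_id` left the two fields out of sync after deserialization, which is what the concurrent daemon-reload plus restart segfault in the changelog comes down to.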
diff --git 
a/debian/patches/seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch
 
b/debian/patches/seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch
new file mode 100644
index 000..12d823f
--- /dev/null
+++ 
b/debian/patches/seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch
@@ -0,0 +1,79 @@
+From: Lennart Poettering 
+Date: Mon, 2 Nov 2020 14:51:10 +0100
+Subject: seccomp: allow turning off of seccomp filtering via env var
+
+Fixes: #17504
+
+Also suggested in: 
https://github.com/systemd/systemd/issues/17245#issuecomment-704773603
+
+(cherry picked from commit ce8f6d478e3f6c6a313fb19615aa5029bb18f86d)
+---
+ docs/ENVIRONMENT.md |  3 +++
+ src/nspawn/nspawn-seccomp.c |  2 +-
+ src/shared/seccomp-util.c   | 19 +++
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/docs/ENVIRONMENT.md b/do
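Review bot: the debdiff is cut off in the middle of the docs/ENVIRONMENT.md file header, so the 19-line src/shared/seccomp-util.c change listed in the diffstat cannot be reviewed from this attachment and should be resent in full. Since the diffstat places the switch in the shared seccomp helper rather than only in src/nspawn/nspawn-seccomp.c, the env var presumably disables seccomp filtering for every caller of that helper, not just nspawn containers; that scope, and the fact that it removes a sandboxing layer rather than only working around the glibc 2.33 faccessat2() problem, belongs in the ENVIRONMENT.md text and in the changelog entry, which currently describes only the nspawn use case.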

Bug#985096: unblock: systemd/247.3-3

2021-03-12 Thread Michael Biebl
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-systemd-maintain...@lists.alioth.debian.org, 
debian-b...@lists.debian.org, k...@debian.org

Please unblock package systemd

I'd like to see systemd 247.3 unblocked.
It contains a number of fixes which are not critical but which I
consider polishing. Given the importance of the systemd package, I think
those changes are worthwhile.

An annotated changelog follows:

systemd (247.3-3) unstable; urgency=medium

  * pkg-config: make prefix overridable again (Closes: #984763)

https://salsa.debian.org/systemd-team/systemd/-/commit/deaf89e4cbb5d1347a1e17f782df2e56ee58e42c
cherry-pick from upstream, low risk change, was explicitly requested for
development environments like jhbuild

  * Downgrade a couple of warnings to debug.
If a package still ships only a SysV init script or if a service file or
tmpfile uses /var/run, downgrade those messages to debug. We can use
lintian to detect those issues.
For service files and tmpfiles in /etc, keep the warning, as those files
are typically added locally and aren't checked by lintian.
(Closes: #981407)

https://salsa.debian.org/systemd-team/systemd/-/commit/0c6d90f783093fc255e529f8a33b2ed2a8e6c2d6
given that it only downgrades a couple of warnings, low regression
potential.

  * core: fix mtime calculation of dropin files
(Closes: #975289)

https://salsa.debian.org/systemd-team/systemd/-/commit/39391c55cf5cee23f934e8ee29c9613ff4d33ed0
cherry-pick from upstream, probably the highest regression potential
from all changes. Fixes an annoying issue where systemd would
incorrectly report that a .service file with drop-in config was
modified on disk and requires a daemon-reload.

  * analyze: slightly reword PrivateTmp= message
(Closes: #931753)

https://salsa.debian.org/systemd-team/systemd/-/commit/2ab3ec0387b12be15a2b61d3edc90929ec64d6a2
cherry-pick from upstream, trivial documentation update


  * rules: move ID_SMARTCARD_READER definition to a <70 configuration
(Closes: #978011)

https://salsa.debian.org/systemd-team/systemd/-/commit/7d68acb67f2ff402fb764664a3b686ff7df424ae
cherry-pick from upstream, trivial change

  * table: drop trailing white spaces of the last cell in row
(Closes: #980820)

https://salsa.debian.org/systemd-team/systemd/-/commit/7018915f046893bb013ac7fa09f3c95824e3cbc3
cherry-pick from upstream, fixes a regression compared to v241, i.e. the
current version in buster. It's more of a cosmetic issue, but the change
is rather small and if by chance it helps to fix scripts which parse the
output of systemd's tools, then it's probably worthwhile to have this
change.

 -- Michael Biebl   Sat, 06 Mar 2021 22:32:14 +0100

We run a rather extensive test-suite and we also have a lot of reverse
dependencies which were triggered by the upload, so the chances of a
(major) regression are small.

Full debdiff is attached. I've CCed kibi/debian-boot, since we build a
udeb.


Thanks for considering. If there are changes above which you don't
consider appropriate, please let me know and I will revert them in a -4
upload.

Regards,
Michael


unblock systemd/247.3-3
diff --git a/debian/changelog b/debian/changelog
index d1b21bb..0588fec 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,37 @@
+systemd (247.3-3) unstable; urgency=medium
+
+  * pkg-config: make prefix overridable again (Closes: #984763)
+  * Revert "units: turn off DNSSEC validation when timesyncd resolves
+hostnames"
+Support for SYSTEMD_NSS_RESOLVE_VALIDATE=0 requires the changes from
+https://github.com/systemd/systemd/pull/17823 for the dnssec bypass
+logic. Those are rather invasive changes and not suitable for a stable
+backport.
+
+ -- Michael Biebl   Thu, 11 Mar 2021 18:09:35 +0100
+
+systemd (247.3-2) unstable; urgency=medium
+
+  * Downgrade a couple of warnings to debug.
+If a package still ships only a SysV init script or if a service file or
+tmpfile uses /var/run, downgrade those messages to debug. We can use
+lintian to detect those issues.
+For service files and tmpfiles in /etc, keep the warning, as those files
+are typically added locally and aren't checked by lintian.
+(Closes: #981407)
+  * core: fix mtime calculation of dropin files
+(Closes: #975289)
+  * analyze: slightly reword PrivateTmp= message
+(Closes: #931753)
+  * rules: move ID_SMARTCARD_READER definition to a <70 configuration
+(Closes: #978011)
+  * units: turn off DNSSEC validation when timesyncd resolves hostnames
+(Closes: #898530)
+  * table: drop trailing white spaces of the last cell in row
+(Closes: #980820)
+
+ -- Michael Biebl   Sat, 06 Mar 2021 22:32:14 +0100
+
 systemd (247.3-1) unstable; urgency=medium
 
   [ Michael Biebl ]
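Review bot: the 247.3-2 entry still records "units: turn off DNSSEC validation when timesyncd resolves hostnames (Closes: #898530)" while the 247.3-3 entry directly above reverts that change; since the -2 upload will have closed #898530 in the BTS, the revert entry should state that the bug is reopened or otherwise not fixed by this version, or an unblock reviewer reads a fix in the changelog that is no longer in the package.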
diff --git a/debian/patches/analyze-slightly-reword-PrivateTmp-message.patch 
b/debian/patc

Re: util-linux/2.36.1-7 blocked on flaky systemd/247.3-1 test on ppc64el

2021-02-11 Thread Michael Biebl

On 09.02.2021 at 20:46, Paul Gevers wrote:

Hi Chris,

On 09-02-2021 20:19, Chris Hofstaedtler wrote:

currently, util-linux/2.36.1-7 is blocked from migration because of
a failed test of systemd/247.3-1 on ppc64el.


It's not.


I'm told
"networkd-test.py" is known to be flaky.


Could very well be, didn't check.


As I can't seem to make that happen reproducibly for ci.debian.net,
could you please mark the test as known bad on ppc64el for now?
(And thus let util-linux migrate.)


Flaky tests are one reason why britney will retrigger failed test after
one day. True flaky tests shouldn't matter too much (unless one is
afraid to miss some deadline).


Afaics, this sorted itself out
https://ci.debian.net/packages/s/systemd/testing/ppc64el/

Sorry for the inconvenience, Chris.

Regards,
Michael






Bug#981345: buster-pu: package systemd/241-7~deb10u6

2021-01-30 Thread Michael Biebl

On 30.01.21 at 09:42, Cyril Brulebois wrote:

Michael Biebl  (2021-01-29):

CCed kibi/debian-boot, as usual.

The udev package should not be affected, as the above change only
affects the journal, which is not used in d-i.

The regression potential is rather low. The fix itself is a
cherry-pick from upstream and has been part of sid/testing for
quite a while.


Sure thing, fine with me!




Uploaded. Thanks all for the quick replies.

Regards,
Michael





Bug#981345: buster-pu: package systemd/241-7~deb10u6

2021-01-29 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-systemd-maintain...@lists.alioth.debian.org, k...@debian.org, 
debian-b...@lists.debian.org

Hi,

I'd like to make a stable upload for systemd fixing #975561:

  journal: do not trigger assertion when journal_file_close() get NULL

The rest is autopkgtest updates, as the current state is a bit sad [1]
on stable.

The full (annotated) changelog is

systemd (241-7~deb10u6) buster; urgency=medium

  * journal: do not trigger assertion when journal_file_close() get NULL
(Closes: #975561)

https://salsa.debian.org/systemd-team/systemd/-/commit/42f62d560748cf79353d0a66d1ccf49517f951d3

  * test-bpf: skip test when run inside containers.
The test reliably fails inside LXC and Docker when run on a new enough
kernel. It's unclear whether this is a kernel, LXC/Docker or systemd
issue and apparently there is no real interest to get this fixed, so
let's skip this test.

https://salsa.debian.org/systemd-team/systemd/-/commit/de5350a0090a51ba391baf57e5d3e549bf126a6b

  * autopkgtest: mark networkd-test.py as flaky.
See https://github.com/systemd/systemd/issues/18357
and https://github.com/systemd/systemd/issues/18196

https://salsa.debian.org/systemd-team/systemd/-/commit/996babe874059cc70f54f4edbd3e00a46a208bb7


CCed kibi/debian-boot, as usual.
The udev package should not be affected, as the above change only
affects the journal, which is not used in d-i.
The regression potential is rather low. The fix itself is a cherry-pick
from upstream and has been part of sid/testing for quite a while.


Regards,
Michael


[1] https://ci.debian.net/packages/s/systemd/


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-2-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 8c3b276..61dcee2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+systemd (241-7~deb10u6) buster; urgency=medium
+
+  * journal: do not trigger assertion when journal_file_close() get NULL
+(Closes: #975561)
+  * test-bpf: skip test when run inside containers.
+The test reliably fails inside LXC and Docker when run on a new enough
+kernel. It's unclear whether this is a kernel, LXC/Docker or systemd
+issue and apparently there is no real interest to get this fixed, so
+let's skip this test.
+  * autopkgtest: mark networkd-test.py as flaky.
+See https://github.com/systemd/systemd/issues/18357
+and https://github.com/systemd/systemd/issues/18196
+
+ -- Michael Biebl   Fri, 29 Jan 2021 15:16:06 +0100
+
 systemd (241-7~deb10u5) buster; urgency=medium
 
   * basic/cap-list: parse/print numerical capabilities (Closes: #964926)
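Review bot: the test-bpf item skips a test without any bug or upstream reference, while the other two items in this entry carry Closes: or issue URLs; adding the upstream issue or the salsa commit would let a later maintainer tell when the skip can be dropped instead of the skip becoming permanent in buster.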
diff --git a/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch 
b/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch
index 231158c..78c2d01 100644
--- a/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch
+++ b/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch
@@ -30,7 +30,7 @@ index 2791678..3a9e20a 100644
  systemd.journald.forward_to_syslog,
  systemd.journald.forward_to_kmsg,
 diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
-index 2a960eb..7fe0f82 100644
+index ba0b35d..cd45212 100644
 --- a/src/journal/journald-server.c
 +++ b/src/journal/journald-server.c
 @@ -1835,6 +1835,7 @@ int server_init(Server *s) {
diff --git 
a/debian/patches/journal-do-not-trigger-assertion-when-journal_file_close-.patch
 
b/debian/patches/journal-do-not-trigger-assertion-when-journal_file_close-.patch
new file mode 100644
index 000..9cb536b
--- /dev/null
+++ 
b/debian/patches/journal-do-not-trigger-assertion-when-journal_file_close-.patch
@@ -0,0 +1,46 @@
+From: Yu Watanabe 
+Date: Tue, 28 May 2019 12:40:17 +0900
+Subject: journal: do not trigger assertion when journal_file_close() get NULL
+
+We generally expect destructors to not complain if a NULL argument is passed.
+
+Closes #12400.
+
+(cherry picked from commit c377a6f3ad3d9bed4ce7e873e8e9ec6b1650c57d)
+---
+ src/journal/journal-file.c| 3 ++-
+ src/journal/journald-server.c | 7 ++-
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c
+index 56827f9..04cf1ef 100644
+--- a/src/journal/journal-file.c
 b/src/journal/journal-file.c
+@@ -335,7 +335,8 @@ bool journal_file_is_offlining(JournalFile *f) {
+ }
+ 
+ JournalFile* journal_file_close(JournalFil
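Review bot: the diffstat reports 6 deletions against 4 insertions, with journald-server.c losing the larger share, so callers' own NULL guards are presumably being dropped in favour of the now NULL-tolerant journal_file_close(); the patch header should say that explicitly, because the visible hunk ends right before the function body and a reviewer of the stable update cannot otherwise confirm that the destructor change and the caller changes land together.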

Bug#972839: buster-pu: package systemd/241-7~deb10u5

2020-10-24 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-systemd-maintain...@lists.alioth.debian.org

Hi,

I'd like to make a stable upload for systemd fixing two issues:

- #963488
  systemd-network assigns a random network address to bridge interfaces
  Helmut Grohne explicitly asked for a back port of this specific fix

https://salsa.debian.org/systemd-team/systemd/-/commit/99e4b8f0c74731b4a80fa7ed8c31c540a69cc997


- #964926
  systemctl show  prints "Failed to parse bus message: Invalid
  argument" before output

Reported by several people running buster with a kernel >= 5.8 (either
self-compiled or via bpo)

https://salsa.debian.org/systemd-team/systemd/-/commit/efe7d941f7b23d13c87be0b018eea67a56b9378c
https://salsa.debian.org/systemd-team/systemd/-/commit/4bdc4f8c5ed82ea5fe515b9a8b71d321e439cfe9

The package is build-tested and tested via the (extensive) autopkgtest
suite, and users also confirmed the fix at least for #964926.

The complete debdiff is attached.
The changes do not touch udev code so shouldn't affect d-i. That said, I've CCed
kibi for an ACK.

Regards,
Michael



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-1-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 14ef57f..8c3b276 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+systemd (241-7~deb10u5) buster; urgency=medium
+
+  * basic/cap-list: parse/print numerical capabilities (Closes: #964926)
+  * missing: add new Linux capabilities.
+Linux kernel v5.8 adds two new capabilities. Make sure we can recognize
+them even when built with an older kernel.
+  * networkd: do not generate MAC for bridge device (Closes: #963488)
+
+ -- Michael Biebl   Sat, 24 Oct 2020 20:44:48 +0200
+
 systemd (241-7~deb10u4) buster; urgency=medium
 
   * polkit: when authorizing via PolicyKit re-resolve callback/userdata
diff --git 
a/debian/patches/basic-cap-list-parse-print-numerical-capabilities.patch 
b/debian/patches/basic-cap-list-parse-print-numerical-capabilities.patch
new file mode 100644
index 000..3b9eb09
--- /dev/null
+++ b/debian/patches/basic-cap-list-parse-print-numerical-capabilities.patch
@@ -0,0 +1,87 @@
+From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= 
+Date: Thu, 9 Jul 2020 23:15:47 +0200
+Subject: basic/cap-list: parse/print numerical capabilities
+
+We would refuse to print capabilities which were didn't have a name
+for. The kernel adds new capabilities from time to time, most recently
+cap_bpf. 'systmectl show -p CapabilityBoundingSet ...' would fail with
+"Failed to parse bus message: Invalid argument" because
+capability_set_to_string_alloc() would fail with -EINVAL. So let's
+print such capabilities in hexadecimal:
+
+CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search
+  cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap
+  cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin
+  cap_net_raw cap_ipc_lock cap_ipc_owner 0x10 0x11 0x12 0x13 0x14 0x15 0x16
+  0x17 0x18 0x19 0x1a ...
+
+For symmetry, also allow capabilities that we don't know to be specified.
+
+Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1853736.
+
+(cherry picked from commit 417770f3033c426ca848b158d0bf057cd8ad1329)
+---
+ src/basic/cap-list.c | 10 +++---
+ src/test/test-cap-list.c |  4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/basic/cap-list.c b/src/basic/cap-list.c
+index 29a17d9..b72b037 100644
+--- a/src/basic/cap-list.c
 b/src/basic/cap-list.c
+@@ -10,6 +10,7 @@
+ #include "macro.h"
+ #include "missing.h"
+ #include "parse-util.h"
++#include "stdio-util.h"
+ #include "util.h"
+ 
+ static const struct capability_name* lookup_capability(register const char 
*str, register GPERF_LEN_TYPE len);
+@@ -37,7 +38,7 @@ int capability_from_name(const char *name) {
+ /* Try to parse numeric capability */
+ r = safe_atoi(name, &i);
+ if (r >= 0) {
+-if (i >= 0 && (size_t) i < ELEMENTSOF(capability_names))
++if (i >= 0 && i < 64)
+ return i;
+ else
+ return -EINVAL;
+@@ -65,11 +66,14 @@ int capability_set_to_string_alloc(uint64_t set, char **s) 
{
+ for (i = 0; i < cap_last_cap(); i++)
+ if (set & (UINT64_C(1) << i)) {
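Review bot: in capability_from_name the replacement check `if (i >= 0 && i < 64)` hard-codes the width of the uint64_t set; it matches `UINT64_C(1) << i` in capability_set_to_string_alloc, but a named constant would tie the two together. The semantic change also deserves a sentence in the Debian changelog entry: as the header says ("For symmetry, also allow capabilities that we don't know to be specified"), a unit can now list a capability number this build has no name for, so such a number is passed through as-is rather than rejected, and administrators reading a CapabilityBoundingSet= with hex entries need to know those are real bits, not parse errors.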
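The behaviour the basic/cap-list patch above describes, as an added example that is not code from this debdiff or from systemd: a capability set is rendered as names with a hexadecimal fallback for bits the build cannot name, and such a string is parsed back, accepting unknown numbers only if they fit in the 64-bit set. The 16-entry name table is a constructed subset standing in for a build against an older kernel (bit 39, cap_bpf on kernels >= 5.8, is deliberately absent); the function names mirror the patch, the bodies are this example's own.

```c
/* Added example (not systemd's code): capability set <-> string with a
 * numeric fallback for capabilities this build has no name for. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed subset: the first 16 Linux capabilities only. */
static const char *const cap_names[] = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
};
#define N_CAP_NAMES (sizeof(cap_names) / sizeof(cap_names[0]))
#define CAP_SET_BITS 64   /* width of the uint64_t set, the patch's `i < 64` */

/* Name or number -> bit index. Unknown numbers are accepted as long as they
 * fit in the set (the "symmetry" the patch header mentions); anything else
 * yields -EINVAL. */
int capability_from_name(const char *name) {
    char *end;
    long v;

    for (size_t i = 0; i < N_CAP_NAMES; i++)
        if (strcmp(name, cap_names[i]) == 0)
            return (int) i;

    errno = 0;
    v = strtol(name, &end, 0);          /* base 0: "39" and "0x27" both parse */
    if (errno != 0 || end == name || *end != '\0')
        return -EINVAL;
    if (v < 0 || v >= CAP_SET_BITS)
        return -EINVAL;
    return (int) v;
}

/* Set -> space-separated string; bits without a name print as 0x%x.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *capability_set_to_string_alloc(uint64_t set) {
    char *s = malloc(CAP_SET_BITS * 24 + 1);   /* longest name is 20 chars */
    size_t n = 0;

    if (!s)
        return NULL;
    s[0] = '\0';
    for (unsigned i = 0; i < CAP_SET_BITS; i++) {
        if (!(set & (UINT64_C(1) << i)))
            continue;
        if (n > 0)
            s[n++] = ' ';
        if (i < N_CAP_NAMES)
            n += (size_t) sprintf(s + n, "%s", cap_names[i]);
        else
            n += (size_t) sprintf(s + n, "0x%x", i);
    }
    return s;
}

/* String -> set. Returns 0, or the negative errno of the first bad token. */
int capability_set_from_string(const char *str, uint64_t *ret) {
    uint64_t set = 0;
    char *copy = strdup(str), *tok, *save;

    if (!copy)
        return -ENOMEM;
    for (tok = strtok_r(copy, " ", &save); tok; tok = strtok_r(NULL, " ", &save)) {
        int c = capability_from_name(tok);
        if (c < 0) {
            free(copy);
            return c;
        }
        set |= UINT64_C(1) << c;
    }
    free(copy);
    *ret = set;
    return 0;
}

/* Render, compare with the expected text, and parse back. Returns 1 if the
 * round trip reproduces the original set, 0 otherwise. */
int capability_roundtrip_ok(uint64_t set, const char *expected) {
    char *s = capability_set_to_string_alloc(set);
    uint64_t back = 0;
    int ok = s != NULL && strcmp(s, expected) == 0 &&
             capability_set_from_string(s, &back) == 0 && back == set;
    free(s);
    return ok;
}

int main(void) {
    /* Constructed bounding set: cap_chown, cap_net_admin and bit 39, which
     * this table cannot name, so it is printed as 0x27. */
    uint64_t set = (UINT64_C(1) << 0) | (UINT64_C(1) << 12) | (UINT64_C(1) << 39);
    char *s = capability_set_to_string_alloc(set);
    printf("CapabilityBoundingSet=%s\n", s ? s : "(allocation failed)");
    free(s);
    return 0;
}
```

Before the patch the equivalent of `capability_set_to_string_alloc` failed with -EINVAL as soon as an unnamed bit was set, which is exactly the "Failed to parse bus message: Invalid argument" users of buster saw with kernels >= 5.8; with the fallback, the output stays parseable and `systemctl show` keeps working on a kernel newer than the systemd build.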

Bug#971989: unblock: thunderbird/1:78.3.2-1

2020-10-20 Thread Michael Biebl
Hi everyone

On 20.10.20 at 15:49, Michael Biebl wrote:
> On 20.10.20 at 15:42, Carsten Schoenert wrote:
>> Hello Michael,
>>
>> On 20.10.20 at 14:54, Michael Biebl wrote:
>>> Shouldn't we rather wait until such an updated enigmail package is
>>> available? I see that the enigmail package has a bug report with
>>> attached patches, maybe it's time to NMU (that said, I've explicitly
>>> CCed Daniel, maybe he can chime in here)
>>>
>>> I don't think forcing TB 78 into testing is the answer, your users would
>>> be quite unhappy.
>>
>> I personally think that we already break the user experience as we
>> released TB for buster through stable-security and some days ago also
>> for LTS users. So I see no need to wait any longer. Currently the
>> upgrade path for buster users is at least broken for Thunderbird.
> 
> I guess the solution for that is to upload enigmail 2.2 as quickly as
> possible to stable(-security).
> It is not justification to break more stuff.
> 
> Fwiw, I'm willing to NMU enigmail, if there is no progress on #970111.
> 

So I decided to do that, and NMU enigmail.
I used Gregor's patches from [1] (thanks for that!) with some minor changes
- Updated to 2.2.4 (instead of 2.2.2)
- Marked the upload as NMU (versioned as 2:2.2.4-0.1) and removed Gregor
from Uploaders again. It seemed a bit controversial to add oneself to
Uploaders as part of an NMU
- Removed Files-Excluded from debian/copyright as the offending files
are no longer part of the dist tarball, so a repack is not necessary anymore

I gave the package some light testing and the migration wizard did
properly show up and import my private and public keys (it skipped one
public key, haven't investigated yet, why) and the account settings.

I've pushed my work to https://salsa.debian.org/biebl/enigmail and
uploaded to DELAYED/14.

Daniel, please holler if you want me to cancel the NMU.

Hopefully this helps to unbreak the current situation a bit.

Regards,
Michael

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970111#10

P.S: This is my first message with TB 78. Let's see if it's properly
signed...





Bug#971989: unblock: thunderbird/1:78.3.2-1

2020-10-20 Thread Michael Biebl
On 20.10.20 at 15:42, Carsten Schoenert wrote:
> Hello Michael,
> 
> On 20.10.20 at 14:54, Michael Biebl wrote:
>> Shouldn't we rather wait until such an updated enigmail package is
>> available? I see that the enigmail package has a bug report with
>> attached patches, maybe it's time to NMU (that said, I've explicitly
>> CCed Daniel, maybe he can chime in here)
>>
>> I don't think forcing TB 78 into testing is the answer, your users would
>> be quite unhappy.
> 
> I personally think that we already break the user experience as we
> released TB for buster through stable-security and some days ago also
> for LTS users. So I see no need to wait any longer. Currently the
> upgrade path for buster users is at least broken for Thunderbird.

I guess the solution for that is to upload enigmail 2.2 as quickly as
possible to stable(-security).
It is not justification to break more stuff.

Fwiw, I'm willing to NMU enigmail, if there is no progress on #970111.



Bug#971989: unblock: thunderbird/1:78.3.2-1

2020-10-20 Thread Michael Biebl
On 11.10.20 at 10:21, Carsten Schoenert wrote:

> So I'd like to suggest to remove (if this is possible) the auto
> migration testing of enigmail and jsunit against thunderbird. At least
> please allow the migration of the Thunderbird related packages into
> testing. I'm considering removal requests for enigmail and jsunit in
> testing.

Shouldn't we rather wait until such an updated enigmail package is
available? I see that the enigmail package has a bug report with
attached patches, maybe it's time to NMU (that said, I've explicitly
CCed Daniel, maybe he can chime in here)

I don't think forcing TB 78 into testing is the answer, your users would
be quite unhappy.

Regards,
Michael



Bug#956216: buster-pu: package systemd/241-7~deb10u3

2020-04-27 Thread Michael Biebl
On 25.04.20 at 21:41, Adam D. Barratt wrote:
> On Wed, 2020-04-08 at 16:11 +0200, Michael Biebl wrote:
> I'd be OK with that, but this will need a KiBi-ack, so CCing and
> tagging accordingly.

After talking to KiBi on IRC, we decided to include the fix for #958397
as well. I kept the changes minimal and only included 60-rules in
udev-udeb and the initramfs.

We might consider a different, opt-out approach for udev-rules in the
future as suggested by Steve [1] and Marco [2]. But that's probably too
invasive for a stable upload.

Updated debdiff is attached. The changes to the previous debdiff can be
found at
https://salsa.debian.org/systemd-team/systemd/-/commit/4b7f1d2b1763574cfc9ef43e728045518d440c1a


Regards,
Michael

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958397#12
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958397#22
diff --git a/debian/changelog b/debian/changelog
index 1d263f7..14ef57f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+systemd (241-7~deb10u4) buster; urgency=medium
+
+  * polkit: when authorizing via PolicyKit re-resolve callback/userdata
+instead of caching it.
+This fixes a heap use-after-free vulnerability in systemd, when
+asynchronous PolicyKit queries are performed while handling DBus messages.
+CVE-2020-1712 (Closes: #950732)
+  * Install 60-block.rules in udev-udeb and initramfs-tools.
+The block device rules were split out from 60-persistent-storage.rules
+into its own rules file in v220. Those rules ensure that change events
+are emitted and the udev db is updated after metadata changes.
+Thanks to Pascal Hambourg (Closes: #958397)
+
+ -- Michael Biebl   Mon, 27 Apr 2020 19:02:57 +0200
+
 systemd (241-7~deb10u3) buster; urgency=medium
 
   * core: set fs.file-max sysctl to LONG_MAX rather than ULONG_MAX.
diff --git a/debian/extra/initramfs-tools/hooks/udev 
b/debian/extra/initramfs-tools/hooks/udev
index 6305d09..bbbd351 100755
--- a/debian/extra/initramfs-tools/hooks/udev
+++ b/debian/extra/initramfs-tools/hooks/udev
@@ -28,7 +28,8 @@ if [ -d /etc/systemd/network ]; then
 fi
 
 mkdir -p "$DESTDIR/lib/udev/rules.d/"
-for rules in 50-firmware.rules 50-udev-default.rules 
60-persistent-storage.rules \
+for rules in 50-firmware.rules 50-udev-default.rules \
+60-block.rules 60-persistent-storage.rules \
 61-persistent-storage-android.rules 71-seat.rules 
73-special-net-names.rules \
 73-usb-net-by-mac.rules 75-net-description.rules \
 80-net-setup-link.rules 80-drivers.rules; do
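Review bot: the changelog entry says 60-block.rules is installed in udev-udeb as well as in the initramfs, but only the initramfs-tools hook change is visible in this excerpt; the udeb install list needs the same addition, otherwise d-i and the initramfs will differ in whether change events are emitted and the udev db updated after metadata changes, which is the very behaviour the entry says the rules provide.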
diff --git a/debian/patches/Fix-typo-in-function-name.patch 
b/debian/patches/Fix-typo-in-function-name.patch
new file mode 100644
index 000..4f3c521
--- /dev/null
+++ b/debian/patches/Fix-typo-in-function-name.patch
@@ -0,0 +1,77 @@
+From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= 
+Date: Tue, 4 Feb 2020 18:39:04 +0100
+Subject: Fix typo in function name
+
+(cherry picked from commit bc130b6858327b382b07b3985cf48e2aa9016b2d)
+(cherry picked from commit b4eb8848240c3540180e4768216a0b884a5ed783)
+(cherry picked from commit f14fa558ae9e139c94ee3af4a1ef1df313b2ff66)
+(cherry picked from commit dd8aa0871d9cafa60a916d4ec01dd82d64edf7ed)
+---
+ TODO| 2 +-
+ src/libsystemd/sd-bus/bus-message.h | 2 +-
+ src/libsystemd/sd-bus/sd-bus.c  | 8 
+ src/shared/bus-polkit.c | 2 +-
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/TODO b/TODO
+index 462db57..327fead 100644
+--- a/TODO
 b/TODO
+@@ -138,7 +138,7 @@ Features:
+ 
+ * the a-posteriori stopping of units bound to units that disappeared logic
+   should be reworked: there should be a queue of units, and we should only
+-  enqeue stop jobs from a defer event that processes queue instead of
++  enqueue stop jobs from a defer event that processes queue instead of
+   right-away when we find a unit that is bound to one that doesn't exist
+   anymore. (similar to how the stop-unneeded queue has been reworked the same
+   way)
+diff --git a/src/libsystemd/sd-bus/bus-message.h 
b/src/libsystemd/sd-bus/bus-message.h
+index 7fd3f11..849d638 100644
+--- a/src/libsystemd/sd-bus/bus-message.h
 b/src/libsystemd/sd-bus/bus-message.h
+@@ -211,4 +211,4 @@ int bus_message_remarshal(sd_bus *bus, sd_bus_message **m);
+ 
+ void bus_message_set_sender_driver(sd_bus *bus, sd_bus_message *m);
+ void bus_message_set_sender_local(sd_bus *bus, sd_bus_message *m);
+-int sd_bus_enqeue_for_read(sd_bus *bus, sd_bus_message *m);
++int sd_bus_enqueue_for_read(sd_bus *bus, sd_bus_message *m);
+diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
+index 94380af..c20adcf 100644
+--- a/src/libsystemd/sd-bus/sd-bus.c
 b/src/libsystemd/sd-bus/sd-bus.c
+@@ -4145,7 +4145,7 @@ _public_ int sd_bus_get_close_on_exit(sd_bus *bus) {
+ return bus->close_on_exit;
+ }
+ 
+-int sd_bus_enqeue_for_read(sd_bus *bus, sd_bus_message *m) {
++in
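Review bot: four stacked "(cherry picked from commit ...)" lines show this typo fix travelled through several stable branches before reaching the v241 series; the rename of sd_bus_enqeue_for_read() touches an internal header (bus-message.h) and a definition without the `_public_` marker that sd_bus_get_close_on_exit() above it carries, so it is ABI-neutral, but a pure typo fix looks out of place in a security stable update unless the header states that it is presumably a prerequisite for the CVE-2020-1712 backport in this same debdiff.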

Bug#956216: buster-pu: package systemd/241-7~deb10u4

2020-04-08 Thread Michael Biebl
Control: retitle -1  buster-pu: package systemd/241-7~deb10u4

Sorry, messed up the version in the Subject



Bug#956216: buster-pu: package systemd/241-7~deb10u3

2020-04-08 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to make a stable/buster upload for systemd fixing CVE-2020-1712
https://security-tracker.debian.org/tracker/CVE-2020-1712
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950732

After talking to the security team (namely Salvatore), we decided to fix
this issue via a stable upload.

The debdiff is a bit on the larger side, unfortunately.
Salvatore made a smaller backport avoiding some of the refactorings
that were done upstream
https://salsa.debian.org/systemd-team/systemd/-/merge_requests/69

I decided to go with the backport provided by upstream that was done for
the v241-stable branch mainly for two reasons:
- It makes potential future cherry-picks easier
- Doing our own backport has the potential to introduce Debian specific
  bugs

That said, if you prefer the more minimal backport from Salvatore,
please let me know and I'll redo the upload accordingly.

The changes are available at
https://salsa.debian.org/systemd-team/systemd/-/commits/debian/buster-proposed/

The debdiff is attached.

udev should not be affected (I've CCed kibi for his review/ACK)

Regards,
Michael


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 1d263f7..f8b017d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+systemd (241-7~deb10u4) buster; urgency=medium
+
+  * polkit: when authorizing via PolicyKit re-resolve callback/userdata
+instead of caching it.
+This fixes a heap use-after-free vulnerability in systemd, when
+asynchronous PolicyKit queries are performed while handling DBus messages.
+(CVE-2020-1712, Closes: #950732)
+
+ -- Michael Biebl   Wed, 08 Apr 2020 15:58:24 +0200
+
 systemd (241-7~deb10u3) buster; urgency=medium
 
   * core: set fs.file-max sysctl to LONG_MAX rather than ULONG_MAX.
diff --git a/debian/patches/Fix-typo-in-function-name.patch 
b/debian/patches/Fix-typo-in-function-name.patch
new file mode 100644
index 000..4f3c521
--- /dev/null
+++ b/debian/patches/Fix-typo-in-function-name.patch
@@ -0,0 +1,77 @@
+From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= 
+Date: Tue, 4 Feb 2020 18:39:04 +0100
+Subject: Fix typo in function name
+
+(cherry picked from commit bc130b6858327b382b07b3985cf48e2aa9016b2d)
+(cherry picked from commit b4eb8848240c3540180e4768216a0b884a5ed783)
+(cherry picked from commit f14fa558ae9e139c94ee3af4a1ef1df313b2ff66)
+(cherry picked from commit dd8aa0871d9cafa60a916d4ec01dd82d64edf7ed)
+---
+ TODO| 2 +-
+ src/libsystemd/sd-bus/bus-message.h | 2 +-
+ src/libsystemd/sd-bus/sd-bus.c  | 8 
+ src/shared/bus-polkit.c | 2 +-
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/TODO b/TODO
+index 462db57..327fead 100644
+--- a/TODO
 b/TODO
+@@ -138,7 +138,7 @@ Features:
+ 
+ * the a-posteriori stopping of units bound to units that disappeared logic
+   should be reworked: there should be a queue of units, and we should only
+-  enqeue stop jobs from a defer event that processes queue instead of
++  enqueue stop jobs from a defer event that processes queue instead of
+   right-away when we find a unit that is bound to one that doesn't exist
+   anymore. (similar to how the stop-unneeded queue has been reworked the same
+   way)
+diff --git a/src/libsystemd/sd-bus/bus-message.h 
b/src/libsystemd/sd-bus/bus-message.h
+index 7fd3f11..849d638 100644
+--- a/src/libsystemd/sd-bus/bus-message.h
 b/src/libsystemd/sd-bus/bus-message.h
+@@ -211,4 +211,4 @@ int bus_message_remarshal(sd_bus *bus, sd_bus_message **m);
+ 
+ void bus_message_set_sender_driver(sd_bus *bus, sd_bus_message *m);
+ void bus_message_set_sender_local(sd_bus *bus, sd_bus_message *m);
+-int sd_bus_enqeue_for_read(sd_bus *bus, sd_bus_message *m);
++int sd_bus_enqueue_for_read(sd_bus *bus, sd_bus_message *m);
+diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
+index 94380af..c20adcf 100644
+--- a/src/libsystemd/sd-bus/sd-bus.c
 b/src/libsystemd/sd-bus/sd-bus.c
+@@ -4145,7 +4145,7 @@ _public_ int sd_bus_get_close_on_exit(sd_bus *bus) {
+ return bus->close_on_exit;
+ }
+ 
+-int sd_bus_enqeue_for_read(sd_bus *bus, sd_bus_message *m) {
++int sd_bus_enqueue_for_read(sd_bus *bus, sd_bus_message *m) {
+ int r;
+ 
+ assert_return(bus, -EINVAL);
+@@ -4157,9 +4157,9 @@ int sd_bus_enqeue_for_read(sd_bus *bus, sd_bus_message 
*m) {
+ if (!BUS_IS_OPEN(bus-
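The pattern behind the CVE-2020-1712 fix discussed in this bug ("re-resolve callback/userdata instead of caching it"), as an added example that is not systemd's code and not part of this debdiff: a pending asynchronous authorization query is stored under an id, and the reply path looks the callback and its userdata up again when the answer arrives, so a reply that outlives the object it was issued for finds nothing instead of touching freed memory. All type, function and scenario names here are constructed for the demo.

```c
/* Added example (not systemd's code): id-keyed lookup of an async
 * authorization request at reply time, the fix pattern behind CVE-2020-1712. */
#include <stdint.h>
#include <stdlib.h>

typedef void (*auth_handler_t)(void *userdata, int authorized);

typedef struct Request {
    uint64_t id;                /* what the reply carries back; never a pointer */
    auth_handler_t handler;
    void *userdata;
    struct Request *next;
} Request;

static Request *pending;        /* queries still waiting for an answer */
static uint64_t next_id = 1;

/* Remember handler/userdata for a query. Returns its id, or 0 on OOM. */
uint64_t request_register(auth_handler_t handler, void *userdata) {
    Request *r = calloc(1, sizeof *r);
    if (!r)
        return 0;
    r->id = next_id++;
    r->handler = handler;
    r->userdata = userdata;
    r->next = pending;
    pending = r;
    return r->id;
}

/* Detach and return the pending entry for id, or NULL if it is gone. */
static Request *request_take(uint64_t id) {
    for (Request **pp = &pending; *pp; pp = &(*pp)->next)
        if ((*pp)->id == id) {
            Request *r = *pp;
            *pp = r->next;
            return r;
        }
    return NULL;
}

/* The owner of userdata is going away (connection closed, object freed):
 * drop the entry so a late reply cannot reach it. Returns 1 if one was found. */
int request_cancel(uint64_t id) {
    Request *r = request_take(id);
    if (!r)
        return 0;
    free(r);
    return 1;
}

/* Reply path. The fixed code re-resolves by id here; a handler/userdata
 * pointer captured at registration time would dangle once the owner is freed.
 * Returns 1 if a handler ran, 0 if the query had been cancelled meanwhile. */
int reply_deliver(uint64_t id, int authorized) {
    Request *r = request_take(id);
    auth_handler_t h;
    void *ud;
    if (!r)
        return 0;
    h = r->handler;
    ud = r->userdata;
    free(r);                    /* entry is gone before the handler runs */
    h(ud, authorized);
    return 1;
}

/* --- demo: a client object that may be freed before the answer arrives --- */
typedef struct Client { int authorized; } Client;

static void on_auth(void *userdata, int authorized) {
    ((Client *) userdata)->authorized = authorized;
}

/* Happy path: the client is still alive, the reply reaches it. */
int scenario_live(void) {
    Client c = { 0 };
    uint64_t id = request_register(on_auth, &c);
    return id != 0 && reply_deliver(id, 1) == 1 && c.authorized == 1;
}

/* Teardown race: the client is destroyed, then the reply arrives. With id
 * lookup the reply finds nothing and the freed memory is never touched. */
int scenario_freed_before_reply(void) {
    Client *c = calloc(1, sizeof *c);
    uint64_t id = c ? request_register(on_auth, c) : 0;
    if (id == 0) {
        free(c);
        return 0;
    }
    request_cancel(id);         /* done by the owner's destructor */
    free(c);
    return reply_deliver(id, 1) == 0 && pending == NULL;
}
```

The cancel step is the part that must not be forgotten: the destructor of whatever owns the userdata has to remove its pending ids, and the reply path must tolerate a missing entry rather than assume one exists. In a real bus service the id would be the serial of the outstanding PolicyKit call rather than a local counter.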

Bug#950166: buster-pu: package systemd/241-7~deb10u3

2020-01-29 Thread Michael Biebl
Hi Adam

On 29.01.20 at 20:11, Adam D. Barratt wrote:
> I think I'd be OK with either, looking over the changes, so am happy to
> leave the choice up to your judgement. If you decide to include all of
> the changes, please could you update the diff attached here for
> completeness.

Thanks for your quick reply. I decided to not do any further changes and
uploaded systemd_241-7~deb10u3 as-is after seeing kibi's ack.

Regards,
Michael





Bug#950166: buster-pu: package systemd/241-7~deb10u3

2020-01-29 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

first of all, apologies that this pu request comes rather late.
I first didn't plan to prepare a release for 10.3, but today #930178 was
reassigned to systemd, which reminded me that this is an issue we
should fix for stable. So here it goes:

I'd like to fix the following two issues in systemd:


systemd (241-7~deb10u3) buster; urgency=medium

  * core: set fs.file-max sysctl to LONG_MAX rather than ULONG_MAX.
Since kernel 5.2 (but also stable kernels like 4.19.53) the kernel
thankfully returns proper errors when we write a value out of range to
the sysctl. Which however breaks writing ULONG_MAX to request the
maximum value. Hence let's write the new maximum value instead,
LONG_MAX. (Closes: #945018)

https://salsa.debian.org/systemd-team/systemd/commit/673e108907baf1a242c4842ace6e9e3a23b11d52

Upstream cherry-pick, fixed in unstable/testing. Rather straightforward
fix. I wasn't planning on doing a stable upload for this issue alone but
only in combination with other fixes.

  * core: change ownership/mode of the execution directories also for static
users.
This ensures that execution directories like CacheDirectory and
StateDirectory are properly chowned to the user specified in User= before
launching the service. (Closes: #919231)

https://salsa.debian.org/systemd-team/systemd/commit/e9c8637d06e373430b8986643cfb537a23b0b1fd

This is an upstream cherry-pick from 
https://github.com/systemd/systemd/pull/12005
I'm a bit undecided whether to cherry-pick all changes from this PR
(which look like worthwhile changes to have) or only commit
206e9864de460dd79d9edd7bedb47dee168765e1.

I decided for the latter for now, as it keeps the changes minimal and
seems to fix the issue at hand. That said, would welcome your feedback
here. Would you prefer that we pull in the complete upstream PR #12005
or keep the changes minimal?

PR #12005 is part of v242, i.e. fixed in unstable/testing.


Those changes don't touch udev, but will need an ack from kibi (which
I've CCed).

Regards,
Michael

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index f63e21d..1d263f7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+systemd (241-7~deb10u3) buster; urgency=medium
+
+  * core: set fs.file-max sysctl to LONG_MAX rather than ULONG_MAX.
+Since kernel 5.2 (but also stable kernels like 4.19.53) the kernel
+thankfully returns proper errors when we write a value out of range to
+the sysctl. Which however breaks writing ULONG_MAX to request the
+maximum value. Hence let's write the new maximum value instead,
+LONG_MAX. (Closes: #945018)
+  * core: change ownership/mode of the execution directories also for static
+users.
+This ensures that execution directories like CacheDirectory and
+StateDirectory are properly chowned to the user specified in User= before
+    launching the service. (Closes: #919231)
+
+ -- Michael Biebl   Wed, 29 Jan 2020 19:07:53 +0100
+
 systemd (241-7~deb10u2) buster; urgency=medium
 
   * core: never propagate reload failure to service result.
diff --git a/debian/gbp.conf b/debian/gbp.conf
index b0e0001..9591e25 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,7 +1,8 @@
 [DEFAULT]
 pristine-tar = True
 patch-numbers = False
-debian-branch = buster
+debian-branch = debian/buster
+upstream-branch = upstream/latest
 
 [dch]
 full = True
diff --git 
a/debian/patches/core-change-ownership-mode-of-the-execution-directories-a.patch
 
b/debian/patches/core-change-ownership-mode-of-the-execution-directories-a.patch
new file mode 100644
index 000..6f8b0fc
--- /dev/null
+++ 
b/debian/patches/core-change-ownership-mode-of-the-execution-directories-a.patch
@@ -0,0 +1,85 @@
+From: Lennart Poettering 
+Date: Thu, 14 Mar 2019 17:19:30 +0100
+Subject: core: change ownership/mode of the execution directories also for
+ static users
+
+It's probably unexpected if we do a recursive chown() when dynamic users
+are used but not on static users.
+
+hence, let's tweak the logic slightly, and recursively chown in both
+cases, except when operating on the configuration directory.
+
+Fixes: #11842
+(cherry picked from commit 206e9864de460dd79d9edd7bedb47dee168765e1)
+---
+ src/core/execute.c | 47 ++-
+ 1 file changed, 26 insertions(+), 21 deletions(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index 
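Review bot: the changelog wording "properly chowned to the user specified in User=" (debian/changelog hunk above) understates what this cherry-pick does: the patch description says the recursive chown() is now applied for static users as well, so when the execution directories are set up for a service the full contents of StateDirectory/CacheDirectory are re-owned to User=, which silently re-owns files an administrator placed there under another uid. For a stable update that is a behaviour change worth one extra sentence in the changelog, e.g. "Note that, as already done for DynamicUser=, existing files in these directories are now recursively chowned."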

Bug#941738: buster-pu: package network-manager/1.14.6-2+deb10u1

2019-10-30 Thread Michael Biebl
retitle 941738 buster-pu: package network-manager/1.14.6-2+deb10u1
thanks

Am 04.10.19 um 15:20 schrieb Michael Biebl:
> Am 04.10.19 um 15:09 schrieb Michael Biebl:
>> +network-manager (1.14.6-3) stable; urgency=medium
> 
> 1.14.6-3 is unused so far, but I guess it would be better to use
> 1.14.6-2+deb10u1 instead?

I guess the latter is more in line with current practice, so retitling
the bug report accordingly. Updated debdiff attached.


Please let me know if I can proceed with the upload.

Regards,
Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
diff --git a/debian/changelog b/debian/changelog
index 7cb171e5a..13658c1c3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+network-manager (1.14.6-2+deb10u1) stable; urgency=medium
+
+  * core: fix file permissions for "/var/lib/NetworkManager/secret_key"
+Patch cherry-picked from upstream.
+  * Fix permissions of /var/lib/NetworkManager/secret_key on upgrades.
+The file mode is supposed to be 0600. (Closes: #941609)
+  * Install directories as created by upstream build system.
+Drop network-manager.dirs and instead use the directories created by the
+upstream build system. Fix permissions of /var/lib/NetworkManager to be
+0700 as it contains possibly sensitive data and should not be
+world-readable.
+  * d/gbp.conf: Set debian-branch to buster
+
+ -- Michael Biebl   Fri, 04 Oct 2019 15:03:20 +0200
+
 network-manager (1.14.6-2) unstable; urgency=medium
 
   * supplicant: fix setting pmf when the supplicant doesn't advertise support
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 478d845ce..3c81df87a 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,4 +1,4 @@
 [DEFAULT]
 pristine-tar = True
 patch-numbers = False
-debian-branch = master
+debian-branch = buster
diff --git a/debian/network-manager.dirs b/debian/network-manager.dirs
deleted file mode 100644
index e09403be4..0
--- a/debian/network-manager.dirs
+++ /dev/null
@@ -1,10 +0,0 @@
-etc/NetworkManager/conf.d/
-etc/NetworkManager/dispatcher.d/no-wait.d/
-etc/NetworkManager/dispatcher.d/pre-down.d/
-etc/NetworkManager/dispatcher.d/pre-up.d/
-etc/NetworkManager/dnsmasq.d/
-etc/NetworkManager/dnsmasq-shared.d/
-etc/NetworkManager/system-connections/
-usr/lib/NetworkManager/conf.d/
-usr/lib/NetworkManager/VPN/
-var/lib/NetworkManager/
diff --git a/debian/network-manager.install b/debian/network-manager.install
index 0f1e82ae5..3f94d7a46 100644
--- a/debian/network-manager.install
+++ b/debian/network-manager.install
@@ -2,10 +2,7 @@ usr/sbin/NetworkManager
 usr/bin/nm-online
 usr/bin/nmcli
 usr/bin/nmtui*
-usr/lib/NetworkManager/nm-dhcp-helper
-usr/lib/NetworkManager/nm-iface-helper
-usr/lib/NetworkManager/nm-dispatcher
-usr/lib/NetworkManager/nm-initrd-generator
+usr/lib/NetworkManager/
 usr/lib/*/NetworkManager/*/libnm-settings-plugin-ifupdown.so
 usr/lib/*/NetworkManager/*/libnm-device-plugin-*.so
 usr/lib/*/NetworkManager/*/libnm-ppp-plugin.so
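Review bot: replacing the four explicit nm-* helper entries with the directory entry usr/lib/NetworkManager/ (first hunk) means the binary package now ships whatever else the upstream build drops into that directory, not only the conf.d/ and VPN/ directories that used to come from network-manager.dirs; for a stable update please confirm with a binary debdiff against 1.14.6-2 that the only new paths are etc/NetworkManager/*, usr/lib/NetworkManager/conf.d/, usr/lib/NetworkManager/VPN/ and var/lib/NetworkManager/.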
@@ -18,7 +15,8 @@ usr/share/dbus-1/system.d/org.freedesktop.NetworkManager.conf
 usr/share/dbus-1/system.d/nm-dispatcher.conf
 usr/share/polkit-1/
 usr/share/bash-completion/
-etc/NetworkManager/dispatcher.d/
+etc/NetworkManager/
+var/lib/NetworkManager/
 lib/udev/rules.d/*.rules
 lib/systemd/system/NetworkManager.service
 lib/systemd/system/NetworkManager-dispatcher.service
diff --git a/debian/network-manager.postinst b/debian/network-manager.postinst
index 0f95087f8..7f0589da6 100644
--- a/debian/network-manager.postinst
+++ b/debian/network-manager.postinst
@@ -24,6 +24,9 @@ case "$1" in
 # org.freedesktop.NetworkManager.settings.modify.system without prior 
authentication
 addgroup --quiet --system netdev
 
+# This directory can contain sensitive data and should not be 
world-readable
+chmod 0700 /var/lib/NetworkManager
+
 NIF=/etc/network/interfaces
 if [ -z "$2" ] && [ -f $NIF ]; then
 ifaces=`grep -v '^#' $NIF | awk '/iface/ {print $2}' | sort -u | 
sed -e 's/lo//' -e '/^$/d' -e 's/^/- /'`
@@ -44,6 +47,12 @@ case "$1" in
 ln -sf  /run/NetworkManager/resolv.conf /etc/resolv.conf
 fi
 fi
+
+if dpkg --compare-versions "$2" lt-nl "1.14.6-3"; then
+if [ -f /var/lib/NetworkManager/secret_key ]; then
+chmod 0600 /var/lib/NetworkManager/secret_key
+fi
+fi
 ;;
 
 abort-upgrade|abort-deconfigure|abort-remove)
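Review bot: the guard `dpkg --compare-versions "$2" lt-nl "1.14.6-3"` still names the version from the first debdiff, while this upload is 1.14.6-2+deb10u1 (changelog hunk above; the postinst index line 0f95087f8..7f0589da6 is unchanged from the earlier debdiff). It still works, because 1.14.6-2+deb10u1 sorts before 1.14.6-3, but it also re-runs the chmod on every later +deb10uN upgrade (harmless only because chmod is idempotent). The string should be "1.14.6-2+deb10u1" so the guard matches the version that introduced the fix.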
diff --git 
a/debian/patches/core-fix-file-permissions-for-var-lib-NetworkManager-secr.patch
 
b/debian/patches/core-fix-file-permissions-for-var-lib-NetworkManager-secr.patch
new file mode 100644
index 0..8e51fa6a4
--- /dev/null
+++ 
b/debian/patches/core-fix-file-permissions-for-var-lib-NetworkManager-secr.patch
@@

Bug#942446: buster-pu: package systemd/241-7~deb10u2

2019-10-16 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to make a stable upload for systemd, fixing various issues,
including a CVE.

A full debdiff is attached, an annotated changelog follows.

I've also CCed d-i/kibi, as we build a udeb.
I don't think we have any changes that affect the installer, that said,
a test run/review by kibi would be very much appreciated.

systemd (241-7~deb10u2) buster; urgency=medium

  * core: never propagate reload failure to service result.
Fixes a regression introduced in v239 where the main process of a
service unit gets killed on reload if ExecReload fails. (Closes: #936032)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936032
https://salsa.debian.org/systemd-team/systemd/commit/3802da815587058dedc75e7fec7e1de993a6c549

  * shared/seccomp: add sync_file_range2.
Some architectures need the arguments to be reordered because of alignment
issues. Otherwise, it's the same as sync_file_range.
Fixes sync_file_range failures in nspawn containers on arm, ppc.
(Closes: #935091)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935091
https://salsa.debian.org/systemd-team/systemd/commit/e050f84ccbf3f6c689c706fdf7a5d759b8a49d60

  * core: factor root_directory application out of apply_working_directory.
Fixes RootDirectory not working when used in combination with User.
(Closes: #939408)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939408
https://salsa.debian.org/systemd-team/systemd/commit/0686cb963a02990f5b9c3e04c3da6a7c44a1e96c

  * shared/bus-util: drop trusted annotation from
bus_open_system_watch_bind_with_description().
This ensures that access controls on systemd-resolved's D-Bus interface
are enforced properly.
(CVE-2019-15718, Closes: #939353)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939353
https://salsa.debian.org/systemd-team/systemd/commit/d1cd6601c96c8b00e35ab84142a628f5838b5473

  * login: add a missing error check for session_set_leader()
Fixes assertion due to insufficient function return check.
(Closes: #939998)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939998
https://salsa.debian.org/systemd-team/systemd/commit/6ffdf1f33fc11aeafdcd5b62e3083d40fd43b36e

  * d/e/r/73-usb-net-by-mac.rules: import net.ifnames only for network devices
(Closes: #934589)
  * d/e/r/73-usb-net-by-mac.rules: skip if iface name was provided by user-space

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934589
https://salsa.debian.org/systemd-team/systemd/commit/933b0b9c546bcc0c1ff5cdfec8b528ac80926622
https://salsa.debian.org/systemd-team/systemd/commit/93da42a3ecfee7731ddb843aec307f84f3843788

  * namespace: make MountFlags=shared work again (Closes: #939551)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939551
https://salsa.debian.org/systemd-team/systemd/commit/ee6f86d86cb791a09b9de6b43f8fa5f832c757e2

  * mount/generators: do not make unit wanted by its device unit.
Among other things, this fixes StopWhenUnneeded=true being broken for
mount units. (Closes: #941758)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941758
https://salsa.debian.org/systemd-team/systemd/commit/e1be83ad48df9743cabc0c23c086f6f53e8eb46d

 -- Michael Biebl   Wed, 16 Oct 2019 15:24:54 +0200


All patches are cherry-picks from upstream, all bugs have been fixed
in sid/bullseye, so have seen some wider testing without any reported
regressions so far.

Regards,
Michael

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 498f68a..f63e21d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,34 @@
+systemd (241-7~deb10u2) buster; urgency=medium
+
+  * core: never propagate reload failure to service result.
+Fixes a regression introduced in v239 where the main process of a
+service unit gets killed on reload if ExecReload fails. (Closes: #936032)
+  * shared/seccomp: add sync_file_range2.
+Some architectures need the arguments to be reordered because of alignment
+issues. Otherwise, it's the same as sync_file_range.
+Fixes sync_file_range failures in nspawn containers on arm, ppc.
+(Closes: #935091)
+  * core: factor root_directory application out of apply_working_directory.
+Fixes RootDirectory not working when used in combination with User.
+(Closes: #939408)
+  * shared/bus-util: drop trusted annotation from
+bus_open_system_watch_bind_with_description().
+This ensures that acc

Bug#941738: buster-pu: package network-manager/1.14.6-3

2019-10-04 Thread Michael Biebl
Am 04.10.19 um 15:09 schrieb Michael Biebl:
> +network-manager (1.14.6-3) stable; urgency=medium

1.14.6-3 is unused so far, but I guess it would be better to use
1.14.6-2+deb10u1 instead?


Let me know what you prefer.


Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#941738: buster-pu: package network-manager/1.14.6-3

2019-10-04 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi stable release team,

I'd like to make a stable upload for network-manager fixing 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941609
 "network-manager: generates world-{read,execut}able secret_key file (in
 buster)"

The fix is already in unstable (uploaded as 1.20.4-2).
In addition to fixing the file permissions of
/var/lib/NetworkManager/secret_key I've also applied some hardening by
changing the directory permissions of /var/lib/NetworkManager/ to 0700
as recommended by upstream.

I talked to upstream and the security team and they consider the issue
not severe enough for a stable-security upload.

Full debdiff is attached.

Regards,
Michael



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 7cb171e5a..24bb332fc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+network-manager (1.14.6-3) stable; urgency=medium
+
+  * core: fix file permissions for "/var/lib/NetworkManager/secret_key"
+Patch cherry-picked from upstream.
+  * Fix permissions of /var/lib/NetworkManager/secret_key on upgrades.
+The file mode is supposed to be 0600. (Closes: #941609)
+  * Install directories as created by upstream build system.
+Drop network-manager.dirs and instead use the directories created by the
+upstream build system. Fix permissions of /var/lib/NetworkManager to be
+0700 as it contains possibly sensitive data and should not be
+world-readable.
+  * d/gbp.conf: Set debian-branch to buster
+
+ -- Michael Biebl   Fri, 04 Oct 2019 15:03:20 +0200
+
 network-manager (1.14.6-2) unstable; urgency=medium
 
   * supplicant: fix setting pmf when the supplicant doesn't advertise support
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 478d845ce..3c81df87a 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,4 +1,4 @@
 [DEFAULT]
 pristine-tar = True
 patch-numbers = False
-debian-branch = master
+debian-branch = buster
diff --git a/debian/network-manager.dirs b/debian/network-manager.dirs
deleted file mode 100644
index e09403be4..0
--- a/debian/network-manager.dirs
+++ /dev/null
@@ -1,10 +0,0 @@
-etc/NetworkManager/conf.d/
-etc/NetworkManager/dispatcher.d/no-wait.d/
-etc/NetworkManager/dispatcher.d/pre-down.d/
-etc/NetworkManager/dispatcher.d/pre-up.d/
-etc/NetworkManager/dnsmasq.d/
-etc/NetworkManager/dnsmasq-shared.d/
-etc/NetworkManager/system-connections/
-usr/lib/NetworkManager/conf.d/
-usr/lib/NetworkManager/VPN/
-var/lib/NetworkManager/
diff --git a/debian/network-manager.install b/debian/network-manager.install
index 0f1e82ae5..3f94d7a46 100644
--- a/debian/network-manager.install
+++ b/debian/network-manager.install
@@ -2,10 +2,7 @@ usr/sbin/NetworkManager
 usr/bin/nm-online
 usr/bin/nmcli
 usr/bin/nmtui*
-usr/lib/NetworkManager/nm-dhcp-helper
-usr/lib/NetworkManager/nm-iface-helper
-usr/lib/NetworkManager/nm-dispatcher
-usr/lib/NetworkManager/nm-initrd-generator
+usr/lib/NetworkManager/
 usr/lib/*/NetworkManager/*/libnm-settings-plugin-ifupdown.so
 usr/lib/*/NetworkManager/*/libnm-device-plugin-*.so
 usr/lib/*/NetworkManager/*/libnm-ppp-plugin.so
@@ -18,7 +15,8 @@ usr/share/dbus-1/system.d/org.freedesktop.NetworkManager.conf
 usr/share/dbus-1/system.d/nm-dispatcher.conf
 usr/share/polkit-1/
 usr/share/bash-completion/
-etc/NetworkManager/dispatcher.d/
+etc/NetworkManager/
+var/lib/NetworkManager/
 lib/udev/rules.d/*.rules
 lib/systemd/system/NetworkManager.service
 lib/systemd/system/NetworkManager-dispatcher.service
diff --git a/debian/network-manager.postinst b/debian/network-manager.postinst
index 0f95087f8..7f0589da6 100644
--- a/debian/network-manager.postinst
+++ b/debian/network-manager.postinst
@@ -24,6 +24,9 @@ case "$1" in
 # org.freedesktop.NetworkManager.settings.modify.system without prior 
authentication
 addgroup --quiet --system netdev
 
+# This directory can contain sensitive data and should not be 
world-readable
+chmod 0700 /var/lib/NetworkManager
+
 NIF=/etc/network/interfaces
 if [ -z "$2" ] && [ -f $NIF ]; then
 ifaces=`grep -v '^#' $NIF | awk '/iface/ {print $2}' | sort -u | 
sed -e 's/lo//' -e '/^$/d' -e 's/^/- /'`
@@ -44,6 +47,12 @@ case "$1" in
 ln -sf  /run/NetworkManager/resolv.conf /etc/resolv.conf
 f
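A small audit/remediation check for the permissions this upload fixes, added here as an example (it is not the network-manager package's own code and not part of the debdiff): it flags a world-readable secret_key or state directory and applies the same 0600/0700 modes the postinst uses. The demo_fixture() helper builds a constructed temporary copy of the state directory, so nothing touches /var/lib/NetworkManager unless you pass that path yourself.

```python
"""Audit and remediate NetworkManager state-directory permissions.

Added example, not the network-manager package's own code. It mirrors the
fix for #941609: /var/lib/NetworkManager must be 0700 and secret_key 0600,
because both can hold sensitive data and must not be world-readable.
"""
import os
import stat
import tempfile
from typing import List, Tuple

NM_STATE_DIR = "/var/lib/NetworkManager"   # real path from the bug report
SECRET_KEY_NAME = "secret_key"
DIR_MODE = 0o700                           # mode the postinst applies to the dir
FILE_MODE = 0o600                          # mode the postinst applies to secret_key

# (path, actual permission bits, expected permission bits)
Finding = Tuple[str, int, int]


def _mode(path: str) -> int:
    """Permission bits of path (no file-type bits), not following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_nm_state(state_dir: str = NM_STATE_DIR) -> List[Finding]:
    """Return every path whose mode grants bits beyond the expected mode.

    Only extra bits are flagged, so a stricter mode (e.g. a 0400 secret_key)
    passes. A secret_key that is a symlink is skipped rather than chmod'ed
    through the link.
    """
    findings: List[Finding] = []
    dir_mode = _mode(state_dir)
    if dir_mode & ~DIR_MODE:
        findings.append((state_dir, dir_mode, DIR_MODE))
    key = os.path.join(state_dir, SECRET_KEY_NAME)
    if os.path.isfile(key) and not os.path.islink(key):
        key_mode = _mode(key)
        if key_mode & ~FILE_MODE:
            findings.append((key, key_mode, FILE_MODE))
    return findings


def harden_nm_state(state_dir: str = NM_STATE_DIR) -> List[Finding]:
    """Apply the expected modes, like the postinst chmod calls, and report changes.

    Running it on an already-correct tree changes nothing, matching the
    postinst's property of being safe to re-run on every upgrade.
    """
    fixed: List[Finding] = []
    for path, actual, expected in audit_nm_state(state_dir):
        os.chmod(path, expected)
        fixed.append((path, actual, expected))
    return fixed


def demo_fixture() -> str:
    """Build a constructed temporary copy of the state dir with the pre-fix modes."""
    root = tempfile.mkdtemp(prefix="nm-state-")
    os.chmod(root, 0o755)                  # directory mode before the fix
    key = os.path.join(root, SECRET_KEY_NAME)
    with open(key, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    os.chmod(key, 0o755)                   # world-readable and executable, as in #941609
    return root


if __name__ == "__main__":
    demo = demo_fixture()
    for path, actual, expected in audit_nm_state(demo):
        print(f"{path}: mode {actual:04o}, expected {expected:04o}")
    harden_nm_state(demo)
    print("remaining findings:", audit_nm_state(demo))
```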

Bug#934132: Unblock elogind 241.3-1+debian1 migration to bullseye

2019-09-03 Thread Michael Biebl
Am 03.09.19 um 16:29 schrieb Mark Hindley:
> On Wed, Aug 14, 2019 at 07:22:47PM +0100, Jonathan Wiltshire wrote:
>> I think your summary is fine. However, this is not my area of expertise and
>> I'm rather hoping Julien or Ansgar will chime in with an update.
>>
>> It certainly wouldn't be appropriate for me to remove a block put in place
>> by someone else without extenuating circumstances.
> 
> Julien,
> 
> I am still waiting for some constructive engagement over this.
> 
> As Jonathan's comment above makes clear and is echoed by this exchange on
> #debian-release yesterday:
> 
>  Hello. #934132 is still outstanding and is now preventing resolution
>of RC bug in bullseye #939101.  [12:13]
>  Can we find a resolution to #934132? Thanks.  [12:17]
>  weasel: zwiebelbot is missing here  [12:34]
>  jcristau: ^ (#934132)  [13:12]
>  jmw: well i still think shipping this thing is a bad idea.  but i'm
>  ok with somebody else removing the block.  [13:21]
>  I don't know enough about it to make a call on that
>  but I think LeePen would appreciate some sort of response
> 
> it is obvious and completely understandable that other members of the Release
> Team will not overrule your hint blocking elogind migration to bullseye. So,
> resolution of this bug (and the resulting FTBFS in bullseye) is down to you.
> 
> I have tried to answer your concerns in detail. If you think my answers are
> inadequate or still think there are issues that need to be addressed, please
> specify them. If not, please remove your block of elogind's migration to
> testing.
> 
> Thank you.
> 
> Mark
> 

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934491

This bug report should be taken into account here. Not sure why this is
not marked as RC given that it can pretty much hose your system.
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?



Bug#933125: buster-pu: package systemd/241-5+deb10u1

2019-08-18 Thread Michael Biebl
Hi Adam

Am 16.08.19 um 22:08 schrieb Adam D. Barratt:
> Control: tags -1 + confirmed
> 
> On Fri, 2019-07-26 at 21:43 +0200, Michael Biebl wrote:
>> I'd like to make a stable upload for systemd, fixing the following
>> issues:
> [...]
>> 241-5+deb10u1 is identical to 241-7 which has been uploaded to
>> unstable/bullseye and we haven't received any regression reports so
>> far.
> 
> In that case, feel free to make it -7~deb10u1, with the appropriate
> changelog wrangling, if that would be preferable.


I considered adding a changelog entry like this as it seemed the most
obvious correct one:

--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+systemd (241-7~deb10u1) buster; urgency=medium
+
+  * Rebuild for buster
+
+ -- Michael Biebl   Sat, 17 Aug 2019 11:00:59 +0200
+
 systemd (241-7) unstable; urgency=medium

   [ Michael Biebl ]



But this then triggers warnings from dpkg-genchanges:

dpkg-genchanges: warning: the current version (241-7~deb10u1) is earlier
than the previous one (241-7)

and lintian:
W: systemd: latest-debian-changelog-entry-without-new-version



To avoid that, I could rewrite the old changelog entry for 241-7 like this

--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-systemd (241-7) unstable; urgency=medium
+systemd (241-7~deb10u1) buster; urgency=medium

   [ Michael Biebl ]
   * network: Fix failure to bring up interface with Linux kernel 5.2.



Rewriting the old changelog entry for 241-7 feels wrong though.

Adam, so I wonder, what's the proper changelog wrangling in this case?


Regards,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#933125: buster-pu: package systemd/241-5+deb10u1

2019-07-26 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to make a stable upload for systemd, fixing the following
issues:

systemd (241-5+deb10u1) buster; urgency=medium

  * ask-password: Prevent buffer overflow when reading from keyring.
Fixes a possible memory corruption that causes systemd-cryptsetup to
crash either when a single large password is used or when multiple
passwords have already been pushed to the keyring. (Closes: #929726)

https://salsa.debian.org/systemd-team/systemd/commit/3baec22e1fcd89a3b6d93d9a3e59bf7fa7114714

  * Clarify documentation regarding %h/%u/%U specifiers.
Make it clear, that setting "User=" has no effect on those specifiers.
Also ensure that "%h" is actually resolved to "/root" for the system
manager instance as documented in the systemd.unit man page.
(Closes: #927911)

https://salsa.debian.org/systemd-team/systemd/commit/fef3138711bd858d1718b458d257fa73317d532d

  * network: Behave more gracefully when IPv6 has been disabled.
Ignore any configured IPv6 settings when IPv6 has been disabled in the
kernel via sysctl. Instead of failing completely, continue and log a
warning instead. (Closes: #929469)

https://salsa.debian.org/systemd-team/systemd/commit/2f37176282a3f02d8839158441ba70fe3975d2b0

  * network: Fix failure to bring up interface with Linux kernel 5.2.
Backport two patches from systemd master in order to fix a bug with 5.2
kernels where the network interface fails to come up with the following
error: "enp3s0: Could not bring up interface: Invalid argument"
(Closes: #931636)

https://salsa.debian.org/systemd-team/systemd/commit/cce6b9e2c23c315659147cb28ad1a8947995a997

  * Use /usr/sbin/nologin as nologin shell.
In Debian the nologin shell is installed in /usr/sbin, not /sbin.
(Closes: #931850)

https://salsa.debian.org/systemd-team/systemd/commit/b0c697c519b731094d4ad11ae59afd76c1901aae

  [ Mert Dirik ]
  * 40-systemd: Don't fail if SysV init script uses set -u and $1 is unset
(Closes: #931719)

https://salsa.debian.org/systemd-team/systemd/commit/3f1c8e9d4c9bc5f49a13b2415f8f8845423f347f

241-5+deb10u1 is identical to 241-7 which has been uploaded to
unstable/bullseye and we haven't received any regression reports so far.

None of those changes should touch udev-udeb, i.e. d-i.
That said, I've added kibi/debian-boot to CC for his ack.

Regards,
Michael


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index ed55c95..a421cb9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,33 @@
+systemd (241-5+deb10u1) buster; urgency=medium
+
+  * ask-password: Prevent buffer overflow when reading from keyring.
+Fixes a possible memory corruption that causes systemd-cryptsetup to
+crash either when a single large password is used or when multiple
+passwords have already been pushed to the keyring. (Closes: #929726)
+  * Clarify documentation regarding %h/%u/%U specifiers.
+Make it clear, that setting "User=" has no effect on those specifiers.
+Also ensure that "%h" is actually resolved to "/root" for the system
+manager instance as documented in the systemd.unit man page.
+(Closes: #927911)
+  * network: Behave more gracefully when IPv6 has been disabled.
+Ignore any configured IPv6 settings when IPv6 has been disabled in the
+kernel via sysctl. Instead of failing completely, continue and log a
+warning instead. (Closes: #929469)
+  * network: Fix failure to bring up interface with Linux kernel 5.2.
+Backport two patches from systemd master in order to fix a bug with 5.2
+kernels where the network interface fails to come up with the following
+error: "enp3s0: Could not bring up interface: Invalid argument"
+(Closes: #931636)
+  * Use /usr/sbin/nologin as nologin shell.
+In Debian the nologin shell is installed in /usr/sbin, not /sbin.
+(Closes: #931850)
+
+  [ Mert Dirik ]
+  * 40-systemd: Don't fail if SysV init script uses set -u and $1 is unset
+(Closes: #931719)
+
+ -- Michael Biebl   Fri, 26 Jul 2019 21:32:04 +0200
+
 systemd (241-5) unstable; urgency=medium
 
   * Revert "Add check to switch VTs only between K_XLATE or K_UNICODE"
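Review bot: the first entry ("ask-password: Prevent buffer overflow when reading from keyring") describes memory corruption in systemd-cryptsetup, a root process handling passphrases, yet neither the changelog nor the pu request records whether the security team was asked if this should go out via stable-security instead of, or in addition to, the point release. Please note that decision in the bug, and if a CVE id is assigned, add it to the entry next to Closes: #929726.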
diff --git a/debian/extra/init-functions.d/40-systemd 
b/debian/extra/init-functions.d/40-systemd
index 4fa9b9c..e944acb 100644
--- a/debian

Bug#932665: stretch-pu: package systemd/232-25+deb9u12

2019-07-21 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to make a stable upload for stretch.

It fixes an issue in networkd, which is not enabled by default, but
apparently sees increased usage, so it seems worthwhile fixing it, as it
can result in loss of IPv4 connectivity on DHCPv4 lease expirations.


Full debdiff is attached.

Regards,
Michael

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 5971d52..a985539 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+systemd (232-25+deb9u12) stretch; urgency=medium
+
+  * networkd: Do not stop ndisc client in case of conf error.
+When an NDisc error happens, e.g. in case of a prefix change, do not shut
+down the dhcp client. Instead log about it and continue.
+Otherwise networkd might fail to renew the DHCPv4 address and lose IPv4
+connectivity. (Closes: #930353)
+
+ -- Michael Biebl   Sun, 21 Jul 2019 20:43:29 +0200
+
 systemd (232-25+deb9u11) stretch-security; urgency=high
 
   * pam-systemd: use secure_getenv() rather than getenv()
diff --git 
a/debian/patches/networkd-ndisc-Do-not-stop-ndisc-client-incase-of-conf-er.patch
 
b/debian/patches/networkd-ndisc-Do-not-stop-ndisc-client-incase-of-conf-er.patch
new file mode 100644
index 000..015fb35
--- /dev/null
+++ 
b/debian/patches/networkd-ndisc-Do-not-stop-ndisc-client-incase-of-conf-er.patch
@@ -0,0 +1,32 @@
+From: Susant Sahani 
+Date: Tue, 26 Sep 2017 17:17:32 +0530
+Subject: networkd: ndisc Do not stop ndisc client incase of conf error.
+
+Now in ndisc_netlink_handler if route or address fails we stop the clients.
+link_enter_failed->link_stop_clients that is dhcp, ndisc etc.
+
+The clients should be keep on running .
+
+Fixes #5625
+
+(cherry picked from commit 7f676aa324cb5498a5f9c3d51ecfe53242e0)
+---
+ src/network/networkd-ndisc.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
+index d3fa56b..1513d66 100644
+--- a/src/network/networkd-ndisc.c
 b/src/network/networkd-ndisc.c
+@@ -37,10 +37,8 @@ static int ndisc_netlink_handler(sd_netlink *rtnl, 
sd_netlink_message *m, void *
+ link->ndisc_messages--;
+ 
+ r = sd_netlink_message_get_errno(m);
+-if (r < 0 && r != -EEXIST) {
++if (r < 0 && r != -EEXIST)
+ log_link_error_errno(link, r, "Could not set NDisc route or 
address: %m");
+-link_enter_failed(link);
+-}
+ 
+ if (link->ndisc_messages == 0) {
+ link->ndisc_configured = true;
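Review bot: with link_enter_failed() removed, a failed route or address from this handler is now only logged, yet the block right below still sets link->ndisc_configured = true once ndisc_messages reaches 0, so the link is reported as configured even when one of its NDisc routes was never installed. That is the upstream trade-off (keeping the DHCPv4 client alive matters more), but the Debian changelog entry only says "log about it and continue"; it should also say that an NDisc configuration error no longer marks the link as failed, so admins of networkd setups know to watch the journal for "Could not set NDisc route or address".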
diff --git a/debian/patches/series b/debian/patches/series
index ddd4a0b..411780d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -100,6 +100,7 @@ 
mount-util-accept-that-name_to_handle_at-might-fail-with-.patch
 automount-ack-automount-requests-even-when-already-mounte.patch
 backport-read_line-from-systemd-master.patch
 core-when-deserializing-state-always-use-read_line-LONG_L.patch
+networkd-ndisc-Do-not-stop-ndisc-client-incase-of-conf-er.patch
 debian/Use-Debian-specific-config-files.patch
 debian/don-t-try-to-start-autovt-units-when-not-running-wit.patch
 debian/Make-logind-hostnamed-localed-timedated-D-Bus-activa.patch


Bug#932588: buster-pu: package libblockdev/2.20-7+deb10u1

2019-07-20 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to make a stable upload for libblockdev fixing (at least
partially) #928893 (which was severe enough to be mentioned in the
release notes).
Full debdiff is attached. CCing the excellent changelog entry from
intrigeri here:

libblockdev (2.20-7+deb10u1) buster; urgency=medium

  [ intrigeri ]
  * Use existing cryptsetup API for changing keyslot passphrase.
Cherry-pick upstream fix to use existing cryptsetup API for atomically
changing a keyslot passphrase, instead of deleting the old keyslot
before adding the new one. This avoids data loss when attempting to
change the passphrase of a LUKS2 device via udisks2, e.g. from GNOME
Disks.
Deleting a keyslot and then adding one is risky: if anything goes wrong
before the new keyslot is successfully added, no usable keyslot is left
and the device cannot be unlocked anymore. There's little chances this
causes actual problems with LUKS1, but LUKS2 defaults to the memory-hard
Argon2 key derivation algorithm, which is implemented in cryptsetup with
the assumption that it runs as root with no MEMLOCK ulimit; this
assumption is wrong when run by udisks2.service under
LimitMEMLOCK=65536, which breaks adding the new keyslot, and makes us
hit the problematic situation (user data loss) every time.
With this change, changing a LUKS2 passphrase via udisks2 will still
fail in some cases, until the MEMLOCK ulimit problem is solved in
cryptsetup or workaround'ed in udisks2. But at least, if it fails, it
will fail _atomically_ and the original passphrase will still work.
(Closes: #928893)

Huge thanks to intrigeri and Guilhem for debugging this issue.

Regarding the version number: 2.20-8 was never released to the archive
(the next upload was 2.22-1). Do you prefer to use 2.20-8 for stable
uploads in such a case or is 2.20-7+deb10u1 preferred?

Regards,
Michael



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index c9bfefa..9b8fd89 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,29 @@
+libblockdev (2.20-7+deb10u1) buster; urgency=medium
+
+  [ intrigeri ]
+  * Use existing cryptsetup API for changing keyslot passphrase.
+Cherry-pick upstream fix to use existing cryptsetup API for atomically
+changing a keyslot passphrase, instead of deleting the old keyslot
+before adding the new one. This avoids data loss when attempting to
+change the passphrase of a LUKS2 device via udisks2, e.g. from GNOME
+Disks.
+Deleting a keyslot and then adding one is risky: if anything goes wrong
+before the new keyslot is successfully added, no usable keyslot is left
+and the device cannot be unlocked anymore. There's little chances this
+causes actual problems with LUKS1, but LUKS2 defaults to the memory-hard
+Argon2 key derivation algorithm, which is implemented in cryptsetup with
+the assumption that it runs as root with no MEMLOCK ulimit; this
+assumption is wrong when run by udisks2.service under
+LimitMEMLOCK=65536, which breaks adding the new keyslot, and makes us
+hit the problematic situation (user data loss) every time.
+With this change, changing a LUKS2 passphrase via udisks2 will still
+fail in some cases, until the MEMLOCK ulimit problem is solved in
+cryptsetup or workaround'ed in udisks2. But at least, if it fails, it
+will fail _atomically_ and the original passphrase will still work.
+(Closes: #928893)
+
+ -- Michael Biebl   Sat, 20 Jul 2019 23:18:18 +0200
+
 libblockdev (2.20-7) unstable; urgency=medium
 
   * Cherry-pick Use-512bit-keys-in-LUKS-by-default.patch:
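Review bot: the new stanza says (Closes: #928893) while its own text states that changing a LUKS2 passphrase via udisks2 "will still fail in some cases, until the MEMLOCK ulimit problem is solved in cryptsetup or workaround'ed in udisks2", and the cover mail calls this a partial fix; consider leaving #928893 open for the remaining LimitMEMLOCK=65536 problem (or cloning it against udisks2) so the stable tracker does not show the data-loss report as fully resolved.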
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 206bbd0..7d49ad9 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/sid
+debian-branch = debian/buster
 upstream-branch = upstream/latest
 pristine-tar = True
 sign-tags = True
diff --git 
a/debian/patches/Use-existing-cryptsetup-API-for-changing-keyslot-passphra.patch
 
b/debian/patches/Use-existing-cryptsetup-API-for-changing-keyslot-passphra.patch
new file mode 100644
index 000..a125583
--- /dev/null
+++ 
b/debian/patches/Use-existing-cryptsetup-API-for-changing-keyslot-passphra.patch
@@ -0,0 +1,91 @@
+From: Vojtech Trefny 
+Date: Tue, 12 Mar 2019 09:28:05 +0100
+Subject: Use existing c
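Review bot: only the From:, Date: and Subject: header lines of the new patch survive here (the hunk header announces 91 lines), so if the truncated remainder does not already carry the DEP-3 fields, add "Origin: upstream, <commit id>" and "Bug-Debian: https://bugs.debian.org/928893"; a stable-update patch in particular should name the upstream commit it cherry-picks so the release team can verify it.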

Re: Bug#932421: systemd : Depends: libip4tc0 (>= 1.6.0+snapshot20161117) but it is not going to be installed

2019-07-18 Thread Michael Biebl
reassign 932421 release.debian.org
severity 932421 normal
retitle 932421 nmu: systemd_242-2
user release.debian@packages.debian.org
usertag 932421 + binnmu
thanks

Am 19.07.19 um 04:43 schrieb 積丹尼 Dan Jacobson:
> Package: systemd
> Version: 242-2
> Severity: minor
> 
> # aptitude search ~o
> i   libip4tc0  - netfilter libip4tc library
> # aptitude purge libip4tc0
> ...
> The following packages have unmet dependencies:
>  systemd : Depends: libip4tc0 (>= 1.6.0+snapshot20161117) but it is not going 
> to be installed
> 
> You are depending on a package that doesn't exist. No matter in sid or
> in experimental.

nmu systemd_242-2 . ANY . experimental . -m "rebuild against libip4tc2"
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?



signature.asc
Description: OpenPGP digital signature


NEW queue and src-only uploads [Re: Bits from the Release Team: ride like the wind, Bullseye!]

2019-07-08 Thread Michael Biebl
Am 07.07.19 um 15:43 schrieb Ben Hutchings:
> On Sun, 2019-07-07 at 02:47 +0100, Jonathan Wiltshire wrote:
> [...]
>> No binary maintainer uploads for bullseye
>> =
>>
>> The release of buster also means the bullseye release cycle is about to 
>> begin.
>> From now on, we will no longer allow binaries uploaded by maintainers to
>> migrate to testing. This means that you will need to do source-only uploads 
>> if
>> you want them to reach bullseye.
> 
> I support this move in principle, but:
> 
>>   Q: I already did a binary upload, do I need to do a new (source-only) 
>> upload?
>>   A: Yes (preferably with other changes, not just a version bump).
>>
>>   Q: I needed to do a binary upload because my upload went to the NEW queue,
>>  do I need to do a new (source-only) upload for it to reach bullseye?
>>   A: Yes. We also suggest going through NEW in experimental instead of 
>> unstable
>>  where possible, to avoid disruption in unstable.
> [...]
> 
> This is not going to fly for src:linux.  We can't stage ABI bumps in
> experimental as we typically have a different upstream versions in
> unstable and experimental.  We even need to do ABI bumps in stable from
> time to time.
> 
> I think that the requirement to upload binary packages for binary-NEW
> (but not source-NEW) needs to go.

I would go even further and drop the (manual) NEW queue for binary-NEW
packages.
Is there a good reason why new binary packages need manual processing by
the FTP team? Couldn't this be fully automated?

Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#931186: unblock: init-system-helpers/1.57

2019-06-27 Thread Michael Biebl
debdiff attached

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
diff -Nru init-system-helpers-1.56+nmu1/debian/changelog 
init-system-helpers-1.57/debian/changelog
--- init-system-helpers-1.56+nmu1/debian/changelog  2018-12-04 
00:10:03.0 +0100
+++ init-system-helpers-1.57/debian/changelog   2019-06-21 20:56:55.0 
+0200
@@ -1,9 +1,11 @@
-init-system-helpers (1.56+nmu1) unstable; urgency=medium
+init-system-helpers (1.57) unstable; urgency=medium
 
-  * Non-maintainer upload.
-  * Add `runit-init' as alternative pre-dependency (Closes: #838480)
+  [ Dmitry Bogatov ]
+  * Document that `service` does not check /usr/sbin/policy-rc.d.
+It is an administrator interface, so it is meant to be able to start
+disabled services. (Closes: #656081)
 
- -- Dmitry Bogatov   Mon, 03 Dec 2018 23:10:03 +
+ -- Michael Biebl   Fri, 21 Jun 2019 20:56:55 +0200
 
 init-system-helpers (1.56) unstable; urgency=medium
 
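Review bot: the hunk replaces the 1.56+nmu1 stanza instead of keeping it and adding a 1.57 stanza above it; Debian changelogs are append-only, and dropping the NMU entry hides that the runit-init alternative from #838480 was added and then reverted. Keep the 1.56+nmu1 block and record the revert explicitly in 1.57, e.g. "* Revert the runit-init alternative pre-dependency added in the NMU (see #838480)", so the BTS history matches what is in the archive.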
diff -Nru init-system-helpers-1.56+nmu1/debian/rules 
init-system-helpers-1.57/debian/rules
--- init-system-helpers-1.56+nmu1/debian/rules  2018-12-04 00:10:03.0 
+0100
+++ init-system-helpers-1.57/debian/rules   2019-06-21 20:56:55.0 
+0200
@@ -35,7 +35,7 @@
if dpkg-vendor --derives-from ubuntu; then \
dh_gencontrol -- -Valt:sysvinit=""; \
else \
-   dh_gencontrol -- -Valt:sysvinit="| sysvinit-core | runit-init"; 
\
+   dh_gencontrol -- -Valt:sysvinit="| sysvinit-core"; \
fi
 
 %:
diff -Nru init-system-helpers-1.56+nmu1/man8/service.rst 
init-system-helpers-1.57/man8/service.rst
--- init-system-helpers-1.56+nmu1/man8/service.rst  2018-11-22 
00:15:24.0 +0100
+++ init-system-helpers-1.57/man8/service.rst   2019-06-21 20:56:55.0 
+0200
@@ -50,7 +50,8 @@
 All scripts should support at least the ``start`` and ``stop`` commands.
 As a special case, if *COMMAND* is ``--full-restart``, the script is run
 twice, first with the ``stop`` command, then with the ``start``
-command.
+command. Note, that unlike ``update-rc.d``\(8\), ``service`` does not
+check ``/usr/sbin/policy-rc.d``.
 
 ``service --status-all`` runs all init scripts, in alphabetical order, with
 the ``status`` command. The status is [ + ] for running services, [ - ] for
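Review bot: wording nit in the added sentence, "Note, that unlike ``update-rc.d``\(8\), ``service`` does not check ..." should drop the comma after "Note" ("Note that, unlike ``update-rc.d``\(8\), ``service`` does not check ``/usr/sbin/policy-rc.d``."); the content itself matches the changelog entry's rationale that ``service`` is an administrator interface.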


Bug#931186: unblock: init-system-helpers/1.57

2019-06-27 Thread Michael Biebl
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

I know this unblock request is rather late, apologies for that.

The current version of init-system-helpers in buster has a change which
was not acked by its maintainers.
The bug submitter ignored that feedback and NMUed the package anyway.

Not adding runit-init as alternative means that, when installing
runit-init, dpkg/apt will prompt you if you really want to make that
change. Given the experience I and Martin Pitt had when evaluating
runit, this is probably not a bad thing.
After all, the init meta package is merely a safety net to prevent users
from shooting themselves in the foot. The init meta-package doesn't
provide any functionality and serves no other purpose otherwise.

I've seen that [1] was just filed, I hope this doesn't block testing
migration.

Regards,
Michael

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931181

unblock init-system-helpers/1.57

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Re: Bug#927667: gnome: please confirm or revert choice of Wayland for default desktop

2019-06-20 Thread Michael Biebl
Am 20.06.19 um 11:25 schrieb Jonathan Carter:
> I just have a small proposal:
> 
> Selecting "Gnome on Xorg" is really easy from GDM for anyone who has
> trouble on Wayland. It might be worth while adding that to the release
> notes so that users who are not quite ready for Wayland yet know that
> there's an easy way to get the old behavior back without having to
> re-install stretch or some other distro.

That seems like a very good idea to document this prominently in the
release notes. After all, we do install both Xorg and Wayland support,
so switching the desktop session is indeed trivial.

I was about to file a bug report against release-notes to add such a
section, but then it probably makes sense to wait for a final decision.

Related to that, we already have
https://salsa.debian.org/ddp-team/release-notes/commit/5496e24

Assuming it is decided that the default is switched back to Xorg, this
existing paragraph in the release notes should be adapted accordingly.

Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?



Re: Bug#927667: gnome: please confirm or revert choice of Wayland for default desktop

2019-06-20 Thread Michael Biebl
Hi everyone

Am 20.06.19 um 11:12 schrieb Iain Lane:
>> I've left some comments on
>> https://salsa.debian.org/gnome-team/gdm/merge_requests/8 regarding the
>> technical side of the proposed change.
> Someone could probably look in Ubuntu's gdm3 package to see what we're
> doing. We provide "GNOME" (Xorg, the default) and "GNOME on Wayland"
> sessions.

Afair, this required changing gnome-session. I left a comment in the gdm MR.
If the point is to not switch the desktop session automatically on
upgrades, then the session files would have to be renamed (back again)
to gnome.desktop (Xorg) and gnome-wayland.desktop from gnome.desktop
(Wayland) and gnome-xorg.desktop.
At least this is how I remember the details from back then in 2016.
I haven't checked if the situation is still the same today.

Regards,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#929215: unblock: systemd/241-5

2019-06-03 Thread Michael Biebl
Control: retitle -1 unblock: systemd/241-5

Am 27.05.19 um 07:35 schrieb Niels Thykier:
> Ack, thanks for handling this. The changes in 241-5 lgtm. :)

Hi KiBi,

241-5 is waiting for an ack from d-i. Since the AMD related RDRAND
breakage is rather nasty for users of the affected systems, it would
be good to have that version in testing.
While I don't expect any issues on the udeb/udev related parts, it would
be great if you can have a look and give this version a try wrt d-i.

Regards,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#929215: unblock: systemd/241-4

2019-05-26 Thread Michael Biebl
Am 20.05.19 um 14:06 schrieb Michael Biebl:
> Am 19.05.19 um 12:47 schrieb Niels Thykier:
> 
>>>   * Add check to switch VTs only between K_XLATE or K_UNICODE.
>>> Switching to K_UNICODE from other than L_XLATE can make the keyboard
>>> unusable and possibly leak keypresses from X.
>>> (CVE-2018-20839, Closes: #929116)
>>>
>>> https://salsa.debian.org/systemd-team/systemd/commit/5a564c6ef3906c0f3885a3a2aafce772393f760a
> 
> In the mean time a regression was reported caused by this patch.
> I marked the bug as RC. Given how long it takes to find a solution
> upstream, I will either upload a fix for that or revert/drop the patch
> again.

I've reverted this patch in 241-5, as no fix is available yet.
No other changes were made in 241-5.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#929215: unblock: systemd/241-4

2019-05-20 Thread Michael Biebl
Am 19.05.19 um 12:47 schrieb Niels Thykier:

>>   * Add check to switch VTs only between K_XLATE or K_UNICODE.
>> Switching to K_UNICODE from other than L_XLATE can make the keyboard
>> unusable and possibly leak keypresses from X.
>> (CVE-2018-20839, Closes: #929116)
>>
>> https://salsa.debian.org/systemd-team/systemd/commit/5a564c6ef3906c0f3885a3a2aafce772393f760a

In the mean time a regression was reported caused by this patch.
I marked the bug as RC. Given how long it takes to find a solution
upstream, I will either upload a fix for that or revert/drop the patch
again.

Regards,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#929215: unblock: systemd/241-4

2019-05-19 Thread Michael Biebl
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package systemd

All patches are cherry-picked from upstream git.

Annotated changelog:

systemd (241-4) unstable; urgency=medium

  * journal-remote: Do not request Content-Length if Transfer-Encoding is
chunked (Closes: #927008)

https://salsa.debian.org/systemd-team/systemd/commit/d8e4bc4487b0f32b39b15152040351261329e92a

Without this fix, systemd-journal-remote is pretty much completely
broken, that's why I had marked this bug RC for the
systemd-journal-remote package


  * systemctl: Restore "systemctl reboot ARG" functionality.
Fixes a regression introduced in v240. (Closes: #928659)

https://salsa.debian.org/systemd-team/systemd/commit/8127cbd86fadf245dd28666c1bfe82a3eb116448


  * random-util: Eat up bad RDRAND values seen on AMD CPUs.
Some AMD CPUs return bogus data via RDRAND after a suspend/resume cycle
while still reporting success via the carry flag.
Filter out invalid data like -1 (and also 0, just to be sure).
(Closes: #921267)

https://salsa.debian.org/systemd-team/systemd/commit/efbcf5102f0ac7b43a2f7b8c79084fdfd2d1fa72

RDRAND is used by systemd for its hashmap implementation. On some AMD
CPUs (AMD CPU family 22), RDRAND returns bogus data after
suspend/resume, leading to severe mis-behaviour of systemd. Typical
symptoms are failure to shutdown properly or when trying suspend again.


  * Add check to switch VTs only between K_XLATE or K_UNICODE.
Switching to K_UNICODE from other than L_XLATE can make the keyboard
unusable and possibly leak keypresses from X.
(CVE-2018-20839, Closes: #929116)

https://salsa.debian.org/systemd-team/systemd/commit/5a564c6ef3906c0f3885a3a2aafce772393f760a


  * Document that DRM render nodes are now owned by group "render"
(Closes: #926886)

https://salsa.debian.org/systemd-team/systemd/commit/e3772a013721083a740ab9dedbf060cf5b3c3709

Documentation update, which was explicitly requested for the
video->render change of the /dev/dri/renderD* devices.

KiBi (and debian-boot) is in CC

Full debdiff is attached.

Regards,
Michael

unblock systemd/241-4

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 231cbb6..e13fd93 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+systemd (241-4) unstable; urgency=medium
+
+  * journal-remote: Do not request Content-Length if Transfer-Encoding is
+chunked (Closes: #927008)
+  * systemctl: Restore "systemctl reboot ARG" functionality.
+Fixes a regression introduced in v240. (Closes: #928659)
+  * random-util: Eat up bad RDRAND values seen on AMD CPUs.
+Some AMD CPUs return bogus data via RDRAND after a suspend/resume cycle
+while still reporting success via the carry flag.
+Filter out invalid data like -1 (and also 0, just to be sure).
+(Closes: #921267)
+  * Add check to switch VTs only between K_XLATE or K_UNICODE.
+Switching to K_UNICODE from other than L_XLATE can make the keyboard
+unusable and possibly leak keypresses from X.
+(CVE-2018-20839, Closes: #929116)
+  * Document that DRM render nodes are now owned by group "render"
+(Closes: #926886)
+
+ -- Michael Biebl   Fri, 17 May 2019 21:16:33 +0200
+
 systemd (241-3) unstable; urgency=high
 
   [ Michael Biebl ]
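Review bot: the 241-4 stanza is urgency=medium although it carries the CVE-2018-20839 fix, while the 241-3 stanza directly below used urgency=high for its CVE fix; consider urgency=high here for consistency (the explicit unblock request makes the migration delay moot, but the changelog is what later readers will use to tell security fixes apart).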
diff --git 
a/debian/patches/Add-check-to-switch-VTs-only-between-K_XLATE-or-K_UNICODE.patch
 
b/debian/patches/Add-check-to-switch-VTs-only-between-K_XLATE-or-K_UNICODE.patch
new file mode 100644
index 000..6efd7ec
--- /dev/null
+++ 
b/debian/patches/Add-check-to-switch-VTs-only-between-K_XLATE-or-K_UNICODE.patch
@@ -0,0 +1,56 @@
+From: Balint Reczey 
+Date: Wed, 24 Apr 2019 17:24:02 +0200
+Subject: Add check to switch VTs only between K_XLATE or K_UNICODE
+
+Switching to K_UNICODE from other than L_XLATE can make the keyboard
+unusable and possibly leak keypresses from X.
+
+BugLink: https://launchpad.net/bugs/1803993
+(cherry picked from commit 13a43c73d8cbac4b65472de04bb88ea1bacdeb89)
+---
+ src/basic/terminal-util.c | 9 -
+ src/vconsole/vconsole-setup.c | 7 +++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/basic/terminal-util.c b/src/basic/terminal-util.c
+index 48ede7d..c7a7455 100644
+--- a/src/basic/terminal-util.c
 b/src/basic/terminal-util.c
+@@ -1273,11 +1273,18 @@ int vt_verify_kbmode(int fd) {
+ }
+ 
+ int vt_reset_keyboard(int fd) {
+-int kb;
++int kb, r;
+ 
+
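The RDRAND filtering described in the annotated changelog above (random-util: treat 0 and all-ones as bogus even though the carry flag reported success, because some AMD CPUs return such values after suspend/resume), as an added example. This is not systemd's code: the pluggable source, the retry budget of 16, the replay helper and the constructed input sequence are illustration choices, and the CPUID check and inline asm are compiled only on x86-64.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not systemd's code): a RDRAND consumer that rejects 0 and
 * all-ones even when the CPU reports success via CF, which is the idea behind
 * the 241-4 random-util change for the AMD post-resume bug. */

#define RDRAND_MAX_TRIES 16   /* illustration value, not systemd's */

/* A value RDRAND reported as valid (CF=1) but which a healthy RNG would
 * return only with probability 2^-63: refuse to use it. */
bool rdrand_value_plausible(uint64_t v) {
    return v != 0 && v != UINT64_MAX;
}

/* Pluggable source so the retry logic can be exercised without x86 hardware.
 * Returns true iff the source claims success (models the carry flag). */
typedef bool (*rand_source_fn)(void *ctx, uint64_t *out);

/* Retry until a plausible value arrives or the budget is exhausted.
 * Returns 0 on success, -1 if the caller must fall back (e.g. getrandom()). */
int rdrand_checked(rand_source_fn src, void *ctx, uint64_t *out) {
    for (int i = 0; i < RDRAND_MAX_TRIES; i++) {
        uint64_t v = 0;
        if (!src(ctx, &v))
            continue;              /* CF=0: hardware asked for a retry */
        if (!rdrand_value_plausible(v))
            continue;              /* CF=1 but bogus: the AMD post-resume case */
        *out = v;
        return 0;
    }
    return -1;
}

/* Replay source: feeds a constructed sequence as if each were a CF=1 result,
 * then reports CF=0 once the sequence is used up. */
struct replay { const uint64_t *vals; size_t n, i; };

static bool replay_source(void *ctx, uint64_t *out) {
    struct replay *r = ctx;
    if (r->i >= r->n)
        return false;
    *out = r->vals[r->i++];
    return true;
}

/* First plausible value in a constructed sequence, or 0 if there is none
 * (0 is safe as the failure marker because it is never accepted). */
uint64_t first_plausible(const uint64_t *vals, size_t n) {
    struct replay r = { vals, n, 0 };
    uint64_t v;
    return rdrand_checked(replay_source, &r, &v) == 0 ? v : 0;
}

#if defined(__x86_64__)
#include <cpuid.h>
/* Real hardware source; only called once CPUID confirmed RDRAND support. */
static bool hw_rdrand(void *ctx, uint64_t *out) {
    (void)ctx;
    unsigned char ok;
    __asm__ __volatile__("rdrand %0; setc %1" : "=r"(*out), "=qm"(ok) : : "cc");
    return ok;
}
static bool cpu_has_rdrand(void) {
    unsigned a, b, c, d;
    return __get_cpuid(1, &a, &b, &c, &d) && (c & bit_RDRND);
}
#endif

int main(void) {
    /* Constructed input: two bogus "successes" followed by a sane value. */
    static const uint64_t seq[] = { 0, UINT64_MAX, 0x243f6a8885a308d3ULL };
    printf("replay: first plausible value = %#llx\n",
           (unsigned long long)first_plausible(seq, 3));
#if defined(__x86_64__)
    if (cpu_has_rdrand()) {
        uint64_t v;
        if (rdrand_checked(hw_rdrand, NULL, &v) == 0)
            printf("hardware: %#llx\n", (unsigned long long)v);
        else
            puts("hardware: no plausible value, fall back to getrandom()");
    }
#endif
    return 0;
}
```

The point of the replay source is that the filter sits outside the hardware path: a unit test can prove that a run of CF=1 zeros or all-ones never reaches the hashmap seed, which is exactly the condition the AMD bug triggered.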

Re: How to handle daemon-not-running bugs of debhelper compat level 11?

2019-05-08 Thread Michael Biebl
Hi Niels

Am 07.05.19 um 08:22 schrieb Niels Thykier:
> We would still have to issue binNMUs and we can only do this for
> arch:any packages with a "Pre-Depends: ${misc:Pre-Depends}" already
> (otherwise, it will cause upgrade issues - or for arch:all, the binNMU
> will be rejected).
> 
> Do you have an estimate of how many packages can be binNMUed vs. how
> many will require a manual upload regardless?

I don't have such a list. This would require parsing debian/control and
I haven't done that before so I don't know if tools for that exist
already or if I need to use Perl to do that. It's been some time since I
last used Perl, so this could take a while.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Re: How to handle daemon-not-running bugs of debhelper compat level 11?

2019-04-30 Thread Michael Biebl
Am 30.04.19 um 17:26 schrieb Michael Biebl:
> Am 29.04.19 um 21:53 schrieb Niels Thykier:

>> override_dh_installinit:
>>  DH_COMPAT=12 dh_installinit ...
>>
>> override_dh_installsystemd:
>>  DH_COMPAT=12 dh_installsystemd ...
>>
>> Note the exact runes needed depend on your existing compat level and
>> package; the above runes are geared towards compat 11 but are untested.
>>  For compat 10 and earlier you want a similar but slightly different
>> approach.
>>
>> I believe that is the (general) route/path of "least evil/problematic"
>> for buster (without having looked at the concrete packaging at all).
> 
> I picked a package from list.txt at random: uptimed
> I verified that a "apt install uptimed; apt remove uptimed; apt install
> uptimed" sequence results in a non-running uptimed.service.
> 
> I then followed the hints from Niels and tried the attached patch.
> It seems to fix the issue at hand.
> 
> 
> I'd be interested to know how the release team would like this issue
> handled.  While I did spot a few false positives when glancing over the
> list (e.g. packages which use --no-start, so are not affected), I would
> expect the majority of packages to be affected.
> 
> I can offer to do a MBF if the release team thinks this issue is
> important enough to be fixed for buster.

If the release team thinks that this should be fixed for buster, I
wonder if we shouldn't consider a second approach: Updating debhelper to
use compat mode 12 behaviour for dh_installinit/dh_installsystemd if
compat mode is set to 11.
This would avoid a lot of churn. If we basically update all packages to
use compat mode 12 behaviour explicitly, we might just as well do that
change in a single package.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Re: How to handle daemon-not-running bugs of debhelper compat level 11?

2019-04-30 Thread Michael Biebl
Am 29.04.19 um 21:53 schrieb Niels Thykier:
> wf...@niif.hu:
>> On Wed, 27 Mar 2019 20:12:00 + Niels Thykier  wrote:
>>
>>> Related note (with my RT hat on): Please defer debhelper compat bumps
>>> for anything targeting buster as it is not considered a "minimal change".
>>
>> Dear Release Team,
>>
>> I recently realised that #887904 (dh_installsystemd will unmask services
>> *after* an attempt to start them) affects pacemaker (and probably every
>> other debhelper compat level 11 daemons with a native systemd unit).
>> The symptom:
>>
>> apt install pacemeker => pacemaker is running, good;
>> apt remove  pacemaker => pacemaker is not running, good;
>> apt install pacemaker => pacemaker is still not running, NOT good;
>> service pacemaker start => pacemaker is running, good.
>>
>> I think this is a bug, although probably not a policy violation.  What
>> should one do for buster?
>> 1. Don't care,
>> 2. try to fix this somehow on compat level 11 (how?),


I wanted to see, how many packages are potentially affected.
The criteria I used was:
- the package needs to ship a systemd.service file and SysV init script
with a matching name
- debian/compat contains 11 or debian/control the string
"debhelper-compat (= 11)"

The resulting list shows 185 potentially affected source packages, which
is unfortunately quite a lot (attached as list.txt)


> Another package had a similar issue and here I recommended the use of
> DH_COMPAT (and override targets) to selectively bump the compat level of
> dh_installinit and dh_installsystemd to compat 12.
> 
> E.g.
> 
> override_dh_installinit:
>   DH_COMPAT=12 dh_installinit ...
> 
> override_dh_installsystemd:
>   DH_COMPAT=12 dh_installsystemd ...
> 
> Note the exact runes needed depend on your existing compat level and
> package; the above runes are geared towards compat 11 but are untested.
>  For compat 10 and earlier you want a similar but slightly different
> approach.
> 
> I believe that is the (general) route/path of "least evil/problematic"
> for buster (without having looked at the concrete packaging at all).

I picked a package from list.txt at random: uptimed
I verified that a "apt install uptimed; apt remove uptimed; apt install
uptimed" sequence results in a non-running uptimed.service.

I then followed the hints from Niels and tried the attached patch.
It seems to fix the issue at hand.


I'd be interested to know how the release team would like this issue
handled.  While I did spot a few false positives when glancing over the
list (e.g. packages which use --no-start, so are not affected), I would
expect the majority of packages to be affected.

I can offer to do a MBF if the release team thinks this issue is
important enough to be fixed for buster.

As the original bug reporter of #887904 I should have probably done that
much earlier. Apologies for raising this topic this late in the release
cycle.


Regards,
Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
acpid-2.0.31
alljoyn-core-1504-15.04b+dfsg.1
alljoyn-core-1509-15.09a+dfsg.1
alljoyn-core-1604-16.04a+dfsg.1
alsa-utils-1.1.8
anacron-2.3
anytun-0.3.7
apache-directory-server-2.0.0~M24
apcupsd-3.14.14
apertium-apy-0.11.4
apparmor-2.13.2
arno-iptables-firewall-2.0.3
arpon-3.0-ng+dfsg1
arpwatch-2.1a15
autolog-0.40+debian
bip-0.9.0~rc3
bitz-server-2.0.3
booth-1.0-162-g27f917f
bzflag-2.4.18
certmonger-0.79.6
clamav-0.101.2+dfsg
clamsmtp-1.10
cluster-glue-1.0.12
connman-1.36
conntrack-tools-1.4.5
coturn-4.5.1.1
courier-1.0.6
courier-authlib-0.69.0
cups-filters-1.21.6
curvedns-0.87
dbab-1.3.2
dbus-1.12.12
debomatic-0.24
dhcpcd5-7.1.0
diamond-4.0.515
dico-2.7
dkimpy-milter-1.0.1
dnssec-trigger-0.17+repack
docker.io-18.09.1+dfsg1
dovecot-2.3.4.1
downtimed-1.0
dphys-swapfile-20100506
earlyoom-1.2
ejabberd-18.12.1
etbemon-1.3.3
etcd-3.2.26+dfsg
fastnetmon-1.1.3+dfsg
fcgiwrap-1.1.0
fcoe-utils-1.0.31+git20160622.5dfd3e4
fio-3.12
firebird3.0-3.0.5.33100.ds4
firehol-3.1.6+ds
game-data-packager-63
gdnsd-2.4.2
gfarm-2.7.11+dfsg
glances-3.1.0
goiardi-0.11.9
greenbone-security-assistant-7.0.3+dfsg.1
groonga-9.0.0
h2o-2.2.5+dfsg2
heartbeat-3.0.6
htpdate-1.2.0
ifupdown-extra-0.28
inputlirc-30
ipmitool-1.8.18
iptables-persistent-1.0.11
isso-0.12.2
iwatch-0.2.2
jabberd2-2.7.0
jetty9-9.4.15
keepalived-2.0.10
kgb-bot-1.54
knot-2.7.6
laptop-mode-tools-1.72
lbcd-3.5.2
lemonldap-ng-2.0.2+ds
lirc-0.10.1
lizardfs-3.12.0+dfsg
lldpad-1.0.1+git20180808.4e642bd
lvm2-2.03.02
lxc-3.1.0+really3.0.3
lxcfs-3.0.3
mailavenger-0.8.5
mailgraph-1.14
mailman-suite-0+20180916
mailman3-3.2.1
mdadm-4.1
minetest-0.4.17.1+repack
monopd-0.10.2
mosquitto-1.5.7
munge-0.5.13
natlog-2.01.01
ndisc6-1.0.4
net-snmp-5.7.3+dfsg
netconsole-0.2
netdiag-1.2
nethack-3.6.1
nomad-0.8.7+dfsg1
nsd-4.1.26
ocfs2-tools-1.8.5
opa-fm-10.8.0.0.202+dfsg.1
open-vm-tools-10.3.10
openntpd-6.2p3
opensmtpd-6.0.3p1
openvas-manager-7.0.3
openvas-scanner-5.1.3
openvpn-2.4.7
osmo-ggsn-1.2.2
ovirt-guest

Bug#927434: unblock: network-manager-applet/1.8.20-1.1 (pre-approval)

2019-04-20 Thread Michael Biebl
Hi
Am 19.04.19 um 19:56 schrieb Boyuan Yang:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-CC: bi...@debian.org pkg-utopia-maintain...@lists.alioth.debian.org
> 
> This is a pre-approval for NMU that would fix https://bugs.debian.org/926328 .
> 
> The one-liner patch is taken from commits in upstream git trunk.
> 
> I haven't made any upload yet. Michael, please let me know if this
> patch looks okay for you. I can open a Merge Request for this NMU on
> Salsa if necessary.


Looks fine to me, thanks.
A MR would be great.

Regards,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#926703: unblock: systemd/241-3

2019-04-09 Thread Michael Biebl
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi release team,

I'd like to request an unblock for the systemd package. A full debdiff
is attached but for easier review I've also created an annotated
changelog to the individual changes.

It fixes a security issue (CVE-2019-3842) which should enter testing as
soon as possible.
The package itself builds a udeb, so requires an unblock by kibi (in
CC). Two of the patches touch udev (see the fix for #925190 and #924199),
everything else should not be relevant for the udebs.



systemd (241-3) unstable; urgency=high

  [ Michael Biebl ]
  * Drop systemd-shim alternative from libpam-systemd.
A fixed systemd-shim package which works with newer versions of systemd
is unlikely to happen given that the systemd-shim package has been
removed from the archive. Drop the alternative dependency from
libpam-systemd accordingly.

https://salsa.debian.org/systemd-team/systemd/commit/8d292a0afd3abaa3e393ee731cb346a61dfa2bf2

This change is basically not changing anything, as the alternative
dependency "systemd-shim (>= 10-4~)" was never available in the archive.
It's mostly clean-up and making the life of apt a bit easier by not
having to consider non-available alternatives. It's also confusing to
users to still see systemd-shim listed as alternative when it has been
removed from the archive.

  * Properly remove duplicate directories from systemd package.
When removing duplicate directories from the systemd package, sort the
list of directories in reverse order so we properly delete nested
directories.

https://salsa.debian.org/systemd-team/systemd/commit/cdd220dd3ef632c76406d02366733713235dcfa2

Mostly cleanup. The systemd package mistakenly shipped an empty
/usr/lib/systemd/tests/testdata/ and /etc/udev/ directory. Those
directories are supposed to be shipped by the systemd-tests and udev
binary package.

  * udev: Run programs in the specified order (Closes: #925190)

https://salsa.debian.org/systemd-team/systemd/commit/95a57c2179fcd7beb52c9d73d08473469034d059
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925190

This fixes an important regression in udev and should definitely be fixed
in buster.

  * bash-completion: Use default completion for redirect operators
(Closes: #924541)

https://salsa.debian.org/systemd-team/systemd/commit/d4eebefd0b41ff58a7bf6d9c7f1898c011e7576f
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924541

Minor issue, mostly polish. No regression potential as it's an isolated
fix to the bash completion file.

  * networkd: Clarify that IPv6 RA uses our own stack, not the kernel's
(Closes: #815582)

https://salsa.debian.org/systemd-team/systemd/commit/0ceb922acc4e7ff4c6d8ed1d853c232da12af906
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815582

Simple doc update, no regression potential.

  * Revert "Drop systemd-timesyncd.service.d/disable-with-time-daemon.conf"
Apparently Conflicts= are not a reliable mechanism to ensure alternative
NTP implementations take precedence over systemd-timesyncd.
(Closes: #902026)

https://salsa.debian.org/systemd-team/systemd/commit/e1b3868e8b297a40e3dbfef1dfab80f3e5e0e8ef
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902026

This basically reverts back to what we had in stretch. We tried a
different approach during the buster development cycle, but it didn't
work out.

  * network: Fix routing policy rule issue.
When multiple links request a routing policy, make sure they are all
applied correctly. (Closes: #924406)

https://salsa.debian.org/systemd-team/systemd/commit/2d871ae4727dcad604cba6d92156882dadf69ab6
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924406

Explicitly requested fix. Isolated fix to systemd-networkd, so
regression potential is small.

  * pam-systemd: Use secure_getenv() rather than getenv()
Fixes a vulnerability in the systemd PAM module which insecurely uses
the environment and lacks seat verification permitting spoofing an
active session to PolicyKit. (CVE-2019-3842)

https://salsa.debian.org/systemd-team/systemd/commit/996e854fef1554829b757e7c1a515805b7f08d7a
https://www.debian.org/security/2019/dsa-4428

Fixes a security issue which was fixed in stable and should also enter
buster.


  [ Martin Pitt ]
  * Enable udev autopkgtest in containers.
This test doesn't actually need udev.service (which is disabled in
containers) and works fine in LXC.
  * Enable boot-and-service autopkgtest in containers
- Skip tests which can't work in containers.
- Add missing rsyslog test dependency.
- e2scrub_reap.service fails in containers, ignore (filed as #926138)
- Relax pgrep pattern for gdm, as there's no wayland session in
  containers.

https://salsa.debian.org/systemd-team/systemd/commit/c923cd4a7edf9f103f079c864ef47575e5d8a868
https://salsa.debian.org/s
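The pam-systemd entry above (CVE-2019-3842) is about a PAM module trusting the environment it is handed. The following C program is an added example, not code from systemd's pam_systemd or from the Debian package: it shows the vulnerable getenv() pattern beside the secure_getenv() pattern and the validation a privileged module should apply anyway. The variable name XDG_SEAT, the seat-id alphabet and the length limit are assumptions made for the illustration.

```c
/*
 * Added example, not code from systemd's pam_systemd or the Debian package.
 * A PAM module is loaded into privileged programs (su, sudo, login), where
 * the environment was assembled by the unprivileged caller. getenv() hands
 * that data back unfiltered; secure_getenv() returns NULL whenever the kernel
 * marked the process as running with elevated privileges (AT_SECURE), so a
 * caller cannot feed a session or seat identifier into a privileged decision.
 * Assumptions: the hint is read from XDG_SEAT and a seat id is a non-empty
 * string of at most 63 characters from [A-Za-z0-9_-].
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

/* glibc prototype, repeated in case _GNU_SOURCE was not in effect when
 * <stdlib.h> was first included. */
extern char *secure_getenv(const char *name);

#define SEAT_ID_MAX 63   /* assumed maximum length of a seat id */

/* 1 if the process gained privileges its caller does not have (setuid/setgid
 * binary or file capabilities): the kernel then sets AT_SECURE in the
 * auxiliary vector and the inherited environment must be treated as hostile. */
int running_secure(void) {
    return getauxval(AT_SECURE) != 0;
}

/* Vulnerable pattern: the seat hint comes straight from the caller's
 * environment, whether or not the process is privileged. */
const char *seat_hint_unsafe(void) {
    return getenv("XDG_SEAT");
}

/* Accept only the assumed seat-id alphabet, so the value can later be used
 * in paths or bus messages without surprises. */
int valid_seat_id(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > SEAT_ID_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened pattern. Returns 1 and copies the seat id into out on success,
 * 0 when no trusted hint is available (unset, or refused under AT_SECURE),
 * -1 when a value is present but malformed. */
int seat_hint_safe(char *out, size_t outsz) {
    const char *v = secure_getenv("XDG_SEAT");
    if (v == NULL)
        return 0;
    if (!valid_seat_id(v) || strlen(v) >= outsz)
        return -1;
    strcpy(out, v);
    return 1;
}

/* Demonstration helper: sets XDG_SEAT (NULL unsets it) and reports what
 * seat_hint_safe() decides. In an unprivileged process this exercises only
 * the validation; under AT_SECURE every value is refused with 0. */
int demo_seat_hint(const char *value) {
    char seat[SEAT_ID_MAX + 1];
    if (value == NULL)
        unsetenv("XDG_SEAT");
    else
        setenv("XDG_SEAT", value, 1);
    return seat_hint_safe(seat, sizeof seat);
}

int main(void) {
    printf("AT_SECURE set: %d\n", running_secure());
    printf("XDG_SEAT=seat0      -> %d\n", demo_seat_hint("seat0"));
    printf("XDG_SEAT='bad seat!' -> %d\n", demo_seat_hint("bad seat!"));
    printf("XDG_SEAT unset      -> %d\n", demo_seat_hint(NULL));
    return 0;
}
```

Run as an ordinary user the program reports AT_SECURE 0 and accepts "seat0"; the same binary installed setuid and run by an unprivileged user reports AT_SECURE 1 and returns 0 for every value, which is the behaviour a PAM module wants when its caller controls the environment.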

Bug#925489: unblock: elogind/241.1-1+debian1

2019-03-26 Thread Michael Biebl
Am 26.03.19 um 19:45 schrieb Adam Borowski:
> On Tue, Mar 26, 2019 at 06:52:11PM +0100, Michael Biebl wrote:
>> Just to set the record straight here:
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923244
>>
>> This bug report is from Mon, 25 Feb 2019 11:49:14 +
> 
> That's the "plan 3" bug.  We had plan 1 over a year ago.

I'm not aware of such a bug report. References please.

>> That this all is getting rushed on the last minute is not the fault of
>> the policykit-1 maintainers and I'm not amused that Adam tries to paint
>> it like that.
> 
> I'm not amused either how long it takes to get any response to even a
> single-line patch that had been discussed before.  But, the blame game is
> counterproductive. 

Why did you start it then?

> It had been requested that the point of alternative gets moved.  That
> request is now fulfilled, the code is uploaded, and has seen 12 days of
> testing.  At this point, I kindly request your review.  Is the current
> version of elogind, as packaged by Mark Hindley, good enough for you?

You honestly think with a behaviour like yours I'm motivated to review
your package and spend my time on it? The motivation/time I had dropped
basically to zero reading what you wrote.

If you had a carefully laid out plan, why do we have chaotic and rushed
bug reports like [1]. That doesn't look like a well thought out plan to me.

Anyway, I don't have any interest anymore to spend more time on this, so
don't expect any responses from me from now on.

Michael


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922160#31
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#925489: unblock: elogind/241.1-1+debian1

2019-03-26 Thread Michael Biebl
Am 26.03.19 um 14:54 schrieb Adam Borowski:
> It's not a "niche" area.  Without this, any modern GUI desktop environments
> are not installable with any pid 1 other than systemd.  That'd be a massive
> regression that's certainly not acceptable (and it's caused by removal of a
> systemd component with a hard dependency).
> 
> This regression had a plan, with coded and tested patches by January 2018
> (with a refresh + retesting in June, then November, December).  In that
> plan, policykit packages had alternatives built against elogind.  Yet
> patches did not get applied.  Plan 2 was to dlopen() relevant libraries.
> 

Just to set the record straight here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923244

This bug report is from Mon, 25 Feb 2019 11:49:14 +

That this all is getting rushed on the last minute is not the fault of
the policykit-1 maintainers and I'm not amused that Adam tries to paint
it like that.






Bug#925409: unblock: systemd/241-2

2019-03-24 Thread Michael Biebl
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package systemd

This version has a couple of fixes we'd like to see land in buster. The
package has been in unstable without a reported regression.

The changelog is

systemd (241-2) unstable; urgency=medium

  [ Martin Pitt ]
  * debian/tests/boot-smoke: Create journal and udevdb artifacts on all
failures
  * autopkgtests: Replace obsolete $ADT_* variables
  * networkd-test: Ignore failures of test_route_only_dns* in containers.
This test exposes a race condition when running in LXC, see issue #11848
for details. Until that is understood and fixed, skip the test as it's
not a recent regression. (Closes: #924539)
  * Bump Standards-Version to 4.3.0.
No changes necessary.
  * debian/tests/boot-smoke: Only check current boot for connection timeouts.
Otherwise we'll catch some
Failed to resolve group 'render': Connection timed out
messages that happen in earlier boots during VM setup, before the
"render" group is created.
Fixes https://github.com/systemd/systemd/issues/11875
  * timedated: Fix emitted value when ntp client is enabled/disabled.
Fixes a regression introduced in 241.
  * debian/tests/timedated: Check enabling/disabling NTP.
Assert that `timedatectl set-ntp` correctly controls the service, sets
the `org.freedesktop.timedate1 NTP` property, and sends the right
`PropertiesChanged` signal.
This reproduces <https://github.com/systemd/systemd/issues/11944> and
also the earlier <https://github.com/systemd/systemd/issues/9672>.

  [ Michael Biebl ]
  * Disable fallback DNS servers in resolved (Closes: #923081)
  * cgtop: Fix processing of controllers other than CPU (Closes: #921280)
  * udev: Restore debug level when logging a failure in the external prog
called by IMPORT{program} (Closes: #924199)
  * core: Remove "." path components from required mount paths.
Fixes mount related failures when a user's home directory contains "/./"
(Closes: #923881)
  * udev.init: Use new s-s-d --notify-await to start udev daemon.
Fixes a race condition during startup under SysV init.
Add versioned dependency on dpkg (>= 1.19.3) to ensure that a version
of start-stop-daemon which supports --notify-await is installed.
(Closes: #908796)
  * Make /dev/dri/renderD* accessible to group "render"
Follow upstream and make render nodes available to a dedicated system
group "render" instead of "video". Keep the uaccess tag for local,
active users.

 -- Michael Biebl   Fri, 15 Mar 2019 18:33:54 +0100


CCed debian-boot/kibi for the udeb unblock


unblock systemd/241-2

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#924255: stretch-pu: package systemd/232-25+deb9u10

2019-03-10 Thread Michael Biebl
Am 10.03.19 um 16:55 schrieb Michael Biebl:
> I'd like to make a stable upload for systemd, fixing 5 separate issues.
> Two of them have a CVE.

...

> The fix for CVE-2018-15686/#912005 is the most invasive one. I based it
> partially on what was uploaded to old-stable by the debian-lts team.
> With this patch applied, the demo exploit from [1] no longer causes
> systemctl stop to hang.
> That said, I would appreciate a second pair of eyes to look over the
> patch.

Sorry, forgot to attach the debdiff.
Doing that now...

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
diff --git a/debian/changelog b/debian/changelog
index ecb5bc7..9adb6f5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+systemd (232-25+deb9u10) stretch; urgency=medium
+
+  * journald: fix assertion failure on journal_file_link_data (Closes: #916880)
+  * tmpfiles: fix "e" to support shell style globs (Closes: #918400)
+  * mount-util: accept that name_to_handle_at() might fail with EPERM.
+Container managers frequently block name_to_handle_at(), returning
+EACCES or EPERM when this is issued. Accept that, and simply fall back
+to fdinfo-based checks. (Closes: #917122)
+  * automount: ack automount requests even when already mounted.
+Fixes a race condition in systemd which could result in automount requests
+not being serviced and processes using them to hang, causing denial of
+service. (CVE-2018-1049)
+  * core: when deserializing state always use read_line(…, LONG_LINE_MAX, …)
+Fixes improper serialization on upgrade which can influence systemd
+execution environment and lead to root privilege escalation.
+(CVE-2018-15686, Closes: #912005)
+
+ -- Michael Biebl   Sun, 10 Mar 2019 15:52:46 +0100
+
 systemd (232-25+deb9u9) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
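Review bot: the two CVE entries in the new 232-25+deb9u10 block give no pointer to the fix that was backported, and the CVE-2018-1049 entry closes no Debian bug at all, so a reader of the changelog cannot trace which upstream commit each patch corresponds to; the cover mail lists the salsa commits, so consider adding them (or the upstream commit ids cited in the patch files) to these entries. The block also targets `stretch` with urgency=medium directly below the previous `stretch-security` / urgency=high upload, which is right for a proposed-update but worth double-checking given that two of the five fixes are security fixes.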
diff --git 
a/debian/patches/automount-ack-automount-requests-even-when-already-mounte.patch
 
b/debian/patches/automount-ack-automount-requests-even-when-already-mounte.patch
new file mode 100644
index 000..36d5ee1
--- /dev/null
+++ 
b/debian/patches/automount-ack-automount-requests-even-when-already-mounte.patch
@@ -0,0 +1,86 @@
+From: Anchor Cat 
+Date: Wed, 10 May 2017 21:23:58 +1000
+Subject: automount: ack automount requests even when already mounted (#5916)
+
+If a process accesses an autofs filesystem while systemd is in the
+middle of starting the mount unit on top of it, it is possible for the
+autofs_ptype_missing_direct request from the kernel to be received after
+the mount unit has been fully started:
+
+  systemd forks and execs mount ...
+... access autofs, blocks
+  mount exits   ...
+  systemd receives SIGCHLD  ...
+... kernel sends request
+  systemd receives request  ...
+
+systemd needs to respond to this request, otherwise the kernel will
+continue to block access to the mount point.
+
+(cherry picked from commit e7d54bf58789545a9eb0b3964233defa0b007318)
+---
+ src/core/automount.c | 33 ++---
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/src/core/automount.c b/src/core/automount.c
+index f091a9a..a64374b 100644
+--- a/src/core/automount.c
 b/src/core/automount.c
+@@ -742,8 +742,9 @@ static void automount_stop_expire(Automount *a) {
+ (void) sd_event_source_set_enabled(a->expire_event_source, 
SD_EVENT_OFF);
+ }
+ 
+-static void automount_enter_runnning(Automount *a) {
++static void automount_enter_running(Automount *a) {
+ _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
++Unit *trigger;
+ struct stat st;
+ int r;
+ 
+@@ -772,22 +773,24 @@ static void automount_enter_runnning(Automount *a) {
+ goto fail;
+ }
+ 
+-if (!S_ISDIR(st.st_mode) || st.st_dev != a->dev_id)
++/* The mount unit may have been explicitly started before we got the
++ * autofs request. Ack it to unblock anything waiting on the mount 
point. */
++if (!S_ISDIR(st.st_mode) || st.st_dev != a->dev_id) {
+ log_unit_info(UNIT(a), "Automount point already active?");
+-else {
+-Unit *trigger;
++automount_send_ready(a, a->tokens, 0);
++return;
++}
+ 
+-trigger = UNIT_TRIGGER(UNIT(a));
+-if (!trigger) {
+-log_unit_error(UNIT(a), "Unit to trigger vanished.");
+-goto fail;
+-}
++trigger = UNIT_TRIGGER(UNIT(a));
++if (!trigger) {
++log_unit_error(UNIT(a), "Unit to trigger vanished.");
++goto fail;
++}
+ 
+-r =
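Review bot: the embedded patch is malformed as shown here: the `+++ b/src/core/automount.c` header (which should read `++++ b/src/core/automount.c` inside the debdiff) has lost its leading `+` characters, and the `(void) sd_event_source_set_enabled(a->expire_event_source, SD_EVENT_OFF);` line and the `Ack it to unblock anything waiting on the mount point. */` comment are wrapped across two lines, so quilt would reject this file as pasted; this looks like mail wrapping rather than a problem in the upload, but the file in the source package should be checked. On the logic itself: the early-return path for an already-active mount point now calls `automount_send_ready(a, a->tokens, 0)` before returning, and the function is renamed from `automount_enter_runnning` to `automount_enter_running`, so every caller has to be updated in the same patch; the hunk is cut off at `+-r =`, so the remaining lines, including those callers, cannot be checked here.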

Bug#924255: stretch-pu: package systemd/232-25+deb9u10

2019-03-10 Thread Michael Biebl
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to make a stable upload for systemd, fixing 5 separate issues.
Two of them have a CVE.

The changelog is

systemd (232-25+deb9u10) stretch; urgency=medium

  * journald: fix assertion failure on journal_file_link_data (Closes: #916880)

https://salsa.debian.org/systemd-team/systemd/commit/67a3135d9c9b66b64544dd96a6741a86058ba7a8

  * tmpfiles: fix "e" to support shell style globs (Closes: #918400)

https://salsa.debian.org/systemd-team/systemd/commit/a1f9aa01624edc01bbbf50203fd35dd261d7480f

  * mount-util: accept that name_to_handle_at() might fail with EPERM.
Container managers frequently block name_to_handle_at(), returning
EACCES or EPERM when this is issued. Accept that, and simply fall back
to fdinfo-based checks. (Closes: #917122)

https://salsa.debian.org/systemd-team/systemd/commit/169eb2b486b832ef88746e9d25c4b181cabac5c2

  * automount: ack automount requests even when already mounted.
Fixes a race condition in systemd which could result in automount requests
not being serviced and processes using them to hang, causing denial of
service. (CVE-2018-1049)

https://salsa.debian.org/systemd-team/systemd/commit/2cae426a3e753f74ec8e829217dc9090abcfcf4d

  * core: when deserializing state always use read_line(…, LONG_LINE_MAX, …)
Fixes improper serialization on upgrade which can influence systemd
execution environment and lead to root privilege escalation.
(CVE-2018-15686, Closes: #912005)

https://salsa.debian.org/systemd-team/systemd/commit/82a114295a4ef123925d02081255fe88bec4867c


The fix for CVE-2018-15686/#912005 is the most invasive one. I based it
partially on what was uploaded to old-stable by the debian-lts team.
With this patch applied, the demo exploit from [1] no longer causes
systemctl stop to hang.
That said, I would appreciate a second pair of eyes to look over the
patch.

As usual, KiBi is in CC as we build a udeb. Though the code changes
above should not affect udev.

Regards,
Michael


[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1687


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
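The CVE-2018-15686 entry in the request above is about reading serialized state with a bounded read_line(..., LONG_LINE_MAX, ...). The following C program is an added example, not code from systemd or from the Debian package: it contrasts a reader that silently splits an over-long line into several apparent records with one that enforces a maximum line length and reports the overflow. The STATE_LINE_MAX bound and the sample state file are constructed for the illustration.

```c
/*
 * Added example, not code from systemd or the Debian package.
 * Naive reader: fgets() into a fixed buffer returns an over-long line in
 * pieces, and each piece looks like a fresh line to the caller, so a value
 * the writer never bounded can turn into extra "key=value" records.
 * Bounded reader: each line is consumed up to its newline, a maximum is
 * enforced, and an over-long line is rejected instead of parsed.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STATE_LINE_MAX 64   /* assumed bound for one key=value line */

/* Counts one record per fgets() call with a 32-byte buffer. */
int count_records_naive(FILE *f) {
    char buf[32];
    int records = 0;
    while (fgets(buf, sizeof buf, f) != NULL)
        records++;
    return records;
}

/* Reads one line into out (capacity outsz). Returns the number of bytes
 * consumed (newline included), 0 at EOF, or -ENOBUFS if the line exceeds
 * `limit`. On overflow the rest of the line is drained, so the caller stays
 * aligned on line boundaries and cannot mistake the tail of a long line for
 * a new record. Written for this example, modelled on the idea of a bounded
 * read_line(), not copied from systemd. */
int read_line_bounded(FILE *f, size_t limit, char *out, size_t outsz) {
    size_t n = 0, consumed = 0;
    int overlong = 0;

    for (;;) {
        int c = fgetc(f);
        if (c == EOF)
            break;
        consumed++;
        if (c == '\n')
            break;
        if (n + 1 >= limit || n + 1 >= outsz) {
            overlong = 1;       /* keep draining up to the newline */
            continue;
        }
        out[n++] = (char)c;
    }
    out[n] = '\0';
    if (overlong)
        return -ENOBUFS;
    return (int)consumed;
}

/* Counts well-formed records; over-long lines go to *rejected instead. */
int count_records_bounded(FILE *f, int *rejected) {
    char line[STATE_LINE_MAX + 1];
    int records = 0, r;
    *rejected = 0;
    while ((r = read_line_bounded(f, STATE_LINE_MAX, line, sizeof line)) != 0) {
        if (r == -ENOBUFS) { (*rejected)++; continue; }
        records++;
    }
    return records;
}

/* Constructed sample: three records, the second with a 100-byte value. */
static FILE *sample_state(void) {
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs("key1=short\nkey2=", f);
    for (int i = 0; i < 100; i++)
        fputc('A', f);
    fputs("\nkey3=x\n", f);
    rewind(f);
    return f;
}

int demo_naive(void) {
    FILE *f = sample_state();
    if (f == NULL) return -1;
    int n = count_records_naive(f);
    fclose(f);
    return n;
}

int demo_bounded_records(void) {
    FILE *f = sample_state();
    if (f == NULL) return -1;
    int rejected, n = count_records_bounded(f, &rejected);
    fclose(f);
    return n;
}

int demo_bounded_rejected(void) {
    FILE *f = sample_state();
    if (f == NULL) return -1;
    int rejected;
    count_records_bounded(f, &rejected);
    fclose(f);
    return rejected;
}

int main(void) {
    printf("naive reader:   %d records\n", demo_naive());
    printf("bounded reader: %d records, %d rejected\n",
           demo_bounded_records(), demo_bounded_rejected());
    return 0;
}
```

On the constructed input the naive reader reports six records for three lines, because the 106-byte second line comes back as four fgets() chunks, while the bounded reader reports two records and one rejected line. The design point is the draining on overflow: returning an error without consuming the rest of the line would leave the tail to be read as the next record, which is the same confusion the bound is meant to prevent.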

