Bug#1014346: buster-pu: package apache2/2.4.38-3+deb10u8
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
In preparation for the final buster point release before the transition to LTS, it would be beneficial for users to update the apache2 package to address the currently open CVEs. The CVEs are addressed by backporting patches from upstream releases 2.4.53 and 2.4.54.

[ Impact ]
If this update is not approved then users of buster will not benefit from fixes to the currently open CVEs.

[ Tests ]
I have executed autopkgtest for buster, stretch, and jessie. All tests passed on all three tested suites.

[ Risks ]
The backports were straightforward, requiring minimal adjustment/change for the patches to apply to apache2/2.4.38-3+deb10u7 (most hunks applied cleanly, with only a few requiring manual integration).

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
* CVE-2022-22719: denial of service in mod_lua via crafted request body.
* CVE-2022-22720: HTTP request smuggling.
* CVE-2022-22721: integer overflow leading to buffer overflow write.
* CVE-2022-23943: heap memory overwrite via crafted data in mod_sed.
* CVE-2022-26377: mod_proxy_ajp: Possible request smuggling.
* CVE-2022-28614: read beyond bounds via ap_rwrite().
* CVE-2022-28615: Read beyond bounds in ap_strcmp_match().
* CVE-2022-29404: Denial of service in mod_lua r:parsebody.
* CVE-2022-30522: mod_sed denial of service.
* CVE-2022-30556: Information Disclosure in mod_lua with websockets.
* CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism.

-- Roberto C. Sánchez

diff -Nru apache2-2.4.38/debian/changelog apache2-2.4.38/debian/changelog --- apache2-2.4.38/debian/changelog 2021-12-21 11:50:43.0 -0500 +++ apache2-2.4.38/debian/changelog 2022-06-20 15:03:00.0 -0400 
@@ -1,3 +1,20 @@ +apache2 (2.4.38-3+deb10u8) buster; urgency=medium + + * Non-maintainer upload. + * CVE-2022-22719: denial of service in mod_lua via crafted request body. + * CVE-2022-22720: HTTP request smuggling. + * CVE-2022-22721: integer overflow leading to buffer overflow write. + * CVE-2022-23943: heap memory overwrite via crafted data in mod_sed. + * CVE-2022-26377: mod_proxy_ajp: Possible request smuggling. + * CVE-2022-28614: read beyond bounds via ap_rwrite(). + * CVE-2022-28615: Read beyond bounds in ap_strcmp_match(). + * CVE-2022-29404: Denial of service in mod_lua r:parsebody. + * CVE-2022-30522: mod_sed denial of service. + * CVE-2022-30556: Information Disclosure in mod_lua with websockets. + * CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism. + + -- Roberto C. Sánchez Mon, 20 Jun 2022 15:03:00 -0400 + apache2 (2.4.38-3+deb10u7) buster-security; urgency=medium * Fix possible NULL dereference or SSRF in forward proxy configurations diff -Nru apache2-2.4.38/debian/patches/CVE-2022-22719.patch apache2-2.4.38/debian/patches/CVE-2022-22719.patch --- apache2-2.4.38/debian/patches/CVE-2022-22719.patch 1969-12-31 19:00:00.0 -0500 +++ apache2-2.4.38/debian/patches/CVE-2022-22719.patch 2022-06-20 15:03:00.0 -0400 
@@ -0,0 +1,95 @@ +From 1b96582269d9ec7c82ee0fea1f67934e4b8176ad Mon Sep 17 00:00:00 2001 +From: Yann Ylavic +Date: Mon, 7 Mar 2022 14:51:19 + +Subject: [PATCH] mod_lua: Error out if lua_read_body() or lua_write_body() + fail. + +Otherwise r:requestbody() or r:parsebody() failures might go unnoticed for +the user. + + +Merge r1898689 from trunk. +Submitted by: rpluem +Reviewed by: rpluem, covener, ylavic + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898694 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/lua/lua_request.c | 33 - + 1 file changed, 20 insertions(+), 13 deletions(-) + +diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c +index 493b2bb431..1eab7b6a47 100644 +--- a/modules/lua/lua_request.c b/modules/lua/lua_request.c +@@ -235,14 +235,16 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size, + { + int rc = OK; + ++*rbuf = NULL; ++*size = 0; ++ + if ((rc = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR))) { + return (rc); + } + if (ap_should_client_block(r)) { + + /**/ +-char argsbuffer[HUGE_STRING_LEN]; +-apr_off_trsize, len_read, rpos = 0; ++apr_off_tlen_read, rpos = 0; + apr_off_t length = r->remaining; + /**/ + +@@ -250,18 +252,18 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size, + return APR_EINCOMPLETE; /* Only room for incomplete data chunk :( */ + } + *rbuf = (const char
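Review bot: in the lua_read_body() hunk of CVE-2022-22719.patch, the context line `return APR_EINCOMPLETE;` hands back an APR status from a function whose other exits return `rc` from ap_setup_client_block() or `OK`, so the callers that are meant to error out on failure need to treat any value other than OK as a failure rather than test for one specific code. The new `*rbuf = NULL; *size = 0;` initialisation at the top of the function is the right companion to that; a one-line comment saying that it gives callers defined outputs on every early return would help the next backporter. The rest of the patch is cut off on this page, so the caller side could not be checked here.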
Bug#1002740: buster-pu: package rustc-mozilla/1.51.0+dfsg1-1~deb10u2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

OSRM,

I have prepared a follow-up update of rustc-mozilla for buster (c.f. #1001043). This update fixes build failures on i386 and armel. Please see attached debdiff for the changes in this update.

Note that after investigating the s390x build failure and consulting with others involved in the ongoing firefox-esr/thunderbird work, we jointly concluded that the s390x failure should be left unresolved. The failure is a result of an upstream LLVM bug ([0] [1]). The s390x build failure occurs in the stage0 component of the rustc build, meaning that even if we updated llvm-toolchain-11 with the patch from the upstream bug, we would still encounter the rustc-mozilla s390x build failure. The only feasible way to address the failure would be to update from rustc 1.51 to 1.52, which when we discussed it we agreed would introduce significant risk for no discernable benefit.

Regards,

-Roberto

[0] https://bugs.llvm.org/show_bug.cgi?id=49322
[1] https://reviews.llvm.org/D97514

diff -Nru rustc-mozilla-1.51.0+dfsg1/debian/architecture.mk rustc-mozilla-1.51.0+dfsg1/debian/architecture.mk --- rustc-mozilla-1.51.0+dfsg1/debian/architecture.mk 2021-11-20 16:55:48.0 -0500 +++ rustc-mozilla-1.51.0+dfsg1/debian/architecture.mk 2021-12-23 20:31:04.0 -0500 @@ -5,8 +5,7 @@ rust_cpu = $(subst i586,i686,\ $(if $(findstring -riscv64-,-$(2)-),$(subst riscv64,riscv64gc,$(1)),\ $(if $(findstring -armhf-,-$(2)-),$(subst arm,armv7,$(1)),\ -$(if $(findstring -armel-,-$(2)-),$(subst arm,armv5te,$(1)),\ -$(1) +$(1 rust_type_setvar = $(1)_RUST_TYPE ?= $(call rust_cpu,$($(1)_GNU_CPU),$($(1)_ARCH))-unknown-$($(1)_GNU_SYSTEM) $(foreach machine,BUILD HOST TARGET,\ diff -Nru rustc-mozilla-1.51.0+dfsg1/debian/changelog rustc-mozilla-1.51.0+dfsg1/debian/changelog --- rustc-mozilla-1.51.0+dfsg1/debian/changelog 2021-11-20 16:55:48.0 -0500 +++ rustc-mozilla-1.51.0+dfsg1/debian/changelog 2021-12-23 20:31:04.0 -0500 
@@ -1,3 +1,13 @@ +rustc-mozilla (1.51.0+dfsg1-1~deb10u2) buster; urgency=medium + + * Non-maintainer upload. + * stage0 build. ++ Use arm-unknown-linux-gnueabi target for armel. (This change was missed + in the previous upload and is now implemented correctly.) + * Disable build for windows targets (broken on i386) + + -- Roberto C. Sánchez Thu, 23 Dec 2021 20:31:04 -0500 + rustc-mozilla (1.51.0+dfsg1-1~deb10u1) buster; urgency=medium * Non-maintainer upload. diff -Nru rustc-mozilla-1.51.0+dfsg1/debian/rules rustc-mozilla-1.51.0+dfsg1/debian/rules --- rustc-mozilla-1.51.0+dfsg1/debian/rules 2021-11-20 16:55:48.0 -0500 +++ rustc-mozilla-1.51.0+dfsg1/debian/rules 2021-12-23 20:31:04.0 -0500 @@ -113,7 +113,8 @@ endif WINDOWS_SUPPORT := amd64 i386 -BUILD_WINDOWS := true +#BUILD_WINDOWS := true +BUILD_WINDOWS := false ifneq (,$(findstring nowindows,$(DEB_BUILD_PROFILES))) BUILD_WINDOWS := false endif
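Review bot: in debian/rules, `BUILD_WINDOWS := false` is now set unconditionally, which makes the `nowindows` build-profile check directly below it redundant and switches the windows targets off for every architecture, including amd64, which is still listed in `WINDOWS_SUPPORT := amd64 i386`, although the changelog gives the reason as "broken on i386". If only i386 is affected, dropping i386 from WINDOWS_SUPPORT would be the narrower change; either way, delete the commented-out `#BUILD_WINDOWS := true` line instead of leaving it behind. In debian/architecture.mk the armel mapping to armv5te is removed with no comment in the file, so the changelog bullet is the only record of why.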
Bug#1001043: buster-pu: package rustc-mozilla/1.51.0+dfsg1-1~deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

OSRM,

To support updates to firefox-esr and thunderbird, I have prepared a rustc update. Note that the updated source package is called rustc-mozilla and the binary packages are named rust-mozilla-*, or rustc-mozilla-*, or librust-mozilla-*, and so on. Further discussion and explanation of the precise motivations for this are in the discussion logged at #1000472.

Regards,

-Roberto
Bug#1000472: bullseye-pu: package rustc-mozilla/1.51.0+dfsg1-1~deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

SRM,

In preparing the rustc 1.51 upload/backport (to support backports of the latest firefox-esr and thunderbird packages) it has been suggested that to avoid some issues associated with providing a significant new version of rustc in the rustc binary package (along with the associated library packages), that I prepare the 1.51 rustc package with a different name. Following the model of what was done for gcc, nasm, and nodejs, I was considering source package rustc-mozilla with a single binary package (also rustc-mozilla) to ensure that rdeps don't end up getting surprised by a new rustc.

Would this be considered acceptable for the bullseye and buster uploads of rustc 1.51? (I intend to file a separate bug for buster-pu once I receive some direction via this bug.)

Regards,

-Roberto
Bug#998344: buster-pu: package llvm-toolchain-11/1:11.0.1-2~deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hello release managers,

In order to support the update of rustc in buster, which in turn is needed to support the updates of firefox-esr and thunderbird, I am proposing an update of llvm-toolchain-11 in buster. The attached diff represents the change from the current package in the buster-backports repository.

As a result of mips build failures with the backport package, I am running a test build on a mips porter box to verify that the mips changes result in a successfully built package.

Please advise on when I can proceed with upload.

Regards,

-Roberto

commit b3d946dff1649aeba70269aaf68c0323439559c8 (HEAD -> master) Author: Roberto C. Sánchez Date: Sat Oct 30 13:22:03 2021 -0400 Backport to buster. * Backport to buster. - Disable tests on (big endian) mips due to timeout (i.e., test runtime exceeds 10h). diff --git a/debian/changelog b/debian/changelog index c74466b96..1ffd5c65d 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,11 @@ +llvm-toolchain-11 (1:11.0.1-2~deb10u1) buster; urgency=medium + + * Backport to buster. +- Disable tests on (big endian) mips due to timeout (i.e., test runtime + exceeds 10h). + + -- Roberto C. Sánchez Sat, 30 Oct 2021 13:14:49 -0400 + llvm-toolchain-11 (1:11.0.1-2~bpo10+1) buster-backports; urgency=medium * Rebuild for buster-backports. diff --git a/debian/clang-tools-11.install b/debian/clang-tools-11.install index 194e30f5d..a89d42227 100755 --- a/debian/clang-tools-11.install +++ b/debian/clang-tools-11.install @@ -32,7 +32,7 @@ usr/lib/llvm-11/bin/pp-trace usr/lib/llvm-11/bin/clang-move usr/lib/llvm-11/bin/clang-offload-wrapper -[!armel !armhf !ppc64el !hurd-any !s390x !powerpc !ppc64 !mipsel !mips64el !sparc64 !riscv64] usr/lib/llvm-11/lib/clang/11.0.1/bin/hwasan_symbolize +[!armel !armhf !ppc64el !hurd-any !s390x !powerpc !ppc64 !mips !mipsel !mips64el !sparc64 !riscv64] usr/lib/llvm-11/lib/clang/11.0.1/bin/hwasan_symbolize clang/tools/scan-build-11 usr/share/clang/ clang/tools/scan-build-py-11 usr/share/clang/ diff --git a/debian/rules b/debian/rules index 5aedc9b06..2532a80e2 100755 --- a/debian/rules +++ b/debian/rules @@ -196,7 +196,7 @@ endif endif # llvm tests timeout, disable it on mipsel -ifeq (mipsel,$(DEB_HOST_ARCH)) +ifneq (,$(filter $(DEB_HOST_ARCH), mips mipsel)) RUN_TEST=no endif
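Review bot: in debian/rules, the comment above the changed condition still reads "disable it on mipsel" although the new `ifneq (,$(filter $(DEB_HOST_ARCH), mips mipsel))` also covers big-endian mips; update the comment to name both architectures. The `!mips` added to the hwasan_symbolize line in debian/clang-tools-11.install is not mentioned in the changelog entry, which lists only the test change, so add a bullet for it.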
Bug#989475: unblock: mongo-c-driver/1.17.6-1
ame}/mongo-c-driver-rpm-packages-${CURRENT_VERSION}.tar.gz', + content_type='${content_type|application/x-gzip}'), + s3_put(local_file='rpm.tar.gz', + remote_file='${project}/${branch_name}/${revision}/${version_id}/${build_id}/${execution}/mongo-c-driver-rpm-packages.tar.gz', content_type='${content_type|application/x-gzip}')]), NamedTask('install-uninstall-check-mingw', depends_on=OD([('name', 'make-release-archive'), diff -Nru mongo-c-driver-1.17.3/debian/changelog mongo-c-driver-1.17.6/debian/changelog --- mongo-c-driver-1.17.3/debian/changelog 2020-12-02 08:07:59.0 -0500 +++ mongo-c-driver-1.17.6/debian/changelog 2021-06-04 12:51:50.0 -0400 @@ -1,3 +1,21 @@ +mongo-c-driver (1.17.6-1) unstable; urgency=medium + + * New upstream release + + -- Roberto C. Sanchez Fri, 04 Jun 2021 12:51:50 -0400 + +mongo-c-driver (1.17.5-1) unstable; urgency=medium + + * New upstream release + + -- Roberto C. Sanchez Mon, 19 Apr 2021 12:37:15 -0400 + +mongo-c-driver (1.17.4-1) unstable; urgency=medium + + * New upstream release + + -- Roberto C. Sanchez Wed, 03 Mar 2021 11:18:55 -0500 + mongo-c-driver (1.17.3-1) unstable; urgency=medium * New upstream release diff -Nru mongo-c-driver-1.17.3/debian/gbp.conf mongo-c-driver-1.17.6/debian/gbp.conf --- mongo-c-driver-1.17.3/debian/gbp.conf 2020-12-02 08:07:59.0 -0500 +++ mongo-c-driver-1.17.6/debian/gbp.conf 2021-06-04 12:51:50.0 -0400 
@@ -11,14 +11,9 @@ # Determine list of embedded sources to exclude from Debian source package zlib_filter_files=\"$(find src/zlib-* -mindepth 1 -maxdepth 1 \! -name zconf.h.in -printf "mongo-c-driver-\${upstream_version}/%p ")\" && zlib_rm_files=\"$(find src/zlib-* -mindepth 1 -maxdepth 1 \! -name zconf.h.in -printf '%p ')\" && -# Determine if we are on a release branch and set the reference to use later -# to create the upstream tarball (when on a release branch use the most -# recent release tag, and when on any other branch use HEAD) -release_branch=$(cd $GBP_GIT_DIR/..; git symbolic-ref --short HEAD | sed -n '/^r[0-9]\./p') && -if [ -n \"\${release_branch}\" ]; then archive_ref=$(cd $GBP_GIT_DIR/..; git describe --tags --abbrev=0 --match '1.*'); else archive_ref=HEAD; fi && # Create upstream tarball from reference, exclude items that do not belong pushd $GBP_GIT_DIR/.. && -git archive --format=tar --prefix=mongo-c-driver-\${upstream_version}/ \${archive_ref} | tar -f - --delete mongo-c-driver-\${upstream_version}/debian \$zlib_filter_files | gzip > $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz && +git archive --format=tar --prefix=mongo-c-driver-\${upstream_version}/ HEAD | tar -f - --delete mongo-c-driver-\${upstream_version}/debian \$zlib_filter_files | gzip > $GBP_BUILD_DIR/../mongo-c-driver_\${upstream_version}.orig.tar.gz && popd && rm -rf \$zlib_rm_files" diff -Nru mongo-c-driver-1.17.3/src/libbson/CMakeLists.txt mongo-c-driver-1.17.6/src/libbson/CMakeLists.txt --- mongo-c-driver-1.17.3/src/libbson/CMakeLists.txt2020-12-01 17:25:25.0 -0500 +++ mongo-c-driver-1.17.6/src/libbson/CMakeLists.txt2021-06-04 13:05:48.0 -0400 
@@ -252,10 +252,17 @@ target_link_libraries (bson_shared PRIVATE ${RT_LIBRARY}) endif () -find_library (M_LIBRARY m) -if (M_LIBRARY) - target_link_libraries (bson_shared PRIVATE ${M_LIBRARY}) - set (BSON_LIBRARIES ${BSON_LIBRARIES} ${M_LIBRARY}) +# On macOS Big Sur, libm resolves to the SDK's tbd file, like: +# /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/lib/libm.tbd +# Not all consumers can easily link to a tbd file (notably golang will reject a tbd suffix by default) +# macOS includes libm as part of libSystem (along with libc). +# It does not need to be explicitly linked. +if (!APPLE) + find_library (M_LIBRARY m) + if (M_LIBRARY) + target_link_libraries (bson_shared PRIVATE ${M_LIBRARY}) + set (BSON_LIBRARIES ${BSON_LIBRARIES} ${M_LIBRARY}) + endif () endif () set (THREADS_PREFER_PTHREAD_FLAG 1) diff -Nru mongo-c-driver-1.17.3/src/libbson/NEWS mongo-c-driver-1.17.6/src/libbson/NEWS --- mongo-c-driver-1.17.3/src/libbson/NEWS 2020-12-01 17:25:25.0 -0500 +++ mongo-c-driver-1.17.6/src/libbson/NEWS 2021-06-04 13:05:48.0 -0400 @@ -1,3 +1,39 @@ +libbson 1.17.6 +== + +It is my pleasure to announce libbson 1.17.6. + +No changes since 1.17.5; release to keep pace with libmongoc's version. + +-- Kevin Albertson + + +libbson 1.17.5 +== + +It is my pleasure to announce libbson 1.17.5. + +Bug fixes: + +
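Review bot: in src/libbson/CMakeLists.txt the new guard is written `if (!APPLE)`, but CMake has no `!` operator; negation is spelled `if (NOT APPLE)`. As written, the argument is the string `!APPLE`, which is neither a true constant nor a defined variable, so the condition is false on every platform and the `find_library (M_LIBRARY m)` block is skipped on Linux as well as on macOS, leaving libm out of BSON_LIBRARIES. Change the condition to `if (NOT APPLE)` so that the comment above it (macOS does not need libm linked explicitly) matches what the build does.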
Bug#984896: buster-pu: package jquery/3.3.1~dfsg-3
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

[ Reason ]
I would like to fix CVE-2020-11022 and CVE-2020-11023. The same fix has been prepared for stretch and will be uploaded concurrently with the buster fix. The security team has marked these issues as no-dsa.

[ Impact ]
jquery would be vulnerable if not approved.

[ Tests ]
Backported patch was reviewed and approved by the Debian package maintainers. Sadly, no reproducers were released.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them, along with the maintainers of jquery
[x] attach debdiff against the package in (old)stable
[N/A] the issue is verified as fixed in unstable (jquery is not present in unstable/testing)

Regards,

-Roberto

diff -Nru jquery-3.3.1~dfsg/debian/changelog jquery-3.3.1~dfsg/debian/changelog --- jquery-3.3.1~dfsg/debian/changelog 2019-04-19 02:52:35.0 -0400 +++ jquery-3.3.1~dfsg/debian/changelog 2021-03-09 14:42:16.0 -0500 
@@ -1,3 +1,13 @@ +jquery (3.3.1~dfsg-3+deb10u1) buster; urgency=high + + * Non-maintainer upload by the LTS Team. + * Prevent untrusted code execution when passing untrusted HTML to DOM +manipulation methods. (CVE-2020-11022) + * Prevent untrusted code execution when passing HTML containing +elements to DOM manipulation methods. (CVE-2020-11023) + + -- Roberto C. Sánchez Tue, 09 Mar 2021 14:42:16 -0500 + jquery (3.3.1~dfsg-3) unstable; urgency=medium * Team upload diff -Nru jquery-3.3.1~dfsg/debian/patches/CVE-2020-11022.patch jquery-3.3.1~dfsg/debian/patches/CVE-2020-11022.patch --- jquery-3.3.1~dfsg/debian/patches/CVE-2020-11022.patch 1969-12-31 19:00:00.0 -0500 +++ jquery-3.3.1~dfsg/debian/patches/CVE-2020-11022.patch 2021-03-09 14:42:16.0 -0500 
@@ -0,0 +1,1749 @@ +From 1d61fd9407e6fbe82fe55cb0b938307aa0791f77 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Go=C5=82=C4=99biowski-Owczarek?= + +Date: Mon, 16 Mar 2020 21:49:29 +0100 +Subject: [PATCH] Manipulation: Make jQuery.htmlPrefilter an identity function + +Closes gh-4642 + +(cherry picked from 90fed4b453a5becdb7f173d9e3c1492390a1441f) +--- + src/manipulation.js | 9 +-- + test/data/testinit.js | 2 +- + test/localfile.html | 2 +- + test/unit/ajax.js | 8 +-- + test/unit/attributes.js | 46 ++--- + test/unit/basic.js| 24 +++ + test/unit/core.js | 14 ++-- + test/unit/css.js | 112 +++ + test/unit/data.js | 20 +++--- + test/unit/deprecated.js | 2 +- + test/unit/dimensions.js | 30 - + test/unit/effects.js | 22 +++--- + test/unit/event.js| 26 +++ + test/unit/manipulation.js | 138 ++ + test/unit/offset.js | 10 +-- + test/unit/selector.js | 4 +- + test/unit/traversing.js | 22 +++--- + test/unit/wrap.js | 12 ++-- + 18 files changed, 246 insertions(+), 257 deletions(-) + +--- a/src/manipulation.js b/src/manipulation.js +@@ -32,13 +32,6 @@ + + var + +- /* eslint-disable max-len */ +- +- // See https://github.com/eslint/eslint/issues/3229 +- rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi, +- +- /* eslint-enable */ +- + // Support: IE <=10 - 11, Edge 12 - 13 only + // In IE/Edge using regex groups here causes severe slowdowns. + // See https://connect.microsoft.com/IE/feedback/details/1736512/ +@@ -235,7 +228,7 @@ + + jQuery.extend( { + htmlPrefilter: function( html ) { +- return html.replace( rxhtmlTag, "<$1>" ); ++ return html; + }, + + clone: function( elem, dataAndEvents, deepDataAndEvents ) { +--- a/test/data/testinit.js b/test/data/testinit.js +@@ -244,7 +244,7 @@ + } + wrapper.call( QUnit, title, function( assert ) { + var done = assert.async(), +-
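Review bot: in the src/manipulation.js hunks, making `htmlPrefilter` return its input unchanged also removes the rewriting of self-closed tags that `rxhtmlTag` performed, which is a behaviour change for any code in buster that passes markup such as `<div/>` to jQuery; the 17 files under test/ in the diffstat were adjusted for exactly that. The debian/changelog entry describes only the security effect, so add a line saying that self-closed non-void tags are no longer expanded, so that users of the package know what to look for after the point release.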
Bug#956537: stretch-pu: package php-horde-trean/1.1.7-1+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Please find attached a proposed debdiff for php-horde-trean. The change fixes CVE-2020-8865, which the security team has classified as , deeming it a minor issue which can be fixed via a point release. I have prepared this update in coordination with the security team. May I have permission to upload to stretch-proposed-updates?

Regards,

-Roberto

-- System Information:
Debian Release: 10.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru php-horde-trean-1.1.7/debian/changelog php-horde-trean-1.1.7/debian/changelog --- php-horde-trean-1.1.7/debian/changelog 2016-12-18 17:01:35.0 -0500 +++ php-horde-trean-1.1.7/debian/changelog 2020-04-10 20:32:35.0 -0400 
@@ -1,3 +1,13 @@ +php-horde-trean (1.1.7-1+deb9u1) stretch; urgency=high + + * Fix CVE-2020-8865: +The Horde Application Framework contained a directory traversal +vulnerability resulting from insufficient input sanitization. An +authenticated remote attacker could use this flaw to execute code in the +context of the web server user. (Closes: #955019) + + -- Roberto C. Sanchez Fri, 10 Apr 2020 20:32:35 -0400 + php-horde-trean (1.1.7-1) unstable; urgency=medium * New upstream version 1.1.7 diff -Nru php-horde-trean-1.1.7/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch php-horde-trean-1.1.7/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch --- php-horde-trean-1.1.7/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch 1969-12-31 19:00:00.0 -0500 +++ php-horde-trean-1.1.7/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch 2020-04-10 20:32:35.0 -0400 
@@ -0,0 +1,36 @@ +From db0714a0c04d87bda9e2852f1b0d259fc281ca75 Mon Sep 17 00:00:00 2001 +From: Michael J Rubinsky +Date: Sun, 1 Mar 2020 15:00:46 -0500 +Subject: [PATCH] SECURITY: Fix Directory Traversal Vulerability. + +--- + lib/Block/Bookmarks.php | 2 +- + lib/Block/Mostclicked.php | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/trean-1.1.7/lib/Block/Bookmarks.php b/trean-1.1.7/lib/Block/Bookmarks.php +index 7027bc3..16c7ba2 100644 +--- a/trean-1.1.7/lib/Block/Bookmarks.php b/trean-1.1.7/lib/Block/Bookmarks.php +@@ -68,7 +68,7 @@ protected function _title() + */ + protected function _content() + { +-$template = TREAN_TEMPLATES . '/block/' . $this->_params['template'] . '.inc'; ++$template = TREAN_TEMPLATES . '/block/' . basename($this->_params['template']) . '.inc'; + + $sortby = 'title'; + $sortdir = 0; +diff --git a/trean-1.1.7/lib/Block/Mostclicked.php b/trean-1.1.7/lib/Block/Mostclicked.php +index ffbc52b..3308110 100644 +--- a/trean-1.1.7/lib/Block/Mostclicked.php b/trean-1.1.7/lib/Block/Mostclicked.php +@@ -58,7 +58,7 @@ protected function _title() + */ + protected function _content() + { +-$template = TREAN_TEMPLATES . '/block/' . $this->_params['template'] . '.inc'; ++$template = TREAN_TEMPLATES . '/block/' . basename($this->_params['template']) . '.inc'; + + $html = ''; + $bookmarks = $GLOBALS['trean_gateway']->listBookmarks('clicks', 1, 0, $this->_params['rows']); diff -Nru php-horde-trean-1.1.7/debian/patches/series php-horde-trean-1.1.7/debian/patches/series --- php-horde-trean-1.1.7/debian/patches/series 1969-12-31 19:00:00.0 -0500 +++ php-horde-trean-1.1.7/debian/patches/series 2020-04-10 20:32:35.0 -0400 @@ -0,0 +1 @@ +0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
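Review bot: in both `_content()` hunks (lib/Block/Bookmarks.php and lib/Block/Mostclicked.php), `basename()` strips directory components from `$this->_params['template']`, but the result is still concatenated into the path with no check that it names one of the block templates shipped under TREAN_TEMPLATES . '/block/'. Comparing the value against a fixed list of template names, or at least checking that the resulting file exists before it is used, would make the failure case explicit instead of leaving it to whatever consumes `$template`.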
Bug#956536: buster-pu: package php-horde-trean/1.1.9-3+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Please find attached a proposed debdiff for php-horde-trean. The change fixes CVE-2020-8865, which the security team has classified as , deeming it a minor issue which can be fixed via a point release. I have prepared this update in coordination with the security team. May I have permission to upload to buster-proposed-updates?

Regards,

-Roberto

-- System Information:
Debian Release: 10.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru php-horde-trean-1.1.9/debian/changelog php-horde-trean-1.1.9/debian/changelog --- php-horde-trean-1.1.9/debian/changelog 2018-05-15 10:52:05.0 -0400 +++ php-horde-trean-1.1.9/debian/changelog 2020-04-10 20:31:30.0 -0400 
@@ -1,3 +1,13 @@ +php-horde-trean (1.1.9-3+deb10u1) buster; urgency=high + + * Fix CVE-2020-8865: +The Horde Application Framework contained a directory traversal +vulnerability resulting from insufficient input sanitization. An +authenticated remote attacker could use this flaw to execute code in the +context of the web server user. (Closes: #955019) + + -- Roberto C. Sanchez Fri, 10 Apr 2020 20:31:30 -0400 + php-horde-trean (1.1.9-3) unstable; urgency=medium * Update Standards-Version to 4.1.4, no change diff -Nru php-horde-trean-1.1.9/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch php-horde-trean-1.1.9/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch --- php-horde-trean-1.1.9/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch 1969-12-31 19:00:00.0 -0500 +++ php-horde-trean-1.1.9/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch 2020-04-10 20:31:30.0 -0400 
@@ -0,0 +1,36 @@ +From db0714a0c04d87bda9e2852f1b0d259fc281ca75 Mon Sep 17 00:00:00 2001 +From: Michael J Rubinsky +Date: Sun, 1 Mar 2020 15:00:46 -0500 +Subject: [PATCH] SECURITY: Fix Directory Traversal Vulerability. + +--- + lib/Block/Bookmarks.php | 2 +- + lib/Block/Mostclicked.php | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/trean-1.1.9/lib/Block/Bookmarks.php b/trean-1.1.9/lib/Block/Bookmarks.php +index 7027bc3..16c7ba2 100644 +--- a/trean-1.1.9/lib/Block/Bookmarks.php b/trean-1.1.9/lib/Block/Bookmarks.php +@@ -68,7 +68,7 @@ protected function _title() + */ + protected function _content() + { +-$template = TREAN_TEMPLATES . '/block/' . $this->_params['template'] . '.inc'; ++$template = TREAN_TEMPLATES . '/block/' . basename($this->_params['template']) . '.inc'; + + $sortby = 'title'; + $sortdir = 0; +diff --git a/trean-1.1.9/lib/Block/Mostclicked.php b/trean-1.1.9/lib/Block/Mostclicked.php +index ffbc52b..3308110 100644 +--- a/trean-1.1.9/lib/Block/Mostclicked.php b/trean-1.1.9/lib/Block/Mostclicked.php +@@ -58,7 +58,7 @@ protected function _title() + */ + protected function _content() + { +-$template = TREAN_TEMPLATES . '/block/' . $this->_params['template'] . '.inc'; ++$template = TREAN_TEMPLATES . '/block/' . basename($this->_params['template']) . '.inc'; + + $html = ''; + $bookmarks = $GLOBALS['trean_gateway']->listBookmarks('clicks', 1, 0, $this->_params['rows']); diff -Nru php-horde-trean-1.1.9/debian/patches/series php-horde-trean-1.1.9/debian/patches/series --- php-horde-trean-1.1.9/debian/patches/series 1969-12-31 19:00:00.0 -0500 +++ php-horde-trean-1.1.9/debian/patches/series 2020-04-10 20:31:30.0 -0400 @@ -0,0 +1 @@ +0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
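Review bot: the header of 0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch carries only the upstream From/Date/Subject lines; add an Origin field pointing at upstream commit db0714a0c04d87bda9e2852f1b0d259fc281ca75 and a Bug-Debian field for #955019, so that the source of this backport can be found from the patch file itself and not only from debian/changelog.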
Bug#956535: buster-pu: package php-horde-data/2.1.4-5+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Please find attached a proposed debdiff for php-horde-data. The change fixes CVE-2020-8518, which the security team has classified as , deeming it a minor issue which can be fixed via a point release. May I have permission to upload to stretch-proposed-updates? -- System Information: Debian Release: 10.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru php-horde-data-2.1.4/debian/changelog php-horde-data-2.1.4/debian/changelog --- php-horde-data-2.1.4/debian/changelog 2018-05-14 18:16:00.0 -0400 +++ php-horde-data-2.1.4/debian/changelog 2020-04-10 19:57:00.0 -0400 
@@ -1,3 +1,12 @@ +php-horde-data (2.1.4-5+deb10u1) buster; urgency=high + + * Fix CVE-2020-8518: +The Horde Application Framework contained a remote code execution +vulnerability. An authenticated remote attacker could use this flaw to +cause execution of uploaded CSV data. (Closes: #951537) + + -- Roberto C. Sanchez Fri, 10 Apr 2020 19:57:00 -0400 + php-horde-data (2.1.4-5) unstable; urgency=medium * Update Standards-Version to 4.1.4, no change diff -Nru php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch --- php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch 1969-12-31 19:00:00.0 -0500 +++ php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch 2020-04-10 19:57:00.0 -0400 
@@ -0,0 +1,36 @@ +From 78ad0c2390176cdde7260a271bc6ddd86f4c9c0e Mon Sep 17 00:00:00 2001 +From: Jan Schneider +Date: Mon, 13 Feb 2017 18:38:59 +0100 +Subject: [PATCH] Don't use create_function(). + +It's deprecated and unsafe and closures should be used instead. +--- + lib/Horde/Data/Csv.php | 15 ++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php +index c2dc7dc..c0ffa63 100644 +--- a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php +@@ -332,7 +332,20 @@ public static function getCsv($file, array $params = array()) + + if ($row) { + $row = (strlen($params['quote']) && strlen($params['escape'])) +-? array_map(create_function('$a', 'return str_replace(\'' . str_replace('\'', '\\\'', $params['escape'] . $params['quote']) . '\', \'' . str_replace('\'', '\\\'', $params['quote']) . '\', $a);'), $row) ++? array_map( ++function ($a) use ($params) { ++return str_replace( ++str_replace( ++'\'', ++'\\\'', ++$params['escape'] . $params['quote'] ++), ++str_replace('\'', '\\\'', $params['quote']), ++$a ++); ++}, ++$row ++) + : array_map('trim', $row); + + if (!empty($params['length'])) { diff -Nru php-horde-data-2.1.4/debian/patches/series php-horde-data-2.1.4/debian/patches/series --- php-horde-data-2.1.4/debian/patches/series 1969-12-31 19:00:00.0 -0500 +++ php-horde-data-2.1.4/debian/patches/series 2020-04-10 19:57:00.0 -0400 @@ -0,0 +1 @@ +0001-CVE-2020-8518-Dont-use-create_function.patch
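Review bot: in the closure added to `getCsv()`, the inner `str_replace('\'', '\\\'', ...)` calls are carried over unchanged from the `create_function()` line, where they escaped the values for the generated PHP string literal. In a closure nothing is parsed as code, so when `$params['quote']` or `$params['escape']` contains a single quote these calls now alter the search and replacement strings (a `'` becomes `\'`) and the unescaping no longer matches what is in the row. Suggest `str_replace($params['escape'] . $params['quote'], $params['quote'], $a)`, or a comment explaining why the extra backslash is wanted.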
Bug#956534: stretch-pu: package php-horde-form/2.0.15-1+deb9u2
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Please find attached a proposed debdiff for php-horde-form. The change fixes CVE-2020-8866, which the security team has classified as , deeming it a minor issue which can be fixed via a point release. I have prepared this update in coordination with the security team. May I have permission to upload to stretch-proposed-updates? -- System Information: Debian Release: 10.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#956533: buster-pu: package php-horde-form/2.0.18-3.1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Please find attached a proposed debdiff for php-horde-form. The change fixes CVE-2020-8866, which the security team has classified as , deeming it a minor issue which can be fixed via a point release. I have prepared this update in coordination with the security team. May I have permission to upload to buster-proposed-updates? -- System Information: Debian Release: 10.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru php-horde-form-2.0.18/debian/changelog php-horde-form-2.0.18/debian/changelog --- php-horde-form-2.0.18/debian/changelog 2019-06-16 03:29:14.0 -0400 +++ php-horde-form-2.0.18/debian/changelog 2020-03-24 13:55:11.0 -0400 
@@ -1,3 +1,14 @@ +php-horde-form (2.0.18-3.1+deb10u1) buster; urgency=high + + * Fix CVE-2020-8866: +The Horde Application Framework contained a remote code execution +vulnerability. An authenticated remote attacker could use this flaw to +upload arbitrary content to an arbitrary writable location on the server +and potentially execute code in the context of the web server user. +(Closes: #955020) + + -- Roberto C. Sanchez Tue, 24 Mar 2020 13:55:11 -0400 + php-horde-form (2.0.18-3.1) unstable; urgency=high * Non-maintainer upload. diff -Nru php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch --- php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch 1969-12-31 19:00:00.0 -0500 +++ php-horde-form-2.0.18/debian/patches/0002-SECURITY-Prevent-ability-to-specify-temporary-filename.patch 2020-03-24 13:55:11.0 -0400 
@@ -0,0 +1,35 @@ +From 35d382cc3a0482c07d0c2272cac89a340922e0a6 Mon Sep 17 00:00:00 2001 +From: Michael J Rubinsky +Date: Sun, 1 Mar 2020 14:46:49 -0500 +Subject: [PATCH] SECURITY: Prevent ability to specify temporary filename. + +Origin: https://github.com/horde/Form/commit/35d382cc3a0482c07d0c2272cac89a340922e0a6 +--- + lib/Horde/Form/Type.php | 11 +-- + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/Horde_Form-2.0.18/lib/Horde/Form/Type.php b/Horde_Form-2.0.18/lib/Horde/Form/Type.php +index f1e8157..e302d8d 100644 +--- a/Horde_Form-2.0.18/lib/Horde/Form/Type.php b/Horde_Form-2.0.18/lib/Horde/Form/Type.php +@@ -1200,12 +1200,11 @@ class Horde_Form_Type_image extends Horde_Form_Type { + if (!empty($upload['hash'])) { + $upload['img'] = $session->get('horde', 'form/' . $upload['hash']); + $session->remove('horde', 'form/' . $upload['hash']); +-} +- +-/* Get the temp file if already one uploaded, otherwise create a +- * new temporary file. */ +-if (!empty($upload['img']['file'])) { +-$tmp_file = Horde::getTempDir() . '/' . basename($upload['img']['file']); ++if (!empty($upload['img']['file'])) { ++$tmp_file = Horde::getTempDir() . '/' . basename($upload['img']['file']); ++} else { ++$tmp_file = Horde::getTempFile('Horde', false); ++} + } else { + $tmp_file = Horde::getTempFile('Horde', false); + } +-- +2.20.1 + diff -Nru php-horde-form-2.0.18/debian/patches/series php-horde-form-2.0.18/de
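Review bot: in the `Horde_Form_Type_image` hunk, the removed comment ("Get the temp file if already one uploaded, otherwise create a new temporary file") is not replaced, and the property the fix relies on, that `$upload['img']['file']` is only honoured when `$upload['img']` was just loaded from the session under `$upload['hash']`, is now expressed only by the nesting. Please add a short comment stating that, so a later cleanup does not hoist the check back out. The two identical `else` branches calling `Horde::getTempFile('Horde', false)` could also be reduced to a single fallback.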
Bug#956532: stretch-pu: package php-horde-data/2.1.4-3+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Please find attached a proposed debdiff for php-horde-data. The change fixes CVE-2020-8518, which the security team has classified as , deeming it a minor issue which can be fixed via a point release. I have prepared this update in coordination with the security team. May I have permission to upload to stretch-proposed-updates? -- System Information: Debian Release: 10.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru php-horde-data-2.1.4/debian/changelog php-horde-data-2.1.4/debian/changelog --- php-horde-data-2.1.4/debian/changelog 2016-06-07 16:25:17.0 -0400 +++ php-horde-data-2.1.4/debian/changelog 2020-04-10 19:58:12.0 -0400 
@@ -1,3 +1,12 @@ +php-horde-data (2.1.4-3+deb9u1) stretch; urgency=high + + * Fix CVE-2020-8518: +The Horde Application Framework contained a remote code execution +vulnerability. An authenticated remote attacker could use this flaw to +cause execution of uploaded CSV data. (Closes: #951537) + + -- Roberto C. Sanchez Fri, 10 Apr 2020 19:58:12 -0400 + php-horde-data (2.1.4-3) unstable; urgency=medium * Update Standards-Version to 3.9.8, no change diff -Nru php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch --- php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch 1969-12-31 19:00:00.0 -0500 +++ php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch 2020-04-10 19:58:12.0 -0400 
@@ -0,0 +1,36 @@ +From 78ad0c2390176cdde7260a271bc6ddd86f4c9c0e Mon Sep 17 00:00:00 2001 +From: Jan Schneider +Date: Mon, 13 Feb 2017 18:38:59 +0100 +Subject: [PATCH] Don't use create_function(). + +It's deprecated and unsafe and closures should be used instead. +--- + lib/Horde/Data/Csv.php | 15 ++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php +index c2dc7dc..c0ffa63 100644 +--- a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php +@@ -332,7 +332,20 @@ public static function getCsv($file, array $params = array()) + + if ($row) { + $row = (strlen($params['quote']) && strlen($params['escape'])) +-? array_map(create_function('$a', 'return str_replace(\'' . str_replace('\'', '\\\'', $params['escape'] . $params['quote']) . '\', \'' . str_replace('\'', '\\\'', $params['quote']) . '\', $a);'), $row) ++? array_map( ++function ($a) use ($params) { ++return str_replace( ++str_replace( ++'\'', ++'\\\'', ++$params['escape'] . $params['quote'] ++), ++str_replace('\'', '\\\'', $params['quote']), ++$a ++); ++}, ++$row ++) + : array_map('trim', $row); + + if (!empty($params['length'])) { diff -Nru php-horde-data-2.1.4/debian/patches/series php-horde-data-2.1.4/debian/patches/series --- php-horde-data-2.1.4/debian/patches/series 1969-12-31 19:00:00.0 -0500 +++ php-horde-data-2.1.4/debian/patches/series 2020-04-10 19:58:12.0 -0400 @@ -0,0 +1 @@ +0001-CVE-2020-8518-Dont-use-create_function.patch
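Review bot: the embedded patch changes only lib/Horde/Data/Csv.php (1 file changed, 14 insertions, 1 deletion), so nothing in this upload exercises the rewritten `array_map()` branch of `getCsv()`. A regression test that calls `getCsv()` with `quote` and `escape` values containing a single quote and a backslash would show both that the values are no longer evaluated as code and that unescaping of quoted fields still returns the same rows as before the change.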
Bug#946704: stretch-pu: package php-horde/5.2.13+debian0-1+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Please find attached a proposed debdiff for php-horde. The change fixes CVE-2019-12095, which the security team has classified as , deeming it a minor issue which can be fixed via a point release. May I have permission to upload to stretch-proposed-updates? -- System Information: Debian Release: 10.2 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru php-horde-5.2.13+debian0/debian/changelog php-horde-5.2.13+debian0/debian/changelog --- php-horde-5.2.13+debian0/debian/changelog 2016-12-18 16:01:07.0 -0500 +++ php-horde-5.2.13+debian0/debian/changelog 2019-12-13 21:10:06.0 -0500 @@ -1,3 +1,9 @@ +php-horde (5.2.13+debian0-1+deb9u1) stretch; urgency=high + + * Fix CVE-2019-12095: Stored XSS vuln in the Horde Cloud Block. + + -- Roberto C. Sanchez Fri, 13 Dec 2019 21:10:06 -0500 + php-horde (5.2.13+debian0-1) unstable; urgency=medium * New upstream version 5.2.13+debian0 diff -Nru php-horde-5.2.13+debian0/debian/patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch php-horde-5.2.13+debian0/debian/patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch --- php-horde-5.2.13+debian0/debian/patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch 1969-12-31 19:00:00.0 -0500 +++ php-horde-5.2.13+debian0/debian/patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch 2019-12-13 21:10:06.0 -0500 
@@ -0,0 +1,50 @@ +From 81a7b53973506856db67e7f0b0263be29528aa75 Mon Sep 17 00:00:00 2001 +From: Michael J Rubinsky +Date: Sat, 20 Apr 2019 17:34:41 -0400 +Subject: [PATCH] Fix XSS vuln in the Horde Cloud Block. + +--- + horde-5.2.13/lib/Block/Cloud.php | 6 +- + horde-5.2.13/services/portal/cloud_search.php | 2 +- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/horde-5.2.13/lib/Block/Cloud.php b/horde-5.2.13/lib/Block/Cloud.php +index 92a44255..9df5bf3c 100644 +--- a/horde-5.2.13/lib/Block/Cloud.php b/horde-5.2.13/lib/Block/Cloud.php +@@ -13,6 +13,10 @@ class Horde_Block_Cloud extends Horde_Core_Block + $this->_name = _("Tag Cloud"); + } + ++protected function _escapeJs($string) ++{ ++return str_replace("\n", '\n', str_replace('"', '\"', addcslashes(str_replace("\r", '', (string)$string), "\0..\37'\\"))); ++} + /** + */ + protected function _content() +@@ -21,7 +25,7 @@ class Horde_Block_Cloud extends Horde_Core_Block + foreach ($this->_getTags() as $tag) { + $cloud->addElement( + $tag['tag_name'], '#', $tag['count'], null, +-'doSearch(\'' . $tag['tag_name'] . '\'); return false;'); ++'doSearch(\'' . htmlspecialchars($this->_escapeJs($tag['tag_name'])) . '\'); return false;'); + } + + Horde::startBuffer(); +diff --git a/horde-5.2.13/services/portal/cloud_search.php b/horde-5.2.13/services/portal/cloud_search.php +index d72da96e..0d44b5a5 100644 +--- a/horde-5.2.13/services/portal/cloud_search.php b/horde-5.2.13/services/portal/cloud_search.php +@@ -43,7 +43,7 @@ foreach ($results as $result) { + echo ' ' . + (empty($result['icon']) ? Horde_Themes_Image::tag(Horde_Themes::img($result['app'] . '.png', array('app' => $result['app'])), array('alt' => $result['app'])) : '') . + Horde::link($result['view_url'], '', '', '', '', '', '', array('style' => 'margin:4px')) . +- (empty($result['icon']) ? $result['title'] : '') . ++ (empty($result['icon']) ? htmlspecialchars($result['title']) : '') . + '' . $result['desc'] . 
''; + } + echo ''; +-- +2.20.1 + diff -Nru php-horde-5.2.13+debian0/debian/patches/series php-horde-5.2.13+debian0/debian/patches/series --- php-horde-5.2.13+debian0/debian/patches/series 2016-12-18 16:01:07.0 -0500 +++ php-horde-5.2.13+debian0/debian/patches/series 2019-12-13 21:10:06.0 -0500 @@ -1 +1,2 @@ 0001-Fix-rewrite-base.patch +0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch
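Review bot: in the services/portal/cloud_search.php hunk, `$result['title']` is now passed through `htmlspecialchars()`, but the next line still concatenates `$result['desc']` into the same output unescaped. If `desc` can carry user-supplied text it needs the same escaping; if it is meant to contain markup, a comment saying where it is sanitized would help.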
Bug#946705: buster-pu: package php-horde/5.2.20+debian0-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Please find attached a proposed debdiff for php-horde. The change fixes CVE-2019-12095, which the security team has classified as , deeming it a minor issue which can be fixed via a point release. May I have permission to upload to buster-proposed-updates? -- System Information: Debian Release: 10.2 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru php-horde-5.2.20+debian0/debian/changelog php-horde-5.2.20+debian0/debian/changelog --- php-horde-5.2.20+debian0/debian/changelog 2018-10-25 15:08:21.0 -0400 +++ php-horde-5.2.20+debian0/debian/changelog 2019-12-13 21:13:53.0 -0500 
@@ -1,3 +1,9 @@ +php-horde (5.2.20+debian0-1+deb10u1) buster; urgency=high + + * Fix CVE-2019-12095: Stored XSS vuln in the Horde Cloud Block. + + -- Roberto C. Sanchez Fri, 13 Dec 2019 21:13:53 -0500 + php-horde (5.2.20+debian0-1) unstable; urgency=medium * New upstream version 5.2.20+debian0 diff -Nru php-horde-5.2.20+debian0/debian/patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch php-horde-5.2.20+debian0/debian/patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch --- php-horde-5.2.20+debian0/debian/patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch 1969-12-31 19:00:00.0 -0500 +++ php-horde-5.2.20+debian0/debian/patches/0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch 2019-12-13 21:13:53.0 -0500 
@@ -0,0 +1,50 @@ +From 81a7b53973506856db67e7f0b0263be29528aa75 Mon Sep 17 00:00:00 2001 +From: Michael J Rubinsky +Date: Sat, 20 Apr 2019 17:34:41 -0400 +Subject: [PATCH] Fix XSS vuln in the Horde Cloud Block. + +--- + horde-5.2.20/lib/Block/Cloud.php | 6 +- + horde-5.2.20/services/portal/cloud_search.php | 2 +- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/horde-5.2.20/lib/Block/Cloud.php b/horde-5.2.20/lib/Block/Cloud.php +index 92a44255..9df5bf3c 100644 +--- a/horde-5.2.20/lib/Block/Cloud.php b/horde-5.2.20/lib/Block/Cloud.php +@@ -13,6 +13,10 @@ class Horde_Block_Cloud extends Horde_Core_Block + $this->_name = _("Tag Cloud"); + } + ++protected function _escapeJs($string) ++{ ++return str_replace("\n", '\n', str_replace('"', '\"', addcslashes(str_replace("\r", '', (string)$string), "\0..\37'\\"))); ++} + /** + */ + protected function _content() +@@ -21,7 +25,7 @@ class Horde_Block_Cloud extends Horde_Core_Block + foreach ($this->_getTags() as $tag) { + $cloud->addElement( + $tag['tag_name'], '#', $tag['count'], null, +-'doSearch(\'' . $tag['tag_name'] . '\'); return false;'); ++'doSearch(\'' . htmlspecialchars($this->_escapeJs($tag['tag_name'])) . '\'); return false;'); + } + + Horde::startBuffer(); +diff --git a/horde-5.2.20/services/portal/cloud_search.php b/horde-5.2.20/services/portal/cloud_search.php +index d72da96e..0d44b5a5 100644 +--- a/horde-5.2.20/services/portal/cloud_search.php b/horde-5.2.20/services/portal/cloud_search.php +@@ -43,7 +43,7 @@ foreach ($results as $result) { + echo ' ' . + (empty($result['icon']) ? Horde_Themes_Image::tag(Horde_Themes::img($result['app'] . '.png', array('app' => $result['app'])), array('alt' => $result['app'])) : '') . + Horde::link($result
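Review bot: in the lib/Block/Cloud.php hunk, `_escapeJs()` is added with no docblock and no blank line before the existing `/** */` of `_content()`, and its one-line body nests four calls. A short comment stating the intended output context (a single-quoted JavaScript string, judging by `'doSearch(\'' . ... . '\'); return false;'`) and why the JavaScript escape is applied before `htmlspecialchars()` would make the fix much easier to check. `htmlspecialchars()` is also called without explicit flags, so whether single quotes are entity-encoded depends on the PHP version's default.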
Bug#939346: nmu: rubyluabridge_0.8.0-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu My upload of rubyluabridge 0.8.0-2 was a binary upload built on amd64. This is because the package is maintained with mercurial-buildpackage and I was unable to get it to generate a source.changes. Please binNMU rubyluabridge on amd64 so that it might migrate into testing: nmu rubyluabridge_0.8.0-2 . amd64 . unstable . -m "no-change rebuild" Regards, -Roberto -- System Information: Debian Release: 9.9 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#925383: unblock: shorewall/5.2.3.2-1
otate ) = @_; +sub process_shorewall_conf( $$ ) { +my ( $update, $annotate ) = @_; my $file = find_file "$product.conf"; my @vars; @@ -6175,7 +6175,7 @@ sub convert_to_version_5_2() { # sub get_configuration( $$$ ) { -( my $export, $update, my $annotate ) = @_; +my ( $export, $update, $annotate ) = @_; $globals{EXPORT} = $export; @@ -6237,7 +6237,7 @@ sub get_configuration( $$$ ) { get_params( $export ); -process_shorewall_conf( $annotate ); +process_shorewall_conf( $update, $annotate ); ensure_config_path; diff --git a/changelog.txt b/changelog.txt index 435f5355..de40a1de 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,3 +1,9 @@ +Changes in 5.2.3.2 + +1) Update release documents. + +2) Document fix for masq file auto-update. + Changes in 5.2.3.1 1) Update release documents. diff --git a/configure b/configure index bcef8e2e..306d0243 100755 --- a/configure +++ b/configure @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.3.1 +VERSION=5.2.3.2 case "$BASH_VERSION" in [4-9].*) diff --git a/configure.pl b/configure.pl index 0ad97954..c7f30164 100755 --- a/configure.pl +++ b/configure.pl @@ -31,7 +31,7 @@ use strict; # Build updates this # use constant { -VERSION => '5.2.3.1' +VERSION => '5.2.3.2' }; my %params; diff --git a/debian/changelog b/debian/changelog index 89e1be53..321304ed 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +shorewall (5.2.3.2-1) unstable; urgency=medium + + * New Upstream Version + + -- Roberto C. Sanchez Sat, 23 Mar 2019 21:40:05 -0400 + shorewall (5.2.3.1-1) unstable; urgency=medium * New Upstream Version diff --git a/install.sh b/install.sh index 0248b569..6febf84d 100755 --- a/install.sh +++ b/install.sh @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.2.3.1 +VERSION=5.2.3.2 usage() # $1 = exit status { diff --git a/known_problems.txt b/known_problems.txt index 8704ce3f..173a5ea0 100644 --- a/known_problems.txt +++ b/known_problems.txt 
@@ -20,3 +20,21 @@ /etc/shorewall/policy (line 8) Corrected in Shorewall 5.2.3.1 + +5) Shorewall 5.2 automatically converts and existing 'masq' file to an +equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that +automatic update, such that the following error message was issued: + + Use of uninitialized value $Shorewall::Nat::rawcurrentline in + pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm + line 511, <$currentfile> line nnn. + +and the generted 'masq' file contains only initial comments. + +Workaround: + +After upgrading to 5.2.3, issue this command: + + 'shorewall[6] update' + +Corrected in 5.2.3.2. diff --git a/releasenotes.txt b/releasenotes.txt index 0c7c9d45..4838dcf5 100644 --- a/releasenotes.txt +++ b/releasenotes.txt @@ -1,7 +1,7 @@ - S H O R E W A L L 5 . 2 . 3 . 1 + S H O R E W A L L 5 . 2 . 3 . 2 --- - F E B R U A R Y 2 6 , 2 0 1 9 + M A R C H 1 7 , 2 0 1 9 I.PROBLEMS CORRECTED IN THIS RELEASE @@ -14,6 +14,20 @@ V.PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E +5.2.3.2 + +1) Shorewall 5.2 automatically converts and existing 'masq' file to an +equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that +automatic update, such that the following error message was issued: + + Use of uninitialized value $Shorewall::Nat::raw::currentline in + pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm + line 511, <$currentfile> line nnn. + +and the generted 'masq' file contains only initial comments. + +That has been corrected. + 5.2.3.1 1) An issue in the implementation of policy file zone exclusion, diff --git a/shorewall.spec b/shorewall.spec index b883c303..2b47369a 100644 --- a/shorewall.spec +++ b/shorewall.spec @@ -1,6 +1,6 @@ %define name shorewall %define version 5.2.3 -%define release 1 +%define release 2 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} 
@@ -155,6 +155,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt Samples %changelog +* Sun Mar 17 2019 Tom Eastep t...@shorewall.net +- Updated to 5.2.3-2 * Tue Feb 26 2019 Tom Eastep t...@shorewall.net - Updated to 5.2.3-1 * Mon Feb 11 2019 Tom Eastep t...@shorewall.net diff --git a/u
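Review bot: in the `get_configuration()` hunk, the old `( my $export, $update, my $annotate ) = @_;` assigned to a `$update` that was not declared in the sub, while the new `my ( $export, $update, $annotate ) = @_;` makes it lexical to `get_configuration()`. `process_shorewall_conf()` now receives it as an argument, but any other code that still reads the outer `$update` will no longer see the caller's value. Please confirm no such reader is left, or remove the outer declaration so that a stale reference fails at compile time.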
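Review bot: the new known_problems.txt and releasenotes.txt entries quote the same warning with different variable names (`$Shorewall::Nat::rawcurrentline` in one, `$Shorewall::Nat::raw::currentline` in the other); one of them should be corrected to match the message actually emitted. Both entries also read "converts and existing" and "generted", and known_problems.txt ends with "Corrected in 5.2.3.2." where the preceding item uses "Corrected in Shorewall 5.2.3.1".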
Bug#912531: stretch-pu: package exiv2/0.25-3.1+deb9u2
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu I have prepared an update for exiv2 in jessie (0.24-4.1+deb8u2) related to CVE-2018-16336 and also including a minor fix to the previous patch for CVE-2018-10958 and CVE-2018-10999. The patch for the jessie package applied to the stretch exiv2 package with only one small change required. I corresponded with the exiv2 maintainers and also Salvatore about whether I should upload this as a security update. Salvatore indicated that for stable he was inclined to consider that this did not warrant a DSA and he recommended that I proceed with a stable update for the next point release. Please find attached the source debdiff. Regards, -Roberto diff -Nru exiv2-0.25/debian/changelog exiv2-0.25/debian/changelog --- exiv2-0.25/debian/changelog 2018-06-27 08:09:36.0 -0400 +++ exiv2-0.25/debian/changelog 2018-10-20 22:43:10.0 -0400 @@ -1,3 +1,13 @@ +exiv2 (0.25-3.1+deb9u2) stretch-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Minor adjustment to the patch for CVE-2018-10958 and CVE-2018-10999. The +initial patch was overly restrictive in counting PNG image chunks. + * CVE-2018-16336: remote denial of service (heap-based buffer over-read) via +a crafted image file. + + -- Roberto C. Sanchez Sat, 20 Oct 2018 22:43:10 -0400 + exiv2 (0.25-3.1+deb9u1) stretch-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru exiv2-0.25/debian/patches/CVE-2018-10958_10999_1_of_2.patch exiv2-0.25/debian/patches/CVE-2018-10958_10999_1_of_2.patch --- exiv2-0.25/debian/patches/CVE-2018-10958_10999_1_of_2.patch 2018-06-27 08:09:36.0 -0400 +++ exiv2-0.25/debian/patches/CVE-2018-10958_10999_1_of_2.patch 2018-10-20 22:43:10.0 -0400 
@@ -32,7 +32,7 @@ } else if(type == iTXt_Chunk) { -+const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_-1], '\0'); ++const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_], '\0'); +if (nullSeparators < 2) throw Error(58); + // Extract a deflate compressed or uncompressed UTF-8 text chunk diff -Nru exiv2-0.25/debian/patches/CVE-2018-10958_10999_2_of_2.patch exiv2-0.25/debian/patches/CVE-2018-10958_10999_2_of_2.patch --- exiv2-0.25/debian/patches/CVE-2018-10958_10999_2_of_2.patch 2018-06-27 08:09:36.0 -0400 +++ exiv2-0.25/debian/patches/CVE-2018-10958_10999_2_of_2.patch 2018-10-20 22:43:10.0 -0400 @@ -14,7 +14,7 @@ @@ -159,14 +159,24 @@ else if(type == iTXt_Chunk) { - const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_-1], '\0'); + const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_], '\0'); -if (nullSeparators < 2) throw Error(58); +if (nullSeparators < 2) throw Error(58, "iTXt chunk: not enough null separators"); diff -Nru exiv2-0.25/debian/patches/CVE-2018-16336.patch exiv2-0.25/debian/patches/CVE-2018-16336.patch --- exiv2-0.25/debian/patches/CVE-2018-16336.patch 1969-12-31 19:00:00.0 -0500 +++ exiv2-0.25/debian/patches/CVE-2018-16336.patch 2018-10-20 22:43:10.0 -0400 
@@ -0,0 +1,130 @@ +From 35b3e596edacd2437c2c5d3dd2b5c9502626163d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= +Date: Fri, 17 Aug 2018 16:41:05 +0200 +Subject: [PATCH] Add overflow & overread checks to PngChunk::parseTXTChunk() + +This function was creating a lot of new pointers and strings without +properly checking the array bounds. This commit adds several calls +to enforce(), making sure that the pointers stay within bounds. +Strings are now created using the helper function +string_from_unterminated() to prevent overreads in the constructor of +std::string. + +This fixes #400 +--- + src/pngchunk_int.cpp | 63 ++-- + 1 file changed, 37 insertions(+), 26 deletions(-) + +--- exiv2-stretch.git.orig/src/pngchunk.cpp exiv2-stretch.git/src/pngchunk.cpp +@@ -40,6 +40,8 @@ + #include "iptc.hpp" + #include "image.hpp" + #include "error.hpp" ++#include "helper_functions.hpp" ++#include "safe_op.hpp" + + // + standard includes + #include +@@ -127,6 +129,8 @@ + + if(type == zTXt_Chunk) + { ++if (data.size_ < Safe::add(keysize, 2)) throw Error(58); ++ + // Extract a deflate compressed Latin-1 text chunk + + // we get the compression method after the key +@@ -143,11 +147,13 @@ + // compressed string after the compression technique spec + const byte* compressedText = data.pData_ + keysiz
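Review bot: the new debian/changelog entry targets `stretch-security` and carries "Non-maintainer upload by the Security Team", but the request above says this is to go in as a stable update for the next point release rather than as a DSA. Set the distribution to `stretch` and drop or reword the Security Team line so the entry matches how the package will actually be uploaded.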
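Review bot: in the iTXt branch of CVE-2018-10958_10999_1_of_2.patch, moving the end of the `std::count` range from `&data.pData_[data.size_-1]` to `&data.pData_[data.size_]` is correct for a half-open range, but nothing in the visible context shows that `keysize+3 <= data.size_` holds before the call. If that is not guaranteed earlier in the function, a short chunk gives an inverted range; please confirm the guard exists in the 0.25 source or add one ahead of the count.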
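Review bot: CVE-2018-16336.patch adds `#include "helper_functions.hpp"` and `#include "safe_op.hpp"` to src/pngchunk.cpp, while the upstream diffstat quoted in its header lists only src/pngchunk_int.cpp as changed. Neither header is added by the visible part of this patch, so please confirm both already exist in the 0.25 tree or are introduced elsewhere in the series, and mention the pngchunk_int.cpp to pngchunk.cpp path adjustment in the patch header so the backport can be compared with the upstream commit.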
Bug#859658: unblock: shorewall/5.0.15.6-1, shorewall-core/5.0.15.6-1, shorewall-init/5.0.15.6-1, shorewall-lite/5.0.15.6-1, shorewall6/5.0.15.6-1, shorewall6-lite/5.0.15.6-1,
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock packages shorewall, shorewall-core, shorewall-init, shorewall-lite, shorewall6, and shorewall6-lite. The current version of the packages in stretch is 5.0.15.2 and the new version which I have uploaded to sid is 5.0.15.6. The releases between .2 and .6 fix some important upstream bugs as well as update some documentation. The most important fix relates to the .service files used by systemd. The relevant upstream release note entry: Now, when systemd stops a Shorewall-generated firewall, the placed in the safe state rather than cleared. Source debdiffs are attached. unblock shorewall/5.0.15.6-1 unblock shorewall-core/5.0.15.6-1 unblock shorewall-init/5.0.15.6-1 unblock shorewall-lite/5.0.15.6-1 unblock shorewall6/5.0.15.6-1 unblock shorewall6-lite/5.0.15.6-1 diff -Nru shorewall-core-5.0.15.2/changelog.txt shorewall-core-5.0.15.6/changelog.txt --- shorewall-core-5.0.15.2/changelog.txt 2016-12-20 17:42:48.0 -0500 +++ shorewall-core-5.0.15.6/changelog.txt 2017-03-16 11:25:42.0 -0400 
@@ -1,4 +1,28 @@ -Changes in 5.0.15.1 +Changes in 5.0.15.6 + +1) Update release documents. + +2) Backport fix for two-interface snat-file. + +Changes in 5.0.15.5 + +1) Update release documents. + +2) Rebuild with corrected build50. + +Changes in 5.0.15.4 + +1) Update release documents. + +2) Merge fixes from 5.1.3.1 and earlier. + +Changes in 5.0.15.3 + +1) Update release documents. + +2) Merge three fixes from the 5.1.0 branch + +Changes in 5.0.15.2 1) Update release documents. diff -Nru shorewall-core-5.0.15.2/configure shorewall-core-5.0.15.6/configure --- shorewall-core-5.0.15.2/configure 2016-12-20 17:42:48.0 -0500 +++ shorewall-core-5.0.15.6/configure 2017-03-16 11:25:42.0 -0400 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.0.15.2 +VERSION=5.0.15.6 case "$BASH_VERSION" in [4-9].*) diff -Nru shorewall-core-5.0.15.2/configure.pl shorewall-core-5.0.15.6/configure.pl --- shorewall-core-5.0.15.2/configure.pl 2016-12-20 17:42:48.0 -0500 +++ shorewall-core-5.0.15.6/configure.pl 2017-03-16 11:25:42.0 -0400 @@ -31,7 +31,7 @@ # Build updates this # use constant { -VERSION => '5.0.15.2' +VERSION => '5.0.15.6' }; my %params; diff -Nru shorewall-core-5.0.15.2/debian/changelog shorewall-core-5.0.15.6/debian/changelog --- shorewall-core-5.0.15.2/debian/changelog 2016-12-24 17:17:28.0 -0500 +++ shorewall-core-5.0.15.6/debian/changelog 2017-04-03 11:03:18.0 -0400 @@ -1,3 +1,9 @@ +shorewall-core (5.0.15.6-1) unstable; urgency=medium + + * New Upstream Version + + -- Roberto C. Sanchez Mon, 03 Apr 2017 11:03:18 -0400 + shorewall-core (5.0.15.2-1) unstable; urgency=medium * New Upstream Version diff -Nru shorewall-core-5.0.15.2/install.sh shorewall-core-5.0.15.6/install.sh --- shorewall-core-5.0.15.2/install.sh 2016-12-20 17:42:48.0 -0500 +++ shorewall-core-5.0.15.6/install.sh 2017-03-16 11:25:42.0 -0400 
@@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.0.15.2 +VERSION=5.0.15.6 PRODUCT=shorewall-core Product="Shorewall Core" diff -Nru shorewall-core-5.0.15.2/known_problems.txt shorewall-core-5.0.15.6/known_problems.txt --- shorewall-core-5.0.15.2/known_problems.txt 2016-12-20 17:42:48.0 -0500 +++ shorewall-core-5.0.15.6/known_problems.txt 2017-03-16 11:25:42.0 -0400 @@ -10,3 +10,39 @@ in '+'. Corrected in Shorewall 5.0.15.2 + +4) When SAVE_IPSETS=Yes or SAVE_IPSETS=ipv4, the restore phase of a +rejected safe-restart fails. + +Corrected in Shorewall 5.0.15.3. + +5) It is not possible to include compact IPv6 addresses (those with +"::") in IP6TABLES() parameters. + +Workaround: Use fully qualified addresses. + +Corrected in Shorewall 5.0.15.3. + +6) Expansions of options appearing in shorewall[6].conf (e.g., +$TCP_FLAGS_LOG_LEVEL) are emp
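Review bot: the debian/changelog hunk records only "New Upstream Version" for 5.0.15.6-1, and the upstream changelog.txt entries it relies on ("Merge fixes from 5.1.3.1 and earlier", "Merge three fixes from the 5.1.0 branch") do not name the fixes. Since the request singles out the systemd .service change as the most important one, list that and the other user-visible fixes in debian/changelog so the unblock can be judged from the changelog alone.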
Bug#801743: pu: package cpuset/1.5.6-4+deb8u1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: pu It turns out that #796893 makes cpuset effectively useless in stable. I have updated an existing quilt patch from a patch in the (now mostly dead) upstream issue tracker. I have already uploaded 1.5.6-5 into unstable to fix the bug there. The debdiff for the proposed update to stable is attached. Here is the diffstat: changelog|6 + patches/02_prefix_in_case_filesystem_has_its_own_namespace.patch | 45 -- 2 files changed, 44 insertions(+), 7 deletions(-) Regards, -Roberto -- System Information: Debian Release: 7.9 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -Nru cpuset-1.5.6/debian/changelog cpuset-1.5.6/debian/changelog --- cpuset-1.5.6/debian/changelog 2014-03-09 18:16:04.0 -0400 +++ cpuset-1.5.6/debian/changelog 2015-10-13 23:47:17.0 -0400 
@@ -1,3 +1,9 @@ +cpuset (1.5.6-4+deb8u1) jessie; urgency=high + + * Update filesystem namespace prefix patch (Closes: #796893) + + -- Roberto C. Sanchez Tue, 13 Oct 2015 23:46:35 -0400 + cpuset (1.5.6-4) unstable; urgency=low * Update Standards-Version to 3.9.5 (no changes) diff -Nru cpuset-1.5.6/debian/patches/02_prefix_in_case_filesystem_has_its_own_namespace.patch cpuset-1.5.6/debian/patches/02_prefix_in_case_filesystem_has_its_own_namespace.patch --- cpuset-1.5.6/debian/patches/02_prefix_in_case_filesystem_has_its_own_namespace.patch 2014-03-09 18:16:04.0 -0400 +++ cpuset-1.5.6/debian/patches/02_prefix_in_case_filesystem_has_its_own_namespace.patch 2015-10-13 23:47:17.0 -0400 @@ -1,7 +1,7 @@ Author: Roberto C. Sanchez Description: Account for filesystem namespace having its own prefix. The updated file was downloaded from here: http://code.google.com/p/cpuset/issues/detail?id=10 cpuset.hg.orig/cpuset/cset.py -+++ cpuset.hg/cpuset/cset.py +--- cpuset.git.orig/cpuset/cset.py cpuset.git/cpuset/cset.py @@ -32,10 +32,13 @@ class CpuSet(object): # sets is a class variable dict that keeps track of all 
@@ -17,7 +17,33 @@ def __init__(self, path=None): log.debug("initializing CpuSet") -@@ -104,12 +107,18 @@ +@@ -47,7 +50,16 @@ + log.debug("finding all cpusets") + path = self.locate_cpusets() + CpuSet.basepath = path +-log.debug("creating root node at %s", path) ++if not os.access(path + '/cpus', os.F_OK): ++log.debug(path + "/cpus doesn't exist, trying to add the cpuset. prefix") ++CpuSet.prefix = 'cpuset.' ++if not os.access(path + '/cpuset.cpus', os.F_OK): ++# definitely not a cpuset directory ++str = '%s is not a cpuset directory' % (path) ++log.error(str) ++raise CpusetException(str) ++ ++log.debug("creating root node at %s with prefix '%s'", path, CpuSet.prefix) + self.__root = True + self.name = 'root' + self.path = '/' +@@ -56,6 +68,7 @@ + del CpuSet.sets + CpuSet.sets = {} + CpuSet.sets[self.path] = self ++ + # bottom-up search otherwise links will not exist + log.debug("starting bottom-up discovery walk...") + for dir, dirs, files in os.walk(path, topdown=False): +@@ -104,12 +117,18 @@ log.debug("the cpuset %s already exists, skipping", path) self = CpuSet.sets[path] # questionable return @@ -41,7 +67,7 @@ self.__root = False
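Review bot: in the block added at `@@ -47,7 +50,16 @@` of cset.py, `str = '%s is not a cpuset directory' % (path)` rebinds the builtin `str` inside that method; use a name such as `msg` for the error text. The `log.debug(path + "/cpus doesn't exist, trying to add the cpuset. prefix")` call just above it also builds its message by concatenation, while the other debug calls in the same hunk pass `%s` arguments, so it would be more consistent to pass `path` as an argument there too.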
Bug#779462: unblock: shorewall/4.6.4.3-2 . shorewall-core/4.6.4.3-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock packages shorewall and shorewall-core I have uploaded version 4.6.4.3-2 of each package to fix RC bugs #779119 and #779120. debdiffs are attached. unblock shorewall/4.6.4.3-2 unblock shorewall-core/4.6.4.3-2 -- System Information: Debian Release: 7.8 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -Nru shorewall-4.6.4.3/debian/changelog shorewall-4.6.4.3/debian/changelog --- shorewall-4.6.4.3/debian/changelog 2014-10-19 15:11:40.0 -0400 +++ shorewall-4.6.4.3/debian/changelog 2015-02-28 17:09:33.0 -0500 
@@ -1,3 +1,9 @@ +shorewall (4.6.4.3-2) unstable; urgency=low + + * Depend upon perl instead of perl-modules (Closes: #779119) + + -- Roberto C. Sanchez Sat, 28 Feb 2015 17:07:05 -0500 + shorewall (4.6.4.3-1) unstable; urgency=low * New Upstream Version diff -Nru shorewall-4.6.4.3/debian/control shorewall-4.6.4.3/debian/control --- shorewall-4.6.4.3/debian/control 2014-10-19 15:11:40.0 -0400 +++ shorewall-4.6.4.3/debian/control 2015-02-28 17:09:33.0 -0500 @@ -10,7 +10,7 @@ Package: shorewall Architecture: all -Depends: shorewall-core (>= ${shorewall:current}), shorewall-core (<< ${shorewall:next}), iptables (>= 1.3.8), iproute2 | iproute, debconf (>= 1.4.69) | cdebconf (>= 0.39), perl-modules, bc, ${misc:Depends} +Depends: shorewall-core (>= ${shorewall:current}), shorewall-core (<< ${shorewall:next}), iptables (>= 1.3.8), iproute2 | iproute, debconf (>= 1.4.69) | cdebconf (>= 0.39), perl, bc, ${misc:Depends} Suggests: shorewall-doc, make Replaces: shorewall-common, shorewall-perl, shorewall-shell Description: Shoreline Firewall, netfilter configurator diff -Nru shorewall-core-4.6.4.3/debian/changelog shorewall-core-4.6.4.3/debian/changelog --- shorewall-core-4.6.4.3/debian/changelog 2014-10-19 15:11:23.0 -0400 +++ shorewall-core-4.6.4.3/debian/changelog 2015-02-28 17:10:31.0 -0500 @@ -1,3 +1,9 @@ +shorewall-core (4.6.4.3-2) unstable; urgency=low + + * Depend upon perl instead of perl-modules (Closes: #779120) + + -- Roberto C. Sanchez Sat, 28 Feb 2015 17:10:06 -0500 + shorewall-core (4.6.4.3-1) unstable; urgency=low * New Upstream Version diff -Nru shorewall-core-4.6.4.3/debian/control shorewall-core-4.6.4.3/debian/control --- shorewall-core-4.6.4.3/debian/control 2014-10-19 15:11:23.0 -0400 +++ shorewall-core-4.6.4.3/debian/control 2015-02-28 17:10:31.0 -0500 
@@ -10,7 +10,7 @@ Package: shorewall-core Architecture: all -Depends: iptables (>= 1.3.8), iproute2 | iproute, perl-modules, bc, ${misc:Depends} +Depends: iptables (>= 1.3.8), iproute2 | iproute, perl, bc, ${misc:Depends} Breaks: shorewall (<< 4.5.0~) Description: Shorewall core components This package provides the core Shorewall components, which are required
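Review bot: the debian/control hunk for shorewall replaces `perl-modules` with a hard-coded, unversioned `perl` in Depends, and the shorewall-core hunk does the same. If these packages run dh_perl during the build, putting `${perl:Depends}` in the Depends field would let debhelper generate the dependency instead of it being maintained by hand; if they do not, the change is fine as the minimal fix for #779119 and #779120.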
Bug#771757: unblock: shorewall-init/4.6.4.3-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package shorewall-init In the default configuration, the STATEDIR variable in the init script is set incorrectly, resulting in the start and stop functions not working. This issue was identified and fixed by upstream. I have cherry picked the commit to create the minimal disturbance to the package. I have documented the issue in #771754. Debdiff against testing is attached. unblock shorewall-init/4.6.4.3-2 Regards, -Roberto -- System Information: Debian Release: 7.7 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -Nru shorewall-init-4.6.4.3/debian/changelog shorewall-init-4.6.4.3/debian/changelog --- shorewall-init-4.6.4.3/debian/changelog 2014-10-19 15:11:19.0 -0400 +++ shorewall-init-4.6.4.3/debian/changelog 2014-12-01 21:52:09.0 -0500 
@@ -1,3 +1,10 @@ +shorewall-init (4.6.4.3-2) unstable; urgency=low + + * Fix init script so that start/stop works in the default configuration +(Closes: #771754) + + -- Roberto C. Sanchez Mon, 01 Dec 2014 21:46:54 -0500 + shorewall-init (4.6.4.3-1) unstable; urgency=low * New Upstream Version diff -Nru shorewall-init-4.6.4.3/debian/patches/01_init_script_fix_statedir.patch shorewall-init-4.6.4.3/debian/patches/01_init_script_fix_statedir.patch --- shorewall-init-4.6.4.3/debian/patches/01_init_script_fix_statedir.patch 1969-12-31 19:00:00.0 -0500 +++ shorewall-init-4.6.4.3/debian/patches/01_init_script_fix_statedir.patch 2014-12-01 21:52:09.0 -0500 @@ -0,0 +1,11 @@ +--- shorewall.git.orig/init.debian.sh shorewall.git/init.debian.sh +@@ -71,7 +71,7 @@ + statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR ) + fi + +-[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT} ++[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} + + if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then + ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || echo_notdone diff -Nru shorewall-init-4.6.4.3/debian/patches/series shorewall-init-4.6.4.3/debian/patches/series --- shorewall-init-4.6.4.3/debian/patches/series 1969-12-31 19:00:00.0 -0500 +++ shorewall-init-4.6.4.3/debian/patches/series 2014-12-01 21:52:09.0 -0500 @@ -0,0 +1 @@ +01_init_script_fix_statedir.patch
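Review bot: the new 01_init_script_fix_statedir.patch starts directly at the `--- shorewall.git.orig/init.debian.sh` line with no header. The request says this is a cherry-pick of an upstream commit, so add DEP-3 fields (Description, Origin naming the upstream commit, Bug-Debian pointing at #771754) so the provenance of the `${VARDIR}` to `${VARLIB}` change stays with the patch.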
Bug#742987: nmu: mumps_4.10.0.dfsg-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu

nmu mumps_4.10.0.dfsg-3 . s390x . -m "Binary-only non-maintainer upload for s390x; no source changes."

I am not 100% certain on this, but I believe that the mumps package needs a binNMU on s390x. Below follows what I have found so far. Please feel free to let me know if I am incorrect.

While investigating why coinor-ipopt FTBFS on s390x, I encountered a strange error in the config.log:

configure:2078: gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall -D_FORTIFY_SOURCE=2 -I/usr/include/mumps_seq -DHAVE_CSTDDEF -Wl,-z,relro -llapack -lblas -ldmumps -lmpi -ldl conftest.c >&5
/usr/bin/ld: warning: libblacs-mpich2.so.1, needed by /usr/lib/gcc/s390x-linux-gnu/4.8/../../../../lib/libdmumps.so, not found (try using -rpath or -rpath-link)
/usr/bin/ld: warning: libmpich.so.3, needed by //usr/lib/libmumps_common-4.10.0.so, may conflict with libmpich.so.10
/usr/bin/ld: warning: libblacsCinit-mpich2.so.1, needed by //usr/lib/libscalapack-mpich2.so.1, not found (try using -rpath or -rpath-link)
//usr/lib/libscalapack-mpich2.so.1: undefined reference to `strrv2d_'
[continues with lots of undefined references]

(sid_s390x-dchroot)roberto@zelenka:~/coinor-ipopt-3.11.7$ ldd /usr/lib/libdmumps-4.10.0.so |grep mpich2
libscalapack-mpich2.so.1 => /usr/lib/libscalapack-mpich2.so.1 (0x03fffccf4000)
libblacs-mpich2.so.1 => not found
libblacsCinit-mpich2.so.1 => not found
libblacs-mpich2.so.1 => not found

According to packages.debian.org, the file libblacs-mpich2.so.1 is in the package libblacs-mpi1. However, here is what I found when I listed the files in that package:

(sid_s390x-dchroot)roberto@zelenka:~/coinor-ipopt-3.11.7$ dpkg -L libblacs-mpi1 |grep \/usr\/lib
/usr/lib
/usr/lib/libblacsF77init-mpich.so.1.1
/usr/lib/libblacsCinit-mpich.so.1.1
/usr/lib/libblacs-mpich.so.1.1
/usr/lib/libblacsCinit-mpich.so.1
/usr/lib/libblacsF77init-mpich.so.1
/usr/lib/libblacs-mpich.so.1
(sid_s390x-dchroot)roberto@zelenka:~/coinor-ipopt-3.11.7$ apt-cache policy libblacs-mpi1
libblacs-mpi1:
  Installed: 1.1-31.1
  Candidate: 1.1-31.1
  Version table:
 *** 1.1-31.1 0
        500 http://cdn.debian.net/debian/ sid/main s390x Packages
        100 /var/lib/dpkg/status

It appears that the NMU of 1.1-31.1 caused a rebuild that changed the name of the library files. I downloaded the binary packages from snapshot.debian.org and here is what I found:

roberto@vieques:~/s390$ ls
libblacs-mpi1_1.1-31.1_s390x.deb libblacs-mpi1_1.1-31_s390x.deb
roberto@vieques:~/s390$ dpkg -x libblacs-mpi1_1.1-31_s390x.deb 1.1-31
roberto@vieques:~/s390$ dpkg -x libblacs-mpi1_1.1-31.1_s390x.deb 1.1-31.1
roberto@vieques:~/s390$ ls 1.1-31/usr/lib/
libblacs-mpich2.so.1       libblacsCinit-mpich2.so.1.1
libblacs-mpich2.so.1.1     libblacsF77init-mpich2.so.1
libblacsCinit-mpich2.so.1  libblacsF77init-mpich2.so.1.1
roberto@vieques:~/s390$ ls 1.1-31.1/usr/lib/
libblacs-mpich.so.1    libblacsCinit-mpich.so.1    libblacsF77init-mpich.so.1
libblacs-mpich.so.1.1  libblacsCinit-mpich.so.1.1  libblacsF77init-mpich.so.1.1

It appears, according to the status page for libmumps-4.10.0 ( https://packages.debian.org/sid/libmumps-4.10.0 ) that mumps has been binNMU'd on nearly every architecture. If I understand the situation correctly, I think that a binNMU on s390x will get libmumps-4.10.0 to link against the new libraries created by the 1.1-31.1 upload of blacs-mpi.

The 1.1-31.1 upload appears to have been made after the mpich maintainer uploaded the new mpich upstream version (3.0.4) which turned the mpich2 package and associated library packages into transitional dummy packages and put everything into mpich2 and new associated library packages. Those new packages resulted in the rename of the *-mpich2.so.* packages in libblacs-mpi1 to *-mpich.so.*. The binNMU, I believe, will allow coinor-ipopt to successfully build.

Regards,
-Roberto

-- System Information:
Debian Release: 7.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#737244: transition: cyrus-sasl2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition

Affected packages:

(unstable)roberto@miami:~$ apt-cache rdepends libsasl2-2
libsasl2-2
Reverse Depends:
znc ziproxy subversion libsvn1 squid3 spice-client-gtk python-spice-client-gtk libspice-client-gtk-3.0-4 libspice-client-gtk-2.0-4 libspice-client-glib-2.0-8 libspice-server1 sendmail-bin rinputd libqpidcommon2 qemu-system-x86 qemu-system-sparc qemu-system-ppc qemu-system-misc qemu-system-mips qemu-system-arm libqca2-plugin-cyrus-sasl libpt2.10.10 postfix libpurple0 php5-ldap php5-sasl libpcp3 slapd libldap-2.4-2 ldap-utils openam nuauth libnuclient4 nmh libmyproxy5 mutt-patched mutt memcached mail-notification lua-cyrussasl libvirt0 libvirt-bin libnss-ldap libetpan15 libauthen-sasl-cyrus-perl libapache2-mod-authn-sasl libkldap4 libkimap4 kdepimlibs-kio-plugins libkmanagesieve4 inn2-lfs inn2 libh323-1.24.0 python-gtk-vnc libgvnc-1.0-0 libgtk-vnc-2.0-0 libgtk-vnc-1.0-0 gvncviewer gnugk exim4-daemon-heavy ekiga dacs cyrus-imspd libcyrus-imap-perl24 cyrus-replication-2.4 cyrus-pop3d-2.4 cyrus-nntpd-2.4 cyrus-murder-2.4 cyrus-imapd-2.4 cyrus-common-2.4 cyrus-clients-2.4 cyrus-caldav-2.4 claws-mail-vcalendar-plugin claws-mail-tnef-parser claws-mail-spamassassin claws-mail-spam-report claws-mail-smime-plugin claws-mail-python-plugin claws-mail-pgpmime claws-mail-pgpinline claws-mail-perl-filter claws-mail-pdf-viewer claws-mail-newmail-plugin claws-mail-multi-notifier claws-mail-mailmbox-plugin claws-mail-gdata-plugin claws-mail-fetchinfo-plugin claws-mail-feeds-reader claws-mail-fancy-plugin claws-mail-clamd-plugin claws-mail-bsfilter-plugin claws-mail-bogofilter claws-mail-attach-warner claws-mail-attach-remover claws-mail-archiver-plugin claws-mail-address-keeper claws-mail-acpi-notifier claws-mail cairo-dock-mail-plug-in autofs-ldap 389-dsgw 389-ds-base-libs 389-ds-base 389-admin

I looked over the changes introduced by the new libsasl2-3 package, and it appears to be a clean ABI bump which can be handled by binNMUs.

Regards,
-Roberto

Ben file:

title = "cyrus-sasl2";
is_affected = .depends ~ "libsasl2-2" | .depends ~ "libsasl2-3";
is_good = .depends ~ "libsasl2-3";
is_bad = .depends ~ "libsasl2-2";

-- System Information:
Debian Release: 7.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20140131184341.7395.81614.report...@miami.connexer.com
Bug#691075: unblock: shorewall/4.5.5.3-3, shorewall-core/4.5.5.3-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock packages shorewall and shorewall-core The recent 4.5.5.3-3 versions of shorewall and shorewall-core correct two significant issues reported to me by upstream. Please see attached debdiffs for details. Regards, -Roberto unblock shorewall/4.5.5.3-3 unblock shorewall-core/4.5.5.3-3 -- System Information: Debian Release: 6.0.6 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -Nru shorewall-4.5.5.3/debian/changelog shorewall-4.5.5.3/debian/changelog --- shorewall-4.5.5.3/debian/changelog 2012-09-15 17:18:54.0 -0400 +++ shorewall-4.5.5.3/debian/changelog 2012-10-20 21:37:12.0 -0400 
@@ -1,3 +1,9 @@ +shorewall (4.5.5.3-3) unstable; urgency=low + + * Correct deficient behavior in handling of DNAT and SNAT packets + + -- Roberto C. Sanchez Sat, 20 Oct 2012 21:36:27 -0400 + shorewall (4.5.5.3-2) unstable; urgency=low * Update README.Debian to identify correct location for default diff -Nru shorewall-4.5.5.3/debian/patches/02_correct_dnat_snat_behavior.patch shorewall-4.5.5.3/debian/patches/02_correct_dnat_snat_behavior.patch --- shorewall-4.5.5.3/debian/patches/02_correct_dnat_snat_behavior.patch 1969-12-31 19:00:00.0 -0500 +++ shorewall-4.5.5.3/debian/patches/02_correct_dnat_snat_behavior.patch 2012-10-20 21:37:12.0 -0400 @@ -0,0 +1,15 @@ +diff --git a/Perl/Shorewall/Misc.pm b/Perl/Shorewall/Misc.pm +index 8c2f55c..58322ba 100644 +--- a/Perl/Shorewall/Misc.pm b/Perl/Shorewall/Misc.pm +@@ -1375,9 +1375,9 @@ sub add_interface_jumps { + addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface ); + } + ++addnatjump 'PREROUTING', 'dnat'; + addnatjump 'PREROUTING' , 'nat_in'; + addnatjump 'POSTROUTING' , 'nat_out'; +-addnatjump 'PREROUTING', 'dnat'; + + for my $interface ( @interfaces ) { + addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface ); diff -Nru shorewall-4.5.5.3/debian/patches/series shorewall-4.5.5.3/debian/patches/series --- shorewall-4.5.5.3/debian/patches/series 2012-09-15 17:18:54.0 -0400 +++ shorewall-4.5.5.3/debian/patches/series 2012-10-20 21:37:12.0 -0400 @@ -1 +1,2 @@ 01_debian_configuration.patch +02_correct_dnat_snat_behavior.patch diff -Nru shorewall-core-4.5.5.3/debian/changelog shorewall-core-4.5.5.3/debian/changelog --- shorewall-core-4.5.5.3/debian/changelog 2012-09-15 15:10:57.0 -0400 +++ shorewall-core-4.5.5.3/debian/changelog 2012-10-20 21:39:50.0 -0400 
@@ -1,3 +1,9 @@ +shorewall-core (4.5.5.3-3) unstable; urgency=low + + * Correct dynamic zone handling + + -- Roberto C. Sanchez Sat, 20 Oct 2012 21:39:18 -0400 + shorewall-core (4.5.5.3-2) unstable; urgency=low * Update lockfile relocation patch diff -Nru shorewall-core-4.5.5.3/debian/patches/01_correct_dynamic_zone_handling.patch shorewall-core-4.5.5.3/debian/patches/01_correct_dynamic_zone_handling.patch --- shorewall-core-4.5.5.3/debian/patches/01_correct_dynamic_zone_handling.patch 1969-12-31 19:00:00.0 -0500 +++ shorewall-core-4.5.5.3/debian/patches/01_correct_dynamic_zone_handling.patch 2012-10-20 21:39:50.0 -0400 @@ -0,0 +1,28 @@ +diff --git a/lib.cli b/lib.cli +index 86361d4..ae5b5e3 100644 +--- a/lib.cli b/lib.cli +@@ -507,7 +507,7 @@ find_sets() { + local junk + local setname + +-ipset -L -n | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done ++ipset -L | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done + } + + list_zone() { +@@ -516,11 +516,11 @@ list_zone() { + local setname + + [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be l
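Review bot: 02_correct_dnat_snat_behavior.patch moves `addnatjump 'PREROUTING', 'dnat';` ahead of the `nat_in` jump in add_interface_jumps, which changes the order in which PREROUTING traverses the two chains, yet neither the patch (it has no description header) nor the changelog line "Correct deficient behavior in handling of DNAT and SNAT packets" says what misbehaved or which upstream commit this is. Add a short description and origin so the rule-ordering change can be checked against upstream.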
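Review bot: in find_sets() of 01_correct_dynamic_zone_handling.patch, dropping `-n` from `ipset -L -n` makes the `grep "^Name: ${1}_"` filter run over the full listing, set members included. That is presumably required because the names-only output has no `Name:` prefix for the grep to match, but the patch does not say so; state the reason in a patch header, and consider `read -r` in the `while read junk setname` loop while touching the line.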
Bug#687792: unblock: shorewall/4.5.5.3-2, shorewall6/4.5.5.3-2, shorewall-core/4.5.5.3-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock packages shorewall, shorewall6, shorewall-core Pre-approval has already been given (c.f., Message IDs <20120915192857.ga7...@connexer.com> <1347738215.28617.92.ca...@jacala.jungle.funky-badger.org>, or thread: http://lists.debian.org/debian-release/2012/09/msg00599.html) unblock shorewall/4.5.5.3-2 unblock shorewall6/4.5.5.3-2 unblock shorewall-core/4.5.5.3-2 -- System Information: Debian Release: 6.0.5 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Archive: http://lists.debian.org/20120915212903.8229.22422.report...@miami.connexer.com
Bug#681989: unblock: shorewall-init/4.5.5.3-1 shorewall-core/4.5.5.3-1 shorewall/4.5.5.3-1 shorewall6/4.5.5.3-1 shorewall-lite/4.5.5.3-1 shorewall6-lite/4.5.5.3-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package shorewall

New upstream point release c.f. http://lists.debian.org/debian-release/2012/07/msg00093.html

unblock shorewall-init/4.5.5.3-1
unblock shorewall-core/4.5.5.3-1
unblock shorewall/4.5.5.3-1
unblock shorewall6/4.5.5.3-1
unblock shorewall-lite/4.5.5.3-1
unblock shorewall6-lite/4.5.5.3-1

-- System Information:
Debian Release: 6.0.5
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#607473: release.debian.org: please unblock cyrus-sasl2/2.1.23.dfsg1-7
Package: release.debian.org
Severity: normal

I have uploaded cyrus-sasl2/2.1.23.dfsg1-7, which fixes RC bug #601977. Please note that this version introduces a new binary package (cyrus-sasl2-mit-dbg). This was discussed and approved by Adam D. Barratt (please see the messages in #601977 for reference).

I would appreciate it if the package could be unblocked. I have attached the final debdiff for reference as well.

Regards,

-Roberto

-- System Information:
Debian Release: 5.0.7
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

diff -u cyrus-sasl2-2.1.23.dfsg1/debian/changelog cyrus-sasl2-2.1.23.dfsg1/debian/changelog --- cyrus-sasl2-2.1.23.dfsg1/debian/changelog +++ cyrus-sasl2-2.1.23.dfsg1/debian/changelog 
@@ -1,6 +1,30 @@ +cyrus-sasl2 (2.1.23.dfsg1-7) unstable; urgency=low + + [ Luca Capello ] + * Fix for (Closes: #601977), the idea coming from Gaudenz Steinlin +: ++ debian/control: + - cyrus-sasl2-dbg Depends: on one of the two GSSAPI dbg packages. + - new cyrus-sasl2-mit-dbg package which Conflicts: with +cyrus-sasl2-heimdal-dbg. + - cyrus-sasl2-heimdal-dbg now Conflicts: with cyrus-sasl2-mit-dbg. ++ debian/cyrus-sasl2-heimdal-dbg.preinst: + - remove, useless. ++ debian/cyrus-sasl2-heimdal-dbg.postrm: + - remove, useless. ++ debian/cyrus-sasl2-mit-dbg.dirs: + - create /usr/lib/debug/usr/lib/sasl2/. ++ debian/rules: + - mv MIT libgssapiv2.so.2.0.23 into cyrus-sasl2-mit-dbg. + + [ Roberto C. Sanchez ] + * Thanks to Luca Capello for providing the patch. + + -- Roberto C. Sanchez Sat, 18 Dec 2010 11:14:59 -0500 + cyrus-sasl2 (2.1.23.dfsg1-6) unstable; urgency=low - * Acknowlge NMU (thanks to Ben Hutchings) + * Acknowledge NMU (thanks to Ben Hutchings) * Merge cyrus-sasl2 and cyrus-sasl2-heimdal source packages (Closes: #568358) + Build against new heimdal-multidev (Closes: #591147) * Properly detect presence of Heimdal (Closes: #590912); thanks tremendously diff -u cyrus-sasl2-2.1.23.dfsg1/debian/control cyrus-sasl2-2.1.23.dfsg1/debian/control --- cyrus-sasl2-2.1.23.dfsg1/debian/control +++ cyrus-sasl2-2.1.23.dfsg1/debian/control @@ -141,7 +141,7 @@ Section: debug Architecture: any Priority: extra -Depends: libsasl2-2 (= ${binary:Version}), ${misc:Depends} +Depends: libsasl2-2 (= ${binary:Version}), ${misc:Depends}, cyrus-sasl2-mit-dbg | cyrus-sasl2-heimdal-dbg Description: Cyrus SASL - debugging symbols This is the Cyrus SASL API implementation, version 2. See package libsasl2-2 and RFC for more information. 
@@ -151,11 +151,28 @@ library or tools. You may be asked to install this package if you encounter such a crash. +Package: cyrus-sasl2-mit-dbg +Section: debug +Architecture: any +Priority: extra +Depends: cyrus-sasl2-dbg (= ${binary:Version}), libsasl2-modules-gssapi-mit (= ${binary:Version}), ${misc:Depends} +Conflicts: cyrus-sasl2-heimdal-dbg +Description: Cyrus SASL - debugging symbols + This is the Cyrus SASL API implementation, version 2. See package + libsasl2-2 and RFC for more information. + . + This package contains the debugging symbols for the Cyrus SASL MIT + GSSAPI modules package (libsasl2-modules-gssapi-mit). The debugging + symbols can be useful when investigating crashes in the SASL library or + tools. You may be asked to install this package if you encounter such a + crash. + Package: cyrus-sasl2-heimdal-dbg Section: debug Architecture: any Priority: extra Depends: cyrus-sasl2-dbg (= ${binary:Version}), libsasl2-modules-gssapi-heimdal (= ${binary:Version}), ${misc:Depends} +Conflicts: cyrus-sasl2-mit-dbg Description: Debugging symbols for Cyrus SASL This is the Cyrus SASL API implementation, version 2. See package libsasl2-2 and RFC for more information. reverted: --- cyrus-sasl2-2.1.23.dfsg1/debian/cyrus-sasl2-heimdal-dbg.preinst +++ cyrus-sasl2-2.1.23.dfsg1.orig/debian/cyrus-sasl2-heimdal-dbg.preins
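Review bot: the debian/control changes create a dependency cycle: cyrus-sasl2-dbg gains `cyrus-sasl2-mit-dbg | cyrus-sasl2-heimdal-dbg` in its Depends, while both of those packages declare `Depends: cyrus-sasl2-dbg (= ${binary:Version})`. Circular Depends leave dpkg to break the cycle arbitrarily when ordering install and removal, so consider keeping the hard dependency in one direction only and using Recommends for the other. In the same file, the new cyrus-sasl2-mit-dbg stanza reuses the short description "Cyrus SASL - debugging symbols" from cyrus-sasl2-dbg, which makes the two indistinguishable in package listings; a synopsis that names the MIT GSSAPI modules would help.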
Bug#605346: release.debian.org: Please unblock shorewall/4.4.11.6-3
Package: release.debian.org
Severity: normal

A user has reported a bug to the upstream shorewall-users mailing list. The fix is a trivial 2-line patch. I have built and uploaded an updated version of shorewall. I would appreciate an unblock. A complete diff and diffstat are attached.

Regards,

-Roberto

-- System Information:
Debian Release: 5.0.7
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

diff -Nru shorewall-4.4.11.6/debian/changelog shorewall-4.4.11.6/debian/changelog --- shorewall-4.4.11.6/debian/changelog 2010-10-28 22:24:07.0 -0400 +++ shorewall-4.4.11.6/debian/changelog 2010-11-28 21:36:22.0 -0500 
@@ -1,3 +1,9 @@ +shorewall (4.4.11.6-3) unstable; urgency=low + + * Fix macro.JAP to correct nested macro call. + + -- Roberto C. Sanchez Sun, 28 Nov 2010 21:34:05 -0500 + shorewall (4.4.11.6-2) unstable; urgency=low * Incorporate patch from upstream: "Fix 10+ TC Interfaces." diff -Nru shorewall-4.4.11.6/debian/patches/02_macro_JAP.patch shorewall-4.4.11.6/debian/patches/02_macro_JAP.patch --- shorewall-4.4.11.6/debian/patches/02_macro_JAP.patch 1969-12-31 19:00:00.0 -0500 +++ shorewall-4.4.11.6/debian/patches/02_macro_JAP.patch 2010-11-28 21:36:22.0 -0500 @@ -0,0 +1,12 @@ +diff --git a/Macros/macro.JAP b/Macros/macro.JAP +index 86b9848..e71c35e 100644 +--- a/Macros/macro.JAP b/Macros/macro.JAP +@@ -13,5 +13,5 @@ + PARAM - - tcp 8080 # HTTP port + PARAM - - tcp 6544 # HTTP port + PARAM - - tcp 6543 # InfoService port +-HTTPS/PARAM +-SSH/PARAM ++HTTPS ++SSH diff -Nru shorewall-4.4.11.6/debian/patches/debian-changes-4.4.11.6-2 shorewall-4.4.11.6/debian/patches/debian-changes-4.4.11.6-2 --- shorewall-4.4.11.6/debian/patches/debian-changes-4.4.11.6-2 2010-10-28 22:26:06.0 -0400 +++ shorewall-4.4.11.6/debian/patches/debian-changes-4.4.11.6-2 1969-12-31 19:00:00.0 -0500 
@@ -1,105 +0,0 @@ -Description: Upstream changes introduced in version 4.4.11.6-2 - This patch has been created by dpkg-source during the package build. - Here's the last changelog entry, hopefully it gives details on why - those changes were made: - . - shorewall (4.4.11.6-2) unstable; urgency=low - . - * Incorporate patch from upstream: "Fix 10+ TC Interfaces." - . - The person named in the Author field signed this changelog entry. -Author: Roberto C. Sanchez - -The information above should follow the Patch Tagging Guidelines, please -checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here -are templates for supplementary fields that you might want to add: - -Origin: , -Bug: -Bug-Debian: http://bugs.debian.org/ -Bug-Ubuntu: https://launchpad.net/bugs/ -Forwarded: -Reviewed-By: -Last-Update: - shorewall-4.4.11.6.orig/known_problems.txt -+++ shorewall-4.4.11.6/known_problems.txt -@@ -147,3 +147,17 @@ - showed an empty log when issued to one of the -lite packages. - - Corrected in Shorewall 4.4.11.6 -+ -+22) If 10 or more interfaces are configured in Complex Traffic Shaping -+(/etc/shorewall/tcdevices), the following compilation diagnostic -+is issued: -+ -+Argument "a" isn't numeric in sprintf at -+ /usr/share/shorewall/Shorewall/Config.pm line 893. -+ -+and an invalid TC configuration is generated. -+ -+A fix is available at -+http://shorewall.git.sourceforge.net/git/gitweb.cgi?p=shorewall/shorewall;a=commitdiff;h=20bb781874c739c01b798d2db31b6c1d9cfefe96 -+ -+ shorewall-4.4.11.6.orig/releasenotes.txt -+++ shorewall-4.4.11.6/releasenotes.txt -@@ -218,6 +218,17 @@ VI. PROBLEMS CORRECTED AND NEW FEATURE - I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E - - -+Post-4.4.11.6 -+ -+1) Previously, if 10 or more interfaces were configured in Complex -+Traffic Shaping (/etc/shorewall/tcdevices), the fo
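Review bot: the 4.4.11.6-3 changelog entry mentions only the macro.JAP fix, but this debdiff also deletes debian/patches/debian-changes-4.4.11.6-2 in full (`@@ -1,105 +0,0 @@`), the file that carried the upstream "Fix 10+ TC Interfaces" change from -2. Please confirm that fix is still applied under another patch name and record that in the changelog, since the request describes the upload as a 2-line patch. The new 02_macro_JAP.patch also starts straight at its `diff --git` line, with none of the description or origin fields that the removed file's header pointed to (DEP-3).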
Bug#603621: release.debian.org: Please unblock luabind/0.9.1+dfsg-2
Package: release.debian.org
Severity: normal

I have uploaded the new upstream release of luabind (0.9.1+dfsg-2). If this could be unblocked, it would be good. However, if that is not possible, please feel free to close this bug with no action.

A couple of things to note:

- The primary change was incorporation upstream of a patch that was previously carried in debian/patches
- The balance of the changes are mostly in the documentation and headers, to update the version number
- The attached diff and diffstat were taken by unpacking the two relevant packages, and then executing: 'diff -uNr --strip-trailing-cr luabind-0.9+dfsg luabind-0.9.1+dfsg' (the upstream transition from .zip to .tar.gz also included a change in line endings, which made every line in every file appear like a change to debdiff)

Please see attached for the complete changes.

Regards,

-Roberto

-- System Information:
Debian Release: 5.0.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
 Jamroot                                    |   6
 debian/changelog                           |  18 +
 debian/control                             |   8
 debian/libluabind-dbg.install              |   4
 debian/libluabind0.9.0.install             |   1
 debian/libluabind0.9.1.install             |   1
 debian/luabind.pc                          |   2
 debian/patches/02_example_cleaning.diff    |   2
 debian/patches/04_defer_longjmp.diff       |  62
 debian/patches/debian-changes-0.9.1+dfsg-2 |  37 ++
 debian/patches/series                      |   2
 debian/repack.sh                           |   5
 debian/rules                               |  16 -
 debian/source/format                       |   1
 debian/watch                               |   4
 doc/docs.html                              | 410 ++---
 doc/version.rst                            |   2
 examples/cln/cln_test.cpp                  |   2
 examples/glut/Makefile                     |  13
 examples/glut/README                       |   4
 examples/glut/glut_bind.cpp                |   2
 examples/hello_world/Makefile              |  13
 examples/hello_world/README                |   2
 examples/regexp/Makefile                   |  13
 examples/regexp/README                     |   3
 examples/regexp/cln/Makefile               |   9
 examples/regexp/regex_wrap.cpp             |   2
 luabind/class.hpp                          |   1
 luabind/detail/constructor.hpp             |   4
 luabind/detail/format_signature.hpp        |   2
 luabind/detail/get_signature.hpp           | 216 ---
 luabind/detail/instance_holder.hpp         |   2
 luabind/detail/object_rep.hpp              |   2
 luabind/handle.hpp                         |   9
 luabind/lua_include.hpp                    |   6
 luabind/make_function.hpp                  |   7
 luabind/object.hpp                         |   4
 luabind/operator.hpp                       |   2
 luabind/scope.hpp                          |   2
 luabind/shared_ptr_converter.hpp           |   2
 luabind/weak_ref.hpp                       |   2
 src/class.cpp                              |   2
 src/class_rep.cpp                          |   8
 src/inheritance.cpp                        |  12
 src/open.cpp                               |   6
 src/scope.cpp                              |   8
 src/weak_ref.cpp                           |   8
 test/test_exceptions.cpp                   |   8
 48 files changed, 410 insertions(+), 547 deletions(-)

luabind_0.9+dfsg-3_0.9.1+dfsg-2.diff.bz2 Description: BZip2 compressed data
Bug#599855: release.debian.org: Please unblock luabind/0.9.1+dfsg-1
Package: release.debian.org
Severity: normal

I have uploaded the new upstream release of luabind (0.9.1+dfsg-1). If this could be unblocked, it would be good. However, if that is not possible, please feel free to close this bug with no action.

A couple of things to note:

- The primary change was incorporation upstream of a patch that was previously carried in debian/patches
- The balance of the changes are mostly in the documentation and headers, to update the version number
- The attached diff and diffstat were taken with the --ignore-space-at-eol option (the change from using upstream's .zip to using the .tar.gz caused every single line to be a change just because of the change in line endings).

Please see attached for the complete changes.

Regards,

-Roberto

-- System Information:
Debian Release: 5.0.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

luabind_upstream_0.9_0.9.1.diff.bz2 Description: BZip2 compressed data

 b/doc/docs.html                       | 410 +-
 b/doc/version.rst                     |   2
 b/luabind/class.hpp                   |   1
 b/luabind/detail/constructor.hpp      |   4
 b/luabind/detail/format_signature.hpp |   2
 b/luabind/detail/instance_holder.hpp  |   2
 b/luabind/detail/object_rep.hpp       |   2
 b/luabind/handle.hpp                  |   9
 b/luabind/lua_include.hpp             |   6
 b/luabind/make_function.hpp           |   7
 b/luabind/object.hpp                  |   4
 b/luabind/operator.hpp                |   2
 b/luabind/scope.hpp                   |   2
 b/luabind/shared_ptr_converter.hpp    |   2
 b/luabind/weak_ref.hpp                |   2
 b/src/class.cpp                       |   2
 b/src/class_rep.cpp                   |   8
 b/src/inheritance.cpp                 |  12
 b/src/open.cpp                        |   6
 b/src/scope.cpp                       |   8
 b/src/weak_ref.cpp                    |   8
 b/test/test_exceptions.cpp            |   8
 luabind/detail/get_signature.hpp      | 216 -
 23 files changed, 270 insertions(+), 455 deletions(-)
Bug#595444: release.debian.org: unblock shorewall{,6,-lite,6-lite,-init}/4.4.11.4-1
Package: release.debian.org
Severity: normal

This request is for unblocking of a new upstream release of the following Shorewall project packages:

shorewall/4.4.11.4-1
shorewall6/4.4.11.4-1
shorewall-lite/4.4.11.4-1
shorewall6-lite/4.4.11.4-1
shorewall-init/4.4.11.4-1

This new upstream release is specifically targeted for Squeeze. The relevant changelog entry is:

shorewall (4.4.11.4-1) unstable; urgency=low
.
* New Upstream Version (Closes: #594144)

Please note that there is no actual change to any of the other packages, but upstream's policy is to release all of the packages each time, even if there is only a change in one or two of the packages.

Regards,

-Roberto

-- System Information:
Debian Release: 5.0.5
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Bug#578528: release.debian.org: Please hint shorewall/shorewall6 to testing
Package: release.debian.org
Severity: normal

The shorewall and shorewall6 packages are stuck and in need of manual hinting.

Regards,

-Roberto

-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Bug#572591: release.debian.org: Please hint shorewall and shorewall6
Package: release.debian.org
Severity: normal

The shorewall and shorewall6 packages require manual hinting in order to propagate. Please provide the hint.

Regards,

-Roberto

-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Bug#567852: release.debian.org: please manually hint shorewall and shorewall6
Package: release.debian.org
Severity: normal

The shorewall and shorewall6 packages require manual hinting in order to enter testing. Please allow them to migrate.

Regards,

-Roberto

-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Re: Bug#558412: binutils-dev: Please provide libbfd_pic.a
This did not seem to get any attention on debian-devel, so I am cross posting to debian-release. I would really be interested to know if others think that the binNMU approach suggested by Matthias is acceptable and/or viable.

Regards,

-Roberto

Roberto C. Sanchez wrote:
> Matthias Klose wrote:
>> tags 558412 + wontfix
>> thanks
>>
>> On 28.11.2009 19:10, Roberto C. Sanchez wrote:
>>> Package: binutils-dev
>>> Version: 2.18.1~cvs20080103-7
>>> Severity: normal
>>>
>>> In order to solve #537744 (filed against oprofile), it is necessary for
>>> binutils-dev to provide a libbfd_pic.a library. This is like what is
>>> already done for libiberity_pic.a.
>> won't fix. oprofile can be built using binary NMU's when the bfd version
>> changes.
>
> I am not sure that is really a viable solution. What do others think?
> Is requiring a binNMU of oprofile each time that the bfd version changes
> something that makes sense?
>
> Regards,
>
> -Roberto
>

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Bug#563721: Please manually hint shorewall and shorewall6
Package: release.debian.org
Severity: normal

The shorewall and shorewall6 packages require manual hinting to move to testing. Please hint.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Bug#561713: Please hint shorewall and shorewall6
Package: release.debian.org
Severity: minor

It appears that both shorewall and shorewall6 are stuck and require manual hinting for testing propagation. Please hint them.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Bug#555917: release.debian.org: please hint shorewall and shorewall6
Package: release.debian.org
Severity: normal

It looks like shorewall and shorewall6 are in need of some manual hinting. Please ensure their propagation into testing.

Regards,

-Roberto

-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Bug#550430: release.debian.org: gb libalien-wxwidgets-perl on {hppa,ia64,mips}
Package: release.debian.org
Severity: normal

The libalien-wxwidgets-perl package Build-Depends on 'libextutils-cbuilder-perl (>= 0.24)' and it appears to have caused the recent build failures. The libextutils-cbuilder-perl package is now provided virtually by perl-modules as of 5.10.1. In any event, libalien-wxwidgets-perl needs to be given back on hppa, ia64, and mips. I provide the additional details in the event that it makes a difference.

Regards,

-Roberto

-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Re: time-based release, uh?
On Sat, Feb 10, 2007 at 04:56:09PM +0100, [EMAIL PROTECTED] wrote:
>
> Ok. So let's fix a deadline for the freeze then.

There was a deadline set for the freeze. The freeze actually took place shortly after that deadline (by two weeks, I think).

> And if you want a more specific example: I think Etch is going to ship kernel
> 2.6.18, or 2.6.19.

OK. Well that is for the kernel team, installer team and release managers to ultimately decide.

> The past few kernels have undergone a large amount of new features, and
> intrusive patches. They're simply buggy. Last version 2.6.20 has been described
> by Linus as a stabilization release: this one is a good one to ship with. By
> the

Umm, so the solution is to release with a kernel that has received little or no testing? Wow. BTW, you do realize that there is a tremendous amount of work for the kernel team and installer team whenever the default kernel changes, right?

> way, why ain't you supporting Adrian Bunk 2.6.16.y branch, whose goal is
> exactly stability and security?
>

That's great. Of course, there are a number of things to consider. For example, whichever kernel is released will be supported by the kernel team and security team for the life of Etch plus 1 year (or until the release of Lenny). They may have concerns which need to be considered in deciding which kernel will ship.

>
> Yeah, I was there. I was happy to see that at least one Linux distribution
> cares about quality, and not the last bleeding-edge kernel/application.
>

Except that the whole reason that the release continued with delay after delay was that people kept trying to get their pet project done or upgraded. The only two things that absolutely positively needed to be updated were probably the kernel (to 2.6) and X (to 4.3). Of course, since there was no hard target lots of other things "had" to go in. Like repeated updates to gcc and other toolchain utilities. There were lots of others.

>
> Well, it's your choice. I'm sure you would love the way Ubuntu works then.
>

In fact I don't. I am just saying that a large group of people, lacking a clearly stated objective or hard target, will meander about aimlessly. Your proposed "stable kernel + stable toolchain" will not do it. There really needs to be a timeline. Since people will always debate stability and people will always push for inclusion of the next release of foo.

Now, had the release managers pushed for freezing and then releasing *regardless* of stability just to meet the deadline, then you might have a point. However, they decided to delay a bit to get the RC bug count down and allow a few new things in, and then the freeze happened. Had the date target not been there in the first place, I am confident that Etch would still not be frozen.

>
> Really?
> Welcome page of dunc tank:
>
> "The Dunc-Tank is an experiment to see how targetted fund raising can improve
> Debian. As our first (and maybe only) project, we're trying to help the
> release of etch happen on time."
>
> "We're trying to help the release of Debian happen on time". Damn.
>
> This is my last mail. Just do it the way you like.
>

Well, no kidding. Where on their page does it say that they want to sacrifice stability in favor of timeliness? It doesn't. Their whole objective was to accelerate the release process so that it would happen "on time" *without* sacrificing the desired stability.

Regards,

-Roberto

-- 
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: time-based release, uh?
On Sat, Feb 10, 2007 at 03:19:28PM +0100, [EMAIL PROTECTED] wrote:
>
> That's not a flamebait, it's a proposal: instead of deciding a precise release
> date, at least decide a deadline for the freeze. Then, you take the time it
> takes to solve the rc-bugs. Or, you choose to freeze when you have the right
> kernel, the right toolchain. Not because someone said 2 years ago that
> December 6th would be the right time.
>

Your "proposal" can hardly be called that. It is more some ramblings. Anyhow, have you ever worked on a team or managed one? Ever heard of Parkinson's law? Without a hard "target" things will continue to wander "forever" without really progressing to the goal. This is because the goal is not clearly defined.

Were you around for the Woody->Sarge release cycle? I started using Debian shortly after Woody was released. I remember thinking what a great operating system Debian was and not being able to wait to see what the next release would be like. Eventually, it took so long that I was forced to go to testing/unstable on many machines where this is not what I wanted.

I remember after Sarge was released and hard targets started being set for the Etch release thinking that it would be a much better situation. For the most part, I think that is the case. I would rather a group of people be working toward even a missed deadline than a group working toward a nebulous "when it's ready" when "ready" has not been clearly defined.

>
> So you didn't even read my message.
> I don't want a timely release, I want a release when it's ready, because it's
> the only way to achieve quality and freedom: for example, we're still stuck
> with these non-free firmwares, and many bugs are tagged as etch-ignore,
> because of this deadline.
>

Right. It is better that way. Please refer back to the Woody->Sarge release cycle if you still have questions.

>
> So you're asking someone to join the Debian team while the recent event made
> some developers quit the project, and others slow down their work? Maybe it's
> time to start asking yourself what's wrong, uh?
>

What recent event? That had nothing to do with the timeline versus "when it's ready" debate and had everything to do with trying to accelerate the process in general.

Regards,

-Roberto

-- 
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Please unblock kqemu, second try
On Wed, Jan 17, 2007 at 01:34:44PM -0200, Otavio Salvador wrote:
>
> But in this case the users would use module-assistant or compile the package by hand using kqemu-source and not the built module.
>

My mistake. I didn't see that the subject only concerned kqemu. Thanks for setting me straight.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Please unblock kqemu, second try
On Wed, Jan 17, 2007 at 12:34:52PM -0200, Otavio Salvador wrote:
> Bastian Blank <[EMAIL PROTECTED]> writes:
>
> > On Wed, Jan 17, 2007 at 12:25:23PM +0100, Daniel Baumann wrote:
> >> Steve Langasek wrote:
> >> > -Depends: linux-image-_KVERS_
> >> > +Depends: linux-modules-_KVERS_, kqemu-common
> >>
> >> this is like all the newer modules are declaring their depends to the kernel. it has no effect as linux-image is pulled in anyway by this.
> >
> > This AFAIK only applies to kernels which are built by the kernel team.
>
> Well it looks right to me since it would allow the user to install the module without the linux-image on a domU, for example. Am I missing something?
>

Yes. This prevents users who install a kernel with 'make menuconfig && make && ad infinitum ...' from using this package at all.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
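Review bot: the replacement line "Depends: linux-modules-_KVERS_, kqemu-common" drops "linux-image-_KVERS_" with no fallback, so the module package installs only where something provides "linux-modules-_KVERS_". The replies in this message say that is, as far as known, only kernels built by the kernel team, and that a kernel built by hand with make is left unable to use the package. Either list both names as alternatives in the Depends line or document next to it which packages are expected to provide "linux-modules-_KVERS_".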
Re: Packages still linked against libstdc++5 in unstable
On Sun, Jan 14, 2007 at 03:06:29AM -0500, Nathanael Nerode wrote:
> The following packages are still linked against libstdc++5 in unstable.
>
> vncsnapshot
>

I have some minor changes queued up that I thought were not really worth an upload. However, given this, I can prepare a new upload tomorrow. Should I go ahead and upload now or wait until after the Etch release?

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Will eclipse be part of etch?
On Sat, Jan 13, 2007 at 03:23:07AM -0800, Steve Langasek wrote:
>
> > I think it's safe to bring eclipse and jsch to etch. ant-optional reverse depends on jsch too and my tests show that ant works with the new jsch too. I saw no other reverse dependencies for libjsch-java.
>
> Unblocked, with some hesitation.
>

That is awesome. One of my biggest annoyances is keeping Eclipse updated with its convoluted update mechanism across several machines.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: BIND 8 deprecation for the release notes
On Wed, Jan 10, 2007 at 10:02:05PM +0100, Fabio Tranchitella wrote:
>
> Sure, but python2.5 is not really usable: almost all the python modules are compiled only for python2.4. For postgresql you are right and I'm wrong, but I suppose that there are other examples in the archive where only a major release is released.
>
> Anyway, my question still applies. :)
>

That got me wondering and it appears that Etch will ship with Apache 1.3.34? Why? It is considered a legacy release by ASF? Is the Debian security team really willing to support it for another 2-3 years? I'm sure that there are other examples.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: why are new upstream versions of glib being uploaded?
On Wed, Dec 27, 2006 at 01:28:23AM +0100, Alexander Wirt wrote:
> Thomas Bushnell BSG wrote on Tuesday, 26 December 2006:
>
> > Why are new upstream releases being added to unstable of the glib2.0 package? We are in a freeze, I thought. And one seems perhaps to be responsible for a regression in gnucash (see #404585).
> Eh, we are in a testing freeze, not in an unstable freeze.
>

IIRC, the guidance from vorlon was no new upstream versions to unstable, only to experimental. That is, until after the release. You can probably search the list archives and find the exact message if you like.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Out of date upgrade-reports page
On Sun, Dec 24, 2006 at 10:48:52AM +0100, Andreas Barth wrote:
> * Roberto C. Sanchez ([EMAIL PROTECTED]) [061224 02:10]:
> > A Google search for "debian upgrade reports" (no quotes) returns a page [0] that is out of date since it is a template for a woody -> sarge upgrade. I would like to recommend that it either be updated or replaced with a redirection to a more current page (if one such page does exist).
>
> And recommendation which new page to choose for this?
>

I am not sure. I Google searched, but could not find one, which is why I added "(if one such page does exist)" at the end. If one doesn't, one of the release team members could probably just update with information relevant to the Sarge -> Etch upgrade.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Out of date upgrade-reports page
A Google search for "debian upgrade reports" (no quotes) returns a page [0] that is out of date since it is a template for a woody -> sarge upgrade. I would like to recommend that it either be updated or replaced with a redirection to a more current page (if one such page does exist).

Regards,

-Roberto

[0] http://release.debian.org/upgrade-report.html

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Question about sysklogd Etch migration
It appears that currently sysklogd 1.4.1-18 is in Etch. However, on 18 September [0], -19 was uploaded. The upload message shows urgency low, which is in conflict with [1], which shows that -19 has urgency high. I am wondering:

a) which is correct?
b) should -19 not be migrated (though -20 is already there, which might be a better choice)?

The LSB compliant init scripts look fairly important, or at least very nice to have in Etch.

Regards,

-Roberto

[0] http://packages.qa.debian.org/s/sysklogd/news/20060918T113208Z.html
[1] http://packages.debian.org/changelogs/pool/main/s/sysklogd/sysklogd_1.4.1-20/changelog

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Sarge -> Etch upgrade: no way to prevent removal of running kernel
On Thu, Dec 21, 2006 at 04:44:07PM -0800, Kevin B. McCarty wrote:
>
> Hence there is currently *no way* to upgrade Sarge -> Etch without the package manager insisting to remove the running kernel package!
>

Ouch.

> Possible fixes:
>
> 1) Fix #395181 so initrd-tools can get back into Etch
> 2) Make available 2.4.27/2.6.8 kernel images for a new Sarge point release that don't depend on initrd-tools

Except that this assumes someone has upgraded to the latest point release. I understand that the upgrade problem is critical, but I don't think this sort of functionality can be added in a point release and then legitimately assumed to be present by the Etch installer. I think you must assume that the person will have some previous version of the kernel with the dependency still in place. Besides, I think that releasing new kernel packages requires lots of work from the kernel team.

> 3) Make available udev and/or yaird packages built against the Sarge libc6
> 4) Remove the initrd-tools conflict from libc6 in Etch (might not work due to #364338)
> 5) Others?
>

Introduce a dummy initrd-tools in Etch which conflicts with +1 to the Debian version of Etch's libc6? That way at the first security update to libc6 or the release of Lenny (whichever comes first) the package will be forcibly removed anyway. Another possibility would be to have it depend on exactly the version of libc6 Etch releases with.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Question about removal of cyrus-sasl2-mit
On Wed, Dec 13, 2006 at 01:34:09AM -0800, Steve Langasek wrote:
>
> Indeed, so I think re-adding a libsasl2-gssapi-mit binary package to cyrus-sasl2 would be the best option. Is this in progress?
>

There is already a libsasl2-modules-gssapi-mit. Does the libsasl2-gssapi-mit binary package need to just be a dummy package which depends upon libsasl2-modules-gssapi-mit?

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Please hint sword-text-{kjv,sparv}
On Tue, Dec 12, 2006 at 12:02:37PM +0100, Andreas Barth wrote:
> * Roberto C. Sanchez ([EMAIL PROTECTED]) [061211 18:04]:
> > Please hint sword-text-kjv (2.3-1) and sword-text-sparv (1.1-1) into Etch. Both have been in for 5 days and neither had any open bugs. (They would have been in sooner, but I had trouble finding a sponsor for the upload).
>
> Actually, the diff is quite high. I'm still exceptionally approving them, as they have been uploaded in time.
>

Thank you. I don't recall what changed in the -kjv package (perhaps they did some reformatting). But in the -sparv package, upstream switched from an uncompressed to a compressed text format, which should save a significant amount of space on end user machines.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Question about removal of cyrus-sasl2-mit
On Mon, Dec 11, 2006 at 11:06:25AM -0800, Russ Allbery wrote:
>
> > Please read my original message. The new cyrus-sasl2 packages are linked against MIT Kerberos.
>
> I did, and I understand that. You're not understanding the problem, I think.
>
> > In fact, the new libsasl2-modules-gssapi-mit package replaces and conflicts with the one produced by cyrus-sasl2-mit. Thus, the upgrade path has already been planned and implemented.
>
> No, that still doesn't provide an upgrade path. That means that the right thing will happen if someone manually installs libsasl2-modules-gssapi-mit, which isn't the same thing.
>

OK. Makes sense now. Thanks for the explanation.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Question about removal of cyrus-sasl2-mit
On Mon, Dec 11, 2006 at 10:49:50AM -0800, Russ Allbery wrote:
>
> Wait, woah. You shouldn't just remove libsasl2-gssapi-mit from etch without a transition package so that people who are upgrading from sarge still have the MIT GSSAPI SASL module installed. That would break a bunch of our servers.
>
> I agree with the removal since the base SASL libraries are now newer and the old modules may well not work, but we should provide a better upgrade path than just having the package disappear.
>

Please read my original message. The new cyrus-sasl2 packages are linked against MIT Kerberos. In fact, the new libsasl2-modules-gssapi-mit package replaces and conflicts with the one produced by cyrus-sasl2-mit. Thus, the upgrade path has already been planned and implemented.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Please hint sword-text-{kjv,sparv}
Please hint sword-text-kjv (2.3-1) and sword-text-sparv (1.1-1) into Etch. Both have been in for 5 days and neither had any open bugs. (They would have been in sooner, but I had trouble finding a sponsor for the upload).

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Question about removal of cyrus-sasl2-mit
On Mon, Dec 11, 2006 at 05:51:10PM +0100, Andreas Barth wrote:
>
> I can remove a package without any bug - the RC bug is required so that the package doesn't return on its own. That is why pre-freeze an RC bug is required - and we require the bug on ftp.debian.org for documentation reasons. If it makes you feel better, you can still submit an RC bug - it won't do anything bad.
>

OK. I did not understand that. I won't bother with another bug then. Please remove the cyrus-sasl2-mit packages (libsasl2-gssapi-mit and libsasl2-krb4-mit) from Etch. I will file a removal bug soon.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Question about removal of cyrus-sasl2-mit
On Mon, Dec 11, 2006 at 03:07:27PM +0100, Andreas Barth wrote:
> >
> > - File a serious bug against it to get it out of Etch
> > - File a bug against the ftp.d.o pseudopackage requesting complete removal from Sid (since ftpmaster seems to be taking a while to process removal requests I think we can expect that this will not happen until after Etch is released)
> >
> > If these seem OK, can I go ahead with them?
>
> You can open an RC-bug, but that is no longer required because of the freeze. The removal bug however is.
>

I don't understand. cyrus-sasl2-mit is still in Etch. If I do not file an RC bug against it, how will it be removed?

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Question about removal of cyrus-sasl2-mit
There is still a source package for cyrus-sasl2-mit. This has been superseded by the new version of cyrus-sasl2, which is in Etch. The new version of cyrus-sasl2 builds against MIT Kerberos, obviating the need for the separate cyrus-sasl2-mit. What is the best way of going about removing this package? I was thinking this:

- File a serious bug against it to get it out of Etch
- File a bug against the ftp.d.o pseudopackage requesting complete removal from Sid (since ftpmaster seems to be taking a while to process removal requests I think we can expect that this will not happen until after Etch is released)

If these seem OK, can I go ahead with them?

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: postfix: possible RC bug?
On Wed, Dec 06, 2006 at 11:49:52AM +0100, Adrian von Bidder wrote:
> Yodel!
>
> I'm just wondering if #397771 (SASL auth breaks with current postfix + cyrus sasl from testing) shouldn't be RC. As far as I understand, basically every postfix+sasl set up will break on sarge->etch upgrade.
>
> (latest bug activity: 25. November)
>
> Sorry to be unable to help.
>

Check the report with which it was merged (#398534). There is a much lengthier discussion there.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
New cyrus-sasl2 for etch?
[ Fabian sent this message to vorlon and to pkg-cyrus-sasl2-debian-devel early yesterday. I've not seen a response, so I am resending and adding debian-release. ]

----- Forwarded message from Fabian Fagerholm <[EMAIL PROTECTED]> -----

Hi!

The cyrus-sasl2 team has now reached a point where we would like to consider inclusion in etch. We've ironed out a lot of bugs, and the package has been tested in unstable for a while.

We believe that the package is at least as good as the one currently in etch -- probably better, because of the long-standing bugs we've been able to close. Also, we've introduced a debug package that could be a great help in debugging some of the harder issues that have plagued this library in the past. (See the bug reports against this package about memory leaks and segfaults.) So there are many points that support inclusion in etch.

We ask you to take a look at the cyrus-sasl2 package in unstable and decide if it's fit for etch. If not, we'd appreciate a list of the blocking issues. If it is fit for inclusion, please advise on what we need to do, if anything.

Please be aware that Postfix has bug #398245, which must be fixed for Postfix to work with this new cyrus-sasl2 version. It is possible that other software linking against cyrus-sasl2 will require similar adjustments. We've provided a patch for that bug and will continue to help our reverse dependencies to upgrade.

Thanks,
--
Fabian Fagerholm <[EMAIL PROTECTED]>

----- End forwarded message -----

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Please remove zinf from etch
On Sun, Nov 12, 2006 at 07:25:39PM -0600, Luis Rodrigo Gallardo Cruz wrote:
>
> I did not feel comfortable asking for removal because the package still has a not-so-low popcount (~145 installed, ~40 vote).
>

However, since it was last uploaded two years ago and is unmaintained upstream for over a year, I think it is not right to lead the users on. I would recommend to remove the package entirely and then include something in the release notes mentioning possible alternatives.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Please remove zinf from etch
On Sun, Nov 12, 2006 at 12:27:04PM -0600, Luis Rodrigo Gallardo Cruz wrote:
> Package zinf:
>
> * Had last maintainer upload 2 years ago.
> * Has been RFAd for over a year. http://bugs.debian.org/328956
> * According to RFA, it is unmaintained upstream and has alternatives.
> * Is rc-buggy: http://bugs.debian.org/397032
>
> Thus, I believe it should be removed from etch.
>
> Please cc: I'm not subscribed.
>

Given those criteria, I would think the better course of action would be to remove it altogether.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Kernel Firmware issue: are GPLed sourceless firmwares legal to distribute ?
On Tue, Oct 17, 2006 at 03:35:26PM -0700, Don Armstrong wrote:
> On Wed, 18 Oct 2006, Anthony Towns wrote:
> > On Tue, Oct 17, 2006 at 03:49:25PM -0400, Nathanael Nerode wrote:
> > > The answer to the question in the subject is simple: NO.
> >
> > Thank you for your opinion. I note you seemed to neglect to mention that you're not a lawyer.
>
> That should be abundantly apparent to anyone who has been paying attention. Regardless, it doesn't dismiss the crux of the argument: barring competent legal advice to the contrary,[1] distributing sourceless GPLed works is not clear of legal liability. Doing otherwise may put ourselves and our mirror operators in peril.
>

So what? Distributing GPL works *with* sources is also not clear of legal liability.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Xen 3.0.3 for Etch
On Mon, Oct 02, 2006 at 06:26:27PM -0300, Otavio Salvador wrote:
>
> The kernels work for both dom0 and domU. You use the same kernel image.
>

I think that the only difference is that the domU kernels do not require any sort of traditional hardware support (chipsets, NICs, etc), but it does not hurt anything if they are still in there.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Easy removals B-G reminder
Nathanael Nerode wrote:
> "Debatable" ones removed from list.
>
> # 364264
> remove directvnc/0.7.5-7.1

I sent Ola a patch for this one and he uploaded it on Sunday.

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~roberto
Re: The powerpc port should be removed from etch release candidates ...
Sven Luther wrote:
> The debian installer netinst and businesscard images are now broken since almost a month, and since the d-i team kicked me out as powerpc maintainer, and removed my d-i commit rights, there is no way for me to help fix this, and this clearly demonstrates that the d-i powerpc port is not maintained anymore.

Perhaps my experience has been different, but I have noticed that when I don't have commit privileges to a particular repo or part of the project that submitting a patch to the responsible individual(s) usually yields results. Though, I am not (yet) a DD, which may explain why I am accustomed to working without the ability to directly commit.

I am not trying to make a personal attack here. I am simply saying that "I don't have write access" is a relatively lame excuse. If everyone went by that mantra, there would be no DD-wannabees and the project would likely not have as many people going through the process of becoming DDs.

Caveats: IANAL, YMMV, IMHPTPCOOFMRE (I may have pulled the preceding completely out of my rear end)

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~roberto
Re: Bug#325484: udev >= 0.060-1 and kernels >= 2.6.12
On Tue, Aug 30, 2005 at 10:16:27PM -0700, Greg KH wrote:
> On Tue, Aug 30, 2005 at 08:23:02PM -0400, Roberto C. Sanchez wrote:
> >
> > I also don't understand why the gcc version is an issue. I mean, you can compile a library with one version of gcc and link to it when compiling a program with a different version of gcc. We are even talking about C, which AFAICT doesn't suffer the same binary compatibility issues as C++.
>
> The kernel enables or disables many different things depending on the version of gcc to work around different issues. Because of this, the main kernel, and all kernel modules must be built with the exact same version of gcc, otherwise very bad things can happen.
>
> greg k-h

Thanks for explaining.

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~roberto
Re: Bug#325484: udev >= 0.060-1 and kernels >= 2.6.12
On Tue, Aug 30, 2005 at 04:59:48PM -0700, Steve Langasek wrote:
>
> > Because I roll my own kernel. If I upgrade the kernel with gcc-3.3 (currently the Sarge default) and then upgrade to Etch (which will have gcc-4.0 for a default) I will run into problems if I decide to add new modules to my kernel. Thus, those with a self-compiled kernel are in a situation where you can a) dist-upgrade without first upgrading the kernel and risk breakage; or b) upgrade the kernel twice. Once before and once after. I suppose that it is possible to build the new kernel inside of a chroot (or sbuild or pbuilder) if kernel-package is being used.
>
> > I am simply pointing out that there is a potential issue that needs to at least be addressed in the release notes.
>
> Ah, yes. I really don't understand why the kernel embeds the gcc version into its version-matching logic, but I've run into this problem as well. I agree that it warrants documenting, though I also suspect that most users running self-compiled 2.6 kernels are going to be running something a bit newer than 2.6.8 anyway.
>

I also don't understand why the gcc version is an issue. I mean, you can compile a library with one version of gcc and link to it when compiling a program with a different version of gcc. We are even talking about C, which AFAICT doesn't suffer the same binary compatibility issues as C++.

As far as running newer self-compiled kernels, that certainly is not the case for me. In fact, I only compile my own kernel because I require the mppe patch on my machines. If not for that, I would be running a stock kernel because I have been bitten in the past by staying on the bleeding edge. I know that I am only one data point, but I am sure that I am not the only one.

> Option a) doesn't seem particularly sensible to me, btw, because the "risk" is near certain...
>

Incidentally, is it possible to put udev on hold, upgrade everything else, install a new kernel and then select udev for upgrade?

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~roberto
Re: Bug#325484: udev >= 0.060-1 and kernels >= 2.6.12
On Mon, Aug 29, 2005 at 09:43:33PM -0700, Steve Langasek wrote:
> > > 1) upgrade your kernel
> > > 2) dist-upgrade
> >
> > > That doesn't seem terribly elaborate to me? And if people choose not to read, well, they get a failure on dist-upgrade and get to figure it out for themselves, I guess.
>
> > Will that still apply in the case of a home-rolled kernel?
>
> Yes, of course. The reason this is such an issue in the first place is because kernel dependencies are *not* expressed as package dependencies; instead, udev checks the running kernel version in the preinst.
>

Thanks for the clarification.

> > However, if you have to compile your own kernel, do you upgrade kernel, dist-upgrade and then recompile with the new gcc?
>
> Why?
>

Because I roll my own kernel. If I upgrade the kernel with gcc-3.3 (currently the Sarge default) and then upgrade to Etch (which will have gcc-4.0 for a default) I will run into problems if I decide to add new modules to my kernel. Thus, those with a self-compiled kernel are in a situation where you can a) dist-upgrade without first upgrading the kernel and risk breakage; or b) upgrade the kernel twice. Once before and once after. I suppose that it is possible to build the new kernel inside of a chroot (or sbuild or pbuilder) if kernel-package is being used.

I am simply pointing out that there is a potential issue that needs to at least be addressed in the release notes.

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~roberto
Re: Bug#325484: udev >= 0.060-1 and kernels >= 2.6.12
On Mon, Aug 29, 2005 at 07:56:32PM -0700, Steve Langasek wrote:
>
> > The kernel is likely going to be upgraded automatically because users will be using the kernel-image-2.6-xxx packages.
>
> Is that a problem for some reason?
>
> > So we're going to have another release with a very elaborate upgrade procedure in the release notes (which a lot of users, especially desktop users, don't read anyway)?
>
> 1) upgrade your kernel
> 2) dist-upgrade
>
> That doesn't seem terribly elaborate to me? And if people choose not to read, well, they get a failure on dist-upgrade and get to figure it out for themselves, I guess.
>

Will that still apply in the case of a home-rolled kernel? If you use the Debian-provided kernel, then you will have a kernel on your system that is compiled with the default version of gcc that is in Etch. However, if you have to compile your own kernel, do you upgrade kernel, dist-upgrade and then recompile with the new gcc?

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~roberto
Re: Preparation of the next stable Debian GNU/Linux update (I)
On Fri, Jul 08, 2005 at 09:18:16AM +0200, Martin Schulze wrote:
>
> The requirements for packages to get updated in stable are:
>
> 1. The package fixes a security problem. An advisory by our own Security Team is required. Updates need to be approved by the Security Team.
>
> 2. The package fixes a critical bug which can lead into data loss, data corruption, or an overly broken system, or the package is broken or not usable (anymore).
>
> 3. The stable version of the package is not installable at all due to broken or unmet dependencies or broken installation scripts.
>
> 4. All released architectures have to be in sync.
>
> 5. The package gets all released architectures back in sync.
>
> It is (or (and (or 1 2 3) 4) 5)
>

I am adopting the httperf package. It was in Woody and was removed from Sarge/Sid because of licensing issues with linking to OpenSSL. The issue has been resolved [0] by the current upstream maintainer. Since the package was in Woody and not in Sarge [1], there is the potential for someone to have had it installed prior to upgrading and now have it still installed.

This could be a problem since if the package is only allowed back into Sid/Etch, then Sarge users with the "obsolete" httperf would not receive any future security updates (if they become necessary) for the package. Is this sufficient justification to have the package added back in to Sarge?

Here is a summary of the changes from the Woody version:

* Move from non-US to main
* Recompile against libssl0.9.7
* Update license and copyright file.
* Corrected some minor lintian warnings against the man page.
* Added a watch file.

The last two changes can be backed out if it is necessary to get the package into Sarge. If this is sufficient, I can have a new package done and uploaded (by my sponsor) by tomorrow. Comments would be appreciated.

-Roberto

[0] http://lists.debian.org/debian-legal/2005/07/msg00040.html
[1] http://packages.debian.org/httperf

--
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
Re: Release team for etch?
On Fri, Jun 10, 2005 at 06:58:35PM -0700, Thomas Bushnell BSG wrote:
>
> Why not? The following seems like a reasonable plan to me:
>
> By the end of June, decide the release criteria.
>
> By the end of September, have the GCC changes in place and other infrastructural changes that we know we expect. Have filed bug reports on whatever new RC issues will need to be fixed for etch. (Such as the GCC change, and whatever else.)
>
> By the end of the year, freeze base.
>
> By March 2006, freeze everything else.
>
> Release in June 2006.
>
> Doesn't seem *impossible*, but it requires swinging into gear right now. What am I missing?
>

I have to agree. I know that some people will truck out the classic, "But I don't want to upgrade my servers every 12 months" argument. But, I think that as long as the changes are kept more evolutionary than revolutionary, it would be possible to keep the pain of upgrading rather minimal. Besides, with the security team keeping up security support of oldstable for 12 months or more (that is the number I recall seeing) it seems like nobody would be "forced" to upgrade until 12 months after whatever day the next release ships.

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
Question regarding kernel-source package versions
Today I noticed that the versions of kernel-source-2.4.27 and kernel-source-2.6.8 in Sarge and Sid differ. In and of itself, that is not particularly interesting. However, both packages have had one or two updates in the last few weeks. Again, nothing interesting. However, both packages have fixed a number of security vulnerabilities, yet were uploaded with urgency low. Why is that? Should those security fixes not go into Sarge?

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
Re: Proposal: Bringing volatile in shape for sarge
Quoting Adrian von Bidder <[EMAIL PROTECTED]>:
> On Tuesday 24 May 2005 10.31, Andreas Barth wrote:
> > volatile is also mentioned in the release notes.
>
> [...]
>
> With volatile being mentioned in the release notes (and it being a debian.net service, thus not-entirely-official), a clarifying note should imho be added to explain what the difference is between the three big places to get debian packages, namely volatile, backports.org and apt-get.org
>
> (I hope d-release is the right list for this)
>
> volatile is already covered, I propose adding a section 6.5
>
> ===
> Getting additional software
>
> Although the Debian GNU/Linux software archive is very big, it may happen that you want to install software not available from debian.org. Debian packages are available from many places, the two most important addresses are:

I would add: "... you want to install software not available from debian.org or newer versions of software than those that are currently available in the Sarge release."

> - backports.org
> Debian's update policy is very conservative: basically, no new software versions at all are allowed into Debian sarge once it is released, the point updates (3.1r1 etc.) primarily integrate previously released security updates. backports.org releases new software versions packaged to run on Debian sarge.
> [#include not about security support for backports.org - I have no idea myself.]
>
> - apt-get.org
> apt-get.org is not a package repository itself, but many package repositories are listed in the searchable index of this site. Consequently, trustworthiness, quality and offered level of maintenance/support vary wildly depending on the source of the packages.

Change to: "... maintenance/support vary widely depending ..."

> Please see also section 2.1.1 about 'volatile' as a source of updated packages for software like virus scanners etc. which depend on information that easily becomes outdated.
> ===
>
> greetings
> -- vbi

-Roberto

--
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
Re: Should multi-gnome-terminal go away?
Torsten Werner wrote:
> Steve Langasek wrote:
>
>> If the maintainer agrees that this package should not be included with
>> sarge, then it is of course reasonable to drop it (preferably with a
>> transition package providing an upgrade path to gnome-terminal, if that's
>> the appropriate replacement).
>
> It depends on the year, when sarge will be released. :-) Too many people
> are still using MGT today because of some of its outstanding features
> that are not implemented in gnome2's terminal emulator. I will MGT for
> sarge and ask for removal from etch if nobody takes over the package.
>

I was unaware of this. I guess I should have checked its popcon rank :) Personally, I have used both and found the new gnome-terminal to be generally superior. But I guess OPMMV (other people's mileage may vary) and they may actually like it better.

-Roberto
-- Roberto C. Sanchez http://familiasanchez.net/~sanchezr
Should multi-gnome-terminal go away?
I have been checking out the RFA'd and O'd package lists. I saw that multi-gnome-terminal [0] is on the RFA list. I am wondering if it would not be better to simply remove it from Debian. Here is why I think it should go:

* depends on obsolete GNOME 1.4 and GTK+ 1.2 libs
* functionally superseded by gnome-terminal GNOME 2+
* Has outstanding bugs that are 3+ years old

-Roberto

[0] http://bugs.debian.org/multi-gnome-terminal

-- Roberto C. Sanchez http://familiasanchez.net/~sanchezr
Should kmatplot release with Sarge?
I recently noticed [0] that at least one person thinks that kmatplot should be held back from Sarge. The reason seems fairly compelling. I am wondering if this has just been overlooked. Should the bug be made RC to hold it back?

-Roberto

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=303477

-- Roberto C. Sanchez http://familiasanchez.net/~sanchezr
Re: RFC on mysql 4.1 in sarge
Christian Hammers wrote:
> Hello
>
> [1st issue - dpkg symlink bug workaround]
>
> On 2005-05-18 Roberto C. Sanchez wrote:
>
>>Quoting sean finney <[EMAIL PROTECTED]>:
>>
>>>so at this point, we're not sure what to do to cover this last problem,
>>>as we have no guarantee the preinst of mysql-server-4.1 will even run
>>>before mysql-server/woody is removed. the only fix we can think of is
>>>to remove the two directories from the files.list of the woody package.
>>>
>>>so we've come up with three options, none of which are great:
>>
>>I may be misunderstanding what you are saying. But, I think that if you
>>create a package called mysql-server-4.1-upgrade (or something else
>>suitable) and then you make mysql-server-4.1 predepend on it, then
>>mysql-server-4.1-upgrade can check for the existence of the symlinks.
>
> No, predepends can be used to ensure that some other package has already
> been completely installed i.e. postinst had been executed before the
> depending package even gets unpackaged.
> But that won't help here. apt-get calculates that mysql-server (3.23) has
> to be removed in order to get mysql-server-4.1 installed so it would first
> completely remove mysql-server (3.23) and *then* maybe install your
> temporary package which would be as useless as our current preinst hack.
>

OK. I misunderstood then. Thanks for the clarification.

-Roberto
-- Roberto C. Sanchez http://familiasanchez.net/~sanchezr
Re: RFC on mysql 4.1 in sarge
Quoting sean finney <[EMAIL PROTECTED]>:

> so at this point, we're not sure what to do to cover this last problem, as we have no guarantee the preinst of mysql-server-4.1 will even run before mysql-server/woody is removed. the only fix we can think of is to remove the two directories from the files.list of the woody package.
>
> so we've come up with three options, none of which are great:

I may be misunderstanding what you are saying. But, I think that if you create a package called mysql-server-4.1-upgrade (or something else suitable) and then you make mysql-server-4.1 predepend on it, then mysql-server-4.1-upgrade can check for the existence of the symlinks. If the symlinks exist, it can move them aside, create the requisite directories, and then symlink in the new directories the contents of the directories pointed to by the old symlinks. This would at least ensure that people are not left with only empty directories and a non-functional DB.

-Roberto
-- Roberto C. Sanchez http://familiasanchez.net/~sanchezr
Professional blame assigner, at your service
Steve Langasek recently posted this:

> We mentioned in the freeze announcement[1] that we needed volunteers to help with processing upgrade reports -- taking them apart, identifying the bugs that appear, and assigning them to the packages responsible so that they can get fixed for sarge. Our call for volunteers got us a total of, uh... one person offering to help, so we could probably use more. :)
>
> If you are an experienced user who is good at figuring out who to blame when things break, and you have some time you'd be willing to spend helping make sarge the best Debian release ever, please contact [EMAIL PROTECTED] We'll be happy to put you to work.

I'd like to volunteer to help.

-Roberto
-- Roberto C. Sanchez http://familiasanchez.net/~sanchezr