Bug#1068815: undertow: CVE-2023-1973

2024-04-11 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2023-1973[0]:
The only reference is at Red Hat:

https://bugzilla.redhat.com/show_bug.cgi?id=2185662


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1973
https://www.cve.org/CVERecord?id=CVE-2023-1973

Please adjust the affected versions in the BTS as needed.

__
This is the maintainer address of Debian's Java team . Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#1068816: undertow: CVE-2024-1459

2024-04-11 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2024-1459[0]:
| A path traversal vulnerability was found in Undertow. This issue may
| allow a remote attacker to append a specially-crafted sequence to an
| HTTP request for an application deployed to JBoss EAP, which may
| permit access to privileged or restricted files and directories.

The only reference here is at Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=2259475

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1459
https://www.cve.org/CVERecord?id=CVE-2024-1459

Please adjust the affected versions in the BTS as needed.



Bug#1068817: undertow: CVE-2024-1635

2024-04-11 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2024-1635[0]:
| A vulnerability was found in Undertow. This vulnerability impacts a
| server that supports the wildfly-http-client protocol. Whenever a
| malicious user opens and closes a connection with the HTTP port of
| the server and then closes the connection immediately, the server
| will end with both memory and open file limits exhausted at some
| point, depending on the amount of memory available. At HTTP
| upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks
| connections if RemotingConnection is closed by Remoting
| ServerConnectionOpenListener. Because the remoting connection
| originates in Undertow as part of the HTTP upgrade, there is an
| external layer to the remoting connection. This connection is
| unaware of the outermost layer when closing the connection during
| the connection opening procedure. Hence, the Undertow
| WriteTimeoutStreamSinkConduit is not notified of the closed
| connection in this scenario. Because WriteTimeoutStreamSinkConduit
| creates a timeout task, the whole dependency tree leaks via that
| task, which is added to XNIO WorkerThread. So, the workerThread
| points to the Undertow conduit, which contains the connections and
| causes the leak.

https://bugzilla.redhat.com/show_bug.cgi?id=2264928


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1635
https://www.cve.org/CVERecord?id=CVE-2024-1635

Please adjust the affected versions in the BTS as needed.



Processed (with 1 error): tagging 1068815, tagging 1068816, tagging 1068817, tagging 168818, tagging 1068820, tagging 1068819 ...

2024-04-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 1068815 + upstream
Bug #1068815 [src:undertow] undertow: CVE-2023-1973
Added tag(s) upstream.
> tags 1068816 + upstream
Bug #1068816 [src:undertow] undertow: CVE-2024-1459
Added tag(s) upstream.
> tags 1068817 + upstream
Bug #1068817 [src:undertow] undertow: CVE-2024-1635
Added tag(s) upstream.
> tags 168818 + upstream
Failed to alter tags of Bug 168818: Not altering archived bugs; see unarchive.

> tags 1068820 + upstream
Bug #1068820 [src:qemu] qemu: CVE-2024-3446
Added tag(s) upstream.
> tags 1068819 + upstream
Bug #1068819 [src:qemu] qemu: CVE-2024-26327 CVE-2024-26328
Added tag(s) upstream.
> tags 1068821 + upstream
Bug #1068821 [src:qemu] qemu: CVE-2024-3447
Added tag(s) upstream.
> tags 1068822 + upstream
Bug #1068822 [src:qemu] qemu: CVE-2024-3567
Added tag(s) upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1068815: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068815
1068816: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068816
1068817: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068817
1068819: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068819
1068820: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068820
1068821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068821
1068822: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068822
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: notfound 1068806 in 1.5.0dfsg1-2, found 1068806 in 1.5.0+dfsg1-2, tagging 1068806 ...

2024-04-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> notfound 1068806 1.5.0dfsg1-2
Bug #1068806 [src:osmo-bts] Update Build-Depends for the time64 library renames
The source 'osmo-bts' and version '1.5.0dfsg1-2' do not appear to match any 
binary packages
No longer marked as found in versions osmo-bts/1.5.0dfsg1-2.
> found 1068806 1.5.0+dfsg1-2
Bug #1068806 [src:osmo-bts] Update Build-Depends for the time64 library renames
Marked as found in versions osmo-bts/1.5.0+dfsg1-2.
> tags 1068806 + sid trixie
Bug #1068806 [src:osmo-bts] Update Build-Depends for the time64 library renames
Added tag(s) sid and trixie.
> found 1068730 255.4-1
Bug #1068730 [src:systemd] Fails to build from source since removal of 
liblz4-tool
Marked as found in versions systemd/255.4-1.
> tags 1068805 + sid trixie
Bug #1068805 [python3-pywt] python3-pywt: distutils not available in Python 3.12
Added tag(s) trixie and sid.
> found 1068721 5.3.0-1
Bug #1068721 {Done: Jonas Smedegaard } 
[librust-event-listener-dev] Depends on nonexistant librust-parking-2+std-dev
Marked as found in versions rust-event-listener/5.3.0-1.
> tags 1068756 + sid trixie experimental
Bug #1068756 {Done: Bill Allombert } [src:gap] gap: FTBFS: 
failing tests
Added tag(s) experimental, trixie, and sid.
> tags 1068757 + sid trixie
Bug #1068757 [src:python-musicpd] python-musicpd: FTBFS: dh_installchangelogs: 
error: could not find changelog
Added tag(s) trixie and sid.
> tags 1068609 - trixie
Bug #1068609 {Done: Rene Engelhard } [src:libreoffice] 
libreoffice: FTBFS on arrmhf: testContentGnumeric assertion failed,- 
Expression: 
xServiceInfo->supportsService("com.sun.star.sheet.SpreadsheetDocument")
Removed tag(s) trixie.
> tags 1065725 + experimental
Bug #1065725 [src:adns] adns: FTBFS on arm{el,hf}: FAILED ./case-1stservbroken 
- WRONG OUTPUT - lines of syscall remaining 0
Added tag(s) experimental.
> tags 1068066 + experimental
Bug #1068066 [src:docker-registry] docker-registry: FTBFS on armhf (test 
failure with DriverSuite.TestDeleteOnlyDeletesSubpaths)
Added tag(s) experimental.
> found 1066403 4.3.2-1
Bug #1066403 {Done: Dirk Eddelbuettel } [r-base-dev] 
r-base-dev: missing dependency on libtirpc-dev
Bug #1066452 {Done: Dirk Eddelbuettel } [r-base-dev] 
r-base-dev: missing dependency on libtirpc-dev
Bug #1066455 {Done: Dirk Eddelbuettel } [r-base-dev] 
r-base-dev: missing dependency on libtirpc-dev
Bug #1066456 {Done: Dirk Eddelbuettel } [r-base-dev] 
r-base-dev: missing dependency on libtirpc-dev
Marked as found in versions r-base/4.3.2-1.
Marked as found in versions r-base/4.3.2-1.
Marked as found in versions r-base/4.3.2-1.
Marked as found in versions r-base/4.3.2-1.
> tags 1066403 - sid trixie
Bug #1066403 {Done: Dirk Eddelbuettel } [r-base-dev] 
r-base-dev: missing dependency on libtirpc-dev
Bug #1066452 {Done: Dirk Eddelbuettel } [r-base-dev] 
r-base-dev: missing dependency on libtirpc-dev
Bug #1066455 {Done: Dirk Eddelbuettel } [r-base-dev] 
r-base-dev: missing dependency on libtirpc-dev
Bug #1066456 {Done: Dirk Eddelbuettel } [r-base-dev] 
r-base-dev: missing dependency on libtirpc-dev
Removed tag(s) sid and trixie.
Removed tag(s) sid and trixie.
Removed tag(s) trixie and sid.
Removed tag(s) sid and trixie.
> tags 1064740 - sid trixie
Bug #1064740 {Done: Sebastian Ramacher } [src:ffmpeg] 
ffmpeg: FTBFS: test.c:2:(.text.startup+0x19): undefined reference to 
`closesocket'
Removed tag(s) sid and trixie.
> tags 1068484 + experimental
Bug #1068484 {Done: Jeremy Bícha } [src:juce] 
juce-modules-source: Depends: libwebkit2gtk-4.0-dev but it is no longer built
Added tag(s) experimental.
> tags 1067636 - sid
Bug #1067636 [nodejs] nodejs: Testsuite fails with openssl 3.2
Removed tag(s) sid.
> tags 1067532 - sid
Bug #1067532 [nagios-plugins-contrib] nagios-plugins-contrib: Testsuite fails 
with openssl 3.2
Removed tag(s) sid.
> tags 1062235 + trixie experimental
Bug #1062235 [wireless-regdb] wireless-regdb: debci test fails with OpenSSL 3.2.
Added tag(s) experimental and trixie.
> tags 1061458 - sid
Bug #1061458 [src:gdm3] gdm3: Testsuite breaks with openssl 3.2
Removed tag(s) sid.
> reassign 1068796 ntpsec-ntpdate 1.2.3+dfsg1-1
Bug #1068796 {Done: Ingo Saitz } [ntpsec-netpdate] 
ntpsec-netpdate: starts ntpd if installed, leading to delayed boot
Warning: Unknown package 'ntpsec-netpdate'
Bug reassigned from package 'ntpsec-netpdate' to 'ntpsec-ntpdate'.
No longer marked as found in versions 1.2.3+dfsg1-1.
Ignoring request to alter fixed versions of bug #1068796 to the same values 
previously set
Bug #1068796 {Done: Ingo Saitz } [ntpsec-ntpdate] 
ntpsec-netpdate: starts ntpd if installed, leading to delayed boot
Marked as found in versions ntpsec/1.2.3+dfsg1-1.
> reassign 1067816 src:fuse3 3.14.0-5.1~exp1
Bug #1067816 {Done: Lukas Märdian } [libfuse3-3t64] 
libfuse3-3t46: move library to /usr (DEP17)
Warning: Unknown package 'libfuse3-3t64'
Bug reassigned from package 'libfuse3-3t64' to 'src:fuse3'.
No longer marked as found in versions fuse3/3.14.0-5.1~exp1.
Ig

Bug#1068159: openjfx: FTBFS on arm{el, hf}: /usr/include/features-time64.h:26:5: error: #error "_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64"

2024-04-11 Thread Peter Green

Tags 1068159 +patch
Thanks

The build failure is caused by the following in
modules/javafx.media/src/main/native/gstreamer/gstreamer-lite/projects/build/linux/common/config.h

> /* Number of bits in a file offset, on hosts where this is settable. */
> #undef _FILE_OFFSET_BITS

Looking at the file, this looks like output from autotools that was
copied to become a static configuration file when code was vendored.

One option would be to remove this line completely; however, to minimise
the risk of causing regressions on architectures not involved in the
time64 transition I chose instead to place it behind an #ifndef
guard.

> /* Number of bits in a file offset, on hosts where this is settable. */
> #ifndef _TIME_BITS
> # undef _FILE_OFFSET_BITS
> #endif

With this change, I was able to build the package successfully on
armhf.

Debdiff attached, if I get no response I will probably NMU this
in a week or so.
diff -Nru openjfx-11.0.11+1/debian/changelog openjfx-11.0.11+1/debian/changelog
--- openjfx-11.0.11+1/debian/changelog  2023-07-16 03:30:26.0 +
+++ openjfx-11.0.11+1/debian/changelog  2024-04-11 15:34:39.0 +
@@ -1,3 +1,10 @@
+openjfx (11.0.11+1-3.2) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Don't undefine _FILE_OFFSET_BITS if _TIME_BITS is set (Closes: #1068159)
+
+ -- root   Thu, 11 Apr 2024 15:34:39 +
+
 openjfx (11.0.11+1-3.1) unstable; urgency=medium
 
   * Team upload.
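Review bot: the trailer of the new changelog entry reads ` -- root   Thu, 11 Apr 2024 15:34:39 +` with no uploader name or e-mail address, so the entry does not identify who made the NMU; regenerate it with DEBFULLNAME and DEBEMAIL set (or hand-edit the trailer to the author's name and address given in the patch header) and switch `UNRELEASED` to `unstable` before the upload.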
diff -Nru 
openjfx-11.0.11+1/debian/patches/40-dont-unset-file-offset-bits-if-time-bits-set.patch
 
openjfx-11.0.11+1/debian/patches/40-dont-unset-file-offset-bits-if-time-bits-set.patch
--- 
openjfx-11.0.11+1/debian/patches/40-dont-unset-file-offset-bits-if-time-bits-set.patch
  1970-01-01 00:00:00.0 +
+++ 
openjfx-11.0.11+1/debian/patches/40-dont-unset-file-offset-bits-if-time-bits-set.patch
  2024-04-11 15:34:39.0 +
@@ -0,0 +1,29 @@
+Description:  Don't undefine _FILE_OFFSET_BITS if _TIME_BITS is set.
+ Having _TIME_BITS set to 64 but _FILE_OFFSET_BITS not set on a 32-bit
+ architectureis not supported by glibc. As a result of this, unsetting
+ _FILE_OFFSET_BITS on a 32-bit architecture with 64-bit time causes a build
+ failure.
+ 
+ I suspect the unsetting of _FILE_OFFSET_BITS is a leftover from an
+ autogenerated file that became a static file rather than a deliberate
+ choice to override system settings.
+
+ I suspect that unsetting _FILE_OFFSET_BITS is unnessacery in general and the
+ line could be completely removed. However to minimise the risk of regressions
+ I instead used an ifndef gaurd
+Author: Peter Michael Green 
+Bug-Debian: https://bugs.debian.org/1068159
+
+--- 
openjfx-11.0.11+1.orig/modules/javafx.media/src/main/native/gstreamer/gstreamer-lite/projects/build/linux/common/config.h
 
openjfx-11.0.11+1/modules/javafx.media/src/main/native/gstreamer/gstreamer-lite/projects/build/linux/common/config.h
+@@ -544,7 +544,9 @@
+ #endif
+ 
+ /* Number of bits in a file offset, on hosts where this is settable. */
+-#undef _FILE_OFFSET_BITS
++#ifndef _TIME_BITS
++# undef _FILE_OFFSET_BITS
++#endif
+ 
+ /* Define to 1 to make fseeko visible on some hosts (e.g. glibc 2.2). */
+ #undef _LARGEFILE_SOURCE
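Review bot: the DEP-3 header of the new patch has three typos in its long description (`architectureis`, `unnessacery`, `gaurd`) and no `Forwarded:` field; since the guarded `#undef` fixes a vendored upstream file, record whether it was sent upstream (for example `Forwarded: not-needed` or the upstream bug URL). The guard itself is the minimal change: it keeps the existing `#undef _FILE_OFFSET_BITS` behaviour on architectures that do not pass `_TIME_BITS`, which matches the regression argument in the description.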
diff -Nru openjfx-11.0.11+1/debian/patches/series 
openjfx-11.0.11+1/debian/patches/series
--- openjfx-11.0.11+1/debian/patches/series 2023-07-16 03:30:26.0 
+
+++ openjfx-11.0.11+1/debian/patches/series 2024-04-11 15:34:39.0 
+
@@ -21,3 +21,4 @@
 disable-ffmpeg.patch
 38-javadoc.patch
 webkit-217079-only-use-jumpislands-with-JIT.patch
+40-dont-unset-file-offset-bits-if-time-bits-set.patch
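The preprocessor interaction described in the message above, as an added example that is not code from openjfx, the debdiff, or the bug report. The two `#define` lines stand in for the `-D_TIME_BITS=64 -D_FILE_OFFSET_BITS=64` flags that the time64 build passes on 32-bit architectures (constructed here so the file compiles on its own); the guarded block is the same pattern as the patch, and the helper functions `file_offset_bits_kept`, `off_t_bits` and `time_t_bits` are names chosen for this example.

```c
/* Added example: stand-ins for the build flags a time64 build passes
 * (-D_TIME_BITS=64 -D_FILE_OFFSET_BITS=64). They are defined here, before
 * any system header, so the file reproduces that environment by itself. */
#define _TIME_BITS 64
#define _FILE_OFFSET_BITS 64

/* Patched form of the vendored config.h line: only drop _FILE_OFFSET_BITS
 * when no 64-bit time request is in effect. An unguarded
 * "#undef _FILE_OFFSET_BITS" here would strip the macro, and the first
 * glibc header below would then stop at features-time64.h's
 *   #error "_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64" */
#ifndef _TIME_BITS
# undef _FILE_OFFSET_BITS
#endif

#include <stdio.h>
#include <sys/types.h>
#include <time.h>

/* Record at preprocessing time whether the guard preserved the macro. */
#ifdef _FILE_OFFSET_BITS
# define OFFSET_BITS_KEPT 1
#else
# define OFFSET_BITS_KEPT 0
#endif

/* 1 if _FILE_OFFSET_BITS survived the guarded #undef, 0 otherwise. */
int file_offset_bits_kept(void)
{
    return OFFSET_BITS_KEPT;
}

/* Width of off_t in bits with the resulting feature macros in effect:
 * 64 on 64-bit hosts and on 32-bit hosts built with _FILE_OFFSET_BITS=64. */
int off_t_bits(void)
{
    return (int)(sizeof(off_t) * 8);
}

/* Width of time_t in bits; 64 on 64-bit hosts and on time64 32-bit builds
 * with a glibc that honours _TIME_BITS. */
int time_t_bits(void)
{
    return (int)(sizeof(time_t) * 8);
}

int main(void)
{
    printf("_FILE_OFFSET_BITS kept: %d\n", file_offset_bits_kept());
    printf("off_t: %d bits, time_t: %d bits\n", off_t_bits(), time_t_bits());
    return 0;
}
```

Compile with `cc example.c && ./a.out`. To see the failure the bug report describes, replace the guarded block with a bare `#undef _FILE_OFFSET_BITS`: with glibc 2.34 or later, which is where `_TIME_BITS` support arrived, the build stops at the `#error` quoted in the subject line, because the check in features-time64.h runs before the header looks at the word size.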


Processed: re: openjfx: FTBFS on arm{el, hf}: /usr/include/features-time64.h:26:5: error: #error "_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64"

2024-04-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> Tags 1068159 +patch
Bug #1068159 [src:openjfx] openjfx: FTBFS on arm{el,hf}: 
/usr/include/features-time64.h:26:5: error: #error "_TIME_BITS=64 is allowed 
only with _FILE_OFFSET_BITS=64"
Added tag(s) patch.
> Thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1068159: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068159
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



openrefine 3.7.8-1 MIGRATED to testing

2024-04-11 Thread Debian testing watch
FYI: The status of the openrefine source package
in Debian's testing distribution has changed.

  Previous version: (not in testing)
  Current version:  3.7.8-1

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.
