Bug#779112: marked as done (libjnr-constants-java, libconstantine-java: error when trying to install together)

2015-03-09 Thread Debian Bug Tracking System
Your message dated Mon, 9 Mar 2015 16:11:29 +
with message-id <1f3cfa9e-e967-484d-9f06-9822dfe6c...@hp.com>
and subject line 
has caused the Debian Bug report #779112,
regarding libjnr-constants-java, libconstantine-java: error when trying to install together
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
779112: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779112
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libjnr-constants-java,libconstantine-java
Severity: serious
User: trei...@debian.org
Usertags: edos-file-overwrite

Architecture: amd64
Distribution: sid + experimental

Hi,

automatic installation tests of packages that share a file and at the
same time do not conflict by their package dependency relationships have
detected the following problem:

  Selecting previously unselected package libconstantine-java.
  Preparing to unpack .../libconstantine-java_0.8.5-1_all.deb ...
  Unpacking libconstantine-java (0.8.5-1) ...
  dpkg: error processing archive /var/cache/apt/archives/libconstantine-java_0.8.5-1_all.deb (--unpack):
   trying to overwrite '/usr/share/java/jnr-constants.jar', which is also in package libjnr-constants-java 0.8.6-2
  dpkg-deb: error: subprocess paste was killed by signal (Broken pipe)
  Errors were encountered while processing:
   /var/cache/apt/archives/libconstantine-java_0.8.5-1_all.deb

This is a serious bug as it makes installation fail, and violates
sections 7.6.1 and 10.1 of the policy. An optimal solution would
consist in only one of the packages installing that file, and renaming
or removing the file in the other package. Depending on the
circumstances you might also consider Replace relations or file
diversions. If the conflicting situation cannot be resolved then, as a
last resort, the two packages have to declare a mutual
Conflict. Please take into account that Replaces, Conflicts and
diversions should only be used when packages provide different
implementations for the same functionality.

Here is a list of files that are known to be shared by both packages
(according to the Contents file for sid/amd64, which may be
slightly out of sync):

   usr/share/java/constantine.jar
   usr/share/java/jnr-constants.jar
   usr/share/java/libconstantine.jar
   usr/share/maven-repo/com/github/jnr/jnr-constants/debian/jnr-constants-debian.jar
   usr/share/maven-repo/com/github/jnr/jnr-constants/debian/jnr-constants-debian.pom

This bug is assigned to both packages. If you, the maintainers of
the two packages in question, have agreed on which of the packages will
resolve the problem please reassign the bug to that package. You may
also register in the BTS that the other package is affected by the bug.

Cheers,

Andreas

PS: for more information about the detection of file overwrite errors
of this kind see https://qa.debian.org/dose/file-overwrites.html


libjnr-constants-java=0.8.6-2_libconstantine-java=0.8.5-1.log.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Closed, this time for sure, by upload of jnr-constants 0.8.6-4.
--- End Message ---
__
This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.

maven_3.0.5-4_amd64.changes ACCEPTED into experimental

2015-03-09 Thread Debian FTP Masters


Accepted:

Format: 1.8
Date: Sun, 08 Mar 2015 19:25:12 -0300
Source: maven
Binary: maven
Architecture: source all
Version: 3.0.5-4
Distribution: experimental
Urgency: medium
Maintainer: Debian Java Maintainers
Changed-By: Miguel Landaeta
Description:
 maven  - Java software project management and comprehension tool
Changes:
 maven (3.0.5-4) experimental; urgency=medium
 .
   * Team upload.
   * Refresh patch plugins_version.diff:
 - Bump maven-compiler-plugin version to be used with Maven 3, from
   2.5.1 to 3.2.
 - Update maven-antrun-plugin and maven-dependency-plugin versions to
   match current Debian versions.


Thank you for your contribution to Debian.



Re: squeeze update of libspring-2.5-java?

2015-03-09 Thread Raphael Hertzog
Hello Emmanuel,

On Tue, 24 Feb 2015, Emmanuel Bourg wrote:
> CVE-2011-3923 seems to be a Struts vulnerability, why is it assigned to
> Spring?

I asked Salvatore Bonaccorso to review this since
he confirmed that assignation a while ago... he double checked and
it was a mistake (the CVE assignation has been fixed now).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


Bug#780102: libjbcrypt-java: CVE-2015-0886

2015-03-09 Thread Emmanuel Bourg
Thank you for the report Moritz.

According to the Bugzilla report the issue happens when BCrypt.gensalt()
is called with the value 31. jenkins is the only package using this
library and it calls this method with no parameter [1], the default
value being 10 [2].

So I don't think this issue is critical for Jessie.

Emmanuel Bourg

[1]
https://sources.debian.net/src/jenkins/1.565.3-3/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java/#L645
[2] https://sources.debian.net/src/libjbcrypt-java/0.3-4/BCrypt.java/#L66
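
Why a cost of 31 is the trigger and the default of 10 is not, as an added example that is not part of this thread or of jBCrypt's code: it assumes, following the public CVE description of an integer overflow in key stretching, that the round count 2^cost is held in a 32-bit int and used as a `<` loop bound. The class name, helper names and sample records are constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BcryptCostAudit {
    // Modular-crypt bcrypt string: "$2$"/"$2a$"/... prefix, two-digit cost, 53 chars of salt+hash.
    private static final Pattern BCRYPT =
        Pattern.compile("^\\$2[abxy]?\\$(\\d{2})\\$[./A-Za-z0-9]{53}$");

    // Round count in a 32-bit int: 1 << 31 wraps to Integer.MIN_VALUE.
    static int roundsAsInt(int logRounds) { return 1 << logRounds; }

    // Round count in 64 bits, which holds 2^31 without wrapping.
    static long roundsAsLong(int logRounds) { return 1L << logRounds; }

    // Number of passes a loop "for (i = 0; i < rounds; i++)" makes for an int bound.
    static long loopPasses(int rounds) { return Math.max(0L, (long) rounds); }

    // Cost of a stored hash, or -1 when the string is not a bcrypt hash.
    static int costOf(String stored) {
        Matcher m = BCRYPT.matcher(stored);
        return m.matches() ? Integer.parseInt(m.group(1)) : -1;
    }

    // Flags any cost whose int round count no longer equals the intended 2^cost.
    static String verdict(int cost) {
        if (cost < 0) return "skipped (not bcrypt)";
        if (loopPasses(roundsAsInt(cost)) != roundsAsLong(cost)) return "REHASH (round count overflows)";
        return "ok";
    }

    public static void main(String[] args) {
        for (int cost : new int[] {10, 30, 31}) {
            System.out.printf("cost=%d int=%d passes=%d intended=%d%n", cost,
                roundsAsInt(cost), loopPasses(roundsAsInt(cost)), roundsAsLong(cost));
        }
        // Constructed sample records; the 53-character tail is filler, not a real hash.
        String tail = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.";
        String[][] records = {
            {"alice", "$2a$10$" + tail},
            {"bob", "$2a$31$" + tail},
            {"carol", "not-a-bcrypt-hash"},
        };
        for (String[] r : records) {
            int cost = costOf(r[1]);
            System.out.println(r[0] + " cost=" + cost + " -> " + verdict(cost));
        }
    }
}
```

Run against a real credential store, the same cost check shows whether any existing hash was ever generated with the affected parameter, which is the question the severity assessment above turns on.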



Processing of maven_3.0.5-4_amd64.changes

2015-03-09 Thread Debian FTP Masters
maven_3.0.5-4_amd64.changes uploaded successfully to localhost
along with the files:
  maven_3.0.5-4.dsc
  maven_3.0.5-4.debian.tar.xz
  maven_3.0.5-4_all.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)



Bug#780102: libjbcrypt-java: CVE-2015-0886

2015-03-09 Thread Moritz Muehlenhoff
Package: libjbcrypt-java
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0886
http://www.mindrot.org/projects/jBCrypt/news/rel04.html
https://bugzilla.mindrot.org/show_bug.cgi?id=2097

Cheers,
 Moritz
