Bug#1024166: blist: dead upstream, no maintainer upload since 2015

On 15/11 14:51, Louis-Philippe Véronneau wrote: > I'm CC-ing Sebastien Delafond explicitly, as he seems to be the > maintainer of all the packages in the archive that depend or > build-depend on blist (python-raccoon, python-panwid, elastalert). > > In a perfect world, those packages should

Bug#988673: centreon-connectors: diff for NMU version 19.10.0-1.1

On 08/09 16:54, Adrian Bunk wrote: > I've prepared an NMU for centreon-connectors (versioned as > 19.10.0-1.1) and uploaded it to DELAYED/14. Please feel free to tell > me if I should cancel it. Hi Adrian, thanks a lot for taking of this, it's really appreciated. Cheers, -- Seb

Bug#983090: python-django: CVE-2021-23336

On 19/02 09:25, Chris Lamb wrote: > > Django is vulnerable because it embeds parse_qsl: > > > > https://www.djangoproject.com/weblog/2021/feb/19/security-releases/ > > Security team, let me know if you would like an update for stable. Hi Chris, we think this should rather go via s-p-u.

Bug#982493: openvswitch: CVE-2020-35498

On 12/02 16:07, Thomas Goirand wrote: > Please find the attached debdiff for the upload to security-master. Hi Thomas, this looks good, please upload to security-master. Cheers, -- Seb

Bug#980585: ruby-in-parallel: FTBFS: ERROR: Test "ruby2.7" failed: Failure/Error: expect(@result_3).to_not eq(true)

On 21/01 12:46, Utkarsh Gupta wrote: > I can create an issue in the original fork. However, just know that > this library is *not* being maintained at all. So there won't be much > help from anywhere. I'm not expecting upstream to fix it either, but it'd feel more comfortable to close this bug on

Bug#980585: ruby-in-parallel: FTBFS: ERROR: Test "ruby2.7" failed: Failure/Error: expect(@result_3).to_not eq(true)

On 21/01 12:31, Utkarsh Gupta wrote: > Aah, okay. So I ran sbuild + autopkgtest 10 times, all passed for me. > But when I ran these tests locally with rake, it failed for me exactly > like the report just for the first time. And then passed all 9 times > afterward. I haven't been able to

Bug#980585: ruby-in-parallel: FTBFS: ERROR: Test "ruby2.7" failed: Failure/Error: expect(@result_3).to_not eq(true)

Hi Utkarsh, since you took care of the last upload, do you also plan to fix this FTBFS? If not, please let me know and I'll look into it. Cheers, -- Seb

Bug#959180: tornado6

I plan on testing whether relaxing the constraint plus including 902ef59 is enough to get the current version of mitmproxy running with tornado6. If that doesn't work, I'll look into packaging 5.1.1. Cheers, -- Seb

Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596

On 15/06 10:49, Chris Lamb wrote: > > The full debdiffs are attached. Can you especially check the > > versioning scheme and distribution fields for me? I often get this > > wrong and end up confusing myself. Really appreciated. > > They are now attached. They look fine, please upload to

Bug#962323: python-django: CVE-2020-13254 CVE-2020-13596

On 06/06 10:15, Chris Lamb wrote: > > python-django: CVE-2020-13254 CVE-2020-13596 > > Security team, would you like an update for stretch and/or buster to > address these issues? It's fixed in sid, experimental as well as > jessie LTS. Bullseye is just pending migration time AFAICT. Hi Chris,

Bug#954614: 954614

block 954614 by 954572 thanks This is due to #954572: since ruby-method-source got bumped to 1.0.0, the requirements for ruby-pry-byebug are not satisfiable anymore. Since puppet-beaker depend on that, it also fails to run its tests. Ultimately the solution is to fix #955340. Cheers, -- Seb

Bug#948491: centengine crashes regulary

On 09/01 14:24, Pascal Vibet - ADACIS wrote: > I have an seg-fault in centengine process > [...] Hi Pascal, thanks for opening this; could you report it upstream at https://github.com/centreon/centreon-engine/issues/ ? Cheers, -- Seb

Bug#941530: jackson-databind: CVE-2019-16942 CVE-2019-16943

On 02/10 09:43, Salvatore Bonaccorso wrote: > Whilst I'm not yet sure if we should really release a futher DSA for > jackson-databind (we will come back to you on that), a possible idea > for bullseye (might be better cloned/filled as new bug, but want to > mention it here already): Let's do a

Bug#939626: Upstream

Upstream indicates that: We are working actively on that subject. So the next release of centreon-broker won't need qt4 nor qt5. Qt will be completely removed from it. We hope this change to be finish for the next release of Centreon. This is targetted for 19.10, to be released in

Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235

On 08/08 11:02, Chris Lamb wrote: > +python-django (1:1.10.7-2+deb9u5) stretch-security; urgency=high > [...] > +python-django (1:1.11.23-1~deb10u1) buster-security; urgency=high Thanks, these both look good; please upload to security-master. Cheers, -- Seb

Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235

On 06/08 10:20, Chris Lamb wrote: > Security team (added to CC), would you be interested in uploads for > buster (currently 1:1.11.22-1~deb10u1) and stretch (currently > 1:1.10.7-2+deb9u5)? Hi Chris, yes, thank you. Can you email us debdiffs ? I'll then take care of the review and DSAs. Cheers,

Bug#921725: libu2f-host: CVE-2018-20340

On Feb/09, Nicolas Braud-Santoni wrote: > Ah, I was bitten in the arse by #884428 again. > The upload to security-master should now be fine :) > > Sorry for accidentally duplicating your work, I didn't realise you had > prepared a backported fix for stable before the issue went public :) Thanks

Bug#921725: libu2f-host: CVE-2018-20340

On Feb/08, Nicolas Braud-Santoni wrote: > I backported the fix and prepared an upload. > The debdiff is attached, and the commands used to produced it are documented > below. > > May I proceed with an upload to security-master? It looks OK to me, so if it passes testing on your end please

Bug#921726: libu2f-host: CVE-2018-20340

Package: libu2f-host X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for libu2f-host. CVE-2018-20340[0]: Unchecked buffer in libu2f-host before 1.1.7 ... If you fix the vulnerability please also make sure to include the CVE

Bug#888903: [Pkg-javascript-devel] Bug#888903: 888903

On Jan/31, Jonas Smedegaard wrote: > The underlying issue is that the "js" in python-jsbeautifier stands > for JavaScript, and python-jsbeautifier fail to properly expose the > JavaScript part of the project as a shared library! > > The straightforward solution is for python-jsbeautifier to also

Bug#888903: 888903

To me the straightforward solution here is not dpkg-alternative, but what Ivo recommended, since it only involves modifying *one* package. Cheers, -- Seb

Bug#917200: Fixed

https://salsa.debian.org/qt-kde-team/qt/pyside2/merge_requests/2

Bug#917001: MR

Here is the corresponding MR: https://salsa.debian.org/python-team/modules/python-twilio/merge_requests/1 Cheers, -- Seb

Bug#915765: MR

Here is the corresponding MR: https://salsa.debian.org/python-team/modules/pystaticconfiguration/merge_requests/1 Cheers, -- Seb

Bug#915765: FTBFS with pytest 3.10

Control: forwarded -1 Control: tag -1 + upstream Let's wait a bit for upstream's take on this issue, that was triggered when pytest 3.10 entered unstable last month. If need be, we could disable TestConfigurationWatcher::* when building the python2 package. Cheers, -- Seb

Bug#893723: 1.9.10 closing 4 bugs

Hi fellows, I've got a 1.9.10 nagvis package ready in salsa[0], that fixes four of the currently open bugs including this one. I've also manually included 1:1.7.10+dfsg1-3.2, which wasn't present in the salsa repository. Would you like an actual MR ? I'm also attaching a debdiff of debian/* to

Bug#893723: 893723

Control: tag -1 + upstream Control: forwarded -1 https://github.com/NagVis/nagvis/issues/79 This has apparently been closed in "recent releases", although upstream doesn't mention when that happened exactly. Scouring through git log, it appears to be in this commit: commit

Bug#910228: NMU

Hi, I just uploaded ruby-gitlab 4.5.0-2 to DELAYED/10. Don't hesitate to cancel or reschedule it if you need to. Cheers, --Seb

Bug#910228: Renaming to /usr/bin/ruby-gitlab

https://salsa.debian.org/ruby-team/ruby-gitlab/merge_requests/1

Bug#912106: test_auth_aws_region

The test_auth_aws_region test tries to make an actual HTTP request, it should be disabled in debian/rules. Cheers, -- Seb

Bug#910228: /usr/bin/ruby-gitlab

I'm OK with ruby-gitlab shipping /usr/bin/ruby-gitlab and /usr/share/man/man1/ruby-gitlab.1.gz, so unless someone disagrees I will do that this week. Cheers, -- Seb

Bug#906976: mitmproxy: FTBFS in buster/sid

Control: retitle -1 FTBFS in buster Control: tags -1 - sid + buster thanks In sid it builds fine during the 1st run, as shown here: https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/mitmproxy.html The 2nd reproducible run fails because of the "date in the future" thing:

Bug#876400: php-horde-image 2.3.6-1+deb9u1 (CVE-2017-9773, CVE-2017-9774 & CVE-2017-14650)

On Jun/23, Chris Lamb wrote: > I've prepared an upload to fix the following: > > php-horde-image (2.3.6-1+deb9u1) stretch-security; urgency=high > > * CVE-2017-9773: [...] > > * CVE-2017-9774: [...] > > * CVE-2017-14650: [...] > > The full debdiff is attached. Please let me know if

Bug#903325: delayed/10

Hi, I have just uploaded blinker 1.4+dfsg1-0.2, fixing this FTBFS, to DELAYED/10. Don't hesitate to cancel or reschedule it if you need to. Cheers, --Seb

Bug#894423: mlbviewer: No longer works starting in 2018

On Jun/25, Andreas Beckmann wrote: > On Fri, 30 Mar 2018 08:41:38 +0200 Sebastien Delafond > wrote: > > mlbviewer no longer works, starting in 2018[0]. A new implementation > > is in the works[1], with corresponding instructions[2]. It will be > > packaged later, but in the meantime I've filed

Bug#893668: adminer: CVE-2018-7667

On Mar/22, Chris Lamb wrote: > > Can I get an ACK from you to upload those to *-security? > > Gentle ping on this? :) Salvatore is mostly away till the end of the week, but he marked those no-dsa on the 21st, so I guess that would go toward s-p-u instead. Cheers, --Seb

Bug#888316: jackson-databind: CVE-2018-5968

On Jan/27, Markus Koschany wrote: > I have prepared security updates of jackson-databind for Stretch and > Jessie and would appreciate another look at the patches. > > The fix for CVE-2018-5968 is straightforward. The blacklist is simply > extended. > > However upstream decided to refactor the

Bug#886433: #886433

Control: tag -1 confirmed pending The testing/ directory is new in recent in org-mode releases, and I missed it when repacking org-mode-doc. I'll fix correct this with the next upstream release. Cheers, --Seb

Bug#882808: construct: construct 2.8 is not compatible with 2.5.

Hi Jonathan, I have just uploaded construct/2.8.16-0.2, closing #882808, to DELAYED/10. Don't hesitate to cancel or reschedule it if you need to. Cheers, --Seb

Bug#882808: construct: construct 2.8 is not compatible with 2.5.

On Nov/26, Hilko Bengen wrote: > The plaso and dfvfs packages are maintained by me and are affected by > the API breakage. > [...] > I think I am going to package construct-legacy, based upon > . This makes the most sense: I don't think it's

Bug#879718: aptly: Aptly can't handle deb packages built using dpkg 1.19.0+

On Nov/13, Boyuan Yang wrote: > Pushing changes only into backports repository might not be enough > since the backports repository is not enabled by default. Users of > Debian Stable will still encounter this bug with default installation. > > Could you please consider pushing the changes into

Bug#879718: aptly: Aptly can't handle deb packages built using dpkg 1.19.0+

On Nov/11, Boyuan Yang wrote: > However, aptly in Stretch and Jessie are still left unfixed. Will you > backport the patch and provide stable updates later? It's already in stretch-backports, but I don't plan on doing jessie-backports. Cheers, --Seb

Bug#879718: aptly: Aptly can't handle deb packages built using dpkg 1.19.0+

On Nov/02, Boyuan Yang wrote: > Control: severity -1 grave > Control: tags -1 + fixed-upstream > > Upstream now has a fix in trunk code. Just cherry-picked the fix and > confirmed that everything works well. I'm looking forward to seeing a > fixed version into Debian testing/unstable and

Bug#873088: git-annex security issue backports

On Oct/26, Antoine Beaupré wrote: > Right, how does that look then? > > https://gitlab.com/anarcat/git-annex/commit/b21ccd25ecd4cad0efcc8f4f0c94ad99ce32cd04 Nah, +deb8u1 ;) > Then I can just upload this to security-master? Yep. Cheers, --Seb

Bug#873088: git-annex security issue backports

On Oct/26, Antoine Beaupré wrote: > I have also backported joey's patch to jessie. It was simpler than > wheezy because the code is much more similar. The resulting patch is > available here: > > https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265 > > As

Bug#872078: confirmed

Control: tag -1 confirmed Indeed, the new libconfuse in sid (3.2+dfsg-1) causes i3status to first generate this statement: internal error in cfg_init_defaults(order) After that, it will fail to parse whatever follows, for instance: * no such option 'general' Downgrading libconfuse* to

Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

On Aug/12, Thorsten Glaser wrote: > I’m attaching one for stretch, and if it pleases you, I’ll do them in > the same vain for jessie and wheezy and upload them. (As I said, they > will all look identical, the code has not changed in quite a while… > the file in question did not change *at all*,

Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

On Aug/11, Thorsten Glaser wrote: > For {,{,old}old}stable-security, this should suffice: > [...] Would you be able to produce debdiffs for jessie and stretch, so we can review them and give you the go-ahead to upload to security-master ? Cheers, --Seb

Bug#867421: python3-certifi: missing python3 dependency

Ah, thanks a lot, I'll fix it tomorrow ! Cheers, --Seb On Jul/06, Adrian Bunk wrote: > Package: python3-certifi > Version: 2016.2.28-1 > Severity: serious > Tags: patch > > Due to a cut'n'paste error the python3 dependency is missing. > > Fix: > > --- debian/control.old2017-07-06

Bug#867278: mitmproxy: DistributionNotFound: The 'typing==3.5.2.2' distribution was not found and is required by mitmproxy

I'm in the process of packaging the latest mitmproxy and its dependencies, and this unfortunately can't quite be done atomically. In the meantime, the failing/missing dependencies in sid can be gotten from jessie; I know it's a sub-par solution, but at this point there isn't much else I can do.

Bug#867250: 867250

I'm in the process of packaging the latest mitmproxy and its dependencies, and this unfortunately can't quite be done atomically. In the meantime, the missing dependencies in sid can be gotten from jessie; I know it's a sub-par solution, but at this point there isn't much else I can do. Cheers,

Bug#857343: #857343: logback deserialization vulnerability

On Mar/28, Markus Koschany wrote: > apparently logback < 1.2.0 is vulnerable to a deserialization issue. > They announced it on February 8th 2017 but it appears no CVE has been > assigned yet. [1] Fixing commit is at [2] The bug reporter claims it is > the same issue as CVE-2015-6420 but I cannot

Bug#856117: tnef update in unstable

Hi Kevin, those 4 security issues were fixed via DSA-3798-1 in jessie-security, by backporting the appropriate upstream changes (thanks to Thorsten for doing that). I've verified 1.4.13 only contains those security fixes, and no new major evolution or feature, so could you please prepare and

Bug#855142: security bug closed without fix

On Feb/16, Henri Salo wrote: > Shouldn't this be closed AFTER the fix is available? Especially since this is > a > security issue. Yes. Bastien, can you please reopen this ? Cheers, --Seb

Bug#853082: dfvfs

Hello, I think this should be tracked as an upstream wishlist bug in dfvfs, so it supports construct >= 2.8.8. Do you want to file that upstream ? As for the freeze, I definitely agree python-construct 2.8.8 shouldn't enter stretch. Cheers, --Seb

Bug#851927: 851927

I see the same problem, even with -enable-rmeote-extensions (which seems to be about *installing* remote extensions, not enabling already-installed ones). However, my local extensions are still present (see ~/.config/chromium/Default/Extensions/*), and downgading to the version in stretch

Bug#849849: CVE-2016-9877 / #849849 fix for Jessie

On Jan/11, Thomas Goirand wrote: > Debdiff is attached (and also available from there). Please allow me > to upload. Thanks for your contribution, please upload. Cheers, --Seb

Bug#849531: Possible security problem, new logwatch sends mails with charset UTF-8

On Dec/31, Willi Mann wrote: > I would like to get your input on bug #849531 [1]. > [...] > So my question is: Is it a security issue if a script sends e-mails > with encoding=utf-8, but potentially containing invalid utf-8 strings? > If yes, what would be the (minimum) requirements to address

Bug#831857: Security update for libupnp (CVE-2016-6255, CVE-2016-8863)

On Dec/13, Uwe Kleine-König wrote: > I had the impression that the 2nd might be bad, too. There is no > public exploit available, but AFAIK writing to unallocated memory is > dangerous? Yes, it is, you're right. But the first one is such an obvious flaw, that it doesn't require any sort of

Bug#831857: Security update for libupnp (CVE-2016-6255, CVE-2016-8863)

On Dec/13, Uwe Kleine-König wrote: > Do you consider CVE-2016-6255 and CVE-2016-8863 bad enough to make a > security update for it? If so, I suggest the following debdiff. Yes, the first one is bad, so let's fix both via a DSA. Could you please provide a debdiff with

Bug#843687: mitmproxy: FTBFS: AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

On Nov/09, Chris Lamb wrote: > > mitmproxy builds fine in an up-to-date sid amd64 chroot here. How can I > > reproduce your problem ? > > How up-to-date? :) I've just updated mine (again) and it fails with the same > error. tag 843687 + confirmed You're right, I just tried it this morning, and

Bug#835725: #835725

python-netlib is now part of the mitmproxy source, and will disappear from unstable once a newer mitmproxy is packaged and uploaded. Cheers, --Seb

Bug#832908:

FWIW, the vendor has closed https://jira.mongodb.org/browse/SERVER-25335 with "Works as Designed". If someone wants to follow up on explaining to mongodb upstream why umask shouldn't prevent them from applying proper permissions where needed, they're welcome to do so. ssh-keygen(1) would be a

Bug#801413: wheezy: update for polarssl's CVE-2015-5291

On Feb/06, Guido Günther wrote: > > A few things on the debdiff you just posted: > > - The attachment came though in ISO-8859-1 instead of UTF-8 and > >   lintian didn't like it. Hopefully the file is ok on your machine > >   though. > > - I think the ssl-server-test needs an 'isolation-container'

Bug#801413: wheezy: update for polarssl's CVE-2015-5291

On Feb/06, Guido Günther wrote: > Attached. I've trimmed the CC: list a little to reduce the noise. Feel > free to readd lists as you see fit. All good, please upload. Cheers, --Seb

Bug#801413: wheezy: update for polarssl's CVE-2015-5291

On Jan/31, Guido Günther wrote: > Uploaded now. Thanks! Hi Guido, have you looked into fixing the jessie version (1.3.9-2.1) as well ? If not, I'll need to look into it later this week, so that a DSA for CVE-2015-5291 fixes both wheezy and jessie. Cheers, --Seb

Bug#801413: wheezy: update for polarssl's CVE-2015-5291

On Jan/29, Sébastien Delafond wrote: > thanks for the debdiff. It looks OK, so feel free to upload it. Once > that's done, I'll release the DSA. Hi Guido, are you still willing to upload polarssl to security-master ? :) Cheers, --Seb

Bug#801413: wheezy: update for polarssl's CVE-2015-5291

Hi Guido, thanks for the debdiff. It looks OK, so feel free to upload it. Once that's done, I'll release the DSA. Cheers, --Seb On Jan/23, Guido Günther wrote: > Hi, > I've forward ported Thorsten's fix fow squeeze to wheezy and added some > autopkgtest (debdiff attached). Please find the

Bug#796108: [PKG-Openstack-devel] Bug#796108: CVE-2015-5694 CVE-2015-5695

On Aug/21, Thomas Goirand wrote: Should I prepare a security upload for Jessie, or do it through the release team oversight? Hi Thomas, CVE-2015-5695 is not that severe, so this should go through a PU request. I'll mark the issue as no-dsa in the tracker. Cheers, --Seb

Bug#787100: [Pkg-javascript-devel] Bug#787100: libjs-jquery-ui: Security patch CVE-2010-5312 breaks ui dialog

Thanks for the report. It will be fixed this week. Cheers, --Seb On May/28, Antonino Murador wrote: Package: libjs-jquery-ui Version: 1.8.ooops.21+dfsg-2+deb7u1 Severity: grave Tags: patch Dear Maintainer, After upgrading from version 1.8.ooops.21+dfsg-2 to

Bug#784303: mitmproxy: missing dependencies on python-configargparse, python-tornado = 4.0.2, python-netlib = 0.11.2

tag 784303 + confirmed block 784303 779035 thanks Ouch. I've ITP'ed python-configargparse, and will follow up on the python-tornado front. In the meantime, the version in testing is the best fallback option. Cheers, --Seb On May/04, Vagrant Cascadian wrote: Package: mitmproxy Version:

Bug#758086: CVE-2014-3577: Apache HttpComponents hostname verification bypass

On Apr/15, Markus Koschany wrote: I have prepared a patch for CVE-2014-3577 (commons-httpclient). [1] The patch is identical to the Jessie / Sid fix. Do you consider this vulnerability important enough for a DSA or do you prefer a point release update? Hi Markus, this issue was marked no-dsa

Bug#770133: 770133

The github version (7c37de0) works fine here with python-gflags 1.5.1-2. Extra packages I had to install: python-gflags:all 1.5.1-2 python-httplib2:all 0.9+dfsg-2 python-tz:all 2012c+dfsg-0.1 python-google-apputils:all 0.4.1-1 python-uritemplate:all 0.6-1 python-oauth2client:all 1.2-3

Bug#734821: 734821

notfixed 734821 1.4.7-1 thanks This bug was actually never in Debian, since it was introduced in 1.4.5 and closed in 1.4.7. If anyone is interested in verifying this, the following code can be run against the JARs present at http://repo.maven.apache.org/maven2/com/thoughtworks/xstream/xstream/:

Bug#722658: ruby-god: god depends on ruby-god but ruby-god breaks god

On Sep/13, Jeremy Bicha wrote: Package: ruby-god Version: 1.6.2-1 Severity: serious User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu saucy ruby-god should break/replace god ( 0.13.2-3). Without the versioning, god is uninstallable. Indeed, god has been removed from the

Bug#717259: 717259

Hi, paros is to be removed from the archive shortly; see: http://bugs.debian.org/717045 Cheers, --Seb -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#639436: package no longer installable

See ROM at http://bugs.debian.org/641117 Cheers, --Seb -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#602803: Compilation failed with xemacs21

Hi Julien, could you please provide the corresponding /tmp/elc_d95S5l.log that describes what happened in details ? Thanks for your time, cheers, --Seb On Nov/08, Julien Danjou wrote: Package: org-mode Version: 7.3-1 Severity: serious Setting up org-mode (7.3-1) ... install/org-mode: