Bug#835108: lepton: probably using its own "md5.h" but calling system library functions

[Edmund Grimley Evans]

It seems to me likely that both #835108 and #853479 are caused by the
thing I mentioned at 2.1 in #863446: the program uses the "md5.h"
included in the package's source, but calls the system library
functions, which use a different MD5_CTX.

Processed: user release.debian....@packages.debian.org, usertagging 851545, tagging 851545

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> user release.debian@packages.debian.org
Setting user to release.debian@packages.debian.org (was ni...@thykier.net).
> usertags 851545 stretch-can-defer
There were no usertags set.
Usertags are now: stretch-can-defer.
> tags 851545 + stretch-ignore
Bug #851545 [libpam-modules] libpam-modules: multiarch packages with differing 
files
Added tag(s) stretch-ignore.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
851545: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851545
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863416: jackeq: segmentation fault

[Chris Lamb]

tags 863416 + pending patch
thanks

I've uploaded jackeq 0.5.9-2.1 to DELAYED/5:
  
  jackeq (0.5.9-2.1) unstable; urgency=medium
  
* Non-maintainer upload.
* Fix segmentation fault caused by passing a truncated pointer instead of a
  GtkType. (Closes: #863416)

The full debdiff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diffstat for jackeq-0.5.9 jackeq-0.5.9

 changelog   |8 
 patches/04-gtkmeter-truncated-pointer.patch |   26 ++
 patches/series  |1 +
 3 files changed, 35 insertions(+)

diff -Nru jackeq-0.5.9/debian/changelog jackeq-0.5.9/debian/changelog
--- jackeq-0.5.9/debian/changelog   2011-02-09 11:33:40.0 +
+++ jackeq-0.5.9/debian/changelog   2017-05-27 09:41:06.0 +0100
@@ -1,3 +1,11 @@
+jackeq (0.5.9-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix segmentation fault caused by passing a truncated pointer instead of a
+GtkType. (Closes: #863416)
+
+ -- Chris Lamb   Sat, 27 May 2017 09:41:06 +0100
+
 jackeq (0.5.9-2) unstable; urgency=low
 
   * Upload to unstable.
diff -Nru jackeq-0.5.9/debian/patches/04-gtkmeter-truncated-pointer.patch 
jackeq-0.5.9/debian/patches/04-gtkmeter-truncated-pointer.patch
--- jackeq-0.5.9/debian/patches/04-gtkmeter-truncated-pointer.patch 
1970-01-01 01:00:00.0 +0100
+++ jackeq-0.5.9/debian/patches/04-gtkmeter-truncated-pointer.patch 
2017-05-27 09:41:06.0 +0100
@@ -0,0 +1,26 @@
+--- jackeq-0.5.9.orig/src/gtkmeter.c
 jackeq-0.5.9/src/gtkmeter.c
+@@ -54,10 +54,10 @@ static float iec_scale(float db);
+ 
+ static GtkWidgetClass *parent_class = NULL;
+ 
+-guint
++GtkType
+ gtk_meter_get_type ()
+ {
+-  static guint meter_type = 0;
++  static GtkType meter_type = 0;
+ 
+   if (!meter_type)
+ {
+--- jackeq-0.5.9.orig/src/gtkmeter.h
 jackeq-0.5.9/src/gtkmeter.h
+@@ -104,7 +104,7 @@ GtkWidget* gtk_meter_new
+gfloat min,
+gfloat max);
+ 
+-guint  gtk_meter_get_type   (void);
++GtkTypegtk_meter_get_type   (void);
+ GtkAdjustment* gtk_meter_get_adjustment (GtkMeter *meter);
+ 
+ void   gtk_meter_set_adjustment (GtkMeter *meter,
diff -Nru jackeq-0.5.9/debian/patches/series jackeq-0.5.9/debian/patches/series
--- jackeq-0.5.9/debian/patches/series  2010-11-25 15:46:51.0 +
+++ jackeq-0.5.9/debian/patches/series  2017-05-27 09:41:06.0 +0100
@@ -1,3 +1,4 @@
 01-binutils_gold.patch
 02-l10n.patch
 03-pathmax.patch
+04-gtkmeter-truncated-pointer.patch

Bug#863420: timemachine: segfaults on startup

[Chris Lamb]

tags 863420 + pending patch
thanks

I've uploaded timemachine 0.3.3-2.1 to DELAYED/5:
  
  timemachine (0.3.3-2.1) unstable; urgency=medium
  
* Non-maintainer upload.
* Fix segmentation fault caused by passing a truncated pointer instead of a
  GtkType. (Closes: #863420)

The full debdiff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diffstat for timemachine-0.3.3 timemachine-0.3.3

 changelog |8 
 patches/0002-gtkmeter-truncated-pointer.patch |   26 ++
 patches/series|1 +
 3 files changed, 35 insertions(+)

diff -Nru timemachine-0.3.3/debian/changelog timemachine-0.3.3/debian/changelog
--- timemachine-0.3.3/debian/changelog  2013-10-06 14:13:24.0 +0100
+++ timemachine-0.3.3/debian/changelog  2017-05-27 09:41:19.0 +0100
@@ -1,3 +1,11 @@
+timemachine (0.3.3-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix segmentation fault caused by passing a truncated pointer instead of a
+GtkType. (Closes: #863420)
+
+ -- Chris Lamb   Sat, 27 May 2017 09:41:19 +0100
+
 timemachine (0.3.3-2) unstable; urgency=low
 
   * Team upload.
diff -Nru 
timemachine-0.3.3/debian/patches/0002-gtkmeter-truncated-pointer.patch 
timemachine-0.3.3/debian/patches/0002-gtkmeter-truncated-pointer.patch
--- timemachine-0.3.3/debian/patches/0002-gtkmeter-truncated-pointer.patch  
1970-01-01 01:00:00.0 +0100
+++ timemachine-0.3.3/debian/patches/0002-gtkmeter-truncated-pointer.patch  
2017-05-27 09:41:19.0 +0100
@@ -0,0 +1,26 @@
+--- timemachine-0.3.3.orig/src/gtkmeter.c
 timemachine-0.3.3/src/gtkmeter.c
+@@ -48,10 +48,10 @@ static float iec_scale(float db);
+ 
+ static GtkWidgetClass *parent_class = NULL;
+ 
+-guint
++GtkType
+ gtk_meter_get_type ()
+ {
+-  static guint meter_type = 0;
++  static GtkType meter_type = 0;
+ 
+   if (!meter_type)
+ {
+--- timemachine-0.3.3.orig/src/gtkmeter.h
 timemachine-0.3.3/src/gtkmeter.h
+@@ -87,7 +87,7 @@ struct _GtkMeterClass
+ GtkWidget* gtk_meter_new(GtkAdjustment *adjustment,
+gint direction);
+ 
+-guint  gtk_meter_get_type   (void);
++GtkTypegtk_meter_get_type   (void);
+ GtkAdjustment* gtk_meter_get_adjustment (GtkMeter *meter);
+ 
+ void   gtk_meter_set_adjustment (GtkMeter *meter,
diff -Nru timemachine-0.3.3/debian/patches/series 
timemachine-0.3.3/debian/patches/series
--- timemachine-0.3.3/debian/patches/series 2013-10-06 14:09:12.0 
+0100
+++ timemachine-0.3.3/debian/patches/series 2017-05-27 09:41:19.0 
+0100
@@ -1 +1,2 @@
 0001-ldflags.patch
+0002-gtkmeter-truncated-pointer.patch

Processed: Re: jackeq: segmentation fault

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 863416 + pending patch
Bug #863416 [jackeq] jackeq: segmentation fault
Added tag(s) patch and pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863416: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863416
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863421: kluppe: segfaults when pressing 'new looper'

[Chris Lamb]

tags 863421 + pending patch
thanks

I've uploaded kluppe 0.6.20-1.1 to DELAYED/5:
  
  kluppe (0.6.20-1.1) unstable; urgency=medium
  
* Non-maintainer upload.
* Fix segmentation fauled caused by passing a truncated pointer instead of a
  GtkType. (Closes: #863421)

The full debdiff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diffstat for kluppe-0.6.20 kluppe-0.6.20

 changelog  |8 
 patches/90_gtkmeter_truncated_pointer.diff |   26 ++
 patches/series |1 +
 3 files changed, 35 insertions(+)

diff -Nru kluppe-0.6.20/debian/changelog kluppe-0.6.20/debian/changelog
--- kluppe-0.6.20/debian/changelog  2016-11-25 16:19:10.0 +
+++ kluppe-0.6.20/debian/changelog  2017-05-27 09:41:28.0 +0100
@@ -1,3 +1,11 @@
+kluppe (0.6.20-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix segmentation fauled caused by passing a truncated pointer instead of a
+GtkType. (Closes: #863421)
+
+ -- Chris Lamb   Sat, 27 May 2017 09:41:28 +0100
+
 kluppe (0.6.20-1) unstable; urgency=medium
 
   * Imported Upstream version 0.6.20 (closes: #749205)
diff -Nru kluppe-0.6.20/debian/patches/90_gtkmeter_truncated_pointer.diff 
kluppe-0.6.20/debian/patches/90_gtkmeter_truncated_pointer.diff
--- kluppe-0.6.20/debian/patches/90_gtkmeter_truncated_pointer.diff 
1970-01-01 01:00:00.0 +0100
+++ kluppe-0.6.20/debian/patches/90_gtkmeter_truncated_pointer.diff 
2017-05-27 09:41:28.0 +0100
@@ -0,0 +1,26 @@
+--- kluppe-0.6.20.orig/src/frontend/kluppe/gtkmeter.c
 kluppe-0.6.20/src/frontend/kluppe/gtkmeter.c
+@@ -48,10 +48,10 @@ static float iec_scale(float db);
+ 
+ static GtkWidgetClass *parent_class = NULL;
+ 
+-guint
++GtkType
+ gtk_meter_get_type ()
+ {
+-  static guint meter_type = 0;
++  static GtkType meter_type = 0;
+ 
+   if (!meter_type)
+ {
+--- kluppe-0.6.20.orig/src/frontend/kluppe/gtkmeter.h
 kluppe-0.6.20/src/frontend/kluppe/gtkmeter.h
+@@ -87,7 +87,7 @@ struct _GtkMeterClass
+ GtkWidget* gtk_meter_new(GtkAdjustment *adjustment,
+gint direction);
+ 
+-guint  gtk_meter_get_type   (void);
++GtkTypegtk_meter_get_type   (void);
+ GtkAdjustment* gtk_meter_get_adjustment (GtkMeter *meter);
+ 
+ void   gtk_meter_set_adjustment (GtkMeter *meter,
diff -Nru kluppe-0.6.20/debian/patches/series 
kluppe-0.6.20/debian/patches/series
--- kluppe-0.6.20/debian/patches/series 2016-11-25 16:19:10.0 +
+++ kluppe-0.6.20/debian/patches/series 2017-05-27 09:41:28.0 +0100
@@ -4,3 +4,4 @@
 #50_g_mutex.diff
 70_cflags.diff
 80_manpage_email.diff
+90_gtkmeter_truncated_pointer.diff

Processed: Re: timemachine: segfaults on startup

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 863420 + pending patch
Bug #863420 [timemachine] timemachine: segfaults on startup
Added tag(s) patch and pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863420: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863420
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: kluppe: segfaults when pressing 'new looper'

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 863421 + pending patch
Bug #863421 [kluppe] kluppe: segfaults when pressing 'new looper'
Added tag(s) pending and patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863421: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863421
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#859307: marked as done (cracklib-runtime: Please migrate to a -noawait trigger)

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 10:04:18 +
with message-id 
and subject line Bug#854554: fixed in cracklib2 2.9.2-5
has caused the Debian Bug report #854554,
regarding cracklib-runtime: Please migrate to a -noawait trigger
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
854554: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854554
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cracklib-runtime
Version: 2.9.2-3
Severity: important

Hi,

cracklib-runtime correctly use "interest" triggers, which is the same
as an "interest-await" trigger. 

Please consider migrating to an "interest-noawait" trigger:

 * It is more future proof as it cannot cause trigger-cycles
   - Somewhat realated: #854554.  I have not confirmed that to be
 caused by cracklib-runtime's trigger (hench this being non-RC
 at the moment).

 * It has better performance (dpkg is free to defer calling the
   trigger until later, so it may cause fewer calls to
   cracklib-runtime's postinst script)

 * cracklib's usage has no strict requirements on when dpkg should
   trigger it as the trigger is basically refreshing a cache (of
   sorts).

Thanks,
~Niels
--- End Message ---
--- Begin Message ---
Source: cracklib2
Source-Version: 2.9.2-5

We believe that the bug you reported is fixed in the latest version of
cracklib2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 854...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Dittberner  (supplier of updated cracklib2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 27 May 2017 11:41:18 +0200
Source: cracklib2
Binary: libcrack2 libcrack2-udeb libcrack2-dev cracklib-runtime python-cracklib 
python3-cracklib
Architecture: source amd64
Version: 2.9.2-5
Distribution: unstable
Urgency: medium
Maintainer: Jan Dittberner 
Changed-By: Jan Dittberner 
Description:
 cracklib-runtime - runtime support for password checker library cracklib2
 libcrack2  - pro-active password checker library
 libcrack2-dev - pro-active password checker library - development files
 libcrack2-udeb - pro-active password checker library (udeb)
 python-cracklib - Python bindings for password checker library cracklib2
 python3-cracklib - Python3 bindings for password checker library cracklib2
Closes: 854554
Changes:
 cracklib2 (2.9.2-5) unstable; urgency=medium
 .
   * Add Breaks: cracklib-runtime (<< 2.9.2-4) to libcrack2 to configure
 cracklib-runtime in the correct order (Closes: #854554)
Checksums-Sha1:
 f083918d63df98413e01a3701fbe932fd368760a 2174 cracklib2_2.9.2-5.dsc
 53bbf8e3bbd29098648619f9ded8de9014c3d1d9 26224 cracklib2_2.9.2-5.debian.tar.xz
 f05b48f90e38f851b4f908c7a6ccf5bd32a0ad2c 10642 
cracklib-runtime-dbgsym_2.9.2-5_amd64.deb
 ec0e06f4bf15b308c30e26e604ffef5ea61f71cb 148732 
cracklib-runtime_2.9.2-5_amd64.deb
 fe3c0ae66afc292e54d4e00370caf14378db8fc1 11725 
cracklib2_2.9.2-5_amd64.buildinfo
 0f591d4719f319875d5892882ca6f3b27e5b9b51 21572 
libcrack2-dbgsym_2.9.2-5_amd64.deb
 856582c77e72f514db5e77d77d58cb7caa1dd1be 31948 libcrack2-dev_2.9.2-5_amd64.deb
 98b2eeffe19a82f31b7d078555e7717809df609b 120096 
libcrack2-udeb_2.9.2-5_amd64.udeb
 2766313b55e7968fa23b998b4fe07be57231936f 54802 libcrack2_2.9.2-5_amd64.deb
 e8f5ec2a56da1860ebd81f107f4cae8b799f75ed 13114 
python-cracklib-dbgsym_2.9.2-5_amd64.deb
 d487e538e31bd90df5c1da6c2a06abbfe522fe03 23206 
python-cracklib_2.9.2-5_amd64.deb
 b9399a0ed11236dc8c775c4b2268de87b0814659 14076 
python3-cracklib-dbgsym_2.9.2-5_amd64.deb
 a75238b3d313c2b8618ee5f86ed5a223f22a9cb4 23258 
python3-cracklib_2.9.2-5_amd64.deb
Checksums-Sha256:
 15ae2af08b2adc3c496d0a76678bd1ad53dcb992737bda4ac774e2482e49db9e 2174 
cracklib2_2.9.2-5.dsc
 bc6d25f1adb3c9c259e46b9205b0c2a7f992d7220436a40dc2c0e55f27576a70 26224 
cracklib2_2.9.2-5.debian.tar.xz
 69c943dbf9ed25a51fe6c97e90bc8d1ef401279adec8a55d2dd6503be8a690a1 10642 
cracklib-runtime-dbgsym_2.9.2-5_amd64.deb
 eb20908878615ea61710ac3ec8714c660ba11ad31e99c3b50c2292d55f99e95b 148732 
cracklib-runtime_2.9.2-5_amd64.deb
 12a62269517917206ebee43a27aff698e3ed56e9db1d4ed3205dd1d47cb1c48f 11725 
cracklib2_2.9.2-5

Bug#854554: marked as done (dpkg: trigger problem with cracklib-runtime while upgrading libcrypt-cracklib-perl from jessie to stretch)

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 10:04:18 +
with message-id 
and subject line Bug#854554: fixed in cracklib2 2.9.2-5
has caused the Debian Bug report #854554,
regarding dpkg: trigger problem with cracklib-runtime while upgrading 
libcrypt-cracklib-perl from jessie to stretch
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
854554: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854554
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dpkg
Version: 1.18.18
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
Control: affects -1 + libcrypt-cracklib-perl

Hi,

I just noticed this trigger related problem during a piuparts upgrade
test of libcrypt-cracklib-perl from jessie to stretch. I can reproduce
it on both amd64 and i386, but it requires --install-recommends to show
up. If you need more debug info, I can now easily rerun the failed tests
and enter the chroot after the failure to collect more info.

>From the attached log (scroll to the bottom...):

[...]
  Preparing to unpack .../archives/bash_4.4-4_i386.deb ...
  Unpacking bash (4.4-4) over (4.3-11+deb8u1) ...
  dpkg: dependency problems prevent processing triggers for cracklib-runtime:
   cracklib-runtime depends on libcrack2 (>= 2.9.2-1); however:
Package libcrack2:i386 is not configured yet.
  
  dpkg: error processing package cracklib-runtime (--configure):
   dependency problems - leaving triggers unprocessed
  dpkg: dependency problems prevent processing triggers for cracklib-runtime:
   cracklib-runtime depends on libcrack2 (>= 2.9.2-1); however:
Package libcrack2:i386 is not configured yet.
  
  dpkg: error processing package cracklib-runtime (--configure):
   dependency problems - leaving triggers unprocessed
  dpkg: dependency problems prevent processing triggers for cracklib-runtime:
   cracklib-runtime depends on libcrack2 (>= 2.9.2-1); however:
Package libcrack2:i386 is not configured yet.
  
  dpkg: error processing package cracklib-runtime (--configure):
   dependency problems - leaving triggers unprocessed
  dpkg: dependency problems prevent processing triggers for cracklib-runtime:
   cracklib-runtime depends on libcrack2 (>= 2.9.2-1); however:
Package libcrack2:i386 is not configured yet.
  
  dpkg: error processing package cracklib-runtime (--configure):
   dependency problems - leaving triggers unprocessed
  dpkg: dependency problems prevent processing triggers for cracklib-runtime:
   cracklib-runtime depends on libcrack2 (>= 2.9.2-1); however:
Package libcrack2:i386 is not configured yet.
  
  dpkg: error processing package cracklib-runtime (--configure):
   dependency problems - leaving triggers unprocessed
  dpkg: dependency problems prevent processing triggers for cracklib-runtime:
   cracklib-runtime depends on libcrack2 (>= 2.9.2-1); however:
Package libcrack2:i386 is not configured yet.
  
  dpkg: error processing package cracklib-runtime (--configure):
   dependency problems - leaving triggers unprocessed
  dpkg: dependency problems prevent processing triggers for cracklib-runtime:
   cracklib-runtime depends on libcrack2 (>= 2.9.2-1); however:
Package libcrack2:i386 is not configured yet.
  
  dpkg: error processing package cracklib-runtime (--configure):
   dependency problems - leaving triggers unprocessed
  dpkg: dependency problems prevent processing triggers for cracklib-runtime:
   cracklib-runtime depends on libcrack2 (>= 2.9.2-1); however:
Package libcrack2:i386 is not configured yet.
  
  dpkg: error processing package cracklib-runtime (--configure):
   dependency problems - leaving triggers unprocessed
  dpkg: dependency problems prevent processing triggers for cracklib-runtime:
   cracklib-runtime depends on libcrack2 (>= 2.9.2-1); however:
Package libcrack2:i386 is not configured yet.
  
  dpkg: error processing package cracklib-runtime (--configure):
   dependency problems - leaving triggers unprocessed
  dpkg: dependency problems prevent processing triggers for cracklib-runtime:
   cracklib-runtime depends on libcrack2 (>= 2.9.2-1); however:
Package libcrack2:i386 is not configured yet.
  
  dpkg: error processing package cracklib-runtime (--configure):
   dependency problems - leaving triggers unprocessed
  dpkg: dependency problems prevent processing triggers for cracklib-runtime:
   cracklib-runtime depends on libcrack2 (>= 2.9.2-1); however:
Package libcrack2:i386 is not configured yet.
  
  dpkg: error processing package cracklib-runtime (--configure):
   dependency problems - leaving triggers unprocessed
  dpkg:

Bug#863367: apt does not find solutions that involve libssl1.0-dev -> libssl-dev

[s3v]

Thanks for investigating.

Il 27/05/2017 08:32, Adrian Bunk ha scritto:
> libecryptfs-dev Is not actually uninstallable, the core problem is that 
> you have libssl1.0-dev installed and apt fails to find the solution to
> solve the dependencies:

Yep, I haven't libssl-dev:

$ dpkg -l | grep -i libssl
ii  libssl1.0-dev:amd64  1.0.2k-1  amd64  Secure Sockets Layer toolkit - 
development
files
ii  libssl1.0.0:amd641.0.2d-1  amd64  Secure Sockets Layer toolkit - shared
libraries
ii  libssl1.0.2:amd641.0.2k-1  amd64  Secure Sockets Layer toolkit - shared
libraries
ii  libssl1.1:amd64  1.1.0e-2  amd64  Secure Sockets Layer toolkit - shared
libraries

Aptitude seems to handle the situation in the right way:

# aptitude install libecryptfs-dev
The following NEW packages will be installed:
  libassuan-dev{a} libecryptfs-dev libecryptfs1{a} libgpg-error-dev{a}
libgpgme-dev{a} libkeyutils-dev{a} libpam0g-dev{a} libssl-dev{a} libtspi-dev{a}
  libtspi1{a}
The following packages are RECOMMENDED but will NOT be installed:
  libssl-doc
0 packages upgraded, 10 newly installed, 0 to remove and 0 not upgraded.
Need to get 3223 kB of archives. After unpacking 11.1 MB will be used.
The following packages have unmet dependencies:
 libssl1.0-dev : Conflicts: libssl-dev but 1.1.0e-2 is to be installed
The following actions will resolve these dependencies:

 Remove the following packages:
1) libssl1.0-dev [1.0.2k-1 (now, testing)]
2) node-gyp [3.4.0-1 (now, testing)]
3) nodejs-dev [4.8.2~dfsg-1 (now, testing)]
4) npm [1.4.21+ds-2 (now)]


Accept this solution? [Y/n/q/?] q


apt version (updated today):

$ apt -v
apt 1.4.4 (amd64)


Regards

Bug#852675: marked as done (cfengine3: always updates from /usr/share/cfengine3 instead of /var/lib/cfengine3)

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 11:34:32 +
with message-id 
and subject line Bug#852675: fixed in cfengine3 3.9.1-4.2
has caused the Debian Bug report #852675,
regarding cfengine3: always updates from /usr/share/cfengine3 instead of 
/var/lib/cfengine3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
852675: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852675
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cfengine3
Version: 3.9.1-4.1
Severity: important

Dear Maintainer,

After bootstrapping on the policyhub cfengine always updates
/var/lib/cfengine3/inputs on the policyhub from
/usr/share/cfengine3/masterfiles instead of /var/lib/cfengine3/masterfiles.
So no changes I do to eg. acl in control/defs.cf will get in effect

cf-execd seams to run cf-agent -f /var/lib/cfengine3/inputs/failsafe.cf

See:

 verbose: P: BEGIN promise
'failsafe_cfe_internal_bootstrap_update_files_sys_wor
kdir_inputs_shortcut' of type "files" (pass 1)
 verbose: P:Promiser/affected object: '/var/lib/cfengine3/inputs'
 verbose: P:Part of bundle: failsafe_cfe_internal_update
 verbose: P:Base context class: any
 verbose: P:Container path : '/default/main/methods/'Fetch
Inputs'/default/f
ailsafe_cfe_internal_update/files/'/var/lib/cfengine3/inputs'[0]'
 verbose: P: .
 verbose:
 verbose: File '/var/lib/cfengine3/inputs' copy_from
'/usr/share/cfengine3/masterfiles'
 verbose: Entering directory '/usr/share/cfengine3/masterfiles'

I did not find a way to change this behavior.

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (700, 'stable-updates'), (700, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-0.bpo.2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cfengine3 depends on:
ii  libacl1   2.2.52-2
ii  libc6 2.19-18+deb8u7
ii  liblmdb0  0.9.14-1
ii  libpam0g  1.1.8-3.1+deb8u2
ii  libpcre3  2:8.35-3.3+deb8u4
ii  libpromises3  3.9.1-4.1
ii  libssl1.1 1.1.0c-4
ii  libvirt0  1.2.9-9+deb8u3
ii  libxml2   2.9.1+dfsg1-5+deb8u4
ii  lsb-base  4.1+Debian13+nmu1

Versions of packages cfengine3 recommends:
ii  python  2.7.9-1

cfengine3 suggests no packages.

-- no debconf information

-- 

Christoph Martin, Leiter Unix-Systeme
Zentrum für Datenverarbeitung, Uni-Mainz, Germany
 Anselm Franz von Bentzel-Weg 12, 55128 Mainz
 Telefon: +49(6131)3926337
 Instant-Messaging: Jabber: mar...@jabber.uni-mainz.de
  (Siehe http://www.zdv.uni-mainz.de/4010.php)
<>

signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
Source: cfengine3
Source-Version: 3.9.1-4.2

We believe that the bug you reported is fixed in the latest version of
cfengine3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 852...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Martin  (supplier of updated cfengine3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 18 May 2017 14:14:45 +0200
Source: cfengine3
Binary: cfengine3 cfengine3-dbg libpromises3
Architecture: source amd64
Version: 3.9.1-4.2
Distribution: unstable
Urgency: medium
Maintainer: Antonio Radici 
Changed-By: Christoph Martin 
Description:
 cfengine3  - tool for configuring and maintaining network machines
 cfengine3-dbg - debugging symbols for cfengine3
 libpromises3 - libpromises library for cfengine3 binaries
Closes: 852675 862903
Changes:
 cfengine3 (3.9.1-4.2) unstable; urgency=medium
 .
   * fix masterdir configuration (closes: 852675)
   * revert ssl1.1 patch which leads to segfaults with older clients
 (closes: #862903)
Checksums-Sha1:
 67154a46d39267b2c07b3eb3efbf875170abf232 2422 cfengine3_3.9.1-4.2.dsc
 a9e167275cbb441db979893d912dc099e08ed826 21712 
cfengine3_3.9.1-4.2.debian.tar.xz
 2384c377a3feec82d9e6c1424375e15d870bcada 1430056 
cfengine3-dbg_3.9.1-4.2_amd64.deb
 4982

Bug#863474: python-cryptography: FTBFS with openssl 1.1.0f

[Kurt Roeckx]

Package: python-cryptography
Version: 1.7.1-2
Severity: serious

Hi,

OpenSSL made ASN1_TIME_to_generalizedtime() take a const. But it
seems that python-cryptography has a local copy of the header
files, which now conflict with the one from OpenSSL.

It was discussed with python-cryptography and they agreed it was
their problem and they fixed it.

See:
https://github.com/openssl/openssl/pull/3360#issuecomment-304053330
https://github.com/pyca/cryptography/commit/6e7ea2e73e3baf31541c9533dc621d8913152848


Kurt

Processed: swftools: diff for NMU version 0.9.2+git20130725-4.1

[Debian Bug Tracking System]

Processing control commands:

> tags 861693 + pending
Bug #861693 [src:swftools] swftools: CVE-2017-8400: out-of-bound write of heap 
data issue can occur in function png_load()
Added tag(s) pending.

-- 
861693: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861693
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#861693: swftools: diff for NMU version 0.9.2+git20130725-4.1

[Salvatore Bonaccorso]

Control: tags 861693 + pending

Dear maintainer,

I've prepared an NMU for swftools (versioned as 0.9.2+git20130725-4.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru swftools-0.9.2+git20130725/debian/changelog swftools-0.9.2+git20130725/debian/changelog
--- swftools-0.9.2+git20130725/debian/changelog	2016-01-04 23:07:22.0 +0100
+++ swftools-0.9.2+git20130725/debian/changelog	2017-05-27 13:25:12.0 +0200
@@ -1,3 +1,10 @@
+swftools (0.9.2+git20130725-4.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix an integer overflow issue in png.c (CVE-2017-8400) (Closes: #861693)
+
+ -- Salvatore Bonaccorso   Sat, 27 May 2017 13:25:12 +0200
+
 swftools (0.9.2+git20130725-4) unstable; urgency=medium
 
   * Build using giflib5 (patch by Matthias Klose )
diff -Nru swftools-0.9.2+git20130725/debian/patches/Fix-an-integer-overflow-issue-in-png.c.patch swftools-0.9.2+git20130725/debian/patches/Fix-an-integer-overflow-issue-in-png.c.patch
--- swftools-0.9.2+git20130725/debian/patches/Fix-an-integer-overflow-issue-in-png.c.patch	1970-01-01 01:00:00.0 +0100
+++ swftools-0.9.2+git20130725/debian/patches/Fix-an-integer-overflow-issue-in-png.c.patch	2017-05-06 17:39:04.0 +0200
@@ -0,0 +1,32 @@
+From 7139f3cf7c8bc576bea1dbd07c58ce1ad92b774a Mon Sep 17 00:00:00 2001
+From: Matthias Kramm 
+Date: Wed, 26 Apr 2017 09:02:20 -0700
+Subject: [PATCH] Fix an integer overflow issue in png.c
+
+This aims to fix https://github.com/matthiaskramm/swftools/issues/13
+---
+ lib/png.c | 8 ++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/png.c b/lib/png.c
+index 66eebb4..44a4b42 100644
+--- a/lib/png.c
 b/lib/png.c
+@@ -575,8 +575,12 @@ EXPORT int png_load(const char*sname, unsigned*destwidth, unsigned*destheight, u
+ 
+ *destwidth = header.width;
+ *destheight = header.height;
+-	
+-data2 = (unsigned char*)malloc(header.width*header.height*4);
++
++unsigned long long alloclen_64 = (unsigned long long)header.width * header.height * 4;
++if (alloclen_64 > 0xl) {
++return 0;
++}
++data2 = (unsigned char*)malloc((size_t)alloclen_64);
+ 
+ if(header.mode == 4)
+ {
+-- 
+2.1.4
+
diff -Nru swftools-0.9.2+git20130725/debian/patches/series swftools-0.9.2+git20130725/debian/patches/series
--- swftools-0.9.2+git20130725/debian/patches/series	2016-01-04 22:46:04.0 +0100
+++ swftools-0.9.2+git20130725/debian/patches/series	2017-05-27 13:24:58.0 +0200
@@ -7,3 +7,4 @@
 spelling.patch
 remove-fontconfig.patch
 giflib5.patch
+Fix-an-integer-overflow-issue-in-png.c.patch

Bug#862967: Will try tomorrow

[Salvatore Bonaccorso]

Hi Bastien,

On Sun, May 21, 2017 at 04:14:55PM +0200, Bastien ROUCARIES wrote:
> Hi,
> 
> I plan to release a stable version tomorrow

Could you as well do a targetted upload able to enter stretch for the
open CVEs in stetch+unstable?

Regards,
Salvatore

Bug#863475: [prosody] Fails to initiate s2s when lua-event 0.4.3 is installed

[Charlemagne Lasse]

Package: prosody
Version: 0.9.12-1
Severity: serious
Tags: patch stretch

Prosody fails to intiate S2S connections when lua-event 0.4.3 is
installed. This bug was already fixed in the 0.10 branch of prosody
but is still present on Debian stretch (which is shipped with
lua-event 0.4.3)

The fix can be found at https://prosody.im/issues/issue/555

Errors in the log are:

May 27 13:47:24 adnswarnDNS socket for 8.8.8.8
disconnected: connection timeout
May 27 13:47:39 adnswarnDNS socket for 8.8.4.4
disconnected: connection timeout
May 27 13:47:59 adnswarnDNS socket for 8.8.8.8
disconnected: connection timeout
May 27 13:47:59 adnserror   Exhausted all 2 configured DNS
servers, next lookup will try 8.8.4.4 again
May 27 13:48:04 s2sout55ea3204b2d0  infoOut of connection
options, can't connect to jabber.linux.it
May 27 13:48:04 s2sout55ea3204b2d0  infoSending error
replies for 2 queued stanzas because of failed outgoing connection to
jabber.linux.it

The problem can either be resolved by backporting the fix or marking
lua-event 0.4.3 as conflict (and remove it from the Recommended
field).

Marking this as serious bug because federation is an extreme important
part of XMPP/Jabber

--- System information. ---
Architecture:
Kernel:   Linux 4.9.0-3-amd64

Debian Release: 9.0
  500 testing-debug   debug.mirrors.debian.org
  500 testing httpredir.debian.org

Bug#861521: marked as done (libxstream-java: CVE-2017-7957)

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 12:33:35 +
with message-id 
and subject line Bug#861521: fixed in libxstream-java 1.4.7-2+deb8u2
has caused the Debian Bug report #861521,
regarding libxstream-java: CVE-2017-7957
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
861521: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861521
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libxstream-java
Version: 1.4.7-2
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libxstream-java.

CVE-2017-7957[0]:
| XStream through 1.4.9, when a certain denyTypes workaround is not used,
| mishandles attempts to create an instance of the primitive type 'void'
| during unmarshalling, leading to a remote application crash, as
| demonstrated by an xstream.fromXML("") call.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7957
[1] https://x-stream.github.io/CVE-2017-7957.html

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libxstream-java
Source-Version: 1.4.7-2+deb8u2

We believe that the bug you reported is fixed in the latest version of
libxstream-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg  (supplier of updated libxstream-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 02 May 2017 17:21:00 +0200
Source: libxstream-java
Binary: libxstream-java
Architecture: source all
Version: 1.4.7-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Emmanuel Bourg 
Description:
 libxstream-java - Java library to serialize objects to XML and back again
Closes: 861521
Changes:
 libxstream-java (1.4.7-2+deb8u2) jessie-security; urgency=high
 .
   * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
 type 'void' during unmarshalling lead to a remote application crash.
 (Closes: #861521)
Checksums-Sha1:
 d25f4281ba672a2464854d0784e528a0399d8be6 2379 
libxstream-java_1.4.7-2+deb8u2.dsc
 afb5b08722242b85a216e1b4c4831a04337507e7 8672 
libxstream-java_1.4.7-2+deb8u2.debian.tar.xz
 89559bdaa63ee5d57e0b7462c0f4789bb75f74d1 585434 
libxstream-java_1.4.7-2+deb8u2_all.deb
Checksums-Sha256:
 cdf41bea7486afaacf0dbc367514871beacffddd36564ed5cf0b596b28f14c61 2379 
libxstream-java_1.4.7-2+deb8u2.dsc
 62a1c99b99dc6466149708827e13f945047e7e97c590375061d44b7849b39533 8672 
libxstream-java_1.4.7-2+deb8u2.debian.tar.xz
 f21a9c0f661849d3d13d77e1ee8ee00189370fa34b1a93713c591cabbdb9c443 585434 
libxstream-java_1.4.7-2+deb8u2_all.deb
Files:
 9c0b26bc15f1d7bc2632018ee91c3504 2379 java optional 
libxstream-java_1.4.7-2+deb8u2.dsc
 ea1a4f81161faa5543a846be8aca3305 8672 java optional 
libxstream-java_1.4.7-2+deb8u2.debian.tar.xz
 b66a0b5b4d706151bdbb83aa882e30c2 585434 java optional 
libxstream-java_1.4.7-2+deb8u2_all.deb

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCAAGBQJZCOXGAAoJEPUTxBnkudCss58P/0vthytF/PN94TAsVnW/uGVy
xua2V2dctuBAPPzTfKdGfuNQjjgnlklWlwXlWguXqcqUBq+fvoWcUXm/ZSDfaQPp
wFG7G+A1xoumRTorwZr0A45041A9qfcbbyokZjS3UA1+/NSjm5NA5Uqjz5Gv1Ff6
t8XVtCdvbzJWf84kuhSoXoOxPhZXZVPF1q4rFQ+XsAIVjctMiTp+4Wj+MO7JveNm
nC5IJIy7a1PyB3Z/JeM8pqxPye3zaTOpgRinxfVZ2sP/tlfBQKyA4KkdirmekXw4
PNoLUq6zi3BC/1Uttl/sZ+fEPVdFQ8kRFa1FlWqNgESR0nWXePrkQ/FUleYmriNB
8juIXKs04hPYITWQAhUFDZupunuHvEjd+ATae3ps6loq+tBHb9W9BOHBrca9ge42
uOQ4FVIUpRJXmyo274tbi6XKT7r1NpgAMJiAFqw2+0qJ5recUq3SvT7t9CmfGBdf
M+FFIaGSwOZouI8TjCoYUp2UWiO5hY3ssVqEhLUOFhqBy1/O+gPvCAkUF95K/bMv
ShoBRnFS+gxoqkXDU7Rx5KCPVmS0MjKYrXv3NC+5t4We9ryfSk9zsEBPRaeIuq6f
PPwj9z50EYQTMj0Cp3VxVsiWX75QXee5BsIP+Mx2at3gh1gVUlBH9QVDhUzegg1i
FGnLKSkEmooiMrVcH1Sd
=MSAA
-END PGP SIGNATURE End Message ---

Bug#859560: marked as done (xen: CVE-2017-7228: x86: broken check in memory_exchange() permits PV guest breakout (XSA-212))

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 12:34:02 +
with message-id 
and subject line Bug#859560: fixed in xen 4.4.1-9+deb8u9
has caused the Debian Bug report #859560,
regarding xen: CVE-2017-7228: x86: broken check in memory_exchange() permits PV 
guest breakout (XSA-212)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
859560: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859560
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: xen
Version: 4.8.1~pre.2017.01.23-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerability was published for xen.

CVE-2017-7228[0]:
| An issue (known as XSA-212) was discovered in Xen, with fixes available
| for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix
| introduced an insufficient check on XENMEM_exchange input, allowing the
| caller to drive hypervisor memory accesses outside of the guest
| provided input/output arrays.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7228
[1] https://xenbits.xen.org/xsa/advisory-212.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: xen
Source-Version: 4.4.1-9+deb8u9

We believe that the bug you reported is fixed in the latest version of
xen, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ian Jackson  (supplier of updated xen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Mon, 08 May 2017 15:04:37 +0100
Source: xen
Binary: libxen-4.4 libxenstore3.0 libxen-dev xenstore-utils xen-utils-common 
xen-utils-4.4 xen-hypervisor-4.4-amd64 xen-system-amd64 
xen-hypervisor-4.4-arm64 xen-system-arm64 xen-hypervisor-4.4-armhf 
xen-system-armhf
Architecture: all i386 source
Version: 4.4.1-9+deb8u9
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Xen Team 
Changed-By: Ian Jackson 
Closes: 848081 859560 861659 861660 861662
Description: 
 libxen-4.4 - Public libs for Xen
 libxen-dev - Public headers and libs for Xen
 libxenstore3.0 - Xenstore communications library for Xen
 xen-hypervisor-4.4-amd64 - Xen Hypervisor on AMD64
 xen-hypervisor-4.4-arm64 - Xen Hypervisor on ARM64
 xen-hypervisor-4.4-armhf - Xen Hypervisor on ARMHF
 xen-system-amd64 - Xen System on AMD64 (meta-package)
 xen-system-arm64 - Xen System on ARM64 (meta-package)
 xen-system-armhf - Xen System on ARMHF (meta-package)
 xen-utils-4.4 - XEN administrative tools
 xen-utils-common - Xen administrative tools - common files
 xenstore-utils - Xenstore command line utilities for Xen
Changes:
 xen (4.4.1-9+deb8u9) jessie-security; urgency=medium
 .
   Security updates:
   * XSA-200: Closes:#848081: CVE-2016-9932: x86 emulation operand size
   * XSA-202: CVE-2016-10024: x86 PV guests may be able to mask interrupts
   * XSA-204: CVE-2016-10013: x86: Mishandling of SYSCALL singlestep
   * XSA-212: Closes:#859560: CVE-2017-7228: x86: broken memory_exchange()
   * XSA-213: Closes:#861659: 64bit PV guest breakout
   * XSA-214: Closes:#861660: grant transfer PV privilege escalation
   * XSA-215: Closes:#861662: memory corruption via failsafe callback
Checksums-Sha1: 
 dccdc1d672c7715990dd985a8283e8cc15ff312e 2691 xen_4.4.1-9+deb8u9.dsc
 a8f99df8862e1f2ab9c866f11cafad85961dc2ba 117608 
xen_4.4.1-9+deb8u9.debian.tar.xz
 728d82a4aa8e6927326164dd85ef6de79d88ad01 122470 
xen-utils-common_4.4.1-9+deb8u9_all.deb
 627996f4388cd9fe72f29ddb14d1d12e58509f75 746102 
xen-hypervisor-4.4-amd64_4.4.1-9+deb8u9_i386.deb
 0c35fb0bac9ee7f66f6e92f62c304b3f0792fbce 21188 
xen-system-amd64_4.4.1-9+deb8u9_i386.deb
 a486f18e797783937a180525817d2a8a7b8b1893 32896 
libxenstore3.0_4.4.1-9+deb8u9_i386.deb
 915a7ab0980fb731d0d9645c45f64bf568b2644a 317442 
libxen-4.4_4.4.1-9+deb8u9_i386.deb
 657d2355f55543bae8b8402f459f3bfa265e316b 496778 
libxen-dev_4.4.

Bug#857561: marked as done (polarssl: CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve)

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 12:33:40 +
with message-id 
and subject line Bug#857561: fixed in polarssl 1.3.9-2.1+deb8u2
has caused the Debian Bug report #857561,
regarding polarssl: CVE-2017-2784: Freeing of memory allocated on stack when 
validating a public key with a secp224k1 curve
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
857561: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857561
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libmbedcrypto0
Version: 2.4.0-1
Severity: grave
Tags: security
Control: clone -1 -2
Control: reassign -2 libpolarssl7 1.3.9-2.1+deb8u1
Control: retitle -2 polarssl: CVE-2017-2748 - Freeing of memory allocated on 
stack when validating a public key with a secp224k1 curve

Hi all,

This security advisory was recently published and contains one "high"
severity bug:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01

The security changelog for 2.4.2 also contains fixes for some other
bugs as well. The 3rd bug (relating to SLOTH) does not affect polarssl.

= mbed TLS 2.4.2 branch released 2017-03-08

Security
   * Add checks to prevent signature forgeries for very large messages while
 using RSA through the PK module in 64-bit systems. The issue was caused by
 some data loss when casting a size_t to an unsigned int value in the
 functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and
 mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
   * Fixed potential livelock during the parsing of a CRL in PEM format in
 mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing
 characters after the footer could result in the execution of an infinite
 loop. The issue can be triggered remotely. Found by Greg Zaverucha,
 Microsoft.
   * Removed MD5 from the allowed hash algorithms for CertificateRequest and
 CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
 Introduced by interoperability fix for #513.
   * Fixed a bug that caused freeing a buffer that was allocated on the stack,
 when verifying the validity of a key on secp224k1. This could be
 triggered remotely for example with a maliciously constructed certificate
 and potentially could lead to remote code execution on some platforms.
 Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos
 team. #569 CVE-2017-2784

Thanks,
James



signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
Source: polarssl
Source-Version: 1.3.9-2.1+deb8u2

We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill  (supplier of updated polarssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 09 May 2017 09:42:21 +0100
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libpolarssl7
Architecture: source
Version: 1.3.9-2.1+deb8u2
Distribution: jessie
Urgency: high
Maintainer: Roland Stigge 
Changed-By: James Cowgill 
Description:
 libpolarssl-dev - lightweight crypto and SSL/TLS library
 libpolarssl-runtime - lightweight crypto and SSL/TLS library
 libpolarssl7 - lightweight crypto and SSL/TLS library
Closes: 857561
Changes:
 polarssl (1.3.9-2.1+deb8u2) jessie; urgency=high
 .
   * Fix CVE-2017-2784: Freeing of memory allocated on stack when
 validating a public key with a secp224k1 curve. (Closes: #857561)
Checksums-Sha1:
 917394c6dc4bc3b6d52631e4966bf3dc36890852 1898 polarssl_1.3.9-2.1+deb8u2.dsc
 dbdf2ef546952e9c1c163266074b3d9a579d7b8b 9600 
polarssl_1.3.9-2.1+deb8u2.debian.tar.xz
 affd95436ea21972e41ec193401f01591ef44f3c 5575 
polarssl_1.3.9-2.1+deb8u2_source.buildinfo
Checksums-Sha256:
 924b06b5bb03ab5cd9981b57fca713ff156df04b43ceb06587d6559d8265125a 1898 
polarssl_1.3.9-2.1+deb8u2.dsc
 3a445eb6efb0207b1d949019ee4e2ddadde6807a9d96eac724a3ba2762d2483f 9600 
polarssl_1.3.9-2.1+deb8u2.debian.tar.xz
 73d80573ddc8658e3d513698ee1f220667a3675f186f40827f54f4fa4dd0cc11 

Bug#860225: marked as done (bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME)

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 12:32:09 +
with message-id 
and subject line Bug#860225: fixed in bind9 1:9.9.5.dfsg-9+deb8u11
has caused the Debian Bug report #860225,
regarding bind9: CVE-2017-3137: A response packet can cause a resolver to 
terminate when processing an answer containing a CNAME or DNAME
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
860225: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860225
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bind9
Version: 1:9.9.5.dfsg-9
Severity: grave
Tags: patch upstream security fixed-upstream

Hi,

the following vulnerability was published for bind9.

CVE-2017-3137[0]:
|A response packet can cause a resolver to terminate when processing an
|answer containing a CNAME or DNAME

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-3137
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3137
[1] https://kb.isc.org/article/AA-01466

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
--- End Message ---
--- Begin Message ---
Source: bind9
Source-Version: 1:9.9.5.dfsg-9+deb8u11

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 11 May 2017 08:39:19 +0200
Source: bind9
Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-90 
libdns100 libisc95 liblwres90 libisccc90 libisccfg90 dnsutils lwresd 
libbind-export-dev libdns-export100 libdns-export100-udeb libisc-export95 
libisc-export95-udeb libisccfg-export90 libisccfg-export90-udeb libirs-export91 
libirs-export91-udeb
Architecture: all source
Version: 1:9.9.5.dfsg-9+deb8u11
Distribution: jessie-security
Urgency: high
Maintainer: LaMont Jones 
Changed-By: Salvatore Bonaccorso 
Closes: 860224 860225 860226
Description: 
 bind9  - Internet Domain Name Server
 bind9-doc  - Documentation for BIND
 bind9-host - Version of 'host' bundled with BIND 9.X
 bind9utils - Utilities for BIND
 dnsutils   - Clients provided with BIND
 host   - Transitional package
 libbind-dev - Static Libraries and Headers used by BIND
 libbind-export-dev - Development files for the exported BIND libraries
 libbind9-90 - BIND9 Shared Library used by BIND
 libdns-export100 - Exported DNS Shared Library
 libdns-export100-udeb - Exported DNS library for debian-installer (udeb)
 libdns100  - DNS Shared Library used by BIND
 libirs-export91 - Exported IRS Shared Library
 libirs-export91-udeb - Exported IRS library for debian-installer (udeb)
 libisc-export95 - Exported ISC Shared Library
 libisc-export95-udeb - Exported ISC library for debian-installer (udeb)
 libisc95   - ISC Shared Library used by BIND
 libisccc90 - Command Channel Library used by BIND
 libisccfg-export90 - Exported ISC CFG Shared Library
 libisccfg-export90-udeb - Exported ISC CFG library for debian-installer (udeb)
 libisccfg90 - Config File Handling Library used by BIND
 liblwres90 - Lightweight Resolver Library used by BIND
 lwresd - Lightweight Resolver Daemon
Changes:
 bind9 (1:9.9.5.dfsg-9+deb8u11) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Dns64 with "break-dnssec yes;" can result in a assertion failure.
 (CVE-2017-3136) (Closes: #860224)
   * Prerequisite for CVE-2017-3137 cherry-picked from upstream change #4190.
 If not cherry-picking this change the fix for CVE-2017-3137 can cause an
 assertion failure to

Bug#861484: The bug is in llvm-toolchain-3.8

[Adrian Bunk]

Control: unblock -1 by 862360
Control: reassign -1 src:llvm-toolchain-3.8
Control: forcemerge 862360 -1
Control: retitle -1 llvm-toolchain-3.8: Fix R_AARCH64_MOVW_UABS_G3 relocation
Control: affects -1 src:julia

The bug is in llvm-toolchain-3.8, all julia needs is a gb after the
fixed llvm-toolchain-3.8 is in unstable.

The main part of the discussion of this bug is in #862360.

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed

Processed: The bug is in llvm-toolchain-3.8

[Debian Bug Tracking System]

Processing control commands:

> unblock -1 by 862360
Bug #861484 [src:julia] julia: FTBFS on arm64
861484 was blocked by: 862360
861484 was not blocking any bugs.
Removed blocking bug(s) of 861484: 862360
> reassign -1 src:llvm-toolchain-3.8
Bug #861484 [src:julia] julia: FTBFS on arm64
Bug reassigned from package 'src:julia' to 'src:llvm-toolchain-3.8'.
No longer marked as found in versions julia/0.4.7-5.
Ignoring request to alter fixed versions of bug #861484 to the same values 
previously set
> forcemerge 862360 -1
Bug #862360 [src:llvm-toolchain-3.8] llvm-toolchain-3.8: Fix 
R_AARCH64_MOVW_UABS_G3 relocation
Bug #861484 [src:llvm-toolchain-3.8] julia: FTBFS on arm64
Marked as found in versions llvm-toolchain-3.8/1:3.8.1-23.
Merged 861484 862360
> retitle -1 llvm-toolchain-3.8: Fix R_AARCH64_MOVW_UABS_G3 relocation
Bug #861484 [src:llvm-toolchain-3.8] julia: FTBFS on arm64
Bug #862360 [src:llvm-toolchain-3.8] llvm-toolchain-3.8: Fix 
R_AARCH64_MOVW_UABS_G3 relocation
Changed Bug title to 'llvm-toolchain-3.8: Fix R_AARCH64_MOVW_UABS_G3 
relocation' from 'julia: FTBFS on arm64'.
Ignoring request to change the title of bug#862360 to the same title
> affects -1 src:julia
Bug #861484 [src:llvm-toolchain-3.8] llvm-toolchain-3.8: Fix 
R_AARCH64_MOVW_UABS_G3 relocation
Bug #862360 [src:llvm-toolchain-3.8] llvm-toolchain-3.8: Fix 
R_AARCH64_MOVW_UABS_G3 relocation
Added indication that 861484 affects src:julia
Added indication that 862360 affects src:julia

-- 
861484: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861484
862360: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862360
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#837091: firefox-esr: EME DRM extention present and enabled

[Simon McVittie]

On Thu, 08 Sep 2016 at 20:14:28 +0200, Tjeerd Pinkert wrote:
> after reading up a bit (late(ly)) on the W3C EME proposed standard for
> embedding of DRM managed content in web pages, I decided to have a
> look if it is present in the firefox browser
[...]
> I think the presence of code that requires closed source components to
> function, might violate the DFSG for the main section? On the other
> hand, no package relation is available in the non-free section as far
> as I see that is actively depended on. If a decision has been taken on
> this already, then please close.

I don't see a freeness problem here.

Firefox with the EME API enabled at compile time, but no CDM (DRM
implementation) installed, is presumably no less functional than Firefox
with the EME API disabled at compile time - so the CDM is not a
dependency, because Firefox without a CDM is a perfectly acceptable web
browser (just missing an optional feature). If we shipped CDMs in
non-free, I don't think Firefox would have a stronger relationship to
them than Suggests (or more likely, the CDMs would declare an Enhances
relationship on Firefox, which means the same thing). Packages in main
are allowed to have Suggests on non-free or even not-in-Debian packages,
just not (Pre-)Depends or Recommends.

Free CDMs do seem to exist -
https://github.com/fraunhoferfokus/open-content-decryption-module is one
example. It is fairly likely that content publishers will not actually
*use* those CDMs, but that's between you and the content providers whose
products you choose to buy. So from a freeness point of view, this
doesn't seem any worse than any other plugin interface that can accept
both Free and non-Free plugins - for example glibc NSS, PAM, GStreamer,
Firefox NPAPI, kernel modules, and OpenGL/EGL/Vulkan drivers.

I understand your desire to avoid DRM, but I don't think opening
release-critical bugs requesting that features are removed from our
builds of Firefox is an appropriate way to go about it.

> P.S. yes I know, having flash installed as a plugin is as bad as
> having EME enabled...

In particular, I believe having the Flash NPAPI plugin installed means
your copy of Firefox already loads a DRM implementation, because there's
one in Flash. You might as well use one that is better-sandboxed, which
is the purpose of EME.

S

Bug#863479: perl-base should add Breaks: debconf (<< 1.5.57~)

[Adrian Bunk]

Package: perl-base
Version: 5.24.1-2
Severity: serious

Technically #786705 is just a harmless warning, but when
during a jessie -> stretch upgrade perl-base is upgraded
before debconf is upgraded the user might see a lot scary
warnings as if something was seriously broken.

Example with debconf 1.5.56 and perl-base 5.24.1-2 installed:

# apt-get install libpam-modules
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following additional packages will be installed:
  libpam-modules-bin
The following packages will be upgraded:
  libpam-modules libpam-modules-bin
2 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Need to get 0 B/412 kB of archives.
After this operation, 18.4 kB disk space will be freed.
Do you want to continue? [Y/n] 
Unescaped left brace in regex is deprecated, passed through in regex; marked by 
<-- HERE in m/^(.*?)(\\)?\${ <-- HERE ([^{}]+)}(.*)$/ at 
/usr/share/perl5/Debconf/Question.pm line 72.
Unescaped left brace in regex is deprecated, passed through in regex; marked by 
<-- HERE in m/\${ <-- HERE ([^}]+)}/ at /usr/share/perl5/Debconf/Config.pm line 
30.
Preconfiguring packages ...
(Reading database ... 10801 files and directories currently installed.)
Preparing to unpack .../libpam-modules-bin_1.1.8-3.5_amd64.deb ...
Unpacking libpam-modules-bin (1.1.8-3.5) over (1.1.8-3.1+deb8u2) ...
Setting up libpam-modules-bin (1.1.8-3.5) ...
(Reading database ... 10801 files and directories currently installed.)
Preparing to unpack .../libpam-modules_1.1.8-3.5_amd64.deb ...
Unescaped left brace in regex is deprecated, passed through in regex; marked by 
<-- HERE in m/^(.*?)(\\)?\${ <-- HERE ([^{}]+)}(.*)$/ at 
/usr/share/perl5/Debconf/Question.pm line 72.
Unescaped left brace in regex is deprecated, passed through in regex; marked by 
<-- HERE in m/\${ <-- HERE ([^}]+)}/ at /usr/share/perl5/Debconf/Config.pm line 
30.
Unpacking libpam-modules:amd64 (1.1.8-3.5) over (1.1.8-3.1+deb8u2) ...
Setting up libpam-modules:amd64 (1.1.8-3.5) ...
Installing new version of config file /etc/security/namespace.init ...
Processing triggers for man-db (2.7.6.1-2) ...
#


perl-base should add a Breaks: debconf (<< 1.5.57~).

Bug#863479: perl-base should add Breaks: debconf (<< 1.5.57~)

[Julien Cristau]

Control: severity -1 wishlist
Control: tag -1 moreinfo

On Sat, May 27, 2017 at 16:36:50 +0300, Adrian Bunk wrote:

> Package: perl-base
> Version: 5.24.1-2
> Severity: serious
> 
> Technically #786705 is just a harmless warning, but when
> during a jessie -> stretch upgrade perl-base is upgraded
> before debconf is upgraded the user might see a lot scary
> warnings as if something was seriously broken.
> 
[...]
> 
> perl-base should add a Breaks: debconf (<< 1.5.57~).

Adding Breaks in a core package a couple of weeks before the release
sounds like a very, very, very bad idea.

Cheers,
Julien

Processed: Unlikely to be a problem in jessie

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 863416 stretch sid
Bug #863416 [jackeq] jackeq: segmentation fault
Added tag(s) sid and stretch.
> tags 863420 stretch sid
Bug #863420 [timemachine] timemachine: segfaults on startup
Added tag(s) sid and stretch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863416: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863416
863420: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863420
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#863479: perl-base should add Breaks: debconf (<< 1.5.57~)

[Debian Bug Tracking System]

Processing control commands:

> severity -1 wishlist
Bug #863479 [perl-base] perl-base should add Breaks: debconf (<< 1.5.57~)
Severity set to 'wishlist' from 'serious'
> tag -1 moreinfo
Bug #863479 [perl-base] perl-base should add Breaks: debconf (<< 1.5.57~)
Added tag(s) moreinfo.

-- 
863479: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863479
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#863367: libecryptfs-dev: unable to install because of unmet dependency

[Debian Bug Tracking System]

Processing control commands:

> reassign -1 libssl-dev 1.1.0e-2
Bug #863367 [apt] apt does not find solutions that involve libssl1.0-dev -> 
libssl-dev
Bug reassigned from package 'apt' to 'libssl-dev'.
Ignoring request to alter found versions of bug #863367 to the same values 
previously set
Ignoring request to alter fixed versions of bug #863367 to the same values 
previously set
Bug #863367 [libssl-dev] apt does not find solutions that involve libssl1.0-dev 
-> libssl-dev
Marked as found in versions openssl/1.1.0e-2.
> retitle -1 libssl-dev: declare conflict with libssl1.0-dev to help apt find 
> solutions
Bug #863367 [libssl-dev] apt does not find solutions that involve libssl1.0-dev 
-> libssl-dev
Changed Bug title to 'libssl-dev: declare conflict with libssl1.0-dev to help 
apt find solutions' from 'apt does not find solutions that involve 
libssl1.0-dev -> libssl-dev'.

-- 
863367: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863367
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863367: libecryptfs-dev: unable to install because of unmet dependency

[David Kalnischkies]

Control: reassign -1 libssl-dev 1.1.0e-2
Control: retitle -1 libssl-dev: declare conflict with libssl1.0-dev to help apt 
find solutions

On Sat, May 27, 2017 at 09:32:34AM +0300, Adrian Bunk wrote:
> Control: reassign -1 apt
> Control: retitle -1 apt does not find solutions that involve libssl1.0-dev -> 
> libssl-dev
> 
> On Thu, May 25, 2017 at 09:16:30PM +0200, s3v wrote:
> > Package: libecryptfs-dev
> > Severity: grave
> > Justification: renders package unusable

(technically wishlist, but people might disagree in practice, so I will
leave severity decisions at this stage to maintainers/release team –
please realize that this means this bug is RELEASE CRITICAL atm)

General advice:
Don't (re)assign package uninstallabilites to apt. The team has neither
the knowledge nor the manpower to deal with the installation problems of
more than 5 packages in existance. All it does achieve is that it
will get downgraded on the spot to normal or lower and left to die^Wbe
closed in a couple years in the already existing bugpile; in short:

Not being installable is the problem of the package which isn't
installable – even if that is due to bugs in a package manager!


> libecryptfs-dev Is not actually uninstallable, the core problem is that 
> you have libssl1.0-dev installed and apt fails to find the solution to
> solve the dependencies:
> 
> # apt-get install libtspi-dev
[…]
> root@localhost:/# apt-get install libtspi-dev libssl-dev
[…]
> The other direction works:
> 
> # apt-get install libh323plus-dev

The defining difference between the two is that libssl1.0-dev conflicts
with libssl-dev while the later doesn't with the first.

As you are trying to express a mutially exclusive relationship between
two packages which should both be shipped in the release it would be
a good idea to declare this exclusiveness on both sides and indeed in
a quick test that is already enough to give apt the hint it needs as
this changes the scoring for the little 1on1 cagefights happening behind
the scenes.

Have a look at them with -o Debug::pkgProblemResolver=1
(kids-friendly as no violence is depicted)


That wasn't all to hard to figure out and I am pretty sure that would
have happened just as fast/good if assigned to one of the involved
packages rather than to apt, which always carries the risk of getting
ignored instead… I was actually 2 seconds away from tagging it
'wishlist'¹ for apt and get on with never looking at it again in my
lifetime.

Note that this solution might not be a good one, but that requires
knowledge about the packages involved which I just don't have as hinted
above. Please CC de...@lists.debian.org if there are any questions you
think we could answer.


Best regards

David Kalnischkies

¹ The cagefights are a design decision in the current default resolver,
which is impossible^Whard to change and absolutely not going to happen
any time soon yet alone days before release. As such it would qualify
for 'wishlist'.


signature.asc
Description: PGP signature

Bug#863480: [node-static-module] Uninitialized Memory Exposure

[Bastien ROUCARIÈS]

Package: node-static-module
Version: 1.3.1-1
Severity: grave
Tags: patch security fixed-upstream
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
forwarded: https://snyk.io/vuln/npm:concat-stream:20160901

concat-stream is writable stream that concatenates strings or binary data and 
calls a callback with the result. Affected versions of the package are 
vulnerable to Uninitialized Memory Exposure.

A possible memory disclosure vulnerability exists when a value of type number 
is provided to the stringConcat() method and results in concatination of 
uninitialized memory to the stream collection.

This is a result of unobstructed use of the Buffer constructor, whose insecure 
default constructor increases the odds of memory leakage.
Details

Constructing a Buffer class with integer N creates a Buffer of length N with 
raw (not "zero-ed") memory.

In the following example, the first call would allocate 100 bytes of memory, 
while the second example will allocate the memory needed for the string "100":

// uninitialized Buffer of length 100
x = new Buffer(100);
// initialized Buffer with value of '100'
x = new Buffer('100');

concat-stream's stringConcat function uses the default Buffer constructor as-
is, making it easy to append uninitialized memory to an existing list. If the 
value of the buffer list is exposed to users, it may expose raw server side 
memory, potentially holding secrets, private data and code. This is a similar 
vulnerability to the infamous Heartbleed flaw in OpenSSL.

You can read more about the insecure Buffer behavior on our blog.

Similar vulnerabilities were discovered in request, mongoose, ws and 
sequelize.


signature.asc
Description: This is a digitally signed message part.

Bug#863367: [Pkg-openssl-devel] Bug#863367: libecryptfs-dev: unable to install because of unmet dependency

[Kurt Roeckx]

On Sat, May 27, 2017 at 04:00:58PM +0200, David Kalnischkies wrote:
> Control: reassign -1 libssl-dev 1.1.0e-2
> Control: retitle -1 libssl-dev: declare conflict with libssl1.0-dev to help 
> apt find solutions
[...]
> Not being installable is the problem of the package which isn't
> installable – even if that is due to bugs in a package manager!

So why does this bug get assigned to libssl-dev then and not to
libecryptfs-dev, with maybe a wishlist bug against libssl-dev (and
apt)?

In general, I disagree that we should declare a conflict at both
sides of the conflict and that the package manager should be able
to deal with a conflict on just one side. It's not a conflict that
involves version numbers.

However, if everybody agrees that this is the best solution for
the next release, I will need permission from the release team
to make such a change.


Kurt

Bug#863420: timemachine: segfaults on startup

[James Cowgill]

Hi Chris,

On 27/05/17 10:02, Chris Lamb wrote:
> tags 863420 + pending patch
> thanks
> 
> I've uploaded timemachine 0.3.3-2.1 to DELAYED/5:
>   
>   timemachine (0.3.3-2.1) unstable; urgency=medium
>   
> * Non-maintainer upload.
> * Fix segmentation fault caused by passing a truncated pointer instead of 
> a
>   GtkType. (Closes: #863420)
> 
> The full debdiff is attached.

I tested your fixes, unfortunately timemachine still segfaults on
startup. This time it occurs in gtk_meterscale_new and it looks like the
same pointer truncation problem there. I notice this code is in jackeq
as well, but maybe jackeq doesn't use it on startup?

James

Bug#863481: [node-concat-stream] Uninitialized Memory Exposure

[Bastien ROUCARIÈS]

Package: node-concat-stream
Version: 1.5.1-1
Severity: grave
Tags: patch security fixed-upstream fixed-in-experimental
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
forwarded: https://snyk.io/vuln/npm:concat-stream:20160901

Overview

concat-stream is writable stream that concatenates strings or binary data and 
calls a callback with the result. Affected versions of the package are 
vulnerable to Uninitialized Memory Exposure.

A possible memory disclosure vulnerability exists when a value of type number 
is provided to the stringConcat() method and results in concatination of 
uninitialized memory to the stream collection.

This is a result of unobstructed use of the Buffer constructor, whose insecure 
default constructor increases the odds of memory leakage.

signature.asc
Description: This is a digitally signed message part.

Bug#835108: marked as done (lepton: FTBFS [i386]: Test failures)

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 15:11:03 +
with message-id 
and subject line Bug#835108: fixed in lepton 1.2.1+20170405-2
has caused the Debian Bug report #835108,
regarding lepton: FTBFS [i386]: Test failures
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
835108: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835108
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: lepton
Version: 1.2.1-2
Severity: serious

>From my pbuilder build log (and this is also reproducible at
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/i386/lepton.html
):

...
FAIL: test_suite/test_last_block.sh
===

lepton v1.0-
lepton v1.0-
34686404 bytes needed to decompress this file
2210440 23658057
09.34%
filetype of file "-" is unknown4096 bytes needed to decompress this file
UNSUPPORTED_JPEG
FAIL test_suite/test_last_block.sh (exit status: 1)

FAIL: test_suite/test_truncated_zero_run


Loading 100971
./lepton -hugepages -decode -recodememory=24M - (NULL)
./lepton -hugepages -recode -recodememory=24M - (NULL)
Huge pages unsupported: falling back to ordinary pages
Huge pages unsupported: falling back to ordinary pages
lepton v1.0-
lepton v1.0-
7283097 bytes needed to decompress this file
65996 100971
65.36%
SHORT_READ
Timing encode: 0.042751 encode process exit: 0.042773
test_suite/timing_driver.cc:400: ret > 0filetype of file "-" is
unknown4096 bytes needed to decompress this file
UNSUPPORTED_JPEG
FAIL test_suite/test_truncated_zero_run (exit status: 134)


Testsuite summary for lepton 0.01

# TOTAL: 40
# PASS:  8
# SKIP:  0
# XFAIL: 0
# FAIL:  32
# XPASS: 0
# ERROR: 0

See ./test-suite.log
Please report to danie...@dropbox.com

Makefile:2320: recipe for target 'test-suite.log' failed
make[4]: *** [test-suite.log] Error 1
make[4]: Leaving directory '/build/lepton-1.2.1'
Makefile:2426: recipe for target 'check-TESTS' failed
make[3]: *** [check-TESTS] Error 2
make[3]: Leaving directory '/build/lepton-1.2.1'
Makefile:2905: recipe for target 'check-am' failed
make[2]: *** [check-am] Error 2
make[2]: Leaving directory '/build/lepton-1.2.1'
Makefile:3060: recipe for target 'test' failed
make[1]: *** [test] Error 2
make[1]: Leaving directory '/build/lepton-1.2.1'
dh_auto_test: make -j1 test VERBOSE=1 returned exit code 2
debian/rules:7: recipe for target 'build-arch' failed
make: *** [build-arch] Error 2
dpkg-buildpackage: error: debian/rules build-arch gave error exit status 2
-- 
Daniel Schepler
--- End Message ---
--- Begin Message ---
Source: lepton
Source-Version: 1.2.1+20170405-2

We believe that the bug you reported is fixed in the latest version of
lepton, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 835...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
ChangZhuo Chen (陳昌倬)  (supplier of updated lepton package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 27 May 2017 22:46:57 +0800
Source: lepton
Binary: lepton
Architecture: source
Version: 1.2.1+20170405-2
Distribution: unstable
Urgency: medium
Maintainer: Debian PhotoTools Maintainers 

Changed-By: ChangZhuo Chen (陳昌倬) 
Description:
 lepton - tool to compress JPEGs losslessly
Closes: 835108 863446
Changes:
 lepton (1.2.1+20170405-2) unstable; urgency=medium
 .
   * Add patches to support non-Intel architecture (Closes: #835108, #863446).
 Thanks Edmund Grimley Evans.
Checksums-Sha1:
 09fd89805c9e14a91a8533bc95c03e00ffce347b 2074 lepton_1.2.1+20170405-2.dsc
 ed7368dd2b08bf7edcd87d1498fced430721be4d 6108 
lepton_1.2.1+20170405-2.debian.tar.xz
 ae89604ca40a5fbe590bdcf38499321bead5ed07 6304 
lepton_1.2.1+20170405-2_source.buildinfo
Checksums-Sha256:
 ad335292c12208c163071f23bee43b13583daa628f737a6bd4a012d3d179c260 2074 
lepton_1.2.1+20170405-2.dsc
 411e15bc5dbc151

Bug#863286: completely broken in non-US locales

[Santiago Ruano Rincón]

Control: tags -1 + patch

On Thu, 25 May 2017 11:35:42 +1000 Daurnimator  wrote:
> On 25 May 2017 at 08:03, Steinar H. Gunderson  wrote:
> > lua-http cannot construct legal requests if a non-US locale (or more 
> > precisely,
> > anything using comma as decimal separator) is in use.
> 
> Fixed upstream in
> https://github.com/daurnimator/lua-http/commit/f822bbef48f8ee6b42ce4cca843d4cc10cd0f775
> 
> 

Hi,

In case you want to test it, I've uploaded a patched version to my
personal repo:
https://people.debian.org/~santiago/debian/santiago-unstable/

Cheers,

Santiago


signature.asc
Description: PGP signature

Processed: Re: Bug#863286: completely broken in non-US locales

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + patch
Bug #863286 [lua-http] completely broken in non-US locales
Added tag(s) patch.

-- 
863286: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863286
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863123: marked as done (imagemagick: CVE-2017-9143: Specially crafted arts file could lead to memory leak)

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 16:06:53 +
with message-id 
and subject line Bug#863123: fixed in imagemagick 8:6.9.7.4+dfsg-9
has caused the Debian Bug report #863123,
regarding imagemagick: CVE-2017-9143: Specially crafted arts file could lead to 
memory leak
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863123: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863123
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: src:imagemagick
Version: 8:6.9.7.4+dfsg-6
Severity: important
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.7.7.10-5+deb7u13
control: found -1 8:6.7.7.10-5+deb7u4
forwarded: https://github.com/ImageMagick/ImageMagick/issues/456

origin: 
https://github.com/ImageMagick/ImageMagick/commit/7b8c1df65b25d6671f113e2306982eded44ce3b4
bug: https://github.com/ImageMagick/ImageMagick/issues/456
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.9.7.4+dfsg-9

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 27 May 2017 15:54:06 +0200
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers 
libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl 
libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-3 
libmagickcore-6.q16-3-extra libmagickcore-6.q16-dev libmagickwand-6.q16-3 
libmagickwand-6.q16-dev libmagick++-6.q16-7 libmagick++-6.q16-dev 
libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-3 
libmagickcore-6.q16hdri-3-extra libmagickcore-6.q16hdri-dev 
libmagickwand-6.q16hdri-3 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-7 
libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common 
imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev 
imagemagick
Architecture: source
Version: 8:6.9.7.4+dfsg-9
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team 

Changed-By: Bastien Roucariès 
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
 imagemagick-common - image manipulation programs -- infrastructure dummy 
package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines 
-- Q16 versio
 libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics 
routines -- Q16HDRI ve
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header 
files
 libmagick++-6.q16-7 - C++ interface to ImageMagick -- quantum depth Q16
 libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
 libmagick++-6.q16hdri-7 - C++ interface to ImageMagick -- quantum depth Q16HDRI
 libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files 
(Q16HDRI)
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-arch-config - low-level image manipulation library - 
architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-3 - low-level image manipulation library -- quantum depth 
Q16
 libmagickcore-6.q16-3-extra - low-level image manipulation library - extra 
codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development 
files (Q16)
 libmagickcore-6.q16hdri-3 - low-level image manipulation library -- quantum 
depth Q16HDRI
 libmagickcore-6.q16hdri-3-extra - low-level image manipulation lib

Bug#863125: marked as done (imagemagick: CVE-2017-9142: A crafted file revealed an assertion failure in blob.c)

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 16:06:53 +
with message-id 
and subject line Bug#863125: fixed in imagemagick 8:6.9.7.4+dfsg-9
has caused the Debian Bug report #863125,
regarding imagemagick: CVE-2017-9142: A crafted file revealed an assertion 
failure in blob.c
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863125: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863125
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: src:imagemagick
Version: 8:6.9.7.4+dfsg-6
Severity: important
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.7.7.10-5+deb7u13
control: found -1 8:6.7.7.10-5+deb7u4
forwarded: https://github.com/ImageMagick/ImageMagick/issues/490
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.9.7.4+dfsg-9

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 27 May 2017 15:54:06 +0200
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers 
libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl 
libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-3 
libmagickcore-6.q16-3-extra libmagickcore-6.q16-dev libmagickwand-6.q16-3 
libmagickwand-6.q16-dev libmagick++-6.q16-7 libmagick++-6.q16-dev 
libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-3 
libmagickcore-6.q16hdri-3-extra libmagickcore-6.q16hdri-dev 
libmagickwand-6.q16hdri-3 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-7 
libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common 
imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev 
imagemagick
Architecture: source
Version: 8:6.9.7.4+dfsg-9
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team 

Changed-By: Bastien Roucariès 
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
 imagemagick-common - image manipulation programs -- infrastructure dummy 
package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines 
-- Q16 versio
 libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics 
routines -- Q16HDRI ve
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header 
files
 libmagick++-6.q16-7 - C++ interface to ImageMagick -- quantum depth Q16
 libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
 libmagick++-6.q16hdri-7 - C++ interface to ImageMagick -- quantum depth Q16HDRI
 libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files 
(Q16HDRI)
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-arch-config - low-level image manipulation library - 
architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-3 - low-level image manipulation library -- quantum depth 
Q16
 libmagickcore-6.q16-3-extra - low-level image manipulation library - extra 
codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development 
files (Q16)
 libmagickcore-6.q16hdri-3 - low-level image manipulation library -- quantum 
depth Q16HDRI
 libmagickcore-6.q16hdri-3-extra - low-level image manipulation library - extra 
codecs (Q16HDRI)
 libmagickcore-6.q16hdri-dev - low-level image manipulation library - 
development files (Q16HDRI
 libmagickcore-dev - low-level ima

Bug#862967: marked as done (imagemagick: CVE-2017-9098: use of uninitialized memory in RLE decoder)

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 16:06:53 +
with message-id 
and subject line Bug#862967: fixed in imagemagick 8:6.9.7.4+dfsg-9
has caused the Debian Bug report #862967,
regarding imagemagick: CVE-2017-9098: use of uninitialized memory in RLE decoder
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862967: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862967
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: imagemagick
Version: 8:6.9.7.4+dfsg-8
Severity: grave
Tags: security upstream patch

Hi

See 

https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html

for details, which has been addressed via

https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.9.7.4+dfsg-9

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 27 May 2017 15:54:06 +0200
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers 
libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl 
libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-3 
libmagickcore-6.q16-3-extra libmagickcore-6.q16-dev libmagickwand-6.q16-3 
libmagickwand-6.q16-dev libmagick++-6.q16-7 libmagick++-6.q16-dev 
libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-3 
libmagickcore-6.q16hdri-3-extra libmagickcore-6.q16hdri-dev 
libmagickwand-6.q16hdri-3 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-7 
libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common 
imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev 
imagemagick
Architecture: source
Version: 8:6.9.7.4+dfsg-9
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team 

Changed-By: Bastien Roucariès 
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
 imagemagick-common - image manipulation programs -- infrastructure dummy 
package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines 
-- Q16 versio
 libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics 
routines -- Q16HDRI ve
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header 
files
 libmagick++-6.q16-7 - C++ interface to ImageMagick -- quantum depth Q16
 libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
 libmagick++-6.q16hdri-7 - C++ interface to ImageMagick -- quantum depth Q16HDRI
 libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files 
(Q16HDRI)
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-arch-config - low-level image manipulation library - 
architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-3 - low-level image manipulation library -- quantum depth 
Q16
 libmagickcore-6.q16-3-extra - low-level image manipulation library - extra 
codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development 
files (Q16)
 libmagickcore-6.q16hdri-3 - low-level image manipulation library -- quantum 
depth Q16HDRI
 libmagickcore-6.q16hdri-3-extra - low-level image manipulation library - extra 
codecs (Q16HDRI)
 libmagickcore-6.q16hdri-dev - low-level image manipulation library - 
development files (Q16HDRI

Bug#863124: marked as done (imagemagick: CVE-2017-9141: A crafted file revealed an assertion failure in profile.c)

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 16:06:53 +
with message-id 
and subject line Bug#863124: fixed in imagemagick 8:6.9.7.4+dfsg-9
has caused the Debian Bug report #863124,
regarding imagemagick: CVE-2017-9141: A crafted file revealed an assertion 
failure in profile.c
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863124: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863124
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: src:imagemagick
Version: 8:6.9.7.4+dfsg-6
Severity: important
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.7.7.10-5+deb7u13
control: found -1 8:6.7.7.10-5+deb7u4
forwarded: https://github.com/ImageMagick/ImageMagick/issues/489
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.9.7.4+dfsg-9

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 27 May 2017 15:54:06 +0200
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers 
libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl 
libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-3 
libmagickcore-6.q16-3-extra libmagickcore-6.q16-dev libmagickwand-6.q16-3 
libmagickwand-6.q16-dev libmagick++-6.q16-7 libmagick++-6.q16-dev 
libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-3 
libmagickcore-6.q16hdri-3-extra libmagickcore-6.q16hdri-dev 
libmagickwand-6.q16hdri-3 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-7 
libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common 
imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev 
imagemagick
Architecture: source
Version: 8:6.9.7.4+dfsg-9
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team 

Changed-By: Bastien Roucariès 
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
 imagemagick-common - image manipulation programs -- infrastructure dummy 
package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines 
-- Q16 versio
 libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics 
routines -- Q16HDRI ve
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header 
files
 libmagick++-6.q16-7 - C++ interface to ImageMagick -- quantum depth Q16
 libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
 libmagick++-6.q16hdri-7 - C++ interface to ImageMagick -- quantum depth Q16HDRI
 libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files 
(Q16HDRI)
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-arch-config - low-level image manipulation library - 
architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-3 - low-level image manipulation library -- quantum depth 
Q16
 libmagickcore-6.q16-3-extra - low-level image manipulation library - extra 
codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development 
files (Q16)
 libmagickcore-6.q16hdri-3 - low-level image manipulation library -- quantum 
depth Q16HDRI
 libmagickcore-6.q16hdri-3-extra - low-level image manipulation library - extra 
codecs (Q16HDRI)
 libmagickcore-6.q16hdri-dev - low-level image manipulation library - 
development files (Q16HDRI
 libmagickcore-dev - low-level 

Bug#863126: marked as done (imagemagick: CVE-2017-9144: Check for EOF conditions for RLE image format)

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 16:06:53 +
with message-id 
and subject line Bug#863126: fixed in imagemagick 8:6.9.7.4+dfsg-9
has caused the Debian Bug report #863126,
regarding imagemagick: CVE-2017-9144: Check for EOF conditions for RLE image 
format
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863126: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863126
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: src:imagemagick
Version: 8:6.9.7.4+dfsg-6
Severity: important
Tags: security
X-Debbugs-CC: t...@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.7.7.10-5+deb7u13
control: found -1 8:6.7.7.10-5+deb7u4


Waiting for CVE

  origin: 
https://github.com/ImageMagick/ImageMagick/commit/7fdf9ea808caa3c81a0eb42656e5fafc59084198
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.9.7.4+dfsg-9

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès  (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 27 May 2017 15:54:06 +0200
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers 
libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl 
libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-3 
libmagickcore-6.q16-3-extra libmagickcore-6.q16-dev libmagickwand-6.q16-3 
libmagickwand-6.q16-dev libmagick++-6.q16-7 libmagick++-6.q16-dev 
libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-3 
libmagickcore-6.q16hdri-3-extra libmagickcore-6.q16hdri-dev 
libmagickwand-6.q16hdri-3 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-7 
libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common 
imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev 
imagemagick
Architecture: source
Version: 8:6.9.7.4+dfsg-9
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team 

Changed-By: Bastien Roucariès 
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
 imagemagick-common - image manipulation programs -- infrastructure dummy 
package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines 
-- Q16 versio
 libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics 
routines -- Q16HDRI ve
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header 
files
 libmagick++-6.q16-7 - C++ interface to ImageMagick -- quantum depth Q16
 libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
 libmagick++-6.q16hdri-7 - C++ interface to ImageMagick -- quantum depth Q16HDRI
 libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files 
(Q16HDRI)
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-arch-config - low-level image manipulation library - 
architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-3 - low-level image manipulation library -- quantum depth 
Q16
 libmagickcore-6.q16-3-extra - low-level image manipulation library - extra 
codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development 
files (Q16)
 libmagickcore-6.q16hdri-3 - low-level image manipulation library -- quantum 
depth Q16HDRI
 libmagickcore-6.q16hdri-3-extra - low-level image manipulation library - extra 
codecs (Q16HDRI)
 libmagickcore-6.q16hdri-dev - low-level image manipulation library - 
development fi

Bug#840572: ruby-benchmark-suite: FTBFS randomly (failing tests)

[Santiago Vila]

retitle 840572 ruby-benchmark-suite: FTBFS randomly (failing tests)
severity 840572 important
thanks

I built this package a lot of times today. So far I have one failure
and several hundred successful builds, so the probability of failure
may well be below 1% and this is really a "FTBFS randomly" bug.

I asked Release Managers what to do with bugs like this but it's still
undecided. The only thing I have is a guideline by Julien Cristau:

[...] if the failure rate is low enough I think a lower severity
can make sense.

(See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844264 for details)

Based on the above, it does not make sense to keep this as "serious".
I'm adding this bug to the collection of "FTBFS randomly" bugs:

https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=sanv...@debian.org;tag=ftbfs-randomly

Thanks.

Processed: Re: ruby-benchmark-suite: FTBFS randomly (failing tests)

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> retitle 840572 ruby-benchmark-suite: FTBFS randomly (failing tests)
Bug #840572 [src:ruby-benchmark-suite] ruby-benchmark-suite: FTBFS (failing 
tests)
Changed Bug title to 'ruby-benchmark-suite: FTBFS randomly (failing tests)' 
from 'ruby-benchmark-suite: FTBFS (failing tests)'.
> severity 840572 important
Bug #840572 [src:ruby-benchmark-suite] ruby-benchmark-suite: FTBFS randomly 
(failing tests)
Severity set to 'important' from 'serious'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
840572: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840572
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#851545: marked as done (libpam-modules: multiarch packages with differing files)

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 16:33:52 +
with message-id 
and subject line Bug#851545: fixed in pam 1.1.8-3.6
has caused the Debian Bug report #851545,
regarding libpam-modules: multiarch packages with differing files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
851545: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851545
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libpam-modules
Version: 1.1.8-3.1+deb8u2
Severity: important

Upon trying to upgrade to the latest Debian stable:

Preparing to unpack .../libpam-modules_1.1.8-3.1+deb8u2_i386.deb ...
Unpacking libpam-modules:i386 (1.1.8-3.1+deb8u2) over (1.1.8-3.1+deb8u1+b1) ...
dpkg: error processing archive 
/var/cache/apt/archives/libpam-modules_1.1.8-3.1+deb8u2_i386.deb (--unpack):
 trying to overwrite shared '/usr/share/man/man8/pam_unix.8.gz', which is 
different from other instances of package libpam-modules:i386

-- System Information:
Debian Release: 8.7
  APT prefers stable
  APT policy: (600, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=nb_NO.utf8, LC_CTYPE=nb_NO.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: pam
Source-Version: 1.1.8-3.6

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 851...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk  (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 27 May 2017 18:44:02 +0300
Source: pam
Binary: libpam0g libpam-modules libpam-modules-bin libpam-runtime libpam0g-dev 
libpam-cracklib libpam-doc
Architecture: source
Version: 1.1.8-3.6
Distribution: unstable
Urgency: medium
Maintainer: Steve Langasek 
Changed-By: Adrian Bunk 
Description:
 libpam-cracklib - PAM module to enable cracklib support
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-modules-bin - Pluggable Authentication Modules for PAM - helper binaries
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 851545
Changes:
 pam (1.1.8-3.6) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * cve-2015-3238.patch: Add the changes in the generated pam_exec.8
 and pam_unix.8 in addition to (and after) the changes to the
 source .xml files. This avoids unwanted rebuilds that can cause
 problems due to differing files on different architectures of
 the Multi-Arch: same libpam-modules. (Closes: #851545)
Checksums-Sha1:
 be772eeb76a53036402450ffc8696c4f3a3ddc23 2572 pam_1.1.8-3.6.dsc
 630a45a9ea8a8aca41f7f9c8f5c51351916e2dd6 139492 pam_1.1.8-3.6.diff.gz
Checksums-Sha256:
 7bd7a3059c6ea5b97f5ce0460cbe20788f21bc59bd31ef5a28d7968f53373f5f 2572 
pam_1.1.8-3.6.dsc
 beba99299941c5648ff412d75ebd3407e4d769f5e5ab1fce6a5f2e58c40341ae 139492 
pam_1.1.8-3.6.diff.gz
Files:
 5b2447bdd934551ff6f4a4aad1a1e78d 2572 libs optional pam_1.1.8-3.6.dsc
 a7f9712e6aeb5e343ef27d718550f869 139492 libs optional pam_1.1.8-3.6.diff.gz

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAlkppTgACgkQiNJCh6LY
mLHbqg/+Lt/Fa1HImVj77b32thWBfbA313+MODsDwu+ysIRQ/cpS4w5IgR2nkN29
FWivK0G3uAkm/QPIisudmD7qg2i8CMM35NWu1srQBl++ooIdZUho/zK4Y4VAgvYY
8adGN9SleYeONLcWYmt/mvm/OuVUVIHFmGV883dI5hIUKTJcVoBHcNJc1RlIDvlw
u9suXpNRcYbrsBtzeAlCKGdbTJlIoL+sHKeKKHMSN7/KKkSUerK3kW2Y3nJBZav6
Vi0X5JlnjRq7td8Nv0dJ5Afu6j9H5mwi5QWHN1lfc+r+X1OnZFystFlj2FQsds4t
rMDT82TwekxBy4fwo7F1nzD3k/DMZItktg+OYQgzoBTwZXAnfx4bwQ1BWajYH+85
d/0gfJUevyZVKHiLfmHVLsaR0QhqO+47bq4nbDDMYwM7T8FbS0UpAhbq39OJ8fzH
ZBlbyBWFmL1n18Ba52xsEUto1J6l+/AQuWvOdMowrPYhi0Ku4kTNBYoq24D0ljJU
Lnf0vJRAc1RPAAuDugFDaKiPXCFjLiHo4ah89w2BYLirjWi1xzPwM5LFGgmp8sPC
E46A0pm2GFzFAdCGuSoHY2xSmwNYOJ1bzAPv1ptUQySANh2BE68zJP4P+7H8lLwG
+XnaePBrKI8D0LddEac5zTOCYjgH1Mg+a0mYqetVZQOT5PiDYtc=
=zWPi
-END PGP SIGNATURE End Message ---

Bug#863481: [Pkg-javascript-devel] Bug#863481: [node-concat-stream] Uninitialized Memory Exposure

[Ross Gammon]

Hi Bastien,

If you would like me to prepare an upload to unstable for this (&
unblock request), let me know. I have some time today & tomorrow - but
travelling with work next week. I have DM upload rights for it.

Only asking in case you are already working on it.

Cheers,

Ross

On 05/27/2017 04:51 PM, Bastien ROUCARIÈS wrote:
> Package: node-concat-stream
> Version: 1.5.1-1
> Severity: grave
> Tags: patch security fixed-upstream fixed-in-experimental
> X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
> forwarded: https://snyk.io/vuln/npm:concat-stream:20160901
>
> Overview
>
> concat-stream is writable stream that concatenates strings or binary data and 
> calls a callback with the result. Affected versions of the package are 
> vulnerable to Uninitialized Memory Exposure.
>
> A possible memory disclosure vulnerability exists when a value of type number 
> is provided to the stringConcat() method and results in concatination of 
> uninitialized memory to the stream collection.
>
> This is a result of unobstructed use of the Buffer constructor, whose 
> insecure 
> default constructor increases the odds of memory leakage.
>
>

Bug#863420: timemachine: segfaults on startup

[Chris Lamb]

James Cowgill wrote:

> I tested your fixes, unfortunately timemachine still segfaults on
> startup. This time it occurs in gtk_meterscale_new and it looks like the
> same pointer truncation problem there.

Huh, how did I miss that. Anyway, I've re-uploaded timemachine 0.3.3-2.1 to
DELAYED/5:
  
  timemachine (0.3.3-2.1) unstable; urgency=medium
  
* Non-maintainer upload.
* Fix two segmentation faults in src/gtkmeter.c and gtkmeterscale.c caused
  by passing a truncated pointers using guint instead of a GtkType.
  (Closes: #863420)

The full debdiff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diffstat for timemachine-0.3.3 timemachine-0.3.3

 changelog |9 +
 patches/0002-truncated-pointers.patch |   52 ++
 patches/series|1 
 3 files changed, 62 insertions(+)

diff -Nru timemachine-0.3.3/debian/changelog timemachine-0.3.3/debian/changelog
--- timemachine-0.3.3/debian/changelog  2013-10-06 14:13:24.0 +0100
+++ timemachine-0.3.3/debian/changelog  2017-05-27 09:41:19.0 +0100
@@ -1,3 +1,12 @@
+timemachine (0.3.3-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix two segmentation faults in src/gtkmeter.c and gtkmeterscale.c caused
+by passing a truncated pointers using guint instead of a GtkType.
+(Closes: #863420)
+
+ -- Chris Lamb   Sat, 27 May 2017 09:41:19 +0100
+
 timemachine (0.3.3-2) unstable; urgency=low
 
   * Team upload.
diff -Nru timemachine-0.3.3/debian/patches/0002-truncated-pointers.patch 
timemachine-0.3.3/debian/patches/0002-truncated-pointers.patch
--- timemachine-0.3.3/debian/patches/0002-truncated-pointers.patch  
1970-01-01 01:00:00.0 +0100
+++ timemachine-0.3.3/debian/patches/0002-truncated-pointers.patch  
2017-05-27 09:41:19.0 +0100
@@ -0,0 +1,52 @@
+--- timemachine-0.3.3.orig/src/gtkmeter.c
 timemachine-0.3.3/src/gtkmeter.c
+@@ -48,10 +48,10 @@ static float iec_scale(float db);
+ 
+ static GtkWidgetClass *parent_class = NULL;
+ 
+-guint
++GtkType
+ gtk_meter_get_type ()
+ {
+-  static guint meter_type = 0;
++  static GtkType meter_type = 0;
+ 
+   if (!meter_type)
+ {
+--- timemachine-0.3.3.orig/src/gtkmeter.h
 timemachine-0.3.3/src/gtkmeter.h
+@@ -87,7 +87,7 @@ struct _GtkMeterClass
+ GtkWidget* gtk_meter_new(GtkAdjustment *adjustment,
+gint direction);
+ 
+-guint  gtk_meter_get_type   (void);
++GtkTypegtk_meter_get_type   (void);
+ GtkAdjustment* gtk_meter_get_adjustment (GtkMeter *meter);
+ 
+ void   gtk_meter_set_adjustment (GtkMeter *meter,
+--- timemachine-0.3.3.orig/src/gtkmeterscale.c
 timemachine-0.3.3/src/gtkmeterscale.c
+@@ -45,10 +45,10 @@ static void meterscale_draw_notch(GtkMet
+ 
+ static GtkWidgetClass *parent_class = NULL;
+ 
+-guint
++GtkType
+ gtk_meterscale_get_type ()
+ {
+-  static guint meterscale_type = 0;
++  static GtkType meterscale_type = 0;
+ 
+   if (!meterscale_type)
+ {
+--- timemachine-0.3.3.orig/src/gtkmeterscale.h
 timemachine-0.3.3/src/gtkmeterscale.h
+@@ -67,7 +67,7 @@ GtkWidget* gtk_meterscale_new
+gfloat min,
+gfloat max);
+ 
+-guint  gtk_meterscale_get_type  (void);
++GtkTypegtk_meterscale_get_type  (void);
+ 
+ #ifdef __cplusplus
+ }
diff -Nru timemachine-0.3.3/debian/patches/series 
timemachine-0.3.3/debian/patches/series
--- timemachine-0.3.3/debian/patches/series 2013-10-06 14:09:12.0 
+0100
+++ timemachine-0.3.3/debian/patches/series 2017-05-27 09:41:19.0 
+0100
@@ -1 +1,2 @@
 0001-ldflags.patch
+0002-truncated-pointers.patch

Bug#855577: numba: FTBFS: several tests fail

[Daniel Stender]

For the latest upload (0.33.0 in experimental), the tests have been failsafed
again so that there are even packages building to try out.

Bug reports on the individual test failures and other remaining things to fix
are coming up.

Failsafe is going to be removed again when the package hits unstable.

DS

-- 
4096R/DF5182C8
Debian Developer (sten...@debian.org)
http://www.danielstender.com/

Bug#855577: marked as done (numba: FTBFS: several tests fail)

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 18:49:38 +
with message-id 
and subject line Bug#855577: fixed in numba 0.33.0-1
has caused the Debian Bug report #855577,
regarding numba: FTBFS: several tests fail
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
855577: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855577
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: numba
Version: 0.30.0-3
Severity: serious
Justification: fails to build from source

Looks like the maintainer upload for amd64 was built without running the
tests, since several tests fail on all platforms on the buildds
(and also if I rebuild it for amd64):

https://buildd.debian.org/status/package.php?p=numba&suite=experimental


Andreas
--- End Message ---
--- Begin Message ---
Source: numba
Source-Version: 0.33.0-1

We believe that the bug you reported is fixed in the latest version of
numba, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 855...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Stender  (supplier of updated numba package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 27 May 2017 20:24:54 +0200
Source: numba
Binary: python-numba python3-numba numba-doc
Architecture: source all amd64
Version: 0.33.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Science Maintainers 

Changed-By: Daniel Stender 
Description:
 numba-doc  - native machine code compiler for Python (docs)
 python-numba - native machine code compiler for Python 2
 python3-numba - native machine code compiler for Python 3
Closes: 855577
Changes:
 numba (0.33.0-1) experimental; urgency=medium
 .
   * New upstream release.
   * deb/control: bump llvmlite deps.
   * deb/copyright: expand copyright spans.
   * deb/rules: failsafe still failing testsuite (Closes: #855577).
Checksums-Sha1:
 476c3ea867170f40bd2183fd0e4113bfb73b2395 2320 numba_0.33.0-1.dsc
 e2d3d28cef0d0d2d6ab152ca5adefadff415a3e3 1218612 numba_0.33.0.orig.tar.xz
 f9829d874583b21e5ebbfb49ecc53745a52a3d13 8364 numba_0.33.0-1.debian.tar.xz
 91d06d2fac7ae374f31cc07446ac9cd0997d27ee 634588 numba-doc_0.33.0-1_all.deb
 f1af1a0ea9308c2b01a4083959b634c1321bbfc4 9331 numba_0.33.0-1_amd64.buildinfo
 fa1bd3343ef968fd87842d20fae8da3ca5efac4b 327566 
python-numba-dbgsym_0.33.0-1_amd64.deb
 141182fd2547d930897b7c839a372f7c8303a795 861032 python-numba_0.33.0-1_amd64.deb
 c3ed61e83ea24a63c206176e374c2d94d61a69ee 348306 
python3-numba-dbgsym_0.33.0-1_amd64.deb
 49ce9a939dc4508d573cd925d0c23f1b24149c0f 860664 
python3-numba_0.33.0-1_amd64.deb
Checksums-Sha256:
 89fab810428fc578c8fb11a827475b781907aff18975d4caa18ddd2b71e1027b 2320 
numba_0.33.0-1.dsc
 3c48ceb65eb039d2516b22881bb2b0fcb06b9d305f47b944a08ff6b7ef22badd 1218612 
numba_0.33.0.orig.tar.xz
 b7cc6d72345ad399a9504994cb0dbeaed3d3218b07bbfc6e744bfa204eb2dccc 8364 
numba_0.33.0-1.debian.tar.xz
 3637a6de38b461d57363340ca0dbfe5ab3786ded5ce3d0d7c159522ba03e5ced 634588 
numba-doc_0.33.0-1_all.deb
 ec3e0f024cad111c809e5170ec082dba0b5385695eea1757bd8b4b64a02c73f0 9331 
numba_0.33.0-1_amd64.buildinfo
 b4530250d4d0e03c09c5c16a99dd36be615e4da04bd19ce2fc00822b8fc2d365 327566 
python-numba-dbgsym_0.33.0-1_amd64.deb
 333f97c65076b8d2d7c1e5d4df28991837de0f00b7de3cd7faa68e8ee48004b5 861032 
python-numba_0.33.0-1_amd64.deb
 1db8085be0d023642c33c2463238231b3b2b1d2facd3f523bb0c52796945393d 348306 
python3-numba-dbgsym_0.33.0-1_amd64.deb
 463512b1eb3a857e5cade4d33bb034dfa4e70507bbb6ab1424c4e96e639faab8 860664 
python3-numba_0.33.0-1_amd64.deb
Files:
 c31d14e34d632e55e836323541dcb025 2320 science optional numba_0.33.0-1.dsc
 ab55e6ec48ab176199bbccc18a6e911d 1218612 science optional 
numba_0.33.0.orig.tar.xz
 95531f32cdce29b9787473694db8 8364 science optional 
numba_0.33.0-1.debian.tar.xz
 985fae5063a6e253e3de42a0ae45f18f 634588 doc optional numba-doc_0.33.0-1_all.deb
 f2249595a039d517338d9d47e8da9994 9331 science optional 
numba_0.33.0-1_amd64.buildinfo
 503e4b6bc192d8705d8552f1bdc7bab3 327566 debug extra 
python-numba-dbgsym_0.33.0-1_amd64.deb
 3dac9692643156f142d606976682a957 861032 python optional 
python-numba_0.33.0-1_amd64.deb
 7237499be33

Bug#863492: pavuk: segmentation fault when opening graphical "Limitations" window

[Chris Lamb]

Package: pavuk
Version: 0.9.35-6
Severity: serious

Hi,

Pavuk segmentation faults when opening the "Limitations" config window:

 $ pavuk -x https://debian.org/

 Select "Config" → "Limitations"


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-

Bug#863493: FTBFS with PHP 7.0.18+

[James Clarke]

Source: symfony
Version: 2.8.7+dfsg-1.2
Severity: serious
Tags: patch upstream fixed-upstream

Hi,
I noticed that symfony now FTBFS after the upload of php7.0 7.0.18-1,
with the following error in the test suite:

> 1) Symfony\Component\VarDumper\Tests\CliDumperTest::testThrowingCaster
> Failed asserting that format description matches text.
> --- Expected
> +++ Actual
> @@ @@
>  stream resource {@239
> -%Awrapper_type: "PHP"
> +  timed_out: false
> +  blocked: true
> +  eof: false
> +  wrapper_type: "PHP"
>stream_type: "MEMORY"
> -  mode: "%s+b"
> +  mode: "w+b"
>unread_bytes: 0
>seekable: true
>uri: "php://memory"
> -%Aoptions: []
> -  ⚠: Symfony\Component\VarDumper\Exception\ThrowingCasterException {#%d
> +  options: []
> +  ⚠: Symfony\Component\VarDumper\Exception\ThrowingCasterException {#411
>  #message: "Unexpected Exception thrown from a caster: Foobar"
>  -trace: {
> -  %d. __TwigTemplate_VarDumperFixture_u75a09->doDisplay() ==> new 
> Exception(): {
> +  22. __TwigTemplate_VarDumperFixture_u75a09->doDisplay() ==> new 
> Exception(): {
>  src: {
> -  %sTwig.php:19: """
> +  
> /<>/symfony-2.8.7+dfsg/src/Symfony/Component/VarDumper/Tests/Fixtures/Twig.php:19:
>  """
> 
> @@ @@
>}
> -  %d. Twig_Template->displayWithErrorHandling() ==> 
> __TwigTemplate_VarDumperFixture_u75a09->doDisplay(): {
> +  21. Twig_Template->displayWithErrorHandling() ==> 
> __TwigTemplate_VarDumperFixture_u75a09->doDisplay(): {
>  src: {
> -  %sTemplate.php:%d: """
> +  /usr/share/php/Twig/Template.php:381: """
> 
> @@ @@
>}
> -  %d. Twig_Template->display() ==> 
> Twig_Template->displayWithErrorHandling(): {
> +  20. Twig_Template->display() ==> 
> Twig_Template->displayWithErrorHandling(): {
>  src: {
> -  %sTemplate.php:%d: """
> +  /usr/share/php/Twig/Template.php:355: """
> 
> @@ @@
>}
> -  %d. Twig_Template->render() ==> Twig_Template->display(): {
> +  19. Twig_Template->render() ==> Twig_Template->display(): {
>  src: {
> -  %sTemplate.php:%d: """
> +  /usr/share/php/Twig/Template.php:366: """
> 
> @@ @@
>}
> -  %d. %slosure%s() ==> Twig_Template->render(): {
> +  18. Symfony\Component\VarDumper\Tests\CliDumperTest->{closure}() ==> 
> Twig_Template->render(): {
>  src: {
> -  %sCliDumperTest.php:189: """
> -}\n
> -};'),\n
> -));\n
> +  
> /<>/symfony-2.8.7+dfsg/src/Symfony/Component/VarDumper/Tests/CliDumperTest.php:183:
>  """
> +$cloner->addCasters(array(\n
> +':stream' => eval('return function () use ($twig) {\n
> +try {\n
>  """
>  }
>}
>  }
>}
>  }
> 
> /<>/symfony-2.8.7+dfsg/src/Symfony/Component/VarDumper/Tests/CliDumperTest.php:277

The difference is that the line number for CliDumperTest.php right at
the end is no longer correct, and has some different code after it.
Upstream fixed this already[1,2], and these changes are also in #863441,
but there are other changes not required for PHP 7.0, hence the separate
bug. I am happy to NMU again with just the changes needed, and will do
so if I do not hear anything soon, as the release is approaching and
this will otherwise become a stretch-will-remove bug.

Regards,
James

[1] 
https://github.com/symfony/symfony/commit/3672c01e3c7182888a42b74e2864a20e21cfe7f5
[2] 
https://github.com/symfony/symfony/commit/6ef78ec55317ac473fa045706244ef1f97d4b2de
(only the change to CliDumperTest.php)

Bug#863495: Broken on (at least) amd64, looks in wrong path for libporg-log.so

[Andreas Moog]

Package: porg
Version: 2:0.10-1
Severity: serious

Hi there,

porg on (at least) amd64 is broken:

$ sudo porg -lp foo-1.0 "touch /usr/bin/foo"
ERROR: ld.so: object '/usr/lib/x86_64-linux-gnu/libporg-log.so' from LD_PRELOAD 
cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/x86_64-linux-gnu/libporg-log.so' from LD_PRELOAD 
cannot be preloaded (cannot open shared object file): ignored.
porg: foo-1.0: No files to log

Let me know if you need any more information from me.

There is a Ubuntu report about the same issue in Ubuntu:
https://bugs.launchpad.net/bugs/1664429

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (650, 'unstable'), (500, 'unstable-debug'), (450, 
'experimental'), (1, 'experimental-debug')
Architecture: amd64
 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages porg depends on:
ii  libc6   2.24-10
ii  libgcc1 1:6.3.0-18
ii  libstdc++6  6.3.0-18

porg recommends no packages.

porg suggests no packages.

-- no debconf information

Bug#863492: pavuk: segmentation fault when opening graphical "Limitations" window

[Chris Lamb]

tags 863492 + pending patch
thanks

I've uploaded pavuk 0.9.35-6.1 to DELAYED/5:
  
  pavuk (0.9.35-6.1) unstable; urgency=medium
  
* Non-maintainer upload.
* Fix segmentation fault when opening graphical "Limitations" window due to
  pointer truncation in src/gtkmulticol.[ch]. (Closes: #863492)

The full debdiff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diffstat for pavuk-0.9.35 pavuk-0.9.35

 changelog   |8 
 patches/18-fix-pointer-truncation.patch |   25 +
 patches/series  |1 +
 3 files changed, 34 insertions(+)

diff -Nru pavuk-0.9.35/debian/changelog pavuk-0.9.35/debian/changelog
--- pavuk-0.9.35/debian/changelog   2016-12-14 20:03:37.0 +
+++ pavuk-0.9.35/debian/changelog   2017-05-27 20:17:22.0 +0100
@@ -1,3 +1,11 @@
+pavuk (0.9.35-6.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix segmentation fault when opening graphical "Limitations" window due to
+pointer truncation in src/gtkmulticol.[ch]. (Closes: #863492)
+
+ -- Chris Lamb   Sat, 27 May 2017 20:17:22 +0100
+
 pavuk (0.9.35-6) unstable; urgency=low
 
   * debian/watch: update to v4 to make it work
diff -Nru pavuk-0.9.35/debian/patches/18-fix-pointer-truncation.patch 
pavuk-0.9.35/debian/patches/18-fix-pointer-truncation.patch
--- pavuk-0.9.35/debian/patches/18-fix-pointer-truncation.patch 1970-01-01 
01:00:00.0 +0100
+++ pavuk-0.9.35/debian/patches/18-fix-pointer-truncation.patch 2017-05-27 
20:17:22.0 +0100
@@ -0,0 +1,25 @@
+--- pavuk-0.9.35.orig/src/gtkmulticol.c
 pavuk-0.9.35/src/gtkmulticol.c
+@@ -48,9 +48,9 @@ static void gtk_multicol_size_request(Gt
+ static void gtk_multicol_size_allocate(GtkWidget * widget,
+   GtkAllocation * allocation);
+ 
+-guint gtk_multicol_get_type()
++GtkType gtk_multicol_get_type()
+ {
+-  static guint multicol_type = 0;
++  static GtkType multicol_type = 0;
+ 
+   if(!multicol_type)
+   {
+--- pavuk-0.9.35.orig/src/gtkmulticol.h
 pavuk-0.9.35/src/gtkmulticol.h
+@@ -41,7 +41,7 @@ extern "C"
+ GtkBoxClass parent_class;
+   };
+ 
+-  guint gtk_multicol_get_type(void);
++  GtkType gtk_multicol_get_type(void);
+   GtkWidget *gtk_multicol_new(gint nrows);
+   void gtk_multicol_set_number_of_rows(GtkMultiCol * multicol, gint nrows);
+   void gtk_multicol_set_spacing(GtkMultiCol * multicol,
diff -Nru pavuk-0.9.35/debian/patches/series pavuk-0.9.35/debian/patches/series
--- pavuk-0.9.35/debian/patches/series  2016-12-14 20:03:37.0 +
+++ pavuk-0.9.35/debian/patches/series  2017-05-27 20:17:22.0 +0100
@@ -6,3 +6,4 @@
 15-pavuk-nossl3.patch
 16-reproducible-build.patch
 #17-mozjs185.patch
+18-fix-pointer-truncation.patch

Processed: Re: pavuk: segmentation fault when opening graphical "Limitations" window

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 863492 + pending patch
Bug #863492 [pavuk] pavuk: segmentation fault when opening graphical 
"Limitations" window
Added tag(s) pending and patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863492: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863492
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863493: [pkg-php-pear] Bug#863493: FTBFS with PHP 7.0.18+

[David Prévot]

Hi James,

Le 27/05/2017 à 09:08, James Clarke a écrit :
> Source: symfony
> Version: 2.8.7+dfsg-1.2

> I noticed that symfony now FTBFS after the upload of php7.0 7.0.18-1,

Thanks!

> I am happy to NMU again with just the changes needed

Please, go ahead, I don’t have much time currently, and haven’t heard of
Daniel for quite some time either. Your help is much appreciated.

Regards



signature.asc
Description: OpenPGP digital signature

Bug#863481: [Pkg-javascript-devel] Bug#863481: [node-concat-stream] Uninitialized Memory Exposure

[roucaries bastien]

I can do it but I do not know that is the best:
- let 1.6 go to unstable
- patch old version

Could you ask release team.

The debdiff between the two version is so small that I have doubt

On Sat, May 27, 2017 at 6:53 PM, Ross Gammon  wrote:
> Hi Bastien,
>
> If you would like me to prepare an upload to unstable for this (& unblock
> request), let me know. I have some time today & tomorrow - but travelling
> with work next week. I have DM upload rights for it.
>
> Only asking in case you are already working on it.
>
> Cheers,
>
> Ross
>
>
> On 05/27/2017 04:51 PM, Bastien ROUCARIÈS wrote:
>
> Package: node-concat-stream
> Version: 1.5.1-1
> Severity: grave
> Tags: patch security fixed-upstream fixed-in-experimental
> X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
> forwarded: https://snyk.io/vuln/npm:concat-stream:20160901
>
> Overview
>
> concat-stream is writable stream that concatenates strings or binary data
> and
> calls a callback with the result. Affected versions of the package are
> vulnerable to Uninitialized Memory Exposure.
>
> A possible memory disclosure vulnerability exists when a value of type
> number
> is provided to the stringConcat() method and results in concatination of
> uninitialized memory to the stream collection.
>
> This is a result of unobstructed use of the Buffer constructor, whose
> insecure
> default constructor increases the odds of memory leakage.
>
>
>
>

Bug#863493: symfony: diff for NMU version 2.8.7+dfsg-1.3

[James Clarke]

Dear maintainer,

I've prepared an NMU for symfony (versioned as 2.8.7+dfsg-1.3) and
uploaded it to unstable. The diff is attached to this message.

Regards,
James
diff -Nru symfony-2.8.7+dfsg/debian/changelog symfony-2.8.7+dfsg/debian/changelog
--- symfony-2.8.7+dfsg/debian/changelog	2017-01-29 16:05:28.0 +
+++ symfony-2.8.7+dfsg/debian/changelog	2017-05-27 20:39:09.0 +0100
@@ -1,3 +1,13 @@
+symfony (2.8.7+dfsg-1.3) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport additional upstream patches needed after PHP 7.0.18 upload
+(Closes: #863493):
+- [VarDumper] Relax tests to adapt for php 7.1rc4
+- [VarDumper] Relax line number for CliDumperTest
+
+ -- James Clarke   Sat, 27 May 2017 20:39:09 +0100
+
 symfony (2.8.7+dfsg-1.2) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru symfony-2.8.7+dfsg/debian/patches/series symfony-2.8.7+dfsg/debian/patches/series
--- symfony-2.8.7+dfsg/debian/patches/series	2017-01-29 16:05:28.0 +
+++ symfony-2.8.7+dfsg/debian/patches/series	2017-05-27 20:39:09.0 +0100
@@ -7,3 +7,5 @@
 do-not-depend-on-a-fixed-date-in-layout-
 update-ipvalidatortest-data-set-with-a-v
 relax-1-test-failing-with-latest-php-ver
+vardumper-relax-tests-to-adapt-for-php-7
+vardumper-relax-line-number-for-clidumpe
diff -Nru symfony-2.8.7+dfsg/debian/patches/vardumper-relax-line-number-for-clidumpe symfony-2.8.7+dfsg/debian/patches/vardumper-relax-line-number-for-clidumpe
--- symfony-2.8.7+dfsg/debian/patches/vardumper-relax-line-number-for-clidumpe	1970-01-01 01:00:00.0 +0100
+++ symfony-2.8.7+dfsg/debian/patches/vardumper-relax-line-number-for-clidumpe	2017-05-27 20:39:09.0 +0100
@@ -0,0 +1,28 @@
+From: James Clarke 
+Date: Sat, 27 May 2017 19:48:09 +0100
+X-Dgit-Generated: 2.8.7+dfsg-1.3 d28625b7a6b1b5e9be0b3e2af3e79cbabf6a8bbe
+Subject: [VarDumper] Relax line number for CliDumperTest
+
+Origin: backport, https://github.com/symfony/symfony/commit/6ef78ec55317ac473fa045706244ef1f97d4b2de
+
+---
+
+--- symfony-2.8.7+dfsg.orig/src/Symfony/Component/VarDumper/Tests/CliDumperTest.php
 symfony-2.8.7+dfsg/src/Symfony/Component/VarDumper/Tests/CliDumperTest.php
+@@ -188,7 +188,6 @@ EOTXT
+ }
+ };'),
+ ));
+-$line = __LINE__ - 2;
+ $ref = (int) $out;
+ 
+ $data = $cloner->cloneVar($out);
+@@ -261,7 +260,7 @@ stream resource {@{$ref}
+   }
+   %d. %slosure%s() ==> Twig_Template->render(): {
+ src: {
+-  %sCliDumperTest.php:{$line}: """
++  %sCliDumperTest.php:%d: """
+ %A
+ """
+ }
diff -Nru symfony-2.8.7+dfsg/debian/patches/vardumper-relax-tests-to-adapt-for-php-7 symfony-2.8.7+dfsg/debian/patches/vardumper-relax-tests-to-adapt-for-php-7
--- symfony-2.8.7+dfsg/debian/patches/vardumper-relax-tests-to-adapt-for-php-7	1970-01-01 01:00:00.0 +0100
+++ symfony-2.8.7+dfsg/debian/patches/vardumper-relax-tests-to-adapt-for-php-7	2017-05-27 20:39:09.0 +0100
@@ -0,0 +1,22 @@
+From: Nicolas Grekas 
+Date: Fri, 7 Apr 2017 11:49:35 +0200
+X-Dgit-Generated: 2.8.7+dfsg-1.3 0d8f420c173478e3c199b75e16417bdee99faedf
+Subject: [VarDumper] Relax tests to adapt for php 7.1rc4
+
+Origin: https://github.com/symfony/symfony/commit/3672c01e3c7182888a42b74e2864a20e21cfe7f5
+
+---
+
+--- symfony-2.8.7+dfsg.orig/src/Symfony/Component/VarDumper/Tests/CliDumperTest.php
 symfony-2.8.7+dfsg/src/Symfony/Component/VarDumper/Tests/CliDumperTest.php
+@@ -262,9 +262,7 @@ stream resource {@{$ref}
+   %d. %slosure%s() ==> Twig_Template->render(): {
+ src: {
+   %sCliDumperTest.php:{$line}: """
+-}\\n
+-};'),\\n
+-));\\n
++%A
+ """
+ }
+   }

Bug#863501: numba: RuntimeError: cannot cache function 'simple_usecase' [amd64, i386, arm64]

[Daniel Stender]

Source: numba
Version: 0.33.0-1
Severity: serious

https://buildd.debian.org/status/fetch.php?pkg=numba&arch=i386&ver=0.33.0-1&stamp=1495914429&raw=0
https://buildd.debian.org/status/fetch.php?pkg=numba&arch=arm64&ver=0.33.0-1&stamp=1495916190&raw=0

This failure appeared in the tests:


_ TestCache.test_non_creatable_pycache _

self = 

@unittest.skipIf(os.name == "nt",
 "cannot easily make a directory read-only on Windows")
def test_non_creatable_pycache(self):
# Make it impossible to create the __pycache__ directory
old_perms = os.stat(self.tempdir).st_mode
os.chmod(self.tempdir, 0o500)
self.addCleanup(os.chmod, self.tempdir, old_perms)

>   self._test_pycache_fallback()

numba/tests/test_dispatcher.py:954: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
numba/tests/test_dispatcher.py:926: in _test_pycache_fallback
mod = self.import_module()
numba/tests/test_dispatcher.py:623: in import_module
mod = import_dynamic(self.modname)
numba/tests/support.py:527: in import_dynamic
__import__(modname)
/tmp/numba-tests.1000/test_cache-jXZpdc/dispatcher_caching_test_fodder.py:19: 
in 
@jit(cache=True, nopython=True)
numba/decorators.py:175: in wrapper
disp.enable_caching()
numba/dispatcher.py:490: in enable_caching
self._cache = FunctionCache(self.py_func)
numba/caching.py:594: in __init__
self._impl = self._impl_class(py_func)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = 
py_func = 

def __init__(self, py_func):
self._is_closure = bool(py_func.__closure__)
self._lineno = py_func.__code__.co_firstlineno
# Get qualname
try:
qualname = py_func.__qualname__
except AttributeError:
qualname = py_func.__name__
# Find a locator
source_path = inspect.getfile(py_func)
for cls in self._locator_classes:
locator = cls.from_function(py_func, source_path)
if locator is not None:
break
else:
raise RuntimeError("cannot cache function %r: no locator available "
>  "for file %r" % (qualname, source_path))
E   RuntimeError: cannot cache function 'simple_usecase': no locator 
available for file 
'/tmp/numba-tests.1000/test_cache-jXZpdc/dispatcher_caching_test_fodder.py'

numba/caching.py:330: RuntimeError


-- 
4096R/DF5182C8
Debian Developer (sten...@debian.org)
http://www.danielstender.com/

Bug#863503: numba: numba/compiler.py:243: ConstantInferenceError [amd64, i386, arm64]

[Daniel Stender]

Source: numba
Version: 0.33.0-1
Severity: serious

https://buildd.debian.org/status/fetch.php?pkg=numba&arch=i386&ver=0.33.0-1&stamp=1495914429&raw=0
https://buildd.debian.org/status/fetch.php?pkg=numba&arch=arm64&ver=0.33.0-1&stamp=1495916190&raw=0

This failure appears among the tests several times:


__ TestRaising.test_assert_statement_nopython __

self = 

def test_assert_statement_nopython(self):
>   self.check_assert_statement(flags=no_pyobj_flags)

numba/tests/test_exceptions.py:199: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
numba/tests/test_exceptions.py:188: in check_assert_statement
cres = compile_isolated(pyfunc, (types.int32,), flags=flags)
numba/compiler.py:150: in compile_isolated
flags, locals)
numba/compiler.py:704: in compile_extra
return pipeline.compile_extra(func)
numba/compiler.py:357: in compile_extra
return self._compile_bytecode()
numba/compiler.py:665: in _compile_bytecode
return self._compile_core()
numba/compiler.py:652: in _compile_core
res = pm.run(self.status)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = 
status = fail_reason=None, can_fallback=False, can_giveup=False

def run(self, status):
assert self._finalized, "PM must be finalized before run()"
res = None
for pipeline_name in self.pipeline_order:
event(pipeline_name)
is_final_pipeline = pipeline_name == self.pipeline_order[-1]
for stage, stage_name in self.pipeline_stages[pipeline_name]:
try:
event(stage_name)
stage()
except _EarlyPipelineCompletion as e:
return e.result
except BaseException as e:
msg = "Failed at %s (%s)" % (pipeline_name, stage_name)
patched_exception = self._patch_error(msg, e)
# No more fallback pipelines?
if is_final_pipeline:
>   raise patched_exception
E   ConstantInferenceError: Caused By:
E   Traceback (most recent call last):
E File 
"/<>/.pybuild/pythonX.Y_2.7/build/numba/compiler.py", line 235, in 
run
E   stage()
E File 
"/<>/.pybuild/pythonX.Y_2.7/build/numba/compiler.py", line 466, in 
stage_generic_rewrites
E   self, self.func_ir)
E File 
"/<>/.pybuild/pythonX.Y_2.7/build/numba/rewrites/registry.py", 
line 71, in apply
E   pipeline.calltypes)
E File 
"/<>/.pybuild/pythonX.Y_2.7/build/numba/rewrites/static_raise.py", 
line 43, in match
E   const = interp.infer_constant(inst.exception)
E File 
"/<>/.pybuild/pythonX.Y_2.7/build/numba/ir.py", line 873, in 
infer_constant
E   return self._consts.infer_constant(name)
E File 
"/<>/.pybuild/pythonX.Y_2.7/build/numba/consts.py", line 44, in 
infer_constant
E   raise exc(*args)
E   ConstantInferenceError: constant inference not possible 
for call $108.23(@py_format6)
E   
E   Failed at nopython (nopython rewrites)
E   constant inference not possible for call 
$108.23(@py_format6)

numba/compiler.py:243: ConstantInferenceError


-- 
4096R/DF5182C8
Debian Developer (sten...@debian.org)
http://www.danielstender.com/

Bug#854819: marked as done (GnuPG support broken in Horde / Debian 9)

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 22:42:33 +0200
with message-id 

and subject line Done in php-horde-crypt 2.7.8-1
has caused the Debian Bug report #854819,
regarding GnuPG support broken in Horde / Debian 9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
854819: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854819
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: php-horde-crypt
Version: 2.7.5-1
Severity: important
Control: tag -1 patch
Control: forwarded -1 https://bugs.horde.org/ticket/14014

Just upgraded my Horde Instance to Debian 9 and realized that GnuPG  
support is broken. The below patch fixes things here:


```
Index: Horde/Crypt/Pgp/Backend/Binary.php
===
--- Horde.orig/Crypt/Pgp/Backend/Binary.php	2017-02-10  
18:29:32.322658432 +0100

+++ Horde/Crypt/Pgp/Backend/Binary.php  2017-02-10 18:27:56.686190299 +0100
@@ -77,6 +77,11 @@
 '--yes',
 '--homedir ' . $this->_tempdir
 );
+$result = $this->_callGpg(array('--version'), 'r', null,  
false, false, true);

+/* gpg > 1.x requires specifying the pinentry-mode */
+if (!preg_match('/gpg \(GnuPG\) = (1\.[0-9\.]+)/',  
$result->stdout, $m)) {

+$this->_gnupg[] = '--pinentry-mode loopback';
+}
 }

```

However, in https://bugs.horde.org/ticket/14548, there was the above  
patch (I just picked the non-unit-testing part from it) and with that  
patch I can use GnuPG with Horde 5 and gpg2 again.


Greets,
Mike


--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de



pgp5oXv5LJKzD.pgp
Description: Digitale PGP-Signatur
--- End Message ---
--- Begin Message ---
Version: 2.7.8-1

Unfortunately I forgot to put this in the changelog:

php-horde-crypt (2.7.8-1) unstable; urgency=medium

  * New upstream version 2.7.8
- with GnuPG 2 support (incomplete)
- Remove 0001-Escape-user-provided-recipients-and-charset-data.patch, merged
  * Add gnupg as a test dependency (Closes: #849151)
  * Fix GnuPG 2 support (from https://github.com/horde/horde/pull/221)

 -- Mathieu Parent   Sat, 27 May 2017 22:14:43 +0200

Regards

-- 
Mathieu Parent--- End Message ---

Bug#863504: numba: AssertionError in TestRaising.test_assert_statement_objmode [amd64, i386, arm64]

[Daniel Stender]

Source: numba
Version: 0.33.0-1
Severity: serious

https://buildd.debian.org/status/fetch.php?pkg=numba&arch=arm64&ver=0.33.0-1&stamp=1495916190&raw=0
https://buildd.debian.org/status/fetch.php?pkg=numba&arch=i386&ver=0.33.0-1&stamp=1495914429&raw=0

This test failure appears:


__ TestRaising.test_assert_statement_objmode ___

self = 

def test_assert_statement_objmode(self):
>   self.check_assert_statement(flags=force_pyobj_flags)

numba/tests/test_exceptions.py:196: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
numba/tests/test_exceptions.py:193: in check_assert_statement
self.assertEqual(str(cm.exception), "bar")
E   AssertionError: 'bar\nassert 2 == 1' != 'bar'


-- 
4096R/DF5182C8
Debian Developer (sten...@debian.org)
http://www.danielstender.com/

Bug#863505: numba: AssertionError in TestTimedeltaArithmeticNoPython.test_mul and others [arm64]

[Daniel Stender]

Source: numba
Version: 0.33.0-1
Severity: serious

https://buildd.debian.org/status/fetch.php?pkg=numba&arch=arm64&ver=0.33.0-1&stamp=1495916190&raw=0

There are a couple of supposedly related test failures on arm64:


___ TestTimedeltaArithmeticNoPython.test_mul ___

self = 

def test_mul(self):
f = self.jit(mul_usecase)
def check(a, b, expected):
self.assertPreciseEqual(f(a, b), expected)
self.assertPreciseEqual(f(b, a), expected)

# non-int64 int * timedelta64
check(TD(3), np.uint32(2), TD(6))
# int * timedelta64
check(TD(3), 2, TD(6))
check(TD(3, 'ps'), 2, TD(6, 'ps'))
check(TD('NaT', 'ps'), 2, TD('NaT', 'ps'))
# float * timedelta64
check(TD(7), 1.5, TD(10))
check(TD(-7), 1.5, TD(-10))
check(TD(7, 'ps'), -1.5, TD(-10, 'ps'))
check(TD(-7), -1.5, TD(10))
check(TD('NaT', 'ps'), -1.5, TD('NaT', 'ps'))
>   check(TD(7, 'ps'), float('nan'), TD('NaT', 'ps'))

numba/tests/test_npdatetime.py:328: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
numba/tests/test_npdatetime.py:313: in check
self.assertPreciseEqual(f(a, b), expected)
numba/tests/support.py:257: in assertPreciseEqual
self.fail("when comparing %s and %s: %s" % (first, second, failure_msg))
E   AssertionError: when comparing 0 picoseconds and NaT: 
numpy.timedelta64(0,'ps') != numpy.timedelta64('NaT','ps')



___ TestLoopTypesDatetimeNoPython.test_multiply_dm_m ___

self = 

def test_template(self):
fn = _make_ufunc_usecase(ufunc)
>   self._check_loop(fn, ufunc, loop)

numba/tests/test_ufuncs.py:1514: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
numba/tests/test_ufuncs.py:1471: in _check_loop
self._check_ufunc_with_dtypes(fn, ufunc, letter_types)
numba/tests/test_ufuncs.py:1500: in _check_ufunc_with_dtypes
ulps=ulps)
numba/tests/support.py:257: in assertPreciseEqual
self.fail("when comparing %s and %s: %s" % (first, second, failure_msg))
E   AssertionError: when comparing [   -4 0 3 'NaT' 'NaT' 0-7 
'NaT'] and [   -4 0 3 'NaT' 'NaT' 0-7 0]: 
numpy.timedelta64('NaT','D') != numpy.timedelta64(0,'D') : ufunc 'multiply' 
arrays differ ([array([ 1.5,  0. ,  1.5,  nan, -3.5,  0. , -3.5,  nan]), 
array([   -3, 0, 2, 'NaT', 'NaT',-3, 2, 0], 
dtype='timedelta64[D]'), array([   -4, 0, 3, 'NaT', 'NaT', 0,
-7, 0], dtype='timedelta64[D]')]):
E   args: exact
E   expected [   -4 0 3 'NaT' 'NaT' 0-7 'NaT']
E   got [   -4 0 3 'NaT' 'NaT' 0-7 0]



___ TestLoopTypesDatetimeNoPython.test_multiply_md_m ___

self = 

def test_template(self):
fn = _make_ufunc_usecase(ufunc)
>   self._check_loop(fn, ufunc, loop)

numba/tests/test_ufuncs.py:1514: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
numba/tests/test_ufuncs.py:1471: in _check_loop
self._check_ufunc_with_dtypes(fn, ufunc, letter_types)
numba/tests/test_ufuncs.py:1500: in _check_ufunc_with_dtypes
ulps=ulps)
numba/tests/support.py:257: in assertPreciseEqual
self.fail("when comparing %s and %s: %s" % (first, second, failure_msg))
E   AssertionError: when comparing [   -7 'NaT' 3 0 0 'NaT'-4 
'NaT'] and [   -7 'NaT' 3 0 0 'NaT'-4 0]: 
numpy.timedelta64('NaT','D') != numpy.timedelta64(0,'D') : ufunc 'multiply' 
arrays differ ([array([2, 'NaT', 2, 0,-3, 'NaT',-3, 0], 
dtype='timedelta64[D]'), array([-3.5,  nan,  1.5,  0. ,  0. , -3.5,  1.5,  
nan]), array([   -7, 'NaT', 3, 0, 0, 'NaT',-4, 0], 
dtype='timedelta64[D]')]):
E   args: exact
E   expected [   -7 'NaT' 3 0 0 'NaT'-4 'NaT']
E   got [   -7 'NaT' 3 0 0 'NaT'-4 0]


-- 
4096R/DF5182C8
Debian Developer (sten...@debian.org)
http://www.danielstender.com/

Bug#863506: numba: KeyError in numba/tracing.py [amd64, i386, arm64]

[Daniel Stender]

Source: numba
Version: 0.33.0-1
Severity: serious

https://buildd.debian.org/status/fetch.php?pkg=numba&arch=i386&ver=0.33.0-1&stamp=1495914429&raw=0
https://buildd.debian.org/status/fetch.php?pkg=numba&arch=arm64&ver=0.33.0-1&stamp=1495916190&raw=0

This test failure appears:


_ test _

args = (), kwds = {}, fname = 'numba.tests.test_tracing.test', ftype = None

def wrapper(*args, **kwds):
if not logger.isEnabledFor(logging.INFO) or tls.tracing:
return func(*args, **kwds)

fname, ftype = find_function_info(func, spec, args)

try:
tls.tracing = True
>   enter, leave = create_events(fname, spec, args, kwds)

numba/tracing.py:103: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

fname = 'numba.tests.test_tracing.test'
spec = ArgSpec(args=['x', 'y', 'z'], varargs=None, keywords=None, 
defaults=(True,))
args = (), kwds = {}

def create_events(fname, spec, args, kwds):

values = dict()
if spec.defaults:
values = dict(zip(spec.args[-len(spec.defaults):],spec.defaults))
values.update(kwds)
values.update(list(zip(spec.args[:len(args)], args)))
>   positional = ['%s=%r'%(a, values.pop(a)) for a in spec.args]
E   KeyError: 'x'

numba/tracing.py:66: KeyError


-- 
4096R/DF5182C8
Debian Developer (sten...@debian.org)
http://www.danielstender.com/

Bug#863507: numba: tests are not running/immediately breaking (plugin custom failed with: exit code=1) [armel, armhf]

[Daniel Stender]

Source: numba
Version: 0.33.0-1
Severity: serious

https://buildd.debian.org/status/fetch.php?pkg=numba&arch=armel&ver=0.33.0-1&stamp=1495912245&raw=0
https://buildd.debian.org/status/fetch.php?pkg=numba&arch=armhf&ver=0.33.0-1&stamp=1495912383&raw=0

Tests are immediately breaking on armel and armhf:


PYBUILD_SYSTEM=custom PYBUILD_TEST_ARGS="cd {build_dir} && {interpreter} -Wd -m 
pytest numba/tests -v -rs" dh_auto_test || true
I: pybuild base:184: cd /«PKGBUILDDIR»/.pybuild/pythonX.Y_2.7/build && 
python2.7 -Wd -m pytest numba/tests -v -rs
= test session starts ==
platform linux2 -- Python 2.7.13, pytest-3.0.6, py-1.4.32, pluggy-0.4.0 -- 
/usr/bin/python2.7
cachedir: ../../../.cache
rootdir: /«PKGBUILDDIR», inifile: 
collecting ... E: pybuild pybuild:283: test: plugin custom failed with: exit 
code=1: cd /«PKGBUILDDIR»/.pybuild/pythonX.Y_2.7/build && python2.7 -Wd -m 
pytest numba/tests -v -rs
dh_auto_test: pybuild --test --test-pytest -i python{version} -p 2.7 returned 
exit code 13


-- 
4096R/DF5182C8
Debian Developer (sten...@debian.org)
http://www.danielstender.com/

Bug#863508: numba: FTBFS: LLVM ERROR: Program used external function '__aeabi_unwind_cpp_pr0' [armel, armhf]

[Daniel Stender]

Source: numba
Version: 0.33.0-1
Severity: serious

https://buildd.debian.org/status/fetch.php?pkg=numba&arch=armel&ver=0.33.0-1&stamp=1495912245&raw=0
https://buildd.debian.org/status/fetch.php?pkg=numba&arch=armhf&ver=0.33.0-1&stamp=1495912383&raw=0

FTBFS on armel and armhf:


http_proxy='127.0.0.1:9' sphinx-build -N -bhtml 
.pybuild/pythonX.Y_2.7/build/docs/source/ 
debian/numba-doc/usr/share/doc/numba-doc/html/
Running Sphinx v1.4.9
making output directory...
LLVM ERROR: Program used external function '__aeabi_unwind_cpp_pr0' which could 
not be resolved!
debian/rules:22: recipe for target 'override_dh_installdocs' failed
make[1]: *** [override_dh_installdocs] Error 1


-- 
4096R/DF5182C8
Debian Developer (sten...@debian.org)
http://www.danielstender.com/

Bug#863511: numba: segfault on test_array_reshape [ppc64el]

[Daniel Stender]

Source: numba
Version: 0.33.0-1
Severity: serious

https://buildd.debian.org/status/fetch.php?pkg=numba&arch=ppc64el&ver=0.33.0-1&stamp=1495912133&raw=0

Tests break with a segault on s390x:


numba/tests/test_array_manipulation.py::TestArrayManipulation::test_add_axis2_npm
 PASSED
numba/tests/test_array_manipulation.py::TestArrayManipulation::test_array_reshape
 Segmentation fault
E: pybuild pybuild:283: test: plugin custom failed with: exit code=139: cd 
/«PKGBUILDDIR»/.pybuild/pythonX.Y_2.7/build && python2.7 -Wd -m pytest 
numba/tests -v -rs
dh_auto_test: pybuild --test --test-pytest -i python{version} -p 2.7 returned 
exit code 13


-- 
4096R/DF5182C8
Debian Developer (sten...@debian.org)
http://www.danielstender.com/

Bug#863509: numba: test_mean_magnitude breaks (plugin custom failed with: exit code=1) [mips, mipsel]

[Daniel Stender]

Source: numba
Version: 0.33.0-1
Severity: serious

https://buildd.debian.org/status/fetch.php?pkg=numba&arch=mips&ver=0.33.0-1&stamp=1495913987&raw=0
https://buildd.debian.org/status/fetch.php?pkg=numba&arch=mipsel&ver=0.33.0-1&stamp=1495915594&raw=0

This test breaks appears on the mips archs:


numba/tests/test_array_reductions.py::TestArrayReductions::test_mean_basic 
PASSED
numba/tests/test_array_reductions.py::TestArrayReductions::test_mean_magnitude 
E: pybuild pybuild:283: test: plugin custom failed with: exit code=1: cd 
/«PKGBUILDDIR»/.pybuild/pythonX.Y_2.7/build && python2.7 -Wd -m pytest 
numba/tests -v -rs
dh_auto_test: pybuild --test --test-pytest -i python{version} -p 2.7 returned 
exit code 13


-- 
4096R/DF5182C8
Debian Developer (sten...@debian.org)
http://www.danielstender.com/

Bug#863512: numba: segfault on test_shape [s390x]

[Daniel Stender]

Source: numba
Version: 0.33.0-1
Severity: serious

https://buildd.debian.org/status/fetch.php?pkg=numba&arch=s390x&ver=0.33.0-1&stamp=1495911986&raw=0

This test breaks on s390x:


numba/tests/test_array_attr.py::TestNestedArrayAttr::test_shape Segmentation 
fault
E: pybuild pybuild:283: test: plugin custom failed with: exit code=139: cd 
/«PKGBUILDDIR»/.pybuild/pythonX.Y_2.7/build && python2.7 -Wd -m pytest 
numba/tests -v -rs
dh_auto_test: pybuild --test --test-pytest -i python{version} -p 2.7 returned 
exit code 13


-- 
4096R/DF5182C8
Debian Developer (sten...@debian.org)
http://www.danielstender.com/

Bug#863493: marked as done (FTBFS with PHP 7.0.18+)

[Debian Bug Tracking System]

Your message dated Sat, 27 May 2017 21:09:00 +
with message-id 
and subject line Bug#863493: fixed in symfony 2.8.7+dfsg-1.3
has caused the Debian Bug report #863493,
regarding FTBFS with PHP 7.0.18+
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863493: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863493
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: symfony
Version: 2.8.7+dfsg-1.2
Severity: serious
Tags: patch upstream fixed-upstream

Hi,
I noticed that symfony now FTBFS after the upload of php7.0 7.0.18-1,
with the following error in the test suite:

> 1) Symfony\Component\VarDumper\Tests\CliDumperTest::testThrowingCaster
> Failed asserting that format description matches text.
> --- Expected
> +++ Actual
> @@ @@
>  stream resource {@239
> -%Awrapper_type: "PHP"
> +  timed_out: false
> +  blocked: true
> +  eof: false
> +  wrapper_type: "PHP"
>stream_type: "MEMORY"
> -  mode: "%s+b"
> +  mode: "w+b"
>unread_bytes: 0
>seekable: true
>uri: "php://memory"
> -%Aoptions: []
> -  ⚠: Symfony\Component\VarDumper\Exception\ThrowingCasterException {#%d
> +  options: []
> +  ⚠: Symfony\Component\VarDumper\Exception\ThrowingCasterException {#411
>  #message: "Unexpected Exception thrown from a caster: Foobar"
>  -trace: {
> -  %d. __TwigTemplate_VarDumperFixture_u75a09->doDisplay() ==> new 
> Exception(): {
> +  22. __TwigTemplate_VarDumperFixture_u75a09->doDisplay() ==> new 
> Exception(): {
>  src: {
> -  %sTwig.php:19: """
> +  
> /<>/symfony-2.8.7+dfsg/src/Symfony/Component/VarDumper/Tests/Fixtures/Twig.php:19:
>  """
> 
> @@ @@
>}
> -  %d. Twig_Template->displayWithErrorHandling() ==> 
> __TwigTemplate_VarDumperFixture_u75a09->doDisplay(): {
> +  21. Twig_Template->displayWithErrorHandling() ==> 
> __TwigTemplate_VarDumperFixture_u75a09->doDisplay(): {
>  src: {
> -  %sTemplate.php:%d: """
> +  /usr/share/php/Twig/Template.php:381: """
> 
> @@ @@
>}
> -  %d. Twig_Template->display() ==> 
> Twig_Template->displayWithErrorHandling(): {
> +  20. Twig_Template->display() ==> 
> Twig_Template->displayWithErrorHandling(): {
>  src: {
> -  %sTemplate.php:%d: """
> +  /usr/share/php/Twig/Template.php:355: """
> 
> @@ @@
>}
> -  %d. Twig_Template->render() ==> Twig_Template->display(): {
> +  19. Twig_Template->render() ==> Twig_Template->display(): {
>  src: {
> -  %sTemplate.php:%d: """
> +  /usr/share/php/Twig/Template.php:366: """
> 
> @@ @@
>}
> -  %d. %slosure%s() ==> Twig_Template->render(): {
> +  18. Symfony\Component\VarDumper\Tests\CliDumperTest->{closure}() ==> 
> Twig_Template->render(): {
>  src: {
> -  %sCliDumperTest.php:189: """
> -}\n
> -};'),\n
> -));\n
> +  
> /<>/symfony-2.8.7+dfsg/src/Symfony/Component/VarDumper/Tests/CliDumperTest.php:183:
>  """
> +$cloner->addCasters(array(\n
> +':stream' => eval('return function () use ($twig) {\n
> +try {\n
>  """
>  }
>}
>  }
>}
>  }
> 
> /<>/symfony-2.8.7+dfsg/src/Symfony/Component/VarDumper/Tests/CliDumperTest.php:277

The difference is that the line number for CliDumperTest.php right at
the end is no longer correct, and has some different code after it.
Upstream fixed this already[1,2], and these changes are also in #863441,
but there are other changes not required for PHP 7.0, hence the separate
bug. I am happy to NMU again with just the changes needed, and will do
so if I do not hear anything soon, as the release is approaching and
this will otherwise become a stretch-will-remove bug.

Regards,
James

[1] 
https://github.com/symfony/symfony/commit/3672c01e3c7182888a42b74e2864a20e21cfe7f5
[2] 
https://github.com/symfony/symfony/commit/6ef78ec55317ac473fa045706244ef1f97d4b2de
(only the change to CliDumperTest.php)
--- End Message ---
--- Begin Message ---
Source: symfony
Source-Version: 2.8.7+dfsg-1.3

We believe that the bug you reported is fixed in the latest version of
symfony, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Clarke  (s

Bug#863515: CVE-2017-0350 CVE-2017-0351 CVE-2017-0352

[Moritz Muehlenhoff]

Source: nvidia-graphics-drivers
Severity: grave
Tags: security

Please see http://nvidia.custhelp.com/app/answers/detail/a_id/4462

Cheers,
Moritz

Bug#861536: runit-init: Cannot reboot or shutdown after installing (or removing) the package.

[Ivo De Decker]

Hi,

On Fri, May 26, 2017 at 12:04:59PM +0200, John Paul Adrian Glaubitz wrote:
> > > As the init system is a rather fundamental component of a Linux
> > > distribution, it affects many other packages, directly or indirectly
> > > and it's therefore too much of a burden to provide support for all
> > > init systems available in Debian. Although runit is available in
> > > Debian, it does not mean that it has to be fully supported.
> > 
> > If an init system is shipped in a stable release, it has to be supported.
> > Otherwise it should not be in a stable release.
> 
> Well, there is also ulibc being shipped with Debian stable. Yet, when
> someone tries to use it and breaks their system, it's not supported
> either. So, I don't think this policy can be sweepingly applied to
> every package.

There is no package named 'ulibc', so I guess that's a typo. If you meant
uclibc, that package only ships uclibc-source, so installing that doesn't
break anything.

> > > A possible solution would be to modify the runit postinst scripts
> > > in a way that it does not automatically overwrite the symlinks
> > > for the the above commands until the machine has been rebooted
> > > (e.g. by placing a script which is run only once after the system
> > > has been first rebooted with runit) so that the 'poweroff' and
> > > 'reboot' commands are still sent to systemd. However, the lack of
> > > a reply of the runit maintainer to this particular bug report seems
> > > to indicate that there is currently no interest for such a solution.
> > 
> > If the maintainer isn't interested in making sure that this package works as
> > expected, it isn't fit for a stable release...
> 
> I fully agree. However, runit is one of the packages which is not
> automatically removed.

No. But it can be manually removed.

> > > Thus, in order to prevent this bug report from blocking the release
> > > of Debian Stretch, I have reduced its severity to 'normal'. You
> > > are still welcome to propose a patch to address this issue though,
> > > it's just not relevant for the upcoming Debian release.
> > 
> > This is not a good reason to downgrade a bug.
> 
> Again, Debian has decided to adopt systemd as the standard init
> system, the same way we have decided to adopt glibc and the Linux
> kernel as the standard C libraries and kernels.
> 
> You really cannot expect a fundamental component like an init system
> to be easily replace by the end user the same way they can swap their
> default text editor.

Well, in that case there shouldn't be a package that tries to swap the init
system. If there is a package that provides the tools to do so, but lets you
do it on your own, that's a different story. It will still allow you to break
your system, but you can do that with lots of tools (certainly with your text
editor).

As there doesn't seem to be an easy way to get an acceptable runit-init
package, which replaces the init system by just installing a package, I don't
see how the current src:runit package can stay in stretch. If someone wants to
keep it, the best option is probably to remove the runit-init binary package,
so that the other binary packages can stay. As Roger noted, that would require
an NMU to do so.

I'd be happy to unblock such a change (if it happens in the next few days,
given the release timing announced in
https://lists.debian.org/debian-devel-announce/2017/05/msg2.html).

Cheers,

Ivo

Processed: tagging 863475

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 863475 - stretch
Bug #863475 [prosody] [prosody] Fails to initiate s2s when lua-event 0.4.3 is 
installed
Removed tag(s) stretch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863475: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863475
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863414: coyim FTBFS: xmpp: failed to verify TLS certificate: x509: certificate signed by unknown authority

[Chris Lamb]

Hi,

> coyim FTBFS: xmpp: failed to verify TLS certificate: x509:
> certificate signed by unknown authority

Adding `ca-certificates` to Build-Depends works, but then I get different
test failures in the same area (so not tagging as patch).

(Not that the package should really be accessing the internet in the first
place...)



Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-

Processed: tagging 863283

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> # probably unstable only, see #861333
> tags 863283 + sid
Bug #863283 [cantor-backend-r] cantor-backend-r: Cantor fails to start R 
server/session
Added tag(s) sid.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863283: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863283
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Broken on (at least) amd64, looks in wrong path for libporg-log.so

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 863495 + pending patch
Bug #863495 [porg] Broken on (at least) amd64, looks in wrong path for 
libporg-log.so
Added tag(s) patch and pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863495: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863495
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863495: Broken on (at least) amd64, looks in wrong path for libporg-log.so

[Chris Lamb]

tags 863495 + pending patch
thanks

I've uploaded porg 0.10-1.1 to DELAYED/5:
  
  porg (2:0.10-1.1) unstable; urgency=medium
  
* Non-maintainer upload.
* Fix broken LD_PRELOAD path for libporg-log.so. (Closes: #863495)

The full debdiff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diffstat for porg-0.10 porg-0.10

 changelog |7 +++
 rules |2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff -Nru porg-0.10/debian/changelog porg-0.10/debian/changelog
--- porg-0.10/debian/changelog  2016-06-15 05:02:24.0 +0100
+++ porg-0.10/debian/changelog  2017-05-27 23:11:56.0 +0100
@@ -1,3 +1,10 @@
+porg (2:0.10-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix broken LD_PRELOAD path for libporg-log.so. (Closes: #863495)
+
+ -- Chris Lamb   Sat, 27 May 2017 23:11:56 +0100
+
 porg (2:0.10-1) unstable; urgency=low
 
   * Initial release (Closes: #827932)
diff -Nru porg-0.10/debian/rules porg-0.10/debian/rules
--- porg-0.10/debian/rules  2016-06-15 05:02:24.0 +0100
+++ porg-0.10/debian/rules  2017-05-27 23:11:56.0 +0100
@@ -14,4 +14,4 @@
dh $@  --with autotools-dev
 
 override_dh_auto_configure:
-   dh_auto_configure -- --with-porg-logdir=/var/lib/porg
+   dh_auto_configure -- --with-porg-logdir=/var/lib/porg 
--libdir=/usr/lib/porg

Processed: tagging 863474

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> tags 863474 + patch
Bug #863474 [python-cryptography] python-cryptography: FTBFS with openssl 1.1.0f
Added tag(s) patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863474: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863474
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed (with 2 errors): nftables: "workstation" example causes unkillable application hangs

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> retitle 863518 nftables: "workstation" example causes unkillable
Bug #863518 [nftables] nftables: "workstation" example breaks alternate 
keyboard layout in gdm
Changed Bug title to 'nftables: "workstation" example causes unkillable' from 
'nftables: "workstation" example breaks alternate keyboard layout in gdm'.
> application hangs
Unknown command or malformed arguments to command.
> severity 863518 grave
Bug #863518 [nftables] nftables: "workstation" example causes unkillable
Severity set to 'grave' from 'important'
> submitter !
Unknown command or malformed arguments to command.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863518: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863518
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: your mail

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> retitle 863518 nftables: workstation example causes unkillable application 
> hangs
Bug #863518 [nftables] nftables: "workstation" example causes unkillable
Changed Bug title to 'nftables: workstation example causes unkillable 
application hangs' from 'nftables: "workstation" example causes unkillable'.
> submitter 863518 !
Bug #863518 [nftables] nftables: workstation example causes unkillable 
application hangs
Changed Bug submitter to 'Harlan Lieberman-Berg ' from 
'Harlan Lieberman-Berg '.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863518: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863518
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863286: completely broken in non-US locales

[Daurnimator]

On 28 May 2017 at 01:38, Santiago Ruano Rincón  wrote:
> In case you want to test it, I've uploaded a patched version to my
> personal repo:
> https://people.debian.org/~santiago/debian/santiago-unstable/


If patching the upstream, please update the version in
http/version.lua to something like version="0.1.debian-1"

However I'm hoping to make a 0.2 release today that includes the fix
(as well as others that weren't reported to debian directly): please
consider packaging that instead.

Bug#863474: marked as done (python-cryptography: FTBFS with openssl 1.1.0f)

[Debian Bug Tracking System]

Your message dated Sun, 28 May 2017 03:03:43 +
with message-id 
and subject line Bug#863474: fixed in python-cryptography 1.7.1-3
has caused the Debian Bug report #863474,
regarding python-cryptography: FTBFS with openssl 1.1.0f
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863474: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863474
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-cryptography
Version: 1.7.1-2
Severity: serious

Hi,

OpenSSL made ASN1_TIME_to_generalizedtime() take a const. But it
seems that python-cryptography has a local copy of the header
files, which now conflict with the one from OpenSSL.

It was discussed with python-cryptography and they agreed it was
their problem and they fixed it.

See:
https://github.com/openssl/openssl/pull/3360#issuecomment-304053330
https://github.com/pyca/cryptography/commit/6e7ea2e73e3baf31541c9533dc621d8913152848


Kurt
--- End Message ---
--- Begin Message ---
Source: python-cryptography
Source-Version: 1.7.1-3

We believe that the bug you reported is fixed in the latest version of
python-cryptography, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tristan Seligmann  (supplier of updated 
python-cryptography package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 28 May 2017 04:20:33 +0200
Source: python-cryptography
Binary: python-cryptography python3-cryptography python-cryptography-doc
Architecture: source
Version: 1.7.1-3
Distribution: unstable
Urgency: medium
Maintainer: Tristan Seligmann 
Changed-By: Tristan Seligmann 
Description:
 python-cryptography - Python library exposing cryptographic recipes and 
primitives (Pyt
 python-cryptography-doc - Python library exposing cryptographic recipes and 
primitives (doc
 python3-cryptography - Python library exposing cryptographic recipes and 
primitives (Pyt
Closes: 863474
Changes:
 python-cryptography (1.7.1-3) unstable; urgency=medium
 .
   * Apply patch 6e7ea2e7 from upstream to fix compilation against OpenSSL
 1.1.0f (closes: #863474).
Checksums-Sha1:
 650df88645aae964928e1ce1f9b998fe4bb95cd4 3328 python-cryptography_1.7.1-3.dsc
 e02677ccf1d9cb806618d619bf1123bc21fb6f55 26192 
python-cryptography_1.7.1-3.debian.tar.xz
 8bdcd91d118adbb8c6eac7e5b358e4420576d81b 7354 
python-cryptography_1.7.1-3_source.buildinfo
Checksums-Sha256:
 4a4b8135450a95970dd64a7260eed7897d5e95c332cbff08eae12dc0d1ac8d6c 3328 
python-cryptography_1.7.1-3.dsc
 3c269fcbbff4696bad24ba6d6ab03bac3ec8ed7d0fedcb9ffe40706406461485 26192 
python-cryptography_1.7.1-3.debian.tar.xz
 f47899bb71f4d90c8dd50302a51e3fd23aad9f35adfe4ab4faafcfff87be2ef5 7354 
python-cryptography_1.7.1-3_source.buildinfo
Files:
 572bd54241b16a80947b407967503615 3328 python optional 
python-cryptography_1.7.1-3.dsc
 c4494b76765760f37ed30abdaeaa2fe4 26192 python optional 
python-cryptography_1.7.1-3.debian.tar.xz
 2edc89b0a8b096f9dbb248953e40bf95 7354 python optional 
python-cryptography_1.7.1-3_source.buildinfo

-BEGIN PGP SIGNATURE-

iQGpBAEBCgCTFiEEXAZWhXVRbQoz/6ejwImQ+x9jeJMFAlkqONFfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDVD
MDY1Njg1NzU1MTZEMEEzM0ZGQTdBM0MwODk5MEZCMUY2Mzc4OTMVHG1pdGhyYW5k
aUBkZWJpYW4ub3JnAAoJEMCJkPsfY3iTsX8H/2KPYzEZcOZlo5e+NXIRytAyXWK3
dxmR48+vL/jwV6Vh1rm5+/6222Bhfh7V0qS3mKC4Y1x0q3vw9wDBub5qFZApz5RQ
Y3yn6pp2LRWoTD+yhJ0FxwmbHlo7rJWqqimK5Y3qEqx0nBaRLECk2dcxxrppatZs
urYKB3g7XpVb7Q5hqKPNnMJ+FdV6yFHtCQJ+LqyZBirdh2gtRi2PtnYGRbM+Lg7O
psdk0fjHVjx1lxOeY/IlM7Snhc5GTVH6Sd14jRexyanfPXQ6vcorze+ELVQM9hdF
y2WZTwLFoItkm+PcJdBxnyNHYef5q8DDFGdV+UfNS5PImkst8+QE9RBOZ18=
=32iW
-END PGP SIGNATURE End Message ---

Processed: retitle 863445 to gajim: CVE-2016-10376: possible to remote extract plain-text from encrypted sessions

[Debian Bug Tracking System]

Processing commands for cont...@bugs.debian.org:

> retitle 863445 gajim: CVE-2016-10376: possible to remote extract plain-text 
> from encrypted sessions
Bug #863445 {Done: deba...@debian.org (W. Martin Borgert)} [gajim] possible to 
remote extract plain-text from encrypted sessions
Changed Bug title to 'gajim: CVE-2016-10376: possible to remote extract 
plain-text from encrypted sessions' from 'possible to remote extract plain-text 
from encrypted sessions'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
863445: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863445
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#863286: completely broken in non-US locales

[Daurnimator]

On 28 May 2017 at 12:53, Daurnimator  wrote:
> However I'm hoping to make a 0.2 release today that includes the fix
> (as well as others that weren't reported to debian directly): please
> consider packaging that instead.

See http://daurnimator.com/post/161154248644/lua-http-v02-released and
https://github.com/daurnimator/lua-http/releases/tag/v0.2