Bug#1034042: marked as done (openvswitch: CVE-2023-1668: Remote traffic denial of service via crafted packets with IP proto 0)

2023-04-17 Thread Debian Bug Tracking System
Your message dated Mon, 17 Apr 2023 07:04:04 +
with message-id 
and subject line Bug#1034042: fixed in openvswitch 3.1.0-2
has caused the Debian Bug report #1034042,
regarding openvswitch: CVE-2023-1668: Remote traffic denial of service via 
crafted packets with IP proto 0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1034042: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034042
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openvswitch
Version: 3.1.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for openvswitch.

CVE-2023-1668[0]:
| Remote traffic denial of service via crafted packets with IP proto 0

Thomas and Luca, can you make sure the fix lands in bookworm via an
unblock request? For bullseye I'm not yet sure if we need a DSA or we
can go via the near bullseye point release.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1668
https://www.cve.org/CVERecord?id=CVE-2023-1668
[1] https://www.openwall.com/lists/oss-security/2023/04/06/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openvswitch
Source-Version: 3.1.0-2
Done: Thomas Goirand 

We believe that the bug you reported is fixed in the latest version of
openvswitch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1034...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand  (supplier of updated openvswitch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 11 Apr 2023 11:54:40 +0200
Source: openvswitch
Architecture: source
Version: 3.1.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack 
Changed-By: Thomas Goirand 
Closes: 1034042
Changes:
 openvswitch (3.1.0-2) unstable; urgency=high
 .
   * CVE-2023-1668: Remote traffic denial of service via crafted packets with IP
 proto 0. Applied upstream patch: ofproto-dpif-xlate: Always mask ip proto
 field (Closes: #1034042).
--- End Message ---


Bug#1031909: RC Bug tagged patch since more than one month (Was: python3-tk: bytecode not removed on upgrade)

2023-04-17 Thread Andreas Tille
Hi Matthias,

thanks to James Addison this RC bug is tagged patch.  It would help if
you could comment on this patch (either in Bug report or MR[1]).

Kind regards
   Andreas.


[1] https://salsa.debian.org/cpython-team/python3-stdlib/-/merge_requests/5

-- 
http://fam-tille.de



Bug#1033424: Please upload to delayed (Was: image-factory: FTBFS in testing: AssertionError: pylint found issues)

2023-04-17 Thread Andreas Tille
Hi Josef,

thanks for finding a patch for this problem.  I'd recommend uploading to
DELAYED (maybe with 3 or up to 7 days).  We are in deep freeze and having
RC bugs closed helps everybody.

Kind regards
   Andreas.

-- 
http://fam-tille.de



Bug#999526: Taking over package into Debian Python Team maintenance and fixing bug (Was: mdp: FTBFS with numpy 1.21 (in experimental): dh_auto_test: error: pybuild --test --test-pytest -i python{versi

2023-04-17 Thread Andreas Tille
Hi Tiziano and Yaroslav,

I'd volunteer to

   a) take over package into Debian Python Team (including
  using Salsa Git and Maintainer address of DPT) and
   b) apply the patch and upload the package

I'm not interested in just doing b) and hope you will find the time to
care for the package if you are not happy with a).  Please note that
there was an NMU which is not taken over in your repository at Github.

Kind regards
Andreas.

-- 
http://fam-tille.de



Bug#1034503: telegram-desktop: segmentation fault at ../sysdeps/x86_64/dl-machine.h:463

2023-04-17 Thread Brian
Package: telegram-desktop
Version: 3.1.1+ds-1~deb11u2
Severity: grave
Justification: renders package unusable

Dear Maintainer,

Was using telegram-desktop(3.1.1+ds-1~deb11u2) for a while then it stopped 
working.

When I tried to use it again, it got a segmentation fault.

I then used GDB to figure out if it can tell me what failed.
Looks like it died somewhere at ../sysdeps/x86_64/dl-machine.h:463 due to no 
such file or directory.

```bash
$ gdb telegram-desktop 
GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
.
Find the GDB manual and other documentation resources online at:
.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from telegram-desktop...
(No debugging symbols found in telegram-desktop)
(gdb) r
Starting program: /usr/bin/telegram-desktop 

Program received signal SIGSEGV, Segmentation fault.
0x77fde89b in elf_machine_rela (skip_ifunc=, 
reloc_addr_arg=0x58b4a758, version=, 
sym=0x55564688, reloc=0x558ed4b8, map=0x77ffe180)
at ../sysdeps/x86_64/dl-machine.h:463
463 ../sysdeps/x86_64/dl-machine.h: No such file or directory.
```

-- Package-specific info:

-- System Information:
Debian Release: 11.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-21-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_BAD_PAGE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages telegram-desktop depends on:
ii  libavcodec58                      7:4.3.5-0+deb11u1
ii  libavformat58                     7:4.3.5-0+deb11u1
ii  libavutil56                       7:4.3.5-0+deb11u1
ii  libc6                             2.31-13+deb11u5
ii  libdbusmenu-qt5-2                 0.9.3+16.04.20160218-2+b1
ii  libgcc-s1                         10.2.1-6
ii  libglib2.0-0                      2.66.8-1
ii  libglibmm-2.4-1v5                 2.64.2-2
ii  libhunspell-1.7-0                 1.7.0-3
ii  libjpeg62-turbo                   1:2.0.6-4
ii  libkf5waylandclient5              4:5.78.0-2
ii  liblz4-1                          1.9.3-2
ii  libminizip1                       1.1-8+b1
ii  libopenal1                        1:1.19.1-2
ii  libopus0                          1.3.1-0.1
ii  libqrcodegencpp1                  1.6.0-1
ii  libqt5core5a [qtbase-abi-5-15-2]  5.15.2+dfsg-9
ii  libqt5dbus5                       5.15.2+dfsg-9
ii  libqt5gui5                        5.15.2+dfsg-9
ii  libqt5network5                    5.15.2+dfsg-9
ii  libqt5svg5                        5.15.2-3
ii  libqt5waylandclient5 [qtwayland-client-abi-5-15-  5.15.2-3
ii  libqt5widgets5                    5.15.2+dfsg-9
ii  librlottie0-1                     0.1+dfsg-2
ii  libsigc++-2.0-0v5                 2.10.4-2
ii  libssl1.1                         1.1.1n-0+deb11u4
ii  libstdc++6                        10.2.1-6
ii  libswresample3                    7:4.3.5-0+deb11u1
ii  libswscale5                       7:4.3.5-0+deb11u1
ii  libx11-6                          2:1.7.2-1
ii  libxcb-keysyms1                   0.4.0-1+b2
ii  libxcb-record0                    1.14-3
ii  libxcb-screensaver0               1.14-3
ii  libxcb1                           1.14-3
ii  libxcomposite1                    1:0.4.5-1
ii  libxdamage1                       1:1.1.5-2
ii  libxext6                          2:1.3.3-1.1
ii  libxfixes3                        1:5.0.3-2
ii  libxrandr2                        2:1.5.1-1
ii  libxtst6                          2:1.2.3-1
ii  libxxhash0

Bug#1033424: Uploaded (Was: image-factory: FTBFS in testing: AssertionError: pylint found issues:)

2023-04-17 Thread Theppitak Karoonboonyanan
I have uploaded Josef Schneider's NMU to the 3-day DELAYED queue, as
per his request.

Regards,
-- 
Theppitak Karoonboonyanan
http://linux.thai.net/~thep/



Processed: Re: inkscape, etc. crashing with mismatched libpoppler102 and libpoppler-glib8

2023-04-17 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 patch
Bug #969907 [libpoppler-glib8] inkscape, etc. crashing with mismatched 
libpoppler102 and libpoppler-glib8
Bug #1012532 [libpoppler-glib8] inkscape: PDF import no longer works
Added tag(s) patch.
Added tag(s) patch.

-- 
1012532: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012532
969907: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969907
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#969907: inkscape, etc. crashing with mismatched libpoppler102 and libpoppler-glib8

2023-04-17 Thread Andreas Beckmann
Followup-For: Bug #969907
Control: tag -1 patch

https://salsa.debian.org/freedesktop-team/poppler/-/merge_requests/14
https://salsa.debian.org/multimedia-team/inkscape/-/merge_requests/4

Andreas



Processed: tagging 1031476

2023-04-17 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 1031476 - bookworm
Bug #1031476 [src:ruby-celluloid-io] ruby-celluloid-io: FTBFS: ERROR: Test 
"ruby3.1" failed: Failure/Error:
Removed tag(s) bookworm.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1031476: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031476
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#1032647: nvidia-driver: Intermittent black screen after updating to 525.89.02-1

2023-04-17 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #1032647 {Done: Andreas Beckmann } [nvidia-driver] 
nvidia-driver: Intermittent black screen after updating to 525.89.02-1
Added tag(s) moreinfo.

-- 
1032647: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032647
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1032647: nvidia-driver: Intermittent black screen after updating to 525.89.02-1

2023-04-17 Thread Andreas Beckmann

Control: tag -1 moreinfo

On 10/03/2023 14.28, Julien-Benjamin wrote:

> Package: nvidia-driver
> Version: 525.89.02-1


Could you retry with 525.105.17-1 from unstable?
And if that still doesn't work, with 530.41.03-1 from experimental?
(The packaged version of the 530 driver, not the one installed from the 
.run installer.)


Thanks

Andreas



Bug#1034221: caddy: dh_installsystemd doesn't handle files in /usr/lib/systemd/system

2023-04-17 Thread Peymaneh

Hi

On 16.04.23 at 17:37, Nilesh Patra wrote:

> Can you take care of this?


thanks for the mail Nilesh, I missed the bugreport.

I uploaded a fix just now and will contact the release team for 
unblocking :)




Bug#1034221: marked as done (caddy: dh_installsystemd doesn't handle files in /usr/lib/systemd/system)

2023-04-17 Thread Debian Bug Tracking System
Your message dated Mon, 17 Apr 2023 16:04:00 +
with message-id 
and subject line Bug#1034221: fixed in caddy 2.6.2-5
has caused the Debian Bug report #1034221,
regarding caddy: dh_installsystemd doesn't handle files in 
/usr/lib/systemd/system
to be marked as done.


-- 
1034221: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034221
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: caddy
Version: 2.6.2-4
Severity: serious
Tags: sid bookworm
User: debhel...@packages.debian.org
Usertags: systemd-files-in-usr-bookworm

Dear Maintainer,

It seems that your package caddy is shipping files (.service, .socket or
.timer) in /usr/lib/systemd/system.

This is not supported by the version of dh_installsystemd/debhelper currently
in unstable and bookworm (See: #1031695). That means that currently your
service might not be enabled at boot and/or started as expected.

With the freeze currently in effect, debhelper will not be fixed for bookworm.

As a result, could you please move these files to /lib/systemd/system instead
so they are properly detected by debhelper?
As soon as debhelper is supporting (not until bookworm+1 aka Trixie) you will
be able to move them back to the newer location.

Note that bookworm is currently in hard freeze, please limit the changes you
are uploading to the ones fixing RC bugs.  Also note that you might have to
request a freeze exception to the release team.
See: https://release.debian.org/testing/freeze_policy.html

Feel free to contact me if you have any questions.

Kind regards,
Laurent Bigonville

The list of packages has been generated with the following command:
apt-file search -x '^/usr/lib/systemd/system/.*\.(service|timer|socket)$'|cut -d: -f1|sort -u
--- End Message ---
--- Begin Message ---
Source: caddy
Source-Version: 2.6.2-5
Done: Peymaneh 

We believe that the bug you reported is fixed in the latest version of
caddy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1034...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peymaneh  (supplier of updated caddy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 17 Apr 2023 15:11:12 +0200
Source: caddy
Architecture: source
Version: 2.6.2-5
Distribution: unstable
Urgency: high
Maintainer: Debian Go Packaging Team 
Changed-By: Peymaneh 
Closes: 1034221
Changes:
 caddy (2.6.2-5) unstable; urgency=high
 .
   * d/caddy.install: Fix location for systemd files (Closes: #1034221)
--- End Message ---


Bug#1034524: libretro-bsnes-mercury: uses invalid architecture wildcards

2023-04-17 Thread Graham Inggs
Source: libretro-bsnes-mercury
Version: 094+git20220807-6
Severity: serious

Hi Maintainer

Since the upload of 094+git20220807-6, the
kodi-game-libretro-bsnes-mercury-* binary packages are no longer built
on armel and armhf [1][2][3].  This is due to the use of invalid
architecture wildcards 'any-armel' and 'any-armhf'.  These should be
replaced by 'any-arm' for each of three
kodi-game-libretro-bsnes-mercury-* binary packages in debian/control,
as follows:

-Architecture: any-amd64 any-arm64 any-armel any-armhf any-i386
any-powerpc any-ppc64 any-ppc64el any-riscv64 any-s390x any-sparc64

+Architecture: any-amd64 any-arm64 any-arm any-i386 any-powerpc
any-ppc64 any-ppc64el any-riscv64 any-s390x any-sparc64
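
Review bot: on the `+Architecture:` line, `any-arm` is a CPU wildcard, so it is broader than the two entries it replaces; that fits the stated goal of building on armel and armhf again, but the changelog entry should say so. The report asks for the change in all three kodi-game-libretro-bsnes-mercury-* stanzas while only one Architecture line is shown, so check that each stanza in debian/control gets the same replacement. `dpkg-architecture -a armhf -i any-arm` (and the same for armel) confirms the wildcard matches before upload.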

Regards
Graham


[1] https://packages.debian.org/unstable/kodi-game-libretro-bsnes-mercury-accuracy
[2] https://packages.debian.org/unstable/kodi-game-libretro-bsnes-mercury-balanced
[3] https://packages.debian.org/unstable/kodi-game-libretro-bsnes-mercury-performance



Bug#1034221: caddy: dh_installsystemd doesn't handle files in /usr/lib/systemd/system

2023-04-17 Thread Nilesh Patra
On Mon, Apr 17, 2023 at 03:47:43PM +, Peymaneh wrote:
> On 16.04.23 at 17:37, Nilesh Patra wrote:
> > Can you take care of this?
> 
> thanks for the mail Nilesh, I missed the bugreport.

In your fix, why not use Andreas' suggestion to install it via
"pkg-config --variable=systemdsystemunitdir systemd" ?
You might need to revert your fix again otherwise.

> I uploaded a fix just now and will contact the release team for unblocking.

I think that won't be needed. Caddy is a non-key package with (hopefully)
passing autopkgtest. You'll need to ask release team if full-freeze starts
before the next 20 days.

-- 
Best,
Nilesh




Bug#1033783: marked as done (nvidia-open-gpu-kernel-modules: CVE-2023-0184, CVE-2023-0189, CVE-2023-0180, CVE-2023-0183, CVE-2023-0185, CVE-2023-0187, CVE-2023-0198, CVE-2023-0199, CVE-2023-0188, CVE-

2023-04-17 Thread Debian Bug Tracking System
Your message dated Mon, 17 Apr 2023 16:49:20 +
with message-id 
and subject line Bug#1033783: fixed in nvidia-open-gpu-kernel-modules 
525.105.17-1
has caused the Debian Bug report #1033783,
regarding nvidia-open-gpu-kernel-modules: CVE-2023-0184, CVE-2023-0189, 
CVE-2023-0180, CVE-2023-0183, CVE-2023-0185, CVE-2023-0187, CVE-2023-0198, 
CVE-2023-0199, CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, CVE-2023-0195, 
CVE-2023-0191
to be marked as done.


-- 
1033783: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033783
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nvidia-graphics-drivers
Severity: serious
Tags: security upstream
X-Debbugs-Cc: Debian Security Team 
Control: clone -1 -2 -3 -4 -5 -6 -7 -8 -9 -10
Control: reassign -2 src:nvidia-graphics-drivers-legacy-340xx 340.76-6
Control: retitle -2 nvidia-graphics-drivers-legacy-340xx: CVE-2023-0184, 
CVE-2023-0189, CVE-2023-0180, CVE-2023-0185, CVE-2023-0198, CVE-2023-0199, 
CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, CVE-2023-0195, CVE-2023-0191
Control: tag -2 + wontfix
Control: reassign -3 src:nvidia-graphics-drivers-legacy-390xx 390.48-4
Control: retitle -3 nvidia-graphics-drivers-legacy-390xx: CVE-2023-0184, 
CVE-2023-0189, CVE-2023-0180, CVE-2023-0185, CVE-2023-0198, CVE-2023-0199, 
CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, CVE-2023-0195, CVE-2023-0191
Control: tag -3 + wontfix
Control: reassign -4 src:nvidia-graphics-drivers-tesla-418 418.87.01-1
Control: retitle -4 nvidia-graphics-drivers-tesla-418: CVE-2023-0184, 
CVE-2023-0189, CVE-2023-0180, CVE-2023-0185, CVE-2023-0198, CVE-2023-0199, 
CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, CVE-2023-0195, CVE-2023-0191
Control: tag -4 + wontfix
Control: reassign -5 src:nvidia-graphics-drivers-tesla-450 450.51.05-1
Control: retitle -5 nvidia-graphics-drivers-tesla-450: CVE-2023-0184, 
CVE-2023-0189, CVE-2023-0180, CVE-2023-0185, CVE-2023-0198, CVE-2023-0199, 
CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, CVE-2023-0195, CVE-2023-0191
Control: reassign -6 src:nvidia-graphics-drivers-tesla-460 460.32.03-1
Control: retitle -6 nvidia-graphics-drivers-tesla-460: CVE-2023-0184, 
CVE-2023-0189, CVE-2023-0180, CVE-2023-0185, CVE-2023-0187, CVE-2023-0198, 
CVE-2023-0199, CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, CVE-2023-0195, 
CVE-2023-0191
Control: tag -6 + wontfix
Control: close -6 460.106.00-3
Control: reassign -7 src:nvidia-graphics-drivers-tesla-470 470.57.02-1
Control: retitle -7 nvidia-graphics-drivers-tesla-470: CVE-2023-0184, 
CVE-2023-0189, CVE-2023-0180, CVE-2023-0185, CVE-2023-0187, CVE-2023-0198, 
CVE-2023-0199, CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, CVE-2023-0195, 
CVE-2023-0191
Control: reassign -8 src:nvidia-graphics-drivers-tesla-510 510.47.03-1
Control: retitle -8 nvidia-graphics-drivers-tesla-510: CVE-2023-0184, 
CVE-2023-0189, CVE-2023-0180, CVE-2023-0183, CVE-2023-0185, CVE-2023-0187, 
CVE-2023-0198, CVE-2023-0199, CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, 
CVE-2023-0195, CVE-2023-0191
Control: tag -8 + wontfix
Control: close -8 510.85.02-2
Control: reassign -9 src:nvidia-graphics-drivers-tesla 510.85.02-1
Control: retitle -9 nvidia-graphics-drivers-tesla: CVE-2023-0184, 
CVE-2023-0189, CVE-2023-0180, CVE-2023-0183, CVE-2023-0185, CVE-2023-0187, 
CVE-2023-0198, CVE-2023-0199, CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, 
CVE-2023-0195, CVE-2023-0191
Control: found -9 515.48.07-1
Control: found -9 525.60.13-1
Control: reassign -10 src:nvidia-open-gpu-kernel-modules 515.43.04-1
Control: retitle -10 nvidia-open-gpu-kernel-modules: CVE-2023-0184, 
CVE-2023-0189, CVE-2023-0180, CVE-2023-0183, CVE-2023-0185, CVE-2023-0187, 
CVE-2023-0198, CVE-2023-0199, CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, 
CVE-2023-0195, CVE-2023-0191
Control: found -10 520.56.06-1
Control: found -10 525.85.12-1
Control: found -10 530.30.02-1
Control: found -1 340.24-1
Control: found -1 343.22-1
Control: found -1 396.18-1
Control: found -1 430.14-1
Control: found -1 455.23.04-1
Control: found -1 465.24.02-1
Control: found -1 495.44-1
Control: found -1 515.48.07-1
Control: found -1 520.56.06-1
Control: found -1 525.53-1
Control: found -1 530.30.02-1
Control: fixed -1 530.41.03-1

https://nvidia.custhelp.com/app/answers/detail/a_id/5452

CVE-2023-0189   NVIDIA GPU Display Driver for Linux contains a
vulnerability in the kernel mode layer handler, which may lead to code
execution, denial of service, escalation of privileges, information
disclosure, and data tampering.

CVE-2023-0184   NVIDIA GPU Display Driver for Windows and Linux contains
a vulnerability i

Bug#1034221: caddy: dh_installsystemd doesn't handle files in /usr/lib/systemd/system

2023-04-17 Thread Peymaneh



On 17 April 2023 18:35:02 CEST, Nilesh Patra wrote:
>In your fix, why not use Andreas' suggestion to install it via
>"pkg-config --variable=systemdsystemunitdir systemd" ?
>You might need to revert your fix again otherwise.

That's true, my thinking was that, being in the middle of the freeze, going 
with the smallest possible change can cause the least issues, but I wrote 
myself a todo to go with Andreas' suggestion once that's over :)



Bug#1029504: marked as done (bat: /usr/bin/bat vs. /usr/sbin/bat in bacula-console-qt)

2023-04-17 Thread Debian Bug Tracking System
Your message dated Mon, 17 Apr 2023 20:50:35 +
with message-id 
and subject line Bug#1029504: fixed in rust-bat 0.22.1-4
has caused the Debian Bug report #1029504,
regarding bat: /usr/bin/bat vs. /usr/sbin/bat in bacula-console-qt
to be marked as done.


-- 
1029504: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029504
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bat
Version: 0.22.1-3
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Undoing the bat/batcat rename was not a good idea: while src:bacula no
longer ships the (transitional) /usr/bin/bat -> /usr/sbin/bat symlink in
bacula-console-qt, it still has the /usr/sbin/bat binary (and its
bat.1.gz manpage which is now causing a file conflict) and thus src:bat
may not use the /usr/bin/bat filename.

(bacula-console-qt should probably better move the manpage to section 8
if the binary resides in sbin, but that is not the point here.)


Andreas
--- End Message ---
--- Begin Message ---
Source: rust-bat
Source-Version: 0.22.1-4
Done: Sylvestre Ledru 

We believe that the bug you reported is fixed in the latest version of
rust-bat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1029...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sylvestre Ledru  (supplier of updated rust-bat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 17 Apr 2023 22:26:25 +0200
Source: rust-bat
Architecture: source
Version: 0.22.1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers 

Changed-By: Sylvestre Ledru 
Closes: 1029504
Changes:
 rust-bat (0.22.1-4) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * revert the renaming (closes: #1029504)
--- End Message ---


Bug#999526: Taking over package into Debian Python Team maintenance and fixing bug (Was: mdp: FTBFS with numpy 1.21 (in experimental): dh_auto_test: error: pybuild --test --test-pytest -i python{versi

2023-04-17 Thread Yaroslav Halchenko
Hi Andreas,

Thank you very much for offering help.  I think Tiziano would not mind,
so please feel very welcome to a) for the sake of b) or any other
goodness you would like to bring ;)

Note though that MDP is pretty much inactive project since a few years
back.  It seems it is still used by some and somewhat maintained
upstream, so might indeed be worthwhile keeping afloat in Debian but I
would not cry if it got RMed.

After/if packaging moves to a new repo on salsa, we can submit a
PR to add an empty out debian/ and add stub debian/README to that
upstream repo to signal that packaging moved to salsa.

Cheers,

On Mon, 17 Apr 2023, Andreas Tille wrote:

> Hi Tiziano and Yaroslav,

> I'd volunteer to

>a) take over package into Debian Python Team (including
>   using Salsa Git and Maintainer address of DPT) and
>b) apply the patch and upload the package

> I'm not interested in just doing b) and hope you will find the time to
> care for the package if you are not happy with a).  Please note that
> there was an NMU which is not taken over in your repository at Github.
-- 
Yaroslav O. Halchenko
Center for Open Neuroscience http://centerforopenneuroscience.org
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
WWW:   http://www.linkedin.com/in/yarik





Bug#1034182: marked as done (owslib: CVE-2023-27476)

2023-04-17 Thread Debian Bug Tracking System
Your message dated Tue, 18 Apr 2023 05:34:15 +
with message-id 
and subject line Bug#1034182: fixed in owslib 0.27.2-3
has caused the Debian Bug report #1034182,
regarding owslib: CVE-2023-27476
to be marked as done.


-- 
1034182: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034182
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: owslib
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for owslib.

CVE-2023-27476[0]:
| OWSLib is a Python package for client programming with Open Geospatial
| Consortium (OGC) web service interface standards, and their related
| content models. OWSLib's XML parser (which supports both `lxml` and
| `xml.etree`) does not disable entity resolution, and could lead to
| arbitrary file reads from an attacker-controlled XML payload. This
| affects all XML parsing in the codebase. This issue has been addressed
| in version 0.28.1. All users are advised to upgrade. The only known
| workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc`
| for details.

https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-27476
https://www.cve.org/CVERecord?id=CVE-2023-27476

Please adjust the affected versions in the BTS as needed.
--- End Message ---
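
The entity-resolution problem described in the CVE text above, seen from the consuming side, as an added example that is not OWSLib's code or the upstream patch: a standard-library guard that refuses any document declaring entities before it reaches ElementTree. The function names and sample documents are constructed for illustration; the guard also rejects internal entities, which goes beyond the file-read case in the advisory.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class EntityDeclarationForbidden(ValueError):
    """The document declares an entity inside its DOCTYPE."""


def _on_entity_decl(name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
    # expat calls this for every <!ENTITY ...> declaration, general or
    # parameter, before any reference to the entity is expanded.
    kind = "external" if (system_id or public_id) else "internal"
    raise EntityDeclarationForbidden(f"{kind} entity {name!r} declared")


def reject_entity_declarations(data: bytes) -> None:
    """Scan the document once and raise if it declares any entity."""
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = _on_entity_decl
    parser.Parse(data, True)  # exceptions raised in handlers propagate


def parse_untrusted(data: bytes) -> ET.Element:
    """Hypothetical wrapper: run the guard, then parse as usual."""
    reject_entity_declarations(data)
    return ET.fromstring(data)


def verdict(data: bytes) -> str:
    """Classify a document as accepted, rejected or malformed."""
    try:
        root = parse_untrusted(data)
    except EntityDeclarationForbidden as exc:
        return f"rejected: {exc}"
    except (expat.ExpatError, ET.ParseError) as exc:
        return f"malformed: {exc}"
    return f"accepted: <{root.tag}>"


# Constructed sample documents (not taken from the bug report).
BENIGN = (b'<?xml version="1.0"?>'
          b'<Capabilities version="1.3.0"><Title>demo</Title></Capabilities>')
# A DOCTYPE that only names a DTD declares no entity and is let through.
DOCTYPE_ONLY = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE Capabilities SYSTEM "http://example.invalid/caps.dtd">'
                b'<Capabilities/>')
# External entity pointing at a placeholder path: the case in the CVE text.
EXTERNAL = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///constructed/placeholder.txt">]>'
            b'<r>&ext;</r>')
# Internal entity: refused as well, since expansion can be abused for size.
INTERNAL = b'<!DOCTYPE r [<!ENTITY a "aaaa">]><r>&a;</r>'
MALFORMED = b'<r><unclosed></r>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("doctype-only", DOCTYPE_ONLY),
                       ("external", EXTERNAL), ("internal", INTERNAL),
                       ("malformed", MALFORMED)]:
        print(f"{label:13s} {verdict(doc)}")
```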
--- Begin Message ---
Source: owslib
Source-Version: 0.27.2-3
Done: Bas Couwenberg 

We believe that the bug you reported is fixed in the latest version of
owslib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1034...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bas Couwenberg  (supplier of updated owslib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 11 Apr 2023 06:30:11 +0200
Source: owslib
Architecture: source
Version: 0.27.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian GIS Project 
Changed-By: Bas Couwenberg 
Closes: 1034182
Changes:
 owslib (0.27.2-3) unstable; urgency=medium
 .
   * Team upload.
   * Add Rules-Requires-Root to control file.
   * Add py3dist overrides for dataclasses.
   * Fix 'Recommends' typo.
   * Bump Standards-Version to 4.6.2, no changes.
   * Add upstream patch to fix CVE-2023-27476.
 (closes: #1034182)
   * Add python3-lxml to build dependencies.