PSA: make sure to fork projects under 'lts-team/packages' as 'public'

2025-02-03 Thread Roberto C . Sánchez 
Hello everyone,

I wanted to make a quick PSA.

If you find that you need to fork a project under lts-team/packages,
please make sure that you choose to fork it as a public project. I just
encountered an example of a project that was forked as private and it
resulted in a very confused package-operations script*.

Regards,

-Roberto

* OK, OK. The script was not at all confused. It made the request, got
  back a 404 and said "nothing there". The operator, however, was
  another story.

-- 
Roberto C. Sánchez

Bug#1095109: wget: New upstream relase available: 1.25.0

2025-02-03 Thread Santiago Ruano Rincón 
Source: wget
Severity: normal
User: debian-lts@lists.debian.org
Usertags: upstream-trixie
X-Debbugs-Cc: debian-lts@lists.debian.org

Dear Noël,

Testing (trixie) currently ships wget 1.24.5-2. FYI, upstream released
1.25.0 on November 10th 2024:
https://ftp.gnu.org/gnu/wget/wget-1.25.0.tar.gz.

While I am not aware of any release schedule and EOL policy for
wget, I would say that the more recent release can be included in
trixie, the better. And the easier would be to provide security updates
to the users during the trixie life cycle.
However, I would like to know that 1.25.0 fixes CVE-2024-10524, dropping
support for shorthand URLs, which may break existing --but uncommon--
behaviour).

Do you have any plans to upload to wget to unstable (before the trixie
freeze)? Is it worth to try to do it?

If you need or want help packaging this more recent upstream version,
please don't hesitate to speak up.  Someone from the LTS team, may be
interested in contributing (CC'ing debian-lts).

Best regards,

 -- Santiago, for the LTS Team.


signature.asc
Description: PGP signature

Re: Bug#1073508: Bug#1074338: Bug#1073508: Bug#1074338: src:libxml2: fails to migrate to testing for too long: unresolved RC issue

2025-02-03 Thread Santiago Ruano Rincón 
Hi!

El 02/02/25 a las 22:29, Aron Xu escribió:
> On 2025年1月29日周三 19:32 Santiago Ruano Rincón  wrote:
> > > On Mon, Aug 19, 2024 at 3:54 PM Emilio Pozuelo Monfort 
> > wrote:
> > > >
> > > > On 17/08/2024 11:13, Paul Gevers wrote:
> > > > > Hi,
> > > > >
> > > > > [Disclaimer: I'm not the most experienced person on transitions in
> > the team, so
> > > > > I'd like for Graham, Emilio and/or Sebastian to check if they agree
> > with me.]
> > > > >
> > > > > Thanks for working on this.
> > > > >
> > > > > On 17-08-2024 05:58, Aron Xu wrote:
> > > > >> After some research, I prefer making a t64-like transition for
> > libxml2
> > > > >> for the following reasons:
> > > > >
> > > > > I'm a bit curious in how far you think this looks like a t64-like
> > transition as
> > > > > apposed to a regular c-library transition. Is it because the
> > libraries will not
> > > > > be co-installable, you don't bump SONAME and just rename the binary
> > package
> > > > > name? Even with all the work that went into the t64 transition,
> > we're starting
> > > > > to see hidden bugs [0] (although I think this can happen with any
> > transition).
> > > > >
> > > > >>   - Upstream is not prepared to bump the SONAME to something like
> > > > >> libxml3. Given the long history of this function library,
> > determining
> > > > >> which APIs should be public and which should be private is
> > > > >> challenging.
> > > > >
> > > > > That's why earlier I proposed a Debian specific SONAME, "in between"
> > 2 and 3.
> > > > > Upstream (I think) even suggested that [1].
> > > > >
> > > > >>   - The potential for breaking locally built software is minimal.
> > > > >> Although abi-compliance-checker raises many issues, most of them are
> > > > >> not used in the real world.
> > > > >
> > > > > Isn't the fact that we *caught* an issue in Debian the proof that
> > it's not just
> > > > > academic?
> > > > >
> > > > >>   - This approach is significantly easier and safer.
> > > > >
> > > > > I'm hesitant because we have well established procedures to handle
> > ABI breakage
> > > > > with SONAME bumps and how to handle them in Debian. Can you
> > elaborate on the
> > > > > easier and safer parts? Because I mostly see risks to deviate from
> > established
> > > > > paths as the corner cases on them are less known.
> > > >
> > > > I feel like the proposed change by Aron is the best course of action.
> > The
> > > > benefits are that we get everything rebuilt against the new package,
> > effectively
> > > > avoiding any issues with the ABI breaks inside Debian. And by
> > maintaining the
> > > > same SONAME as upstream, if a user installs a binary provided by a
> > 3rd-party,
> > > > then it will just work (assuming it was built for the newer releases
> > or is not
> > > > affected by the ABI breaks). The drawbacks are that the old and new
> > packages
> > > > won't be co-installable due to the file conflicts, and so the
> > transition will
> > > > have to happen in lockstep. It will also make it harder for apt to do
> > the
> > > > dist-upgrades from bookworm to trixie, which adds up to the t64 and
> > possibly the
> > > > usr-merge changes.
> > > >
> > > > Obviously there's an even better solution, which is for upstream to
> > revert the
> > > > ABI break (if possible) or bump the SOVERSION, but unfortunately that
> > seems to
> > > > be out of the picture.
> > > >
> > >
> > > I've uploaded the debdiff to experimental, and the package should hit
> > NEW soon.
> > >
> > > Thanks,
> > > Aron
> >
> > May I ask you what are you plans for libxml2 > 2.9.x?
> >
> > The transition freeze is approaching (2025-03-15), and I would guess
> > that packaging 2.13.x is too disruptive for trixie right now. Please,
> > correct me if I am wrong! I would just like to document what are the
> > expectations regarding the libxml2 version to be shipped with the new
> > release.
> >
> >
> > For a little bit of context, I am taking a look at the packages that
> > have some CVEs open in unstable, and/or for which there is a new
> > upstream version available, from an LTS perspective. This is with the
> > idea of making it easier to provide security support for them thorough
> > the full five years of the life cycle. If you want or need help, please
> > don't hesitate to speak up. Someone from the LTS team may step up to
> > help (CC'ing the LTS team).
> >
> >
> Upstream promised to release 2.14 (with SONAME bumped) soon, and he just
> replied to your comment on GNOME gitlab that his latest plan is February.
> Let's hold breath for that and try to coordinate a transition if that
> happens... or if that fails (not release in time or too hard to transition)
> let's start maintain our branch of 2.9.x to include as many as fixes
> possible.

Yeah, let's see. I guess it also a question of balance (as always),
between having tested library and a bleeding-edge available in trixie.

In any case, when it gets released, please don't hesitate to ask if you
would like some help to t

Bug#1095072: orthanc: Orthanc crashes with lastest dcmtk or libdcmtk15 security update

2025-02-03 Thread inframan 
Package: orthanc
Version: 1.9.2+really1.9.1+dfsg-1+deb11u1
Severity: grave
Justification: renders package unusable
X-Debbugs-Cc: debian-lts@lists.debian.org

Dear Maintainer,

The last dcmtk/libdcmtk15 security update (3.6.5-1+deb11u1) causes
orthanc server to segfault as soon as a dicom file is received.

Here is the content of syslog : 
Feb  3 14:02:27 quaoar systemd[1]: Started Lightweight, RESTful DICOM server 
for healthcare and medical research.
Feb  3 14:02:46 quaoar kernel: [ 2559.234663] Orthanc[16701]: segfault at 
312e42 ip 7fea92533c90 sp 7fea857f9988 error 4 in libdcmnet.so.15.3.6.5 
(deleted)[7fea924cf000+ad000]
Feb  3 14:02:46 quaoar kernel: [ 2559.248240] Code: 48 89 c2 48 c7 40 10 00 00 
00 00 c6 40 18 00 48 8d 05 04 37 07 00 48 89 02 48 89 5a 20 5b 5d 41 5c e9 64 
b4 f9 ff 0f 1f 40 00 <48> 83 7f 10 00 41 54 74 27 48 8b 47 08 48 8b 70 08 80 7e 
18 00 75
Feb  3 14:02:46 quaoar systemd[1]: orthanc.service: Main process exited, 
code=killed, status=11/SEGV
Feb  3 14:02:46 quaoar systemd[1]: orthanc.service: Failed with result 'signal'.

I have been able to reproduce this crash on a fresh bullseye install with 
default
configuration for everything (and just sending a dicom file on port 4242).

Reverting the dcmtk/libdcmtk15 to the previous version (3.6.5-1) solves the 
problem, but is obviously not an acceptable solution, as it leaves the system 
with a security hole.

Thank you by advance,

Nicolas Chamouard


-- System Information:
Debian Release: 11.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 
'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-33-cloud-amd64 (SMP w/4 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages orthanc depends on:
ii  adduser3.118+deb11u1
ii  dcmtk  3.6.5-1
ii  init-system-helpers1.60
ii  libboost-filesystem1.74.0  1.74.0-9
ii  libboost-iostreams1.74.0   1.74.0-9
ii  libboost-locale1.74.0  1.74.0-9
ii  libboost-regex1.74.0 [libboost-regex1.74.0-icu67]  1.74.0-9
ii  libboost-thread1.74.0  1.74.0-9
ii  libc6  2.31-13+deb11u11
ii  libcivetweb1   1.13+dfsg-5
ii  libcurl4   7.74.0-1.3+deb11u14
ii  libdcmtk15 3.6.5-1
ii  libgcc-s1  10.2.1-6
ii  libjpeg62-turbo1:2.0.6-4
ii  libjsoncpp24   1.9.4-4
ii  liblua5.3-05.3.3-1.1+deb11u1
ii  libpng16-161.6.37-3
ii  libpugixml1v5  1.11.4-1
ii  libsqlite3-0   3.34.1-3+deb11u1
ii  libssl1.1  1.1.1w-0+deb11u2
ii  libstdc++6 10.2.1-6
ii  libuuid1   2.36.1-8+deb11u2
ii  locales2.31-13+deb11u11
ii  lsb-base   11.1.0
ii  tzdata 2024b-0+deb11u1
ii  zlib1g 1:1.2.11.dfsg-2+deb11u2

orthanc recommends no packages.

orthanc suggests no packages.

-- Configuration Files:
/etc/orthanc/credentials.json [Errno 13] Permission non accordée: 
'/etc/orthanc/credentials.json'
/etc/orthanc/orthanc.json changed [not included]

-- no debconf information