Bug#801617: marked as done (RM: vimperator -- RoM; incompatible with newer iceweasel versions)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 10:22:05 +
with message-id 
and subject line Bug#801617: Removed package(s) from stable
has caused the Debian Bug report #801617,
regarding RM: vimperator -- RoM; incompatible with newer iceweasel versions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
801617: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801617
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ftp.debian.org
Severity: normal

I would like to request removal of vimperator from stable since it
constantly gets out of sync with new security releases of Iceweasel and
breaks. In fact, it is currently broken at the moment (800508). There is
also some uncertainty around the upcoming add-on signing enforcement.

The alternative is for users to install it directly from upstream:

  https://addons.mozilla.org/en-US/firefox/addon/vimperator/

Updates will be handled automatically by Iceweasel.

Note: it has already been removed from unstable (801473).

Francois
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from stable:

iceweasel-vimperator |3.8.2-2 | all
vimperator |3.8.2-2 | source

--- Reason ---
RoM; incompatible with newer iceweasel versions
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 801...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/801617

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---


Bug#803590: marked as done (RM: core-network -- RoST; security issues)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 10:22:57 +
with message-id 
and subject line Bug#803590: Removed package(s) from stable
has caused the Debian Bug report #803590,
regarding RM: core-network -- RoST; security issues
to be marked as done.


-- 
803590: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803590
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Hi Stable Release managers,

Joao Eriberto Mota Filho (maintainer of core-network) is
X-Debbug-CC'ed.

If the core-network daemon is started, then #799756 explains
core-network allows privilege escalation through the
core-network-daemon.

https://github.com/coreemu/core/issues/75
http://pf.itd.nrl.navy.mil/pipermail/core-users/2015-October/001872.html
http://pf.itd.nrl.navy.mil/pipermail/core-users/2015-August/001837.html

Please remove core-network in the next jessie point release.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from stable:

core-network |  4.7-2 | source, all
core-network-daemon |  4.7-2 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
core-network-gui |  4.7-2 | all

--- Reason ---
RoST; security issues
--

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 803...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/803590

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---


Bug#805586: marked as done (RM: elasticsearch -- RoST; no longer supported)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 10:24:00 +
with message-id 
and subject line Bug#805586: Removed package(s) from stable
has caused the Debian Bug report #805586,
regarding RM: elasticsearch -- RoST; no longer supported
to be marked as done.


-- 
805586: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805586
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Hi,
please remove elasticsearch in the next jessie point release. It has
been EOLed, see
https://lists.debian.org/debian-security-announce/2015/msg00290.html

There will also be a corresponding debian-security-support upload
soon.

Cheers,
Moritz
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from stable:

elasticsearch | 1.0.3+dfsg-5+deb8u1 | source, all

--- Reason ---
RoST; no longer supported
--

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 805...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/805586

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---


Bug#808439: marked as done (RM: libnsbmp -- RoST; unmaintained, security issues)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 10:25:49 +
with message-id 
and subject line Bug#808439: Removed package(s) from stable
has caused the Debian Bug report #808439,
regarding RM: libnsbmp -- RoST; unmaintained, security issues
to be marked as done.


-- 
808439: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808439
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Hi Stable Release Managers,

libnsbmp recently got two CVEs assigned, CVE-2015-7507 and
CVE-2015-7508. There was only one NMU after the initial release in
2009 and the library is unused in Debian itself (netsurf though has an
embedded copy).

Can you please remove libnsbmp in the next Jessie point release?

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from stable:

     libnsbmp |  0.0.1-1.1 | source
    libnsbmp0 |  0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
libnsbmp0-dbg |  0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
libnsbmp0-dev |  0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x

--- Reason ---
RoST; unmaintained, security issues
--

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 808...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/808439

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---


Bug#806468: marked as done (RM: googlecl -- RoM; broken due to using obsolete Google APIs)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 10:24:24 +
with message-id 
and subject line Bug#806468: Removed package(s) from stable
has caused the Debian Bug report #806468,
regarding RM: googlecl -- RoM; broken due to using obsolete Google APIs
to be marked as done.


-- 
806468: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806468
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Per Bug #787111[1], this package is non-functional in stable. There isn't much
movement upstream[2], and it turns out that most of the APIs it uses have been
turned off.

Fixing the package would require a substantial re-write, so I am regretfully
requesting its removal from stable.


[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787111
[2]: https://code.google.com/p/googlecl/issues/detail?id=573
-- System Information:
Debian Release: jessie/sid
  APT prefers wily-updates
  APT policy: (500, 'wily-updates'), (500, 'wily-security'), (500, 'wily')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-18-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from stable:

  googlecl |   0.9.13-2 | source, all

--- Reason ---
RoM; broken due to relying on obsolete APIs
--

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 806...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/806468

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---


Bug#808436: marked as done (RM: libnsgif -- RoST; unmaintained, security issues)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 10:25:05 +
with message-id 
and subject line Bug#808436: Removed package(s) from stable
has caused the Debian Bug report #808436,
regarding RM: libnsgif -- RoST; unmaintained, security issues
to be marked as done.


-- 
808436: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808436
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Hi SRM,

libnsgif recently got two CVEs assigned, CVE-2015-7505 and
CVE-2015-7506. It turns out that there was exactly one NMU after the
initial release in 2009; furthermore the library is not used in Debian
(netsurf though has an embedded copy).

Can you please remove libnsgif in the next Jessie point release?

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from stable:

     libnsgif |  0.0.1-1.1 | source
    libnsgif0 |  0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
libnsgif0-dbg |  0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
libnsgif0-dev |  0.0.1-1.1 | amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x

--- Reason ---
RoST; unmaintained, security issues
--

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 808...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/808436

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---


Bug#787021: marked as done (jessie-pu: package webkitgtk/2.4.8-2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #787021,
regarding jessie-pu: package webkitgtk/2.4.8-2
to be marked as done.


-- 
787021: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787021
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello,

webkitgtk 2.4.9 was released containing several bug fixes, including
the one for CVE-2015-2330.

I contacted the Debian security team in order to make a security
release with this fix. However, since webkitgtk is in the
limited-support set of packages, it's very unlikely that the fix can be
released through a DSA. They suggested checking whether the
proposed-updates mechanism would be suitable.

The 2.4 branch of webkit is a stable branch and there's no active
development there. However it's still maintained and there are
releases with important bugfixes periodically, so I think it's the
kind of releases that would make sense in a stable distribution.

Should I upload webkitgtk 2.4.9 to wheezy-pu?

For reference here's the changelog of the latest release:

   * Check TLS errors as soon as they are set in the SoupMessage to
     prevent any data from being sent to the server in case of invalid
     certificate. [CVE-2015-2330]
   * Clear the GObject DOM bindings internal cache when frames are
     destroyed or web view contents are updated.
   * Add HighDPI support for non-accelerated compositing contents.
   * Fix some transfer annotations used in GObject DOM bindings.
   * Use latin1 instead of UTF-8 for HTTP header values.
   * Fix synchronous loads when maximum connection limits are reached.
   * Fix a crash ScrollView::contentsToWindow() when GtkPluginWidget
     doesn’t have a parent.
   * Fix a memory leak in webkit_web_policy_decision_new.
   * Fix g_closure_unref runtime warning.
   * Fix a crash due to empty drag image during drag and drop.
   * Fix rendering of scrollbars with GTK+ >= 3.16.
   * Fix the build on mingw32/msys.
   * Fix the build with WebKit2 disabled.
   * Fix the build with accelerated compositing disabled.
   * Fix clang version check in configure.
   * Fix the build with recent versions of GLib that have
     GMutexLocker.
   * Fix the build for Linux/MIPS64EL.

Regards,

Berto

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#784944: marked as done (jessie-pu: package redmine/3.0~20140825-7~deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #784944,
regarding jessie-pu: package redmine/3.0~20140825-7~deb8u1
to be marked as done.


-- 
784944: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784944
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This release fixes several bugs related to upgrades from wheezy. The
equivalent version is already in testing. I have tested it extensively,
and received positive feedback from multiple bug submitters.

debdiff attached.

-- System Information:
Debian Release: stretch/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Antonio Terceiro 
diff -Nru redmine-3.0~20140825/debian/changelog redmine-3.0~20140825/debian/changelog
--- redmine-3.0~20140825/debian/changelog	2015-02-22 11:35:14.0 -0300
+++ redmine-3.0~20140825/debian/changelog	2015-05-10 19:27:42.0 -0300
@@ -1,3 +1,61 @@
+redmine (3.0~20140825-7~deb8u1) jessie; urgency=medium
+
+  * Backport as a stable update for Jessie.
+
+ -- Antonio Terceiro   Sun, 10 May 2015 19:26:43 -0300
+
+redmine (3.0~20140825-7) unstable; urgency=medium
+
+  * debian/postinst: always remove and recreate Gemfile.lock to handle the
+case where dependencies are being upgraded.
+
+ -- Antonio Terceiro   Sun, 03 May 2015 19:18:34 -0300
+
+redmine (3.0~20140825-6) unstable; urgency=medium
+
+  * debian/doc/examples/apache2-host.conf: fix typo in package name user is
+told to install Closes: #36
+  * Fix upgrades when there are locally-installed plugins Closes: #779273
+- debian/postinst: run rake under `bundle exec` to correctly handle
+  upgrades when the local admin installed non-packaged plugins (i.e.
+  ~100% of them).
+- 2003_externalize_session_config.patch, 2002_FHS_through_env_vars.patch,
+  gemfile-adjustments.patch: always set RAILS_ETC, RAILS_* unconditionally
+  from X_DEBIAN_SITEID because the load order under `bundle exec` seems to
+  be a little different.
+- change Gemfile.lock handling:
+  + symlink Gemfile.lock to /var/lib/redmine/Gemfile.lock
+  + always update it at the beginning of debian/postinst
+  + trigger postinst Ruby packages are upgraded
+  * Don't leave unowned files after purge. Closes: #781534
+- debian/postinst:
+  - don't create files under /usr/share/redmine/app
+  - pass SCHEMA=/dev/null to rake `db:migrate` so it won't create
+/usr/share/redmine/db/schema.rb
+- debian/postrm: remove the aforementioned files
+  * debian/postinst: fix several programming errors
+- initialize variable that will hold the return code of a potentially
+  failing command to 0 so it is not undefined if the command suceeeds.
+  Closes: #780894
+- add missing quotes around $fHasOldSessionName
+- fix logic when testing whether session.yml file exists
+- restrict usage of $2 as a version number when triggered, since $2 will
+  contain the trigger names instead.
+  * debian/patches/fix-move-issue-between-projects.patch: applied patch by
+Tristam Fenton-May to fix moving issues across projects (Closes: #783717)
+  * debian/install:
+- install bin/ directory so rails detects redmine as a proper Rails app
+  + This fixes running `rails console`, `rails dbconsole` etc from within
+the installed package at /usr/share/redmine.
+- don't install deprecated script/ directory
+  * debian/doc/examples/apache2-passenger-*.conf: document line that must
+be changed in extra instances.
+  * debian/patches/gemfile-adjustments.patch:
+- bump dependency on redcarpet
+- don't try to read database.yml is it's not readable
+
+ -- Antonio Terceiro   Sat, 02 May 2015 11:33:20 -0300
+
 redmine (3.0~20140825-5) unstable; urgency=high
 
   * debian/patches/0001-Escape-flash-messages-19117.patch
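Review bot: The 3.0~20140825-6 entry carries changes beyond the wheezy-upgrade fixes this stable update is requested for, namely the redcarpet dependency bump under debian/patches/gemfile-adjustments.patch and the debian/install changes (installing bin/, dropping script/). For a jessie upload, please state in the request that the bumped redcarpet version is satisfiable in jessie and that dropping script/ does not break existing local setups. The entry text also has slips worth noting: "trigger postinst Ruby packages are upgraded" is missing "when", "suceeeds" should read "succeeds", "is it's not readable" should read "if it's not readable", and the first "Closes: #36" looks truncated and is not in the parenthesised "(Closes: #...)" form used further down in the same entry.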
diff -Nru redmine-3.0~20140825/debian/doc/examples/apache2-host.conf redmine-3.0~20140825/debian/doc/examples/apache2-host.conf
--- redmine-3.0~20140825/debian/doc/examples/apache2-host.conf	2015-02-22 11:35:14

Bug#791403: marked as done (pu: ganglia-modules-linux/1.3.6-2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #791403,
regarding pu: ganglia-modules-linux/1.3.6-2
to be marked as done.


-- 
791403: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791403
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
UserTags: unblock


This is a proposed upload to stable for jessie.  It resolves a problem
that causes dist-upgrade to fail.

Here is the patch that is added:

https://anonscm.debian.org/cgit/pkg-monitoring/ganglia-modules-linux.git/commit/?id=29c5f380aa46d2b1b678a63c1daa5054d119f066

and the changelog entry from the unstable upload:

https://anonscm.debian.org/cgit/pkg-monitoring/ganglia-modules-linux.git/commit/?id=80641de7ace1a93adf02a9088f4da7c13d32d771

The main reason for this request:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790951

The general issue of plugin package service restarts is discussed in
this bug:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790949
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#792468: marked as done (jessie-pu: package plowshare4/1.0.5-2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #792468,
regarding jessie-pu: package plowshare4/1.0.5-2
to be marked as done.


-- 
792468: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792468
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Plowshare is a series of shell scripts for interacting with file sharing
websites. Some of the scripts use the js binary provided by rhino to execute
fragments of javascript downloaded from the internet. The RC bug #791467 was
opened to point out that this is a bad idea.

The targeted fix in 1.0.5-2 simply removes the dependency on rhino and causes
plowshare to act as though javascript is unavailable. This decisively fixes the
issue at the expense of breaking compatibility with a few supported websites.
However these break over time as the sites change so most users are likely to
be using a backported version.

I'm currently working on packaging new upstream versions and looking into a
less aggressive fix which might execute the javascript in a sandboxed
environment. I hope those packages will eventually make it into backports but
for the meantime I think this crude fix is a reasonable compromise for now.

I am hoping a mentor will upload 1.0.5-2 into unstable soon, but I would also
like to have it uploaded to stable.

Cheers,
Carl

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru plowshare4-1.0.5/debian/changelog plowshare4-1.0.5/debian/changelog
--- plowshare4-1.0.5/debian/changelog	2014-09-04 11:43:49.0 +1000
+++ plowshare4-1.0.5/debian/changelog	2015-07-15 11:45:00.0 +1000
@@ -1,3 +1,9 @@
+plowshare4 (1.0.5-2) stable; urgency=high
+
+  * Disable javascript support (Closes: #791467)
+
+ -- Carl Suster   Tue, 14 Jul 2015 18:45:22 +1000
+
 plowshare4 (1.0.5-1) unstable; urgency=medium
 
   * New upstream release.
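Review bot: The new entry's header line targets `stable` with version 1.0.5-2, the same version the request says is also meant for unstable. The two uploads need distinct versions, with the stable one sorting lower (a `+deb8u1`-style suffix on 1.0.5-1), and the distribution is normally given by codename (`jessie`). The entry should also say that the rhino dependency is dropped and that modules needing JavaScript stop working, since that is a behaviour change for stable users.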
diff -Nru plowshare4-1.0.5/debian/control plowshare4-1.0.5/debian/control
--- plowshare4-1.0.5/debian/control	2014-09-01 13:24:42.0 +1000
+++ plowshare4-1.0.5/debian/control	2015-07-15 11:45:00.0 +1000
@@ -10,7 +10,7 @@
 
 Package: plowshare4
 Architecture: all
-Depends: ${misc:Depends}, bash (>=4.1), curl (>=7.24), recode | libhtml-parser-perl, rhino
+Depends: ${misc:Depends}, bash (>=4.1), curl (>=7.24), recode | libhtml-parser-perl
 Recommends: qiv | feh | sxiv | imagemagick
 Suggests: aview | caca-utils, fbi
 Description: Download and upload files from file sharing websites
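Review bot: Dropping `rhino` from Depends does not remove it from systems where it is already installed, so the protection in this update rests on the core.sh patch refusing to run `js`, not on this line. Please confirm the patched package was tested with rhino still installed, and mention in the changelog that the dependency removal is a consequence of the fix rather than the fix itself.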
diff -Nru plowshare4-1.0.5/debian/gbp.conf plowshare4-1.0.5/debian/gbp.conf
--- plowshare4-1.0.5/debian/gbp.conf	2014-09-01 13:28:38.0 +1000
+++ plowshare4-1.0.5/debian/gbp.conf	2015-07-15 13:01:39.0 +1000
@@ -10,7 +10,7 @@
 
 [buildpackage]
 sign-tags = True
-prebuild = git describe --always --tags --abbrev=0 > debian/git-describe
+prebuild = echo "v1.0.5" > debian/git-describe
 postbuild = lintian $GBP_CHANGES_FILE
 dist = sid
 pbuilder = True
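Review bot: The `prebuild` line now hard-codes `echo "v1.0.5" > debian/git-describe` in place of `git describe`, which is unrelated to disabling JavaScript and is not mentioned in the changelog entry. For a targeted stable update, either leave this out or document it in the changelog; the literal will also go stale at the next upstream version.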
diff -Nru plowshare4-1.0.5/debian/patches/01-diasble-javascript.patch plowshare4-1.0.5/debian/patches/01-diasble-javascript.patch
--- plowshare4-1.0.5/debian/patches/01-diasble-javascript.patch	1970-01-01 10:00:00.0 +1000
+++ plowshare4-1.0.5/debian/patches/01-diasble-javascript.patch	2015-07-15 11:45:00.0 +1000
@@ -0,0 +1,56 @@
+Author: Carl Suster 
+Bug-Debian: http://bugs.debian.org/791467
+Description: Disable javascript execution
+ Plowshare uses rhino CLI to execute javascript downloaded from the Internet.
+ Since this is not filtered or sandboxed at all, the javascript can obtain
+ arbitrary access to the system and so this patch disables it.
+ .
+ Some modules will be broken by this change, but since the modules will break
+ anyway it is expected that most users will be using a more recent version of
+ this package, and in future less aggressive fixes will be investigated.
+
+Index: plowshare/src/core.sh
+===
+--- plowshare.orig/src/core.sh
 plowshare/src/core.sh
+@@ -1175,34 +1175,22 
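Review bot: The patch file name is misspelled as `01-diasble-javascript.patch`; rename it to `01-disable-javascript.patch` and keep the entry in debian/patches/series in step. The Description header is clear about the risk being closed, but it would help to name the modules that are known to stop working so users of the stable package can tell what to expect.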

Bug#787423: marked as done (jessie-pu: package getmail4/4.46.0-1+debu8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #787423,
regarding jessie-pu: package getmail4/4.46.0-1+debu8u1
to be marked as done.


-- 
787423: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787423
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This is related to CVE-2013-1752: poplib: Limit maximum line lengths to
2048 of Python. https://bugs.python.org/issue16041 introduced in Python
2.7.9

With python version of jessie bumped at the last moment to 2.7.9 as:

| python-defaults (2.7.9-1) unstable; urgency=medium
| 
|   * Bump version to 2.7.9.
| 
|  -- Matthias Klose   Mon, 16 Mar 2015 23:32:04 +0100

This caused surprises to programs using the poplib.

 See https://bugs.debian.org/782614 (for now it is an important bug but
 really a grave one)

At least, getmail upstream thinks this arbitrary untested limit of 2048
bytes is stupid.  The getmail upstream thinks 1MB is a reasonable value.

He has added the following effectively 1-line patch with the latest
release. (uploaded to sid)

I would like to apply this to the jessie package since this causes normal
users to lose the capability to retrieve mail.

--- getmail-4.47.0/getmailcore/_retrieverbases.py   2015-02-26 
10:10:44.0 +0900
+++ getmail-4.48.0/getmailcore/_retrieverbases.py   2015-06-01 
23:49:04.499564781 +0900
@@ -233,6 +233,15 @@
 # Constant for POPSSL
 POP3_SSL_PORT = 995
 
+
+# Python added poplib._MAXLINE somewhere along the way.  As far as I can
+# see, it serves no purpose except to introduce bugs into any software
+# using poplib.  Any computer running Python will have at least some megabytes
+# of userspace memory; arbitrarily causing message retrieval to break if any
+# "line" exceeds 2048 bytes is absolutely stupid.
+poplib._MAXLINE = 1 << 20   # 1MB; decrease this if you're running on a VIC-20
+
+
 #
 # Mix-in classes
 #
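Review bot: The added assignment `poplib._MAXLINE = 1 << 20` sets a private module attribute at import time, so it changes the limit for every user of poplib in the process and depends on an internal name. The 2048-byte cap comes from the CVE-2013-1752 change referenced in this request, so the comment above the assignment should say that the cap is deliberately raised to 1 MB per line and why that bound is still acceptable, instead of stating that the limit serves no purpose.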

I am not going to change anything else. (4.46.0 and 4.47.0 are the same
for this part.)

-- System Information:
Debian Release: 8.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'unstable'), 
(100, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---
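The trade-off discussed in the getmail request above, as an added example that is not part of the original messages and is not code from getmail or from Python's poplib: a simplified model of a per-line cap on a POP3 multi-line response, showing what a 2048-byte cap rejects and what a 1 MB cap still rejects. The function names, the reader logic and the sample message are assumptions constructed for illustration.

```python
import io

CRLF = b"\r\n"


class LineTooLong(Exception):
    """Raised when one response line exceeds the configured cap."""


def read_line(stream, max_line):
    """Read one line while never buffering more than max_line + 1 bytes."""
    # Asking for max_line + 1 bytes is enough to prove the line is too
    # long without reading (and storing) the rest of it.
    line = stream.readline(max_line + 1)
    if len(line) > max_line:
        raise LineTooLong("line exceeds %d bytes" % max_line)
    if not line:
        raise EOFError("stream ended before the response terminator")
    return line


def read_multiline(stream, max_line):
    """Read a POP3 multi-line body up to the lone '.' terminator line."""
    lines = []
    while True:
        line = read_line(stream, max_line)
        line = line[:-2] if line.endswith(CRLF) else line.rstrip(b"\n")
        if line == b".":
            return lines
        if line.startswith(b"."):
            line = line[1:]  # undo byte-stuffing of lines starting with '.'
        lines.append(line)


def build_response(long_header_len):
    """Constructed sample: a message with one unfolded header of given size."""
    body = [
        b"Subject: constructed sample",
        b"X-Long-Header: " + b"a" * long_header_len,
        b"",
        b".line that starts with a dot",
        b"bye",
    ]
    wire = b"".join(
        (b"." + l if l.startswith(b".") else l) + CRLF for l in body
    )
    return wire + b"." + CRLF


def try_retrieve(wire, max_line):
    """Return the number of lines retrieved, or None if the cap was hit."""
    try:
        return len(read_multiline(io.BytesIO(wire), max_line))
    except LineTooLong:
        return None


if __name__ == "__main__":
    legit = build_response(3000)        # long but plausible header line
    hostile = build_response(2 << 20)   # one 2 MB line from a bad server
    for name, wire in (("legit", legit), ("hostile", hostile)):
        for cap in (2048, 1 << 20):
            print(name, cap, try_retrieve(wire, cap))
```

With the 2048-byte cap the message with a 3000-byte header cannot be retrieved at all, which is the breakage reported; with the 1 MB cap it is retrieved, and a single 2 MB line is still refused before it is fully buffered.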


Bug#792779: marked as done (nmu: android-platform-frameworks-base_21-2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #792779,
regarding nmu: android-platform-frameworks-base_21-2
to be marked as done.


-- 
792779: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792779
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Something weird happened on the buildd build of
android-platform-frameworks-base/i386:
* /usr/bin/aapt wants libhost.so instead of libhost.so.0
* the aapt package has no dependency on android-libhost
==> #786943: aapt: error while loading shared libraries: libhost.so:
 cannot open shared object file: No such file or directory

I cannot reproduce this weird build result in either sid or jessie, so
binNMUs for jessie and sid (should probably get +b2 to be newer than
the one in jessie) are sufficient to fix this.

It picks up the android-libhost dependency:

$ debdiff aapt_21-2_i386.deb jessie-i386/aapt_21-2_i386.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: android-libcutils, {+android-libhost,+} android-liblog,
android-libutils, libc6 (>= 2.7), libexpat1 (>= 2.0.1), libgcc1 (>=
1:4.1.1), libpng12-0 (>= 1.2.13-4), libstdc++6 (>= 4.1.1), zlib1g (>=
1:1.1.4), android-libandroidfw

and ldd output looks sane, too:

# ldd /usr/bin/aapt
linux-gate.so.1 (0xf7705000)
librt.so.1 => /lib/i386-linux-gnu/librt.so.1 (0xf76f7000)
libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xf76f2000)
libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xf76d6000)
libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xf76b9000)
libexpat.so.1 => /lib/i386-linux-gnu/libexpat.so.1 (0xf769)
libpng12.so.0 => /lib/i386-linux-gnu/libpng12.so.0 (0xf7663000)
libcutils.so.0 => /usr/lib/android/libcutils.so.0 (0xf7654000)
libhost.so.0 => /usr/lib/android/libhost.so.0 (0xf764e000)
liblog.so.0 => /usr/lib/android/liblog.so.0 (0xf7645000)
libutils.so.0 => /usr/lib/android/libutils.so.0 (0xf7612000)
libstdc++.so.6 => /usr/lib/i386-linux-gnu/libstdc++.so.6 (0xf7511000)
libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xf74cc000)
libgcc_s.so.1 => /lib/i386-linux-gnu/libgcc_s.so.1 (0xf74ae000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf733d000)
/lib/ld-linux.so.2 (0xf7708000)
libbsd.so.0 => /lib/i386-linux-gnu/libbsd.so.0 (0xf732b000)


nmu android-platform-frameworks-base_21-2 . i386 . jessie-proposed-updates . -m 
"Rebuild to pick up a dependency on android-libhost."
nmu $UNDOCUMENTED_OPTION_TO_USE_PLUSb2 android-platform-frameworks-base_21-2 . 
i386 . -m "Rebuild to pick up a dependency on android-libhost."

Or would the jessie one use just 'jessie'?
I remember seeing it mentioned once that there is an option to set the
binNMU number.


Andreas
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#792806: marked as done (jessie-pu: package ieee-data/20150531.1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #792806,
regarding jessie-pu: package ieee-data/20150531.1
to be marked as done.


-- 
792806: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792806
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Following the recommendation from https://bugs.debian.org/783096

/luciano

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#793556: marked as done (jessie-pu: package mkvmlinuz/37+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #793556,
regarding jessie-pu: package mkvmlinuz/37+deb8u1
to be marked as done.


-- 
793556: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793556
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

mkvmlinuz/37+deb8u1 is fixing bug #741642 already fixed in sid/testing 
to allow for smooth upgrade from wheezy to jessie. See attached diff.

 changelog |6 ++
 kernel-image/postinst |2 ++
 kernel-image/postrm   |2 ++
 3 files changed, 10 insertions(+)

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: powerpc (ppc64)

Kernel: Linux 3.16.0-4-powerpc64 (SMP w/4 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru mkvmlinuz-37/debian/changelog mkvmlinuz-37+deb8u1/debian/changelog
--- mkvmlinuz-37/debian/changelog	2015-04-10 07:14:08.0 -0400
+++ mkvmlinuz-37+deb8u1/debian/changelog	2015-07-23 23:40:49.0 -0400
@@ -1,3 +1,9 @@
+mkvmlinuz (37+deb8u1) stable; urgency=medium
+
+  * Push run-parts output to stderr. (Closes: #741642)
+
+ -- Milan Kupcevic   Thu, 23 Jul 2015 23:00:46 -0400
+
 mkvmlinuz (37) unstable; urgency=medium
 
   * Include only necessary modules to further reduce vmlinuz size on Pegasos. 
diff -Nru mkvmlinuz-37/debian/kernel-image/postinst mkvmlinuz-37+deb8u1/debian/kernel-image/postinst
--- mkvmlinuz-37/debian/kernel-image/postinst	2012-06-28 21:01:13.0 -0400
+++ mkvmlinuz-37+deb8u1/debian/kernel-image/postinst	2015-07-23 22:45:48.0 -0400
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+echo >&2
+
 set -e
 
 . /usr/share/debconf/confmodule
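Review bot: The added `echo >&2` before `set -e` only writes one empty line to stderr; nothing in this hunk redirects run-parts output, which is what the changelog entry "Push run-parts output to stderr" describes. If emitting the blank line is itself the workaround for #741642, add a comment above it explaining why it is needed; if a redirect was intended, it is missing. The same applies to the identical postrm hunk.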
diff -Nru mkvmlinuz-37/debian/kernel-image/postrm mkvmlinuz-37+deb8u1/debian/kernel-image/postrm
--- mkvmlinuz-37/debian/kernel-image/postrm	2012-06-28 21:01:13.0 -0400
+++ mkvmlinuz-37+deb8u1/debian/kernel-image/postrm	2015-07-23 22:45:48.0 -0400
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+echo >&2
+
 set -e
 
 . /usr/share/debconf/confmodule
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#794940: marked as done (jessie-pu: package sparse/0.4.5~rc1-2~deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #794940,
regarding jessie-pu: package sparse/0.4.5~rc1-2~deb8u1
to be marked as done.


-- 
794940: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794940
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

sparse FTBFS in jessie and sid since the llvm default version was updated
to 3.5. Unfortunately nobody rebuilt contrib and non-free before the
release so this was not noticed in time :-(


Andreas
diff -Nru sparse-0.4.5~rc1/debian/.gitignore sparse-0.4.5~rc1/debian/.gitignore
--- sparse-0.4.5~rc1/debian/.gitignore	1970-01-01 01:00:00.0 +0100
+++ sparse-0.4.5~rc1/debian/.gitignore	2015-08-08 13:34:52.0 +0200
@@ -0,0 +1 @@
+!patches
diff -Nru sparse-0.4.5~rc1/debian/changelog sparse-0.4.5~rc1/debian/changelog
--- sparse-0.4.5~rc1/debian/changelog	2013-06-15 01:10:11.0 +0200
+++ sparse-0.4.5~rc1/debian/changelog	2015-08-08 13:34:52.0 +0200
@@ -1,3 +1,25 @@
+sparse (0.4.5~rc1-2~deb8u1) jessie; urgency=medium
+
+  * QA upload.
+  * Rebuild for jessie.
+
+ -- Andreas Beckmann   Sat, 08 Aug 2015 13:33:23 +0200
+
+sparse (0.4.5~rc1-2) unstable; urgency=medium
+
+  [ Andreas Beckmann ]
+  * QA upload.
+  * Set maintainer to Debian QA Group.  (See #794643)
+  * Fix Homepage and Vcs-Browser URLs.
+  * Refresh patch to apply without fuzz.
+
+  [ Uwe Kleine-König ]
+  * Cherry-pick commit from upstream to fix build failure with llvm-3.5.
+  * Temporarily build-depend on libedit-dev because llvm-config claims to need
+that.  (Closes: #793197)
+
+ -- Andreas Beckmann   Sat, 08 Aug 2015 13:17:27 +0200
+
 sparse (0.4.5~rc1-1) unstable; urgency=low
 
   [ Uwe Kleine-König ]
diff -Nru sparse-0.4.5~rc1/debian/control sparse-0.4.5~rc1/debian/control
--- sparse-0.4.5~rc1/debian/control	2013-06-15 01:09:43.0 +0200
+++ sparse-0.4.5~rc1/debian/control	2015-08-08 13:34:52.0 +0200
@@ -1,21 +1,22 @@
 Source: sparse
-Maintainer: Pierre Habouzit 
+Maintainer: Debian QA Group 
 Uploaders: Loïc Minier 
 Section: non-free/devel
 Priority: optional
 Build-Depends: debhelper (>= 9),
libxml2-dev,
libgtk2.0-dev,
-   llvm-dev (>= 1:3.0~)
+   llvm-dev (>= 1:3.0~),
+   libedit-dev
 Standards-Version: 3.9.4
 Vcs-Git: git://anonscm.debian.org/collab-maint/sparse.git
-Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/sparse.git
+Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/sparse.git
 XS-autobuild: yes
+Homepage: https://sparse.wiki.kernel.org/
 
 Package: sparse
 Architecture: any
 Depends: ${misc:Depends}, ${shlibs:Depends}, ${perl:Depends}
-Homepage: http://sparse.wiki.kernel.org/index.php/Main_Page
 Description: semantic parser of source files
  Sparse, the semantic parser, provides a compiler frontend capable of
  parsing most of ANSI C as well as many GCC extensions, and a collection
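Review bot: `libedit-dev` is added to Build-Depends with nothing marking it as a workaround, while the changelog calls it temporary and ties it to what llvm-config claims to need (#793197). Record the bug number next to the dependency, for example in a comment in debian/control, so the entry can be found and dropped once llvm-config no longer asks for it.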
diff -Nru sparse-0.4.5~rc1/debian/patches/ld-as-needed.patch sparse-0.4.5~rc1/debian/patches/ld-as-needed.patch
--- sparse-0.4.5~rc1/debian/patches/ld-as-needed.patch	2013-06-15 00:42:08.0 +0200
+++ sparse-0.4.5~rc1/debian/patches/ld-as-needed.patch	2015-08-08 13:34:52.0 +0200
@@ -37,4 +37,4 @@
 +LDFLAGS += -Wl,--no-as-needed $(shell llvm-config --ldflags) -Wl,--as-needed
  LLVM_CFLAGS := $(shell llvm-config --cflags | sed -e "s/-DNDEBUG//g")
  LLVM_LIBS := $(shell llvm-config --libs)
- PROGRAMS += $(LLVM_PROGS)
+ LLVM_LIBS += $(shell llvm-config --system-libs 2>/dev/null)
diff -Nru sparse-0.4.5~rc1/debian/patches/series sparse-0.4.5~rc1/debian/patches/series
--- sparse-0.4.5~rc1/debian/patches/series	2013-06-15 00:49:59.0 +0200
+++ sparse-0.4.5~rc1/debian/patches/series	2015-08-08 13:34:52.0 +0200
@@ -1,3 +1,4 @@
+sparse-llvm-Fix-LLVM-3.5-linker-errors.patch
 shut-down-upstream-version-detection.patch
 ld-as-needed.patch
 pass-down-cflags.patch
diff -Nru sparse-0.4.5~rc1/debian/patches/sparse-llvm-Fix-LLVM-3.5-linker-errors.patch sparse-0.4.5~rc1/debian/patches/sparse-llvm-Fix-LLVM-3.5-linker-errors.patch
--- sparse-0.4.5~rc1/debian/patches/sparse-llvm-Fix-LLVM-3.5-linker-errors.patch	1970-01-01 01:00:00.0 +0100
+++ sparse-0.4.5~rc1/debian/patches/sparse-llvm-Fix-LLVM-3.5-linker-errors.patch	2015-08-08 13:34:52.0 +0200
@@ -0,0 +1,2

Bug#797170: marked as done (jessie-pu: package python-yaql/0.2.3-2 (removal of Python3 support to fix #795910).)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #797170,
regarding jessie-pu: package python-yaql/0.2.3-2 (removal of Python3 support to 
fix #795910).
to be marked as done.


-- 
797170: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797170
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

The python3-yaql binary package in Jessie is completely broken, and has
no reverse dependency. Therefore, I'd like to remove it from Jessie
completely (ie: remove Python 3 support from python-yaql).

Please find attached the debdiff doing this. The package is built and
available here:

http://sid.gplhost.com/jessie-proposed-updates/python-yaql/

Please allow me to upload the package to jessie-p-u to fix the
RC bug #795910.

Cheers,

Thomas Goirand (zigo)
diff -Nru python-yaql-0.2.3/debian/changelog python-yaql-0.2.3/debian/changelog
--- python-yaql-0.2.3/debian/changelog	2014-10-13 09:04:17.0 +
+++ python-yaql-0.2.3/debian/changelog	2015-08-28 08:51:44.0 +
@@ -1,3 +1,10 @@
+python-yaql (0.2.3-2+deb8u1) jessie-proposed-updates; urgency=medium
+
+  * Removed python3-yaql package: it's not working, and nothing depends on it
+(Closes: #795910).
+
+ -- Thomas Goirand   Fri, 28 Aug 2015 10:46:10 +0200
+
 python-yaql (0.2.3-2) unstable; urgency=medium
 
   * Also build-depends on python3-ply. This avoids FTBFS, because the package
diff -Nru python-yaql-0.2.3/debian/control python-yaql-0.2.3/debian/control
--- python-yaql-0.2.3/debian/control	2014-10-13 09:04:17.0 +
+++ python-yaql-0.2.3/debian/control	2015-08-28 08:51:44.0 +
@@ -6,9 +6,7 @@
 Build-Depends: debhelper (>= 9),
python-all (>= 2.6.6-3~),
python-setuptools,
-   python3-all,
-   python3-setuptools
-Build-Depends-Indep: python-ply, python3-ply
+Build-Depends-Indep: python-ply
 Standards-Version: 3.9.6
 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=openstack/python-yaql.git
 Vcs-Git: git://anonscm.debian.org/openstack/python-yaql.git
@@ -39,29 +37,3 @@
  one of the implementations in Python.
  .
  This package contains the Python 2.x module.
-
-Package: python3-yaql
-Architecture: all
-Pre-Depends: dpkg (>= 1.15.6~)
-Depends: ${misc:Depends}, ${python3:Depends}
-Description: Yet Another Query Language - Python 3.x
- At the beginning of millennium the growing trend towards data formats
- standardization and application integrability made XML extremely popular. XML
- became lingua franca of the data. Applications tended to process lots of XML
- files ranging from small config files to very large datasets. As these data
- often had a complex structure with many levels of nestedness it is quickly
- became obvious that there is a need for specially crafted domain specific
- languages to query these data sets. This is how XPath and later XQL were born.
- .
- With later popularization of REST services and Web 2.0 JSON started to take
- XML’s place. JSON’s main advantage (besides being simpler than XML) is that is
- closely reassembles data structures found in most programming languages
- (arrays, dictionaries, scalars) making it very convenient for data
- serialization. As JSON lacked all the brilliant XML-related technologies like
- XSLT, XML Schema, XPath etc. various attempts to develop similar languages for
- JSON were made. One of those efforts was JSONPath library developed in 2007 by
- Stefan Gössner. Initial implementation was for PHP and JavaScript languages,
- but later on ports to other languages including Python were written. YAQL is
- one of the implementations in Python.
- .
- This package contains the Python 3.x module.
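Review bot: Removing the `python3-yaql` stanza stops the binary from being built, but this upload alone does not remove the existing python3-yaql from jessie or from systems that have it installed. The request should say explicitly that the old binary is to be dropped from the suite together with this upload, and the changelog entry could mention that users who installed it must remove it themselves.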
diff -Nru python-yaql-0.2.3/debian/gbp.conf python-yaql-0.2.3/debian/gbp.conf
--- python-yaql-0.2.3/debian/gbp.conf	2014-10-13 09:04:17.0 +
+++ python-yaql-0.2.3/debian/gbp.conf	2015-08-28 08:51:44.0 +
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = master
-debian-branch = debian/unstable
+debian-branch = debian/jessie
 upstream-tag = %(version)s
 compression = xz
 
diff -Nru python-yaql-0.2.3/debian/python3-yaql.postinst python-yaql-0.2.3/debian/python3-yaql.postinst
--- python-yaql-0.2.3/debian/python3-yaql.postinst	2014-10-13 09:04:17.0 +
+++ python-yaql-0.2.3/debian/python3-yaql.postinst	1970-01-01 0

Bug#796281: marked as done (jessie-pu: package pcre3/2:8.35-3.3+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #796281,
regarding jessie-pu: package pcre3/2:8.35-3.3+deb8u1
to be marked as done.


-- 
796281: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796281
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This update fixes four minor security issues which don't warrant
a DSA. These have been tested in a production setup and were
working fine there.

Debdiff below.

Cheers,
Moritz

diff -Nru pcre3-8.35/debian/changelog pcre3-8.35/debian/changelog
--- pcre3-8.35/debian/changelog 2014-12-06 19:58:27.0 +0100
+++ pcre3-8.35/debian/changelog 2015-08-16 13:38:23.0 +0200
@@ -1,3 +1,9 @@
+pcre3 (2:8.35-3.3+deb8u1) jessie; urgency=medium
+
+  * CVE-2015-2325 CVE-2015-2326 CVE-2015-3210 CVE-2015-5073
+
+ -- Moritz Muehlenhoff   Sun, 16 Aug 2015 11:37:39 +
+
 pcre3 (2:8.35-3.3) unstable; urgency=medium
 
   * Non-maintainer upload.
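Review bot: The changelog entry is only a list of four CVE identifiers, with no description of what is fixed and no pointer to the patch that carries the fixes. Give each CVE a short line naming the affected behaviour and the patch file, and consider one patch per CVE instead of a single 492-line file, so each fix can be audited and reverted on its own.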
diff -Nru 
pcre3-8.35/debian/patches/CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch
 
pcre3-8.35/debian/patches/CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch
--- 
pcre3-8.35/debian/patches/CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch
 1970-01-01 01:00:00.0 +0100
+++ 
pcre3-8.35/debian/patches/CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch
 2015-08-16 13:36:47.0 +0200
@@ -0,0 +1,492 @@
+https://security-tracker.debian.org/tracker/CVE-2015-5073
+https://security-tracker.debian.org/tracker/CVE-2015-3210
+https://security-tracker.debian.org/tracker/CVE-2015-2326
+https://security-tracker.debian.org/tracker/CVE-2015-2325
+
+--- pcre3-8.35.orig/pcre_compile.c
 pcre3-8.35/pcre_compile.c
+@@ -549,6 +549,7 @@ static const char error_texts[] =
+   "group name must start with a non-digit\0"
+   /* 85 */
+   "parentheses are too deeply nested (stack check)\0"
++  "digits missing in \\x{} or \\o{}\0"
+   ;
+ 
+ /* Table to identify digits and hex digits. This is used when compiling
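Review bot: The new string "digits missing in \\x{} or \\o{}\0" is appended to `error_texts`, which is a positional table, so it is only correct if a matching error code is added at the same position in the error-number enum. That change is not visible in this hunk; please confirm it is in the patch, since a missing or misplaced code would make the compiler report the wrong message.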
+@@ -3936,14 +3937,14 @@ Arguments:
+   adjust the amount by which the group is to be moved
+   utfTRUE in UTF-8 / UTF-16 / UTF-32 mode
+   cd contains pointers to tables etc.
+-  save_hwm   the hwm forward reference pointer at the start of the group
++  save_hwm_offset   the hwm forward reference offset at the start of the group
+ 
+ Returns: nothing
+ */
+ 
+ static void
+ adjust_recurse(pcre_uchar *group, int adjust, BOOL utf, compile_data *cd,
+-  pcre_uchar *save_hwm)
++  size_t save_hwm_offset)
+ {
+ pcre_uchar *ptr = group;
+ 
+@@ -3955,7 +3956,8 @@ while ((ptr = (pcre_uchar *)find_recurse
+   /* See if this recursion is on the forward reference list. If so, adjust the
+   reference. */
+ 
+-  for (hc = save_hwm; hc < cd->hwm; hc += LINK_SIZE)
++  for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset; hc < cd->hwm;
++   hc += LINK_SIZE)
+ {
+ offset = (int)GET(hc, 0);
+ if (cd->start_code + offset == ptr + 1)
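Review bot: In the rewritten loop the start pointer is rebuilt as `(pcre_uchar *)cd->start_workspace + save_hwm_offset`, so the offset is applied in `pcre_uchar` units from the workspace base, but the updated parameter comment only says "the hwm forward reference offset". State in that comment that the offset is counted in code units from `cd->start_workspace` and why an offset is passed instead of the former `save_hwm` pointer, so that every caller computes it the same way.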
+@@ -4400,7 +4402,7 @@ const pcre_uchar *tempptr;
+ const pcre_uchar *nestptr = NULL;
+ pcre_uchar *previous = NULL;
+ pcre_uchar *previous_callout = NULL;
+-pcre_uchar *save_hwm = NULL;
++size_t save_hwm_offset = 0;
+ pcre_uint8 classbits[32];
+ 
+ /* We can fish out the UTF-8 setting once and for all into a BOOL, but we
+@@ -5912,7 +5914,7 @@ for (;; ptr++)
+ if (repeat_max <= 1)/* Covers 0, 1, and unlimited */
+   {
+   *code = OP_END;
+-  adjust_recurse(previous, 1, utf, cd, save_hwm);
++  adjust_recurse(previous, 1, utf, cd, save_hwm_offset);
+   memmove(previous + 1, previous, IN_UCHARS(len));
+   code++;
+   if (repeat_max == 0)
+@@ -5936,7 +5938,7 @@ for (;; ptr++)
+   {
+   int offset;
+   *code = OP_END;
+-  adjust_recurse(previous, 2 + LINK_SIZE, utf, cd, save_hwm);
++  adjust_recurse(previous, 2 + LINK_SIZE, utf, cd, save_hwm_offset);
+   memmove(previous + 2 + LINK_SIZE, previous, IN_UCHARS(len));
+   code += 2 + LINK_SIZE;
+   *previous++ = OP_BRAZERO + repeat_type;
+@@ -5999,26 +6001,25 @@ for (;; ptr++)
+ for (i = 1; i < repeat_min; i++)
+   {
+   pcre_uchar *hc;
+-  pcre_uchar *this_hwm = cd->hwm;
++  size_

Bug#797710: marked as done (jessie-pu: package ben/0.7.0)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #797710,
regarding jessie-pu: package ben/0.7.0
to be marked as done.


-- 
797710: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797710
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Subject: jessie-pu: package ben/0.7.0
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Hi,

I'd like to fix a few issues in Ben:
- Semi-broken HTML links to buildd status pages (compact parameter
  not taken into account)
- Fix broken call to dose-debcheck which results in Ben not
  getting installability issues right. This issue has been filed
  against dose-distcheck as #770802. The fix is to pass --deb-native-arch=$arch
  to dose-debcheck and parse output correctly.
- Ignore potential errors when deleting lock file.

I am attaching a debdiff with the proposed changes.

These bugs have been found after upgrading release.debian.org to
Jessie. Ben has been running there with those fixes since then.

All Best,

-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 0347597..266fc68 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+ben (0.7.0+deb8u1) jessie; urgency=medium
+
+  [ Emilio Pozuelo Monfort ]
+  * Fix buildd.debian.org compact links
+
+  [ Mehdi Dogguy ]
+  * Ignore potential errors when deleting lock file
+  * Call dose-debcheck with --deb-native-arch
+
+ -- Mehdi Dogguy   Tue, 01 Sep 2015 21:30:42 +
+
 ben (0.7.0) unstable; urgency=medium
 
   * Add --no-clean to "ben tracker" to leave unknown generated
diff --git a/frontends/ben_tracker.ml b/frontends/ben_tracker.ml
index f52c0c2..6d6bd99 100644
--- a/frontends/ben_tracker.ml
+++ b/frontends/ben_tracker.ml
@@ -445,7 +445,9 @@ let tracker template profiles =
 Benl_error.error_exn "Failed to generate index.html" exn
 
 let () = at_exit (fun () ->
-  rm [lockf ()]
+  try
+rm [lockf ()]
+  with _ -> ()
 )
 
 let main args =
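
Review bot: The "with _ -> ()" wrapped around rm [lockf ()] in the at_exit handler discards every exception, not only a failed delete, and a lock file that could not be removed leaves no trace. Match the specific exceptions rm can raise (for example Unix.Unix_error or Sys_error, depending on how rm is implemented), or at least print a warning to stderr before ignoring the failure.
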
diff --git a/lib/benl_data.ml b/lib/benl_data.ml
index fabe51a..856a609 100644
--- a/lib/benl_data.ml
+++ b/lib/benl_data.ml
@@ -322,6 +322,13 @@ let read_debcheck =
   let () = Buffer.reset buf in
   r
 in
+let get_package_name p =
+  let p = Re_pcre.get_substring p 1 in
+  try
+snd (ExtString.String.split p ":")
+  with _ ->
+p
+in
 let rec read_pkg accu =
   begin match (try Some (input_line ic) with End_of_file -> None) with
   | None ->
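
Review bot: In get_package_name, "with _ -> p" catches any exception from the split; ExtString.String.split reports a missing separator with Invalid_string, so match that exception alone. The helper also rebinds p from the match result to the substring and keeps only what follows the first ":"; a distinct name for the substring and a one-line comment naming the prefix being dropped from the dose-debcheck output would make the intent clear.
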
@@ -329,7 +336,7 @@ let read_debcheck =
   | Some line ->
 try
   let r = Re_pcre.exec ~rex line in
-  let package = Re_pcre.get_substring r 1 in
+  let package = get_package_name r in
   let buf = Buffer.create 1024 in
   let () = Buffer.add_string buf line in
   let () = Buffer.add_char buf '\n' in
@@ -360,7 +367,8 @@ let inject_debcheck_data =
 let a, b = if !Benl_clflags.quiet then ("\n", "") else ("", "\n") in
 let all_uninstallable_packages = Benl_parallel.fold (fun map arch_ref ->
   Benl_clflags.progress "Running dose-debcheck on %s...\n" arch_ref;
-  let (ic, oc) as p = Unix.open_process "dose-debcheck --explain --quiet --failures" in
+  let dose_debcheck_cmd = Printf.sprintf "dose-debcheck --deb-native-arch=%s --explain --quiet --failures" arch_ref in
+  let (ic, oc) as p = Unix.open_process dose_debcheck_cmd in
   (* inefficiency: for each architecture, we iterate on all binary
  packages, not only on binary packages of said architectures *)
   PAMap.iter (fun (name, arch) pkg ->
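
Review bot: dose_debcheck_cmd interpolates arch_ref with "%s" into a string that Unix.open_process hands to /bin/sh, with no quoting. If arch_ref can come from a profile or command-line value rather than a fixed list, wrap it with Filename.quote or validate it against the known architecture names before building the command.
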
diff --git a/templates/debian.ml b/templates/debian.ml
index 77c62cb..0bd3c0b 100644
--- a/templates/debian.ml
+++ b/templates/debian.ml
@@ -43,7 +43,7 @@ let () =
 buildd = (fun ~src ~ver -> sprintf "https://buildd.debian.org/status/package.php?p=%s"; src);
 buildds = (fun ~srcs ->
   let srcs = String.concat "," srcs in
-  Some (sprintf "https://buildd.debian.org/status/package.php?p=%s&compact=compact"; srcs));
+  Some (sprintf "https://buildd.debian.org/status/package.p

Bug#798584: marked as done (jessie-pu: package chrony/1.30-2+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #798584,
regarding jessie-pu: package chrony/1.30-2+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
798584: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798584
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

Please accept chrony 1.30-2+deb8u1 for the next Jessie point release;
it fixes a missing build dependency on libcap-dev which prevents users
from configuring chronyd to drop root privileges. That would close
#768803.

diff -Nru chrony-1.30/debian/changelog chrony-1.30/debian/changelog
--- chrony-1.30/debian/changelog2015-04-10 11:43:39.0 +0200
+++ chrony-1.30/debian/changelog2015-09-09 20:00:38.0 +0200
@@ -1,3 +1,10 @@
+chrony (1.30-2+deb8u1) jessie; urgency=medium
+
+  * Build depend on libcap-dev. Without it, chronyd can’t drop root
+privileges. (Closes: #768803)
+
+ -- Vincent Blut   Wed, 09 Sep 2015 19:50:09 +0200
+
 chrony (1.30-2) unstable; urgency=medium

   * With the following security bugfixes (Closes: #782160):
diff -Nru chrony-1.30/debian/control chrony-1.30/debian/control
--- chrony-1.30/debian/control 2015-04-09 00:05:48.0 +0200
+++ chrony-1.30/debian/control 2015-09-09 19:35:25.0 +0200
@@ -8,7 +8,8 @@
  texinfo, bison,
  libedit-dev,
  libnss3-dev,
- libtomcrypt-dev
+ libtomcrypt-dev,
+ libcap-dev
 Homepage: http://chrony.tuxfamily.org
 Vcs-Git: git://anonscm.debian.org/collab-maint/chrony.git
 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/chrony.git
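
Review bot: libcap-dev is added to Build-Depends without an architecture restriction. libcap is Linux-specific, so if the package is also built on non-Linux ports, write it as "libcap-dev [linux-any]" to avoid an unsatisfiable build dependency there. Since the changelog says chronyd cannot drop root privileges without it, a build-time check that fails when the capability support is not detected would keep this from regressing silently.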

Cheers,
Vincent

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#798891: marked as done (php-doctrine-cache/1.3.1-1+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #798891,
regarding php-doctrine-cache/1.3.1-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
798891: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798891
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Control: clone -1 -2 -3 -4
Control: retitle -2 php-doctrine-annotations/1.2.1-1+deb8u1
Control: retitle -3 php-doctrine-cache/1.3.1-1+deb8u1
Control: retitle -4 php-doctrine-common/2.4.2-2+deb8u1

Hi,

As already discussed with the security team [1], please accept the fixes
for CVE-2015-5723 in doctrine and
php-doctrine-{annotations,cache,common}. Source debdiff attached.

1:
https://lists.alioth.debian.org/pipermail/pkg-php-pear/2015-September/005785.html

Please note there is also a bit of noise in the binary debdiff for
php-doctrine-common, because the pkg-php-tools version that was in Sid
over a year ago was not as effective as the version that made it into
Jessie (hence the php5-common version instead of plain php5 or php5-cli,
and the version boundary changes), so that was expected:

Control files: lines which differ (wdiff format)

Depends: [-php5 (>= 5.3.2) | php5-cli-] {+php5-common+} (>= 5.3.2),
php-doctrine-inflector (>= [-1~),-] {+1),+} php-doctrine-inflector (<<
[-2~),-] {+2~~),+} php-doctrine-cache (>= [-1~),-] {+1),+}
php-doctrine-cache (<< [-2~),-] {+2~~),+} php-doctrine-collections (>=
[-1~),-] {+1),+} php-doctrine-collections (<< [-2~),-] {+2~~),+}
php-doctrine-lexer (>= [-1~),-] {+1),+} php-doctrine-lexer (<< [-2~),-]
{+2~~),+} php-doctrine-annotations (>= [-1~),-] {+1),+}
php-doctrine-annotations (<< [-2~)-] {+2~~)+}
Installed-Size: [-320-] {+255+}
Version: [-2.4.2-2-] {+2.4.2-2+deb8u1+}

Regards

David
diff --git a/debian/changelog b/debian/changelog
index dffb472..4fad3b0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-doctrine-common (2.4.2-2+deb8u1) jessie; urgency=medium
+
+  * gbp.conf: Track the jessie branch
+  * Fix security misconfiguration vulnerability [CVE-2015-5723]
+
+ -- David Prévot   Mon, 31 Aug 2015 22:57:23 -0400
+
 php-doctrine-common (2.4.2-2) unstable; urgency=medium
 
   * Upload to unstable
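
Review bot: The changelog entry "Fix security misconfiguration vulnerability [CVE-2015-5723]" does not say what changes. The patch shipped with it touches lib/Doctrine/Common/Proxy/ProxyGenerator.php with a single inserted line, so the entry could name proxy generation as the affected area and say whether files generated before the upgrade need any action from the administrator.
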
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch b/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch
new file mode 100644
index 000..5135152
--- /dev/null
+++ b/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch
@@ -0,0 +1,23 @@
+From: Marco Pivetta 
+Date: Mon, 31 Aug 2015 15:38:45 +0100
+Subject: Applying patch for CVE-2015-5723
+
+See http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html
+
+Origin: upstream, https://github.com/doctrine/common/commit/4824569127daa9784bf35219a1cd49306c795389
+---
+ lib/Doctrine/Common/Proxy/ProxyGenerator.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Doctrine/Common/Proxy/ProxyGenerator.php b/lib/Doctrine/Common/Proxy/ProxyGenerator.php
+index 4c5a239..3941f17 100644
+--- a/lib/Doctrine/Common/Proxy/ProxyGenerator.php
 b/lib/Doctrine/Common/Proxy/ProxyGenerator.php
+@@ -302,6 +302,7 @@ class  extends \ implements \diff --git a/debian/changelog b/debian/changelog
index 7dc2075..f5c757f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-doctrine-cache (1.3.1-1+deb8u1) jessie; urgency=medium
+
+  * gbp.conf: Track the jessie branch
+  * Fix security misconfiguration vulnerability [CVE-2015-5723]
+
+ -- David Prévot   Mon, 31 Aug 2015 23:07:58 -0400
+
 php-doctrine-cache (1.3.1-1) unstable; urgency=medium
 
   [ David Prévot ]
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch b/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch
new file mode 100644
index 000..4922520
--- /dev/null
+++ b/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch
@@ -

Bug#798889: marked as done (jessie-pu: package doctrine/2.4.6-1+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #798889,
regarding jessie-pu: package doctrine/2.4.6-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
798889: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798889
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Control: clone -1 -2 -3 -4
Control: retitle -2 php-doctrine-annotations/1.2.1-1+deb8u1
Control: retitle -3 php-doctrine-cache/1.3.1-1+deb8u1
Control: retitle -4 php-doctrine-common/2.4.2-2+deb8u1

Hi,

As already discussed with the security team [1], please accept the fixes
for CVE-2015-5723 in doctrine and
php-doctrine-{annotations,cache,common}. Source debdiff attached.

1:
https://lists.alioth.debian.org/pipermail/pkg-php-pear/2015-September/005785.html

Please note there is also a bit of noise in the binary debdiff for
php-doctrine-common, because the pkg-php-tools version that was in Sid
over a year ago was not as effective as the version that made it into
Jessie (hence the php5-common version instead of plain php5 or php5-cli,
and the version boundary changes), so that was expected:

Control files: lines which differ (wdiff format)

Depends: [-php5 (>= 5.3.2) | php5-cli-] {+php5-common+} (>= 5.3.2),
php-doctrine-inflector (>= [-1~),-] {+1),+} php-doctrine-inflector (<<
[-2~),-] {+2~~),+} php-doctrine-cache (>= [-1~),-] {+1),+}
php-doctrine-cache (<< [-2~),-] {+2~~),+} php-doctrine-collections (>=
[-1~),-] {+1),+} php-doctrine-collections (<< [-2~),-] {+2~~),+}
php-doctrine-lexer (>= [-1~),-] {+1),+} php-doctrine-lexer (<< [-2~),-]
{+2~~),+} php-doctrine-annotations (>= [-1~),-] {+1),+}
php-doctrine-annotations (<< [-2~)-] {+2~~)+}
Installed-Size: [-320-] {+255+}
Version: [-2.4.2-2-] {+2.4.2-2+deb8u1+}

Regards

David
diff --git a/debian/changelog b/debian/changelog
index dffb472..4fad3b0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-doctrine-common (2.4.2-2+deb8u1) jessie; urgency=medium
+
+  * gbp.conf: Track the jessie branch
+  * Fix security misconfiguration vulnerability [CVE-2015-5723]
+
+ -- David Prévot   Mon, 31 Aug 2015 22:57:23 -0400
+
 php-doctrine-common (2.4.2-2) unstable; urgency=medium
 
   * Upload to unstable
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch b/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch
new file mode 100644
index 000..5135152
--- /dev/null
+++ b/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch
@@ -0,0 +1,23 @@
+From: Marco Pivetta 
+Date: Mon, 31 Aug 2015 15:38:45 +0100
+Subject: Applying patch for CVE-2015-5723
+
+See http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html
+
+Origin: upstream, https://github.com/doctrine/common/commit/4824569127daa9784bf35219a1cd49306c795389
+---
+ lib/Doctrine/Common/Proxy/ProxyGenerator.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Doctrine/Common/Proxy/ProxyGenerator.php b/lib/Doctrine/Common/Proxy/ProxyGenerator.php
+index 4c5a239..3941f17 100644
+--- a/lib/Doctrine/Common/Proxy/ProxyGenerator.php
 b/lib/Doctrine/Common/Proxy/ProxyGenerator.php
+@@ -302,6 +302,7 @@ class  extends \ implements \diff --git a/debian/changelog b/debian/changelog
index 7dc2075..f5c757f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-doctrine-cache (1.3.1-1+deb8u1) jessie; urgency=medium
+
+  * gbp.conf: Track the jessie branch
+  * Fix security misconfiguration vulnerability [CVE-2015-5723]
+
+ -- David Prévot   Mon, 31 Aug 2015 23:07:58 -0400
+
 php-doctrine-cache (1.3.1-1) unstable; urgency=medium
 
   [ David Prévot ]
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch b/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch
new file mode 100644
index 000..4922520
--- /dev/null
+++ b/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.p

Bug#798890: marked as done (php-doctrine-annotations/1.2.1-1+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #798890,
regarding php-doctrine-annotations/1.2.1-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
798890: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798890
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Control: clone -1 -2 -3 -4
Control: retitle -2 php-doctrine-annotations/1.2.1-1+deb8u1
Control: retitle -3 php-doctrine-cache/1.3.1-1+deb8u1
Control: retitle -4 php-doctrine-common/2.4.2-2+deb8u1

Hi,

As already discussed with the security team [1], please accept the fixes
for CVE-2015-5723 in doctrine and
php-doctrine-{annotations,cache,common}. Source debdiff attached.

1:
https://lists.alioth.debian.org/pipermail/pkg-php-pear/2015-September/005785.html

Please note there is also a bit of noise in the binary debdiff for
php-doctrine-common, because the pkg-php-tools version that was in Sid
over a year ago was not as effective as the version that made it into
Jessie (hence the php5-common version instead of plain php5 or php5-cli,
and the version boundary changes), so that was expected:

Control files: lines which differ (wdiff format)

Depends: [-php5 (>= 5.3.2) | php5-cli-] {+php5-common+} (>= 5.3.2),
php-doctrine-inflector (>= [-1~),-] {+1),+} php-doctrine-inflector (<<
[-2~),-] {+2~~),+} php-doctrine-cache (>= [-1~),-] {+1),+}
php-doctrine-cache (<< [-2~),-] {+2~~),+} php-doctrine-collections (>=
[-1~),-] {+1),+} php-doctrine-collections (<< [-2~),-] {+2~~),+}
php-doctrine-lexer (>= [-1~),-] {+1),+} php-doctrine-lexer (<< [-2~),-]
{+2~~),+} php-doctrine-annotations (>= [-1~),-] {+1),+}
php-doctrine-annotations (<< [-2~)-] {+2~~)+}
Installed-Size: [-320-] {+255+}
Version: [-2.4.2-2-] {+2.4.2-2+deb8u1+}

Regards

David
diff --git a/debian/changelog b/debian/changelog
index dffb472..4fad3b0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-doctrine-common (2.4.2-2+deb8u1) jessie; urgency=medium
+
+  * gbp.conf: Track the jessie branch
+  * Fix security misconfiguration vulnerability [CVE-2015-5723]
+
+ -- David Prévot   Mon, 31 Aug 2015 22:57:23 -0400
+
 php-doctrine-common (2.4.2-2) unstable; urgency=medium
 
   * Upload to unstable
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch b/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch
new file mode 100644
index 000..5135152
--- /dev/null
+++ b/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch
@@ -0,0 +1,23 @@
+From: Marco Pivetta 
+Date: Mon, 31 Aug 2015 15:38:45 +0100
+Subject: Applying patch for CVE-2015-5723
+
+See http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html
+
+Origin: upstream, https://github.com/doctrine/common/commit/4824569127daa9784bf35219a1cd49306c795389
+---
+ lib/Doctrine/Common/Proxy/ProxyGenerator.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Doctrine/Common/Proxy/ProxyGenerator.php b/lib/Doctrine/Common/Proxy/ProxyGenerator.php
+index 4c5a239..3941f17 100644
+--- a/lib/Doctrine/Common/Proxy/ProxyGenerator.php
 b/lib/Doctrine/Common/Proxy/ProxyGenerator.php
+@@ -302,6 +302,7 @@ class  extends \ implements \diff --git a/debian/changelog b/debian/changelog
index 7dc2075..f5c757f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-doctrine-cache (1.3.1-1+deb8u1) jessie; urgency=medium
+
+  * gbp.conf: Track the jessie branch
+  * Fix security misconfiguration vulnerability [CVE-2015-5723]
+
+ -- David Prévot   Mon, 31 Aug 2015 23:07:58 -0400
+
 php-doctrine-cache (1.3.1-1) unstable; urgency=medium
 
   [ David Prévot ]
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch b/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch
new file mode 100644
index 000..4922520
--- /dev/null
+++ b/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patc

Bug#798028: marked as done (jessie-pu: package pykerberos/1.1.5-0.1+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #798028,
regarding jessie-pu: package pykerberos/1.1.5-0.1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
798028: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798028
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,
I'd like to fix CVE-2015-3206 (a lack of KDC authenticity
verification) for jessie via a point release. The debdiff is
attached. The bug is fixed in unstable as well as squeeze-lts already.

As in squeeze-lts the KDC check is disabled by default to not break existing
installations.

Cheers,
 -- Guido.


-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), 
(500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 000..490dd3d
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,42 @@
+pykerberos (1.1.5-0.1+deb8u1) jessie; urgency=medium
+ 
+  The python-kerberos checkPassword() method has been badly insecure in
+  previous releases. It used to do (and still does by default) a kinit
+  (AS-REQ) to ask a KDC for a TGT for the given user principal, and
+  interprets the success or failure of that as indicating whether the
+  password is correct. It does not, however, verify that it actually spoke
+  to a trusted KDC: an attacker may simply reply instead with an AS-REP
+  which matches the password he just gave you.
+  .
+  Imagine you were verifying a password using LDAP authentication rather
+  than Kerberos: you would, of course, use TLS in conjunction with LDAP to
+  make sure you were talking to a real, trusted LDAP server. The same
+  requirement applies here. kinit is not a password-verification service.
+  .
+  The usual way of doing this is to take the TGT you've obtained with the
+  user's password, and then obtain a ticket for a principal for which the
+  verifier has keys (e.g. a web server processing a username/password form
+  login might get a ticket for its own HTTP/host@REALM principal), which
+  it can then verify. Note that this requires that the verifier has its
+  own Kerberos identity, which is mandated by the symmetric nature of
+  Kerberos (whereas in the LDAP case, the use of public-key cryptography
+  allows anonymous verification).
+  .
+  The fact of pykerberos being susceptible to KDC spoofing attacks has
+  been filed as CVE-2015-3206.
+  .
+  With this version of the pykerberos package a new option is introduced
+  for the checkPassword() method. Setting verify to True when using
+  checkPassword() will perform a KDC verification. For this to work, you
+  need to provide a krb5.keytab file containing service principal keys for
+  the service you intend to use.
+  .
+  As the default krb5.keytab file in /etc is normally not accessible by
+  non-root users/processes, you have to make sure a custom krb5.keytab
+  file containing the correct principal keys is provided to your
+  application using the KRB5_KTNAME environment variable.
+  .
+  Note: In Debian Jessie, KDC verification support is disabled by default in
+  ordner not to break existing setups.
+ 
+ -- Guido Günther   Sat, 22 Aug 2015 12:08:41 +0200
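
Review bot: The NEWS text says checkPassword() "used to do (and still does by default)" the unverified kinit, and only the closing note says verification is disabled by default, so a reader can miss that the upgrade alone does not protect callers from the KDC spoofing described. State in the first paragraph that the fix is opt-in: callers must set verify to True and provide a keytab through KRB5_KTNAME. Two smaller points: "in ordner not to break existing setups" should read "in order not to break existing setups", and the two otherwise blank "+ " lines carry trailing whitespace.
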
diff --git a/debian/changelog b/debian/changelog
index 9521150..e382a4a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+pykerberos (1.1.5-0.1+deb8u1) jessie; urgency=medium
+
+  * Add KDC authenticity verification support (CVE-2015-3206)
+Obtained from upstream, ignoring white-space changes, URL:
+https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c
+(Closes: #796195)
+
+ -- Guido Günther   Sat, 22 Aug 2015 13:48:57 +0200
+
 pykerberos (1.1.5-0.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff --git a/debian/examples b/debian/examples
index de45608..10845a7 100644
--- a/debian/examples
+++ b/debian/examples
@@ -1 +1,2 @@
 bin/ftp-gss
+bin/login
diff --git a/debian/patches/Add-KDC-authenticity-verification-support-CVE-2015-3206.patch b/debian/patches/Add-KDC-authenticity-verificatio

Bug#798892: marked as done (php-doctrine-common/2.4.2-2+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #798892,
regarding php-doctrine-common/2.4.2-2+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
798892: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798892
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Control: clone -1 -2 -3 -4
Control: retitle -2 php-doctrine-annotations/1.2.1-1+deb8u1
Control: retitle -3 php-doctrine-cache/1.3.1-1+deb8u1
Control: retitle -4 php-doctrine-common/2.4.2-2+deb8u1

Hi,

As already discussed with the security team [1], please accept the fixes
for CVE-2015-5723 in doctrine and
php-doctrine-{annotations,cache,common}. Source debdiff attached.

1:
https://lists.alioth.debian.org/pipermail/pkg-php-pear/2015-September/005785.html

Please note there is also a bit of noise in the binary debdiff for
php-doctrine-common, because the pkg-php-tools version that was in Sid
over a year ago was not as effective as the version that made it into
Jessie (hence the php5-common version instead of plain php5 or php5-cli,
and the version boundary changes), so that was expected:

Control files: lines which differ (wdiff format)

Depends: [-php5 (>= 5.3.2) | php5-cli-] {+php5-common+} (>= 5.3.2),
php-doctrine-inflector (>= [-1~),-] {+1),+} php-doctrine-inflector (<<
[-2~),-] {+2~~),+} php-doctrine-cache (>= [-1~),-] {+1),+}
php-doctrine-cache (<< [-2~),-] {+2~~),+} php-doctrine-collections (>=
[-1~),-] {+1),+} php-doctrine-collections (<< [-2~),-] {+2~~),+}
php-doctrine-lexer (>= [-1~),-] {+1),+} php-doctrine-lexer (<< [-2~),-]
{+2~~),+} php-doctrine-annotations (>= [-1~),-] {+1),+}
php-doctrine-annotations (<< [-2~)-] {+2~~)+}
Installed-Size: [-320-] {+255+}
Version: [-2.4.2-2-] {+2.4.2-2+deb8u1+}

Regards

David
diff --git a/debian/changelog b/debian/changelog
index dffb472..4fad3b0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-doctrine-common (2.4.2-2+deb8u1) jessie; urgency=medium
+
+  * gbp.conf: Track the jessie branch
+  * Fix security misconfiguration vulnerability [CVE-2015-5723]
+
+ -- David Prévot   Mon, 31 Aug 2015 22:57:23 -0400
+
 php-doctrine-common (2.4.2-2) unstable; urgency=medium
 
   * Upload to unstable
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch b/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch
new file mode 100644
index 000..5135152
--- /dev/null
+++ b/debian/patches/0002-Applying-patch-for-CVE-2015-5723.patch
@@ -0,0 +1,23 @@
+From: Marco Pivetta 
+Date: Mon, 31 Aug 2015 15:38:45 +0100
+Subject: Applying patch for CVE-2015-5723
+
+See http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html
+
+Origin: upstream, https://github.com/doctrine/common/commit/4824569127daa9784bf35219a1cd49306c795389
+---
+ lib/Doctrine/Common/Proxy/ProxyGenerator.php | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Doctrine/Common/Proxy/ProxyGenerator.php b/lib/Doctrine/Common/Proxy/ProxyGenerator.php
+index 4c5a239..3941f17 100644
+--- a/lib/Doctrine/Common/Proxy/ProxyGenerator.php
 b/lib/Doctrine/Common/Proxy/ProxyGenerator.php
+@@ -302,6 +302,7 @@ class  extends \ implements \diff --git a/debian/changelog b/debian/changelog
index 7dc2075..f5c757f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-doctrine-cache (1.3.1-1+deb8u1) jessie; urgency=medium
+
+  * gbp.conf: Track the jessie branch
+  * Fix security misconfiguration vulnerability [CVE-2015-5723]
+
+ -- David Prévot   Mon, 31 Aug 2015 23:07:58 -0400
+
 php-doctrine-cache (1.3.1-1) unstable; urgency=medium
 
   [ David Prévot ]
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch b/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch
new file mode 100644
index 000..4922520
--- /dev/null
+++ b/debian/patches/0002-DCOM-293-Fix-for-CVE-2015-5723-Security-Misconfigura.patch
@@ 

Bug#798893: marked as done (jessie-pu: package php-dropbox/1.0.0-3+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #798893,
regarding jessie-pu: package php-dropbox/1.0.0-3+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
798893: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798893
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

As already discussed with the security team, please accept the fix for
CVE-2015-4715 in php-dropbox. Source debdiff attached.

As noted in the ownCloud tracker, the issue is only relevant if a server
runs PHP below 5.6.0, or if some default has been changed. Yet, since
the owncloud (and php-dropbox) packages from Jessie can be used (and I
know they are actually used) out of the box on Wheezy, having the fix in
the next point release makes sense.

1: https://owncloud.org/security/advisory/?id=oc-sa-2015-005

Regards

David
diff --git a/debian/changelog b/debian/changelog
index aa86e22..c643681 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php-dropbox (1.0.0-3+deb8u1) jessie; urgency=medium
+
+  * Refuse to handle any files containing a @ [CVE-2015-4715]
+  * Track Jessie
+
+ -- David Prévot   Sat, 05 Sep 2015 14:19:37 -0400
+
 php-dropbox (1.0.0-3) unstable; urgency=medium
 
   * Include ownCloud specific patches
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0002-Revert-custom-patch-that-can-cause-problems.patch b/debian/patches/0002-Revert-custom-patch-that-can-cause-problems.patch
new file mode 100644
index 000..acd912b
--- /dev/null
+++ b/debian/patches/0002-Revert-custom-patch-that-can-cause-problems.patch
@@ -0,0 +1,30 @@
+From: Lukas Reschke 
+Date: Tue, 7 Apr 2015 15:12:10 +0200
+Subject: Revert custom patch that can cause problems
+
+Origin: upstream, https://github.com/owncloud/core/commit/7071cf15c25be4a0e4178019c625c57b898e4216
+---
+ Dropbox-1.0.0/Dropbox/OAuth/Curl.php | 10 --
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/Dropbox-1.0.0/Dropbox/OAuth/Curl.php b/Dropbox-1.0.0/Dropbox/OAuth/Curl.php
+index 6ea6873..9aa6852 100644
+--- a/Dropbox-1.0.0/Dropbox/OAuth/Curl.php
 b/Dropbox-1.0.0/Dropbox/OAuth/Curl.php
+@@ -72,8 +72,14 @@ class Dropbox_OAuth_Curl extends Dropbox_OAuth {
+ 		if (strtoupper($method) == 'POST') {
+ 			curl_setopt($ch, CURLOPT_URL, $uri);
+ 			curl_setopt($ch, CURLOPT_POST, true);
+-// 			if (is_array($arguments))
+-// $arguments=http_build_query($arguments);
++
++ 			//if (is_array($arguments))
++ 			//	$arguments=http_build_query($arguments);
++ 			foreach ($arguments as $key => $value) {
++ if($value[0] === '@') {
++	exit();
++}
++			}
+ 			curl_setopt($ch, CURLOPT_POSTFIELDS, $arguments);
+ // 			$httpHeaders['Content-Length']=strlen($arguments);
+ 		} else {
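Review bot: The new loop `foreach ($arguments as $key => $value)` runs while the `is_array($arguments)` guard stays commented out, and `$value[0] === '@'` assumes every value is a non-empty string, so a non-array `$arguments` or an empty or array-typed value reaches the check in a state it does not handle. Test `is_array($arguments)` first, and `is_string($value) && $value !== ''` before indexing. The bare `exit();` also ends the request with no log entry and no error for the caller; throwing an exception would make the refusal visible. Finally, the code rejects values that start with `@`, while the changelog entry says "containing a @", and the patch subject does not mention CVE-2015-4715; both should be aligned with what the code does.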
diff --git a/debian/patches/series b/debian/patches/series
index 5c66984..a104f36 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Include-ownCloud-specific-patches.patch
+0002-Revert-custom-patch-that-can-cause-problems.patch


--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#798895: marked as done (jessie-pu: package owncloud/7.0.4+dfsg-4~deb8u2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #798895,
regarding jessie-pu: package owncloud/7.0.4+dfsg-4~deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
798895: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798895
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

As already discussed with the security team, please accept the fixes for
CVE-2015-{471{6..8},6670} in owncloud. Source debdiff attached.

As noted in the ownCloud tracker, CVE-2015-4716 is only relevant on
Windows, yet I’d still like to include its fix in order to avoid making
any assumptions about how safely people are setting their servers: the
one-liner fix is just about sanitizing variables, that should anyway be
a good idea.

1: https://owncloud.org/security/advisory/?id=oc-sa-2015-006

Regards

David
diff --git a/debian/changelog b/debian/changelog
index fe8558d..503bd03 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+owncloud (7.0.4+dfsg-4~deb8u2) jessie; urgency=medium
+
+  * Backport security fixes from 7.0.6 and 7.0.8:
+- Local file inclusion on MS Windows Platform
+  [OC-SA-2015-006] [CVE-2015-4716]
+- Resource exhaustion when sanitizing filenames
+  [OC-SA-2015-007] [CVE-2015-4717]
+- Command injection when using external SMB storage
+  [OC-SA-2015-008] [CVE-2015-4718]
+- Calendar export: Authorization Bypass Through User-Controlled Key
+  [OC-SA-2015-015] [CVE-2015-6670]
+
+ -- David Prévot   Thu, 03 Sep 2015 19:38:32 -0400
+
 owncloud (7.0.4+dfsg-4~deb8u1) jessie-security; urgency=medium
 
   * Upload to jessie-security as agreed with the security team
diff --git a/debian/patches/0013-Clean-application-identifier-before-processing.patch b/debian/patches/0013-Clean-application-identifier-before-processing.patch
new file mode 100644
index 000..925066d
--- /dev/null
+++ b/debian/patches/0013-Clean-application-identifier-before-processing.patch
@@ -0,0 +1,22 @@
+From: Lukas Reschke 
+Date: Tue, 31 Mar 2015 14:58:24 +0200
+Subject: Clean application identifier before processing
+
+Origin: upstream, https://github.com/owncloud/core/commit/a15710afad054953cc348f2dd719c73b60985bce
+---
+ lib/private/route/router.php | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/private/route/router.php b/lib/private/route/router.php
+index 9c973d7..a6ff51b 100644
+--- a/lib/private/route/router.php
 b/lib/private/route/router.php
+@@ -204,6 +204,8 @@ class Router implements IRouter {
+ 		if (substr($url, 0, 6) === '/apps/') {
+ 			// empty string / 'apps' / $app / rest of the route
+ 			list(, , $app,) = explode('/', $url, 4);
++
++			$app = \OC_App::cleanAppId($app);
+ 			\OC::$REQUESTEDAPP = $app;
+ 			$this->loadRoutes($app);
+ 		} else if (substr($url, 0, 6) === '/core/' or substr($url, 0, 10) === '/settings/') {
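Review bot: The patch header for the added `cleanAppId()` call names no advisory or CVE, although this appears to be the variable-sanitizing one-liner the request describes for CVE-2015-4716; add that reference to the header so the patch can be matched to the changelog entry. In the hunk itself, a short comment above `$app = \OC_App::cleanAppId($app);` saying that `$app` is taken straight from the URL would explain why it is cleaned before `\OC::$REQUESTEDAPP` and `loadRoutes()` see it.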
diff --git a/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch b/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch
new file mode 100644
index 000..b9b252d
--- /dev/null
+++ b/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch
@@ -0,0 +1,50 @@
+From: Lukas Reschke 
+Date: Fri, 13 Feb 2015 12:49:34 +0100
+Subject: Ensure that passed argument is always a string
+
+Some code paths called the `normalizePath` functionality with types other than a string which resulted in unexpected behaviour.
+
+Thus the function is now manually casting the type to a string and I corrected the usage in list.php as well.
+
+Origin: upstream, https://github.com/owncloud/core/commit/5fa749cd9656ca6eab30bac0ef4e7625b8a8be2e
+---
+ apps/files/ajax/list.php | 2 +-
+ lib/private/files/filesystem.php | 9 +
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/apps/files/ajax/list.php b/apps/files/ajax/list.php
+index 4908016..21c88e2 100644
+--- a/apps/files/ajax/list.php
 b/apps/files/ajax/list.php
+@@ -5,7 +5,7 @@ OCP\JSON::checkLoggedIn();
+ $l = OC_L10N::get('files');
+ 
+ // Load the files
+-$dir = isset($_GET['dir']) ? $_GET['dir'] : '';
++$dir = isset($_GET['dir']) ? (string)$_GET['dir'] : '';
+ $dir = \OC\Files\Filesystem::normalizePath($dir);
+ 
+ try {
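Review bot: The `(string)` cast on `$_GET['dir']` turns an array-valued parameter into the literal string `Array` (with a PHP notice) instead of rejecting it, so `normalizePath()` then works on a path the client never sent. An explicit `is_string()` check that falls back to `''` would handle that case deliberately rather than by coercion.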
+diff --git a/lib/private/files/filesystem.php b/lib/private/files/filesystem.php
+index 492d9f1..a4d361d 100644
+--- a/lib/private/files/filesys

Bug#799070: marked as done (jessie-pu: package apt/1.0.9.8.2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #799070,
regarding jessie-pu: package apt/1.0.9.8.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
799070: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799070
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

The APT team would like to update APT to 1.0.9.8.2 in stable, with
the following changes (full diff | filterdiff -p1 -x "po/*.po*"
is attached):

+  [ David Kalnischkies ]
+  * hide first pdiff merge failure debug message (Closes: 793444)

-> This was a debugging message that was printed by default

+  * mark again deps of pkgs in APT::Never-MarkAuto-Sections as manual.
+Thanks to Raphaël Hertzog and Adam Conrad for detailed reports and initial 
patches
+(Closes: 793360) (LP: 1479207)

-> Dependencies of meta packages were not marked as manually installed

+
+  [ Julian Andres Klode ]
+  * Do not parse Status fields from remote sources

-> Remote sources could set "Status: install ok installed" on a package making
   APT believe that the package was already installed, and causing APT to
   "upgrade" it during an 'apt upgrade' or 'apt-get dist-upgrade' run.

   While this sounds like a horrible security issue, because it can be used
   to forcibly install new packages, the impact is not high: Sources could
   set the Essential field on any package which has almost the same effect,
   although being listed in the NEW installs section instead of the upgrade
   section.

+  [ Michael Vogt ]
+  * Use xgettext --no-location in make update-pot

-> This (and two other sorting changes) in po/makefile are just there to clean
   up our pot file handling, as that currently depends on the order in the
   file system, and thus produces a huge diff with every release, as the files
   are found in a different order and because line numbers have changed.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (100, 'experimental'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

Be friendly, do not top-post, and follow RFC 1855 "Netiquette".
- If you don't I might ignore you.
diff -Nru apt-1.0.9.8.1/apt-pkg/acquire-item.cc apt-1.0.9.8.2/apt-pkg/acquire-item.cc
--- apt-1.0.9.8.1/apt-pkg/acquire-item.cc	2015-06-10 09:40:35.0 +0200
+++ apt-1.0.9.8.2/apt-pkg/acquire-item.cc	2015-09-15 17:08:27.0 +0200
@@ -834,7 +834,8 @@
 
// first failure means we should fallback
State = StateErrorDiff;
-   std::clog << "Falling back to normal index file acquire" << std::endl;
+   if (Debug)
+  std::clog << "Falling back to normal index file acquire" << std::endl;
new pkgAcqIndex(Owner, RealURI, Description,Desc.ShortDesc,
 		   ExpectedHash);
 }
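Review bot: The new `if (Debug)` in front of the "Falling back to normal index file acquire" message has no braces, and the statement that follows, `new pkgAcqIndex(...)`, must stay unconditional. Bracing the one-line body would make that explicit and protect the fallback acquire from being pulled under the debug check by a later edit.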
diff -Nru apt-1.0.9.8.1/apt-pkg/deb/debindexfile.cc apt-1.0.9.8.2/apt-pkg/deb/debindexfile.cc
--- apt-1.0.9.8.1/apt-pkg/deb/debindexfile.cc	2015-06-10 09:40:35.0 +0200
+++ apt-1.0.9.8.2/apt-pkg/deb/debindexfile.cc	2015-09-15 17:08:27.0 +0200
@@ -621,7 +621,7 @@
FileFd Pkg(File,FileFd::ReadOnly, FileFd::Extension);
if (_error->PendingError() == true)
   return false;
-   debListParser Parser(&Pkg);
+   debStatusListParser Parser(&Pkg);
if (_error->PendingError() == true)
   return false;
 
diff -Nru apt-1.0.9.8.1/apt-pkg/deb/deblistparser.cc apt-1.0.9.8.2/apt-pkg/deb/deblistparser.cc
--- apt-1.0.9.8.1/apt-pkg/deb/deblistparser.cc	2015-06-10 09:40:35.0 +0200
+++ apt-1.0.9.8.2/apt-pkg/deb/deblistparser.cc	2015-09-15 17:08:27.0 +0200
@@ -333,7 +333,7 @@
return Result;
 }
 	/*}}}*/
-// ListParser::ParseStatus - Parse the status field			/*{{{*/
+// StatusListParser::ParseStatus - Parse the status field		/*{{{*/
 // -
 /* Status lines are of the form,
  Status: want flag status
@@ -345,6 +345,11 @@
 bool debListParser::ParseStatus(pkgCache::PkgIterator &Pkg,
 pkgCache::VerIterator &Ver)
 {
+
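The parser split described in the request above (Status honoured only when reading the local status file, ignored for downloaded indexes), as an added example that is not APT's code. `ListParser`, `StatusListParser`, `PkgState` and the sample stanzas are constructed stand-ins for illustration.

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// One deb822-style paragraph: field name -> value.
using Stanza = std::map<std::string, std::string>;

// What this toy cache records per package (hypothetical structure).
struct PkgState {
    std::string version;
    bool installed = false;  // may only come from a trusted Status field
    bool essential = false;  // still taken from any source (see the request text)
};

// Split "Key: value" paragraphs separated by blank lines.
// Continuation lines (leading space) are skipped to keep the example short.
std::vector<Stanza> parse_stanzas(const std::string &text) {
    std::vector<Stanza> out;
    Stanza cur;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        if (line.empty()) {
            if (!cur.empty()) { out.push_back(cur); cur.clear(); }
            continue;
        }
        const auto colon = line.find(':');
        if (colon == std::string::npos || line[0] == ' ') continue;
        std::string val = line.substr(colon + 1);
        val.erase(0, val.find_first_not_of(' '));
        cur[line.substr(0, colon)] = val;
    }
    if (!cur.empty()) out.push_back(cur);
    return out;
}

// Parser for downloaded (remote) index files: Status is never interpreted.
class ListParser {
public:
    virtual ~ListParser() = default;
    PkgState load(const Stanza &s) const {
        PkgState st;
        const auto v = s.find("Version");
        if (v != s.end()) st.version = v->second;
        const auto e = s.find("Essential");
        st.essential = (e != s.end() && e->second == "yes");
        parse_status(s, st);
        return st;
    }
protected:
    virtual void parse_status(const Stanza &, PkgState &) const {}
};

// Parser for the local status file: the only place "Status:" is trusted.
class StatusListParser : public ListParser {
protected:
    void parse_status(const Stanza &s, PkgState &st) const override {
        const auto it = s.find("Status");
        if (it == s.end()) return;
        // Status lines are of the form: want flag status
        std::istringstream f(it->second);
        std::string want, flag, status;
        f >> want >> flag >> status;
        st.installed = (status == "installed");
    }
};

// Constructed sample input: a remote Packages file that carries a Status field.
const char *kRemotePackages =
    "Package: example-pkg\nVersion: 2.0\nStatus: install ok installed\n\n"
    "Package: other-pkg\nVersion: 1.0\nEssential: yes\n";
// Constructed sample input: the local status file.
const char *kLocalStatus =
    "Package: example-pkg\nVersion: 1.0\nStatus: install ok installed\n";

PkgState load_first(const ListParser &p, const std::string &text) {
    return p.load(parse_stanzas(text).at(0));
}

int main() {
    std::cout << std::boolalpha
              << "remote index, remote parser: installed="
              << load_first(ListParser(), kRemotePackages).installed << "\n"
              << "remote index, status parser (pre-fix behaviour): installed="
              << load_first(StatusListParser(), kRemotePackages).installed << "\n"
              << "local status, status parser: installed="
              << load_first(StatusListParser(), kLocalStatus).installed << "\n";
    return 0;
}
```

The second line of output shows why the call site matters: feeding a downloaded index to the status-aware parser reproduces the behaviour the update removes.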

Bug#799229: marked as done (jessie-pu: package php-mail-mimedecode/1.5.5-2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #799229,
regarding jessie-pu: package php-mail-mimedecode/1.5.5-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
799229: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799229
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Some php-* packages, built with an older pkg-php-tools, incorrectly depend on
php5 instead of php5-common.

php5 pulls a web-server which is not intended.

As php-mail-mimedecode can be used in a non-webserver setup, it deserves a fix
(#793947).

Actually, I went too fast, and already uploaded to sid and jessie-updates.
Sorry :-(

Regards

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#799033: marked as done (jessie-pu: package file/1:5.22+15-2+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #799033,
regarding jessie-pu: package file/1:5.22+15-2+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
799033: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799033
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello release team,

for the next jessie point release, I'd like to upload a new version
of the file package, in order to fix the bug described in

https://bugs.debian.org/798410
http://mx.gw.com/pipermail/file/2015/001777.html

Short version: The handling of file's --parameter command line option
is broken, the program segfaults upon every usage. Additionally,
--parameter has no effect when used with --files-from.

Triggering the first issue is as simple as running "file --parameter";
for the second one I have no public reproducer so far but can provide
a file in private upon request.

Both issues have been fixed upstream recently, my proposed upload adds
the cherry-picked commits, two one-liners. The debdiff is attached.

Regards,

Christoph

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.1.6 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

diff -Nru file-5.22+15/debian/changelog file-5.22+15/debian/changelog
--- file-5.22+15/debian/changelog   2015-03-10 22:13:50.0 +0100
+++ file-5.22+15/debian/changelog   2015-09-13 18:33:51.0 +0200
@@ -1,3 +1,13 @@
+file (1:5.22+15-2+deb8u1) stable; urgency=medium
+
+  * Fix handling of file's --parameter option. Closes: #798410
+- The file program segfaults after processing the --parameter
+  parameter. [commit FILE5_24-22-g27b4e34]
+- Any --parameter values have no effect if used with
+  --files-from. [commit FILE5_24-23-g4ddb783]
+
+ -- Christoph Biedl   Sun, 13 Sep 2015 
18:27:47 +0200
+
 file (1:5.22+15-2) unstable; urgency=medium
 
   * Restore detection of some jpeg files. Closes: #780095
diff -Nru 
file-5.22+15/debian/patches/cherry-pick.FILE5_24-22-g27b4e34.parameter-1.patch 
file-5.22+15/debian/patches/cherry-pick.FILE5_24-22-g27b4e34.parameter-1.patch
--- 
file-5.22+15/debian/patches/cherry-pick.FILE5_24-22-g27b4e34.parameter-1.patch  
1970-01-01 01:00:00.0 +0100
+++ 
file-5.22+15/debian/patches/cherry-pick.FILE5_24-22-g27b4e34.parameter-1.patch  
2015-09-13 18:25:31.0 +0200
@@ -0,0 +1,16 @@
+Subject: --parameter takes a parameter
+Origin: FILE5_24-22-g27b4e34
+Upstream-Author: Christos Zoulas 
+Date: Tue Sep 8 13:46:01 2015 +
+
+--- a/src/file_opts.h
 b/src/file_opts.h
+@@ -43,7 +43,7 @@
+ #if defined(HAVE_UTIME) || defined(HAVE_UTIMES)
+ OPT('p', "preserve-date", 0, "preserve access times on files\n")
+ #endif
+-OPT('P', "parameter", 0, "set file engine parameter limits\n"
++OPT('P', "parameter", 1, "set file engine parameter limits\n"
+ "   indir15 recursion limit for 
indirection\n"
+ "   name 30 use limit for name/use 
magic\n"
+ "   elf_notes   256 max ELF notes processed\n"
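Review bot: Changing the third `OPT()` field for `parameter` from 0 to 1 is the entire fix, yet the patch header does not tie it to the crash it addresses; add a `Bug-Debian: https://bugs.debian.org/798410` line so the one-character change can be traced back to the report. A regression check that runs `file --parameter` with and without a value would also keep the option table from drifting again.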
diff -Nru 
file-5.22+15/debian/patches/cherry-pick.FILE5_24-23-g4ddb783.parameter-2.patch 
file-5.22+15/debian/patches/cherry-pick.FILE5_24-23-g4ddb783.parameter-2.patch
--- 
file-5.22+15/debian/patches/cherry-pick.FILE5_24-23-g4ddb783.parameter-2.patch  
1970-01-01 01:00:00.0 +0100
+++ 
file-5.22+15/debian/patches/cherry-pick.FILE5_24-23-g4ddb783.parameter-2.patch  
2015-09-13 18:25:32.0 +0200
@@ -0,0 +1,15 @@
+Subject: apply parameters before unwrapping() the list of files
+Origin: FILE5_24-23-g4ddb783
+Upstream-Author: Christos Zoulas 
+Date: Tue Sep 8 13:46:49 2015 +
+
+--- a/src/file.c
 b/src/file.c
+@@ -233,6 +233,7 @@
+   if (magic == NULL)
+   if ((magic = load(magicfile, flags)) == NULL)
+   return 1;
++  applyparam(magic);
+   e |= unwrap(magic, optarg);
+   ++didsomefiles;
+   break;
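Review bot: `applyparam(magic)` is now called inside the option case that handles the file list, right before `unwrap(magic, optarg)`, so as far as this hunk shows only `--parameter` values already parsed at that point are applied; a `--parameter` given after `--files-from` on the command line would still not reach that list. If that ordering is intended, state it in the patch description or the manual page. The header also lacks a reference to #798410.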
diff -Nr

Bug#799477: marked as done (jessie-pu: package mpm-itk/2.4.7-02-1.1jessie0)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #799477,
regarding jessie-pu: package mpm-itk/2.4.7-02-1.1jessie0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
799477: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799477
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I've already uploaded a version of mpm-itk to stable, but I've been told this
is the wrong order of things. So, in short:

I'd like to upload a fix for mpm-itk in stable (jessie), because the current
version breaks SSL with IE and Safari (in most common configurations, and
certainly the default), plus doesn't respect “Connection: close”. The diff is
small, simple and from upstream, since I am upstream myself. :-) The fix is
already in testing, with no complaints, and has been tested by several users.

The diff can be found at:

  
https://release.debian.org/proposed-updates/stable_diffs/mpm-itk_2.4.7-02-1.1jessie0.debdiff

-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (750, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.4 (SMP w/40 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#799230: marked as done (jessie-pu: package php-auth-sasl/1.0.6-1+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #799230,
regarding jessie-pu: package php-auth-sasl/1.0.6-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
799230: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799230
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Some php-* packages, built with an older pkg-php-tools, incorrectly depend on
php5 instead of php5-common.

php5 pulls a web-server which is not intended.

As php-auth-sasl can be used in a non-webserver setup, it deserves a fix
(#793948).

Actually, I went too fast, and already uploaded to sid and jessie-updates.
Sorry :-(

Regards

Mathieu Parent

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#799369: marked as done (jessie-pu: package swift/2.2.0-1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #799369,
regarding jessie-pu: package swift/2.2.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
799369: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799369
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear Stable release team,

I'd like to upload an update of Swift through s-p-u, in order to fix a
number of issues listed below:
- User creation was done in a non-OpenStack package standard way, namely
missing the --disabled-login option.
- On removal, the package was calling userdel, which I consider dangerous
(potential reuse of the UUID).
- On purge, /var/cache/swift wasn't removed.
- The swift-container-sync init script wasn't installed.

More importantly, there are 2 CVEs which need to be fixed:
- CVE-2015-1856 & OSSA 2015-006: Unauthorized delete of versioned Swift
  object.
- CVE-2015-5223: Information leak via Swift tempurls.

The above CVEs were considered not critical enough by the security team
to deserve a DSA, though they still deserve fixing.

I have attached a debdiff with all of the above problems corrected. The
pre-built package is also available here:
http://sid.gplhost.com/jessie-proposed-updates/swift/

Please allow me to upload swift/2.2.0-1+deb8u1 to jessie-proposed-updates.

Cheers,

Thomas Goirand (zigo)
diff -Nru swift-2.2.0/debian/changelog swift-2.2.0/debian/changelog
--- swift-2.2.0/debian/changelog	2014-10-16 12:48:43.0 +
+++ swift-2.2.0/debian/changelog	2015-09-15 19:29:22.0 +
@@ -1,3 +1,20 @@
+swift (2.2.0-1+deb8u1) jessie-proposed-updates; urgency=medium
+
+  [ Thomas Goirand ]
+  * Fixed swift user creation (standardized on pkgos way).
+  * CVE-2015-1856 & OSSA 2015-006: Unauthorized delete of versioned Swift
+object. Applied upstream patch: Prevent unauthorized delete in versioned
+container (Closes: #783163).
+
+  [ Ondřej Nový ]
+  * Fixed service name of object-expirer.
+  * Added container-sync init script.
+  * CVE-2015-5223: Information leak via Swift tempurls.
+Applied upstream patch: Disallow unsafe tempurl operations to point
+to unauthorized data (Closes: #797032).
+
+ -- Thomas Goirand   Tue, 15 Sep 2015 21:28:14 +0200
+
 swift (2.2.0-1) unstable; urgency=medium
 
   * New upstream release.
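Review bot: The new entry lists the user-creation fix, the object-expirer service name, the container-sync init script and the two CVEs, but not the `userdel` call on package removal or the /var/cache/swift cleanup on purge that the request announces. If those changes are part of the debdiff, give each its own changelog line; if they are not, the request text should not promise them.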
diff -Nru swift-2.2.0/debian/patches/CVE-2015-1856_Prevent-unauthorized-delete-in-versioned-container.patch swift-2.2.0/debian/patches/CVE-2015-1856_Prevent-unauthorized-delete-in-versioned-container.patch
--- swift-2.2.0/debian/patches/CVE-2015-1856_Prevent-unauthorized-delete-in-versioned-container.patch	1970-01-01 00:00:00.0 +
+++ swift-2.2.0/debian/patches/CVE-2015-1856_Prevent-unauthorized-delete-in-versioned-container.patch	2015-09-15 19:29:22.0 +
@@ -0,0 +1,242 @@
+Description: CVE-2015-1856: Prevent unauthorized delete in versioned container
+ An authenticated user can delete the most recent version of any versioned
+ object who's name is known if the user has listing access to the
+ x-versions-location container. Only Swift setups with allow_version setting
+ are affected.
+ .
+ This patch closes this bug, tracked as CVE-2015-1856.
+Author: Alistair Coles 
+Date: Fri, 3 Apr 2015 16:05:36 + (+0100)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fswift.git;a=commitdiff_plain;h=85afe9316570855c87ea731d0627f6f8f2b73264
+Co-Authored-By: Clay Gerrard 
+Co-Authored-By: Christian Schwede 
+Co-Authored-By: Alistair Coles 
+Bug-Ubuntu: https://bugs.launchpad.net/swift/+bug/1430645
+Change-Id: I74448c12bc4d4cd07d4300f452cf3dd6f66ca70a
+Bug-Debian: https://bugs.debian.org/783163
+
+diff --git a/swift/proxy/controllers/obj.py b/swift/proxy/controllers/obj.py
+index abd4cc2..36c1058 100644
+--- a/swift/proxy/controllers/obj.py
 b/swift/proxy/controllers/obj.py
+@@ -783,6 +783,10 @@ class ObjectController(Controller):
+ req.acl = container_info['write_acl']
+ req.environ['swift_sync_key'] = container_info['sync_key']
+ object_versions = container_info['versions']
++if 'swift.authorize' in req.environ:
++aresp = req.environ['swift.authorize'](req)
++if aresp:
++return aresp
+ if object_versions:
+ # this is a version manifest and needs to be handled differently
+ obje
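Review bot: The added authorization call is wrapped in `if 'swift.authorize' in req.environ:`, so when that key is absent the request continues into the versioned-object handling without any check. A comment on that line stating when the key is expected to be missing, and that skipping the check in that case is intended, would make the fix easier to audit.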

Bug#800881: marked as done (jessie-pu: package nvidia-graphics-drivers/340.93-0+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #800881,
regarding jessie-pu: package nvidia-graphics-drivers/340.93-0+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
800881: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800881
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Second PU request for fixing CVE-2015-5950.

This requires a new upstream release, too, that is two or three releases
ahead of what is currently in jessie.

The proposed changes are all already included and tested in sid.
This includes changes from several uploads to sid (up to 340.76-4) that
are a new upstream release and several bugfixes and minor features that
I consider appropriate for jessie.
The big changes done in sid 340.76-5 onwards are excluded, instead the
changes needed for jessie were cherry-picked into 340.93-0+deb8u1.

Regarding the version number, 340.93-1 was uploaded to sid (before the
CVE was made public), so we need to use 340.93-0+deb8u1 this time (or
would 340.93-0 be ok?). (A shorter version number reduces version string
inflation when rebuilding nvidia-graphics-modules.)


Annotated, reordered and merged changelog:

+nvidia-graphics-drivers (340.93-0+deb8u1) jessie; urgency=medium
+
+  * New upstream legacy 340xx branch release 340.93 (2015-09-02).
+* Fixed CVE-2015-5950: Memory corruption due to an unsanitized pointer.
+  (Closes: #800566)
+  * New upstream legacy 340xx branch release 340.76 (2015-01-27).
+* Improved compatibility with recent Linux kernels.  (Closes: #778698)
+  * Update lintian overrides.

New upstream blob with security bugfix.

+  * nvidia-driver-bin, libnvidia-compiler, libnvidia-eglcore,
+libgl1-nvidia-glx: Add Provides+Conflicts: $pkg-${nvidia:Version} to
+forbid co-installation with the respective legacy packages from the same
+upstream version due to file conflicts on versioned files that are not
+handled via alternatives.

improve and simplify co-existence with legacy packages

+  * bug-script: Report file information in arm-linux-gnueabihf directories.
+  * bug-script: Collect information from /etc/modules{,-load.d/}.

get better information from reportbug

+  * README.source: Document my schroot setup for testing module compilation.
+  * README.source: Document armhf setup for testing module compilation.

maintainer documentation

+  * Add ignore_xen_on_arm.patch needed for dkms build on armhf: armmp
+kernel headers ship with CONFIG_XEN enabled, which breaks the build,
+so since running this driver on XEN is currently not supported,
+ignore the check for XEN in nv-linux.h as a workaround on arm, and
+also disable CONFIG_XEN and CONFIG_XEN_DOM0 if building on <= 3.16.
+(Closes: #794435)

Allow the kernel module to be compiled for the Debian armhf kernels.
The driver is packaged for armhf, but cannot be tested due to lack of hardware.

+  * nvidia-detect: Detect stretch as supported suite, and parse -h as --help.
+(Closes: #792801)

+  * Fix nvidia-modprobe.conf module unload ordering, to stop nvidia-uvm
+getting stuck until a second modprobe -r nvidia-current is issued.
+Fix provided by Jö Fahlke. Thanks! (Closes: #793386)

important bugfix for bumblebee users

+  * Add Luca Boccassi to Uploaders.

+  * nvidia-driver, nvidia-kernel-*: Report the latest tested Linux version
+that can build the kernel module in the package description.

Maybe that gives some hints to people complaining about the jessie
driver not supporting the latest kernels from jessie-backports ...

+  * Split some old UNRELEASED changelog entries to linearize the BTS history.

+  * nvidia-kernel-source: Use reproducible timestamps and file order inside
+/usr/src/nvidia-kernel.tar.xz.

+  * conftest.h:
+- Implement new conftest.sh function nvidia_grid_build (352.41).
+- Implement new conftest.sh functions backing_dev_info (346.82),
+  phys_to_dma, dma_ops, get_dma_ops, noncoherent_swiotlb_dma_ops (352.09).
+- Implement new conftest.sh function dma_map_ops (352.30).
+- Reorder conftest.h to match conftest.sh.
+- Implement check for linux/log2.h (346.16).
+- Implement check for xen/ioemu.h (346.59).
+- Implement new conftest.sh functions write_cr4, xen_ioemu_inject_msi
+  (346.59), list_cut_position (349.12).
+- Implement new co

Bug#800006: marked as done (jessie-pu: package isc-dhcp/4.3.1-6)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #800006,
regarding jessie-pu: package isc-dhcp/4.3.1-6
to be marked as done.


-- 
800006: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800006
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I wonder if #795227 warrants an upload to jessie-pu (and maybe also to
wheezy-pu) to be fixed with the next point release. We run into that
issue at work, when we want to effectively publish static IP addresses in
cloud environments.

Cheers,
Martin
-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
 Martin Zobel-Helas Debian System Administrator
 Debian & GNU/Linux Developer   Debian Listmaster
 http://about.me/zobel   Debian Webmaster
 GPG Fingerprint:  6B18 5642 8E41 EC89 3D5D  BDBB 53B1 AC6D B11B 627B 


--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#801095: marked as done (jessie-pu: package uqm/0.6.2.dfsg-9.1~deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #801095,
regarding jessie-pu: package uqm/0.6.2.dfsg-9.1~deb8u1
to be marked as done.


-- 
801095: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801095
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

uqm FTBFS in jessie due to a missing -lm (#792920).


Andreas
diff -u uqm-0.6.2.dfsg/sc2/build.vars.in uqm-0.6.2.dfsg/sc2/build.vars.in
--- uqm-0.6.2.dfsg/sc2/build.vars.in
+++ uqm-0.6.2.dfsg/sc2/build.vars.in
@@ -30,7 +30,7 @@
 REZ='@REZ@'
 WINDRES='@WINDRES@'
 uqm_CFLAGS='@CFLAGS@ -g'
-uqm_LDFLAGS='@LDFLAGS@'
+uqm_LDFLAGS='@LDFLAGS@ -lm'
 uqm_INSTALL_BINDIR=$DESTDIR'@INSTALL_BINDIR@'
 uqm_INSTALL_LIBDIR=$DESTDIR'@INSTALL_LIBDIR@'
 uqm_INSTALL_SHAREDIR=$DESTDIR'@INSTALL_SHAREDIR@'
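Review bot: -lm is a library, not a linker option, so appending it to uqm_LDFLAGS only works if the build scripts expand that variable after the object files on the link line; with -Wl,--as-needed a library named before the objects that need it is dropped and the FTBFS comes back. If the build system has a separate variable for libraries, put -lm there; otherwise confirm where uqm_LDFLAGS lands in the final link command.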
diff -u uqm-0.6.2.dfsg/debian/changelog uqm-0.6.2.dfsg/debian/changelog
--- uqm-0.6.2.dfsg/debian/changelog
+++ uqm-0.6.2.dfsg/debian/changelog
@@ -1,3 +1,17 @@
+uqm (0.6.2.dfsg-9.1~deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for jessie.
+
+ -- Andreas Beckmann   Tue, 06 Oct 2015 11:24:46 +0200
+
+uqm (0.6.2.dfsg-9.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix missing -lm, thanks to Peter Piwowarski.  (Closes: #792920)
+
+ -- Andreas Beckmann   Fri, 18 Sep 2015 12:37:50 +0200
+
 uqm (0.6.2.dfsg-9) unstable; urgency=low
 
   * Added .desktop file, closes: #452650,
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#799777: marked as done (jessie-pu: package docbook2x/0.8.8.9+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #799777,
regarding jessie-pu: package docbook2x/0.8.8.9+deb8u1
to be marked as done.


-- 
799777: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799777
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Usertags: pu
Tags: jessie
Severity: normal


Please update docbook2x for jessie too, fixing bug #799700 and duplicates.
(just removing a bad installed file on some archs)

debdiff attached.

cheers,

Gianfranco


debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#800664: marked as done (jessie-pu: package wxmaxima/13.04.2-4+b1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #800664,
regarding jessie-pu: package wxmaxima/13.04.2-4+b1
to be marked as done.


-- 
800664: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800664
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Subject: jessie-pu: package wxmaxima/13.04.2-4+b1
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Dear all,

A few weeks ago I was informed about Bug#796954: wxmaxima segfaults
when given some special characters
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796954).
The problem is that if a parenthesis is entered in any of wxMaxima's
many wizard dialogs this sends wxMaxima into an infinite recursion
loop that crashes as soon as all of the stack is used up.


https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752528#40 now 
proposes a 4-line-bugfix and since I tested it on my system - (it seems 
to work at least for me) and the bug is very easy to trigger I would 
like to ask if the corrected version can be added to 
jessie-proposed-updates.

devref 5.5.1 tells me that the first step to do so is to ask you.
The second step would be to build a package that can be uploaded (I
already have the package with the patch ready), so if you tell me I can
do so I will upload it to debian mentors.


And I do have a practical question: The current package has the version 
number 13.04.2-4+b1. If I upload my new version it will be 13.04.2-4u1. 
Is this correct?



Thanks a lot,
and kind regards,

Gunter.

-- System Information:
Debian Release: jessie/sid
 APT prefers wily
 APT policy: (500, 'wily')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-040200rc8-lowlatency (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)


--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#799758: marked as done (jessie-pu: package apt-dater-host/1.0.0-2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #799758,
regarding jessie-pu: package apt-dater-host/1.0.0-2
to be marked as done.


-- 
799758: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799758
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello,

could I upload this package for the next jessie-pu? It fixes #794630
Thanks :)

Full diff:

diff -Naur '--exclude=.svn' tags/1.0.0-2/debian/changelog 
branches/jessie/debian/changelog
--- tags/1.0.0-2/debian/changelog   2014-10-29 09:32:46.208286390 +0100
+++ branches/jessie/debian/changelog2015-09-22 10:18:16.324279386 +0200
@@ -1,3 +1,11 @@
+apt-dater-host (1.0.0-2+deb8u1) stable; urgency=low
+
+  * Add patch 01-jessie-kernel-detection to fix Linux Kernel status detection
+with newer Jessie images. Thanks to Robert Bihlmeyer.
+Closes: #794630
+
+ -- Patrick Matthäi   Tue, 22 Sep 2015 10:17:50 +0200
+
 apt-dater-host (1.0.0-2) unstable; urgency=low

   * Move needrestart from depends to recommends.
diff -Naur '--exclude=.svn' 
tags/1.0.0-2/debian/patches/01-jessie-kernel-detection.diff 
branches/jessie/debian/patches/01-jessie-kernel-detection.diff
--- tags/1.0.0-2/debian/patches/01-jessie-kernel-detection.diff 1970-01-01 
01:00:00.0 +0100
+++ branches/jessie/debian/patches/01-jessie-kernel-detection.diff  
2015-09-22 10:15:08.152818869 +0200
@@ -0,0 +1,24 @@
+# Fix Linux Kernel status detection with newer Debian jessie kernel images.
+# Closes: #794630
+
+diff -Naur apt-dater-host-1.0.0.orig/dpkg/apt-dater-host 
apt-dater-host-1.0.0/dpkg/apt-dater-host
+--- apt-dater-host-1.0.0.orig/dpkg/apt-dater-host  2014-09-24 
23:05:00.0 +0200
 apt-dater-host-1.0.0/dpkg/apt-dater-host   2015-09-22 09:54:39.688185200 
+0200
+@@ -368,7 +368,7 @@
+ else {
+   my $vstr = `cat $verfile`;
+   unless($vstr =~ /^\S+ \S+ \S+ \(Debian ([^\)]+)\)/ ||
+- $vstr =~ /^\S+ \S+ \S+ \(debian-kernel\@lists\.debian\.org\) .+ 
Debian (\S+)$/) {
++ $vstr =~ /^\S+ \S+ \S+ \(debian-kernel\@lists\.debian\.org\) .+ 
Debian (\S+)(?: \(\d{4}-\d\d-\d\d\))?$/) {
+   print "$infostr 2 $version\n";
+   return;
+   }
+@@ -376,7 +376,7 @@
+ }
+
+ my $reboot = 0;
+-unless(open(HDPKG, "dpkg-query -W -f='\${Version} \${Status;20} 
\${Maintainer} \${Provides}\n' 'linux-image*'|grep -E 'install ok installed 
(Debian|Ubuntu) Kernel Team'|grep linux-image|")) {
++  unless(open(HDPKG, "dpkg-query -W -f='\${Version} \${Status;20} 
\${Maintainer} \${Provides}\n' 'linux-image*'|")) {
+   print "$infostr 9 $version\n";
+   return;
+ }
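Review bot: the second hunk of the embedded patch drops the whole grep pipeline from the dpkg-query call, so HDPKG now yields every package matching 'linux-image*' in any state and from any maintainer, not only 'install ok installed' images from the Debian or Ubuntu kernel team. Nothing in the visible lines re-applies that filter, so the code reading HDPKG has to check the ${Status;20} field itself; please confirm it does, or keep a grep on the status alone. The replacement unless line is also indented two columns deeper than the line it replaces.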
diff -Naur '--exclude=.svn' tags/1.0.0-2/debian/patches/series 
branches/jessie/debian/patches/series
--- tags/1.0.0-2/debian/patches/series  1970-01-01 01:00:00.0 +0100
+++ branches/jessie/debian/patches/series   2015-09-22 10:15:08.152818869 
+0200
@@ -0,0 +1 @@
+01-jessie-kernel-detection.diff


-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#801098: marked as done (jessie-pu: package human-icon-theme/0.28.debian-3.4~deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #801098,
regarding jessie-pu: package human-icon-theme/0.28.debian-3.4~deb8u1
to be marked as done.


-- 
801098: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801098
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

human-icon-theme has a flaw in its build system that can cause a race
between internal cleanup (running in the background) and removal of the
build chroot which results in hanging processes blocking the pty.


Andreas
diff -Nru human-icon-theme-0.28.debian/debian/changelog human-icon-theme-0.28.debian/debian/changelog
--- human-icon-theme-0.28.debian/debian/changelog	2011-10-19 22:26:39.0 +0200
+++ human-icon-theme-0.28.debian/debian/changelog	2015-10-06 11:41:20.0 +0200
@@ -1,3 +1,17 @@
+human-icon-theme (0.28.debian-3.4~deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for jessie.
+
+ -- Andreas Beckmann   Tue, 06 Oct 2015 11:40:30 +0200
+
+human-icon-theme (0.28.debian-3.4) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/cleanup.sh: Do not run processes in background.  (Closes: #793062)
+
+ -- Andreas Beckmann   Sat, 12 Sep 2015 18:05:10 +0200
+
 human-icon-theme (0.28.debian-3.3) unstable; urgency=low
 
   * Non-maintainer upload.
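Review bot: the 0.28.debian-3.4 entry names debian/cleanup.sh, but the file changed in this debdiff is debian/clean-up.sh; correct the path so the changelog matches the diff. The ~deb8u1 entry could also repeat the #793062 reference, since "Rebuild for jessie" alone does not tell a stable user what was fixed.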
diff -Nru human-icon-theme-0.28.debian/debian/clean-up.sh human-icon-theme-0.28.debian/debian/clean-up.sh
--- human-icon-theme-0.28.debian/debian/clean-up.sh	2011-03-12 18:51:38.0 +0100
+++ human-icon-theme-0.28.debian/debian/clean-up.sh	2015-09-12 18:01:36.0 +0200
@@ -1,15 +1,15 @@
 #!/bin/sh
 
 # Manually clean-up 
-find ./ -name Makefile.in* | xargs rm -f &>/dev/null
-rm -f ./po/Makefile.in.in &>/dev/null
-rm -f ./configure &>/dev/null
-rm -f ./intltool-update.in &>/dev/null
-rm -f ./intltool-merge.in &>/dev/null
-rm -r ./intltool-extract.in &>/dev/null
-rm -f ./config.guess &>/dev/null
-rm -f ./config.sub &>/dev/null
-rm -f ./install-sh &>/dev/null
-rm -f ./missing &>/dev/null
-rm -f ./aclocal.m4 &>/dev/null
+find ./ -name Makefile.in* | xargs rm -f >/dev/null
+rm -f ./po/Makefile.in.in >/dev/null
+rm -f ./configure >/dev/null
+rm -f ./intltool-update.in >/dev/null
+rm -f ./intltool-merge.in >/dev/null
+rm -r ./intltool-extract.in >/dev/null
+rm -f ./config.guess >/dev/null
+rm -f ./config.sub >/dev/null
+rm -f ./install-sh >/dev/null
+rm -f ./missing >/dev/null
+rm -f ./aclocal.m4 >/dev/null
 
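Review bot: replacing '&>/dev/null' with '>/dev/null' stops the backgrounding (under #!/bin/sh a non-bash shell reads '&>' as '&' followed by '>'), but the new form discards only stdout, and rm reports its problems on stderr. If the intent was to silence these commands, use '>/dev/null 2>&1'; if the errors should be visible, drop the redirection, since rm -f writes nothing to stdout anyway.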
diff -Nru human-icon-theme-0.28.debian/debian/control human-icon-theme-0.28.debian/debian/control
--- human-icon-theme-0.28.debian/debian/control	2011-10-19 22:27:51.0 +0200
+++ human-icon-theme-0.28.debian/debian/control	2015-10-06 11:42:45.0 +0200
@@ -2,7 +2,6 @@
 # 
 # Modifications should be made to debian/control.in instead.
 # This file is regenerated automatically in the clean target.
-
 Source: human-icon-theme
 Section: non-free/x11
 Priority: optional
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#800793: marked as done (jessie-pu: package netcfg/1.131+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #800793,
regarding jessie-pu: package netcfg/1.131+deb8u1
to be marked as done.


-- 
800793: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800793
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I would like to fix netcfg in stable and allow KVM on s390x to boot the
installer with working networking. The simple patch is this and is
already in testing.

diff --git a/debian/changelog b/debian/changelog
index 8dc90b9..4f2d3bc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+netcfg (1.131+deb8u1) stable; urgency=medium
+
+  * Fix is_layer3_qeth on s390x to avoid bailing out if the network
+driver is not qeth. (Closes: #798376)
+
+ -- Philipp Kern   Sat, 03 Oct 2015 18:42:26 +0200
+
 netcfg (1.131) unstable; urgency=medium
 
   * Kill the DHCP client on Linux again and keep it running on kFreeBSD.
diff --git a/netcfg-common.c b/netcfg-common.c
index 7c2c002..376e6ca 100644
--- a/netcfg-common.c
+++ b/netcfg-common.c
@@ -293,11 +293,11 @@ int is_layer3_qeth(const char *iface)
 goto out;
 }
 
-buf[slen + 1] = '\0';
+buf[slen] = '\0';
 
 driver = strrchr(buf, '/') + 1;
 if (strcmp(driver, "qeth") != 0) {
-di_error("no qeth found: %s", driver);
+di_info("no qeth found: %s", driver);
 goto out;
 }
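Review bot: 'driver = strrchr(buf, '/') + 1', just below the corrected terminator, is still unchecked: if the string in buf contains no '/', strrchr returns NULL and strcmp is handed NULL + 1. Test the strrchr result before adding 1 and take the 'goto out' path when it is NULL. The new 'buf[slen] = '\0'' is in bounds only if the call that produced slen was limited to sizeof(buf) - 1, which is outside this hunk and worth confirming.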

Kind regards and thanks
Philipp Kern
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#801100: marked as done (jessie-pu: package tangerine-icon-theme/0.26.debian-3.1~deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #801100,
regarding jessie-pu: package tangerine-icon-theme/0.26.debian-3.1~deb8u1
to be marked as done.


-- 
801100: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801100
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

tangerine-icon-theme has a flaw in its build system that can cause a race
between internal cleanup (running in the background) and removal of the
build chroot which results in hanging processes blocking the pty.


Andreas
diff -u tangerine-icon-theme-0.26.debian/debian/changelog tangerine-icon-theme-0.26.debian/debian/changelog
--- tangerine-icon-theme-0.26.debian/debian/changelog
+++ tangerine-icon-theme-0.26.debian/debian/changelog
@@ -1,3 +1,17 @@
+tangerine-icon-theme (0.26.debian-3.1~deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for jessie.
+
+ -- Andreas Beckmann   Tue, 06 Oct 2015 11:46:38 +0200
+
+tangerine-icon-theme (0.26.debian-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/cleanup.sh: Do not run processes in background.  (Closes: #793161)
+
+ -- Andreas Beckmann   Sat, 12 Sep 2015 18:26:08 +0200
+
 tangerine-icon-theme (0.26.debian-3) unstable; urgency=high
 
   * Use "libmagickcore-dev | libmagick9-dev" as the imagemagick build-dep,
diff -u tangerine-icon-theme-0.26.debian/debian/clean-up.sh tangerine-icon-theme-0.26.debian/debian/clean-up.sh
--- tangerine-icon-theme-0.26.debian/debian/clean-up.sh
+++ tangerine-icon-theme-0.26.debian/debian/clean-up.sh
@@ -3,13 +3,13 @@
 # Manually clean-up 
-find ./ -name Makefile.in* | xargs rm -f &>/dev/null
-rm -f ./po/Makefile.in.in &>/dev/null
-rm -f ./configure &>/dev/null
-rm -f ./intltool-update.in &>/dev/null
-rm -f ./intltool-merge.in &>/dev/null
-rm -r ./intltool-extract.in &>/dev/null
-rm -f ./config.guess &>/dev/null
-rm -f ./config.sub &>/dev/null
-rm -f ./install-sh &>/dev/null
-rm -f ./missing &>/dev/null
-rm -f ./aclocal.m4 &>/dev/null
+find ./ -name Makefile.in* | xargs rm -f >/dev/null
+rm -f ./po/Makefile.in.in >/dev/null
+rm -f ./configure >/dev/null
+rm -f ./intltool-update.in >/dev/null
+rm -f ./intltool-merge.in >/dev/null
+rm -r ./intltool-extract.in >/dev/null
+rm -f ./config.guess >/dev/null
+rm -f ./config.sub >/dev/null
+rm -f ./install-sh >/dev/null
+rm -f ./missing >/dev/null
+rm -f ./aclocal.m4 >/dev/null
 
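Review bot: two of the rewritten lines keep older problems that are worth fixing while they are being touched. 'rm -r ./intltool-extract.in' is the only removal without -f, so it errors out when the file is absent, and the pattern in 'find ./ -name Makefile.in*' is unquoted, so the shell expands it first whenever a matching file sits in the current directory. Suggest 'rm -f ./intltool-extract.in' and -name 'Makefile.in*'.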
diff -u tangerine-icon-theme-0.26.debian/debian/control tangerine-icon-theme-0.26.debian/debian/control
--- tangerine-icon-theme-0.26.debian/debian/control
+++ tangerine-icon-theme-0.26.debian/debian/control
@@ -1,3 +1,7 @@
+# This file is autogenerated. DO NOT EDIT!
+# 
+# Modifications should be made to debian/control.in instead.
+# This file is regenerated automatically in the clean target.
 Source: tangerine-icon-theme
 Section: non-free/x11
 Priority: optional
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#801580: marked as done (jessie-pu: package apt-offline/1.5)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #801580,
regarding jessie-pu: package apt-offline/1.5
to be marked as done.


-- 
801580: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801580
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

The python-apt module is not really a drop-in replacement for apt.
Unfortunately, for Jessie, apt-offline has python-apt as the default
backend.

This update for Jessie will change that to standard apt, something that
is the default in newer releases too.

Please see attached debdiff for the exact change. Please respond to this
bug report with an ACK and then I'll upload it to the archive.



-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.3+ (SMP w/4 CPU cores)
Locale: LANG=en_IN.utf8, LC_CTYPE=en_IN.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru apt-offline-1.5/apt_offline_core/AptOfflineCoreLib.py apt-offline-1.5.1/apt_offline_core/AptOfflineCoreLib.py
--- apt-offline-1.5/apt_offline_core/AptOfflineCoreLib.py	2014-09-15 23:58:05.0 +0530
+++ apt-offline-1.5.1/apt_offline_core/AptOfflineCoreLib.py	2015-10-12 14:19:10.0 +0530
@@ -1798,7 +1798,7 @@
 
 
 #Instantiate Apt based on what we have. For now, fall to apt only
-AptInst = AptManip(Str_SetArg, Simulate=Bool_TestWindows, AptType="python-apt")
+AptInst = AptManip(Str_SetArg, Simulate=Bool_TestWindows, AptType="apt")
 
 if Bool_SetUpdate:
 if platform.system() in supported_platforms:
diff -Nru apt-offline-1.5/debian/changelog apt-offline-1.5.1/debian/changelog
--- apt-offline-1.5/debian/changelog	2014-09-16 00:12:42.0 +0530
+++ apt-offline-1.5.1/debian/changelog	2015-10-12 14:20:25.0 +0530
@@ -1,3 +1,10 @@
+apt-offline (1.5.1) jessie; urgency=medium
+
+  * [3726fa8] Use apt backend. python-apt doesn't really work
+(Closes: #801502)
+
+ -- Ritesh Raj Sarraf   Mon, 12 Oct 2015 14:19:48 +0530
+
 apt-offline (1.5) unstable; urgency=medium
 
   * New Major Release
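Review bot: the new entry uses 1.5.1 as the jessie version, which reads like a new release and can collide with a later 1.5.1 uploaded to unstable. A suffix on the existing version (for example 1.5+deb8u1) sorts above 1.5 and below any future release; consider renumbering before upload.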
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#801304: marked as done (jessie-pu: package ejabberd/14.07-4+deb8u3)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #801304,
regarding jessie-pu: package ejabberd/14.07-4+deb8u3
to be marked as done.


-- 
801304: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801304
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I would like to upload ejabberd 14.07-4+deb8u3 to Jessie.
It closes a bug regarding broken LDAP queries: #797645

The only difference is a small additional patch that has been tested
and included upstream.

The complete output of
 git diff debian/14.07-4+deb8u2 debian/14.07-4+deb8u3
is attached.

Regards,
Philipp
diff --git a/debian/changelog b/debian/changelog
index fdf5242..36879a0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+ejabberd (14.07-4+deb8u3) jessie; urgency=medium
+
+  * Add patch to fix broken ldap queries (Closes: #797645)
+
+ -- Philipp Huebner   Tue, 01 Sep 2015 14:57:47 +0200
+
 ejabberd (14.07-4+deb8u2) jessie; urgency=medium
 
   * Adjust logrotate postrotate command in case ejabberd is not running (Closes: #786588)
diff --git a/debian/patches/ELDAPv3.diff b/debian/patches/ELDAPv3.diff
new file mode 100644
index 000..ffa08dc
--- /dev/null
+++ b/debian/patches/ELDAPv3.diff
@@ -0,0 +1,22 @@
+Description: fix broken ldap queries
+ Occuring with any LDAP server when ldap_uid is set to
+ ldap_uids: "someAttribute" : "%u...@anydomain.com"
+ ejabberd is unable to create proper LDAP queries for retrieving list of users,
+ as a result list of server users remains empty.
+Author: Holger Weiss 
+
+diff --git a/src/ELDAPv3.erl b/src/ELDAPv3.erl
+index 4945731..c66fa97 100644
+--- a/src/ELDAPv3.erl
 b/src/ELDAPv3.erl
+@@ -1765,6 +1765,10 @@ encode_tags(TagIn, BytesSoFar, LenSoFar).
+   {EncBytes,EncLen} = 'enc_SubstringFilter_substrings_components'(Val,[],0),
+encode_tags(TagIn, EncBytes, EncLen).
+ 
++'enc_SubstringFilter_substrings_components'({'SubstringFilter_substrings', L}, AccBytes, AccLen)
++   when is_list(L) ->
++   'enc_SubstringFilter_substrings_components'(L, AccBytes, AccLen);
++
+ 'enc_SubstringFilter_substrings_components'([], AccBytes, AccLen) -> 
+{lists:reverse(AccBytes),AccLen};
+ 
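Review bot: the patch header carries only Description and Author; add an Origin field pointing at the upstream commit and Bug-Debian: https://bugs.debian.org/797645, so the provenance the request mentions ("tested and included upstream") is recorded in the patch itself. "Occuring" in the description should be "Occurring". The is_list(L) guard on the new clause is appropriate, since the clauses it delegates to expect a list.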
diff --git a/debian/patches/series b/debian/patches/series
index cd8897c..a2b4827 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,4 @@ avoid_hanging_c2s.patch
 base64.patch
 fix_muc_logs.patch
 fix_ldap_dn_filter.patch
+ELDAPv3.diff
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#801318: marked as done (jessie-pu: package postgresql-9.1/9.1.19-0+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #801318,
regarding jessie-pu: package postgresql-9.1/9.1.19-0+deb8u1
to be marked as done.


-- 
801318: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801318
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

please consider postgresql-9.1/9.1.19-0+deb8u1 for the next jessie
point release:

postgresql-9.1 (9.1.19-0+deb8u1) jessie; urgency=medium

  * New upstream version, relevant PL/Perl change:
+ Fix plperl to handle non-ASCII error message texts correctly.

 -- Christoph Berg   Thu, 08 Oct 2015 15:17:23 +0200

As usual, this upload is to mirror an upload of postgresql-9.1 to
wheezy to keep the version number higher. (The good news is that
libperl is said to be coinstallable in the future so we will hopefully
not have to do this versioning dance for jessie.)

Christoph
-- 
c...@df7cb.de | http://www.df7cb.de/


--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#801743: marked as done (pu: package cpuset/1.5.6-4+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #801743,
regarding pu: package cpuset/1.5.6-4+deb8u1
to be marked as done.


-- 
801743: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801743
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

It turns out that #796893 makes cpuset effectively useless in stable.  I
have updated an existing quilt patch from a patch in the (now mostly
dead) upstream issue tracker.  I have already uploaded 1.5.6-5 into
unstable to fix the bug there.  The debdiff for the proposed update to
stable is attached.  Here is the diffstat:

 changelog                                                        |    6 +
 patches/02_prefix_in_case_filesystem_has_its_own_namespace.patch |   45 --
 2 files changed, 44 insertions(+), 7 deletions(-)

Regards,

-Roberto

-- System Information:
Debian Release: 7.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru cpuset-1.5.6/debian/changelog cpuset-1.5.6/debian/changelog
--- cpuset-1.5.6/debian/changelog	2014-03-09 18:16:04.0 -0400
+++ cpuset-1.5.6/debian/changelog	2015-10-13 23:47:17.0 -0400
@@ -1,3 +1,9 @@
+cpuset (1.5.6-4+deb8u1) jessie; urgency=high
+
+  * Update filesystem namespace prefix patch (Closes: #796893)
+
+ -- Roberto C. Sanchez   Tue, 13 Oct 2015 23:46:35 -0400
+
 cpuset (1.5.6-4) unstable; urgency=low
 
   * Update Standards-Version to 3.9.5 (no changes)
diff -Nru cpuset-1.5.6/debian/patches/02_prefix_in_case_filesystem_has_its_own_namespace.patch cpuset-1.5.6/debian/patches/02_prefix_in_case_filesystem_has_its_own_namespace.patch
--- cpuset-1.5.6/debian/patches/02_prefix_in_case_filesystem_has_its_own_namespace.patch	2014-03-09 18:16:04.0 -0400
+++ cpuset-1.5.6/debian/patches/02_prefix_in_case_filesystem_has_its_own_namespace.patch	2015-10-13 23:47:17.0 -0400
@@ -1,7 +1,7 @@
 Author: Roberto C. Sanchez 
 Description: Account for filesystem namespace having its own prefix.  The updated file was downloaded from here: http://code.google.com/p/cpuset/issues/detail?id=10
 cpuset.hg.orig/cpuset/cset.py
-+++ cpuset.hg/cpuset/cset.py
+--- cpuset.git.orig/cpuset/cset.py
 cpuset.git/cpuset/cset.py
 @@ -32,10 +32,13 @@
  class CpuSet(object):
  # sets is a class variable dict that keeps track of all 
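Review bot: The header of the refreshed patch still has only Author and Description, and the Description still says the file was downloaded from the code.google.com issue, while the paths in this hunk move from `cpuset.hg` to `cpuset.git`. Since this revision closes #796893, add a `Bug-Debian:` line and a `Last-Update:` date, and say in the Description which revision of the upstream attachment the patch now corresponds to.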
@@ -17,7 +17,33 @@
  
  def __init__(self, path=None):
  log.debug("initializing CpuSet")
-@@ -104,12 +107,18 @@
+@@ -47,7 +50,16 @@
+ log.debug("finding all cpusets")
+ path = self.locate_cpusets()
+ CpuSet.basepath = path
+-log.debug("creating root node at %s", path)
++if not os.access(path + '/cpus', os.F_OK):
++log.debug(path + "/cpus doesn't exist, trying to add the cpuset. prefix")
++CpuSet.prefix = 'cpuset.'
++if not os.access(path + '/cpuset.cpus', os.F_OK):
++# definitely not a cpuset directory
++str = '%s is not a cpuset directory' % (path)
++log.error(str)
++raise CpusetException(str)
++
++log.debug("creating root node at %s with prefix '%s'", path, CpuSet.prefix)
+
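Review bot: In the added `@@ -47,7 +50,16 @@` block, `CpuSet.prefix = 'cpuset.'` is assigned before the second `os.access` check, so when `CpusetException` is raised the class attribute is left changed for a path that is not a cpuset directory. Assign the prefix only after `cpuset.cpus` has been confirmed to exist. The line `str = '%s is not a cpuset directory' % (path)` also rebinds the builtin `str`, and a name such as `msg` avoids that. The first `log.debug` call builds its message by concatenating `path` while the last one passes `%s` arguments, so pass `path` as a logging argument there as well.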

Bug#801851: marked as done (jessie-pu: package multipath-tools/0.5.0-6+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #801851,
regarding jessie-pu: package multipath-tools/0.5.0-6+deb8u1
to be marked as done.


-- 
801851: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801851
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This update to multipath-tools fixes a couple of problems. Details are
referenced in the changelog, and further details are present in
referenced bugs.

All these changes are already available in Unstable

Please let me know when I can upload.


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.3+ (SMP w/4 CPU cores)
Locale: LANG=en_IN.utf8, LC_CTYPE=en_IN.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru multipath-tools-0.5.0/debian/changelog multipath-tools-0.5.0/debian/changelog
--- multipath-tools-0.5.0/debian/changelog	2015-05-28 01:01:37.0 +0530
+++ multipath-tools-0.5.0/debian/changelog	2015-10-15 14:49:35.0 +0530
@@ -1,3 +1,19 @@
+multipath-tools (0.5.0-6+deb8u3) jessie; urgency=medium
+
+  * fix discovery of devices with blank rev
+- 0014-libmultipath-discovery-blank-rev-attr.patch:  
+  * Updates for compatibility with commit "multipath: Implement
+'property' blacklist".
+- 0015-libmultipath-property-whitelist-SCSI_IDENT.patch
+Thanks to Mauricio Faria de Oliveira (Closes: #782400, #782488)
+  * [5ffc2f4] Add documentation to cover additional friendly names
+scenarios. Thanks to Scott Moser (Closes: #788841)
+  * [af3f228] init: Fix stop failure when no root device is found
+(Closes: #795278)
+  * [b77859e] Add debian/gbp.conf to use pristine-tar branch
+
+ -- Ritesh Raj Sarraf   Thu, 15 Oct 2015 14:16:45 +0530
+
 multipath-tools (0.5.0-6+deb8u1) jessie; urgency=medium
 
   * [b40599e] Add dm-service-time path checked.
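Review bot: The new entry is versioned `0.5.0-6+deb8u3` but sits directly on top of `0.5.0-6+deb8u1`, with no `+deb8u2` entry between them, and the request itself is filed for `0.5.0-6+deb8u1`, so please confirm the intended version. The line `- 0014-libmultipath-discovery-blank-rev-attr.patch:` ends in a colon with nothing after it, and #782400 and #782488 are credited together at the end of the second bullet. Attaching each bug number to the patch that fixes it would make the entry easier to audit.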
diff -Nru multipath-tools-0.5.0/debian/gbp.conf multipath-tools-0.5.0/debian/gbp.conf
--- multipath-tools-0.5.0/debian/gbp.conf	1970-01-01 05:30:00.0 +0530
+++ multipath-tools-0.5.0/debian/gbp.conf	2015-10-15 14:49:35.0 +0530
@@ -0,0 +1,2 @@
+[DEFAULT]
+pristine-tar = True
diff -Nru multipath-tools-0.5.0/debian/multipath-tools.init multipath-tools-0.5.0/debian/multipath-tools.init
--- multipath-tools-0.5.0/debian/multipath-tools.init	2015-05-28 01:01:37.0 +0530
+++ multipath-tools-0.5.0/debian/multipath-tools.init	2015-10-15 14:47:24.0 +0530
@@ -63,16 +63,20 @@
 	;;
   stop)
 	DONT_STOP_MPATHD=0
-root_dev=$(awk '{ if ($1 !~ /^[ \t]*#/ && $1 ~ /\// && $2 == "/") { print $1; }}' /etc/mtab)
-	dm_num=$(dmsetup info -c --noheadings -o minor $root_dev 2>/dev/null)
-	if [ $? -ne 0 ]; then
+	root_dev=$(awk '{ if ($1 !~ /^[ \t]*#/ && $1 ~ /\// && $2 == "/") { print $1; }}' /etc/mtab)
+	if [ -n "$root_dev" ]; then
+		dm_num=$(dmsetup info -c --noheadings -o minor $root_dev 2>/dev/null)
+	else
+		dm_num=
+	fi
+	if [ $? -ne 0 -o -z "$dm_num" ]; then
 		# Looks like we couldn't find a device mapper root device
 		# But we shouldn't bail out here, otherwise the stop target and the
 		# upgrade processes will break. See DBUG #674733
-		echo;
+		:
 	else
 		root_dm_device="dm-$dm_num"
-		[ -d $syspath/$root_dm_device ] && teardown_slaves $syspath/$root_dm_device
+		[ -d "$syspath/$root_dm_device" ] && teardown_slaves $syspath/$root_dm_device
 	fi
 
 	if [ x$DONT_STOP_MPATHD = x0 ]; then
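Review bot: The combined test `[ $? -ne 0 -o -z "$dm_num" ]` now reads `$?` after the `if ... fi` block instead of directly after `dmsetup`, so it sees the dmsetup status only because that assignment is the last command run in the `then` branch, and any line later added to that branch silently changes the result. Testing the command directly, for example `if [ -z "$root_dev" ] || ! dm_num=$(dmsetup info -c --noheadings -o minor "$root_dev" 2>/dev/null) || [ -z "$dm_num" ]; then`, removes the dependency on `$?` and on `-o`. `$root_dev` is still unquoted in the `dmsetup` call, and on the last changed line only the `[ -d ... ]` operand was quoted, not the argument passed to `teardown_slaves`.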
diff -Nru multipath-tools-0.5.0/debian/multipath-tools.README.Debian multipath-tools-0.5.0/debian/multipath-tools.README.Debian
--- multipath-tools-0.5.0/debian/multipath-tools.README.Debian	2015-05-28 01:01:37.0 +0530
+++ multipath-tools-0.5.0/debian/multipath-tools.README.Debian	2015-10-15 14:47:24.0 +0530
@@ -25,6 +25,20 @@
 This device should be accessible as /dev/mapper/diskbox1-lun0.
 
 
+
+If using user_friendly_names = yes, please ensure that your /etc/multipath/bindings
+file gets propagated to the initramfs.
+
+For that, please follow the following steps:
+
+1) set "user_friendly_names = yes" in /etc/multipath.conf
+2) Run `multipath -F` to flush your device maps. For root on multipath devices,
+   this could still be tricky
+3) Run `multipa
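Review bot: Step 2 tells the reader to run `multipath -F` and then says that for root on multipath devices "this could still be tricky", without saying what goes wrong or what to do instead. Since the section is added to cover the friendly-names scenarios, describe the expected failure and the recommended way around it for a root-on-multipath system.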

Bug#802851: marked as done (jessie-pu: package qpsmtpd/0.84-11)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #802851,
regarding jessie-pu: package qpsmtpd/0.84-11
to be marked as done.


-- 
802851: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802851
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I propose a patch to qpsmtpd in jessie-proposed-updates; this is a one-line
patch to address a compatibility breaking API change introduced in
libnet-dns-perl 0.81.  The effect of the incompatibility causes qpsmtpd (an
SMTP daemon) to abruptly disconnect incoming SMTP sessions, breaking
functionality pretty much completely and justifying severity=grave (in the
context of a package with a few dozen installs on stable.)

Proposed 0.84-12 updates a method name to the one in libnet-dns-perl_0.81
from jessie, and bumps the Depends: accordingly.

This closes bug#795836 (originally tagged for wheezy, I believe erroneously; my
testing on a wheezy install and the version of libnet-dns-perl from that
release does not reproduce the behavior).

Proposed quilt patch attached.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Index: qpsmtpd-0.84/qpsmtpd-forkserver
===
--- qpsmtpd-0.84.orig/qpsmtpd-forkserver	2015-10-24 05:35:24.0 +
+++ qpsmtpd-0.84/qpsmtpd-forkserver	2015-10-24 07:23:18.815328768 +
@@ -281,7 +281,7 @@
 # all children should have different seeds, to prevent conflicts
 srand();
 for (0 .. rand(65536)) {
-	Net::DNS::Header::nextid();
+	Net::DNS::Header::id();
 }
   
 close $_ for $select->handles;
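Review bot: `Net::DNS::Header::id();` is called here as a plain function with no object and its return value is discarded, so the loop has an effect only if calling `id` that way still advances the module's ID sequence in libnet-dns-perl 0.81. Please confirm that, and extend the comment above `srand()` to say why the call is there and which Net::DNS version it needs. The name is changed unconditionally, so the bumped `Depends:` mentioned in the request has to ship in the same upload.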
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#801892: marked as done (jessie-pu: package nvidia-graphics-drivers-legacy-304xx/304.128-1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #801892,
regarding jessie-pu: package nvidia-graphics-drivers-legacy-304xx/304.128-1
to be marked as done.


-- 
801892: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801892
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

this is the next update in the series for fixing CVE-2015-5950.

The diff is essentially the same as in nvidia-graphics-drivers 304.128-1
(wheezy) and nvidia-graphics-drivers 340.93-0+deb8u1 (jessie) merged
into the legacy package.

This version is currently not in unstable, but it will be there (and at
a release of -5 or so to leave some space (-1 .. -4) for further jessie
updates) at the time I would upload this for jessie.

Again trying to avoid long 1+deb8u1 version numbers ...



Andreas
Index: debian/README.source
===
--- debian/README.source	(revision 5221)
+++ debian/README.source	(revision 5678)
@@ -77,6 +77,39 @@
  -- Andreas Beckmann   Sun, 09 Nov 2014 14:49:10 +0100
 
 
+Testing kernel module compilation
+
+The following approach has been useful to test nvidia-kernel-source (or
+a corresponding legacy variant) against a range of kernel headers. The
+dkms packages are less suited for semi-automatic testing.
+
+Initial setup amd64/i386:
+* setup a minimal sid chroot for the target architecture (debootstrap)
+* setup a schroot configuration for easy usage
+* include all releases to be tested in the sources.list
+  (the linux-headers-*-all metapackages from oldstable/stable/backports/
+  testing/ sid/experimental/*-backports are co-installable)
+* install as many linux-headers-* (meta-)packages as you want to test
+
+Initial setup armhf:
+* install the package: qemu-user-static (MUST be version >= 1:2.3)
+* cowbuilder yields best results compared to chroot/schroot/pbuilder, for
+  detailed instructions see: https://wiki.debian.org/cowbuilder
+* define or export DEBOOTSTRAP="qemu-debootstrap" ARCH="armhf" before every
+  step
+
+Testing a new nvidia*-kernel-source package:
+* enter the chroot as root, update it, install new linux-headers-*
+* install the new package to be tested with dpkg
+* run 
+  sh /usr/share/doc/nvidia-kernel-source/build-module-packages.sh
+* and wait, this will iterate over all available linux-headers
+* should any fail to build, module-assistant will print an error and
+  wait for return being pressed before continuing
+
+ -- Andreas Beckmann   Tue, 04 Aug 2015 11:54:28 +0200
+
+
 Importing a new upstream release that moved support for some legacy cards
 to a new legacy driver
 
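Review bot: The test procedure hard-codes `sh /usr/share/doc/nvidia-kernel-source/build-module-packages.sh`, although the opening paragraph says the approach also applies to "a corresponding legacy variant", whose doc directory would normally carry the legacy package name. Write the path with a placeholder for the package name, or note the substitution. The armhf section says qemu-user-static "MUST be version >= 1:2.3" without giving the reason, and a short note on what fails with older versions would help. In the list of suites, "testing/ sid" has a stray space.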
Index: debian/bug-control.in
===
--- debian/bug-control.in	(revision 5221)
+++ debian/bug-control.in	(revision 5678)
@@ -1,3 +1,3 @@
 report-with: #NVIDIA#-driver nvidia-glx#LEGACY# libgl1-#NVIDIA#-glx xserver-xorg-video-#NVIDIA# #NVIDIA_ALTERNATIVE# #NVIDIA#-kernel-dkms #NVIDIA#-kernel-source glx-alternative-nvidia xserver-xorg-video-intel
 
-package-status: #NVIDIA#-driver nvidia-glx#LEGACY# #NVIDIA#-kernel-dkms #NVIDIA#-kernel-source nvidia-glx-any libgl1-nvidia-glx-any libgl1-nvidia-glx-ia32-any libgl1-nvidia-glx-ia32 libgl1-nvidia-legacy-173xx-glx-ia32 libgl1-nvidia-legacy-96xx-glx-ia32 libgl1-nvidia-alternatives-ia32 xserver-xorg-video-nvidia-any nvidia-settings nvidia-xconfig nvidia-support nvidia-kernel-common nvidia-modprobe xserver-xorg xserver-xorg-core linux-headers libdrm-nouveau1 libdrm-nouveau1a libdrm-nouveau2 xserver-xorg-video-nouveau ia32-libs make
+package-status: #NVIDIA#-driver nvidia-glx#LEGACY# #NVIDIA#-kernel-dkms #NVIDIA#-kernel-source nvidia-kernel-support-any nvidia-glx-any libgl1-nvidia-glx-any libgl1-nvidia-glx-ia32-any libgl1-nvidia-glx-ia32 libgl1-nvidia-legacy-173xx-glx-ia32 libgl1-nvidia-legacy-96xx-glx-ia32 libgl1-nvidia-alternatives-ia32 xserver-xorg-video-nvidia-any libcuda1 libcuda1-any nvidia-settings nvidia-xconfig nvidia-support nvidia-kernel-common nvidia-modprobe xserver-xorg xserver-xorg-core linux-headers libdrm-nouveau1 libdrm-nouveau1a libdrm-nouveau2 xserver-xorg-video-nouveau ia32-libs make
Index: debian/rules.defs
===

Bug#802900: marked as done (jessie-pu: package gnome-shell-extension-weather/0~20140924.git7e28508-1+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #802900,
regarding jessie-pu: package gnome-shell-extension-weather/0~20140924.git7e28508-1+deb8u1
to be marked as done.


-- 
802900: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802900
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

I'd like to do a stable update for gnome-shell-extension-weather, which is a
GNOME Shell extension which displays weather forecasts (and is pulled by the
gnome metapackage, though not activated by default).

The applet relies on a web service (openweather.org) which recently changed its
policy: users must now generate an API key to fetch forecast data (previously
the API key was optional).

As a consequence, the extension no longer works unless the user has added an
API key in the configuration settings. But nothing is there to inform the user
that he now has to do so. The extension therefore appears to be broken (see bug
#801979).

The attached debdiff implements a warning notification if the API key is
missing, in order to guide the user towards the action to be implemented.

Best,

-- 
 .''`.Sébastien Villemot
: :' :Debian Developer
`. `' http://sebastien.villemot.name
  `-  GPG Key: 4096R/381A7594
diff -Nru gnome-shell-extension-weather-0~20140924.git7e28508/debian/changelog gnome-shell-extension-weather-0~20140924.git7e28508/debian/changelog
--- gnome-shell-extension-weather-0~20140924.git7e28508/debian/changelog	2014-09-24 20:20:37.0 +0200
+++ gnome-shell-extension-weather-0~20140924.git7e28508/debian/changelog	2015-10-24 22:21:39.0 +0200
@@ -1,3 +1,11 @@
+gnome-shell-extension-weather (0~20140924.git7e28508-1+deb8u1) jessie; urgency=medium
+
+  * d/p/missing-api-key.patch: new patch. Displays a warning if API key
+has not been supplied by the user, since querying openweather.org no
+longer works without such a key. (Closes: #801979)
+
+ -- Sébastien Villemot   Fri, 23 Oct 2015 21:26:28 +
+
 gnome-shell-extension-weather (0~20140924.git7e28508-1) unstable; urgency=medium
 
   * New upstream snapshot.
diff -Nru gnome-shell-extension-weather-0~20140924.git7e28508/debian/patches/missing-api-key.patch gnome-shell-extension-weather-0~20140924.git7e28508/debian/patches/missing-api-key.patch
--- gnome-shell-extension-weather-0~20140924.git7e28508/debian/patches/missing-api-key.patch	1970-01-01 01:00:00.0 +0100
+++ gnome-shell-extension-weather-0~20140924.git7e28508/debian/patches/missing-api-key.patch	2015-10-24 22:17:45.0 +0200
@@ -0,0 +1,20 @@
+Description: Add notification if API key is missing
+ The API is now mandatory for using openweather.org.
+Origin: backport, https://github.com/jenslody/gnome-shell-extension-openweather/commit/f9f97dcaaa0b7d51a4b4193ba3802b3d0ba10441
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801979
+Reviewed-by: Sébastien Villemot 
+Last-Update: 2015-10-24
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/extension.js
 b/src/extension.js
+@@ -138,6 +138,9 @@ const OpenweatherMenuButton = new Lang.C
+ // Load settings
+ this.loadConfig();
+ 
++if (this._appid.toString().trim() == '')
++Main.notify("Openweather", _("Openweathermap.org does not work without an api-key.\nPlease register at http://openweathermap.org/appid and paste your personal key into the preferences dialog."));
++
+ // Label
+ this._weatherInfo = new St.Label({
+ y_align: Clutter.ActorAlign.CENTER,
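Review bot: `this._appid.toString().trim() == ''` throws a TypeError if `_appid` is null or undefined after `loadConfig()`, which would abort the button setup instead of showing the warning. Guard it, for example `if (!this._appid || this._appid.toString().trim() === '')`. The check sits in the setup path, so the notification is raised every time the button is created until a key is set; please confirm that is intended. The header says "The API is now mandatory" where "API key" is meant, and it names openweather.org while the notification string points at openweathermap.org.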
diff -Nru gnome-shell-extension-weather-0~20140924.git7e28508/debian/patches/series gnome-shell-extension-weather-0~20140924.git7e28508/debian/patches/series
--- gnome-shell-extension-weather-0~20140924.git7e28508/debian/patches/series	2014-05-09 21:42:23.0 +0200
+++ gnome-shell-extension-weather-0~20140924.git7e28508/debian/patches/series	2015-10-23 23:25:11.0 +0200
@@ -0,0 +1 @@
+missing-api-key.patch


--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#803467: marked as done (jessie-pu: package redis/2:2.8.17-1+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #803467,
regarding jessie-pu: package redis/2:2.8.17-1+deb8u1
to be marked as done.


-- 
803467: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803467
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to update redis in stable to fix an issue when running under
systemd (#803233). Most documentation on the internet assumes that this
should Just Work and it is a little more secure than using /tmp or a TCP
port, etc.

Tested debdiff:

  diff --git a/debian/changelog b/debian/changelog
  index d8fa3ff..f736d1d 100644
  --- a/debian/changelog
  +++ b/debian/changelog
  @@ -1,3 +1,11 @@
  +redis (2:2.8.17-1+deb8u2) stable; urgency=medium
  +
  +  * Backport debian/redis-server.tmpfile from unstable so that a
  valid runtime
  +directory is created when running under systemd. This ensures
  that there is
  +a secure and sensible location for the UNIX socket. (Closes:
  #803233)
  +
  + -- Chris Lamb   Fri, 30 Oct 2015 11:31:58 +
  +
   redis (2:2.8.17-1+deb8u1) jessie-security; urgency=high
   
 * Fix Lua sandbox bypass by disabling Lua bytecode loading
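Review bot: The new entry targets `stable` while the entry below it targets `jessie-security`. Uploads for a point release are normally addressed to the suite codename, so use `jessie` here. The entry is numbered `+deb8u2` although the request subject names `2:2.8.17-1+deb8u1`, which the context lines show is already taken by the security upload, so the subject and the changelog should agree.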
  diff --git a/debian/redis-server.tmpfile b/debian/redis-server.tmpfile
  new file mode 100644
  index 000..740e1ae
  --- /dev/null
  +++ b/debian/redis-server.tmpfile
  @@ -0,0 +1 @@
  +d /run/redis 2775 redis redis -
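Review bot: `d /run/redis 2775 redis redis -` creates the runtime directory setgid and group-writable, and readable and searchable by every local user, while the changelog describes it as a secure location for the UNIX socket. If only the redis user has to create the socket, a mode without group write and without access for others (for example `2750`) matches that description better. If group write or world access is needed for clients, say so in the changelog entry.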


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#802879: marked as done (jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2015g)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #802879,
regarding jessie-pu: package libdatetime-timezone-perl/1:1.75-2+2015g
to be marked as done.


-- 
802879: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802879
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I've prepared an update for libdatetime-timezone-perl in jessie to
include the data from the Olson DB 2015g release.

As usual, the changes are in a quilt patch which only touches the
timezone data.

Manually stripped debdiff attached.

Since one change is already effective (Norfolk) and another happens
this weekend (Turkey) and another one in a week (Fort Nelson), it
would probably be good to have the package in jessie-updates as well.


Cheers,
gregor

diff -Nru libdatetime-timezone-perl-1.75/debian/changelog libdatetime-timezone-perl-1.75/debian/changelog
--- libdatetime-timezone-perl-1.75/debian/changelog	2015-08-11 14:41:23.0 +0200
+++ libdatetime-timezone-perl-1.75/debian/changelog	2015-10-24 15:27:17.0 +0200
@@ -1,3 +1,13 @@
+libdatetime-timezone-perl (1:1.75-2+2015g) UNRELEASED; urgency=medium
+
+  * Update to Olson database version 2015g.
+Add patch debian/patches/olson-2015g, which updates the timezone *.pm
+files, using upstream's tools/parse_olson script.
+This update contains contemporary changes for Turkey, Norfolk, Fiji, and
+Fort Nelson.
+
+ -- gregor herrmann   Sat, 24 Oct 2015 15:26:32 +0200
+
 libdatetime-timezone-perl (1:1.75-2+2015f) jessie; urgency=medium
 
   * Update to Olson database version 2015f.
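Review bot: The new changelog entry still has its distribution set to `UNRELEASED`, while the previous entry shown in the context lines targets `jessie`. Set it to `jessie` and refresh the trailer date before the upload.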
diff -Nru libdatetime-timezone-perl-1.75/debian/patches/olson-2015g libdatetime-timezone-perl-1.75/debian/patches/olson-2015g
--- libdatetime-timezone-perl-1.75/debian/patches/olson-2015g	1970-01-01 01:00:00.0 +0100
+++ libdatetime-timezone-perl-1.75/debian/patches/olson-2015g	2015-10-24 15:27:17.0 +0200
@@ -0,0 +1,11413 @@
+Description: update to olson db 2015g
+Origin: vendor
+Author: gregor herrmann 
+Last-Update: 2015-10-24
+
+--- a/lib/DateTime/TimeZone/Africa/Abidjan.pm
 b/lib/DateTime/TimeZone/Africa/Abidjan.pm
+@@ -3,7 +3,7 @@
+ # DateTime::TimeZone module distribution in the tools/ directory
+ 
+ #
+-# Generated from debian/tzdata/africa.  Olson data version 2015f
++# Generated from debian/tzdata/africa.  Olson data version 2015g
+ #
+ # Do not edit this file directly.
+ #
+@@ -39,7 +39,7 @@
+ ],
+ ];
+ 
+-sub olson_version { '2015f' }
++sub olson_version { '2015g' }
+ 
+ sub has_dst_changes { 0 }
+ 
+--- /dev/null
 b/lib/DateTime/TimeZone/America/Fort_Nelson.pm
+@@ -0,0 +1,1361 @@
++# This file is auto-generated by the Perl DateTime Suite time zone
++# code generator (0.07) This code generator comes with the
++# DateTime::TimeZone module distribution in the tools/ directory
++
++#
++# Generated from debian/tzdata/northamerica.  Olson data version 2015g
++#
++# Do not edit this file directly.
++#
++package DateTime::TimeZone::America::Fort_Nelson;
++$DateTime::TimeZone::America::Fort_Nelson::VERSION = '1.75';
++use strict;
++
++use Class::Singleton 1.03;
++use DateTime::TimeZone;
++use DateTime::TimeZone::OlsonDB;
++
++@DateTime::TimeZone::America::Fort_Nelson::ISA = ( 'Class::Singleton', 'DateTime::TimeZone' );
++
++my $spans =
++[
++[
++DateTime::TimeZone::NEG_INFINITY, #utc_sta

Bug#803569: marked as done (jessie-pu: package exim4/4.84-8+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #803569,
regarding jessie-pu: package exim4/4.84-8+deb8u1
to be marked as done.


-- 
803569: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803569
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I would like to fix 803562 in jessie. Exim's MIME checking ACL
(available in exim4-daemon-heavy) was found to not correctly handle
some broken MIME containers. Jessie contains most of the fixes, but
some additional issues were found later.

Debian's default setup sets neither acl_not_smtp_mime nor
acl_smtp_mime and is therefore not affected.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
File lists identical (after any substitutions)

Control files of package exim4: lines which differ (wdiff format)
-
Depends: debconf (>= 0.5) | debconf-2.0, debconf (>= 1.4.69) | cdebconf (>= 
0.39), exim4-base (>= [-4.84-8),-] {+4.84-8+deb8u1),+} exim4-base (<< 
[-4.84-8.1),-] {+4.84-8+deb8u1.1),+} exim4-daemon-light | exim4-daemon-heavy | 
exim4-daemon-custom
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package exim4-base: lines which differ (wdiff format)
--
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package exim4-config: lines which differ (wdiff format)

Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package exim4-daemon-heavy: lines which differ (wdiff format)
--
Depends: exim4-base (>= 4.84), libc6 (>= 2.15), libdb5.3, libgnutls-deb0-28 (>= 
3.3.0), libldap-2.4-2 (>= 2.4.7), libmysqlclient18 (>= 5.5.24+dfsg-1), libpam0g 
(>= 0.99.7.1), libpcre3 (>= 1:8.35), libperl5.20 (>= [-5.20.1),-] {+5.20.2),+} 
libpq5, libsasl2-2, libsqlite3-0 (>= 3.5.9), debconf (>= 0.5) | debconf-2.0
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package exim4-daemon-heavy-dbg: lines which differ (wdiff 
format)
--
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package exim4-daemon-light: lines which differ (wdiff format)
--
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package exim4-daemon-light-dbg: lines which differ (wdiff 
format)
--
Installed-Size: [-2078-] {+2079+}
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package exim4-dbg: lines which differ (wdiff format)
-
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package exim4-dev: lines which differ (wdiff format)
-
Version: [-4.84-8-] {+4.84-8+deb8u1+}

Control files of package eximon4: lines which differ (wdiff format)
---
Version: [-4.84-8-] {+4.84-8+deb8u1+}
diff -Nru exim4-4.84/debian/changelog exim4-4.84/debian/changelog
--- exim4-4.84/debian/changelog 2015-02-17 18:00:49.0 +0100
+++ exim4-4.84/debian/changelog 2015-10-31 13:55:10.0 +0100
@@ -1,3 +1,12 @@
+exim4 (4.84-8+deb8u1) jessie; urgency=medium
+
+  * Pull 85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch
+and 86_Avoid-crash-with-badly-terminated-non-recognised-mim.patch from
+upstream GIT to fixup more MIME ACL related crashes. (Thanks, Lutz
+Preßler) Closes: #803562
+
+ -- Andreas Metzler   Mon, 26 Oct 2015 17:42:16 +0100
+
 exim4 (4.84-8) unstable; urgency=medium
 
   * Pull 83_Remove-limit-on-remove_headers-item-size.-Bug-1533.patch and
diff -Nru 
exim4-4.84/debian/patches/85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch
 
exim4-4.84/debian/patches/85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch
--- 
exim4-4.84/debian/patches/85_Fix-crash-in-mime-acl-when-a-parameter-is-unterminat.patch
 1970-01-01 01:00:00.0 

Bug#804157: marked as done (jessie-pu: package commons-httpclient/3.1-11)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #804157,
regarding jessie-pu: package commons-httpclient/3.1-11
to be marked as done.


-- 
804157: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804157
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

the Debian Java Team would like to update commons-httpclient in Jessie
to fix CVE-2015-5262. We don't think that this issue warrants a DSA
from the security team but nevertheless it is important enough that it
should be fixed in an upcoming point release.

This is Debian bug:
https://bugs.debian.org/798650

I am attaching the proposed debdiff against the current version in
Jessie. I will also file another bug report for a wheezy-pu soon.

Regards,

Markus
diff -Nru commons-httpclient-3.1/debian/changelog commons-httpclient-3.1/debian/changelog
--- commons-httpclient-3.1/debian/changelog	2015-04-13 18:15:49.0 +0200
+++ commons-httpclient-3.1/debian/changelog	2015-11-05 15:37:42.0 +0100
@@ -1,3 +1,12 @@
+commons-httpclient (3.1-11+deb8u1) jessie; urgency=high
+
+  * Team upload.
+  * Add CVE-2015-5262.patch.
+Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore
+http.socket.timeout during SSL Handshake. (Closes: #798650)
+
+ -- Markus Koschany   Thu, 05 Nov 2015 15:31:50 +0100
+
 commons-httpclient (3.1-11) unstable; urgency=high
 
   * Team upload.
diff -Nru commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch
--- commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch	1970-01-01 01:00:00.0 +0100
+++ commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch	2015-11-05 15:37:42.0 +0100
@@ -0,0 +1,38 @@
+From: Markus Koschany 
+Date: Mon, 2 Nov 2015 15:15:37 +0100
+Subject: CVE-2015-5262
+
+Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore http.socket.timeout during
+SSL Handshake
+See also https://bugzilla.redhat.com/show_bug.cgi?id=1259892
+Thanks to Mikolaj Izdebski for the patch.
+
+Bug: https://bugs.debian.org/798650
+Forwarded: no
+---
+ .../apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index e6ce513..b7550a2 100644
+--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
 b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ }
+ int timeout = params.getConnectionTimeout();
+ if (timeout == 0) {
+-Socket sslSocket =  createSocket(host, port, localAddress, localPort);
++Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
++host, port, localAddress, localPort);
++sslSocket.setSoTimeout(params.getSoTimeout());
+ verifyHostName(host, (SSLSocket) sslSocket);
+ return sslSocket;
+ } else {
+@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ 	sslSocket = ControllerThreadSocketFactory.createSocket(
+ this, host, port, localAddress, localPort, timeout);
+ }
++sslSocket.setSoTimeout(params.getSoTimeout());
+ verifyHostName(host, (SSLSocket) sslSocket);
+ return sslSocket;
+ }
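Review bot: In the `timeout == 0` branch the patch stops calling this class's own `createSocket(host, port, localAddress, localPort)` and goes straight to `SSLSocketFactory.getDefault().createSocket(...)`, so a subclass that overrides that method is silently bypassed on this path. A short comment saying why the call is inlined (presumably so the read timeout is in place before `verifyHostName` runs) would stop someone from folding it back later. Both branches pass `params.getSoTimeout()` through unchanged, and 0 means an infinite read timeout on a Java socket, so callers that never configure http.socket.timeout still get no bound here; the patch description should say that the fix only takes effect when that parameter is set. The header also carries `Forwarded: no` without giving a reason.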
diff -Nru commons-httpclient-3.1/debian/patches/series commons-httpclient-3.1/debian/patches/series
--- commons-httpclient-3.1/debian/patches/series	2015-04-13 18:15:49.0 +0200
+++ commons-httpclient-3.1/debian/patches/series	2015-11-05 15:37:42.0 +0100
@@ -6,3 +6,4 @@
 05_osgi_metadata
 06_fix_CVE-2012-5783.patch
 CVE-2014-3577.patch
+CVE-2015-5262.patch
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#804208: marked as done (jessie-pu: package fuse-exfat/1.1.0-2+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #804208,
regarding jessie-pu: package fuse-exfat/1.1.0-2+deb8u1
to be marked as done.


-- 
804208: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804208
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,
since exfat-utils and fuse-exfat share the same code base, but are released
as separate source packages, I've now prepared updates for fuse-exfat as well
to fix the issues found by The Fuzzing Project.

Changes:
 fuse-exfat (1.1.0-2+deb8u1) jessie; urgency=medium
 .
   * Add the fix for https://github.com/relan/exfat/issues/5 found
 and reported by The Fuzzing Project. Check sector and cluster size.
   * Add the fix for https://github.com/relan/exfat/issues/6 found
 and reported by The Fuzzing Project. Detect infinite loop.


-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -u fuse-exfat-1.1.0/debian/changelog fuse-exfat-1.1.0/debian/changelog
--- fuse-exfat-1.1.0/debian/changelog
+++ fuse-exfat-1.1.0/debian/changelog
@@ -1,3 +1,12 @@
+fuse-exfat (1.1.0-2+deb8u1) jessie; urgency=medium
+
+  * Add the fix for https://github.com/relan/exfat/issues/5 found
+and reported by The Fuzzing Project. Check sector and cluster size.
+  * Add the fix for https://github.com/relan/exfat/issues/6 found
+and reported by The Fuzzing Project. Detect infinite loop. 
+
+ -- Sven Hoexter   Fri, 06 Nov 2015 08:08:13 +0100
+
 fuse-exfat (1.1.0-2) unstable; urgency=low
 
   * Remove debian/watch - recent changes at Google code required
diff -u fuse-exfat-1.1.0/debian/gbp.conf fuse-exfat-1.1.0/debian/gbp.conf
--- fuse-exfat-1.1.0/debian/gbp.conf
+++ fuse-exfat-1.1.0/debian/gbp.conf
@@ -2,0 +3 @@
+debian-branch = jessie-updates
only in patch2:
unchanged:
--- fuse-exfat-1.1.0.orig/libexfat/mount.c
+++ fuse-exfat-1.1.0/libexfat/mount.c
@@ -30,23 +30,32 @@
 
 static uint64_t rootdir_size(const struct exfat* ef)
 {
-	uint64_t clusters = 0;
+	uint32_t clusters = 0;
+	uint32_t clusters_max = le32_to_cpu(ef->sb->cluster_count);
 	cluster_t rootdir_cluster = le32_to_cpu(ef->sb->rootdir_cluster);
 
-	while (!CLUSTER_INVALID(rootdir_cluster))
+	/* Iterate all clusters of the root directory to calculate its size.
+	   It can't be contiguous because there is no flag to indicate this. */
+	do
 	{
-		clusters++;
-		/* root directory cannot be contiguous because there is no flag
-		   to indicate this */
+		if (clusters == clusters_max) /* infinite loop detected */
+		{
+			exfat_error("root directory cannot occupy all %d clusters",
+	clusters);
+			return 0;
+		}
+		if (CLUSTER_INVALID(rootdir_cluster))
+		{
+			exfat_error("bad cluster %#x while reading root directory",
+	rootdir_cluster);
+			return 0;
+		}
 		rootdir_cluster = exfat_next_cluster(ef, ef->root, rootdir_cluster);
+		clusters++;
 	}
-	if (rootdir_cluster != EXFAT_CLUSTER_END)
-	{
-		exfat_error("bad cluster %#x while reading root directory",
-rootdir_cluster);
-		return 0;
-	}
-	return clusters * CLUSTER_SIZE(*ef->sb);
+	while (rootdir_cluster != EXFAT_CLUSTER_END);
+
+	return (uint64_t) clusters * CLUSTER_SIZE(*ef->sb);
 }
 
 static const char* get_option(const char* options, const char* option_name)
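Review bot: The loop bound in `rootdir_size()` is `clusters_max = le32_to_cpu(ef->sb->cluster_count)`, which is read from the same untrusted superblock as the chain being walked, so an image with a cyclic FAT and a very large `cluster_count` still keeps this loop busy for up to that many iterations. The bound is only meaningful if `cluster_count` has been checked against the size of the device before this function is called; if that check does not exist yet, it belongs with the other superblock validation in `exfat_mount()`. Smaller point: `exfat_error("root directory cannot occupy all %d clusters", clusters)` prints a `uint32_t` with `%d`; use `%u` or `PRIu32`.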
@@ -208,6 +217,23 @@
 		exfat_error("exFAT file system is not found");
 		return -EIO;
 	}
+	/* sector cannot be smaller than 512 bytes */
+	if (ef->sb->sector_bits < 9)
+	{
+		exfat_close(ef->dev);
+		exfat_error("too small sector size: 2^%hhd", ef->sb->sector_bits);
+		free(ef->sb);
+		return -EIO;
+	}
+	/* officially exFAT supports cluster size up to 32 MB */
+	if ((int) ef->sb->sector_bits + (int) ef->sb->spc_bits > 25)
+	{
+		exfat_close(ef->dev);
+		exfat_error("too big cluster size: 2^(%hhd+%hhd)",
+ef->sb->sector_bits, ef->sb->spc_bits);
+		free(ef->sb);
+		return -EIO;
+	}
 	ef->zero_cluster = malloc(CLUSTER_SIZE(*ef->sb));
 	if (ef->zero_cluster == NULL)
 	{
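Review bot: The new `sector_bits` test has only a lower bound (`< 9`); the upper end is limited only through the combined `sector_bits + spc_bits > 25` test, so any `sector_bits` from 13 up to 25 is accepted as long as the sum stays within 25, although the exFAT specification caps the sector size at 4096 bytes (2^12). Rejecting `sector_bits > 12` in the same place would be cheap and keeps later shifts by `sector_bits` within the range the rest of the code was written for. The two new error paths repeat the `exfat_close(ef->dev)` / `free(ef->sb)` cleanup of the neighbouring checks; a shared exit label would keep the copies from drifting apart.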
@@ -242,16 +268,6 @@
 		free(ef->sb);
 		return -EIO;
 	}
-	/* officially exFAT supports cluster size up to 32 MB */
-	

Bug#803678: marked as done (jessie-pu: package nvidia-graphics-modules/340.93+3.16.0+1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #803678,
regarding jessie-pu: package nvidia-graphics-modules/340.93+3.16.0+1
to be marked as done.


-- 
803678: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803678
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This is a rebuild of the pre-built kernel modules for the 340.93
driver in jessie-pu.
Nonstandard PU version since we are doing some magic with it ...
(version ordering is correct, sid only had 340.93+4.*+*).

This builds the following binary packages:

nvidia-kernel-3.16.0-4-586_340.93+1+0+deb8u1+3.16.7-ckt17-1_i386.deb
nvidia-kernel-3.16.0-4-686-pae_340.93+1+0+deb8u1+3.16.7-ckt17-1_i386.deb
nvidia-kernel-3.16.0-4-amd64_340.93+1+0+deb8u1+3.16.7-ckt17-1_amd64.deb
nvidia-kernel-3.16.0-4-amd64_340.93+1+0+deb8u1+3.16.7-ckt17-1_i386.deb
nvidia-kernel-486_340.93+3.16.0+1_i386.deb
nvidia-kernel-586_340.93+3.16.0+1_i386.deb
nvidia-kernel-686-pae_340.93+3.16.0+1_i386.deb
nvidia-kernel-amd64_340.93+3.16.0+1_amd64.deb
nvidia-kernel-amd64_340.93+3.16.0+1_i386.deb
nvidia-kernel-dummy_340.93+3.16.0+1_amd64.deb

source debdiff is attached, note that d/control is a generated file.


Andreas
diff -Nru nvidia-graphics-modules-340.65+3.16.0+1/debian/changelog nvidia-graphics-modules-340.93+3.16.0+1/debian/changelog
--- nvidia-graphics-modules-340.65+3.16.0+1/debian/changelog	2014-12-13 17:02:53.0 +0100
+++ nvidia-graphics-modules-340.93+3.16.0+1/debian/changelog	2015-11-01 18:42:19.0 +0100
@@ -1,3 +1,16 @@
+nvidia-graphics-modules (340.93+3.16.0+1) jessie; urgency=medium
+
+  * Use nvidia-kernel-source 340.93.
+  * Rebuild for jessie.
+
+ -- Andreas Beckmann   Sun, 01 Nov 2015 18:39:36 +0100
+
+nvidia-graphics-modules (340.76+3.16.0+1) unstable; urgency=medium
+
+  * Use nvidia-kernel-source 340.76.
+
+ -- Andreas Beckmann   Wed, 01 Apr 2015 09:47:42 +0200
+
 nvidia-graphics-modules (340.65+3.16.0+1) unstable; urgency=medium
 
   * Use nvidia-kernel-source 340.65.
diff -Nru nvidia-graphics-modules-340.65+3.16.0+1/debian/control nvidia-graphics-modules-340.93+3.16.0+1/debian/control
--- nvidia-graphics-modules-340.65+3.16.0+1/debian/control	2014-12-13 17:02:53.0 +0100
+++ nvidia-graphics-modules-340.93+3.16.0+1/debian/control	2015-11-01 18:42:19.0 +0100
@@ -8,18 +8,18 @@
  Vincent Cheng 
 Build-Depends: debhelper (>= 9),
  linux-headers-3.16.0-4-amd64 [i386 amd64], linux-headers-3.16.0-4-586 [i386], linux-headers-3.16.0-4-686-pae [i386],
- nvidia-kernel-source (>= 340.65), nvidia-kernel-source (<< 340.65.~),
+ nvidia-kernel-source (>= 340.93), nvidia-kernel-source (<< 340.93.~),
 Standards-Version: 3.9.6
 Homepage: http://www.nvidia.com/
-Vcs-Git: git://anonscm.debian.org/pkg-nvidia/nvidia-graphics-modules.git
+Vcs-Git: git://anonscm.debian.org/pkg-nvidia/nvidia-graphics-modules.git -b jessie
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-nvidia/nvidia-graphics-modules.git
 XS-Autobuild: yes
 
 Package: nvidia-kernel-dummy
 Architecture: amd64
 Priority: extra
-Depends: nvidia-kernel-source (>= 340.65), ${misc:Depends}
-Description: NVIDIA kernel module for Linux 2.6 (dummy package)
+Depends: nvidia-kernel-source (>= 340.93), ${misc:Depends}
+Description: NVIDIA kernel module for Linux (dummy package)
  This dummy package exists solely to ensure that the prebuilt modules do not
  migrate to testing before the corresponding driver is available. Nothing is
  done to prevent the other way around, i.e. an updated driver without prebuilt
@@ -39,7 +39,7 @@
 
 Package: nvidia-kernel-amd64
 Architecture: i386 amd64
-Depends: ${misc:Depends}, nvidia-kernel-3.16.0-4-amd64 (>= 340.65)
+Depends: ${misc:Depends}, nvidia-kernel-3.16.0-4-amd64 (>= 340.93)
 Conflicts: nvidia-kernel-2.6-amd64
 Replaces: nvidia-kernel-2.6-amd64
 Description: NVIDIA kernel module for Linux (amd64 flavor)
@@ -57,7 +57,7 @@
 
 Package: nvidia-kernel-586
 Architecture: i386
-Depends: ${misc:Depends}, nvidia-kernel-3.16.0-4-586 (>= 340.65)
+Depends: ${misc:Depends}, nvidia-kernel-3.16.0-4-586 (>= 340.93)
 Conflicts: nvidia-kernel-2.6-586
 Replaces: nvidia-kernel-2.6-586
 Description: NVIDIA kernel module for Linux (586 flavor)
@@ -75,7 +75,7 @@
 
 Package: nvidia-kernel-686-pae
 Architecture: i386
-Depends: ${misc:Depends}, nvidia-kernel-3.16.0-4-686-pae (>= 340.65)
+Depends

Bug#802942: marked as done (jessie-pu: package lldpd/0.7.11-2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #802942,
regarding jessie-pu: package lldpd/0.7.11-2
to be marked as done.


-- 
802942: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802942
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi!

I would like to push the attached patch to jessie-pu to fix some
security problems present in lldpd: lldpd can crash when receiving
malformed LLDP management addresses. I have been in contact with
security team and they think a stable update is good enough. Patches
come from upstream.

I will also have to upload an update for wheezy which is affected as
well. Should I use this same bug number or open a new one?

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-rc5-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog
index f3e44f04b0e6..f9097375eee4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+lldpd (0.7.11-2+deb8u1) jessie; urgency=medium
+
+  * Fix a segfault when receiving incorrectly formed LLDP management
+addresses:
+ - 0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
+  * Fix an assert error when receiving incorrectly formed LLDP management
+addresses:
+ - 0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch
+
+ -- Vincent Bernat   Sun, 25 Oct 2015 13:20:22 +0100
+
 lldpd (0.7.11-2) unstable; urgency=medium
 
   * Cherry-pick 0001-lib-fix-pkgconfig-file-substitutions.patch to fix
diff --git a/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch b/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
new file mode 100644
index ..ee73682ad2a2
--- /dev/null
+++ b/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
@@ -0,0 +1,36 @@
+From 805fbe5f18ef170c63aa2e529acf92c95d3b83b1 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat 
+Date: Sun, 4 Oct 2015 01:50:38 +0200
+Subject: [PATCH 1/2] lldp: fix a buffer overflow when handling management
+ address TLV
+
+When a remote device was advertising a too large management address
+while still respecting TLV boundaries, lldpd would crash due to a buffer
+overflow. However, the buffer being a static one, this buffer overflow
+is not exploitable if hardening was not disabled. This bug exists since
+version 0.5.6.
+---
+ src/daemon/lldp.c | 7 ++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/daemon/lldp.c b/src/daemon/lldp.c
+index ae01ccc5078a..cc3585623476 100644
+--- a/src/daemon/lldp.c
 b/src/daemon/lldp.c
+@@ -625,7 +625,12 @@ lldp_decode(struct lldpd *cfg, char *frame, int s,
+ 		case LLDP_TLV_MGMT_ADDR:
+ 			CHECK_TLV_SIZE(1, "Management address");
+ 			addr_str_length = PEEK_UINT8;
+-			CHECK_TLV_SIZE(addr_str_length, "Management address");
++			if (addr_str_length > sizeof(addr_str_buffer)) {
++log_warnx("lldp", "too large management address on %s",
++hardware->h_ifname);
++goto malformed;
++			}
++			CHECK_TLV_SIZE(1 + addr_str_length, "Management address");
+ 			PEEK_BYTES(addr_str_buffer, addr_str_length);
+ 			addr_length = addr_str_length - 1;
+ 			addr_f
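Review bot: The new test in the `LLDP_TLV_MGMT_ADDR` case rejects only an `addr_str_length` that is larger than `addr_str_buffer`; a length of 0 still passes, and two lines later `addr_length = addr_str_length - 1;` then goes negative. Unless a check that is cut off below this point catches that, reject the short case in the same `if` (the field has to hold the subtype byte plus at least one address byte, so anything below 2 is malformed). The commit message's "not exploitable if hardening was not disabled" is also worth rewording before it is copied into release notes, since the double negative is easy to misread.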

Bug#803362: marked as done (jessie-pu: package exfat-utils/1.1.0-2+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #803362,
regarding jessie-pu: package exfat-utils/1.1.0-2+deb8u1
to be marked as done.


-- 
803362: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803362
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,
The Fuzzing Project found two issues in the exfat-utils package and the security
team asked me to fix them via a stable update.

Changelog:
exfat-utils (1.1.0-2+deb8u1) jessie; urgency=medium

  * Add quilt to build-deps.
  * Add --with quilt to dh invocation in d/rules.
  * Add d/patches/check-sector-and-cluster-size. Fix for
https://github.com/relan/exfat/issues/5 found and reported by
The Fuzzing Project.
  * Add d/patches/detect-infinite-loop. Fix for
https://github.com/relan/exfat/issues/6 found and reported by
The Fuzzing Project.

 -- Sven Hoexter   Thu, 29 Oct 2015 09:40:20 +0100

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -u exfat-utils-1.1.0/debian/changelog exfat-utils-1.1.0/debian/changelog
--- exfat-utils-1.1.0/debian/changelog
+++ exfat-utils-1.1.0/debian/changelog
@@ -1,3 +1,16 @@
+exfat-utils (1.1.0-2+deb8u1) jessie; urgency=medium
+
+  * Add quilt to build-deps.
+  * Add --with quilt to dh invocation in d/rules.
+  * Add d/patches/check-sector-and-cluster-size. Fix for
+https://github.com/relan/exfat/issues/5 found and reported by
+The Fuzzing Project.
+  * Add d/patches/detect-infinite-loop. Fix for
+https://github.com/relan/exfat/issues/6 found and reported by
+The Fuzzing Project.
+
+ -- Sven Hoexter   Thu, 29 Oct 2015 09:40:20 +0100
+
 exfat-utils (1.1.0-2) unstable; urgency=low
 
   * Remove debian/watch - recent changes at Google code required
diff -u exfat-utils-1.1.0/debian/control exfat-utils-1.1.0/debian/control
--- exfat-utils-1.1.0/debian/control
+++ exfat-utils-1.1.0/debian/control
@@ -2,7 +2,7 @@
 Section: otherosfs
 Priority: optional
 Maintainer: Sven Hoexter 
-Build-Depends: debhelper (>= 9), scons
+Build-Depends: debhelper (>= 9), scons, quilt
 Standards-Version: 3.9.5
 Homepage: http://code.google.com/p/exfat/
 Vcs-Git: git://git.sven.stormbind.net/git/sven/exfat-utils.git
diff -u exfat-utils-1.1.0/debian/gbp.conf exfat-utils-1.1.0/debian/gbp.conf
--- exfat-utils-1.1.0/debian/gbp.conf
+++ exfat-utils-1.1.0/debian/gbp.conf
@@ -2,0 +3 @@
+debian-branch = jessie-updates
diff -u exfat-utils-1.1.0/debian/rules exfat-utils-1.1.0/debian/rules
--- exfat-utils-1.1.0/debian/rules
+++ exfat-utils-1.1.0/debian/rules
@@ -6,7 +6,7 @@
 export CCFLAGS = $(CFLAGS) -Wall -std=c99 -D_GNU_SOURCE
 
 %:
-	dh $@
+	dh $@ --with quilt
 
 override_dh_auto_build:
 	scons
only in patch2:
unchanged:
--- exfat-utils-1.1.0.orig/debian/README.source
+++ exfat-utils-1.1.0/debian/README.source
@@ -0,0 +1,5 @@
+This package uses quilt to manage the patches in debian/patches.
+For further information please install the quilt package and read
+/usr/share/doc/quilt/README.source.
+
+ -- sven , Thu, 29 Oct 2015 09:05:34 +0100
only in patch2:
unchanged:
--- exfat-utils-1.1.0.orig/debian/patches/check-sector-and-cluster-size
+++ exfat-utils-1.1.0/debian/patches/check-sector-and-cluster-size
@@ -0,0 +1,48 @@
+Patch for https://github.com/relan/exfat/issues/5
+See also:
+https://blog.fuzzing-project.org/25-Heap-overflow-and-endless-loop-in-exfatfsck-exfat-utils.html
+Index: exfat-utils/libexfat/mount.c
+===
+--- exfat-utils.orig/libexfat/mount.c
 exfat-utils/libexfat/mount.c
+@@ -208,6 +208,23 @@ int exfat_mount(struct exfat* ef, const
+ 		exfat_error("exFAT file system is not found");
+ 		return -EIO;
+ 	}
++	/* sector cannot be smaller than 512 bytes */
++	if (ef->sb->sector_bits < 9)
++	{
++		exfat_close(ef->dev);
++		exfat_error("too small sector size: 2^%hhd", ef->sb->sector_bits);
++		free(ef->sb);
++		return -EIO;
++	}
++	/* officially exFAT supports cluster size up to 32 MB */
++	if ((int) ef->sb->sector_bits + (int) ef->sb->spc_bits

Bug#804381: marked as done (jessie-pu: package s390-dasd/0.0.32~deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #804381,
regarding jessie-pu: package s390-dasd/0.0.32~deb8u1
to be marked as done.


-- 
804381: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804381
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I'd like to update s390-dasd 0.0.32 from stretch to sid, as
0.0.32~deb8u1. The debdiff is attached. It fixes installation of Debian
within KVM on System z and within full-system emulation using qemu.

The critical hunk is this:

@@ -233,7 +235,8 @@
return get_channel_input ();
else if (di_tree_size (channels) > 0)
return get_channel_select ();
-   return WANT_ERROR;
+   di_info("s390-dasd: no channel found");
+   return WANT_FINISH;
 }

This lets s390-dasd exit cleanly if no DASD disks are found. Within qemu
virtio is used to provide disks, which is totally different from what
traditionally used to happen on the mainframe.

The remaining changes are .po updates, mainly in the comments, and
the logging of the various error conditions s390-dasd emits. Without
the logging you cannot deduce why it exited with a failure.

I'm also happy to skip the .po changes if needed, but it seemed cleaner
to just backport stretch's current version.

Kind regards and thanks
Philipp Kern
diff -Nru s390-dasd-0.0.30/dasd-config.c s390-dasd-0.0.32/dasd-config.c
--- s390-dasd-0.0.30/dasd-config.c	2013-12-04 00:53:16.0 +0100
+++ s390-dasd-0.0.32/dasd-config.c	2015-11-01 22:37:03.0 +0100
@@ -1,4 +1,5 @@
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -224,6 +225,7 @@
 	channel_current = di_tree_lookup (channels, &dev);
 	if (channel_current)
 		return WANT_NEXT;
+	di_error("s390-dasd: could not get selected channel device %d", dev);
 	return WANT_ERROR;
 }
 
@@ -233,7 +235,8 @@
 		return get_channel_input ();
 	else if (di_tree_size (channels) > 0)
 		return get_channel_select ();
-	return WANT_ERROR;
+	di_info("s390-dasd: no channel found");
+	return WANT_FINISH;
 }
 
 static enum state_wanted enable (void)
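Review bot: Returning `WANT_FINISH` when the channel tree is empty makes "no DASD present" indistinguishable from "DASD enumeration failed" for whatever drives this state machine, and the only trace left is a `di_info` line. On a real mainframe where detection broke for another reason, the installer would now move on without disks instead of stopping at this step. If the enumeration code can tell the two cases apart, keep `WANT_ERROR` for the failure case; otherwise log this at a higher level than info so the skipped step stands out in the installer log.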
@@ -242,14 +245,23 @@
 	struct sysfs_attribute *attr;
 
 	device = sysfs_open_device ("ccw", channel_current->name);
-	if (!device)
+	if (!device) {
+		di_error("s390-dasd: could not open device %s",
+			channel_current->name);
 		return WANT_ERROR;
+	}
 
 	attr = sysfs_get_device_attr (device, "online");
-	if (!attr)
+	if (!attr) {
+		di_error("s390-dasd: could not read online attribute for %s",
+			channel_current->name);
 		return WANT_ERROR;
-	if (sysfs_write_attribute (attr, "1", 1) < 0)
+	}
+	if (sysfs_write_attribute (attr, "1", 1) < 0) {
+		di_error("s390-dasd: could not set %s online: %s",
+			channel_current->name, strerror(errno));
 		return WANT_ERROR;
+	}
 
 	sysfs_close_device (device);
 
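Review bot: In `enable()`, the two later error returns (`!attr` and the failed `sysfs_write_attribute`) leave the function without calling `sysfs_close_device (device)`, which only runs on the success path. The leak predates this patch, but since these branches are being given braces and log calls anyway, add the close call before each `return WANT_ERROR;` so the device handle is released on every exit.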
diff -Nru s390-dasd-0.0.30/debian/changelog s390-dasd-0.0.32/debian/changelog
--- s390-dasd-0.0.30/debian/changelog	2014-03-14 22:59:51.0 +0100
+++ s390-dasd-0.0.32/debian/changelog	2015-11-01 22:59:19.0 +0100
@@ -1,3 +1,18 @@
+s390-dasd (0.0.32) unstable; urgency=medium
+
+  * If no channel is found, exit cleanly. This allows s390-dasd to step
+out of the way on VMs with virtio disks.
+  * Log error conditions.
+
+ -- Philipp Kern   Sun, 01 Nov 2015 22:59:11 +0100
+
+s390-dasd (0.0.31) unstable; urgency=medium
+
+  [ Updated translations ]
+  * Turkish (tr.po) by Mert Dirik
+
+ -- Christian Perrier   Sun, 26 Jul 2015 09:15:33 +0200
+
 s390-dasd (0.0.30) unstable; urgency=low
 
   [ Dmitrijs Ledkovs ]
diff -Nru s390-dasd-0.0.30/debian/po/be.po s390-dasd-0.0.32/debian/po/be.po
--- s390-dasd-0.0.30/debian/po/be.po	2013-12-04 00:53:16.0 +0100
+++ s390-dasd-0.0.32/debian/po/be.po	2015-05-23 19:12:43.0 +0200
@@ -11,11 +11,13 @@
 # Nasciona Piatrouskaja , 2006.
 # Paul Petruk , 2007.
 # Pavel Piatruk , 2008, 2009, 2011.
-# Viktar Siarheichyk , 2010, 2011, 2012.
+# Viktar Siarheichyk , 2010, 2011, 2012, 2015.
 # Translations from iso-codes:
 # Alastair McKinstry , 2004.
 # Alexander Nyakhaychyk , 2009.
 # Ihar Hrachyshka , 2007, 2010.
+# Viktar Siarheichyk , 2014.
+# Viktar Siarheichyk , 2014, 2015.
 msgid ""
 msgstr ""
 "Project-Id-Version: be\n"
@@ -23,8 +25,7 @@
 "POT-Creation-Date: 2010-03-30 23:19+\n"
 "PO-Revision-Date: 2010-07-06 01:58+0300\n"
 "Last-Translator: Viktar Siarh

Bug#803490: marked as done (jessie-pu: package pdns/3.4.1-4+deb8u4)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #803490,
regarding jessie-pu: package pdns/3.4.1-4+deb8u4
to be marked as done.


-- 
803490: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803490
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Dear Release Team,

there's a bug affecting pdns in stable (jessie): #798773

Upgrading -to- the jessie version from wheezy works fine, but
subsequent upgrades in jessie fail if users don't strip the config
file of comments.

This is quite bad for security updates, so please consider the
attached debdiff.

(Fixed in sid.)

Many thanks,
-- 
 ,''`.  Christian Hofstaedtler 
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-
diff -Nru pdns-3.4.1/debian/changelog pdns-3.4.1/debian/changelog
--- pdns-3.4.1/debian/changelog 2015-08-26 11:02:28.0 +
+++ pdns-3.4.1/debian/changelog 2015-10-30 14:35:13.0 +
@@ -1,3 +1,14 @@
+pdns (3.4.1-4+deb8u4) jessie; urgency=medium
+
+  * Fix upgrades with default configuration.
+The postinst script used to do a "grep include" on pdns.conf, which
+in older versions would work (mostly), because the default config
+only had a single "include=" entry. Now this is no longer true,
+so remove that. Also, changing the include directory would have
+never worked. (Closes: #798773)
+
+ -- Christian Hofstaedtler   Fri, 30 Oct 2015 14:34:36 +
+
 pdns (3.4.1-4+deb8u3) jessie-security; urgency=high
 
   * Security update: apply patches for CVE-2015-5230
diff -Nru pdns-3.4.1/debian/pdns-server.postinst 
pdns-3.4.1/debian/pdns-server.postinst
--- pdns-3.4.1/debian/pdns-server.postinst  2015-07-08 09:30:11.0 
+
+++ pdns-3.4.1/debian/pdns-server.postinst  2015-10-30 14:35:13.0 
+
@@ -16,12 +16,7 @@
 
 PDNSCONF=/etc/powerdns/pdns.conf
 PDNSDEFAULT=/etc/default/pdns
-if [ -e $PDNSCONF ]; then
-  PDNSDIR=`cat $PDNSCONF | grep include | awk -F '=' '{print $2}'`
-fi
-if [ -z "$PDNSDIR" ]; then
-  PDNSDIR=/etc/powerdns/pdns.d
-fi
+PDNSDIR=/etc/powerdns/pdns.d
 PDNSLOCAL=$PDNSDIR/pdns.local.conf
 
 # Temporary files
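
Review bot: with PDNSDIR now fixed to /etc/powerdns/pdns.d, PDNSLOCAL is always placed under that path whatever include setting the administrator has in pdns.conf, and nothing next to the assignment says this is deliberate. Add a comment there stating that the directory is intentionally no longer read from pdns.conf (#798773), so the grep is not reintroduced later.
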
@@ -121,7 +116,7 @@
   [ -d $PDNSDIR ] && chmod 0755 $PDNSDIR
   [ -e $PDNSDEFAULT ] && chmod 0644 $PDNSDEFAULT
 fi
-
+
 # If we still have the default config, make sure bindbackend.conf exists
 PDNSBIND="/etc/powerdns/pdns.d/pdns.simplebind.conf"
 PDNSBINDBACKENDCONF="/etc/powerdns/bindbackend.conf"
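
Review bot: the only change in this hunk swaps one blank line for another, which is whitespace noise in a stable update and makes the debdiff harder to audit; drop it. In the context lines, PDNSBIND spells out /etc/powerdns/pdns.d again instead of using $PDNSDIR, so the directory is now hard-coded in two places.
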
--- End Message ---
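
The parsing problem behind this request, as an added example that is not part of the original message or of the pdns packaging: it runs the removed `grep include | awk` pipeline over a constructed pdns.conf that still has its comments, next to a stricter parse. The sample file contents and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: a pdns.conf that keeps its comment lines.
# The commented-out alternative path is invented for this example.
sample_conf() {
    cat <<'EOF'
# include-dir  Include *.conf files from this directory
# include-dir=/etc/powerdns/old.d
include-dir=/etc/powerdns/pdns.d
# include-file  File to include
# include-file=
EOF
}

# Same pipeline as the removed postinst lines: every line containing
# "include" matches, comments and other keys included, and awk prints
# whatever follows the first "=" on each of them (possibly nothing).
old_pdnsdir() {
    sample_conf | grep include | awk -F '=' '{print $2}'
}

# Illustrative stricter parse (hypothetical, not what the package does):
# accept only an uncommented "include-dir=" line and keep the last one.
strict_pdnsdir() {
    sample_conf \
        | sed -n 's/^[[:space:]]*include-dir[[:space:]]*=[[:space:]]*//p' \
        | tail -n 1
}

# Show both results; brackets make the empty lines visible.
printf 'old logic returns %s line(s):\n' "$(old_pdnsdir | wc -l | tr -d ' ')"
old_pdnsdir | sed 's/^/  [/; s/$/]/'
printf 'strict parse returns: [%s]\n' "$(strict_pdnsdir)"
```

The old pipeline returns five lines, two of them directory names, so the value assigned to PDNSDIR is not a single path; the fix on this page avoids parsing altogether by fixing the directory.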
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#804734: marked as done (jessie-pu: package gnome-orca/3.14.0-4)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #804734,
regarding jessie-pu: package gnome-orca/3.14.0-4
to be marked as done.


-- 
804734: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804734
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello,

In Bug#800602, a blind user reported that when using the
greeter-hide-users=false option of lightdm, on reboot the focus is as
expected initially on the password field, so the user can directly type
it. The Orca screen reader however happens to speak the password letters
out loud instead of just "star"!

This is due to the way Orca discovers widgets, it does not notice that
this is a password field, and thus continues to speak typed letters out.
Upstream fixed this by checking hard, before speaking typed letters
out, whether the current widget is a password widget, and we have been
testing this fix in unstable & testing since 20th October now.

Since speaking passwords out loud is a security issue, I'd like to
upload the attached change which backports the fix.

Samuel

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'oldoldstable'), (500, 
'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 
'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.4 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Samuel
Actually, typing random strings in the Finder does the equivalent of
filename completion.
(Discussion in comp.os.linux.misc on the intuitiveness of commands: file
completion vs. the Mac Finder.)
diff -Nru gnome-orca-3.14.0/debian/changelog gnome-orca-3.14.0/debian/changelog
--- gnome-orca-3.14.0/debian/changelog  2015-02-15 23:51:26.0 +0100
+++ gnome-orca-3.14.0/debian/changelog  2015-11-11 01:20:47.0 +0100
@@ -1,3 +1,10 @@
+gnome-orca (3.14.0-4+deb8u1) jessie; urgency=medium
+
+  * patches/password-not-spoken.diff: Make sure to bring focus on password
+entry when typing a key, so we don't echo it. (Closes: #800602).
+
+ -- Samuel Thibault   Wed, 11 Nov 2015 01:19:34 +0100
+
 gnome-orca (3.14.0-4) unstable; urgency=medium
 
   * Team upload.
diff -Nru gnome-orca-3.14.0/debian/patches/password-not-spoken.diff 
gnome-orca-3.14.0/debian/patches/password-not-spoken.diff
--- gnome-orca-3.14.0/debian/patches/password-not-spoken.diff   1970-01-01 
01:00:00.0 +0100
+++ gnome-orca-3.14.0/debian/patches/password-not-spoken.diff   2015-11-11 
01:17:29.0 +0100
@@ -0,0 +1,89 @@
+commit 4d23f948e15dcdc741ee8b8c45b5aca2a4ee7fc3
+Author: Joanmarie Diggs 
+Date:   Tue Oct 20 16:33:03 2015 -0400
+
+Be sure we have an active window and focused object when a key is pressed
+
+--- a/src/orca/orca.py
 b/src/orca/orca.py
+@@ -250,6 +250,8 @@ def _processKeyboardEvent(event):
+ return False
+ 
+ if isPressedEvent:
++if not orca_state.activeWindow:
++orca_state.activeWindow = script.utilities.activeWindow()
+ script.presentationInterrupt()
+ script.presentKeyboardEvent(keyboardEvent)
+ if keyboardEvent.isModifierKey() and not isOrcaModifier:
+--- a/src/orca/script_utilities.py
 b/src/orca/script_utilities.py
+@@ -661,6 +661,9 @@ class Utilities:
+ the FOCUSED state can be found.
+ """
+ 
++if not root:
++return None
++
+ if root.getState().contains(pyatspi.STATE_FOCUSED):
+ return root
+ 
+--- a/src/orca/scripts/default.py
 b/src/orca/scripts/default.py
+@@ -2527,6 +2527,11 @@ class Script(script.Script):
+ - event: the Event
+ """
+ 
++role = event.source.getRole()
++state = event.source.getState()
++if role == pyatspi.ROLE_PASSWORD_TEXT and 
state.contains(pyatspi.STATE_FOCUSED):
++orca.setLocusOfFocus(event, event.source, False)
++
+ # Ignore text deletions from non-focused objects, unless the
+ # currently focused object is the parent of the object from which
+ # text was deleted
+@@ -2538,7 +2543,7 @@ class Script(script.Script):
+ # We'll also ignore sliders because we get their out
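
Review bot: in the scripts/default.py part, the added event.source.getRole() and getState() lookups sit at the top of the handler, ahead of the existing logic that ignores events from non-focused objects, and carry no comment saying that this is what keeps typed password characters from being echoed. Put a short comment above the ROLE_PASSWORD_TEXT test naming the purpose (#800602), so the check is not reordered or dropped as ordinary focus bookkeeping.
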

Bug#803730: marked as done (jessie-pu: package fglrx-driver/1:15.9-3~deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #803730,
regarding jessie-pu: package fglrx-driver/1:15.9-3~deb8u1
to be marked as done.


-- 
803730: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803730
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

The only option to fix CVE-2015-7723, CVE-2015-7724 (#803517) in
fglrx-driver is to update to a new upstream release of the blob.

I have prepared a backport of the current sid version to jessie and only
reverted the changes that are problematic for jessie (removal of the
libxvbaw-dev package and related changes).
I've currently included a commit "undo patch renaming" to reduce the
size of the diff to something better readable, that won't be included in
the final upload (because now the patch naming is really confusing).
Also there are some fixes pending an upload of 1:15.9-3 to sid first.

There are a few packaging features being added (similarly to what we
did in nvidia-driver)
* reproducibility fixes
* support for kernels up to 4.2
* reporting supported kernel versions in the description
* new translation
* some fixes (typos...) and description updates
Since AMD does not provide long term supported branches this is the
latest upstream release and brings a few features, too
* newer xorg supported
* libfglrx-amdxvba1 can be used as a va-driver backend directly (without
  the xvba-va-driver wrapper)
* opencl support needs another shared library (in existing package)

Attached are a diff of the debian/ directories generated from svn
(excluding the blob changes) and a debdiff from amd64 since file lists
and package relationships change with the new upstream version.

diffstat for the attached patch:

 amd-clinfo.lintian-overrides  |1 
 amd-opencl-icd.install.amd64.in   |1 
 amd-opencl-icd.install.i386.in|1 
 amd-opencl-icd.lintian-overrides  |5 
 changelog |  135 ++
 control   |   26 ++--
 control.models|8 -
 fglrx-atieventsd.fglrx-atieventsd.init|   11 -
 fglrx-driver.lintian-overrides|1 
 import/signature  |2 
 libfglrx-amdxvba1.links.in|2 
 libfglrx-amdxvba1.lintian-overrides   |1 
 libfglrx.preinst  |2 
 libgl1-fglrx-glx.lintian-overrides|1 
 patches/05-4.0.0-build.patch  |   33 +
 patches/07-4.1.0-build.patch  |   25 
 patches/08-4.2.0-build.patch  |  110 +
 patches/09-4.2.0-build.fpregs_active.patch|   17 ++
 patches/10-4.2.0-build.copy_xregs_to_kernel.patch |   63 ++
 patches/11-4.1.0-gpl-only.patch   |   19 +++
 patches/fglrx_3.17rc6-no_hotplug.patch|   31 +
 patches/series|7 +
 po/nl.po  |  113 ++
 rules |   16 ++
 rules.defs|   10 -
 watch |5 
 26 files changed, 608 insertions(+), 38 deletions(-)

diffstat for renaming the patches:

 changelog|1 
 patches/01-dkms-arch_compat.patch|   14 ++
 patches/02-authatieventsd.sh.patch   |   68 +++
 patches/02-dkms-arch_compat.patch|   14 --
 patches/03-authatieventsd.sh.patch   |   68 ---
 patches/03-stub-for-agpless-kernel.patch |   20 +
 patches/04-3.17rc6-no_hotplug.patch  |   31 ++
 patches/06-stub-for-agpless-kernel.patch |   20 -
 patches/fglrx_3.17rc6-no_hotplug.patch   |   31 --
 patches/series   |8 +--
 10 files changed, 137 insertions(+), 138 deletions(-)


Andreas
Index: debian/libfglrx-amdxvba1.lintian-overrides
===
--- debian/libfglrx-amdxvba1.lintian-overrides	(.../tags/1:14.9+ga14.201-2)	(revision 

Bug#804172: marked as done (jessie-pu: package spip/3.0.17-2+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #804172,
regarding jessie-pu: package spip/3.0.17-2+deb8u1
to be marked as done.


-- 
804172: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804172
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

As agreed with the security team, the two XSS fixes from the latest
upstream version do not deserve a DSA, yet I’d like to fix them via pu
if you agree, debdiff attached. There is no upstream fix available (yet)
for the 2.1 branch (that is still supported), so I won’t follow up with
a pu request for Wheezy for the moment.

Regards

David
diff -Nru spip-3.0.17/debian/changelog spip-3.0.17/debian/changelog
--- spip-3.0.17/debian/changelog	2014-10-25 20:52:48.0 -0400
+++ spip-3.0.17/debian/changelog	2015-11-01 15:34:31.0 -0400
@@ -1,3 +1,10 @@
+spip (3.0.17-2+deb8u1) jessie; urgency=medium
+
+  * Track Jessie
+  * Backport XSS fixes in private content from 3.0.21
+
+ -- David Prévot   Sun, 01 Nov 2015 15:34:00 -0400
+
 spip (3.0.17-2) unstable; urgency=medium
 
   [ Frans Spiesschaert ]
diff -Nru spip-3.0.17/debian/gbp.conf spip-3.0.17/debian/gbp.conf
--- spip-3.0.17/debian/gbp.conf	2014-10-25 20:50:16.0 -0400
+++ spip-3.0.17/debian/gbp.conf	2015-11-01 15:11:01.0 -0400
@@ -1,3 +1,3 @@
 [DEFAULT]
-debian-branch = 3.0
+debian-branch = jessie
 upstream-branch = upstream-3.0
diff -Nru spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch
--- spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch	1969-12-31 20:00:00.0 -0400
+++ spip-3.0.17/debian/patches/0005-Fix-XSS-in-private-content.patch	2015-11-01 15:31:01.0 -0400
@@ -0,0 +1,173 @@
+From: =?utf-8?q?C=C3=A9dric_Morin?= 
+Date: Sat, 10 Oct 2015 10:44:19 +
+Subject: Fix XSS in private content
+
+Bug: https://core.spip.net/issues/3371
+Origin: Upstream, http://zone.spip.org/trac/spip-zone/changeset/92236,
+ https://core.spip.net/projects/spip/repository/revisions/22427,
+ https://core.spip.net/projects/spip/repository/revisions/22450,
+ https://core.spip.net/projects/spip/repository/revisions/22429
+---
+ ecrire/inc/texte.php   |  7 
+ ecrire/inc/texte_mini.php  | 43 --
+ plugins-dist/revisions/inc/revisions.php   |  3 ++
+ .../prive/squelettes/contenu/revision.html |  6 +--
+ prive/squelettes/ajax.html |  2 +-
+ prive/squelettes/head/dist.html|  2 +-
+ prive/squelettes/structure.html|  4 +-
+ 7 files changed, 57 insertions(+), 10 deletions(-)
+
+diff --git a/ecrire/inc/texte.php b/ecrire/inc/texte.php
+index af706b3..c0cec0b 100644
+--- a/ecrire/inc/texte.php
 b/ecrire/inc/texte.php
+@@ -156,6 +156,7 @@ function typo($letexte, $echapper=true, $connect=null, $env=array()) {
+ 	if (is_null($connect)){
+ 		$connect = '';
+ 		$interdire_script = true;
++		$env['espace_prive'] = 1;
+ 	}
+ 
+ 	// Echapper les codes  etc
+@@ -183,6 +184,12 @@ function typo($letexte, $echapper=true, $connect=null, $env=array()) {
+ 	if ($interdire_script)
+ 		$letexte = interdire_scripts($letexte);
+ 
++	// Dans l'espace prive on se mefie de tout contenu dangereux
++	// https://core.spip.net/issues/3371
++	if (isset($env['espace_prive']) AND $env['espace_prive']){
++		$letexte = echapper_html_suspect($letexte);
++	}
++
+ 	return $letexte;
+ }
+ 
+diff --git a/ecrire/inc/texte_mini.php b/ecrire/inc/texte_mini.php
+index f3c2429..901d903 100644
+--- a/ecrire/inc/texte_mini.php
 b/ecrire/inc/texte_mini.php
+@@ -385,15 +385,52 @@ function echapper_faux_tags($letexte){
+   $letexte = "";
+   while (count($textMatches)) {
+   	// un texte a echapper
+-  	$letexte .= str_replace(array("<"),array('<'),array_shift($textMatches));
++  	$letexte .= str_replace("<",'<',array_shift($textMatches));
+   	// un tag html qui a servit a faite le split
+  		$letexte .= array_shift($textMatches);
+   }
+   return $letexte;
+ }
+ 
+-// Securite : utiliser SafeHTML s'il est present dans ecrire/safehtml/
+-// http://doc.spip.org/@safehtml
++/**
++ * Si le html contenu dans un texte ne passe pas sans transformation a travers safehtml
++ * on l'echappe
++ * si safehtml ne r
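
Review bot: in typo(), $env['espace_prive'] is set only inside the is_null($connect) branch, so the new echapper_html_suspect() call is reached only when the caller leaves $connect at its default or passes espace_prive in $env itself; a private-area caller that supplies an explicit $connect skips the escape. Confirm that this is intended and state the condition in the comment above the check.
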

Bug#804885: marked as done (jessie-pu: package openvpn/2.3.4-5)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #804885,
regarding jessie-pu: package openvpn/2.3.4-5
to be marked as done.


-- 
804885: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804885
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hiya Release Team,

I'd like to upload openvpn for the next point release. The reason is a
serious bug (#785200 and #787090) hitting multiple users. Diff is pretty
small:

diff -Nru openvpn-2.3.4/debian/changelog openvpn-2.3.4/debian/changelog
--- openvpn-2.3.4/debian/changelog  2014-12-01 18:11:08.0 +0100
+++ openvpn-2.3.4/debian/changelog  2015-11-12 17:19:14.0 +0100
@@ -1,3 +1,10 @@
+openvpn (2.3.4-5+deb8u1) stable; urgency=medium
+
+  * Add --no-block to if-up.d script to avoid hanging boot on
+interfaces with openvpn instances. (Closes: #787090, #785200)
+
+ -- Alberto Gonzalez Iniesta   Thu, 12 Nov 2015 17:16:28 
+0100
+
 openvpn (2.3.4-5) unstable; urgency=high

   * Apply upstream patch that fixes possible DoS by authenticated
diff -Nru openvpn-2.3.4/debian/openvpn.if-up.d 
openvpn-2.3.4/debian/openvpn.if-up.d
--- openvpn-2.3.4/debian/openvpn.if-up.d2014-03-17 17:48:14.0 
+0100
+++ openvpn-2.3.4/debian/openvpn.if-up.d2015-11-12 17:20:19.0 
+0100
@@ -13,7 +13,7 @@
   for vpn in $IF_OPENVPN; do
 ## check systemd present
 if [ -d $SYSTEMD ]; then
-  $SYSTEMCTL start openvpn@$vpn
+  $SYSTEMCTL --no-block start openvpn@$vpn
 else
   $OPENVPN_INIT start $vpn
 fi
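
Review bot: with --no-block, systemctl returns as soon as the start job is queued, so this branch can no longer tell whether openvpn@$vpn actually came up, unlike the $OPENVPN_INIT branch next to it. Add a comment on that line recording why the call must not block (the boot hang in #787090 and #785200) and that a failed start is now visible only in the unit's own status. $vpn and $SYSTEMD are also expanded unquoted in this hunk.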

Thanks,

Alberto

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-rc7-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#805190: marked as done (jessie-pu: package libapache2-mod-perl2/2.0.9~1624218-2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #805190,
regarding jessie-pu: package libapache2-mod-perl2/2.0.9~1624218-2
to be marked as done.


-- 
805190: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805190
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi, please consider the attached debdiff for a stable update.

Changes:
 libapache2-mod-perl2 (2.0.9~1624218-2+deb8u1) jessie; urgency=medium
 .
   * Apply upstream 2.0.9 patches fixing crashes in
 modperl_interp_unselect(). Thanks to Patrick Matthäi.
 (Closes: #803043)

I understand source-only uploads to stable-p-u aren't supported?
How about source+all?

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libapache2-mod-perl2-2.0.9~1624218/debian/changelog libapache2-mod-perl2-2.0.9~1624218/debian/changelog
--- libapache2-mod-perl2-2.0.9~1624218/debian/changelog	2014-10-15 09:32:24.0 +0300
+++ libapache2-mod-perl2-2.0.9~1624218/debian/changelog	2015-11-15 20:42:37.0 +0200
@@ -1,3 +1,11 @@
+libapache2-mod-perl2 (2.0.9~1624218-2+deb8u1) jessie; urgency=medium
+
+  * Apply upstream 2.0.9 patches fixing crashes in
+modperl_interp_unselect(). Thanks to Patrick Matthäi.
+(Closes: #803043)
+
+ -- Niko Tyni   Sun, 15 Nov 2015 20:42:27 +0200
+
 libapache2-mod-perl2 (2.0.9~1624218-2) unstable; urgency=medium
 
   * Add autopkgtest support.
diff -Nru libapache2-mod-perl2-2.0.9~1624218/debian/patches/0001-Decrement-interp-refcnt-when-freeing-interpreter-in-.patch libapache2-mod-perl2-2.0.9~1624218/debian/patches/0001-Decrement-interp-refcnt-when-freeing-interpreter-in-.patch
--- libapache2-mod-perl2-2.0.9~1624218/debian/patches/0001-Decrement-interp-refcnt-when-freeing-interpreter-in-.patch	1970-01-01 02:00:00.0 +0200
+++ libapache2-mod-perl2-2.0.9~1624218/debian/patches/0001-Decrement-interp-refcnt-when-freeing-interpreter-in-.patch	2015-11-15 20:36:06.0 +0200
@@ -0,0 +1,53 @@
+From 514800554f704d0fe90fefd70016583099d7944b Mon Sep 17 00:00:00 2001
+From: Steve Hay 
+Date: Mon, 3 Nov 2014 08:41:03 +
+Subject: [PATCH] Decrement interp->refcnt when freeing interpreter in
+ modperl_interp_unselect()
+
+The case where interp->refcnt==1 was not being handled correctly. Prior to r1562772 the refcnt was decremented to 0 but then the function returned early, wrongly not freeing the interpreter, leading to deadlock in the event MPM. Following that change the interpreter was now freed, but the refcnt was wrongly no longer decremented.
+
+This change decrements the refcnt (always) and frees the interpreter as well (unless the refcnt is still > 0). An extra safety check is also made, to return early if the interpreter has already been unselected, although with correct refcnting now, we do not expect this to happen.
+
+This patch is based on investigations and a tentative patch suggested by Richard M Kandarian:
+http://marc.info/?t=14019121874&r=1&w=2
+
+git-svn-id: https://svn.apache.org/repos/asf/perl/modperl/trunk@1636289 13f79535-47bb-0310-9956-ffa450edef68
+---
+ src/modules/perl/modperl_interp.c | 13 ++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/modules/perl/modperl_interp.c b/src/modules/perl/modperl_interp.c
+index 430a2af..a984006 100644
+--- a/src/modules/perl/modperl_interp.c
 b/src/modules/perl/modperl_interp.c
+@@ -273,17 +273,24 @@ apr_status_t modperl_interp_unselect(void *data)
+ modperl_interp_t *interp = (modperl_interp_t *)data;
+ modperl_interp_pool_t *mip = interp->mip;
+ 
+-MP_ASSERT(interp && MpInterpIN_USE(interp));
++MP_ASSERT(interp && MpInterpIN_USE(interp) && interp->refcnt > 0);
+ MP_TRACE_i(MP_FUNC, "unselect(interp=%pp): refcnt=%d",
+interp, interp->refcnt);
+ 
+-if (interp->refcnt > 1) {
+---interp->refcnt;
++--interp->refcnt;
++
++if (interp->refcnt > 0) {
+ MP_TRACE_i(MP_FUNC, "interp=0x%lx, refcnt=%d -- interp still in use",
+(unsigned long)interp, interp->refcnt);
+ return APR_S
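
Review bot: the strengthened MP_ASSERT still comes after `modperl_interp_pool_t *mip = interp->mip;`, so its `interp &&` test cannot catch a NULL interp because the pointer has already been dereferenced; move the mip assignment below the assertion. The decrement is now unconditional, and in the lines shown nothing other than the assertion stands between a refcnt of 0 and `--interp->refcnt`, so the early return for an already unselected interpreter that the commit message describes should sit before the decrement.
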

Bug#805383: marked as done (jessie-pu: package shadow/1:4.2-3+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #805383,
regarding jessie-pu: package shadow/1:4.2-3+deb8u1
to be marked as done.


-- 
805383: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805383
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

deluser -f does not really force the removal of users, as it contains
missing cleanups in error paths.  This problem is fixed in Stretch with
1:4.2-3.1.

diff -Nru shadow-4.2/debian/changelog shadow-4.2/debian/changelog
--- shadow-4.2/debian/changelog 2014-11-19 20:59:09.0 +
+++ shadow-4.2/debian/changelog 2015-11-17 15:23:03.0 +
@@ -1,3 +1,10 @@
+shadow (1:4.2-3+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix error handling in busy user detection. (Closes: #778287)
+
+ -- Bastian Blank   Thu, 12 Nov 2015 14:33:33 +
+
 shadow (1:4.2-3) unstable; urgency=low
 
   * Enforce hardened builds to workaround cdbs sometimes not building
diff -Nru shadow-4.2/debian/patches/1020_fix_user_busy_errors 
shadow-4.2/debian/patches/1020_fix_user_busy_errors
--- shadow-4.2/debian/patches/1020_fix_user_busy_errors 1970-01-01 
00:00:00.0 +
+++ shadow-4.2/debian/patches/1020_fix_user_busy_errors 2015-11-17 
15:20:08.0 +
@@ -0,0 +1,38 @@
+Description: Fix user_busy to not leave subuid open in case of error.
+Author: William Grant 
+Bug: https://bugs.launchpad.net/ubuntu/vivid/+source/shadow/+bug/1436937
+
+Index: shadow-4.2/libmisc/user_busy.c
+===
+--- shadow-4.2.orig/libmisc/user_busy.c
 shadow-4.2/libmisc/user_busy.c
+@@ -175,6 +175,9 @@ static int user_busy_processes (const ch
+   if (stat ("/", &sbroot) != 0) {
+   perror ("stat (\"/\")");
+   (void) closedir (proc);
++#ifdef ENABLE_SUBIDS
++  sub_uid_close();
++#endif/* ENABLE_SUBIDS */
+   return 0;
+   }
+ 
+@@ -212,6 +215,9 @@ static int user_busy_processes (const ch
+ 
+   if (check_status (name, tmp_d_name, uid) != 0) {
+   (void) closedir (proc);
++#ifdef ENABLE_SUBIDS
++  sub_uid_close();
++#endif/* ENABLE_SUBIDS */
+   fprintf (stderr,
+_("%s: user %s is currently used by process 
%d\n"),
+Prog, name, pid);
+@@ -232,6 +238,9 @@ static int user_busy_processes (const ch
+   }
+   if (check_status (name, task_path+6, uid) != 0) 
{
+   (void) closedir (proc);
++#ifdef ENABLE_SUBIDS
++  sub_uid_close();
++#endif/* ENABLE_SUBIDS */
+   fprintf (stderr,
+_("%s: user %s is currently 
used by process %d\n"),
+Prog, name, pid);
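
Review bot: the same three-line #ifdef ENABLE_SUBIDS / sub_uid_close() block is pasted into each of the three early-exit paths beside closedir (proc), which is the kind of duplication that lets a later exit path miss the cleanup again. Route these exits through one cleanup label or helper that does both the closedir and the sub_uid_close, and keep the #ifdef in that single place.
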
diff -Nru shadow-4.2/debian/patches/series shadow-4.2/debian/patches/series
--- shadow-4.2/debian/patches/series2014-11-19 20:48:40.0 +
+++ shadow-4.2/debian/patches/series2015-11-17 15:20:08.0 +
@@ -34,3 +34,4 @@
 #userns/16_add-argument-sanity-checking.patch
 1000_configure_userns
 1010_vietnamese_translation
+1020_fix_user_busy_errors

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#805127: marked as done (jessie-pu: package charybdis/3.4.2-4+b1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #805127,
regarding jessie-pu: package charybdis/3.4.2-4+b1
to be marked as done.


-- 
805127: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805127
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

Charybdis is unfortunately in very bad shape in stable right now. There
was an oversight during the release process that made this bug not
appear as release critical:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768339

Yet because of this bug, charybdis is basically unusable with TLS
enabled (which is the default). The error message is obscure and it is
unlikely that anyone can fix this problem on their own without having a
strong intuition.

I have therefore made a small upload for the package on sid. It fixes
that issue, but also a minor security vulnerability that was also
unfixed in jessie (and wheezy):

https://tracker.debian.org/news/725820

I have talked with the security team and they agree that a DSA is not
necessary because of the workaround (and the fact that charybdis is
broken anyways). The CVE has been marked as no-dsa by the team here:

https://security-tracker.debian.org/tracker/CVE-2015-5290

So I would like to upload the -5 release to stable (jessie) directly. I
attached the debdiff between -4 and -5 to this mail.

Since upstream is not maintaining 3.3 anymore and the upgrade is
transparent, I would also suggest that -5 is uploaded to wheezy as well,
but I understand that would be quite a stretch (no pun intended).

Wheezy, as far as i know, is not affected by #768339 so is more stable,
but it *is* affected by the security vulnerability. The patch I
cherry-picked for -5 *seems* to apply to the wheezy version, but I don't
have an environment to test this right now.

Thanks for any feedback.

A.

-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#805024: marked as done (jessie-pu: package glance/2014.1.3-12 (CVE-2015-5251))

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #805024,
regarding jessie-pu: package glance/2014.1.3-12 (CVE-2015-5251)
to be marked as done.

-- 
805024: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805024
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I've prepared an update for Glance CVE-2015-5251. The debdiff is attached.
The resulting binaries may be found here:
http://sid.gplhost.com/jessie-proposed-updates/glance/

Please authorize me to upload this to jessie-proposed-updates.

Cheers,

Thomas Goirand (zigo)
diff -Nru glance-2014.1.3/debian/changelog glance-2014.1.3/debian/changelog
--- glance-2014.1.3/debian/changelog	2015-01-29 15:22:59.0 +
+++ glance-2014.1.3/debian/changelog	2015-11-13 13:30:43.0 +
@@ -1,3 +1,10 @@
+glance (2014.1.3-12+deb8u1) jessie-proposed-updates; urgency=medium
+
+  * CVE-2015-5251: Glance image status manipulation. Applied upstream patch
+after rebasing it from Juno to Icehouse (Closes: #799931).
+
+ -- Thomas Goirand   Fri, 13 Nov 2015 14:22:12 +0100
+
 glance (2014.1.3-12) unstable; urgency=high
 
   * CVE-2014-9623: Glance user storage quota bypass. Applied upstream patch:
diff -Nru glance-2014.1.3/debian/patches/CVE-2015-5251_Prevent_image_status_being_directly_modified_via_v1.patch glance-2014.1.3/debian/patches/CVE-2015-5251_Prevent_image_status_being_directly_modified_via_v1.patch
--- glance-2014.1.3/debian/patches/CVE-2015-5251_Prevent_image_status_being_directly_modified_via_v1.patch	1970-01-01 00:00:00.0 +
+++ glance-2014.1.3/debian/patches/CVE-2015-5251_Prevent_image_status_being_directly_modified_via_v1.patch	2015-11-13 13:30:43.0 +
@@ -0,0 +1,171 @@
+Description: Prevent image status being directly modified via v1
+ Users shouldn't be able to change an image's status directly via the v1 API.
+ .
+ Some existing consumers of Glance set the x-image-meta-status header in
+ requests to the Glance API, eg:
+ .
+  https://github.com/openstack/nova/blob/master/plugins/xenserver/xenapi/etc/xapi.d/plugins/glance#L184
+ .
+ We should try to prevent users setting 'status' via v1, but without breaking
+ existing benign API calls such as these.
+ .
+ I've adopted the following approach (which has some prior art in 'protected properties').
+ .
+ If a PUT request is received which contains an x-image-meta-status header:
+ .
+  * The user provided status is ignored if it matches the current image
+status (this prevents benign calls such as the nova one above from
+breaking). The usual code (eg 200) will be returned.
+ .
+  * If the user provided status doesn't match the current image status (ie
+there is a real attempt to change the value) 403 will be returned. This
+will break any calls which currently intentionally change the status.
+Author: Stuart McLaren 
+Date: Tue, 11 Aug 2015 10:37:09 + (+)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fglance.git;a=commitdiff_plain;h=45be8e1c620c50f3cbca76f561945200a8843bc8
+Bug-Ubuntu: https://bugs.launchpad.net/glance/+bug/1482371
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799931
+Change-Id: I44fadf32abb57c962b67467091c3f51c1ccc25e6
+Origin: upstream, https://review.openstack.org/#/c/226338/
+Last-Update: 2015-10-13
+
+--- glance-2014.1.3.orig/glance/api/v1/__init__.py
 glance-2014.1.3/glance/api/v1/__init__.py
+@@ -21,3 +21,6 @@ SUPPORTED_PARAMS = ('limit', 'marker', '
+ 
+ # Metadata which only an admin can change once the image is active
+ ACTIVE_IMMUTABLE = ('size', 'checksum')
++
++# Metadata which cannot be changed (irrespective of the current image state)
++IMMUTABLE = ('status',)
+--- glance-2014.1.3.orig/glance/api/v1/images.py
 glance-2014.1.3/glance/api/v1/images.py
+@@ -53,6 +53,7 @@ LOG = logging.getLogger(__name__)
+ SUPPORTED_PARAMS = glance.api.v1.SUPPORTED_PARAMS
+ SUPPORTED_FILTERS = glance.api.v1.SUPPORTED_FILTERS
+ ACTIVE_IMMUTABLE = glance.api.v1.ACTIVE_IMMUTABLE
++IMMUTABLE = glance.api.v1.IMMUTABLE
+ 
+ CONF = cfg.CONF
+ CONF.import_opt('disk_formats', 'glance.common.config', group='image_format')
+@@ -843,6 +844,14 @@ class Controller(controller.BaseControll
+ request=req,
+ content_type="te
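
Review bot: The patch header's `Origin: upstream, https://review.openstack.org/#/c/226338/` does not match the changelog entry, which says the upstream patch was applied "after rebasing it from Juno to Icehouse". DEP-3 uses `Origin: backport, <url>` for a change that had to be adapted to an older branch, so I would switch the tag and note in the Description what the rebase touched. `Bug-Ubuntu:` also points at the Launchpad bug for the glance project itself, which is the upstream tracker, so a plain `Bug:` field would be the accurate one.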

Bug#805721: marked as done (jessie-pu: package exim4/4.84-8+deb8u2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #805721,
regarding jessie-pu: package exim4/4.84-8+deb8u2
to be marked as done.

-- 
805721: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805721
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I would like to fix 805576 for jessie:

JH/05 Fix results-pipe from transport process.  Several recipients, combined
  with certificate use, exposed issues where response data items
  split over buffer boundaries were not parsed properly.  This
  eventually resulted in duplicates being sent.  This issue only
  became common enough to notice due to the introduction of
  connection certificate information, the item size being so much
  larger.  Found and fixed by Wolfgang Breyha

Thanks for considering, cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#805260: marked as done (jessie-pu: package ruby-bson/1.10.0-1+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #805260,
regarding jessie-pu: package ruby-bson/1.10.0-1+deb8u1
to be marked as done.

-- 
805260: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805260
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

Please accept the fixes for CVE-2015-4410 in ruby-bson. I already discussed
with the security team (tagged as no-dsa).

Source debdiff attached.

 https://security-tracker.debian.org/CVE-2015-4410

Regards,
Prach

diff -Nru ruby-bson-1.10.0/debian/changelog ruby-bson-1.10.0/debian/changelog
--- ruby-bson-1.10.0/debian/changelog	2014-05-15 12:00:35.0 +0700
+++ ruby-bson-1.10.0/debian/changelog	2015-11-16 08:59:15.0 +0700
@@ -1,3 +1,9 @@
+ruby-bson (1.10.0-1+deb8u1) jessie; urgency=medium
+
+  * Fix CVE-2015-4410: DoS and possible injection (Closes: #787951)
+
+ -- Prach Pongpanich   Mon, 16 Nov 2015 08:55:51 +0700
+
 ruby-bson (1.10.0-1) unstable; urgency=medium
 
   [ Cédric Boutillier ]
diff -Nru ruby-bson-1.10.0/debian/gbp.conf ruby-bson-1.10.0/debian/gbp.conf
--- ruby-bson-1.10.0/debian/gbp.conf	1970-01-01 07:00:00.0 +0700
+++ ruby-bson-1.10.0/debian/gbp.conf	2015-11-16 08:59:15.0 +0700
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/jessie
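
Review bot: The new `debian/gbp.conf` is not mentioned in the 1.10.0-1+deb8u1 changelog entry, which lists only the CVE-2015-4410 fix. Every change in a stable-update debdiff should be accounted for, so either add a changelog line for the `debian-branch = debian/jessie` setting or leave the file out of this upload.
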
diff -Nru ruby-bson-1.10.0/debian/patches/series ruby-bson-1.10.0/debian/patches/series
--- ruby-bson-1.10.0/debian/patches/series	2014-05-15 12:00:35.0 +0700
+++ ruby-bson-1.10.0/debian/patches/series	2015-11-15 00:59:01.0 +0700
@@ -4,3 +4,4 @@
 #change_require_activesupport.patch
 #add_to_bson_code.patch
 remove_rubygems_from_bins.patch
+Update_BSON_ObjectId_validation.patch
diff -Nru ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch
--- ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch	1970-01-01 07:00:00.0 +0700
+++ ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch	2015-11-15 00:59:01.0 +0700
@@ -0,0 +1,18 @@
+From bb544c2f6fd62940f04ddc1abeeaa3f23c1a9ade Mon Sep 17 00:00:00 2001
+From: Emily Stolfo 
+Date: Thu, 4 Jun 2015 11:19:36 -0400
+Subject: [PATCH] RUBY-941 Update BSON ObjectId validation
+
+diff --git a/lib/bson/types/object_id.rb b/lib/bson/types/object_id.rb
+index 5de7f66..6e44efa 100644
+--- a/lib/bson/types/object_id.rb
 b/lib/bson/types/object_id.rb
+@@ -51,7 +51,7 @@ def initialize(data=nil, time=nil)
+ #
+ # @return [Boolean]
+ def self.legal?(str)
+-  str =~ /^[0-9a-f]{24}$/i ? true : false
++  str =~ /\A[0-9a-f]{24}\z/i ? true : false
+ end
+ 
+ # Create an object id from the given time. This is useful for doing range
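
Review bot: The patch file carries the upstream commit with no explanation of why the anchors in `self.legal?` change and no Debian patch header. In Ruby `^` and `$` match at every line boundary, so the old pattern accepted any string in which a single line was 24 hex digits, while `\A` and `\z` require the whole string to be; please state that in the patch description and add `Origin:` and `Bug-Debian: https://bugs.debian.org/787951` fields. Nothing in this debdiff exercises the new behaviour either, so a regression test with a multi-line input that must be rejected would be worth carrying.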


--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#805634: marked as done (jessie-pu: torbrowser-launcher/0.2.2-2~deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #805634,
regarding jessie-pu: torbrowser-launcher/0.2.2-2~deb8u1
to be marked as done.

-- 
805634: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805634
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: release.debian.org
x-debbugs-cc: pkg-privacy-maintain...@lists.alioth.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

torbrowser-launcher 0.1.9-1+deb8u1 in jessie is affected by 3 serious bugs
(#804184 #784041 #804274) which are all fixed in the version in stretch
(=0.2.1-2), plus there is one annoying bug left in stretch (#805078) which
is fixed in the sid version = 0.2.2-2.

That last bug again breaks torbrowser-launcher completely but can be worked 
around by removing ~/.cache/torbrowser/, ~/.local/share/torbrowser/ and
~/.config/torbrowser/ so it's a bummer from the user experience too.

The diff is a bit longer than I would like, but given the commits were
reviewed several times by several people and given the purpose of the package
(to install another rather large bit of software…) I think it's sane to accept
this. Especially as the alternative would mean cherry-picking most of the
commits anyway and having to do the same when upstream (=torbrowser, and thus
the launcher) changes again…

$ git diff debian/0.1.9-1+deb8u1 debian/0.2.2-2|diffstat
 apparmor/torbrowser.start-tor-browser | 53 -
 b/.gitignore | 2
 b/BUILD.md | 4
 b/CHANGELOG.md | 24
 b/README.md | 24
 b/apparmor/torbrowser.Browser.firefox | 18
 b/apparmor/torbrowser.Tor.tor | 3
 b/apparmor/usr.bin.torbrowser-launcher | 4
 b/build_rpm.sh | 2
 b/debian/changelog | 58 +-
 b/debian/control | 6
 b/debian/copyright | 22
 b/debian/gbp.conf | 2
 b/debian/patches/Include-local-overrides-file-in-AppArmor-profiles.-C.patch | 38 +
 b/debian/patches/Set-torbrowser.start-tor-browser-and-usr.bin.torbrow.patch | 26
 b/debian/patches/series | 2
 b/screenshot.png |binary
 b/setup.py | 1
 b/share/applications/torbrowser-settings.desktop | 7
 b/share/applications/torbrowser.desktop | 8
 b/share/torbrowser-launcher/version | 2
 b/stdeb.cfg | 5
 b/torbrowser_launcher/__init__.py | 7
 b/torbrowser_launcher/common.py | 102 ---
 b/torbrowser_launcher/launcher.py | 276 +++---
 b/torbrowser_launcher/settings.py | 116 +---
 debian/patches/0001-Update-location-of-start-tor-browser-for-TBB-4.5-and.patch | 93 ---
 debian/patches/0002-execute-.-start-tor-browser.desktop-instead-of-.-Bro.patch | 41 -
 debian/patches/0003-Stop-letting-Tor-Browser-act-as-a-default-browser.patch | 21
 share/torbrowser-launcher/erinn.asc | 51 -
 30 files changed, 353 insertions(+), 665 deletions(-)

If you want to look yourself in more detail, please use 
git.debian.org/git/collab-maint/torbrowser-launcher.git and the tags 
debian/$version.

(I've confirmed the tags correspond to what has been uploaded. Attached is the
output of debdiff torbrowser-launcher_0.1.9-1+d

Bug#805214: marked as done (jessie-pu: package libhtml-scrubber-perl/0.11-1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #805214,
regarding jessie-pu: package libhtml-scrubber-perl/0.11-1
to be marked as done.

-- 
805214: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805214
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Please consider the attached debdiff for a stable update.

Changes:
 libhtml-scrubber-perl (0.11-1+deb8u1) jessie; urgency=medium
 .
   * [SECURITY] CVE-2015-5667: Backport upstream patch fixing
 a cross-site scripting vulnerability in comments.
 (Closes: #803943)

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libhtml-scrubber-perl-0.11/debian/changelog libhtml-scrubber-perl-0.11/debian/changelog
--- libhtml-scrubber-perl-0.11/debian/changelog	2013-10-22 20:19:05.0 +0300
+++ libhtml-scrubber-perl-0.11/debian/changelog	2015-11-15 22:32:52.0 +0200
@@ -1,3 +1,11 @@
+libhtml-scrubber-perl (0.11-1+deb8u1) jessie; urgency=medium
+
+  * [SECURITY] CVE-2015-5667: Backport upstream patch fixing
+a cross-site scripting vulnerability in comments.
+(Closes: #803943)
+
+ -- Niko Tyni   Sun, 15 Nov 2015 21:07:33 +0200
+
 libhtml-scrubber-perl (0.11-1) unstable; urgency=low
 
   * Team upload.
diff -Nru libhtml-scrubber-perl-0.11/debian/patches/0001-Test-and-fix-for-JVN53973084.patch libhtml-scrubber-perl-0.11/debian/patches/0001-Test-and-fix-for-JVN53973084.patch
--- libhtml-scrubber-perl-0.11/debian/patches/0001-Test-and-fix-for-JVN53973084.patch	1970-01-01 02:00:00.0 +0200
+++ libhtml-scrubber-perl-0.11/debian/patches/0001-Test-and-fix-for-JVN53973084.patch	2015-11-15 22:32:52.0 +0200
@@ -0,0 +1,65 @@
+From 3f871371cf40baf37981bc829036d4a444e20124 Mon Sep 17 00:00:00 2001
+From: Nigel Metheringham 
+Date: Sat, 10 Oct 2015 15:01:14 +0100
+Subject: [PATCH] Test and fix for JVN53973084
+
+Malformed tags can pass through as comments.
+Thus comments are now only passed through if
+they are well formed - currently defined as
+matching a regular expression.
+
+Origin: backport, https://github.com/nigelm/html-scrubber/commit/e1978cc37867e85c06a84a4651745235010cd6cd
+Bug-Debian: https://bugs.debian.org/803943
+---
+ lib/HTML/Scrubber.pm |  6 +-
+ t/jvn53973084.t  | 21 +
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+ create mode 100644 t/jvn53973084.t
+
+diff --git a/lib/HTML/Scrubber.pm b/lib/HTML/Scrubber.pm
+index e8ee4ba..e7c1d42 100644
+--- a/lib/HTML/Scrubber.pm
 b/lib/HTML/Scrubber.pm
+@@ -284,7 +284,11 @@ sub _scrub_str {
+ }
+ }
+ elsif ( $e eq 'comment' ) {
+-$outstr .= $text if $s->{_comment};
++if ( $s->{_comment} ) {
++
++# only copy comments through if they are well formed...
++$outstr .= $text if ( $text =~ m|^$|ms );
++}
+ }
+ elsif ( $e eq 'process' ) {
+ $outstr .= $text if $s->{_process};
+diff --git a/t/jvn53973084.t b/t/jvn53973084.t
+new file mode 100644
+index 000..7767609
+--- /dev/null
 b/t/jvn53973084.t
+@@ -0,0 +1,21 @@
++# Tests related to JVN53973084
++
++use strict;
++use warnings;
++use Test::More;
++
++use_ok('HTML::Scrubber');
++
++my @allow = qw[
++hr
++];
++
++my $html_1 = q[abc];
++my $html_2 = q[new( allow => \@allow, comment => $comment_value );
++is( $scrubber->scrub($html_1), 'abc', "correct result (1) - with comment => $comment_value" );
++is( $scrubber->scrub($html_2), '',"correct result (2) - with comment => $comment_value" );
++}
++
++done_testing;
+-- 
+2.6.2
+
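
Review bot: In the `_scrub_str` hunk the well-formedness check is anchored with `^` and `$` and compiled with the `m` flag, so both anchors can match at an internal line boundary instead of only at the start and end of `$text`. The stated intent is that a comment is passed through only if the whole token is well formed, and `\A` and `\z` (or dropping `m` while keeping `s`) would express that more strictly. Since this is a backport I would raise it upstream rather than diverge here, but it should be recorded in the patch header.
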
diff -Nru libhtml-scrubber-perl-0.11/debian/patches/series libhtml-scrubber-perl-0.11/debian/patches/series
--- libhtml-scrubber-perl-0.11/debian/patches/series	1970-01-01 02:00:00.0 +0200
+++ libhtml-scrubber-perl-0.11/debian/patches/series	2015-11-15 21:11:47.0 +0200
@@ -0,0 +1 @@
+0001-Test-and-fix-for-JVN53973084.patch
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam--- End

Bug#804383: marked as done (jessie-pu: package libinfinity/0.6.7-1~deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #804383,
regarding jessie-pu: package libinfinity/0.6.7-1~deb8u1
to be marked as done.

-- 
804383: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804383
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I would like to upload libinfinity 0.6.7-1 from stretch as
0.6.7-1~deb8u1 to jessie (debdiff of 0.6.6-1 to 0.6.7-1 attached). To
quote the upstream NEWS file of this maintenance release:

 * Fix a possible crash when an entry is removed from the document
   browser.
 * Fix a possible crash in infinoted when access control lists are
   enabled.
 * Fix an assertion failure when operating with text documents and
   using glib 2.46 or newer.

The release contains a little bit of autotools, changelog, and po
churn, but apart from that does only contain the above changes.

If needed I can back out the glib 2.46 change, although I'd prefer
to upload the whole thing as the change is arguably more correct
even with older glibs.

Kind regards and thanks
Philipp Kern
diff -Nru libinfinity-0.6.6/ChangeLog libinfinity-0.6.7/ChangeLog
--- libinfinity-0.6.6/ChangeLog	2015-05-13 02:57:57.089748067 +0200
+++ libinfinity-0.6.7/ChangeLog	2015-10-14 01:34:53.805216085 +0200
@@ -1,6 +1,115 @@
+commit a7bdd262474898d180285129f5aed3e87b04461a
+Author: Armin Burgmeier 
+Date:   Tue Oct 13 19:34:35 2015 -0400
+
+Release libinfinity 0.6.7
+
+ NEWS | 8 
+ 1 file changed, 8 insertions(+)
+
+commit d447fc406c0ceb2766f69ffec28f017baa7ed7a9
+Author: Armin Burgmeier 
+Date:   Mon Oct 12 19:51:50 2015 -0400
+
+InfTextChunk: fix segment lookup for offset=0 (#10)
+
+This used to work with glib 2.42, but it seems that the semantics of
+g_sequence_search() have changed with respect to what item is returned
+when the comparison function returns 0. The behavior in that case is not
+documented. Fix this by passing a different comparison function that
+never returns 0, so that there is no ambiguity in which segment is
+returned.
+
+ libinftext/inf-text-chunk.c | 29 -
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+commit 3fb2be4fb355ed44541d6da486dc73c5dd739ca3
+Author: Armin Burgmeier 
+Date:   Mon Oct 12 19:51:40 2015 -0400
+
+Fix integrity check in inf_text_chunk_get_byte_index_utf8()
+
+ libinftext/inf-text-chunk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 4fc1227317eea35b87e10686daf467642c9abe1e
+Author: Armin Burgmeier 
+Date:   Tue Jun 9 21:20:23 2015 -0400
+
+Fix uninitialized variable when suggesting a SASL mechanism
+
+ libinfinity/common/inf-xmpp-connection.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+commit 28dd0736c7618861dd9a23e8793e4db865ce6a5e
+Author: Armin Burgmeier 
+Date:   Sun Jun 7 21:27:23 2015 -0400
+
+InfXmppConnection: Fix strncmp invocation when suggesting SASL mechanism
+
+ libinfinity/common/inf-xmpp-connection.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 4dfaf22925dbe12008627d0a604b179fd6e4b7b4
+Author: Armin Burgmeier 
+Date:   Wed May 27 22:21:22 2015 -0400
+
+Fix g_free / g_slice_free mismatch
+
+ libinfinity/server/infd-directory.c | 18 --
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+commit d17398a0f850a79ffbe78c10bbe8ebfd0cd5e63c
+Author: Armin Burgmeier 
+Date:   Wed May 27 21:12:28 2015 -0400
+
+InfdDirectory: Fix error reply to client when session proxy cannot
+be created
+
+ libinfinity/server/infd-directory.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+commit 822b227c662e5fcaab3c1bdfdf224eebaefe7728
+Author: Armin Burgmeier 
+Date:   Sat May 23 14:39:59 2015 -0400
+
+Fix session becoming inconsistent with active local users during
+subscription
+
+When the server sends the vector time of local users during subscription,
+it now sends the last send vector instead of the real value of the
+user time,
+so that subsequent state vector diffs are consistent for the newly joined
+client.
+
+Conflicts:
+	libinfinity/adopted/inf-adopted-session.c
+
+ libinfinity/adopted/inf-adopted-session.c | 34 -
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+commit cf4588011a5023af36d6393f1f724a11742b84f1
+Author: Armin Burgmeier 
+Date:	Fri May 
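
Review bot: The ChangeLog carries commits that the three NEWS items quoted in the request do not obviously cover, for example the two SASL mechanism fixes in `libinfinity/common/inf-xmpp-connection.c` (an uninitialized variable and a `strncmp` invocation) and the session consistency change in `libinfinity/adopted/inf-adopted-session.c`, which is marked with a `Conflicts:` line. Please map each commit to a NEWS item or list the remaining ones separately in the request, so the statement that the release "does only contain the above changes" can be checked against this list.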

Bug#805894: marked as done (jessie-pu: package mdadm/3.3.2-5+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #805894,
regarding jessie-pu: package mdadm/3.3.2-5+deb8u1
to be marked as done.

-- 
805894: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805894
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I prepared a package for mdadm containing a patch to fix bug #784070
(https://bugs.debian.org/784070) which prevents booting a software RAID
1 in degraded mode. The diff is attached to this message.

The previous package maintainer (Michael Tokarev) confirmed the source of the
problem (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784070#49) and
several users confirmed that the patch fixes the bug. Moreover, the new
package maintainer (Dimitri John Ledkov, CC of this mail) agreed with this
solution and gave me his consent to proceed with the upload
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784070#230).

The source package can be found at
http://mentors.debian.net/debian/pool/main/m/mdadm/mdadm_3.3.2-5+deb8u1.dsc

Regards,

Yann Soubeyrand

diff -Nru mdadm-3.3.2/debian/changelog mdadm-3.3.2/debian/changelog
--- mdadm-3.3.2/debian/changelog2014-12-20 09:48:54.0 +0100
+++ mdadm-3.3.2/debian/changelog2015-11-23 17:22:41.0 +0100
@@ -1,3 +1,11 @@
+mdadm (3.3.2-5+deb8u1) jessie-proposed-updates; urgency=medium
+
+  * Non-maintainer upload.
+  * disable-incremental-assembly.patch: incremental assembly prevents booting
+in degraded mode (Closes: #784070)
+
+ -- Yann Soubeyrand   Mon, 23 Nov 2015 
17:22:27 +0100
+
 mdadm (3.3.2-5) unstable; urgency=medium
 
   * use-tempnode-not-devnode.patch: change udev rules file to use
diff -Nru mdadm-3.3.2/debian/patches/disable-incremental-assembly.patch 
mdadm-3.3.2/debian/patches/disable-incremental-assembly.patch
--- mdadm-3.3.2/debian/patches/disable-incremental-assembly.patch   
1970-01-01 01:00:00.0 +0100
+++ mdadm-3.3.2/debian/patches/disable-incremental-assembly.patch   
2015-11-10 11:13:53.0 +0100
@@ -0,0 +1,12 @@
+--- a/udev-md-raid-assembly.rules
 b/udev-md-raid-assembly.rules
+@@ -25,6 +25,9 @@ GOTO="md_inc_end"
+
+ LABEL="md_inc"
+
++# Disable incremental assembly to fix Debian bug #784070
++GOTO="md_inc_end"
++
+ # remember you can limit what gets auto/incrementally assembled by
+ # mdadm.conf(5)'s 'AUTO' and selectively whitelist using 'ARRAY'
+ ACTION=="add|change", IMPORT{program}="BINDIR/mdadm --incremental --export 
$tempnode --offroot ${DEVLINKS}"
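
Review bot: The added `GOTO="md_inc_end"` sits directly after `LABEL="md_inc"` and is unconditional, so the `mdadm --incremental` rule below it and everything else up to `md_inc_end` can no longer run. The comment only cites the bug number; it should say what assembles the arrays once udev no longer does so, because that is what a later reader needs before re-enabling the rule. The patch file also starts straight at the `---` line and needs a DEP-3 header (Description, Author, `Bug-Debian: https://bugs.debian.org/784070`).
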
diff -Nru mdadm-3.3.2/debian/patches/series mdadm-3.3.2/debian/patches/series
--- mdadm-3.3.2/debian/patches/series   2014-12-05 16:59:42.0 +0100
+++ mdadm-3.3.2/debian/patches/series   2015-11-10 11:13:53.0 +0100
@@ -7,3 +7,4 @@
 rebuildmap-strip-local-host-name-from-device-name.patch
 readlink-path.patch
 mdmonitor-service-simplify.diff
+disable-incremental-assembly.patch
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#806252: marked as done (jessie-pu: package nvidia-graphics-drivers/340.96-1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #806252,
regarding jessie-pu: package nvidia-graphics-drivers/340.96-1
to be marked as done.

-- 
806252: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806252
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

next nvidia package in non-free to be updated for CVE-2015-7869.

Annotated changelog:

+nvidia-graphics-drivers (340.96-1) jessie; urgency=medium

uncommon version for the benefit of shorter version numbers in
nvidia-graphics-modules, sid has an initial upload of 340.96 as
340.96-2.

+  * New upstream legacy 340xx branch release 340.96 (2015-11-16).
+* Fixed CVE-2015-7869: Unsanitized User Mode Input.  (Closes: #805917)
+  * Merge changes from 304.131-1.
+  * Add xorg-video-abi-20 as alternative dependency.
+  * conftest.h:
+- Implement new conftest.sh functions hlist_for_each_entry,
+  of_parse_phandle, for_each_online_node, node_end_pfn (358.09).
+- Update conftest.sh function scatterlist for logic reversal in
+  304.131/340.96/352.63, support both ways.

The new upstream bits.

+  * d/rules: Move tar option --no-recursion before the list of files.

Not a problem in jessie, but when working with the packaging in
stretch/sid.

+  * d/control: Make dependencies on nvidia-alternative strictly versioned to
+prevent partial upgrades.

partial upgrades allowed mismatching upstream versions of libcuda1 and
nvidia-driver to be installed concurrently - but we can load only one
version of the kernel module, and that needs to match the libraries
exactly.

+  * d/module/debian/control.template: Add armhf to the Architecture list,
+otherwise module-assistant can't build any module packages from
+nvidia-kernel-source on armhf.

That package was useless on armhf so far ...
but only noticed after I added a qemu armhf pbuilder chroot locally ...

+nvidia-graphics-drivers (304.131-1) UNRELEASED; urgency=medium
+
+  * New upstream legacy 304xx branch release 304.131 (2015-11-16).
+- Fixed a bug that could cause texture corruption in some OpenGL
+  applications when video memory is exhausted by a combination of
+  simultaneously running graphical and compute workloads.
+- Added support for X.Org xserver ABI 20 (xorg-server 1.18).
+* Improved compatibility with recent Linux kernels.

Upstream now supports Linux 4.3 out of the box (except on armhf, but
we have a patch there in sid and jessie-backports).

+  * Add xorg-video-abi-20 as alternative dependency.
+  * conftest.h:
+- Implement new conftest.sh functions hlist_for_each_entry,
+  of_parse_phandle, for_each_online_node, node_end_pfn (358.09).
+- Update conftest.sh function scatterlist for logic reversal in
+  304.131/340.96/352.63, support both ways.

the new upstream bits from wheezy-pu ...

+  * debian/control: Add Breaks between mismatching upstream versions of
+libcuda1 and nvidia-alternative to prevent partial upgrades. 

This we had done differently for wheezy.

There is also an undocumented addition of some comments to some lintian
overrides to prevent me from "optimizing" them and breaking multiarch
installation on the way ...


Andreas
Index: debian/rules.defs
===
--- debian/rules.defs	(.../tags/340.93-0+deb8u1)	(revision 5913)
+++ debian/rules.defs	(.../branches/340)	(revision 5913)
@@ -3,13 +3,13 @@
 WATCH_VERSION		 = 340
 NVIDIA_SETTINGS		 = nvidia-settings (>= $(version_major))
 
-XORG_ABI_LIST		 = 19 18 15 14 13 12 11 10 8 6.0
-XORG_BOUND		 = (<< 2:1.17.99)
+XORG_ABI_LIST		 = 20 19 18 15 14 13 12 11 10 8 6.0
+XORG_BOUND		 = (<< 2:1.18.99)
 
-LINUX_KMOD_TESTED	 = 4.2
+LINUX_KMOD_TESTED	 = 4.3
 LINUX_KMOD_TESTED_amd64	 =
 LINUX_KMOD_TESTED_i386	 =
-LINUX_KMOD_TESTED_armhf	 =
+LINUX_KMOD_TESTED_armhf	 = 4.2
 
 ARCH_LIST		 = i386 amd64 armhf
 NVIDIA_DIRNAME_X86	 = NVIDIA-Linux-x86-${NVIDIA_RELEASE}
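Review bot: `LINUX_KMOD_TESTED_armhf` goes from empty to `4.2` while the generic `LINUX_KMOD_TESTED` moves to `4.3`, and nothing in the file says why armhf is held back. The accompanying mail gives the reason (upstream supports Linux 4.3 out of the box except on armhf), so a one-line comment above the armhf assignment would keep the pin from being dropped by accident later. The new `20` in `XORG_ABI_LIST` and the `XORG_BOUND` bump to `2:1.18.99` move together, which is consistent.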
Index: debian/module/conftest.h
===
--- debian/module/conftest.h	(.../tags/340.93-0+deb8u1)	(revision 5913)
+++ debian/module/conftest.h	(.../branches/340)	(revision 5913)
@@ -1,4 +1,4 @@
-/* synchronized with conftest.sh from 352.41, 349.16, 346.96, 343.36, 340.93, 304.128, 173.14.39, 96.43.23, 71.86.15 */
+/* sync

Bug#806165: marked as done (jessie-pu: package zendframework/1.12.9+dfsg-2+deb8u5)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #806165,
regarding jessie-pu: package zendframework/1.12.9+dfsg-2+deb8u5
to be marked as done.


-- 
806165: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806165
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

As agreed with the security team, this update aims to fix a security
issue in zendframework (request for Wheezy follows) via pu. Please find
attached the debdiff, as well as the actual patch with some formatting
noise removed.

  * Backport security fix from 1.12.17:
- ZF2015-09: Fixed entropy issue in word CAPTCHA
  http://framework.zend.com/security/advisory/ZF2015-09

Thanks in advance for considering.

Regards

David
diff --git a/debian/changelog b/debian/changelog
index 915004f..9977720 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+zendframework (1.12.9+dfsg-2+deb8u5) jessie; urgency=medium
+
+  * Backport security fix from 1.12.17
+- ZF2015-09: Fixed entropy issue in word CAPTCHA
+  http://framework.zend.com/security/advisory/ZF2015-09
+
+ -- David Prévot   Tue, 24 Nov 2015 18:21:26 -0400
+
 zendframework (1.12.9+dfsg-2+deb8u4) jessie-security; urgency=high
 
   * Backport security fixes from 1.12.16:
diff --git a/debian/patches/0008-ZF2015-09-Fixed-entropy-issue-in-word-CAPTCHA.patch b/debian/patches/0008-ZF2015-09-Fixed-entropy-issue-in-word-CAPTCHA.patch
new file mode 100644
index 000..412b779
--- /dev/null
+++ b/debian/patches/0008-ZF2015-09-Fixed-entropy-issue-in-word-CAPTCHA.patch
@@ -0,0 +1,347 @@
+From: Enrico Zimuel 
+Date: Mon, 9 Nov 2015 17:26:45 +0100
+Subject: ZF2015-09: Fixed entropy issue in word CAPTCHA
+
+This patch fixes a potential entropy fixation vector with `Zend_Captcha_Word`.
+Prior to the fix, when selecting letters for the CAPTCHA, `array_rand()` was
+used, which does not use sufficient entropy during randomization. The patch
+backports randomization routines from ZF2 in order to provide a more
+cryptographically secure RNG.
+
+Origin: upstream, https://github.com/zendframework/zf1/commit/4a41392f89bf510a8ab801eacb117fe7ea25b575
+---
+ library/Zend/Captcha/Word.php |  29 +++-
+ library/Zend/Crypt/Math.php   | 100 +++---
+ tests/Zend/Crypt/MathTest.php |  75 +--
+ 3 files changed, 183 insertions(+), 21 deletions(-)
+
+diff --git a/library/Zend/Captcha/Word.php b/library/Zend/Captcha/Word.php
+index 1f0e0fc..ba39580 100644
+--- a/library/Zend/Captcha/Word.php
 b/library/Zend/Captcha/Word.php
+@@ -22,6 +22,9 @@
+ /** @see Zend_Captcha_Base */
+ require_once 'Zend/Captcha/Base.php';
+ 
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+  * Word-based captcha adapter
+  *
+@@ -39,10 +42,10 @@ abstract class Zend_Captcha_Word extends Zend_Captcha_Base
+ /**#@+
+  * @var array Character sets
+  */
+-static $V  = array("a", "e", "i", "o", "u", "y");
+-static $VN = array("a", "e", "i", "o", "u", "y","2","3","4","5","6","7","8","9");
+-static $C  = array("b","c","d","f","g","h","j","k","m","n","p","q","r","s","t","u","v","w","x","z");
+-static $CN = array("b","c","d","f","g","h","j","k","m","n","p","q","r","s","t","u","v","w","x","z","2","3","4","5","6","7","8","9");
++static public $V  = array("a", "e", "i", "o", "u", "y");
++static public $VN = array("a", "e", "i", "o", "u", "y","2","3","4","5","6","7","8","9");
++static public $C  = array("b","c","d","f","g","h","j","k","m","n","p","q","r","s","t","u","v","w","x","z");
++static public $CN = array("b","c","d","f","g","h","j","k","m","n","p","q","r","s","t","u","v","w","x","z","2","3","4","5","6","7","8","9");
+ /**#@-*/
+ 
+ /**
+@@ -175,7 +178,7 @@ abstract class Zend_Captcha_Word extends Zend_Captcha_Base
+  *
+  * @return string
+  */
+-public function getId ()
++public function getId()
+ {
+ if (null === $this->_id) {
+ $this->_setId($this->_generateRandomId());
+@@ -189,7 +192,7 @@ abstract class Zend_Captcha_Word extends Zend_Captcha_Base
+  * @param string $id
+  * @return Zend_Captcha_Word
+  */
+-protected function _setId ($id)
++protected function _setId($id)
+ {
+ $this->_id = $id;
+ retur
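Review bot: The respacing of `getId ()` and `_setId ()` and the `static` to `static public` change on `$V`, `$VN`, `$C` and `$CN` are cosmetic and unrelated to the entropy fix described in the patch header; PHP already treats a bare `static` property as public, so behaviour does not change. For a stable security backport, consider dropping these lines so the diff carries only the `require_once 'Zend/Crypt/Math.php';` addition and the randomization change, which makes it easier to compare against the upstream commit named in `Origin:`.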

Bug#806129: marked as done (jessie-pu: package augeas/1.2.0-0.2+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #806129,
regarding jessie-pu: package augeas/1.2.0-0.2+deb8u1
to be marked as done.


-- 
806129: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806129
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear release managers,

I prepared a package for augeas containing a patch to fix bug #764699
(https://bugs.debian.org/764699) which affects httpd lens: files under
/etc/apache2/conf-enabled directory are not taken into account by this lens.
The diff is attached to this message.

The source package can be found at
http://mentors.debian.net/debian/pool/main/a/augeas/augeas_1.2.0-0.2+deb8u1.dsc

Regards,

Yann Soubeyrand

diff -Nru augeas-1.2.0/debian/changelog augeas-1.2.0/debian/changelog
--- augeas-1.2.0/debian/changelog   2014-08-27 19:45:17.0 +0200
+++ augeas-1.2.0/debian/changelog   2015-11-24 13:55:49.0 +0100
@@ -1,3 +1,10 @@
+augeas (1.2.0-0.2+deb8u1) jessie-proposed-updates; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix httpd lens (Closes: #764699)
+
+ -- Yann Soubeyrand   Tue, 24 Nov 2015 
13:55:31 +0100
+
 augeas (1.2.0-0.2) unstable; urgency=medium
 
   * Non-maintainer upload
diff -Nru augeas-1.2.0/debian/patches/0003-Fix-httpd-lens.patch 
augeas-1.2.0/debian/patches/0003-Fix-httpd-lens.patch
--- augeas-1.2.0/debian/patches/0003-Fix-httpd-lens.patch   1970-01-01 
01:00:00.0 +0100
+++ augeas-1.2.0/debian/patches/0003-Fix-httpd-lens.patch   2015-10-28 
16:50:48.0 +0100
@@ -0,0 +1,13 @@
+Description: fix httpd lens
+Origin: upstream, 
https://github.com/hercules-team/augeas/commit/f99de5dfe072f20f4c2f7c79083c6ddd04aef26c
+Bug-Debian: https://bugs.debian.org/764699
+--- a/lenses/httpd.aug
 b/lenses/httpd.aug
+@@ -91,6 +91,7 @@
+  (incl "/etc/apache2/httpd.conf") .
+  (incl "/etc/apache2/ports.conf") .
+  (incl "/etc/apache2/conf.d/*") .
++ (incl "/etc/apache2/conf-available/*") .
+  (incl "/etc/apache2/mods-available/*") .
+  (incl "/etc/apache2/sites-available/*") .
+  (incl "/etc/httpd/conf.d/*.conf") .
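Review bot: The added `incl` is `/etc/apache2/conf-available/*`, while the request text describes the problem as files under `/etc/apache2/conf-enabled` not being taken into account, and the patch Description (`fix httpd lens`) does not say which path is added or why. The new line matches the neighbouring `mods-available/*` and `sites-available/*` entries, so the choice looks deliberate, but the Description and the changelog entry should name the path and state whether files in `conf-enabled` are expected to be covered through `conf-available`, so a reader does not have to open the upstream commit to check.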
diff -Nru augeas-1.2.0/debian/patches/series augeas-1.2.0/debian/patches/series
--- augeas-1.2.0/debian/patches/series  2014-08-25 18:56:18.0 +0200
+++ augeas-1.2.0/debian/patches/series  2015-10-28 16:50:48.0 +0100
@@ -1,2 +1,3 @@
 0001-Install-vim-addons-into-correct-directory.patch
 0002-Skip-tests-that-need-root-privileges-when-fakeroot-h.patch
+0003-Fix-httpd-lens.patch
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#806247: marked as done (jessie-pu: package dbconfig-common/1.8.47+nmu3+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #806247,
regarding jessie-pu: package dbconfig-common/1.8.47+nmu3+deb8u1
to be marked as done.


-- 
806247: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806247
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie wheezy
User: release.debian@packages.debian.org
Usertags: pu

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Dear Stable Release Managers,

I come to you with this request after discussion with the security
team. Because the issue I describe below only manifests itself upon database
upgrades, which are extremely rare in a stable release, they consider it more
appropriate for a SRU than for a DSA.

Recently a security issue¹ was reported against my package
dbconfig-common. dbconfig-common is a Debian helper package for packages that
require data in a database. The issue is that backups made by dbconfig-common
during updates that involve PostgreSQL databases end up in files that may be
readable by every user on the system (depending on the umask) because file
permissions are not properly enforced. The code sets the umask but only after
the file is created. The fix is simple, move the lines creating the files and
setting the ownership to after the change of the umask (see below the patch for
unstable).

Apart from fixing the issue for creation of new files, the original reporter
was suggesting to fix the permissions of already created files as well. What
would your opinion be on that matter? I haven't created a proper patch for that
yet, but it should simply chmod all the files in
/var/cache/dbconfig-common/backups during installation of dbconfig-common.

I will start to work on a proper debdiff, but I would appreciate knowing whether I
should include the fixing of existing files in it.

Paul
Current maintainer of dbconfig-common

¹ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805638

- --- /usr/share/dbconfig-common/internal/pgsql.orig2014-11-02
21:54:07.0 +0100
+++ /usr/share/dbconfig-common/internal/pgsql   2015-11-21
13:49:04.863637686 +0100
@@ -174,14 +174,14 @@
local extra retval PGSSLMODE localuser _dbc_asuser dumpfile old_umask
dumpfile=$1
localuser=`_dbc_psql_local_username`
- - touch $dumpfile
- - chown $localuser $dumpfile
PGSSLMODE="prefer"
retval=0
_dbc_psql_cmd_setup
if [ "$dbc_ssl" ]; then PGSSLMODE="require"; fi
old_umask=`umask`
umask 0066
+   touch $dumpfile
+   chown $localuser $dumpfile
extra=`_dbc_psql_cmd_args`
extra="-f \"$dumpfile\" $extra"
_dbc_debug "su -s /bin/sh $localuser -c \"env
HOME='$_dbc_pgsql_tmpdir' PGPASSFILE='$_dbc_pgsql_tmpdir/.pgpass'
PGSSLMODE='$PGSSLMODE' pg_dump $extra $dbc_dbname\" 2>&1"
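Review bot: Moving `touch $dumpfile` below `umask 0066` only restricts the mode when `touch` actually creates the file; if `$dumpfile` already exists it keeps whatever mode it had, and the later write reuses it. Add an explicit `chmod 600 "$dumpfile"` after the `touch` (or refuse to reuse an existing file) so the result does not depend on prior state. `$dumpfile` is also unquoted in the `touch` and `chown` lines, while the `-f \"$dumpfile\"` argument further down quotes it.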

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

-END PGP SIGNATURE-
--- End Message ---
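The ordering problem described in the message above, as an added shell example that is not part of the original mail or of dbconfig-common. The helper names, the starting umask of 0022, the scratch directory and the `echo` standing in for the dump are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: shows why the umask has to be set before the file is created,
# and why an already existing file needs an explicit chmod.

# Print a file's permission bits in octal (GNU/busybox stat, BSD as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Ordering described as the bug: the file is created under the caller's
# umask (assumed 0022), and the stricter umask is set only afterwards.
# Writing into the existing file later does not change its mode.
create_then_umask() (
    umask 0022
    touch "$1"
    umask 0066
    echo "dump data" > "$1"   # stand-in for the dump being written
    file_mode "$1"
)

# Ordering after the fix: restrict the umask first, then create the file.
# This only helps when the file does not exist yet.
umask_then_create() (
    umask 0022
    umask 0066
    touch "$1"
    echo "dump data" > "$1"
    file_mode "$1"
)

# Variant that does not depend on prior state: the mode is set explicitly,
# so a file left over from an earlier run is tightened as well.
create_private() (
    umask 0077
    touch "$1" && chmod 0600 "$1" || exit 1
    echo "dump data" > "$1"
    file_mode "$1"
)

# One-off clean-up for files written by the old ordering: drop all group
# and other permissions on every regular file below the given directory.
tighten_existing() {
    find "$1" -type f -exec chmod go-rwx {} +
}

demo() {
    dir=$(mktemp -d) || return 1
    echo "create, then umask:        $(create_then_umask "$dir/a.dump")"
    echo "umask, then create:        $(umask_then_create "$dir/b.dump")"
    echo "umask, then existing file: $(umask_then_create "$dir/a.dump")"
    echo "explicit chmod:            $(create_private "$dir/a.dump")"
    rm -rf "$dir"
}

demo
```

The third line of the demo output is the case the reordering alone does not cover: a file that already exists keeps its old mode unless it is chmod'ed.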
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#806640: marked as done (jessie-pu: package gummi/0.6.5-3+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #806640,
regarding jessie-pu: package gummi/0.6.5-3+deb8u1
to be marked as done.


-- 
806640: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806640
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello release team,

I propose an update of Gummi in Jessie.

The applied patch is a fix of security problem CVE 2015-7758 [1].

The security team marked this issue as minor/no-DSA [2], so I would upload
it to stable as proposed update.

Please see the attached debdiff for details of changes. I've built the
package against stable [3].

Thank you,
Daniel Stender

[1] https://bugs.debian.org/756432

[2] https://security-tracker.debian.org/tracker/source-package/gummi

[3] 
http://www.danielstender.com/buildlogs/gummi_0.6.5-3+deb8u1_amd64-20151129-1811.build

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru gummi-0.6.5/debian/changelog gummi-0.6.5/debian/changelog
--- gummi-0.6.5/debian/changelog	2014-02-10 00:51:22.0 +0100
+++ gummi-0.6.5/debian/changelog	2015-11-29 18:07:36.0 +0100
@@ -1,3 +1,9 @@
+gummi (0.6.5-3+deb8u1) stable; urgency=medium
+
+  * Added no-predictable-tmpfiles.patch, fix of CVE 2015-7758 (Closes: #756432).
+
+ -- Daniel Stender   Sun, 29 Nov 2015 18:07:12 +0100
+
 gummi (0.6.5-3) unstable; urgency=low
 
   * Fix "FTBFS: automake errors":
diff -Nru gummi-0.6.5/debian/patches/no-predictable-tmpfiles.patch gummi-0.6.5/debian/patches/no-predictable-tmpfiles.patch
--- gummi-0.6.5/debian/patches/no-predictable-tmpfiles.patch	1970-01-01 01:00:00.0 +0100
+++ gummi-0.6.5/debian/patches/no-predictable-tmpfiles.patch	2015-11-29 16:30:54.0 +0100
@@ -0,0 +1,39 @@
+Description: don't generate predictable tmpfile names if filename is given
+ Quick fix for CVE-2015-7758 (#756432).
+Author: Daniel Stender 
+Bug: https://bugs.debian.org/756432
+Forwarded: https://github.com/alexandervdm/gummi/issues/20
+Last-Update: 2015-11-29
+
+--- a/src/editor.c
 b/src/editor.c
+@@ -204,10 +204,9 @@
+ gchar* base = g_path_get_basename (filename);
+ gchar* dir = g_path_get_dirname (filename);
+ ec->filename = g_strdup (filename);
+-ec->basename = g_strdup_printf ("%s%c.%s", dir, G_DIR_SEPARATOR, base);
+-ec->workfile = g_strdup_printf ("%s.swp", ec->basename);
+-ec->pdffile =  g_strdup_printf ("%s%c.%s.pdf", C_TMPDIR,
+-   G_DIR_SEPARATOR, base);
++ec->basename = g_strdup (ec->fdname);
++ec->workfile = g_strdup (ec->fdname);
++ec->pdffile =  g_strdup_printf ("%s.pdf", ec->fdname);
+ g_free (base);
+ g_free (dir);
+ } else {
+@@ -237,12 +236,9 @@
+ if (ec->filename) {
+ gchar* dirname = g_path_get_dirname (ec->filename);
+ gchar* basename = g_path_get_basename (ec->filename);
+-auxfile = g_strdup_printf ("%s%c.%s.aux", C_TMPDIR,
+-G_DIR_SEPARATOR, basename);
+-logfile = g_strdup_printf ("%s%c.%s.log", C_TMPDIR,
+-G_DIR_SEPARATOR, basename);
+-syncfile = g_strdup_printf ("%s%c.%s.synctex.gz", C_TMPDIR,
+-G_DIR_SEPARATOR, basename);
++auxfile = g_strdup_printf ("%s.aux", ec->fdname);
++logfile = g_strdup_printf ("%s.log", ec->fdname);
++syncfile = g_strdup_printf ("%s.synctex.gz", ec->fdname);
+ g_free (basename);
+ g_free (dirname);
+ } else {
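Review bot: `ec->pdffile`, `auxfile`, `logfile` and `syncfile` are now formed by appending a fixed suffix to `ec->fdname`, so they are only as unpredictable as `fdname` and are not themselves created exclusively; the patch header should say where `fdname` comes from and how these sibling files are opened, and a private per-document temporary directory would settle the question. In both inner hunks the results of `g_path_get_basename` and `g_path_get_dirname` (`base`, `dir`, `basename`, `dirname`) are still allocated and freed but no longer used, so those calls can go. `ec->workfile` also loses its `.swp` suffix and becomes identical to `ec->basename`, which moves the swap file away from the document's directory; that behaviour change deserves a line in the Description.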
diff -Nru gummi-0.6.5/debian/patches/series gummi-0.6.5/debian/patches/series
--- gummi-0.6.5/debian/patches/series	2014-02-10 00:48:38.0 +0100
+++ gummi-0.6.5/debian/patches/series	2015-11-29 16:31:22.0 +0100
@@ -1,3 +1,4 @@
 gummi.desktop.patch
 automake-subdirs.patch
 libgthread-2.0_link.patch
+no-predictable-tmpfiles.patch
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#806338: marked as done (jessie-pu: package libiptables-parse-perl/1.1-1+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #806338,
regarding jessie-pu: package libiptables-parse-perl/1.1-1+deb8u1
to be marked as done.


-- 
806338: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806338
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi

libiptables-parse-perl uses temporary files in an unsafe way, this was
assigned CVE-2015-8326 and already fixed in unstable with the 1.6-1
upload.

Attached is a debdiff to fix this issue for jessie. Can you consider
accepting it for the next jessie point release?

Regards,
Salvatore

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru libiptables-parse-perl-1.1/debian/changelog libiptables-parse-perl-1.1/debian/changelog
--- libiptables-parse-perl-1.1/debian/changelog	2012-03-05 21:36:00.0 +0100
+++ libiptables-parse-perl-1.1/debian/changelog	2015-11-26 17:40:19.0 +0100
@@ -1,3 +1,11 @@
+libiptables-parse-perl (1.1-1+deb8u1) jessie; urgency=medium
+
+  * Team upload.
+  * Add CVE-2015-8326.patch patch.
+CVE-2015-8326: Use of predictable names for temporary files.
+
+ -- Salvatore Bonaccorso   Thu, 26 Nov 2015 17:39:36 +0100
+
 libiptables-parse-perl (1.1-1) unstable; urgency=low
 
   * Imported Upstream version 1.1
diff -Nru libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch
--- libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch	1970-01-01 01:00:00.0 +0100
+++ libiptables-parse-perl-1.1/debian/patches/CVE-2015-8326.patch	2015-11-26 17:40:19.0 +0100
@@ -0,0 +1,46 @@
+Description: Don't use predictable names for temporary files
+ This allows an attacker on a multi-user system to set up symlinks to
+ overwrite any file the current user has write access to.
+ .
+ Don't recommend users of this module to use predictable names either.
+Origin: backport, https://github.com/mtrmac/IPTables-Parse/commit/b400b976d81140f6971132e94eb7657b5b0a2b87
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1267962
+Forwarded: not-needed
+Author: Salvatore Bonaccorso 
+Last-Update: 2015-11-26
+Applied-Upstream: 1.6
+
+---
+ lib/IPTables/Parse.pm | 7 +++
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/lib/IPTables/Parse.pm
 b/lib/IPTables/Parse.pm
+@@ -17,6 +17,7 @@ package IPTables::Parse;
+ use 5.006;
+ use POSIX ":sys_wait_h";
+ use Carp;
++use File::Temp;
+ use strict;
+ use warnings;
+ use vars qw($VERSION);
+@@ -29,8 +30,8 @@ sub new() {
+ 
+ my $self = {
+ _iptables => $args{'iptables'} || $args{'ip6tables'} || '/sbin/iptables',
+-_iptout=> $args{'iptout'}|| '/tmp/ipt.out',
+-_ipterr=> $args{'ipterr'}|| '/tmp/ipt.err',
++_iptout=> $args{'iptout'}|| mktemp('/tmp/ipt.out.XX'),
++_ipterr=> $args{'ipterr'}|| mktemp('/tmp/ipt.err.XX'),
+ _ipt_alarm => $args{'ipt_alarm'} || 30,
+ _debug => $args{'debug'} || 0,
+ _verbose   => $args{'verbose'}   || 0,
+@@ -701,8 +702,6 @@ IPTables::Parse - Perl extension for par
+ 
+   my %opts = (
+   'iptables' => $ipt_bin,
+-  'iptout'   => '/tmp/iptables.out',
+-  'ipterr'   => '/tmp/iptables.err',
+   'debug'=> 0,
+   'verbose'  => 0
+   );
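Review bot: In `new()`, `mktemp()` from File::Temp only returns a filename; it does not create or open the file, so a window remains between choosing the name and the first write to `_iptout` or `_ipterr`. Use `tempfile()` or `File::Temp->new`, which open the file exclusively, and keep the handle, or put both files in a directory obtained from `tempdir()`. Dropping the `/tmp/iptables.out` example from the POD is a good change, but caller-supplied `iptout` and `ipterr` paths are still used as given, which is worth a sentence in the documentation.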
diff -Nru libiptables-parse-perl-1.1/debian/patches/series libiptables-parse-perl-1.1/debian/patches/series
--- libiptables-parse-perl-1.1/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ libiptables-parse-perl-1.1/debian/patches/series	2015-11-26 17:40:19.0 +0100
@@ -0,0 +1 @@
+CVE-2015-8326.patch
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#806529: marked as done (jessie-pu: package apache2/2.4.10-10+deb8u4)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #806529,
regarding jessie-pu: package apache2/2.4.10-10+deb8u4
to be marked as done.


-- 
806529: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806529
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

please review apache2/2.4.10-10+deb8u4 for inclusion in s-p-u. It
includes a fixed version of the deferred mpm switch patch that was
pulled from the last s-p-u upload due to a bug. It also fixes some other
annoying but easy to fix issues.

Changelog:

 * Add versioned replaces/breaks for libapache2-mod-macro to apache2,
   for the config files in /etc. Closes: #806326
 * Fix split-logfile to work with current perl. Closes: #803472
 * Fix tests on deferred mpm switch. Add special casing for mpm_itk,
   which is not an mpm anymore, despite the name. Closes: #789914
   Closes: #791902
 * Fix secondary-init-script to not source the main init script with
   'set -e'. Closes: #803177

Debdiff is attached.

Cheers,
Stefan
diff -Nru apache2-2.4.10/debian/a2enmod apache2-2.4.10/debian/a2enmod
--- apache2-2.4.10/debian/a2enmod	2015-08-27 23:03:43.0 +0200
+++ apache2-2.4.10/debian/a2enmod	2015-11-28 14:08:16.0 +0100
@@ -430,7 +430,7 @@
 if ( $? != 0 ) {
 
 # config doesn't work
-if ( -e "$enabldir/mpm_prefork.load" || -e "$enabldir/mpm_itk.load" )
+if ( -e "$enabldir/mpm_prefork.load" )
 {
 return 0;
 }
diff -Nru apache2-2.4.10/debian/a2query.in apache2-2.4.10/debian/a2query.in
--- apache2-2.4.10/debian/a2query.in	2015-08-07 23:33:37.0 +0200
+++ apache2-2.4.10/debian/a2query.in	2015-11-28 14:07:43.0 +0100
@@ -209,10 +209,10 @@
 		my $file = $_;
 		next if $file !~ m/\.load$/;
 		$file =~ s/\.load//;
-		if ($file =~ /mpm_(\w+)/ && $file ne 'mpm_itk')
+		if ($file =~ /mpm_(?:event|worker|prefork)/)
 		{
 			$MPM = $1 if $MPM eq 'invalid';
-			if(grep { $_ =~ m/^mpm_/ } @MODULES)
+			if(grep { $_ =~ m/^mpm_(?:event|worker|prefork)/ } @MODULES)
 			{
 fail("There is more than one MPM loaded. Do not proceed due to undefined results", 1);
 			}
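Review bot: The new test `$file =~ /mpm_(?:event|worker|prefork)/` uses a non-capturing group, but the next line still assigns `$MPM = $1`; this match no longer sets `$1`, so `$MPM` does not receive the MPM name. Make the group capturing and anchor it, for example `/^mpm_(event|worker|prefork)$/`, so that names merely containing one of these strings are not counted. The same anchoring applies to the `grep` over `@MODULES`.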
diff -Nru apache2-2.4.10/debian/apache2.postinst apache2-2.4.10/debian/apache2.postinst
--- apache2-2.4.10/debian/apache2.postinst	2015-08-28 18:11:59.0 +0200
+++ apache2-2.4.10/debian/apache2.postinst	2015-11-28 14:08:41.0 +0100
@@ -432,21 +432,21 @@
 			esac
 			;;
 		apache2_switch_mpm)
-			local MPM="mpm_$ARG1"
-			local CUR_MPM="$(ls /etc/apache2/mods-enabled/mpm_*.load)"
+			local MPM="$ARG1"
+			local CUR_MPM="$(ls /etc/apache2/mods-enabled/mpm_*.load | grep -e event -e prefork -e worker)"
 			CUR_MPM="${CUR_MPM##*/mpm_}"
 			CUR_MPM="${CUR_MPM%.load}"
-			if [ ! -e /etc/apache2/mods-available/$MPM.load ] ; then
-msg "error" "$MPM not found in 'apache2_switch_mpm $ARG1' for package $PACKAGE"
+			if [ ! -e /etc/apache2/mods-available/mpm_$MPM.load ] ; then
+msg "error" "mpm $MPM not found in 'apache2_switch_mpm $ARG1' for package $PACKAGE"
 error=true
-			elif [ ! -e /etc/apache2/mods-enabled/$MPM.load ] ; then
-msg "info" "$MPM: No action required"
+			elif [ -e /etc/apache2/mods-enabled/mpm_$MPM.load ] ; then
+msg "info" "Switch to mpm $MPM for package $PACKAGE: No action required"
 			else
-msg "info" "Switch to $MPM for package $PACKAGE"
+msg "info" "Switch to mpm $MPM for package $PACKAGE"
 if ! a2dismod -m -q "mpm_$CUR_MPM" ||
    ! a2enmod -m -q "mpm_$MPM"
 then
-	msg "error" "Switching to $MPM failed"
+	msg "error" "Switching to mpm $MPM failed"
 	error=true
 fi
 			fi
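Review bot: `CUR_MPM` is derived with `ls /etc/apache2/mods-enabled/mpm_*.load | grep -e event -e prefork -e worker`, which matches those strings anywhere in the path and yields several lines if more than one file matches; the `##*/mpm_` and `%.load` trimming then no longer produces a single module name for `a2dismod`. Test the three names explicitly, for instance a loop over `event prefork worker` with `[ -e "/etc/apache2/mods-enabled/mpm_$m.load" ]`, and handle the case where none is enabled. The `mpm_$MPM.load` paths in the two `-e` tests should be quoted as well.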
diff -Nru apache2-2.4.10/debian/changelog apache2-2.4.10/debian/changelog
--- apache2-2.4.10/debian/changelog	2015-08-28 18:26:05.0 +0200
+++ apache2-2.4.10/debian/changelog	2015-11-28 15:02:23.0 +0100
@@ -1,3 +1,16 @@
+apache2 (2.4.10-10+deb8u4) jessie; urgency=medium
+
+  * Add versioned replaces/breaks for libapache2-mod-macro to apache2,
+for the config files in /etc. Closes: #806326
+  * Fix split-logfile to work with current perl. Closes: #803472
+  * Fix tests on deferred mpm switch. Add special casing for mpm_itk,
+which is not an mpm anymore, despite the name. Closes: #789914
+Closes: #791902
+  * Fix secondary-init-script to not source the main init script with

Bug#807140: marked as done (jessie-pu: package madfuload/1.2-4+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #807140,
regarding jessie-pu: package madfuload/1.2-4+deb8u1
to be marked as done.


-- 
807140: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807140
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

madfuload FTBFS in jessie due to automake 1.14. Switching from
'autoreconf -f' to 'autoreconf -fi' is sufficient to install the missing
file.

(Note to self: package in non-free, no autobuilding support, needs
binary upload for i386 and amd64)


Andreas
diff -u madfuload-1.2/debian/rules madfuload-1.2/debian/rules
--- madfuload-1.2/debian/rules
+++ madfuload-1.2/debian/rules
@@ -5,3 +5,3 @@
 override_dh_auto_configure:
-	autoreconf -f
+	autoreconf -fi
 	dh_auto_configure -- --with-udev=/lib/udev
diff -u madfuload-1.2/debian/changelog madfuload-1.2/debian/changelog
--- madfuload-1.2/debian/changelog
+++ madfuload-1.2/debian/changelog
@@ -1,3 +1,10 @@
+madfuload (1.2-4+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Use autoreconf -fi to fix FTBFS with automake 1.14.  (Closes: #793190)
+
+ -- Andreas Beckmann   Sat, 05 Dec 2015 23:19:42 +0100
+
 madfuload (1.2-4) unstable; urgency=low
 
   * Imported changes from Ubuntu 1.2-2ubuntu3~karmic~ppa2 (Closes: #547336,
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#807129: marked as done (jessie-pu: package flash-kernel/3.35+deb8u2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #807129,
regarding jessie-pu: package flash-kernel/3.35+deb8u2
to be marked as done.


-- 
807129: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807129
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

[ X-D-Cc: debian-b...@lists.debian.org ]

Hi,

We'd like to fix #791794 in stable, that is a possible hang when a given
script is running under d-i. The fix widens the DEBIAN_FRONTEND check to
avoid waiting for Ctrl-C (initially only when non-interactive is used,
now if any debconf frontend is in use). The fix reached testing some
weeks ago, and Ian is rather confident. See the few mails under this:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791794#105

Changelog entry:
| flash-kernel (3.35+deb8u2) stable; urgency=medium
| 
|   [ Ian Campbell ]
|   * Avoid waiting for Ctrl-C if any debconf frontend is in use, not just
| non-interactive. (Closes: #791794)
| 
|  -- Cyril Brulebois   Sat, 05 Dec 2015 19:16:33 +0100

Thanks for your time.

Mraw,
KiBi.
diff -Nru flash-kernel-3.35+deb8u1/debian/changelog flash-kernel-3.35+deb8u2/debian/changelog
--- flash-kernel-3.35+deb8u1/debian/changelog	2015-06-17 09:22:41.0 +0200
+++ flash-kernel-3.35+deb8u2/debian/changelog	2015-12-05 19:16:35.0 +0100
@@ -1,3 +1,11 @@
+flash-kernel (3.35+deb8u2) stable; urgency=medium
+
+  [ Ian Campbell ]
+  * Avoid waiting for Ctrl-C if any debconf frontend is in use, not just
+non-interactive. (Closes: #791794)
+
+ -- Cyril Brulebois   Sat, 05 Dec 2015 19:16:33 +0100
+
 flash-kernel (3.35+deb8u1) stable; urgency=medium
 
   * Combine i.MX53 QSB and LOCO board entries, they are the same thing and the
diff -Nru flash-kernel-3.35+deb8u1/initramfs-tools/hooks/flash_kernel_set_root flash-kernel-3.35+deb8u2/initramfs-tools/hooks/flash_kernel_set_root
--- flash-kernel-3.35+deb8u1/initramfs-tools/hooks/flash_kernel_set_root	2015-06-17 09:22:41.0 +0200
+++ flash-kernel-3.35+deb8u2/initramfs-tools/hooks/flash_kernel_set_root	2015-12-05 19:15:53.0 +0100
@@ -34,7 +34,7 @@
 	# If debconf appears to be running then it is important that
 	# we do not block on stdin since this would hang the
 	# installer.
-	if [ "$DEBIAN_HAS_FRONTEND" ] || [ "$DEBIAN_FRONTEND" = "noninteractive" ]; then
+	if [ "$DEBIAN_HAS_FRONTEND" ] || [ "$DEBIAN_FRONTEND" ]; then
 		echo "Unable to abort; system will probably be broken!" >&2
 	else
 		echo "Press Ctrl-C to abort build, or Enter to continue" >&2
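Review bot: `[ "$DEBIAN_FRONTEND" ]` on the changed line is true for any non-empty value, so a shell where an administrator has exported DEBIAN_FRONTEND=readline or DEBIAN_FRONTEND=dialog also loses the "Press Ctrl-C to abort build" prompt and takes the "Unable to abort; system will probably be broken!" branch. If that is the intent, the comment above the test should say that any DEBIAN_FRONTEND setting is treated as debconf running. Writing the test as `[ -n "$DEBIAN_FRONTEND" ]` would also make the intent explicit.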
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#807515: marked as done (jessie-pu: package debian-handbook/8.20151209~deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #807515,
regarding jessie-pu: package debian-handbook/8.20151209~deb8u1
to be marked as done.


-- 
807515: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807515
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I would like to update the Debian Administrator's Handbook in jessie
so that it documents jessie instead of wheezy. We finished the update
about a month ago and basically I'd like to upload a copy of what's
in unstable (just uploaded 8.20151209 a few minutes ago) into jessie.

I don't post any debdiff as it would be really huge and it doesn't
add much value. This is a plain documentation package.

I would just add a new changelog entry just like for a backport
and rebuild it for jessie.

Can I upload the package?

Compared to the current version in jessie, we now ship all translations
(only in HTML form) so the new package is significantly larger.

Cheers,
  Raphaël.
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#807280: marked as done (jessie-pu: package keepassx/0.4.3+dfsg-0.1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #807280,
regarding jessie-pu: package keepassx/0.4.3+dfsg-0.1
to be marked as done.


-- 
807280: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807280
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

I'm writing you to request approving my recent upload of
keepassx_0.4.3+dfsg-0.1+deb8u1. This update addresses
CVE-2015-8378/#791858. I'm copying Moritz, since he asked me to prepare
an upload to stable (I've already uploaded keepassx_0.4.3+dfsg-1, which
also has a fix for this included, to unstable).

Thanks,
Reinhard

-- System Information:
Debian Release: jessie/sid
  APT prefers vivid-updates
  APT policy: (500, 'vivid-updates'), (500, 'vivid-security'), (500, 'vivid')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-33-generic (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#807489: marked as done (jessie-pu: package nvidia-graphics-modules/340.96+3.16.0+1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #807489,
regarding jessie-pu: package nvidia-graphics-modules/340.96+3.16.0+1
to be marked as done.


-- 
807489: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807489
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This is just a rebuild of nvidia-graphics-modules against the new
nvidia-graphics-drivers 340.96-1.


Andreas
diff -Nru nvidia-graphics-modules-340.93+3.16.0+1/debian/changelog nvidia-graphics-modules-340.96+3.16.0+1/debian/changelog
--- nvidia-graphics-modules-340.93+3.16.0+1/debian/changelog	2015-11-07 21:19:17.0 +0100
+++ nvidia-graphics-modules-340.96+3.16.0+1/debian/changelog	2015-12-09 14:23:39.0 +0100
@@ -1,3 +1,10 @@
+nvidia-graphics-modules (340.96+3.16.0+1) jessie; urgency=medium
+
+  * Use nvidia-kernel-source 340.96.
+  * Upload to jessie.
+
+ -- Andreas Beckmann   Wed, 09 Dec 2015 14:22:48 +0100
+
 nvidia-graphics-modules (340.93+3.16.0+1) jessie; urgency=medium
 
   * Use nvidia-kernel-source 340.93.
diff -Nru nvidia-graphics-modules-340.93+3.16.0+1/debian/control nvidia-graphics-modules-340.96+3.16.0+1/debian/control
--- nvidia-graphics-modules-340.93+3.16.0+1/debian/control	2015-11-07 21:19:17.0 +0100
+++ nvidia-graphics-modules-340.96+3.16.0+1/debian/control	2015-12-09 14:23:39.0 +0100
@@ -8,7 +8,7 @@
  Vincent Cheng 
 Build-Depends: debhelper (>= 9),
  linux-headers-3.16.0-4-amd64 [i386 amd64], linux-headers-3.16.0-4-586 [i386], linux-headers-3.16.0-4-686-pae [i386],
- nvidia-kernel-source (>= 340.93), nvidia-kernel-source (<< 340.93.~),
+ nvidia-kernel-source (>= 340.96), nvidia-kernel-source (<< 340.96.~),
 Standards-Version: 3.9.6
 Homepage: http://www.nvidia.com/
 Vcs-Git: git://anonscm.debian.org/pkg-nvidia/nvidia-graphics-modules.git -b jessie
@@ -18,7 +18,7 @@
 Package: nvidia-kernel-dummy
 Architecture: amd64
 Priority: extra
-Depends: nvidia-kernel-source (>= 340.93), ${misc:Depends}
+Depends: nvidia-kernel-source (>= 340.96), ${misc:Depends}
 Description: NVIDIA kernel module for Linux (dummy package)
  This dummy package exists solely to ensure that the prebuilt modules do not
  migrate to testing before the corresponding driver is available. Nothing is
@@ -39,7 +39,7 @@
 
 Package: nvidia-kernel-amd64
 Architecture: i386 amd64
-Depends: ${misc:Depends}, nvidia-kernel-3.16.0-4-amd64 (>= 340.93)
+Depends: ${misc:Depends}, nvidia-kernel-3.16.0-4-amd64 (>= 340.96)
 Conflicts: nvidia-kernel-2.6-amd64
 Replaces: nvidia-kernel-2.6-amd64
 Description: NVIDIA kernel module for Linux (amd64 flavor)
@@ -57,7 +57,7 @@
 
 Package: nvidia-kernel-586
 Architecture: i386
-Depends: ${misc:Depends}, nvidia-kernel-3.16.0-4-586 (>= 340.93)
+Depends: ${misc:Depends}, nvidia-kernel-3.16.0-4-586 (>= 340.96)
 Conflicts: nvidia-kernel-2.6-586
 Replaces: nvidia-kernel-2.6-586
 Description: NVIDIA kernel module for Linux (586 flavor)
@@ -75,7 +75,7 @@
 
 Package: nvidia-kernel-686-pae
 Architecture: i386
-Depends: ${misc:Depends}, nvidia-kernel-3.16.0-4-686-pae (>= 340.93)
+Depends: ${misc:Depends}, nvidia-kernel-3.16.0-4-686-pae (>= 340.96)
 Conflicts: nvidia-kernel-2.6-686-pae
 Replaces: nvidia-kernel-2.6-686-pae
 Description: NVIDIA kernel module for Linux (686-pae flavor)
diff -Nru nvidia-graphics-modules-340.93+3.16.0+1/debian/control.md5sum nvidia-graphics-modules-340.96+3.16.0+1/debian/control.md5sum
--- nvidia-graphics-modules-340.93+3.16.0+1/debian/control.md5sum	2015-11-07 21:19:17.0 +0100
+++ nvidia-graphics-modules-340.96+3.16.0+1/debian/control.md5sum	2015-12-09 14:23:39.0 +0100
@@ -1,7 +1,7 @@
-6cd7d7bfdcb70e9bce467762de30ba92  debian/control
+c1e0284ab90035ad346ff9ae821183b4  debian/control
 cebaad312eecf5eb135ccc2acc8525aa  debian/control.source
 fffd77960b50d626b720a23ee441a9ed  debian/control.flavor
 3fb001417b44d7fcc3af963390d49a9f  debian/rules
 11f3f9885d447eb0c3968882ecd33c68  debian/rules.defs
-#UPSTREAM_VERSION=340.93#
+#UPSTREAM_VERSION=340.96#
 #KERNEL_VERSION=3.16.0-4#
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#807467: marked as done (jessie-pu: package libapache-mod-fastcgi/2.4.7~0910052141-1.1+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #807467,
regarding jessie-pu: package libapache-mod-fastcgi/2.4.7~0910052141-1.1+deb8u1
to be marked as done.


-- 
807467: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807467
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

libapache-mod-fastcgi FTBFS in jessie due to missing libtool.
The fix is trivial: switching B-D from libtool to libtool-bin.


Andreas

(Note to self: non-free package, upload amd64+i386 binaries)
diff -u libapache-mod-fastcgi-2.4.7~0910052141/debian/control libapache-mod-fastcgi-2.4.7~0910052141/debian/control
--- libapache-mod-fastcgi-2.4.7~0910052141/debian/control
+++ libapache-mod-fastcgi-2.4.7~0910052141/debian/control
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Tatsuki Sugiura 
 Standards-Version: 3.9.1
-Build-Depends: debhelper (>> 5.0.0), cdbs, dh-apache2, apache2-dev (>= 2.2.4), dpatch (>= 2.0.0), libtool, libapr1-dev, pkg-config
+Build-Depends: debhelper (>> 5.0.0), cdbs, dh-apache2, apache2-dev (>= 2.2.4), dpatch (>= 2.0.0), libtool-bin, libapr1-dev, pkg-config
 Uploaders: Taku YASUI 
 Homepage: http://www.fastcgi.com/
 
diff -u libapache-mod-fastcgi-2.4.7~0910052141/debian/changelog libapache-mod-fastcgi-2.4.7~0910052141/debian/changelog
--- libapache-mod-fastcgi-2.4.7~0910052141/debian/changelog
+++ libapache-mod-fastcgi-2.4.7~0910052141/debian/changelog
@@ -1,3 +1,10 @@
+libapache-mod-fastcgi (2.4.7~0910052141-1.1+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Switch B-D from libtool to libtool-bin to fix FTBFS.  (Closes: #793189)
+
+ -- Andreas Beckmann   Wed, 09 Dec 2015 06:55:41 +0100
+
 libapache-mod-fastcgi (2.4.7~0910052141-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#807142: marked as done (jessie-pu: package linux-tools/3.16.7-ckt20-1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #807142,
regarding jessie-pu: package linux-tools/3.16.7-ckt20-1
to be marked as done.


-- 
807142: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807142
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This version of linux-tools adds a new binary package (hyperv-daemons)
containing programs built from the previously-unused tools/hv
directory.  This will improve support for running Debian as a Hyper-V
guest.  Many upstream bug fixes to these programs are applied as
patches.

It also includes some bug fixes to the perf tool and the module
building tools from the 3.16-ckt stable branch, as listed in the
changelog.

Finally, the rules and control file have been updated to work with the
kernel team's git repository.

The debdiff is below.  I've excluded upstream changes to these files
which I believe are unused in this source package:

- arch/*/Makefile
- arch/*/include/asm/cacheflush.h
- arch/*/include/asm/elf.h
- arch/*/include/asm/kvm*.h
- arch/*/include/asm/mmu_context.h
- arch/*/include/asm/pgtable*.h
- arch/*/include/asm/ptrace.h
- arch/*/include/asm/suspend.h
- arch/*/include/asm/thread_info.h
- arch/arc/**
- arch/arm/include/asm/tls.h
- arch/arm/include/asm/unistd.h
- arch/arm/include/asm/xen/page.h
- arch/arm64/include/asm/arch_timer.h
- arch/arm64/include/asm/compat.h
- arch/arm64/include/asm/cputype.h
- arch/arm64/include/asm/hw_breakpoint.h
- arch/arm64/include/asm/hwcap.h
- arch/arm64/include/asm/tlbflush.h
- arch/m68k/**
- arch/metag/**
- arch/mips/include/asm/asm-eva.h
- arch/mips/include/asm/asmmacro.h
- arch/mips/include/asm/eva.h
- arch/mips/include/asm/ftrace.h
- arch/mips/include/asm/mach-**
- arch/mips/include/asm/mipsregs.h
- arch/mips/include/asm/r4kcache.h
- arch/mips/include/asm/reg.h
- arch/mips/include/asm/stackframe.h
- arch/mips/include/asm/syscall.h
- arch/mips/include/asm/uaccess.h
- arch/parisc/**
- arch/powerpc/include/asm/iommu.h
- arch/powerpc/include/asm/machdep.h
- arch/powerpc/include/asm/pte-hash64-64k.h
- arch/powerpc/include/asm/reg.h
- arch/powerpc/include/asm/rtas.h
- arch/powerpc/include/asm/spinlock.h
- arch/sh/**
- arch/sparc/**
- arch/unicore32/**
- arch/x86/include/asm/desc.h
- arch/x86/include/asm/efi.h
- arch/x86/include/asm/fixmap.h
- arch/x86/include/asm/fpu-internal.h
- arch/x86/include/asm/mmu.h
- arch/x86/include/asm/mwait.h
- arch/x86/include/asm/page_*_types.h
- arch/x86/include/asm/preempt.h
- arch/x86/include/asm/pvclock.h
- arch/x86/include/asm/segment.h
- arch/x86/include/asm/traps.h
- arch/x86/include/asm/vga.h
- arch/x86/include/asm/vsyscall.h
- arch/x86/include/asm/xen/page.h
- arch/xtensa/**
- include/acpi/**
- include/asm-generic/preempt.h
- include/asm-generic/sections.h
- include/drm/**
- include/dt-bindings/**
- include/kvm/**
- include/linux/acpi.h
- include/linux/audit.h
- include/linux/bitops.h
- include/linux/blkdev.h
- include/linux/blk_types.h
- include/linux/bootmem.h
- include/linux/buffer_head.h
- include/linux/capability.h
- include/linux/ccp.h
- include/linux/clk-provider.h
- include/linux/clocksource.h
- include/linux/cpuidle.h
- include/linux/crash_dump.h
- include/linux/cred.h
- include/linux/crypto.h
- include/linux/dcache.h
- include/linux/device-mapper.h
- include/linux/efi.h
- include/linux/etherdevice.h
- include/linux/fs.h
- include/linux/fsl_devices.h
- include/linux/fsnotify*.h
- include/linux/fsnotify.h
- include/linux/ftrace.h
- include/linux/hid.h
- include/linux/hugetlb.h
- include/linux/if_vlan.h
- include/linux/iio/*
- include/linux/inetdevice.h
- include/linux/jbd2.h
- include/linux/jhash.h
- include/linux/jiffies.h
- include/linux/kernel_stat.h
- include/linux/kernfs.h
- include/linux/kgdb.h
- include/linux/khugepaged.h
- include/linux/libata.h
- include/linux/memory.h
- include/linux/mm.h
- include/linux/mount.h
- include/linux/mtd/*
- include/linux/netdevice.h
- include/linux/netlink.h
- include/linux/nfs_*.h
- include/linux/nilfs2_fs.h
- include/linux/of.h
- include/linux/oom.h
- include/linux/pagemap.h
- include/linux/pci.h
- include/linux/pci_ids.h
- include/linux/perf_event.h
- include/linux/power/charger-manager.h
- include/linux/preempt*.h
- include/linux/pstore_ram.h
- include/linux/quota*.h
- include/linux/ring_buffer.h
- include/linux/rmap.h
- include/linux/

Bug#807612: marked as done (jessie-pu: package rsyslog/8.4.2-1+deb8u2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #807612,
regarding jessie-pu: package rsyslog/8.4.2-1+deb8u2
to be marked as done.


-- 
807612: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807612
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to make a stable upload for rsyslog in jessie to fix a bug in
the imfile module. If more than one file is monitored, rsyslog segfaults
when using the inotify backend (which is used by default).

This issue has been fixed upstream and the fixed version is in
sid/stretch for quite a while.

In http://bugs.debian.org/770998 I was asked if I can pull this fix for
stable.

I cherry-picked the upstream commit and I could confirm that this fixes
the segfault.
Complete debdiff is attached.

Please let me know if I can proceed with the upload so this fix can make
it into 8.3.

Regards,
Michael


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 0b01623..f9a8ae8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+rsyslog (8.4.2-1+deb8u2) jessie; urgency=medium
+
+  * Fix crash in imfile module when using inotify mode.
+Patch cherry-picked from upstream Git. (Closes: #770998)
+
+ -- Michael Biebl   Thu, 10 Dec 2015 22:20:45 +0100
+
 rsyslog (8.4.2-1+deb8u1) jessie; urgency=medium
 
   * Disable transactions in ompgsql as they were not working properly.
diff --git a/debian/patches/0003-bugfix-imfile-segfault-on-startup-in-inotify-mode.patch b/debian/patches/0003-bugfix-imfile-segfault-on-startup-in-inotify-mode.patch
new file mode 100644
index 000..baae04b
--- /dev/null
+++ b/debian/patches/0003-bugfix-imfile-segfault-on-startup-in-inotify-mode.patch
@@ -0,0 +1,24 @@
+From: Rainer Gerhards 
+Date: Thu, 9 Oct 2014 08:22:39 +0200
+Subject: bugfix imfile: segfault on startup in "inotify" mode
+
+A segfault happened when more than one file was monitored.
+
+(cherry-picked from commit 8bf43525fe1bf08fd542ad054c987ccf7c97616c)
+---
+ plugins/imfile/imfile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
+index d37cb03..1dde52f 100644
+--- a/plugins/imfile/imfile.c
 b/plugins/imfile/imfile.c
+@@ -1093,7 +1093,7 @@ dirsAddFile(int i)
+ 
+ 	if(dir->currMaxFiles == dir->allocMaxFiles) {
+ 		newMax = 2 * allocMaxFiles;
+-		newFileTab = realloc(dirs, newMax * sizeof(dirInfoFiles_t));
++		newFileTab = realloc(dirs->files, newMax * sizeof(dirInfoFiles_t));
+ 		if(newFileTab == NULL) {
+ 			errmsg.LogError(0, RS_RET_OUT_OF_MEMORY,
+ 	"cannot alloc memory to map directory '%s' file relationship "
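Review bot: In the embedded imfile.c hunk the full-table test reads `dir->currMaxFiles == dir->allocMaxFiles`, but the next two lines compute `newMax` from a bare `allocMaxFiles` and pass `dirs->files` to `realloc`. Please confirm that `dirs->files` is the table belonging to `dir` rather than the first element of the directory array, and that `allocMaxFiles` is the same counter as `dir->allocMaxFiles`. If they differ, growing the table of a second directory resizes the wrong allocation. Writing `dir->files` and `2 * dir->allocMaxFiles` would make the three lines agree with the test above them.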
diff --git a/debian/patches/series b/debian/patches/series
index 8351e07..b0c49c1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 0001-Don-t-create-a-database.patch
 0002-bugfix-ompgsql-transaction-were-improperly-handled.patch
+0003-bugfix-imfile-segfault-on-startup-in-inotify-mode.patch
--- End Message ---
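The table-growth step behind the crash described in the request above, as an added example that is not rsyslog's code: a per-directory file table doubled with `realloc`, where the pointer handed to `realloc` is the table that is full. The names `file_ref_t`, `dir_info_t`, `dir_add_file` and `demo_two_dirs`, and the sample paths, are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for a per-directory file table; these are not
 * rsyslog's types, only the fields the growth path needs. */
typedef struct {
    int fileIdx;
    int refcnt;
} file_ref_t;

typedef struct {
    const char *name;
    file_ref_t *files;     /* this directory's table, grown on demand */
    size_t currMaxFiles;   /* entries in use */
    size_t allocMaxFiles;  /* entries allocated */
} dir_info_t;

/* Append fileIdx to dir's table, doubling the table when it is full.
 * Returns 0 on success and -1 on size overflow or allocation failure;
 * on failure the old table is untouched and still owned by dir. */
int dir_add_file(dir_info_t *dir, int fileIdx)
{
    if (dir->currMaxFiles == dir->allocMaxFiles) {
        size_t newMax = dir->allocMaxFiles ? 2 * dir->allocMaxFiles : 4;

        /* Reject a wrapped element count or byte count. */
        if (newMax <= dir->allocMaxFiles ||
            newMax > SIZE_MAX / sizeof(file_ref_t))
            return -1;

        /* The block handed to realloc must be the table that is full
         * (dir->files). Handing it a different allocation, such as the
         * array of directories, resizes the wrong block and leaves
         * dir->files pointing at a table that never grew. */
        file_ref_t *newTab = realloc(dir->files, newMax * sizeof(file_ref_t));
        if (newTab == NULL)
            return -1;

        dir->files = newTab;
        dir->allocMaxFiles = newMax;
    }

    dir->files[dir->currMaxFiles].fileIdx = fileIdx;
    dir->files[dir->currMaxFiles].refcnt = 1;
    dir->currMaxFiles++;
    return 0;
}

/* Fill two directories past their initial capacity, interleaved, and
 * count entries that do not hold the value that was stored. */
int demo_two_dirs(void)
{
    dir_info_t dirs[2] = {
        { "/var/log/app1", NULL, 0, 0 },   /* constructed sample paths */
        { "/var/log/app2", NULL, 0, 0 },
    };
    int mismatches = 0;

    for (int i = 0; i < 20; i++) {
        if (dir_add_file(&dirs[i % 2], i) != 0)
            return -1;
    }
    for (int d = 0; d < 2; d++) {
        for (size_t k = 0; k < dirs[d].currMaxFiles; k++) {
            if (dirs[d].files[k].fileIdx != (int)(2 * k) + d)
                mismatches++;
        }
        free(dirs[d].files);
    }
    return mismatches;
}

int main(void)
{
    printf("mismatches: %d\n", demo_two_dirs());
    return 0;
}
```

Building this with `-fsanitize=address` and swapping the `realloc` argument for another allocation is a quick way to see the class of error the one-line fix addresses.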
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#807576: marked as done (jessie-pu: package arb/6.0.2-1+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #807576,
regarding jessie-pu: package arb/6.0.2-1+deb8u1
to be marked as done.


-- 
807576: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807576
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

arb FTBFS in jessie due to an overly strict gcc version check: arb only
knows about versions up to 4.9.1 while jessie has 4.9.2. For sid the
version check has been disabled, a change I'd like to backport to
jessie.

debdiff is attached. The maintainer Andreas Tille has acked the patch
and will perform a maintainer upload, so you won't see the "NMU" bits in
the uploaded package.


Andreas
diff -Nru arb-6.0.2/debian/changelog arb-6.0.2/debian/changelog
--- arb-6.0.2/debian/changelog	2014-09-09 09:12:14.0 +0200
+++ arb-6.0.2/debian/changelog	2015-12-09 07:32:10.0 +0100
@@ -1,3 +1,14 @@
+arb (6.0.2-1+deb8u1) jessie; urgency=medium
+
+  [ Andreas Beckmann ]
+  * Non-maintainer upload.
+
+  [ Andreas Tille ]
+  * Skip compiler version check at all
+Closes: #793187
+
+ -- Andreas Beckmann   Wed, 09 Dec 2015 07:30:47 +0100
+
 arb (6.0.2-1) unstable; urgency=medium
 
   [ Andreas Tille ]
diff -Nru arb-6.0.2/debian/patches/70_skip_compler_version_check.patch arb-6.0.2/debian/patches/70_skip_compler_version_check.patch
--- arb-6.0.2/debian/patches/70_skip_compler_version_check.patch	1970-01-01 01:00:00.0 +0100
+++ arb-6.0.2/debian/patches/70_skip_compler_version_check.patch	2015-12-09 07:30:36.0 +0100
@@ -0,0 +1,32 @@
+Description: Skip compiler version check at all
+Author: Andreas Tille 
+Bug-Debian: http://bugs.debian.org/793187
+Last-Update: Wed, 22 Jul 2015 22:45:32 +0200
+
+--- a/Makefile
 b/Makefile
+@@ -736,23 +736,7 @@ check_same_GCC_VERSION:
+ 		$(ARBHOME)/SOURCE_TOOLS/check_same_compiler_version.pl $(COMPILER_NAME) $(COMPILER_VERSION_ALLOWED)
+ 
+ check_GCC_VERSION:
+-		@echo 'Compiler version check:'
+-ifeq ('$(COMPILER_VERSION_ALLOWED)', '')
+-		@echo "  - Your compiler is '$(COMPILER_NAME)' version '$(COMPILER_VERSION)'"
+-		@echo 'This version is not in the list of supported $(COMPILER_NAME)-versions:'
+-		@$(foreach version,$(ALLOWED_COMPILER_VERSIONS),echo '* $(version)';)
+-		@echo '  - You may either ..'
+-		@echo '- add your version to ALLOWED_$(COMPILER_NAME)_VERSIONS in the Makefile and try it out or'
+-		@echo '- switch to one of the allowed versions (see arb_README_gcc.txt for installing'
+-		@echo '  a different version of gcc)'
+-		@echo ''
+-		@false
+-else
+-		@echo "  - Supported $(COMPILER_NAME) version '$(COMPILER_VERSION_ALLOWED)' detected - fine!"
+-		@echo ''
+-		$(MAKE) check_same_GCC_VERSION
+-
+-endif
++		@echo 'Skip compiler version check in Debian - we need to fix the code if it does not work'
+ 
+ #-- check ARBHOME
+ 
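Review bot: The removed `else` branch of check_GCC_VERSION also ran `$(MAKE) check_same_GCC_VERSION`, so this patch drops the same-compiler consistency check along with the version allow-list, while the check_same_GCC_VERSION target itself stays in the Makefile. If only the allow-list is the problem, keep that call after the new echo line; otherwise the Description should say that both checks are skipped. The patch file name also spells "compler" for "compiler".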
diff -Nru arb-6.0.2/debian/patches/series arb-6.0.2/debian/patches/series
--- arb-6.0.2/debian/patches/series	2014-09-07 22:38:14.0 +0200
+++ arb-6.0.2/debian/patches/series	2015-12-09 07:30:36.0 +0100
@@ -4,3 +4,4 @@
 40_upstream_r12815__lintian_spelling
 50_private_nameservers
 60_use_packaged_phyml
+70_skip_compler_version_check.patch
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#807828: marked as done (jessie-pu: package libencode-perl/2.63-1+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #807828,
regarding jessie-pu: package libencode-perl/2.63-1+deb8u1
to be marked as done.


-- 
807828: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807828
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I'd like to upload libencode-perl to s-p-u to fix #799086 (cf. also
#798727 for the perl core variant).

The patch is taken from upstream's 2.77 release and changes the
behaviour of decode() in the absence of a BOM: previously it died,
now it assumes BE according to RFC2781 and the Unicode Standard
version 8.0.

Full debdiff attached.


Thanks in advance,
gregor

diff -Nru libencode-perl-2.63/debian/changelog libencode-perl-2.63/debian/changelog
--- libencode-perl-2.63/debian/changelog	2014-10-20 20:21:35.0 +0200
+++ libencode-perl-2.63/debian/changelog	2015-12-13 16:31:13.0 +0100
@@ -1,3 +1,13 @@
+libencode-perl (2.63-1+deb8u1) UNRELEASED; urgency=medium
+
+  * Add patch dont-die-without-bom.patch.
+The decode() routine died when no BOM was found. This patch, backported
+from upstream's 2.77 release, changes the behaviour to fall back to BE
+according to RFC2781 and the Unicode Standard version 8.0.
+(Closes: #799086)
+
+ -- gregor herrmann   Sun, 13 Dec 2015 16:30:29 +0100
+
 libencode-perl (2.63-1) unstable; urgency=medium
 
   [ Salvatore Bonaccorso ]
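Review bot: The new changelog entry still targets `UNRELEASED` in its first line. Set the distribution before the package is built and signed for the point release; the other requests on this page use `jessie` or `stable` there.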
diff -Nru libencode-perl-2.63/debian/patches/dont-die-without-bom.patch libencode-perl-2.63/debian/patches/dont-die-without-bom.patch
--- libencode-perl-2.63/debian/patches/dont-die-without-bom.patch	1970-01-01 01:00:00.0 +0100
+++ libencode-perl-2.63/debian/patches/dont-die-without-bom.patch	2015-12-13 16:31:13.0 +0100
@@ -0,0 +1,56 @@
+From 27682d02f7ac0669043faeb419dd5a104eecfb73 Mon Sep 17 00:00:00 2001
+From: Dan Kogai 
+Date: Tue, 15 Sep 2015 22:49:12 +0900
+Subject: [PATCH] Address https://rt.cpan.org/Public/Bug/Display.html?id=107043
+
+  ! Unicode/Unicode.xs Unicode/Unicode.pm
+Address RT#107043: If no BOM is found, the routine dies.
+When you decode from UTF-(16|32) without -BE or LE without BOM,
+Encode now assumes BE accordingly to RFC2781 and the Unicode
+Standard version 8.0
+
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=107043
+Bug-Debian: https://bugs.debian.org/799086
+
+--- a/Unicode/Unicode.pm
 b/Unicode/Unicode.pm
+@@ -176,7 +176,13 @@
+ 
+ When BE or LE is omitted during decode(), it checks if BOM is at the
+ beginning of the string; if one is found, the endianness is set to
+-what the BOM says.  If no BOM is found, the routine dies.
++what the BOM says.
++
++=item Default Byte Order
++
++When no BOM is found, Encode 2.76 and below croaked.  Since Encode
++2.77 (and 2.63-1+deb8u1), it falls back to BE accordingly to RFC2781 and the Unicode
++Standard version 8.0
+ 
+ =item *
+ 
+--- a/Unicode/Unicode.xs
 b/Unicode/Unicode.xs
+@@ -164,9 +164,19 @@
+ 		endian = 'V';
+ 	}
+ 	else {
+-		croak("%"SVf":Unrecognised BOM %"UVxf,
+-		  *hv_fetch((HV *)SvRV(obj),"Name",4,0),
+-		  bom);
++   /* No BOM found, use big-endian fallback as specified in
++* RFC2781 and the Unicode Standard version 8.0:
++*
++*  The UTF-16 encoding scheme may or may not begin with
++   
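Review bot: The Unicode.xs change replaces the `croak("%"SVf":Unrecognised BOM %"UVxf, ...)` in the final `else` with a big-endian fallback, so input that used to raise an error is now decoded silently. That is a behaviour change for a stable update: callers that relied on the exception to reject UTF-16 or UTF-32 input without a recognised BOM will accept it after this upload. The POD text added in Unicode.pm documents the new default; a NEWS entry would make the change visible to administrators as well. The added POD sentence ending in "Standard version 8.0" is also missing its full stop.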

Bug#807917: marked as done (jessie-pu: package nvidia-graphics-drivers-legacy-304xx/304.131-1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #807917,
regarding jessie-pu: package nvidia-graphics-drivers-legacy-304xx/304.131-1
to be marked as done.


-- 
807917: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807917
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

This is the last pu request for fixing CVE-2015-7869 in the
non-free nvidia driver. Same changes as in the other packages.


Andreas
Index: debian/control
===
--- debian/control	(.../tags/304.128-1)	(revision 5951)
+++ debian/control	(.../branches/jessie)	(revision 5951)
@@ -98,7 +98,7 @@
  nvidia-installer-cleanup,
  ${misc:Pre-Depends}
 Depends:
- ${nvidia-alternative},
+ ${nvidia-alternative} (= ${binary:Version}),
  nvidia-installer-cleanup (>= 20130816) [i386],
  nvidia-support,
  ${shlibs:Depends}, ${misc:Depends}
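Review bot: `${nvidia-alternative} (= ${binary:Version})` appends a version restriction to a substitution variable. That only yields a valid dependency if the variable always expands to exactly one bare package name; if it can expand to a list, to alternatives, or to an empty string, the Depends field ends up malformed or the restriction applies only to the last name. Please confirm what debian/rules puts into `nvidia-alternative`, or generate the versioned form inside the substvar itself.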
Index: debian/rules.defs
===
--- debian/rules.defs	(.../tags/304.128-1)	(revision 5951)
+++ debian/rules.defs	(.../branches/jessie)	(revision 5951)
@@ -2,8 +2,8 @@
 NVIDIA_LEGACY		 = 304
 #WATCH_VERSION		 =
 
-XORG_ABI_LIST		 = 19 18 15 14 13 12 11 10 8 6.0
-XORG_BOUND		 = (<< 2:1.17.99)
+XORG_ABI_LIST		 = 20 19 18 15 14 13 12 11 10 8 6.0
+XORG_BOUND		 = (<< 2:1.18.99)
 
 LINUX_KMOD_TESTED	 = 4.2
 LINUX_KMOD_TESTED_amd64	 =
Index: debian/module/conftest.h
===
--- debian/module/conftest.h	(.../tags/304.128-1)	(revision 5951)
+++ debian/module/conftest.h	(.../branches/jessie)	(revision 5951)
@@ -1,4 +1,4 @@
-/* synchronized with conftest.sh from 352.41, 349.16, 346.96, 343.36, 340.93, 304.128, 173.14.39, 96.43.23, 71.86.15 */
+/* synchronized with conftest.sh from 358.16, 355.11, 352.63, 349.16, 346.96, 343.36, 340.96, 304.131, 173.14.39, 96.43.23, 71.86.15 */
 
 #ifndef LINUX_VERSION_CODE
 #include 
@@ -348,9 +348,13 @@
 #endif
 
 /* Implement conftest.sh function scatterlist */
+/* The logic and the define were reversed from HAS_PAGE
+   to HAS_PAGE_LINK in 304.131/340.96/352.63 */
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24)
+ #undef NV_SCATTERLIST_HAS_PAGE_LINK
  #define NV_SCATTERLIST_HAS_PAGE
 #else
+ #define NV_SCATTERLIST_HAS_PAGE_LINK
  #undef NV_SCATTERLIST_HAS_PAGE
 #endif
 
@@ -548,6 +552,13 @@
  #undef NV_LIST_CUT_POSITION_PRESENT
 #endif
 
+/* Implement conftest.sh function hlist_for_each_entry */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,9,0)
+ #define NV_HLIST_FOR_EACH_ENTRY_ARGUMENT_COUNT 3
+#else
+ #define NV_HLIST_FOR_EACH_ENTRY_ARGUMENT_COUNT 4
+#endif
+
 /* Implement conftest.sh function file_inode */
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,9,0)
  #define NV_FILE_HAS_INODE
@@ -630,6 +641,29 @@
  #undef NV_WRITE_CR4_PRESENT
 #endif
 
+/* Implement conftest.sh function of_parse_phandle */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31)
+ #define NV_OF_PARSE_PHANDLE_PRESENT
+#else
+ #undef NV_OF_PARSE_PHANDLE_PRESENT
+#endif
+
+/* Implement conftest.sh function for_each_online_node */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24)
+ #define NV_FOR_EACH_ONLINE_NODE_PRESENT
+#else
+ #undef NV_FOR_EACH_ONLINE_NODE_PRESENT
+#endif
+
+/* Implement conftest.sh function node_end_pfn */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,0,0) || \
+((IS_ENABLED(CONFIG_X86) || IS_ENABLED(CONFIG_PPC)) && \
+LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24))
+ #define NV_NODE_END_PFN_PRESENT
+#else
+ #undef NV_NODE_END_PFN_PRESENT
+#endif
+
 /* Check for linux/semaphore.h */
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,26)
  #define NV_LINUX_SEMAPHORE_H_PRESENT
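Review bot: the node_end_pfn test uses IS_ENABLED(CONFIG_X86) and IS_ENABLED(CONFIG_PPC) inside #if while pairing them with a 2.6.24 lower bound. IS_ENABLED() is supplied by linux/kconfig.h, which kernels that old do not have, and an undefined function-like macro in a #if expression is a preprocessor error rather than a false value, so on such kernels the header would fail to build instead of leaving NV_NODE_END_PFN_PRESENT undefined. Use defined(CONFIG_X86) || defined(CONFIG_PPC) there, or guard the test on IS_ENABLED being defined.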
Index: debian/changelog
===
--- debian/changelog	(.../tags/304.128-1)	(revision 5951)
+++ debian/changelog	(.../branches/jessie)	(revision 5951)
@@ -1,3 +1,25 @@
+nvidia-graphics-drivers-legacy-304xx (304.131-1) jessie; urgency=medium
+
+  * New upstream legacy 304xx branch release 304.131 (2015-11-16).
+* Fixed CVE-2015-7869: Unsanitized User Mode Input.  (Closes: #805918)
+- Fixed a bug that could cause texture corruption in some OpenGL
+  applications when video memory is exhausted by a combination of
+  simultaneously running graphical and compute workloads.
+- Added support for X.

Bug#808890: marked as done (jessie-pu: package libssh/0.6.3-4)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #808890,
regarding jessie-pu: package libssh/0.6.3-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
808890: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808890
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Greetings.

I would like to update libssh in Jessie via a sponsored NMU to fix
CVE-2015-3146, which is a non-DSA security bug and so would need to be fixed
via stable-proposed-updates.  I updated libssh in Sid via sponsored NMU for
this and another CVE in Nov 2015.

The patch used to fix this came from upstream at:

   https://www.libssh.org/security/patches/

Thanks.

  -- Chris

--
Chris Knadle
chris.kna...@coredump.us
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#808559: marked as done (jessie-pu: package glibc/2.19-18+deb8u2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #808559,
regarding jessie-pu: package glibc/2.19-18+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
808559: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808559
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear stable release team,

We would like to update the glibc package in Jessie to fix the known
security issues, fix an issue with nscd affecting debian-edu and a
workaround for possible data corruption on Broadwell CPUs when not
using BIOS or microcode updates.

This is done partly by updating to the latest commit of the stable
branch and using a few additional patches. The diff can be found at the
bottom of this mail. It might look big, but this is mostly due to the
new tests matching the issues fixed in the upstream stable branch and
the renaming of the Intel blacklisting patch to extend it to Broadwell
CPUs. All the corresponding changes are already in testing and unstable.

Thanks,
Aurelien


Index: debian/patches/git-updates.diff
===
--- debian/patches/git-updates.diff (révision 6511)
+++ debian/patches/git-updates.diff (copie de travail)
@@ -1,10 +1,75 @@
 GIT update of git://sourceware.org/git/glibc.git/release/2.19/master from 
glibc-2.19
 
 diff --git a/ChangeLog b/ChangeLog
-index 81c393a..0eb6c3f 100644
+index 81c393a..e82ba7d 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,3 +1,341 @@
+@@ -1,3 +1,406 @@
++2015-12-20  Siddhesh Poyarekar  
++
++  [BZ #16758]
++  * nscd/netgroupcache.c (addinnetgrX): Succeed if triplet has
++  blank values.
++
++  [BZ #16759]
++  * inet/getnetgrent_r.c (get_nonempty_val): New function.
++  (nscd_getnetgrent): Use it.
++
++  [BZ #16760]
++  * nscd/netgroupcache.c (addgetnetgrentX): Use memmove instead
++  of stpcpy.
++
++2015-11-24  Andreas Schwab  
++
++  [BZ #17062]
++  * posix/fnmatch_loop.c (FCT): Rerrange loop for skipping over rest
++  of a bracket expr not to run off the end of the string.
++  * posix/Makefile (tests): Add tst-fnmatch3.
++  * posix/tst-fnmatch3.c: New file.
++
++2015-04-29  Florian Weimer  
++
++  [BZ #18007]
++  * nss/nss_files/files-XXX.c (CONCAT): Always enable stayopen.
++  (CVE-2014-8121)
++  * nss/tst-nss-getpwent.c: New file.
++  * nss/Makefile (tests): Add new test.
++
++2015-02-22  Paul Pluzhnikov  
++
++  [BZ #17269]
++  * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
++  (enlarge_userbuf): Likewise.
++
++2015-02-26  Andreas Schwab  
++
++  [BZ #18032]
++  * posix/fnmatch_loop.c (FCT): Remove extra increment when skipping
++  over collating symbol inside a bracket expression.  Minor cleanup.
++
++2014-06-23  Andreas Schwab  
++
++  [BZ #17079]
++  * nss/nss_files/files-XXX.c (get_contents): Store overflow marker
++  before reading the next line.
++
++2015-10-02  Andreas Schwab  
++
++  * sysdeps/posix/getaddrinfo.c (gaih_inet): Advance address pointer
++  when skipping over non-matching result from nscd.
++
++2015-09-11  Alan Modra  
++
++  [BZ #17153]
++  * elf/elf.h (DT_PPC64_NUM): Correct value.
++  * NEWS: Add to fixed bug list.
++
++2014-03-20  Andreas Schwab  
++
++  [BZ #16743]
++  * sysdeps/posix/getaddrinfo.c (gaih_inet): Properly skip over
++  non-matching result from nscd.
++
 +2015-04-21  Arjun Shankar  
 +
 +  [BZ #18287]
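Review bot: of the security-relevant entries added at the top of ChangeLog, only the BZ #18007 one names its CVE (CVE-2014-8121); the integer overflow guard in _IO_wstr_overflow (BZ #17269) and the fnmatch bracket-expression overrun (BZ #17062) carry none. If identifiers exist for those, cite them in debian/changelog so the upload can be matched against the security tracker. The new entries are also not in date order (2015-02-22 sits above 2015-02-26, 2014-06-23 above 2015-10-02); please confirm that this mirrors the upstream release branch and is not a merge slip.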
@@ -347,10 +412,10 @@
  
[BZ #16529]
 diff --git a/NEWS b/NEWS
-index 98b479e..7f9388f 100644
+index 98b479e..2972c4a 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,59 @@ See the end for copying conditions.
+@@ -5,6 +5,65 @@ See the end for copying conditions.
  Please send GNU C library bug reports via 
  using `glibc' in the "product" field.
  
@@ -358,8 +423,9 @@
 +
 +* The following bugs are resolved with this release:
 +
-+  15946, 16545, 16574, 16623, 16657, 16695, 16878, 16882, 16885, 16916,
-+  16932, 16943, 16958, 17048, 17069, 17137, 17213, 17263, 17325, 17555,
++  15946, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16760,
++  16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069,
++  17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 18007, 18032,

Bug#809200: marked as done (jessie-pu: package quassel/1:0.10.0-2.3+deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #809200,
regarding jessie-pu: package quassel/1:0.10.0-2.3+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
809200: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809200
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear all,

A security issue was found in quassel-core (CVE-2015-8547), allowing an
authenticated remote client to cause a denial of service.
Given the fact that Quassel isn't widely used in the client/server model
nowadays, the Debian Security Team has asked the issue to be fixed with the
next Jessie point release.

You'll find attached the dsc and the debdiff for the proposed upload against
Jessie.

Cheers

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
diff -Nru quassel-0.10.0/debian/changelog quassel-0.10.0/debian/changelog
--- quassel-0.10.0/debian/changelog	2015-05-10 16:41:35.0 +0200
+++ quassel-0.10.0/debian/changelog	2015-12-28 00:02:39.0 +0100
@@ -1,3 +1,12 @@
+quassel (1:0.10.0-2.3+deb8u2) jessie; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2015-8547: remote DoS in quassel core, using /op * command.
+(Closes: #807801)
+- Add debian/patches/CVE-2015-8547.patch, cherry-picked from upstream.
+
+ -- Pierre Schweitzer   Sun, 13 Dec 2015 11:04:05 +0100
+
 quassel (1:0.10.0-2.3+deb8u1) jessie-security; urgency=high
 
   * Fix CVE-2015-3427: SQL injection vulnerability in PostgreSQL backend.
diff -Nru quassel-0.10.0/debian/patches/CVE-2015-8547.patch quassel-0.10.0/debian/patches/CVE-2015-8547.patch
--- quassel-0.10.0/debian/patches/CVE-2015-8547.patch	1970-01-01 01:00:00.0 +0100
+++ quassel-0.10.0/debian/patches/CVE-2015-8547.patch	2015-12-28 00:02:13.0 +0100
@@ -0,0 +1,22 @@
+From 476aaa050f26d6a31494631d172724409e4c569b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Konstantin=20Bl=C3=A4si?= 
+Date: Wed, 21 Oct 2015 03:26:02 +0200
+Subject: [PATCH] Fixes a crash of the core when executing "/op *" in a query.
+
+---
+ src/core/coreuserinputhandler.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/coreuserinputhandler.cpp b/src/core/coreuserinputhandler.cpp
+index 7887a92..73aac48 100644
+--- a/src/core/coreuserinputhandler.cpp
 b/src/core/coreuserinputhandler.cpp
+@@ -232,7 +232,7 @@ void CoreUserInputHandler::doMode(const BufferInfo &bufferInfo, const QChar& add
+ if (!isNumber || maxModes == 0) maxModes = 1;
+ 
+ QStringList nickList;
+-if (nicks == "*") { // All users in channel
++if (nicks == "*" && bufferInfo.type() == BufferInfo::ChannelBuffer) { // All users in channel
+ const QList users = network()->ircChannel(bufferInfo.bufferName())->ircUsers();
+ foreach(IrcUser *user, users) {
+ if ((addOrRemove == '+' && !network()->ircChannel(bufferInfo.bufferName())->userModes(user).contains(mode))
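Review bot: the added `bufferInfo.type() == BufferInfo::ChannelBuffer` test narrows when the "*" branch runs, but the next line still dereferences `network()->ircChannel(bufferInfo.bufferName())` without checking the returned pointer, and does so again inside the foreach. If a channel buffer can exist without a matching IrcChannel object, the same crash remains reachable; fetch the pointer once into a local, return early when it is null, and reuse it in the loop. The patch also carries no description beyond the subject line, so a sentence on why a query buffer reached this code would help later backporters.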
diff -Nru quassel-0.10.0/debian/patches/series quassel-0.10.0/debian/patches/series
--- quassel-0.10.0/debian/patches/series	2015-05-05 16:48:55.0 +0200
+++ quassel-0.10.0/debian/patches/series	2015-12-28 00:02:13.0 +0100
@@ -2,3 +2,4 @@
 CVE-2014-8483.patch
 CVE-2015-2778.patch
 CVE-2015-3427.patch
+CVE-2015-8547.patch
Format: 3.0 (quilt)
Source: quassel
Binary: quassel-core, quassel-client, quassel, quassel-data, 
quassel-client-kde4, quassel-kde4, quassel-data-kde4
Architecture: any all
Version: 1:0.10.0-2.3+deb8u2
Maintainer: Thomas Mueller 
Homepage: http://www.quassel-irc.org
Standards-Version: 3.9.5
Build-Depends: debhelper (>= 9.20120417), libqt4-dev, cmake, 
libfontconfig1-dev, libfreetype6-dev, libpng-dev, libsm-dev, libice-dev, 
libxi-dev, libxrandr-dev, libxrender-dev, zlib1g-dev, libssl-dev, 
libdbus-1-dev, pkg-kde-tools, kdelibs5-dev, libqca2-dev, qt4-dev-tools, 
libqtwebkit-dev, libindicate-qt-dev, libdbusmenu-qt-dev
Package-List:
 quassel deb net optional arch=any
 quassel-client deb net optional arch=any
 quassel-client-kde4 deb net optional arch=any
 quassel-core deb net optional arch=any
 quassel-data deb net optional arch=all
 quassel-data-kde4 deb net option

Bug#809255: marked as done (jessie-pu: package intel-microcode/3.20151106.1~deb8u1)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #809255,
regarding jessie-pu: package intel-microcode/3.20151106.1~deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
809255: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809255
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I would like to update the intel-microcode package in Debian stable
(jessie), to the microcode that is already being shipped in unstable since
2015-11-10, in testing since 2015-11-15, and in jessie-backports since
2015-11-28.

In fact, I'd like to update Debian stable to the same package that is
already in unstable/testing *and* in jessie-backports, with changes only to
the version numbering (and related changelog entry).


This update fixes several critical Intel processor errata on widely used
Intel processors (Haswell and Broadwell, as well as their related Xeons).

Without this microcode update, Intel Broadwell systems [running outdated
firmware] have a very high chance of crashing or locking up.  It fixes a
number of nasty issues on Intel Haswell Refresh and Intel Haswell processors
as well.

Please refer to https://bugzilla.kernel.org/show_bug.cgi?id=103351 for a
comprehensive crash report that is fixed by this microcode update.


The debdiff is a bit bigger than usual because I kept all the changes from
the intel-microcode package in unstable / testing / jessie-backports.  These
changes cover documentation updates, and also an improved Makefile to allow
for a safer (against human error) way to add "emergency" microcode updates,
which are likely to be needed soon.

The Makefile changes only affect the build, and they have been extensively
tested.


As usual, you will find attached the debdiff output with the changes in the
two microcode data files removed for brevity...

Diffstat below:
 Makefile   |  119 
 changelog  |   12 
 debian/README.source   |  190 
 debian/changelog   |   44 
 debian/control |2 
 debian/rules   |6 
 debian/ucode-blacklist.txt |5 
 microcode-20150121.dat |41591 ---
 microcode-20151106.dat |43449 +
 9 files changed, 43726 insertions(+), 41692 deletions(-)

(diffstat of the abridged debdiff, for better resolution):
 Makefile   |  119 +++-
 changelog  |   12 ++
 debian/README.source   |  190 ++---
 debian/changelog   |   44 ++
 debian/control |2 
 debian/rules   |6 -
 debian/ucode-blacklist.txt |5 +
 7 files changed, 277 insertions(+), 101 deletions(-)

Thank you!

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
diff -Nru intel-microcode-3.20150121.1/changelog 
intel-microcode-3.20151106.1~deb8u1/changelog
--- intel-microcode-3.20150121.1/changelog  2015-01-29 20:57:13.0 
-0200
+++ intel-microcode-3.20151106.1~deb8u1/changelog   2015-12-28 
11:54:52.0 -0200
@@ -1,3 +1,15 @@
+2015-11-06:
+  * New Microcodes:
+sig 0x000306f4, pf mask 0x80, 2015-07-17, rev 0x0009, size 14336
+sig 0x00040671, pf mask 0x22, 2015-08-03, rev 0x0013, size 11264
+
+  * Updated Microcodes:
+sig 0x000306a9, pf mask 0x12, 2015-02-26, rev 0x001c, size 12288
+sig 0x000306c3, pf mask 0x32, 2015-08-13, rev 0x001e, size 21504
+sig 0x000306d4, pf mask 0xc0, 2015-09-11, rev 0x0022, size 16384
+sig 0x000306f2, pf mask 0x6f, 2015-08-10, rev 0x0036, size 30720
+sig 0x00040651, pf mask 0x72, 2015-08-13, rev 0x001d, size 20480
+
 2015-01-21:
   * Downgraded microcodes (to a previously shipped revision):
 sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672
diff -Nru intel-microcode-3.20150121.1/debian/changelog 
intel-microcode-3.20151106.1~deb8u1/debian/changelog
--- intel-microcode-3.20150121.1/debian/changelog   2015-01-29 
20:57:19.0 -0200
+++ intel-microcode-3.20151106.1~deb8u1/debian/changelog2015-12-28 
16:06:24.0 -0200
@@ -1,3 +1,47 @@
+intel-microcode (3.20151106.1~deb8u1) stable; ur

Bug#809258: marked as done (jessie-pu: package libraw/0.16.0-9+deb8u2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #809258,
regarding jessie-pu: package libraw/0.16.0-9+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
809258: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809258
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

I'd like to upload a new version of libraw to stable/jessie.

LibRaw package version in jessie is 0.16.0-9+deb8u1 at the moment and
it's now affected by the security issues stated in CVE-2015-8366[0] and
CVE-2015-8367[1], as reported in #806809 (reporting the problem against
the version in unstable/sid).

Upstream has already fixed the problem in 0.17.1 version and released it
on November 24th.

Debian Security Team marked the issues as "no-DSA"[2], so no need to go
through the Debian Security procedures but a simple proposed-update via
the Debian Release Team.

Cherry-picking the fixing git commit[3], I've prepared a new libraw
0.16.0-9+deb8u2 package bundling the new patch.

Attached, you'll find a debdiff for it.

Thanks for considering.


[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367
[2] https://security-tracker.debian.org/tracker/source-package/libraw
[3] 
https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2


-- System Information:
Debian Release: stretch/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Matteo F. Vescovi || Debian Developer
GnuPG KeyID: 4096R/0x8062398983B2CF7A
diff -Nru libraw-0.16.0/debian/changelog libraw-0.16.0/debian/changelog
--- libraw-0.16.0/debian/changelog  2015-05-27 14:10:09.0 +0200
+++ libraw-0.16.0/debian/changelog  2015-12-28 20:26:32.0 +0100
@@ -1,3 +1,12 @@
+libraw (0.16.0-9+deb8u2) stable; urgency=high
+
+  * debian/patches/: patchset updated
+- 0002-Fix_CVE-2015-8366_CVE-2015-8367.patch added
+  | CVE-2015-8366: Index overflow in smal_decode_segment
+  | CVE-2015-8367: Memory objects are not intialized properly
+
+ -- Matteo F. Vescovi   Sat, 12 Dec 2015 21:55:04 +0100
+
 libraw (0.16.0-9+deb8u1) stable; urgency=high
 
   * debian/patches/: patchset updated
diff -Nru 
libraw-0.16.0/debian/patches/0002-Fix_CVE-2015-8366_CVE-2015-8367.patch 
libraw-0.16.0/debian/patches/0002-Fix_CVE-2015-8366_CVE-2015-8367.patch
--- libraw-0.16.0/debian/patches/0002-Fix_CVE-2015-8366_CVE-2015-8367.patch 
1970-01-01 01:00:00.0 +0100
+++ libraw-0.16.0/debian/patches/0002-Fix_CVE-2015-8366_CVE-2015-8367.patch 
2015-12-12 21:51:33.0 +0100
@@ -0,0 +1,70 @@
+From: Alex Tutubalin 
+Date: Sat, 12 Dec 2015 21:51:27 +0100
+Subject: Fix_CVE-2015-8366_CVE-2015-8367
+
+---
+ dcraw/dcraw.c | 4 
+ internal/dcraw_common.cpp | 4 
+ src/libraw_cxx.cpp| 5 +
+ 3 files changed, 13 insertions(+)
+
+diff --git a/dcraw/dcraw.c b/dcraw/dcraw.c
+index 4f72aee..7ff8fe7 100644
+--- a/dcraw/dcraw.c
 b/dcraw/dcraw.c
+@@ -2559,6 +2559,10 @@ void CLASS smal_decode_segment (unsigned seg[2][2], int 
holes)
+   diff = diff ? -diff : 0x80;
+ if (ftell(ifp) + 12 >= seg[1][1])
+   diff = 0;
++#ifdef LIBRAW_LIBRARY_BUILD
++if(pix>=raw_width*raw_height)
++  throw LIBRAW_EXCEPTION_IO_CORRUPT;
++#endif
+ raw_image[pix] = pred[pix & 1] += diff;
+ if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2;
+   }
+diff --git a/internal/dcraw_common.cpp b/internal/dcraw_common.cpp
+index ac55074..1e423fe 100644
+--- a/internal/dcraw_common.cpp
 b/internal/dcraw_common.cpp
+@@ -2816,6 +2816,10 @@ void CLASS smal_decode_segment (unsigned seg[2][2], int 
holes)
+   diff = diff ? -diff : 0x80;
+ if (ftell(ifp) + 12 >= seg[1][1])
+   diff = 0;
++#ifdef LIBRAW_LIBRARY_BUILD
++if(pix>=raw_width*raw_height)
++  throw LIBRAW_EXCEPTION_IO_CORRUPT;
++#endif
+ raw_image[pix] = pred[pix & 1] += diff;
+ if (!(pix & 1) && HOLE(pix / raw_width)) pix += 2;
+   }
+diff --git a/src/libraw_cxx.cpp b/src/libraw_cxx.cpp
+index 433323b..7d61d81 100644
+--- a/sr
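Review bot: the bound check `if(pix>=raw_width*raw_height)` before `raw_image[pix] = ...` is compiled only under `#ifdef LIBRAW_LIBRARY_BUILD`, in both dcraw/dcraw.c and internal/dcraw_common.cpp, so any build of smal_decode_segment without that macro still performs the unchecked write. If the non-library path is built or shipped at all, it needs an equivalent guard that does not rely on `throw` (for example, breaking out of the loop); if it is never built, say so in the patch header. The header itself has only a subject line, and it should map each added check to CVE-2015-8366 or CVE-2015-8367 and name the upstream commit it was taken from.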

Bug#809307: marked as done (jessie-pu: package pcre3/2:8.35-3.3+deb8u2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #809307,
regarding jessie-pu: package pcre3/2:8.35-3.3+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
809307: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809307
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi SRM,

I prepared a (rather huge) pcre3 update addressing several CVEs
assigned in the recent months but which do not warrant a DSA. The
debdiff is rather big, so I want to check with you if you see any
problem in having this update.

I still would like to expose more the actual build packages (I have
done several tests with given reproducers).

I adjusted as well the previous +deb8u1 entry (package sitting in
jessie-p-u), which has three more CVEs addressed (partially only
assigned later and two having the same fixing commit).

The proposed debdiff is attached.

Regards,
Salvatore

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru pcre3-8.35/debian/changelog pcre3-8.35/debian/changelog
--- pcre3-8.35/debian/changelog	2015-08-16 13:38:23.0 +0200
+++ pcre3-8.35/debian/changelog	2015-12-29 09:19:29.0 +0100
@@ -1,6 +1,59 @@
+pcre3 (2:8.35-3.3+deb8u2) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Add additional CVE references and bug closer to previous changelog.
+CVE-2015-2327 fix was included in the previous 2:8.35-3.3+deb8u1 upload.
+CVE-2015-8384 different issue than CVE-2015-3210 but fixed with same
+commit.
+CVE-2015-8388 different issue than CVE-2015-5073 but fixed with same
+commit.
+Add bug closer to bugs in the BTS retrospectively.
+  * Add 0001-Fix-compile-time-loop-for-recursive-reference-within.patch.
+CVE-2015-2328: Stack-based buffer overflow in compile_regex().
+  * Add 794589-information-disclosure.patch.
+CVE-2015-8382: Fix "pcre_exec does not fill offsets for certain regexps"
+leading to information disclosure. (Closes: #794589)
+  * Add 0001-Fix-buffer-overflow-for-repeated-conditional-when-re.patch.
+CVE-2015-8383: Buffer overflow caused by repeated conditional group.
+  * Add 0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch.
+CVE-2015-8385: Buffer overflow caused by forward reference by name to
+certain group.
+  * Add 0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch.
+CVE-2015-8386: Buffer overflow caused by lookbehind assertion.
+  * Add 0001-Add-integer-overflow-check-to-n-code.patch.
+CVE-2015-8387: Integer overflow in subroutine calls.
+  * Add 0001-Fix-overflow-when-ovector-has-size-1.patch.
+CVE-2015-8380: Heap-based buffer overflow in pcre_exec. (Closes: #806467)
+  * Add 0001-Fix-infinite-recursion-in-the-JIT-compiler-when-cert.patch.
+CVE-2015-8389: nfinite recursion in JIT compiler when processing certain
+patterns.
+  * Add 0001-Fix-bug-for-classes-containing-sequences.patch.
+CVE-2015-8390: Reading from uninitialized memory when processing certain
+patterns.
+  * Add 0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch.
+CVE-2015-8391: Some pathological patterns causes pcre_compile() to run
+for a very long time.
+  * Add 0001-Fix-buffer-overflow-for-named-references-in-situatio.patch.
+CVE-2015-8392: Buffer overflow caused by certain patterns with
+duplicated named groups.
+  * Add 0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch.
+CVE-2015-8393: Information leak when running pcgrep -q on crafted
+binary.
+  * Add 0001-Add-missing-integer-overflow-checks.patch.
+CVE-2015-8394: Integer overflow caused by missing check for certain
+conditions.
+  * Add 0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch.
+CVE-2015-8381: Heap Overflow in compile_regex().
+CVE-2015-8395: Buffer overflow caused by certain references.
+(Closes: #796762)
+
+ -- Salvatore Bonaccorso   Tue, 29 Dec 2015 09:19:11 +0100
+
 pcre3 (2:8.35-3.3+deb8u1) jessie; urgency=medium
 
-  * CVE-2015-2325 CVE-2015-2326 CVE-2015-3210 CVE-2015-5073
+  * CVE-2015-2325 CVE-
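Review bot: two typos in the new 2:8.35-3.3+deb8u2 entry are worth fixing before upload, since the changelog is what users and the security tracker read: "nfinite recursion" under CVE-2015-8389 should be "Infinite recursion", and "pcgrep -q" under CVE-2015-8393 should be "pcregrep -q" to match the patch name. The "(Closes: #796762)" sits under both CVE-2015-8381 and CVE-2015-8395, so please also make clear which of the two the bug refers to, or that it covers both.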

Bug#809561: marked as done (jessie-pu: package perl/5.20.2-3+deb8u3)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #809561,
regarding jessie-pu: package perl/5.20.2-3+deb8u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
809561: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809561
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Please find attached a proposed patch for #798727 in perl, which I would
like to include in an upload to stable. The same issue has already
been fixed for libencode-perl in s-p-u (see #807828).

Thanks,
Dominic.
diff --git a/cpan/Encode/Unicode/Unicode.pm b/cpan/Encode/Unicode/Unicode.pm
index 6b35cb7..87bd99c 100644
--- a/cpan/Encode/Unicode/Unicode.pm
+++ b/cpan/Encode/Unicode/Unicode.pm
@@ -176,7 +176,15 @@ simply treated as a normal character (ZERO WIDTH NO-BREAK SPACE).
 
 When BE or LE is omitted during decode(), it checks if BOM is at the
 beginning of the string; if one is found, the endianness is set to
-what the BOM says.  If no BOM is found, the routine dies.
+what the BOM says.  
+
+=item Default Byte Order
+
+When no BOM is found, Encode 2.76 and blow croaked.  Since Encode
+2.77, it falls back to BE accordingly to RFC2781 and the Unicode
+Standard version 8.0. This behaviour has also been backported to
+Encode 2.60 and later as shipped in the Debian perl package since
+version 5.20.2-3+deb8u2 (see L).
 
 =item *
 
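Review bot: the new "Default Byte Order" paragraph has wording errors that will ship in the installed documentation: "2.76 and blow croaked" should read "2.76 and below croaked", and "accordingly to RFC2781" should be "according to RFC2781". The replaced line also gains trailing whitespace after "what the BOM says.", and the new `=item Default Byte Order` is a titled item placed directly before an `=item *` bullet, so please check that the mixed item styles render as intended.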
diff --git a/cpan/Encode/Unicode/Unicode.xs b/cpan/Encode/Unicode/Unicode.xs
index cf42ab8..831708c 100644
--- a/cpan/Encode/Unicode/Unicode.xs
+++ b/cpan/Encode/Unicode/Unicode.xs
@@ -164,9 +164,19 @@ CODE:
 		endian = 'V';
 	}
 	else {
-		croak("%"SVf":Unrecognised BOM %"UVxf,
-		  *hv_fetch((HV *)SvRV(obj),"Name",4,0),
-		  bom);
+   /* No BOM found, use big-endian fallback as specified in
+* RFC2781 and the Unicode Standard version 8.0:
+*
+*  The UTF-16 encoding scheme may or may not begin with
+*  a BOM. However, when there is no BOM, and in the
+*  absence of a higher-level protocol, the byte order
+*  of the UTF-16 encoding scheme is big-endian.
+*
+*  If the first two octets of the text is not 0xFE
+*  followed by 0xFF, and is not 0xFF followed by 0xFE,
+*  then the text SHOULD be interpreted as big-endian.
+*/
+s -= size;
 	}
 	}
 #if 1
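Review bot: In the new `else` branch the only statement is `s -= size;`, so the fallback depends on `endian` already holding the big-endian value from code above this hunk. That assumption deserves a one-line comment next to the rewind, because a later change to the initialisation would silently change what this branch decodes as. The quoted standard text speaks only of UTF-16, yet the branch is the final `else` after the `endian = 'V'` assignment and so is reached for every unit size this code handles; the comment should say the same fallback is intended there. The removed `croak(...)` was the only rejection path shown, so callers that treated the exception as input validation now receive decoded data, which is worth a test with BOM-less input and a line in the changelog.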
diff --git a/debian/control b/debian/control
index aae4f45..ad2264c 100644
--- a/debian/control
+++ b/debian/control
@@ -316,7 +316,7 @@ Breaks: perl-doc (<< ${Upstream-Version}-1),
  libthreads-perl (<< 1.93),
  libthreads-shared-perl (<< 1.46),
  libtime-piece-perl (<< 1.27),
- libencode-perl (<< 2.60),
+ libencode-perl (<< 2.63-1+deb8u1),
  mrtg (<< 2.16.3-3.1),
  libhtml-template-compiled-perl (<< 0.95-1),
  libperl-apireference-perl (<< 0.09-1),
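Review bot: The bumped bound `libencode-perl (<< 2.63-1+deb8u1)` carries no explanation, and nothing in the visible part of the patch records why that exact version was chosen. Presumably it is the libencode-perl upload with the same fix mentioned in the request (#807828); please confirm that and state it in debian/changelog so the Breaks is not later relaxed back to `<< 2.60` by mistake.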
diff --git a/debian/patches/debian/encode-unicode-bom-doc.diff b/debian/patches/debian/encode-unicode-bom-doc.diff
new file mode 100644
index 000..ccd0108
--- /dev/null
+++ b/debian/patches/debian/encode-unicode-bom-doc.diff
@@ -0,0 +1,26 @@
+From c6c7ea3c32d8de7bec4e4e155db9b54b9315ebf0 Mon Sep 17 00:00:00 2001
+From: Dominic Hargreaves 
+Date: Wed, 30 Dec 2015 20:45:28 +
+Subject: Document Debian backport of Encode::Unicode fix
+
+Bug-Debian: https://bugs.debian.org/798727
+Patch-Name: debian/encode-unicode-bom-doc.diff
+---
+ cpan/Encode/Unicode/Unicode.pm | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/cpan/Encode/Unicode/Unicode.pm b/cpan/Encode/Unicode/Unicode.pm
+index 9b197d9..87bd99c 100644
+--- a/cpan/Encode/Unicode/Unicode.pm
 b/cpan/Encode/Unicode/Unicode.pm
+@@ -182,7 +182,9 @@ what the BOM says.
+ 
+ When no BOM is found, Encode 2.76 and blow croaked.  Since Encode
+ 2.77, it falls back to BE accordingly to RFC2781 and the Unicode
+-Standard version 8.0
++Standard version 8.0. This behaviour has also been backported to
++Encode 2.60 and later as shipped in the Debian perl package since
++version 5.20.2-3+deb8u2 (see L).
+ 
+ =item *
+ 
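Review bot: The added sentence "backported to Encode 2.60 and later as shipped in the Debian perl package since version 5.20.2-3+deb8u2" can be read as a claim about every Encode from 2.60 up, including a separately installed one. Suggest wording it as applying to the Encode bundled with Debian's perl from 5.20.2-3+deb8u2, and writing out the bug URL from the `Bug-Debian:` header where the text currently reads "(see L)".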
diff --git a/debian/patches/fixes/encode-unicode-bom.diff b/debian/patches/fixes/encode-unicode-bom.diff
new file mode 100644
index 000..7b8a512
--- /dev/null
+++ b/debian/patches/fixes/e

Bug#809757: marked as done (jessie-pu: package openldap/2.4.40+dfsg-1+deb8u2)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #809757,
regarding jessie-pu: package openldap/2.4.40+dfsg-1+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
809757: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809757
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear SRM,

I would like to fix #806909 in jessie. It has been reported by different 
people upstream, in Ubuntu, and now in Debian as well, so the impact 
seems to be at least moderately widespread.

The fix originates upstream and has been in testing since July.

The patch changes a macro in a public header. I used codesearch.d.n to 
check the archive for possible users of the macro that would need to be 
rebuilt. The only packages I found actually using the libldap version of 
it are 389-ds-base and 389-dsgw, however these appear to not actually be 
affected, due to internal confusion in the API: they end up allocating 
enough memory to wrap text at 76 columns (actually 77, because of the 
bug), while actually wrapping it at 78, and this difference is enough to 
avoid any overflow according to my testing.

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 
'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -u openldap-2.4.40+dfsg/debian/changelog openldap-2.4.40+dfsg/debian/changelog
--- openldap-2.4.40+dfsg/debian/changelog
+++ openldap-2.4.40+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+openldap (2.4.40+dfsg-1+deb8u2) jessie; urgency=medium
+
+  * debian/patches/ITS8003-fix-off-by-one-in-LDIF-length.patch: Import
+upstream patch to fix a crash when adding a large attribute value with the
+auditlog overlay enabled. (Closes: #806909)
+
+ -- Ryan Tandy   Sat, 12 Dec 2015 16:11:38 -0800
+
 openldap (2.4.40+dfsg-1+deb8u1) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
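Review bot: The new changelog entry describes the fix only as a crash with the auditlog overlay, while the imported ITS8003 patch changes the sizing macros in include/ldif.h. Suggest adding that the change is to a macro in a public header, so that anyone maintaining a package compiled against it knows that a rebuild is what picks up the corrected size.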
diff -u openldap-2.4.40+dfsg/debian/patches/series openldap-2.4.40+dfsg/debian/patches/series
--- openldap-2.4.40+dfsg/debian/patches/series
+++ openldap-2.4.40+dfsg/debian/patches/series
@@ -27,0 +28 @@
+ITS8003-fix-off-by-one-in-LDIF-length.patch
only in patch2:
unchanged:
--- openldap-2.4.40+dfsg.orig/debian/patches/ITS8003-fix-off-by-one-in-LDIF-length.patch
+++ openldap-2.4.40+dfsg/debian/patches/ITS8003-fix-off-by-one-in-LDIF-length.patch
@@ -0,0 +1,33 @@
+From c8353f7acdec4a42f537b0d475aaae005ba72363 Mon Sep 17 00:00:00 2001
+From: Howard Chu 
+Date: Mon, 15 Dec 2014 14:36:55 +
+Subject: [PATCH] ITS#8003 fix off-by-one in LDIF length
+
+must account for leading space when counting total number of lines
+---
+ include/ldif.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/ldif.h b/include/ldif.h
+index f638ef9..69bb0c9 100644
+--- a/include/ldif.h
 b/include/ldif.h
+@@ -52,12 +52,12 @@ LDAP_LDIF_V (int) ldif_debug;
+  */
+ #define LDIF_SIZE_NEEDED(nlen,vlen) \
+ ((nlen) + 4 + LDIF_BASE64_LEN(vlen) \
+-+ ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / LDIF_LINE_WIDTH * 2 ))
+++ ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / (LDIF_LINE_WIDTH-1) * 2 ))
+ 
+ #define LDIF_SIZE_NEEDED_WRAP(nlen,vlen,wrap) \
+ ((nlen) + 4 + LDIF_BASE64_LEN(vlen) \
+-+ ((wrap) == 0 ? ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / ( LDIF_LINE_WIDTH ) * 2 ) : \
+-	((wrap) == LDIF_LINE_WIDTH_MAX ? 0 : ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / (wrap) * 2 
+++ ((wrap) == 0 ? ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / ( LDIF_LINE_WIDTH-1 ) * 2 ) : \
++	((wrap) == LDIF_LINE_WIDTH_MAX ? 0 : ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / (wrap-1) * 2 
+ 
+ LDAP_LDIF_F( int )
+ ldif_parse_line LDAP_P((
+-- 
+2.1.4
+
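Review bot: In `LDIF_SIZE_NEEDED_WRAP` the new divisor is written `(wrap-1)` with the macro argument unparenthesised, so an argument that is itself an expression with a lower-precedence operator combines with `-1` incorrectly; write `((wrap)-1)`. The same expression guards `wrap == 0` and `wrap == LDIF_LINE_WIDTH_MAX` but not `wrap == 1`, for which the divisor is now zero; either reject that value or document that callers never pass it. The `(LDIF_LINE_WIDTH-1)` form in the other two places is fine as long as LDIF_LINE_WIDTH stays a plain constant.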
--- End Message ---
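The sizing argument in the request above (a buffer sized for one wrap width while every folded line also spends a column on its leading space) can be checked numerically. This is an added example, not code from OpenLDAP or from the bug report: `LINE_WIDTH 76` and the `BASE64_LEN` formula are assumed values for the macros the patch references, the name length 9 is constructed, and `bytes_written` is a constructed model of a writer that folds at the line width.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumed definitions (not shown on the page) for the macros the patch uses. */
#define LINE_WIDTH 76
#define BASE64_LEN(vlen) (((vlen) * 4 / 3) + 3)

/* Estimate before the patch: one "\n " pair per LINE_WIDTH columns. */
static size_t size_needed_old(size_t nlen, size_t vlen) {
    return nlen + 4 + BASE64_LEN(vlen)
         + (BASE64_LEN(vlen) + nlen + 3) / LINE_WIDTH * 2;
}

/* Estimate after the patch: a folded line holds LINE_WIDTH-1 payload columns. */
static size_t size_needed_new(size_t nlen, size_t vlen) {
    return nlen + 4 + BASE64_LEN(vlen)
         + (BASE64_LEN(vlen) + nlen + 3) / (LINE_WIDTH - 1) * 2;
}

/* Constructed model of the writer: "name:: " + padded base64 + "\n", with
 * "\n " inserted whenever a line is full. Returns the bytes it would emit. */
static size_t bytes_written(size_t nlen, size_t vlen) {
    size_t payload = nlen + 3 + (vlen + 2) / 3 * 4;
    size_t out = 0, col = 0;
    for (size_t i = 0; i < payload; i++) {
        if (col == LINE_WIDTH) { out += 2; col = 1; } /* the space takes a column */
        out++;
        col++;
    }
    return out + 1; /* final newline */
}

/* Smallest value length whose estimate is below the modelled output, 0 if none. */
static size_t first_shortfall(size_t (*est)(size_t, size_t), size_t nlen, size_t limit) {
    for (size_t vlen = 1; vlen <= limit; vlen++)
        if (est(nlen, vlen) < bytes_written(nlen, vlen))
            return vlen;
    return 0;
}

int main(void) {
    size_t nlen = 9; /* constructed: length of an attribute name such as "jpegPhoto" */
    printf("old estimate first too small at vlen=%zu\n",
           first_shortfall(size_needed_old, nlen, 4096));
    printf("new estimate first too small at vlen=%zu (0 = never in range)\n",
           first_shortfall(size_needed_new, nlen, 4096));
    printf("vlen=328: old=%zu new=%zu written=%zu\n", size_needed_old(nlen, 328),
           size_needed_new(nlen, 328), bytes_written(nlen, 328));
    return 0;
}
```

In this model the pre-patch estimate first comes up two bytes short at a 328-byte value, while the patched estimate covers every length in the scanned range.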
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---


Bug#810111: marked as done (jessie-pu: package base-files/8+deb8u3)

2016-01-23 Thread Debian Bug Tracking System
Your message dated Sat, 23 Jan 2016 13:57:15 +
with message-id <1453557435.1835.52.ca...@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #810111,
regarding jessie-pu: package base-files/8+deb8u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
810111: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810111
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear Stable Release Managers:

For Debian 8.3, I'd like to include a fix for a typo in the os-release
file in addition to the usual base-files update.

Note 1: In Debian 8, the os-release file is actually in /usr/lib so
dpkg on upgrades will just replace the old file by the new one without
bothering the user with new questions.

Note 2: Thanks to Paul Wise from DSA we have a redirection for this,
but this is a workaround and I would much prefer that we are able to
remove such redirection some day in the not too distant future.

Debdiff attached.

Thanks.
diff -Nru base-files-8+deb8u2/debian/changelog 
base-files-8+deb8u3/debian/changelog
--- base-files-8+deb8u2/debian/changelog2015-08-26 18:30:17.0 
+0200
+++ base-files-8+deb8u3/debian/changelog2016-01-06 16:16:35.0 
+0100
@@ -1,3 +1,11 @@
+base-files (8+deb8u3) stable; urgency=low
+
+  * Changed /etc/debian_version to 8.3, for Debian 8.3 point release.
+  * os-release: Drop trailing slash in SUPPORT_URL variable, as the URL
+is not supposed to have it. Closes: #781809, #800791.
+
+ -- Santiago Vila   Wed, 06 Jan 2016 16:11:48 +0100
+
 base-files (8+deb8u2) stable; urgency=low
 
   * Changed /etc/debian_version to 8.2, for Debian 8.2 point release.
diff -Nru base-files-8+deb8u2/etc/debian_version 
base-files-8+deb8u3/etc/debian_version
--- base-files-8+deb8u2/etc/debian_version  2015-08-26 18:30:23.0 
+0200
+++ base-files-8+deb8u3/etc/debian_version  2016-01-06 12:00:00.0 
+0100
@@ -1 +1 @@
-8.2
+8.3
diff -Nru base-files-8+deb8u2/etc/os-release base-files-8+deb8u3/etc/os-release
--- base-files-8+deb8u2/etc/os-release  2014-11-30 12:00:00.0 +0100
+++ base-files-8+deb8u3/etc/os-release  2016-01-06 12:00:00.0 +0100
@@ -4,5 +4,5 @@
 VERSION="8 (jessie)"
 ID=debian
 HOME_URL="http://www.debian.org/";
-SUPPORT_URL="http://www.debian.org/support/";
+SUPPORT_URL="http://www.debian.org/support";
 BUG_REPORT_URL="https://bugs.debian.org/";
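Review bot: With the trailing slash dropped, `SUPPORT_URL` is still an `http://` address, as is `HOME_URL` in the context lines, while `BUG_REPORT_URL` in the same file is `https://`. If the https form of both addresses is served, switching them in this upload would avoid touching os-release again; if that is out of scope for a point release, a short note in the changelog saying so would help.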
--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam
--- End Message ---

