Bug#818104: Possible MBF: Packages depending on iceweasel but not firefox/firefox-esr
David Prévot:
> On 18/03/2016 18:06, Josh Triplett wrote:
>
>> I would suggest that Firefox addon packages should depend on "firefox |
>> firefox-esr"
>
> Most of those packages use mozilla-devscripts for the build and just
> need to be rebuilt to get fixed. Even if our infrastructure has all the
> needed tools to binNMU all of them as a proper transition, some
> limitations on the way arch:all binNMUs are handled currently prevent us
> from having most of them already fixed, see #818104.
>
> What is currently needed if the arch:all binNMU doesn’t get fixed, is
> “just” to upload all of them. I’m currently dragged into doing that for
> hundreds of PHP class packages because of this no arch:all binNMU
> limitation, so I hope someone else from the Debian Mozilla Extension
> Maintainers could take the lead on it (new members are welcome ;).
>
> Regards
>
> David

For those wondering about the reasons:

 * dak has a "no arch:all binNMU" check that rejects arch:all binNMUs.
   - It might be time to lift this restriction.
 * These days we could in theory binNMU source packages building only
   arch:all packages.
 * There is a caveat with source packages building both arch:all and
   arch:any packages, where the substvars no longer ensure installability
   (because they assume that the version of arch:all is the version of the
   source package).
   - I have tried to devise a lintian check which might help us get an
     overview of this situation.

Thanks,
~Niels
Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1
Control: tags -1 + confirmed

On Sat, 2016-03-19 at 19:23 -0300, Henrique de Moraes Holschuh wrote:
> This is the non-free oldstable companion update for the same issue reported
> in #818689:
>
> Unfortunately, the microcode for the earlier AMD Piledriver processors being
> distributed in the amd64-microcode packages currently in non-free oldstable,
> stable, testing and unstable has been found to be extremely dangerous.

Please go ahead.

Regards,

Adam
Processed: Re: Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1
Processing control commands:

> tags -1 + confirmed
Bug #818710 [release.debian.org] wheezy-pu: package amd64-microcode/1.20160316.1
Ignoring request to alter tags of bug #818710 to the same tags previously set

-- 
818710: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818710
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1
Processing control commands:

> tags -1 + confirmed
Bug #818710 [release.debian.org] wheezy-pu: package amd64-microcode/1.20160316.1
Added tag(s) confirmed.

-- 
818710: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818710
Bug#818150: jessie-pu: package php5/5.6.19+dfsg-0+deb8u1
On Mon, Mar 14, 2016 at 11:00:12AM +0100, Ondřej Surý wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Hi,
>
> security team still seems to be heavily overloaded, so I am hoping we
> can do this via jessie-pu again.
>
> We need to update 5.6.17+dfsg-0+deb8u1 to 5.6.19+dfsg-0+deb8u1 as
> there were several security updates between the releases:

Ack from my side, there's nothing urgent in there, these could go via spu.

Cheers,
Moritz
Bug#797906: jessie-pu: package dolibarr/3.5.5+dfsg1-2
Hi Adam.

A fix was prepared to solve several CVEs. The Security team already
answered me that they don't plan any DSA release for this patch. All fixes
are already included in unstable.

Can we push it into stable?

It fixes the following CVEs:

 * Fix CVE-2016-1912 (Closes: #812496)
 * Fix CVE-2015-8685 (Closes: #812449)
 * Fix CVE-2015-3935 (Closes: #787762)

This is the debdiff.

diff -Nru dolibarr-3.5.5+dfsg1/debian/changelog dolibarr-3.5.5+dfsg1/debian/changelog --- dolibarr-3.5.5+dfsg1/debian/changelog 2014-12-07 15:52:53.0 +0100 +++ dolibarr-3.5.5+dfsg1/debian/changelog 2016-02-08 21:30:58.0 +0100 @@ -1,3 +1,11 @@ +dolibarr (3.5.5+dfsg1-1+deb8u1) UNRELEASED; urgency=high + + * Fix CVE-2016-1912 (Closes: #812496) + * Fix CVE-2015-8685 (Closes: #812449) + * Fix CVE-2015-3935 (Closes: #787762) + + -- Laurent Destailleur (eldy) Tue, 08 Sep 2015 15:22:52 +0200 + dolibarr (3.5.5+dfsg1-1) unstable; urgency=medium * New upstream release with 3.5.5 diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch --- dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 1970-01-01 01:00:00.0 +0100 +++ dolibarr-3.5.5+dfsg1/debian/patches/FIX-4291-GETPOSTs.patch 2016-02-08 21:30:58.0 +0100 
@@ -0,0 +1,35 @@ +diff --git a/htdocs/admin/agenda_extsites.php b/htdocs/admin/agenda_extsites.php +index ac105cf..bf68c61 100644 +--- a/htdocs/admin/agenda_extsites.php b/htdocs/admin/agenda_extsites.php +@@ -1,6 +1,7 @@ + +- * Copyright (C) 2011-2014 Juanjo Menent ++/* Copyright (C) 2008-2011 Laurent Destailleur < e...@users.sourceforge.net> ++ * Copyright (C) 2011-2014 Juanjo Menent ++ * Copyright (C) 2016 Raphaël Doursenaud < rdoursen...@gpcsolutions.fr> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -88,7 +89,7 @@ + // Save nb of agenda + if (! $error) + { +- $res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','alpha')),'chaine',0,'',$conf->entity); ++ $res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','int')),'chaine',0,'',$conf->entity); + if (! $res > 0) $error++; + if (empty($conf->global->AGENDA_EXT_NB)) $conf->global->AGENDA_EXT_NB=5; + $MAXAGENDA=empty($conf->global->AGENDA_EXT_NB)?5:$conf->global->AGENDA_EXT_NB; +@@ -201,9 +202,9 @@ + // Nb + print ''.$langs->trans("AgendaExtNb",$key).""; + // Name +- print ''; ++ print ''; + // URL +- print ''; ++ print ''; + // Color (Possible colors are limited by Google) + print ''; + //print $formadmin->selectColor($conf->global->$color, "google_agenda_color".$key, $colorlist); diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch --- dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 1970-01-01 01:00:00.0 +0100 +++ dolibarr-3.5.5+dfsg1/debian/patches/Fix-787762-CVE20153935.patch 2016-02-08 21:30:58.0 +0100 
@@ -0,0 +1,22 @@ +diff --git a/debian/changelog b/debian/changelog +index 7d3e2e1..09dd3e0 100644 +--- a/htdocs/societe/societe.php b/htdocs/societe/societe.php +@@ -272,7 +272,7 @@ + $num = $db->num_rows($resql); + $i = 0; + +- $params = "&socname=".$socname."&search_nom=".$search_nom."&search_town=".$search_town; ++ $params = "&socname=".urlencode($socname)."&search_nom=".urlencode($search_nom)."&search_town=".urlencode($search_town); + $params.= ($sbarcode?"&sbarcode=".$sbarcode:""); + $params.= '&search_idprof1='.$search_idprof1; + $params.= '&search_idprof2='.$search_idprof2; +@@ -348,7 +348,7 @@ + print ''; + print ''; + if (! empty($search_nom_only) && empty($search_nom)) $search_nom=$search_nom_only; +- print ''; ++ print ''; + print ''; + // Barcode + if (! empty($conf->barcode->enabled)) diff -Nru dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch --- dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch 1970-01-01 01:00:00.0 +0100 +++ dolibarr-3.5.5+dfsg1/debian/patches/FIX-CVE-CVE20158685-CVE-2016-1912.patch 2016-02-08 21:30:58.0 +0100 @@ -0,0 +1,37 @@ +diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php +index 7fba7f5..90eac77 100644 +--- a/htdocs/main.inc.php b/htdocs/main.inc.php +@@ -80,13 +80,15 @@ + // For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests) + if ($type != 2) + { +-$sql_inj += preg_match('/delete[\s]+from/i', $val); +-$sql_inj += preg_match('/create[\s]+table/i', $val); +-$sql_inj += preg_match('/update.+set.+=/i', $val); +-$sql_inj += preg_match('/insert[\s]+into/i', $val); +-$sql_inj += preg_match('/select.+from/i', $val); +-$sql_inj += preg_match('/union.+select/i', $val); +-
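Review bot: the debian/changelog hunk targets UNRELEASED and carries a trailer dated Tue, 08 Sep 2015, which predates the CVE-2016-1912 fix it lists; set the distribution to jessie and regenerate the trailer (dch -r) before uploading. The new version also steps from 3.5.5+dfsg1-1, while the bug title names dolibarr/3.5.5+dfsg1-2; please confirm which version is actually in jessie so the +deb8u1 suffix builds on it.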
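Review bot: FIX-4291-GETPOSTs.patch has no DEP-3 header (Description, Origin, Bug-Debian), so it is not clear which of the three CVEs the change from GETPOST('AGENDA_EXT_NB','alpha') to GETPOST('AGENDA_EXT_NB','int') and the agenda name/URL print changes belong to; please add one naming the upstream commit or issue (4291). In the hunk at line 201 the modified print lines appear with empty string literals in this copy, so the escaping change there cannot be reviewed as quoted.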
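Review bot: in Fix-787762-CVE20153935.patch the `diff --git a/debian/changelog b/debian/changelog` header does not match the `--- a/htdocs/societe/societe.php` file line below it; quilt applies using the ---/+++ paths, but the header should name societe.php so the patch is not misleading. The hunk at line 272 urlencodes $socname, $search_nom and $search_town, while the unchanged context lines still append $sbarcode, $search_idprof1 and $search_idprof2 to $params unencoded; please check whether the upstream fix for CVE-2015-3935 also covers those.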
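Review bot: the debdiff is cut off in the middle of the htdocs/main.inc.php hunk of FIX-CVE-CVE20158685-CVE-2016-1912.patch (after the removed `$sql_inj += preg_match(...)` lines and before their replacements), so the changed SQL-injection filter cannot be reviewed here; please resend the complete debdiff, and add a DEP-3 header to this patch as well, since it has none.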
Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1
On Sun, 20 Mar 2016, Adam D. Barratt wrote:
> On Sat, 2016-03-19 at 19:23 -0300, Henrique de Moraes Holschuh wrote:
> > This is the non-free oldstable companion update for the same issue reported
> > in #818689:
> >
> > Unfortunately, the microcode for the earlier AMD Piledriver processors being
> > distributed in the amd64-microcode packages currently in non-free oldstable,
> > stable, testing and unstable has been found to be extremely dangerous.
>
> Please go ahead.

I have uploaded it through the ftp queue about one hour ago, but I have
still not received any email back either from the upload queue daemon, or
from dak (and the packages disappeared from the ftp upload queue).

I will try to reupload.

-- 
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1
On Sun, 2016-03-20 at 12:20 -0300, Henrique de Moraes Holschuh wrote:
> I have uploaded it through the ftp queue about one hour ago, but I have
> still not received any email back either from the upload queue daemon, or
> from dak (and the packages disappeared from the ftp upload queue).
>
> I will try to reupload.

dinstall's running, hence the lack of response from dak combined with
the "disappearing" packages (although I'm not sure why you've not had a
response from the queued).

I can confirm that the packages have reached the "unchecked" queue so
should get processed by dak once dinstall finishes; there's no need to
re-upload.

Regards,

Adam
Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1
On Sun, 20 Mar 2016, Adam D. Barratt wrote:
> On Sun, 2016-03-20 at 12:20 -0300, Henrique de Moraes Holschuh wrote:
> > I have uploaded it through the ftp queue about one hour ago, but I have
> > still not received any email back either from the upload queue daemon, or
> > from dak (and the packages disappeared from the ftp upload queue).
> >
> > I will try to reupload.
>
> dinstall's running, hence the lack of response from dak combined with
> the "disappearing" packages (although I'm not sure why you've not had a
> response from the queued).
>
> I can confirm that the packages have reached the "unchecked" queue so
> should get processed by dak once dinstall finishes; there's no need to
> re-upload.

Thanks!

I did try to re-upload before I got your reply, and promptly got an email
from the upload queue daemon about an existing previous upload. So, the
first try was processed normally, but the email reply from the queue daemon
got lost in the MTA network. I assume it will arrive eventually, due to
graylisting or something else of that sort. If it does, I will look at the
received headers to try to understand where it got delayed...

-- 
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Bug#797906: jessie-pu: package dolibarr/3.5.5+dfsg1-2
Control: tags -1 + confirmed

On Sun, 2016-03-20 at 15:09 +0100, Laurent Destailleur (aka Eldy) wrote:
> A fix was prepared to solve several CVE. Security team already
> answered me they don't plan any DSA released for this patch. All fixes
> are already included into unstable.
[...]
> +dolibarr (3.5.5+dfsg1-1+deb8u1) UNRELEASED; urgency=high
> +
> + * Fix CVE-2016-1912 (Closes: #812496)
> + * Fix CVE-2015-8685 (Closes: #812449)
> + * Fix CVE-2015-3935 (Closes: #787762)
> +
> + -- Laurent Destailleur (eldy) Tue, 08 Sep
> 2015 15:22:52 +0200

I assume the changelog trailer simply needs updating, as I doubt all of
the patches were added by September. :-)

With that and the changelog distribution set to "jessie", please go ahead.

Regards,

Adam
Processed: Re: Bug#797906: jessie-pu: package dolibarr/3.5.5+dfsg1-2
Processing control commands:

> tags -1 + confirmed
Bug #797906 [release.debian.org] jessie-pu: package dolibarr/3.5.5+dfsg1-2
Added tag(s) confirmed.

-- 
797906: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797906
Processed: Re: Bug#818672: jessie-pu: package pgplot5/5.2.2-19+deb8u1
Processing control commands:

> tags -1 + confirmed
Bug #818672 [release.debian.org] jessie-pu: package pgplot5/5.2.2-19+deb8u1
Added tag(s) confirmed.

-- 
818672: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818672
Processed: Re: Bug#818679: jessie-pu: package sus/7.20160312~deb8u1
Processing control commands:

> tags -1 + confirmed
Bug #818679 [release.debian.org] jessie-pu: package sus/7.20160312~deb8u1
Added tag(s) confirmed.

-- 
818679: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818679
Bug#818679: jessie-pu: package sus/7.20160312~deb8u1
Control: tags -1 + confirmed

On Sat, 2016-03-19 at 17:17 +0100, Andreas Beckmann wrote:
> sus is a downloader package and one of the external tarballs being
> downloaded has changed, again.

Yay downloader packages. :-(

> This is a rebuild of the package from sid for jessie.

Please go ahead.

Regards,

Adam
Bug#818672: jessie-pu: package pgplot5/5.2.2-19+deb8u1
Control: tags -1 + confirmed

On Sat, 2016-03-19 at 16:23 +0100, Andreas Beckmann wrote:
> pgplot5 FTBFS in jessie due to a hardcoded non-multiarch path to
> zconf.h.
>
> This is a backport of the 5.2.2-19.1 NMU to sid excluding the spurious
> addition of some .f files in debian/.

+pgplot5 (5.2.2-19+deb8u1) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * Use multiarch path to zconf.h (Closes: #784783)
+(thanks to Edmund Grimley Evans and Vincent McIntyre)

The bug number is typoed (and was in the unstable upload) - it should be
#784743. With that changed, please go ahead.

Regards,

Adam
Bug#818801: jessie-pu: package cairo/1.14.0-2.1+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to update cairo for the next jessie point update for CVE-2016-3190.
I've been using the updated package for a day on my jessie workstation.

Cheers,
Moritz

debdiff:

diff -Nru cairo-1.14.0/debian/changelog cairo-1.14.0/debian/changelog --- cairo-1.14.0/debian/changelog 2014-10-24 21:38:48.0 +0200 +++ cairo-1.14.0/debian/changelog 2016-03-19 22:38:11.0 +0100 @@ -1,3 +1,9 @@ +cairo (1.14.0-2.1+deb8u1) jessie; urgency=medium + + * Fix CVE-2016-3190 + + -- Moritz Mühlenhoff Sat, 19 Mar 2016 22:37:18 +0100 + cairo (1.14.0-2.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru cairo-1.14.0/debian/patches/0009-CVE-2016-3190.patch cairo-1.14.0/debian/patches/0009-CVE-2016-3190.patch --- cairo-1.14.0/debian/patches/0009-CVE-2016-3190.patch1970-01-01 01:00:00.0 +0100 +++ cairo-1.14.0/debian/patches/0009-CVE-2016-3190.patch2016-03-19 22:35:25.0 +0100 
@@ -0,0 +1,32 @@ +From 5c82d91a5e15d29b1489dcb413b24ee7fdf59934 Mon Sep 17 00:00:00 2001 +From: Bryce Harrington +Date: Wed, 3 Dec 2014 19:28:15 -0800 +Subject: image: Fix crash in _fill_xrgb32_lerp_opaque_spans + +If a span length is negative don't go out of bounds processing the fill +data. + +Patch thanks to Ilya Sakhnenko on mailing list. + +Signed-off-by: Bryce Harrington + +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c +index 6ff0f09..48072f8 100644 +--- a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c +@@ -2242,10 +2242,10 @@ _fill_xrgb32_lerp_opaque_spans (void *abstract_renderer, int y, int h, +spans[0].x, y, len, 1, r->u.fill.pixel); + } else { + uint32_t *d = (uint32_t*)(r->u.fill.data + r->u.fill.stride*y + spans[0].x*4); +- while (len--) ++ while (len-- > 0) + *d++ = r->u.fill.pixel; + } +- } else while (len--) { ++ } else while (len-- > 0) { + *d = lerp8x4 (r->u.fill.pixel, a, *d); + d++; + } +-- +cgit v0.10.2 + diff -Nru cairo-1.14.0/debian/patches/series cairo-1.14.0/debian/patches/series --- cairo-1.14.0/debian/patches/series 2014-10-24 21:36:09.0 +0200 +++ cairo-1.14.0/debian/patches/series 2016-03-19 22:36:20.0 +0100 @@ -4,3 +4,4 @@ 06_hurd-map-noreserve.patch 0005-CFF-Fix-unaligned-access.patch 0008-tor-scan-converter-can-t-do_fullrow-when-intersectio.patch +0009-CVE-2016-3190.patch
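Review bot: the changelog entry `* Fix CVE-2016-3190` says nothing about what was fixed; the patch's own subject, "image: Fix crash in _fill_xrgb32_lerp_opaque_spans" on a negative span length, gives a better one-liner, e.g. `* Fix crash on negative span length in _fill_xrgb32_lerp_opaque_spans (CVE-2016-3190)`.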
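Review bot: the src/cairo-image-compositor.c hunk changes the two `while (len--)` loops to `while (len-- > 0)`, which stops them iterating when len is negative, but the context line `spans[0].x, y, len, 1, r->u.fill.pixel);` in the preceding branch still passes the unchecked len to the fill call; please confirm against upstream commit 5c82d91a that this branch needs no guard of its own. It would also help to add `Origin:` and `Bug-Debian:` lines to the git-format-patch header of 0009-CVE-2016-3190.patch so the provenance of the fix is recorded in DEP-3 form.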
Processed: Re: Bug#818801: jessie-pu: package cairo/1.14.0-2.1+deb8u1
Processing control commands:

> tags -1 + confirmed
Bug #818801 [release.debian.org] jessie-pu: package cairo/1.14.0-2.1+deb8u1
Added tag(s) confirmed.

-- 
818801: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818801
Bug#818801: jessie-pu: package cairo/1.14.0-2.1+deb8u1
Control: tags -1 + confirmed

On Sun, 2016-03-20 at 19:33 +0100, Moritz Muehlenhoff wrote:
> +cairo (1.14.0-2.1+deb8u1) jessie; urgency=medium
> +
> + * Fix CVE-2016-3190

I'd prefer a slightly more detailed changelog, but please go ahead.

Regards,

Adam
Bug#818837: nmu: libdbi-drivers_0.9.0-3
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hello,

There are some memory issues when running the test suite for the package
openbsc. These disappear if libdbi-drivers is first rebuilt with GCC 5. It
is hard to track down exactly what the problem is, but rebuilding it seems
to make the test suite pass for openbsc.

Ruben

nmu libdbi-drivers_0.9.0-3 . ANY . unstable . -m ""

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel, powerpc

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Bug#818801: jessie-pu: package cairo/1.14.0-2.1+deb8u1
On Sun, Mar 20, 2016 at 06:43:48PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sun, 2016-03-20 at 19:33 +0100, Moritz Muehlenhoff wrote:
> > +cairo (1.14.0-2.1+deb8u1) jessie; urgency=medium
> > +
> > + * Fix CVE-2016-3190
>
> I'd prefer a slightly more detailed changelog, but please go ahead.

Thanks, uploaded.

Cheers,
Moritz
Bug#818672: jessie-pu: package pgplot5/5.2.2-19+deb8u1
On 2016-03-20 17:11, Adam D. Barratt wrote:
> +pgplot5 (5.2.2-19+deb8u1) jessie; urgency=medium
> +
> + * Non-maintainer upload.
> + * Use multiarch path to zconf.h (Closes: #784783)
> +(thanks to Edmund Grimley Evans and Vincent McIntyre)
>
> The bug number is typoed (and was in the unstable upload) - it should be
> #784743. With that changed, please go ahead.

I just took the changelog entry from sid and rewrote it to mention the
actual problem fixed, keeping the other bits.

Bug number updated and uploaded - but I still didn't verify that this
references the correct bug :-)

Andreas