Bug#964331: marked as done (RM: colorediffs-extension -- RoQA; incompatible with newer Thunderbird versions)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:35:52 +
with message-id 
and subject line Bug#964331: Removed package(s) from oldstable
has caused the Debian Bug report #964331,
regarding RM: colorediffs-extension -- RoQA; incompatible with newer 
Thunderbird versions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
964331: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964331
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: rm

colorediffs-extension does not work with Thunderbird >= 60 (#918171);
for that reason it was already removed from unstable before the release
of buster (#929333).
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

colorediffs-extension | 0.6.2012.01.27.14.07.45-1 | source
xul-ext-colorediffs | 0.6.2012.01.27.14.07.45-1 | all

--- Reason ---
RoQA; incompatible with newer Thunderbird versions
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 964...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/964331

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---


Bug#959430: marked as done (RM: libmicrodns -- RoM; security issues)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:33:25 +
with message-id 
and subject line Bug#959430: Removed package(s) from oldstable
has caused the Debian Bug report #959430,
regarding RM: libmicrodns -- RoM; security issues
to be marked as done.

-- 
959430: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959430
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
Tags: stretch

Same as #959429 but for stretch.

Cheers
-- 
Sebastian Ramacher


signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

libmicrodns | 0.0.3-3 | source
libmicrodns-dev | 0.0.3-3 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
libmicrodns0 | 0.0.3-3 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x

--- Reason ---
RoM; security issues
--

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 959...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/959430

--- End Message ---


Bug#964216: marked as done (RM: dynalogin -- RoQA; depends on to-be-removed simpleid)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:35:01 +
with message-id 
and subject line Bug#964216: Removed package(s) from oldstable
has caused the Debian Bug report #964216,
regarding RM: dynalogin -- RoQA; depends on to-be-removed simpleid
to be marked as done.

-- 
964216: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964216
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
Tags: stretch

Hi,

 As in Bug#929575, simpleid 0.8.1-15 doesn't work with the PHP 7.x that is shipped
 with Debian 9 "stretch" and Debian 10 "buster", so I propose we remove it.
 Also, the testing package was removed (#929832) but the stable package still
 remains.


-- 
Regards,

 Hideki Yamane henrich @ debian.org/iijmio-mail.jp
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

dynalogin | 1.0.0-3 | source
dynalogin-client-php | 1.0.0-3 | all
dynalogin-server | 1.0.0-3+b3 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
libdynalogin-1-0 | 1.0.0-3+b3 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
libdynaloginclient-1-0 | 1.0.0-3+b3 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
libpam-dynalogin | 1.0.0-3+b3 | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
simpleid-store-dynalogin | 1.0.0-3 | all

--- Reason ---
RoQA; depends on to-be-removed simpleid
--

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 964...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/964216

--- End Message ---


Bug#964342: marked as done (RM: mathematica-fonts -- RoQA; relies on unavailable download location)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:36:12 +
with message-id 
and subject line Bug#964342: Removed package(s) from oldstable
has caused the Debian Bug report #964342,
regarding RM: mathematica-fonts -- RoQA; relies on unavailable download location
to be marked as done.

-- 
964342: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964342
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
Control: clone -1 -2
Control: retitle -2 RM: mathematica-fonts/21
Control: tags -1 stretch
Control: tags -2 buster

fonts-mathematica is an installer for fonts that
are no longer downloadable. (#960466)
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

fonts-mathematica | 20 | all
mathematica-fonts | 20 | source, all

--- Reason ---
RoQA; relies on unavailable download location
--

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 964...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/964342

--- End Message ---


Bug#964883: marked as done (RM: gplaycli -- RoQA; broken by Google API changes)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:36:28 +
with message-id 
and subject line Bug#964883: Removed package(s) from oldstable
has caused the Debian Bug report #964883,
regarding RM: gplaycli -- RoQA; broken by Google API changes
to be marked as done.

-- 
964883: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964883
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

gplaycli in buster was broken by Google API changes (#950112)
and already removed in the last buster point release (#958231).

I have confirmed that the older version in stretch is also nonfunctional.
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

  gplaycli |0.2.1-1 | source, all

--- Reason ---
RoQA; broken by Google API changes
--

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 964...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/964883

--- End Message ---


Bug#965254: RM: openhackware/0.4.1+git-20140423.c559da7c-4.1

2020-07-18 Thread Michael Tokarev
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

The package openhackware builds a single binary blob, ppc_rom.bin,
which is a bios/firmware for old PowerPC machines.

This firmware was used by the qemu package (namely qemu-system-ppc)
to emulate PowerPC hardware.  However, since version 5.0, support
for this old PowerPC machine type has been removed from qemu, so
this package is basically useless now.

There's no other purpose for this single binary ROM image in the
Debian archive.

Please remove openhackware package from testing.

Thanks,

/mjt



Bug#965257: buster-pu: package clamav/0.102.4+dfsg-0+deb10u1

2020-07-18 Thread Sebastian Andrzej Siewior
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

ClamAV upstream released 0.102.4 fixing three CVEs. From their news:

- [CVE-2020-3350]
  Fix a vulnerability wherein a malicious user could replace a scan target's
  directory with a symlink to another path to trick clamscan, clamdscan, or
  clamonacc into removing or moving a different file (eg. a critical system
  file). The issue would affect users that use the --move or --remove options
  for clamscan, clamdscan, and clamonacc.

  For more information about AV quarantine attacks using links, see the
  [RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software).

- [CVE-2020-3327]
  Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that
  could cause a Denial-of-Service (DoS) condition. Improper bounds checking
  results in an out-of-bounds read which could cause a crash.
  The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly
  resolves the issue.

- [CVE-2020-3481]
  Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 that
  could cause a Denial-of-Service (DoS) condition. Improper error handling
  may result in a crash due to a NULL pointer dereference.
  This vulnerability is mitigated for those using the official ClamAV
  signature databases because the file type signatures in daily.cvd
  will not enable the EGG archive parser in versions affected by the
  vulnerability.

I prepared the packages and gave them a brief test overnight.

Sebastian
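The CVE-2020-3350 entry above describes a directory-swap race: between the scan flagging a file and the --move/--remove action, the directory holding it is replaced by a symlink so that the action lands on a different file. The ClamAV patch attached below resolves the real path once at scan time. As an added example (not ClamAV's code and not part of this mail), the following Linux-only Python shows a stronger check a removal step can perform at action time: open the directory component by component with O_NOFOLLOW, compare its device/inode against what was recorded at scan time, and unlink relative to that directory fd. The helper names (`open_dir_nofollow`, `dir_identity`, `safe_remove`, `demo`) and the temporary files it creates are assumptions of this example.

```python
"""Guarding a quarantine-style delete against a directory-swap race.

Added example, not ClamAV code. Linux/POSIX only (relies on openat-style
dir_fd support, O_DIRECTORY and O_NOFOLLOW).
"""
import os
import stat
import tempfile

# Flags for opening a directory fd: must be a directory, never inherited by children.
O_DIR = os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC


def open_dir_nofollow(dirpath):
    """Open dirpath one component at a time, each with O_NOFOLLOW, so that a
    symlink anywhere in the path makes the open fail (ELOOP) instead of being
    followed. Returns a directory fd that the caller must close."""
    fd = os.open("/", O_DIR)
    try:
        for comp in os.path.abspath(dirpath).split("/"):
            if not comp:
                continue
            nfd = os.open(comp, O_DIR | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
        return fd
    except OSError:
        os.close(fd)
        raise


def dir_identity(dirpath):
    """At scan time: record (st_dev, st_ino) of the directory holding the target."""
    fd = open_dir_nofollow(dirpath)
    try:
        st = os.fstat(fd)
        return (st.st_dev, st.st_ino)
    finally:
        os.close(fd)


def safe_remove(target, expected_dir_identity):
    """Unlink target relative to its directory fd, but only if that directory is
    still the one seen at scan time and the entry itself is a regular file.
    Returns True if removed, False if the check refused or the entry vanished."""
    parent, name = os.path.split(os.path.abspath(target))
    try:
        dirfd = open_dir_nofollow(parent)
    except OSError:
        return False  # some path component is now a symlink, or is gone
    try:
        st = os.fstat(dirfd)
        if (st.st_dev, st.st_ino) != expected_dir_identity:
            return False  # directory replaced since scan time
        est = os.stat(name, dir_fd=dirfd, follow_symlinks=False)
        if not stat.S_ISREG(est.st_mode):
            return False  # refuse symlinks and anything that is not a plain file
        os.unlink(name, dir_fd=dirfd)
        return True
    except FileNotFoundError:
        return False
    finally:
        os.close(dirfd)


def demo():
    """Constructed scenario in a temp dir: a flagged file, a same-named file in
    another directory, and the swap of the scanned directory for a symlink."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="quarantine-demo-"))
    scan_dir = os.path.join(base, "scan")
    other_dir = os.path.join(base, "other")
    os.mkdir(scan_dir)
    os.mkdir(other_dir)
    flagged = os.path.join(scan_dir, "sample.bin")     # the file the scanner flagged
    bystander = os.path.join(other_dir, "sample.bin")  # same name, different directory
    for p in (flagged, bystander):
        with open(p, "w") as f:
            f.write("constructed sample\n")

    ident = dir_identity(scan_dir)              # recorded when the file was flagged
    plain_removal = safe_remove(flagged, ident)  # no swap: removal proceeds
    with open(flagged, "w") as f:               # recreate the flagged file for run two
        f.write("constructed sample\n")

    # The race from the advisory: the scanned directory becomes a symlink before
    # the removal step runs. A plain os.remove(flagged) would follow it.
    os.rename(scan_dir, scan_dir + ".moved")
    os.symlink(other_dir, scan_dir)
    swap_refused = not safe_remove(flagged, ident)
    return {
        "plain_removal": plain_removal,
        "swap_refused": swap_refused,
        "bystander_intact": os.path.exists(bystander),
    }


if __name__ == "__main__":
    print(demo())  # {'plain_removal': True, 'swap_refused': True, 'bystander_intact': True}
```

The point of recording the directory's device/inode rather than its path is that a path can be re-bound under the scanner at any moment, while an inode identity cannot be forged by renaming; the fd-relative unlink then acts on the directory that was actually checked.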
diff -Nru clamav-0.102.3+dfsg/clamdscan/proto.c 
clamav-0.102.4+dfsg/clamdscan/proto.c
--- clamav-0.102.3+dfsg/clamdscan/proto.c   2020-05-12 03:54:49.0 
+0200
+++ clamav-0.102.4+dfsg/clamdscan/proto.c   2020-07-15 23:54:36.0 
+0200
@@ -262,9 +262,23 @@
 char *bol, *eol;
 struct RCVLN rcv;
 STATBUF sb;
+cl_error_t ret;
+char *real_filename = NULL;
+
+if (filename) {
+ret = cli_realpath((const char *) filename, &real_filename);
+if (CL_SUCCESS != ret) {
+logg("Failed to determine real filename of %s.\n", filename);
+infected = -1;
+goto done;
+}
+filename = real_filename;
+
+if (1 == chkpath(filename)) {
+goto done;
+}
+}
 
-if (filename && chkpath(filename))
-return 0;
 recvlninit(&rcv, sockd);
 
 switch (scantype) {
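Review bot: `infected` is left untouched on the new `1 == chkpath(filename)` path before `goto done`, and its initialisation is outside this hunk; the old code returned an explicit 0 there, so make sure `infected` is initialised to 0 before the first `goto done`, otherwise the chkpath rejection returns whatever the variable held. Also worth stating in the changelog that resolving the path once with cli_realpath() at scan time narrows, but does not close, the window between this check and the later --move/--remove action; an action-time check against the directory opened without following symlinks is what closes it.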
@@ -273,17 +287,20 @@
 case ALLMATCH:
 if (!filename) {
 logg("Filename cannot be NULL for MULTISCAN or CONTSCAN.\n");
-return -1;
+infected = -1;
+goto done;
 }
 len = strlen(filename) + strlen(scancmd[scantype]) + 3;
 if (!(bol = malloc(len))) {
 logg("!Cannot allocate a command buffer: %s\n", 
strerror(errno));
-return -1;
+infected = -1;
+goto done;
 }
 sprintf(bol, "z%s %s", scancmd[scantype], filename);
 if (sendln(sockd, bol, len)) {
 free(bol);
-return -1;
+infected = -1;
+goto done;
 }
 free(bol);
 break;
@@ -304,11 +321,15 @@
 *printok = 0;
 if (errors)
 (*errors)++;
-return len;
+infected = len;
+goto done;
 }
 
 while ((len = recvln(&rcv, &bol, &eol))) {
-if (len == -1) return -1;
+if (len == -1) {
+infected = -1;
+goto done;
+}
 beenthere = 1;
 if (!filename) logg("~%s\n", bol);
 if (len > 7) {
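Review bot: `infected = len; goto done;` keeps the old return value on the recvln error branch but now routes it through the common cleanup at `done:`, which frees real_filename; that is correct as long as the caller never expects `filename` to remain valid after the return, since `filename` was reassigned to the resolved buffer in the first hunk.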
@@ -328,7 +349,8 @@
  (scantype < 0 || scantype > MAX_SCANTYPE) ? 
"unidentified" : scancmd[scantype]);
 else
 logg("Failed to parse reply: \"%s\"\n", bol);
-return -1;
+infected = -1;
+goto done;
 } else if (!memcmp(eol - 7, " FOUND", 6)) {
 static char last_filename[PATH_MAX + 1] = {'\0'};
 *(eol - 7)  = 0;
@@ -369,18 +391,26 @@
 if (!beenthere) {
 if (!filename) {
 logg("STDIN: noreply from clamd\n.");
-return -1;
+infected = -1;
+goto done;
 }
 if (CLAMSTAT(filename, &sb) == -1) {
 logg("~%s: stat() failed with %s, clamd may not be responding\n",
  filename, strerror(errno));
-return -1;
+infected = -1;
+goto done;
 }
 if (!S_ISDIR(sb.st_mode)) {
 logg("~%s: no reply from clamd\n", filename);
-return -1;
+infected = -1;
+goto done;
 }
 }
+
+done:
+if (NULL != real_filename) {
+free(real_filename);
+}
 retu
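Review bot: after `done:` frees `real_filename`, `filename` still aliases the freed buffer, and the return statement is cut off in this mail; verify that nothing after the label dereferences `filename`. The CLAMSTAT() and the "no reply from clamd" diagnostics in this hunk now report the resolved path rather than the one the user passed, which is fine but changes the message text users see; logging the original name there would keep the output stable.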

Bug#881871: marked as done (stretch-pu: package bacula/7.4.4+dfsg-6)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #881871,
regarding stretch-pu: package bacula/7.4.4+dfsg-6
to be marked as done.

-- 
881871: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881871
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

we would like to fix the following two problems in stable:

1) The bacula packages are vulnerable to a security problem similar to
CVE-2017-14610 (PID files not owned by root). On the downside this
change disables a bacula feature that permits automatic tracebacks on a
crash. I've mailed the security team about this, they recommended a
stable update.

2) Bug #880529: When updating from jessie to stretch, the package
"bacula-director-common" will be removed, but the postrm will stay
around. Upon purging this package, postrm unconditionally removes the
main bacula configuration file /etc/bacula/bacula-dir.conf, leaving
bacula unusable. We fix this by introducing a transitional package that
can then be safely removed.

Regards,

Carsten

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 
'oldoldstable'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

diff -Nru bacula-7.4.4+dfsg/debian/bacula-director.init bacula-7.4.4+dfsg/debian/bacula-director.init
--- bacula-7.4.4+dfsg/debian/bacula-director.init	2017-02-26 13:39:25.0 +0100
+++ bacula-7.4.4+dfsg/debian/bacula-director.init	2017-11-15 22:55:15.0 +0100
@@ -67,7 +67,7 @@
 {
 	if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
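Review bot: removing `--chuid $BUSER:$BGROUP` means start-stop-daemon now execs the director as root and the daemon's own `-u $BUSER -g $BGROUP` is what drops privileges after the PID file has been written root-owned; that matches the changelog's intent, but the changelog should say explicitly that privilege dropping moved from start-stop-daemon into the daemon, since the same edit is repeated for fd and sd below.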
diff -Nru bacula-7.4.4+dfsg/debian/bacula-fd.init bacula-7.4.4+dfsg/debian/bacula-fd.init
--- bacula-7.4.4+dfsg/debian/bacula-fd.init	2017-02-26 13:39:25.0 +0100
+++ bacula-7.4.4+dfsg/debian/bacula-fd.init	2017-11-15 22:55:15.0 +0100
@@ -54,7 +54,7 @@
 {
 	if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
diff -Nru bacula-7.4.4+dfsg/debian/bacula-sd.init bacula-7.4.4+dfsg/debian/bacula-sd.init
--- bacula-7.4.4+dfsg/debian/bacula-sd.init	2017-02-26 13:39:25.0 +0100
+++ bacula-7.4.4+dfsg/debian/bacula-sd.init	2017-11-15 22:55:15.0 +0100
@@ -53,7 +53,7 @@
 {
 	if $DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
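Review bot: the new line `--oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG` passes the user with `-g`; the configtest line above carries the same typo, while bacula-director.init and bacula-fd.init use `-u $BUSER -g $BGROUP`. With `--chuid` gone this argument list is now the only thing that drops privileges, so as written bacula-sd would not switch to $BUSER; it should read `-u $BUSER -g $BGROUP`.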
diff -Nru bacula-7.4.4+dfsg/debian/changelog bacula-7.4.4+dfsg/debian/changelog
--- bacula-7.4.4+dfsg/debian/changelog	2017-02-26 13:39:25.0 +0100
+++ bacula-7.4.4+dfsg/debian/changelog	2017-11-15 22:55:15.0 +0100
@@ -1,3 +1,17 @@
+bacula (7.4.4+dfsg-6+deb9u1) stretch; urgency=medium
+
+  [Sven Hartge]
+  * Let PID files be owned by root. Mitigates a minor security problem
+similar to CVE 2017-14610. Note that this change disables automatic
+tracebacks.
+
+  [ Carsten Leonhardt ]
+  * Added transitional package bacula-director-common, the old leftover
+package can't be safely purged otherwise (it deletes
+/etc/bacula/bacula-dir.conf in postrm) (Closes: #880529)
+
+ -- Carsten Leonhardt   Wed, 15 Nov 2017 22:55:15 +0100
+
 bacula (7.4.4+dfsg-6) unstable; urgency=medium
 
   [Sven Hartge]
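Review bot: style: write the identifier as `CVE-2017-14610` (hyphenated, as the security tracker lists it) so changelog-scanning tools pick it up, and use the same bracket spacing for both contributor blocks (`[Sven Hartge]` vs `[ Carsten Leonhardt ]`). The PID-file entry would also benefit from a bug reference if one was filed, as the second entry has with `(Closes: #880529)`.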
diff -Nru bacula-7.4.4+dfsg/debian/control bacula-7.4.4+dfsg/debian/control
--- bacula-7.4.4+dfsg/debian/control	2017-02-26 13:39:25.0 +0100
+++ bacula-7.4.4+dfsg/debian/control	2017-11-15 22:55:15.0 +0100
@@ -357,3 +357,13 @@
  .
  Th

Bug#898006: marked as done (stretch-pu: package pcl/1.8.0+dfsg1-3)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #898006,
regarding stretch-pu: package pcl/1.8.0+dfsg1-3
to be marked as done.

-- 
898006: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898006
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

in #894656 I was asked to add libvtk6-qt-dev as a dependency to
libpcl-dev in stretch. I would like to do this, except for armel and
armhf, where it fails due to OpenGLES, cf. #835292.

The resulting debdiff is attached.

Thanks for consideration

Jochen
diff -Nru pcl-1.8.0+dfsg1/debian/changelog pcl-1.8.0+dfsg1/debian/changelog
--- pcl-1.8.0+dfsg1/debian/changelog2016-09-04 07:30:23.0 +
+++ pcl-1.8.0+dfsg1/debian/changelog2018-05-05 12:52:44.0 +
@@ -1,3 +1,9 @@
+pcl (1.8.0+dfsg1-4+deb9u1) stretch; urgency=medium
+
+  * Add dependency to libvtk6-qt-dev (Closes: #894656)
+
+ -- Jochen Sprickerhof   Sat, 05 May 2018 14:52:44 +0200
+
 pcl (1.8.0+dfsg1-3) unstable; urgency=medium
 
   * Disable QT on arm (Closes: #835292)
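Review bot: the new version `1.8.0+dfsg1-4+deb9u1` is derived from -4, but the entry directly below it and the bug title show that stretch has `1.8.0+dfsg1-3`; a stretch update should be `1.8.0+dfsg1-3+deb9u1` so it is based on the version actually in the suite and stays below any later unstable revision.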
diff -Nru pcl-1.8.0+dfsg1/debian/control pcl-1.8.0+dfsg1/debian/control
--- pcl-1.8.0+dfsg1/debian/control  2016-09-04 07:22:11.0 +
+++ pcl-1.8.0+dfsg1/debian/control  2018-05-05 12:52:44.0 +
@@ -40,6 +40,7 @@
 libflann-dev,
 libvtk6-dev,
 libqhull-dev,
+libvtk6-qt-dev [!armel !armhf],
 libopenni-dev [!s390x !alpha !hppa !hurd-i386 !kfreebsd-any !m68k !sh4 
!sparc64],
 libopenni2-dev [!armel !hppa !hurd-i386 !kfreebsd-any !m68k 
!powerpcspe],
 libpcl-apps1.8 (= ${binary:Version}),
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#892932: marked as done (stretch-pu: package websockify/0.8.0+dfsg1-7+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #892932,
regarding stretch-pu: package websockify/0.8.0+dfsg1-7+deb9u1
to be marked as done.

-- 
892932: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892932
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

  * Add runtime depends on python{3,}-pkg-resources (Closes: #879224).
diff -Nru websockify-0.8.0+dfsg1/debian/changelog 
websockify-0.8.0+dfsg1/debian/changelog
--- websockify-0.8.0+dfsg1/debian/changelog 2016-10-11 17:14:26.0 
+0300
+++ websockify-0.8.0+dfsg1/debian/changelog 2018-03-14 18:36:35.0 
+0200
@@ -1,3 +1,10 @@
+websockify (0.8.0+dfsg1-7+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Add runtime depends on python{3,}-pkg-resources (Closes: #879224).
+
+ -- Adrian Bunk   Wed, 14 Mar 2018 18:36:35 +0200
+
 websockify (0.8.0+dfsg1-7) unstable; urgency=medium
 
   * 4th iteration of the non-linux TCP socket option patch.
diff -Nru websockify-0.8.0+dfsg1/debian/control 
websockify-0.8.0+dfsg1/debian/control
--- websockify-0.8.0+dfsg1/debian/control   2016-10-11 17:14:26.0 
+0300
+++ websockify-0.8.0+dfsg1/debian/control   2018-03-14 18:36:17.0 
+0200
@@ -56,6 +56,7 @@
 Package: python-websockify
 Architecture: any
 Depends: python-numpy,
+ python-pkg-resources,
  websockify-common (= ${source:Version}),
  ${misc:Depends},
  ${python:Depends},
@@ -92,6 +93,7 @@
 Package: python3-websockify
 Architecture: any
 Depends: python3-numpy,
+ python3-pkg-resources,
  websockify-common (= ${source:Version}),
  ${misc:Depends},
  ${python3:Depends},
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#891657: marked as done (stretch-pu: package swt-gtk/3.8.2-3+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #891657,
regarding stretch-pu: package swt-gtk/3.8.2-3+deb9u1
to be marked as done.

-- 
891657: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891657
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

   * libswt-webkit-gtk-3-jni: Add the missing dependency
 on libwebkitgtk-1.0-0. (Closes: #879170)
diff -Nru swt-gtk-3.8.2/debian/changelog swt-gtk-3.8.2/debian/changelog
--- swt-gtk-3.8.2/debian/changelog  2013-06-28 07:47:03.0 +0300
+++ swt-gtk-3.8.2/debian/changelog  2018-02-27 20:33:20.0 +0200
@@ -1,3 +1,11 @@
+swt-gtk (3.8.2-3+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * libswt-webkit-gtk-3-jni: Add the missing dependency
+on libwebkitgtk-1.0-0. (Closes: #879170)
+
+ -- Adrian Bunk   Tue, 27 Feb 2018 20:33:20 +0200
+
 swt-gtk (3.8.2-3) unstable; urgency=low
 
   * Fix FTBFS with glib 2.35 (Closes: #710649).
diff -Nru swt-gtk-3.8.2/debian/control swt-gtk-3.8.2/debian/control
--- swt-gtk-3.8.2/debian/control2013-06-28 07:47:03.0 +0300
+++ swt-gtk-3.8.2/debian/control2018-02-27 20:33:20.0 +0200
@@ -83,7 +83,7 @@
 
 Package: libswt-webkit-gtk-3-jni
 Architecture: any
-Depends: libswt-gtk-3-jni (= ${binary:Version}), ${shlibs:Depends}, 
${misc:Depends}
+Depends: libswt-gtk-3-jni (= ${binary:Version}), ${shlibs:Depends}, 
${misc:Depends}, libwebkitgtk-1.0-0
 Breaks: libswt-gtk-3-java (<< ${binary:Version}), libswt-gtk-3-java (>> 
${binary:Version})
 Description: Standard Widget Toolkit for GTK+ WebKit JNI library
  The Standard Widget Toolkit (SWT) is a fast and rich Java GUI toolkit.
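Review bot: `${shlibs:Depends}` is already on this line and did not produce `libwebkitgtk-1.0-0`, so the JNI library is evidently not linked against it but loads it at runtime; hard-coding the SONAME package is then the only option, but that reasoning belongs in the changelog entry so the next maintainer does not drop it as redundant. It is also pinned to the exact SONAME package name and unversioned, so it will need touching when webkitgtk bumps its ABI. Minor: the edited `Depends:` line keeps the trailing whitespace of the original.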
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#921319: marked as done (stretch-pu: package iptables-persistent/1.0.4+nmu2)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #921319,
regarding stretch-pu: package iptables-persistent/1.0.4+nmu2
to be marked as done.


-- 
921319: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921319
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello release team

I'd like to fix the bug #921186 in stable, only adding a dependency to
iptables-persistent the bug can be closed

debdiff attached

thanks!

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: arm64 (aarch64)

Kernel: Linux 4.19.0-1-arm64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE=en_US (charmap=UTF-8) (ignored: LC_ALL set to 
en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru iptables-persistent-1.0.4+nmu2/debian/changelog 
iptables-persistent-1.0.4+nmu3/debian/changelog
--- iptables-persistent-1.0.4+nmu2/debian/changelog 2017-03-18 
21:11:49.0 +0800
+++ iptables-persistent-1.0.4+nmu3/debian/changelog 2019-02-03 
19:18:27.0 +0800
@@ -1,3 +1,11 @@
+iptables-persistent (1.0.4+nmu3) stable; urgency=medium
+
+  * Non-maintainer upload
+  * Depend on kmod as /sbin/modprobe is called unconditionally
+Thanks Hugo, Closes (#921186)
+
+ -- gustavo panizzo   Sun, 03 Feb 2019 19:18:27 +0800
+
 iptables-persistent (1.0.4+nmu2) unstable; urgency=medium
 
   * Non-maintainer upload.
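Review bot: `Thanks Hugo, Closes (#921186)` is not the closes syntax dpkg and the BTS parse (`Closes: #921186`), so this upload will not close the bug automatically; please reword it. Two more stable-update conventions are off in the same hunk: the distribution should be the codename `stretch` rather than `stable`, and the version should follow the `+deb9u1` scheme (`1.0.4+nmu2+deb9u1`) rather than `+nmu3`, which would otherwise collide with a future NMU in unstable and sort above it.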
diff -Nru iptables-persistent-1.0.4+nmu2/debian/control 
iptables-persistent-1.0.4+nmu3/debian/control
--- iptables-persistent-1.0.4+nmu2/debian/control   2017-03-17 
12:50:20.0 +0800
+++ iptables-persistent-1.0.4+nmu3/debian/control   2019-02-03 
19:18:17.0 +0800
@@ -21,7 +21,7 @@
 
 Package: iptables-persistent
 Architecture: all
-Depends: netfilter-persistent (= ${source:Version}), iptables, ${misc:Depends}
+Depends: netfilter-persistent (= ${source:Version}), iptables, kmod, 
${misc:Depends}
 Description: boot-time loader for netfilter rules, iptables plugin
  netfilter-persistent is a loader for netfilter configuration using a
  plugin-based architecture.
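Review bot: `kmod` is the right package for `/sbin/modprobe` on stretch, but since the plugin calls modprobe unconditionally, the dependency alone does not help where the modules cannot be loaded at all (containers, kernels with netfilter built in), where the call will still fail; making the plugin tolerate a failing modprobe (for example only calling it when `/proc/modules` exists, and not aborting on a non-zero exit) would fix the underlying problem rather than just the missing binary.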
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#912531: marked as done (stretch-pu: package exiv2/0.25-3.1+deb9u2)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #912531,
regarding stretch-pu: package exiv2/0.25-3.1+deb9u2
to be marked as done.


-- 
912531: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912531
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I have prepared an update for exiv2 in jessie (0.24-4.1+deb8u2) related
to CVE-2018-16336 and also including a minor fix to the previous patch
for CVE-2018-10958 and CVE-2018-10999.

The patch for the jessie package applied to the stretch exiv2 package
with only one small change required.  I corresponded with the exiv2
maintainers and also Salvatore about whether I should upload this as a
security update.

Salvatore indicated that for stable he was inclined to consider that
this did not warrant a DSA and he recommended that I proceed with a
stable update for the next point release.

Please find attached the source debdiff.

Regards,

-Roberto
diff -Nru exiv2-0.25/debian/changelog exiv2-0.25/debian/changelog
--- exiv2-0.25/debian/changelog	2018-06-27 08:09:36.0 -0400
+++ exiv2-0.25/debian/changelog	2018-10-20 22:43:10.0 -0400
@@ -1,3 +1,13 @@
+exiv2 (0.25-3.1+deb9u2) stretch-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Minor adjustment to the patch for CVE-2018-10958 and CVE-2018-10999.  The
+initial patch was overly restrictive in counting PNG image chunks.
+  * CVE-2018-16336: remote denial of service (heap-based buffer over-read) via
+a crafted image file.
+
+ -- Roberto C. Sanchez   Sat, 20 Oct 2018 22:43:10 -0400
+
 exiv2 (0.25-3.1+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru exiv2-0.25/debian/patches/CVE-2018-10958_10999_1_of_2.patch exiv2-0.25/debian/patches/CVE-2018-10958_10999_1_of_2.patch
--- exiv2-0.25/debian/patches/CVE-2018-10958_10999_1_of_2.patch	2018-06-27 08:09:36.0 -0400
+++ exiv2-0.25/debian/patches/CVE-2018-10958_10999_1_of_2.patch	2018-10-20 22:43:10.0 -0400
@@ -32,7 +32,7 @@
  }
  else if(type == iTXt_Chunk)
  {
-+const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_-1], '\0');
++const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_], '\0');
 +if (nullSeparators < 2) throw Error(58);
 +
  // Extract a deflate compressed or uncompressed UTF-8 text chunk
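Review bot: the corrected end pointer `&data.pData_[data.size_]` is the right one: `std::count` takes a half-open range, so the original `data.size_-1` silently excluded the last byte of the chunk from the count, which is exactly why the check rejected valid iTXt chunks whose text field is empty (there the second NUL separator is the final byte). Forming a one-past-the-end pointer is legal as long as nothing dereferences it, which is the case here. A regression test with an iTXt chunk whose last byte is the second separator would pin the fix down.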
diff -Nru exiv2-0.25/debian/patches/CVE-2018-10958_10999_2_of_2.patch exiv2-0.25/debian/patches/CVE-2018-10958_10999_2_of_2.patch
--- exiv2-0.25/debian/patches/CVE-2018-10958_10999_2_of_2.patch	2018-06-27 08:09:36.0 -0400
+++ exiv2-0.25/debian/patches/CVE-2018-10958_10999_2_of_2.patch	2018-10-20 22:43:10.0 -0400
@@ -14,7 +14,7 @@
 @@ -159,14 +159,24 @@
  else if(type == iTXt_Chunk)
  {
- const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_-1], '\0');
+ const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_], '\0');
 -if (nullSeparators < 2) throw Error(58);
 +if (nullSeparators < 2) throw Error(58, "iTXt chunk: not enough null separators");
  
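Review bot: this hunk only brings the context line of `2_of_2` in line with the new code from `1_of_2`; it is necessary (quilt would otherwise apply with fuzz or fail), but it means the two patch files are now coupled. Either fold the one-line correction into a single patch or record in the DEP-3 header of `2_of_2` that it depends on `1_of_2` as modified here.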
diff -Nru exiv2-0.25/debian/patches/CVE-2018-16336.patch exiv2-0.25/debian/patches/CVE-2018-16336.patch
--- exiv2-0.25/debian/patches/CVE-2018-16336.patch	1969-12-31 19:00:00.0 -0500
+++ exiv2-0.25/debian/patches/CVE-2018-16336.patch	2018-10-20 22:43:10.0 -0400
@@ -0,0 +1,130 @@
+From 35b3e596edacd2437c2c5d3dd2b5c9502626163d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= 
+Date: Fri, 17 Aug 2018 16:41:05 +0200
+Subject: [PATCH] Add overflow & overread checks to PngChunk::parseTXTChunk()
+
+This function was creating a lot of new pointers and strings without
+properly checking the array bounds. This commit adds several calls
+to enforce(), making sure that the pointers stay within bounds.
+Strings are now created using the helper function
+string_from_unterminated() to prevent overreads in the constructor of
+std::string.
+
+This fixes #400
+---
+ src/pngchunk_int.cpp | 63 ++--
+ 1 file changed, 37 insertions(+), 26 deletions(-)
+
+--- exiv2-stretch.git.orig/src/pngchunk.cpp
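Review bot: the upstream diffstat in this header references `src/pngchunk_int.cpp`, while the Debian patch body touches `src/pngchunk.cpp` (the file name in 0.25, before upstream renamed it); the header should say the commit was backported with the path adjusted (a DEP-3 `Origin: backport, <commit URL>` line), otherwise a reader comparing with upstream commit 35b3e596 will assume the wrong file was patched.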
 exiv
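The off-by-one fixed in the exiv2 debdiff above is easy to reproduce in isolation. The following is an added example and not exiv2's code: a small C++ routine that walks the body of a PNG iTXt chunk the way the patched check does (skip the keyword, its NUL and the two compression bytes, then count NUL separators) and can run that count over either the correct half-open range `[keysize+3, size)` or the original `[keysize+3, size-1)`. The chunk bytes are constructed inline; the function and helper names are assumptions made for this example.

```cpp
// Added example, not part of exiv2: why the iTXt separator count must use
// the half-open range [keysize+3, size) and not [keysize+3, size-1).
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// Layout of an iTXt chunk body (PNG specification):
//   keyword '\0' compression_flag(1) compression_method(1)
//   language_tag '\0' translated_keyword '\0' text
// The check skips keyword + NUL + 2 flag bytes (keysize+3) and requires at
// least two more NUL separators before it trusts the language tag and
// translated keyword offsets.

// Count NUL bytes in [keysize+3, stop). std::count takes a half-open range,
// so data.begin()+size() is the correct one-past-the-end iterator: legal to
// form, never dereferenced. With excludeLastByte the stop is size()-1, which
// reproduces the original patch's behaviour.
static int countSeparators(const Bytes& data, std::size_t keysize, bool excludeLastByte) {
    const std::size_t start = keysize + 3;
    if (start > data.size()) throw std::runtime_error("iTXt chunk too short");
    const std::size_t stop = excludeLastByte ? data.size() - 1 : data.size();
    if (stop < start) return 0;
    return static_cast<int>(std::count(data.begin() + start, data.begin() + stop, std::uint8_t{0}));
}

// The sanity check as applied by the patch: at least two separators.
static bool itxtLooksWellFormed(const Bytes& data, std::size_t keysize, bool excludeLastByte) {
    return countSeparators(data, keysize, excludeLastByte) >= 2;
}

// Constructed sample input (not taken from a real file): an uncompressed iTXt body.
static Bytes makeITXt(const std::string& keyword, const std::string& lang,
                      const std::string& translated, const std::string& text) {
    Bytes d;
    auto put = [&d](const std::string& s) { d.insert(d.end(), s.begin(), s.end()); };
    put(keyword);    d.push_back(0);   // keyword terminator
    d.push_back(0);                    // compression flag: uncompressed
    d.push_back(0);                    // compression method
    put(lang);       d.push_back(0);   // language tag terminator
    put(translated); d.push_back(0);   // translated keyword terminator
    put(text);                         // text, not NUL-terminated
    return d;
}

// Constructed malformed input: keyword and flags, then a bare "en" with no
// separators at all, the kind of chunk the check exists to reject.
static Bytes makeMalformedITXt() {
    Bytes d = makeITXt("Comment", "en", "Kommentar", "hello");
    d.resize(7 + 3 + 2);  // "Comment" + NUL + 2 flag bytes + "en"
    return d;
}

int main() {
    const std::size_t keysize = std::string("Comment").size();
    const Bytes emptyText = makeITXt("Comment", "", "", "");   // last byte is the 2nd separator
    std::printf("empty-text chunk, [keysize+3,size):   %d separators\n",
                countSeparators(emptyText, keysize, false));
    std::printf("empty-text chunk, [keysize+3,size-1): %d separators\n",
                countSeparators(emptyText, keysize, true));
    std::printf("malformed chunk:                      %d separators\n",
                countSeparators(makeMalformedITXt(), keysize, false));
    return 0;
}
```

With the empty-text chunk the original range sees only one separator and rejects a legal chunk, while the corrected range sees two; the malformed chunk is rejected either way, which is what makes the correction purely a false-positive fix rather than a weakening of the CVE-2018-10958 / CVE-2018-10999 check.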

Bug#893439: marked as done (pu: libdbi/0.9.0-4+deb9u2)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #893439,
regarding pu: libdbi/0.9.0-4+deb9u2
to be marked as done.


-- 
893439: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893439
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

libdbi 0.9.0-4+deb9u1 broke gnucash tests, runtime issues
with this backend were so far not reported but are not unlikely.
diff -Nru gnucash-2.6.15/debian/changelog gnucash-2.6.15/debian/changelog
--- gnucash-2.6.15/debian/changelog 2016-12-21 23:24:13.0 +0200
+++ gnucash-2.6.15/debian/changelog 2018-03-18 21:22:16.0 +0200
@@ -1,3 +1,11 @@
+gnucash (1:2.6.15-1+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Add upstream fix for building with libdbi 0.9.0-4+deb9u1,
+thanks to Morham Malpense for the bug report. (Closes: #893077)
+
+ -- Adrian Bunk   Sun, 18 Mar 2018 21:22:16 +0200
+
 gnucash (1:2.6.15-1) unstable; urgency=medium
 
   * New upstream release [December 2016].
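Review bot: this debdiff is for gnucash (1:2.6.15-1+deb9u1) while the request is titled `pu: libdbi/0.9.0-4+deb9u2`; if both packages are part of the same point-release fix, the gnucash changelog should say which libdbi it is being adapted to (the entry says 0.9.0-4+deb9u1, the upstream commit it imports says 0.9.0-5), so that the two updates can be tracked together.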
diff -Nru gnucash-2.6.15/debian/patches/789928u.patch 
gnucash-2.6.15/debian/patches/789928u.patch
--- gnucash-2.6.15/debian/patches/789928u.patch 1970-01-01 02:00:00.0 
+0200
+++ gnucash-2.6.15/debian/patches/789928u.patch 2018-03-18 21:21:48.0 
+0200
@@ -0,0 +1,75 @@
+Forwarded: not-needed
+Origin: upstream, 
https://github.com/Gnucash/gnucash/commit/45bab93613e6a93b206b74ffc18f63708b07293b.patch
+From 45bab93613e6a93b206b74ffc18f63708b07293b Mon Sep 17 00:00:00 2001
+From: John Ralls 
+Date: Tue, 7 Nov 2017 18:06:04 -0800
+Subject: Bug 789928 - FTBFS with libdbi 0.9.0-5 on Debian
+
+Commit 88b8477 on libdbi calls the error handler if one attempts to run
+off the end of a result set. Since we often loop on
+dbi_result_next_row() returning 0 this breaks our logic in several
+places. This change simply returns from the error handler on a
+DB_ERROR_BADIDX allowing the logic to work as before.
+
+--- a/src/backend/dbi/gnc-backend-dbi.c
 b/src/backend/dbi/gnc-backend-dbi.c
+@@ -395,10 +395,15 @@
+ {
+ const gchar* msg;
+ GncDbiBackend *be = (GncDbiBackend*)user_data;
+ GncDbiSqlConnection *dbi_conn = (GncDbiSqlConnection*)(be->sql_be.conn);
+-
+-(void)dbi_conn_error( conn, &msg );
++int err_num = dbi_conn_error( conn, &msg );
++/* BADIDX is raised if we attempt to seek outside of a result. We
++ * handle that possibility after checking the return value of the
++ * seek. Having this raise a critical error breaks looping by
++ * testing for the return value of the seek.
++ */
++if (err_num == DBI_ERROR_BADIDX) return;
+ PERR( "DBI error: %s\n", msg );
+ gnc_dbi_set_error( dbi_conn, ERR_BACKEND_MISC, 0, FALSE );
+ }
+ 
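Review bot: the early `return` on `DBI_ERROR_BADIDX` skips both the `PERR` log and `gnc_dbi_set_error`, so a BADIDX is now completely silent. That is the intent for the `dbi_result_next_row()` loops, but any caller that does not check the seek's return value now loses the failure entirely; a `PINFO`-level line before the `return` would keep it visible without raising the backend error.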
+@@ -610,16 +615,20 @@
+ {
+ GncDbiBackend *be = (GncDbiBackend*)user_data;
+ GncDbiSqlConnection *dbi_conn = (GncDbiSqlConnection*)be->sql_be.conn;
+ const gchar* msg;
+-gint err_num;
+ #ifdef G_OS_WIN32
+ const guint backoff_msecs = 1;
+ #else
+ const guint backoff_usecs = 1000;
+ #endif
+-
+-err_num = dbi_conn_error( conn, &msg );
++int err_num = dbi_conn_error( conn, &msg );
++/* BADIDX is raised if we attempt to seek outside of a result. We
++ * handle that possibility after checking the return value of the
++ * seek. Having this raise a critical error breaks looping by
++ * testing for the return value of the seek.
++ */
++if (err_num == DBI_ERROR_BADIDX) return;
+ 
+ /* Note: the sql connection may not have been initialized yet
+  *   so let's be careful with using it
+  */
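Review bot: `gint err_num;` becomes `int err_num = dbi_conn_error(...)` and moves below the `#ifdef G_OS_WIN32` block; the type change is unrelated churn in GLib-style code and the mixed declaration after the preprocessor block relies on C99, which gcc accepts but is worth keeping consistent with hunk 1. The BADIDX logic itself mirrors hunk 1 and is fine.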
+@@ -1330,10 +1339,16 @@
+ const guint backoff_msecs = 1;
+ #else
+ const guint backoff_usecs = 1000;
+ #endif
++int err_num = dbi_conn_error( conn, &msg );
++/* BADIDX is raised if we attempt to seek outside of a result. We
++ * handle that possibility after checking the return value of the
++ * seek. Having this raise a critical error breaks looping by
++ * testing for the return value of the seek.
++ */
++if (err_num == DBI_ERROR_BADIDX) return;
+ 
+-(void)dbi_conn_error( conn, &msg );
+ if ( g_str_has_prefix( msg, "FATAL:  database" ) &&
+ g_str_has_suffix( msg, "does not exist\n" ) )
+ {
+ PINFO( "DBI error: %s\n", msg );
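Review bot: this is the third identical comment-plus-return block; hoisting it into one small static helper (something like `if (gnc_dbi_error_is_badidx(conn, &msg)) return;`) would remove the duplication and guarantee that any further error handler added later gets the same treatment. Behaviour on the non-BADIDX path is unchanged: `msg` is still set by `dbi_conn_error` before the `g_str_has_prefix` checks, since the moved call replaces the removed `(void)dbi_conn_error( conn, &msg );`.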
diff -Nru gnucash-2.6.15/debian/patches/series 
gnucash-2.6.1

Bug#944228: marked as done (stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #944228,
regarding stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
to be marked as done.


-- 
944228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944228
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This update fixes several security issues, plus an important bug.
Additionally we fix the metadata reflecting the maintainership change.

Here is the changelog, with debdiff attached.

phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium

  [ Matthias Blümel ]
  * Several security fixes
- Cross-site scripting (XSS) vulnerability in db_central_columns.php
  (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
- Remove transformation plugin includes
  (PMASA-2018-6, CVE-2018-19968)
- Fix Stored Cross-Site Scripting (XSS) in navigation tree
  (PMASA-2018-8, CVE-2018-19970)
- Fix information leak (arbitrary file read) using SQL queries
  (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
- a specially crafted username can be used to trigger a SQL injection attack
  (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
- SQL injection in Designer feature
  (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
- CSRF vulnerability in login form
  (PMASA-2019-4, CVE-2019-12616, Closes: #930017)
  * Set Vcs-* to point to salsa
  * Remove Thijs Kinkhorst and Michal Čihař from Uploaders. Thanks for all
your work!

  [ Juri Grabowski ]
  * Fix Vcs- URLs

  [ William Desportes ]
  * Add debian gitlab pipelines config.

  [ Felipe Sateler ]
  * Set phpMyAdmin team as Maintainer

  [ Michal Čihař ]
  * Fix open_basedir setting for PHP 7 (Closes: #867882).

  > This is the non-security fix. The default config was not updated for
  > changes in the php-gettext path for 7.0.


 -- Felipe Sateler   Wed, 06 Nov 2019 08:12:18 -0300


Thanks for your consideration

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru phpmyadmin-4.6.6/debian/changelog phpmyadmin-4.6.6/debian/changelog
--- phpmyadmin-4.6.6/debian/changelog   2017-04-07 11:54:26.0 -0300
+++ phpmyadmin-4.6.6/debian/changelog   2019-11-06 08:12:18.0 -0300
@@ -1,3 +1,40 @@
+phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium
+
+  [ Matthias Blümel ]
+  * Several security fixes
+- Cross-site scripting (XSS) vulnerability in db_central_columns.php
+  (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
+- Remove transformation plugin includes
+  (PMASA-2018-6, CVE-2018-19968)
+- Fix Stored Cross-Site Scripting (XSS) in navigation tree
+  (PMASA-2018-8, CVE-2018-19970)
+- Fix information leak (arbitrary file read) using SQL queries
+  (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
+- a specially crafted username can be used to trigger a SQL injection 
attack
+  (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
+- SQL injection in Designer feature
+  (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
+- CSRF vulnerability in login form
+  (PMASA-2019-4, CVE-2019-12616, Closes: #930017)
+  * Set Vcs-* to point to salsa
+  * Remove Thijs Kinkhorst and Michal Čihař from Uploaders. Thanks for all
+your work!
+
+  [ Juri Grabowski ]
+  * Fix Vcs- URLs
+
+  [ William Desportes ]
+  * Add debian gitlab pipelines config.
+
+  [ Felipe Sateler ]
+  * Set phpMyAdmin team as Maintainer
+
+  [ Michal Čihař ]
+  * Fix open_basedir setting for PHP 7 (Closes: #867882).
+
+
+ -- Felipe Sateler   Wed, 06 Nov 2019 08:12:18 -0300
+
 phpmyadmin (4:4.6.6-4) unstable; urgency=medium
 
   * Build depend on locales-all to ensure en_US.UTF-8 is available (see
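Review bot: two of the seven CVEs in this entry (CVE-2018-19968, CVE-2018-19970) carry no `Closes:` reference, so nothing in the BTS tracks them for stretch; referencing a bug for each keeps the security tracker's per-suite state accurate. Also, because the fixes are routed via `stretch` (point release) rather than `stretch-security`, no DSA will be issued; stating in the changelog or the request that the security team agreed to this route, as the exiv2 request in this batch does, would make that decision auditable.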
diff -Nru phpmyadmin-4.6.6/debian/conf/apache.conf 
phpmyadmin-4.6.6/debian/conf/apache.conf
--- phpmyadmin-4.6.6/debian/conf/apache.conf2016-12-01 04:42:43.0 
-0300
+++ phpmyadmin-4.6.6/debian/conf/apache.conf2019

Bug#893548: marked as done (stretch-pu: package python-icalendar/3.8-1+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #893548,
regarding stretch-pu: package python-icalendar/3.8-1+deb9u1
to be marked as done.


-- 
893548: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893548
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Fix the python3-icalendar dependencies:
Depends: {+python3-pkg-resources,+} python3-tz, {+python3:any (>= 3.3.2-2~),+} 
python3-dateutil
diff -Nru python-icalendar-3.8/debian/changelog 
python-icalendar-3.8/debian/changelog
--- python-icalendar-3.8/debian/changelog   2014-07-17 08:25:31.0 
+0300
+++ python-icalendar-3.8/debian/changelog   2018-03-19 22:00:53.0 
+0200
@@ -1,3 +1,10 @@
+python-icalendar (3.8-1+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix the python3-icalendar dependencies. (Closes: #867436)
+
+ -- Adrian Bunk   Mon, 19 Mar 2018 22:00:53 +0200
+
 python-icalendar (3.8-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru python-icalendar-3.8/debian/control 
python-icalendar-3.8/debian/control
--- python-icalendar-3.8/debian/control 2014-07-17 08:22:48.0 +0300
+++ python-icalendar-3.8/debian/control 2018-03-19 21:58:29.0 +0200
@@ -50,7 +50,7 @@
 Architecture: all
 Depends: ${shlibs:Depends},
  ${misc:Depends},
- ${python:Depends},
+ ${python3:Depends},
  python3-tz,
  python3-dateutil
 Provides: ${python:Provides}
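Review bot: `Provides: ${python:Provides}` is left untouched on a python3 package even though the hunk switches `${python:Depends}` to `${python3:Depends}`; dh_python3 fills `${python3:Provides}`, so the remaining substvar stays empty (harmless, but it should go the same way as the Depends line or be dropped). `${shlibs:Depends}` on an `Architecture: all` package is likewise a no-op. The substantive change is correct and matches the expected `python3:any (>= 3.3.2-2~)` and `python3-pkg-resources` additions quoted in the request.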
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#927433: marked as done (stretch-pu: package gosa/2.7.4+reloaded2-13+deb9u2)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #927433,
regarding stretch-pu: package gosa/2.7.4+reloaded2-13+deb9u2
to be marked as done.


-- 
927433: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927433
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear stable release team,

now that we could avoid the full backport of gosa from buster to stretch
(see #927306), the Debian Edu team would still like to introduce various
fixes for gosa to the next Debian 9 point release.

Some issues require a fix (RC / important), some are small fixes here and
there that caused people pain and have been resolved in Debian buster's
gosa.

Resorting the patches, the most critical come first:


Critical (appear often, problematic for the users):

++ Add 1043_smarty-add-on-function-param-types.patch.
+  Fix missing password field, caused by PHP error "parameter 2 expected
+  to be a reference, value given". (Closes: #918578).

-> definitely happens in Debian buster, I have seen it once on Debian
stretch.

++ Add 1045_dont_use_filter_caching.patch. Disable filter caching via
+  $_SESSION. The approach stores PHP object in $_SESSION; since php7.0
+  this leads to unexpected results and flawed rendering of class_management
+  based listings. (Closes: #907815).

-> issue is reproducible on Debian stretch, may be a security issue in
fact (as sort-of-random / old data gets accessed).

++ Add 1031_no-context-loose-continues.patch.
+  Avoid stray continue expression. (Closes: #879105).

-> issue occurs on PHP7, rendering of management view gets aborted with error.


Important fixes (as they can break things when they occur):

++ Add 1029_better-whitespace-cleanup-in-genuid.patch.
+  Prevent gen_uids() from generating UIDs containing blanks.

-> we saw login uids generated with blanks. If the pattern is
3 initial from last name, 3 from first name, and the user is
Chen Wu -> login uid: "wu che" (which is bad on POSIX).

++ Add 1032_fix_select_acl_role.patch.
+  Use ACL from role definition: Select the correct role.

-> When returning to ACL editing and a role was used for an
ACL and there are more than one role, always the top role (not
the one configured) gets pre-selected.

++ Add 1033_fix_unable_to_delete_acl_asignment.patch.
+  Fix removing ACLs from objects (e.g. groups).

-> self-explaining.


Really really nice to have (while at it anyway):

++ Rebase / update 1016_allow-same-user-ids-as-adduser.patch and
+  1026_fix-deprecated-constructor-format.patch.

-> required

++ Add 1035_acl_override_to_allow_delete_of_group_members.patch.
+  Support member removal from groups, if someone has the right
+  to edit the group.

-> self-explaining

++ Add 1037_fix_shadowexpire_checkbox_from_tmplate_setting.patch.
+  Propagate shadow expiry from user templates to created user objects.

-> otherwise, the user won't be able to store the shadowExpiry value.

++ Add 1039_fix_sambakickofftime_checkbox_and_sambakickofftime_date_from_
+  tmplate_setting.patch. Fix date calculations for sambaKickoffTime and
+  propagation from template to created user object.

-> self-explaining

++ Add 1040_inactive_pwd_fields_when_using_pwd_proposal.patch.
+  Disable password entry text fields when password proposal is to be used.

-> if people use the password proposal feature/hook (activatable via a
radio button), the password entry field should be disabled. Otherwise, users
are able to select the proposed password _and_ enter one of their own and
wonder, why the entered password won't work.

++ Add 1041_ref_param_error_in_My_Parser.patch.
+  Compat fix for PHP > 5.4. Hand over real variable to function.

-> self-explaining


Cosmetic fixes (while at it anyway):

++ Add 1030_column-header-titles-group-members.patch.
+  Fix column titles in member lists of POSIX groups.
++ Update 1026_fix-deprecated-constructor-format.patch. Drop an unwanted
+  find+replace artefact in class_userFilter.
++ Add 1034_remove_superfluous__get_post__call_from__save_object.patch.
+  class_sortableListing: Remove superfluous get_post() call
+  from_ save_object()
++ Add 1036_remove_double_groupList_setEditable_setting.patch.
+  Remove duplicate setE

Bug#948653: marked as done (stretch-pu: package mod-gnutls/0.8.2-3+deb9u2)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #948653,
regarding stretch-pu: package mod-gnutls/0.8.2-3+deb9u2
to be marked as done.


-- 
948653: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948653
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

  * Avoid deprecated ciphersuites in test suite (Closes: #907008)

FTBFS, tests were broken by gnutls28 3.5.8-5+deb9u4.
diff -Nru mod-gnutls-0.8.2/debian/changelog mod-gnutls-0.8.2/debian/changelog
--- mod-gnutls-0.8.2/debian/changelog   2017-03-12 13:37:18.0 +0200
+++ mod-gnutls-0.8.2/debian/changelog   2020-01-11 12:27:37.0 +0200
@@ -1,3 +1,10 @@
+mod-gnutls (0.8.2-3+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Avoid deprecated ciphersuites in test suite (Closes: #907008)
+
+ -- Adrian Bunk   Sat, 11 Jan 2020 12:27:37 +0200
+
 mod-gnutls (0.8.2-3) unstable; urgency=medium
 
   [ Thomas Klute ]
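Review bot: the changelog hunk introduces `0.8.2-3+deb9u1` while this request is titled for `mod-gnutls/0.8.2-3+deb9u2`; if a +deb9u1 already exists in the archive the upload will be rejected as not newer, so confirm the intended version before building.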
diff -Nru 
mod-gnutls-0.8.2/debian/patches/0001-Fix-test-16-view-status-by-changing-priority-string.patch
 
mod-gnutls-0.8.2/debian/patches/0001-Fix-test-16-view-status-by-changing-priority-string.patch
--- 
mod-gnutls-0.8.2/debian/patches/0001-Fix-test-16-view-status-by-changing-priority-string.patch
  1970-01-01 02:00:00.0 +0200
+++ 
mod-gnutls-0.8.2/debian/patches/0001-Fix-test-16-view-status-by-changing-priority-string.patch
  2020-01-11 12:26:05.0 +0200
@@ -0,0 +1,38 @@
+From: Sunil Mohan Adapa 
+Date: Tue, 18 Sep 2018 09:41:47 -0700
+Subject: Fix test 16-view-status by changing priority string
+
+From gnutls 3.5.19 release notes:
+
+"The ciphers utilizing HMAC-SHA384 and SHA256 have been removed from the 
default
+priority strings. They are not necessary for compatibility or other purpose and
+provide no advantage over their SHA1 counter-parts, as they all depend on the
+legacy TLS CBC block mode."
+
+Pick a new priority string such that the cipher suite matches the default
+negotiated by gnutls 3.5.19 server and client without explicitly setting a
+priority string.
+---
+ test/tests/16_view-status/gnutls-cli.args | 2 +-
+ test/tests/16_view-status/output  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/test/tests/16_view-status/gnutls-cli.args 
b/test/tests/16_view-status/gnutls-cli.args
+index aca8ac0..470925b 100644
+--- a/test/tests/16_view-status/gnutls-cli.args
 b/test/tests/16_view-status/gnutls-cli.args
+@@ -1,2 +1,2 @@
+ --x509cafile=authority/x509.pem
+---priority=NONE:+VERS-TLS1.2:+AES-128-CBC:+SHA256:+RSA:+COMP-NULL:+SIGN-RSA-SHA256
++--priority=NONE:+VERS-TLS1.2:+ECDHE-RSA:+CURVE-SECP256R1:+AES-256-GCM:+AEAD:+COMP-NULL:+SIGN-RSA-SHA1
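Review bot: the new priority string pins `+SIGN-RSA-SHA1`; that is a deprecated signature algorithm, and since the whole reason for this patch is that gnutls dropped a legacy option from its defaults (the SHA-256 CBC suites), pinning SHA-1 invites the same breakage on the next gnutls update. If the test certificates allow it, `+SIGN-RSA-SHA256` would be more durable. On the positive side the suite moves from static RSA key exchange to ECDHE with AES-256-GCM, so the test now exercises a forward-secret AEAD handshake.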
+diff --git a/test/tests/16_view-status/output 
b/test/tests/16_view-status/output
+index 7786244..8bfb45a 100644
+--- a/test/tests/16_view-status/output
 b/test/tests/16_view-status/output
+@@ -1,5 +1,5 @@
+ Using TLS:yes
+-Current TLS session:(TLS1.2)-(RSA)-(AES-128-CBC)-(SHA256)
++Current TLS 
session:(TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
+ 
+ 
+ - Peer has closed the GnuTLS connection
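Review bot: the expected `Current TLS session:` line hard-codes gnutls's session-description format, which has changed between releases; for a stretch-only fix against the stretch gnutls that is acceptable, but it is the brittle part of this test and a comment in the patch header saying the string is tied to gnutls 3.5.x would help whoever sees it fail next.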
diff -Nru mod-gnutls-0.8.2/debian/patches/series 
mod-gnutls-0.8.2/debian/patches/series
--- mod-gnutls-0.8.2/debian/patches/series  2017-03-12 13:35:37.0 
+0200
+++ mod-gnutls-0.8.2/debian/patches/series  2020-01-11 12:26:12.0 
+0200
@@ -6,3 +6,4 @@
 0006-Test-suite-Do-not-explicitly-set-the-mutex-type-to-d.patch
 0007-Do-not-treat-warnings-about-deprecated-declarations-.patch
 0008-Wait-for-OCSP-server-to-become-available.patch
+0001-Fix-test-16-view-status-by-changing-priority-string.patch
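Review bot: the series already runs `0006-` to `0008-`, so a new patch named `0001-...` appended at the end sorts out of order in the directory listing and looks like a stray older patch; renaming it `0009-...` (or dropping the git-format-patch prefix) keeps the naming convention of this package.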
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#935739: marked as done (stretch-pu: package sendmail/8.15.2-8+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #935739,
regarding stretch-pu: package sendmail/8.15.2-8+deb9u1
to be marked as done.



-- 
935739: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935739
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

While doing some QA testing on sendmail to verify the start-stop-daemon
fixes for buster, I noticed that sendmail does not stop itself properly
while being removed. This has been fixed in sid, and has a buster-pu
request open, but I'd like to fix this in stretch, too.
Along this, I've cherry-picked all the bugfixes that have been applied
to the package during the buster release cycle and are relevant for
stretch, too.

Thanks for considering.


Andreas
diff --git a/debian/Makefile.in b/debian/Makefile.in
index 3c89f52..0f6e3f3 100644
--- a/debian/Makefile.in
+++ b/debian/Makefile.in
@@ -117,6 +117,7 @@ CONFIG_CLEAN_FILES = build/autoconf.mk build/autoconf.pl \
cf/ostype/debian.m4 \
examples/dhcp/dhclient-exit-hooks.d/sendmail \
examples/network/if-down.d/sendmail \
+   examples/network/if-post-down.d/sendmail \
examples/network/if-up.d/sendmail \
examples/ppp/ip-down.d/sendmail examples/ppp/ip-up.d/sendmail \
examples/resolvconf/update-libc.d/sendmail \
@@ -211,6 +212,7 @@ am__DIST_COMMON = $(srcdir)/Makefile.in 
$(srcdir)/bug-control.in \
$(top_srcdir)/cf/ostype/debian.m4.in \
$(top_srcdir)/examples/dhcp/dhclient-exit-hooks.d/sendmail.in \
$(top_srcdir)/examples/network/if-down.d/sendmail.in \
+   $(top_srcdir)/examples/network/if-post-down.d/sendmail.in \
$(top_srcdir)/examples/network/if-up.d/sendmail.in \
$(top_srcdir)/examples/ppp/ip-down.d/sendmail.in \
$(top_srcdir)/examples/ppp/ip-up.d/sendmail.in \
@@ -591,6 +593,8 @@ examples/dhcp/dhclient-exit-hooks.d/sendmail: 
$(top_builddir)/config.status $(to
cd $(top_builddir) && $(SHELL) ./config.status $@
 examples/network/if-down.d/sendmail: $(top_builddir)/config.status 
$(top_srcdir)/examples/network/if-down.d/sendmail.in
cd $(top_builddir) && $(SHELL) ./config.status $@
+examples/network/if-post-down.d/sendmail: $(top_builddir)/config.status 
$(top_srcdir)/examples/network/if-post-down.d/sendmail.in
+   cd $(top_builddir) && $(SHELL) ./config.status $@
 examples/network/if-up.d/sendmail: $(top_builddir)/config.status 
$(top_srcdir)/examples/network/if-up.d/sendmail.in
cd $(top_builddir) && $(SHELL) ./config.status $@
 examples/ppp/ip-down.d/sendmail: $(top_builddir)/config.status 
$(top_srcdir)/examples/ppp/ip-down.d/sendmail.in
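Review bot: `debian/Makefile.in` is an automake-generated file, and these three hunks (CONFIG_CLEAN_FILES, am__DIST_COMMON and the config.status rule) are what regeneration produces from an `examples/network/if-post-down.d/sendmail.in` template; make sure the template and the matching `AC_CONFIG_FILES` source change are part of the upload too, otherwise the next regeneration drops this rule again. The rule lines in this hunk are also visibly mail-wrapped here, so verify the patch applies cleanly.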
diff --git a/debian/changelog b/debian/changelog
index 267dcce..c3fe5ca 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,26 @@
+sendmail (8.15.2-8+deb9u1) stretch; urgency=medium
+
+  * QA upload.
+  * rmail: Add exim4 to the list of conflicting MTAs.  (Closes: #863567)
+  * Skip hook execution if /usr/share/sendmail/dynamic does not exist.
+(Closes: #873978)
+  * debian/examples/network/if-post-down.d/sendmail: Generate during build.
+  * connect-from-null.patch: New, fix "NOQUEUE: connect from (null)", thanks
+to Michael Grant and Claus Assmann.
+  * Fix finding the queue runner control process in "split daemon" mode,
+thanks to Marc Andre Selig.  (Closes: #887064)
+  * Fix prerm failure on btrfs.  (Closes: #893424)
+  * Switch Vcs-* URLs to salsa.debian.org.
+  * Fix typos in descriptions.  (Closes: #894535)
+  * sendmail-bin.prerm: Stop sendmail before removing the alternatives.
+
+ -- Andreas Beckmann   Sun, 25 Aug 2019 20:07:11 +0200
+
 sendmail (8.15.2-8) unstable; urgency=medium
 
   * QA upload.
   * Use lockfile-create (from lockfile-progs) instead of touch to manage the
-cronjob lockfiles.
+cronjob lockfiles.  (Closes: #847498)
   * Switch to debhelper compat level 10.
 
  -- Andreas Beckmann   Thu, 08 Dec 2016 18:43:49 +0100
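Review bot: besides the new 8.15.2-8+deb9u1 entry, this hunk edits the already-released 8.15.2-8 entry to add `(Closes: #847498)`. Rewriting a published changelog entry is usually avoided, and a Closes added there is not processed by the archive for this upload; if #847498 is still open, close it from the new entry (or by hand) instead.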
diff --git a/debian/configure b/debian/configure
index 3ed645a..c0bd6b0 100755
--- a/debian/configure
+++ b/debian/configure
@@ -7588,6 +7588,8 @@ ac_config_files="$ac_config_files 
examples/dhcp/dhclient-exit-hooks.d/sendmail"
 
 ac_config_files="$ac_config_files examples/network/if-down.d/sendmail"
 
+ac_config_files="$ac_config_files examples/network/if-post-down.d/sendmail"
+
 ac_config_files="$a
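Review bot: `debian/configure` is generated, so this `ac_config_files` addition should come from the `AC_CONFIG_FILES` change in `configure.ac` rather than a hand edit, in line with the Makefile.in hunks. The hunk is truncated in this archived copy (it ends mid-line at `ac_config_files="$a`), so the remainder of the configure change cannot be checked here.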

Bug#949112: marked as done (stretch-pu: package xtrlock/2.8+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #949112,
regarding stretch-pu: package xtrlock/2.8+deb9u1
to be marked as done.



-- 
949112: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949112
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: t...@security.debian.org

Dear oldstable release managers,

Please consider xtrlock (2.8+deb9u1) for stretch:
  
  xtrlock (2.8+deb9u1) stretch; urgency=high
  
* CVE-2016-10894: Attempt to grab multitouch devices which are not
  intercepted via XGrabPointer.
  
  xtrlock did not block multitouch events so an attacker could still input
  and thus control various programs such as Chromium, etc. via so-called
  "multitouch" events such as pan scrolling, "pinch and zoom", or even being
  able to provide regular mouse clicks by depressing the touchpad once and
  then clicking with a secondary finger.
  
  This fix does not the situation where Eve plugs in a multitouch device
  *after* the screen has been locked. For more information on this angle,
  please see . (Closes: #830726)

The full diff is attached. In addition, this update has been filed at
the behest of the security team after marking this CVE as no-dsa.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diff --git a/debian/changelog b/debian/changelog
index 91ebaab..df64472 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+xtrlock (2.8+deb9u1) stretch; urgency=high
+
+  * CVE-2016-10894: Attempt to grab multitouch devices which are not
+intercepted via XGrabPointer.
+
+xtrlock did not block multitouch events so an attacker could still input
+and thus control various programs such as Chromium, etc. via so-called
+"multitouch" events such as pan scrolling, "pinch and zoom", or even being
+able to provide regular mouse clicks by depressing the touchpad once and
+then clicking with a secondary finger.
+
+This fix does not the situation where Eve plugs in a multitouch device
+*after* the screen has been locked. For more information on this angle,
+please see . (Closes: #830726)
+
+ -- Chris Lamb   Thu, 16 Jan 2020 16:00:52 +
+
 xtrlock (2.8) unstable; urgency=low
 
   * patch from Simon Tatham to add a -f option [fork, and return success
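Review bot: the new changelog entry has a missing word in `This fix does not the situation where Eve plugs in a multitouch device *after* the screen has been locked` (presumably `address` or `cover`), and the reference after `please see` is empty, so the pointer to the residual risk is lost. Both are worth fixing before upload, since this paragraph documents the known limitation of the CVE-2016-10894 fix.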
diff --git a/Imakefile b/Imakefile
index 68605d8..c792294 100644
--- a/Imakefile
+++ b/Imakefile
@@ -12,6 +12,6 @@
 #! MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #! GNU General Public License for more details.
 
-SingleProgramTarget(xtrlock,xtrlock.o,-lcrypt -lX11,)
+SingleProgramTarget(xtrlock,xtrlock.o,-lcrypt -lX11 -lXi,)
 InstallProgram(xtrlock,$(BINDIR))
 InstallManPage(xtrlock,$(MANDIR))
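Review bot: `-lXi` is added to the link line unconditionally, while the code that uses XInput2 is compiled only under `MULTITOUCH` (enabled through `-DMULTITOUCH` in debian/rules). That is consistent for the Debian build; just note that a build without the define still links libXi, which is harmless but misleading for anyone reusing the Imakefile.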
diff --git a/debian/control b/debian/control
index c01554d..359d7a0 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: xtrlock
 Maintainer: Matthew Vernon 
 Section: x11
 Priority: optional
-Build-Depends: libx11-dev, x11proto-core-dev, xutils-dev, dpkg-dev (>= 1.16.1~)
+Build-Depends: libx11-dev, x11proto-core-dev, xutils-dev, dpkg-dev (>= 
1.16.1~), libxi-dev
 Standards-Version: 3.9.1
 
 Package: xtrlock
diff --git a/debian/rules b/debian/rules
index 91b1572..55e8b4e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -11,7 +11,7 @@ DPKG_EXPORT_BUILDFLAGS = 1
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 include /usr/share/dpkg/buildflags.mk
 
-CFLAGS+=-DSHADOW_PWD
+CFLAGS+=-DSHADOW_PWD -DMULTITOUCH
 
 build:
$(checkdir)
diff --git a/xtrlock.c b/xtrlock.c
index 6117c6f..a08fe4e 100644
--- a/xtrlock.c
+++ b/xtrlock.c
@@ -41,6 +41,11 @@
 #include 
 #endif
 
+#ifdef MULTITOUCH
+#include 
+#include 
+#endif
+
 #include "lock.bitmap"
 #include "mask.bitmap"
 #include "patchlevel.h"
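Review bot: the two new `#include` lines in this hunk carry no file names in this copy; the angle-bracket headers were apparently stripped during archiving. The XI2 calls in the next hunk (`XIQueryDevice`, `XIEventMask`, `XIDeviceInfo`) need `<X11/extensions/XInput2.h>`, so confirm the committed file includes it.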
@@ -71,6 +76,34 @@ int passwordok(const char *s) {
 #endif
 }
 
+#if MULTITOUCH
+XIEventMask evmask;
+
+/* (Optimistically) attempt to grab multitouch devices which are not
+ * intercepted via XGrabPointer. */
+void handle_multitouch(Cursor cursor) {
+  XIDeviceInfo *info;
+  int xi_ndevices;
+
+  info = XIQueryDevice(display, XIAllDevices, &xi_ndevices);
+
+  int i;
+  for (i = 0; i < xi_ndevices; i++) {
+XIDeviceInfo *dev = &inf
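Review bot: this hunk guards the new code with `#if MULTITOUCH` while the include hunk uses `#ifdef MULTITOUCH`; both work with `-DMULTITOUCH` (which defines it as 1), but `#if` on a macro defined empty is a preprocessor error, so use `#ifdef` in both places. In `handle_multitouch()` the visible part iterates `xi_ndevices` without checking that `XIQueryDevice()` returned non-NULL; the hunk is truncated in this copy, so confirm the rest of the function handles a NULL `info` and releases it with `XIFreeDeviceInfo()`. `XIEventMask evmask;` is also a file-scope global that only this function appears to need.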

Bug#948651: marked as done (stretch-pu: package neon27/0.30.2-2+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #948651,
regarding stretch-pu: package neon27/0.30.2-2+deb9u1
to be marked as done.



-- 
948651: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948651
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

  * Run OpenSSL checks but don't fail on them,
to workaround build failures due to OpenSSL changes.

Only a subset of the #907009 failures with OpenSSL 1.1,
but use the same workaround that is used for these in buster.
diff -Nru neon27-0.30.2/debian/changelog neon27-0.30.2/debian/changelog
--- neon27-0.30.2/debian/changelog  2016-11-28 18:56:00.0 +0200
+++ neon27-0.30.2/debian/changelog  2020-01-11 12:18:14.0 +0200
@@ -1,3 +1,11 @@
+neon27 (0.30.2-2+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Run OpenSSL checks but don't fail on them,
+to workaround build failures due to OpenSSL changes.
+
+ -- Adrian Bunk   Sat, 11 Jan 2020 12:18:14 +0200
+
 neon27 (0.30.2-2) unstable; urgency=low
 
   * Remove Multi-Arch field from libneon27-dev and libneon27-gnutls-dev
diff -Nru neon27-0.30.2/debian/rules neon27-0.30.2/debian/rules
--- neon27-0.30.2/debian/rules  2016-10-06 20:44:10.0 +0300
+++ neon27-0.30.2/debian/rules  2020-01-11 12:18:14.0 +0200
@@ -50,7 +50,7 @@
dh_testdir
cd $(BUILDDIR)/neon-openssl/ && $(MAKE)
 ifeq ($(filter nocheck,$(DEB_BUILD_OPTIONS)),)
-   cd $(BUILDDIR)/neon-openssl/ && $(MAKE) check
+   cd $(BUILDDIR)/neon-openssl/ && $(MAKE) check || true
 endif
touch build-openssl
 
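Review bot: `$(MAKE) check || true` turns every failure of the OpenSSL test suite into a pass, not just the known OpenSSL 1.1 failures from #907009, so a genuine regression in the TLS backend would no longer fail the build. If the failing tests can be identified, skipping only those (or checking against an expected-failure list) keeps the rest of the suite meaningful; at minimum the `|| true` should carry a comment pointing at #907009 as the justification, as the changelog entry does.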
--- End Message ---


Bug#948650: marked as done (stretch-pu: package nginx/1.10.3-1+deb9u3)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #948650,
regarding stretch-pu: package nginx/1.10.3-1+deb9u3
to be marked as done.



-- 
948650: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948650
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I'd like to upload nginx 1.10.3-1+deb9u4, addressing the non-critical
CVE-2019-20372.

Attaching a debdiff.

[0] https://security-tracker.debian.org/tracker/CVE-2019-20372
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948579

-- System Information:
Debian Release: 10.2
 APT prefers unstable-debug
 APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable'), 
(4, 'unstable'), (2, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru nginx-1.10.3/debian/changelog nginx-1.10.3/debian/changelog
--- nginx-1.10.3/debian/changelog   2019-08-19 12:31:19.0 +0300
+++ nginx-1.10.3/debian/changelog   2020-01-11 09:28:05.0 +0200
@@ -1,3 +1,10 @@
+nginx (1.10.3-1+deb9u4) stretch; urgency=medium
+
+  * Handle CVE-2019-20372, error page request smuggling
+(Closes: #948579)
+
+ -- Christos Trochalakis   Sat, 11 Jan 2020 09:28:05 
+0200
+
 nginx (1.10.3-1+deb9u3) stretch-security; urgency=high
 
   * Backport upstream fixes for 3 CVEs (Closes: #935037)
diff -Nru nginx-1.10.3/debian/patches/CVE-2019-20372.patch 
nginx-1.10.3/debian/patches/CVE-2019-20372.patch
--- nginx-1.10.3/debian/patches/CVE-2019-20372.patch1970-01-01 
02:00:00.0 +0200
+++ nginx-1.10.3/debian/patches/CVE-2019-20372.patch2020-01-11 
09:28:05.0 +0200
@@ -0,0 +1,31 @@
+From 8bffc01d084b4881e3eed2052c115b8f04268cb9 Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov 
+Date: Mon, 23 Dec 2019 15:45:46 +0300
+Subject: [PATCH] Discard request body when redirecting to a URL via
+ error_page.
+
+Reported by Bert JW Regeer and Francisco Oca Gonzalez.
+---
+ src/http/ngx_http_special_response.c | 6 ++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/http/ngx_http_special_response.c 
b/src/http/ngx_http_special_response.c
+index 2c1ff174..e2a5e9dc 100644
+--- a/src/http/ngx_http_special_response.c
 b/src/http/ngx_http_special_response.c
+@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, 
ngx_http_err_page_t *err_page)
+ return ngx_http_named_location(r, &uri);
+ }
+ 
++r->expect_tested = 1;
++
++if (ngx_http_discard_request_body(r) != NGX_OK) {
++r->keepalive = 0;
++}
++
+ location = ngx_list_push(&r->headers_out.headers);
+ 
+ if (location == NULL) {
+-- 
+2.23.0
+
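Review bot: the added lines discard the request body before the `Location` header is pushed, so an unread body cannot be left on the connection and parsed as the start of the next request, which is the smuggling condition the changelog names; setting `r->expect_tested = 1` first suppresses the interim `100 Continue` for a body that is about to be dropped, and clearing `r->keepalive` when the discard fails closes the connection instead of reusing it, which is the right fail-safe. For a backport to 1.10.3, verify the hunk lands at the same point in `ngx_http_send_error_page()` (just before `location = ngx_list_push(...)`), since the `@@` offsets come from newer upstream source.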
diff -Nru nginx-1.10.3/debian/patches/series nginx-1.10.3/debian/patches/series
--- nginx-1.10.3/debian/patches/series  2019-08-19 12:31:19.0 +0300
+++ nginx-1.10.3/debian/patches/series  2020-01-11 09:28:05.0 +0200
@@ -13,3 +13,4 @@
 CVE-2019-9516.patch
 CVE-2019-9511.patch
 CVE-2019-9513.patch
+CVE-2019-20372.patch


--- End Message ---


Bug#949925: marked as done (stretch-pu: package cram/0.7-1+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #949925,
regarding stretch-pu: package cram/0.7-1+deb9u1
to be marked as done.



-- 
949925: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949925
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

https://tests.reproducible-builds.org/debian/rb-pkg/stretch/amd64/cram.html

  * Accept any test result to work around build failures.

Same workaround as in buster/bullseye/sid.
diff -Nru cram-0.7/debian/changelog cram-0.7/debian/changelog
--- cram-0.7/debian/changelog   2016-03-04 21:37:27.0 +0200
+++ cram-0.7/debian/changelog   2020-01-27 11:02:31.0 +0200
@@ -1,3 +1,10 @@
+cram (0.7-1+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Accept any test result to work around build failures.
+
+ -- Adrian Bunk   Mon, 27 Jan 2020 11:02:31 +0200
+
 cram (0.7-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru cram-0.7/debian/rules cram-0.7/debian/rules
--- cram-0.7/debian/rules   2016-03-04 21:43:04.0 +0200
+++ cram-0.7/debian/rules   2020-01-27 11:02:31.0 +0200
@@ -26,8 +26,10 @@
 
 override_dh_auto_test:
dh_auto_test
-   PYTHON=python COVERAGE=python-coverage   $(MAKE) test
-   PYTHON=python3 COVERAGE=python3-coverage $(MAKE) test
+   # accept any test result until the relation between cram and coverage 
is clarified
+   # see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897516#53
+   PYTHON=python COVERAGE=python-coverage   $(MAKE) test || true
+   PYTHON=python3 COVERAGE=python3-coverage $(MAKE) test || true
 
 override_dh_clean:
dh_clean -O--buildsystem=python_distutils
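Review bot: appending `|| true` to both `$(MAKE) test` invocations masks every test failure, not only the cram/coverage interaction referenced in #897516, so a real regression in cram would now build successfully in stretch. The inline comment giving the reason is good; narrowing the workaround (running the suite without coverage, or ignoring only the known-failing test) would keep the remaining tests meaningful.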
--- End Message ---


Bug#948678: marked as done (stretch-pu: package libbusiness-hours-perl/0.13-0+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #948678,
regarding stretch-pu: package libbusiness-hours-perl/0.13-0+deb9u1
to be marked as done.



-- 
948678: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948678
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

  * New upstream release.
- Only change is a fix for a build and runtime failure
  with dates after 2018-12-31. (Closes: #934842)

Except for upstream metadata not shipped in the binary package
the changes in the new upstream version are this bugfix and
the version bump.
diff -Nru libbusiness-hours-perl-0.12/Changes 
libbusiness-hours-perl-0.13/Changes
--- libbusiness-hours-perl-0.12/Changes 2013-08-22 18:13:59.0 +0300
+++ libbusiness-hours-perl-0.13/Changes 2019-01-11 21:27:48.0 +0200
@@ -1,5 +1,10 @@
 Revision history for Perl module Business::Hours
 
+0.13
+  * Use explicit 4 digit years when using localtime. This fixes
+some test failures that started after 2018-12-31 because of
+date math.
+
 0.12
   * merge of 0.11 and 0.10_01:
   ** support shifts over midnight
diff -Nru libbusiness-hours-perl-0.12/debian/changelog 
libbusiness-hours-perl-0.13/debian/changelog
--- libbusiness-hours-perl-0.12/debian/changelog2016-03-17 
19:31:02.0 +0200
+++ libbusiness-hours-perl-0.13/debian/changelog2020-01-11 
21:36:25.0 +0200
@@ -1,3 +1,12 @@
+libbusiness-hours-perl (0.13-0+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * New upstream release.
+- Only change is a fix for a build and runtime failure
+  with dates after 2018-12-31. (Closes: #934842)
+
+ -- Adrian Bunk   Sat, 11 Jan 2020 21:36:25 +0200
+
 libbusiness-hours-perl (0.12-1) unstable; urgency=low
 
   * Initial Release. (Closes: #810812)
diff -Nru libbusiness-hours-perl-0.12/lib/Business/Hours.pm 
libbusiness-hours-perl-0.13/lib/Business/Hours.pm
--- libbusiness-hours-perl-0.12/lib/Business/Hours.pm   2013-08-22 
18:14:59.0 +0300
+++ libbusiness-hours-perl-0.13/lib/Business/Hours.pm   2019-01-11 
21:18:25.0 +0200
@@ -7,7 +7,7 @@
 use Set::IntSpan;
 use Time::Local qw/timelocal_nocheck/;
 
-our $VERSION = '0.12';
+our $VERSION = '0.13';
 
 =head1 NAME
 
@@ -272,6 +272,7 @@
 # jump back to the first day (Sunday) of the last week before the period
 # began.
 my @start= localtime( $args{'Start'} );
+$start[5] += 1900;  # Set 4 digit year, see perldoc localtime
 my $month= $start[4];
 my $year = $start[5];
 my $first_sunday = $start[3] - $start[6];
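Review bot: adding 1900 to `$start[5]` before copying it into `$year` is the right fix: `localtime` returns the year as an offset from 1900, and passing the raw value (119 for 2019) into the date arithmetic is what started failing after 2018-12-31. Since `$year` now carries a four-digit value, every later consumer of it in this function needs the same assumption, which the following hunks appear to do for `$today[2]` and `$end_year`.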
@@ -320,6 +321,7 @@
 
 my @today = (localtime($week_start))[3, 4, 5];
 $today[0]--; # compensate next increment
+$today[2] += 1900;  # Set 4 digit year
 
 # foreach day in the week, find that day's business hours in
 # seconds since the epoch.
@@ -352,6 +354,7 @@
 if ( my @holidays = $self->holidays ) {
 my $start_year = $year;
 my $end_year = (localtime $args{'End'})[5];
+$end_year += 1900;  # Set 4 digit year
 foreach my $holiday (@holidays) {
 my ($year, $month, $date) = ($holiday =~ 
/^(?:(\d\d\d\d)\D)?(\d\d)\D(\d\d)$/);
 $month--;
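Review bot: `$end_year += 1900` keeps it consistent with `$start_year = $year`, which is now four-digit. One readability point in the visible context: the loop declares `my ($year, $month, $date)` from the holiday regex, shadowing the outer `$year` used two lines earlier for `$start_year`; renaming the loop variables (e.g. `$hyear`) avoids confusion now that both hold four-digit years. The regex line is mail-wrapped here (`$holiday =~` / `/^(?:...)$/`), so confirm the patch applies.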
diff -Nru libbusiness-hours-perl-0.12/META.json 
libbusiness-hours-perl-0.13/META.json
--- libbusiness-hours-perl-0.12/META.json   2013-08-22 18:16:00.0 
+0300
+++ libbusiness-hours-perl-0.13/META.json   2019-01-11 21:32:15.0 
+0200
@@ -4,7 +4,7 @@
   "Jesse Vincent (je...@cpan.org)"
],
"dynamic_config" : 1,
-   "generated_by" : "ExtUtils::MakeMaker version 6.72, CPAN::Meta::Converter 
version 2.131560",
+   "generated_by" : "ExtUtils::MakeMaker version 7.3, CPAN::Meta::Converter 
version 2.150005",
"license" : [
   "unknown"
],
@@ -38,5 +38,6 @@
   }
},
"release_status" : "stable",
-   "version" : "0.12"
+   "version" : "0.13",
+   "x_serialization_backend" : "JSON::PP version 2.27300"
 }
diff -Nru libbusiness-hours-perl-0.12/META.yml 
libbusiness-hours-perl-0.13/META.yml
--- libbusiness-hours-perl-0.12/META.yml2013-08-22 18:16:00.0 
+0300
+++ libbusiness-hours-perl-0.13/META.yml2019-01-11 21:32:15.0 
+0200
@@ -3,21 +3,22 @@
 author:
   - 'Jesse Vincent (je...@cpan.org)'
 build_requires:
-  ExtUtil

Bug#955394: marked as done (stretch-pu: package libvncserver/0.9.11+dfsg-1.3~deb9u4)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #955394,
regarding stretch-pu: package libvncserver/0.9.11+dfsg-1.3~deb9u4
to be marked as done.



-- 
955394: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955394
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Please accept the recent upload of libvncserver to stretch containing the
following low impact security fix:

+  [ Antoni Villalonga ]
+  * debian/patches:
++ Add CVE-2019-15690 patch. libvncclient/cursor: limit
+  width/height input values. Avoids a possible heap overflow reported
+  by Pavel Cheremushkin. (Closes: #954163).

Thanks,
Mike

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libvncserver-0.9.11+dfsg/debian/changelog 
libvncserver-0.9.11+dfsg/debian/changelog
--- libvncserver-0.9.11+dfsg/debian/changelog   2020-01-08 08:22:51.0 
+0100
+++ libvncserver-0.9.11+dfsg/debian/changelog   2020-03-31 07:56:01.0 
+0200
@@ -1,3 +1,13 @@
+libvncserver (0.9.11+dfsg-1.3~deb9u4) stretch; urgency=medium
+
+  [ Antoni Villalonga ]
+  * debian/patches:
++ Add CVE-2019-15690 patch. libvncclient/cursor: limit
+  width/height input values. Avoids a possible heap overflow reported
+  by Pavel Cheremushkin. (Closes: #954163).
+
+ -- Mike Gabriel   Tue, 31 Mar 2020 07:56:01 +0200
+
 libvncserver (0.9.11+dfsg-1.3~deb9u3) stretch; urgency=medium
 
   * Regression update.
diff -Nru 
libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch
 
libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch
--- 
libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch
  1970-01-01 01:00:00.0 +0100
+++ 
libvncserver-0.9.11+dfsg/debian/patches/CVE-2019-15690/0001-heap-buffer-overflow.patch
  2020-03-31 07:55:29.0 +0200
@@ -0,0 +1,34 @@
+Commit: 54220248886b5001fbbb9fa73c4e1a2cb9413fed
+Author: Christian Beier 
+Date:   Sun Nov 17 17:18:35 2019 +0100
+
+libvncclient/cursor: limit width/height input values
+
+Avoids a possible heap overflow reported by Pavel Cheremushkin
+.
+
+re #275
+
+diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
+index 67f4572..40ffb3b 100644
+--- a/libvncclient/cursor.c
 b/libvncclient/cursor.c
+@@ -28,6 +28,8 @@
+ #define OPER_SAVE 0
+ #define OPER_RESTORE  1
+ 
++#define MAX_CURSOR_SIZE 1024
++
+ #define RGB24_TO_PIXEL(bpp,r,g,b)   \
+uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 
\
+ << client->format.redShift |  
\
+@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int 
yhot, int width, int h
+   if (width * height == 0)
+ return TRUE;
+ 
++  if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
++return FALSE;
++
+   /* Allocate memory for pixel data and temporary mask data. */
+   if(client->rcSource)
+ free(client->rcSource);
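Review bot: the new bound `width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE` keeps the later pixel and mask allocations below 1024x1024, which is what closes the heap overflow for CVE-2019-15690. `width` and `height` are `int` here and the check does not reject negative values; the `width * height == 0` early return above it would not catch them either. If the callers always pass 16-bit protocol fields the values are non-negative, but an explicit `width <= 0 || height <= 0` (or unsigned parameters) would make `HandleCursorShape()` safe regardless of caller. Returning `FALSE` on oversized input signals a protocol error rather than silently clamping, which is the appropriate choice for a client-side check on server-supplied sizes.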
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series 
libvncserver-0.9.11+dfsg/debian/patches/series
--- libvncserver-0.9.11+dfsg/debian/patches/series  2020-01-08 
08:22:51.0 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/series  2020-03-31 
07:55:29.0 +0200
@@ -29,3 +29,4 @@
 use-after-free/5.patch
 use-after-free/6.patch
 0002-set-true-color-flag-to-1.patch
+CVE-2019-15690/0001-heap-buffer-overflow.patch
--- End Message ---


Bug#953745: marked as done (stretch-pu: package proftpd-dfsg/1.3.5b-4+deb9u5)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #953745,
regarding stretch-pu: package proftpd-dfsg/1.3.5b-4+deb9u5
to be marked as done.



-- 
953745: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953745
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear Release managers,

the package fixes two critical issues, which impact the usability of the
mod_sftp proftpd module and the proftpd package itself.
There are situations where users can't connect to a proftpd server using
sftp if the client is recent enough.  Further, I removed the debconf
call as it causes a hang in postinst.  Debconf integration has been removed
for buster anyway.

- Issue is solved in Debian unstable since 1.3.6c-1
- Both bugs are set to important
- debdiff is attached

I tested a build on Debian oldstable and the reporters confirmed that the
patch solved both issues.  The debdiff is against deb9u4, which has been
uploaded by the sec team.

Please consider including it in Debian oldstable. Thanks!

Thanks, Hilmar!
-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 5.4.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_GB.UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set 
to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
sigmentation fault
diff -Nru proftpd-dfsg-1.3.5b/debian/changelog proftpd-dfsg-1.3.5b/debian/changelog
--- proftpd-dfsg-1.3.5b/debian/changelog	2020-02-25 22:43:05.0 +0100
+++ proftpd-dfsg-1.3.5b/debian/changelog	2020-02-13 15:39:08.0 +0100
@@ -1,3 +1,12 @@
+proftpd-dfsg (1.3.5b-4+deb9u5) stretch; urgency=medium
+
+  * Add patch from upstream to solve bug4385. (Closes: #949622).
+  * Disable call to /usr/share/debconf/confmodule. Causes hangs during
+postinst and it is unsure why we have it at all.
+(Closes: #870624)
+
+ -- Hilmar Preusse   Thu, 12 Mar 2020 15:52:02 +0100
+
 proftpd-dfsg (1.3.5b-4+deb9u4) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru proftpd-dfsg-1.3.5b/debian/patches/Issue-903-We-want-to-remove-the-data-transfer-comman.patch proftpd-dfsg-1.3.5b/debian/patches/Issue-903-We-want-to-remove-the-data-transfer-comman.patch
--- proftpd-dfsg-1.3.5b/debian/patches/Issue-903-We-want-to-remove-the-data-transfer-comman.patch	2020-02-25 22:43:05.0 +0100
+++ proftpd-dfsg-1.3.5b/debian/patches/Issue-903-We-want-to-remove-the-data-transfer-comman.patch	2020-02-13 15:39:08.0 +0100
@@ -11,11 +11,11 @@
  src/data.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/src/data.c b/src/data.c
-index 6ef6d420ef4d..e7b03e231b80 100644
 a/src/data.c
-+++ b/src/data.c
-@@ -897,7 +897,7 @@ void pr_data_abort(int err, int quiet) {
+Index: proftpd/src/data.c
+===
+--- proftpd.orig/src/data.c	2020-03-12 15:11:56.34400 +0100
 proftpd/src/data.c	2020-03-12 15:11:56.34000 +0100
+@@ -955,7 +955,7 @@
  /* Forcibly clear the data-transfer instigating command pool from the
   * Response API.
   */
@@ -24,6 +24,3 @@
}
  
if (true_abort) {
--- 
-2.20.1
-
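Review bot: the refresh drops the `diff --git` / `index 6ef6d420ef4d..e7b03e231b80` header and the `2.20.1` git trailer, so the patch loses its only pointer to the upstream commit; add a DEP-3 `Origin:` line (upstream commit URL) above the `Index:` header so provenance survives future quilt refreshes. Apart from the hunk offset moving from 897 to 955 no content change is visible, consistent with a pure refresh; the changelog should say that is all it is.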
diff -Nru proftpd-dfsg-1.3.5b/debian/patches/kbdint-packets-bug4385.patch proftpd-dfsg-1.3.5b/debian/patches/kbdint-packets-bug4385.patch
--- proftpd-dfsg-1.3.5b/debian/patches/kbdint-packets-bug4385.patch	1970-01-01 01:00:00.0 +0100
+++ proftpd-dfsg-1.3.5b/debian/patches/kbdint-packets-bug4385.patch	2020-02-13 15:39:08.0 +0100
@@ -0,0 +1,126 @@
+Index: proftpd_build/contrib/mod_sftp/kbdint.c
+===
+--- proftpd_build.orig/contrib/mod_sftp/kbdint.c	2019-12-08 23:19:15.037069504 +0100
 proftpd_build/contrib/mod_sftp/kbdint.c	2020-02-13 15:17:13.0 +0100
+@@ -31,6 +31,8 @@
+ 
+ #define SFTP_KBDINT_MAX_RESPONSES	500
+ 
++extern pr_response_t *resp_list, *resp_err_list;
++
+ struct kbdint_driver {
+   struct kbdint_driver *next, *prev;
+ 
+@@ -252,6 +254,77 @@
+   return res;
+ }
+ 
++static struct ssh2_packet *read_response_packet(pool *p) {
++  struct ssh2_packet *pkt = NU
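Review bot: the new patch carries no DEP-3 header (Description, Origin, Bug, Bug-Debian), unlike the rails and rake patches in this same batch; add one naming the upstream bug 4385 commit it was taken from and Debian bug #949622. The `extern pr_response_t *resp_list, *resp_err_list;` declaration makes the module depend on core's global response lists rather than the Response API; acceptable for a backport if that is what upstream does, but note it in the header. The hunk is cut off at `read_response_packet()` in this archive copy, so the rest cannot be reviewed here.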

Bug#954664: marked as done (stretch-pu: package rails/2:4.2.7.1-1+deb9u2)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #954664,
regarding stretch-pu: package rails/2:4.2.7.1-1+deb9u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
954664: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954664
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

Hiya,

rails seemed to be affected by CVE-2020-5267.
This has been fixed in Sid and Jessie already.

Here's the debdiff:
8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

diff -Nru rails-4.2.7.1/debian/changelog rails-4.2.7.1/debian/changelog
--- rails-4.2.7.1/debian/changelog2019-04-18 20:21:20.0 +0530
+++ rails-4.2.7.1/debian/changelog2020-03-22 18:05:32.0 +0530
@@ -1,3 +1,11 @@
+rails (2:4.2.7.1-1+deb9u2) stretch; urgency=high
+
+  * Team upload.
+  * Add patch to fix possible XSS vector in JS escape helper.
+(Fixes: CVE-2020-5267) (Closes: #954304)
+
+ -- Utkarsh Gupta   Sun, 22 Mar 2020 18:05:32 +0530
+
 rails (2:4.2.7.1-1+deb9u1) stretch; urgency=medium

   * CVE-2018-16476 (Closes: #914847)
diff -Nru rails-4.2.7.1/debian/patches/CVE-2020-5267.patch
rails-4.2.7.1/debian/patches/CVE-2020-5267.patch
--- rails-4.2.7.1/debian/patches/CVE-2020-5267.patch1970-01-01
05:30:00.0 +0530
+++ rails-4.2.7.1/debian/patches/CVE-2020-5267.patch2020-03-22
18:05:00.0 +0530
@@ -0,0 +1,48 @@
+Description: Fix possible XSS vector in JS escape helper
+ This commit escapes dollar signs and backticks to prevent
+ JS XSS issues when using the `j` or `javascript_escape` helper
+Author: Aaron Patterson 
+Author: Utkarsh Gupta 
+Origin: https://www.openwall.com/lists/oss-security/2020/03/19/1/1
+Bug-Debian: https://bugs.debian.org/954304
+Last-Update: 2020-03-19
+
+--- a/actionview/lib/action_view/helpers/javascript_helper.rb
 b/actionview/lib/action_view/helpers/javascript_helper.rb
+@@ -10,7 +10,9 @@
+ "\n"=> '\n',
+ "\r"=> '\n',
+ '"' => '\\"',
+-"'" => "\\'"
++"'" => "\\'",
++"`" => "\\`",
++"$" => "\\$"
+   }
+
+   JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!]
= '
'
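Review bot: the `JS_ESCAPE_MAP["\342\200\250"...]` context line is wrapped across three lines in this archive copy; make sure the patch file in the upload has it on a single line, otherwise quilt will reject the context. The two new entries are consistent with the hash form of `gsub` used in the next hunk (hash values are inserted verbatim, so `"\\`"` becomes one backslash followed by a backtick), which is what the new tests expect.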
+@@ -24,7 +26,7 @@
+   #   $('some_element').replaceWith('<%=j render
'some/element_template' %>');
+   def escape_javascript(javascript)
+ if javascript
+-  result =
javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u)
{|match| JS_ESCAPE_MAP[match] }
++  result =
javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u,
JS_ESCAPE_MAP)
+   javascript.html_safe? ? result.html_safe : result
+ else
+   ''
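Review bot: the replacement mechanism changes here from a block (`{|match| JS_ESCAPE_MAP[match] }`) to passing `JS_ESCAPE_MAP` directly; both insert map values verbatim and both turn an unmapped match into an empty string, so the pre-existing entries behave as before, but that equivalence is exactly what the existing test file should be re-run against, since the new tests only cover the two added characters. The appended `|[`]|[$]` is equivalent to adding both characters to the preceding class; keeping upstream's form is fine for a verbatim backport, and the Description should say it is verbatim.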
+--- a/actionview/test/template/javascript_helper_test.rb
 b/actionview/test/template/javascript_helper_test.rb
+@@ -33,6 +33,14 @@
+ assert_equal %(dont <\\/close> tags), j(%(dont  tags))
+   end
+
++  def test_escape_backtick
++assert_equal "\\`", escape_javascript("`")
++  end
++
++  def test_escape_dollar_sign
++assert_equal "\\$", escape_javascript("$")
++  end
++
+   def test_escape_javascript_with_safebuffer
+ given = %('quoted' "double-quoted" new-line:\n )
+ expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)
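Review bot: the two new tests check a lone backtick and a lone dollar sign, but the problem the Description names is interpolation inside a JavaScript template literal; add a case in the attack shape, e.g. `assert_equal "\\${x}", escape_javascript("${x}")`, so the intent is captured and a later regexp change cannot silently drop it.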
diff -Nru rails-4.2.7.1/debian/patches/series
rails-4.2.7.1/debian/patches/series
--- rails-4.2.7.1/debian/patches/series2019-04-18 20:18:04.0 +0530
+++ rails-4.2.7.1/debian/patches/series2020-03-22 18:04:25.0 +0530
@@ -4,3 +4,4 @@
 0005-relax-json.patch
 006-CVE-2018-16476.patch
 007-CVE-2019-5418_CVE-2019-5419.patch
+CVE-2020-5267.patch

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---
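The request above is about the `escape_javascript` (`j`) helper. As an added example, not code from the Rails patch or the Debian package, the following Ruby reimplements a cut-down `escape_javascript` before and after the CVE-2020-5267 change and shows the attack shape the two new characters close: an escaped value dropped into a JavaScript template literal, where `${...}` is evaluated. The maps carry only the entries visible in the hunk; `render_into_template_literal` and `contains_live_interpolation?` are helpers made up for this demonstration.

```ruby
# Added example: a stand-alone, cut-down model of ActionView's escape_javascript
# before and after the CVE-2020-5267 change. Not code from the Rails patch or
# the Debian package; the maps only carry the entries visible in the debdiff
# (the real map also handles "\\", "</", "\r\n" and the U+2028/2029 separators).

# Escape map before the fix: quotes and newlines only.
JS_ESCAPE_MAP_OLD = {
  "\n" => '\n',
  "\r" => '\n',
  '"'  => '\\"',
  "'"  => "\\'"
}.freeze

# Escape map after the fix: backtick and dollar sign added.
JS_ESCAPE_MAP_NEW = JS_ESCAPE_MAP_OLD.merge("`" => "\\`", "$" => "\\$").freeze

# Pre-fix helper: block form of gsub, and ` and $ are not in the regexp.
def escape_javascript_old(javascript)
  return "" unless javascript
  javascript.gsub(/[\n\r"']/) { |match| JS_ESCAPE_MAP_OLD[match] }
end

# Fixed helper: [`] and [$] appended to the alternation and the map passed
# directly to gsub, as in the patch. Hash values are inserted verbatim, so
# "\\`" in the map becomes one backslash followed by a backtick.
def escape_javascript_new(javascript)
  return "" unless javascript
  javascript.gsub(/[\n\r"']|[`]|[$]/, JS_ESCAPE_MAP_NEW)
end

# Hypothetical view: the escaped value lands inside a JS template literal,
# the context in which escaping only quotes and newlines is not enough.
def render_into_template_literal(user_input, escaper)
  "const msg = `Hello #{escaper.call(user_input)}`;"
end

# Does the rendered JavaScript still contain a "${" that is not preceded by a
# backslash, i.e. one the engine would evaluate?
def contains_live_interpolation?(js)
  js.match?(/(?<!\\)\$\{/)
end

if __FILE__ == $PROGRAM_NAME
  payload = "${alert(document.cookie)}"   # constructed attacker-controlled input
  puts render_into_template_literal(payload, method(:escape_javascript_old))
  puts render_into_template_literal(payload, method(:escape_javascript_new))
end
```

With the old map the rendered line still contains `${alert(document.cookie)}` inside the backticks, so the browser evaluates it; with the new map the dollar sign is escaped and the engine sees literal text.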


Bug#949367: marked as done (stretch-pu: package wpa/2:2.4-1+deb9u6)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #949367,
regarding stretch-pu: package wpa/2:2.4-1+deb9u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
949367: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949367
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

Please let wpa 2:2.4-1+deb9u5 into stretch.

This upload backports the following security patch:

 wpa (2:2.4-1+deb9u5) stretch; urgency=medium
 .
   * SECURITY UPDATE:
 - AP mode PMF disconnection protection bypass.
   More details:
+ https://w1.fi/security/2019-7/
   Closes: #940080 (CVE-2019-16275)

Please see the debdiff attached.

Thanks!

-- 
Andrej
diff --git a/debian/changelog b/debian/changelog
index 689d552..216a678 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+wpa (2:2.4-1+deb9u5) stretch; urgency=medium
+
+  * SECURITY UPDATE:
+- AP mode PMF disconnection protection bypass.
+  More details:
+   + https://w1.fi/security/2019-7/
+  Closes: #940080 (CVE-2019-16275)
+
+ -- Andrej Shadura   Mon, 13 Jan 2020 11:06:28 +0100
+
 wpa (2:2.4-1+deb9u4) stretch-security; urgency=high
 
   * SECURITY UPDATE (2019-5):
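Review bot: the new entry is 2:2.4-1+deb9u5 while this bug is titled "stretch-pu: package wpa/2:2.4-1+deb9u6"; state which version the attached debdiff corresponds to and, if deb9u5 was superseded, attach the debdiff for deb9u6. The entry otherwise matches the request text (CVE-2019-16275, #940080, w1.fi/security/2019-7).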
diff --git 
a/debian/patches/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
 
b/debian/patches/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
new file mode 100644
index 000..12ff79b
--- /dev/null
+++ 
b/debian/patches/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen 
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen 
+---
+ src/ap/drv_callbacks.c | 13 +
+ src/ap/ieee802_11.c| 12 
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
 b/src/ap/drv_callbacks.c
+@@ -62,6 +62,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 
*addr,
+  "no address");
+   return -1;
+   }
++
++  if (is_multicast_ether_addr(addr) ||
++  is_zero_ether_addr(addr) ||
++  os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++  /* Do not process any frames with unexpected/invalid SA so that
++   * we do not add any state for unexpected STA addresses or end
++   * up sending out frames to unexpected destination. */
++  wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++ " in received indication - ignore this indication 
silently",
++ __func__, MAC2STR(addr));
++  return 0;
++  }
++
+   random_add_randomness(addr, ETH_ALEN);
+ 
+   hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
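Review bot: the patch is the unmodified upstream commit (the hunk header `@@ -62,6 +62,19 @@` is from upstream's tree, not 2.4), so confirm it applies against 2:2.4 without fuzz and that `is_multicast_ether_addr()` and `is_zero_ether_addr()` exist in that tree. The same three-way SA test is repeated verbatim in the ieee802_11.c hunk that follows; acceptable for a backport, but the two copies must stay identical. The `return 0` means an association indication with a bad SA is dropped silently rather than reported as an error, which is what the commit message intends.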
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
 b/src/ap/ieee802_11.c
+@@ -2210,6 +2210,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 
*buf, size_t len,
+   fc = le_to_host16(mgmt->frame_control);
+   stype = WLAN_FC_GET_STYPE(fc);
+ 
++  if (is_multicast_ether_addr(mgmt->sa) ||
++  is_zero_ether_addr(mgmt->sa) ||
++  os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++  /* Do not process any frames with unexpected/invalid SA so that
++   * we do not add any state for unexpected STA addresses or end
++   * up sending out frames to unexpected destination. */
++  wpa_printf(MSG_DEBUG, "MGMT: Invalid SA="
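Review bot: this hunk is cut off in the archive copy, so only the start of the check is visible; it mirrors the drv_callbacks.c one and runs before any per-subtype handler, which is the point of the fix (no STA state is created for an invalid SA). The drop is logged at MSG_DEBUG only, so at the default log level an AP being probed this way shows nothing; if operators want to detect it, log at a higher level or count the events as a Debian-side follow-up rather than by changing the backported patch.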

Bug#954863: marked as done (stretch-pu: package checkstyle/6.15-1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #954863,
regarding stretch-pu: package checkstyle/6.15-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
954863: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954863
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I would like to fix CVE-2019-9658 and CVE-2019-10782 in checkstyle.
The security team marked this issue as no-dsa. Please find attached
the debdiff for Stretch.

Regards,

Markus
diff -Nru checkstyle-6.15/debian/changelog checkstyle-6.15/debian/changelog
--- checkstyle-6.15/debian/changelog2016-02-04 21:52:02.0 +0100
+++ checkstyle-6.15/debian/changelog2020-03-24 13:18:16.0 +0100
@@ -1,3 +1,14 @@
+checkstyle (6.15-1+deb9u1) stretch; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2019-9658 and CVE-2019-10782:
+Security researchers from Snyk discovered that the fix for CVE-2019-9658
+was incomplete. Checkstyle, a development tool to help programmers write
+Java code that adheres to a coding standard, was still vulnerable to XML
+External Entity (XXE) injection. (Closes: #924598)
+
+ -- Markus Koschany   Tue, 24 Mar 2020 13:18:16 +0100
+
 checkstyle (6.15-1) unstable; urgency=medium
 
   * Team upload.
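Review bot: the entry should mention the behaviour change this fix brings: external DTD loading and external entities are now off by default and can only be re-enabled with the `checkstyle.enableExternalDtdLoad` system property (see the patch that follows), so configurations that relied on fetching a remote DTD will start failing. Saying so in the changelog, and in a NEWS entry if the team uses one, gives stretch users the hint they need when checkstyle stops parsing a config after the point release.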
diff -Nru checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch 
checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch
--- checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch   
1970-01-01 01:00:00.0 +0100
+++ checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch   
2020-03-24 13:18:16.0 +0100
@@ -0,0 +1,95 @@
+From: Markus Koschany 
+Date: Thu, 12 Mar 2020 13:06:45 +0100
+Subject: CVE-2019-9658 and CVE-2019-10782
+
+Bug-Debian: https://bugs.debian.org/924598
+
+Origin: 
https://github.com/checkstyle/checkstyle/commit/180b4fe37a2249d4489d584505f2b7b3ab162ec6
+Origin: 
https://github.com/checkstyle/checkstyle/pull/7495/commits/3af187f81ab33c9a8e471cc629ff10fe722a7a56
+---
+ .../tools/checkstyle/api/AbstractLoader.java   | 45 ++
+ src/xdocs/config_reporting.xml | 11 ++
+ 2 files changed, 56 insertions(+)
+
+diff --git 
a/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java 
b/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
+index 2e60e6d..6ea678b 100644
+--- a/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
 b/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
+@@ -80,6 +80,7 @@ public abstract class AbstractLoader
+ this.publicIdToResourceNameMap =
+ Maps.newHashMap(publicIdToResourceNameMap);
+ final SAXParserFactory factory = SAXParserFactory.newInstance();
++LoadExternalDtdFeatureProvider.setFeaturesBySystemProperty(factory);
+ factory.setValidating(true);
+ factory.setNamespaceAware(true);
+ parser = factory.newSAXParser().getXMLReader();
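Review bot: `setFeaturesBySystemProperty(factory)` is applied before `factory.setValidating(true)`; with external DTD loading disabled, validation can only succeed for DOCTYPEs that `publicIdToResourceNameMap` resolves to a bundled resource, so every DTD public ID checkstyle ships must be in that map or validation of a previously working config fails instead of fetching. Verify that for the 6.15 tree, which is older than the tree the upstream commit targeted.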
+@@ -124,4 +125,48 @@ public abstract class AbstractLoader
+ public void fatalError(SAXParseException exception) throws SAXException {
+ throw exception;
+ }
++
++/**
++ * Used for setting specific for secure java installations features to 
SAXParserFactory.
++ * Pulled out as a separate class in order to suppress Pitest mutations.
++ */
++public static final class LoadExternalDtdFeatureProvider {
++
++/** System property name to enable external DTD load. */
++public static final String ENABLE_EXTERNAL_DTD_LOAD = 
"checkstyle.enableExternalDtdLoad";
++
++/** Feature that enables loading external DTD when loading XML files. 
*/
++public static final String LOAD_EXTERNAL_DTD =
++
"http://apache.org/xml/features/nonvalidating/load-external-dtd";;
++/** Feature that enables including external general entities in XML 
files. */
++public static final String EXTERNAL_GENERAL_ENTITIES =
++"http://xml.org/sax/features/external-general-entities";;
++/** Feature that enables including external parameter entities in XML 
files. */
++public static final String EXTERNAL_PARAMETER_ENTITIES =
++"http://xml.org/sax/features/external-parameter-entities";;
++
++/** Stop instances being creat
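Review bot: the three feature URL constants end in `";;` in this copy; that is most likely the archive's link rendering, but check the file in the upload ends those declarations with a single `;`. The body of `setFeaturesBySystemProperty` is cut off here; the property that matters is that, unless the system property is set to "true", all three features (`load-external-dtd`, `external-general-entities`, `external-parameter-entities`) are set to false on the factory, and that an unset or malformed property value takes the secure path. A test that parses a document declaring an external entity and asserts it is not resolved would pin that down.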

Bug#955409: marked as done (stretch-pu: package tinyproxy/1.8.4-3~deb9u2)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #955409,
regarding stretch-pu: package tinyproxy/1.8.4-3~deb9u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
955409: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955409
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I have just uploaded (via Utkarsh Gupti as sponsor) an update of tinyproxy in 
stretch with the following changes:

+  * debian/patches:
++ Add CVE-2017-11747-drop-privileges-after-PID-file-creation.patch.
+  CVE-2017-11747: Create PID file before dropping privileges to non-root
+  account. (Closes: #870307).

CVE-2017-11747 is a no-dsa issue.

+  * debian/tinyproxy.init:
++ Only set PIDDIR, if PIDFILE is a non-zero length string. (Closes:
+  #948283).

RC bug fix.

Thanks+Greets,
Mike


-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru tinyproxy-1.8.4/debian/changelog tinyproxy-1.8.4/debian/changelog
--- tinyproxy-1.8.4/debian/changelog2018-02-28 18:33:56.0 +0100
+++ tinyproxy-1.8.4/debian/changelog2020-03-31 12:15:15.0 +0200
@@ -1,3 +1,15 @@
+tinyproxy (1.8.4-3~deb9u2) stretch; urgency=medium
+
+  * debian/patches:
++ Add CVE-2017-11747-drop-privileges-after-PID-file-creation.patch.
+  CVE-2017-11747: Create PID file before dropping privileges to non-root
+  account. (Closes: #870307).
+  * debian/tinyproxy.init:
++ Only set PIDDIR, if PIDFILE is a non-zero length string. (Closes:
+  #948283).
+
+ -- Mike Gabriel   Tue, 31 Mar 2020 12:15:15 +0200
+
 tinyproxy (1.8.4-3~deb9u1) stretch; urgency=medium
 
   * Non-maintainer upload.
diff -Nru tinyproxy-1.8.4/debian/init tinyproxy-1.8.4/debian/init
--- tinyproxy-1.8.4/debian/init 2017-11-15 01:38:47.0 +0100
+++ tinyproxy-1.8.4/debian/init 2020-03-31 12:13:31.0 +0200
@@ -37,7 +37,9 @@
 GROUP=$(grep   -i '^Group[[:space:]]'   "$CONFIG" | awk '{print $2}')
 PIDFILE=$(grep -i '^PidFile[[:space:]]' "$CONFIG" | awk '{print $2}' |\
   sed -e 's/"//g')
-PIDDIR=`dirname "$PIDFILE"`
+if [ -n "$PIDFILE" ];then
+PIDDIR=$(dirname "$PIDFILE")
+fi
 if [ -n "$PIDDIR" -a "$PIDDIR" != "/run" ]; then
if [ ! -d "$PIDDIR" ]; then
 mkdir "$PIDDIR"
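Review bot: when `PIDFILE` is empty, `PIDDIR` is now left as whatever it was in the caller's environment, so the `-n "$PIDDIR"` test two lines down can still fire; initialise `PIDDIR=""` before the `if` (or set it in an `else` branch). Style: `];then` should be `]; then`. The original `dirname ""` evaluates to `.`, which is why the unguarded line misbehaved when no PidFile is configured, so the guard itself is the right fix.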
diff -Nru 
tinyproxy-1.8.4/debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch
 
tinyproxy-1.8.4/debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch
--- 
tinyproxy-1.8.4/debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch
 1970-01-01 01:00:00.0 +0100
+++ 
tinyproxy-1.8.4/debian/patches/CVE-2017-11747-drop-privileges-after-PID-file-creation.patch
 2020-03-31 12:14:05.0 +0200
@@ -0,0 +1,47 @@
+From 9acb0cb16cb65a554c5443f0409f827390379249 Mon Sep 17 00:00:00 2001
+From: Michael Adam 
+Date: Thu, 16 Nov 2017 01:52:55 +0100
+Subject: [PATCH] Fix CVE-2017-11747: Create PID file before dropping
+ privileges.
+
+Resolves #106
+
+Signed-off-by: Michael Adam 
+---
+ src/main.c | 18 +-
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/src/main.c
 b/src/main.c
+@@ -407,6 +407,15 @@
+ exit (EX_OSERR);
+ }
+ 
++/* Create pid file before we drop privileges */
++if (config.pidpath) {
++if (pidfile_create (config.pidpath) < 0) {
++fprintf (stderr, "%s: Could not create PID file.\n",
++ argv[0]);
++exit (EX_OSERR);
++}
++}
++
+ /* Switch to a different user if we're running as root */
+ if (geteuid () == 0)
+ change_user (argv[0]);
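Review bot: with the PID file created before `change_user()`, the file is root-owned and the service user needs no write access to the PID directory, which is the point of the CVE-2017-11747 fix; make sure the init script does not chown `$PIDDIR` to the tinyproxy user, since that would hand the writable directory back. Also, once privileges are dropped the process can no longer unlink the file at exit when the directory is root-owned, so a stale PID file after a clean stop is expected and the init script should tolerate it.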
+@@ -419,15 +428,6 @@
+ exit (EX_SOFTWARE);
+ }
+ 
+-/* Create pid file after we 
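Review bot: this hunk is cut off in the archive copy; it should be exactly the removal of the old post-`change_user()` `pidfile_create()` block so the file is written once, as root, and nothing else. Confirm against the full patch, and that the removed block's error path (`EX_OSERR`, matching the one added above) is carried over rather than lost.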

Bug#951564: marked as done (stretch-pu: package postfix/3.1.14-0+10debu1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #951564,
regarding stretch-pu: package postfix/3.1.14-0+10debu1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
951564: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951564
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This is the next in the series of postfix 3.1 updates.  It includes the
postfix 3.1 relevant fixes from 3.4.8 and 3.4.9 (as there was no
companion 3.1 release with 3.4.8).  The only other change is to add the
upstream signing key to make it easier for me to verify upstream
signatures when preparing future updates.

All the fixes in this update are already in Testing and will be in
Buster once the recently requested pu for 3.4.9 is accepted.  I have
this version running on a system and have given it basic testing.  Given
upstream's history with maintenance updates, I have confidence this is
very low risk.  Details follow:

  [Scott Kitterman]

  * Check GPG signature when downloading new versions via uscan

  [Wietse Venema]

  * 3.1.15
- Bugfix (introduced: Postfix 2.8): don't gratuitously enable
  all after-220 tests when only one such test is enabled.
  This made selective tests impossible with 'good' clients.
  File: postscreen/postscreen_smtpd.c.
- Bugfix (introduced: Postfix 3.1): support for
  smtp_dns_resolver_options was broken while adding support
  for negative DNS response caching in postscreen. Postfix
  was inadvertently changed to call res_query() instead of
  res_search(). Reported by Jaroslav Skarvada. File:
  dns/dns_lookup.c.
- Bugfix (introduced: Postfix 3.0): sanitize server responses
  before storing them in the verify database, to avoid Postfix
  warnings about malformed UTF8. File: verify/verify.c.
- Bugfix (introduced: Postfix 2.5): the Milter connect event
  macros were evaluated before the Milter connection itself
  had been negotiated. Problem reported by David Bürgin.
  Files: milter/milter.h, milter/milter.c, milter/milter8.c

Scott K
diff -Nru postfix-3.1.14/debian/changelog postfix-3.1.15/debian/changelog
--- postfix-3.1.14/debian/changelog 2019-10-01 19:28:19.0 -0400
+++ postfix-3.1.15/debian/changelog 2020-02-16 14:59:05.0 -0500
@@ -1,3 +1,32 @@
+postfix (3.1.15-0+deb9u1) stretch; urgency=medium
+
+  [Scott Kitterman]
+
+  * Check GPG signature when downloading new versions via uscan
+
+  [Wietse Venema]
+
+  * 3.1.15
+- Bugfix (introduced: Postfix 2.8): don't gratuitously enable
+  all after-220 tests when only one such test is enabled.
+  This made selective tests impossible with 'good' clients.
+  File: postscreen/postscreen_smtpd.c.
+- Bugfix (introduced: Postfix 3.1): support for
+  smtp_dns_resolver_options was broken while adding support
+  for negative DNS response caching in postscreen. Postfix
+  was inadvertently changed to call res_query() instead of
+  res_search(). Reported by Jaroslav Skarvada. File:
+  dns/dns_lookup.c.
+- Bugfix (introduced: Postfix 3.0): sanitize server responses
+  before storing them in the verify database, to avoid Postfix
+  warnings about malformed UTF8. File: verify/verify.c.
+- Bugfix (introduced: Postfix 2.5): the Milter connect event
+  macros were evaluated before the Milter connection itself
+  had been negotiated. Problem reported by David Bürgin.
+  Files: milter/milter.h, milter/milter.c, milter/milter8.c
+
+ -- Scott Kitterman   Sun, 16 Feb 2020 14:59:05 -0500
+
 postfix (3.1.14-0+deb9u1) stretch; urgency=medium
 
   [Wietse Venema]
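Review bot: the first bullet, "Check GPG signature when downloading new versions via uscan", implies a `debian/watch` change (a `pgpsigurlmangle` or `pgpmode` option) in addition to the new key, but the debdiff as shown contains only `debian/changelog` and `debian/upstream/signing-key.asc`; confirm the watch file change is in the upload, since the key alone does nothing.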
diff -Nru postfix-3.1.14/debian/upstream/signing-key.asc 
postfix-3.1.15/debian/upstream/signing-key.asc
--- postfix-3.1.14/debian/upstream/signing-key.asc  1969-12-31 
19:00:00.0 -0500
+++ postfix-3.1.15/debian/upstream/signing-key.asc  2020-02-16 
14:53:17.0 -0500
@@ -0,0 +1,154 @@
+-BEGIN PGP PUBLIC KEY BLOCK-
+Version: GnuPG v2.0.18 (FreeBSD)
+
+mQMuBFYZbx0RCADaN3/xzcSgTh/Zdpn5Ia0cRAGF/0ZKbd6azuiFTvXQd/JLZkYj
+DkNHHGZImtQhPf+aa7JXCUSqrbgvSyYOYUI6enx+W8RBzvYBWEccW1Ls4D7mxUmA
+CbHfcGn7gdEXaQaHS4sJzoYCGRboOKyLCGHvSajxr+HidAv9JEzuGb20TRZ9bL9B
+P3LrKIleSSJICH5qU+mGtCE0nZspAhpbLizCAx9jkS5lKfmPI7ua2q+nDQJ3/Q9I
+mfJGM6HR2SvPR5hl9ZoZF0p44bl30hmwezbkx151+Zt23MW+OWUtpoZQBiW5q3J0
+wa6t
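Review bot: the key block is cut off here; record the key's fingerprint in the changelog entry (or debian/upstream/metadata) and where it was obtained, so a reviewer can match it against the key upstream publishes for Postfix release signatures without having to import the file.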

Bug#953123: marked as done (stretch-pu: package rake/10.5.0-2+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #953123,
regarding stretch-pu: package rake/10.5.0-2+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
953123: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953123
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

Hiya,

rake seemed to be affected by CVE-2020-8130.
This has been fixed in Sid, Bullseye, and Jessie already.
I got an ack to upload from the Security Team.

Here's the debdiff:
8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

diff -Nru rake-10.5.0/debian/changelog rake-10.5.0/debian/changelog
--- rake-10.5.0/debian/changelog2016-03-01 23:45:05.0 +0530
+++ rake-10.5.0/debian/changelog2020-02-29 20:57:18.0 +0530
@@ -1,3 +1,10 @@
+rake (10.5.0-2+deb9u1) stretch; urgency=high
+
+  * Team upload
+  * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130)
+
+ -- Utkarsh Gupta   Sat, 29 Feb 2020 20:57:18 +0530
+
 rake (10.5.0-2) unstable; urgency=medium

   * Team upload.
diff -Nru rake-10.5.0/debian/patches/CVE-2020-8130.patch
rake-10.5.0/debian/patches/CVE-2020-8130.patch
--- rake-10.5.0/debian/patches/CVE-2020-8130.patch1970-01-01
05:30:00.0 +0530
+++ rake-10.5.0/debian/patches/CVE-2020-8130.patch2020-02-29
20:54:24.0 +0530
@@ -0,0 +1,18 @@
+Description: Use File.open explicitly.
+Author: Hiroshi SHIBATA 
+Author: Utkarsh Gupta 
+Origin: 
https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-8130
+Last-Update: 2020-02-29
+
+--- a/lib/rake/file_list.rb
 b/lib/rake/file_list.rb
+@@ -290,7 +290,7 @@
+   matched = 0
+   each do |fn|
+ begin
+-  open(fn, "r", *options) do |inf|
++  File.open(fn, "r", *options) do |inf|
+ count = 0
+ inf.each do |line|
+   count += 1
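Review bot: the Description says what changed but not why; add that `Kernel#open` treats an argument beginning with `|` as a command to run and returns its output pipe, so a crafted file name reaching `FileList#egrep` executes that command, whereas `File.open` only ever opens a path (that is CVE-2020-8130). After the fix a `|cmd` name raises `Errno::ENOENT`, which the surrounding `begin` block already rescues, so behaviour for real files is unchanged.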
diff -Nru rake-10.5.0/debian/patches/series rake-10.5.0/debian/patches/series
--- rake-10.5.0/debian/patches/series2016-03-01 23:45:05.0 +0530
+++ rake-10.5.0/debian/patches/series2020-02-29 20:54:08.0 +0530
@@ -2,3 +2,4 @@
 skip_permission_test.patch
 autopkgtest.patch
 skip-rake-libdir.patch
+CVE-2020-8130.patch

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (c
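As an added example, not code from rake or the Debian package, the following Ruby models `Rake::FileList#egrep` with the pre-fix `Kernel#open` and the post-fix `File.open` side by side, so the effect of the one-line change in the patch above can be seen on a crafted name: `Kernel#open` treats a leading `|` as a pipe and runs the rest as a command. `egrep_with`, `demo`, the sample file and the crafted name are constructed for this demonstration.

```ruby
# Added example: a reduced model of Rake::FileList#egrep showing why
# CVE-2020-8130 needed Kernel#open replaced by File.open. Not code from rake
# or the Debian package; the loop mirrors the shape of the hunk above.
require "tmpdir"

# Shared egrep loop; the opener decides what a "file name" is allowed to do.
# Returns [[name, line_number, line], ...] for every matching line.
def egrep_with(opener, filenames, pattern)
  matches = []
  filenames.each do |fn|
    begin
      opener.call(fn, "r") do |inf|
        inf.each_line.with_index(1) do |line, no|
          matches << [fn, no, line.chomp] if line.match?(pattern)
        end
      end
    rescue StandardError => ex
      # rake reports the error and moves on to the next file
      warn "Error while processing '#{fn}': #{ex.message}"
    end
  end
  matches
end

# Pre-fix: Kernel#open. A name such as "|cmd" spawns cmd and reads its output.
def egrep_vulnerable(filenames, pattern)
  egrep_with(method(:open), filenames, pattern)
end

# Post-fix: File.open only ever opens a path; "|cmd" is just a missing file.
def egrep_fixed(filenames, pattern)
  egrep_with(File.method(:open), filenames, pattern)
end

# Runs both variants over a real file and over a crafted name (constructed
# inputs) and returns the results so they can be compared.
def demo
  Dir.mktmpdir("egrep-demo") do |dir|
    path = File.join(dir, "notes.txt")
    File.write(path, "first line\nneedle here\n")
    crafted = "|echo needle from injected command"
    {
      real_file_fixed:    egrep_fixed([path], /needle/),
      crafted_vulnerable: egrep_vulnerable([crafted], /needle/),
      crafted_fixed:      egrep_fixed([crafted], /needle/)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, hits| puts "#{name}: #{hits.inspect}" }
end
```

The vulnerable variant reports a "match" for the crafted name because the text it searched is the output of the command it ran; the fixed variant logs `Errno::ENOENT` for that name and finds only the real file. Callers that build a `FileList` from untrusted names can go one step further and keep only entries for which `File.file?` is true before searching.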

Bug#956534: marked as done (stretch-pu: package php-horde-form/2.0.15-1+deb9u2)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #956534,
regarding stretch-pu: package php-horde-form/2.0.15-1+deb9u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
956534: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956534
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu


Please find attached a proposed debdiff for php-horde-form.  The change
fixes CVE-2020-8866, which the security team has classified as ,
deeming it a minor issue which can be fixed via a point release.  I have
prepared this update in coordination with the security team.  May I have
permission to upload to stretch-proposed-updates?

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#955861: marked as done (stretch-pu: package csync2/2.0-8-g175a01c-4+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #955861,
regarding stretch-pu: package csync2/2.0-8-g175a01c-4+deb9u1
to be marked as done.



-- 
955861: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955861
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

Please approve the following update for stretch fixing a CVE:

diff -Nru csync2-2.0-8-g175a01c/debian/changelog 
csync2-2.0-8-g175a01c/debian/changelog
--- csync2-2.0-8-g175a01c/debian/changelog  2016-10-23 15:38:46.0 
+0200
+++ csync2-2.0-8-g175a01c/debian/changelog  2020-04-05 15:26:41.0 
+0200
@@ -1,3 +1,9 @@
+csync2 (2.0-8-g175a01c-4+deb9u1) stretch; urgency=medium
+
+  * Add patch for CVE-2019-15522 (Closes: #955445)
+
+ -- Valentin Vidic   Sun, 05 Apr 2020 15:26:41 +0200
+
 csync2 (2.0-8-g175a01c-4) unstable; urgency=medium
 
   [ Christoph Berg ]
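Review bot: the changelog entry `* Add patch for CVE-2019-15522 (Closes: #955445)` says nothing about what the issue is; for a stable security update a one-line summary (the daemon kept serving a session after a HELLO without SSL where SSL was required, per the patch Subject) lets readers of the changelog judge the impact without opening the bug.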
diff -Nru csync2-2.0-8-g175a01c/debian/patches/CVE-2019-15522.patch 
csync2-2.0-8-g175a01c/debian/patches/CVE-2019-15522.patch
--- csync2-2.0-8-g175a01c/debian/patches/CVE-2019-15522.patch   1970-01-01 
01:00:00.0 +0100
+++ csync2-2.0-8-g175a01c/debian/patches/CVE-2019-15522.patch   2020-04-05 
15:25:58.0 +0200
@@ -0,0 +1,21 @@
+From 0ecfc333da51575f188dd7cf6ac4974d13a800b1 Mon Sep 17 00:00:00 2001
+From: Malte Kraus 
+Date: Tue, 13 Aug 2019 11:25:57 +0200
+Subject: [PATCH] fail HELLO command when SSL is required
+
+---
+ daemon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/daemon.c b/daemon.c
+index 2d8407d..2a1a8af 100644
+--- a/daemon.c
 b/daemon.c
+@@ -747,6 +747,7 @@ void csync_daemon_session()
+   goto conn_without_ssl_ok;
+   }
+   cmd_error = conn_response(CR_ERR_SSL_EXPECTED);
++  peer = NULL;
+   }
+ conn_without_ssl_ok:;
+ #endif
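Review bot: the fix is the single `++  peer = NULL;` after `cmd_error = conn_response(CR_ERR_SSL_EXPECTED);`, and its correctness rests on every later handler in csync_daemon_session() treating a NULL `peer` as not yet authenticated, which this hunk cannot show: control still falls through to `conn_without_ssl_ok:` instead of ending the session. A short comment at the assignment, or a sentence in the patch header (which currently has no body text), stating that invariant would make the backport reviewable on its own.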
diff -Nru csync2-2.0-8-g175a01c/debian/patches/series 
csync2-2.0-8-g175a01c/debian/patches/series
--- csync2-2.0-8-g175a01c/debian/patches/series 2016-10-23 15:38:46.0 
+0200
+++ csync2-2.0-8-g175a01c/debian/patches/series 2020-04-05 15:26:06.0 
+0200
@@ -1,3 +1,4 @@
 fix-MAXPATHLEN-for-hurd-i386.patch
 fix-libsqlite3-name.patch
 fix-xinetd.patch
+CVE-2019-15522.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#958192: marked as done (stretch-pu: package xdg-utils/1.1.1-1+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #958192,
regarding stretch-pu: package xdg-utils/1.1.1-1+deb9u1
to be marked as done.



-- 
958192: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958192
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release managers,

Along with 1.1.3-1+deb10u1 for buster I propose an update for stretch
with the same fixes that are applicable to the 1.1.1 version.

As in #958141, the update can be found in the Git repository[1] or on
mentors.d.n[2]. The debdiff is also attached.

 [1]: https://salsa.debian.org/freedesktop-team/xdg-utils/-/tree/stretch
 [2]: https://mentors.debian.net/package/xdg-utils


-- System Information:
Debian Release: buster/sid
  APT prefers eoan-updates
  APT policy: (500, 'eoan-updates'), (500, 'eoan-security'), (500, 'eoan')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-46-generic (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), LANGUAGE=ru 
(charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diffstat for xdg-utils-1.1.1 xdg-utils-1.1.1

 changelog |   12 ++
 patches/Create-data-apps-dir.patch|   19 +
 patches/Directories-with-spaces.patch |   35 +++
 patches/Sanitise-window-name.patch|   38 ++
 patches/series|3 ++
 5 files changed, 107 insertions(+)

diff -Nru xdg-utils-1.1.1/debian/changelog xdg-utils-1.1.1/debian/changelog
--- xdg-utils-1.1.1/debian/changelog2018-05-20 12:44:40.0 +0300
+++ xdg-utils-1.1.1/debian/changelog2020-04-19 16:47:09.0 +0300
@@ -1,3 +1,15 @@
+xdg-utils (1.1.1-1+deb9u2) stretch; urgency=medium
+
+  * Apply patches:
+- Sanitise-window-name.patch fixes crash in xdg-screensaver.
+  Closes: #910070, LP: #1743216, Upstream: BR108121.
+- Directories-with-spaces.patch corrects handling directories with spaces
+  in the name. LP: #1848335, Upstream: #166.
+- Create-data-apps-dir.patch fixes xdg-mime with temporary $XDG_DATA_HOME.
+  Closes: #652038.
+
+ -- Nicholas Guriev   Sun, 19 Apr 2020 16:47:09 +0300
+
 xdg-utils (1.1.1-1+deb9u1) stretch-security; urgency=high
 
   * Fix CVE-2017-18266, closes: #898317.
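Review bot: the entry introduces `xdg-utils (1.1.1-1+deb9u2)` (deb9u1 was the stretch-security upload listed right below it), but the bug is titled for xdg-utils/1.1.1-1+deb9u1; retitle to the version that will actually be uploaded so the release team's tracking matches the archive. The three `- ...patch` bullets are otherwise clear and each carries its bug references.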
diff -Nru xdg-utils-1.1.1/debian/patches/Create-data-apps-dir.patch 
xdg-utils-1.1.1/debian/patches/Create-data-apps-dir.patch
--- xdg-utils-1.1.1/debian/patches/Create-data-apps-dir.patch   1970-01-01 
03:00:00.0 +0300
+++ xdg-utils-1.1.1/debian/patches/Create-data-apps-dir.patch   2020-04-19 
16:45:54.0 +0300
@@ -0,0 +1,19 @@
+Description: Create applications directory if it does not exist yet
+Bug-Debian: https://bugs.debian.org/652038
+Author: Nicholas Guriev 
+Last-Update: Sun, 19 Apr 2020 16:25:49 +0300
+
+---
+ scripts/xdg-mime.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/scripts/xdg-mime.in
 b/scripts/xdg-mime.in
+@@ -244,6 +244,7 @@ make_default_generic()
+ default_file="$xdg_user_dir/applications/mimeapps.list"
+ DEBUG 2 "make_default_generic $1 $2"
+ DEBUG 1 "Updating $default_file"
++mkdir -p "$xdg_user_dir/applications"
+ [ -f "$default_file" ] || touch "$default_file"
+ awk -v mimetype="$2" -v application="$1" '
+ BEGIN {
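Review bot: `++mkdir -p "$xdg_user_dir/applications"` ignores failure, so if the directory cannot be created (the path already exists as a regular file, or $XDG_DATA_HOME is read-only) the following `touch "$default_file"` and the awk rewrite still run and make_default_generic reports nothing useful; suggest `mkdir -p "$xdg_user_dir/applications" || return 1` (or the script's existing error path) so the failure is visible. Header-wise the patch has Author and Bug-Debian but no Forwarded: field, which DEP-3 recommends for a patch that did not come from upstream; add it and send the fix upstream.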
diff -Nru xdg-utils-1.1.1/debian/patches/Directories-with-spaces.patch 
xdg-utils-1.1.1/debian/patches/Directories-with-spaces.patch
--- xdg-utils-1.1.1/debian/patches/Directories-with-spaces.patch
1970-01-01 03:00:00.0 +0300
+++ xdg-utils-1.1.1/debian/patches/Directories-with-spaces.patch
2020-04-19 16:27:38.0 +0300
@@ -0,0 +1,35 @@
+Author: Andrea Tarocchi 
+Desciption: xdg-open dos not search correctly in directories with spaces in 
the name
+Bug: https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/166
+Bug-Ubuntu: https://launchpad.net/bugs/1848335
+Origin: https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/9816ebb3
+Acked-by: Nicholas Guriev 
+Last-Update: Sun, 19 Apr 2020 16:25:49 +0300
+
+---
+ scripts/xdg-mime.in | 2 +-
+ scripts/xdg-open.in | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/scri

Bug#956929: marked as done (stretch-pu: package nvidia-graphics-drivers/390.132-1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #956929,
regarding stretch-pu: package nvidia-graphics-drivers/390.132-1
to be marked as done.



-- 
956929: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956929
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to update the non-free nvidia-graphics-drivers in stretch from
390.116-1 to 390.132-1.
There are a few upstream fixes but no known CVE fixes.
The majority of the changes are packaging related ... because the
packaging is mainly generated (since we build 4 source packages from
it in sid nowadays) and I'd like to keep it in sync to be able to
propagate fixes through it without running into a merge nightmare at
some point. Most changes were triggered by adding support for the
separately packaged Tesla drivers - a huge textual diff (e.g. renaming
of variables and substvars from "legacy" to the more generic "variant")
without causing differences in the generated binaries.
All packaging changes are backports from sid and should be documented
in the changelog. (Some documentation changes may not be documented.)
Some of these changes were already included in previous point releases
when we updated nvidia-graphics-drivers-legacy-340xx for its EoL state.
With these changes I hope to cover most changes to be backported through
the bullseye release cycle and further updates will only include new
upstream releases (with CVE fixes?) without significant packaging
updates.

The proposed package is very similar to
src:nvidia-graphics-drivers-legacy-390xx in sid/bullseye.

As always for nvidia-graphics-drivers, the attached patch is a git diff
of debian/ excluding the blobs (*.run).
In case it would help your review, I could also provide (like in
#956913):
* a binary debdiff of 390.116-1 in stretch against 390.116-1 rebuilt
  with the proposed packaging updates
* a split source debdiff of debian/control for the actual changes
  without reordering and the reordering part


Andreas


ngd-390.132-1.stretch.diff.xz
Description: application/xz
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#961579: marked as done (stretch-pu: package erlang/1:19.2.1+dfsg-2+deb9u3)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #961579,
regarding stretch-pu: package erlang/1:19.2.1+dfsg-2+deb9u3
to be marked as done.



-- 
961579: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961579
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi release team!

Recently, a weak ciphers vulnerability was discovered in the Yaws web server,
and reported as CVE-2020-12872 (see [1] and [2]).
It turns out that Yaws uses the default ciphers provided by Erlang, so I
think it's better to fix this bug there. If we consider only Erlang packages
in stretch, buster, bullseye/sid then only the version in stretch is
vulnerable, so I'd like to propose an update for it.

The proposed patch is attached. It's a minimal patch which just removes the
3DES based ciphers from the offered list for TLS v1.0. The later Erlang
versions do just that - remove these ciphers from the list.

If the patch is okay then I'll upload the fixed version.

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12872
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961422

-- System Information:
Debian Release: 10.4
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'proposed-updates'), (500, 
'oldoldstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental'), (1, 
'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-9-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru erlang-19.2.1+dfsg/debian/changelog 
erlang-19.2.1+dfsg/debian/changelog
--- erlang-19.2.1+dfsg/debian/changelog 2019-02-09 01:28:34.0 +0300
+++ erlang-19.2.1+dfsg/debian/changelog 2020-05-26 11:30:58.0 +0300
@@ -1,3 +1,10 @@
+erlang (1:19.2.1+dfsg-2+deb9u3) stretch; urgency=medium
+
+  * Applied a patch which fixes CVE-2020-12872 vulnerability revealed
+for the Yaws web server (TLS server offers weak ciphers for TLS 1.0).
+
+ -- Sergei Golovan   Tue, 26 May 2020 11:30:58 +0300
+
 erlang (1:19.2.1+dfsg-2+deb9u2) stretch; urgency=medium
 
   [ Andreas Beckmann ]
diff -Nru erlang-19.2.1+dfsg/debian/patches/cve-2020-12872.patch 
erlang-19.2.1+dfsg/debian/patches/cve-2020-12872.patch
--- erlang-19.2.1+dfsg/debian/patches/cve-2020-12872.patch  1970-01-01 
03:00:00.0 +0300
+++ erlang-19.2.1+dfsg/debian/patches/cve-2020-12872.patch  2020-05-26 
11:30:58.0 +0300
@@ -0,0 +1,25 @@
+From: Sergei Golovan 
+Subject: Patch removes ciphers which are now considered weak
+ from the default TLS ciphers list. The vulnerability was found
+ in the Yaws web server and described as CVE-2020-12872.
+ It is fixed in the later Erlang releases.
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961422
+Forwarded: no
+
+--- a/lib/ssl/src/tls_v1.erl
 b/lib/ssl/src/tls_v1.erl
+@@ -204,14 +204,6 @@
+   ?TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+   ?TLS_RSA_WITH_AES_256_CBC_SHA,
+ 
+-  ?TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+-  ?TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+-  ?TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+-  ?TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+-  ?TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+-  ?TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+-  ?TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+-
+   ?TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+   ?TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+   ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
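Review bot: scope matches the description: exactly the seven `?TLS_*_WITH_3DES_EDE_CBC_SHA` entries are removed from the TLS 1.0 default list in tls_v1.erl and nothing else changes, so a server that configures its own cipher list is unaffected and only callers relying on the defaults see the change, which is worth a sentence in the changelog entry. The header, though, says `Forwarded: no` while the Subject states that later Erlang releases already made this change; an `Origin:` line pointing at the upstream commit that dropped these suites (the real reference, to be filled in by the uploader) would let the backport be checked against upstream.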
diff -Nru erlang-19.2.1+dfsg/debian/patches/series 
erlang-19.2.1+dfsg/debian/patches/series
--- erlang-19.2.1+dfsg/debian/patches/series2017-03-22 15:31:29.0 
+0300
+++ erlang-19.2.1+dfsg/debian/patches/series2020-05-26 11:30:58.0 
+0300
@@ -12,3 +12,4 @@
 x32.patch
 cve-2016-10253.patch
 cve-2017-1000385.patch
+cve-2020-12872.patch
--- End Message ---
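The approach the message describes, dropping the 3DES suites from a default list, as an added example that is not part of the bug report or of Erlang's code: a small Python audit that parses IANA-style suite names (the sample list is constructed from the suites visible in the patch hunk; the function and class names are this example's own) and reports which entries a hardened default should drop. It generalises beyond 3DES to other suite classes a reviewer would also flag.

```python
"""Audit a TLS cipher-suite list for 3DES and other suites a hardened default
should not offer.

Added example for this thread; not part of the Debian bug report or of
Erlang/Yaws. Suite names follow the IANA TLS registry spelling that the
erlang patch uses (TLS_<kx>_WITH_<cipher>_<mac>).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the TLS 1.0 default suites visible in the patch hunk,
# in the order they appear there (Erlang spells them as ?TLS_... macros).
SAMPLE_DEFAULT_SUITES = [
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
]

_SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Za-z0-9_]+)_WITH_(?P<rest>[A-Za-z0-9_]+)$")


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str      # key exchange + authentication, e.g. "ECDHE_RSA", "DH_anon"
    cipher: str  # bulk cipher, e.g. "3DES_EDE_CBC", "AES_128_GCM"
    mac: str     # MAC / PRF hash, e.g. "SHA", "SHA256", "MD5"


def parse_suite(name: str) -> Suite:
    """Split an IANA suite name into its key-exchange, cipher and MAC parts."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not an IANA TLS suite name: {name!r}")
    # The MAC is always the last underscore-separated token; everything
    # between WITH_ and it is the bulk cipher spec.
    cipher, _, mac = m.group("rest").rpartition("_")
    return Suite(name, m.group("kx"), cipher, mac)


def weakness(suite: Suite) -> Optional[str]:
    """Reason a default list should not offer this suite, or None if acceptable."""
    if suite.cipher.startswith("3DES"):
        return "64-bit block cipher (SWEET32 birthday attack); what the patch removes"
    if suite.cipher.startswith("DES"):
        return "56-bit single DES"
    if suite.cipher == "NULL":
        return "no encryption"
    if suite.cipher.startswith("RC4"):
        return "RC4 stream cipher is broken"
    if "EXPORT" in suite.kx:
        return "export-grade key size"
    if suite.kx.endswith("_anon"):
        return "anonymous key exchange, no server authentication"
    if suite.mac == "MD5":
        return "MD5-based MAC"
    return None


def harden(suites: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Return (suites to keep, {dropped suite: reason}), preserving input order."""
    kept: List[str] = []
    dropped: Dict[str, str] = {}
    for name in suites:
        reason = weakness(parse_suite(name))
        if reason is None:
            kept.append(name)
        else:
            dropped[name] = reason
    return kept, dropped


if __name__ == "__main__":
    kept_suites, dropped_suites = harden(SAMPLE_DEFAULT_SUITES)
    for suite_name, why in dropped_suites.items():
        print(f"DROP {suite_name}: {why}")
    print(f"{len(kept_suites)} of {len(SAMPLE_DEFAULT_SUITES)} suites kept")
```

Run against the sample list it drops exactly the seven 3DES suites the patch deletes and keeps the five AES ones.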
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#956532: marked as done (stretch-pu: package php-horde-data/2.1.4-3+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #956532,
regarding stretch-pu: package php-horde-data/2.1.4-3+deb9u1
to be marked as done.



-- 
956532: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956532
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Please find attached a proposed debdiff for php-horde-data.  The change
fixes CVE-2020-8518, which the security team has classified as ,
deeming it a minor issue which can be fixed via a point release.  I have
prepared this update in coordination with the security team.  May I have
permission to upload to stretch-proposed-updates?

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru php-horde-data-2.1.4/debian/changelog 
php-horde-data-2.1.4/debian/changelog
--- php-horde-data-2.1.4/debian/changelog   2016-06-07 16:25:17.0 
-0400
+++ php-horde-data-2.1.4/debian/changelog   2020-04-10 19:58:12.0 
-0400
@@ -1,3 +1,12 @@
+php-horde-data (2.1.4-3+deb9u1) stretch; urgency=high
+
+  * Fix CVE-2020-8518:
+The Horde Application Framework contained a remote code execution
+vulnerability. An authenticated remote attacker could use this flaw to
+cause execution of uploaded CSV data. (Closes: #951537)
+
+ -- Roberto C. Sanchez   Fri, 10 Apr 2020 19:58:12 -0400
+
 php-horde-data (2.1.4-3) unstable; urgency=medium
 
   * Update Standards-Version to 3.9.8, no change
diff -Nru 
php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch
 
php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch
--- 
php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch
   1969-12-31 19:00:00.0 -0500
+++ 
php-horde-data-2.1.4/debian/patches/0001-CVE-2020-8518-Dont-use-create_function.patch
   2020-04-10 19:58:12.0 -0400
@@ -0,0 +1,36 @@
+From 78ad0c2390176cdde7260a271bc6ddd86f4c9c0e Mon Sep 17 00:00:00 2001
+From: Jan Schneider 
+Date: Mon, 13 Feb 2017 18:38:59 +0100
+Subject: [PATCH] Don't use create_function().
+
+It's deprecated and unsafe and closures should be used instead.
+---
+ lib/Horde/Data/Csv.php | 15 ++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php 
b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php
+index c2dc7dc..c0ffa63 100644
+--- a/Horde_Data-2.1.4/lib/Horde/Data/Csv.php
 b/Horde_Data-2.1.4/lib/Horde/Data/Csv.php
+@@ -332,7 +332,20 @@ public static function getCsv($file, array $params = 
array())
+ 
+ if ($row) {
+ $row = (strlen($params['quote']) && strlen($params['escape']))
+-? array_map(create_function('$a', 'return str_replace(\'' . 
str_replace('\'', '\\\'', $params['escape'] . $params['quote']) . '\', \'' . 
str_replace('\'', '\\\'', $params['quote']) . '\', $a);'), $row)
++? array_map(
++function ($a) use ($params) {
++return str_replace(
++str_replace(
++'\'',
++
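Review bot: the visible start of the closure, `str_replace( str_replace( '\'', ...`, keeps the inner quote-escaping `str_replace` calls from the old `create_function()` string; there they escaped `'` so the values could be embedded in generated PHP source, but inside a real closure they run on the data itself and would turn a quote character of `'` into `\'` before the replacement is made. Confirm in the part of the patch cut off here that the body reduces to `str_replace($params['escape'] . $params['quote'], $params['quote'], $a)`, or note in the patch header why the extra escaping is kept; the `use ($params)` capture itself is correct.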

Bug#956537: marked as done (stretch-pu: package php-horde-trean/1.1.7-1+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #956537,
regarding stretch-pu: package php-horde-trean/1.1.7-1+deb9u1
to be marked as done.



-- 
956537: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956537
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Please find attached a proposed debdiff for php-horde-trean.  The change
fixes CVE-2020-8865, which the security team has classified as ,
deeming it a minor issue which can be fixed via a point release.  I have
prepared this update in coordination with the security team.  May I have
permission to upload to stretch-proposed-updates?

Regards,

-Roberto

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru php-horde-trean-1.1.7/debian/changelog 
php-horde-trean-1.1.7/debian/changelog
--- php-horde-trean-1.1.7/debian/changelog  2016-12-18 17:01:35.0 
-0500
+++ php-horde-trean-1.1.7/debian/changelog  2020-04-10 20:32:35.0 
-0400
@@ -1,3 +1,13 @@
+php-horde-trean (1.1.7-1+deb9u1) stretch; urgency=high
+
+  * Fix CVE-2020-8865:
+The Horde Application Framework contained a directory traversal
+vulnerability resulting from insufficient input sanitization. An
+authenticated remote attacker could use this flaw to execute code in the
+context of the web server user. (Closes: #955019)
+
+ -- Roberto C. Sanchez   Fri, 10 Apr 2020 20:32:35 -0400
+
 php-horde-trean (1.1.7-1) unstable; urgency=medium
 
   * New upstream version 1.1.7
diff -Nru 
php-horde-trean-1.1.7/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
 
php-horde-trean-1.1.7/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
--- 
php-horde-trean-1.1.7/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
 1969-12-31 19:00:00.0 -0500
+++ 
php-horde-trean-1.1.7/debian/patches/0001-CVE-2020-8865-SECURITY-Fix-Directory-Traversal-Vulerability.patch
 2020-04-10 20:32:35.0 -0400
@@ -0,0 +1,36 @@
+From db0714a0c04d87bda9e2852f1b0d259fc281ca75 Mon Sep 17 00:00:00 2001
+From: Michael J Rubinsky 
+Date: Sun, 1 Mar 2020 15:00:46 -0500
+Subject: [PATCH] SECURITY: Fix Directory Traversal Vulerability.
+
+---
+ lib/Block/Bookmarks.php   | 2 +-
+ lib/Block/Mostclicked.php | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/trean-1.1.7/lib/Block/Bookmarks.php 
b/trean-1.1.7/lib/Block/Bookmarks.php
+index 7027bc3..16c7ba2 100644
+--- a/trean-1.1.7/lib/Block/Bookmarks.php
 b/trean-1.1.7/lib/Block/Bookmarks.php
+@@ -68,7 +68,7 @@ protected function _title()
+  */
+ protected function _content()
+ {
+-$template = TREAN_TEMPLATES . '/block/' . $this->_params['template'] 
. '.inc';
++$template = TREAN_TEMPLATES . '/block/' . 
basename($this->_params['template']) . '.inc';
+ 
+ $sortby = 'title';
+ $sortdir = 0;
+diff --git a/trean-1.1.7/lib/Block/Mostclicked.php 
b/trean-1.1.7/lib/Block/Mostclicked.php
+index ffbc52b..3308110 100644
+--- a/trean-1.1.7/lib/Block/Mostclicked.php
 b/trean-1
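Review bot: `basename($this->_params['template'])` closes the `../` traversal out of `TREAN_TEMPLATES . '/block/'`, but the block parameter still selects a file on disk unvalidated; an allowlist of the template names that actually exist under block/ (or a realpath() prefix check against TREAN_TEMPLATES) is the stronger fix and states the intent, and the same applies to the `Mostclicked.php` hunk that is cut off here. Minor: the patch file name and its Subject both spell it `Vulerability`.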

Bug#961020: marked as done (stretch-pu: package libexif/0.6.21-2+deb9u2)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #961020,
regarding stretch-pu: package libexif/0.6.21-2+deb9u2
to be marked as done.



-- 
961020: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961020
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

libexif 0.6.21-2+deb9u1 contains five security vulnerabilities currently marked
as "no DSA".

The attached debdiff fixes these vulnerabilities.

CVE-2020-12767 - division-by-zero errors
CVE-2020-0093  - read buffer overflow
CVE-2018-20030 - denial of service by wasting CPU
CVE-2017-7544  - out-of-bounds heap read
CVE-2016-6328  - integer overflow

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-1-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog 2020-02-02 07:54:38.0 +1100
+++ libexif-0.6.21/debian/changelog 2020-05-19 18:41:18.0 +1000
@@ -1,3 +1,19 @@
+libexif (0.6.21-2+deb9u2) stretch; urgency=medium
+
+  * Team upload.
+  * Add upstream patches to fix multiple security issues:
+- cve-2016-6328.patch: Fix an integer overflow while parsing the MNOTE
+  entry data of the input file (CVE-2016-6328) (Closes: #873022).
+- cve-2017-7544.patch: Fix an out-of-bounds heap read in the function
+  exif_data_save_data_entry() (CVE-2017-7544) (Closes: #876466).
+- cve-2018-20030.patch: Improve deep recursion detection in the function
+  exif_data_load_data_content() (CVE-2018-20030) (Closes: #918730).
+- cve-2020-12767.patch: Prevent some possible division-by-zero errors
+  in exif_entry_get_value() (CVE-2020-12767) (Closes: #960199).
+- cve-2020-0093.patch: Prevent read buffer overflow (CVE-2020-0093).
+
+ -- Hugh McMaster   Tue, 19 May 2020 19:40:10 +1000
+
 libexif (0.6.21-2+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
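Review bot: four of the five `- cve-...patch` bullets carry a `(Closes: #...)` reference but `cve-2020-0093.patch: Prevent read buffer overflow (CVE-2020-0093)` does not; if there is a Debian bug for it add the Closes, otherwise say in the request that it is tracked through the security tracker only, so the release team can tell the omission is deliberate.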
diff -Nru libexif-0.6.21/debian/patches/cve-2016-6328.patch 
libexif-0.6.21/debian/patches/cve-2016-6328.patch
--- libexif-0.6.21/debian/patches/cve-2016-6328.patch   1970-01-01 
10:00:00.0 +1000
+++ libexif-0.6.21/debian/patches/cve-2016-6328.patch   2020-05-19 
18:36:53.0 +1000
@@ -0,0 +1,53 @@
+Description: Fixes an integer overflow while parsing the MNOTE entry data of 
the input file (CVE-2016-6328)
+Author: Marcus Meissner 
+Bug-Debian: http://bugs.debian.org/873022
+Last-Update: 2017-07-25
+
+Index: libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c
+===
+--- libexif-0.6.21.orig/libexif/pentax/mnote-pentax-entry.c
 libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePenta
+   case EXIF_FORMAT_SHORT:
+ {
+   const unsigned char *data = entry->data;
+-  size_t k, len = strlen(val);
++  size_t k, len = strlen(val), sizeleft;
++
++  sizeleft = entry->size;
+   for(k=0; kcomponents; k++) {
++  if (sizeleft < 2)
++  break;
+   vs = exif_get_short (data, entry->order);
+   snprintf (val+len, maxlen-len, "%i ", vs);
+   len = strlen(val);
+   data += 2;
++  sizeleft -= 2;
+   }
+ }
+ break;
+   case EXIF_FORMAT_LONG:
+ {
+   const unsigned char *data = entry->data;
+-  size_t k, len = strlen(val);
++  size_t k, len = strlen(val), sizeleft;
++
++  sizeleft = entry->size;
+   for(k=0; kcomponents; k++) {
++  if (sizeleft < 4)
++  
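Review bot: the `sizeleft` guard (`if (sizeleft < 2) break;` for SHORT, `< 4` for LONG) bounds the reads by `entry->size` instead of trusting the file-supplied `entry->components`, and the `sizeleft -= 2` bookkeeping is right; what the loop loses is any signal that it stopped early, so a truncated MakerNote silently yields a shorter `val`. That is acceptable for a decoder, but the DEP-3 Description still reads `Fixes an integer overflow` whereas the change is an out-of-bounds read check against `entry->size`; reword it so the next reader does not look for an arithmetic fix. (The `kcomponents` text in the `for` lines is the listing mangling `k < entry->components`, not a defect in the patch.)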

Bug#961440: marked as done (stretch-pu: package clamav/0.102.3+dfsg-0~deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #961440,
regarding stretch-pu: package clamav/0.102.3+dfsg-0~deb9u1
to be marked as done.



-- 
961440: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961440
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

ClamAV upstream released 0.102.3 fixing two CVEs. From their news:

|ClamAV 0.102.3 is a bug patch release to address the following issues.
|
|- [CVE-2020-3327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
|  Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.2 that
|  could cause a Denial-of-Service (DoS) condition. Improper bounds checking of
|  an unsigned variable results in an out-of-bounds read which causes a crash.
|
|  Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ
|  parsing vulnerability.
|
|- [CVE-2020-3341](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3341):
|  Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that
|  could cause a Denial-of-Service (DoS) condition. Improper size checking of
|  a buffer used to initialize AES decryption routines results in an out-of-
|  bounds read which may cause a crash. Bug found by OSS-Fuzz.
|
|- Fix "Attempt to allocate 0 bytes" error when parsing some PDF documents.
|
|- Fix a couple of minor memory leaks.

The 0.102.3 version has been in unstable since the 16th and has migrated to testing.

Sebastian
diff -Nru clamav-0.102.2+dfsg/configure clamav-0.102.3+dfsg/configure
--- clamav-0.102.2+dfsg/configure	2020-02-04 15:59:26.0 +0100
+++ clamav-0.102.3+dfsg/configure	2020-05-12 03:54:49.0 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for ClamAV 0.102.2.
+# Generated by GNU Autoconf 2.69 for ClamAV 0.102.3.
 #
 # Report bugs to .
 #
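Review bot: this hunk and every one that follows in the excerpt change only the string `0.102.2` to `0.102.3` inside the Autoconf-generated `configure`; none of them is the ARJ or PDF parser change that CVE-2020-3327 and CVE-2020-3341 are about, so a reviewer cannot see the security-relevant code from this debdiff. It would help to attach the diff with generated files filtered out (for example `filterdiff --exclude=configure`) or to name the upstream commits for the two fixes so the real hunks can be checked.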
@@ -592,8 +592,8 @@
 # Identity of this package.
 PACKAGE_NAME='ClamAV'
 PACKAGE_TARNAME='clamav'
-PACKAGE_VERSION='0.102.2'
-PACKAGE_STRING='ClamAV 0.102.2'
+PACKAGE_VERSION='0.102.3'
+PACKAGE_STRING='ClamAV 0.102.3'
 PACKAGE_BUGREPORT='https://bugzilla.clamav.net/'
 PACKAGE_URL='https://www.clamav.net/'
 
@@ -1601,7 +1601,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures ClamAV 0.102.2 to adapt to many kinds of systems.
+\`configure' configures ClamAV 0.102.3 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1682,7 +1682,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
- short | recursive ) echo "Configuration of ClamAV 0.102.2:";;
+ short | recursive ) echo "Configuration of ClamAV 0.102.3:";;
esac
   cat <<\_ACEOF
   --enable-dependency-tracking
@@ -1911,7 +1911,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-ClamAV configure 0.102.2
+ClamAV configure 0.102.3
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2539,7 +2539,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by ClamAV $as_me 0.102.2, which was
+It was created by ClamAV $as_me 0.102.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4297,7 +4297,7 @@
 
 # Define the identity of the package.
  PACKAGE='clamav'
- VERSION='0.102.2'
+ VERSION='0.102.3'
 
 
 # Some tools Automake needs.
@@ -6025,7 +6025,7 @@
 $as_echo "#define PACKAGE PACKAGE_NAME" >>confdefs.h
 
 
-VERSION="0.102.2"
+VERSION="0.102.3"
 
 major=`echo $PACKAGE_VERSION |cut -d. -f1 | sed -e "s/^0-9//g"`
 minor=`echo $PACKAGE_VERSION |cut -d. -f2 | sed -e "s/^0-9//g"`
@@ -31630,7 +31630,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ClamAV $as_me 0.102.2, which was
+This file was extended by ClamAV $as_me 0.102.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES= $CONFIG_FILES
@@ -31697,7 +31697,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | s
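Both advisories quoted above come down to the same pattern: a length or size taken from the file is trusted before it is compared against the bytes actually available, and an unsigned comparison that can wrap lets an oversized value pass. The C below is an added example for this digest, not ClamAV code; the record layout (a 4-byte little-endian length followed by the payload), the sample bytes, and the names `reader_t`, `read_record`, `read_fixed`, `unsafe_record_fits` and `safe_record_fits` are all invented here. It shows why `pos + len <= size` computed in the width of the length field fails once the sum wraps, and the form of the check that cannot wrap.

```c
/* Bounds-checked reads over an untrusted byte buffer (added example; not
 * ClamAV code). Record layout, names and sample data are invented here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const uint8_t *data;
    size_t size;   /* bytes available in data[] */
    size_t pos;    /* current read offset, always <= size */
} reader_t;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The bug class: pos + len is computed in the width of the length field
 * and wraps to a small number, so an enormous len passes the test and the
 * caller reads past the end of the buffer. Kept only to show the failure. */
bool unsafe_record_fits(uint32_t pos, uint32_t len, uint32_t size)
{
    uint32_t end = pos + len;   /* wraps when pos + len >= 2^32 */
    return end <= size;
}

/* The correct form: compare len against the bytes that remain. size - pos
 * cannot underflow once pos <= size has been established, and no addition
 * on the untrusted value is performed at all. */
bool safe_record_fits(size_t pos, size_t len, size_t size)
{
    if (pos > size)
        return false;
    return len <= size - pos;
}

/* Read one length-prefixed record. Returns false, leaving the reader
 * untouched, when either the 4-byte header or the payload would run past
 * the buffer (the CVE-2020-3327 shape: a length field out of range). */
bool read_record(reader_t *r, const uint8_t **payload, uint32_t *len)
{
    if (!safe_record_fits(r->pos, 4, r->size))
        return false;
    uint32_t n = le32(r->data + r->pos);
    if (!safe_record_fits(r->pos + 4, n, r->size))   /* pos + 4 <= size here */
        return false;
    *payload = r->data + r->pos + 4;
    *len = n;
    r->pos += 4 + n;
    return true;
}

/* Copy a fixed-size field (a 16-byte key or IV, say) only when the whole
 * field is present (the CVE-2020-3341 shape: a short buffer handed to a
 * routine that expects a full-size one). */
bool read_fixed(reader_t *r, void *out, size_t n)
{
    if (!safe_record_fits(r->pos, n, r->size))
        return false;
    memcpy(out, r->data + r->pos, n);
    r->pos += n;
    return true;
}

/* Constructed sample: one valid 3-byte record followed by a record whose
 * length field claims 0xFFFFFFFF bytes. Returns how many records parse
 * before the check stops the loop; with unsafe_record_fits() the second
 * header would pass (11 + 0xFFFFFFFF wraps to 10) and be read past the end. */
int parse_sample(void)
{
    static const uint8_t sample[] = {
        0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c',
        0xff, 0xff, 0xff, 0xff, 'x'
    };
    reader_t r = { sample, sizeof sample, 0 };
    const uint8_t *payload;
    uint32_t len;
    int count = 0;
    while (read_record(&r, &payload, &len))
        count++;
    return count;   /* 1 */
}

int main(void)
{
    printf("records parsed safely: %d\n", parse_sample());
    printf("wrapping check accepts oversized length: %s\n",
           unsafe_record_fits(0x20, 0xFFFFFFF0u, 0x100) ? "yes" : "no");
    return 0;
}
```

The point of `safe_record_fits` is that the untrusted value is never an operand of an addition: subtracting the already-validated offset from the known size yields the remaining space, and the only comparison is against that.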

Bug#958953: marked as done (stretch-pu: package cups/2.2.1-8+deb9u6)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #958953,
regarding stretch-pu: package cups/2.2.1-8+deb9u6
to be marked as done.



-- 
958953: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958953
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

CVE-2020-3898 and CVE-2019-8842 got fixed in unstable and are pending for stable
(#958814), after coordinated disclosure.

I'd like to fix these in an oldstable upload too:

cups (2.2.1-8+deb9u6) stretch; urgency=medium

  * Backport upstream security fixes:
- CVE-2020-3898: heap-buffer-overflow in libcups’s ppdFindOption()
  function in ppd-mark.c
- CVE-2019-8842: The `ippReadIO` function may under-read an extension
  field

 -- Didier Raboud   Mon, 27 Apr 2020 08:50:13 +0200

Debdiff and direct patches attached.

Regards,

OdyX

-- System Information:
Debian Release: bullseye/sid
  APT prefers buildd-unstable
  APT policy: (990, 'buildd-unstable'), (500, 'unstable-debug'), (500, 
'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (100, 
'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru cups-2.2.1/debian/changelog cups-2.2.1/debian/changelog
--- cups-2.2.1/debian/changelog 2020-01-19 09:53:03.0 +0100
+++ cups-2.2.1/debian/changelog 2020-04-27 08:50:13.0 +0200
@@ -1,3 +1,13 @@
+cups (2.2.1-8+deb9u6) stretch; urgency=medium
+
+  * Backport upstream security fixes:
+- CVE-2020-3898: heap-buffer-overflow in libcups’s ppdFindOption()
+  function in ppd-mark.c
+- CVE-2019-8842: The `ippReadIO` function may under-read an extension
+  field
+
+ -- Didier Raboud   Mon, 27 Apr 2020 08:50:13 +0200
+
 cups (2.2.1-8+deb9u5) stretch; urgency=medium
 
   * Backport upstream security fix:
diff -Nru cups-2.2.1/debian/.git-dpm cups-2.2.1/debian/.git-dpm
--- cups-2.2.1/debian/.git-dpm  2020-01-19 09:53:03.0 +0100
+++ cups-2.2.1/debian/.git-dpm  2020-04-27 08:49:57.0 +0200
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-44f7d84856de97443c6785cd9ab9c6915224b7a2
-44f7d84856de97443c6785cd9ab9c6915224b7a2
+70cf04f3bfe8b7387f3c45c27cf7b48fb7959614
+70cf04f3bfe8b7387f3c45c27cf7b48fb7959614
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 a3ed22ee480a278acc27433ecbc16eaa63cf2b2e
 cups_2.2.1.orig.tar.gz
diff -Nru 
cups-2.2.1/debian/patches/0056-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
 
cups-2.2.1/debian/patches/0056-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
--- 
cups-2.2.1/debian/patches/0056-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
   1970-01-01 01:00:00.0 +0100
+++ 
cups-2.2.1/debian/patches/0056-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch
   2020-04-27 08:49:57.0 +0200
@@ -0,0 +1,56 @@
+From 8d851ace388e2f272770ec4dec361b2ae7007ea4 Mon Sep 17 00:00:00 2001
+From: Stephan Zeisberg 
+Date: Fri, 10 Apr 2020 17:14:34 +0200
+Subject: =?UTF-8?q?CVE-2020-3898=20-=20heap-buffer-overflow=20in=20libcups?=
+ =?UTF-8?q?=E2=80=99s=20ppdFindOption()=20function=20in=20ppd-mark.c?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ cups/ppd.c   |  3 +--
+ ppdc/ppdc-source.cxx | 14 --
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/cups/ppd.c b/cups/ppd.c
+index 44a22c5cb..b806b22a5 100644
+--- a/cups/ppd.c
 b/cups/ppd.c
+@@ -1737,8 +1737,7 @@ _ppdOpen(
+  constraint->choice1, constraint->option2,
+constraint->choice2))
+   {
+-case 0 : /* Error */
+-  case 1 : /* Error */
++default : /* Error */
+   pg->ppd_status = PPD_BAD_UI_CONSTRAINTS;
+   goto error;
+ 
+diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx
+index 27f5c342d..47bce26c3 100644
+--- a/ppdc/ppdc-source.cxx
 b/ppdc/ppdc-source.cxx
+@@ -1746,15 +1746,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to 
read
+ 
+   sw
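Review bot: the DEP-3 header of 0056-CVE-2020-3898-heap-buffer-overflow-in-libcups-s-ppdF.patch carries no description (the bare `+` and `+---` lines after the MIME headers), and the one functional change visible here, in `_ppdOpen`, is the collapse of `case 0 :` / `case 1 :` into `default :`, which now routes every return value not matched by another label to `PPD_BAD_UI_CONSTRAINTS` and the error path. Since the `ppdc-source.cxx` part is cut off in this excerpt, a sentence saying which input slipped past the two explicit cases, plus an `Origin:` line pointing at upstream commit 8d851ace388e2f272770ec4dec361b2ae7007ea4 and a `Bug-Debian:` reference, would make the patch self-explaining when it is refreshed.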

Bug#956805: marked as done (stretch-pu: package megatools/1.9.98-1+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #956805,
regarding stretch-pu: package megatools/1.9.98-1+deb9u1
to be marked as done.



-- 
956805: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956805
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

megatools can be used (among other things) to download files from the
Mega cloud storage service.

Files can be downloaded using a link that contains a file handle and
an encryption key.

The format of these links has changed recently and megatools 1.9.98
doesn't recognize them.

This upload includes a simple patch (already committed upstream) to
add support for these new links.

Debdiff attached.

Berto

P.S: a similar upload is proposed for buster (#956801).

-- System Information:
Debian Release: 10.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), 
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru megatools-1.9.98/debian/changelog megatools-1.9.98/debian/changelog
--- megatools-1.9.98/debian/changelog   2016-11-03 15:02:16.0 +0100
+++ megatools-1.9.98/debian/changelog   2020-04-15 14:28:54.0 +0200
@@ -1,3 +1,10 @@
+megatools (1.9.98-1+deb9u1) stretch; urgency=medium
+
+  * debian/patches/support-new-links.patch:
+- Add support for the new format of mega.nz links.
+
+ -- Alberto Garcia   Wed, 15 Apr 2020 14:28:54 +0200
+
 megatools (1.9.98-1) unstable; urgency=medium
 
   * New upstream release (Closes: #828434, #838651).
diff -Nru megatools-1.9.98/debian/patches/series 
megatools-1.9.98/debian/patches/series
--- megatools-1.9.98/debian/patches/series  2016-11-03 15:02:16.0 
+0100
+++ megatools-1.9.98/debian/patches/series  2020-04-15 14:28:54.0 
+0200
@@ -1 +1,2 @@
 make-verbose.patch
+support-new-links.patch
diff -Nru megatools-1.9.98/debian/patches/support-new-links.patch 
megatools-1.9.98/debian/patches/support-new-links.patch
--- megatools-1.9.98/debian/patches/support-new-links.patch 1970-01-01 
01:00:00.0 +0100
+++ megatools-1.9.98/debian/patches/support-new-links.patch 2020-04-15 
14:28:54.0 +0200
@@ -0,0 +1,49 @@
+From: Alberto Garcia 
+Subject: Support new format of mega.nz links
+Origin: 
https://megous.com/git/megatools/commit/?id=5d04a6203a231e8a3ea19bd1f203faee88e4b3a9
+Index: megatools/tools/dl.c
+===
+--- megatools.orig/tools/dl.c
 megatools/tools/dl.c
+@@ -145,6 +145,7 @@ int main(int ac, char* av[])
+ {
+   gc_error_free GError *local_err = NULL;
+   gc_regex_unref GRegex *file_regex = NULL, *folder_regex = NULL;
++  gc_regex_unref GRegex *file_regex2 = NULL, *folder_regex2 = NULL;;
+   gint i;
+   int status = 0;
+ 
+@@ -179,9 +180,15 @@ int main(int ac, char* av[])
+   file_regex = 
g_regex_new("^https?://mega(?:\\.co)?\\.nz/#!([a-z0-9_-]{8})!([a-z0-9_-]{43})$",
 G_REGEX_CASELESS, 0, NULL);
+   g_assert(file_regex != NULL);
+ 
++  file_regex2 = 
g_regex_new("^https?://mega\\.nz/file/([a-z0-9_-]{8})#([a-z0-9_-]{43})$", 
G_REGEX_CASELESS, 0, NULL);
++  g_assert(file_regex2 != NULL);
++
+   folder_regex = 
g_regex_new("^https?://mega(?:\\.co)?\\.nz/#F!([a-z0-9_-]{8})!([a-z0-9_-]{22})$",
 G_REGEX_CASELESS, 0, NULL);
+   g_assert(folder_regex != NULL);
+ 
++  folder_regex2 = 
g_regex_new("^https?://mega\\.nz/folder/([a-z0-9_-]{8})#([a-z0-9_-]{22})$", 
G_REGEX_CASELESS, 0, NULL);
++  g_assert(folder_regex2 != NULL);
++
+   // create session
+ 
+   s = tool_start_session(0);
+@@ -197,7 +204,7 @@ int main(int ac, char* av[])
+ gc_free gchar* handle = NULL;
+ gc_free gchar* link = tool_convert_filename(av[i], FALSE);
+ 
+-if (g_regex_match(file_regex, link, 0, &m1))
++if (g_regex_match(file_regex, link, 0, &m1) || g_regex_match(file_regex2, 
link, 0, &m1))
+ {
+   handle = g_match_info_fetch(m1, 1);
+   key = g_match_info_fetch(m1, 2);
+@@ -219,7 +226,7 @@ int main(int ac, char* av[])
+   g_print("%s\n", cur_file);
+   }
+ }
+-else if (g_regex_match(folder_regex, link, 0, &m2))
++   
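Review bot: the `||` in `g_regex_match(file_regex, link, 0, &m1) || g_regex_match(file_regex2, link, 0, &m1)` reuses `&m1` for both tries; `g_regex_match()` stores a `GMatchInfo` in `*match_info` even when the pattern does not match, so when `file_regex` fails the second call overwrites `m1` and the first `GMatchInfo` is never unreferenced (a small per-link leak). Unref `m1` between the two attempts or give the second pattern its own variable. Two style points for the next refresh: the declaration `*folder_regex2 = NULL;;` ends in a doubled semicolon, and the new patterns intentionally drop the `(?:\.co)?` alternative, which is fine since the new `/file/` and `/folder/` links only exist on mega.nz, but worth a word in the patch description.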

Bug#958850: marked as done (stretch-pu: package gosa/2.7.4+reloaded2-13+deb9u3)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #958850,
regarding stretch-pu: package gosa/2.7.4+reloaded2-13+deb9u3
to be marked as done.



-- 
958850: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958850
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

This is a follow-up to #927433 (about +deb9u2).

+  * debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_
+encode+json_decode.patch:
++ Replace (un)serialize with json_encode/json_decode to mitigate PHP object
+  injection (CVE-2019-14466).

Since I last uploaded the stretch-pu of gosa, one more CVE issue has become
known and has already been addressed in the Git branch.

I will follow up with a +deb9u3 upload on top of the +deb9u2 upload. Luckily,
this one is not as massive as the +deb9u2 one.

Greets,
Mike


-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru gosa-2.7.4+reloaded2/debian/changelog 
gosa-2.7.4+reloaded2/debian/changelog
--- gosa-2.7.4+reloaded2/debian/changelog   2019-04-19 19:03:52.0 
+0200
+++ gosa-2.7.4+reloaded2/debian/changelog   2020-04-25 21:51:15.0 
+0200
@@ -1,3 +1,12 @@
+gosa (2.7.4+reloaded2-13+deb9u3) stretch; urgency=medium
+
+  * debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_
+encode+json_decode.patch:
++ Replace (un)serialize with json_encode/json_decode to mitigate PHP object
+  injection (CVE-2019-14466).
+
+ -- Mike Gabriel   Sat, 25 Apr 2020 21:51:15 +0200
+
 gosa (2.7.4+reloaded2-13+deb9u2) stretch; urgency=medium
 
   [ Mike Gabriel ]
diff -Nru 
gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch
 
gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch
--- 
gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch
1970-01-01 01:00:00.0 +0100
+++ 
gosa-2.7.4+reloaded2/debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch
2020-04-25 21:50:26.0 +0200
@@ -0,0 +1,47 @@
+From e1504e9765db2adde8b4685b5c93fbba57df868b Mon Sep 17 00:00:00 2001
+From: Fabian Henneke 
+Date: Mon, 29 Jul 2019 15:54:29 +0200
+Subject: [PATCH] Replace (un)serialize with json_encode/json_decode
+
+---
+ gosa-core/html/index.php | 4 ++--
+ gosa-core/html/main.php  | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/gosa-core/html/index.php
 b/gosa-core/html/index.php
+@@ -338,9 +338,9 @@
+ if(isset($_COOKIE['GOsa_Filter_Settings']) || 
isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])) {
+ 
+ if(isset($_COOKIE['GOsa_Filter_Settings'])) {
+-$cookie_all = 
unserialize(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++$cookie_all = 
json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
+ }else{
+-$cookie_all = 
unserialize(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++$cookie_all = 
json_decode(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
+ }
+ if(isset($cookie_all[$ui->dn])) {
+ $cookie = $cookie_all[$ui->dn];
+--- a/gosa-core/html/main.php
 b/gosa-core/html/main.php
+@@ -480,9 +480,9 @@
+ $cookie = array();
+ 
+ if(isset($_COOKIE['GOsa_Filter_Settings'])){
+-  $cookie = unserialize(base64_decode($_COOKIE['GOsa_Filter_Settings']));
++  $cookie = json_decode(base64_decode($_COOKIE['GOsa_Filter_Settings']));
+ }elseif(isset($HTTP_COOKIE_VARS['GOsa_Filter_Settings'])){
+-  $cookie = 
unserialize(base64_decode($HTTP_COOKIE_VARS['GOsa_Filter_Settings']));
++  $cookie = 
json_decode(base64_decode($HTTP_COOKIE_VAR
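Review bot: all four `json_decode()` calls are made without `$assoc = true`, so they return `stdClass` objects where `unserialize()` returned arrays; the unchanged `isset($cookie_all[$ui->dn])` and `$cookie = $cookie_all[$ui->dn];` context lines at the end of the index.php hunk use array syntax, which does not work on a plain object, so the saved filter settings would silently stop being restored. Suggest `json_decode(base64_decode(...), true)` in both files. The write side (`json_encode` replacing `serialize` where `GOsa_Filter_Settings` is set) is not in the visible part of the diff and has to land in the same upload, otherwise cookies written by the old code decode to `null`. The substitution itself is the right mitigation for CVE-2019-14466: a JSON cookie can only yield scalars, arrays and `stdClass` instances, never an instance of an arbitrary application class.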

Bug#958995: marked as done (stretch-pu: package tzdata/2020a-0+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #958995,
regarding stretch-pu: package tzdata/2020a-0+deb9u1
to be marked as done.



-- 
958995: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958995
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear oldstable release team,

The world is improving and for once we don't need to go through
oldstable-updates to distribute the new version in tzdata. The changes
in version 2020a-0+deb9u1 are the following:
 - Morocco springs forward on 2020-05-31, not 2020-05-24.
 - Canada's Yukon advanced to -07 year-round on 2020-03-08.

Despite the Yukon change happening on 2020-03-08 for the time zone
change, the impact on the actual time will happen on 2020-11-01.

I have just uploaded this new version to oldstable-new.

Regards,
Aurelien

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.5.0-1-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#961922: marked as done (stretch-pu: package php-horde-gollem/3.0.10-1+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #961922,
regarding stretch-pu: package php-horde-gollem/3.0.10-1+deb9u1
to be marked as done.



-- 
961922: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961922
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I just uploaded an update for php-horde-gollem to stretch, fixing
CVE-2020-8034.

+  * debian/patches:
++ Add CVE-2020-8034.patch. Fix XSS vulnerability in breadcrumb output
+  (Reported by: polict of Shielder). (Closes: #961649, CVE-2020-8034).

Greets,
Mike

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru php-horde-gollem-3.0.10/debian/changelog 
php-horde-gollem-3.0.10/debian/changelog
--- php-horde-gollem-3.0.10/debian/changelog2016-12-18 21:55:24.0 
+0100
+++ php-horde-gollem-3.0.10/debian/changelog2020-05-31 16:43:57.0 
+0200
@@ -1,3 +1,11 @@
+php-horde-gollem (3.0.10-1+deb9u1) stretch; urgency=medium
+
+  * debian/patches:
++ Add CVE-2020-8034.patch. Fix XSS vulnerability in breadcrumb output
+  (Reported by: polict of Shielder). (Closes: #961649, CVE-2020-8034).
+
+ -- Mike Gabriel   Sun, 31 May 2020 16:43:57 +0200
+
 php-horde-gollem (3.0.10-1) unstable; urgency=medium
 
   * New upstream version 3.0.10
diff -Nru php-horde-gollem-3.0.10/debian/patches/CVE-2020-8034.patch 
php-horde-gollem-3.0.10/debian/patches/CVE-2020-8034.patch
--- php-horde-gollem-3.0.10/debian/patches/CVE-2020-8034.patch  1970-01-01 
01:00:00.0 +0100
+++ php-horde-gollem-3.0.10/debian/patches/CVE-2020-8034.patch  2020-05-31 
16:43:57.0 +0200
@@ -0,0 +1,44 @@
+From a73bef1aef27d4cbfc7b939c2a81dea69aabb083 Mon Sep 17 00:00:00 2001
+From: Jan Schneider 
+Date: Wed, 4 Mar 2020 18:54:06 +0100
+Subject: [PATCH] [jan] SECURITY: Fix XSS vulnerability in breadcrumb output
+ (Reported by: polict of Shielder, CVE-2020-8034).
+
+---
+ doc/changelog.yml | 3 ++-
+ lib/Gollem.php| 5 +++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+#diff --git a/doc/changelog.yml b/doc/changelog.yml
+#index dbad6ef..3e429bd 100644
+#--- a/doc/changelog.yml
+#+++ b/doc/changelog.yml
+#@@ -18,7 +18,8 @@
+#   license:
+# identifier: GPL-2.0
+# uri: http://www.horde.org/licenses/gpl
+#-  notes:
+#+  notes: |
+#+[jan] SECURITY: Fix XSS vulnerability in breadcrumb output (Reported by: 
polict of Shielder, CVE-2020-8034).
+# 3.0.12:
+#   api: 3.0.0
+#   state:
+diff --git a/gollem-3.0.10/lib/Gollem.php b/gollem-3.0.10/lib/Gollem.php
+index 9a4a7cd..ec255e7 100644
+--- a/gollem-3.0.10/lib/Gollem.php
 b/gollem-3.0.10/lib/Gollem.php
+@@ -692,10 +692,11 @@ public static function directoryNavLink($currdir, $url)
+ $dir = implode('/', $part);
+ if ((strstr($dir, self::$backend['root']) !== false) &&
+ (self::$backend['root'] != $dir)) {
++$part = htmlspecialchars($parts[($i - 1)]);
+ if ($i == $parts_count) {
+-$label[] = $parts[($i - 1)];
++$label[] = $part;
+ } else {
+-$label[] = Horde::link($url->add('dir', $dir), 
sprintf(_("Up to %s"), $dir)) . htmlspecialchars($parts[($i - 1)]) . '';
++$label[] = Horde::link($url->add('dir', $dir), 
sprintf(_("Up to %s"), $dir)) . $part . '';
+ }
+ }
+ }
+
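Review bot: the new `$part = htmlspecialchars($parts[($i - 1)]);` reuses the name of the array passed to `implode('/', $part)` three context lines above; if `$part` is not rebuilt at the top of each loop iteration, the next `implode()` receives a string. Please confirm, or rename the new variable. The fix itself is correct as far as the hunk shows: the `$i == $parts_count` branch was the one place emitting `$parts[$i - 1]` unescaped into the breadcrumb, and both branches now use the escaped `$part`. One documentation point: the `doc/changelog.yml` section of the upstream commit is carried as `#`-commented lines while the stat block above it still says `2 files changed, 5 insertions(+), 3 deletions(-)`; dropping changelog.yml from the stat block, or a note on why that part is disabled, would avoid confusing the next reader of the patch.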
diff -Nru php-horde-gollem-3.0.10/debian/patches/series 
php-horde-gollem-3.0.10/debian/patches/series
--- php-horde-gollem-3.0.10/debian/patches/series   1970-01-01 
01:00:00.0 +0100
+++ php-horde-gollem-3.0.10/debian/patches/series   2020-05-31 
16:40:31.0 +0200
@@ -0,0 +1 @@
+CVE-2020-8034.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version

Bug#963942: marked as done (stretch-pu: package nvidia-graphics-drivers/390.138-1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #963942,
regarding stretch-pu: package nvidia-graphics-drivers/390.138-1
to be marked as done.



-- 
963942: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963942
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This is a new upstream release fixing CVE-2020-5963 and CVE-2020-5967.
The packaging changes are minimal this time ;-) (renamed lintian tags,
removed/refreshed patches and a new trivial patch for Linux 5.7).
The upload is comparable to the nvidia-graphics-drivers-legacy-390xx
390.138-1 upload to sid a few minutes ago.

Andreas


ngd-390.138-1.diff.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#962068: marked as done (stretch-pu: package dbus/1.10.30-0+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #962068,
regarding stretch-pu: package dbus/1.10.30-0+deb9u1
to be marked as done.



-- 
962068: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962068
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

dbus 1.10.30 fixes a local denial of service vulnerability for which
the Security Team have indicated they do not intend to issue a DSA
(the same one as 1.12.18).

If possible I would like to continue to fix dbus issues in stretch via
new upstream releases; this one only contains the CVE fix, plus its
regression test and the usual Autotools noise.

Proposed diff (modulo `dch -r`) attached, filtered through:

git diff --stat -p origin/debian/stretch.. | \
filterdiff -p1 \
--exclude=Makefile.in --exclude='**/Makefile.in' \
--exclude=aclocal.m4 \
--exclude=aminclude_static.am \
--exclude=build-aux/compile \
--exclude=build-aux/depcomp \
--exclude=build-aux/install-sh \
--exclude=build-aux/ltmain.sh \
--exclude=build-aux/missing \
--exclude=build-aux/tap-driver.sh \
--exclude=configure \
--exclude=m4/libtool.m4

Thanks,
smcv
 Makefile.in| 39 --
 NEWS   | 33 +
 aclocal.m4 | 52 --
 build-aux/compile  |  6 +++---
 build-aux/depcomp  |  2 +-
 build-aux/install-sh   | 13 +++-
 build-aux/ltmain.sh| 10 +
 build-aux/missing  |  2 +-
 build-aux/tap-driver.sh|  2 +-
 bus/Makefile.in|  4 ++--
 bus/connection.c   |  7 ---
 configure  | 36 +---
 configure.ac   |  4 ++--
 dbus/Makefile.in   |  4 ++--
 dbus/dbus-sysdeps-unix.c   | 32 +---
 debian/changelog   |  8 +++
 doc/Makefile.in|  4 ++--
 m4/libtool.m4  |  6 +++---
 test/Makefile.in   |  4 ++--
 test/fdpass.c  | 14 +
 test/name-test/Makefile.in |  4 ++--
 tools/Makefile.in  |  4 ++--
 22 files changed, 189 insertions(+), 101 deletions(-)

diff --git a/NEWS b/NEWS
index 46652396..9b33a786 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,36 @@
+dbus 1.10.x end-of-life plans
+==
+
+The dbus 1.10.x branch was originally released in 2015. It currently
+receives security-fix releases whenever necessary, but it is planned to
+reach end-of-life status at the end of Debian 9's official security
+support (approximately July 2020). If you are a dbus downstream
+maintainer in a long-lived OS distribution and you want to use the
+upstream dbus-1.10 git branch as a place to share backported security
+fixes with other distributions, please contact the dbus maintainers via
+the dbus-security mailing list on lists.freedesktop.org.
+
+dbus 1.10.30 (2020-06-02)
+==
+
+The “centaur bus” release.
+
+Denial of service fixes:
+
+• CVE-2020-12049: If a message contains more file descriptors than can
+  be sent, close those that did get through before reporting error.
+  Previously, a local attacker could cause the system dbus-daemon (or
+  another system service with its own DBusServer) to run out of file
+  descriptors, by repeatedly connecting to the server and sending fds that
+  would get leaked.
+  Thanks to Kevin Backhouse of GitHub Security Lab.
+  (dbus#294, GHSL-2020-057; Simon McVittie)
+
+Other fixes:
+
+• Fix a crash when the dbus-daemon is terminated while one or more
+  monitors are active (dbus#291, dbus!140; Simon McVittie)
+
 dbus 1.10.28 (2019-06-11)
 ==
 
diff --git a/bus/connection.c b/bus/connection.c
index 31ed6be7..05daa6a4 100644
--- a/bus/connection.c
+++ b/bus/connection.c
@@ -540,9 +540,6 @@ bus_connections_unref (BusConnections *connections)
 
   _dbus_assert (connections->n_incomplete == 0);
 
-  /* drop all monitors */
-  _dbus_list_clear (&connections->monitors);
-
   /* drop all real connections */
   while (connections->completed != NULL)
 {
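Review bot: the reason for dropping the unconditional `_dbus_list_clear (&connections->monitors)` from `bus_connections_unref` is given only as a comment in the following hunk (each monitor link is removed in `bus_connection_disconnected` when the connections are torn down); the NEWS line "Fix a crash when the dbus-daemon is terminated while one or more monitors are active" says what was crashing but not why clearing the list early was wrong. A sentence in debian/changelog or the patch description to that effect would help the next person who sees the monitors list left alone in the teardown path.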
@@ -558,6 +555,10 @@ bus_connections_unref (BusConnections *connections)
 
   _dbus_assert (connections->n_completed == 0);
 
+  /* disconnecting all the connections should have emptied the list of
+   * monitors (each link is removed in bus_connection_disconnected) */
+
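The CVE-2020-12049 fix described in the NEWS hunk is a resource-lifecycle rule: once `recvmsg()` has returned, every SCM_RIGHTS descriptor attached to the message is already installed in the receiver's fd table whether or not the receiver wanted it, so rejecting the message without closing them is the leak that lets a repeating client exhaust the daemon's descriptors. The C below is an added example written for this digest, not dbus code; the socket-pair setup, the per-message cap of four descriptors, the constructed six-pipe-end client message and the names `send_fds`, `recv_fds`, `count_open_fds` and `leaked_fds` are all invented here. `leaked_fds(0)` reproduces the pre-fix behaviour and `leaked_fds(1)` the corrected one, measured as the change in the process's open-descriptor count.

```c
/* Closing received SCM_RIGHTS descriptors on the error path (added
 * example; not dbus code). Names, limits and the scenario are invented. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#ifndef MSG_CMSG_CLOEXEC
#define MSG_CMSG_CLOEXEC 0   /* Linux flag; harmless to omit elsewhere */
#endif

#define MAX_FDS_IN_FLIGHT 16   /* what the control buffers below can carry */
#define FD_SCAN_RANGE     1024 /* descriptor numbers checked by count_open_fds() */

/* Number of open descriptors in [0, FD_SCAN_RANGE): a cheap leak detector. */
int count_open_fds(void)
{
    int n = 0;
    for (int fd = 0; fd < FD_SCAN_RANGE; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Client side: send one data byte with n_fds descriptors attached. */
int send_fds(int sock, const int *fds, int n_fds)
{
    char byte = 'x';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int) * MAX_FDS_IN_FLIGHT)];
    struct msghdr msg;

    if (n_fds < 1 || n_fds > MAX_FDS_IN_FLIGHT)
        return -1;
    memset(cbuf, 0, sizeof cbuf);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = CMSG_SPACE(sizeof(int) * n_fds);
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int) * n_fds);
    memcpy(CMSG_DATA(cm), fds, sizeof(int) * n_fds);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Server side: receive the descriptors attached to one message into
 * out[0..max_fds). The kernel has already installed every attached fd in
 * our table, so when the sender attached more than we accept, all of them
 * must be closed before the error is reported. close_on_overflow == 0
 * reproduces the pre-fix behaviour: -1 is returned and the descriptors
 * stay open, costing the receiver n fds per oversized message. */
int recv_fds(int sock, int *out, int max_fds, int close_on_overflow)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int) * MAX_FDS_IN_FLIGHT)];
    struct msghdr msg;
    int received[MAX_FDS_IN_FLIGHT];
    int n = 0;

    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) != 1)
        return -1;

    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
            continue;
        int count = (int)((cm->cmsg_len - CMSG_LEN(0)) / sizeof(int));
        int take = count < MAX_FDS_IN_FLIGHT - n ? count : MAX_FDS_IN_FLIGHT - n;
        memcpy(received + n, CMSG_DATA(cm), sizeof(int) * take);
        n += take;
    }

    if (n > max_fds) {
        if (close_on_overflow)
            for (int i = 0; i < n; i++)
                close(received[i]);      /* the fix: nothing survives the reject */
        errno = EMSGSIZE;
        return -1;
    }
    memcpy(out, received, sizeof(int) * n);
    return n;
}

/* Constructed scenario: a client sends six pipe ends to a server that accepts
 * at most four per message. Returns how many descriptors the process holds
 * beyond its baseline afterwards: 6 without the fix, 0 with it. */
int leaked_fds(int close_on_overflow)
{
    int sv[2], pipes[6], got[4];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int before = count_open_fds();           /* baseline includes sv[] */
    for (int i = 0; i < 3; i++)
        if (pipe(pipes + 2 * i) != 0)
            return -1;
    if (send_fds(sv[0], pipes, 6) != 0)
        return -1;
    for (int i = 0; i < 6; i++)              /* client drops its copies */
        close(pipes[i]);
    int rc = recv_fds(sv[1], got, 4, close_on_overflow);
    for (int i = 0; i < rc; i++)             /* accepted fds are ours to close */
        close(got[i]);
    int after = count_open_fds();
    close(sv[0]);
    close(sv[1]);
    return after - before;
}

int main(void)
{
    printf("descriptors leaked without cleanup: %d\n", leaked_fds(0));
    printf("descriptors leaked with cleanup:    %d\n", leaked_fds(1));
    return 0;
}
```

The detection side of this is the same measurement `leaked_fds` performs: a service that accepts descriptors from unprivileged peers should have its open-fd count (for example `ls /proc/PID/fd | wc -l`) stay flat across rejected messages, and a monotonically growing count under rejected traffic is the symptom of exactly this bug class.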

Bug#961937: marked as done (stretch-pu: package ssvnc/1.0.29-3+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #961937,
regarding stretch-pu: package ssvnc/1.0.29-3+deb9u1
to be marked as done.



-- 
961937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961937
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I just uploaded this ssvnc update to Debian stretch:

+  * Non-maintainer upload by the LTS team.

@Magnus: Thanks for fixing ssvnc in testing/unstable regarding the CVE issues
below. I saw that those issues hadn't been covered in stretch+buster, so I was
so brisk and dput fixes straight away.

+  * Porting of libvncclient security patches (Closes: #945827):
+- CVE-2018-20020: heap out-of-bound write vulnerability inside structure
+  in VNC client code.
+- CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+- CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+- CVE-2018-20024: null pointer dereference that can result DoS.

@release team: The upload fixes the not-so-critical CVEs given above.

Thanks+Greets,
Mike

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru ssvnc-1.0.29/debian/changelog ssvnc-1.0.29/debian/changelog
--- ssvnc-1.0.29/debian/changelog   2016-07-30 23:10:11.0 +0200
+++ ssvnc-1.0.29/debian/changelog   2020-05-31 20:59:43.0 +0200
@@ -1,3 +1,15 @@
+ssvnc (1.0.29-3+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload by the LTS team.
+  * Porting of libvncclient security patches (Closes: #945827):
+- CVE-2018-20020: heap out-of-bound write vulnerability inside structure
+  in VNC client code.
+- CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
+- CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
+- CVE-2018-20024: null pointer dereference that can result DoS.
+
+ -- Mike Gabriel   Sun, 31 May 2020 20:59:43 +0200
+
 ssvnc (1.0.29-3) unstable; urgency=low
 
   * debian/rules: Add call to dh_strip_nondeterminism.
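Review bot: wording in the CVE-2018-20024 bullet: "null pointer dereference that can result DoS" should read "can result in a DoS" (the same phrase is repeated in the mail body above). Otherwise the entry correctly ties all four CVEs to #945827 and marks the upload as an LTS NMU.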
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch 
ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch   
1970-01-01 01:00:00.0 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20020.patch   
2019-12-16 19:37:52.0 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20020
+ heap out-of-bound write vulnerability inside structure in VNC client code that
+ can result remote code execution
+---
+
+Author: Abhijith PA 
+Origin: 
https://github.com/LibVNC/libvncserver/commit/7b1ef0ffc4815cab9a96c7278394152bdc89dc4d
+Bug: https://github.com/LibVNC/libvncserver/issues/250
+Bug-Debian: https://bugs.debian.org/916941
+Last-Update: 2018-12-23
+
+--- a/vnc_unixsrc/vncviewer/corre.c
 b/vnc_unixsrc/vncviewer/corre.c
+@@ -76,7 +76,7 @@
+ FillRectangle(rx, ry, rw, rh, gcv.foreground);
+ #endif
+ 
+-if (!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8
++if (hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8)) || 
!ReadFromRFBServer(buffer, hdr.nSubrects * (4 + (BPP / 8
+   return False;
+ 
+ ptr = (CARD8 *)buffer;
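Review bot: the guard `hdr.nSubrects > BUFFER_SIZE / (4 + (BPP / 8))` runs before `ReadFromRFBServer` and rejects any server-supplied subrect count whose encoded size would exceed the fixed `buffer`, which is the right shape for this fix; dividing `BUFFER_SIZE` rather than multiplying `hdr.nSubrects` also keeps the comparison itself from overflowing. Two things to verify before accepting: the quoted hunk lines end at `(BPP / 8` with no closing parentheses, so confirm the patch file in the package is intact and applies cleanly (this may only be mail wrapping), and the Description wording "can result remote code execution" should read "can result in remote code execution".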
diff -Nru ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch 
ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch
--- ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch   
1970-01-01 01:00:00.0 +0100
+++ ssvnc-1.0.29/debian/patches/libvncclient_CVE-2018-20021.patch   
2019-12-16 19:37:52.0 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2018-20021
+ CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows
+ attacker to consume excessive amount of resources like CPU and RAM
+---
+
+Author: Abhijith PA 
+Origin: 
https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38

Bug#963614: marked as done (stretch-pu: package nfs-utils/1:1.3.4-2.1+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #963614,
regarding stretch-pu: package nfs-utils/1:1.3.4-2.1+deb9u1
to be marked as done.

963614: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963614
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi Stable release managers,

This is similar to #963595 for buster.

nfs-utils in stretch is affected by CVE-2019-3689, cf. #940848. The fix
has now been exposed for a while in unstable and I would like to fix the
issue as well in stretch. I have picked those changes and adjusted the
version in the postinst accordingly.

Additionally I added the change to the Vcs fields in debian/control
but I can revert that if you don't want me to do it.

Attached is the debdiff, is this okay to have included in the next
stretch point release?

Regards,
Salvatore
diff -Nru nfs-utils-1.3.4/debian/changelog nfs-utils-1.3.4/debian/changelog
--- nfs-utils-1.3.4/debian/changelog2017-03-20 16:07:55.0 +0100
+++ nfs-utils-1.3.4/debian/changelog2020-06-24 10:20:47.0 +0200
@@ -1,3 +1,13 @@
+nfs-utils (1:1.3.4-2.1+deb9u1) stretch; urgency=medium
+
+  * statd: take user-id from /var/lib/nfs/sm (CVE-2019-3689) (Closes: #940848)
+  * Don't make /var/lib/nfs owned by statd.
+Only sm and sm.bak need to be accessible by statd or sm-notify after
+they drop privileges.
+  * debian/control: Point Vcs URLs to kernel-team namespace repository
+
+ -- Salvatore Bonaccorso   Wed, 24 Jun 2020 10:20:47 +0200
+
 nfs-utils (1:1.3.4-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru nfs-utils-1.3.4/debian/control nfs-utils-1.3.4/debian/control
--- nfs-utils-1.3.4/debian/control  2016-12-15 14:30:00.0 +0100
+++ nfs-utils-1.3.4/debian/control  2020-06-24 10:20:24.0 +0200
@@ -6,8 +6,8 @@
 Build-Depends: debhelper (>= 7), libwrap0-dev, libevent-dev, libnfsidmap-dev 
(>= 0.24), libkrb5-dev, libblkid-dev, libkeyutils-dev, pkg-config, 
libldap2-dev, libcap-dev, libtirpc-dev (>= 0.2.4-2~), libdevmapper-dev, 
dh-autoreconf, libmount-dev, libsqlite3-dev, dh-systemd
 Standards-Version: 3.9.8
 Homepage: http://linux-nfs.org/
-Vcs-Git: git://anonscm.debian.org/collab-maint/nfs-utils.git
-Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/nfs-utils.git
+Vcs-Git: https://salsa.debian.org/kernel-team/nfs-utils.git
+Vcs-Browser: https://salsa.debian.org/kernel-team/nfs-utils
 
 Package: nfs-kernel-server
 Priority: optional
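Review bot: the Vcs-Git/Vcs-Browser switch to salsa.debian.org is metadata unrelated to CVE-2019-3689; it is harmless and is declared in the changelog, but a stable update is easier to audit when limited to the security change, so dropping it as offered in the mail would be the cleaner choice.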
diff -Nru nfs-utils-1.3.4/debian/nfs-common.postinst 
nfs-utils-1.3.4/debian/nfs-common.postinst
--- nfs-utils-1.3.4/debian/nfs-common.postinst  2016-12-15 14:30:00.0 
+0100
+++ nfs-utils-1.3.4/debian/nfs-common.postinst  2020-06-24 10:19:58.0 
+0200
@@ -21,9 +21,14 @@
 fi
 fi
 
+# Don't make /var/lib/nfs owned by statd. Only sm and sm.bak need to be
+# accessible by statd or sm-notify after they drop privileges.
+# https://bugs.debian.org/940848 (CVE-2019-3689)
+if dpkg --compare-versions "$2" lt 1:1.3.4-2.1+deb9u1; then
+chown root:root /var/lib/nfs
+fi
 chown statd: /var/lib/nfs/sm \
-/var/lib/nfs/sm.bak \
-/var/lib/nfs
+/var/lib/nfs/sm.bak
 if [ -f /var/lib/nfs/state ]; then
 chown statd /var/lib/nfs/state
 fi
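Review bot: the ownership narrowing is the actual mitigation here: `/var/lib/nfs` returns to root:root and only `sm`, `sm.bak` (and `state`, unchanged below) stay statd-owned, so a statd or sm-notify process that has dropped privileges can no longer rename or replace other files in that directory. Two details to check: `$2` is empty on a fresh install, so confirm how `dpkg --compare-versions "" lt ...` behaves there (the chown is idempotent, so running it on first install is harmless either way); and because it is idempotent, guarding it on the old version means a directory later re-chowned by an administrator is not corrected on reinstall, so consider running the `chown root:root /var/lib/nfs` unconditionally.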
diff -Nru nfs-utils-1.3.4/debian/patches/series 
nfs-utils-1.3.4/debian/patches/series
--- nfs-utils-1.3.4/debian/patches/series   2016-12-17 11:47:35.0 
+0100
+++ nfs-utils-1.3.4/debian/patches/series   2020-06-24 10:18:19.0 
+0200
@@ -10,3 +10,4 @@
 unbreak-gssd-rpc_pipefs-run.patch
 28-nfs-utils_env-location.patch
 29-start-statd-fd-9.patch
+statd-take-user-id-from-var-lib-nfs-sm.patch
diff -Nru 
nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch 
nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch
--- nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch 
1970-01-01 01:00:00.0 +0100
+++ nfs-utils-1.3.4/debian/patches/statd-take-user-id-from-var-lib-nfs-sm.patch 
2020-06-24 10:17:56.0 +0200
@@ -0,0 +1,102 @@
+From: NeilBrown 
+Date: Mon, 14 Oct 2019 14:12:49 -0400
+Subject: statd: take user-id from /var/lib/nfs/sm
+Origin: 
https://git.linux-nfs.org/?p=steve

Bug#962256: marked as done (stretch-pu: package ruby-json/2.0.1+dfsg-3+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #962256,
regarding stretch-pu: package ruby-json/2.0.1+dfsg-3+deb9u1
to be marked as done.

962256: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962256
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
X-Debbugs-CC: debian-r...@lists.debian.org
Severity: normal

Hello,

ruby-json was affected by CVE-2020-10663, which was an unsafe object
creation vulnerability.
This has been fixed in Sid, Bullseye, and Jessie already.

Here's the debdiff for stretch-pu:
8<--8<--8<--8<--8<--8<--8<--8<--8<--8<

diff -Nru ruby-json-2.0.1+dfsg/debian/changelog
ruby-json-2.0.1+dfsg/debian/changelog
--- ruby-json-2.0.1+dfsg/debian/changelog2016-12-06 05:03:24.0 +0530
+++ ruby-json-2.0.1+dfsg/debian/changelog2020-06-05 12:33:14.0 +0530
@@ -1,3 +1,10 @@
+ruby-json (2.0.1+dfsg-3+deb9u1) stretch; urgency=high
+
+  * Add patch to fix unsafe object creation vulnerability.
+(Fixes: CVE-2020-10663
+
+ -- Utkarsh Gupta   Fri, 05 Jun 2020 12:33:14 +0530
+
 ruby-json (2.0.1+dfsg-3) unstable; urgency=medium

   * Add Conflicts: ruby-json-pure (Closes: #847141)
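Review bot: the changelog line `(Fixes: CVE-2020-10663` is missing its closing parenthesis; trivial, but worth fixing before the upload since the entry is what the security tracker and users will read.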
diff -Nru ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch
ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch
--- ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch
1970-01-01 05:30:00.0 +0530
+++ ruby-json-2.0.1+dfsg/debian/patches/CVE-2020-10663.patch
2020-06-05 12:32:48.0 +0530
@@ -0,0 +1,36 @@
+From b379ecd8b6832dfcd5dad353b6bfd41701e2d678 Mon Sep 17 00:00:00 2001
+From: usa 
+Date: Mon, 30 Mar 2020 22:22:10 +
+Subject: [PATCH] merge revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01:
+ [Backport #16698]
+
+backport 80b5a0ff2a7709367178f29d4ebe1c54122b1c27 partially as a
+ securify fix for CVE-2020-10663. The patch was provided by
Jeremy Evans.
+
+git-svn-id:
svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67856
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67869
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+Author: Utkarsh Gupta 
+
+--- a/ext/json/ext/parser/parser.c
 b/ext/json/ext/parser/parser.c
+@@ -1791,7 +1791,7 @@
+ } else {
+ json->max_nesting = 100;
+ json->allow_nan = 0;
+-json->create_additions = 1;
++json->create_additions = 0;
+ json->create_id = rb_funcall(mJSON, i_create_id, 0);
+ json->object_class = Qnil;
+ json->array_class = Qnil;
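Review bot: flipping the default `create_additions` from 1 to 0 is the whole mitigation: with it on, a document containing the configured `create_id` key (`json_class` by default) makes the parser call that class's `json_create`, so untrusted input could instantiate arbitrary classes; with it off, `JSON.parse` returns plain hashes and callers must opt in explicitly. The hunk only touches the `else` branch (no options hash given), so confirm the branch that reads an explicit options hash does not still default the flag to 1 when the key is absent, otherwise `JSON.parse(src, {})` would stay unsafe while `JSON.parse(src)` is fixed.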
+--- a/ext/json/ext/parser/parser.rl
 b/ext/json/ext/parser/parser.rl
+@@ -686,7 +686,7 @@
+ } else {
+ json->max_nesting = 100;
+ json->allow_nan = 0;
+-json->create_additions = 1;
++json->create_additions = 0;
+ json->create_id = rb_funcall(mJSON, i_create_id, 0);
+ json->object_class = Qnil;
+ json->array_class = Qnil;
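Review bot: good that parser.rl is patched alongside parser.c; parser.c is generated from the Ragel source, so if the build regenerates it the .rl change is the one that takes effect, and if it does not, patching only the .rl would have left the shipped parser unfixed. Keeping both in sync is the right call.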
diff -Nru ruby-json-2.0.1+dfsg/debian/patches/series
ruby-json-2.0.1+dfsg/debian/patches/series
--- ruby-json-2.0.1+dfsg/debian/patches/series2016-12-06
05:03:24.0 +0530
+++ ruby-json-2.0.1+dfsg/debian/patches/series2020-06-05
12:32:29.0 +0530
@@ -1,3 +1,4 @@
 02-fix-fuzz.rb-shebang.patch
 04-fix-tests-path.patch
 0003-Remove-additional-gemspec-files.patch
+CVE-2020-10663.patch

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#963693: marked as done (stretch-pu: package libexif/0.6.21-2+deb9u4)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #963693,
regarding stretch-pu: package libexif/0.6.21-2+deb9u4
to be marked as done.

963693: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963693
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release managers,

Two further security vulnerabilities were discovered in libexif, including
libexif 0.6.21-2+deb9u3.

This proposed update adds upstream patches to fix these vulnerabilities. The
package replaces the existing accepted version.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog 2020-05-25 21:28:10.0 +1000
+++ libexif-0.6.21/debian/changelog 2020-06-24 23:25:22.0 +1000
@@ -1,3 +1,12 @@
+libexif (0.6.21-2+deb9u4) stretch; urgency=medium
+
+  * Add upstream patches to fix two security issues:
+- Fix a buffer read overflow in exif_entry_get_value() (CVE-2020-0182).
+- Fix an unsigned integer overflow in libexif/exif-data.c (CVE-2020-0198)
+  (Closes: #962345).
+
+ -- Hugh McMaster   Wed, 24 Jun 2020 23:25:22 +1000
+
 libexif (0.6.21-2+deb9u3) stretch; urgency=medium
 
   * Add upstream patches to fix multiple security issues:
diff -Nru libexif-0.6.21/debian/patches/cve-2020-0182.patch 
libexif-0.6.21/debian/patches/cve-2020-0182.patch
--- libexif-0.6.21/debian/patches/cve-2020-0182.patch   1970-01-01 
10:00:00.0 +1000
+++ libexif-0.6.21/debian/patches/cve-2020-0182.patch   2020-06-24 
23:25:22.0 +1000
@@ -0,0 +1,28 @@
+Description: Fix a buffer read overflow in exif_entry_get_value() 
(CVE-2020-0182)
+ While parsing EXIF_TAG_FOCAL_LENGTH it was possible to read 8 bytes past
+ the end of a heap buffer. This was detected by the OSS Fuzz project.
+Origin: commit:f9bb9f263fb00f0603ecbefa8957cad24168cbff
+Author: Dan Fandrich 
+Last-Update: 2020-06-13
+
+---
+ libexif/exif-entry.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/libexif/exif-entry.c
 b/libexif/exif-entry.c
+@@ -1043,12 +1043,12 @@
+   d = 0.;
+   entry = exif_content_get_entry (
+   e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);
+-  if (entry && entry->data &&
++  if (entry && entry->data && entry->size >= 7 &&
+   !strncmp ((char *)entry->data, "Minolta", 7)) {
+   entry = exif_content_get_entry (
+   e->parent->parent->ifd[EXIF_IFD_0],
+   EXIF_TAG_MODEL);
+-  if (entry && entry->data) {
++  if (entry && entry->data && entry->size >= 8) {
+   if (!strncmp ((char *)entry->data, "DiMAGE 7", 
8))
+   d = 3.9;
+   else if (!strncmp ((char *)entry->data, "DiMAGE 
5", 8))
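Review bot: the new `entry->size >= 7` and `entry->size >= 8` checks are tied to the literal lengths passed to `strncmp` (`"Minolta"`, 7 and `"DiMAGE 7"`, 8); `strncmp` only stops early at a NUL, so a MAKE or MODEL entry shorter than that and not NUL-terminated let the compare read past the end of the heap allocation. To keep the bound and the compare length from drifting apart in a future edit, express both through the same constant (e.g. `sizeof("Minolta") - 1`) instead of repeating the numbers.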
diff -Nru libexif-0.6.21/debian/patches/cve-2020-0198.patch 
libexif-0.6.21/debian/patches/cve-2020-0198.patch
--- libexif-0.6.21/debian/patches/cve-2020-0198.patch   1970-01-01 
10:00:00.0 +1000
+++ libexif-0.6.21/debian/patches/cve-2020-0198.patch   2020-06-24 
23:25:22.0 +1000
@@ -0,0 +1,52 @@
+Description: Fix an unsigned integer overflow in libexif/exif-data.c 
(CVE-2020-0198)
+ Use a more generic overflow check method and also check the second overflow 
instance.
+Origin: commit:ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c
+Author: Marcus Meissner 
+Bug-Debian: https://bugs.debian.org/962345
+Last-Update: 2020-06-08
+
+---
+ libexif/exif-data.c | 10 ++
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/libexif/exif-data.c
 b/libexif/exif-data.c
+@@ -47,6 +47,8 @@
+ #undef JPEG_MARKER_APP1
+ #define JPEG_MARKER_APP1 0xe1
+ 
++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || 
(structsize > datasize
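Review bot: the `CHECKOVERFLOW` macro is cut off in the quoted debdiff after `(structsize > datasize`, so the full condition cannot be reviewed here. The two visible clauses bound `offset` and `structsize` individually against `datasize`, which is exactly what makes a third clause of the form `offset > datasize - structsize` safe from unsigned wraparound; make sure the remaining clause is of that subtraction form and not `offset + structsize > datasize`, which is the pattern that overflows.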

Bug#962155: marked as done (stretch-pu: package ca-certificates/20200601~deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #962155,
regarding stretch-pu: package ca-certificates/20200601~deb9u1
to be marked as done.

962155: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962155
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu


* Note: Please, upload this to stretch-updates as well to fix ongoing 
issues with failing web services from the expired AddTrust certificate. 
See #961907 for details.


I would like to upload ca-certificates_20200601~deb9u1 with the 
following fixes:


ca-certificates (20200601~deb9u1) stretch; urgency=medium

  * Rebuild for stretch.
  * Merge changes from 20200601
- d/control
  * This release updates the Mozilla CA bundle to 2.40, blacklists
distrusted Symantec roots, and blacklists expired "AddTrust External
Root". Closes: #956411, #955038, #911289, #961907
  * Fix permissions on /usr/local/share/ca-certificates when using 
symlinks.

Closes: #916833


diffstat for ca-certificates-20161130+nmu1+deb9u1 
ca-certificates-20200601~deb9u1


 .gitignore  |   12
 debian/ca-certificates.postinst |8
 debian/changelog|  228 +
 debian/copyright|   14
 mozilla/blacklist.txt   |   54
 mozilla/certdata.txt| 4927 


 mozilla/nssckbi.h   |6
 7 files changed, 2731 insertions(+), 2518 deletions(-)

Full debdiff.gz attached, due to the size of certdata changes.

--
Kind regards,
Michael Shuler


ca-certificates_20200601~deb9u1.debdiff.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#962264: marked as done (stretch-pu: package ruby2.3/2.3.3-1+deb9u8)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #962264,
regarding stretch-pu: package ruby2.3/2.3.3-1+deb9u8
to be marked as done.

962264: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962264
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
X-Debbugs-CC: debian-r...@lists.debian.org
Severity: normal

Hello,

ruby2.3 was affected by CVE-2020-10663, which was an unsafe object
creation vulnerability.
This has been fixed in Sid, Bullseye, and Jessie already.

Here's the debdiff for stretch-pu:
8<--8<--8<--8<--8<--8<--8<--8<--8<--8<

diff -Nru ruby2.3-2.3.3/debian/changelog ruby2.3-2.3.3/debian/changelog
--- ruby2.3-2.3.3/debian/changelog2019-12-15 21:58:25.0 +0530
+++ ruby2.3-2.3.3/debian/changelog2020-06-05 14:25:50.0 +0530
@@ -1,3 +1,11 @@
+ruby2.3 (2.3.3-1+deb9u8) stretch; urgency=high
+
+  * Non-maintainer upload.
+  * Add patch to fix unsafe object creation vulnerability.
+(Fixes: CVE-2020-10663)
+
+ -- Utkarsh Gupta   Fri, 05 Jun 2020 14:25:50 +0530
+
 ruby2.3 (2.3.3-1+deb9u7) stretch-security; urgency=high

   * Non-maintainer upload by the Security Team.
diff -Nru ruby2.3-2.3.3/debian/patches/CVE-2020-10663.patch
ruby2.3-2.3.3/debian/patches/CVE-2020-10663.patch
--- ruby2.3-2.3.3/debian/patches/CVE-2020-10663.patch1970-01-01
05:30:00.0 +0530
+++ ruby2.3-2.3.3/debian/patches/CVE-2020-10663.patch2020-06-05
14:25:21.0 +0530
@@ -0,0 +1,36 @@
+From b379ecd8b6832dfcd5dad353b6bfd41701e2d678 Mon Sep 17 00:00:00 2001
+From: usa 
+Date: Mon, 30 Mar 2020 22:22:10 +
+Subject: [PATCH] merge revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01:
+ [Backport #16698]
+
+backport 80b5a0ff2a7709367178f29d4ebe1c54122b1c27 partially as a
+ securify fix for CVE-2020-10663. The patch was provided by
Jeremy Evans.
+
+git-svn-id:
svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67856
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67869
b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+Author: Utkarsh Gupta 
+
+--- a/ext/json/parser/parser.c
 b/ext/json/parser/parser.c
+@@ -1739,7 +1739,7 @@
+ } else {
+ json->max_nesting = 100;
+ json->allow_nan = 0;
+-json->create_additions = 1;
++json->create_additions = 0;
+ json->create_id = rb_funcall(mJSON, i_create_id, 0);
+ json->object_class = Qnil;
+ json->array_class = Qnil;
+--- a/ext/json/parser/parser.rl
 b/ext/json/parser/parser.rl
+@@ -723,7 +723,7 @@
+ } else {
+ json->max_nesting = 100;
+ json->allow_nan = 0;
+-json->create_additions = 1;
++json->create_additions = 0;
+ json->create_id = rb_funcall(mJSON, i_create_id, 0);
+ json->object_class = Qnil;
+ json->array_class = Qnil;
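Review bot: this is the same two-line `create_additions` change as in the ruby-json update, applied to the json extension bundled inside ruby2.3; the differing hunk offsets (`@@ -1739` / `@@ -723` here versus `-1791` / `-686` in ruby-json) confirm these are separate copies, so both packages genuinely need the fix and neither covers the other. The same open question applies: the options-hash branch is not shown, so confirm it does not re-enable the flag by default.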
diff -Nru ruby2.3-2.3.3/debian/patches/series
ruby2.3-2.3.3/debian/patches/series
--- ruby2.3-2.3.3/debian/patches/series2019-12-15 21:58:25.0 +0530
+++ ruby2.3-2.3.3/debian/patches/series2020-06-05 14:25:01.0 +0530
@@ -4,3 +4,4 @@
 Loop-with-String-scan-without-creating-substrings.patch
 WEBrick-prevent-response-splitting-and-header-inject.patch
 lib-shell-command-processor.rb-Shell-prevent-unknown.patch
+CVE-2020-10663.patch

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#961804: marked as done (stretch-pu: package libexif/0.6.21-2+deb9u3)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #961804,
regarding stretch-pu: package libexif/0.6.21-2+deb9u3
to be marked as done.

961804: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961804
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Three additional CVEs were found in the upstream source after libexif
0.6.21-2+deb9u2 was uploaded.

This +deb9u3 version fixes those CVEs.

System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Version in base suite: 0.6.21-2
Version in overlay suite: 0.6.21-2+deb9u1

Base version: libexif_0.6.21-2+deb9u1
Target version: libexif_0.6.21-2+deb9u3
Base file: 
/srv/ftp-master.debian.org/ftp/pool/main/libe/libexif/libexif_0.6.21-2+deb9u1.dsc
Target file: 
/srv/ftp-master.debian.org/policy/pool/main/libe/libexif/libexif_0.6.21-2+deb9u3.dsc

 changelog   |   34 
 patches/cve-2016-6328.patch |   53 +++
 patches/cve-2017-7544.patch |   20 ++
 patches/cve-2018-20030.patch|  111 +++
 patches/cve-2020-0093.patch |   24 +++
 patches/cve-2020-12767.patch|   34 
 patches/cve-2020-13112.patch|  296 
 patches/cve-2020-13113.patch|   52 +++
 patches/cve-2020-13114.patch|   63 
 patches/extra_colorspace_check  |2 
 patches/fix-CVE-2019-9278.patch |   15 --
 patches/series  |8 +
 12 files changed, 701 insertions(+), 11 deletions(-)

diff -Nru libexif-0.6.21/debian/changelog libexif-0.6.21/debian/changelog
--- libexif-0.6.21/debian/changelog 2020-02-01 20:54:38.0 +
+++ libexif-0.6.21/debian/changelog 2020-05-25 11:28:10.0 +
@@ -1,3 +1,37 @@
+libexif (0.6.21-2+deb9u3) stretch; urgency=medium
+
+  * Add upstream patches to fix multiple security issues:
+- cve-2020-13112.patch: Fix MakerNote tag size overflow issues at
+  read time (CVE-2020-13112) (Closes: #961407).
+- cve-2020-13113.patch: Ensure MakerNote data pointers are
+  NULL-initialized (CVE-2020-13113) (Closes: #961409).
+- cve-2020-13114.patch: Add a failsafe on the maximum number of
+  Canon MakerNote subtags to catch extremely large values in tags
+  (CVE-2020-13114) (Closes: #961410).
+
+ -- Hugh McMaster   Mon, 25 May 2020 21:28:10 +1000
+
+libexif (0.6.21-2+deb9u2) stretch; urgency=medium
+
+  [ Mike Gabriel ]
+  * Sponsored upload.
+  * debian/patches: trivial rebasing of several patches.
+
+  [ Hugh McMaster ]
+  * Team upload.
+  * Add upstream patches to fix multiple security issues:
+- cve-2016-6328.patch: Fix an integer overflow while parsing the MNOTE
+  entry data of the input file (CVE-2016-6328) (Closes: #873022).
+- cve-2017-7544.patch: Fix an out-of-bounds heap read in the function
+  exif_data_save_data_entry() (CVE-2017-7544) (Closes: #876466).
+- cve-2018-20030.patch: Improve deep recursion detection in the function
+  exif_data_load_data_content() (CVE-2018-20030) (Closes: #918730).
+- cve-2020-12767.patch: Prevent some possible division-by-zero errors
+  in exif_entry_get_value() (CVE-2020-12767) (Closes: #960199).
+- cve-2020-0093.patch: Prevent read buffer overflow (CVE-2020-0093).
+
+ -- Mike Gabriel   Thu, 21 May 2020 11:22:40 +0200
+
 libexif (0.6.21-2+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
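Review bot: the diffstat above shows `patches/fix-CVE-2019-9278.patch` losing 15 lines and `patches/extra_colorspace_check` changing, but the changelog entries only say "trivial rebasing of several patches"; for a stable update carrying nine CVE fixes, state explicitly that the CVE-2019-9278 fix was rebased rather than dropped or reduced, so anyone auditing +deb9u3 does not have to diff the patch to confirm the earlier fix is still intact.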
diff -Nru libexif-0.6.21/debian/patches/cve-2016-6328.patch 
libexif-0.6.21/debian/patches/cve-2016-6328.patch
--- libexif-0.6.21/debian/patches/cve-2016-6328.patch   1970-01-01 
00:00:00.0 +
+++ libexif-0.6.21/debian/patches/cve-2016-6328.patch   2020-05-21 
09:21:25.0 +
@@ -0,0 +1,53 @@
+Description: Fixes an integer overflow while parsing the MNOTE entry data of 
the input file (CVE-2016-6328)
+Author: Marcus Meissner 
+Bug-Debian: http://bugs.debian.org/873022
+Last-Update: 2017-07-25
+
+Index: libexif-0.6.21/libexif/pentax/mn

Bug#961945: marked as done (stretch-pu: package php-horde/5.2.13+debian0-1+deb9u2)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #961945,
regarding stretch-pu: package php-horde/5.2.13+debian0-1+deb9u2
to be marked as done.

961945: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961945
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I have just uploaded this php-horde update to stretch, fixing a no-dsa CVE:

+  * CVE-2020-8035: Don't allow to view images inline if opened directly.
+  * debian/patches/0001-Fix-rewrite-base.patch: Trivial rebase.

Greets,
Mike

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru php-horde-5.2.13+debian0/debian/changelog 
php-horde-5.2.13+debian0/debian/changelog
--- php-horde-5.2.13+debian0/debian/changelog   2019-12-14 03:10:06.0 
+0100
+++ php-horde-5.2.13+debian0/debian/changelog   2020-05-31 21:45:26.0 
+0200
@@ -1,3 +1,10 @@
+php-horde (5.2.13+debian0-1+deb9u2) stretch; urgency=medium
+
+  * CVE-2020-8035: Don't allow to view images inline if opened directly.
+  * debian/patches/0001-Fix-rewrite-base.patch: Trivial rebase.
+
+ -- Mike Gabriel   Sun, 31 May 2020 21:45:26 +0200
+
 php-horde (5.2.13+debian0-1+deb9u1) stretch; urgency=high
 
   * Fix CVE-2019-12095: Stored XSS vuln in the Horde Cloud Block.
diff -Nru php-horde-5.2.13+debian0/debian/patches/0001-Fix-rewrite-base.patch 
php-horde-5.2.13+debian0/debian/patches/0001-Fix-rewrite-base.patch
--- php-horde-5.2.13+debian0/debian/patches/0001-Fix-rewrite-base.patch 
2019-12-14 03:10:06.0 +0100
+++ php-horde-5.2.13+debian0/debian/patches/0001-Fix-rewrite-base.patch 
2020-05-31 21:45:26.0 +0200
@@ -6,11 +6,9 @@
  horde-5.2.13/.htaccess | 1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/horde-5.2.13/.htaccess b/horde-5.2.13/.htaccess
-index 89eaf0a..348046e 100644
 --- a/horde-5.2.13/.htaccess
 +++ b/horde-5.2.13/.htaccess
-@@ -5,6 +5,7 @@ allow from all
+@@ -10,6 +10,7 @@
  
  
  RewriteEngine On
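Review bot: the nested hunk header moves from `@@ -5,6 +5,7 @@ allow from all` to `@@ -10,6 +10,7 @@` while the upstream version stays 5.2.13; dropping the `diff --git`/`index` lines is what a quilt refresh does, but a five-line offset change against the same tarball deserves a word in the changelog beyond "Trivial rebase", so the next uploader knows the patch was merely re-anchored and that `.htaccess` itself did not change.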
diff -Nru 
php-horde-5.2.13+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch
 
php-horde-5.2.13+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch
--- 
php-horde-5.2.13+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch
   1970-01-01 01:00:00.0 +0100
+++ 
php-horde-5.2.13+debian0/debian/patches/0003-CVE-2020-8035-dont-allow-to-view-images-inline.patch
   2020-05-31 21:45:26.0 +0200
@@ -0,0 +1,28 @@
+From 64127fe3c2b9843c9760218e59dae9731cc56bdf Mon Sep 17 00:00:00 2001
+From: Jan Schneider 
+Date: Mon, 20 Apr 2020 23:07:51 +0200
+Subject: [PATCH] Don't allow to view images inline if opened directly.
+
+This services is supposed to process and view images inside a web page.
+---
+ services/images/view.php | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/horde-5.2.13/services/images/view.php 
b/horde-5.2.13/services/images/view.php
+index bc7da534..f5b0cb25 100644
+--- a/horde-5.2.13/services/images/view.php
 b/horde-5.2.13/services/images/view.php
+@@ -84,6 +84,7 @@
+ 
+ /* Check if no editing action required and send the image to browser. */
+ if (empty($action)) {
++header('Content-Disposition: attachment');
+ $image->display();
+ exit;
+ }
+@@ -132,4 +133,5 @@
+ /* Write out any changes to the temporary file. */
+ file_put_contents($file_name, $image->raw());
+ 
++header('Content-Disposition: attachment');
+ $image->display();
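Review bot: `header('Content-Disposition: attachment');` is placed immediately before each of the two `$image->display();` calls, which is the right spot since headers must be emitted before the image body; but the header carries no `filename` parameter and nothing in the hunk sets `X-Content-Type-Options: nosniff`, so the saved name is left to the browser and protection still depends on whatever content type `display()` sends. Consider adding `header('X-Content-Type-Options: nosniff');` alongside, so a browser opening the service URL directly (the case the subject line describes) cannot re-sniff the served bytes as HTML or SVG.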
diff -Nru php-horde-5.2.13+debian0/debian/patches/series 
php-horde-5.2.13+debian0/debian/patches/series
--- php-horde-5.2.13+debian0/debian/patches/series  2019-12-14 
03:10:06.0 +0100
+++ php-horde-5.2.13+debian0/debian/patches/series  2020-05-31 
21:45:26.0 +0200
@@ -1,2 +1,3 @@
 0001-Fix-rewrite-base.patch
 0002-CVE-2019-12095-Fix-XSS-vuln-in-the-Horde-Cloud-Block.patch
+0003-CVE-2020-8035-do

Bug#964713: marked as done (stretch-pu: package storebackup/3.2.1-2~deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964713,
regarding stretch-pu: package storebackup/3.2.1-2~deb9u1
to be marked as done.


-- 
964713: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964713
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

  * Set maintainer to Debian QA Group. (see #856299)
  * Add patch to change the way the lockfile is opened in the Perl code.
(Fixes: CVE-2020-7040) (Closes: #949393)

CVE-2020-7040 is "no DSA" in stretch and buster.
diff -Nru storebackup-3.2.1/debian/changelog storebackup-3.2.1/debian/changelog
--- storebackup-3.2.1/debian/changelog  2012-06-17 07:31:31.0 +0300
+++ storebackup-3.2.1/debian/changelog  2020-07-09 14:54:23.0 +0300
@@ -1,3 +1,19 @@
+storebackup (3.2.1-2~deb9u1) stretch; urgency=medium
+
+  * QA upload.
+  * Rebuild for stretch.
+
+ -- Adrian Bunk   Thu, 09 Jul 2020 14:54:23 +0300
+
+storebackup (3.2.1-2) unstable; urgency=medium
+
+  * QA upload.
+  * Set maintainer to Debian QA Group. (see #856299)
+  * Add patch to change the way the lockfile is opened in the Perl code.
+(Fixes: CVE-2020-7040) (Closes: #949393)
+
+ -- Adrian Bunk   Wed, 08 Jul 2020 15:54:21 +0300
+
 storebackup (3.2.1-1) unstable; urgency=low
 
   * change short description, recommendation from Heinz-Josef Claes
diff -Nru storebackup-3.2.1/debian/control storebackup-3.2.1/debian/control
--- storebackup-3.2.1/debian/control2012-06-16 13:21:56.0 +0300
+++ storebackup-3.2.1/debian/control2020-07-08 15:54:21.0 +0300
@@ -1,7 +1,7 @@
 Source: storebackup
 Section: utils
 Priority: optional
-Maintainer: Ryan Niebur 
+Maintainer: Debian QA Group 
 Build-Depends: debhelper (>= 7.2), perl
 Standards-Version: 3.9.3
 Homepage: http://www.nongnu.org/storebackup/
diff -Nru storebackup-3.2.1/debian/patches/CVE-2020-7040.patch 
storebackup-3.2.1/debian/patches/CVE-2020-7040.patch
--- storebackup-3.2.1/debian/patches/CVE-2020-7040.patch1970-01-01 
02:00:00.0 +0200
+++ storebackup-3.2.1/debian/patches/CVE-2020-7040.patch2020-07-08 
15:54:21.0 +0300
@@ -0,0 +1,27 @@
+Description: changing the way the lockfile is opened in the Perl code
+Author: Jan Ritzerfeld
+Author: Utkarsh Gupta 
+Bug-Debian: https://bugs.debian.org/949393
+Origin: https://www.openwall.com/lists/oss-security/2020/01/20/3/1
+Last-Update: 2020-02-04
+
+--- a/lib/fileDir.pl
 b/lib/fileDir.pl
+@@ -22,7 +22,7 @@
+ 
+ push @VERSION, '$Id: fileDir.pl 364 2012-02-12 14:14:44Z hjc $ ';
+ 
+-use Fcntl qw(O_RDWR O_CREAT);
++use Fcntl qw(O_RDWR O_CREAT O_WRONLY O_EXCL);
+ use POSIX;
+ 
+ require 'prLog.pl';
+@@ -404,7 +404,7 @@
+ '-str' => ["creating lock file <$lockFile>"]);
+ 
+ &::checkDelSymLink($lockFile, $prLog, 0x01);
+-open(FILE, "> $lockFile") or
++sysopen(FILE, $lockFile, O_WRONLY | O_CREAT | O_EXCL) or
+   $prLog->print('-kind' => 'E',
+ '-str' => ["cannot create lock file <$lockFile>"],
+ '-exit' => 1);
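Review bot: replacing `open(FILE, "> $lockFile")` with `sysopen(FILE, $lockFile, O_WRONLY | O_CREAT | O_EXCL)` makes the creation atomic: with O_CREAT|O_EXCL the open fails with EEXIST if anything already exists at `$lockFile`, a symlink included, so the gap between `&::checkDelSymLink($lockFile, $prLog, 0x01)` and the open no longer matters. Two points remain: no permission argument is passed, so the lock file is created 0666 masked by the umask, and an explicit mode such as `0600` would be tighter; and the error path now also fires on a stale lock file left by a crashed run, where the old `>` open silently truncated it, so the `cannot create lock file` message could say that the file already exists. The `use Fcntl qw(O_RDWR O_CREAT O_WRONLY O_EXCL);` change correctly imports the two constants the old list lacked.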
diff -Nru storebackup-3.2.1/debian/patches/series 
storebackup-3.2.1/debian/patches/series
--- storebackup-3.2.1/debian/patches/series 2012-06-16 13:19:48.0 
+0300
+++ storebackup-3.2.1/debian/patches/series 2020-07-08 15:54:21.0 
+0300
@@ -1 +1,2 @@
 fix-spelling-error-in-manpage
+CVE-2020-7040.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#963703: marked as done (stretch-pu: package gnutls28/3.5.8-5+deb9u5)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #963703,
regarding stretch-pu: package gnutls28/3.5.8-5+deb9u5
to be marked as done.


-- 
963703: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963703
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I would like to make a last bugfix upload to stretch:
* Pull fixes for CVE-2019-3836 / [GNUTLS-SA-2019-03-27, #694].
  + 40_casts_related_to_fix_CVE-2019-3829.patch
  + 40_rel3.6.7_01-Automatically-NULLify-after-gnutls_free.patch
  + 40_rel3.6.7_01-fuzz-added-fuzzer-for-certificate-verification.patch
  + 41_use_datefudge_to_trigger_CVE-2019-3829_testcase.diff
* More important fixes:
  + 43_rel3.6.14_10-session_pack-fix-leak-in-error-path.patch
[One-line-fix for memleak]

  + 44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch
Handle zero length session tickets, fixing connection errors on TLS1.2
sessions to some big hosting providers. (See LP 1876286)
[Fixes connections to e.g. verizon popserver.]

TIA, cu Andreas
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#964325: marked as done (stretch-pu: package compactheader/3.0.0~beta5-2~deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964325,
regarding stretch-pu: package compactheader/3.0.0~beta5-2~deb9u1
to be marked as done.


-- 
964325: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964325
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

The version of compactheader in stretch does not work
with the version of thunderbird in stretch. (#944021)

The attached debdiff is against the version in unstable,
which has already been backported to buster. (#948203)

Despite the dh compat difference the resulting package works,
and debdiff reports no differences.
diff -Nru compactheader-3.0.0~beta5/debian/changelog 
compactheader-3.0.0~beta5/debian/changelog
--- compactheader-3.0.0~beta5/debian/changelog  2019-12-06 19:59:16.0 
+0200
+++ compactheader-3.0.0~beta5/debian/changelog  2020-07-05 20:17:59.0 
+0300
@@ -1,3 +1,11 @@
+compactheader (3.0.0~beta5-2~deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for stretch.
+- Lower dh compat to 10.
+
+ -- Adrian Bunk   Sun, 05 Jul 2020 20:17:59 +0300
+
 compactheader (3.0.0~beta5-2) unstable; urgency=medium
 
   * [25489aa] d/control: fix depending TB version
diff -Nru compactheader-3.0.0~beta5/debian/compat 
compactheader-3.0.0~beta5/debian/compat
--- compactheader-3.0.0~beta5/debian/compat 1970-01-01 02:00:00.0 
+0200
+++ compactheader-3.0.0~beta5/debian/compat 2020-07-05 20:17:59.0 
+0300
@@ -0,0 +1 @@
+10
diff -Nru compactheader-3.0.0~beta5/debian/control 
compactheader-3.0.0~beta5/debian/control
--- compactheader-3.0.0~beta5/debian/control2019-12-06 19:13:03.0 
+0200
+++ compactheader-3.0.0~beta5/debian/control2020-07-05 20:17:59.0 
+0300
@@ -4,7 +4,7 @@
 Maintainer: Debian Mozilla Extension Maintainers 

 Uploaders: Carsten Schoenert 
 Build-Depends:
- debhelper-compat (= 12),
+ debhelper (>= 10),
 Rules-Requires-Root: no
 Standards-Version: 4.4.1
 Homepage: https://github.com/jmozmoz/compactheader
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#964456: marked as done (stretch-pu: package roundcube/1.2.3+dfsg.1-4+deb9u6)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964456,
regarding stretch-pu: package roundcube/1.2.3+dfsg.1-4+deb9u6
to be marked as done.


-- 
964456: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964456
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi there,

In a recent post roundcube webmail upstream has announced the following
security fix:

CVE-2020-15562: Prevent cross-site scripting (XSS) via HTML messages
with malicious svg/namespace.

This is tracked as #964355.  The security team gave the green light for
an upload of 1.3.14+dfsg.1-1~deb10u1 to buster-security, but suggested
to target old-p-u for stretch.  stretch currently has 1.2.3+dfsg.1-4+deb9u3
while stretch-security and stretch-pu have 1.2.3+dfsg.1-4+deb9u5.  Both
debdiffs attached.

unblock roundcube/1.2.3+dfsg.1-4+deb9u6
cheers
-- 
Guilhem.
diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1

 changelog|8 
 patches/CVE-2020-15562.patch |   33 +
 patches/series   |1 +
 3 files changed, 42 insertions(+)

diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog 
roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog 2020-06-09 13:46:01.0 
+0200
+++ roundcube-1.2.3+dfsg.1/debian/changelog 2020-07-06 16:14:59.0 
+0200
@@ -1,3 +1,11 @@
+roundcube (1.2.3+dfsg.1-4+deb9u6) stretch; urgency=high
+
+  * Backport security fix for CVE-2020-15562: Cross-Site Scripting (XSS)
+vulnerability via HTML messages with malicious svg/namespace
+(Closes: #964355)
+
+ -- Guilhem Moulin   Mon, 06 Jul 2020 16:14:59 +0200
+
 roundcube (1.2.3+dfsg.1-4+deb9u5) stretch-security; urgency=high
 
   * Backport security fixes from 1.3.12:
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch 
roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch  1970-01-01 
01:00:00.0 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-15562.patch  2020-07-06 
16:14:59.0 +0200
@@ -0,0 +1,33 @@
+From f3d1566cf223eb04f47b6dfffcd88753f66c36ee Mon Sep 17 00:00:00 2001
+From: Aleksander Machniak 
+Date: Fri, 3 Jul 2020 11:29:50 +0200
+Subject: Fix cross-site scripting (XSS) via HTML messages with malicious 
svg/namespace
+
+Credits to SSD Secure Disclosure (https://ssd-disclosure.com/)
+---
+ program/lib/Roundcube/rcube_washtml.php |7 +--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/program/lib/Roundcube/rcube_washtml.php
 b/program/lib/Roundcube/rcube_washtml.php
+@@ -445,7 +445,10 @@ class rcube_washtml
+ $xpath = new DOMXPath($node->ownerDocument);
+ foreach ($xpath->query('namespace::*') as $ns) {
+ if ($ns->nodeName != 'xmlns:xml') {
+-$dump .= ' ' . $ns->nodeName . '="' . 
$ns->nodeValue . '"';
++$dump .= sprintf(' %s="%s"',
++$ns->nodeName,
++htmlspecialchars($ns->nodeValue, 
ENT_QUOTES, $this->config['charset'])
++);
+ }
+ }
+ }
+@@ -507,7 +510,7 @@ class rcube_washtml
+ $this->max_nesting_level = (int) @ini_get('xdebug.max_nesting_level');
+ 
+ // SVG need to be parsed as XML
+-$this->is_xml = stripos($html, 'is_xml = !preg_match('/<(html|head|body)/i', $html) && 
stripos($html, 'is_xml ? 'loadXML' : 'loadHTML';
+ $options  = 0;
+ 
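Review bot: in the first hunk the namespace declaration value is now passed through `htmlspecialchars($ns->nodeValue, ENT_QUOTES, $this->config['charset'])` before being written into `$dump`, so a quote inside an `xmlns:*` value can no longer break out of the attribute; `$ns->nodeName` is still interpolated raw, which is acceptable because a namespace node's name arrives from the parser as `xmlns` or `xmlns:prefix` and cannot contain quotes, but a one-line comment stating that assumption would help the next reader. The second hunk is damaged in this archive copy (the string literal after `stripos($html, '` and the line assigning `$method` have been eaten), but the visible `!preg_match('/<(html|head|body)/i', $html) &&` shows the intent: treat the input as XML only when it has no html/head/body element, so an HTML message cannot steer the washer onto the XML parser path.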
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series 
roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series2020-06-09 
13:46:01.0 +0200
+++ roundcube-1.2.3+dfsg.1/debian/patches/series2020-07-06 
16:14:59.0 +0200
@@ -20,3 +20,4 @@
 CVE-2020-12626.patch
 CVE-2020-13964.patch
 CVE-2020-13965.patch
+CVE-2020-15562.patch
diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1

 changelog|8 
 patches/CVE-2020-15562.patch |   33 +
 patches/series   |1 +
 3 files changed, 42 insertions(+)

diff -Nr

Bug#964244: marked as done (stretch-pu: package xml-security-c/1.7.3-4+deb9u2)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964244,
regarding stretch-pu: package xml-security-c/1.7.3-4+deb9u2
to be marked as done.


-- 
964244: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964244
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear Stable Release Team,

There's an old bug reported against xml-security-c (#922984), which was fixed
in the 2.0 branch in buster but still lingers around in 1.7 in stretch.  I'm
ready to upload with the following debdiff:

$ debdiff xml-security-c_1.7.3-4+deb9u[23].dsc 
diff -Nru xml-security-c-1.7.3/debian/changelog 
xml-security-c-1.7.3/debian/changelog
--- xml-security-c-1.7.3/debian/changelog   2018-12-10 11:45:41.0 
+0100
+++ xml-security-c-1.7.3/debian/changelog   2020-07-04 12:47:24.0 
+0200
@@ -1,3 +1,10 @@
+xml-security-c (1.7.3-4+deb9u3) stretch; urgency=medium
+
+  * [02c3993] New patch: Fix a length bug in concat method.
+Thanks to Scott Cantor (Closes: #922984 )
+
+ -- Ferenc Wágner   Sat, 04 Jul 2020 12:47:24 +0200
+
 xml-security-c (1.7.3-4+deb9u2) stretch; urgency=medium
 
   * [12dd825] New patches: DSA verification crashes OpenSSL on invalid
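Review bot: `(Closes: #922984 )` in the new changelog entry has a stray space before the closing parenthesis; the dpkg `Closes:` parser still picks the number up, but the line should read `(Closes: #922984)`.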
diff -Nru 
xml-security-c-1.7.3/debian/patches/Fix-a-length-bug-in-concat-method.patch 
xml-security-c-1.7.3/debian/patches/Fix-a-length-bug-in-concat-method.patch
--- xml-security-c-1.7.3/debian/patches/Fix-a-length-bug-in-concat-method.patch 
1970-01-01 01:00:00.0 +0100
+++ xml-security-c-1.7.3/debian/patches/Fix-a-length-bug-in-concat-method.patch 
2020-07-04 12:47:01.0 +0200
@@ -0,0 +1,24 @@
+From: Scott Cantor 
+Date: Mon, 4 Sep 2017 18:41:41 +
+Subject: Fix a length bug in concat method.
+
+git-svn-id: 
https://svn.apache.org/repos/asf/santuario/xml-security-cpp/trunk@1807280 
13f79535-47bb-0310-9956-ffa450edef68
+
+Closes: #922984
+---
+ xsec/utils/XSECSafeBuffer.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xsec/utils/XSECSafeBuffer.cpp b/xsec/utils/XSECSafeBuffer.cpp
+index 71ae9a0..6d0798b 100644
+--- a/xsec/utils/XSECSafeBuffer.cpp
 b/xsec/utils/XSECSafeBuffer.cpp
+@@ -639,7 +639,7 @@ void safeBuffer::sbXMLChCat(const char * str) {
+ 
+   assert (t != NULL);
+ 
+-  len += XMLString::stringLen(t);
++  len += XMLString::stringLen(t) * size_XMLCh;
+   len += (xsecsize_t) (2 * size_XMLCh);
+ 
+   checkAndExpand(len);
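Review bot: multiplying `XMLString::stringLen(t)` by `size_XMLCh` is consistent with the following line `len += (xsecsize_t) (2 * size_XMLCh);`, where `len` is plainly a byte count while `stringLen` returns a count of XMLCh code units; before this change `checkAndExpand(len)` was therefore asked for fewer bytes than the concatenation writes whenever `size_XMLCh` is greater than 1, an under-allocation on every append of a long string. A regression test that concatenates a string longer than the buffer's current slack would pin the fix down; the patch ships only the one-line change.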
diff -Nru xml-security-c-1.7.3/debian/patches/series 
xml-security-c-1.7.3/debian/patches/series
--- xml-security-c-1.7.3/debian/patches/series  2018-12-10 11:45:41.0 
+0100
+++ xml-security-c-1.7.3/debian/patches/series  2020-07-04 12:47:01.0 
+0200
@@ -24,3 +24,4 @@
 Default-KeyInfo-resolver-doesn-t-check-for-empty-element-.patch
 SANTUARIO-496-DSA-verification-crashes-OpenSSL-on-invalid.patch
 SANTUARIO-496-Prevent-KeyInfoResolver-returning-NONE-keys.patch
+Fix-a-length-bug-in-concat-method.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#964351: marked as done (stretch-pu: package intel-microcode/3.20200616.1~deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964351,
regarding stretch-pu: package intel-microcode/3.20200616.1~deb9u1
to be marked as done.


-- 
964351: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964351
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I'd like to update the intel-microcode packages in buster and stretch to
3.202006016.1~deb{9,10}u1.

This is basically the same packages already in buster and stretch via
buster/stretch-security, with one extra microcode revert.  It effectively
fixes a regression introduced by the security updates for a single
processor model (Xeon E3 with signature 0x506e3).

The upload via s-p-u/os-p-u was suggested by the security team: we
agreed the revert of microcode 0x506e3 did not really deserve a DSA and
could be handled through the upcoming point releases (it affects only
*some* motherboards with such processors).

The git diff is attached.  Unfortunately, stable debdiff gets mightily
confused by a directory rename that only has binary files inside, so git
diff does a much better job here.

diffstat:
 changelog  |   8 ++
 debian/changelog   |  19 
 intel-ucode/06-4e-03   | Bin 104448 -> 101376 bytes
 intel-ucode/06-5e-03   | Bin 104448 -> 101376 bytes
 microcode-20200609.d => microcode-20200616.d   |   0
 releasenote|  32 -
 s000406E3_m00C0_r00D6.fw   | Bin 101376 -> 0 bytes
 bin => supplementary-ucode-20200616_BDX-ML.bin |   0
 8 files changed, 32 insertions(+), 27 deletions(-)

-- 
  Henrique Holschuh
diff --git a/changelog b/changelog
index d033202..b0565f2 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,11 @@
+2020-06-16:
+  * Downgraded microcodes (to a previously shipped revision):
+sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
+sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376
+  * Works around hangs on boot on Skylake-U/Y and Skylake Xeon E3,
+
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+  * This update *removes* the SRBDS mitigations from the above processors
+
 2020-06-09:
   * Implements mitigation for CVE-2020-0543 Special Register Buffer Data
 Sampling (SRBDS), aka INTEL-SA-00320
diff --git a/debian/changelog b/debian/changelog
index 9a576a8..863eecf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+intel-microcode (3.20200616.1~deb9u1) stretch; urgency=high
+
+  * Rebuild for Debian oldstable (stretch), no changes
+
+ -- Henrique de Moraes Holschuh   Sun, 05 Jul 2020 15:26:41 
-0300
+
+intel-microcode (3.20200616.1) unstable; urgency=high
+
+  * New upstream microcode datafile 20200616
++ Downgraded microcodes (to a previously shipped revision):
+  sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
+  sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376
+  * Works around hangs on boot on Skylake-U/Y and Skylake Xeon E3,
+
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+  * This update *removes* the SRBDS mitigations from the above processors
+  * Note that Debian had already downgraded 0x406e3 in release 3.20200609.2
+
+ -- Henrique de Moraes Holschuh   Sun, 28 Jun 2020 18:38:57 
-0300
+
 intel-microcode (3.20200609.2~deb9u1) stretch-security; urgency=high
 
   * Rebuild for stretch-security, no changes
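Review bot: the 3.20200616.1 entry records that downgrading 0x406e3 and 0x506e3 to rev 0x00d6 removes the SRBDS (CVE-2020-0543) mitigation from those processors, while the `~deb9u1` entry above it says only `Rebuild for Debian oldstable (stretch), no changes`; a stretch user coming from the 3.20200609.2~deb9u1 security update loses that mitigation on the Skylake parts named in the entry, so a one-line pointer to the trade-off in the stretch entry (or a NEWS entry) would surface it in apt-listchanges rather than leaving it to the upstream `changelog` file.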
diff --git a/intel-ucode/06-4e-03 b/intel-ucode/06-4e-03
index 33b963e..1fabcf8 100644
Binary files a/intel-ucode/06-4e-03 and b/intel-ucode/06-4e-03 differ
diff --git a/intel-ucode/06-5e-03 b/intel-ucode/06-5e-03
index 4e947ea..a3119d5 100644
Binary files a/intel-ucode/06-5e-03 and b/intel-ucode/06-5e-03 differ
diff --git a/microcode-20200609.d b/microcode-20200616.d
similarity index 100%
rename from microcode-20200609.d
rename to microcode-20200616.d
diff --git a/releasenote b/releasenote
index 9b60007..f7302d5 100644
--- a/releasenote
+++ b/releasenote
@@ -82,37 +82,15 @@ OS vendors must ensure that the late loader patches 
(provided in
 linux-kernel-patches\) are included in the distribution before packaging the
 BDX-ML microcode for late-loadi

Bug#922170: marked as done (nmu: Four packages for golang)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #922170,
regarding nmu: Four packages for golang
to be marked as done.


-- 
922170: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922170
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

These packages need to be rebuilt to pick up the recent golang DSA:

nmu acmetool_0.0.58-5 . ANY . stretch . -m "rebuilt against current golang"
nmu chasquid_0.01+git20161124.6479138-2 . ANY . stretch . -m "rebuilt against current golang"
nmu heartbleeder_0.1.1-5 . ANY . stretch . -m "rebuilt against current golang"
nmu mongo-tools_3.2.11-1 . ANY . stretch . -m "rebuilt against current golang"

Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#964398: marked as done (stretch-pu: package libembperl-perl/2.5.0-10+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964398,
regarding stretch-pu: package libembperl-perl/2.5.0-10+deb9u1
to be marked as done.


-- 
964398: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964398
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

As part of a security fix the changed Apache output was backported;
the #941926 fix for libembperl-perl is needed to fix the resulting
FTBFS due to test failure.
diff -Nru libembperl-perl-2.5.0/debian/changelog 
libembperl-perl-2.5.0/debian/changelog
--- libembperl-perl-2.5.0/debian/changelog  2016-10-26 06:51:02.0 
+0300
+++ libembperl-perl-2.5.0/debian/changelog  2020-07-06 16:04:21.0 
+0300
@@ -1,3 +1,11 @@
+libembperl-perl (2.5.0-10+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Update debian/patches/apache2.4-compat.patch to work with Apache
+2.4.40+ error pages. (Closes: #941926)
+
+ -- Adrian Bunk   Mon, 06 Jul 2020 16:04:21 +0300
+
 libembperl-perl (2.5.0-10) unstable; urgency=medium
 
   * Team upload.
diff -Nru libembperl-perl-2.5.0/debian/patches/apache2.4-compat.patch 
libembperl-perl-2.5.0/debian/patches/apache2.4-compat.patch
--- libembperl-perl-2.5.0/debian/patches/apache2.4-compat.patch 2016-10-26 
06:51:02.0 +0300
+++ libembperl-perl-2.5.0/debian/patches/apache2.4-compat.patch 2020-07-06 
16:04:15.0 +0300
@@ -1,7 +1,7 @@
 From bcce23a15de55a39478f83a7923d8a89f681cc19 Mon Sep 17 00:00:00 2001
 From: Niko Tyni 
 Date: Tue, 29 Jul 2014 14:34:35 +0300
-Subject: [PATCH] Adapt to an Apache 2.4.10 error page change
+Subject: [PATCH] Adapt to an Apache 2.4.10 + 2.4.40 error page change
 
 The "Forbidden" error page was slightly changed by Apache commit
 
@@ -10,22 +10,34 @@
 
 breaking the EmbperlObject/epobase.htm test. The fix works
 with both the old and the new page format.
+
+Some years and versions later:
+Apache changed the output again (in 2.4.40):
+ 
https://github.com/apache/httpd/commit/c0ce3a729218279a6b4b03aab7a71bb8ae9d6259
+
+Update the patch to hopefully work with all versions.
+
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/756382
+ https://bugs.debian.org/941926
+Reviewed-by: gregor herrmann 
+Last-Update: 2019-10-07
+
 ---
  test/cmp/epobase.htm | 1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/test/cmp/epobase.htm b/test/cmp/epobase.htm
-index ba29386..9d0269c 100644
 --- a/test/cmp/epobase.htm
 +++ b/test/cmp/epobase.htm
-@@ -5,6 +5,7 @@
+@@ -3,8 +3,9 @@
+ 403 Forbidden
+ 
  Forbidden
- ^.*?You don't have permission to access /embperl/EmbperlObject/epobase.htm
- ^on this server
+-^.*?You don't have permission to access /embperl/EmbperlObject/epobase.htm
+-^on this server
++^.*?You don't have permission to access 
(/embperl/EmbperlObject/epobase.htm|this resource)
++^-on this server
 +^-
  
  
  
--- 
-2.0.1
-
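Review bot: the updated expectation `^.*?You don't have permission to access (/embperl/EmbperlObject/epobase.htm|this resource)` accepts both the pre-2.4.40 and the 2.4.40+ wording, and the nested hunk counts in `@@ -3,8 +3,9 @@` match the lines shown. Two style points: if these lines are regexes, as the `^` prefix and `.*?` suggest, the `.` in `epobase.htm` is unescaped and matches any character (harmless in a test, but worth escaping while the line is being touched); and the rebase drops the `diff --git`/`index` lines and the trailing `-- ` / `2.0.1` footer, so the file is now a plain quilt patch although its first line `From bcce23a1... Mon Sep 17 00:00:00 2001` still announces git format. The DEP-3 fields (`Origin`, `Bug-Debian`, `Reviewed-by`, `Last-Update`) are a welcome addition.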
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#964340: marked as done (stretch-pu: package sogo-connector/68.0.1-2~deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964340,
regarding stretch-pu: package sogo-connector/68.0.1-2~deb9u1
to be marked as done.


-- 
964340: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964340
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

The version of sogo-connector in stretch does not work
with the version of thunderbird in stretch. (#945061)

The attached debdiff is against the version in unstable,
which has already been backported to buster. (#948205)

Despite the dh compat difference the resulting package works,
and debdiff reports no differences.
diff -Nru sogo-connector-68.0.1/debian/changelog 
sogo-connector-68.0.1/debian/changelog
--- sogo-connector-68.0.1/debian/changelog  2020-02-05 13:31:44.0 
+0200
+++ sogo-connector-68.0.1/debian/changelog  2020-07-05 21:47:13.0 
+0300
@@ -1,3 +1,11 @@
+sogo-connector (68.0.1-2~deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for stretch.
+- Lower dh compat to 10.
+
+ -- Adrian Bunk   Sun, 05 Jul 2020 21:47:13 +0300
+
 sogo-connector (68.0.1-2) unstable; urgency=medium
 
   * [2bfa6a2] d/control: bump Standards-Version to 4.5.0
diff -Nru sogo-connector-68.0.1/debian/compat 
sogo-connector-68.0.1/debian/compat
--- sogo-connector-68.0.1/debian/compat 1970-01-01 02:00:00.0 +0200
+++ sogo-connector-68.0.1/debian/compat 2020-07-05 21:47:13.0 +0300
@@ -0,0 +1 @@
+10
diff -Nru sogo-connector-68.0.1/debian/control 
sogo-connector-68.0.1/debian/control
--- sogo-connector-68.0.1/debian/control2020-02-05 13:30:39.0 
+0200
+++ sogo-connector-68.0.1/debian/control2020-07-05 21:47:13.0 
+0300
@@ -7,7 +7,7 @@
  Christoph Goehre ,
 Standards-Version: 4.5.0
 Build-Depends:
- debhelper-compat (= 12),
+ debhelper (>= 10),
 Rules-Requires-Root: no
 Homepage: https://github.com/inverse-inc/sogo-connector
 X-Debian-Homepage: http://wiki.debian.org/SOGoConnector
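Review bot: the switch from debhelper-compat (= 12) to debhelper (>= 10) only works together with the new debian/compat file from the previous hunk, so the two hunks have to land as one change; debhelper refuses to build when both a debian/compat file and a debhelper-compat build-dependency are present, and equally when neither is. The changelog line "Lower dh compat to 10" could also say why 10 was chosen (presumably the newest level the stretch debhelper supports), since that is the justification a release team reader looks for.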
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#964588: marked as done (stretch-pu: package fwupd/0.7.4-2)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964588,
regarding stretch-pu: package fwupd/0.7.4-2
to be marked as done.



-- 
964588: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964588
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi folks,

We'd like to push an update into the last stretch point release for
fwupd. The last version in stretch (0.7.4-2) is now considered so old
that it's (a) not really functional any more, and (b) no longer
supported by upstream. There are also security worries
(CVE-2020-10759) with this version. We've discussed this with the
security team (in CC) and they're keen to see this addressed, but
maybe via the PU process before it hits LTS.

To fix all this, we'd like to switch to a supported stable release
branch as supported by upstream (0.8.x); Mario, the primary maintainer
in Debian, is also part of the upstream development team and has been
working to maintain that. Apparently Ubuntu and other distros have
switched to this already.

This *does* mean that the debdiff is *way* too large to fit in mail,
sorry. :-( I've put a copy up at

 https://www.einval.com/~steve/debian/fwupd_0.8.3-1_amd64.debdiff.gz

for reference.

Sorry this is so big and so late... :-(

-- System Information:
Debian Release: 10.4
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.118+ (SMP w/4 CPU cores)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#964411: marked as done (stretch-pu: package c-icap-modules/1:0.4.4-1+deb9u2)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964411,
regarding stretch-pu: package c-icap-modules/1:0.4.4-1+deb9u2
to be marked as done.



-- 
964411: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964411
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

ClamAV was updated to 0.102, which needs a fix in c-icap-modules.
diff -Nru c-icap-modules-0.4.4/debian/changelog 
c-icap-modules-0.4.4/debian/changelog
--- c-icap-modules-0.4.4/debian/changelog   2019-03-10 23:00:14.0 
+0200
+++ c-icap-modules-0.4.4/debian/changelog   2020-07-06 23:32:58.0 
+0300
@@ -1,3 +1,10 @@
+c-icap-modules (1:0.4.4-1+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport support for ClamAV 0.102. (Closes: #952009)
+
+ -- Adrian Bunk   Mon, 06 Jul 2020 23:32:58 +0300
+
 c-icap-modules (1:0.4.4-1+deb9u1) stretch; urgency=medium
 
   * Non-maintainer upload.
diff -Nru c-icap-modules-0.4.4/debian/patches/c-icap-modules-clamav-0.102.patch 
c-icap-modules-0.4.4/debian/patches/c-icap-modules-clamav-0.102.patch
--- c-icap-modules-0.4.4/debian/patches/c-icap-modules-clamav-0.102.patch   
1970-01-01 02:00:00.0 +0200
+++ c-icap-modules-0.4.4/debian/patches/c-icap-modules-clamav-0.102.patch   
2020-07-06 23:32:58.0 +0300
@@ -0,0 +1,43 @@
+Description: Backport support for ClamAV 0.102
+Author: Adrian Bunk 
+Bug-Debian: https://bugs.debian.org/952009
+
+--- c-icap-modules-0.4.4.orig/services/virus_scan/clamav_mod.c
 c-icap-modules-0.4.4/services/virus_scan/clamav_mod.c
+@@ -104,8 +104,8 @@ extern ci_off_t CLAMAV_MAXFILESIZE;
+ extern ci_off_t CLAMAV_MAXSCANSIZE;
+ extern char *CLAMAV_TMP;
+ 
+-#define CLAMAV_VERSION_SIZE 64
+-static char CLAMAV_VERSION[CLAMAV_VERSION_SIZE];
++#define CLAMAVLIB_VERSION_SIZE 64
++static char CLAMAVLIB_VERSION[CLAMAVLIB_VERSION_SIZE];
+ #define CLAMAV_SIGNATURE_SIZE SERVICE_ISTAG_SIZE + 1
+ static char CLAMAV_SIGNATURE[CLAMAV_SIGNATURE_SIZE];
+ 
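Review bot: the rename from CLAMAV_VERSION to CLAMAVLIB_VERSION is the substantive part of this hunk, but the DEP-3 header above says only "Backport support for ClamAV 0.102" and gives no reason for it; a reader cannot tell from the patch whether the old name collides with something in the newer ClamAV headers or was merely renamed for clarity. Add a sentence to Description explaining the collision, and an Origin: or Forwarded: field pointing at the upstream change this backports.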
+@@ -631,7 +631,7 @@ void clamav_set_versions()
+ {
+ char str_version[64];
+ int cfg_version = 0;
+-unsigned int version, level;
++unsigned int version = 0, level = 0;
+ 
+ clamav_get_versions(&level, &version, str_version, sizeof(str_version));
+ 
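Review bot: initialising version and level to 0 before clamav_get_versions() is the right defensive move, since both values are formatted into CLAMAVLIB_VERSION in the next hunk and would otherwise be read uninitialised if the call leaves them untouched; but a silent "/0" in the reported version hides that failure, so consider checking the return value of clamav_get_versions() (or the still-zero version) and logging it.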
+@@ -641,13 +641,13 @@ void clamav_set_versions()
+ CLAMAV_SIGNATURE[CLAMAV_SIGNATURE_SIZE - 1] = '\0';
+ 
+  /*set the clamav version*/
+- snprintf(CLAMAV_VERSION, CLAMAV_VERSION_SIZE - 1, "%s/%d", str_version, 
version);
+- CLAMAV_VERSION[CLAMAV_VERSION_SIZE - 1] = '\0';
++ snprintf(CLAMAVLIB_VERSION, CLAMAVLIB_VERSION_SIZE - 1, "%s/%d", 
str_version, version);
++ CLAMAVLIB_VERSION[CLAMAVLIB_VERSION_SIZE - 1] = '\0';
+ }
+ 
+ const char *clamav_version()
+ {
+-return CLAMAV_VERSION;
++return CLAMAVLIB_VERSION;
+ }
+ 
+ const char *clamav_signature()
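Review bot: snprintf() with CLAMAVLIB_VERSION_SIZE - 1 followed by an explicit NUL write at index CLAMAVLIB_VERSION_SIZE - 1 is harmless but redundant, because snprintf() already NUL-terminates within the size it is given; passing sizeof(CLAMAVLIB_VERSION) directly and dropping the manual termination would make the buffer handling easier to audit. Not a blocker for a stable update that deliberately keeps the diff minimal.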
diff -Nru c-icap-modules-0.4.4/debian/patches/series 
c-icap-modules-0.4.4/debian/patches/series
--- c-icap-modules-0.4.4/debian/patches/series  2019-03-10 22:59:27.0 
+0200
+++ c-icap-modules-0.4.4/debian/patches/series  2020-07-06 23:32:58.0 
+0300
@@ -1 +1,2 @@
 c-icap-modules-clamav-backport.patch
+c-icap-modules-clamav-0.102.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam
--- End Message ---


Bug#964764: marked as done (stretch-pu: package file-roller/3.22.3-1+deb9u2)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964764,
regarding stretch-pu: package file-roller/3.22.3-1+deb9u2
to be marked as done.



-- 
964764: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964764
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This fixes CVE-2020-11736 for stretch. I have confirmed that the update fixes
that bug, and that basic package functionality didn't regress. Debdiff attached,
package already uploaded.

Cheers,
Emilio
diff -Nru file-roller-3.22.3/debian/changelog 
file-roller-3.22.3/debian/changelog
--- file-roller-3.22.3/debian/changelog 2019-09-22 15:10:05.0 +0200
+++ file-roller-3.22.3/debian/changelog 2020-07-09 09:31:47.0 +0200
@@ -1,3 +1,9 @@
+file-roller (3.22.3-1+deb9u2) stretch; urgency=medium
+
+  * CVE-2020-11736 (Closes: #956638)
+
+ -- Emilio Pozuelo Monfort   Thu, 09 Jul 2020 09:31:47 +0200
+
 file-roller (3.22.3-1+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
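Review bot: the changelog entry is just "CVE-2020-11736 (Closes: #956638)" and does not say what the vulnerability is or that it is fixed by refusing symlinks that point outside the extraction directory; the other stretch updates in this batch name the issue (for example atril's "Mitigate command injection attacks by quoting filename"), so a one-line description here would help anyone reading apt-listchanges or the security tracker.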
diff -Nru file-roller-3.22.3/debian/control file-roller-3.22.3/debian/control
--- file-roller-3.22.3/debian/control   2019-09-22 15:07:13.0 +0200
+++ file-roller-3.22.3/debian/control   2020-07-09 09:31:47.0 +0200
@@ -1,12 +1,12 @@
 # This file is autogenerated. DO NOT EDIT!
-# 
+#
 # Modifications should be made to debian/control.in instead.
 # This file is regenerated automatically in the clean target.
 Source: file-roller
 Section: gnome
 Priority: optional
 Maintainer: Debian GNOME Maintainers 

-Uploaders: Andreas Henriksson , Laurent Bigonville 
, Michael Biebl 
+Uploaders: Emilio Pozuelo Monfort , Laurent Bigonville 
, Michael Biebl 
 Build-Depends: debhelper (>= 10),
desktop-file-utils,
gettext,
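Review bot: this hunk changes only Uploaders and strips a trailing space; neither is related to CVE-2020-11736. Since the header states that debian/control is regenerated from debian/control.in in the clean target, the matching control.in change must also be in the upload (it is not in the part of the debdiff shown), otherwise the next build reverts this. For a point-release update it would be cleaner to leave Uploaders alone.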
diff -Nru file-roller-3.22.3/debian/patches/02_CVE-2020-11736.patch 
file-roller-3.22.3/debian/patches/02_CVE-2020-11736.patch
--- file-roller-3.22.3/debian/patches/02_CVE-2020-11736.patch   1970-01-01 
01:00:00.0 +0100
+++ file-roller-3.22.3/debian/patches/02_CVE-2020-11736.patch   2020-07-09 
09:31:47.0 +0200
@@ -0,0 +1,201 @@
+--- a/src/fr-archive-libarchive.c
 b/src/fr-archive-libarchive.c
+@@ -601,6 +601,149 @@ _g_output_stream_add_padding (ExtractDat
+ }
+ 
+ 
++static gboolean
++_symlink_is_external_to_destination (GFile  *file,
++   const char *symlink,
++   GFile  *destination,
++   GHashTable *external_links);
++
++
++static gboolean
++_g_file_is_external_link (GFile  *file,
++GFile  *destination,
++GHashTable *external_links)
++{
++  GFileInfo *info;
++  gboolean   external;
++
++  if (g_hash_table_lookup (external_links, file) != NULL)
++  return TRUE;
++
++  info = g_file_query_info (file,
++G_FILE_ATTRIBUTE_STANDARD_IS_SYMLINK "," 
G_FILE_ATTRIBUTE_STANDARD_SYMLINK_TARGET,
++G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS,
++NULL,
++NULL);
++
++  if (info == NULL)
++  return FALSE;
++
++  external = FALSE;
++
++  if (g_file_info_get_is_symlink (info)) {
++  if (_symlink_is_external_to_destination (file,
++   
g_file_info_get_symlink_target (info),
++   destination,
++   external_links))
++  {
++  g_hash_table_insert (external_links, g_object_ref 
(file), GINT_TO_POINTER (1));
++  external = TRUE;
++  }
++  }
++
++  g_object_unref (info);
++
++  return external;
++}
++
++
++static gboolean
++_symlink_is_external_to_destination (GFile  *file,
++   const char *symlink,
++   GFile  *destination,
++   GHashTable *external_links)
++{
++  gboolean  external = FALSE;
++  GFile*parent;
++  char**components;
++  int   i;
++
++  if ((file == NULL) || (symlink == NULL))
++  return FALSE;
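Review bot: in _g_file_is_external_link(), the branch "if (info == NULL) return FALSE;" treats an entry whose attributes cannot be read as not being an external link, which fails open for a check whose whole purpose is to keep extraction inside the destination; returning TRUE (or propagating the GError) there would fail closed. The hunk is cut off here, so the caller that acts on the result is not visible. Separately, the patch carries no DEP-3 header; add Origin: and Bug-Debian: lines like the atril and glib-networking patches in this batch.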

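The file-roller fix above rejects symlinks whose target resolves outside the extraction directory, including chains through links created earlier in the same archive. The following Python is an added example, not file-roller's code, that performs the same check on a constructed set of archive entries; the entry list, the throwaway destination directory and the helper names are assumptions made here for illustration.

```python
import os
import tempfile

# Constructed sample archive: (member name, kind, symlink target). The
# first link is legitimate; "up", "abs" and "chain1/deep" try to leave
# the destination, and "../escape.txt" is plain path traversal.
SAMPLE_ENTRIES = [
    ("docs/", "dir", None),
    ("docs/readme.txt", "file", None),
    ("docs/link_in", "symlink", "readme.txt"),   # stays inside docs/
    ("up", "symlink", "../"),                     # points at the parent of dest
    ("up/passwd", "file", None),                  # would write through "up" if it existed
    ("abs", "symlink", "/etc"),                   # absolute target outside dest
    ("chain1", "symlink", "docs"),                # harmless on its own...
    ("chain1/deep", "symlink", "../.."),          # ...but this link escapes via the chain
    ("../escape.txt", "file", None),
]


def _inside(destination, path):
    """True if path (after resolving existing symlinks) lies under destination."""
    dest_real = os.path.realpath(destination)
    path_real = os.path.realpath(path)
    return os.path.commonpath([dest_real, path_real]) == dest_real


def path_escapes(destination, name):
    """Classic Zip Slip check: the member name itself must stay under destination.
    realpath() also follows links created earlier, so a write through a
    previously extracted symlink is caught here too."""
    return not _inside(destination, os.path.join(destination, name))


def symlink_escapes(destination, link_path, target):
    """Would a symlink at link_path with this target resolve outside destination?
    The link's parent directory is resolved first, so a chain of links created
    earlier in the extraction cannot be used to step out (the case the
    file-roller patch tracks in its external_links table)."""
    parent_real = os.path.realpath(os.path.dirname(link_path))
    if os.path.isabs(target):
        resolved = os.path.normpath(target)
    else:
        resolved = os.path.normpath(os.path.join(parent_real, target))
    return not _inside(destination, resolved)


def safe_extract(destination, entries):
    """Materialise entries under destination, skipping anything that escapes.
    Returns the member names that were rejected, in archive order."""
    rejected = []
    for name, kind, target in entries:
        clean = name.rstrip("/")
        if path_escapes(destination, clean):
            rejected.append(name)
            continue
        full = os.path.join(destination, clean)
        if kind == "dir":
            os.makedirs(full, exist_ok=True)
        elif kind == "file":
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("constructed sample content\n")
        elif kind == "symlink":
            if symlink_escapes(destination, full, target):
                rejected.append(name)
                continue
            os.makedirs(os.path.dirname(full), exist_ok=True)
            os.symlink(target, full)
    return rejected


def demo():
    """Extract the sample archive into a temporary directory and report rejections."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(dest, SAMPLE_ENTRIES)


if __name__ == "__main__":
    print("rejected:", demo())
```

The order of operations matters: "chain1" is accepted because it points inside the destination, and only the later "chain1/deep" is rejected, because its parent is resolved through the already-created link before the relative target is applied. A check that looked at each member in isolation would miss that case.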
Bug#964809: marked as done (stretch-pu: package batik/1.8-4+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964809,
regarding stretch-pu: package batik/1.8-4+deb9u1
to be marked as done.



-- 
964809: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964809
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This update addresses CVE-2019-17566. Since there may be legitimate uses
for SVG files with external resources, the upstream fix is to add an
option that disables those. I have verified that those are fetched without
the option and that with it, they are blocked.

debdiff attached, package uploaded.

Thanks,
Emilio
diff -Nru batik-1.8/debian/changelog batik-1.8/debian/changelog
--- batik-1.8/debian/changelog  2018-05-30 18:59:04.0 +0200
+++ batik-1.8/debian/changelog  2020-07-10 19:30:17.0 +0200
@@ -1,3 +1,11 @@
+batik (1.8-4+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2019-17566: Server-side request forgery via xlink:href attributes.
+(Closes: #964510)
+
+ -- Emilio Pozuelo Monfort   Fri, 10 Jul 2020 19:30:17 +0200
+
 batik (1.8-4+deb9u1) stretch-security; urgency=high
 
   * Team upload.
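Review bot: the request title names batik/1.8-4+deb9u1, which is the version already in stretch, while this entry is 1.8-4+deb9u2; the BTS title should carry the version being uploaded. The entry also says "Server-side request forgery via xlink:href attributes" but not that the fix is opt-in (the new -blockExternalResources option, off by default), which is the detail an administrator needs.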
diff -Nru batik-1.8/debian/patches/CVE-2019-17566.patch 
batik-1.8/debian/patches/CVE-2019-17566.patch
--- batik-1.8/debian/patches/CVE-2019-17566.patch   1970-01-01 
01:00:00.0 +0100
+++ batik-1.8/debian/patches/CVE-2019-17566.patch   2020-07-10 
18:25:27.0 +0200
@@ -0,0 +1,98 @@
+--- a/sources/org/apache/batik/apps/rasterizer/Main.java
 b/sources/org/apache/batik/apps/rasterizer/Main.java
+@@ -502,6 +502,12 @@ public class Main implements SVGConverte
+ public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
+ = Messages.get("Main.cl.option.constrain.script.origin.description", 
"No description");
+ 
++public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
++= Messages.get("Main.cl.option.block.external.resources", 
"-blockExternalResources");
++
++public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
++= 
Messages.get("Main.cl.option.block.external.resources.description", "No 
description");
++
+ /**
+  * Option to turn off secure execution of scripts
+  */
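Review bot: both new strings are looked up with Messages.get(key, default), and no change to the Messages resource bundle is in the debdiff; without it the option name falls back to "-blockExternalResources" (fine) but its help text falls back to "No description", so -help will list the option without saying what it does. Add the two bundle entries, or make the default description meaningful.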
+@@ -830,6 +836,17 @@ public class Main implements SVGConverte
+   return CL_OPTION_SECURITY_OFF_DESCRIPTION;
+   }
+   });
++
++optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
++new NoValueOptionHandler(){
++public void handleOption(SVGConverter c){
++c.allowExternalResources = false;
++}
++
++public String getOptionDescription(){
++return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
++}
++});
+ }
+ 
+ /**
+--- a/sources/org/apache/batik/apps/rasterizer/SVGConverter.java
 b/sources/org/apache/batik/apps/rasterizer/SVGConverter.java
+@@ -253,6 +253,8 @@ public class SVGConverter {
+ the document which references them. */
+ protected boolean constrainScriptOrigin = true;
+ 
++protected boolean allowExternalResources = true;
++
+ /** Controls whether scripts should be run securely or not */
+ protected boolean securityOff = false;
+ 
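Review bot: allowExternalResources defaults to true, so after this update the rasterizer still fetches xlink:href targets unless the caller passes -blockExternalResources; the vulnerable behaviour stays the default. That matches the upstream approach described in the request, but it needs to be stated in the changelog or a NEWS entry, and a comment on the field like the one above constrainScriptOrigin would help.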
+@@ -925,6 +927,10 @@ public class SVGConverter {
+ map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, 
Boolean.FALSE);
+ }
+ 
++if (!allowExternalResources) {
++map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, 
Boolean.FALSE);
++}
++
+ return map;
+ }
+ 
+--- a/sources/org/apache/batik/transcoder/SVGAbstractTranscoder.java
 b/sources/org/apache/batik/transcoder/SVGAbstractTranscoder.java
+@@ -33,8 +33,10 @@ import org.apache.batik.bridge.BaseScrip
+ import org.apache.batik.bridge.BridgeContext;
+ import org.apache.batik.bridge.BridgeException;
+ import org.apache.batik.bridge.DefaultScriptSecurity;
++import org.apache.batik.bridge.ExternalResourceSecurity;
+ import org.apache.batik.bridge.GVTBuilder;
+ import org.apache.batik.bridge.NoLoadScriptSecurity;
++import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
+ import org.apache.batik.bridge.RelaxedScriptSecurity;
+ import org.apache.batik.bridge.SVG

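The batik update makes fetching of xlink:href targets optional at the rasterizer level. As an added example, not batik's code, the following Python scans an SVG document for href and xlink:href attributes, classifies each reference as fragment, inline data URI or external resource, and can strip the external ones before the file reaches a renderer; the sample SVG, the hostnames in it and the function names are constructed for this illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
XLINK_HREF = "{%s}href" % XLINK_NS
HREF_ATTRS = (XLINK_HREF, "href")      # SVG 1.1 xlink:href and SVG 2 plain href
INLINE_SCHEMES = {"data"}              # content embedded in the document itself

ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Constructed sample document; the hostnames and paths are made up.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="16" height="16">
  <defs><circle id="dot" r="2"/></defs>
  <use xlink:href="#dot"/>
  <image width="1" height="1"
         xlink:href="data:image/gif;base64,R0lGODlhAQABAAAAACwAAAAAAQABAAA="/>
  <image width="1" height="1" xlink:href="http://intranet.example/reports/secret.png"/>
  <image width="1" height="1" href="file:///etc/hostname"/>
  <image width="1" height="1" xlink:href="logo.png"/>
</svg>"""


def classify(ref):
    """'fragment' for #id references, 'inline' for data: URIs, otherwise
    'external': http(s), file, ftp, jar, or a bare relative path that the
    renderer would resolve against the document base and read from disk."""
    if ref.startswith("#"):
        return "fragment"
    if urlparse(ref).scheme.lower() in INLINE_SCHEMES:
        return "inline"
    return "external"


def _local_name(tag):
    return tag.rsplit("}", 1)[-1]


def _external_attrs(root):
    for el in root.iter():
        for attr in HREF_ATTRS:
            ref = el.get(attr)
            if ref is not None and classify(ref) == "external":
                yield el, attr, ref


def find_external_references(svg_text):
    """List (element name, reference) for every external resource the SVG would load."""
    root = ET.fromstring(svg_text)   # expat does not fetch external entities by default
    return [(_local_name(el.tag), ref) for el, _attr, ref in _external_attrs(root)]


def strip_external_references(svg_text):
    """Return (sanitised SVG text, number of references removed). Dropping the
    attribute leaves an empty image/use rather than rejecting the whole file,
    which is the same trade-off batik's option makes: render what is safe."""
    root = ET.fromstring(svg_text)
    hits = list(_external_attrs(root))
    for el, attr, _ref in hits:
        del el.attrib[attr]
    return ET.tostring(root, encoding="unicode"), len(hits)


if __name__ == "__main__":
    for element, ref in find_external_references(SAMPLE_SVG):
        print("external resource: <%s> -> %s" % (element, ref))
```

A bare relative reference such as logo.png is deliberately counted as external: for a server-side rasterizer it is a file read relative to the document location, which is the same class of problem as the http and file URLs.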
Bug#964777: marked as done (stretch-pu: package atril/1.16.1-2+deb9u2)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964777,
regarding stretch-pu: package atril/1.16.1-2+deb9u2
to be marked as done.



-- 
964777: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964777
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This fixes three CVEs in atril, two of them fixed in buster via spu (#946819)
with the other one not affecting the version in buster.

Tested on a stretch VM. debdiff attached and package uploaded.

Thanks,
Emilio
diff -Nru atril-1.16.1/debian/changelog atril-1.16.1/debian/changelog
--- atril-1.16.1/debian/changelog   2017-07-21 06:59:09.0 +0200
+++ atril-1.16.1/debian/changelog   2020-07-10 12:35:24.0 +0200
@@ -1,3 +1,13 @@
+atril (1.16.1-2+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * dvi: Mitigate command injection attacks by quoting filename
+(CVE-2017-1000159)
+  * Fix overflow checks in tiff backend (CVE-2019-1010006)
+  * tiff: Handle failure from TIFFReadRGBAImageOriented (CVE-2019-11459)
+
+ -- Emilio Pozuelo Monfort   Fri, 10 Jul 2020 12:35:24 +0200
+
 atril (1.16.1-2+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload
diff -Nru 
atril-1.16.1/debian/patches/03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
 
atril-1.16.1/debian/patches/03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
--- 
atril-1.16.1/debian/patches/03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
   1970-01-01 01:00:00.0 +0100
+++ 
atril-1.16.1/debian/patches/03_dvi-Mitigate-command-injection-attacks-by-quoting-fi.patch
   2020-07-10 12:18:10.0 +0200
@@ -0,0 +1,43 @@
+From: Tobias Mueller 
+Date: Fri, 14 Jul 2017 12:52:14 +0200
+Subject: dvi: Mitigate command injection attacks by quoting filename
+Origin: 
https://gitlab.gnome.org/GNOME/evince/commit/350404c76dc8601e2cdd2636490e2afc83d3090e
+Bug-Debian-Security: 
https://security-tracker.debian.org/tracker/CVE-2017-1000159
+
+With commit 1fcca0b8041de0d6074d7e17fba174da36c65f99 came a DVI backend.
+It exports to PDF via the dvipdfm tool.
+It calls that tool with the filename of the currently loaded document.
+If that filename is cleverly crafted, it can escape the currently
+used manual quoting of the filename.  Instead of manually quoting the
+filename, we use g_shell_quote.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784947
+---
+ backend/dvi/dvi-document.c | 8 +---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/backend/dvi/dvi-document.c b/backend/dvi/dvi-document.c
+index 4a896e215273..28877700880f 100644
+--- a/backend/dvi/dvi-document.c
 b/backend/dvi/dvi-document.c
+@@ -300,12 +300,14 @@ dvi_document_file_exporter_end (EvFileExporter *exporter)
+   gboolean success;
+   
+   DviDocument *dvi_document = DVI_DOCUMENT(exporter);
++  gchar* quoted_filename = g_shell_quote 
(dvi_document->context->filename);
+   
+-  command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm 
-s 1,2,.., -o exporter_filename dvi_filename */
++  command_line = g_strdup_printf ("dvipdfm %s -o %s %s", /* dvipdfm -s 
1,2,.., -o exporter_filename dvi_filename */
+   dvi_document->exporter_opts->str,
+   dvi_document->exporter_filename,
+-  dvi_document->context->filename);
+-  
++  quoted_filename);
++  g_free (quoted_filename);
++
+   success = g_spawn_command_line_sync (command_line,
+NULL,
+NULL,
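Review bot: only dvi_document->context->filename is now passed through g_shell_quote(); exporter_opts->str and exporter_filename are still interpolated raw into the format string, and g_spawn_command_line_sync() splits that line with shell-style quoting rules, so an exporter filename containing a space or a quote still breaks the command (and whoever controls it can still inject extra dvipdfm arguments). Quote exporter_filename the same way, or better, drop the command-line string and call g_spawn_sync() with an argv array so no quoting is needed at all.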
+-- 
+2.25.0
+
diff -Nru 
atril-1.16.1/debian/patches/04_Fix-overflow-checks-in-tiff-backend.patch 
atril-1.16.1/debian/patches/04_Fix-overflow-checks-in-tiff-backend.patch
--- atril-1.16.1/debian/patches/04_Fix-overflow-checks-in-tiff-backend.patch
1970-01-01 01:00:00.0 +0100
+++ atril-1.16.1/debian/patches/04_Fix-overflow-checks-in-tiff-backend.patch
2020-07-10 12:18:10.0 +0200
@@ -0,0 +1,57 @@
+From: Jason Crain 
+Date: Sat, 2 Dec 2017 20:24:33 -0600
+Subject: [1/2] Fix overflow checks in tiff backend
+Origin: 
https://gitlab.gnome.org/GNOME/evince/commit/e02fe9170ad0ac2fd46c75329c4f1d4502d4a362
+Bug-Debian-Security: 
http

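The dvi hunk above replaces hand-written "%s" quoting with g_shell_quote() before the command line is handed to g_spawn_command_line_sync(). The Python below, added here as an illustration and not atril's code, builds the same dvipdfm command line three ways and splits the result with shlex (POSIX shell quoting rules, comparable to the word splitting GLib applies to a command-line string) so the argument injection becomes visible; the crafted filename and the option strings are constructed for this example.

```python
import shlex

# Constructed attacker-controlled DVI filename: the embedded double quotes
# close the manual "%s" quoting, smuggle a second -o option into dvipdfm
# (so the PDF is written wherever the attacker chooses) and reopen a quote
# so the line still parses.
EVIL_DVI_NAME = 'doc.dvi" -o /tmp/owned.pdf "x'


def argv_from_vulnerable(exporter_opts, exporter_filename, dvi_filename):
    """Pre-fix pattern: dvipdfm %s -o %s \"%s\". A double quote in the DVI
    filename terminates the quoting early; the extra words become real
    arguments when the line is split."""
    line = 'dvipdfm %s -o %s "%s"' % (exporter_opts, exporter_filename, dvi_filename)
    return shlex.split(line)


def argv_from_quoted(exporter_opts, exporter_filename, dvi_filename):
    """Post-fix pattern: both filenames go through shlex.quote (the Python
    counterpart of g_shell_quote), so each survives as exactly one word.
    The hunk only quotes the DVI filename; exporter_filename is quoted here too."""
    line = "dvipdfm %s -o %s %s" % (
        exporter_opts, shlex.quote(exporter_filename), shlex.quote(dvi_filename))
    return shlex.split(line)


def argv_direct(exporter_opts, exporter_filename, dvi_filename):
    """The shape that needs no quoting at all: build the argv list and hand it
    to a spawn API that takes a vector (g_spawn_sync, subprocess.run with a
    list). Only the option string, which the program itself generates, is
    ever split."""
    return ["dvipdfm", *shlex.split(exporter_opts), "-o", exporter_filename, dvi_filename]


def injected_outputs(argv):
    """Every -o target in an argument vector; more than one means injection."""
    return [argv[i + 1] for i, word in enumerate(argv) if word == "-o" and i + 1 < len(argv)]


if __name__ == "__main__":
    for builder in (argv_from_vulnerable, argv_from_quoted, argv_direct):
        argv = builder("-s 1,2", "out.pdf", EVIL_DVI_NAME)
        print("%-22s -> %s" % (builder.__name__, argv))
        print("%-22s    -o targets: %s" % ("", injected_outputs(argv)))
```

Because the GLib call parses the string itself rather than handing it to /bin/sh, the payload here is argument injection into dvipdfm rather than a second shell command, but the effect (an attacker choosing where the exported file lands, or which of dvipdfm's options are set) is the same class of problem, and the argv form removes it entirely.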
Bug#964727: marked as done (stretch-pu: package jackson-databind/2.8.6-1+deb9u6)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964727,
regarding stretch-pu: package jackson-databind/2.8.6-1+deb9u6
to be marked as done.



-- 
964727: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964727
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I would like to update jackson-databind in Stretch. It is currently
affected by 20 CVE which are deemed as no-dsa by the security team.
I have added a patch that extends the blacklist to block more classes
from polymorphic deserialization.

Regards,

Markus
diff -Nru jackson-databind-2.8.6/debian/changelog 
jackson-databind-2.8.6/debian/changelog
--- jackson-databind-2.8.6/debian/changelog 2019-10-05 19:21:48.0 
+0200
+++ jackson-databind-2.8.6/debian/changelog 2020-07-09 16:42:01.0 
+0200
@@ -1,3 +1,16 @@
+jackson-databind (2.8.6-1+deb9u7) stretch; urgency=medium
+
+  * Add multiple-CVE-BeanDeserializerFactory.patch and block more classes from
+polymorphic deserialization.
+This fixes 20 CVE that currently affect the package namely,
+CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195,
+CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620,
+CVE-2020-11619, CVE-2020-3, CVE-2020-2, CVE-2020-1,
+CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672,
+CVE-2019-20330, CVE-2019-17531 and CVE-2019-17267.
+
+ -- Markus Koschany   Thu, 09 Jul 2020 16:42:01 +0200
+
 jackson-databind (2.8.6-1+deb9u6) stretch-security; urgency=high
 
   * Fix CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439,
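Review bot: the list contains "CVE-2020-3, CVE-2020-2, CVE-2020-1", which are not valid CVE identifiers; check the changelog (and the patch header below, which repeats them) for truncated IDs before upload, since the security tracker keys on these strings. The request title also says 2.8.6-1+deb9u6 while this entry is 2.8.6-1+deb9u7.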
diff -Nru 
jackson-databind-2.8.6/debian/patches/multiple-CVE-BeanDeserializerFactory.patch
 
jackson-databind-2.8.6/debian/patches/multiple-CVE-BeanDeserializerFactory.patch
--- 
jackson-databind-2.8.6/debian/patches/multiple-CVE-BeanDeserializerFactory.patch
1970-01-01 01:00:00.0 +0100
+++ 
jackson-databind-2.8.6/debian/patches/multiple-CVE-BeanDeserializerFactory.patch
2020-07-09 16:42:01.0 +0200
@@ -0,0 +1,189 @@
+From: Markus Koschany 
+Date: Thu, 9 Jul 2020 16:39:09 +0200
+Subject: multiple CVE BeanDeserializerFactory
+
+This is the fix for
+CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195,
+CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620, CVE-2020-11619,
+CVE-2020-3, CVE-2020-2, CVE-2020-1, CVE-2020-10969, CVE-2020-10968,
+CVE-2020-10673, CVE-2020-10672, CVE-2019-20330, CVE-2019-17531 and
+CVE-2019-17267.
+---
+ .../databind/deser/BeanDeserializerFactory.java| 109 ++---
+ 1 file changed, 96 insertions(+), 13 deletions(-)
+
+diff --git 
a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
 
b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 77d426c..a594f08 100644
+--- 
a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
 
b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -54,6 +54,7 @@ public class BeanDeserializerFactory
+ Set s = new HashSet<>();
+ // Courtesy of [https://github.com/kantega/notsoserial]:
+ // (and wrt [databind#1599])
++
+ s.add("org.apache.commons.collections.functors.InvokerTransformer");
+ 
s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+ s.add("org.apache.commons.collections4.functors.InvokerTransformer");
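Review bot: whitespace-only hunk: the single change here is a blank line after the comment; drop it so the patch carries only the blocklist additions.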
+@@ -69,10 +70,14 @@ public class BeanDeserializerFactory
+ s.add("java.util.logging.FileHandler");
+ s.add("java.rmi.server.UnicastRemoteObject");
+ // [databind#1737]; 3rd party
+-
s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
++//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
 // deprecated by [databind#1855]
+ 
s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+-//s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // 
deprecated by [databind#1931]
+-//s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - 
"" -
++// [databind#2680]
++s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
++
s.add("org.springframework.beans.f
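Review bot: commenting out org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor removes an entry from the blocklist in a change whose stated purpose is to block more classes; the trailing "deprecated by [databind#1855]" remark suggests upstream replaced it with a broader entry, but the rest of the hunk is cut off here, so confirm that the class is still covered (for example by a later s.add of a superclass) before shipping, since dropping a gadget from a denylist silently widens what polymorphic deserialization will instantiate.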

Bug#964861: marked as done (stretch-pu: package glib-networking/2.50.0-1+deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964861,
regarding stretch-pu: package glib-networking/2.50.0-1+deb9u1
to be marked as done.



-- 
964861: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964861
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This fixes CVE-2020-13645 for stretch. balsa in stretch doesn't
use GIO for connecting to the servers or validating the certificates,
so we don't need any further changes here.

Thanks,
Emilio
diff -Nru glib-networking-2.50.0/debian/changelog 
glib-networking-2.50.0/debian/changelog
--- glib-networking-2.50.0/debian/changelog 2016-09-19 21:01:51.0 
+0200
+++ glib-networking-2.50.0/debian/changelog 2020-07-07 16:57:37.0 
+0200
@@ -1,3 +1,11 @@
+glib-networking (2.50.0-1+deb9u1) stretch; urgency=medium
+
+  * Team upload
+  * d/p/Return-bad-identity-error-if-identity-is-unset.patch:
+Backport fix for CVE-2020-13645 from upstream (Closes: #961756)
+
+ -- Emilio Pozuelo Monfort   Tue, 07 Jul 2020 16:57:37 +0200
+
 glib-networking (2.50.0-1) unstable; urgency=medium
 
   * New upstream release.
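Review bot: the changelog names d/p/Return-bad-identity-error-if-identity-is-unset.patch, but the file added in the next hunk is debian/patches/CVE-2020-13645.patch; make the two agree so the entry can be matched against the patch directory.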
diff -Nru glib-networking-2.50.0/debian/patches/CVE-2020-13645.patch 
glib-networking-2.50.0/debian/patches/CVE-2020-13645.patch
--- glib-networking-2.50.0/debian/patches/CVE-2020-13645.patch  1970-01-01 
01:00:00.0 +0100
+++ glib-networking-2.50.0/debian/patches/CVE-2020-13645.patch  2020-07-07 
16:56:41.0 +0200
@@ -0,0 +1,139 @@
+Backported from upstream patch:
+From 29513946809590c4912550f6f8620468f9836d94 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro 
+Date: Mon, 4 May 2020 17:47:28 -0500
+Subject: [PATCH] Return bad identity error if identity is unset
+
+When the server-identity property of GTlsClientConnection is unset, the
+documentation sasy we need to fail the certificate verification with
+G_TLS_CERTIFICATE_BAD_IDENTITY. This is important because otherwise,
+it's easy for applications to fail to specify server identity.
+
+Unfortunately, we did not correctly implement the intended, documented
+behavior. When server identity is missing, we check the validity of the
+TLS certificate, but do not check if it corresponds to the expected
+server (since we have no expected server). Then we assume the identity
+is good, instead of returning bad identity, as documented. This means,
+for example, that evil.com can present a valid certificate issued to
+evil.com, and we would happily accept it for paypal.com.
+
+Fixes #135
+---
+ tls/gnutls/gtlsconnection-gnutls.c | 20 +-
+ tls/tests/connection.c | 70 ++
+ 2 files changed, 81 insertions(+), 9 deletions(-)
+
+--- a/tls/gnutls/gtlsconnection-gnutls.c
 b/tls/gnutls/gtlsconnection-gnutls.c
+@@ -1174,18 +1174,18 @@ verify_peer_certificate (GTlsConnectionG
+GTlsCertificate  *peer_certificate)
+ {
+   GTlsConnection *conn = G_TLS_CONNECTION (gnutls);
+-  GSocketConnectable *peer_identity;
++  GSocketConnectable *peer_identity = NULL;
+   GTlsDatabase *database;
+-  GTlsCertificateFlags errors;
++  GTlsCertificateFlags errors = 0;
+   gboolean is_client;
+ 
+   is_client = G_IS_TLS_CLIENT_CONNECTION (gnutls);
+   if (is_client)
+-peer_identity = g_tls_client_connection_get_server_identity 
(G_TLS_CLIENT_CONNECTION (gnutls));
+-  else
+-peer_identity = NULL;
+-
+-  errors = 0;
++{
++  peer_identity = g_tls_client_connection_get_server_identity 
(G_TLS_CLIENT_CONNECTION (gnutls));
++  if (!peer_identity)
++errors |= G_TLS_CERTIFICATE_BAD_IDENTITY;
++}
+ 
+   database = g_tls_connection_get_database (conn);
+   if (database == NULL)
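Review bot: with errors pre-set to G_TLS_CERTIFICATE_BAD_IDENTITY when the client has no server identity, every later step in verify_peer_certificate() has to OR into errors rather than assign to it, otherwise the flag is lost; the lines that follow this hunk (database lookup and the actual verification call) are not shown, so check them. A short comment that the server side deliberately keeps peer_identity NULL without raising the flag would also stop someone "fixing" that asymmetry later.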
+--- a/tls/tests/connection.c
 b/tls/tests/connection.c
+@@ -1964,6 +1964,74 @@ test_output_stream_close (TestConnection
+   g_assert (ret);
+ }
+ 
++static void
++test_connection_missing_server_identity (TestConnection *test,
++ gconstpointer   data)
++{
++  GIOStream *connection;
++  GError *error = NULL;
++
++  test->database = g_tls_file_database_new (tls_test_file_path 
("ca-roots.pem"), &error);
++  g_assert_no_error (error);
++  g_assert_nonnull (test->database);
++
++  /* We pass NULL instead of test->identity when creating the client
++   * connection. This means verification must fail with
++   * G_TLS_CERT

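The upstream commit quoted above fixes the case where the server identity was never set and verification passed anyway. The Python below is an added example, not glib-networking's code: a small certificate-identity check with a flags type modelled on the GTlsCertificateFlags idea, shown in the pre-fix and post-fix form so the failure mode is reproducible on constructed inputs; the certificate name lists, the flag values and the function names are assumptions of this example.

```python
import enum


class CertFlags(enum.IntFlag):
    """Subset of the GTlsCertificateFlags idea: zero means 'no problem found'."""
    NONE = 0
    UNKNOWN_CA = 1
    BAD_IDENTITY = 2
    EXPIRED = 4


def hostname_matches(pattern, host):
    """RFC 6125 style matching: exact match, or one wildcard that replaces the
    whole leftmost label only (no '*.com', no 'a*b.example', no match across dots)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]               # '.example.com'
    if "*" in suffix or suffix.count(".") < 2:
        return False                   # wildcard must sit below a registrable domain
    if not host.endswith(suffix) or len(host) <= len(suffix):
        return False
    return "." not in host[: -len(suffix)]


def verify_peer_before_fix(cert_names, expected_identity, chain_trusted=True):
    """The buggy behaviour described in the commit message: with no expected
    identity there is nothing to compare against, so the check 'passes'."""
    errors = CertFlags.NONE
    if not chain_trusted:
        errors |= CertFlags.UNKNOWN_CA
    if expected_identity is not None:
        if not any(hostname_matches(n, expected_identity) for n in cert_names):
            errors |= CertFlags.BAD_IDENTITY
    return errors


def verify_peer(cert_names, expected_identity, chain_trusted=True):
    """Post-fix behaviour: a missing identity is itself BAD_IDENTITY, so a
    caller that forgot to set it cannot silently accept any valid certificate."""
    errors = CertFlags.NONE
    if not chain_trusted:
        errors |= CertFlags.UNKNOWN_CA
    if expected_identity is None:
        errors |= CertFlags.BAD_IDENTITY
    elif not any(hostname_matches(n, expected_identity) for n in cert_names):
        errors |= CertFlags.BAD_IDENTITY
    return errors


def accept_connection(errors, tolerated=CertFlags.NONE):
    """Final decision: every flag not explicitly tolerated is fatal."""
    return (int(errors) & ~int(tolerated)) == 0


if __name__ == "__main__":
    # Constructed scenario from the commit message: a valid certificate for
    # evil.com presented while the application meant to talk to paypal.com
    # but never set the server identity.
    evil = ["evil.com", "www.evil.com"]
    print("before fix, identity unset:", accept_connection(verify_peer_before_fix(evil, None)))
    print("after fix,  identity unset:", accept_connection(verify_peer(evil, None)))
    print("after fix,  identity set:  ", accept_connection(verify_peer(evil, "paypal.com")))
```

The point of returning a flag rather than raising is the same as in GLib: an application that knowingly talks to a host by IP or through a pinned certificate can still tolerate BAD_IDENTITY in its accept-certificate handler, but it now has to do so explicitly instead of getting that behaviour by omission.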
Bug#964813: marked as done (stretch-pu: package debian-security-support/2020.06.21~deb9u1)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 

and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964813,
regarding stretch-pu: package debian-security-support/2020.06.21~deb9u1
to be marked as done.



-- 
964813: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964813
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

hi,

I'd like to update debian-security-support in stretch to 2020.06.21~deb9u1
with the following changes to document the state of security support today:

$ debdiff debian-security-support_2019.12.12~deb9u2.dsc 
debian-security-support_2020.06.21~deb9u1.dsc | diffstat
 debian/changelog |   38 ++
 security-support-ended.deb10 |1 +
 security-support-ended.deb8  |   16 
 security-support-ended.deb9  |8 +++-
 security-support-limited |3 ++-
 5 files changed, 64 insertions(+), 2 deletions(-)

$ debdiff debian-security-support_2019.12.12~deb9u2.dsc 
debian-security-support_2020.06.21~deb9u1.dsc 
dpkg-source: Warnung: unsigniertes Quellpaket wird extrahiert 
(/home/user/Projects/debian-security-support/debian-security-support_2020.06.21~deb9u1.dsc)
diff -Nru debian-security-support-2019.12.12~deb9u2/debian/changelog 
debian-security-support-2020.06.21~deb9u1/debian/changelog
--- debian-security-support-2019.12.12~deb9u2/debian/changelog  2020-01-30 
22:04:07.0 +0100
+++ debian-security-support-2020.06.21~deb9u1/debian/changelog  2020-07-10 
19:58:12.0 +0200
@@ -1,3 +1,41 @@
+debian-security-support (2020.06.21~deb9u1) stretch; urgency=medium
+
+  * This update for stretch only contains changes to the files
+security-support-limited and security-support-ended.deb(8|9|10) from
+version 2020.06.21 from unstable, the changes in detail are:
+- from 2020.06.21:
+  * Add cinder (OpenStack component) to security-support-ended.deb8.
+- from 2020.06.11:
+  * Also add unbound to security-support-ended.deb8 - see DSA 4694-1
+and https://lists.debian.org/debian-lts/2020/06/msg00024.html and
+follow-ups.
+- from 2020.06.09:
+  * Add unbound to security-support-ended.deb9 (see DSA 4694-1).
+- from 2020.05.22:
+  * Add pdns-recursor to security-support-ended.deb9 as explained in
+DSA-4691-1.
+- from 2020.05.08:
+  * Mark OpenStack packages as being unsupported in LTS; "jessie lost 
support
+from upstream just a few weeks after the release."
+- from 2020.04.16:
+  * Add tor to security-support-ended.deb8 as well, see DSA 4644-1.
+  * Add libperlspeak-perl to security-support-ended.deb(8|9|10), because of
+CVE-2020-10674 (#954238), also see #954297, #954298 and #954299.
+- from 2020.03.22:
+  * Add tor to security-support-ended.deb9, see DSA 4644-1.
+- from 2020.03.15:
+  * security-support-limited/zoneminder: declare limited support behind an
+authenticated HTTP zone (see #922724).
+- from 2020.03.05:
+  * Add xen to security-support-ended.deb8.
+- from 2020.02.21:
+  * Add nodejs to security-support-ended.deb8 and .deb9.
+- from 2020.01.21:
+  * Add nethack to security-support-ended.deb8.
+  * Mark xen as end-of-life for Stretch (DSA 4602-1).
+
+ -- Holger Levsen   Fri, 10 Jul 2020 19:58:12 +0200
+
 debian-security-support (2019.12.12~deb9u2) stretch-security; urgency=medium
 
   * Rebuild for stretch-security.
diff -Nru 
debian-security-support-2019.12.12~deb9u2/security-support-ended.deb10 
debian-security-support-2020.06.21~deb9u1/security-support-ended.deb10
--- debian-security-support-2019.12.12~deb9u2/security-support-ended.deb10  
2020-01-30 20:57:55.0 +0100
+++ debian-security-support-2020.06.21~deb9u1/security-support-ended.deb10  
2020-07-10 19:46:36.0 +0200
@@ -11,3 +11,4 @@
 #In the program's output, this is prefixed with "Details:"
 
 # none yet (please remove this line once this is not true anymore)
+libperlspeak-perl2.01-2  2020-04-16  
https://bugs.debian.org/954238 (CVE-2020-10674) and 
https://bugs.debian.org/954297 and 954298
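Review bot: this hunk adds the first real entry to security-support-ended.deb10 but leaves the `# none yet (please remove this line once this is not true anymore)` line in place directly above it, which the line itself asks to be removed once an entry exists; drop it in the same hunk. The new entry cites https://bugs.debian.org/954238 (CVE-2020-10674), 954297 and 954298, while the changelog entry for the same change also lists #954299; adding 954299 here would keep the two consistent.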
diff -Nru debian-security-support-2019.12.12~deb9u2/security-support-ended.deb8 
debian-security-support-2020.06.21~deb9u1/security-support-ended.deb8
--- debian-security-support-2019.12.12~deb9u2/security-support-ended.deb8   
2020-01-3

Re: Arch qualification for buster: call for DSA, Security, toolchain concerns

2020-07-18 Thread Philipp Kern
Hey,

On 08.07.20 21:21, Paul Gevers wrote:
> As part of the interim architecture qualification for bullseye, we
> request that DSA, the security team, Wanna build, and the toolchain
> maintainers review and update their list of known concerns for bullseye
> release architectures.

I'd also suggest to do a roll call of porters and have them reconfirm
their involvement and what is expected from them. I don't think any such
thing happened in years now.

Kind regards
Philipp Kern





Re: Optional Build-Depends

2020-07-18 Thread Johannes Schauer
Quoting Adrian Bunk (2020-07-18 10:36:11)
> On Thu, Jul 16, 2020 at 07:27:52PM +0200, Julian Andres Klode wrote:
> >...
> > We have come up with a syntax, one goal being to break parsers and not
> > silently ignore optional deps:
> > 
> >   Build-Depends: foo? (>= 1) | baz
> 
> Any suggestion has to equally cover runtime dependencies,
> the same situation is common there.
>
> [...]
> > 1. You can start optionally build-depending on stuff available only on some
> >architectures, without having to use arch restriction lists.
> > 
> >   Arch restriction lists are tedious, especially also because in
> >   the case of libraries, they need to be recursively applied:
> >
> > libfoo is only available on bar
> > libbaz depends on libfoo
> >
> >   results in build-depends: libbaz [bar]
> >
> >   With optional build-depends, you can just write libbaz? and
> >   not have to update the dep each time libfoo appears on a new
> >   arch. (apply argument to longer recursive chains)
> >...
> 
> It was never necessary to use arch restriction lists for that.
> 
> When several reverse dependencies are affected, the correct solution
> for this problem is one package (or Provides) foobaz that selects the package
> for an architecture.

plus, that solution would also cover runtime dependencies.

I do not yet see sufficient evidence that we really need a new syntax element
and adjust all the tools involved with parsing Build-Depends. Last time I did
that for introducing the build-profile syntax and it wasn't fun at all. See the
list of software that needed to be changed here:

https://wiki.debian.org/BuildProfileSpec

I think you should have a really strong reason before making changes to the
syntax. Is there something that cannot be covered by existing mechanisms?

Thanks!

cheers, josch



NEW changes in oldstable-new

2020-07-18 Thread Debian FTP Masters
Processing changes file: heartbleeder_0.1.1-5+b3_ppc64el.changes
  ACCEPT



Re: stretch EOL point release (9.13) and 10.5 planning

2020-07-18 Thread Adam D. Barratt
On Sun, 2020-07-12 at 15:35 +0100, Adam D. Barratt wrote:
> Hi Steve,
> 
> On Sun, 2020-07-12 at 12:46 +0100, Steve McIntyre wrote:
> > Argh, massive apologies...
> > 
> > On Thu, Jun 25, 2020 at 10:38:14AM +0200, Laura Arjona Reina wrote:
> > > El 15/6/20 a las 18:44, Adam D. Barratt escribió:
> > > > - July 18/19
> > 
> > Massive apologies for dropping a spanner in the works, but
> > something major has come up. I won't be able to do *all* of that
> > weekend after all. As Stretch EOL is already a thing, can I suggest
> > that we keep that to plan and push back the Buster 10.5 release a
> > little?
> > 
> > Sorry. :-/
> 
> Thanks for letting us know. :-(
> 
> I'll drop a note to the lists, and we can look at getting a new date
> organised.

Now that stretch EoL is (more or less) out of the way, it would be good
to get 10.5 done as soon as we sensibly can, so as not to slip too far
off schedule.

Next weekend is probably a little too soon - I'd at least like to not
jump straight back into freezing - but how about one of:

- August 1st/2nd
- August 8th/9th

Regards,

Adam



Re: stretch EOL point release (9.13) and 10.5 planning

2020-07-18 Thread Cyril Brulebois
Adam D. Barratt  (2020-07-18):
> Now that stretch EoL is (more or less) out of the way, it would be good
> to get 10.5 done as soon as we sensibly can, so as not to slip too far
> off schedule.
> 
> Next weekend is probably a little too soon - I'd at least like to not
> jump straight back into freezing - but how about one of:
> 
> - August 1st/2nd
> - August 8th/9th

Both should work equally for me regarding the installer.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Re: stretch EOL point release (9.13) and 10.5 planning

2020-07-18 Thread Steve McIntyre
On Sat, Jul 18, 2020 at 10:12:41PM +0100, Adam Barratt wrote:
>On Sun, 2020-07-12 at 15:35 +0100, Adam D. Barratt wrote:
>> Hi Steve,
>> 
>> On Sun, 2020-07-12 at 12:46 +0100, Steve McIntyre wrote:
>> > Argh, massive apologies...
>> > 
>> > On Thu, Jun 25, 2020 at 10:38:14AM +0200, Laura Arjona Reina wrote:
>> > > El 15/6/20 a las 18:44, Adam D. Barratt escribió:
>> > > > - July 18/19
>> > 
>> > Massive apologies for dropping a spanner in the works, but
>> > something major has come up. I won't be able to do *all* of that
>> > weekend after all. As Stretch EOL is already a thing, can I suggest
>> > that we keep that to plan and push back the Buster 10.5 release a
>> > little?
>> > 
>> > Sorry. :-/
>> 
>> Thanks for letting us know. :-(
>> 
>> I'll drop a note to the lists, and we can look at getting a new date
>> organised.
>
>Now that stretch EoL is (more or less) out of the way, it would be good
>to get 10.5 done as soon as we sensibly can, so as not to slip too far
>off schedule.
>
>Next weekend is probably a little too soon - I'd at least like to not
>jump straight back into freezing - but how about one of:
>
>- August 1st/2nd
>- August 8th/9th

Either is possible for me, with a preference for the first. Let's not
delay too long if possible.

Cheers,

Steve

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
  Armed with "Valor": "Centurion" represents quality of Discipline,
  Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
  concord the digital world while feeling safe and proud.



Re: stretch EOL point release (9.13) and 10.5 planning

2020-07-18 Thread Andy Simpkins


On 18 July 2020 22:39:05 BST, Steve McIntyre  wrote:
>On Sat, Jul 18, 2020 at 10:12:41PM +0100, Adam Barratt wrote:
>>On Sun, 2020-07-12 at 15:35 +0100, Adam D. Barratt wrote:
>>> Hi Steve,
>>> 
>>> On Sun, 2020-07-12 at 12:46 +0100, Steve McIntyre wrote:
>>> > Argh, massive apologies...
>>> > 
>>> > On Thu, Jun 25, 2020 at 10:38:14AM +0200, Laura Arjona Reina
>wrote:
>>> > > El 15/6/20 a las 18:44, Adam D. Barratt escribió:
>>> > > > - July 18/19
>>> > 
>>> > Massive apologies for dropping a spanner in the works, but
>>> > something major has come up. I won't be able to do *all* of that
>>> > weekend after all. As Stretch EOL is already a thing, can I
>suggest
>>> > that we keep that to plan and push back the Buster 10.5 release a
>>> > little?
>>> > 
>>> > Sorry. :-/
>>> 
>>> Thanks for letting us know. :-(
>>> 
>>> I'll drop a note to the lists, and we can look at getting a new date
>>> organised.
>>
>>Now that stretch EoL is (more or less) out of the way, it would be
>good
>>to get 10.5 done as soon as we sensibly can, so as not to slip too far
>>off schedule.
>>
>>Next weekend is probably a little too soon - I'd at least like to not
>>jump straight back into freezing - but how about one of:
>>
>>- August 1st/2nd
>>- August 8th/9th
>
>Either is possible for me, with a preference for the first. Let's not
>delay too long if possible.
>
>Cheers,
>
>Steve
>
>-- 
>Steve McIntyre, Cambridge, UK.   
>st...@einval.com
>  Armed with "Valor": "Centurion" represents quality of Discipline,
>  Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
>  concord the digital world while feeling safe and proud.

-- 
I am good for either weekend.
Given a preference I would prefer the 1st.

Cheers
/Andy
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Bug#965124: transition: pcl

2020-07-18 Thread Sebastian Ramacher
Control: forwarded -1 https://release.debian.org/transitions/html/auto-pcl.html
Control: tags -1 + confirmed

On 2020-07-16 16:10:32 +0200, Jochen Sprickerhof wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> 
> Hi Release team,
> 
> I would like to transition pcl to unstable. The Ben file is fine,
> ros-perception-pcl compiles against the new version and I will upload a
> fixed python-pcl version during the transition.

Please go ahead with the upload to unstable.

Cheers
-- 
Sebastian Ramacher




Processed: Re: Bug#965124: transition: pcl

2020-07-18 Thread Debian Bug Tracking System
Processing control commands:

> forwarded -1 https://release.debian.org/transitions/html/auto-pcl.html
Bug #965124 [release.debian.org] transition: pcl
Set Bug forwarded-to-address to 
'https://release.debian.org/transitions/html/auto-pcl.html'.
> tags -1 + confirmed
Bug #965124 [release.debian.org] transition: pcl
Added tag(s) confirmed.

-- 
965124: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965124
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#965023: transition: re2

2020-07-18 Thread Sebastian Ramacher
Control: tags -1 + confirmed

On 2020-07-14 20:25:37 +0200, Sebastian Ramacher wrote:
> Control: forwarded -1 
> https://release.debian.org/transitions/html/auto-protobuf.html
> 
> On 2020-07-14 08:29:21 -0700, Stefano Rivera wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > 
> > Public ABI Breakage:
> > An entry was inserted into an enum, rather than appended to the end.
> > 
> > Public API Breakage:
> > None
> > 
> > Reverse Dependencies:
> > * dnsdist seems to have had uninstallable Build-Dependencies, in my testing
> >   yesterday, but built fine on the 5th.
> 
> dnsdist is currently involved in the protobuf transition, so this may
> have been a temporary issue. But let's wait until protobuf migrated to
> not entangle these two transitions.

protobuf migrated, so let's do this one.

Cheers
-- 
Sebastian Ramacher




Processed: Re: Bug#965023: transition: re2

2020-07-18 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #965023 [release.debian.org] transition: re2
Added tag(s) confirmed.

-- 
965023: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965023
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#962563: transition: nettle

2020-07-18 Thread peter green

I just went through the remaining items on the transition tracker for this
transition, filing bug reports where appropriate.

freewheeling:
sid-only, unrelated FTBFS bug 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946863

haskell-hopenpgp/haskell-hopenpgp-tools:
haskell-incremental-parser has picked up a build-depends on a package that has
never built on 6/10 release architectures
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965299

ocamlnet:
FTBFS on most architectures, doesn't look related to nettle transition
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965300

opendht:
FTBFS, doesn't look related to nettle transition.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965301

caml-crush (sid-only):
no binnmu scheduled (builds successfully on reproducible builds)

ring (sid-only):
unrelated FTBFS
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961837

dpaste (sid-only):
FTBFS on reproducible builds, depends on rc buggy package.



Bug#965023: transition: re2

2020-07-18 Thread stefanor
Control: forwarded -1 https://release.debian.org/transitions/html/auto-re2.html

Uploaded, and it's built on all the release archs.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Processed: Re: Bug#965023: transition: re2

2020-07-18 Thread Debian Bug Tracking System
Processing control commands:

> forwarded -1 https://release.debian.org/transitions/html/auto-re2.html
Bug #965023 [release.debian.org] transition: re2
Changed Bug forwarded-to-address to 
'https://release.debian.org/transitions/html/auto-re2.html' from 
'https://release.debian.org/transitions/html/auto-protobuf.html'.

-- 
965023: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965023
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Re: Optional Build-Depends

2020-07-18 Thread Adrian Bunk
On Thu, Jul 16, 2020 at 07:27:52PM +0200, Julian Andres Klode wrote:
>...
> We have come up with a syntax, one goal being to break parsers and not
> silently ignore optional deps:
> 
>   Build-Depends: foo? (>= 1) | baz

Any suggestion has to equally cover runtime dependencies,
the same situation is common there.

> The behavior being:
> 
>If foo resolves to a valid package name, this is a normal
>dependency. So if it's like version 0.9, the dependency would
>be unsat/depwait
> 
>For tools stripping alternatives, which I think buildds do,
>it becomes slightly more complex, as they need to check if
>foo exists:
> 
>  foo exists => drop `| baz`
>  foo does not exist => drop `foo? (>= 1.0) |`
> 
>(this is obviously a recursive thing)
>...

How would optional dependencies be handled for testing migration
and testing autoremoval?

The intuitive handling would be that the package can migrate to testing 
when baz is in testing but foo is not,
and can stay in testing when foo gets removed from testing but baz stays 
in testing.[1]

If anyone would suggest checking whether foo is in unstable
the obvious next question would be what should happen if foo
is stuck in NEW at the time the package enters unstable,
and foo then enters unstable after the migration of your package.

foo might have missed the freeze deadline, this would break
uploading your package to unstable during the freeze.

> 1. You can start optionally build-depending on stuff available
>only on some architectures, without having to use arch restriction
>lists.
> 
>   Arch restriction lists are tedious, especially also because in
>   the case of libraries, they need to be recursively applied:
>
> libfoo is only available on bar
> libbaz depends on libfoo
>
>   results in build-depends: libbaz [bar]
>
>   With optional build-depends, you can just write libbaz? and
>   not have to update the dep each time libfoo appears on a new
>   arch. (apply argument to longer recursive chains)
>...

It was never necessary to use arch restriction lists for that.

When several reverse dependencies are affected, the correct solution
for this problem is one package (or Provides) foobaz that selects the 
package for an architecture.

cu
Adrian

[1] assuming no runtime dependencies are generated on packages from foo
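The behaviour quoted in this thread (keep `foo?` when foo exists, otherwise fall through to the next alternative, applied recursively, and make a parser that does not know the `?` marker fail loudly instead of ignoring it) as an added illustration in Python. This is not dpkg, apt or sbuild code and the `name?` syntax is only the proposal under discussion; the sample field, the set of available packages, and the treatment of a group whose alternatives are all optional and all missing (dropped here) are assumptions of this example.

```python
import re

# Constructed sample field; the "name?" marker is the syntax proposed in the
# thread, not anything the real tools understand today.
SAMPLE_FIELD = (
    "Build-Depends: foo? (>= 1) | baz, libc6-dev, libbaz? | libqux? | fallback"
)

# One alternative: package name, optional "?" marker, optional version clause.
_ALT_RE = re.compile(r"^\s*([a-z0-9][a-z0-9+.\-]*)(\?)?\s*(\([^()]*\))?\s*$")


class UnknownSyntax(ValueError):
    """Raised when a parser meets syntax it was not written for."""


def parse_alternative(text, allow_optional):
    m = _ALT_RE.match(text)
    if m is None:
        raise UnknownSyntax("cannot parse dependency %r" % text)
    name, marker, version = m.groups()
    if marker and not allow_optional:
        # The intended failure mode from the thread: a tool that does not know
        # the marker must refuse, never silently read "foo?" as "foo".
        raise UnknownSyntax("optional marker not understood in %r" % text)
    return {"name": name, "optional": marker is not None, "version": version}


def parse_field(field, allow_optional=True):
    """Return a list of groups; each group is a list of alternatives."""
    _, _, value = field.partition(":")
    return [
        [parse_alternative(alt, allow_optional) for alt in group.split("|")]
        for group in value.split(",")
        if group.strip()
    ]


def strip_alternatives(groups, available):
    """Apply the quoted rule: an optional first alternative is kept only if the
    package exists at all (version checks stay a normal dependency); otherwise
    it is dropped and the next alternative is considered. A non-optional
    alternative always wins, which is what plain alternative-stripping does."""
    kept = []
    for alts in groups:
        for alt in alts:
            if not alt["optional"] or alt["name"] in available:
                kept.append(alt)
                break
        # Assumption: all alternatives optional and none present -> group dropped.
    return kept


def render(alts):
    """Render the stripped list as an ordinary, marker-free dependency field."""
    return ", ".join(
        a["name"] + (" " + a["version"] if a["version"] else "") for a in alts
    )


def old_parser_rejects(field):
    """True when a parser without optional-dependency support refuses the field."""
    try:
        parse_field(field, allow_optional=False)
    except UnknownSyntax:
        return True
    return False


if __name__ == "__main__":
    groups = parse_field(SAMPLE_FIELD)
    print(render(strip_alternatives(groups, {"baz", "libc6-dev", "fallback"})))
    print(render(strip_alternatives(groups, {"foo", "libc6-dev", "libqux"})))
    print("old parser rejects:", old_parser_rejects(SAMPLE_FIELD))
```

The `old_parser_rejects` check is the part worth keeping in mind when judging the proposal: if an older parser accepted the marker by stripping it, an optional dependency would quietly become a hard one (or, with different stripping, vanish), which is the silent-failure mode the thread wants the syntax to rule out.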




Bug#954299: marked as done (RM: libperlspeak-perl -- RoST; unmaintained; security issues)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:30:16 +
with message-id 
and subject line Bug#954299: Removed package(s) from oldstable
has caused the Debian Bug report #954299,
regarding RM: libperlspeak-perl -- RoST; unmaintained; security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
954299: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954299
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
Control: clone -1 -2
Control: retitle -2 RM: libperlspeak-perl/2.01-2 from stretch

Hi

Please remove libperlspeak-perl/2.01-2 on next point release time from
buster and stretch (cloning the bug accordingly twice as two bugs are
needed).

The package is going to be removed from unstable: It is unmaintained
for ages upstream, has no reverse dependencies, hardly any users,
problematic design and security issues accordingly.

See #954297 for the removal request from unstable.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

libperlspeak-perl | 2.01-2 | source, all

--- Reason ---
RoST; unmaintained; security issues
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 954...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/954299

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---


Bug#908468: marked as done (RM: weboob -- RoM; unmaintained; already removed from later releases)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:28:37 +
with message-id 
and subject line Bug#905385: Removed package(s) from oldstable
has caused the Debian Bug report #905385,
regarding RM: weboob -- RoM; unmaintained; already removed from later releases
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
905385: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905385
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal


Quack,

This update has been made to:
  - fix #905299 to remove insults
  - add a warning in the package description about the naming

See attached debdiff.

I plan to do the same for Jessie if you agree on this one.

Regards.
\_o<

--
Marc Dequènes

diff -Nru weboob-1.2/debian/changelog weboob-1.2/debian/changelog
--- weboob-1.2/debian/changelog	2017-01-09 11:43:06.0 +0900
+++ weboob-1.2/debian/changelog	2018-08-03 02:59:42.0 +0900
@@ -1,3 +1,15 @@
+weboob (1.2-1+deb9u1) stretch; urgency=medium
+
+  [ Jonathan Dowland ]
+  * Backport a patch from upstream to remove homophobic comments
+and user insults. Closes: #905299.
+
+  [ Marc Dequènes (Duck) ]
+  * Add warning about the software naming scheme.
+  * remove_insults2.patch: extra cleanup
+
+ -- Jonathan Dowland   Thu, 02 Aug 2018 18:59:42 +0100
+
 weboob (1.2-1) unstable; urgency=medium
 
   * New Upstream Release.
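Review bot: the `remove_insults2.patch: extra cleanup` line under `[ Marc Dequènes (Duck) ]` says neither what the patch changes nor which bug it belongs to, while the other entry does (`Closes: #905299`); for a stable update every changelog line should map to a reviewable change, so describe what the extra cleanup touches. The debdiff as archived here only shows remove_homophobic_insults.patch being added before it is cut off, so the second patch cannot be checked against the changelog.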
diff -Nru weboob-1.2/debian/control weboob-1.2/debian/control
--- weboob-1.2/debian/control	2017-01-09 11:43:06.0 +0900
+++ weboob-1.2/debian/control	2018-08-03 02:59:42.0 +0900
@@ -18,6 +18,12 @@
 Breaks: python-weboob-core (<< 0.i-2)
 Replaces: python-weboob-core (<< 0.i-2)
 Description: Weboob, Web Out Of Browsers - library
+ Note from the Maintainer:
+ This software, included binaries and maybe other content contain childish
+ references to a specific women's body part. Upstream refused to rename it.
+ There is no diminishing or insulting message so I decided to keep it in the
+ archive. You may nevertheless feel uncomfortable using this tool.
+ .
  Weboob is a project helping interaction between applications and websites.
  .
  This package contains:
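Review bot: the inserted `Note from the Maintainer` paragraph is the same five lines in this stanza and again in the two later stanzas of debian/control (the hunks at `@@ -41,6 +47,12 @@` and `@@ -78,6 +90,12 @@`), so any correction has to be made three times; worth keeping in mind before it is uploaded. Two wording points while it is being edited: `included binaries` reads as `including binaries`, and `diminishing` is presumably meant to be `demeaning`.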
@@ -41,6 +47,12 @@
 Depends: ${misc:Depends}, ${python:Depends}, python-weboob (>= ${source:Version}), python-html2text, python-prettytable
 Recommends: python-termcolor
 Description: CLI applications to interact with websites
+ Note from the Maintainer:
+ This software, included binaries and maybe other content contain childish
+ references to a specific women's body part. Upstream refused to rename it.
+ There is no diminishing or insulting message so I decided to keep it in the
+ archive. You may nevertheless feel uncomfortable using this tool.
+ .
  This package contains command-line applications including:
   * boobank: Bank accounts management
   * boobathon: Application to participate to a boobathon
@@ -78,6 +90,12 @@
 Architecture: all
 Depends: ${misc:Depends}, ${python:Depends}, python-weboob (>= ${source:Version}), python-pyqt5
 Description: Qt applications to interact with websites
+ Note from the Maintainer:
+ This software, included binaries and maybe other content contain childish
+ references to a specific women's body part. Upstream refused to rename it.
+ There is no diminishing or insulting message so I decided to keep it in the
+ archive. You may nevertheless feel uncomfortable using this tool.
+ .
  This package contains Qt applications including:
   * qbooblyrics: Search songs and get lyrics
   * qboobmsg: Read and post messages on websites
diff -Nru weboob-1.2/debian/patches/remove_homophobic_insults.patch weboob-1.2/debian/patches/remove_homophobic_insults.patch
--- weboob-1.2/debian/patches/remove_homophobic_insults.patch	1970-01-01 09:00:00.0 +0900
+++ weboob-1.2/debian/patches/remove_homophobic_insults.patch	2018-08-03 02:59:42.0 +0900
@@ -0,0 +1,50 @@
+commit 4c044e72fdf10988da8d1115c5fcd989f7fe519e
+Author: Jonathan Dowland 
+Date:   Thu Jul 12 16:57:31 2018 +0200
+
+Remove unnecessary bits in comments;
+
+Cherry pick from upstream:
+commit 3f12b9e6c1b2599df51b064b956e61c77bb060fb
+Author: Benjamin Bouvier 
+Date:   Thu Jul 12 16:57:31 2018 +0200
+
+diff --git a/modules/aum/browser.py b/modules/aum/browser.py
+index d29f5d803..9160f1a9e 100644
+--- a/modules/aum/browser.py
 b/modules/aum/browser.py
+@@ -400,7 +400,7 @@ class AuMBrowser(Browser):
+ 
+ @url2id
+ def get_profile(self, id):
+-# XXX OLD API IS DISABLED

Bug#905385: marked as done (RM: weboob -- RoM; unmaintained; already removed from later releases)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:28:37 +
with message-id 
and subject line Bug#905385: Removed package(s) from oldstable
has caused the Debian Bug report #905385,
regarding RM: weboob -- RoM; unmaintained; already removed from later releases
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
905385: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905385
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello stable-release managers,

Filing this bug to open a dialogue with you about updating the weboob
package in Stretch to fix #905299 ("includes homophobic comments and
insults the user")

This has been fixed upstream. I've prepared an initial backported
patch[1], but it needs updating to close the right bug number (this
one), possibly change the version number (I used NMU scheme so far),
replace UNRELEASED with the correct suite (which is what for s-p-u?).

Once those are addressed, and assuming you approve in principle this
update, and also assuming the maintainers are in favour (CCed), I'll
attach the debdiff here.

Can/should we link this new bug with #905299 in some way (blocks:
relationship?)

This bug is also present in oldstable, and old-oldstable. I've done a
preliminary patch for oldstable too[2], the same caveats apply. I intend
to request an oldstable update in just the same way as I have here for
Stretch.

Is old-oldstable archived? It appears not, but, are there any plans for
another point release? In other words, should I file another bug to
manage an old-oldstable update to fix this?

[1] 
https://salsa.debian.org/jmtd/weboob/commit/5feca16265b0ce689df1d1c0c4dd61f824af0c34
[2] 
https://salsa.debian.org/jmtd/weboob/commit/1729299187743a45c08bf6c987d2f95581a9cad1


Thanks

--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

python-weboob |  1.2-1 | all
python-weboob-core |  1.2-1 | all
weboob |  1.2-1 | source, all
 weboob-qt |  1.2-1 | all

--- Reason ---
RoM; unmaintained; already removed from later releases
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 905...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/905385

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Mark Hymers (the ftpmaster behind the curtain)
--- End Message ---


Bug#952647: marked as done (RM: firefox-esr/60.9.0esr-1~deb9u1 [armel] -- RoQA; version 68+ no longer supported on armel)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:29:36 +
with message-id 
and subject line Bug#952647: Removed package(s) from oldstable
has caused the Debian Bug report #952647,
regarding RM: firefox-esr/60.9.0esr-1~deb9u1 [armel] -- RoQA; version 68+ no 
longer supported on armel
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
952647: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952647
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: rm

firefox-esr 68+ is no longer supported on armel due to lack of the
required nodejs 8.11.
Please remove the stale binaries from stretch.


Andreas
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

firefox-esr | 60.9.0esr-1~deb9u1 | armel

--- Reason ---
RoQA; version 68+ no longer supported on armel
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 952...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/952647

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---


Bug#929871: marked as done (RM: simpleid -- RoM; does not work with PHP7)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:29:02 +
with message-id 
and subject line Bug#929871: Removed package(s) from oldstable
has caused the Debian Bug report #929871,
regarding RM: simpleid -- RoM; does not work with PHP7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
929871: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929871
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
Tags: stretch

Hi,

 As in Bug#929575, simpleid 0.8.1-15 doesn't work with the PHP 7.x that is shipped
 with Debian 9 "stretch" and Debian 10 "buster", so I propose we remove it.
 Also, the package was removed from testing (#929832), but the stable package still
 remains.


-- 
Regards,

 Hideki Yamane henrich @ debian.org/iijmio-mail.jp
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

  simpleid |   0.8.1-15 | source, all

--- Reason ---
RoM; does not work with PHP7
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/929871

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---


Bug#952648: marked as done (RM: firefox-esr/52.9.0esr-1~deb9u1 [mips mipsel mips64el] -- RoQA; missing B-D/FTBFS)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:29:58 +
with message-id 
and subject line Bug#952648: Removed package(s) from oldstable
has caused the Debian Bug report #952648,
regarding RM: firefox-esr/52.9.0esr-1~deb9u1 [mips mipsel mips64el] -- RoQA; 
missing B-D/FTBFS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
952648: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952648
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: rm

firefox-esr 60+ has not been built on mips* for stretch due to lack of
the required rustc version (mipsel, mips64el) or a FTBFS (mips).
It seems to build fine in buster. 
Please remove the stale mips* binaries from stretch.

Andreas
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

firefox-esr | 52.9.0esr-1~deb9u1 | mips, mips64el, mipsel

--- Reason ---
RoQA; missing B-D/FTBFS
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 952...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/952648

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---


Bug#958573: marked as done (RM: yahoo2mbox -- RoQA; unusable since 2013)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:32:00 +
with message-id 
and subject line Bug#958573: Removed package(s) from oldstable
has caused the Debian Bug report #958573,
regarding RM: yahoo2mbox -- RoQA; unusable since 2013
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
958573: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958573
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: rm
Control: clone -1 -2
Control: tag -2 = stretch

According to #719916 and the removal from unstable #955334, the
yahoo2mbox package is unusable since 2013. I cannot test it myself.

Please remove it from (old)stable, too.


Andreas
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

yahoo2mbox | 0.24-2 | source, all

--- Reason ---
RoQA; unusable since 2013
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 958...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/958573

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---


Bug#958576: marked as done (RM: kerneloops -- RoQA; service http://oops.kernel.org no longer available)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:32:27 +
with message-id 
and subject line Bug#958576: Removed package(s) from oldstable
has caused the Debian Bug report #958576,
regarding RM: kerneloops -- RoQA; service http://oops.kernel.org no longer 
available
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
958576: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958576
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: rm
Control: clone -1 -2
Control: tag -2 = stretch

According to #953172 the kerneloops package is no longer usable since
the service http://oops.kernel.org is no longer available.
The package was already removed from unstable: #956031

I haven't tested usability in (old)stable myself, but I think it should
be removed there, too.


Andreas
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

kerneloops | 0.12+git20140509-6 | source, amd64, arm64, armel, armhf, i386, 
mips, mips64el, mipsel, ppc64el, s390x
kerneloops-applet | 0.12+git20140509-6 | amd64, arm64, armel, armhf, i386, 
mips, mips64el, mipsel, ppc64el, s390x

--- Reason ---
RoQA; service http://oops.kernel.org no longer available
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 958...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/958576

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---


Bug#956701: marked as done (RM: enigmail -- RoQA; incompatible with stretch's thunderbird)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:31:43 +
with message-id 
and subject line Bug#956701: Removed package(s) from oldstable
has caused the Debian Bug report #956701,
regarding RM: enigmail -- RoQA; incompatible with stretch's thunderbird
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
956701: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956701
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: rm

enigmail is no longer installable with the thunderbird version
now in stretch (#949736).

Updating enigmail in stretch might be non-trivial due to the
versioned dependency on gnupg.

It is expected that shortly after the final non-LTS release of stretch
there will be an LTS update of thunderbird in stretch with a version
that can no longer be supported by enigmail:
https://www.enigmail.net/index.php/en/home/news/70-2019-10-08-future-openpgp-support-in-thunderbird

I do not see a better solution than removing the enigmail package
that is already not installable in stretch.

Daniel Kahn Gillmor Cc'ed, an ACK/NAK would be appreciated.
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

  enigmail | 2:2.0.8-5~deb9u1 | source, all

--- Reason ---
RoQA; incompatible with stretch's thunderbird
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 956...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/956701

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---


Bug#958923: marked as done (RM: quotecolors -- RoM; incompatible with newer Thunderbird versions)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:32:45 +
with message-id 
and subject line Bug#958923: Removed package(s) from oldstable
has caused the Debian Bug report #958923,
regarding RM: quotecolors -- RoM; incompatible with newer Thunderbird versions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
958923: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958923
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Dear RT,

the package xul-ext-quotecolors, a Thunderbird extension, isn't usable
any longer since Thunderbird ESR has moved to 68.x due to API changes within
Thunderbird. It's dead from the upstream side and won't get updates in
the future; please remove the package from the old-stable release.

There is a RC bug about the non usable functionality in testing.
https://bugs.debian.org/950512

I also requested the removal from unstable
https://bugs.debian.org/958913

Thanks
Carsten Schoenert
-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

quotecolors |  0.3-4 | source
xul-ext-quotecolors |  0.3-4 | all

--- Reason ---
RoM; incompatible with newer Thunderbird versions
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 958...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/958923

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---


Bug#959492: marked as done (RM: getlive -- RoQA; Upstream Dead; Not Working Anymore)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:33:47 +
with message-id 
and subject line Bug#959492: Removed package(s) from oldstable
has caused the Debian Bug report #959492,
regarding RM: getlive -- RoQA; Upstream Dead; Not Working Anymore
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
959492: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959492
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: rm
Control: clone -1 -2
Control: tags -2 = stretch
Control: usertags -2 rm

On Tue, 18 Feb 2020 15:56:18 -0500 Boyuan Yang 
wrote in #951617:
> Package: ftp.debian.org
> 
> Dear FTP Masters,
> 
> As described in https://bugs.debian.org/950452 , the upstream of package
> getlive no longer maintains it since 2014 due to hotmail live's constantly
> breaking changes. As a result, package getlive has been broken since then. I
> believe we should have it removed from the Debian archive since it is really
> useless now.

Let's follow sid and do the same in (old-)stable.

Andreas
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

   getlive | 2.4+cvs20120801-1 | source, all

--- Reason ---
RoQA; Upstream Dead; Not Working Anymore
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 959...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/959492

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---


Bug#959377: marked as done (RM: torbirdy -- RoQA; incompatible with newer Thunderbird versions)

2020-07-18 Thread Debian Bug Tracking System
Your message dated Sat, 18 Jul 2020 09:33:04 +
with message-id 
and subject line Bug#959377: Removed package(s) from oldstable
has caused the Debian Bug report #959377,
regarding RM: torbirdy -- RoQA; incompatible with newer Thunderbird versions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
959377: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959377
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: rm

torbirdy is incompatible with Thunderbird > 60 and has already
been removed from unstable, see #945456 for background.
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is now fixed; the following
package(s) have been removed from oldstable:

  torbirdy |0.2.1-1 | source
xul-ext-torbirdy |0.2.1-1 | all

--- Reason ---
RoQA; incompatible with newer Thunderbird versions
--

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 959...@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/959377

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Archive Administrator (the ftpmaster behind the curtain)
--- End Message ---

