Bug#998832: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u1
On 11/12/2021 18:42, Adam D. Barratt wrote: On Mon, 2021-12-06 at 08:39 +0100, Yadd wrote: sorry, here is the new debdiff Thanks. What's the rationale for this change? --- a/debian/rules +++ b/debian/rules @@ -89,8 +89,8 @@ override_dh_auto_test: jquery-ui.js jquery-ui.min.js themes/base/jquery-ui.css nodejs --check ui/i18n/jquery-ui-i18n.js # Reference files are taken from the quick download ZIP file from # http://jqueryui.com - diff -Bw debian/reference-jquery-ui.js jquery-ui.js - diff -Bw debian/reference-jquery-ui.css themes/base/jquery-ui.css + #diff -Bw debian/reference-jquery-ui.js jquery-ui.js + #diff -Bw debian/reference-jquery-ui.css themes/base/jquery-ui.css endif Hi, this package compared built jquery-ui with upstream version (stored in Debian). This fails now since we changed source
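Review bot: in override_dh_auto_test the two `diff -Bw` comparisons against debian/reference-jquery-ui.js and debian/reference-jquery-ui.css are commented out rather than deleted, and the comment above them ("Reference files are taken from the quick download ZIP file") still describes a check that no longer runs. Either delete the two lines together with that comment, or add a one-line comment in debian/rules saying why the built files are now expected to differ from the reference copies. With both comparisons disabled, the only test visible in this hunk is `nodejs --check ui/i18n/jquery-ui-i18n.js`, which is a syntax check, so nothing shown here verifies the content of the built jquery-ui.js or jquery-ui.css any more.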
Bug#998832: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u1
Control: tags -1 + confirmed On Sun, 2021-12-12 at 09:22 +0100, Yadd wrote: > On 11/12/2021 18:42, Adam D. Barratt wrote: > > On Mon, 2021-12-06 at 08:39 +0100, Yadd wrote: > > > sorry, here is the new debdiff > > > > > > > Thanks. > > > > What's the rationale for this change? > > > > --- a/debian/rules > > +++ b/debian/rules > > @@ -89,8 +89,8 @@ override_dh_auto_test: jquery-ui.js jquery- > > ui.min.js themes/base/jquery-ui.css > > nodejs --check ui/i18n/jquery-ui-i18n.js > > # Reference files are taken from the quick download ZIP file from > > # http://jqueryui.com > > - diff -Bw debian/reference-jquery-ui.js jquery-ui.js > > - diff -Bw debian/reference-jquery-ui.css themes/base/jquery- > > ui.css > > + #diff -Bw debian/reference-jquery-ui.js jquery-ui.js > > + #diff -Bw debian/reference-jquery-ui.css > > themes/base/jquery-ui.css > > endif > > Hi, > > this package compared built jquery-ui with upstream version (stored > in > Debian). This fails now since we changed source > OK. Please go ahead. Regards, Adam
Processed: Re: Bug#998832: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u1
Processing control commands: > tags -1 + confirmed Bug #998832 [release.debian.org] bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u1 Added tag(s) confirmed. -- 998832: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998832 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1001556: buster-pu: package mailman/1:2.1.29-1+deb10u4
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: car...@debian.org

Hi SRM,

There was another CVE fixed after the last update currently in buster-pu for mailman which similarly we think does not warrant a DSA. I have prepared a followup for this one as well:

https://security-tracker.debian.org/tracker/CVE-2021-44227

I'm attaching both debdiffs, once against the base version currently in buster (1:2.1.29-1+deb10u1, note that there was as well a DSA for mailman, 1:2.1.29-1+deb10u2) and once only against the current version which sits in buster-proposed-updates.

Regards,
Salvatore

diff -Nru mailman-2.1.29/debian/changelog mailman-2.1.29/debian/changelog --- mailman-2.1.29/debian/changelog 2021-11-20 15:17:30.0 +0100 +++ mailman-2.1.29/debian/changelog 2021-12-12 10:42:54.0 +0100 @@ -1,3 +1,11 @@ +mailman (1:2.1.29-1+deb10u4) buster; urgency=medium + + * Non-maintainer upload by the Security Team. + * Fix potential CSRF attack against a list admin from a list member or +moderator (CVE-2021-44227) + + -- Salvatore Bonaccorso Sun, 12 Dec 2021 10:42:54 +0100 + mailman (1:2.1.29-1+deb10u3) buster; urgency=medium * Non-maintainer upload by the Security Team. diff -Nru mailman-2.1.29/debian/patches/CVE-2021-44227.patch mailman-2.1.29/debian/patches/CVE-2021-44227.patch --- mailman-2.1.29/debian/patches/CVE-2021-44227.patch 1970-01-01 01:00:00.0 +0100 +++ mailman-2.1.29/debian/patches/CVE-2021-44227.patch 2021-12-12 10:42:54.0 +0100
@@ -0,0 +1,82 @@ +Description: Fix potential CSRF attack against a list admin from a list member or moderator +Origin: upstream, https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/diff/1882 +Bug: https://launchpad.net/bugs/1952384 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-44227 +Forwarded: not-needed +Last-Update: 2021-12-12 + +=== modified file 'Mailman/CSRFcheck.py' +--- a/Mailman/CSRFcheck.py b/Mailman/CSRFcheck.py +@@ -55,7 +55,7 @@ def csrf_token(mlist, contexts, user=Non + token = binascii.hexlify(marshal.dumps((issued, keymac))) + return token + +-def csrf_check(mlist, token, options_user=None): ++def csrf_check(mlist, token, cgi_user=None): + """ check token by mailman cookie validation algorithm """ + try: + issued, keymac = marshal.loads(binascii.unhexlify(token)) +@@ -67,12 +67,25 @@ def csrf_check(mlist, token, options_use + key, user = key.split('+', 1) + else: + user = None ++# Don't allow unprivileged tokens for admin or admindb. ++if cgi_user == 'admin': ++if key not in ('admin', 'site'): ++syslog('mischief', ++ 'admin form submitted with CSRF token issued for %s.', ++ key + '+' + user if user else key) ++return False ++elif cgi_user == 'admindb': ++if key not in ('moderator', 'admin', 'site'): ++syslog('mischief', ++ 'admindb form submitted with CSRF token issued for %s.', ++ key + '+' + user if user else key) ++return False + if user: + # This is for CVE-2021-42097. The token is a user token because + # of the fix for CVE-2021-42096 but it must match the user for + # whom the options page is requested. 
+ raw_user = UnobscureEmail(urllib.unquote(user)) +-if options_user and options_user != raw_user: ++if cgi_user and cgi_user != raw_user: + syslog('mischief', +'Form for user %s submitted with CSRF token ' +'issued for %s.', +--- a/Mailman/Cgi/admin.py b/Mailman/Cgi/admin.py +@@ -107,7 +107,8 @@ def main(): +'legend'] + params = cgidata.keys() + if set(params) - set(safe_params): +-csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token')) ++csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'), ++ 'admin') + else: + csrf_checked = True + # if password is present, void cookie to force password authentication. +--- a/Mailman/Cgi/admindb.py b/Mailman/Cgi/admindb.py +@@ -144,7 +144,8 @@ def main(): + safe_params = ['adminpw', 'admlogin', 'msgid', 'sender', 'details'] + params = cgidata.keys() + if set(params) - set(safe_params): +-csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token')) ++csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'), ++ 'admindb') + else: + csrf_checked = True + # if password is present, void cookie to force password authentication. +--- a/Mailman/Cgi/edithtml.py b/Mailman/Cgi/edithtml.py +@@ -111,7 +111,8 @@ def main(): + safe_params = ['VARHELP', '
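Review bot: in Mailman/CSRFcheck.py, `csrf_check` now uses the single parameter `cgi_user` for two different things: the literal script names 'admin' and 'admindb' in the new branches, and a member address in the later `cgi_user != raw_user` comparison. The docstring still reads only "check token by mailman cookie validation algorithm"; it should say which values `cgi_user` accepts and what each one enforces. A value other than 'admin' or 'admindb' skips both new branches, and when the token carries no user part nothing in the visible lines then restricts the key, so consider an explicit allow-list of caller values or separate parameters for the script name and the options user. In the two syslog calls, `key + '+' + user if user else key` is correct as written but would be easier to read with parentheses around the concatenation.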
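Review bot: in Mailman/Cgi/admin.py and Mailman/Cgi/admindb.py the caller identity is passed to `csrf_check` as a bare string literal ('admin', 'admindb') that has to match the literals compared inside Mailman/CSRFcheck.py. A misspelt literal in a caller would not raise an error; it would fall through both privilege branches. Defining the two names once as constants in CSRFcheck.py and importing them in the CGI scripts would make a mismatch fail loudly. The call is also still skipped whenever every submitted parameter is in `safe_params`, so the new restriction depends on those lists containing only parameters that change no state; a short comment next to each list saying so would help later editors.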
Bug#1001438: transition: glibc 2.33
On 2021-12-11 15:28, Sebastian Ramacher wrote:
> Control: tags -1 confirmed
> Control: forwarded -1 https://release.debian.org/transitions/html/glibc-2.33.html
>
> On 2021-12-09 23:27:41 +0100, Aurelien Jarno wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > X-Debbugs-Cc: debian-gl...@lists.debian.org
> >
> > Dear release team,
> >
> > I would like to get a transition slot for glibc 2.33. It has been
> > available in experimental for one month and a half without any reported
> > bug report. It has been built successfully on all release architectures
> > and many ports architectures.
>
> Please go ahead.

Thanks, I have just uploaded it.

> > A few issues found through the autopkgtest pseudo excuses for
> > experimental have been fixed. The remaining are false positive, with the
> > exception of kore, but which is not testing as it FTBFS.

I submitted bug #1001558 for kore.

> Thanks, I'll add the necessary hints once the glibc upload is old
> enough.

Those false positives are due to the fact that glibc from experimental
is used, and I do not expect them to appear for glibc in sid. In
addition a few of them after cruft got removed from experimental.

All that said, with so many reverse dependencies, there might get more
issues appearing.

Aurelien

--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net
Bug#1001115: docker.io 20.10.5+dfsg1-1+deb11u1 flagged for acceptance
package release.debian.org tags 1001115 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: docker.io Version: 20.10.5+dfsg1-1+deb11u1 Explanation: fix possible change of host file system permissions [CVE-2021-41089]; lock down file permissions in /var/lib/docker [CVE-2021-41091]; prevent credentials being sent to the default registry [CVE-2021-41092]; add support for "clone3" syscall in default seccomp policy
Bug#1001398: privoxy 3.0.32-2+deb11u1 flagged for acceptance
package release.debian.org tags 1001398 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: privoxy Version: 3.0.32-2+deb11u1 Explanation: fix memory leaks [CVE-2021-44540 CVE-2021-44541 CVE-2021-44542]; fix cross-site scripting issue [CVE-2021-44543]
Processed: docker.io 20.10.5+dfsg1-1+deb11u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1001115 = bullseye pending Bug #1001115 [release.debian.org] bullseye-pu: package docker.io/20.10.5+dfsg1-1+deb11u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1001115: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001115 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1001474: bpftrace 0.11.3-5+deb11u1 flagged for acceptance
package release.debian.org tags 1001474 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: bpftrace Version: 0.11.3-5+deb11u1 Explanation: fix array indexing
Processed: bpftrace 0.11.3-5+deb11u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1001474 = bullseye pending Bug #1001474 [release.debian.org] bullseye-pu: package bpftrace/0.11.3-5 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1001474: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001474 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: privoxy 3.0.32-2+deb11u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1001398 = bullseye pending Bug #1001398 [release.debian.org] bullseye-pu: package privoxy/3.0.32-2 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 1001398: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001398 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
NEW changes in stable-new
Processing changes file: apache-log4j2_2.15.0-1~deb11u1_source.changes ACCEPT Processing changes file: apache-log4j2_2.15.0-1~deb11u1_all-buildd.changes ACCEPT Processing changes file: bpftrace_0.11.3-5+deb11u1_source.changes ACCEPT Processing changes file: docker.io_20.10.5+dfsg1-1+deb11u1_source.changes ACCEPT Processing changes file: privoxy_3.0.32-2+deb11u1_source.changes ACCEPT
Bug#1000472: rustc-mozilla 1.51.0+dfsg1-1~deb11u1 flagged for acceptance
package release.debian.org tags 1000472 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: rustc-mozilla Version: 1.51.0+dfsg1-1~deb11u1 Explanation: new source package to support building of newer firefox-esr and thunderbird versions
Processed: rustc-mozilla 1.51.0+dfsg1-1~deb11u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1000472 = bullseye pending Bug #1000472 [release.debian.org] bullseye-pu: package rustc-mozilla/1.51.0+dfsg1-1~deb11u1 Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 1000472: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000472 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1001100: golang-1.15 1.15.15-1~deb11u2 flagged for acceptance
package release.debian.org tags 1001100 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: golang-1.15 Version: 1.15.15-1~deb11u2 Explanation: fix buffer over-run issue [CVE-2021-38297], out of bounds read issue [CVE-2021-41771], denial of service issues [CVE-2021-44716 CVE-2021-44717]
Bug#998832: jqueryui 1.12.1+dfsg-8+deb11u1 flagged for acceptance
package release.debian.org tags 998832 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: jqueryui Version: 1.12.1+dfsg-8+deb11u1 Explanation: fix untrusted code execution issues [CVE-2021-41182 CVE-2021-41183 CVE-2021-41184]
Processed: golang-1.15 1.15.15-1~deb11u2 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 1001100 = bullseye pending Bug #1001100 [release.debian.org] bullseye-pu: package golang-1.15/1.15.15-1~deb11u2 Added tag(s) pending; removed tag(s) confirmed and moreinfo. > thanks Stopping processing here. Please contact me if you need assistance. -- 1001100: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001100 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: jqueryui 1.12.1+dfsg-8+deb11u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 998832 = bullseye pending Bug #998832 [release.debian.org] bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 998832: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998832 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
NEW changes in stable-new
Processing changes file: rustc-mozilla_1.51.0+dfsg1-1~deb11u1_multi.changes ACCEPT
NEW changes in stable-new
Processing changes file: golang-1.15_1.15.15-1~deb11u2_source.changes ACCEPT Processing changes file: jqueryui_1.12.1+dfsg-8+deb11u1_sourceonly.changes ACCEPT
NEW changes in stable-new
Processing changes file: golang-1.15_1.15.15-1~deb11u2_all-buildd.changes ACCEPT Processing changes file: golang-1.15_1.15.15-1~deb11u2_s390x-buildd.changes ACCEPT
Bug#1000374: marked as done (transition: opencv)
Your message dated Sun, 12 Dec 2021 16:24:43 +0100
with message-id
and subject line Re: Bug#1000374: transition: opencv
has caused the Debian Bug report #1000374,
regarding transition: opencv
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1000374: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000374
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear release team,

I would like to transition OpenCV with a bumped SOVERSION after an ABI
breakage by upstream [1]. The Ben file [2] looks good.

Cheers
Timo

[1] https://github.com/opencv/opencv/issues/20878
[2] https://release.debian.org/transitions/html/auto-opencv.html
--- End Message ---
--- Begin Message ---
On 2021-11-25 22:12:36 +0100, Sebastian Ramacher wrote:
> Control: tags -1 = confirmed
>
> On 2021-11-25 21:37:30, Timo Röhling wrote:
> > Hi,
> >
> > * Sebastian Ramacher [2021-11-22 20:34]:
> > > Why does the name of the -java package get changed? For the Java ABI
> > > nothing changes in this case. If you compare the produced class files,
> > > the only difference is that libopencv_java454d.so is loaded instead of
> > > libopencv_java454.so.
> > I gave it some more thought (and discussed it with Jochen), and I
> > ended up reverting that rename, back to libopencv4.5-java, for
> > 4.5.4+dfsg-5 in experimental.
>
> Alright, please go ahead

The old packages got removed from testing.

Cheers
--
Sebastian Ramacher
--- End Message ---
NEW changes in stable-new
Processing changes file: bpftrace_0.11.3-5+deb11u1_amd64-buildd.changes ACCEPT Processing changes file: bpftrace_0.11.3-5+deb11u1_arm64-buildd.changes ACCEPT Processing changes file: bpftrace_0.11.3-5+deb11u1_ppc64el-buildd.changes ACCEPT Processing changes file: docker.io_20.10.5+dfsg1-1+deb11u1_all-buildd.changes ACCEPT Processing changes file: docker.io_20.10.5+dfsg1-1+deb11u1_amd64-buildd.changes ACCEPT Processing changes file: docker.io_20.10.5+dfsg1-1+deb11u1_arm64-buildd.changes ACCEPT Processing changes file: docker.io_20.10.5+dfsg1-1+deb11u1_armel-buildd.changes ACCEPT Processing changes file: docker.io_20.10.5+dfsg1-1+deb11u1_armhf-buildd.changes ACCEPT Processing changes file: docker.io_20.10.5+dfsg1-1+deb11u1_i386-buildd.changes ACCEPT Processing changes file: docker.io_20.10.5+dfsg1-1+deb11u1_ppc64el-buildd.changes ACCEPT Processing changes file: docker.io_20.10.5+dfsg1-1+deb11u1_s390x-buildd.changes ACCEPT Processing changes file: golang-1.15_1.15.15-1~deb11u2_amd64-buildd.changes ACCEPT Processing changes file: golang-1.15_1.15.15-1~deb11u2_armel-buildd.changes ACCEPT Processing changes file: golang-1.15_1.15.15-1~deb11u2_i386-buildd.changes ACCEPT Processing changes file: golang-1.15_1.15.15-1~deb11u2_ppc64el-buildd.changes ACCEPT Processing changes file: jqueryui_1.12.1+dfsg-8+deb11u1_all-buildd.changes ACCEPT Processing changes file: privoxy_3.0.32-2+deb11u1_amd64-buildd.changes ACCEPT Processing changes file: privoxy_3.0.32-2+deb11u1_arm64-buildd.changes ACCEPT Processing changes file: privoxy_3.0.32-2+deb11u1_armel-buildd.changes ACCEPT Processing changes file: privoxy_3.0.32-2+deb11u1_armhf-buildd.changes ACCEPT Processing changes file: privoxy_3.0.32-2+deb11u1_i386-buildd.changes ACCEPT Processing changes file: privoxy_3.0.32-2+deb11u1_ppc64el-buildd.changes ACCEPT Processing changes file: privoxy_3.0.32-2+deb11u1_s390x-buildd.changes ACCEPT
Bug#1001587: transition: fmtlib
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: z...@debian.org
Control: block -1 by 1001527

Hi,

fmtlib has bumped its SO name to 8. I have rebuilt the reverse dependencies, the situation is:

+ spdlog/1.8.5 FTBFS, but the new version 1.9.2 has been uploaded to experimental, which works with fmtlib 8.
+ vast FTBFS, bug has been filed, #1001527
+ purify FTBFS, but for other reason, #1001528.
+ Other packages are in unstable only, and FTBFS: dpaste, ring, tiledb, lizardfs

P.S. since some level 3 packages build-depend fmtlib and spdlog, so I rebuild with fmtlib/8 and spdlog/1.9.2 together.

Ben file:

title = "fmtlib";
is_affected = .depends ~ "libfmt7" | .depends ~ "libfmt8";
is_good = .depends ~ "libfmt8";
is_bad = .depends ~ "libfmt7";
Processed: transition: fmtlib
Processing control commands: > block -1 by 1001527 Bug #1001587 [release.debian.org] transition: fmtlib 1001587 was not blocked by any bugs. 1001587 was not blocking any bugs. Added blocking bug(s) of 1001587: 1001527 -- 1001587: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001587 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
NEW changes in stable-new
Processing changes file: golang-1.15_1.15.15-1~deb11u2_arm64-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: golang-1.15_1.15.15-1~deb11u2_armhf-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: rustc-mozilla_1.51.0+dfsg1-1~deb11u1_ppc64el-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: golang-1.15_1.15.15-1~deb11u2_mips64el-buildd.changes ACCEPT Processing changes file: rustc-mozilla_1.51.0+dfsg1-1~deb11u1_i386-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: docker.io_20.10.5+dfsg1-1+deb11u1_mips64el-buildd.changes ACCEPT Processing changes file: privoxy_3.0.32-2+deb11u1_mips64el-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: golang-1.15_1.15.15-1~deb11u2_mipsel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: privoxy_3.0.32-2+deb11u1_mipsel-buildd.changes ACCEPT
Bug#1001411: bullseye-pu: package dask.distributed/2021.01.0+ds.1-2.1 fixing CVE-2021-42343
On Sat, 2021-12-11 at 17:53 +, Adam D. Barratt wrote:
>
> Please go ahead.
>

Ok I uploaded dask.distributed_2021.01.0+ds.1-2.1+deb11u1_source.changes to ftp-master.
NEW changes in stable-new
Processing changes file: rustc-mozilla_1.51.0+dfsg1-1~deb11u1_armel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: docker.io_20.10.5+dfsg1-1+deb11u1_mipsel-buildd.changes ACCEPT Processing changes file: rustc-mozilla_1.51.0+dfsg1-1~deb11u1_arm64-buildd.changes ACCEPT Processing changes file: rustc-mozilla_1.51.0+dfsg1-1~deb11u1_armhf-buildd.changes ACCEPT
Bug#1001438: transition: glibc 2.33
Hi Aurelien,

On 12-12-2021 12:37, Aurelien Jarno wrote:
> > Thanks, I'll add the necessary hints once the glibc upload is old
> > enough.
>
> Those false positives are due to the fact that glibc from experimental
> is used, and I do not expect them to appear for glibc in sid. In
> addition a few of them after cruft got removed from experimental.
>
> All that said, with so many reverse dependencies, there might get more
> issues appearing.

I just started to have a look, most issues I've checked so far look false positives. But aribas on i386 wasn't tested for the glibc in experimental (don't know why) but it fails now in unstable and tested with glibc from unstable in testing with stack smashing:
https://ci.debian.net/data/autopkgtest/testing/i386/a/aribas/17507755/log.gz

How do we handle cross-toolchain-base? It seems to need a rebuild but I didn't investigate if that can be just a binNMU or needs a source upload.

Off to bed now.

Paul
Bug#1000472: bullseye-pu: package rustc-mozilla/1.51.0+dfsg1-1~deb11u1
On Sat, Dec 11, 2021 at 05:04:17PM -0500, Roberto C. Sánchez wrote:
> On Sun, Dec 12, 2021 at 06:34:01AM +0900, Mike Hommey wrote:
> > On Sat, Dec 11, 2021 at 01:54:21PM +, Adam D. Barratt wrote:
> > > On Tue, 2021-11-30 at 13:36 -0500, Roberto C.Sánchez wrote:
> > > > On Tue, Nov 30, 2021 at 06:00:57PM +, Adam D. Barratt wrote:
> > > > > On Tue, 2021-11-30 at 09:37 -0500, Roberto C.Sánchez wrote:
> > > > > > If there are no objections, I will proceed with uploading within
> > > > > > the next 24 hours. I'd like to ensure that the new FF/TB make it
> > > > > > into the next point release if at all possible and that work is
> > > > > > currently blocked by the need for the updated rustc.
> > > > > >
> > > > >
> > > > > I was assuming the plan was for the Firefox and Thunderbird updates
> > > > > to be released via the security archive. That's certainly how
> > > > > basically every other update to both packages occurs.
> > > > >
> > > > Quite right. I conflated the fact that LLVM and rustc are not going
> > > > in via security update. Apologies for the confusion.
> > >
> > > As a quick follow-up to this, with the 11.2 point release being next
> > > weekend, and thus the p-u freeze this weekend, I note that the
> > > rustc-mozilla upload is not yet in NEW, so we're starting to get quite
> > > close timing wise.
> >
> > Relatedly, what's the plan for cargo in buster? Firefox ESR needs at
> > least 0.47, bullseye has 0.47, but buster has 0.43.1.
>
> Emilio is working on that. There were some tweaks needed to the
> rustc-mozilla packages I prepared in order to support his work. As of
> this morning he identified some small additional tweaks, but he was able
> to work around the issues in order to get a FF build completed. As soon
> as he gives me the thumbs up, then I will make the final tweaks and
> upload the rustc-mozilla packages.

Will it be cargo-mozilla in buster? How about cbindgen? Will it be cbindgen-mozilla or is cbindgen just going to be updated?

Mike
NEW changes in stable-new
Processing changes file: base-files_11.1+deb11u2_source.changes ACCEPT
Bug#1001438: transition: glibc 2.33
On 2021-12-12 22:18, Paul Gevers wrote:
> Hi Aurelien,
>
> On 12-12-2021 12:37, Aurelien Jarno wrote:
> > > Thanks, I'll add the necessary hints once the glibc upload is old
> > > enough.
> >
> > Those false positives are due to the fact that glibc from experimental
> > is used, and I do not expect them to appear for glibc in sid. In
> > addition a few of them after cruft got removed from experimental.
> >
> > All that said, with so many reverse dependencies, there might get more
> > issues appearing.
>
> I just started to have a look, most issues I've checked so far look false
> positives. But aribas on i386 wasn't tested for the glibc in experimental
> (don't know why) but it fails now in unstable and tested with glibc from
> unstable in testing with stack smashing:
> https://ci.debian.net/data/autopkgtest/testing/i386/a/aribas/17507755/log.gz

It's likely an issue on the package, but without further investigating, I can't confirm. I'll try to do that tomorrow.

> How do we handle cross-toolchain-base? It seems to need a rebuild but I
> didn't investigate if that can be just a binNMU or needs a source upload.

That would do it, but unfortunately as it is arch:all, a binNMU is not possible. I'll ask for a new upload.

Aurelien

--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net
Re: chromium: Update to version 94.0.4606.61 (security-fixes)
On 12/5/21 6:41 AM, Moritz Mühlenhoff wrote:
On Sun, Dec 05, 2021 at 10:53:56AM +0100, Paul Gevers wrote:

Exactly that. I'd suggest anyone who's interested in seeing Chromium supported to first update it in unstable (and then work towards updated in bullseye-security).

I started doing just that: https://salsa.debian.org/dilinger/chromium (v96 and misc-fixes branches).

Michel, it looks like upstream deprecated use_x11 and now relies on ozone; do you have the patches for your ozone-based packages somewhere? I tried just setting use_ozone=true in debian/rules, but there's a whole bunch of BUILD.gn inclusion stuff that breaks. Would save me a lot of time if you've already made it work.

Thanks,
Andres
NEW changes in stable-new
Processing changes file: rustc-mozilla_1.51.0+dfsg1-1~deb11u1_mips64el-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: base-files_11.1+deb11u2_amd64-buildd.changes ACCEPT Processing changes file: base-files_11.1+deb11u2_arm64-buildd.changes ACCEPT Processing changes file: base-files_11.1+deb11u2_armel-buildd.changes ACCEPT Processing changes file: base-files_11.1+deb11u2_armhf-buildd.changes ACCEPT Processing changes file: base-files_11.1+deb11u2_i386-buildd.changes ACCEPT Processing changes file: base-files_11.1+deb11u2_ppc64el-buildd.changes ACCEPT Processing changes file: base-files_11.1+deb11u2_s390x-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: base-files_11.1+deb11u2_mips64el-buildd.changes ACCEPT Processing changes file: base-files_11.1+deb11u2_mipsel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: rustc-mozilla_1.51.0+dfsg1-1~deb11u1_mipsel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: linux-signed-amd64_5.10.84+1_source.changes ACCEPT Processing changes file: linux-signed-arm64_5.10.84+1_source.changes ACCEPT Processing changes file: linux-signed-i386_5.10.84+1_source.changes ACCEPT