Bug#1006944: transition: proj
On 3/22/22 16:58, Sebastiaan Couwenberg wrote: On 3/22/22 09:44, Sebastiaan Couwenberg wrote: On 3/21/22 22:43, Sebastian Ramacher wrote: Please go ahead Thanks. proj (9.0.0-1) has been uploaded to unstable and is now built & installed on all release architectures. Thanks for scheduling the binNMUs. Dependency level 2 and 3 are done, level 4 can be scheduled. grass and r-cran-sf are done, qgis and r-cran-lwgeom can be binNMUed. Kind Regards, Bas -- GPG Key ID: 4096R/6750F10AE88D4AF1 Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
Processed: tags 1002956 -moreinfo
Processing commands for cont...@bugs.debian.org: > tags 1002956 -moreinfo Bug #1002956 [release.debian.org] bullseye-pu: package rabbitmq-server/3.8.9-3 CVE-2021-32718, CVE-2021-32719 Bug #1004513 [release.debian.org] bullseye-pu: package rabbitmq-server/3.8.9-3 Removed tag(s) moreinfo. Removed tag(s) moreinfo. > End of message, stopping processing here. Please contact me if you need assistance. -- 1002956: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002956 1004513: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004513 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1008143: nmu: uwsgi-plugin-php_2.0.20+2+0.0.13+b1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu nmu uwsgi-plugin-php_2.0.20+2+0.0.13+b1 . ANY . unstable . -m "rebuilt against uwsgi-src 2.0.20+4 to fix #1007774" uwsgi-plugin-php is currently broken in unstable (see #1007774). src:uwsgi contains the source files for uwsgi-plugin-php and has been updated to include the fix in 2.0.20+4 .
NEW changes in stable-new
Processing changes file: debian-installer_20210731+deb11u3_ppc64el-buildd.changes ACCEPT Processing changes file: debian-installer_20210731+deb11u3_s390x-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: debian-installer_20210731+deb11u3_amd64-buildd.changes ACCEPT Processing changes file: debian-installer_20210731+deb11u3_arm64-buildd.changes ACCEPT Processing changes file: debian-installer_20210731+deb11u3_armel-buildd.changes ACCEPT Processing changes file: debian-installer_20210731+deb11u3_i386-buildd.changes ACCEPT Processing changes file: debian-installer_20210731+deb11u3_mips64el-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: debian-installer_20210731+deb11u3_armhf-buildd.changes ACCEPT Processing changes file: debian-installer_20210731+deb11u3_mipsel-buildd.changes ACCEPT
Bug#1008153: bullseye-pu: package node-node-forge/0.10.0~dfsg-3+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-node-forge signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. [ Impact ] medium vulnerability [ Tests ] New test added [ Risks ] Low risk, test passed [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Better checks [ Other info ] Upstream patch applied without any change Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index b3d4bd9..2ee4aa6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-node-forge (0.10.0~dfsg-3+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix signature verification +(Closes: CVE-2022-24771, CVE-2022-24772, CVE-2022-24773) + + -- Yadd Wed, 23 Mar 2022 11:13:28 +0100 + node-node-forge (0.10.0~dfsg-3) unstable; urgency=medium [ Debian Janitor ] diff --git a/debian/patches/CVE-2022-24773.patch b/debian/patches/CVE-2022-24773.patch new file mode 100644 index 000..93b8805 --- /dev/null +++ b/debian/patches/CVE-2022-24773.patch 
@@ -0,0 +1,658 @@ +Description: fix signature verification issues (CVE-2022-24771, CVE-2022-24772, CVE-2022-24773) + **SECURITY**: Three RSA PKCS#1 v1.5 signature verification issues were + reported by Moosa Yahyazadeh (moosa-yahyaza...@uiowa.edu): + . + - Leniency in checking `digestAlgorithm` structure can lead to signature + forgery. + - The code is lenient in checking the digest algorithm structure. This can + allow a crafted structure that steals padding bytes and uses unchecked + portion of the PKCS#1 encoded message to forge a signature when a low + public exponent is being used. + - Failing to check tailing garbage bytes can lead to signature forgery. + - The code does not check for tailing garbage bytes after decoding a + `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed + and garbage data added to forge a signature when a low public exponent is + being used. + - Leniency in checking type octet. + - `DigestInfo` is not properly checked for proper ASN.1 structure. This can + lead to successful verification with signatures that contain invalid + structures but a valid digest. + . + For more information, please see "Bleichenbacher's RSA signature forgery based + on implementation error" by Hal Finney: + https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/ + . + Fixed with the following: + . + - [asn1] `fromDer` is now more strict and will default to ensuring all + input bytes are parsed or throw an error. A new option `parseAllBytes` + can disable this behavior. + - **NOTE**: The previous behavior is being changed since it can lead + to security issues with crafted inputs. It is possible that code + doing custom DER parsing may need to adapt to this new behavior and + optional flag. + - [rsa] Add and use a validator to check for proper structure of parsed + ASN.1 `RSASSA-PKCS-v1_5` `DigestInfo` data. Additionally check that + the hash algorithm identifier is a known value. 
An invalid + `DigestInfo` or algorithm identifier will now cause an error to be + thrown. + - [oid] Added `1.2.840.113549.2.2` / `md2` for hash algorithm checking. + - [tests] Tests were added for all of the reported issues. A private + verify option was added to assist in checking multiple possible + failures in the test data. +Author: David I. Lehn +Origin: upstream, https://github.com/digitalbazaar/forge/commit/3f0b49a0 +Bug: + https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765 + https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g + https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-03-23 + +--- a/lib/asn1.js b/lib/asn1.js +@@ -411,6 +411,8 @@ + * @param [options] object with options or boolean strict flag + * [strict] true to be strict when checking value lengths, false to + *allow truncated values (default: true). ++ * [parseAllBytes] true to ensure all bytes are parsed ++ *(default: true) + * [decodeBitStrings] true to attempt to decode the content of + *BIT STRINGs (not OCTET STRINGs) using strict mode. Note that + *without schema support to understand the data context this can +@@ -418,24 +420,31 @@ + *flag will be deprecated or removed as soon as schema support is + *
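Review bot: the `parseAllBytes` option documented in the lib/asn1.js hunk defaults to true, so after this update `asn1.fromDer` throws on any input with unparsed trailing bytes for every caller in bullseye, not only for the RSA verifier, while the debian/changelog hunk only says "Fix signature verification". The patch Description itself warns that code doing custom DER parsing may need to adapt; that behaviour change (and the `parseAllBytes: false` opt-out) belongs in the changelog or a NEWS entry so reverse dependencies in stable are not caught out. Minor: the single file debian/patches/CVE-2022-24773.patch carries all three CVEs, so naming it after the upstream commit (3f0b49a0) or all three identifiers would make it easier to match against the security tracker.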
Bug#1008154: buster-pu: package node-node-forge/0.8.1~dfsg-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-node-forge signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. [ Impact ] medium vulnerability [ Tests ] New test added [ Risks ] Low risk, test passed [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Better checks [ Other info ] Upstream patch applied without any change except indentation Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index bd1ee3d..a11ea65 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-node-forge (0.8.1~dfsg-1+deb10u1) buster; urgency=medium + + * Team upload + * Fix signature verification +(Closes: CVE-2022-24771, CVE-2022-24772, CVE-2022-24773) + + -- Yadd Wed, 23 Mar 2022 11:28:00 +0100 + node-node-forge (0.8.1~dfsg-1) unstable; urgency=medium [ upstream ] diff --git a/debian/patches/CVE-2022-24773.patch b/debian/patches/CVE-2022-24773.patch new file mode 100644 index 000..9f36228 --- /dev/null +++ b/debian/patches/CVE-2022-24773.patch 
@@ -0,0 +1,658 @@ +Description: fix signature verification issues (CVE-2022-24771, CVE-2022-24772, CVE-2022-24773) + **SECURITY**: Three RSA PKCS#1 v1.5 signature verification issues were + reported by Moosa Yahyazadeh (moosa-yahyaza...@uiowa.edu): + . + - Leniency in checking `digestAlgorithm` structure can lead to signature + forgery. + - The code is lenient in checking the digest algorithm structure. This can + allow a crafted structure that steals padding bytes and uses unchecked + portion of the PKCS#1 encoded message to forge a signature when a low + public exponent is being used. + - Failing to check tailing garbage bytes can lead to signature forgery. + - The code does not check for tailing garbage bytes after decoding a + `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed + and garbage data added to forge a signature when a low public exponent is + being used. + - Leniency in checking type octet. + - `DigestInfo` is not properly checked for proper ASN.1 structure. This can + lead to successful verification with signatures that contain invalid + structures but a valid digest. + . + For more information, please see "Bleichenbacher's RSA signature forgery based + on implementation error" by Hal Finney: + https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/ + . + Fixed with the following: + . + - [asn1] `fromDer` is now more strict and will default to ensuring all + input bytes are parsed or throw an error. A new option `parseAllBytes` + can disable this behavior. + - **NOTE**: The previous behavior is being changed since it can lead + to security issues with crafted inputs. It is possible that code + doing custom DER parsing may need to adapt to this new behavior and + optional flag. + - [rsa] Add and use a validator to check for proper structure of parsed + ASN.1 `RSASSA-PKCS-v1_5` `DigestInfo` data. Additionally check that + the hash algorithm identifier is a known value. 
An invalid + `DigestInfo` or algorithm identifier will now cause an error to be + thrown. + - [oid] Added `1.2.840.113549.2.2` / `md2` for hash algorithm checking. + - [tests] Tests were added for all of the reported issues. A private + verify option was added to assist in checking multiple possible + failures in the test data. +Author: David I. Lehn +Origin: upstream, https://github.com/digitalbazaar/forge/commit/3f0b49a0 +Bug: + https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765 + https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g + https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-03-23 + +--- a/lib/asn1.js b/lib/asn1.js +@@ -411,6 +411,8 @@ + * @param [options] object with options or boolean strict flag + * [strict] true to be strict when checking value lengths, false to + *allow truncated values (default: true). ++ * [parseAllBytes] true to ensure all bytes are parsed ++ *(default: true) + * [decodeBitStrings] true to attempt to decode the content of + *BIT STRINGs (not OCTET STRINGs) using strict mode. Note that + *without schema support to understand the data context this can +@@ -418,24 +420,31 @@ + *flag will be deprecated or removed as soon as schema support is + *
NEW changes in oldstable-new
Processing changes file: debian-installer_20190702+deb10u12_source.changes ACCEPT
Bug#1008161: bullseye-pu: package geeqie/1.6-9+deb11u1
Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: bullseye Severity: normal I would like to fix a bug in geeqie in bullseye where selecting several items in a file-list and then trying to deselect one item using Ctrl+click doesn't work as it should. Unfortunately this isn't reported in the Debian BTS, but the bug I reacted to is upstream [1], and the original bug [2] also showing a video of the problem. (I asked the reporter to report it in Debian, but he/she hasn't done that yet). The fix is cherry-picked from upstream, and also available in versions from 1.7 and forward, already packaged and tested in unstable. I have tested the cherry-picked fix in stable and it works. 1: https://github.com/BestImageViewer/geeqie/issues/969 2: https://github.com/BestImageViewer/geeqie/issues/939 [ Risks ] This is a small change in leaf package, should be very low risk. [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable diff -Nru geeqie-1.6/debian/changelog geeqie-1.6/debian/changelog --- geeqie-1.6/debian/changelog 2021-05-27 23:43:23.0 +0200 +++ geeqie-1.6/debian/changelog 2022-03-23 11:40:44.0 +0100 
@@ -1,3 +1,9 @@ +geeqie (1:1.6-9+deb11u1) bullseye; urgency=medium + + * Add patch to fix Ctrl click inside of a block selection + + -- Andreas Rönnquist Wed, 23 Mar 2022 11:40:44 +0100 + geeqie (1:1.6-9) unstable; urgency=medium * Remove ufraw and ufraw-batch from recommends/suggests diff -Nru geeqie-1.6/debian/patches/0008-Fix-939-Ctrl-click-inside-of-a-block-selection-resul.patch geeqie-1.6/debian/patches/0008-Fix-939-Ctrl-click-inside-of-a-block-selection-resul.patch --- geeqie-1.6/debian/patches/0008-Fix-939-Ctrl-click-inside-of-a-block-selection-resul.patch 1970-01-01 01:00:00.0 +0100 +++ geeqie-1.6/debian/patches/0008-Fix-939-Ctrl-click-inside-of-a-block-selection-resul.patch 2022-03-23 11:33:16.0 +0100 
@@ -0,0 +1,41 @@ +From: Colin Clark +Date: Sun, 9 Jan 2022 10:10:50 + +Subject: Fix #939: Ctrl-click inside of a block selection results in whole + selection being cancelled + +https://github.com/BestImageViewer/geeqie/issues/939 +--- + src/view_file/view_file_list.c | 19 ++- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/src/view_file/view_file_list.c b/src/view_file/view_file_list.c +index 6418b41..76d6422 100644 +--- a/src/view_file/view_file_list.c b/src/view_file/view_file_list.c +@@ -798,16 +798,17 @@ static gboolean vflist_select_cb(GtkTreeSelection *selection, GtkTreeModel *stor + GtkTreeIter iter; + GtkTreePath *cursor_path; + +- gtk_tree_view_get_cursor(GTK_TREE_VIEW(vf->listview), &cursor_path, NULL); +- if (cursor_path) +- { +- gtk_tree_model_get_iter(store, &iter, cursor_path); +- gtk_tree_model_get(store, &iter, FILE_COLUMN_POINTER, &VFLIST(vf)->select_fd, -1); +- gtk_tree_path_free(cursor_path); +- } +- else ++ VFLIST(vf)->select_fd = NULL; ++ ++ if (!path_currently_selected && gtk_tree_model_get_iter(store, &iter, tpath)) + { +- VFLIST(vf)->select_fd = NULL; ++ gtk_tree_view_get_cursor(GTK_TREE_VIEW(vf->listview), &cursor_path, NULL); ++ if (cursor_path) ++ { ++ gtk_tree_model_get_iter(store, &iter, cursor_path); ++ gtk_tree_model_get(store, &iter, FILE_COLUMN_POINTER, &VFLIST(vf)->select_fd, -1); ++ gtk_tree_path_free(cursor_path); ++ } + } + + if (vf->layout && diff -Nru geeqie-1.6/debian/patches/series geeqie-1.6/debian/patches/series --- geeqie-1.6/debian/patches/series 2021-03-10 13:38:32.0 +0100 +++ geeqie-1.6/debian/patches/series 2022-03-23 11:33:16.0 +0100 @@ -5,3 +5,4 @@ 0005-Fix-822-The-image-rotation-keys-and-affect-the-wrong.patch 0006-Fix-860-871-remote-and-slideshow-on-startup.patch 0007-Fix-644-Images-fail-to-render-on-MacOS.patch +0008-Fix-939-Ctrl-click-inside-of-a-block-selection-resul.patch
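Review bot: in the view_file_list.c hunk the new outer `gtk_tree_model_get_iter(store, &iter, tpath)` is checked before use, but the inner `gtk_tree_model_get_iter(store, &iter, cursor_path)` that follows still ignores its return value, so a stale cursor path leaves `iter` unset when `gtk_tree_model_get(store, &iter, FILE_COLUMN_POINTER, &VFLIST(vf)->select_fd, -1)` reads it; mirror the new check there (`if (cursor_path && gtk_tree_model_get_iter(store, &iter, cursor_path))`) while this code is being touched. The behavioural change itself looks right: `select_fd` now stays NULL whenever `path_currently_selected` is true, which is exactly the Ctrl-click deselect case from issue #939.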
Bug#1008162: bullseye-pu: package node-minimist/1.2.5+~cs5.3.1-2+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-minimist is vulnerable to a prototype pollution not totally fixed by CVE-2020-7598 patch (pushed in 1.2.5-1 and 1.2.0-1+deb10u1) [ Impact ] Medium vulnerability [ Tests ] Test updated by upstream, passed [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Better object check Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index c2fbfe1..a2262fa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-minimist (1.2.5+~cs5.3.1-2+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2021-44906) + + -- Yadd Wed, 23 Mar 2022 12:33:02 +0100 + node-minimist (1.2.5+~cs5.3.1-2) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-44906.patch b/debian/patches/CVE-2021-44906.patch new file mode 100644 index 000..36bee5f --- /dev/null +++ b/debian/patches/CVE-2021-44906.patch 
@@ -0,0 +1,59 @@ +Description: Fix for prototype pollution + The initial fix for prototype pollution (cf. SNYK-JS-MINIMIST-559764) in + setKey() was insufficient. +Author: Yadd +Origin: upstream, https://github.com/substack/minimist/pull/165 +Bug: https://github.com/substack/minimist/issues/164 +Forwarded: not-needed +Last-Update: 2022-03-23 + +--- a/index.js b/index.js +@@ -70,7 +70,7 @@ + var o = obj; + for (var i = 0; i < keys.length-1; i++) { + var key = keys[i]; +-if (key === '__proto__') return; ++if (isConstructorOrProto(o, key)) return; + if (o[key] === undefined) o[key] = {}; + if (o[key] === Object.prototype || o[key] === Number.prototype + || o[key] === String.prototype) o[key] = {}; +@@ -79,7 +79,7 @@ + } + + var key = keys[keys.length - 1]; +-if (key === '__proto__') return; ++if (isConstructorOrProto(o, key)) return; + if (o === Object.prototype || o === Number.prototype + || o === String.prototype) o = {}; + if (o === Array.prototype) o = []; +@@ -243,3 +243,7 @@ + return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x); + } + ++ ++function isConstructorOrProto (obj, key) { ++return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__'; ++} +--- a/test/proto.js b/test/proto.js +@@ -42,3 +42,19 @@ + t.equal(argv.y, undefined); + t.end(); + }); ++ ++test('proto pollution (constructor function)', function (t) { ++var argv = parse(['--_.concat.constructor.prototype.y', '123']); ++function fnToBeTested() {} ++t.equal(fnToBeTested.y, undefined); ++t.equal(argv.y, undefined); ++t.end(); ++}); ++ ++// powered by snyk - https://github.com/backstage/backstage/issues/10343 ++test('proto pollution (constructor function) snyk', function (t) { ++var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' ')); ++t.equal((function(){}).foo, undefined); ++t.equal(argv.y, undefined); ++t.end(); ++}) diff --git a/debian/patches/series b/debian/patches/series index 81a5e8e..eee91a0 100644 --- a/debian/patches/series 
+++ b/debian/patches/series @@ -1 +1,2 @@ nodejs.patch +CVE-2021-44906.patch
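Review bot: in the test/proto.js hunk the second new test parses `--_.constructor.constructor.prototype.foo bar` but then asserts `t.equal(argv.y, undefined)`; the key being written is `foo`, so that assertion can never fail and should be `argv.foo` (or dropped, since `(function(){}).foo` is the pollution check that matters). In the index.js hunk, `isConstructorOrProto` only rejects `constructor` when `obj[key]` is a function, which is the right scope: it blocks the hop from any function (here `Array.prototype.concat`) to `Function` and on to `Function.prototype` while still allowing a literal `constructor` key on plain data. The patch is upstream PR 165 verbatim, so the test nit is best raised upstream rather than diverging in Debian.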
Bug#1008163: buster-pu: package node-minimist/1.2.0-1+deb10u2
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-minimist is vulnerable to a prototype pollution not totally fixed by CVE-2020-7598 patch (pushed in 1.2.5-1 and 1.2.0-1+deb10u1) [ Impact ] Medium vulnerability [ Tests ] Test updated by upstream, passed locally (sadly not enabled in buster) [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Better object check Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 327fcb5..5d1f9d5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-minimist (1.2.0-1+deb10u2) buster; urgency=medium + + * Fix prototype pollution (Closes: CVE-2021-44906) + + -- Yadd Wed, 23 Mar 2022 12:42:36 +0100 + node-minimist (1.2.0-1+deb10u1) buster; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-44906.patch b/debian/patches/CVE-2021-44906.patch new file mode 100644 index 000..8f26607 --- /dev/null +++ b/debian/patches/CVE-2021-44906.patch 
@@ -0,0 +1,59 @@ +Description: Fix for prototype pollution + The initial fix for prototype pollution (cf. SNYK-JS-MINIMIST-559764) in + setKey() was insufficient. +Author: Yadd +Origin: upstream, https://github.com/substack/minimist/pull/165 +Bug: https://github.com/substack/minimist/issues/164 +Forwarded: not-needed +Last-Update: 2022-03-23 + +--- a/index.js b/index.js +@@ -70,7 +70,7 @@ + var o = obj; + for (var i = 0; i < keys.length-1; i++) { + var key = keys[i]; +-if (key === '__proto__') return; ++if (isConstructorOrProto(o, key)) return; + if (o[key] === undefined) o[key] = {}; + if (o[key] === Object.prototype || o[key] === Number.prototype + || o[key] === String.prototype) o[key] = {}; +@@ -79,7 +79,7 @@ + } + + var key = keys[keys.length - 1]; +-if (key === '__proto__') return; ++if (isConstructorOrProto(o, key)) return; + if (o === Object.prototype || o === Number.prototype + || o === String.prototype) o = {}; + if (o === Array.prototype) o = []; +@@ -243,3 +243,7 @@ + return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x); + } + ++ ++function isConstructorOrProto (obj, key) { ++return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__'; ++} +--- a/test/parse.js b/test/parse.js +@@ -195,3 +195,19 @@ + t.same(argv.beep, { boop : true }); + t.end(); + }); ++ ++test('proto pollution (constructor function)', function (t) { ++var argv = parse(['--_.concat.constructor.prototype.y', '123']); ++function fnToBeTested() {} ++t.equal(fnToBeTested.y, undefined); ++t.equal(argv.y, undefined); ++t.end(); ++}); ++ ++// powered by snyk - https://github.com/backstage/backstage/issues/10343 ++test('proto pollution (constructor function) snyk', function (t) { ++var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' ')); ++t.equal((function(){}).foo, undefined); ++t.equal(argv.y, undefined); ++t.end(); ++}) diff --git a/debian/patches/series b/debian/patches/series index 01db0e3..71e31e0 100644 --- a/debian/patches/series 
+++ b/debian/patches/series @@ -1,2 +1,3 @@ nodejs.patch CVE-2020-7598.diff +CVE-2021-44906.patch
Bug#1008164: RM: obfs4proxy/0.0.8-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Opening this bug after a recommendation from debian-security. Version 0.0.8 of obfs4proxy has a security bug, which has only been fixed in a later version (0.0.13, see bug number #1004374), and also suffers from incompatibility issues with later versions of the package. Version 0.0.13 is already in bullseye-backports.
Bug#1008166: bullseye-pu: package debian-edu-config/2.11.56+deb11u4
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: debian-...@lists.debian.org [ Reason ] While setting up a new Debian Edu school in Dec/Jan 2021/2022 several issues popped up in Debian Edu 11 that have now been resolved in Debian Edu testing/unstable and many of the fixes we would love to see available in Debian Edu 11, as well. [ Impact ] For Debian Edu, the proposed 2.11.56+deb11u4 version of debian-edu-config will provide many problem solutions for issues that have been encountered with the current version of debian-edu-config (main package for Debian Edu 11). [ Tests ] (What automated or manual tests cover the affected code?) [ Risks ] For non-Debian-Edu users there will be no risk, at all. For Debian Edu users new issues may be introduced (hopefully not!), esp. due to the large number of fixes provided / code changes shipped in 2.11.56+deb11u4. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] + [ Wolfgang Schweer ] + * etc/exim4/exim-ldap-server-v4.conf: Accept incoming mail from internal +network sent to root@. (Closes: #1003727). -> TJENER's mainserver is configured as a local MTA collecting system mails from Debian Edu clients. Such mails have been refused by TJENER's exim configuration before (since Debian Edu 11). + * Use mktemp instead of deprecated tempfile, adjust: +- etc/X11/Xsession-debian-edu +- sbin/debian-edu-update-netblock +- share/debian-edu-config/tools/gosa-sync +- testsuite/postoffice +(Closes: #1005352). -> The 'tempfile' executable produces warning messages about being deprecated when used. The 'mktemp' file does not. + [ Mike Gabriel ] + * share/d-e-c/tools/gosa-modify-host: Only create Kerberos host and service +principals if they don't yet exist. (Closes: #1002014). 
-> The above issue has been critical for Debian Edu 11 setups and was only spotted recently. Whenever a system entry in GOsa² was edited, the Krb5 principal would change. This led to login failures on Debian Edu clients (after a GOsa² edit of the system entry in LDAP). + * share/d-e-c/tools/gosa-create-host: Fix copy+paste flaw in comment. -> Well, maybe not release critical, but comment mentioned stuff about user accounts while this script is for host accounts. + * share/debian-edu-config/tools/setup-freeradius-server: Fix integer +comparison in run-by-root check. Script was not executable fully (not even +as root). -> Make the setup-freeradius-server usable without manual editing of the script before usage. + * debian/debian-edu-config.fetch-ldap-cert: Drop retrieval of +Debian-Edu_rootCA from this script. This now is the task of the +fetch-rootca-cert script. (Closes: #971780). -> fetch-ldap-cert init script and fetch-rootca-cert script had some common functionality (retrieval of the .intern domain's rootCA by clients). After fetch-rootca-cert was added, we failed to reduce functionality of fetch-ldap-cert. On Debian Edu clients, these two scripts were actually interfering with one another. + * debian/debian-edu-config.fetch-rootca-cert: Ensure proper symlinking of +Debian-Edu_rootCA.crt in /usr/local/share/ca-certificates/ to +Debian-Edu_rootCA.crt in /etc/ssl/ca-certificates. Forced symlinking is +required, because earlier versions of the fetch-ldap-cert init script put +Debian-Edu_rootCA.crt into /etc/ssl/ca-certificates/ as a file. Forced +symlinking replaces files by the wanted symlink. The -n option (no- +dereference) is required to make sure we don't follow any already existing +symlink. (This relates to #971780). -> Fix an issue resulting from fetch-ldap-cert performing the rootCA download differently from fetch-rootca-cert in previous versions of debian-edu-config. 
With the change explained above, the transition of Debian Edu clients based on debian-edu-config 2.11.56+deb11u3 (and earlier) to debian-edu-config 2.11.56+deb11u4 should be smooth. + * share/debian-edu-config/tools/update-proxy-from-wpad: +- Fix typo (wrong protocol) in APT proxy config creation. +- Create a Debian Edu specific proxy configuration in /etc/apt/apt.conf.d/ + named 03debian-edu-config rather than meddling with /etc/apt/apt.conf + directly. Clean up any earlier meddling from apt.conf, as well. (Closes: + #1003560). -> Stop meddling with /etc/apt/apt.conf directly, use a debian-edu-config namespace file instead. Also, this allows deployment of Debian Edu systems using FAI (and lets FAI's default http proxy configuration supersede Debian Edu's proxy configuration). + * share/debian-edu-config/tools/{update-proxy-from-wpad,wpad-extra}: +- Don't fail if proxy update is not possible, only send warnings to stderr + and syslog. Don't
Bug#1008166: bullseye-pu: package debian-edu-config/2.11.56+deb11u4
Hi again, On Wed 23 Mar 2022 13:19:54 CET, Mike Gabriel wrote: [ Tests ] (What automated or manual tests cover the affected code?) I forgot to mention the nature of the performed tests. All code changes were tested in the field on at least 2 sometimes 3 Debian Edu production sites. All resolved problems were problems that were encountered in the field on one of my production Debian Edu 11 setups. The solutions / bug fixes were first developed and tested on-premise. Once the wanted functionality was achieved, the changes were provided for Debian Edu testing/unstable and then backported to 2.11.56+deb11u4 of debian-edu-config. The on-premise solutions were then removed and replaced by preview versions of debian-edu-config 2.11.56+deb11u4 and tested again. Greets, Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net
Bug#1008168: bullseye-pu: package node-url-parse/1.5.3-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-url-parse is vulnerable to an authorization Bypass Through User-Controlled (CVE-2022-0686). [ Impact ] medium vulnerability [ Tests ] Test updated, passed [ Risks ] Low risk, patch is trivial and new test passed [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Better checks. Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 175b525..67a3dca 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-url-parse (1.5.3-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Handle the case where the port is specified but empty(Closes: CVE-2022-0686) + + -- Yadd Wed, 23 Mar 2022 14:20:54 +0100 + node-url-parse (1.5.3-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-0686.patch b/debian/patches/CVE-2022-0686.patch new file mode 100644 index 000..12cab4c --- /dev/null +++ b/debian/patches/CVE-2022-0686.patch 
@@ -0,0 +1,92 @@ +Description: Handle the case where the port is specified but empty +Author: Luigi Pinca +Origin: upstream, https://github.com/unshiftio/url-parse/commit/d5c64791 +Bug: https://huntr.dev/bounties/55fd06cd-9054-4d80-83be-eb5a454be78c +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-03-23 + +--- a/index.js b/index.js +@@ -3,6 +3,7 @@ + var required = require('requires-port') + , qs = require('querystringify') + , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\// ++ , port = /:\d+$/ + , protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\\/]+)?([\S\s]*)/i + , windowsDriveLetter = /^[a-zA-Z]:/ + , whitespace = '[\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]' +@@ -39,7 +40,7 @@ + ['/', 'pathname'],// Extract from the back. + ['@', 'auth', 1], // Extract from the front. + [NaN, 'host', undefined, 1, 1], // Set left over value. +- [/:(\d+)$/, 'port', undefined, 1],// RegExp the back. ++ [/:(\d*)$/, 'port', undefined, 1],// RegExp the back. + [NaN, 'hostname', undefined, 1, 1]// Set left over. + ]; + +@@ -433,7 +434,7 @@ + case 'host': + url[part] = value; + +- if (/:\d+$/.test(value)) { ++ if (port.test(value)) { + value = value.split(':'); + url.port = value.pop(); + url.hostname = value.join(':'); +@@ -490,6 +491,7 @@ + + var query + , url = this ++, host = url.host + , protocol = url.protocol; + + if (protocol && protocol.charAt(protocol.length - 1) !== ':') protocol += ':'; +@@ -502,7 +504,15 @@ + result += '@'; + } + +- result += url.host + url.pathname; ++ // ++ // Trailing colon is removed from `url.host` when it is parsed. If it still ++ // ends with a colon, then add back the trailing colon that was removed. This ++ // prevents an invalid URL from being transformed into a valid one. 
++ // ++ if (host[host.length - 1] === ':' || (port.test(url.hostname) && !url.port)) { ++host += ':'; ++ } ++ result += host + url.pathname; + + query = 'object' === typeof url.query ? stringify(url.query) : url.query; + if (query) result += '?' !== query.charAt(0) ? '?'+ query : query; +--- a/test/test.js b/test/test.js +@@ -401,6 +401,28 @@ + assume(parsed.slashes).is.true(); + }); + ++ it('handles the case where the port is specified but empty', function () { ++var parsed = parse('http://example.com:'); ++ ++assume(parsed.protocol).equals('http:'); ++assume(parsed.port).equals(''); ++assume(parsed.host).equals('example.com'); ++assume(parsed.hostname).equals('example.com'); ++assume(parsed.pathname).equals('/'); ++assume(parsed.origin).equals('http://example.com'); ++assume(parsed.href).equals('http://example.com/'); ++ ++parsed = parse('http://example.com::'); ++ ++assume(parsed.protocol).equals('http:'); ++assume(parsed.port).equals(''); ++assume(parsed.host).equals('example.com:'); ++assume(parsed.hostname).equals('example.com:'); ++assume(parsed.pathname).equals('/'); ++assume(parsed.origin).equals('http://example.com:'); ++assume(parsed.href).equals('http://example.com::/'); ++ }); ++ + describe('origin', function () { + it('generates an origin property', function () { + var url = 'http://google.com:80/pathname' diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..2b5fec1 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2022-0686.patch
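Review bot: the debian/changelog hunk writes `empty(Closes: CVE-2022-0686)`, but `Closes:` is only acted on for BTS bug numbers (`#NNNNNN`), so a CVE identifier there closes nothing, and a space is missing before the parenthesis. Suggest `* Handle the case where the port is specified but empty (CVE-2022-0686)` and, if a Debian bug exists for this issue, a separate `Closes: #NNNNNN`.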
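Review bot: in the first index.js hunk the new `port` constant is `/:\d+$/` (one or more digits), while the rules table in the following hunk is relaxed from `/:(\d+)$/` to `/:(\d*)$/` (zero or more). The asymmetry looks intentional, since the rules table has to consume the empty port of `example.com:` so that `parsed.port` becomes `''` while `set('host', ...)` and `toString()` should only treat a real numeric suffix as a port, but nothing in the diff says so. A one-line comment next to `port = /:\d+$/` explaining why it must not be `\d*` would stop the next reader from "fixing" the inconsistency.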
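Review bot: in the `toString()` hunk, `host[host.length - 1]` assumes `url.host` is always a string; for a `Url` object whose `host` is `undefined` the indexing throws a TypeError where the old `url.host + url.pathname` merely produced a string containing `undefined`. Either guard the check (`host && host[host.length - 1] === ':'`) or state in the new comment block that `host` is always a string once the object has been parsed.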
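Review bot: the new test case exercises `http://example.com:` and `http://example.com::`, i.e. the first branch of the `toString()` condition (`host` ending in `:`), but not the second branch, `port.test(url.hostname) && !url.port`, which appears to be reached when a numeric port is followed by an empty one. A case such as `parse('http://example.com:80:')` with an assertion on `href` would cover it; otherwise that branch ships untested.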
Processed: affects 1008143
Processing commands for cont...@bugs.debian.org: > affects 1008143 uwsgi-plugin-php Bug #1008143 [release.debian.org] nmu: uwsgi-plugin-php_2.0.20+2+0.0.13+b1 Added indication that 1008143 affects uwsgi-plugin-php > thanks Stopping processing here. Please contact me if you need assistance. -- 1008143: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008143 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1007905: transition: icu
On Sat, 19 Mar 2022 at 09:28:49 +0200, Adrian Bunk wrote: > On Fri, Mar 18, 2022 at 06:05:38PM +, Simon McVittie wrote: > > Obviously all these copies of essentially the same codebase are quite > > unfortunate, but mozjs and ICU seem to be sufficiently tightly-coupled > > that perhaps using its vendored version of ICU, at least temporarily, > > would be wiser than using the system copy? > > IMHO unblocking GNOME by temporarily making mozjs91 use its vendored > version until the ICU transition would be a reasonable approach. I've followed Adrian's suggestion and uploaded a version of mozjs91 to experimental that uses the vendored copy of ICU, decoupling it from this transition. jbicha is planning to upload that to unstable shortly. This also has the advantage that more of the mozjs91 test-suite passes. Several tests unfortunately make assertions about ICU behaviours that can validly change from release to release, like the precise formatting of datetime strings in various languages - I don't think Mozilla upstream really support swapping it out for a system copy. On Mon, 21 Mar 2022 at 06:50:34 +0100, László Böszörményi wrote: > Can you elucidate why Ubuntu would be forced to do the ICU 71.1 > transition for their current to be released LTS version? They would not, but it'll mean we can't be as confident about changes made in Debian being equally valid for Ubuntu or vice versa. > As noted, mozjs78 and 0ad FTBFS in my pbuilder setups. That's interesting, 0ad built fine for me against 70.1 on a porterbox (i386 on barriere) - and its vendored copy of mozjs78 is built with i18n disabled (--without-intl-api), which should in principle disable the ICU dependency. I'm not sure what's going on there. mozjs78 is expected to FTBFS in most ICU transitions, because as with mozjs91, its test-suite makes a lot of assertions about things that are really ICU behaviours rather than mozjs behaviours, and change from version to version. 
As Adrian suggested, I've done an upload to experimental that switches it to use the vendored ICU. This can be uploaded to unstable whenever needed. After we move gjs from mozjs78 to mozjs91 (which jbicha is preparing now), mozjs78 will only be in Debian for the benefit of cjs and policykit-1/experimental, both of which I hope will move away from mozjs78 before bookworm. smcv
Bug#1007905: transition: icu
On Wed, Mar 23, 2022 at 10:53 AM Simon McVittie wrote: > On Mon, 21 Mar 2022 at 06:50:34 +0100, László Böszörményi wrote: > > As noted, mozjs78 and 0ad FTBFS in my pbuilder setups. > > That's interesting, 0ad built fine for me against 70.1 on a porterbox > (i386 on barriere) - and its vendored copy of mozjs78 is built with > i18n disabled (--without-intl-api), which should in principle disable > the ICU dependency. I'm not sure what's going on there. 0ad will fail to build if you pull in everything else from experimental. See the patch at https://bugs.debian.org/1008075 Thanks, Jeremy Bicha
Bug#1007906: transition: mutter
Control: tags -1 - moreinfo On Fri, 18 Mar 2022 at 12:00:56 +, Simon McVittie wrote: > As usual, this includes a libmutter ABI break, from libmutter-9-0 to > libmutter-10-0. Suitable versions of gnome-shell and budgie-desktop are > already available in experimental. The GNOME team is ready for this transition now. As usual, lots of Shell extensions are affected by API changes and will need porting or removal, but as usual, I think removing the affected Shell extensions from testing is a better answer than waiting for all of them to be fixed: if we allowed optional addons to prevent GNOME from being updated, then we'd be stuck on some much older version forever. > However, before we can do this transition, we will need to get gjs 1.72 > into unstable; that in turn requires mozjs91, which requires either a > transition to icu 70 (#1007905), or changing mozjs91 to use its vendored > copy of icu for now. I uploaded a version of mozjs91 to experimental that uses the vendored copy of ICU, and jbicha is going to move that to unstable shortly. smcv
Processed: Re: Bug#1007906: transition: mutter
Processing control commands: > tags -1 - moreinfo Bug #1007906 [release.debian.org] transition: mutter Removed tag(s) moreinfo. -- 1007906: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007906 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
NEW changes in oldstable-new
Processing changes file: debian-installer_20190702+deb10u12_arm64-buildd.changes ACCEPT Processing changes file: debian-installer_20190702+deb10u12_mips-buildd.changes ACCEPT
NEW changes in oldstable-new
Processing changes file: debian-installer_20190702+deb10u12_amd64-buildd.changes ACCEPT Processing changes file: debian-installer_20190702+deb10u12_armel-buildd.changes ACCEPT Processing changes file: debian-installer_20190702+deb10u12_i386-buildd.changes ACCEPT Processing changes file: debian-installer_20190702+deb10u12_s390x-buildd.changes ACCEPT
NEW changes in oldstable-new
Processing changes file: debian-installer_20190702+deb10u12_armhf-buildd.changes ACCEPT Processing changes file: debian-installer_20190702+deb10u12_mipsel-buildd.changes ACCEPT
NEW changes in oldstable-new
Processing changes file: debian-installer_20190702+deb10u12_mips64el-buildd.changes ACCEPT
NEW changes in oldstable-new
Processing changes file: debian-installer_20190702+deb10u12_ppc64el-buildd.changes ACCEPT
Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
On Tue, 2022-03-22 at 22:13 +0100, Sebastian Andrzej Siewior wrote:
> On 2022-03-22 21:47:52 [+0100], Kurt Roeckx wrote:
> > On Tue, Mar 22, 2022 at 08:19:01PM +, Adam D. Barratt wrote:
> > > OpenSSL signature algorithm check tightening
> > > =
> > >
> > > The OpenSSL update included in this point release includes a
> > > change to
> > > ensure that the requested signature algorithm is supported by the
> > > active security level.
> > >
> > > Although this will not affect most use-cases, it could lead to
> > > error
> > > messages being generated if a non-supported algorithm is
> > > requested -
> > > for example, use of SHA1 with the default security level of 2. In
> > > such
> > > cases, the security level will need to be explicitly lowered when
> > > invoking OpenSSL, using an option such as
> > >
> > > -cipher "ALL:@SECLEVEL=1"
> > > "
> >
> > So reading it again, I think the "when invoking OpenSSL" is
> > confusing.
> > Not only the openssl binary is affected, but also all clients and
> > server applications making use of the library are. Some
> > applications
> > might have a way to set the cipher in their own configuration file,
> > others might need to change the defaults in /etc/ssl/openssl.cfg
>
> s/openssl.cfg/openssl.cnf

Right, let's have another go at this then:

"
OpenSSL signature algorithm check tightening
=

The OpenSSL update provided in this point release includes a change to ensure that the requested signature algorithm is supported by the active security level.

Although this will not affect most use-cases, it could lead to error messages being generated if a non-supported algorithm is requested - for example, use of RSA+SHA1 signatures with the default security level of 2.

In such cases, the security level will need to be explicitly lowered, either for individual requests or more globally. This may require changes to the configuration of applications. For OpenSSL itself, per-request lowering can be achieved using a command-line option such as

-cipher "ALL:@SECLEVEL=1"

with the relevant system-level configuration being found in /etc/ssl/openssl.cnf
"

Is that any better? Further suggestions welcome, but I'm trying not to make it longer than the rest of the text combined. :-)

Regards,

Adam
Processed: tagging 1008164
Processing commands for cont...@bugs.debian.org: > tags 1008164 + bullseye Bug #1008164 [release.debian.org] RM: obfs4proxy/0.0.8-1 Added tag(s) bullseye. > thanks Stopping processing here. Please contact me if you need assistance. -- 1008164: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008164 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1008143: marked as done (nmu: uwsgi-plugin-php_2.0.20+2+0.0.13+b1)
Your message dated Wed, 23 Mar 2022 19:44:10 +0100 with message-id <058cf01c-ff8e-fb65-1d0f-1882ffde2...@debian.org> and subject line Re: Bug#1008143: nmu: uwsgi-plugin-php_2.0.20+2+0.0.13+b1 has caused the Debian Bug report #1008143, regarding nmu: uwsgi-plugin-php_2.0.20+2+0.0.13+b1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1008143: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008143 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu nmu uwsgi-plugin-php_2.0.20+2+0.0.13+b1 . ANY . unstable . -m "rebuilt against uwsgi-src 2.0.20+4 to fix #1007774" uwsgi-plugin-php is currently broken in unstable (see #1007774). src:uwsgi contains the source files for uwsgi-plugin-php and has been updated to include the fix in 2.0.20+4 . --- End Message --- --- Begin Message --- Hi, On 23-03-2022 09:53, Alexandre Rossi wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu nmu uwsgi-plugin-php_2.0.20+2+0.0.13+b1 . ANY . unstable . -m "rebuilt against uwsgi-src 2.0.20+4 to fix #1007774" uwsgi-plugin-php is currently broken in unstable (see #1007774). src:uwsgi contains the source files for uwsgi-plugin-php and has been updated to include the fix in 2.0.20+4 . Two comments: 1) A reference (or quote) of https://sources.debian.org/src/uwsgi-plugin-php/0.0.13/debian/README.source/ would have been useful as this construct is not very common. The request rang bells as binNMU is normally the wrong solution. 
2) bug 1007774 could have been cloned and reassigned to uwsgi-plugin-php. Anyways, rebuild scheduled. Paul --- End Message ---
Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance
On 2022-03-23 17:40:59 [+], Adam D. Barratt wrote:
> Right, let's have another go at this then:
>
> "
> OpenSSL signature algorithm check tightening
> =
>
> The OpenSSL update provided in this point release includes a
> change to ensure that the requested signature algorithm is
> supported by the active security level.
>
> Although this will not affect most use-cases, it could lead to
> error messages being generated if a non-supported algorithm is
> requested - for example, use of RSA+SHA1 signatures with the default
> security level of 2.
>
> In such cases, the security level will need to be explicitly
> lowered, either for individual requests or more globally. This
> may require changes to the configuration of applications. For
> OpenSSL itself, per-request lowering can be achieved using a
> command-line option such as
>
> -cipher "ALL:@SECLEVEL=1"
>
> with the relevant system-level configuration being found in
> /etc/ssl/openssl.cnf
> "
>
> Is that any better? Further suggestions welcome, but I'm trying not to
> make it longer than the rest of the text combined. :-)

This is good, Adam, thank you. I have nothing to add.

> Regards,
>
> Adam

Sebastian
Bug#1008184: nmu: unknown packages affected by dpkg-dev bug #1000421
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: binnmu

Hi!

The objdump tool changed its output for copy relocations for versioned symbols (from @@ to @) in binutils 2.26 (uploaded on 2016-01). This has caused dpkg-shlibdeps to ignore some of those symbols and potentially end up generating version restrictions that are less than required. (This was dpkg bug #1000421.)

So this involves shared libraries using versioned symbols, for symbols that are objects (variables instead of functions or methods), on architectures that emit copy relocations for these. On my checks these were at least any-amd64, hppa and m68k.

A small example on linux-amd64:

,--- copyrel.c ---
#include <unistd.h>   /* declares the versioned object symbol optind */

int main() { return optind; }
`---

,--- (stretch) ---
$ make copyrel
$ objdump -R copyrel | grep R_[^ ]*_COPY
00201028 R_X86_64_COPY optind@@GLIBC_2.2.5
`---

,--- (sid) ---
$ make copyrel
$ objdump -R copyrel | grep R_[^ ]*_COPY
4028 R_X86_64_COPY optind@GLIBC_2.2.5
`---

What unearthed this was a recentish glibc upload that AFAIR has started merging its libpthread library into libc proper, and added a new symbol for a variable (__libc_single_threaded@GLIBC_2.32).

I guess the archive should be checked for other instances of at least that glibc issue, because that can affect partial upgrades in a pretty nasty way (with programs being unable to be run-time linked). So that would imply any program that has been:

* built against glibc >= 2.32-0experimental0
* built using binutils >= 2.26
* built using dpkg-dev < 1.21.0
* containing a copy reloc for __libc_single_threaded:
  objdump -R $prog | grep 'R_[^ ]*_COPY .* __libc_single_threaded'

Most of this information should be available at least from the .buildinfo files.

This could have affected other programs using other versioned variables from other shared libraries, for quite some time, but not that many shared libraries use versioned symbols, but checking that would imply more effort to detect. :/

Thanks,
Guillem
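The check Guillem describes, as an added example that is not part of his mail or of dpkg: a small POSIX shell/awk filter that reads `objdump -R` output and lists copy relocations against versioned object symbols while accepting both the pre-2.26 `sym@@VERSION` spelling and the current `sym@VERSION` one, which is exactly the normalisation dpkg-shlibdeps lacked. The objdump listings embedded below are constructed sample output, not captured from a real binary; on a real system you would pipe `objdump -R "$prog"` into `copy_relocs` instead.

```shell
#!/bin/sh
# Added example (not from the mail or from dpkg): find copy relocations
# against versioned object symbols in "objdump -R" output, tolerating
# both the binutils < 2.26 "sym@@VER" and the >= 2.26 "sym@VER" spelling.

# Normalise an "objdump -R" listing on stdin to lines "SYMBOL VERSION".
# Only *_COPY relocation records are kept; header lines have no _COPY type.
copy_relocs() {
  awk '$2 ~ /_COPY$/ { n = split($3, f, /@+/); if (n == 2) print f[1], f[2] }'
}

# Given "SYMBOL VERSION" lines on stdin, succeed (exit 0) when the program
# copies __libc_single_threaded@GLIBC_2.32, i.e. it needs libc6 >= 2.32
# even if dpkg-shlibdeps < 1.21.0 failed to record that (dpkg bug #1000421).
needs_glibc_232() {
  awk '$1 == "__libc_single_threaded" && $2 == "GLIBC_2.32" { found = 1 }
       END { exit !found }'
}

# Constructed sample listings: old binutils spelling, then new spelling.
SAMPLE_OLD='DYNAMIC RELOCATION RECORDS
OFFSET           TYPE              VALUE
0000000000201028 R_X86_64_COPY     optind@@GLIBC_2.2.5
0000000000201030 R_X86_64_COPY     stdout@@GLIBC_2.2.5'

SAMPLE_NEW='DYNAMIC RELOCATION RECORDS
OFFSET           TYPE              VALUE
0000000000004028 R_X86_64_COPY     optind@GLIBC_2.2.5
0000000000004030 R_X86_64_COPY     __libc_single_threaded@GLIBC_2.32
0000000000003fe0 R_X86_64_GLOB_DAT __libc_start_main@GLIBC_2.34'

relocs_old() { printf '%s\n' "$SAMPLE_OLD" | copy_relocs; }
relocs_new() { printf '%s\n' "$SAMPLE_NEW" | copy_relocs; }

# Real use, for every ELF program in a package:
#   for p in /usr/bin/*; do
#     objdump -R "$p" 2>/dev/null | copy_relocs | needs_glibc_232 && echo "$p"
#   done
```

The filter only reports `*_COPY` relocations because those are the ones dpkg-shlibdeps derives minimum library versions from for object symbols; `GLOB_DAT` and `JUMP_SLOT` entries for functions are left alone, so the sample's `__libc_start_main@GLIBC_2.34` line is deliberately not listed.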
Bug#1008184: nmu: unknown packages affected by dpkg-dev bug #1000421
On Wed, Mar 23, 2022 at 11:29:48PM +0100, Guillem Jover wrote: >... > What unearthed this was a recentish glibc upload that AFAIR has started > merging its libpthread library into libc proper, and added a new symbol > for a variable (__libc_single_threaded@GLIBC_2.32). The merging only happens in 2.34 (currently in experimental), but this new way of detecting multithreading was added in 2.32. > I guess the archive should be checked for other instances of at least > that glibc issue, because that can affect partial upgrades in a pretty > nasty way (with programs being unable to be run-time linked). So that > would imply any program that has been: > > * built against glibc >= 2.32-0experimental0 > * built using binutils >= 2.26 > * built using dpkg-dev < 1.21.0 FTR, this seems to be a 2 month window (give or take a few days due to buildd chroots being updated only twice per week): https://tracker.debian.org/news/1255840/accepted-glibc-232-1-source-into-unstable/ https://tracker.debian.org/news/1284072/accepted-dpkg-1210-source-into-unstable/ > * containing a copy reloc for __libc_single_threaded: > objdump -R $prog | grep 'R_[^ ]*_COPY .* __libc_single_threaded' > > Most of this information should be available at least from the .buildinfo > files. Relevant is also that the binary packages do not already have dependencies on libc6 >= 2.32 for other reasons. >... > This could have affected other programs using other versioned variables > from other shared libraries, for quite some time, but not that many shared > libraries use versioned symbols, but checking that would imply more effort > to detect. :/ Versioned symbols are common, but: >... > So this involves shared libraries using versioned symbols, for symbols > that are objects (variables instead of functions or methods), >... Global variables as part of a library API are usually considered bad practice, and then you'd need a case where such a new variable is used but no new function. 
__libc_single_threaded is special, and looking at cppcheck the problem occurs in practice mainly due to libstdc++ using it for atomics in its headers when available. > Thanks, > Guillem cu Adrian
Bug#1008184: nmu: unknown packages affected by dpkg-dev bug #1000421
On Thu, Mar 24, 2022 at 01:01:10AM +0200, Adrian Bunk wrote: >... > FTR, this seems to be a 2 month window (give or take a few days due to > buildd chroots being updated only twice per week): >... 3 month window cu Adrian
Re: Bits from the Release Team: bookworm freeze dates (preliminary)
Hi! On Thu, Mar 17, 2022 at 4:09 AM Paul Gevers wrote: .. > 2023-01-12 - Milestone 1 - Transition and toolchain freeze > 2023-02-12 - Milestone 2 - Soft Freeze > 2023-03-12 - Milestone 3 - Hard Freeze - for key packages and > packages without autopkgtests > To be announced - Milestone 4 - Full Freeze Could you please add these dates to https://release.debian.org/ so that DD's can easily look them up when they want, and keep that as an authoritative place for the dates so that if they change, the dates that are in effect can be looked up from that page? Thanks!
Bug#1006944: transition: proj
On 3/23/22 08:09, Sebastiaan Couwenberg wrote: On 3/22/22 16:58, Sebastiaan Couwenberg wrote: On 3/22/22 09:44, Sebastiaan Couwenberg wrote: On 3/21/22 22:43, Sebastian Ramacher wrote: Please go ahead Thanks. proj (9.0.0-1) has been uploaded to unstable and is now built & installed on all release architectures. Thanks for scheduling the binNMUs. Dependency level 2 and 3 are done, level 4 can be scheduled. grass and r-cran-sf are done, qgis and r-cran-lwgeom can be binNMUed. vtk9 is done, therion can be binNMUed. Kind Regards, Bas -- GPG Key ID: 4096R/6750F10AE88D4AF1 Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1