dwarfutils: CVE-2024-2002 & mold - guidance?
Hello folks,

Because it will cause a removal of mold, I had a look at dwarfutils: https://salsa.debian.org/pkg-llvm-team/dwarfutils/

Given that dwarfutils hasn't been updated in Debian since Sept 2021, it seems that the easier path is to upload a new upstream release in the archive which contains the security fixes.

Now, the bad news is that a lot of symbols have been removed: https://salsa.debian.org/pkg-llvm-team/dwarfutils/-/blob/master/debian/libdwarf1.symbols.amd64?ref_type=heads (grep for MISSING). I don't know if they are internal or actually used. I didn't bump the soname yet.

I see two paths:
* we go the clean way: bump of soname, migration (which should not be too complex given that it is a leaf lib)
* we upload the current version. It will work for dwarfdump but might break other libs (esp outside of Debian)

Please let me know what you would prefer.

Thanks
Sylvestre
Re: Status for RT on `Rules-Requires-Root: no` transition
Hi,

Here is one final update as the freeze is about to start.

* First and foremost, I consider the transition as over, since there are no more packages left that are actionable by me nor is there any pending reason to revert the change.
* Only three known issues remain as affecting testing. These are d-i, shim, and the shim arm64 helper. As stated before, in all three cases, the maintainer and I agreed they would fix on their own, since these packages have non-trivial circumstances where a "careless" NMU would harm more than help.
* Since last time, I NMU'ed both bash and lintian. These NMUs have been processed and the fix reached testing, marking the end of key packages that I can fix. I also NMUed ifeffit (non-key package pending auto-removal). That NMU has made its way to testing as well, keeping ifeffit from being auto-removed.
* On the non-key package side, there are only 5 non-key packages that still have a transition bug open. All 5 have multiple RC bugs, so they are kept out of testing due to an unrelated issue in addition to the transition bug. Note 2 of them are older versions of gcc cross that we probably do not want in this stable release anyhow. I suspect they should be removed from unstable down the line.

Thanks for your time and for helping us to make Trixie be rootless by default! :)

Best regards,
Niels
Bug#1098725: curl 7.88.1-10+deb12u12 flagged for acceptance
package release.debian.org
tags 1098725 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: curl
Version: 7.88.1-10+deb12u12

Explanation: fix test failures due to port clashes
Processed: curl 7.88.1-10+deb12u12 flagged for acceptance
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 'release.debian.org'
Limit currently set to 'package':'release.debian.org'
> tags 1098725 = bookworm pending
Bug #1098725 [release.debian.org] bookworm-pu: package curl/7.88.1-10+deb12u11
Ignoring request to alter tags of bug #1098725 to the same tags previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1098725: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098725
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1099646: transition: gcc-14
Hi Nicolas I've scheduled binNMUs of music123 and topal. There was a team upload of phcpack instead. I have not yet scheduled the binNMU of alire. As per the tracker, it has a build-dependency on libgnatcoll, which has not yet been uploaded to unstable. Regards Graham
NEW changes in stable-new
Processing changes file: curl_7.88.1-10+deb12u12_all-buildd.changes ACCEPT
Processing changes file: curl_7.88.1-10+deb12u12_amd64-buildd.changes ACCEPT
Processing changes file: curl_7.88.1-10+deb12u12_armel-buildd.changes ACCEPT
Processing changes file: curl_7.88.1-10+deb12u12_i386-buildd.changes ACCEPT
Processing changes file: curl_7.88.1-10+deb12u12_ppc64el-buildd.changes ACCEPT
Processing changes file: curl_7.88.1-10+deb12u12_s390x-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: curl_7.88.1-10+deb12u12_mips64el-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: curl_7.88.1-10+deb12u12_arm64-buildd.changes ACCEPT
Processing changes file: curl_7.88.1-10+deb12u12_armhf-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: chromium_134.0.6998.35-1~deb12u1_amd64.changes ACCEPT
Processing changes file: chromium_134.0.6998.35-1~deb12u1_arm64-buildd.changes ACCEPT
Processing changes file: chromium_134.0.6998.35-1~deb12u1_armhf-buildd.changes ACCEPT
Processing changes file: chromium_134.0.6998.35-1~deb12u1_i386-buildd.changes ACCEPT
Processing changes file: chromium_134.0.6998.35-1~deb12u1_ppc64el-buildd.changes ACCEPT
Processing changes file: firefox-esr_128.8.0esr-1~deb12u1_source.changes ACCEPT
Processing changes file: firefox-esr_128.8.0esr-1~deb12u1_all-buildd.changes ACCEPT
Processing changes file: firefox-esr_128.8.0esr-1~deb12u1_amd64-buildd.changes ACCEPT
Processing changes file: firefox-esr_128.8.0esr-1~deb12u1_arm64-buildd.changes ACCEPT
Processing changes file: firefox-esr_128.8.0esr-1~deb12u1_armhf-buildd.changes ACCEPT
Processing changes file: firefox-esr_128.8.0esr-1~deb12u1_i386-buildd.changes ACCEPT
Processing changes file: firefox-esr_128.8.0esr-1~deb12u1_ppc64el-buildd.changes ACCEPT
Processing changes file: firefox-esr_128.8.0esr-1~deb12u1_s390x-buildd.changes ACCEPT
Processing changes file: libreoffice_7.4.7-1+deb12u7_source.changes ACCEPT
Processing changes file: libreoffice_7.4.7-1+deb12u7_all-buildd.changes ACCEPT
Processing changes file: libreoffice_7.4.7-1+deb12u7_amd64-buildd.changes ACCEPT
Processing changes file: libreoffice_7.4.7-1+deb12u7_arm64-buildd.changes ACCEPT
Processing changes file: libreoffice_7.4.7-1+deb12u7_armel-buildd.changes ACCEPT
Processing changes file: libreoffice_7.4.7-1+deb12u7_armhf-buildd.changes ACCEPT
Processing changes file: libreoffice_7.4.7-1+deb12u7_i386-buildd.changes ACCEPT
Processing changes file: libreoffice_7.4.7-1+deb12u7_mips64el-buildd.changes ACCEPT
Processing changes file: libreoffice_7.4.7-1+deb12u7_mipsel-buildd.changes ACCEPT
Processing changes file: libreoffice_7.4.7-1+deb12u7_ppc64el-buildd.changes ACCEPT
Processing changes file: libreoffice_7.4.7-1+deb12u7_s390x-buildd.changes ACCEPT
Processing changes file: curl_7.88.1-10+deb12u12_mipsel-buildd.changes ACCEPT
Bug#1086761: bookworm-pu: package edk2/2022.11-6+deb12u2
On Mon, Dec 30, 2024 at 08:49:17PM +0100, Salvatore Bonaccorso wrote:
> Hi Dann,
>
> On Fri, Nov 15, 2024 at 04:07:16PM +, Jonathan Wiltshire wrote:
> > Control: tag -1 confirmed
> >
> > Please go ahead.
>
> As Jonathan from the stable release managers have given an ack on the
> edk2 upload for bookworm, are you able to do the upload in the next
> few days? The window for the next point release is closing upcoming
> weekend and it would be nice to see those CVEs fixed in bookworm.

Apologies for the delay. Now uploaded.
Bug#1099894: transition: addresses-for-gnustep/gnustep-addresses
Control: tags -1 confirmed

On 2025-03-09 14:41:21 +0200, Yavor Doganov wrote:
> Package: release.debian.org
> Severity: normal
> X-Debbugs-Cc: addresses-for-gnus...@packages.debian.org
> Control: affects -1 + src:addresses-for-gnustep + src:gnustep-addresses
> User: release.debian@packages.debian.org
> Usertags: transition
>
> Our intention was to do this transition together with the rest of the
> GNUstep libraries (RT #1099081) but the package has been in NEW until
> today. This is a bugfix release following a full audit of the code
> inspired by #1087735. To cite the upstream announcement [1]:
>
> ,
> | AddressManager and Addresses Frameworks got a major maintenance
> | release, 0.5.0. Highly recommended: code modernisation, highly
> | improved encoding detection and RFC compliance for UTF-8, display
> | fixes, memory and initialization handling, crash fixers
> `
>
> Both rdeps agenda.app and gnumail build fine against the new version.

Please go ahead.

Cheers

>
> There is no auto tracker because the source package was renamed from
> addresses-for-gnustep to gnustep-addresses to match the naming
> convention that was proposed to the FTP masters [2] and the rest of
> the GNUstep libraries/frameworks in the archive.
>
> Here is a ben file constructed by reportbug:
>
> title = "addresses-for-gnustep/gnustep-addresses";
> is_affected = .depends ~ "libaddresses0" | .depends ~ "libaddressview0" |
> .depends ~ "libaddresses0.5.0" | .depends ~ "libaddressview0.5.0";
> is_good = .depends ~ "libaddresses0.5.0" | .depends ~ "libaddressview0.5.0";
> is_bad = .depends ~ "libaddresses0" | .depends ~ "libaddressview0";
>
> [1] https://savannah.nongnu.org/news/?id=10726
> [2]
> https://alioth-lists.debian.net/pipermail/pkg-gnustep-maintainers/2025-January/006272.html
>

-- 
Sebastian Ramacher
Processed: php-matomo-device-detector: PHPUnit 12 compatibility
Processing control commands:

> block 1099656 by -1
Bug #1099656 [release.debian.org] transition: phpunit 12
1099656 was blocked by: 1099659
1099656 was not blocking any bugs.
Added blocking bug(s) of 1099656: 1099942

-- 
1099656: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099656
1099942: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099942
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
NEW changes in stable-new
Processing changes file: thunderbird_128.8.0esr-1~deb12u1_source.changes ACCEPT
Processing changes file: thunderbird_128.8.0esr-1~deb12u1_all-buildd.changes ACCEPT
Processing changes file: thunderbird_128.8.0esr-1~deb12u1_amd64-buildd.changes ACCEPT
Processing changes file: thunderbird_128.8.0esr-1~deb12u1_arm64-buildd.changes ACCEPT
Processing changes file: thunderbird_128.8.0esr-1~deb12u1_i386-buildd.changes ACCEPT
Processing changes file: thunderbird_128.8.0esr-1~deb12u1_ppc64el-buildd.changes ACCEPT
Bug#1099894: transition: addresses-for-gnustep/gnustep-addresses
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: addresses-for-gnus...@packages.debian.org
Control: affects -1 + src:addresses-for-gnustep + src:gnustep-addresses
User: release.debian@packages.debian.org
Usertags: transition

Our intention was to do this transition together with the rest of the GNUstep libraries (RT #1099081) but the package has been in NEW until today. This is a bugfix release following a full audit of the code inspired by #1087735. To cite the upstream announcement [1]:

,
| AddressManager and Addresses Frameworks got a major maintenance
| release, 0.5.0. Highly recommended: code modernisation, highly
| improved encoding detection and RFC compliance for UTF-8, display
| fixes, memory and initialization handling, crash fixers
`

Both rdeps agenda.app and gnumail build fine against the new version.

There is no auto tracker because the source package was renamed from addresses-for-gnustep to gnustep-addresses to match the naming convention that was proposed to the FTP masters [2] and the rest of the GNUstep libraries/frameworks in the archive.

Here is a ben file constructed by reportbug:

title = "addresses-for-gnustep/gnustep-addresses";
is_affected = .depends ~ "libaddresses0" | .depends ~ "libaddressview0" | .depends ~ "libaddresses0.5.0" | .depends ~ "libaddressview0.5.0";
is_good = .depends ~ "libaddresses0.5.0" | .depends ~ "libaddressview0.5.0";
is_bad = .depends ~ "libaddresses0" | .depends ~ "libaddressview0";

[1] https://savannah.nongnu.org/news/?id=10726
[2] https://alioth-lists.debian.net/pipermail/pkg-gnustep-maintainers/2025-January/006272.html
Processed: transition: addresses-for-gnustep/gnustep-addresses
Processing control commands:

> affects -1 + src:addresses-for-gnustep + src:gnustep-addresses
Bug #1099894 [release.debian.org] transition: addresses-for-gnustep/gnustep-addresses
Added indication that 1099894 affects src:addresses-for-gnustep, +, and src:gnustep-addresses

-- 
1099894: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099894
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
NEW changes in stable-new
Processing changes file: curl_7.88.1-10+deb12u12_source.changes ACCEPT
Processed: reassign 1087665 to ftp.debian.org
Processing commands for cont...@bugs.debian.org:

> # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087665#19 missing CC to
> control@
> reassign 1087665 ftp.debian.org
Bug #1087665 [release.debian.org] RM: ruby-appraisal -- RoM
Bug reassigned from package 'release.debian.org' to 'ftp.debian.org'.
Ignoring request to alter found versions of bug #1087665 to the same values previously set
Ignoring request to alter fixed versions of bug #1087665 to the same values previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1087665: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087665
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: user release.debian....@packages.debian.org, usertagging 1092940, tagging 1092940
Processing commands for cont...@bugs.debian.org:

> user release.debian@packages.debian.org
Setting user to release.debian@packages.debian.org (was a...@adam-barratt.org.uk).
> usertags 1092940 + pu
There were no usertags set.
Usertags are now: pu.
> tags 1092940 + bookworm
Bug #1092940 [release.debian.org] release.debian.org: package gstreamer1.0/1.22.12-0~deb12u1
Added tag(s) bookworm.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1092940: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092940
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: edk2 2022.11-6+deb12u2 flagged for acceptance
Processing commands for cont...@bugs.debian.org:

> package release.debian.org
Limiting to bugs with field 'package' containing at least one of 'release.debian.org'
Limit currently set to 'package':'release.debian.org'
> tags 1086761 = bookworm pending
Bug #1086761 [release.debian.org] bookworm-pu: package edk2/2022.11-6+deb12u2
Added tag(s) pending; removed tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1086761: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086761
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1086761: edk2 2022.11-6+deb12u2 flagged for acceptance
package release.debian.org
tags 1086761 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==

Package: edk2
Version: 2022.11-6+deb12u2

Explanation: fix overflow condition in PeCoffLoaderRelocateImage() [CVE-2024-38796]; fix potential UINT32 overflow in S3 ResumeCount [CVE-2024-1298]
Bug#1081553: transition: abseil
Hi Emilio (2025.03.05_04:29:16_-0400) I missed this reply. Let's go ahead with the new abseil then. I NMUed the new abseil (in coordination with Benjamin) and have uploaded re2. They're building now. Stefano -- Stefano Rivera http://tumbleweed.org.za/ +1 415 683 3272
Bug#1099846: marked as done (nmu: several packages to help the Erlang transition)
Your message dated Sun, 9 Mar 2025 23:45:27 +0100 with message-id and subject line Re: Bug#1099846: nmu: several packages to help the Erlang transition has caused the Debian Bug report #1099846, regarding nmu: several packages to help the Erlang transition to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
1099846: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099846
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
Control: block 1069929 by -1

Hi release team!

In order to complete transition to Erlang 27 (see [1] for detail), I'd like to ask you for a series of binNMUs. The packages erlang-asciideck, erlang-base64url, erlang-cf, erlang-cowlib, erlang-erlware-commons, erlang-getopt, erlang-goldrush, erlang-horse, erlang-idna, erlang-jiffy, erlang-jose, erlang-lager, erlang-luerl, erlang-poolboy, erlang-unicode-util-compat, erlang-mochiweb are not required to be updated/ported to the new Erlang version, simple binNmu should be sufficient for them.

nmu erlang-asciideck . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
nmu erlang-base64url . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
nmu erlang-cf . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
nmu erlang-cowlib . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
nmu erlang-erlware-commons . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
nmu erlang-getopt . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
nmu erlang-goldrush . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
nmu erlang-horse . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
nmu erlang-idna . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
nmu erlang-jiffy . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
nmu erlang-jose . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
nmu erlang-lager . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
nmu erlang-luerl . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
nmu erlang-poolboy . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
nmu erlang-unicode-util-compat . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
nmu erlang-mochiweb . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069929

Cheers!
-- 
Sergei Golovan
--- End Message ---
--- Begin Message ---
On 2025-03-08 23:14:25 +0300, Sergei Golovan wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: binnmu
> Control: block 1069929 by -1
>
>
> Hi release team!
>
> In order to complete transition to Erlang 27 (see [1] for detail), I'd like
> to ask you for a series of binNMUs. The packages erlang-asciideck,
> erlang-base64url, erlang-cf, erlang-cowlib, erlang-erlware-commons,
> erlang-getopt, erlang-goldrush, erlang-horse, erlang-idna, erlang-jiffy,
> erlang-jose, erlang-lager, erlang-luerl, erlang-poolboy,
> erlang-unicode-util-compat, erlang-mochiweb are not required to be
> updated/ported to the new Erlang version, simple binNmu should be sufficient
> for them.
>
> nmu erlang-asciideck . ANY . unstable . -m "Rebuild with Erlang 27, see
> #1069929"
> nmu erlang-base64url . ANY . unstable . -m "Rebuild with Erlang 27, see
> #1069929"
> nmu erlang-cf . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
> nmu erlang-cowlib . ANY . unstable . -m "Rebuild with Erlang 27, see
> #1069929"
> nmu erlang-erlware-commons . ANY . unstable . -m "Rebuild with Erlang 27,
> see #1069929"
> nmu erlang-getopt . ANY . unstable . -m "Rebuild with Erlang 27, see
> #1069929"
> nmu erlang-goldrush . ANY . unstable . -m "Rebuild with Erlang 27, see
> #1069929"
> nmu erlang-horse . ANY . unstable . -m "Rebuild with Erlang 27, see
> #1069929"
> nmu erlang-idna . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
> nmu erlang-jiffy . ANY . unstable . -m "Rebuild with Erlang 27, see
> #1069929"
> nmu erlang-jose . ANY . unstable . -m "Rebuild with Erlang 27, see #1069929"
> nmu erlang-lager . ANY . unstable . -m "Rebuild with Erlang 27, see
> #1069929"
> nmu erlang-luerl . ANY . unstable . -m "Rebuild with Erlang 27, see
> #1069929"
> nmu erlang-poolboy . ANY . unstable . -m "Rebuild with Erlang 27, see
> #1069929"
> nmu erlang-unicode-util-compat . ANY . unstable . -m "Rebuild with Erlang
> 27, see #1069929"
NEW changes in stable-new
Processing changes file: base-files_12.4+deb12u10_source.changes ACCEPT
Processing changes file: edk2_2022.11-6+deb12u2_source.changes ACCEPT
NEW changes in stable-new
Processing changes file: base-files_12.4+deb12u10_amd64-buildd.changes ACCEPT
Processing changes file: base-files_12.4+deb12u10_arm64-buildd.changes ACCEPT
Processing changes file: base-files_12.4+deb12u10_armel-buildd.changes ACCEPT
Processing changes file: base-files_12.4+deb12u10_armhf-buildd.changes ACCEPT
Processing changes file: base-files_12.4+deb12u10_i386-buildd.changes ACCEPT
Processing changes file: base-files_12.4+deb12u10_mips64el-buildd.changes ACCEPT
Processing changes file: base-files_12.4+deb12u10_mipsel-buildd.changes ACCEPT
Processing changes file: base-files_12.4+deb12u10_ppc64el-buildd.changes ACCEPT
Processing changes file: base-files_12.4+deb12u10_s390x-buildd.changes ACCEPT
Processing changes file: edk2_2022.11-6+deb12u2_all-buildd.changes ACCEPT
Bug#1094736: transition: libcdio
I'm seeing autopkgtest failures for libdevice-cdio-perl in the tracker for libcdio (excuses panel): https://tracker.debian.org/pkg/libcdio

The failures are in 32-bit architectures, e.g., for i386: https://ci.debian.net/packages/libd/libdevice-cdio-perl/testing/i386/58673931/

Since it's so easy for me to run the test on i386, I built libdevice-cdio-perl locally (on a fresh installation of unstable/i386), then I ran autopkgtest, also locally with `autopkgtest . -- null'. The test passes, including on the test case that fails on the CI:

t/07.iso2.t .
1..5
# Test ISO9660::IFS routines
ok 1 - Open CD image ../data/isofs-m1.cue
ok 2 - CD 9660 file stats: find_lsn(26)
ok 3 - CD 9660 file stats: stat('COPYING)'
ok 4 - Read directory: readdir('/')
ok 5 - File contents comparison
ok

Will this autopkgtest failure prevent the migration to testing?

Cheers,
Gabriel