Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1
Hi,

IIUC this is about fixing 2 non-security bugs that were introduced prior to buster's initial release.
I personally don't think this fits the LTS project scope. Maybe other LTS members will have a different opinion.

Cheers!
Sylvain Beucler
Debian LTS Team

On 13/09/2022 15:27, Santiago R.R. wrote:
> On 10/09/22 at 19:11, Adam D. Barratt wrote:
> > On Wed, 2020-05-27 at 11:56 +0200, Santiago R.R. wrote:
> > > Since 1.0.6-9, bzip2 was built without the -D_FILE_OFFSET_BITS=64 CPPFLAG, and so it's not able to handle > 2GB files in 32-bit archs. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944557
> > >
> > > I've uploaded a fixed version to unstable yesterday. It would be great to fix it also in buster. Please, consider the attached debdiff. Would it be OK for you to upload it?
> >
> > Apologies for apparently letting this sit unanswered. (FTR there was a reply from a non-SRM member 18 months ago.)
>
> And I am sorry I missed that answer.
>
> > The final point release for buster has now happened, so any further updates to packages in buster will need to be handled via LTS. I'm therefore going to close this request now.
>
> [snip]
>
> I am forwarding this to the LTS folks, so they can decide about this change.
tla update for Debian 5.0.5
Hello stable release managers, I would like to upload a security update for Lenny, for package 'tla'. http://www.debian.org/security/2009/dsa-1953 As it's a minor issue, the security team asked me to upload it through a point-release update (cf. forwarded message below). A package can be found at: http://www.beuc.net/tmp/tla/lenny-stable/tla_1.3.5+dfsg-14+lenny1.dsc Is it OK with you? Here's the interdiff: diff -u tla-1.3.5+dfsg/debian/changelog tla-1.3.5+dfsg/debian/changelog --- tla-1.3.5+dfsg/debian/changelog +++ tla-1.3.5+dfsg/debian/changelog @@ -1,3 +1,11 @@ +tla (1.3.5+dfsg-14+lenny1) stable; urgency=low + + * QA upload. + * Fix CVE-2009-3560 and CVE-2009-3720 denial-of-services by patching +bundled libexpat (closes: #560940). + + -- Sylvain Beucler Tue, 13 Apr 2010 17:55:51 +0200 + tla (1.3.5+dfsg-14) unstable; urgency=low * QA upload. diff -u tla-1.3.5+dfsg/debian/patches/00list tla-1.3.5+dfsg/debian/patches/00list --- tla-1.3.5+dfsg/debian/patches/00list +++ tla-1.3.5+dfsg/debian/patches/00list @@ -5,0 +6,2 @@ +CVE-2009-3560.dpatch +CVE-2009-3720.dpatch only in patch2: unchanged: --- tla-1.3.5+dfsg.orig/debian/patches/CVE-2009-3720.dpatch +++ tla-1.3.5+dfsg/debian/patches/CVE-2009-3720.dpatch 
@@ -0,0 +1,22 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2009-3720.dpatch by Sylvain Beucler +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix CVE-2009-3720 vulnerability +## DP: Check: +## DP: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&diff_format=l +## DP: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560940 + +...@dpatch@ +diff -urNad tla-1.3.5+dfsg~/src/expat/lib/xmltok_impl.c tla-1.3.5+dfsg/src/expat/lib/xmltok_impl.c +--- tla-1.3.5+dfsg~/src/expat/lib/xmltok_impl.c2006-07-20 08:34:33.0 +0200 tla-1.3.5+dfsg/src/expat/lib/xmltok_impl.c 2010-01-23 19:35:20.0 +0100 +@@ -1741,7 +1741,7 @@ +const char *end, +POSITION *pos) + { +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + #define LEAD_CASE(n) \ + case BT_LEAD ## n: \ only in patch2: unchanged: --- tla-1.3.5+dfsg.orig/debian/patches/CVE-2009-3560.dpatch +++ tla-1.3.5+dfsg/debian/patches/CVE-2009-3560.dpatch 
@@ -0,0 +1,23 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2009-3560.dpatch by Sylvain Beucler +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix CVE-2009-3560 vulnerability +## DP: Check: +## DP: http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.166&diff_format=h +## DP: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560940 + +...@dpatch@ +diff -urNad tla-1.3.5+dfsg~/src/expat/lib/xmlparse.c tla-1.3.5+dfsg/src/expat/lib/xmlparse.c +--- tla-1.3.5+dfsg~/src/expat/lib/xmlparse.c 2006-07-20 08:34:33.0 +0200 tla-1.3.5+dfsg/src/expat/lib/xmlparse.c2010-01-23 19:32:26.0 +0100 +@@ -3615,6 +3615,9 @@ + return XML_ERROR_UNCLOSED_TOKEN; + case XML_TOK_PARTIAL_CHAR: + return XML_ERROR_PARTIAL_CHAR; ++ case -XML_TOK_PROLOG_S: ++tok = -tok; ++break; + case XML_TOK_NONE: + #ifdef XML_DTD + /* for internal PE NOT referenced between declarations */ Best regards, - Sylvain - Forwarded message from Moritz Muehlenhoff - Date: Mon, 22 Mar 2010 18:56:22 +0100 
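Review bot: the changelog entry in the first hunk credits the fix to "patching bundled libexpat" but does not name DSA-1953, which the covering mail cites as the advisory for these libexpat issues; adding "see DSA-1953" to the bullet would let stable users trace the two CVEs to the embedded copy without the mail. The "closes: #560940" reference is fine as is.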
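Review bot: the CVE-2009-3720 dpatch's `## DP:` lines say only "Fix CVE-2009-3720 vulnerability" and point at the CVS diff; state the defect in the description itself, since the one-line change is not self-explanatory: the `LEAD_CASE` arms below the loop advance `ptr` by the length of a multi-byte sequence, so a truncated sequence at the end of the buffer can move `ptr` past `end`, after which `while (ptr != end)` keeps reading beyond the buffer and `while (ptr < end)` stops.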
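Review bot: in the CVE-2009-3560 dpatch the inserted `case -XML_TOK_PROLOG_S: tok = -tok; break;` sits among the error returns (`XML_TOK_PARTIAL_CHAR`, `XML_TOK_NONE`) with nothing explaining why a negative token code is flipped back to positive; add a `## DP:` line or an inline comment saying that the negated value is the tokenizer reporting a whitespace run that reaches the end of the buffer, which in a final buffer must be handled as ordinary prolog whitespace instead of falling through to the remaining cases.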
From: Moritz Muehlenhoff
To: Sylvain Beucler
Cc: t...@security.debian.org, b...@decadent.org.uk
Subject: Re: Versioning: security updates and binary uploads
User-Agent: Mutt/1.5.20 (2009-06-14)

On Mon, Mar 22, 2010 at 02:19:13PM +0100, Sylvain Beucler wrote:
> Ciao!
>
> On Mon, Mar 22, 2010 at 01:21:55PM +0100, Giuseppe Iuculano wrote:
> > On 21/03/2010 14:16, Sylvain Beucler wrote:
> > > There's no conflict right now, because 'b' '<' 'etch', but there would
> > > be a conflict if 'etch' had been called instead 'alfred' or anything
> > > that is '<' 'b'.
> > >
> > > So maybe I should use:
> > > -> tla-1.3.5+dfsg-9+b1+etch1
> > > as a rule?
> >
> > As you wrote, there is no conflict right now, so you should use
> > tla-1.3.5+dfsg-9+etch1.
>
> Ok, thanks.
>
> > BTW, currently there aren't any security issues opened for tla, what are
> > you preparing?
>
> tla includes a copy of libexpat, so it's affected by:
> http://www.debian.org/security/2009/dsa-1953
> A fix was uploaded to testing, but not to stable and old-stable.

This specific issue doesn't warrant a DSA, please update it through a stable point update:
http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

> Btw, do you still accept old-stable uploads?

Support for Etch has ended some weeks ago.

Cheers,
Moritz

- End forwarded message -
Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u3
Hi,

On Mon, 8 Jul 2024 09:48:40 -0400 (EDT) Nicolas Mora wrote:
> Thanks for the update, I will upload it next week if that's ok

I'm checking the alignment of bullseye and bookworm, in preparation for the bullseye LTS phase starting tomorrow. :)

Do you intend to fix CVE-2024-25715 as well? (as in bookworm 12.6, "fix open redirection via redirect_uri")
Is it something an LTS contributor could help with?

Cheers!
Sylvain Beucler
Debian LTS Team
Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u3
Hello Nicolas,

On 14/08/2024 17:09, Nicolas Mora wrote:
> Thanks for your offer. I'm away for a few days. I can prepare the package for Bullseye LTS at the end of August.

That would be nice, thanks :)

> I've never made a package for LTS before, so I don't know how it works though. Is it like a pu package? Send a debdiff to the LTS team, then when accepted push it via dput to ftp-master?

We have step-by-step documentation here:
https://lts-team.pages.debian.net/wiki/Development.html

In short, DDs can directly upload to bullseye-lts and publish a DLA.
Or, one can propose a debdiff at debian-...@lists.debian.org (ideally along with test procedures) and the LTS Team will take care of the administrivia.

Cheers!
Sylvain Beucler
Debian LTS Team
Bug#601420: unblock: freedink-data/1.08.20100103-3
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception

Please unblock package freedink-data

I updated the Dutch translation, along with instructions to regenerate the .mo (in debian/rules). Cf. #601245.

I also used my new @debian.org in debian/control.

unblock freedink-data/1.08.20100103-3

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (300, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#1071417: org-mode 9.4.0+dfsg-1+deb11u2 flagged for acceptance
Hi Release Team,

FTR this is not the right bug, this was a bullseye PU for fossil, not org-mode (#1070108). Not sure what happened.

This fossil update never made it to bullseye. Leaving this closed, planning a DLA with an updated fix.

Cheers!
Sylvain Beucler
Debian LTS Team

On Mon, 27 May 2024 14:04:37 + Jonathan Wiltshire wrote:
> package release.debian.org
> tags 1071417 = bullseye pending
> thanks
>
> Hi,
>
> The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.
>
> Thanks for your contribution!
>
> Upload details
> ==
>
> Package: org-mode
> Version: 9.4.0+dfsg-1+deb11u2
> Explanation: protect against unsafe remote resources [CVE-2024-30203 CVE-2024-30204 CVE-2024-30205]
Bug#1104760: bookworm-pu: package fossil/1:2.21-1+deb12u1
Package: release.debian.org
Control: affects -1 + src:fossil
X-Debbugs-Cc: fos...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: b...@beuc.net
Severity: normal

Hello Release Team,

[ Reason ]
This update fixes #1070069: serious issue in the fossil HTTP client, related to the fix for CVE-2024-24795 for apache2 (2.4.59-1~deb12u1), preventing it from cloning from a fixed Apache2 server (which now strips the 'Content-Length' response header issued by the fossil CGI server, to prevent a general case of response splitting).

This was fixed in DLA-3819-1 for fossil/buster.
https://lists.debian.org/debian-lts-announce/2024/05/msg00014.html

This supersedes #1070998 (full backport proposal); this is a targeted fix.

[ Impact ]
The user can't use the fossil client to clone Fossil repositories hosted with Apache2 (unless a specific server-side work-around was applied in the Apache2 configuration), and otherwise can't cope with a network configuration where the 'Content-Length' header is not provided by the remote server/proxy stack.

[ Tests ]
No new test cases were introduced upstream.

The embedded test suite has errors, even in unstable, but with the patch it runs with the same number of successes and errors, so no regression was spotted.

Later history of src/http.c was reviewed to spot possible regressions, and follow-up fixes for 'Connection' headers are also included.

Manual testing was performed by reproducing the issue with an Apache2+CGI+Fossil setup, with or without the configuration work-around, and with or without enabling mod_http2 which triggers different 'Connection' headers. In all cases cloning is now fixed.

[ Risks ]
The Fossil internal HTTP code seems a bit ad-hoc, but the upstream fix has been published for a year, and so has the buster DLA.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in stable
[X] the issue is verified as fixed in unstable (1:2.24-5)

[ Changes ]
Minimal backport of upstream changes that make the HTTP client code a bit more robust. Typically the fossil client can now read data up to connection close when the 'Content-Length' header is missing.

Also fixes 'Connection' header parsing to handle multiple values.

Unlike DLA-3819-1, no 'Breaks' header was introduced in debian/control, as there's no particular conflict when fossil and apache2 are on the same server. This is an issue with the fossil *client* and a remote apache2.

[ Other info ]
A DLA is also planned for bullseye. (#1071417 somehow didn't make it as an OSPU.)

diff -Nru fossil-2.21/debian/changelog fossil-2.21/debian/changelog --- fossil-2.21/debian/changelog2023-02-26 19:58:27.0 +0100 +++ fossil-2.21/debian/changelog2025-05-04 11:12:18.0 +0200 @@ -1,3 +1,13 @@ +fossil (1:2.21-1+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * Fix issue in the fossil HTTP client, related to the fix for +CVE-2024-24795/apache2, preventing it from cloning from a fixed +Apache2 server (which now strips the Content-Length response header +issued by the fossil CGI server). (Closes: #1070069) + + -- Sylvain Beucler Sun, 04 May 2025 11:12:18 +0200 + fossil (1:2.21-1) unstable; urgency=medium * Add upstream/metadata diff -Nru fossil-2.21/debian/patches/CVE-2024-24795-regression.patch fossil-2.21/debian/patches/CVE-2024-24795-regression.patch --- fossil-2.21/debian/patches/CVE-2024-24795-regression.patch 1970-01-01 01:00:00.0 +0100 +++ fossil-2.21/debian/patches/CVE-2024-24795-regression.patch 2025-05-04 11:12:18.0 +0200
@@ -0,0 +1,139 @@ +Origin: https://fossil-scm.org/home/info/a8e33fb161f45b65 +Origin: https://fossil-scm.org/home/info/71919ad1b542832c +Origin: https://fossil-scm.org/home/info/f4ffefe708793b03 +Origin: https://fossil-scm.org/home/info/5f47bb59a7846aeb +Reviewed-by: Sylvain Beucler +Last-Update: 2025-05-04 + +Only backported parts relevant to the fossil HTTP client fix, +discarded debugging improvements. + +Commit: a8e33fb161f45b65167f0dfe39b6fcbad21f5844ee469131fd8fa8fc09cd5e99 +Date: 2024-04-17 12:58:08 +Author: drh +Comment: Fix the HTTP-reply parser so that it is able to deal with replies that lack a Content-Length header field. This resolves the issue reported by [forum:/forumpost/12ac403fd29cfc89|forum post 12ac403fd29cfc89]. Also in this merge: (1) Add the --xverbose option to "fossil clone". (2) Improved error messages when web servers misbehave. See also my misguided and incorrect [https://bz.apache.org/bugzilla/show_bug.cgi?id=68905|Apache bug 68905]. Special thanks to Apache devs for setting me straight. +Branch: trunk +Tags: trunk +Phase:*MERGE* + +Commit: 71919ad1b542832c615df0af08999c9624ade13
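Review bot: the changelog bullet in the first hunk documents only the Content-Length change, while the [ Changes ] section says the upload also fixes 'Connection' header parsing for multiple values; add a second bullet (or extend the first) so the "*all* changes are documented in the d/changelog" checklist item actually holds and bookworm users see the full scope of the patch.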
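Review bot: the DEP-3 header of CVE-2024-24795-regression.patch lists four `Origin:` commits, `Reviewed-by:` and `Last-Update:` but no `Bug-Debian: https://bugs.debian.org/1070069`, which the changelog closes; add it. The quoted commit comment for a8e33fb also advertises the `--xverbose` option and improved error messages, which the note above it says were discarded from the backport, so state per Origin which parts were kept, otherwise a reader will look for --xverbose in the patched src/http.c.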
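The two client-side behaviours this update describes (reading the body up to connection close when 'Content-Length' is absent, and handling a 'Connection' header with several values), as an added example in Python rather than fossil's own C code in src/http.c; the replies are constructed, and the reader does not handle chunked encoding.

```python
# Added example (not fossil's code): an HTTP/1.x reply reader with the two behaviours
# the backport describes: read to connection close when Content-Length is absent, and
# treat a Connection header carrying several values correctly. No chunked support.
import io

def parse_connection(value):
    """Connection is a comma-separated token list; tokens are case-insensitive."""
    return {tok.strip().lower() for tok in value.split(",") if tok.strip()}

def read_reply(stream):
    """Read one reply from a binary file-like stream (socket.makefile('rb') or BytesIO).
    Returns (status, headers, body, closes); closes is True when the connection cannot
    be reused for the next request."""
    status_line = stream.readline()
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1."):
        raise ValueError("not an HTTP/1.x reply: %r" % status_line[:40])
    version, status = parts[0].decode(), int(parts[1].decode())
    headers = {}
    while True:
        line = stream.readline()
        if line in (b"\r\n", b"\n", b""):   # empty line ends the header block
            break
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    conn = parse_connection(headers.get("connection", ""))
    # "Connection: Upgrade, close" must still count as close, not be compared whole.
    closes = "close" in conn or (version == "HTTP/1.0" and "keep-alive" not in conn)
    if "content-length" in headers:
        body = stream.read(int(headers["content-length"]))
    else:
        # No length (what a fixed Apache now sends for the CGI reply): the body runs
        # until the server closes the connection, so read to EOF and do not reuse it.
        body = stream.read()
        closes = True
    return status, headers, body, closes

def read_reply_bytes(raw):
    """Same as read_reply for a captured reply held in memory."""
    return read_reply(io.BytesIO(raw))

# Constructed replies: one with a length (trailing bytes belong to the next reply),
# one where Apache stripped Content-Length and sent a multi-valued Connection header.
WITH_LENGTH = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-fossil\r\n"
               b"Content-Length: 5\r\n\r\nhelloNEXT")
NO_LENGTH = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-fossil\r\n"
             b"Connection: Upgrade, close\r\n\r\nhello world")

if __name__ == "__main__":
    for raw in (WITH_LENGTH, NO_LENGTH):
        status, hdrs, body, closes = read_reply_bytes(raw)
        print(status, hdrs.get("connection"), body, "close" if closes else "keep-alive")
```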
Bug#1101047: RM: php-horde/5.2.23+debian0-6
Package: release.debian.org
Control: affects -1 + src:php-horde
X-Debbugs-Cc: php-ho...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: rm
X-Debbugs-Cc: debian-...@lists.debian.org, b...@beuc.net
Severity: normal

Hello Release Team,

This is a request to RM the php-horde-* package set, from Debian 12 bookworm specifically.

Horde 5.x is currently incompatible with PHP8, making the package mostly unusable, with many random errors. See grave bugs at:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=stable;maint=team%2Bdebian-horde-team%40tracker.debian.org

No complete patch set for these issues is currently available. New working installs are currently not possible, notably preventing testing security fixes.

Note: php-horde-* is already dropped from trixie.
Note: The maintainers wish to maintain it in unstable.

See also the recap at:
https://lists.debian.org/debian-lts/2025/03/msg00012.html
and the maintainer's OK at:
https://lists.debian.org/debian-lts/2025/03/msg00017.html

There are many packages, `grep 'Package: php-horde' deb.debian.org_debian_dists_bookworm_main_source_Sources` gives me:

php-horde php-horde-activesync php-horde-alarm php-horde-ansel php-horde-argv php-horde-auth php-horde-autoloader php-horde-browser php-horde-cache php-horde-cli php-horde-compress php-horde-compress-fast php-horde-constraint php-horde-content php-horde-controller php-horde-core php-horde-crypt php-horde-crypt-blowfish php-horde-css-parser php-horde-cssminify php-horde-data php-horde-date php-horde-date-parser php-horde-dav php-horde-db php-horde-editor php-horde-elasticsearch php-horde-exception php-horde-feed php-horde-form php-horde-gollem php-horde-group php-horde-groupware php-horde-hashtable php-horde-history php-horde-http php-horde-icalendar php-horde-idna php-horde-image php-horde-imap-client php-horde-imp php-horde-imsp php-horde-ingo php-horde-injector php-horde-itip php-horde-javascriptminify php-horde-kolab-format php-horde-kolab-server php-horde-kolab-session php-horde-kolab-storage php-horde-kronolith php-horde-ldap php-horde-listheaders php-horde-lock php-horde-log php-horde-logintasks php-horde-lz4 php-horde-mail php-horde-mail-autoconfig php-horde-mapi php-horde-memcache php-horde-mime php-horde-mime-viewer php-horde-mnemo php-horde-nag php-horde-nls php-horde-notification php-horde-oauth php-horde-openxchange php-horde-pack php-horde-passwd php-horde-pdf php-horde-perms php-horde-prefs php-horde-queue php-horde-rdo php-horde-role php-horde-routes php-horde-rpc php-horde-scheduler php-horde-scribe php-horde-secret php-horde-serialize php-horde-service-facebook php-horde-service-gravatar php-horde-service-twitter php-horde-service-urlshortener php-horde-service-weather php-horde-sesha php-horde-sessionhandler php-horde-share php-horde-smtp php-horde-socket-client php-horde-spellchecker php-horde-stream php-horde-stream-filter php-horde-stream-wrapper php-horde-support php-horde-syncml php-horde-template php-horde-test php-horde-text-diff php-horde-text-filter php-horde-text-flowed php-horde-thrift php-horde-timeobjects php-horde-timezone php-horde-token php-horde-translation php-horde-trean php-horde-tree php-horde-turba php-horde-url php-horde-util php-horde-vfs php-horde-view php-horde-webmail php-horde-whups php-horde-wicked php-horde-xml-element php-horde-xml-wbxml

Let me know if I can assist in any way.

Cheers!
Sylvain Beucler
Debian LTS Team
Re: Tooling for rebuilding outdated Built-Using
Hi,

On 18/06/2025 19:17, Jonathan Wiltshire wrote:
> https://github.com/sebastinas/drt-tools
>
> Output for bullseye attached, though it does not (afaik) add overlay suites like o-p-u and I can't vouch for the accuracy of the run I did, I haven't checked it at all.
>
> Attached this time :(

Thanks! AFAICS it's overall consistent with the other tooling, except for the extra 'supermin' (which doesn't seem to contain static executables).

On 18/06/2025 19:31, Adrian Bunk wrote:
> Note that in LTS you will afterwards need either manual Build-Depends on the new version (if making a manual upload) or extra-depends (when making a normal binNMU) since the pre-LTS version of the glibc packages is in the chroots.
> In the latter case any future DLAs (e.g. for bash or qemu) would again be built against the pre-LTS glibc.
>
> A solution for that would be either generating bullseye-security chroots in setup-all-dchroots and using them, or dist-upgrade at the start of the build.

Thanks for the info!
Is this specific to essential packages pre-installed in the buildd chroots?

Cheers!
Sylvain
Re: Tooling for rebuilding outdated Built-Using
Hi,

On 27/05/2025 14:06, Sean Whitton wrote:
> Hello release team,
>
> How do you detect packages that need rebuilding in stable releases because they have outdated Built-Using?
> Sylvain Beucler of the LTS team noted that we may need to do this for bullseye because we have updated glibc.
>
> If there are already scripts to do this, it would be great if you could direct me to them.
>
> Thanks.

Probably something like:

# apt-cache dumpavail | \
    grep-dctrl \
      -F Built-Using 'glibc' -a \
      '(' --not -F Architecture all ')' \
      -s Source,Package,Version

Package: aide
Version: 0.17.3-4+deb11u2

Source: bash
Package: bash-static
Version: 5.1-2+deb11u1

Source: cdebootstrap (0.7.8)
Package: cdebootstrap-static
Version: 0.7.8+b3

Source: chkrootkit (0.54-1)
Package: chkrootkit
Version: 0.54-1+b2

Source: dar (2.6.13-2)
Package: dar-static
Version: 2.6.13-2+b3

Package: debian-installer
Version: 20210731+deb11u12

Source: sash (3.8-5)
Package: sash
Version: 3.8-5+b13

Source: tripwire (2.4.3.7-3)
Package: tripwire
Version: 2.4.3.7-3+b3

Source: zsh
Package: zsh-static
Version: 5.8-6+deb11u1

Source: zutils (1.10-1)
Package: zutils
Version: 1.10-1+b2

Source: busybox
Package: busybox-static
Version: 1:1.30.1-6+deb11u1

Package: docker.io
Version: 20.10.5+dfsg1-1+deb11u4

Source: qemu
Package: qemu-user-static
Version: 1:5.2+dfsg-11+deb11u4

then manually checking the last upload date, and evaluating the CVE impact.

Some more packages are selected without "--not -F Architecture all", including debian-installer-netboot-images and cross-toolchain-base-ports, but we don't have to rebuild everything, only those we think may be impacted by fixed CVEs.

Note: Built-Using is less exhaustive in older (ELTS) releases.

See also https://lts-team.pages.debian.net/wiki/TestSuites/golang.html#identify-reverse-build-dependencies

This is tracked through https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/227

Cheers!
Sylvain Beucler
Debian LTS Team
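The same selection as the grep-dctrl command above (binaries whose Built-Using names glibc, excluding Architecture: all), written as a small deb822 parser; this is an added example, not tooling from the thread. It runs on a constructed `apt-cache dumpavail` excerpt and matches Built-Using source names exactly, which is stricter than `-F`'s substring match.

```python
import re

# Constructed `apt-cache dumpavail` excerpt: names modelled on the thread, versions made up.
SAMPLE_DUMPAVAIL = """\
Package: bash-static
Source: bash
Version: 5.1-2+deb11u1
Architecture: amd64
Built-Using: glibc (= 2.31-13+deb11u6)

Package: debian-installer-netboot-images
Version: 20210731+deb11u12
Architecture: all
Built-Using: glibc (= 2.31-13+deb11u5),
 linux (= 5.10.178-3)

Package: sash
Source: sash (3.8-5)
Version: 3.8-5+b13
Architecture: i386
Built-Using: glibc (= 2.31-13+deb11u6)
"""

def parse_deb822(text):
    """Split a deb822 stream into stanzas (dict field -> value); indented lines continue a field."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends the stanza
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last:      # continuation line
            cur[last] += " " + line.strip()
        else:
            field, _, value = line.partition(":")
            last = field.strip()
            cur[last] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas

def built_using_sources(value):
    """Source names in a Built-Using value such as 'glibc (= 2.31-1), linux (= 5.10-3)'."""
    return {m.group(1) for m in re.finditer(r"([a-z0-9][a-z0-9+.-]*)\s*\(=[^)]*\)", value)}

def outdated_built_using(text, source="glibc", skip_arch_all=True):
    """(Source, Package, Version) of binaries whose Built-Using names `source`,
    skipping Architecture: all unless asked otherwise, like --not -F Architecture all."""
    hits = []
    for st in parse_deb822(text):
        if source not in built_using_sources(st.get("Built-Using", "")):
            continue
        if skip_arch_all and st.get("Architecture") == "all":
            continue
        src = st.get("Source", st["Package"]).split()[0]  # drop the "(version)" suffix
        hits.append((src, st["Package"], st["Version"]))
    return hits
```

Calling outdated_built_using(SAMPLE_DUMPAVAIL) returns bash-static and sash; the Architecture: all netboot images are dropped, as the thread's --not clause does.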