Bug#1025083: bullseye-pu: package omnievents/1:2.6.2-5.1+deb11u1

2022-11-29 Thread Guilherme de Paula Xavier Segundo
y of 'omnievents-doc' +to fix broken symlinks that prevent reading part of the documentation. + . + Closes: #989339 + + -- Guilherme de Paula Xavier Segundo Mon, 28 Nov 2022 17:20:30 -0300 + omnievents (1:2.6.2-5.1) unstable; urgency=medium * Non maintainer upload by

Bug#980259: buster-pu: package cyrus-imapd/3.0.8-6+deb10u5

2021-01-16 Thread Xavier Guimard
) [ Changes ] Regex fix Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index c96adf9c..240d1f4d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +cyrus-imapd (3.0.8-6+deb10u5) buster; urgency=medium + + * Fix cron script (Closes: #980240) + + -- Xavier Guimard Sat

Bug#980032: RM: node-request/2.88.1-5

2021-01-13 Thread Xavier
On 13/01/2021 at 11:56, Adrian Bunk wrote: > On Wed, Jan 13, 2021 at 09:37:52AM +0100, Xavier Guimard wrote: >> Package: release.debian.org >> Severity: normal >> User: release.debian@packages.debian.org >> Usertags: rm >> X-Debbugs-Cc: pkg-javascript-de...

Bug#980032: [Pkg-javascript-devel] Bug#980032: RM: node-request/2.88.1-5

2021-01-13 Thread Xavier
On 13/01/2021 at 12:22, Xavier wrote: > On 13/01/2021 at 11:56, Adrian Bunk wrote: >> On Wed, Jan 13, 2021 at 09:37:52AM +0100, Xavier Guimard wrote: >>> Package: release.debian.org >>> Severity: normal >>> User: release.debian@packages.debian.org

Bug#980032: RM: node-request/2.88.1-5

2021-01-13 Thread Xavier Guimard
node-jsdom migration. Cheers, Xavier

Bug#977735: buster-pu: package node-ini/1.3.5-1+deb10u1

2020-12-19 Thread Xavier Guimard
@@ -1,3 +1,11 @@ +node-ini (1.3.5-1+deb10u1) buster; urgency=medium + + * Team upload + * Do not allow invalid hazardous string as section name +(Closes: #977718, CVE-2020-7788) + + -- Xavier Guimard Sat, 19 Dec 2020 20:48:36 +0100 + node-ini (1.3.5-1) unstable; urgency=medium * Team Upload

Bug#976392: buster-pu: package node-y18n/3.2.1-2+deb10u1

2020-12-04 Thread Xavier Guimard
[ Changes ] Just a little change in variable initialization Note: package already uploaded Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index 72257ee..d969c10 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-y18n (3.2.1-2+deb10u1) buster; urgency=medium

Bug#973342: buster-pu: package libdbi-perl/1.642-1+deb10u2

2020-12-03 Thread Xavier
On 03/12/2020 at 21:50, Salvatore Bonaccorso wrote: > Hi Xavier, > > On Sun, Nov 22, 2020 at 06:14:05PM +, Adam D. Barratt wrote: >> Control: tags -1 + confirmed >> >> On Thu, 2020-10-29 at 07:43 +0100, Xavier Guimard wrote: >>> libdbi-perl is still vul

Bug#973342: buster-pu: package libdbi-perl/1.642-1+deb10u2

2020-10-28 Thread Xavier Guimard
gelog @@ -1,3 +1,11 @@ +libdbi-perl (1.642-1+deb10u2) buster; urgency=medium + + [ Salvatore Bonaccorso ] + * t/51dbm_file.t: add test from RT#99508 + * lib/DBD/File.pm: fix CVE-2014-10401 (Closes: #972180) + + -- Xavier Guimard Thu, 29 Oct 2020 07:35:08 +0100 + libdbi-perl (1.642-1+deb10u1) b

Bug#972903: buster-pu: package node-pathval/1.1.0-3+deb10u1

2020-10-25 Thread Xavier Guimard
-7751) + + -- Xavier Guimard Mon, 26 Oct 2020 04:44:16 +0100 + node-pathval (1.1.0-3) unstable; urgency=medium * Point d/watch to /releases instead of /tags. diff --git a/debian/patches/CVE-2020-7751.diff b/debian/patches/CVE-2020-7751.diff new file mode 100644 index 000..7d1ed9a

Bug#972694: buster-pu: package node-object-path/0.11.4-2+deb10u1

2020-10-22 Thread Xavier Guimard
pollution in set() (Closes: CVE-2020-15256) + + -- Xavier Guimard Thu, 22 Oct 2020 18:38:10 +0200 + node-object-path (0.11.4-2) unstable; urgency=medium * Update Vcs fields for migration to https://salsa.debian.org/ diff --git a/debian/patches/CVE-2020-15256.diff b/debian/patches/CVE-2020
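Review bot: in the new debian/changelog entry, `Closes: CVE-2020-15256` closes nothing, because the changelog `Closes:` field is only parsed for Debian bug numbers in the form `Closes: #NNNNNN`. If a Debian bug tracks this issue, reference it there, and keep the CVE id as plain text in the entry, for example `(CVE-2020-15256)`.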

Bug#970096: buster-pu: package libdbi-perl/1.642-1+deb10u1

2020-09-17 Thread Xavier
On 17/09/2020 at 22:23, Xavier wrote: > On 17/09/2020 at 21:26, Adam D. Barratt wrote: >> Control: tags -1 + confirmed >> >> On Sat, 2020-09-12 at 08:50 +0200, Xavier wrote: >>> >> >> +libdbi-perl (1.642-1+deb10u1) buster; urgency=medium >> +

Bug#970096: buster-pu: package libdbi-perl/1.642-1+deb10u1

2020-09-17 Thread Xavier
On 17/09/2020 at 21:26, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Sat, 2020-09-12 at 08:50 +0200, Xavier wrote: >> > > +libdbi-perl (1.642-1+deb10u1) buster; urgency=medium > + > + * Fix memory corruption in XS functions when Perl stack is real

Bug#970307: buster-pu: package node-mysql/2.16.0-1+deb10u1

2020-09-14 Thread Xavier Guimard
+ * Team upload + * Add localInfile option to control LOAD DATA LOCAL INFILE +(Closes: #934712, CVE-2019-14939) + + -- Xavier Guimard Mon, 14 Sep 2020 15:57:57 +0200 + node-mysql (2.16.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2019-14939.patch b/debi

Bug#970096: buster-pu: package libdbi-perl/1.642-1+deb10u1

2020-09-12 Thread Xavier
On 12/09/2020 at 08:46, Xavier wrote: > On 11/09/2020 at 21:38, Salvatore Bonaccorso wrote: >> Hi Xavier, >> >> On Fri, Sep 11, 2020 at 06:02:00PM +0200, Xavier Guimard wrote: >>> Package: release.debian.org >>> Severity: normal >>> Tags: buster

Bug#970096: buster-pu: package libdbi-perl/1.642-1+deb10u1

2020-09-12 Thread Xavier
On 11/09/2020 at 21:38, Salvatore Bonaccorso wrote: > Hi Xavier, > > On Fri, Sep 11, 2020 at 06:02:00PM +0200, Xavier Guimard wrote: >> Package: release.debian.org >> Severity: normal >> Tags: buster >> User: release.debian@packages.debian.org >>

Bug#970096: buster-pu: package libdbi-perl/1.642-1+deb10u1

2020-09-11 Thread Xavier Guimard
when Perl stack is reallocated +(Closes: CVE-2020-14392) + + -- Xavier Guimard Thu, 10 Sep 2020 10:04:13 +0200 + libdbi-perl (1.642-1) unstable; urgency=medium [ Xavier Guimard ] diff --git a/debian/patches/CVE-2020-14392.patch b/debian/patches/CVE-2020-14392.patch new file mode 100644
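Review bot: the changelog line `(Closes: CVE-2020-14392)` uses the bug-closing field for a CVE id, which the Debian BTS does not act on since only `#NNNNNN` bug numbers are recognised after `Closes:`. Cite the CVE in the description text and reserve `Closes:` for the Debian bug number, if there is one.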

Bug#969706: buster-pu: package grunt/1.0.1-8+deb10u1

2020-09-06 Thread Xavier Guimard
: #969668, CVE-2020-7729) + + -- Xavier Guimard Sun, 06 Sep 2020 23:41:10 +0200 + grunt (1.0.1-8) unstable; urgency=medium [ Harish K ] diff --git a/debian/patches/CVE-2020-7729.patch b/debian/patches/CVE-2020-7729.patch new file mode 100644 index 000..64bed12 --- /dev/null +++ b/debian

Bug#969369: buster-pu: package node-elliptic/6.4.1_dfsg-1+deb10u1

2020-09-01 Thread Xavier Guimard
ex 74b516f..3bc7a59 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-elliptic (6.4.1~dfsg-1+deb10u1) buster; urgency=medium + + * Prevent malleability and overflows (Closes: CVE-2020-13822) + + -- Xavier Guimard Tue, 01 Sep 2020 13:24:44 +0200 + node-elliptic (6.4.1~dfsg-1
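Review bot: `Closes: CVE-2020-13822` in the added changelog entry will be ignored by the archive tooling, as `Closes:` only takes Debian bug numbers. Write the CVE id as plain text in the entry (for example `(CVE-2020-13822)`) and add `Closes: #NNNNNN` only if a Debian bug exists for it.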

Bug#969366: buster-pu: package node-url-parse/1.2.0-2+deb10u1

2020-09-01 Thread Xavier Guimard
ailures 2. the upstream fix adds security checks without modifying algorithm Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index 04127dd..ee819f8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-url-parse (1.2.0-2+deb10u1) buster; urgency=medium + + * Ad

Bug#969348: buster-pu: package node-bl/1.1.2-1+deb10u1

2020-08-31 Thread Xavier Guimard
-1,3 +1,10 @@ +node-bl (1.1.2-1+deb10u1) buster; urgency=medium + + * Team upload + * Add patch to fix over-read vulnerability (Closes: #969309, CVE-2020-8244) + + -- Xavier Guimard Mon, 31 Aug 2020 10:35:09 +0200 + node-bl (1.1.2-1) unstable; urgency=low * Team upload. diff --git a/d

Bug#969163: buster-pu: package npm/5.8.0+ds6-4+deb10u2

2020-08-28 Thread Xavier Guimard
ium + + * Team upload + * Don't show password in logs (Closes: CVE-2020-15095) + + -- Xavier Guimard Fri, 28 Aug 2020 13:36:33 +0200 + npm (5.8.0+ds6-4+deb10u1) buster; urgency=medium * Add patches to fix arbitrary path access diff --git a/debian/patches/CVE-2020-15095.diff b/debian/pa
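Review bot: the entry `Don't show password in logs (Closes: CVE-2020-15095)` puts a CVE id in the `Closes:` field, where only Debian bug numbers are parsed, so no bug is closed by this upload. Keep the CVE id in the text of the entry and use `Closes:` only with a `#NNNNNN` bug reference.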

Bug#953614: buster-pu: package dojo/1.14.2+dfsg1-1+deb10u2

2020-07-31 Thread Xavier
On 31/07/2020 at 10:27, Salvatore Bonaccorso wrote: > Hi Xavier, > > On Fri, May 08, 2020 at 02:09:41PM +0200, Salvatore Bonaccorso wrote: >> Hi Xavier, >> >> On Sat, Apr 25, 2020 at 07:24:14PM +0100, Adam D. Barratt wrote: >>> Control: tags -1 + confirmed

Bug#960575: buster-pu: package node-dot-prop/4.1.1-1+deb10u2

2020-05-14 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, CVE-2020-8116 fix introduced a regression that affects npm (#960283). This little fix solves the problem. Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index

Bug#960395: buster-pu: package lemonldap-ng/2.0.2+ds-7+deb10u4

2020-05-12 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, I introduced a bug in nginx configuration while fixing CVE-2019-19791. Here is the fix. Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index 3eb7087d9

Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1

2020-05-04 Thread Xavier
On 04/05/2020 at 18:53, Mattia Rizzolo wrote: > Hi, > > let me reply before adsb has a chance ;) > > On Mon, May 04, 2020 at 02:24:20PM +0200, Xavier wrote: >> Finally I found a way to fix CVE and keep autopkgtest OK >> (node-markdown-it-html5-embed). Here is a

Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1

2020-05-04 Thread Xavier
On 04/05/2020 at 11:54, Adam D. Barratt wrote: > On Mon, 2020-05-04 at 11:36 +0200, Xavier wrote: >> On 02/05/2020 at 11:58, Adam D. Barratt wrote: >>> On Sat, 2020-04-25 at 21:30 +0200, Paul Gevers wrote: >>>> Hi Xavier, >>>> >>>> On Sat

Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1

2020-05-04 Thread Xavier
On 04/05/2020 at 11:54, Adam D. Barratt wrote: > On Mon, 2020-05-04 at 11:36 +0200, Xavier wrote: >> On 02/05/2020 at 11:58, Adam D. Barratt wrote: >>> On Sat, 2020-04-25 at 21:30 +0200, Paul Gevers wrote: >>>> Hi Xavier, >>>> >>>> On Sat

Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1

2020-05-04 Thread Xavier
On 02/05/2020 at 11:58, Adam D. Barratt wrote: > On Sat, 2020-04-25 at 21:30 +0200, Paul Gevers wrote: >> Hi Xavier, >> >> On Sat, 8 Feb 2020 08:23:25 +0100 Xavier wrote: >>> On 07/02/2020 at 20:16, Adam D. Barratt wrote: >>>> On Sat, 2020-0

Bug#958931: buster-pu: package node-mongodb/3.1.13+~3.1.11-2+deb10u1

2020-04-26 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, bson (embedded in node-mongodb) is vulnerable to Deserialization of Untrusted Data. This upstream fix fixes both CVE-2019-2391 and CVE-2020-7610. Cheers, Xavier diff --git a

Bug#954988: stretch-pu: package node-knockout/3.4.2-2+deb9u1

2020-03-26 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, node-knockout is vulnerable to CVE-2019-14862 (#943560): bad escaping for old MSIE browsers (MSIE ≤ 7). This little patch fixes this issue. Cheers, Xavier diff --git a/debian

Bug#954985: buster-pu: package node-knockout/3.4.2-2+deb10u1

2020-03-26 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, node-knockout is vulnerable to CVE-2019-14862 (#943560): bad escaping for old MSIE browsers (MSIE ≤ 7). This little patch fixes this issue. Cheers, Xavier diff --git a/debian

Bug#954835: buster-pu: package node-yargs-parser/11.1.1-1+deb10u1

2020-03-24 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, node-yargs-parser is vulnerable to prototype pollution. I fixed it and added a basic test taken from [1]. Sid version is fixed (18.1.1-1). Cheers, Xavier [1] https://snyk.io

Bug#954398: buster-pu: package node-dot/1.1.1-1+deb10u1

2020-03-21 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, node-dot ≤ 1.1.2 is vulnerable to code execution after prototype pollution. I imported upstream fix and wrote a basic test to verify that CVE is really fixed. Cheers, Xavier

Bug#953763: buster-pu: package node-minimist/1.2.0-1+deb10u1

2020-03-12 Thread Xavier Guimard
, Xavier diff --git a/debian/changelog b/debian/changelog index 8406b1a..327fcb5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-minimist (1.2.0-1+deb10u1) buster; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: #953762, CVE-2020-7598) + + -- Xavier

Bug#953614: buster-pu: package dojo/1.14.2+dfsg1-1+deb10u2

2020-03-10 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, 2 new vulnerabilities have been published for dojo: prototype pollutions. I imported the 2 upstream fixes here. Cheers, Xavier diff --git a/debian/changelog b/debian/changelog

Bug#953286: RM: node-srs/0.4.8+dfsg-4

2020-03-06 Thread Xavier Guimard
). To help Node.js 12 migration, I would like to ask for its testing-only removal with node-millstone, its reverse dependency. Cheers, Xavier

Bug#953029: RM: node-nodedbi/1.0.13+dfsg-1

2020-03-03 Thread Xavier Guimard
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Hi, node-nodedbi is incompatible with Node.js ≥ 12 (#953028). I'd like to see it removed from testing (only) to permit Node.js 12 migration. Cheers, Xavier

Bug#952785: buster-pu: package dojo/1.15.0+dfsg1-1+deb10u1

2020-03-02 Thread Xavier
On 01/03/2020 at 22:52, Andreas Beckmann wrote: >> +#CVE-2019-10785.patch > > The patch is commented in the series file and thus does not get applied. > > Andreas Sorry for this error. Here is the real patch. Cheers, Xavier diff --git a/debian/changelog b/debian/change

Bug#952785: buster-pu: package dojo/1.15.0+dfsg1-1+deb10u1

2020-02-29 Thread Xavier
On 29/02/2020 at 14:48, Salvatore Bonaccorso wrote: > Hi Xavier, > > On Sat, Feb 29, 2020 at 09:10:51AM +0100, Xavier Guimard wrote: >> Package: release.debian.org >> Severity: normal >> Tags: buster >> User: release.debian@packages.debian.org >

Bug#952785: buster-pu: package dojo/1.15.0+dfsg1-1+deb10u1

2020-02-29 Thread Xavier Guimard
fixes this issue Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index 14447b52..0e5dc462 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +dojo (1.15.0+dfsg1-1+deb10u1) buster; urgency=medium + + * Team upload + * Cleanup improper regex usage (Closes

Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1

2020-02-07 Thread Xavier
On 07/02/2020 at 20:16, Adam D. Barratt wrote: > On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote: >> Control: tags -1 + confirmed >> >> On Mon, 2019-12-30 at 07:51 +0100, Xavier Guimard wrote: >>> node-handlebars is vulnerable to prototype

Bug#950854: buster-pu: package node-anymatch/2.0.0-1+deb10u1

2020-02-07 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, too many dependencies are required in Buster to install anymatch. This little fix reduces them, build/test & autopkgtest are OK. Cheers, Xavier diff --git a/debian/changel

Bug#950773: buster-pu: package node-dot-prop/4.1.1-1+deb10u1

2020-02-05 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, node-dot-prop is vulnerable to a prototype pollution. This upstream patch fixes the problem. Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index 84868fc

Bug#950151: Fwd: transition: pkg-js-tools

2020-01-31 Thread Xavier
On 31/01/2020 at 14:18, Paul Gevers wrote: > Hi yadd, > > On 29-01-2020 20:23, Xavier wrote: >>> SELECT distinct package.name FROM package JOIN content ON content.pid = >>> package.id WHERE architecture = 'i386' AND filename LIKE >>> './

Bug#950151: Fwd: transition: pkg-js-tools

2020-01-29 Thread Xavier
On 29/01/2020 at 20:04, Helmut Grohne wrote: > Hi Xavier, > > On Wed, Jan 29, 2020 at 06:54:36PM +0100, Xavier wrote: >> FYI, I opened a transition BTS to fix bad install to i386 arch >> (DEB_HOST_MULTIARCH problem) > > If you tell me about a bug report, please

Bug#950151: transition: pkg-js-tools

2020-01-29 Thread Xavier
On 29/01/2020 at 15:43, Xavier Guimard wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: transition > > Hi all, > > pkg-js-tools provides a Node.js auto installer (debhelper plugin) used > by JS Team.

Bug#950151: transition: pkg-js-tools

2020-01-29 Thread Xavier Guimard
ckages are those which: * are arch-dependent * and depends on pkg-js-tools * and were rebuilt after pkg-js-tools 0.9.0 release (0.8 in experimental) Cheers, Xavier [1]: https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/i386/node-request-promise.html Ben file (try): title = "

Bug#949702: buster-pu: package lemonldap-ng/2.0.2+ds-7+deb10u3

2020-01-23 Thread Xavier Guimard
endpoints - When 2FA is used, the grantSession plugin does not filter successful connections - OIDC relying party restriction introduced in 2.0.0 does not work when a previous federation was granted in the same session Cheers, Xavier diff --git a/debian/NEWS b/debian/NEWS index 454e18b

Bug#949121: buster-pu: package node-kind-of/6.0.2+dfsg-1+deb10u1

2020-01-16 Thread Xavier Guimard
. Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index f69a6ac..93d28bf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-kind-of (6.0.2+dfsg-1+deb10u1) buster; urgency=medium + + * Team upload + * fix type checking vul in ctorName (Closes: #948095, CVE

Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1

2019-12-29 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, node-handlebars is vulnerable to prototype pollution (CVE-2019-19919). This patch is exactly the one of upstream. Cheers, Xavier diff --git a/debian/changelog b/debian

Bug#947125: buster-pu: package cyrus-imapd/3.0.8-6+deb10u4

2019-12-23 Thread Xavier
On 22/12/2019 at 17:32, Adam D. Barratt wrote: > On Sat, 2019-12-21 at 19:44 +0100, Xavier wrote: >> On 21/12/2019 at 16:18, Adam D. Barratt wrote: >>> Control: tags -1 + moreinfo >>> >>> On Sat, 2019-12-21 at 14:43 +0100, Xavier Guimard wrote: > [...]

Bug#947172: buster-pu: package npm/5.8.0+ds6-4+deb10u1

2019-12-22 Thread Xavier Guimard
-normalize-package-bin package) used by these fixes. After discussion with security team, these CVEs will be tagged as no-dsa. Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index 85e9028..d7b986f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +npm (5.8.0+ds6-4

Bug#947125: buster-pu: package cyrus-imapd/3.0.8-6+deb10u4

2019-12-21 Thread Xavier
On 21/12/2019 at 16:18, Adam D. Barratt wrote: > Control: tags -1 + moreinfo > > On Sat, 2019-12-21 at 14:43 +0100, Xavier Guimard wrote: >> cyrus-imapd has a RC bug. This little patch tested by reporters fixes >> the problem. > > Fun timing, given +deb10u3 only

Bug#947125: buster-pu: package cyrus-imapd/3.0.8-6+deb10u4

2019-12-21 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, cyrus-imapd has a RC bug. This little patch tested by reporters fixes the problem. Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index 391230f..c96adf9

Bug#945122: buster-pu: package cyrus-imapd/3.0.8-6+deb10u2

2019-11-19 Thread Xavier Guimard
connection. However, this little patch fixes the problem. Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index 8023011..b011c8f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +cyrus-imapd (3.0.8-6+deb10u2) buster; urgency=high + + * Fix privilege escalation on

Bug#942143: buster-pu: package apache2/2.4.38-3+deb10u2

2019-10-10 Thread Xavier
On 10/10/2019 at 22:04, Xavier Guimard wrote: > Package: release.debian.org > Severity: normal > Tags: buster > User: release.debian@packages.debian.org > Usertags: pu > > Hi, > > CVE-2019-10092 patch added a regression (#941202). This patch fixes it > (taken

Bug#942143: buster-pu: package apache2/2.4.38-3+deb10u2

2019-10-10 Thread Xavier Guimard
&r2=1865748&pathrev=1865749) Cheers, Xavier

Bug#942075: buster-pu: package cyrus-imapd/3.0.8-6+deb10u1

2019-10-09 Thread Xavier Guimard
point release. Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index 8e0033c..ecc4273 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +cyrus-imapd (3.0.8-6+deb10u1) buster; urgency=medium + + * Fix data loss (Closes: #933163) + + -- Xavier Guimard Wed, 09 Oct

Bug#941683: buster-pu: package node-yarnpkg/1.13.0-1+deb10u1

2019-10-03 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, node-yarnpkg is vulnerable: it exports auth data in http requests (#941354, CVE-2019-5448). This patch imports upstream fix. Cheers, Xavier diff --git a/debian/changelog b

Bug#941227: [Pkg-javascript-devel] Bug#941227: buster-pu: package node-set-value/0.4.0-1+deb10u1

2019-09-26 Thread Xavier
I forgot debdiff, sorry On 26/09/2019 at 20:11, Xavier Guimard wrote: > Package: release.debian.org > Severity: normal > Tags: buster > User: release.debian@packages.debian.org > Usertags: pu > > Hi, > > node-set-value is vulnerable to prototype pollution (#9

Bug#941227: buster-pu: package node-set-value/0.4.0-1+deb10u1

2019-09-26 Thread Xavier Guimard
could be safely added to next buster point release. Cheers, Xavier [1]: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213

Bug#939897: stretch-pu: package node-mixin-deep/1.1.3-1+deb9u1

2019-09-09 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, since stretch and buster have the same node-mixin-deep, I added here the same security patches as those pushed in buster. Cheers, Xavier diff --git a/debian/changelog b/debian

Bug#935970: stretch-pu: package node-fstream/1.0.10-1+deb9u1

2019-09-01 Thread Xavier
Control: tags -1 - moreinfo On 01/09/2019 at 12:38, Adam D. Barratt wrote: > node-fstream is vulnerable to Arbitrary File Overwrite (#931408, > CVE-2019-13173). This little patch fixes the problem. Sorry, I forgot to push it. Done (see #939166)

Bug#939166: buster-pu: package node-fstream/1.0.10-1+deb10u1

2019-09-01 Thread Xavier Guimard
index 8162572..9d3352a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-fstream (1.0.10-1+deb10u1) buster; urgency=medium + + * Team upload + * Clobber a Link if it's in the way of a File +(Closes: #931408, CVE-2019-13173) + + -- Xavier Guimard Sun, 01 Sep 2019

Bug#935976: stretch-pu: package node-ws/1.1.0+ds1.e6ddaae4-3+deb9u1

2019-08-28 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, During buster release, we fixed CVE-2016-10542 for node-ws. The same patch can be applied in Stretch. Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index

Bug#935970: stretch-pu: package node-fstream/1.0.10-1+deb9u1

2019-08-28 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, node-fstream is vulnerable to Arbitrary File Overwrite (#931408, CVE-2019-13173). This little patch fixes the problem. Cheers, Xavier diff --git a/debian/changelog b/debian

Bug#934704: buster-pu: package node-lodash/4.17.11+dfsg-2+deb10u1

2019-08-13 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi all, node-lodash is vulnerable to prototype pollution (#933079, CVE-2019-10744). I imported upstream fix in the attached debdiff. Cheers, Xavier diff --git a/debian/changelog b

Bug#933595: transition: pkg-js-tools

2019-07-31 Thread Xavier Guimard
issue. Cheers, Xavier Ben file: title = "pkg-js-tools"; is_affected = .depends ~ "pkg-js-tools"; is_good = .depends ~ "pkg-js-tools (>= 0.8.[6-9])"; is_bad = .depends ~ "pkg-js-tools";

Bug#932884: release.debian.org: What is the good way to update rollup ?

2019-07-24 Thread Xavier Guimard
(rollup-0.52, rollup-0.67,...) with "alternative" mechanism, then rollup becomes a virtual package. Regression fixes: replace rollup build dependency by the good one: rollup-0.67,... * * * Cheers, Xavier

Bug#931596: stretch-pu: package libjavascript-beautifier-perl/0.25-1+deb10u1

2019-07-21 Thread Xavier
Control: tags - moreinfo On 22/07/2019 at 01:31, Jonathan Wiltshire wrote: > Control: tag -1 moreinfo > > Hi, > > On Mon, Jul 08, 2019 at 07:04:20AM +0200, Xavier Guimard wrote: >> Package: release.debian.org >> Severity: normal >> Tags: buster >> User:

Bug#932606: buster-pu: package node-mixin-deep/1.1.3-3+deb10u1

2019-07-21 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi all, node-mixin-deep is vulnerable to prototype pollution (#932500, CVE-2019-10746). Here is a proposed update. Cheers, Xavier diff --git a/debian/changelog b/debian/changelog

Bug#931596: stretch-pu: package libjavascript-beautifier-perl/0.25-1+deb10u1

2019-07-07 Thread Xavier Guimard
=>" in operators list). Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index d53fc65..531e69b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +libjavascript-beautifier-perl (0.25-1+deb10u1) unstable; urgency=medium + + * Add missing "=>" op
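Review bot: the new changelog entry names `unstable` as its distribution while the version `0.25-1+deb10u1` is a stable-update version, so the target suite and the version disagree. Set the distribution field to the stable suite this update is meant for (the `+deb10u1` suffix corresponds to buster) before uploading.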

Bug#929611: CVE-2019-13031

2019-06-29 Thread Xavier
Hi all, my previous debdiff fixes CVE-2019-13031 (#931117). I'll update debian/changelog if you agree with this update

Bug#929611: Update

2019-06-26 Thread Xavier
Hi all, I updated my debdiff due to a little security hole discovered in lemonldap-ng 1.9.x Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index a1fe37b..e1e20aa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +lemonldap-ng (1.9.7-3+deb9u2) stretch; urgency

Bug#930107: unblock: cyrus-imapd/3.0.8-6

2019-06-12 Thread Xavier
On 07/06/2019 at 07:08, Xavier Guimard wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > > Please unblock package cyrus-imapd > > Hi all, > > Cyrus-Imapd is vulnerable to remote arbit

Bug#930112: stretch-pu: package node-growl/1.7.0-1+deb9u1

2019-06-07 Thread Xavier Guimard
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi all, node-growl in stretch is vulnerable to #900868 / CVE-2017-16042. I imported upstream patch and embedded the little shell-escape module. Cheers, Xavier -- System

Bug#930107: unblock: cyrus-imapd/3.0.8-6

2019-06-06 Thread Xavier Guimard
debdiff includes also a missing dependency that closes #872238. Cheers, Xavier unblock cyrus-imapd/3.0.8-6 -- System Information: Debian Release: 10.0 APT prefers testing APT policy: (900, 'testing'), (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-5-amd6

Bug#929663: unblock: node-unicode-property-value-aliases/3.4.0+ds-1

2019-05-27 Thread Xavier
We should also amend Debian policy to ban the Emperor of Japan from abdicating during a freeze ;-)

Bug#929663: unblock: node-unicode-property-value-aliases/3.4.0+ds-1

2019-05-27 Thread Xavier Guimard
ow to force a rebuild of it in Buster. node-unicode-data should also build-depend on node-unicode-property-value-aliases >=3.4.0+ds-1. Cheers, Xavier unblock node-unicode-property-value-aliases/3.4.0+ds-1 -- System Information: Debian Release: 10.0 APT prefers testing APT policy: (900,

Bug#929611: stretch-pu: package lemonldap-ng/1.9.7-3+deb9u2

2019-05-27 Thread Xavier Guimard
includes a patch that fixes this regression and also fixes a little bug also fixed by upstream (do not push Access-Control-Allow-Origin on Ajax requests). Discussion on this regression is at the end of #928944 issue. Cheers, Xavier -- System Information: Debian Release: 10.0 APT prefers testing APT

Bug#929452: release.debian.org: [pre-approval] testing-proposed-updates for unicode changes

2019-05-23 Thread Xavier
Control: tags -1 - moreinfo On 23/05/2019 at 22:25, Niels Thykier wrote: > Control: tags -1 moreinfo > > Xavier Guimard: >> Package: release.debian.org >> Severity: normal >> >> Hi all, >> >> due to unicode change, 2 nodejs packages require an upd

Bug#929452: release.debian.org: [pre-approval] testing-proposed-updates for unicode changes

2019-05-23 Thread Xavier Guimard
in testing-proposed-updates? Packages are tested locally, build + autopkgtest OK. Sorry for the inconvenience. Cheers, Xavier -- System Information: Debian Release: 10.0 APT prefers testing APT policy: (900, 'testing'), (500, 'testing-proposed-updates'), (500, 'unsta

Bug#929449: unblock: acorn/5.5.3+ds3-3

2019-05-23 Thread Xavier Guimard
your work! Cheers, Xavier unblock acorn/5.5.3+ds3-3 -- System Information: Debian Release: 10.0 APT prefers testing APT policy: (900, 'testing'), (500, 'testing-proposed-updates'), (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-4-amd64 (S

Bug#929068: unblock: cyrus-imapd/3.0.8-5

2019-05-16 Thread Xavier Guimard
spaces in mailboxes * Add patches to fix some memory leaks found by code analyser (upstream) I also added myself to uploaders (package is RFA), since I need it here. I think I can take maintenance of it, at least during Buster life. cyrus-imapd has no reverse dependencies. Cheers, Xavier

Bug#929027: [pre-approval] unblock: cyrus-imapd/3.0.9-1

2019-05-15 Thread Xavier Guimard
d thing to upgrade cyrus-imapd instead of backporting the majority of these changes. Diff contains also many documentation updates that have no consequences on upgrade. Cheers, Xavier unblock cyrus-imapd/3.0.9-1 -- System Information: Debian Release: buster/sid APT prefers testing APT po

Bug#928954: unblock: lemonldap-ng/2.0.2+ds-7+deb10u1

2019-05-13 Thread Xavier Guimard
lemonldap-ng-portal/t/42-Register-Security.t * lemonldap-ng-portal/t/77-2F-Mail-with-global-storage.t lemonldap-ng has no reverse dependencies. Upstream provides more than 9000 unit tests that run all main features, so I think it is low risk to unblock lemonldap-ng. Cheers, Xavier unblock lemonld

Bug#928711: unblock: [pre-approval] cyrus-imapd/3.0.8-5

2019-05-09 Thread Xavier Guimard
this spelling error patch (joined) or upload a minimal change? Cheers, Xavier unblock cyrus-imapd/3.0.8-5 -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (600, 'testing'), (50, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures:

Bug#928677: unblock: node-mqtt-packet/6.0.0-2

2019-05-08 Thread Xavier Guimard
x malformed subscribe crash (Closes: #928673, CVE-2019-5432) * Fix debian/copyright format url * Enable upstream test during build node-mqtt-packet has no reverse dependencies. So I think it is not risky to upgrade Buster package. Cheers, Xavier unblock node-mqtt-packet/6.0.0-2 diff --git

Bug#928626: unblock: node-axios/0.17.1+dfsg-2

2019-05-07 Thread Xavier Guimard
gth (Closes: #928624, CVE-2019-10742) * Fix debian/copyright format URL node-axios has no reverse dependencies. I think it is low risk to upgrade node-axios in Buster. Cheers, Xavier unblock node-axios/0.17.1+dfsg-2 -- System Information: Debian Release: buster/sid APT prefers testing

Bug#928623: unblock: node-regjsparser/0.6.0+ds-2

2019-05-07 Thread Xavier Guimard
+-> node-css-loader +-> node-buble +-> node-rollup-plugin-buble +-> rollup The changes on installed files are related only to unicode update. Cheers, Xavier unblock node-regjsparser/0.6.0+ds-2 -- System Information: Debian Release: buster/sid APT prefers te

Bug#928610: unblock: node-unicode-data/0~20190414+gitbf518e99-2

2019-05-07 Thread Xavier
On 07/05/2019 at 17:20, Xavier Guimard wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > > Please unblock package node-unicode-data > > Hi all, > > Julien pushed a new version of node-u

Bug#928610: unblock: node-unicode-data/0~20190414+gitbf518e99-2

2019-05-07 Thread Xavier Guimard
, Xavier unblock node-unicode-data/0~20190414+gitbf518e99-2 -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (600, 'testing'), (50, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU

Bug#928281: unblock: lemonldap-ng/2.0.2+ds-7 (pre-approval)

2019-05-02 Thread Xavier
Control: tags -1 - moreinfo On 01/05/2019 at 23:00, Niels Thykier wrote: > Control: tags -1 moreinfo confirmed > > Xavier Guimard: >> Package: release.debian.org >> Severity: normal >> User: release.debian@packages.debian.org >> Usertags: unblock >>

Bug#928281: unblock: lemonldap-ng/2.0.2+ds-7 (pre-approval)

2019-05-01 Thread Xavier Guimard
opportune to update lemonldap-ng package to have better l10n support in Buster? Cheers, Xavier unblock lemonldap-ng/2.0.2+ds-7 -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (900, 'testing'), (500, 'testing-proposed-updates'), (500, 

Bug#927959: unblock: node-fresh/0.2.0-2

2019-04-26 Thread Xavier
On 26/04/2019 at 17:43, Xavier wrote: > On 26/04/2019 at 17:41, Xavier wrote: >> On 25/04/2019 at 15:35, Xavier Guimard wrote: >>> Package: release.debian.org >>> Severity: normal >>> User: release.debian@packages.debian.org >>> Usertags: unbl

Bug#927959: unblock: node-fresh/0.2.0-2

2019-04-26 Thread Xavier
On 26/04/2019 at 17:41, Xavier wrote: > On 25/04/2019 at 15:35, Xavier Guimard wrote: >> Package: release.debian.org >> Severity: normal >> User: release.debian@packages.debian.org >> Usertags: unblock >> >> Please unblock package node-fresh >>

Bug#927959: unblock: node-fresh/0.2.0-2

2019-04-26 Thread Xavier
On 25/04/2019 at 15:35, Xavier Guimard wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > > Please unblock package node-fresh > > Hi all, > > node-fresh is vulnerable to CVE-2017-16119 (#9

Bug#927959: unblock: node-fresh/0.2.0-2

2019-04-25 Thread Xavier Guimard
tested build and tests of node-serve-static, node-send and node-express (using additional needed modules). I plan to upload a new node-express in experimental with tests enabled to see autopkgtest regression if any. Cheers, Xavier unblock node-fresh/0.2.0-2 diff --git a/debian/changelog b/debian/cha

Bug#927871: unblock: node-js-beautify/1.7.5+dfsg-3

2019-04-24 Thread Xavier Guimard
/lib/nodejs/js-beautify/node_modules/editorconfig/lib/ini.js So I think it is low risk to upgrade node-js-beautify in Buster. Cheers, Xavier unblock node-js-beautify/1.7.5+dfsg-3 diff --git a/debian/changelog b/debian/changelog index 4a58c69..c7bff6c 100644 --- a/debian/changelog +++ b/debia
