Preparation of Debian GNU/Linux 2.2r7

An up-to-date version is at http://master.debian.org/~joey/2.2r7/

I am preparing another revision of the stable Debian distribution (r7) and will infrequently send reports so people can actually comment on it and intervene whenever this is required.

The plan is to get this revision of Debian GNU/Linux 2.2 (codename `potato') out at the beginning of July this year (2002). James Troup still has to give the final approval for each package since he is the ftpmaster in charge of stable revisions. However, I will try to make his work as easy as possible in the hope of getting the next revision out properly. Thanks for your attention.

This may also be the last version of the 2.2 series, depending on how well the woody release is progressing. There is, however, still a possibility that another update (r8, to be scheduled at the beginning of August) will have to be released before Debian 3.0.

My requirements for packages to go into stable:

1. The package fixes a security problem. An advisory by our own Security Team would be quite helpful. I really should make this a requirement for security uploads.

2. The package fixes a critical bug which can lead to data loss, data corruption, or a badly broken system, or the package itself is broken or not usable (anymore).

3. The stable version of the package is not installable at all due to broken or unmet dependencies or broken installation scripts.

4. All released architectures have to be in sync.

Packages which I will most probably reject:

. Packages which fix non-critical bugs.

. Misplaced uploads, i.e. packages that were uploaded to `stable unstable' or `frozen unstable'.

. Packages whose binary packages are out of sync across the supported architectures in the stable distribution.

. Binary packages for which the source got lost somehow.
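Requirement 4 and the out-of-sync rejection rule above can be checked mechanically against the package tables on this page. The following is an added example, not part of the original page and not a Debian tool: it parses rows laid out as package, suite, version, architectures and reports, per package, which stable binary architectures the proposed update fails to cover (and any it adds). The sample rows are copied from the tables further down; the `RELEASED` set is the six potato architectures the page lists.

```python
import re
from collections import defaultdict

# Released architectures of Debian GNU/Linux 2.2 (potato), as listed on this page.
RELEASED = {"alpha", "arm", "i386", "m68k", "powerpc", "sparc"}

# One table row: package, suite (stable/updates), version, comma-separated archs.
ROW = re.compile(r"^(\S+)\s+(stable|updates)\s+(\S+)\s+(.+)$")

# Constructed sample, copied from rows on this page (not a live archive query).
SAMPLE = """\
analog     stable   2:5.22-0potato3  alpha, arm, i386, m68k, powerpc, sparc, source
analog     updates  2:5.22-0potato4  alpha, arm, i386, m68k, powerpc, sparc, source
erlang     stable   49.1-10          i386, powerpc, sparc, source
erlang     updates  49.1-10.1        i386, powerpc, sparc, source
fetchmail  stable   5.3.3-3          alpha, arm, i386, m68k, powerpc, sparc, source
fetchmail  updates  5.3.3-4          alpha, i386, m68k, powerpc, sparc, source
freeamp    stable   1.3.1-5          m68k, powerpc
freeamp    stable   2.0.6-1          arm
freeamp    stable   2.0.6-2          alpha, i386, sparc, source
freeamp    updates  2.0.6-2.1        alpha, i386, powerpc, sparc, source
"""

def parse_rows(text):
    """Return (package, suite, version, set_of_archs) for every table row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            pkg, suite, version, archs = m.groups()
            rows.append((pkg, suite, version, {a.strip() for a in archs.split(",")}))
    return rows

def sync_report(rows):
    """Per package: (stable archs absent from the update, update archs stable never
    shipped).  'all' and 'source' are not binary architectures and are ignored."""
    archs = defaultdict(lambda: {"stable": set(), "updates": set()})
    for pkg, suite, _version, a in rows:
        archs[pkg][suite] |= a & RELEASED
    return {pkg: (sorted(s["stable"] - s["updates"]), sorted(s["updates"] - s["stable"]))
            for pkg, s in archs.items()}

def out_of_sync(text):
    """Packages whose update would not keep all stable architectures in sync."""
    return sorted(pkg for pkg, (missing, extra) in sync_report(parse_rows(text)).items()
                  if missing or extra)

if __name__ == "__main__":
    for pkg, (missing, extra) in sorted(sync_report(parse_rows(SAMPLE)).items()):
        print(f"{pkg:12} MISSING {', '.join(missing) or '-':14} EXTRA {', '.join(extra) or '-'}")
```

Note that freeamp is reported as missing m68k as well as arm, because stable still carries an old 1.3.1-5 build for m68k that the update does not replace.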

Accepted packages

These packages should be installed into stable and be part of the next revision.

Package   Suite     Version            Architectures
analog    stable    2:5.22-0potato3    alpha, arm, i386, m68k, powerpc, sparc, source
analog    updates   2:5.22-0potato4    alpha, arm, i386, m68k, powerpc, sparc, source

DSA 125, backport of 5.22 for security reasons. The advisory mentions version 5.22-0potato1, though.

apache-common   stable    1.3.9-14      alpha, arm, i386, m68k, powerpc, sparc
apache-common   updates   1.3.9-14.1    alpha, arm, i386, m68k, powerpc, sparc
apache-dev      stable    1.3.9-14      alpha, arm, i386, m68k, powerpc, sparc
apache-dev      updates   1.3.9-14.1    alpha, arm, i386, m68k, powerpc, sparc
apache-doc      stable    1.3.9-14      all
apache-doc      updates   1.3.9-14.1    all
apache          stable    1.3.9-14      alpha, arm, i386, m68k, powerpc, sparc, source
apache          updates   1.3.9-14.1    alpha, arm, i386, m68k, powerpc, sparc, source

DSA 131

apache-perl   stable    1.3.9-13.1-1.21.20000309-1   alpha, arm, i386, m68k, powerpc, sparc, source
apache-perl   updates   1.3.9-14.1-1.21.20000309-1   alpha, arm, i386, m68k, powerpc, sparc, source

DSA 133

apache-ssl   updates   1.3.9.13-4.1   alpha, arm, i386, m68k, powerpc, sparc, source

DSA 132

snake4   stable    1.0.10-1       alpha, arm, i386, m68k, powerpc, sparc, source
snake4   updates   1.0.10-1.0.1   alpha

Binary-only non-maintainer upload for alpha; no source changes. (See Bug#103300)

cupsys-bsd       stable    1.0.4-9    alpha, arm, i386, m68k, powerpc, sparc
cupsys-bsd       updates   1.0.4-12   alpha, arm, i386, m68k, powerpc, sparc
cupsys           stable    1.0.4-9    alpha, arm, i386, m68k, powerpc, sparc, source
cupsys           updates   1.0.4-12   alpha, arm, i386, m68k, powerpc, sparc, source
libcupsys1-dev   stable    1.0.4-9    alpha, arm, i386, m68k, powerpc, sparc
libcupsys1-dev   updates   1.0.4-12   alpha, arm, i386, m68k, powerpc, sparc
libcupsys1       stable    1.0.4-9    alpha, arm, i386, m68k, powerpc, sparc
libcupsys1       updates   1.0.4-12   alpha, arm, i386, m68k, powerpc, sparc

-10: Security upload: DSA 110, Buffer overflow

-11: More security fixes: more complete patch for attribute buffer handling and a more correct path validation check to prevent ".." attacks.

-12: Remove lpd backend for security reasons.

custom   stable    1.9962-2   all, source
custom   updates   1.9962-3   all, source

New upload to fix a maintainer-side time warp (Fixes Bug#103300)

erlang-base   stable    49.1-10     all
erlang-base   updates   49.1-10.1   all
erlang-erl    stable    49.1-10     all
erlang-erl    updates   49.1-10.1   all
erlang-java   stable    49.1-10     all
erlang-java   updates   49.1-10.1   all
erlang        stable    49.1-10     i386, powerpc, sparc, source
erlang        updates   49.1-10.1   i386, powerpc, sparc, source

Probably from the zlib fuckup

* Non-maintainer upload by the Security Team
* Apply patch for double-free bug to included copy of zlib

ethereal   stable    0.8.0-2potato   alpha, arm, i386, m68k, powerpc, sparc, source
ethereal   updates   0.8.0-3potato   alpha, arm, i386, m68k, powerpc, sparc, source

Security upload (backports of 0.9.3) - DSA 130

- asn1.c: fixes zero-length g_malloc that could have caused problems.

- asn1.c: fixes possible buffer overflow.

horde   stable    2:1.2.6-0.potato.4   all, source
horde   updates   2:1.2.6-0.potato.5   all, source
imp     stable    2:2.2.6-0.potato.4   all, source
imp     updates   2:2.2.6-0.potato.5   all, source

DSA 126

libapache-mod-ssl-doc   stable    2.4.10-1.3.9-1potato1   all
libapache-mod-ssl-doc   updates   2.4.10-1.3.9-1potato2   all
libapache-mod-ssl       stable    2.4.10-1.3.9-1potato1   alpha, arm, i386, m68k, powerpc, sparc, source
libapache-mod-ssl       updates   2.4.10-1.3.9-1potato2   alpha, arm, i386, m68k, powerpc, sparc, source

DSA 135 (non-US)

listar-cgi   stable    0.129a-2.potato1   alpha, arm, i386, m68k, powerpc, sparc
listar-cgi   updates   0.129a-2.potato2   alpha, arm, i386, m68k, powerpc, sparc
listar       stable    0.129a-2.potato1   alpha, arm, i386, m68k, powerpc, sparc, source
listar       updates   0.129a-2.potato2   alpha, arm, i386, m68k, powerpc, sparc, source

DSA 123 - covers 0.129a-2.potato1, though. This one adds:

* SECURITY: Applied argv security fixes from the Ecartis tree.

qpopper   stable    2.53-5   alpha, arm, i386, m68k, powerpc, sparc, source
qpopper   updates   2.53-7   alpha, arm, i386, m68k, powerpc, sparc, source

Fix a bug that can cause lost data and DoS. (closes: #140784, #114300) This only affected qpopper-2.23 and before. Thanks for Masaki Ikeda <masaki@orange.co.jp>'s patch.

!!! Not yet verified !!!

sudo   stable    1.6.2p2-2.1   alpha, arm, i386, m68k, powerpc, sparc, source
sudo   updates   1.6.2p2-2.2   alpha, arm, i386, m68k, powerpc, sparc, source

DSA 128

uucp   stable    1.06.1-11potato2   alpha, arm, i386, m68k, powerpc, sparc, source
uucp   updates   1.06.1-11potato3   alpha, arm, i386, m68k, powerpc, sparc, source

DSA 129

vrweb   stable    1.5-5     alpha, arm, i386, m68k, powerpc, sparc, source
vrweb   updates   1.5-5.1   alpha, arm, i386, m68k, powerpc, sparc, source

* Non-maintainer upload by the security team
* Upgrade zlib to 1.1.3 and apply patch for double-free bug

Cleaning bits from the zlib disaster

wmtv   stable    0.6.5-2.0.1     sparc
wmtv   stable    0.6.5-2potato2  alpha, arm, i386, m68k, powerpc, source
wmtv   updates   0.6.5-3potato3  alpha, arm, i386, m68k, powerpc, sparc, source

Security Upload, DSA 108, symlink vulnerability. This upload fixes the sparc foobarness.

xsane   stable    0.50-5     alpha, arm, i386, m68k, powerpc, sparc, source
xsane   updates   0.50-5.1   alpha, arm, i386, m68k, powerpc, sparc, source

DSA 118 - insecure temporary files

Need further investigation

These packages need further investigation. One reason the package is listed here could be that I'm not yet convinced this package should go into stable, but don't want to reject it entirely at the moment. Another reason could be that released and updated architectures are not in sync yet.

cfengine-doc   stable    1.5.3-6       all
cfengine-doc   updates   1.5.3-7       all
cfengine       stable    1.5.3-6       arm, i386, m68k, powerpc, sparc, source
cfengine       stable    1.5.3-6.0.1   alpha
cfengine       updates   1.5.3-7       alpha, arm, i386, m68k, powerpc, sparc, source

Changelog says: fix stat -> lstat in src/image.c, else a symlink might be followed if we are purging. This is a security bug!

Requires attention from the security team

dns-browse   stable    1.6-4   all, source
dns-browse   updates   1.6-5   all, source

Changelog says: Fixed dns_tree so that it uses the HOME directory for cache files (Closes: #146591)

This requires action by the Security Team

fetchmailconf   stable    5.3.3-3   all
fetchmailconf   updates   5.3.3-4   all
fetchmail       stable    5.3.3-3   alpha, arm, i386, m68k, powerpc, sparc, source
fetchmail       updates   5.3.3-4   alpha, i386, m68k, powerpc, sparc, source

* SECURITY FIX: avoid buffer overflow on 64bit archs (imap.c). This is a remote-exploitable buffer overflow if the imap server is hostile (backported from new upstream 5.9.12). Bug discovery and fix by Nalin Dahyabai

DSA missing

MISSING arm

freeamp-doc         stable    2.0.6-2     all
freeamp-doc         updates   2.0.6-2.1   all
freeamp             stable    1.3.1-5     m68k, powerpc
freeamp             stable    2.0.6-1     arm
freeamp             stable    2.0.6-2     alpha, i386, sparc, source
freeamp             updates   2.0.6-2.1   alpha, i386, powerpc, sparc, source
libfreeamp-alsa     stable    2.0.6-2     alpha, i386, sparc
libfreeamp-alsa     updates   2.0.6-2.1   alpha, i386, powerpc, sparc
libfreeamp-esound   stable    2.0.6-1     arm
libfreeamp-esound   stable    2.0.6-2     alpha, i386, sparc
libfreeamp-esound   updates   2.0.6-2.1   alpha, i386, powerpc, sparc

* Non-maintainer upload by the security team
* Apply patch for zlib double-free bug

Looks like a leaf of the zlib disaster

MISSING arm

photopc   stable    2.1-1    powerpc
photopc   stable    2.8-3    arm
photopc   stable    3.02-2   alpha, i386, sparc, source
photopc   updates   3.02-2   powerpc

Get versions in sync.

MISSING arm

unixcw   stable    1.1a-2   arm
unixcw   stable    1.1a-5   alpha, i386, source
unixcw   updates   1.1a-5   powerpc, sparc

Get package in sync through all architectures.

MISSING arm

zlib-bin     stable    1:1.1.3-5       alpha, arm, i386, powerpc, sparc
zlib-bin     stable    1:1.1.3-5.0.1   m68k
zlib-bin     updates   1:1.1.3-5.1     alpha, arm, i386, m68k, powerpc, sparc
zlib1g-dev   stable    1:1.1.3-5       alpha, arm, i386, powerpc, sparc
zlib1g-dev   stable    1:1.1.3-5.0.1   m68k
zlib1g-dev   updates   1:1.1.3-5.1     alpha, arm, i386, m68k, powerpc, sparc
zlib1g       stable    1:1.1.3-5       alpha, arm, i386, powerpc, sparc
zlib1g       stable    1:1.1.3-5.0.1   m68k
zlib1g       updates   1:1.1.3-5.1     alpha, arm, i386, m68k, powerpc, sparc
zlib1        stable    1:1.1.3-3       sparc
zlib1        stable    1:1.1.3-5       i386
zlib1        stable    1:1.1.3-5.0.1   m68k
zlib1        updates   1:1.1.3-5.1     i386, m68k
zlib         stable    1:1.1.3-5       source
zlib         updates   1:1.1.3-5.1     source

delay-install zlib_1.1.3-5.1_alpha.changes
delay-install zlib_1.1.3-5.1_arm.changes
delay-install zlib_1.1.3-5.1_i386.changes
delay-install zlib_1.1.3-5.1_powerpc.changes
delay-install zlib_1.1.3-5.1_sparc.changes
delay-install zlib_1.1.3-5.1_m68k.changes

DSA 122 - zlib strikes back

No zlib1 package for sparc anymore? Is that intentional? Query debian-sparc

Rejected packages

These packages don't meet the requirements.

dvi2ps-fontdata-a2n        stable    1.0-5   all
dvi2ps-fontdata-a2n        updates   1.0-7   all
dvi2ps-fontdata-bsr        stable    1.0-5   all
dvi2ps-fontdata-bsr        updates   1.0-7   all
dvi2ps-fontdata-ja         stable    1.0-5   all
dvi2ps-fontdata-ja         updates   1.0-7   all
dvi2ps-fontdata-n2a        stable    1.0-5   all
dvi2ps-fontdata-n2a        updates   1.0-7   all
dvi2ps-fontdata-ptexfake   stable    1.0-5   all
dvi2ps-fontdata-ptexfake   updates   1.0-7   all
dvi2ps-fontdata-rrs        stable    1.0-5   all
dvi2ps-fontdata-rrs        updates   1.0-7   all
dvi2ps-fontdata-rsp        stable    1.0-5   all
dvi2ps-fontdata-rsp        updates   1.0-7   all
dvi2ps-fontdata-tbank      stable    1.0-5   all
dvi2ps-fontdata-tbank      updates   1.0-7   all
dvi2ps-fontdata-three      stable    1.0-5   all
dvi2ps-fontdata-three      updates   1.0-7   all

Misplaced upload to 'stable unstable'

efingerd   stable    1.3     alpha, arm, i386, m68k, powerpc, sparc, source
efingerd   updates   1.3.2   alpha, arm, i386, m68k, powerpc, sparc, source

Alleged security update, .1 and .2 are broken, though.

Joey is discussing the issue with the maintainer.

jtex-base   stable    1.8-6   all, source
jtex-base   updates   1.8-7   all, source

Misplaced upload, stable+unstable

rsync   stable    2.3.2-1.2   alpha, arm, i386, m68k, powerpc, sparc
rsync   updates   2.3.2-1.3   alpha, arm, i386, m68k, powerpc, sparc

DSA 106

Broken packages, hence rejecting

Disclaimer

This list is intended to help the ftp-masters release 2.2r7. They have the final say on whether a package is accepted or not. If you want to comment on this list, please send a mail to Martin Schulze <joey@debian.org>.
Last updated 2002/07/04 12:01 MET