[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1105192: unblock: debian-security-support/13+2025.05.07

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-security-support@packages.debian.org
Control: affects -1 + src:debian-security-support

Please unblock package debian-security-support, it has no autopkgtest
and won't migrate before the hard freeze.

The debdiff is rather trivial and attached.

$ debdiff debian-security-support_13+2025.04.12.dsc debian-security-support_13+2025.05.07.dsc|diffstat
 debian/changelog                                 |   24 ++++++++++++++++++++++++
 debian/control                                   |    2 +-
 debian/debian-security-support.lintian-overrides |    4 ++--
 debian/salsa-ci.yml                              |    2 ++
 security-support.deb10                           |    1 +
 security-support.deb11                           |    3 +++
 security-support.deb12                           |    7 ++++---
 security-support.deb13                           |   11 ++++++-----
 8 files changed, 43 insertions(+), 11 deletions(-)

Thanks for your work on trixie.

unblock debian-security-support/13+2025.05.07


-- 
cheers,
	Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

No matter how many mistakes you make or how slow you progress, you are still
way ahead of everyone who isn't trying.

diff -Nru debian-security-support-13+2025.04.12/debian/changelog debian-security-support-13+2025.05.07/debian/changelog
--- debian-security-support-13+2025.04.12/debian/changelog	2025-04-12 18:00:29.000000000 +0200
+++ debian-security-support-13+2025.05.07/debian/changelog	2025-05-07 20:32:35.000000000 +0200
@@ -1,3 +1,27 @@
+debian-security-support (1:13+2025.05.07) unstable; urgency=medium
+
+  [ Chris Hofstaedtler ]
+  * deb13|12: python2.7 and python-stdlib-extensions have been removed long
+    ago.
+
+  [ Sylvain Beucler ]
+  * deb13|12|11|10: Add musescore(2|3) to limited security support.
+
+  [ Bastien Roucariès ]
+  * deb13|12: Add gobgp as limited golang support.
+
+  [ Holger Levsen ]
+  * deb13: use references to
+    https://www.debian.org/releases/trixie/release-notes instead of the
+    bookworm ones.
+  * debian/salsa-ci.yml: disable autopkgtests on salsa-ci.
+  * Bump Standard-Version to 4.7.2, no changes needed.
+
+  [ Santiago Ruano Rincón ]
+  * deb11: EOL odoo in bullseye. Closes: #1100929.
+
+ -- Holger Levsen <holger@debian.org>  Wed, 07 May 2025 20:32:35 +0200
+
 debian-security-support (1:13+2025.04.12) unstable; urgency=medium
 
   [ Jochen Sprickerhof ]
diff -Nru debian-security-support-13+2025.04.12/debian/control debian-security-support-13+2025.05.07/debian/control
--- debian-security-support-13+2025.04.12/debian/control	2025-04-04 12:04:01.000000000 +0200
+++ debian-security-support-13+2025.05.07/debian/control	2025-05-07 20:32:35.000000000 +0200
@@ -16,7 +16,7 @@
     original-awk,
     po-debconf,
     xmlto,
-Standards-Version: 4.7.0
+Standards-Version: 4.7.2
 Rules-Requires-Root: no
 Vcs-Git: https://salsa.debian.org/debian/debian-security-support.git
 Vcs-Browser: https://salsa.debian.org/debian/debian-security-support
diff -Nru debian-security-support-13+2025.04.12/debian/debian-security-support.lintian-overrides debian-security-support-13+2025.05.07/debian/debian-security-support.lintian-overrides
--- debian-security-support-13+2025.04.12/debian/debian-security-support.lintian-overrides	2025-04-04 12:03:58.000000000 +0200
+++ debian-security-support-13+2025.05.07/debian/debian-security-support.lintian-overrides	2025-05-07 20:32:35.000000000 +0200
@@ -3,5 +3,5 @@
 debian-security-support: debconf-is-not-a-registry [usr/share/debian-security-support/check-support-status.hook:*]
 debian-security-support: possibly-insecure-handling-of-tmp-files-in-maintainer-script /tmp [postinst:43]
 debian-security-support: unused-debconf-template debian-security-support/ended [templates:2]
-debian-security-support: unused-debconf-template debian-security-support/limited [templates:108]
-debian-security-support: unused-debconf-template debian-security-support/earlyend [templates:214]
+debian-security-support: unused-debconf-template debian-security-support/limited [templates:114]
+debian-security-support: unused-debconf-template debian-security-support/earlyend [templates:226]
diff -Nru debian-security-support-13+2025.04.12/debian/salsa-ci.yml debian-security-support-13+2025.05.07/debian/salsa-ci.yml
--- debian-security-support-13+2025.04.12/debian/salsa-ci.yml	2025-04-04 12:04:01.000000000 +0200
+++ debian-security-support-13+2025.05.07/debian/salsa-ci.yml	2025-05-07 20:29:58.000000000 +0200
@@ -1,3 +1,5 @@
 ---
 include:
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+variables:
+  SALSA_CI_DISABLE_AUTOPKGTEST: 1
diff -Nru debian-security-support-13+2025.04.12/security-support.deb10 debian-security-support-13+2025.05.07/security-support.deb10
--- debian-security-support-13+2025.04.12/security-support.deb10	2025-04-12 17:07:34.000000000 +0200
+++ debian-security-support-13+2025.05.07/security-support.deb10	2025-05-07 20:07:04.000000000 +0200
@@ -27,6 +27,7 @@
 lucene-solr                 non-supported   3.6.2+dfsg-20+deb10u2       2024-04-07  Ancient version with limited use for the server component.
 mozjs52                     limited  Not covered by security support, only suitable for trusted content
 mozjs60                     limited  Not covered by security support, only suitable for trusted content
+musescore                   limited  Only supported with trusted files, see README.Debian shipped in package and #1070860
 nvidia-cuda-toolkit         non-supported   9.2.148-7+deb10u1           2024-04-30  Impossible to backport single patches to fix open issues since the package is closed-source. A full version backport is not binary compatible
 ocsinventory-server         limited  Only supported behind an authenticated HTTP zone
 pluxml                      non-supported   5.6-1                       2023-05-06  Removed from Debian. No upstream response to CVE.
diff -Nru debian-security-support-13+2025.04.12/security-support.deb11 debian-security-support-13+2025.05.07/security-support.deb11
--- debian-security-support-13+2025.04.12/security-support.deb11	2025-04-12 17:07:34.000000000 +0200
+++ debian-security-support-13+2025.05.07/security-support.deb11	2025-05-07 20:07:04.000000000 +0200
@@ -31,8 +31,11 @@
 libspring-java                   limited  should be only used for building other Debian packages or in a secured local environment with trusted devices.
 mozjs68                          limited  Not covered by security support, only suitable for trusted content, see #959804
 mozjs78                          limited  Not covered by security support, only suitable for trusted content, see #959804
+musescore2                       limited  Only supported with trusted files, see README.Debian shipped in package and #1070860
+musescore3                       limited  Only supported with trusted files, see README.Debian shipped in package and #1070860
 node-matrix-js-sdk               non-supported   9.3.0+~cs9.9.16-2                2025-01-30  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094651
 ocsinventory-serfalsever         limited  Only supported behind an authenticated HTTP zone
+odoo                             non-supported   14.0.0+dfsg.2-7+deb11u2          2025-04-12  Lack of clear information upstream about the commits fixing CVEs makes it difficult to backport patches. See #1100929
 openjdk-17                       limited  See https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#openjdk-17
 pdns-recursor                    non-supported   4.4.2-3                          2024-05-14  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070176  
 phppgadmin                       non-supported   7.13.0+dfsg-2                    2024-06-29  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072589
diff -Nru debian-security-support-13+2025.04.12/security-support.deb12 debian-security-support-13+2025.05.07/security-support.deb12
--- debian-security-support-13+2025.04.12/security-support.deb12	2025-04-12 17:07:34.000000000 +0200
+++ debian-security-support-13+2025.05.07/security-support.deb12	2025-05-07 20:32:35.000000000 +0200
@@ -18,19 +18,20 @@
 ganglia                     limited  See README.Debian.security, only supported behind an authenticated HTTP zone, #702775
 ganglia-web                 limited  See README.Debian.security, only supported behind an authenticated HTTP zone, #702776
 gnupg1                      limited  See #982258 and https://www.debian.org/releases/stretch/amd64/release-notes/ch-whats-new.en.html#modern-gnupg
+gobgpd                      limited  See https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
 golang.*                    limited  See https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
 intel-mediasdk              non-supported   22.5.4-1  2024-11-21  abandoned upstream, upstream does not publish enough information to fix issues.
-jython                      limited  Includes python2.7 stdlib, support limited until Py3 port, see python2.7 below and https://lists.debian.org/debian-lts/2024/08/msg00027.html
+jython                      limited  Includes python2.7 stdlib, support limited until Py3 port, see #975058 and https://lists.debian.org/debian-lts/2024/08/msg00027.html
 kde4libs                    limited  khtml has no security support upstream, only for use on trusted content
 khtml                       limited  khtml has no security support upstream, only for use on trusted content, see #1004293
 libnet-easytcp-perl         non-supported   0.26-6    2025-01-18  https://bugs.debian.org/1093386; unmaintained upstream
 libspring-java              limited  See README.Debian.security included in the package
 mozjs102                    limited  Not covered by security support, only suitable for trusted content, see package description
 mozjs78                     limited  Not covered by security support, only suitable for trusted content, see #959804
+musescore2                  limited  Only supported with trusted files, see README.Debian shipped in package and #1070860
+musescore3                  limited  Only supported with trusted files, see README.Debian shipped in package and #1070860
 ocsinventory-server         limited  Only supported behind an authenticated HTTP zone
 php-horde.*                 non-supported   0         2025-03-22  https://lists.debian.org/debian-lts/2025/03/msg00012.html; incompatible with PHP8
-python-stdlib-extensions    limited  Only included for building packages, not running them, #975058
-python2.7                   limited  Only included for building packages, not running them, #975058
 qtwebengine-opensource-src  limited  No security support upstream and backports not feasible, only for use on trusted content
 qtwebkit                    limited  No security support upstream and backports not feasible, only for use on trusted content
 qtwebkit-opensource-src     limited  No security support upstream and backports not feasible, only for use on trusted content
diff -Nru debian-security-support-13+2025.04.12/security-support.deb13 debian-security-support-13+2025.05.07/security-support.deb13
--- debian-security-support-13+2025.04.12/security-support.deb13	2025-04-12 17:07:34.000000000 +0200
+++ debian-security-support-13+2025.05.07/security-support.deb13	2025-05-07 20:12:27.000000000 +0200
@@ -18,21 +18,22 @@
 ganglia                     limited  See README.Debian.security, only supported behind an authenticated HTTP zone, #702775
 ganglia-web                 limited  See README.Debian.security, only supported behind an authenticated HTTP zone, #702776
 gnupg1                      limited  See #982258 and https://www.debian.org/releases/stretch/amd64/release-notes/ch-whats-new.en.html#modern-gnupg
-golang.*                    limited  See https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
+gobgpd                      limited  See https://www.debian.org/releases/trixie/release-notes/issues.en.html#go-and-rust-based-packages
+golang.*                    limited  See https://www.debian.org/releases/trixie/release-notes/issues.en.html#go-and-rust-based-packages
 isc-dhcp                    non-supported   4.4.3-P1-2       2023-07-05  https://lists.isc.org/pipermail/dhcp-users/2022-October/022786.html
-jython                      limited  Includes python2.7 stdlib, support limited until Py3 port, see python2.7 below and https://lists.debian.org/debian-lts/2024/08/msg00027.html
+jython                      limited  Includes python2.7 stdlib, support limited until Py3 port, see #975058 and https://lists.debian.org/debian-lts/2024/08/msg00027.html
 kde4libs                    limited  khtml has no security support upstream, only for use on trusted content
 khtml                       limited  khtml has no security support upstream, only for use on trusted content, see #1004293
 libspring-java              limited  See README.Debian.security included in the package
 mozjs102                    limited  Not covered by security support, only suitable for trusted content, see package description
 mozjs78                     limited  Not covered by security support, only suitable for trusted content, see #959804
+musescore2                  limited  Only supported with trusted files, see README.Debian shipped in package and #1070860
+musescore3                  limited  Only supported with trusted files, see README.Debian shipped in package and #1070860
 ocsinventory-server         limited  Only supported behind an authenticated HTTP zone
-python-stdlib-extensions    limited  Only included for building packages, not running them, #975058
-python2.7                   limited  Only included for building packages, not running them, #975058
 qtwebengine-opensource-src  limited  No security support upstream and backports not feasible, only for use on trusted content
 qtwebkit                    limited  No security support upstream and backports not feasible, only for use on trusted content
 qtwebkit-opensource-src     limited  No security support upstream and backports not feasible, only for use on trusted content
-rust.*                      limited  See https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
+rust.*                      limited  See https://www.debian.org/releases/trixie/release-notes/issues.en.html#go-and-rust-based-packages
 sql-ledger                  limited  Only supported behind an authenticated HTTP zone
 tiles                       limited  Only supported for building packages, #1057343
 vte                         limited  Not covered by security support, only used by debian-installer, #1082885

Attachment: signature.asc
Description: PGP signature

Reply to: