Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-security-support@packages.debian.org
Control: affects -1 + src:debian-security-support
Please unblock package debian-security-support to fix an important bug
("#1106203: debian-security-support: check-security-support doesn't detect
packages whose binary and source version differ" which affects thousands
of packages with binNMUs where the version differs too) and which updates
the security support status of some packages.
[ Reason ]
see above and
debian-security-support (1:13+2025.06.17) unstable; urgency=medium
[ Santiago Ruano Rincón ]
* check-support-status: query source:Package instead of Source to get the
list of packages. Closes: #1106203.
* security-support.deb13 and .deb12: fix typo related to gobgp.
* security-support.deb11:
- update release notes links from bullseye as the HTML version of the
release notes is no longer available.
- mark gobgp with limited support.
[ Holger Levsen ]
* security-support.deb13: mark mozjs128 as limited support (and drop mozjs78
and mozjs102 from there as they are not part of trixie). Closes: #1105199.
Thanks to Simon McVittie.
[ Jochen Sprickerhof ]
* security-support.deb11: fix package names. Thanks to Roberto C. Sánchez.
-- Holger Levsen <holger@debian.org> Tue, 17 Jun 2025 15:56:37 +0200
[ Impact ]
packages with no or limited security support might not be announced as
such, thus breaking the core functionality of d-s-s.
[ Tests ]
the package has been in sid for 11 days with no failures reported
whatsoever. there are also build-time tests.
[ Risks ]
the actual code change is 1 line and has been reviewed and confirmed
working manually several times.
$ debdiff debian-security-support_13+2025.05.07.dsc debian-security-support_13+2025.06.17.dsc|diffstat
check-support-status.in | 2 +-
debian/changelog | 23 ++++++++++++++++++++++-
security-support.deb11 | 11 ++++++-----
security-support.deb12 | 2 +-
security-support.deb13 | 5 ++---
t/check-support-status.t | 8 ++++++++
6 files changed, 40 insertions(+), 11 deletions(-)
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
Thanks for your work on trixie!
unblock debian-security-support/1:13+2025.06.17
--
cheers,
Holger
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄
If enough people learn how to do something, it protects those that don't know
how to, this is known as nerd immunity.
diff -Nru debian-security-support-13+2025.05.07/check-support-status.in debian-security-support-13+2025.06.17/check-support-status.in
--- debian-security-support-13+2025.05.07/check-support-status.in 2025-05-07 20:07:04.000000000 +0200
+++ debian-security-support-13+2025.06.17/check-support-status.in 2025-06-16 22:06:42.000000000 +0200
@@ -160,7 +160,7 @@
# Get list of installed packages
INSTALLED_LIST="$TEMPDIR/installed"
-LC_ALL=C [% DPKG_QUERY %] --show --showformat '${Status}\t${binary:Package}\t${Version}\t${Source}\n' |
+LC_ALL=C [% DPKG_QUERY %] --show --showformat '${Status}\t${binary:Package}\t${Version}\t${source:Package}\n' |
[% AWK %] '($1=="install"){print}' |
[% AWK %] -F'\t' '{if($4==""){print $2"\t"$3"\t"$2}else{print $2"\t"$3"\t"$4}}' >"$INSTALLED_LIST"
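Review bot: The unchanged awk line at the end of this hunk still falls back to the binary name when the fourth field is empty (the if($4=="") branch), a case that was written for ${Source}. With ${source:Package} in the format string it is worth checking whether that branch can still fire; if it cannot, drop it or mark it as a defensive fallback. A one-line comment above the dpkg-query call saying why ${source:Package} is used (binNMU versions, #1106203) would also guard against a later revert to ${Source}.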
diff -Nru debian-security-support-13+2025.05.07/debian/changelog debian-security-support-13+2025.06.17/debian/changelog
--- debian-security-support-13+2025.05.07/debian/changelog 2025-05-07 20:32:35.000000000 +0200
+++ debian-security-support-13+2025.06.17/debian/changelog 2025-06-17 15:56:37.000000000 +0200
@@ -1,3 +1,24 @@
+debian-security-support (1:13+2025.06.17) unstable; urgency=medium
+
+ [ Santiago Ruano Rincón ]
+ * check-support-status: query source:Package instead of Source to get the
+ list of packages. Closes: #1106203.
+ * security-support.deb13 and .deb12: fix typo related to gobgp.
+ * security-support.deb11:
+ - update release notes links from bullseye as the HTML version of the
+ release notes is no longer available.
+ - mark gobgp with limited support.
+
+ [ Holger Levsen ]
+ * security-support.deb13: mark mozjs128 as limited support (and drop mozjs78
+ and mozjs102 from there as they are not part of trixie). Closes: #1105199.
+ Thanks to Simon McVittie.
+
+ [ Jochen Sprickerhof ]
+ * security-support.deb11: fix package names. Thanks to Roberto C. Sánchez.
+
+ -- Holger Levsen <holger@debian.org> Tue, 17 Jun 2025 15:56:37 +0200
+
debian-security-support (1:13+2025.05.07) unstable; urgency=medium
[ Chris Hofstaedtler ]
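Review bot: The entry "security-support.deb13 and .deb12: fix typo related to gobgp" undersells the change. In those two files the key goes from gobgpd to gobgp, and the test hunk further down lists gobgpd as the binary package and gobgp as its source, so this is a switch from a binary name to the source name the lists are matched against. Wording such as "list gobgp by source package name" would tell the release team and later readers why the line matters.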
@@ -15,7 +36,7 @@
https://www.debian.org/releases/trixie/release-notes instead of the
bookworm ones.
* debian/salsa-ci.yml: disable autopkgtests on salsa-ci.
- * Bump Standard-Version to 4.7.2, no changes needed.
+ * Bump Standards-Version to 4.7.2, no changes needed.
[ Santiago Ruano Rincón ]
* deb11: EOL odoo in bullseye. Closes: #1100929.
diff -Nru debian-security-support-13+2025.05.07/security-support.deb11 debian-security-support-13+2025.06.17/security-support.deb11
--- debian-security-support-13+2025.05.07/security-support.deb11 2025-05-07 20:07:04.000000000 +0200
+++ debian-security-support-13+2025.06.17/security-support.deb11 2025-06-17 13:03:28.000000000 +0200
@@ -20,7 +20,8 @@
ganglia limited See README.Debian.security, only supported behind an authenticated HTTP zone, #702775
ganglia-web limited See README.Debian.security, only supported behind an authenticated HTTP zone, #702776
gnupg1 limited See #982258 and https://www.debian.org/releases/stretch/amd64/release-notes.en.txt
-golang.* limited See https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#golang-static-linking
+gobgp limited See https://www.debian.org/releases/bullseye/amd64/release-notes.en.txt (Section 5.2.1.3)
+golang.* limited See https://www.debian.org/releases/bullseye/amd64/release-notes.en.txt (Section 5.2.1.3)
gpac non-supported 1.0.1+dfsg1-4+deb11u3 2024-08-08 https://lists.debian.org/debian-lts/2024/08/msg00007.html
intel-mediasdk non-supported 21.1.0-1 2024-11-07 abandoned upstream, upstream does not publish enough information to fix issues.
iotjs non-supported 1.0+715-1 2024-08-15 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078334
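Review bot: The new gobgp and golang.* descriptions identify the topic only as "(Section 5.2.1.3)" of a plain-text file, while the removed URL carried the self-describing fragment #golang-static-linking. Since this text is what the user is shown, a short phrase in the description itself, for example "Go static linking, see ... (Section 5.2.1.3)", would keep the message understandable without opening the link.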
@@ -34,9 +35,9 @@
musescore2 limited Only supported with trusted files, see README.Debian shipped in package and #1070860
musescore3 limited Only supported with trusted files, see README.Debian shipped in package and #1070860
node-matrix-js-sdk non-supported 9.3.0+~cs9.9.16-2 2025-01-30 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094651
-ocsinventory-serfalsever limited Only supported behind an authenticated HTTP zone
+ocsinventory-server limited Only supported behind an authenticated HTTP zone
odoo non-supported 14.0.0+dfsg.2-7+deb11u2 2025-04-12 Lack of clear information upstream about the commits fixing CVEs makes it difficult to backport patches. See #1100929
-openjdk-17 limited See https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#openjdk-17
+openjdk-17 limited See https://www.debian.org/releases/bullseye/amd64/release-notes.en.txt (Section 5.2.1.2)
pdns-recursor non-supported 4.4.2-3 2024-05-14 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070176
phppgadmin non-supported 7.13.0+dfsg-2 2024-06-29 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072589
pypy non-supported 7.3.3+dfsg-2 2024-09-29 Includes python2.7 stdlib. https://lists.debian.org/debian-lts/2024/08/msg00057.html
@@ -44,9 +45,9 @@
pytest-testinfra non-supported 6.1.0-1 2024-06-29 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070175
python-stdlib-extensions non-supported 2.7.18-1 2024-09-29 Only included for building packages, not running them. https://lists.debian.org/debian-lts/2024/08/msg00057.html
python2.7 non-supported 2.7.18-8+deb11u1 2024-09-29 Only included for building packages, not running them. https://lists.debian.org/debian-lts/2024/08/msg00057.html
-qtwebengine-openfalsesource-src limited No security support upstream and backports not feasible, only for use on trusted content
+qtwebengine-opensource-src limited No security support upstream and backports not feasible, only for use on trusted content
qtwebkit limited No security support upstream and backports not feasible, only for use on trusted content
-qtwebkit-opensoufalserce-src limited No security support upstream and backports not feasible, only for use on trusted content
+qtwebkit-opensource-src limited No security support upstream and backports not feasible, only for use on trusted content
salt non-supported 3002.6+dfsg1-4+deb11u1 2024-06-29 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070175
samba limited Only non-AD Domain Controller use cases are supported. See https://lists.debian.org/debian-security-announce/2023/msg00169.html
slurm-wlm non-supported 20.11.7+really20.11.4-2+deb11u1 2024-05-14 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071127
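Review bot: The two corrected names in this hunk (qtwebengine-openfalsesource-src, qtwebkit-opensoufalserce-src) and ocsinventory-serfalsever in the previous hunk all had the string "false" spliced into the middle of a name, which looks like a scripted edit gone wrong rather than three independent typos. It would be worth grepping all security-support.* lists for further stray "false" insertions before upload, and adding a build-time check that compares names across the per-release lists (ocsinventory-server is spelled correctly in security-support.deb13), because a mangled name is still syntactically valid and silently never matches.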
diff -Nru debian-security-support-13+2025.05.07/security-support.deb12 debian-security-support-13+2025.06.17/security-support.deb12
--- debian-security-support-13+2025.05.07/security-support.deb12 2025-05-07 20:32:35.000000000 +0200
+++ debian-security-support-13+2025.06.17/security-support.deb12 2025-06-16 22:06:48.000000000 +0200
@@ -18,7 +18,7 @@
ganglia limited See README.Debian.security, only supported behind an authenticated HTTP zone, #702775
ganglia-web limited See README.Debian.security, only supported behind an authenticated HTTP zone, #702776
gnupg1 limited See #982258 and https://www.debian.org/releases/stretch/amd64/release-notes/ch-whats-new.en.html#modern-gnupg
-gobgpd limited See https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
+gobgp limited See https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
golang.* limited See https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#golang-static-linking
intel-mediasdk non-supported 22.5.4-1 2024-11-21 abandoned upstream, upstream does not publish enough information to fix issues.
jython limited Includes python2.7 stdlib, support limited until Py3 port, see #975058 and https://lists.debian.org/debian-lts/2024/08/msg00027.html
diff -Nru debian-security-support-13+2025.05.07/security-support.deb13 debian-security-support-13+2025.06.17/security-support.deb13
--- debian-security-support-13+2025.05.07/security-support.deb13 2025-05-07 20:12:27.000000000 +0200
+++ debian-security-support-13+2025.06.17/security-support.deb13 2025-06-16 22:06:48.000000000 +0200
@@ -18,15 +18,14 @@
ganglia limited See README.Debian.security, only supported behind an authenticated HTTP zone, #702775
ganglia-web limited See README.Debian.security, only supported behind an authenticated HTTP zone, #702776
gnupg1 limited See #982258 and https://www.debian.org/releases/stretch/amd64/release-notes/ch-whats-new.en.html#modern-gnupg
-gobgpd limited See https://www.debian.org/releases/trixie/release-notes/issues.en.html#go-and-rust-based-packages
+gobgp limited See https://www.debian.org/releases/trixie/release-notes/issues.en.html#go-and-rust-based-packages
golang.* limited See https://www.debian.org/releases/trixie/release-notes/issues.en.html#go-and-rust-based-packages
isc-dhcp non-supported 4.4.3-P1-2 2023-07-05 https://lists.isc.org/pipermail/dhcp-users/2022-October/022786.html
jython limited Includes python2.7 stdlib, support limited until Py3 port, see #975058 and https://lists.debian.org/debian-lts/2024/08/msg00027.html
kde4libs limited khtml has no security support upstream, only for use on trusted content
khtml limited khtml has no security support upstream, only for use on trusted content, see #1004293
libspring-java limited See README.Debian.security included in the package
-mozjs102 limited Not covered by security support, only suitable for trusted content, see package description
-mozjs78 limited Not covered by security support, only suitable for trusted content, see #959804
+mozjs128 limited Not covered by security support, only suitable for trusted content, see package description
musescore2 limited Only supported with trusted files, see README.Debian shipped in package and #1070860
musescore3 limited Only supported with trusted files, see README.Debian shipped in package and #1070860
ocsinventory-server limited Only supported behind an authenticated HTTP zone
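Review bot: The added mozjs128 line is again tied to one version, and this hunk shows the cost: mozjs102 and mozjs78 had to be removed by hand once they were no longer in the release. The list already uses patterns (golang.* a few lines up), so a mozjs pattern may be worth considering if every mozjs version is meant to be limited. Separately, the description says only "see package description" while the changelog closes #1105199; citing that bug in the line, as the removed mozjs78 entry did with #959804, would give users a reference.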
diff -Nru debian-security-support-13+2025.05.07/t/check-support-status.t debian-security-support-13+2025.06.17/t/check-support-status.t
--- debian-security-support-13+2025.05.07/t/check-support-status.t 2025-05-07 20:07:04.000000000 +0200
+++ debian-security-support-13+2025.06.17/t/check-support-status.t 2025-06-16 22:06:42.000000000 +0200
@@ -203,6 +203,7 @@
node-.* non-supported 0 2020-02-20 https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#libv8
openjdk-6 non-supported 6b35-1.13.7-1~deb7u1 2031-05-23 No perpetual term support
php5 limited See README.Debian.security for the PHP security policy
+gobgp limited binNMU'ed package from a statically linked ecosystem
__EOS__
mock_query_list (
$query_list,
@@ -215,6 +216,7 @@
[ 'ioi', 'supported-package', '1.0-1' ],
[ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ],
[ 'ioi', 'libjs-marked', '0.3.2+dfsg-1', 'node-marked' ],
+ [ 'ioi', 'gobgpd', '3.10.0-1+b4', 'gobgp' ],
],
);
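Review bot: The new mock row [ 'ioi', 'gobgpd', '3.10.0-1+b4', 'gobgp' ] hands the test a clean source name in the fourth column, so as far as these hunks show it exercises the list matching and report output but not the dpkg-query format string, which is the one line changed in check-support-status.in. A test that would have failed before the fix needs either a mock row carrying what ${Source} returned for a binNMU'ed package, or an assertion on the format string passed to the query; without that, a revert to ${Source} would go unnoticed by the build-time tests.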
@@ -243,6 +245,11 @@
- libjs-marked (installed version: 0.3.2+dfsg-1)
+* Source:gobgp
+ Details: binNMU'ed package from a statically linked ecosystem
+ Affected binary package:
+ - gobgpd (installed version: 3.10.0-1+b4)
+
* Source:php5
Details: See README.Debian.security for the PHP security policy
Affected binary package:
@@ -267,6 +274,7 @@
debconf/1.5.36.1
debconf-i18n/1.5.36.1
libjs-marked/0.3.2+dfsg-1
+gobgpd/3.10.0-1+b4
php5/5.3.3-7+squeeze19
openjdk-6-jre/6b35-1.13.7-1~deb7u1
__EOS__
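
The failure mode this request describes, reproduced on constructed input (an added example, not code from debian-security-support). The fourth column is simulated once as `${Source}`, which is empty when source and binary name are equal and carries "name (version)" when the versions differ, and once as `${source:Package}`; the list match is simplified to exact names, and `sample_old`, `sample_new`, `normalize`, `flagged` and `LIST` are hypothetical names.

```shell
#!/bin/sh
# Constructed rows in the tab-separated layout the patched line requests:
# Status, binary:Package, Version, fourth field. Not real system output.

# Fourth field as ${Source}: empty if source name == binary name,
# "name (version)" if the source version differs (binNMU).
sample_old() {
    printf 'install ok installed\tphp5\t5.3.3-7\t\n'
    printf 'install ok installed\tlibjs-marked\t0.3.2+dfsg-1\tnode-marked\n'
    printf 'install ok installed\tgobgpd\t3.10.0-1+b4\tgobgp (3.10.0-1)\n'
}

# Fourth field as ${source:Package}: always the bare source name.
sample_new() {
    printf 'install ok installed\tphp5\t5.3.3-7\tphp5\n'
    printf 'install ok installed\tlibjs-marked\t0.3.2+dfsg-1\tnode-marked\n'
    printf 'install ok installed\tgobgpd\t3.10.0-1+b4\tgobgp\n'
}

# The two awk stages shown in the check-support-status.in hunk:
# keep installed packages, emit binary, version, source.
normalize() {
    awk '($1=="install"){print}' |
    awk -F'\t' '{if($4==""){print $2"\t"$3"\t"$2}else{print $2"\t"$3"\t"$4}}'
}

# Constructed list of source packages with limited support (assumption:
# exact-name matching only, unlike the real list format).
LIST="gobgp php5"

# Print the binary packages whose source name is on the list.
flagged() {
    normalize |
    awk -F'\t' -v list="$LIST" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) s[a[i]] = 1 }
        ($3 in s) { print $1 }' |
    LC_ALL=C sort | paste -sd ' ' -
}

echo "with \${Source}:         $(sample_old | flagged)"
echo "with \${source:Package}: $(sample_new | flagged)"
```

With the `${Source}` rows the binNMU'ed gobgpd is not reported, because its source column is the string "gobgp (3.10.0-1)" and never equals the list key.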