gnustep-base (1.25.1-3) unstable; urgency=medium
 .
   * debian/patches/icu-60.patch: Fix FTBFS on big-endian architectures (really closes: #888908).
   * debian/templates/control.m4 (Standards-Version): Bump to 4.1.4; no changes required.
   * debian/control: Regenerate.

golang-go.crypto (1:0.0~git20180513.94e3fad-2) unstable; urgency=medium
 .
   * Build-Depend on golang-golang-x-sys-dev (>= 0.0~git20180510.7dfd129) because x/crypto now needs x/sys/cpu introduced on 2018-04-13.

golang-go.crypto (1:0.0~git20180513.94e3fad-1) unstable; urgency=medium
 .
   [ Alexandre Viau ]
   * Point Vcs-* urls to salsa.debian.org.
 .
   [ Anthony Fok ]
   * New upstream version 0.0~git20180513.94e3fad
   * Apply "cme fix dpkg" fixes to debian/control, bumping Standards-Version to 4.1.4, etc.
   * Build-Depend on golang-any (>= 2:1.9~) because x/crypto now needs math/bits introduced in go1.9.

golang-golang-x-sys (0.0~git20180510.7dfd129-1) unstable; urgency=medium
 .
   [ Alexandre Viau ]
   * Point Vcs-* urls to salsa.debian.org.
 .
   [ Anthony Fok ]
   * New upstream version 0.0~git20180510.7dfd129
   * Apply "cme fix dpkg" fixes to debian/control. Bumping Standards-Version to 4.1.4

hhvm (3.24.7+dfsg-2) unstable; urgency=medium
 .
   * Correctly remove libsqlite3-3.23.01.patch (Closes: #898404)

hhvm (3.24.7+dfsg-1) unstable; urgency=medium
 .
   * New upstream release
     - Drop gcc-7.patch (obsolete with upstream changes, now supported)
     - Drop reproducible-hack-hhi.patch (obsolete with upstream changes, reproducibility needs to be revisited with the new upstream release)
     - Drop drop-xlocale.patch (merged upstream)
     - Refreshed remove-broken-json-test.patch (still unfixed upstream)
     - Supports libonig 6.8 (Closes: #897250)
   * Now supports OpenSSL 1.1 (Closes: #858927)
     - Re-enable IMAP extension
   * New upstream addresses CVE-2018-6332, CVE-2018-6334 (Closes: #895194), CVE-2018-6335 and CVE-2018-5711
   * Remove Alioth git references, going away soon
   * Switch to debhelper compat level 10
   * Switch priority of hhvm-dbg and hhvm-dev to optional
   * lists.alioth.debian.org is going away, so set myself to Maintainer: and Faidon to Uploaders field until a new solution is found

hhvm (3.21.0+dfsg-2) unstable; urgency=medium
 .
   * Fix compatibility with glibc 2.26, thanks to Matthias Klose for the report (Closes: #875904)

hhvm (3.21.0+dfsg-1) unstable; urgency=medium
 .
   * New upstream release 3.21 (3.18 releases were not uploaded to the archive due to various stability problems)
   * Fix FTBFS with GCC 7 (Closes: #853442)
   * Back out broken upstream JSON test case (reported at https://github.com/facebook/hhvm/issues/7708)
   * Add ocamlbuild to build dependencies (reported in #868480, compatibility of 3.21 with ocaml 4.05 needs to be revisited)
   * Update copyright file for 3.12->3.21 period, taking most of the entries for webscalesqlclient from src:mysql-5.6's copyright file
   * Remove Upstart job
   * Bump standards version

hhvm (3.12.11+dfsg-1) unstable; urgency=medium
 .
   [ Moritz Muehlenhoff ]
   * New upstream LTS releases, addressing multiple security issues.
     (Closes: #835032)
     From 3.12.2:
     - CVE-2015-8865 - Buffer overwrite in finfo_open with malformed magic
     - Integer overflow in iptcembed
     - CVE-2016-3074 - Fix signedness issue in libgd
     - CVE-2014-9709 - Fix a possible buffer read overflow in gd_gif_in.cpp
     - Prevent a potential nullptr dereference in ext_xsl
     - Don't segfault if you try to remove the last autoloader while adding a new one
     - CVE-2016-1903 - imagerotate information leak
     - FILTER_FLAG_STRIP_BACKTICK was being ignored unless other flags are set
     - CVE-2016-4539 - Fix a segfault in xml_parse_into_struct
     - Fix a potential null dereference in ZipArchive::extractTo
     - CVE-2016-4070 - Integer Overflow in php_raw_url_encode
     From 3.12.3:
     - CVE-2016-1000004 - Type safety in simplexml import routines
     - CVE-2016-1000004 - Fix param types for mcrypt_get_block_size() to match PHP
     - CVE-2016-1000006 - Fix use-after-free in serialize_memoize_param() and ResourceBundle::__construct()
     - CVE-2016-6870 - Use req::strndup in php_mb_parse_encoding_list to prevent oob memory write.
     - HHVM-2016-11781481 - Fix nullptr dereference in f_mysqli_stmt_bind{param,result}
     - HHVM-2016-11791940 - Avoid invalid array access in JSON_decode()
     - PHP-2016-0072337 - Fix a segfault with invalid dimensions and imagescale out of bounds read in ext_gd
     From 3.12.5:
     - CVE-2016-1000109: Ignore Proxy HTTP header from fastcgi requests
     From 3.12.6:
     - CVE-2016-6871 - Fix buffer overrun due to integer overflow in bcmath
     - CVE-2016-6872 - Fix integer overflow in StringUtil::implode
     - CVE-2016-6873 - Fix self recursion in compact
     - CVE-2016-6874 - Fix recursion checks in array_*_recursive
     - CVE-2016-6875 - Fix infinite recursion in wddx
     - PHP-2015-0070345 - [HHVM][Security] 0003 pcre preg bug 70345
     From 3.12.8:
     - ext_gd: exif_process_IFD_TAG: Use the right offset if reading from stream
     - Fix some color related crashes in libgd
     - Don't allow smart_str to overflow int
     - Integer overflow in _gd2GetHeader
     - Fix objprof refcounting
     - Fix buffer overruns in mb_send_mail
     - Integer overflow in gdImagePaletteToTrueColor
     - Null pointer dereference in _gdScaleVert
     - pass2_no_dither out-of-bounds access
     From 3.12.9:
     - Fix off-by-one index check in ThreadSafeLocaleHandler::actuallySetLocale
     - Prevent an integer overflow in _gdContributionsAlloc
     - Fix a potential overflow in tsrm_virtual_file_ex
     - Invalid transparent index can result in OOB read or write
     - Do not treat negative return values from bz2 as size_t
     - Fix OOB read in exif_process_IFD_in_MAKERNOTE
     - Prevent an OOB access in locale_accept_from_http
     - Avoid possible OOB using imagegif
     - Disable bad zend test
     - Add an option to explicitly disable NUMA support.
     From 3.12.10:
     - Fix a bug in StringUtil::Explode
     - Fix a couple of bugs in libgd
     From 3.12.11:
     - Prevent integer overflow in gdImageWebpCtx
     - Check depth values in json_decode
     - Prevent negative gamma values being passed to imagegammacorrect
     - Fix crypt with over-long salts
     - Memory leak in exif_process_IFD_in_TIFF
     - 9da Fix getimagesize returning FALSE on valid jpg
 .
   [ Faidon Liambotis ]
   * Build against libmysqlclient, not libmysqlclient_r. Thanks to Robie Basak for the bug report and patch. (Closes: #825077)
   * Build-Depend on default-libmysqlclient-dev instead of libmysqlclient-dev. (Closes: #845852)
   * Add /bin/sh shebangs on maintainer scripts. (Closes: #843281)
   * Remove update-alternatives --remove from postrm, already included in prerm (and also causes a lintian warning).
   * Remove David Martínez Moreno from the Uploaders, at the request of the MIA team. (Closes: #843439)
   * Fix FTBFS with GCC 6, by backporting an upstream fix. (Closes: #812023)
   * Pass -fno-PIE/-no-pie to gcc to prevent a linking error with GCC 6's new configuration (--enable-default-pie) in combination with HHVM's hand-crafted assembly (translator-asm-helpers.S).
   * Build-Depend on libssl1.0-dev, as HHVM is not ready for OpenSSL 1.1.0 yet. (Closes: #828340)
   * Remove Build-Depends on libc-client2007e-dev and thus disable the IMAP extension. libc-client2007e-dev depends on libssl-dev 1.1.0, which conflicts with libssl1.0-dev and is thus impossible to satisfy.
   * Disable Folly's Fibers, as the current version is incompatible with Boost 1.61 and thus FTBFS. The incompatibility has been fixed upstream but is too intrusive to backport, thus disable the functionality entirely. (Closes: #839303)
   * Temporarily disable the mcrouter extension as it requires Folly Fibers, that were disabled in this version (see above).
   * Backport an upstream fix to address an ICU Collation sort key incompatibility with PHP.
   * Backport an upstream fix to address a segfault when bzip2 and XMLReader are being used together.
   * Backport an upstream fix to address inconsistent regexp results when running with a newer PCRE version (8.38 instead of 8.32).
   * Disable test pcre_limit.php which now fails for unknown reasons; upstream seemingly has disabled the test as well for a while with no ill effects.
   * Add a Documentation line to the systemd service file.
   * Bump Standards-Version to 3.9.8, no changes needed.

hhvm (3.12.1+dfsg-1) unstable; urgency=medium
 .
   [ Faidon Liambotis ]
   * New upstream minor release, multiple security fixes:
     - XSLTProcessor NULL Pointer dereference (PHP bug #69782, CVE-2015-6838)
     - HAVAL gives wrong hashes in specific cases (PHP bug #70312)
     - ZipArchive::extractTo allows for directory traversal when creating directories (PHP bug #70350)
     - Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes (PHP bug #70385)
     - php_url_parse_ex() buffer overflow read (PHP bug #70480)
     - Make FileUitls::Canonicalize return the empty string if it encounters a path with a null byte (CVE-2016-1552)
     - Disallow null bytes in more path-type arguments (CVE-2016-1552)
     - Explicitly check for null bytes in more cases (CVE-2016-1552)
     - Run __wakeup() on unserialized objects at end of unserialization in iptcembed
     - Fix heap overflow(s) in iptcembed
   * Backport upstream fix for isnan/isinf that should fix an FTBFS with glibc 2.23 (currently in experimental). (Closes: #818831)
 .
   [ Giuseppe Lavagetto ]
   * Trivial fix to the upstart script.

hhvm (3.12.0+dfsg-1) unstable; urgency=medium
 .
   * New upstream release.
   * Refresh all debian/patches; drop:
     - typos: merged upstream
     - pass-DNDEBUG-to-RelWithDebInfo: merged upstream
     - fix-makeparser-bison3: merged upstream
     - reproducible-sort: merged upstream
   * Updated patch output-buffer-fix-flush with the latest from D51855.
   * Add patch revert-unbreak-cjson that reverts a couple of upstream commits new in 3.12 that broke builds with libjson-c (and without the embedded JSON parser).
   * Minor adjustment to the reproducible-hack-hhi patch, to make the build umask-agnostic as well.
   * Update Standards-Version to 3.9.7.

hhvm (3.11.1+dfsg-1) unstable; urgency=medium
 .
   * New minor upstream release.
   * Build-depend on libpng-dev instead of libpng12-dev for the upcoming libpng transition. (Closes: #809873)
   * More reproducible fixes:
     - Create Hack's HHI tarball in a reproducible way.
     - Statically set HHVM_REPO_SCHEMA from debian/rules.
     - Pass LC_ALL=C to sort as called by proxygen's header generation script.
   * Add patch output-buffer-fix-flush, copied straight from upstream's GitHub, to large output streaming.
   * Update Vcs-Git and Vcs-Browser URLs for HTTPS and cgit.

hhvm (3.11.0+dfsg-1) unstable; urgency=medium
 .
   [ Faidon Liambotis ]
   * New upstream release.
   * Build with stock gcc again; folly's gcc 5.0 issues have been fixed.
   * Refresh all debian/patches; drop:
     - support-more-sql-stats: merged upstream
     - ezc-fix-z-type-in-zend_parse_parameters: was a backport
     - use_system_TZinfo: merged upstream
     - fix_freetype_include: unused/unneeded
     - hack_license.patch: obsolete
     - license_folly.patch: superfluous
   * Drop our own debian/-shipped manpages, as these have been merged into the upstream tree instead and enhanced since.
   * Add Build-depends on gawk, gperf, libboost-context-dev, libre2-dev, libgmp-dev.
   * Build-depend on libjpeg-dev instead of libjpeg62-dev. (Closes: #796932)
   * Build-depend on libvpx-dev to enable WebP support for gd.
   * Drop libiconv-hook-dev dependency and associated patch, libc6's iconv.h should be enough for HHVM and it doesn't appear like upstream's intention was ever to link against libiconv-hook.
   * Disable asynchronous MySQL support; it depends on the webscalesql fork of libmysqlclient-dev which is not packaged separately in Debian. Upstream bundles it under their third-party repository but it has been stripped from this packaging as the full forked MySQL 5.6 source is too big to be embedded into this package.
   * Drop patch enable_relro_hack, that enabled hardening (relro) for hh_client/hh_server. Current recommendation by the OCaml team is to not attempt to do any hardening until the OCaml runtime itself gets fixed first (#702349).
   * Add patch fix_stats_error to fix a MySQL statistics collection error.
   * Add patch fix-makeparser-bison3 to fix a make-parser.sh incompatibility when run with Bison3.
   * Set HOME to debian/build when running the tests so that HHVM can write the HHBC even when $HOME does not exist, or to not leave garbage behind when it exists.
   * Switch our Provides: hhvm-api-$version to the major/minor HHVM released, based on upstream's recommendation of using HHVM_VERSION_BRANCH.
   * Remove sources of build variance to hopefully make the build reproducible:
     - Pass $COMPILER_ID to the compilation process, based on the package's version from debian/changelog.
     - Add patch reproducible-sort to pass LC_ALL=C to sort.
     - Add patch reproducible-hack-builddate to remove __DATE__/__TIME__ embedding from the Hack source code.
     - Add patch reproducible-hack-compilerid to force hack into using $COMPILER_ID instead of always using "git rev-parse".
   * Update debian/copyright with copyright information for files new in this version (mainly libraries shipped under third-party/).
   * Switch HHBC location path to /var/cache/hhvm, instead of /var/run/hhvm, since it can get large, there is little benefit from having it in memory and it can persist across reboots.
   * Switch default source root to /var/www/html.
   * Switch logging to syslog instead of custom, non-logrotated path in /var/log.
   * Ship /usr/bin/hh_format, the Hack formatter.
   * Ship hhvm-gdb and hhvm-leak-isolator in the hhvm-dbg package. This adds a Depends: python to the -dbg package, which is probably okay given hhvm-dbg's relative size to python, as well as its niche usage.
   * Recommend gdb from hhvm-dbg, as the symbols aren't very useful without gdb, and hhvm-gdb is a shell script that calls gdb.
   * Cleanup and update /etc/default/hhvm.
   * Update debian/watch.
 .
   [ Giuseppe Lavagetto ]
   * Move the init script to using /lib/init/init-d-script.
   * Add upstart and systemd service files.

hhvm (3.2.0+dfsg1-2) unstable; urgency=medium
 .
   [ Faidon Liambotis ]
   * Fix the build system to be able to build a release build but with debugging symbols (which we subsequently strip into hhvm-dbg), and pass -DCMAKE_BUILD_TYPE=RelWithDebInfo to configure.
 .
   [ David Martínez Moreno ]
   * Remove the chmod 750 on /var/log/hhvm as it's really an error on the HHVM packaging.
   * debian/patches:
     - disable_quicklz_code: Disable the qlz* primitives, as they are GPL-licensed code linked to PHP-licensed one.
     - static_linking_against_libbfd: Static linking against libbfd per binutils-dev, backported from HEAD.
     - add_additional_includes_imagemagick: New ImageMagick broke the build, so add the arch includes to the build.
     - replace_obsolete_lz4_uncompress: In lz4 r122 or beyond, LZ4_uncompress() has been removed after being deprecated.
   * debian/copyright: Fixed some mistakes discovered with latest lintian.
   * debian/control: Bumped Standards-Version to 3.9.6 (no changes)
   * Added an additional override for lintian on PHP license, with comment.
   * Added a manpage for hphpize.
 .

hhvm (3.2.0+dfsg1-1) unstable; urgency=low
 .
   [ David Martínez Moreno ]
   * Initial release. Lots of thanks to Faidon Liambotis, without whom this would have been way worse than it was. This has been a many-month effort and he was pushing all over the place. Also I'm extending my thanks to my coworker at Facebook Paul Tarjan to make me not forget about HHVM. I can't believe it's done! (closes: #727085).
   * Prepared a new 3.2.0 release without libzip, lz4 and such, and update TODO. There's a script in debian/repack to make new tarballs from the upstream ones.
   * Added debian/repack to create DFSG-compliant tarballs.
   * Added debian/README.source to cover the above procedure.
   * debian/rules: Build the package with -Wl,--as-needed to remove a couple of bogus dependencies.
   * debian/patches:
     - fix_freetype_include: Bad include in libgd.
     - use_system_libzip: Use the system's libzip.
     - typos: Lots of typos, most of them detected by lintian.
       Added the false positives to a lintian override file.
     - use_system_libsqlite: Use the system's libsqlite3.
     - fix_hphp_lexer: Add a missing semicolon in the HPHP lexer, already merged upstream.
     - link_libiconv_hook: The iconv library in Debian is called libiconv_hook, so change the CMake detection script to account for that.
     - fix_ldflags: Fix LDFLAGS injection of hardening flags.
   * Copied from upstream git debian/hhvm.1.ronn and converted for now to troff, and imported manually too hh_client/hh_server into debian/.
   * debian/postinst: Make HHVM an alternative with score 40 for php.
 .
   [ Faidon Liambotis ]
   * debian/patches:
     - use_system_lz4: Use the system's liblz4.
     - use_system_double-conversion: Use the system's double-conversion library and remove the one in third-party.
     - public_headers_system: add header files from hphp/system/ too as at least systemlib.h is needed to build an extension.

libsimpleini (4.17+dfsg-4) unstable; urgency=medium
 .
   * Reconfirm symbols using buildd logs.
   * d/control: Bump Standards-Version to 4.1.4 (no changes needed).
   * d/rules: Use "dh_missing --fail-missing".

libtext-template-perl (1.53-1) unstable; urgency=medium
 .
   * Import upstream version 1.53
   * Add build-dependency on Test::More::UTF8
   * Update copyright years

nodejs (8.11.2~dfsg-1) unstable; urgency=medium
 .
   * New upstream version 8.11.2~dfsg
   * Upstream openssl 1.1.1 wip patches (Closes: #898805)
     Also make sure tests still run with openssl 1.1.0

qtwebengine-opensource-src (5.10.1+dfsg-4) unstable; urgency=medium
 .
   * Backport two upstream patches to fix build with system ICU 60:
     - icu60-no-aspirational-scripts.patch to disallow aspirational scripts.
     - icu60-uchar.patch to fix build when UChar is signed char16_t.
   * Backport upstream patch to fix QtWebEngineProcess resources loading (separate-argv.patch, see upstream QTBUG-66346).
   * Update Vcs fields for migration to salsa.debian.org.
   * Update symbols files from buildds’ logs.
   * Bump Standards-Version to 4.1.4, no changes needed.

r-cran-distory (1.4.3-2) unstable; urgency=medium
 .
   * Testsuite: autopkgtest-pkg-r
   * Standards-Version: 4.1.4
   * debhelper 11
   * Maintainer: Debian R Packages Maintainers
   * Point Vcs fields to salsa.debian.org
   * dh-update-R to update Build-Depends
   * Secure URI in watch file

r-cran-seqinr (3.4-5-2) unstable; urgency=medium
 .
   * Testsuite: autopkgtest-pkg-r
   * Standards-Version: 4.1.4
   * debhelper 11
   * Maintainer: Debian R Packages Maintainers
   * Point Vcs fields to salsa.debian.org
   * dh-update-R to update Build-Depends
   * Secure URI in watch file
   * do not parse d/changelog

tracker-miners (2.0.4-2) unstable; urgency=medium
 .
   * Disable enca, libiptcdata, and libosinfo on Ubuntu since they are in 'universe'
   * Bump Standards-Version to 4.1.4

webkit2gtk (2.20.2-1) unstable; urgency=high
 .
   * New upstream release.
     + This fixes CVE-2018-4200.
   * debian/patches/fix-atomics-build.patch:
     + Set THREADS_PREFER_PTHREAD_FLAG to ON. This fixes the build in riscv64 (thanks, Aurelien Jarno).
   * debian/libwebkit2gtk-4.0-doc.install, debian/rules:
     + Update path of installed documentation (see WebKit #184771).

wesnoth-1.14 (1:1.14.0-1) unstable; urgency=low
 .
   [ Vincent Cheng ]
   * Fix FTCBFS: Let dh_auto_configure pass cross compilers. (Closes: #853101)
 .
   [ Rhonda D'Vine ]
   * New upstream stable release.
   * Call debian/branchcheck and remove 1.13 files.
   * Re-add unversioned meta packages.
   * Remove -dbg package.
   * Update desktop file patch for the editor.
   * Add build dependency on libssl-dev.
   * Update icons location in install file.
   * Update cmake variable definitions.
   * Change for renamed changelog.md.
   * Update Vcs-* URLs for salsa migration.
   * Build-Depend on debhelper >= 9.20160709 instead of obsolete dh-systemd.
   * Add lintian override for .in files.
   * Add fonts-droid-fallback, fonts-lato and fonts-adf-oldania to data package Depends to de-duplicate font files in the archive.

REMOVED: simpleparse 2.2.0-1
REMOVED: cutesdr 1.13.42-2
REMOVED: tofu 0.5-6
REMOVED: ruby-notifier 0.5.1-2
REMOVED: drmaa 0.5-1
REMOVED: strongwind 0.9-2
REMOVED: enzyme 0.4.1-1
REMOVED: python-django-casclient 1.2.0-2
REMOVED: libavg 1.8.2-1
REMOVED: mixxx 2.0.0~dfsg-9
REMOVED: python-quantities 0.10.1-1
REMOVED: keras 2.1.5-2
REMOVED: python-rebulk 0.9.0-1
REMOVED: pysurfer 0.7-2
REMOVED: pylint-flask 0.5-2
REMOVED: napalm-ios 0.8.1-1
REMOVED: sphinxcontrib-rubydomain 0.1~dev-20100804-1
REMOVED: vala-terminal 1.3-6
REMOVED: python-mplexporter 0.0.1+20140921-2
REMOVED: napalm-fortios 0.4.0-1
REMOVED: tau 2.17.3.1.dfsg-4.2
REMOVED: linop 0.8.2-3
REMOVED: aplpy 1.1.1-1
REMOVED: cigi-ccl 3.3.3a+svn818-10
REMOVED: python-formalchemy 1.4.2-1
REMOVED: woo 1.0+dfsg1-2
REMOVED: python-flask-rdf 0.2.0-1.1
REMOVED: python-srp 1.0.4-1.1
REMOVED: python-bayespy 0.5.12-1
REMOVED: python-ltfatpy 1.0.12-1
REMOVED: python-wxmpl 2.0.0-2.1
REMOVED: python-cluster 1.3.3-1
REMOVED: pychef 0.2.3-3
REMOVED: v-sim 3.7.2-5
REMOVED: napalm-iosxr 0.5.6-1