From modelnine at modelnine.org Fri Aug 23 16:28:00 2019
From: modelnine at modelnine.org (Heiko Wundram)
Date: Fri, 23 Aug 2019 17:28:00 +0200
Subject: [Pkg-sssd-devel] Bug#935528: sssd: Using sssd together with winbind causes authentication DoS
Message-ID: <156657408015.51260.15221437610061516006.reportbug@debdev.id.gehrkens.it>

Source: sssd
Severity: important
Tags: patch upstream

Dear Maintainer,

using sssd together with winbind when both services target different
authentication sources (e.g. sssd for LDAP, winbind for AD-domain) leads
to an authentication/NSS DoS due to incorrect recursive NSS calls of sssd
for users unknown to both authentication providers.

Upstream has patched the corresponding issues in #3963 and #3964, with
backports for 1.16.x attached to the issues (and prepared for inclusion
in the Debian patch framework attached to this report).

Please consider including the corresponding patches in the Debian
distribution of sssd.

-- System Information:
Debian Release: 10.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patches.tar
Type: application/x-tar
Size: 122880 bytes
Desc: not available
URL:

From doko at debian.org Fri Aug 30 08:30:01 2019
From: doko at debian.org (Matthias Klose)
Date: Fri, 30 Aug 2019 07:30:01 +0000
Subject: [Pkg-sssd-devel] Bug#937235: pam-wrapper: Python2 removal in sid/bullseye
Message-ID:

Package: src:pam-wrapper
Version: 1.0.7-1
Severity: normal
Tags: sid bullseye
User: debian-python at lists.debian.org
Usertags: py2removal

Python2 becomes end-of-life upstream, and Debian aims to remove
Python2 from the distribution, as discussed in
https://lists.debian.org/debian-python/2019/07/msg00080.html

Your package either build-depends, depends on Python2, or uses Python2
in the autopkg tests. Please stop using Python2, and fix this issue
by one of the following actions.

- Convert your Package to Python3. This is the preferred option. In
  case you are providing a Python module foo, please consider dropping
  the python-foo package, and only build a python3-foo package. Please
  don't drop Python2 modules, which still have reverse dependencies,
  just document them.
  This is the preferred option.

- If the package is dead upstream, cannot be converted or maintained
  in Debian, it should be removed from the distribution. If the
  package still has reverse dependencies, raise the severity to
  "serious" and document the reverse dependencies with the BTS affects
  command. If the package has no reverse dependencies, confirm that
  the package can be removed, reassign this issue to ftp.debian.org,
  make sure that the bug priority is set to normal and retitle the
  issue to "RM: PKG -- removal triggered by the Python2 removal".

- If the package has still many users (popcon >= 300), or is needed to
  build another package which cannot be removed, document that by
  adding the "py2keep" user tag (not replacing the py2remove tag),
  using the debian-python at lists.debian.org user. Also any
  dependencies on an unversioned python package (python, python-dev)
  must not be used, same with the python shebang. These have to be
  replaced by python2/python2.7 dependencies and shebang.
  This is the least preferred option.

If the conversion or removal needs action on another package first,
please document the blocking by using the BTS affects command, like

  affects + src:pam-wrapper

If there is no py2removal bug for that reverse-dependency, please file
a bug on this package (similar to this bug report).

If there are questions, please refer to the wiki page for the removal:
https://wiki.debian.org/Python/2Removal, or ask for help on IRC
#debian-python, or the debian-python at lists.debian.org mailing list.

From doko at debian.org Fri Aug 30 08:54:02 2019
From: doko at debian.org (Matthias Klose)
Date: Fri, 30 Aug 2019 07:54:02 +0000
Subject: [Pkg-sssd-devel] Bug#938566: sssd: Python2 removal in sid/bullseye
Message-ID:

Package: src:sssd
Version: 2.2.0-4
Severity: normal
Tags: sid bullseye
User: debian-python at lists.debian.org
Usertags: py2removal

Python2 becomes end-of-life upstream, and Debian aims to remove
Python2 from the distribution, as discussed in
https://lists.debian.org/debian-python/2019/07/msg00080.html

Your package either build-depends, depends on Python2, or uses Python2
in the autopkg tests. Please stop using Python2, and fix this issue
by one of the following actions.

- Convert your Package to Python3. This is the preferred option. In
  case you are providing a Python module foo, please consider dropping
  the python-foo package, and only build a python3-foo package. Please
  don't drop Python2 modules, which still have reverse dependencies,
  just document them.
  This is the preferred option.

- If the package is dead upstream, cannot be converted or maintained
  in Debian, it should be removed from the distribution. If the
  package still has reverse dependencies, raise the severity to
  "serious" and document the reverse dependencies with the BTS affects
  command. If the package has no reverse dependencies, confirm that
  the package can be removed, reassign this issue to ftp.debian.org,
  make sure that the bug priority is set to normal and retitle the
  issue to "RM: PKG -- removal triggered by the Python2 removal".

- If the package has still many users (popcon >= 300), or is needed to
  build another package which cannot be removed, document that by
  adding the "py2keep" user tag (not replacing the py2remove tag),
  using the debian-python at lists.debian.org user. Also any
  dependencies on an unversioned python package (python, python-dev)
  must not be used, same with the python shebang. These have to be
  replaced by python2/python2.7 dependencies and shebang.
  This is the least preferred option.

If the conversion or removal needs action on another package first,
please document the blocking by using the BTS affects command, like

  affects + src:sssd

If there is no py2removal bug for that reverse-dependency, please file
a bug on this package (similar to this bug report).

If there are questions, please refer to the wiki page for the removal:
https://wiki.debian.org/Python/2Removal, or ask for help on IRC
#debian-python, or the debian-python at lists.debian.org mailing list.