golang-github-onsi-ginkgo-v2 (2.28.1-1) unstable; urgency=medium
.
  * Team upload.
  * New upstream version 2.28.1
    - Update versioned Build-Depends on golang-github-google-pprof-dev
    - Refresh patches
    - New patch: Ignore missing ArtifactDir.
      Upstream has not included the new testing function ArtifactDir, so
      the test fails. For now, we just ignore this function.
      (Closes: #1129187)

heaptrack (1.5.0+dfsg1+git20260219.f16e8d3-2) unstable; urgency=medium
.
  * Team upload.
  * debian/patches/0002-Disable-tst_heaptrack_interpret.patch: Add patch to
    disable tst_heaptrack_interpret to fix ftbfs on 32-bit environments.
    This test is 64-bit only.

heaptrack (1.5.0+dfsg1+git20260219.f16e8d3-1) unstable; urgency=medium
.
  * Team upload.
  * New upstream git trunk snapshot.
    + Fix compatibility with boost1.89 and later. (really closes: #1127209)
  * debian/control: Use correct homepage field info.
  * debian/control: Drop Rules-Requires-Root: no.
  * debian/control: Replace build-dep with kf6 and qt6. (Closes: #1121567)
    + Correctly build with kchart. (LP: #2122578)
  * debian/patches/:
    - 10_update_cmake_version.patch: Dropped, now useless.
    - 30_cmake-Fix-C-compatibility-of-libunwind-probes.patch: Dropped, merged.
  * debian/patches/20_disable_some_unreliable_tests.patch: Refreshed.
  * debian/source/lintian-overrides: Override lintian false positives on
    upstream-provided test artifacts.

imagemagick (8:7.1.2.15+dfsg1-1) unstable; urgency=high
.
  * New upstream release.
  * Fix a double free in SVG
  * Fix unreproducible doxygen documentation
  * Fix CVE-2026-24481: A heap information disclosure vulnerability exists
    in ImageMagick's PSD (Adobe Photoshop) format handler. When processing
    a maliciously crafted PSD file containing ZIP-compressed layer data
    that decompresses to less than the expected size, uninitialized heap
    memory is leaked into the output image.
  * Fix CVE-2026-24484: Magick fails to check for multi-layer nested mvg
    conversions to svg, leading to DoS.
  * Fix CVE-2026-24485: When a PCD file does not contain a valid Sync
    marker, the DecodeImage() function becomes trapped in an infinite loop
    while searching for the Sync marker, causing the program to become
    unresponsive and continuously consume CPU resources, ultimately leading
    to system resource exhaustion and Denial of Service (DoS).
  * Fix CVE-2026-25576: A heap buffer over-read vulnerability exists in
    multiple raw image format handlers. The vulnerability occurs when
    processing images with -extract dimensions larger than -size
    dimensions, causing out-of-bounds memory reads from a heap-allocated
    buffer.
  * Fix CVE-2026-25637: A memory leak in the ASHLAR image writer allows an
    attacker to exhaust process memory by providing a crafted image that
    results in small objects that are allocated but never freed.
  * Fix CVE-2026-25638: A memory leak exists in `coders/msl.c`. In the
    `WriteMSLImage` function of the `msl.c` file, resources are allocated,
    but the function returns early without releasing these allocated
    resources.
  * Fix CVE-2026-25794: `WriteUHDRImage` in `coders/uhdr.c` uses `int`
    arithmetic to compute the pixel buffer size. Prior to version 7.1.2-15,
    when image dimensions are large, the multiplication overflows 32-bit
    `int`, causing an undersized heap allocation followed by an
    out-of-bounds write.
  * Fix CVE-2026-25795: In `ReadSFWImage()` (`coders/sfw.c`), when
    temporary file creation fails, `read_info` is destroyed before its
    `filename` member is accessed, causing a NULL pointer dereference and
    crash.
  * Fix CVE-2026-25796: In `ReadSTEGANOImage()` (`coders/stegano.c`), the
    `watermark` Image object is not freed on three early-return paths,
    resulting in a definite memory leak (~13.5KB+ per invocation) that can
    be exploited for denial of service.
  * Fix CVE-2026-25797: The ps coders, responsible for writing PostScript
    files, fail to sanitize the input before writing it into the
    PostScript header.
    An attacker can provide a malicious file and inject arbitrary
    PostScript code. When the resulting file is processed by a printer or a
    viewer (like Ghostscript), the injected code is interpreted and
    executed. The html encoder does not properly escape strings that are
    written to the html document. An attacker can provide a malicious file
    and inject arbitrary html code.
  * Fix CVE-2026-25798: A NULL pointer dereference in
    ClonePixelCacheRepository allows a remote attacker to crash any
    application linked against ImageMagick by supplying a crafted image
    file, resulting in denial of service.
  * Fix CVE-2026-25799: A logic error in YUV sampling factor validation
    allows an invalid sampling factor to bypass checks and trigger a
    division-by-zero during image loading, resulting in a reliable
    denial-of-service.
  * Fix CVE-2026-25897: An Integer Overflow vulnerability exists in the sun
    decoder. On 32-bit systems/builds, a carefully crafted image can lead
    to an out of bounds heap write.
  * Fix CVE-2026-25898: The UIL and XPM image encoders do not validate the
    pixel index value returned by `GetPixelIndex()` before using it as an
    array subscript. In HDRI builds, `Quantum` is a floating-point type, so
    pixel index values can be negative. An attacker can craft an image with
    negative pixel index values to trigger a global buffer overflow read
    during conversion, leading to information disclosure or a process
    crash.
  * Fix CVE-2026-25965: ImageMagick’s path security policy is enforced on
    the raw filename string before the filesystem resolves it. As a result,
    a policy rule such as /etc/* can be bypassed by a path traversal. The
    OS resolves the traversal and opens the sensitive file, but the policy
    matcher only sees the unnormalized path and therefore allows the read.
    This enables local file disclosure (LFI) even when policy-secure.xml is
    applied.
  * Fix CVE-2026-25966: The shipped "secure" security policy includes a
    rule intended to prevent reading/writing from standard streams.
    However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0,
    fd:1). This path form is not blocked by the secure policy templates,
    and therefore bypasses the protection goal of "no stdin/stdout."
  * Fix CVE-2026-25967: A stack-based buffer overflow exists in the
    ImageMagick FTXT image reader. A crafted FTXT file can cause
    out-of-bounds writes on the stack, leading to a crash.
  * Fix CVE-2026-25968: A stack buffer overflow occurs when processing the
    an attribute in msl.c. A long value overflows a fixed-size stack
    buffer, leading to memory corruption.
  * Fix CVE-2026-25969: A memory leak exists in `coders/ashlar.c`. The
    `WriteASHLARImage` allocates a structure. However, when an exception is
    thrown, the allocated memory is not properly released, resulting in a
    potential memory leak.
  * Fix CVE-2026-25970: A signed integer overflow vulnerability in
    ImageMagick's SIXEL decoder allows an attacker to trigger memory
    corruption and denial of service when processing a maliciously crafted
    SIXEL image file. The vulnerability occurs during buffer reallocation
    operations where pointer arithmetic using signed 32-bit integers
    overflows.
  * Fix CVE-2026-25971: Magick fails to check for circular references
    between two MSLs, leading to a stack overflow.
  * Fix CVE-2026-25982: A heap out-of-bounds read vulnerability exists in
    the `coders/dcm.c` module. When processing DICOM files with a specific
    configuration, the decoder loop incorrectly reads bytes per iteration.
    This causes the function to read past the end of the allocated buffer,
    potentially leading to a Denial of Service or Information Disclosure.
  * Fix CVE-2026-25983: A crafted MSL script triggers a
    heap-use-after-free. The operation element handler replaces and frees
    the image while the parser continues reading from it, leading to a UAF
    in ReadBlobString during further parsing.
  * Fix CVE-2026-25985: A crafted SVG file containing a malicious element
    causes ImageMagick to attempt to allocate ~674 GB of memory, leading to
    an out-of-memory abort.
  * Fix CVE-2026-25986: A heap buffer overflow write vulnerability exists
    in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2
    (NoInterlace) images. The pixel-pair loop writes one pixel beyond the
    allocated row buffer.
  * Fix CVE-2026-25987: A heap buffer over-read vulnerability exists in the
    MAP image decoder when processing crafted MAP files, potentially
    leading to crashes or unintended memory disclosure during image
    decoding.
  * Fix CVE-2026-25988: Sometimes msl.c fails to update the stack index, so
    an image is stored in the wrong slot and never freed on error, causing
    leaks.
  * Fix CVE-2026-25989: A crafted SVG file can cause a denial of service.
    An off-by-one boundary check (`>` instead of `>=`) allows bypassing the
    guard and reaching an undefined `(size_t)` cast.
  * Fix CVE-2026-26066: A crafted profile containing invalid IPTC data may
    cause an infinite loop when writing it with `IPTCTEXT`.
  * Fix CVE-2026-26283: A `continue` statement in the JPEG extent binary
    search loop in the jpeg encoder causes an infinite loop when writing
    persistently fails.
  * Fix CVE-2026-26284: ImageMagick lacks proper boundary checking when
    processing Huffman-coded data from PCD (Photo CD) files. The decoder
    contains a function that has an incorrect initialization that could
    cause an out of bounds read.
  * Fix CVE-2026-26983: The MSL interpreter crashes when processing an
    invalid `` element that causes it to use an image after it has been
    freed.
  * Fix CVE-2026-27798: A heap buffer over-read vulnerability occurs when
    processing an image with small dimension using the `-wavelet-denoise`
    operator.
  * Fix CVE-2026-27799: A heap buffer over-read vulnerability exists in the
    DJVU image format handler. The vulnerability occurs due to integer
    truncation when calculating the stride (row size) for pixel buffer
    allocation.
    The stride calculation overflows a 32-bit signed integer, resulting in
    out-of-bounds memory reads.

python-qtconsole (5.7.1-3) unstable; urgency=medium
.
  * Team upload.
  * jupyter-qtconsole Depends: python3-pyqt6, python3-pyqt6.qtsvg
    Still works with pyqt5 (see qtpy env var QT_API), but set pyqt6 as
    default. Qt6 also better supports Wayland.
  * debian/tests Depends: python3-pytest-asyncio
    in pyqt5 and pyqt6 tests as well, not just pyside6

python-qtconsole (5.7.1-2) unstable; urgency=medium
.
  * Team upload.
  * debian/tests Depends: python3-pytest-asyncio
    Needed by test_inprocess_kernel.py

python-qtconsole (5.7.1-1) unstable; urgency=medium
.
  * Team upload.
  * New upstream release
  * update debian/watch to v5 PyPI pattern
  * update debian/tests
    - set QT_QPA_PLATFORM=offscreen to prevent display of test widgets
    - skip test_other_output (TestJupyterWidget.py), which is flaky with
      varying output generated
    - run test_inprocess_kernel.py with pytest not unittest
  * Standards-Version: 4.7.3

ruby-serverspec (2.43.0-1) unstable; urgency=medium
.
  * Team upload.
.
  [ HIGUCHI Daisuke (VDR dai) ]
  * step down as an uploader for personal reasons.
.
  [ Lucas Nussbaum ]
  * d/salsa-ci.yml: remove custom variables as pipeline succeeds without
    them
  * debian/gbp.conf: Add for DEP-14
  * debian/.gitattributes: remove
  * debian/salsa-ci.yml: use team-specific include
.
  [ Simon Quigley ]
  * Upgrade the watch file to version 5.
  * New upstream release.
  * Update Standards-Version to 4.7.3.
  * Drop Rules-Requires-Root field, it is now redundant.
  * Rely on ${ruby:Depends} for runtime dependencies.
  * De-duplicate test invocation in the autopkgtest environment.