Bug 57340 - libreoffice: Multiple issues (4.4)
libreoffice: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
: P3 normal (vote)
: UCS 4.4-9-errata
Assigned To: Quality Assurance
Iván.Delgado
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2024-05-27 08:05 CEST by Quality Assurance
Modified: 2024-05-29 12:32 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 7.3 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2024-05-27 08:05:44 CEST
New Debian libreoffice 1:6.1.5-3~deb9u3 fixes:
This update addresses the following issue:
1:6.1.5-3~deb9u3 (Sat, 25 May 2024 19:33:00 +0000)
* Team upload by ELTS security team.
* Fix CVE-2024-3044: Unchecked script execution in Graphic on-click binding  in affected LibreOffice versions allowed an attacker to create a document  which without prompt will execute scripts built-into LibreOffice on  clicking a graphic. Such scripts were previously deemed trusted but are now  deemed untrusted.
Comment 1 Quality Assurance univentionstaff 2024-05-27 09:01:00 CEST
--- mirror/ftp/4.4/unmaintained/4.4-2/source/libreoffice_5.2.7-1+deb9u11.dsc
+++ apt/ucs_4.4-0-errata4.4-9/source/libreoffice_6.1.5-3~deb9u3.dsc
@@ -1,4 +1,183 @@
-1:5.2.7-1+deb9u11 [Fri, 06 Sep 2019 11:53:15 +0200] Rene Engelhard <rene@debian.org>:
+1:6.1.5-3~deb9u3 [Sat, 25 May 2024 19:33:00 +0000] Bastien Roucariès <rouca@debian.org>:
+
+  * Team upload by ELTS security team.
+  * Fix CVE-2024-3044: Unchecked script execution in
+    Graphic on-click binding in affected LibreOffice
+    versions allowed an attacker to create a document
+    which without prompt will execute scripts built-into
+    LibreOffice on clicking a graphic.
+    Such scripts were previously deemed trusted
+    but are now deemed untrusted.
+
+1:6.1.5-3~deb9u2 [Thu, 28 Dec 2023 09:25:58 +0000] Bastien Roucariès <rouca@debian.org>:
+
+  * Upload by ELTS security team.
+  * Fix CVE-2023-6185: An Improper Input Validation vulnerability
+    was found in GStreamer integration of The Document
+    Foundation LibreOffice allows an attacker to execute arbitrary
+    GStreamer plugins. In affected versions the filename of the
+    embedded video is not sufficiently escaped when passed to
+    GStreamer enabling an attacker to run arbitrary
+    gstreamer plugins depending on what plugins are installed
+    on the target system.
+  * Fix CVE-2023-6186: LibreOffice supports hyperlinks.
+    In addition to the typical common protocols such as
+    http/https hyperlinks can also have target URLs that
+    can launch built-in macros or dispatch built-in
+    internal commands. In affected version of LibreOffice
+    there are scenarios where these can be executed without warning
+    if the user activates such hyperlinks. In later versions
+    the users's explicit macro execution permissions
+    for the document are now consulted if these non-typical
+    hyperlinks can be executed. The possibility to use these
+    variants of hyperlink targets for floating frames has been removed.
+  * Fix CVE-2020-12802: LibreOffice has a 'stealth mode' in which only
+    documents from locations deemed 'trusted' are allowed to
+    retrieve remote resources. This mode is not the default mode,
+    but can be enabled by users who want to disable LibreOffice's ability
+    to include remote resources within a document. A flaw existed
+    where remote graphic links loaded from docx documents were omitted
+    from this protection.
+  * Fix CVE-2020-12801: If LibreOffice has an encrypted document
+    open and crashes, that document is auto-saved encrypted.
+    On restart, LibreOffice offers to restore the document
+    and prompts for the password to decrypt it. If the recovery
+    is successful, and if the file format of the recovered document
+    was not LibreOffice's default ODF file format, then affected versions
+    of LibreOffice default that subsequent saves of the document
+    are unencrypted. This may lead to a user accidentally saving
+    a MSOffice file format document unencrypted while believing
+    it to be encrypted.
+  * Fix CVE-2020-12803: ODF documents can contain forms to be
+    filled out by the user. Similar to HTML forms, the contained
+    form data can be submitted to a URI, for example, to an external
+    web server. To create submittable forms, ODF implements the
+    XForms W3C standard, which allows data to be submitted without
+    the need for macros or other active scripting. LibreOffice allowed
+    forms to be submitted to any URI, including file: URIs, enabling
+    form submissions to overwrite local files. User-interaction
+    is required to submit the form, but to avoid the possibility
+    of malicious documents engineered to maximize the possibility of
+    inadvertent user submission this feature has now been limited to
+    http[s] URIs, removing the possibility to overwrite local files.
+
+1:6.1.5-3~deb9u1 [Fri, 08 Sep 2023 20:01:47 +0000] Bastien Roucariès <rouca@debian.org>:
+
+  [ Rene Engelhard ]
+  * Rebuild for stretch-backports.
+
+  * debian/patches/apparmor-{cleanups,mesa,opencl}.diff, debian/patches/series,
+    debian/rules: revert this and apparmor >= 2.13.1 recommends; stretch doesn't
+    have apparmor on per default but let's go sure
+  * debian/control.in, debian/patches/series, debian/libreoffice-base-drivers.NEWS,
+    debian/patches/use-mariadb-java-instead-of-mysql-java.diff: revert for
+    stretch-backports...
+  * debian/patches/disableClassPathURLCheck.diff: revert configure check for
+    stretch-backports
+  * tarballs/*, debian/source/include-binaries: include needed internal
+    stuff
+ 
+  [ Bastien Roucariès ]
+  * Upload to stretch as a backport
+  * Import patch for 1:6.1.5-3+deb10u10
+  * Use external xmlsec in order to avoid FTBFS
+
+1:6.1.5-3+deb10u10 [Sat, 12 Aug 2023 19:58:29 +0000] Bastien Roucariès <rouca@debian.org>:
+
+  * CVE-2023-2255: Improper access control in editor components of
+    LibreOffice allowed an attacker to craft
+    a document that would cause external links to be loaded without prompt.
+    In the affected versions of LibreOffice documents
+    that used "floating frames"
+    linked to external files, would load the contents of those frames
+    without prompting the user for permission to do so.
+    This was inconsistent with the treatment of other linked
+    content in LibreOffice.
+
+1:6.1.5-3+deb10u9 [Fri, 11 Aug 2023 19:09:29 +0000] Bastien Roucariès <rouca@debian.org>:
+
+  * Team upload by the LTS team
+  * CVE-2022-3874: Libreoffice may be configured to add an empty
+    entry to the Java class path.
+    This may lead to run arbitrary Java code from the
+    current directory.
+  * CVE-2023-0950: Improper Validation of Array Index vulnerability in the
+    spreadsheet component allows an attacker to craft a
+    spreadsheet document that will cause an array index
+    underflow when loaded. In the affected versions of LibreOffice
+    certain malformed spreadsheet formulas, such as AGGREGATE,
+    could be created with less parameters passed to the formula
+    interpreter than it expected, leading to an array index
+    underflow, in which case there is a risk that arbitrary
+    code could be executed.
+
+1:6.1.5-3+deb10u8 [Sat, 25 Mar 2023 10:55:37 +0000] Bastien Roucariès <rouca@debian.org>:
+
+  * Add salsa testsuite
+  * CVE-2022-26307: add Initialization Vectors to password storage.
+    LibreOffice supports the storage of passwords for web connections in
+    the user’s configuration database. The stored passwords are encrypted
+    with a single master key provided by the user. A flaw in LibreOffice
+    existed where master key was poorly encoded resulting in weakening its
+    entropy from 128 to 43 bits making the stored passwords vulerable to a
+    brute force attack if an attacker has access to the users stored
+    config.
+  * fix CVE-2022-26306: LibreOffice supports the storage of passwords for
+    web connections in the user’s configuration database. The stored
+    passwords are encrypted with a single master key provided by the
+    user. A flaw in LibreOffice existed where the required initialization
+    vector for encryption was always the same which weakens the security
+    of the encryption making them vulnerable if an attacker has access to
+    the user's configuration data
+  * CVE-2022-26305: compare authors using Thumbprint
+    An Improper Certificate Validation vulnerability in LibreOffice
+    existed where determining if a macro was signed by a trusted author
+    was done by only matching the serial number and issuer string of the
+    used certificate with that of a trusted certificate. This is not
+    sufficient to verify that the macro was actually signed with the
+    certificate. An adversary could therefore create an arbitrary
+    certificate with a serial number and an issuer string identical to a
+    trusted certificate which LibreOffice would present as belonging to
+    the trusted author, potentially leading to the user to execute
+    arbitrary code contained in macros improperly trusted.
+  * CVE-2021-25636: only use X509Data
+    LibreOffice supports digital signatures of ODF documents and macros
+    within documents, presenting visual aids that no alteration of the
+    document occurred since the last signing and that the signature is
+    valid. An Improper Certificate Validation vulnerability in LibreOffice
+    allowed an attacker to create a digitally signed ODF document, by
+    manipulating the documentsignatures.xml or macrosignatures.xml stream
+    within the document to contain both "X509Data" and "KeyValue" children
+    of the "KeyInfo" tag, which when opened caused LibreOffice to verify
+    using the "KeyValue" but to report verification with the unrelated
+    "X509Data" value.
+  * CVE-2022-3140: Insufficient validation of "vnd.libreoffice.command"
+    URI schemes. LibreOffice supports Office URI Schemes to enable browser
+    integration of LibreOffice with MS SharePoint server. An additional
+    scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In
+    the affected versions of LibreOffice links using that scheme could be
+    constructed to call internal macros with arbitrary arguments. Which
+    when clicked on, or activated by document events, could result in
+    arbitrary script execution without warning.
+    
+1:6.1.5-3+deb10u7 [Mon, 08 Mar 2021 13:13:24 +0100] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/fix-PYTHONPATH.diff: backport upstream fix to
+    not leave a bare trailing : in PYTHONPATH as it causes unconditional
+    loading of encodings.py from . (closes: #984703)
+
+1:6.1.5-3+deb10u6 [Sat, 01 Feb 2020 15:13:43 +0100] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/glm-0.9.9-ctor.diff: add from master, fix opengl slide
+    transitions with glm >= 0.9.9 (closes: #917927)
+
+1:6.1.5-3+deb10u5 [Thu, 31 Oct 2019 18:26:41 +0100] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/Postgresql-12-no-adsrc.diff: add from
+    libreoffice-6-3 branch; fix the postgresql driver with
+    PostgreSQL 12 (closes: #943873)
+
+1:6.1.5-3+deb10u4 [Fri, 06 Sep 2019 11:52:03 +0200] Rene Engelhard <rene@debian.org>:
 
   * debian/patches/expand-pyuno-path-separators.diff.
     debian/patches/construct-final-url-from-parsed-output.diff,
@@ -7,4 +186,1202 @@
     debian/patches/Improve-check.diff: add from
     libreoffice-6-3(-0,-1) branch - more fixes...
     (CVE-2019-9854/CVE-2019-9855)
-
+  * debian/patches/allow-link-updates-in-an-intermediate-linked-document.diff:
+    add from libreoffice-6-2 branch - fix regression from CVE-2018-6871
+
+1:6.1.5-3+deb10u3 [Tue, 06 Aug 2019 19:47:48 +0200] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/expand-LibreLogo-checks-to-global-events.diff,
+    debian/patches/decode-url-escape-codes-and-check-each-path-segment.diff:
+    debian/patches/keep-name-percent-encoded.diff
+    debian/patches/Properly-obtain-location.diff:
+    backport from libreoffice-6-3-0 branch - more fixes for CVE-2019-9848 and
+    CVE-2018-16858
+    (CVE-2019-9850/CVE-2019-9851/CVE-2019-9852/CVE-2019-9853)
+
+1:6.1.5-3+deb10u2 [Tue, 18 Jun 2019 20:36:04 +0200] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/More-uses-of-referer-URL-with-SvxBrushItem.diff:
+    add patch from libreoffice-6-2 branch to fix CVE-2019-9849
+
+1:6.1.5-3+deb10u1 [Sun, 09 Jun 2019 10:27:49 +0200] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/sanitize-LibreLogo-calls.diff,
+    debian/patches/explictly-exclude-LibreLogo-from-XScript-usage.diff:
+    add from git; fixing CVE-2019-9848 
+
+1:6.1.5-3 [Thu, 11 Apr 2019 22:39:53 +0200] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/jp-JP-Reiwa.diff: Introduce next Japanese gengou
+    era 'Reiwa', from libreoffice-6-1 branch
+
+1:6.1.5-2 [Wed, 03 Apr 2019 13:19:34 +0200] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/mention-java-common-package.diff: update message to
+    reflect current config dir...
+  * debian/patches/java.vendor-Debian.diff: make jvmfwk recognize "Debian"
+    as java.vendor as that's what is set in openjdk 11 >= 11.0.3+4-2
+    - see #926009 (closes: #926318)
+
+  * debian/control.gtk3.in:
+    - make libreoffice-gtk3 recommend gstreamer1.0-gtk3 (see LP: #1820062)
+  * debian/rules:
+    - remove i386 special-casing for openjdk-8 and -9 from old "stack clash
+      fix broken on i386" days preventing removal openjdk-8
+      (closes: #926281)
+
+1:6.1.5-1 [Sat, 02 Feb 2019 21:49:54 +0000] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release
+
+  * debian/patches/tdf123077.diff: add from libreoffice-6-1 branch
+    (closes: #920859)
+  * debian/control.in, debian/rules: recommend fonts-noto-{,ui}-core
+    instead of transitional fonts-noto-hinted (closes: #920960)
+
+1:6.1.5~rc1-2 [Thu, 24 Jan 2019 23:49:14 +0100] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/jdk-11.0.2-javadoc.diff: backport from master
+    (closes: #920331)
+
+1:6.1.5~rc1-1 [Wed, 16 Jan 2019 22:00:43 +0100] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+
+  [ Rene Engelhard ]
+  * debian/rules:
+    - add mesa-opencl-icd | beignet-opencl-icd as alternatives to
+      ocl-icd-libopencl1
+
+  [ Vincas Dargis ]
+  * debian/patches/apparmor-opencl.diff: Include OpenCL abstractions to fix
+    OpenCL usage in Calc
+
+1:6.1.4-4 [Sun, 13 Jan 2019 08:25:12 +0100] Rene Engelhard <rene@debian.org>:
+
+  * debian/control.in: bump recommends for apparmor to >= 2.13.1 and conflict
+    against apparmor (<< 2.13.1~) (closes: #918499)
+  * debian/control.in, debian/rules: make apparmor recommends/conflicts
+    dependant on ENABLE_APPARMOR_PROFILES=y
+  * debian/control.transitonals.in: add missing {misc:Depends} for -ogltrans
+  * debian/control.kde*.in: Replaces: libreoffice-kde (<< 1:6.1.0~alpha1-1)
+    (closes: #919103)
+
+1:6.1.4-3 [Mon, 31 Dec 2018 22:57:41 +0000] Rene Engelhard <rene@debian.org>:
+
+  * reupload will full control...
+
+1:6.1.4-2 [Sun, 30 Dec 2018 15:25:38 +0000] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/m68k-fix-parameter-type.patch: as name says,
+    thanks John Paul Adrian Glaubitz (closes: #917539)
+  * debian/patches/lo-xlate-lang-be.diff: belarussian -> belarusian
+    (closes: #917795)
+
+  * debian/tests/smoketest: fix
+  * debian/rules: fix libcmis version check (and mysqlcppconn build-dep)
+  * debian/rules, debian/control*in, debian/scripts/gid2pkgdirs.sh:
+    merge -ogltrans into -impress
+
+1:6.1.4-1 [Sat, 15 Dec 2018 14:02:18 +0000] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release
+    - show partial signatures even if cert validation fails
+      (CERT-Bund#2018100828000257)
+
+  * debian/patches/disableClassPathURLCheck.diff: add new upstream
+    configure check for this (from master)
+
+  * debian/patches/mdds-1.4.1.diff, debian/patches/orcus-0.14.diff,
+    debian/rules, debian/shlibs.override.orcus:
+    use mdds 1.4.x and orcus 0.14.x
+
+  * debian/rules, debian/control.firebird.in:
+    - enable Firebird on BE archs
+  * debian/rules:
+    - fix running the odk/build-examples* tests on _all builds
+    - disable gdrive stuff. chromium isn't in buster anymore and gdrive didn't
+      work with chromiums id/secret anyway) (closes: #909152)
+    - build-depend on libmysqlcppconn >= 1.1.9-4 if building with libcmis 0.5.2
+      (snapshots) since LO will pick up c++17 then and otherwise it'll break
+    - debian/tests/smoketest: skip test on big-endian architectures (see below)
+
+  * merge from Ubuntu:
+    [ Evangelos Foutras ]
+    - poppler-fix-build-0-70.patch: fix build failure with poppler >= 0.70
+    [ Olivier Tilloy ]
+    - debian/patches/poppler-dropped-gbool.patch: cherry-pick
+      upstream commit to fix build failure with poppler >= 0.71
+      (see https://gerrit.libreoffice.org/#/c/63625/)
+    (closes: #915726)
+    - debian/tests/smoketest: revert previous change and skip the test
+      altogether on s390x, where unit tests are intentionally not built
+
+1:6.1.3-2 [Sat, 24 Nov 2018 10:59:44 +0100] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/apparmor-mesa.diff: #include mesa abstraction
+    (closes: #905437)
+  * debian/patches/disableClassPathURLCheck.diff: add workaround to
+    fix build with openjdks with S8195874 included - add
+    -Djdk.net.URLClassPath.disableClassPathURLCheck=true to JAVAIFLAGS;
+    see https://gerrit.libreoffice.org/#/c/63118/2
+
+  * debian/patches/use-mariadb-java-instead-of-mysql-java.diff: as name says;
+    use org.mariadb.jdbc.Driver instead of com.mysql.jdbc.Driver
+  * debian/control.in:
+    - Suggest libmariadb-java instead of libmysql-java. See #912916 for more
+      information.
+  * debian/patches/jdbc-driver-classpaths.diff: add org.mariadb.jdbc.Driver
+    classpath pointing to /usr/share/java/mariadb-java-client.jar
+  * debian/libreoffice-base.bug-script.in: add libmariadb-java
+  (closes: #913360, thanks Markus Koschany)
+
+  * debian/libreoffice-base-drivers.NEWS: add NEWS about above change
+  * debian/libreoffice-base.{postrm,preinst}.in: remove manual
+    --package $DPKG_MAINTSCRIPT_PACKAGE, since dpkg-divert defaults to it
+    since 1.16.0 anyway if not specified (see #912140).
+  * debian/control.in: update -core versioned Breaks: to -kde5, not -kde, thanks
+    Julien Cristau 
+
+1:6.1.3-1 [Mon, 29 Oct 2018 21:29:20 +0000] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release
+    - keeps pyuno script processing below base uri (fixes CVE-2018-16858)
+
+1:6.1.3~rc1-2 [Sun, 28 Oct 2018 17:16:36 +0000] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/patches/fix-tests-openjdk11.patch: fix odk examples'
+    build with Java11 (from upstream master)
+
+  * debian/tests/control: mark pyuno-import, uno-import, test-extension,
+    test-extension-shared and the sdk/util/check.pl and apparmor tests as
+    superficial
+
+1:6.1.3~rc1-1 [Wed, 10 Oct 2018 21:25:32 +0000] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+    - accepts to insert empty field with 'not null' database constraint
+      (closes: #910576)
+
+  * debian/patches/DefaultLabel-only-for-interactively-created-OBJs.diff: add
+    from master (closes: #907710)
+
+1:6.1.2-1 [Thu, 20 Sep 2018 23:43:47 +0200] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release
+
+1:6.1.1-1 [Mon, 10 Sep 2018 23:38:40 +0200] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release
+
+  * debian/patches/fix-gtk3_kde5-filepicker-infinite-loop.diff: add from
+    libreoffice-6-1 branch: fixes possible infinite loop in gtk3_kde5
+    filepicker (closes: #906987)
+
+1:6.1.1~rc1-2 [Fri, 31 Aug 2018 12:45:39 +0200] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/apparmor-fixes.diff: add patch from master to
+    allow printing to file
+  * debian/patches/do-not-reset-permissions-on-save.diff: as name says,
+    from libreoffice-6-1 branch (closes: #907476)
+
+  * debian/rules: move libdbahsqllo.so from -base-drivers to -base-core
+    (closes: #907397)
+  * debian/control.in:
+    - add Replaces: for above
+    - bump ure Dependency in -core to (>= 6.1.1~) (closes: #907650)
+
+1:6.1.1~rc1-1 [Fri, 24 Aug 2018 18:57:08 +0200] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+
+  * debian/patches/apparmor-kde.diff: backport AppArmor KDE fixes from
+    master
+  * debian/control.in:
+    - *really* recommend apparmor (>= 2.13)
+
+1:6.1.0-1 [Sun, 12 Aug 2018 08:13:03 +0200] Rene Engelhard <rene@debian.org>:
+
+  * Libreoffice 6.1.0 final (identical to rc3)
+
+  * debian/patches/apparmor-fixes.diff: add patch from libreoffice-6-1
+    branch to fix saving of documents in apparmor enforce mode
+    (closes: #905442)
+  * debian/patches/apparmor-cleanups.diff: use dri-enumerate abstraction of
+    apparmor; add from https://gerrit.libreoffice.org/#/c/58589
+
+  * debian/control.in:
+    - recommend apparmor (>= 2.13) for above
+    - make -common also depend on -style-colibre, since it apparently also
+      is needed to have LO draw iit's check/radiobuttons correctly
+      (closes: #904598, #905408, #905819)
+
+1:6.1.0~rc3-1 [Thu, 02 Aug 2018 21:06:53 +0000] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+
+  * debian/patches/do-not-hide-test-output.diff: also do not hide PythonTests
+    output
+
+  * debian/control.in: add Breaks/Replaces: libreoffice-common (<<
+    1:6.1.0~alpha1-1) to libreoffice-help-common (closes: #905185)
+  * debian/tests/control, debian/tests/smoketest: use "skippable" restriction
+    and return 77 instead of 0 if running into the timeout
+  * debian/tests/*: use $AUTOPKGTEST_TMP instead of $ADTTMP
+  * debian/rules:
+    - don't suggest libreoffice-spellcheck-tr (for
+      libreoffice-zemberek) anymore - dead upstream. thanks Muhammet Kara 
+    - support new "terse" in DEB_BUILD_OPTIONS
+    - replace #!/usr/bin/env perl shebangs in some files by #!/usr/bin/perl
+    - also fix up ../00/usr/share/libreoffice/help/... in doc-base....
+
+1:6.1.0~rc2-3 [Mon, 23 Jul 2018 18:54:04 +0000] Rene Engelhard <rene@debian.org>:
+
+  * debian/tests/control:
+    - "timeout" is in coreutils...
+  * debian/rules:
+    - add | firefox at the end of the -help browser depends (closes: #904312)
+
+1:6.1.0~rc2-2 [Sat, 21 Jul 2018 23:52:12 +0000] Rene Engelhard <rene@debian.org>:
+
+  * upload to unstable
+
+1:6.1.0~rc2-1 [Thu, 19 Jul 2018 22:17:15 +0000] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+
+  * debian/patches/apparmor-allow-java.security.diff: allow
+    /etc/java-??-openjdk/security/java.security read access, denied because
+    it's a symlink (closes: #903900)
+
+  * debian/tests/control: add missing libreoffice-dev dependency for the
+    "smoketest" test
+  * debian/tests/uno: run config_host.mk with (e.g.) BUILD_KDE=n to avoid
+    configure failure because qmake is not correctly found
+  * debian/rules:
+    - don't depend on x-www-browser, only "qutebrowser" provides it.
+      Use firefox-esr | epiphany-browser | konqueror | chromium which is
+      the order xdg-open (which is used to actually open the help) does, too
+      (closes: #904022)
+    - temporarily disable dwz. fails since the change to gcc 8
+
+1:6.1.0~rc1-2 [Thu, 05 Jul 2018 21:31:20 +0000] Rene Engelhard <rene@debian.org>:
+
+  * rebuild with correct control (all languages...)
+
+1:6.1.0~rc1-1 [Wed, 04 Jul 2018 23:50:05 +0200] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+
+  * debian/rules:
+    - make the tests fatal again (where they were before - amd64/arm64),
+      the "broken" hsqldb->firebird auto-migration got disabled for 6.1
+    - fix PYTHON_VERSION override to work again;
+      export PYTHON_{CFLAGS,LIBS} ourselves
+  * debian/control.transitionals.in: make libreoffice-kde "all" again since
+    it its built everywhere since last upload
+  * debian/uno-libs3.symbols: add sal PRIVATE_x.y* symbols (closes: #902898)
+
+1:6.1.0~beta2-1 [Sun, 17 Jun 2018 10:09:05 +0200] Rene Engelhard <rene@debian.org>:
+
+  * New upstream beta release
+    - fixes moving keyboard focus to sidebar styles panel after pressing F11
+      (closes: #870476)
+
+  * debian/patches/allow-opensymbol-rebuild.diff: from upstream
+    https://gerrit.libreoffice.org/#/c/54938/, add new --enable-build-opensymbol
+  * debian/patches/gtk3-kde5-32bit.diff: add patch from
+    https://gerrit.libreoffice.org/#/c/55474 to fix gtk3_kde5 filepicker build
+    on 32bit
+  * debian/patches/do-not-hide-test-output.diff: don't use tee since that hides
+    the failure (and -o pipefail doesn't work), just use plain 2>&1 and no log
+
+  * debian/rules:
+    - allow fontforge additionally to of fontforge-nox
+    - remove custom build-opensymbol target; use new --enable-build-opensymbol
+    - fix i386 conditional for not adding a (not fullfillable on stretch 
+      even with backports) default-jdk (>= 2:1.9) build-dep
+    - don't enable dwz on stretch-backports, the needed debhelper conflicts
+      against the (needed via libgpgmepp-dev) stable qt5-qmake :/
+    - remove USE_DWZ_MULTIFILE conditional (which was disabled),
+      default since debhelper 11.3
+    - make BUILD_TEST_PACKAGES=y be based on DEB_BUILD_PROFILES, not
+      DEB_BUILD_OPTIONS
+    - enable gtk3_kde also on 32bit archs
+    - ignore test failures for now; broke already in beta1-1 but was hidden by
+      the do-not-hide-test-output.diff bug, so no regression. Needs to be
+      investigated.
+  * debian/control.test-packages.in:
+    - add Build-Profiles: <!nocheck>
+  * debian/control.sdk.in:
+    - add Build-Profiles: <!nodoc> for -dev-doc
+  * debian/control.in:
+    - the colibre change was reverted; make -common depend on -style-tango
+
+1:6.1.0~beta1-1 [Fri, 25 May 2018 11:29:12 +0200] Rene Engelhard <rene@debian.org>:
+
+  * New upstream beta release
+    - allows rk on .gnupg/random_seed to fix hang on gpg encryption
+      (closes: #899380)
+
+  * debian/tests/patches/odk-build-examples-standalone.diff: make apply again
+  * debian/patches/do-not-hide-test-output.diff: as name says. to prevent
+    slow(er) archs/buildds timing about because e.g. the new uitests might take
+    too long without an output
+  * debian/patches/no-ant-check-if-unneeded.diff: as name says, only check
+    for ant if we really need it for building something
+
+  * debian/rules:
+    - build-depend on fontforge-nox and rebuild opens___.tff from OpenSymbol.sfd
+    - fix numbertext-data-recommends substvar
+    - optimize the build-indep build a bit more
+      + remove build-indep dependency on build-arch to not run the full
+        testsuite on -A (build-indep) builds.
+        Only run the odk "check" (SDK files) and build-example tests
+      + build without --enable-symbols on build-indep builds
+    - enable (gtk3_)kde5 (and qt5) only on 64bit archs for now
+    - make -help-xx depend with = on -help-common and -help-common depend on
+      x-www-browser, too, it already contains HTML
+    - rebuild smoketestdoc.sxw; install it into libreoffice-smoketest-data
+    - move ant to Build-Depends-Indep
+  * debian/tests/odk-build-examples: fix
+  * debian/control.in: move numbertext-data-recommends to Depends: as the
+    numbertext stuff is used for ooxml im/export.. (theoretical, since
+    libnumbertext depends on it already, but...)
+  * debian/copyright: add the various (c)'s of OpenSymbol.sfd
+  * debian/libreoffice-help-common.links: symlink normalize.css to
+    /usr/share/javascript/normalize.css/normalize.css and depend on
+    libjs-normalize.css (closes: #898788), but mention ./help3xsl/normalize.css
+    in copyright
+  * debian/tests/*:
+    - remove build-needed in smoketest and build some needed parts ourselves.
+      Add missing LD_LIBRARY_PATH and use
+      /usr/share/libreoffice/smoketestdoc.sxw. Enable
+    - honour $ADTTMP
+    - rename junit-subsequentcheck to junit
+    - add "uno" test running the bridgetest using /usr/lib/libreoffice/uno.
+      only depends on "ure"
+    - run "perl odk/util/check.pl /usr/lib/libreoffice/sdk"
+  * debian/rules, debian/control.systray.in: the systray "Quickstarter" is
+    finally gone upstream.
+
+1:6.1.0~beta1~git20180507-1 [Mon, 07 May 2018 20:42:58 +0000] Rene Engelhard <rene@debian.org>:
+
+  * New upstream snapshot
+
+  * debian/patches/disable-tests-somehow-needing-more-fonts.diff,
+    debian/patches/tdf108963-test.diff: remove. Obsolete after Liberation
+    fix
+
+  * debian/libreoffice-help-common.doc-base: ... rename
+  * debian/libreoffice-help.doc-base.in: ... here and only use as template.
+    Update Index: for localized "index" (text/shared/main0108.html) and fix
+    Section:
+  * debian/rules:
+    - move also the -help-common parts to /usr/share
+    - create/populate libreoffice-help-xx .doc-base files
+    - use internal libetonyek on stretch-backports
+    - use -type f for pupulating Files: in .doc-base to leave out dirs...
+    - stop special-casing i386 to explicitly use openjdk (9), use default-java
+      again and add appropriate versioned build-depends
+    - install the language-specific media/helpimg/xx into their correct packages
+    - fix build with -B/all (unpackaged help) languages
+    - add Build-Conflicts: against "broken" fonts-liberation
+    - remove explicit SAL_USE_VCLPLUGIN="svp" from make check call since it's
+      apparently unneeded (and even actually harmful) now
+  * debian/rules, debian/control.in: add stuff for new libnumbertext usage
+  * debian/lo-java-ref.in: move to Programming/Java
+  * debian/tests/odk-build-examples: build also new split-out
+    CustomTarget_odk/build-examples_java
+
+1:6.1.0~alpha1-1 [Fri, 27 Apr 2018 04:57:42 +0000] Rene Engelhard <rene@debian.org>:
+
+  * New upstream alpha release
+    - fixes cross-file links with xlsx files (closes: #658569)
+    - apparently preserves conditional formatting with copy paste operations
+      (again) (closes: #868349)
+    - fixes crash on typing any character with IME in Wayland
+      (closes: #898632)
+
+  * debian/patches/no-packagekit-per-default.diff: use the new config options
+    to disable the packagekit install stuff
+  * debian/patches/odk-no-dot.diff: remove, see below
+
+  * debian/rules:
+    - install TestExtension.oxt into a new libreoffice-smoketest-data package
+      which can be used by autopkgtests
+    - enable gtk3_kde vclplug (closes: #752230) and "kde5" (kde5be)
+    - re-enable pdfium on arm64 again; is now not using its internal allocator
+      anymore
+    - use new $(call java_dependency, default-jdk) for default-jdk builddep
+    - add Build-Depends-Indep: on graphviz, since Debians doxygen sets
+      HAVE_DOT to YES (see #818787) and upstreams configure.ac now checks for
+      this and fails if "dot" isn't present.
+  * debian/tests/*: add autopkgtest to test install TestExtension.oxt
+    (user and shared)
+  * debian/tests/*: add initial version of a autopkgtest to run the smoketest,
+    build smoketestdoc.sxw here for now (and a full build...). Disabled for now.
+  * debian/control.transitionals.in: add -kde -> kde5 transitional package
+  * debian/libreoffice-sdbc-firebird.bug-script.in: remove, firebird not
+    experimental anymore
+  * debian/control.in:
+    - update for new icon defaults, make -common depend on -style-colibre and
+      -gnome recommend -style-elementary
+  * debian/control*in, debian/rules, debian/libreoffice-help-common.doc-base:
+    build with --with-help=html and split common files into a new
+    libreoffice-help-common
+
+  * merge from Ubuntu:
+    - debian/patches/hide-maths-desktop-file.patch: hide
+      math icon from the shell (see #883734)
+
+1:6.0.4~rc1-4 [Tue, 24 Apr 2018 11:46:54 +0200] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/patches/disable-java-in-odk-build-examples-on-zero-vm.diff:
+    as name says, the test builds many Java projects without a output and on
+    Zero this is slow -> "hangs" gets killed because of inactivity
+  * explicitely disable junit tests when determining that java uses the Zero VM
+
+1:6.0.4~rc1-3 [Sat, 21 Apr 2018 19:11:50 +0200] Rene Engelhard <rene@debian.org>:
+
+  * debian/rules:
+    - sigh. readd lost if to disable make check on big-endian archs.
+
+1:6.0.4~rc1-2 [Sat, 21 Apr 2018 17:20:41 +0200] Rene Engelhard <rene@debian.org>:
+
+  * debian/rules:
+    - clean up/simplify test on/off/fatal handling and use findstring
+      as everywhere else
+    - disable running make check on armel and mipsel. hangs.
+
+1:6.0.4~rc1-1 [Wed, 18 Apr 2018 14:27:06 +0000] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+
+  * debian/patches/appstream-ignore-startcenter.diff: add
+    X-AppStream-Ignore=True to startcenter.desktop, thanks Olivier
+    (closes: #892364)
+
+1:6.0.3-1 [Mon, 02 Apr 2018 14:48:09 +0000] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release
+
+  * debian/patches/gpg-overly-long-filenames-fix.diff: backport
+    https://gerrit.libreoffice.org/#/c/50978/ fix to fix gpg encryption
+    test ("File name too long")
+  * debian/patches/disable-flaky-tests.diff: remove disabling of
+    testODFEncryptedGPG.
+  * debian/patches/check-for-gpgconf-and-run-user.diff: as name says,
+    don't fail when gpgconf --create-socketdir doesn't work because
+    /run/user/<uid> doesn't exist... Check for it.
+
+  * debian/rules:
+    - add explicit gpg-agent and gpgconf build-dependencies
+    - add explicit python3-distutils build-dependency as
+      python3.6 3.6.5~rc1-2 dropped its python3-distutils dependency...
+
+1:6.0.2-1 [Wed, 28 Feb 2018 18:37:57 +0100] Rene Engelhard <rene@debian.org>:
+
+  [ Rene Engelhard ]
+  * New upstream release
+
+  * debian/patches/orcus-0.13.3.diff: backport patches to fix build/tests
+    against orcus 0.13.3
+  * debian/patches/disable-some-sc-tests-with-internal-cppunit.diff: update
+
+  * debian/watch: update for the multiple tarballs
+  * debian/copyright: remove Files-Excluded: for files already removed by
+    upstreams pack script anyway to allow mk-origtargz doing --symlink
+  * debian/scripts/mk-origtargz: own mk-origtargz..
+
+  * debian/rules:
+    - --disable-pdfium on arm64
+    - actually build without -g if ENABLE_SYMBOLS=n
+    - add get-orig-source target for "real" upstream tarballs
+    - fix libvisio dependency
+    - bump runtime (and test) depends for liborcus to >= 0.13.3
+  * debian/control.in:
+    - recommend xdg-utils in -common (for xdg-{open,email})
+
+  [ Olivier Tilloy ]
+  * debian/rules: define ${java-common-depends} when building
+    libreoffice-wiki-publisher and libreoffice-nlpsolver (closes: #891765)
+
+1:6.0.1-1 [Thu, 08 Feb 2018 19:29:39 +0100] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release
+    - fixes CVE-2018-1055: libreoffice: Remote arbitrary file disclosure
+      vulnerability via WEBSERVICE formula
+
+  * debian/control.in: bump ure Depends for -core to (>= 6.0.0~)
+    (closes: #889074)
+  * debian/rules:
+    - use internal mdds for stretch-backports
+  * debian/tests/control: make uicheck depend on libreoffice-l10n-{he,ja}
+    for the text direction UI Test
+
+  * merge from Ubuntu:
+    - Bump shlibs overrides for libvisio and orcus
+
+1:6.0.0-1 [Mon, 29 Jan 2018 18:52:54 +0100] Rene Engelhard <rene@debian.org>:
+
+  * LibreOffice 6.0.0 final release (identical to rc3)
+
+  * upload to unstable
+
+  * debian/patches/glm-0.9.9.diff: fix build with glm 0.9.9 (closes: #888737)
+
+  * merge from Ubuntu:
+    - debian/patches/apparmor-fixes.diff: allow JVM execution
+
+  * debian/rules:
+    - re-enable system-glm; bump libglm-dev build-depdendency to
+      libglm-dev (>= 0.9.9~a2) when using gcc >= 7.3
+    - re-enable -systray. Actually in stock 6.0 upstream debs the feature *is
+      still in the options...
+
+1:6.0.0~rc3-2 [Sat, 27 Jan 2018 14:37:23 +0100] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/disable-flaky-tests.diff: disable testODFEncryptedGPG test;
+    the signing parts work, so...
+
+1:6.0.0~rc3-1 [Sat, 27 Jan 2018 11:36:59 +0100] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+
+  * debian/patches/apparmor-fixes.diff: add patch from master with syntax
+    fixes. Also include X abstractions and allow .mozilla/firefox/** reading
+  * debian/patches/apparmor-updates.diff: more gpg stuff: gpg(sm), .gnupg/*
+  (both together closes: #887593)
+  * debian/rules, debian/source/include-binaries: temporarily use internal glm;
+    configure check fails since the gcc 7.3 upload
+
+1:6.0.0~rc2-1 [Thu, 11 Jan 2018 23:05:44 +0100] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+
+  * debian/patches/poppler-0.62.diff: backport from master to fix build with
+    poppler 0.62
+
+  * debian/rules:
+    - rename 30_opensymbol.conf to 30-opensymbol.conf for consistency
+
+1:6.0.0~rc1-1 [Wed, 20 Dec 2017 17:41:30 +0000] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+    - fixes keyboard navigation for textboxes in slide layout (closes: #870387)
+    - fixes Glue points in Draw (closes: #883989)
+
+  * debian/patches/apparmor-usrmerge.diff: allow also /usr/bin/dash (etc.)
+    - usrmerge...
+
+  * debian/libreoffice-common.bug-script.in: revert running aa-status;
+    Might not exist and actually displaying the status needs root. People
+    shouldn't run reportbug as root, though...
+  * debian/rules:
+    - stop passing --disable-report-builder to build-archs configure since
+      even though it's built the report builder doesn't work then. Move
+      from Build-Depends-Indep: to Build-Depends: again (closes: #875688);
+    - update ar FONT_SUGGESTS: fonts-arabeyes ->
+      fonts-kacst, fonts-hosny-amiri, fonts-sil-scheherazade, fonts-hosny-thabit
+  * debian/rules, debian/control*.in:
+      s/REPORTDESIGN/REPORTBUILDER/ and
+      control.reportdesign.in -> control.reportbuilder.in while we're at it
+  * debian/copyright:
+    - mention sysui/desktop/apparmor/* copyright/license
+    - mention icon_themes/elementary*/* copyright/license
+  * debian/control.in:
+    - remove fonts-noto-unhinted from Recommends: again per
+      upstream suggestion
+    - recommend both fonts-liberation (LO ships 2 + Narrow from 1)
+  * debian/rules, debian/control.in: recommend and build-depend against
+    fonts-liberation2 instead of fonts-liberation since that is actually
+    what LO upstream ships (see above)
+
+1:6.0.0~beta2-1 [Fri, 08 Dec 2017 00:44:28 +0100] Rene Engelhard <rene@debian.org>:
+
+  [ Rene Engelhard ]
+  * New upstream beta release
+
+  * debian/patches/apparmor-complain.diff: set complain mode for oosplash
+    and soffice.bin profiles
+  * debian/patches/sal-fix-kfreebsd-build.diff: add from gerrit
+
+  * debian/control.in: remove openjdk conflicts ...
+  * debian/rules: ... and make them Depends in JAVA_RUNTIME_DEPENDS for the
+    Java-using packages. Also allow openjdk-9 everywhere
+  This doesn't prevent usage of the "broken" JDK but otherwise we "break"
+  jodconverter/natbraille in testing... And linux 4.14.2-1 is also supposed to
+  fix the regression finally...
+  This also closes: #882436
+
+  * debian/rules:
+    - stop installing disabled symlinks for apparmor (closes: #883800)
+    - actually install the OpenSymbol fontconfig snippet into a 
+      /etc/fonts.d/30_opensymbol.conf
+    - change BRAND_BASE_DIR in fundamentalrc so that we don't get
+      /usr/lib/libreoffice/program/../program/xpdfimport calls. We know
+      the path and the apparmor profile doesn't allow this
+  * debian/libreoffice-common.bug-script.in: run aa-status
+  * debian/control.in: add gnupg to Suggests
+
+  [ intrigeri ]
+  * debian/README.Debian: document how to debug and customize the included
+    AppArmor profiles
+
+1:6.0.0~beta1-2 [Mon, 04 Dec 2017 19:01:27 +0100] Rene Engelhard <rene@debian.org>:
+
+  * debian/libreoffice-common.{triggers,postinst}.in,
+    debian/shell-lib-lool.sh: add trigger updating LOOLs systemplate
+  * debian/libreoffice-common.triggers.in: switch to interest-noawait triggers
+
+  * merge from Ubuntu:
+    - debian/patches/fix-includes-in-aarch64-bridge.patch: add from master
+
+1:6.0.0~beta1-1 [Sat, 25 Nov 2017 17:17:54 +0000] Rene Engelhard <rene@debian.org>:
+
+  * New upstream beta release
+
+  * debian/patches/ww8export-HAVE_MORE_FONTS.diff: move ...
+  * debian/patches/disable-tests-somehow-needing-more-fonts.diff: ... here
+    and patch also ooxmlexport4
+
+  * debian/rules:
+    - use (dh_)dwz and (if enabled) install the multifile file into
+      uno-libs3-dbgsym.
+      Thanks Matthias Klose for the hint.
+      Make *-dbgsym depend on uno-libs3-dbgsym which should contain the above
+      file and is recommended anyway because of the gdb helpers.
+    - be consequent and enable the junit tests on arm64 now that
+      those work.
+    - stop passing --disable-database-connectivity for no-Base archs
+      (closes: #874274)
+    - explicitly use and depend on openjdk 9 on i386 now that #876069 is fixed.
+    - replace some manual dpkg-parsechangelog calls with
+      $(DEB_VERSION) and $(DEB_DISTRIBUTION) and fix logic for
+      --disable-dependency-tracking
+    - enable missed sr-Latn but merge into -sr
+    - install the apparmor profiles disabled for now (closes: #882597)
+  * debian/libreoffice-sdbc-firebird.maintscript: remove (redundant)
+    $DPKG_MAINTSCRIPT_PACKAGE and update version (closes: #880426)
+  * debian/rules, debian/libreoffice-common.maintscript: fix path in/for
+    apparmor profiles (add missing /). mv_conffile the files to the new
+    name...
+  * debian/control.in: make -core conflict against openjdk-{6,7,8}-jre-headless
+    on i386- -java-common would make more sense, but it's Arch: all..
+  * debian/control.in:
+    - add fonts-noto-hinted, fonts-noto-mono, fonts-noto-unhinted to
+      Recommends
+    - clean up mozilla suggests to just firefox-esr | thunderbird | firefox
+    - add versions to openjdk-{7,8}-jre-headless conflicts now that they are
+      also supposed to be fixed
+  * debian/control.{kde.}.in: suggest the "certificate managers" for gpg:
+    gpa, seahorse, kleopatra | kgpg
+
+1:6.0.0~alpha1-1 [Fri, 20 Oct 2017 13:42:40 +0000] Rene Engelhard <rene@debian.org>:
+
+  [ Rene Engelhard ]
+  * New upstream alpha release
+
+  * debian/patches/tdf108963-test.diff: adapt test to what we get; the
+    text _is_ rotated on export, so...
+
+  * merge from Ubuntu, thanks Rico Tzschichholz:
+    - Add "elementary" style package
+
+  * debian/rules:
+    - finally stop building -systray. GNOME 3.26 doesn't show it anymore,
+      and in 6.0 the feature is not completely removed yet but the UI for
+      setting it is already gone anyway....
+
+  [ Rico Tzschichholz ]
+  * Add Kannada (kn) langpack
+
+1:5.4.3~rc1-1 [Fri, 20 Oct 2017 13:40:01 +0000] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+
+  * debian/patches/no-check-if-root.diff: remove (senseful, IMHO!) check
+    given policy implies "build" should be able to run as root... :(
+  * debian/patches/avoid-throwing-cpp-exceptions-across-libgpeg-c-frames.diff:
+    add from master, fixing CppunitTest_vcl_filters_test on arm*
+  * debian/patches/debian-hardened-buildflags-CPPFLAGS.diff: split this up,
+    into the CPPFLAGS part here ..
+  * debian/patches/debian-hardened-buildflags-no-LO-fstack-protector-strong.diff:
+    and the removal of the explicit default -fstack-protector-strong here.
+  * debian/patches/arm64-bridges-no-stack-protector-strong.diff: add from master:
+    go sure that we build gcc3_linux_aarch64/cpp2uno.cxx only with
+    -fstack-protector. Works for us by chance because of above
+    debian-hardened-buildflags-no-LO-fstack-protector-strong.diff
+  * debian/patches/arm64-disable-sc-functions-test.diff: add patch from master
+    to disable the sc_*_functions_test on arm64 (as for x86).
+
+  * debian/rules:
+    - *really* fix -dbgsym 0775 permissions by manually fixing them after
+      mkdir -p's (dh_fixperms doesn't run on -dbgsym) which apparently
+      create them as 775 (at least on the buildds)
+    - fix libreoffice-dev-doc.doc-base.lo-idl-ref (again)
+    - add missing dependency to build-arch to install-arch
+    - make armhf/arm64 test failures fatal now that above test is fixed which
+      was the only one failing; upstream apparently also builds armhf/arm64
+      flatpaks now for flathub
+  * debian/copyright:
+    - fix various missing-license-paragraph-in-dep5-copyright
+
+1:5.4.2-3 [Tue, 10 Oct 2017 21:28:41 +0200] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/ww8export-HAVE_MORE_FONTS.diff, debian/rules: revert
+    change of -2. Actually doesn't work. (Did in a testbuild, but...)
+
+1:5.4.2-2 [Tue, 10 Oct 2017 14:33:23 +0000] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/ww8export-HAVE_MORE_FONTS.diff: remove again ...
+  * debian/rules: ... and install LOs fc_local.conf to instdir before make
+    check
+
+  * debian/control.{lang,help},in: remove | language-support-translations-*
+    Depends:/Recommends: to unconfuse piuparts
+
+1:5.4.2-1 [Sun, 08 Oct 2017 11:38:20 +0200] Rene Engelhard <rene@debian.org>:
+
+  * LibreOffice 5.4.2 final release (identical to rc2)
+
+  * upload to unstable
+
+  * debian/patches/disable-flaky-tests.diff: disable chart2_dump test
+    (closes: #877794)
+  * debian/patches/ww8export-HAVE_MORE_FONTS.diff: temporarily(?) disable
+    testTableKeep test, fails with --without-fonts even though Liberation
+    is in Build-Depends:...
+
+  * debian/libreoffice-sdbc-firebird.maintscript: restore, we need it
+    from upgrades involving jessie since jessies version gets kept on
+    jessie->stretch upgrades... (closes: #877494)
+
+1:5.4.2~rc2-1 [Fri, 29 Sep 2017 15:33:05 +0200] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+
+  * debian/control.help.in: drop now obsolete Depends on
+    libreoffice-style-default (closes: #877175)
+
+1:5.4.2~rc1-1 [Fri, 22 Sep 2017 09:21:11 +0200] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+
+  * debian/patches/icu-no-icu-config.diff: don't use icu-config for
+    determining the ICU version; doesn't exist in (Debian's) ICU 59.1 anymore
+
+  * debian/rules:
+    - move STRETCH_BACKPORT conditional for coinmp lower in rules so it
+      gets honoured and make libwps/libmwaw internal unconditionally
+      (RUN_MAKE_CHECK=n on BE archs)...
+    - move images_helpimg.zip to usr/share like the others; remove obsolete
+      helpimg mangling in the "other" images_*.zip
+  * debian/control.in: remove -style-default provides since it doesn't help at
+    all on default changes; depend on tango since that apparently is now the
+    (last) fallback (closes: #874196)
+  * debian/control.gtk?.in: remove -style-tango recommends, obsoleted by
+    above
+
+1:5.4.1-1 [Tue, 29 Aug 2017 16:39:44 +0000] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release
+    - fixes middle click paste (closes: #871588)
+
+  * debian/patches/stop-shipping-mimelnk-desktop-files.diff: as name says
+    (closes: #872001)
+  * debian/patches/java9.diff: backport Java 9 patch from master
+
+  * debian/rules:
+    - install appstream stuff into /usr/share/metainfo. sigh.
+    - make -writer-dbgsym recommend -core-dbgsym as it wants some gdb stuff
+      from it
+    - set UNO_LIBS_DBG_ROOT to fix gdb helper installation for uno-libs3 again
+      and make -core-dbgsym recommends uno-libs3-dbgsym (same reason as above)
+    - generate and install apparmor profiles
+    - be consequent and bump the build-dependencies for the DLP libs when
+      we run the tests; based on patch by Rico Tzschichholz
+    - run dh_strip_nondeterminism
+    - disable -kde and the (unmaintained for LO) oxygen theme.
+      Qt4 should go away. See
+      https://lists.debian.org/debian-devel-announce/2017/08/msg00006.html
+    - set locale to en-US.UTF-8 also for make check, the dbaccess tests
+      fail in some frenchy locale...
+    - remove libbz2-dev from Build-Depends, coinutils got fixed
+    - move pagein-{calc,draw,impress,writer} to their respective packages
+    - move dk.mk from -dev-common to -dev as it's not arch-indep, thanks
+      Rico Tzschichholz
+  * debian/scripts/gid2pkgdirs.sh: fix move of types/*.rdb and services/*.rdb
+    to core and move pagein-common there too. They reference libmergedlo.so
+    which doesn't exist on all archs (closes: #873443)
+  * debian/control*in:
+    - move to policy 4.0.1; extra -> optional
+    - Breaks/Replaces for above
+
+1:5.4.0-1 [Tue, 25 Jul 2017 22:30:57 +0200] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release
+
+  * upload to unstable
+
+  * debian/patches/examples-fix-SDK_AUTO_DEPLOYMENT-check.diff: don't try
+    to do "auto deployment" when SDK_AUTO_DEPLOYMENT = NO...
+  * debian/patches/libebook-1.2.so.19.diff: backport from master; adds
+    libebook-1.2.so.19 (e-d-s 3.24+) to EApi.cxx
+
+  * debian/rules:
+    - strip librhino-java from java:Depends, we use the internal one still..
+    - add pstoedit, imagemagick and ghostscript as (test) Build-Depends:
+  * debian/control.in:
+    - add ghostscript to the "EPS Suggests"
+  * debian/rules. debian/control.in:
+    - add libsane-suggests substvar to prepare for libsane1
+
+  * merge from Ubuntu, thanks Rico Tzschichholz
+    - don't recommend libreoffice-sdbc-firebird if firebird is disabled
+
+  [ Rico Tzschichholz ]
+  - fix get_libebook_dep.sh for libebook1.2-dev (>= 3.24)
+
+1:5.4.0~rc2-1 [Sat, 15 Jul 2017 10:16:28 +0000] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+
+  * debian/patches/mediawiki-oor-replace.diff: back to ="fuse" for Paths.xcu
+    as otherwise it overwrites Template paths and breaks the python wizards
+    (closes: #867209)
+
+  * debian/tests/control, debian/uitest: improve, we can only run the test
+    now; remove build-needed
+  * debian/tests/control, debian/tests/sdk-examples: move ...
+  * debian/tests/control, debian/tests/odk-build-examples: ... here and use
+    upstreams odk/build-examples check directly.
+    (Needs zip, python3-uno and libreoffice-officbean as new test Depends:)
+  * debian/tests/odk-build-examples: actually set -e...
+  * debian/rules, debian/tests/control: remove extra hackery to add our
+    Build-Depends(-Indep): to debian/tests/control.in; misses some packages
+    (e.g. ant) and it should work at least since autopktest 3.16 from Jul 2015;
+    use @builddeps@ instead
+  * debian/tests/control, debian/tests/*uno-import.diff: split; make
+    pyuno-import test import pyuno while uno-import does import uno
+    (the uichecks do the former). Add python3 dependency for safety.
+  * debian/test/control: sort by importance
+  * debian/tests/: unapply patch after the make (or on error) so that the
+    next test can patch it...
+  * debian/tests/*: more cleanups for newer autopkgtests; use allow-stderr
+    instead of manual 2>&1
+
+  * debian/rules:
+    - be consequent and set RUN_PYTESTS=n (and RUN_MAKE_UICHECK=n) where we set
+      RUN_MAKE_CHECK=n
+    - be consequent and add $(IGNORE_MAKE_CHECK_FAILURES) also to the "extra"
+      test runs
+    - disable the tests on bigendian archs: hang (failures non-fatal anyway.)
+    - make i386 make check notfatal for now given the i386 Java Stack Clash
+      regression
+  * debian/control.in:
+    - make -common Conflicts: older mediawikis to go sure
+
+  * merge from Ubuntu, thanks Rico Tzschichholz
+    - Bump soname in shlibs.override.orcus
+
+1:5.4.0~rc1-1 [Mon, 26 Jun 2017 19:25:59 +0200] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+
+  * debian/tests/control.in, debian/tests/uicheck,
+    debian/tests/patches/uicheck-standalone.diff: add initial version
+    of autopgktest running uitest 
+
+  * debian/rules, debian/patches/system-xmlsec.diff: backport patch from
+    master and add conditional for system-xmlsec. use it.
+
+  * debian/rules, debian/control.lokit.in:
+    - move /usr/share/gir-1.0/LOKDocView-0.1.gir to libreofficekit-dev and
+      make libreofficekit-dev depend on gir1.2-lokdocview-0.1 as per gir
+      policy
+  * debian/rules:
+    - clean up JRE Depends; we consider java6_architectures as Java arch, so
+      let's remove the Java5 alternatives
+  * debian/copyright, debian/source/include-binaries: remove xmlsec
+  * debian/rules:
+    - fix dh_missing call
+  * debian/tests/sdk-examples: DevelopersGuide/OfficeDev/DesktopEnvironment
+    needs -ljawt. Build this to check this and the JAVA_PROC_TYPE setting also.
+
+1:5.4.0~beta2-4 [Mon, 12 Jun 2017 23:44:55 +0200] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/gb_SUPPRESS_TESTS.diff: add more tests to suppress
+    (from master)
+  * debian/patches/odk-settings-JAVA_PROC_TYPE.diff: set correct
+    JAVA_PROC_TYPE for arm{el,hf}, mips* and ppc64el
+  * debian/patches/gerrit_38597.diff: add from gerrit for master, fixes
+    i386 tests
+
+  * debian/rules, debian/scripts/locale-gen: upstream insists on using
+    en_US.UTF-8 for the tests. "Steal" the locale-gen stuff from gcc
+  * debian/control.in: make -core depend on ure (>= 5.4.0~beta2~)
+    (closes: #864690)
+  * debian/control.in:
+    - make -gstreamer recommend gstreamer1.0-plugins-bad as we apparently
+      want/need gtksink
+
+  * merge from Ubuntu:
+    - debian/tests/patches/java-subsequentcheck-standalone.diff: refreshed
+
+1:5.4.0~beta2-3 [Fri, 09 Jun 2017 05:18:08 +0200] Rene Engelhard <rene@debian.org>:
+
+  *  debian/patches/series, also-suppress-odk-build-examples.diff: sigh.
+     don't do that yet, not yet ready....
+
+1:5.4.0~beta2-2 [Thu, 08 Jun 2017 15:55:59 +0200] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/disable-db-tests.diff: update
+
+  * debian/rules:
+    - try harder and also export LC_ALL=C.UTF-8 for uitest as the
+      buildd/sbuild sets LC_ALL=POSIX already
+    - fix icon installation in install-indep
+
+1:5.4.0~beta2-1 [Wed, 07 Jun 2017 19:42:57 +0000] Rene Engelhard <rene@debian.org>:
+
+  * New upstream beta release
+    - is now able to do "insert->image, choose pdf". Not insert->docunent
+      but close enough, so this closes: #814598
+      (unfortunately only using internal pdfium. sigh.)
+
+  * debian/scripts/gid2pkgdirs.sh, debian/control{,.transitionals}.in:
+    remove extra libreoffice-pdfimport, merge (even though the poppler
+    dependency...) back to -common/-core since it has the above new feature and
+    otherwise it may get confusing what is what.
+
+  * debian/rules, debian/patches/cppunit-optional.diff: as name says;
+    make cppunit build-dep optional and add <!nocheck> to the build-dep
+  * debian/patches/disable-unneeded-test-programs.diff : micro-optimisation;
+    as name says.
+  * debian/gb_SUPPRESS_TESTS.diff: backport from master, allow checks build
+    but not run them
+
+  * tarballs/pdfium-3064.tar.bz2, debian/copyright,
+    debian/source/include-binaries, debian/libreoffice-core.lintian-overrides:
+    include pdfium; override embedded-library for lcms2
+
+  * debian/rules:
+    - adapt for (upcoming) usage of dh_missing
+    - run build-nocheck with --without-junit --without-cppunit to configure
+      and run check with them; build the checks with gb_SUPPRESS_TESTS first
+      before running them 
+    - replace symlinks /usr/share/applications/*.desktop. move
+      /usr/lib/libreoffice/share/xdg/*.desktop (except qstart.desktop) to
+      them instead. Fixes e.g. appstream-generator for our appstream data
+      (which cannot handle the symlinks...)
+    - enable running make uicheck
+
+1:5.3.3-2 [Sat, 27 May 2017 10:52:43 +0200] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/sensible-lomua.diff: sync upstreams
+    "add xdg-email as the default email route" into here
+
+  * debian/rules:
+    - fix logic error; make -g1 etc work also with noddebs. Build with those
+      flags also if building no -dbgsym
+    - move DPKG_EXPORT_BUILDFLAGS and buildflags.mk include later to make it
+      effective (worked before, but...)
+    - fix /usr/share/libreoffice/program/classes/unoil.jar symlink
+  * debian/control.in:
+    - remove obsolete Pre-Depends
+  * debian/rules, debian/control.in: remove now unneeded dejavu-depends
+    substvar, simply use fonts-dejavu. Move from Depends: to Recommends: like
+    the other fonts
+  * debian/copyright: fix (add missing .'s)
+
+1:5.3.3-1 [Thu, 04 May 2017 20:33:52 +0200] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release
+
+  * debian/control.in:
+    - recommend new fonts-open-sans
+
+1:5.3.2-1 [Wed, 29 Mar 2017 12:48:44 +0200] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release
+
+  * debian/patches/help-msg-add-package-info.diff,
+    debian/patches/mention-java-common-package.diff,
+    debian/patches/mediawiki-oor-replace.diff:
+    debian/patches/series: actually update the patches and re-enable...
+
+  * debian/rules:
+    - move /usr/include/libreoffice/sal/typesizes.h symlink to -dev
+      instead of -dev-common (closes: #858199)
+  * debian/control.in:
+    - add missing -java-common Depends: to -script-provider-{bsh,js}
+  * debian/control.mediawiki.in:
+    - add missing JRE depends
+  (thanks to Daniel Richard G. for those two, see #858655)
+  * debian/control.in:
+   - make libreoffice meta-package only recommend libreoffice-java-common
+     (closes: #858655)
+
+1:5.3.1-1 [Wed, 08 Mar 2017 02:02:25 +0100] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release
+
+  * debian/rules, debian/libreoffice-dev-doc.links, debian/lo*.in:
+    install SDK documentation into /usr/share/doc/libreoffice/sdk (and adapt
+    dev-docs symlinks/doc-base stuff). Remove extra license file (thanks
+    lintian) which otherwise would still install over the symlink.
+  * debian/control.sdk.in: update -devs libreoffice-dev-doc Conflicts to
+    (<< 1:5.2.5-2~) and add Conflicts: libreoffice (<< 1:5.2.5-2~) to both
+    -dev*- for safety
+  * debian/rules:
+    - enable mergelibs only on 64bit archs (and i386), ld goes to OOM on
+      mips(el) for example...
+    - allow build with gold (maybe for LTO?)
+    - ignore "libreoffice" for --link-doc
+    - fix dh_installdocs calls to install copyright for "libreoffice"
+    - symlink /usr/share/libreoffice/program/classes/unoil.jar to
+      /usr/share/java/unoil.jar to "dedup" it
+    - run rdfind to get duplicated /usr/share/icons/gnome symlinked to
+      hicolor if identical (closes: #835515); add rdlink/symlinks B-D-I
+    - fix generating lo-idl-ref doc-base file
+  * debian/control.in, debian/rules, debian/scripts/cleandupes: remove unused
+    fdupes B-D-I and commented-out usage
+  * debian/rules, debian/control.in: recommend -sdbc-firebird only where it's
+    built (LE) to prepare for it being a dependency when firebird will be the
+    default embedded engine
+
+1:5.3.0-1 [Wed, 01 Feb 2017 01:25:24 +0100] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release
+
+  * debian/rules:
+    - add support for building with clang
+    - move from hardcoded C(XX)FLAGS for -g -> -g1 to recommended
+      DEB_C(XX)FLAGS_MAINT_*
+  * debian/missing-sources:
+    - add source of jquery 3.1.1 (from libjs-jquery package) for
+      helpcontent2/source/jquery-3.1.1.min.js
+ 
+1:5.3.0~rc2-1 [Tue, 17 Jan 2017 01:31:09 +0100] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+
+  * debian/patches/change-from-glew-to-epoxy.diff: update
+  * debian/patches/m68k-use-mlong-jump-table-offsets.diff: add;
+    as name says
+
+  * debian/rules:
+    - build-depend on gcc-7/g++-7 (>= 7-20170106) for m68k for
+      -mlong-jump-table-offsets
+
+1:5.3.0~rc1-2 [Sat, 24 Dec 2016 01:01:40 +0100] Rene Engelhard <rene@debian.org>:
+
+  * debian/rules:
+    - readd somehow lost libgl1-mesa-dev build-dependency...
+
+1:5.3.0~rc1-1 [Fri, 23 Dec 2016 21:17:03 +0100] Rene Engelhard <rene@debian.org>:
+
+  * New upstream release candidate
+
+  * debian/patches/change-from-glew-to-epoxy.diff: backport from master;
+    as name says
+  * debian/patches/gtk3-opengl-slideshow.diff: backport from master to fix
+    ogltrans generically with gtk3
+  * debian/patches/disable-flaky-tests.diff: also disable svx.AccessibleShape
+
+  * debian/control.ogltrans.in:
+    - add Conflicts: libreoffice-gtk3 (<< 1:5.2.4~rc2)
+
+  * debian/rules:
+    - change glew conditionals/build-deps to epoxy
+    - ENABLE_GDRIVE=y again on armhf and arm64
+
+1:5.3.0~beta2-1 [Sun, 11 Dec 2016 10:40:18 +0100] Rene Engelhard <rene@debian.org>:
+
+  * New upstream beta release
+
+  * debian/patches/m68k-alignment.diff: add patch from John Paul Adrian
+    Glaubitz to fix m68k alignment
+
+  * debian/libreoffice-sdbc-firebird.NEWS: add NEWS entry about the format
+    incompatibility
+  * debian/rules: revert ENABLE_GDRIVE=y on arm* as chromium got uploaded
+    without it to sid and it's gone from experimental again on those
+
+1:5.3.0~beta1-1 [Wed, 23 Nov 2016 12:43:18 +0100] Rene Engelhard <rene@debian.org>:
+
+  * New upstream beta release
+
+  * try using just the used tarballs to avoid confusion and to shrink the
+    .orig (they are downloaded anyway and not in the .orig)
+    - remove unneeded tarballs from tarballs
+    - include needed tarballs in include-binaries
+    - update debian/copyright (remove many, add forgotten swingEx
+      fix src -> tarballs; actually add MPL-2.0/ASF blurb) 
+    - update README.Debian-source
+
+  * debian/patches/fix-system-lpsolve-build.diff: rename to ..
+  * build-against-shared-lpsolve.diff: ... this to make the purpose more clear
+  * debian/patches/fix-system-lpsolve-build.diff: add new one adding
+    -llpsolve55_pic test/linkage (disabled)
+  * debian/patches/no-openssl.diff: don't uselessly check for openssl and
+    don't require openssl in postgresql-sdbc-impl, not (directly) used
+
+  * debian/scripts/get_libvlc_dep.sh: fix to work again (also) with
+    new multiarchified libvlc5
+
+  * debian/rules:
+    - don't install ChangeLog (now done automatically by dh compat >= 7) as
+      it doubles -common/-core size and increases font-opensymbol *by 10* 
+    - ENABLE_GDRIVE=y also on armhf and arm64 as we've chromium there now, too
+    - enable mysql-connector again now that libmysqlcppconn _and_
+      mysql-workbench are built against mariadb.
+      Bump Build-Dependency on libmysqlcppconn to >= 1.1.7-4 to go sure
+      we're getting a >= 1.1.7 dependency
+      Fix adding the libmysqlcppconn-dev Build-Dep in the default case
+  * debian/control.in:
+    - add Breaks: browser-plugin-libreoffice to libreoffice-core
+      (closes: #843980)
+  * debian/control.firebird.in: fix substvar: s/server/engine/
+  * debian/libreoffice-common.maintscript: remove apparently unneeded quotes
+    which now breaks at dpkg-maintscript-helper call... (closes: #844683)
+
+1:5.3.0~alpha1-1 [Thu, 20 Oct 2016 15:46:34 +0200] Rene Engelhard <rene@debian.org>:
+
+  * New upstream alpha release
+    - fixes typo in VCL.xcu; s/Tino/Tinos/ (closes: #834580)
+    - fixes (experimental) Gtk print dialog crash (closes: #839701)
+    - fixes copy paste cells between two tables of two documents with Gtk3
+      (closes: #834622)
+    - fixes tooltips when dragging/filling cells with Gtk3 (closes: #831977)
+
+  * debian/control.{lang,help}.in: use ${help-l10n-virtual-version} as
+    versioned Provides
+  * debian/rules, debian/control.transitionals.in: remove jessie->stretch
+    transitionals again
+  * debian/rules, control.gcj.in: cleanup:
+    - remove support for gcj (and thus building -gcj "native") completely;
+      removed upstream; and also openjdk-9 apparently will drop support for
+      source/target 1.5 (which gcj only supports) and gcc-7 apparently even
+      will drop gcj, too
+      (also the officeotron/odfvalidator stuff fails because due to the java-gcj
+      in the path for safety reasons it picks up gcj..)
+    - use java6_architectures for computing OOO_JAVA_ARCHS
+  * debian/copyright: add schema/*/* to Files-Excluded: :/
+  * debian/uno-libs3.symbols: update
+  * debian/rules:
+    - bump dh compat to 10
+    - re-enable firebird (closes: #841253)
+
+1:5.2.7-1+deb9u11 [Fri, 06 Sep 2019 11:53:15 +0200] Rene Engelhard <rene@debian.org>:
+
+  * debian/patches/expand-pyuno-path-separators.diff.
+    debian/patches/construct-final-url-from-parsed-output.diff,
+    debian/patches/an-absolute-uri-is-invalid-input.diff,
+    debian/patches/Improve-check-for-absolute-URI.diff,
+    debian/patches/Improve-check.diff: add from
+    libreoffice-6-3(-0,-1) branch - more fixes...
+    (CVE-2019-9854/CVE-2019-9855)
+

<http://piuparts.knut.univention.de/4.4-9/#8823948148225707108>
Comment 2 Iván.Delgado univentionstaff 2024-05-28 08:42:11 CEST
OK: bug
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts
 Freexian ships dbgsym packages and new packages

[4.4-9] 3353eda841 Bug #57340: libreoffice 1:6.1.5-3~deb9u3
 doc/errata/staging/libreoffice.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

[4.4-9] 68a19b7f23 Bug #57340: libreoffice 1:6.1.5-3~deb9u3
 doc/errata/staging/libreoffice.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
Comment 3 Iván.Delgado univentionstaff 2024-05-29 12:32:00 CEST
<https://errata.software-univention.de/#/?erratum=4.4x1578>