Backport brotli 1.0.3 to Ubuntu 16.04 LTS

Bug #1795077 reported by Jeremy Bicha on 2018-09-28
Affects Status Importance Assigned to Milestone
brotli (Ubuntu)
Jeremy Bicha

Bug Description

Note to SRU Team
This update adds a new binary package: libbrotli1

We need libbrotli1 and libbrotli-dev promoted to main. python-brotli and python3-brotli can remain in universe.

The approved MIR which mentions this will be done is LP: #1737053

webkit2gtk 2.20, released in March 2018, dropped its embedded brotli and woff2 libraries to use the system libraries. Because that version is a security update, webkit2gtk has not had support for woff2 web fonts since then in Ubuntu 16.04 LTS.

The version of brotli in Ubuntu 16.04 LTS is too old to support webkit2gtk, so we are backporting the version from Ubuntu 18.04 LTS.

Test Case
1. Verify that woff2 is able to build successfully against brotli.

2. Build webkit2gtk against woff2 and verify that woff2 fonts appear to work on web sites.

Regression Potential
brotli has no reverse dependencies in Ubuntu 16.04 LTS.

The new version is substantially more usable since it now offers a C library instead of just the Python bindings.

This version also introduces a basic autopkgtest to ensure basic use of the Python bindings works. There are also build tests.

Other Info
brotli is also used by apache2 in Ubuntu 18.10.

The woff2 SRU for Ubuntu 16.04 LTS is LP: #1795094

Jeremy Bicha (jbicha) on 2018-09-28
Changed in brotli (Ubuntu):
status: New → Fix Released
importance: Undecided → Medium
Changed in brotli (Ubuntu Xenial):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jeremy Bicha (jbicha)
Jeremy Bicha (jbicha) on 2018-09-28
description: updated
Jeremy Bicha (jbicha) on 2018-09-29
description: updated

Hello Jeremy, or anyone else affected,

Accepted brotli into xenial-proposed. The package will build now and be available at in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in brotli (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Jeremy Bicha (jbicha) wrote :

I used rmadison -S to verify that the xenial-updates main and universe components were correct for brotli.

I verified that my proposed woff2 SRU builds fine in my xenial sbuild that uses xenial-proposed.

And the brotli autopkgtests pass.

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package brotli - 1.0.3-1ubuntu1~16.04.1

brotli (1.0.3-1ubuntu1~16.04.1) xenial; urgency=medium

  * Backport from Ubuntu 18.04 LTS. This updated version is required for
    woff2 support in webkit2gtk. (LP: #1795077)
  * Lower debhelper compat to 9

brotli (1.0.3-1ubuntu1) bionic; urgency=medium

  * Apply pull requests #651, #656 to fix alignment issues on armhf.

brotli (1.0.3-1) unstable; urgency=medium

  * New upstream version 1.0.3
  * Drop obsolete patches

brotli (1.0.2-3) unstable; urgency=medium

  [ Jeremy Bicha ]
  * Use dh_missing --fail-missing (Closes: #888950)

  [ Tomasz Buchert ]
  * d/copyright: remove appveyor path (Closes: #888947)
  * Bump debhelper compat to 11

brotli (1.0.2-2) unstable; urgency=medium

  * Upload to unstable

brotli (1.0.2-1~exp0) experimental; urgency=medium

  * New upstream version 1.0.2
  * Updated std-ver to 4.1.0 (no changes needed)

brotli (1.0.0-1~exp0) experimental; urgency=medium

  * New upstream version 1.0.0
  * d/*: migrate 0.6.0 to 1.0.0
  * d/symbols: fix symbols file (Closes: #870831)
  * d/patches: refresh
  * Upload to experimental

brotli (0.6.0-2~exp0) experimental; urgency=medium

  [Tomasz Buchert]
  * d/gbp.conf: remove obsolete gbp.conf
  * d/control: add Ondřej to Uploaders
  * debian: provide shared libs pkgs
  * d/control: bump Standards-Version to 4 (no changes needed)

  [Ondřej Surý]
  * Use SOVERSION in libbrotli package name and add symbols file
  * Rewrite as autopkgtests
  * Upload to experimental
  * Add missing cmake to Build-Depends
  * Fix libbrotli0.6.0.symbols to refer to correct package
  * Add lintian override for amalgated libbrotli0.6.0 package

brotli (0.6.0-1) unstable; urgency=medium

  * d/*: debhelper 10 and uscan 4
  * New upstream version 0.6.0

brotli (0.5.2+dfsg-2) unstable; urgency=medium

  * Make object list deterministic (Closes: #845780)

brotli (0.5.2+dfsg-1) unstable; urgency=medium

  * Imported Upstream version 0.5.2+dfsg (Closes: #842016)
  * Update debian/rules to use new build system

brotli (0.4.0+dfsg-1) unstable; urgency=medium

  * Imported Upstream version 0.4.0+dfsg
  * Bumped Standards-Version to 3.9.8 (no changes needed)

brotli (0.3.0+dfsg-3) unstable; urgency=medium

  [ Raúl Benencia ]
  * Fixes for CVE-2016-1968 and CVE-2016-1624 (Closes: #817233)

  [ Tomasz Buchert ]
  * Bump Standards-Version to 3.9.7 (no changes needed)

 -- Jeremy Bicha <email address hidden> Fri, 28 Sep 2018 17:36:57 -0400

Changed in brotli (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for brotli has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
