Package: qa.debian.org
I accidentally discovered that [EMAIL PROTECTED] acts as a mail
amplifier. A single message to [EMAIL PROTECTED], containing lots of
commands of the form
subscribe ada-mode
subscribe apache2
subscribe asterisk
...
causes a mail message to be sent for each of these
tag 341227 confirmed upstream
forwarded 341227 http://rt.cpan.org/NoAuth/Bug.html?id=8576
thanks
* Martin Zobel-Helas:
there seems to be a typo in @EXPORT_OK of
/usr/share/perl5/Algorithm/Diff.pm. It should be LCSidx, not LCDidx,
as the function is called LCSidx
Thanks. This has been
Package: mozilla-firefox
Version: 1.4.99+1.5rc3.dfsg-1
Severity: normal
When starting Firefox after an upgrade from 1.0.7 for the first time,
Firefox does not show the usual local Debian start page, but some
Google page.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of
* Sven Mueller:
http://www.dyadsecurity.com/webmin-0001.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341394
If this is considered a possible remote root compromise, the spampd bug
I reported a while ago to [EMAIL PROTECTED] (see also bug
#332259) is also a possible remote
* Justin Pryzby:
#295211 manpages-dev is more recent than GNU libc.
Does this bug still apply?
Yes. For example, exit_group is documented in a manual page, but not
yet supported by the current libc version.
* Michel Quercia:
like this ?
--
# loop body to unroll. code size = 24 bytes
# enter with eax = edx = first digit of a, CF = 0
#undef BODY
#define BODY(x,y,z) \
adcl
* Michel Quercia:
I don't know how to make a patch. Is this ok ?
It is.
--- 985,991
#define BODY(x,y,z) \
adcl x(%ebx,%ecx,4), %eax; \
!/* movl y(%esi,%ecx,4), %edx */ .byte 0x8B, 0x54, 0x8E, y; \
movl %eax, x(%edi,%ecx,4); \
!/* adcl
tag 335881 patch
thanks
* Michel Quercia:
Florian Weimer wrote:
You must also byte-code the final movl instruction, I'm afraid:
Sorry. Attached is the new diff file (with respect to the original 0.21
source).
Thanks a lot. I can confirm that this patch applies to the Debian
package
* Martin Quinson:
So, I reopen this bug just to leave the discussion open and see what
happens. In my opinion, this is an unfixable bug. Whatever we do in login to
prevent it could be done by an attacker, too. But I may well be wrong.
One approach is a secure attention key:
Package: postgresql-common
Version: 7
Severity: normal
The postgres user is created with home directory /home/postgres, which
does not exist.
* Martin Pitt:
Florian Weimer [2005-05-11 11:49 +0200]:
Package: postgresql-common
Version: 7
Severity: normal
The postgres user is created with home directory /home/postgres, which
does not exist.
Right, it is not supposed to be created. postgres is a system user
which owns
Package: postgresl-8.0
Version: 8.0.2-1
Severity: grave
Tags: security
Justification: user security hole
The server creates a socket in /tmp, which is unsafe. Any local user
can create a similar socket and impersonate the database server.
This bug also breaks backwards compatibility with old
* Martin Samuelsson:
About patching upstream, they state in their FAQ that they will not
accept additions to scp. However if implementing it in sftp it might
have a chance to get in.
http://www.openssh.org/faq.html#2.10
The draft standard they mention is nowhere to be found.
It's
* Teddy Hogeborn:
In (libc)Socket-Level Options, SO_RCVBUF is documented as having a
type size_t. In Linux, it is of type int. The man page socket(7)
does not say what type it is. The same goes for SO_SNDBUF.
According to the kernel and Stevens, it's indeed an int. So the
documentation
Package: ghc6-doc
Version: 6.4-3
Severity: normal
The file /usr/share/doc/ghc6-doc/html/index.html references to the
compiler documentation, but it is not included in the package.
* Alasdair McWilliam:
Change to:
AC_CHECK_FUNCS([times index rindex setlinebuf va_copy __va_copy])
va_copy is a macro, so this check won't work reliably.
On Debian, it's safe to use va_copy unconditionally because it's part
of GCC's stdarg.h header.
* Marc Haber:
+#if defined(__GNUC__) || (defined(__powerpc__) defined(__FreeBSD__))
#define VA_COPY __va_copy
+#elif defined(__powerpc__) defined(__NetBSD__)
+#define VA_COPY va_copy
#else
#define VA_COPY(x, y) x = y
#endif
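Review bot: the added `#if` line is missing an operator between its two `defined()` tests; `(defined(__powerpc__) defined(__FreeBSD__))` is not a valid preprocessor expression, and the added `#elif defined(__powerpc__) defined(__NetBSD__)` line has the same gap. Presumably `&&` was intended in both places, e.g. `#if defined(__GNUC__) || (defined(__powerpc__) && defined(__FreeBSD__))`; as written the patch will not preprocess.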
Would that be ok with both of you?
__va_copy is provided
Package: manpages-dev
Version: 2.02-2
Severity: normal
Please document that the res_search function return the *actual* length
of the response, which may be greater than the length of the supplied
buffer.
See this message below. Recent OpenLDAP versions will recover
automatically, as needed.
Rumor has it that Berkeley DB 4.4 will offer similar functionality,
too.
From: Howard Chu [EMAIL PROTECTED]
Subject: Re: Force single thread of control during recovery
Newsgroups: comp.databases.berkeley-db
* Michal Pasternak:
I vote for this bug. Without wrapper scripts it is pretty hard (and, from a
practical point of view: _impossible_) to use a subversion repository, as
everything breaks, due to wrong chmod.
Please investigate the FSFS backend, with proper directory permissions
(i.e. GID
* Sven Luther:
I guess sparc-*-* should be changed to sparc*-*-*, and we can then
close this bug.
But why does the host triplet not match sparc*-*-*?
Package: mutt
Version: 1.5.11-4
When I quit mutt after the mailbox has been externally modified (and
all messages in it have been deleted), mutt crashes with a GNU libc
error message:
-*-Mutt: ~/Mail/INCOMING/mail.misc [Msgs:1]---(threads/date)(all)---
Writing messages... 0 (0%)***
* Daniel Kobras:
tag 345238 + patch
thanks
On Fri, Dec 30, 2005 at 02:19:27PM +0100, Florian Weimer wrote:
With some user interaction, this is exploitable through Gnus and
Thunderbird. I think this warrants increasing the severity to
grave.
Here's the vanilla fix from upstream SVN
* Marc Haber:
debsecan complains
invalid version 1.2.9-1~zg1 of package $PACKAGE
The version is, however, correct. This should be fixed.
How? Is there an official description of the ~ semantics?
Package: wine
Version: 0.9-1
Severity: grave
Tags: security
H D Moore mentioned that Wine contains vulnerable code similar to
Microsoft Windows:
http://lists.immunitysec.com/pipermail/dailydave/2006-January/002806.html
The fix seems to be to remove that case label.
* Marc Haber:
On Fri, Jan 06, 2006 at 10:55:28AM +0100, Florian Weimer wrote:
* Marc Haber:
debsecan complains
invalid version 1.2.9-1~zg1 of package $PACKAGE
The version is, however, correct. This should be fixed.
How? Is there an official description of the ~ semantics?
I didn't
* Nathanael Nerode:
There are no packages in etch which depend on any of the db2 packages.
In unstable, there are only htdig, qtstalker, and libdb2-ruby. qtstalker
is being converted to libdb4 upstream, and libdb2-ruby isn't actually used
by anything else. htdig appears to be unmaintained.
* Ralf Stubner:
| All rights reserved. No part of this publication may be reproduced,
| stored in a retrieval system, or transmitted in any form or by any
| means, electronic, mechanical, photocopying, recording or otherwise,
| without prior written permission of the publisher.
(from
Package: max-db
Version: 7.5.00.19-1
Severity: serious
The HTML documentation has apparently been generated by a tool called
SAP Html Export:
<!-- Exported by SAP Html Export 70.0 at 19.10.2004 01:58:23 -->
This means that these HTML documents are not the preferred form of
the work for making
* Gustavo Franco:
I think we can inform about PTS and remove Google direct reference as in
the following message:
The PTS seems to have stopped updating, too. 8-(
* Marc Haber:
What happens if there are multiple ~?
They are processed in order.
dpkg --compare-versions handles ~ correctly.
And APT? Does it behave differently? (There are differences between
the two in the area of epoch handling.)
I'm going to add something like the following:
-
The following packages have unmet dependencies:
ocaml: Depends: ocaml-nox-3.08.3
E: Broken packages
I get this from my mirror regularly. It occurs because the
package index is downloaded first .. but the packages come later.
No, this has to be something else, I'm afraid. Missing
* Paul Richards:
Attempting to install 'ocaml' on current debian stable fails due to
broken packages.
The following packages have unmet dependencies:
ocaml: Depends: ocaml-nox-3.08.3
E: Broken packages
What does apt-get install ocaml-nox print, or apt-get install
ocaml-nox-3.08.3?
* Steve Kemp:
A DSA has just been released for smstools due to an insecure
usage of syslog in the logging code.
Please mention the CVE name CVE-2006-0083 in the changelog when fixing
this bug.
* Frank Küster:
Florian, are you on a general search for non-free docs, and looking at
more files in tetex-doc? Then please also send a Debbugs-Cc to
[EMAIL PROTECTED] (Woeful copyright file).
I'm aware of that bug report, but think of it as a separate matter
(especially the tex.web status
* Frank Küster:
#218195 is about the woeful copyright file, not the woeful copyright of
a particular file... What we really need to do is to sort out which
parts of teTeX are under which license, and document that clearly (and
remove if necessary), and to that end collecting information
Package: ocaml-mode
Version: 3.09.1-1
Please enable ocaml-mode for emacs-snapshot (two edits are required in
the install/ocaml-mode file). Basically functionality works, so there
does not seem to be any reason to disable it.
(Please consider enabling font-lock support by default, too.)
* Frank Küster:
It also seems that there are some buffer overflows in 3.00 that do not
have any tests, e.g. in XRef.cc, line 391 after patch-CAN-2004-0888 has
been applied. Or is such a check
if (newSize < 0) {
goto err1;
}
enough to detect an integer overflow, because
* Steve Kemp:
My ff did not crash, but it ate really much cpu-time when I tested a
slightly modified version of the javascript.
Not a security issue, just a DOS attack.
Mozilla.org does not regard DOS attacks as security issues, so we cannot
either.
Even if the browser cannot be
* Frank Küster:
Would
if (nTiles >= INT_MAX / sizeof(JPXTile)) {
error(getPos(), "Bad tile count in JPX SIZ marker segment");
return gFalse;
be okay?
It might still be a DoS issue, I think. Allocating arbitrary amounts
of memory upon user request is usually a bad idea.
* Mike Furr:
So I reassigned 332902 to binutils and merged them. IMO, adding that
option to all of OCaml is a bad idea based on the notes in the gcc manpage:
Only use these options when there are significant benefits from
doing so. When you specify these options, the assembler and
* Frank Küster:
The function that is called in *tetex-bin* is not gmallocn, but gmalloc
- it's based on xpdf 3.00, not 3.01, and this is the very reason why I
need to check for an overflow in nTiles * sizeof(JPXTile).
Sure, I wanted to explain why this is not sufficient. It should be
* Mike Hommey:
Even if the browser cannot be restarted after the attack has been
carried out? The impact of this bug is slightly different from other
crash bugs.
Are you sure the firefox process was not still running ? That would
explain the browser not being able to restart...
According
* Martin Pitt:
- For invalid (big) positive values of nObjs which, when multiplied with nObjs
overflow an int, we have two cases:
But neither ISO C nor GNU C make any promises regarding this case.
Overflow is undefined, period.
You can pass -fwrapv to gcc if you want modulo arithmetic for
* Martin Pitt:
Hi Florian!
Florian Weimer [2005-12-09 11:53 +0100]:
* Martin Pitt:
- For invalid (big) positive values of nObjs which, when multiplied with
nObjs
overflow an int, we have two cases:
But neither ISO C nor GNU C make any promises regarding this case.
Overflow
* Ola Lundqvist:
As I understand this article at gmane.org, this is an IE bug. Fixing this
in horde does not have much effect, as it is just as simple to trigger this
bug in any html page anywhere else.
But these HTML pages cannot retrieve session authentication
information from IMP. In the end,
* Julien Cristau:
ocaml FTBFS on hppa with the following error (from the build log):
../../ocamlcompopt.sh -warn-error Ay -I ../camlp4 -I ../boot -c -impl
pa_o_fast.ppo
[...]
/tmp/camlasm6f9a2e.s: Assembler messages:
/tmp/camlasm6f9a2e.s:97621: Error: Field out of range [-262144..262143]
* Florian Weimer:
This looks indeed like a GAS bug (or a miscompilation of GAS). The
branch target is only a few hundred instructions away, so it should be
reachable using a BL instruction.
I was wrong, this is not a real GAS bug. (See the binutils list for a
discussion.) The object file
* Matthew Vernon:
Dec 1 21:37:40 mpiblaster kernel: HighMem: empty
Dec 1 21:37:40 mpiblaster kernel: Swap cache: add 0, delete 0, find 0/0,
race 0+0
Dec 1 21:37:40 mpiblaster kernel: Out of Memory: Killed process 19833
(sshd).
While infinite recursion is certainly an error
* Justin Pryzby:
tag 309599 moreinfo
thanks
Does this bug still apply? The relevant section says:
The res_query(), res_search(), res_querydomain(),
res_mkquery() and res_send() functions return the length
of the response, or -1 if an error occurs.
Which
Package: libdb4.4
Version: 4.4.16-1
Tags: patch upstream
If DBC->c_get is invoked with two DBTs with the DB_DBT_USERMEM flag,
and the flag is DB_NEXT, and the key DBT is too small, and the value
in the database is empty, DBC->c_get returns a DB_BUFFER_SMALL error
code *and* advances the cursor.
* alex bodnaru:
on the other hand, etch and sid can resolve the host
only if I suffix the host name with `.', but the host
can resolve the uml address.
I'm sorry, but this can only be investigated if you provide the actual
domain names involved.
Upstream has responded; they won't fix this, and they no longer
maintain the native code compiler on HPPA. I suggest to disable it in
the Debian package.
Package: apache
Tags: security upstream
Severity: important
Upstream reports a cross-site scripting issue in Apache:
http://issues.apache.org/bugzilla/show_bug.cgi?id=37874
Impact does not seem to be substantial (rather obscure module,
specific configuration required, only clients running IE
Package: apache2
Tags: security upstream
Severity: important
Upstream reports a cross-site scripting issue in Apache:
http://issues.apache.org/bugzilla/show_bug.cgi?id=37874
Impact does not seem to be substantial (rather obscure module,
specific configuration required, only clients running IE
Package: gst-ffmpeg
Tags: security
Severity: grave
The package embeds a local copy of libavcodec, which is vulnerable to
CVE-2005-4048:
http://article.gmane.org/gmane.comp.video.ffmpeg.devel/26558
http://mplayerhq.hu/pipermail/ffmpeg-cvslog/2005-December/000979.html
Please check if it is
* Wichert Akkerman:
debug1: Remote protocol version 2.0, remote software version mpSSH_0.0.1
debug1: no match: mpSSH_0.0.1
Find out what (Open)SSH version this actually is, we can then add a
regexp to set the proper compatibility flags.
* Wichert Akkerman:
Previously Florian Weimer wrote:
* Wichert Akkerman:
debug1: Remote protocol version 2.0, remote software version mpSSH_0.0.1
debug1: no match: mpSSH_0.0.1
Find out what (Open)SSH version this actually is, we can then add a
regexp to set the proper compatibility
* Thijs Kinkhorst:
For the testing (etch) and unstable distribution (sid) this problem has
been fixed in version 0.9.8-5.
close 335997 0.9.8-4
-4 or -5?
* Nelson A. de Oliveira:
While running debsecan, it's finishing with this error:
ValueError: invalid Debian version string
Could you send me a compressed copy of your /var/lib/dpkg/status
file? It probably contains some funny version string.
tag 344106 confirmed
thanks
* Nelson A. de Oliveira:
Could you send me a compressed copy of your /var/lib/dpkg/status
file? It probably contains some funny version string.
Attached. :-)
The following entry is the culprit:
Package: amsn
Status: install ok installed
Priority: optional
* Amaya Rodrigo Sastre:
[EMAIL PROTECTED]debsecan-create-cron --suite sid
/usr/sbin/debsecan-create-cron: cron file /etc/cron.d/debsecan created.
debsecan-create-cron only takes a single argument, and copies to the
cron job. I admit it's confusing, and I'm going to add a check to
reject funny
* Yaroslav Halchenko:
now you've got an active user/tester thus you might get an increase
in the amount of bug reports :-)
Thanks.
On my first try of the package I've decided to do full system
security upgrade, so I ran
apt-get install $(debsecan --suite sid --format packages
* Luca Capello:
I'm in the process of debianizing some CL software [1] and I have the same
problem as bug #328423: some extra features of the package need other
packages to be installed, so I don't know if the package should use
Suggests or Recommends.
Use Recommends: if the functionality added
retitle 336342 Clarify permitted epoch values
thanks
* Florian Weimer:
Package: debian-policy
Version: 3.6.2.1
Severity: normal
In section 5.6.12, the permitted epoch values are not specified
precisely. Large epochs tend to cause problems for some tools, for
example dpkg, whose behavior
* Lionel Elie Mamane:
Please investigate this before uploading to Debian.
Or alternatively, depend on the bible-kjv-text package, which already
is in main.
Could you show us your TWiki.cfg file, please?
* Hilko Bengen:
db_query uses sprintf to replace placeholder expressions if passed
more than one argument and it seems to me that using %s does the same
thing as PHP's string expansion as in 4.5.3.
What about SQL injection? Doesn't db_query protect against it, while
PHP's string expansion
* Hilko Bengen:
Do you have any idea how the $key parameter to sess_destroy
(includes/session.inc) is generated?
It seems as if drupal uses the value generated by PHP, which would
mean that it's not exploitable for SQL injection, but I'm not sure.
* Dave Love:
Yes, please turn off the default persistent caching of hosts (at
least). I think this should also be done upstream. It can lead to
lockout of logins in an obscure fashion -- at least it did on Fedora
systems running what appears to be the same version of nscd with the
same
* Yaroslav Halchenko:
Please feel free to close the bug :-)
I'm afraid the other problematic packages you reported are real. So
let's keep this bug open.
Hi,
would you please answer Joey's question if these security fixes have
been applied in the ssh-krb5 package?
Thanks,
Florian
* Clint Adams:
But you wouldn't object to a patch in principle, right?
Nope.
There seems to be a problem: The on-disk lock region format changes.
This means that it's not worth the trouble, I guess.
tags 344976 confirmed pending
thanks
* Nelson A. de Oliveira:
Today while upgrading debsecan to version 0.3.2, I saw this error:
Setting up debsecan (0.3.2) ...
/var/lib/dpkg/info/debsecan.config: 30: arith: syntax error: STATE + 1
dpkg: error processing debsecan (--configure):
subprocess
* Zlatko Calusic:
Package: debsecan
Version: 0.3.2
Severity: normal
I'm getting emails like this every hour:
Traceback (most recent call last):
File "/usr/bin/debsecan", line 875, in ?
rate_system(target, options, fetch_data(options), history)
File "/usr/bin/debsecan", line 798, in
tag 344996 confirmed
thanks
* Zlatko Calusic:
This means that your /var/lib/dpkg/status file contains some invalid
data. I'll investigate it if you can send me a compressed copy.
Interesting, I'll send you a copy off-list to help you debug it, sure.
The culprit is:
Package: nerolinux
Package: libdb4.4
Version: 4.4.16-3
Tags: upstream patch
The patch below (from Keith Bostic/Sleepycat, posted to the
comp.databases.berkeley-db newsgroup) fixes a problem with DB_REGISTER
support. I'm not yet sure if this fixes my problem mentioned on the
pkg-db mailing list, but I hope so.
Package: imagemagick
Version: 6.2.4.5-0.3
Tags: security
The delegate code in Imagemagick is vulnerable to shell command
injection, using specially crafted file names:
$ cp /usr/lib/openoffice/share/template/en-US/wizard/bitmap/germany.wmf \
' ; echo Hi! 2; : '.gif
$ display ' ; echo Hi! 2; :
* Cyril Bouthors:
[EMAIL PROTECTED]:~# debsecan --only-fixed --suite sarge
CVE-2005-0034 libdns11 (fixed, remotely exploitable, obsolete)
obsolete means that a package of that name is no longer available
from the archive. The
* Cyril Bouthors:
ii proftpd 1.2.10-15sarge1.0.1 Versatile, virtual-hosting FTP daemon
Ah, this version has been binary-NMUed, and I didn't think about that.
I think I've fixed the server-side data generation (it's r3179 in the
secure-testing repository, for future reference). No client-side
severity 345238 grave
thanks
With some user interaction, this is exploitable through Gnus and
Thunderbird. I think this warrants increasing the severity to
grave.
tag 345469 -security
merge 340283 345469
thanks
* Joey Hess:
This web page, which was originally developed as a proof of concept for
a different security hole in MSIE, makes firefox spin, consuming cpu and
being completely unresponsive to user input until killed.
* Cyril Bouthors:
This sounds like an interesting application. If you find the output
format too difficult to parse, I can add yet another one to
accommodate your needs.
The most important thing is the return code. After a quick overview,
it seems that debsecan is unconditionally
* Cyril Bouthors:
On top of that, libcurl3 is not listed as obsolete and is not fixed
nor vulnerable:
web8:~# debsecan --only-fixed --suite sarge | grep -v obsolete
CVE-2005-4077 libcurl3 (fixed, medium urgency)
web8:~# apt-get install libcurl3
libcurl3 is already the newest version.
* Cyril Bouthors:
By the way, I have those very old packages installed on a machine that
are not reported by debsecan and I guess they have many security
issues:
kernel-image-2.4.24-1-686 install
kernel-image-2.4.25-1-686-smp install
* Cyril Bouthors:
On 30 Dec 2005, Florian Weimer wrote:
obsolete means that a package of that name is no longer available
from the archive.
I think it shouldn't appear with --only-fixed because obsolete
packages are not fixed. What do you think?
I disagree because --only-fixed
* Cyril Bouthors:
/etc/cron.d/debsecan should be owned by the package
[EMAIL PROTECTED]:~$ dpkg -S /etc/cron.d/debsecan
dpkg: /etc/cron.d/debsecan not found.
Please add it to debian/conffiles.
As far as I understand Policy, the current approach is explicitly
permitted.
Why do you want me
Package: tetex-doc
Version: 3.0-11
Severity: serious
The license is clearly non-free:
| All rights reserved. No part of this publication may be reproduced,
| stored in a retrieval system, or transmitted in any form or by any
| means, electronic, mechanical, photocopying, recording or otherwise,
retitle 345238 [CVE-2005-4601] Shell command injection in delegate code (via
file names)
thanks
This issue has been assigned CVE-2005-4601. Please mention this
identifier in the changelog when fixing this bug.
* Norbert Preining:
+ fd = open (name, O_CREAT|O_EXCL|O_WRONLY, 0666);
0600? 0666 might lead to an information leak.
@@ -1615,14 +1626,15 @@
/* Return a newly-allocated string concatenating S1 and S2. */
This comment is outdated after the patch.
* Sven Mueller:
I created a fixed package (actually two: one for sid/etch and one for
sarge), available at https://mail.incase.de/spampd/sarge-security/
respectively at https://mail.incase.de/spampd/sid/ (until my sponsor
finds the time to upload the latter to sid). Personally, I'm
Note that according to the Ubuntu advisory, this bug might also be
present in the koffice-libs package.
* Debian Bug Tracking System:
This is an automatic notification regarding your Bug report
#318099: lsb-rpm: [CAN-2005-2096] statically linked copy of zlib,
which was filed against the lsb-rpm package.
How was it fixed? Is zlib still being linked statically?
* Florian Ragwitz:
* URL : http://dnspython.org
It's http://www.dnspython.org/.
If I understand the Python policy correctly, the package should be
called python-dns.
The CVE project has assigned the name CVE-2005-3299 to this
vulnerability. Please mention it in the changelog when uploading
fixed packages.
The CVE project has assigned the name CVE-2005-3300 to this
vulnerability. Please mention it in the changelog when uploading
fixed packages.
Package: phpmyadmin
Version: 4:2.6.4-pl2-1
Severity: important
Tags: security
See upstream's announcement PMASA-2005-5:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-5
This set of issues is being tracked as CVE-2005-3301. Please mention
this name in the changelog when
* Adam Conrad:
As for rebuilding with libdb4.3, I've committed the changes required to
do this to SVN, and tested packages, and they seem fine. Someone should
probably write a nice NEWS.Debian entry telling people that they need to
do repository upgrades of one sort or another (dump/load,
* Andres Salomon:
Is there some reason you don't want to simply conflict w/ the GNU
Interactive Tools package? You could provide up-to-date cogito/git-core
packages for use while working w/ the GIT people to rename their
project...
Policy explicitly forbids this, in section 10.1.
* Flavio Grossi:
without problems, but if I try to compile in native code I get
$ ocamlopt -I +sqlite sqlite.cmxa test.ml
/usr/lib/ocaml/3.08.3/sqlite/libsqlite.a(sqlite_stubs.o): In function
`raise_sqlite_error':
: undefined reference to `sqlite_freemem'
Could you show us the output of