Bug#399656: about:iceweasel still shows firefox

2006-11-21 Thread Michael Gilbert

severity 399656 serious
thank you

this bug is a serious policy violation because the term firefox
itself is now non-free.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#369508: Fwd: FTBFS due to gfortran

2006-05-31 Thread Michael Gilbert

i think these error messages are indicating that the line at 24 is
within a DO block, whereas the GOTO at 18 is external to the DO.
similar with the line at 25. gfortran may be more strict about these
conditions than g77.  you probably need to rewrite the algorithm so it
doesn't rely on unsafe logic.  hope this helps.

mike

On 5/31/06, Dirk Eddelbuettel [EMAIL PROTECTED] wrote:


deb-science'rs,

Anybody here who could help me with a Fortran problem?

I cannot compile one (old) routine in the source package fmultivar with
gfortran:

[EMAIL PROTECTED]:~/src/debian/CRAN/fMultivar-221.10065/src$ gfortran -c 46C-OutlierDetection.f
[...]
 In file 46C-OutlierDetection.f:79

18GOTO (21,22,23,24,25), KSKIP
  2
Error: Label at (1) is not in the same block as the GOTO statement at (2)
 In file 46C-OutlierDetection.f:113

25  SUMK=SUMK+FBL
 1
 In file 46C-OutlierDetection.f:79
[...]

I fudged the original bug (#369003) in debian/rules by compiling this file
only with f2c, but as two other packages depend on fmultivar (binary:
r-cran-fmultivar) I now seem to have hit a FTBFS (#369508) on amd64 for one
of the users of r-cran-fmultivar even though it all works out in pbuilder on
my i386.  Upstream, while notified, has been silent so far ...

Help would be appreciated.

Dirk

--
Hell, there are no rules here - we're trying to accomplish something.
  -- Thomas A. Edison










Bug#502140: Could this bug be related to the pam upgrade?

2008-10-20 Thread Michael Gilbert
 The one thing I would note is that, in the rare case that there are no
 system-level daemons running on your system that use PAM, the message will
 not be shown.  Michael, before the screensaver locked up on you, did you see
 the debconf warning that Christian quotes above?

I do not recall seeing any warnings or dialogs.  I followed the
instructions (almost) as posted:  I changed my sources.list to lenny
and installed apt, dpkg, and aptitude.  Then I ran apt-get
dist-upgrade rather than aptitude upgrade.  Then I let the download
start and left the computers.  When I came back I was unable to log
in.

 If not, what services do
 you have installed on your system?  (Even at, cron, cups, gdm, or samba
 should trigger display of this message.)  And what debconf settings did you
 use when running the upgrade?

I'm running cups and gdm.  I'm not sure what debconf settings I
used...  I'm guessing I used the defaults?

 If this is the cause of the problem, then we could address that by either:

 - having libpam-modules pre-depend on libpam0g (>= 0.99.7.1), forcing the
   question to be displayed before libpam-modules is unpacked

 or

 - adding a separate debconf question about screensavers only, shown in the
   package preinst advising the user to disable their screen lock for the
   duration of the upgrade.

As a user, I would prefer the first of the two solutions.  As long as
I can log in when I come back to the computer and have that dialog
waiting, I would be content.  Otherwise there are going to be a lot of
people (that don't have the patience to read instructions) that will
get locked out and be ticked off.  This is one of those issues that
the reviews will bitch and moan about.  If this problem can be dealt
with now, before the release, then it should.






Bug#418462: mailman: Fails to upgrade from Sarge to Etch

2008-10-20 Thread Michael Gilbert
tag 418462 moreinfo help
thank you

should this really be a release-critical issue for lenny?  it's rather
late in the game to fix an upgrade failure for sarge -> etch.
however, if it still exists for etch -> lenny, then it should be
fixed.  otherwise, i believe that this report should be closed.

submitter, can you ascertain whether this is a problem for etch -> lenny?






Bug#502976: severity

2008-10-26 Thread Michael Gilbert
found 502976 0.98.3-4
found 502976 0.98.1-1+lenny3
thank you

i just tested the version in testing-proposed-updates.  the problem
does exist there as well.






Bug#449497: [Foo2zjs-maintainer] Bug#449497: TC proposal for dispute

2008-10-27 Thread Michael Gilbert
the paragraph for the technical committee seems like a very good
start.  however, i request the following rewrite of the fourth
sentence:

The submitter sees the getweb script's dependencies on external
data/files as potentially dangerous.  Once the package enters stable,
upstream changes (moving/modifying files, etc.) can break
functionality -- leading to a package that can no longer be considered
stable.  External dependencies also potentially leave users
vulnerable to security risks (the upstream site could be spoofed or
hijacked and malicious files hosted instead of the legitimate firmware
files).  Also, the submitter views external dependencies as a possible
violation of the spirit of the debian policy, which currently is not
explicitly clear on the issue.  Section 2.2.1 says ... the packages
in main must not require a package outside of main for compilation or
execution (thus, the package must not declare a 'Depends',
'Recommends', or 'Build-Depends' relationship on a non-main package).
 This makes the policy clear about packages, but it does not address
dependencies on other external non-packaged non-free files.  It is the
submitter's belief that Debian's policy should be reworded for clarity
on situations such as this.

thank you for your consideration.  i apologize for being difficult,
but i believe that it is better to address the issue now, since the
impending release forces action on the matter.  i am certain that
ignoring the problem will result in no action until the next release
(1.5 years from now).  i am not willing to wait.






Bug#502140: cannot unlock screen during etch -> lenny transition

2008-10-28 Thread Michael Gilbert
if a sufficiently detailed note about this (and a recommendation to
disable the screensaver) is added to the release notes, then i believe
that this bug can be closed.  btw, where can i review the release
notes at?






Bug#502140: cannot unlock screen during etch -> lenny transition

2008-10-28 Thread Michael Gilbert
the previous suggestion also seems like it would work pretty well.
some python-like pseudocode:

while $ xscreensaver-command -exit fails (indicating screensaver active):
    present dialog indicating that an active xscreensaver was detected
    wait for user to unlock screen and respond to dialog
perform pam and xscreensaver installation
restart xscreensaver daemon






Bug#502140: cannot unlock screen during etch -> lenny transition

2008-10-28 Thread Michael Gilbert
or even better:

while $ xscreensaver-command -exit fails (indicating screensaver active):
    sleep 5 seconds
perform pam and xscreensaver installation
restart xscreensaver daemon

which eliminates any need for user intervention.
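The retry loop proposed above, written out as a POSIX sh function the way a maintainer script would carry it. This is an added example by the editor, not code from the bug report or from the pam or xscreensaver packages. It adds one thing the pseudocode leaves out: a bound on the wait, because xscreensaver-command -exit also returns non-zero when no xscreensaver daemon is reachable on $DISPLAY at all (no X session for the invoking user, DISPLAY unset in the upgrade environment), and an unbounded loop would then stall the whole upgrade. The probe command is a parameter so the function can be exercised without an X server; the function names, the flaky_probe stand-in and RUN_MAIN are assumptions for this example.

```shell
#!/bin/sh
# Added example: wait for "xscreensaver-command -exit" to succeed before
# unpacking pam/xscreensaver, but give up after a bounded number of tries.
# The probe is parameterised (default: the real command) so the function
# can be exercised with a stand-in command where no X server is present.

# wait_for_screensaver_exit DELAY MAX_TRIES [PROBE...]
#   DELAY      seconds to sleep between probes
#   MAX_TRIES  give up (return 1) after this many failed probes
#   PROBE      command to run; default "xscreensaver-command -exit"
# Returns 0 as soon as PROBE succeeds, 1 when MAX_TRIES is exhausted.
wait_for_screensaver_exit() {
    delay=$1
    max_tries=$2
    shift 2
    [ $# -gt 0 ] || set -- xscreensaver-command -exit
    tries=0
    until "$@" >/dev/null 2>&1; do
        tries=$((tries + 1))
        if [ "$tries" -ge "$max_tries" ]; then
            echo "screensaver still active after $tries probes, giving up" >&2
            return 1
        fi
        sleep "$delay"
    done
    return 0
}

# Stand-in probe for offline use (constructed): fails until a counter file
# has been bumped N times, mimicking a user who unlocks the screen later.
# flaky_probe COUNTER_FILE N
flaky_probe() {
    n=$(cat "$1" 2>/dev/null || echo 0)
    n=$((n + 1))
    echo "$n" > "$1"
    [ "$n" -ge "$2" ]
}

# Driver mirroring the proposed preinst sequence; the install and restart
# steps are left as comments because they depend on the package at hand.
main() {
    if wait_for_screensaver_exit 5 60; then
        : # perform pam and xscreensaver installation here
        : # restart xscreensaver daemon here (xscreensaver -no-splash &)
    else
        echo "could not stop xscreensaver; upgrade may lock the user out" >&2
        exit 1
    fi
}

if [ "${RUN_MAIN:-0}" = 1 ]; then
    main
fi
```

Run with RUN_MAIN=1 in a real session to use the actual xscreensaver-command probe; 60 tries at 5 seconds gives the user five minutes to unlock before the script reports failure instead of hanging.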






Bug#502976: severity

2008-10-29 Thread Michael Gilbert
i can also confirm that this problem is fixed in the
testing-proposed-updates version (0.98.1-1+lenny3).  i had mistakenly
only changed python-matplotlib (not python-matplotlib-data) to the
testing-proposed-updates version.  i realized this today and changed
both packages to this version.  plotting works fine now.






Bug#502976: severity

2008-10-29 Thread Michael Gilbert
the backend : GTKAgg solution does indeed work for the stable version.






Bug#449497: foo2zjs: getweb script depends on non-free firmware

2008-10-31 Thread Michael Gilbert
i'll go ahead and start the discussion since no one else is running
with it.  this matter is rather urgent since the problem is now being
considered release-critical for lenny.  i see three possible courses
of action:

1.  ignore the problem:  mark the bug wontfix
rationale:  the firmware fetching stuff is a small component of the
package and the debian policy is not explicitly clear on the matter
cons: leaves vector for possible security attacks and script can
become non-functional (e.g. getweb has been non-functional in over a
year in etch)

2.  fix the problem now:  either remove getweb completely or make a
separate foo2zjs-contrib package with just getweb, and have this ready
for the lenny release
rationale: since getweb is a security risk and could break, it should
be eliminated
cons: less functionality for user.  some work for the maintainer.

3.  fix the problem later: same as above, but tag lenny-ignore
rationale:  same as above, but with limited time, this is the least
path of resistance
cons: same as above, but leaves users vulnerable during the lenny time frame.

there is also the matter of whether the policy should be clarified for
this type of situation -- and whether all other cases of fetching
scripts should be tagged release-critical.  i will leave this for
further discussion since it isn't so urgent.

let me again stress that action is URGENT since this is
release-critical for lenny.

regards,
mike
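One mitigation for the spoofed or hijacked mirror scenario raised under option 1 above, as an added example by the editor (not getweb, and not anything from the foo2zjs package): the package ships a SHA-256 for each firmware file it knows about, and the fetch step installs a download only when its hash matches. The download itself (wget or curl) is left out so the functions run offline on an already-fetched file; the function names, the destination directory and the sample blobs are constructed for this example. Two caveats: a pinned hash does not help if upstream itself is compromised before the packaged hash is taken, and it turns an upstream file change into an explicit failure rather than a silently broken script, which is the behaviour one actually wants in stable.

```shell
#!/bin/sh
# Added example, not part of foo2zjs/getweb: install a fetched firmware blob
# only when its SHA-256 matches a hash pinned in the package.  The download
# itself (wget/curl) is outside this snippet; the functions take the
# already-downloaded file so they run offline.  All names are assumptions.

# verify_firmware FILE EXPECTED_SHA256
# Returns 0 when FILE exists and hashes to EXPECTED_SHA256, 1 otherwise.
verify_firmware() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    actual=$(sha256sum "$file" | cut -d ' ' -f 1)
    [ "$actual" = "$expected" ]
}

# install_firmware FILE EXPECTED_SHA256 DESTDIR
# Copies FILE into DESTDIR when the hash matches.  On mismatch the download is
# deleted so a blob from a spoofed or hijacked mirror does not stay on disk.
install_firmware() {
    file=$1
    expected=$2
    destdir=$3
    if verify_firmware "$file" "$expected"; then
        install -m 0644 "$file" "$destdir/" && return 0
        return 1
    fi
    echo "$(basename "$file"): hash mismatch, refusing to install" >&2
    rm -f "$file"
    return 1
}

# Offline demonstration with constructed data: the "pinned" hash is computed
# from a known blob standing in for the value a package would ship.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/lib"
    printf 'constructed firmware blob v1\n' > "$work/fw.dl"
    pinned=$(sha256sum "$work/fw.dl" | cut -d ' ' -f 1)

    # genuine file: installed
    install_firmware "$work/fw.dl" "$pinned" "$work/lib" || return 1
    [ -f "$work/lib/fw.dl" ] || return 1

    # same name served by a hijacked mirror: rejected and removed
    printf 'something else entirely\n' > "$work/fw.dl"
    if install_firmware "$work/fw.dl" "$pinned" "$work/lib" 2>/dev/null; then
        return 1
    fi
    [ ! -f "$work/fw.dl" ] || return 1

    rm -rf "$work"
    return 0
}
```

In a real fetch script the pinned hashes would live in a table next to the URLs, and the fetch would call install_firmware on each download rather than copying it unconditionally.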






Bug#503814: Direction on foo2zjs and web fetching scripts

2008-11-03 Thread Michael Gilbert
Dear release team,

Thank you for making a decision on the direction for bug #449497 in
foo2zjs [1].  I believe that this is a reasonable choice for now due
to the impending release.  However, I would really like to see an
honest and constructive conversation on the issue.  I believe that
there are some major security and functionality problems with fetching
scripts, and there should be clear direction from the members of the
debian project on the matter.  I would like to be able to completely
trust main, so it is my hope that developers would do everything in
their power to keep main as clean and safe as possible.  I am just a
user, so I feel powerless to do anything, and my experience dealing
with the foo2zjs maintainers was not exactly constructive [2],[3],[4]
(primarily because of apathy, over-reactiveness, and hyper sensitivity
on their part and perhaps a lack of appreciation for the bug severity
command and control authority [5] on my part).  Where do we go from
here to make sure the issue gets the appropriate level of thought and
consideration that it deserves (after lenny gets released of course)?

Best wishes,
Michael Gilbert

[1] http://lists.debian.org/debian-release/2008/11/msg00106.html
[2] http://bugs.debian.org/449497
[3] http://bugs.debian.org/503813
[4] http://bugs.debian.org/503814
[5]






Bug#503814: Direction on foo2zjs and web fetching scripts

2008-11-03 Thread Michael Gilbert
Dear release team,

Thank you for making a decision on the direction for bug #449497 in
foo2zjs [1].  I believe that this is a reasonable choice for now due
to the impending release.  However, I would really like to see an
honest and constructive conversation on the issue.  I believe that
there are some major security and functionality problems with fetching
scripts, and there should be clear direction from the members of the
debian project on the matter.  I would like to be able to completely
trust main, so it is my hope that developers would do everything in
their power to keep main as clean and safe as possible.  I am just a
user, so I feel powerless to do anything, and my experience dealing
with this issue through the foo2zjs maintainers was not exactly
constructive [2],[3],[4] (primarily because of over-reactiveness and
hyper sensitivity on their part and perhaps a lack of appreciation for
debian's bug command and control authority [5] on my part -- and of
course some good old misunderstanding and misinterpretation).  Where
do I go from here to make sure the issue gets the appropriate level of
thought and consideration that it deserves (after lenny gets released
of course)?

Best wishes,
Michael Gilbert

[1] http://lists.debian.org/debian-release/2008/11/msg00106.html
[2] http://bugs.debian.org/449497
[3] http://bugs.debian.org/503813
[4] http://bugs.debian.org/503814
[5] http://lists.debian.org/debian-ctte/2008/10/msg6.html

P.S. Please CC me on any responses since I am not subscribed to these lists.






Bug#505360: libgnutls26: CVE-2008-4989 security flaw in certificate chain verification

2008-11-11 Thread Michael Gilbert
Package: libgnutls26
Version: 2.4.2-2
Severity: grave
Tags: security
Justification: user security hole

redhat has just released an update that fixes a security flaw in gnutls [1].
the CVE page [2] indicates that the issue is currently reserved, but redhat
describes the problem as:

 Martin von Gagern discovered a flaw in the way GnuTLS verified certificate
 chains provided by a server. A malicious server could use this flaw to
 spoof its identity by tricking client applications using the GnuTLS library
 to trust invalid certificates. (CVE-2008-4989)

redhat describes this as a moderate severity issue, so i assume that this
should be tracked as medium-urgency in debian.

it is not clear which versions are affected.  the redhat updates are only
for their enterprise (rhel 5) version, which is gnutls 1.4.1.

[1] https://rhn.redhat.com/errata/RHSA-2008-0982.html
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989






Bug#492657: epiphany-webkit: not ready to be included in a stable release

2008-08-26 Thread Michael Gilbert
 No, we can only remove source + all related binary packages from testing
 and won't do it otherwise as it would be a mess with security updates or
 rebuilds...

looks like you're going to have to change the rules script so that the
epiphany-webkit binary package does not get built.






Bug#496851: yelp: does not correctly handle format strings for certain error messages

2008-08-27 Thread Michael Gilbert
Package: yelp
Version: 2.22.1-6
Severity: grave
Tags: security
Justification: user security hole

yelp is vulnerable to attacks via badly formatted strings for certain error
messages.  ubuntu recently released a fix for this problem [1].  the issue 
is described as:

  Aaron Grattafiori discovered that the Gnome Help Viewer did not handle
  format strings correctly when displaying certain error messages.  If a
  user were tricked into opening a specially crafted URI, a remote attacker
  could execute arbitrary code with user privileges.

this may or may not be related to CVE-2008-3533 [2].  this should be
considered a high-urgency vulnerability since it allows remote attackers
to execute arbitrary code.

thank you for the hard work.

[1] http://www.ubuntu.com/usn/usn-638-1
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3533

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-etchnhalf.1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages yelp depends on:
ii  docbook-xml4.5-5 standard XML documentation system,
ii  gconf2 2.22.0-1  GNOME configuration database syste
ii  gnome-doc-utils0.12.2-1  a collection of documentation util
ii  libbz2-1.0 1.0.5-1   high-quality block-sorting file co
ii  libc6  2.7-13GNU C Library: Shared libraries
ii  libdbus-glib-1-2   0.76-1simple interprocess messaging syst
ii  libgcc11:4.3.1-9 GCC support library
ii  libgconf2-42.22.0-1  GNOME configuration database syste
ii  libglade2-01:2.6.2-1 library to load .glade files at ru
ii  libglib2.0-0   2.16.5-1  The GLib library of C routines
ii  libgnome2-02.20.1.1-1The GNOME 2 library - runtime file
ii  libgnomeui-0   2.20.1.1-1The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0 1:2.22.0-4GNOME Virtual File System (runtime
ii  libgtk2.0-02.12.11-3 The GTK+ graphical user interface 
ii  libpango1.0-0  1.20.5-1  Layout and rendering of internatio
ii  librarian0 0.8.0-2   Rarian is a documentation meta-dat
ii  libstartup-notificatio 0.9-1 library for program launch feedbac
ii  libstdc++6 4.3.1-9   The GNU Standard C++ Library v3
ii  libx11-6   2:1.1.4-2 X11 client-side library
ii  libxml22.6.32.dfsg-3 GNOME XML library
ii  libxslt1.1 1.1.24-2  XSLT processing library - runtime 
ii  man-db 2.5.2-2   on-line manual pager
ii  xml-core   0.11  XML infrastructure and XML catalog
ii  xulrunner-1.9  1.9.0.1-1 XUL + XPCOM application runner
ii  zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime

Versions of packages yelp recommends:
ii  doc-base  0.8.16 utilities to manage online documen
ii  ttf-dejavu2.25-3 Metapackage to pull in ttf-dejavu-

yelp suggests no packages.

-- no debconf information
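The bug class in the report above (attacker-controlled text used as the printf format string) shown with the shell's own printf, which has the same format/argument split as the C function. This is an added example by the editor, not code from yelp or from the advisory; the sample URIs are constructed. In C the consequence is the arbitrary code execution the advisory describes; in sh the damage is limited to mangled output and printf errors, but the vulnerable pattern and its fix are identical.

```shell
#!/bin/sh
# Added example, not from yelp: the bug class in the report (attacker data used
# as a printf format string) shown with the shell's own printf, which has the
# same format/argument split as the C function.  The URIs are constructed.

# Vulnerable: the URI is spliced into the FORMAT, so any %-directives in it
# are interpreted.  This is the shape of the yelp error-message bug.
report_error_vulnerable() {
    printf "Could not open $1\n"
}

# Fixed: constant format string, data passed as an argument.  The URI is
# printed verbatim no matter what it contains.
report_error_fixed() {
    printf 'Could not open %s\n' "$1"
}

# Extra check for callers that must log untrusted text through code they do
# not control: flag any string that carries a percent sign at all.
contains_format_directive() {
    case $1 in
        *%*) return 0 ;;
        *)   return 1 ;;
    esac
}
```

Try report_error_vulnerable 'file://%s%s/x': the two %s are consumed and the message comes out as "Could not open file:///x", so the attacker has rewritten the error text; report_error_fixed prints the URI exactly as given.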






Bug#496851: bug #496851

2008-08-27 Thread Michael Gilbert
tag 496851 etch
found 496851 2.14.3-2
fixed 496851 2.22.1-4
thank you

after doing a little more research, i've confirmed that this is indeed
CVE-2008-3533, which is already being tracked in debian and has been
fixed in testing and unstable [1].  other useful info may be found in
[2],[3].  i think the urgency for the problem in stable should be
increased to high-urgency.

[1] http://security-tracker.debian.net/tracker/CVE-2008-3533
[2] https://bugs.launchpad.net/ubuntu/+source/yelp/+bug/254860
[3] http://bugzilla.gnome.org/show_bug.cgi?id=546364






Bug#496851: yelp: does not correctly handle format strings for certain error messages

2008-08-27 Thread Michael Gilbert
notfound 496851 2.22-1-6
thank you

what about getting a fix for this issue into stable?

 yelp (2.22.1-4) unstable; urgency=high

  * SECURITY: New patch, 60_format-string, fixes format string vulnerability;
bump urgency to high; CVE-2008-3533; GNOME #546364; from SVN r3173;
LP: #254860.

 Package: yelp
 Version: 2.22.1-6
 Severity: grave
 Tags: security
 Justification: user security hole

 yelp is vulnerable to attacks via badly formatted strings for certain error
 messages.  ubuntu recently released a fix for this problem [1].  the issue
 is described as:

   Aaron Grattafiori discovered that the Gnome Help Viewer did not handle
   format strings correctly when displaying certain error messages.  If a
   user were tricked into opening a specially crafted URI, a remote attacker
   could execute arbitrary code with user privileges.

 this may or may not be related to CVE-2008-3533 [2].  this should be
 considered a high-urgency vulnerability since it allows remote attackers
 to execute arbitrary code.

 thank you for the hard work.

 [1] http://www.ubuntu.com/usn/usn-638-1
 [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3533






Bug#463184: security.debian.org: wasn't CVE-2007-2645 fixed in DSA-1310-1?

2008-02-06 Thread Michael Gilbert
reopen 463184
thanks

 I've verified it in the source code:
 The correct patch was used to address CVE-2006-4168, only the wrong
 bug number was added to the DSA. Instead of #424775 this should've
 read #430012.

ok.  so, was the security issue described in bug #424775 actually ever
fixed?  looking at all of the DSAs since the beginning of 2006, i only
see the one upload of libexif (DSA-1310 -- which you now say fixed
only CVE-2006-4168).

did that upload of libexif actually address both CVE-2006-4168 and
CVE-2007-2645?  if so, then the DSA should be updated to indicate that
this is the case.  if not, then
http://idssi.enyo.de/tracker/status/release/unstable needs to be
updated to indicate that the CVE-2007-2645 vulnerability still exists
in the archive, and the fix (http://bugs.debian.org/424775) needs to
be uploaded as soon as possible.

thanks.






Bug#463184: security.debian.org: wasn't CVE-2007-2645 fixed in DSA-1310-1?

2008-02-06 Thread Michael Gilbert
 did that upload of libexif actually address both CVE-2006-4168 and
 CVE-2007-2645?  if so, then the DSA should be updated to indicate that
 this is the case.  if not, then
 http://idssi.enyo.de/tracker/status/release/unstable needs to be
 updated to indicate that the CVE-2007-2645 vulnerability still exists
 in the archive, and the fix (http://bugs.debian.org/424775) needs to
 be uploaded as soon as possible.

oops, i was looking at the unstable page.  CVE-2007-2645 is indeed
listed on the stable page
(http://idssi.enyo.de/tracker/status/release/stable).

btw, any chance of the fix getting uploaded to etch any time soon?






Bug#479644: libqt4-webkit:CVE-2008-1025 Cross-site scripting (XSS) vulnerability in Apple WebKit

2008-05-06 Thread Michael Gilbert
i believe that this is actually an issue with webkit itself, not the
libqt4-webkit package (which uses webkit as a library).  CVE-2008-1025
seems to indicate that the issue is wholly within webkit (there is no
mention of qt).

submitter, do you have further details that would confirm that the
problem also resides in libqt4-webkit?  otherwise, this bug should be
reassigned to webkit.






Bug#479644: libqt4-webkit:CVE-2008-1025 Cross-site scripting (XSS) vulnerability in Apple WebKit

2008-05-06 Thread Michael Gilbert
On 5/6/08, Michael Gilbert wrote:
 i believe that this is actually an issue with webkit itself, not the
 libqt4-webkit package (which uses webkit as a library).  CVE-2008-1025
 seems to indicate that the issue is wholly within webkit (there is no
 mention of qt).

i am mistaken, it looks like qt4-x11 duplicates the webkit source
code, rather than relying on it as a library, which in my opinion is
certainly not a very good approach.  please ignore the previous
message.






Bug#475152: bug #475152

2008-05-12 Thread Michael Gilbert
looks like ubuntu has released updated versions of the packages
affected by this vulnerability [1].  any chance the fixes for etch
will be released soon?

[1]  http://www.ubuntu.com/usn/usn-611-1






Bug#490127: libwebkit-1.0-1: CVE-2008-2307 javascript memory corruption security issue

2008-07-09 Thread Michael Gilbert
Package: libwebkit-1.0-1
Version: 1.0.1-1
Severity: grave
Tags: security
Justification: user security hole

the webkit packages in fedora were recently updated to fix a
memory corruption issue in the javascript handler [1].

i'm not sure if this affects sid since the webkit package no longer
indicates the svn version number, but this should be looked at.  it looks 
like webkit svn 34655 includes fixes for the problem.

thanks for the hard work.

[1] http://lwn.net/Articles/289257/

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-6-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libwebkit-1.0-1 depends on:
ii  libatk1.0-01.22.0-1  The ATK accessibility toolkit
ii  libc6  2.7-12GNU C Library: Shared libraries
ii  libcairo2  1.6.4-6   The Cairo 2D vector graphics libra
ii  libcurl3-gnutls7.18.2-5  Multi-protocol file transfer libra
ii  libfontconfig1 2.6.0-1   generic font configuration library
ii  libfreetype6   2.3.7-1   FreeType 2 font engine, shared lib
ii  libgcc11:4.3.1-6 GCC support library
ii  libglib2.0-0   2.16.4-1  The GLib library of C routines
ii  libgtk2.0-02.12.11-1 The GTK+ graphical user interface 
ii  libicu38   3.8.1-2   International Components for Unico
ii  libjpeg62  6b-14 The Independent JPEG Group's JPEG 
ii  libpango1.0-0  1.20.5-1  Layout and rendering of internatio
ii  libpng12-0 1.2.27-1  PNG library - runtime
ii  libsqlite3-0   3.5.9-3   SQLite 3 shared library
ii  libstdc++6 4.3.1-6   The GNU Standard C++ Library v3
ii  libx11-6   2:1.1.4-2 X11 client-side library
ii  libxml22.6.32.dfsg-2 GNOME XML library
ii  libxslt1.1 1.1.24-1  XSLT processing library - runtime 
ii  libxt6 1:1.0.5-3 X11 toolkit intrinsics library

libwebkit-1.0-1 recommends no packages.

-- no debconf information






Bug#483841: midori: currently uninstallable on unstable and experimental because libwebkitgtk1d no longer in the archive

2008-05-31 Thread Michael Gilbert
Package: midori
Severity: grave
Justification: renders package unusable

midori is currently uninstallable because it has a dependency on
libwebkitgtk1d.  note that the webkit library package was recently renamed 
to libwebkit-1.0-1.  please update the midori dependencies to use
libwebkit-1.0-1 instead of libwebkitgtk1d.

thanks for the hard work.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-6-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages midori depends on:
ii  libatk1.0-01.22.0-1  The ATK accessibility toolkit
ii  libc6  2.7-11GNU C Library: Shared libraries
ii  libcairo2  1.6.4-3   The Cairo 2D vector graphics libra
ii  libfontconfig1 2.5.93-1  generic font configuration library
ii  libfreetype6   2.3.5-1+b1FreeType 2 font engine, shared lib
ii  libglib2.0-0   2.16.3-2  The GLib library of C routines
ii  libgtk2.0-02.12.9-4  The GTK+ graphical user interface 
ii  libpango1.0-0  1.20.2-2  Layout and rendering of internatio
ii  libpng12-0 1.2.27-1  PNG library - runtime
ii  libsexy2   0.1.11-2  collection of additional GTK+ widg
pn  libwebkitgtk1d none(no description available)
ii  libx11-6   2:1.0.3-7 X11 client-side library
ii  libxcursor11:1.1.9-1 X cursor management library
ii  libxext6   2:1.0.4-1 X11 miscellaneous extension librar
ii  libxfixes3 1:4.0.3-2 X11 miscellaneous 'fixes' extensio
ii  libxi6 2:1.1.3-1 X11 Input extension library
ii  libxinerama1   2:1.0.3-2 X11 Xinerama extension library
ii  libxml22.6.32.dfsg-2 GNOME XML library
ii  libxrandr2 2:1.2.2-2 X11 RandR extension library
ii  libxrender11:0.9.4-1 X Rendering Extension client libra
ii  zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime

midori recommends no packages.






Bug#498764: ffmpeg-debian: vulnerable to denial-of-service attack (CVE-2008-3230)

2008-09-12 Thread Michael Gilbert
Package: ffmpeg-debian
Version: 0.svn20080206-12
Severity: grave
Tags: security
Justification: user security hole

according to the debian security tracker [1], ffmpeg is known to be
vulnerable to a denial-of-service attack [2].  the description of the
CVE is

  The ffmpeg lavf demuxer allows user-assisted attackers to cause a denial 
  of service (application crash) via a crafted GIF file, possibly related 
  to gstreamer, as demonstrated by lol-giftopnm.gif.

i'm reporting this here to make you aware of the issue, and so the issue
can be tracked as release-critical for etch.  this affects stable, testing, 
and unstable.

thanks for the hard work.

[1] http://security-tracker.debian.net/tracker/CVE-2008-3230
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3230

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-etchnhalf.1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash






Bug#498768: libxml2: does not correctly handle long entity names (CVE-2008-3529)

2008-09-12 Thread Michael Gilbert
Package: libxml2
Version: 2.6.32.dfsg-3
Severity: grave
Tags: security
Justification: user security hole

ubuntu just released a fix for a problem in libxml2 [1].  the issue appears
to currently be reserved [2], but since ubuntu has released a fix, other
distributions need to follow suit soon to limit the window of opportunity 
for attacks.  the description of the problem is

It was discovered that libxml2 did not correctly handle long entity 
names.   If a user were tricked into processing a specially crafted XML 
document, a remote attacker could execute arbitrary code with user 
privileges or cause the application linked against libxml2 to crash, 
leading to a denial of service.

this likely affects all releases (stable, testing, and unstable).

thanks for the hard work.

[1] http://lwn.net/Articles/298282/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-etchnhalf.1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libxml2 depends on:
ii  libc6  2.7-13GNU C Library: Shared libraries
ii  zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime

Versions of packages libxml2 recommends:
ii  xml-core  0.11   XML infrastructure and XML catalog

libxml2 suggests no packages.

-- no debconf information






Bug#502139: etch -> lenny upgrade failure

2008-10-14 Thread Michael Gilbert
 Yes, please upload a targeted fix to testing-proposed-updates.

 Thanks already.

thanks for fixing this so quickly.  awesome turnaround time.






Bug#389688: Bug#389668: qemu: windows vista rc1 installation crashes

2006-10-07 Thread Michael Gilbert

On 10/7/06, Arian Sigari wrote:

Hello,
is there any solution for the Windows Vista in qemu Bug?
arian sigari


hi Arian,

i am the original bug reporter.  i myself have not figured out a
solution, nor have i found anything on google.  and it appears that
the debian qemu maintainers have not even looked at the issue.

if you send updates on this issue directly to [EMAIL PROTECTED],
a broader and more skilled pool of people (all the debian qemu
maintainers and other developers on the debian bugs mailing list) will
see your message and be able to help out.  i am forwarding it for you.

qemu maintainers,

is there any work being done to address this bug?  if not could you
forward this upstream, mark it as such, and coordinate with them to
get a fix in?

thank you very much for your hard work.

mike





Bug#389688: Info received (Bug#389668: qemu: windows vista rc1 installation crashes)

2006-10-07 Thread Michael Gilbert

disregard my previous email.  it was intended for bug 389668.





Bug#389274: #389274 nvidia-kernel-2.6.17-1-686: not built against the latest kernel

2006-10-12 Thread Michael Gilbert

will an nvidia-kernel-2.6.17-2-686 package be uploaded or is the new
nvidia driver only being built for the 2.6.18 kernels?

mike





Bug#389274: #389274 nvidia-kernel-2.6.17-1-686: not built against the latest kernel

2006-10-13 Thread Michael Gilbert

ok, thanks for the info.

On 10/13/06, Randall Donald [EMAIL PROTECTED] wrote:

On Thu, 2006-10-12 at 22:52 -0400, Michael Gilbert wrote:
 will an nvidia-kernel-2.6.17-2-686 package be uploaded or is the new
 nvidia driver only being built for the 2.6.18 kernels?

Only 2.6.18 kernels. It will be the kernel for etch.


 mike

--
Randall Donald [EMAIL PROTECTED]







Bug#413469: bug 413469

2007-03-14 Thread Michael Gilbert

Tuomo,

just set up a mailer auto-reply that says i do not support out of
date ion3 development snapshots and will not respond to mails unless
the first line contains the output of 'ion3 --version' and shows a
date that is newer than one month old.  then it doesn't matter what
distributions choose to do because you can just ignore out-of-date
users.

with that said, i agree that in-development snapshots should be kept
out of unstable, and only done in experimental.  maybe this should be
a change to debian-policy?

mike





Bug#428782: nvidia-glx-legacy-96xx: uninstallable due to missing nvidia-kernel-legacy-96xx-1.0.9631 dependency

2007-06-13 Thread Michael Gilbert
Package: nvidia-glx-legacy-96xx
Severity: serious
Justification: 2

nvidia-kernel-legacy-96xx-1.0.9631 is currently not available in the
archive, and since nvidia-glx-legacy-96xx depends on it, the package is
not installable.

thanks for the hard work.

mike

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (400, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages nvidia-glx-legacy-96xx depends on:
ii  libc6 2.5-9+b1   GNU C Library: Shared libraries
ii  libx11-6  2:1.0.3-7  X11 client-side library
ii  libxext6  1:1.0.3-2  X11 miscellaneous extension librar
pn  nvidia-kernel-legacy-96xx-1.0 none (no description available)
ii  x11-common1:7.2-3X Window System (X.Org) infrastruc

nvidia-glx-legacy-96xx recommends no packages.





Bug#428782: closed by Filipus Klutiero [EMAIL PROTECTED] (Invalid)

2007-06-14 Thread Michael Gilbert

reopen 428782
thanks


-- Forwarded message --
From: Filipus Klutiero [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Thu, 14 Jun 2007 07:22:37 -0400
Subject: Invalid
nvidia-kernel-legacy-96xx-1.0.9631 is a virtual package. It should be possible
to build an nvidia LKM package providing it (although I don't know if that's
currently the case).


why not include pre-built binary packages for the legacy nvidia kernel
driver as is done with the standard nvidia kernel driver?

mike





Bug#428782: closed by Filipus Klutiero [EMAIL PROTECTED] (Close)

2007-06-14 Thread Michael Gilbert

reopen 428728
thanks


From: Filipus Klutiero
To: [EMAIL PROTECTED]
Date: Thu, 14 Jun 2007 20:09:33 -0400
Subject: Close
 why not include pre-built binary packages for the legacy nvidia kernel
 driver as is done with the standard nvidia kernel driver?
If you're implying that Debian decided not to distribute pre-built nvidia
legacy 96xx LKM packages, I suggest you provide a reference, because I never
heard that.


there are no nvidia-kernel-legacy-96xx-2.6.18-4-* packages.

$ cat /etc/apt/sources.list
# lenny
deb http://ftp.debian.org/debian/ lenny main contrib non-free
deb-src http://ftp.debian.org/debian/ lenny main contrib non-free

# lenny security
deb http://security.debian.org/ lenny/updates main contrib non-free
deb-src http://security.debian.org/ lenny/updates main contrib non-free

# sid
deb http://ftp.debian.org/debian/ sid main contrib non-free
deb-src http://ftp.debian.org/debian/ sid main contrib non-free

$ apt-cache search nvidia-kernel-legacy
nvidia-glx-legacy - NVIDIA binary Xorg driver (legacy version)
nvidia-kernel-legacy-2.6-486 - NVIDIA binary kernel module for 2.6
series compiled for 486
nvidia-kernel-legacy-2.6-686 - NVIDIA binary kernel module for 2.6
series compiled for 686
nvidia-kernel-legacy-2.6-k7 - NVIDIA binary kernel module for 2.6
series compiled for k7
nvidia-kernel-legacy-2.6.18-4-486 - NVIDIA binary kernel module for
Linux 2.6.18-4-486 (legacy version)
nvidia-kernel-legacy-2.6.18-4-686 - NVIDIA binary kernel module for
Linux 2.6.18-4-686 (legacy version)
nvidia-kernel-legacy-2.6.18-4-k7 - NVIDIA binary kernel module for
Linux 2.6.18-4-k7 (legacy version)
nvidia-kernel-legacy-source - NVIDIA binary kernel module source
(legacy version)
nvidia-glx-legacy-71xx - NVIDIA binary Xorg driver (71xx legacy version)
nvidia-glx-legacy-96xx - NVIDIA binary Xorg driver (96xx legacy version)
nvidia-kernel-legacy-71xx-source - NVIDIA binary kernel module source
(71xx legacy version)
nvidia-kernel-legacy-96xx-source - NVIDIA binary kernel module source
(96xx legacy version)


Please do not reopen this bug again, unless you can defend that it is valid.


put down the knife.

mike





Bug#428782: closed by Filipus Klutiero [EMAIL PROTECTED] (Close)

2007-06-14 Thread Michael Gilbert

reopen 428782
thanks





Bug#428782: closed by Filipus Klutiero [EMAIL PROTECTED] (Close)

2007-06-22 Thread Michael Gilbert

reopen 428782
thanks


From: Filipus Klutiero
To: [EMAIL PROTECTED]
Date: Sun, 17 Jun 2007 22:29:57 -0400
Subject: Close



The fact that there are no prebuilt nvidia 96xx LKM packages does not mean
that Debian decided not to distribute some...as shown by Randall's message.


that is not the point i have been making.  you continue to misunderstand.

the nvidia-kernel-legacy-96xx-$(uname -r)-* packages are still not
available in the unstable archive.  hence, this bug cannot be
considered done.

this really should not be such a big deal.  i understand that it takes
time to put the packages together, and i'll wait patiently, but this
bug should not be closed until the problem is actually solved.

thank you for understanding.

mike





Bug#430150: deluge-torrent: crashes during startup

2007-06-22 Thread Michael Gilbert
Package: deluge-torrent
Version: 0.5.1.1-1
Severity: grave
Justification: renders package unusable

the current version of deluge-torrent in unstable no longer starts.
here is what happens:

$ deluge
no existing Deluge session
Starting new Deluge session...
deluge_core; using libtorrent 0.13.0.0. Compiled with NDEBUG value: 1
Applying preferences
Starting DHT...
/var/lib/python-support/python2.4/deluge/core.py:723: DeprecationWarning: 
integer argument expected, got float
  PREF_FUNCTIONS[pref](self.get_pref(pref))
Traceback (most recent call last):
  File /usr/bin/deluge, line 106, in ?
start_deluge()
  File /usr/bin/deluge, line 67, in start_deluge
interface = deluge.interface.DelugeGTK()
  File /var/lib/python-support/python2.4/deluge/interface.py, line 57, in 
__init__
'%s %s'%(common.PROGRAM_NAME, common.PROGRAM_VERSION), common.CONFIG_DIR)
  File /var/lib/python-support/python2.4/deluge/core.py, line 223, in 
__init__
self.state = pickle.load(pkl_file)
  File /usr/lib/python2.4/pickle.py, line 1390, in load
return Unpickler(file).load()
  File /usr/lib/python2.4/pickle.py, line 872, in load
dispatch[key](self)
  File /usr/lib/python2.4/pickle.py, line 1083, in load_inst
klass = self.find_class(module, name)
  File /usr/lib/python2.4/pickle.py, line 1138, in find_class
__import__(module)
ImportError: No module named deluge





-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (400, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.21-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages deluge-torrent depends on:
ii  libboost-date-time1.34. 1.34.0-1 set of date-time libraries based o
ii  libboost-filesystem1.34 1.34.0-1 filesystem operations (portable pa
ii  libboost-thread1.34.0   1.34.0-1 portable C++ multi-threading
ii  libc6   2.5-9+b1 GNU C Library: Shared libraries
ii  libgcc1 1:4.2-20070609-1 GCC support library
ii  libssl0.9.8 0.9.8e-5 SSL shared libraries
ii  libstdc++6  4.2-20070609-1   The GNU Standard C++ Library v3
ii  notification-daemon 0.3.7-1  a daemon that displays passive pop
ii  python  2.4.4-6  An interactive high-level object-o
ii  python-glade2   2.10.4-2 GTK+ bindings: Glade support
ii  python-gtk2 2.10.4-2 Python bindings for the GTK+ widge
ii  python-notify   0.1.0-2.1Python bindings for libnotify
ii  python-support  0.6.4automated rebuilding support for p
ii  python-xdg  0.15-1.1 A python library to access freedes
ii  zlib1g  1:1.2.3-15   compression library - runtime

deluge-torrent recommends no packages.

-- no debconf information





Bug#428782: closed by Filipus Klutiero

2007-06-23 Thread Michael Gilbert

reopen 428782
thanks


From: Filipus Klutiero
To: [EMAIL PROTECTED]
Date: Sat, 23 Jun 2007 09:56:29 -0400
Subject: Invalid



You don't understand. The reason I'm closing this report is not that the
prebuilt nvidia 96xx packages are available in sid, but that your report is
invalid. There is no bug as your report describes.



If you'd decide to reopen this report, you should defend its validity.


i have continued to defend the validity.  the bug is obvious.  the
package is uninstallable.  this is considered a show stopping /
release critical bug.

i will now use the guidance of the Developers' information regarding
the bug processing system document at
http://www.debian.org/Bugs/Developer#closing to logically reason why
this bug must be kept open and why *you* do not have the authority to
close it:

   Debian bug reports should be closed when the problem is fixed.
   Problems in packages can only be considered fixed once a package
   that includes the bug fix enters the Debian archive.

the fix has not entered the archive, so the bug should not be closed.

also from the next paragraph:

   Normally, the only people that should close a bug report are the
   submitter of the bug and the maintainer(s) of the package against
   which the bug is filed. There are exceptions to this rule, for example,
   the bugs filed against unknown packages or certain generic
   pseudo-packages. When in doubt, don't close bugs, first ask for
   advice on the debian-devel mailing list.

you are neither the bug submitter nor the maintainer, so you do not
have the authority to close the bug.  you are not even a debian
developer...

and finally, "[w]hen in doubt, don't close bugs".  there is doubt.

if you want to close this bug again, *you* need to justify why the
above debian document is invalid.  stop overstepping your authority.

mike





Bug#449497: foo2zjs: application depends on non-free firmware

2007-11-05 Thread Michael Gilbert
Package: foo2zjs
Version: 20070718dfsg-6
Severity: serious
Justification: Policy 2.2.1

foo2zjs relies heavily upon non-free firmware that is hosted at the
upstream site.  this behavior, i believe, does not adhere to the spirit of 
the debian policy for software in main (packages should not require 
packages outside of main).

although semantically, the foo2zjs package does not rely on a debian 
package outside of main, it does however depend on binary firmware packages 
outside of main (at the upstream host site).

i believe that the package, as is, belongs in contrib instead of main.

mike

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (400, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages foo2zjs depends on:
ii  libc6 2.6.1-6GNU C Library: Shared libraries

Versions of packages foo2zjs recommends:
ii  foomatic-db-engine  3.0.2-20061031-1 linuxprinting.org printer support 

-- no debconf information






Bug#458396: FTBFS due to missing apt-transport-https libraries

2007-12-30 Thread Michael Gilbert
Package: apt
Version: 0.7.9
Severity: serious
Tags: patch
Justification: no longer builds from source

the apt-transport-https deb currently does not build because
libapt-pkg-libc6.7-6.so.4.6 is not in the right location when dh_shlibs
is run.

as a temporary fix for the problem, i modified debian/rules to copy the
missing libraries from the build directory to 
debian/apt-transport-https/usr/lib.  see attached diff.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.23-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apt depends on:
ii  debian-archive-keyring2007.07.31 GnuPG archive keys of the Debian a
ii  libc6 2.7-5  GNU C Library: Shared libraries
ii  libgcc1   1:4.2.2-4  GCC support library
ii  libstdc++64.2.2-4The GNU Standard C++ Library v3

apt recommends no packages.

-- no debconf information
--- ../../apt-0.7.9-orig/debian/rules   2007-12-29 23:53:03.0 -0500
+++ rules   2007-12-30 16:44:57.0 -0500
@@ -313,6 +313,7 @@
dh_compress -p$@
dh_fixperms -p$@
dh_installdeb -p$@
+   cp build/bin/libapt* debian/$@/usr/lib
dh_shlibdeps -p$@ -l`pwd`/debian/apt/usr/lib:`pwd`/debian/$@/usr/lib 
dh_gencontrol -p$@
dh_md5sums -p$@
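Review bot: the added `cp build/bin/libapt* debian/$@/usr/lib` line does more than make the libraries visible to dh_shlibdeps. Anything placed under debian/$@/usr/lib at this point in the target is shipped in the apt-transport-https .deb, so the package would carry its own copies of libapt-pkg and libapt-inst alongside the ones provided by the apt package, and the `libapt*` glob picks up every libapt artifact in build/bin, not only the one named in the report. Since the following `dh_shlibdeps -p$@ -l...` line already takes a `-l` search path, a narrower fix is to add `pwd`/build/bin to that path (or to make sure debian/apt/usr/lib is populated before this target runs) rather than copying files into the package tree; the report itself calls this a temporary fix, and the merge with #452862 in the follow-up suggests a pending fix exists.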


Bug#458396: FTBFS due to missing apt-transport-https libraries

2007-12-30 Thread Michael Gilbert
merge 452862 458396
thank you

i should have done a better job searching the previous reports before
sending this.  i see that there is already a pending fix for this in
bug #452862






Bug#459821: uninstallable: needs to depend on a apt version rather than particular apt libraries

2008-01-08 Thread Michael Gilbert
Package: python-apt
Version: 0.7.4
Severity: grave
Justification: renders package unusable

python-apt is currently uninstallable on sid.  this is because there is
a dependency on the /usr/lib/libapt-inst-libc6.6-1.so.1.1 and
/usr/lib/libapt-pkg-libc6.6-6.so.4.6 files. however, as of apt 0.7.10, 
those files no longer exist (they have been replaced by the 6.7 versions
rather than 6.6).

the solution to this problem is to depend on the apt package version 
(0.7.10), rather than the libraries provided by the apt package.

thanks for the hard work.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.23-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages python-apt depends on:
pn  libapt-inst-libc6.6-6-1 none   (no description available)
pn  libapt-pkg-libc6.6-6-4. none   (no description available)
ii  libc6   2.7-5GNU C Library: Shared libraries
ii  libgcc1 1:4.3-20080104-1 GCC support library
ii  libstdc++6  4.3-20080104-1   The GNU Standard C++ Library v3
ii  lsb-release 3.1-24   Linux Standard Base version report
ii  python  2.4.4-6  An interactive high-level object-o
ii  python-central  0.5.15   register and build utility for Pyt

python-apt recommends no packages.






Bug#462730: mousepad: segfaults due to problem (incompatibility?) with libc.so.6

2008-01-26 Thread Michael Gilbert
Package: mousepad
Version: 0.2.13-1
Severity: grave
Justification: renders package unusable

mousepad always segfaults when started.  gdb indicates that there is an 
issue with mousepad's use of libc.so.6:

$ gdb mousepad
run
..
..
..
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb74e36b0 (LWP 6854)]
0xb765c6bb in ?? () from /lib/libc.so.6

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.23-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mousepad depends on:
ii  libatk1.0-01.20.0-1  The ATK accessibility toolkit
ii  libc6  2.7-6 GNU C Library: Shared libraries
ii  libcairo2  1.4.14-1  The Cairo 2D vector graphics libra
ii  libfontconfig1 2.5.0-2   generic font configuration library
ii  libfreetype6   2.3.5-1+b1FreeType 2 font engine, shared lib
ii  libglib2.0-0   2.15.2-2  The GLib library of C routines
ii  libgtk2.0-02.12.5-2  The GTK+ graphical user interface 
ii  libpango1.0-0  1.18.4-1  Layout and rendering of internatio
ii  libpng12-0 1.2.15~beta5-3PNG library - runtime
ii  libx11-6   2:1.0.3-7 X11 client-side library
ii  libxfce4util4  4.4.2-1   Utility functions library for Xfce
ii  libxfcegui4-4  4.4.2-1   Basic GUI C functions for Xfce4
ii  libxrender11:0.9.4-1 X Rendering Extension client libra
ii  zlib1g 1:1.2.3.3.dfsg-11 compression library - runtime

Versions of packages mousepad recommends:
ii  xfprint4  4.4.2-1Printer GUI for Xfce4

-- no debconf information






Bug#463184: security.debian.org: wasn't CVE-2007-2645 fixed in DSA-1310-1?

2008-01-29 Thread Michael Gilbert
Package: security.debian.org
Severity: grave

according to the bug report log [1], the 0.6.13-etch1 upload of
libexif12 fixed the security vulnerability described by CVE-2007-2645.
however, the associated DSA [2] says that the upload of 0.6.13-etch1 
fixed the vulnerability described by CVE-2006-4168.

it seems very likely someone mistakenly reversed the CVE numbers.  so it
is probably the case that CVE-2007-2645 was fixed long ago in etch,
and CVE-2006-4168 still remains unaddressed.

[1] http://bugs.debian.org/424775
[2] http://www.debian.org/security/2007/dsa-1310

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash






Bug#553018: xulrunner: new upstream versions fixing multiple security issues

2009-10-29 Thread Michael Gilbert
package: xulrunner
version: 1.9.1.3-3
severity: serious
tags: security

mozilla has just issued new versions of firefox, seamonkey, etc [0],[1].
these fix multiple CVEs.  please update to these versions.

as you know, lenny is also affected, so please issue a DSA with the new
xulrunner there. thanks.

mike

[0] http://www.mozilla.com/en-US/firefox/3.5.4/releasenotes
[1] http://www.mozilla.com/en-US/firefox/3.0.15/releasenotes






Bug#555217: auth2db: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: auth2db
version: 0.2.5-2+dfsg-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js 1.5.1 and
earlier) [0], CVE-2008-7220 (affecting prototype.js 1.6.0.2 and
earlier) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.0
  lenny: 1.5.0
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555220: asterisk: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: asterisk
version: 1:1.4.21.2~dfsg-3
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js 1.5.1 and
earlier) [0], CVE-2008-7220 (affecting prototype.js 1.6.0.2 and
earlier) [1], or both.

Your package embeds the following prototype.js versions:

  sid: uses system prototype.js
  lenny: 1.4.0
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555221: libaws: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: libaws
version: 2.2dfsg-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.4.0
  lenny: 1.4.0
  etch: 1.4.0

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555223: libjson-ruby: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: libjson-ruby
version: 1.1.2-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.6.0
  lenny: 1.6.0
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555225: lucene2: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: lucene2
version: 2.3.1+ds1-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.4.0_pre4
  lenny: 1.4.0_pre4
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555229: knowledgeroot: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: knowledgeroot
version: 0.9.7.3-2
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.0
  lenny: 1.5.0
  etch: 1.5.0_rc0

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555232: mediatomb: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: mediatomb
version: 0.11.0-3
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.1.1
  lenny: 1.5.1.1
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555228: glpi: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: glpi
version: 0.68.2-1etch0.2
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.6.0.2
  lenny: 1.5.0
  etch: 1.4.0

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555234: op-panel: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: op-panel
version: 0.27.dfsg-2
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.0_rc0
  lenny: N/A
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555231: mt-daapd: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: mt-daapd
version: 0.2.4+r1376-1.1+etch2
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: uses system prototype.js
  lenny: uses system prototype.js
  etch: 1.4.0

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555235: ebug-http: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: ebug-http
version: 0.31-2
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.2.0
  lenny: 1.2.0
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555240: qwik: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: qwik
version: 0.8.4.4 
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.4.0_rc3
  lenny: 1.4.0_rc3
  etch: 1.4.0_rc3

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555237: python-poker-network: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: python-poker-network
version: 1.0.30-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.4.0
  lenny: N/A
  etch: 1.4.0

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555239: webhelpers: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: webhelpers
version: 0.6-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.1.1
  lenny: 1.5.1.1
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555242: wordpress: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: wordpress
version: 2.5.1-11
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.6.0
  lenny: 1.6.0
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555249: symfony: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: symfony
version: 1.0.17-4
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.0
  lenny: 1.5.0
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555246: hobix: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: hobix
version: 0.5~svn20070319-3
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.3.0
  lenny: 1.3.0
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555248: pixelpost: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: pixelpost
version: 1.7.1-5
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.0
  lenny: 1.5.0
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555244: exaile: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: exaile
version: 0.2.11.1+debian-2
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.1.1
  lenny: 1.5.1.1
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555255: jscropperui: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: jscropperui
version: 1.2.0-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.0_rc0
  lenny: 1.5.0_rc0
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555258: rt-extension-emailcompletion: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: rt-extension-emailcompletion
version: 0.06-3
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.6.0
  lenny: N/A
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555259: scriptaculous: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: scriptaculous
version: 1.8.1-5
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.6.1
  lenny: 1.6.0.1
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555264: mantis: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: mantis
version: 1.1.6+dfsg-2
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.1.1
  lenny: 1.5.1.1
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555263: activeldap: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: activeldap
version: 1.0.1-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.6.0.3 (not affected)
  lenny: 1.6.0.1
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] 
http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security
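The mass-filing above says the only check done so far is a version comparison against the two affected ranges (prototype.js before 1.5.1 for CVE-2007-2383, before 1.6.0.2 for the CVE the report's reference [1] lists as CVE-2008-7220). The script below is an added example, not code from the bug report or from any of the packages named; it reads the version header a bundled prototype.js carries, compares it correctly against both thresholds, and handles the pre-release form ("1.5.0_rc1") seen in the plone3 report, which a plain string comparison would misorder. The header line format and the sample file are assumptions of the example.

```python
"""Version comparison for embedded prototype.js copies.

Added example, not part of the bug report: reproduces the check the
mass-filing describes ("the only checking done so far is a version
comparison") against the two ranges the report gives.
"""
import re

# Fixed-in versions taken from the report: CVE-2007-2383 affects
# prototype.js before 1.5.1, CVE-2008-7220 before 1.6.0.2.
FIXED_IN = {
    "CVE-2007-2383": "1.5.1",
    "CVE-2008-7220": "1.6.0.2",
}

# Header line prototype.js releases carry near the top of the file
# (assumed format for this example).
HEADER_RE = re.compile(r"Prototype JavaScript framework, version\s+(\S+)")

# Dotted numeric version with an optional pre-release tag ("1.5.0_rc1").
VERSION_RE = re.compile(
    r"(\d+(?:\.\d+)*)(?:[_.-]?(alpha|beta|rc)(\d*))?", re.IGNORECASE)


def version_key(version):
    """Sort key: numeric parts padded to four places, then a release flag.

    A pre-release ("1.5.0_rc1") gets flag 0 so it sorts before the final
    "1.5.0" (flag 1); plain string comparison would wrongly put
    "1.5.0_rc1" after "1.5.0" and "1.10" before "1.6".
    """
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError("unrecognised prototype.js version: %r" % version)
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    if m.group(2):
        return nums + (0, m.group(2).lower(), int(m.group(3) or 0))
    return nums + (1,)


def affected_cves(version):
    """CVE ids whose fixed-in version is later than the embedded version."""
    key = version_key(version)
    return [cve for cve, fixed in FIXED_IN.items() if key < version_key(fixed)]


def embedded_versions(source):
    """All version strings declared in a prototype.js (or a file bundling it)."""
    return HEADER_RE.findall(source)


def check_source(source):
    """Map each embedded version to the CVEs it is affected by."""
    return {v: affected_cves(v) for v in embedded_versions(source)}


# Constructed sample resembling the head of a bundled prototype.js file;
# the copyright and licence lines are illustrative only.
SAMPLE_JS = """/*  Prototype JavaScript framework, version 1.6.0.1
 *  (c) 2005-2007 Sam Stephenson
 *
 *  Prototype is freely distributable under the terms of an MIT-style license.
 *  For details, see the Prototype web site: http://www.prototypejs.org/
 *
 *--------------------------------------------------------------------------*/
var Prototype = { Version: '1.6.0.1' };
"""

if __name__ == "__main__":
    for version, cves in check_source(SAMPLE_JS).items():
        print(version, "affected by:", ", ".join(cves) or "nothing")
```

As the report itself stresses, a version hit only says the embedded copy is in the affected range; whether the package actually ships or uses that code (the check the maintainers are asked to do) is a separate question the script cannot answer.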






Bug#555266: otrs2: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: otrs2
version: 2.3.4-5
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.1
  lenny: N/A
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] 
http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555274: plone3: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: plone3
version: 3.1.3-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.0_rc1
  lenny: 1.5.0_rc1
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] 
http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555276: wesnoth: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: wesnoth
version: 1:1.6.5-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.6.0.1
  lenny: N/A
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] 
http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555268: webcalendar: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-08 Thread Michael Gilbert
package: webcalendar
version: 1.2.0+dfsg-4
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.5.0
  lenny: N/A
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
[2] http://dev.rubyonrails.org/ticket/7910
[3] 
http://prototypejs.org/2008/1/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security






Bug#555223: libjson-ruby: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-09 Thread Michael Gilbert
On Sun, 8 Nov 2009 22:19:13 -0800 Ryan Niebur wrote:

 On Sun, Nov 08, 2009 at 07:22:57PM -0500, Michael Gilbert wrote:
  package: libjson-ruby
  version: 1.1.2-1
  severity: serious
  tags: security
  
  Hi,
  
  Your package contains an embedded version of prototype.js that is
  vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
  [0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.
  
  Your package embeds the following prototype.js versions:
  
sid: 1.6.0
lenny: 1.6.0
etch: N/A
  
  This is a mass-filing, and the only checking done so far is a version
  comparison, so please determine whether or not your package is itself
  affected or not.  If it is not affected please close the bug with a
  message indicating this along with what you did to check.
  
  The version of your package specified above is the earliest version
  with the affected embedded code.  If this version is in one or both of
  the stable releases and you are affected, please coordinate with the
  release team to prepare a proposed-update for your package to
  stable/oldstable.
  
  There are patches available for CVE-2007-2383 [2] and a backport for
  prototypejs 1.5 for CVE-2008-7720 [3].
  
  If you correct the problem in unstable, please make sure to include the
  CVE number in your changelog.
  
 
 this should have been fixed for unstable in 1.1.4-1, see #555224. what
 should happen for stable tho?

you should prepare an update for proposed-updates.  see debian docs and talk
to the release team for more info.

mike






Bug#555223: libjson-ruby: CVE-2007-2383 and CVE-2008-7720 prototypejs vulnerabilities

2009-11-09 Thread Michael Gilbert
On Mon, 9 Nov 2009 20:18:47 -0800 Ryan Niebur wrote:

 On Mon, Nov 09, 2009 at 10:58:52PM -0500, Michael Gilbert wrote:
  On Sun, 8 Nov 2009 22:19:13 -0800 Ryan Niebur wrote:
  
   On Sun, Nov 08, 2009 at 07:22:57PM -0500, Michael Gilbert wrote:
package: libjson-ruby
version: 1.1.2-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototype.js that is
vulnerable to either CVE-2007-2383 (affecting prototype.js before 1.5.1)
[0], CVE-2008-7220 (affecting prototype.js before 1.6.0.2) [1], or both.

Your package embeds the following prototype.js versions:

  sid: 1.6.0
  lenny: 1.6.0
  etch: N/A

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected or not.  If it is not affected please close the bug with a
message indicating this along with what you did to check.

The version of your package specified above is the earliest version
with the affected embedded code.  If this version is in one or both of
the stable releases and you are affected, please coordinate with the
release team to prepare a proposed-update for your package to
stable/oldstable.

There are patches available for CVE-2007-2383 [2] and a backport for
prototypejs 1.5 for CVE-2008-7720 [3].

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

   
   this should have been fixed for unstable in 1.1.4-1, see #555224. what
   should happen for stable tho?
  
  you should prepare an update for proposed-updates.  see debian docs and talk
  to the release team for more info.
  
 
 I knew that, already did so, 
 http://lists.debian.org/debian-release/2009/11/msg00058.html
 sorry for uhhh, asking questions that I already knew the answer to :/...

oh, fyi, you should submit a bug to release.debian.org, otherwise
mailing list messages tend to fall off their todo list.

mike






Bug#552038: alien-arena: remote arbitrary code execution

2009-11-11 Thread Michael Gilbert
hi, this problem has been disclosed for quite a while now.  do you
need help packaging the new upstream version?  if so, i can prepare an
nmu.  do you need help preparing backports for the stable releases?
if so, i can spend some time on that this weekend.

mike






Bug#555231: oldstable: mt-daapd update addressing #555231

2009-11-11 Thread Michael Gilbert
On Wed, 11 Nov 2009 23:02:23 +0100 Julien BLACHE wrote:
 Adam D. Barratt wrote:
 
 Hi,
 
  How big is the diff from prototype 1.4.0 (as used in the current
  package) to 1.6.1?  The bug report mentions that patches fixing the two
 
 Don't know, I haven't even looked. There were other issues before those
 two I believe, and they never got fixed. I know that the web interface
 works just fine with 1.6.1 so upgrading to 1.6.1 is not an issue.
 
  CVEs are available, although I wasn't entirely clear as to whether they
  apply to 1.4.0 or not.
 
 My bet is they don't; 1.4.0 is pretty ancient now.

the prototype.js CVEs do apply to 1.4.0.

  The bug log also mentions that you were planning to upload a fixed
  package to oldstable-security; is that no longer the case?
 
 Re-reading the report, it doesn't actually ask for a security upload. I
 have no preference for security vs. opu, although I don't think this
 issue is worth a security upload given mt-daapd is not a web app, which
 reduces the scope of the vulnerabilities considerably IMO.

from the security team's perspective, there are way too many
packages affected by the prototype.js flaw to issue DSAs for all of
them, so they all will/should be handled via stable-proposed-updates.

mike






Bug#556267: xulrunner: CVE-2007-1970 phishing vulnerability

2009-11-14 Thread Michael Gilbert
Package: xulrunner
Version: 1.9.0.13-0
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for xulrunner.

CVE-2007-1970[0]:
| Mozilla Firefox does not warn the user about HTTP elements on an HTTPS
| page when the HTTP elements are dynamically created by a delayed
| document.write, which allows remote attackers to supply
| unauthenticated content and conduct phishing attacks.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1970
http://security-tracker.debian.org/tracker/CVE-2007-1970






Bug#556268: forwarded

2009-11-14 Thread Michael Gilbert
forwarded 556268 https://bugzilla.mozilla.org/show_bug.cgi?id=528772
thanks






Bug#556271: kazehakase: CVE-2007-1084 bookmarklets cross-site info disclosure

2009-11-14 Thread Michael Gilbert
Package: kazehakase
Version: 0.5.8-1
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published.

CVE-2007-1084[0]:
| Mozilla Firefox 2.0.0.1 and earlier does not prompt users before
| saving bookmarklets, which allows remote attackers to bypass the
| same-domain policy by tricking a user into saving a bookmarklet with a
| data: scheme, which is executed in the context of the last visited web
| page.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1084
http://security-tracker.debian.org/tracker/CVE-2007-1084






Bug#556268: forwarded

2009-11-14 Thread Michael Gilbert
forwarded 556268 https://bugzilla.mozilla.org/post_bug.cgi
thanks






Bug#556267: forwarded

2009-11-14 Thread Michael Gilbert
forwarded 556267 https://bugzilla.mozilla.org/show_bug.cgi?id=527733
thanks






Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure

2009-11-14 Thread Michael Gilbert
Package: epiphany-browser
Version: 2.29.1-2
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published.

CVE-2007-1084[0]:
| Mozilla Firefox 2.0.0.1 and earlier does not prompt users before
| saving bookmarklets, which allows remote attackers to bypass the
| same-domain policy by tricking a user into saving a bookmarklet with a
| data: scheme, which is executed in the context of the last visited web
| page.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1084
http://security-tracker.debian.org/tracker/CVE-2007-1084






Bug#556270: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure

2009-11-14 Thread Michael Gilbert
Package: galeon
Version: 2.0.7-1.1
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published.

CVE-2007-1084[0]:
| Mozilla Firefox 2.0.0.1 and earlier does not prompt users before
| saving bookmarklets, which allows remote attackers to bypass the
| same-domain policy by tricking a user into saving a bookmarklet with a
| data: scheme, which is executed in the context of the last visited web
| page.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1084
http://security-tracker.debian.org/tracker/CVE-2007-1084






Bug#556271: kazehakase: CVE-2007-1084 bookmarklets cross-site info disclosure

2009-11-15 Thread Michael Gilbert
On Sun, 15 Nov 2009 10:51:56 +0200 Yavor Doganov wrote:
 found 556271 0.4.2-1etch1
 found 556271 0.5.4-2.2
 found 556271 0.5.6-2
 thanks
 
 Michael Gilbert wrote:
  Package: kazehakase
  Version: 0.5.8-1
  Severity: serious
  Tags: security
 
  [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1084
  http://security-tracker.debian.org/tracker/CVE-2007-1084
 
 Do I understand correctly that the proper fix for this vulnerability
 is to disallow adding data:/javascript: URIs with Bookmarks -> Add to
 bookmarks menu, preferably informing the user with a dialog?
 
 Also, does this warrant uploads to stable and oldstable?

the issue itself is not too severe from a security perspective, so a
DSA will not be issued; however, you can (and probably should) fix this
via stable-proposed-updates.

mike






Bug#556271: kazehakase: CVE-2007-1084 bookmarklets cross-site info disclosure

2009-11-15 Thread Michael Gilbert
On Sun, 15 Nov 2009 10:51:56 +0200 Yavor Doganov wrote:
 Do I understand correctly that the proper fix for this vulnerability
 is to disallow adding data:/javascript: URIs with Bookmarks -> Add to
 bookmarks menu, preferably informing the user with a dialog?

yes, that appears to be what the (as-yet unapplied) mozilla patch does.

mike
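The exchange above settles on the fix for CVE-2007-1084: refuse to add a data: or javascript: URI as a bookmark, or at least prompt the user before storing one. The snippet below is an added example, not the Mozilla, kazehakase or epiphany code; it models that policy for a bookmark store and shows why the scheme must be read the way a URL parser reads it (leading whitespace and control characters stripped, tab and newline removed, case ignored) rather than by comparing the raw string's first characters. The store, function names and sample URLs are assumptions of the example.

```python
"""Scheme check for bookmark URLs.

Added example, not the Mozilla, kazehakase or epiphany code: models the
fix the thread describes for CVE-2007-1084, refusing to store a
bookmark whose target is a data: or javascript: URI unless the user has
confirmed that through a prompt.
"""
import re

# The two schemes the thread names; a bookmark using them runs in the
# context of whatever page is open when it is clicked.
SCRIPT_SCHEMES = {"javascript", "data"}

# RFC 3986 scheme syntax: a letter, then letters, digits, "+", "-", ".".
SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")


def normalise(url):
    """Do what a URL parser does before it looks at the scheme.

    Leading and trailing C0 controls and spaces are stripped and embedded
    tab/newline characters are removed, so "  JavaScript:" or a scheme
    broken by a tab still resolves to the same scheme a browser would use.
    """
    url = url.strip("".join(chr(c) for c in range(0x21)))
    return re.sub(r"[\t\n\r]", "", url)


def bookmark_scheme(url):
    """Lower-cased scheme of the normalised URL, or None when it has none."""
    m = SCHEME_RE.match(normalise(url))
    return m.group(1).lower() if m else None


def is_script_bookmark(url):
    """True when the bookmark would carry executable content."""
    return bookmark_scheme(url) in SCRIPT_SCHEMES


def add_bookmark(store, title, url, user_confirmed=False):
    """Store the bookmark unless it carries script and the user has not
    explicitly confirmed the warning prompt; returns True when stored.

    `store` is a plain list standing in for the browser's bookmark
    database (assumption of this example).
    """
    if is_script_bookmark(url) and not user_confirmed:
        return False
    store.append((title, normalise(url)))
    return True


if __name__ == "__main__":
    bookmarks = []
    for candidate in ["https://www.debian.org/", "javascript:void(0)"]:
        stored = add_bookmark(bookmarks, "example", candidate)
        print(candidate, "->", "stored" if stored else "needs confirmation")
```

The `user_confirmed` flag is where a real implementation would put the dialog the thread discusses; the stricter option Mike argues for later in the thread (no script bookmarks at all) is the same function with the confirmation path removed.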






Bug#556271: kazehakase: CVE-2007-1084 bookmarklets cross-site info disclosure

2009-11-15 Thread Michael Gilbert
On Sun, 15 Nov 2009 11:28:47 +0200 Yavor Doganov wrote:

 Michael Gilbert wrote:
  On Sun, 15 Nov 2009 10:51:56 +0200 Yavor Doganov wrote:
   Do I understand correctly that the proper fix for this
   vulnerability is to disallow adding data:/javascript: URIs with
   Bookmarks -> Add to bookmarks menu, preferably informing the user
   with a dialog?
  
  yes, that appears to be what the (as-yet unapplied) mozilla patch does.

i marked it serious because the problem must be fixed before squeeze is
released.  however, if the current transitions make more work, go
ahead and wait until it makes more sense.

 OK, I prepared a patch which I'll send upstream in a few minutes.
 
 One more question: There's an ongoing xulrunner-1.9.1 transition
 that's taking longer than expected, so a new upload will reset it.
 Should I upload to sid with urgency=high or first wait for the
 transition to complete?
 
  Also, does this warrant uploads to stable and oldstable?
 
  the issue itself is not too severe from a security perspective, so a
  DSA will not be issued; however, you can (and probably should) fix
  this via stable-proposed-updates.
 
 I see; will proceed accordingly.  What about oldstable?

by stable-proposed-updates, i meant both an spu and an ospu.

mike






Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure

2009-11-16 Thread Michael Gilbert
On Mon, 16 Nov 2009 09:53:36 +0100, Josselin Mouette wrote:
 On Monday 16 November 2009 at 09:37 +0100, Mike Hommey wrote: 
  On Mon, Nov 16, 2009 at 09:17:58AM +0100, Josselin Mouette wrote:
   What’s a bookmarklet? I don’t even know whether epiphany supports this. 
  
  It's javascript code you bookmark and can run on any site. A bit like
  greasemonkey, but crossbrowser. It's designed to run in the current
  page context, so the security issue here is by design. 
 
 Confirmation before saving the bookmarklet to the list of bookmarks? If
 so, I’d say epiphany is not affected, since it always asks for
 confirmation whenever you bookmark something.

right, but the current dialog doesn't throw up a scary warning saying
that the bookmark contains potentially dangerous javascript, so some
work would need to be done to implement that.

or, the safer solution would be to disallow javascript in bookmarks.
who in their right mind needs that (anti)feature anyway???

note that with respect to epiphany, only the gecko backend is
affected.  webkit currently acts wacky when bookmarking a site
with javascript in the bookmark.

mike






Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure

2009-11-16 Thread Michael Gilbert
On Mon, 16 Nov 2009 17:34:39 +0100, Mike Hommey wrote:
 On Mon, Nov 16, 2009 at 11:25:04AM -0500, Michael Gilbert wrote:
  On Mon, 16 Nov 2009 09:53:36 +0100, Josselin Mouette wrote:
   On Monday 16 November 2009 at 09:37 +0100, Mike Hommey wrote: 
On Mon, Nov 16, 2009 at 09:17:58AM +0100, Josselin Mouette wrote:
 What’s a bookmarklet? I don’t even know whether epiphany supports 
 this. 

It's javascript code you bookmark and can run on any site. A bit like
greasemonkey, but crossbrowser. It's designed to run in the current
page context, so the security issue here is by design. 
   
   Confirmation before saving the bookmarklet to the list of bookmarks? If
   so, I’d say epiphany is not affected, since it always asks for
   confirmation whenever you bookmark something.
  
  right, but the current dialog doesn't throw up a scary warning saying
  that the bookmark contains potentially dangerous javascript, so some
  work would need to be done to implement that.
  
  or, the safer solution would be to disallow javascript in bookmarks.
  who in their right mind needs that (anti)feature anyway???
 
 It's a very useful feature. There has been some kind of DOM inspector in
 such bookmarks way before firebug existed, 

addons seem like a better place for code/script execution anyway (since
there are already warnings about installing/running that stuff). from my
perspective (and from a solid security standpoint) bookmarks should be
static.  i.e. users should get what they expect every single time they
click the bookmark.

 and it has the advantage of being cross browsers.

so, you're saying that this is a good feature and hence must be kept
based on the fact that it is currently available in a lot of browsers
(i.e. all gecko-based browsers and no webkit/khtml browsers)?

mike






Bug#570713: ffmpeg: remaining vulnerabilities from bug #550442

2010-02-20 Thread Michael Gilbert
package: ffmpeg
version: 0.svn20080206-18
severity: serious
tags: security

hi, i have just tested the latest ffmpeg update against the original
proof of concepts [0] reported in bug #550442 [1].  many of them are
still effective.  there is some good news though; i've found that
upstream has addressed all of the problems in their latest svn version.
attached are my findings.

reference [2] may be useful to track down the other needed patches; or
it may be easier to just upgrade to a new svn (however, the patches
still need to be determined for stable).

mike

[0] http://roundup.ffmpeg.org/roundup/ffmpeg/issue1240
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550442
[2] http://thread.gmane.org/gmane.comp.video.ffmpeg.devel/97154


ffmpeg
Description: Binary data


Bug#571036: [Pkg-fglrx-devel] Bug#571036: fglrx-driver: fglrx 10.2 incompatible with compositing in KDE 4.3

2010-02-22 Thread Michael Gilbert
severity 571036 important
thanks

On Mon, 22 Feb 2010 18:03:55 -0500 Don Pellegrino wrote:
 The 10.2 release of the ATI Catalyst drivers (fglrx) are incompatible
 with compositing in KDE 4.3 as discussed on Phoronix at
 [http://www.phoronix.com/forums/showthread.php?t=22057#post112989].
 It has been reported that upgrading to KDE 4.4 resolves the issue
 [http://www.phoronix.com/forums/showpost.php?p=113029&postcount=13]
 however KDE 4.4 is not to be expected in Debian until after the 4.4.1
 release scheduled for March 2, 2010 as per the channel topic in
 #debian-kde on irc.debian.org.  Therefore it would be useful to
 current KDE users to have fglrx 10.1 remain in the package repository
 as an option.

i don't think lack of compositing is severe enough to be considered
release critical. it's annoying, yes, but as long as standard rendering
still works, then it can be worked around.

the release version of this package will have to be newer than 10.2
anyway since neither this nor any previous version supports xorg 7.5.

mike






Bug#559759: webkit: multiple security issues

2010-02-22 Thread Michael Gilbert
version: 1.1.21-1

i've checked all of these issues, and they are all fixed in the latest
version in unstable.  thanks.

mike






Bug#559759: webkit: multiple security issues

2010-02-23 Thread Michael Gilbert
On Tue, 23 Feb 2010 11:30:57 -0300, Gustavo Noronha Silva wrote:
 On Mon, 2010-02-22 at 22:40 -0500, Michael Gilbert wrote:
  version: 1.1.21-1
  
  i've checked all of these issues, and they are all fixed in the latest
  version in unstable.  thanks.
 
 Awesome! Did you take notes of what commits fixed them? 

i recorded that in the security tracker [0].  note that CVE-2009-3272 is
still probably open, but it is only a denial-of-service.

 Also, I assume you wanted to mail -done?

yeah, i noticed i forgot the -done and sent another mail shortly after.

mike






Bug#564444: [Pkg-fglrx-devel] Bug#564444: fglrx driver in debian squeeze in limbo

2010-02-24 Thread Michael Gilbert
On Wed, 24 Feb 2010 08:00:45 -0500, Zachary Uram wrote:
 This sucks. Stupid closed source drivers cause such problems. Any
 workaround I can do?
 
 I need to build the fglrx driver for debian squeeze (ati radeon hd
 4550 card), but I just saw this bug
 saying the packages have been removed from testing due to a conflict
 with the x.org transition.
 
 The packages referred to here: http://wiki.debian.org/ATIProprietary
 such as fglrx-control and fglrx-driver are no longer available so
 what should I do?
 
 I don't know when the x.org transition will be finished and I really
 want 2D/3D acceleration so I can play my games :(

the driver works in debian 5.0 (lenny), and is fully supported there.
using testing comes with some risk, and if you want to avoid that risk,
the stable release is a much better option.

if you're feeling adventurous, you can track down the most recent xorg
7.4 packages, which are compatible with the current fglrx driver in
sid.  launchpad has an archive of all previously released debian
packages.

mike






Bug#560381: vboxgtk: fails on startup

2010-02-27 Thread Michael Gilbert
tag 560381 patch
thanks

hi, attached is a patch that solves the RC nature of this issue.  note
that even after this is applied, a lot of the functionality is not
working correctly due to the API change (as mentioned previously), but
at least you can run existing VMs.

i am planning to nmu this after 7 days (of course i will clean it up
and make it a quilt patch since it is currently a direct change in the
diff, which isn't good).

i will look at solving the other problems due to the new API when i find
the time.

mike
diff -u vboxgtk-0.5.0/debian/changelog vboxgtk-0.5.0/debian/changelog
--- vboxgtk-0.5.0/debian/changelog
+++ vboxgtk-0.5.0/debian/changelog
@@ -1,3 +1,9 @@
+vboxgtk (0.5.0-1.1) unstable; urgency=low
+
+  * Fix startup crash (closes: #560381).
+
+ -- Michael Gilbert michael.s.gilb...@gmail.com  Sat, 27 Feb 2010 13:21:28 -0500
+
 vboxgtk (0.5.0-1) unstable; urgency=low
 
   [ Devid Antonio Filoni ]
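Review bot: the changelog entry "Fix startup crash (closes: #560381)" does not say what crashed or what was changed; since the second hunk deletes the `vm_states.Discarding` label mapping and the cover mail attributes the breakage to the VirtualBox API change, the entry should name that (for example "Drop the vm_states.Discarding mapping, which the new VirtualBox API no longer provides, so the UI starts again") so a later reader can tell this fix apart from the other API breakage the cover mail says is still outstanding.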
only in patch2:
unchanged:
--- vboxgtk-0.5.0.orig/vboxgtk/vboxgtk_iface.py
+++ vboxgtk-0.5.0/vboxgtk/vboxgtk_iface.py
@@ -52,7 +52,6 @@
   self.vboxdao.vm_states.Stopping: _(Stopping),
   self.vboxdao.vm_states.Saving: _(Saving),
   self.vboxdao.vm_states.Restoring: _(Restoring),
-  self.vboxdao.vm_states.Discarding: _(Discading),
   self.vboxdao.vm_states.SettingUp: _(Setting Up) }
 self.builder = gtk.Builder()
 xml_files = ['xml/vboxgtk-actions.xml',
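Review bot: deleting the `Discarding` entry clears the attribute error for that one name only; the dict literal still dereferences every other `self.vboxdao.vm_states.*` attribute while the interface object is built, so the next state the new API renames or removes will crash startup in exactly the same way. Building the table defensively, for instance looking each name up with `getattr(self.vboxdao.vm_states, name, None)` and skipping the ones that are missing, would make the UI degrade to an unlabelled state instead of failing to start. Also note the removed line spelled the label "Discading"; if the state is reintroduced under a new name, the translated label should read "Discarding".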


Bug#535793: webkit: deluge of security vulnerabilities

2010-02-28 Thread Michael Gilbert
fixed 535793 1.1.21-1
thanks

hi, all of these issues have been triaged in the debian security
tracker [0] and found to be fixed on or before the latest webkit in
unstable.

many of these; however are still open in stable (the open issues at
[0]). a DSA needs to be issued for those.

thanks,
mike

[0] http://security-tracker.debian.org/tracker/source-package/webkit






Bug#559833: CVE-2009-3736 local privilege escalation

2010-03-02 Thread Michael Gilbert
On Tue, 2 Mar 2010 23:14:50 +0100, Stefano Zacchiroli wrote:
 On Mon, Dec 07, 2009 at 12:05:22AM -0500, Michael Gilbert wrote:
  The following CVE (Common Vulnerabilities & Exposures) id was
  published for libtool.  I have determined that this package embeds a
  vulnerable copy of the libtool source code.  However, since this is a
  mass bug filing (due to so many packages embedding libtool), I have
  not had time to determine whether the vulnerable code is actually
  present in any of the binary packages. Please determine whether this
  is the case. If the binary packages are not affected, please feel free
  to close the bug with a message containing the details of what you did
  to check.
 
 I believe this bug report can be closed as false positive. I detail
 below my verifications to that conclusion and I copy the security team
 for insights.
 
 - the imagemagick source package build-depends on libltdl-dev
 
 - all binaries built by imagemagick depend (either directly or
   transitively) on libltdl7, see shell log [1] -- tested on amd64
 
 - the build log of latest imagemagick on amd64 says:
 
 checking for ltdl.h... yes
 checking whether lt_dlinterface_register is declared... yes
 checking for lt_dladvise_preload in -lltdl... yes
 checking where to find libltdl headers...
 checking where to find libltdl library... -lltdl
 
   it also says, at link time
 
 LIBS= -lMagickCore -llcms -ltiff -lfreetype -ljpeg -llqr-1 
 -lglib-2.0 -lfontconfig -lXext -lSM -lICE -lX11 -lXt -lbz2 -lz -lm -lgomp 
 -lpthread -lltdl
 
   without any specific CFLAGS/LDFLAGS.
 
 From all the above, I'm inclined to conclude that imagemagick uses
 system-wide ltdl and hence is unaffected by this bug. Confirmation
 and/or comments would be very welcome.

also:

$ ldd /usr/bin/compare | grep ltdl
	libltdl.so.7 => /usr/lib/libltdl.so.7 (0xb7009000)
...
(true for all of the other imagemagick binaries too)

i would say this is more than enough checking, and the bug can be
safely closed.  thanks!

mike





