Bug#930722: arc, arcanist: Both ship arc binary
On Wed, Jun 19, 2019 at 6:18 AM Julian Andres Klode wrote:
>
> Package: arc,arcanist
> Severity: serious
>
> arc: /usr/bin/arc
> arcanist: /usr/bin/arc
>
> One of them needs to be renamed, or both.

As one who has made use of various incarnations of the 'arc' program since the 1990s, and as one who has been thinking about adopting the 'arc' package in Debian, I note that the 'arc' package has been in Debian since 2004 while 'arcanist' has only been in Debian since 2015. Therefore 'arcanist' has likely been violating policy since it was brought into Debian. It's also interesting that the popcon for 'arc' (~1000) is some 10 times what 'arcanist' (~100) has, likely because 'arc' is an archiver.

I also find it interesting that bug number 919697 was opened on 'arcanist' as 'Serious' back in January about the same problem, noting that "arcanist: file conflict with arc" but was then downgraded to normal by the maintainer. So that maintainer could have fixed the problem at least when he uploaded a new version of the 'arcanist' package in February, if he hadn't been aware of the problem until then.

--
Robert J. Clay
rjc...@gmail.com
j...@rocasa.us
Bug#869994: work around solution
On 18 May 2018, Reto Schoch wrote:
> Your suggested workaround made me once again have a glimpse on the
> developer's website and there I found at the top of the FAQ that he
> meanwhile has a respond to this issue, namely:
> perl 5.26 @INC error If you get something like this instead of the login
> screen

I also can now see that the author added that information, as well as the reference URL for the issue, to the SQL-Ledger FAQ. Since I'm having to patch it anyway for the Debian package and it's being installed to a known directory, I'm using the example given in that reference for "Script Authors". And it does seem to work, although I'm only able to get as far as the 'Create Dataset' page because a template selection is required and that directory is missing any contents in the distribution archive.

--
Robert J. Clay
rjc...@gmail.com
j...@rocasa.us
Bug#869994: SQL-Ledger packaging project at salsa.debian.org
The old Alioth server is no longer available and has largely been replaced by the new GitLab instance at salsa.debian.org. The SQL-Ledger packaging project is now at https://salsa.debian.org/debian/sql-ledger.

--
Robert J. Clay
rjc...@gmail.com
Bug#900942: Fwd: [ledgersmb-announce] Security announcement for CVE-2018-9246 / PGObject::Util::DBAdmin
Source: libpgobject-util-dbadmin-perl
Severity: grave
Tags: security

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9246

-- Forwarded message -
From: Erik Huelsmann
Date: Wed, Jun 6, 2018 at 6:36 PM
Subject: [ledgersmb-announce] Security announcement for CVE-2018-9246 / PGObject::Util::DBAdmin
To:

This mail is sent to this mailing list because PGObject::Util::DBAdmin itself doesn't have a mailing list to send the disclosure to. We'll update its repository to reflect the announcement below.

Please take note of the security advisory below, known as CVE-2018-9246

Nick Prater discovered that the PGObject::Util::DBAdmin insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection. The vulnerability allows an attacker to execute arbitrary code with the same privileges as the running application through the create(), run_file(), backup() and restore() functions.

Affected versions: PGObject::Util::DBAdmin versions 0.110.0 and lower.
Vulnerability type: Insufficiently sanitized arguments in external program invocation
Discoverer: Nick Prater (NP Broadcast LTD)
Resolution: Upgrade to PGObject::Util::DBAdmin 0.120.0 or newer. (0.130.0 available on CPAN).
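The vulnerability class named in the advisory above (variable values used as part of a shell command line), shown beside a hardened form. This is an added example, not part of the forwarded message and not code from PGObject::Util::DBAdmin; the sub names, the identifier allowlist and the use of `echo` as a stand-in for the external database tool are assumptions made so the script runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed input: a database name as an application might receive it
# from a request parameter. The ';' is what a shell would act on.
my $dbname = 'demo; echo INJECTED';

# Unsafe pattern: the value is interpolated into one command string.
# Because the string contains shell metacharacters, Perl runs it through
# /bin/sh -c, and the shell treats ';' as a command separator.
sub run_via_shell {
    my ($name) = @_;
    my $out = qx(echo createdb $name);
    return $out;
}

# Safer pattern: list-form pipe open. No shell is involved; every list
# element becomes exactly one argv entry of the child process.
# ('echo' is a stand-in for the real tool, an assumption of this example.)
sub run_as_list {
    my ($name) = @_;
    open(my $fh, '-|', 'echo', 'createdb', $name)
        or die "Can't run echo: $!\n";
    my $out = do { local $/; <$fh> };
    close($fh) or die "echo exited with status $?\n";
    return $out;
}

# Defence in depth: accept only names that fit a strict allowlist
# (assumed here: an unquoted PostgreSQL-style identifier, max 63 chars).
sub valid_dbname {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z_][A-Za-z0-9_]{0,62}\z/ ? 1 : 0;
}

print "shell string : ", run_via_shell($dbname);
print "argument list: ", run_as_list($dbname);
for my $candidate ($dbname, 'ledger_2018') {
    printf "%-24s %s\n", "'$candidate'",
        valid_dbname($candidate) ? 'accepted' : 'rejected';
}
```

In the first call the text after the `;` runs as a second command; in the second call the whole value is printed back as a single argument.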
Bug#869994: proposed fix
> Greetings all using FindBin and adding the current directory everywhere
> sql-ledger calls perl should fix the issue in all versions.

I appreciate the example perl script you provided but since it's known where the package is installing sql-ledger to, I don't think using "FindBin" is necessary. At least, that's what I'm assuming with the patch I've created for the ITA[1] I've been working on. I originally wrote the patch against sql-ledger 3.0.8 but will be updating as necessary for use against the most recent version I currently see, which is 3.2.6.

--
Robert J. Clay
rjc...@gmail.com

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862963
Bug#851086: RFH: citadel/webcit
On Tue, Dec 12, 2017 at 11:16 AM, Michael Meskes wrote:
> Robert,
>
>> If not I'm going to have it removed I guess.
>>
>> I'd be against that.
>
> Me too, but somebody has to be able to put some time into it. :)
>
>> I have a Jessie installed system that I can't update to Stretch
>> because citadel won't run on it yet; and the Citadel install there
>> is
>> one of the primary reasons I'm running that system. (And I prefer to
>> use Debian for my systems, and 'official' packages when possible.)
>
> What's the problem? I'm not aware of any grave bug on Stretch, but may
> have missed it.

Well, perhaps not "grave" and I have perhaps gotten overly focused on wanting to test out newer versions but there is also the 'important' bug #862296[1], although I do think I'd found a work-around for the issue.

>
>> There used to be a team maintaining these packages,
>> > but I'm the only one who worked on it in recent years.
>>
>>I've wondered about that...
>>I'm a DM (as j...@rocasa.us) not a DD, so there are some things I
>> can't do directly. I am very interested in helping how I can with
>> the Citadel packages.
>
> If you're interested, how about becoming a member of the team?

Actually, I'm already listed as a member... (Robert Clay, 'jame-guest')

--
Robert J. Clay
rjc...@gmail.com

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862296
Bug#851086: [Pkg-citadel-devel] Bug#859789: Bug#859789: RFH: citadel/webcit
On Mon, Dec 11, 2017 at 11:29 PM, Art Cancro wrote:
>
> On 2017-12-11 7:42 AM, Michael Meskes wrote:
>
>> Anyone interested in citadel/webcit?

I am, as I prefer to use the Debian packages for my systems. And will do what I can in support of keeping it in Debian. (As well as the other Citadel packages, of course.)

>> There used to be a team maintaining these packages, but I'm the only one
>> who worked on it in recent years.

I had wondered about that.

>> Not having used the software myself

I do use it, and plan to keep doing so. And to further that, plan to do more testing myself after hearing how the results of the current testing of the new version goes.

--
Robert J. Clay
rjc...@gmail.com
j...@rocasa.us
Bug#859789: RFH: citadel/webcit
Michael,

On Mon, Dec 11, 2017 at 7:42 AM, Michael Meskes wrote:
> Anyone interested in citadel/webcit?

I am. (As well as the rest of the citadel packages of course.)

> If not I'm going to have it removed I guess.

I'd be against that. I have a Jessie installed system that I can't update to Stretch because citadel won't run on it yet; and the Citadel install there is one of the primary reasons I'm running that system. (And I prefer to use Debian for my systems, and 'official' packages when possible.)

I also have a couple of LXC containers (for stretch & buster) I've used for testing citadel versions, which are waiting pending the results of the testing I've seen mention of in the Citadel Development mailing list.

> There used to be a team maintaining these packages,
> but I'm the only one who worked on it in recent years.

I've wondered about that...

I'm a DM (as j...@rocasa.us) not a DD, so there are some things I can't do directly. I am very interested in helping how I can with the Citadel packages.

> Not having used the software myself I don't
> really intend to spend more time on it and both packages have an RC bug, that
> upstream may or may not have fixed.

I've been waiting to see how the testing for the new version goes, that runs on Debian Stretch. If that works out well and the citadel packages can be updated and it migrates to Testing without issue, I'd like to at least see it back ported to stretch-backports. (And yes, I'd be more than happy to keep an eye on any such package in backports.)

--
Robert J. Clay
rjc...@gmail.com
j...@rocasa.us
Bug#869994: sql-ledger: Can't locate bin/mozilla/login.pl in @INC
Hi Neil!

On Thu, Dec 7, 2017 at 6:48 AM, Neil Redgate wrote:
> On Wed, 2017-12-06 at 12:46 -0500, Robert J. Clay wrote:
>
> As a reminder; the title of the bug you opened was changed to the
> following to better reflect the issue with the sql-ledger package:
>
> sql-ledger: Can't locate bin/mozilla/login.pl in @INC
>
> Thank you for changing the title.
>
>> On Sun, Jul 30, 2017 at 4:09 AM, Neil Redgate wrote:
>
>> I have contacted the developer of sql-ledger and he has given me a couple of
>> suggestions - which I hope to look into later today.
>
> >And did any of those suggestions help?
>
> >Since there is going to be the same issue with any of the more
> recent versions of Perl, I've been wondering if he was going to
> release a new version that fixed the issue...
>
> I contacted the developer, and he offered the following advice -
>
> SQL-Ledger code is generic. There is an
>
> eval { require "sql-ledger.conf"; };
>
> which may call @INC.
>
> comment the line and see if it works.
>
> Unfortunately there was no improvement, I did the following -
>
> A) commented out the eval line in admin.pl and login.pl only
> launched admin and login pages separately.
> Both returned 500: Internal Server Error message
> My browser's debugging page states this page "failed to load the resource
> 'favicon.ico' (http://localhost/faviocn.ico)
> favicon.ico is only mentioned in the admin.pl and login.pl files in the
> directory /bin : $form->{favicon} = "favicon.ico";
> In these files, the line immediately preceding it is $form->{stylesheet} =
> "sql-ledger.css";

That quite likely was due to not being able to find it, which is part of the problem when the code (like in SQL-Ledgers) assumes that the 'current directory' is included in the search path in @INC.
>
> B) commented out the eval line in all 26 .pl files in the parent directory
> (including admin and login)
> The same error result occurred: 500: Internal Server Error message
> My browser's debugging page states this page "failed to load the resource"
> 'admin.pl' or 'login.pl' depending on which action I took.

Possibly the same issue, with it not being able to find the scripts...

>
> On my debian system, when perl5.24 was installed, there was a temporary
> workaround to allow apache2 and postgresql to work with perl.
> This involved commenting out the only line (below) in the file
> /etc/perl/sitecustomize.pl -
>
> pop @INC if $INC[-1] eq '.' and !$ENV{PERL_USE_UNSAFE_INC};
>
> If this line was left uncommented, postgresql failed to work through a web
> browser and gave the same message - 500 Internal Server Error
> I understand that perl 5.26 removes the insecurity associated with '.'

Yes, with Perl 5.26 they dropped having the current directory (".") in the @INC array altogether, as well as dropping the site customize line (or even checking for it). That was an option to add it back in if a sys admin wanted to.

> While investigating the perl-postgresql connection, I came across a bug
> report in debian that the current postgresql 9.6 version could not be
> built/compiled against perl 5.26.
> A solution has been targeted for release in "August"
>
> I do not know if this has been achieved?

I do believe it was (and since then made it to Testing...) but as I mentioned then and Gregor also confirmed, that is not something that was relevant to this issue with SQL-Ledger.

> Hence, waiting to try again, with a fresh
> testing install and install/configuration of sql-ledger.

I am most interested in how that goes for you, especially if you add the same kind of block of code that I did, with the appropriate path for your install of SQL-Ledger of course.
(Although I'm mostly interested in the package, and in fact am working on adopting it, I may try a manual install of a newer version as well...)

> I can access phppgadmin; pgadmin3; phpmyadmin, so I do not think there is a
> problem with a webbrowser interface, postgresql or php

No, I agree; it's not an issue at the browser end.

> However there is a problem with this - when I try and backup (save to file
> or email) I get the error message -
>
> Wide character in print at SL/AM.pm line 2012 (this is repeated 4 times)
> and a screen of "random text" in lines and no spaces, but beginning with
> Content-Type: application/file: Content-Disposition: attachment;
> filename=ndres-3.2.4-20171207.sql.gz
>
> I have never had this issue when I was able to run 3.24 on my PC
> Have you come across this problem in your experience with sql-ledger
Bug#869994: sql-ledger: Can't locate bin/mozilla/login.pl in @INC
Hi Neil!

On Thu, Dec 7, 2017 at 10:26 AM, Robert J. Clay wrote:
> Note also that I'm still working with the existing version of
> SQL-Ledger in Debian, which is still only 3.08.

And although the patch I used looks like it resolved the error (although I was getting it as "Can't locate bin/mozilla/admin.pl in @INC" without the patch since it was a new install on Debian Testing and I hadn't gotten to the point of trying a login yet) but other errors were coming up instead. But it's also true that the 3.08 version is quite old and it needs to be tested with the v3.25 version in any case.

> Attempting to build a
> new package based on the new SQL-Ledger v3.25 results in other errors

Despite those, it looks like I need to try that patch I made with the SQL-Ledger version 3.25 & see how it works with the newer version, & see that newer version works on a Debian Testing install without that "Can't locate" error in the way. If that at least works, I can work on resolving the other packaging issues I found.

--
Robert J. Clay
rjc...@gmail.com
Bug#869994: Fwd: Bug#869994: sql-ledger: Can't locate bin/mozilla/login.pl in @INC
-- Forwarded message --
From: Robert J. Clay
Date: Thu, Dec 7, 2017 at 10:26 AM
Subject: Re: Bug#869994: sql-ledger: Can't locate bin/mozilla/login.pl in @INC
To: Neil Redgate

Hi Neil!

Note that I've changed the subject for these emails back to reflect the current title of the bug.

On Thu, Dec 7, 2017 at 6:48 AM, Neil Redgate wrote:
>
> Please see my embedded comments below -
>
> On Wed, 2017-12-06 at 12:46 -0500, Robert J. Clay wrote:
>
> As a reminder; the title of the bug you opened was changed to the
> following to better reflect the issue with the sql-ledger package:
>
> sql-ledger: Can't locate bin/mozilla/login.pl in @INC
>
> Thank you for changing the title.

For the email to which you've just replied; I changed it back to the old subject so that hopefully you would see it more easily. The retitle of the bug itself was done by one of the Debian Developers who were corresponding with on that bug back then.

> On Sun, Jul 30, 2017 at 4:09 AM, Neil Redgate wrote:
>
> I contacted the developer, and he offered the following advice -
>
> SQL-Ledger code is generic. There is an
>
> eval { require "sql-ledger.conf"; };
>
> which may call @INC.
>
> comment the line and see if it works.
>
> Unfortunately there was no improvement,

I wonder if he (the SQL-Ledger author) has looked at that same Perl v5.26 reference noted earlier in the bug regarding this issue?
https://metacpan.org/pod/release/XSAWYERX/perl-5.26.0/pod/perldelta.pod#Removal-of-the-current-directory-%28%22.%22%29-from-@INC

What I referenced is in that and what I'm going to try is adding the following code to the scripts, where that path is as it is installed with the Debian package:

--
BEGIN {
    my $dir = "/usr/share/sql-ledger";
    chdir $dir or die "Can't chdir to $dir: $!\n";
    # safe now
    push @INC, '.';
}
--

Note that I say "try" because although I've created a patch that makes that change in the application scripts, I still need to create a new LXC container (with Debian Testing or Unstable installed) where I can test it after building a test version of the SQL-Ledger package with that patch.

Note also that I'm still working with the existing version of SQL-Ledger in Debian, which is still only 3.08. Attempting to build a new package based on the new SQL-Ledger v3.25 results in other errors (as I noted in the open bug regarding updating the package to that new version [1]) and I want to see if this patch helps with this issue before addressing anything else.

I'll follow up further (to you, as well as the bug), later.

Robert J. Clay
rjc...@gmail.com

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862953

--
Robert J. Clay
rjc...@gmail.com
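The failure and the workaround discussed in the message above, reproduced in a throwaway directory. This is an added example, not part of the original message and not SQL-Ledger or Debian packaging code; the temporary directory stands in for /usr/share/sql-ledger, and the file contents and the `try_require` helper are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Constructed layout standing in for the application directory: a script
# that the other scripts load by a path relative to the current directory.
my $app_dir = tempdir(CLEANUP => 1);
make_path("$app_dir/bin/mozilla");
open(my $fh, '>', "$app_dir/bin/mozilla/login.pl") or die "open: $!\n";
print {$fh} "sub login_loaded { return 'login.pl loaded' }\n1;\n";
close($fh) or die "close: $!\n";

# Attempt a relative require and report the outcome instead of dying.
# (Hypothetical helper, used only by this example.)
sub try_require {
    my ($file) = @_;
    my $ok = eval { require $file; 1 };
    return 'ok' if $ok;
    my ($msg) = $@ =~ /\A(.*? in \@INC)/;
    return 'failed: ' . ($msg // $@);
}

# Perl 5.26 and later leave '.' out of @INC. Dropping it explicitly makes
# the script behave the same way on older interpreters.
@INC = grep { $_ ne '.' } @INC;
chdir $app_dir or die "Can't chdir to $app_dir: $!\n";

# A path that does not start with '/', './' or '../' is searched for in
# @INC only, so this fails although the file exists under the cwd.
print "without '.': ", try_require('bin/mozilla/login.pl'), "\n";

# The workaround from the message: '.' is added back only after chdir to
# a fixed directory, so it names that directory rather than wherever the
# process was started. '.' is resolved at require time, so a later chdir
# elsewhere would change what it refers to.
push @INC, '.';
print "with '.'   : ", try_require('bin/mozilla/login.pl'), "\n";
print "loaded sub : ", main->can('login_loaded') ? login_loaded() : 'missing', "\n";

# Leave the temporary directory so File::Temp can remove it on exit.
chdir '/' or die "Can't chdir to /: $!\n";
```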
Bug#869994: perl5.26 update: postgresql databases cannot be viewed using browser
Neil,

As a reminder; the title of the bug you opened was changed to the following to better reflect the issue with the sql-ledger package:

sql-ledger: Can't locate bin/mozilla/login.pl in @INC

On Sun, Jul 30, 2017 at 4:09 AM, Neil Redgate wrote:
>
> I have contacted the developer of sql-ledger and he has given me a couple of
> suggestions - which I hope to look into later today.

And did any of those suggestions help?

Since there is going to be the same issue with any of the more recent versions of Perl, I've been wondering if he was going to release a new version that fixed the issue...

> If I have success, I will certainly post my findings.

Should it be assumed, then, that you did not have any success? I've not seen any follow up messages from you about it...

--
Robert J. Clay
rjc...@gmail.com
Bug#852923: dojo package debian/watch file
This is regarding the debian/watch issue but I am directing it here because that bug [1] was merged into this one [2].

On Tue, Sep 12, 2017 at 1:07 PM, Robert J. Clay wrote:
> The bug is tagged as 'fixed-stream' and I was
> going to try a test build of 1.12.2 (which I had to download manually
> because the current d/watch doesn't appear to work) but that archive
> appears to be missing (at least) the utils directory.

I did some more investigation (since none of the dojo bugs have had any followup recently except from me) and found that the archive I manually downloaded was the wrong one. Investigating further I found that the error being seen when the current debian/watch is used is coming up because the uscan process is not checking in the subdirectories of the download page and is therefore not finding the correct archive. (Why it is then trying the 'shrinksafe' archive which although still being referenced is no longer available, is unclear to me.)

Further, what I found is that a change to the debian/watch file by the then maintainer (who, btw, took himself out of the Uploaders list with the most recent upload) has had the effect of no longer doing the upstream search correctly and therefore not being able to find the correct new upstream archive. The difference appearing to be changing "/release-([\d\.]*)/" to "/release-(\d.*)/" in the URL template part of the command, apparently intended to "Support development versions" according to the 1.11.0~rc3+dfsg-1 debian/changelog where the change appears to have taken place. Adding those square brackets back in allows it to correctly find and then repack the correct new version of the archive.

--
Robert J. Clay
rjc...@gmail.com, j...@rocasa.us

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869864
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852923
Bug#852923: dojo package build errors: FTBFS: OPTIMIZER FAILED
What is the status of resolving the issues with the dojo package failing to build from source? I tried a test build of 1.11.0 in stretch as well as in a current sid chroot (using debhelper 9) and the same errors come up. The bug is tagged as 'fixed-stream' and I was going to try a test build of 1.12.2 (which I had to download manually because the current d/watch doesn't appear to work) but that archive appears to be missing (at least) the utils directory.

I have a package that depends on dojo so I am very interested in what is happening with it.

--
Robert J. Clay
rjc...@gmail.com
Bug#869994: perl5.26 update: postgresql databases cannot be viewed using browser
Neil,

On Tue, Aug 1, 2017 at 5:21 AM, Neil Redgate wrote:
>
> Hi Gregor,
>
> While investigating this problem, I came across bug #865020 (message
> #1524985) concerning postgresql9.6, perl5.26 and postgresql-plperl?
>

Perhaps gregor can correct me if I'm wrong but that bug does not look to be related to the bug that you reported. (The title for which, btw, has been changed to be "sql-ledger: Can't locate bin/mozilla/login.pl in @INC".)

> It looks like an upgrade is forthcoming sometime this month
>

Actually; the bug looks to have been closed already and the version that closed it made it to Testing on 26 July...

--
Robert J. Clay
rjc...@gmail.com
Debian Maintainer
Bug#869994: sql-ledger: Can't locate bin/mozilla/login.pl in @INC
> I will attempt to let the sql-ledger developer know of the situation
> though I am not a subscriber to their forum.

I also am very interested in that; please let me know (or just reply to the bug) what you find out about it. I was able to find postings about similar issues in the forums but not ones specific to installations attempting to use it with Perl v5.26.

--
Robert J. Clay
rjc...@gmail.com
Bug#725758: LedgerSMB 1.3.x and Apache v2.4?
On Thu, Jan 9, 2014 at 3:57 AM, Robert J. Clay wrote:
> On Tue, Jan 7, 2014 at 4:51 AM, Chris Travers wrote:
>> Speaking of which, anything I can do to help with the Apache 2.4 issues?
>
>Well, I don't know how many people are already using LedgerSMB
> v1.3.x with Apache v2.4, but it seems to me that there will be; had
> you all considered splitting off the 1.3.x LedgerSMB ledger-httpd.conf
> file into Apache version specific files, like has already been done
> for LedgerSMB v1.4?

In the mean time, I'm using a 2.4 compatible version of the file kept in packaging directory; still need to get that to work, though... I am now working on the packaging for 1.3.36; need to get it working for both upgrades and new installs...

>> I will confess it is somewhat difficult as I am currently running Apache
>> 2.2, and haven't had time to upgrade my dev environment.

Something I've found that seems to be true, at least if the access_compat module is available (like it appears to be in Debian Testing); if the v2.2 compatible file is left in conf.d and no 2.2 compatible version is enabled in conf-available, it does appear to work. This I found on a test system that was updated from wheezy to jessie, which also updated the ledgersmb install to 1.3.25. As I've not yet been able to get a working v2.4 compatible ledgersmb httpd config file; I don't know if such a file was enabled, if that automatically overrides such an existing v2.2 compatible file.

--
Robert J. Clay
rjc...@gmail.com
j...@rocasa.us

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#725758: ledgersmb: Ledgersmb uses /etc/apache2/conf.d to store ledgersmb-httpd.conf but that is deprecated
(correcting subject line)

On Tue, Oct 8, 2013 at 6:37 AM, Moshe Yudkowsky wrote:
>Version: 1.3.25-1
>Justification: renders package unusable
>Severity: grave

> Apache2 no longer supports /etc/apache2/conf.d; configuration
> information in that directory is ignored. The alias to
> /usr/share/ledgersmb is ignored so URLs will no longer work; even if
> that is fixed by symlinks, the *.pl scripts will not run because the
> AddHandler is not seen.

I disagree that it's of 'Grave' severity (perhaps 'Important'), since just moving and updating the configuration file would take care of the issue. OTOH; I think I have the issue resolved in the package version I'm currently working on (though it needs testing), so I'm not sure it's worth the trouble to change it.

--
Robert J. Clay
rjc...@gmail.com
j...@rocasa.us
Bug#725758: [Pkg-sql-ledger-discussion] Bug#725783: ledgersmb: /var/lib/ledgersmb/css does not work, but /usr/share/ledgersmb/css does
On Tue, Oct 8, 2013 at 6:37 AM, Moshe Yudkowsky wrote:
>Version: 1.3.25-1
>Justification: renders package unusable
>Severity: grave
>Tags: patch

> Apache2 no longer supports /etc/apache2/conf.d; configuration
> information in that directory is ignored. The alias to
> /usr/share/ledgersmb is ignored so URLs will no longer work; even if
> that is fixed by symlinks, the *.pl scripts will not run because the
> AddHandler is not seen.

I disagree that it's of 'Grave' severity (perhaps 'Important'), since just moving and updating the configuration file would take care of the issue. OTOH; I think I have the issue resolved in the package version I'm currently working on, so I'm not sure it's worth the trouble to change it.

--
Robert J. Clay
rjc...@gmail.com
j...@rocasa.us