Bug#1023606: samba: IPv6 only samba-tool gpo listall does not work, can't find DC
Package: samba
Version: 4.16.5
Severity: important
Tags: patch upstream ipv6
X-Debbugs-Cc: m...@mattgrant.net.nz
This is reported upstream as Samba bug
https://bugzilla.samba.org/show_bug.cgi?id=15226
Bug in central Samba DNS resolution code in IPv6 only environment. This one
probably also
affects domain sign up and join code, as well as samba-tool gpo
funcionality.
finddcs() does not resolve SRV records when there are only records in the
DNS for the AD DC servers.
Patch attached. Please merge with Debian Samba packages.
-- System Information:
Debian Release: 11.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.15.75-amd64-mag-lts (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages samba depends on:
ii adduser 3.118
ii dpkg 1.20.12
ii init-system-helpers 1.60
ii libbsd0 0.11.3-1
ii libc62.31-13+deb11u5
ii libcups2 2.3.3op2-3+deb11u2
ii libgnutls30 3.7.1-5+deb11u2
ii libldap-2.4-22.4.57+dfsg-3+deb11u1
hi libldb2 2:2.4.1+mag-1
ii libpam-modules 1.4.0-9+deb11u1
ii libpam-runtime 1.4.0-9+deb11u1
ii libpopt0 1.18-2
pn libpython3.7
ii libpython3.9 3.9.2-1
ii libtalloc2 2.3.3+mag-1~0mag0
ii libtasn1-6 4.16.0-2
ii libtdb1 1.4.6+mag-1
ii libtevent0 0.11.0+mag-1~0mag0
ii libwbclient0 2:4.16.5+mag-2
ii lsb-base 11.1.0
ii procps 2:3.3.17-5
ii python3 3.9.2-3
ii python3-dnspython2.0.0-1
pn python3-samba
pn samba-common
pn samba-common-bin
pn samba-libs
ii tdb-tools1.4.6+mag-1
Versions of packages samba recommends:
ii attr1:2.4.48-6
ii logrotate 3.18.0-2+deb11u1
ii python3-markdown3.3.4-1
pn samba-dsdb-modules
pn samba-vfs-modules
Versions of packages samba suggests:
pn bind9
ii bind9-utils [bind9utils] 1:9.16.33-1~deb11u1
ii bind9utils1:9.16.33-1~deb11u1
ii chrony4.0-8+deb11u2
pn ctdb
ii ldb-tools 2:2.5.2+samba4.16.5+mag-2
ii smbldap-tools 0.9.11-2
pn ufw
pn winbind
diff --git a/source4/libcli/resolve/dns_ex.c b/source4/libcli/resolve/dns_ex.c
index 0bb3ba02287..0525d0d019a 100644
--- a/source4/libcli/resolve/dns_ex.c
+++ b/source4/libcli/resolve/dns_ex.c
@@ -81,7 +81,7 @@ struct dns_records_container {
uint32_t count;
};
-static int reply_to_addrs(TALLOC_CTX *mem_ctx, uint32_t *a_num,
+static int reply_to_addrs(TALLOC_CTX *mem_ctx, uint32_t *addr_num,
char ***cur_addrs, uint32_t total,
struct dns_request *reply, int port)
{
@@ -151,8 +151,8 @@ static int reply_to_addrs(TALLOC_CTX *mem_ctx, uint32_t
*a_num,
rr->name->pLabelList->label);
if (addrs[total]) {
total++;
- if (rr->type == QTYPE_A) {
- (*a_num)++;
+ if (rr->type == QTYPE_A || rr->type == QTYPE_) {
+ (*addr_num)++;
}
}
}
@@ -211,7 +211,7 @@ static struct dns_records_container
get_a__records(TALLOC_CTX *mem_ctx,
struct dns_request *reply;
struct dns_records_container ret;
char **addrs = NULL;
- uint32_t a_num, total;
+ uint32_t addr_num, total;
uint16_t qtype;
TALLOC_CTX *tmp_ctx;
DNS_ERROR err;
@@ -236,12 +236,13 @@ static struct dns_records_container
get_a__records(TALLOC_CTX *mem_ctx,
}
}
- a_num = total = 0;
- total = reply_to_addrs(tmp_ctx, _num, , total, reply, port);
+ addr_num = total = 0;
+ total = reply_to_addrs(tmp_ctx, _num, , total, reply, port);
- if (qtype == QTYPE_ && a_num == 0) {
+ if (qtype == QTYPE_ && addr_num == 0) {
/*
- * DNS server didn't returned A when asked for records.
+ * DNS server didn't returned A when asked for records,
+ * and no record returned either
* Most of the server do it, let's ask for A specificaly.
*/
err = dns_lookup(tmp_ctx, name, QTYPE_A, );
@@ -249,7 +250,7 @@ static struct dns_records_container
get_a__records(TALLOC_CTX *mem_ctx,
goto done;
}
-
Bug#1012783: samba: Non upstream changes in source tarball
Source: samba Version: 4.16.2 Severity: normal Dear Maintainer, Your package source includes changes that are not in the upstream tarball for 4.16.2. Specifically, these are build generated manpages, and html files. The list of them is below. You can remove these files from the samba git master package branch on a clean repository by using git rm for each one: # git checkout master # git reset --hard # git clean -fdx # for F in `cat file-list.txt`; do git rm $F; done and then git commit the changes. List of files: ctdb/doc/ctdb-etcd.7 ctdb/doc/ctdb-etcd.7.html ctdb/doc/ctdb-script.options.5 ctdb/doc/ctdb-script.options.5.html ctdb/doc/ctdb-statistics.7 ctdb/doc/ctdb-tunables.7 ctdb/doc/ctdb.1 ctdb/doc/ctdb.1.html ctdb/doc/ctdb.7 ctdb/doc/ctdb.7.html ctdb/doc/ctdb.conf.5 ctdb/doc/ctdb.conf.5.html ctdb/doc/ctdb.sysconfig.5 ctdb/doc/ctdb_diagnostics.1 ctdb/doc/ctdb_mutex_ceph_rados_helper.7 ctdb/doc/ctdb_mutex_ceph_rados_helper.7.html ctdb/doc/ctdbd.1 ctdb/doc/ctdbd_wrapper.1 ctdb/doc/ltdbtool.1 ctdb/doc/onnode.1 ctdb/doc/ping_pong.1 docs/manpages/cifsdd.8 docs/manpages/dbwrap_tool.1 docs/manpages/eventlogadm.8 docs/manpages/idmap_ad.8 docs/manpages/idmap_autorid.8 docs/manpages/idmap_hash.8 docs/manpages/idmap_ldap.8 docs/manpages/idmap_nss.8 docs/manpages/idmap_rfc2307.8 docs/manpages/idmap_rid.8 docs/manpages/idmap_script.8 docs/manpages/idmap_tdb.8 docs/manpages/idmap_tdb2.8 docs/manpages/libsmbclient.7 docs/manpages/lmhosts.5 docs/manpages/log2pcap.1 docs/manpages/mvxattr.1 docs/manpages/net.8 docs/manpages/nmbd.8 docs/manpages/nmblookup.1 docs/manpages/ntlm_auth.1 docs/manpages/pam_winbind.8 docs/manpages/pam_winbind.conf.5 docs/manpages/pdbedit.8 docs/manpages/profiles.1 docs/manpages/rpcclient.1 docs/manpages/samba-regedit.8 docs/manpages/samba-tool.8 docs/manpages/samba.7 docs/manpages/samba.8 docs/manpages/samba_downgrade_db.8 docs/manpages/sharesec.1 docs/manpages/smb.conf.5 docs/manpages/smbcacls.1 docs/manpages/smbclient.1 docs/manpages/smbcontrol.1 docs/manpages/smbcquotas.1 docs/manpages/smbd.8 docs/manpages/smbget.1 docs/manpages/smbgetrc.5 docs/manpages/smbpasswd.5 docs/manpages/smbpasswd.8 docs/manpages/smbspool.8 docs/manpages/smbspool_krb5_wrapper.8 docs/manpages/smbstatus.1 docs/manpages/smbtar.1 docs/manpages/smbtree.1 docs/manpages/testparm.1 docs/manpages/traffic_learner.7 docs/manpages/traffic_replay.7 docs/manpages/vfs_acl_tdb.8 docs/manpages/vfs_acl_xattr.8 docs/manpages/vfs_aio_fork.8 docs/manpages/vfs_aio_pthread.8 docs/manpages/vfs_audit.8 docs/manpages/vfs_btrfs.8 docs/manpages/vfs_cacheprime.8 docs/manpages/vfs_cap.8 docs/manpages/vfs_catia.8 docs/manpages/vfs_ceph.8 docs/manpages/vfs_ceph_snapshots.8 docs/manpages/vfs_commit.8 docs/manpages/vfs_crossrename.8 docs/manpages/vfs_default_quota.8 docs/manpages/vfs_dirsort.8 docs/manpages/vfs_extd_audit.8 docs/manpages/vfs_fake_perms.8 docs/manpages/vfs_fileid.8 docs/manpages/vfs_fruit.8 docs/manpages/vfs_full_audit.8 docs/manpages/vfs_glusterfs.8 docs/manpages/vfs_glusterfs_fuse.8 docs/manpages/vfs_gpfs.8 docs/manpages/vfs_io_uring.8 docs/manpages/vfs_linux_xfs_sgid.8 docs/manpages/vfs_media_harmony.8 docs/manpages/vfs_nfs4acl_xattr.8 docs/manpages/vfs_offline.8 docs/manpages/vfs_prealloc.8 docs/manpages/vfs_preopen.8 docs/manpages/vfs_readahead.8 docs/manpages/vfs_readonly.8 docs/manpages/vfs_recycle.8 docs/manpages/vfs_shadow_copy.8 docs/manpages/vfs_shadow_copy2.8 docs/manpages/vfs_shell_snap.8 docs/manpages/vfs_snapper.8 docs/manpages/vfs_streams_depot.8 docs/manpages/vfs_streams_xattr.8 docs/manpages/vfs_syncops.8 docs/manpages/vfs_time_audit.8 docs/manpages/vfs_tsmsm.8 docs/manpages/vfs_unityed_media.8 docs/manpages/vfs_virusfilter.8 docs/manpages/vfs_widelinks.8 docs/manpages/vfs_worm.8 docs/manpages/vfs_xattr_tdb.8 docs/manpages/vfs_zfsacl.8 docs/manpages/vfstest.1 docs/manpages/wbinfo.1 docs/manpages/winbind_krb5_localauth.8 docs/manpages/winbind_krb5_locator.8 docs/manpages/winbindd.8 docs/manpages/winexe.1 docs/manpages/mdsearch.1 docs/manpages/samba-bgqd.8 docs/manpages/samba-dcerpcd.8 docs/manpages/vfs_expand_msdfs.8 -- Package-specific info: * /etc/samba/smb.conf present, but not attached * /var/lib/samba/dhcp.conf not present -- System Information: Debian Release: 11.3 APT prefers stable-security APT policy: (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 5.15.46-amd64-mag-lts (SMP w/8 CPU threads) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled -- no debconf information
Bug#1012240: winbind does not return AD groups a user is a member of AT ALL, or only one
Package: winbind Version: 2:4.16.1+mag-1 Severity: important Dear Maintainer, I have rebuilt samba 4.16.1 packages as I am including a samba INTERNAL DNS patch, bt I have not altered the packaging significantly other than this, and have not touched winbind I have been finding that when I login to the machine using a user from samba AD,with groups from samba AD, none of those AD groups that user is a member of show up in the output from the 'groups' command. Further more: shalom: -root- [/home/admin] # wbinfo -r grantma failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND Could not get groups for user grantma And in the samba logs: [2022/06/02 16:30:45.687576, 0] ../../source3/winbindd/winbindd_samr.c:71(open_internal_samr_conn) open_internal_samr_conn: Could not connect to samr pipe: NT_STATUS_ACCESS_DENIED The above works fine when the samba package is installed along with winbind. After the call find that the following programs are running: shalom: -root- [/home/admin] # ps -ef | grep samba root 139564 1 0 16:29 ?00:00:00 /usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=40 --np-helper --debuglevel=0 root 139574 139564 0 16:29 ?00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=5 --debuglevel=0 root 139576 139564 0 16:29 ?00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=6 --debuglevel=0 root 139578 139564 0 16:29 ?00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=7 --debuglevel=0 root 139580 139564 0 16:29 ?00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=8 --debuglevel=0 root 139583 136857 0 16:29 pts/500:00:00 grep samba When the above binaries permisions are set by: shalom: -root- [/home/admin] # chmod 400 /usr/libexec/samba/samba-dcerpcd /usr/libexec/samba/rpcd_lsad the following happens: shalom: -root- [/home/admin] # chmod 400 /usr/libexec/samba/samba-dcerpcd /usr/libexec/samba/rpcd_lsad It appears that wind bind needs samba-dcerpcd and rpcd_lsad to function correctly. Could these binaries and dependent libraries be moved to the winbind package please? Thank you! Matt Grant -- Package-specific info: * /etc/samba/smb.conf present, and attached * /var/lib/samba/dhcp.conf not present -- System Information: Debian Release: 11.3 APT prefers stable-security APT policy: (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 5.15.40-amd64-mag-lts (SMP w/8 CPU threads) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages winbind depends on: ii init-system-helpers 1.60 ii libbsd0 0.11.3-1 ii libc62.31-13+deb11u3 ii libgnutls30 3.7.1-5 ii libldap-2.4-22.4.57+dfsg-3+deb11u1 ii libpopt0 1.18-2 ii libtalloc2 2.3.3+mag-1~0mag0 ii libtdb1 1.4.6+mag-1 ii libtevent0 0.11.0+mag-1~0mag0 ii libwbclient0 2:4.16.1+mag-1 ii lsb-base 11.1.0 ii samba-common 2:4.16.1+mag-1 ii samba-common-bin 2:4.16.1+mag-1 ii samba-libs 2:4.16.1+mag-1 winbind recommends no packages. Versions of packages winbind suggests: ii libnss-winbind 2:4.16.1+mag-1 ii libpam-winbind 2:4.16.1+mag-1 -- no debconf information [Global] netbios name = SHALOM realm = AD.ANATHOTH.NET workgroup = AD kerberos method = secrets and keytab dedicated keytab file = /etc/krb5.keytab server string = %h DebianLinux Host security = ads client signing = auto server signing = auto # TLS setup tls certfile = /etc/ipsec.d/certs/anathoth_shalom.ad.anathoth.net.crt tls keyfile = /etc/ipsec.d/private/anathoth_shalom.ad.anathoth.net.key tls cafile = /etc/ipsec.d/cacerts/anathoth_vpn_ca.crt # Winbind settings # # Winbind idmap setup idmap config * : backend = autorid idmap config * : range = 20-200020 idmap config * : rangesize = 20 idmap config AD : backend = ad idmap config AD : range = 1-5 idmap config AD : unix_primary_group = yes idmap config AD : unix_nss_info = yes # Winbind offline logon winbind offline logon = no winbind use default domain = yes winbind enum users = no winbind enum groups = no winbind nested groups = yes winbind refresh tickets = yes winbind cache time = 300 template shell = /bin/bash template homedir = /home/%D/%U
Bug#1005270: ITP: wsdd -- The Web Service Discovery Daemon, to announce hosts for the Windows Network Browser
Package: wnpp Severity: wishlist Owner: Matthew Grant X-Debbugs-Cc: debian-de...@lists.debian.org * Package name: wsdd Version : 0.7.0 Upstream Author : Steffan Christgau * URL : https://github.com/christgau/wsdd * License : MIT License Programming Lang: Python 3 Description : The Web Service Discovery Daemon, to announce hosts for the Windows Network Browser This daemon is used to announce Linux Hosts to Windows 7+ computers for use in their File Manager network browsing, by using the Windows Services Discovery Protocol. This protocol is a local network segment procotol, which is multicasted on udp/3072, and incoming on tcp/5357 on the 239.255.255.250/ff02::c multicast addresses. It DOES have security issues, but it is designed for use in a trusted environment inside a firewall. Its quite useful for Samba, taking over from WINS and the Samba nmbd daemon. Installing this restores the Network browsing functionality to Windows 7+ Samba clients. I am initially getting it packaged and aceptted, dealing with intial bugs, and then will pass it on to the Debian Python Maintainers Team of which I am a member.
Bug#970903: RM: dms/oldstable -- ROM; removing until have time to revamp it
Package: ftp.debian.org Severity: normal Hi! Could you please remove the package from unstable as I honetly don't have the time at the moment to revamp the package for modern Debian. I am about to take it our ot use probably for myself, as I am focusing on Samba server development and IPv6 for my current employer. Some time in the future when I have spare time I may start work on this project again, but I am officially putting it on hold for now. Thank you so much for doing this. Best Regards, Matt Grant
Bug#918143: python3-daemon: DaemonRunner.__init__ failing with Python3 when opening stderr
Package: python3-daemon Version: 2.1.2-2 Severity: important Tags: upstream patch Dear Maintainer, *** Reporter, please consider answering these questions, where appropriate *** * What led up to the situation? * What exactly did you do (or not do) that was effective (or ineffective)? * What was the outcome of this action? * What outcome did you expect instead? *** End of the template - remove these template lines *** Packaging zfs-snap-manager. Uses DaemonRunner to fork into background. Problem with openning stderr in DaemonRunner.__init__ . With Python3 buffering argument to open() should be set to 1 for line buffering. This class fails to work with Python3, rendering this package mostly unusable. -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.12-amd64-mag (SMP w/8 CPU cores) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages python3-daemon depends on: ii python33.7.1-3 ii python3-lockfile 1:0.12.2-2 ii python3-pkg-resources 40.6.2-1 python3-daemon recommends no packages. python3-daemon suggests no packages. -- no debconf information Index: python-daemon-2.1.2/daemon/runner.py === --- python-daemon-2.1.2.orig/daemon/runner.py +++ python-daemon-2.1.2/daemon/runner.py @@ -37,6 +37,9 @@ from .daemon import (basestring, unicode from .daemon import DaemonContext from .daemon import _chain_exception_from_existing_exception_context +# Sort out buffering constant for open() +BUFFERING = (1 if sys.version_info.major >= 3 else 0) + class DaemonRunnerError(Exception): """ Abstract base class for errors from DaemonRunner. """ @@ -110,7 +113,7 @@ class DaemonRunner: self.daemon_context.stdin = open(app.stdin_path, 'rt') self.daemon_context.stdout = open(app.stdout_path, 'w+t') self.daemon_context.stderr = open( -app.stderr_path, 'w+t', buffering=0) +app.stderr_path, 'w+t', buffering=BUFFERING) self.pidfile = None if app.pidfile_path is not None:
Bug#774519: unblock: netscript-2.4/5.4.8
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Please unblock package netscript-2.4
2 serious bugs have been fixed in 5.4.8:
#717871 netscript: fails to install due to insserv rejecting the script
header: There is a loop between service networking and netscript if started
This is due to the ifupdown providing insserv support for $network, and
netscript-2.4 also doing the same. Both packages configure networking. The
setting for $network is configured in /etc/insserv/insserv.conf, but there is
no way of overriding that, is there?
This is fixed by removing init.d support for insserv/sysvinit, and depending on
systemd-sysv
#773772/#773773 netscript-2.4: Interace names with '-' in them cannot be set
up, and network configuration fails.
Netscript overloads variable names by adding the interface name at the start.
'-' are not acceptable parts of /bin/bash environment variable names. The
changes for this convert '-' in interface names to '_', which also should be
done to interface names in /etc/netscript/network.conf
This bug was fixed in 5.4.7 and I forgot to put a 'Closes' in the changelog and
had to close #773772/3 via the bugs.debian.org control interface.
A small fix involving quoting misplacement to do with bridge configuration is
also in 5.4.8. I know this is a minor change that fixes an 'Important' level
bug I found.
I am the upstream author for Netscript and a Debian Developer (since the early
2000s), and upstream is actually released directly into Debian, hence no -1 -2
package release levels. It was one of my first Debian packages. I would
release it differently now. It has functional heurestics that would be nice to
have in ifupdown. The useful iptables handling is available as a seperate
package netscript-ipfilter, which is better than iptables-persistent as it has
history, and 'helper' chains.
The above fixes are all minor 5.4.x version bug fixes. Note that new 5.x
functionality has been added. Please unblock the package, even though it has
the bridge handling quoting fixes.
All the above has been tested on an openstack server on Jessie/unstable I am
setting up to learn about Openstack
Changlog entries for 5.4.7 and 5.4.8
(include/attach the debdiff against the package in testing)
unblock netscript-2.4/5.4.8
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_NZ.utf8, LC_CTYPE=en_NZ.utf8 (charmap=UTF-8)
diff -Nru netscript-2.4-5.4.6/debian/changelog netscript-2.4-5.4.8/debian/changelog
--- netscript-2.4-5.4.6/debian/changelog 2014-12-22 19:48:40.0 +1300
+++ netscript-2.4-5.4.8/debian/changelog 2014-12-23 18:05:08.0 +1300
@@ -1,6 +1,21 @@
+netscript-2.4 (5.4.8) unstable; urgency=medium
+
+ * Remove sysvint/inserv support for package. (Closes: #771871)
+Revert totally removing ifupdown emulation/Provides as this breaks too
+many things. This just removes the dependency loop in /etc/init.d files
+which is unfixable.
+
+ -- Matthew Grant m...@mattgrant.net.nz Tue, 23 Dec 2014 17:50:04 +1300
+
+netscript-2.4 (5.4.7) unstable; urgency=medium
+
+ * Convert '-' in interface names to '_' (Closes: #773772)
+
+ -- Matthew Grant m...@mattgrant.net.nz Mon, 22 Dec 2014 21:10:30 +1300
+
netscript-2.4 (5.4.6) unstable; urgency=medium
- * Remove ifupdown emulation (Closes: #771871)
+ * Remove ifupdown emulation
-- Matthew Grant m...@mattgrant.net.nz Mon, 22 Dec 2014 19:48:20 +1300
diff -Nru netscript-2.4-5.4.6/debian/control netscript-2.4-5.4.8/debian/control
--- netscript-2.4-5.4.6/debian/control 2014-12-22 19:50:08.0 +1300
+++ netscript-2.4-5.4.8/debian/control 2014-12-23 18:06:20.0 +1300
@@ -7,8 +7,8 @@
Package: netscript-2.4
Architecture: all
-Depends: iproute2 | iproute (= 20001007), bridge-utils (= 0.9.3), iptables, netbase, bash (= 2.03), isc-dhcp-client | dhcpcd | pump, ${misc:Depends}
-Provides: netscript
+Depends: iproute2 | iproute (= 20001007), bridge-utils (= 0.9.3), iptables, netbase, bash (= 2.03), isc-dhcp-client | dhcpcd | pump, systemd-sysv, ${misc:Depends}
+Provides: netscript, ifupdown
Conflicts: netscript, netscript-2.2, ifupdown, netscript-ipfilter
Replaces: netscript, ifupdown
Suggests: whereami, dnsmasq, resolvconf, wpasupplicant, wicd, quagga, radvd, bird
diff -Nru netscript-2.4-5.4.6/debian/netscript-2.4.links netscript-2.4-5.4.8/debian/netscript-2.4.links
--- netscript-2.4-5.4.6/debian/netscript-2.4.links 2014-12-22 19:46:26.0 +1300
+++ netscript-2.4-5.4.8/debian/netscript-2.4.links 2014-12-23 17:43:57.0 +1300
@@ -2,3 +2,7 @@
usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/if.conf.5.gz
usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/qos.conf.5.gz
usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/ipfilter.conf.5
Bug#773772: netscript-2.4: Interace names with '-' in them cannot be set up, and network configuration fails.
Package: netscript-2.4
Version: 5.4.5
Severity: important
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
* What exactly did you do (or not do) that was effective (or
ineffective)?
* What was the outcome of this action?
* What outcome did you expect instead?
*** End of the template - remove these template lines ***
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_NZ.utf8, LC_CTYPE=en_NZ.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages netscript-2.4 depends on:
ii bash 4.3-11+b1
ii bridge-utils 1.5-9
ii init-system-helpers 1.22
ii iproute 1:3.16.0-2
ii iproute2 3.16.0-2
ii iptables 1.4.21-2+b1
ii isc-dhcp-client 4.3.1-5
ii netbase 5.3
netscript-2.4 recommends no packages.
Versions of packages netscript-2.4 suggests:
ii bird 1.4.5-1
ii dnsmasq2.72-2
pn quagga none
ii radvd 1:1.9.1-1.3
ii resolvconf 1.77~0mag01
pn whereami none
pn wicd none
ii wpasupplicant 2.3-1
-- Configuration Files:
/etc/netscript/network.conf changed:
VERBOSE=YES
IPV6_MODULE=NO
IPV6_DISABLE=NO
IPV4_FWDING_KERNEL=YES
IPV6_FWDING_KERNEL=YES
NET_GLOBAL_SYSCTL=
ipv4/ip_nonlocal_bind NO
ipv4/ip_dynaddr NO
ipv4/icmp_echo_ignore_all NO
ipv4/icmp_echo_ignore_broadcasts YES
ipv4/tcp_ecn NO
BACKUP_LEVELS=3
IF_AUTO=eth0 brg0 blan0 bdmz0 baoe0 binet1 bwan0 br0
IF_DYNAMIC=ppp0
ALLIF_ACCEPT_REDIRECTS=NO
IF_DEFAULT_IPV6_DISABLE=NO
DEF_IP_SPOOF=YES
DEF_IP_KRNL_LOGMARTIANS=YES
BRG_SWITCH=no
blan0_IPADDR=192.168.110.35/24_brd_192.168.110.255
fd14:828:ba69:1:ae22:bff:fe28:13ab/64 2001:470:f012:1:ae22:bff:fe28:13ab/64
brg0_IPADDR=172.31.7.1/24_brd_172.31.7.255 fd14:828:ba69:7::1/64
2001:470:f012:7::1/64
baoe0_IPADDR=fd14:828:ba69:f::2/64
blan0_IP_SPOOF=YES
brg0_IP_SPOOF=YES
blan0_IP_KRNL_LOGMARTIANS=YES
brg0_IP_KRNL_LOGMARTIANS=NO
binet1_IP_KRNL_LOGMARTIANS=NO
bdmz0_IP_KRNL_LOGMARTIANS=NO
eth0_IPV6_DISABLE=YES
binet1_IPV6_DISABLE=YES
bdmz0_IPV6_DISABLE=YES
br0_IPV6_DISABLE=YES
bwan0_IPV6_DISABLE=YES
baoe0_IPV6_DISABLE=NO
blan0_IPV6_DISABLE=NO
brg0_IPV6_DISABLE=NO
baoe0_IPV6_FWDING=NO
blan0_IPV6_ACCEPT_RA=YES
blan0_IPV6_ACCEPT_RA_PINFO=NO
blan0_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=64
blan0_IPV6_ROUTER_SOLICITATIONS=YES
blan0_RESOLVCONF=options edns0 inet6\nsearch internal.anathoth.net
anathoth.net\nnameserver fd14:828:ba69:1:21c:f0ff:fefa:f3c0
ppp_FAIRQ=YES
ppp_TXQLEN=30
ppp0_start () {
# don't run pppd if link already exists...
[ -f /var/run/$1.pid ] kill -0 `cat /var/run/$1.pid` return 0
# call ISP
pppd call avpptp0
}
ppp_stop () {
[ ! -f /var/run/$1.pid ] return 0
qt kill `cat /var/run/$1.pid`
sleep 5 # Wait for pppd to die
}
ppp0_network_ppp () {
ip route replace 192.168.6.0/24 via 192.168.6.2 dev ppp0
ip route replace 111.65.225.99/32 via 192.168.6.2 dev ppp0
}
MRK_CRIT=0x1 # Critical traffic, routing, DNS
MRK_IA=0x2 # Interactive traffic - telnet, ssh, IRC
MRK_T1=0xa
MRK_T2=0x14
CLS_FAIRQ=${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp
${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet
${MRK_IA}_tcp_0/0_ssh
IPV6_CLS_FAIRQ=${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route
${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain
${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh
MANGLE_OUTPUT_BYPASS=gre_0/0 esp_0/0 ah_0/0 ipip_0/0 encap_0/0
IPV6_MANGLE_OUTPUT_BYPASS=gre_0/0 esp_0/0 ipip_0/0 encap_0/0
LOG_LEVEL=warning
LOG_MAXRATE=3 # messages per second
LOG_TARGET=REJECT
IPV6_LOG_TARGET=REJECT
IPV6_ICMPHOST_MAXRATE=200 # messages per second
IPV6_ICMPFWD_MAXRATE=1000 # messages per second
IPV6_ICMPHOST_OPTIONAL=redirect 144 145 146 147
IPV6_ICMPFWD_OPTIONAL=144 145 146 147
MARTIAN_BYPASS=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
IPV6_MARTIAN_BYPASS=fd14:828:ba69::/48
MARTIAN_NETS= # List of additional martian/invalid
# IP source addresses - network/mask
IPV6_MARTIAN_NETS=
LOG_NOISE=NO
IPV6_LOG_NOISE=NO
INGRESS_IPS=127.0.0.1 203.79.116.183 192.168.110.254 172.31.10.254
IPV6_INGRESS_IPS=fd14:828:ba69:1::254 2001:470:f012::254 fd14:828:ba69:2::254
2001:470:f012:2::254 2001:470:c:2e6::2
INGRESS_FWD_NETS=127.0.0.0/8
IPV6_INGRESS_FWD_NETS=::1
SNMP_MANAGER_IPS=192.168.1.1
IPV6_SNMP_MANAGER_IPS=::1
SNMP_DEST_BLOCK=0/0
IPV6_SNMP_DEST_BLOCK=::/0
IP_BLOCKS=203.79.116.183/32
IPV6_IP_BLOCKS=2001:470:f012::/48
SMB_BLOCK=YES
SNMP_BLOCK=YES
IPV6_OUT_TARGET=RETURN
-- no debconf information
--
To UNSUBSCRIBE, email to
Bug#773773: netscript-2.4: Interace names with '-' in them cannot be set up, network configuration fails.
Package: netscript-2.4
Version: 5.4.5
Severity: important
Tags: patch
Dear Maintainer,
* What led up to the situation
Setting up a machine to run Open Stack on it, and the OpenVSwitch bridges were
named br-ex and br-int
Configuring interface: eth0 br0 man0Error: argument ex_MTU:- is wrong:
Invalid mtu value
Error: an inet prefix is expected rather than ex.
Error: an inet prefix is expected rather than ex.
Error: argument ex_TXQLEN:- is wrong: Invalid txqueuelen value
br-exError: argument int_MTU:- is wrong: Invalid mtu value
Error: an inet prefix is expected rather than int.
Error: an inet prefix is expected rather than int.
Error: argument int_TXQLEN:- is wrong: Invalid txqueuelen value
br-intError: argument man0_MTU:- is wrong: Invalid mtu value
Error: an inet prefix is expected rather than man0.
Error: an inet prefix is expected rather than man0.
Error: argument man0_TXQLEN:- is wrong: Invalid txqueuelen value
brg-man0Error: argument ex0_MTU:- is wrong: Invalid mtu value
Error: an inet prefix is expected rather than ex0.
Error: an inet prefix is expected rather than ex0.
Error: argument ex0_TXQLEN:- is wrong: Invalid txqueuelen value
brg-ex0.
This is quite a problem. Investigated and found that it is a limitation of the
way the package configuration parses shell environment variables.
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_NZ.utf8, LC_CTYPE=en_NZ.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages netscript-2.4 depends on:
ii bash 4.3-11+b1
ii bridge-utils 1.5-9
ii init-system-helpers 1.22
ii iproute 1:3.16.0-2
ii iproute2 3.16.0-2
ii iptables 1.4.21-2+b1
ii isc-dhcp-client 4.3.1-5
ii netbase 5.3
netscript-2.4 recommends no packages.
Versions of packages netscript-2.4 suggests:
ii bird 1.4.5-1
ii dnsmasq2.72-2
pn quagga none
ii radvd 1:1.9.1-1.3
ii resolvconf 1.77~0mag01
pn whereami none
pn wicd none
ii wpasupplicant 2.3-1
-- Configuration Files:
/etc/netscript/network.conf changed:
VERBOSE=YES
IPV6_MODULE=NO
IPV6_DISABLE=NO
IPV4_FWDING_KERNEL=YES
IPV6_FWDING_KERNEL=YES
NET_GLOBAL_SYSCTL=
ipv4/ip_nonlocal_bind NO
ipv4/ip_dynaddr NO
ipv4/icmp_echo_ignore_all NO
ipv4/icmp_echo_ignore_broadcasts YES
ipv4/tcp_ecn NO
BACKUP_LEVELS=3
IF_AUTO=eth0 brg0 blan0 bdmz0 baoe0 binet1 bwan0 br0
IF_DYNAMIC=ppp0
ALLIF_ACCEPT_REDIRECTS=NO
IF_DEFAULT_IPV6_DISABLE=NO
DEF_IP_SPOOF=YES
DEF_IP_KRNL_LOGMARTIANS=YES
BRG_SWITCH=no
blan0_IPADDR=192.168.110.35/24_brd_192.168.110.255
fd14:828:ba69:1:ae22:bff:fe28:13ab/64 2001:470:f012:1:ae22:bff:fe28:13ab/64
brg0_IPADDR=172.31.7.1/24_brd_172.31.7.255 fd14:828:ba69:7::1/64
2001:470:f012:7::1/64
baoe0_IPADDR=fd14:828:ba69:f::2/64
blan0_IP_SPOOF=YES
brg0_IP_SPOOF=YES
blan0_IP_KRNL_LOGMARTIANS=YES
brg0_IP_KRNL_LOGMARTIANS=NO
binet1_IP_KRNL_LOGMARTIANS=NO
bdmz0_IP_KRNL_LOGMARTIANS=NO
eth0_IPV6_DISABLE=YES
binet1_IPV6_DISABLE=YES
bdmz0_IPV6_DISABLE=YES
br0_IPV6_DISABLE=YES
bwan0_IPV6_DISABLE=YES
baoe0_IPV6_DISABLE=NO
blan0_IPV6_DISABLE=NO
brg0_IPV6_DISABLE=NO
baoe0_IPV6_FWDING=NO
blan0_IPV6_ACCEPT_RA=YES
blan0_IPV6_ACCEPT_RA_PINFO=NO
blan0_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=64
blan0_IPV6_ROUTER_SOLICITATIONS=YES
blan0_RESOLVCONF=options edns0 inet6\nsearch internal.anathoth.net
anathoth.net\nnameserver fd14:828:ba69:1:21c:f0ff:fefa:f3c0
ppp_FAIRQ=YES
ppp_TXQLEN=30
ppp0_start () {
# don't run pppd if link already exists...
[ -f /var/run/$1.pid ] kill -0 `cat /var/run/$1.pid` return 0
# call ISP
pppd call avpptp0
}
ppp_stop () {
[ ! -f /var/run/$1.pid ] return 0
qt kill `cat /var/run/$1.pid`
sleep 5 # Wait for pppd to die
}
ppp0_network_ppp () {
ip route replace 192.168.6.0/24 via 192.168.6.2 dev ppp0
ip route replace 111.65.225.99/32 via 192.168.6.2 dev ppp0
}
MRK_CRIT=0x1 # Critical traffic, routing, DNS
MRK_IA=0x2 # Interactive traffic - telnet, ssh, IRC
MRK_T1=0xa
MRK_T2=0x14
CLS_FAIRQ=${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp
${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet
${MRK_IA}_tcp_0/0_ssh
IPV6_CLS_FAIRQ=${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route
${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain
${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh
MANGLE_OUTPUT_BYPASS=gre_0/0 esp_0/0 ah_0/0 ipip_0/0 encap_0/0
IPV6_MANGLE_OUTPUT_BYPASS=gre_0/0 esp_0/0 ipip_0/0 encap_0/0
LOG_LEVEL=warning
LOG_MAXRATE=3 # messages per second
LOG_TARGET=REJECT
IPV6_LOG_TARGET=REJECT
IPV6_ICMPHOST_MAXRATE=200 # messages per second
IPV6_ICMPFWD_MAXRATE=1000 #
Bug#755349: libqtkeychain0: Fails to remember password due to changes in Gnome 3.12
Package: libqtkeychain0 Version: 0.3.0git201404080932-2 Severity: important Tags: upstream Dear Maintainer, Hi! Foiund thread on Web about this https://github.com/owncloud/mirall/issues/1501 Updating to HEAD of qtkeychain0 fixes this problem. I tested by rebuilding package. Cheers, MAtt -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages libqtkeychain0 depends on: ii libc6 2.19-7 ii libgcc11:4.9.1-1 ii libqt4-dbus4:4.8.6+dfsg-2 ii libqtcore4 4:4.8.6+dfsg-2 ii libstdc++6 4.9.1-1 ii multiarch-support 2.19-7 Versions of packages libqtkeychain0 recommends: ii gnome-keyring 3.12.0-2 libqtkeychain0 suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#755350: owncloud-client: Invisible icon in systray on Gnome 3.12
Package: owncloud-client Version: 1.6.1+dfsg-1 Severity: normal Dear Maintainer, Show up in 3.8, not there in 3.12 Had me quite puzzled for a while as I thought application was not working as it should. Show up as a blank square as you do a mouseover in Gnome shell sys tray. Cheers, Matt *** Reporter, please consider answering these questions, where appropriate *** * What led up to the situation? * What exactly did you do (or not do) that was effective (or ineffective)? * What was the outcome of this action? * What outcome did you expect instead? *** End of the template - remove these template lines *** -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages owncloud-client depends on: ii libc6 2.19-7 ii libgcc1 1:4.9.1-1 ii libowncloudsync0 1.6.1+dfsg-1 ii libqt5core5a 5.3.1+dfsg-3 ii libqt5dbus5 5.3.1+dfsg-3 ii libqt5gui55.3.1+dfsg-3 ii libqt5network55.3.1+dfsg-3 ii libqt5sql5-sqlite 5.3.1+dfsg-3 ii libqt5widgets55.3.1+dfsg-3 ii libqt5xml55.3.1+dfsg-3 ii libstdc++64.9.1-1 ii owncloud-client-l10n 1.6.1+dfsg-1 owncloud-client recommends no packages. owncloud-client suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#754924: gnome-shell: Get Gnome3 Failed screen due to missing bluetooth library
Source: gnome-shell Severity: grave Justification: renders package unusable Dear Maintainer, Used aptitude to upgrade to Gnome 3.12 Rebooted system gdm3 did not work, just gave black X11 screen Switched to lightdm, logging into destop gave Gnome Failed unhappy face screen. Checked /var/log/syslog, gnome-session had logged: Jul 16 12:35:01 moriah gnome-session[6411]: /usr/bin/gnome-shell: error while loading shared libraries: libgnome-bluetooth-applet.so.0: cannot open shared obje ct file: No such file or directory Jul 16 12:35:01 moriah gnome-session[6411]: gnome-session[6411]: WARNING: App 'gnome-shell.desktop' exited with code 127 Jul 16 12:35:01 moriah gnome-session[6411]: WARNING: App 'gnome-shell.desktop' exited with code 127 Jul 16 12:35:01 moriah gnome-session[6411]: /usr/bin/gnome-shell: error while loading shared libraries: libgnome-bluetooth-applet.so.0: cannot open shared object file: No such file or directory Jul 16 12:35:01 moriah gnome-session[6411]: gnome-session[6411]: WARNING: App 'gnome-shell.desktop' exited with code 127 Jul 16 12:35:01 moriah gnome-session[6411]: gnome-session[6411]: WARNING: App 'gnome-shell.desktop' respawning too quickly Jul 16 12:35:01 moriah gnome-session[6411]: WARNING: App 'gnome-shell.desktop' exited with code 127 Jul 16 12:35:01 moriah gnome-session[6411]: WARNING: App 'gnome-shell.desktop' respawning too quickly Jul 16 12:35:01 moriah gnome-session[6411]: Unrecoverable failure in required component gnome-shell.desktop -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores) -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#754925: gnome-bluetooth: libgnome-bluetooth-applet.so missing - gnome-shell fails with Unhappy Face failuter screen
Package: gnome-bluetooth Version: 3.12.0-4 Severity: normal Dear Maintainer, /usr/lib/gnome-bluetooth/libgnome-bluetooth-applet.so.0.0.0 missing from package. Is there a missing package dependency? apt-file-search does not find .so file apt-get upgraded to Gnome3.12 as it entered unstable. Had to enable lightdm as gdm3 was giving blackscreen Then desktop login failed. On checking /var/log/syslog found: Jul 16 12:35:01 moriah gnome-session[6411]: /usr/bin/gnome-shell: error while loading shared libraries: libgnome-bluetooth-applet.so.0: cann ot open shared object file: No such file or directory Jul 16 12:35:01 moriah gnome-session[6411]: gnome-session[6411]: WARNING: App 'gnome-shell.desktop' exited with code 127 Jul 16 12:35:01 moriah gnome-session[6411]: WARNING: App 'gnome-shell.desktop' exited with code 127 Jul 16 12:35:01 moriah gnome-session[6411]: /usr/bin/gnome-shell: error while loading shared libraries: libgnome-bluetooth-applet.so.0: cann ot open shared object file: No such file or directory Jul 16 12:35:01 moriah gnome-session[6411]: gnome-session[6411]: WARNING: App 'gnome-shell.desktop' exited with code 127 Jul 16 12:35:01 moriah gnome-session[6411]: gnome-session[6411]: WARNING: App 'gnome-shell.desktop' respawning too quickly Jul 16 12:35:01 moriah gnome-session[6411]: WARNING: App 'gnome-shell.desktop' exited with code 127 Jul 16 12:35:01 moriah gnome-session[6411]: WARNING: App 'gnome-shell.desktop' respawning too quickly Jul 16 12:35:01 moriah gnome-session[6411]: Unrecoverable failure in required component gnome-shell.desktop -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_NZ.utf8, LC_CTYPE=en_NZ.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages gnome-bluetooth depends on: ii bluez 5.21-1 ii libatk1.0-0 2.12.0-1 ii libc6 2.19-7 ii libcairo-gobject2 1.12.16-2 ii libcairo2 1.12.16-2 ii libgdk-pixbuf2.0-02.30.7-1 ii libglib2.0-0 2.40.0-3 ii libgnome-bluetooth13 3.12.0-4 ii libgtk-3-03.12.2-1+b1 ii libpam-systemd204-14 ii libpango-1.0-01.36.3-1 ii libpangocairo-1.0-0 1.36.3-1 ii libudev1 204-14 ii obex-data-server 0.4.5-1+b3 ii obexd-client 0.48-2+b1 ii udev 204-14 Versions of packages gnome-bluetooth recommends: ii gnome-control-center 1:3.12.1-4 ii gvfs-backends 1.20.2-1 Versions of packages gnome-bluetooth suggests: ii gnome-user-share 3.10.2-1 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#748074: rpcbind has no systemd unit and tmp file files
Package: rpcbind Version: 0.2.1-3 Severity: important Tags: patch Dear Maintainer, *** Reporter, please consider answering these questions, where appropriate *** * What led up to the situation? When running under systemd: o NFS mounts from /etc/fstab do not work. o NFS exports also fail due to rpcbind not starting before nfs-common and nfs- kernel-server systemd is the new default system init for linux. The above should just work. * What exactly did you do (or not do) that was effective (or ineffective)? Created my own /etc/tmpfiles.d/rpcbind.conf: #Type PathMode UID GID Age Argument d /run/rpcbind 0755 root root - - f /run/rpcbind/rpcbind.xdr 0600 root root - - f /run/rpcbind/portmap.xdr 0600 root root - - and /lib/systemd/system file (I did this one in /etc/systemd/system): --- [Unit] Description=RPC bind portmap service After=systemd-tmpfiles-setup.service Wants=remote-fs-pre.target Before=remote-fs-pre.target DefaultDependencies=no [Service] ExecStart=/sbin/rpcbind -f -w KillMode=process Restart=on-failure [Install] WantedBy=sysinit.target Alias=portmap and enabled above unit: # systemctl enable rpcbind.service Did for nfs-common to make NFS rpc support to start at correct time: Created /etc/systemd/system/nfs-common.service (can be put in /lib/systemd/system [Unit] Description=NFS Common daemons Wants=remote-fs-pre.target DefaultDependencies=no [Service] Type=oneshot RemainAfterExit=yes ExecStart=/etc/init.d/nfs-common start ExecStop=/etc/init.d/nfs-common stop [Install] WantedBy=sysinit.target - # systemctl enable nfs-common * What was the outcome of this action? Rpc Bind starting correctly, with registration state saving over restart, NFS service working normally # systemctl status rpcbind rpcbind.service - RPC bind portmap service Loaded: loaded (/etc/systemd/system/rpcbind.service; enabled) Drop-In: /run/systemd/generator/rpcbind.service.d └─50-rpcbind-$portmap.conf Active: active (running) since Wed 2014-05-14 10:38:13 NZST; 13min ago Main PID: 5066 (rpcbind) CGroup: name=systemd:/system/rpcbind.service └─5066 /sbin/rpcbind -f -w May 14 10:38:13 moriah systemd[1]: Started RPC bind portmap service. # systemctl status nfs-common nfs-common.service - NFS Common daemons Loaded: loaded (/etc/systemd/system/nfs-common.service; enabled) Active: active (exited) since Wed 2014-05-14 10:35:01 NZST; 19min ago Main PID: 259 (code=exited, status=0/SUCCESS) CGroup: name=systemd:/system/nfs-common.service Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable. All the NFS RPC daemons have port activation in latest nfs-utils upstream, and service files. Please consider using these as the socket activation saves haing to manually configure which NFS RPC daemons are needed. -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_NZ.utf8, LC_CTYPE=en_NZ.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages rpcbind depends on: ii initscripts 2.88dsf-53 ii insserv 1.14.0-5 ii libc-bin 2.18-5 ii libc62.18-5 ii libtirpc10.2.2-7 ii libwrap0 7.6.q-25 ii lsb-base 4.1+Debian12 rpcbind recommends no packages. rpcbind suggests no packages. -- no debconf information #Type PathMode UID GID Age Argument d /run/rpcbind 0755 root root - - f /run/rpcbind/rpcbind.xdr 0600 root root - - f /run/rpcbind/portmap.xdr 0600 root root - - [Unit] Description=NFS Common daemons Wants=remote-fs-pre.target DefaultDependencies=no [Service] Type=oneshot RemainAfterExit=yes ExecStart=/etc/init.d/nfs-common start ExecStop=/etc/init.d/nfs-common stop [Install] WantedBy=sysinit.target [Unit] Description=RPC bind portmap service After=systemd-tmpfiles-setup.service Wants=remote-fs-pre.target Before=remote-fs-pre.target DefaultDependencies=no [Service] ExecStart=/sbin/rpcbind -f -w KillMode=process Restart=on-failure [Install] WantedBy=sysinit.target Alias=portmap
Bug#622394: systemd: nfs-common and rpcbind unit files to fix systemd NFS issues properly
Package: nfs-common Version: 1:1.2.8-6 Followup-For: Bug #622394 Dear Maintainer, *** Reporter, please consider answering these questions, where appropriate *** * What led up to the situation? When running under systemd: o NFS mounts from /etc/fstab do not work. o NFS exports also fail due to rpcbind not starting before nfs-common and nfs- kernel-server systemd is the new default system init for linux. The above should just work. * What exactly did you do (or not do) that was effective (or ineffective)? Created my own /etc/tmpfiles.d/rpcbind.conf: #Type PathMode UID GID Age Argument d /run/rpcbind 0755 root root - - f /run/rpcbind/rpcbind.xdr 0600 root root - - f /run/rpcbind/portmap.xdr 0600 root root - - and /lib/systemd/system file (I did this one in /etc/systemd/system): --- [Unit] Description=RPC bind portmap service After=systemd-tmpfiles-setup.service Wants=remote-fs-pre.target Before=remote-fs-pre.target DefaultDependencies=no [Service] ExecStart=/sbin/rpcbind -f -w KillMode=process Restart=on-failure [Install] WantedBy=sysinit.target Alias=portmap and enabled above unit: # systemctl enable rpcbind.service Did for nfs-common to make NFS rpc support to start at correct time: Created /etc/systemd/system/nfs-common.service (can be put in /lib/systemd/system [Unit] Description=NFS Common daemons Wants=remote-fs-pre.target DefaultDependencies=no [Service] Type=oneshot RemainAfterExit=yes ExecStart=/etc/init.d/nfs-common start ExecStop=/etc/init.d/nfs-common stop [Install] WantedBy=sysinit.target - # systemctl enable nfs-common * What was the outcome of this action? Rpc Bind starting correctly, with registration state saving over restart, NFS service working normally # systemctl status rpcbind rpcbind.service - RPC bind portmap service Loaded: loaded (/etc/systemd/system/rpcbind.service; enabled) Drop-In: /run/systemd/generator/rpcbind.service.d └─50-rpcbind-$portmap.conf Active: active (running) since Wed 2014-05-14 10:38:13 NZST; 13min ago Main PID: 5066 (rpcbind) CGroup: name=systemd:/system/rpcbind.service └─5066 /sbin/rpcbind -f -w May 14 10:38:13 moriah systemd[1]: Started RPC bind portmap service. # systemctl status nfs-common nfs-common.service - NFS Common daemons Loaded: loaded (/etc/systemd/system/nfs-common.service; enabled) Active: active (exited) since Wed 2014-05-14 10:35:01 NZST; 19min ago Main PID: 259 (code=exited, status=0/SUCCESS) CGroup: name=systemd:/system/nfs-common.service Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable. All the NFS RPC daemons have port activation in latest nfs-utils upstream, and service files. Please consider using these as the socket activation saves haing to manually configure which NFS RPC daemons are needed. -- Package-specific info: -- rpcinfo -- program vers proto port service 104 tcp111 portmapper 103 tcp111 portmapper 102 tcp111 portmapper 104 udp111 portmapper 103 udp111 portmapper 102 udp111 portmapper 132 tcp 2049 nfs 133 tcp 2049 nfs 134 tcp 2049 nfs 1002272 tcp 2049 1002273 tcp 2049 132 udp 2049 nfs 133 udp 2049 nfs 134 udp 2049 nfs 1002272 udp 2049 1002273 udp 2049 1000211 udp 38783 nlockmgr 1000213 udp 38783 nlockmgr 1000214 udp 38783 nlockmgr 1000211 tcp 49538 nlockmgr 1000213 tcp 49538 nlockmgr 1000214 tcp 49538 nlockmgr 151 udp 58915 mountd 151 tcp 40052 mountd 152 udp 40524 mountd 152 tcp 60384 mountd 153 udp 55957 mountd 153 tcp 49758 mountd -- /etc/default/nfs-common -- NEED_STATD= STATDOPTS= NEED_IDMAPD=yes NEED_GSSD=yes RPCGSSDOPTS= -- /etc/idmapd.conf -- [General] Verbosity = 0 Pipefs-Directory = /run/rpc_pipefs Domain = internal.anathoth.net Local-Realms = ANATHOTH.NET [Translation] Method = nsswitch [Mapping] Nobody-User = nobody Nobody-Group = nogroup -- /etc/fstab -- #shalom:/src/media/src nfs noauto,defaults,user,exec 0 0 #shalom:/home /media/home nfs noauto,defaults,user,exec 0 0 #en-gedi:/home /srv/home nfs noauto,async,_netdev,soft,intr,defaults,exec0 0 -- /proc/mounts -- nfsd /proc/fs/nfsd nfsd rw,relatime 0 0 -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_NZ.utf8, LC_CTYPE=en_NZ.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
Bug#744014: python3-pyparsing: ParseBaseException.markInputline() - .join() given more than one argument
Source: python3-pyparsing Version: 2.0.0+ ? Severity: normal Tags: upstream patch Dear Maintainer, Working on pPython3 program which quite seriously uses PyParsing When ever displaying error Parsing output, an Exception is thrown: File /usr/share/dms/dms/app/zone_tool.py, line 2251, in do_edit_zone print(exc.markInputline(), file=self.stdout) File /usr/lib/python3/dist-packages/pyparsing.py, line 207, in markInputline markerString, line_str[line_column:]) TypeError: join() takes exactly one argument (3 given) Added missing () or [] around arguments, producing an iterable, and everything worked, and I got line by line parsing errors with position display happening. -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Index: pyparsing-2.0.1+dfsg1/pyparsing.py === --- pyparsing-2.0.1+dfsg1.orig/pyparsing.py 2013-07-17 19:08:10.0 +1200 +++ pyparsing-2.0.1+dfsg1/pyparsing.py 2014-04-09 18:37:03.991046822 +1200 @@ -203,8 +203,8 @@ line_str = self.line line_column = self.column - 1 if markerString: -line_str = .join(line_str[:line_column], -markerString, line_str[line_column:]) +line_str = .join([line_str[:line_column], +markerString, line_str[line_column:]]) return line_str.strip() def __dir__(self): return loc msg pstr parserElement lineno col line \
Bug#740916: ITP: dms -- DNS Management System
Package: wnpp Severity: wishlist Owner: Matthew Grant m...@mattgrant.net.nz * Package name: dms Version : 1.0 Upstream Author : Matthew Grant m...@mattgrant.net.nz * URL : http://mattgrant.net.nz/software/dms * License : GPL3 Programming Lang: Python Description : DNS Management System DNS Management System using bind9 and PostgresQL 9.2+. Uses Dynamic Updates to update and manage the Zones in Bind9. Has a daemon which uses a State Machine for publishing zones from the DB. There is a command line/shell program zone_tool for operation on the Zones, including running an editor, and a JSON RPC over http interface via Apache and mod_wsgi. oMaster can have DR Failover oIPv6 fully supported in back end and front end oIPv6 DNS RRs () oDynamic DNS configuration of Master server reduces need for reconfig and reload operations. oDNS RRs supported include SOA NS A MX PTR TXT SPF RP SSHFP SRV NSAP NAPTR LOC KX IPSECKEY HINFO CERT DS. DNSSEC handled by bind9 master oAuto DNSSEC via Bind9 dynamic DNS. Bind9 master server auto maintains zone DNSSEC operations records and signing. NSEC3 and NSEC supported. DNSSEC key management on Master server file system pending write of key management module. Key material directory is replicated via DR protocol (rsync) though. DMS is fully enabled to use DNSSEC for securing our core domains. o Apex resource record (SOA and NS) management across all zones - can be turned off per zone. o Auto reverse PTR generation o Customer control of their own automated reverse DNS. Individual PTR records, and complete reverse zones. Useful for business IPv6 and IPv4 blocks. Enables on site use of IP PABX, intranet and email for SMBs on XDSL/Fibre. o zone_tool command line administrative tool on master servers o IPSEC secured communications between each of DR master replicas and slaves o Modular design. For example, Racoon IPSEC can be replaced if needed. o Multiple Slave DNS server software implementations. NL Netlabs nsd3 can be used as a slave server once backend code is completed, and a simple configuration monitoring/HUP daemon implemented to run on each slave. o slave server/Server Groups (SG) support. Live migration of zones. o Private SGs for internal zones. o Retention of deleted zones in database for aged auto-deletion later. o Multiple Zone Instances per Zone. Roll forward and roll back changes. Again old ZIs aged for auto deletion above a threshold number. o Templates used for generating name server configuration includes - master, replicas and slaves. o Rsync to distribute name server configuration to servers. o Central distribution of name server configuration segments. o Hot standby master replica for DR purposes with manually controlled fail over. Includes automatic replica/slave server reconfiguration. o WSGI JSON RPC over HTTPS API for mulitple front ends o Security tags to control what front ends can see o Zone reference metadata to tag the zone with the owner/customer entity ID. Set by DMI when a zone is created. Tag out of table in DB via foreign key for easy reference renaming. o zone_tool has built in pager support and editor support via standard shell environment variables. o zone_tool has a configurable restricted shell mode for Help Desk use o RR Groups and RR comments supported in DB for use in text editor and in Web Admin DMI (DNS Management Interface) o zone_tool has colourised diff support to display changes between different ZIs for a zone o Vim can be used as zone tool editor, giving DNS colourised Zone file syntax high lighting. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#679482: Still experiencing this bug, any updates?
On 28/10/13 11:04, Dan Levin wrote: Hi, I'm still experiencing symptoms of this on wheezy (more details below). Has there been any fix, to anyone's knowledge? privsep support on racoon is byuggy. There is a new version out there from netbsd, but the code has had creeping netbsdisms and compiler makefile issues, and it a real sod to get it going. Try strongswan, it works on Debian kfreebsd and ordinary wheezyy. racoon is long in the tooth, and because of the sort of bitrot and security issues it has (runs as root) I think it might be better if this part of ipsec-tools was deprecated. Regards, Matthew Grant -- Package: racoon State: installed Automatically installed: no Version: 1:0.8.0-14 Priority: extra Section: net Maintainer: Matthew Grant matthewgra...@gmail.com Architecture: amd64 Uncompressed Size: 1,147 k Depends: debconf (= 0.5) | debconf-2.0, ipsec-tools (= 1:0.8.0-14), libc6 (= 2.8), libcomerr2 (= 1.01), libgssapi-krb5-2 (= 1.10+dfsg~), libk5crypto3 (= 1.6.dfsg.2), libkrb5-3 (= 1.6.dfsg.2), libldap-2.4-2 (= 2.4.7), libpam0g (= 0.99.7.1), libssl1.0.0 (= 1.0.0), adduser, perl # After initiating a disconnect from the VPN client: Oct 27 21:56:02 localhost racoon: [x.x.x.x] DEBUG: delete payload for protocol ESP Oct 27 21:56:02 localhost racoon: ERROR: privsep_socket: unauthorized domain (15) Oct 27 21:56:02 localhost racoon: INFO: racoon privileged process 23084 terminated Oct 27 21:56:02 localhost kernel: [1207378.180116] racoon[23109]: segfault at 10 ip 7fb003750b7b sp 7fff225ef210 error 4 in racoon[7fb003727000+92000] -- Best, -Dan Levin signature.asc Description: OpenPGP digital signature
Bug#695192: bind9: CVE-2012-5688
Why does the Wheezy release team have its nose so stuck up about a minor upstream version number? 9.8.4-P1 IS ISC's official bug fixed release of the 9.8.x source tree , INCLUDING 9.8.1* Don't drive the security maintainers into loops about unsupported code in an upcoming stable release! Sheesh, some time dogged adherence to policy is NOT achieving our main end results. Cheers, Matthew Grant On Thu, Dec 13, 2012 at 6:52 AM, Moritz Muehlenhoff j...@inutil.org wrote: On Wed, Dec 05, 2012 at 05:25:36AM -0700, LaMont Jones wrote: On Wed, Dec 05, 2012 at 09:31:00AM +0100, Moritz Muehlenhoff wrote: Package: bind9 Severity: grave Tags: security Justification: user security hole Please see https://kb.isc.org/article/AA-00828 Stable is not affected. This needs to be fixed through testing-proposed-updates, since the testing and unstable packages have diverged and won't be updated that late in the freeze. I've been holding unstable at 9.8 in the hope that it might make it into testing. ISC has quit supporting 9.8.1, I'd like to as well. I'll look into the backport soon, if the security team doesn't beat me to it. LaMont, can you upload a version targeted at testing-proposed-updates based on 1:9.8.1.dfsg.P1-4.4 ? Cheers, Moritz
Bug#693385: unblock: bind9/1:9.8.4.dfsg-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Please unblock package bind9
1) a rebase bind9 for wheezy to 9.8.4 will make security maintenance a
lot easier going forward. To properly fix bugs - some security and
basic functionaliy, upstream have changed data structure code, and some
flags. Makes patching tricky (see below).
2) Bug #690569 DNS wildcards fail to resolve with DNSsec enabled - a
basic DNS protocol bug. To get DNS resolving going have to turn off
DNSSEC validation - a bit of a thinko. Found there were too many
changes to 9.8.x ISC upstream since 9.8.1-P3 for me to consider patching
it reliably. ISC don't give access to their VCS.
Note: also fixes CVE-2012-4244
Note: libdns81, libisc83 are updated to libdns88 and libisc84 in
upstream.
Thank you for looking into this. I really appreciate your time and
dedication to Debian.
Best Regards,
Matthew Grant
debdiff:
File lists identical (after any substitutions)
Control files: lines which differ (wdiff format)
Depends: libbind9-80 (= [-1:9.8.1.dfsg.P1-4.3),-] {+1:9.8.4.dfsg-1),+}
libc6 (= 2.4), libcap2 (= 2.10), [-libdns81-] {+libdns88+} (=
[-1:9.8.1.dfsg.P1-4.3),-] {+1:9.8.4.dfsg-1),+} libgssapi-krb5-2 (=
1.6.dfsg.2), [-libisc83-] {+libisc84+} (= [-1:9.8.1.dfsg.P1-4.3),-]
{+1:9.8.4.dfsg-1),+} libisccc80 (= [-1:9.8.1.dfsg.P1-4.3),-]
{+1:9.8.4.dfsg-1),+} libisccfg82 (= [-1:9.8.1.dfsg.P1-4.3),-]
{+1:9.8.4.dfsg-1),+} liblwres80 (= [-1:9.8.1.dfsg.P1-4.3),-]
{+1:9.8.4.dfsg-1),+} libssl1.0.0 (= 1.0.0), {+libxml2 (= 2.7.4),+}
debconf (= 0.5) | debconf-2.0, netbase, adduser, lsb-base (= 3.2-14),
bind9utils (= [-1:9.8.1.dfsg.P1-4.3),-] {+1:9.8.4.dfsg-1),+} net-tools
Installed-Size: [-816-] {+940+}
Version: [-1:9.8.1.dfsg.P1-4.3-] {+1:9.8.4.dfsg-1+}
unblock bind9/1:9.8.4.dfsg-1
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#693015: bind9: CVE-2012-4244 - A specially crafted Resource Record could cause named to terminate
Package: bind9 Version: 1:9.8.1.dfsg.P1-4.3 Severity: normal Tags: upstream Dear Maintainer, This is a remote DoS exploit on a recursive servers, or authorative servers if RR loaded from file or via zone transfer. Quoting https://kb.isc.org/article/AA-00778/74 If a record with RDATA in excess of 65535 bytes is loaded into a nameserver, a subsequent query for that record will cause named to exit with an assertion failure. Fixed in package bind9_9.8.4.dfsg-1 uploaded to unstable. It's not practical to reliably backport a fix for this. ISC have markedly changed data structures and flags to fix other bugs, making patching risky. They do not provide access to their VCS. 9.8.4 is bug fixed upstream version of 9.8.1 Rational for bind9_9.8.4.dfsg-1 package is to make bug fixing wheezy bind9 easier/more reliable once released. Please upgrade wheezy bind9 to 9.8.4.dfsg-1 I am a DDwith a C network router programming background, and am currently working on an ISP DNS system, and have evaluated patchability for other CVEs, and found too much of a risk of introducing other bugs when using patches from other ISC versions of bind9 like 9.6ESRV. Best Regards, Matthew Grant -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages bind9 depends on: ii adduser3.113+nmu3 ii bind9utils 1:9.8.1.dfsg.P1-4.3 ii debconf [debconf-2.0] 1.5.46 ii libbind9-801:9.8.1.dfsg.P1-4.3 ii libc6 2.13-35 ii libcap21:2.22-1.2 ii libdns81 1:9.8.1.dfsg.P1-4.3 ii libgssapi-krb5-2 1.10.1+dfsg-2 ii libisc83 1:9.8.1.dfsg.P1-4.3 ii libisccc80 1:9.8.1.dfsg.P1-4.3 ii libisccfg821:9.8.1.dfsg.P1-4.3 ii liblwres80 1:9.8.1.dfsg.P1-4.3 ii libssl1.0.01.0.1c-4 ii lsb-base 4.1+Debian7 ii net-tools 1.60-24.2 ii netbase5.0 bind9 recommends no packages. Versions of packages bind9 suggests: pn bind9-doc none ii dnsutils1:9.8.1.dfsg.P1-4.3 pn resolvconf none pn ufw none -- Configuration Files: /etc/bind/named.conf.local changed [not included] -- debconf information excluded -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#693016: bind9: CVE-2012-4244 - A specially crafted Resource Record could cause named to terminate
Package: bind9 Version: 1:9.8.1.dfsg.P1-4.3 Severity: normal Tags: upstream Dear Maintainer, This is a remote DoS exploit on a recursive servers, or authorative servers if RR loaded from file or via zone transfer. Quoting https://kb.isc.org/article/AA-00778/74 If a record with RDATA in excess of 65535 bytes is loaded into a nameserver, a subsequent query for that record will cause named to exit with an assertion failure. Fixed in package bind9_9.8.4.dfsg-1 uploaded to unstable. It's not practical to reliably backport a fix for this. ISC have markedly changed data structures and flags to fix other bugs, making patching risky. They do not provide access to their VCS. 9.8.4 is bug fixed upstream version of 9.8.1 Rational for bind9_9.8.4.dfsg-1 package is to make bug fixing wheezy bind9 easier/more reliable once released. Please upgrade wheezy bind9 to 9.8.4.dfsg-1 I am a DDwith a C network router programming background, and am currently working on an ISP DNS system, and have evaluated patchability for other CVEs, and found too much of a risk of introducing other bugs when using patches from other ISC versions of bind9 like 9.6ESRV. Best Regards, Matthew Grant -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages bind9 depends on: ii adduser3.113+nmu3 ii bind9utils 1:9.8.1.dfsg.P1-4.3 ii debconf [debconf-2.0] 1.5.46 ii libbind9-801:9.8.1.dfsg.P1-4.3 ii libc6 2.13-35 ii libcap21:2.22-1.2 ii libdns81 1:9.8.1.dfsg.P1-4.3 ii libgssapi-krb5-2 1.10.1+dfsg-2 ii libisc83 1:9.8.1.dfsg.P1-4.3 ii libisccc80 1:9.8.1.dfsg.P1-4.3 ii libisccfg821:9.8.1.dfsg.P1-4.3 ii liblwres80 1:9.8.1.dfsg.P1-4.3 ii libssl1.0.01.0.1c-4 ii lsb-base 4.1+Debian7 ii net-tools 1.60-24.2 ii netbase5.0 bind9 recommends no packages. Versions of packages bind9 suggests: pn bind9-doc none ii dnsutils1:9.8.1.dfsg.P1-4.3 pn resolvconf none pn ufw none -- Configuration Files: /etc/bind/named.conf.local changed [not included] -- debconf information excluded -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#669213: bind9: new upstream release: 9.9
Hi! I believe it is best to stick with 9.8.x for wheezy. 9.9.x is too much of a change, too many unknowns. The bind9 package as been using a 9.8.x code base, and configuration, and 9.8.4 is a bug fixed version of 9.8.1 9.9.x is too much of a change now that wheezy is frozen. Cheers, Matthew Grant On Tue, Oct 30, 2012 at 9:50 PM, Sebastian Wiesinger sebast...@karotte.orgwrote: * LaMont Jones lam...@mmjgroup.com [2012-10-29 21:38]: On Mon, Oct 29, 2012 at 05:22:10PM +, Adam D. Barratt wrote: Indeed. In any case, were the new version to be accepted in to the release then the appropriate route would be via unstable, not direct to t-p-u. Works for me. I'll toss 9.8.4 into sid. As for getting it into wheezy, it'll make the support life easier for the inevitable security fixes that will follow. There are probably other reasons. Hi, if the route goes via unstable, could we perhaps immediately go to 9.9.2? 9.9 has the most useful new features regarding DNSSEC. Regards Sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant
Bug#689755: bind9: memory leak in named
M. Interesting. I will check 9.8.4 CHANGES and see if there are any likely looking candidates. On Tue, Oct 30, 2012 at 4:58 AM, Christoph Anton Mitterer christoph.anton.mitte...@lmu.de wrote: A friend of mine, who basically uses my config with his own nameserver, had the same issues, and could solve it by disabling recursion. Cheers, Chris.
Bug#689755: Bug#690142: marked as done (remote named DoS on recursor (CVE-2012-5166))
Hi THere! Just trying to avoid people wasting effort on bind9 NMU work. I am working with LaMont Jones on an update for wheezy to bind9 9.8.4, rebased on the ISC 9.8.4 code, which will definitely close #690569, #690142, and may be #689755. (The rest of the Important bugs appear to be with old versions of bind9 before 9.7.x.) The main reason is to reduce the work required for security patching and to mostly eliminate the risk of introducing new bugs with the fixes. It has been found that the data structures between ISC bind9 9.8.1 and 9.8.4 have markedly changed due to essential protocol fixes and security fixes. Applying patches is no longer that simple a matter, with a considerable risk of introducing new bugs. I originally adapted up the patch for bind9 9.8.1.dfsg.P1-4.2 , and was proceeding to fix #690569 DNS wildcards fail to resolve with DNSsec enabled when I found that there was a serious risk of introducing new new bugs, and desisted from NMUing bind9. (I was a professional C router programmer) There is also the matter of #689755 bind9: memory leak in named. I am currently working on an ISP DNS project based on wheezy, and have observed some suspicious behaviour in this regard. On reading the ISC CHANGES file for 9.8.4, there are fixes that could be related to this sort of behavior. This is a notice that the bind9 9.8.1.dfsg.P1-4.x package might be replaced, after going through the appropriate channels (Debian Release Team). LaMont will be uploading our work to wheezy-proposed shortly. A repository of work done so far is up at http://anonscm.debian.org/git/collab-maint/bind9.git/ Thank you very much for your patience. Best Regards, Matthew Grant On 29/10/12 11:21, Debian Bug Tracking System wrote: Your message dated Sun, 28 Oct 2012 23:16:32 +0100 with message-id 20121028221632.ga21...@spike.0x539.de and subject line fixed in 9.8.1.dfsg.P1-4.3 has caused the Debian Bug report #690142, regarding remote named DoS on recursor (CVE-2012-5166) to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) signature.asc Description: OpenPGP digital signature
Bug#690410: Puredata 0.43.2-4 crashing due to _FORTIFY_SOURCE with large patch
Package: puredata Followup-For: Bug #690410 Recompiled puredata with the following 2 lines added to the top of debian/rules: # Stop problems with puredata crashing due to buffer space issues? export DEB_BUILD_MAINT_OPTIONS=hardening=+format,-fortify,+stackprotector,+relro This turns off _FORTIFY_SOURCE. Puredata works with out problems with the PD 'patches' in my project. If you look at the back trace in the stack dump in the original bau report, it crashed in: pd(pd_typedmess+0x45b)[0x456fab] pd(outlet_anything+0x4a)[0x458eca] pd(pd_typedmess+0x1db)[0x456d2b] pd(binbuf_eval+0x90b)[0x4600fb] pd(outlet_list+0x4a)[0x458e3a] pd[0x455b5c] pd(outlet_float+0x3f)[0x458d0f] pd(outlet_bang+0x29)[0x458be9] pd(sched_tick+0x77)[0x463047] pd(m_mainloop+0x1e9)[0x463319] bang, float, list are basic puredata objects. binbuf_eval() is also one of the functions. It looks like puredata uses functions like strcat(), strcpy() in non-conventional ways with some kind of buffer. Turning off _FORTIFY_SOURCE looks like it needs to be done to ensure 100% functionality. Just patching one or two instances of the functions may not get all the problem points fixed as the puredata algorithms probably assume that the functions will copy/concatenate indefinitely throughout the whole code base. Talk to upstream before turning on _FORTIFY_SOURCE please. Regards, Matthew Grant -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.23 (SMP w/2 CPU cores; PREEMPT) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages puredata depends on: ii puredata-core 0.43.2-5~0mag1 ii puredata-dev0.43.2-5~0mag1 ii puredata-doc0.43.2-5~0mag1 ii puredata-extra 0.43.2-5~0mag1 ii puredata-gui0.43.2-5~0mag1 ii puredata-utils 0.43.2-5~0mag1 Versions of packages puredata recommends: ii gem 3:0.93.3-6~0mag0 Versions of packages puredata suggests: ii pd-aubio 0.3.2-4.2+b1 ii pd-csound 1:5.17.11~dfsg-2 ii pd-pdp 1:0.12.5-2 ii pd-zexy2.2.5-1 -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#691391: libcurl3-gnutls: git push on libcurl3-gnutls_7.28-2 fails when changes pushed
Package: libcurl3-gnutls Version: 7.28.0-2 Followup-For: Bug #691391 Some new information, git push with GIT_CURL_VERBOSE=1 set. Hope this to clear it up. Had to wait to re-test. git push works with 7.26.0-1 shalom-ext: -grantma- [~/dms] $ GIT_CURL_VERBOSE=1 git push * About to connect() to git.devel.net.nz port 443 (#0) * Trying 210.5.55.254... * 0x174eb50 is at send pipe head! * STATE: CONNECT = WAITCONNECT handle 0x1757960; (connection #0) * Connected to git.devel.net.nz (210.5.55.254) port 443 (#0) * Connected to git.devel.net.nz (210.5.55.254) port 443 (#0) * found 152 certificates in /etc/ssl/certs/ca-certificates.crt * STATE: WAITCONNECT = PROTOCONNECT handle 0x1757960; (connection #0) *server certificate verification SKIPPED *compression: NULL *cipher: AES-128-CBC *MAC: SHA1 * STATE: PROTOCONNECT = DO handle 0x1757960; (connection #0) GET /dms/dms.git/info/refs?service=git-receive-pack HTTP/1.1 User-Agent: git/1.7.10.4 Host: git.devel.net.nz Accept: */* Pragma: no-cache * STATE: DO = DO_DONE handle 0x1757960; (connection #0) * STATE: DO_DONE = WAITPERFORM handle 0x1757960; (connection #0) * STATE: WAITPERFORM = PERFORM handle 0x1757960; (connection #0) * additional stuff not fine transfer.c:1037: 0 0 * HTTP 1.1 or later with persistent connection, pipelining supported HTTP/1.1 401 Authorization Required Date: Thu, 25 Oct 2012 22:47:08 GMT Server: Apache/2.2.17 (FreeBSD) mod_ssl/2.2.17 OpenSSL/0.9.8q WWW-Authenticate: Digest realm=Git Access, nonce=gDas++nMBAA=c016e62b78666c4a06557a090758dfc879f46c72, algorithm=MD5, domain=/, qop=auth Content-Length: 401 Content-Type: text/html; charset=iso-8859-1 * Ignoring the response-body * Connection #0 to host git.devel.net.nz left intact * Issue another request to this URL: * 'https://git.devel.net.nz/dms/dms.git/info/refs?service=git-receive-pack' * Re-using existing connection! (#0) with host git.devel.net.nz * Connected to git.devel.net.nz (210.5.55.254) port 443 (#0) * 0x174eb50 is at send pipe head! * STATE: CONNECT = DO handle 0x1757960; (connection #0) * Server auth using Digest with user 'grantma' GET /dms/dms.git/info/refs?service=git-receive-pack HTTP/1.1 Authorization: Digest username=grantma, realm=Git Access, nonce=gDas++nMBAA=c016e62b78666c4a06557a090758dfc879f46c72, uri=/dms/dms.git/info/refs?service=git-receive-pack, cnonce=MDg3MTk1, nc=0001, qop=auth, response=d4ae9115c24ef228c2ed2ad5f0d57d03, algorithm=MD5 User-Agent: git/1.7.10.4 Host: git.devel.net.nz Accept: */* Pragma: no-cache * STATE: DO = DO_DONE handle 0x1757960; (connection #0) * STATE: DO_DONE = WAITPERFORM handle 0x1757960; (connection #0) * STATE: WAITPERFORM = PERFORM handle 0x1757960; (connection #0) * additional stuff not fine transfer.c:1037: 0 0 * additional stuff not fine transfer.c:1037: 0 0 * HTTP 1.1 or later with persistent connection, pipelining supported HTTP/1.1 200 OK Date: Thu, 25 Oct 2012 22:47:08 GMT Server: Apache/2.2.17 (FreeBSD) mod_ssl/2.2.17 OpenSSL/0.9.8q Expires: Fri, 01 Jan 1980 00:00:00 GMT Pragma: no-cache Cache-Control: no-cache, max-age=0, must-revalidate Authentication-Info: rspauth=f9b91ee07350a722ea8b344efcb8b588, cnonce=MDg3MTk1, nc=0001, qop=auth Transfer-Encoding: chunked Content-Type: application/x-git-receive-pack-advertisement * STATE: PERFORM = DONE handle 0x1757960; (connection #0) * Connection #0 to host git.devel.net.nz left intact Counting objects: 17, done. Delta compression using up to 2 threads. Compressing objects: 100% (9/9), done. Writing objects: 100% (9/9), 1.30 KiB, done. Total 9 (delta 8), reused 0 (delta 0) * About to connect() to git.devel.net.nz port 443 (#0) * Trying 210.5.55.254... * connected * Connected to git.devel.net.nz (210.5.55.254) port 443 (#0) * found 152 certificates in /etc/ssl/certs/ca-certificates.crt * SSL re-using session ID *server certificate verification SKIPPED *compression: NULL *cipher: AES-128-CBC *MAC: SHA1 POST /dms/dms.git/git-receive-pack HTTP/1.1 User-Agent: git/1.7.10.4 Host: git.devel.net.nz Accept-Encoding: deflate, gzip Content-Type: application/x-git-receive-pack-request Accept: application/x-git-receive-pack-result Content-Length: 1465 * upload completely sent off: 1465 out of 1465 bytes * additional stuff not fine transfer.c:1037: 0 0 * HTTP 1.1 or later with persistent connection, pipelining supported HTTP/1.1 401 Authorization Required Date: Thu, 25 Oct 2012 22:47:08 GMT Server: Apache/2.2.17 (FreeBSD) mod_ssl/2.2.17 OpenSSL/0.9.8q * Authentication problem. Ignoring this. WWW-Authenticate: Digest realm=Git Access, nonce=pgyv++nMBAA=41fb149a41d3357b9a730d21bf98ad166d26937e, algorithm=MD5, domain=/, qop=auth Content-Length: 401 Content-Type: text/html; charset=iso-8859-1 * The requested URL returned error: 401 * Closing connection #0 error: RPC failed; result=22, HTTP code = 401 fatal: The remote end hung up unexpectedly fatal: The remote end hung up unexpectedly
Bug#691391: libcurl3-gnutls: git push on libcurl3-gnutls_7.28-2 fails when changes pushed
Package: libcurl3-gnutls Version: 7.28.0-2 Severity: important See my shell log below Still have a problem. Cheers, Matthew Grant - shalom-ext: -grantma- [~/dms] $ git push Counting objects: 19, done. Delta compression using up to 2 threads. Compressing objects: 100% (10/10), done. Writing objects: 100% (10/10), 1.11 KiB, done. Total 10 (delta 9), reused 0 (delta 0) error: RPC failed; result=22, HTTP code = 401 fatal: The remote end hung up unexpectedly fatal: The remote end hung up unexpectedly Everything up-to-date shalom-ext: -grantma- [~/dms] $ git pull Already up-to-date. shalom-ext: -grantma- [~/dms] $ cd ../scratch/ shalom-ext: -grantma- [~/scratch] $ wget http://packages.debian.org/wheezy/libcurl3-gnutls --2012-10-25 15:20:35-- http://packages.debian.org/wheezy/libcurl3-gnutls Resolving packages.debian.org (packages.debian.org)... 2001:648:2ffc:deb:214:22ff:feb2:17e8, 2001:8d8:81:1520::1, 194.177.211.202, ... Connecting to packages.debian.org (packages.debian.org)|2001:648:2ffc:deb:214:22ff:feb2:17e8|:80... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: ‘libcurl3-gnutls’ [ = ] 18,662 25.8KB/s in 0.7s 2012-10-25 15:20:38 (25.8 KB/s) - ‘libcurl3-gnutls’ saved [18662] shalom-ext: -grantma- [~/scratch] $ sudo dpkg -i libcurl3-gnutls_7.26.0-1_amd64.deb dpkg: warning: downgrading libcurl3-gnutls:amd64 from 7.28.0-2 to 7.26.0-1 (Reading database ... 53528 files and directories currently installed.) Preparing to replace libcurl3-gnutls:amd64 7.28.0-2 (using libcurl3-gnutls_7.26.0-1_amd64.deb) ... Unpacking replacement libcurl3-gnutls:amd64 ... Setting up libcurl3-gnutls:amd64 (7.26.0-1) ... shalom-ext: -grantma- [~/scratch] $ cd ../dms shalom-ext: -grantma- [~/dms] $ git push Counting objects: 19, done. Delta compression using up to 2 threads. Compressing objects: 100% (10/10), done. Writing objects: 100% (10/10), 1.11 KiB, done. Total 10 (delta 9), reused 0 (delta 0) To https://git.devel.net.nz/dms/dms.git 2312dd1..d066e87 master - master -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages libcurl3-gnutls depends on: ii libc6 2.13-35 ii libgcrypt111.5.0-3 ii libgnutls262.12.20-1 ii libgssapi-krb5-2 1.10.1+dfsg-2 ii libidn11 1.25-2 ii libldap-2.4-2 2.4.31-1 ii librtmp0 2.4+20111222.git4e06e21-1 ii libssh2-1 1.4.2-1.1 ii multiarch-support 2.13-35 ii zlib1g 1:1.2.7.dfsg-13 Versions of packages libcurl3-gnutls recommends: ii ca-certificates 20120623 libcurl3-gnutls suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#690569: Bug#690142: remote named DoS on recursor (CVE-2012-5166) and Bug#690569 (DNS wildcards fail to resolve with DNSSEC enabled)
On Wed, Oct 17, 2012 at 1:57 PM, Michael Gilbert mgilb...@debian.orgwrote: On Tue, Oct 16, 2012 at 6:49 PM, Matthew Grant wrote: Can Bug #690569 (DNS wildcards fail to resolve with DNSsec enabled - breaks RFC 4035)be reclassified as grave, or at least Important severity? You implied a bug severity increase. Its now at important. We need to get something done about this one. Having to turn off DNSSEC validation to get correct resolution behaviour is not good for security re DNS cache poisoning attacks, which is why DNSSEC was implemented in DNS. I did a diff between 9.6-R5 and -R6 and extracted the parts seeming to relate to wildcard handling. Someone will have to look at whether those are the right changes and if they're complete, and then port it to the current version. See attached. Checked diff. Its looks a mess. Have you compiled bind9 package and checked that it handles wiildcard query? I am not confident that data structures are handled correctly. (Used to be professional router C programmer, and have extensive kernel patch experience) Could someone on the security team who knows bind9 look at this please to see if they can patch bind9 9.8.1.dfsg-4.2 and 9.7.3 (squeeze)? Also, to resolve this, is it alright to NMU Bind 9.8.4 (latest 9.8.x) please. Lamount Jones, it would be good if you could do this please? Does not look that hard. Have looked in bind9 package git. No. We're in the freeze now. Fixes need to be backported. If backporting a fix is not possible with the certainty of no introduced bugs, we have no choice. Debian Bind9 cannot ship with a basic DNS protocol handling error. As it stands it is severely broken in the resolver. DNSSEC on the Internet is now a must. ISC have been diligent in backporting fixes to their 9.8.x minor version stream. There are only one or 2 new features, and I believe 1 or 2 configuration changes that are backwards compatible Consequently Bind 9.8.4 (or 9.7.7) is mostly coherent with Debian's policy of back porting fixes. (ISC really know their own data structures, but also unfortunately do not make their VCS publicly available, only release complete tarballs, so finding the 100% correct patch can be a major problem.) I believe a policy exception is possible in this case if needed, given that bind9 is such an important piece of software. My case is put. Could the security team please help to determine what to do. Regards, Matthew Grant
Bug#690569: Bug#690142: remote named DoS on recursor (CVE-2012-5166) and Bug#690569 (DNS wildcards fail to resolve with DNSSEC enabled)
Thanks, I will cross check this with all ISC tar balls between 9.8.1 and 9.8.2. This is when the CHANGES file lists it was fixed. I have noted that ISC changed things quite a lot with some internal structures over 9.8.x/9.7.x/9.6.x, when I was examining some issues to do with query rate DoS attacks. Debian bind does not have those changes, but I gave it the benefit of the doubt. I 'll quickly assess whether there are any problems here or not. Have been a professional C router programmer. If its not good, we really have issues. There comes a point when upstream has been diligent about fixes, and we have to redo a lot of it, and we are not the experts Cheers, Matthew On Wed, Oct 17, 2012 at 1:57 PM, Michael Gilbert mgilb...@debian.orgwrote: On Tue, Oct 16, 2012 at 6:49 PM, Matthew Grant wrote: Hi Michael! Sorry to bother you again, but want some advice before I leap. Can Bug #690569 (DNS wildcards fail to resolve with DNSsec enabled - breaks RFC 4035)be reclassified as grave, or at least Important severity? We need to get something done about this one. Having to turn off DNSSEC validation to get correct resolution behaviour is not good for security re DNS cache poisoning attacks, which is why DNSSEC was implemented in DNS. I did a diff between 9.6-R5 and -R6 and extracted the parts seeming to relate to wildcard handling. Someone will have to look at whether those are the right changes and if they're complete, and then port it to the current version. See attached. Also, to resolve this, is it alright to NMU Bind 9.8.4 (latest 9.8.x) please. Lamount Jones, it would be good if you could do this please? Does not look that hard. Have looked in bind9 package git. No. We're in the freeze now. Fixes need to be backported. Best wishes, Mike
Bug#690569: DNS wildcards fail to resolve with DNSsec enabled
Package: bind9 Version: 1:9.8.1.dfsg.P1-4.2 Followup-For: Bug #690569 Problem exists in current Debian Version of bind9. This is broken behaviour with regards RFC4035 Section 3.1.3 and maybe some parts of RFC4952. This means the version of bind in unstable and testing is non functional for the purposes of being used as a resolver when DNSSEC validation is required. Turning off DNSSEC resolution to work around this significantly reduces the authenticity around the DNS response. This makes this version of bind9 far more open to Kaminsky DNS cache posioning attacks. Severity of bug whould be raised to grave. Resolution is obvious, move cod base to at least latest ISC 9.8.x Bind 9, which is 9.8.4. Cheers, Matthew Grant shalom: -grantma- [~] $ dig www.nuonexclusief.nl @shalom-svc.internal.anathoth.net. ; DiG 9.8.1-P1 www.nuonexclusief.nl @shalom-svc.internal.anathoth.net. ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: SERVFAIL, id: 44296 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.nuonexclusief.nl. IN A ;; Query time: 3104 msec ;; SERVER: 172.31.10.1#53(172.31.10.1) ;; WHEN: Tue Oct 16 13:26:40 2012 ;; MSG SIZE rcvd: 38 -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages bind9 depends on: ii adduser3.113+nmu3 ii bind9utils 1:9.8.1.dfsg.P1-4.2 ii debconf [debconf-2.0] 1.5.46 ii libbind9-801:9.8.1.dfsg.P1-4.2 ii libc6 2.13-35 ii libcap21:2.22-1.2 ii libdns81 1:9.8.1.dfsg.P1-4.2 ii libgssapi-krb5-2 1.10.1+dfsg-2 ii libisc83 1:9.8.1.dfsg.P1-4.2 ii libisccc80 1:9.8.1.dfsg.P1-4.2 ii libisccfg821:9.8.1.dfsg.P1-4.2 ii liblwres80 1:9.8.1.dfsg.P1-4.2 ii libssl1.0.01.0.1c-4 ii lsb-base 4.1+Debian7 ii net-tools 1.60-24.2 ii netbase5.0 bind9 recommends no packages. Versions of packages bind9 suggests: pn bind9-doc none ii dnsutils1:9.8.1.dfsg.P1-4.2 pn resolvconf none pn ufw none -- Configuration Files: /etc/bind/named.conf.local changed [not included] -- debconf-show failed -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#690142: remote named DoS on recursor (CVE-2012-5166)
Package: bind9
Version: 1:9.8.1.dfsg.P1-4.2
Followup-For: Bug #690142
Dear Maintainer,
Attaching a patch for this version of Debian bind9. NMUing in 2 days with
1:9.8.1.dfsg.P1-4.3
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- /tmp/bind9-9.8.1.dfsg.P1/bin/named/query.c 2011-11-16 22:32:08.0 +1300
+++ bind9-9.8.1.dfsg.P1/bin/named/query.c 2012-10-15 13:48:55.572735596 +1300
@@ -1137,13 +1137,6 @@
mname = NULL;
}
- /*
- * If the dns_name_t we're looking up is already in the message,
- * we don't want to trigger the caller's name replacement logic.
- */
- if (name == mname)
- mname = NULL;
-
*mnamep = mname;
CTRACE(query_isduplicate: false: done);
@@ -1341,6 +1334,7 @@
if (dns_rdataset_isassociated(rdataset)
!query_isduplicate(client, fname, type, mname)) {
if (mname != NULL) {
+ INSIST(mname != fname);
query_releasename(client, fname);
fname = mname;
} else
@@ -1401,11 +1395,13 @@
mname = NULL;
if (!query_isduplicate(client, fname,
dns_rdatatype_a, mname)) {
-if (mname != NULL) {
- query_releasename(client, fname);
- fname = mname;
-} else
- need_addname = ISC_TRUE;
+if (mname != fname) {
+ if (mname != NULL) {
+ query_releasename(client, fname);
+ fname = mname;
+ } else
+ need_addname = ISC_TRUE;
+}
ISC_LIST_APPEND(fname-list, rdataset, link);
added_something = ISC_TRUE;
if (sigrdataset != NULL
@@ -1444,11 +1440,13 @@
mname = NULL;
if (!query_isduplicate(client, fname,
dns_rdatatype_, mname)) {
-if (mname != NULL) {
- query_releasename(client, fname);
- fname = mname;
-} else
- need_addname = ISC_TRUE;
+if (mname != fname) {
+ if (mname != NULL) {
+ query_releasename(client, fname);
+ fname = mname;
+ } else
+ need_addname = ISC_TRUE;
+}
ISC_LIST_APPEND(fname-list, rdataset, link);
added_something = ISC_TRUE;
if (sigrdataset != NULL
@@ -1960,22 +1958,24 @@
crdataset-type == dns_rdatatype_) {
if (!query_isduplicate(client, fname, crdataset-type,
mname)) {
-if (mname != NULL) {
- /*
- * A different type of this name is
- * already stored in the additional
- * section. We'll reuse the name.
- * Note that this should happen at most
- * once. Otherwise, fname-link could
- * leak below.
- */
- INSIST(mname0 == NULL);
-
- query_releasename(client, fname);
- fname = mname;
- mname0 = mname;
-} else
- need_addname = ISC_TRUE;
+if (mname != fname) {
+ if (mname != NULL) {
+ /*
+ * A different type of this name is
+ * already stored in the additional
+ * section. We'll reuse the name.
+ * Note that this should happen at most
+ * once. Otherwise, fname-link could
+ * leak below.
+ */
+ INSIST(mname0 == NULL);
+
+ query_releasename(client, fname);
+ fname = mname;
+ mname0 = mname;
+ } else
+ need_addname = ISC_TRUE;
+}
ISC_LIST_UNLINK(cfname.list, crdataset, link);
ISC_LIST_APPEND(fname-list, crdataset, link);
added_something = ISC_TRUE;
Bug#690410: Puredata 0.43.2-4 crashing due to _FORTIFY_SOURCE with large patch
Package: puredata Version: 0.43.2-4 Severity: grave I have a large puerdata patch using GEM that was working early on last year. At the moment it is crashing on start with calls to __fortify_fail() in libc. There are two pds running, one handling sound and wiimote input, and a slave doing GEM display work. They communicate over a TCP socket. Pure data with the _FORTIFY_SOURCE=2 is not usable for any serious work, destroying the purpose of the porting and packaing to Debian The same problems also show up in puredata plugins/libraries with this turned on as well. The one that blew up in the same way was gem-plugin-magick I know that this is security hardening, and that buffer overflows are bad in any application, as they tend to go and corrupt the running application. But puredata is an interpreted langauge progam used by artists typically on closed off networks behind a firewall/router. It is hard enough to get going properly with out this unneeded security stuff being turned on. Please compile pruedata with _FORTIFY_SOURCE=0 for the whole puredata module stack and dependencies until the causes of this are fixed upstream. I am going to try the puredata package compiled with _FORTIFY_SOURCE=0, and see if I can get my valuable project going again. BTW, I am a Debian Developer. Cheers, Matthew Grant PS: Stack dump of setup in line below. $ cat antigua.sh #!/bin/bash pd -noaudio -nomidi -lib Gem -nogui boatshed.pd pd antigua.pd # Kill 1st pd on exit kill %1 $ ./antigua.sh sys_nmidiin 0, nmidiindev 1 @ the zexy external 2.2.5 @ @ (l) forum::für::umläute @ @ iem @ kug @ @ compiled: Nov 22 2011 @ @ send me a 'help' message @ priority 6 scheduling enabled. priority 8 scheduling enabled. warning: class 'abs~' overwritten; old one renamed 'abs~_aliased' matchbox: OSC-pattern matching code (c) Matt Wright, CNMAT warning: class 'wrap' overwritten; old one renamed 'wrap_aliased' GEM: Graphics Environment for Multimedia GEM: ver: 0.93.3 GEM: compiled: Jun 11 2012 GEM: maintained by IOhannes m zmoelnig GEM: Authors : Mark Danks (original version) GEM:Chris Clepper GEM:Cyrille Henry GEM:IOhannes m zmoelnig GEM: with help by Guenter Geiger, Daniel Heckenberg, James Tittle, Hans-Christoph Steiner, et al. GEM: found a bug? miss a feature? please report it: GEM:homepage http://gem.iem.at/ GEM:bug-tracker http://sourceforge.net/projects/pd-gem/ GEM:mailing-list http://lists.puredata.info/listinfo/gem-dev/ open: /etc/pd/gem.conf: No such file or directory open: /home/grantma/.pd/gem.conf: No such file or directory open: ./gem.conf: No such file or directory GEM: compiled for SIMD architecture: SSE2 MMX GEM: using SSE2 optimization load plugins 'image' in '/usr/lib/pd/extra/Gem/' pattern : /usr/lib/pd/extra/Gem/gem_image*.so GEM: Only using 8 color bits GEM: Direct Rendering enabled! GEM: GLEW version 1.7.0 GEM: Start rendering error: [pix_image]: failed to load image '/home/grantma/Desktop/Situational_Choreo_Project/pd/boat-shed-end.jpg' verbose(4): ... you might be able to track this down from the Find menu. priority 6 scheduling enabled. priority 8 scheduling enabled. *** buffer overflow detected ***: pd terminated === Backtrace: = /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f75d3577f37] /lib/x86_64-linux-gnu/libc.so.6(+0xebdf0)[0x7f75d3576df0] pd[0x49b5c0] pd(pd_typedmess+0x45b)[0x456fab] pd(outlet_anything+0x4a)[0x458eca] pd(pd_typedmess+0x1db)[0x456d2b] pd(binbuf_eval+0x90b)[0x4600fb] pd(outlet_list+0x4a)[0x458e3a] pd[0x455b5c] pd(outlet_float+0x3f)[0x458d0f] pd(outlet_bang+0x29)[0x458be9] pd(sched_tick+0x77)[0x463047] pd(m_mainloop+0x1e9)[0x463319] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7f75d34a9ead] pd[0x415161] === Memory map: 0040-004e7000 r-xp fe:00 661348 /usr/bin/puredata 006e6000-006e7000 r--p 000e6000 fe:00 661348 /usr/bin/puredata 006e7000-006e9000 rw-p 000e7000 fe:00 661348 /usr/bin/puredata 006e9000-006f8000 rw-p 00:00 0 017e5000-018cc000 rw-p 00:00 0 [heap] 7f75c8fa7000-7f75c8fa8000 r-xp fe:00 924698 /usr/lib/pd-extended/extra/creb/ead~.pd_linux 7f75c8fa8000-7f75c91a8000 ---p 1000 fe:00 924698 /usr/lib/pd-extended/extra/creb/ead~.pd_linux 7f75c91a8000-7f75c91a9000 r--p 1000 fe:00 924698 /usr/lib/pd-extended/extra/creb/ead~.pd_linux 7f75c91a9000-7f75c91aa000 rw-p 2000 fe:00 924698 /usr/lib/pd-extended/extra/creb/ead~.pd_linux 7f75c91aa000-7f75c91ab000 r-xp fe:00 927354 /usr/lib/pd/extra/ggee/bandpass.pd_linux 7f75c91ab000-7f75c93ab000 ---p 1000 fe:00 927354
Bug#681641: netscript-2.4: Missing quotes in if.conf for brg_iface() resulted in seriously misconfigured network
Package: netscript-2.4
Version: 5.2.11
Severity: serious
Tags: patch
Missing quotes when setting up bridge resulted in vlaned eth0 interface being
on bridge brg0 with its vlan1 vlan interface. vlan2 was connected to internet.
vlan1 traffic was slow, and connectivity came and went. This happened when
IPv6 was explicitly disabled for eth0, and etho was not configured onto a
bridge. It is a corner case configuration with a serious result iin network
not functioning, and in the case of this system involved, leaking internal
traffic to the Internet. Network configuration was not such that a system on
Internet could connect internally.
Quotes put on 3rd and 4th arguments to brg_iface interface up in if.conf
fixes this siuation.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages netscript-2.4 depends on:
ii bash4.2-2
ii bridge-utils1.5-4
ii iproute 20120521-3
ii iptables1.4.14-2
ii isc-dhcp-client [dhcp3-client] 4.2.2.dfsg.1-5
ii netbase 5.0
Versions of packages netscript-2.4 recommends:
ii quagga 0.99.21-3
Versions of packages netscript-2.4 suggests:
ii dnsmasq2.62-3
ii quagga 0.99.21-3
pn resolvconf none
pn whereami none
pn wicd none
pn wpasupplicant none
-- Configuration Files:
/etc/netscript/if.conf changed:
SED_IFSTR='s/\([A-Za-z]*\)[0-9]*$/\1/'
SED_IPV4STR='s/^.*inet \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+[/0-9]\+\) .*$/\1/'
SED_IPV6STR='s/^.*inet6 \([0-9a-f]\+\:.*\:[0-9a-f]\+[/0-9]\+\) .*$/\1/'
SED_IPV6ADDR=sed -e 's/:0\+\([0-9a-fA-F]\+\)/:\1/g' | sed -e
's/^0\+\([0-9a-fA-F]\+\)/\1/'| sed -e 's/\(:0\)\+:\(:0\)*\|\(:0\)*:\(:0\)\+/:/'
SED_IPV4ADDR=sed -e 's/\.0\+\([0-9a-fA-F]\+\)/.\1/g' | sed -e
's/^0\+\([0-9a-fA-F]\+\)/\1/'
if_addr_start () {
local IPADDR2 ADDR ADDR2
local ADDRS
local ANS
local OIFS
local IFACE=$1
# Glue stuff
if [ -n $MASKLEN ]; then
IPADDR=${IPADDR}/${MASKLEN}
fi
if [ -n $PTPADDR ]; then
IPADDR=${IPADDR}_peer_${PTPADDR}
fi
if [ -n $BROADCAST ]; then
IPADDR=${IPADDR}_brd_${BROADCAST}
fi
if [ -n $IP_EXTRA_ADDRS ]; then
IPADDR=$IPADDR $IP_EXTRA_ADDRS
fi
# Take care of leading zeroes in supplied addresses
for ADDR in $IPADDR; do
if echo $ADDR | grep -q ':'; then
#IPv6
ADDR2=`echo $ADDR | eval $SED_IPV6ADDR`
IPADDR2=$IPADDR2 $ADDR2
else
#IPv4
ADDR2=`echo $ADDR | eval $SED_IPV4ADDR`
IPADDR2=$IPADDR2 $ADDR2
fi
done
IPADDR=$IPADDR2
# Set up link MTU etc
ip link set $1 $IFCFG_MULTICAST $IFCFG_MTU
# Set up IPv6 Interface sysctl here before interface goes up
ifv6_setproc $1 accept_redirects $IPV6_ACCEPT_REDIRECTS
ifv6_setproc $1 accept_ra $IPV6_ACCEPT_RA
ifv6_setproc $1 accept_ra_pinfo $IPV6_ACCEPT_RA_PINFO
ifv6_setproc $1 accept_ra_rt_info_max_plen
$IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN
ifv6_setproc $1 disable_ipv6 $IPV6_DISABLE
ifv6_setproc $1 forwarding $IPV6_FWDING
ifv6_setproc $1 router_solicitations $IPV6_ROUTER_SOLICITATIONS
ifv6_setproc $1 use_tempaddr $IPV6_PRIVACY
# Bring the interface up
ip link set dev $1 up
# This one has to be set after interface up
ifv6_setproc $1 mtu $IPV6_MTU
# Set up the addresses on the interface
ADDRS=`ip addr show dev $IFACE | grep '^.*inet[ 46]' \
| sed -e $SED_IPV4STR | sed -e $SED_IPV6STR`
for ADDR in $IPADDR; do
for ADDR2 in $ADDRS; do
ADDR2=`echo $ADDR2 | sed -e 's/\/32\|\/128//'`
ANS=${ADDR#$ADDR2}
if [ $ANS != $ADDR ]; then
continue 2
fi
done
OIFS=$IFS
IFS=${IFS}_
ip addr add $ADDR dev $IFACE
IFS=$OIFS
done
# Strip out addresses that should not be there
for ADDR in $ADDRS; do
# Don't delete IPv6 link local addresses
if echo $ADDR | grep -q -i '^fe[89ab]'; then
continue
fi
ANS=`echo $IPADDR | grep $ADDR`
if [ -z $ANS ]; then
ip addr del $ADDR dev $IFACE
Bug#677713: ipsec-tools: General update after the debconf review process
Just starting work, give me a few hours and I will finish latter this afternoon. On 14/07/12 04:36, Christian PERRIER wrote: Quoting Christian PERRIER (bubu...@debian.org): Dear Debian maintainer, On Saturday, June 16, 2012, I sent you a notification about the beginning of a review action on debconf templates for ipsec-tools. Then, I sent you a bug report with rewritten templates and announcing the beginning of the second phase of this action: call for translation updates. Translators have been working hard and here is now the result of their efforts. Please consider using it EVEN if you committed files to your development tree as long as they were reported. Is an upload planned at some point? Now that we are in freeze, I tend to be more pushy for translations to be includedand I don't hesitate NMUing packages when it takes too much time (I can't focus on dozens of packages at the same time). Many thanks in advance for your answer. signature.asc Description: OpenPGP digital signature
Bug#679828: libc6: No easy way of enabling DNSSEC validation aka RES_USE_DNSSEC
Package: libc6 Version: 2.13-34 Severity: Serious Tags: security Hi! I am submitting this report as there seems to be no easy way to get DNSSEC validation happening for all DNS lookups. This is a litmus test to make sure we cover this matter, or see if we have an easy procedure in wheezy to enable client DNSSEC validation. With the DNS root zone now signed, and .org and .net, and many soon to be done country specific TLDs, there does not appear to be any easy way of taking advantage of this in wheezy or sid. From my investigations this can only be enabled by recompiling each bit of software to set the RES_USE_DNSSEC flag in _res.options, as well as RES_USE_EDNS0. (Please see racoon bug #679483). The enablement method is from openssh 6.0p1, openbsd-compat/getrrsetbyname.c Please create a resolv.conf flag so that RES_USE_DNSSEC is available to the systems administrator, and maybe a debconf screen to select it. This is about proactively avoiding DNS spoofing and securing against it. Regards, Matthew Grant -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages libc6 depends on: ii libc-bin 2.13-34 ii libgcc1 1:4.7.1-2 libc6 recommends no packages. Versions of packages libc6 suggests: ii debconf [debconf-2.0] 1.5.44 ii glibc-doc 2.13-34 ii locales2.13-34 -- debconf information: glibc/upgrade: true glibc/disable-screensaver: glibc/restart-failed: glibc/restart-services: libraries/restart-without-asking: false -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#677713: [BTS#677713] templates://ipsec-tools/{racoon.templates} : Final update for English review
Dear Christian, Hope you are not too busy. On Thu, Jun 28, 2012 at 6:02 PM, Christian PERRIER bubu...@debian.orgwrote: Please review the suggested changes, and if you have any objections, let me know in the next 3 days. After looking at the changes, I have a suggestion for the control file Description of the packages. ipsec-tools and racoon are cross platform, and run on Debian/kfreebsd. The current full ipsec-tools/racoon are included in NetBSD as the IPSEC daemon, and in Mac OSX. It was the original IPSEC implementation that worked with the in kernel.org 2.6.x IPSEC stack, and was ported from the KAME IPv6 project (http://www.kame.net). From 'apt-cache rdepends ipsec-tools' I believe all the IPSEC software on Debian depends on ipsec-tools, presumably for init scripts to initialise the in kernel IPSEC SPD and SAD tables. Racoon is currently the ONLY IKE daemon for the Debian/kfreebsd architecture The control Description: should also mention that it works with Debian/kfreebsd. Thank you very much for all your work, Cheers, Matthew Grant
Bug#679481: racoon: Root network daemon compiled without _FORTIFY_SOURCE
Package: racoon Version: 1:0.8.0-12 Severity: serious Dear Maintainer, Racoon has a history of network vulnerabilities, running as root on the host. It is concerning that it is compiled without all hardening options employed. debian/rules has CFLAGS -D_FORTIFY_SOURCE=0, default debian comipile flags are for this to be set to 2. This was apparently done to get a 0.8.0 beta release to comile on i386/i486. Is this 0 setting needed any more? The linitian warnings given are 'hardening-no-fortify-source' which indicates the program is compiled with strcpy strcat et al, and strncpy, strncat not being substituted. -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages racoon depends on: ii adduser3.113+nmu3 ii debconf [debconf-2.0] 1.5.44 ii ipsec-tools1:0.8.0-12 ii libc6 2.13-33 ii libcomerr2 1.42.4-3 ii libgssapi-krb5-2 1.10.1+dfsg-1 ii libk5crypto3 1.10.1+dfsg-1 ii libkrb5-3 1.10.1+dfsg-1 ii libldap-2.4-2 2.4.31-1 ii libpam0g 1.1.3-7.1 ii libssl1.0.01.0.1c-3 ii perl 5.14.2-12 racoon recommends no packages. racoon suggests no packages. -- Configuration Files: /etc/racoon/psk.txt [Errno 13] Permission denied: u'/etc/racoon/psk.txt' /etc/racoon/racoon-tool.conf changed [not included] -- debconf information excluded -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#679482: racoon with privsep enabled segfaults with 'unauthorized domain'
Package: racoon Version: 1:0.8.0-12 Severity: normal Tags: upstream Dear Maintainer, When privsep is enabled, so that the network exposed racoon is not running as root, daemon dies with: Jun 29 16:28:10 sid-dev racoon: ERROR: privsep_socket: unauthorized domain (15) Jun 29 16:28:10 sid-dev kernel: [327028.659475] racoon[14085]: segfault at 10 ip 7fb7cde186ab sp 7fffcf87e1f0 error 4 in racoon[7fb7cddef000+92000] This happens with anonymous as well as PSK keyed connections, and presumably happens with all different modes of authorization algorithms. This network daemon ideally should not be running network exposed as root. Running with privsep off, there is no problems with this. Regards, The Maintainer Matthew Grant -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages racoon depends on: ii adduser3.113+nmu3 ii debconf [debconf-2.0] 1.5.44 ii ipsec-tools1:0.8.0-12 ii libc6 2.13-33 ii libcomerr2 1.42.4-3 ii libgssapi-krb5-2 1.10.1+dfsg-1 ii libk5crypto3 1.10.1+dfsg-1 ii libkrb5-3 1.10.1+dfsg-1 ii libldap-2.4-2 2.4.31-1 ii libpam0g 1.1.3-7.1 ii libssl1.0.01.0.1c-3 ii perl 5.14.2-12 racoon recommends no packages. racoon suggests no packages. -- Configuration Files: /etc/racoon/psk.txt [Errno 13] Permission denied: u'/etc/racoon/psk.txt' /etc/racoon/racoon-tool.conf changed: global: log: notify privsep: yes peer(%default): certificate_type: x509 sid-dev.internal.anathoth.net-cert.pem sid-dev.internal.anathoth.net-key.pem #my_identifier: fqdn sid-dev.internal.anathoth.net lifetime: time 60 min #verify_identifier: on #verify_cert: on #authentication_method[0]: rsasig connection(%anonymous): #admin_status: enabled admin_status: disabled connection(%default): src_ip: 192.168.110.3 src_range: 192.168.110.3/32 peer(192.168.110.5): #peers_identifier: fqdn sid-dev.internal.anathoth.net connection(sid-dev): dst_ip: 192.168.110.5 dst_range: 192.168.110.5/32 mode: tunnel admin_status: enabled -- debconf information: * racoon/config_mode: racoon-tool -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#679483: racoon.conf 'peers_certfile dnssec' does not do DNSSEC validation.
Package: racoon Version: 1:0.8.0-12 Severity: normal Tags: upstream Dear Maintainer, Re racoon.conf 'peers_certfile dnssec' On looking at the code for this option, which is little used yet, the daemon does not set the RES_USE_DNSSEC or RES_USE_EDNS0 in src/racoon/dnssec.c Ssh had to be compiled with this option for DNSSEC SSHFP checking to work. See Debian bug #569592 There is the option to link racoon/ipsec-tools against lwres, and from the look of the code, it looks like NetBSD has RES_USE_DNSSEC from resolv.h turned on.. Will create patch to fix, as I am interested in using this option. This code is little used yet, as DNSSEC is only just starting to spread. From the looks of it, I believe most client DNS resolvers are buggy in this area. Thus, I have classified this with priority normal. Regards, Matthew Grant (myself) *** Please consider answering these questions, where appropriate *** * What led up to the situation? * What exactly did you do (or not do) that was effective (or ineffective)? * What was the outcome of this action? * What outcome did you expect instead? *** End of the template - remove these lines *** -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages racoon depends on: ii adduser3.113+nmu3 ii debconf [debconf-2.0] 1.5.44 ii ipsec-tools1:0.8.0-12 ii libc6 2.13-33 ii libcomerr2 1.42.4-3 ii libgssapi-krb5-2 1.10.1+dfsg-1 ii libk5crypto3 1.10.1+dfsg-1 ii libkrb5-3 1.10.1+dfsg-1 ii libldap-2.4-2 2.4.31-1 ii libpam0g 1.1.3-7.1 ii libssl1.0.01.0.1c-3 ii perl 5.14.2-12 racoon recommends no packages. racoon suggests no packages. -- Configuration Files: /etc/racoon/psk.txt [Errno 13] Permission denied: u'/etc/racoon/psk.txt' /etc/racoon/racoon-tool.conf changed [not included] -- debconf information excluded -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#677713: [RFR] templates://ipsec-tools/{racoon.templates}
Christian, The wording in the template was changed as the racoon-tool script has had a major refresh, and I will be expanding and maintaining it in the future. The previous wording was saying that it was deprecated as the NetBSD ipsec-tools people did not like it I don't have access to that email conversation, but the message had a considerable bias that does not reflect the current state of affairs. The direct mode is pointed out clearly for the purpose it serves, and is mentioned first. However, racoon is rather uninformative in its log messages when it fails due to mis-configuration, and it does not manage the SPD like openswan/strongswan, hence racoon-tool perl script. OK, The only thing changing here is the content of the message. Any variables, script logic is not being touched for stability reasons for Wheezy freeze. I have checked the new racoon-tool (I am its original author) for functionality carefully, and it is a lot better than the older version that was not even working. There are no translations yet of the debconf messages for this package as far as I can remember, so another patch to clean up typos and make it clearer as Justin Rye may be warranted if only just for the sake of getting the English correct and up to policy standard, as this is an improvement on the status quo, and does not affect install logic. Thanks heaps for your help, Matthew Grant On Mon, Jun 18, 2012 at 5:04 PM, Christian PERRIER bubu...@debian.orgwrote: Quoting Justin B Rye (j...@edlug.org.uk): debconf template messages/translations I believe can be changed during freeze, no? That sort of question is best addressed to d-l-e rather than me! Translations, yes. Debconf templates, I would insist you don't unless: - deeply required - fully coordinated with i18n team (particularly handling the translation update round and wait for a GO before uploading--we're targeting full completion for a fewlanguages and I track them one by one
Bug#677642: Info received (Bug#677642: netscript-2.4: configuring interface step in boot process times out when trying to connect to fixed IP)
Have had further email with party concerned - he mis-configured the machine, so closing bug. On Sat, Jun 16, 2012 at 8:27 AM, Debian Bug Tracking System ow...@bugs.debian.org wrote: Thank you for the additional information you have supplied regarding this Bug report. This is an automatically generated reply to let you know your message has been received. Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course. If you wish to submit further information on this problem, please send it to 677...@bugs.debian.org. Please do not send mail to ow...@bugs.debian.org unless you wish to report a problem with the Bug-tracking system. -- 677642: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677642 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#677713: [ITR] templates://ipsec-tools/{racoon.templates}
Cool Christian, I am good to go, and will review template for a later upload after Wheezy freeze, as I think language type stuff is a reason for release uploads. Cheers, Matthew Grant On 16/06/12 23:11, Christian PERRIER wrote: Dear Debian maintainer, The Debian internationalisation team and the Debian English localisation team will soon begin the review of the debconf templates used in ipsec-tools. This review takes place for all packages that use debconf to interact with users and its aims are: - to improve the use of English in all debconf templates; - to make the wording of debconf templates more consistent; - to encourage more translations of templates. Even if your first language is English, this process is likely to help track down typos or errors, and improve consistency between the debconf templates of your package and that of other packages in the distribution. The process involves both debian-l10n-english contributors and Debian translators. The details of the process are given in http://wiki.debian.org/I18n/SmithDebconfReviewProcess. I will act as the coordinator of this activity for ipsec-tools. The first step of the process is to review the debconf source template file(s) of ipsec-tools. This review will start on Tuesday, June 19, 2012, or as soon as you acknowledge this mail with an agreement for us to carry out this process. All parts of the process will be carried out in close collaboration with you, and, unless you explicitely ask for it, no upload nor NMU will happen for ipsec-tools. If you approve this process, please let us know by replying to this mail. If some work in progress on your side would conflict with such a rewrite (such as adding or removing debconf templates), please say so, and we will defer the review to later in the development cycle. Thank you for your attention. signature.asc Description: OpenPGP digital signature
Bug#677713: [RFR] templates://ipsec-tools/{racoon.templates}
On 17/06/12 06:16, Justin B Rye wrote: Justin B Rye wrote: Description: IPsec utilities IPsec (Internet Protocol security) offers end-to-end security for network traffic at the IP layer. . This package is a port of the utilities from the KAME IPsec implementation on BSD. Correction: actually my patch says This package is a Linux port... (and likewise for racoon). Please collect changes in a diff. We are close to a freeze, just want current package to settle into wheezy. debconf template messages/translations I believe can be changed during freeze, no? signature.asc Description: OpenPGP digital signature
Bug#677642: netscript-2.4: configuring interface step in boot process times out when trying to connect to fixed IP
Have a look at /etc/net script/network.conf. further down this file you will find eth_start/eth_stop functions. They hook functions to hook dhcp in for initial configuration (and where you can hook tunnel daemons etc). Also configure eth0_IPADDR. Dpkg --purge ifupdown as it can cause some issues with unit script circular dependencies at times. Please let me know how you go. Matthew Grant On Jun 16, 2012 4:39 AM, Gilbert Sullivan whirly...@comcast.net wrote: Package: netscript-2.4 Version: 5.2.11 Severity: normal Dear Maintainer, *** Please consider answering these questions, where appropriate *** * What led up to the situation? On 05/18/2012 upgrade in netbase:amd64 (4.47, 5.0) resulted in automatic removal of ifupdown and automatic installation of netscript 2.4. Problem appeared first reboot following these changes to the system. * What exactly did you do (or not do) that was effective (or ineffective)? Setting system to connect using any fixed IP address results in a 60 second timeout at the configuring interface step of the boot process. Then the system goes on to a second 60 second timeout at the starting MTA step of the boot process. Setting system to connect via DHCP results in a normal boot process with no timeouts. I can turn off Wicd and prevent it from starting. Again, configuring /etc/network/interfaces for fixed IP address results in two 60 second timeouts, and configuring interfaces for DHCP results in a normal boot process with no timeouts. Hitting Ctrl+C key combination at the configuring interface prompt during the boot process causes the boot process to continue at a normal pace with no timeout at starting MTA step. * What was the outcome of this action? I believe I have eliminated Wicd as a suspect. I have also confirmed that the system does actually have the correct fixed IP address when these timeouts occur. But it LOOKS as though the system were waiting the timeout period to receive a DHCP lease. -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages netscript-2.4 depends on: ii bash4.2-2 ii bridge-utils1.5-3 ii iproute 20120521-2 ii iptables1.4.13-1.1 ii isc-dhcp-client [dhcp3-client] 4.2.2.dfsg.1-5 ii netbase 5.0 Versions of packages netscript-2.4 recommends: ii quagga 0.99.21-3 Versions of packages netscript-2.4 suggests: ii dnsmasq2.61-1 ii quagga 0.99.21-3 ii resolvconf 1.65 ii whereami 0.3.34-0.3 ii wicd 1.7.2.4-2 ii wpasupplicant 1.0-2 -- Configuration Files: /etc/netscript/ipfilter-defs/README [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/README' /etc/netscript/ipfilter-defs/dnat-defs [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/dnat-defs' /etc/netscript/ipfilter-defs/example.def [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/example.def' /etc/netscript/ipfilter-defs/example2.def [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/example2.def' /etc/netscript/ipfilter-defs/local.def [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/local.def' /etc/netscript/ipfilter-defs/masq-defs [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/masq-defs' /etc/netscript/ipfilter-defs/network-defs [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/network-defs' /etc/netscript/ipfilter-defs/prototypes-defs [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/prototypes-defs' /etc/netscript/ipfilter-defs/prototypes.sh [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/prototypes.sh' -- no debconf information
Bug#617859: sha384 and sha512 tested on Wheezy, Kernel 3.2
Hi Mats, I have tested this on the current 3.2 kernel that is in Debian Wheezy, and both are now working. This is now solved for the testing distribution Since sha256 is working, and is more than adequate for giving good security, not doing anything for Lenny. Closing the bug as won't fix. Cheers, Matthew Grant
Bug#639970: Difficult to due to racoon/setkey SPD management design
Racoon does not create all the SPD policy for manually configured IPSEC connections, and they have to be manually entered. It does not keep track of them, so it does not clean up on exit. There are valid use cases for using setkey to set up static IPSEC keying for local network security for IPv6 local net ICMP multicast messages. Adding this feature to the racoon init script would break this. Racoon/setkey is basically a 'lower level' tool than strongswan. I have done a lot of work on racoon-tool which does manage the SPD based on the coneections you have configured, which now supports X509 and PSK connections, transport and tunnel mode, IPv6 and IPv4, with X509 certs and PSK working, along with basic anonymous VPN server set up, and I am willing to put it up on backports. Please tell me if these features cover your usage cases. Cheers, Matthew Grant
Bug#675423: python-setproctitle: Tar.gz file of debian/ for 1.1.6 for reference
Package: python-setproctitle Version: 1.0.1-1 Followup-For: Bug #675423 Have packaged 1.1.6 for local use. Attaching my debian/ for python3-setproctitle, python-setproctitle for reference. Python tests disabled due to the state of the code in upstream - does not work easily, binary pyrun3 needs to be compiled by gcc for test, and Makefile is horrible, make check creates py3 dir and files not used in build. Could not easily script in debian/rules, and old debian/rules test code can't install pyrun3/pyrun2 in test hook up - setup.py does not have a target for this Cheers, Matthew Grant -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash python-setproctitle-debian.tar.gz Description: GNU Zip compressed data
Bug#636526: python-psutil: Patch to support Python3.
Package: python-psutil Version: 0.4.1-1 Followup-For: Bug #636526 Dear Maintainer, We have some internal work Python 3 packages that would like to deploy on Wheezy, and we depend on your package. The attached patch also closes Bug #637382, as dh_python2 and dhpython3 are required to effect the Python3 build. In doing the guides on the Debian wiki: http://wiki.debian.org/Python/TransitionToDHPython2 and http://wiki.debian.org/Python/LibraryStyleGuide were followed. debian/rules was carefully merged with the example in the LibraryStyleGuide, debian/control updated. Please note that your test code in debian rules was very carefully moved and made compatible with the LibraryStyleGuide, and has had the filter 'nocheck ' for DEB BUILD OPTIONS added. In the default build, all the tests still run. The print statement you used to get the python $LIB has had parenthesis added for Python3, and I checked the LIB statement was backwards compatible on python2.6 and python2.7 I did note the test_get_io_counters failure on all 3 versions of Python, and this maybe due to moving to the 3.2 kernel. The Python3.2 test test_name failed due to the underlying python binary being 'python3.2mu' instead of 'python3.2' but these are definitely seperate bugs to the build bugs. This also creates a python-psutil-doc package, and Recommends it to the different library package. Lintian was giving issues about clashes in the docs and this seems to be the best way of resolving it. There are two lintian warnings: W: python-psutil: hardening-no-relro usr/lib/python2.6/dist-packages/_psutil_linux.so W: python-psutil: hardening-no-relro usr/lib/python2.6/dist-packages/_psutil_posix.so but these look like they were already there before this patch. I can Please look this over and get back to me. Could we collaborate on this please? This patch contains almost all the work that needs to be done. If you like, I can branch the svn archive, and you can edit this work so that you are happy with it. It would be good to get it in for wheezy. Cheers, Matthew Grant, DD since before 2005 *** End of the template - remove these lines *** -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Index: debian/changelog === --- debian/changelog (revision 21979) +++ debian/changelog (working copy) @@ -1,3 +1,10 @@ +python-psutil (0.4.1-2~ae123) UNRELEASED; urgency=low + + * Add support for Python 3.x build (Closes: #636526) + * Move from python-support to dh_python2 and dh_python3 (Closes: #637382) + + -- Matthew Grant matthewgra...@gmail.com Thu, 31 May 2012 11:40:12 +1200 + python-psutil (0.4.1-1) unstable; urgency=low * New upstream release Index: debian/python3-psutil.install === --- debian/python3-psutil.install (revision 0) +++ debian/python3-psutil.install (revision 0) @@ -0,0 +1 @@ +usr/lib/python3 Index: debian/docs === --- debian/docs (revision 21979) +++ debian/docs (working copy) @@ -1 +0,0 @@ -docs Index: debian/rules === --- debian/rules (revision 21979) +++ debian/rules (working copy) @@ -1,23 +1,36 @@ #!/usr/bin/make -f +DH_VERBOSE=1 -PYVERS:=$(shell pyversions -s) +PYTHON2:=$(shell pyversions -vr) +PYTHON3:=$(shell py3versions -vr) %: - dh $@ + dh $@ --with python2,python3 -build: - dh build - - # run tests +ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) +test-python%: -for test in test_memory_leaks.py test_psutil.py ;\ do \ - for python in $(PYVERS) ; do \ - echo running test/$$test on $$python ; \ - LIB=$$($$python -c from distutils.command.build import build ; from distutils.core import Distribution ; b = build(Distribution()) ; b.finalize_options() ; print b.build_platlib) ; \ - PYTHONPATH=$$LIB $$python test/$$test ; \ - done \ + echo running test/$$test on python$* ; \ + LIB=$$(python$* -c from distutils.command.build import build ; from distutils.core import Distribution ; b = build(Distribution()) ; b.finalize_options() ; print(b.build_platlib)) ; \ + PYTHONPATH=$$LIB python$* test/$$test ; \ done +override_dh_auto_test: $(PYTHON2:%=test-python%) $(PYTHON3:%=test-python%) +endif + +build-python%: + python$* setup.py build + +override_dh_auto_build: $(PYTHON3:%=build-python%) + dh_auto_build + +install-python%: + python$* setup.py install --root=$(CURDIR)/debian/tmp --install-layout=deb + +override_dh_auto_install: $(PYTHON3:%=install-python%) + dh_auto_install + override_dh_installchangelogs: dh_installchangelogs HISTORY @@ -27,6 +40,11 @@ override_dh_compress
Bug#675419: python-psutil: Unittest test_get_io_counters fails, upstream issue 270.
Package: python-psutil Version: 0.4.1-1 Severity: normal Tags: upstream Dear Maintainer, *** Please consider answering these questions, where appropriate *** * What led up to the situation? Adding Python3 support for package, noticed this unit test failure on python2.6, python2.7, and python3.2 * What was the outcome of this action? Posted Bug upstream, Issue 270, URL: http://code.google.com/p/psutil/issues/detail?id=270 * What outcome did you expect instead? Expected test to not fail. Just a thought, is this due to upstream not properly yet supporting Linux 3.2 kernel? My guess is that something has changed in /proc or /sys. *** End of the template - remove these lines *** -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#675421: python-psutil: Unit test test_name fails for Python3.2, upstream issue 271
Package: python-psutil Version: 0.4.1-1 Severity: normal Tags: upstream Dear Maintainer, *** Please consider answering these questions, where appropriate *** * What led up to the situation? Work to support Python 3.2 * What exactly did you do (or not do) that was effective (or ineffective)? Building the package * What was the outcome of this action? Filed bug upstream, issue no 271, URL: http://code.google.com/p/psutil/issues/detail?id=271 * What outcome did you expect instead? Test passing. Test code does not account for the different names possible due to suffix added onto python3.2 bionary name due to threading configuration etc. *** End of the template - remove these lines *** -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#675423: python-setproctitle: New upstream version 1.1.6, Python3 support missing.
Package: python-setproctitle Version: 1.0.1 Severity: important Dear Maintainer, *** Please consider answering these questions, where appropriate *** * What led up to the situation? Python3 support needed for software I need to run on next stable release. * What exactly did you do (or not do) that was effective (or ineffective)? Trying to email Developer. He does not appear to be active. * What was the outcome of this action? Nothing heard yet, will give it a few days. * What outcome did you expect instead? A timely response. Wheezy freeze is coming up. Python 3 support for this is needed for work software, and administrative scripts and daemons. Clear output in ps and top prevents Sys admin confusion. Considering NMU of package if no timely response by Tuesday. *** End of the template - remove these lines *** -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#650176: racoon: include patch for checkpoint xauth
I am going to be doing a round of maintaining on the package shortly. and will try to include the patch if it applies. Cheers, Matthew On Tue, May 15, 2012 at 12:13 PM, Dominic Evans oldma...@gmail.com wrote: +1 to this applies cleanly to current debian package as next patch in series $ quilt push -a $ quilt import ipsec-tools-0.7.3-checkpoint-v1.patch $ quilt refresh --strip-trailing-whitespace
Bug#661668: racoon: uninstallable on squeeze - something error happened while pfkey initializing
Hi Simon! Which kernel are you running with? Distribution or self-compiled. Either your xfrm kernel modules are not loading or they are not compiled. I will have a quick look into it, with a clean squeeze install. If it works there (which I think it will) I will be closing the bug. Any how, I am reducing priority of this bug to normal as 0.8.0 is working well in testing/unstable. Cheers, Matthew signature.asc Description: OpenPGP digital signature
Bug#656474: ipsec-tools: racoon: Make verification of x509 CRLs optional
This is something set up by upstream, and in big governments deployments it could be seen as considered necessary/mandatory. IE - The ability to turn it off may be considered an anti-feature and security hole... CRLs actually have their weaknesses due to update issues when the network does not go... IPSEC public keys in a DNSSEC signed DNS domain zone don't suffer like this. Have you considered setting up your own small CA, rather than using the ones backed by Versign etc? This would significantly reduce the chain length, and avoid exposure to a CA compromise. The package tinyca is the one I use to generate my own CA and X509 certs for internal and VPN usage. Its a Perl GTK application that wraps OpenSSL, and can have multiple CAs. On Fri, Jan 20, 2012 at 5:31 AM, Jan Sievers siev...@kokosinseln.zedat.fu-berlin.de wrote: Package: ipsec-tools Version: 1:0.7.3-12 Severity: wishlist Tags: upstream Currently when configured to verify peer x509 certificates (verify_cert on) this includes the verification of certificate revocation lists (CRL). Racoon sets the following OpenSSL flags: X509_V_FLAG_CRL_CHECK X509_V_FLAG_CRL_CHECK_ALL before asking OpenSSL to verify the certificate. This will produce warnings in the racoon log file, if the CRL lists are not present. This is especially annoying, if the certificates are part of a certificate chain, because for every certificate in the chain racoon will print this warning. I think it would be nice to have a configuration option like verify_crl [on|all|off] so I could let the certificates be verified, but either don't care about CRLs at all or just care about the actual peer certificate and not the intermediate CAs. If the intermediate CA certs get revoked, I would surely want to know, but do not want that our systems stop talking to each other right away. Regards, Jan -- System Information: Debian Release: 6.0.3 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores) Locale: LANG=C, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15) Shell: /bin/sh linked to /bin/dash Versions of packages ipsec-tools depends on: ii libc6 2.11.2-10Embedded GNU C Library: Shared lib ii libcomerr2 1.41.12-4stable1 common error description library ii libgssapi-krb5-21.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - k ii libk5crypto31.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - C ii libkrb5-3 1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries ii libpam0g1.1.1-6.1+squeeze1 Pluggable Authentication Modules l ii libssl0.9.8 0.9.8o-4squeeze5 SSL shared libraries ipsec-tools recommends no packages. ipsec-tools suggests no packages. -- Configuration Files: /etc/init.d/setkey changed [not included] /etc/ipsec-tools.conf changed [not included] -- no debconf information
Bug#650310: Jackd 2 driver buggy - puredata locks up toggling DSP on/off.
Package: puredata Version: 0.43.0-4 Severity: grave Tags: upstream Puredata locks up when toggling DSP on/off, and it opens/closes its jackd connections. There are also problems running jackd asynchronously, with lots of error messages. What makes this bug grave is that most default Debian installs are running pulseaudio which is a required dependency for the default desktop, and most workstations only have one audio device. Pulseaudio is very hard to kill off, being restarted automatically when it is not there. Puredata works with its ALSA drivers, but you cannot use those drivers with pulseaudio hogging the audio devices. Jackd2 can be installed and run from qjackctl, which is what you expect if you want performance audio, but then puredata will not work properly due to its bug jack implementation. -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages puredata depends on: ii puredata-core 0.43.0-4 ii puredata-dev0.43.0-4 ii puredata-doc0.43.0-4 ii puredata-extra 0.43.0-4 ii puredata-gui0.43.0-4 ii puredata-utils 0.43.0-4 Versions of packages puredata recommends: ii gem 1:0.92.3-2+b1 Versions of packages puredata suggests: pn pd-aubio none pn pd-csound none pn pd-pdp none pn pd-zexynone -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#622134: transition: openssl 1.0.0
Hi Julien This should be fixed for ipsec-tools and racoon as of 0.8.0-9 on sid. Checked on sid amd64 via apt-cache depends. Building again on kfreebsd-i386 and kfreebsd-amd64 via buildd. Closed the 2 bugs that kept kfreebsd. Lets see if this package makes it to testing. Cheers, Matthew On Thu, 2011-10-06 at 20:46 +0200, Julien Cristau wrote: On Sun, Apr 10, 2011 at 16:02:14 +0200, Kurt Roeckx wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition This is to track the transition of openssl 1.0.0. Most of the problems are related to dropping SSLv2 support. openssl098 is still kept in testing by: - ace (ICE on armel) - beid (RC-buggy, candidate for removal) - ipsec-tools (#619687 #643570, has reverse dependencies) - isakmpd (#622051, candidate for removal) - isdnutils (#618228, has reverse dependencies) - pantomime1.2 (part of the gnustep transition) - transgui (#632532, candidate for removal) A fix for the ones with reverse dependencies would be nice... Cheers, Julien signature.asc Description: This is a digitally signed message part
Bug#643570: ipsec-tools: FTBFS(kfreebsd): symbol change
Hi Setting up a Debian kfreebsd sid VM to get this sorted on the weekend. If you want to help, can give you ssh access. Cheers, Matthew On Wed, Sep 28, 2011 at 6:28 AM, Christoph Egger christ...@debian.orgwrote: Package: src:ipsec-tools Version: 1:0.8.0-6 Severity: serious Tags: sid wheezy User: debian-...@lists.debian.org Usertags: kfreebsd X-Debbugs-Cc: debian-...@lists.debian.org Hi! Your package failed to build on the kfreebsd-* buildds: --- debian/ipsec-tools.symbols (ipsec-tools_1:0.8.0-6_kfreebsd-amd64) +++ dpkg-gensymbolsSHAP1q 2011-09-26 19:18:51.0 + @@ -71,7 +71,7 @@ pfkey_send_get@Base 0.7.3 pfkey_send_getspi@Base 0.7.3 pfkey_send_getspi_nat@Base 0.8.0 - pfkey_send_migrate@Base 0.7.3 +#MISSING: 1:0.8.0-6# pfkey_send_migrate@Base 0.7.3 pfkey_send_promisc_toggle@Base 0.7.3 pfkey_send_register@Base 0.7.3 pfkey_send_spdadd2@Base 0.7.3 make[1]: *** [override_dh_perl] Error 1 make[1]: Leaving directory `/build/buildd-ipsec-tools_0.8.0-6-kfreebsd-amd64-RNpoBK/ipsec-tools-0.8.0' make: *** [binary-arch] Error 2 Full build log at https://buildd.debian.org/status/fetch.php?pkg=ipsec-toolsarch=kfreebsd-amd64ver=1%3A0.8.0-6stamp=1317064813 Regards Christoph If you have further questions please mail debian-...@lists.debian.org -- 9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731 Debian Developer | Lisp Hacker | CaCert Assurer
Bug#613257: wiican: Depends on upstart
Sorry I have taken so long. Just got to the point where I can work on this. My Laptop with bluetooth was out for the six with a crash on boot type scenario due to incorrect kernel config... Regards, Matthew On Sun, Apr 3, 2011 at 3:04 AM, Julien Cristau jcris...@debian.org wrote: severity 613257 serious kthxbye On Sun, Feb 13, 2011 at 11:06:03 -0800, Josh Triplett wrote: Package: wiican Version: 0.3.1-4 Severity: normal wiican depends on upstart. Normal packages should never depend on a particular init system; they just need to work with the init system the user has installed. If the package provides an upstart job, I think a compatibility interface exists to run that job as a normal init script. If the package doesn't provide an upstart job, then you should just drop the dependency. Ack (actually, normal packages should *not* provide upstart jobs in Debian at this point, AFAIK). In addition, wiiscan is being built on kfreebsd, but as upstart is not available there it's not installable. Cheers, Julien -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQIcBAEBCAAGBQJNlzroAAoJEDEBgAUJBeQMrF0QAPiY125ZpDLMMhz48fyYEfAx 6ngm/lqvEwxCi+tn+CJXWM/i/wiz1ip9Y+lebl/r10lms1ZTBQac8F5006kuRwBe NRGVs3vgEX8OhYxC2OhSON1cP51wFHxE8aZ5caVWSDDBG5O13OxYop3qFV3xejF+ vcpvBOVd8Rhb/oan1t5o4p08IZ90Ioo+ZyjG2QDBaP1sV1qKRMzKzpXkdt3wLpL0 uo21Dltrd8PZY4cOIL8CLcSfRNNUWI2cOKBIO5qx2oiWc9zFNLR92pqdy6NO6MJS 16IZiIfpYbcvs1Ndx9sj6WTxdmS2+F8RNCgBcSgJXZv3308aFzBSCJPF4e7m97gt yRBsMsTTV7IPrZKCYAxcUbs2Gr48XueTMTdV6l3hvSDkyZy44yeJNvDwru/Iau2v iEjhNPc0TaPrMQzIteMnTDGB4k+HStHjgdHYrKECl9Tnwha8w6JRc/6RzDDEqWue h6dEOAUhWn0DZOwM9YqGikxIKgXXgK1c3ti6jpYMXulR5LnrV3+/mHmxLVTWEhSt 8Gbg3WZstGVmELUylFFVXrXcsrxvap7HeylraePUHMNrbqo0j+CpVqONvJP2CTkC iH539oOCSxc2M6vHimqkDgomi4oDbxyTsbG6Yp4R4TfhOhjiXPij0GimmL1m2KqA UPfJPn37dc6MnpeULg1R =A0t6 -END PGP SIGNATURE-
Bug#592340: netscript-2.4: Missing quotes prevent eth0_IF_CHAIN_AUTO from handling more than one interface.
Package: netscript-2.4 Severity: important Only one interface can be specified in the string, when it should handle many. This can prevent networking from coming up correctly, possibly rendering parts of network unreachable. I am the DD and upstream author of this package. This is a bug I discovered while at work. Fix is just adding quotes in the correct places. A patch is included for reference. -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core) Locale: LANG=en_NZ.utf8, LC_CTYPE=en_NZ.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#592340: Patch for bug
here's the patch for reference -- Show where the quotes are missing.
--- netscript 2009-12-21 09:26:18 +
+++ netscript 2010-07-29 00:30:30 +
@@ -941,7 +941,7 @@
return 0
;;
esac
- eval local IF_CHAIN_AUTO=\${$1_IF_CHAIN_AUTO:-}
+ eval local IF_CHAIN_AUTO=\\${$1_IF_CHAIN_AUTO:-}\
if_up $1 vb echo -n $1
for IF in $IF_CHAIN_AUTO; do
if_up $IF vb echo -n $IF
@@ -969,8 +969,8 @@
;;
esac
local REV_IF_CHAIN
- eval local IF_CHAIN=\${$1_IF_CHAIN:-}
- eval local IF_CHAIN_AUTO=\${$1_IF_CHAIN_AUTO:-}
+ eval local IF_CHAIN=\\${$1_IF_CHAIN:-}\
+ eval local IF_CHAIN_AUTO=\\${$1_IF_CHAIN_AUTO:-}\
IF_CHAIN=$IF_CHAIN_AUTO $IF_CHAIN
for IF in $IF_CHAIN; do
REV_IF_CHAIN=$REV_IF_CHAIN $IF
signature.asc
Description: This is a digitally signed message part
Bug#561627: sysvinit ALWAYS replaces upstart on dist-upgrade
Package: sysvinit Version: 2.87dsf-8 Severity: normal I should be able to install the system /sbin/init I want, not one that is forced because it is 'essential'. -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.31-1-686 (SMP w/1 CPU core) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages sysvinit depends on: ii initscripts 2.87dsf-8 scripts for initializing and shutt ii libc6 2.10.2-2 GNU C Library: Shared libraries ii libselinux1 2.0.89-4 SELinux runtime shared libraries ii libsepol1 2.0.40-2 SELinux library for manipulating b ii sysv-rc 2.87dsf-8 System-V-like runlevel change mech ii sysvinit-utils2.87dsf-8 System-V-like utilities sysvinit recommends no packages. sysvinit suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#547509: Patch used in NMU version 5.1.7+nmu3
Peter, Sorry for not responding sooner. I have been quite lax with my maintenance due to study reasons, and I also managed to forget the passphrase to my old GPG key. I am in the process of getting a new key. I got a 1024 bit DSA key signed by another Debian Developer just yesterday, but I doubt that it will be accepted due to new preferences on key strength using at least 2048 bit and SHA2 instead of SHA1. I will get a new version of the package uploaded once this is sorted out. Best Regards, Matthew Grant On Sun, 2009-09-20 at 14:48 +0200, Petter Reinholdtsen wrote: Package: netscript-2.4 Version: 5.1.7+nmu3 Severity: wishlist Tags: patch This is the patch I used in my NMU. diff -Nru netscript-2.4-5.1.7+nmu2/debian/changelog netscript-2.4-5.1.7+nmu3/debian/changelog --- netscript-2.4-5.1.7+nmu2/debian/changelog 2009-09-13 13:27:27.0 +0200 +++ netscript-2.4-5.1.7+nmu3/debian/changelog 2009-09-20 14:46:27.0 +0200 @@ -1,3 +1,12 @@ +netscript-2.4 (5.1.7+nmu3) unstable; urgency=low + + * Non-maintainer upload to fix release goal. + * Make ifupdown init.d scrtip dependency optional, to avoid having the +package depend on ifupdown. Fixes installation problem detected by +piuparts. + + -- Petter Reinholdtsen p...@debian.org Sun, 20 Sep 2009 14:45:23 +0200 + netscript-2.4 (5.1.7+nmu2) unstable; urgency=low * Non-maintainer upload. diff -Nru netscript-2.4-5.1.7+nmu2/netscript.init netscript-2.4-5.1.7+nmu3/netscript.init --- netscript-2.4-5.1.7+nmu2/netscript.init 2009-09-13 12:54:54.0 +0200 +++ netscript-2.4-5.1.7+nmu3/netscript.init 2009-09-20 14:46:04.0 +0200 @@ -1,8 +1,9 @@ #! /bin/sh -e ### BEGIN INIT INFO # Provides: netscript -# Required-Start:mountkernfs $local_fs ifupdown +# Required-Start:mountkernfs $local_fs # Required-Stop: $local_fs +# Should-Start: ifupdown # X-Start-Before:networking # Default-Start: S # Default-Stop: 0 6 Happy hacking, signature.asc Description: This is a digitally signed message part
Bug#546459: netscript-2.4: Patch used in NMU version 5.1.7+nmu2
Hi! I have lost the password to my gpg key, and I am contacting a local Debian Developer tomorrow to get this sorted - It was time I created a stronger key anyhow. Cheers, Matthew Grant On Sun, Sep 13, 2009 at 11:27 PM, Petter Reinholdtsen p...@hungry.com wrote: Package: netscript-2.4 Version: 5.1.7+nmu2 Severity: wishlist Tags: patch This is the patch I used in the updated NMU I just uploaded. diff -Nru netscript-2.4-5.1.7/debian/changelog netscript-2.4-5.1.7+nmu2/debian/changelog --- netscript-2.4-5.1.7/debian/changelog 2008-12-30 01:42:53.0 +0100 +++ netscript-2.4-5.1.7+nmu2/debian/changelog 2009-09-13 12:58:52.0 +0200 @@ -1,3 +1,19 @@ +netscript-2.4 (5.1.7+nmu2) unstable; urgency=low + + * Non-maintainer upload. + * Patched the wrong file in the last upload. Patch netscript.init, + not debian/init. Make sure to remove the debian/init copy in the + clean target of debian/rules. Last NMU is obsolete (Closes: #546457). + + -- Petter Reinholdtsen p...@debian.org Sun, 13 Sep 2009 12:55:24 +0200 + +netscript-2.4 (5.1.7+nmu1) unstable; urgency=low + + * Non-maintainer upload to fix release goal. + * Fix init.d script dependency headers (Closes: 542246). + + -- Petter Reinholdtsen p...@debian.org Sun, 13 Sep 2009 11:58:38 +0200 + netscript-2.4 (5.1.7) unstable; urgency=low * Remove suggests entry in debian/control for waproamd. (Closes: #509392) @@ -6,7 +22,7 @@ netscript-2.4 (5.1.6) unstable; urgency=low - * Fix netscript so that ti will run with dash as /bin/sh. + * Fix netscript so that it will run with dash as /bin/sh. * Update my maintainer address to matthewgra...@gmail.com -- Matthew Grant matthewgra...@gmail.com Mon, 29 Dec 2008 13:17:53 +1300 diff -Nru netscript-2.4-5.1.7/debian/rules netscript-2.4-5.1.7+nmu2/debian/rules --- netscript-2.4-5.1.7/debian/rules 2008-02-06 05:11:45.0 +0100 +++ netscript-2.4-5.1.7+nmu2/debian/rules 2009-09-13 12:56:16.0 +0200 @@ -22,6 +22,7 @@ # Add here commands to clean up after the build process. # -$(MAKE) clean + $(RM) debian/init dh_clean diff -Nru netscript-2.4-5.1.7/netscript.init netscript-2.4-5.1.7+nmu2/netscript.init --- netscript-2.4-5.1.7/netscript.init 2008-02-06 05:56:30.0 +0100 +++ netscript-2.4-5.1.7+nmu2/netscript.init 2009-09-13 12:54:54.0 +0200 @@ -1,8 +1,9 @@ #! /bin/sh -e ### BEGIN INIT INFO -# Provides: networking -# Required-Start: mountkernfs $local_fs +# Provides: netscript +# Required-Start: mountkernfs $local_fs ifupdown # Required-Stop: $local_fs +# X-Start-Before: networking # Default-Start: S # Default-Stop: 0 6 # Short-Description: Raise network interfaces, and setup iptables. Happy hacking, -- Petter Reinholdtsen -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#467091: O: apollon -- KDE-based interface to giFT file-sharing system
Package: wnpp Severity: normal It is not used that much anymore, and it has been on slow bake upstream without any recent release. Last release 2005/05/08. This may be one for the dustbin. -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.22 (SMP w/2 CPU cores) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash signature.asc Description: This is a digitally signed message part
Bug#467092: O: c-sig -- A signature tool for GNU Emacs
Package: wnpp Severity: normal Another thing that is on slow-bake No new release since 1999/06/10. MAy be of interest to some emacs fans though. -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.22 (SMP w/2 CPU cores) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash signature.asc Description: This is a digitally signed message part
Bug#416207: artsd ALSA failure - looks like same thing
Hi! On my Debian sid installation also get a similar failure sharon: -grantma- [~] $ artsd ALSA lib confmisc.c:1105:(snd_func_refer) Unable to find definition 'defaults.pcm.dmix_format' ALSA lib conf.c:3500:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory ALSA lib conf.c:3957:(snd_config_expand) Args evaluate error: No such file or directory ALSA lib pcm.c:2143:(snd_pcm_open_noupdate) Unknown PCM dmix:CK8S Error while initializing the sound driver: device: default can't be opened for playback (No such file or directory) Machine is a an NForce 3 SN95G2 shuttle, running i386 Debian unstable with Xen kernel compiled form Debian sources. lspci lists sound card is a Multimedia audio controller: nVidia Corporation nForce3 250Gb AC'97 Audio Controller (rev a1) Hope that this is helpful. Useing OSS emulation is a workaround -- Matthew Grant [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#305731: zaptel command ztcfg freezes on PowerPC causing boot failure
Package: zaptel Version: 2:1.0.7-1.mag.1 Severity: critical Tags: patch Justification: breaks the whole system ztcfg command freezes on zaptel module loads, halting boot process when hotplug does its boot time stuff. Same old Makefile/compiler flags problem as before - you forgot to put the double quotes around the arguments to grep!!! Basically as same for fix for asterisk on PPC going potty when someone hangs up on the voicenmail! Matthew Grant -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (990, 'testing'), (500, 'unstable') Architecture: powerpc (ppc) Kernel: Linux 2.6.11-pmac-2.6 Locale: LANG=en_NZ, LC_CTYPE=en_NZ (charmap=ISO-8859-1) Versions of packages zaptel depends on: ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an ii libnewt0.51 0.51.6-20Not Erik's Windowing Toolkit - tex -- no debconf information --- zaptel-1.0.7/debian/patches/Makefile.dpatch 2005-04-22 07:26:26.0 +1200 +++ zaptel-1.0.7-mine/debian/patches/Makefile.dpatch2005-04-22 07:25:02.0 +1200 @@ -27,7 +27,7 @@ CFLAGS+=-I. -O4 -g -Wall -DBUILDING_TONEZONE #-DTONEZONE_DRIVER -CFLAGS+=$(shell if uname -m | grep -q ppc; then echo -fsigned-char; fi) -CFLAGS+=$(shell if uname -m | grep -q x86_64; then echo -m64; fi) -+CFLAGS+=$(shell if echo $(UNAME_M) | grep -q ppc\|powerpc\|arm\|s390; then echo -fsigned-char; fi) ++CFLAGS+=$(shell if echo $(UNAME_M) | grep -q ppc\|powerpc\|arm\|s390; then echo -fsigned-char; fi) +CFLAGS+=$(shell if echo $(UNAME_M) | grep -q x86_64; then echo -m64; fi) LCFLAGS=-fPIC $(CFLAGS) -DBUILDING_TONEZONE -KFLAGS+=-I/usr/src/linux-2.4/include -O6
Bug#305734: asterisk: On PowerPC, hanging up on voicemail causes non-stop log messages
Package: asterisk
Version: 1:1.0.7.dfsg.1-2
Severity: normal
Tags: patch
Getting the compiler flags wrong (missing -fsigned-char) causes the following
log message several times a second:
WARNING[7261]: Failed to write frame
Log grew fast giving possiblity of file system filling up.
This was caused by hanging up on the Voicemail.
Putting in missing double quotes aroung the grep on the machine type output
to make sure the '-fsigned-char' was added to gcc command line fixed this.
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.11-pmac-2.6
Locale: LANG=en_NZ, LC_CTYPE=en_NZ (charmap=ISO-8859-1)
Versions of packages asterisk depends on:
ii asterisk-config 1:1.0.7.dfsg.1-2 config files for asterisk
ii asterisk-sounds-main1:1.0.5-2sound files for asterisk
ii libasound2 1.0.8-3 ALSA library
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libgsm1 1.0.10-13Shared libraries for GSM speech co
ii libncurses5 5.4-4Shared libraries for terminal hand
ii libnewt0.51 0.51.6-20Not Erik's Windowing Toolkit - tex
ii libpq3 7.4.7-2 PostgreSQL C client library
ii libpri1 1.0.7-1 Primary Rate ISDN specification li
ii libspeex1 1.1.6-2 The Speex Speech Codec
ii libsqlite0 2.8.16-1 SQLite shared library
ii libssl0.9.7 0.9.7e-2 SSL shared libraries
ii libtonezone11:1.0.7-3tonezone library (runtime)
ii unixodbc2.2.4-11 ODBC tools libraries
ii zlib1g 1:1.2.2-3compression library - runtime
-- no debconf information
--- asterisk-1.0.7.dfsg.1/debian/patches/20_Makefile.dpatch 2005-04-22
07:12:51.0 +1200
+++ asterisk-1.0.7.dfsg.1-mine/debian/patches/20_Makefile.dpatch
2005-04-16 21:04:08.0 +1200
@@ -80,7 +80,7 @@
endif
-CFLAGS+=$(shell if uname -m | grep -q ppc; then echo -fsigned-char; fi)
-+CFLAGS+=$(shell if uname -m | grep -q ppc\|arm\|s390\|s390x; then echo
-fsigned-char; fi)
++CFLAGS+=$(shell if uname -m | grep -q ppc\|arm\|s390\|s390x; then echo
-fsigned-char; fi)
CFLAGS+=$(shell if [ -f /usr/include/osp/osp.h ]; then echo -DOSP_SUPPORT
-I/usr/include/osp ; fi)
ifeq (${OSARCH},FreeBSD)
Bug#302847: zaptel command ztcfg freezes on Debian PowerPC causing boot failure.
Package: zaptel Version: 1:1.0.7-1 Severity: critical Tags: patch Justification: breaks the whole system When ztcfg executes due to zaptel module load during hotplug initialisation, ztcfg does not exit causing boot process to stop. Ctrl-C on console will not recover condition. Machine must be power cycled. This is specific to Debian PPC architecture. Problem due to missing -fsigned-char to gcc when binaries are compiled. This is due to a typo in the grep executed in the Debian patch to the zaptel Makefile. Patch is included. Matthew Grant --- zaptel-1.0.7/debian/patches/Makefile.dpatch 2005-04-03 22:13:06.0 +1200 +++ zaptel-1.0.7/debian/patches/Makefile.dpatch.orig2005-04-03 22:13:24.0 +1200 @@ -27,7 +27,7 @@ CFLAGS+=-I. -O4 -g -Wall -DBUILDING_TONEZONE #-DTONEZONE_DRIVER -CFLAGS+=$(shell if uname -m | grep -q ppc; then echo -fsigned-char; fi) -CFLAGS+=$(shell if uname -m | grep -q x86_64; then echo -m64; fi) -+CFLAGS+=$(shell if echo $(UNAME_M) | egrep -q ppc|powerpc; then echo -fsigned-char; fi) ++CFLAGS+=$(shell if echo $(UNAME_M) | grep -q ppc; then echo -fsigned-char; fi) +CFLAGS+=$(shell if echo $(UNAME_M) | grep -q x86_64; then echo -m64; fi) LCFLAGS=-fPIC $(CFLAGS) -DBUILDING_TONEZONE -KFLAGS+=-I/usr/src/linux-2.4/include -O6 -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (990, 'testing'), (500, 'unstable') Architecture: powerpc (ppc) Kernel: Linux 2.6.11-pmac-2.6 Locale: LANG=en_NZ, LC_CTYPE=en_NZ (charmap=ISO-8859-1) Versions of packages zaptel depends on: ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an ii libnewt0.51 0.51.6-20Not Erik's Windowing Toolkit - tex -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#296209: gnome-icon-theme: New postint script - gtk-update-icon-cache problems, results in 'blank' icons!
Package: gnome-icon-theme Version: 2.8.0-2 Severity: grave Justification: renders package unusable Upgrading from 2.8.0-1 results in all the icons in Nautilus turning to the default 'blank page' icon, most of the icons in Evolution for email and folders turn into red X crosses, and the show desktop icon in the panel going to a red X cross as well. Going back to the 2.8.0-1 version of the packkage fixed the problem for me. Please fix this! This bug is a major usability issues as it is not easy to tell if an email has an attachment, or whether a file is a directory or data! Very off-putting to any Gnome user. Is this a Powerpc only problem? I don't think it is though -- System Information: Debian Release: 3.1 APT prefers unstable APT policy: (500, 'unstable') Architecture: powerpc (ppc) Kernel: Linux 2.6.10-pmac-2.6 Locale: LANG=en_NZ, LC_CTYPE=en_NZ (charmap=ISO-8859-1) Versions of packages gnome-icon-theme depends on: ii hicolor-icon-theme0.7-1 default fallback theme for FreeDes -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
