Bug#929453: lftp: hangs on getting directory contents at the end of mirror

2019-10-25 Thread Nico Golde
Any idea what is causing this?



Bug#929453: lftp: hangs on getting directory contents at the end of mirror

2019-05-23 Thread Nico Golde
Package: lftp
Version: 4.8.4-2
Severity: important

Hi Noël,
First thanks for maintaining lftp!

I've got two machines that run the same version of Debian and the same version
(and same configuration) of lftp, and on one of them lftp behaves very weirdly
at the end of the mirror command.

This manifests in the following output:

...
Transferring file `foo01'
Transferring file `foo02'
Transferring file `foo03'
New: 11 files, 0 symlinks
421696988 bytes transferred in 47 seconds (8.58 MiB/s)
Retrying mirror...
Getting directory contents (0) [Waiting for response...]

At that point, lftp is just stuck.
The exact mirror command that is executed is "mirror -R -c -v".

I have attached a minimal config for which this problem occurs and hope that 
helps. Specifically, the timeout does not seem to kick in and I have no idea 
why. There's also nothing obvious in the transfer log that hints to a problem.

I have also attached an strace from slightly before this happens, i.e. when 
the files are stat'ed the last time. It seems lftp hangs up in some infinite 
select loop without valuing the timeout or noticing that the server has closed 
the connection. FWIW, this connection uses sftp.

Hope this helps. This has been bugging me for a while now and I've got no idea 
what this is.

Thanks!
Nico
set ftp:passive-mode yes
set ftp:ssl-allow yes
set ftp:ssl-allow-anonymous no
set ftp:ssl-auth TLS
set ftp:ssl-data-use-keys yes
set ftp:ssl-force yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
set ftp:ssl-protect-list yes
set ssl:verify-certificate yes
set mirror:set-permissions off
set cache:enable false
set ftp:use-site-idle false
set ftp:use-mdtm false
set ftp:lang false
set ftp:use-hftp false
set ftp:use-feat false
set ftp:use-stat false
set ftp:stat-interval 30
set ftp:sync-mode true
set ftp:skey-allow false
set mirror:no-empty-dirs true

set net:timeout 10
set net:max-retries 2
set net:reconnect-interval-base 5
set net:reconnect-interval-multiplier 1
debug
lstat("/home/bla/foo01", {st_mode=S_IFREG|0644, st_size=21696051, ...}) = 0
lstat("/home/bla/foo02", {st_mode=S_IFREG|0644, st_size=5000, ...}) = 0
lstat("/home/bla/foo03", {st_mode=S_IFREG|0644, st_size=540, ...}) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 7
fcntl(7, F_GETFL)   = 0x2 (flags O_RDWR)
fcntl(7, F_SETFL, O_RDWR|O_NONBLOCK)= 0
fcntl(7, F_SETFD, FD_CLOEXEC)   = 0
setsockopt(7, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
getsockname(4, {sa_family=AF_INET, sin_port=htons(54152), 
sin_addr=inet_addr("X")}, [28->16]) = 0
bind(7, {sa_family=AF_INET, sin_port=htons(0), 
sin_addr=inet_addr("XX")}, 16) = 0
getsockname(7, {sa_family=AF_INET, sin_port=htons(34865), 
sin_addr=inet_addr("XX")}, [28->16]) = 0
sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\27\3\3\0 
\0\0\0\0\0\0\0(\206\240\225\326h%YA\234h\307~g\206\310`\337\232\233"..., 
iov_len=37}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 37
brk(0x560b2eb48000) = 0x560b2eb48000
close(5)= 0
select(5, [], [4], NULL, {tv_sec=0, tv_usec=13894}) = 1 (out [4], left 
{tv_sec=0, tv_usec=13892})
recvfrom(4, 0x560b2eafdbb3, 5, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily 
unavailable)
select(5, [4], [], NULL, {tv_sec=0, tv_usec=13787}) = 0 (Timeout)
ioctl(0, TIOCGPGRP, [1772]) = 0
getpgrp()   = 1772
ioctl(1, TIOCGWINSZ, {ws_row=48, ws_col=211, ws_xpixel=0, ws_ypixel=0}) = 0
write(1, "Getting directory contents (0) ["..., 56) = 56
write(1, "\r", 1)   = 1
select(5, [4], [], NULL, {tv_sec=0, tv_usec=78028}) = 1 (in [4], left 
{tv_sec=0, tv_usec=75885})
recvfrom(4, "\27\3\3\0,", 5, 0, NULL, NULL) = 5
recvfrom(4, 
",r`\317\224\351\nl/\367\214\374+\273\26\2524.\234\230\245\363E\365h\275*5\26\10\10I"...,
 44, 0, NULL, NULL) = 44
recvfrom(4, 0x560b2eafdbb3, 5, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily 
unavailable)
sendmsg(4, {msg_name=NULL, msg_namelen=0, 
msg_iov=[{iov_base="\27\3\3\0\36\0\0\0\0\0\0\0)AX\200\347\262\335s\221\246V\221|\320\336z:9\271v"...,
 iov_len=35}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 35
select(5, [], [4], NULL, {tv_sec=0, tv_usec=74351}) = 1 (out [4], left 
{tv_sec=0, tv_usec=74349})
recvfrom(4, 0x560b2eafdbb3, 5, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily 
unavailable)
select(5, [4], [], NULL, {tv_sec=0, tv_usec=74195}) = 1 (in [4], left 
{tv_sec=0, tv_usec=57018})
recvfrom(4, "\27\3\3\0J", 5, 0, NULL, NULL) = 5
recvfrom(4, 
",r`\317\224\351\nm\302\t\r>si\356$\346DS\222\362\362\327\201\307\274D[\254S\361\264"...,
 74, 0, NULL, NULL) = 74
recvfrom(4, 0x560b2eafdbb3, 5, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily 
unavailable)
getpeername(4, {sa_family=AF_INET, sin_port=htons(43486), 
sin_addr=inet_addr("Y")}, [28->16]) = 0
connect(7, {sa_family=AF_INET, sin_port=htons(63183), 
sin_addr=inet_addr("Y")}, 16) = -1 EINPROGRESS (Operation now in 
progress)

Bug#902225: RFS: ii/1.8-1

2018-08-08 Thread Nico Golde
Hi itd,
the license change for debian patches is fine!

Cheers,
Nico

-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#852159: mktorrent: upstream changed maintainer, actual version missing new interesting features

2018-08-02 Thread Nico Golde
Hi,
* Paride Legovini  [2018-08-01 22:31]:
> Nico Golde wrote on 29/07/2018:
> > * Paride Legovini  [2018-07-29 19:52]:
[...] 
> The Debian packaging is Copyright (C) 2009, Nico Golde 
> and is licensed under the GPL, see `/usr/share/common-licenses/GPL-2'.
> 
> Does this mean GPL2 or GPL2+ (GPL2 or any later version)? (Upstream is
> licensed as GPL2+, so I think it would be nice to use the same licensing
> terms for homogeneity, but it's up to you.)

Feel free to change any aspect as you like, including this one.

Cheers,
Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0



Bug#852159: mktorrent: upstream changed maintainer, actual version missing new interesting features

2018-05-31 Thread Nico Golde
Hi,
I just realized I haven't responded to this bug ever. I'm very short on time 
at the moment and in fact will retire my Debian account soon. If you or anyone 
is interested in hijacking this package, please go ahead!

Kind regards,
Nico

-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#895634: please package lftp 4.8.3

2018-04-13 Thread Nico Golde
Source: lftp
Severity: wishlist

Hey Noël,
Could you update lftp to 4.8.3? This brings some useful features such as 
the parallel option for mget.

Thanks!
Nico

-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#890995: ii: new upstream version

2018-02-21 Thread Nico Golde
Hi,
* itd <i...@firemail.cc> [2018-02-21 13:48]:
> thanks for maintaining ii.
> 
> As of 2018-02-04 ii version 1.8 is available. Please consider packaging it. 
> Feel
> free to use the patch attached as you think fit to do so (no attribution
> required). [1]

Do you want to hijack the package? You are more than welcome to do so!

Kind regards,
Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#842558: O: nitrogen - wallpaper browser and changing utility for X

2016-10-30 Thread Nico Golde
Package: wnpp
Severity: normal

I intend to orphan the nitrogen package.

nitrogen is a graphical wallpaper utility that can be used in two modes, 
browser and recall. Some of the things to look for in nitrogen are:

 * Multihead and Xinerama support (setting
   different wallpapers for each monitor)
 * Recall mode to restore wallpapers via startup script
 * Uses freedesktop.org standard for thumbnails
 * Can set GNOME background
 * Command line set modes for script usage
 * Inotify monitoring of browsed directories





Bug#842559: O: libacpi - general purpose library for ACPI

2016-10-30 Thread Nico Golde
Package: wnpp
Severity: normal

I intend to orphan the libacpi package.

libacpi is a general purpose shared library for programs gathering ACPI data 
on Linux. It implements thermal zones, battery information, fan information 
and AC states.




Bug#842557: O: binclock - binary clock for console with color support

2016-10-30 Thread Nico Golde
Package: wnpp
Severity: normal

I intend to orphan the binclock package.

BinClock - Displays system time in binary format. It supports showing the time 
with eight different colors, and it can run a loop that prints the time every 
second. The default colors and characters for printing can be changed with a 
config file.

I think this is a toy program. If nobody feels inclined to take it, I think we 
are better off removing it from the archive.

Cheers,
Nico




Bug#842556: O: yacpi - ncurses based acpi monitor for text mode

2016-10-30 Thread Nico Golde
Package: wnpp
Severity: normal

I intend to orphan the yacpi package.

yacpi (yet another configuration and power interface) is an ncurses based ACPI 
monitoring program for notebooks. There is also a text-only output so it is 
possible to include it in scripts. It displays various ACPI information like 
battery status, temperature, charging circuits and AC status. Additionally it 
displays CPU governor and current frequency.




Bug#842555: O: tsocks -- transparent network access through a SOCKS 4 or 5 proxy

2016-10-30 Thread Nico Golde
Package: wnpp
Severity: normal

I intend to orphan the tsocks package.

The package description is:
 tsocks provides transparent network access through a SOCKS version 4
 or 5 proxy (usually on a firewall). tsocks intercepts the calls
 applications make to establish TCP connections and transparently
 proxies them as necessary. This allows existing applications to use
 SOCKS without recompilation or modification.




Bug#817875: libacpi: Patch used in NMU 0.2-4.1

2016-03-11 Thread Nico Golde
* Petter Reinholdtsen  [2016-03-11 09:48]:
> The libacpi package has not been able to extract battery status for a
> while, and this breaks several packages, among them battery-stats.  I
> wanted to do something about this, so I just uploaded an NMU fixing the
> bugs in the package.  As the maintainer is listed as having a low NMU
> threshold, I decided to upload directly into unstable instead of using
> the delayed queue.  The attached patch is the changes I made to the
> source package:

Thanks, also feel free to hijack this completely!
Nico



Bug#776728: newsbeuter: nasty memory leak in 2.8

2016-01-03 Thread Nico Golde
Hi,

> On 03 Jan 2016, at 12:30, Manuel A. Fernandez Montecelo 
> <manuel.montez...@gmail.com> wrote:
> 
> Control: tags -1 + patch
> 
> 
> Hi all,
> 
> 2015-02-01 18:25 Nico Golde:
>> Hi,
>> * Mark Nipper <ni...@bitgnome.net> [2015-02-01 19:06]:
>>>It seems there is a rather nasty memory leak in 2.8 of
>>> newsbeuter.  The bug for it is mentioned here (with a pretty graph!):
>>> ---
>>> https://github.com/akrennmair/newsbeuter/issues/119
>>> 
>>> This has caused a smaller virtual host I have running to lock up
>>> multiple times now (due to a separate issue in btrfs I suspect), until I
>>> finally sat down to go back through my atop history.  At this point, it
>>> was clear the issue was, in part, due to this memory leak in newsbeuter
>>> (which I typically leave running in a tmux window indefinitely).
>> [...]
>> 
>> Thanks for the report! Checking back with upstream if he is willing to make a
>> new release, otherwise I'll take the separate patch.
> 
> It would be very nice to get this fixed, it's getting up to 800+MB of
> mem within hours, it seems to stabilise a bit after that.
> 
> 
> Version 2.9 was released a few weeks after this last message as
> promised, and fixes the problem, so it would be extra nice to have ...

Sorry, please see https://lists.debian.org/debian-wnpp/2015/10/msg00056.html. I 
don't have the time to maintain this anymore. 

Kind regards,
Nico 


Bug#800753: Bug#805366: stfl: build-depends on spl-dev which is gone from the archive

2015-11-17 Thread Nico Golde
Hi,
* Emilio Pozuelo Monfort <po...@debian.org> [2015-11-17 20:17]:
> Source: stfl
> Version: 0.22-1.2
> Severity: serious
> 
> Your package build-depends on spl-dev, making it unbuildable as that
> package no longer exists.
> 
> See https://bugs.debian.org/801704

Too bad. I have an RFA open for stfl. I'm CC'ing this so if a person is
interested in adopting it, they can consider adopting spl as well. I have no
intentions of doing another upload for this.

Cheers,
Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#800755: RFA: httping -- ping-like program for http-requests

2015-10-03 Thread Nico Golde
Package: wnpp
Severity: normal

I request an adopter for the httping package.

The package description is:
 httping is like ping for HTTP. It sends requests to a hostname or a remote
 URL and it shows you how long it takes to connect, send a HTTP request and
 retrieve the reply (only the header).
 .
 It supports SSL as well as various different ways to use it.



Bug#800754: RFA: tcpxtract -- extracts files from network traffic based on file signatures

2015-10-03 Thread Nico Golde
Package: wnpp
Severity: normal

I request an adopter for the tcpxtract package.

The package description is:
 tcpxtract is a fast console tool to extract files from network traffic
 based on file headers and footers (so called carving).
 26 file formats are supported out of the box by tcpxtract but new formats
 can be added without problems.
 Foremost configurations are simple to convert to tcpxtracts configuration
 files.
 .
 It uses libpcap and it can be used with tcpdump files.



Bug#800751: RFA: httping -- ping-like program for http-requests

2015-10-03 Thread Nico Golde
Package: wnpp
Severity: normal

I request an adopter for the httping package as I don't have enough time 
anymore.

The package description is:
 httping is like ping for HTTP. It sends requests to a hostname or a remote
 URL and it shows you how long it takes to connect, send a HTTP request and
 retrieve the reply (only the header).
 .
 It supports SSL as well as various different ways to use it.



Bug#800753: RFA: stfl -- structured terminal forms language/library

2015-10-03 Thread Nico Golde
Package: wnpp
Severity: normal

I request an adopter for the stfl package as I don't have enough time anymore.

The package description is:
 stfl is a library which implements a curses-based widget set for text
 terminals.
 .
 This package contains the shared library for libstfl.



Bug#800750: RFA: fetchmail -- SSL enabled POP3, APOP, IMAP mail gatherer/forwarder

2015-10-03 Thread Nico Golde
Package: wnpp
Severity: normal

I request an adopter for the fetchmail package as I think I don't have enough 
time anymore.

The package description is:
 fetchmail is a free, full-featured, robust, and well-documented remote mail
 retrieval and forwarding utility intended to be used over on-demand TCP/IP
 links (such as SLIP or PPP connections).  It retrieves mail from remote mail
 servers and forwards it to your local (client) machine's delivery system, so
 it can then be read by normal mail user agents such as mutt, elm, pine,
 (x)emacs/gnus, or mailx.  The fetchmailconf package includes an interactive
 GUI configurator suitable for end-users.
 .
 Kerberos V and GSSAPI are supported.
 .
 Kerberos IV,  RPA, OPIE and other support for some other features are
 available if the package is recompiled.



Bug#800752: RFA: newsbeuter -- text mode rss feed reader with podcast support

2015-10-03 Thread Nico Golde
Package: wnpp
Severity: normal

I request an adopter for the newsbeuter package as I don't have the time 
anymore.

The package description is:
 newsbeuter is an innovative RSS feed reader for the text console.
 It supports OPML import/exports, HTML rendering, podcast (podbeuter),
 offline reading, searching and storing articles to your filesystem,
 and many more features.
 .
 Its user interface is coherent, easy to use, and might look
 common to users of mutt and slrn.



Bug#781803: [pkg-fetchmail-maint] Bug#781803: [l10n] [de] fetchmail: german translation abgeschossen

2015-04-03 Thread Nico Golde
Hi,
* Mario Lang <ml...@delysid.org> [2015-04-03 12:47]:
> Running fetchmail -q in a German environment, fetchmail tells me:
>
> fetchmail: Hintergrund-fetchmail mit Kennung 3220 abgeschossen.
>
> I don't think that abgeschossen is an appropriate translation.
> I'd say beendet is much better.
>
> Abgeschossen sounds like a message from an ego-shooter.

Thanks for the report! Being a native speaker myself, I don't care either way 
to be honest, but I can see how beendet sounds a little more professional. 
Matthias, do you mind changing this?

Cheers,
Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#776728: newsbeuter: nasty memory leak in 2.8

2015-02-01 Thread Nico Golde
Hi,
* Mark Nipper <ni...@bitgnome.net> [2015-02-01 19:06]:
>    It seems there is a rather nasty memory leak in 2.8 of
> newsbeuter.  The bug for it is mentioned here (with a pretty graph!):
> ---
> https://github.com/akrennmair/newsbeuter/issues/119
>
> This has caused a smaller virtual host I have running to lock up
> multiple times now (due to a separate issue in btrfs I suspect), until I
> finally sat down to go back through my atop history.  At this point, it
> was clear the issue was, in part, due to this memory leak in newsbeuter
> (which I typically leave running in a tmux window indefinitely).
[...] 

Thanks for the report! Checking back with upstream if he is willing to make a 
new release, otherwise I'll take the separate patch.

Cheers
Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0





Bug#775255: [pkg-fetchmail-maint] Bug#775255: fetchmail: Fails to start when libssl has SSLv3 disabled

2015-01-17 Thread Nico Golde
severity 775255 wishlist
retitle 775255 provide possibility to disable sslv3 or remove completely
thanks

Hi,
* Chiraag Nataraj <chiraag.nata...@gmail.com> [2015-01-14 03:50]:
> Yes, it works with the version of libssl from unstable since SSLv3 is not
> disabled in that version. The main problem is that currently, fetchmail does
> not work with more secure versions of libssl (which have SSLv3 disabled
> completely). I just provided one solution (completely disable SSLv3 in
> fetchmail), but if another one (such as automatically detecting that libssl
> does not provide SSLv3 and therefore not even attempting to load the SSLv3
> symbols) works better, that's fine too.
>
> Currently, the version of fetchmail in experimental is the same as the
> version of fetchmail in unstable. If necessary, you could release a
> different version of fetchmail for experimental which drops SSLv3 support
> entirely (if updating the one in unstable seems like a bad idea currently),
> since SSLv3 support *should* be dropped at some point due to the POODLE bug.
>
> This is not an issue of fetchmail negotiating SSLv3 by default, this is an
> issue of fetchmail looking for symbols in libssl *which don't exist*.
>
> The first would only surface if, for example, libssl provided an empty
> implementation of SSLv3 but still exported the symbols. What's happening
> right now is that the symbols don't even exist, which leads to the program
> not working at all. This is regardless of whether or not I actually utilize
> SSLv3 as my protocol (which I never specifically requested).

I'm glad you are explaining this to me, but I think you misunderstood my point.
It is clear to me where this error is coming from and that it is openssl 
essentially breaking compatibility here.
I merely made the point that in the git version of fetchmail sslv3 is by 
default not negotiated, which is why I think your patch is not helpful as it 
clearly wasn't upstream's intention to remove this support entirely, at least 
not in this form.

So in conclusion, also after seeing Matthias' take on this, I'll change this 
bug to wishlist for providing a possibility to disable sslv3 or remove it 
entirely. I know this is not your original intention with filing the bug, but 
there is nothing to fix from the fetchmail package point of view right now, 
this is something the openssl maintainer needs to fix by properly bumping the 
soname and package names. My alternative would be to close the bug or reassign 
it to openssl, but I do think that it's reasonable to ask for this particular 
feature change anyway, so we can as well track it.

Cheers
Nico

-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#775255: [pkg-fetchmail-maint] Bug#775255: fetchmail: Fails to start when libssl has SSLv3 disabled

2015-01-13 Thread Nico Golde
Hi,
* Chiraag Nataraj <chiraag.nata...@gmail.com> [2015-01-13 12:22]:
> Package: fetchmail
> Version: 6.3.26-1+b1
> Severity: grave
> Justification: renders package unusable

You filed a bug against a version that works absolutely fine with the openssl 
version it is supposed to work with. Hence, I'm inclined to close that bug or 
downgrade it to wishlist in favor of removing/disabling sslv3 support in 
fetchmail.

> When the latest version of libssl1.0.0 is installed from experimental (which
> has SSLv3 disabled), Fetchmail exits with the following error:
>
> fetchmail: relocation error: fetchmail: symbol SSLv3_client_method, version
> OPENSSL_1.0.0 not defined in file libssl.so.1.0.0 with link time reference

See above

> Fetchmail should be rebuilt to not require SSLv3.

The patch you included simply removes this feature entirely:
--- fetchmail-6.3.26/socket.c   2013-04-23 22:00:45.0 +0200
+++ socket.c2015-01-14 00:29:53.412608735 +0100
@@ -913,8 +913,6 @@
report(stderr, GT_(Your operating system does not 
support SSLv2.\n));
return -1;
 #endif
-   } else if(!strcasecmp(ssl3,myproto)) {
-   _ctx[sock] = SSL_CTX_new(SSLv3_client_method());
} else if(!strcasecmp(tls1,myproto)) {
_ctx[sock] = SSL_CTX_new(TLSv1_client_method());
} else if (!strcasecmp(ssl23,myproto)) {
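
Review bot: Dropping the ssl3 branch outright (the two removed lines between the SSLv2 #endif and the tls1 branch) leaves a user who explicitly sets the protocol to ssl3 with no dedicated diagnostic; the request now falls through to whatever the later branches do with a name they do not match. The SSLv2 case just above reports "Your operating system does not support SSLv2" and returns -1 from inside a preprocessor guard, and the same shape would fit here: keep the SSL_CTX_new(SSLv3_client_method()) call under a guard that is only compiled when libssl exports that symbol, and otherwise report the missing SSLv3 support and return -1. That avoids the relocation error without silently changing what an explicit ssl3 setting means.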

In the current git version of fetchmail, sslv3 is not negotiated by default, 
unless a user explicitly requests to do so. As such I'm not sure how useful 
this patch is as well.

Matthias, do you mind weighing in on this?

Thanks
Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#768843: [pkg-fetchmail-maint] Bug#768843: fetchmail: Improved TLS support

2014-11-10 Thread Nico Golde
Hi Kurt,
* Kurt Roeckx <k...@roeckx.be> [2014-11-09 17:12]:
> The attached patch improves fetchmail SSL/TLS support.  It seems
> to have some misunderstandings of openssl / SSL / TLS.

Thanks! I am checking back with upstream regarding this as I'm aware that 
Matthias also made changes related to this.

Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#765935: mktorrent: COPYRIGHT is misspelt as COPYRIGH in the man page

2014-10-19 Thread Nico Golde
Hi,
* Colin S. Miller <deb...@csmiller.demon.co.uk> [2014-10-19 13:45]:
> Dear Maintainer,
> In the man page,
> the section title COPYRIGHT is misspelt as COPYRIGH,
> i.e. it is missing the T.

Will change on the next upload, thanks!
Nico


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#754073: [pkg-fetchmail-maint] Bug#754073: fetchmailconf: Fetchmail does not start -- libBLT.2.4.so.8.6

2014-07-12 Thread Nico Golde
reassign 754073 blt
merge 751767 754073
thanks

* Jonás Andradas <j.andra...@gmail.com> [2014-07-07 12:03]:
> Package: fetchmailconf
> Version: 6.3.26-1
> Severity: grave
> Justification: renders package unusable
>
> Dear Maintainer,
>
> when trying to start fetchmailconf, the following error is found:
>
> ~$ fetchmailconf
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/dist-packages/fetchmailconf.py", line 8, in <module>
>     from Tkinter import *
>   File "/usr/lib/python2.7/lib-tk/Tkinter.py", line 42, in <module>
>     raise ImportError, str(msg) + ', please install the python-tk package'
> ImportError: libBLT.2.4.so.8.6: cannot open shared object file: No such file or directory, please install the python-tk package
>
> Package python-tk is installed, and blt too.  However the libBLT library
> present in the system is 2.5 instead of 2.4:
>
> ls: cannot access /usr/lib/libBLT.2.4.so.8.6: No such file or directory
>
> blt: /usr/lib/libBLT.2.5.so.8.6
>
> If this bug should not be associated with fetchmailconf but with python-tk,
> please, change it accordingly (if possible), or I will re-open it there.
>
> Thank you very much in advance,
>
> Best Regards,
>
> Jonás.
>
>
>
> -- System Information:
> Debian Release: jessie/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 3.12-1-686-pae (SMP w/4 CPU cores)
> Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages fetchmailconf depends on:
> ii  fetchmail  6.3.26-1
> ii  python     2.7.6-2
> ii  python-tk  2.7.7-2
>
> fetchmailconf recommends no packages.
>
> fetchmailconf suggests no packages.
>
> -- no debconf information
>
> ___
> pkg-fetchmail-maint mailing list
> pkg-fetchmail-ma...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-fetchmail-maint

-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#752598: [pkg-fetchmail-maint] Bug#752598: fetchmail: please run restorecon after creating directory from init script

2014-06-25 Thread Nico Golde
Hi,
* Russell Coker <russ...@coker.com.au> [2014-06-25 06:01]:
> When an init script creates a directory it needs to run restorecon to ensure
> that the correct SE Linux context is used.  I have attached a patch to do
> this.

Thanks, I'll include that in the next upload!

Cheers
Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#722382: Updating the Ruby packaging policy for your package «libstfl-ruby»

2014-01-16 Thread Nico Golde
Hi,
* Jonas Genannt <jonas.gena...@capi2name.de> [2014-01-16 12:39]:
> Hello stfl-Maintainer,
>
> during Ruby Sprint in Paris, we have created a patch for your package to fit
> the Ruby Debian policy.
>
> This patch removes Ruby 1.8 dependency and moves that package to gem2deb
> helper.
>
> Please include the patch to fix your package. Otherwise we can't remove ruby
> 1.8 from the archive.

Will include in the next upload.

Thanks!
Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0





Bug#733307: newsbeuter: segfaults frequently

2014-01-15 Thread Nico Golde
Hi,
* Martin Erik Werner <martinerikwer...@gmail.com> [2013-12-28 12:57]:
> Dear Maintainer,
> The current version of newsbeuter segfaults frequently at some stage in
> the feed refresh process. I remember it not doing that in some earlier
> version about a year ago or so (sorry for imprecise information there).

Just to let you know, upstream in the meantime was able to track down the
issue and a patch is ready. I was told there should be a new release soon,
which I'm waiting for. So this should be addressed soon[tm].

Cheers
Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#727553: binwalk maintenance

2014-01-09 Thread Nico Golde
Hey Leo,
are you still interested in maintaining binwalk?
This hasn't received an update for almost a year in Debian even though
updates from upstream are fairly frequent and a lot of features have been
added recently.

I would appreciate it if you could either update the package or seek
assistance.

Thanks
Nico

-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#733347: newsbeuter: please provide a dbg package

2013-12-28 Thread Nico Golde
Hi,
* Martin Erik Werner <martinerikwer...@gmail.com> [2013-12-28 19:14]:
> Dear Maintainer,
> It would be nice if newsbeuter provided a -dbg package, I've attached a
> quick patch for this. If it looks ok, please consider adding it.

Sounds like a good idea, will include this in the next upload.
Thanks!

Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#731382: Re[2]: Bug#731382: libpam-fprintd: do not show password if user enters one

2013-12-07 Thread Nico Golde
tags 731382 - security
thanks

Hi,
this is not a security issue by itself, thus removing the tag. Imho this 
should also not be a normal bug, but wishlist, but I'll leave that part to the 
maintainer.

Nico




Bug#731382: libpam-fprintd: do not show password if user enters one

2013-12-04 Thread Nico Golde
Hi,
* Shawn Landden <sh...@churchofgit.com> [2013-12-04 21:17]:
> Users are used to entering passwords at login prompts and the like.
> It would be nice if libpam-fprintd could swallow the input like
> password prompts do, instead of prominently displaying the user's password
> if they type it in.

I'm slightly confused by this report. Please note that I'm not the maintainer 
though. Given that you use libpam-fprintd, why would you enter a password in 
the first place if you authenticate using your fingerprint?
Or are you talking about the scenario in which fprint is used and a user
accidentally enters a password when there is no password prompt?

Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#724837: apt-xapian-index: unsafe polkit usage

2013-09-28 Thread Nico Golde
Package: apt-xapian-index
Severity: grave
Tags: security patch

Hi,
the following vulnerability was published for apt-xapian-index.

CVE-2013-1064[0]: (from Ubuntu USN)
| It was discovered that apt-xapian-index was using polkit in an unsafe
| manner. A local attacker could possibly use this issue to bypass intended
| polkit authorizations.

The patch from Ubuntu is attached.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1064
http://security-tracker.debian.org/tracker/CVE-2013-1064

Please adjust the affected versions in the BTS as needed.


-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Description: fix possible privilege escalation via policykit UID lookup race.
Author: Marc Deslauriers marc.deslauri...@canonical.com

Index: apt-xapian-index-0.45ubuntu2/update-apt-xapian-index-dbus
===
--- apt-xapian-index-0.45ubuntu2.orig/update-apt-xapian-index-dbus	2012-10-31 09:07:53.0 -0400
+++ apt-xapian-index-0.45ubuntu2/update-apt-xapian-index-dbus	2013-09-13 14:41:36.564345788 -0400
@@ -34,15 +34,8 @@
 /org/freedesktop/PolicyKit1/Authority, 
 org.freedesktop.PolicyKit1.Authority)
 policykit = dbus.Interface(obj, org.freedesktop.PolicyKit1.Authority)
-info = dbus.Interface(connection.get_object('org.freedesktop.DBus',
-  '/org/freedesktop/DBus/Bus', 
-  False), 
-  'org.freedesktop.DBus')
-pid = info.GetConnectionUnixProcessID(sender) 
-subject = ('unix-process', 
-   { 'pid' : dbus.UInt32(pid, variant_level=1),
- 'start-time' : dbus.UInt64(0, variant_level=1),
-   }
+subject = ('system-bus-name', 
+   { 'name': dbus.String(sender, variant_level = 1) }
   )
 details = { '' : '' }
 flags = dbus.UInt32(1) #   AllowUserInteraction = 0x0001
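Review bot: the new `subject = ('system-bus-name', ...` tuple has no comment saying why the bus name is passed instead of a pid, so a later cleanup could reintroduce the removed `GetConnectionUnixProcessID(sender)` lookup with its `'start-time'` fixed at 0. A one-line comment above the tuple tying it to the UID lookup race named in the patch description would prevent that. The spacing in `variant_level = 1` also differs from the `variant_level=1` style of the lines being removed, and the patch description does not name CVE-2013-1064, which the report asks to have in the changelog entry.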




Bug#724545: vino: CVE-2013-5745 denial of service via infinite loop

2013-09-24 Thread Nico Golde
Package: vino
Severity: grave
Tags: security

Hi,
the following vulnerability was published for vino.

CVE-2013-5745[0]:
| Persistent DoS Vulnerability in Vino VNC Server
| 
| This vulnerability is triggered when the user is required to enter a password.
| The server closes the client connection on receiving an unexpected input
| sequence from the client.
| 
| The unprocessed client data remains in the buffer; the server does not remove
| them from buffer since the client connection has been closed.
| The result is an infinite loop at the do-while (more_data_pending
| (rfb_client->sock)) in vino-server.c:415
| The gdm and vino-server processes together take up 100% CPU, causing denial of
| service (see screenshot).
| In our tests, the DOS is triggered when the same input sequence is replayed
| twice (see pcap).
| 
| vino-server.c:415 (vino 2.26.1):
| 407:vino_server_client_data_pending (GIOChannel   *source,
| 408: GIOCondition  condition,
| 409: rfbClientPtr  rfb_client)
| 410:{
| 411:  if (rfb_client->onHold)
| 412:return TRUE;
| 414:  do {
| 415:rfbProcessClientMessage (rfb_client);
| 416:  } while (more_data_pending (rfb_client->sock));
| 
| The original 2.26.1 binary, pcap and screenshot are attached with this email.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5745
http://security-tracker.debian.org/tracker/CVE-2013-5745
https://bugzilla.gnome.org/show_bug.cgi?id=641811

Please adjust the affected versions in the BTS as needed.

-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
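
The loop condition described in the report above, reduced to a small model. This is an added example, not vino's source: the struct, the function names, the message kinds and the iteration cap are assumptions. It contrasts the quoted loop shape with one possible guard that stops once the client has been closed.

```c
/* Added illustration: model of a drain loop shaped like the one quoted in
 * the report. Not vino's code; every name below is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SPIN_LIMIT 1000u  /* cap so the model terminates; the quoted loop has none */

enum msg { MSG_OK, MSG_UNEXPECTED };

struct client {
    const enum msg *queue;  /* constructed input: messages waiting in the buffer */
    size_t len, pos;        /* queue length and read position */
    bool closed;            /* server has closed this client's connection */
};

/* Data counts as pending while unread messages remain in the buffer. */
static bool more_data_pending(const struct client *c)
{
    return c->pos < c->len;
}

/* Process one message. An unexpected message closes the client and leaves
 * the rest of the buffer unread; a closed client is never read from again. */
static void process_client_message(struct client *c)
{
    if (c->closed || c->pos >= c->len)
        return;
    if (c->queue[c->pos] == MSG_UNEXPECTED) {
        c->closed = true;
        return;
    }
    c->pos++;
}

/* Loop shape from the report: driven only by "is data pending". Returns the
 * iteration count; SPIN_LIMIT means it would not have stopped on its own. */
static unsigned drain_unguarded(struct client *c)
{
    unsigned n = 0;
    do {
        process_client_message(c);
        n++;
    } while (more_data_pending(c) && n < SPIN_LIMIT);
    return n;
}

/* One possible guard (an assumption, not the upstream fix): stop as soon as
 * the client is closed, whatever is still sitting in the buffer. */
static unsigned drain_guarded(struct client *c)
{
    unsigned n = 0;
    do {
        process_client_message(c);
        n++;
    } while (!c->closed && more_data_pending(c) && n < SPIN_LIMIT);
    return n;
}

/* Run one drain over a constructed three-message queue. */
static unsigned run_model(bool guarded, bool with_unexpected)
{
    static const enum msg good[] = { MSG_OK, MSG_OK, MSG_OK };
    static const enum msg bad[]  = { MSG_OK, MSG_UNEXPECTED, MSG_OK };
    struct client c = { with_unexpected ? bad : good, 3, 0, false };
    return guarded ? drain_guarded(&c) : drain_unguarded(&c);
}

int main(void)
{
    printf("well-formed, unguarded: %u iterations\n", run_model(false, false));
    printf("unexpected,  unguarded: %u iterations (cap hit)\n", run_model(false, true));
    printf("unexpected,  guarded:   %u iterations\n", run_model(true, true));
    return 0;
}
```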




Bug#705007: E763: Word characters differ between spell files

2013-09-22 Thread Nico Golde
Hey Uwe,
is there any update to this bug? While the issue itself is fairly minor, this 
is a bit annoying in practice.

Thanks
Nico


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#713018: [pkg-fetchmail-maint] Bug#713018: Occasionally complains with fetchmail: socket error while fetching from...

2013-06-22 Thread Nico Golde
Hi,
* Kingsley G. Morse Jr. kings...@loaner.com [2013-06-21 23:39]:
 99% of the time, fetchmail seems to work A-OK for
 me.
 
 Thank you very much for maintaining it.
 
 A cron job ran fetchmail every minute for years.
 
 Maybe about soon after I upgraded some gnutls packages,
 about 1% of the times cron ran fetchmail, cron started
 sending me emails saying
 
 fetchmail: Connection errors for this poll:
 name 0: connection to mailserver:995 [1.2.3.4/995] failed: Connection 
 refused.
 POP3 connection to mailserver failed: Connection refused
 
 It happens with versions 6.3.22-2 and 6.3.26-1 of Debian's
 fetchmail package.
 
 I suspect it also happened with version 6.3.22-1.
 
 Running fetchmail as
 
 fetchmail -vvv  --nodetach --nosyslog
 
 sometimes reported
 
 fetchmail: running ssh %h /usr/sbin/imapd (host mailserver2 service 
 imap)
 fetchmail: socket error while fetching from kingsley@mailserver2
 fetchmail: Server CommonName mismatch: *.web_hosting_company_mail != 
 mailserver1

This sounds like http://www.fetchmail.info/fetchmail-FAQ.html#R6

Can you check this?

Cheers
Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0





Bug#709215: nitrogen: Please provide desktop file

2013-05-21 Thread Nico Golde
Hi,
* Andrew Starr-Bochicchio a...@debian.org [2013-05-21 19:03]:
 It would be nice if nitrogen provided a desktop file so that it can be found and
 opened through the menu system, not just from the command line.
 
 This patch was recently committed upstream:
 
 https://github.com/andrewsomething/nitrogen/commit/227ea7a82f698807df7ea038f6a0fd4febb77b75.patch

Will add in the next upload. Thanks!
Cheers
Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0





Bug#708515: keystone: CVE-2013-2014 DoS via large POST requests

2013-05-16 Thread Nico Golde
Package: keystone
Severity: grave
Tags: security patch

Hi,
the following vulnerability was published for keystone.

CVE-2013-2014[0]:
| Concurrent requests with large POST body can crash the keystone process.
| This can be used by Malicious and lead to DOS to Cloud Service Provider.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Upstream patch: https://review.openstack.org/#/c/22661/

Seems to be fixed for experimental in 2013.1-1.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2014
http://security-tracker.debian.org/tracker/CVE-2013-2014

-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#706644: untrusted input file might be harmful

2013-05-02 Thread Nico Golde
Hi,
* John Paul Adrian Glaubitz glaub...@physik.fu-berlin.de [2013-05-02 23:15]:
 The package has been orphaned in Debian since 2007 and abandoned by upstream at
 the same time since the upstream developer and Debian maintainer are the same
 person.
 
 Popcon shows just 113 installations and there are no reverse dependencies.
 
 I therefore suggest removing the package from testing due to its bad shape.

FWIW, I'm fine with that. The stuff is easy to address, but I lost interest in 
doing so.

Cheers
Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#706045: [pkg-fetchmail-maint] Bug#706045: help?

2013-04-26 Thread Nico Golde
Hi,
* Tomas Pospisek t...@sourcepole.ch [2013-04-25 11:29]:
 This bug being a RC blocker: is anyone of the fetchmail maintainers working on
 this bug (mimedecode option drops last message line if it is unterminated)?
 Shall I try to integrate the patch and do a NMU?
 *t

Feel free, otherwise I'll probably fix it next week. Sorry I'm traveling right 
now...

Cheers
Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#706041: O: tpp -- text presentation program

2013-04-23 Thread Nico Golde
Package: wnpp
Severity: normal

I intend to orphan the tpp package.

The package description is:
 Tpp stands for text presentation program and is an ncurses-based presentation
 tool. The presentation can be written with your favorite editor in a simple
 description format and then shown on any text terminal that is supported by
 ncurses - ranging from an old VT100 to the Linux framebuffer to an xterm.
 .
 It supports color, LaTeX output of presentation, sliding in text,
 a command prompt and additional cool features.

As I'm not using this anymore and my ruby is pretty rusty by now, I have no 
interest in maintaining this further.
There is one pending change being merged from a contributor that would address
the ncurses problems mentioned in the BTS.

https://github.com/akrennmair/tpp

Feel free to contribute here, Andreas is also happily merging pull requests.
But other than that, the project is not further developed.

Thanks
Nico





Bug#703738: [pkg-fetchmail-maint] Bug#703738: fetchmail: Dot at 1st column of any line cuts delivered message

2013-03-23 Thread Nico Golde
Hi,
* Pavel Vavra pla...@square.cz [2013-03-23 00:47]:
 Hallo maintainer,
 fetchmail breaks messages with '.' character at 1st column of mail body.
 It sometimes happens receiving mails from MS Outlook where line is
 wrapped just before last dot in a text paragraph. Affected message
 is cut to delivered and undelivered part. Cut position is at the
 described dot, start of message is delivered and the rest disappears.
 No error message is issued to user.
 
 How to reproduce this bug:
 No MS tools are necessary to simulate problem. You can simply compose
 a message similar to the following and send it as plain text to a mailserver.
 Then fetch this mail via fetchmail (tested with POP3 protocol) and show it.
 
 ---
 Sample message. This message wil be partially delivered.
 Cut point is here:
 ..
 This part of message will never be delivered by fetchmail
 ---
 
 Changing fetchmail to another package, e.g. mpop leads to delivery
 of whole message.

Can you show fetchmail -v of such a message fetch?
I can not reproduce this behaviour.

Cheers
Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#703632: Please update the package 'newsbeuter' to version 2.6

2013-03-21 Thread Nico Golde
Hi,
* Miś Uszatek adres.em...@ymail.com [2013-03-21 17:01]:
 Please update the package 'newsbeuter' to version 2.6.

This already happened, even though I just noticed I uploaded the package with 
my old key.. Expect an upload to pop up shortly...

Cheers
Nico
-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#702267: stunnel: CVE-2013-1762 buffer overflow in TLM authentication of the CONNECT protocol negotiation

2013-03-04 Thread Nico Golde
Package: stunnel
Severity: grave
Tags: security

Hi,
the following vulnerability was published for stunnel.

Please see https://www.stunnel.org/CVE-2013-1762.html for details.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1762
http://security-tracker.debian.org/tracker/CVE-2013-1762

Please adjust the affected versions in the BTS as needed.


-- 
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0




Bug#701838: sudo: CVE-2013-1775 authentication bypass when clock is reset

2013-02-27 Thread Nico Golde
Package: sudo
Severity: grave
Tags: security

Hi,
the following vulnerability was published for sudo.

CVE-2013-1775[0]:
(from the upstream report)

Sudo 1.8.6p7 and 1.7.10p7 are now available which include a fix
for the following bug:

Sudo authentication bypass when clock is reset

Summary:
When a user successfully authenticates with sudo, a time stamp
file is updated to allow that user to continue running sudo
without requiring a password for a preset time period (five
minutes by default).  The user's time stamp file can be reset
using sudo -k or removed altogether via sudo -K.

A user who has sudo access and is able to control the local
clock (common in desktop environments) can run a command via
sudo without authenticating as long as they have previously
authenticated themselves at least once by running sudo -k and
then setting the clock to the epoch (1970-01-01 01:00:00).

The vulnerability does not permit a user to run commands other
than those allowed by the sudoers policy.

Sudo versions affected:
Sudo 1.6.0 through 1.7.10p7 and sudo 1.8.0 through 1.8.6p7.

Details:
By default, sudo displays a lecture when the user's time stamp
file is not present.  In sudo 1.6, the -k option was changed
to reset the time stamp file to the epoch rather than remove
it to prevent the lecture from being displayed the next time
sudo was run.  No special case was added for handling a time
stamp file set to the epoch since the clock should never
legitimately be set to that value.

However, there are two common ways for the clock to be reset
to the epoch.  The first way is when the clock is reset due to
a fully drained battery on some systems.  The other way is by
a user logged in to a desktop environment that allows changes
to the date and time.

As long as the user has successfully run sudo before, they are
able to run sudo -k to reset the time stamp file.  This action
does not require a password and is not logged.  If the user is
also able to reset the date and time to the epoch (1970-01-01
01:00:00), they will be able to run sudo without having to
authenticate.

Impact:
The flaw may allow someone with physical access to a machine
that is not password-protected to run sudo commands without
knowing the logged in user's password.  On systems where sudo
is the principal way of running commands as root, such as on
Ubuntu and Mac OS X, there is a greater chance that the logged
in user has run sudo before and thus that an attack would
succeed.

Fix:
The bug is fixed in sudo 1.8.6p7 and 1.7.10p7.  These versions
will ignore a time stamp file that is set to the epoch.

Workaround:
Using sudo -K instead of sudo -k will completely remove the
time stamp file instead of just resetting it.

Credit:
I'd like to thank Marco Schoepl for finding and reporting this
long-standing bug.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775
http://security-tracker.debian.org/tracker/CVE-2013-1775
Please adjust the affected versions in the BTS as needed.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
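
A simplified model of the time stamp check the advisory above describes, added here as an illustration and not taken from sudo's source. The `ticket` struct, the function names and the constructed login time are assumptions; it contrasts a check that only looks at the stamp's age with one that ignores a stamp set to the epoch, and shows the `-K` workaround.

```c
/* Added illustration: simplified model of a sudo-style time stamp ticket.
 * Not sudo's code; all names and the structure are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

#define TICKET_TIMEOUT (5 * 60)               /* "five minutes by default" */
#define LOGIN_TIME ((time_t)1361923200)       /* constructed: 2013-02-27 00:00:00 UTC */

struct ticket {
    bool   exists;  /* time stamp file is present */
    time_t mtime;   /* its modification time */
};

/* A successful password authentication updates the stamp to "now". */
static void ticket_update(struct ticket *t, time_t now)
{
    t->exists = true;
    t->mtime = now;
}

/* sudo -k: reset the stamp to the epoch but keep the file. */
static void ticket_reset_k(struct ticket *t)
{
    if (t->exists)
        t->mtime = 0;
}

/* sudo -K: remove the stamp file altogether. */
static void ticket_remove_K(struct ticket *t)
{
    t->exists = false;
    t->mtime = 0;
}

/* Age-only check: a stamp is accepted when it is at most TICKET_TIMEOUT
 * seconds older than the current clock. The epoch is not special-cased. */
static bool ticket_valid_unpatched(const struct ticket *t, time_t now)
{
    if (!t->exists || now < t->mtime)
        return false;
    return (now - t->mtime) <= TICKET_TIMEOUT;
}

/* Check with the fix the advisory describes: a stamp set to the epoch is
 * ignored, so the password prompt is shown regardless of the clock. */
static bool ticket_valid_patched(const struct ticket *t, time_t now)
{
    if (t->exists && t->mtime == 0)
        return false;
    return ticket_valid_unpatched(t, now);
}

/* Authenticate once at LOGIN_TIME, invalidate with -k or -K, then ask
 * whether a later sudo run at clock_after would skip the password prompt. */
static bool password_skipped(bool use_remove, time_t clock_after, bool patched)
{
    struct ticket t = { false, 0 };
    ticket_update(&t, LOGIN_TIME);
    if (use_remove)
        ticket_remove_K(&t);
    else
        ticket_reset_k(&t);
    return patched ? ticket_valid_patched(&t, clock_after)
                   : ticket_valid_unpatched(&t, clock_after);
}

int main(void)
{
    printf("-k, normal clock, age-only check:   %d\n",
           password_skipped(false, LOGIN_TIME + 60, false));
    printf("-k, clock at epoch, age-only check: %d\n",
           password_skipped(false, (time_t)60, false));
    printf("-k, clock at epoch, epoch ignored:  %d\n",
           password_skipped(false, (time_t)60, true));
    printf("-K, clock at epoch, age-only check: %d\n",
           password_skipped(true, (time_t)60, false));
    return 0;
}
```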




Bug#701839: sudo: CVE-2013-1776 potential bypass of sudo tty_tickets constraints

2013-02-27 Thread Nico Golde
 1.8.6 and 1.7.10, if a password was
required when the -n flag was specified the failure would not
be logged, allowing the program to perform such probes without
being detected.  The successful command (if any), would still
be logged.

Fix:
The bug is fixed in sudo 1.8.6p7 and 1.7.10p6.

Credit:
Ryan Castellucci brought the initial ttyname() issue to my
attention.  Subsequently, James Ogden discovered that using
setsid() to create a new session would cause sudo to fall back
to using ttyname().

Other shortcomings in sudo's tty_tickets functionality have
been known and discussed openly for some time.  There is a long
discussion about them at:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/87023



If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776
http://security-tracker.debian.org/tracker/CVE-2013-1776
Please adjust the affected versions in the BTS as needed.


-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0




Bug#700102: openssh: CVE-2010-5107 trivial DoS due to default configuration

2013-02-08 Thread Nico Golde
Package: openssh-server
Severity: important
Tags: security patch

Hi,
the following vulnerability was published for openssh-server.

CVE-2010-5107[0]:
http://www.openwall.com/lists/oss-security/2013/02/06/5

This resulted in the following upstream changes:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

It would be also great if you could push this to stable-proposed-updates so 
this is changed for wheezy.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5107
http://security-tracker.debian.org/tracker/CVE-2010-5107

Please adjust the affected versions in the BTS as needed.

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0




Bug#699425: [pkg-fetchmail-maint] Bug#699425: Fetchmail's resolvconf update script can be simplified

2013-01-31 Thread Nico Golde
severity 699425 wishlist
thanks

* Thomas Hood jdth...@gmail.com [2013-01-31 11:25]:
 Package: fetchmail
 Version: 6.3.22-2
 Severity: minor
 
 Fetchmail's resolvconf update script
 (/etc/resolvconf/update-libc.d/fetchmail) can be simplified.

While I appreciate patches in general, I don't see the bug in this case. 
Hence downgrading.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0





Bug#697595: O: openbox -- standards compliant, fast, light-weight, extensible window manager

2013-01-07 Thread Nico Golde
Package: wnpp
Severity: normal

I intend to orphan the openbox package.

The package description is:
 Openbox works with your applications, and makes your desktop easier to manage.
 This is because the approach to its development was the opposite of what seems
 to be the general case for window managers.  Openbox was written first to
 comply with standards and to work properly.  Only when that was in place did
 the team turn to the visual interface.
 .
 Openbox is fully functional as a stand-alone working environment, or can be
 used as a drop-in replacement for the default window manager in the GNOME or
 KDE desktop environments.
 .
 Openbox 3 is a completely new breed of window manager.  It is not based upon
 any existing code base, although the visual appearance has been based upon
 that of Blackbox.  Openbox 2 was based on the Blackbox 0.65.0 codebase.
 .
 Some of the things to look for in Openbox are:
 .
  * ICCCM and EWMH compliance!
  * Very fast
  * Chainable key bindings
  * Customizable mouse actions
  * Window resistance
  * Multi-head Xinerama support!
  * Pipe menus

I repeatedly asked for help (RFH) with little to no effect. Also Daniel Baumann
raised interest to take over the package before I orphan it, but never stepped up
and did so.

Someone please give this package some love, I do no longer feel responsible for 
it and I also do not use openbox anymore.

Cheers
Nico





Bug#671530: tpp: does not work with ruby 1.9

2013-01-06 Thread Nico Golde
Hi,
* Per Andersson avtob...@gmail.com [2012-05-04 22:48]:
 I have tried running tpp with the pending upload of
 ruby-ncurses 1.3.1-1, which has wide character support (ncursesw), and
 ruby 1.9. With this setup tpp does not respond to keyboard input.
 Running tpp with ruby 1.8 and the pending ruby-ncurses upload works
 fine.
 
 I expected tpp to respond to user keyboard input with ruby 1.9 as it
 does with ruby 1.8.

Can you please tell me the exact steps to reproduce this?
I can't seem to reproduce it with ruby 1.9.3p194 and ruby-ncurses 1.3.1.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0




Bug#671540: tpp: please update to gem2deb packaging

2013-01-06 Thread Nico Golde
Hi,
* Per Andersson avtob...@gmail.com [2012-05-04 23:45]:
 The Debian Ruby Team is working on transition to gem2deb packaging [0].
 All ruby packages should follow the guidelines [1] for a more consistent
 user experience with ruby packages in Debian.
 
 
 Necessary changes are as follows:
 
 
 debian/compat:
 7
 
 
 debian/control:
 Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.2.13~), dpatch (>= 1.11)
 XS-Ruby-Versions: 1.8
 
 XB-Ruby-Versions: ${ruby:Versions}
 Depends: ruby1.8, ruby-ncurses
 
 
 debian/rules:
 #!/usr/bin/make -f
 %:
   dh $@ --buildsystem=ruby --with ruby

I have been ignoring this for too long. I will fix this with a new upload 
soon.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0




Bug#697251: gnupg2: gnupg key import memory corruption

2013-01-05 Thread Nico Golde
Hi,
* Eric Dorland e...@debian.org [2013-01-05 14:02]:
 * Thijs Kinkhorst (th...@debian.org) wrote:
  On Fri, January 4, 2013 11:39, Thijs Kinkhorst wrote:
   On Thu, January 3, 2013 04:19, Christoph Anton Mitterer wrote:
   This is a follow up for #697108 and CVE-2012-6085.
  
   Eric,
  
   Thanks for fixing this in unstable. Can you also provide an update for
   stable-security? Let me know if you prefer that we handle it.
  
  As a heads up, I plan to work on DSA's for gnupg{,2} this weekend, I'll
  apply the patch from the unstable upload, unless you object.
 
 Attached is the debdiff for the stable security update. A little
 bigger than one might want, but it wouldn't build with removing some
 of this cruft. Let me know if it's ok and I'll upload it.

I can live with that cruft, please go ahead and upload. Thanks!

Nico




Bug#696161: unblock: fetchmail/6.3.22-2

2012-12-28 Thread Nico Golde
Hi,
* Julien Cristau jcris...@debian.org [2012-12-28 18:12]:
 Control: tags -1 moreinfo
 
 On Mon, Dec 17, 2012 at 13:16:13 +0100, Nico Golde wrote:
 
  Package: release.debian.org
  Severity: normal
  User: release.debian@packages.debian.org
  Usertags: freeze-exception
  
  Hi,
  please unblock fetchmail. The version in unstable contains two minor changes.
  One fixing a memory leak under certain use cases (#688015) and a command line
  option combination that did not work as intended (#671294).
  
 Err, no, it contains a new upstream release.

What are you referring to? The upstream release was made after these patches 
have been picked and the package has been uploaded.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0





Bug#696161: unblock: fetchmail/6.3.22-2

2012-12-28 Thread Nico Golde
Hi,
* Salvatore Bonaccorso car...@debian.org [2012-12-28 19:19]:
 On Fri, Dec 28, 2012 at 06:46:40PM +0100, Nico Golde wrote:
  Hi,
  * Julien Cristau jcris...@debian.org [2012-12-28 18:12]:
   Control: tags -1 moreinfo
   
   On Mon, Dec 17, 2012 at 13:16:13 +0100, Nico Golde wrote:
   
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception

Hi,
please unblock fetchmail. The version in unstable contains two minor changes.
One fixing a memory leak under certain use cases (#688015) and a command line
option combination that did not work as intended (#671294).

   Err, no, it contains a new upstream release.
  
  What are you referring to? The upstream release was made after these patches
  have been picked and the package has been uploaded.
 
 The problem here is in testing we have 6.3.21-4 and unstable has
 6.3.22-2. The debdiff between the two versions seems quite big to
 review (but a lot of autogenerated stuff?):
[...] 
Oh that's a good point, I didn't notice that earlier. Ok, I will push to spu 
later.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0





Bug#696161: unblock: fetchmail/6.3.22-2

2012-12-17 Thread Nico Golde
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception

Hi,
please unblock fetchmail. The version in unstable contains two minor changes.
One fixing a memory leak under certain use cases (#688015) and a command line
option combination that did not work as intended (#671294).

unblock: fetchmail/6.3.22-2

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#688015: [pkg-fetchmail-maint] Bug#688015: memory leak

2012-12-09 Thread Nico Golde
Hi,
* Dominik dominiks.m...@gmx.net [2012-12-09 14:01]:
 I can confirm the issue reported by Erik.
 
 My .fetchmailrc contains 8 blocks like this:
 
  server pop.example.com
  proto pop3
  user username
  pass pw
  mda /usr/bin/procmail
  options ssl fetchall no keep
 
 So I'm fetching the remote E-Mails via POP3 SSL on my server.
 
 The fetchmail process is running 24/7.
 After around 1 month the fetchmail process is at nearly 200MB memory usage.
 After around 2-3 month ~400MB.
 
 When starting the fetchmail process there are ~6 MB memory allocated.
 
 So the only thing I can say at the moment is that fetchmail is consuming more 
 memory the longer it runs, without a normal reason for this.
 I have also tested version 6.3.22-1 = it shows the same behavior.

Can you let fetchmail run with valgrind over a longer time? I'm really not 
sure how to reproduce this. I have fetchmail instances running 24/7 since 
months with around 6MB RAM being used in daemon mode.

Also what platform is this?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0





Bug#694935: unblock: openbox/3.5.0-6

2012-12-02 Thread Nico Golde
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception

Hi,
please unblock openbox. The version in unstable contains a minor change fixing 
an RC bug which causes installations/upgrades to fail (#694396).

unblock: openbox/3.5.0-6

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#693608: yui: multiple cross-site scripting issues in the flash component infrastructure

2012-11-18 Thread Nico Golde
Package: yui
Severity: grave
Tags: security

Hi,
the following vulnerabilities were published for yui.

CVE-2012-5883[0]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x
| and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and
| 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web
| script or HTML via vectors related to swfstore.swf, a similar issue to
| CVE-2010-4209.

CVE-2012-5882[1]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.5.0 through 2.9.0 allows remote attackers to
| inject arbitrary web script or HTML via vectors related to
| uploader.swf, a similar issue to CVE-2010-4208.

CVE-2012-5881[2]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.4.0 through 2.9.0 allows remote attackers to
| inject arbitrary web script or HTML via vectors related to charts.swf,
| a similar issue to CVE-2010-4207.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5883
http://security-tracker.debian.org/tracker/CVE-2012-5883
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5882
http://security-tracker.debian.org/tracker/CVE-2012-5882
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5881
http://security-tracker.debian.org/tracker/CVE-2012-5881
http://yuilibrary.com/support/20121030-vulnerability/

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0




Bug#693116: ii: Homepage URL in package description is incorrect.

2012-11-13 Thread Nico Golde
Hi,
* Simon Kainz si...@familiekainz.at [2012-11-13 10:13]:
 the new Homepage URL is http://tools.suckless.org/ii/

Thanks for noticing. Will be fixed in the next upload.
Cheers
Nico




Bug#692737: suckless-tools: newer slock versions prevents unwanted exposure of passwords

2012-11-09 Thread Nico Golde
Hi,
* Vasudev Kamath kamathvasu...@gmail.com [2012-11-08 19:13]:
  this package has not updated any of the tools included since two years.
  Please package newer tools, especially but most important slock.
 
 As per the freeze policy I can't really introduce new things into Wheezy
 so I didn't consider putting new versions into 38-2. I'm preparing 39
 version with all bugs closed and latest version of software but it will
 not be in wheezy and will be backported once wheezy is stable.

Sure, I'm not worried about wheezy too much.

  The current version of slock has no indication whatsoever that a screen lock is active.
  After a longer idle period of the display, it is therefore impossible to distinguish
  between a locked screen and an inactive screen. As a result, it is not too difficult to
  write your password somewhere you don't want to because you assumed the screen was locked.
  Hence I marked this as grave, this happened to me multiple times.
  
  Newer slock versions have a color indication once you hit the first key on the keyboard
  that shows you that the lock is active.
 
 But If I understand correctly it is not a bug but that is how slock was
 designed previously and patch was later submitted to colourise and give
 more features to slock which was later merged by Anselm to prepare 1.1
 version. So can you please reconsider on the severity of the bug?

Well yeah, if you look at it like that, it's more a feature request. However 
if you consider the security nature of this program, I rather consider this as 
hardening or even a bug given that this is not a hypothetical scenario but one 
that happens often (and certainly not only to me).

 Now coming to the colourising feature are you talking about this
 specific commit[1] or all the 3 new patches from the tip? If this is the
 single patch you meant then I will try to cherrypick it but again I
 don't know new unblock request will be entertained by release team [2]

I'm not sure to be honest. I've seen the new dualcolor patch in the recent 
tip, but that's not the one I had in mind, I haven't tested this one yet.
The one that initially implemented this in March was:
http://hg.suckless.org/slock/rev/0eade055cef0

 PS: I will be on vacation for a week from tomorrow so I'm really not
 sure if I will be able to finish this package soon. If you can prepare
 an NMU I'll be happy with that :-). Only thing is I don't want package
 to be removed from Wheezy because multiple packages depend on it.

No worries :)

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0




Bug#692737: suckless-tools: newer slock versions prevents unwanted exposure of passwords

2012-11-08 Thread Nico Golde
Package: suckless-tools
Version: 38-2
Severity: grave
Justification: user security hole


Hey,
this package has not updated any of the tools included since two years.
Please package newer tools, especially but most important slock.

The current version of slock has no indication whatsoever that a screen lock is active.
After a longer idle period of the display, it is therefore impossible to distinguish
between a locked screen and an inactive screen. As a result, it is not too difficult to
write your password somewhere you don't want to because you assumed the screen was locked.
Hence I marked this as grave, this happened to me multiple times.

Newer slock versions have a color indication once you hit the first key on the keyboard
that shows you that the lock is active.

Kind regards
Nico


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#691642: xterm: outputting the mc5 sequence (prtr_on / turn on printer) makes xterm crash

2012-10-28 Thread Nico Golde
Hi,
* Vincent Lefevre vinc...@vinc17.net [2012-10-28 00:11]:
 When cat'ing some binary file, my xterm crashed. I've managed to find
 the cause: the mc5 terminfo sequence (prtr_on / turn on printer). The
 problem can be reproduced with:
 
 1. Run xterm from another terminal.
 2. Run the following command:
  printf "\033[5i"
or
  tput mc5
The message "sh: 1: : Permission denied" appears in the first
terminal.

I can't reproduce this with xterm 278-2 on amd64.
[...] 

 In addition to possible data loss due to the crash, this is a security
 problem, because the sequence may appear in a remote file.

Sorry, I couldn't parse this sentence. What exactly are the security 
implications? So far I don't see how this qualifies for a security bug.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0





Bug#691642: xterm: outputting the mc5 sequence (prtr_on / turn on printer) makes xterm crash

2012-10-28 Thread Nico Golde
tags 691642 - security
thanks

Hi,
* Vincent Lefevre vinc...@vinc17.net [2012-10-28 13:32]:
 On 2012-10-28 11:37:58 +0100, Nico Golde wrote:
[...] 
   In addition to possible data loss due to the crash, this is a security
   problem, because the sequence may appear in a remote file.
  
  Sorry, I couldn't parse this sentence. What exactly are the security 
  implications? So far I don't see how this qualifies for a security bug.
 
 If some external data (because they contain some unexpected byte
 sequence) make a local program crash (so that user data are lost),
 that's a security bug. Just like when you have a bug in the image
 decoder used by your web browser that makes it crash on some image
 files.

That was exactly my point, this is not treated as a security bug in Debian, 
but a regular bug.

Cheers
Nico




Bug#689990: wpa: CVE-2012-4445 denial of service

2012-10-09 Thread Nico Golde
Hi,
* Stefan Lippers-Hollmann s@gmx.de [2012-10-08 23:37]:
 On Monday 08 October 2012, Nico Golde wrote:
  Package: wpa
  Severity: grave
  Tags: security patch
  
  Hi,
  the following vulnerability was published for hostapd.
  
  CVE-2012-4445[0]:
  | Timo Warns discovered that the internal authentication server of hostapd,
  | a user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator,
  | is vulnerable to a buffer overflow when processing fragmented EAP-TLS
  | messages.  As a result, an internal overflow checking routine terminates
  | the process.  An attacker can abuse this flaw to conduct denial of service
  | attacks via crafted EAP-TLS messages prior to any authentication.
  
  If you fix the vulnerability please also make sure to include the
  CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
  
  Please also ask for an unblock on -release after fixing this issue so it
  will be picked up for wheezy.
  
  The patch I used for the DSA: 
  http://people.debian.org/~nion/nmu-diff/hostapd-0.6.10-2_0.6.10-2+squeeze1.patch
  
  For further information see:
  
  [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4445
  http://security-tracker.debian.org/tracker/CVE-2012-4445
 
 Thanks a lot, I found that one[1] after receiving the ftp-master accept
 already, I'll try to contact a potential sponsor for [2] within the 
 next few hours.

Uploaded :)

Thanks!
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0





Bug#689990: wpa: CVE-2012-4445 denial of service

2012-10-08 Thread Nico Golde
Package: wpa
Severity: grave
Tags: security patch

Hi,
the following vulnerability was published for hostapd.

CVE-2012-4445[0]:
| Timo Warns discovered that the internal authentication server of hostapd,
| a user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator,
| is vulnerable to a buffer overflow when processing fragmented EAP-TLS
| messages.  As a result, an internal overflow checking routine terminates
| the process.  An attacker can abuse this flaw to conduct denial of service
| attacks via crafted EAP-TLS messages prior to any authentication.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Please also ask for an unblock on -release after fixing this issue so it will
be picked up for wheezy.

The patch I used for the DSA: 
http://people.debian.org/~nion/nmu-diff/hostapd-0.6.10-2_0.6.10-2+squeeze1.patch

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4445
http://security-tracker.debian.org/tracker/CVE-2012-4445


-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0




Bug#689657: yacpi: Always shows empty batteries on Thinkpad T61

2012-10-04 Thread Nico Golde
Hi,
* Axel Beckert a...@debian.org [2012-10-04 22:12]:
 on my Thinkpad T61 running Wheezy, yacpi always shows
 
 BAT0 Capacity [ ]  0%
 
 despite acpi says "Battery 0: Unknown, 99%" and acpi -V says
 "Battery 0: design capacity 6749 mAh, last full capacity 5916 mAh =
 87%".
 
 Same counts for a second battery which can be inserted instead of the
 CD-ROM. It always shows 0% despite the battery is not completely empty.
 
 The remainder of what yacpi displays on that box seems to be correct.

This is a known problem by libacpi #484264.
Since you are not the first to notice this, I will not reassign the bug and 
leave this open.
I hope I have time soon to look into these issues. To be honest, I got 
demotivated following constant kernel changes so I didn't touch this code in a 
long time.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0





Bug#689225: newsbeuter : fails to build in unstable

2012-09-30 Thread Nico Golde
forwarded 689225 http://code.google.com/p/newsbeuter/issues/detail?id=303
thanks

Hi,
* Julian Taylor jtaylor.deb...@googlemail.com [2012-09-30 16:52]:
 Package: newsbeuter
 Severity: important
 
 newsbeuter fails to build in unstable. For some reason testing is not
 affected.
 
 c++ -ggdb -Iinclude -Istfl -Ifilter -I. -Irss -Wall -Wextra
 -DLOCALEDIR=\/usr/share/locale\   -I/usr/include/libxml2
 -I/usr/include/json   -I/usr/include/ncursesw -I/usr/include/p11-kit-1
  -DHAVE_GCRYPT=1 -o src/ttrss_api.o -c src/ttrss_api.cpp
 src/ttrss_api.cpp: In member function 'rsspp::feed
 newsbeuter::ttrss_api::fetch_feed(const string)':
 src/ttrss_api.cpp:223:3: error: 'boolean' was not declared in this scope
 src/ttrss_api.cpp:223:11: error: expected ';' before 'unread'
 src/ttrss_api.cpp:238:7: error: 'unread' was not declared in this scope
 make[1]: *** [src/ttrss_api.o] Error 1

Thanks for the report. This is due to a change in libjson. I wrote a patch and 
submitted it upstream, new Debian package is on its way...

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0




Bug#688015: [pkg-fetchmail-maint] Bug#688015: memory leak

2012-09-18 Thread Nico Golde
Hi,
* Erik Thiele erik.thi...@thiele-hydraulik.de [2012-09-18 09:48]:
[...] 
 how can I further supply information on this issue? It is a production
 machine, but maybe I can somehow help find the cause of the issue
 anyway? Or is that memory leakage a known issue?

This is not known to me at least. Unfortunately the logs don't show that 
fetchmail had memory issues. The kernel randomly starts killing processes 
(depending on your policy) if no memory can be allocated anymore.
Could you log the virtual memory usage of specifically fetchmail?
Also, it may be interesting to see what running fetchmail with valgrind on 
your end produces. Can you test that?

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0




Bug#687935: reject -security-announce mails with duplicate DSA ids in the subject

2012-09-17 Thread Nico Golde
Package: lists.debian.org
Severity: wishlist

Hi,
it is a known issue that sometimes DSA ids are reused on 
debian-security-announce due to human race conditions or not paying enough 
attention. Also this was recently discussed again on the security list[0].

There is already some sanity checking on the body of the DSA mail and a 
signature check as far as I know. Is it feasible to reject mails as well if 
they use a previously allocated DSA id?
I would imagine this may be problematic as all current checks can be performed 
solely by looking at the incoming email instead of looking at the archive.
Nonetheless, as there have been more than 20 reuses in the last years, I 
thought I'd ask if this is possible in the first place.

[0] http://lists.debian.org/debian-security/2012/09/msg00016.html

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0




Bug#687512: please update the security team's gpg key information

2012-09-13 Thread Nico Golde
Package: www.debian.org
Severity: grave

Hi,
the Debian security team is using a new gpg key. Can you update 
http://www.debian.org/security/faq to reflect the new key?
Instead of 0x68B64E0D, the new key is 0x90F8EEC5.

Also see http://lists.debian.org/debian-security-announce/2012/msg00189.html
for reference.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0




Bug#687166: [pkg-ntp-maintainers] Bug#687166: ntp: NTP security vulnerability because not using authentication by default

2012-09-11 Thread Nico Golde
Hi,
* Ask Bjørn Hansen a...@ntppool.org [2012-09-11 01:01]:
 On Sep 10, 2012, at 15:07, Kurt Roeckx k...@roeckx.be wrote:
 [...]
  So my understanding of things is that even if we also had
  a way to distribute all the public keys, you still can't
  get it to work as you need to provide each client with
  a secret key.
  
  I think what first needs to be done is have an autokey
  implementation that either doesn't need a private key for
  each client but is secure or doesn't need state on the
  server side for each client.
 
 Indeed; I thought ntpd had a public key encryption scheme where we just need 
 the secret key on the server[1] and the public key can be general for all 
 Debian users.  (I think that's the 'autokey' scheme -- the 
 trustedkey/requestkey stuff is where you share a secret between client and 
 server).

That was my understanding as well. At least the documentation states:
"key pairs are used where establishing shared secrets is difficult. The
autokey mechanism uses key pairs.."

Cheers
Nico




Bug#687274: CVE-2012-4405 integer overflow leading to heap based buffer overflow in embedded icclib

2012-09-11 Thread Nico Golde
Package: ghostscript
Severity: grave
Tags: security patch

Hi,
the following vulnerability was published for ghostscript.

Quoting from the original report, as the mitre entry does not exist so far..
CVE-2012-4405[0]:
| An array index error leading to heap-based buffer out-of-buffer bounds write
| flaw was found in the way International Color Consortium (ICC) Format library
| (aka icclib) as used in Ghostscript and Argyll Color Management System computed
| dimensional increment through the clut based on the count of input channels.
| Using specially-crafted ICC profiles, an attacker could create a malicious
| PostScript or PDF file with embedded images which would cause Ghostscript to
| crash or, potentially, execute arbitrary code when opened by the victim.
| Similarly when such specially-crafted ICC profile was inspected by some of the
| Argyll Color Management System tools it could lead to particular executable
| crash or, arbitrary code execution with the privileges of the user running the


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4405
http://security-tracker.debian.org/tracker/CVE-2012-4405

Patch: https://bugzilla.redhat.com/attachment.cgi?id=609986

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0




Bug#687327: unblock: freeradius/2.1.12+dfsg-1.1

2012-09-11 Thread Nico Golde
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception

Hi,
please unblock freeradius. The version in unstable contains an isolated fix for 
CVE-2012-3547.

unblock: freeradius/2.1.12+dfsg-1.1

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#687175: freeradius: CVE-2012-3547 stack-based buffer overflow in EAP-TLS handling

2012-09-10 Thread Nico Golde
Package: freeradius
Severity: grave
Tags: security

Hi,
the following vulnerability was published for freeradius.

CVE-2012-3547[0]:
| PRE-CERT Security Advisory
| ==========================
| 
| * Advisory: PRE-SA-2012-06
| * Released on: 10 September 2012
| * Affected product: FreeRADIUS 2.1.10 - 2.1.12
| * Impact: remote code execution
| * Origin: specially crafted client certificates
| * CVSS Base Score: 10
| Impact Subscore: 10
| Exploitability Subscore: 10
|   CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
| * Credit: Timo Warns (PRESENSE Technologies GmbH)
| * CVE Identifier: CVE-2012-3547
| 
| 
| Summary
| -------
| 
| A stack overflow vulnerability has been identified in FreeRADIUS that allows to
| remotely execute arbitrary code via specially crafted client certificates
| (before authentication). The vulnerability affects setups using TLS-based EAP
| methods (including EAP-TLS, EAP-TTLS, and PEAP).
| 
| FreeRADIUS defines a callback function cbtls_verify() for certificate
| verification. The function has a local buf array with a size of 64
| bytes. It copies the validity timestamp "not after" of a client
| certificate to the buf array:
| 
| asn_time = X509_get_notAfter(client_cert);
| if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) {
|     memcpy(buf, (char*) asn_time->data, asn_time->length);
|     buf[asn_time->length] = '\0';
| 
| The MAX_STRING_LEN constant is defined to be 254. If asn_time->length is
| greater than 64 bytes, but less than 254 bytes, buf overflows via the memcpy.
| 
| Depending on the stack layout chosen by the compiler, the vulnerability allows
| to overflow the return address on the stack, which can be exploited for code
| execution.
| 
| 
| Solution
| --------
| 
| The issue has been fixed in FreeRADIUS 2.2.0. Updates should be installed as
| soon as possible.
| 
| 
| References
| ----------
| 
| When further information becomes available, this advisory will be
| updated. The most recent version of this advisory is available at:
| 
| http://www.pre-cert.de/advisories/PRE-SA-2012-06.txt

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3547
http://security-tracker.debian.org/tracker/CVE-2012-3547

Cheers
Nico
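
The length test quoted in the advisory above, set beside a check sized to the destination buffer, as an added example (not FreeRADIUS code and not the actual 2.2.0 fix). The struct and function names are hypothetical; only the values 64 and 254 come from the advisory, and the sample timestamps are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN   254  /* value stated in the advisory */
#define NOTAFTER_BUF_LEN 64   /* size of the local buf stated in the advisory */

/* Hypothetical stand-in for the length/data pair of an ASN.1 time string. */
struct asn1_time_view {
    int length;
    const unsigned char *data;
};

/* The length test as quoted in the advisory: it compares against
 * MAX_STRING_LEN, not against the destination size. Returns 1 if that
 * test would let the copy proceed. No copy is performed here. */
int quoted_check_accepts(const struct asn1_time_view *t)
{
    return t != NULL && t->length < MAX_STRING_LEN;
}

/* Returns 1 when the quoted test accepts a length that a 64-byte buffer
 * cannot hold together with its NUL terminator. */
int quoted_check_overflows(const struct asn1_time_view *t)
{
    return quoted_check_accepts(t) &&
           (t->length < 0 || (size_t)t->length >= NOTAFTER_BUF_LEN);
}

/* Bounded copy: the limit is derived from the destination buffer and
 * leaves room for the terminator. Returns bytes copied, or -1 if rejected. */
int copy_not_after(char *dst, size_t dst_len, const struct asn1_time_view *t)
{
    if (dst == NULL || dst_len == 0 || t == NULL || t->data == NULL)
        return -1;
    if (t->length < 0 || (size_t)t->length >= dst_len)
        return -1;
    memcpy(dst, t->data, (size_t)t->length);
    dst[t->length] = '\0';
    return t->length;
}

/* Constructed sample input: a timestamp field of the requested length. */
static unsigned char sample_bytes[256];

static struct asn1_time_view make_sample(int len)
{
    struct asn1_time_view t;
    memset(sample_bytes, '9', sizeof(sample_bytes));
    t.length = len;
    t.data = sample_bytes;
    return t;
}

/* Result of the bounded copy into a 64-byte buffer for a given length. */
int sample_copy_result(int len)
{
    char buf[NOTAFTER_BUF_LEN];
    struct asn1_time_view t = make_sample(len);
    return copy_not_after(buf, sizeof(buf), &t);
}

/* Whether the quoted test would have allowed an oversized copy. */
int sample_quoted_overflow(int len)
{
    struct asn1_time_view t = make_sample(len);
    return quoted_check_overflows(&t);
}

int main(void)
{
    int lengths[] = { 13, 63, 64, 100, 253, 254 };
    size_t i;

    for (i = 0; i < sizeof(lengths) / sizeof(lengths[0]); i++) {
        printf("len=%3d quoted-check-overflow=%d bounded-copy=%d\n",
               lengths[i],
               sample_quoted_overflow(lengths[i]),
               sample_copy_result(lengths[i]));
    }
    return 0;
}
```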




Bug#687166: ntp: NTP security vulnerability because not using authentication by default

2012-09-10 Thread Nico Golde
Hi,
* none anots...@fastmail.fm [2012-09-10 15:42]:
[...] 
 An adversary can tamper with the unauthenticated NTP replies and put the users
 time several years back, especially, but not limited, if the bios battery or
 hardware clock is defect. That issue becomes more relevant with new devices
 like RP, which do not even have a hardware clock.
 
 Putting the clock several years back allows an adversary to use already
 revoked, broken, expired certificates; replay old, broken, outdated, known
 vulnerable updates etc.

NTP is certainly subject to spoofing attacks by its nature. I also agree that 
this may be a problem in some settings. Just considering that e.g. kerberos is 
making heavy use of accurate timing. In theory NTP should be robust against 
wrong timing information from single servers. Obviously this doesn't help you, 
if your DNS is also spoofed and you control all NTP servers.

Since NTP does support symmetric/autokey by now, what I really wonder about is
why this is no strict requirement for servers in pool.ntp.org to which 
certainly also our debian ntp vendor zone belongs.

I think it would be desirable to ship default configurations with those keys 
setup.

I CC'ed Ask who is maintaining pool.ntp.org for this discussion.
Ask, is there such a requirement and I missed it or is it not existent?
If not, how realistic is it to change this?

While I don't think this is a critical problem, I'd also love to see this 
changed in future default configurations of the ntp package in Debian.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0




Bug#687166: ntp: NTP security vulnerability because not using authentication by default

2012-09-10 Thread Nico Golde
Hi,
* Ask Bjørn Hansen a...@ntppool.org [2012-09-10 18:03]:
 On Sep 10, 2012, at 8:13, Nico Golde n...@debian.org wrote:
 [Adding NTP authentication]

 We could setup a set of servers with authentication, but that'd be a much 
 smaller list of servers (for better and worse). It wouldn't be like the 
 current NTP Pool at all.
 
 Next would be to add DNSSEC to the DNS (which is non-trivial with the 
 current zone and the current resources; at peaks the DNS servers get 20-30k 
 qps and each response is different so you have to sign in real-time.).
 
 If there's a need and resources, I could run a zone with DNSSEC and with 
 autokey configured, but it'd not be possible in the open source/everyone 
 volunteers a resource or two scheme.

Wouldn't it still make sense to have a zone configured with autokey even 
without DNSSEC? Or is an active attacker bombarding the victim with faked NTP 
responses without spoofed DNS not an issue at all, so all this matters *only* 
if DNS is spoofed?

Kind regards
Nico
P.S: I'm all but an NTP expert :)
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0




Bug#687204: Manpage out-of-date

2012-09-10 Thread Nico Golde
Hi,
* Christoph Egger christ...@debian.org [2012-09-10 22:14]:
   nitrogen's manpage seems to be vastly incomplete

True, thanks! I'll contact upstream to see if he is willing to update it.
Otherwise I'll take the pain and do it on my own.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0





Bug#686196: httping: Segmentation fault (after slow responses?)

2012-08-30 Thread Nico Golde
Hi,
* Olaf van der Spek olafvds...@gmail.com [2012-08-29 22:41]:
 On Wed, Aug 29, 2012 at 10:29 PM, folkert folk...@vanheusden.com wrote:
  Maybe it's simpler if you run gdb yourself. ;)
 
  Yes but then I cannot reproduce it.
 
 Hmm, did you try?

I can also not reproduce the problem :/

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0




Bug#686241: httping: Show run time

2012-08-30 Thread Nico Golde
Hi,
* Olaf van der Spek olafvds...@gmail.com [2012-08-30 15:17]:
 Could you show the run time, like normal ping does?
 
 httping: 5848 connects, 5656 ok, 3.28% failed
 ping: 4 packets transmitted, 4 received, 0% packet loss, time 3001ms

How about using time from your shell? This way not every command where someone 
wants to know the time has to implement it ;)

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0




Bug#683556: openbox: window no more refresh when lauching epfview if awn running

2012-08-04 Thread Nico Golde
Hi,
* florian gruel fgr...@hotmail.com [2012-08-03 19:41]:
 Hi, I've done the test with awesome, everything seems to be OK.

Ok thank you. Maybe indeed an openbox issue then.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#683556: openbox: window no more refresh when lauching epfview if awn running

2012-08-02 Thread Nico Golde
Hi,
* florian fgr...@hotmail.com [2012-08-01 19:24]:
 when launching epdfview all windows don't refresh anymore, I need to kill
 epdfview from a virtual terminal to reuse the openbox desktop.
 If AWN is not running, no problems. 

Have you tried this in another window manager with awn running? This looks 
rather like an awn issue to me than an openbox issue.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#683322: unblock: bind9/1:9.8.1.dfsg.P1-4.2

2012-07-30 Thread Nico Golde
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception

Hi,
please unblock bind9. The version in unstable contains an isolated fix for 
CVE-2012-3817.

unblock: bind9/1:9.8.1.dfsg.P1-4.2

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#682481: gnome-shell: epiphany shouldn't be the default browser

2012-07-26 Thread Nico Golde
Hi,
* Julien Cristau jcris...@debian.org [2012-07-23 11:22]:
 On Mon, Jul 23, 2012 at 10:55:49 +0200, Josselin Mouette wrote:
 
  Le lundi 23 juillet 2012 à 10:46 +0200, Julien Cristau a écrit : 
   Package: gnome-shell
   Version: 3.4.1-8
   Severity: serious
   
   The default browser should be one that has at least vaguely credible
   security support, IMO.  epiphany doesn't qualify, chromium or iceweasel
   probably would.
  
  As explained on IRC, they would if at the *very least* they supported
  GTK3.
  
 I don't think "doesn't support gtk3" can be more of a blocker than "has
 0 security support".  I agree it's not ideal, but it doesn't seem
 there's much of a choice.

FWIW, I do support Julien's request to change this. Without going into detail 
why I think that security should have priority here, why is gtk3 support even 
an issue? Can you explain this a little further?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#682309: unblock: ecryptfs-utils/99-1

2012-07-21 Thread Nico Golde
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception

Hi,
please unblock ecryptfs-utils. This is a new upstream version that only fixes a
security issue, namely CVE-2012-3409.

unblock: ecryptfs-utils/99-1

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#682193: unblock: nsd3/3.2.12-1

2012-07-20 Thread Nico Golde
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception

Hi,
please unblock nsd3. This is a new upstream version that only fixes a security
issue, namely CVE-2012-2978 which has just been fixed in squeeze with a DSA.

unblock: nsd3/3.2.12-1

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#674448: CVE-2012-2098

2012-07-18 Thread Nico Golde
Hi,
* Miguel Landaeta mig...@miguel.cc [2012-07-18 17:02]:
 On Thu, May 24, 2012 at 08:13:35PM +0200, Moritz Muehlenhoff wrote:
  Please see https://commons.apache.org/compress/security.html
  
  Fixed in 1.4.1. This doesn't warrant a DSA, but you could fix
  it through a point update for Squeeze 6.0.6.
 
 I had prepared an upload to fix this issue in stable.
 
 Are you OK with an upload to stable then?

Please notify the release team before.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#681455: openbox: Does not exit on Exit in pop-up menu.

2012-07-14 Thread Nico Golde
Hi,
* Sthu Deus sthu.d...@gmail.com [2012-07-14 15:04]:
   Is it clear now?! Or additional explanation needed? - Or it is Your
   strategy - to deny bugs found? :o/
 
  Is it your strategy to piss me off?
 
 No. Just a try to make my message clear for You.

In this case you should phrase your words a little more carefully. It should 
be obvious that asking me if I want to deny bugs is offending me.

  Anyway, I don't know what setup you have exactly. I just tested a
  plain openbox 3.5.0 from upstream as well as openbox from Debian
  again and the exit menu works just fine. You may want to change the
  menu entry to do something like lxsession-logout or execute a command
  to kill your lxde session.
 
 I also use version, and for users on the same host it does not work.
 Can You shed some light on how You change the commands that are run
 from that menu?

Yes, edit /etc/xdg/openbox/menu.xml

  There is no openbox bug here as far as I can judge, thus closing the
  bug report.
 
 Hmm. What if I the commands are set already? May I will check it first
 - after You tell me how?

Sorry, I think I don't understand what you mean. Please try to rephrase.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#681455: openbox: Does not exit on Exit in pop-up menu.

2012-07-13 Thread Nico Golde
Hi,
* Sthu sthu.d...@gmail.com [2012-07-13 12:31]:
 When I do press Exit on pop-up menu (the one I get w/ right-click on a
 desktop), openbox does not exit. I have to click logout in its main menu -
 then from KDM logout menu I logout.
 
 Please fix it.

What do you mean? There is no logout button in openbox' main menu and the exit 
button works just fine.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#679491: [pkg-fetchmail-maint] Bug#679491: [fetchmail] Spamassassin-Fetchmail depedenty boot order needs fixing

2012-06-30 Thread Nico Golde
Hi,
* David Baron d_ba...@012.net.il [2012-06-29 08:37]:
  The new sysv-rc assigned K01 symlinks to fetchmail.
  
  However, I want to have spamassassin and its rules up beforehand. I have
  been doing this explicitly in what is now rc.local. Fetchmail did not like
  the duplicated start and my mail worked only after I restarted fetchmail.
  
  There must be a more correct way to do this.
  
  ( Meanwhile, I removed the symlinks to allow my rc.local to start
  fetchmail. The next upgrades will restore them unless I divert. The
  sysv-rc gave K03 symlinks to spamassassin which would mean starting after
  fetchmail and there is no mention of the rules. )

K symlinks don't define the start order during boot.

[...] 
 So you just need to have
   Should-Start: spamassassin
 in the fetchmail script.  And/or
   X-Start-Before: fetchmail
 in the spamassassin script.  Then re-run insserv.

This won't happen or at least is very unlikely. I don't see a bug here to be 
honest and the purpose of those targets is not to list every single individual 
program that people might find useful to get started beforehand.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#678993: openbox: xmodmap freezes openbox in lxde

2012-06-26 Thread Nico Golde
Hi,
* Paul Seyfert pseyf...@mathphys.fsk.uni-heidelberg.de [2012-06-26 09:48]:
 Hi,
 On 25.06.2012 19:44, Nico Golde wrote:
  Hi, * Paul Seyfert pseyf...@mathphys.fsk.uni-heidelberg.de
  [2012-06-25 17:49]:
  I use my notebook with lxde. after some time of operation I
  connect an external keyboard. The external keyboard now runs
  without my modifications in my ~/.xmodmap file so I call $
  xmodmap .xmodmap the effect is, that the external keyboard is now
  mapped as I wish, but openbox seems not to operate anymore. 
  alt+tab doesn't work, i cannot click on windows to change
  windows. I haven't found any way to change windows or workspaces
  (except closing the current active application) resizing windows
  doesn't work.
  
  I get back to working by running killall -9 openbox ; sleep 10s ;
  openbox & disown; exit (luckily after calling xmodmap, the active
  window is a shell)
  
  Can you share your xmodmap? I can't reproduce this in a quick
  test.
  
 
 there it is:
 http://www.physi.uni-heidelberg.de/~pseyfert/.Xmodmap

Even with this I can't reproduce the described behaviour. What I observe is
that after loading openbox doesn't react for a short time and openbox uses a 
lot of CPU. During that time it doesn't react to anything, but it does come 
back.

How long did you wait for it to come back?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.






Bug#678993: openbox: xmodmap freezes openbox in lxde

2012-06-26 Thread Nico Golde
Hi,
* Paul Seyfert pseyf...@mathphys.fsk.uni-heidelberg.de [2012-06-26 12:15]:
[...] 
 well since that happens each morning I come to the office I'm quite
 quick with killing openbox nowadays. I just tested and waited for two
 minutes without success.

Ok. Could you do me the favor and check if this happens with a different 
window manager as well? I have the feeling that this might not be openbox 
related. In the end xmodmap should be handled by X and the window manager 
should eat whatever signal is delivered by X on a key press.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#678993: openbox: xmodmap freezes openbox in lxde

2012-06-25 Thread Nico Golde
Hi,
* Paul Seyfert pseyf...@mathphys.fsk.uni-heidelberg.de [2012-06-25 17:49]:
 I use my notebook with lxde. after some time of operation I connect an
 external keyboard.
 The external keyboard now runs without my modifications in my ~/.xmodmap file
 so I call
 $ xmodmap .xmodmap
 the effect is, that the external keyboard is now mapped as I wish, but openbox
 seems not to operate anymore.
 alt+tab doesn't work, i cannot click on windows to change windows. I haven't
 found any way to change windows or workspaces (except closing the current
 active application)
 resizing windows doesn't work.
 
 I get back to working by running
 killall -9 openbox ; sleep 10s ; openbox  disown; exit
 (luckily after calling xmodmap, the active window is a shell)

Can you share your xmodmap? I can't reproduce this in a quick test.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.






Bug#650632: mcabber: fails to handle bookmarks for password protected MUCs

2012-06-17 Thread Nico Golde
Hi,
* Franziska Lichtblau rhal...@old-forest.org [2012-06-16 18:46]:
> first of all thank you for the patch, I think it's a good idea and will
> forward it to upstream as well.
> Sorry for the long time since you sent the patch - hopefully won't happen
> again.
[...]
> Debian123! being the password.
> Could you maybe just change the output function to display * instead of
> the actual password?

Sure, an updated version of the patch is attached. I'm using this patch btw 
since I reported the bug, without problems so far.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
diff -Nurad mcabber-0.10.1/mcabber/commands.c mcabber-0.10.1.new/mcabber/commands.c
--- mcabber-0.10.1/mcabber/commands.c	2010-12-01 21:51:20.0 +0100
+++ mcabber-0.10.1.new/mcabber/commands.c	2012-06-17 14:08:06.647247157 +0200
@@ -2918,7 +2918,7 @@
 static void room_bookmark(gpointer bud, char *arg)
 {
   const char *roomid;
-  const char *name = NULL, *nick = NULL;
+  const char *name = NULL, *nick = NULL, *passwd = NULL;
   char *tmpnick = NULL;
   enum room_autowhois autowhois = 0;
   enum room_printstatus printstatus = 0;
@@ -2931,7 +2931,8 @@
 char **paramlst;
 char **pp;
 
-paramlst = split_arg(arg, 3, 0); // At most 3 parameters
+paramlst = split_arg(arg, 4, 0); // At most 4 parameters
+
 for (pp = paramlst; *pp; pp++) {
   if (!strcasecmp(*pp, add))
 action = bm_add;
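Review bot: the comment on the split_arg() call now reads "At most 4 parameters" without saying what the fourth one is. Since it is a room password, name the accepted arguments in the comment (action, autojoin flag, nick, password) and update the command's usage text to match. The blank line added after the call is unrelated whitespace and can be dropped.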
@@ -2943,9 +2944,11 @@
 autojoin = 1;
   else if (!strcmp(*pp, -))
 nick_set = 1;
-  else {
+  else if(nick_set == 0){
 nick_set = 1;
 nick = tmpnick = to_utf8 (*pp);
+  } else if(nick_set == 1){
+   passwd = to_utf8(*pp);
   }
 }
 free_arg_lst(paramlst);
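Review bot: in the new `else if(nick_set == 1)` branch every further argument is assigned to passwd, so a second extra argument overwrites the pointer and the earlier to_utf8() result is lost. At that point nick_set can only be 1, so the condition adds nothing; a plain else that assigns only while passwd is still NULL would be clearer. This also means a password can only be given after a nick or the - placeholder, which should be documented. Please match the file's spacing as well (`else if (`).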
@@ -2961,7 +2964,7 @@
 autowhois   = buddy_getautowhois(bud);
   }
 
-  xmpp_set_storage_bookmark(roomid, name, nick, NULL, autojoin,
+  xmpp_set_storage_bookmark(roomid, name, nick, passwd, autojoin,
 printstatus, autowhois);
   g_free (tmpnick);
 }
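Review bot: passwd is handed to xmpp_set_storage_bookmark() but only tmpnick is released with g_free() afterwards, so the string returned by to_utf8() for the password leaks and the cleartext password stays on the heap. Keep it in a non-const temporary the way tmpnick is handled and g_free() it after the call.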
@@ -2988,11 +2991,15 @@
 (bm_elt-autojoin ? '*' : ' '), bm_elt-roomjid);
 if (bm_elt-nick)
   g_string_append_printf(sbuf,  (%s), bm_elt-nick);
+if (bm_elt-passwd)
+  /* replace password for security reasons */
+  g_string_append_printf(sbuf,  (*));
 if (bm_elt-name)
   g_string_append_printf(sbuf,  %s, bm_elt-name);
 g_free(bm_elt-roomjid);
 g_free(bm_elt-name);
 g_free(bm_elt-nick);
+g_free(bm_elt-passwd);
 g_free(bm_elt);
 scr_WriteIncomingMessage(NULL, sbuf-str,
  0, HBB_PREFIX_INFO | HBB_PREFIX_CONT, 0);
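Review bot: the masked password is printed as (*), which is easy to confuse with the '*' that the same output line already uses as the autojoin marker; a distinct placeholder would avoid that. The added `if` also places a comment between the condition and its unbraced statement, so wrap the body in braces or move the comment above the `if`.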
diff -Nurad mcabber-0.10.1/mcabber/xmpp.c mcabber-0.10.1.new/mcabber/xmpp.c
--- mcabber-0.10.1/mcabber/xmpp.c	2010-12-01 21:51:21.0 +0100
+++ mcabber-0.10.1.new/mcabber/xmpp.c	2012-06-17 14:08:06.647247157 +0200
@@ -2083,7 +2083,7 @@
 // If the node is a conference item, let's add the note to our list.
 if (x-name  !strcmp(x-name, conference)) {
   struct bookmark *bm_elt;
-  const char *autojoin, *name, *nick;
+  const char *autojoin, *name, *nick, *passwd;
   const char *fjid = lm_message_node_get_attribute(x, jid);
   if (!fjid)
 continue;
@@ -2092,10 +2092,13 @@
   autojoin = lm_message_node_get_attribute(x, autojoin);
   nick = lm_message_node_get_child_value(x, nick);
   name = lm_message_node_get_attribute(x, name);
+  passwd = lm_message_node_get_child_value(x, password);
   if (autojoin  !strcmp(autojoin, 1))
 bm_elt-autojoin = 1;
   if (nick)
 bm_elt-nick = g_strdup(nick);
+  if (nick)
+bm_elt-passwd = g_strdup(passwd);
   if (name)
 bm_elt-name = g_strdup(name);
   sl_bookmarks = g_slist_append(sl_bookmarks, bm_elt);
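Review bot: the new assignment to bm_elt->passwd is guarded by `if (nick)`, a copy of the check just above it, where it should test passwd. As written, a bookmark that has a password but no nick loses the password. Change the condition to `if (passwd)`.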
diff -Nurad mcabber-0.10.1/mcabber/xmpp.h mcabber-0.10.1.new/mcabber/xmpp.h
--- mcabber-0.10.1/mcabber/xmpp.h	2010-12-01 21:51:21.0 +0100
+++ mcabber-0.10.1.new/mcabber/xmpp.h	2012-06-17 14:08:06.647247157 +0200
@@ -24,6 +24,7 @@
   gchar *roomjid;
   gchar *name;
   gchar *nick;
+  gchar *passwd;
   guint autojoin;
   /* enum room_printstatus pstatus; */
   /* enum room_autowhois awhois; */




Bug#672724: [pkg-fetchmail-maint] Bug#672724: Init script message about disabled daemon should be info rather than warning

2012-05-13 Thread Nico Golde
Hi,
* Moritz Muehlenhoff j...@debian.org [2012-05-13 11:25]:
> The init script has the following:
>
> if [ ! "x$START_DAEMON" = "xyes" -a ! "$1" = "status" ]; then
> log_warning_msg "Not starting fetchmail daemon, disabled via /etc/default/fetchmail"
> exit 0
> fi
>
> With the fancy LSB messages from current sid, this is displayed as an orange
> warning, while it's rather simple configuration impact w/o harm. You should
> rather use log_action_msg instead of log_warning_msg.

According to which rule? Strictly speaking, I copied this from other packages, 
e.g. smart does it this way. I don't see a policy rule for it.

Regards, Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#672724: [pkg-fetchmail-maint] Bug#672724: Init script message about disabled daemon should be info rather than warning

2012-05-13 Thread Nico Golde
Hi,
* Nico Golde n...@debian.org [2012-05-13 20:09]:
> * Moritz Muehlenhoff j...@debian.org [2012-05-13 11:25]:
>> The init script has the following:
>>
>> if [ ! "x$START_DAEMON" = "xyes" -a ! "$1" = "status" ]; then
>> log_warning_msg "Not starting fetchmail daemon, disabled via /etc/default/fetchmail"
>> exit 0
>> fi
>>
>> With the fancy LSB messages from current sid, this is displayed as an orange
>> warning, while it's rather simple configuration impact w/o harm. You should
>> rather use log_action_msg instead of log_warning_msg.
>
> According to which rule? Strictly speaking, I copied this from other packages,
> e.g. smart does it this way. I don't see a policy rule for it.

Sorry, this mail was just intended for the reporter:
To roughly translate. Is there a policy rule that states this? To be honest, I 
looked at how other packages do this, e.g. smart, and copied that behaviour.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#566900: RFH: openbox -- standards compliant, fast, light-weight, extensible window manager

2012-05-10 Thread Nico Golde
Hi,
* Daniel Baumann daniel.baum...@progress-technologies.net [2012-05-10 09:19]:
> On 05/08/2012 07:12 AM, Nico Golde wrote:
>> Feel free to join as a co-maintainer.
>
> my intention is to consolidate openbox with the rest of the lxde
> packages, i'm currently not interested in another 'not into my workflow
> integrated' leaf package.

Ok fair enough.

> should you at some point decide to orphan it, please let me know before.

Will do, thanks for your interest in this package!
Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#566900: RFH: openbox -- standards compliant, fast, light-weight, extensible window manager

2012-05-07 Thread Nico Golde
Hi,
* Daniel Baumann daniel.baum...@progress-technologies.net [2012-04-23 11:34]:
> I offer to adopt openbox on behalf of the Debian LXDE team.

Thanks but so far my intention was not to orphan it. Feel free to join as a 
co-maintainer.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.



