Bug#929453: lftp: hangs on getting directory contents at the end of mirror
Any idea what is causing this?
Bug#929453: lftp: hangs on getting directory contents at the end of mirror
Package: lftp
Version: 4.8.4-2
Severity: important

Hi Noël,

First thanks for maintaining lftp!

I've got two machines that run the same version of Debian and the same version (and same configuration) of lftp and on one of them, lftp behaves very weird at the end of mirror command. This manifests in the following output:

...
Transferring file `foo01'
Transferring file `foo02'
Transferring file `foo03'
New: 11 files, 0 symlinks
421696988 bytes transferred in 47 seconds (8.58 MiB/s)
Retrying mirror...
Getting directory contents (0) [Waiting for response...]

At that point, lftp is just stuck. The exact mirror command that is executed is "mirror -R -c -v".

I have attached a minimal config for which this problem occurs and hope that helps. Specifically, the timeout does not seem to kick in and I have no idea why. There's also nothing obvious in the transfer log that hints to a problem.

I have also attached an strace from slightly before this happens, i.e. when the files are stat'ed the last time. It seems lftp hangs up in some infinite select loop without valuing the timeout or noticing that the server has closed the connection. FWIW, this connection uses sftp.

Hope this helps. This has been bugging me for a while now and I've got no idea what this is.

Thanks!
Nico

set ftp:passive-mode yes
set ftp:ssl-allow yes
set ftp:ssl-allow-anonymous no
set ftp:ssl-auth TLS
set ftp:ssl-data-use-keys yes
set ftp:ssl-force yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
set ftp:ssl-protect-list yes
set ssl:verify-certificate yes
set mirror:set-permissions off
set cache:enable false
set ftp:use-site-idle false
set ftp:use-mdtm false
set ftp:lang false
set ftp:use-hftp false
set ftp:use-feat false
set ftp:use-stat false
set ftp:stat-interval 30
set ftp:sync-mode true
set ftp:skey-allow false
set mirror:no-empty-dirs true
set net:timeout 10
set net:max-retries 2
set net:reconnect-interval-base 5
set net:reconnect-interval-multiplier 1
debug

lstat("/home/bla/foo01", {st_mode=S_IFREG|0644, st_size=21696051, ...}) = 0
lstat("/home/bla/foo02", {st_mode=S_IFREG|0644, st_size=5000, ...}) = 0
lstat("/home/bla/foo03", {st_mode=S_IFREG|0644, st_size=540, ...}) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 7
fcntl(7, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(7, F_SETFL, O_RDWR|O_NONBLOCK)= 0
fcntl(7, F_SETFD, FD_CLOEXEC) = 0
setsockopt(7, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
getsockname(4, {sa_family=AF_INET, sin_port=htons(54152), sin_addr=inet_addr("X")}, [28->16]) = 0
bind(7, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("XX")}, 16) = 0
getsockname(7, {sa_family=AF_INET, sin_port=htons(34865), sin_addr=inet_addr("XX")}, [28->16]) = 0
sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\27\3\3\0 \0\0\0\0\0\0\0(\206\240\225\326h%YA\234h\307~g\206\310`\337\232\233"..., iov_len=37}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 37
brk(0x560b2eb48000) = 0x560b2eb48000
close(5)= 0
select(5, [], [4], NULL, {tv_sec=0, tv_usec=13894}) = 1 (out [4], left {tv_sec=0, tv_usec=13892})
recvfrom(4, 0x560b2eafdbb3, 5, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
select(5, [4], [], NULL, {tv_sec=0, tv_usec=13787}) = 0 (Timeout)
ioctl(0, TIOCGPGRP, [1772]) = 0
getpgrp() = 1772
ioctl(1, TIOCGWINSZ, {ws_row=48, ws_col=211, ws_xpixel=0, ws_ypixel=0}) = 0
write(1, "Getting directory contents (0) ["..., 56) = 56
write(1, "\r", 1) = 1
select(5, [4], [], NULL, {tv_sec=0, tv_usec=78028}) = 1 (in [4], left {tv_sec=0, tv_usec=75885})
recvfrom(4, "\27\3\3\0,", 5, 0, NULL, NULL) = 5
recvfrom(4, ",r`\317\224\351\nl/\367\214\374+\273\26\2524.\234\230\245\363E\365h\275*5\26\10\10I"..., 44, 0, NULL, NULL) = 44
recvfrom(4, 0x560b2eafdbb3, 5, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\27\3\3\0\36\0\0\0\0\0\0\0)AX\200\347\262\335s\221\246V\221|\320\336z:9\271v"..., iov_len=35}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 35
select(5, [], [4], NULL, {tv_sec=0, tv_usec=74351}) = 1 (out [4], left {tv_sec=0, tv_usec=74349})
recvfrom(4, 0x560b2eafdbb3, 5, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
select(5, [4], [], NULL, {tv_sec=0, tv_usec=74195}) = 1 (in [4], left {tv_sec=0, tv_usec=57018})
recvfrom(4, "\27\3\3\0J", 5, 0, NULL, NULL) = 5
recvfrom(4, ",r`\317\224\351\nm\302\t\r>si\356$\346DS\222\362\362\327\201\307\274D[\254S\361\264"..., 74, 0, NULL, NULL) = 74
recvfrom(4, 0x560b2eafdbb3, 5, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
getpeername(4, {sa_family=AF_INET, sin_port=htons(43486), sin_addr=inet_addr("Y")}, [28->16]) = 0
connect(7, {sa_family=AF_INET, sin_port=htons(63183), sin_addr=inet_addr("Y")}, 16) = -1 EINPROGRESS (Operation now in progress)
Bug#902225: RFS: ii/1.8-1
Hi itd,

the license change for debian patches is fine!

Cheers,
Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#852159: mktorrent: upstream changed maintainer, actual version missing new interesting features
Hi,
* Paride Legovini [2018-08-01 22:31]:
> Nico Golde wrote on 29/07/2018:
> > * Paride Legovini [2018-07-29 19:52]:
[...]
> The Debian packaging is Copyright (C) 2009, Nico Golde
> and is licensed under the GPL, see `/usr/share/common-licenses/GPL-2'.
>
> Does this mean GPL2 or GPL2+ (GPL2 or any later version)? (Upstream is
> licensed as GPL2+, so I think it would be nice to use the same licensing
> terms for homogeneity, but it's up to you.)

Feel free to change any aspect as you like, including this one.

Cheers,
Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#852159: mktorrent: upstream changed maintainer, actual version missing new interesting features
Hi,

I just realized I haven't responded to this bug ever. I'm very short on time at the moment and in fact will retire my Debian account soon. If you or anyone is interested in hijacking this package, please go ahead!

Kind regards,
Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#895634: please package lftp 4.8.3
Source: lftp
Severity: wishlist

Hey Noël,

Could you update lftp to 4.8.3? This brings some useful features such as the parallel option for mget.

Thanks!
Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#890995: ii: new upstream version
Hi,
* itd <i...@firemail.cc> [2018-02-21 13:48]:
> thanks for maintaining ii.
>
> As of 2018-02-04 ii version 1.8 is available. Please consider packaging it.
> Feel free to use the patch attached as you think fit to do so (no attribution
> required). [1]

Do you want to hijack the package? You are more than welcome to do so!

Kind regards,
Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#842558: O: nitrogen - wallpaper browser and changing utility for X
Package: wnpp
Severity: normal

I intend to orphan the nitrogen package.

nitrogen is a graphical wallpaper utility that can be used in two modes, browser and recall. Some of the things to look for in nitrogen are:
* Multihead and Xinerama support (setting different wallpapers for each monitor)
* Recall mode to restore wallpapers via startup script
* Uses freedesktop.org standard for thumbnails
* Can set GNOME background
* Command line set modes for script usage
* Inotify monitoring of browsed directories
Bug#842559: O: libacpi - general purpose library for ACPI
Package: wnpp
Severity: normal

I intend to orphan the libacpi package.

libacpi is a general purpose shared library for programs gathering ACPI data on Linux. It implements thermal zones, battery information, fan information and AC states.
Bug#842557: O: binclock - binary clock for console with color support
Package: wnpp
Severity: normal

I intend to orphan the binclock package.

BinClock - Displays system time in binary format. It supports showing the time with eight different colors, and it can run a loop that prints the time every second. The default colors and characters for printing can be changed with a config file.

I think this is a toy program. If nobody feels inclined to take it, I think we are better off removing it from the archive.

Cheers,
Nico
Bug#842556: O: yacpi - ncurses based acpi monitor for text mode
Package: wnpp
Severity: normal

I intend to orphan the yacpi package.

yacpi (yet another configuration and power interface) is an ncurses based ACPI monitoring program for notebooks. There is also a text-only output so it is possible to include it in scripts. It displays various ACPI information like battery status, temperature, charging circuits and AC status. Additionally it displays CPU governor and current frequency.
Bug#842555: O: tsocks -- transparent network access through a SOCKS 4 or 5 proxy
Package: wnpp
Severity: normal

I intend to orphan the tsocks package.

The package description is:
tsocks provides transparent network access through a SOCKS version 4 or 5 proxy (usually on a firewall). tsocks intercepts the calls applications make to establish TCP connections and transparently proxies them as necessary. This allows existing applications to use SOCKS without recompilation or modification.
Bug#817875: libacpi: Patch used in NMU 0.2-4.1
* Petter Reinholdtsen [2016-03-11 09:48]:
> The libacpi package has not been able to extract battery status for a
> while, and this breaks several packages, among them battery-stats. I
> wanted to do something about this, so I just uploaded an NMU fixing the
> bugs in the package. As the maintainer is listed as having a low NMU
> threshold, I decided to upload directly into unstable instead of using
> the delayed queue. The attached patch is the changes I made to the
> source package:

Thanks, also feel free to hijack this completely!

Nico
Bug#776728: newsbeuter: nasty memory leak in 2.8
Hi,

> On 03 Jan 2016, at 12:30, Manuel A. Fernandez Montecelo
> <manuel.montez...@gmail.com> wrote:
>
> Control: tags -1 + patch
>
>
> Hi all,
>
> 2015-02-01 18:25 Nico Golde:
>> Hi,
>> * Mark Nipper <ni...@bitgnome.net> [2015-02-01 19:06]:
>>> It seems there is a rather nasty memory leak in 2.8 of
>>> newsbeuter. The bug for it is mentioned here (with a pretty graph!):
>>> ---
>>> https://github.com/akrennmair/newsbeuter/issues/119
>>>
>>> This has caused a smaller virtual host I have running to lock up
>>> multiple times now (due to a separate issue in btrfs I suspect), until I
>>> finally sat down to go back through my atop history. At this point, it
>>> was clear the issue was, in part, due to this memory leak in newsbeuter
>>> (which I typically leave running in a tmux window indefinitely).
>> [...]
>>
>> Thanks for the report! Checking back with upstream if he is willing to make a
>> new release, otherwise I'll take the separate patch.
>
> It would be very nice to get this fixed, it's getting up to 800+MB of
> mem within hours, it seems to stabilise a bit after that.
>
>
> Version 2.9 was released a few weeks after this last message as
> promised, and fixes the problem, so it would be extra nice to have ...

Sorry, please see https://lists.debian.org/debian-wnpp/2015/10/msg00056.html. I don't have the time to maintain this anymore.

Kind regards,
Nico
Bug#800753: Bug#805366: stfl: build-depends on spl-dev which is gone from the archive
Hi,
* Emilio Pozuelo Monfort <po...@debian.org> [2015-11-17 20:17]:
> Source: stfl
> Version: 0.22-1.2
> Severity: serious
>
> Your package build-depends on spl-dev, making it unbuildable as that
> package no longer exists.
>
> See https://bugs.debian.org/801704

Too bad. I have an RFA open for stfl. I'm CC'ing this so if a person is interested in adopting it can consider adopting spl as well. I have no intentions of doing another upload for this.

Cheers,
Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#800755: RFA: httping -- ping-like program for http-requests
Package: wnpp
Severity: normal

I request an adopter for the httping package.

The package description is:
httping is like ping for HTTP. It sends requests to a hostname or a remote URL and it shows you how long it takes to connect, send a HTTP request and retrieve the reply (only the header).
.
It supports SSL as well as various different ways to use it.
Bug#800754: RFA: tcpxtract -- extracts files from network traffic based on file signatures
Package: wnpp
Severity: normal

I request an adopter for the tcpxtract package.

The package description is:
tcpxtract is a fast console tool to extract files from network traffic based on file headers and footers (so called carving). 26 file formats are supported out of the box by tcpxtract but new formats can be added without problems. Foremost configurations are simple to convert to tcpxtracts configuration files.
.
It uses libpcap and it can be used with tcpdump files.
Bug#800751: RFA: httping -- ping-like program for http-requests
Package: wnpp
Severity: normal

I request an adopter for the httping package as I don't have enough time anymore.

The package description is:
httping is like ping for HTTP. It sends requests to a hostname or a remote URL and it shows you how long it takes to connect, send a HTTP request and retrieve the reply (only the header).
.
It supports SSL as well as various different ways to use it.
Bug#800753: RFA: stfl -- structured terminal forms language/library
Package: wnpp
Severity: normal

I request an adopter for the stfl package as I don't have enough time anymore.

The package description is:
stfl is a library which implements a curses-based widget set for text terminals.
.
This package contains the shared library for libstfl.
Bug#800750: RFA: fetchmail -- SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
Package: wnpp
Severity: normal

I request an adopter for the fetchmail package as I think I don't have enough time anymore.

The package description is:
fetchmail is a free, full-featured, robust, and well-documented remote mail retrieval and forwarding utility intended to be used over on-demand TCP/IP links (such as SLIP or PPP connections). It retrieves mail from remote mail servers and forwards it to your local (client) machine's delivery system, so it can then be read by normal mail user agents such as mutt, elm, pine, (x)emacs/gnus, or mailx. The fetchmailconf package includes an interactive GUI configurator suitable for end-users.
.
Kerberos V and GSSAPI are supported.
.
Kerberos IV, RPA, OPIE and other support for some other features are available if the package is recompiled.
Bug#800752: RFA: newsbeuter -- text mode rss feed reader with podcast support
Package: wnpp
Severity: normal

I request an adopter for the newsbeuter package as I don't have the time anymore.

The package description is:
newsbeuter is an innovative RSS feed reader for the text console. It supports OPML import/exports, HTML rendering, podcast (podbeuter), offline reading, searching and storing articles to your filesystem, and many more features.
.
Its user interface is coherent, easy to use, and might look common to users of mutt and slrn.
Bug#781803: [pkg-fetchmail-maint] Bug#781803: [l10n] [de] fetchmail: german translation abgeschossen
Hi,
* Mario Lang ml...@delysid.org [2015-04-03 12:47]:
> Running fetchmail -q in a german environment, fetchmail tells me:
>
> fetchmail: Hintergrund-fetchmail mit Kennung 3220 abgeschossen.
>
> I don't think that abgeschossen is an appropriate translation. I'd say
> beendet is much better. Abgeschossen sounds like a message from an
> ego-shooter.

Thanks for the report! Being a native speaker myself, I don't care either way to be honest, but I can see how beendet sounds a little more professional.

Matthias, do you mind changing this?

Cheers,
Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#776728: newsbeuter: nasty memory leak in 2.8
Hi,
* Mark Nipper ni...@bitgnome.net [2015-02-01 19:06]:
> It seems there is a rather nasty memory leak in 2.8 of
> newsbeuter. The bug for it is mentioned here (with a pretty graph!):
> ---
> https://github.com/akrennmair/newsbeuter/issues/119
>
> This has caused a smaller virtual host I have running to lock up
> multiple times now (due to a separate issue in btrfs I suspect), until I
> finally sat down to go back through my atop history. At this point, it
> was clear the issue was, in part, due to this memory leak in newsbeuter
> (which I typically leave running in a tmux window indefinitely).
[...]

Thanks for the report! Checking back with upstream if he is willing to make a new release, otherwise I'll take the separate patch.

Cheers
Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#775255: [pkg-fetchmail-maint] Bug#775255: fetchmail: Fails to start when libssl has SSLv3 disabled
severity 775255 wishlist
retitle 775255 provide possibility to disable sslv3 or remove completely
thanks

Hi,
* Chiraag Nataraj chiraag.nata...@gmail.com [2015-01-14 03:50]:
> Yes, it works with the version of libssl from unstable since SSLv3 is not
> disabled in that version. The main problem is that currently, fetchmail does
> not work with more secure versions of libssl (which have SSLv3 disabled
> completely). I just provided one solution (completely disable SSLv3 in
> fetchmail), but if another one (such as automatically detecting that libssl
> does not provide SSLv3 and therefore not even attempting to load the SSLv3
> symbols) works better, that's fine too.
>
> Currently, the version of fetchmail in experimental is the same as the
> version of fetchmail in unstable. If necessary, you could release a different
> version of fetchmail for experimental which drops SSLv3 support entirely (if
> updating the one in unstable seems like a bad idea currently), since SSLv3
> support *should* be dropped at some point due to the POODLE bug.
>
> This is not an issue of fetchmail negotiating SSLv3 by default, this is an
> issue of fetchmail looking for symbols in libssl *which don't exist*. The
> first would only surface if, for example, libssl provided an empty
> implementation of SSLv3 but still exported the symbols. What's happening
> right now is that the symbols don't even exist, which leads to the program
> not working at all. This is regardless of whether or not I actually utilize
> SSLv3 as my protocol (which I never specifically requested).

I'm glad you are explaining this to me, but I think you misunderstood my point. It is clear to me where this error is coming from and that it is openssl essentially breaking compatibility here. I merely made the point that in the git version of fetchmail sslv3 is by default not negotiated, which is why I think your patch is not helpful as it clearly wasn't upstream's intention to remove this support entirely, at least not in this form.

So in conclusion, also after seeing Matthias' take on this, I'll change this bug to wishlist for providing a possibility to disable sslv3 or remove it entirely. I know this is not your original intention with filing the bug, but there is nothing to fix from the fetchmail package point of view right now, this is something the openssl maintainer needs to fix by properly bumping the soname and package names.

My alternative would be to close the bug or reassign it to openssl, but I do think that it's reasonable to ask for this particular feature change anyway, so we can as well track it.

Cheers
Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#775255: [pkg-fetchmail-maint] Bug#775255: fetchmail: Fails to start when libssl has SSLv3 disabled
Hi,
* Chiraag Nataraj chiraag.nata...@gmail.com [2015-01-13 12:22]:
> Package: fetchmail
> Version: 6.3.26-1+b1
> Severity: grave
> Justification: renders package unusable

You filed a bug against a version that works absolutely fine with the openssl version it is supposed to work with. Hence, I'm inclined to close that bug or downgrade it to wishlist in favor of removing/disabling sslv3 support in fetchmail.

> When the latest version of libssl1.0.0 is installed from experimental (which
> has SSLv3 disabled), Fetchmail exits with the following error:
>
> fetchmail: relocation error: fetchmail: symbol SSLv3_client_method, version OPENSSL_1.0.0 not defined in file libssl.so.1.0.0 with link time reference

See above

> Fetchmail should be rebuilt to not require SSLv3.

The patch you included simply removes this feature entirely:

--- fetchmail-6.3.26/socket.c 2013-04-23 22:00:45.0 +0200 +++ socket.c2015-01-14 00:29:53.412608735 +0100 @@ -913,8 +913,6 @@ report(stderr, GT_(Your operating system does not support SSLv2.\n)); return -1; #endif - } else if(!strcasecmp(ssl3,myproto)) { - _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); } else if(!strcasecmp(tls1,myproto)) { _ctx[sock] = SSL_CTX_new(TLSv1_client_method()); } else if (!strcasecmp(ssl23,myproto)) {

In the current git version of fetchmail, sslv3 is not negotiated by default, unless a user explicitly requests to do so. As such I'm not sure how useful this patch is as well.

Matthias, do you mind weighing in on this?

Thanks
Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
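Review bot: deleting the `ssl3` branch in socket.c outright means a user who explicitly sets the protocol to ssl3 no longer matches any SSLv3 case and falls through to the branches that follow, with no message saying SSLv3 is unavailable. The context at the top of the hunk shows how the SSLv2 case is handled: a preprocessor guard whose fallback calls `report(stderr, ...)` with "Your operating system does not support SSLv2." and returns -1. Doing the same for SSLv3 (keep the branch, wrap the `SSLv3_client_method()` call in a build-time check such as OpenSSL's `OPENSSL_NO_SSL3`, and report and return -1 otherwise) would avoid the missing-symbol reference while keeping the feature on builds whose libssl still provides it.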
Bug#768843: [pkg-fetchmail-maint] Bug#768843: fetchmail: Improved TLS support
Hi Kurt,
* Kurt Roeckx k...@roeckx.be [2014-11-09 17:12]:
> The attached patch improves fetchmail SSL/TLS support. It seems to have
> some misunderstandings of openssl / SSL / TLS.

Thanks! I am checking back with upstream regarding this as I'm aware that Matthias also made changes related to this.

Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#765935: mktorrent: COPYRIGHT is misspelt as COPYRIGH in the man page
Hi,
* Colin S. Miller deb...@csmiller.demon.co.uk [2014-10-19 13:45]:
> Dear Maintainer,
> In the man page, the section title COPYRIGHT is misspelt as COPYRIGH,
> i.e. it is missing the T.

Will change on the next upload, thanks!

Nico
Bug#754073: [pkg-fetchmail-maint] Bug#754073: fetchmailconf: Fetchmail does not start -- libBLT.2.4.so.8.6
reassign 754073 blt
merge 751767 754073
thanks

* Jonás Andradas j.andra...@gmail.com [2014-07-07 12:03]:
> Package: fetchmailconf
> Version: 6.3.26-1
> Severity: grave
> Justification: renders package unusable
>
> Dear Maintainer,
>
> when trying to start fetchmailconf, the following error is found:
>
> ~$ fetchmailconf
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/dist-packages/fetchmailconf.py", line 8, in <module>
>     from Tkinter import *
>   File "/usr/lib/python2.7/lib-tk/Tkinter.py", line 42, in <module>
>     raise ImportError, str(msg) + ', please install the python-tk package'
> ImportError: libBLT.2.4.so.8.6: cannot open shared object file: No such file or directory, please install the python-tk package
>
> Package python-tk is installed, and blt too. However the libBLT library
> present in the system is 2.5 instead of 2.4:
>
> ls: cannot access /usr/lib/libBLT.2.4.so.8.6: No such file or directory
> blt: /usr/lib/libBLT.2.5.so.8.6
>
> If this bug should not be associated with fetchmailconf but with python-tk,
> please, change it accordingly (if possible), or I will re-open it there.
>
> Thank you very much in advance,
>
> Best Regards,
> Jonás.
>
> -- System Information:
> Debian Release: jessie/sid
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 3.12-1-686-pae (SMP w/4 CPU cores)
> Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages fetchmailconf depends on:
> ii fetchmail 6.3.26-1
> ii python 2.7.6-2
> ii python-tk 2.7.7-2
>
> fetchmailconf recommends no packages.
>
> fetchmailconf suggests no packages.
>
> -- no debconf information

--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#752598: [pkg-fetchmail-maint] Bug#752598: fetchmail: please run restorecon after creating directory from init script
Hi,
* Russell Coker russ...@coker.com.au [2014-06-25 06:01]:
> When an init script creates a directory it needs to run restorecon to ensure
> that the correct SE Linux context is used. I have attached a patch to do
> this.

Thanks, I'll include that in the next upload!

Cheers
Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#722382: Updating the Ruby packaging policy for your package «libstfl-ruby»
Hi,
* Jonas Genannt jonas.gena...@capi2name.de [2014-01-16 12:39]:
> Hello stfl-Maintainer,
>
> during Ruby Sprint in Paris, we have created a patch for your package to
> fit the Ruby Debian policy.
>
> This patch removes Ruby 1.8 dependency and moves that package to gem2deb
> helper.
>
> Please include the patch to fix your package. Otherwise we can't remove
> ruby 1.8 from the archive.

Will include in the next upload. Thanks!

Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#733307: newsbeuter: segfaults frequently
Hi,
* Martin Erik Werner martinerikwer...@gmail.com [2013-12-28 12:57]:
> Dear Maintainer,
>
> The current version of newsbeuter segfaults frequently at some stage in the
> feed refresh process. I remember it not doing that in some earlier version
> about a year ago or so (sorry for imprecise information there).

Just to let you know, upstream in the meantime was able to track down the issue and a patch is ready. I was told there should be a new release soon for which I'm waiting for. So this should be addressed soon[tm].

Cheers
Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#727553: binwalk maintenance
Hey Leo,

are you still interested in maintaining binwalk? This hasn't received an update since almost a year in Debian even though updates from upstream are fairly frequent and a lot of features have been added recently.

I would appreciate if you could either update the package or seek for assistance.

Thanks
Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#733347: newsbeuter: please provide a dbg package
Hi,
* Martin Erik Werner martinerikwer...@gmail.com [2013-12-28 19:14]:
> Dear Maintainer,
>
> It would be nice if newsbeuter provided a -dbg package, I've attached a
> quick patch for this. If it looks ok, please consider adding it.

Sounds like a good idea, will include this in the next upload. Thanks!

Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#731382: Re[2]: Bug#731382: libpam-fprintd: do not show password if user enters one
tags 731382 - security
thanks

Hi,

this is not a security issue by itself, thus removing the tag. Imho this should also not be a normal bug, but wishlist, but I'll leave that part to the maintainer.

Nico
Bug#731382: libpam-fprintd: do not show password if user enters one
Hi,
* Shawn Landden sh...@churchofgit.com [2013-12-04 21:17]:
> Users are used to entering passwords at login prompts and the like. It would
> be nice if libpam-fprintd could swallow the input like password prompts do,
> instead of prominently displaying the user's password if they type it in.

I'm slightly confused by this report. Please note that I'm not the maintainer though. Given that you use libpam-fprintd, why would you enter a password in the first place if you authenticate using your fingerprint? Or are you talking about the scenario in which fprint is used and a user accidentally enters a password when there is no password prompt?

Nico
--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#724837: apt-xapian-index: unsafe polkit usage
Package: apt-xapian-index
Severity: grave
Tags: security patch

Hi,
the following vulnerability was published for apt-xapian-index.

CVE-2013-1064[0]: (from Ubuntu USN)
| It was discovered that apt-xapian-index was using polkit in an unsafe
| manner. A local attacker could possibly use this issue to bypass intended
| polkit authorizations.

The patch from Ubuntu is attached.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1064
    http://security-tracker.debian.org/tracker/CVE-2013-1064

Please adjust the affected versions in the BTS as needed.

--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0

Description: fix possible privilege escalation via policykit UID lookup race. Author: Marc Deslauriers marc.deslauri...@canonical.com Index: apt-xapian-index-0.45ubuntu2/update-apt-xapian-index-dbus === --- apt-xapian-index-0.45ubuntu2.orig/update-apt-xapian-index-dbus 2012-10-31 09:07:53.0 -0400 +++ apt-xapian-index-0.45ubuntu2/update-apt-xapian-index-dbus 2013-09-13 14:41:36.564345788 -0400 @@ -34,15 +34,8 @@ /org/freedesktop/PolicyKit1/Authority, org.freedesktop.PolicyKit1.Authority) policykit = dbus.Interface(obj, org.freedesktop.PolicyKit1.Authority) -info = dbus.Interface(connection.get_object('org.freedesktop.DBus', - '/org/freedesktop/DBus/Bus', - False), - 'org.freedesktop.DBus') -pid = info.GetConnectionUnixProcessID(sender) -subject = ('unix-process', - { 'pid' : dbus.UInt32(pid, variant_level=1), - 'start-time' : dbus.UInt64(0, variant_level=1), - } +subject = ('system-bus-name', + { 'name': dbus.String(sender, variant_level = 1) } ) details = { '' : '' } flags = dbus.UInt32(1) # AllowUserInteraction = 0x0001
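Review bot: with `-pid = info.GetConnectionUnixProcessID(sender)` and the `info` interface both removed, confirm that nothing later in this function still reads `pid` or `info`; the visible context stops at `flags`, so a leftover reference would only show up as a NameError at runtime. The new `subject` tuple would also benefit from a one-line comment saying that the bus name in `sender` is passed so that polkit identifies the caller itself, instead of a PID paired with `'start-time'` 0, which is the lookup race the patch description names. Minor style point: `variant_level = 1` has spaces around `=` where the removed lines used `variant_level=1`.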
Bug#724545: vino: CVE-2013-5745 denial of service via infinite loop
Package: vino
Severity: grave
Tags: security

Hi,
the following vulnerability was published for vino.

CVE-2013-5745[0]:
| Persistent DoS Vulnerability in Vino VNC Server
|
| This vulnerability is triggered when the user is required to enter a password.
| The server closes the client connection on receiving an unexpected input
| sequence from the client.
|
| The unprocessed client data remains in the buffer; the server does not remove
| them from buffer since the client connection has been closed.
| The result is an infinite loop at the do-while (more_data_pending
| (rfb_client->sock)) in vino-server.c:415
| The gdm and vino-server processes together take up 100% CPU, causing denial of
| service (see screenshot).
| In our tests, the DOS is triggered when the same input sequence is replayed
| twice (see pcap).
|
| vino-server.c:415 (vino 2.26.1):
| 407:vino_server_client_data_pending (GIOChannel *source,
| 408: GIOCondition condition,
| 409: rfbClientPtr rfb_client)
| 410:{
| 411: if (rfb_client->onHold)
| 412:return TRUE;
| 414: do {
| 415:rfbProcessClientMessage (rfb_client);
| 416: } while (more_data_pending (rfb_client->sock));
|
| The original 2.26.1 binary, pcap and screenshot are attached with this email.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5745
    http://security-tracker.debian.org/tracker/CVE-2013-5745
    https://bugzilla.gnome.org/show_bug.cgi?id=641811

Please adjust the affected versions in the BTS as needed.

--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
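The loop failure described in the vino advisory above, as a simplified model added here; it is not vino's code and not the upstream fix. The `struct client`, the one-byte message format, the `SPIN_LIMIT` cap and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the loop in the advisory. All names and the message
 * format are constructed for illustration; this is not vino's code. */

#define SPIN_LIMIT 100000 /* stand-in for "forever" so the demo terminates */

struct client {
    unsigned char buf[32]; /* unread bytes received from the peer */
    size_t len;            /* number of unread bytes in buf */
    bool closed;           /* server has closed this connection */
};

static void client_init(struct client *c, const unsigned char *data, size_t n)
{
    memset(c, 0, sizeof(*c));
    if (n > sizeof(c->buf))
        n = sizeof(c->buf);
    memcpy(c->buf, data, n);
    c->len = n;
}

/* Handle one 1-byte message. Types above 0x0f are "unexpected" and make the
 * server close the connection. Once closed, nothing is consumed any more,
 * so bytes that arrived after the bad message stay in the buffer. */
static void process_message(struct client *c)
{
    if (c->closed || c->len == 0)
        return;
    unsigned char type = c->buf[0];
    c->len--;
    memmove(c->buf, c->buf + 1, c->len);
    if (type > 0x0f)
        c->closed = true;
}

static bool more_data_pending(const struct client *c)
{
    return c->len > 0;
}

/* Same shape as the quoted do-while: the exit condition looks only at the
 * buffer. Returns the iteration count; SPIN_LIMIT means it never exited. */
size_t drain_unchecked(struct client *c)
{
    size_t iterations = 0;
    do {
        process_message(c);
        iterations++;
    } while (more_data_pending(c) && iterations < SPIN_LIMIT);
    return iterations;
}

/* Hardened form: a closed connection ends the loop and its leftover bytes
 * are discarded, so the pending-data check cannot stay true. */
size_t drain_checked(struct client *c)
{
    size_t iterations = 0;
    do {
        process_message(c);
        iterations++;
        if (c->closed) {
            c->len = 0;
            break;
        }
    } while (more_data_pending(c) && iterations < SPIN_LIMIT);
    return iterations;
}

int main(void)
{
    /* Constructed input: one valid byte, one unexpected byte, two trailing. */
    const unsigned char stream[] = { 0x01, 0xff, 0x02, 0x03 };
    struct client a, b;

    client_init(&a, stream, sizeof(stream));
    size_t spins = drain_unchecked(&a);
    printf("unchecked: %zu iterations, %zu bytes left\n", spins, a.len);

    client_init(&b, stream, sizeof(stream));
    size_t steps = drain_checked(&b);
    printf("checked:   %zu iterations, %zu bytes left\n", steps, b.len);
    return 0;
}
```

In a real event loop there is no iteration cap, so the unchecked form keeps the process at full CPU for as long as the stale bytes remain queued.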
Bug#705007: E763: Word characters differ between spell files
Hey Uwe,
is there any update to this bug? While the issue itself is fairly minor, this is a bit annoying in practice.

Thanks
Nico

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#713018: [pkg-fetchmail-maint] Bug#713018: Occasionally complains with fetchmail: socket error while fetching from...
Hi,
* Kingsley G. Morse Jr. kings...@loaner.com [2013-06-21 23:39]:
> 99% of the time, fetchmail seems to work A-OK for me. Thank you very much for maintaining it.
>
> A cron job ran fetchmail every minute for years.
>
> Maybe about soon after I upgraded some gnutls packages, about 1% of the times cron ran fetchmail, cron started sending me emails saying
>
>     fetchmail: Connection errors for this poll:
>     name 0: connection to mailserver:995 [1.2.3.4/995] failed: Connection refused.
>     POP3 connection to mailserver failed: Connection refused
>
> It happens with versions 6.3.22-2 and 6.3.26-1 of Debian's fetchmail package. I suspect it also happened with version 6.3.22-1.
>
> Running fetchmail as
>
>     fetchmail -vvv --nodetach --nosyslog
>
> sometimes reported
>
>     fetchmail: running ssh %h /usr/sbin/imapd (host mailserver2 service imap)
>     fetchmail: socket error while fetching from kingsley@mailserver2
>     fetchmail: Server CommonName mismatch: *.web_hosting_company_mail != mailserver1

This sounds like http://www.fetchmail.info/fetchmail-FAQ.html#R6
Can you check this?

Cheers
Nico

--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#709215: nitrogen: Please provide desktop file
Hi,
* Andrew Starr-Bochicchio a...@debian.org [2013-05-21 19:03]:
> It would be nice if nitrogen provided a desktop file so that it can be found and opened through the menu system, not just from the command line.
>
> This patch was recently committed upstream:
>
> https://github.com/andrewsomething/nitrogen/commit/227ea7a82f698807df7ea038f6a0fd4febb77b75.patch

Will add in the next upload. Thanks!

Cheers
Nico

--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#708515: keystone: CVE-2013-2014 DoS via large POST requests
Package: keystone
Severity: grave
Tags: security patch

Hi,
the following vulnerability was published for keystone.

CVE-2013-2014[0]:
| Concurrent requests with large POST body can crash the keystone process.
| This can be used by Malicious and lead to DOS to Cloud Service Provider.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Upstream patch: https://review.openstack.org/#/c/22661/

Seems to be fixed for experimental in 2013.1-1.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2014
    http://security-tracker.debian.org/tracker/CVE-2013-2014

--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#706644: untrusted input file might be harmful
Hi,
* John Paul Adrian Glaubitz glaub...@physik.fu-berlin.de [2013-05-02 23:15]:
> The package has been orphaned in Debian since 2007 and abandoned by upstream at the same time since the upstream developer and Debian maintainer are the same person.
>
> Popcon shows just 113 installations and there are no reverse dependencies. I therefore suggest removing the package from testing due to its bad shape.

FWIF, I'm fine with that. The stuff is easy to address, but I lost interest in doing so.

Cheers
Nico

--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#706045: [pkg-fetchmail-maint] Bug#706045: help?
Hi,
* Tomas Pospisek t...@sourcepole.ch [2013-04-25 11:29]:
> This bug being a RC blocker: is anyone of the fetchmail maintainers working on this bug (mimedecode option drops last message line if it is unterminated)?
>
> Shall I try to integrate the patch and do a NMU?
> *t

Feel free, otherwise I'll probably fix it next week. Sorry I'm traveling right now...

Cheers
Nico

--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#706041: O: tpp -- text presentation program
Package: wnpp
Severity: normal

I intend to orphan the tpp package.

The package description is:
 Tpp stands for text presentation program and is an ncurses-based presentation tool. The presentation can be written with your favorite editor in a simple description format and then shown on any text terminal that is supported by ncurses - ranging from an old VT100 to the Linux framebuffer to an xterm.
 .
 It supports color, LaTeX output of presentation, sliding in text, a command prompt and additional cool features.

As I'm not using this anymore and my ruby is pretty rusty by now, I have no interest in maintaining this further. There is one pending change being merged from a contributor that would address the ncurses problems mentioned in the BTS.

https://github.com/akrennmair/tpp

Feel free to contribute here, Andreas is also happily merging pull requests. But other than that, the project is not further developed.

Thanks
Nico
Bug#703738: [pkg-fetchmail-maint] Bug#703738: fetchmail: Dot at 1st column of any line cuts delivered message
Hi,
* Pavel Vavra pla...@square.cz [2013-03-23 00:47]:
> Hallo maintainer,
>
> fetchmail break messages with '.' character at 1st column of mail body. It sometimes happens receiving mails from MS Outlook where line is wrapped just before last dot in a text paragraph. Affected message is cut to delivered and undelivered part. Cut position is at the described dot, start of message is delivered and the rest disappears. No error message is issued to user.
>
> How to reproduce this bug: No MS tools are necessary to simulate problem. You can simply compose a message similar to the following and send it as plain text to a mailserver. Then fetch this mail via fetchmail (tested with POP3 protocol) and show it.
>
> --- Sample message. This message wil be partially delivered. Cut point is here: .. This part of message will never be delivered by fetchmail ---
>
> Changing fetchmail to another package, e.g. mpop leads to delivery of whole message.

Can you show fetchmail -v of such a message fetch? I can not reproduce this behaviour.

Cheers
Nico

--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#703632: Please update the package 'newsbeuter' to version 2.6
Hi,
* Miś Uszatek adres.em...@ymail.com [2013-03-21 17:01]:
> Please update the package 'newsbeuter' to version 2.6.

This already happened, even though I just noticed I uploaded the package with my old key.. Expect an upload to pop up shortly...

Cheers
Nico

--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#702267: stunnel: CVE-2013-1762 buffer overflow in TLM authentication of the CONNECT protocol negotiation
Package: stunnel
Severity: grave
Tags: security

Hi,
the following vulnerability was published for stunnel.

Please see https://www.stunnel.org/CVE-2013-1762.html for details.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1762
    http://security-tracker.debian.org/tracker/CVE-2013-1762

Please adjust the affected versions in the BTS as needed.

--
Nico Golde - XMPP: n...@jabber.ccc.de - GPG: 0xA0A0
Bug#701838: sudo: CVE-2013-1775 authentication bypass when clock is reset
Package: sudo
Severity: grave
Tags: security

Hi,
the following vulnerability was published for sudo.

CVE-2013-1775[0]: (from the upstream report)

Sudo 1.8.6p7 and 1.7.10p7 are now available which include a fix for the following bug:

Sudo authentication bypass when clock is reset

Summary:
When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). The user's time stamp file can be reset using sudo -k or removed altogether via sudo -K.

A user who has sudo access and is able to control the local clock (common in desktop environments) can run a command via sudo without authenticating as long as they have previously authenticated themselves at least once by running sudo -k and then setting the clock to the epoch (1970-01-01 01:00:00).

The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy.

Sudo versions affected:
Sudo 1.6.0 through 1.7.10p7 and sudo 1.8.0 through 1.8.6p7.

Details:
By default, sudo displays a lecture when the user's time stamp file is not present. In sudo 1.6, the -k option was changed to reset the time stamp file to the epoch rather than remove it to prevent the lecture from being displayed the next time sudo was run. No special case was added for handling a time stamp file set to the epoch since the clock should never legitimately be set to that value.

However, there are two common ways for the clock to be reset to the epoch. The first way is when the clock is reset due to a fully drained battery on some systems. The other way is by a user logged in to a desktop environment that allows changes to the date and time.

As long as the user has successfully run sudo before, they are able to run sudo -k to reset the time stamp file. This action does not require a password and is not logged. If the user is also able to reset the date and time to the epoch (1970-01-01 01:00:00), they will be able to run sudo without having to authenticate.

Impact:
The flaw may allow someone with physical access to a machine that is not password-protected to run sudo commands without knowing the logged in user's password. On systems where sudo is the principal way of running commands as root, such as on Ubuntu and Mac OS X, there is a greater chance that the logged in user has run sudo before and thus that an attack would succeed.

Fix:
The bug is fixed in sudo 1.8.6p7 and 1.7.10p7. These versions will ignore a time stamp file that is set to the epoch.

Workaround:
Using sudo -K instead of sudo -k will completely remove the time stamp file instead of just resetting it.

Credit:
I'd like to thank Marco Schoepl for finding and reporting this long-standing bug.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775
    http://security-tracker.debian.org/tracker/CVE-2013-1775

Please adjust the affected versions in the BTS as needed.

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
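The time stamp logic described in the advisory above, as an added example that is not part of the original mail and is not taken from sudo's source: a simplified C model showing the age-only check beside a check that ignores an epoch time stamp, plus the sudo -K workaround. All struct, function and constant names are hypothetical, and the clock values are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Simplified, hypothetical model of the time stamp check described in the
 * advisory. None of these names come from sudo's source. */
#define TS_TIMEOUT_SECS (5 * 60)   /* "five minutes by default" */
#define TS_EPOCH        ((time_t)0) /* value "sudo -k" resets the file to */
#define T_AUTH          ((time_t)1362000000) /* constructed: a moment in 2013 */

enum ts_status { TS_MISSING, TS_CURRENT, TS_OLD };

struct ts_file {
    bool   exists;
    time_t mtime;
};

/* Successful authentication: create or refresh the time stamp file. */
static void ts_update(struct ts_file *ts, time_t now)
{
    ts->exists = true;
    ts->mtime = now;
}

/* "sudo -k": keep the file but set its time to the epoch (no password needed). */
static void ts_reset_k(struct ts_file *ts)
{
    if (ts->exists)
        ts->mtime = TS_EPOCH;
}

/* "sudo -K": remove the file altogether. */
static void ts_remove_K(struct ts_file *ts)
{
    ts->exists = false;
}

/* Age test shared by both variants. Assumption of this model: a time stamp
 * that lies in the future is never accepted. */
static enum ts_status ts_age(const struct ts_file *ts, time_t now)
{
    double age = difftime(now, ts->mtime);
    return (age >= 0 && age < TS_TIMEOUT_SECS) ? TS_CURRENT : TS_OLD;
}

/* Behaviour before the fix: an epoch time stamp is judged by age alone, so it
 * looks fresh whenever the clock itself sits near the epoch. */
enum ts_status ts_check_before_fix(const struct ts_file *ts, time_t now)
{
    if (!ts->exists)
        return TS_MISSING;
    return ts_age(ts, now);
}

/* Behaviour after the fix: a time stamp set to the epoch is ignored. */
enum ts_status ts_check_after_fix(const struct ts_file *ts, time_t now)
{
    if (!ts->exists)
        return TS_MISSING;
    if (ts->mtime == TS_EPOCH)
        return TS_OLD;
    return ts_age(ts, now);
}

typedef enum ts_status (*ts_check_fn)(const struct ts_file *, time_t);

/* Replays the sequence from the advisory: authenticate once, invalidate the
 * ticket with -k or -K, then run sudo again with the clock at clock_at_retry.
 * Returns true when the command would run without a password prompt. */
bool runs_without_password(ts_check_fn check, bool use_K, time_t clock_at_retry)
{
    struct ts_file ts = { false, 0 };

    ts_update(&ts, T_AUTH);
    if (use_K)
        ts_remove_K(&ts);
    else
        ts_reset_k(&ts);
    return check(&ts, clock_at_retry) == TS_CURRENT;
}

int main(void)
{
    const time_t normal_clock = T_AUTH + 30; /* clock left alone */
    const time_t epoch_clock = 20;           /* clock reset to the epoch, 20 s later */

    printf("before fix, -k, normal clock: %d\n",
           runs_without_password(ts_check_before_fix, false, normal_clock));
    printf("before fix, -k, epoch clock:  %d\n",
           runs_without_password(ts_check_before_fix, false, epoch_clock));
    printf("before fix, -K, epoch clock:  %d\n",
           runs_without_password(ts_check_before_fix, true, epoch_clock));
    printf("after fix,  -k, epoch clock:  %d\n",
           runs_without_password(ts_check_after_fix, false, epoch_clock));
    return 0;
}
```

Only the second case prints 1: the age-only check accepts the epoch time stamp once the clock is back at the epoch, while both the fixed check and the -K workaround force a password prompt.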
Bug#701839: sudo: CVE-2013-1776 potential bypass of sudo tty_tickets constraints
1.8.6 and 1.7.10, if a password was required when the -n flag was specified the failure would not be logged, allowing the program to perform such probes without being detected. The successful command (if any), would still be logged.

Fix:
The bug is fixed in sudo 1.8.6p7 and 1.7.10p6.

Credit:
Ryan Castellucci brought the initial ttyname() issue to my attention. Subsequently, James Ogden discovered that using setsid() to create a new session would cause sudo to fall back to using ttyname().

Other shortcomings in sudo's tty_tickets functionality have been known and discussed openly for some time. There is a long discussion about them at:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/87023

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776
    http://security-tracker.debian.org/tracker/CVE-2013-1776

Please adjust the affected versions in the BTS as needed.

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#700102: openssh: CVE-2010-5107 trivial DoS due to default configuration
Package: openssh-server
Severity: important
Tags: security patch

Hi,
the following vulnerability was published for openssh-server.

CVE-2010-5107[0]:
http://www.openwall.com/lists/oss-security/2013/02/06/5

This resulted in the following upstream changes:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c?r1=1.234#rev1.234
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.5?r1=1.156#rev1.156
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?r1=1.89#rev1.89

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. It would be also great if you could push this to stable-proposed-updates so this is changed for wheezy.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5107
    http://security-tracker.debian.org/tracker/CVE-2010-5107

Please adjust the affected versions in the BTS as needed.

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#699425: [pkg-fetchmail-maint] Bug#699425: Fetchmail's resolvconf update script can be simplified
severity 699425 wishlist
thanks

* Thomas Hood jdth...@gmail.com [2013-01-31 11:25]:
> Package: fetchmail
> Version: 6.3.22-2
> Severity: minor
>
> Fetchmail's resolvconf update script (/etc/resolvconf/update-libc.d/fetchmail) can be simplified.

While I appreciate patches in general, I don't see the bug in this case. Hence downgrading.

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#697595: O: openbox -- standards compliant, fast, light-weight, extensible window manager
Package: wnpp
Severity: normal

I intend to orphan the openbox package.

The package description is:
 Openbox works with your applications, and makes your desktop easier to manage. This is because the approach to its development was the opposite of what seems to be the general case for window managers. Openbox was written first to comply with standards and to work properly. Only when that was in place did the team turn to the visual interface.
 .
 Openbox is fully functional as a stand-alone working environment, or can be used as a drop-in replacement for the default window manager in the GNOME or KDE desktop environments.
 .
 Openbox 3 is a completely new breed of window manager. It is not based upon any existing code base, although the visual appearance has been based upon that of Blackbox. Openbox 2 was based on the Blackbox 0.65.0 codebase.
 .
 Some of the things to look for in Openbox are:
 .
 * ICCCM and EWMH compliance!
 * Very fast
 * Chainable key bindings
 * Customizable mouse actions
 * Window resistance
 * Multi-head Xinerama support!
 * Pipe menus

I repeatedly asked for help (RFH) with little to no effect. Also Daniel Baumann raised interest to take over the package before I orphan it, but never stepped up and did so.

Someone please give this package some love, I do no longer feel responsible for it and I also do not use openbox anymore.

Cheers
Nico
Bug#671530: tpp: does not work with ruby 1.9
Hi,
* Per Andersson avtob...@gmail.com [2012-05-04 22:48]:
> I have tried running tpp with the pending upload of ruby-ncurses 1.3.1-1, which has wide character support (ncursesw), and ruby 1.9. With this setup tpp does not respond to keyboard input. Running tpp with ruby 1.8 and the pending ruby-ncurses upload works fine.
>
> I expected tpp to respond to user keyboard input with ruby 1.9 as it does with ruby 1.8.

Can you please tell me the exact steps to reproduce this? I can't seem to reproduce it with ruby 1.9.3p194 and ruby-ncurses 1.3.1.

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#671540: tpp: please update to gem2deb packaging
Hi,
* Per Andersson avtob...@gmail.com [2012-05-04 23:45]:
> The Debian Ruby Team is working on transition to gem2deb packaging [0]. All ruby packages should follow the guidelines [1] for a more consistent user experience with ruby packages in Debian.
>
> Necessary changes are as follows:
>
> debian/compat:
>     7
>
> debian/control:
>     Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.2.13~), dpatch (>= 1.11)
>     XS-Ruby-Versions: 1.8
>     XB-Ruby-Versions: ${ruby:Versions}
>     Depends: ruby1.8, ruby-ncurses
>
> debian/rules:
>     #!/usr/bin/make -f
>     %:
>             dh $@ --buildsystem=ruby --with ruby

I have been ignoring this for too long. I will fix this with a new upload soon.

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#697251: gnupg2: gnupg key import memory corruption
Hi,
* Eric Dorland e...@debian.org [2013-01-05 14:02]:
> * Thijs Kinkhorst (th...@debian.org) wrote:
> > On Fri, January 4, 2013 11:39, Thijs Kinkhorst wrote:
> > > On Thu, January 3, 2013 04:19, Christoph Anton Mitterer wrote:
> > > > This is a follow up for #697108 and CVE-2012-6085.
> > >
> > > Eric,
> > >
> > > Thanks for fixing this in unstable. Can you also provide an update for stable-security? Let me know if you prefer that we handle it.
> >
> > As a heads up, I plan to work on DSA's for gnupg{,2} this weekend, I'll apply the patch from the unstable upload, unless you object.
>
> Attached is the debdiff for the stable security update. A little bigger than one might want, but it wouldn't build with removing some of this cruft. Let me know if it's ok and I'll upload it.

I can live with that cruft, please go ahead and upload.

Thanks!
Nico
Bug#696161: unblock: fetchmail/6.3.22-2
Hi,
* Julien Cristau jcris...@debian.org [2012-12-28 18:12]:
> Control: tags -1 moreinfo
>
> On Mon, Dec 17, 2012 at 13:16:13 +0100, Nico Golde wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: freeze-exception
> >
> > Hi,
> > please unblock fetchmail. The version in unstable contains two minor changes. One fixing a memory leak under certain use cases (#688015) and a command line option combination that did not work as intended (#671294).
>
> Err, no, it contains a new upstream release.

What are you referring to? The upstream release was made after these patches have been picked and the package has been uploaded.

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#696161: unblock: fetchmail/6.3.22-2
Hi,
* Salvatore Bonaccorso car...@debian.org [2012-12-28 19:19]:
> On Fri, Dec 28, 2012 at 06:46:40PM +0100, Nico Golde wrote:
> > Hi,
> > * Julien Cristau jcris...@debian.org [2012-12-28 18:12]:
> > > Control: tags -1 moreinfo
> > >
> > > On Mon, Dec 17, 2012 at 13:16:13 +0100, Nico Golde wrote:
> > > > Package: release.debian.org
> > > > Severity: normal
> > > > User: release.debian@packages.debian.org
> > > > Usertags: freeze-exception
> > > >
> > > > Hi,
> > > > please unblock fetchmail. The version in unstable contains two minor changes. One fixing a memory leak under certain use cases (#688015) and a command line option combination that did not work as intended (#671294).
> > >
> > > Err, no, it contains a new upstream release.
> >
> > What are you referring to? The upstream release was made after these patches have been picked and the package has been uploaded.
>
> The problem here is in testing we have 6.3.21-4 and unstable has 6.3.22-2. The debdiff between the two versions seems quite big to review (but a lot of autogenerated stuff?):

[...]

Oh that's a good point, I didn't notice that earlier. Ok, I will push to spu later.

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#696161: unblock: fetchmail/6.3.22-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception

Hi,
please unblock fetchmail. The version in unstable contains two minor changes. One fixing a memory leak under certain use cases (#688015) and a command line option combination that did not work as intended (#671294).

unblock: fetchmail/6.3.22-2

Kind regards
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#688015: [pkg-fetchmail-maint] Bug#688015: memory leak
Hi,
* Dominik dominiks.m...@gmx.net [2012-12-09 14:01]:
> I can confirm the issue reported by Erik.
>
> My .fetchmailrc contains 8 blocks like this:
>
>     server pop.example.com
>     proto pop3
>     user username
>     pass pw
>     mda /usr/bin/procmail
>     options ssl fetchall no keep
>
> So I'm fetching the remote E-Mails via POP3 SSL on my server. The fetchmail process is running 24/7.
>
> After around 1 month the fetchmail process is at nearly 200MB memory usage. After around 2-3 month ~400MB. When starting the fetchmail process there are ~6 MB memory allocated.
>
> So the only thing I can say at the moment is that fetchmail is consuming more memory the longer it runs, without a normal reason for this.
>
> I have also tested version 6.3.22-1 => it shows the same behavior.

Can you let fetchmail run with valgrind over a longer time? I'm really not sure how to reproduce this. I have fetchmail instances running 24/7 since months with around 6MB RAM being used in daemon mode.

Also what platform is this?

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#694935: unblock: openbox/3.5.0-6
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception

Hi,
please unblock openbox. The version in unstable contains a minor change fixing an RC bug which causes installations/upgrades to fail (#694396).

unblock: openbox/3.5.0-6

Kind regards
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#693608: yui: multiple cross-site scripting issues in the flash component infrastructure
Package: yui
Severity: grave
Tags: security

Hi,
the following vulnerabilities were published for yui.

CVE-2012-5883[0]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x
| and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and
| 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web
| script or HTML via vectors related to swfstore.swf, a similar issue to
| CVE-2010-4209.

CVE-2012-5882[1]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.5.0 through 2.9.0 allows remote attackers to
| inject arbitrary web script or HTML via vectors related to
| uploader.swf, a similar issue to CVE-2010-4208.

CVE-2012-5881[2]:
| Cross-site scripting (XSS) vulnerability in the Flash component
| infrastructure in YUI 2.4.0 through 2.9.0 allows remote attackers to
| inject arbitrary web script or HTML via vectors related to charts.swf,
| a similar issue to CVE-2010-4207.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5883
    http://security-tracker.debian.org/tracker/CVE-2012-5883
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5882
    http://security-tracker.debian.org/tracker/CVE-2012-5882
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5881
    http://security-tracker.debian.org/tracker/CVE-2012-5881

http://yuilibrary.com/support/20121030-vulnerability/

Kind regards
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#693116: ii: Homepage URL in package description is incorrect.
Hi,
* Simon Kainz si...@familiekainz.at [2012-11-13 10:13]:
> the new Homepage URL is http://tools.suckless.org/ii/

Thanks for noticing. Will be fixed in the next upload.

Cheers
Nico
Bug#692737: suckless-tools: newer slock versions prevents unwanted exposure of passwords
Hi,
* Vasudev Kamath kamathvasu...@gmail.com [2012-11-08 19:13]:
> > this package has not updated any of the tools included since two years. Please package newer tools, especially but most important slock.
>
> As per the freeze policy I can't really introduce new things into Wheezy so I didn't consider putting new versions into 38-2. I'm preparing 39 version with all bugs closed and latest version of software but it will not be in wheezy and will be backported once wheezy is stable.

Sure, I'm not worried about wheezy too much.

> > The current version of slock has no indication whatsoever that a screen lock is active. After a longer idle period of the display, it is therefore impossible to distinguish between a locked screen and an inactive screen. As a result, it is not too difficult to write your password somewhere you don't want to because you assumed the screen was locked. Hence I marked this as grave, this happened to me multiple times. Newer slock versions have a color indication once you hit the first key on the keyboard that shows you that the lock is active.
>
> But If I understand correctly it is not a bug but that is how slock was designed previously and patch was later submitted to colourise and give more features to slock which was later merged by Anselm to prepare 1.1 version. So can you please reconsider on the severity of the bug?

Well yeah, if you look at it like that, it's more a feature request. However if you consider the security nature of this program, I rather consider this as hardening or even a bug given that this is not a hypothetical scenario but one that happens often (and certainly not only to me).

> Now coming to the colourising feature are you talking about this specific commit[1] or all the 3 new patches from the tip? If this is the single patch you meant then I will try to cherrypick it but again I don't know new unblock request will be entertained by release team [2]

I'm not sure to be honest. I've seen the new dualcolor patch in the recent tip, but that's not the one I had in mind, I haven't tested this one yet. The one that initially implemented this in March was:
http://hg.suckless.org/slock/rev/0eade055cef0

> PS: I will be on vacation for a week from tomorrow so I'm really not sure if I will be able to finish this package soon. If you can prepare an NMU I'll be happy with that :-). Only thing is I don't want package to be removed from Wheezy because multiple packages depend on it.

No worries :)

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#692737: suckless-tools: newer slock versions prevents unwanted exposure of passwords
Package: suckless-tools
Version: 38-2
Severity: grave
Justification: user security hole

Hey,
this package has not updated any of the tools included since two years. Please package newer tools, especially but most important slock.

The current version of slock has no indication whatsoever that a screen lock is active. After a longer idle period of the display, it is therefore impossible to distinguish between a locked screen and an inactive screen. As a result, it is not too difficult to write your password somewhere you don't want to because you assumed the screen was locked. Hence I marked this as grave, this happened to me multiple times. Newer slock versions have a color indication once you hit the first key on the keyboard that shows you that the lock is active.

Kind regards
Nico
Bug#691642: xterm: outputting the mc5 sequence (prtr_on / turn on printer) makes xterm crash
Hi,
* Vincent Lefevre vinc...@vinc17.net [2012-10-28 00:11]:
> When cat'ing some binary file, my xterm crashed. I've managed to find the cause: the mc5 terminfo sequence (prtr_on / turn on printer).
>
> The problem can be reproduced with:
>
> 1. Run xterm from another terminal.
>
> 2. Run the following command: printf \033[5i or tput mc5
>
> The message sh: 1: : Permission denied appears in the first terminal.

I can't reproduce this with xterm 278-2 on amd64.

[...]
> In addition to possible data loss due to the crash, this is a security problem, because the sequence may appear in a remote file.

Sorry, I couldn't parse this sentence. What exactly are the security implications? So far I don't see how this qualifies for a security bug.

Kind regards
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#691642: xterm: outputting the mc5 sequence (prtr_on / turn on printer) makes xterm crash
tags 691642 - security
thanks

Hi,
* Vincent Lefevre vinc...@vinc17.net [2012-10-28 13:32]:
> On 2012-10-28 11:37:58 +0100, Nico Golde wrote:
> > [...]
> > > In addition to possible data loss due to the crash, this is a security problem, because the sequence may appear in a remote file.
> >
> > Sorry, I couldn't parse this sentence. What exactly are the security implications? So far I don't see how this qualifies for a security bug.
>
> If some external data (because they contain some unexpected byte sequence) make a local program crash (so that user data are lost), that's a security bug. Just like when you have a bug in the image decoder used by your web browser that makes it crash on some image files.

That was exactly my point, this is not treated as a security bug in Debian, but a regular bug.

Cheers
Nico
Bug#689990: wpa: CVE-2012-4445 denial of service
Hi,
* Stefan Lippers-Hollmann s@gmx.de [2012-10-08 23:37]:
> On Monday 08 October 2012, Nico Golde wrote:
> > Package: wpa
> > Severity: grave
> > Tags: security patch
> >
> > Hi,
> > the following vulnerability was published for hostapd.
> >
> > CVE-2012-4445[0]:
> > | Timo Warns discovered that the internal authentication server of hostapd,
> > | a user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator,
> > | is vulnerable to a buffer overflow when processing fragmented EAP-TLS
> > | messages. As a result, an internal overflow checking routine terminates
> > | the process. An attacker can abuse this flaw to conduct denial of service
> > | attacks via crafted EAP-TLS messages prior to any authentication.
> >
> > If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. Please also ask for an unblock on -release after fixing this issue so it will be picked up for wheezy.
> >
> > The patch I used for the DSA:
> > http://people.debian.org/~nion/nmu-diff/hostapd-0.6.10-2_0.6.10-2+squeeze1.patch
> >
> > For further information see:
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4445
> >     http://security-tracker.debian.org/tracker/CVE-2012-4445
>
> Thanks a lot, I found that one[1] after receiving the ftp-master accept already, I'll try to contact a potential sponsor for [2] within the next few hours.

Uploaded :) Thanks!

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#689990: wpa: CVE-2012-4445 denial of service
Package: wpa Severity: grave Tags: security patch Hi, the following vulnerability was published for hostapd. CVE-2012-4445[0]: | Timo Warns discovered that the internal authentication server of hostapd, | a user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator, | is vulnerable to a buffer overflow when processing fragmented EAP-TLS | messages. As a result, an internal overflow checking routine terminates | the process. An attacker can abuse this flaw to conduct denial of service | attacks via crafted EAP-TLS messages prior to any authentication. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities Exposures) id in your changelog entry. Please also ask for an unblock on -release after fixing this issue so it will be picked up for wheezy. The patch I used for the DSA: http://people.debian.org/~nion/nmu-diff/hostapd-0.6.10-2_0.6.10-2+squeeze1.patch For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4445 http://security-tracker.debian.org/tracker/CVE-2012-4445 -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#689657: yacpi: Always shows empty batteries on Thinkpad T61
Hi, * Axel Beckert a...@debian.org [2012-10-04 22:12]: on my Thinkpad T61 running Wheezy, yacpi always shows BAT0 Capacity [ ] 0% despite acpi says Battery 0: Unknown, 99% and acpi -V says Battery 0: design capacity 6749 mAh, last full capacity 5916 mAh = 87%. Same counts for a second battery which can be inserted instead of the CD-ROM. It always shows 0% despite the battery is not completely empty. The remainder of what yacpi displays on that box seems to be correct. This is a known problem by libacpi #484264. Since you are not the first to notice this, I will not reassign the bug and leave this open. I hope I have time soon to look into these issues. To be honest, I got demotivated following constant kernel changes so I didn't touch this code in a long time. Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#689225: newsbeuter : fails to build in unstable
forwarded 689225 http://code.google.com/p/newsbeuter/issues/detail?id=303 thanks Hi, * Julian Taylor jtaylor.deb...@googlemail.com [2012-09-30 16:52]: Package: newsbeuter Severity: important newsbeuter fails to build in unstable. For some reason testing is not affected. c++ -ggdb -Iinclude -Istfl -Ifilter -I. -Irss -Wall -Wextra -DLOCALEDIR=\/usr/share/locale\ -I/usr/include/libxml2 -I/usr/include/json -I/usr/include/ncursesw -I/usr/include/p11-kit-1 -DHAVE_GCRYPT=1 -o src/ttrss_api.o -c src/ttrss_api.cpp src/ttrss_api.cpp: In member function 'rsspp::feed newsbeuter::ttrss_api::fetch_feed(const string)': src/ttrss_api.cpp:223:3: error: 'boolean' was not declared in this scope src/ttrss_api.cpp:223:11: error: expected ';' before 'unread' src/ttrss_api.cpp:238:7: error: 'unread' was not declared in this scope make[1]: *** [src/ttrss_api.o] Error 1 Thanks for the report. This is due to a change in libjson. I wrote a patch and submitted it upstream, new Debian package is on its way... Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#688015: [pkg-fetchmail-maint] Bug#688015: memory leak
Hi, * Erik Thiele erik.thi...@thiele-hydraulik.de [2012-09-18 09:48]: [...] how can I further supply information on this issue? It is a production machine, but maybe I can somehow help find the cause of the issue anyway? Or is that memory leakage a known issue? This is not known to me at least. Unfortunately the logs don't show that fetchmail had memory issues. The kernel randomly starts killing processes (depending on your policy) if no memory can be allocated anymore. Could you log the virtual memory usage of specifically fetchmail? Also, it may be interesting to see what running fetchmail with valgrind on your end produces. Can you test that? Kind regards Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#687935: reject -security-announce mails with duplicate DSA ids in the subject
Package: lists.debian.org Severity: wishlist Hi, it is a known issue that sometimes DSA ids are reused on debian-security-announce due to human race conditions or not paying enough attention. Also this was recently discussed again on the security list[0]. There is already some sanity checking on the body of the DSA mail and a signature check as far as I know. Is it feasible to reject mails as well if they use a previously allocated DSA id? I would imagine this may be problematic as all current checks can be performed solely by looking at the incoming email instead of looking at the archive. Nonetheless, as there have been more than 20 reuses in the last years, I thought I'd ask if this is possible in the first place. [0] http://lists.debian.org/debian-security/2012/09/msg00016.html Kind regards Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#687512: please update the security team's gpg key information
Package: www.debian.org Severity: grave Hi, the Debian security team is using a new gpg key. Can you update http://www.debian.org/security/faq to reflect the new key? Instead of 0x68B64E0D, the new key is 0x90F8EEC5. Also see http://lists.debian.org/debian-security-announce/2012/msg00189.html for reference. Kind regards Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#687166: [pkg-ntp-maintainers] Bug#687166: ntp: NTP security vulnerability because not using authentication by default
Hi, * Ask Bjørn Hansen a...@ntppool.org [2012-09-11 01:01]: On Sep 10, 2012, at 15:07, Kurt Roeckx k...@roeckx.be wrote: [...] So my understanding of things is that even if we also had a way to distribute all the public keys, you still can't get it to work as you need to provide each client with a secret key. I think what first needs to be done is have an autokey implementation that either doesn't need a private key for each client but is secure or doesn't need state on the server side for each client. Indeed; I thought ntpd had a public key encryption scheme where we just need the secret key on the server[1] and the public key can be general for all Debian users. (I think that's the 'autokey' scheme -- the trustedkey/requestkey stuff is where you share a secret between client and server). That was my understanding as well. At least the documentation states: key pairs are used where establishing shared secrets is difficult. The autokey mechanism uses key pairs.. Cheers Nico
Bug#687274: CVE-2012-4405 integer overflow leading to heap based buffer overflow in embedded icclib
Package: ghostscript Severity: grave Tags: security patch Hi, the following vulnerability was published for ghostscript. Quoting from the original report, as the mitre entry does not exist so far.. CVE-2012-4405[0]: | An array index error leading to heap-based buffer out-of-buffer bounds write | flaw was found in the way International Color Consortium (ICC) Format library | (aka icclib) as used in Ghostscript and Argyll Color Management System computed | dimensional increment through the clut based on the count of input channels. | Using specially-crafted ICC profiles, an attacker could create a malicious | PostScript or PDF file with embedded images which would cause Ghostscript to | crash or, potentially, execute arbitrary code when opened by the victim. | Similarly when such specially-crafted ICC profile was inspected by some of the | Argyll Color Management System tools it could lead to particular executable | crash or, arbitrary code execution with the privileges of the user running the If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities Exposures) id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4405 http://security-tracker.debian.org/tracker/CVE-2012-4405 Patch: https://bugzilla.redhat.com/attachment.cgi?id=609986 -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#687327: unblock: freeradius/2.1.12+dfsg-1.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: freeze-exception Hi, please unblock freeradius. The version in unstable contains an isolated fix for CVE-2012-3547. unblock: freeradius/2.1.12+dfsg-1.1 Kind regards Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0 For security reasons, all text in this mail is double-rot13 encrypted.
Bug#687175: freeradius: CVE-2012-3547 stack-based buffer overflow in EAP-TLS handling
Package: freeradius Severity: grave Tags: security Hi, the following vulnerability was published for freeradius. CVE-2012-3547[0]: | PRE-CERT Security Advisory | == | | * Advisory: PRE-SA-2012-06 | * Released on: 10 September 2012 | * Affected product: FreeRADIUS 2.1.10 - 2.1.12 | * Impact: remote code execution | * Origin: specially crafted client certificates | * CVSS Base Score: 10 | Impact Subscore: 10 | Exploitability Subscore: 10 | CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) | * Credit: Timo Warns (PRESENSE Technologies GmbH) | * CVE Identifier: CVE-2012-3547 | | | Summary | - --- | | A stack overflow vulnerability has been identified in FreeRADIUS that allows to | remotely execute arbitrary code via specially crafted client certificates | (before authentication). The vulnerability affects setups using TLS-based EAP | methods (including EAP-TLS, EAP-TTLS, and PEAP). | | FreeRADIUS defines a callback function cbtls_verify() for certificate | verification. The function has a local buf array with a size of 64 | bytes. It copies the validity timestamp "not after" of a client | certificate to the buf array: | | asn_time = X509_get_notAfter(client_cert); | if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) { | memcpy(buf, (char*) asn_time->data, asn_time->length); | buf[asn_time->length] = '\0'; | | The MAX_STRING_LEN constant is defined to be 254. If asn_time->length is | greater than 64 bytes, but less than 254 bytes, buf overflows via the memcpy. | | Depending on the stack layout chosen by the compiler, the vulnerability allows | to overflow the return address on the stack, which can be exploited for code | execution. | | | Solution | - | | The issue has been fixed in FreeRADIUS 2.2.0. Updates should be installed as | soon as possible. | | | References | - -- | | When further information becomes available, this advisory will be | updated. 
The most recent version of this advisory is available at: | | http://www.pre-cert.de/advisories/PRE-SA-2012-06.txt [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3547 http://security-tracker.debian.org/tracker/CVE-2012-3547 Cheers Nico
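The length check the advisory above describes, modelled next to a copy that is bounded by the destination buffer. This is an added example, not FreeRADIUS code and not the fix shipped in 2.2.0; `struct asn_time_like`, the function names and the sample inputs are constructed for illustration, and the RFC 5280 format check goes beyond what the advisory discusses.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN 254  /* constant named in the advisory */
#define BUF_SIZE 64         /* size of the local buf array per the advisory */

/* Hypothetical stand-in for the two ASN.1 time fields the quoted code reads. */
struct asn_time_like {
    int length;
    const unsigned char *data;
};

/* The advisory's predicate: it bounds the length by MAX_STRING_LEN,
 * which says nothing about the 64-byte destination. */
static int original_check_accepts(const struct asn_time_like *t)
{
    return t != NULL && t->length < MAX_STRING_LEN;
}

/* Bytes that memcpy plus the '\0' store would write past a BUF_SIZE buffer
 * for an input the original predicate accepts (0 when it fits).
 * Negative lengths are outside this model and reported as 0. */
static size_t original_overrun(const struct asn_time_like *t)
{
    size_t need;

    if (!original_check_accepts(t) || t->length < 0)
        return 0;
    need = (size_t)t->length + 1;
    return need > BUF_SIZE ? need - BUF_SIZE : 0;
}

/* RFC 5280 certificate times are "YYMMDDHHMMSSZ" (13 bytes) or
 * "YYYYMMDDHHMMSSZ" (15 bytes): digits followed by a literal 'Z'. */
static int is_rfc5280_time(const unsigned char *p, size_t n)
{
    size_t i;

    if (n != 13 && n != 15)
        return 0;
    for (i = 0; i + 1 < n; i++)
        if (p[i] < '0' || p[i] > '9')
            return 0;
    return p[n - 1] == 'Z';
}

/* Bounded copy: the limit is the size of the buffer actually written to.
 * Returns the number of bytes copied, or -1 (buf set to "") on rejection. */
static int copy_not_after(const struct asn_time_like *t, char *buf, size_t buflen)
{
    size_t n;

    if (buf == NULL || buflen == 0)
        return -1;
    buf[0] = '\0';
    if (t == NULL || t->data == NULL)
        return -1;
    if (t->length < 0 || (size_t)t->length >= buflen)
        return -1;              /* no room for the data plus terminator */
    n = (size_t)t->length;
    if (!is_rfc5280_time(t->data, n))
        return -1;              /* not a plausible certificate timestamp */
    memcpy(buf, t->data, n);
    buf[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed inputs: one well-formed UTCTime, one 100-byte field. */
    unsigned char big[100];
    char out[BUF_SIZE];
    struct asn_time_like good = { 13, (const unsigned char *)"250101000000Z" };
    struct asn_time_like oversized = { 100, big };

    memset(big, 'A', sizeof big);
    printf("original check accepts 100 bytes: %d (overrun %zu bytes)\n",
           original_check_accepts(&oversized), original_overrun(&oversized));
    printf("bounded copy, 100 bytes: %d\n",
           copy_not_after(&oversized, out, sizeof out));
    printf("bounded copy, UTCTime:   %d (%s)\n",
           copy_not_after(&good, out, sizeof out), out);
    return 0;
}
```

Passing `sizeof out` at the call site ties the limit to the real destination, so a later change to the buffer size cannot silently reopen the gap between the two constants.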
Bug#687166: ntp: NTP security vulnerability because not using authentication by default
Hi, * none anots...@fastmail.fm [2012-09-10 15:42]: [...] An adversary can tamper with the unauthenticated NTP replies and put the user's time several years back, especially, but not limited, if the bios battery or hardware clock is defect. That issue becomes more relevant with new devices like RP, which do not even have a hardware clock. Putting the clock several years back allows an adversary to use already revoked, broken, expired certificates; replay old, broken, outdated, known vulnerable updates etc. NTP is certainly subject to spoofing attacks by its nature. I also agree that this may be a problem in some settings. Just considering that e.g. kerberos is making heavy use of accurate timing. In theory NTP should be robust against wrong timing information from single servers. Obviously this doesn't help you, if your DNS is also spoofed and you control all NTP servers. Since NTP does support symmetric/autokey by now, what I really wonder about is why this is no strict requirement for servers in pool.ntp.org to which certainly also our debian ntp vendor zone belongs. I think it would be desirable to ship default configurations with those keys setup. I CC'ed Ask who is maintaining pool.ntp.org for this discussion. Ask, is there such a requirement and I missed it or is it not existent? If not, how realistic is it to change this? While I don't think this is a critical problem, I'd also love to see this changed in future default configurations of the ntp package in Debian. Kind regards Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#687166: ntp: NTP security vulnerability because not using authentication by default
Hi, * Ask Bjørn Hansen a...@ntppool.org [2012-09-10 18:03]: On Sep 10, 2012, at 8:13, Nico Golde n...@debian.org wrote: [Adding NTP authentication] We could setup a set of servers with authentication, but that'd be a much smaller list of servers (for better and worse). It wouldn't be like the current NTP Pool at all. Next would be to add DNSSEC to the DNS (which is non-trivial with the current zone and the current resources; at peaks the DNS servers get 20-30k qps and each response is different so you have to sign in real-time.). If there's a need and resources, I could run a zone with DNSSEC and with autokey configured, but it'd not be possible in the open source/everyone volunteers a resource or two scheme. Wouldn't it still make sense to have a zone configured with autokey even without DNSSEC? Or is an active attacker bombarding the victim with faked NTP responses without spoofed DNS not an issue at all, so all this matters *only* if DNS is spoofed? Kind regards Nico P.S: I'm all but an NTP expert :) -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#687204: Manpage out-of-date
Hi, * Christoph Egger christ...@debian.org [2012-09-10 22:14]: nitrogen's manpage seems to be vastly incomplete True, thanks! I'll contact upstream to see if he is willing to update it. Otherwise I'll take the pain and do it on my own. Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#686196: httping: Segmentation fault (after slow responses?)
Hi, * Olaf van der Spek olafvds...@gmail.com [2012-08-29 22:41]: On Wed, Aug 29, 2012 at 10:29 PM, folkert folk...@vanheusden.com wrote: Maybe it's simpler if you run gdb yourself. ;) Yes but then I cannot reproduce it. Hmm, did you try? I can also not reproduce the problem :/ Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#686241: httping: Show run time
Hi, * Olaf van der Spek olafvds...@gmail.com [2012-08-30 15:17]: Could you show the run time, like normal ping does? httping: 5848 connects, 5656 ok, 3.28% failed ping: 4 packets transmitted, 4 received, 0% packet loss, time 3001ms How about using time from your shell? This way not every command where someone wants to know the time has to implement it ;) Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Bug#683556: openbox: window no more refresh when lauching epfview if awn running
Hi, * florian gruel fgr...@hotmail.com [2012-08-03 19:41]: Hi, I've done the test with awesome, everything seems to be OK. Ok thank you. Maybe indeed an openbox issue then. Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0 For security reasons, all text in this mail is double-rot13 encrypted.
Bug#683556: openbox: window no more refresh when lauching epfview if awn running
Hi, * florian fgr...@hotmail.com [2012-08-01 19:24]: when launching epdfview all windows don't refresh anymore, I need to kill epdfview from a virtual terminal to reuse the openbox desktop. If AWN is not running, no problems. Have you tried this in another window manager with awn running? This looks rather like an awn issue to me than an openbox issue. Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0 For security reasons, all text in this mail is double-rot13 encrypted.
Bug#683322: unblock: bind9/1:9.8.1.dfsg.P1-4.2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: freeze-exception Hi, please unblock bind9. The version in unstable contains an isolated fix for CVE-2012-3817. unblock: bind9/1:9.8.1.dfsg.P1-4.2 Kind regards Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0 For security reasons, all text in this mail is double-rot13 encrypted.
Bug#682481: gnome-shell: epiphany shouldn't be the default browser
Hi, * Julien Cristau jcris...@debian.org [2012-07-23 11:22]: On Mon, Jul 23, 2012 at 10:55:49 +0200, Josselin Mouette wrote: On Monday 23 July 2012 at 10:46 +0200, Julien Cristau wrote: Package: gnome-shell Version: 3.4.1-8 Severity: serious The default browser should be one that has at least vaguely credible security support, IMO. epiphany doesn't qualify, chromium or iceweasel probably would. As explained on IRC, they would if at the *very least* they supported GTK3. I don't think doesn't support gtk3 can be more of a blocker than has 0 security support. I agree it's not ideal, but it doesn't seem there's much of a choice. FWIW, I do support Julien's request to change this. Without going into detail why I think that security should have priority here, why is gtk3 support even an issue? Can you explain this a little further? Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0 For security reasons, all text in this mail is double-rot13 encrypted.
Bug#682309: unblock: ecryptfs-utils/99-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: freeze-exception Hi, please unblock ecryptfs-utils. This is a new upstream version that only fixes a security issue, namely CVE-2012-3409. unblock: ecryptfs-utils/99-1 Kind regards Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0 For security reasons, all text in this mail is double-rot13 encrypted.
Bug#682193: unblock: nsd3/3.2.12-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: freeze-exception Hi, please unblock nsd3. This is a new upstream version that only fixes a security issue, namely CVE-2012-2978 which has just been fixed in squeeze with a DSA. unblock: nsd3/3.2.12-1 Kind regards Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0 For security reasons, all text in this mail is double-rot13 encrypted.
Bug#674448: CVE-2012-2098
Hi, * Miguel Landaeta mig...@miguel.cc [2012-07-18 17:02]: On Thu, May 24, 2012 at 08:13:35PM +0200, Moritz Muehlenhoff wrote: Please see https://commons.apache.org/compress/security.html Fixed in 1.4.1. This doesn't warrant a DSA, but you could fix it through a point update for Squeeze 6.0.6. I had prepared an upload to fix this issue in stable. Are you OK with an upload to stable then? Please notify the release team before. Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0 For security reasons, all text in this mail is double-rot13 encrypted.
Bug#681455: openbox: Does not exit on Exit in pop-up menu.
Hi, * Sthu Deus sthu.d...@gmail.com [2012-07-14 15:04]: Is it clear now?! Or additional explanation needed? - Or it is Your strategy - to deny bugs found? :o/ Is it your strategy to piss me off? No. Just a try to make my message clear for You. In this case you should phrase your words a little more carefully. It should be obvious that asking me if I want to deny bugs is offending me. Anyway, I don't know what setup you have exactly. I just tested a plain openbox 3.5.0 from upstream as well as openbox from Debian again and the exit menu works just fine. You may want to change the menu entry to do something like lxsession-logout or execute a command to kill your lxde session. I also use version, and for users on the same host it does not work. Can You shed some light on how You change the commands that are run from that menu? Yes, edit /etc/xdg/openbox/menu.xml There is no openbox bug here as far as I can judge, thus closing the bug report. Hmm. What if I the commands are set already? May I will check it first - after You tell me how? Sorry, I think I don't understand what you mean. Please try to rephrase. Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0 For security reasons, all text in this mail is double-rot13 encrypted.
Bug#681455: openbox: Does not exit on Exit in pop-up menu.
Hi, * Sthu sthu.d...@gmail.com [2012-07-13 12:31]: When I do press Exit on pop-up menu (the one I get w/ right-click on a desktop), openbox does not exit. I have to click logout in its main menu - then from KDM logout menu I logout. Please fix it. What do you mean? There is no logout button in openbox' main menu and the exit button works just fine. Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0 For security reasons, all text in this mail is double-rot13 encrypted.
Bug#679491: [pkg-fetchmail-maint] Bug#679491: [fetchmail] Spamassassin-Fetchmail depedenty boot order needs fixing
Hi, * David Baron d_ba...@012.net.il [2012-06-29 08:37]: The new sysv-rc assigned K01 symlinks to fetchmail. However, I want to have spamassassin and its rules up beforehand. I have been doing this explicitly in what is now rc.local. Fetchmail did not like the duplicated start and my mail worked only after I restarted fetchmail. There must be a more correct way to do this. ( Meanwhile, I removed the symlinks to allow my rc.local to start fetchmail. The next upgrades will restore them unless I divert. The sysv-rc gave K03 symlinks to spamassassin which would mean starting after fetchmail and there is no mention of the rules. ) K symlinks don't define the start order during boot. [...] So you just need to have Should-Start: spamassassin in the fetchmail script. And/or X-Start-Before: fetchmail in the spamassassin script. Then re-run insserv. This won't happen or at least is very unlikely. I don't see a bug here to be honest and the purpose of those targets is not to list every single individual program that people might find useful to get started beforehand. Kind regards Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0 For security reasons, all text in this mail is double-rot13 encrypted.
Bug#678993: openbox: xmodmap freezes openbox in lxde
Hi, * Paul Seyfert pseyf...@mathphys.fsk.uni-heidelberg.de [2012-06-26 09:48]: Hi, On 25.06.2012 19:44, Nico Golde wrote: Hi, * Paul Seyfert pseyf...@mathphys.fsk.uni-heidelberg.de [2012-06-25 17:49]: I use my notebook with lxde. after some time of operation I connect an external keyboard. The external keyboard now runs without my modifications in my ~/.xmodmap file so I call $ xmodmap .xmodmap the effect is, that the external keyboard is now mapped as I wish, but openbox seems not to operate anymore. alt+tab doesn't work, i cannot click on windows to change windows. I haven't found any way to change windows or workspaces (except closing the current active application) resizing windows doesn't work. I get back to working by running killall -9 openbox ; sleep 10s ; openbox disown; exit (luckily after calling xmodmap, the active window is a shell) Can you share your xmodmap? I can't reproduce this in a quick test. there it is: http://www.physi.uni-heidelberg.de/~pseyfert/.Xmodmap Even with this can't reproduce the described behaviour. What I observe is that after loading openbox doesn't react for a short time and openbox uses a lot of CPU. During that time it doesn't react to anything, but it does come back. How long did you wait for it to come back? Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0 For security reasons, all text in this mail is double-rot13 encrypted.
Bug#678993: openbox: xmodmap freezes openbox in lxde
Hi, * Paul Seyfert pseyf...@mathphys.fsk.uni-heidelberg.de [2012-06-26 12:15]: [...] well since that happens each morning I come to the office I'm quite quick with killing openbox nowadays. I just tested and waited for two minutes without success. Ok. Could you do me the favor and check if this happens with a different window manager as well? I have the feeling that this might not be openbox related. In the end xmodmap should be handled by X and the window manager should eat whatever signal is delivered by X on a key press. Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0 For security reasons, all text in this mail is double-rot13 encrypted.
Bug#678993: openbox: xmodmap freezes openbox in lxde
Hi, * Paul Seyfert pseyf...@mathphys.fsk.uni-heidelberg.de [2012-06-25 17:49]: I use my notebook with lxde. after some time of operation I connect an external keyboard. The external keyboard now runs without my modifications in my ~/.xmodmap file so I call $ xmodmap .xmodmap the effect is, that the external keyboard is now mapped as I wish, but openbox seems not to operate anymore. alt+tab doesn't work, i cannot click on windows to change windows. I haven't found any way to change windows or workspaces (except closing the current active application) resizing windows doesn't work. I get back to working by running killall -9 openbox ; sleep 10s ; openbox disown; exit (luckily after calling xmodmap, the active window is a shell) Can you share your xmodmap? I can't reproduce this in a quick test. Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0 For security reasons, all text in this mail is double-rot13 encrypted.
Bug#650632: mcabber: fails to handle bookmarks for password protected MUCs
Hi, * Franziska Lichtblau rhal...@old-forest.org [2012-06-16 18:46]: first of all thank you for the patch, I think it's a good idea and will forward it to upstream as well. Sorry for the long time since you sent the patch - hopefully won't happen again. [...] Debian123! being the password. Could you maybe just change the output funktion to display * instead of the actual password? Sure, an updated version of the patch is attached. I'm using this patch btw since I reported the bug, without problems so far. Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0 For security reasons, all text in this mail is double-rot13 encrypted. diff -Nurad mcabber-0.10.1/mcabber/commands.c mcabber-0.10.1.new/mcabber/commands.c --- mcabber-0.10.1/mcabber/commands.c 2010-12-01 21:51:20.0 +0100 +++ mcabber-0.10.1.new/mcabber/commands.c 2012-06-17 14:08:06.647247157 +0200 @@ -2918,7 +2918,7 @@ static void room_bookmark(gpointer bud, char *arg) { const char *roomid; - const char *name = NULL, *nick = NULL; + const char *name = NULL, *nick = NULL, *passwd = NULL; char *tmpnick = NULL; enum room_autowhois autowhois = 0; enum room_printstatus printstatus = 0; @@ -2931,7 +2931,8 @@ char **paramlst; char **pp; -paramlst = split_arg(arg, 3, 0); // At most 3 parameters +paramlst = split_arg(arg, 4, 0); // At most 4 parameters + for (pp = paramlst; *pp; pp++) { if (!strcasecmp(*pp, add)) action = bm_add; @@ -2943,9 +2944,11 @@ autojoin = 1; else if (!strcmp(*pp, -)) nick_set = 1; - else { + else if(nick_set == 0){ nick_set = 1; nick = tmpnick = to_utf8 (*pp); + } else if(nick_set == 1){ + passwd = to_utf8(*pp); } } free_arg_lst(paramlst); @@ -2961,7 +2964,7 @@ autowhois = buddy_getautowhois(bud); } - xmpp_set_storage_bookmark(roomid, name, nick, NULL, autojoin, + xmpp_set_storage_bookmark(roomid, name, nick, passwd, autojoin, printstatus, autowhois); g_free (tmpnick); } 
@@ -2988,11 +2991,15 @@ (bm_elt-autojoin ? '*' : ' '), bm_elt-roomjid); if (bm_elt-nick) g_string_append_printf(sbuf, (%s), bm_elt-nick); +if (bm_elt-passwd) + /* replace password for security reasons */ + g_string_append_printf(sbuf, (*)); if (bm_elt-name) g_string_append_printf(sbuf, %s, bm_elt-name); g_free(bm_elt-roomjid); g_free(bm_elt-name); g_free(bm_elt-nick); +g_free(bm_elt-passwd); g_free(bm_elt); scr_WriteIncomingMessage(NULL, sbuf-str, 0, HBB_PREFIX_INFO | HBB_PREFIX_CONT, 0); diff -Nurad mcabber-0.10.1/mcabber/xmpp.c mcabber-0.10.1.new/mcabber/xmpp.c --- mcabber-0.10.1/mcabber/xmpp.c 2010-12-01 21:51:21.0 +0100 +++ mcabber-0.10.1.new/mcabber/xmpp.c 2012-06-17 14:08:06.647247157 +0200 @@ -2083,7 +2083,7 @@ // If the node is a conference item, let's add the note to our list. if (x-name !strcmp(x-name, conference)) { struct bookmark *bm_elt; - const char *autojoin, *name, *nick; + const char *autojoin, *name, *nick, *passwd; const char *fjid = lm_message_node_get_attribute(x, jid); if (!fjid) continue; @@ -2092,10 +2092,13 @@ autojoin = lm_message_node_get_attribute(x, autojoin); nick = lm_message_node_get_child_value(x, nick); name = lm_message_node_get_attribute(x, name); + passwd = lm_message_node_get_child_value(x, password); if (autojoin !strcmp(autojoin, 1)) bm_elt-autojoin = 1; if (nick) bm_elt-nick = g_strdup(nick); + if (nick) +bm_elt-passwd = g_strdup(passwd); if (name) bm_elt-name = g_strdup(name); sl_bookmarks = g_slist_append(sl_bookmarks, bm_elt); diff -Nurad mcabber-0.10.1/mcabber/xmpp.h mcabber-0.10.1.new/mcabber/xmpp.h --- mcabber-0.10.1/mcabber/xmpp.h 2010-12-01 21:51:21.0 +0100 +++ mcabber-0.10.1.new/mcabber/xmpp.h 2012-06-17 14:08:06.647247157 +0200 @@ -24,6 +24,7 @@ gchar *roomjid; gchar *name; gchar *nick; + gchar *passwd; guint autojoin; /* enum room_printstatus pstatus; */ /* enum room_autowhois awhois; */ pgphjHGRqKe3y.pgp Description: PGP signature
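Review bot: in the commands.c hunk at @@ -2943,9 +2944,11, the string returned by to_utf8(*pp) for passwd is never released. The nick copy is tracked in tmpnick and freed with g_free (tmpnick) after xmpp_set_storage_bookmark(), but the password copy has no counterpart, and because the else if(nick_set == 1) branch runs for every further argument, a second trailing token overwrites passwd and leaks the first copy as well. Suggest a tmppasswd pointer freed next to tmpnick, and accepting the password only once.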
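Review bot: in the xmpp.c hunk at @@ -2092,10 +2092,13, the added guard before bm_elt-passwd = g_strdup(passwd) tests nick instead of passwd, so a stored bookmark that has a password child but no nick child never gets its password loaded. The condition should be if (passwd), matching the if (nick) and if (name) checks on the neighbouring lines.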
Bug#672724: [pkg-fetchmail-maint] Bug#672724: Init script message about disabled daemon should be info rather than warning
Hi, * Moritz Muehlenhoff j...@debian.org [2012-05-13 11:25]: The init script has the following: if [ ! x$START_DAEMON = xyes -a ! $1 = status ]; then log_warning_msg Not starting fetchmail daemon, disabled via /etc/default/fetchmail exit 0 fi With the fancy LSB messages from current sid, this is displayed as an orange warning, while it's rather simple configuration impact w/o harm. You should rather use log_action_msg instead of log_warning_msg. According to which rule? Strictly speaking, I copied this from other packages, e.g. smart does it this way. I don't see a policy rule for that. Regards Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0 For security reasons, all text in this mail is double-rot13 encrypted.
Bug#672724: [pkg-fetchmail-maint] Bug#672724: Init script message about disabled daemon should be info rather than warning
Hi,
* Nico Golde n...@debian.org [2012-05-13 20:09]:
> * Moritz Muehlenhoff j...@debian.org [2012-05-13 11:25]:
> > The init script has the following:
> >
> > if [ ! "x$START_DAEMON" = "xyes" -a ! "$1" = "status" ]; then
> >     log_warning_msg "Not starting fetchmail daemon, disabled via /etc/default/fetchmail"
> >     exit 0
> > fi
> >
> > With the fancy LSB messages from current sid, this is displayed as an orange
> > warning, while it's rather simple configuration impact w/o harm. You should
> > rather use log_action_msg instead of log_warning_msg.
>
> By which rule? Strictly speaking, I copied this from other packages, e.g. smart
> does it this way. I don't see a policy rule for this.

Sorry, this mail was just intended for the reporter: To roughly translate. Is there a policy rule that states this? To be honest, I looked at how other packages do this, e.g. smart, and copied that behaviour.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#566900: RFH: openbox -- standards compliant, fast, light-weight, extensible window manager
Hi,
* Daniel Baumann daniel.baum...@progress-technologies.net [2012-05-10 09:19]:
> On 05/08/2012 07:12 AM, Nico Golde wrote:
> > Feel free to join as a co-maintainer.
>
> my intention is to consolidate openbox with the rest of the lxde packages,
> i'm currently not interested in another 'not into my workflow integrated'
> leaf package.

Ok fair enough.

> should you at some point decide to orphan it, please let me know before.

Will do, thanks for your interest in this package!

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#566900: RFH: openbox -- standards compliant, fast, light-weight, extensible window manager
Hi,
* Daniel Baumann daniel.baum...@progress-technologies.net [2012-04-23 11:34]:
> I offer to adopt openbox on behalf of the Debian LXDE team.

Thanks but so far my intention was not to orphan it. Feel free to join as a co-maintainer.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.