Bug#737735: /usr/sbin/nologin shell change breaks SSH authentication in amanda
Russ Allbery r...@debian.org wrote:
> I suspect that you have your debconf priority settings set to suppress
> prompting. If you change the shell and then run:
>
>     dpkg-reconfigure base-passwd
>
> and say no to the question of whether you want update-passwd to change
> the shell, it will leave it alone and remember that response for all
> subsequent upgrades.

This works. Thanks. I had already tried dpkg-reconfigure with low priority, but not while the shell was changed.

--
Sam Couter | mailto:s...@couter.id.au
signature.asc Description: Digital signature
Bug#737735: /usr/sbin/nologin shell change breaks SSH authentication in amanda
Package: base-passwd
Version: 3.5.32

After upgrading base-passwd on the amanda clients, amcheck starts spitting out messages like the following:

    WARNING: fw: selfcheck request failed: tcpm_recv_token: invalid size: This account is currently not available.\n

I use the SSH authentication and transport method, which means Amanda uses SSH to connect to the clients as the backup user to run amandad. I have set the authorized_keys file for the backup user to force the amandad command, but this is executed using the login shell.

Setting the shell to /bin/sh makes the error message go away, running update-passwd brings it back.

--
Sam Couter | mailto:s...@couter.id.au
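An added check, not part of the original report: sshd runs a forced `command=` from authorized_keys through the account's login shell, so a forced-command key on an account whose shell is nologin or false can never run its command. The function below flags that combination; the `ROOT` prefix argument, the amandad command line and all sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): find accounts where a forced
# command in authorized_keys can never run because the passwd shell
# refuses to execute anything.

# audit_forced_commands PASSWD_FILE [ROOT]
# ROOT is prepended to each home directory; it is an assumption of this
# example so the check can run against a copied or constructed tree.
# Prints one line per finding: "<user> <shell> <forced command>".
audit_forced_commands() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        # sshd starts a forced command as "<login shell> -c <command>",
        # so only shells that refuse to run anything are of interest.
        case $shell in
            */nologin|*/false) ;;
            *) continue ;;
        esac
        keys=$root$home/.ssh/authorized_keys
        [ -r "$keys" ] || continue
        # First command="..." option on a non-comment line. Commands that
        # contain escaped quotes are cut at the first quote, which is
        # still enough to flag the account.
        forced=$(sed -n 's/^[^#]*command="\([^"]*\)".*/\1/p' "$keys" | head -n 1)
        [ -n "$forced" ] || continue
        printf '%s %s %s\n' "$user" "$shell" "$forced"
    done < "$passwd_file"
    return 0
}

# Build a constructed sample tree: one service account with a forced
# command and a nologin shell, one ordinary user with a working shell.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/var/backups/.ssh" "$d/home/sam/.ssh"
    cat > "$d/passwd" <<'EOF'
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
sam:x:1000:1000::/home/sam:/bin/bash
EOF
    printf '%s\n' \
        'command="/usr/lib/amanda/amandad -auth=ssh amdump",no-pty ssh-rsa AAAAconstructed amanda@server' \
        > "$d/var/backups/.ssh/authorized_keys"
    printf '%s\n' \
        'command="/usr/bin/uptime" ssh-rsa AAAAconstructed sam@laptop' \
        > "$d/home/sam/.ssh/authorized_keys"
    printf '%s\n' "$d"
}

# Run the audit against the constructed tree.
sample=$(make_sample)
audit_forced_commands "$sample/passwd" "$sample"
rm -rf "$sample"
```

On a real host, `audit_forced_commands /etc/passwd` run before and after an update-passwd run shows which service accounts the shell change would cut off.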
Bug#512883: Potential data loss
severity 512883 grave
stop

Nightmare scenario I'm currently in:

    gphoto2 --get-all-files
    gphoto2 --delete-all-files

Photos gone. Explain to wife where photos went. Hastily rustle up SD card reader, install FAT undelete utilities, hope it all turns out in the end.

--
Sam Couter | mailto:s...@couter.id.au
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#572978: opensync-plugin-gpe: Broken by latest multisync0.90
Package: opensync-plugin-gpe
Version: 0.22-1

msync from latest version of multisync-tools package cannot load opensync plugins with versions 0.22, including GPE plugin:

    s...@laptop:~$ msynctool --sync n810
    Synchronizing group n810
    The previous synchronization was unclean. Slow-syncing
    **
    ERROR:/build/buildd-opensync_0.22-4-i386-F3znn3/opensync-0.22/opensync/opensync_plugin.c:457:osync_plugin_get_path: assertion failed: (plugin)

The program then stalls and must be terminated with Ctrl-C.

I assume there's some kind of upgrade migration plan and that this is supposed to be just a temporary problem. I am reporting this against the plugin, not the package that broke it, as I expect the plugin will be upgraded as part of the plan. If that's not the case, feel free to reassign the bug.

--
Sam Couter | mailto:s...@couter.id.au
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#552112: python-vobject: Fails to parse long quoted-printable encoded lines
Package: python-vobject Version: 0.8.1c-1 Severity: normal Long lines may be encoded in quoted-printable by a trailing equals sign. vobject attempts to parse the continuation line separately and raises a ParseError. The attached one-line patch modifies an existing quoted-printable test case to expose the bug. -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.30-2-686 (SMP w/1 CPU core) Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/bash Versions of packages python-vobject depends on: ii python2.5.4-2An interactive high-level object-o ii python-dateutil 1.4.1-3powerful extensions to the standar ii python-support1.0.3 automated rebuilding support for P python-vobject recommends no packages. python-vobject suggests no packages. -- no debconf information -- Sam Couter | mailto:s...@couter.id.au OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C --- python-vobject-0.8.1c.orig/test_files/more_tests.txt +++ python-vobject-0.8.1c/test_files/more_tests.txt 
@@ -71,14 +71,14 @@ quoted-printable - vcf = 'BEGIN:VCARD\nVERSION:2.1\nN;ENCODING=QUOTED-PRINTABLE:;=E9\nFN;ENCODING=QUOTED-PRINTABLE:=E9\nTEL;HOME:01\nEND:VCARD\n\n' + vcf = 'BEGIN:VCARD\nVERSION:2.1\nN;ENCODING=QUOTED-PRINTABLE:;=E9\nFN;ENCODING=QUOTED-PRINTABLE:=E9long=\nline\nTEL;HOME:01\nEND:VCARD\n\n' vcf = vobject.readOne(vcf) vcf.n.value Name: ? vcf.n.value.given u'\xe9' vcf.serialize() -'BEGIN:VCARD\r\nVERSION:2.1\r\nFN:\xc3\xa9\r\nN:;\xc3\xa9;;;\r\nTEL:01\r\nEND:VCARD\r\n' +'BEGIN:VCARD\r\nVERSION:2.1\r\nFN:\xc3\xa9longline\r\nN:;\xc3\xa9;;;\r\nTEL:01\r\nEND:VCARD\r\n' vcs = 'BEGIN:VCALENDAR\r\nPRODID:-//OpenSync//NONSGML OpenSync vformat 0.3//EN\r\nVERSION:1.0\r\nBEGIN:VEVENT\r\nDESCRIPTION;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:foo =C3=A5=0Abar =C3=A4=\r\n=0Abaz =C3=B6\r\nUID:20080406T152030Z-7822\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n' vcs = vobject.readOne(vcs, allowQP = True) signature.asc Description: Digital signature
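Review bot: In the quoted-printable case the existing FN value is edited in place (`=E9` becomes `=E9long=\nline`), so the short single-line QP value is no longer exercised through FN; adding a second vCard case for the soft line break would keep both paths covered. The new input ends the soft break with a bare `\n`, while the VCALENDAR case just below uses `=\r\n`, so a CRLF variant of the same FN line is worth adding as well.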
Bug#524618: amanda-server: SSH support completely broken
Package: amanda-server
Version: 1:2.5.2p1-5
Severity: important

Amanda doesn't know where the SSH executable is. Build with SSH installed or by adding SSH=/usr/bin/ssh to the beginning of the ./configure line in debian/rules.

Ubuntu bug here: https://bugs.launchpad.net/ubuntu/+source/amanda/+bug/229929

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages amanda-server depends on:
ii  amanda-common      1:2.5.2p1-5            Advanced Maryland Automatic Networ
ii  bsd-mailx [mailx]  8.1.2-0.20081101cvs-2  A simple mail user agent
ii  libc6              2.9-7                  GNU C Library: Shared libraries
ii  libncurses5        5.7+20090314-1         shared libraries for terminal hand
ii  libreadline5       5.2-4                  GNU readline and history libraries
ii  mailx              1:20081101-2           Transitional package for mailx ren

amanda-server recommends no packages.

Versions of packages amanda-server suggests:
ii  amanda-client  1:2.5.2p1-5  Advanced Maryland Automatic Networ
ii  cpio           2.9.90-3     GNU cpio -- a program to manage ar
pn  gnuplot        none         (no description available)
ii  perl [perl5]   5.10.0-19    Larry Wall's Practical Extraction

-- no debconf information
Bug#509005: viking: 0.9.7 available upstream
Package: viking
Severity: wishlist

New upstream version (0.9.7) is available.

--
Sam Couter | mailto:s...@couter.id.au
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#507226: python-kaa-metadata: ValueError: too many values to unpack
Package: python-kaa-metadata
Version: 0.7.4-2
Severity: important

Some DVDs cannot be detected by Freevo, giving the error

    ValueError: too many values to unpack

and causing little girls to be sad that they can't watch Dora the Explorer. Please think of the children!

See the following mailing list posting for some more information: http://www.mail-archive.com/[EMAIL PROTECTED]/msg18203.html

--
Sam Couter | mailto:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#502576: apt-listbugs: Undeclared dependency on locales package
Package: apt-listbugs

After the locales package has been purged:

    fw:/var# apt-listbugs
    /usr/lib/ruby/1.8/locale/posix.rb:23:in `resolve_alias': undefined method `has_key?' for nil:NilClass (NoMethodError)
        from /usr/lib/ruby/1.8/locale/posix.rb:50:in `locale_from_env'
        from /usr/lib/ruby/1.8/locale/posix.rb:48:in `each'
        from /usr/lib/ruby/1.8/locale/posix.rb:48:in `locale_from_env'
        from /usr/lib/ruby/1.8/locale/base.rb:48:in `system'
        from /usr/lib/ruby/1.8/locale.rb:57:in `system'
        from /usr/lib/ruby/1.8/locale.rb:65:in `default'
        from /usr/lib/ruby/1.8/locale.rb:73:in `current'
        from /usr/lib/ruby/1.8/gettext.rb:279:in `sgettext'
        from /usr/lib/ruby/1.8/gettext.rb:263:in `_'
        from /usr/share/apt-listbugs/apt-listbugs/logic.rb:311
        from /usr/sbin/apt-listbugs:227:in `require'
        from /usr/sbin/apt-listbugs:227

--
Sam Couter | mailto:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#496649: openvpn: TLS key exchange fails
Package: openvpn
Version: 2.1~rc9-3

After upgrading to 2.1~rc9-3, OpenVPN fails TLS negotiation. Downgrading to 2.1~rc7-1 (the latest currently on snapshot.debian.net) fixes the problem.

High verbosity settings and tcpdump both confirm packets containing keys and/or certificates are being exchanged in both directions. The server prints the TLS: Initial packet log message but never the VERIFY message.

Upgrading the client to 2.1~rc9-3 and keeping the server on 2.1~rc7-1, the VPN continues to work.

--
Sam Couter | mailto:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#496270: freevo: Typo in /etc/init.d/freevo_encodingserver; cannot restart
Package: freevo
Severity: minor

    [EMAIL PROTECTED]:/etc/freevo# /etc/init.d/freevo_encodingserver restart
    /etc/init.d/freevo_encodingserver: line 77: restart_freevo_encodingserver: command not found
    [EMAIL PROTECTED]:/etc/freevo#

The function restart_freevo should be named restart_freevo_encodingserver.

--
Sam Couter | mailto:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#489328: freevo: Fails to remove freevo user on package purge
Package: freevo

The freevo package creates a new user (freevo) and group in the postinst script. The prerm script doesn't delete the user or the group.

--
Sam Couter | mailto:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#485773: vala-utils: Should at least Suggest: gnome-common
Package: vala-utils
Version: 0.3.3-1
Severity: minor

vala-gen-project generates a project with an autogen.sh that depends on gnome-autogen.sh from the gnome-common package. It would be nice if vala-gen-project would Suggest: gnome-common. And the dependency for the generated project should be documented as it's not immediately obvious which package contains gnome-autogen.sh.

--
Sam Couter | mailto:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#472924: openvpn: Multiple VPN configuration from /etc/network/interfaces
Package: openvpn Severity: wishlist The attached patch to /etc/network/if-up.d/openvpn allows for starting more than one tunnel when an interface is configured using ifup/ifdown. -- Sam Couter | mailto:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C --- openvpn.orig 2008-03-25 16:42:53.0 +1100 +++ openvpn 2008-03-25 16:43:47.0 +1100 @@ -7,5 +7,7 @@ fi if [ -n $IF_OPENVPN ]; then - $OPENVPN start $IF_OPENVPN + for vpn in $IF_OPENVPN; do +$OPENVPN start $vpn + done fi signature.asc Description: Digital signature
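Review bot: The new loop depends on unquoted expansion of `$IF_OPENVPN`, so each name is also subject to pathname expansion; wrap the loop in `set -f` and `set +f`, or state where the option is documented that names are plain whitespace-separated words. As shown, the unchanged guard `[ -n $IF_OPENVPN ]` is unquoted too, and with two names `[` receives two operands and errors out before the loop runs, so if the file really reads that way the guard needs `"$IF_OPENVPN"`. The matching if-down.d script is not part of this patch and would need the same loop to stop every tunnel that was started.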
Bug#440301: iso-scan.postinst fails to find ISO on partitioned USB stick
Jérémy Bobbio [EMAIL PROTECTED] wrote: Some changes have been made to iso-scan since Etch was released. Could you please tell us if the bug is still present in current (Lenny) daily builds of the debian-installer? I've finally gotten around to actually rebooting a machine that can boot from USB. The bug still exists in the daily build of 05-Nov-2007. My opinion is that list-devices is at fault, not iso-scan. The hack I've tried this time didn't seem to slow the installer down so much, so I've included a patch just in case it's useful. -- Sam Couter | mailto:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C --- i.orig/bin/list-devices 2007-11-06 20:55:13.0 +1100 +++ i/bin/list-devices 2007-11-06 20:57:27.0 +1100 @@ -50,7 +50,7 @@ esac # Some USB sticks and CD drives are misdetected as floppy # This allows to scan for those - if ! $match [ $TYPE = maybe-usb-floppy ]; then + if ! $match [ $TYPE = maybe-usb-floppy -o $TYPE = disk ]; then if udevinfo -q env -p $devpath 2/dev/null | \ grep -q '^ID_BUS=usb' \ udevinfo -q env -p $devpath 2/dev/null | \ signature.asc Description: Digital signature
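Review bot: The widened test `$TYPE = maybe-usb-floppy -o $TYPE = disk` sends `disk` requests through the udevinfo USB probe as well, but the comment above the condition still describes only devices misdetected as floppy; update the comment to say why disks are included, and note the cost given the slowdown mentioned for the earlier workaround. `-o` inside `[` is fragile when `$TYPE` is unquoted or empty; two separate `[ ... ]` tests joined with `||` are safer.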
Bug#440916: firehol: Latest version lost OpenVPN service definition
Package: firehol
Version: 1.256-1
Severity: minor

FireHOL version 1.231-7 knew about OpenVPN, while version 1.256-1 does not. Just add the following lines back into /sbin/firehol:

    server_openvpn_ports="tcp/1194 udp/1194"
    client_openvpn_ports="default"

--
Sam Couter | mailto:[EMAIL PROTECTED]
           | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#440919: firehol: Please add mention of /etc/default/firehol to NEWS.Debian
Package: firehol
Version: 1.256-1
Severity: minor

In the interests of reducing the element of surprise, please add a mention of the new START_FIREHOL setting to NEWS.Debian so apt-listchanges can email it to the admin.

It would also be useful if there was a comment in /etc/default/firehol that the value YES must be all uppercase.

--
Sam Couter | mailto:[EMAIL PROTECTED]
           | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#440919: firehol: Please add mention of /etc/default/firehol to NEWS.Debian
Alexander Wirt [EMAIL PROTECTED] wrote:
> Ehm this is far from being new and is there for ages, I just moved it out
> of the binary to the initscript.

I hadn't realised that, but I just upgraded from a working 1.231-7 to a non-working 1.256-1, so something about that setting has changed.

> But I will add such a pointer.

Thanks.

--
Sam Couter | mailto:[EMAIL PROTECTED]
           | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#440301: iso-scan.postinst fails to find ISO on partitioned USB stick
Package: debian-installer
Version: 4.0r1

When installing from hd-media boot image on a USB stick which has been partitioned, the ISO image is not found.

I tracked the problem down to the interaction between iso-scan.postinst and list-devices. 'list-devices partition' will not find partitions on USB sticks that detect as floppies, and 'list-devices floppy' will only show the USB stick device, not any partitions it may have.

My workaround was to cause 'list-devices partition' to also list partitions on USB floppies. This got the job done, but it's probably not suitable for release as it confused the partitioner and slowed it down quite a bit. Someone more familiar with the various interactions with list-devices should come up with a better idea.

--
Sam Couter | mailto:[EMAIL PROTECTED]
           | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#420399: cryptsetup: decrypt_derived must use --showkeys option with dmsetup
Package: cryptsetup
Version: 1.0.4+svn26-1
Severity: important

The dmsetup table command has changed so that it no longer shows encryption keys in the output unless the --showkeys option is passed to it. This breaks the decrypt_derived script used to derive a key from the key used to encrypt a different volume.

Fix: Just add --showkeys to the dmsetup invocation in /lib/cryptsetup/scripts/decrypt_derived

--
Sam Couter | mailto:[EMAIL PROTECTED]
           | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#401306: snmpd: restart, reload fail if snmpd not already running
Package: snmpd
Version: 5.2.3-4

The init script combines set -e with start-stop-daemon --stop, but misses --oknodo on the stop, restart and reload actions. start-stop-daemon returns 1 if it can't find a process to stop, and the init script bails out.

Fix: add --oknodo to the start-stop-daemon invocations in the stop, restart and reload actions in the init script.

--
Sam Couter | mailto:[EMAIL PROTECTED]
           | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#385317: [Pkg-cryptsetup-devel] Bug#385317: cryptsetup: cannot start encrypted swap with static key
found 385317 1.0.4~rc2-1
stop

Jonas Meurer [EMAIL PROTECTED] wrote:
> hello sam, this is a known bug, already documented in bug #379771.

That one looks like a different bug. I don't have a problem with cryptsetup detecting an existing unencrypted swap partition because there isn't one. The problem I have is that once it's decrypted the partition it finds a previously existing encrypted swap partition which it complains about. cryptsetup should just use the previously existing swap partition as-is when it finds it.

> the upload of cryptsetup 1.0.4~rc2-1, fixing this bug as well as many
> others is currently pending due to build issues.

I've installed that version and this bug isn't fixed yet.

--
Sam Couter | mailto:[EMAIL PROTECTED]
           | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#385317: cryptsetup: cannot start encrypted swap with static key
Package: cryptsetup
Version: 1.0.3-3

With the following line in /etc/crypttab:

    cswap /dev/mapper/rootvg-swap /etc/keys/swap.key swap

The cryptdisks script fails to start the encrypted swap device:

    laptop:/lib/cryptsetup/checks# /etc/init.d/cryptdisks start
    Starting remaining crypto disks... cswap(starting)
     - The device /dev/mapper/cswap contains a filesystem type swap.
     - the check for '/dev/mapper/cswap' failed. /dev/mapper/cswap contains data.
     - removing the crypto device cswap
     croot(running) done.
    laptop:/lib/cryptsetup/checks#

The line that fails is /lib/cryptsetup/cryptdisks.functions line 346:

    if $SWCHECK $MAPPER/$dst $SWCHECKARGS; then
        mkswap $MAPPER/$dst 2>/dev/null >/dev/null
    else
        echo -e "\n - the check for '$MAPPER/$dst' failed. $MAPPER/$dst contains data." >&2
        echo " - removing the crypto device $dst" >&2
        do_close
    fi

SWCHECK is un_vol_id, which fails when the newly started swap partition already contains a swap header, which it will if the encryption key isn't random.

I'm not sure of the intent of the test, but the following seems to work:

    if /lib/cryptsetup/checks/vol_id $MAPPER/$dst $SWCHECKARGS || $SWCHECK $MAPPER/$dst $SWCHECKARGS; then
        mkswap $MAPPER/$dst 2>/dev/null >/dev/null
    elif ! /lib/cryptsetup/checks/vol_id $MAPPER/$dst $SWCHECKARGS; then
        echo -e "\n - the check for '$MAPPER/$dst' failed. $MAPPER/$dst contains data." >&2
        echo " - removing the crypto device $dst" >&2
        do_close
    fi

--
Sam Couter | mailto:[EMAIL PROTECTED]
           | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#365306: Also need to chmod u-s /usr/lib/amanda/dumper
The SSH authentication agent gets messed up somehow when /usr/lib/amanda/dumper is suid. I needed to chmod u-s /usr/lib/amanda/dumper to make it work properly. Perhaps dpkg-statoverride is of use here.

There may be a way to make the suid work without losing the SSH authentication agent environment variables too.

--
Sam Couter | mailto:[EMAIL PROTECTED]
           | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#365306: amanda: Please support 'ssh' authentication (and transport) method
Package: amanda
Version: 1:2.5.0-2
Severity: wishlist

Please support the 'ssh' authentication method, which also doubles as a secure transport.

The docs claim that just adding '--with-ssh-security' to the configure command line is sufficient. My basic testing indicates that this is true. I haven't tested to see if it breaks anything else.

--
Sam Couter | mailto:[EMAIL PROTECTED]
           | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#364284: cdrw-taper: New version available
Package: cdrw-taper
Version: 0.3-7
Severity: wishlist

A new version (0.4) of CDRW-Taper has been made available: http://www.tivano.de/software/amanda/Installation.shtml

--
Sam Couter | mailto:[EMAIL PROTECTED]
           | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#321666: iopl() returns EPERM because ptal-mlcd isn't root!
The problem is that ptal-mlcd is running as a non-root user and is trying to use iopl() to grant itself permission to directly mess with the parallel IO port. iopl() only works for root. Looks like this bug only affects parallel printers.

The iopl() man page says "Permissions are inherited by fork and exec.", so one solution may be to make the iopl() call from the init script. Which, BTW, needs a dose of "use English;". What the hell is this mess?

    $( = $) = $gpw[2] $gpw[2] $agpw[2]; $ = $ = $upw[2];

That's just line noise!

One other solution is to run ptal-mlcd as root, then get it to drop privileges itself after calling iopl(). This is probably the best/neatest solution but also the more difficult one to implement.

--
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED]
                 | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#321666: Found bug #321666 again
found 321666 0.91-7
found 321666 0.91-8
stop

Without details on the bug, I can't be 100% sure, but I'm seeing this same error message with both 0.91-8 and 0.91-7.

Device permissions look fine, ptal-printd is running as the hpojlp user, and hpojlp is in the lp group.

--
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED]
                 | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#324851: firehol: provide concurrent execution protection
Package: firehol
Version: 1.231-3

Please provide a way to safely run firehol from PPP scripts even if it hasn't yet finished running from the boot process. I used to use 'condrestart' to do this, but the meaning of that command seems to have changed.

It needs to run from the ip-up scripts so IP address changes are noticed, and it needs to run on boot so the machine is protected ASAP. Having it run twice concurrently leads to doubled-up rules or lots of errors.

--
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED]
                 | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#315740: Not just amd64
I'm seeing the same behaviour on an AMD Athlon XP which is i386 architecture, so it's not restricted to amd64 only.

--
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED]
                 | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#302652: Patch for build attached
tags 302652 +patch stop Trivial patch for build attached. -- Sam Eddie Couter | mailto:[EMAIL PROTECTED] Debian Developer| mailto:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C --- ../beepcore-c.orig/beepcore-c-0.2+cvs20030603/debian/rules 2005-07-09 18:38:04.809081760 +1000 +++ beepcore-c-0.2+cvs20030603/debian/rules 2005-07-09 17:15:07.795536577 +1000 @@ -52,6 +52,8 @@ dh_testroot rm -f build-stamp configure-stamp -$(MAKE) distclean + # Keep dpkg-source happy + rm -f config.sub config.guess dh_clean install: build --- ../beepcore-c.orig/beepcore-c-0.2+cvs20030603/unix/Makefile.in 2002-09-07 11:15:25.0 +1000 +++ beepcore-c-0.2+cvs20030603/unix/Makefile.in 2005-07-09 18:27:22.471183497 +1000 @@ -37,7 +37,7 @@ all: libbeepcore-c.la clean: - rm -f libbeepcore-c.la + rm -rf *.[ao] *.so *.lo *.la .libs install: libbeepcore-c.la $(INSTALL_DIR) $(DESTDIR)$(libdir) signature.asc Description: Digital signature
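Review bot: In the debian/rules hunk, `rm -f config.sub config.guess` follows a `-$(MAKE) distclean` whose failure is ignored, and the added comment says only "Keep dpkg-source happy"; name in the comment what recreates the two files on the next build, since the dpkg-source output in the original report shows them as symlinks after a build and nothing in this hunk restores them.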
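Review bot: In the unix/Makefile.in hunk the clean rule becomes `rm -rf *.[ao] *.so *.lo *.la .libs`, where `-r` is only needed for `.libs`; using `rm -f` for the file globs and a separate `rm -rf .libs` limits what a stray directory matching one of the globs could remove.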
Bug#315074: ipkungfu: Renders system inaccessible
Package: ipkungfu
Version: 0.5.2-3
Severity: critical
Justification: renders entire system inaccessible

Don't do this:

    # apt-get install ipkungfu

Because then you have to do this:

- Grab spare monitor and keyboard
- Lug spare monitor and keyboard across the room/city/state/country
- Crawl into corner where machines are stacked
- Plug spare monitor and keyboard in
- Shut down (or purge) ipkungfu
- Unplug monitor and keyboard
- Return monitor and keyboard to their rightful resting places

Not happy. At least my spare monitor and keyboard only have to travel a few metres. I'd be *pissed* if I had to drive across town or wake someone local up to fix it.

Simplest fix: add /etc/default/ipkungfu with ENABLED=false, source the file in the init script and only start if ENABLED is not false.

Side note:

    [EMAIL PROTECTED]:~# grep -A3 Include /etc/init.d/ipkungfu
    # Include ipkungfu defaults if available
    if [ -f /etc/ipkungfu ] ; then
        . /etc/ipkungfu
    fi
    [EMAIL PROTECTED]:~# file /etc/ipkungfu
    /etc/ipkungfu: directory
    [EMAIL PROTECTED]:~#

--
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED]
                 | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#309615: libapache2-svn: missing Depends
Package: libapache2-svn
Version: 1.1.4-2
Severity: serious
Justification: Breaks apache

The libapache2-svn package needs a few extra Depends: on SASL and SSL libraries.

    [EMAIL PROTECTED]:/var/log/apache2# /etc/init.d/apache2 start
    Starting web server: Apache2/usr/sbin/apache2: error while loading shared libraries: libsasl.so.7: cannot open shared object file: No such file or directory
    [EMAIL PROTECTED]:/var/log/apache2# ldd /usr/lib/apache2/modules/mod_authz_svn.so | grep "not found"
            libsasl.so.7 => not found
            libssl.so.0.9.6 => not found
            libcrypto.so.0.9.6 => not found

--
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED]
                 | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#304853: firehol: concurrency check fails
Package: firehol
Version: 1.231-1
Severity: important

/sbin/firehol contains lines like:

    if [ -f /var/lock/firehol ] ; then
        echo Stopping: FireHOL is already running.
        exit 0
    fi

... but nothing ever creates a file named /var/lock/firehol. Running firehol at boot and at PPP link establishment (also at boot time) causes two firehol instances to run at once, resulting in all sorts of breakage.

--
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED]
                 | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
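An added sketch, not firehol's own code, of the concurrency problem in this report and in Bug#324851 above: a lock that is only tested lets every caller through, while a lock taken with `mkdir` admits exactly one. The function names and lock paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not firehol's code). Lock paths are constructed and
# live under a temporary directory.

# The pattern from the report: the lock file is tested but nothing ever
# creates it, so every caller is told it may proceed.
check_only() {
    if [ -f "$1" ]; then
        echo "Stopping: already running." >&2
        return 1
    fi
    return 0
}

# mkdir creates the directory or fails in a single step, so of two
# callers racing for the same path exactly one succeeds. A separate
# "test, then touch" would leave a window between the two commands.
acquire_lock() {
    mkdir "$1" 2>/dev/null || return 1
    echo "$$" > "$1/pid"      # record the holder for troubleshooting
    return 0
}

release_lock() {
    rm -rf "$1"
}

# run_exclusive LOCK COMMAND [ARGS...]
# Runs COMMAND while holding LOCK and releases it afterwards, also when
# COMMAND fails. Returns 75 if another instance holds the lock.
run_exclusive() {
    lock=$1
    shift
    acquire_lock "$lock" || return 75
    rc=0
    "$@" || rc=$?
    release_lock "$lock"
    return "$rc"
}

# Demonstration with constructed paths.
lockroot=$(mktemp -d)
check_only "$lockroot/flag" && check_only "$lockroot/flag" &&
    echo "check-only: both callers proceed"
acquire_lock "$lockroot/lock" && echo "boot-time run holds the lock"
run_exclusive "$lockroot/lock" true ||
    echo "ip-up run refused with status $?"
release_lock "$lockroot/lock"
rm -rf "$lockroot"
```

A run that is killed before `release_lock` leaves the directory behind; the recorded pid lets an operator or a boot-time cleanup tell a stale lock from a live one.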
Bug#302652: beepcore-c: debuild; debuild clean; debuild - breaks
Package: beepcore-c
Version: 0.2+cvs20030603-1

debuild; debuild clean leaves cruft lying around that dpkg-source can't handle for the next build:

    dpkg-source: building beepcore-c in beepcore-c_0.2+cvs20030603-1.diff.gz
    dpkg-source: cannot represent change to unix/.libs/libbeepcore-c.so.0.1.0: binary file contents changed
    dpkg-source: cannot represent change to unix/.libs/libbeepcore-c.so.0:
    dpkg-source:  new version is symlink
    dpkg-source:  old version is nonexistent
    dpkg-source: cannot represent change to unix/.libs/libbeepcore-c.so:
    dpkg-source:  new version is symlink
    dpkg-source:  old version is nonexistent
    dpkg-source: cannot represent change to unix/.libs/libbeepcore-c.a: binary file contents changed
    dpkg-source: cannot represent change to unix/.libs/libbeepcore-c.la:
    dpkg-source:  new version is symlink
    dpkg-source:  old version is nonexistent
    dpkg-source: cannot represent change to config.sub:
    dpkg-source:  new version is symlink
    dpkg-source:  old version is something else
    dpkg-source: cannot represent change to config.guess:
    dpkg-source:  new version is symlink
    dpkg-source:  old version is something else
    dpkg-source: building beepcore-c in beepcore-c_0.2+cvs20030603-1.dsc
    dpkg-source: unrepresentable changes to source

I don't know if this counts as a serious bug [FTBFS], since it builds immediately after extracting the source tarball, and I don't know if repeated in-place builds are required by policy.

--
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED]
                 | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#215191: pdns-backend-ldap: Can't find SOA for reverse zones
Matthijs Mohlmann [EMAIL PROTECTED] wrote:
> Are you still experiencing this problem ?

No, because I haven't been using PowerDNS for a while now. I don't know if this problem was eventually fixed or not.

--
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED]
                 | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#300849: beepcore-c0: mishandles sending CDATA piggyback data in channel open confirmation
Package: beepcore-c0 Version: 0.2+cvs20030603-1 Tags: patch xml_normalize_length() and xml_normalize_worker() disagree about the handling of CDATA sections. This leads to underruns when sending CDATA piggyback data in channel confirmations. Not-strictly-correct but probably good-enough-in-nearly-all-cases patch attached. It'll break if the piggyback data has more than one CDATA section. -- Sam Eddie Couter | mailto:[EMAIL PROTECTED] Debian Developer| mailto:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C --- beepcore-c-0.2+cvs20030603.orig/utility/xml_entities.c +++ beepcore-c-0.2+cvs20030603/utility/xml_entities.c @@ -297,6 +297,7 @@ int xml_normalize_worker(char * in, char * out, int outlen) { char * entities[256], * thisin, * thisout, * tmp; int inchar; + char *cdata, *cdataend; memset(entities, 0, sizeof(char *) * 256); entities[''] = ;tl; /* lt;; */ @@ -305,6 +306,9 @@ entities['\''] = ;sopa; /* apos;; */ entities[''] = ;pma; /* amp;; */ + cdata = strstr(in, ![CDATA[); + if (cdata) +cdataend = strstr(cdata, ]]) + 3; inchar = strlen(in); thisin = (in[inchar - 1]); thisout = (out[outlen]); @@ -312,7 +316,7 @@ thisout--; while (inchar) { -if (entities[(int)*thisin]) { +if (entities[(int)*thisin] !(cdata thisin = cdata cdataend thisin cdataend)) { tmp = entities[(int)*thisin]; while (*tmp) { *(thisout--) = *(tmp++); signature.asc Description: Digital signature
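Review bot: In the second hunk of xml_normalize_worker(), `cdataend = strstr(cdata, ]]) + 3` uses the result of strstr without a NULL check; when the input opens a CDATA section that is never closed, strstr returns NULL and cdataend becomes an invalid pointer that the loop condition then compares against thisin. Check the result first and either reject the input or treat the section as running to the end of `in`. cdataend is also left uninitialised when cdata is NULL, so initialise both pointers to NULL at their declaration in the first hunk.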
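Review bot: The guard added to the `if (entities[(int)*thisin] ...` test in the last hunk excludes only the one range between cdata and cdataend, found by a single strstr call, so entity characters inside a second CDATA section are still escaped, as the report itself notes; recording every section in a loop would close that gap. xml_normalize_length() is not touched by this patch although the report describes the two functions as disagreeing, so the length calculation should be checked against the new behaviour with the same inputs.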
Bug#300506: Ignore previous patch
Please ignore the patch I sent in the bug report; it causes more problems than it fixes.

The bug report is accurate, the patch is shoddy. I'll be working on a new one.

--
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED]
                 | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#300506: beepcore-c0: Incorrectly handles CDATA piggyback data
Package: beepcore-c0 Version: 0.2+cvs20030603-1 Tags: patch If a start message carries piggyback data that's expressed as a CDATA element, beepcore parses it incorrectly and chops the final off. Patch attached. -- Sam Eddie Couter | mailto:[EMAIL PROTECTED] Debian Developer| mailto:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C --- beepcore-c-0.2+cvs20030603.orig/base/generic/channel_0.c +++ beepcore-c-0.2+cvs20030603/base/generic/channel_0.c @@ -823,6 +823,8 @@ case '': if (2 = stridx) { stateidx--; /* pop back to PCDATA */ + if (current_counter) + (*current_counter)++; /* This gets decremented again later */ } else { stridx = 0; } signature.asc Description: Digital signature
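Review bot: The added `(*current_counter)++` compensates for a decrement that the comment says happens "again later", but the hunk neither shows nor names where; point the comment at that location, or make the fix there, so the counter is not adjusted in two places that must stay in step. A test start message whose piggyback data is a CDATA element would pin the intended behaviour.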
Bug#295036: libglibmm-2.4-1: assertion failed: (gobject_ == castitem)
Package: libglibmm-2.4-1
Version: 2.4.6-1

Multiple inheritance of the form of The Diamond of Death causes an assertion failure in Glib::Object::Object(). Test code attached.

Compile with:
g++ test.cc -o test `pkg-config glibmm-2.4 --cflags --libs`

Run with:
./test

And see:
glibmm-ERROR **: file objectbase.cc: line 77 (void Glib::ObjectBase::initialize(GObject*)): assertion failed: (gobject_ == castitem)
aborting...
Aborted

-- 
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED]
                 | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C

#include <glibmm/object.h>
#include <glibmm/init.h>

// A and B each derive (non-virtually) from Glib::Object.
class A : public Glib::Object
{
public:
  A(void){};
};

class B : public Glib::Object
{
public:
  B(void){};
};

// C therefore contains two Glib::Object base subobjects.
class C : public A, public B
{
public:
  C(void){};
};

int main(int argc, char *argv[])
{
  Glib::init();
  // Constructing C triggers the assertion shown above.
  C *c = new C;
}
Bug#294277: cdrw-taper: inconsistencies about need for intermediate directory
Ross Boylan [EMAIL PROTECTED] wrote:

> README.Debian says $DUMP_DIR should be on a large partition; one with enough free space to hold all of your dumped backups. Install.html says Since the PORT-WRITE command is now supported you no longer need to configure a holding disk. (Note I'm assuming, perhaps incorrectly, that the holding disk and the $DUMP_DIR are the same thing.)

They're not. Amanda has the concept of a holding disk, where it spools your backups before writing them to tape. You can instead have it write them directly to CDRW-Taper, which needs its own place to store stuff until it has enough to write a CD. That place is $DUMP_DIR.

> Overview.html says The idea is to have the taper copy the backed up data to several intermediate directories, each representing a single CDRW. After the backup is finished, these can be burnt to CDRW one by one.

The first disk can be burnt as soon as it's ready. The rest have to be stored on the disk until a human (or trained monkey) can physically change CDs and burn some more. There is supposedly some support for disk changers, just in case you have one, but I don't think it's tested.

> All this leaves me thoroughly confused about whether I need to have disk space sufficient to hold my entire backup at once or not. This is probably the difference between something that is feasible or not for me.

You will need approximately enough space to hold (entire backup - one CD/DVD).

> I'm interested in backing up to multiple CD's. Unfortunately, Install.html is filled with lots of warnings that the relevant functionality (including PORT-WRITE) is alpha.

I have successfully had CDRW-Taper automatically burning the first disc of a backup run, but I wouldn't call it well tested. I had to fix a few bugs to make it work and I may not have gotten them all.

> The authors of this package might want to look at, or even use, cdbackup, which has multi-volume capability.

The (upstream) authors of this package don't seem to care about it anymore. I'm personally using bacula these days, not CDRW-Taper, and I'm looking for someone to take over the package. I can sponsor uploads.

> P.S. I'd think amanda-cdrw-taper would be a better name for this package.

This is possibly true, but probably not worth the trouble of changing it.

-- 
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED]
                 | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#293658: RFA: cdrw-taper -- taper replacement for amanda to support backups to CD-RW or DVD+RW
Package: wnpp
Severity: normal

I no longer use CDRW-Taper and would prefer it be maintained by a regular user. Doesn't appear to be actively maintained upstream.

-- 
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED]
                 | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Bug#292628: shorewall: Add actions for Bacula backup system
Package: shorewall
Version: 2.0.15-1
Severity: wishlist

Please add attached actions for Bacula backup system.

-- 
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED]
                 | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C

#
# Shorewall 2.0 /etc/shorewall/action.AllowAmanda
#
# This action accepts connections required by the Amanda backup system.
#
##
#TARGET  SOURCE  DEST  PROTO  DEST        SOURCE   RATE
#                             PORT        PORT(S)  LIMIT
ACCEPT   -       -     tcp    bacula-dir
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#
# Shorewall 2.0 /etc/shorewall/action.AllowAmanda
#
# This action accepts connections required by the Amanda backup system.
#
##
#TARGET  SOURCE  DEST  PROTO  DEST        SOURCE   RATE
#                             PORT        PORT(S)  LIMIT
ACCEPT   -       -     tcp    bacula-fd
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#
# Shorewall 2.0 /etc/shorewall/action.AllowAmanda
#
# This action accepts connections required by the Amanda backup system.
#
##
#TARGET  SOURCE  DEST  PROTO  DEST        SOURCE   RATE
#                             PORT        PORT(S)  LIMIT
ACCEPT   -       -     tcp    bacula-sd
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Bug#291667: firehol: Please wait until ppp0 exists
Package: firehol Version: 1.214-1 Severity: wishlist When using SNAT or DNAT it's useful and sometimes necessary to know the address of the PPP interface. If that address is allocated dynamically, it can't be predicted and put in the configuration. Instead, a line like this in /etc/firehol/firehol.conf can determine the address: EXT_IP=`ip addr show dev ppp0 | awk '$1 ~ /^inet$/ {print $2}'` [ Feel free to include this line in the documentation somewhere ] However, this relies on the ppp0 interface being up and configured. The attached patch allows the user to list interfaces in the variable WAIT_FOR_IFACE in /etc/default/firehol to cause FireHOL to wait until those interfaces exist before reading the configuration file. This also requires that FireHOL be started slightly later in the boot process, after S40networking instead of before. Two patches attached: One for /sbin/firehol for the waiting code itself, one for the postinst script to change the invocation of update-rc.d. -- Sam Eddie Couter | mailto:[EMAIL PROTECTED] Debian Developer| mailto:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C --- /sbin/firehol 2004-12-24 07:53:47.0 +1100 +++ /root/firehol.new 2005-01-22 19:45:35.0 +1100 
@@ -726,6 +726,52 @@ ${CAT_CMD} ${FIREHOL_CONFIG} | ${GAWK_CMD} -f ${FIREHOL_TMP}.awk ${FIREHOL_TMP} ${RM_CMD} -f ${FIREHOL_TMP}.awk +#--- +# Wait for interfaces, if necessary + +wait_for_interface() { + local iface=$1; shift + local timeout=60 + + if [ -n $1 ]; then + timeout=$1 + fi + + local start=`date +%s` + local found=0 + + # loop until the interface is found or the timeout exceeds + while [ `date +%s` -lt $(($start+$timeout)) -a $found -eq 0 ] + do + local addr=`ip addr show $iface 2 /dev/null | awk '$1 ~ /^inet$/ {print $2}'` + if [ -n $addr ] + then + found=1 + fi + if [ $found -eq 0 ] + then + sleep 0.5 + fi + done + + if [ $found -eq 1 ] + then + # the interface is up + return 0 + else + # timeout exceeded + return 1 + fi +} + +if [ -n $WAIT_FOR_IFACE ] +then + for i in $WAIT_FOR_IFACE + do + wait_for_interface $i + done +fi + # -- # Run the configuration file. --- debian/postinst.orig2005-01-22 20:19:18.0 +1100 +++ debian/postinst 2005-01-22 20:19:50.0 +1100 @@ -12,7 +12,7 @@ case $1 in configure) - update-rc.d firehol start 38 S . start 36 0 6 . /dev/null + update-rc.d firehol start 41 S . start 36 0 6 . /dev/null ;; abort-upgrade|abort-remove|abort-deconfigure) signature.asc Description: Digital signature
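Review bot: the caller loop for i in $WAIT_FOR_IFACE throws away the return status of wait_for_interface, so after a timeout FireHOL still goes on to run the configuration file with the interface missing, and a line like the EXT_IP assignment from the report yields an empty address that ends up in the rules. Test the status and either abort with a message naming the interface or log a warning before continuing. The caller also never passes the second argument, so the 60-second default cannot be changed from /etc/default/firehol, and sleep 0.5 only works where sleep accepts fractional seconds.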
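Review bot: changing the sequence number in the update-rc.d firehol start 41 S line of the postinst hunk only takes effect where no firehol rc links exist yet; update-rc.d does nothing when links for the service are already present, so an upgraded system keeps the old S38 link and still starts before S40networking. The configure branch needs to remove or rename the existing links when upgrading from a version that installed them at 38, otherwise WAIT_FOR_IFACE only works on fresh installs.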
Bug#291680: firehol: insecure temporary directory handling
Package: firehol
Version: 1.214-1
Severity: critical
Tags: security sarge

Both firehol and firehol-wizard use known temporary file names in a predictably named temporary directory (PID-based). Neither program ensures that those directories are safe before blasting the contents of files within. An attacker can place carefully named symlinks in the directory and overwrite or corrupt many files on the system. I have exploited this (it's trivial if even I can do it).

Security team says: You may add that if the author/maintainer doesn't know how to fix the problem either, they should not hesitate to contact us.

-- 
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED]
                 | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
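The two conditions named in the report above (a PID-based directory name, and no safety check before writing into it), shown next to a hardened equivalent. This is an added example and not FireHOL's code; the function names and the example-tmp prefix are hypothetical, and the constructed scenario runs inside a throwaway sandbox directory.

```shell
#!/bin/sh
# Added example, not FireHOL code: every name and path here is hypothetical.

# Pattern from the report: PID-based directory name, reused without any checks.
unsafe_tmpdir() {
    dir="$1/example-tmp-$$"          # predictable, PIDs are easy to enumerate
    mkdir -p "$dir" || return 1      # -p also "succeeds" on a pre-existing entry
    printf '%s\n' "$dir"
}

# Hardened: mktemp picks a random name and creates it atomically with mode 0700.
safe_tmpdir() {
    ( umask 077 && mktemp -d "$1/example-tmp.XXXXXXXXXX" )
}

# Gate for code that must reuse a fixed path: a real directory (not a symlink),
# owned by the caller, with no group/other permission bits.
dir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case $(ls -ld "$1") in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed scenario in a throwaway sandbox: the predictable name already
# exists as a symlink before the script runs. Prints "unsafe=<r> safe=<r>".
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/elsewhere"
    ln -s "$sandbox/elsewhere" "$sandbox/example-tmp-$$"
    u=$(unsafe_tmpdir "$sandbox")
    s=$(safe_tmpdir "$sandbox")
    if dir_is_private "$u"; then ur=accepted; else ur=rejected; fi
    if dir_is_private "$s"; then sr=accepted; else sr=rejected; fi
    rm -rf "$sandbox"
    printf 'unsafe=%s safe=%s\n' "$ur" "$sr"
}

demo
```

Inside a sticky-bit parent such as /tmp, a directory that passes dir_is_private cannot be renamed or replaced by another unprivileged user, so files created in it afterwards are not exposed to the symlink problem the report describes.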
Bug#246947: ntp-simple should not listen to every single interface + INADDR_ANY
Matthias Urlichs wrote (a long time ago):

> The default configuration already limits which peers ntpd trusts.

The paranoid amongst us don't even want potentially malicious packets getting that far. If ntpd has to inspect a packet to determine whether or not it should trust that packet, it's potentially already vulnerable to attack.

> If you need to filter more strictly, you can use iptables, or authenticated NTP packets. Personally, I don't see much of a need to implement what amounts to a packet filter in a network daemon when there's a perfectly valid way to do this already.

It's a valid strategy sometimes referred to as the many layers of security. First layer is often network topography, second layer may be a packet filter, third layer may be restricting a service from listening on certain interfaces, and a fourth layer may be access controls within that service. These multiple layers mean that if a single layer fails (say, a misconfigured packet filter) the service doesn't instantly become vulnerable.

Relying on a single layer may be appropriate for your situation, but it's not always appropriate. It's discourteous for you to simply dismiss the concerns of others whose situations may not match yours.

Add me to the list of people who would like a listen w.x.y.z configuration parameter.

-- 
Sam Eddie Couter | mailto:[EMAIL PROTECTED]
Debian Developer | mailto:[EMAIL PROTECTED]
                 | jabber:[EMAIL PROTECTED]
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C