Bug#689314: perl: segfaults when echoing a very long string [CVE-2012-5195]

2013-01-11 Thread Niko Tyni
On Sat, Jan 05, 2013 at 04:44:48PM +, Dominic Hargreaves wrote:

 Strangely, when I try and reproduce with a vanilla 5.14.3 build, I
 get:
 
 $ ./perl -e 'print xx(2**31)'
 $ echo $?
 0
 
 which seems wrong in a different way...

FWIW, I can reproduce it with an unpatched 5.14.3 on current sid i386
(a personality=linux32 chroot on an amd64 kernel to be precise).  

I copied config.over from the Debian package and then called its
'config.debian --static'.  I haven't bisected which Configure options
actually count.

My guess is it's just going out of memory but doesn't handle it too
gracefully.

Core was generated by `./perl -e print xx(2**31)'.
Program terminated with signal 11, Segmentation fault.
#0  0xf75a2b4f in memcpy () from /lib/i386-linux-gnu/libc.so.6
(gdb) bt
#0  0xf75a2b4f in memcpy () from /lib/i386-linux-gnu/libc.so.6
#1  0x08162f9d in memcpy (__len=2002024496, __src=<optimized out>, __dest=<optimized out>)
    at /usr/include/i386-linux-gnu/bits/string3.h:52
#2  PerlIOBuf_write (my_perl=0x8df0008, f=0x8e07d70, vbuf=0x77525008, count=<optimized out>)
    at perlio.c:4184
#3  0x0813fefd in Perl_do_print (my_perl=my_perl@entry=0x8df0008, sv=0x8e0c13c, fp=fp@entry=0x8e07d70)
    at doio.c:1257
#4  0x080e4ab3 in Perl_pp_print (my_perl=0x8df0008) at pp_hot.c:773
#5  0x080e2878 in Perl_runops_standard (my_perl=0x8df0008) at run.c:41
#6  0x0807eef0 in S_run_body (oldscope=0, my_perl=0x8df0008) at perl.c:2365
#7  perl_run (my_perl=0x8df0008) at perl.c:2283
#8  0x0806125f in main (argc=3, argv=0xffdefe94, env=0xffdefea4) at perlmain.c:120


Summary of my perl5 (revision 5 version 14 subversion 3) configuration:
  Derived from: 
  Platform:
osname=linux, osvers=3.2.0-4-amd64, 
archname=i486-linux-gnu-thread-multi-64int
uname='linux madeleine 3.2.0-4-amd64 #1 smp debian 3.2.32-1 i686 gnulinux '
config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN 
-D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Werror=format-security -Dldflags= -Wl,-z,relro -Dlddlflags=-shared 
-Wl,-z,relro -Dcccdlflags=-fPIC -Darchname=i486-linux-gnu -Dprefix=/usr 
-Dprivlib=/usr/share/perl/5.14 -Darchlib=/usr/lib/perl/5.14 -Dvendorprefix=/usr 
-Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 
-Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.14.3 
-Dsitearch=/usr/local/lib/perl/5.14.3 -Dman1dir=/usr/share/man/man1 
-Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 
-Dsiteman3dir=/usr/local/man/man3 -Duse64bitint -Dman1ext=1 -Dman3ext=3perl 
-Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm 
-Ui_libutil -DDEBUGGING=-g -Doptimize=-O2 -Uuseshrplib -des'
hint=recommended, useposix=true, d_sigaction=define
useithreads=define, usemultiplicity=define
useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
use64bitint=define, use64bitall=undef, uselongdouble=undef
usemymalloc=n, bincompat5005=undef
  Compiler:
cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -D_FORTIFY_SOURCE=2 
-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Werror=format-security -fno-strict-aliasing -pipe -I/usr/local/include 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
optimize='-O2 -g',
cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -D_FORTIFY_SOURCE=2 -g -O2 
-fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security 
-fno-strict-aliasing -pipe -I/usr/local/include'
ccversion='', gccversion='4.7.2', gccosandvers=''
intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
ivtype='long long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', 
lseeksize=8
alignbytes=4, prototype=define
  Linker and Libraries:
ld='cc', ldflags =' -Wl,-z,relro -fstack-protector -L/usr/local/lib'
libpth=/usr/local/lib /lib/i386-linux-gnu /lib/../lib 
/usr/lib/i386-linux-gnu /usr/lib/../lib /lib /usr/lib
libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat
perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
libc=, so=so, useshrplib=false, libperl=libperl.a
gnulibc_version='2.13'
  Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
cccdlflags='-fPIC', lddlflags='-shared -Wl,-z,relro -L/usr/local/lib 
-fstack-protector'


Characteristics of this binary (from libperl): 
  Compile-time options: MULTIPLICITY PERL_DONT_CREATE_GVSV
PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP
PERL_PRESERVE_IVUV USE_64_BIT_INT USE_ITHREADS
USE_LARGE_FILES USE_PERLIO USE_PERL_ATOF
USE_REENTRANT_API
  Locally applied patches:
uncommitted-changes
  Built under linux
  Compiled at Jan 11 2013 08:10:08
  @INC:
lib
/usr/local/lib/perl/5.14.3
/usr/local/share/perl/5.14.3
/usr/lib/perl5
/usr/share/perl5
/usr/lib/perl/5.14

Bug#697847: [Pkg-ace-devel] Bug#697847: missing source for Win32 binaries

2013-01-11 Thread Neil McGovern
On Thu, Jan 10, 2013 at 09:26:37PM +0100, Thomas Girard wrote:
 Since my GPG key has expired, I will not be able to upload this in a
 timely fashion, so you can consider this email as a call for NMU.
 

For info, you can simply change the expiration date...

Neil


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#697580: connman: CVE-2012-6459

2013-01-11 Thread John Paul Adrian Glaubitz
Ping,

any news regarding this RC bug? If no one volunteers, I'd be happy to
make an NMU. As for the testing of this bug, I cannot readily verify
the fix since the test utility for Connman - test-connman - is not
part of Debian.

However, since the patch was provided by upstream, I assume that the
changes made are correct and working. So we should trust them and
apply the patch immediately.

Comments?

Cheers,

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913





Bug#697919: Fails to build if the build machine is fast

2013-01-11 Thread Sjoerd Simons
Package: plexus-cipher
Version: 1.5-3
Severity: serious
Tags: patch
Justification: fails to build from source (but built successfully in the past)

When building on a fast machine I get:

Running org.sonatype.plexus.components.cipher.PBECipherTest
+K09MzMSG00HwGTNaRzYDsUqhiabft0kDLpG1hGpezo=
+K09MzMSG00HwGTNaRzYDsUqhiabft0kDLpG1hGpezo=
Tests run: 2, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.002 sec 
FAILURE!

Results :

Failed tests:
testEncrypt(org.sonatype.plexus.components.cipher.PBECipherTest)


Digging into this a bit, the failed test asserts that a certain plaintext
doesn't encrypt to the same result twice. Unfortunately the PBECipher
implementation initializes its random generators with System.currentTimeMillis
(suspicious in itself imho), which simply means encrypting a plaintext twice in
the same millisecond will result in the same encrypted text, hence a test
failure.

Attaching a simple patch which enforces a sleep between the two encrypt calls
which works around this issue.

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (101, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.7-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- a/src/test/java/org/sonatype/plexus/components/cipher/PBECipherTest.java
+++ b/src/test/java/org/sonatype/plexus/components/cipher/PBECipherTest.java
@@ -55,6 +55,8 @@
 
 System.out.println(enc);
 
+Thread.sleep (100);
+
 String enc2 = _cipher.encrypt64( _cleatText, _password );
 
 assertNotNull( enc2 );
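Review bot: the `Thread.sleep (100);` added before the second `_cipher.encrypt64( _cleatText, _password )` call only masks the defect. It pushes the two calls into different milliseconds so the test passes, but the clock-seeded generator in PBECipher is unchanged, so two real encryptions within one millisecond still yield identical output. Prefer fixing the seeding (for example by drawing the random bytes from `java.security.SecureRandom`) and keeping the test free of delays so it keeps catching the problem. If the sleep stays as a stopgap, add a comment naming the bug it works around and confirm that the enclosing test method declares `throws InterruptedException` or a broader exception, since the method signature is not visible in this hunk.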
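The failure mode described in this report, as an added example (not code from plexus-cipher or from the reporter): a salt drawn from a PRNG seeded with a clock value repeats whenever the clock value repeats, so the whole ciphertext repeats, while a `SecureRandom` salt does not. The class name, the PBKDF2/AES construction, the salt length, the iteration count and the sample inputs are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Illustration only: hypothetical class, not the plexus-cipher implementation. */
public class ClockSeededSaltDemo {
    private static final int SALT_LEN = 8;        // assumed salt length in bytes
    private static final int ITERATIONS = 10000;  // assumed PBKDF2 iteration count

    /** Weak pattern: the salt is fully determined by the clock value used as seed. */
    static byte[] clockSeededSalt(long clockMillis) {
        byte[] salt = new byte[SALT_LEN];
        new Random(clockMillis).nextBytes(salt);
        return salt;
    }

    /** Hardened pattern: the salt comes from the platform CSPRNG. */
    static byte[] csprngSalt(SecureRandom rng) {
        byte[] salt = new byte[SALT_LEN];
        rng.nextBytes(salt);
        return salt;
    }

    /**
     * Derives an AES-128 key and a 128-bit IV from (password, salt) and
     * returns base64(salt || ciphertext). With a fixed password and plaintext,
     * the output depends on the salt alone.
     */
    static String encrypt64(String clearText, String password, byte[] salt)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, 256);
        byte[] material = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword();

        SecretKeySpec key = new SecretKeySpec(Arrays.copyOfRange(material, 0, 16), "AES");
        IvParameterSpec iv = new IvParameterSpec(Arrays.copyOfRange(material, 16, 32));

        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, iv);
        byte[] ct = cipher.doFinal(clearText.getBytes(StandardCharsets.UTF_8));

        byte[] out = new byte[salt.length + ct.length];
        System.arraycopy(salt, 0, out, 0, salt.length);
        System.arraycopy(ct, 0, out, salt.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String clearText = "constructed sample plaintext";   // constructed input
        String password = "constructed-sample-password";     // constructed input

        // Passing the clock reading explicitly models "two calls in the same
        // millisecond" deterministically, with no dependence on machine speed.
        long clock = System.currentTimeMillis();
        String weak1 = encrypt64(clearText, password, clockSeededSalt(clock));
        String weak2 = encrypt64(clearText, password, clockSeededSalt(clock));

        SecureRandom rng = new SecureRandom();
        String strong1 = encrypt64(clearText, password, csprngSalt(rng));
        String strong2 = encrypt64(clearText, password, csprngSalt(rng));

        System.out.println("clock-seeded salt, same millisecond: identical = "
                + weak1.equals(weak2));
        System.out.println("SecureRandom salt:                   identical = "
                + strong1.equals(strong2));

        // Fail loudly if either property does not hold.
        if (!weak1.equals(weak2)) {
            throw new IllegalStateException("clock-seeded salts unexpectedly differed");
        }
        if (strong1.equals(strong2)) {
            throw new IllegalStateException("CSPRNG salts unexpectedly collided");
        }
    }
}
```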


Bug#697930: nagios3: CVE-2012-6096

2013-01-11 Thread Moritz Muehlenhoff
Package: nagios3
Severity: grave
Tags: security
Justification: user security hole

This was assigned CVE-2012-6096:
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html

Fix:
http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547

Cheers,
Moritz





Bug#697931: icinga: CVE-2012-6096

2013-01-11 Thread Moritz Muehlenhoff
Package: icinga
Severity: grave
Tags: security
Justification: user security hole

This was assigned CVE-2012-6096:
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html

Fix:
http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547

Cheers,
Moritz





Bug#681138: closed by Thomas Mueller thomas.muel...@tmit.eu (Bug#681138: fixed in owncloud 4.0.5debian-1)

2013-01-11 Thread Dominic Hargreaves
On Fri, Jul 27, 2012 at 02:51:20PM +, Debian Bug Tracking System wrote:
 This is an automatic notification regarding your Bug report
 which was filed against the owncloud package:
 
 #681138: owncloud: setup sets wrong db entrys which prevent using cal/carddav
 
 It has been closed by Thomas Mueller thomas.muel...@tmit.eu.

This RC bug still affects wheezy. I had a look at how to fix this, but
could find out from 

http://bugs.owncloud.org/thebuggenie/owncloud/issues/oc-1199
(the Comments don't appear to appear when you click on the 'Comments'
link)

or

git log -p v4.0.4..v4.0.5

what the change in 4.0.5 which fixes this was. Can someone who is
familiar with owncloud advise?

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)





Bug#697866: libgtk-3-bin fails to upgrade to 3.4.2-5

2013-01-11 Thread Vasudev Kamath
On 18:55 Thu 10 Jan , Michael Biebl wrote:
 On 10.01.2013 18:25, Vasudev Kamath wrote:
  Package: libgtk-3-bin
  Version: 3.4.2-5
  Severity: serious
  
  When trying to upgrade from 3.4.2-4 to 3.4.2-5 I get following error and
  aptitude aborts
  
  Adding 'diversion of /usr/sbin/update-icon-caches to 
  /usr/sbin/update-icon-caches.gtk2 by libgtk-3-bin'
  dpkg-divert: error: rename involves overwriting 
  `/usr/sbin/update-icon-caches.gtk2' with
different file `/usr/sbin/update-icon-caches', not allowed
  dpkg: error processing 
  /var/cache/apt/archives/libgtk-3-bin_3.4.2-5_amd64.deb (--unpack):
   subprocess new pre-installation script returned error exit status 2
  Errors were encountered while processing:
   /var/cache/apt/archives/libgtk-3-bin_3.4.2-5_amd64.deb
  
  This leaves the package management in broken state hence I marked the
  bug as serious
 
 The relevant code hasn't been changed for ages, so I really doubt that
 it is a problem specific to 3.4.2-5.
 
 What does
 dpkg -S /usr/sbin/update-icon-caches
 give you.

This command gives libgtk2.0-bin, libgtk-3-bin:/usr/sbin/update-icon-caches

But weirdly
dpkg -S /usr/sbin/update-icon-caches.gtk2 
dpkg-query: no path found matching pattern /usr/sbin/update-icon-caches.gtk2

also apt-file search fails to find package which ships update-icon-caches.gtk2

 Which version of libgtk2.0-0 do you have installed?

libgtk2.0-0:
  Installed: 2.24.10-2
  Candidate: 2.24.10-2
  Version table:
 2.24.14-1 0
  1 http://localhost/debian/ experimental/main amd64 Packages
 *** 2.24.10-2 0
500 http://localhost/debian/ unstable/main amd64 Packages
100 /var/lib/dpkg/status

 What's the output of
 md5sum /usr/sbin/update-icon-caches*
  

6a2ca9da3d9e2cbb106f36a54a782ac6  /usr/sbin/update-icon-caches

Hope this information helps. I will be travelling over weekend so might
not be able to reply in case further information is required. I should
be able to get back from Monday

Best Regards
-- 
Vasudev Kamath
http://copyninja.info
Connect on ~friendica: copyninja@{frndk.de | vasudev.homelinux.net}
IRC nick: copyninja | vasudev {irc.oftc.net | irc.freenode.net}
GPG Key: C517 C25D E408 759D 98A4  C96B 6C8F 74AE 8770 0B7E




Bug#697936: condor: CVE-2012-5390: possible privilege escalation

2013-01-11 Thread Salvatore Bonaccorso
Package: condor
Severity: grave
Tags: security
Justification: user security hole

Hi,

the following vulnerability was published for condor.

CVE-2012-5390[0]:
Possible privilege escalation

This is mentioned on the stable release series notes[1] as well as the
development release series[2]. Should be fixed in 7.8.6 and 7.9.1, so
wheezy and unstable might be affected.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2012-5390
[1] http://research.cs.wisc.edu/htcondor/manual/v7.8/9_3Stable_Release.html
[2] http://research.cs.wisc.edu/htcondor/manual/v7.9/9_3Development_Release.html
[3] https://condor-wiki.cs.wisc.edu/index.cgi/tktview?tn=3268

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore




Bug#697936: condor: CVE-2012-5390: possible privilege escalation

2013-01-11 Thread Salvatore Bonaccorso
Hi

I have submitted this as grave severity, but could you double check if
this is actually a problem for condor in Debian?

 [1]: 
http://research.cs.wisc.edu/htcondor/security/vulnerabilities/CONDOR-2012-0003.html

Regards,
Salvatore





Bug#640851: evolution: local mail files no longer accessible

2013-01-11 Thread Karsten Voss
Because of this bug I updated to 3.6.1-1 from experimental - it didn't
help.

Regards 
Karsten 





Bug#697795: tsung crashes: Kernel pid terminated

2013-01-11 Thread Ignace Mouzannar
Hi Stuart,

Thanks for your report.

On Wed, Jan 9, 2013 at 2:52 PM, Stuart Freeman
stuart.free...@et.gatech.edu wrote:
 Tsung crashes with output that looks like:

   $ tsung -f tsung.xml start
   Starting Tsung
   Log directory is: /home/stuart/.tsung/log/20130109-1449
   {Kernel pid
   
 terminated,application_controller,{application_terminated,tsung_controller,shutdown}}

   Crash dump was written to: erl_crash.dump
   Kernel pid terminated (application_controller)
   ({application_terminated,tsung_controller,shutdown})

I am unable to reproduce your crash.

My installation:

ii  tsung        1.4.2-1.1        amd64  distributed multi-protocol load t
ii  erlang-base  1:15.b.1-dfsg-3  amd64  Erlang/OTP virtual machine and base applications


Here is my test (attached is my tsung.xml file)

~/src$ tsung -f tsung.xml start
Starting Tsung
Log directory is: /home/ghantoos/.tsung/log/20130111-1011
^C
BREAK: (a)bort (c)ontinue (p)roc info (i)nfo (l)oaded
   (v)ersion (k)ill (D)b-tables (d)istribution


Can you please provide your xml file for further investigation?

In the meantime, I will be downgrading the severity to Important.

Cheers,
 Ignace M
<?xml version="1.0"?>
<!DOCTYPE tsung SYSTEM "/usr/share/tsung/tsung-1.0.dtd">
<tsung loglevel="info" version="1.0">

<clients>
<client host="localhost" use_controller_vm="true" maxusers="3"/>
</clients>

<servers>
<server host="127.0.0.1" port="80" type="tcp"/>
</servers>

<load>
<arrivalphase phase="1" duration="5" unit="minute">
<users interarrival="1" unit="second"></users>
</arrivalphase>
</load>

<sessions>
<session name="localhost" probability="100"  type="ts_http">
<transaction name="localpage_01">
<request><http url='http://localhost/' version='1.1' method='GET'></http></request>
</transaction>
</session>
</sessions>
</tsung>
/xml



Processed: Re: Bug#697795: tsung crashes: Kernel pid terminated

2013-01-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 severity 697795 important
Bug #697795 [tsung] tsung crashes: Kernel pid terminated
Severity set to 'important' from 'grave'
 tags 697795 = moreinfo unreproducible
Bug #697795 [tsung] tsung crashes: Kernel pid terminated
Added tag(s) unreproducible and moreinfo.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
697795: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697795
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: Re: Bug#697930: nagios3: CVE-2012-6096

2013-01-11 Thread Debian Bug Tracking System
Processing control commands:

 found -1 3.2.1-2
Bug #697930 [nagios3] nagios3: CVE-2012-6096
Marked as found in versions nagios3/3.2.1-2.

-- 
697930: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697930
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#697930: nagios3: CVE-2012-6096

2013-01-11 Thread Jonathan Wiltshire

Control: found -1 3.2.1-2

On 2013-01-11 13:50, Moritz Muehlenhoff wrote:

Package: nagios3
Severity: grave
Tags: security
Justification: user security hole

This was assigned CVE-2012-6096:

http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html

Fix:

http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547


I tested against squeeze and reproduced the problem. We use nagios at 
work so I'm happy to prepare DSA packages if required.


--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

directhex i have six years of solaris sysadmin experience, from
8-10. i am well qualified to say it is made from bonghits
layered on top of bonghits





Bug#697936: [htcondor-debian] Bug#697936: condor: CVE-2012-5390: possible privilege escalation

2013-01-11 Thread Jaime Frey
On Jan 11, 2013, at 8:45 AM, Salvatore Bonaccorso car...@debian.org wrote:

 Hi
 
 I have submitted this as grave severity, but could you double check if
 this is actually a problem for condor in Debian?
 
 [1]: 
 http://research.cs.wisc.edu/htcondor/security/vulnerabilities/CONDOR-2012-0003.html
 
 Regards,
 Salvatore


This security vulnerability only affects Condor's standard universe, which is 
disabled in the Debian package. Thus, the Debian package of Condor is 
unaffected.

Thanks and regards,
Jaime Frey
UW-Madison HTCondor Project





Bug#695774: redmine: fails to upgrade, says something about a pgsql_adapter

2013-01-11 Thread Thorsten Glaser
On Sun, 16 Dec 2012, Jérémy Lal wrote:

 I am working on a fix.

Any news?

In the meantime, I tried to recover myself: look into
/etc/redmine/default/database.yml what was used as
password, connect as postgres to the DB and ALTER ROLE
and set the redmine user’s password to that.

Doesn’t work ☹

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke





Bug#697936: marked as done (condor: CVE-2012-5390: possible privilege escalation)

2013-01-11 Thread Debian Bug Tracking System
Your message dated Fri, 11 Jan 2013 17:15:50 +0100
with message-id 2013061550.GA17037@elende
and subject line Re: [htcondor-debian] Bug#697936: condor: CVE-2012-5390: 
possible privilege escalation
has caused the Debian Bug report #697936,
regarding condor: CVE-2012-5390: possible privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
697936: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697936
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Hi Jaime

On Fri, Jan 11, 2013 at 10:03:45AM -0600, Jaime Frey wrote:
 On Jan 11, 2013, at 8:45 AM, Salvatore Bonaccorso car...@debian.org wrote:
 
  Hi
  
  I have submitted this as grave severity, but could you double check if
  this is actually a problem for condor in Debian?
  
  [1]: 
  http://research.cs.wisc.edu/htcondor/security/vulnerabilities/CONDOR-2012-0003.html
  
  Regards,
  Salvatore
 
 
 This security vulnerability only affects Condor's standard universe,
 which is disabled in the Debian package. Thus, the Debian package of
 Condor is unaffected.

Thank you. I'm updating the security-tracker marking it as
not-affecting Debian then.

This bug can be closed then.

Regards,
Salvatore


---End Message---


Bug#570516: Not easily reproducible

2013-01-11 Thread Graham
Hi,

Though I'm currently not using md, I have done so in the past, and it
has always worked well for me. I saw this bug report and thought that
I might try to reproduce it. Here's what I did:

1. retrieved debian-5010-i386-netinst.iso from
http://cdimage.debian.org/mirror/cdimage/archive/5.0.1.0/i386/iso-cd/

2. created a new VMware virtual machine with two 1GB IDE virtual disks

3. started a text-based install

4. created partitions manually using the installer menus:

hda1: 98.7 MB, ext3, /boot
hda2: 970.6 MB, raid
hdb1: 98.7 MB, swap
hdb2: 970.6 MB, raid
md0: RAID1, hda2 and hdb2, ext3, / (root filesystem)

5. received an error message about failing to read the partition table
on md0, which is odd, but apparently harmless. Running mount in the
2nd virtual console showed md0 mounted as /target, so I continued
installation.

6. installation completed, booting from hard drive succeeded

7. removed lenny from sources.list, added squeeze, ran apt-get update
 apt-get dist-upgrade

8. MD arrays needed for the root filesystem: all

9. rebooted successfully with new kernel

Things to try:

* start with Debian 5.0.0 (outdated oldstable)
* upgrade to 6.0.0 (outdated stable)
* upgrade to wheezy (current testing)
* create the md array manually using old superblocks or whatever if possible?


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Processed: found 697895 in 0.9.13-2, severity of 697895 is grave, tagging 697895

2013-01-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 found 697895 0.9.13-2
Bug #697895 [libextlib-ruby] Update libextlib-ruby / ruby-extlib for 
vulnerabilities (Re: CVE-2013-0156)
Marked as found in versions libextlib-ruby/0.9.13-2.
 severity 697895 grave
Bug #697895 [libextlib-ruby] Update libextlib-ruby / ruby-extlib for 
vulnerabilities (Re: CVE-2013-0156)
Severity set to 'grave' from 'normal'
 tags 697895 + security
Bug #697895 [libextlib-ruby] Update libextlib-ruby / ruby-extlib for 
vulnerabilities (Re: CVE-2013-0156)
Added tag(s) security.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
697895: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697895
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#697186: marked as done (Missing dependency on libcollection-dev)

2013-01-11 Thread Debian Bug Tracking System
Your message dated Fri, 11 Jan 2013 17:32:38 +
with message-id e1ttit8-6w...@franck.debian.org
and subject line Bug#697186: fixed in ding-libs 0.1.3-2
has caused the Debian Bug report #697186,
regarding Missing dependency on libcollection-dev
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
697186: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697186
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: libini-config-dev
Version: 0.1.3-1
Severity: serious
Tags: patch

In /usr/include/ini_config.h there is a dependency on libcollection-dev
 #include <collection.h>

However it only depends on its own binary:
 Depends: libini-config2 (= 0.1.3-1)

Marked serious for violation of Debian Policy section 3.5 Dependencies:
 Every package must specify the dependency information about other
 packages that are required for the first to work correctly.

I will suggest that libcollection-dev be added to the Depends
entry in the control file, as done in the following patch:

diff --git a/debian/control b/debian/control
index 0bb7179..dfc43cb 100644
--- a/debian/control
+++ b/debian/control
@@ -113,7 +113,7 @@ Description: refcounted array for C
 Package: libini-config-dev
 Section: libdevel
 Architecture: any
-Depends: libini-config2 (= ${binary:Version}), ${misc:Depends}
+Depends: libini-config2 (= ${binary:Version}), libcollection-dev (= 
${binary:Version}), ${misc:Depends}
 Description: Development files for libini_config
  Library to process config files in INI format into a libcollection data
  structure. Development files.
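Review bot: the new `libcollection-dev (= ${binary:Version})` entry on the `Depends:` line pins the header dependency to the exact binary version, which is only correct as long as libcollection-dev is always built from the same source at the same version as libini-config-dev. If that is not guaranteed, a plain `libcollection-dev` or a `>=` bound satisfies the `#include` requirement without making the two packages uninstallable together after a version split. The added line is also wrapped after `(=` in this mail, so it has to be rejoined into a single `Depends:` line before the patch will apply cleanly to debian/control.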

-- 
Best regards
Asbjørn Sloth Tønnesen
asbjorn.biz
---End Message---
---BeginMessage---
Source: ding-libs
Source-Version: 0.1.3-2

We believe that the bug you reported is fixed in the latest version of
ding-libs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen tjaal...@ubuntu.com (supplier of updated ding-libs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Mon, 07 Jan 2013 21:41:36 +0100
Source: ding-libs
Binary: libpath-utils-dev libpath-utils1 libdhash-dev libdhash1 
libcollection-dev libcollection2 libref-array-dev libref-array1 
libini-config-dev libini-config2
Architecture: source amd64
Version: 0.1.3-2
Distribution: unstable
Urgency: low
Maintainer: Debian SSSD Team pkg-sssd-de...@lists.alioth.debian.org
Changed-By: Timo Aaltonen tjaal...@ubuntu.com
Description: 
 libcollection-dev - Development files for libcollection
 libcollection2 - Collection data-type for C
 libdhash-dev - Development files for libdhash
 libdhash1  - Dynamic hash table
 libini-config-dev - Development files for libini_config
 libini-config2 - INI file parser for C
 libpath-utils-dev - Development files for libpath_utils
 libpath-utils1 - Filesystem Path Utilities
 libref-array-dev - Development files for refcounted array for C
 libref-array1 - refcounted array for C
Closes: 697186
Changes: 
 ding-libs (0.1.3-2) unstable; urgency=low
 .
   * Add missing Depends on libcollection-dev for libini-config-dev.
 Thanks to Asbjørn Sloth Tønnesen asbj...@asbjorn.biz (Closes: #697186)
Checksums-Sha1: 

Bug#659301: Icedove will not start unless libdbusservice.so and libmailcomps.so, removed

2013-01-11 Thread Carsten Schoenert
Hello Raymond,

On Thu, Dec 13, 2012 at 01:45:35PM -0500, Raymond S Brand wrote:
 Carsten,
 
 I'm still using the (current) one from Debian Squeeze, and every
 time there is a security update I have to remove those libraries
 again to get it to work.

Why not try to use a version from Backports or from the unofficial
backport repository [1] from Mike? Mike provides the current ESR version
10 for squeeze. More about backports can be found in the wiki [2].

The described behavior is strange, we have at the moment no idea where
this comes from. To get deeper into it please provide some error
logging. This can be also found in the wiki [3].

But I can really recommend to use at minimum the squeeze backports.
Version 3.0.x is really old and quite not updated by mozilla!

[1] http://mozilla.debian.net
[2] http://wiki.debian.org/Icedove#BackPorts
[3] http://wiki.debian.org/Icedove#Debugging

Regards
Carsten





Processed: marked as notfound

2013-01-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 notfound 659994 icedove/10.0.3-2
Bug #659994 [icedove] [regression] icedove: symbol lookup error: 
[...]/libdbusservice.so: undefined symbol: NS_Alloc
Bug #660736 [icedove] Subject: icedove deads on undefined symbol
Bug #691985 [icedove] icedove: aborts on startup
Ignoring request to alter found versions of bug #659994 to the same values 
previously set
Ignoring request to alter found versions of bug #660736 to the same values 
previously set
Ignoring request to alter found versions of bug #691985 to the same values 
previously set
 notfound 660736 icedove/10.0.3-2
Bug #660736 [icedove] Subject: icedove deads on undefined symbol
Bug #659994 [icedove] [regression] icedove: symbol lookup error: 
[...]/libdbusservice.so: undefined symbol: NS_Alloc
Bug #691985 [icedove] icedove: aborts on startup
Ignoring request to alter found versions of bug #660736 to the same values 
previously set
Ignoring request to alter found versions of bug #659994 to the same values 
previously set
Ignoring request to alter found versions of bug #691985 to the same values 
previously set
 notfound 671483 icedove/10.0.3-2
Bug #671483 [icedove] icedove: crashes on startup with failed assertion
Ignoring request to alter found versions of bug #671483 to the same values 
previously set
 notfound 691985 icedove/10.0.3-2
Bug #691985 [icedove] icedove: aborts on startup
Bug #659994 [icedove] [regression] icedove: symbol lookup error: 
[...]/libdbusservice.so: undefined symbol: NS_Alloc
Bug #660736 [icedove] Subject: icedove deads on undefined symbol
Ignoring request to alter found versions of bug #691985 to the same values 
previously set
Ignoring request to alter found versions of bug #659994 to the same values 
previously set
Ignoring request to alter found versions of bug #660736 to the same values 
previously set
 notfound 659301 icedove/10.0.3-2
Bug #659301 [icedove] icedove: Icedove will not start unless libdbusservice.so 
and libmailcomps.so removed
Ignoring request to alter found versions of bug #659301 to the same values 
previously set
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
659301: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659301
659994: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659994
660736: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660736
671483: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=671483
691985: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691985
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#681227: Can anyone reproduce #681227: installation-reports: grub-install tries to install to a nonsense string?!

2013-01-11 Thread Steven Chamberlain
tags 681227 + patch
block 651720 by 681227
# kFreeBSD bugfix couldn't enter wheezy yet due to regressions
thanks

Hi,

On 07/01/13 19:56, Wouter Verhelst wrote:
 What to do with the workaround added by Wouter in grub-installer/1.84?
 
 The workaround tried to eliminate the possibility of invalid data coming
 from somewhere in the installer. [...]

I understand this made sense *if* a bug in the installer had been
appending nonsense to an otherwise-valid $bootdev, but I think we've
disproven this now.


 Silently ignoring a failure seems risky when we know that it should not
 happen.  (Someone may want to specify multiple targets, and if one of
 them is typo'd it would be silently skipped in this case).
 
 That's indeed the only case that isn't caught by the current code.

But that was at least caught by the original code - the GRUB install
step failed if the user gave invalid input.  Except in this bug report,
the user thought the failure was a software bug, rather than wrong
keyboard input which I'm sure it was.

With the workaround still in place, it may silently ignore such an
error, whether it comes from the user or from code, and I think that is
a more harmful situation.


Removing the workaround would close regressions #696903, #696942
affecting sid, unbreaking the sid_d-i daily images, where GRUB is not
installable right now for kfreebsd-*, grub-yeeloong and apparently
grub-efi systems.

It would also allow important bugfix #681227 to migrate to testing.

IMHO it would close this bug too, because it would mean the
user-supplied bootdevs *are* being validated again.

The patch for this is actually just a diff limited to ./grub-installer from:

$ git revert a070f516 99389d59 926cee22


Of course there are still ways to improve, e.g. offering a list of
partitions to choose from instead of free-text input, but anything like
that must surely wait until another release.

Thanks,
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
diff --git a/grub-installer b/grub-installer
index 9a72e54..f01eda1 100755
--- a/grub-installer
+++ b/grub-installer
@@ -645,16 +645,11 @@ info Installing grub on '$bootdev'
 
 update_mtab
 
-installed=0
-
 if [ -z $frdisk ]; then
+
 	# Install grub on each space separated disk in the list
 	bootdevs=$bootdev
 	for bootdev in $bootdevs; do
-		# workaround for #681227
-		if ! [ $bootdev = dummy -o -b $bootdev -o -c $bootdev ]; then
-			continue
-		fi
 		grub_install_params=
 		if ! is_floppy $bootdev; then
 			if $chroot $ROOT grub-install -h 21 | grep -q no-floppy; then
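Review bot: once the `-b`/`-c` test and its `continue` are removed, nothing in this loop inspects `$bootdev` before `is_floppy` and `grub-install` see it, so rejecting a mistyped entry rests entirely on the exit-code check further down. A one-line comment above the `for` saying that validation is deliberately left to `grub-install` would keep the test from being re-added later. The `+` blank line after `if [ -z $frdisk ]; then` looks like a leftover from the revert and can go.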
@@ -690,7 +685,6 @@ if [ -z $frdisk ]; then
 		esac
 		if [ $CODE = 0 ]; then
 			info grub-install ran successfully
-			installed=$(( $installed + 1 ))
 		else
 			case $ARCH:$grub_package in
 			*:grub|*:grub-pc|*:grub-efi|sparc:grub-ieee1275)
@@ -707,12 +701,7 @@ if [ -z $frdisk ]; then
 			exit 1
 		fi
 	done
-	if [ $installed -lt 1 ]; then
-		error no boot device found to install to
-		# we should probably show an error message here, but I believe
-		# we're in string freeze...
-		exit 1
-	fi
+
 else
 
 	# Semi-manual grub setup for Serial ATA RAID/multipath
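Review bot: with the `$installed -lt 1` block removed and nothing put in its place, an empty `$bootdevs` makes the `for` loop run zero times and the script leave this branch without installing anything or reporting an error; that block was the only visible exit for this case. Either confirm that `$bootdev` is guaranteed non-empty by the time `update_mtab` runs, or keep a guard that exits 1 when the list is empty. The `+` blank line before `else` can be dropped as well.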

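The argument in the message above, reduced to runnable shell as an added example (not grub-installer code and not part of the thread): it compares the workaround's skip-and-count loop with the loop after the revert on constructed device lists. `fake_grub_install` is a hypothetical stand-in for the real install step, `/dev/constructed-typo` is a made-up path, and `install_checked` is one possible shape, not what the patch does.

```shell
#!/bin/sh
# Added illustration of the argument in this message; not grub-installer code.

# The per-entry test the workaround used ("dummy", block device or char
# device), written here with quoting and separate [ ] tests.
is_install_target() {
    [ "$1" = dummy ] || [ -b "$1" ] || [ -c "$1" ]
}

# Hypothetical stand-in for the real grub-install step: it fails for
# anything that is not a usable target.
fake_grub_install() {
    is_install_target "$1"
}

# Workaround policy: skip entries that fail the test, then complain only
# if not a single entry was installed.
install_skipping() {
    installed=0
    for dev in $1; do
        is_install_target "$dev" || continue
        fake_grub_install "$dev" || return 1
        installed=$((installed + 1))
    done
    [ "$installed" -ge 1 ]
}

# Policy after the revert: every entry reaches the install step and the
# first failure aborts. An empty list runs the loop zero times.
install_strict() {
    for dev in $1; do
        if ! fake_grub_install "$dev"; then
            echo "grub-install failed for '$dev'" >&2
            return 1
        fi
    done
    return 0
}

# One possible combination (an assumption, not what the patch does):
# abort on the first bad entry and also refuse an empty list.
install_checked() {
    count=0
    for dev in $1; do
        if ! fake_grub_install "$dev"; then
            echo "grub-install failed for '$dev'" >&2
            return 1
        fi
        count=$((count + 1))
    done
    if [ "$count" -lt 1 ]; then
        echo "no boot device given" >&2
        return 1
    fi
    return 0
}

# Run one policy on one list and report the outcome as a word.
policy_result() {
    if "$1" "$2" 2>/dev/null; then echo accept; else echo reject; fi
}

# Constructed inputs: one good entry, a good entry plus a typo, only a
# typo, and an empty list.
for list in "dummy" "dummy /dev/constructed-typo" "/dev/constructed-typo" ""; do
    printf '%-30s skipping=%s strict=%s checked=%s\n' "'$list'" \
        "$(policy_result install_skipping "$list")" \
        "$(policy_result install_strict "$list")" \
        "$(policy_result install_checked "$list")"
done
```

The second row is the multi-target case the message is about: the skipping loop accepts the list and never mentions the mistyped entry. The last row shows the one input where the reverted loop alone reports success without doing anything.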

Processed: Re: Bug#681227: Can anyone reproduce #681227: installation-reports: grub-install tries to install to a nonsense string?!

2013-01-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tags 681227 + patch
Bug #681227 [grub-installer] does not validate free-form input
Added tag(s) patch.
 block 651720 by 681227
Bug #651720 {Done: Wouter Verhelst wou...@debian.org} [src:grub-installer] 
new ZFS install on / fails if /boot isn't ZFS
651720 was not blocked by any bugs.
651720 was not blocking any bugs.
Added blocking bug(s) of 651720: 681227
 # kFreeBSD bugfix couldn't enter wheezy yet due to regressions
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
651720: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651720
681227: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681227
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#674156: Bug#697025: gstreamer0.10: please re-upload built against GLib 2.32

2013-01-11 Thread Simon McVittie
On 09/01/13 21:54, Michael Biebl wrote:
 On 09.01.2013 22:29, Simon McVittie wrote:
 As far as I can work out, bumping libgstreamer0.10-0's shlibs
 would only help to achieve this if we additionally NMU a bunch of
 packages to rebuild them against the new libgstreamer0.10-0 so
 they get a dependency.
 
 How many would need a sourceful upload?

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694525#59.
tl;dr: up to 22 sourceful and 38 binNMU, although not all of those
depend on GStreamer (some depend directly on GLib).

Having said that, if Julien's reasoning from
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674156#54 is valid
for Gst, then it's presumably valid for GLib as well? If so, then the
thing to do would be to bump GLib's shlibs instead of adding the
Breaks, and sourceful-upload or binNMU those 60 packages (as appropriate).

 I'm worried that adding new Breaks to libglib2.0-0 might bring
 back those problems.

Yeah, I was getting worried about that too.

The way I see this is that there are some sets of packages in wheezy
that are already in a broken situation. By making a sourceful upload
of gstreamer0.10, together with the sourceful upload of swami that has
already happened and a pile of 14 binNMUs (see 694525#59), we can get
full upgrades into a consistent state. I agree that "full upgrades
work" is less desirable than "every partial upgrade allowed by apt
works" - but it's also better than the situation we're in right now!
In particular, I believe that after those uploads, gnome-dvb-daemon,
the package that started all this, would be able to build on the
affected architectures again.

I've spent some time trying to gather and provide useful information,
but I do not maintain the packages in question, and I am unlikely to
be able to do 22 sourceful uploads of unfamiliar packages any time
soon. Better plans gratefully received. If you (for broad plural
values of "you") would like me to leave this discussion and let the
maintainers of the affected packages sort it out among themselves,
please say.

S





Bug#685061: gfs2-utils: diff for NMU version 3.1.3-1.1

2013-01-11 Thread Salvatore Bonaccorso
tags 685061 + pending
thanks

Dear maintainer,

I've prepared an NMU for gfs2-utils (versioned as 3.1.3-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

p.s.: I know this package is only available in unstable, so one might
ask why the NMU is being done. But redhat-cluster-suite depends on
gfs2-utils. I'm also preparing an NMU for redhat-cluster (#697870).

Regards,
Salvatore
diff -Nru gfs2-utils-3.1.3/debian/changelog gfs2-utils-3.1.3/debian/changelog
--- gfs2-utils-3.1.3/debian/changelog	2012-08-06 14:17:02.0 +0200
+++ gfs2-utils-3.1.3/debian/changelog	2013-01-11 19:18:10.0 +0100
@@ -1,3 +1,14 @@
+gfs2-utils (3.1.3-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Add missing Depends on gfs2-cluster for gfs2-utils.
+Fix gfs2-utils: fails to install due to incorrect dependencies in
+init.d LSB header. gfs2-utils init script contains a dependency on the
+service providing gfs_controld, which in turn is provided by
+gfs2-cluster. (Closes: #685061)
+
+ -- Salvatore Bonaccorso car...@debian.org  Thu, 10 Jan 2013 19:36:49 +0100
+
 gfs2-utils (3.1.3-1) unstable; urgency=low
 
   * Initial release as stand-alone package; this used to be part of the
diff -Nru gfs2-utils-3.1.3/debian/control gfs2-utils-3.1.3/debian/control
--- gfs2-utils-3.1.3/debian/control	2012-08-06 14:14:55.0 +0200
+++ gfs2-utils-3.1.3/debian/control	2013-01-11 19:18:10.0 +0100
@@ -10,7 +10,7 @@
 
 Package: gfs2-utils
 Architecture: any
-Depends: ${misc:Depends}, ${shlibs:Depends}, psmisc, cman
+Depends: ${misc:Depends}, ${shlibs:Depends}, gfs2-cluster (= ${binary:Version}), psmisc, cman
 Replaces: gfs2-tools (= 3.0.17)
 Conflicts: gfs2-tools (= 3.0.17)
 Description: Global File System 2 - filesystem tools
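Review bot: the new `gfs2-cluster (= ${binary:Version})` entry pins an exact version, which only holds if gfs2-cluster is built from this same source package and is rebuilt together with gfs2-utils (`Architecture: any`) on every binNMU; the hunk does not show the gfs2-cluster stanza, so that needs checking, along with whether gfs2-cluster already depends on gfs2-utils, which would make this a dependency loop. If the init script only needs the service providing gfs_controld, as the changelog entry says, an unversioned dependency would be enough.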




Processed: gfs2-utils: diff for NMU version 3.1.3-1.1

2013-01-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tags 685061 + pending
Bug #685061 [gfs2-utils] gfs2-utils: fails to install due to incorrect 
dependencies in init.d LSB header
Added tag(s) pending.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
685061: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685061
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#697870: redhat-cluster: diff for NMU version 3.1.8-1.1

2013-01-11 Thread Salvatore Bonaccorso
tags 697870 + pending
thanks

Dear maintainer,

I've prepared an NMU for redhat-cluster (versioned as 3.1.8-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Note: I know that #697870 is not yet older than 7 days. If you want to
do an upload yourself or I should wait longer, please let me know.

Regards,
Salvatore
diff -Nru redhat-cluster-3.1.8/debian/changelog redhat-cluster-3.1.8/debian/changelog
--- redhat-cluster-3.1.8/debian/changelog	2012-08-05 10:34:43.0 +0200
+++ redhat-cluster-3.1.8/debian/changelog	2013-01-11 19:40:29.0 +0100
@@ -1,3 +1,13 @@
+redhat-cluster (3.1.8-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Drop clvm Depends for redhat-cluster-suite binary package.
+Cluster (clvm) support was dropped in lvm2 source package by removing
+the clvm binary package. Drop the Depends also in redhat-cluster-suite.
+(Closes: #697870)
+
+ -- Salvatore Bonaccorso car...@debian.org  Thu, 10 Jan 2013 21:40:28 +0100
+
 redhat-cluster (3.1.8-1) unstable; urgency=low
 
   [ Andres Rodriguez ]
diff -Nru redhat-cluster-3.1.8/debian/control redhat-cluster-3.1.8/debian/control
--- redhat-cluster-3.1.8/debian/control	2012-08-05 10:42:02.0 +0200
+++ redhat-cluster-3.1.8/debian/control	2013-01-11 19:40:29.0 +0100
@@ -23,7 +23,7 @@
 Package: redhat-cluster-suite
 Architecture: all
 Depends: ${misc:Depends}, cman (= ${binary:Version}), rgmanager (= ${binary:Version}),
- gfs2-utils (= 3.1), clvm, fence-agents, resource-agents
+ gfs2-utils (= 3.1), fence-agents, resource-agents
 Description: Red Hat cluster suite - metapackage
  RHCS is a cluster management infrastructure, for building
  high-availability multi-node clusters with service and IP failover on
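Review bot: `clvm` is dropped from the `redhat-cluster-suite` Depends with nothing in the control file recording why, and the rest of the line is untouched. Since this is the metapackage, check that nothing else in the stanza (the long Description beyond the three lines shown, or any Recommends/Suggests) still refers to clustered LVM, and consider a NEWS entry so that users upgrading know the suite no longer pulls it in.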




Processed: redhat-cluster: diff for NMU version 3.1.8-1.1

2013-01-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tags 697870 + pending
Bug #697870 [redhat-cluster-suite] redhat-cluster-suite: Fails to install due 
to removed clvm package
Added tag(s) pending.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
697870: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697870
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#695774: redmine: fails to upgrade, says something about a pgsql_adapter

2013-01-11 Thread Jérémy Lal
On 11/01/2013 17:12, Thorsten Glaser wrote:
 On Sun, 16 Dec 2012, Jérémy Lal wrote:
 
 I am working on a fix.
 
 Any news? 

I'll try to make the config script use the first generated
password if a second database user name is the same as the first
one. But I'm not sure I can even read the first password value.

 In the meantime, I tried to recover myself: look into
 /etc/redmine/default/database.yml what was used as
 password, connect as postgres to the DB and ALTER ROLE
 and set the redmine user’s password to that.
 
 Doesn’t work ☹

Well, it should, so maybe only the md5 sum of the password
is recorded or something.
The problem if you do that is that dbconfig still
has another value for the password, so next time database.yml
is updated after reconfigure/update it will be populated
by a wrong value (but you will be prompted since it is a config
file).

You'd better try:
* dump db
* dpkg-reconfigure -plow redmine
  and ask for reinstallation of the database.

Jérémy.





Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)

2013-01-11 Thread Salvatore Bonaccorso
Hi

Attached are the upstream commits applied to the unstable version and
the generated debdiff. But this also creates some additional files in one
of the binary packages created:

ruby-extlib:
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-
-rw-r--r--  root/root   
/usr/share/rubygems-integration/1.8/specifications/extlib-0.9.15.gemspec
-rw-r--r--  root/root   
/usr/share/rubygems-integration/1.9.1/specifications/extlib-0.9.15.gemspec

Regards,
Salvatore
diff -u ruby-extlib-0.9.15/debian/changelog ruby-extlib-0.9.15/debian/changelog
--- ruby-extlib-0.9.15/debian/changelog
+++ ruby-extlib-0.9.15/debian/changelog
@@ -1,3 +1,11 @@
+ruby-extlib (0.9.15-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * [SECURITY] CVE-2013-0156: Remove symbol and yaml coercion from the
+XML parser. (Closes: #697895) (LP: #1098357)
+
+ -- Salvatore Bonaccorso car...@debian.org  Fri, 11 Jan 2013 21:14:26 +0100
+
 ruby-extlib (0.9.15-2) unstable; urgency=low
 
   * Add full text of the Ruby licence.
@@ -49 +56,0 @@
-
only in patch2:
unchanged:
--- ruby-extlib-0.9.15.orig/spec/hash_spec.rb
+++ ruby-extlib-0.9.15/spec/hash_spec.rb
@@ -254,7 +254,7 @@
   'approved'   = nil,
   'written_on' = nil,
   'viewed_at'  = nil,
-  'content'= nil,
+  'content'= { 'type' = 'yaml' },
   'parent_id'  = nil
 }
 Hash.from_xml(topic_xml)[topic].should == expected_topic_hash
@@ -292,12 +292,12 @@
   # Changed this line where the key is :message.  The yaml specifies this 
as a symbol, and who am I to change what you specify
   # The line in ActiveSupport is
   # 'content' = { 'message' = Have a nice day, 1 = should be an 
integer, array = [{ should-have-dashes = true, should_have_underscores 
= true }] },
-  'content' = { :message = Have a nice day, 1 = should be an 
integer, array = [{ should-have-dashes = true, should_have_underscores 
= true }] },
+  'content' = --- \n1: should be an integer\n:message: Have a nice 
day\narray: \n- should-have-dashes: true\n  should_have_underscores: true\n,
   'author_email_address' = da...@loudthinking.com,
   'parent_id' = nil,
   'ad_revenue' = BigDecimal(1.50),
   'optimum_viewing_angle' = 135.0,
-  'resident' = :yes
+  'resident' = 'yes'
 }
 
 Hash.from_xml(topic_xml)[topic].each do |k,v|
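Review bot: the context comment lines above the changed `'content'` expectation still talk about the YAML specifying `:message` as a symbol and quote the ActiveSupport line, but after this hunk the expectation is the unparsed YAML string, so the comment describes behaviour the test no longer checks. Update it to say that content typed as yaml is now returned as a raw string, and that `'resident'` is expected as the string `'yes'` rather than a symbol.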
only in patch2:
unchanged:
--- ruby-extlib-0.9.15.orig/lib/extlib/hash.rb
+++ ruby-extlib-0.9.15/lib/extlib/hash.rb
@@ -279,9 +279,7 @@
   self.typecasts[decimal]   = lambda{|v| BigDecimal(v)}
   self.typecasts[double]= lambda{|v| v.nil? ? nil : v.to_f}
   self.typecasts[float] = lambda{|v| v.nil? ? nil : v.to_f}
-  self.typecasts[symbol]= lambda{|v| v.to_sym}
   self.typecasts[string]= lambda{|v| v.to_s}
-  self.typecasts[yaml]  = lambda{|v| v.nil? ? nil : YAML.load(v)}
   self.typecasts[base64Binary]  = lambda{|v| v.unpack('m').first }
 
   self.available_typecasts = self.typecasts.keys
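Review bot: after the `symbol` and `yaml` lambdas are removed, `available_typecasts` in the last context line is built from the remaining `typecasts.keys`, so input tagged with either type is no longer cast at all; the spec hunks show the result as the raw string, or as a hash holding only the `type` attribute for an empty element where the sibling fields expect nil. That is a visible behaviour change for callers of `Hash.from_xml`, so the changelog entry should mention it, and the empty-element case deserves a comment in the spec saying the hash is intended. Dropping `YAML.load` and `to_sym` on parser input is the right direction for the coercion issue named in the changelog.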


Processed: tagging 697895

2013-01-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tags 697895 + patch
Bug #697895 [libextlib-ruby] Update libextlib-ruby / ruby-extlib for 
vulnerabilities (Re: CVE-2013-0156)
Added tag(s) patch.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
697895: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697895
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)

2013-01-11 Thread Salvatore Bonaccorso
Hi

(resending this as I missed the bugreport)

On Fri, Jan 11, 2013 at 12:06:54AM +, Joshua Timberman wrote:
 Package: libextlib-ruby
 
 Version: 0.9.13-2
 Severity: grave
 Tags: security
 
 Dan Kubb, upstream maintainer of the extlib RubyGem recently updated it to
 resolve security issues reported in CVE-2013-0156.
 
 The patches are available from the extlib Git repository on GitHub to
 remove symbol and yaml coercion, respectively:
 
 https://github.com/datamapper/extlib/commit/4540e7102b803624cc2eade4bb8
 934fc31c5
 https://github.com/datamapper/extlib/commit/633974b2759d9b924657f3888473d5f
 d681538dd

(Disclaimer: I'm not the maintainer/part of team for ruby-extlib
package, but trying to help on this if needed).

Attached is the first debdiff for the version in Squeeze based on the
above commits. But I noticed when I rebuild the package I get the
following debdiff for libextlib-ruby-doc:

[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_10.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_11.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_18.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_2.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_22.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_24.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_25.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_28.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_29.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_31.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_10_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_10_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_25_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_25_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_27_0.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_27_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_28_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_28_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_29_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_29_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_2_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_2_0.png

Files in first .deb but not in second
-
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_10.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_11.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_18.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_2.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_22.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_24.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_25.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_28.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_29.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_31.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_11_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_11_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_18_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_18_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_22_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_22_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_24_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_24_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_31_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_31_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_7_0.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_7_0.png

So it looks like the compression is on other files.

Regards,
Salvatore
diff -u libextlib-ruby-0.9.13/debian/changelog 
libextlib-ruby-0.9.13/debian/changelog
--- libextlib-ruby-0.9.13/debian/changelog
+++ libextlib-ruby-0.9.13/debian/changelog
@@ -1,3 +1,11 @@
+libextlib-ruby (0.9.13-2+squeeze1) stable-security; urgency=high
+
+  * Non-maintainer upload.
+  * 

Bug#697895: marked as done (Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156))

2013-01-11 Thread Debian Bug Tracking System
Your message dated Fri, 11 Jan 2013 21:32:37 +
with message-id e1ttmdn-0006lz...@franck.debian.org
and subject line Bug#697895: fixed in ruby-extlib 0.9.15-3
has caused the Debian Bug report #697895,
regarding Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: 
CVE-2013-0156)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
697895: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697895
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: libextlib-ruby

Version: 0.9.13-2
Severity: grave
Tags: security

Dan Kubb, upstream maintainer of the extlib RubyGem recently updated it to
resolve security issues reported in CVE-2013-0156.

The patches are available from the extlib Git repository on GitHub to
remove symbol and yaml coercion, respectively:

https://github.com/datamapper/extlib/commit/4540e7102b803624cc2eade4bb8
934fc31c5
https://github.com/datamapper/extlib/commit/633974b2759d9b924657f3888473d5f
d681538dd
---End Message---
---BeginMessage---
Source: ruby-extlib
Source-Version: 0.9.15-3

We believe that the bug you reported is fixed in the latest version of
ruby-extlib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cédric Boutillier bou...@debian.org (supplier of updated ruby-extlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 11 Jan 2013 18:15:39 +0100
Source: ruby-extlib
Binary: ruby-extlib libextlib-ruby libextlib-ruby1.8 libextlib-ruby1.9.1 
libextlib-ruby-doc
Architecture: source all
Version: 0.9.15-3
Distribution: unstable
Urgency: high
Maintainer: Bryan McLellan b...@loftninjas.org
Changed-By: Cédric Boutillier bou...@debian.org
Description: 
 libextlib-ruby - Transitional package for ruby-extlib
 libextlib-ruby-doc - Transitional package for ruby-extlib
 libextlib-ruby1.8 - Transitional package for ruby-extlib
 libextlib-ruby1.9.1 - Transitional package for ruby-extlib
 ruby-extlib - general Ruby class extensions for DataMapper and Merb
Closes: 697895
Changes: 
 ruby-extlib (0.9.15-3) unstable; urgency=high
 .
   * Team upload.
   * Import patches 633974b2759d9b92 and 4540e7102b803624 from upstream
 to remove symbol and YAML coercion from the XML parser. [CVE-2013-0156]
 (Closes: #697895)

Processed: tagging 697931

2013-01-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tags 697931 + patch
Bug #697931 [icinga] icinga: CVE-2012-6096
Added tag(s) patch.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
697931: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697931
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: tagging 697930

2013-01-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tags 697930 + patch
Bug #697930 [nagios3] nagios3: CVE-2012-6096
Added tag(s) patch.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
697930: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697930
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#697580: marked as done (connman: CVE-2012-6459)

2013-01-11 Thread Debian Bug Tracking System
Your message dated Fri, 11 Jan 2013 22:47:39 +
with message-id e1ttnnz-0001iq...@franck.debian.org
and subject line Bug#697580: fixed in connman 1.0-1.1
has caused the Debian Bug report #697580,
regarding connman: CVE-2012-6459
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
697580: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697580
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: connman
Severity: grave
Tags: security

Please check, whether the version/configuration in Debian is affected:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6459
https://bugs.tizen.org/jira/browse/TIVI-211
http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=01126286f96856aab6b0de171830f4e8e842e1da

Cheers,
Moritz
---End Message---
---BeginMessage---
Source: connman
Source-Version: 1.0-1.1

We believe that the bug you reported is fixed in the latest version of
connman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
John Paul Adrian Glaubitz glaub...@physik.fu-berlin.de (supplier of updated 
connman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Wed, 09 Jan 2013 15:32:22 +0100
Source: connman
Binary: connman connman-dev connman-doc
Architecture: source amd64 all
Version: 1.0-1.1
Distribution: unstable
Urgency: low
Maintainer: Alexander Sack a...@debian.org
Changed-By: John Paul Adrian Glaubitz glaub...@physik.fu-berlin.de
Description: 
 connman- Intel Connection Manager daemon
 connman-dev - Development files for connman
 connman-doc - ConnMan documentation
Closes: 697580
Changes: 
 connman (1.0-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Include patch to fix bluetooth offline visibility
 issue CVE-2012-6459 (Closes: #697580).



Processed: user debian...@lists.debian.org, usertagging 697085, found 697085 in 1.3.0+dfsg-1~exp3

2013-01-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 user debian...@lists.debian.org
Setting user to debian...@lists.debian.org (was deb...@abeckmann.de).
 usertags 697085 piuparts
There were no usertags set.
Usertags are now: piuparts.
 found 697085 1.3.0+dfsg-1~exp3
Bug #697085 [qemu-system] qemu-system: tries to overwrite 
doc/qemu/qemu-doc.html from qemu (missing Breaks+Replaces?)
Marked as found in versions qemu/1.3.0+dfsg-1~exp3.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
697085: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697085
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015

2013-01-11 Thread Tzafrir Cohen
On Tue, Jan 08, 2013 at 06:49:56PM +0100, Moritz Mühlenhoff wrote:
> On Tue, Jan 08, 2013 at 02:45:59AM +0200, Tzafrir Cohen wrote:
> > Hi,
> >
> > On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote:
> > > Package: asterisk
> > > Severity: grave
> > > Tags: security
> > > Justification: user security hole
> > >
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA512
> > >
> > > Hi,
> > >
> > > the following vulnerabilities were published for asterisk.
> > >
> > > CVE-2012-5976[0]:
> > > Crashes due to large stack allocations when using TCP
> > >
> > > CVE-2012-5977[1]:
> > > Denial of Service Through Exploitation of Device State Caching
> > >
> > > If you fix the vulnerabilities please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] http://security-tracker.debian.org/tracker/CVE-2012-5976
> > > [1] http://security-tracker.debian.org/tracker/CVE-2012-5977
> > >
> > > Please adjust the affected versions in the BTS as needed.
> > >
> > > According to the advisories all 1.8.x versions seem affected.
> >
> > Likewise is version 1.6.2 from Stable. I have fixes ready.
>
> Ok, please upload to security-master once tests are sufficient.

Uploaded.

> >
> > On a side note, I'm not sure why
> > https://security-tracker.debian.org/tracker/CVE-2011-2666 is listed as
> > open. The respective bug has been closed:
> > As I mentioned before, I can change the default for alwaysauthreject,
> > I'm just not sure this should be done on a Stable package.
>
> It's marked as
>
> [squeeze] - asterisk no-dsa (minor issue; can be addressed through configuration)
>
> The tracker is correct in so far, that this isn't fixed in squeeze through
> a code fix. If you provide a short text what people need to modify in their
> config we can add it to the DSA text and use this as the fix for stable.

Here goes:

CVE-2011-2666 (AST-2011-011) is an advisory that contained two parts:
It is generally useful security-wise to provide the same answer upon
authentication whether or not the authentication failed due to a missing
bad username or a bad password (to prevent enumerating existing users).
Asterisk has a setting called 'alwaysauthreject' in sip.conf to do that,
but up until 1.8 its value has defaulted to no (different answer).

The patch of CVE-2011-2666 fixed a case that even with this set to yes,
the response is different. This was fixed in 1.6.2.9-2+squeeze3.
However in order to avoid breaking backward compatibility the default
has remained the same. Upstream developers strongly recommend that users
set 'alwaysauthreject=yes' in the section '[general]' of sip.conf.

-- 
Tzafrir Cohen | tzaf...@jabber.org | VIM is
http://tzafrir.org.il || a Mutt's
tzaf...@cohens.org.il ||  best
tzaf...@debian.org|| friend
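
A check for the setting recommended in the message above, added here as an example (not part of the message, and not Asterisk or Debian code): it reads the text of a sip.conf and reports whether `alwaysauthreject` is effectively on in `[general]`, treating an absent setting as the pre-1.8 default of no. The sample configs are constructed, the true-value list and the last-assignment-wins handling are assumptions about Asterisk's config parsing, and `#include` files are not followed.

```python
import re

# Strings read as "true" for a boolean option. This list is an assumption of
# this example; confirm it against the Asterisk version you run.
TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}

SECTION_RE = re.compile(r"^\[([^\]]+)\]")
SETTING_RE = re.compile(r"^([^=\s]+)\s*=>?\s*(.*)$")


def strip_comments(text):
    """Yield config lines with ';--' ... '--;' blocks and ';' comments removed."""
    in_block = False
    for raw in text.splitlines():
        if in_block:
            if "--;" not in raw:
                continue
            raw = raw.split("--;", 1)[1]
            in_block = False
        if ";--" in raw:
            before, _, after = raw.partition(";--")
            if "--;" in after:
                raw = before + after.split("--;", 1)[1]
            else:
                raw, in_block = before, True
        # A plain ';' starts a comment unless it is escaped as '\;'.
        raw = re.sub(r"(?<!\\);.*$", "", raw).replace("\\;", ";")
        if raw.strip():
            yield raw.strip()


def general_setting(text, key):
    """Return the last value assigned to `key` inside [general], or None."""
    section, value = None, None
    for line in strip_comments(text):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = SETTING_RE.match(line)
        if m and section == "general" and m.group(1).lower() == key:
            value = m.group(2).strip()  # assumed: a later assignment wins
    return value


def audit_alwaysauthreject(text, default_enabled=False):
    """Report the effective alwaysauthreject state for one sip.conf text.

    default_enabled=False models the behaviour described in the message
    (default of "no" up until 1.8).
    """
    value = general_setting(text, "alwaysauthreject")
    if value is None:
        return {"enabled": default_enabled, "source": "default", "value": None}
    return {"enabled": value.lower() in TRUE_VALUES,
            "source": "explicit", "value": value}


# Constructed sample configs, not taken from any real system.
HARDENED = """\
[general]
context=default
alwaysauthreject = yes   ; same reply for unknown user and bad password
"""

COMMENTED_OUT = """\
[general]
;alwaysauthreject=yes
;--
alwaysauthreject=yes
--;
bindport=5060
"""

PEER_ONLY = """\
[general]
context=default

[alice]
type=friend
alwaysauthreject=yes
"""

OVERRIDDEN = """\
[general]
alwaysauthreject=yes
alwaysauthreject=no
"""

if __name__ == "__main__":
    for name in ("HARDENED", "COMMENTED_OUT", "PEER_ONLY", "OVERRIDDEN"):
        print(name, audit_alwaysauthreject(globals()[name]))
```

The `COMMENTED_OUT` and `PEER_ONLY` cases are the ones a plain `grep alwaysauthreject=yes` would wrongly report as hardened.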





Bug#696342: marked as done ([drupal7] SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities in Drupal 6 & 7)

2013-01-11 Thread Debian Bug Tracking System
Your message dated Fri, 11 Jan 2013 18:03:10 -0600
with message-id 20130112000310.gb...@gwolf.org
and subject line Re: [drupal7] SA-CORE-2012-004 - Drupal core - Multiple 
vulnerabilities in Drupal 6 & 7
has caused the Debian Bug report #696342,
regarding [drupal7] SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities 
in Drupal 6 & 7
to be marked as done.



-- 
696342: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696342
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---

Package: drupal7
Version: 7.14-1.1
Severity: critical
Tags: security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org

--- Please enter the report below this line. ---

Hi!

There's a security update for Drupal6 and Drupal7 available. Please 
include the patch to not query the Drupal server about a new available 
version this time, otherwise the users will be prompted with a wrong 
security warning for something that is already solved. Thanks!



http://drupal.org/SA-CORE-2012-004


Multiple vulnerabilities were fixed in the supported Drupal core 
versions 6 and 7.

Access bypass (User module search - Drupal 6 and 7)

A vulnerability was identified that allows blocked users to appear in 
user search results, even when the search results are viewed by 
unprivileged users.


This vulnerability is mitigated by the fact that the default Drupal core 
user search results only display usernames (and disclosure of usernames 
is not considered a security vulnerability). However, since modules or 
themes may override the search results to display more information from 
each user's profile, this could result in additional information about 
blocked users being disclosed on some sites.


CVE: Requested.

Access bypass (Upload module - Drupal 6)

A vulnerability was identified that allows information about uploaded 
files to be displayed in RSS feeds and search results to users that do 
not have the view uploaded files permission.


This issue affects Drupal 6 only.

CVE: Requested.

Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)

Drupal core's file upload feature blocks the upload of many files that 
can be executed on the server by munging the filename. A malicious user 
could name a file in a manner that bypasses this munging of the filename 
in Drupal's input validation.


This vulnerability is mitigated by several factors: The attacker would 
need the permission to upload a file to the server. Certain combinations 
of PHP and filesystems are not vulnerable to this issue, though we did 
not perform an exhaustive review of the supported PHP versions. Finally: 
the server would need to allow execution of files in the uploads 
directory. Drupal core has protected against this with a .htaccess file 
protection in place from SA-2006-006 - Drupal Core - Execution of 
arbitrary files in certain Apache configurations. Users of IIS should 
consider updating their web.config. Users of Nginx should confirm that 
only the index.php and other known good scripts are executable. Users of 
other webservers should review their configuration to ensure the goals 
are achieved in some other way.


CVE: Requested.

CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in 
accordance with Drupal Security Team processes.


Versions affected

Drupal core 6.x versions prior to 6.27.
Drupal core 7.x versions prior to 7.18.

Solution

Install the latest version:

If you use Drupal 6.x, upgrade to Drupal core 6.27.
If you use Drupal 7.x, upgrade to Drupal core 7.18.

--- System information. ---
Architecture: amd64
Kernel:   Linux 3.2.0-4-amd64

Debian Release: 7.0
  500 unstable        www.deb-multimedia.org
  500 unstable        ftp.de.debian.org
    1 experimental    ftp.de.debian.org

--- Package information. ---
Depends              (Version) | Installed
-------------------------------+---------------
debconf               (>= 0.5) | 1.5.48
 OR debconf-2.0                |
apache2                        | 2.2.22-12
 OR httpd                      |
php5                           | 5.4.4-10
php5-mysql                     | 5.4.4-10
 OR php5-pgsql                 | 5.4.4-10
php5-gd                        | 5.4.4-10
default-mta                    |
 OR mail-transport-agent       |
wwwconfig-common   (>= 0.0.37) | 0.2.2
mysql-client                   | 5.5.28+dfsg-1
 OR virtual-mysql-client       |
 OR postgresql-client          | 9.1+134wheezy2
dbconfig-common 

Bug#688792: marked as done (mysql-server-5.5: error in SQL syntax in postinst)

2013-01-11 Thread Debian Bug Tracking System
Your message dated Sat, 12 Jan 2013 00:18:28 +
with message-id e1ttons-00034j...@franck.debian.org
and subject line Bug#692871: fixed in mysql-5.5 5.5.29+dfsg-1
has caused the Debian Bug report #692871,
regarding mysql-server-5.5: error in SQL syntax in postinst
to be marked as done.



-- 
692871: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692871
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: mysql-server-5.5
Version: 5.5.24+dfsg-8
Severity: normal

Dear Maintainer,

   * What led up to the situation?
An upgrade in aptitude.
   * What exactly did you do (or not do) that was effective (or
 ineffective)?
Nothing.  mysql appears to be running.  However, the failed change looks 
significant.
   * What was the outcome of this action?
   * What outcome did you expect instead?
An upgrade without errors.

I am running Debian testing in a chroot.  I did an upgrade inside of aptitude 
yesterday:
[UPGRADE] mysql-server-5.5:i386 5.5.24+dfsg-7 - 5.5.24+dfsg-8
and the logs show
ERROR: 1064  You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'ALTER TABLE user ADD column Show_view_priv enum('N','Y') CHARACTER SET utf8 
NOT ' at line 1
[ERROR] Aborting

The offending line appears to be from the mysql postinst:
ross@corn:/var/lib/dpkg/info$ grep Show_view_priv *
mysql-server-5.5.postinst:  Show_view_priv='Y', 
Create_routine_priv='Y', Alter_routine_priv='Y', \
mysql-server-5.5.postinst:ALTER TABLE user ADD column Show_view_priv 
enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N'; \
 \

Note there is another error about old style --language.  That's probably a 
separate issue, though it would be good to fix.

In case it helps, here is a fuller log:
Sep 23 15:08:33 corn mysqld_safe[24690]: 
Sep 23 15:08:33 corn mysqld_safe[24690]: PLEASE REMEMBER TO SET A PASSWORD FOR 
THE MySQL root USER !
Sep 23 15:08:33 corn mysqld_safe[24690]: To do so, start the server, then issue 
the following commands:
Sep 23 15:08:33 corn mysqld_safe[24690]: 
Sep 23 15:08:33 corn mysqld_safe[24690]: /usr/bin/mysqladmin -u root password 
'new-password'
Sep 23 15:08:33 corn mysqld_safe[24690]: /usr/bin/mysqladmin -u root -h corn 
password 'new-password'
Sep 23 15:08:33 corn mysqld_safe[24690]: 
Sep 23 15:08:33 corn mysqld_safe[24690]: Alternatively you can run:
Sep 23 15:08:33 corn mysqld_safe[24690]: /usr/bin/mysql_secure_installation
Sep 23 15:08:33 corn mysqld_safe[24690]: 
Sep 23 15:08:33 corn mysqld_safe[24690]: which will also give you the option of 
removing the test
Sep 23 15:08:33 corn mysqld_safe[24690]: databases and anonymous user created 
by default.  This is
Sep 23 15:08:33 corn mysqld_safe[24690]: strongly recommended for production 
servers.
Sep 23 15:08:33 corn mysqld_safe[24690]: 
Sep 23 15:08:33 corn mysqld_safe[24690]: See the manual for more instructions.
Sep 23 15:08:33 corn mysqld_safe[24690]: 
Sep 23 15:08:33 corn mysqld_safe[24690]: Please report any problems with the 
/usr/scripts/mysqlbug script!
Sep 23 15:08:33 corn mysqld_safe[24690]: 
Sep 23 15:08:33 corn mysqld_safe[24736]: 120923 15:08:33 [ERROR] An old style 
--language value with language specific part detected: /usr/share/mysql/english/
Sep 23 15:08:33 corn mysqld_safe[24736]: 120923 15:08:33 [ERROR] Use 
--lc-messages-dir without language specific part instead.
Sep 23 15:08:33 corn mysqld_safe[24736]: 120923 15:08:33 [Note] Plugin 
'FEDERATED' is disabled.
Sep 23 15:08:33 corn mysqld_safe[24736]: 120923 15:08:33 InnoDB: The InnoDB 
memory heap is disabled
Sep 23 15:08:33 corn mysqld_safe[24736]: 120923 15:08:33 InnoDB: Mutexes and 
rw_locks use GCC atomic builtins
Sep 23 15:08:33 corn mysqld_safe[24736]: 120923 15:08:33 InnoDB: Compressed 
tables use zlib 1.2.3
Sep 23 15:08:33 corn mysqld_safe[24736]: 120923 15:08:33 InnoDB: Using Linux 
native AIO
Sep 23 15:08:33 corn mysqld_safe[24736]: 120923 15:08:33 InnoDB: Initializing 
buffer pool, size = 128.0M
Sep 23 15:08:33 corn mysqld_safe[24736]: 120923 15:08:33 InnoDB: Completed 
initialization of buffer pool
Sep 23 15:08:33 corn mysqld_safe[24736]: 120923 15:08:33 InnoDB: highest 
supported file format is Barracuda.
Sep 23 15:08:33 corn mysqld_safe[24736]: 120923 15:08:33 InnoDB: 1.1.8 started; 
log sequence number 5257779
Sep 23 15:08:33 corn mysqld_safe[24736]: 120923 15:08:33  InnoDB: Starting 
shutdown...
Sep 23 15:08:35 corn mysqld_safe[24736]: 120923 15:08:35  InnoDB: Shutdown 
completed; log sequence number 5257779
Sep 23 15:08:35 corn 

Bug#692871: marked as done (mysql-server-5.5: Regression in privileges of mysql debian-sys-maint user)

2013-01-11 Thread Debian Bug Tracking System
Your message dated Sat, 12 Jan 2013 00:18:28 +
with message-id e1ttons-00034j...@franck.debian.org
and subject line Bug#692871: fixed in mysql-5.5 5.5.29+dfsg-1
has caused the Debian Bug report #692871,
regarding mysql-server-5.5: Regression in privileges of mysql debian-sys-maint 
user
to be marked as done.



-- 
692871: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692871
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: mysql-server-5.5
Version: 5.5.28+dfsg-1
Severity: serious
Justification: important

This bug was originally reported in Ubuntu:

https://bugs.launchpad.net/ubuntu/+source/mysql-5.5/+bug/1062716

Basically, the debian-sys-maint user, which is inserted via raw INSERT, is
missing a new privilege for 5.5. This causes problems for those who rely
on the user to be able to create users and do other things. This may have
also been the issue with warnings we've seen about schema differences.

-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 
'quantal')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-17-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
---End Message---
---BeginMessage---
Source: mysql-5.5
Source-Version: 5.5.29+dfsg-1

We believe that the bug you reported is fixed in the latest version of
mysql-5.5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicholas Bamber nicho...@periapt.co.uk (supplier of updated mysql-5.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 11 Jan 2013 15:29:53 +
Source: mysql-5.5
Binary: libmysqlclient18 libmysqld-pic libmysqld-dev libmysqlclient-dev 
mysql-common mysql-client-5.5 mysql-server-core-5.5 mysql-server-5.5 
mysql-server mysql-client mysql-testsuite-5.5 mysql-source-5.5
Architecture: source all i386
Version: 5.5.29+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian MySQL Maintainers pkg-mysql-ma...@lists.alioth.debian.org
Changed-By: Nicholas Bamber nicho...@periapt.co.uk
Description: 
 libmysqlclient-dev - MySQL database development files
 libmysqlclient18 - MySQL database client library
 libmysqld-dev - MySQL embedded database development files
 libmysqld-pic - PIC version of MySQL embedded server development files
 mysql-client - MySQL database client (metapackage depending on the latest 
versio
 mysql-client-5.5 - MySQL database client binaries
 mysql-common - MySQL database common files, e.g. /etc/mysql/my.cnf
 mysql-server - MySQL database server (metapackage depending on the latest 
versio
 mysql-server-5.5 - MySQL database server binaries and system database setup
 mysql-server-core-5.5 - MySQL database server binaries
 mysql-source-5.5 - MySQL source
 mysql-testsuite-5.5 - MySQL testsuite
Closes: 692871 695001
Changes: 
 mysql-5.5 (5.5.29+dfsg-1) unstable; urgency=low
 .
   [ Clint Byrum ]
   * d/mysql-server-5.5.postinst: Patch from Alex Bligh to fix privilege
 regression that was introduced in the switch from 5.1 to 5.5.
 (Closes: #692871)
   * New upstream release. (Closes: #695001) Refreshed patches.

Bug#695001: marked as done (mysql-5.5: New MySQL issues)

2013-01-11 Thread Debian Bug Tracking System
Your message dated Sat, 12 Jan 2013 00:18:28 +
with message-id e1ttons-00034n...@franck.debian.org
and subject line Bug#695001: fixed in mysql-5.5 5.5.29+dfsg-1
has caused the Debian Bug report #695001,
regarding mysql-5.5: New MySQL issues
to be marked as done.



-- 
695001: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695001
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: mysql-5.5
Severity: grave
Tags: security
Justification: user security hole

Exploits for new MySQL issues have been posted to the full-disclosure mailing 
list.
This mail summarises the current state of affairs:

CVE-2012-5611 (formerly tracked as CVE-2012-5579)

  Exploit: http://seclists.org/fulldisclosure/2012/Dec/4

  Patch already available through mariadb.

CVE-2012-5612

  Exploit: http://seclists.org/fulldisclosure/2012/Dec/5

  mariadb bug: https://mariadb.atlassian.net/browse/MDEV-3908

CVE-2012-5613

  Exploit: http://seclists.org/fulldisclosure/2012/Dec/6

  This was discussed to be intended behaviour:
  http://seclists.org/oss-sec/2012/q4/388

CVE-2012-5614

  Exploit: http://seclists.org/fulldisclosure/2012/De

  mariadb bug: https://mariadb.atlassian.net/browse/MDEV-3910

CVE-2012-5615

  Exploit: http://seclists.org/fulldisclosure/2012/Dec/9

  mariadb bug: https://mariadb.atlassian.net/browse/MDEV-3909

Cheers,
Moritz
---End Message---
---BeginMessage---
Source: mysql-5.5
Source-Version: 5.5.29+dfsg-1

We believe that the bug you reported is fixed in the latest version of
mysql-5.5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 695...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicholas Bamber nicho...@periapt.co.uk (supplier of updated mysql-5.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 11 Jan 2013 15:29:53 +
Source: mysql-5.5
Binary: libmysqlclient18 libmysqld-pic libmysqld-dev libmysqlclient-dev 
mysql-common mysql-client-5.5 mysql-server-core-5.5 mysql-server-5.5 
mysql-server mysql-client mysql-testsuite-5.5 mysql-source-5.5
Architecture: source all i386
Version: 5.5.29+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian MySQL Maintainers pkg-mysql-ma...@lists.alioth.debian.org
Changed-By: Nicholas Bamber nicho...@periapt.co.uk
Description: 
 libmysqlclient-dev - MySQL database development files
 libmysqlclient18 - MySQL database client library
 libmysqld-dev - MySQL embedded database development files
 libmysqld-pic - PIC version of MySQL embedded server development files
 mysql-client - MySQL database client (metapackage depending on the latest 
versio
 mysql-client-5.5 - MySQL database client binaries
 mysql-common - MySQL database common files, e.g. /etc/mysql/my.cnf
 mysql-server - MySQL database server (metapackage depending on the latest 
versio
 mysql-server-5.5 - MySQL database server binaries and system database setup
 mysql-server-core-5.5 - MySQL database server binaries
 mysql-source-5.5 - MySQL source
 mysql-testsuite-5.5 - MySQL testsuite
Closes: 692871 695001
Changes: 
 mysql-5.5 (5.5.29+dfsg-1) unstable; urgency=low
 .
   [ Clint Byrum ]
   * d/mysql-server-5.5.postinst: Patch from Alex Bligh to fix privilege
 regression that was introduced in the switch from 5.1 to 5.5.
 (Closes: #692871)
   * New upstream release. (Closes: #695001) Refreshed patches.

Bug#697714: marked as done (libxcrypt: fix ftbfs due to deprecated libc locking macros)

2013-01-11 Thread Debian Bug Tracking System
Your message dated Sat, 12 Jan 2013 00:17:39 +
with message-id e1tton5-0002df...@franck.debian.org
and subject line Bug#697714: fixed in libxcrypt 1:2.4-3
has caused the Debian Bug report #697714,
regarding libxcrypt: fix ftbfs due to deprecated libc locking macros
to be marked as done.



-- 
697714: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697714
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: libxcrypt
Version: 1:2.4-1.1
Severity: serious
Tags: patch
Justification: fails to build from source (but built successfully in the
past)
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu raring ubuntu-patch

Dear Maintainer,

This patch fixes an Ubuntu ftbfs for libxcrypt.
Due to a newer version of glibc that includes patch 9463518d:
http://sourceware.org/git/?p=glibc.git;a=commit;h=9463518d0d314d7bd0160315e0ef30e15be08985
libxcrypt no longer compiles on Ubuntu.
This patch replaces the __libc_lock* functions with pthread locking
functions that behave in the same manner.

  * Change __libc_lock to use pthread_mutex interfaces because
__libc_lock interfaces were deprecated by patch 9463518d in glibc.


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500,
'precise-proposed'), (500, 'precise'), (100, 'precise-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-35-lowlatency (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -u libxcrypt-2.4/debian/changelog libxcrypt-2.4/debian/changelog
only in patch2:
unchanged:
--- libxcrypt-2.4.orig/src/crypt_util.c
+++ libxcrypt-2.4/src/crypt_util.c
@@ -29,8 +29,7 @@
 #endif
 #include string.h
 
-#include bits/libc-lock.h
-#define __libc_lock_t pthread_mutex_t
+#include pthread.h
 
 #ifndef STATIC
 #define STATIC static
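Review bot: dropping `#define __libc_lock_t pthread_mutex_t` together with the `bits/libc-lock.h` include is only safe if nothing else in the tree still names `__libc_lock_t` or another `__libc_lock_*` macro; the patch touches crypt_util.c alone, so a grep over the source before upload would confirm that. As rendered here the new line reads `#include pthread.h` without angle brackets, like the `#include string.h` context line above it, so compare against the patch attached to the bug before applying anything from this page.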
@@ -264,7 +263,7 @@
  */
 struct crypt_data _ufc_foobar;
 
-__libc_lock_define_initialized (static, _ufc_tables_lock)
+static pthread_mutex_t _ufc_tables_lock = PTHREAD_MUTEX_INITIALIZER;
 
 #ifdef DEBUG
 
@@ -362,7 +361,7 @@
 #endif
 
   if(small_tables_initialized == 0) {
-__libc_lock_lock (_ufc_tables_lock);
+pthread_mutex_lock (_ufc_tables_lock);
 if(small_tables_initialized)
   goto small_tables_done;
 
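Review bot: `pthread_mutex_lock (_ufc_tables_lock);` passes the mutex object itself, but pthread_mutex_lock takes a `pthread_mutex_t *`, so with the `static pthread_mutex_t _ufc_tables_lock` definition from the previous hunk the call should read `pthread_mutex_lock (&_ufc_tables_lock);`. The removed `__libc_lock_lock` macro took the bare name, which makes this easy to miss in a mechanical replacement; this archive also drops `&` elsewhere on the page, so check the original attachment.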
@@ -467,7 +466,7 @@
 }
 small_tables_initialized = 1;
 small_tables_done:
-__libc_lock_unlock(_ufc_tables_lock);
+pthread_mutex_unlock(_ufc_tables_lock);
   }
 
   /*
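Review bot: `pthread_mutex_unlock(_ufc_tables_lock);` passes the mutex by value, while pthread_mutex_unlock takes a `pthread_mutex_t *`, so this should read `pthread_mutex_unlock (&_ufc_tables_lock);` unless the `&` was lost in this archive's rendering. Keeping the unlock directly under the `small_tables_done:` label is right, since the `goto small_tables_done` taken after the lock is acquired also has to release it.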

---End Message---
---BeginMessage---
Source: libxcrypt
Source-Version: 1:2.4-3

We believe that the bug you reported is fixed in the latest version of
libxcrypt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicholas Breen nbr...@debian.org (supplier of updated libxcrypt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 11 Jan 2013 14:16:32 -0800
Source: libxcrypt
Binary: libxcrypt-dev libxcrypt1
Architecture: source i386
Version: 1:2.4-3
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group packa...@qa.debian.org
Changed-By: Nicholas Breen nbr...@debian.org
Description: 
 libxcrypt-dev - Development files for Crypt library
 libxcrypt1 - Crypt library for DES, MD5, and blowfish
Closes: 697714
Changes: 
 libxcrypt (1:2.4-3) unstable; urgency=low
 .
   * QA upload (see #679703).  Skipping 1:2.4-2 to avoid archive filename
 conflicts with prior 2.4-2 upload.
   * FTBFS fix: Change __libc_lock to use pthread_mutex interfaces, as
 __libc_lock is deprecated.  Patch courtesy of Chris J Arges.
 (Closes: #697714)

Bug#681227: Can anyone reproduce #681227: installation-reports: grub-install tries to install to a nonsense string?!

2013-01-11 Thread Christian PERRIER
Quoting Steven Chamberlain (ste...@pyro.eu.org):

> Patch for this actually just a diff limited to ./grub-installer from:
>
> $ git revert a070f516 99389d59 926cee22


Agreed from my side. I guess we now just need Cyril's ACK to apply in
git and probably build unless something else is needed in
grub-installer (which seems to remain as the last place where we have
to stabilize stuff).



