Bug#616673: rhythmbox-plugins: CVE-2012-3355 Plugin context contains hardcoded path to /tmp/context/
Package: rhythmbox-plugins

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed this bug. These problems were not serious enough for a Debian Security Advisory, so they are now on my radar for fixing in the following suites through point releases:

squeeze (6.0.7) - use target stable

Please prepare a minimal-changes upload targeting each of these suites, and submit a debdiff to the Release Team [0] for consideration. They will offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and you need help. Please keep me in CC at all times so I can track [1] the progress of this request.

For details of this process and the rationale, please see the original announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/616673/
2: 201101232332.11736.th...@debian.org
3: http://deb.li/prsc

Thanks,

with his security hat on:

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#679283: CVE-2012-2825
Package: libxslt

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed this bug. These problems were not serious enough for a Debian Security Advisory, so they are now on my radar for fixing in the following suites through point releases:

squeeze (6.0.7) - use target stable

Please prepare a minimal-changes upload targeting each of these suites, and submit a debdiff to the Release Team [0] for consideration. They will offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and you need help. Please keep me in CC at all times so I can track [1] the progress of this request.

For details of this process and the rationale, please see the original announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/679283/
2: 201101232332.11736.th...@debian.org
3: http://deb.li/prsc

Thanks,

with his security hat on:

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug#694810: plib: CVE-2012-4552
Package: plib

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed this bug. These problems were not serious enough for a Debian Security Advisory, so they are now on my radar for fixing in the following suites through point releases:

squeeze (6.0.7) - use target stable

Please prepare a minimal-changes upload targeting each of these suites, and submit a debdiff to the Release Team [0] for consideration. They will offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and you need help. Please keep me in CC at all times so I can track [1] the progress of this request.

For details of this process and the rationale, please see the original announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/694810/
2: 201101232332.11736.th...@debian.org
3: http://deb.li/prsc

Thanks,

with his security hat on:

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug#694407: freeradius: CVE-2011-4966
Package: freeradius

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed this bug. These problems were not serious enough for a Debian Security Advisory, so they are now on my radar for fixing in the following suites through point releases:

squeeze (6.0.7) - use target stable

Please prepare a minimal-changes upload targeting each of these suites, and submit a debdiff to the Release Team [0] for consideration. They will offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and you need help. Please keep me in CC at all times so I can track [1] the progress of this request.

For details of this process and the rationale, please see the original announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/694407/
2: 201101232332.11736.th...@debian.org
3: http://deb.li/prsc

Thanks,

with his security hat on:

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug#680059: revelation: FPM exporter doesn't encrypt password files [CVE-2012-3818]
Package: revelation

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed this bug. These problems were not serious enough for a Debian Security Advisory, so they are now on my radar for fixing in the following suites through point releases:

squeeze (6.0.7) - use target stable

Please prepare a minimal-changes upload targeting each of these suites, and submit a debdiff to the Release Team [0] for consideration. They will offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and you need help. Please keep me in CC at all times so I can track [1] the progress of this request.

For details of this process and the rationale, please see the original announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/680059/
2: 201101232332.11736.th...@debian.org
3: http://deb.li/prsc

Thanks,

with his security hat on:

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug#686764: xen: Multiple security issues
Package: xen

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed this bug. These problems were not serious enough for a Debian Security Advisory, so they are now on my radar for fixing in the following suites through point releases:

squeeze (6.0.7) - use target stable

Please prepare a minimal-changes upload targeting each of these suites, and submit a debdiff to the Release Team [0] for consideration. They will offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and you need help. Please keep me in CC at all times so I can track [1] the progress of this request.

For details of this process and the rationale, please see the original announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/686764/
2: 201101232332.11736.th...@debian.org
3: http://deb.li/prsc

Thanks,

with his security hat on:

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug#698402: marked as done (wicd-curses: crashes on start)
Your message dated Fri, 18 Jan 2013 14:33:48 +0100 with message-id CAJN4MBPa6xqYE+Ke48RY9JsPWpxBxrhX0d1wB7kMv-wf=zx...@mail.gmail.com and subject line Re: Bug#698402: please close, solved has caused the Debian Bug report #698402, regarding wicd-curses: crashes on start to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
698402: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698402
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: wicd
Version: 1.7.2.4-4
Severity: grave
Justification: renders package unusable

Dear Maintainer,

wicd-curses crashes at startup with the following output:

$ wicd-curses
Traceback (most recent call last):
  File "/usr/share/wicd/curses/wicd-curses.py", line 1063, in <module>
    main()
  File "/usr/share/wicd/curses/wicd-curses.py", line 995, in main
    ui.run_wrapper(run)
  File "/usr/local/lib/python2.7/dist-packages/urwid/raw_display.py", line 242, in run_wrapper
    return fn()
  File "/usr/share/wicd/curses/wicd-curses.py", line 88, in wrapper
    return func(*args, **kargs)
  File "/usr/share/wicd/curses/wicd-curses.py", line 1003, in run
    app = appGUI()
  File "/usr/share/wicd/curses/wicd-curses.py", line 548, in __init__
    self.wiredCB = urwid.Filler(WiredComboBox(wiredL))
  File "/usr/share/wicd/curses/wicd-curses.py", line 378, in __init__
    self.__super.__init__(use_enter=False)
  File "/usr/share/wicd/curses/curses_misc.py", line 352, in __init__
    self.focus = focus
AttributeError: can't set attribute

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.7.2-tidux (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages wicd depends on:
ii  wicd-cli [wicd-client]     1.7.2.4-4
ii  wicd-curses [wicd-client]  1.7.2.4-4
ii  wicd-daemon                1.7.2.4-4
ii  wicd-gtk [wicd-client]     1.7.2.4-4

wicd recommends no packages.

wicd suggests no packages.

Versions of packages wicd-cli depends on:
ii  python       2.7.3~rc2-1
ii  wicd-daemon  1.7.2.4-4

Versions of packages wicd-cli recommends:
ii  sudo  1.8.5p2-1

Versions of packages wicd-gtk depends on:
ii  python         2.7.3~rc2-1
ii  python-glade2  2.24.0-3
ii  python-gtk2    2.24.0-3
ii  wicd-daemon    1.7.2.4-4

Versions of packages wicd-gtk recommends:
ii  gksu           2.0.2-6
ii  python-notify  0.1.1-3

Versions of packages wicd-curses depends on:
ii  python        2.7.3~rc2-1
ii  python-urwid  1.0.1-2
ii  wicd-daemon   1.7.2.4-4

Versions of packages wicd-curses recommends:
ii  sudo  1.8.5p2-1

Versions of packages wicd-daemon depends on:
ii  adduser          3.113+nmu3
ii  dbus             1.6.8-1
ii  debconf          1.5.49
ii  ethtool          1:3.4.2-1
ii  iproute          20120521-3
ii  iputils-ping     3:20101006-1+b1
ii  isc-dhcp-client  4.2.2.dfsg.1-5+deb70u2
ii  lsb-base         4.1+Debian8
ii  net-tools        1.60-24.2
ii  psmisc           22.19-1
ii  python           2.7.3~rc2-1
ii  python-dbus      1.1.1-1
ii  python-gobject   3.2.2-1
ii  python-wicd      1.7.2.4-4
ii  wireless-tools   30~pre9-8
ii  wpasupplicant    1.0-3+b2

Versions of packages wicd-daemon recommends:
ii  rfkill                     0.4-1
ii  wicd-cli [wicd-client]     1.7.2.4-4
ii  wicd-curses [wicd-client]  1.7.2.4-4
ii  wicd-gtk [wicd-client]     1.7.2.4-4

Versions of packages wicd-daemon suggests:
ii  pm-utils  1.4.1-9

Versions of packages python-wicd depends on:
ii  python  2.7.3~rc2-1

-- debconf information:
* wicd/users:
---End Message---
---BeginMessage---
2013/1/18 Jonathan Lane jonathan.w.l...@gmail.com

> The problem wasn't the Debian system packages, but essentially interpreter spoofing caused by a different version of urwid installed in /usr/local/lib on my system. Please mark this as closed.

Done, thanks :)

David

--
 . ''`.  Debian developer | http://wiki.debian.org/DavidPaleino
 : :'  : Linuxer #334216 --|-- http://www.hanskalabs.net/
 `. `'`  GPG: 1392B174 | http://deb.li/dapal
   `-    2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174
---End Message---
Bug#697197: marked as done (mha4mysql-manager: masterha_master_switch aborts during failover with 'Use of uninitialized value')
Your message dated Fri, 18 Jan 2013 13:47:59 + with message-id e1twciz-0003ua...@franck.debian.org and subject line Bug#697197: fixed in mha4mysql-manager 0.53-2 has caused the Debian Bug report #697197, regarding mha4mysql-manager: masterha_master_switch aborts during failover with 'Use of uninitialized value' to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
697197: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697197
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: mha4mysql-manager
Version: 0.53-1
Severity: serious
Tags: patch

Dear Maintainer,

masterha_master_switch aborts with the following error upon attempting a master failover/switch, rendering it virtually unusable:

Use of uninitialized value in scalar chomp at /usr/lib/perl5/site_perl/5.8.8/MHA/ManagerConst.pm line 90

This is a known bug[1], due to a change in the behaviour of Log::Dispatch. The upstream fix[2] is trivial to apply.

Regards,
Apollon

[1] https://code.google.com/p/mysql-master-ha/issues/detail?id=32
[2] https://github.com/yoshinorim/mha4mysql-manager/commit/cde41fd3ff97d2b9bc8ce99bc05af7f1d845e891

-- System Information:
Debian Release: 7.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing'), (90, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=el_GR.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mha4mysql-manager depends on:
ii  libconfig-tiny-perl           2.14-1
ii  libdbd-mysql-perl             4.021-1+b1
ii  libdbi-perl                   1.622-1
ii  liblog-dispatch-perl          2.32-1
ii  libparallel-forkmanager-perl  0.7.5-2
ii  mha4mysql-node                0.53-1
ii  perl                          5.14.2-16

mha4mysql-manager recommends no packages.

mha4mysql-manager suggests no packages.

-- no debconf information
---End Message---
---BeginMessage---
Source: mha4mysql-manager
Source-Version: 0.53-2

We believe that the bug you reported is fixed in the latest version of mha4mysql-manager, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 697...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software pp.
KURASHIKI Satoru lur...@gmail.com (supplier of updated mha4mysql-manager package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 18 Jan 2013 22:12:15 +0900
Source: mha4mysql-manager
Binary: mha4mysql-manager
Architecture: source all
Version: 0.53-2
Distribution: unstable
Urgency: medium
Maintainer: KURASHIKI Satoru lur...@gmail.com
Changed-By: KURASHIKI Satoru lur...@gmail.com
Description:
 mha4mysql-manager - Master High Availability Manager and Tools for MySQL, Manager Pac
Closes: 697197
Changes:
 mha4mysql-manager (0.53-2) unstable; urgency=medium
 .
   * backports upstream patch to fix UUV issue. (Closes: #697197)
     - set urgency medium to close serious bug.
Bug#698439: couchdb: CVE-2012-5650 CVE-2012-5649
Package: couchdb
Severity: grave
Tags: security
Justification: user security hole

Please see
http://seclists.org/fulldisclosure/2013/Jan/82
http://seclists.org/fulldisclosure/2013/Jan/80

Please apply isolated fixes instead of updating to a full new release.

Cheers,
Moritz
Bug#698440: ruby-rack: CVE-2012-6109 CVE-2013-0184 CVE-2013-0183
Package: ruby-rack
Severity: grave
Tags: security
Justification: user security hole

Please see these links for details:
http://seclists.org/oss-sec/2013/q1/80
http://seclists.org/oss-sec/2013/q1/83

Cheers,
Moritz
Bug#686650: bcron update for stable
Hi,

as suggested by Jonathan below, I prepared a bcron package fixing #686650 as candidate for the next squeeze point release. A debdiff is attached, the package ready for upload.

Regards, Gerrit.

On Thu, Jan 17, 2013 at 11:42:08AM -, Jonathan Wiltshire wrote:
> Package: bcron
>
> Dear maintainer,
>
> Recently you fixed one or more security problems and as a result you closed this bug. These problems were not serious enough for a Debian Security Advisory, so they are now on my radar for fixing in the following suites through point releases:
>
> squeeze (6.0.7) - use target stable
>
> Please prepare a minimal-changes upload targeting each of these suites, and submit a debdiff to the Release Team [0] for consideration. They will offer additional guidance or instruct you to upload your package.
>
> I will happily assist you at any stage if the patch is straightforward and you need help. Please keep me in CC at all times so I can track [1] the progress of this request.
>
> For details of this process and the rationale, please see the original announcement [2] and my blog post [3].
>
> 0: debian-rele...@lists.debian.org
> 1: http://prsc.debian.net/tracker/686650/
> 2: 201101232332.11736.th...@debian.org
> 3: http://deb.li/prsc
>
> Thanks,
>
> with his security hat on:
>
> --
> Jonathan Wiltshire j...@debian.org
> Debian Developer http://people.debian.org/~jmw
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

diff -u bcron-0.09/debian/changelog bcron-0.09/debian/changelog --- bcron-0.09/debian/changelog +++ bcron-0.09/debian/changelog 
@@ -1,3 +1,14 @@ +bcron (0.09-11+squeeze1) stable; urgency=high + + * debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-...diff: +new; from upstream git; bcron-exec: Mark all temporary files +close-on-exec and close selfpipe; this fixes a security bug in +bcron where cron jobs get access to the temporary output files from +all other jobs that are still running (CVE-2012-6110, closes: +#686650). + + -- Gerrit Pape p...@smarden.org Fri, 18 Jan 2013 03:21:49 + + bcron (0.09-11) unstable; urgency=low * debian/bcron-run.postrm: services' supervise dirs are now located in only in patch2: unchanged: --- bcron-0.09.orig/debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-on-exec-and.diff +++ bcron-0.09/debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-on-exec-and.diff 
@@ -0,0 +1,79 @@ +From 6b30379c3bcab65a6a21b5c7677e333dbc357cc3 Mon Sep 17 00:00:00 2001 +From: Bruce Guenter br...@untroubled.org +Date: Fri, 5 Oct 2012 18:15:11 -0600 +Subject: [PATCH] bcron-exec: Mark all temporary files close-on-exec and + close selfpipe + +This fixes a security bug in bcron where cron jobs get access to the +temporary output files from all other jobs that are still running. + +First reported in Debian: +http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686650 + +Conflicts: + NEWS +--- + bcron-exec.c |3 +++ + tests/exec-fds | 22 ++ + 2 files changed, 25 insertions(+) + create mode 100644 tests/exec-fds + +diff --git a/bcron-exec.c b/bcron-exec.c +index 2414bd8..ec6c641 100644 +--- a/bcron-exec.c b/bcron-exec.c +@@ -13,6 +13,7 @@ + #include path/path.h + #include str/env.h + #include str/str.h ++#include unix/cloexec.h + #include unix/nonblock.h + #include unix/selfpipe.h + #include unix/sig.h +@@ -106,6 +107,7 @@ static void exec_cmd(int fdin, int fdout, +const str* env, +const struct passwd* pw) + { ++ selfpipe_close(); + dup2(fdin, 0); + close(fdin); + dup2(fdout, 1); +@@ -205,6 +207,7 @@ static void start_slot(int slot, + return; + } + unlink(tmp.s); ++cloexec_on(fd); + gethostname(hostname, sizeof hostname); + wrap_str(str_copyns(tmp, 6, To: , mailto, \n, + 
From: Cron Daemon root@, hostname, \n)); +diff --git a/tests/exec-fds b/tests/exec-fds +new file mode 100644 +index 000..f2c4a9f +--- /dev/null b/tests/exec-fds +@@ -0,0 +1,22 @@ ++doexec \ ++ 'sleep 1; echo all done' \ ++ 'echo here 4; echo here 5; echo here 6; echo here 7; echo here 8' ++result ++15:2^@KJob complete,15:1^@KJob complete, ++bcron-exec: (USER) CMD (sleep 1; echo all done) ++bcron-exec: (USER) CMD (echo here 4; echo here 5; echo here 6; echo here 7; echo here 8) ++bcron-exec: Waiting for remaining slots to complete ++To: USER ++From: Cron Daemon root@HOST ++Subject: Cron USER@HOST echo here 4; echo here 5; echo here 6; echo here 7; echo here 8 ++ ++/bin/sh: 1: 4: Bad file descriptor ++/bin/sh: 1: 5: Bad file descriptor ++/bin/sh: 1: 6: Bad file descriptor ++/bin/sh: 1: 7: Bad file descriptor ++/bin/sh: 1: 8: Bad file descriptor ++To: USER ++From: Cron Daemon root@HOST ++Subject: Cron USER@HOST sleep 1; echo all done ++ ++all done +-- +1.7.10.4 +
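Review bot: in the start_slot hunk of bcron-exec.c the result of cloexec_on(fd) is ignored; if the flag cannot be set, the slot carries on with a temporary file that later jobs still inherit, which is the bug being fixed. Treat a failure like the error path just above it (report and return). In tests/exec-fds the expected output hard-codes the shell's own wording, "/bin/sh: 1: 4: Bad file descriptor", so the test only passes where /bin/sh prints errors in exactly that form; checking that the second job's text never shows up in the first job's mail would be sturdier.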
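The descriptor leak described in the changelog entry above, reduced to a stand-alone C program (an added example, not bcron's code and not part of the debdiff): a parent holds an unlinked temporary file for one job, then execs /bin/sh as a second job that tries to write to the inherited descriptor number. The function names, the /tmp template and the shell command are assumptions made for the illustration.

```c
/* Added example (not bcron code): does a job started by a parent inherit the
 * parent's temporary output file? Compare with and without FD_CLOEXEC. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create an unlinked temporary file, as a job runner does for a job's
 * output. Returns the descriptor, or -1 on error. */
static int open_job_output(int close_on_exec)
{
    char path[] = "/tmp/cloexec-demo-XXXXXX";   /* constructed template */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                   /* the file is reachable only via fd now */
    if (close_on_exec) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fd);              /* fail closed: never keep a leaky fd */
            return -1;
        }
    }
    return fd;
}

/* Fork and exec /bin/sh as "another job" that tries to write to descriptor
 * number fd. Returns 0 once the child has been reaped, -1 on error. */
static int run_other_job(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "echo leaked >&%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) {
            dup2(devnull, 2);       /* hide the shell's "Bad file descriptor" */
            close(devnull);
        }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                 /* exec failed */
    }
    int status;
    return waitpid(pid, &status, 0) == pid ? 0 : -1;
}

/* Returns how many bytes the other job managed to write into this job's
 * output file, or -1 on error. */
static long bytes_leaked_into_output(int close_on_exec)
{
    struct stat st;
    long size = -1;
    int fd = open_job_output(close_on_exec);
    if (fd < 0)
        return -1;
    if (run_other_job(fd) == 0 && fstat(fd, &st) == 0)
        size = (long)st.st_size;
    close(fd);
    return size;
}

int main(void)
{
    printf("without FD_CLOEXEC: %ld bytes written by the other job\n",
           bytes_leaked_into_output(0));
    printf("with FD_CLOEXEC:    %ld bytes written by the other job\n",
           bytes_leaked_into_output(1));
    return 0;
}
```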
Bug#695224: Locale::Maketext security fix: real world breakage?
On Wed, Dec 05, 2012 at 04:05:01PM -0500, Ricardo Signes wrote:
> * Dominic Hargreaves d...@earth.li [2012-12-05T13:51:19]
> > I wondered (and the question has arisen within the Debian project) whether anyone might be relying on the previous behaviour? Have you been able to do any assessment of this?
>
> It's difficult to say, unfortunately, because (I suppose) most projects that would use Locale::Maketext would not be CPAN projects, and so finding them is not trivial. I did do some grepping of the CPAN and found zero cases. It should be quite easy to add this behavior back as optional, if we find we've broken anything.

Hi,

A fix for that has been in Debian unstable/testing for the past month and we've had no reports of problems. That doesn't mean everything, of course, but it is probably time to decide whether to push this out to Debian stable. As such I'd be very interested in hearing from anyone who has real world examples of this breaking things.

Cheers,
Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Bug#697617: jenkins: remote code execution vulnerability
On Thu, Jan 10, 2013 at 2:29 PM, Miguel Landaeta mig...@miguel.cc wrote:
> On Thu, Jan 10, 2013 at 2:03 PM, James Page james.p...@ubuntu.com wrote:
> > I'm trying to get some advice from upstream on this - hopefully I'll hear back in the next ~24hrs
>
> Good to know, I'll stay tuned.

Hi James, is there any news about this issue?

Cheers,

--
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x6E608B637D8967E9 available at http://keyserver.pgp.com/
Faith means not wanting to know what is true. -- Nietzsche
Bug#697892: marked as done (kmk_sed fails to parse character classes)
Your message dated Fri, 18 Jan 2013 18:32:47 + with message-id e1twgkb-0004gt...@franck.debian.org and subject line Bug#697892: fixed in kbuild 1:0.1.9998svn2543+dfsg-1 has caused the Debian Bug report #697892, regarding kmk_sed fails to parse character classes to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
697892: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697892
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: src:virtualbox
Version: 4.1.18-dfsg-1.1
Severity: serious
Tags: sid experimental
Justification: fails to build from source (but built successfully in the past)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

While trying to rebuild virtualbox with the patch from #691169 (which works fine BTW), I noticed that the package doesn't build in a sid or experimental chroot.

The error is:

kBuild: Creating directory /tmp/buildd/virtualbox-4.1.18-dfsg/out/obj/Runtime/
kmk_builtin_mkdir -p -- /tmp/buildd/virtualbox-4.1.18-dfsg/out/obj/Runtime/
kBuild: Generating /tmp/buildd/virtualbox-4.1.18-dfsg/out/obj/Runtime/errmsgdata.h from /tmp/buildd/virtualbox-4.1.18-dfsg/include/iprt/err.h /tmp/buildd/virtualbox-4.1.18-dfsg/include/VBox/err.h
/usr/bin/kmk_redirect -wo /tmp/buildd/virtualbox-4.1.18-dfsg/out/obj/Runtime/errmsgdata.h -- /usr/bin/kmk_sed -f /tmp/buildd/virtualbox-4.1.18-dfsg/src/VBox/Runtime/common/err/errmsg.sed /tmp/buildd/virtualbox-4.1.18-dfsg/include/iprt/err.h /tmp/buildd/virtualbox-4.1.18-dfsg/include/VBox/err.h
/usr/bin/kmk_sed: file /tmp/buildd/virtualbox-4.1.18-dfsg/src/VBox/Runtime/common/err/errmsg.sed line 31: Unmatched [ or [^
kmk: *** [/tmp/buildd/virtualbox-4.1.18-dfsg/out/obj/Runtime/errmsgdata.h] Error 1
kmk: *** Deleting file `/tmp/buildd/virtualbox-4.1.18-dfsg/out/obj/Runtime/errmsgdata.h'
kmk: *** Waiting for unfinished jobs

Fortunately for wheezy, it builds fine (with and without the patch) in a testing chroot.

I'm attaching the complete build log.
Cheers,
gregor

- -- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.7-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=de_AT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

virtualbox_4.1.18-dfsg-1.1_amd64.build.gz
Description: GNU Zip compressed data
---End Message---
---BeginMessage---
Source: kbuild
Source-Version: 1:0.1.9998svn2543+dfsg-1

We believe that the bug you reported is fixed in the latest version of kbuild, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 697...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software pp.
Felix Geyer debfx-...@fobos.de (supplier of updated kbuild package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 18 Jan 2013 19:00:28 +0100
Source: kbuild
Binary: kbuild
Architecture: source amd64
Version: 1:0.1.9998svn2543+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Virtualbox Team pkg-virtualbox-de...@lists.alioth.debian.org
Changed-By: Felix Geyer debfx-...@fobos.de
Description:
 kbuild - framework for writing simple makefiles for complex tasks
Closes: 697892
Changes:
 kbuild (1:0.1.9998svn2543+dfsg-1) unstable; urgency=high
 .
   *
Bug#690151: Stable upload request - Fw: Bug#690151: claws-mail: CVE-2012-4507
Hi release team,

As requested by Jonathan, I've prepared an upload with the minimal changes required for fixing this, debdiff attached.

IIRC this is the first time I'm going to upload something to stable, so, before uploading, any hints on missing bits or common pitfalls awaiting would be greatly appreciated.

Thanks in advance,

--- Begin forwarded message:

Date: Thu, 17 Jan 2013 11:42:13 -
From: Jonathan Wiltshire j...@debian.org
To: 690...@bugs.debian.org
Subject: Bug#690151: claws-mail: CVE-2012-4507

Package: claws-mail

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed this bug. These problems were not serious enough for a Debian Security Advisory, so they are now on my radar for fixing in the following suites through point releases:

squeeze (6.0.7) - use target stable

Please prepare a minimal-changes upload targeting each of these suites, and submit a debdiff to the Release Team [0] for consideration. They will offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and you need help. Please keep me in CC at all times so I can track [1] the progress of this request.

For details of this process and the rationale, please see the original announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/690151/
2: 201101232332.11736.th...@debian.org
3: http://deb.li/prsc

Thanks,

with his security hat on:

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

--- End forwarded message.

--
Ricardo Mones
http://people.debian.org/~mones
«Alimony and bribes will engage a large share of your wealth.»

diff -Nru claws-mail-3.7.6/debian/changelog claws-mail-3.7.6/debian/changelog --- claws-mail-3.7.6/debian/changelog 2010-10-13 16:36:26.0 +0200 +++ claws-mail-3.7.6/debian/changelog 2013-01-18 19:25:19.0 +0100 
@@ -1,3 +1,10 @@ +claws-mail (3.7.6-4+squeeze1) stable; urgency=low + + * patches/99_fix_CVE-2012-4507.patch + - Added fix for CVE-2012-4507 from 3.8.1-2 (Closes: #690151) + + -- Ricardo Mones mo...@debian.org Fri, 18 Jan 2013 19:03:36 +0100 + claws-mail (3.7.6-4) unstable; urgency=low * debian/rules, debian/claws-mail-doc.dirs diff -Nru claws-mail-3.7.6/debian/patches/99_fix_CVE-2012-4507.patch claws-mail-3.7.6/debian/patches/99_fix_CVE-2012-4507.patch --- claws-mail-3.7.6/debian/patches/99_fix_CVE-2012-4507.patch 1970-01-01 01:00:00.0 +0100 +++ claws-mail-3.7.6/debian/patches/99_fix_CVE-2012-4507.patch 2013-01-18 19:25:19.0 +0100 @@ -0,0 +1,19 @@ +Subject: fix for CVE-2012-4507 +From: Michael Schwendt mschwe...@gmail.com +Bug: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2743 +Bug-RedHat: https://bugzilla.redhat.com/862578 +Bug-Debian: http://bugs.debian.org/690151 +Applied-Upstream: 3.8.1cvs82 + +diff -purN claws-mail-3.8.1.orig/src/procmime.c claws-mail-3.8.1/src/procmime.c +--- claws-mail-3.8.1.orig/src/procmime.c 2012-06-27 11:05:22.0 +0200 claws-mail-3.8.1/src/procmime.c 2012-10-11 18:40:13.0 +0200 +@@ -1753,6 +1753,8 @@ static void parse_parameters(const gchar + continue; + + charset = value; ++ if (charset == NULL) ++ continue; + lang = strchr(charset, '\''); + if (lang == NULL) + continue; diff -Nru claws-mail-3.7.6/debian/patches/series claws-mail-3.7.6/debian/patches/series --- claws-mail-3.7.6/debian/patches/series 2009-07-03 15:27:51.0 +0200 +++ claws-mail-3.7.6/debian/patches/series 2013-01-18 19:25:19.0 +0100 @@ -1,2 +1,3 @@ 11mark_trashed_as_read.patch 12fix_manpage_header.patch +99_fix_CVE-2012-4507.patch signature.asc Description: PGP signature
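Review bot: the quilt patch 99_fix_CVE-2012-4507.patch is a diff against claws-mail-3.8.1 (hunk at src/procmime.c line 1753) but is being added to 3.7.6; confirm that it applies to the 3.7.6 parse_parameters without fuzz or offset and that value can be NULL on the same path there. The changelog entry names only the CVE number; a few words on what is fixed (the NULL check on charset before strchr) would make the Release Team's review easier.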
Bug#665012: CVE-2012-1570: maradns deleted domain record cache persistance flaw
Upstream here. It's a six-line patch: http://maradns.org/download/patches/security/maradns-1.4.11-ghostdomain.patch This should not be too difficult to apply. Also, the security report is somewhat inaccurate. Both MaraDNS and Deadwood were never vulnerable to the Ghost Domain bug as described in the original report...something said report points out. However, the programs were vulnerable to caching records with a long TTL...easily fixed by capping TTLs to only last one day. Finally, MaraDNS 1.4 will no longer be supported by me on June 21, 2015. Please be sure to update all MaraDNS packages to 2.0 before then. - Sam --- maradns-1.4.11/server/recursive.c 2012-01-13 13:39:01.0 -0600 +++ maradns-1.4.12/server/recursive.c 2012-03-17 09:52:27.0 -0600 @@ -1370,6 +1370,10 @@ ttl = js_readuint32(server_reply,offset); if(ttl == JS_ERROR) return JS_ERROR; +if(ttl 20) +ttl = 20; +if(ttl 86400) /* One day; Ghost domain fix */ +ttl = 86400; offset += 4; /* Get the rdlength of the SOA record */ rdlength = js_readuint16(server_reply,offset); 
@@ -2019,8 +2023,8 @@ problems that Franky reported */ if(ttl 20) ttl = 20; -if(ttl 63072000) /* Two years */ -ttl = 63072000; +if(ttl 86400) /* One day; Ghost domain fix */ +ttl = 86400; /* If this is a CNAME answer then we don't store it for over * 15 minutes */ if(ttl 900 cname_original_record != 0) On Thu, Jan 17, 2013 at 3:42 AM, Jonathan Wiltshire j...@debian.org wrote: Package: maradns Dear maintainer, Recently you fixed one or more security problems and as a result you closed this bug. These problems were not serious enough for a Debian Security Advisory, so they are now on my radar for fixing in the following suites through point releases: squeeze (6.0.7) - use target stable Please prepare a minimal-changes upload targetting each of these suites, and submit a debdiff to the Release Team [0] for consideration. They will offer additional guidance or instruct you to upload your package. I will happily assist you at any stage if the patch is straightforward and you need help. Please keep me in CC at all times so I can track [1] the progress of this request. For details of this process and the rationale, please see the original announcement [2] and my blog post [3]. 0: debian-rele...@lists.debian.org 1: http://prsc.debian.net/tracker/665012/ 2: 201101232332.11736.th...@debian.org 3: http://deb.li/prsc Thanks, with his security hat on: -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
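Review bot: the one-day cap is written as the literal 86400 in both hunks of server/recursive.c (the new SOA check near line 1370 and the replaced two-year cap near line 2019), and the floor of 20 is repeated the same way. A pair of named constants would keep the two code paths from drifting apart the next time the limit changes. The comparison operators in the if(ttl ...) tests are not visible in the lines as shown here, so the direction of each test should be checked against the patch at the URL given at the top of the message.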
Bug#690151: Stable upload request - Fw: Bug#690151: claws-mail: CVE-2012-4507
Control: found -1 3.7.6-4
On Fri, 2013-01-18 at 20:08 +0100, Ricardo Mones wrote:
> As requested by Jonathan, I've prepared an upload with the minimal
> changes required for fixing this, debdiff attached.
> IIRC this is the first time I'm going to upload something to stable, so,
> before uploading, any hints on missing bits or common pitfalls awaiting
> would be greatly appreciated.
Thanks for preparing the update. Not a missing bit as such, but it's generally easier for us to track requests for stable updates if they are filed as appropriately user-tagged bugs (e.g. via reportbug).
In any case, please go ahead; thanks.
Regards,
Adam
Processed: Re: Stable upload request - Fw: Bug#690151: claws-mail: CVE-2012-4507
Processing control commands:
found -1 3.7.6-4
Bug #690151 {Done: Ricardo Mones mo...@debian.org} [claws-mail] claws-mail: CVE-2012-4507
Marked as found in versions claws-mail/3.7.6-4.
--
690151: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690151
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#686650: bcron update for stable
Control: found -1 0.09-11
On Fri, 2013-01-18 at 14:57 +, Gerrit Pape wrote:
> as suggested by Jonathan below, I prepared a bcron package fixing
> #686650 as candidate for the next squeeze point release. A debdiff is
> attached, the package ready for upload.
Please go ahead; thanks.
Regards,
Adam
Processed: Re: bcron update for stable
Processing control commands:
found -1 0.09-11
Bug #686650 {Done: Gerrit Pape p...@smarden.org} [bcron] bcron: CVE-2012-6110: bcron file descriptors not closed
Marked as found in versions bcron/0.09-11.
--
686650: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686650
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#698439: marked as done (couchdb: CVE-2012-5650 CVE-2012-5649)
Your message dated Fri, 18 Jan 2013 20:47:33 + with message-id e1twiqb-0004yi...@franck.debian.org and subject line Bug#698439: fixed in couchdb 1.2.0-4 has caused the Debian Bug report #698439, regarding couchdb: CVE-2012-5650 CVE-2012-5649 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 698439: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698439 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: couchdb Severity: grave Tags: security Justification: user security hole Please see http://seclists.org/fulldisclosure/2013/Jan/82 http://seclists.org/fulldisclosure/2013/Jan/80 Please apply isolated fixes instead of updating to a full new release. Cheers, Moritz ---End Message--- ---BeginMessage--- Source: couchdb Source-Version: 1.2.0-4 We believe that the bug you reported is fixed in the latest version of couchdb, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 698...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. 
Laszlo Boszormenyi (GCS) g...@debian.hu (supplier of updated couchdb package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) Format: 1.8 Date: Fri, 18 Jan 2013 20:04:01 +0100 Source: couchdb Binary: couchdb Architecture: source amd64 Version: 1.2.0-4 Distribution: unstable Urgency: high Maintainer: Laszlo Boszormenyi (GCS) g...@debian.hu Changed-By: Laszlo Boszormenyi (GCS) g...@debian.hu Description: couchdb- RESTful document oriented database Closes: 698439 Changes: couchdb (1.2.0-4) unstable; urgency=high . * Fix CVE-2012-5649 and CVE-2012-5650 with adding upstream fixes as patches: improve_parsing_of_mochiweb_relative_paths.patch , improve_script_url_validation.patch and include_a_comment_before_jsonp_output.patch (closes: #698439). ---End Message---
Processed: Re: wims: still modifies shipped files: /var/lib/wims/public_html/gifs/*
Processing control commands:
found -1 1:4.04~dfsg-2
Bug #687947 {Done: Georges Khaznadar georg...@debian.org} [wims] wims: modifies shipped files: /var/lib/wims/public_html/gifs/*, /var/lib/wims/public_html/themes/*
Marked as found in versions wims/1:4.04~dfsg-2; no longer marked as fixed in versions wims/1:4.04~dfsg-2 and reopened.
--
687947: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687947
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#687947: wims: still modifies shipped files: /var/lib/wims/public_html/gifs/*
Followup-For: Bug #687947 Control: found -1 1:4.04~dfsg-2 Hi, not much has changed in the last release ... therefore reopening. 1m19.5s ERROR: FAIL: debsums reports modifications inside the chroot: /var/lib/wims/public_html/gifs/symbols/20/_Arrow-h.gif /var/lib/wims/public_html/gifs/symbols/20/_Arrow-v.gif /var/lib/wims/public_html/gifs/symbols/20/_ArrowR-h.gif /var/lib/wims/public_html/gifs/symbols/20/_ArrowR-v.gif /var/lib/wims/public_html/gifs/symbols/20/_Diode-h.gif /var/lib/wims/public_html/gifs/symbols/20/_Diode-v.gif /var/lib/wims/public_html/gifs/symbols/20/_DiodeR-h.gif /var/lib/wims/public_html/gifs/symbols/20/_DiodeR-v.gif /var/lib/wims/public_html/gifs/symbols/20/_Zener-h.gif /var/lib/wims/public_html/gifs/symbols/20/_Zener-v.gif /var/lib/wims/public_html/gifs/symbols/20/_ZenerR-h.gif /var/lib/wims/public_html/gifs/symbols/20/_ZenerR-v.gif /var/lib/wims/public_html/gifs/symbols/20/_iArrow-h.gif /var/lib/wims/public_html/gifs/symbols/20/_iArrow-v.gif /var/lib/wims/public_html/gifs/symbols/20/_iArrowR-h.gif /var/lib/wims/public_html/gifs/symbols/20/_iArrowR-v.gif /var/lib/wims/public_html/gifs/symbols/20/del-h.gif /var/lib/wims/public_html/gifs/symbols/20/del-v.gif /var/lib/wims/public_html/gifs/symbols/20/delR-h.gif /var/lib/wims/public_html/gifs/symbols/20/delR-v.gif /var/lib/wims/public_html/gifs/symbols/20/isrc-v.gif /var/lib/wims/public_html/gifs/symbols/20/isrcR-v.gif /var/lib/wims/public_html/gifs/symbols/20/meter-h.gif /var/lib/wims/public_html/gifs/symbols/20/meter-v.gif /var/lib/wims/public_html/gifs/symbols/20/meterR-h.gif /var/lib/wims/public_html/gifs/symbols/20/meterR-v.gif /var/lib/wims/public_html/gifs/symbols/20/nand-h.gif /var/lib/wims/public_html/gifs/symbols/20/nand-v.gif /var/lib/wims/public_html/gifs/symbols/20/nandR-h.gif /var/lib/wims/public_html/gifs/symbols/20/nandR-v.gif /var/lib/wims/public_html/gifs/symbols/20/nor-h.gif /var/lib/wims/public_html/gifs/symbols/20/nor-v.gif /var/lib/wims/public_html/gifs/symbols/20/norR-h.gif 
/var/lib/wims/public_html/gifs/symbols/20/norR-v.gif /var/lib/wims/public_html/gifs/symbols/20/npn-h.gif /var/lib/wims/public_html/gifs/symbols/20/npn-v.gif /var/lib/wims/public_html/gifs/symbols/20/npn2-h.gif /var/lib/wims/public_html/gifs/symbols/20/npn2-v.gif /var/lib/wims/public_html/gifs/symbols/20/npn2R-h.gif /var/lib/wims/public_html/gifs/symbols/20/npn2R-v.gif /var/lib/wims/public_html/gifs/symbols/20/npnR-h.gif /var/lib/wims/public_html/gifs/symbols/20/npnR-v.gif /var/lib/wims/public_html/gifs/symbols/20/pnp-h.gif /var/lib/wims/public_html/gifs/symbols/20/pnp-v.gif /var/lib/wims/public_html/gifs/symbols/20/pnp2-h.gif /var/lib/wims/public_html/gifs/symbols/20/pnp2-v.gif /var/lib/wims/public_html/gifs/symbols/20/pnp2R-h.gif /var/lib/wims/public_html/gifs/symbols/20/pnp2R-v.gif /var/lib/wims/public_html/gifs/symbols/20/pnpR-h.gif /var/lib/wims/public_html/gifs/symbols/20/pnpR-v.gif /var/lib/wims/public_html/gifs/symbols/20/xnor-h.gif /var/lib/wims/public_html/gifs/symbols/20/xnor-v.gif /var/lib/wims/public_html/gifs/symbols/20/xnorR-h.gif /var/lib/wims/public_html/gifs/symbols/20/xnorR-v.gif Andreas wims_1:4.04~dfsg-2.log.gz Description: GNU Zip compressed data
Bug#688738: marked as done (docbookwiki: ships a SVN repository in /usr, modified by postinst, overwritten during upgrade)
Your message dated Fri, 18 Jan 2013 21:19:42 + with message-id e1twjli-0003sr...@franck.debian.org and subject line Bug#696930: Removed package(s) from unstable has caused the Debian Bug report #688738, regarding docbookwiki: ships a SVN repository in /usr, modified by postinst, overwritten during upgrade to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 688738: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688738 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: docbookwiki Version: 0.9.2-4 Severity: serious User: debian...@lists.debian.org Usertags: piuparts Hi, during a test with piuparts I noticed your package modifies shipped files. That has the potential for big problems after upgrades or reinstallation: (in a clean sid chroot) # apt-get install docbookwiki [...] # svn info file:///usr/share/docbookwiki/content/SVN/repository/ Path: repository URL: file:///usr/share/docbookwiki/content/SVN/repository Repository Root: file:///usr/share/docbookwiki/content/SVN/repository Repository UUID: 7d3ebdad-230e-481f-a383-3ffd8345fe86 Revision: 16 Node Kind: directory Last Changed Author: dbwiki Last Changed Rev: 16 Last Changed Date: 2012-09-25 09:22:50 + (Tue, 25 Sep 2012) # apt-get install --reinstall docbookwiki [...] 
# svn info file:///usr/share/docbookwiki/content/SVN/repository/ Path: repository URL: file:///usr/share/docbookwiki/content/SVN/repository Repository Root: file:///usr/share/docbookwiki/content/SVN/repository Repository UUID: 50a00ebf-ae70-4589-9e29-d9f6f4293c27 Revision: 8 Node Kind: directory Last Changed Author: dbwiki Last Changed Rev: 8 Last Changed Date: 2009-07-15 05:15:31 + (Wed, 15 Jul 2009) A svn repository would belong to /var/lib/docbookwiki, its contents may not be shipped as files. Shipping a dumpfile and loading this to initially seed the repository would be an option. debsums reports modification of the following files, from the attached log (scroll to the bottom...): debsums: missing file /usr/share/docbookwiki/content/SVN/my_docs/aolsp_servers_en.xml (from docbookwiki package) debsums: missing file /usr/share/docbookwiki/content/SVN/my_docs/aolsp_services_en.xml (from docbookwiki package) debsums: can't check docbookwiki file /usr/share/docbookwiki/content/SVN/repository/db/revprops/0 (not a regular file) debsums: missing file /usr/share/docbookwiki/content/SVN/repository/db/revprops/1 (from docbookwiki package) debsums: missing file /usr/share/docbookwiki/content/SVN/repository/db/revprops/2 (from docbookwiki package) debsums: missing file /usr/share/docbookwiki/content/SVN/repository/db/revprops/3 (from docbookwiki package) debsums: missing file /usr/share/docbookwiki/content/SVN/repository/db/revprops/4 (from docbookwiki package) debsums: missing file /usr/share/docbookwiki/content/SVN/repository/db/revprops/5 (from docbookwiki package) debsums: missing file /usr/share/docbookwiki/content/SVN/repository/db/revprops/6 (from docbookwiki package) debsums: missing file /usr/share/docbookwiki/content/SVN/repository/db/revprops/7 (from docbookwiki package) debsums: missing file /usr/share/docbookwiki/content/SVN/repository/db/revprops/8 (from docbookwiki package) debsums: can't check docbookwiki file 
/usr/share/docbookwiki/content/SVN/repository/db/revs/0 (not a regular file) debsums: missing file /usr/share/docbookwiki/content/SVN/repository/db/revs/1 (from docbookwiki package) debsums: missing file /usr/share/docbookwiki/content/SVN/repository/db/revs/2 (from docbookwiki package) debsums: missing file /usr/share/docbookwiki/content/SVN/repository/db/revs/3 (from docbookwiki package) debsums: missing file /usr/share/docbookwiki/content/SVN/repository/db/revs/4 (from docbookwiki package) debsums: missing file /usr/share/docbookwiki/content/SVN/repository/db/revs/5 (from docbookwiki package) debsums: missing file /usr/share/docbookwiki/content/SVN/repository/db/revs/6 (from docbookwiki package) debsums: missing file /usr/share/docbookwiki/content/SVN/repository/db/revs/7 (from docbookwiki package) debsums: missing file /usr/share/docbookwiki/content/SVN/repository/db/revs/8 (from docbookwiki package) /usr/share/docbookwiki/content/SVN/book_list /usr/share/docbookwiki/content/SVN/repository/README.txt /usr/share/docbookwiki/content/SVN/repository/conf/authz /usr/share/docbookwiki/content/SVN/repository/conf/svnserve.conf /usr/share/docbookwiki/content/SVN/repository/db/current /usr/share/docbookwiki/content/SVN/repository/db/format
Bug#694138: marked as done (docbookwiki: fails to install: svn: E180001: Unable to connect to a repository at URL 'file:///usr/share/docbookwiki/content/SVN/repository')
Your message dated Fri, 18 Jan 2013 21:19:42 + with message-id e1twjli-0003sr...@franck.debian.org and subject line Bug#696930: Removed package(s) from unstable has caused the Debian Bug report #694138, regarding docbookwiki: fails to install: svn: E180001: Unable to connect to a repository at URL 'file:///usr/share/docbookwiki/content/SVN/repository' to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 694138: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694138 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: docbookwiki Version: 0.9.2-6 Severity: serious User: debian...@lists.debian.org Usertags: piuparts Hi, during a test with piuparts I noticed your package failed to install. As per definition of the release team this makes the package too buggy for a release, thus the severity. From the attached log (scroll to the bottom...): Selecting previously unselected package docbookwiki. (Reading database ... 31121 files and directories currently installed.) Unpacking docbookwiki (from .../docbookwiki_0.9.2-6_all.deb) ... Setting up docbookwiki (0.9.2-6) ... adduser: Warning: The home directory `/usr/share/docbookwiki' does not belong to the user you are currently creating. 
svn: E180001: Unable to connect to a repository at URL 'file:///usr/share/docbookwiki/content/SVN/repository' svn: E180001: Unable to open an ra_local session to URL svn: E180001: Unable to open repository 'file:///usr/share/docbookwiki/content/SVN/repository' svn: E180001: Unable to connect to a repository at URL 'file:///usr/share/docbookwiki/content/SVN/repository/trunk' svn: E180001: Unable to open an ra_local session to URL svn: E180001: Unable to open repository 'file:///usr/share/docbookwiki/content/SVN/repository/trunk' Checking out 'file:///usr/share/docbookwiki/content/SVN/repository/trunk/' in 'my_docs' svn: E180001: Unable to connect to a repository at URL 'file:///usr/share/docbookwiki/content/SVN/repository/trunk' svn: E180001: Unable to open an ra_local session to URL svn: E180001: Unable to open repository 'file:///usr/share/docbookwiki/content/SVN/repository/trunk' Checking out 'file:///usr/share/docbookwiki/content/SVN/repository/trunk/' in '../downloads/xml_source/' svn: E180001: Unable to connect to a repository at URL 'file:///usr/share/docbookwiki/content/SVN/repository/trunk' svn: E180001: Unable to open an ra_local session to URL svn: E180001: Unable to open repository 'file:///usr/share/docbookwiki/content/SVN/repository/trunk' Building content. This may take some time...cp: cannot create regular file 'my_docs/docbookwiki_guide_en.xml': No such file or directory svn: E155007: '/usr/share/docbookwiki/content/SVN/my_docs' is not a working copy svn: E155007: '/usr/share/docbookwiki/content/SVN/my_docs/docbookwiki_guide_en.xml' is not a working copy svn: E155007: '/usr/share/docbookwiki/content/SVN/my_docs/media' is not a working copy svn: E155007: '/usr/share/docbookwiki/content/SVN/my_docs/media/docbookwiki_guide' is not a working copy svn: E155007: '/usr/share/docbookwiki/content/SVN/my_docs/media/docbookwiki_guide' is not a working copy ... 
cheers, Andreas docbookwiki_0.9.2-6.log.gz Description: GNU Zip compressed data ---End Message--- ---BeginMessage--- Version: 0.9.2-6+rm Dear submitter, as the package docbookwiki has just been removed from the Debian archive unstable we hereby close the associated bug reports. We are sorry that we couldn't deal with your issue properly. For details on the removal, please see http://bugs.debian.org/696930 The version of this package that was in Debian prior to this removal can still be found using http://snapshot.debian.org/. This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org. Debian distribution maintenance software pp. Luca Falavigna (the ftpmaster behind the curtain)---End Message---
Bug#698462: FTBFS due to inkscape
Package: taurus Version: 3.0.0-1 Severity: serious inkscape ask a few question during the build. It means that it stop the build - FTBFS now we use imagemagick as fallback -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 3.2.0-4-486 Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash From: =?UTF-8?q?Picca=20Fr=C3=A9d=C3=A9ric-Emmanuel?= pi...@debian.org Date: Fri, 18 Jan 2013 21:20:39 +0100 Subject: upstream fix for the FTBFS due to image conversion --- setup.py | 24 +--- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/setup.py b/setup.py index c3afb89..92d570a 100644 --- a/setup.py +++ b/setup.py @@ -585,7 +585,6 @@ if sphinx: def run(self): self.resource_dir = abspath('lib', 'taurus', 'qt', 'qtgui', 'resource') self.taurus = os.path.join(self.resource_dir, 'taurus.png') -import PyQt4.Qt orig_dir = os.path.abspath(os.curdir) os.chdir(self.resource_dir) @@ -699,13 +698,13 @@ if sphinx: class build_doc(BuildDoc): user_options = BuildDoc.user_options + \ - [('use-inkscape', None, - Use inkscape for building the icon catalog (useful if QApplication cannot be used when building, but requires inkscape))] -boolean_options = BuildDoc.boolean_options + ['use-inkscape'] + [('external-img-tools', None, + Use external tools for converting the icon catalog (useful if QApplication cannot be used while building, but requires inkscape and imagemagick))] +boolean_options = BuildDoc.boolean_options + ['external-img-tools'] def initialize_options (self): BuildDoc.initialize_options(self) -self.use_inkscape = False +self.external_img_tools = False def has_doc_api(self): return True 
@@ -757,20 +756,20 @@ if sphinx: # copy the tango icons to the build directory of documentation target = os.path.join(build_dir, 'devel') -if not self.use_inkscape: +if not self.external_img_tools: import PyQt4.Qt if PyQt4.Qt.qApp.instance() is None: self.app = PyQt4.Qt.QApplication([]) print(\tBuilding PNGs for icon catalog) -os.path.walk(resource, svg_to_png, (resource, target, self.use_inkscape)) +os.path.walk(resource, svg_to_png, (resource, target, self.external_img_tools)) return cmdclass['build_doc'] = build_doc def svg_to_png(arg, dirname, fnames): -resource, target, use_inkscape = arg -if not use_inkscape: +resource, target, external_img_tools = arg +if not external_img_tools: import PyQt4.Qt relpath = os.path.relpath(dirname, start=resource) path = os.path.join(target, relpath) @@ -783,9 +782,12 @@ def svg_to_png(arg, dirname, fnames): target_fname = fbase + .png full_target_fname = os.path.join(path, target_fname) if not os.path.isfile(full_target_fname): -if use_inkscape: -cmd = inkscape -z -e '%s' -w 24 '%s' /dev/null%(full_target_fname, full_source_fname) +if external_img_tools: +cmd = inkscape -z '%s' -e '%s' -w 24 /dev/null 2/dev/null%(full_source_fname, full_target_fname) ok = not(os.system(cmd)) +if not ok: +cmd = convert -resize 24 '%s' '%s' /dev/null 2/dev/null%(full_source_fname, full_target_fname) +ok = not(os.system(cmd)) else: pixmap = PyQt4.Qt.QPixmap(full_source_fname) pix = pixmap.scaledToWidth(24, PyQt4.Qt.Qt.SmoothTransformation)
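Review bot: in svg_to_png the inkscape and convert commands are built by %-formatting the file names between single quotes and run through os.system, so a path containing a single quote breaks the command, and with both output streams sent to /dev/null a failure of both tools leaves nothing in the build log. Passing an argument list to subprocess.call and reporting the file name when ok is still false after the convert fallback would make a failed conversion visible. The help text for external-img-tools also says the option requires inkscape and imagemagick, while the code only runs convert when inkscape fails; "inkscape or imagemagick" would match what the code does.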
Bug#698463: openarena-dbg: copyright file missing after upgrade (policy 12.5)
Package: openarena-dbg Version: 0.8.8-7 Severity: serious User: debian...@lists.debian.org Usertags: piuparts Hi, a test with piuparts revealed that your package misses the copyright file after an upgrade from squeeze to wheezy, which is a violation of Policy 12.5: http://www.debian.org/doc/debian-policy/ch-docs.html#s-copyrightfile After the upgrade /usr/share/doc/$PACKAGE/ is just an empty directory. From the attached log (scroll to the bottom...): MISSING COPYRIGHT FILE: /usr/share/doc/openarena-dbg/copyright # ls -lad /usr/share/doc/openarena-dbg drwxr-xr-x 2 root root 40 Jan 18 10:23 /usr/share/doc/openarena-dbg # ls -la /usr/share/doc/openarena-dbg/ total 0 drwxr-xr-x 2 root root 40 Jan 18 10:23 . drwxr-xr-x 146 root root 3020 Jan 18 10:23 .. Additional info may be available here: http://wiki.debian.org/MissingCopyrightFile cheers, Andreas openarena-dbg_0.8.8-7.log.gz Description: GNU Zip compressed data
Bug#698466: apt-cacher-ng: fails to install: apt-cacher-ng.postinst: curl: not found
Package: apt-cacher-ng Version: 0.7.12-1 Severity: serious User: debian...@lists.debian.org Usertags: piuparts Hi, during a test with piuparts I noticed your package failed to install. As per definition of the release team this makes the package too buggy for a release, thus the severity. From the attached log (scroll to the bottom...): Selecting previously unselected package apt-cacher-ng. (Reading database ... 6882 files and directories currently installed.) Unpacking apt-cacher-ng (from .../apt-cacher-ng_0.7.12-1_amd64.deb) ... Setting up apt-cacher-ng (0.7.12-1) ... /var/lib/dpkg/info/apt-cacher-ng.postinst: 91: /var/lib/dpkg/info/apt-cacher-ng.postinst: curl: not found dpkg: error processing apt-cacher-ng (--configure): subprocess installed post-installation script returned error exit status 127 Errors were encountered while processing: apt-cacher-ng cheers, Andreas apt-cacher-ng_0.7.12-1.log.gz Description: GNU Zip compressed data
Processed: found 694889 in openjdk-7-source/7u3-2.1.4-1, found 669278 in kraft/0.45-2 ..., affects 698375
Processing commands for cont...@bugs.debian.org:
found 694889 openjdk-7-source/7u3-2.1.4-1
Bug #694889 [ca-certificates-java] ca-certificates-java: early triggered jks-keystore may fail and leave the temporary /etc/java-7-openjdk/jvm-$arch.cfg
Bug #694888 [ca-certificates-java] ca-certificates-java: early triggered jks-keystore may fail and leave the temporary /etc/java-7-openjdk/jvm-$arch.cfg
The source openjdk-7-source and version 7u3-2.1.4-1 do not appear to match any binary packages
Marked as found in versions openjdk-7-source/7u3-2.1.4-1.
Marked as found in versions openjdk-7-source/7u3-2.1.4-1.
found 669278 kraft/0.45-2
Bug #669278 [src:phonon] please add phonon-backend-xine transitional package
Bug #669878 [src:phonon] Could not perform immediate configuration on 'phonon-backend-vlc'
Marked as found in versions kraft/0.45-2.
Marked as found in versions kraft/0.45-2.
found 669278 konversation/1.4-1
Bug #669278 [src:phonon] please add phonon-backend-xine transitional package
Bug #669878 [src:phonon] Could not perform immediate configuration on 'phonon-backend-vlc'
Marked as found in versions konversation/1.4-1.
Marked as found in versions konversation/1.4-1.
affects 698375 + redhat-cluster-suite
Bug #698375 [gfs2-utils] gfs2-utils: fails to upgrade from squeeze: insserv: script gfs2-utils: service gfs2 already provided!
Added indication that 698375 affects redhat-cluster-suite
thanks
Stopping processing here.
Please contact me if you need assistance.
--
669278: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669278
669878: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669878
694888: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694888
694889: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694889
698375: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698375
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#698481: mantis: multiple XSS vulnerabilities
Package: mantis
Severity: grave
Tags: security
Justification: user security hole
Hi
Some vulnerabilities in mantis were reported:
[1]: http://www.mantisbt.org/bugs/view.php?id=15373 (CVE-2013-0197)
     http://marc.info/?l=oss-security&m=135853951928065&w=2
[2]: http://www.mantisbt.org/bugs/view.php?id=15384 (CVE requested)
     http://marc.info/?l=oss-security&m=135855157632710&w=2
[3]: http://www.mantisbt.org/bugs/view.php?id=15258 (CVE requested)
     http://marc.info/?l=oss-security&m=135855599401856&w=2
Please include the CVE identifiers. For [2] it is mentioned that it was only introduced in 1.2.12 and other versions should not be vulnerable, but have listed here too to check.
Patches for all should be in the bugtracker.
Regards,
Salvatore