Bug#699888: new nss packages fixing cve-2013-1620
On Fri, Mar 15, 2013 at 06:52:45PM +0100, Mike Hommey wrote:
> I was considering we should get 3.14.x in both testing and stable-security, actually, but it needs some work to make it on par with the versions in testing and stable, because in its current state it breaks some things people might expect not to be broken with a stable update (most notoriously, md5 signatures of certificates are rejected, and there are a few other things like that).

So, here is some more info:

- 3.13 disabled SSL 2.0 by default
- 3.13 added a defense against the Rizzo and Duong attack, which is known to break applications. It can be disabled easily.
- 3.14 removed support for md5 signatures of certificates.

These are the main compatibility issues we'd have with bumping NSS to 3.14 in stable (where it's 3.12) and testing (where it's 3.13). All of them can be fixed by turning some constants to PR_FALSE.

That would leave us with the possibility of pure bugs emerging. I think we should take that risk, especially considering the fixes we can't backport. That would also fix bug 697865 (that one is backportable, but that's painful and risky).

FWIW, AFAIK, RedHat is pushing 3.14 to all its long term support releases.

Mike

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#581999: rinputd: fails to install
On Fri, Mar 15, 2013 at 10:30:09PM +0100, Julien Cristau wrote:
> On Fri, Mar 15, 2013 at 18:56:21 +0100, Ralf Treinen wrote:
> > diff -ur rinputd-1.0.5.old/debian/config rinputd-1.0.5/debian/config --- rinputd-1.0.5.old/debian/config 2012-04-12 20:06:14.0 +0200 +++ rinputd-1.0.5/debian/config 2013-03-15 17:44:54.0 +0100 @@ -2,8 +2,6 @@ set -e -[ `echo $DEBIAN_FRONTEND | tr '[:upper:]' '[:lower:]'` = noninteractive ] exit 0 - . /usr/share/debconf/confmodule db_beginblock @@ -13,6 +11,10 @@ db_go +# initialisation of USER and PASS needed in the non-interactive case +USER=rinputd +PASS=`openssl rand -base64 8` + db_get rinputd/username USER=$RET db_get rinputd/passwd
> 
> I'm not sure you can rely on non-essential packages being installed during config. That includes openssl.

Good point.

> Also how does this work when you're just overriding those values a couple of lines later?

These values would be used in the case the debconf frontend is non-interactive.

Anyway, this is a leaf package with virtually zero popcon. I wonder why the release team hasn't kicked it out of wheezy long ago.

-Ralf.
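Review bot: dropping the `noninteractive` early `exit 0` in the first hunk (`@@ -2,8 +2,6 @@`) is not explained anywhere in the patch; after this change db_beginblock, db_go and the db_get calls all run without a frontend, so the reason the exit existed and why it is now safe to remove belongs in the changelog rather than only in the comment added by the second hunk.

Review bot: in the second hunk (`@@ -13,6 +11,10 @@`) the new defaults `USER=rinputd` and `PASS=\`openssl rand -base64 8\`` are overwritten unconditionally two lines later by `db_get rinputd/username` / `USER=$RET` (and the matching `db_get rinputd/passwd`), so in the non-interactive case they never take effect; either guard the assignment, e.g. `[ -n "$RET" ] && USER=$RET`, or put the defaults into the debconf database with db_set before the db_get. As Julien notes, openssl is not an essential package and may not be installed when the config script runs, so the `openssl rand` call also needs a fallback.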
Bug#699888: new nss packages fixing cve-2013-1620
On Sat., 2013-03-16 at 08:34 +0100, Mike Hommey wrote:
> So, here is some more info:
> - 3.13 disabled SSL 2.0 by default
> - 3.13 added a defense against the Rizzo and Duong attack, which is known to break applications. It can be disabled easily.
> - 3.14 removed support for md5 signatures of certificates.
> 
> These are the main compatibility issues we'd have with bumping NSS to 3.14 in stable (where it's 3.12) and testing (where it's 3.13). All of them can be fixed by turning some constants to PR_FALSE.
> 
> That would leave us with the possibility of pure bugs emerging. I think we should take that risk, especially considering the fixes we can't backport. That would also fix bug 697865 (that one is backportable, but that's painful and risky).
> 
> FWIW, AFAIK, RedHat is pushing 3.14 to all its long term support releases.

I know it's invasive but I'm not sure we won't have to do it anyway during Wheezy's support life. I mean, nobody should do SSL 2.0 at all anyway (OpenSSL already disables SSLv2 in 1.0.1, even though it doesn't matter for browsers), and md5 for certificates is known broken too.

It's definitely late for such a surprise for users, but will it be better if it's done during the life of a stable release?

Regards,
-- 
Yves-Alexis
Bug#703128: davical: errors when accessing some php files as non-admin user
severity 703128 important
thanks

On Saturday 16 March 2013 00:45:18, Christoph Anton Mitterer wrote:
> Marking this as important and security, as such ungraceful errors tend to be prone to attacks.

Rightly so. These issues indeed should be fixed to prevent any security issues proactively, and it would be great even, if possible, to fix them in wheezy. However, there are no concrete security holes known so this is a matter of hardening rather than a real vulnerability.

> 2) setup.php - user gets the whole setup page... including the ability to see the whole phpinfo() output... which contains all kind of private environment information that might be used by an attacker. Therefore the severity: grave.

I disagree about the severity of this. Yes, phpinfo() shouldn't be shown. However, nearly all of the 'private environment information' is fully predictable on a Debian system (paths, php versions, library versions, you name it, it's all trivially known already). Add to that that it's not available to the world but only to authorised users. This shouldn't happen, but does not justify 'grave'.

Nonetheless, I urge the maintainer to take this up with upstream and if a straightforward patch is available, apply it and request unblock.

Cheers,
Thijs
Processed: Re: Bug#703128: davical: errors when accessing some php files as non-admin user
Processing commands for cont...@bugs.debian.org:

severity 703128 important
Bug #703128 [src:davical] davical: errors when accessing some php files as non-admin user
Severity set to 'important' from 'grave'
thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
703128: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703128
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#699888: new nss packages fixing cve-2013-1620
On Saturday 16 March 2013 09:37:25, Yves-Alexis Perez wrote:
> On Sat., 2013-03-16 at 08:34 +0100, Mike Hommey wrote:
> > So, here is some more info:
> > - 3.13 disabled SSL 2.0 by default
> > - 3.13 added a defense against the Rizzo and Duong attack, which is known to break applications. It can be disabled easily.
> > - 3.14 removed support for md5 signatures of certificates.
> > 
> > These are the main compatibility issues we'd have with bumping NSS to 3.14 in stable (where it's 3.12) and testing (where it's 3.13). All of them can be fixed by turning some constants to PR_FALSE.
> > 
> > That would leave us with the possibility of pure bugs emerging. I think we should take that risk, especially considering the fixes we can't backport. That would also fix bug 697865 (that one is backportable, but that's painful and risky).
> > 
> > FWIW, AFAIK, RedHat is pushing 3.14 to all its long term support releases.
> 
> I know it's invasive but I'm not sure we won't have to do it anyway during Wheezy's support life. I mean, nobody should do SSL 2.0 at all anyway (OpenSSL already disables SSLv2 in 1.0.1, even though it doesn't matter for browsers), and md5 for certificates is known broken too.

Well, wheezy already has 3.13 so SSLv2 and Rizzo (BEAST) are already gone in wheezy, right? I'm all for adding the md5 part as well to wheezy. Indeed, we need to be proactive with this before it becomes a stable release. So let's go with 3.14 for wheezy.

> It's definitely late for such a surprise for users, but will it be better if it's done during the life of a stable release?

I think the main question is if we can push this out to users of squeeze. I'm not against that per se. If disabling SSLv2 hurts someone seriously, it's about time because they'd have a big problem otherwise. This is also the case for BEAST, but perhaps the risk of it breaking something legitimate is higher. We can consider to put it into a DSA in which the text details how to disable the options if they cause trouble.

An alternative is to put it into spu instead, where it may be slightly (probably just slightly) more acceptable to change behaviour than in a DSA. But it will also mean having to wait a few months at least. Do you know if RHEL is pushing it through the security channels or the stable updates channels?

Cheers,
Thijs
Processed: tagging 698294
Processing commands for cont...@bugs.debian.org:

tags 698294 + confirmed pending
Bug #698294 [puppet] puppet: Checksum mismatch when copying followed symlinks (upstream #7680)
Added tag(s) confirmed and pending.
thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
698294: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698294
Bug#702524: gawk: Depends should really be Pre-Depends
Hi,

| -Change Pre-Depends to Depends (OK now that base-files Pre-Depends: awk)

This is not correct and needs to be reverted, since it means that gawk might be unpacked before its dependencies during upgrades. If the awk alternative is set to gawk, other packages which are unpacked in the same run and use awk in their pre{inst,rm} scripts will fail. This is not unlikely to happen in squeeze -> wheezy upgrades, since gawk in wheezy gained a new dependency on libsigsegv2.

As Jeroen's sponsor I discussed this issue with him when that upload was prepared. The conclusion back then was as follows:

On Monday 21 May 2012 11:11:40, Jeroen Schot wrote:
> - All awks (mawk, original-awk, gawk) use pre-depends.
> - 'awk' is in the Essential closure (base-files pre-depends: awk).
> 
> After some research I do believe the pre-depends can go. The original reason can be found in this mail [1] on debian-policy in 1998: base-files had a depends: awk at the time. This was actually subtly wrong and was corrected in 2008 [2]. Since then the pre-depends has no longer been needed.
> 
> [1]: http://lists.debian.org/debian-policy/1998/02/msg00195.html
> [2]: http://lists.debian.org/debian-devel/2008/07/msg01028.html

So this is how we arrived at the conclusion that it would be possible to drop it. I've pinged Jeroen oob about this bug but didn't receive a response yet. Given the point in the release cycle, I think the safe approach for now is to revert the change and re-add the Pre-depends. We can always reopen the issue post-release if further discussion on the necessity of the pre-depends is desired. I'll upload a package with the change soon.

Cheers,
Thijs
Processed: user release.debian....@packages.debian.org, usertagging 697230, tagging 697230
Processing commands for cont...@bugs.debian.org:

# will hopefully be fixed pre release, but otherwise can go in through security
user release.debian@packages.debian.org
Setting user to release.debian@packages.debian.org (was jcris...@debian.org).
usertags 697230 wheezy-can-defer
There were no usertags set.
Usertags are now: wheezy-can-defer.
tags 697230 + wheezy-ignore
Bug #697230 [asterisk] asterisk: Two security issues: AST-2012-014 / AST-2012-015
Added tag(s) wheezy-ignore.
thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
697230: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697230
Processed: Re: Bug#702703: prelude-manager: sql error during install: at line 11: You have an error in your SQL syntax; [...] near 'TYPE=InnoDB' at line 4
Processing control commands:

severity -1 serious
Bug #702703 [prelude-manager] prelude-manager: sql error during install: at line 11: You have an error in your SQL syntax; [...] near 'TYPE=InnoDB' at line 4
Severity set to 'serious' from 'important'

-- 
702703: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702703
Processed: severity of xen-api bug 702428 is important
Processing commands for cont...@bugs.debian.org:

severity 702428 important
Bug #702428 [xcp-xapi] HVM fails to start with VIF / qemu-dm error
Severity set to 'important' from 'serious'
End of message, stopping processing here.

Please contact me if you need assistance.
-- 
702428: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702428
Bug#581999: rinputd: fails to install
On Sat, Mar 16, 2013 at 08:56:15AM +0100, Ralf Treinen wrote:
> On Fri, Mar 15, 2013 at 10:30:09PM +0100, Julien Cristau wrote:
> > On Fri, Mar 15, 2013 at 18:56:21 +0100, Ralf Treinen wrote:
> > > diff -ur rinputd-1.0.5.old/debian/config rinputd-1.0.5/debian/config --- rinputd-1.0.5.old/debian/config 2012-04-12 20:06:14.0 +0200 +++ rinputd-1.0.5/debian/config 2013-03-15 17:44:54.0 +0100 @@ -2,8 +2,6 @@ set -e -[ `echo $DEBIAN_FRONTEND | tr '[:upper:]' '[:lower:]'` = noninteractive ] exit 0 - . /usr/share/debconf/confmodule db_beginblock @@ -13,6 +11,10 @@ db_go +# initialisation of USER and PASS needed in the non-interactive case +USER=rinputd +PASS=`openssl rand -base64 8` + db_get rinputd/username USER=$RET db_get rinputd/passwd
> > 
> > I'm not sure you can rely on non-essential packages being installed during config. That includes openssl.
> 
> Good point.
> 
> > Also how does this work when you're just overriding those values a couple of lines later?
> 
> These values would be used in the case the debconf frontend is non-interactive.
> 
> Anyway, this is a leaf package with virtually zero popcon. I wonder why the release team hasn't kicked it out of wheezy long ago.

I agree. Upstream is at best dormant, the fix is clearly non-trivial and with a popcon of i4:v4 it's just wasting good people's time. I'll take it out later if there are no objections.

-- 
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from 8-10. i am well qualified to say it is made from bonghits layered on top of bonghits
Bug#661018: marked as done (FTBS due to new freexl)
Your message dated Sat, 16 Mar 2013 11:34:14 + with message-id 1363433654.2662.14.ca...@jacala.jungle.funky-badger.org and subject line Re: Bug#661018: FTBS due to new freexl has caused the Debian Bug report #661018, regarding FTBS due to new freexl to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
661018: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661018

---BeginMessage---
Package: spatialite-bin
Version: 3.0.0~beta20110817-3
Severity: serious
File: /usr/bin/spatialite

libtool: compile: gcc -DPACKAGE_NAME=\libspatialite\ -DPACKAGE_TARNAME=\libspatialite\ -DPACKAGE_VERSION=\3.0.0-beta\ -DPACKAGE_STRING=\libspatialite 3.0.0-beta\ -DPACKAGE_BUGREPORT=\a.furi...@lqt.it\ -DPACKAGE_URL=\\ -DPACKAGE=\libspatialite\ -DVERSION=\3.0.0-beta\ -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STDIO_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_MATH_H=1 -DHAVE_FLOAT_H=1 -DHAVE_FCNTL_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDDEF_H=1 -DHAVE_STDINT_H=1 -DHAVE_SYS_TIME_H=1 -DHAVE_UNISTD_H=1 -DHAVE_SQLITE3_H=1 -DHAVE_SQLITE3EXT_H=1 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\.libs/\ -DTIME_WITH_SYS_TIME=1 -DLSTAT_FOLLOWS_SLASHED_SYMLINK=1 -DLSTAT_FOLLOWS_SLASHED_SYMLINK=1 -DHAVE_STRFTIME=1 -DHAVE_MEMSET=1 -DHAVE_STRCASECMP=1 -DHAVE_STRERROR=1 -DHAVE_STRNCASECMP=1 -DHAVE_STRSTR=1 -DHAVE_FDATASYNC=1 -D HAVE_FTRUNCATE=1 -DHAVE_GETCWD=1 -DHAVE_GETTIMEOFDAY=1 -DHAVE_LOCALTIME_R=1 -DHAVE_MEMMOVE=1 -DHAVE_STRERROR=1 -DHAVE_LIBSQLITE3=1 -DHAVE_LIBSQLITE3=1 -DHAVE_PROJ_API_H=1 -DHAVE_GEOS_C_H=1 -DHAVE_ICONV_H=1 -DHAVE_FREEXL_H=1 -I. -g -O2 -I../../src/headers -D_LARGE_FILE=1 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE=1 -DNDEBUG=1 -g -O2 -c virtualXL.c -fPIC -DPIC -o .libs/virtualXL.o
virtualXL.c: In function 'vXL_create':
virtualXL.c:273:9: warning: passing argument 4 of 'freexl_get_cell_value' from incompatible pointer type [enabled by default]
/usr/include/freexl.h:573:16: note: expected 'struct FreeXL_CellValue *' but argument is of type 'unsigned char *'
virtualXL.c:273:9: error: too many arguments to function 'freexl_get_cell_value'
/usr/include/freexl.h:573:16: note: declared here
virtualXL.c: In function 'vXL_eval_constraints':
virtualXL.c:548:10: warning: passing argument 4 of 'freexl_get_cell_value' from incompatible pointer type [enabled by default]
/usr/include/freexl.h:573:16: note: expected 'struct FreeXL_CellValue *' but argument is of type 'unsigned char *'
virtualXL.c:548:10: error: too many arguments to function 'freexl_get_cell_value'
/usr/include/freexl.h:573:16: note: declared here
virtualXL.c: In function 'vXL_column':
virtualXL.c:818:11: warning: passing argument 4 of 'freexl_get_cell_value' from incompatible pointer type [enabled by default]
/usr/include/freexl.h:573:16: note: expected 'struct FreeXL_CellValue *' but argument is of type 'unsigned char *'
virtualXL.c:818:11: error: too many arguments to function 'freexl_get_cell_value'
/usr/include/freexl.h:573:16: note: declared here
make[4]: *** [virtualXL.lo] Error 1
make[4]: Leaving directory `/tmp/buildd/spatialite-3.0.0~beta20110817/libspatialite/src/spatialite'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/tmp/buildd/spatialite-3.0.0~beta20110817/libspatialite/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/tmp/buildd/spatialite-3.0.0~beta20110817/libspatialite'
dh_auto_build: make -j1 returned exit code 2
make[1]: *** [override_dh_auto_build] Error 2
make[1]: Leaving directory `/tmp/buildd/spatialite-3.0.0~beta20110817'
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2
E: Failed autobuilding of package

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages spatialite-bin depends on:
ii  libc6           2.13-26
ii  libexpat1       2.0.1-7.2
ii  libfreexl1      1.0.0b-1
ii  libgeos-c1      3.3.1-1
ii  libproj0        4.7.0-1
ii  libreadline6    6.2-8
ii  libspatialite3  3.0.0~beta20110817-3
ii  libsqlite3-0    3.7.10-1

spatialite-bin recommends no packages.

spatialite-bin suggests no packages.

-- no debconf information
---End Message---
---BeginMessage---
Bug#678979: request freeze exception for slony1-2
On Sun, 2012-10-07 at 14:30 +0200, Mehdi Dogguy wrote:
> On 21/09/2012 04:58, Peter Eisentraut wrote:
> > According to bug #678979 [0], which was submitted by the lead upstream developer, slony 2.0 does not work well with postgresql 9.1. Therefore, we had to resolve to making an upgrade to slony version 2.1, and I request that that be allowed into wheezy now.
> 
> [...]
> 
> Unfortunately, we are not able to accept such large changes at this stage of the freeze. [2] Since slony in Debian has little popcon, does it make sense to skip the Wheezy release? iow, remove slony from wheezy (since it doesn't work and we are not able to accept the new one). Alternatively, we could very well accept a targeted fix based on current Wheezy's version… (correct me if I'm wrong), the discussion in #678979 made me think that it was not possible to extract a minimal patch.

Ping?

Regards,
Adam
Bug#702453: marked as done (missing Replaces/Breaks: gir1.0-clutter-1.0)
Your message dated Sat, 16 Mar 2013 11:47:41 + with message-id e1ugpap-0003uh...@franck.debian.org and subject line Bug#702453: fixed in cogl 1.10.2-7 has caused the Debian Bug report #702453, regarding missing Replaces/Breaks: gir1.0-clutter-1.0 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
702453: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702453

---BeginMessage---
Package: gir1.2-cogl-1.0
Version: 1.10.2-6
Severity: serious

Did an upgrade from a default squeeze install to wheezy on Vmware Workstation 8. The apt-get dist-upgrade process failed during installation of gir1.2-cogl-1.0 because gir1.0-clutter-1.0 is still installed. The installation was in a non-working state after reboot and also lost the network connection. The upgrade process was followed as written in: http://www.debian.org/releases/wheezy/i386/release-notes/ch-upgrading.de.html

After dpkg -r --force-depends gir1.0-clutter-1.0 the upgrade was able to continue.

I suggest that the old gir1.0-clutter-1.0 should be removed by the new package before the new one is installed.

Sorry for the German language but that was the output:

Entpacken von gir1.2-freedesktop (aus .../gir1.2-freedesktop_1.32.1-1_i386.deb) ...
Vormals abgewähltes Paket libcogl9 wird gewählt.
Entpacken von libcogl9 (aus .../libcogl9_1.10.2-6_i386.deb) ...
Vormals abgewähltes Paket gir1.2-cogl-1.0 wird gewählt.
Entpacken von gir1.2-cogl-1.0 (aus .../gir1.2-cogl-1.0_1.10.2-6_i386.deb) ...
dpkg: Fehler beim Bearbeiten von /var/cache/apt/archives/gir1.2-cogl-1.0_1.10.2-6_i386.deb (--unpack):
 Versuch, »/usr/lib/girepository-1.0/Cogl-1.0.typelib« zu überschreiben, welches auch in Paket gir1.0-clutter-1.0 1.2.12-3 ist
---End Message---
---BeginMessage---
Source: cogl
Source-Version: 1.10.2-7

We believe that the bug you reported is fixed in the latest version of cogl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 702...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau jcris...@debian.org (supplier of updated cogl package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sat, 16 Mar 2013 12:07:50 +0100
Source: cogl
Binary: libcogl9 libcogl-common libcogl-dev libcogl9-dbg libcogl-doc gir1.2-cogl-1.0 libcogl-pango0 libcogl-pango-dev libcogl-pango0-dbg gir1.2-coglpango-1.0
Architecture: source all amd64
Version: 1.10.2-7
Distribution: unstable
Urgency: high
Maintainer: Rico Tzschichholz ric...@ubuntu.com
Changed-By: Julien Cristau jcris...@debian.org
Description:
 gir1.2-cogl-1.0 - GObject introspection data for the Cogl 1.0 library
 gir1.2-coglpango-1.0 - GObject introspection data for the CoglPango 1.0 library
 libcogl-common - Object oriented GL/GLES Abstraction/Utility Layer (common files)
 libcogl-dev - Object oriented GL/GLES Abstraction/Utility Layer (development fi
 libcogl-doc - Object oriented GL/GLES Abstraction/Utility Layer (documentation)
 libcogl-pango-dev - Object oriented GL/GLES Abstraction/Utility Layer (development fi
 libcogl-pango0 - Object oriented GL/GLES Abstraction/Utility Layer
 libcogl-pango0-dbg - Object oriented GL/GLES Abstraction/Utility Layer (debug files)
 libcogl9   - Object oriented GL/GLES Abstraction/Utility Layer
 libcogl9-dbg - Object oriented GL/GLES Abstraction/Utility Layer (debug files)
Closes: 702453
Changes:
 cogl (1.10.2-7) unstable; urgency=high
 .
   [ Josselin Mouette ]
   * Add missing epoch on libxcomposite-dev build-dependency.
 .
   [ Julien Cristau ]
   * Add replaces/conflicts on gir1.0-clutter-1.0 because of a file conflict
     (closes: #702453).
Bug#702524: gawk: Depends should really be Pre-Depends
Hi,

Here's the diff for the gawk I'm going to upload.

Cheers,
Thijs

diff -Nru gawk-4.0.1+dfsg/debian/changelog gawk-4.0.1+dfsg/debian/changelog --- gawk-4.0.1+dfsg/debian/changelog 2012-05-21 10:36:06.0 +0200 +++ gawk-4.0.1+dfsg/debian/changelog 2013-03-16 12:43:50.0 +0100 @@ -1,3 +1,10 @@ +gawk (1:4.0.1+dfsg-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Change Depends back to Pre-Depends (closes: #702524). + + -- Thijs Kinkhorst th...@debian.org Sat, 16 Mar 2013 12:31:51 +0100 + gawk (1:4.0.1+dfsg-2) unstable; urgency=low * debian/control: diff -Nru gawk-4.0.1+dfsg/debian/control gawk-4.0.1+dfsg/debian/control --- gawk-4.0.1+dfsg/debian/control 2012-05-21 10:29:16.0 +0200 +++ gawk-4.0.1+dfsg/debian/control 2013-03-16 12:33:24.0 +0100 @@ -16,7 +16,8 @@ Architecture: any Multi-Arch: foreign Provides: awk -Depends: ${misc:Depends}, ${shlibs:Depends} +Pre-Depends: ${shlibs:Depends} +Depends: ${misc:Depends} Suggests: gawk-doc Description: GNU awk, a pattern scanning and processing language `awk', a program that you can use to select particular records in a
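Review bot: the debian/changelog hunk records only "Change Depends back to Pre-Depends (closes: #702524)"; since the previous upload dropped the Pre-Depends deliberately ("OK now that base-files Pre-Depends: awk"), state the rationale in the entry itself, that other packages' pre{inst,rm} scripts may run awk in the same unpack run and that gawk now depends on libsigsegv2, so a later maintainer does not drop it again. The debian/control hunk, which moves only `${shlibs:Depends}` to Pre-Depends and leaves `${misc:Depends}` in Depends, matches what the bug asks for.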
Bug#702524: marked as done (gawk: Depends should really be Pre-Depends)
Your message dated Sat, 16 Mar 2013 12:02:37 + with message-id e1ugpor-0005pr...@franck.debian.org and subject line Bug#702524: fixed in gawk 1:4.0.1+dfsg-2.1 has caused the Debian Bug report #702524, regarding gawk: Depends should really be Pre-Depends to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
702524: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702524

---BeginMessage---
Package: gawk
Version: 1:4.0.1+dfsg-2
Severity: serious

The Debian changelog for this version mentions:

| -Change Pre-Depends to Depends (OK now that base-files Pre-Depends: awk)

This is not correct and needs to be reverted, since it means that gawk might be unpacked before its dependencies during upgrades. If the awk alternative is set to gawk, other packages which are unpacked in the same run and use awk in their pre{inst,rm} scripts will fail. This is not unlikely to happen in squeeze -> wheezy upgrades, since gawk in wheezy gained a new dependency on libsigsegv2.

Both mawk and original-awk use Pre-Depends for that reason.

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 3.8.2-nouveau (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gawk depends on:
ii  libc6         2.13-38
ii  libreadline6  6.2+dfsg-0.1
ii  libsigsegv2   2.9-4

gawk recommends no packages.

Versions of packages gawk suggests:
ii  gawk-doc  4.0.1+ds-1

-- no debconf information
---End Message---
---BeginMessage---
Source: gawk
Source-Version: 1:4.0.1+dfsg-2.1

We believe that the bug you reported is fixed in the latest version of gawk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 702...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst th...@debian.org (supplier of updated gawk package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Sat, 16 Mar 2013 12:31:51 +0100
Source: gawk
Binary: gawk
Architecture: source amd64
Version: 1:4.0.1+dfsg-2.1
Distribution: unstable
Urgency: medium
Maintainer: Arthur Loiret aloi...@debian.org
Changed-By: Thijs Kinkhorst th...@debian.org
Description:
 gawk       - GNU awk, a pattern scanning and processing language
Closes: 702524
Changes:
 gawk (1:4.0.1+dfsg-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Change Depends back to Pre-Depends (closes: #702524).
---End Message---
Bug#659899: CVE-2012-0790: XSS
Control: reopen -1

Hi,

squeeze is vulnerable, as seen on the Navigator Graph page by changing the displaymode in the URL. It gets echoed back by this:

return <div>ERROR: unknown displaymode $mode</div>

I'm not convinced the 'blacklist characters' approach was a great way to handle it, but at least in wheezy/sid it seems no longer possible to inject HTML that way.

Even in smokeping-2.6.9 though the start and end time fields are not filtered. For example, enter this in one of the text boxes as a start or end time:

now oops

and the generated HTML contains:

<IMG id=zoom BORDER=0 width=697 height=315 SRC=/smokeping/images/__navcache/136343653521739_now oops _1363423440.png>

Fortunately though, it doesn't seem possible to use an equals sign in these parameters, and so I don't see a way to perform XSS.

It is a little scary that these strings are also used to create/unlink files:

/var/cache/smokeping/images/__navcache# ls -alt | head
-rw-r--r-- 1 www-data root 32316 Mar 16 12:22 136343653521739_now oops _1363423440.png

And so for example, a start/end time of:

now/

triggers an error; the quotes in the error message are not properly 'quoted', but fortunately HTML tags are being stripped out somehow:

ERROR: Could not save png to '/var/cache/smokeping/images/__navcache/136343678121739_now/_1363423440.png'
/var/cache/smokeping/images/__navcache/136343678121739_now/_1363423440.png

Regards,
-- 
Steven Chamberlain ste...@pyro.eu.org
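A defensive counterpart to the three observations in the report above, added here as an example and not code from smokeping or from the bug report: an allowlist for the start/end time specs instead of a character blacklist, HTML escaping for the reflected error text, and a containment check on the navcache filename before it is used for create/unlink. The regular expression, the function names and the sample values are assumptions; only the cache directory path comes from the report.

```python
import html
import posixpath
import re

# Cache directory named in the bug report; all other values below are constructed.
CACHE_DIR = "/var/cache/smokeping/images/__navcache"

# Allowlist for rrdtool-style AT time specs such as "now", "now-1d", "-3h",
# "midnight" or "1363423440": letters, digits and the few operator characters
# the syntax needs. A space, slash, quote, '<' or '=' is refused up front,
# rather than blacklisted after the fact as the report questions.
TIME_SPEC = re.compile(r"[A-Za-z0-9:+\-]{1,64}")


def valid_time_spec(value: str) -> bool:
    """True only for allowlisted strings; 'now oops' and 'now/' are rejected."""
    return TIME_SPEC.fullmatch(value) is not None


def error_div(param: str, value: str) -> str:
    """Echo a rejected parameter the way the displaymode snippet in the report
    does, but HTML-escaped so the reflected value can never become markup."""
    return "<div>ERROR: unknown %s %s</div>" % (param, html.escape(value, quote=True))


def path_stays_in_cache(name: str) -> bool:
    """Containment check: after normalisation the file must still sit directly
    in CACHE_DIR. The report's 'now/' start time yields '..._now/_....png',
    which resolves into a subdirectory and therefore fails this check."""
    path = posixpath.normpath(posixpath.join(CACHE_DIR, name))
    return posixpath.dirname(path) == CACHE_DIR and posixpath.basename(path) == name


def cache_path(start: str, end: str, stamp: int) -> str:
    """Build the navcache filename from validated specs only, then apply the
    containment check as defence in depth before the path is created/unlinked."""
    if not (valid_time_spec(start) and valid_time_spec(end)):
        raise ValueError("time spec rejected: %r / %r" % (start, end))
    name = "%d_%s_%s.png" % (stamp, start, end)
    if not path_stays_in_cache(name):
        raise ValueError("path escapes cache directory: %r" % name)
    return posixpath.join(CACHE_DIR, name)


if __name__ == "__main__":
    for spec in ("now-1d", "1363423440", "now oops", "now/"):
        print("%-12r allowed=%s" % (spec, valid_time_spec(spec)))
    print(error_div("displaymode", "<b>x</b>"))
    print(cache_path("now-1d", "now", 1363423440))
```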
Processed: Re: Bug#659899: CVE-2012-0790: XSS
Processing control commands: reopen -1 Bug #659899 {Done: Antoine Beaupré anar...@debian.org} [smokeping] CVE-2012-0790: XSS 'reopen' may be inappropriate when a bug has been closed with a version; all fixed versions will be cleared, and you may need to re-add them. Bug reopened No longer marked as fixed in versions smokeping/2.6.7-1. -- 659899: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#701991: maven3: CVE-2013-0253
Processing control commands: reassign -1 src:wagon2 Bug #701991 [src:maven] maven3: CVE-2013-0253 Bug reassigned from package 'src:maven' to 'src:wagon2'. Ignoring request to alter found versions of bug #701991 to the same values previously set Ignoring request to alter fixed versions of bug #701991 to the same values previously set tags -1 + patch Bug #701991 [src:wagon2] maven3: CVE-2013-0253 Added tag(s) patch. -- 701991: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701991 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#701991: maven3: CVE-2013-0253
Processing control commands: reassign -1 src:wagon2 Bug #701991 [src:wagon2] maven3: CVE-2013-0253 Ignoring request to reassign bug #701991 to the same package tags -1 + patch Bug #701991 [src:wagon2] maven3: CVE-2013-0253 Ignoring request to alter tags of bug #701991 to the same tags previously set -- 701991: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701991 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#701991: maven3: CVE-2013-0253
Control: reassign -1 src:wagon2 Control: tags -1 + patch Hi, The email does not appear to have reached the BTS, so I am resending it (and quoting it in full). ~Niels On 2013-03-15 04:49, Arnaud Fontaine wrote: Control: reassign -1 src:wagon2 Control: tags -1 + patch Hello, This security issue is actually affecting libwagon2-java as, besides of build improvements, maven 3.0.5 only bumps wagon2 version from 2.2 to 2.4 (should maven be rebuilt when a fixed version has been uploaded?). Therefore, I'm reassigning this issue to wagon2 instead. According to [0], it is recommended to upgrade to Maven Wagon 2.4 however this is not really possible as the new version requires (at least, when testing by changing the required version, I got more dependency errors later on) libmaven-parent-java = 23 which is not available in the archive. Moreover, there are many unrelated changes so the only solution is probably to backport the patches. The issue on Maven Wagon BTS seems to be: https://jira.codehaus.org/browse/WAGON-385 And the patches (quite small indeed): https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=2f7bb33852cbb9ddb4e1abaa37f282b67bf72af5 https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=b5a0839e312345499c811b6eff8f9029118ca8d5 As I don't know anything about Maven (I'm just hunting RC bugs ;-)), could you please confirm that these patches fix this issue? I can later NMU if it helps. 
Also, there seem to have been several other bug fixes (including security-related ones), not sure if they are really critical, just pointing out what I have found so far while checking git history from Maven Wagon 2.2 to 2.4: https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=f1298163ebb9f72c618c69140f6b47c7ad6c32e5 https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=31a5772aeffa38ed50355ad488f741cf48c4960a https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=d95189d00ab1e7ac79bd5b9f7d20525c2776a6a2 https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=6b664d691c9a0fec8a09b77a0f57c1945691db8a https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=81c5ebb0efc4c9803a32fa81d390dc60da8905ac Cheers, __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Bug#702791: tagging 702791
On Mon, Mar 11, 2013 at 08:56:47 -0700, Clint Byrum wrote: This is fixed upstream by allowing the timeout to be raised... since it is an arch:all package, I don't expect this to be disruptive to buildds, only to users trying to build on extremely slow systems. The submitter said the failures were reproducible on various systems. That seems at odds with you saying this only affects extremely slow systems. Also the reason we ship source packages is for users, not primarily for buildds. Cheers, Julien
Bug#703171: bdii: fails to install: mv: cannot move '/tmp/tmp.SuSMJe59Wd' to '/etc/apparmor.d/local/usr.sbin.slapd': No such file or directory
Package: bdii Version: 5.2.17-2 Severity: serious User: debian...@lists.debian.org Usertags: piuparts Hi, during a test with piuparts I noticed your package failed to install. As per definition of the release team this makes the package too buggy for a release, thus the severity. From the attached log (scroll to the bottom...): Selecting previously unselected package bdii. (Reading database ... 9604 files and directories currently installed.) Unpacking bdii (from .../archives/bdii_5.2.17-2_all.deb) ... Setting up bdii (5.2.17-2) ... Creating config file /etc/bdii/bdii-slapd.conf with new version Creating config file /etc/bdii/bdii-top-slapd.conf with new version mv: cannot move '/tmp/tmp.SuSMJe59Wd' to '/etc/apparmor.d/local/usr.sbin.slapd': No such file or directory dpkg: error processing bdii (--configure): subprocess installed post-installation script returned error exit status 1 Errors were encountered while processing: bdii I haven't looked at the package, but that probably means /etc/apparmor.d/local/ is missing. In that case you should ship that as an empty directory in the package (and *not* mkdir/rmdir it in the maintainer scripts), so dpkg will take care of the creation/removal. cheers, Andreas bdii_5.2.17-2.log.gz Description: GNU Zip compressed data
Bug#659899: CVE-2012-0790: XSS
On 16/03/13 12:40, Steven Chamberlain wrote: and the generated HTML contains: IMG id=zoom BORDER=0 width=697 height=315 SRC=/smokeping/images/__navcache/136343653521739_now oops _1363423440.png Fortunately though, it doesn't seem possible to use an equals sign in these parameters, and so I don't see a way to perform XSS. I forgot to mention something obvious, that angle brackets are filtered out here, otherwise XSS would have been easy. Braces { } are also filtered. Regards, -- Steven Chamberlain ste...@pyro.eu.org
Processed: found 703141 in 1.4.0.6~dfsg1-3, found 699647 in 1.3.5~rc2-1
Processing commands for cont...@bugs.debian.org: found 703141 1.4.0.6~dfsg1-3 Bug #703141 [scratch] scratch: fails to install if gnome-session-common is installed but hicolor-icon-theme is not Marked as found in versions scratch/1.4.0.6~dfsg1-3. found 699647 1.3.5~rc2-1 Bug #699647 [proftpd-mod-geoip] proftpd-mod-geoip: /usr/lib/proftpd/mod_geoip.so missing after upgrade from sid Marked as found in versions proftpd-dfsg/1.3.5~rc2-1. thanks Stopping processing here. Please contact me if you need assistance. -- 699647: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699647 703141: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703141 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#659899: CVE-2012-0790: XSS
On Sat, 2013-03-16 at 12:40 +, Steven Chamberlain wrote: Control: reopen -1 [...] squeeze is vulnerable, as seen on the Navigator Graph page by changing the displaymode in the URL. It gets echoed back by this: Bug reopened No longer marked as fixed in versions smokeping/2.6.7-1. Is that really what you meant to do? If the intent was to indicate that squeeze needs fixing but other versions are okay, the appropriate tool is making sure the found versions are correct, not removing the fixed version and -done indication. Regards, Adam
Bug#659899: CVE-2012-0790: XSS
Control: fixed -1 2.6.7-1 Hi Steven On Sat, Mar 16, 2013 at 12:40:04PM +, Steven Chamberlain wrote: Control: reopen -1 Hmm, as Adam wrote, was this intentional? Because this way we lost the version tracking for already fixed version. BTS handles fixed versions already. Btw, it's a nice timing, since I just yesterday uploaded also the fix for smokeping to stable to security-master which is not to be reviewed. Thank you furthermore for your analysis of further issues! If possible, could you bring these further possible issues to upstream (Tobias Oetiker is already in CC list however). Attached is the debdiff which I uploaded yesterday. Thank you and regards, Salvatore diff -u smokeping-2.3.6/debian/changelog smokeping-2.3.6/debian/changelog --- smokeping-2.3.6/debian/changelog +++ smokeping-2.3.6/debian/changelog @@ -1,3 +1,14 @@ +smokeping (2.3.6-5+squeeze1) stable-security; urgency=high + + * Non-maintainer upload by the Security Team. + * CVE-2012-0790: Fix cross-site scripting vulnerability allowing a +remote attacker to inject arbitrary web script or html via the +displaymode parameter. Initial patch prepared by Antoine Beaupré. +Add an adjustment to the patterns to exclude more special +characters. (Closes: #659899) + + -- Salvatore Bonaccorso car...@debian.org Fri, 15 Mar 2013 22:46:57 +0100 + smokeping (2.3.6-5) unstable; urgency=medium * debian/patches/20_html-parser.dpatch: fix an incompatibility with diff -u smokeping-2.3.6/debian/patches/00list smokeping-2.3.6/debian/patches/00list --- smokeping-2.3.6/debian/patches/00list +++ smokeping-2.3.6/debian/patches/00list @@ -3,0 +4 @@ +30_cve-2012-0790.dpatch only in patch2: unchanged: --- smokeping-2.3.6.orig/debian/patches/30_cve-2012-0790.dpatch +++ smokeping-2.3.6/debian/patches/30_cve-2012-0790.dpatch 
@@ -0,0 +1,74 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## cve-2012-0790.dpatch by Vincent Danen, ported to 2.3 by Antoine Beaupré +## add additional fixes on the regexp from smokeping 2.6.9 +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: fix for CVE-2012-0790 + +@DPATCH@ +diff --git a/lib/Smokeping.pm b/lib/Smokeping.pm +index d29a547..b74c3fc 100644 +--- a/lib/Smokeping.pm b/lib/Smokeping.pm +@@ -134,8 +134,10 @@ sub cgiurl { + sub hierarchy ($){ + my $q = shift; + my $hierarchy = ''; ++my $h = $q-param('hierarchy'); + if ($q-param('hierarchy')){ +- $hierarchy = 'hierarchy='.$q-param('hierarchy').';'; ++ $h =~ s/[%';]/./g; ++ $hierarchy = 'hierarchy='.$h.';'; + }; + return $hierarchy; + } +@@ -176,6 +178,7 @@ sub update_dynaddr ($$){ + my $address = $ENV{REMOTE_ADDR}; + my $targetptr = $cfg-{Targets}; + foreach my $step (@target){ ++$step =~ s/[%';]/./g; + return Error: Unknown target $step + unless defined $targetptr-{$step}; + $targetptr = $targetptr-{$step}; +@@ -979,6 +982,7 @@ sub get_detail (;$){ + my $open = shift; + my $mode = shift || $q-param('displaymode') || 's'; + ++$mode =~ s/[%';]/./g; + my $phys_tree = $tree; + my $phys_open = $open; + if ($tree-{__tree_link}){ +@@ -1376,13 +1380,15 @@ sub get_detail (;$){ + } elsif ($mode eq 's') { # classic mode + $startstr =~ s/\s/%20/g; + $endstr =~ s/\s/%20/g; ++my $t = $q-param('target'); ++$t =~ s/[%';]/./g; + for my $slave (@slaves){ + my $s = $slave ? ~$slave : ; + $page .= div; + # $page .= (time-$timer_start).br/; + # $page .= join ,map {'$_'} @task; + $page .= br/; +-$page .= ( qq{a href=}.cgiurl($q,$cfg).?.hierarchy($q).qq{displaymode=n;start=$startstr;end=now;}.target=.$q-param('target').$s.'' ++$page .= ( qq{a href=}.cgiurl($q,$cfg).?.hierarchy($q).qq{displaymode=n;start=$startstr;end=now;}.target=.$t.$s.'' + . 
qq{IMG BORDER=0 SRC=${imghref}${s}_${end}_${start}.png}./a ); # + $page .= /div; + } +@@ -1525,8 +1531,15 @@ sub hierarchy_switcher($$){ + sub display_webpage($$){ + my $cfg = shift; + my $q = shift; +-my ($path,$slave) = split(/~/,$q-param('target') || ''); ++my $targ = ''; ++my $t = $q-param('target'); ++if ( $t and $t !~ /\.\./ and $t =~ /(\S+)/){ ++$targ = $1; ++$targ =~ s/[%';]/./g; ++} ++my ($path,$slave) = split(/~/,$targ); + my $hierarchy = $q-param('hierarchy'); ++$hierarchy =~ s/[%';]/./g; + die ERROR: unknown hierarchy $hierarchy\n + if $hierarchy and not $cfg-{Presentation}{hierarchies}{$hierarchy}; + my $open = [ (split /\./,$path||'') ];
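Review bot: in the `sub hierarchy` hunk, `$h =~ s/[%';]/./g;` rewrites only three characters to `.` and then concatenates the result into a query string (`'hierarchy='.$h.';'`); characters such as `<`, `>`, `"` and `=` pass through unchanged, so the hunk relies on them being stripped elsewhere, and the same blacklist is copied verbatim into `update_dynaddr` and `get_detail`. Because the value is a configured hierarchy name that is later looked up in `$cfg->{Presentation}{hierarchies}`, a whitelist test such as `return '' unless $h =~ /\A[\w.]+\z/;` (or URL-encoding with `CGI::escape`, since the value lands in a URL) would reject or encode unexpected input rather than partially rewriting it.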
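Review bot: in the `get_detail` hunk, `$mode =~ s/[%';]/./g;` sanitises the displaymode value at input, but the reporter's message shows that an unknown mode is still echoed back in the error `div` ("ERROR: unknown displaymode $mode"), so the fix is only as complete as the blacklist. Since displaymode takes a handful of fixed values, the more robust change is to reject anything outside that set before rendering, and to HTML-escape `$mode` where it is interpolated (for example with `HTML::Entities::encode_entities`) so the error path no longer depends on input filtering.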
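Review bot: in the `display_webpage` hunk, `my $hierarchy = $q->param('hierarchy'); $hierarchy =~ s/[%';]/./g;` runs the substitution before the existing `if $hierarchy and not ...` guard that previously tolerated a missing parameter, so every request without `hierarchy` now emits a "Use of uninitialized value" warning under `use warnings`; `my $hierarchy = $q->param('hierarchy') || '';` keeps the guard's behaviour (the classic-mode hunk in `get_detail` has the same pattern with `my $t = $q->param('target');`). The added `$t !~ /\.\./` check on `target` is the right instinct, since the value is split into a path-like structure, but `$t =~ /(\S+)/` then silently keeps only the first whitespace-free run instead of rejecting a value that contains whitespace; rejecting would make the handling consistent with the `..` check.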
Processed: Re: Bug#659899: CVE-2012-0790: XSS
Processing control commands: fixed -1 2.6.7-1 Bug #659899 [smokeping] CVE-2012-0790: XSS Marked as fixed in versions smokeping/2.6.7-1. -- 659899: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#703186: bastille: Cannot detect Perl version.
Package: bastille Version: 1:3.0.9-13 Severity: serious Tags: patch The script /usr/sbin/bastille is not able to compute PERL_VERSION correctly, leaving the variable empty on systems with mixed testing-unstable. The implemented command pipe chain is broken and amateurish! A functional patch is herewith contributed. Regards, Mats Erik Andersson, DM --- /usr/sbin/bastille.orig 2010-09-19 16:17:26.0 +0200 +++ /usr/sbin/bastille 2013-03-16 15:02:33.989657752 +0100 @@ -150,10 +150,8 @@ # We check that the version is at least the minimum PERL_VERSION=`${CURRENT_PERL_PATH}/perl -version | -head -2 |# the second line contains the version -tr\n | # split words into separate lines -sed -e s/^v// |# to get rid of the v in v5.6.0 -grep ^[1-9]\. |# find a word that starts with number dot + # Extract version string only, on the second line! +sed -n -e '2 s/.*(v\([1-9]\.[0-9]\{1,4\}\.[0-9]\{1,4\}\)).*/\1/p' | sed -e s/_/./` # substitute _patchlevel with .patchlevel # (used in 5.005_03 and prior)
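Review bot: the replacement `sed -n -e '2 s/.*(v\([1-9]\.[0-9]\{1,4\}\.[0-9]\{1,4\}\)).*/\1/p'` only produces output when the second line of `perl -version` carries the version in parentheses as `(vX.Y.Z)`; on a perl whose banner reads `This is perl, v5.10.1 (*) built for ...` there is no match, and PERL_VERSION ends up empty again, which is exactly the failure the report describes. Matching `v[0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}` anywhere on the line would cover both banner formats, and asking the interpreter directly (`${CURRENT_PERL_PATH}/perl -e 'printf "%vd", $^V'`) avoids parsing the human-readable banner at all; the trailing `sed -e s/_/./` for 5.005_03-style versions can stay either way.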
Bug#703187: Last upload forgets to include .egg-info directory
Package: python-gevent Version: 0.13.6-1+nmu2 Severity: serious Tags: patch The last NMU that fixed #661342 forgets to include the .egg-info directory, causing tools like pip that rely on the egg infrastructure to fail to see gevent. -- System Information: Debian Release: wheezy/sid APT prefers quantal-updates APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal'), (100, 'quantal-backports') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.5.0-25-generic (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -Nru python-gevent-0.13.6/debian/python-gevent.install python-gevent-0.13.6/debian/python-gevent.install --- python-gevent-0.13.6/debian/python-gevent.install 2013-03-03 14:22:23.0 +0100 +++ python-gevent-0.13.6/debian/python-gevent.install 2013-03-16 15:26:35.0 +0100 @@ -1,2 +1,3 @@ usr/lib/python2*/*-packages/gevent/*.py usr/lib/python2*/*-packages/gevent/*[!_][!d].so +usr/lib/python2*/*-packages/*.egg-info
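Review bot: the added install pattern `usr/lib/python2*/*-packages/*.egg-info` matches every egg-info in the packages directory rather than gevent's own; narrowing it to `usr/lib/python2*/*-packages/gevent*.egg-info` keeps the metadata of any other distribution that might end up in the build tree from being shipped in this package, and makes it obvious what the line is for.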
Bug#688634: roundcube-sqlite upgrade causes serious data-loss
❦ 3 March 2013 00:28 CET, Holger Levsen hol...@layer-acht.org : Here is my proposition: http://anonscm.debian.org/gitweb/?p=pkg-roundcube/roundcube.git;a=commitdiff;h=15f5a10444c9d4c8bf7b3e83a82dd6f9e2a4b384 seems right, yes, but it misses a pointer to instructions how to upgrade to a working installation. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688634#99 is just a start, but at least that. I wonder if a pointer there, or somewhere better, could be added. So, here is a wiki page with a complete procedure for update. http://wiki.debian.org/Roundcube/DeprecationOfSQLitev2 I am uploading a version of Roundcube with the appropriate NEWS entry pointing to this page. -- Make it right before you make it faster. - The Elements of Programming Style (Kernighan Plauger)
Processed: tags +pending
Processing commands for cont...@bugs.debian.org: tags 702703 +pending Bug #702703 [prelude-manager] prelude-manager: sql error during install: at line 11: You have an error in your SQL syntax; [...] near 'TYPE=InnoDB' at line 4 Added tag(s) pending. tags 660455 +pending Bug #660455 [prelude-manager] prelude-manager: fails to purge - command in postrm not found Added tag(s) pending. thanks Stopping processing here. Please contact me if you need assistance. -- 660455: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660455 702703: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702703 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#687401: Bug#680335: unblock: scim/1.4.14-2
On Thu, Sep 20, 2012 at 22:55:28 +0900, Rolf Leggewie wrote: On 20.09.2012 14:52, Hideki Yamane wrote: The reason is scim-anthy was unblocked (Bug#685036) and migrated to testing but scim (1.4.14-2) still stops in unstable. So, release managers, can you consider to unblock scim to fix RC as well? Yamane-San, thank you for your report. Hello from Tokyo, how are you? Your analysis is spot on, scim-anthy fails to build from scratch due to a newer scim version not having migrated yet from unstable to testing. I'll answer here hoping to save the release team a bit of time. Scim already has an unblock request open for a while (bug 680335 which also has some background information). The problem was externally induced by a concurrent upload of a build dependency just before the freeze, leading to an FTBFS for the version we uploaded just before the deadline. The fix for this was simple enough yet it went in after the freeze, meaning that the release team now needs to review not only this small fix but the changes we uploaded just before the freeze as well :-( For this they need more time, but I can assure you that they are aware of the situation. We're not going to unblock a new upstream release of scim, I'm afraid. If there are RC issues in wheezy then they'll need package removals or targeted fixes. Cheers, Julien
Bug#688634: roundcube-sqlite upgrade causes serious data-loss
Hi Vincent, On Saturday, 16 March 2013, Vincent Bernat wrote: So, here is a wiki page with a complete procedure for update. http://wiki.debian.org/Roundcube/DeprecationOfSQLitev2 I am uploading a version of Roundcube with the appropriate NEWS entry pointing to this page. awesome, thanks a lot! (On a quick look so far only) this page looks really good! cheers, Holger
Bug#659899: CVE-2012-0790: XSS
Hi, On 16/03/13 13:56, Adam D. Barratt wrote: On Sat, 2013-03-16 at 12:40 +, Steven Chamberlain wrote: No longer marked as fixed in versions smokeping/2.6.7-1. Is that really what you meant to do? I can't remember now, so it was probably a mistake, but now I can think of a reason to reopen it: Is the fix in 2.6.7-1 not considered sufficient, or does wheezy/sid need the revised fix from 2.6.9? In what places were the and = characters thought to still be a risk? (Other than in start/end dates as I've shown; but those are still not being filtered in upstream 2.6.9) Regards, -- Steven Chamberlain ste...@pyro.eu.org
Bug#659899: CVE-2012-0790: XSS
Control: found -1 2.6.7-1 Control: fixed -1 2.6.9-1~exp0 Control: fixed -1 2.3.6-5+squeeze1 Control: tags -1 pending Control: block -1 with 703193 On 2013-03-16, Salvatore Bonaccorso wrote: Control: fixed -1 2.6.7-1 Hi Steven On Sat, Mar 16, 2013 at 12:40:04PM +, Steven Chamberlain wrote: Control: reopen -1 Hmm, as Adam wrote, was this intentional? Because this way we lost the version tracking for already fixed version. BTS handles fixed versions already. From what I understand from the upstream changelog, 2.6.7 would still be affected, because the patch we had before was incomplete. So I think that reopen was actually accurate. I have done an upload of 2.6.9 to factor those changes in, which I hope to pass by the RM so that 2.6.9-1 gets into wheezy. 2.6.9 unfortunately has unrelated changes, so I have uploaded it to experimental, but those changes seem important enough, to me, to go into wheezy. Before going forward with the sid upload, I'll wait for RM's approval though. See #703193 for followup on that. Thanks for the security upload! A. -- Information is not knowledge Knowledge is not wisdom Wisdom is not truth - Frank Zappa
Processed: Re: Bug#659899: CVE-2012-0790: XSS
Processing control commands: found -1 2.6.7-1 Bug #659899 [smokeping] CVE-2012-0790: XSS Marked as found in versions smokeping/2.6.7-1; no longer marked as fixed in versions smokeping/2.6.7-1. fixed -1 2.6.9-1~exp0 Bug #659899 [smokeping] CVE-2012-0790: XSS There is no source info for the package 'smokeping' at version '2.6.9-1~exp0' with architecture '' Unable to make a source version for version '2.6.9-1~exp0' Marked as fixed in versions 2.6.9-1~exp0. fixed -1 2.3.6-5+squeeze1 Bug #659899 [smokeping] CVE-2012-0790: XSS There is no source info for the package 'smokeping' at version '2.3.6-5+squeeze1' with architecture '' Unable to make a source version for version '2.3.6-5+squeeze1' Marked as fixed in versions 2.3.6-5+squeeze1. tags -1 pending Bug #659899 [smokeping] CVE-2012-0790: XSS Added tag(s) pending. block -1 with 703193 Bug #659899 [smokeping] CVE-2012-0790: XSS 659899 was not blocked by any bugs. 659899 was not blocking any bugs. Added blocking bug(s) of 659899: 703193 -- 659899: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#659899: marked as done (CVE-2012-0790: XSS)
Your message dated Sat, 16 Mar 2013 16:48:54 + with message-id e1uguhu-0004en...@franck.debian.org and subject line Bug#659899: fixed in smokeping 2.6.9-1~exp0 has caused the Debian Bug report #659899, regarding CVE-2012-0790: XSS to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 659899: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: smokeping Severity: grave Tags: security This has been assigned CVE-2011-0790: http://holisticinfosec.org/content/view/188/45/ Patch: https://bugzilla.redhat.com/attachment.cgi?id=556619action=diffcontext=patchcollapsed=headers=1format=raw Cheers, Moritz ---End Message--- ---BeginMessage--- Source: smokeping Source-Version: 2.6.9-1~exp0 We believe that the bug you reported is fixed in the latest version of smokeping, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 659...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. 
Antoine Beaupré anar...@debian.org (supplier of updated smokeping package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Sat, 16 Mar 2013 11:34:03 -0400 Source: smokeping Binary: smokeping Architecture: source all Version: 2.6.9-1~exp0 Distribution: experimental Urgency: high Maintainer: Antoine Beaupré anar...@debian.org Changed-By: Antoine Beaupré anar...@debian.org Description: smokeping - latency logging and graphing system Closes: 659899 Changes: smokeping (2.6.9-1~exp0) experimental; urgency=high . * New upstream release to properly fix CVE-2012-0790 (Closes: #659899) * Acknowledge the NMU, thanks gregor! Checksums-Sha1: 877dfb9e0a47413b55f952774fc7d6d5bfd9680c 2085 smokeping_2.6.9-1~exp0.dsc 55f82ed4979eb3ee28d8fd2379c1c22629f800cc 417586 smokeping_2.6.9.orig.tar.gz 40a70971e72e9abe23c7dd6fedcc9dd45cdeed43 21804 smokeping_2.6.9-1~exp0.debian.tar.gz f3893ece65584765275b14181556bc33fa178bf6 427554 smokeping_2.6.9-1~exp0_all.deb Checksums-Sha256: bbccc4d7397f24a98c6b564b047ae6ebaf3fa0a8cf938811cd8c7aef8604aca4 2085 smokeping_2.6.9-1~exp0.dsc 7a88dcc8eed4d12c77c37d5d0a0bcfc76d24943c87e469a7d7136e084c26e1d5 417586 smokeping_2.6.9.orig.tar.gz 900bf69abeca6704aed72bd0d317e0b5e84bf71b0cb95915e8b42c07bff2e009 21804 smokeping_2.6.9-1~exp0.debian.tar.gz e362afc0c96c94d41d5b56fe92f1dde76158f398e3b696781551c5729d459ad4 427554 smokeping_2.6.9-1~exp0_all.deb Files: e2e54664b7935474a4fd94589de71375 2085 net extra smokeping_2.6.9-1~exp0.dsc 8553840ec5b00b41334f7578a527824f 417586 net extra smokeping_2.6.9.orig.tar.gz 35d570557f4cf5f8c343817bd9fb63c1 21804 net extra smokeping_2.6.9-1~exp0.debian.tar.gz 94056ccaaa7de3e81d8596b60d1d714b 427554 net extra smokeping_2.6.9-1~exp0_all.deb -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) 
iQIcBAEBCAAGBQJRRJ0WAAoJEHkhUlJ7dZIeOxsQAIet1K1+5r8mCGI1uBByOhB6 qMAcP/aNdxswsPwpsklekXuZqTH8KmRN+UslK9r434eTAKdfk8MLCAMSoe1oKgbn 1ynSVZt7qHY4Gm/bRLbKoTJLuiZXbHpDeWZgjIZCz5k2I4FUryBKlS1PUx7hYlf7 gN9rD4GPcguaUfO2AsCRwGgRBJ9K/6bpWM4f8twC1Lo+Xw+wqr1jZymhp+WyPjqR qLpKC+gBg8cTIsdbdGCl81sAR86BcOoeOl0O+4LvfNWDh7b1Mt/4lzbOv0PmyI6c 6EyggsOhtzIWmWYA7osc145EMPgxjCQocYeDtn1Qr9jXx1NDL/J/DAl36XtzrdGB PQaMBhH2PJXlyI/yNFI74YliAFJKNphVGDJ1n/mQORhR4h8wmmWa3fxCTsIfGKR1 v4/VOfeA7Z/um8VGshFNuIas3j6USD8S0ygbWsjEfABUe/Uc82wI/FaAWVcCsZui rczmj7iBPiFN35SDjDRiwdr/6yU6PuSUz4VyhKJkwQOub3Naxz9xKCUzDAK3sefT ffKt/fXVvxmCnTD7N5lCf/gfu+GlFh1gyGLNksz+edX+tcKgIKOcRmS3rYfrbTDL zYq2by1MHtXmYdwndGHSKZ6Sz7TLgiwwv/lA1BJXhTHj5+hK3rXA2iBnNiAxIK2z c7Jum2xmpRoo8GC9cJ3U =xfJe -END PGP SIGNATUREEnd Message---
Bug#688634: marked as done (roundcube-sqlite upgrade causes serious data-loss)
Your message dated Sat, 16 Mar 2013 16:48:48 + with message-id e1uguho-0004bj...@franck.debian.org and subject line Bug#688634: fixed in roundcube 0.7.2-7 has caused the Debian Bug report #688634, regarding roundcube-sqlite upgrade causes serious data-loss to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 688634: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688634 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- package: roundcube-sqlite version: 0.7.2-4 severity: critical Hi, roundcube-sqlite 0.7.2-4 is a transitional package depending on roundcube- mysql or -pysql, but without an actual upgrade path, leading to serious data loss, eg. user mail stati, user settings and also stuff like addressbook contents. There is a debian/roundcube-sqlite.NEWS stating this, but I dont think this is enough. At the very least this must be mentioned in the release notes... (upgrade instructions would be better, automatic upgrades the best.) #659041 Add SQLite 3.x support links to http://trac.roundcube.net/ticket/1488332, which claims sqlite3 support has been added to the 0.9 branch, but I don't think it's helpful for wheezy. cheers, Holger ---End Message--- ---BeginMessage--- Source: roundcube Source-Version: 0.7.2-7 We believe that the bug you reported is fixed in the latest version of roundcube, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. 
If you have further comments please address them to 688...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Vincent Bernat ber...@debian.org (supplier of updated roundcube package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Sat, 16 Mar 2013 17:26:20 +0100 Source: roundcube Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-plugins Architecture: source all Version: 0.7.2-7 Distribution: unstable Urgency: low Maintainer: Debian Roundcube Maintainers pkg-roundcube-maintain...@lists.alioth.debian.org Changed-By: Vincent Bernat ber...@debian.org Description: roundcube - skinnable AJAX based webmail solution for IMAP servers - metapack roundcube-core - skinnable AJAX based webmail solution for IMAP servers roundcube-mysql - metapackage providing MySQL dependencies for RoundCube roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins Closes: 688634 699604 Changes: roundcube (0.7.2-7) unstable; urgency=low . * Fix dependencies to postgresql and postgresql-client. Closes: #699604. * Drop roundcube-sqlite transition package since we don't provide an automatic upgrade path. The user will have to remove the package by herself. Move the related NEWS entry from roundcube-sqlite to roundcube-core and explain how to continue upgrade. Closes: #688634. 
Checksums-Sha1: 562f402ec8556765a0cecd581db6551a31c805bd 2219 roundcube_0.7.2-7.dsc dc9e7b32a245ecb0cec559d3fdea92e883feffaf 52933 roundcube_0.7.2-7.debian.tar.gz b6fd0e394003213d3852f1881ce4fb93bb57a327 1027490 roundcube-core_0.7.2-7_all.deb 11908dc0656f34c59733fd12aec3815d8417b854 27464 roundcube_0.7.2-7_all.deb cf2e4c99bc6c0bdcaf888322c15f55904560b7e7 27406 roundcube-mysql_0.7.2-7_all.deb 2fbe69843cba2d8f62223dc79f9b9cd131b580f0 27402 roundcube-pgsql_0.7.2-7_all.deb 6633016245789a97cfae8b91effaeb5bb31b07c2 322230 roundcube-plugins_0.7.2-7_all.deb Checksums-Sha256: ba16d9bb75df22421d10f62e29be4ff3b6739e97b0b6c4183b760e8ab5dd5ed6 2219 roundcube_0.7.2-7.dsc 5410946e922dde11b7a4d27726df6f3f034dc2265367e47370b181ccec16d297 52933 roundcube_0.7.2-7.debian.tar.gz 2795a72921248c1b24dbf2da7f342f249c616d6f7fce5e0f80f4418ec142c45b 1027490 roundcube-core_0.7.2-7_all.deb ab6cdab431370772ce35d4c1e8982f7e4017e67cfad131329c2e7937902266fa 27464 roundcube_0.7.2-7_all.deb 09768e246d636b96fcdbfa5be22491ffd7b7872c95955541f25820551b273226 27406 roundcube-mysql_0.7.2-7_all.deb 6d6a5fe3587bf7b167c057ddab8f66c69b46ba12c4ce3d1dba2f47f249b91a92 27402 roundcube-pgsql_0.7.2-7_all.deb 1f8ad199c88e1d3539403dc2bc3553b9fc7e6b96f236e86dbc3141531d553821 322230 roundcube-plugins_0.7.2-7_all.deb Files:
Bug#678979: request freeze exception for slony1-2
On Sat, 2013-03-16 at 11:38 +, Adam D. Barratt wrote:
> On Sun, 2012-10-07 at 14:30 +0200, Mehdi Dogguy wrote:
>> On 21/09/2012 04:58, Peter Eisentraut wrote:
>>> According to bug #678979 [0], which was submitted by the lead upstream developer, slony 2.0 does not work well with postgresql 9.1. Therefore, we had to resolve to making an upgrade to slony version 2.1, and I request that that be allowed into wheezy now.
>> [...]
>> Unfortunately, we are not able to accept such large changes at this stage of the freeze. [2] Since slony in Debian has little popcon, does it make sense to skip the Wheezy release? iow, remove slony from wheezy (since it doesn't work and we are not able to accept the new one). Alternatively, we could very well accept a targeted fix based on current Wheezy's version… (correct me if I'm wrong), the discussion in #678979 made me think that it was not possible to extract a minimal patch.
>
> Ping?

As far as I'm concerned, the matter is closed.

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Processed: your mail
Processing commands for cont...@bugs.debian.org:

fixed 702669 4.3.9+dfsg1-1+squeeze8
Bug #702669 {Done: Adam D. Barratt a...@adam-barratt.org.uk} [typo3-src] TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection in TYPO3 Core (CVE-2013-1842, CVE-2013-1843)
Bug #702574 {Done: Adam D. Barratt a...@adam-barratt.org.uk} [typo3-src] TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection in TYPO3 Core (CVE-2013-1842, CVE-2013-1843)
There is no source info for the package 'typo3-src' at version '4.3.9+dfsg1-1+squeeze8' with architecture ''
Unable to make a source version for version '4.3.9+dfsg1-1+squeeze8'
Marked as fixed in versions 4.3.9+dfsg1-1+squeeze8.
Marked as fixed in versions 4.3.9+dfsg1-1+squeeze8.
thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
702574: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702574
702669: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702669
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: fixed 659899 in 2.6.9-1~exp0
Processing commands for cont...@bugs.debian.org:

fixed 659899 2.6.9-1~exp0
Bug #659899 {Done: Antoine Beaupré anar...@debian.org} [smokeping] CVE-2012-0790: XSS
There is no source info for the package 'smokeping' at version '2.6.9-1~exp0' with architecture ''
Unable to make a source version for version '2.6.9-1~exp0'
Ignoring request to alter fixed versions of bug #659899 to the same values previously set
thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
659899: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#703187: Last upload forgets to include .egg-info directory
Control: tags -1 confirmed

On 2013-03-16 16:03:55, Jeroen Dekkers wrote:
> Package: python-gevent
> Version: 0.13.6-1+nmu2
> Severity: serious
> Tags: patch
>
> The last NMU that fixed #661342 forgets to include the .egg-info directory, causing tools like pip that rely on the egg infrastructure to fail to see gevent.

Indeed. I'll prepare a new NMU with your patch. Thanks!

regards
-- 
Sebastian Ramacher
Processed: Re: Bug#703187: Last upload forgets to include .egg-info directory
Processing control commands:

tags -1 confirmed
Bug #703187 [python-gevent] Last upload forgets to include .egg-info directory
Added tag(s) confirmed.

-- 
703187: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703187
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#702346: icu: CVE-2013-0900
Moritz Muehlenhoff j...@inutil.org wrote:
> Google fixed a security issue in icu, which is embedded in Chrome:
> http://googlechromereleases.blogspot.de/2013/02/stable-channel-update_21.html
>
> | [152442] Medium CVE-2013-0900: Race condition in ICU. Credit to Google Chrome Security Team (Inferno).
>
> I contacted the Google Chrome Security Team and they pointed me to the following upstream bug (which is private ATM, but maybe you have access?):
> http://bugs.icu-project.org/trac/ticket/9737

I don't.

> They also sent me links to the upstream fixes:
> http://bugs.icu-project.org/trac/changeset/32865
> http://bugs.icu-project.org/trac/changeset/32908

I can prepare a new upload with these fixes and call it CVE-2013-0900. There's a one-line fix for a Malayalam rendering problem (which causes a crash on certain codes and is therefore a potential DOS attack) which I will probably include in the same upload. Ordinarily I would not fix two issues in the same upload, particularly during a freeze, but the extreme simplicity of the second one makes me think this will be okay in this case.

-- 
Jay Berkenbilt q...@debian.org
Bug#702346: icu: CVE-2013-0900
Jay Berkenbilt q...@debian.org wrote:
>> They also sent me links to the upstream fixes:
>> http://bugs.icu-project.org/trac/changeset/32865
>> http://bugs.icu-project.org/trac/changeset/32908
>
> I can prepare a new upload with these fixes and call it CVE-2013-0900. There's a one-line fix for a Malayalam rendering problem (which causes a crash on certain codes and is therefore a potential DOS attack) which I will probably include in the same upload. Ordinarily I would not fix two issues in the same upload, particularly during a freeze, but the extreme simplicity of the second one makes me think this will be okay in this case.

Actually, these changes don't apply cleanly to ICU 4.8. There are namespace changes and other type changes so that even manually resolving the conflicts doesn't produce something that compiles. I don't have time to resolve this. I may have to fall back to my de-facto strategy of waiting for someone else who has more time than I do to take care of it. I think ICU 4.8 is still in active security support at Red Hat. I have often been the beneficiary of their good work on backporting security issues.

-- 
Jay Berkenbilt q...@debian.org
Bug#702633: marked as done (CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c)
Your message dated Sat, 16 Mar 2013 20:26:44 +0100 with message-id 20130316192644.ga13...@earth.ramacher.at and subject line Re: Bug#702633: CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c has caused the Debian Bug report #702633, regarding CVE-2012-1016: NULL pointer dereference (DoS) in plugins/preauth/pkinit/pkinit_srv.c to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
702633: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702633
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: src:krb5
Version: 1.10.1+dfsg-4
Severity: serious
Tags: security

Dear kerberos maintainers,

I noticed that your recent upload of 1.10.1+dfsg-4 fixed CVE-2013-1415, but it does not say anything about CVE-2012-1016. Those two vulnerabilities were fixed in the same upstream release 1.10.4. Could you have a look at whether this particular issue CVE-2012-1016 affects us and downgrade or close this bug as appropriate?

Helmut
---End Message---

---BeginMessage---
Version: 1.10.1+dfsg-4+nmu1

Hi Arnaud

On 2013-03-15 17:20:12, Arnaud Fontaine wrote:
> After checking the source code, this part of the code does not seem to have changed between 1.10.1 and 1.10.4, so AFAIU this bug affects at least the version available in testing and unstable.
>
> The current code is:
>
>     if ((rep9 != NULL &&
>          rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
>         (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
>
>         /* If mutually supported KDFs were found, use the alg agility KDF */
>         if (rep->u.dh_Info.kdfID) {
>
> Thus, rep could be NULL which has been addressed by the following upstream patch:
> https://github.com/krb5/krb5/commit/cd5ff932c9d1439c961b0cf9ccff979356686aff
>
> I also prepared a NMU[0] in case it helps (it builds fine with cowbuilder but I could not test it though) and attached the diff to this email.

The bug has already been fixed in 1.10.1+dfsg-4+nmu1 with the same patch. There doesn't seem to be an nmudiff in the bug log and the -done mail is also missing. Maybe they got lost during the BTS outage yesterday or are stuck in some queue and have yet to be delivered to the BTS. So let's close the bug.

I've also attached the debdiff between 1.10.1+dfsg-4 and 1.10.1+dfsg-1+nmu1.

Regards
-- 
Sebastian Ramacher

diff -Nru krb5-1.10.1+dfsg/debian/changelog krb5-1.10.1+dfsg/debian/changelog --- krb5-1.10.1+dfsg/debian/changelog 2013-02-20 02:54:44.0 +0100 +++ krb5-1.10.1+dfsg/debian/changelog 2013-03-15 05:17:03.0 +0100 @@ -1,3 +1,11 @@ +krb5 (1.10.1+dfsg-4+nmu1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix cve-2013-1016: null pointer derefence when handling a draft9 request +(closes: #702633). + + -- Michael Gilbert mgilb...@debian.org Fri, 15 Mar 2013 04:15:27 + + krb5 (1.10.1+dfsg-4) unstable; urgency=high * KDC null pointer dereference with PKINIT, CVE-2013-1415 diff -Nru krb5-1.10.1+dfsg/debian/patches/cve-2013-1016.patch krb5-1.10.1+dfsg/debian/patches/cve-2013-1016.patch --- krb5-1.10.1+dfsg/debian/patches/cve-2013-1016.patch 1970-01-01 01:00:00.0 +0100 +++ krb5-1.10.1+dfsg/debian/patches/cve-2013-1016.patch 2013-03-15 05:18:53.0 +0100 
@@ -0,0 +1,16 @@ +Description: fix cve-2013-1016. +Author: Michael Gilbert mgilb...@debian.org + +--- krb5-1.10.1+dfsg.orig/src/plugins/preauth/pkinit/pkinit_srv.c krb5-1.10.1+dfsg/src/plugins/preauth/pkinit/pkinit_srv.c +@@ -1017,8 +1017,8 @@ pkinit_server_return_padata(krb5_context + (rep != NULL rep-choice == choice_pa_pk_as_rep_dhInfo)) { + + /* If mutually supported KDFs were found, use the alg agility KDF */ +-if (rep-u.dh_Info.kdfID) { +-secret.data = server_key; ++if (rep != NULL rep-u.dh_Info.kdfID) { ++secret.data = (char *)server_key; + secret.length = server_key_len; + + retval = pkinit_alg_agility_kdf(context, secret, diff -Nru krb5-1.10.1+dfsg/debian/patches/series krb5-1.10.1+dfsg/debian/patches/series --- krb5-1.10.1+dfsg/debian/patches/series 2013-02-20 02:54:44.0 +0100 +++ krb5-1.10.1+dfsg/debian/patches/series 2013-03-15 05:18:29.0 +0100 @@ -19,3 +19,4 @@ upstream/0019-Null-pointer-deref-in-kadmind-CVE-2012-1013.patch 0020-gssapi-never-unload-mechanisms.patch 0021-PKINIT-null-pointer-deref-CVE-2013-1415.patch +cve-2013-1016.patch ---End Message---
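Review bot: the changelog entry and the patch file both label this fix "cve-2013-1016", but the bug title and the upstream commit Arnaud cites concern CVE-2012-1016; a wrong CVE id in debian/changelog breaks the security tracker's version matching, so rename `cve-2013-1016.patch` (and its line in `debian/patches/series`) and fix the changelog line, which also misspells "derefence". The patch header carries only `+Description: fix cve-2013-1016.`; adding DEP-3 `Origin:` (https://github.com/krb5/krb5/commit/cd5ff932c9d1439c961b0cf9ccff979356686aff) and `Bug-Debian:` (#702633) fields would document where it came from. As rendered here the `&&` and `->` operators are absent from `++if (rep != NULL rep-u.dh_Info.kdfID) {`, so confirm that the applied patch reads `rep != NULL && rep->u.dh_Info.kdfID` before upload.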
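As an added illustration (not krb5's own code; the struct layouts, enum values and the result type are simplified stand-ins), this C model reproduces the short-circuit mistake in the condition Arnaud quotes and the shape of the upstream check, returning a code instead of crashing so both paths can be exercised safely:

```c
/* Added example, not krb5's code: a reduced model of the control flow in
 * pkinit_server_return_padata() quoted above. The struct layouts, enum values
 * and the kdf_path result type are constructed stand-ins for illustration. */
#include <stddef.h>
#include <stdio.h>

enum rep_choice {
    choice_none = 0,
    choice_pa_pk_as_rep_draft9_dhSignedData = 1,   /* draft-9 PKINIT client */
    choice_pa_pk_as_rep_dhInfo = 2                 /* RFC 4556 PKINIT client */
};

/* Stand-in for the draft-9 reply structure (rep9 in the quoted code). */
typedef struct {
    enum rep_choice choice;
} pa_pk_as_rep_draft9;

/* Stand-in for the RFC 4556 reply structure (rep in the quoted code).
 * A non-NULL kdfID means client and KDC agreed on an "algorithm agility" KDF. */
typedef struct {
    enum rep_choice choice;
    union {
        struct { const char *kdfID; } dh_Info;
    } u;
} pa_pk_as_rep;

enum kdf_path {
    KDF_NULL_DEREF  = -1,  /* the original code would read through a NULL rep */
    KDF_NOT_DH      = 0,   /* neither reply is a DH reply; KDF selection skipped */
    KDF_LEGACY      = 1,   /* legacy KDF path */
    KDF_ALG_AGILITY = 2    /* pkinit_alg_agility_kdf() path */
};

/* The outer condition from the quoted code: true for a draft-9 DH reply OR an
 * RFC 4556 DH reply. It is satisfied with rep == NULL whenever only the
 * draft-9 half holds, which is what the original inner test overlooked. */
static int is_dh_reply(const pa_pk_as_rep_draft9 *rep9, const pa_pk_as_rep *rep)
{
    return (rep9 != NULL &&
            rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
           (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo);
}

/* Pre-fix logic. Instead of crashing, it reports where the original
 * `if (rep->u.dh_Info.kdfID)` would have dereferenced NULL. */
static enum kdf_path kdf_path_before_fix(const pa_pk_as_rep_draft9 *rep9,
                                         const pa_pk_as_rep *rep)
{
    if (!is_dh_reply(rep9, rep))
        return KDF_NOT_DH;
    if (rep == NULL)              /* draft-9 client: rep was never allocated */
        return KDF_NULL_DEREF;    /* KDC crash, the DoS tracked as CVE-2012-1016 */
    return rep->u.dh_Info.kdfID ? KDF_ALG_AGILITY : KDF_LEGACY;
}

/* Post-fix logic, mirroring the upstream change to
 * `if (rep != NULL && rep->u.dh_Info.kdfID)`: a draft-9 request now takes the
 * legacy KDF path instead of dereferencing NULL. */
static enum kdf_path kdf_path_after_fix(const pa_pk_as_rep_draft9 *rep9,
                                        const pa_pk_as_rep *rep)
{
    if (!is_dh_reply(rep9, rep))
        return KDF_NOT_DH;
    if (rep != NULL && rep->u.dh_Info.kdfID)
        return KDF_ALG_AGILITY;
    return KDF_LEGACY;
}

int main(void)
{
    /* Constructed input: a draft-9 DH reply with no RFC 4556 reply at all. */
    pa_pk_as_rep_draft9 d9 = { choice_pa_pk_as_rep_draft9_dhSignedData };
    printf("draft-9 request, before fix: %d (NULL dereference is %d)\n",
           kdf_path_before_fix(&d9, NULL), KDF_NULL_DEREF);
    printf("draft-9 request, after fix:  %d (legacy KDF is %d)\n",
           kdf_path_after_fix(&d9, NULL), KDF_LEGACY);
    return 0;
}
```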
Bug#674908: [sparc] iceweasel: JavaScript crash on some sites
control: severity -1 important
control: tag -1 unreproducible

Only Hartwig responded to my call to testing of fixed binary [1], and, unfortunately, it still crashes for him on the same site [2]. It does not for me, however I have a different CPU: UltraSPARC III as opposed to UltraSPARC II in Hartwig's SunBlade 100.

As I don't have access to a machine where the bug is reproducible, I will not be able to make any further progress on this bug. Since this is (possibly) only relevant to certain hardware, and since it's reproducible for only the original reporter, I am downgrading the severity.

Best wishes,
Mike
Processed: re: [sparc] iceweasel: JavaScript crash on some sites
Processing control commands:

severity -1 important
Bug #674908 [iceweasel] [sparc] iceweasel: JavaScript crash on some sites
Severity set to 'important' from 'grave'
tag -1 unreproducible
Bug #674908 [iceweasel] [sparc] iceweasel: JavaScript crash on some sites
Added tag(s) unreproducible.

-- 
674908: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674908
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#703200: libav: CVE-2013-0894 CVE-2013-2277 CVE-2013-2495 CVE-2013-2496
package: src:libav
severity: grave
version: 6:0.8.5-1

Hi,

the following vulnerabilities were published for libav. These are currently unfixed in 0.8.5-1.

CVE-2013-0894[0]:
| Buffer overflow in the vorbis_parse_setup_hdr_floors function in the Vorbis decoder in vorbisdec.c in libavcodec in FFmpeg through 1.1.3, as used in Google Chrome before 25.0.1364.97 on Windows and Linux and before 25.0.1364.99 on Mac OS X and other products, allows remote attackers to cause a denial of service (divide-by-zero error or out-of-bounds array access) or possibly have unspecified other impact via vectors involving a zero value for a bark map size.

CVE-2013-2277[1]:
| The ff_h264_decode_seq_parameter_set function in h264_ps.c in libavcodec in FFmpeg before 1.1.3 does not validate the relationship between luma depth and chroma depth, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted H.264 data.

CVE-2013-2495[2]:
| The iff_read_header function in iff.c in libavformat in FFmpeg through 1.1.3 does not properly handle data sizes for Interchange File Format (IFF) data during operations involving a CMAP chunk or a video codec, which allows remote attackers to cause a denial of service (integer overflow, out-of-bounds array access, and application crash) or possibly have unspecified other impact via a crafted header.

CVE-2013-2496[3]:
| The msrle_decode_8_16_24_32 function in msrledec.c in libavcodec in FFmpeg through 1.1.3 does not properly determine certain end pointers, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted Microsoft RLE data.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0894
    http://security-tracker.debian.org/tracker/CVE-2013-0894
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2277
    http://security-tracker.debian.org/tracker/CVE-2013-2277
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2495
    http://security-tracker.debian.org/tracker/CVE-2013-2495
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2496
    http://security-tracker.debian.org/tracker/CVE-2013-2496
Processed: Fwd:
Processing commands for cont...@bugs.debian.org:

close 672994
Bug #672994 [socat] CVE-2012-0219: buffer overflow
Marked Bug as done
tag 701897 -unreproducible
Bug #701897 [grep] CVE-2012-5667: buffer overflow with overly long input lines
Removed tag(s) unreproducible.
thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
672994: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672994
701897: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701897
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Fwd:
Processing commands for cont...@bugs.debian.org:

close 619857
Bug #619857 [erlang] erlang: Urgend warning to upgrade to R14B02
Marked Bug as done
thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
619857: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619857
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Fwd:
Processing commands for cont...@bugs.debian.org:

found 628843 1:4.1.4.2+svn3283-1
Bug #628843 [login] login: tty hijacking possible in su via TIOCSTI ioctl
Marked as found in versions shadow/1:4.1.4.2+svn3283-1.
notfound 628843 1:4.1.4.2+svn3283-2+squeeze1
Bug #628843 [login] login: tty hijacking possible in su via TIOCSTI ioctl
No longer marked as found in versions shadow/1:4.1.4.2+svn3283-2+squeeze1.
thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
628843: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: your mail
Processing commands for cont...@bugs.debian.org:

found 659899 2.3.6-5
Bug #659899 {Done: Antoine Beaupré anar...@debian.org} [smokeping] CVE-2012-0790: XSS
Marked as found in versions smokeping/2.3.6-5.
notfound 659899 2.6.7-1
Bug #659899 {Done: Antoine Beaupré anar...@debian.org} [smokeping] CVE-2012-0790: XSS
No longer marked as found in versions smokeping/2.6.7-1.
thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
659899: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#699888: new nss packages fixing cve-2013-1620
We can consider putting it into a DSA in which the text details how to disable the options if they cause trouble. An alternative is to put it into spu instead, where it may be slightly (probably just slightly) more acceptable to change behaviour than in a DSA. But it will also mean having to wait a few months at least.

Do you know if RHEL is pushing it through the security channels or the stable updates channels?

For what it's worth, ubuntu pushed 3.14 to all of its releases through their security update channel:
http://www.ubuntu.com/usn/usn-1763-1

It also looks like bumping nspr was also required:
http://www.ubuntu.com/usn/usn-1763-2

Do you want me to look at preparing those updates for squeeze?

In the meantime, this should really be fixed in unstable. Mike, do you want to do a maintainer upload, or is it ok if I go ahead with the nmu?

Thanks,
Mike
Bug#699888: new nss packages fixing cve-2013-1620
On Sat, Mar 16, 2013 at 04:53:00PM -0400, Michael Gilbert wrote:
> We can consider putting it into a DSA in which the text details how to disable the options if they cause trouble. An alternative is to put it into spu instead, where it may be slightly (probably just slightly) more acceptable to change behaviour than in a DSA. But it will also mean having to wait a few months at least.
>
> Do you know if RHEL is pushing it through the security channels or the stable updates channels?
>
> For what it's worth, ubuntu pushed 3.14 to all of its releases through their security update channel:
> http://www.ubuntu.com/usn/usn-1763-1
>
> It also looks like bumping nspr was also required:
> http://www.ubuntu.com/usn/usn-1763-2

IIRC, it's not required, but one of the releases between 4.9.2 and 4.9.5 fixed some issue that might be worth fixing at this point.

> Do you want me to look at preparing those updates for squeeze?

I'd rather know what we do wrt md5, ssl2 and beast.

> In the meantime, this should really be fixed in unstable. Mike, do you want to do a maintainer upload, or is it ok if I go ahead with the nmu?

Likewise, I'd rather know what we do wrt md5, and while at it, cacert (the cert of which uses a md5 signature at the moment, so it effectively doesn't work ; see bug 682470) before uploading, so as to avoid doing two uploads.

Mike
Bug#659899: CVE-2012-0790: XSS
Hi Antoine

Dropping Tobias Oetiker again from Cc, don't know if he is actually interested to follow this. But we might/should bring further issues with smokeping to him.

On Sat, Mar 16, 2013 at 12:42:39PM -0400, Antoine Beaupré wrote:
> Control: found -1 2.6.7-1
> Control: fixed -1 2.6.9-1~exp0
> Control: fixed -1 2.3.6-5+squeeze1
> Control: tags -1 pending
> Control: block -1 with 703193
>
> On 2013-03-16, Salvatore Bonaccorso wrote:
>> Control: fixed -1 2.6.7-1
>>
>> Hi Steven
>>
>> On Sat, Mar 16, 2013 at 12:40:04PM +, Steven Chamberlain wrote:
>>> Control: reopen -1
>>
>> Hmm, as Adam wrote, was this intentional? Because this way we lost the version tracking for already fixed version.
>
> BTS handles fixed versions already.
>
> From what I understand from the upstream changelog, 2.6.7 would still be affected, because the patch we had before was incomplete. So I think that reopen was actually accurate.

Indeed, Steven is right. 2.6.7-1 does not have the full character set as supplied later with the 2.6.9 release upstream, so this needs to be also updated and pushed for wheezy. So again, thanks Steven for bringing this up.

> I have done an upload of 2.6.9 to factor those changes in, which I hope to pass by the RM so that 2.6.9-1 gets into wheezy. 2.6.9 unfortunately has unrelated changes, so I have uploaded it to experimental, but those changes seem important enough, to me, to go into wheezy. Before going forward with the sid upload, I'll wait for RM's approval though. See #703193 for followup on that.

Hmm, this will quite sure not be approved. And Jonathan Wiltshire already commented there. A new upstream version at this stage of the freeze is not acceptable.

But how about the attached patch for unstable?

Thank you for your work, and regards,
Salvatore
Bug#659899: CVE-2012-0790: XSS
On Sat, Mar 16, 2013 at 10:47:54PM +0100, Salvatore Bonaccorso wrote:
> Hmm, this will quite sure not be approved. And Jonathan Wiltshire already commented there. A new upstream version at this stage of the freeze is not acceptable.
>
> But how about the attached patch for unstable?

... which I have forgotten to attach.

Regards,
Salvatore

--- a/lib/Smokeping.pm +++ b/lib/Smokeping.pm @@ -170,7 +170,7 @@ my $hierarchy = ''; my $h = $q-param('hierarchy'); if ($q-param('hierarchy')){ - $h =~ s/[%]/./g; + $h =~ s/[%';]/./g; $hierarchy = 'hierarchy='.$h.';'; }; return $hierarchy; @@ -212,7 +212,7 @@ my $address = $ENV{REMOTE_ADDR}; my $targetptr = $cfg-{Targets}; foreach my $step (@target){ -$step =~ s/[%]/./g; +$step =~ s/[%';]/./g; return Error: Unknown target $step unless defined $targetptr-{$step}; $targetptr = $targetptr-{$step}; @@ -1047,7 +1047,7 @@ my $tree = shift; my $open = shift; my $mode = shift || $q-param('displaymode') || 's'; -$mode =~ s/[%]/./g; +$mode =~ s/[%';]/./g; my $phys_tree = $tree; my $phys_open = $open; if ($tree-{__tree_link}){ @@ -1447,7 +1447,7 @@ $startstr =~ s/\s/%20/g; $endstr =~ s/\s/%20/g; my $t = $q-param('target'); -$t =~ s/[%]/./g; +$t =~ s/[%';]/./g; for my $slave (@slaves){ my $s = $slave ? ~$slave : ; $page .= div; @@ -1601,7 +1601,7 @@ my $t = $q-param('target'); if ( $t and $t !~ /\.\./ and $t =~ /(\S+)/){ $targ = $1; -$targ =~ s/[;%]/./g; +$targ =~ s/[%';]/./g; } my ($path,$slave) = split(/~/,$targ); if ($slave and $slave =~ /(\S+)/){ @@ -1610,7 +1610,7 @@ $slave = $1; } my $hierarchy = $q-param('hierarchy'); -$hierarchy =~ s/[;%]/./g; +$hierarchy =~ s/[%';]/./g; die ERROR: unknown hierarchy $hierarchy\n if $hierarchy and not $cfg-{Presentation}{hierarchies}{$hierarchy}; my $open = [ (split /\./,$path||'') ];
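Review bot: the same literal character class `[%';]` is hand-copied into six hunks, and the pre-patch lines show exactly how such copies drift (`[%]` in the first four, `[;%]` in the last two); define it once as a `qr//` near the top of the file and reuse it, so a later widening of the class happens in one place. Separately, substituting `.` for a filtered character is a poor choice for `$targ` and `$hierarchy` (hunks at -1601 and -1610), because `.` is the path separator that `split /\./,$path||''` relies on a few lines later, so a stripped character silently produces an extra path component; a replacement that is not a separator, such as `_`, avoids that.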
Bug#659899: CVE-2012-0790: XSS
Hi!

On 16/03/13 21:53, Salvatore Bonaccorso wrote:
> On Sat, Mar 16, 2013 at 10:47:54PM +0100, Salvatore Bonaccorso wrote:
>> [...]
>> But how about the attached patch for unstable?

Thank you for that. It does seem like the right way to handle it for wheezy.

Your patch seems correct to me. But defining $xssBadRx would be just one extra line of diff... so why not use it? Then it would be more consistent with upstream.

I've added Tobias back into Cc: as I would like to ask:

While here, I wonder if the user-supplied $start/$end could be filtered with this same regex, to address the things I noted earlier? I thought maybe it could go in parse_datetime which is before they are used in any file paths or output by anything. And I don't *think* any valid time specifier would contain the characters of $xssBadRx.

Thanks everyone,

Regards,
-- 
Steven Chamberlain ste...@pyro.eu.org
Bug#659899: CVE-2012-0790: XSS
Another difference is that upstream 2.6.9 used a replacement character of underscore rather than a dot. Attached is my suggested revision of Salvatore's patch (also adds filtering of time specifiers). I've tested this on an existing wheezy/sid SmokePing installation; it stops the injection of quotes into the img tag I demonstrated before. It also prevents those characters from being used in graph filenames in the cache directory. I've tried some valid time specifiers and they are still working. Regards, -- Steven Chamberlain ste...@pyro.eu.org Index: smokeping-2.6.8/lib/Smokeping.pm === --- smokeping-2.6.8.orig/lib/Smokeping.pm 2012-02-26 18:19:45.0 + +++ smokeping-2.6.8/lib/Smokeping.pm 2013-03-16 23:07:00.0 + @@ -28,6 +28,8 @@ # make sure we do not end up with , in odd places where one would expect a '.' # we set the environment variable so that our 'kids' get the benefit too +my $xssBadRx = qr/[%';]/; + $ENV{'LC_NUMERIC'}='C'; if (setlocale(LC_NUMERIC,) ne C) { if ($ENV{'LC_ALL'} eq 'C') { @@ -170,7 +172,7 @@ my $hierarchy = ''; my $h = $q-param('hierarchy'); if ($q-param('hierarchy')){ - $h =~ s/[%]/./g; + $h =~ s/$xssBadRx/_/g; $hierarchy = 'hierarchy='.$h.';'; }; return $hierarchy; @@ -212,7 +214,7 @@ my $address = $ENV{REMOTE_ADDR}; my $targetptr = $cfg-{Targets}; foreach my $step (@target){ -$step =~ s/[%]/./g; +$step =~ s/$xssBadRx/_/g; return Error: Unknown target $step unless defined $targetptr-{$step}; $targetptr = $targetptr-{$step}; @@ -1024,6 +1026,7 @@ sub parse_datetime($){ my $in = shift; for ($in){ +$in =~ s/$xssBadRx/_/g; /^(\d+)$/ do { my $value = $1; $value = time if $value 2**32; return $value}; /^\s*(\d{4})-(\d{1,2})-(\d{1,2})(?:\s+(\d{1,2}):(\d{2})(?::(\d{2}))?)?\s*$/ return POSIX::mktime($6||0,$5||0,$4||0,$3,$2-1,$1-1900,0,0,-1); 
@@ -1047,7 +1050,7 @@ my $tree = shift; my $open = shift; my $mode = shift || $q-param('displaymode') || 's'; -$mode =~ s/[%]/./g; +$mode =~ s/$xssBadRx/_/g; my $phys_tree = $tree; my $phys_open = $open; if ($tree-{__tree_link}){ @@ -1447,7 +1450,7 @@ $startstr =~ s/\s/%20/g; $endstr =~ s/\s/%20/g; my $t = $q-param('target'); -$t =~ s/[%]/./g; +$t =~ s/$xssBadRx/_/g; for my $slave (@slaves){ my $s = $slave ? ~$slave : ; $page .= div; @@ -1601,7 +1604,7 @@ my $t = $q-param('target'); if ( $t and $t !~ /\.\./ and $t =~ /(\S+)/){ $targ = $1; -$targ =~ s/[;%]/./g; +$targ =~ s/$xssBadRx/_/g; } my ($path,$slave) = split(/~/,$targ); if ($slave and $slave =~ /(\S+)/){ @@ -1610,7 +1613,7 @@ $slave = $1; } my $hierarchy = $q-param('hierarchy'); -$hierarchy =~ s/[;%]/./g; +$hierarchy =~ s/$xssBadRx/_/g; die ERROR: unknown hierarchy $hierarchy\n if $hierarchy and not $cfg-{Presentation}{hierarchies}{$hierarchy}; my $open = [ (split /\./,$path||'') ];
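Review bot: in the first hunk the new `+my $xssBadRx = qr/[%';]/;` is inserted between the comment explaining the LC_NUMERIC handling ("make sure we do not end up with , in odd places ...") and the `$ENV{'LC_NUMERIC'}='C';` line it describes, which strands that comment; move the declaration above the comment block, with a one-line comment of its own saying it is the sanitiser shared by the CGI parameter handling. In the parse_datetime hunk, `+$in =~ s/$xssBadRx/_/g;` sits inside `for ($in){`, whose body matches against `$_` (an alias of `$in`), so the substitution does take effect before the pattern tests; it would read more clearly placed on the line after `my $in = shift;`, outside the loop, where the intent (filter once, then parse) is visible.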
Bug#703207: apt-transport-spacewalk: removing the package breaks apt: sh: 1: /usr/lib/apt-spacewalk/post_invoke.py: not found
Package: apt-transport-spacewalk
Version: 1.0.6-2
Severity: serious

If you remove the package (but not purge), the APT hook will be failing every time any package is installed or removed:

# apt-get install -qq apt-transport-spacewalk
[...]
# dpkg -r apt-transport-spacewalk
(Reading database ... 12883 files and directories currently installed.)
Removing apt-transport-spacewalk ...
# apt-get install -qq zzuf
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package zzuf.
(Reading database ... 12874 files and directories currently installed.)
Unpacking zzuf (from .../zzuf_0.13.svn20100215-4_i386.deb) ...
Setting up zzuf (0.13.svn20100215-4) ...
sh: 1: /usr/lib/apt-spacewalk/post_invoke.py: not found
E: Problem executing scripts DPkg::Post-Invoke '/usr/lib/apt-spacewalk/post_invoke.py'
E: Sub-process returned an error code

-- 
Jakub Wilk
Bug#698294: marked as done (puppet: Checksum mismatch when copying followed symlinks (upstream #7680))
Your message dated Sat, 16 Mar 2013 23:38:25 + with message-id e1uh0gd-0008a7...@franck.debian.org and subject line Bug#698294: fixed in puppet 2.7.18-4 has caused the Debian Bug report #698294, regarding puppet: Checksum mismatch when copying followed symlinks (upstream #7680) to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 698294: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698294 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: puppet Version: 2.7.18-2 Severity: important Dear maintainers, I am building a number of Wheezy-based servers for my organisation and have run into what is for us a show-stopper Puppet bug. The bug does not appear in Squeeze. Consider the following 'file' resource: file { /tmp/example: source = puppet:///modules/example/example.$fqdn, links = follow, } If, on the puppetmaster, /etc/puppet/modules/example/files/example.fqdn were a symlink to another file, the file may not be created on the puppet client with an error indicating a mismatched checksum. 
The error might look like: err: /Stage[pre]/Example/File[/tmp/example]/ensure: change from absent to present failed: Could not rename temporary file /tmp/example.puppettmp_4293 to /tmp/example: File written to disk did not match checksum; discarding changes ( vs {md5}d41d8cd98f00b204e9800998ecf8427e) at /etc/puppet/modules/example/manifests/init.pp:12 at /etc/puppet/modules/example/manifests/init.pp:12 If the file is created already, for example by using touch to create an empty file, Puppet will not touch the file at all and will fail to update its contents - silently. When using 'puppet agent --test --verbose --debug' or 'puppetd -tvd', there is no mention of the file in the output of the command, but the resource is present in reports on our Puppet Dashboard and marked as unchanged. Applying the patch [1] in the upstream bug [2] to the client resolves the issue for us. As the upstream bug appears to be being ignored completely by the upstream maintainers, can you please carry the patch in the Debian package? 
[1] - http://projects.puppetlabs.com/issues/7680#note-6
[2] - http://projects.puppetlabs.com/issues/7680

Best regards,
Chris

-- System Information:
Debian Release: 7.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages puppet depends on:
ii  dpkg           1.16.9
ii  puppet-common  2.7.18-2
ii  ruby1.8        1.8.7.358-6

Versions of packages puppet recommends:
ii  ruby [rdoc]  4.9

Versions of packages puppet suggests:
pn  etckeeper   none
pn  puppet-el   none
pn  vim-puppet  none

-- Configuration Files:
/etc/default/puppet changed [not included]

-- no debconf information
---End Message---
---BeginMessage---
Source: puppet
Source-Version: 2.7.18-4

We believe that the bug you reported is fixed in the latest version of puppet, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 698...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stig Sandbeck Mathisen s...@debian.org (supplier of updated puppet package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 15 Mar 2013 20:32:40 +0100
Source: puppet
Binary: puppet-common puppet puppetmaster-common puppetmaster puppetmaster-passenger vim-puppet puppet-el puppet-testsuite
Architecture: source all
Version: 2.7.18-4
Distribution: unstable
Urgency: low
Maintainer: Puppet Package Maintainers pkg-puppet-de...@lists.alioth.debian.org
Changed-By: Stig Sandbeck Mathisen s...@debian.org
Description:
 puppet     - Centralized configuration management - agent startup and compatib
 puppet-common - Centralized configuration management
 puppet-el  - syntax highlighting for puppet manifests in emacs
 puppet-testsuite - Centralized configuration management - test suite
 puppetmaster - Centralized configuration management - master startup and compati
 puppetmaster-common - Puppet master common scripts
 puppetmaster-passenger -
Bug#702499: Confirmed
hi,

just in case somebody wants to debug this, here is a full backtrace from python2.7-dbg:

bzed@harris ~% gdb --args python2.7-dbg -c 'import zbar'
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type show copying and show warranty for details.
This GDB was configured as arm-linux-gnueabihf.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/bin/python2.7-dbg...done.
(gdb) run
Starting program: /usr/bin/python2.7-dbg -c import\ zbar
[Thread debugging using libthread_db enabled]
Using host libthread_db library /lib/arm-linux-gnueabihf/libthread_db.so.1.

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../ports/sysdeps/arm/strlen.S:29
29 ../ports/sysdeps/arm/strlen.S: No such file or directory.
(gdb) thread apply all
Please specify a command following the thread ID list
(gdb) thread apply all bt full

Thread 1 (Thread 0xb6ff9000 (LWP 4115)):
#0 strlen () at ../ports/sysdeps/arm/strlen.S:29
No locals.
#1 0x000875cc in PyString_FromString (str=0x3 Address 0x3 out of bounds) at ../Objects/stringobject.c:121
        size = 3067538440
        op = 0xb6fdf308
        __PRETTY_FUNCTION__ = PyString_FromString
#2 0x00074e28 in PyDict_GetItemString (v={'__new__': built-in method __new__ of type object at remote 0xb6fe0200, 'scan': method_descriptor at remote 0xb6ca2b78, 'results': getset_descriptor at remote 0xb6ca2bb8, 'set_config': method_descriptor at remote 0xb6ca2a38, '\xb5\x89\xb0\x02\xaf\xf8`\xb9`z`L|DO\xf0': getset_descriptor at remote 0xb6ca2bf8, 'enable_cache': method_descriptor at remote 0xb6ca2ab8, 'parse_config': method_descriptor at remote 0xb6ca2a78, 'recycle': method_descriptor at remote 0xb6ca2b38}, key=0x3 Address 0x3 out of bounds) at ../Objects/dictobject.c:2421
        kv = '\xb5\x89\xb0\x02\xaf\xf8`\xb9`z`L|DO\xf0'
        rv = 0x0
#3 0x0009f3e4 in add_getset (type=0xb6fe0200, gsp=0xb6fe01c8) at ../Objects/typeobject.c:3626
        descr = getset_descriptor at remote 0xb6ca2bf8
        dict = {'__new__': built-in method __new__ of type object at remote 0xb6fe0200, 'scan': method_descriptor at remote 0xb6ca2b78, 'results': getset_descriptor at remote 0xb6ca2bb8, 'set_config': method_descriptor at remote 0xb6ca2a38, '\xb5\x89\xb0\x02\xaf\xf8`\xb9`z`L|DO\xf0': getset_descriptor at remote 0xb6ca2bf8, 'enable_cache': method_descriptor at remote 0xb6ca2ab8, 'parse_config': method_descriptor at remote 0xb6ca2a78, 'recycle': method_descriptor at remote 0xb6ca2b38}
#4 0x000a0bbe in PyType_Ready (type=0xb6fe0200) at ../Objects/typeobject.c:4037
        dict = {'__new__': built-in method __new__ of type object at remote 0xb6fe0200, 'scan': method_descriptor at remote 0xb6ca2b78, 'results': getset_descriptor at remote 0xb6ca2bb8, 'set_config': method_descriptor at remote 0xb6ca2a38, '\xb5\x89\xb0\x02\xaf\xf8`\xb9`z`L|DO\xf0': getset_descriptor at remote 0xb6ca2bf8, 'enable_cache': method_descriptor at remote 0xb6ca2ab8, 'parse_config': method_descriptor at remote 0xb6ca2a78, 'recycle': method_descriptor at remote 0xb6ca2b38}
        bases = (type at remote 0x1ec918,)
        base = 0x1ec918
        i = 1
        n = 1
        __PRETTY_FUNCTION__ = PyType_Ready
#5 0xb6fd1f7a in initzbar () at /build/buildd-zbar_0.10+doc-7+b1-armhf-GrwGYn/zbar-0.10+doc/python/zbarmodule.c:126
        ei = 46
        mod = 0x0
        dict = unknown at remote 0xbefff090
        tp_dict = unknown at remote 0x1078bf
#6 0x0011438c in _PyImport_LoadDynamicModule (name=0x330130 zbar, pathname=0x35a6d8 /usr/lib/python2.7/dist-packages/zbar_d.so, fp=0x3672f0) at ../Python/importdl.c:53
        m = 0x0
        lastdot = 0x0
        shortname = 0x330130 zbar
        packagecontext = 0x0
        oldcontext = 0x0
        p = 0xb6fd1e69 initzbar
#7 0x0026 in load_module (name=0x330130 zbar, fp=0x3672f0, pathname=0x35a6d8 /usr/lib/python2.7/dist-packages/zbar_d.so, type=3, loader=0x0) at ../Python/import.c:1866
        modules = ('zbar', {'__builtins__': module at remote 0xb6df1508, '__name__': '__main__', '__doc__': None, '__package__': None}, {...}, None)
        m = unknown at remote 0xf8e31b00
        err = -1
#8 0x00112b2c in import_submodule (mod=None, subname=0x330130 zbar, fullname=0x330130 zbar) at ../Python/import.c:2645
        buf = 0x35a6d8 /usr/lib/python2.7/dist-packages/zbar_d.so
        fp = 0x3672f0
        path = 0x0
        loader = 0x0
        fdp = 0xb6dff0f8
        modules = {'copy_reg': module at remote 0xb6d628c0, 'sre_compile': module at remote 0xb6d77850, '_sre': module at remote 0xb6d77a48, 'encodings': module at remote 0xb6d92ab8, 'site': module at remote 0xb6d97188, '__builtin__': module at remote 0xb6df1508, 'sysconfig': module at
Bug#659899: CVE-2012-0790: XSS
On 2013-03-16, Steven Chamberlain wrote:
> Another difference is that upstream 2.6.9 used a replacement character of underscore rather than a dot.
>
> Attached is my suggested revision of Salvatore's patch (also adds filtering of time specifiers). I've tested this on an existing wheezy/sid SmokePing installation; it stops the injection of quotes into the img tag I demonstrated before. It also prevents those characters from being used in graph filenames in the cache directory. I've tried some valid time specifiers and they are still working.

Alright, I pushed this patch as 2.6.8-2, thanks! I have also requested a freeze exception for that upload. Hopefully that will be enough for now. :)

A.

--
Premature optimization is the root of all evil - Donald Knuth
Bug#659899: marked as done (CVE-2012-0790: XSS)
Your message dated Sun, 17 Mar 2013 00:49:06 + with message-id e1uh1mc-0004k2...@franck.debian.org and subject line Bug#659899: fixed in smokeping 2.6.8-2 has caused the Debian Bug report #659899, regarding CVE-2012-0790: XSS to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
659899: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: smokeping
Severity: grave
Tags: security

This has been assigned CVE-2011-0790:
http://holisticinfosec.org/content/view/188/45/

Patch:
https://bugzilla.redhat.com/attachment.cgi?id=556619&action=diff&context=patch&collapsed=&headers=1&format=raw

Cheers,
Moritz
---End Message---
---BeginMessage---
Source: smokeping
Source-Version: 2.6.8-2

We believe that the bug you reported is fixed in the latest version of smokeping, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 659...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré anar...@debian.org (supplier of updated smokeping package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 16 Mar 2013 20:19:34 -0400
Source: smokeping
Binary: smokeping
Architecture: source all
Version: 2.6.8-2
Distribution: unstable
Urgency: high
Maintainer: Antoine Beaupré anar...@debian.org
Changed-By: Antoine Beaupré anar...@debian.org
Description:
 smokeping  - latency logging and graphing system
Closes: 659899
Changes:
 smokeping (2.6.8-2) unstable; urgency=high
 .
   * Acknowledge gregor's NMU, thanks!
   * Urgency high to fix CVE-2012-0790 again (Closes: #659899)
Checksums-Sha1:
 2001f27b361fa00717c3496f08fa8ba443110574 2065 smokeping_2.6.8-2.dsc
 ac75a445c24936fa9c35b20ba36e5d4acb225f42 22964 smokeping_2.6.8-2.debian.tar.gz
 776d638d1ea1df901f2de044b0e15b9dccf5b7c5 422294 smokeping_2.6.8-2_all.deb
Checksums-Sha256:
 883c11e013cfa1be9f1a7d87d9312a41051c0ec5fec6041170402de433048b10 2065 smokeping_2.6.8-2.dsc
 8a4174706da018e74ca38294b2cf26ae4aaf5fa623580085257589a443faf7f3 22964 smokeping_2.6.8-2.debian.tar.gz
 eb2a52c83ac0ac5815fa9dce3f3f8f7ed7f2c4e8343136a5b388a71ffc4a57f6 422294 smokeping_2.6.8-2_all.deb
Files:
 a53ee67d8b0d5ec9bde4aa4b9c1291ac 2065 net extra smokeping_2.6.8-2.dsc
 ee13cf4069858e725f3cd40baa0b3c82 22964 net extra smokeping_2.6.8-2.debian.tar.gz
 701ef1e7668442d0e797b85c94910d67 422294 net extra smokeping_2.6.8-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJRRQ7aAAoJEHkhUlJ7dZIeahAP/ioE+xU946mC9WRYWMLXTaaY
sidLksQ7lE96O0AK38jqduuCFLVUlNsyFaQREB+XTNRy2RmvijUvU0GxF3QDfCou
GFVp69+6ra9Z8Qr7YZrEt7CWUNjwF1ogjXk8v9ssizMtDQvRnH4nB2mBKkNOD8Ls
05bOQ1fSxDefqFEY6TBjilKPp73og2jHaL20Y8nX05UW2+773EMk/UZt+luZIWed
x8yyjjJlKTl/pHnBI5rx7SCweGL+QzZfx1slQ9CBdbYpMvoLtR2Nc5BVjRSuLchY
0KpyzNsIeebLdAfhI18c6hkJyWrrGHQA64oj8dC5qQfaGP6Rct2d8xezvXsdiYsg
9xipK3jSul/Kf3R7jbd+6U7KZmeajHqjokiAA6h5HqQ16UAN7sB2NNxmwG4EOHwG
LMiyaPMcuZq84zHtaYX0kb3dDn66lmtaGUpr7ubmp6UVNSV5GX1q48Qupv9ysTgK
31N51Ikny/XDBQasi4So4oBr/a8C6MawbMsRDYLMVs8tcFG28Iwp5FEA5yUL9A2c
8pr1CxsdCbAxCGJnaiefmSBwDXEBWfFoPBE+z5ASymrAZIyF6OV0A8ktFTYfIhQ2
csiJENuyLxvnKic25oyX9hTAueANUBnPY/Cm4Qryb0GOyR7WObPCSIFKN0eq+n0G
xUOJ19nOSb0nspbrQSNs
=Yqoe
-----END PGP SIGNATURE-----
---End Message---
Bug#698910: marked as done (zoneminder: CVE-2013-0232: arbitrary command execution vulnerability)
Your message dated Sun, 17 Mar 2013 00:47:39 + with message-id e1uh1ld-0003s9...@franck.debian.org and subject line Bug#698910: fixed in zoneminder 1.24.2-8+squeeze1 has caused the Debian Bug report #698910, regarding zoneminder: CVE-2013-0232: arbitrary command execution vulnerability to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
698910: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698910
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Source: zoneminder
Severity: grave
Tags: security
Justification: user security hole

Hi

The following arbitrary command execution vulnerability was disclosed for zoneminder:
http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/

Regards,
Salvatore
---End Message---
---BeginMessage---
Source: zoneminder
Source-Version: 1.24.2-8+squeeze1

We believe that the bug you reported is fixed in the latest version of zoneminder, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 698...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian vagr...@debian.org (supplier of updated zoneminder package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 Mar 2013 11:29:20 -0800
Source: zoneminder
Binary: zoneminder
Architecture: source i386
Version: 1.24.2-8+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Peter Howard p...@northern-ridge.com.au
Changed-By: Vagrant Cascadian vagr...@debian.org
Description:
 zoneminder - Linux video camera security and surveillance solution
Closes: 698910 700912
Changes:
 zoneminder (1.24.2-8+squeeze1) stable-security; urgency=high
 .
   * Add CVE-2013-0232 patch [SECURITY] CVE-2013-0232: Shell escape commands with untrusted content. Thanks to James McCoy james...@debian.org (Closes: #698910) Thanks also to Salvatore Bonaccorso car...@debian.org
   * Add CVE-2013-0332 patch [SECURITY] CVE-2013-0332: local file inclusion (Closes: #700912). Thanks to Salvatore Bonaccorso car...@debian.org for the patch.
Checksums-Sha1:
 ae8f0f4b6efe78716884bc1e7c90d7540e953160 2163 zoneminder_1.24.2-8+squeeze1.dsc
 ea854c941b83374a352d7d794a4462e279fea487 965521 zoneminder_1.24.2.orig.tar.gz
 e48447bcbc7dff2fc0298df6bc945c228a2a3f02 16354 zoneminder_1.24.2-8+squeeze1.debian.tar.gz
 52df39684bdf4a824093307f08e4feb0f6089634 1452144 zoneminder_1.24.2-8+squeeze1_i386.deb
Checksums-Sha256:
 fcf53e1f74a319e01b5ebc27bac5fbd6206361a1009bb71b838408375bd6a30a 2163 zoneminder_1.24.2-8+squeeze1.dsc
 fd8475138ccee8870534f1210a3d1e3e1990e963dd73146a6d310dc71c463dca 965521 zoneminder_1.24.2.orig.tar.gz
 49dc4eca5d00d895a66d69429624dbf1c6bcd292a24869ea198a1ac49a07113b 16354 zoneminder_1.24.2-8+squeeze1.debian.tar.gz
 076ea52707b213172ddde42420d27dc0de7d5c0d865651700d50d48af589a1f8 1452144 zoneminder_1.24.2-8+squeeze1_i386.deb
Files:
 5948f712a603d4ea59dff82b3c0cd13d 2163 net optional zoneminder_1.24.2-8+squeeze1.dsc
 550d2f8f08852134028c3b1cf8fa437f 965521 net optional zoneminder_1.24.2.orig.tar.gz
 65fc0a8d14f672dd3c6cf8586abdf086 16354 net optional zoneminder_1.24.2-8+squeeze1.debian.tar.gz
 df954eec140564bac3f36dcb5c8e4fc9 1452144 net optional zoneminder_1.24.2-8+squeeze1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJRNlGIAAoJELeLgtSBS5G2j2UP/20Y4yz7on6jQvEZhh6AS7I0
rzGODYx9YZj/EJcUwlXR9g8dmrRnbFi8tpOOA+0EXUVqeJwOj3wq+ch+7aPYuzgK
/WKT3tp+H/qxcqXcKHD1+vDvDKds2qjRIBQHLev4pWqaqY+s8ocvne63oRqRKb9q
u3zdo3wn7nJoiPbQKvCB0SlQWxV5fGyOJ0YQ0CYOF2qjYViUEge0XUhCWi9IhudL
ukuQR+KSuAS4N2i8Z/+32edCBdOgBL9uYCsMJ5LUSi4A0m8g08O5Jghg6foClLAh
ur3JDAfmamBEHMvTw1+qfw1Ek3xwUjqjKXjlGpxOilvgCfOAVml3KY3JZ3rTE+5g
xA570W2oDEuFO7ZHxxzg5EMCI5gGlyJWDhs6u1gJbk8bbBz7bKCyvqduC+tK5www
XglushHPUGtOPuhFcbG5nHYklJL01S0nIPoFEXxAzjiPBp+URql7+EYMJGVfibHc
wTKFs1ks7TjjDrmQkyc0XJrZWvg3QQgGy5E2cxt8amBfuBEzR9pHTTzK95iO18cc
mKNE1vqc5q/cyjp+5IlIl9Pmjyg1UDrgz1exICbJTIZq/3XrNZCzlGHM367eOXeY
lVEOx7oJkwMZ5L0zQVwgn0bj8ui9A5w6FHiy9t6YEufhi+5BVAqSPJqQ4032tMv4
njXHyQV4scz8PdHjrcTF
=ZGx8
-----END PGP SIGNATURE-----
---End Message---
Bug#700912: marked as done (zoneminder: CVE-2013-0332: local file inclusion vulnerability)
Your message dated Sun, 17 Mar 2013 00:47:39 + with message-id e1uh1ld-0003sd...@franck.debian.org and subject line Bug#700912: fixed in zoneminder 1.24.2-8+squeeze1 has caused the Debian Bug report #700912, regarding zoneminder: CVE-2013-0332: local file inclusion vulnerability to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
700912: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700912
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: zoneminder
Version: 1.24.2-8
Severity: grave
Tags: security patch
Justification: user security hole
Control: fixed -1 1.25.0-1

Hi

In zoneminder forum there is the following security patch announce:
http://www.zoneminder.com/forums/viewtopic.php?f=1&t=17979

1.24.2-8 is affected by this file inclusion vulnerability. Attached are the patches from svn, r3483 and r3488.

Note: upstream 1.25.0 has a slightly modified detaint function:

    function detaintPath( $path )
    {
        // Remove any absolute paths, or relative ones that want to go up
        $path = preg_replace( '/\.(?:\.+[\\/][\\/]*)+/', '', $path );
        $path = preg_replace( '/^[\\/]+/', '', $path );
        return( $path );
    }

Regards
Salvatore

Index: web/includes/functions.php === --- web/includes/functions.php (revision 3482) +++ web/includes/functions.php (revision 3483)
@@ -2350,13 +2350,21 @@ return( rand( 1, 99 ) ); } +function detaintPath( $path ) +{ +// Remove any absolute paths, or relative ones that want to go up +$path = preg_replace( '/\.\.\//', '', $path ); +$path = preg_replace( '/^\//', '', $path ); +return( $path ); +} + function getSkinFile( $file ) { global $skinBase; $skinFile = false; foreach ( $skinBase as $skin ) { -$tempSkinFile = 'skins'.'/'.$skin.'/'.$file; +$tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file ); if ( file_exists( $tempSkinFile ) ) $skinFile = $tempSkinFile; } @@ -2369,7 +2377,7 @@ $skinFile = false; foreach ( $skinBase as $skin ) { -$tempSkinFile = 'skins'.'/'.$skin.'/'.$file; +$tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file ); if ( file_exists( $tempSkinFile ) ) $skinFile = $tempSkinFile; } Index: web/index.php === --- web/index.php (revision 3482) +++ web/index.php (revision 3483) @@ -97,10 +97,13 @@ require_once( 'includes/functions.php' ); if ( isset($_REQUEST['view']) ) -$view = validHtmlStr($_REQUEST['view']); +$view = detaintPath($_REQUEST['view']); +if ( isset($_REQUEST['request']) ) +$request = detaintPath($_REQUEST['request']); + if ( isset($_REQUEST['action']) ) -$action = validHtmlStr($_REQUEST['action']); +$action = detaintPath($_REQUEST['action']); require_once( 'includes/actions.php' ); @@ -109,13 +112,10 @@ if ( isset( $_REQUEST['request'] ) ) { -$request = validHtmlStr($_REQUEST['request']); foreach ( getSkinIncludes( 'ajax/'.$request.'.php', true, true ) as $includeFile ) { if ( !file_exists( $includeFile ) ) -{ Fatal( Request '$request' does not exist ); -} require_once $includeFile; } return; @@ -127,9 +127,7 @@ foreach ( $includeFiles as $includeFile ) { if ( !file_exists( $includeFile ) ) -{ Fatal( View '$view' does not exist ); -} require_once $includeFile; } } Index: web/includes/functions.php === --- web/includes/functions.php (revision 3487) +++ web/includes/functions.php (revision 3488) 
@@ -2353,8 +2353,8 @@ function detaintPath( $path ) { // Remove any absolute paths, or relative ones that want to go up -$path = preg_replace( '/\.\.\//', '', $path ); -$path = preg_replace( '/^\//', '', $path ); +$path = preg_replace( '/\.\.+\/\/*/', '', $path ); +$path = preg_replace( '/^\/\/*/', '', $path ); return( $path ); } ---End Message--- ---BeginMessage--- Source: zoneminder Source-Version: 1.24.2-8+squeeze1 We believe that the bug you reported is fixed in the latest version of zoneminder, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to
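Review bot: the detaintPath() added in the first web/includes/functions.php hunk (r3482 to r3483) removes '../' and a leading '/' in one pass, and a one-pass deletion is not idempotent: for the input '....//' the inner '../' is removed and what remains is '../' again, so the function can hand back the very sequence it was meant to strip. Either repeat the two preg_replace() calls until the string stops changing, or, better for every caller here (getSkinFile() and the view/request/action parameters all expect a plain file name), refuse the value with Fatal() when it contains a dot-dot or slash instead of cleaning it. The wider patterns in the r3488 hunk reduce the problem but do not replace validation.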
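Review bot: in the web/index.php hunk at @@ -97, replacing validHtmlStr() with detaintPath() for $view, $request and $action drops the HTML escaping those values had before, while the Fatal( View '$view' does not exist ) line left in the @@ -127 hunk still interpolates $view into its message. detaintPath() only touches dots and slashes, so if that message is ever rendered to the browser, quotes and angle brackets now reach it unescaped. Keep validHtmlStr() (or a strict identifier check such as [A-Za-z0-9_]+) on these parameters in addition to the path detainting, not instead of it.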
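Review bot: the r3488 hunk tightens the two patterns to '\.\.+\/\/*' and '^\/\/*', which now covers runs of dots and slashes, but detaintPath() still sanitises by deletion and silently accepts a value it had to rewrite. Compare the result with the input and call Fatal() when they differ, so that a traversal attempt is logged and stopped rather than turned into a different, unexpected file name. Note also that both patterns know only '/' as a separator; the 1.25.0 variant quoted in the report writes '[\\/]', which in a PHP single-quoted string is the regex class [\/] and therefore likewise matches only '/'.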
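The patch above, and the 1.25.0 detaintPath() quoted in the report, both clean request values by deleting '../' before using them to build an include path. As an added example (not ZoneMinder's own code), the PHP below contrasts that with validating instead of sanitising: an identifier whitelist for the view/request/action names, and a realpath() containment check for the final skin file. It assumes, as the index.php hunks suggest, that those parameters only ever name a .php file under skins/<skin>/; the temporary skins tree it creates is a constructed fixture.

```php
<?php
// Added example, not ZoneMinder code. Two checks that do not depend on
// stripping traversal sequences out of untrusted input.

// (1) Validate: a view/request/action only ever selects a file name, so
// accept a plain identifier and reject everything else. Unlike a strip
// of "../", a rejected value cannot be reassembled into anything.
function validIncludeName($name)
{
    return is_string($name)
        && preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name) === 1;
}

// (2) Contain: build the candidate path, canonicalise it with realpath()
// (which also fails for files that do not exist) and accept it only if it
// resolves below the skins base directory.
function getSkinFileContained($skinBaseDir, $skin, $file)
{
    $base = realpath($skinBaseDir);
    $candidate = realpath($skinBaseDir . '/' . $skin . '/' . $file);
    if ($base === false || $candidate === false) {
        return false;                       // missing directory or file
    }
    // Compare with the separator appended so that "skins2/" is not
    // mistaken for something inside "skins/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return false;                       // resolved outside the tree
    }
    return $candidate;
}

// Constructed fixture: a throw-away skins tree with one real view file.
$tmp = sys_get_temp_dir() . '/skins_example_' . getmypid();
mkdir($tmp . '/classic/views', 0700, true);
file_put_contents($tmp . '/classic/views/console.php', "<?php // view\n");

// Request values and whether the whitelist should accept them. The third
// one is the kind of input a single pass of preg_replace('/\.\.\//', ...)
// reduces to '../../etc/passwd' instead of removing.
$cases = array(
    'console'                => true,
    'console.php'            => false,  // the caller appends .php itself
    '....//....//etc/passwd' => false,
    '../../etc/passwd'       => false,
    '/etc/passwd'            => false,
    ''                       => false,
);
foreach ($cases as $input => $expected) {
    $ok = validIncludeName($input);
    printf("%-28s accepted=%-3s %s\n", var_export($input, true),
           $ok ? 'yes' : 'no', $ok === $expected ? 'ok' : 'MISMATCH');
}

// Containment check: the real view resolves inside the tree, a traversal
// attempt resolves outside it (or to a non-existent file) and is refused.
var_dump(getSkinFileContained($tmp, 'classic', 'views/console.php') !== false); // bool(true)
var_dump(getSkinFileContained($tmp, 'classic', '../../../etc/passwd'));         // bool(false)

// Remove the fixture again.
unlink($tmp . '/classic/views/console.php');
rmdir($tmp . '/classic/views');
rmdir($tmp . '/classic');
rmdir($tmp);
```

Run it with `php example.php`. The point of the design is that a value which fails validIncludeName() is refused and can be logged as a traversal attempt, whereas a sanitiser that edits the string quietly turns one request into a different one; the realpath() check is the backstop for the cases where a path really must be assembled from pieces.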
Bug#702735: marked as done (firebird2.1: CVE-2013-2492: Request Processing Buffer Overflow Vulnerability)
Your message dated Sun, 17 Mar 2013 00:47:16 + with message-id e1uh1kq-0003no...@franck.debian.org and subject line Bug#702735: fixed in firebird2.1 2.1.3.18185-0.ds1-11+squeeze1 has caused the Debian Bug report #702735, regarding firebird2.1: CVE-2013-2492: Request Processing Buffer Overflow Vulnerability to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
702735: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702735
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Source: firebird2.1
Severity: grave
Tags: security

Hi

the following vulnerability was published for firebird2.1.

CVE-2013-2492[0]: Request Processing Buffer Overflow Vulnerability

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities Exposures) id in your changelog entry.

For further information see also [1] and [2].

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2492
    http://security-tracker.debian.org/tracker/CVE-2013-2492
[1] http://tracker.firebirdsql.org/browse/CORE-4058
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2492

Thank you for looking into this.

Regards,
Salvatore
---End Message---
---BeginMessage---
Source: firebird2.1
Source-Version: 2.1.3.18185-0.ds1-11+squeeze1

We believe that the bug you reported is fixed in the latest version of firebird2.1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 702...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov d...@debian.org (supplier of updated firebird2.1 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 12 Mar 2013 10:30:31 +0200
Source: firebird2.1
Binary: firebird2.1-super firebird2.1-classic libfbembed2.1 firebird2.1-common firebird2.1-server-common firebird2.1-dev firebird2.1-examples firebird2.1-doc firebird2.1-common-doc
Architecture: source all amd64
Version: 2.1.3.18185-0.ds1-11+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Firebird Group pkg-firebird-gene...@lists.alioth.debian.org
Changed-By: Damyan Ivanov d...@debian.org
Description:
 firebird2.1-classic - Firebird Classic Server - an RDBMS based on InterBase 6.0 code
 firebird2.1-common - common files for firebird 2.1 servers and clients
 firebird2.1-common-doc - copyright, licensing and changelogs of firebird2.1
 firebird2.1-dev - Development files for Firebird - an RDBMS based on InterBase 6.0
 firebird2.1-doc - Documentation files for firebird database version 2.1
 firebird2.1-examples - Examples for Firebird - an RDBMS based on InterBase 6.0 code
 firebird2.1-server-common - common files for firebird 2.1 servers
 firebird2.1-super - Firebird Super Server - an RDBMS based on InterBase 6.0 code
 libfbembed2.1 - Firebird embedded client/server library
Closes: 702735
Changes:
 firebird2.1 (2.1.3.18185-0.ds1-11+squeeze1) stable-security; urgency=high
 .
   * Apply patch from upstream revision r57728 (unfuzzied) fixing a remote unauthenticated stack overflow in the Firebird server (CVE-2013-2492) Closes: #702735
Checksums-Sha1:
 952df5eacdc39926b4d03845d50cee91a6bbbfe1 2346 firebird2.1_2.1.3.18185-0.ds1-11+squeeze1.dsc
 4852c169b652d8ab27741c71bb29ed68cf3be311 7430001 firebird2.1_2.1.3.18185-0.ds1.orig.tar.gz
 f2ee2a059557c23474eba37c3d801b6575b33256 120674 firebird2.1_2.1.3.18185-0.ds1-11+squeeze1.diff.gz
 e22bb70d3cf472b3c7b7e5516334ba75ddd6dc17 58592 firebird2.1-dev_2.1.3.18185-0.ds1-11+squeeze1_all.deb
 2c32c124933a63f9224e099e5abc53df8b5e5a7d 164452 firebird2.1-examples_2.1.3.18185-0.ds1-11+squeeze1_all.deb
 e795a8a068258b52bb07d8fc45e61d62c1f9f751 974320 firebird2.1-doc_2.1.3.18185-0.ds1-11+squeeze1_all.deb
 ead3137e43d3caf339b9ec63ffdb847b0a664aff 471360 firebird2.1-common-doc_2.1.3.18185-0.ds1-11+squeeze1_all.deb
 1e8723bf21ce96dd7b1cc12e5831be723928e9d8 2966574 firebird2.1-super_2.1.3.18185-0.ds1-11+squeeze1_amd64.deb
 7629dcad565c4724fdec313559d0807139266da3 1576456 firebird2.1-classic_2.1.3.18185-0.ds1-11+squeeze1_amd64.deb
 6874b1d1028a13e5fa2ca2410158ef30bf10b504 1370008 libfbembed2.1_2.1.3.18185-0.ds1-11+squeeze1_amd64.deb
 9c8ef30ca3dfd3e8f715ab358ccba04d1f336734
Bug#702736: marked as done (firebird2.5: CVE-2013-2492: Request Processing Buffer Overflow Vulnerability)
Your message dated Sun, 17 Mar 2013 00:47:26 + with message-id e1uh1l0-0003q3...@franck.debian.org and subject line Bug#702736: fixed in firebird2.5 2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1 has caused the Debian Bug report #702736, regarding firebird2.5: CVE-2013-2492: Request Processing Buffer Overflow Vulnerability to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
702736: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702736
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Source: firebird2.5
Severity: grave
Tags: security

Hi

the following vulnerability was published for firebird2.5.

CVE-2013-2492[0]: Request Processing Buffer Overflow Vulnerability

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities Exposures) id in your changelog entry.

For further information see also [1] and [2].

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2492
    http://security-tracker.debian.org/tracker/CVE-2013-2492
[1] http://tracker.firebirdsql.org/browse/CORE-4058
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2492

Thank you for looking into this.

Regards,
Salvatore
---End Message---
---BeginMessage---
Source: firebird2.5
Source-Version: 2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1

We believe that the bug you reported is fixed in the latest version of firebird2.5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 702...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov d...@debian.org (supplier of updated firebird2.5 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 12 Mar 2013 10:21:04 +0200
Source: firebird2.5
Binary: firebird2.5-super firebird2.5-classic firebird2.5-superclassic libfbclient2 libfbembed2.5 libib-util firebird2.5-common firebird2.5-server-common firebird2.5-classic-common firebird2.5-dev firebird2.5-examples firebird2.5-doc firebird2.5-common-doc
Architecture: source all amd64
Version: 2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Firebird Group pkg-firebird-gene...@lists.alioth.debian.org
Changed-By: Damyan Ivanov d...@debian.org
Description:
 firebird2.5-classic - Firebird Classic Server - an RDBMS based on InterBase 6.0 code
 firebird2.5-classic-common - common files for firebird 2.5 classic and superclassic server
 firebird2.5-common - common files for firebird 2.5 servers and clients
 firebird2.5-common-doc - copyright, licensing and changelogs of firebird2.5
 firebird2.5-dev - Development files for Firebird - an RDBMS based on InterBase 6.0
 firebird2.5-doc - Documentation files for firebird database version 2.5
 firebird2.5-examples - Examples for Firebird - an RDBMS based on InterBase 6.0 code
 firebird2.5-server-common - common files for firebird 2.5 servers
 firebird2.5-super - Firebird Super Server - an RDBMS based on InterBase 6.0 code
 firebird2.5-superclassic - Firebird SuperClassic Server - an RDBMS based on InterBase 6.0 co
 libfbclient2 - Firebird client library
 libfbembed2.5 - Firebird embedded client/server library
 libib-util - Firebird UDF support library
Closes: 693210 702736
Changes:
 firebird2.5 (2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1) stable-security; urgency=high
 .
   * Apply patch from upstream revision r57728 (unfuzzied) fixing a remote unauthenticated stack overflow in the Firebird server (CVE-2013-2492) Closes: #702736
   * Apply patch from upstream revision r54702 fixing a crash (NULL pointer dereference) when preparing an empty SQL statement with trace services enabled (CVE-2012-5529) Closes: #693210
Checksums-Sha1:
 9606b98bb730635c1c68f24ebbf3ae7cbd6ae0a6 2561 firebird2.5_2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1.dsc
 07f39f34dd8ec37c0e9bdfa1b9ca450257102c29 6915217 firebird2.5_2.5.0.26054~ReleaseCandidate3.ds2.orig.tar.gz
 86175222bf96708f060cd50e451a861a53e123ab 127686 firebird2.5_2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1.diff.gz
 525931a43383acec964679c7ef48c0f1d161d0e3 65370 firebird2.5-dev_2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1_all.deb
Bug#703213: Mandatory upgrade of bitcoin versions <= 0.7.2
Source: bitcoin
Version: 0.7.2-1
Severity: serious

From upstream: http://bitcoin.org/may15.html

The most recent accidental fork is forcing an upgrade. We either should get bitcoin 0.8.1 in to unstable or add some wrapper to bitcoind and bitcoin-qt to create a DB_CONFIG file.

Summary below:

15 May 2013 Upgrade Deadline

What is happening

If you are using Bitcoin-Qt/bitcoind version 0.7.2 or earlier, you must take action before 15 May, 2013. If you do nothing, you are likely to be left behind and will be out of sync with the rest of the Bitcoin network.

We recommend that you upgrade to version 0.8.1 before the 15th of May to avoid any issues. If you are a solo miner or mining pool operator, please see the notes at the end of this page for how to upgrade safely.

If you cannot upgrade to version 0.8.1

If you cannot upgrade to the latest version, you can still avoid the problem. Create a file called DB_CONFIG in the bitcoin data directory, containing these two lines:

    set_lg_dir database
    set_lk_max_locks 5
Bug#703214: Should Break older unknown-horizons
Package: python-fife
Version: 0.3.4-1
Severity: serious

Unknown Horizons 2012.1 won't work with this new fife so we should break it!

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: kfreebsd-amd64 (x86_64)

Kernel: kFreeBSD 10.0-0-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-fife depends on:
ii  libboost-filesystem1.49.0  1.49.0-3.2
ii  libboost-regex1.49.0       1.49.0-3.2
ii  libboost-system1.49.0      1.49.0-3.2
ii  libc0.1                    2.13-38
ii  libgcc1                    1:4.7.2-5
ii  libgl1-mesa-glx [libgl1]   8.0.5-3
ii  libguichan-0.8.1-1         0.8.2-10+b1
ii  libguichan-opengl-0.8.1-1  0.8.2-10+b1
ii  libguichan-sdl-0.8.1-1     0.8.2-10+b1
ii  libogg0                    1.3.0-4
ii  libopenal1                 1:1.14-4
ii  libpng12-0                 1.2.49-1
ii  libpython2.6               2.6.8-1.1
ii  libpython2.7               2.7.3-6
ii  libsdl-image1.2            1.2.12-2
ii  libsdl-ttf2.0-0            2.0.11-2
ii  libsdl1.2debian            1.2.15-5
ii  libstdc++6                 4.7.2-5
ii  libtinyxml2.6.2            2.6.2-1
ii  libvorbis0a                1.3.2-1.3
ii  libvorbisfile3             1.3.2-1.3
ii  libxcursor1                1:1.1.13-1
ii  python                     2.7.3-4

python-fife recommends no packages.

python-fife suggests no packages.

-- no debconf information