Bug#773416: [DEBIAN-LTS] ettercap package
Hi *, nope, you seems to be modifying other patches rather than the strict necessary to fix this bug. Moreover the patch is lacking of a CVE description (actually the patch is fixing two CVEs, and the description mentions only one) (there is also no need to mention me, I'm not the author of the patch, neither of the debdiff :) ) also the patch subject might be not really needed, I leave Raphael to review the rest :) I propose something like this instead. (note the patch might not apply at all, I manually changed it) diff -u ettercap-0.7.3/debian/changelog ettercap-0.7.3/debian/changelog --- ettercap-0.7.3/debian/changelog +++ ettercap-0.7.3/debian/changelog @@ -1,3 +1,16 @@ +ettercap (1:0.7.3-2.1+squeeze2) squeeze-lts; urgency=medium + + * Non-maintainer upload. + * Patch a bunch of security vulnerabilities (closes: #773416) + - CVE-2014-9380 (Buffer over-read) + - CVE-2014-9381 (Signedness error) + See: + https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/ + Patches taken from upstream + - 6b196e011fa456499ed4650a360961a2f1323818 pull/608 + - 31b937298c8067e6b0c3217c95edceb983dfc4a2 pull/609 + Thanks to Nick Sampanis n.sampa...@obrela.com who is responsible for + both finding and repairing these issues. + + -- Nguyen Cong cong.nguyen...@toshiba-tsdv.com Tue, 23 Dec 2014 09:44:32 +0700 + ettercap (1:0.7.3-2.1+squeeze1) stable; urgency=high * Quilt patch for CVE-2013-0722, a stack-based buffer overflow when diff -u ettercap-0.7.3/debian/patches/series ettercap-0.7.3/debian/patches/series --- ettercap-0.7.3/debian/patches/series +++ ettercap-0.7.3/debian/patches/series @@ -3,0 +4 @@ +04_CVE-2014-9380-9381.patch --- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch 
@@ -0,0 +1,35 @@ +From: Nick Sampanis n.sampa...@obrela.com +Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3 +Date: Mon, 22 Dec 2014 10:22:56 + (UTC) + +The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1 +allows remote attackers to cause a denial of service (out-of-bounds +read) via a packet containing only a CVS_LOGIN signature. + +Integer signedness error in the dissector_cvs function in +dissectors/ec_cvs.c in Ettercap 8.1 allows remote attackers to cause +a denial of service (crash) via a crafted password, which triggers +a large memory allocation. +See Debian Bug #773416#20 + +--- a/src/dissectors/ec_cvs.c b/src/dissectors/ec_cvs.c +@@ -70,7 +70,7 @@ FUNC_DECODER(dissector_cvs) + { +DECLARE_DISP_PTR_END(ptr, end); +char tmp[MAX_ASCII_ADDR_LEN]; +- char *p; ++ u_char *p; +size_t i; + +/* don't complain about unused var */ +@@ -92,6 +92,8 @@ FUNC_DECODER(dissector_cvs) + +/* move over the cvsroot path */ +ptr += strlen(CVS_LOGIN) + 1; ++ if (ptr = end) ++ return NULL; + +/* go until \n */ +while(*ptr != '\n' ptr != end) ptr++; cheers, and Merry XMas, Gianfranco -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
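Review bot: In the second ec_cvs.c hunk (@@ -92,6 +92,8) the added guard reads `if (ptr = end)`, which assigns `end` to `ptr` instead of comparing the two, so the condition is true for any non-NULL `end` and the dissector returns NULL on every packet. It should be a comparison, `if (ptr >= end) return NULL;`, so that only a packet ending right after the CVS_LOGIN signature is rejected before the scan for '\n'. The loop on the following context line also reads `*ptr` before it tests `ptr != end`; testing the bound first keeps that dereference inside the buffer.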
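Review bot: The first ec_cvs.c hunk (@@ -70,7 +70,7) changes `p` from `char *` to `u_char *`, but nothing in the patch description says that this is the fix for the signedness error or where `p` feeds a length or an allocation; one sentence tying the type change to CVE-2014-9381 would make the patch reviewable on its own. The description also names only "Ettercap 8.1" and carries the From/Subject/Date of a bug-mail reply, while the package being patched is 0.7.3; listing both CVE ids and the two upstream commits from the changelog entry in the patch header would be clearer.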
Bug#773836: marked as done (glance: unrestricted path traversal flaw)
Your message dated Thu, 25 Dec 2014 10:19:14 + with message-id e1y45vi-0005b4...@franck.debian.org and subject line Bug#773836: fixed in glance 2014.1.3-6 has caused the Debian Bug report #773836, regarding glance: unrestricted path traversal flaw to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 773836: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773836 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Source: glance Version: 2014.1.3-5 Severity: serious Tags: security upstream Hi Setting this to serious/RC since this probably should go as well to jessie (please let me know if you disagree on severity). From [1]: [1] http://www.openwall.com/lists/oss-security/2014/12/23/2 Masahito Muroi from NTT reported a vulnerability in Glance. By setting a malicious image location an authenticated user can download or delete any file on the Glance server for which the Glance process user has access to. Only setups using the Glance V2 API are affected by this flaw. More details are also on the Red Hat bugzilla entry[2]. [2] https://bugzilla.redhat.com/show_bug.cgi?id=1174474 Regards, Salvatore ---End Message--- ---BeginMessage--- Source: glance Source-Version: 2014.1.3-6 We believe that the bug you reported is fixed in the latest version of glance, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. 
If you have further comments please address them to 773...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Thomas Goirand z...@debian.org (supplier of updated glance package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Thu, 25 Dec 2014 17:28:05 +0800 Source: glance Binary: python-glance glance python-glance-doc glance-common glance-api glance-registry Architecture: source all Version: 2014.1.3-6 Distribution: unstable Urgency: high Maintainer: PKG OpenStack openstack-de...@lists.alioth.debian.org Changed-By: Thomas Goirand z...@debian.org Description: glance - OpenStack Image Service - metapackage glance-api - OpenStack Image Service - API server glance-common - OpenStack Image Service - common files glance-registry - OpenStack Image Service - registry server python-glance - OpenStack Image Service - Python client library python-glance-doc - OpenStack Image Service - Python library documentation Closes: 773836 Changes: glance (2014.1.3-6) unstable; urgency=high . * Added restrict_client_download_and_delete_files_in_glance-api_juno.patch from upstream (Closes: #773836). * Build-depends on openstack-pkg-tools (= 20~) to ensure we have the systemd fixes. 
Bug#764732: gcc-4.9: broken -O2 optimizations on armhf
Control: tags -1 + help this is not seen on the gcc-4.9 Linaro branch, so an ARM porter should identify the relevant backport. On 12/25/2014 06:12 AM, Matthias Klose wrote: the escalation is wrong. there exist several workarounds for it (lowering the optimization, using gcc-4.8, ...). I asked the ARM porters to address this properly (Hector on IRC agreed to forward this), however I don't see any progress here. Now CCing debian-arm explicitly. On 12/23/2014 11:48 AM, Santiago Vila wrote: severity 764732 serious thanks On Fri, 10 Oct 2014, Hector Oron wrote: Package: gcc-4.9 Version: 4.9.1-16 Severity: important Hello, Found a FTBFS while trying to build unzip package in Debian/sid on armhf host. [...] Yesterday, I uploaded unzip 6.0-13 fixing several security bugs, but it will not migrate to testing because of this, which has just been reported against unzip as Bug #773785. Since this is really a gcc bug, I'm raising the severity accordingly. Please tell me about the likelihood that this is indeed fixed in gcc, because if it's low I will have to look for a workaround in unzip (such as lowering the optimization level). Thanks.
Processed: Re: Bug#764732: gcc-4.9: broken -O2 optimizations on armhf
Processing control commands: tags -1 + help Bug #764732 [gcc-4.9] gcc-4.9: broken -O2 optimizations on armhf Added tag(s) help. -- 764732: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764732 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#773913: Lightdm switches immediately to a black screen
Package: lightdm Version: 1.10.3-3 Severity: grave Justification: renders package unusable Dear Maintainer, *** Reporter, please consider answering these questions, where appropriate *** * What led up to the situation? I think it happened after an important upgrade related to systemd a few months ago but I'm not fully sure. I'm now using systemd-logind. * What was the outcome of this action? Notice that I report the bug with a different kernel. The kernel on which the bug occurs is: Linux 3.16-2-amd64 Lightdm starts and instantly (maybe after 1/10 sec) shows a black screen. It is possible to login (I can see the HDD light working) but the screen is still black. I'm reporting this for lightdm but I guess this is more general. Notice that when I use another kernel (3.14-2-amd64) the situation is a bit different: the screen is black but if I increase the luminosity of the screen then it suddenly works. * What outcome did you expect instead? To be able at least to increase the luminosity until it works. The best would be of course to have immediately a screen with display on. -- System Information: Debian Release: 8.0 APT prefers testing-updates APT policy: (500, 'testing-updates'), (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init)
Bug#772971: marked as done (src:nvidia-graphics-drivers*: CVE-2014-8298: GLX-INDIRECT (Including CVE-2014-8093, CVE-2014-8098))
Your message dated Thu, 25 Dec 2014 15:32:06 + with message-id e1y4aou-0002bl...@franck.debian.org and subject line Bug#772971: fixed in nvidia-graphics-drivers 304.125-1 has caused the Debian Bug report #772971, regarding src:nvidia-graphics-drivers*: CVE-2014-8298: GLX-INDIRECT (Including CVE-2014-8093, CVE-2014-8098) to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 772971: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772971 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Source: nvidia-graphics-drivers Severity: critical Tags: security This is the NVIDIA-specific part of DSA-3095-1 xorg-server -- security update https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8298 The NVIDIA Linux Discrete GPU drivers before R304.125, R331.x before R331.113, R340.x before R340.65, R343.x before R343.36, and R346.x before R346.22, Linux for Tegra (L4T) driver before R21.2, and Chrome OS driver before R40 allows remote attackers to cause a denial of service (segmentation fault and X server crash) or possibly execute arbitrary code via a crafted GLX indirect rendering protocol request. http://lists.x.org/archives/xorg-announce/2014-December/002500.html http://nvidia.custhelp.com/app/answers/detail/a_id/3610

Release series          fixed in version
Releases prior to 304   Has reached 'end of life' and no longer supported.
304.*                   304.125 available as of 12/9
319.*                   no longer supported
331.*                   331.113 available as of 12/9
340.*                   340.65 available as of 12/9
343.*                   343.36 available as of 12/9
346.*                   346.22 Beta available as of 12/9

All NVIDIA drivers (in non-free) are affected:

not fixable (no new upstream release will be provided):
nvidia-graphics-drivers-legacy-96xx | 96.43.18-2 | squeeze/non-free | source
nvidia-graphics-drivers-legacy-96xx | 96.43.23-3 | wheezy/non-free | source
nvidia-graphics-drivers-legacy-96xx | 96.43.23-7~bpo70+1 | wheezy-backports/non-free | source
nvidia-graphics-drivers-legacy-173xx | 173.14.27-2 | squeeze/non-free | source
nvidia-graphics-drivers-legacy-173xx | 173.14.35-1~bpo60+2 | squeeze-backports/non-free | source
nvidia-graphics-drivers-legacy-173xx | 173.14.35-4 | wheezy/non-free | source
nvidia-graphics-drivers-legacy-173xx | 173.14.39-2~bpo70+1 | wheezy-backports/non-free | source
nvidia-graphics-drivers | 195.36.31-6squeeze2 | squeeze/non-free | source
nvidia-graphics-drivers | 295.59-1~bpo60+2 | squeeze-backports/non-free | source

uploads planned (new upstream release required):
nvidia-graphics-drivers | 304.117-1 | wheezy/non-free | source
nvidia-graphics-drivers-legacy-304xx | 304.123-4~bpo70+1 | wheezy-backports/non-free | source
nvidia-graphics-drivers-legacy-304xx | 304.123-4 | jessie/non-free | source
nvidia-graphics-drivers-legacy-304xx | 304.123-4 | sid/non-free | source
nvidia-graphics-drivers | 319.82-1~bpo70+2 | wheezy-backports/non-free | source
nvidia-graphics-drivers | 340.46-6 | jessie/non-free | source
nvidia-graphics-drivers | 340.58-1 | sid/non-free | source
nvidia-graphics-drivers | 343.22-2 | experimental/non-free | source

I expect wheezy (only nvidia-graphics-drivers can be fixed there) shall be fixed via wheezy-proposed-updates, no DSA, as in the previous ones?
Andreas ---End Message--- ---BeginMessage--- Source: nvidia-graphics-drivers Source-Version: 304.125-1 We believe that the bug you reported is fixed in the latest version of nvidia-graphics-drivers, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 772...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Andreas Beckmann a...@debian.org (supplier of updated nvidia-graphics-drivers package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive
Bug#773836: marked as done (glance: unrestricted path traversal flaw)
Your message dated Thu, 25 Dec 2014 15:34:39 + with message-id e1y4aqx-0002yl...@franck.debian.org and subject line Bug#773836: fixed in glance 2014.2.1-2 has caused the Debian Bug report #773836, regarding glance: unrestricted path traversal flaw to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 773836: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773836 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Source: glance Version: 2014.1.3-5 Severity: serious Tags: security upstream Hi Setting this to serious/RC since this probably should go as well to jessie (please let me know if you disagree on severity). From [1]: [1] http://www.openwall.com/lists/oss-security/2014/12/23/2 Masahito Muroi from NTT reported a vulnerability in Glance. By setting a malicious image location an authenticated user can download or delete any file on the Glance server for which the Glance process user has access to. Only setups using the Glance V2 API are affected by this flaw. More details are also on the Red Hat bugzilla entry[2]. [2] https://bugzilla.redhat.com/show_bug.cgi?id=1174474 Regards, Salvatore ---End Message--- ---BeginMessage--- Source: glance Source-Version: 2014.2.1-2 We believe that the bug you reported is fixed in the latest version of glance, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. 
If you have further comments please address them to 773...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Thomas Goirand z...@debian.org (supplier of updated glance package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Thu, 25 Dec 2014 17:24:40 +0800 Source: glance Binary: python-glance glance python-glance-doc glance-common glance-api glance-registry Architecture: source all Version: 2014.2.1-2 Distribution: experimental Urgency: medium Maintainer: PKG OpenStack openstack-de...@lists.alioth.debian.org Changed-By: Thomas Goirand z...@debian.org Description: glance - OpenStack Image Service - metapackage glance-api - OpenStack Image Service - API server glance-common - OpenStack Image Service - common files glance-registry - OpenStack Image Service - registry server python-glance - OpenStack Image Service - Python client library python-glance-doc - OpenStack Image Service - Python library documentation Closes: 773836 Changes: glance (2014.2.1-2) experimental; urgency=medium . * Added restrict_client_download_and_delete_files_in_glance-api_juno.patch from upstream (Closes: #773836). 
Bug#773916: libical: Ship different constant values accross builds
Package: libical-dev Version: 1.0-1.1 Severity: critical User: reproducible-bui...@lists.alioth.debian.org Usertags: randomness Hi! While working on the “reproducible builds” effort [1], we have noticed that libical could not be built reproducibly: https://jenkins.debian.net/userContent/dbd/libical_1.0-1.1.debbindiff.html The debbindiff output linked above shows that two builds of libical will output different values for the constants defined in the icalvalue_kind enum in ical.h and icalderivedvalue.h. This is bad. It means that any software using these values will break when libical is updated. After a quick look at the report, this might be the cause for #766454. The problem highly likely lies in the following code: https://sources.debian.net/src/libical/1.0-1.1/scripts/mkderivedvalues.pl/?hl=66:74#L66 Sorting the keys before using them should make the output stable across builds. Ideally this should be done in all similar constructs to enable the package to build reproducibly. Packages having a Build-Depends on libical-dev should probably be binNMU'ed once this is fixed. That should be: agenda.app, asterisk, bluez, cairo-dock-plug-ins, citadel, cyrus-imapd-2.4, evolution, evolution-data-server, evolution-ews, gnokii, goldencheetah, ical2html, kdepimlibs, kmymoney, libsynthesis, openchange, orage, osmo, syncevolution, webcit. [1]: https://wiki.debian.org/ReproducibleBuilds -- Lunar lu...@debian.org
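The failure mode this report describes, as an added example that is not libical's mkderivedvalues.pl: a generator that numbers enum members in Perl hash-iteration order emits different headers from one build to the next, while sorting the keys first yields a single stable header. The value-kind names, the ICAL_*_VALUE spelling and the starting value are constructed for illustration; the script re-runs itself under several PERL_HASH_SEED values to stand in for separate builds.

```perl
#!/usr/bin/perl
# Added illustration, not libical's generator script.
use strict;
use warnings;

# Constructed sample: value kinds a generator might turn into enum members.
my %kinds = map { $_ => 1 }
    qw(BINARY BOOLEAN DATE DURATION FLOAT INTEGER PERIOD TEXT URI);

# Emit a C enum, numbering members in the order the names arrive.
sub emit_enum {
    my (@names) = @_;
    my $n = 1;    # arbitrary starting value for this sketch
    my @members =
        map { sprintf('    ICAL_%s_VALUE = %d,', $_, $n++) } @names;
    return join("\n", 'typedef enum icalvalue_kind {', @members,
                '} icalvalue_kind;') . "\n";
}

# Child modes: print one generated header and exit.
my $mode = shift(@ARGV) // 'compare';
if ($mode eq 'unsorted') { print emit_enum(keys %kinds);      exit 0 }
if ($mode eq 'sorted')   { print emit_enum(sort keys %kinds); exit 0 }

# Parent mode: run this script as a child under several hash seeds (one
# per simulated build) and count how many different headers come back.
sub distinct_headers {
    my ($child_mode) = @_;
    my %seen;
    for my $seed (1 .. 8) {
        local $ENV{PERL_HASH_SEED} = $seed;
        open(my $fh, '-|', $^X, $0, $child_mode)
            or die "cannot run child: $!";
        my $header = do { local $/; <$fh> };
        close($fh) or die "child exited with status $?";
        $seen{$header}++;
    }
    return scalar keys %seen;
}

printf "hash order:   %d distinct header(s) across 8 builds\n",
    distinct_headers('unsorted');
printf "sorted order: %d distinct header(s) across 8 builds\n",
    distinct_headers('sorted');
```

The sorted count is always 1; the hash-order count is normally higher, and every extra header is a build whose enum values disagree with binaries compiled against another build.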
Processed: Re: pidgin-encryption: Please default to stronger keys
Processing control commands: severity -1 grave Bug #766700 [pidgin-encryption] pidgin-encryption: Please default to stronger keys Severity set to 'grave' from 'important' tags -1 patch pending Bug #766700 [pidgin-encryption] pidgin-encryption: Please default to stronger keys Added tag(s) pending and patch. -- 766700: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766700 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#765319: marked as done (missing license in debian/copyright)
Your message dated Thu, 25 Dec 2014 18:33:34 + with message-id e1y4de6-00066u...@franck.debian.org and subject line Bug#765319: fixed in pioneers 14.1-3 has caused the Debian Bug report #765319, regarding missing license in debian/copyright to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 765319: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765319 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: pioneers Version: 15.2-1 Severity: serious User: alteh...@debian.org Usertags: ftp X-Debbugs-CC: ftpmas...@ftp-master.debian.org thanks Dear Maintainer, please add the missing license of: editor/gtk/pioneers-editor.svg client/gtk/data/pioneers.svg server/gtk/pioneers-server.svg debian/copyright. client/gtk/data/style-ai.svg is licensed under CC-BY-SA 2.5 which is not DFSG-free, so please remove it. Thanks! Thorsten ---End Message--- ---BeginMessage--- Source: pioneers Source-Version: 14.1-3 We believe that the bug you reported is fixed in the latest version of pioneers, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 765...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. 
Bas Wijnen wij...@debian.org (supplier of updated pioneers package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.8 Date: Thu, 25 Dec 2014 09:51:13 -0500 Source: pioneers Binary: pioneers pioneers-console pioneers-meta-server pioneers-data pioneers-console-data Architecture: source amd64 all Version: 14.1-3 Distribution: testing Urgency: medium Maintainer: Roland Clobus rclo...@rclobus.nl Changed-By: Bas Wijnen wij...@debian.org Description: pioneers - Settlers of Catan board game pioneers-console - Settlers of Catan board game - console parts pioneers-console-data - Settlers of Catan board game - data files for console parts pioneers-data - Settlers of Catan board game - data files pioneers-meta-server - Settlers of Catan board game - meta-server Closes: 765319 Changes: pioneers (14.1-3) testing; urgency=medium . [ Roland Clobus ] * Updated copyright which clarifies the license for the images. (closes: #765319) * Applied license patch from the upstream repository. * Updated translations, as mentioned in #768176. 
Processed: Fw: Subject: netfilter-persistent: Running firewall before partitions mounted
Processing commands for cont...@bugs.debian.org: severity 760424 serious Bug #760424 [netfilter-persistent] Subject: netfilter-persistent: Running firewall before partitions mounted Severity set to 'serious' from 'wishlist' tags 760424 patch Bug #760424 [netfilter-persistent] Subject: netfilter-persistent: Running firewall before partitions mounted Added tag(s) patch. thanks Stopping processing here. Please contact me if you need assistance. -- 760424: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760424 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: Bug#772831: squidguard: squid 2.7 redirector protocol used by squidguard is no more supported with squid 3.4
Processing commands for cont...@bugs.debian.org: severity 772831 serious Bug #772831 [squidguard] squidguard: squid 2.7 redirector protocol used by squidguard is no more supported with squid 3.4 Severity set to 'serious' from 'important' thanks Stopping processing here. Please contact me if you need assistance. -- 772831: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772831 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#772831: squidguard: squid 2.7 redirector protocol used by squidguard is no more supported with squid 3.4
After some tests I created this updated patch. With it squidguard is running with squid3 version 3.4.8. Ciao, Joo Package: squidguard Subject: fix for working (only) with squid 3.4 and higher Author: Joachim Wiedorn joodebian at joonet.de Origin: other, http://bugs.squid-cache.org/show_bug.cgi?id=3978 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772831 Forwarded: yes Last-Update: 2014-12-22 Incorrectly use of Squid helper protocol (old squid-2.5 protocol). This bugfix let it work together with squid3 v3.4 and higher. Pay attention that with this patch squidguard don't work with squid 3.3 and lower anymore! --- diff -urN s13/src/main.c s14/src/main.c --- s13/src/main.c 2014-12-11 18:10:03.943372692 +0100 +++ s14/src/main.c 2014-12-23 23:07:49.583732080 +0100 @@ -185,7 +185,7 @@ sgReloadConfig(); } if(failsafe_mode) { - puts(); + puts(ERR message=\squidGuard failsafe mode\); fflush(stdout); if(sig_hup){ sgReloadConfig(); @@ -194,7 +194,7 @@ } if(parseLine(buf,squidInfo) != 1){ sgLogError(ERROR: Error parsing squid line: %s,buf); - puts(); + puts(BH message=\squidGuard error parsing squid line\); } else { src = Source; @@ -206,14 +206,14 @@ acl = sgAclCheckSource(src); if((redirect = sgAclAccess(src,acl,squidInfo)) == NULL){ if(src == NULL || src-cont_search == 0){ - puts(); + puts(ERR); break; } else if(src-next != NULL){ src = src-next; continue; } else { - puts(); + puts(ERR); break; } } else { 
@@ -225,9 +225,11 @@ squidInfo.ident[0] = '-'; squidInfo.ident[1] = '\0'; } - fprintf(stdout,%s %s/%s %s %s\n,redirect,squidInfo.src, - squidInfo.srcDomain,squidInfo.ident, - squidInfo.method); + if (isdigit(redirect[0]) isdigit(redirect[1]) isdigit(redirect[2]) redirect[3]==':') { + fprintf(stdout,OK status=%c%c%c url=\%s\\n, redirect[0], redirect[1], redirect[2], redirect[4]); + } else + fprintf(stdout,OK rewrite-url=\%s\\n,redirect); + /* sgLogDebug(DEBUG: %s %s/%s %s %s\n,redirect,squidInfo.src,squidInfo.srcDomain,squidInfo.ident,squidInfo.method); */ break; } diff -urN s13/src/main.c.in s14/src/main.c.in --- s13/src/main.c.in 2011-10-01 20:49:00.0 +0200 +++ s14/src/main.c.in 2014-12-11 18:19:26.775347885 +0100 @@ -185,7 +185,7 @@ sgReloadConfig(); } if(failsafe_mode) { - puts(); + puts(ERR message=\squidGuard failsafe mode\); fflush(stdout); if(sig_hup){ sgReloadConfig(); @@ -194,7 +194,7 @@ } if(parseLine(buf,squidInfo) != 1){ sgLogError(ERROR: Error parsing squid line: %s,buf); - puts(); + puts(BH message=\squidGuard error parsing squid line\); } else { src = Source; @@ -206,14 +206,14 @@ acl = sgAclCheckSource(src); if((redirect = sgAclAccess(src,acl,squidInfo)) == NULL){ if(src == NULL || src-cont_search == 0){ - puts(); + puts(ERR); break; } else if(src-next != NULL){ src = src-next; continue; } else { - puts(); + puts(ERR); break; } } else { 
@@ -225,9 +225,11 @@ squidInfo.ident[0] = '-'; squidInfo.ident[1] = '\0'; } - fprintf(stdout,%s %s/%s %s %s\n,redirect,squidInfo.src, - squidInfo.srcDomain,squidInfo.ident, - squidInfo.method); + if (isdigit(redirect[0]) isdigit(redirect[1]) isdigit(redirect[2]) redirect[3]==':') { + fprintf(stdout,OK status=%c%c%c url=\%s\\n, redirect[0], redirect[1], redirect[2], redirect[4]); + } else + fprintf(stdout,OK rewrite-url=\%s\\n,redirect); + /* sgLogDebug(DEBUG: %s %s/%s %s %s\n,redirect,squidInfo.src,squidInfo.srcDomain,squidInfo.ident,squidInfo.method); */ break; } diff -urN s13/src/sgDiv.c s14/src/sgDiv.c --- s13/src/sgDiv.c 2011-10-01 20:49:00.0 +0200 +++ s14/src/sgDiv.c 2014-12-11 18:19:26.775347885 +0100 @@ -782,7 +782,7 @@ } sgLogError(ERROR: Going into emergency mode); while(fgets(buf, MAX_BUF, stdin) != NULL){ -puts(); +puts(ERR); fflush(stdout); } sgLogError(ERROR: Ending emergency mode, stdin empty); diff -urN s13/src/sgDiv.c.in s14/src/sgDiv.c.in --- s13/src/sgDiv.c.in 2014-12-11 18:10:26.551870993 +0100 +++ s14/src/sgDiv.c.in 2014-12-11 18:19:26.775347885 +0100 @@ -784,7 +784,7 @@ } sgLogError(ERROR: Going into emergency mode); while(fgets(buf, MAX_BUF, stdin) != NULL){ -puts(); +puts(ERR); fflush(stdout); } sgLogError(ERROR: Ending emergency mode, stdin empty); signature.asc Description: PGP signature
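Review bot: In the @@ -225,9 +225,11 @@ hunk (main.c and main.c.in alike), redirect is written verbatim between the quotes of the url= and rewrite-url= values, so a double quote, backslash or newline in the redirect target would end the value or the reply line early; escape or reject those characters before the fprintf. The isdigit() calls on redirect[0], redirect[1] and redirect[2] appear to take a plain char, so cast each argument to unsigned char to avoid undefined behaviour on bytes above 0x7f, and confirm that ctype.h is included, since no hunk adds it. The commented-out sgLogDebug line is dead code and can be dropped from the patch.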
Processed: forcibly merging 708726 675112
Processing commands for cont...@bugs.debian.org: forcemerge 708726 675112 Bug #708726 [directfb] FTBFS as typo of LDFLAGS Bug #675112 [directfb] directfb: FTBFS in experimental: C compiler cannot create executables Severity set to 'normal' from 'serious' Bug #708726 [directfb] FTBFS as typo of LDFLAGS There is no source info for the package 'directfb' at version '1.4.3-1' with architecture '' Unable to make a source version for version '1.4.3-1' Marked as found in versions 1.4.3-1. Added tag(s) experimental and patch. Merged 675112 708726 thanks Stopping processing here. Please contact me if you need assistance. -- 675112: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675112 708726: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708726 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: severity of 675112 is serious
Processing commands for cont...@bugs.debian.org: severity 675112 serious Bug #675112 [directfb] directfb: FTBFS in experimental: C compiler cannot create executables Bug #708726 [directfb] FTBFS as typo of LDFLAGS Severity set to 'serious' from 'normal' Severity set to 'serious' from 'normal' thanks Stopping processing here. Please contact me if you need assistance. -- 675112: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675112 708726: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708726 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#772831: marked as done (squidguard: squid 2.7 redirector protocol used by squidguard is no more supported with squid 3.4)
Your message dated Thu, 25 Dec 2014 22:04:05 + with message-id e1y4gvp-0004sw...@franck.debian.org and subject line Bug#772831: fixed in squidguard 1.5-4 has caused the Debian Bug report #772831, regarding squidguard: squid 2.7 redirector protocol used by squidguard is no more supported with squid 3.4 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 772831: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772831 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: squidguard
Version: 1.5-3
Severity: important
Tags: upstream

Dear Maintainer,

Trying jessie packages and using squidguard 1.5-3 with squid 3.4 leads to warning messages in /var/log/squid3/cache.log:

2014/12/11 08:58:49 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 192.168.0.14/- - GET'. Future Squid will treat this as part of the URL.
2014/12/11 10:14:00 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 192.168.0.14/- - GET'. Future Squid will treat this as part of the URL.
2014/12/11 11:09:50 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 192.168.0.12/- - GET'. Future Squid will treat this as part of the URL.
2014/12/11 11:22:08 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 192.168.0.34/- - GET'. Future Squid will treat this as part of the URL.
2014/12/11 11:29:10 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 192.168.0.14/- - GET'. Future Squid will treat this as part of the URL.
2014/12/11 12:59:22 kid1| UPGRADE WARNING: URL rewriter reponded with garbage ' 192.168.0.14/- - GET'. Future Squid will treat this as part of the URL.

But those are not just warnings, because if the URL becomes too long it can make squid3 exit.

You can also find information and a patch by looking at the squid bug report: http://bugs.squid-cache.org/show_bug.cgi?id=3978 or around the freebsd ecosystem: http://lists.freebsd.org/pipermail/freebsd-ports-bugs/2014-September/292033.html

Regards, EG

-- System Information:
Debian Release: 7.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages squidguard depends on:
ii debconf [debconf-2.0] 1.5.49
ii libc6 2.13-38+deb7u6
ii libdb5.1 5.1.29-5
ii libldap-2.4-2 2.4.31-1+nmu2

Versions of packages squidguard recommends:
ii liburi-perl 1.60-1
ii libwww-perl 6.04-1
pn squid3 | squid none

Versions of packages squidguard suggests:
pn ldap-utils none
pn squidguard-doc none

-- Configuration Files:
/etc/squidguard/squidGuard.conf.default [Errno 13] Permission denied: u'/etc/squidguard/squidGuard.conf.default'

-- debconf information:
squidguard/dbreload: true
---End Message---

---BeginMessage---
Source: squidguard
Source-Version: 1.5-4

We believe that the bug you reported is fixed in the latest version of squidguard, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 772...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software pp.
Joachim Wiedorn ad_deb...@joonet.de (supplier of updated squidguard package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Thu, 25 Dec 2014 20:21:03 +0100 Source: squidguard Binary: squidguard squidguard-doc Architecture: all amd64 i386 source Version: 1.5-4 Distribution: unstable Urgency: medium Maintainer: Joachim Wiedorn joodeb...@joonet.de Changed-By: Joachim Wiedorn ad_deb...@joonet.de Closes: 772831 Description: squidguard-doc - filter and redirector plugin for Squid - Documentation squidguard - filter and redirector plugin for Squid Changes: squidguard (1.5-4) unstable; urgency=medium . * Fix for working with squid 3.4 and higher. Closes: #772831 * Update dependency to squid3 (= 3.4.0) because the new patch let squidguard only support newer versions of squid3 and don't support squid 2.7 anymore. Checksums-Sha1: 7604c559ec5ec2322dd0eb7bce375acced726c9d 121446 squidguard_1.5-4_amd64.deb 7e159a40145be6dc87fb6ae34f1237cc0f6f3b10
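The warnings quoted in the report above come from replies still written in the old redirector layout. As an added example (not squidguard or Squid code), the C checker below classifies helper reply lines the way the patch in this thread distinguishes them: replies that start with OK, ERR or BH versus the old blank-line or URL-plus-fields form. It assumes no channel-ID prefix (concurrency disabled); the sample lines and the names classify_reply and count_legacy are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* How one url_rewrite helper reply line is categorised here.
 * Assumption: concurrency=0, so no channel-ID precedes the result code. */
enum reply_kind {
    REPLY_OK, REPLY_ERR, REPLY_BH, /* new layout: result code [kv-pairs]  */
    REPLY_LEGACY_BLANK,            /* old layout: empty line = no change  */
    REPLY_LEGACY_URL,              /* old layout: bare URL                */
    REPLY_LEGACY_EXTRA             /* old layout: URL plus extra fields   */
};

/* True if line begins with the result code tok as a whole word. */
static int has_result(const char *line, const char *tok)
{
    size_t n = strlen(tok);
    /* strchr also matches the terminating NUL, so "ERR" alone is accepted */
    return strncmp(line, tok, n) == 0 && strchr(" \t\r\n", line[n]) != NULL;
}

/* Classify a reply; for REPLY_LEGACY_EXTRA, *extra is set to the text after
 * the URL, which is what the cache.log warning reports as garbage. */
enum reply_kind classify_reply(const char *line, const char **extra)
{
    size_t url_len = strcspn(line, " \t\r\n");
    const char *rest = line + url_len;

    if (extra) *extra = NULL;
    if (has_result(line, "OK"))  return REPLY_OK;
    if (has_result(line, "ERR")) return REPLY_ERR;
    if (has_result(line, "BH"))  return REPLY_BH;
    if (rest[strspn(rest, " \t\r\n")] == '\0')
        return url_len ? REPLY_LEGACY_URL : REPLY_LEGACY_BLANK;
    if (extra) *extra = rest;
    return REPLY_LEGACY_EXTRA;
}

/* Constructed sample replies (not captured traffic): the first follows the
 * "%s %s/%s %s %s" layout removed by the patch, the last four the new one. */
static const char *const SAMPLE[] = {
    "http://blocked.example/ 192.168.0.14/- - GET",
    "",
    "OK status=302 url=\"http://blocked.example/\"",
    "OK rewrite-url=\"http://blocked.example/\"",
    "ERR",
    "BH message=\"squidGuard error parsing squid line\"",
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

/* Number of replies that do not start with OK, ERR or BH. */
size_t count_legacy(const char *const *lines, size_t n)
{
    size_t i, legacy = 0;
    for (i = 0; i < n; i++)
        if (classify_reply(lines[i], NULL) >= REPLY_LEGACY_BLANK)
            legacy++;
    return legacy;
}

int main(void)
{
    printf("legacy replies: %zu of %zu\n",
           count_legacy(SAMPLE, SAMPLE_COUNT), (size_t)SAMPLE_COUNT);
    return 0;
}
```

Running a helper's output through such a check before pointing Squid 3.4 at it shows whether any reply would still trigger the UPGRADE WARNING.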
Processed: Re: Bug#773832: systemd: LSB job raise network interfaces hangs with allow-hotplug and no cable
Processing control commands: reassign -1 ifupdown Bug #773832 [systemd] systemd: LSB job raise network interfaces hangs with allow-hotplug and no cable Bug reassigned from package 'systemd' to 'ifupdown'. No longer marked as found in versions systemd/215-7. Ignoring request to alter fixed versions of bug #773832 to the same values previously set forcemerge 771943 -1 Bug #771943 {Done: Andrew Shadura andre...@debian.org} [ifupdown] ifupdown: boot hangs, interface won't raise Bug #773832 [ifupdown] systemd: LSB job raise network interfaces hangs with allow-hotplug and no cable Severity set to 'serious' from 'normal' Marked Bug as done Marked as fixed in versions ifupdown/0.7.51. Marked as found in versions ifupdown/0.7.50. Merged 771943 773832 -- 771943: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771943 773832: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773832 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#773832: systemd: LSB job raise network interfaces hangs with allow-hotplug and no cable
On 2014-12-24 10:34, Michael Biebl wrote:

On 23.12.2014 at 21:22, Hugh Davenport wrote:

Package: systemd
Version: 215-7
Severity: normal

Dear Maintainer,

* What led up to the situation?

Recently updated, and now boot hangs on LSB job raise network interfaces. Waited several minutes and still hanging. Says it has no limit.

* What exactly did you do (or not do) that was effective (or ineffective)?

Plugging in cable made it work. No cable it hanged. interfaces file had allow-hotplug, and NOT auto

* What was the outcome of this action?

When I commented out allow-hotplug, booted fine, with and without cable. With allow-hotplug, cable had to be in, otherwise would hang.

* What outcome did you expect instead?

Boot to happen with no delay, even if no cable plugged in.

Maybe similar to bug #754218?

My interfaces file is now:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
# BUG: commented as hung on boot
#allow-hotplug eth0
iface eth0 inet dhcp

iface wlan0 inet dhcp
wpa-essid redacted
wpa-psk redacted

Can you please try ifupdown 0.7.51 from unstable. It is supposed to fix this issue.

That worked. This bug is a dup of bug #771943 it seems then. Sorry!
Processed: Re: Bug#762417: [Pkg-libvirt-maintainers] Bug#762417: vinagre: cannot connect - libgrypt error?
Processing commands for cont...@bugs.debian.org: severity 762417 normal Bug #762417 [gtk-vnc] vinagre: cannot connect - libgrypt error? Severity set to 'normal' from 'grave' thanks Stopping processing here. Please contact me if you need assistance. -- 762417: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762417 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#764732: gcc-4.9: broken -O2 optimizations on armhf
Matthias Klose wrote:

there exist several workarounds for it (lowering the optimization, using gcc-4.8, ...).

Disabling stack protector also seems to result in a successful compile (reducing it from strong to regular does not).
Bug#764732: gcc-4.9: broken -O2 optimizations on armhf
peter green wrote:

Matthias Klose wrote:

there exist several workarounds for it (lowering the optimization, using gcc-4.8, ...).

Disabling stack protector also seems to result in a successful compile (reducing it from strong to regular does not).

And another workaround is to use -marm.
Bug#773416: [DEBIAN-LTS] ettercap package
Hi Nguyen,

for me (note: I don't have any upload power, so my opinion counts less than 0 here) :)

--- ettercap-0.7.3/debian/changelog +++ ettercap-0.7.3/debian/changelog [snip]

fine for me, do not need to mention me at all :)

--- ettercap-0.7.3/debian/patches/series +++ ettercap-0.7.3/debian/patches/series [snip]

fine

only in patch2: unchanged:

I would remove the two lines above, don't know why they are here, but they seem to be not useful at all

--- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch

should be fine even if usually newly created files should be something like

--- /dev/null +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch [snip]

+Subject: Twelve vulnerabilities exist on ettercap-ng which

I would say two here, because the other vulnerabilities are not available here

the other looks good to me :)

cheers, G.

(sorry for top posting)

On Thursday, 25 December 2014 11:26, Nguyen Cong cong.nguyen...@toshiba-tsdv.com wrote:

Hello Gianfranco Costamagna and Raphael Hertzog,

Many thanks for your comments, especially Raphael :).

I propose something like this instead. (note the patch might not apply at all, I manually changed it)

Yes. Sorry for my mistake, I changed it. Please tell me if I had to set the name in changelog to you, Gianfranco Costamagna. I have re-built it with care. But not sure it's good enough since I had trouble with DEP3. I ended up with upstream patch style.

--- ettercap-0.7.3/debian/patches/series +++ ettercap-0.7.3/debian/patches/series
@@ -3,0 +4 @@ +04_CVE-2014-9380-9381.patch Why is there no context shown here? And this one also. I don't really get it. Could you please review it and give me some comments. Many thanks and Merry Christmas :) Cong On 25/12/2014 16:34, Gianfranco Costamagna wrote: Hi *, nope, you seems to be modifying other patches rather than the strict necessary to fix this bug. Moreover the patch is lacking of a CVE description (actually the patch is fixing two CVEs, and the description mentions only one) (there is also no need to mention me, I'm not the author of the patch, neither of the debdiff :) ) also the patch subject might be not really needed, I leave Raphael to review the rest :) I propose something like this instead. (note the patch might not apply at all, I manually changed it) diff -u ettercap-0.7.3/debian/changelog ettercap-0.7.3/debian/changelog --- ettercap-0.7.3/debian/changelog +++ ettercap-0.7.3/debian/changelog @@ -1,3 +1,16 @@ +ettercap (1:0.7.3-2.1+squeeze2) squeeze-lts; urgency=medium + + * Non-maintainer upload. + * Patch a bunch of security vulnerabilities (closes: #773416) + - CVE-2014-9380 (Buffer over-read) + - CVE-2014-9381 (Signedness error) + See: + https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/ + Patches taken from upstream + - 6b196e011fa456499ed4650a360961a2f1323818 pull/608 + - 31b937298c8067e6b0c3217c95edceb983dfc4a2 pull/609 + Thanks to Nick Sampanis n.sampa...@obrela.com who is responsible for + both finding and repairing these issues. + + -- Nguyen Cong cong.nguyen...@toshiba-tsdv.com Tue, 23 Dec 2014 09:44:32 +0700 + ettercap (1:0.7.3-2.1+squeeze1) stable; urgency=high * Quilt patch for CVE-2013-0722, a stack-based buffer overflow when diff -u ettercap-0.7.3/debian/patches/series ettercap-0.7.3/debian/patches/series --- ettercap-0.7.3/debian/patches/series +++ ettercap-0.7.3/debian/patches/series 
@@ -3,0 +4 @@ +04_CVE-2014-9380-9381.patch --- ettercap-0.7.3.orig/debian/patches/04_CVE-2014-9380-9381.patch +++ ettercap-0.7.3/debian/patches/04_CVE-2014-9380-9381.patch @@ -0,0 +1,35 @@ +From: Nick Sampanis n.sampa...@obrela.com +Subject: Re: Bug#773416: fixed in ettercap 1:0.8.1-3 +Date: Mon, 22 Dec 2014 10:22:56 + (UTC) + +The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1 +allows remote attackers to cause a denial of service (out-of-bounds +read) via a packet containing only a CVS_LOGIN signature. + +Integer signedness error in the dissector_cvs function in +dissectors/ec_cvs.c in Ettercap 8.1 allows remote attackers to cause +a denial of service (crash) via a crafted password, which triggers +a large memory allocation. +See Debian Bug #773416#20 + +--- a/src/dissectors/ec_cvs.c b/src/dissectors/ec_cvs.c +@@ -70,7 +70,7 @@ FUNC_DECODER(dissector_cvs) + { +DECLARE_DISP_PTR_END(ptr, end); +char tmp[MAX_ASCII_ADDR_LEN]; +- char *p; ++ u_char *p; +size_t i; + +/* don't complain about unused var */ +@@ -92,6 +92,8 @@ FUNC_DECODER(dissector_cvs) + +/* move over the cvsroot path */ +ptr += strlen(CVS_LOGIN) + 1; ++if (ptr = end) ++return NULL; + +/* go until \n */ +while(*ptr != '\n' ptr != end) ptr++; cheers, and Merry XMas, Gianfranco --
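Review bot: In the @@ -92,6 +92,8 @@ hunk of ec_cvs.c, the unchanged loop right after the new end-of-buffer check still evaluates *ptr before ptr != end, so when the packet holds no '\n' it reads one byte at end before stopping; put the bounds test first (ptr != end, then *ptr != '\n') and handle ptr == end after the loop. The header of the new 04_CVE-2014-9380-9381.patch file would also be clearer with an Origin field naming the two upstream commits listed in the changelog entry, and its Subject line is a mail subject rather than a description of the fix.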