Bug#775662: oss4: Insufficient validation of USB device descriptors
On Sun, Jan 18, 2015 at 10:24:30AM +, Ben Hutchings wrote:
> Source: oss4
> Version: 4.2-build2006-2
> Severity: critical
> Tags: security
>
> In kernel/drv/oss_usb/oss_usb.c:

OSS maintainers, did you forward this upstream?

Cheers,
Moritz

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#776251: ack-grep fails to install due to diversion problem
On Mon, 26 Jan 2015 01:01:03 +0100, Axel Beckert wrote:

> $ dpkg-divert --list *ack*
> local diversion of /usr/bin/ack-grep to /usr/bin/ack
> ^
> ... which backs my assumption that a _local_ diversion (i.e. none made by a package) is the cause.

That's my interpretation as well.

> I tend to close this issue as invalid/wontfix since the cause is a local (common(*) but so far unsupported) modification of the package. IMHO it has nothing to do with the package itself. But I'd like to hear comments from others (especially the Debian Perl Team and the Release Team) first, too.

I agree with the wontfix+close.

> If they agree, I can imagine to add a diversion detection and then removal to ack-grep's preinst script despite the package never used a diversion. But I'm a) unsure if it's ok for a package to remove a _local_ diversion, and

Hm; rather not. Maybe a warning might be ok.

> b) if it's a good idea to introduce such a change that late in the freeze.

Probably not.

Cheers,
gregor

--
Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
Debian GNU/Linux user, admin, and developer - http://www.debian.org/
Member of VIBE!AT SPI, fellow of the Free Software Foundation Europe
NP: J.J. Cale: River Runs Deep
Bug#775866: vlc: multiple vulnerabilities
On Tue, Jan 20, 2015 at 09:47:26PM +0100, Yves-Alexis Perez wrote:
> * The potential invalid writes in modules/services_discovery/sap.c and modules/access/ftp.c were not fixed as I did not provide a trigger. Note, that the code looks very similar to the confirmed bug in rtp_packetize_xiph_config, and so I leave it to you to decide whether you want to patch this.

These have been assigned CVE-2015-1202 and CVE-2015-1203, could you contact upstream for the status of an upstream fix?

Cheers,
Moritz
Bug#774854: race condition between fur and fex_cleanup
Hi Moritz,

On Mon, Jan 26, 2015 at 12:28:00PM +0100, Moritz Mühlenhoff wrote:
> On Mon, Dec 22, 2014 at 10:33:50PM +0100, Kilian Krause wrote:
> > Package: fex
> > Version: 20140917-1
> > Severity: serious
> > Tags: security patch upstream pending confirmed jessie
> >
> > As upstream has released a new version of the fex package which closes a security issue and there is no CVE assigned, we'll use this bug to track the issue.
>
> Hi, what is the plan for unstable? You can either ask for an unblock with the release team (if the diff between testing and sid is small) or fix these in a targeted upload for testing-proposed-updates.

Unstable already has a fixed version. Just jessie still hasn't as of now. The backports should also be updated once the new version is in jessie.

I'm currently waiting a bit before asking for an unblock to make sure the package is really fit enough to go in and nobody is complaining. As the update has been reviewed quite a bit before this release, it probably is ready to go in as is. I'd rather not split the fix out and do only a partial patch for testing as per upstream's recommendation.

Cheers,
Kilian
Bug#775715: [Pkg-javascript-devel] Bug#775715: libv8-3.14: limiting security support
Hi Michael,

Control: tags -1 pending

2015-01-19 7:17 GMT+01:00 Michael Gilbert mgilb...@debian.org:
> package: libv8-3.14
> version: 3.14.5.8-8
> severity: grave
> tags: security
>
> Hi,
>
> the security team has decided that this package will not receive security support for jessie. This has already been documented in the debian-security-support package for about two months:
>
> libv8-3.14 Not covered by security support, only suitable for trusted content
>
> Please include a README.Debian.security file describing the security support status and problems for the package. See [0] for an example.
>
> Since this will be clearly documented in multiple places, it will no longer be necessary to treat unfixed security bugs as release critical.
>
> Best wishes,
> Mike
>
> [0] https://bugs.debian.org/702775

I have added the changes in git [1] and I plan uploading the fix this week. I will check the outstanding security issues for easily fixable ones and include the fixes in the same upload.

Cheers,
Balint

[1] https://anonscm.debian.org/cgit/collab-maint/libv8.git/commit/?h=jessie&id=8c56a4f1695dc6787a6861735defdb2ee8ec7253
Bug#776079: marked as done (tkrplot: FTBFS in unstable - fatal error: tk.h: No such file or directory)
Your message dated Mon, 26 Jan 2015 12:48:24 + with message-id e1yfj5c-0002lp...@franck.debian.org and subject line Bug#776079: fixed in tkrplot 0.0.23-3 has caused the Debian Bug report #776079, regarding tkrplot: FTBFS in unstable - fatal error: tk.h: No such file or directory to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
776079: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776079
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Source: tkrplot
Version: 0.0.23-2
Severity: serious
Tags: sid

Hi,

tkrplot seems to FTBFS in unstable (but not in jessie) with the error:

gcc -std=gnu99 -I/usr/share/R/include -DNDEBUG -I/usr/include/tcl8.6 -I/usr/include/tcl8.6 -fpic -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -g -c tcltkimg.c -o tcltkimg.o
tcltkimg.c:2:16: fatal error: tk.h: No such file or directory
#include tk.h
^
compilation terminated.
/usr/lib/R/etc/Makeconf:133: recipe for target 'tcltkimg.o' failed

I think this is because R is compiled against tk8.6 in unstable (where the list of include directories are obtained from), but tkrplot only build depends on the tk development headers for tk8.5.

Thanks,
James
---End Message---

---BeginMessage---
Source: tkrplot
Source-Version: 0.0.23-3

We believe that the bug you reported is fixed in the latest version of tkrplot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 776...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dirk Eddelbuettel e...@debian.org (supplier of updated tkrplot package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Mon, 26 Jan 2015 06:33:27 -0600
Source: tkrplot
Binary: r-cran-tkrplot
Architecture: source i386
Version: 0.0.23-3
Distribution: unstable
Urgency: low
Maintainer: Dirk Eddelbuettel e...@debian.org
Changed-By: Dirk Eddelbuettel e...@debian.org
Description:
 r-cran-tkrplot - GNU R embedded Tk plotting device package
Closes: 776079
Changes:
 tkrplot (0.0.23-3) unstable; urgency=low
 .
 * debian/control: Switch to tcl8.6/tk8.6 (Closes: #776079)
 .
 * debian/control: Set Build-Depends: to current R version
 * debian/control: Set Standards-Version: to current version
---End Message---
Bug#774854: race condition between fur and fex_cleanup
On Mon, Jan 26, 2015 at 01:41:54PM +0100, Kilian Krause wrote:
> Hi Moritz,
>
> On Mon, Jan 26, 2015 at 12:28:00PM +0100, Moritz Mühlenhoff wrote:
> > On Mon, Dec 22, 2014 at 10:33:50PM +0100, Kilian Krause wrote:
> > > Package: fex
> > > Version: 20140917-1
> > > Severity: serious
> > > Tags: security patch upstream pending confirmed jessie
> > >
> > > As upstream has released a new version of the fex package which closes a security issue and there is no CVE assigned, we'll use this bug to track the issue.
> >
> > Hi, what is the plan for unstable? You can either ask for an unblock with the release team (if the diff between testing and sid is small) or fix these in a targeted upload for testing-proposed-updates.
>
> Unstable already has a fixed version. Just jessie still hasn't as of now. The backports should also be updated once the new version is in jessie.
>
> I'm currently waiting a bit before asking for an unblock to make sure the package is really fit enough to go in and nobody is complaining. As the update has been reviewed quite a bit before this release, it probably is ready to go in as is.

Ok, sounds good to me.

Cheers,
Moritz
Bug#776306: mpdscribble: Fails to start because of error in pidfile creation
Package: mpdscribble
Version: 0.22-5
Severity: grave
Justification: renders package unusable

With default configuration the service tries to create its pidfile in folder '/var/run/mpdscribble', but such a folder is not created by installation script, nor does it persist across a system reboot. This causes the system-wide service to fail to start with the following error.

mpdscribble[359]: Failed to create pidfile /var/run/mpdscribble/mpdscribble.pid: No such file or directory
mpdscribble.service: main process exited, code=killed, status=5/TRAP
systemd[1]: Unit mpdscribble.service entered failed state.

Obvious (and tested) workarounds include:

1. After each reboot, create the folder '/var/run/mpdscribble' owned by mpdscribble:mpdscribble with permissions ug+rwX (~default).
2. Disable pidfile creation, by commenting the corresponding line in /etc/mpdscribble.conf .

-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (800, 'unstable'), (700, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mpdscribble depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.55
ii init-system-helpers 1.22
ii libc6 2.19-13
ii libglib2.0-0 2.42.1-1
ii libmpdclient2 2.9-1
ii libsoup2.4-1 2.48.0-1
ii lsb-base 4.1+Debian13+nmu1
ii ucf 3.0030

mpdscribble recommends no packages.

Versions of packages mpdscribble suggests:
pn mpd none

-- debconf information:
Bug#774748: #774748: ruby-redcloth: CVE-2012-6684
* Moritz Mühlenhoff j...@inutil.org [150126 13:45]:
> On Fri, Jan 09, 2015 at 10:57:13PM +0100, Christian Hofstaedtler wrote:
> > AFAICT there is no publicly available patch, and upstream is more or less dead. Redmine's patched redcloth3 looks very different from the current redcloth 4.x sources, so I have my doubts if forward porting this is feasible. Suggestions welcome.
>
> Then we should remove it from jessie.

Looking at the rdeps, this would affect quite some packages, as redcloth is a dependency of one of the documentation tools. Not sure if it can be ripped out so easily.

Best,
Christian

--
Christian Hofstaedtler z...@debian.org
Debian Developer
7D1A CFFA D9E0 806C 9C4C D392 5C13 D6DB 9305 2E03
Bug#774748: #774748: ruby-redcloth: CVE-2012-6684
On Fri, Jan 09, 2015 at 10:57:13PM +0100, Christian Hofstaedtler wrote:
> AFAICT there is no publicly available patch, and upstream is more or less dead. Redmine's patched redcloth3 looks very different from the current redcloth 4.x sources, so I have my doubts if forward porting this is feasible. Suggestions welcome.

Then we should remove it from jessie.

Cheers,
Moritz
Bug#776079: tkrplot: FTBFS in unstable - fatal error: tk.h: No such file or directory
On 23 January 2015 at 17:17, James Cowgill wrote:
| Source: tkrplot
| Version: 0.0.23-2
| Severity: serious
| Tags: sid
|
| Hi,
|
| tkrplot seems to FTBFS in unstable (but not in jessie) with the error:
| gcc -std=gnu99 -I/usr/share/R/include -DNDEBUG -I/usr/include/tcl8.6 -I/usr/include/tcl8.6 -fpic -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -g -c tcltkimg.c -o tcltkimg.o
| tcltkimg.c:2:16: fatal error: tk.h: No such file or directory
| #include tk.h
| ^
| compilation terminated.
| /usr/lib/R/etc/Makeconf:133: recipe for target 'tcltkimg.o' failed
|
| I think this is because R is compiled against tk8.6 in unstable (where
| the list of include directories are obtained from), but tkrplot only
| build depends on the tk development headers for tk8.5.

Agreed, and good catch by the rebuild. Simple fix coming right up.

Thanks, Dirk

--
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
Bug#768897: MBR disklabels also yield destructive pvcreate
Control: severity -1 important
Control: clone -1 -2
Control: retitle -2 Installation manual should warn about the use of LVM partition types
Control: reassign -2 installation-guide

On Sun, Jan 18, 2015 at 04:24:43PM +, Steve McIntyre wrote:
> On Wed, Nov 19, 2014 at 03:36:19PM -0600, Drake Wilson wrote:
> > FYI: I've just confirmed with partman-lvm 99 (plus whatever libparted is in the last Debian testing weekly ISO) that MBR disklabels using 8e (Linux LVM) as a type code for LUKS are also affected by this. So it's not just GPT.
> >
> > It's arguably even more dangerous for MBR, because the type code space is so small that collisions should be expected, but util-linux's fdisk in MBR mode also provides a 0xda code for non-FS data, so users in that case may be less tempted to default to the underlying volume type.
>
> Hi Drake,
>
> I've just reproduced your findings here, and I'm looking at the code right now. As you've guessed, the partman-lvm code currently unconditionally tries to set up *every* partition with an LVM partition type, regardless. If you're interested the code is in partman-lvm/choose_partition/lvm/do_option:do_initial_setup(). It calls into partman-lvm/lib/lvm-base.sh:pv_create(), and pv_create() checks to see if the partition is already set up as a PV (by calling pvs) - if so, it leaves it alone, otherwise it calls pvcreate.
>
> So... There are a few things to do here:
>
> 1. Don't do what you're doing! This is one of the few areas where the partition type matters in d-i
>
> 2. I'm looking to add a check in pv_list() so it will either:
>    (a) Ignore partitions tagged with LVM type but some other filesystem/blkid contents; OR
>    (b) Warn about such partitions and ask the user what to do.
>
> 2(a) looks much easier, I'll be honest, so that's my plan for now.

And after playing with this a lot more, I'm going to have to admit defeat I'm afraid. The code in partman-lvm is very flexible in terms of allowing user choice, but that actually makes this particular case even harder. The best thing I can tell you is: don't use the partition types for LVM unless you really want to use LVM on those partitions! Sorry. :-/

We should add a warning in the installation manual for this corner case, at least. I've opened a new bug for that above.

--
Steve McIntyre, Cambridge, UK. st...@einval.com
There's no sensation to compare with this
Suspended animation, A state of bliss
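The check described as option 2(a) in the message above, as an added example that is not part of the original thread and is not partman-lvm code: decide what to do with a partition from its type code plus the content signature that `blkid -p -o value -s TYPE <device>` reports. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not partman-lvm code. All names below are hypothetical.

# classify_pv TYPE_CODE [SIGNATURE]
#   TYPE_CODE: MBR id (8e / 0x8e) or GPT type GUID of the partition.
#   SIGNATURE: content type as printed by
#              `blkid -p -o value -s TYPE <device>`; empty if none found.
# Prints the action an installer could take without clobbering data.
classify_pv() {
    ptype=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    sig=${2:-}
    case "$ptype" in
        8e|0x8e|e6d6d379-f507-44c2-a23c-238f2a3df928) ;;  # "Linux LVM"
        *) echo "ignore"; return 0 ;;                     # not LVM-typed
    esac
    case "$sig" in
        LVM2_member) echo "existing-pv" ;;   # already a PV: leave alone
        "")          echo "pvcreate" ;;      # no known signature found
        *)           echo "skip:$sig" ;;     # foreign data: never pvcreate
    esac
}

# scan_table: read "device type-code [signature]" lines on stdin and
# print "device action" for each; blank and comment lines are skipped.
scan_table() {
    while read -r dev ptype sig; do
        case "$dev" in ''|'#'*) continue ;; esac
        printf '%s %s\n' "$dev" "$(classify_pv "$ptype" "$sig")"
    done
}

# Constructed sample: sda2 is the LUKS-on-8e case from the report.
sample_table() {
    cat <<'EOF'
# device    type  signature
/dev/sda1   83    ext4
/dev/sda2   8e    crypto_LUKS
/dev/sda3   8e    LVM2_member
/dev/sda4   8E
EOF
}

sample_table | scan_table
```

Only a partition that is LVM-typed and carries no recognised signature is offered to pvcreate; the type code alone never is.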
Processed: pending
Processing commands for cont...@bugs.debian.org:

> package resolvconf
Limiting to bugs with field 'package' containing at least one of 'resolvconf'
Limit currently set to 'package':'resolvconf'
> tags 775356 pending
Bug #775356 [resolvconf] resolvconf: bashisms in /etc/dhcp/dhclient-enter-hooks.d/resolvconf: shopt and [[ ... ]]
Added tag(s) pending.
> stop
Stopping processing here.

Please contact me if you need assistance.

--
775356: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775356
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#774918: marked as done (cups-pdf: copyright file missing after upgrade (policy 12.5))
Your message dated Mon, 26 Jan 2015 15:48:28 + with message-id e1yflts-he...@franck.debian.org and subject line Bug#774918: fixed in cups-pdf 2.6.1-15 has caused the Debian Bug report #774918, regarding cups-pdf: copyright file missing after upgrade (policy 12.5) to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
774918: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774918
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: cups-pdf
Version: 2.6.1-14
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

a test with piuparts revealed that your package misses the copyright file after an upgrade, which is a violation of Policy 12.5: https://www.debian.org/doc/debian-policy/ch-docs.html#s-copyrightfile

After the upgrade /usr/share/doc/$PACKAGE/ is just an empty directory.

This was observed on the following upgrade paths:

wheezy - jessie

From the attached log (scroll to the bottom...):

1m46.2s ERROR: WARN: Inadequate results from running adequate!
cups-pdf: missing-copyright-file /usr/share/doc/cups-pdf/copyright
1m48.7s DUMP: MISSING COPYRIGHT FILE: /usr/share/doc/cups-pdf/copyright
# ls -lad /usr/share/doc/cups-pdf
drwxr-xr-x 2 root root 40 Dec 12 15:05 /usr/share/doc/cups-pdf
# ls -la /usr/share/doc/cups-pdf/
total 0
drwxr-xr-x 2 root root 40 Dec 12 15:05 .
drwxr-xr-x 192 root root 4000 Dec 12 15:05 ..

Additional info may be available here: https://wiki.debian.org/MissingCopyrightFile

Note that dpkg intentionally does not replace directories with symlinks and vice versa, you need the maintainer scripts to do this. See in particular the end of point 4 in https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#s-unpackphase

It is recommended to use the dpkg-maintscript-helper commands 'dir_to_symlink' and 'symlink_to_dir' (available since dpkg 1.17.14) to perform the conversion, ideally using d/$PACKAGE.maintscript. Do not forget to add 'Pre-Depends: ${misc:Pre-Depends}' in d/control. See dpkg-maintscript-helper(1) and dh_installdeb(1) for details.

cheers,
Andreas

cups-pdf_2.6.1-14.log.gz
Description: application/gzip
---End Message---

---BeginMessage---
Source: cups-pdf
Source-Version: 2.6.1-15

We believe that the bug you reported is fixed in the latest version of cups-pdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 774...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin-Éric Racine martin-eric.rac...@iki.fi (supplier of updated cups-pdf package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sat, 17 Jan 2015 20:17:41 +0200
Source: cups-pdf
Binary: printer-driver-cups-pdf cups-pdf
Architecture: source amd64
Version: 2.6.1-15
Distribution: unstable
Urgency: medium
Maintainer: Debian CUPS Maintainers debian-print...@lists.debian.org
Changed-By: Martin-Éric Racine martin-eric.rac...@iki.fi
Description:
 cups-pdf - PDF writer backend for CUPS (dummy transitional package)
 printer-driver-cups-pdf - printer driver for PDF writing via CUPS
Closes: 774918
Changes:
 cups-pdf (2.6.1-15) unstable; urgency=medium
 .
 * debian/cups-pdf.maintscript:
   + New file. Handles dir_to_symlink for 2.6.1-10 (Closes: #774918).
 * debian/control:
   + cups-pdf: Pre-Depends: ${misc:Pre-Depends}; for dir_to_symlink.
   = cups-pdf: Arch: all to any; dh_installdocs: WARNING: --link-doc between architecture all and not all packages breaks binNMUs
   = Migrated Maintainers to debian-print...@lists.debian.org
 * debian/copyright:
   + Updated upstream's e-mail address as requested by Volker Behr himself.
 * debian/patches:
   + 05_update_upstreams_e-mail_address.patch: update upstream's README too.
Processed: Re: Bug#768897: MBR disklabels also yield destructive pvcreate
Processing control commands:

> severity -1 important
Bug #768897 [partman-lvm] quietly very aggressive WRT existing LVM-typed partitions
Severity set to 'important' from 'critical'
> clone -1 -2
Bug #768897 [partman-lvm] quietly very aggressive WRT existing LVM-typed partitions
Bug 768897 cloned as bug 776313
> retitle -2 Installation manual should warn about the use of LVM partition types
Bug #776313 [partman-lvm] quietly very aggressive WRT existing LVM-typed partitions
Changed Bug title to 'Installation manual should warn about the use of LVM partition types' from 'quietly very aggressive WRT existing LVM-typed partitions'
> reassign -2 installation-guide
Bug #776313 [partman-lvm] Installation manual should warn about the use of LVM partition types
Bug reassigned from package 'partman-lvm' to 'installation-guide'.
No longer marked as found in versions partman-lvm/98 and partman-lvm/99.
Ignoring request to alter fixed versions of bug #776313 to the same values previously set

--
768897: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768897
776313: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776313
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#775866: vlc: multiple vulnerabilities
On 2015-01-26 13:49:26, Moritz Mühlenhoff wrote:
> On Tue, Jan 20, 2015 at 09:47:26PM +0100, Yves-Alexis Perez wrote:
> > * The potential invalid writes in modules/services_discovery/sap.c and modules/access/ftp.c were not fixed as I did not provide a trigger. Note, that the code looks very similar to the confirmed bug in rtp_packetize_xiph_config, and so I leave it to you to decide whether you want to patch this.
>
> These have been assigned CVE-2015-1202 and CVE-2015-1203, could you contact upstream for the status of an upstream fix?

Just because they look similar, does not make them a vulnerability. The format string for ftp_SendCommand is not attacker controlled. The reporter still has not answered questions about how the invalid write in modules/access/ftp.c could be triggered [1]. Similarly, the issue in modules/services_discovery/sap.c lacks a trigger. The rather disturbing thread can be found at [2].

Cheers

[1] https://mailman.videolan.org/pipermail/vlc-devel/2014-December/100674.html
[2] https://mailman.videolan.org/pipermail/vlc-devel/2014-December/100675.html

--
Sebastian Ramacher
Bug#775888: marked as done (virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427)
Your message dated Mon, 26 Jan 2015 15:22:05 + with message-id e1yflul-0005zh...@franck.debian.org and subject line Bug#775888: fixed in virtualbox 4.3.18-dfsg-2 has caused the Debian Bug report #775888, regarding virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
775888: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775888
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: virtualbox
Severity: grave
Tags: security
Justification: user security hole

No specific details available yet: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Cheers,
Moritz
---End Message---

---BeginMessage---
Source: virtualbox
Source-Version: 4.3.18-dfsg-2

We believe that the bug you reported is fixed in the latest version of virtualbox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 775...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ritesh Raj Sarraf r...@debian.org (supplier of updated virtualbox package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Thu, 22 Jan 2015 10:51:40 +0100
Source: virtualbox
Binary: virtualbox-qt virtualbox virtualbox-dbg virtualbox-dkms virtualbox-source virtualbox-guest-dkms virtualbox-guest-source virtualbox-guest-x11 virtualbox-guest-utils
Architecture: source amd64 all
Version: 4.3.18-dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian Virtualbox Team pkg-virtualbox-de...@lists.alioth.debian.org
Changed-By: Ritesh Raj Sarraf r...@debian.org
Description:
 virtualbox - x86 virtualization solution - base binaries
 virtualbox-dbg - x86 virtualization solution - debugging symbols
 virtualbox-dkms - x86 virtualization solution - kernel module sources for dkms
 virtualbox-guest-dkms - x86 virtualization solution - guest addition module source for dk
 virtualbox-guest-source - x86 virtualization solution - guest addition module source
 virtualbox-guest-utils - x86 virtualization solution - non-X11 guest utilities
 virtualbox-guest-x11 - x86 virtualization solution - X11 guest utilities
 virtualbox-qt - x86 virtualization solution - Qt based user interface
 virtualbox-source - x86 virtualization solution - kernel module source
Closes: 775888
Changes:
 virtualbox (4.3.18-dfsg-2) unstable; urgency=high
 .
 [ Frank Mehnert ]
 * d/rules: Disable experimental code by exporting VBOX_WITH_VMSVGA= VBOX_WITH_VMSVGA3D= this fixes CVE-2014-6595, CVE-2014-6590, CVE-2014-6589, CVE-2014-6588 and CVE-2015-0427. (Closes: #775888)
Bug#776309: fglrx-driver: Hung PC with black screen and solid white cursor in upper left corner
Package: fglrx-driver
Version: 1:14.12-1
Severity: critical
Justification: breaks the whole system

Dear Fglrx Maintainers,

When this package is installed the system boots to a completely hung state with a solid cursor in the upper left hand corner. The hang leaves the system unaccessible through ssh and not recoverable through the ctrl-alt F1 mechanism. The log files indicate the fglrx-driver is loaded into the kernel as it should be. However the hang is so hard that no additional information is written to kernel.log messages Xorg.0.log or system.log. This error also occurs with a direct install of the latest upstream driver, AMD Catalyst Omega 14.12.

I am running this on an AMD A10-7850k Kaveri on Gigabyte GA-F2A88XM-D3A (AMD 88x) Bolton D4 Chipset. I don't know if the APU part has anything to do with this.

I previously have reported this bug to the mail serve http://lists.alioth.debian.org/pipermail/pkg-fglrx-devel/2014-December/006071.html but did not have any error message to present at the time because the hangs don't leave log files.

Since then, I have used netconsole to log the kernel error messages to another debian PC over the network. With netconsole logging on, sometimes I am able to use alt-sysreq k alt-sysreq s commands to write the log files. Most times however there is no response to even these failsafe commands.

What follows are netconsole logs from a straight boot to gdm3, netconsole logs from a boot to init 3 followed by gdm3 start, and the Xorg.0.log I was able to save corresponding straight boot. The Xorg.0.log doesn't seem to offer any information but there are kernel stack traces in the netconsole logs.

Let me know if any other information would help.

Thanks,
Greg Futia

---netconsole log normal boot ---
[6.628937] netconsole: network logging started
[6.661532] b43 ssb0:0: firmware: direct-loading firmware b43/pcm5.fw
[6.671682] AVX version of gcm_enc/dec engaged.
[6.676168] alg: No test for __gcm-aes-aesni (__driver-gcm-aes-aesni)
[6.687487] b43 ssb0:0: firmware: direct-loading firmware b43/b0g0initvals5.fw
[6.701275] b43 ssb0:0: firmware: direct-loading firmware b43/b0g0bsinitvals5.fw
[6.765116] fglrx: module license 'Proprietary. (C) 2002 - ATI Technologies, Starnberg, GERMANY' taints kernel.
[6.766746] Disabling lock debugging due to kernel taint
[6.794278] 6[fglrx] Maximum main memory to use for locked dma buffers: 6659 MBytes.
[6.796044] 6[fglrx] vendor: 1002 device: 130f revision: 0 count: 1
[6.798488] 6[fglrx] IOMMU is enabled, CrossFire are not supported on this platform
[6.800104] 6[fglrx] Disable IOMMU in BIOS options or kernel boot parameters to support CF
[6.801920] 6[fglrx] ioport: bar 4, base 0xf000, size: 0x100
[6.804564] 6[fglrx] Kernel PAT support is enabled
[6.806187] 6[fglrx] module loaded - fglrx 14.50.2 [Nov 20 2014] with 1 minors
[6.879285] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[6.982892] alg: No test for crc32 (crc32-pclmul)
[7.294533] cfg80211: World regulatory domain updated:
[7.296160] cfg80211: DFS Master region: unset
[7.296194] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[7.299273] cfg80211: (2402000 KHz - 2472000 KHz @ 4 KHz), (N/A, 2000 mBm), (N/A)
[7.300862] cfg80211: (2457000 KHz - 2482000 KHz @ 4 KHz), (N/A, 2000 mBm), (N/A)
[7.302408] cfg80211: (2474000 KHz - 2494000 KHz @ 2 KHz), (N/A, 2000 mBm), (N/A)
[7.303933] cfg80211: (517 KHz - 525 KHz @ 8 KHz, 16 KHz AUTO), (N/A, 2000 mBm), (N/A)
[7.305475] cfg80211: (525 KHz - 533 KHz @ 8 KHz, 16 KHz AUTO), (N/A, 2000 mBm), (0 s)
[7.306989] cfg80211: (549 KHz - 573 KHz @ 16 KHz), (N/A, 2000 mBm), (0 s)
[7.308524] cfg80211: (5735000 KHz - 5835000 KHz @ 8 KHz), (N/A, 2000 mBm), (N/A)
[7.310035] cfg80211: (5724 KHz - 6372 KHz @ 216 KHz), (N/A, 0 mBm), (N/A)
[7.376664] snd_hda_intel :00:01.1: enabling device ( - 0002)
[7.377515] snd_hda_intel :00:01.1: irq 93 for MSI/MSI-X
[7.518986] ppdev: user-space parallel port driver
[7.544329] sr 7:0:0:0: [sr0]
[7.545848] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
[7.547335] sr 7:0:0:0: [sr0]
[7.548847] Sense Key : Illegal Request [current]
[7.550346] sr 7:0:0:0: [sr0]
[7.551815] Add. Sense: Invalid field in parameter list
[7.552724] sr 7:0:0:0: [sr0] CDB:
[7.553634] Read(10): 28 00 00 04 a3 40 00 00 02 00
[7.554510] end_request: I/O error, dev sr0, sector 1215744
[7.555342] Buffer I/O error on device sr0, logical block 151968
[7.557351] input: HD-Audio Generic HDMI/DP,pcm=3 as /devices/pci:00/:00:01.1/sound/card0/input6
[7.558579] kvm: Nested Virtualization enabled
[7.559726] kvm: Nested Paging enabled
[
Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote: In the past someone from upstream posted the upstream commits to the bug log, maybe you can contact them for more information so that we can merge the isolated fixes into the jessie version? Cheers, Moritz Moritz, For unstable, I've pushed the upload and asked for an exception. For Wheezy, it is building right now. Once the build is complete, I'll push it to s-p-u. And send you the debdiff. -- Ritesh Raj Sarraf RESEARCHUT - http://www.researchut.com Necessity is the mother of invention.
Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
On 01/26/2015 09:07 PM, Ritesh Raj Sarraf wrote: On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote: In the past someone from upstream posted the upstream commits to the bug log, maybe you can contact them for more information so that we can merge the isolated fixes into the jessie version? Cheers, Moritz Moritz, For unstable, I've pushed the upload and asked for an exception. For Wheezy, it is building right now. Once the build is complete, I'll push it to s-p-u. And send you the debdiff. Please find attached the debdiff. Please give me an ACK, and then I'll do the upload. -- Ritesh Raj Sarraf | http://people.debian.org/~rrs Debian - The Universal Operating System diff -Nru virtualbox-4.1.18-dfsg/debian/changelog virtualbox-4.1.18-dfsg/debian/changelog --- virtualbox-4.1.18-dfsg/debian/changelog 2014-04-14 14:54:39.0 +0530 +++ virtualbox-4.1.18-dfsg/debian/changelog 2015-01-26 19:07:00.0 +0530 @@ -1,3 +1,12 @@ +virtualbox (4.1.18-dfsg-2+deb7u4) wheezy-security; urgency=medium + + [ Frank Mehnert ] + * fix security vulnerabilities (Closes: #775888) + CVE-2015-0377, CVE-2015-0418 + - debian/patches/CVE-2015-0{377,418}.patch + + -- Gianfranco Costamagna costamagnagianfra...@yahoo.it Thu, 22 Jan 2015 14:21:14 +0100 + virtualbox (4.1.18-dfsg-2+deb7u3) wheezy-security; urgency=high * Fix memory corruption vulnerabilities in 3D acceleration. (Closes: #741602) diff -Nru virtualbox-4.1.18-dfsg/debian/patches/CVE-2015-0377.patch virtualbox-4.1.18-dfsg/debian/patches/CVE-2015-0377.patch --- virtualbox-4.1.18-dfsg/debian/patches/CVE-2015-0377.patch 1970-01-01 05:30:00.0 +0530 +++ virtualbox-4.1.18-dfsg/debian/patches/CVE-2015-0377.patch 2015-01-26 19:07:00.0 +0530 
@@ -0,0 +1,20 @@ +Index: src/VBox/VMM/VMMAll/IOMAllMMIO.cpp +=== +--- a/src/VBox/VMM/VMMAll/IOMAllMMIO.cpp (revision 95342) b/src/VBox/VMM/VMMAll/IOMAllMMIO.cpp (revision 95343) +@@ -1696,7 +1696,14 @@ + if (rc2 == VERR_SEM_BUSY) + return VINF_IOM_HC_MMIO_READ_WRITE; + #endif +-VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, (uint32_t)uErrorCode, pCtxCore, GCPhysFault, iomMmioGetRange(pVM, GCPhysFault)); ++PIOMMMIORANGE pRange = iomMmioGetRange(pVM, GCPhysFault); ++if (RT_UNLIKELY(!pRange)) ++{ ++IOM_UNLOCK(pVM); ++return VERR_IOM_MMIO_RANGE_NOT_FOUND; ++} ++ ++VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, (uint32_t)uErrorCode, pCtxCore, GCPhysFault, pRange); + IOM_UNLOCK(pVM); + return VBOXSTRICTRC_VAL(rcStrict); + } diff -Nru virtualbox-4.1.18-dfsg/debian/patches/CVE-2015-0418.patch virtualbox-4.1.18-dfsg/debian/patches/CVE-2015-0418.patch --- virtualbox-4.1.18-dfsg/debian/patches/CVE-2015-0418.patch 1970-01-01 05:30:00.0 +0530 +++ virtualbox-4.1.18-dfsg/debian/patches/CVE-2015-0418.patch 2015-01-26 19:07:00.0 +0530 
@@ -0,0 +1,32 @@ +Index: include/VBox/vmm/hwacc_vmx.h +=== +--- a/include/VBox/vmm/hwacc_vmx.h (revision 96156) b/include/VBox/vmm/hwacc_vmx.h (revision 96157) +@@ -525,6 +525,12 @@ + #define VMX_EXIT_WBINVD 54 + /** 55 XSETBV. Guest software attempted to execute XSETBV. */ + #define VMX_EXIT_XSETBV 55 ++/** 57 RDRAND. Guest software attempted to execute RDRAND. */ ++#define VMX_EXIT_RDRAND 57 ++/** 58 INVPCID. Guest software attempted to execute INVPCID. */ ++#define VMX_EXIT_INVPCID58 ++/** 59 VMFUNC. Guest software attempted to execute VMFUNC. */ ++#define VMX_EXIT_VMFUNC 59 + /** @} */ + + +Index: src/VBox/VMM/VMMR0/HWVMXR0.cpp +=== +--- a/src/VBox/VMM/VMMR0/HWVMXR0.cpp (revision 96156) b/src/VBox/VMM/VMMR0/HWVMXR0.cpp (revision 96157) +@@ -4112,6 +4112,10 @@ + case VMX_EXIT_VMWRITE: /* 25 Guest software executed VMWRITE. */ + case VMX_EXIT_VMXOFF: /* 26 Guest software executed VMXOFF. */ + case VMX_EXIT_VMXON:/* 27 Guest software executed VMXON. */ ++case VMX_EXIT_INVEPT: /* 50 Guest software executed INVEPT. */ ++case VMX_EXIT_INVVPID: /* 53 Guest software executed INVVPID. */ ++case VMX_EXIT_INVPCID: /* 58 Guest software executed INVPCID. */ ++case VMX_EXIT_VMFUNC: /* 59 Guest software executed VMFUNC. */ + /** @todo inject #UD immediately */ + rc = VERR_EM_INTERPRETER; + break; diff -Nru virtualbox-4.1.18-dfsg/debian/patches/series virtualbox-4.1.18-dfsg/debian/patches/series --- virtualbox-4.1.18-dfsg/debian/patches/series2014-04-14 14:55:14.0 +0530 +++ virtualbox-4.1.18-dfsg/debian/patches/series2015-01-26 19:07:00.0 +0530 @@ -20,3 +20,5 @@ 38-security-fixes-2014-01.patch CVE-2014-0981.patch
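Review bot: In the debian/changelog hunk, the new entry closes #775888 but names only CVE-2015-0377 and CVE-2015-0418, while the bug title lists CVE-2014-6588, CVE-2014-6589, CVE-2014-6590, CVE-2014-6595, CVE-2015-0418 and CVE-2015-0427. Please say in the entry why the remaining CVEs need no change in 4.1.18, or do not close the bug from this upload, so that the closure does not read as covering all of them. The urgency also drops from high in 2+deb7u3 to medium here, which deserves a deliberate choice for a wheezy-security upload.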
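Review bot: CVE-2015-0377.patch has no description or origin header; the file starts directly at the Index: line and the only provenance is the revision pair 95342/95343. Please add a short header stating that iomMmioGetRange(pVM, GCPhysFault) can return NULL and that the new early return unlocks with IOM_UNLOCK(pVM) and returns VERR_IOM_MMIO_RANGE_NOT_FOUND instead of handing the NULL range to iomMMIOHandler, plus where the change was taken from, so the next security upload can tell what this file covers.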
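Review bot: In CVE-2015-0418.patch, VMX_EXIT_RDRAND (57) is defined in the hwacc_vmx.h hunk but the HWVMXR0.cpp hunk adds no case label for it, whereas VMX_EXIT_INVPCID and VMX_EXIT_VMFUNC, defined next to it, both get one. Please confirm the omission is intended and that the RDRAND exit is handled acceptably elsewhere in the switch. The new case labels VMX_EXIT_INVEPT and VMX_EXIT_INVVPID also depend on defines that are not added by this patch, so a test build against the 4.1.18 headers is needed to show they already exist there.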
Bug#775588: [Pkg-haskell-maintainers] Bug#775588: darcs: Missing copyright information
Hi, How about lowering the severity of this bug? I just received this: fusionforge 5.3.2+20141104-3 is marked for autoremoval from testing on 2015-03-02 It (build-)depends on packages with these RC bugs: 775588: darcs: Missing copyright information Cheers! Sylvain
Bug#776316: [Pkg-samba-maint] Bug#776316: samba: failed to build on mips
On Mon, Jan 26, 2015 at 01:42:51PM -0500, Michael Gilbert wrote: package: src:samba version: 2:4.1.13+dfsg-4 severity: serious The latest upload failed to build on the mips buildd: https://buildd.debian.org/status/package.php?p=samba See the comment in the build log: 21:17:20 runner /usr/bin/gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -fstack-protector -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DSTATIC_python_irpc_MODULES=NULL -DSTATIC_python_irpc_MODULES_PROTO= -MD -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -Idefault/source4/librpc -I../source4/librpc -Idefault/include/public -I../include/public -Idefault/source4 -I../source4 -Idefault/lib -I../lib -Idefault/source4/lib -I../source4/lib -Idefault/source4/include -I../source4/include -Idefault/include -I../include -Idefault/lib/replace -I../lib/replace -Idefault -I../../../../usr/include -Idefault -I.. -Idefault/lib/param -I../lib/param -Idefault/libcli/ldap -I../libcli/ldap -Idefault/librpc -I../librpc -Idefault/source4/dsdb -I../source4/dsdb -Idefault/python -I../python -Idefault/libcli/auth -I../libcli/auth -Idefault/lib/addns -I../lib/addns -Idefault/auth/gensec -I../auth/gensec -Idefault/auth/credentials -I../auth/credentials -Idefault/lib/krb5_wrap -I../lib/krb5_wrap -Idefault/lib/ldb-samba -I../lib/ldb-samba -Idefault/libcli/dns -I../libcli/dns -Idefault/libcli/util -I../libcli/util -Idefault/source4/auth/kerberos -I../source4/auth/kerberos -Idefault/source4/param -I../source4/param -Idefault/lib/socket -I../lib/socket -Idefault/lib/util/charset -I../lib/util/charset -Idefault/source4/libcli -I../source4/libcli -Idefault/source4/lib/events -I../source4/lib/events -Idefault/lib/async_req -I../lib/async_req -Idefault/source4/auth/gensec -I../source4/auth/gensec -Idefault/auth/kerberos -I../auth/kerberos -Idefault/source4/auth -I../source4/auth -Idefault/lib/dbwrap -I../lib/dbwrap -Idefault/source3 -I../source3 -Idefault/source3/include 
-I../source3/include -Idefault/source3/lib -I../source3/lib -Idefault/lib/tdb_compat -I../lib/tdb_compat -Idefault/lib/iniparser -I../lib/iniparser -Idefault/source3/librpc -I../source3/librpc -Idefault/source4/cluster -I../source4/cluster -Idefault/libcli/netlogon -I../libcli/netlogon -Idefault/libcli/security -I../libcli/security -Idefault/libcli/nbt -I../libcli/nbt -Idefault/libcli/drsuapi -I../libcli/drsuapi -Idefault/lib/tsocket -I../lib/tsocket -Idefault/source4/lib/tls -I../source4/lib/tls -Idefault/libds/common -I../libds/common -Idefault/source4/libcli/smb2 -I../source4/libcli/smb2 -Idefault/source4/lib/messaging -I../source4/lib/messaging -Idefault/auth/ntlmssp -I../auth/ntlmssp -Idefault/source4/heimdal_build -I../source4/heimdal_build -Idefault/libcli/cldap -I../libcli/cldap -Idefault/source4/lib/socket -I../source4/lib/socket -Idefault/auth -I../auth -Idefault/libcli/smb -I../libcli/smb -Idefault/libcli/lsarpc -I../libcli/lsarpc -Idefault/source4/libcli/ldap -I../source4/libcli/ldap -Idefault/dynconfig -I../dynconfig -Idefault/lib/compression -I../lib/compression -Idefault/source4/lib/stream -I../source4/lib/stream -Idefault/lib/crypto -I../lib/crypto -I/usr/local/include -I/usr/include/et -I/usr/include/heimdal -I/usr/include/python2.7 -I/usr/include/mips-linux-gnu/python2.7 -D_SAMBA_BUILD_=4 -DHAVE_CONFIG_H=1 -D_GNU_SOURCE=1 -D_XOPEN_SOURCE_EXTENDED=1 default/source4/librpc/gen_ndr/py_irpc.c -c -o default/source4/librpc/gen_ndr/py_irpc_81.o The bug is not reproducible, so it is likely a hardware or OS problem. Cheers, Jelmer -- Jelmer Vernooij jel...@debian.org Debian Developer https://jelmer.uk/ signature.asc Description: Digital signature
Bug#775882: [debian-mysql] Bug#775882: mariadb-10.0: affected by CVEs of the Oracle Patch Update for January 2015?
The page https://mariadb.com/kb/en/security/ has been updated and includes info about these latest CVEs. It seems most issues were fixed in 5.5.41/10.0.16. One was for 5.5.39/10.0.13. 10.0.16 hasn't been released yet, but I expect it to be released soon and I will try to be as fast as possible in updating the package in Debian once the .16 release is out. CVE-2015-0385 and CVE-2015-0409 are not listed in the MariaDB security list. I've sent email asking about their status and I'll track the results in this bug report. Here is some background info about the CVE status by a MariaDB core developer: https://lists.launchpad.net/maria-discuss/msg02153.html
Processed: tagging 772076
Processing commands for cont...@bugs.debian.org: tags 772076 + moreinfo Bug #772076 [icedove] confirm certificate exception dialog keeps re-appearing Added tag(s) moreinfo. thanks Stopping processing here. Please contact me if you need assistance. -- 772076: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772076 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#776253: dependency on libwv-1.2-4 too weak
On Mon, Jan 26, 2015 at 12:25:07AM +0100, Helmut Grohne wrote: Package: wv Version: 1.2.9-4+b1 Severity: serious Justification: policy 12.3 footnote 2 Tags: patch wv contains a symlink /usr/share/doc/wv which points to libwv-1.2-4. Its dependency on libwv-1.2-4 is unversioned though which means, that the copyright and changelog files can get out of sync. This violates the Debian policy section 12.3 footnote 2. This is because, wv installs this symlink manually rather than using dh_installdocs --link-doc. Thus, wv needs to add libwv-1.2-4 (= ${binary:Version}) to its Depends in debian/control. Note that libwv-dev is already correctly doing so. If you're able to upload this fix, then please do so. Dan
Bug#745835: marked as done (lynx-cur: certificate revocation is not checked)
Your message dated Mon, 26 Jan 2015 18:33:26 + with message-id e1yfotw-0004uc...@franck.debian.org and subject line Bug#745835: fixed in lynx-cur 2.8.9dev4-1 has caused the Debian Bug report #745835, regarding lynx-cur: certificate revocation is not checked to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 745835: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745835 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: lynx-cur Version: 2.8.8pre5-1 Severity: grave Tags: security Justification: user security hole Certificate revocation is not checked: lynx opens https://www.cloudflarechallenge.com/ without any warning or error, contrary to Firefox (and to Chromium when the CRLSet is up-to-date). -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.11-2-amd64 (SMP w/2 CPU cores) Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages lynx-cur depends on: ii libbsd0 0.6.0-2 ii libbz2-1.01.0.6-5 ii libc6 2.18-4 ii libgcrypt11 1.5.3-4 ii libgnutls26 2.12.23-14 ii libidn11 1.28-2 ii libncursesw5 5.9+20140118-1 ii libtinfo5 5.9+20140118-1 ii zlib1g1:1.2.8.dfsg-1 Versions of packages lynx-cur recommends: ii mime-support 3.54 lynx-cur suggests no packages. 
-- debconf information: lynx-cur/defaulturl: http://www.vinc17.org/ lynx-cur/etc_lynx.cfg: ---End Message--- ---BeginMessage--- Source: lynx-cur Source-Version: 2.8.9dev4-1 We believe that the bug you reported is fixed in the latest version of lynx-cur, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 745...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Andreas Metzler ametz...@debian.org (supplier of updated lynx-cur package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 26 Jan 2015 18:57:50 +0100 Source: lynx-cur Binary: lynx-cur lynx-cur-wrapper lynx Architecture: source i386 all Version: 2.8.9dev4-1 Distribution: experimental Urgency: medium Maintainer: Debian QA Group packa...@qa.debian.org Changed-By: Andreas Metzler ametz...@debian.org Description: lynx - Text-mode WWW Browser (transitional package) lynx-cur - Text-mode WWW Browser with NLS support (development version) lynx-cur-wrapper - Wrapper for lynx-cur (transitional package) Closes: 745835 Changes: lynx-cur (2.8.9dev4-1) experimental; urgency=medium . * QA upload. * 21_do_not_strip_-g.diff: Build with -g. (Thanks, Simon Ruderich) * New upstream version: + Makes use of gnutls_certificate_verification_status_print instead of only checking a selection of verification errors. 
Closes: #745835
Bug#776073: marked as done (lynx-cur: can connect to site with expired certificate)
Your message dated Mon, 26 Jan 2015 18:33:26 + with message-id e1yfotw-0004uc...@franck.debian.org and subject line Bug#745835: fixed in lynx-cur 2.8.9dev4-1 has caused the Debian Bug report #745835, regarding lynx-cur: can connect to site with expired certificate to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 745835: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745835 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: lynx-cur Version: 2.8.9dev1-2+b1 Severity: grave Tags: security Justification: user security hole lynx can connect to https://www.projet-plume.org/ without any error, though its certificate has expired. Firefox says: www.projet-plume.org uses an invalid security certificate. The certificate expired on 2014-12-05 00:59. The current time is 2015-01-23 16:38. 
(Error code: sec_error_expired_certificate) Also checked with: openssl s_client -CApath /etc/ssl/certs -connect www.projet-plume.org:443 which outputs: CONNECTED(0003) depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root verify return:1 depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware verify return:1 depth=1 C = NL, O = TERENA, CN = TERENA SSL CA verify return:1 depth=0 C = FR, L = LABEGE CEDEX, O = CNRS, OU = MOY1678, CN = projet-plume.org verify error:num=10:certificate has expired notAfter=Dec 4 23:59:59 2014 GMT verify return:1 depth=0 C = FR, L = LABEGE CEDEX, O = CNRS, OU = MOY1678, CN = projet-plume.org notAfter=Dec 4 23:59:59 2014 GMT verify return:1 [...] Verify return code: 10 (certificate has expired) --- DONE -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages lynx-cur depends on: ii libbsd00.7.0-2 ii libbz2-1.0 1.0.6-7+b2 ii libc6 2.19-13 ii libgcrypt201.6.2-4+b1 ii libgnutls-deb0-28 3.3.8-5 ii libidn11 1.29-1+b2 ii libncursesw5 5.9+20140913-1+b1 ii libtinfo5 5.9+20140913-1+b1 ii zlib1g 1:1.2.8.dfsg-2+b1 Versions of packages lynx-cur recommends: ii mime-support 3.58 lynx-cur suggests no packages. -- debconf information: lynx-cur/etc_lynx.cfg: lynx-cur/defaulturl: http://www.vinc17.org/ ---End Message--- ---BeginMessage--- Source: lynx-cur Source-Version: 2.8.9dev4-1 We believe that the bug you reported is fixed in the latest version of lynx-cur, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. 
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 745...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Andreas Metzler ametz...@debian.org (supplier of updated lynx-cur package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 26 Jan 2015 18:57:50 +0100 Source: lynx-cur Binary: lynx-cur lynx-cur-wrapper lynx Architecture: source i386 all Version: 2.8.9dev4-1 Distribution: experimental Urgency: medium Maintainer: Debian QA Group packa...@qa.debian.org Changed-By: Andreas Metzler ametz...@debian.org Description: lynx - Text-mode WWW Browser (transitional package) lynx-cur - Text-mode WWW Browser with NLS support (development version) lynx-cur-wrapper - Wrapper for lynx-cur (transitional package) Closes: 745835 Changes: lynx-cur (2.8.9dev4-1) experimental; urgency=medium . * QA upload. * 21_do_not_strip_-g.diff: Build with -g. (Thanks, Simon Ruderich) * New upstream version: + Makes use of gnutls_certificate_verification_status_print instead of only checking a selection of verification errors. Closes: #745835
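The changelog closing both lynx-cur reports above says the new upstream version reports the whole verification status instead of only checking a selection of verification errors. As an added illustration (not lynx or GnuTLS code; the status bits, their names and the particular "selection" are constructed for this example), the following C program shows why testing a hand-picked subset of failure bits accepts an expired or revoked certificate, while a fail-closed test on the whole status word does not:

```c
#include <stdio.h>
#include <string.h>

/* Constructed verification-status bits for this example. The names and
 * values are assumptions; they are not GnuTLS's own definitions. */
enum {
    ST_INVALID          = 1 << 0,
    ST_SIGNER_NOT_FOUND = 1 << 1,
    ST_REVOKED          = 1 << 2,
    ST_EXPIRED          = 1 << 3,
    ST_NOT_ACTIVATED    = 1 << 4,
    ST_INSECURE_ALGO    = 1 << 5
};

static const struct {
    unsigned bit;
    const char *text;
} status_names[] = {
    { ST_INVALID,          "certificate not trusted" },
    { ST_SIGNER_NOT_FOUND, "issuer unknown" },
    { ST_REVOKED,          "certificate revoked" },
    { ST_EXPIRED,          "certificate expired" },
    { ST_NOT_ACTIVATED,    "certificate not yet valid" },
    { ST_INSECURE_ALGO,    "insecure signature algorithm" }
};

/* Flawed pattern: reject only on a hand-picked selection of bits.
 * Any failure outside the selection is silently accepted. */
int accept_selective(unsigned status)
{
    if (status & ST_INVALID)
        return 0;
    if (status & ST_SIGNER_NOT_FOUND)
        return 0;
    return 1;
}

/* Fail closed: any set bit, named or not, rejects the certificate. */
int accept_strict(unsigned status)
{
    return status == 0;
}

/* Append text to dst (room bytes available, room >= 1); returns the
 * number of characters actually stored, excluding the terminator. */
static size_t append(char *dst, size_t room, int sep, const char *text)
{
    int n = snprintf(dst, room, "%s%s", sep ? "; " : "", text);
    if (n < 0)
        return 0;
    return (size_t)n < room ? (size_t)n : room - 1;
}

/* Describe every set bit, including bits this table does not know,
 * so that the user sees all reasons. Returns the number of reasons. */
int describe_status(unsigned status, char *buf, size_t len)
{
    size_t used = 0, i;
    unsigned known = 0;
    int reasons = 0;

    if (len == 0)
        return 0;
    buf[0] = '\0';
    for (i = 0; i < sizeof status_names / sizeof status_names[0]; i++) {
        known |= status_names[i].bit;
        if (!(status & status_names[i].bit))
            continue;
        reasons++;
        used += append(buf + used, len - used, reasons > 1,
                       status_names[i].text);
    }
    if (status & ~known) {
        reasons++;
        append(buf + used, len - used, reasons > 1,
               "unrecognised status bits");
    }
    return reasons;
}

int main(void)
{
    /* Constructed sample results, one per imagined handshake. */
    const unsigned samples[] = {
        0, ST_EXPIRED, ST_REVOKED, ST_INVALID | ST_EXPIRED, 1u << 9
    };
    char why[160];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        describe_status(samples[i], why, sizeof why);
        printf("status=0x%03x selective=%-6s strict=%-6s %s\n", samples[i],
               accept_selective(samples[i]) ? "accept" : "reject",
               accept_strict(samples[i]) ? "accept" : "reject", why);
    }
    return 0;
}
```
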
Bug#775866: vlc: multiple vulnerabilities
On Mon, Jan 26, 2015 at 05:33:30PM +0100, Sebastian Ramacher wrote: On 2015-01-26 13:49:26, Moritz Mühlenhoff wrote: On Tue, Jan 20, 2015 at 09:47:26PM +0100, Yves-Alexis Perez wrote: * The potential invalid writes in modules/services_discovery/sap.c and modules/access/ftp.c were not fixed as I did not provide a trigger. Note, that the code looks very similar to the confirmed bug in rtp_packetize_xiph_config, and so I leave it to you to decide whether you want to patch this. These have been assigned CVE-2015-1202 and CVE-2015-1203, could you contact upstream for the status of an upstream fix? Just because they look similar, does not make them a vulnerability. The format string for ftp_SendCommand is not attacker controlled. The reporter still has not answered questions about how the invalid write in modules/access/ftp.c could be triggered [1]. Similarly, the issue in modules/services_discovery/sap.c lacks a trigger. The rather disturbing thread can be found at [2]. [1] https://mailman.videolan.org/pipermail/vlc-devel/2014-December/100674.html [2] https://mailman.videolan.org/pipermail/vlc-devel/2014-December/100675.html Given upstream's response we'll mark these as non-issues in the Debian security tracker, then. I'm adding MITRE to CC; CVE-2015-1202 and CVE-2015-1203 are disputed by upstream, please consider marking them as rejected. Cheers, Moritz
Bug#775882: [debian-mysql] Bug#775882: mariadb-10.0: affected by CVEs of the Oracle Patch Update for January 2015?
Control: tags -1 upstream fixed-upstream Control: retitle -1 mariadb-10.0: CVE-2015-0411 CVE-2015-0382 CVE-2015-0381 CVE-2015-0432 CVE-2014-6568 CVE-2015-0374 Hi Otto, On Fri, Jan 23, 2015 at 08:46:46AM +0200, Otto Kekäläinen wrote: I started to search information about this 2 days ago, but so far I haven't found any indication that these would affect MariaDB, though I haven't got the definitive final reply from mariadb devs confirming so either. So the following CVEs were fixed with the 10.0.16 upload according to [1]: CVE-2015-0411 CVE-2015-0382 CVE-2015-0381 CVE-2015-0432 CVE-2014-6568 CVE-2015-0374 [1] https://mariadb.com/kb/en/mariadb/mariadb-10016-release-notes/ Could you prepare an update so that these fixes can be included in Jessie? Regards, Salvatore
Processed: Re: Bug#775882: [debian-mysql] Bug#775882: mariadb-10.0: affected by CVEs of the Oracle Patch Update for January 2015?
Processing control commands: tags -1 upstream fixed-upstream Bug #775882 [src:mariadb-10.0] mariadb-10.0: affected by CVEs of the Oracle Patch Update for January 2015? Added tag(s) upstream and fixed-upstream. retitle -1 mariadb-10.0: CVE-2015-0411 CVE-2015-0382 CVE-2015-0381 CVE-2015-0432 CVE-2014-6568 CVE-2015-0374 Bug #775882 [src:mariadb-10.0] mariadb-10.0: affected by CVEs of the Oracle Patch Update for January 2015? Changed Bug title to 'mariadb-10.0: CVE-2015-0411 CVE-2015-0382 CVE-2015-0381 CVE-2015-0432 CVE-2014-6568 CVE-2015-0374' from 'mariadb-10.0: affected by CVEs of the Oracle Patch Update for January 2015?' -- 775882: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775882 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#767019: xscreensaver: postinst overwrites /etc/X11/app-defaults/XScreenSaver without asking
On Sat, Dec 20, 2014 at 9:02 AM, Michael Gilbert wrote: if [ -L /etc/X11/app-defaults/XScreenSaver ]; then if [ $(readlink /etc/X11/app-defaults/XScreenSaver) = XScreenSaver-nogl -o \ $(readlink /etc/X11/app-defaults/XScreenSaver) = XScreenSaver-gl ]; then rm /etc/X11/app-defaults/XScreenSaver fi This doesn't handle the case where the user intentionally had both xscreensaver-gl and xscreensaver installed, and manually set the symlink to XscreenSaver-nogl. Mhm, couldn't we apply this part of the patch and at least make this bug less RC that way? Alex
Bug#775888: virtualbox: CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0418 CVE-2015-0427
On Mon, Jan 26, 2015 at 09:07:19PM +0530, Ritesh Raj Sarraf wrote: On 01/21/2015 01:23 PM, Moritz Muehlenhoff wrote: In the past someone from upstream posted the upstream commits to the bug log, maybe you can contact them for more information so that we can merge the isolated fixes into the jessie version? Cheers, Moritz Moritz, For unstable, I've pushed the upload and asked for an exception. I've added the VMSVGA fixes to the security tracker, but there are also two issues in Core, which apply to wheezy/jessie: Could you please check back with upstream on CVE-2015-0377 and CVE-2015-0418? http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html Cheers, Moritz
Bug#775625: [pkg-php-pear] symfony: Review, upload and unblock needed to fix #775625 (FTBFS in jessie)
Hi, On 21/01/2015 14:23, David Prévot wrote: On 19/01/2015 13:34, Daniel Beyer wrote: I'm not 100% sure if it really fixes the problem, since I'm not able to reproduce those errors on my local system (neither local, nor with pbuilder sid/jessie). Same here, even within sbuild. […] check if the DEP-8 tests are working on ci.debian.net (exactly the same errors mentioned in #775625 occurring there). Unfortunately, the DEP-8 tests are still failing with the fix: http://ci.debian.net/packages/s/symfony/unstable/amd64/ If that’s not enough, or if upstream gives feedback on your PR, we can still roll out another update. Maybe the people behind the bug report or ci.d.n will be able to offer a shell to reproduce the issue we’ve not managed to reproduce so far… Deactivating the tests will also be an option if we can’t reproduce it, but it would be way nicer to keep an eye on eventual php5 regressions (especially with the new fancy “upload to the latest minor version” trend for fixing security issues…). An unblock request may not be necessary Adam is indeed fast ;). taffit@persil:/tmp/partclone-0.2.73$ grep-excuses symfony […] Ignoring block request by freeze, due to unblock request by adsb Regards David
Bug#776316: samba: failed to build on mips
package: src:samba version: 2:4.1.13+dfsg-4 severity: serious Hi, The latest upload failed to build on the mips buildd: https://buildd.debian.org/status/package.php?p=samba Best wishes, Mike
Bug#776253: marked as done (dependency on libwv-1.2-4 too weak)
Your message dated Mon, 26 Jan 2015 21:19:54 + with message-id e1yfr4c-0007vg...@franck.debian.org and subject line Bug#776253: fixed in wv 1.2.9-4.1 has caused the Debian Bug report #776253, regarding dependency on libwv-1.2-4 too weak to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 776253: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776253 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: wv Version: 1.2.9-4+b1 Severity: serious Justification: policy 12.3 footnote 2 Tags: patch wv contains a symlink /usr/share/doc/wv which points to libwv-1.2-4. Its dependency on libwv-1.2-4 is unversioned though which means, that the copyright and changelog files can get out of sync. This violates the Debian policy section 12.3 footnote 2. This is because, wv installs this symlink manually rather than using dh_installdocs --link-doc. Thus, wv needs to add libwv-1.2-4 (= ${binary:Version}) to its Depends in debian/control. Note that libwv-dev is already correctly doing so. Attaching a .debdiff for convenience. Helmut diff -Nru wv-1.2.9/debian/changelog wv-1.2.9/debian/changelog --- wv-1.2.9/debian/changelog 2014-10-02 11:35:37.0 +0200 +++ wv-1.2.9/debian/changelog 2015-01-26 00:24:05.0 +0100 
@@ -1,3 +1,10 @@ +wv (1.2.9-4.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Tighten dependency wv - libwv-1.2-4 to meet policy 12.3. (Closes: #-1) + + -- Helmut Grohne hel...@subdivi.de Mon, 26 Jan 2015 00:23:37 +0100 + wv (1.2.9-4) unstable; urgency=medium * debian/control: diff -Nru wv-1.2.9/debian/control wv-1.2.9/debian/control --- wv-1.2.9/debian/control 2014-10-02 11:34:13.0 +0200 +++ wv-1.2.9/debian/control 2015-01-26 00:23:34.0 +0100 
@@ -11,7 +11,7 @@ Package: wv Architecture: any -Depends: ${misc:Depends}, ${shlibs:Depends} +Depends: ${misc:Depends}, ${shlibs:Depends}, libwv-1.2-4 (= ${binary:Version}) Suggests: texlive, ghostscript, elinks | links | lynx, imagemagick, gv | postscript-viewer Description: Programs for accessing Microsoft Word documents wvWare (previously known as mswordview) is a library that allows access ---End Message--- ---BeginMessage--- Source: wv Source-Version: 1.2.9-4.1 We believe that the bug you reported is fixed in the latest version of wv, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 776...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Helmut Grohne hel...@subdivi.de (supplier of updated wv package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 26 Jan 2015 20:30:47 +0100 Source: wv Binary: wv libwv-1.2-4 libwv-dev Architecture: source Version: 1.2.9-4.1 Distribution: unstable Urgency: medium Maintainer: Daniel Walrond deb...@djw.org.uk Changed-By: Helmut Grohne hel...@subdivi.de Description: libwv-1.2-4 - Library for accessing Microsoft Word documents libwv-dev - Development files for the wvWare library wv - Programs for accessing Microsoft Word documents Closes: 776253 Changes: wv (1.2.9-4.1) unstable; urgency=medium . * Non-maintainer upload. Acknowledged by Daniel Walrond. * Tighten dependency wv - libwv-1.2-4 to meet policy 12.3. 
(Closes: #776253)
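Review bot: the new debian/changelog entry closes `#-1`, which is a placeholder rather than a bug number, and its distribution is still `UNRELEASED`. Both need to be replaced before upload (the closing upload quoted in the same message uses `Closes: #776253` and `unstable`), otherwise the bug tracker will not close the report automatically.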
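Review bot: in the debian/control hunk, the added `libwv-1.2-4 (= ${binary:Version})` is only satisfiable if libwv-1.2-4 is built from this source on every architecture wv is built for. The hunk shows `Architecture: any` for wv but not the library's stanza, so confirm that libwv-1.2-4 is also `Architecture: any`. If it were `Architecture: all`, the relation would need `${source:Version}` instead, or wv becomes uninstallable after a binary-only rebuild.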
Processed: Re: libblkid-dev: unhandled symlink to directory conversion: /usr/share/doc/PACKAGE
Processing control commands: found -1 2.25.2-4.1 Bug #775350 {Done: Jonathan Wiltshire j...@debian.org} [libblkid-dev] libblkid-dev: unhandled symlink to directory conversion: /usr/share/doc/PACKAGE Marked as found in versions util-linux/2.25.2-4.1; no longer marked as fixed in versions util-linux/2.25.2-4.1 and reopened. -- 775350: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775350 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#775350: libblkid-dev: unhandled symlink to directory conversion: /usr/share/doc/PACKAGE
Followup-For: Bug #775350 Control: found -1 2.25.2-4.1 maintscript has a wrong path (and version): -symlink_to_dir /usr/share/doc/libblkid-dev /usr/share/doc/libblkid 2.25.2-4 +symlink_to_dir /usr/share/doc/libblkid-dev /usr/share/doc/libblkid1 2.25.2-4.2~ Andreas
Bug#776345: dleyna-server: Segfault when playing video
Package: dleyna-server Version: 0.4.0-1 Severity: critical Justification: breaks unrelated software Dear Maintainer, * What led up to the situation? Sporadically, when watching video, typically using Totem. Any video. This did not happen until about a month ago (on testing, keeping up to date) * What exactly did you do (or not do) that was effective (or ineffective)? Typically, the system had been running fine for a while, and then I would turn on a video, and within the first couple of minutes of this video running, the following happened. * What was the outcome of this action? There was a segfault in the dleyna-server, and my gnome-shell logged me out and closed all the windows I had open * What outcome did you expect instead? I would expect the video to keep playing, and all of my windows to still be open. The dmesg output describing the segfault is provided below. Please advise as to how I can give you more information on this issue. [49339.327487] dleyna-server-s[26235]: segfault at 8 ip 7ff711375132 sp 7fffacb1bb20 error 4 in libdleyna-server-1.0.so.1.0.3[7ff711365000+21000] -- System Information: Debian Release: 8.0 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages dleyna-server depends on: ii libc6 2.19-13 ii libdleyna-connector-dbus-1.0-1 0.2.0-1 ii libdleyna-core-1.0-3 0.4.0-1 ii libglib2.0-0 2.42.1-1 ii libgssdp-1.0-3 0.14.10-1 ii libgupnp-1.0-4 0.20.12-1 ii libgupnp-av-1.0-2 0.12.6-1 ii libgupnp-dlna-2.0-3 0.10.2-1 ii libsoup2.4-1 2.48.0-1 dleyna-server recommends no packages. dleyna-server suggests no packages. -- no debconf information
Bug#775871: [Pkg-anonymity-tools] Bug#775871: Any updates to the TBB bundle people ?
Hi shirish शिरीष, On Tuesday, 27 January 2015, shirish शिरीष wrote: Also Micha Lee made a new 0.1.9 release around 4 days back so guessing the new one would be the best. I'm well aware - just not sure whether I think 0.1.9 is the best for jessie or 0.1.7 plus the new signing key and the fixes for #775891. Sadly just 0.1.9 is polluted by fixes for tickets #155 and #157, which have *some* Debian relevance too.. Feedback (as in reasonings) very much welcome! cheers, Holger, who will probably upload 0.1.9-1~foo to experimental tomorrow as this is the right thing to do atm for sure anyway ;-) Please comment on what to do for Jessie. see #775921
Bug#775882: [debian-mysql] Bug#775882: mariadb-10.0: affected by CVEs of the Oracle Patch Update for January 2015?
Hi Otto, On Mon, Jan 26, 2015 at 09:03:28PM +0200, Otto Kekäläinen wrote: The page https://mariadb.com/kb/en/security/ has updated and includes info about these latest CVEs. It seems most issues were fixed in 5.5.41/10.0.16. One was for 5.5.39/10.0.13. 10.0.16 hasn't been yet released, but I'll expect it is released soon and I will try to be as fast as possible in updating the package in Debian once the .16 release is out. CVE-2015-0385 and CVE-2015-0409 are not listed in the MariaDB security list. I've sent email asking about their status and I'll track the results in this bug report. Here is some background info about the CVE status by a MariaDB core developer: https://lists.launchpad.net/maria-discuss/msg02153.html Thanks for the update and checking with upstream regarding the two other CVEs. 10.0.16 seems now available[1] (even though not yet announced on the webpage itself). [1] https://downloads.mariadb.com/files/MariaDB/mariadb-10.0.16/source Regards, Salvatore p.s.: FYI, if you want to reach also the submitter of a bug adding it to Cc is needed, since n...@bugs.debian.org does not reach the original submitter, see https://www.debian.org/Bugs/Developer#followup
Bug#773445: linux-image-3.18.0-trunk-686-pae fails to boot from encrypted usb drive
On Wed, 21 Jan 2015 08:48:53 + Martin Zobel-Helas zo...@debian.org wrote: Hi, could this be related to #773250? Try adding xhci-pc to your initrd. Cheers, Martin Hello Thank you for your suggestion. I can confirm that adding the 'xhci-pci' module to my initramfs fixes the issue for me! So, please add this module to the initrd of any further linux kernel packages. Bob
Bug#776288: phabricator: postinst overwrites local configuration changes during reinstall/upgrade
Source: phabricator Version: 0~git20141130-1 Severity: serious Justification: Policy 10.7.3 Dear Maintainer, phabricator's postinst script uses bin/config to unconditionally set configuration parameters to the package/debconf defaults. This happens on both reinstall and upgrade and overwrites any changes performed by the administrator. According to Debian policy manual, local configuration changes performed by the administrator (using bin/config in this case) must be preserved. The easiest way to do so is to check if the parameters are already set before setting them. Regards, Apollon -- System Information: Debian Release: 8.0 APT prefers testing APT policy: (500, 'testing'), (90, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=el_GR.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Processed: severity of 776246 is important
Processing commands for cont...@bugs.debian.org: severity 776246 important Bug #776246 [librsync1] MD4 collision/preimage attacks (CVE-2014-8242) Severity set to 'important' from 'grave' thanks Stopping processing here. Please contact me if you need assistance. -- 776246: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776246 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#776246: MD4 collision/preimage attacks (CVE-2014-8242)
Hi, See https://github.com/librsync/librsync/issues/5 . librsync uses MD4 as part of syncing; given the low strength and size of MD4, and the relative ease of computing collisions/preimages, that makes librsync unsafe to use on untrusted data, such as when running a duplicity backup. The upstream fix involves changing the signature format to use a strong hash. The new version of librsync supports reading the old signature format, but always writes the new one. So, fixing this has some of the same implications as Berkeley DB upgrades. In particular, any applications using librsync and its data format across multiple systems will require upgrading any readers along with writers. I'd suggest coordinating this with the reverse dependencies of librsync1. Although a genuine issue, the fix is indeed too invasive to deploy in a stable release and requires something of a transition. We should therefore start this in sid for stretch. Cheers, Thijs
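Added example, not part of the mail above or of librsync itself: a small auditor that reads the header of a librsync signature file and reports whether it is still in the old MD4 format, which is the inventory step the reader/writer transition described above needs. The two magic numbers are the ones in librsync's public header; the 12-byte big-endian header layout and the maximum strong-sum lengths are stated as assumptions, and the sample signatures are constructed.

```python
import struct

# Magic numbers from librsync's public header (librsync.h).
RS_MD4_SIG_MAGIC = 0x72730136     # old signature format, MD4 strong sums
RS_BLAKE2_SIG_MAGIC = 0x72730137  # newer signature format, BLAKE2 strong sums

# Assumed header layout: magic, block length, strong-sum length (big-endian).
HEADER = struct.Struct(">III")
WEAK_SUM_LEN = 4  # rolling checksum stored in front of each strong sum
# Assumed maximum strong-sum length per format (full digest size).
FORMATS = {
    RS_MD4_SIG_MAGIC: ("md4", 16),
    RS_BLAKE2_SIG_MAGIC: ("blake2", 32),
}


class SignatureError(ValueError):
    """Raised when the bytes are not a well-formed signature file."""


def inspect_signature(data):
    """Classify a signature blob and report whether it still relies on MD4."""
    if len(data) < HEADER.size:
        raise SignatureError("truncated header")
    magic, block_len, strong_len = HEADER.unpack_from(data)
    if magic not in FORMATS:
        raise SignatureError("unknown magic 0x%08x" % magic)
    name, max_strong = FORMATS[magic]
    if block_len == 0 or not 1 <= strong_len <= max_strong:
        raise SignatureError("implausible block or strong-sum length")
    entry_len = WEAK_SUM_LEN + strong_len
    body_len = len(data) - HEADER.size
    if body_len % entry_len:
        raise SignatureError("partial block entry at end of file")
    return {
        "strong_hash": name,
        "block_len": block_len,
        "strong_len": strong_len,
        "blocks": body_len // entry_len,
        "regenerate": magic == RS_MD4_SIG_MAGIC,
    }


def build_sample(magic, block_len, strong_len, blocks):
    """Constructed test input: a header plus zero-filled block entries."""
    entry = bytes(WEAK_SUM_LEN + strong_len)
    return HEADER.pack(magic, block_len, strong_len) + entry * blocks


def audit(named_blobs):
    """Return the names of signatures that must be regenerated."""
    stale = []
    for name, blob in named_blobs.items():
        try:
            if inspect_signature(blob)["regenerate"]:
                stale.append(name)
        except SignatureError:
            # Policy choice: an unreadable signature is not trusted either.
            stale.append(name)
    return sorted(stale)


if __name__ == "__main__":
    samples = {
        "old.sig": build_sample(RS_MD4_SIG_MAGIC, 2048, 8, 3),
        "new.sig": build_sample(RS_BLAKE2_SIG_MAGIC, 2048, 32, 2),
        "cut.sig": b"rs\x016",
    }
    print(audit(samples))
```
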
Bug#774645: marked as done (libevent: CVE-2014-6272: potential heap overflow in buffer/bufferevent APIs)
Your message dated Mon, 26 Jan 2015 10:33:25 + with message-id e1yfgyz-0004st...@franck.debian.org and subject line Bug#774645: fixed in libevent 1.4.13-stable-1+deb6u1 has caused the Debian Bug report #774645, regarding libevent: CVE-2014-6272: potential heap overflow in buffer/bufferevent APIs to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 774645: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774645 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Source: libevent Version: 1.4.13-stable-1 Severity: grave Tags: security upstream patch fixed-upstream Hi, the following vulnerability was published for libevent. CVE-2014-6272[0]: potential heap overflow in buffer/bufferevent APIs If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities Exposures) id in your changelog entry. Upstream patches are found in [1], [2] and [3]. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2014-6272 [1] http://archives.seul.org/libevent/users/Jan-2015/msg00011.html https://github.com/libevent/libevent/commit/841ecbd96105c84ac2e7c9594aeadbcc6fb38bc4 (2.1) [2] http://archives.seul.org/libevent/users/Jan-2015/msg00012.html https://github.com/libevent/libevent/commit/20d6d4458bee5d88bda1511c225c25b2d3198d6c (2.0) [3] http://archives.seul.org/libevent/users/Jan-2015/msg00013.html https://github.com/libevent/libevent/commit/7b21c4eabf1f3946d3f63cce1319c490caab8ecf (1.4) (FYI, I have already prepared an update for wheezy-security with the upstream patch). 
Regards, Salvatore ---End Message--- ---BeginMessage--- Source: libevent Source-Version: 1.4.13-stable-1+deb6u1 We believe that the bug you reported is fixed in the latest version of libevent, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 774...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Nguyen Cong cong.nguyen...@toshiba-tsdv.com (supplier of updated libevent package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Tue, 13 Jan 2015 16:00:14 +0700 Source: libevent Binary: libevent-dev libevent-1.4-2 libevent-core-1.4-2 libevent-extra-1.4-2 Architecture: source amd64 Version: 1.4.13-stable-1+deb6u1 Distribution: squeeze-lts Urgency: low Maintainer: Anibal Monsalve Salazar ani...@debian.org Changed-By: Nguyen Cong cong.nguyen...@toshiba-tsdv.com Description: libevent-1.4-2 - An asynchronous event notification library libevent-core-1.4-2 - An asynchronous event notification library (core) libevent-dev - Development libraries, header files and docs for libevent libevent-extra-1.4-2 - An asynchronous event notification library (extra) Closes: 774645 Changes: libevent (1.4.13-stable-1+deb6u1) squeeze-lts; urgency=low . * Non-maintainer upload by the Debian LTS team. 
* Fix potential heap overflow in buffer/bufferevent APIs reported in CVE-2014-6272 by applying the upstream-provided patch: https://github.com/libevent/libevent/commit/7b21c4eabf1f3946d3f63cce1319c490caab8ecf Closes: #774645
Bug#774854: race condition between fur and fex_cleanup
On Mon, Dec 22, 2014 at 10:33:50PM +0100, Kilian Krause wrote: Package: fex Version: 20140917-1 Severity: serious Tags: security patch upstream pending confirmed jessie As upstream has released a new version of the fex package which closes a security issue and there is no CVE assigned, we'll use this bug to track the issue. Hi, what is the plan for unstable? You can either ask for an unblock with the release team (if the diff between testing and sid is small) or fix these in a targeted upload for testing-proposed-updates. Cheers, Moritz
Processed: your mail
Processing commands for cont...@bugs.debian.org: found 775871 0.1.7-1~bpo70+1 Bug #775871 [torbrowser-launcher] torbrowser-launcher: TorBrowser Bundle signing key changed Marked as found in versions torbrowser-launcher/0.1.7-1~bpo70+1. End of message, stopping processing here. Please contact me if you need assistance. -- 775871: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775871 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: severity of 776039 is grave
Processing commands for cont...@bugs.debian.org: severity 776039 grave Bug #776039 [grep] grep: CVE-2015-1345: heap buffer overrun Severity set to 'grave' from 'important' thanks Stopping processing here. Please contact me if you need assistance. -- 776039: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776039 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Processed: php-kdyby-console: uninstallable in sid: php-symfony-console (= 2.5) is not available anywhere
Processing control commands: affects -1 + php-kdyby-console Bug #776330 [php-kdyby-console] php-kdyby-console: uninstallable in sid: php-symfony-console (= 2.5) is not available anywhere Added indication that 776330 affects php-kdyby-console -- 776330: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776330 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#776330: php-kdyby-console: uninstallable in sid: php-symfony-console (= 2.5) is not available anywhere
Package: php-kdyby-console Version: 2.3.0-1 Severity: grave Tags: sid Justification: renders package unusable User: debian...@lists.debian.org Usertags: piuparts Control: affects -1 + php-kdyby-console Hi, during a test with piuparts I noticed your package is no longer installable in sid: The following packages have unmet dependencies: php-kdyby-console : Depends: php-nette (= 2.2) but 2.1.5-1 is to be installed Depends: php-symfony-console (= 2.5) but 2.3.21+dfsg-2 is to be installed a suitable php-nette version is in experimental, but no version is available for php-symfony-console Cheers, Andreas
Bug#774257: Happens on jessie d-i rc1 too
FWIW, I reinstalled another laptop with jessie rc1, and adding a printer in GNOME fails due to the same problem. If it matters, the printer is a HP LaserJet P2055DN. /Simon
Bug#775871: Any updates to the TBB bundle people ?
Hi all, I just came across this bug myself. Once, twice, thrice then I investigated what the issue might be. Went to the cache and compared the sha256sum of the file downloaded with the one given at the tor project. Saw that it matched, then concluded then it's the small python egg which might be the issue and found the bug-report right after. Looking forward to the fix, even if it means having it in experimental. As can be seen it's not to be found even in experimental as of now :- ~$ apt-cache policy torbrowser-launcher torbrowser-launcher: Installed: 0.1.7-1 Candidate: 0.1.7-1 Version table: *** 0.1.7-1 0 600 http://ftp.debian.org/debian/ testing/contrib amd64 Packages 1 http://http.debian.net/debian/ unstable/contrib amd64 Packages 100 /var/lib/dpkg/status whereas iceweasel is right there on experimental :- $ apt-cache policy iceweasel iceweasel: Installed: 35.0-1 Candidate: 35.0-1 Version table: *** 35.0-1 0 1 http://http.debian.net/debian/ experimental/main amd64 Packages 100 /var/lib/dpkg/status 31.4.0esr-1 0 600 http://ftp.debian.org/debian/ testing/main amd64 Packages 1 http://http.debian.net/debian/ unstable/main amd64 Packages Also Micha Lee made a new 0.1.9 release around 4 days back so guessing the new one would be the best. -- Regards, Shirish Agarwal शिरीष अग्रवाल My quotes in this email licensed under CC 3.0 http://creativecommons.org/licenses/by-nc/3.0/ http://flossexperiences.wordpress.com EB80 462B 08E1 A0DE A73A 2C2F 9F3D C7A4 E1C4 D2D8