Bug#740898: [9e1ed7f] Fix for Bug#740898 committed to git
tags 740898 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Sat, 21 Mar 2015 12:05:27 +0100. The fix will be in the next upload. = Ignore Suckit false positive Closes:#740898 = You can check the diff of the fix at: ;a=commitdiff;h=9e1ed7f -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#777583: Incorrect debian/copyright for smartmontools
retitle -1 debian/copyright for smartmontools is too restrictive severity -1 wishlist Il 14/02/2015 06:57, Mark H Weaver ha scritto: Every package must be accompanied by a verbatim copy of its copyright information and distribution license in the file /usr/share/doc/package/copyright. Note the word verbatim. Therefore, smartmontools clearly violates a must directive of Debian policy, and so this bug should have severity serious as per https://www.debian.org/Bugs/Developer#severities. The README file says: == COPYING == Copyright (C) 2002-9 Bruce Allen smartmontools-supp...@lists.sourceforge.net Copyright (C) 2004-14 Christian Franke smartmontools-supp...@lists.sourceforge.net This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. Cheers, Giuseppe. -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#766178: [12d5f9d] Fix for Bug#766178 committed to git
tags 766178 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Tue, 21 Oct 2014 13:28:29 +0200. The fix will be in the next upload. = Correct maintscript syntax Closes: #766178 = You can check the diff of the fix at: ;a=commitdiff;h=12d5f9d -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#754684: [c2c3369] Fix for Bug#754684 committed to git
tags 754684 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Sat, 18 Oct 2014 16:53:15 +0200. The fix will be in the next upload. = Fix FTBFS on kfreebsd-* Closes: #754684 = You can check the diff of the fix at: ;a=commitdiff;h=c2c3369 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#765659: /etc/default/chromium removed in postinst
Package: chromium Version: 37.0.2062.120-3 Severity: grave Hi, debian/chromium.postinst line 12 Really you cannot remove /etc/default/chromium file without asking or warning user... You have to move in /etc/chromium-browser/default This is what happens when you push huge commits and nobody can double chek it. Thanks for removing my /etc/default/chromium. Cheers, Giuseppe -- System Information: Debian Release: jessie/sid APT prefers testing-proposed-updates APT policy: (990, 'testing-proposed-updates'), (990, 'testing'), (500, 'unstable'), (500, 'stable'), (101, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16-2-amd64 (SMP w/8 CPU cores) Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages chromium depends on: ii gconf-service3.2.6-3 ii libasound2 1.0.28-1 ii libc62.19-11 ii libcairo21.12.16-5 ii libcap2 1:2.24-6 ii libcups2 1.7.5-1 ii libdbus-1-3 1.8.8-1+b1 ii libexpat12.1.0-6 ii libfontconfig1 2.11.0-6.1 ii libfreetype6 2.5.2-2 ii libgcc1 1:4.9.1-16 ii libgconf-2-4 3.2.6-3 ii libgdk-pixbuf2.0-0 2.30.8-1+b1 ii libglib2.0-0 2.42.0-1 ii libgnome-keyring03.12.0-1 ii libgtk2.0-0 2.24.24-1 ii libharfbuzz0b0.9.35-1 ii libjpeg621:1.3.1-3 ii libnspr4 2:4.10.7-1 ii libnspr4-0d 2:4.10.7-1 ii libnss3 2:3.17.1-1 ii libpango-1.0-0 1.36.7-1 ii libpangocairo-1.0-0 1.36.7-1 ii libspeechd2 0.8-6 ii libspeex11.2~rc1.2-1 ii libstdc++6 4.9.1-16 ii libudev1 215-5+b1 ii libx11-6 2:1.6.2-3 ii libxcomposite1 1:0.4.4-1 ii libxcursor1 1:1.1.14-1 ii libxdamage1 1:1.1.4-2 ii libxext6 2:1.3.2-1 ii libxfixes3 1:5.0.1-2 ii libxi6 2:1.7.4-1 ii libxml2 2.9.1+dfsg1-4 ii libxrandr2 2:1.4.2-1 ii libxrender1 1:0.9.8-1 ii libxslt1.1 1.1.28-2+b1 ii libxss1 1:1.2.2-1 ii libxtst6 2:1.2.2-1 ii xdg-utils1.1.0~rc1+git20111210-7.1 chromium recommends no packages. Versions of packages chromium suggests: ii chromium-inspector 37.0.2062.120-3 ii chromium-l10n 37.0.2062.120-3 -- Configuration Files: /etc/chromium/default [Errno 2] File o directory non esistente: u'/etc/chromium/default' /etc/chromium/initial_bookmarks.html [Errno 2] File o directory non esistente: u'/etc/chromium/initial_bookmarks.html' /etc/chromium/master_preferences [Errno 2] File o directory non esistente: u'/etc/chromium/master_preferences' -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#764180: /etc/default/chromium removed in postinst
Package: chromium Version: 37.0.2062.120-3 Severity: grave Hi, debian/chromium.postinst line 12 Really you cannot remove /etc/default/chromium file without asking... You have to move it in /etc/chromium-browser/default This is what happens when you push huge commits and nobody can double check it. Thanks for removing my /etc/default/chromium. Cheers, Giuseppe signature.asc Description: OpenPGP digital signature
Bug#761728: [49fccbc] Fix for Bug#761728 committed to git
tags 761728 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Sat, 4 Oct 2014 19:11:13 +0200. The fix will be in the next upload. = Depends on kmod | kldutils Closes: #761728 = You can check the diff of the fix at: ;a=commitdiff;h=49fccbc -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#757758: [9064776] Fix for Bug#757758 committed to git
tags 757758 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Sat, 4 Oct 2014 19:28:19 +0200. The fix will be in the next upload. = Fixed sed without options issue. Closes: #757758 Thanks: Cristian Ionescu-Idbohrn = You can check the diff of the fix at: ;a=commitdiff;h=9064776 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#745646: chromium: certificate revocation is not checked
tags 745646 unreproducible notfound 745646 34.0.1847.116-2 severity 745646 normal thanks Il 2014-04-30 20:30 Jonathan Nieder ha scritto: However Vincent is right that the CRLSets[1] are a different mechanism than OCSP revocation checking and that CRLSet checking is enabled by default. Yes, that's true, but I really can't reproduce this issue. In all my installations, CRLset are updated correctly. If it is broken then that would indeed be a serious bug. I don't think this would be a serious bug. You should consider CRLSet only as better than nothing. Please try to find a real case where you are more secure with it but consider that: - CRLSet includes at most 2% of the revoked certificates currently published by the Internet's certificate authorities - updates to CRLSet appear to often take several days - if an attacker can use a revoked certificate, he can intercept traffic, so he could also intercept CRLSets updates Cheers, Giuseppe -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#745646: [Pkg-chromium-maint] Bug#745646: closed by Michael Gilbert mgilb...@debian.org (Re: Bug#745646: chromium: certificate revocation is not checked)
Hi, On 30/04/2014 02:28, Vincent Lefevre wrote: No, Chromium developers tell users not to enable it, and consider it as an obsolete option that will be removed. Indeed, in case of real MITM attack, the attacker can block the OCSP server, in which case Chromium will silently consider the certificate as valid, and this is complete non-sense! Said otherwise, revocation checking in Chromium can work only when it is not needed. So, to do the real check, you must not enable this option, just rely on the CRLSet. *Please stop to reopen this bug.* That check is not enabled by default because it doesn't meaningfully add to security. Benefits of online revocation checking are insignificant and it compromises privacy (CA knows the IP address of users and sites they are visiting). Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#745646: [Pkg-chromium-maint] Bug#745646: closed by Michael Gilbert mgilb...@debian.org (Re: Bug#745646: chromium: certificate revocation is not checked)
On 30/04/2014 19:49, Vincent Lefevre wrote: Bug 745646 is a different bug, specifically about the CRLSet system, which is very broken. What you write is not a bug, if you want to do revocation check you must enable it in settings. chromium --temp-profile Go to settings and enable revocation check, go to https://www.vinc17.net:4433/ and you will see that is denied. Cheers, Giuseppe signature.asc Description: OpenPGP digital signature
Bug#741908: extplorer: CVE-2013-5951
Hi Thomas, On 17/03/2014 08:34, Thomas Goirand wrote: I've been waiting for comments on my security upload for 5 months now. The issue was supposed to be embargoed (in fact, just waiting on Debian...). Please review the fixed packages!!! If you don't have time to review it, just accept that I upload then. http://archive.gplhost.com/pub/security/extplorer/ Sorry about that. Please upload, I will take care of this. Cheers, Giuseppe signature.asc Description: OpenPGP digital signature
Bug#728823: [Pkg-chromium-maint] Bug#728823: Fails to start: Running without the SUID sandbox!
Hi, commit 64b895bf23943f8c72a49216d24e36b128213167 Author: Giuseppe Iuculano iucul...@debian.org Date: Mon Oct 21 13:05:14 2013 +0200 Move chrome_sandbox to chrome-sandbox, chromium reads that file Your -2 uploads didn't contain my -1 changes. Michael, please, please, update your local git copy *before* any future uploads. Cheers, Giuseppe On 05/11/2013 22:57, Michael Biebl wrote: Package: chromium Version: 30.0.1599.101-2 Severity: grave File: /usr/bin/chromium After the latest upgrade, trying to start chromium results in $ chromium [19832:19832:1105/225629:FATAL:browser_main_loop.cc(160)] Running without the SUID sandbox! See https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment for more information on developing with the sandbox on. Aborted -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (200, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.11-1-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages chromium depends on: ii chromium-inspector 30.0.1599.101-2 ii gconf-service3.2.6-1 ii libasound2 1.0.27.2-3 ii libatk1.0-0 2.10.0-2 ii libc62.17-93 ii libcairo21.12.16-2 ii libcups2 1.6.3-1 ii libdbus-1-3 1.6.18-1 ii libexpat12.1.0-4 ii libfontconfig1 2.11.0-1 ii libfreetype6 2.4.9-1.1 ii libgcc1 1:4.8.2-1 ii libgconf-2-4 3.2.6-1 ii libgcrypt11 1.5.3-2 ii libgdk-pixbuf2.0-0 2.28.2-1 ii libglib2.0-0 2.36.4-1 ii libgnome-keyring03.8.0-2 ii libgtk2.0-0 2.24.22-1 ii libjpeg8 8d-1 ii libnspr4 2:4.10.1-1 ii libnss3 2:3.15.2-1 ii libnss3-1d 2:3.15.2-1 ii libpango-1.0-0 1.36.0-1 ii libpangocairo-1.0-0 1.36.0-1 ii libspeechd2 0.7.1-6.2 ii libstdc++6 4.8.2-1 ii libudev1 204-5 ii libx11-6 2:1.6.2-1 ii libxcomposite1 1:0.4.4-1 ii libxdamage1 1:1.1.4-1 ii libxext6 2:1.3.2-1 ii libxfixes3 1:5.0.1-1 ii libxml2 2.9.1+dfsg1-3 ii libxrender1 1:0.9.8-1 ii libxslt1.1 1.1.28-2 ii libxss1 1:1.2.2-1 ii xdg-utils1.1.0~rc1+git20111210-7 chromium recommends no packages. Versions of packages chromium suggests: pn chromium-l10n none -- no debconf information ___ Pkg-chromium-maint mailing list pkg-chromium-ma...@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-chromium-maint signature.asc Description: OpenPGP digital signature
Bug#717567: [8251afb] Fix for Bug#717567 committed to git
tags 717567 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Thu, 5 Sep 2013 13:34:36 +0200. The fix will be in the next upload. = Fix FTBFS[kfreebsd] Closes: #717567 Thanks: Christoph Egger = You can check the diff of the fix at: http://git.debian.org/?p=collab-maint/smartmontools.git;a=commitdiff;h=8251afb -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#706909: [5ae3fa9] Fix for Bug#706909 committed to git
tags 706909 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Sun, 2 Jun 2013 10:08:14 +0200. The fix will be in the next upload. = Use /var/lib/smartmontools/drivedb for drivedb.h updates Closes: #706909 = You can check the diff of the fix at: http://git.debian.org/?p=collab-maint/smartmontools.git;a=commitdiff;h=5ae3fa9 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#702261: libv8: CVE-2012-5153 CVE-2013-0836
On 04/03/2013 16:39, Moritz Muehlenhoff wrote: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5153 Fix: https://code.google.com/p/v8/source/detail?r=13161 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0836 Fix: https://code.google.com/p/v8/source/detail?r=12543 Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#699887: Security fix for #699887, CVE-2013-0169
Hi Roland, On 07/02/2013 22:58, Roland Stigge wrote: I prepared a security upload for stable (attached debdiff). Should I upload it to stable-security(security-master)? Thanks for contacting us. please upload to security-master (please make sure to include the .orig.tar.gz in the upload, -sa switch), I will take care of this. Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#695224: Locale::Maketext security fix: real world breakage?
Hi Dominic, On 04/02/2013 21:28, Dominic Hargreaves wrote: I had no replies about this, so I think it's time to bite the bullet and decide whether we should target this fix at - stable-security - stable - neither of the above. I think I'm leaning towards stable on the basis that that's a slightly safer place to land a possibly-problematic fix, as well as the fact I don't know of any real world exploits for this, but I an open to (and welcome) all comments. I seem to remember reading that a point release of squeeze is due quite soon, but I couldn't find an announcment of such. from http://openwall.com/lists/oss-security/2012/12/11/4: I think the vulnerability is effective only when attacker has first argument of maketext() under control. However that means the attacker can run any code even without this `vulnerability'. It's like saying glibc's gettext() is vulnerable. But that's not true. Sure gettext(%s, user_input) is not safe, but this is flaw in the caller, not in the gettext. The same applies to Locale::Maketext::maketext(). Petr Pisar 2012-12-06 11:18:46 EST This is CVE-2012-6329 and I think this doesn't warrant a DSA, please fix it in stable. Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#695703: [Pkg-chromium-maint] Bug#695703: chromium-browser: diff for NMU version 22.0.1229.94~r161065+dfsg-0.1
On 02/01/2013 12:15, David Prévot wrote: I've prepared an NMU for chromium-browser (versioned as 22.0.1229.94~r161065+dfsg-0.1) and uploaded it to DELAYED/2. No, you haven't uploaded it to DELAYED/2. signature.asc Description: OpenPGP digital signature
Bug#696179: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Hi, On 17/12/2012 18:21, Jonathan Wiltshire wrote: Security team: is it too late to get a CVE through you now that a public bug has been filed? And should a DSA be prepared, as I have not looked but can be fairly sure this will affect stable. yes, if it is public, we cannot assign a CVE. you can ask cve-ass...@mitre.org to request one. The window of opportunity is small but the impact could be significant (drive-by downloads, session theft, XSS etc). Actually, it’s not small. Ok, what I really meant was that you'd have to know someone is using Mediawiki to read your feed, which is probably feasible but I can't imagine there are thousands of people doing so. We don't really know either way, we should probably play it cautious. I agree, this issue doesn't warrant a DSA, but you could still fix it through a point update: http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#677393: [743e0f4] Fix for Bug#677393 committed to git
tags 677393 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Mon, 16 Jul 2012 12:00:06 +0200. The fix will be in the next upload. = Fixed FTBFS in kfreebsd Closes: #677393 Thanks: Petr Salinger = You can check the diff of the fix at: http://git.debian.org/?p=collab-maint/smartmontools.git;a=commitdiff;h=743e0f4 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#677393: [f10872d] Fix for Bug#677393 committed to git
tags 677393 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Mon, 16 Jul 2012 14:30:09 +0200. The fix will be in the next upload. = Really fix FTBFS on kfreebsd Closes: #677393 Thanks: Petr Salinger = You can check the diff of the fix at: http://git.debian.org/?p=collab-maint/smartmontools.git;a=commitdiff;h=f10872d -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#679848: [Pkg-chromium-maint] Bug#679848: chromium: everything related to chrome:// is broken
Hi Norbert! On 07/02/2012 04:53 AM, Norbert Preining wrote: In short, everything that starts with chromium:// Did you mean chrome:// ? Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#676142: [16216c8] Fix for Bug#676142 committed to git
tags 676142 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Wed, 13 Jun 2012 16:29:49 +0200. The fix will be in the next upload. = Fixed FTBFS on kfreebsd. Closes: #676142 Thanks: Petr Salinger = You can check the diff of the fix at: http://git.debian.org/?p=collab-maint/smartmontools.git;a=commitdiff;h=16216c8 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#676636: [c0e9499] Fix for Bug#676636 committed to git
tags 676636 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Tue, 12 Jun 2012 11:06:24 +0200. The fix will be in the next upload. = Improved sqlite patch. Thanks: Andrew Chant Closes: #676636 = You can check the diff of the fix at: http://anonscm.debian.org/gitweb/?p=pkg-chromium/pkg-chromium.git;a=commitdiff;h=c0e9499 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#676636: [e2adf90] Fix for Bug#676636 committed to git
tags 676636 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Mon, 11 Jun 2012 16:16:37 +0200. The fix will be in the next upload. = Applied sqlite patch and fixed omnibox crash Closes: #676636 = You can check the diff of the fix at: http://anonscm.debian.org/gitweb/?p=pkg-chromium/pkg-chromium.git;a=commitdiff;h=e2adf90 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#675563: [Pkg-chromium-maint] Bug#675563: chromium: builds against embedded binary binutils-gold that does not include source
On 02/06/2012 08:15, shawn wrote: I noticed this while trying to get this package to build on armel. Could you patch debian/control and try to build on armel again please? --- a/debian/control +++ b/debian/control @@ -64,7 +64,7 @@ Build-Depends: cdbs, libxt-dev, libxtst-dev, libpam0g-dev, - binutils-gold [!armel !armhf], + binutils-gold, libflac-dev, libwebp-dev, autotools-dev, signature.asc Description: OpenPGP digital signature
Bug#674081: [16893a8] Fix for Bug#674081 committed to git
tags 674081 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Mon, 28 May 2012 10:41:13 +0200. The fix will be in the next upload. = Support serial UPS connection on kfreebsd Closes: #674081 Thanks: Steven Chamberlain = You can check the diff of the fix at: http://git.debian.org/?p=collab-maint/apcupsd.git;a=commitdiff;h=16893a8 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#671994: [8cb8e89] Fix for Bug#671994 committed to git
tags 671994 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Sat, 19 May 2012 10:22:05 +0200. The fix will be in the next upload. = Use gcc 4.6 for the moment Closes: #671994 = You can check the diff of the fix at: http://anonscm.debian.org/gitweb/?p=pkg-chromium/pkg-chromium.git;a=commitdiff;h=8cb8e89 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#665007: CVE-2012-1185 / CVE-2012-1186: incomplete ImageMagick fixes for CVE-2012-0247 / CVE-2012-0248
Package: imagemagick Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, The original fixes for the ImageMagick issues CVE-2012-0247 and CVE-2012-0248 are incomplete. Please see: http://seclists.org/oss-sec/2012/q1/685 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1185 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1186 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAk9q/WUACgkQNxpp46476arBQgCeLZLei0zKKvxadUhYfFUpLw6f EF4An30VihPmJDQmyY8MzuOibIoIT5Yx =mRjI -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#665012: CVE-2012-1570: maradns deleted domain record cache persistance flaw
Package: maradns Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 It was reported that MaraDNS suffers from a flaw where it is susceptible to spoofing attacks. Due to an error in the cache update policy, which does not properly handle revoked domain names, a remote attacker could keep a domain name resolvable after it has been deleted from the registration. This flaw is fixed in versions 1.3.0.7.15 and 1.4.12, and is reported to affect all prior versions. References: http://www.maradns.org/changelog.html https://secunia.com/advisories/48492/ https://bugzilla.redhat.com/show_bug.cgi?id=804770 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAk9q/sIACgkQNxpp46476arqDQCfSFeWlawN7py9L5lKIE+xR1ix ATIAn0DxeHe7ugtuET2C9uHbJcAkIwkz =Pu/Y -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#660159: [b88a849] Fix for Bug#660159 committed to git
tags 660159 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Sun, 19 Feb 2012 20:18:27 +0100. The fix will be in the next upload. = Remove ardcoded dependency on libvpx0 Closes: #660159 = You can check the diff of the fix at: http://anonscm.debian.org/gitweb/?p=pkg-chromium/pkg-chromium.git;a=commitdiff;h=b88a849 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#656057: CVE-2011-2830
On 16/01/2012 09:43, Giuseppe Iuculano wrote: This is not for libv8, CVE description is wrong, this affects webkit: http://trac.webkit.org/changeset/93495 Or better, the issue is in the V8 binding source in webkit. We use that code only in chromium, I will check if stable is affected. Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#654534: Patch
tag 654534 patch thanks CVE-2011-3892 http://src.chromium.org/viewvc/chrome?view=revrevision=107489 CVE-2011-3893 this is due to http://llvm.org/bugs/show_bug.cgi?id=7554 http://src.chromium.org/viewvc/chrome?view=revrevision=106599 http://src.chromium.org/viewvc/chrome?view=revrevision=106621 CVE-2011-3895 http://src.chromium.org/viewvc/chrome?view=revrevision=107662 http://src.chromium.org/viewvc/chrome?view=revrevision=107826 signature.asc Description: OpenPGP digital signature
Bug#516394: [CVE-2008-4392]
Dear Sergiusz, it seems my reply to your private email didn't convince you, so replying again on behalf of the Security Team. Dear Security Team, CVE-2008-4392 has Candidate status and is being reviewed for almost three years now, and still must accepted by the CVE Editorial Board[0]. This is unimportant, there are a lot of of CVEs under review, this doesn't mean they are invalid Why, after so many years, Debian Security Team, after a clear statement from prof. Bernstain[1], without confirmation of this rumour from CVE Editorial Board, still blocks djbdns software from the society? Thijs already wrote we are waiting a patch. All resolver in the Debian archive are properly hardened against cache poisoning, I really don't understand why djbdns should be an exception. Attackers with an access to the network are able to forge DNS responses, and if we treat is as a bug, we must remove all DNS cache software from Debian ASAP. If you are privy to a way to poison other resolver in the Debian archive, please open a bug and we will be happy to discuss the impact. Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#640591: smbind: diff for NMU version 0.4.7-5.1
On 12/10/2011 02:27 PM, gregor herrmann wrote: Dear maintainer, I've prepared an NMU for smbind (versioned as 0.4.7-5.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Gregor, thanks for your NMU. Please upload to DELAYED/0 Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#643648: CVE-2011-2834 and CVE-2011-2821
Package: libxml2 Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, two libxml2 issues were fixed in the latest chrome updates: CVE-2011-2821 Double free vulnerability in libxml2, as used in Google Chrome before 13.0.782.215, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted XPath expression. Patch: http://git.gnome.org/browse/libxml2/commit/?id=fec31bcd452e77c10579467ca87a785b41115de6 CVE-2011-2834 Double free vulnerability in libxml2, as used in Google Chrome before 14.0.835.163, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling. Patch: http://src.chromium.org/viewvc/chrome?view=revrevision=98359 Cheers, Giuseppe -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk6C/OYACgkQNxpp46476apt2ACdHKTvWjo4WoxEWsVD6Z7a9elU AFgAn2ml9iJvUDCXczdrJcVH1PIknJFT =EMJW -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Hi, On 09/04/2011 09:20 PM, Raphael Geissert wrote: NSS now ships modified certs of DigiNotar, their name is Explicitly Disabled DigiNotar rest of the original CN here In chromium, for example, if you browse a DigiNotar-signed website and check the certificate chain you will see the Explicitly Disabled cert there. Giuseppe, do you already have plans for updating chromium? (more info on the CCed bug.) chromium uses libnss, please explain, what kind of update chromium needs? did I miss something? Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#639733: wordpress: Wordpress breaks TinyMCE install
tags 639733 moreinfo unreproducible thanks Hi, On 08/29/2011 08:43 PM, Laurens Blankers wrote: Upgrading from 3.0.5+dfsg-1 to 3.2.1+dfsg-1 causes plugin files to be written to /usr/share/tinymce which is partily symlinked from /usr/share/wordpress/wp-includes/js/tinymce/ this in turns causes TinyMCE to BREAK on Firefox 6 and Chrome 13. Which in turn breaks applications such as Roundcube hence the critical severity. Wordpress should NEVER write files in another packages directory! The only way to fix this is to force the removal of tinymce manually delete the directory and then reinstall tinymce. I can't reproduce this, could you show me which plugins are written in /usr/share/tinymce please? Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#639126: [73b0e59] Fix for Bug#639126 committed to git
tags 639126 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Wed, 24 Aug 2011 14:25:06 +0200. The fix will be in the next upload. = Fixed the dummy chromium-browser-l10n dependency Closes: #639126 = You can check the diff of the fix at: http://anonscm.debian.org/gitweb/?p=pkg-chromium/pkg-chromium.git;a=commitdiff;h=73b0e59 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#631815: reinstalling didn't fix the issue
In my case, reinstalling didn't fix the issue (Derbian testing i386) Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#631615: CVE-2011-2192: libcurl inappropriate GSSAPI delegation
Package: curl Version: 7.21.6-1 Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Please see http://curl.haxx.se/docs/adv_20110623.html Cheers, Giuseppe. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk4F07cACgkQNxpp46476aqlfwCeP8tSFJPpNkME0Jr4snwc00Um 4dsAnRIq4WskZHnxV1JBmEAmyWonbVMy =jc5G -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#626445: [Pkg-chromium-maint] Bug#626445: multiple (89!) security issues in chromium
Hi Antoine, thanks for the bug report. On 05/12/2011 06:14 AM, Antoine Beaupré wrote: But the version in stable is a much more serious issue. I do not think there is the possbility of maintaining that branch all by ourselves here, and I would recommend either dropping the package from stable and rely on backports, or simply ship the next squeeze release with the 10.x version. Right now, I have the feeling that a lot of people are using Google Chrome's Debian package instead of the chromium package. People like me that stick with the Debian package are actually left in the cold with an outdated version that is actually very vulnerable. This situation seems rather problematic and should be resolved. The situation is not so problematic, chromium in squeeze is vulnerable to only 7 CVEs, I will update the tracker and do a security upload soon. A sid upload is also on the way. Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#564853: [0d4b071] Fix for Bug#564853 committed to git
tags 564853 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Sun, 20 Mar 2011 11:11:40 +0100. The fix will be in the next upload. = Fix FTBFS with gcc 4.5 , patch from Ubuntu Closes: #564853 Thanks: shankao = You can check the diff of the fix at: http://git.debian.org/?p=pkg-amule/amule.git;a=commitdiff;h=0d4b071 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#617418: CVE
# [$1000] [74675] High Invalid memory access in v8. Credit to Christian Holler. http://code.google.com/p/v8/issues/detail?id=1146 Patch: http://code.google.com/p/v8/source/detail?r=6773 This is CVE-2011-1286 # [$1000] [74662] High Corruption via re-entrancy of RegExp code. Credit to Christian Holler. http://code.google.com/p/v8/issues/detail?id=1108 Patch: http://code.google.com/p/v8/source/detail?r=6794 http://code.google.com/p/v8/source/detail?r=6805 http://code.google.com/p/v8/source/detail?r=6837 This is CVE-2011-1285 # [$1337] [70877] High Same origin policy bypass in v8. Credit to Daniel Divricean. I have no info at this moment, could you ask upstream more info? This is CVE-2011-1193 #[$1337] [69187] Medium Cross-origin error message leak. Credit to Daniel Divricean. http://code.google.com/p/v8/source/detail?r=6435 This is CVE-2011-1187 Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#617418: v8 security issues fixed in chromium 10.0.648.127
Package: libv8 Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, chromium 10.0.648.127 fixed the following security issues in libv8: # [$1000] [74675] High Invalid memory access in v8. Credit to Christian Holler. http://code.google.com/p/v8/issues/detail?id=1146 Patch: http://code.google.com/p/v8/source/detail?r=6773 # [$1000] [74662] High Corruption via re-entrancy of RegExp code. Credit to Christian Holler. http://code.google.com/p/v8/issues/detail?id=1108 Patch: http://code.google.com/p/v8/source/detail?r=6794 http://code.google.com/p/v8/source/detail?r=6805 http://code.google.com/p/v8/source/detail?r=6837 # [$1337] [70877] High Same origin policy bypass in v8. Credit to Daniel Divricean. I have no info at this moment, could you ask upstream more info? #[$1337] [69187] Medium Cross-origin error message leak. Credit to Daniel Divricean. http://code.google.com/p/v8/source/detail?r=6435 These need to be backported for squeeze. Cheers, Giuseppe. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk12geEACgkQNxpp46476arHAwCdERD5hFencMybvi3op77F44hB TcsAnRz4NuVIvKfbJDJSyllux4OExL7y =0+Lf -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#612618: [Pkg-chromium-maint] Bug#612618: FTBFS: chrome/common/metrics_helpers.cc:22:20: error: prtime.h: No such file or directory
Hey Timo, On 02/09/2011 04:42 PM, Timo Juhani Lindfors wrote: chrome/common/metrics_helpers.cc:22:20: error: prtime.h: No such file or directory Have you installed libnspr4-dev? Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#611518: [Pkg-chromium-maint] Bug#611518: chromium-browser: FTBFS v8/src/arm/macro-assembler-arm.cc:61:3: error: #error For thumb inter-working we require an architecture which supports blx
Hi Timo, On 01/30/2011 01:57 PM, Timo Juhani Lindfors wrote: the contents of src/v8 seems match what is in libv8. Would it be possible to avoid compiling src/v8 if chromium-browser is anyway using external libv8? yes, the version in squeeze already compiles against libv8. The next version in sid will use libv8 too. Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#610510: CVE-2010-4489: Integer Overflow in VP8 decoding leads to memory corruption
Package: libvpx Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for libvpx. CVE-2010-4489[0]: | Google Chrome before 8.0.552.215 does not properly handle WebM video, | which allows remote attackers to cause a denial of service | (out-of-bounds read) via unspecified vectors. NOTE: this vulnerability | exists because of a regression. Please ask upstream for an isolated patch for squeeze. - From the chromium side, they fixed this isssue with the following commits: http://src.chromium.org/viewvc/chrome?view=revrevision=65287 http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/libvpx/source/libvpx/vp8/vp8_dx_iface.c?r1=65147r2=65287pathrev=65287 http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/libvpx/source/libvpx/vp8/decoder/decodframe.c?r1=65147r2=65287pathrev=65287 If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4489 http://security-tracker.debian.org/tracker/CVE-2010-4489 Cheers, Giuseppe -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk02uNoACgkQNxpp46476ao4YQCeIqJuuWg6L1VSQz1iebm49sUz ddEAn33+fQlL4Ytg7XglpS7SlGd3Z50W =WEhI -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#608273: CVE-2010-3853: pam_namespace executes namespace.init with service's environment
Package: pam Severity: serious Tags: security patch -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Tomas Mraz pointed out that pam_namespace PAM module executes external namespace.init script with an environment settings inherited form the program or service that has pam_namespace configured. Please see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3853 http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_namespace/pam_namespace.c?view=log#rev1.13 https://rhn.redhat.com/errata/RHSA-2010-0819.html If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. Cheers, Giuseppe. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk0bUJsACgkQNxpp46476arzpwCfRYu4yznLD6z970bUPNbJkeE7 0qsAn10ej9XnZ3hnXoQF5PlGXZC9TYfD =OuIG -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
Package: tomcat6 Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for tomcat6. CVE-2010-4312[0]: | The default configuration of Apache Tomcat 6.x does not include the | HTTPOnly flag in a Set-Cookie header, which makes it easier for remote | attackers to hijack a session via script access to a cookie. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4312 http://security-tracker.debian.org/tracker/CVE-2010-4312 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk0bcAIACgkQNxpp46476aob7wCeK2joFZ0VfbEB2bXj5TX1B3IC DJQAoIO6Kda29+lblIBOTMgPm8xsTB5q =/b1G -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#608288: CVE-2010-4254
Package: moon Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for moon. CVE-2010-4254[0]: | Mono, when Moonlight before 2.3.0.1 or 2.99.x before 2.99.0.10 is | used, does not properly validate arguments to generic methods, which | allows remote attackers to bypass generic constraints, and possibly | execute arbitrary code, via a crafted method call. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4254 http://security-tracker.debian.org/tracker/CVE-2010-4254 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk0bcLIACgkQNxpp46476ar3VQCeMCkgi2LOffgbYtJ1VFi16BZY jA4An3O+Jp9RxvLxI+JdU4RnIuJ1pru7 =Dusj -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#608289: CVE-2010-3905
Package: eucalyptus Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for eucalyptus. CVE-2010-3905[0]: | The password reset feature in the administrator interface for | Eucalyptus 2.0.0 and 2.0.1 does not perform authentication, which | allows remote attackers to gain privileges by sending password reset | requests for other users. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3905 http://security-tracker.debian.org/tracker/CVE-2010-3905 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk0bcX4ACgkQNxpp46476aolcACdEyRVzIIcJcjb3MnpIkIa6U/6 JMAAn2y10CbObsCW/xQxWLkOCyJIq4E6 =IPi5 -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#608290: CVE-2010-4480 CVE-2010-4481
Package: phpmyadmin Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) ids were published for phpmyadmin. CVE-2010-4480[0]: | error.php in PhpMyAdmin 3.3.8.1, and other versions before | 3.4.0-beta1, allows remote attackers to conduct cross-site scripting | (XSS) attacks via a crafted BBcode tag containing @ characters, as | demonstrated using [...@url@page]. CVE-2010-4481[1]: | phpMyAdmin before 3.4.0-beta1 allows remote attackers to bypass | authentication and obtain sensitive information via a direct request | to phpinfo.php, which calls the phpinfo function. If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4480 http://security-tracker.debian.org/tracker/CVE-2010-4480 [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4481 http://security-tracker.debian.org/tracker/CVE-2010-4481 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk0bdHwACgkQNxpp46476aofUACfaJ8qZk9hruUgU4JuL5t+oDW7 nVkAn2VBTXIrA3x0z85C7DUdLnRo/fkj =pVQM -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#607922: CVE-2010-4494: memory corruption (double-free) in XPath processing code
Package: libxml2 Severity: serious Tags: security patch -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for libxml2. CVE-2010-4494[0]: | Double free vulnerability in Google Chrome before 8.0.552.215 allows | remote attackers to cause a denial of service or possibly have | unspecified other impact via vectors related to XPath handling. Patch: http://git.gnome.org/browse/libxml2/commit/?id=df83c17e5a2646bd923f75e5e507bc80d73c9722 http://git.gnome.org/browse/libxml2/commit/?id=fec31bcd452e77c10579467ca87a785b41115de6 If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4494 http://security-tracker.debian.org/tracker/CVE-2010-4494 http://code.google.com/p/chromium/issues/detail?id=63444 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk0Ujz4ACgkQNxpp46476aolzACfaHIcOhuivzJBkMyY7RJnx2eF lsEAnRb/JFF6MetVtL68wbKMWpZAMWP1 =cbLo -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#607240: [f29b6ac] Fix for Bug#607240 committed to git
tags 607240 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Fri, 17 Dec 2010 10:59:01 +0100. The fix will be in the next upload. = Use GPL-compliant lyrics in the hello dolly plugin. Closes: #607240 = You can check the diff of the fix at: http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=f29b6ac -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#602732: [612c23f] Fix for Bug#602732 committed to git
tags 602732 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Mon, 6 Dec 2010 16:51:02 +0100. The fix will be in the next upload. = Remove flv_player.swf from manifest.php Closes: #602732 = You can check the diff of the fix at: http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=612c23f -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#602693: Memory corruption in libvpx
Package: libvpx Version: 0.9.1-1 Severity: serious Tags: security patch -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, Christoph Diehl discovered a memory corruption in libvpx. (see the chromium blog post[0], [$1000] [60055] High Memory corruption in libvpx. Credit to Christoph Diehl.) Patch: https://review.webmproject.org/#change,928 [0] http://googlechromereleases.blogspot.com/2010/11/stable-channel-update.html Cheers, Giuseppe. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkzWcQAACgkQNxpp46476arvJACggX5WwHL8bAtBD45YFbD4VokK rO8Anj9dRhk/WUWk2kg8XJ55QlCdVJS8 =8Jj8 -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#602693: Memory corruption in libvpx
On 11/07/2010 10:27 AM, Giuseppe Iuculano wrote: Patch: https://review.webmproject.org/#change,928 Please also apply the following regression patch: http://review.webmproject.org/#change,1098 Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#602609: CVE-2010-4008: does not well process a malformed XPATH
Package: libxml2 Version: 2.7.7.dfsg-4 Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, it was discovered that libxml2 does not well process a malformed XPATH, causing crash and allowing arbitrary code execution. Patch: http://git.gnome.org/browse/libxml2/commit/?id=91d19754d46acd4a639a8b9e31f50f31c78f8c9c http://git.gnome.org/browse/libxml2/commit/?id=ea90b894146030c214a7df6d8375310174f134b9 Cheers, Giuseppe. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkzVVoYACgkQNxpp46476arbpwCeK9pEIv7u4PC+3YAfUO67eADI Ls0An045V3eap6+bhfM88as/0hq+tEqw =ymuH -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#602609: Acknowledgement (CVE-2010-4008: does not well process a malformed XPATH)
fixed 602609 2.7.8.dfsg-1 thanks It was fixed in 2.7.8 Cheers, Giuseppe signature.asc Description: OpenPGP digital signature
Bug#597856: CVE-2010-3412: memory overrun issue in CPU profiler
Package: libv8 Severity: serious Tags: security patch -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for libv8. CVE-2010-3412[0]: | Race condition in the console implementation in Google Chrome before | 6.0.472.59 has unspecified impact and attack vectors. Patch: http://code.google.com/p/v8/source/detail?r=5393 If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3412 http://security-tracker.debian.org/tracker/CVE-2010-3412 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkybfD0ACgkQNxpp46476arGqACfcGq98JaVWh6zMTxQG2Uqt8Rc PjsAn3qbWZlOVz/QwESYUpD/fUd2/RWX =Bgvv -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#597856: CVE-2010-3412: memory overrun issue in CPU profiler
On 09/23/2010 06:18 PM, Jérémy Lal wrote: Thank you Giuseppe, i'll fix this tonight. You are welcome. Feel free to ping me if you need a sponsor. Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#590296: wget: diff for NMU version 1.12-2.1
tags 590296 + pending thanks Dear maintainer, I've prepared an NMU for wget (versioned as 1.12-2.1) and uploaded it to DELAYED/1. Please feel free to tell me if I should delay it longer. Regards. Giuseppe. diff -Nru wget-1.12/debian/changelog wget-1.12/debian/changelog --- wget-1.12/debian/changelog 2010-04-10 00:54:51.0 +0200 +++ wget-1.12/debian/changelog 2010-09-05 15:35:56.0 +0200 @@ -1,3 +1,12 @@ +wget (1.12-2.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fixed CVE-2010-2252: use of server provided file name might lead to +overwriting arbitrary files. Thanks to Marc Deslauriers and the Ubuntu +Security team (Closes: #590296) + + -- Giuseppe Iuculano iucul...@debian.org Sun, 05 Sep 2010 15:33:19 +0200 + wget (1.12-2) unstable; urgency=low * acknoledge NMUs. Thanks for your work/help Matt and Anthony diff -Nru wget-1.12/debian/patches/00list wget-1.12/debian/patches/00list --- wget-1.12/debian/patches/00list 2010-04-09 22:48:09.0 +0200 +++ wget-1.12/debian/patches/00list 2010-09-05 15:35:56.0 +0200 @@ -5,3 +5,4 @@ wget-infopod_generated_manpage.dpatch wget-de.po-remove-double-quote-signs wget-zh_CN.po-translation-correction +CVE-2010-2252 diff -Nru wget-1.12/debian/patches/CVE-2010-2252.dpatch wget-1.12/debian/patches/CVE-2010-2252.dpatch --- wget-1.12/debian/patches/CVE-2010-2252.dpatch 1970-01-01 01:00:00.0 +0100 +++ wget-1.12/debian/patches/CVE-2010-2252.dpatch 2010-09-05 15:35:56.0 +0200 @@ -0,0 +1,162 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +# Description: fix arbitrary file overwrite via 3xx redirect +# Origin: upstream, http://lists.gnu.org/archive/html/bug-wget/2010-07/msg00076.html +# Bug: https://savannah.gnu.org/bugs/?29958 +# Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590296 + +...@dpatch@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/doc/wget.texi wget/doc/wget.texi +--- wget~/doc/wget.texi 2010-09-05 15:32:44.0 +0200 wget/doc/wget.texi 2010-09-05 15:32:44.0 +0200 +@@ -1487,6 +1487,13 @@ + @code{Content-Disposition} headers to describe what the name of a + downloaded file should be. + +...@cindex Trust server names +...@item --trust-server-names ++ ++If this is set to on, on a redirect the last component of the ++redirection URL will be used as the local file name. By default it is ++used the last component in the original URL. ++ + @cindex authentication + @item --auth-no-challenge + +@@ -2797,6 +2804,10 @@ + Turn on recognition of the (non-standard) @samp{Content-Disposition} + HTTP header---if set to @samp{on}, the same as @samp{--content-disposition}. + +...@item trust_server_names = on/off ++If set to on, use the last component of a redirection URL for the local ++file name. ++ + @item continue = on/off + If set to on, force continuation of preexistent partially retrieved + files. See @samp{-c} before setting it. +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/http.c wget/src/http.c +--- wget~/src/http.c 2010-09-05 15:30:22.0 +0200 wget/src/http.c 2010-09-05 15:32:44.0 +0200 +@@ -2410,8 +2410,9 @@ + /* The genuine HTTP loop! This is the part where the retrieval is +retried, and retried, and retried, and... */ + uerr_t +-http_loop (struct url *u, char **newloc, char **local_file, const char *referer, +- int *dt, struct url *proxy, struct iri *iri) ++http_loop (struct url *u, struct url *original_url, char **newloc, ++ char **local_file, const char *referer, int *dt, struct url *proxy, ++ struct iri *iri) + { + int count; + bool got_head = false; /* used for time-stamping and filename detection */ +@@ -2457,7 +2458,8 @@ + } + else if (!opt.content_disposition) + { +- hstat.local_file = url_file_name (u); ++ hstat.local_file = ++url_file_name (opt.trustservernames ? u : original_url); + got_name = true; + } + +@@ -2497,7 +2499,7 @@ + + /* Send preliminary HEAD request if -N is given and we have an existing +* destination file. */ +- file_name = url_file_name (u); ++ file_name = url_file_name (opt.trustservernames ? u : original_url); + if (opt.timestamping +!opt.content_disposition +file_exists_p (file_name)) +@@ -2852,9 +2854,9 @@ + + /* Remember that we downloaded the file for later .orig code. */ + if (*dt ADDED_HTML_EXTENSION) +-downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file); ++downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file); + else +-downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file); ++downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file); + + ret
Bug#591195: [e8a913f] Fix for Bug#591195 committed to git
tags 591195 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Wed, 1 Sep 2010 23:43:44 +0200. The fix will be in the next upload. = Remove swfupload.swf from the binary package, as it cannot be built from source, violating the Policy. Closes: #591195 = You can check the diff of the fix at: http://git.debian.org/?p=users/derevko-guest/wordpress.git;a=commitdiff;h=e8a913f -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#594300: CVE-2010-2810: Heap-based buffer overflow
Package: lynx-cur Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for lynx-cur. CVE-2010-2810[0]: | Heap-based buffer overflow in the convert_to_idna function in | WWW/Library/Implementation/HTParse.c in Lynx 2.8.8dev.1 through | 2.8.8dev.4 allows remote attackers to cause a denial of service | (application crash) or possibly execute arbitrary code via a malformed | URL containing a % (percent) character in the domain name. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2810 http://security-tracker.debian.org/tracker/CVE-2010-2810 Cheers, Giuseppe. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkx0w80ACgkQNxpp46476aroEgCeL1nbj8J2tIr13q2y4Bc712rU uncAnjVm0hTC4nESvaq7j1RV50gkVlQZ =L8OU -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#594301: CVE-2010-2809: The default configuration does not properly use the @SELECTED_URI feature
Package: uzbl Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for uzbl. CVE-2010-2809[0]: | The default configuration of the lt;Button2gt; binding in Uzbl before | 2010.08.05 does not properly use the @SELECTED_URI feature, which | allows user-assisted remote attackers to execute arbitrary commands | via a crafted HREF attribute of an A element in an HTML document. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2809 http://security-tracker.debian.org/tracker/CVE-2010-2809 Cheers, Giuseppe -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkx0xHAACgkQNxpp46476aqC0QCgkuktJJZdbPH34bU2eD9I4CRi ai8An25seVAEQUkJk6iX5SJG21XSPjNP =SpKj -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#594304: CVE-2010-2790: Multiple cross-site scripting (XSS) vulnerabilities
Package: zabbix Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for zabbix. CVE-2010-2790[0]: | Multiple cross-site scripting (XSS) vulnerabilities in the formatQuery | function in frontends/php/include/classes/class.curl.php in Zabbix | before 1.8.3rc1 allow remote attackers to inject arbitrary web script | or HTML via the (1) filter_set, (2) show_details, (3) filter_rst, or | (4) txt_select parameters to the triggers page (tr_status.php). NOTE: | some of these details are obtained from third party information. Unfortunately the vulnerability described above is not important enough to get it fixed via regular security update in Debian stable. However it would be nice if this could get fixed via a regular point update[1]. Please contact the release team for this. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2790 http://security-tracker.debian.org/tracker/CVE-2010-2790 [1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable Cheers, Giuseppe. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkx0xdoACgkQNxpp46476aqmsgCeLRb69yqdvE6IgcKjrF05NvKj vPUAn0SH1Dk7JRBiItBq+/j0Kj5D933S =d5AS -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#591204: lvm2: diff for NMU version 2.02.66-2.1
tags 591204 + patch tags 591204 + pending thanks Dear maintainer, I've prepared an NMU for lvm2 (versioned as 2.02.66-2.1) and uploaded it to DELAYED/1. Please feel free to tell me if I should delay it longer. Regards. Giuseppe diff -Nru lvm2-2.02.66/debian/changelog lvm2-2.02.66/debian/changelog --- lvm2-2.02.66/debian/changelog 2010-06-18 11:40:08.0 +0200 +++ lvm2-2.02.66/debian/changelog 2010-08-19 11:56:57.0 +0200 @@ -1,3 +1,11 @@ +lvm2 (2.02.66-2.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * CVE-2010-2526: Fix insecure communication between lvm2 and clvmd +(Closes: #591204) + + -- Giuseppe Iuculano iucul...@debian.org Thu, 19 Aug 2010 11:56:07 +0200 + lvm2 (2.02.66-2) unstable; urgency=medium * Make libdevmapper1.02.1 depend on dmsetup. libdevmapper needs new enough diff -Nru lvm2-2.02.66/debian/patches/CVE-2010-2526.patch lvm2-2.02.66/debian/patches/CVE-2010-2526.patch --- lvm2-2.02.66/debian/patches/CVE-2010-2526.patch 1970-01-01 01:00:00.0 +0100 +++ lvm2-2.02.66/debian/patches/CVE-2010-2526.patch 2010-08-19 11:56:57.0 +0200 @@ -0,0 +1,134 @@ +CVE-2010-2526: fix insecure communication between lvm2 and clvmd +--- a/daemons/clvmd/clvm.h b/daemons/clvmd/clvm.h +@@ -45,9 +45,8 @@ struct clvm_header { + #define CLVMD_FLAG_SYSTEMLV 2 /* Data in system LV under my node name */ + #define CLVMD_FLAG_NODEERRS 4 /* Reply has errors in node-specific portion */ + +-/* Name of the local socket to communicate between libclvm and clvmd */ +-//static const char CLVMD_SOCKNAME[]=/var/run/clvmd; +-static const char CLVMD_SOCKNAME[] = \0clvmd; ++/* Name of the local socket to communicate between lvm and clvmd */ ++static const char CLVMD_SOCKNAME[]= /var/run/clvmd.sock; + + /* Internal commands replies */ + #define CLVMD_CMD_REPLY1 +--- a/daemons/clvmd/clvmd.c b/daemons/clvmd/clvmd.c +@@ -139,6 +139,7 @@ static void process_remote_command(struc + static int process_reply(const struct clvm_header *msg, int msglen, + const char *csid); + static int open_local_sock(void); ++static void close_local_sock(int local_socket); + static int check_local_clvmd(void); + static struct local_client *find_client(int clientid); + static void main_loop(int local_sock, int cmd_timeout); +@@ -287,6 +288,14 @@ static const char *decode_cmd(unsigned c + return buf; + } + ++static void check_permissions() ++{ ++ if (getuid() || geteuid()) { ++ log_error(Cannot run as a non-root user.); ++ exit(4); ++ } ++} ++ + int main(int argc, char *argv[]) + { + int local_sock; +@@ -316,6 +325,7 @@ int main(int argc, char *argv[]) + exit(0); + + case 'R': ++ check_permissions(); + return refresh_clvmd(1)==1?0:1; + + case 'S': +@@ -364,6 +374,8 @@ int main(int argc, char *argv[]) + } + } + ++ check_permissions(); ++ + /* Setting debug options on an existing clvmd */ + if (debug_opt !check_local_clvmd()) { + +@@ -524,6 +536,7 @@ int main(int argc, char *argv[]) + /* Do some work */ + main_loop(local_sock, cmd_timeout); + ++ close_local_sock(local_sock); + destroy_lvm(); + + return 0; +@@ -867,7 +880,6 @@ static void main_loop(int local_sock, in + + closedown: + clops-cluster_closedown(); +- close(local_sock); + } + + static __attribute__ ((noreturn)) void wait_for_child(int c_pipe, int timeout) +@@ -1966,20 +1978,30 @@ static int check_local_clvmd(void) + return ret; + } + ++static void close_local_sock(int local_socket) ++{ ++ if (local_socket != -1 close(local_socket)) ++ stack; ++ ++ if (CLVMD_SOCKNAME[0] != '\0' unlink(CLVMD_SOCKNAME)) ++ stack; ++} + + /* Open the local socket, that's the one we talk to libclvm down */ + static int open_local_sock() + { +- int local_socket; ++ int local_socket = -1; + struct sockaddr_un sockaddr; ++ mode_t old_mask; ++ ++ close_local_sock(local_socket); ++ old_mask = umask(0077); + + /* Open local socket */ +- if (CLVMD_SOCKNAME[0] != '\0') +- unlink(CLVMD_SOCKNAME); + local_socket = socket(PF_UNIX, SOCK_STREAM, 0); + if (local_socket 0) { + log_error(Can't create local socket: %m); +- return -1; ++ goto error; + } + + /* Set Close-on-exec non-blocking */ +@@ -1992,18 +2014,19 @@ static int open_local_sock() + sockaddr.sun_family = AF_UNIX; + if (bind(local_socket, (struct sockaddr *) sockaddr, sizeof(sockaddr))) { + log_error(can't bind local socket: %m); +- close(local_socket); +- return -1; ++ goto error; + } + if (listen(local_socket, 1) != 0) { + log_error(listen local: %m); +- close(local_socket); +- return -1; ++ goto error; + } +- if (CLVMD_SOCKNAME[0] != '\0') +- chmod(CLVMD_SOCKNAME, 0600); + ++ umask(old_mask); + return local_socket; ++error: ++ close_local_sock(local_socket); ++ umask(old_mask); ++ return -1; + } + + void process_message(struct local_client *client, const char *buf, int len, diff -Nru lvm2-2.02.66/debian/patches/series lvm2-2.02.66/debian/patches/series --- lvm2-2.02.66/debian/patches/series
Bug#591204: lvm2: diff for NMU version 2.02.66-2.1
On 08/19/2010 12:26 PM, Bastian Blank wrote: Where does this patch come from? It is not included into the upstream source this way. As long as this is not known: NACK. It comes from upstream, I used the essential part of the patch. Please see: https://www.redhat.com/archives/linux-lvm/2010-July/msg00083.html Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#591204: lvm2: diff for NMU version 2.02.66-2.1
On 08/19/2010 12:54 PM, Bastian Blank wrote: Please describe the changes you made. It even differs in the comments. This only shows the annoncement, the patch is in https://bugzilla.redhat.com/attachment.cgi?id=434982 It is the same patch without the configure and Makefile stuff (upstream added --with-default-run-dir configure argument, I instead hardcoded it to /var/run/clvmd.sock ). I removed that part to avoid autoreconf Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#591204: lvm2: diff for NMU version 2.02.66-2.1
On 08/19/2010 01:29 PM, Giuseppe Iuculano wrote: It is the same patch without the configure and Makefile stuff (upstream added --with-default-run-dir configure argument, I instead hardcoded it to /var/run/clvmd.sock ). I removed that part to avoid autoreconf I just noted I forgot check_permissions(); also for case 'S' (restart), I will upload a new revision soon. Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#591204: lvm2: diff for NMU version 2.02.66-2.2
Dear maintainer, I've prepared an NMU for lvm2 (versioned as 2.02.66-2.2) and uploaded it to DELAYED/1. Please feel free to tell me if I should delay it longer. Regards. diff -Nru lvm2-2.02.66/debian/changelog lvm2-2.02.66/debian/changelog --- lvm2-2.02.66/debian/changelog 2010-08-19 11:56:57.0 +0200 +++ lvm2-2.02.66/debian/changelog 2010-08-19 13:48:52.0 +0200 @@ -1,3 +1,10 @@ +lvm2 (2.02.66-2.2) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * CVE-2010-2526: Also check permission on restart. + + -- Giuseppe Iuculano iucul...@debian.org Thu, 19 Aug 2010 13:47:47 +0200 + lvm2 (2.02.66-2.1) unstable; urgency=high * Non-maintainer upload by the Security Team. diff -Nru lvm2-2.02.66/debian/patches/CVE-2010-2526.patch lvm2-2.02.66/debian/patches/CVE-2010-2526.patch --- lvm2-2.02.66/debian/patches/CVE-2010-2526.patch 2010-08-19 11:56:57.0 +0200 +++ lvm2-2.02.66/debian/patches/CVE-2010-2526.patch 2010-08-19 13:48:52.0 +0200 @@ -38,7 +38,7 @@ int main(int argc, char *argv[]) { int local_sock; -@@ -316,6 +325,7 @@ int main(int argc, char *argv[]) +@@ -316,9 +325,11 @@ int main(int argc, char *argv[]) exit(0); case 'R': @@ -46,7 +46,11 @@ return refresh_clvmd(1)==1?0:1; case 'S': -@@ -364,6 +374,8 @@ int main(int argc, char *argv[]) ++ check_permissions(); + return restart_clvmd(clusterwide_opt)==1?0:1; + + case 'C': +@@ -364,6 +375,8 @@ int main(int argc, char *argv[]) } } @@ -55,7 +59,7 @@ /* Setting debug options on an existing clvmd */ if (debug_opt !check_local_clvmd()) { -@@ -524,6 +536,7 @@ int main(int argc, char *argv[]) +@@ -524,6 +537,7 @@ int main(int argc, char *argv[]) /* Do some work */ main_loop(local_sock, cmd_timeout); @@ -63,7 +67,7 @@ destroy_lvm(); return 0; -@@ -867,7 +880,6 @@ static void main_loop(int local_sock, in +@@ -867,7 +881,6 @@ static void main_loop(int local_sock, in closedown: clops-cluster_closedown(); @@ -71,7 +75,7 @@ } static __attribute__ ((noreturn)) void wait_for_child(int c_pipe, int timeout) -@@ -1966,20 +1978,30 @@ static int check_local_clvmd(void) +@@ -1966,20 +1979,30 @@ static int check_local_clvmd(void) return ret; } @@ -106,7 +110,7 @@ } /* Set Close-on-exec non-blocking */ -@@ -1992,18 +2014,19 @@ static int open_local_sock() +@@ -1992,18 +2015,19 @@ static int open_local_sock() sockaddr.sun_family = AF_UNIX; if (bind(local_socket, (struct sockaddr *) sockaddr, sizeof(sockaddr))) { log_error(can't bind local socket: %m); signature.asc Description: Digital signature
Bug#591204: lvm2: diff for NMU version 2.02.66-2.2
On 08/19/2010 02:11 PM, Mehdi Dogguy wrote: Why two NMUs for a single patch? Can't you drop the first one, fix it and re-upload? Because dcut rm --searchdirs lvm2* didn't work, now I'm trying with rm DELAYED/1-day/libvm2* Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#591204: lvm2: diff for NMU version 2.02.66-2.2
On 08/19/2010 03:27 PM, Mehdi Dogguy wrote: I'm sure dcut cancel $changes_files works :) oh, it worked, thanks! :-) Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#591204: lvm2: diff for NMU version 2.02.66-2.1
On 08/19/2010 04:29 PM, Bastian Blank wrote: Sorry, this is not acceptable. The patch - differes in comments, - used path, - removes autoconf parts without reason, autoreconf is called anyway, and - is incomplete. Well, FWIW this is instead acceptable from a NMUer point of view, anyway this isn't important, happy to see that the intent of NMU speeded up the fix for this issue, thanks for the upload. About your upload to security-master, it was rejected: Rejected: lvm2_2.02.39-8.dsc refers to lvm2_2.02.39.orig.tar.gz, but I can't find it in the queue or in the pool. Please build it with orig.tar.gz (-sa), I will take care of the DSA. Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#587732: protobuf: diff for NMU version 2.3.0-2.1
On 07/11/2010 01:51 AM, Iustin Pop wrote: I'm not sure I understand what you mean. The jdk is *not* used during the binary build, except for unittests (if present). The jdk *is* used during the indep build, for the java part. What do you see here as an abuse? Sorry, let me rephrase a bit. If you put openjdk-6 in b-d-i, protobuf can't be built on those archs that hasn't openjdk-6, and imho this can be considered an FTBFS even if the binary build works. Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#587732: protobuf: diff for NMU version 2.3.0-2.1
On 07/11/2010 11:45 AM, Julien Cristau wrote: On Sun, Jul 11, 2010 at 09:05:49 +0200, Giuseppe Iuculano wrote: If you put openjdk-6 in b-d-i, protobuf can't be built on those archs that hasn't openjdk-6, and imho this can be considered an FTBFS even if the binary build works. No, it can't. Please explain why it can't. Cheers, Giuseppe signature.asc Description: OpenPGP digital signature
Bug#587732: protobuf: diff for NMU version 2.3.0-2.1
On 07/11/2010 12:27 PM, Julien Cristau wrote: Because there's no requirement anywhere that says arch:all packages need to be buildable on all architectures. The binary target must be all that is necessary for the user to build the binary package(s) produced from this source package. So I think this is taken for granted. Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#587732: protobuf: diff for NMU version 2.3.0-2.1
On 07/11/2010 12:55 PM, Iustin Pop wrote: Giuseppe, you didn't answer my other question. Can you confirm the package builds fine and the java parts work with gcj? Yes I can. Cheers, Giuseppe signature.asc Description: OpenPGP digital signature
Bug#587732: protobuf: diff for NMU version 2.3.0-2.1
tags 587732 + patch tags 587732 + pending thanks Dear maintainer, I've prepared an NMU for protobuf (versioned as 2.3.0-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards. diff -Nru protobuf-2.3.0/debian/ant-wrapper protobuf-2.3.0/debian/ant-wrapper --- protobuf-2.3.0/debian/ant-wrapper 2010-05-24 18:29:28.0 +0200 +++ protobuf-2.3.0/debian/ant-wrapper 2010-07-10 19:35:10.0 +0200 @@ -1,6 +1,6 @@ #!/bin/sh -JAVA_HOME=/usr/lib/jvm/java-6-openjdk +JAVA_HOME=/usr/lib/jvm/default-java if [ ! -d $JAVA_HOME ]; then echo Can't find java-6-openjdk, please check the build-depends 12 diff -Nru protobuf-2.3.0/debian/changelog protobuf-2.3.0/debian/changelog --- protobuf-2.3.0/debian/changelog 2010-05-24 18:29:28.0 +0200 +++ protobuf-2.3.0/debian/changelog 2010-07-10 19:35:10.0 +0200 @@ -1,3 +1,11 @@ +protobuf (2.3.0-2.1) unstable; urgency=high + + * Non-maintainer upload. + * Build-depends on on default-jdk and set JAVA_HOME to +/usr/lib/jvm/default-java (Closes: #587732) + + -- Giuseppe Iuculano iucul...@debian.org Sat, 10 Jul 2010 18:37:19 +0200 + protobuf (2.3.0-2) unstable; urgency=low * Fix FTBFS on armel (test-suite failure) by disabling optimizations diff -Nru protobuf-2.3.0/debian/control protobuf-2.3.0/debian/control --- protobuf-2.3.0/debian/control 2010-05-24 18:29:28.0 +0200 +++ protobuf-2.3.0/debian/control 2010-07-10 19:35:10.0 +0200 @@ -5,7 +5,7 @@ Uploaders: Robert S. Edmonds edmo...@debian.org Build-Depends: debhelper (= 7), python (= 2.3.5-11), python-setuptools (= 0.6c8), xmlto, ant, zlib1g-dev, - openjdk-6-jdk, unzip + default-jdk, unzip Build-Depends-Indep: python-support (= 0.6) Standards-Version: 3.8.4 Homepage: http://code.google.com/p/protobuf/ -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#587732: protobuf: diff for NMU version 2.3.0-2.1
Hi Iustin, On 07/10/2010 08:39 PM, Iustin Pop wrote: I was planning to revert the move of the openjdk-6 from b-d-i to b-d, as an alternative to depend on default-jdk. The move was done simply to have 'jar' available during the build time for a few optional unittests which need it. I think that reverting that change is an abuse of b-d-i, it isn't supposed to be an optional build-depend list. Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#585757: libglewmx1.5: 1.5.4-1 makes libglc0 crash
Well, since the problem is somewhere in Quesoglc, I built a version of glc with debug symbols, to see where exactly the error is. And surprise, that version worked. The locally rebuilt package without debug symbols also works. Not sure what exactly is the problem, maybe libglc0 was built on a system with the wrong libglew. What about to close this bug then? :) Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#587732: protobuf should B-D on default-jdk
Since openjdk-6-jdk was available before on those arches, I hoped it will come back. Do you think it won't? It wasn't available, protobuf was built in those archs because you had openjdk-6-jdk in Build-Depends-Indep instead of Build-Depends Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#588137: CVE-2010-1625: Cross-site scripting (XSS) vulnerability
Package: lxr-cvs Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for lxr-cvs. CVE-2010-1625[0]: | Cross-site scripting (XSS) vulnerability in LXR Cross Referencer | before 0.9.7 allows remote attackers to inject arbitrary web script or | HTML via vectors related to the search body and the results page for a | search, a different vulnerability than CVE-2009-4497 and | CVE-2010-1448. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1625 http://security-tracker.debian.org/tracker/CVE-2010-1625 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkwxuk8ACgkQNxpp46476aqJAACdHXCgsE0TCu5IzDnbciemz6cA 848An2OoZ/YiLbTXA+23xTP2u6U6xaWx =qvMg -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#588138: CVE-2010-1625: Cross-site scripting (XSS) vulnerability
Package: lxr Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for lxr. CVE-2010-1625[0]: | Cross-site scripting (XSS) vulnerability in LXR Cross Referencer | before 0.9.7 allows remote attackers to inject arbitrary web script or | HTML via vectors related to the search body and the results page for a | search, a different vulnerability than CVE-2009-4497 and | CVE-2010-1448. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1625 http://security-tracker.debian.org/tracker/CVE-2010-1625 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkwxupsACgkQNxpp46476aosxgCgkuY2Cj109ESjFEyZbMOcUuQu YK8AnAy8I7TJSd0IhhBtR5C6CV/Dt9Oz =hikO -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#588036: CVE-2010-1448: Cross-site scripting (XSS) vulnerability
Package: lxr-cvs Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ciao Giacomo, the following CVE (Common Vulnerabilities Exposures) id was published for lxr-cvs. CVE-2010-1448[0]: | Cross-site scripting (XSS) vulnerability in lib/LXR/Common.pm in LXR | Cross Referencer before 0.9.8 allows remote attackers to inject | arbitrary web script or HTML via vectors related to a string in the | search page's TITLE element, a different vulnerability than | CVE-2009-4497 and CVE-2010-1625. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1448 http://security-tracker.debian.org/tracker/CVE-2010-1448 Cheers, Giuseppe -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkwwaiEACgkQNxpp46476ap6rwCfTfeILhDhrGiE0vrpujLXIdFp GDAAn0XzeuMEXfyK0UYaeelDoeJRRF9t =MIdp -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#584946: [Pkg-chromium-maint] Bug#584946: chromium-browser: segfault on startup on armel (openmoko freerunner)
Hi Timo, On 06/25/2010 05:41 PM, Timo Juhani Lindfors wrote: version 5.0.375.70~r48679-2 seems to start on openmoko! I can use the menus but trying to load any page results in a dialog that shows an error message that can not be copypasted. It says something about The following page(s) have become unresponsive Hitting wait button multiple times does not seem to have any effect. All this time chromium-browser uses about 50% of all cpu time and is not swapping. Could you try version 5.0.375.86~r49890-1 when it will be available in armel please? Cheers, Giuseppe signature.asc Description: OpenPGP digital signature
Bug#584946: [Pkg-chromium-maint] Bug#584946: chromium-browser: segfault on startup on armel (openmoko freerunner)
On 06/25/2010 06:50 PM, Timo Juhani Lindfors wrote: Giuseppe Iuculano giuse...@iuculano.it writes: Could you try version 5.0.375.86~r49890-1 when it will be available in armel please? Sure but the blx instructions in libv8 will still be a problem, right? Yes, please open a bug against libv8 package. Cheers, Giuseppe signature.asc Description: OpenPGP digital signature
Bug#581265: [Pkg-chromium-maint] Bug#581265: release blocking bug
block 581265 by 583826 thanks On 05/18/2010 10:21 PM, Moritz Muehlenhoff wrote: The situation has changed a bit: Chromium might still be part of Squeeze. Guiseppe is currently checking with upstream on the feasibility of a upstream support lifetime suitable for the lifetime of Squeeze. Guiseppe, feel free to lower severity as you see fit. I'm currently waiting for an access to the chromium security team, anyway before thinking about chromium in squeeze, we really need a team to work on it. Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#584517: CVE-2010-0404: Multiple SQL injection vulnerabilities
On 06/06/2010 06:16 PM, Olivier Berger wrote: Thanks for caring. I've tried and fix the most obvious problems reported by lintian and update the changelog, and have re-uploaded an updated package to mentors. If you can upload it for me, many thanks in advance. Best regards, I've added a comma in the changelog and uploaded your package. * New upstream release (includes fix for CVE-2010-0403, CVE-2010-0404, -Closes: #584518 #584517). +Closes: #584518, #584517). * Remove upstream-security-20090722.diff patch (SA35519 / DSA-1978-1 / btw, there are some minor lintian info/warning/pedantic, consider to fix them, they are easy to fix (lintian -iIvE --pedantic *.changes) Cheers, Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#584516: CVE-2010-1628: allows context-dependent attackers to execute arbitrary code
Package: ghostscript Severity: grave Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for ghostscript. CVE-2010-1628[0]: | Ghostscript 8.64, 8.70, and possibly other versions allows | context-dependent attackers to execute arbitrary code via a PostScript | file containing unlimited recursive procedure invocations, which | trigger memory corruption in the stack of the interpreter. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1628 http://security-tracker.debian.org/tracker/CVE-2010-1628 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkwIu/0ACgkQNxpp46476aqSZwCgiYQSz4A8fTVRECgr8yK/+iot FmwAnAwm+dN/IMETZLh76xRufiD6Z/xS =+7ZU -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#584517: CVE-2010-0404: Multiple SQL injection vulnerabilities
Package: phpgroupware Severity: grave Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for phpgroupware. CVE-2010-0404[0]: | Multiple SQL injection vulnerabilities in phpGroupWare (phpgw) before | 0.9.16.016 allow remote attackers to execute arbitrary SQL commands | via unspecified parameters to (1) class.sessions_db.inc.php, (2) | class.translation_sql.inc.php, or (3) class.auth_sql.inc.php in | phpgwapi/inc/. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0404 http://security-tracker.debian.org/tracker/CVE-2010-0404 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkwIvrgACgkQNxpp46476aq41wCfQ0VPTXt9wJea3uxc8AyFqinN iJEAn23Iev9NwpsKs0mobx63GDSVoOKs =T2FI -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#584518: CVE-2010-0403: Directory traversal vulnerability
Package: phpgroupware Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for phpgroupware. CVE-2010-0403[0]: | Directory traversal vulnerability in about.php in phpGroupWare (phpgw) | before 0.9.16.016 allows remote attackers to include and execute | arbitrary local files via a .. (dot dot) in the app parameter. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0403 http://security-tracker.debian.org/tracker/CVE-2010-0403 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkwIv0gACgkQNxpp46476aqCYQCglm6nA6T8hmgshCf/tS9ylgwt 7VgAn0e1/fwzFiM/FEgwSoF84y20/j4u =Z/92 -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#584517: CVE-2010-0404: Multiple SQL injection vulnerabilities
Hi Christian, On 06/04/2010 11:24 AM, christian bac wrote: -the unstable version : 1:0.9.16.016+dfsg-1 that is uploaded on mentors. do you need a sponsor ? Cheers, Giuseppe signature.asc Description: OpenPGP digital signature
Bug#584517: CVE-2010-0404: Multiple SQL injection vulnerabilities
On 06/04/2010 12:44 PM, Olivier Berger wrote: Here : http://mentors.debian.net/cgi-bin/sponsor-pkglist?action=details;package=phpgroupware Please add the Closes entries for the security bugs and add the source format (W: phpgroupware source: missing-debian-source-format). Cheers. Giuseppe. signature.asc Description: OpenPGP digital signature
Bug#581280: [387779e] Fix for Bug#581280 committed to git
tags 581280 + pending thanks Hello, The following change has been committed for this bug by Giuseppe Iuculano iucul...@debian.org on Fri, 4 Jun 2010 13:05:09 +0200. The fix will be in the next upload. = Remove *.moc.cpp files on clean, they don't work with current Qt and cause FTBFS. Thanks: Ilya Barygin Closes: #572821 Closes: #581280 = You can check the diff of the fix at: http://git.debian.org/?p=debian-science/packages/freemat.git;a=commitdiff;h=387779e -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#584399: CVE-2010-1626:allows local users to delete the data and index
Package: mysql-dfsg-5.1 Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for mysql-dfsg-5.1. CVE-2010-1626[0]: | MySQL before 5.1.46 allows local users to delete the data and index | files of another user's MyISAM table via a symlink attack in | conjunction with the DROP TABLE command, a different vulnerability | than CVE-2008-4098 and CVE-2008-7247. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1626 http://security-tracker.debian.org/tracker/CVE-2010-1626 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkwHhZkACgkQNxpp46476apMUACgjvz2G/xzGGRv5UWmuXxjOGPb TCcAoJ+CGHLeeW23lBqqYWxzrow9rnT0 =PCCv -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#584400: CVE-2010-1626
Package: mysql-dfsg-5.0 Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for mysql-dfsg-5.0. CVE-2010-1626[0]: | MySQL before 5.1.46 allows local users to delete the data and index | files of another user's MyISAM table via a symlink attack in | conjunction with the DROP TABLE command, a different vulnerability | than CVE-2008-4098 and CVE-2008-7247. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1626 http://security-tracker.debian.org/tracker/CVE-2010-1626 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkwHhgEACgkQNxpp46476apr1ACgj/0dTbl7XPSC3wR0fH2kRxCU Os0Anjh8yNqu6lKjXyJrrwL9zl/ab+/C =RgmB -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#584401: CVE-2010-1620: Integer overflow
Package: gnustep-base Version: 1.19.3-3 Severity: serious Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, the following CVE (Common Vulnerabilities Exposures) id was published for gnustep-base. CVE-2010-1620[0]: | Integer overflow in the load_iface function in Tools/gdomap.c in | gdomap in GNUstep Base before 1.20.0 might allow context-dependent | attackers to execute arbitrary code via a (1) file or (2) socket that | provides configuration data with many entries, leading to a heap-based | buffer overflow. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1620 http://security-tracker.debian.org/tracker/CVE-2010-1620 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkwHhwoACgkQNxpp46476apFvQCePP+7hUwuYaOJmTnF6vHE9VBS dBwAnj2OWTbudmv2cee0NuFPGe5u2FxC =uNR0 -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org