Bug#1035875: Arbitrary code execution vulnerability in versions < 2.3

[Lee Garrett]

Package: osslsigncode
Version: 2.1-1
Severity: grave
Tags: security
X-Debbugs-Cc: secur...@debian.org, deb...@rocketjump.eu, Debian Security Team 


It was reported through IRC that the current stable version of osslsigncode
contains an unpatched security vulnerability:

https://github.com/mtrojnar/osslsigncode/releases/tag/2.3

Unfortunately, upstream has not assigned a CVE, and a quick glance at the closed
bug reports didn't reveal any further details.

Regards,
Lee


-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (990, 'testing-security'), (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-8-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages osslsigncode depends on:
ii  libc6 2.36-9
ii  libcurl4  7.88.1-9
ii  libssl3   3.0.8-1

osslsigncode recommends no packages.

osslsigncode suggests no packages.

Bug#1029588: bts: Changes in libio-socket-ssl-perl 2.078 make bts fail to send mail to mail-server via SSL/TLS - hostname verification failed

[Lee Garrett]

On Sat, 18 Mar 2023 17:06:08 +0100 Dominique Dumont  wrote:

On Tue, 14 Feb 2023 22:21:26 +0100 Lee Garrett  wrote:
> Bumped severity as this makes bts currently unusable, and probably 
> breaks for quite a few DDs their workflow.


This does not break on my system where bts is connected to local sendmail 
(which is the default setup).

Which hints at a workaround: have bts connect to local sendmail and have 
sendmail forward the mail to the SMTPS server.


While this setup might work for some people, this has IMHO quite a few hefty 
drawbacks and requires me to maintain a MTA on my local machine. I could 
elaborate, but I don't think it's on-topic for this bug report.




The change mentioned by Daniel affects only a setup where the host if 
configured via its IP address, not via a host name:
See the change in SSL.pm in commit 
https://github.com/noxxi/p5-io-socket-ssl/commit/c0a063b70f0a3ad033da0a51923c65bd2ff118a0


While Daniel did mention this commit (which might or might not be related to the 
issue), bts fails on a configured SMTPS hostname which otherwise correctly 
validates with other MUA.




Which is not the case here:

$ perl -S -MDevel::SimpleTrace bts --smtp-host smtps://mail.wgdd.de usertag 
1029588 + dod-test-with-tls
bts: failed to open SMTPS connection to smtps://mail.wgdd.de
(hostname verification failed)
at main::send_mail(mail.wgdd.de)
at main::mailbtsall(/usr/bin/bts:2839)
at main::(/usr/bin/bts:825)

Unfortunately, I can no longer investigate this issue as it looks like that my 
IP address is now blacklisted on Daniel's server:

$ perl -MDevel::SimpleTrace scripts/bts.pl --smtp-host smtps://mail.wgdd.de 
usertag 1029588 + dod-test-with-tls
bts.pl: failed to open SMTPS connection to smtps://mail.wgdd.de
(Connection refused)
at main::send_mail(mail.wgdd.de)
at main::mailbtsall(scripts/bts.pl:2849)
at main::(scripts/bts.pl:834)

On a hunch, I would guess that Daniel's server is configured to handle STARTTLS, which is not supported by bts. But I cannot verify this. 
In any case this does not explain why Daniel sees bts working with libio-socket-ssl-perl 2.077 but not with 2.078.


I'm sure that bts supports STARTTLS. I am using bts with my MTA on 587/tcp, 
which enforces STARTTLS and requires credentials (I just double-checked via 
swaks). With the old libio-socket-ssl-perl 2.069-1 this works, so it's clearly a 
regression.




All the best


Greetings,
Lee

Bug#1032655: psi-plus segfaults

[Lee Garrett]

Package: psi-plus
Version: 1.4.554-5+b2
Severity: grave
X-Debbugs-Cc: deb...@rocketjump.eu

Hi,

psi-plus currently simply segfaults on a stock bookworm installation:

$ psi-plus 
[20230310 15:43:12] W:libpng warning: iCCP: known incorrect sRGB profile 
(unknown:0, unknown)
[20230310 15:43:12] W:libpng warning: iCCP: known incorrect sRGB profile 
(unknown:0, unknown)
[20230310 15:43:12] W:libpng warning: iCCP: known incorrect sRGB profile 
(unknown:0, unknown)
[20230310 15:43:12] W:libpng warning: iCCP: known incorrect sRGB profile 
(unknown:0, unknown)
Segmentation fault

Regards,
Lee

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-6-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages psi-plus depends on:
ii  libc6 2.36-8
ii  libgcc-s1 12.2.0-14
ii  libhunspell-1.7-0 1.7.1-1
ii  libidn12  1.41-1
ii  libminizip1   1.1-8+b1
ii  libqca-qt5-2  2.3.5-2
ii  libqca-qt5-2-plugins  2.3.5-2
ii  libqt5concurrent5 5.15.8+dfsg-3
ii  libqt5core5a  5.15.8+dfsg-3
ii  libqt5dbus5   5.15.8+dfsg-3
ii  libqt5gui55.15.8+dfsg-3
ii  libqt5keychain1   0.13.2-5
ii  libqt5network55.15.8+dfsg-3
ii  libqt5sql55.15.8+dfsg-3
ii  libqt5sql5-sqlite 5.15.8+dfsg-3
ii  libqt5svg55.15.8-2
ii  libqt5widgets55.15.8+dfsg-3
ii  libqt5x11extras5  5.15.8-2
ii  libqt5xml55.15.8+dfsg-3
ii  libstdc++612.2.0-14
ii  libx11-6  2:1.8.4-2
ii  psi-plus-common   1.4.554-5
ii  zlib1g1:1.2.13.dfsg-1

Versions of packages psi-plus recommends:
ii  psi-plus-l10n 1.4.554-1
ii  psi-plus-plugins  1.4.554-5+b2
ii  psi-plus-sounds   1.4.554-5
ii  sox   14.4.2+git20190427-3.4

Versions of packages psi-plus suggests:
pn  libgnome-keyring0  
ii  xdg-utils  1.1.3-4.1

-- no debconf information

Bug#1032418: zcfan service is not stopped on package removal

[Lee Garrett]

Package: zcfan
Severity: serious
X-Debbugs-Cc: deb...@rocketjump.eu

Hi,

while testing the Breaks: directive between zcfan and thinkfan, I noticed that
the zcfan service is not stopped upon uninstall. This is not caught by piuparts,
as by default the zcfan service is not started. The solution is to have a
debian/rules entry like in [0].

I noticed that you're a DM, and since it's fairly late in the freeze process,
I'm willing to guide your through the process of fixing the package for the
bookworm release.

Regards,
Lee

[0] https://salsa.debian.org/debian/thinkfan/-/blob/master/debian/rules#L24

Full terminal output showing the issue below:

12:59:18 [root@batou:~] 4s # apt install zcfan
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  zcfan
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 0 B/8.980 B of archives.
After this operation, 36,9 kB of additional disk space will be used.
Selecting previously unselected package zcfan.
(Reading database ... 377831 files and directories currently installed.)
Preparing to unpack .../zcfan_1.2.1-1+b1_amd64.deb ...
Unpacking zcfan (1.2.1-1+b1) ...
Setting up zcfan (1.2.1-1+b1) ...
Processing triggers for man-db (2.11.2-1) ...
Scanning processes...   

   
Scanning candidates...  

   
Scanning processor microcode... 

   
Scanning linux images...

   

Running kernel seems to be up-to-date.

The processor microcode seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

User sessions running outdated binaries:
 randall @ session #2: gdm-wayland-ses[1967]
 randall @ user manager service: firefox-esr[3254], gnome-session-b[2019], 
gnome-shell[2048], systemd[1784], thunderbird[2932]

No VM guests are running outdated hypervisor (qemu) binaries on this host.
12:59:27 [root@batou:~] 4s # systemctl status zcfan
○ zcfan.service - Zero-configuration fan control for ThinkPad
 Loaded: loaded (/lib/systemd/system/zcfan.service; enabled; preset: 
enabled)
 Active: inactive (dead) since Mon 2023-03-06 12:58:59 CET; 36s ago
   Duration: 1min 9.982s
Process: 17359 ExecStart=/usr/bin/zcfan (code=exited, status=0/SUCCESS)
   Main PID: 17359 (code=exited, status=0/SUCCESS)
CPU: 275ms

Mär 06 12:57:49 batou zcfan[17359]: [CFG] At 90C fan is set to maximum
Mär 06 12:57:49 batou zcfan[17359]: [CFG] At 80C fan is set to medium
Mär 06 12:57:49 batou zcfan[17359]: [CFG] At 70C fan is set to low
Mär 06 12:57:49 batou zcfan[17359]: [FAN] Temperature now 51C, fan set to off
Mär 06 12:58:23 batou zcfan[17359]: [FAN] Temperature now 71C, fan set to low
Mär 06 12:58:26 batou zcfan[17359]: [FAN] Temperature now 50C, fan set to off
Mär 06 12:58:59 batou zcfan[17359]: [FAN] Quit requested, reenabling 
thinkpad_acpi fan control
Mär 06 12:58:59 batou systemd[1]: Stopping zcfan.service - Zero-configuration 
fan control for ThinkPad...
Mär 06 12:58:59 batou systemd[1]: zcfan.service: Deactivated successfully.
Mär 06 12:58:59 batou systemd[1]: Stopped zcfan.service - Zero-configuration 
fan control for ThinkPad.
12:59:35 [root@batou:~] 3 # systemctl start zcfan
12:59:39 [root@batou:~] # systemctl status zcfan
● zcfan.service - Zero-configuration fan control for ThinkPad
 Loaded: loaded (/lib/systemd/system/zcfan.service; enabled; preset: 
enabled)
 Active: active (running) since Mon 2023-03-06 12:59:39 CET; 3s ago
   Main PID: 18995 (zcfan)
  Tasks: 1 (limit: 28396)
 Memory: 264.0K
CPU: 21ms
 CGroup: /system.slice/zcfan.service
 └─18995 /usr/bin/zcfan

Mär 06 12:59:39 batou systemd[1]: Started zcfan.service - Zero-configuration 
fan control for ThinkPad.
Mär 06 12:59:39 batou zcfan[18995]: [CFG] At 90C fan is set to maximum
Mär 06 12:59:39 batou zcfan[18995]: [CFG] At 80C fan is set to medium
Mär 06 12:59:39 batou zcfan[18995]: [CFG] At 70C fan is set to low
Mär 06 12:59:39 batou zcfan[18995]: [FAN] Temperature now 50C, fan set to off
12:59:43 [root@batou:~] # apt purge zcfan
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following 

Bug#995156: easy-rsa: vars Autodetection

[Lee Garrett]

I'm bumping the bug severity because currently it will ignore 
security-relevant settings like keysize and algo, and the defaults are 
pretty weak.

Bug#1029588: bts: Changes in libio-socket-ssl-perl 2.078 make bts fail to send mail to mail-server via SSL/TLS - hostname verification failed

[Lee Garrett]

Bumped severity as this makes bts currently unusable, and probably 
breaks for quite a few DDs their workflow.

Bug#1029803: command-not-found breaks dist-upgrade bullseye → bookworm

[Lee Garrett]

Package: command-not-found
Version: 20.10.1-1
Severity: grave
Tags: patch
X-Debbugs-Cc: deb...@rocketjump.eu, k...@debian.org

Hi Julian,

(this is somewhat related to #968757 and #954249)
(kibi CCed)

Steps to reproduce (on an bullseye installation)
1) Install command-not-found
2) Edit /etc/apt/sources.list to 
deb http://deb.debian.org/debian/ bookworm main contrib non-free 
non-free-firmware
(note the new component non-free-firmware)
3) run `apt update`
# apt update
Hit:1 http://deb.debian.org/debian bullseye InRelease
Hit:2 http://deb.debian.org/debian-security bullseye-security InRelease
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Hit:4 http://deb.debian.org/debian bullseye-backports InRelease
Hit:5 https://packages.chef.io/repos/apt/stable bullseye InRelease   
Hit:6 http://deb.debian.org/debian bookworm InRelease
Hit:7 http://deb.debian.org/debian sid InRelease
Hit:8 http://deb.debian.org/debian experimental InRelease
Traceback (most recent call last):
  File "/usr/lib/cnf-update-db", line 26, in 
col.create(db)
  File "/usr/share/command-not-found/CommandNotFound/db/creator.py", line 95, 
in create
self._fill_commands(con)
  File "/usr/share/command-not-found/CommandNotFound/db/creator.py", line 143, 
in _fill_commands
self._parse_single_contents_file(con, f, fp.stdout)
  File "/usr/share/command-not-found/CommandNotFound/db/creator.py", line 282, 
in _parse_single_contents_file
priority = component_priorities[component]
KeyError: 'non-free-firmware'
Reading package lists... Done
E: Problem executing scripts APT::Update::Post-Invoke-Success 'if /usr/bin/test 
-w /var/lib/command-not-found/ -a -e /usr/lib/cnf-update-db; then 
/usr/lib/cnf-update-db > /dev/null; fi'
E: Sub-process returned an error code

This is already fixed in unstable, but in it's current form this will break the
upgrade path from bullseye to bookworm. The fix is trivial, adding
`'non-free-firmware': 60,` to CommandNotFound/db/creator.py is enough. I propose
doing a p-u to fix it.

Greets,
Lee

-- System Information:
Debian Release: 11.6
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 
'stable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-0.deb11.6-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages command-not-found depends on:
ii  apt-file 3.2.2
ii  lsb-release  11.1.0
ii  python3  3.9.2-3
ii  python3-apt  2.2.1

command-not-found recommends no packages.

Versions of packages command-not-found suggests:
pn  snapd  

-- no debconf information

-- debsums errors found:
debsums: changed file 
/usr/share/command-not-found/CommandNotFound/db/creator.py (from 
command-not-found package)

Bug#1028405: ansible-core: autopkgtest regresses with new python3-defaults (python 3.11)

[Lee Garrett]

IIRC this was added because the last python transition (3.9->3.10) broke 
the autopkgtests, so I've added it. As this seems to work this time 
around, I acknowledge the NMU.


On Tue, 10 Jan 2023 08:21:09 -0800 Steve Langasek 
 wrote:

Package: ansible-core
Version: 2.14.1-1
Severity: serious
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu lunar ubuntu-patch

Hi Lee,

The ansible-core autopkgtests fail now that /usr/bin/python3 is python 3.11:

[...]
autopkgtest [08:17:06]: test unit: [---
FATAL: Running under Python version 3.11 instead of 3.10.
FATAL: Command "/usr/bin/env 
ANSIBLE_TEST_CONTENT_ROOT=/tmp/autopkgtest-lxc.8ik95lf6/downtmp/build.jHa/src 
PYTHONPATH=/tmp/ansible-test-iin32i73 /usr/bin/python3 /usr/bin/ansible-test units 
--containers '{}' --truncate 0 --color no --host-path test/results/.tmp/host-n2w5rzai 
--metadata test/results/.tmp/metadata-_yj0am3d.json" returned exit status 1.
autopkgtest [08:17:07]: test unit: ---]
[...]

  
(https://ci.debian.net/data/autopkgtest/unstable/amd64/a/ansible-core/29976247/log.gz)

This comes down to a hard-coded "--python 3.11" option in the autopkgtest
which seems superfluous.

I have uploaded the attached patch to Ubuntu to unblock the python3-defaults
transition there.

Cheers,
--
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   https://www.debian.org/
slanga...@ubuntu.com vor...@debian.org

Bug#1024713: ansible-core: Fails autopkgtests in unstable due to new resolvelib

[Lee Garrett]

Hi Scott,

I got around to fix the issue. I took the upstream patch as yours didn't 
apply cleanly to 2.14 anymore. I will upload the package in the next hour.


Thanks for bringing this to my attention!

Regards,
Lee

On 23/11/2022 17:17, Scott Kitterman wrote:

Package: ansible-core
Version: 2.13.4-1
Severity: serious
Tags: patch upstream ftbfs
Justification: fails to build from source (but built successfully in the past)

The current ansible-core package fails autopkgtest in unstable and would
fail in testing if python3-resolvelib were to migrate [1].  The issue
has been fixed upstream [2].  I have tested both on unstable and testing
with the upstream fix using the attached debdiff and it corrects the
test failures.  It also still works with the older resolvelib.

Using the ftbfs tag for this report since it is the closest thing we
have for test failures.

I do intend to NMU in a week to fix this as it blocks testing migration
for python-resolvelib.  Please let me know if you want to take care of
it or your would prefer I go ahead.

Scott K


[1] 
https://ci.debian.net/data/autopkgtest/testing/amd64/a/ansible-core/28587311/log.gz
[2] https://github.com/ansible/ansible/pull/79399/files

Bug#1024713: ansible-core: Fails autopkgtests in unstable due to new resolvelib

[Lee Garrett]

Hi Scott,

thanks for the bug report. A NMU is not needed, I'm currently preparing 
the newest upstream release and hopefully will upload it in the next 
days. If I don't upload within 7 days, feel free to NMU it.


Regards,
Lee


On 23/11/2022 17:17, Scott Kitterman wrote:

Package: ansible-core
Version: 2.13.4-1
Severity: serious
Tags: patch upstream ftbfs
Justification: fails to build from source (but built successfully in the past)

The current ansible-core package fails autopkgtest in unstable and would
fail in testing if python3-resolvelib were to migrate [1].  The issue
has been fixed upstream [2].  I have tested both on unstable and testing
with the upstream fix using the attached debdiff and it corrects the
test failures.  It also still works with the older resolvelib.

Using the ftbfs tag for this report since it is the closest thing we
have for test failures.

I do intend to NMU in a week to fix this as it blocks testing migration
for python-resolvelib.  Please let me know if you want to take care of
it or your would prefer I go ahead.

Scott K


[1] 
https://ci.debian.net/data/autopkgtest/testing/amd64/a/ansible-core/28587311/log.gz
[2] https://github.com/ansible/ansible/pull/79399/files

Bug#716386: [Mayhem] Bug report on tetradraw: tetraview crashes with exit status 139

[Lee Garrett]

Package: tetradraw
Version: 2.0.3-9+b2
Followup-For: Bug #716386
X-Debbugs-Cc: deb...@rocketjump.eu

Hi Rhonda,

sorry to grave dig this bug report, but it seems that tetradraw might be broken
for a couple of releases now. On bullseye it segfaults with rc 139. A few people
in #debian reported the same issue, so it looks like it's 100% reproducible.
Since I'd love to make some nice ascii art for my /etc/motd, it would be nice if
you could find the time to fix it. Thanks in advance!

Kind regards,
Lee


-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 
'stable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.16.1 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tetradraw depends on:
ii  libc6 2.31-13+deb11u2
ii  libncursesw6  6.2+20201114-2
ii  libtinfo6 6.2+20201114-2

tetradraw recommends no packages.

tetradraw suggests no packages.

-- no debconf information

Bug#995879: uninstallable due to dependency on ansible-core

[Lee Garrett]

On 07/10/2021 16:56, Daniel Baumann wrote:
> Package: ansible
> Version: 4.6.0-1
> Severity: serious
> Tags: experimental
> 
> Hi,
> 
> ansible in experimental is currently uninstallable because of the
> dependency on ansible-core which is unavailable/not yet uploaded in
> Debian as it seems.
> 
> Regards,
> Daniel

Yes, that is correct and expected. ansible-core still has to be fixed
and then make it through the NEW queue before it shows up in
experimental. ansible has already been uploaded there to make it easier
for the ftp team to review it. I'm hoping to upload it some time this
weekend.

Bug#981699: fixed in thinkfan 1.2.1-3.1

[Lee Garrett]

Hi,

On 28/09/2021 22:46, Thorsten Glaser wrote:
> Debian FTP Masters dixit:
> 
>>   * Don't ship an example config in /etc/thinkfan.yaml (Closes: #983727)
>>   * Ship example config in /usr/share/doc/thinkfan/examples/
> 
> I don’t think these resolve my issue with the newer thinkfan releases.
> 
> I’ve looked at the example configuration, and it refers to multiple
> hwmon and other files, which caused problems with my laptop. With the
> older thinkfan release, my configuration literally consisted of only
> the temperatures, nothing else, and it worked (Thinkpad X61), and the
> new configuration file doesn’t have a “user’s PoV” documentation for
> how to achieve an at-all working configuration.

That's entirely possible, but there is no single config that will work
for more than a few similar models. Note that you can still use your
/etc/thinkfan.conf (in the "old" schema) just fine if that one still
works for you. Long-term I'd love to collect a few thinkfan.yaml to ship
as examples for specific (thinkpad) models. I'd also like to point out
that the RC bug was about upgrading failing, which was because a
non-working /etc/thinkfan.yaml was placed there, taking precedence over
the thinkfan.conf, which has now been fixed. thinkfan being difficult to
configure is definitely a valid issue, but I'd like to continue that
discussion in a new wishlist bug.

Greetings from Hamburg,
Lee

Bug#983140: closed by Debian FTP Masters (reply to Lee Garrett ) (Bug#983140: fixed in ansible 2.10.7+merged+base+2.10.8+dfsg-1)

[Lee Garrett]

Hi Baptiste,

On 20/04/2021 22:07, Baptiste Beauplat wrote:
> Hi Lee,
> 
> On 2021/04/19 11:06 PM, Debian Bug Tracking System wrote:
>> #983140: ansible: Does not detect correct python interpreter on bullseye 
>> target
>>
>> It has been closed by Debian FTP Masters  
>> (reply to Lee Garrett ).
> 
> Glad to hear this will be fixed by this new version.
> 
> I was also working on a patch for 2.9.16 but I guess it's a bit late of
> that :)
> 
> I'll attach it anyway for reference because I managed to have all unit
> tests working by avoiding the user home directory. You might be
> interested to have a look at that.

Thanks for the attachment, I'll have a look at it to see how you solved
the problems I ran into.

> 
> Thanks again for maintaining ansible!
> 
> Best,
> 

You're welcome! And thanks for helping out. :)

Greets,
Lee

Bug#983140: ansible: Does not detect correct python interpreter on bullseye target

[Lee Garrett]

Hi Dominic,

I'll upload a fix as soon as the unblock request for ansible-base goes
through. As a workaround you can also set the python interpreter as
described in [0], either changing the default or setting it for
individual hosts.

I'm not sure if putting python3 further up the list might break
non-Debian systems (which could be targets where this code runs), I'll
have to check that first.

FYI, for 2.12+ the interpreter discovery will depend on the target OS
detected. You can already test it by setting interpreter_python=auto in
the [defaults] section of ansible.cfg.

Regards,
Lee

[0]
https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html

Bug#979618: Bug#979590: fixed in libx11 2:1.7.0-2

[Lee Garrett]

I can confirm that upgrading libx11-6 to match libx11-xcb1 fixed my
issue with chromium. Thanks!

Bug#979618: chromium freezes on start, triggering a force quit by gnome

[Lee Garrett]

Package: chromium
Version: 87.0.4280.88-0.4
Severity: grave
X-Debbugs-Cc: deb...@rocketjump.eu

Hi,

starting chromium on bullseye will render a window (with various elements
shifted down by half a screen), which is impossible to interact with, and causes
gnome to offer a "force quit" prompt after a few seconds.

Output from the CLI:
->8-->8-->8-->8-->8-->8-->8-->8-->8-->8-->8-
$ chromium
libva error: vaGetDriverNameByIndex() failed with unknown libva error, 
driver_name = (null)
[9413:9413:0109/060426.733876:ERROR:vaapi_wrapper.cc(541)] vaInitialize failed: 
unknown libva error
[9413:9413:0109/060426.735693:ERROR:sandbox_linux.cc(374)] InitializeSandbox() 
called with multiple threads in process gpu-process.
[9413:9413:0109/060426.855283:ERROR:shared_context_state.cc(74)] Skia shader 
compilation error


Errors:

[9413:9413:0109/060426.858413:ERROR:shared_context_state.cc(74)] Skia shader 
compilation error


Errors:

[9413:9413:0109/060426.860282:ERROR:shared_context_state.cc(74)] Skia shader 
compilation error


Errors:

[9413:9413:0109/060426.867099:ERROR:shared_context_state.cc(74)] Skia shader 
compilation error


Errors:

[9413:9413:0109/060426.869489:ERROR:shared_context_state.cc(74)] Skia shader 
compilation error


Errors:

[9415:9428:0109/060426.876651:ERROR:nss_util.cc(283)] After loading Root Certs, 
loaded==false: NSS error code: -8018
[9413:9413:0109/060426.993836:ERROR:shared_context_state.cc(74)] Skia shader 
compilation error


Errors:

[9413:9413:0109/060430.833703:ERROR:gl_surface_presentation_helper.cc(259)] 
GetVSyncParametersIfAvailable() failed for 1 times!
[9413:9413:0109/060430.839756:ERROR:gl_surface_presentation_helper.cc(259)] 
GetVSyncParametersIfAvailable() failed for 2 times!
Killed
->8-->8-->8-->8-->8-->8-->8-->8-->8-->8-->8-

Various things I've tried:
- reverting to chromium(,-common,-sandbox) to 87.0.4280.88-0.3 -> same problem
- reverting to chromium(,-common,-sandbox) to 87.0.4280.88-0.3 -> same problem
- starting chromium with a fresh profile -> same problem

Installing debug symbols and starting `chromium -g` will result in the same
errors, except for chromium complaining about being started in single-process
mode.

One user on #debian-next IRC reported no such errors on sid and KDE, so it might
not effect all users. I *think* about a week ago chromium still ran fine (I only
use it for debugging purposes). Checking /var/log/apt/history.log, I don't see
any libva* packages being updated in that timeframe.

Regards,
Lee


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-1-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_USER, TAINT_WARN, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chromium depends on:
ii  chromium-common  87.0.4280.88-0.4
ii  libasound2   1.2.4-1.1
ii  libatk-bridge2.0-0   2.38.0-1
ii  libatk1.0-0  2.36.0-2
ii  libatomic1   10.2.1-3
ii  libatspi2.0-02.38.0-2
ii  libavcodec58 7:4.3.1-5
ii  libavformat587:4.3.1-5
ii  libavutil56  7:4.3.1-5
ii  libc62.31-6
ii  libcairo21.16.0-5
ii  libcups2 2.3.3op1-4
ii  libdbus-1-3  1.12.20-1
ii  libdrm2  2.4.103-2
ii  libevent-2.1-7   2.1.12-stable-1
ii  libexpat12.2.10-1
ii  libflac8 1.3.3-2
ii  libfontconfig1   2.13.1-4.2
ii  libfreetype6 2.10.4+dfsg-1
ii  libgbm1  20.3.2-1
ii  libgcc-s110.2.1-3
ii  libgdk-pixbuf-2.0-0  2.42.2+dfsg-1
ii  libglib2.0-0 2.66.4-1
ii  libgtk-3-0   3.24.24-1
ii  libharfbuzz0b2.6.7-1
ii  libicu67 67.1-5
ii  libjpeg62-turbo  1:2.0.5-2
ii  libjsoncpp24 1.9.4-4
ii  liblcms2-2   2.9-4+b1
ii  libminizip1  1.1-8+b1
ii  libnspr4 2:4.29-1
ii  libnss3  2:3.60-1
ii  libopenjp2-7 2.3.1-1
ii  libopus0 1.3.1-0.1
ii  libpango-1.0-0   1.46.2-3
ii  libpangocairo-1.0-0  1.46.2-3
ii  libpng16-16  1.6.37-3
ii  libpulse014.0-2
ii  libre2-9 20201101+dfsg-2
ii  libsnappy1v5 1.1.8-1
ii  libstdc++6   10.2.1-3
ii  libwebp6 0.6.1-2+b1
ii  libwebpdemux20.6.1-2+b1
ii  libwebpmux3  0.6.1-2+b1
ii  libx11-6 2:1.6.12-1
ii  libx11-xcb1  2:1.7.0-1
ii  libxcb1  1.14-2.1
ii  libxcomposite1   1:0.4.5-1
ii  libxdamage1   

Bug#971309: ansible: diff for NMU version 2.9.16+dfsg-1.1

[Lee Garrett]

Hi Sebastian,

thanks, I acknowledge the NMU. I'm in the process of packaging ansible
2.10.x which will already contain the fix. So feel free to consider this
bug closed.

Regards,
Lee

On Wed, 6 Jan 2021 12:07:18 +0100 Sebastian Ramacher
 wrote:
> Control: tags 971309 + patch
> Control: tags 971309 + pending
> 
> Dear maintainer,
> 
> I've prepared an NMU for ansible (versioned as 2.9.16+dfsg-1.1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should delay it longer.
> 
> Cheers
> -- 
> Sebastian Ramacher

Bug#973096: python-bleach: FTBFS: dh_auto_test: error: pybuild --test --test-pytest -i python{version} -p "3.9 3.8" returned exit code 13

[Lee Garrett]

Hi,

I've prepared a fix for this package at

https://salsa.debian.org/python-team/packages/python-bleach/-/merge_requests/1

I lack permissions to merge to master and upload this package. The patch
itself is based on a pending upstream MR, details are in the quilt patch
annotation.

Regards,
Lee

Bug#961622: segfault on watching any stream

[Lee Garrett]

Package: gnome-twitch
Version: 0.4.1-3
Severity: grave

Hi,

current gnome-twitch will segfault on any stream selected. I've tried the
gstreamer-cairo and gstreamer-opengl backend to verify it's not backend related.

It starts fine, but selecting any stream will give the following output:
$ gnome-twitch 
[17:49:27] Message - GNOME-Twitch : {GtApp:370} Startup, running version '0.4.1'
[17:49:27] Message - GNOME-Twitch : {GtFollowsManager:254} Follows file at 
'/home/randall/.local/share/gnome-twitch/followed-channels.json' doesn't exist
[17:49:27] Message - GNOME-Twitch : {GtApp:339} Activate
[17:49:27] Message - GNOME-Twitch : {GtPlayer:132} Loading chat settings
[17:49:29] Message - GNOME-Twitch : {GtPlayer:1287} Can't open channel, no 
backend loaded
[17:49:33] Message - GNOME-Twitch : {GtPlayer:999} Loaded player backend 
'GStreamer Cairo player backend'
[17:49:33] Message - GNOME-Twitch : {GtPlayerBackendGstreamerCairo:246} Init
[17:49:33] Critical - GLib-GObject : g_object_get: assertion 'G_IS_OBJECT 
(object)' failed
[17:49:33] Warning - GNOME-Twitch : cannot set NULL uri
[17:49:33] Critical - Gtk : gtk_widget_add_events: assertion 'GTK_IS_WIDGET 
(widget)' failed
[17:49:33] Critical - Gtk : gtk_widget_set_can_focus: assertion 'GTK_IS_WIDGET 
(widget)' failed
[17:49:33] Critical - Gtk : gtk_container_add: assertion 'GTK_IS_WIDGET 
(widget)' failed
[17:49:33] Warning - GLib-GObject : invalid (NULL) pointer instance
[17:49:33] Critical - GLib-GObject : g_signal_connect_data: assertion 
'G_TYPE_CHECK_INSTANCE (instance)' failed
[17:49:33] Warning - GLib-GObject : invalid (NULL) pointer instance
[17:49:33] Critical - GLib-GObject : g_signal_connect_data: assertion 
'G_TYPE_CHECK_INSTANCE (instance)' failed
[17:49:33] Message - GNOME-Twitch : {GtPlayer:1310} Opening stream 'asmongold' 
with quality 'source'
[17:49:33] Warning - GNOME-Twitch : {GtTwitch:336} Received unsuccessful 
response from url 'https://api.twitch.tv/api/channels/asmongold/access_token' 
with code '410' and body '{"error":"Gone","status":410,"message":"this API has 
been removed."}'
[17:49:33] Warning - GNOME-Twitch : {GtTwitch:594} Error getting stream access 
token for channel 'asmongold' because: Received unsuccessful response from url 
'https://api.twitch.tv/api/channels/asmongold/access_token' with code '410' and 
body '{"error":"Gone","status":410,"message":"this API has been removed."}'
Segmentation fault

Regards,
Lee

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.14 (SMP w/8 CPU cores; PREEMPT)
Kernel taint flags: TAINT_USER, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnome-twitch depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.36.0-1
ii  libc62.30-8
ii  libgdk-pixbuf2.0-0   2.40.0+dfsg-4
ii  libglib2.0-0 2.64.2-1
ii  libgtk-3-0   3.24.20-1
ii  libjson-glib-1.0-0   1.4.4-2
ii  libpeas-1.0-01.26.0-2
ii  libsoup2.4-1 2.70.0-1
ii  libwebkit2gtk-4.0-37 2.28.2-2
ii  libx11-6 2:1.6.9-2+b1

Versions of packages gnome-twitch recommends:
ii  gnome-twitch-player-backend-gstreamer-cairo  0.4.1-3

gnome-twitch suggests no packages.

-- no debconf information

Bug#951488: rspamd/buster causes extensive load on upstream servers, will be disabled

[Lee Garrett]

Package: rspamd
Followup-For: Bug #951488

Hi,

after debugging the issue further with the upstream author we came to the
conclusion that the packages in Debian are not reponsible for the issue.
Apparently even older versions shipped by Synology appliances are causing the
issue due to a broken backpressue algorithm.

Source:
https://twitter.com/rspamd/status/1229774962296225799
https://www.reddit.com/r/synology/comments/f5jczp/mailplus_server_and_rspamdcom/fi0g29t/

As such, I'm closing this bug.

Regards,
Lee

Bug#909196: geany: webhelper seems ported to webkit2gtk, please reenable it

[Lee Garrett]

Hi,

it seems as though geany-plugin-webhelper was removed from buster/sid.
Looking at the changelog, there's the following entry:

geany-plugins (1.32+dfsg-3) unstable; urgency=medium

  * [67b34ed] Disable webkit-using plugins: markdown, webhelper
webkitgtk-3.0 is not to be used as it is deprecated, but the port to
webkit2gtk-4.0 isn't ready yet.

 -- Chow Loong Jin   Thu, 11 Jan 2018 03:17:55 +0800

Since the packages cleanly install and also upgrade fine, I'm lowering
the severity of this bug report. I don't expect this to be enabled again
at this point in the release cycle (buster is in deep freeze), but it
might be possible that this gets added to buster-backports.

HTH,
Lee

On Wed, 19 Sep 2018 11:40:55 -0400 PICCORO McKAY Lenz
 wrote:
> Package: geany-plugin-webhelper
> Version: geany-plugin-webhelper unable to install in testing
> Severity: grave
> 
> when upgrade geany-plugin-webhelper are missing and due that breaks my
> geany instalation
> 
> i make pressure due i'm unnable to use webhelper and geany becomes
> unnusable.. crash when push save button (due make refresh to the
> plugin that does not exist and config file said are enabled, but its a
> older version)
> 
> The geany and geany-plugins packages are 1.33-1 version,
> geany-plugin-webhelper still only in 1.29 and it is unable to install
> cause dependencies error:
> 
> geany-plugin-webhelper:
>  Depende: geany-abi-71
>   Depende: geany-plugins-common (=1.29+dfsg-1) pero se va a instalar
> 1.33+dfsg-1+b1
> 
> 
> Seems problema around webkit support was resolved with that commit:
> 
> https://github.com/geany/geany-plugins/pull/746/commits/4039a13882f4b9e2127f6e7b018bdbdffe36e2a2
> 
> and the bugt reported
> https://github.com/geany/geany-plugins/issues/412 ; i added notes
> about it!
> 
> 
> 
> Lenz McKAY Gerardo (PICCORO)
> http://qgqlochekone.blogspot.com
> 
> 

Bug#928728: testssl.sh: missing dependencies

[Lee Garrett]

Package: testssl.sh
Version: 2.9.5-7+dfsg1-1
Severity: serious
Justification: Policy 3.5

Hi,

on a minimal Debian installation testssl fails to work. It's missing at least
these dependencies (package name in brackets):

- dig (dnsutils)
- host (bind9-host)
- ps (procps)
- hexdump (bsdmainutils)

Thanks in advance,
Lee

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages testssl.sh depends on:
ii  openssl  1.1.1b-2

testssl.sh recommends no packages.

testssl.sh suggests no packages.

-- no debconf information

Bug#923298: chromium: file overlap with chromium-sandbox without Conficts and/or Replaces

[Lee Garrett]

Hi,

your issue is related to mixing stable and testing, which is not supported and
causing your issue here. More below:

On Tue, 26 Feb 2019 10:54:15 +1100 "G. Branden Robinson"
 wrote:
> Package: chromium
> Version: 72.0.3626.96-1~deb9u1
> Severity: grave
> Justification: renders package unusable
> 
> I have been tracking testing for several months.
> 
> This looks to me like a missing or insufficiently versioned Replaces
> declaration, but I did not dig deeply into this except to check the BTS
> to see if it had bitten anyone else.  To my surprise, it looks like it
> has not.
> 
[...]

> Get:1 http://ftp.au.debian.org/debian buster/main amd64 chromium-sandbox 
> amd64 72.0.3626.53-1 [137 kB]
> Fetched 137 kB in 1s (179 kB/s)  
> Selecting previously unselected package chromium-sandbox.
> (Reading database ... 351969 files and directories currently installed.)
> Preparing to unpack .../chromium-sandbox_72.0.3626.53-1_amd64.deb ...
> Unpacking chromium-sandbox (72.0.3626.53-1) ...
> dpkg: error processing archive 
> /var/cache/apt/archives/chromium-sandbox_72.0.3626.53-1_amd64.deb (--unpack):
This ^^^ here is not the current version in testing anymore. Current version
is 72.0.3626.109-1.

>  trying to overwrite '/usr/lib/chromium/chrome-sandbox', which is also in 
> package chromium 72.0.3626.96-1~deb9u1
This ^^^ version here is the current package in stretch.

You can easily solve your issue by cleanly upgrading to testing. You can also
seek help in #debian on irc.oftc.net. I'm leaving this bug open however, as
this issue could also happen during upgrade from stretch to buster. It's
missing versioned dependencies.

Regards,
Lee

Bug#912297: ansible: CVE-2018-16837

[Lee Garrett]

Quick follow-up: I don't have a patch for CVE-2018-10875. However, the patch
in question I have is for CVE-2018-10855, which is already checked in on the
stretch branch of the packaging repo.

For some reason the security tracker has this CVE marked as "not affected",
although I could reproduce the issue on stretch.


On 08/11/2018 11:51, Lee Garrett wrote:
> Hi,
> 
> sorry for the late response. CVE-2018-16837 should be fairly straight-forward
> to fix in stretch and jessie.
> 
> For CVE-2018-10875 I have a patch in my work dir that should fix it. I'll push
> it to the git stretch branch tomorrow (not on my work machine right now).
> 
> For CVE-2018-10874, it's not clear if it affects stable. The inventory module
> was completely rewritten in (IIRC) ansible 2.5, so it won't be a
> straight-forward patch.
> 
> Regards,
> Lee
> 
> On 07/11/2018 22:55, Moritz Mühlenhoff wrote:
>> On Tue, Oct 30, 2018 at 12:35:05AM -0400, Chris Lamb wrote:
>>> Hi Ivo,
>>>
>>>> From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
>>> [..]
>>>> - user module - do not pass ssh_key_passphrase on cmdline
>>>>   (CVE-2018-16837)
>>>
>>> Thanks for providing this and no problem that this wasn't in the
>>> changelog.
>>>
>>> Security team: This still affects stretch and jessie as I unless
>>> I'm missing something - would you like me to prepare an upload for
>>> stable? I'm happy to take the LTS side of things.
>>
>> We can fix that one in a DSA, but should also fix CVE-2018-10875
>> and CVE-2018-10874, then.
>>
>> Cheers,
>> Moritz
>>
> 

Bug#912297: ansible: CVE-2018-16837

[Lee Garrett]

Hi,

sorry for the late response. CVE-2018-16837 should be fairly straight-forward
to fix in stretch and jessie.

For CVE-2018-10875 I have a patch in my work dir that should fix it. I'll push
it to the git stretch branch tomorrow (not on my work machine right now).

For CVE-2018-10874, it's not clear if it affects stable. The inventory module
was completely rewritten in (IIRC) ansible 2.5, so it won't be a
straight-forward patch.

Regards,
Lee

On 07/11/2018 22:55, Moritz Mühlenhoff wrote:
> On Tue, Oct 30, 2018 at 12:35:05AM -0400, Chris Lamb wrote:
>> Hi Ivo,
>>
>>> From the upstream changelog for 2.7.1+dfsg-1 (already in unstable):
>> [..]
>>> - user module - do not pass ssh_key_passphrase on cmdline
>>>   (CVE-2018-16837)
>>
>> Thanks for providing this and no problem that this wasn't in the
>> changelog.
>>
>> Security team: This still affects stretch and jessie as I unless
>> I'm missing something - would you like me to prepare an upload for
>> stable? I'm happy to take the LTS side of things.
> 
> We can fix that one in a DSA, but should also fix CVE-2018-10875
> and CVE-2018-10874, then.
> 
> Cheers,
> Moritz
> 

Bug#912599: [Pkg-nagios-devel] Bug#912599: icinga2-common: incinga2-common fails to install cleanly (hidden dep on icinga2)

[Lee Garrett]

Hi Sebastiaan,

On 01/11/2018 20:15, Sebastiaan Couwenberg wrote:> Hi Lee,
>
> On 11/1/18 6:41 PM, Lee Garrett wrote:
>> installing icinga2-common on a system that does not have icinga2 installed
fails
>> as follows:
>>
>> [...]
>>
>> Installing icinga2 directly, which pulls in icinga2-common, makes the
>> installation go through cleanly.
>
> Installing icinga2-common by itself makes no sense.
I agree, though there might be corner cases where this might happen, like
during dist-upgrade.

>
>> Besides the policy violation it makes it hard to install icinga2 with the 
>> chef
>> cookbook at https://supermarket.chef.io/cookbooks/icinga2, as it installs 
>> every
>> package after each other (with a version number restriction).
> I have no sympathy for broken configuration management. The cookbook not
> working is something you need take up with its developer.
Indeed, they unfortunately happen to be the cookbooks provided by upstream.

Thanks for the quick fix!

Regards,
Lee

Bug#912599: icinga2-common: incinga2-common fails to install cleanly (hidden dep on icinga2)

[Lee Garrett]

Package: icinga2-common
Version: 2.6.0-2
Severity: serious
Justification: Policy 3.5

Dear maintainer,

installing icinga2-common on a system that does not have icinga2 installed fails
as follows:

--->8-->8-->8-->8-->8-->8-->8-->8-->8-->8---
# apt install icinga2-common
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following NEW packages will be installed:
  icinga2-common
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/93.6 kB of archives.
After this operation, 401 kB of additional disk space will be used.
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
Selecting previously unselected package icinga2-common.
(Reading database ... 533789 files and directories currently installed.)
Preparing to unpack .../icinga2-common_2.6.0-2_all.deb ...
Unpacking icinga2-common (2.6.0-2) ...
Setting up icinga2-common (2.6.0-2) ...
Created symlink /etc/systemd/system/multi-user.target.wants/icinga2.service →
/lib/systemd/system/icinga2.service.
Job for icinga2.service failed because the control process exited with error
code.
See "systemctl status icinga2.service" and "journalctl -xe" for details.
invoke-rc.d: initscript icinga2, action "start" failed.
● icinga2.service - Icinga host/service/network monitoring system
   Loaded: loaded (/lib/systemd/system/icinga2.service; enabled; vendor preset:
enabled)
   Active: failed (Result: exit-code) since Thu 2018-11-01 18:37:29 CET; 7ms ago
  Process: 4157 ExecStartPre=/usr/lib/icinga2/prepare-dirs
/usr/lib/icinga2/icinga2 (code=exited, status=6)
  CPU: 1ms

Nov 01 18:37:29 saito systemd[1]: Starting Icinga host/service/network
monitoring system...
Nov 01 18:37:29 saito prepare-dirs[4157]: /usr/lib/icinga2/prepare-dirs: 1:
/usr/lib/icinga2/prepare-dirs: /usr/sbin/icinga2: not found
Nov 01 18:37:29 saito prepare-dirs[4157]: Could not fetch RunAsUser variable.
Error ''. Exiting.
Nov 01 18:37:29 saito systemd[1]: icinga2.service: Control process exited,
code=exited status=6
Nov 01 18:37:29 saito systemd[1]: Failed to start Icinga host/service/network
monitoring system.
Nov 01 18:37:29 saito systemd[1]: icinga2.service: Unit entered failed state.
Nov 01 18:37:29 saito systemd[1]: icinga2.service: Failed with result
'exit-code'.
dpkg: error processing package icinga2-common (--configure):
 subprocess installed post-installation script returned error exit status 1
Processing triggers for systemd (232-25+deb9u4) ...
Errors were encountered while processing:
 icinga2-common
==  How can you help?  (doc: https://wiki.debian.org/how-can-i-help ) ==

-  Show old opportunities as well as new ones: how-can-i-help --old  -
needrestart is being skipped since dpkg has failed
E: Sub-process /usr/bin/dpkg returned an error code (1)
--->8-->8-->8-->8-->8-->8-->8-->8-->8-->8---

Installing icinga2 directly, which pulls in icinga2-common, makes the
installation go through cleanly.

Besides the policy violation it makes it hard to install icinga2 with the chef
cookbook at https://supermarket.chef.io/cookbooks/icinga2, as it installs every
package after each other (with a version number restriction).

Regards,
Lee


-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages icinga2-common depends on:
ii  adduser  3.115
ii  init-system-helpers  1.48
ii  lsb-base 9.20161125
ii  lsb-release  9.20161125

Versions of packages icinga2-common recommends:
ii  logrotate  3.11.0-0.1

icinga2-common suggests no packages.

-- Configuration Files:
/etc/icinga2/conf.d/app.conf [Errno 13] Permission denied: 
'/etc/icinga2/conf.d/app.conf'
/etc/icinga2/conf.d/apt.conf [Errno 13] Permission denied: 
'/etc/icinga2/conf.d/apt.conf'
/etc/icinga2/conf.d/commands.conf [Errno 13] Permission denied: 
'/etc/icinga2/conf.d/commands.conf'
/etc/icinga2/conf.d/downtimes.conf [Errno 13] Permission denied: 
'/etc/icinga2/conf.d/downtimes.conf'
/etc/icinga2/conf.d/groups.conf [Errno 13] Permission denied: 
'/etc/icinga2/conf.d/groups.conf'
/etc/icinga2/conf.d/hosts.conf [Errno 13] Permission denied: 
'/etc/icinga2/conf.d/hosts.conf'
/etc/icinga2/conf.d/notifications.conf [Errno 13] Permission denied: 
'/etc/icinga2/conf.d/notifications.conf'
/etc/icinga2/conf.d/satellite.conf [Errno 13] Permission denied: 
'/etc/icinga2/conf.d/satellite.conf'
/etc/icinga2/conf.d/services.conf [Errno 13] Permission denied: 
'/etc/icinga2/conf.d/services.conf'
/etc/icinga2/conf.d/templates.conf [Errno 13] Permission denied: 

Bug#898969: dnssec-trigger: fails with OpenSSL in experimental due to too-small key

[Lee Garrett]

Hi,

Any update on this bug? dnssec-trigger will be autoremoved due to this bug
tomorrow. I'd like to see it in buster, though.

Regards,
Lee

Bug#880047: postgrey doesn't start because it can't write its pid

[Lee Garrett]

Hi,

I triaged this bug on a fresh stretch VM. Installing postgrey 1.36-3 and
rebooting did not trigger the bug. I tried with both systemd and sysvinit.
Looking at /etc/init.d/postgrey, I see the following:

PIDFILE=/var/run/$DAEMON_NAME.pid

So the above init script shipped in stretch does not require
/var/run/postgrey/ to be created, since it is not used. But wait! Since the
init script is a conffile, it could be that the reporter upgraded from jessie.
However, postgrey 1.35-1 also has the following line:

PIDFILE=/var/run/$DAEMON_NAME.pid

As such, I don't think this bug ever existed in stretch or jessie, but was a
result of users trying to fix #756813. It may be possible that the init script
was inherited from wheezy or earlier, I did not check those releases. If that
was the case, I think the bug would have been noticed earlier.

Greetings from the Chemnitz BSP,
Lee

Bug#909000: Enigmail 2.0 needed in Stretch after Thunderbird 60 upload

[Lee Garrett]

The problem here is that the newer enigmail from buster depends on gnupg (>=
2.2.8-2~), which is only available in stretch-backports. If there is no way to
make it work with gnupg from stable, I proprose to remove enigmail from
stable, and offer it via stretch-backports.

Whatever the eventual solution may be, it would be great to solve this issue
very soon, as this is currently breaking things for users in stable.

On Mon, 17 Sep 2018 10:14:31 +0200 Jonas Meurer  wrote:
> Source: enigmail
> Version: 2:1.9.9-1~deb9u1
> Severity: grave
> 
> Dear maintainers,
> 
> yesterday, Thunderbird 1:60.0-2~deb9u1 got uploaded to Stretch (via
> security). This thunderbird version breaks enigmail (<< 2:2~), which
> leads to uninstallable/unusable Enigmail in Debian Stretch.
> 
> May I suggest to backport Enigmail 2.0 to Debian Stretch as well?
> 
> Cheers
>  jonas
> 
> -- System Information:
> Debian Release: 9.5
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: 
> LC_ALL set to en_US.UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) (ignored: 
> LC_ALL set to en_US.UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> -- no debconf information
> 
> 

Bug#903718: gplaycli currently unusable in stable/backport/testing/unstable

[Lee Garrett]

Package: gplaycli
Version: 0.2.10-1~bpo9+1
Severity: grave
Justification: renders package unusable

Hi,

I'm currently having a hard time to get gplaycli running again. It seems as
though the version in Debian is currently unusable:

# with stable-backports:
$ gplaycli -d com.imgur.mobile -v
GPlayCli version 0.2.10
Configuration file is /etc/gplaycli/gplaycli.conf
Using cached token.
Using token to connect to API
Token has expired or is invalid. Retrieving a new one...
Retrieving token ...
Token: gplayclia...@gmail.com
1 / 1 com.imgur.mobile
Error while downloading com.imgur.mobile : this package does not exist, try to
search it via --search before
A few packages could not be downloaded :
com.imgur.mobile
list index out of range

# on testing/unstable
$ gplaycli -d com.imgur.mobile -v
Traceback (most recent call last):
  File "/usr/bin/gplaycli", line 28, in 
from androguard.core.bytecodes import apk as androguard_apk  # Androguard
ImportError: No module named androguard.core.bytecodes

And stable currently doesn't have the token feature. However, even with my own
generated credentials it doesn't work:

$ cat credentials.conf
[Credentials]
# created with raccoon
android_ID=
gmail_address=gapps.sucks.cngn.ro...@gmail.com
gmail_password=
language=en_US

$ gplaycli -d com.imgur.mobile -v -c credentials.conf 
Using credentials.conf from current directory...
Cannot login to GooglePlay ( server says: BadAuthentication )

I'd love to have this working in Debian, but in it's current shape and form IMHO
it's not fit for inclusion.

Unfortunately the latest upstream via pip3 isn't usable either:
fdroid@packages:~$ pip3 install --upgrade-strategy only-if-needed gplaycli
Collecting gplaycli
Collecting gpapi==0.4.2 (from gplaycli)
  Using cached
https://files.pythonhosted.org/packages/ba/5e/b20066f6e0f69aab0fca832770371eb4579cf26393286b7f58641a011ac2/gpapi-0.4.2-py3-none-any.whl
Collecting pyaxmlparser (from gplaycli)
  Using cached
https://files.pythonhosted.org/packages/82/e6/2a024e09a16281e0039b1aa38400c0ad35a8edb2c2aa59988aa1e3a77845/pyaxmlparser-0.3.9-py3-none-any.whl
Collecting pycryptodome (from gpapi==0.4.2->gplaycli)
  Using cached
https://files.pythonhosted.org/packages/bf/60/520c09d88138bdef60a4d8911d3375521b3c30f41c57fce73a51a01b9318/pycryptodome-3.6.4-cp35-cp35m-manylinux1_x86_64.whl
Collecting protobuf (from gpapi==0.4.2->gplaycli)
  Using cached
https://files.pythonhosted.org/packages/11/c4/8a35f5af5f26040ae7f3d521875e43429d2955d598fa3f2d0b6b88133bb1/protobuf-3.6.0-cp35-cp35m-manylinux1_x86_64.whl
Collecting requests (from gpapi==0.4.2->gplaycli)
  Using cached
https://files.pythonhosted.org/packages/65/47/7e02164a2a3db50ed6d8a6ab1d6d60b69c4c3fdf57a284257925dfc12bda/requests-2.19.1-py2.py3-none-any.whl
Collecting lxml (from pyaxmlparser->gplaycli)
  Using cached
https://files.pythonhosted.org/packages/5c/ee/e4acac810a85da614a60bf2221535bc2517d553b8d733cfd2dd644e2ab15/lxml-4.2.3-cp35-cp35m-manylinux1_x86_64.whl
Collecting click==6.7 (from pyaxmlparser->gplaycli)
  Using cached
https://files.pythonhosted.org/packages/34/c1/8806f99713ddb993c5366c362b2f908f18269f8d792aff1abfd700775a77/click-6.7-py2.py3-none-any.whl
Collecting six>=1.9 (from protobuf->gpapi==0.4.2->gplaycli)
  Using cached
https://files.pythonhosted.org/packages/67/4b/141a581104b1f6397bfa78ac9d43d8ad29a7ca43ea90a2d863fe3056e86a/six-1.11.0-py2.py3-none-any.whl
Collecting setuptools (from protobuf->gpapi==0.4.2->gplaycli)
  Using cached
https://files.pythonhosted.org/packages/ff/f4/385715ccc461885f3cedf57a41ae3c12b5fec3f35cce4c8706b1a112a133/setuptools-40.0.0-py2.py3-none-any.whl
Collecting certifi>=2017.4.17 (from requests->gpapi==0.4.2->gplaycli)
  Using cached
https://files.pythonhosted.org/packages/7c/e6/92ad559b7192d846975fc916b65f667c7b8c3a32bea7372340bfe9a15fa5/certifi-2018.4.16-py2.py3-none-any.whl
Collecting urllib3<1.24,>=1.21.1 (from requests->gpapi==0.4.2->gplaycli)
  Using cached
https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl
Collecting chardet<3.1.0,>=3.0.2 (from requests->gpapi==0.4.2->gplaycli)
  Using cached
https://files.pythonhosted.org/packages/bc/a9/01ffebfb562e4274b6487b4bb1ddec7ca55ec7510b22e4c51f14098443b8/chardet-3.0.4-py2.py3-none-any.whl
Collecting idna<2.8,>=2.5 (from requests->gpapi==0.4.2->gplaycli)
  Using cached
https://files.pythonhosted.org/packages/4b/2a/0276479a4b3caeb8a8c1af2f8e4355746a97fab05a372e4a2c6a6b876165/idna-2.7-py2.py3-none-any.whl
Installing collected packages: pycryptodome, six, setuptools, protobuf, certifi,
urllib3, chardet, idna, requests, gpapi, lxml, click, pyaxmlparser, gplaycli
Successfully installed certifi-2018.4.16 chardet-3.0.4 click-6.7 gpapi-0.4.2
gplaycli-3.23 idna-2.7 lxml-4.2.3 protobuf-3.6.0 pyaxmlparser-0.3.9
pycryptodome-3.6.4 requests-2.19.1 setuptools-40.0.0 six-1.11.0 urllib3-1.23
You have new mail in /var/mail/fdroid
fdroid@packages:~$ gplaycli -d com.imgur.mobile -v
[INFO] 

Bug#898433: FTBFS: README.md -> README.rst

[Lee Garrett]

Hi Daniel,

I've fixed it again. However, I'm not sure how this FTBFS for you. It built
fine before, and also on the buildds. Maybe you have some setting that turns
lintian warnings into errors?

Regards,
Lee

On 18/05/18 20:55, Harlan Lieberman-Berg wrote:
> Oh, I see what's happening.
> 
> Lee, can you do a -2 and make sure to merge against git on salsa?
> 
> On Fri, May 18, 2018 at 2:49 PM, Harlan Lieberman-Berg
>  wrote:
>> Hi Daniel,
>>
>> I'm a bit confused as well.  I didn't upload any debs at all; I did a
>> source-only upload.  The buildd's successfully built -2 against the
>> original tarball that was uploaded with -1... and I just rebuilt it
>> again.
>>
>> Can you verify your source matches the sha256sum of
>> 5e817a3e077565bc1ff294d5a4748fbd8d78435fa721ebf617945568e45d603a?  You
>> can retrieve the original source with pristine-tar against the git
>> repository on salsa.
>>
>> On Fri, May 18, 2018 at 1:20 PM, Daniel Baumann
>>  wrote:
>>> reopen 898433
>>> found 898433 2.5.3+dfsg-1
>>> thanks
>>>
>>> Hi,
>>>
>>> thanks for fixing it, however, your last upload unfortunaly re-imports
>>> the problem.
>>>
>>> I'm a bit confused on how the package could have been built at all. The
>>> source package FTBFS'es, but you could upload the *_all.debs. Do you
>>> build from different sources than what is included in the source package?
>>>
>>> Regards,
>>> Daniel
>>
>>
>>
>> --
>> Harlan Lieberman-Berg
>> ~hlieberman
> 
> 
> 

Bug#870599: python-jinja2 2.9 breaks ansible in stable

[Lee Garrett]

reassign 870599 python-jinja2
kthxbye

Hi,

can you add a Breaks: ansible << 2.3 to python-jinja2 in sid? That will help
with upgrading from stretch to buster. The template module in ansible 2.2.1
(stretch) is broken with jinja2 2.9 and above.

Regards,
Lee

Bug#871601: ansible-2.3.1.0+dfsg-1 is uninstallable

[Lee Garrett]

Hi Robbie,

this is due to the ansible template module being incompatible with jinja2
v2.9. We are aware of this problem [0], and it has already been reported
upstream [1]. I know this is annoying, but at least it stops people upgrading
from stable to testing/unstable to break their ansible installations. As a
workaround you can downgrade python-jinja2 to the version in stable. There
seems to be a patch available since a couple of hours, but I haven't got
around to test it yet.

Regards,
Lee

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870599
[1] https://github.com/ansible/ansible/issues/20494

On 09/08/17 15:27, Robbie Harwood wrote:
> Package: ansible
> Version: 2.3.1.0+dfsg-1
> Severity: grave
> Justification: renders package unusable
> 
> Dear Maintainer,
> 
> ansible-2.3.1.0+dfsg-1 depends on python-jinja2 < 2.9.  However, this is not
> available in testing/unstable/experimental.  As a result,
> ansible-2.3.1.0+dfsg-1 is uninstallable, and its migration from unstable has
> been blocked.
> 
> Thanks,
> --Robbie
> 
> -- System Information:
> Debian Release: buster/sid
>   APT prefers testing-debug
>   APT policy: (600, 'testing-debug'), (600, 'testing'), (400, 
> 'unstable-debug'), (400, 'unstable'), (200, 'experimental-debug'), (200, 
> 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 4.11.0-1-rt-amd64 (SMP w/4 CPU cores; PREEMPT)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
> LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: sysvinit (via /sbin/init)
> 
> Versions of packages ansible depends on:
> ii  python2.7.13-2
> ii  python-crypto 2.6.1-7+b1
> ii  python-httplib2   0.9.2+dfsg-1
> ii  python-jinja2 2.9.6-1
> ii  python-netaddr0.7.18-2
> ii  python-paramiko   2.0.0-1
> ii  python-pkg-resources  36.0.1-1
> ii  python-yaml   3.12-1+b1
> 
> Versions of packages ansible recommends:
> ii  python-kerberos   1.1.5-2+b3
> ii  python-selinux2.6-3+b2
> pn  python-winrm  
> ii  python-xmltodict  0.11.0-1
> 
> Versions of packages ansible suggests:
> pn  cowsay   
> pn  sshpass  
> 
> -- no debconf information
> 

Bug#861842: snort 2.9.7 is EOL upstream

[Lee Garrett]

Source: snort
Version: 2.9.7.0-5
Severity: grave
Justification: renders package unusable

Dear maintainer,

The version of snort in Debian testing/sid has reached EOL in March [0], making 
it difficult to provide security updates or rule updates over the lifecycle of
stretch. Since no newer version is packaged yet and stretch is deep into the
freeze, I suggest removing the package from stretch.

[0]
http://blog.snort.org/2017/03/snort-2976-is-end-of-life.html
https://snort.org/eol

Regards,
Lee

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing'), (101, 'unstable'), (1, 'experimental')
Architecture: amd64
 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Bug#818705: general: multipackage issue

[Lee Garrett]

Hi Richard,

please ask for support in the Debian IRC channel, which you can reach at
#debian on irc.oftc.net. Or the debian-user mailinglist, which is found at
https://lists.debian.org/debian-user/. There we'll be able to further debug
your issue. See you there!

Greetings,
Lee

Bug#829076: general: Random freezes but the mouse can still move

[Lee Garrett]

Hi John,

thank you for coming forward with your problem, but I think a better approach
for resolving your issue is to bring it up on IRC, or use the the debian-user
mailing list to further debug the issue. Then, if your problem is not solved,
but further narrowed down, you can provide better infos and file the bug
against the respective package.

The IRC channel is #debian on irc.oftc.net, and the mailing list you can find
at https://lists.debian.org/debian-user/. See you there!

Greetings,
Lee

Bug#823004: gplaycli: sensitive information in config file

[Lee Garrett]

Hi,

On 07/11/16 17:56, matlink wrote:
> Hi Lee,
> 
> Well the main goal for gplaycli was to provide a noconf and very easy to
> use command line for downloading apks.

I totally see the appeal, which is why I'm using it and want to see it in good
shape in Debian. :)
I'm personally working towards a way to have a phone without any google apps.

> Creating a google account is for some people not the best idea, because
> they either disagree with their ToS or they don't want to give Google
> too many infos (AFAIK Google requires a phone number).

Yes, good point.

> I am totally aware of the issues that providing default credentials
> includes. Anyway, I am tired of resetting that default credentials'
> account password because a fool changes it. It's sad to see there are
> always such persons to mess everything up.

You can probably avoid people changing the password by activating 2FA. No idea
if gplaycli still works then, needs to be tested.

> 
> The approach you give seems interesting, however the simplicity of usage
> falls down. But I'm ready to get rid of these default credentials. Maybe
> the github version could provide defaults credentials, and the debian
> one does not?

How about the following:

The updated package will ask via debconf if the user wants to provide
credentials. If confirmed, google user/pass will be accepted and an Android ID
generated. If denied, it will use your credentials, just as currently. In
non-interactive installations it'll default to your credentials.

We'll provide in a README how to generate the Android ID, in case people want
to switch to their own credentials. Ideally it should just be adding new
credentials to /etc/gplaycli/credentials.conf and then just re-run a command
to generate the Android ID.

> I will need to investigate again on how to generate an AndroidID (Racoon
> does it well, Dummy Droid too, Hans-Christoph Steiner is on the way to
> package it for debian).

I'll look around. Last time I attempted it, I spent a few hours. Apparently
many tools that achieve this have suffered bit rot due to API changes.

> To be honest, I'm out of time these days and I don't think it'll go
> better. Any help is greatly appreciated.
> 
> Regards,

Regards,
Lee


> Le 07/11/2016 à 17:11, Lee Garrett a écrit :
>> Package: gplaycli
>> Followup-For: Bug #823004
>>
>> Hi Matlink,
>>
>> the way gplaycli is shipped makes it problematic for several reasons:
>> - Sharing account passwords violates Google's ToS
>> - Someone could abuse that account for spamming via gmail, prompting Google 
>> to disable the account
>> - Everyone can change the password (just checked) breaking every 
>> installation of gplaycli
>> - It probably makes it easier to track gplaycli users
>> (probably more problems if I'd dig more)
>>
>> So the right approach must be:
>> Use debconf to ask for google account credentials (no defaults), then 
>> generate the Android ID by
>> some other means. AFAICS this currently means that another tools needs to be 
>> included/packaged to
>> generate this.
>>
>> You probably know better what the general approach is, if you could outline 
>> them I'd be more than
>> happy to help with implementing this.
>>
>> Bumping the bug severity accordingly.
>>
>> Regards,
>> Lee
>>
>> -- System Information:
>> Debian Release: stretch/sid
>>   APT prefers testing
>>   APT policy: (500, 'testing'), (101, 'unstable'), (1, 'experimental')
>> Architecture: amd64 (x86_64)
>> Foreign Architectures: i386
>>
>> Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
>> Locale: LANG=en_GB.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/dash
>> Init: systemd (via /run/systemd/system)
> 

Bug#823748: tar: illegal hardware instruction breaks apt-get upgrade

[Lee Garrett]

On 17/05/16 14:21, Vlad Orlov wrote:
> Hi,
> 
> This doesn't happen even in VirtualBox working on a host with an old Core 2 
> Duo
> (both host and guest Debian installations are 64-bit). The upgrade went fine.

This is because your CPU architecture is not 32 bit, and not i586 or lower.
I'm sure if you set that by hand, you will be able to reproduce that.

Bug#823748: tar: illegal hardware instruction breaks apt-get upgrade

[Lee Garrett]

Hi Dirk,

which type of processor do you have on that machine? As ydirson pointed out,
older CPU types (80586 and below on the i386 architecture) are not supported
anymore in stretch.

For everyone else: I can't reproduce this bug on my Intel i5, so it's safe to
upgrade.

Regards,
Lee

Bug#820999: libicu4j-4.2-java: Missing conflicts/replaces on libicu4j-java

[Lee Garrett]

Package: libicu4j-4.2-java
Version: 4.2.1.1-4
Severity: serious
Justification: Policy 7.6.1

Dear maintainer,

installing this package with libicu4j-java still present causes dpkg to bail 
because it's trying to overwrite the other packages's files. See the log below:

Performing actions...
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
(Reading database ... 452097 files and directories currently installed.)
Preparing to unpack .../libicu4j-4.2-java_4.2.1.1-4_all.deb ...
Unpacking libicu4j-4.2-java (4.2.1.1-4) ...
dpkg: error processing archive 
/var/cache/apt/archives/libicu4j-4.2-java_4.2.1.1-4_all.deb (--unpack):
 trying to overwrite 
'/usr/share/maven-repo/com/ibm/icu/icu4j/4.2.1.1/icu4j-4.2.1.1.pom', which is 
also in package libicu4j-java 4.2.1.1-3
Errors were encountered while processing:
 /var/cache/apt/archives/libicu4j-4.2-java_4.2.1.1-4_all.deb
needrestart is being skipped since dpkg has failed
E: Sub-process /usr/bin/dpkg returned an error code (1)
Failed to perform requested operation on package.  Trying to recover:
Press Return to continue.

Kind regards,
Lee Garrett

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (101, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Bug#678140: Two tiff issues: CVE-2012-2113 / CVE-2012-2088

[Lee Garrett]

Hi Jay,

thanks for going through the effort of checking up on all CVEs and 
packaging it up.


CVE-2012-2088 still affects 3.9.4-5+squeeze5 though. The only other 
vulnerability left is tracked in #688944, which was opened just today.


--Lee


--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#688600: asterisk: command sip show peers stopped working

[Lee Garrett]

This might have to do with the fact that SIP is broken in 
1:1.6.2.9-2+squeeze7.


Also see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688053


--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#678140: Two tiff issues: CVE-2012-2113 / CVE-2012-2088

[Lee Garrett]

On 09/23/2012 01:52 PM, Luciano Bello wrote:

The patch looks good for me. I can write the DSA text today. Just a minor
question: CVE-2010-2482 should be fixed in 3.9.4. Did I missed something?


According to the sources linked to in Debian's security-tracker, all 
versions up to and including 3.9.4 are affected.



--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#678140: Two tiff issues: CVE-2012-2113 / CVE-2012-2088

[Lee Garrett]

AFAICS stable is still affected by both CVEs. Can you confirm this? 
Patches are available in the Ubuntu natty version of libtiff4.



--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#406782: linux-wlan-ng-firmware: fails to build package

[Lee Garrett]

Package: linux-wlan-ng-firmware
Version: 0.2.6+svn20061108+dfsg-1
Severity: grave
Justification: renders package unusable

Hello there,

with moving prism2dl to the -firmware package following bug shows up:

First of all, line 46 is redundant (cd $my_temp), as we already are in that 
working dir. The second problem lets the actual build 
fail: man/prism2dl.1 is missing in the source file, that's why dh_installman 
flakes out. Attached is a log of the execution of 
linux-wlan-ng-build-firmware-deb (I changed the first line to #!/bin/bash -x so 
it is easier to debug).

Anyways, keep up the good work and thank you for providing these packages!
--Lee


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (600, 'testing'), (450, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19-batou-chmp-custom-dsdt
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages linux-wlan-ng-firmware depends on:
ii  build-essential 11.3 informational list of build-essent
ii  debhelper   5.0.42   helper programs for debian/rules
ii  fakeroot1.5.10   Gives a fake root environment
ii  linux-wlan-ng   0.2.6+svn20061108+dfsg-1 utilities for wireless prism2 card
ii  linux-wlan-ng-s 0.2.6+svn20061108+dfsg-1 linux-wlan-ng driver
ii  subversion  1.4.2dfsg1-2 Advanced version control system

linux-wlan-ng-firmware recommends no packages.

-- debconf information:
  linux-wlan-ng-firmware/info:
[EMAIL PROTECTED]:~/tmp$ linux-wlan-ng-build-firmware-deb
+ DEBIAN_SRC=/usr/src/linux-wlan-ng.tar.bz2
+ DEBIAN=/usr/share/linux-wlan-ng-firmware/debian
+ SVN=svn://svn.shaftnet.org/linux-wlan-ng/trunk
++ pwd
+ PWD=/home/randall/tmp
++ mktemp -d prism2-XX
+ my_temp=prism2-Z22453
+ cd prism2-Z22453
+ tar xjf /usr/src/linux-wlan-ng.tar.bz2
+ mkdir src
+ svn co -N svn://svn.shaftnet.org/linux-wlan-ng/trunk/src/prism2/ src/prism2
Asrc/prism2/af010104.hex
Asrc/prism2/shared.prism2
Asrc/prism2/pm010102.hex
Asrc/prism2/ak010104.hex
Asrc/prism2/ru010803.hex
Asrc/prism2/rf010804.hex
Asrc/prism2/README.firmware
Asrc/prism2/prism2_ssf.pda
Asrc/prism2/Makefile
Asrc/prism2/r1010701.hex
Ausgecheckt, Revision 1815.
+ cp src/prism2/af010104.hex src/prism2/ak010104.hex src/prism2/pm010102.hex 
src/prism2/r1010701.hex src/prism2/rf010804.hex 
src/prism2/ru010803.hex modules/linux-wlan-ng/src/prism2
+ svn co -N svn://svn.shaftnet.org/linux-wlan-ng/trunk/src/prism2/download 
src/prism2/download
Asrc/prism2/download/Makefile
Asrc/prism2/download/prism2dl.c
 U   src/prism2/download
Ausgecheckt, Revision 1815.
+ cp src/prism2/download/prism2dl.c modules/linux-wlan-ng/src/prism2/download
+ rm -rf src
+ mv modules/linux-wlan-ng/add-ons modules/linux-wlan-ng/CHANGES 
modules/linux-wlan-ng/config.in modules/linux-wlan-ng/config.out 
modules/linux-wlan-ng/Configure modules/linux-wlan-ng/COPYING 
modules/linux-wlan-ng/debian modules/linux-wlan-ng/doc 
modules/linux-wlan-ng/etc modules/linux-wlan-ng/FAQ 
modules/linux-wlan-ng/LICENSE modules/linux-wlan-ng/Makefile 
modules/linux-wlan-ng/man modules/linux-wlan-ng/README 
modules/linux-wlan-ng/scripts modules/linux-wlan-ng/src 
modules/linux-wlan-ng/THANKS modules/linux-wlan-ng/TODO .
+ rm -rf modules debian
+ cd prism2-Z22453
/usr/bin/linux-wlan-ng-build-firmware-deb: line 46: cd: prism2-Z22453: Datei 
oder Verzeichnis nicht gefunden
+ cp -r /usr/share/linux-wlan-ng-firmware/debian .
+ chmod a+rx debian/rules
+ dpkg-buildpackage -rfakeroot -us -uc
dpkg-buildpackage: source package is linux-wlan-ng
dpkg-buildpackage: source version is 0.2.6+svn20061108+dfsg-1
dpkg-buildpackage: source changed by Victor Seva [EMAIL PROTECTED]
dpkg-buildpackage: host architecture i386
dpkg-buildpackage: source version without epoch 0.2.6+svn20061108+dfsg-1
 fakeroot debian/rules clean
dh_clean debian/postinst
rm -f configure-stamp build-stamp install-stamp
 dpkg-source -b prism2-Z22453
dpkg-source: warning: source directory `./prism2-Z22453' is not 
sourcepackage-upstreamversion 
`linux-wlan-ng-0.2.6+svn20061108+dfsg'
dpkg-source: building linux-wlan-ng in 
linux-wlan-ng_0.2.6+svn20061108+dfsg-1.tar.gz
dpkg-source: building linux-wlan-ng in 
linux-wlan-ng_0.2.6+svn20061108+dfsg-1.dsc
 debian/rules build
detected flavours for current arch are:
# to make the configure script happy we have to provide a real
# kernel source tree.
BUILD_MODULES=n BUILD_UTILS=y CC=cc ./Configure -d debian/config-for-lwng

-- Linux WLAN Configuration Script -

The default responses are correct for most users.

Build linux-wlan-ng tools? (y/n) [y]
Build Prism2.x PCMCIA Card Services (_cs) driver? (y/n) [n]
Build Prism2 PLX9052 based PCI (_plx) adapter driver? (y/n) [n]
Build Prism2.5 native PCI (_pci) driver? (y/n) [n]
Build Prism2.5 USB (_usb) driver? (y/n) [n]

Linux source directory 

Bug#355577: linux-wlan-ng-source: debian/postinst.modules.in missing

[Lee Garrett]

Package: linux-wlan-ng-source
Version: 0.2.4+svn20060128-1
Severity: grave
Justification: renders package unusable

Hello,

generating a modules package with make-kpkg results in a uninstallable
package, because $(PACKAGE).postinst is empty. Checking debian/rules,
$(PACKAGE).postinst is generated from debian/postinst.modules.in, which
isn't in the linux-wlan-ng-source.tar.gz file.

I guess this happened by accident, so it should be easy to fix, by
adding the missing file back into the tarball.

Keep up the good work!

Kind regards,
Lee

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (700, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages linux-wlan-ng-source depends on:
ii  debhelper 5.0.22 helper programs for debian/rules
ii  module-assistant  0.10.2 tool to make module package creati

linux-wlan-ng-source recommends no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]