Bug#880222: courier-imap: couriertcpd running as root while listening on port 143

2017-10-30 Thread Lucio Crusca
Package: courier-imap
Version: 4.17.2+0.76.3-5
Severity: grave
Tags: security
Justification: user security hole

Dear Marcus,

couriertcpd runs as root instead of the courier user for IMAP connections. 
I've not found (nor looked for) any exploit, but I think running as root while 
listening on a network socket is a security risk of its own.

Please have a look here: 
https://sourceforge.net/p/courier/mailman/message/36096805/

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (990, 'stable'), (600, 'unstable'), (400, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages courier-imap depends on:
ii  courier-authlib                      0.66.4-9
ii  courier-base                         0.76.3-5
ii  courier-mta [mail-transport-agent]   0.76.3-5
ii  debconf [debconf-2.0]                1.5.61
ii  init-system-helpers                  1.48
ii  libc6                                2.24-11+deb9u1
ii  libcourier-unicode1                  1.4-3+b1
ii  libgamin0 [libfam0]                  0.1.10-5+b1
ii  libgdbm3                             1.8.3-14
ii  libidn11                             1.33-1
ii  sysvinit-utils                       2.88dsf-59.9

courier-imap recommends no packages.

Versions of packages courier-imap suggests:
ii  courier-doc  0.76.3-5
pn  imap-client  

-- Configuration Files:
/etc/courier/imapd changed:
ADDRESS=0
PORT=143
MAXDAEMONS=120
MAXPERIP=200
PIDFILE=/run/courier/imapd.pid
TCPDOPTS="-nodnslookup -noidentlookup"
IMAPACCESSFILE=/etc/courier/imapaccess
LOGGEROPTS="-name=imapd"
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
IMAP_KEYWORDS=1
IMAP_ACL=1
IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
IMAP_PROXY=0
IMAP_PROXY_FOREIGN=0
IMAP_IDLE_TIMEOUT=60
IMAP_MAILBOX_SANITY_CHECK=1
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"
IMAP_DISABLETHREADSORT=0
IMAP_CHECK_ALL_FOLDERS=0
IMAP_OBSOLETE_CLIENT=0
IMAP_UMASK=022
IMAP_ULIMITD=131072
IMAP_USELOCKS=1
IMAP_SHAREDINDEXFILE=/etc/courier/shared/index
IMAP_ENHANCEDIDLE=0
IMAP_TRASHFOLDERNAME=Trash
IMAP_EMPTYTRASH=Trash:7
IMAP_MOVE_EXPUNGE_TO_TRASH=0
SENDMAIL=/usr/sbin/sendmail
HEADERFROM=X-IMAP-Sender
IMAPDSTART=YES
MAILDIRPATH=Maildir

/etc/courier/imapd-ssl changed:
SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/run/courier/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_CIPHER_LIST="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA"
TLS_CERTFILE=/etc/courier/imapd.pem
TLS_DHPARAMS=/etc/courier/dhparams.pem
TLS_TRUSTCERTS=/etc/ssl/cert.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir

/etc/courier/imapd.cnf [Errno 13] Permission denied: '/etc/courier/imapd.cnf'

-- no debconf information
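
Added example (not part of the bug report, nor code from the courier project): one way to check which network-reachable listeners are held by a process that still has UID 0, by pairing `ss -tlnp` rows with the "Uid:" line of /proc/<pid>/status. The sample rows, PIDs and UID 108 below are constructed for illustration.

```python
import re

# Constructed samples (not from the bug report): `ss -tlnp` rows and the
# "Uid:" line of /proc/<pid>/status (real, effective, saved, filesystem).
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:143              *:*   users:(("couriertcpd",pid=1201,fd=3))
LISTEN 0      128    :::993             :::*  users:(("couriertcpd",pid=1215,fd=3))
LISTEN 0      100    127.0.0.1:25       *:*   users:(("master",pid=980,fd=13))
"""
STATUS_SAMPLE = {
    1201: "Name:\tcouriertcpd\nUid:\t0\t0\t0\t0\n",
    1215: "Name:\tcouriertcpd\nUid:\t108\t108\t108\t108\n",
    980: "Name:\tmaster\nUid:\t0\t0\t0\t0\n",
}

ROW = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\((.*)\)\)\s*$')
PROC = re.compile(r'"([^"]+)",pid=(\d+)')


def listeners(ss_text):
    """Yield (address, port, process name, pid) for each listening socket."""
    for line in ss_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, or a row without process info
        addr, port, users = m.group(1), int(m.group(2)), m.group(3)
        for name, pid in PROC.findall(users):
            yield addr, port, name, int(pid)


def uids(status_text):
    """Return (real, effective, saved, fs) UIDs from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return tuple(int(x) for x in line.split()[1:5])
    raise ValueError("no Uid: line")


def root_listeners(ss_text, status_by_pid, loopback=("127.0.0.1", "::1", "[::1]")):
    """Network-reachable listeners whose process still holds UID 0 anywhere."""
    return [(port, name, pid)
            for addr, port, name, pid in listeners(ss_text)
            if addr not in loopback and 0 in uids(status_by_pid[pid])]
```

On a live host, feed it the output of `ss -tlnp` run as root and the contents of each /proc/<pid>/status. All four UIDs are checked because a process that keeps a saved UID of 0 can regain root after lowering its effective UID.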



Bug#797936: libsimgearscene3.4.0: Fixed

2015-09-04 Thread Lucio Crusca
Package: libsimgearscene3.4.0
Followup-For: Bug #797936

Fixed in latest update. Thanks.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (998, 'unstable'), (994, 'testing'), (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libsimgearscene3.4.0 depends on:
ii  libc6                     2.19-19
ii  libexpat1                 2.1.0-7
ii  libgcc1                   1:5.2.1-16
ii  libgl1-mesa-glx [libgl1]  10.6.5-1
ii  libglu1-mesa [libglu1]    9.0.0-2
ii  libopenal1                1:1.16.0-3
ii  libopenscenegraph100v5    3.2.1-7
ii  libopenthreads20          3.2.1-7
ii  libsimgearcore3.4.0       3.4.0-2+b1
ii  libstdc++6                5.2.1-16
ii  zlib1g                    1:1.2.8.dfsg-2+b1

libsimgearscene3.4.0 recommends no packages.

libsimgearscene3.4.0 suggests no packages.

-- no debconf information



Bug#531476: mp3gain: corrupts the mp3 file

2009-06-02 Thread Lucio Crusca
Stefan Fritsch wrote:
> If vlc crashes, there is obviously a bug in vlc.
right, but I assumed that such a bug in VLC would be already fixed since a long 
time if it were triggered by normal (i.e. not badly corrupted) mp3 files.

> Have you tried
> playing it with a different player?
I've tried with the default gnome media player (Ubuntu 9.04) and I got silence 
without the crash. However today I cannot reproduce the bug anymore, now it 
seems that mp3gain produces good files even for VLC... maybe the problem is 
somewhere else.


> If you undo the change with
> mp3gain -u file
> Does it work again?
I did not try that and I cannot try now, unless this supposed bug shows up 
again. I'm going to do some work with mp3gain today, if you can leave this bug 
report open for a while, I'll report the results back in a few hours.

Thanks,
Lucio.



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#531476: mp3gain: corrupts the mp3 file

2009-06-02 Thread Lucio Crusca
I couldn't manage to reproduce this bug anymore. Feel free to invalidate it. 
Should it happen again in the future I'll ask to reopen this bug report.

Thanks,
Lucio.






Bug#531476: mp3gain: corrupts the mp3 file

2009-06-01 Thread Lucio Crusca
Package: mp3gain
Version: 1.4.6-7+b1
Severity: critical
Justification: causes serious data loss


It usually works. However with at least one mp3 file of mine, the following 
command systematically destroys the file data to the point that VLC crashes 
while trying to play it (after a few seconds of plain silence):

# mp3gain -g 5 audiotrack.mp3

I can't leave my audiotrack.mp3 file for download in order to reproduce the 
bug, because it's not a free file, however I obtained that file from a dvd rip 
with:

# ffmpeg -i mydvd.avi -acodec copy -vn audiotrack.mp3

and this original mp3 file plays ok in VLC and any other common player.

mydvd.avi has been extracted from the DVD ISO with HandBrake available at 
debian-multimedia.org. 


-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (990, 'stable'), (50, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-vserver-686 (SMP w/1 CPU core)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mp3gain depends on:
ii  libc6 2.7-18 GNU C Library: Shared libraries

mp3gain recommends no packages.

mp3gain suggests no packages.

-- no debconf information






Bug#498474: (no subject)

2008-09-10 Thread Lucio Crusca
Subject: bash-completion: TAB always outputs -sh: ( compgen -f -X  -- '...' ): 
No such file or directory
Package: bash-completion
Version: 20080705
Severity: grave
Justification: renders package unusable


Whenever I type a prefix and then hit TAB, I see the following on the console:

-sh: ( compgen -d -- 'Mai' ): No such file or directory
-sh: ( compgen -f -X  -- 'Mai' ): No such file or directory

where Mai is the prefix I've keyed in.
The output of ls is:

$ ls
log  Maildir

The bug happens with any command, be it cd MaiTAB, rm -rf MaiTAB, ls 
MaiTAB or others.
It happens even when there's no file starting with the prefix.

I think the bug is a grave one because my bash-completion is actually unusable.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages bash-completion depends on:
ii  bash  3.2-4  The GNU Bourne Again SHell

bash-completion recommends no packages.

bash-completion suggests no packages.

-- no debconf information






Bug#348413: locales: depends on glibc-2.3.2.ds1-22 which isn't available in sarge

2006-01-16 Thread Lucio Crusca
Package: locales
Version: 2.3.2.ds1-22
Severity: grave
Justification: renders package unusable


The subject says it all. I'm quite surprised no one noticed this bug
until now, since libc6-dev suggests locales.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=locale: Cannot set 
LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
ANSI_X3.4-1968)

Versions of packages locales depends on:
ii  debconf   1.4.30.13  Debian configuration management sy
pn  glibc-2.3.2.ds1-22   Not found.





Bug#348413: please close the bug report, it was my fault.

2006-01-16 Thread Lucio Crusca
Sorry for the inconvenience, it was my fault. I'd installed libc6 from sid 
previously.

