Bug#884816: RFS: frontaccounting/2.4.3-1 [ITA]
Control: tags -1 -moreinfo -unreproducible

Could you please follow up on the security issue in the actual bug report (#890604)? This is the RFS, and I doubt you meant to mark the sponsorship request as "unreproducible". :)

That said, I'm just a messenger: I wanted to make sure you were aware of the security issues and considered them seriously. You might want to send the same message to the bug report, and CC secur...@debian.org to make sure the security issue is filed properly.

Thanks!

A.

On 2018-02-17 11:59:51, Janusz Dobrowolski wrote:
> control: tags -1 +moreinfo +unreproducible
>
> Hi,
>
> As far as I know all the old vulnerabilities reported on the debian bugtracker have been fixed in the package made available on the mentors.debian.org page. Anyway, to be sure I have tried to reproduce the bug mentioned on a new installation version to no avail. CSRF countermeasures implemented a long time ago in response also to the CVE cited seem to work as expected, so the exploit code available (e.g. here: https://securitywarrior9.blogspot.fr/2018/02/cross-site-request-forgery-front.html) does not work, returning 'Request from outside of this page is forbidden.' in the json payload returned, with no changes in application data.
>
> Saying that, maybe there are still some additional conditions which allow an attacker to omit csrf token checks, not stated in the vulnerability reports, so moreinfo tag added.
>
> Janusz
>
>
> On 16.02.2018 17:22, Antoine Beaupre wrote:
> > Hi,
> >
> > I haven't reviewed the package in detail, but before this is accepted into Debian, care should be taken to review the existing security vulnerabilities that affect this package.
> >
> > For example, CVE-2018-7176 (bug #890604) currently affects the package you are proposing to upload (2.4.3). If the package is uploaded as such, you should clarify what the way forward is to fix that package. Either it will be fixed in a subsequent release, or the package will have to be marked as unsupported in Debian.
> >
> > https://security-tracker.debian.org/tracker/CVE-2018-7176
> >
> > Thank you for your attention.
> >
> > A.

--
Drowning people
Sometimes die
Fighting their rescuers.
- Octavia Butler
Bug#884816: RFS: frontaccounting/2.4.3-1 [ITA]
control: tags -1 +moreinfo +unreproducible

Hi,

As far as I know all the old vulnerabilities reported on the debian bugtracker have been fixed in the package made available on the mentors.debian.org page. Anyway, to be sure I have tried to reproduce the bug mentioned on a new installation version to no avail. CSRF countermeasures implemented a long time ago in response also to the CVE cited seem to work as expected, so the exploit code available (e.g. here: https://securitywarrior9.blogspot.fr/2018/02/cross-site-request-forgery-front.html) does not work, returning 'Request from outside of this page is forbidden.' in the json payload returned, with no changes in application data.

Saying that, maybe there are still some additional conditions which allow an attacker to omit csrf token checks, not stated in the vulnerability reports, so moreinfo tag added.

Janusz

On 16.02.2018 17:22, Antoine Beaupre wrote:
> Hi,
>
> I haven't reviewed the package in detail, but before this is accepted into Debian, care should be taken to review the existing security vulnerabilities that affect this package.
>
> For example, CVE-2018-7176 (bug #890604) currently affects the package you are proposing to upload (2.4.3). If the package is uploaded as such, you should clarify what the way forward is to fix that package. Either it will be fixed in a subsequent release, or the package will have to be marked as unsupported in Debian.
>
> https://security-tracker.debian.org/tracker/CVE-2018-7176
>
> Thank you for your attention.
>
> A.
Bug#884816: RFS: frontaccounting/2.4.3-1 [ITA]
Hi,

I haven't reviewed the package in detail, but before this is accepted into Debian, care should be taken to review the existing security vulnerabilities that affect this package.

For example, CVE-2018-7176 (bug #890604) currently affects the package you are proposing to upload (2.4.3). If the package is uploaded as such, you should clarify what the way forward is to fix that package. Either it will be fixed in a subsequent release, or the package will have to be marked as unsupported in Debian.

https://security-tracker.debian.org/tracker/CVE-2018-7176

Thank you for your attention.

A.
Bug#884816: RFS: frontaccounting/2.4.3-1 [ITA]
Hi Janusz,

On Tue, Dec 26, 2017 at 06:53:39PM +0100, Janusz Dobrowolski wrote:
> Hi Tobi,
>
> Thanks for the review. I have fixed most of the issues you have pointed out. One thing I could not address yet is the declared debhelper compatibility level. My current development box runs Ubuntu 14.04, and for some reason I could not successfully compile the package using gbp buildpackage in a pbuilder environment. I will have to investigate it further.

You definitely should not build for Debian in Ubuntu. At least, debootstrap a Debian chroot and build from there, but building from Ubuntu calls for trouble. You will also not have a recent toolchain with that old Ubuntu, so there is so much stuff that you will miss...

> Anyway, I have pushed the fixed package version to mentors.debian.net, and one additional warning appeared. While the latest published Debian standards specification seems to be 4.1.2.0, the lintian check section on the mentors frontaccounting package page now shows a new-standards-version warning. This appeared after the advised change in the SV field from the previous 3.9.8, so I guess it is just a false positive due to a not up-to-date lintian version on mentors.debian.net?

Exactly, mentors runs an older version.

> Regarding old bug reports on the BTS, I have resolved all those marked +rm already. I will also make a review of the rest of the old closed bugs, but as far as I know most of them are already fixed in the current package.

The bugs I see on the BTS are all "Done". This is wrong... Looking at #717031 as an example: You did reopen it but you have marked it fixed afterwards. Don't do that. Bugs must be closed using the changelog.

--
tobi

> Janusz
>
> On 25.12.2017 20:11, Tobias Frost wrote:
> > Control: tags -1 moreinfo
> >
> > Hi Janusz,
> >
> > I've seen that you've uploaded a new package to mentors...
> > (would be great if you could announce that on the bug too, so people know that it's time to take a look)...
> >
> > (I've some time to spend to review packages, but I won't be able to do a complete review. Sorry, I do not plan to sponsor this package)
> >
> > - Please drop d/README.source, using quilt is standard.
> > - You do not close the ITP in the changelog, stating the reintroduction as reason,
> > - d/compat is level 9, you want 11.
> > - d/control:
> >   - You do not need to B-D on quilt
> >   - SV is out of date
> >   - lots of trailing whitespace. wrap-and-sort might help.
> > - d/copyright: License short specifier "GPL-3" is actually "GPL-3+"
> >   Same with the LGPL -> LGPL-2.1+ ?
> > - please modernize d/rules (short debhelper format?)
> >
> > - You probably want to unarchive and reopen the bugs you gonna close and also check the other bugs (if any) if they are still applicable and reopen them too. (This procedure is listed in the link pabs showed you)
> >
> > Please remove the moreinfo tag once you're ready for another round of review!
> >
> > --
> > tobi
Bug#884816: RFS: frontaccounting/2.4.3-1 [ITA]
Hi Tobi,

Thanks for the review. I have fixed most of the issues you have pointed out. One thing I could not address yet is the declared debhelper compatibility level. My current development box runs Ubuntu 14.04, and for some reason I could not successfully compile the package using gbp buildpackage in a pbuilder environment. I will have to investigate it further.

Anyway, I have pushed the fixed package version to mentors.debian.net, and one additional warning appeared. While the latest published Debian standards specification seems to be 4.1.2.0, the lintian check section on the mentors frontaccounting package page now shows a new-standards-version warning. This appeared after the advised change in the SV field from the previous 3.9.8, so I guess it is just a false positive due to a not up-to-date lintian version on mentors.debian.net?

Regarding old bug reports on the BTS, I have resolved all those marked +rm already. I will also make a review of the rest of the old closed bugs, but as far as I know most of them are already fixed in the current package.

Janusz

On 25.12.2017 20:11, Tobias Frost wrote:
> Control: tags -1 moreinfo
>
> Hi Janusz,
>
> I've seen that you've uploaded a new package to mentors...
> (would be great if you could announce that on the bug too, so people know that it's time to take a look)...
>
> (I've some time to spend to review packages, but I won't be able to do a complete review. Sorry, I do not plan to sponsor this package)
>
> - Please drop d/README.source, using quilt is standard.
> - You do not close the ITP in the changelog, stating the reintroduction as reason,
> - d/compat is level 9, you want 11.
> - d/control:
>   - You do not need to B-D on quilt
>   - SV is out of date
>   - lots of trailing whitespace. wrap-and-sort might help.
> - d/copyright: License short specifier "GPL-3" is actually "GPL-3+"
>   Same with the LGPL -> LGPL-2.1+ ?
> - please modernize d/rules (short debhelper format?)
>
> - You probably want to unarchive and reopen the bugs you gonna close and also check the other bugs (if any) if they are still applicable and reopen them too. (This procedure is listed in the link pabs showed you)
>
> Please remove the moreinfo tag once you're ready for another round of review!
>
> --
> tobi
Bug#884816: RFS: frontaccounting/2.4.3-1 [ITA]
Control: tags -1 moreinfo

Hi Janusz,

I've seen that you've uploaded a new package to mentors...
(would be great if you could announce that on the bug too, so people know that it's time to take a look)...

(I've some time to spend to review packages, but I won't be able to do a complete review. Sorry, I do not plan to sponsor this package)

- Please drop d/README.source, using quilt is standard.
- You do not close the ITP in the changelog, stating the reintroduction as reason,
- d/compat is level 9, you want 11.
- d/control:
  - You do not need to B-D on quilt
  - SV is out of date
  - lots of trailing whitespace. wrap-and-sort might help.
- d/copyright: License short specifier "GPL-3" is actually "GPL-3+"
  Same with the LGPL -> LGPL-2.1+ ?
- please modernize d/rules (short debhelper format?)

- You probably want to unarchive and reopen the bugs you gonna close and also check the other bugs (if any) if they are still applicable and reopen them too. (This procedure is listed in the link pabs showed you)

Please remove the moreinfo tag once you're ready for another round of review!

--
tobi
Bug#884816: RFS: frontaccounting/2.4.3-1 [ITA]
On Thu, 2017-12-21 at 23:51 +0100, Janusz Dobrowolski wrote:
> Taking into account the package is not part of any debian repo, can I just update the version published on my mentors.debian.net account without version change, or should I update package version to 2.4.3-2 before upload?

You can overwrite versions on the mentors website.

--
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#884816: RFS: frontaccounting/2.4.3-1 [ITA]
Hi,

Thank you for pointing out this documentation fragment, I have overlooked it indeed. Now I have prepared a slightly changed package version, including additional fixes to bugs found in old BTS reports, but the first package version (2.4.3-1) is already uploaded to my mentors account.

Taking into account the package is not part of any debian repo, can I just update the version published on my mentors.debian.net account without version change, or should I update package version to 2.4.3-2 before upload?

Janusz

On 21.12.2017 01:51, Paul Wise wrote:
> On Wed, Dec 20, 2017 at 6:57 AM, Janusz Dobrowolski wrote:
>
> > This package was recently included in wheezy, but it seems it was later orphaned sometime back in 2013, and currently is absent from debian repositories. Now it is refreshed, and as one of the upstream developers I'm ready to maintain it under the kind supervision of some sponsor.
>
> Please note the extra steps required when reintroducing removed packages:
>
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#reintroducing-pkgs
Bug#884816: RFS: frontaccounting/2.4.3-1 [ITA]
On Wed, Dec 20, 2017 at 6:57 AM, Janusz Dobrowolski wrote:
> This package was recently included in wheezy, but it seems it was later orphaned sometime back in 2013, and currently is absent from debian repositories. Now it is refreshed, and as one of the upstream developers I'm ready to maintain it under the kind supervision of some sponsor.

Please note the extra steps required when reintroducing removed packages:

https://www.debian.org/doc/manuals/developers-reference/pkgs.html#reintroducing-pkgs

--
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#884816: RFS: frontaccounting/2.4.3-1 [ITA]
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "frontaccounting"

 * Package name    : frontaccounting
   Version         : 2.4.3-1
   Upstream Author : FrontAccounting team.
 * URL             : http://frontaccounting.com
 * License         : GPL-3
   Section         : web

It builds those binary packages:

  frontaccounting - web-based double-entry accounting and ERP program

This package was recently included in wheezy, but it seems it was later orphaned sometime back in 2013, and currently is absent from debian repositories. Now it is refreshed, and as one of the upstream developers I'm ready to maintain it under the kind supervision of some sponsor.

To access further information about this package, please visit the following URL:

  https://mentors.debian.net/package/frontaccounting

Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/f/frontaccounting/frontaccounting_2.4.3-1.dsc

More information about FrontAccounting can be obtained from https://www.frontaccounting.com.

Regards,
Janusz Dobrowolski