Bug#896858: RM: libnet-whois-ripe-perl/1.23-2
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: rm The package is completely broken in stretch, see #896500 for details.
Bug#896841: jessie-pu: package psensor/1.1.3-2
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, I have prepared a security update for psensor to fix CVE-2014-10073 in Jessie. This is Debian bug #896195. The security team has marked this issue as no-dsa. I am going to upload the new revision shortly. Please find attached the debdiff. Regards, Markus diff -Nru psensor-1.1.3/debian/changelog psensor-1.1.3/debian/changelog --- psensor-1.1.3/debian/changelog 2014-10-13 09:20:27.0 +0200 +++ psensor-1.1.3/debian/changelog 2018-04-24 21:23:26.0 +0200 @@ -1,3 +1,12 @@ +psensor (1.1.3-2+deb8u1) jessie; urgency=high + + * Non-maintainer upload by the LTS team. + * Fix CVE-2014-10073: The create_response function in server/server.c in +Psensor allows Directory Traversal because it lacks a check for whether a +file is under the webserver directory. (Closes: #896195) + + -- Markus KoschanyTue, 24 Apr 2018 21:23:26 +0200 + psensor (1.1.3-2) unstable; urgency=medium * debian/control diff -Nru psensor-1.1.3/debian/patches/CVE-2014-10073.patch psensor-1.1.3/debian/patches/CVE-2014-10073.patch --- psensor-1.1.3/debian/patches/CVE-2014-10073.patch 1970-01-01 01:00:00.0 +0100 +++ psensor-1.1.3/debian/patches/CVE-2014-10073.patch 2018-04-24 21:23:26.0 +0200 
@@ -0,0 +1,74 @@ +From: Markus Koschany +Date: Mon, 23 Apr 2018 23:51:42 +0200 +Subject: CVE-2014-10073 + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896195 +Origin: http://git.wpitchoune.net/gitweb/?p=psensor.git;a=commitdiff;h=8b10426dcc0246c1712a99460dd470dcb1cc4d9c +--- + src/server/server.c | 26 ++ + 1 file changed, 22 insertions(+), 4 deletions(-) + +diff --git a/src/server/server.c b/src/server/server.c +index 5862586..fd5662a 100644 +--- a/src/server/server.c b/src/server/server.c +@@ -23,6 +23,7 @@ + #include + #define _(str) gettext(str) + ++#include + #include + #include + #include +@@ -246,13 +247,24 @@ static struct MHD_Response * + create_response(const char *nurl, const char *method, unsigned int *rp_code) + { + struct MHD_Response *resp = NULL; ++ char *rpath; ++ int n; + + if (!strncmp(nurl, URL_BASE_API_1_1, strlen(URL_BASE_API_1_1))) { + resp = create_response_api(nurl, method, rp_code); + } else { + char *fpath = get_path(nurl, server_data.www_dir); + +- resp = create_response_file(nurl, method, rp_code, fpath); ++ rpath = realpath(fpath, NULL); ++ if (rpath) { ++ n = strlen(server_data.www_dir); ++ if (!strncmp(server_data.www_dir, rpath, n)) ++ resp = create_response_file(nurl, ++ method, ++ rp_code, ++ fpath); ++ free(rpath); ++ } + + free(fpath); + } +@@ -347,7 +359,7 @@ int main(int argc, char *argv[]) + switch (optc) { + case 'w': + if (optarg) +- server_data.www_dir = strdup(optarg); ++ server_data.www_dir = realpath(optarg, NULL); + break; + case 'p': + if (optarg) +@@ -386,8 +398,14 @@ int main(int argc, char *argv[]) + exit(EXIT_FAILURE); + } + +- if (!server_data.www_dir) +- server_data.www_dir = strdup(DEFAULT_WWW_DIR); ++ if (!server_data.www_dir) { ++ server_data.www_dir = realpath(DEFAULT_WWW_DIR, NULL); ++ if (!server_data.www_dir) { ++ fprintf(stderr, ++ _("Webserver directory does not exist.\n")); ++ exit(EXIT_FAILURE); ++ } ++ } + + if (!log_file) + log_file = strdup(DEFAULT_LOG_FILE); diff -Nru 
psensor-1.1.3/debian/patches/series psensor-1.1.3/debian/patches/series --- psensor-1.1.3/debian/patches/series 1970-01-01 01:00:00.0 +0100 +++ psensor-1.1.3/debian/patches/series 2018-04-24 21:23:26.0 +0200 @@ -0,0 +1 @@ +CVE-2014-10073.patch
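Review bot: the containment test in the create_response() hunk, `if (!strncmp(server_data.www_dir, rpath, n))` with `n = strlen(server_data.www_dir)`, is a bare prefix comparison, so any resolved path whose first n bytes equal the www_dir string passes, including a sibling directory whose name merely begins with the www_dir string; require a path separator at the boundary as well, e.g. `&& (rpath[n] == '/' || rpath[n] == '\0')`, since realpath() returns www_dir without a trailing slash. Two smaller points on the same hunk: the file is then served via `fpath` rather than the verified `rpath`, leaving a gap between resolution and use, and when `rpath` is NULL (nonexistent or unresolvable path) `resp` stays NULL with no visible error response in this hunk, which is worth confirming against the caller.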
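Review bot: in the `case 'w':` hunk, `server_data.www_dir = realpath(optarg, NULL);` leaves www_dir NULL when the operator-supplied directory does not exist, and the later `if (!server_data.www_dir)` hunk then silently falls back to DEFAULT_WWW_DIR, so a mistyped -w argument serves a directory other than the one requested; check the realpath() result at the option site and fail with the same "Webserver directory does not exist." message instead of falling through. The changelog entry could also record that www_dir is now always canonical (no trailing slash), because the prefix check in create_response() depends on that property.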
Bug#894159: transition: icu
On Tue, Apr 24, 2018 at 6:46 PM, Rene Engelhard wrote:
> On Mon, Apr 23, 2018 at 09:19:06PM +0200, László Böszörményi wrote:
>> > I would appreciate a number of failing rdeps and how many are due to ICU
>> > API changes and how many are due to icu-config removal.
>> [...] I do not
>> recall any API change. In short, there are fifteen packages FTBFS and
>
> Interesting. I do.

Let me rephrase my sentence. I do not remember any FTBFS reason which happens due to an ICU API change. I could build all dependent packages without any code change in those. Sorry for the bad wording.

I'm in a run, but double checked my patches and all about ICU detection without icu-config installed - except one. That is OpenTTD which needs an additional build dependency on libicu-le-hb-dev.

To be extra sure about the possible changes needed in the packages, I'll start the rebuild tests soon.

Kind regards,
Laszlo/GCS
Bug#894159: transition: icu
On Mon, Apr 23, 2018 at 09:19:06PM +0200, László Böszörményi wrote: > > I would appreciate a number of failing rdeps and how many are due to ICU API > > changes and how many are due to icu-config removal. > [...] I do not > recall any API change. In short, there are fifteen packages FTBFS and Interesting. I do. https://cgit.freedesktop.org/libreoffice/core/diff/i18npool/source/breakiterator/breakiterator_unicode.cxx?id=3e42714c76b1347babfdea0564009d8d82a83af4 Regards, Rene
Bug#895943: marked as done (transition: perl 5.26.2)
Your message dated Tue, 24 Apr 2018 19:34:12 +0300 with message-id <20180424163412.GB32467@estella.local.invalid> and subject line Re: Bug#895943: transition: perl 5.26.2 has caused the Debian Bug report #895943, regarding transition: perl 5.26.2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 895943: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895943 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Hi, perl 5.26.2-1 in experimental. It is binary compatible with 5.26.0 and 5.26.1 and therefore Provides all of perlapi-5.26.0, perlapi-5.26.1 and perlapi-5.26.2. However, as usual, four packages will need binNMUs once it enters unstable due to their strict versioned dependencies on the current perl version: libpar-packer-perl libdevel-cover-perl libclass-xsaccessor-perl libcommon-sense-perl These binNMUs will need the 'extra-depends' wanna-build feature to make sure the new perl is pulled in. Please let us know if/when it's OK to upload. 
-- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled --- End Message --- --- Begin Message --- On Wed, Apr 18, 2018 at 01:46:58PM +0200, Emilio Pozuelo Monfort wrote: > On 18/04/18 06:38, Niko Tyni wrote: > > On Tue, Apr 17, 2018 at 06:44:50PM +0200, Emilio Pozuelo Monfort wrote: > >> Control: tags -1 confirmed > >> > >> On 17/04/18 18:38, Niko Tyni wrote: > >>> Package: release.debian.org > >>> Severity: normal > >>> User: release.debian@packages.debian.org > >>> Usertags: transition > >>> perl 5.26.2-1 in experimental. It is binary compatible with 5.26.0 and > >>> 5.26.1 and therefore Provides all of perlapi-5.26.0, perlapi-5.26.1 > >>> and perlapi-5.26.2. However, as usual, four packages will need binNMUs > >>> once it enters unstable due to their strict versioned dependencies on > >>> the current perl version: > binNMUs scheduled: > > $ wb nmu libpar-packer-perl libdevel-cover-perl libclass-xsaccessor-perl > libcommon-sense-perl . ANY . -m "Rebuild against perlapi-5.26.2." > --extra-depends 'perl-base (>= 5.26.2)' 5.26.2-2 is in testing now, so closing this. Many thanks for the smooth migration! -- Niko--- End Message ---
Please allow paleomix to migrate to testing
Hello, We have one more case of an arch:all package held up in testing because of installability issues on i386 due to a dependency on bwa and other packages. Can paleomix be allowed to migrate to Testing? https://qa.debian.org/excuses.php?package=paleomix Thanks and regards Andreas. -- http://fam-tille.de
Bug#896811: [Pkg-nagios-devel] Bug#896811: stretch-pu: package icinga2/2.6.0-2+deb9u1
Hi Felix,

Thanks for caring about icinga2. Please help maintain the package within the Nagios team.

On 2018-04-24 14:59, Felix Geyer wrote:
> I'd like to upload this fix to stretch, debdiff is attached.

Please push your changes to the (to be created) stretch branch of the git repository: https://salsa.debian.org/nagios-team/pkg-icinga2

Kind Regards,
Bas
Bug#896811: stretch-pu: package icinga2/2.6.0-2+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, Icinga2 2.6.0 stores timestamps as local time instead of UTC in the database when the PostgreSQL IDO backend is used. The result is that Icinga Web 2 displays all date/times with an offset (unless system time is UTC of course). While you could argue that this is only a cosmetic problem I think it's important for a monitoring system to display the correct time. This has been fixed upstream in 2.6.1. Bug report is at https://github.com/Icinga/icinga2/issues/4874 I'd like to upload this fix to stretch, debdiff is attached. Felix diff -Nru icinga2-2.6.0/debian/changelog icinga2-2.6.0/debian/changelog --- icinga2-2.6.0/debian/changelog 2016-12-19 16:13:45.0 +0100 +++ icinga2-2.6.0/debian/changelog 2018-04-23 15:47:44.0 +0200 @@ -1,3 +1,9 @@ +icinga2 (2.6.0-2+deb9u1) stretch; urgency=medium + + * Fix timestamps being stored as local time in PostgreSQL. + + -- Felix GeyerMon, 23 Apr 2018 15:47:44 +0200 + icinga2 (2.6.0-2) unstable; urgency=medium * [e0f34e4] Add patch 41_ido_mysql57 - for compatibility with MySQL 5.7 diff -Nru icinga2-2.6.0/debian/patches/43_postgres_timezone icinga2-2.6.0/debian/patches/43_postgres_timezone --- icinga2-2.6.0/debian/patches/43_postgres_timezone 1970-01-01 01:00:00.0 +0100 +++ icinga2-2.6.0/debian/patches/43_postgres_timezone 2018-04-18 08:17:02.0 +0200 
@@ -0,0 +1,23 @@ +From e9db716b26e49a36d733d5e224280fb63943fb9f Mon Sep 17 00:00:00 2001 +From: Michael Friedrich +Date: Wed, 11 Jan 2017 17:34:09 +0100 +Subject: [PATCH] Ensure that PostgreSQL timestamps are UTC + +fixes #13617 +--- + lib/db_ido_pgsql/idopgsqlconnection.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/db_ido_pgsql/idopgsqlconnection.cpp b/lib/db_ido_pgsql/idopgsqlconnection.cpp +index f398fda50..c16f9f50f 100644 +--- a/lib/db_ido_pgsql/idopgsqlconnection.cpp b/lib/db_ido_pgsql/idopgsqlconnection.cpp +@@ -636,7 +636,7 @@ bool IdoPgsqlConnection::FieldToEscapedString(const String& key, const Value& va + } else if (DbValue::IsTimestamp(value)) { + long ts = rawvalue; + std::ostringstream msgbuf; +- msgbuf << "TO_TIMESTAMP(" << ts << ")"; ++ msgbuf << "TO_TIMESTAMP(" << ts << ") AT TIME ZONE 'UTC'"; + *result = Value(msgbuf.str()); + } else if (DbValue::IsTimestampNow(value)) { + *result = "NOW()"; diff -Nru icinga2-2.6.0/debian/patches/series icinga2-2.6.0/debian/patches/series --- icinga2-2.6.0/debian/patches/series 2016-12-16 18:28:37.0 +0100 +++ icinga2-2.6.0/debian/patches/series 2018-04-18 08:56:34.0 +0200 @@ -1,3 +1,4 @@ 21_config_changes 41_ido_mysql57 42_mips_boost_bind_workaround +43_postgres_timezone
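Review bot: the `IsTimestampNow` branch directly below the changed line still emits `NOW()`, which, like `TO_TIMESTAMP()`, yields a timestamptz that PostgreSQL renders in the session time zone when stored into a `timestamp without time zone` column, so the same local-time skew that `AT TIME ZONE 'UTC'` fixes for explicit timestamps may persist for "now" values; check whether that branch needs the same treatment so both code paths agree. On documentation: the patch header says "fixes #13617" while the bug report cites https://github.com/Icinga/icinga2/issues/4874; a DEP-3 `Bug:`/`Origin:` line naming upstream commit e9db716b26e49a36d733d5e224280fb63943fb9f would make the relationship traceable from debian/patches alone.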
Processed: Re: Bug#895633: transition: poppler
Processing control commands: > tags -1 pending Bug #895633 [release.debian.org] transition: poppler Added tag(s) pending. -- 895633: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895633 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#895633: transition: poppler
Control: tags -1 pending On 19/04/18 19:31, Emilio Pozuelo Monfort wrote: > Control: tags -1 confirmed > > On 13/04/18 20:02, Emilio Pozuelo Monfort wrote: >> Package: release.debian.org >> Severity: normal >> User: release.debian@packages.debian.org >> Usertags: transition >> Control: block -1 with 894371 >> >> Time for another poppler transition. It's in experimental, and all >> the rdepends build fine, except for >> >> gdcm, due to an unrelated bug #894371. > > This is ongoing now. Some rdeps failed due to the new texlive-bin, but poppler migrated already. Cheers, Emilio