Bug#694694: jruby: CVE-2012-5370
Package: jruby
Severity: grave
Tags: security
Justification: user security hole

Hi, please see the Red Hat bug for details: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5370

Cheers,
Moritz

__
This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Bug#690204: Bug#537051: Add no-await trigger support and Breaks to fix ca-certificates-java breakage
Hi! On Tue, 2012-11-13 at 13:18:37 -0800, Don Armstrong wrote: Control: tag -1 patch Please find the attached patches which fix this problem. I've tested them a bit, but please review them. ca-certificates (20121112+nmu1) unstable; urgency=low * Non-maintainer upload * Breaks ca-certificates-java (20121112+nmu1); partially fixing #537051. * Provide update-ca-certificates and update-ca-certificates-fresh triggers. * Call the triggers using no-await so that the configuration files from the newer version of ca-certificates-java are in places before the upgrade. Closes: #537051. diff --git a/debian/ca-certificates.triggers b/debian/ca-certificates.triggers new file mode 100644 index 000..14dec6e --- /dev/null +++ b/debian/ca-certificates.triggers @@ -0,0 +1,4 @@ +interest-noawait update-ca-certificates +interest-noawait update-ca-certificates-fresh As these are not supported by squeeze's dpkg, this can cause upgrade problems (see below). +interest update-ca-certificates +interest update-ca-certificates-fresh (OOC why the duplicates?) diff --git a/debian/control b/debian/control index 5ef776e..8f84573 100644 --- a/debian/control +++ b/debian/control @@ -13,9 +13,11 @@ Vcs-Browser: http://git.debian.org/?p=collab-maint/ca-certificates.git Package: ca-certificates Architecture: all +Pre-Depends: dpkg (= 1.16.1) This only guarantees that this dpkg version will be configured before installing this package, but not that the currently running dpkg will be that one version, so the upgrade from squeeze can still fail due to parser errors for the unknown triggers directive. diff --git a/debian/postinst b/debian/postinst index 198c57e..9964e27 100644 --- a/debian/postinst +++ b/debian/postinst 
@@ -142,12 +142,29 @@ EOF # fix bogus symlink to ca-certificates.crt on upgrades; see # Debian #643667; drop after wheezy if dpkg --compare-versions $2 lt-nl 20111025; then - update-ca-certificates --fresh + dpkg-trigger --no-await update-ca-certificates-fresh else - update-ca-certificates + dpkg-trigger --no-await update-ca-certificates fi ;; This is of course fine, though. Thanks, Guillem __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
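Review bot: in the debian/control hunk, `Pre-Depends: dpkg (= 1.16.1)` as shown pins an exact dpkg version, which would make ca-certificates uninstallable next to any later dpkg; if the intent is the minimum dpkg that understands `interest-noawait`, the relation should read `dpkg (>= 1.16.1)`. Either way, as already noted above, a Pre-Depends constrains only what is configured before this package is unpacked, not the dpkg process doing the unpacking, so the triggers file is still parsed by the old dpkg on a squeeze to wheezy upgrade.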
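Review bot: the debian/postinst hunk header (`@@ -142,12 +142,29 @@`) says the new side grows from 12 to 29 lines, but only the two `dpkg-trigger --no-await` replacements are visible, so the `triggered` branch that must now actually run `update-ca-certificates` (and `update-ca-certificates --fresh` for the `update-ca-certificates-fresh` trigger) cannot be reviewed from this quote; please post the full hunk. It would also help to state in the changelog that with `--no-await` the certificate store is refreshed only after ca-certificates itself is configured, since that ordering is the whole reason for the change.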
[bts-link] source package commons-httpclient
#
# bts-link upstream status pull for source package commons-httpclient
# see http://lists.debian.org/debian-devel-announce/2006/05/msg1.html
#
user bts-link-upstr...@lists.alioth.debian.org

# remote status report for #692442 (http://bugs.debian.org/692442)
# Bug title: CVE-2012-5783: Insecure certificate validation
#  * http://issues.apache.org/jira/browse/HTTPCLIENT-1265
#  * remote status changed: (?) -> Resolved
#  * remote resolution changed: (?) -> Won-t-Fix
#  * closed upstream
tags 692442 + fixed-upstream
usertags 692442 + status-Resolved resolution-Won-t-Fix

thanks
[bts-link] source package axis
#
# bts-link upstream status pull for source package axis
# see http://lists.debian.org/debian-devel-announce/2006/05/msg1.html
#
user bts-link-upstr...@lists.alioth.debian.org

# remote status report for #692650 (http://bugs.debian.org/692650)
# Bug title: axis: CVE-2012-5784
#  * http://issues.apache.org/jira/browse/AXIS-2883
#  * remote status changed: (?) -> Open
usertags 692650 + status-Open

thanks
Processed: [bts-link] source package commons-httpclient
Processing commands for cont...@bugs.debian.org:

#
# bts-link upstream status pull for source package commons-httpclient
# see http://lists.debian.org/debian-devel-announce/2006/05/msg1.html
#
user bts-link-upstr...@lists.alioth.debian.org
Setting user to bts-link-upstr...@lists.alioth.debian.org (was bts-link-de...@lists.alioth.debian.org).
# remote status report for #692442 (http://bugs.debian.org/692442)
# Bug title: CVE-2012-5783: Insecure certificate validation
#  * http://issues.apache.org/jira/browse/HTTPCLIENT-1265
#  * remote status changed: (?) -> Resolved
#  * remote resolution changed: (?) -> Won-t-Fix
#  * closed upstream
tags 692442 + fixed-upstream
Bug #692442 [commons-httpclient] CVE-2012-5783: Insecure certificate validation
Added tag(s) fixed-upstream.
usertags 692442 + status-Resolved resolution-Won-t-Fix
There were no usertags set.
Usertags are now: status-Resolved resolution-Won-t-Fix.
thanks
Stopping processing here.

Please contact me if you need assistance.
--
692442: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692442
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#690204: Bug#537051: Add no-await trigger support and Breaks to fix ca-certificates-java breakage
On Thu, 29 Nov 2012, Guillem Jover wrote: On Tue, 2012-11-13 at 13:18:37 -0800, Don Armstrong wrote: diff --git a/debian/ca-certificates.triggers b/debian/ca-certificates.triggers new file mode 100644 index 000..14dec6e --- /dev/null +++ b/debian/ca-certificates.triggers @@ -0,0 +1,4 @@ +interest-noawait update-ca-certificates +interest-noawait update-ca-certificates-fresh As these are not supported by squeeze's dpkg, this can cause upgrade problems (see below). +interest update-ca-certificates +interest update-ca-certificates-fresh (OOC why the duplicates?) They're not duplicated; it can handle both noawait and non-noawait triggers. diff --git a/debian/control b/debian/control index 5ef776e..8f84573 100644 --- a/debian/control +++ b/debian/control 
@@ -13,9 +13,11 @@ Vcs-Browser: http://git.debian.org/?p=collab-maint/ca-certificates.git Package: ca-certificates Architecture: all +Pre-Depends: dpkg (= 1.16.1) This only guarantees that this dpkg version will be configured before installing this package, but not that the currently running dpkg will be that one version, so the upgrade from squeeze can still fail due to parser errors for the unknown triggers directive. I've actually tested this, and it hasn't been a problem. I suppose the only way you could get it to be one is if you were manually using dpkg. If that's really the case, then it basically means that no package in wheezy can use the noawait triggers at all. [Unfortunately, the triggers have to be noawait triggers so that the Breaks: ca-certificates-java comes into effect before the trigger fires.] Don Armstrong -- I have no use for before and after pictures. I can't remember starting, and I'm never done. -- a softer world #221 http://www.asofterworld.com/index.php?id=221 http://www.donarmstrong.com http://rzlab.ucr.edu __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
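A pre-upload check for the pairing discussed in this thread, added here as an example and not part of the ca-certificates packaging or of any Debian tool: it flags `interest-noawait`/`activate-noawait` directives in a triggers file unless debian/control carries a Pre-Depends on dpkg with a `>=` relation of at least 1.16.1. The sample triggers and control fragments are constructed to mirror the quoted hunks (the "bad" control keeps the `(= 1.16.1)` relation exactly as it appears there), and the version comparison is a simplified stand-in for `dpkg --compare-versions`.

```shell
#!/bin/sh
# Added check (not from the ca-certificates package): flag *-noawait trigger
# directives unless debian/control Pre-Depends on dpkg (>= 1.16.1).
# Sample inputs are constructed here, modelled on the quoted hunks.
TMP=$(mktemp -d)
cat > "$TMP/ca-certificates.triggers" <<'EOF'
interest-noawait update-ca-certificates
interest-noawait update-ca-certificates-fresh
interest update-ca-certificates
interest update-ca-certificates-fresh
EOF
printf 'Package: ca-certificates\nPre-Depends: dpkg (= 1.16.1)\n' > "$TMP/control.bad"
printf 'Package: ca-certificates\nPre-Depends: dpkg (>= 1.16.1)\n' > "$TMP/control.good"

# ver_ge A B: succeeds when dotted numeric version A >= B. Plain numeric
# components only; full dpkg version semantics (epochs, ~, letters) are not implemented.
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# check_noawait_predepends TRIGGERS CONTROL: succeeds when the triggers file
# uses no *-noawait directive, or when control carries
# "Pre-Depends: dpkg (>= X)" with X at least 1.16.1 (the first dpkg to parse them).
check_noawait_predepends() {
    grep -Eq '^(interest|activate)-noawait[[:space:]]' "$1" || return 0
    rel=$(sed -n 's/^Pre-Depends:.*dpkg[[:space:]]*(\([<>=]*\)[[:space:]]*\([^)]*\)).*/\1 \2/p' "$2")
    [ -n "$rel" ] || return 1
    [ "${rel%% *}" = ">=" ] || return 1
    ver_ge "${rel#* }" 1.16.1
}

for c in control.good control.bad; do
    if check_noawait_predepends "$TMP/ca-certificates.triggers" "$TMP/$c"; then
        echo "$c: ok"
    else
        echo "$c: noawait directives without Pre-Depends: dpkg (>= 1.16.1)"
    fi
done
```

Run it against a real source tree as `check_noawait_predepends debian/PKG.triggers debian/control`; an exact `=` pin or a missing Pre-Depends both fail the check.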
Bug#690204: Bug#537051: Add no-await trigger support and Breaks to fix ca-certificates-java breakage
On 11/29/2012 10:48 AM, Don Armstrong wrote:
> I've actually tested this, and it hasn't been a problem. I suppose the only way you could get it to be one is if you were manually using dpkg. If that's really the case, then it basically means that no package in wheezy can use the noawait triggers at all.

Just for documentation, I've attached a log of my testing a straight dist-upgrade, prior to the uploads to unstable.

--
Kind regards,
Michael

Attachment: ca-certificates_squeeze-wheezy_dist-upgrade.log.gz (application/gzip)
Bug#690888: RFS: update to libautomaton-java to publish maven artifacts
On 10/27/2012 06:00 AM, Thomas Koch wrote:
> Hi, please sponsor my update to libautomaton-java (src: automaton). I moved the packaging to Git, authorized by the last uploader Michael Banck:
> http://anonscm.debian.org/gitweb/?p=pkg-java/automaton.git
> The package can be built from git with git-buildpackage. Please tell me if you'd prefer a source package for sponsoring.
>
> Regards,
> Thomas Koch, http://www.koch.ro

Hello Thomas,

I'm looking into sponsoring this upload. However, I have a question about the package version in the changelog. The changelog contains:

automaton (1.11-8+dfsg1-1) UNRELEASED; urgency=low

  * Install maven artifacts (Closes: #690888)
  * Update debhelper compat level to 9
  * Update standards-version to 3.9.3
  * Add myself (Thomas Koch) to uploaders
  * Packaging moved to Git
  * fix lintian warning copyright-refers-to-deprecated-bsd-license-file

 -- Thomas Koch tho...@koch.ro  Sun, 11 Mar 2012 15:36:19 +0100

automaton (1.11-8-1) unstable; urgency=low
[snip]

I'm not clear on why the package version is -8+dfsg1-1 instead of -8-2. Did you end up repacking the .orig.tar.gz? (And if so, I don't see any evidence of it in the pristine-tar branch.) Would it be okay to set the package version to 1.11-8-2 for the sponsored upload?

Thank you,
tony