[DRE-maint] ruby-thinking-sphinx is marked for autoremoval from testing
ruby-thinking-sphinx 3.1.4-3 is marked for autoremoval from testing on 2016-03-29

It is affected by these RC bugs:
816307: ruby-thinking-sphinx: FTBFS: uninitialized constant MultiSchema::ThinkingSphinx (NameError)

___
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
[DRE-maint] ruby-gir-ffi is marked for autoremoval from testing
ruby-gir-ffi 0.9.0-1 is marked for autoremoval from testing on 2016-04-13

It is affected by these RC bugs:
815802: ruby-gir-ffi: Requiring 'gir_ffi' fails
[DRE-maint] Processed: reopening 815802
Processing commands for cont...@bugs.debian.org:

> reopen 815802
Bug #815802 {Done: Christian Hofstaedtler} [ruby-gir-ffi] ruby-gir-ffi: Requiring 'gir_ffi' fails
Bug reopened
Ignoring request to alter fixed versions of bug #815802 to the same values previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
815802: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815802
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Re: [DRE-maint] Possible security flaw in gitlab: world readable gitlab_shell_secret file
* Julian Gilbey[160327 20:04]:
> I'm reporting this directly rather than via the BTS as it may be a
> security hole.

Great idea, but sending to @packages.debian.org is likely to expose your report to the world (like in this case); many packages use public mailing lists as their maintainer email, and who knows who/what else is subscribed to the packages.d.o address.

--
 ,''`.  Christian Hofstaedtler
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C D392 5C13 D6DB 9305 2E03
  `-
[DRE-maint] ruby-ridley 4.4.3-2 MIGRATED to testing
FYI: The status of the ruby-ridley source package in Debian's testing distribution has changed.

Previous version: 4.4.3-1
Current version: 4.4.3-2

--
This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.
[DRE-maint] ruby-tokyocabinet 1.31-5 MIGRATED to testing
FYI: The status of the ruby-tokyocabinet source package in Debian's testing distribution has changed.

Previous version: 1.31-4
Current version: 1.31-5
[DRE-maint] ruby-fog-atmos 0.1.0-3 MIGRATED to testing
FYI: The status of the ruby-fog-atmos source package in Debian's testing distribution has changed.

Previous version: 0.1.0-2
Current version: 0.1.0-3
[DRE-maint] diaspora-installer 0.5.7.1+debian2 MIGRATED to testing
FYI: The status of the diaspora-installer source package in Debian's testing distribution has changed.

Previous version: 0.5.7.1+debian1
Current version: 0.5.7.1+debian2
[DRE-maint] Bug#819412: gitlab: creates world-readable secrets file
Package: gitlab
Version: 8.4.3+dfsg-12
Severity: grave
Tags: security

Hello,

Somehow, part of the gitlab configuration process created a file called /var/lib/gitlab/.gitlab_shell_secret, with a symlink from /usr/share/gitlab-shell/.gitlab_shell_secret. I don't know its purpose, but I would assume that it is some form of secret key. However, the /var/lib/gitlab/.gitlab_shell_secret file is world-readable, which is not likely to be the desired file mode. 640 would be - presumably - more appropriate.

Best wishes,

   Julian

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gitlab depends on:
Re: [DRE-maint] Possible security flaw in gitlab: world readable gitlab_shell_secret file
On Mon, Mar 28, 2016 at 06:30:51AM +0200, Salvatore Bonaccorso wrote:
> Hi Julian,
>
> On Sun, Mar 27, 2016 at 07:04:27PM +0100, Julian Gilbey wrote:
> > Hello,
> >
> > I'm reporting this directly rather than via the BTS as it may be a
> > security hole.
> >
> > Somehow, part of the gitlab configuration process created a file
> > called /var/lib/gitlab/.gitlab_shell_secret, with a symlink from
> > /usr/share/gitlab-shell/.gitlab_shell_secret. I don't know its
> > purpose, but I would assume that it is some form of secret key.
> > However, the /var/lib/gitlab/.gitlab_shell_secret file is
> > world-readable, which is not likely to be the desired file mode. 640
> > would be - presumably - more appropriate.
> >
> > Other non-security bugs going to the BTS
>
> Since our gitlab package is not yet in a stable release, please report
> this directly to the BTS. I think it's safe to do so in this case.
>
> Regards,
> Salvatore

OK, shall do, thanks!

   Julian