[DRE-maint] ruby-thinking-sphinx is marked for autoremoval from testing

2016-03-28 Thread Debian testing autoremoval watch
ruby-thinking-sphinx 3.1.4-3 is marked for autoremoval from testing on 
2016-03-29

It is affected by these RC bugs:
816307: ruby-thinking-sphinx: FTBFS: uninitialized constant 
MultiSchema::ThinkingSphinx (NameError)


___
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers


[DRE-maint] ruby-gir-ffi is marked for autoremoval from testing

2016-03-28 Thread Debian testing autoremoval watch
ruby-gir-ffi 0.9.0-1 is marked for autoremoval from testing on 2016-04-13

It is affected by these RC bugs:
815802: ruby-gir-ffi: Requiring 'gir_ffi' fails




[DRE-maint] Processed: reopening 815802

2016-03-28 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> reopen 815802
Bug #815802 {Done: Christian Hofstaedtler } [ruby-gir-ffi] 
ruby-gir-ffi: Requiring 'gir_ffi' fails
Bug reopened
Ignoring request to alter fixed versions of bug #815802 to the same values 
previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
815802: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815802
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Re: [DRE-maint] Possible security flaw in gitlab: world readable gitlab_shell_secret file

2016-03-28 Thread Christian Hofstaedtler
* Julian Gilbey  [160327 20:04]:
> I'm reporting this directly rather than via the BTS as it may be a
> security hole.

Great idea, but sending to @packages.debian.org is
likely to expose your report to the world (like in this case);
many packages use public mailing lists as their maintainer email,
and who knows who/what else is subscribed to the packages.d.o
address.

-- 
 ,''`.  Christian Hofstaedtler 
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-



[DRE-maint] ruby-ridley 4.4.3-2 MIGRATED to testing

2016-03-28 Thread Debian testing watch
FYI: The status of the ruby-ridley source package
in Debian's testing distribution has changed.

  Previous version: 4.4.3-1
  Current version:  4.4.3-2

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



[DRE-maint] ruby-tokyocabinet 1.31-5 MIGRATED to testing

2016-03-28 Thread Debian testing watch
FYI: The status of the ruby-tokyocabinet source package
in Debian's testing distribution has changed.

  Previous version: 1.31-4
  Current version:  1.31-5

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



[DRE-maint] ruby-fog-atmos 0.1.0-3 MIGRATED to testing

2016-03-28 Thread Debian testing watch
FYI: The status of the ruby-fog-atmos source package
in Debian's testing distribution has changed.

  Previous version: 0.1.0-2
  Current version:  0.1.0-3

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



[DRE-maint] diaspora-installer 0.5.7.1+debian2 MIGRATED to testing

2016-03-28 Thread Debian testing watch
FYI: The status of the diaspora-installer source package
in Debian's testing distribution has changed.

  Previous version: 0.5.7.1+debian1
  Current version:  0.5.7.1+debian2

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



[DRE-maint] Bug#819412: gitlab: creates world-readable secrets file

2016-03-28 Thread Julian Gilbey
Package: gitlab
Version: 8.4.3+dfsg-12
Severity: grave
Tags: security

Hello,

Somehow, part of the gitlab configuration process created a file
called /var/lib/gitlab/.gitlab_shell_secret, with a symlink from
/usr/share/gitlab-shell/.gitlab_shell_secret.  I don't know its
purpose, but I would assume that it is some form of secret key.
However, the /var/lib/gitlab/.gitlab_shell_secret file is
world-readable, which is not likely to be the desired file mode.  640
would be - presumably - more appropriate.

Best wishes,

   Julian

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gitlab depends on:
Re: [DRE-maint] Possible security flaw in gitlab: world readable gitlab_shell_secret file

2016-03-28 Thread Julian Gilbey
On Mon, Mar 28, 2016 at 06:30:51AM +0200, Salvatore Bonaccorso wrote:
> Hi Julian,
> 
> On Sun, Mar 27, 2016 at 07:04:27PM +0100, Julian Gilbey wrote:
> > Hello,
> > 
> > I'm reporting this directly rather than via the BTS as it may be a
> > security hole.
> > 
> > Somehow, part of the gitlab configuration process created a file
> > called /var/lib/gitlab/.gitlab_shell_secret, with a symlink from
> > /usr/share/gitlab-shell/.gitlab_shell_secret.  I don't know its
> > purpose, but I would assume that it is some form of secret key.
> > However, the /var/lib/gitlab/.gitlab_shell_secret file is
> > world-readable, which is not likely to be the desired file mode.  640
> > would be - presumably - more appropriate.
> > 
> > Other non-security bugs going to the BTS
> 
> Since our gitlab package is not yet in a stable release, please report
> this directly to the BTS. I think it's safe to do so in this case.
> 
> Regards,
> Salvatore

OK, shall do, thanks!

   Julian
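
Added example, not part of the thread or of the gitlab package: a shell check for the condition reported above, where a secret reached through a symlink ends up world-readable, together with tightening it to the suggested 640 and creating a new secret under a restrictive umask. The function names are hypothetical, and GNU coreutils (`readlink -f`, `stat -c`) is assumed, as on Debian.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes GNU coreutils (readlink -f, stat -c) as found on Debian.

# Print the octal mode of the regular file that the path finally resolves to.
secret_mode() {
    target=$(readlink -f -- "$1") || return 2
    [ -f "$target" ] || return 2
    stat -c '%a' -- "$target"
}

# 0 = no access for "other", 1 = some access for "other", 2 = not found.
audit_secret() {
    mode=$(secret_mode "$1") || return 2
    case $mode in
        *0) return 0 ;;
        *)  echo "WARN: $1 resolves to a file with mode $mode" >&2
            return 1 ;;
    esac
}

# Tighten an existing secret to 640, the mode suggested in the report.
harden_secret() {
    target=$(readlink -f -- "$1") || return 2
    chmod 640 -- "$target"
}

# Create a new secret that is never world-readable, even briefly:
# the umask applies at creation time, so no later chmod is needed.
create_secret() (
    umask 027
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$1"
)

# Audit any paths given on the command line, for example
# /usr/share/gitlab-shell/.gitlab_shell_secret (the symlink from the report).
for p in "$@"; do
    audit_secret "$p" || echo "check failed for $p" >&2
done
```

Mode 640 only helps if the file's group is limited to the accounts that need the secret, so check ownership alongside the mode.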
