[Bug 1436467] [NEW] Why is libaccounts-glib0 a hard dependancy of an image viewer?

[George Bateman]

Public bug reported:

I don't expect an image viewer to require the single sign-on package. I
should be able to install Shotwell without it, or remove the package
without losing Shotwell. The Debian version does not require it. Please
could you demote the dependency to a recommendation/suggestion?

lsb_release -rd: Description: Ubuntu 14.04.2 LTS, Release: 14.04
apt-cache policy shotwell:
shotwell:
  Installed: 0.18.0-0ubuntu4.3
  Candidate: 0.18.0-0ubuntu4.3
  Version table:
 *** 0.18.0-0ubuntu4.3 0
500 http://gb.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 
Packages
100 /var/lib/dpkg/status
 0.18.0-0ubuntu4 0
500 http://gb.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

** Affects: shotwell (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1436467

Title:
  Why is libaccounts-glib0 a hard dependancy of an image viewer?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shotwell/+bug/1436467/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1374715] Re: CVE links in the updater are invalid

[George Bateman]

Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1374715

Title:
  CVE links in the updater are invalid

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1374715/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1374715] Re: CVE links in the updater are invalid

[George Bateman]

Both links now work for me. I imagine that invalid links are allowed if and 
only if there is a CVE with the correct code, which would explain why this bug 
wasn't picked up in testing.
Nonetheless, I still think that we should add CVE- to  ensure that the 
correct error messages are shown even before the CVE is uploaded.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1374715

Title:
  CVE links in the updater are invalid

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1374715/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1374715] [NEW] CVE links in the updater are invalid

[George Bateman]

Public bug reported:

The auto-updater was asking for permission to update Bash. The Changes 
message was as follows:
Changes for bash versions:
Installed version: 4.3-7ubuntu1.3
Available version: 4.3-7ubuntu1.4

Version 4.3-7ubuntu1.4:

  * SECURITY UPDATE: out-of-bounds memory access
- debian/patches/CVE-2014-718x.diff: guard against overflow and fix
  off-by-one in parse.y and y.tab.c.
- CVE-2014-7186
- CVE-2014-7187
  * SECURITY IMPROVEMENT: use prefixes and suffixes for function exports
- debian/patches/variables-affix.diff: add prefixes and suffixes in
  variables.c.

Each CVE link went to an URL such as 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-7186. This is an error page 
which states that the CVE_ID is invalid. I would have expected to see a bug 
description of some sort.
Manually changing the URL to 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 changed the error 
message, which now claims the ID is valid but unrecognised. I assume this is 
for the reason suggested, that the problem has not been uploaded, and that this 
is now the correct URL.
Does the code that generates the links need to include CVE- in the URLs?

I assume that this will apply to all updates, not just Bash, but I can't
yet verify this.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: update-manager 1:0.196.12
ProcVersionSignature: Ubuntu 3.13.0-36.63-generic 3.13.11.6
Uname: Linux 3.13.0-36-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.4
Aptdaemon:

Architecture: amd64
CurrentDesktop: Unity
Date: Sat Sep 27 10:40:34 2014
ExecutablePath: /usr/bin/update-manager
GsettingsChanges:
 b'com.ubuntu.update-manager' b'show-details' b'true'
 b'com.ubuntu.update-manager' b'window-height' b'1000'
 b'com.ubuntu.update-manager' b'first-run' b'false'
 b'com.ubuntu.update-manager' b'window-width' b'1215'
 b'com.ubuntu.update-manager' b'launch-time' b'1411810242'
InstallationDate: Installed on 2014-07-31 (57 days ago)
InstallationMedia: Ubuntu 14.04 LTS Trusty Tahr - Release amd64 (20140417)
InterpreterPath: /usr/bin/python3.4
PackageArchitecture: all
SourcePackage: update-manager
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: update-manager (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug trusty

** Description changed:

  The auto-updater was asking for permission to update Bash. The Changes 
message was as follows:
  Changes for bash versions:
  Installed version: 4.3-7ubuntu1.3
  Available version: 4.3-7ubuntu1.4
  
  Version 4.3-7ubuntu1.4:
  
-   * SECURITY UPDATE: out-of-bounds memory access
- - debian/patches/CVE-2014-718x.diff: guard against overflow and fix
-   off-by-one in parse.y and y.tab.c.
- - CVE-2014-7186
- - CVE-2014-7187
-   * SECURITY IMPROVEMENT: use prefixes and suffixes for function exports
- - debian/patches/variables-affix.diff: add prefixes and suffixes in
-   variables.c.
+   * SECURITY UPDATE: out-of-bounds memory access
+ - debian/patches/CVE-2014-718x.diff: guard against overflow and fix
+   off-by-one in parse.y and y.tab.c.
+ - CVE-2014-7186
+ - CVE-2014-7187
+   * SECURITY IMPROVEMENT: use prefixes and suffixes for function exports
+ - debian/patches/variables-affix.diff: add prefixes and suffixes in
+   variables.c.
  
  Each CVE link went to an URL such as 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-7186. This is an error page 
which states that the CVE_ID is invalid. I would have expected to see a bug 
description of some sort.
- Manually changing the URL to 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 changed the error 
message, which now claims the ID is valid but unrecognised. (I assume this is 
for the reason suggested, that the problem has not been uploaded).
+ Manually changing the URL to 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 changed the error 
message, which now claims the ID is valid but unrecognised. I assume this is 
for the reason suggested, that the problem has not been uploaded, and that this 
is now the correct URL.
+ Does the code that generates the links need to include CVE- in the URLs?
  
  I assume that this will apply to all updates, not just Bash, but I can't
  yet verify this.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: update-manager 1:0.196.12
  ProcVersionSignature: Ubuntu 3.13.0-36.63-generic 3.13.11.6
  Uname: Linux 3.13.0-36-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.4
  Aptdaemon:
-  
+ 
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Sat Sep 27 10:40:34 2014
  ExecutablePath: /usr/bin/update-manager
  GsettingsChanges:
-  b'com.ubuntu.update-manager' b'show-details' b'true'
-  b'com.ubuntu.update-manager' b'window-height' b'1000'
-  b'com.ubuntu.update-manager' b'first-run' b'false'
-  b'com.ubuntu.update-manager' b'window-width' b'1215'
-  b'com.ubuntu.update-manager' b'launch-time' b'1411810242'
+  b'com.ubuntu.update-manager'