Bug#926338: tomcat9: tomcat user's home folder is '/'

2020-09-21 Thread David Magda
On Sun, 2 Jun 2019 23:29:51 +0200, Emmanuel Bourg wrote: I admit using / as home directory isn't perfect, but I fail to see how this can be considered insecure. What about setting the -Duser.home JVM parameter when Tomcat is started instead of changing the system user home? Tomcat is

Bug#935203: tomcat9: systemd and /var/lib/tomcat9/policy/

2020-09-11 Thread David Magda
Hello, I've just installed the following from stretch-backports: $ dpkg --list | grep tomcat9 | cut -c1-60 ii libtomcat9-java 9.0.16-4~bpo9+1 ii tomcat9 9.0.16-4~bpo9+1 ii tomcat9-common 9.0.16-4~bpo9+1

Bug#931532: sudo-ldap ignores NOPASSWD in /etc/sudoers when running commands

2020-03-24 Thread David Magda
tch says to ask for a password. Of note: given that the order cannot be guaranteed in LDAP results, sudoers.ldap(5) mentions the "sudoOrder" attribute. You may need to switch the order of the values in your nsswitch.conf(5) file. -- David Magda

Bug#949539: linux-image-4.19.0-6-cloud-amd64: virtio-rng.ko module is not present

2020-01-21 Thread David Magda
Package: src:linux Version: 4.19.67-2+deb10u2 Severity: normal Dear Maintainer, The virtio-rng.ko is not present in the cloud image kernel package: debian@dm-test1:~$ locate virtio /usr/lib/modules/4.19.0-6-cloud-amd64/kernel/drivers/virtio

Bug#932379: apt-mirror doesn't grab *.xz i18n Translation files

2019-07-24 Thread David Magda
Please consider including the fix for this to "apt-mirror" packages in previous releases. Some of us use Deb 8/9 (jessie/stretch) to run our internal mirrors, and those mirrors will serve Deb10 (buster) systems.

Bug#880656: lastbind module and missing forwarding updates

2019-01-17 Thread David Magda
While the code is in the /master/ branch, it was never pulled into an official release. I've asked why this is: http://www.openldap.org/lists/openldap-technical/201901/msg00040.html Regards, David

Bug#904686: ssl-cert: RSA keylength is getting a bit short

2018-07-26 Thread David Magda
Package: ssl-cert Version: 1.0.39 Severity: wishlist The current default keylength for the snakeoil cert is 2048 bits. However, these certs could now live for ten years (3650 days), which as I type this could be up to 2028. Various technical bodies are recently that for long-lived secrets, a

Bug#904684: ssl-cert: HostName length check is too small

2018-07-26 Thread David Magda
Package: ssl-cert Version: 1.0.39 Severity: normal In the make_snakeoil() function, the code gets the FQDN of the system via a call to 'hostname -f'. Then it checks if the FQDN is longer than 64 characters, and if it is, uses the short hostname. However, a FQDN can be up to 255 octets per

Bug#867623: s-nail and mailx

2018-07-26 Thread David Magda
So what is the status of this bug? heirloom-mailx is now a transitional package to s-nail, but s-nail does not provide "mailx". At least on stretch (Deb9). Not very transitional if the same commands are not provided.

Bug#882244: zstd: add zstd package to jessie-backports

2017-11-21 Thread David Magda
"Current systems" in the sense of 'systems that are currently being used'. :) Awesome. On 2017-11-20 17:15, Andreas Tille wrote: Control: tags -1 pending On Mon, Nov 20, 2017 at 11:51:28AM -0500, David Magda wrote: Package: zstd Severity: wishlist It would be really han

Bug#882244: zstd: add zstd package to jessie-backports

2017-11-20 Thread David Magda
Package: zstd Severity: wishlist It would be really handy to have a backports package available for Debian 8 so that zstd could be used for current systems without having to develop an in-house package. We have quite a few jessie systems, and it will be supported via LTS until 2020, [1] so it

Bug#880507: mlocate: daily cron job should be (optionally) splayed to prevent thundering herd

2017-11-01 Thread David Magda
Package: mlocate Version: 0.26-1 Severity: wishlist Hello, We have mlocate installed on quite a few of our VMs, and when cron.daily is run on them, they all start at the same time. This can create a bit of I/O all at once. I think that quite a few Debian installations are now VMs, and so this

Bug#873956: acmetool: default challenge path for quickstart should mention or be /var/run/acme/acme-challenge

2017-09-01 Thread David Magda
Package: acmetool Version: 0.0.59-1+b1 Severity: normal The provided example snippets for Apache and nginx both have an alias for the "/.well-known/acme-challenge/" URL path pointing to "/var/run/acme/acme-challenge/". But when one does a 'quickstart' the text in webroot question only mentions

Bug#873944: acmetool: private keys should be readable by ssl-cert group

2017-09-01 Thread David Magda
Package: acmetool Version: 0.0.59-1+b1 Severity: wishlist There is a bit of a convention, created by the "ssl-cert" package AFAICT, that private keys are owned by the group "ssl-cert". This allows packages to not run as root but still have use the certs. It also allows for processes to drop

Bug#861185: ssl-cert: snakeoil certs need to have Subject Alternative Names

2017-04-25 Thread David Magda
Package: ssl-cert Version: 1.0.35 Severity: important Newer web browsers (Chrome 58+, Firefox 48+) are requiring that Subject Alternative Names (SANs) be present in certificates, and are ignoring the Common Name (CN) field. The snakeoil certs generated by make-ssl-cert(8) currently do not put

Bug#798462: libsasl2-2: recreate and use /etc/sasl2/ for new installations

2017-04-13 Thread David Magda
I was reviewing some stuff and ran across this bug I filed a while ago. I do not know if this is the best way to do this, but: I have created a "preinst" script to try to create /etc/sasl2/ by default, but handle situations where /usr/lib/sasl2/ already exists (and create softlinks for

Bug#798677: sasl2-bin: include LDAP_SASLAUTHD file in the package

2017-04-13 Thread David Magda
Hello, Any news on this bug? I know that "cyrus-sasl2-doc" exists: https://packages.debian.org/search?keywords=cyrus-sasl2-doc and the file/s are in there, but given that the -doc package is "only" 250KB, perhaps it's easier to just put everything into the -bin package and have one less

Bug#832036: ssl-cert: no easy way to have make-ssl-cert use a subjectAltName

2016-07-21 Thread David Magda
Package: ssl-cert Version: 1.0.35 Severity: wishlist The make-ssl-cert(8) utility has a bunch of things it can get from debconf: make-ssl-cert/vulnerable_prng: make-ssl-cert/altname: make-ssl-cert/hostname: make-ssl-cert/title: These are used in the ask_via_debconf() function. So it's

Bug#831693: Re: Bug#831693: debian-installer: installer tries to connect to the Internet when it shouldn't

2016-07-19 Thread David Magda
On 2016-07-19 00:39, Christian PERRIER wrote: From the fine documentation[1]: # Select which update services to use; define the mirrors to be used. # Values shown below are the normal defaults. #d-i apt-setup/services-select multiselect security, updates #d-i

Bug#831693: debian-installer: installer tries to connect to the Internet when it shouldn't

2016-07-19 Thread David Magda
On 2016-07-18 17:48, Philipp Kern wrote: From the fine documentation[1]: # Select which update services to use; define the mirrors to be used. # Values shown below are the normal defaults. #d-i apt-setup/services-select multiselect security, updates #d-i apt-setup/security_host

Bug#831693: debian-installer: installer tries to connect to the Internet when it shouldn't

2016-07-18 Thread David Magda
Package: debian-installer Version: 20150422+deb8u4 Severity: normal Tags: d-i We have a segment of our network that is firewalled off from the Internet at large. We have a local Debian mirror that we use for these subnets (as well as the organization at large). When we run an installation by

Bug#817836: openssh-server: ECDSA host key creation after upgrades

2016-03-10 Thread David Magda
Package: openssh-server Version: 1:6.0p1-4+deb7u3 Severity: wishlist Dear Maintainer, We're upgrading some systems from Debian 6 to Debian 7 (and then maybe 8). As part of the update, the newer version of OpenSSH supports the newer ECDSA format. However, after the upgrade is complete, and I run

Bug#811542: mailman: Update configuration for Apache 2.4

2016-01-19 Thread David Magda
Package: mailman Version: 1:2.1.18-2 Severity: important The current copy of /etc/mailman/apache.conf in the mailman package has configuration items that are for Apache 2.2. For example: AllowOverride None Options ExecCGI AddHandler

Bug#798677: sasl2-bin: include LDAP_SASLAUTHD file in the package

2015-09-11 Thread David Magda
Package: sasl2-bin Version: 2.1.26.dfsg1-13 Severity: wishlist If you're using the "ldap" MECHANISM, there are a bunch of configuration variables that need to be put in /etc/saslauthd.conf. By default there is no documentation for these values installed in the package, so one has to go online and

Bug#798462: libsasl2-2: recreate and use /etc/sasl2/ for new installations

2015-09-10 Thread David Magda
Consistency. Just about all configuration items on a Linux/Unix system are placed in /etc, except for the Cyrus SASL packages where there is no /etc/sasl{,2}/, but rather a /usr/lib/sasl2 (and /usr/lib/x86_64-linux-gnu/sasl2). It's confusing because /etc/sasldb2 and /etc/saslauthd.conf are

Bug#798462: libsasl2-2: recreate and use /etc/sasl2/ for new installations

2015-09-09 Thread David Magda
Package: libsasl2-2 Version: 2.1.26.dfsg1-13 Severity: wishlist The upstream code uses /etc/sasl2/ as the default configuration directory, as is illustrated in libsasl2.so: $ strings /usr/lib/x86_64-linux-gnu/libsasl2.so.2 | grep etc sasl_auxprop_getctx

Bug#795380: krb5-config: default krb5.conf has other people's domains

2015-08-14 Thread David Magda
Sure. Whatever. Feel free to close the ticket.

Bug#795380: krb5-config: default krb5.conf has other people's domains

2015-08-13 Thread David Magda
Package: krb5-config Version: 2.3 Severity: important Our Kerberos domain is in the *.OICR.ON.CA address space. We only use it internally with no employment of external entities for things like cross-domain trust. Yet, when we install the krb5-config package, it has a bunch of stuff for

Bug#795380: krb5-config: default krb5.conf has other people's domains

2015-08-13 Thread David Magda
You ask to have these realms removed. My question is what harm is done by having them there? So, I'll admit a certain frustration that rather than answering the questions I asked you responded with your own questions. Fair enough: as a sysadmin, when I enter answers for package

Bug#795380: krb5-config: default krb5.conf has other people's domains

2015-08-13 Thread David Magda
I own the domain magda.ca: can I get it added so that every Debian (and Ubuntu) install that uses Kerberos will have that domain in its krb5.conf? I have a couple of friends that also have domains, can they request that they be added too? What criteria is used to determine what gets added

Bug#794656: mysql-mmm-agent: change in output format of $Net::ARP::VERSION necessitates change in 'if' comparison

2015-08-05 Thread David Magda
Package: mysql-mmm-agent Version: 2.2.1-1.1 Severity: important We were having issues migrating things via 'mmm_control move_role foo bar{1,2}' because when the virtual IP (vIP) moved from one host to the other it was no longer accessible (via ping or telnet) over the network. It turns out after

Bug#791916: mysql-mmm-monitor: $old_state is not defined or initialized properly

2015-07-09 Thread David Magda
Package: mysql-mmm-monitor Version: 2.2.1-1.1 Severity: important We were having issues getting the monitor up and running with the following in the /var/log/mmm_mond.log: 2015/07/08 12:32:10 INFO Waiting for network connection... 2015/07/08 12:32:10 INFO Spawning checker 'ping_ip'...

Bug#773815: Acknowledgement (ssl-cert in wheezy should default to SHA-2-based certs)

2015-02-10 Thread David Magda
Has anyone had a chance to look at this and consider the changes to wheezy and/or squeeze-lts?

Bug#776389: java-package: the package name is the same for the regular JRE and the server JRE

2015-01-27 Thread David Magda
Package: java-package Version: 0.53~bpo70+1 Severity: normal Dear Maintainer, I recently tried making a DEB package for both jre-7u75-linux-x64.tar.gz and server-jre-7u75-linux-x64.tar.gz, and make-jpkg(1) generates a file called oracle-java7-jre_7u75_amd64.deb for both. This makes it

Bug#776389: java-package: the package name is the same for the regular JRE and the server JRE

2015-01-27 Thread David Magda
I haven't had a chance to look at the code involved, so can't say at the moment if I have the skills to submit anything useful. Also, I noticed that for the DEB file generated for the server-jre, in the Provides line, lists java-browser-plugin. This is wrong, as the server-jre does not

Bug#773815: ssl-cert in wheezy should default to SHA-2-based certs

2014-12-23 Thread David Magda
Package: ssl-cert Version: 1.0.32 Severity: normal Version 1.0.35 in jessie/testing create snakeoil certs with SHA-256 as the hashing algorithm, but the version in wheezy still uses SHA-1. Given the change in policy of the major browsers (IE, FF, Chrome) to start marking SHA-1-based certs as

Bug#764352: vlan package needs to be on installation media

2014-10-07 Thread David Magda
Package: vlan Version: 1.9-3 Severity: important Tags: d-i We have some servers where VLANs are trunked to them in such a way that the bare network interface does not have any network available. This is because our network gear cannot simultaneously have the interface be both untagged (with a

Bug#759816: more log entries about be2net

2014-09-02 Thread David Magda
We also had the following entries in /var/log/kern.log just before the system went off the air: kernel: [18334096.497821] be2net :02:00.7: Unrecoverable error in the card kernel: [18334096.497853] be2net :02:00.7: UE: PMEM bit set kernel: [18334096.497881] be2net

Bug#759816: linux-image-3.2.0-4-amd64: update be2net driver to 4.2.389 (or newer)

2014-08-30 Thread David Magda
Package: src:linux Version: 3.2.60-1+deb7u3 Severity: important Dear Maintainer, The current Debian 7 kernel only has the 4.2.220 version of the be2net driver: $ sudo ethtool -i eth0 driver: be2net version: 4.2.220u firmware-version: 4.6.247.5 bus-info:

Bug#749932: auditd: permissions warning for /sbin/audispd

2014-05-30 Thread David Magda
Package: auditd Version: 1:1.7.18-1.1 Severity: normal Dear Maintainer, The permissions of the audispd(8) binary seem to be incorrect. I get the following entry in the audit log: May 30 13:55:46 ops2 auditd: /sbin/audispd permissions should be 0750 The binary, right after installation is: $

Bug#733255: ssl-cert: start creating SHA2-based certificates

2014-04-16 Thread David Magda
Has anyone had a chance to look at making make-ssl-cert(8) use SHA-2? Given the (release and retire) time lines of Debian 8, there could be the problem of Windows not accepting SHA-1 certs.

Bug#733255: ssl-cert: start creating SHA2-based certificates

2013-12-27 Thread David Magda
Package: ssl-cert Version: 1.0.32 Severity: normal Dear Maintainer, Currently running make-ssl-cert creates self-signed (snake oil) certificates which use the Signature Algorithm sha1WithRSAEncryption. This has been fine for the last few years, but there are some recent changes that warrant

Bug#728216: libdb5.1: put libdb5.1 in squeeze-backports

2013-10-29 Thread David Magda
Package: libdb5.1 Version: 5.1.29-5 Severity: wishlist Dear Maintainer, Given that wheezy only has libdb5.1, but squeeze only has various libdb4.x libraries, there may arise a situation where software compiled for libdb4 will not have anything available to resolve library dependencies. This

Bug#722285: kexec-tools: wheezy kexec-tools cannot handle wheezy-backports Linux kernel

2013-09-09 Thread David Magda
Package: kexec-tools Version: 1:2.0.3-1 Severity: normal Dear Maintainer, We're running the linux-image-3.10-0.bpo.2-amd64 kernel and installed kdump-tools. We configure the following in /etc/default/kdump-tools: USE_KDUMP=1 DEBUG_KERNEL=/usr/lib/debug/boot/vmlinux-3.2.0-0.bpo.4-amd64

Bug#699367: an issue with crash(8) perhaps?

2013-02-21 Thread David Magda
On 2013-01-31 00:17, Ben Hutchings wrote: On Wed, 2013-01-30 at 14:50 -0500, David Magda wrote: The upstream bug report is at: https://www.redhat.com/archives/crash-utility/2011-June/thread.html#0 http://people.redhat.com/anderson/crash_patches/5.1.5-to-5.1.6.patch If it is the crash

Bug#700418: kdump-tools: default debug kernel search path is incorrect

2013-02-21 Thread David Magda
On 2013-02-12 09:07, David Magda wrote: In /usr/share/doc/kdump-tools/README.Debian the following text appears: 4. Debug Kernel You *should* have a debug kernel in order for makedumpfile to process the vmcore file. Without a debug kernel, the transfer process is reduced

Bug#699367: an issue with crash(8) perhaps?

2013-02-21 Thread David Magda
On 2013-02-21 14:10, Ben Hutchings wrote: The squeeze kernel is unfortunately missing support for a lot of current hardware (notably graphics but also some networking chips) so many people are running later kernel versions. I would love to fix some of these but I have my hands full and I can

Bug#700418: kdump-tools: default debug kernel search path is incorrect

2013-02-12 Thread David Magda
Package: kdump-tools Version: 1.3.5-1 Severity: normal In /usr/share/doc/kdump-tools/README.Debian the following text appears: 4. Debug Kernel You *should* have a debug kernel in order for makedumpfile to process the vmcore file. Without a debug kernel, the transfer process is

Bug#699367: linux-image-3.2.0-0.bpo.4-amd64-dbg: debugging kernel is not SMP, but running kernel is SMP, so crash(8) doesn't work

2013-01-30 Thread David Magda
Package: linux-image-3.2.0-0.bpo.4-amd64-dbg Version: 3.2.35-2~bpo60+1 Severity: normal I'm trying to get kernel crash dumps working and am having issues getting crash(8) working: root@vm41:/var/crash/201301291809# crash /boot/System.map-3.2.0-0.bpo.4-amd64 kernel_link dump.201301291809

Bug#699367: an issue with crash(8) perhaps?

2013-01-30 Thread David Magda
It appears that it may be an issue with the crash package. From the release notes: 5.1.6 - Fixed several typos in the updated crash.8 man page. (bob.montgom...@hp.com) [...] - Fix to support Linux 3.x version number change. Without the patch, the crash session fails with

Bug#674142: fix for 2.2.16?

2012-11-15 Thread David Magda
This bug is marked as done, but that's only the case for the wheezy package (2.2.22). I don't see new binaries for squeeze (2.2.16). Can you either add the patch to the squeeze package or add something to squeeze-backports?

Bug#568838: inactive LVMs on boot bug?

2012-06-12 Thread David Magda
Is there any reason why the patch hasn't been applied? The bug has been open for two years now. The squeeze release of lvm2 hasn't been touched since January 2011: http://packages.debian.org/changelogs/pool/main/l/lvm2/lvm2_2.02.66-5/changelog But the maintainer (CC'd) has updated the wheezy

Bug#665204: general: create package for pg_rman Postgres backup utility

2012-03-22 Thread David Magda
Package: general Severity: wishlist The pg_rman utility would be a useful addition to Debian for people who run PostgreSQL systems: pg_rman is an online backup and restore tool for PostgreSQL. The goal of the pg_rman project is providing a method for online backup and PITR as easy as

Bug#635271: please enable SSLEngine optional

2011-07-24 Thread David Magda
Package: apache2 Version: 2.2.16-6+squeeze1 Severity: wishlist Recent versions of Apache support RFC 2817, which allows HTTP software to 'upgrade' connections from non-encrypted to encrypted status; it is sometimes referred to as StartTLS for HTTP. http://tools.ietf.org/html/rfc2817