Bug#381333: Please consider adding fstyp

Package: moreutils Version: 0.15 Severity: wishlist Hi Joey, please consider adding alias fstyp - identify filesystem to the morutils package. Regards, Joey -- WARNING: Do not execute! This call violates patent DE10108564. http://www.elug.de/projekte/paten

Bug#371076: cfs SIGSEGV

Please use CVE-2006-3123 for this issue. Gerrit, please mention it in the proper changelog entry when you're uploading the next package anyway. Regards, Joey -- This is GNU/Linux Country. On a quiet night, you can hear Windows reboot. Please always Cc to me when replying to me on the

Bug#380273: DHCP server exits unexpectedly on DHCPOFFER with specific client-identifier

I have assigned CVE-2006-3122 to this issue. Eloy, please let us know which version in sid fixes the problem when you upload a package. Andrew, is it ok when we credit you in the advisory for discovery? Andrew Steets wrote: > There is a bug in ISC DHCP server version 2 that causes the server to

Bug#377299: sitebar: CVE-2006-3320: cross-site scripting

Thijs Kinkhorst wrote: > > > CVE-2006-3320: "Cross-site scripting (XSS) vulnerability in command.php > > in SiteBar 3.3.8 and earlier allows remote attackers to inject arbitrary > > web script or HTML via the command parameter." > > I've already fixed this by NMU in unstable. I've also prepared a

Bug#380152: missing raid456 modules

maximilian attems wrote: > severity 380152 serious > stop > > an boot failure is RC. True, but not a boot-failure in a kernel which is not part of the release. Hence, madducks downgrade was fine. > 2.6.18 linux-image package are under preparation. > 2.6.17 or higher will be used for Etch, > curr

Bug#378544: Undefined macros in manpages

Justin Pryzby wrote: > > Thanks for your report. Fixes, as described below, will appear in upstream > > 2.37. Cool! > > > results: line dismissed > > > fix: .B instead of .Fd > > > > Not correct; no change. (Is the Debian page different from my upstream, > > perhaps?) > Indeed it is: > http:

Bug#380054: CVE-2006-2898: Denial of service in Asterisk

Mark Purcell wrote: > On Thursday 27 July 2006 07:34, Martin Schulze wrote: > > The patch used for security is attached. > > Thanks Joey, > > In asterisk 1.2.10 half of that patch is already applied upstream. > > I have applied the other half and am in the process of

Bug#380054: CVE-2006-2898: Denial of service in Asterisk

Package: asterisk Version: 1.2.10.dfsg-1 Severity: grave Tags: security patch A problem has been discovered in the IAX2 channel driver of Asterisk, an Open Source Private Branch Exchange and telephony toolkit, which may allow a remote to cause au crash of the Asterisk server. The patch used for s

Bug#372285: makecontext(3)

Michael Kerrisk wrote: > > Please apply it either directly or adjusted for your needs. > > I haven't taken this as is, but have done a few rewrites in the > page including adding some text that mentions that these > arguments are 'int'. Great. Thanks and welcome back. Regards, Joey --

Bug#372285: makecontext(3)

Hi Michael, here's a small addition to makecontext(3) based on Helmut's comment in : Index: man3/makecontext.3 === RCS file: /var/cvs/debian/manpages/man3/makecontext.3,v retrieving revision 1.1.1.8 dif

Bug#379297: epoll_ctl manual error

Frank van Viegen wrote: > Package: manpages-dev > Version: 2.34-1 > > The epoll_ctl(2) man page states: > > ERRORS > EBADF epfd is not a valid file descriptor. > > However, based upon actual kernel (2.6.11-9-em64t-p4-smp) behaviour it > should probably read: > > ERRORS > EBADF fd

Bug#379829: manpages: regex(7) is practically unreadable - offer of rewrite

Paul LeoNerd Evans wrote: > I have been using regexps for about 4 years now, and even I can't > understand regex(7). > > I therefore propose a rewrite, to be much longer, a much gentler > introduction for people who don't understand them, to include plenty of > examples to illustrate, and general

Bug#379627: zimpl: Description improvement

Package: zimpl Version: current Severity: minor - Description: Mathematical modeling language for optimization problems + Description: Mathematical modelling language for optimization problems Regards, Joey -- Long noun chains don't automatically imply security. -- Bruce Schneier Ple

Bug#379618: skyeye: Description improvement

Package: skyeye Version: current Severity: minor Description: A Embedded Hardware Simulation Please make this either of Description: Embedded Hardware Simulation or Description: An Embedded Hardware Simulation (I'd prefer the first...) Regards, Joey -- Long noun chains don't autom

Bug#372719: regression in FreeType security fix for DSA-1095

Steve Langasek wrote: > On Fri, Jul 07, 2006 at 08:42:59PM +0200, Martin Schulze wrote: > > > Steve Langasek wrote: > > > As mentioned earlier this month, a regression was found in the freetype > > > 2.1.7-2.5 package uploaded for DSA-1095 which caused applications t

Bug#378631: haxe: Description improvement

Package: haxe Version: current Severity: minor - Description: Web programming languge generating Flash, AJAX or Neko + Description: Web programming language generating Flash, AJAX or Neko Regards, Joey -- Whenever you meet yourself you're in a time loop or in front of a mirror. Please

Bug#356939: "Security" fix for shadow in sarge (#356939)

Christian Perrier wrote: > As a consequence, I hereby ask the security team to DROP the processing > of the 4.0.3-31sarge6 version you have. As you wish, packages deleted. Regards, Joey -- Testing? What's that? If it compiles, it is good, if it boots up, it is perfect. Please always C

Bug#375617: Patch

Attached is a patch that simply changes the pathname. Regards, Joey -- Testing? What's that? If it compiles, it is good, if it boots up, it is perfect. Please always Cc to me when replying to me on the lists. diff -u -p -Nr --exclude CVS orig/spread-3.17.2/session.c spread-3.17.2/sess

Bug#372719: regression in FreeType security fix for DSA-1095

Steve Langasek wrote: > On Mon, Jun 26, 2006 at 08:36:07AM +0100, Steve Kemp wrote: > > On Sun, Jun 25, 2006 at 03:09:51PM -0700, Steve Langasek wrote: > > > > As mentioned earlier this month, a regression was found in the freetype > > > 2.1.7-2.5 package uploaded for DSA-1095 which caused applica

Bug#372719: regression in FreeType security fix for DSA-1095

Hi! Steve Langasek wrote: > As mentioned earlier this month, a regression was found in the freetype > 2.1.7-2.5 package uploaded for DSA-1095 which caused applications to crash > with division-by-zero errors. I've prepared a maintainer upload to fix > this regression using the patch from bug #373

Bug#374577: mimms: patch to fix many buffer overflows vulnerability

Anon Sricharoenchai wrote: > Package: mimms > Version: 0.0.9-1 > Severity: grave > Justification: user security hole > Tags: security patch > > According to the patch attached in this report, it has many possible buffer > overflows. > For example, > - memcpy(buf, data, length) without bounding the

Bug#368060: packaging for etch ok -

Here are packages that I would upload if you don't object. http://people.debian.org/~joey/NMU/thuban/ Regards, Joey -- Given enough thrust pigs will fly, but it's not necessarily a good idea. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Con

Bug#373913: [EMAIL PROTECTED]: CVE-2006-3081 assigned to MySQL str_to_date() DoS]

FYI Regards, Joey - Forwarded message from "Steven M. Christey" <[EMAIL PROTECTED]> - == Name: CVE-2006-3081 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3081 Reference: BUGTRAQ:20060614 MySQL D

Bug#374388: Changing default Accept: list

Package: lynx Version: 2.8.5-2sarge2 Severity: wishlist When I try to view http://www.debian.org/events/2006/0624-froscon content negotiation is in place. Lynx requests a file of type text/html, [..], text/*. However, text/calendar and text/html are available on www.debian.org and Apache seems to

Bug#374296: Changing default Accept: list

Martin Schulze wrote: > It may be a good idea to adjust the default accept_media setting (which > will result in the Accept: HTTP header) a little bit: > > - accept_media text/*, image/*, application/*, message/*, audio/* > + accept_media text/html, text/plain, text/comma-separat

Bug#374296: Changing default Accept: list

Package: w3m Version: 0.5.1-4 Severity: wishlist Disclaimer: I'm not totally sure this would be a proper fix. When I try to view http://www.debian.org/events/2006/0624-froscon content negotiation is in place. w3m requests a file of type text/*. However, text/calendar and text/html are available

Bug#372172: CVE-2006-2230: Denial of service in xine-ui

@@ -1,3 +1,12 @@ +xine-ui (0.99.3-1sarge1) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Corrected call to report() and printf() to fix format string +vulnerabilities [src/xitk/main.c, src/xitk/xine-toolkit/xitk.c, +CVE-2006-2230] + + -- Martin Schulze

Bug#326606: sendfile: receive fails to bounce

Ulli Horlacher wrote: > > > However, receive reacts like this: > > > > > > $ receive -ba [EMAIL PROTECTED] > > > %receive-Warning: file [EMAIL PROTECTED] not found > > Bug in the receive man-page (*). > > The correct syntax is: receive -ab [EMAIL PROTECTED] > > (The argument for option -b must

Bug#370668: Spelling errors in tmpreaper

Package: tmpreaper Version: 1.6.6 Severity: minor /usr/share/doc/tmpreaper/README.security.gz: - Now let is sit, suspended, for x days. Tmpreaper then removes the + Now let it sit, suspended, for x days. Tmpreaper then removes the - limit it to a certian smaller class of victim programs, b

Bug#368202: sarge: dia: CVE-2006-2480 and CVE-2006-2453: format string vulnerability

Roland Stigge wrote: > Hi, > > besides the upload to unstable, I've backported the upstream patch for > #368202. See attachment. > > Feel free to upload if appropriate. We don't consider it approriate unless you provide us with an attack vector, i.e. automatic processing of files from untrusted

Bug#369819: libtiff-tools: Buffer overflow in tiffsplit [CVE-2006-2656]

Jay Berkenbilt wrote: > > I've fixed this libtiff-tools problem. The problem is fixed in > 3.8.2-3 (which I am about to upload) and in 3.7.2-5. Attached is a > patch that brings 3.7.2-4 to 3.7.2-5. I haven't built or tested it > under srage, but I have verified that the 3.7.2-5 package as creat

Bug#327732: CVE name

This issue is assigned CVE-2005-3573. Regards, Joey -- If you come from outside of Finland, you live in wrong country. -- motd of irc.funet.fi Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscrib

Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts - sarge security update finished

Martin Pitt wrote: > Hi Joey, > > Martin Schulze [2006-05-28 19:37 +0200]: > > > [1] http://people.debian.org/~mpitt/psql-sarge/ > > > [2] > > > http://people.debian.org/~mpitt/psql-sarge/postgresql_7.4.7-6sarge2.debdiff > > > > Thanks a lo

Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts - sarge security update finished

Martin Pitt wrote: > Hi security team, > > I backported the relevant changes from 7.4.13 and put the sarge > security update to [1]. This time, just putting 7.4.13 into > sarge-security would even have been safer IMHO, and that's what users > would want anyway, but we already had this discussion s

Bug#366816: CVE-2006-2542

angelog @@ -1,3 +1,11 @@ +xmcd (2.6-14woody1) oldstable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Fully implemented non-world-writeable directories [libdi_d/config.sh +alias xmcdconfig, CVE-2006-2542] + + -- Martin Schulze <[EMAIL PROTECTED]> Thu, 2

Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts

Martin Pitt wrote: > Hi Florian, hi security team, hi everyone else, > > just for the record, sid has updated packages already. > > I'm 70% into completing the security update for sarge. However, due to > the nature of the vulns, the patches are enormous, and thus require > meticulous porting and

Bug#364443: CVE-2006-2237

Thomas Kaehn wrote: > Hi, > > will CVE-2006-2237 be fixed in Sarge? I can't see a DSA yet and the > problem is not listed as a non-vulnarability. I was working on this already. Regards, Joey -- The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin Please always Cc to

Bug#359042: freeradius: dpatch for CVE-2006-1354: "EAP-MSCHAPv2 vulnerability"

Alec Berryman wrote: > Package: freeradius > Followup-For: Bug #359042 > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Attached dpatch is reformatted from revision 1.11 of > src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c. > > The fix applies and compiles, but I have not do

Bug#367272: FreeTalk should allow users to overwrite system defaults

Package: freetalk Version: 0.5-2 Currently, freetalk loads a lot of files upon startup. One of them is beep.scm. However, some users may prefer the client not to beep upon each and every message. You guessed it, I am among those. However,.freetalk/freetalk.scm is loaded before init.scm, the sy

Bug#351834: nl_langinfo(3) lacks precondition

Michael Kerrisk wrote: > > > is nl_langinfo(3) somehow different here from a host of > > > other functions whose behaviour depends on setlocale(). > > > E.g., strptime(3), printf(3), etc, most of which do not > > > explicitly mention the need to call setlocale()? > > > > Not sure about the other f

Bug#296340: lynx: patch to fix CVE-2004-1617

Thomas Dickey wrote: > > > reformatted as a dpatch. After applying the patch and rebuilding, pages > > > like http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.html no > > > longer causes lynx to exhaust memory and crash. > > > > > > Patch obtained from: > > > ftp://ftp.openbsd.org/pub/OpenBS

Bug#365940: Files for a Quagga DSA (RIPD unauthenticated route injection)

Christian Hammers wrote: > Attached you will find a diff that can be used to make a DSA for the > recent Quagga security bug. Thanks a lot for preparing the update. Please also mention CVE-2006-2223 CVE-2006-2224 in the unstable changelog when you're doing the next upload anyway. Regards,

Bug#296340: lynx: patch to fix CVE-2004-1617

Alec Berryman wrote: > Package: lynx > Version: 2.8.5-2sarge1 > Followup-For: Bug #296340 > > Attached is a patch from OpenBSD to fix CVE-2004-1617. It has been > reformatted as a dpatch. After applying the patch and rebuilding, pages > like http://lcamtuf.coredump.cx/mangleme/gallery/lynx_die1.

Bug#366683: CVE-2006-2162: Buffer overflow in nagios

Sean Finney wrote: > On Fri, May 12, 2006 at 06:24:21AM +0200, Martin Schulze wrote: > > Please let me know the version in sid that will have this problem > > fixed once you know it. > > for nagios 1.x: 1.4-1 (or 2:1.4-1, since there's an epoch i guess) > for nagios 2

Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter

Hendrik Weimer wrote: > Martin Schulze <[EMAIL PROTECTED]> writes: > > > Umh... but since the query_string is already sanitised globally > > how can XSS still happen? Was the sanitising not sucessful? > > AFAICS the query_string is not being decoded first. Therefor

Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter

Hendrik Weimer wrote: > Martin Schulze <[EMAIL PROTECTED]> writes: > > > How can the diricons and config parameters be exploited? From a quick > > glance I can't find an open associated with $DirIcons. > > The diricons issue is a XSS vulnerability. It has

Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter

How can the diricons and config parameters be exploited? From a quick glance I can't find an open associated with $DirIcons. I assume $SiteConfig leads to an open() call. Charles Fry wrote: > Index: awstats-6.5/wwwroot/cgi-bin/awstats.pl >

Bug#366927: CVE-2006-2247: Information leak in webcalendar

, CVE-2006-2247] + + -- Martin Schulze <[EMAIL PROTECTED]> Fri, 12 May 2006 08:10:15 +0200 + webcalendar (0.9.45-4sarge3) stable-security; urgency=high * Fixed multiple security vulnerabilities only in patch2: unchanged: --- webcalendar-0.9.45.orig/includes/user.php +++ webcalendar-0.9.

Bug#366682: CVE-2006-2162: Buffer overflow in nagios

Hi Sean! Sean Finney wrote: > On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote: > > > - crafting a simple "user-agent" that can illustrate the vulnerability > > > by sending a negative or 0 value for content length to a nagios cgi > > >

Bug#366682: CVE-2006-2162: Buffer overflow in nagios

02/debian/changelog @@ -1,3 +1,11 @@ +nagios (2:1.3-cvs.20050402-2.sarge.2) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Add overflow protection for Content-Length [cgi/getcgi.c, +debian/patches/9_CVE-2006-2162.dpatch] + + -- Martin Schulze <[EMAIL P

Bug#365680: CGIIRC vulnerability (Bug#365680)

Elrond wrote: > On Sun, May 07, 2006 at 09:16:35AM +0200, Martin Schulze wrote: > [...] > > If an update enters stable-security and the version in testing ist the > > same as in stable, then the new version propagates into testing. If, > > additionally, the version in un

Bug#365680: CGIIRC vulnerability (Bug#365680)

Mario 'BitKoenig' Holbe wrote: > > Elrond wrote: > > > I _might_ be able to test, wether the package still works > > Please let us know. > > Tests are done. Everything seems to work well. > > > Update prepared. > > Go on :) > Please make sure you did also add 50_client-c_bufferoverflow_fix to >

Bug#365680: CGIIRC vulnerability (Bug#365680)

Elrond wrote: > Nearly all the relevant information, that is currently > available regarding this issue, is in the bug logs. > (see: ) > > Very Short summary: > > * bufferoverflow in C code > * remotely exploitable > * CVE has been requested by micah > * Untested pa

Bug#365680: CGIIRC vulnerability (Bug#365680)

Elrond wrote: > Nearly all the relevant information, that is currently > available regarding this issue, is in the bug logs. > (see: ) Are you going to update the package in sid as well? Or should the package propagate via stable-security? Regards, Joey --

Bug#366004: bash completion for cdcd

Package: cdcd Severity: wishlist Hi, attached please find a simple function for bash completion for the cdcd command. I'd be glad if it would be added to future versions. License is GPLv2 or higher, same as for cdcd itself. Regards, Joey -- It's practically impossible to look at a p

Bug#351996: manpages-dev: toupper & such should reference towupper & such

Michael Kerrisk wrote: > > Michael Kerrisk, le Wed 05 Apr 2006 23:13:29 +0200, a écrit : > > > From an upstream point of view, I don't want to make these > > > changes at this time. The reason is that the w* pages in > > > question do not yet exist. I have added text to the > > > HOWTOHELP docume

Bug#365357: In etch the manpage of umount in spanish is different that the same manpage in english

reassign 365357 manpages-es thanks David M wrote: > Package: manpages-es > Version: 1.55-4 > Package: manpages > Version: 2.22-1 > > The options explained in Spanish : > umount -a [-nrv] [-t tipofsv] > umount [-nrv] dispositivo | dir [...] > The options explained in English: > umount -a [-dflnrv]

Bug#364977: manpages-dev: clone.2 needs updating

Michael Kerrisk wrote: > Hi Justin, > > > > > > Yes. I mean, if you open a report and immedaitely tag it > > > > "upstream" means that the bug is not in the Debian .diff.gz, and the > > > > version indicates what version the bug was found in. > > > > > > Oh -- thanks for the education. I had

Bug#351834: nl_langinfo(3) lacks precondition

Michael Kerrisk wrote: > > In order to have nl_langinfo(3) return the proper information > > it is required to call setlocale (TYPE, "") first, which isn't > > mentioned in the manpage of nl_langinfo(3). Please add. > > Joey, > > is nl_langinfo(3) somehow different here from a host of > other fu

Bug#324466: Please differentiate

severity 324466 normal tags 324466 +help +moreinfo quit Please find out why some files require different behaviour and others do not. It does not make sense to switch the code forward and backward every time the other type of dbf files appear. Regards, Joey -- Testing? What's that? If

Bug#338116: CVE assignment

Moritz Muehlenhoff wrote: > This has been assigned CVE-2005-3559, please mention it in the > changelog when fixing it. The attached patch fixes this problem. This problem is also fixed in the Debian package 1.2.7.1.dfsg-2. Regards, Joey -- Experience is something you don't get until j

Bug#315532: Asterisk Manager Interface Overflow

Mark Purcell wrote: > Bug #315532 has been rasied as grave security related bug against > asterisk-1.0.7, which is included in the released sarge. > > It refers to a potential overflow in the Asterisk Manager Interface, which is > not enabled by default in the Debian asterisk package. In additi

Bug#363394: Broken description

Simon Josefsson wrote: > >> > I see the following description dependency graph: > >> > > >> >+-+ > >> >| | > >> > shisa -> shishid -> shishi <-+ > >> > ^ ^ ^ > >> > | | | > >> > shishi-common

Bug#363127: CVE-2006-1664: Malformed MPEG Stream Buffer Overflow Vulnerability

Stefan Fritsch wrote: > Package: libxine1 > Version: 1.1.1-1 > Severity: grave > Tags: security > Justification: user security hole > > > > According to CVE-2006-1664, there is a "buffer overflow in > xine_list_delete_current in libxine 1.14 and earlier, as distributed > in xine-lib 1.1.1 and ea

Bug#360559: openvpn CVE-2006-1629?

Geoff Crompton wrote: > Just wondering if there is an openvpn update in the works to fix > CVE-2006-1629? I'm working on it. Regards, Joey -- Long noun chains don't automatically imply security. -- Bruce Schneier Please always Cc to me when replying to me on the lists. -- To UNSUB

Bug#360989: Multiple buffer overflows in BSDgames 2.17-1 and privileges escalation vulnerability.

CVE-2006-1744 has been assigned to this. Regards, Joey -- Long noun chains don't automatically imply security. -- Bruce Schneier Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact

Bug#333160: Requesting change of severity to grave

Daniel Webb wrote: > On Wed, Apr 12, 2006 at 07:51:53PM +1000, Nathan Scott wrote: > > > Please do... actions speak alot louder than words. > > [I'm CCing security because I already wrote them about this] > > I've never used any of these libraries, so bear with me... > > (looking at the Debian

Bug#364573: apt-watch-backend: Wrong description

Package: apt-watch-backend Version: current Severity: minor http://packages.debian.org/unstable/admin/apt-watch-backend";>apt-watch-backend — Applet that monitors apt sources for upgrades. http://packages.debian.org/unstable/admin/apt-watch-gnome";>apt-watch-gnome — Applet that monitors ap

Bug#364572: latex-make: Description improvement

Package: latex-make Version: current Severity: minor - Description: easy compiling of complexe (and simple) LaTeX documents + Description: Easy compiling of complex (and simple) LaTeX documents ^ Regards, Joey -- Long noun chains don't au

Bug#360843: who should?

paul cannon wrote: > It seems rather like manpages-dev /should/ be the one to own these, and > a bug should be filed on modutils to get these manpages out of there. In a former time it was the job of manpages/manpages-dev to document the interface to the kernel and libc, i.e. system calls etc. Th

Bug#359332: boinc-client: Description improvement

Frank S. Thomas wrote: > package boinc-client > tags 359332 + pending > thanks > > Moin Joey, > > On Monday 27 March 2006 23:33, Martin Schulze wrote: > > > href="http://packages.debian.org/unstable/net/boinc-client";>boinc-client >> -- BOINC cor

Bug#363394: Broken description

Simon Josefsson wrote: > Martin Schulze <[EMAIL PROTECTED]> writes: > > > Package: shishi > > > > Looking at the following descriptions: > > > > http://packages.debian.org/unstable/net/shisa";>shisa > > -- Administration utilitity for S

Bug#363392: shisa: Description kaputt

Package: shisa Version: current Severity: minor Description: Administration utilitity for Shishid ^ What is that? (shishid shouldn't be capitalised either, I'd say) Regards, Joey -- GNU GPL: "The source will be with you... always." Please always C

Bug#363394: Broken description

Package: shishi Looking at the following descriptions: http://packages.debian.org/unstable/net/shisa";>shisa -- Administration utilitity for Shishid. http://packages.debian.org/unstable/net/shishi";>shishi -- Command line utilitity for Shishi. http://packages.debian.org/unstable/libs/shis

Bug#358689: [CVE-2006-0042] Remote DoS in libapreq2-perl

Steinar H. Gunderson wrote: > On Mon, Mar 13, 2006 at 12:25:13AM +0100, Martin Schulze wrote: > > An algorithm weakness has been discovered in Apache2::Request, the > > generic request library for Apache2 which can be exploited remotely > > and cause a denial of servic

Bug#359626: rtpproxy: Description improvement

Package: rtpproxy Version: current Severity: minor Description: RTP proxy for SER Err... yes... the name implies that it's an RTP proxy. However, what is RTP? Who is SER? And why does it have to be a Debian package? Can't SER use it without Debian? Please craft a short description that help

Bug#359334: pyqonsole: Description improvement

Package: pyqonsole Description: console program written in Python What the heck does this package provide? Please use a descriptive short description. A good example can be extracted from the long description, 1st sentence: X Window terminal written in Python Regards, Joey -- We al

Bug#359332: boinc-client: Description improvement

Package: boinc-client http://packages.debian.org/unstable/net/boinc-client";>boinc-client -- BOINC core client. http://packages.debian.org/unstable/devel/boinc-dev";>boinc-dev -- BOINC platform for distributed computing (development files). http://packages.debian.org/unstable/x11/boinc-man

Bug#358061: mutt: Mutt should filter control characters from headers

Vincent Lefevre wrote: > Package: mutt > Version: 1.5.11+cvs20060126-2 > Severity: grave > Tags: security > Justification: user security hole > > Mutt doesn't filter control characters, in particular the ^J and ^M, > from headers, which can lead to unwanted behavior; in particular when > replying,

Bug#357580: firebird2-*-server: remotelly crashable

Damyan Ivanov wrote: > Here's a patch that fixes the crash. The fix is > rather ugly IMHO, but this is what upstream proposed. > > Please apply it to stable version of firebird2. > > Unstable package is due for upload. > > More information (discovery, reproduction) on > http://bugs.debian.org/35

Bug#357580: firebird2-*-server: remotelly crashable

Damyan Ivanov wrote: > Here's a patch that fixes the crash. The fix is > rather ugly IMHO, but this is what upstream proposed. The patch looks good. I've requested a CVE name as well, will upload fixed packages for sarge tonight. Regards, Joey -- Of course, I didn't mean that, which i

Bug#349196: a fix for sudo in sarge

Proposed updates for woody and sarge are here: http://klecker.debian.org/~joey/security/sudo/ I'd be glad if you could test them. Regards, Joey -- Linux - the choice of a GNU generation. Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to [EMAIL PROT

Bug#304525: New ilohamail XSS patch

Ulf Harnhammar wrote: > Hello, > > I thought I'd better improve the XSS patch for ilohamail now, > before we have to celebrate birthdays for that bug.. Oh dear! This even predates the release of sarge. I'll copy it to the security queue, the update will propagate into sid automatically. For th

Bug#357842: common-lisp-controller too verbose

Package: common-lisp-controller Version: 5.11 Upgrading common-lisp-controller to the current version in sid resulted in the following output. I'm pretty sure this is a bit too much. Could this output be omitted? I'm not sure if this is a bug in common-lisp-controller or in sbcl, so please reas

Bug#356280: smarteiffel 1.1-8 way too verbose

Package: smarteiffel Version: 1.1-8 Severity: normal I configured smarteiffel today and have to admit that its postinst script is a big too verbose for my taste. Could you ... *cough* make it only emit important messages or error messages during its postinst script? Here's what I saw as output:

Bug#350764: sysklogd_1.4.1-17.1(mipsel/unstable): FTBFS: includes kernel header in userspace

Noah Meyerhans wrote: > On Tue, Jan 31, 2006 at 08:41:35AM -0800, Ryan Murray wrote: > > > gcc -O2 -Wall -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 > > > -D_LARGEFILE_SOURCE -DSYSV -fomit-frame-pointer -fno-strength-reduce > > > -DFSSTND -c ksym_mod.c > > > In file included from /usr/include/asm

Bug#355211: freeciv-server: security hole

Jason Dorje Short wrote: > Package: freeciv-server > Version: 2.0.7-2 > Severity: important > > > Jordi - > > There is a security hole in Freeciv 2.0 allowing a remote user to trigger a > server crash (it is unlikely anything more than a crashed civserver would > result from the hole). This pat

Bug#354464: [CVE-2006-0876] popfile remote DoS

Stefan Fritsch wrote: > Package: popfile > Severity: grave > Tags: security > > Cite: > POPFile before 0.22.4 allows remote attackers to cause a denial of > service (application crash) via unspecified vectors involving > character sets within e-mail messages. > > see also > http://popfile.sourcef

Bug#342696: curl's off-by-one error (#342696, CVE-2005-4077) update for sarge

Domenico Andreoli wrote: > long time ago the upstream developer informed me that the fix for > curl's CVE-2005-4077 now in sarge with 7.13.2-2sarge4 is not enough. Ouch! > i finally came with a fixed curl 7.13.2-2sarge5 package. it is available > at http://people.debian.org/~cavok/curl/. Thank

Bug#354703: banshee-daap: Description improvement

Package: banshee-daap Version: current Severity: minor - Description: Audio Managment and Playback application (DAAP sharing plugin) + Description: Audio Management and Playback application (DAAP sharing plugin) Regards, Joey -- If you come from outside of Finland, you live in wrong co

Bug#354702: tioga: Description improvement

Package: tioga Version: current Severity: minor - Description: Ruby library for scientific graphes + Description: Ruby library for scientific graphs Regards, Joey -- If you come from outside of Finland, you live in wrong country. -- motd of irc.funet.fi Please always Cc to me

Bug#350964: CVE-2006-0225, scponly shell command possible

Thomas Wana wrote: > Hi, > > Geoff Crompton wrote: > >This bug has been closed for unstable (see bug 350964) with the 4.6 > >upload, but will it be fixed for sarge? > > > > Joey: I sent you a patch for that, but it seems you didn't > include this in scponly-4.0sarge1. We also had no discussion >

Bug#352620: confirmed

I can confirm this problem, also based on a different base locale: Generating locales (this might take a while)... de_DE.ISO-8859-1.../usr/share/i18n/locales/iso14651_t1:264: LC_COLLATE: syntax error /usr/share/i18n/locales/iso14651_t1:266: LC_COLLATE: syntax error [..] [then the process hangs]

Bug#352746: tioga: Description improvement

Package: tioga Version: current Severity: minor - Description: A fantastic ruby library for scientific graphes + Description: Ruby library for scientific graphs Thee changes: 1. A pronoun at the beginning of a description is superflous 2. "fantastic", "great", "best" etc. pp. can not really b

Bug#349729: whitelist

Please read the advisory again: http://www.debian.org/security/2006/dsa-946 It says: "Additional variables are only passed through when set as env_check in /etc/sudoers, which might be required for some scripts to continue to work." Use Defaultsenv_check = HOME in /etc/sudoers

Bug#349261: Bug#342943: only kronolith2 fixed

Lionel Elie Mamane wrote: > >>> The problem is that kronolith2 depends on version 3 of the horde > >>> framework (rather than version 2), that the two versions of horde > >>> cannot meaningfully cooperate and there are still some horde2 > >>> applications that have not been ported to horde3. Basica

Bug#349261: Bug#342943: only kronolith2 fixed

Ola Lundqvist wrote: > > > I haven't managed to find any more bugs relating to this particular > > > security hole that isn't fixed by the previous patch in this bug > > > report. kronolith seems to be fairly badly coded wrt security > > > issues though. I'd suggest depreciating kronolith1 and for

Bug#351831: Missing reference to nl_langinfo(3)

Michael Kerrisk wrote: > > It seems that neither localeconv(3) nor setlocale(3) contain a pointer > > to nl_langinfo(3). Such a thing would be overly helpful since for > > developers it can be quite important to properly query the proper > > locale settings. Please add. > > Hi Joey, > > I added

Bug#351834: nl_langinfo(3) lacks precondition

Package: manpages-dev Version: 2.17-1 In order to have nl_langinfo(3) return the proper information it is required to call setlocale (TYPE, "") first, which isn't mentioned in the manpage of nl_langinfo(3). Please add. Regards, Joey -- Of course, I didn't mean that, which is why I did

Bug#351831: Missing reference to nl_langinfo(3)

Package: manpages-dev Version: 2.17-1 It seems that neither localeconv(3) nor setlocale(3) contain a pointer to nl_langinfo(3). Such a thing would be overly helpful since for developers it can be quite important to properly query the proper locale settings. Please add. Regards, Joey -

<    1   2   3   4   5   6   >