On Sun, August 31, 2014 14:43, Olivier Berger wrote:
Hi.
On Fri, Aug 29, 2014 at 07:55:10PM +0200, Thijs Kinkhorst wrote:
Hi Olivier,
Please drop the dependency on php-db of php-cas, because as far as I can
see it is not needed at all. I've marked this as important because
php-cas
has
Hi,
On Sun, August 31, 2014 11:54, Morten Bo Johansen wrote:
Trying to use rapt-file to search for a file produces the
following error message:
urllib2.URLError: urlopen error [Errno -2] Name or service not
known
It seems dde.debian.net no longer exists.
Enrico, do you know what
Package: php-cas
Severity: important
Hi Olivier,
Please drop the dependency on php-db of php-cas, because as far as I can
see it is not needed at all. I've marked this as important because php-cas
has been removed from jessie because of this dependency, it may happen
again because php-db is not
Package: php-cas
Severity: serious
Tags: fixed-upstream
Hi Olivier,
php-cas 1.3.3 fixes security issue CVE-2014-4172: urlencode all tickets.
Can you please upgrade php-cas in Debian to this version?
thanks,
Thijs
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a
Package: tracker.debian.org
Severity: minor
Hi,
When a package has a Vcs-something field but not a Vcs-Browser field, the
tracker does display a browse link but with an empty href:
<a href="https://svn.non-gnu.uvt.nl/uvt-dev/trunk/package/modmellon/">Subversion</a>
(<a href="">Browse</a>)
This can at
severity 730057 serious
retitle 730057 This package shoudl be removed
thanks
Hi Bas,
freesci is more or less dead upstream and has already attracted
two NMUs. The freesci code was the basis for the SCI support in
ScummVM (and there were fixes on top of it).
So I suggest we remove freesci
Hi Paul,
tags 725411 + security
This bug has been fixed in GnuPG 1.4.17.
Although it's a good robustness and anti-keyring-pollution measure, I don't
think it's an acute security issue in stable that needs to be fixed in a
DSA, because the threat model is unclear to me.
I think it's well
Package: tracker.debian.org
Severity: normal
Hi,
https://tracker.debian.org/pkg/gnupg lists an action item called RFH.
Clicking the ? behind it gives the text:
Severity: normal
Created: 2014-07-02
Last Updated: 2014-07-02
The WNPP database contains an RFH (Request For Help) entry for this
Package: tracker.debian.org
Severity: normal
Hi,
https://tracker.debian.org/pkg/gnupg reports an action item
A new upstream version is available: 1.4.18.
Severity: high
Created: 2014-07-13
Last Updated: 2014-07-13
A new upstream version 1.4.18 is available, you should
consider packaging
On Thursday 26 December 2013 08:25:02, Bernhard Kuemel wrote:
I still have the bug in 1:2.1.15-1 (wheezy (stable) and
1:2.1.16-1 (sid backport to wheezy).
This is a duplicate of the archived bug #228935 from 22 Jan
2004. The proposed solution was:
Read README.Exim and follow the
On Monday 23 December 2013 12:06:58, Chris Stephenson wrote:
* What exactly did you do (or not do) that was effective (or
ineffective)?
The install failed with a Python stack dump and a report that
/var/lib/mailman/lock did not exist. This was a symbolic link to
On Tue, July 8, 2014 14:50, Gerfried Fuchs wrote:
* Thijs Kinkhorst th...@debian.org [2014-06-12 13:31:13 CEST]:
When using irssiproxy with kernel setting bindv6only = 1 (which is the
default in Debian), irssi only binds to IPv6 and no longer accepts
IPv4 connections to the proxy. The only
On Tuesday 8 July 2014 20:52:08, Adam D. Barratt wrote:
Unfortunately, something appears to have gone wrong with the
ia32-libs-gtk upload and I've flagged that one for rejection.
Specifically, the entire debdiff is:
Right, what went wrong is that there are 0 updates for ia32-libs-gtk since
On Monday 7 July 2014 11:36:49, Didier 'OdyX' Raboud wrote:
b) Thankfully we don't need to consider the backup plan mentioned in
a) since all we need is enabling sha256 support. Currently, Release
files include MD5+SHA1+SHA256. You'll find a tested patch attached.
(This means a whole
urgency=high accordingly
[ gnutls26 (2.8.6-1+squeeze3) oldstable-security; urgency=high ]
* 22_gnutls-2.8.5-cve-2014-0092.patch by Nikos Mavrogiannopoulos: Fix
certificate validation issue. CVE-2014-0092
-- Thijs Kinkhorst th...@debian.org Mon, 30 Jun 2014 13:45:39 +0200
ia32-libs-gtk
severity 745408 important
tags 745408 moreinfo
thanks
On Monday 21 April 2014 16:20:45, bastien ROUCARIES wrote:
This source package contains the following files from the
IETF under non-free license terms:
doc/OpenPGP
This file only references an IETF RFC, so I do not believe it is
On Thu, June 19, 2014 16:10, Filipus Klutiero wrote:
Package: php5
Version: 5.6.0~beta4+dfsg-4
Severity: wishlist
The 5.6.0~beta4+dfsg-2 changelog entry reads:
We shouldn't request users to read the full upgrade notes for 2 reasons:
1. We have nothing to gain from users reading that. We
Package: needrestart
Version: 0.9-1
Severity: wishlist
Hi,
On my system needrestart seems to spend the majority of its time on scanning
/usr/bin/perl. This may be justifiable, except that there is no regular process
on this machine that uses perl. Inspection turns out that this /usr/bin/perl is
On Mon, June 16, 2014 00:06, Adam D. Barratt wrote:
Control: tags -1 + pending
On Sun, 2014-05-25 at 17:55 +0200, Stefan Fritsch wrote:
I have just uploaded apache2_2.2.22-13+deb7u2:
Flagged for acceptance; sorry for the delay.
apache2 (2.2.22-13+deb7u2) wheezy; urgency=medium
*
Hi,
apt: no authentication checks for source packages
The Debian security team has assigned CVE-2014-0478 to this issue.
APT developers: we should fix this in wheezy. Are you able to provide an
update for wheezy for this issue?
As for squeeze, if it's not too much extra work it would be great
Hi Michael,
On Thu, June 12, 2014 13:52, Michael Vogt wrote:
On Thu, Jun 12, 2014 at 11:44:20AM +0200, Thijs Kinkhorst wrote:
apt: no authentication checks for source packages
The Debian security team has assigned CVE-2014-0478 to this issue.
APT developers: we should fix this in wheezy
Package: irssi
Version: 0.8.15-5+b1
Severity: normal
Tags: ipv6
Hi,
When using irssiproxy with kernel setting bindv6only = 1 (which is the
default in Debian), irssi only binds to IPv6 and no longer accepts
IPv4 connections to the proxy. The only reason I found to fix this
is to disable
severity 750682 normal
tags 750682 pending
thanks
On Thu, June 5, 2014 18:36, Filipus Klutiero wrote:
Package: php5
Version: 5.6.0~beta3+dfsg-2
Severity: serious
NEWS.Debian contains the following entry:
php5 (5.6.0~alpha1+dfsg-1) experimental; urgency=medium
* THIS IS A DEVELOPMENT
I am curious where the bug is here...
The message is very much still true and will be/should be removed when
upstream reach RC phase.
This should not be used in production (and that also holds for Debian
testing - it should
not be used for production).
Yes, testing should in principle not
On Wed, May 28, 2014 06:39, Christian PERRIER wrote:
This is the last call for comments for the review of debconf
templates for debian-security-support.
From debian/control:
for which support has had to be limited
The form 'has had to be' seems constructed to me and also general writing
advice
Package: needrestart
Version: 0.9-1
Severity: wishlist
Hi,
Needrestart sports a progress indicator in debconf while it tries to find
services that need a restart. However, this scanning for services is
most of the time very fast and the full repainting of the screen actually
costs more time than
Hi,
For the Squeeze LTS project, we would like two Debian mailing lists setup to
help communicate changes out to the wider LTS userbase.
Name: debian-lts-changes
Name: debian-lts-announce
I support creation of these lists for the LTS effort.
Cheers,
Thijs
signature.asc
Description: This
Package: moodle
Version: 2.6.2-1
Severity: serious
At the time of writing this, I am the single active maintainer on the
Moodle package in unstable/testing. The time I spend on the package
I can spend at work because we're using the package in its current
form as it is in unstable. It's however
On Sun, May 4, 2014 10:33, Andreas Barth wrote:
* Kurt Roeckx (k...@roeckx.be) [140504 01:03]:
On Sat, May 03, 2014 at 06:53:29PM +0100, Ian Jackson wrote:
For the record, the TC expects maintainers to continue to support
the multiple available init systems in Debian. That
Package: debian-keyring
Version: 2013.04.21
Severity: minor
Hi,
The current package description is:
GnuPG keys of Debian Developers
The Debian project wants developers to digitally sign the announcements
of their packages with GnuPG, to protect against forgeries. This package
Hi Dan,
On Fri, May 2, 2014 04:02, Dan Poltawski wrote:
On 2 May 2014 02:46, David Prévot taf...@debian.org wrote:
The embedded PHPExcel copy (#718585) embeds OLE (#487558) which is not
DFSG compliant (PHP-2.02)[1,2].
We have removed this library in upstream in version 2.6:
Package: libapache2-mod-geoip
Version: 1.2.7-1
Severity: normal
Tags: patch
Hi,
The module installs a file geoip.conf in mods-available, which by default
enables GeoIP lookups serverwide; that is, for every request to this server
a GeoIP database lookup will be done.
This is not recommended by
On Fri, April 18, 2014 17:46, Adam D. Barratt wrote:
On 2014-04-16 16:18, William Dauchy wrote:
On Apr16 11:06, Adam D. Barratt wrote:
On a related note, it would be appreciated if comments such as
cleanup
series were more verbose in future, as it appears to have involved
removing
enabled
Hi Adam,
On Sun, April 13, 2014 14:39, Adam D. Barratt wrote:
On Sun, 2014-04-13 at 13:58 +0200, William Dauchy wrote:
Is there someone available to validate this package? Lots of present
fixes are more than needed to have a usable version of php in
production.
Such comments really aren't
Package: apt
Severity: wishlist
Hi,
When library packages are upgraded, services using those libraries need
to be restarted for the change to take effect. A default Debian installation
does nothing to inform the user about that. Some packages have implemented
their own service restarting check
Package: wordpress
Severity: serious
Tags: security fixed-upstream patch
Hi,
Wordpress 3.8.2 was released which fixes two security issues and several more
bugs.
http://wordpress.org/news/2014/04/wordpress-3-8-2/
CVE-2014-0165
Wordpress privilege escalation: prevent contributors from
On Wednesday 9 April 2014 15:07:08, Klemens Baum wrote:
Package: ca-certificates
Following the OpenSSL CVE-2014-0160 Heartbleed vulnerability [1,2],
any certificate that was used with a vulnerable version of OpenSSL (I
read somewhere 1/3 of the web) should be handled as it is compromised.
Hi Frederic,
So indeed, it was just a compilation option bug...
Do you think you can include this patch in next 2.4.0 ?
Sure, I'll have it in the next upload and I'll see to get it included
upstream.
Can you please upload it over the coming days? I got an email that my
package
severity 743889 normal
thanks
Hi,
We have code that checks some of the applications that need to be
restarted, but it has a static list of packages to check and it's
outdated. We're working on improving that list and providing
another update that will restart those services.
I do not
On Mon, April 7, 2014 11:49, Thorsten Glaser wrote:
Please remove the Depends: php5-json from php itself.
PHP should not depend on any of its extensions; people
can rather do that themselves. (Actually, this is an
issue in every version that had this Depends.)
The dependency exists for
On Wed, April 2, 2014 05:01, Paul Tagliamonte wrote:
These certs were removed from Debian a month ago. Perhaps you'd be
interested in the recent thread on devel:
https://lists.debian.org/debian-devel/2014/03/msg00375.html
Thank you, but I think the maintainer knows very well that he removed
On Tue, April 1, 2014 08:57, Klaus Ethgen wrote:
Hmmm, for some reason someone changed the certificate of bugs.debian.org
to an unknown certificate issuer so bts show does not work anymore. Who
the hell is GANDI CA?
You're kidding right, maybe because of the date? The Gandi CA is signed by
the
Hi all,
Please provide an additional binary package, e.g. ca-certificates-cacert
that installs the cacert certificates without any further involvement of
the user.
I think this is the way we should go forward that will satisfy the users
of CAcert and also satisfy the desire to keep that
Hi,
CVE names have been assigned for these issues. The assignment is rather
complicated. If you fix both issues in one upload it's ok to just mention
that it addresses the 5 CVE's named below.
http://framework.zend.com/security/advisory/ZF2014-01
CVE-2014-2681 - This CVE is for the lack of
On Tue, April 1, 2014 17:50, Bas van den Dikkenberg wrote:
Please specify in which part of distribution license it states it's non
free, and what has to change in the license to make distributable with
ca-certificates
There is an explanation here of why it's non free:
Hi Norbert,
On Mon, March 31, 2014 03:33, Norbert Preining wrote:
Sending /etc/fstab without asking the user is not acceptable,
as there might be passwords saved in there.
It would help the security team and anyone else not intimately involved
with this package if you could indicate more
Klaus,
On Mon, March 31, 2014 09:03, Debian Bug Tracking System wrote:
Processing commands for cont...@bugs.debian.org:
severity 741561 critical
Bug #741561 {Done: Michael Shuler mich...@pbandjelly.org}
[ca-certificates] Please Include CAcert Root Certificates
Severity set to 'critical'
Package: zendframework
Severity: serious
Tags: security fixed-upstream patch
Hi,
Two new security advisories were published for the Zend Framework.
* ZF2014-01: Potential XXE/XEE attacks using PHP functions:
simplexml_load_*, DOMDocument::loadXML, and xml_parse
On Mon, March 31, 2014 15:29, Norbert Preining wrote:
Hi Michael,
On Mon, 31 Mar 2014, Michael Biebl wrote:
can you try the attached bug script, you need to copy it to
it works for me.
I chose to use Y as default, since /etc/fstab should not usually contain
password information.
I think
Package: biomaj-watcher
Severity: important
Tags: security
Hi,
the following vulnerability was published for biomaj-watcher.
CVE-2013-1636[0]:
| Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in
| Open Flash Chart (aka Open-Flash Chart), as used in the Pretty Link
| Lite plugin
Package: dokuwiki
Version: 0.0.20131208-1
Severity: minor
Hi,
If you unselect all webservers in the debconf question on which one to
configure, after that still a question appears about whether the webserver
should be restarted. This could of course be omitted in that case.
Cheers,
Thijs
--
Package: release.debian.org
Severity: minor
Tags: patch
Attached patch uses softer colours which are easier on the eye for
the architecture qualification page.
From 3932bb06d69557a5d05efbf50459d9b7b9b5cccf Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst th...@debian.org
Date: Sat, 22 Mar 2014 14
On Sat, March 22, 2014 16:28, Julien Cristau wrote:
looks like that if col==red is now broken?
Indeed, see fixed patch attached.
Thijs
From 8f84a1be4a9c49782ea8f736ef315508591e1608 Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst th...@debian.org
Date: Sat, 22 Mar 2014 16:47:16 +0100
Subject
On Mon, March 17, 2014 03:06, Bas Wijnen wrote:
The other option is to get a
certificate, which costs money. Except with CAcert.
This is not true. There are several CA services recognised by the major
browsers and thus the ca-certificates package which offer free as in money
SSL certificates;
Hi,
Thanks, but this does not really answer my question?
Thijs
On Mon, March 17, 2014 17:48, Christian Weiske wrote:
Configure apache to handle .phar, .phar.bz2, phar.gz and .phar.zip
files with the PHP module.
Resolves: #639268
---
INSTALL| 6 +++---
tags 737963 moreinfo unreproducible
thanks
Hi,
On Fri, February 7, 2014 11:03, Francesco De Francesco wrote:
Directives upload_max_filesize and post_max_size are not read unless you
move them at the top of the file.
After weeks of headache I tried to change the php.ini this way after
On Sat, September 15, 2012 13:08, Christian Weiske wrote:
The bug is from Suhosin which doesn't allow execution of phar:// URLs
No, this is not the issue. The issue is that apache does not even let
PHP handle the .phar file at all.
I'm missing why we would want Apache to handle the phar file
On Thu, March 6, 2014 22:44, Vincent Lefevre wrote:
On 2014-03-06 13:46:13 +0100, Thijs Kinkhorst wrote:
A simple test with openssl s_client reveals that www.inria.fr has not
configured the correct certificate chain for the TCS certificates. This
needs to be taken up with the administrators
Hi Clement,
On Tue, February 25, 2014 07:32, Clement Wong wrote:
Our web servers have been using a self patched version for a long time
because of the sybase regression from deb7u3, and this is a big problem
for us in terms of security, we don't have the manpower to keep our php up
to date.
Hi,
Thank you both for your interest.
As you're both not DD's at the moment, you cannot upload the package yourself.
I propose to give you commit access to the package's repository and you make
your changes there. If you have a complete upload there's people involved in
the packaging that can
On Tuesday 18 February 2014 20:30:28, Werner Koch wrote:
On Tue, 18 Feb 2014 09:47, th...@debian.org said:
I do not object against this upload but would like to know if Werner
would approve of the patch. Werner?
The patch is quite obvious. IIRC, it has also been posted to the BTS or
the
Package: wnpp
Severity: normal
We request an adopter for the signing-party package. There's currently
a number of co-maintainers but the majority of them have indicated to
have no time to contribute a lot to the package.
The package is an interesting collection of tools and in the BTS there's
a
Package: wnpp
Severity: normal
I'm orphaning the package 'mailping' which can measure email round trip
times in a munin setup.
I have only done a single upload to fix a number of issues, and no
urgent problems have been reported since. However, its packaging can
probably use some modernisation
Hi Dan,
On Tuesday 4 February 2014 13:53:18, Dan Jacobson wrote:
Package: ttf-mscorefonts-installer
It is nowhere documented how to reverse the effects of installing this
package.
Does one need a second package, ttf-mscorefonts-uninstaller, that will
clean up the effects?
Purging
On Wed, February 19, 2014 20:03, Michal Čihař wrote:
As phpMyAdmin code does not check for its presence (there is no
need for that as it's distributed in upstream tarball), I don't think it's
a good idea to do this.
It would be nice if phpMyAdmin could add such a check, it seems to me not
very
On Mon, February 17, 2014 19:43, Daniel Kahn Gillmor wrote:
On 02/15/2014 01:07 PM, Dominic Hargreaves wrote:
Control: severity -1 critical
Justification: makes unrelated software on the system break
[...]
On reflection, I'm upgrading the severity of this bug, since it's
blocking RC (FTBFS)
.patch.
+CVE-2013-5605: Null_Cipher() does not respect maxOutputLen; allowing
+remote attackers to cause a denial of service or possibly have
+unspecified other impact via invalid handshake packets.
+
+ -- Thijs Kinkhorst th...@debian.org Fri, 31 Jan 2014 09:19:46 +0100
+
ia32-libs
Package: gnupg
Version: 1.4.16-1
Tags: patch
Original Message
Subject: Re: [FOSDEM] Keysigning: list of participants now available
From:Philip Paeps phi...@fosdem.org
Date:Thu, January 30, 2014 12:21
To: gregor herrmann
On Thu, January 30, 2014 15:17, alberto fuentes wrote:
On Thu, Jan 30, 2014 at 1:11 PM, Alexander Wirt formo...@debian.org
wrote:
On Wed, 29 Jan 2014, Alberto Fuentes wrote:
Package: wnpp
Severity: wishlist
Owner: Alberto Fuentes paj...@gmail.com
* Package name: KeySigningPartyTools
Package: freerdp
Severity: wishlist
Hi,
Experimental currently contains a git snapshot from June 2013.
It would be great if that could be upgraded to a more recent
snapshot, since important features have been added since,
including support for gateways which is becoming a more
common
On Tue, January 14, 2014 16:40, Robert Bihlmeyer wrote:
Package: moodle
Version: 2.5.3-3
Severity: serious
Having libjs-yui-common and libjs-yui-common installed, an upgrade of
moodle from 2.5.3-2 to -3 results in loss of a large number of files
from these two packages.
What I think
tags 733195 moreinfo
thanks
Hi Kingsley,
On Thu, December 26, 2013 23:51, Kingsley G. Morse Jr. wrote:
Someone I know uses an Apple computer to send me
encrypted emails.
Content-Transfer-Encoding: quoted-printable
I found that my email client, version 1.5.21-6.4
of mutt, can work
On Sun, December 15, 2013 19:44, Daniel Kahn Gillmor wrote:
On 12/13/2013 03:33 AM, Thijs Kinkhorst wrote:
Well, the idea of making it invalid was to see if the download would
actually fail on that.
uscan should fail (return non-zero) if pgpsigmangleurl is present and
anything prevents full
On Mon, January 6, 2014 12:16, Thomas Hochstein wrote:
Package: phpmyadmin
Version: 4:3.4.11.1-2
Severity: minor
Dear Maintainer,
the VCS named in Vcs-Browser and Vcs-Svn is not accessible currently:
thh@thangorodrim:~$ svn checkout
https://svn.kinkhorst.nl/svn/debian/phpmyadmin/trunk
On Fri, January 3, 2014 12:41, Leonardo Boselli wrote:
Can you reopen it changing to minor and suggesting to change the error
message ?
No, because it's an error message from apt, not from this package.
It is documented in the release notes on two different places, and in the
package
Hi,
The file html/rss-newsfeed.php in nagios3 (installed into nagios3-cgi)
use /tmp insecurely by fixed cache dir name:
Actually, besides the tempfile usage, this PHP script exists to query the
Nagios upstream website on any load of the front page of the installation,
which leaks information
Hi Ivo,
On Fri, January 3, 2014 13:48, Ivo De Decker wrote:
control: reopen 730104
control: close 733963 2.5.3-3
Hi Thijs,
On Fri, Jan 03, 2014 at 12:19:41PM +, Thijs Kinkhorst wrote:
Changes:
moodle (2.5.3-3) unstable; urgency=medium
.
* Drop unused libjs-yui dependency
Hello,
2013/12/23 Thijs Kinkhorst th...@debian.org:
I'm not against this, but have you considered to have mariadb-server
Provides: mysql-server? Then no packages need to be changed and it will
work instantly..
There is Provides: virtual-mysql-client|-server, but we don't have
Provides
Hi Otto,
MariaDB is a drop-in replacement for MySQL. As MariaDB has just
landed in Debian unstable it would be a good time to include it in the
dependencies as an alternative to MySQL.
Please change in the debian/control any occurrences of mysql-server and
mysql-client to mariadb-server |
On Tue, December 17, 2013 02:15, Dmitry Katsubo wrote:
In case somebody will try to install SquirrelMail 1.5.1, there are two
issues with it:
1) PHP Fatal error: Call to undefined function session_unregister() in
/usr/share/squirrelmail/functions/global.php on line 111
2) PHP Fatal error:
Hi Christoph,
On Mon, December 16, 2013 23:37, Christoph Lechleitner wrote:
Why is the ca-certificates package not in the list of security relevant
packages?
What is this list you refer to?
Thijs
On Thu, December 12, 2013 21:35, Franz Schrober wrote:
Thanks, However, this doesn't work for me. If I put random data in the
.pgp file it will download the orig.tar.gz blindly. Is this expected?
(I'm
using sid.)
What *.pgp? The watch file was configured to scan for *sig files. And yes,
Hi Stephen,
On Sat, November 23, 2013 15:36, Stephen Kitt wrote:
I'm getting ready to upload a new version of gcc-mingw-w64 using gcc
4.8 and enabling libgomp. This causes the gpgv-win32 build to attempt
to build mpicalc.exe, which fails because the assembly code in libmpi
doesn't use
On Sun, June 9, 2013 10:01, Schrober wrote:
Source: gnupg
Severity: wishlist
uscan will receive support [1] for checking downloaded tarballs+signatures
against a predefined set of keys. gnupg is an (or the most) important part
of
the verification procedures in debian. Therefore, I would
Package: libparse-debianchangelog-perl
Version: 1.2.0-1
Severity: normal
Tags: patch
Hi,
CVE syntax will be extended per 2014-01-01, see:
https://cve.mitre.org/cve/identifiers/syntaxchange.html
Attached patch updates the regexp in this package to also detect the
longer forms.
Cheers,
Thijs
Package: aptdaemon
Severity: normal
Tags: patch
Hi,
CVE syntax will be extended per 2014-01-01, see:
https://cve.mitre.org/cve/identifiers/syntaxchange.html
Attached patch updates the regexp in this package to also detect the
longer forms.
Cheers,
Thijs
diff -Nur
Package: rpm2html
Severity: normal
Hi,
html.c contains code for parsing CVE id's. Per 2014-01-01, CVE id's
can have more than 4 digits, see:
https://cve.mitre.org/cve/identifiers/syntaxchange.html
The parsing code in rpm2html will need to be extended to be able
to deal with those CVE's.
Version: 2.3-2
Hi,
This has been fixed in cpqarrayd 2.3-2 but I neglected to mention that in the
changelog.
Thijs
Package: ftp.debian.org
Severity: normal
Hi,
cpqarrayd provides support for Compaq/HP Smart Array RAID controllers.
The package fails to build on powerpc. However, no powerpc hardware
exists that sports such controllers. So please remove the old powerpc
build from unstable.
thanks,
Thijs
--
On Fri, November 29, 2013 10:01, Raphael Hertzog wrote:
Dear security team, please find attached the diff compared to the
respective
versions in stable(-security). Is it OK to upload them ?
Yes, this is OK (ruby1.8 needs to be built with -sa, ruby1.9.1 without).
Thank you for your work on
Package: percona-xtrabackup
Severity: serious
Tags: security fixed-upstream
Hi,
Upstream discovered and fixed use of a static IV in encrypting backups:
A fixed initialization vector (constant string) was used while encrypting
the data. This opened the encrypted stream/data to plaintext attacks
backported. Would it make sense to do that?
--
Thijs Kinkhorst th...@uvt.nl – LIS Unix
Universiteit van Tilburg – Library and IT Services • Postbus 90153, 5000 LE
Bezoekadres Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl
On Wed, November 13, 2013 19:48, Geoffrey Thomas wrote:
I'm curious what the status of this bug is -- is there a plan to remove
CAcert in the next upload?
Thanks for your interest. A final decision still has to be made. However,
I think enough information and arguments have been gathered by
On Wed, November 6, 2013 09:10, Russ Allbery wrote:
Thijs Kinkhorst th...@debian.org writes:
On Wed, November 6, 2013 01:16, Russ Allbery wrote:
We'll want to look at both sides of that question, and try to
understand how much work like that is potentially on the horizon with
the various
On Wed, November 6, 2013 01:16, Russ Allbery wrote:
We'll want to look at both sides of that question, and try to understand
how much work like that is potentially on the horizon with the various
choices.
Do you? In the past Debian has not shied away from making the choice that
it considers
Package: ftp.debian.org
Severity: normal
Hi,
Please remove ia32-libs and ia32-libs-gtk from unstable. The transition to
multi-arch was completed with wheezy which contained these packages in
transitional form. There's no use to keep the transitional packages for
any longer and they block ongoing
On Sat, November 2, 2013 19:53, Paul Gevers wrote:
Hi,
On 23-07-13 12:52, Graham Inggs wrote:
The lesstif2 package on which your package depends or build-depends is
destined to be removed from the archive before the release of Jessie.
We are nearly there [1, 2]. Could you please remove or
On Thu, October 31, 2013 10:42, Mathieu Parent wrote:
Package: libapache2-mod-auth-cas
Version: 1.0.9.1-4
Hi,
mod_cas is waiting indefinitely for a lock with apache worker.
I suggest to make it conflict with apache2-mpm-worker.
Ref:
Package: dokuwiki
Version: 0.0.20130510a-2
Severity: serious
Hi,
dokuwiki fails to upgrade, and exits the upgrade with an error.
Turning set -x on in postinst, this is what happens:
+ [ -e /etc/apache2/conf.d/dokuwiki.conf ]
+ [ -d /etc/apache2/conf-available -a ! -e
reopen 697940
forwarded 697940 http://trac.nginx.org/nginx/ticket/13
tags 697940 = security upstream
thanks
Hi,
This issue is not yet fixed in the package so it seems premature to close
it. You're probably right that upstream needs to do this and there's no
need for Debian to do it locally. But