Bug#407824: Webapp-Packages and lighttpd
Hi there,

I am the maintainer of mantis, which is a PHP-based bug-tracking system. As I myself am pretty impressed by lighttpd, I would like to provide the users of my package with the possibility to select lighttpd during my package installation, so that an alias /mantis is configured. But there are various problems, which I hope we can solve together:

1) Apache has a directory conf.d where configuration files like the one I need are stored. Where is the proper place for me to store such a file in the configuration tree of lighttpd?

2) PHP isn't as simple as installing a module like it is in Apache, AFAIK. So is there any possibility to make it that easy? So that I can provide users with a running mantis, by installing it, just as they can when using Apache. If not: okay, then I would just need to hear that and I would provide some sort of info to my users.

Thanks in advance

Best Regards
Patrick
Bug#421077: icedove should take GNOME's Preferred applications into account
Package: icedove
Severity: normal

Under a default Debian system with a GNOME Desktop Environment you can set your preferred browser to 'Iceweasel', but some applications use the x-www-browser defined with update-alternatives. This is not intuitive for a modern desktop and most common users should not and would not want to be forced to use the console to update this setting. Also it makes the desktops inconsistent.

icedove is one of the applications using x-www-browser instead of what is defined in GNOME's settings. That is bad behaviour. Better would be: it should take the GNOME settings (or maybe KDE, don't know that because I am not using it) into account. If the DE sets a browser, it should use this one with higher priority than the system-wide alternative.

Best Regards
Patrick
Bug#421077: icedove should take GNOME's Preferred applications into account
retitle 421077 icedove should declare a Suggests: on icedove-gnome-support
bye

Alexander Sack - Debian Bugmail wrote:
> installing icedove-gnome-support should bring you that feature.

Okay, so it is my failure. Thanks. But for an ordinary user it is hard to find that this package even exists. Even I - as a somewhat more-professional user - didn't find it, just because I did not expect such a package to exist. So it would make sense to declare a Suggests: on icedove-gnome-support (and eventually an Enhances: icedove into icedove-gnome-support).

Additionally, you should change README.Debian, because the information therein is basically very irritating.

Best Regards
Patrick
Bug#420875: Linux Kernel NULL Pointer Dereferences and Security Bypass
Package: linux-image
Severity: critical
Tags: security

According to debsecan and current CVEs, Debian is vulnerable to CVE-2007-1734. Because this is remotely exploitable I set the priority of this bug report to critical.

Description of this security issue:

  nf_conntrack in netfilter in the Linux kernel before 2.6.20.3 does not set nfctinfo during reassembly of fragmented packets, which leaves the default value as IP_CT_ESTABLISHED and might allow remote attackers to bypass certain rulesets using IPv6 fragments.

This security issue is considered one with high severity. Security team gets CC.

Best Regards
Patrick
Bug#283922: LDAPv3
Hi,

Anthony Callegaro wrote:
> Hey there,
>
> This is indeed due to Mantis not supporting LDAP v3. To solve it you need to add
>
>   @ldap_set_option($t_ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>
> in file /usr/share/mantis/www/core/ldap_api.php.
>
> Patrick, is there any way that this could be included in the Debian package so we wouldn't have to modify it after each upgrade?

Yes, if that solves the problem I can incorporate this change into the next upload. I'm trying to make it ready as soon as I can, as 1.0.7 has been released recently.

Best Regards
Patrick
Bug#408823: mantis: dpkg-reconfigure deletes config_defaults_inc.php
Hi,

this one is definitely reproducible, but I cannot really understand why this happens. Fact is that configuration files that have been created by my package during installation are to be deleted on removal. Therefore the pre-removal script contains an entry which deletes those configuration files. But to me it seems that it is a bug in dpkg that this script is called during reconfigure. I will inform myself about this issue before I do anything about it.

Thanks for reporting this issue.

Best Regards
Patrick
Bug#415158: mantis: CVE-2006-6574 Allows unauthorized disclosure of information
Package: mantis
Version: 1.0.6-4.1
Severity: important
Tags: security pending

The current version of mantis in the repository is affected by CVE-2006-6574. The description for this security impact reads as follows:

  Mantis before 1.1.0a2 does not implement per-item access control for Issue History (Bug History), which allows remote attackers to obtain sensitive information by reading the Change column, as demonstrated by the Change column of a custom field.

Information about impact (according to NVD at NIST):

  CVSS Severity: 2.3 (Low)
  Range: Remotely exploitable
  Authentication: Not required to exploit
  Impact Type: Allows unauthorized disclosure of information

I'm adding this note for information, as I am working on fixing this issue. The packager of the Fedora Core packages of mantis has issued a patch backporting the changes made to 1.1.0a2, which is not vulnerable. I will check if this patch can be incorporated into this package and upload it with the next upload, which is to be held only by this security issue.

Greets
Patrick
Bug#414796: Default apache.conf doesn't work
Frank Lichtenheld wrote:
> Package: mantis
> Version: 1.0.6+dfsg-4.1
> Severity: important
>
> debian/apache.conf has the following line:
>
>   php_value include_path .
>
> To be able to use the system's libphp-phpmailer and libphp-adodb one needs to change that to
>
>   php_value include_path .:/usr/share/php:/usr/share
>
> though (or change the require calls for these libraries).

Are you sure there is a bug? In a default Debian installation my packages are running without any problems. And they do use the system's libphp-phpmailer and libphp-adodb, as the mantis package does not install the packages adodb and phpmailer files with it. Where did you expect problems with the package, if you did?

Greets
Patrick
Bug#409153: Add functionality which allows single entries to be exported
Package: revelation
Severity: wishlist

Hi,

revelation supports exporting the password directory to various formats. But it does not allow exporting single / selected entries only. Here for me and my company colleagues anyway this would be a very needed functionality, because we often have to exchange password data for import into each other's revelation directory.

Best Regards
Patrick
Bug#405778: Patch for the 1.0.6+dfsg-4.1 NMU of mantis
Hi Christian,

thanks for your NMU and the patches of it. I'm afraid that I did not answer these days, but unfortunately I've been quite busy in private affairs. I will now patch my sources with your NMU patch and then go on working/investigating on the current open bugs. If you would like to work on the call for updates, as you mentioned in your other e-mail, yes, I would appreciate that, as I do have to focus my current little time on those important bugs in the BTS.

Best Regards
Patrick

Christian Perrier wrote:
> Dear maintainer of mantis,
>
> 3 days ago, I sent you a notice announcing my intent to upload a NMU of your package to fix its pending l10n issues. You either agreed for this NMU or did not respond to my notices. I will now upload this NMU to DELAYED/0-DAY (which means an immediate upload).
>
> The NMU patch is attached to this mail.
>
> The NMU changelog is:
>
> Source: mantis
> Version: 1.0.6+dfsg-4.1
> Distribution: unstable
> Urgency: low
> Maintainer: Christian Perrier [EMAIL PROTECTED]
> Date: Sun, 21 Jan 2007 19:11:23 +0100
> Closes: 405778 406252
> Changes:
>  mantis (1.0.6+dfsg-4.1) unstable; urgency=low
>  .
>  * Non-maintainer upload to fix remaining l10n issues
>  * Add debconf-updatepo to the clean target
>  * Debian templates translations:
>    - French updated. Closes: #406252
>    - Japanese updated. Closes: #405778

diff -Nru mantis-1.0.6+dfsg.old/debian/changelog mantis-1.0.6+dfsg/debian/changelog --- mantis-1.0.6+dfsg.old/debian/changelog2007-01-21 17:11:29.035202902 +0100 +++ mantis-1.0.6+dfsg/debian/changelog2007-01-21 19:12:29.544956402 +0100
@@ -1,3 +1,13 @@ +mantis (1.0.6+dfsg-4.1) unstable; urgency=low + + * Non-maintainer upload to fix remaining l10n issues + * Add debconf-updatepo to the clean target + * Debian templates translations: +- French updated. Closes: #406252 +- Japanese updated. Closes: #405778 + + -- Christian Perrier [EMAIL PROTECTED] Sun, 21 Jan 2007 19:11:23 +0100 + mantis (1.0.6+dfsg-4) unstable; urgency=low * Added README.MultipleInstances which contains informations about diff -Nru mantis-1.0.6+dfsg.old/debian/po/fr.po mantis-1.0.6+dfsg/debian/po/fr.po --- mantis-1.0.6+dfsg.old/debian/po/fr.po 2007-01-21 17:11:29.019201902 +0100 +++ mantis-1.0.6+dfsg/debian/po/fr.po 2007-01-21 19:10:58.799285152 +0100 @@ -17,7 +17,7 @@ msgstr Project-Id-Version: fr\n Report-Msgid-Bugs-To: [EMAIL PROTECTED] -POT-Creation-Date: 2006-12-05 13:34+0100\n +POT-Creation-Date: 2006-12-13 17:32+0100\n PO-Revision-Date: 2006-12-09 08:35+0100\n Last-Translator: Christian Perrier [EMAIL PROTECTED]\n Language-Team: French debian-l10n-french@lists.debian.org\n @@ -60,7 +60,7 @@ #. Type: string #. Description #: ../templates:3001 -msgid \From:\ address for bug reports emails: +msgid Sender address for bug reports emails: msgstr Adresse origine des courriels de rapports de bogues : #. Type: string diff -Nru mantis-1.0.6+dfsg.old/debian/po/ja.po mantis-1.0.6+dfsg/debian/po/ja.po --- mantis-1.0.6+dfsg.old/debian/po/ja.po 2007-01-21 17:11:29.019201902 +0100 +++ mantis-1.0.6+dfsg/debian/po/ja.po 2007-01-21 19:10:58.951294652 +0100 
@@ -14,21 +14,21 @@ # msgid msgstr -Project-Id-Version: mantis 0.19.2-1\n +Project-Id-Version: mantis 1.0.6+dfsg-3\n Report-Msgid-Bugs-To: [EMAIL PROTECTED] POT-Creation-Date: 2006-12-13 17:32+0100\n -PO-Revision-Date: 2005-01-23 22:39+0900\n -Last-Translator: Hideki Yamane [EMAIL PROTECTED]\n +PO-Revision-Date: 2007-01-04 10:47+0900\n +Last-Translator: Hideki Yamane (Debian-JP) [EMAIL PROTECTED]\n Language-Team: Japanese debian-japanese@lists.debian.org\n MIME-Version: 1.0\n -Content-Type: text/plain; charset=EUC-JP\n +Content-Type: text/plain; charset=UTF-8\n Content-Transfer-Encoding: 8bit\n #. Type: string #. Description #: ../templates:1001 msgid Email address of the Mantis Administrator: -msgstr +msgstr Mantis 管理者のメールアドレス: #. Type: string #. Description @@ -37,38 +37,38 @@ This is mainly prompted to the user in case of errors that might require the intervention of the system administrator. msgstr +これは主にシステム管理者の介入が必要なエラーにユーザが遭遇した際に表示されま +す。 #. Type: string #. Description #: ../templates:2001 msgid Email address of the webmaster: -msgstr +msgstr webmaster のメールアドレス: #. Type: string #. Description #: ../templates:2001 msgid This address is displayed in the bottom of all Mantis pages. -msgstr +msgstr このアドレスは Mantis の全ページ下部に表示されます。 #. Type: string #. Description #: ../templates:3001 -#, fuzzy msgid Sender address for bug reports emails: -msgstr �Х�ѥ��� \From:\ ���ɥ쥹 +msgstr バグ報告メール用の送信者アドレス: #. Type: string #. Description #: ../templates:3001 msgid This email address will be used in all emails sent by Mantis. -msgstr +msgstr このメールアドレスは、Mantis
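Review bot: The debian/changelog hunk lists "Add debconf-updatepo to the clean target", but no debian/rules hunk appears in the part of the patch shown here, which breaks off inside the ja.po hunk. Check that the rules change is present in the full diff so the changelog entry matches what is uploaded.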
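Review bot: In the debian/po/fr.po hunk at ../templates:3001 the msgid changes to "Sender address for bug reports emails:" while the msgstr line is unchanged, and the header keeps PO-Revision-Date 2006-12-09, which is earlier than the new POT-Creation-Date 2006-12-13. Confirm that the French string was re-checked against the new msgid, and update PO-Revision-Date if it was.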
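Review bot: In the debian/po/ja.po header the declared charset changes from EUC-JP to UTF-8, so the file itself has to be stored as UTF-8 for the new msgstr lines to be read correctly; running msgfmt -c on it before upload would confirm that. The same header sets Project-Id-Version to "mantis 1.0.6+dfsg-3" while the changelog hunk names 1.0.6+dfsg-4.1, which is worth aligning.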
Bug#402830: Patch for the 3.0.2-2 NMU of smstools
Hi Mark,

so how do we proceed with our upload? Is there any process in this case that happened here?

Greets
Patrick

Mark Purcell wrote:
> Christian,
>
> Thanks for the NMU for smstools.
>
> However, please read the developers reference section on NMUs:
> http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-nmu
>
> NMUs are supposed to have a new minor version number. You should have numbered your package: 3.0.2-1.1
>
> Patrick and I were on the cusp of releasing 3.0.2-2.
>
> Mark
>
> On Saturday 20 January 2007 11:04, Christian Perrier wrote:
>> Source: smstools
>> Version: 3.0.2-2
>> Distribution: unstable
>> Urgency: low
>> Maintainer: Christian Perrier [EMAIL PROTECTED]
>> Date: Thu, 18 Jan 2007 22:09:50 +0100
>> Closes: 402830 403138
>> Changes:
>>  smstools (3.0.2-2) unstable; urgency=low
>>  .
>>  * Non-maintainer upload to fix a longstanding l10n issue and mark a new string as translatable
>>  * Mark Other as translatable in templates. Closes: #402830
>>  * Debconf templates translations:
>>    - French added. Closes: #403138

--
in medias res Gesellschaft für Kommunikationstechnologien mbH
Dahlenerstr. 570
41239 Mönchengladbach
tel. +49 (0) 2166 - 685
fax. +49 (0) 2166 - 800
email: [EMAIL PROTECTED]
Bug#402830: smstools: pending upload to fix these po-debconf bugs?
Hi,

Christian Perrier wrote:
> Hello,
>
> This bug, as well as #402830, is marked pending. Is there any reason for not uploading a new version fixing them, now that we are in freeze (both bugs qualify for a freeze exception)?

Yes, there are reasons for not uploading an updated version yet. In fact there are more important bugs than l10n bugs, which are not yet solved. At least not enough to release a new version. I'm working on it with pressure, but I'm pretty busy right now.

> In case you can't do it now, I propose an upload in the next days, which I will do anyway if I don't receive an answer pretty soon (I'm currently running a blitz NMU campaign for pending l10n bugs).

If you don't see that I close these bugs in the next 1 or 2 days, then please feel free to NMU a version fixing just the l10n bugs. I will have to take care of the other outstanding bugs apart from that, then.

Best Regards
Patrick
Bug#403580: Installation fails if /etc/mailname does not exist
Package: mantis
Severity: normal

I have received the following mail, which indicates that there seems to be a bug in the postinst script of mantis. I haven't checked it yet, but I open this bug report so that others can be informed about this issue, too.

Original Message
Subject: Hello, maintainer of mantis~
Date: Mon, 18 Dec 2006 12:47:44 +0900
From: 김진욱 Jinwook Kim [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Dear Patrick Schoenfeld

Today I updated mantis by apt, but there were some errors that I don't remember. And next time, mantis is 'half-configured' in my aptitude list. I tried to reinstall mantis. But I just get some error message like this:

  migraing old settings into dbconfig-common: done
  cat: /etc/mailname: No such file or directory
  dpkg: error processing mantis (--configure):

In my opinion the 'mantis package' needs more dependency or an '/etc/mailname' requirement. Is that right? Sorry for my short English.

--
in medias res Gesellschaft für Kommunikationstechnologien mbH
Dahlenerstr. 570
41239 Mönchengladbach
tel. +49 (0) 2166 - 685
fax. +49 (0) 2166 - 800
email: [EMAIL PROTECTED]
Bug#403615: Upgrade from 3.0-1 to 3.0.1-1 fails
Package: smstools
Severity: important
Version: 3.0.1-1

The upstream author reported to me that upgrading from 3.0-1 to 3.0.1-1 fails. The reason is (seems to be) that the init script from 3.0-1 contains a bug which causes the stop target to fail. This is fixed in 3.0.1-1, but is problematic for the upgrade path. We can handle this by having smsd killed before upgrading. This workaround has already been added to 3.0.1-1 but did not work. Therefore we need to do additional testing (upstream author and I are already doing so) to get it fixed properly.
Bug#403616: init script does not properly check if daemon is already running
Package: smstools
Severity: normal
Version: 3.0.1-1
Tags: pending

The upstream author informed me that the init script of the Debian package does not check properly if smsd is already started when using the start target. So it gets started twice, resulting in an undefined state. Technically this is because of the rm commands in the start target that delete .LOCK files, pid file, etc. - before they are issued it is not checked if smsd is running or not. These rm's should only be done if no smsd instance is running.
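Added example, not part of the original report and not the smstools init script: one way a start target can check for a live instance before it removes .LOCK files and the pid file. The function names, the directory layout and the stand-in for launching the daemon are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration of the check the report asks for. Function names, paths
# and the way the daemon is launched are assumptions, not smstools' own script.

# is_running PIDFILE
# Succeeds only if PIDFILE holds a numeric PID that belongs to a live process.
# Caveat: a recycled PID passes this test; a production script would also
# compare the process name or executable.
is_running() {
    _pidfile=$1
    [ -r "$_pidfile" ] || return 1
    _pid=$(cat "$_pidfile" 2>/dev/null)
    case $_pid in
        ''|*[!0-9]*) return 1 ;;    # empty or non-numeric: treat as stale
    esac
    kill -0 "$_pid" 2>/dev/null     # signal 0 only probes for existence
}

# safe_start PIDFILE SPOOLDIR COMMAND [ARGS...]
# Start target: leaves lock and pid files alone while an instance is alive,
# and removes them only when no instance is running.
safe_start() {
    _pf=$1
    _spool=$2
    shift 2
    if is_running "$_pf"; then
        echo "already running, pid $(cat "$_pf"); leaving lock files alone"
        return 0                    # LSB: starting a running service succeeds
    fi
    # No live instance: the pid file and any *.LOCK files are leftovers.
    rm -f "$_pf"
    find "$_spool" -type f -name '*.LOCK' -exec rm -f {} +
    # Stand-in for launching the daemon; a real daemon forks and writes its
    # own pid file.
    "$@" >/dev/null 2>&1 &
    echo "$!" > "$_pf"
}
```

The liveness test runs as the same user that started the daemon (root in an init script); run as another user, kill -0 can fail with a permission error for a process that is alive.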
Bug#403626: libisccfg1 should Replaces: libisccfg0 (and Conflicts: libisccfg0)
Package: libisccfg1
Severity: normal

libisccfg1 seems to replace libisccfg0, but when upgrading from Sarge to testing libisccfg0 is not being removed, resulting in an orphaned remaining libisccfg0 package. This situation could be handled by adding these fields to debian/control:

  Replaces: libisccfg0
  Conflicts: libisccfg0

I found these reverse dependencies for the package:

  Reverse Depends: lwresd,libisccfg0 libbind-dev,libisccfg0 1:9.2.4-1sarge1 bind9,libisccfg0 1:9.2.4-1sarge1 bind9,libisccfg0

But they seem not to exist in Etch anymore. This will force the removal of the old, orphaned libisccfg0 package.

Best Regards
Patrick
Bug#403138: smstools: French debconf templates translation
Hi,

Ivan Buresi wrote:
> Package: smstools
> Version: N/A
> Severity: wishlist
> Tags: patch l10n
>
> *** Documents/Bazar/msgtrans.txt
> Please find attached the French debconf templates translation, proofread by the debian-l10n-french mailing list contributors.
>
> This file should be put as debian/po/fr.po in your package build tree.

Thanks for your contribution. I will include the .po file in the next upload.

Best Regards
Patrick
Bug#402829: mantis: not supportable by the security team
Hi Thijs,

thanks for participating in the discussion. I have seen that you and Moritz have been the persons who had been active in mantis bug fixing.

Thijs Kinkhorst wrote:
>> It makes me somehow angry that I invested so much work in bringing mantis back in a good shape, when people can block its release by just saying 'hey it had a bad history'.
>
> You did not add here that the first result of this work only entered Debian a couple of weeks ago. While I do value the fact that you've been fixing up the package, the few weeks do not give much time to get a reliable indication of whether the package has made a radical change.

Hmm.. yeah. I accept this argument. Unfortunately I will have to accept it. Let's say: I just missed the right point in time to adopt mantis.

>> Given the information by Moritz that it had 21 vulnerabilities it should be worth mentioning that almost 50% of the bugs I've seen affected almost dusty versions of mantis that are *far* away from the current release.
>
> I'm sorry, but I do not buy this. I've fixed a large number of bugs in the sarge version of Mantis. The sarge version is 1.5 years old. That can hardly be called far away or dusty, can it?

The reason why I call the sarge release dusty is not because of its age in years. It's because of the fact that the sarge release shouldn't have been released as it is. It would have been a release where I would have totally agreed to block it for release. But that did not happen. Instead Sarge was shipped with a full-of-bugs (not only security related, but related to packaging) mantis package. Now we try to fix mistakes of the past, if we block the current mantis package from etch. But that will not help much, for the trust the Debian users who wanted to use a mantis Debian package lost.

> Please provide it then. I do not think it's convincing to use arguments like it was just dusty to support your point. Debian had the most recent version of mantis when sarge released. This didn't seem to be quite immune from vulnerabilities.

Well, actually you are right. Just saying it's dusty isn't right. My fault. But see my above comments about the sarge release. It wasn't suitable for the company I work in, and if you have a close look at the bug reports, other people got stuck on the same problems. That's a good indication that it wasn't in release quality. Even that it wasn't in any half-good quality at all. It was dangerous to ship such a broken package in a stable distribution and *that* is IMHO the main reason why it has a low user base according to popcon.

> But this goes for any other package as well - the point is that these numbers can be seen in a relative way: there's a lot of packages that have way higher numbers. The security team only has a fixed amount of time available to support them. If a package has an exceptionally high amount of work compared to a relatively low usage number, this can be a valid argument.

I will stop here without arguing about popcon, that it's a comparison between apples and bananas, that someone should note that mantis 0.19 was not installable for a lot of people, etc. But just one thing: have a look at the upstream's bugtracker and the sponsors list. I don't think that this says: Mantis has a poor userbase, but: Debian is not able to provide us with a proper package of mantis, so we don't use their mantis packages.

> But that *does* require concrete evidence that something has indeed changed. Especially if you're requesting something like this *very* shortly before the release, with little time to revert any mistakes.

Yes, you are right. Currently is not the right time to make mistakes, because we can't revert them in time. But what if blocking mantis from stable would be a mistake? I'm sure it is, even though I understand your arguments and will finally accept them. Of course this removal from etch will be a loss of trust among the remaining 40 people using Debian's mantis packages. But at least they will have the choice to use mantis/unstable or mantis from the backports.

> It's up to you now: show why mantis deserves the second chance, and why it's essential that it deserves it, at this point, instead of e.g. for Lenny.

Personally I've thought this point over. But I will not be able to change your minds until a release of etch. So I will resign and accept your arguments and your doubts and will not discuss further. Until the next release of Debian I will try to keep mantis packages as up-to-date as possible and then we will hopefully re-integrate it.

Greets
Patrick
Bug#402829: mantis: not supportable by the security team
Damyan Ivanov wrote:
> 2006/12/14, schönfeld / in-medias-res.com [EMAIL PROTECTED]:
>> Until the next release of Debian I will try to keep mantis packages as up-to-date as possible and then we will hopefully re-integrate it.
>
> Patrick,
>
> This will still help Debian users, especially if you provide a backport for Etch. Just remember that there is no security support for that (except the one you/upstream provide).

Yeah, that's true. And I *will* provide the best support that I can provide and also a backport.

-Patrick
Bug#402597: ITP: dnsproxy - a proxy for DNS queries
Package: wnpp
Severity: wishlist

* Package name    : dnsproxy
  Version         : 1.15
  Upstream Author : Armin Wolfermann [EMAIL PROTECTED]
* URL             : http://wolfermann.org/dnsproxy.html
* License         : an OSI approved MIT-style license
  Description     : a proxy for DNS queries

 dnsproxy forwards DNS queries to two previously configured nameservers: one for authoritative queries and another for recursive queries. The received answers are sent back to the client unchanged. No local caching is done.
 .
 Primary motivation for this project was the need to replace Bind servers with djbdns in an ISP environment. These servers get recursive queries from customers and authoritative queries from outside at the same IP address. Now it is possible to run dnscache and tinydns on the same machine with queries dispatched by dnsproxy.
 .
 Another possible scenario is a firewall where proxy queries should be forwarded to the real server in a DMZ.
 .
 Homepage: http://wolfermann.org/dnsproxy.html