Bug#998156: contains non-DFSG-free files

2021-11-01 Thread Florian Weimer
* Henry Cejtin: > (I assume you meant ml-nlffigen.) ml-nlffigen is part of SML/NJ, not > part of MLton. /usr/bin/mlnlffigen is part of mlton-tools. I believe the code generation requirements are different for MLton and SML/NJ.

Bug#998156: contains non-DFSG-free files

2021-11-01 Thread Florian Weimer
* Henry Cejtin: > As far as I know, the ckit stuff is just included because it needed > some tweaks to work under MLton. > I don't think that any of "our" stuff depends on it. I think mlnffigen needs ckit.

Bug#993162: libc6: i386 (Geode LX): latest push to Bookworm produces multiple sig ILL

2021-08-29 Thread Florian Weimer
* Aurelien Jarno: > I have been looking at the corresponding instruction, this is: > > 2ed0 <__cpu_indicator_init@GCC_4.8.0>: > 2ed0: f3 0f 1e fb endbr32 > > This is an Intel CET instruction, and it seems your CPU doesn't support > executing it. Anyway this shows that

Bug#975219: [Debichem-devel] Bug#975219: elkcode: FTBFS: internal compiler error: in lookup_field_for_decl, at tree-nested.c:288

2020-11-22 Thread Florian Weimer
* Lucas Nussbaum: > Hi Michael, > > On 22/11/20 at 15:32 +0100, Michael Banck wrote: >> Hi Lucas, >> >> That looks like an ICE, shouldn't that be filed with gfortran? > > Usually my logic is: if there's only one similar failure, I file a bug > against the affected package, rather than against

Bug#964815: it looks like dprof2calltree cannot be distributed with a GPL-2 work

2020-07-11 Thread Florian Weimer
* Nicholas D. Steeves: > Hi, > > Adrian Bunk writes: > >> On Fri, Jul 10, 2020 at 07:48:31PM -0400, Nicholas D Steeves wrote: >> >>> it would still not be DFSG-free, because it >>> fails the "desert island test" for snail mail. Were OmniTI Computer >>> Consulting would accept email, it would

Bug#954715: glibc: FTBFS: tests failed: signal/tst-minsigstksz-1 signal/tst-minsigstksz-2

2020-03-22 Thread Florian Weimer
* Lucas Nussbaum: > Source: glibc > Version: 2.30-2 > Severity: serious > Justification: FTBFS on amd64 > Tags: bullseye sid ftbfs > Usertags: ftbfs-20200322 ftbfs-bullseye > > Hi, > > During a rebuild of all packages in sid, your package failed to build > on amd64. >> FAIL:

Bug#924712: crypt() not available _XOPEN_SOURCE is defined

2019-08-25 Thread Florian Weimer
* Francesco Poli: > Hello everyone, > I am sorry to ask, but... I cannot understand what's the status of > [this bug report]. > > [this bug report]: > > A serious bug for libc6-dev without any apparent activity since last > March? Sure there must have been some

Bug#924891: glibc: FTBFS: /<>/build-tree/amd64-libc/conform/UNIX98/ndbm.h/scratch/ndbm.h-test.c:1:10: fatal error: ndbm.h: No such file or directory

2019-03-27 Thread Florian Weimer
retitle 924891 glibc: misc/tst-pkey fails due to cleared PKRU register after signal in amd64 32-bit compat mode thanks * Lucas Nussbaum: > On 27/03/19 at 08:48 +0100, Florian Weimer wrote: >> > If that's useful, I can easily provide access to an AWS VM to debug this >>

Bug#924891: glibc: FTBFS: /<>/build-tree/amd64-libc/conform/UNIX98/ndbm.h/scratch/ndbm.h-test.c:1:10: fatal error: ndbm.h: No such file or directory

2019-03-27 Thread Florian Weimer
* Lucas Nussbaum: > On 26/03/19 at 23:10 +0100, Aurelien Jarno wrote: >> On 2019-03-22 17:30, Florian Weimer wrote: >> > > About the archive rebuild: The rebuild was done on EC2 VM instances from >> > > Amazon Web Services, using a clean, minimal and up-to-date

Bug#924891: glibc: FTBFS: /<>/build-tree/amd64-libc/conform/UNIX98/ndbm.h/scratch/ndbm.h-test.c:1:10: fatal error: ndbm.h: No such file or directory

2019-03-22 Thread Florian Weimer
> About the archive rebuild: The rebuild was done on EC2 VM instances from > Amazon Web Services, using a clean, minimal and up-to-date chroot. Every > failed build was retried once to eliminate random failures. I believe the actual test failure is tst-pkey. Presumably, this rebuild was

Bug#924712: crypt() not available _XOPEN_SOURCE is defined

2019-03-21 Thread Florian Weimer
* Laurent Bigonville: > Le 19/03/19 à 19:43, Florian Weimer a écrit : >> * Laurent Bigonville: >> >>> Package: libc6-dev >>> Version: 2.28-8 >>> Severity: serious >>> >>> Hi, >>> >>> The crypt.3 manp

Bug#924712: crypt() not available _XOPEN_SOURCE is defined

2019-03-19 Thread Florian Weimer
* Laurent Bigonville: > Package: libc6-dev > Version: 2.28-8 > Severity: serious > > Hi, > > The crypt.3 manpage states that _XOPEN_SOURCE should be defined for > crypt() to be available. > > But it looks like it's currently the opposite: if _XOPEN_SOURCE is > defined, the function cannot be

Bug#904808: libcap-ng0: libcap-ng's use of pthread_atfork causes segfaults

2019-02-28 Thread Florian Weimer
The problem here is the weak declaration: $ eu-readelf --symbols=.dynsym /lib64/libcap-ng.so.0.0.0 | grep pthread_atfork 28: 0 NOTYPE WEAK DEFAULT UNDEF pthread_atfork In the Fedora 29 build, the constructor looks like this: Dump of assembler code for function

Bug#907585: Backport also needs fixing

2018-09-12 Thread Florian Weimer
found 907585 20180518-1~bpo9+1 thanks firmware-cavium_20180518-1~bpo9+1_all.deb is still in the package pool and contains the offending binary.

Bug#857909: [libc6-dev] getpid() in child process created using clone(CLONE_VM) returns parent's pid

2017-03-23 Thread Florian Weimer
* John Paul Adrian Glaubitz: > I would suggest filing a bug report to glibc upstream or posting on > their mailing list to ask for feedback. Upstream has since removed the PID cache:

Bug#846374: debsecan: Debsecan cannot access https://security-tracker.debian.org/tracker/debsecan/*/1

2016-11-30 Thread Florian Weimer
* Berke Durak: > Debsecan stopped working. It fails as it is trying to access > >https://security-tracker.debian.org/tracker/debsecan/release/1/GENERIC > > or /sid, /jessie, etc. > > It displays the following error: > > % debsecan > error: while downloading >

Bug#839317: [pkg-golang-devel] Bug#839317: golang-1.7: FTBFS: tests failed

2016-10-01 Thread Florian Weimer
* Lucas Nussbaum: >> --- FAIL: TestLoadFixed (0.00s) >> time_test.go:943: Now().In(loc).Zone() = "-01", -3600, want >> "GMT+1", -3600 Is this due to a tzdata change?

Bug#832824: haskell-src-exts: reporting a bug at GHC for linker error. build fail on mips64el

2016-10-01 Thread Florian Weimer
* Clint Adams: > Can you explain what GHC might be doing wrong? Did binutils get > stricter about something? What is R_MIPS_GOT_DISP? Are the GOT > constraints the same on mips64el as they are on mipsel? I suppose so, because the instruction encoding is quite similar. According to the

Bug#839260: ghostscript: various sandbox bypasses

2016-09-30 Thread Florian Weimer
Package: ghostscript Version: 9.19~dfsg-3 Tags: security Severity: grave Tavis Ormandy has reported several sandbox bypasses on the oss-security mailing list. (also see follow-ups) Filed upstream as:

Bug#839051: bind9: Unfixed crasher bug in wheezy LTS

2016-09-28 Thread Florian Weimer
Package: bind9 Version: 1:9.8.4.dfsg.P1-6+nmu2+deb7u10 Tags: security wheezy Severity: grave The wheezy LTS version of bind9 has an additional crasher bug. It may be due to an incomplete backport of the fix for CVE-2015-5477. I'm attaching the reproducer. Upstream BIND without the fix for

Bug#839010: bind9: CVE-2016-2776: Assertion failure in query processing

2016-09-27 Thread Florian Weimer
Package: bind9 Version: 1:9.10.3.dfsg.P4-10.1 Tags: security Severity: grave ISC has released a security alert at Relevant information from this report follows: CVE: CVE-2016-2776 Document Version: 2.0 Posting date:

Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60

2016-09-27 Thread Florian Weimer
* Thomas Orgis: > Am Tue, 27 Sep 2016 10:27:04 +0100 > schrieb James Cowgill : > >> Does this have a CVE ID? If not it should get one. > > I wondered about that. At the moment I just acted on the bug report and > pushed the fix. I have no personal experience with the CVE

Bug#819050: Please leave the severity at serious, this bug is a security issue.

2016-03-24 Thread Florian Weimer
* Hilko Bengen: > the original report may not have been 100% clear on this, but the bug is > the main cause of a vulnerability in Suricata (a network IDS/IPS) that > allows for remote denial of service, possibly remote code execution by > simply passing crafted packets by a Suricata installation.

Bug#807341: git-repair: uses non-random tempdir /tmp/tmprepo.0/.git/

2015-12-09 Thread Florian Weimer
* Jonas Smedegaard: > git-repair uses /tmp/tmprepo.0/.git/ which is clearly static, and I > believe therefore (on non-hardened systems) insecure. I think it does mkdir and if it fails, it tries again with /tmp/tmprepo.1, /tmp/tmrepo.2, and so on. I'm not sure you can abuse this and fool

Bug#803161: mailman: /var/log/mailman/* world-readable by default, leaking sensitive list information

2015-10-27 Thread Florian Weimer
severity 803161 normal thanks * Dominik George: > Severity: critical > Tags: security > Justification: root security hole > > The log files of mailman, residing in /var/lib/mailman/log and in > /var/log/mailman, and the log directory itself are created > world-readable by default. This discloses

Bug#801413: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

2015-10-20 Thread Florian Weimer
* James Cowgill: > They seemed pretty resistive to the idea of just adding specific > patches on top of 1.3.9, and if you look at the changelog there are a > number of other security bugs which seem important but don't have CVEs > because they couldn't be triggered remotely. >

Bug#781128: security.debian.org: GeoDNS load balancing of Debian Security mirrors + out of date mirrors means you can't patch

2015-03-25 Thread Florian Weimer
* Sam McLeod: 4) Mirror given by GeoDNS for security.debian.org was: - nashira.anu.edu.au (Located in Canberra, Australia) - Out of date and did not contain the patch. As far as I can tell, the Australian mirror is in sync now: $ wget -q -O- --header Host: security.debian.org

Bug#781128: security.debian.org: GeoDNS load balancing of Debian Security mirrors + out of date mirrors means you can't patch

2015-03-25 Thread Florian Weimer
* Sam McLeod: So the fix is just to wait for all Debian mirrors to be in sync before you can patch? We usually send out the announcement email only after the mirror sync has completed. But there can be delays, and other users might get confused if there is a security update without a matching

Bug#773610: libapache2-svn: apache2 restart failed: mod_dav_svn.so: undefined symbol:, dav_svn__new_error

2014-12-20 Thread Florian Weimer
* Arne Nordmark: The wheezy-security upload breaks libapache2-svn in exactly the same way as the previous upload 1.6.17dfsg-4+deb7u5, which was fixed in 1.6.17dfsg-4+deb7u6, see bug number 741314 for more details. Ugh, I'm building this now myself and will upload another version if it passes

Bug#760377: confirm apache 1 and gpl-1+ situation

2014-11-10 Thread Florian Weimer
* Paul Gevers: [2] http://anonscm.debian.org/cgit/collab-maint/xmlrpc-c.git/tree/lib/util/getoptx.h?h=debian-sid You should investigate if you can use the getopt from glibc, which is released under the LGPL. [3]

Bug#742140: libpam-oath: PAM module does not check whether strdup allocations succeeded

2014-11-06 Thread Florian Weimer
* Andreas Barth: we have the following debian bug report about a security issue in libpam-oath (source oath-toolkit, upstream web page http://www.nongnu.org/oath-toolkit/ ). What is the appropriate process to get a CVE number on it? This issue is already public, as it is documented in the

Bug#766397: Bug#766395: emacs/gnus: Uses s_client to for SSL.

2014-10-23 Thread Florian Weimer
* Richard Stallman: I've read that falling back to ssl3 is a real security hole, being exploited frequently. That feature should be removed. GNUTLS automatically and securely upgrades to a TLS protocol if supported by the server. Dropping SSL 3.0 support altogether will only encourage

Bug#742145: openssl: uses only 32 bytes (256 bit) for key generation

2014-03-19 Thread Florian Weimer
* Thorsten Glaser: Historically, the OpenSSL command line tools have been intended for debugging only. I disagree. It's what I was told by the OpenSSL developers. Also, what do other tools (that do not invoke openssl(1) unlike most of these I saw, which were shell wrappers around it) do,

Bug#734789: [CVE-2013-7284] Remote pre-authentication code execution in PlRPC

2014-01-09 Thread Florian Weimer
Package: libplrpc-perl Severity: grave Version: 0.2020-2 Tags: security upstream The PlRPC module uses Storable in an unsafe way, leading to a remote code execution vulnerability (in both the client and the server). Upstream bug report: https://rt.cpan.org/Public/Bug/Display.html?id=90474 A

Bug#731933: libmicrohttpd: CVE-2013-7038 CVE-2013-7039

2013-12-11 Thread Florian Weimer
overflow issue reported by Florian Weimer -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#707410: NMU debdiff

2013-10-19 Thread Florian Weimer
@@ +mlton (20100608-5.1) unstable; urgency=low + + * Non-Maintainer Upload + * Apply upstream patch to avoid __gmp_const breakage +(Closes: 707410) + * Apply patch from Matthias Klose to allow building on more target +triplets on i386, not just i486-linux-gnu (Closes: 640137) + + -- Florian

Bug#709382: Built-Using, libgcc, and libc_nonshared

2013-06-02 Thread Florian Weimer
* Russ Allbery: Clearly no one else in the world is worrying about this; there's lots of GPLv2-only software out there and all the distributions are happily distributing binaries built with current GCC without worrying about this. I'm not sure to what extent we can use that as an excuse,

Bug#706414: CVE-2013-3266: Insufficient input validation in the NFS server

2013-05-24 Thread Florian Weimer
* Steven Chamberlain: Hi, On 22/05/13 19:46, Florian Weimer wrote: Sorry for the delay. I'm taking care of this now. Thank you for the DSA. I notice a problem though when this was (I think - I'm unsure of the security team's processes here) copied to the main archive, probably so

Bug#706414: CVE-2013-3266: Insufficient input validation in the NFS server

2013-05-22 Thread Florian Weimer
* Steven Chamberlain: On 01/05/13 15:20, Christoph Egger wrote: Florian Weimer f...@deneb.enyo.de writes: Looks good. Please upload to security-master directly. You have to rebuild with -sa, though, so that the upstream tarball is included in the upload. Should be somewhere in your

Bug#708267: cve-2002-2443: kpasswd udp ping-pong

2013-05-20 Thread Florian Weimer
* Tom Yu: Some limited testing indicates that when the packet storm is confined to a single host, legitimate kpasswd and kadm5 requests can still get through, and the CPU usage pegs at about 70%. I haven't tested with multiple hosts involved. Out of curiosity, how many spoofed packets have

Bug#708267: cve-2002-2443: kpasswd udp ping-pong

2013-05-20 Thread Florian Weimer
* Tom Yu: Florian Weimer f...@deneb.enyo.de writes: * Tom Yu: Some limited testing indicates that when the packet storm is confined to a single host, legitimate kpasswd and kadm5 requests can still get through, and the CPU usage pegs at about 70%. I haven't tested with multiple hosts

Bug#708267: cve-2002-2443: kpasswd udp ping-pong

2013-05-20 Thread Florian Weimer
* Sam Hartman: I assume this goes back to squeeze as well. Shouldn't the severity be higher? This seems probably worth a DSA because such ping-pong attacks can really be bad for a network/server. Or am I missing mitigations? Yes, packet loops can be annoying. I think we should issue a DSA

Bug#708267: cve-2002-2443: kpasswd udp ping-pong

2013-05-20 Thread Florian Weimer
* Sam Hartman: Florian == Florian Weimer f...@deneb.enyo.de writes: Florian Yes, packet loops can be annoying. I think we should issue Florian a DSA for this. OK, do you want me to prepare patches and builds for squeeze and wheezy? Yes, that would be ideal.

Bug#708291: libjansi-native-java: package appears to be unusable

2013-05-14 Thread Florian Weimer
Package: libjansi-native-java Version: 1.0-3 Severity: grave The package claims to provide JNI libraries, but is architecture: all. For some reason, there are no DSOs in the JAR files. I think as it stands, the package is completely usable.

Bug#708164: nginx proxy_pass buffer overflow (CVE-2013-2070)

2013-05-13 Thread Florian Weimer
* Thijs Kinkhorst: A buffer overflow in the proxy_pass module has been reported by Nginx upstream, and a patch made available. Please see: http://www.openwall.com/lists/oss-security/2013/05/13/3 The issue is already fixed in the version in sid, and as far as I can see the code is not

Bug#706414: CVE-2013-3266: Insufficient input validation in the NFS server

2013-05-01 Thread Florian Weimer
* Christoph Egger: Hi! Steven Chamberlain ste...@pyro.eu.org writes: tags 706414 + pending thanks I've applied upstream's patch in SVN, I'm running it now on my NFS server and seems okay. Christoph, would you be able to do an upload of this to unstable please? I'm building right now.

Bug#706414: CVE-2013-3266: Insufficient input validation in the NFS server

2013-05-01 Thread Florian Weimer
* Christoph Egger: Packages will be in people.d.o:~christoph soon (or shall I upload to security directly? Looks good. Please upload to security-master directly. You have to rebuild with -sa, though, so that the upstream tarball is included in the upload.

Bug#690817: Is that bug still open?

2012-11-04 Thread Florian Weimer
* Ingo Jürgensmann: I'm fine with that, but unfortunately you didn't answer my question regarding the prominent warning about security issues that is still left open and visible to the end user. Please see the attached screenshots. This appears to be a different bug. Apparently, Drupal

Bug#691394: opendkim: DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust

2012-10-25 Thread Florian Weimer
* Scott Kitterman: This is not something that can be dealt with operationally. Unlike GPG, where keys are trusted based on signatures and web of trust (and people can decline to sign bad keys), in DKIM keys are trusted based on their being published in the sending domain's DNS and there is

Bug#689755: bind9: memory hole in named

2012-10-09 Thread Florian Weimer
* Christoph Anton Mitterer: On Mon, 2012-10-08 at 07:14 +0200, Florian Weimer wrote: Have you configured a memory limit for the cache? Which would you mean max-cache-size or max-acache-size? Not sure. I think in my days, there was max-cache-size only. Well I think that's a design bug

Bug#689755: bind9: memory hole in named

2012-10-07 Thread Florian Weimer
retitle 689755 bind9: memory leak in named thanks * Christoph Anton Mitterer: Since some update (unfortunately I forgot which one,.. but it's at least months ago) I experience a memory hole in named. Have you configured a memory limit for the cache? By default, there is no limit, and records

Bug#682826: world writable directories possible patch

2012-09-01 Thread Florian Weimer
Using chmod 1777 could help? I attached a patch just in case it does. Not really, I think. Users cannot build .fasl files for other users because they could supply crafted ones which do something different from what the original Lisp sources do.

Bug#682826: world writable directories possible patch

2012-09-01 Thread Florian Weimer
* Barak A. Pearlmutter: - have a setuid program that builds fasl files from trusted sources, which in practice means download them itself or from .deb packages Or a daemon, given that it's difficult to write SUID programs in Lisp. I thought we had common-lisp-controller for that?

Bug#679828: libc6: No easy way of enabling DNSSEC validation aka RES_USE_DNSSEC

2012-07-02 Thread Florian Weimer
* Matthew Grant: From my investigations this can only be enabled by recompiling each bit of software to set the RES_USE_DNSSEC flag in _res.options, as well as RES_USE_EDNS0. (Please see racoon bug #679483). The enablement method is from openssh 6.0p1, openbsd-compat/getrrsetbyname.c This

Bug#679272: bcfg2-server: unescaped shell command issues in the Trigger plugin

2012-06-27 Thread Florian Weimer
* Arto Jantunen: In Debian (and all other distros I know of) the bcfg2 server runs as root, so in practice this is a remote root hole (limited to attackers who can connect to the bcfg2 server (protected by a password and/or an ssl key)). .dsc and .debian.tar.gz for a fixed package are

Bug#658276: libcurl3: Doesn't work for all sites anymore

2012-03-31 Thread Florian Weimer
* Alessandro Ghedini: Anyway, you can upload to security-master when ready. You must build the package with specifying the -sa flag, on a squeeze system. Ok, thank you. Thanks for uploading. I'm a bit confused--is this an interoperability issue introduced by DSA-2398-1?

Bug#658276: libcurl3: Doesn't work for all sites anymore

2012-03-28 Thread Florian Weimer
* Alessandro Ghedini: We should fix this through stable-security. Please send a debdiff once the fix has been testing in unstable for a few days. Attached is the debdiff for stable-security. Looks good. If everything's ok I will upload it (I'm a DD since a few hours) in a few days, once

Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

2012-03-25 Thread Florian Weimer
* Simon McVittie: Dear security team: what do you consider the severity of this bug to be? Is it the sort of thing you issue DSAs for? So the problem seems to be traffic amplification by a factor of 250. (around 2000 bytes in, 500,000 bytes out). Is this correct? Is there any experience

Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

2012-03-25 Thread Florian Weimer
* Simon McVittie: Some proposed updates using the patch from ioquake3 are in my home directory on alioth: http://alioth.debian.org/~smcv/. Patch for review: http://anonscm.debian.org/gitweb/?p=pkg-games/openarena.git;a=commitdiff;h=caeb284533211bb0f76872279106a49306290168 Thanks for working

Bug#661150: dropbear: CVE-2012-0920 SSH server use-after-free vulnerability]

2012-02-28 Thread Florian Weimer
* Gerrit Pape: For stable, I backported the fix to 0.52, swiftly checked with upstream (thx Matt), and prepared these changes (debdiff attached): Thanks. Please build with -sa and upload to security-master.

Bug#659899: CVE-2011-0790: XSS

2012-02-27 Thread Florian Weimer
* Antoine Beaupré: ++ $h =~ s/[%]/./g; ++$step =~ s/[%]/./g; ++$mode =~ s/[%]/./g; ++$t =~ s/[%]/./g; ++$targ =~ s/[;%]/./g; ++$hierarchy =~ s/[;%]/./g; These patterns do not match the special character . Therefore, it is still possible to
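Review bot: the six substitutions do not share one character class: `$h`, `$step`, `$mode` and `$t` replace only `%`, while `$targ` and `$hierarchy` replace `%` and `;`, so whatever the fix intends to neutralise is handled differently depending on the variable. A per-variable denylist of single characters is a fragile way to close an XSS, since any character the class omits passes through unchanged; escaping these values for HTML (or URL-encoding them) at the point where they are emitted into the page would cover every character rather than the listed ones only.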

Bug#661509: security.debian.org: Packages-file for squeeze-amd64 broken

2012-02-27 Thread Florian Weimer
* Tim Riemenschneider: security.debian.org is currently unusable (for amd64 squeeze) I cannot reproduce this (at 20:17 CET). What does currently mean, exactly?

Bug#659899: CVE-2011-0790: XSS

2012-02-27 Thread Florian Weimer
* Antoine Beaupré: I don't actually know - I followed your lead and used that patch in the bugzilla Redhat bugtrackers: https://bugzilla.redhat.com/attachment.cgi?id=556619&action=diff&context=patch&collapsed=&headers=1&format=raw Okay, I'm notifying folks that this patch is probably not correct.

Bug#659899: CVE-2011-0790: XSS

2012-02-27 Thread Florian Weimer
* Antoine Beaupré: I don't actually know - I followed your lead and used that patch in the bugzilla Redhat bugtrackers: https://bugzilla.redhat.com/attachment.cgi?id=556619&action=diff&context=patch&collapsed=&headers=1&format=raw *grml* Fedora has already released the potentially incorrect

Bug#659296: Comments on the 0.4.1-6 upload

2012-02-13 Thread Florian Weimer
Vasudev Kamath asked me to include this information in the bug report. From: Florian Weimer f...@deneb.enyo.de Subject: Re: Accepted surf 0.4.1-6 (source i386) To: Vasudev Kamath kamathvasu...@gmail.com Date: Fri, 10 Feb 2012 23:18:36 +0100 Message-ID: 87vcnemiwz@mid.deneb.enyo.de * Vasudev

Bug#388141: Let's ask for a relicensing agreement

2012-01-26 Thread Florian Weimer
* David Prévot: provided to the Debian website Perhaps it could be made clearer that this applies to the web site proper and not to other contributions to Debian which also appear on the web. I think there should be a paragraph about third party contributions submitted by the recipient. The

Bug#516394: djbdns

2012-01-08 Thread Florian Weimer
* Russ Allbery: The remaining statement on this bug from the security team is: | djbdns should not be part of squeeze until it is properly hardened | against cache poisoning. It is between 100 and 200 times easier than | with other DNS servers. I don't understand the basis of that comment

Bug#652371: [CVE-2011-4824] SQL injection issue in auth_login.php

2011-12-16 Thread Florian Weimer
Package: cacti Version: 0.8.7g-1 Tags: security upstream fixed-upstream Severity: grave Several vulnerabilities have been disclosed in cacti: | SQL injection vulnerability in auth_login.php in Cacti before 0.8.7h | allows remote attackers to execute arbitrary SQL commands via the |

Bug#645881: critical update 29 available

2011-12-11 Thread Florian Weimer
* Philipp Kern: sun-java6 is sadly still a very high profile package. I won't go and break all those installations which force sun-java6 over openjdk-6 locally, either in unattended installations or through other means. It's really unfortunate that most of those installations seem to need

Bug#645881: critical update 29 available

2011-12-11 Thread Florian Weimer
* Matthias Klose: On 12/11/2011 01:07 PM, Holger Levsen wrote: Hi, On Sonntag, 11. Dezember 2011, Philipp Kern wrote: sorry, but I'd rather like to have an announcement that it has a bug, me too, for all the reasons Philipp noted. It's also trivial to download the fixed jdk from

Bug#651225: Security vulnerabilities (CVE-2011-2904, CVE-2011-3263, CVE-2011-3265, CVE-2011-4674)

2011-12-06 Thread Florian Weimer
Package: zabbix Version: 1:1.8.2-1squeeze2 Tags: security Severity: grave There appear to be several unfixed vulnerabilities in Zabbix in squeeze, including SQL injection vulnerabilities: http://security-tracker.debian.org/tracker/CVE-2011-2904

Bug#650880: aptitude safe-upgrade segfaults, aptitude update fails: E: Encountered a section with no Package: header

2011-12-04 Thread Florian Weimer
reopen 650880 reassign 650880 aptitude retitle 650880 aptitude segfaults with malformed Packages file severity 650880 normal tags 650880 -security thanks * Ralf Spenneberg: Running aptitude upgrade then fails: LANG=C aptitude safe-upgrade Reading package lists... Error! E: Encountered a

Bug#645881: critical update 29 available

2011-12-01 Thread Florian Weimer
* Moritz Mühlenhoff: Florian, what's the status of openjdk6 for stable/oldstable? I've released the pending update for squeeze. lenny will eventually follow, and so will the pending updates for squeeze, but judging by my past performance, it will take a while. If someone else wants to work on

Bug#648373: [CVE-2011-4130] Use-after-free issue

2011-11-11 Thread Florian Weimer
* Francesco P. Lovergine: A use-after-free issue has been discovered in ProFTPd: http://bugs.proftpd.org/show_bug.cgi?id=3711 It seems that squeeze is vulnerable, too. I haven't checked the code in lenny yet. I have 1.3.3a-6squeeze3 ready for squeeze with the required fix. Waiting

Bug#648359: [CVE-2011-4000] Unspecified buffer overflow vulnerability

2011-11-10 Thread Florian Weimer
Package: libchasen2 Version: 2.4.4-16 Severity: grave Tags: security JPCERT disclosed an unspecified buffer overflow vulnerability in ChaSen: http://jvn.jp/en/jp/JVN16901583/index.html Apparently, upstream will not provide patches. Would you be willing to work on this issue if we can obtain

Bug#648373: [CVE-2011-4130] Use-after-free issue

2011-11-10 Thread Florian Weimer
Package: proftpd-dfsg Version: 1.3.3a-6squeeze1 Severity: grave Tags: security A use-after-free issue has been discovered in ProFTPd: http://bugs.proftpd.org/show_bug.cgi?id=3711 It seems that squeeze is vulnerable, too. I haven't checked the code in lenny yet.

Bug#645881: critical update 29 available

2011-10-21 Thread Florian Weimer
* Moritz Muehlenhoff: As for stable/oldstable: I noticed that Red Hat provided packages for update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK): http://lwn.net/Articles/463919/ If anyone remembers the rationale behind the DLJ, perhaps they can check if the current BCL matches our needs, too?

Bug#645881: critical update 29 available

2011-10-19 Thread Florian Weimer
* Thijs Kinkhorst: Upstream has released Java SE 6 update 29 yesterday: http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html with security fixes. Does the lack of a DLJ version affect us? The special distributor license is no longer available from Oracle: | As a

Bug#641950: security of Crypt::RC4

2011-09-18 Thread Florian Weimer
* Nicholas Bamber: Please could have someone have a look at #641950? This module was packaged as it has been flagged up as a dependency of a new version of an existing package. However based upon the comments in the bug report it really is something we do not wish to encourage. In any case

Bug#639916: spread: license wackiness

2011-09-04 Thread Florian Weimer
* Ken Arromdee: Unlike the original BSD 4 clause license this adds or software that uses this software. Is it really that much different in effect from the Affero GPL? It may be a bit more far-reaching, but compliance is so much easier.

Bug#640093: Incorrect version number prevents automatic upgrades

2011-09-02 Thread Florian Weimer
Package: opensync Version: 0.22-4squeeze1 Severity: serious At one point, a binary NMU produced a 0.22-4+b1 version, which is larger than 0.22-4squeeze1. Please reupload with a version number like 0.22-4+squeeze1. (Setting severity to serious because #580867 was serious.) -- Florian Weimer

Bug#533934: pperl: FTBFS: tests failed directory

2011-06-13 Thread Florian Weimer
* Dominic Hargreaves: I added the quotation marks because I'm starting to doubt that it is worth spending time on. I use pperl a bit, but probably wouldn't miss it hugely, and upstream appears to be dead. I don't use it anymore, either. You could probably get away without hashing, by using

Bug#629852: Oracle Java SE Critical Patch Update Advisory - June 2011

2011-06-13 Thread Florian Weimer
* Torsten Werner: Am 09.06.2011 02:07, schrieb Sylvestre Ledru: Le mercredi 08 juin 2011 à 23:08 +0200, Nico Golde a écrit : Package: openjdk-6-jre, sun-java6-jre Severity: serious Tags: security A new round of java issues: CVE-2011-0862 CVE-2011-0873 CVE-2011-0815 CVE-2011-0817

Bug#628476: Package does not seem to work at all

2011-05-29 Thread Florian Weimer
Package: python-wordaxe Version: 0.3.2-1 Severity: grave The documentation mentions importing wordaxe.DCWHyphenator. But this does not work: fw@deneb:~$ python Python 2.6.6 (r266:84292, Dec 26 2010, 22:31:48) [GCC 4.4.5] on linux2 Type help, copyright, credits or license for more information.

Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-04-19 Thread Florian Weimer
* Niko Tyni: Security team, I assume this is going to be fixed through a DSA? I don't think this is a security bug on its own. It should be trivial to port this to squeeze and lenny. I'll try to prepare the debdiffs on Sunday, but if somebody else wants to do that, feel free. If this bug

Bug#616114: man in the middle security issue

2011-03-02 Thread Florian Weimer
* Thijs Kinkhorst: The following report by PolarSSL upstream was brought to our attention: https://lists.ubuntu.com/archives/ubuntu-motu/2011-February/007026.html Unfortunately it doesn't disclose details. I'll contact the upstream maintainer about that, but in any case a good start would be

Bug#614151: icedtea6-plugin: (PRSC) Please backport fixes for CVE-2011-0025, 4351 to squeeze, lenny

2011-02-20 Thread Florian Weimer
* Jonathan Wiltshire: Package: icedtea6-plugin Version: 6b11-9.1 Severity: grave Tags: squeeze lenny security Justification: user security hole Usertags: prsc-target-lenny, prsc-target-squeeze Please backport your fixes for the following CVE reports: There is no icedtea6-plugin package

Bug#613098: Zero is unusable on amd64

2011-02-12 Thread Florian Weimer
Package: openjdk-6-jre-zero Version: 6b18-1.8.3-2 Severity: grave At least on amd64, all tests fail during build, and all non-trivial programs fail. Here's a stack trace from javac -zero compiling a trivial program: java.nio.BufferOverflowException at

Bug#607794: bind 9.6.ESV.R3 DLV and further delegation issue

2011-01-21 Thread Florian Weimer
severity 607794 important forwarded 607794 bind-b...@isc.org thanks * Peter Palfrader: Peter Palfrader wrote on Wednesday, 19 January 2011: severity 607794 serious thanks So, I managed to reproduce the problem which has come up a few times now. Note that 9.7.2.dfsg.P3 is not

Bug#493599: pushing udns into squeeze

2010-12-02 Thread Florian Weimer
* Michael Tokarev: udns doesn't handle truncation, so it won't play well with the PowerDNS recursor (which doesn't support EDNS). One of the limitations of simplicity of design - only one socket and it's obviously UDP. With deployment of DNSSEC everywhere EDNS support becomes a

Bug#600667: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path

2010-10-22 Thread Florian Weimer
* Aurelien Jarno: I have just committed the fix, I am planning to do an upload soon to unstable. Do you think we should also fix it in stable? via a security release? FYI, I have uploaded eglibc 2.11.2-6+squeeze1 to testing-security.

Bug#584911: bind9: hard-coded dependency on /usr/lib/ssl/openssl.cnf might cause trouble

2010-06-08 Thread Florian Weimer
reassign 584911 openssl 0.9.8g-15+lenny6 retitle 584911 unreadable /usr/lib/ssl/openssl.cnf file breaks OPENSSL_config thanks * Mirko Gebauer: BIND uses the NULL argument, as far as I can tell. So this might be an OpenSSL bug. Well, all I can say is that bind9 as provided by the package

Bug#584911: bind9: hard-coded dependency on /usr/lib/ssl/openssl.cnf might cause trouble

2010-06-07 Thread Florian Weimer
* Mirko Gebauer: /usr/lib/ssl/openssl.cnf is a symlink to /etc/ssl/openssl.cnf, both provided by the package openssl. Unfortunately, on the respective machine, /etc/ssl/openssl.cnf is modified and not world-readable as it is by default after installing the openssl package. Thanks for

Bug#584585: file conflict with libisc50

2010-06-04 Thread Florian Weimer
* Peter Palfrader: Unpacking libisc52 (from .../libisc52_1%3a9.6.ESV.R1+dfsg-0+lenny1_i386.deb) ... dpkg: error processing /var/cache/apt/archives/libisc52_1%3a9.6.ESV.R1+dfsg-0+lenny1_i386.deb (--unpack): trying to overwrite `/usr/lib/libisc.so.50', which is also in package libisc50

Bug#584585: file conflict with libisc50

2010-06-04 Thread Florian Weimer
* Peter Palfrader: Stable has libisc40, and there are no conflicts with that TTBOMK. Ah. Apparently from the libisc50 that was in unstable (and testing?) with bind 9.6 at one point and its backport to lenny-backports. Hmm. I'm not sure what to do about this. Upload a -0+lenny2 with a

Bug#560238: Status, client-side breakage

2010-05-30 Thread Florian Weimer
What's the status here? I think the client-side breakage of v4-mapped addresses reported by Guillaume Gimenez in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560238#129 pretty much settles this.

Bug#567039: trac-git: Arbitrary command execution

2010-02-03 Thread Florian Weimer
* Stefan Göbel: Package: trac-git Version: 0.0.20080710-3 Severity: grave Tags: patch security Justification: user security hole The trac-git package in Debian Lenny - if enabled in Trac - allows a remote attacker to execute arbitrary commands on the system with the rights of the user

Bug#506652: status on copyright clearance for boilerplate for xml2rfc?

2009-12-02 Thread Florian Weimer
* Florian Weimer: * Daniel Kahn Gillmor: What's the status on copyright clearance for the boilerplate included in xml2rfc? It would be useful to me to have the latest version available through the repositories (even if it means moving it to non-free, though i hope that wouldn't

Bug#506652: status on copyright clearance for boilerplate for xml2rfc?

2009-12-02 Thread Florian Weimer
* Daniel Kahn Gillmor: What's the status on copyright clearance for the boilerplate included in xml2rfc? It would be useful to me to have the latest version available through the repositories (even if it means moving it to non-free, though i hope that wouldn't be necessary). We can't move

Bug#506652: status on copyright clearance for boilerplate for xml2rfc?

2009-12-02 Thread Florian Weimer
* Daniel Kahn Gillmor: On 12/02/2009 02:00 PM, Florian Weimer wrote: I misread the document. non-free is definitely a possibility. If you think non-free is a reasonable choice for now, could you package up 1.34 and put it there while the request for DFSG-free licensing winds its way