Processed: tagging 862611, severity of 862611 is serious

Processing commands for cont...@bugs.debian.org: > # http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15 > tags 862611 + security Bug #862611 [deluge-webui] deluge-webui: directory traversal attack vulnerability Added tag(s) security. > severity 862611 serious Bug #862611 [deluge-webui]

Bug#860608: [pkg-golang-devel] Bug#860608: Bug#860608: golang: FTBFS: Go version is "go1.6.1", ignoring -next /<>/api/next.txt

On Sat, May 6, 2017 at 2:20 PM, Michael Stapelberg wrote: > > > On Tue, May 2, 2017 at 10:23 AM, Michael Hudson-Doyle < > michael.hud...@canonical.com> wrote: > >> On 2 May 2017 at 19:23, Michael Stapelberg wrote: >> >>> Sorry for the late reply,

Bug#858178: uuidcdef: buffer overflow

tags 858178 + patch thanks This is correctly diagnosing a buffer which is to small. The length of data written to the buffer is always constant, (20 bytes more than the length of the buffer), and not under user control, so there is probably not a security problem here. A patch, to increase the

Bug#862542: marked as done (reprozip: File conflict: trying to overwrite '/usr/bin/reprozip', which is also in package python3-reprozip:i386 1.0.9-2)

Your message dated Mon, 15 May 2017 06:18:33 + with message-id and subject line Bug#862542: fixed in reprozip 1.0.9-3 has caused the Debian Bug report #862542, regarding reprozip: File conflict: trying to overwrite '/usr/bin/reprozip', which is also in

Bug#771790: Fwd: Package broken

On May 15, 2017 06:06, "Val Markovic" wrote: [Sending you a copy of my response on the bug since I forgot to cc you.] -- Forwarded message -- From: Val Markovic Date: Sun, May 14, 2017 at 9:57 PM Subject: Re: Package broken To:

Bug#861878: nvidia-cuda-toolkit: nvcc needs to pass -fpie to compiler

Lumin, on sam. 13 mai 2017 05:59:24 +, wrote: > > This was documented in NEWS.Debian.gz. Having to use "--compiler-options > > -fPIC" was however not documented in NEW.Debian.gz, at least that should > > be done. > > Well, what do you think we can to to deal with this bug? I Cc-ed gcc, llvm

Bug#862570: libmenu-cache: menu-cached socket may be blocked by another user.

Hi I requested a CVE via cveform.mitre.org for this issue. Regards, Salvatore

Processed: forwarded upstream

Processing control commands: > forwarded -1 https://bitbucket.org/wooster/biplist/issues/8 Bug #860656 [src:python-biplist] python-biplist: FTBFS on i386: dh_auto_test: pybuild --test --test-nose -i python{version} -p 2.7 returned exit code 13 Set Bug forwarded-to-address to

Bug#860656: forwarded upstream

Control: forwarded -1 https://bitbucket.org/wooster/biplist/issues/8 Since the plist format stores the length of the integer, storing a long should always return a long: 0001 # of bytes is 2^, big-endian bytes https://en.wikipedia.org/wiki/Property_list#Mac_OS_X On python3 this does

Bug#862652: debian-edu-config: wrong exim4 configuration breaks SMTP server security

control: found -1 1.926 control: found -1 1.818+deb8u2 control: Severity -1 serious thanks -- cheers, Holger signature.asc Description: Digital signature

Processed: Re: Bug#862652: debian-edu-config: wrong exim4 configuration breaks SMTP server security

Processing control commands: > found -1 1.926 Bug #862652 [debian-edu-config] debian-edu-config: wrong exim4 configuration breaks SMTP server security Marked as found in versions debian-edu-config/1.926. > found -1 1.818+deb8u2 Bug #862652 [debian-edu-config] debian-edu-config: wrong exim4

Bug#862652: debian-edu-config: wrong exim4 configuration breaks SMTP server security

control: tags -1 + pending # a fix is in git already, though improvements have been discussed on irc # ;tl;dr: we're on it. -- cheers, Holger signature.asc Description: Digital signature

Processed: Re: Bug#862652: debian-edu-config: wrong exim4 configuration breaks SMTP server security

Processing control commands: > tags -1 + pending Bug #862652 [debian-edu-config] debian-edu-config: wrong exim4 configuration breaks SMTP server security Added tag(s) pending. -- 862652: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862652 Debian Bug Tracking System Contact

Bug#862571: pcmanfm: single instance socket may be blocked by another user.

Hi I requested a CVE for this issue via cveform.mitre.org Regards, Salvatore

Bug#861483: marked as done (ycmd: FTBFS against libclang with versioned symbols)

Your message dated Mon, 15 May 2017 09:05:01 + with message-id and subject line Bug#861483: fixed in ycmd 0+20161219+git486b809-2 has caused the Debian Bug report #861483, regarding ycmd: FTBFS against libclang with versioned symbols to be marked as done.

Bug#861836: marked as done (ntirpc: CVE-2017-8779)

Your message dated Mon, 15 May 2017 09:04:26 + with message-id and subject line Bug#861836: fixed in ntirpc 1.4.4-1 has caused the Debian Bug report #861836, regarding ntirpc: CVE-2017-8779 to be marked as done. This means that you claim that the problem

Bug#861755: marked as done (libpll: FTBFS on x86: AVX target specific option mismatch)

Your message dated Mon, 15 May 2017 09:04:17 + with message-id and subject line Bug#861755: fixed in libpll 0.3.0-1 has caused the Debian Bug report #861755, regarding libpll: FTBFS on x86: AVX target specific option mismatch to be marked as done. This

Bug#861878: nvidia-cuda-toolkit: nvcc needs to pass -fpie to compiler

@doko GCC-5 may be removed from unstable when CUDA 9.0 is uploaded. See below. (Maybe doko is already in some of these lists.) > The problem is the move of some parts of the toolchain to pie by > default, without updating the whole toolchain. Whenever not using only > gcc for building object

Processed: severity of 862652 is serious

Processing commands for cont...@bugs.debian.org: > severity 862652 serious Bug #862652 [debian-edu-config] debian-edu-config: wrong exim4 configuration breaks SMTP server security Severity set to 'serious' from 'normal' > thanks Stopping processing here. Please contact me if you need

Bug#845102: marked as done (ogamesim: FTBFS when built with dpkg-buildpackage -A (dpkg-genbuildinfo error))

Your message dated Mon, 15 May 2017 10:19:28 + with message-id and subject line Bug#845102: fixed in ogamesim 20130107-3 has caused the Debian Bug report #845102, regarding ogamesim: FTBFS when built with dpkg-buildpackage -A (dpkg-genbuildinfo error) to

Bug#861987: marked as done (flightcrew: insecure use of /tmp)

Your message dated Mon, 15 May 2017 11:48:37 + with message-id and subject line Bug#861987: fixed in flightcrew 0.7.2+dfsg-9 has caused the Debian Bug report #861987, regarding flightcrew: insecure use of /tmp to be marked as done. This means that you

Bug#862400: several bios updates exist since 2007

(please keep me in CC) On Sat, 13 May 2017 06:16:44 +0200 franckr wrote: > Hi Arturo, > > I cannot help for kernel, however, and you probably already know it: > Several bios updates became available since 10/04/2007 version. > Did you consider them ? (ie checking release

Bug#860169: marked as done (glue-sprite: Inconsistent dependencies)

Your message dated Mon, 15 May 2017 12:04:53 + with message-id and subject line Bug#860169: fixed in glue 0.13-1 has caused the Debian Bug report #860169, regarding glue-sprite: Inconsistent dependencies to be marked as done. This means that you claim

Processed: tagging 861593

Processing commands for cont...@bugs.debian.org: > tags 861593 + pending Bug #861593 [postfix-cdb] postfix-cdb: Broken after upgrade from jessie Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 861593:

Bug#862605: marked as done (Missing ondemand CPU governor.)

Your message dated Mon, 15 May 2017 15:23:02 +0100 with message-id <1494858182.29474.29.ca...@decadent.org.uk> and subject line Re: Bug#862605: Missing ondemand CPU governor. has caused the Debian Bug report #862605, regarding Missing ondemand CPU governor. to be marked as done. This means that

Processed: notfound 862605 in 3.16.39-1+deb8u2

Processing commands for cont...@bugs.debian.org: > notfound 862605 3.16.39-1+deb8u2 Bug #862605 [linux-image-3.16.0-4-amd64] Missing ondemand CPU governor. No longer marked as found in versions linux/3.16.39-1+deb8u2. > thanks Stopping processing here. Please contact me if you need assistance.

Processed: Re: Bug#862570: libmenu-cache: menu-cached socket may be blocked by another user.

Processing control commands: > retitle -1 menu-cache: CVE-2017-8933: socket may be blocked by another user Bug #862570 {Done: Andriy Grytsenko } [libmenu-cache3] libmenu-cache: menu-cached socket may be blocked by another user. Changed Bug title to 'menu-cache: CVE-2017-8933:

Bug#862571: pcmanfm: single instance socket may be blocked by another user.

Control: retitle -1 pcmanfm: CVE-2017-8934: single instance socket may be blocked by another user This issue has been assigned CVE-2017-8934. Regards, Salvatore

Bug#862570: libmenu-cache: menu-cached socket may be blocked by another user.

Control: retitle -1 menu-cache: CVE-2017-8933: socket may be blocked by another user Hi This issue has been assigned CVE-2017-8933. Regards, Salvatore

Processed: forcibly merging 861074 862656

Processing commands for cont...@bugs.debian.org: > forcemerge 861074 862656 Bug #861074 {Done: Jonas Meurer } [cryptsetup] cryptsetup: cryptroot-hook doesn't honor initramfs-tools' (>= 0.129) logic for resume devices Bug #862656 [cryptsetup] cryptsetup: WARNING: failed to

Processed: Re: Bug#862571: pcmanfm: single instance socket may be blocked by another user.

Processing control commands: > retitle -1 pcmanfm: CVE-2017-8934: single instance socket may be blocked by > another user Bug #862571 {Done: Andriy Grytsenko } [pcmanfm] pcmanfm: single instance socket may be blocked by another user. Changed Bug title to 'pcmanfm:

Bug#862652: marked as done (debian-edu-config: wrong exim4 configuration breaks SMTP server security)

Your message dated Mon, 15 May 2017 16:48:44 + with message-id and subject line Bug#862652: fixed in debian-edu-config 1.927 has caused the Debian Bug report #862652, regarding debian-edu-config: wrong exim4 configuration breaks SMTP server security to be

Bug#861878: nvidia-cuda-toolkit: nvcc needs to pass -fpie to compiler

On 15.05.2017 02:06, Lumin wrote: > @doko GCC-5 may be removed from unstable when CUDA 9.0 > is uploaded. See below. [I'd like to reach gcc-5 5.5 reach snapshot.debian.org, which will be around June/July. Then we can remove it]. > (Maybe doko is already in some of these lists.) > >> The problem

Bug#771790: Fixed with 1.0.0

I have packaged up latest upstream version (1.0.0) here: https://github.com/Valloric/dirty.js I've tested it out locally (using upstream's tutorial) on latest stretch RC with nodejs v4.8.2 and it's working fine. I'll look for a sponsor on debian-mentors to do a NMU.

Bug#862611: deluge-webui: directory traversal attack vulnerability

Hi, > deluge-webui: directory traversal attack vulnerability I think this is fixed in: http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable=41acade01ae88f7b7bbdba308a0886771aa582fd Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org /

Bug#771790: Fixed with 1.0.0

Hi, The latest upstream version is 1.1.0, which is a bug fix release. Check here: https://github.com/felixge/node-dirty/commit/6285fce15d3bc76bc288259ed2a095cd2936e218 On Mon, May 15, 2017 at 7:03 PM Val Markovic wrote: > I have packaged up latest upstream version (1.0.0)

Processed: forcibly merging 849357 856322

Processing commands for cont...@bugs.debian.org: > forcemerge 849357 856322 Bug #849357 [kernel-package] kernel-package: make-kpkg kernel_headers fails for linux 4.10-rc1; missing REPORTING-BUGS Bug #856322 [kernel-package] kernel-package: 4.10 kernel - kernel_headers package not building. File

Processed: severity of 849357 is serious, tagging 849357

Processing commands for cont...@bugs.debian.org: > severity 849357 serious Bug #849357 [kernel-package] kernel-package: make-kpkg kernel_headers fails for linux 4.10-rc1; missing REPORTING-BUGS Severity set to 'serious' from 'normal' > tags 849357 + patch Bug #849357 [kernel-package]

Bug#862611: deluge-webui: directory traversal attack vulnerability

CVE requested via https://cveform.mitre.org/ Regards, Salvatore

Processed: Change domain part of submitter address to debian.org

Processing commands for cont...@bugs.debian.org: > submitter 852998 ! Bug #852998 {Done: "Adam D. Barratt" } [release.debian.org] jessie-pu: package dropbear/2014.65-1 Changed Bug submitter to 'guil...@debian.org' from 'Guilhem Moulin '. >

Processed: Re: Bug#855324: pdfsam fails to start

Processing control commands: > reopen -1 Bug #855324 {Done: Markus Koschany } [pdfsam] pdfsam fails to start 'reopen' may be inappropriate when a bug has been closed with a version; all fixed versions will be cleared, and you may need to re-add them. Bug reopened No longer

Bug#855324: pdfsam fails to start

Control: reopen -1 Hi, just updated a machine from jessie -> stretch and stuck with the problem that pdfsam fails to start. The problem is that existing ~/.pdfsam/config.xml need to be changed too. I'd propose to write a NEWS entry to inform people and tell them what to do. Best, Philip

Processed: flightgear: CVE-2017-8921

Processing control commands: > found -1 3.0.0-5 Bug #862689 [src:flightgear] flightgear: CVE-2017-8921 Marked as found in versions flightgear/3.0.0-5. -- 862689: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862689 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems

Bug#862690: imagemagick: Built-Using field with binary version

Package: src:imagemagick Version: 8:6.9.7.4+dfsg-7 Severity: serious The latest imagemagick upload has been built by the arch:all build daemon, but has later been rejected by dak: On 2017-05-15 15:48, Debian FTP Masters wrote: > imagemagick-6-doc_6.9.7.4+dfsg-7_all.deb: Built-Using refers to

Bug#862689: flightgear: CVE-2017-8921

Source: flightgear Version: 1:2016.4.4+dfsg-2 Severity: grave Tags: upstream patch security Control: found -1 3.0.0-5 Hi, the following vulnerability was published for flightgear. CVE-2017-8921[0]: | In FlightGear before 2017.2.1, the FGCommand interface allows | overwriting any file the user

Processed: forcibly merging 849357 848066

Processing commands for cont...@bugs.debian.org: > forcemerge 849357 848066 Bug #849357 [kernel-package] kernel-package: make-kpkg kernel_headers fails for linux 4.10-rc1; missing REPORTING-BUGS Bug #856322 [kernel-package] kernel-package: 4.10 kernel - kernel_headers package not building. File

Processed: tagging 862611

Processing commands for cont...@bugs.debian.org: > tags 862611 + upstream fixed-upstream Bug #862611 [deluge-webui] deluge-webui: directory traversal attack vulnerability Added tag(s) fixed-upstream and upstream. > thanks Stopping processing here. Please contact me if you need assistance. --

Bug#862568: python-ncclient: Incomplete debian/copyright?

On Sun, May 14, 2017 at 06:13:28PM (+0100), Chris Lamb wrote: > Hi, > > I just ACCEPTed python-ncclient from NEW but noticed it was missing > attribution in debian/copyright for at least > > examples/csr1000v_example.py > ncclient/transport/ssh.py > setup.py > > (This is not exhaustive

Bug#771790: Fixed with 1.0.0

Thanks for pointing that out! But it hasn't been git-tagged, it failed the build on Travis, and it's only a couple of commits from 1.0.0 so it might make more sense to just go with 1.0.0. On Mon, May 15, 2017 at 11:34 AM, Marcos Marado wrote: > Hi, > > The latest

Bug#859805: marked as done (postfix-ldap: unsupported dictionary type: ldap after upgrade)

Your message dated Mon, 15 May 2017 21:08:08 + with message-id and subject line Bug#859805: fixed in postfix 3.1.4-5 has caused the Debian Bug report #859805, regarding postfix-ldap: unsupported dictionary type: ldap after upgrade to be marked as done.

Bug#852750: marked as done (libreadline7: readline() interferes with blocked SIGALRM)

Your message dated Mon, 15 May 2017 21:08:29 + with message-id and subject line Bug#852750: fixed in readline 7.0-3 has caused the Debian Bug report #852750, regarding libreadline7: readline() interferes with blocked SIGALRM to be marked as done. This

Bug#861593: marked as done (postfix-cdb: Broken after upgrade from jessie)

Your message dated Mon, 15 May 2017 21:08:08 + with message-id and subject line Bug#861593: fixed in postfix 3.1.4-5 has caused the Debian Bug report #861593, regarding postfix-cdb: Broken after upgrade from jessie to be marked as done. This means that

Bug#862593: xarchiver: Adding files to .tar.xz deletes existing content

Control: tags -1 confirmed Am 15.05.2017 um 00:01 schrieb Nikolaus Rath: > Package: xarchiver > Version: 1:0.5.4-1+deb8u1 > Severity: critical > Justification: causes serious data loss > > As far as I can tell, using xarchiver to add additional files to a > .tar.xz file will destroy the existing

Processed: Re: Bug#862593: xarchiver: Adding files to .tar.xz deletes existing content

Processing control commands: > tags -1 confirmed Bug #862593 [xarchiver] xarchiver: Adding files to .tar.xz deletes existing content Added tag(s) confirmed. -- 862593: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862593 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems

Bug#861878: nvidia-cuda-toolkit: nvcc needs to pass -fpie to compiler

>> That means, the "build your whole application with clang-3.8" >> advise is temporary and specific to CUDA 8.0. Before uploading >> CUDA 9.0 to unstable/experimental, we can change the default >> compiler back to GCC. And backporting CUDA 9.0 to stretch >> will eliminate the compiler trouble. >

Bug#862568: marked as done (python-ncclient: Incomplete debian/copyright?)

Your message dated Mon, 15 May 2017 21:52:57 + with message-id and subject line Bug#862568: fixed in python-ncclient 0.5.3-2 has caused the Debian Bug report #862568, regarding python-ncclient: Incomplete debian/copyright? to be marked as done. This means

Bug#862690: marked as done (imagemagick: Built-Using field with binary version)

Your message dated Mon, 15 May 2017 22:04:37 + with message-id and subject line Bug#862690: fixed in imagemagick 8:6.9.7.4+dfsg-8 has caused the Debian Bug report #862690, regarding imagemagick: Built-Using field with binary version to be marked as done.

Bug#860609: influxdb: FTBFS: Test failures

Hi. I said: > This failure is the same I reported in Bug #850282, and it should be > fixed in version 1.1.1+dfsg1-4. > > Let's hope that britney takes this closing-with-version message > as an indication that version 1.1.1+dfsg1-4 should propagate to testing. > > If this does not happen

Bug#862611: marked as done (deluge-webui: directory traversal attack vulnerability)

Your message dated Tue, 16 May 2017 00:33:53 + with message-id and subject line Bug#862611: fixed in deluge 1.3.13+git20161130.48cedf63-3 has caused the Debian Bug report #862611, regarding deluge-webui: directory traversal attack vulnerability to be

Bug#860608: [pkg-golang-devel] Bug#860608: Bug#860608: golang: FTBFS: Go version is "go1.6.1", ignoring -next /<>/api/next.txt

On Mon, May 15, 2017 at 08:56:08AM +0200, Michael Stapelberg wrote: > >> Package: golang-github-gosexy-gettext-dev > > vorlon, can we file for removal of this package? It wasn’t touched since > > 2013 and has no rdepends. > Done: https://bugs.debian.org/862612 Thanks for filing, 100% agreed.

Bug#861771: marked as done (Fails to install: postinst script returned error exit status 1)

Your message dated Mon, 15 May 2017 22:35:17 + with message-id and subject line Bug#861771: fixed in nodm 0.13-1.3 has caused the Debian Bug report #861771, regarding Fails to install: postinst script returned error exit status 1 to be marked as done.

Bug#862611: [/master] Check if template files exist and raise 404 if not in order to protect webui against directory traversal (Closes: #862611).

tag 862611 pending thanks Date: Mon May 15 20:09:36 2017 -0400 Author: Andrew Starr-Bochicchio Commit ID: 3d1b3b4500f155a25bc2e5e92ae56437fa728041 Commit URL: https://anonscm.debian.org/cgit/collab-maint/deluge.git;a=commitdiff;h=3d1b3b4500f155a25bc2e5e92ae56437fa728041

Processed: [/master] Check if template files exist and raise 404 if not in order to protect webui against directory traversal (Closes: #862611).

Processing commands for cont...@bugs.debian.org: > tag 862611 pending Bug #862611 [deluge-webui] deluge-webui: directory traversal attack vulnerability Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 862611:

Bug#771790: Fixed with 1.0.0

OK, so talking to pabs@ on debian-mentors, seems like a good approach to take here is to do NMU uploads to unstable and stable. I'm happy to do the work there (short of uploading, since I can't). Second part: Marcos, do you use this package on stable, testing or unstable? Also note that dirty.js

Bug#862712: node-brace-expansion: regular expression denial of service

Package: node-brace-expansion Version: 1.1.6-1 Severity: serious Tags: security There is a regular expression denial of service issue in node-brace-expansion <= 1.1.6. More details available here: https://nodesecurity.io/advisories/338 -- bye, pabs https://wiki.debian.org/PaulWise

Bug#860608: marked as done (golang: FTBFS: Go version is "go1.6.1", ignoring -next /<>/api/next.txt)

Your message dated Tue, 16 May 2017 05:05:58 + with message-id and subject line Bug#860608: fixed in golang-github-gosexy-gettext 0~git20130221-2 has caused the Debian Bug report #860608, regarding golang: FTBFS: Go version is "go1.6.1", ignoring -next

Processed: reopening 860608

Processing commands for cont...@bugs.debian.org: > reopen 860608 Bug #860608 {Done: Steve Langasek } [src:golang] golang: FTBFS: Go version is "go1.6.1", ignoring -next /<>/api/next.txt 'reopen' may be inappropriate when a bug has been closed with a version; all fixed versions

Bug#860608: [pkg-golang-devel] Bug#860608: Bug#860608: golang: FTBFS: Go version is "go1.6.1", ignoring -next /<>/api/next.txt

On Mon, May 15, 2017 at 03:17:03PM -0700, Steve Langasek wrote: > On Mon, May 15, 2017 at 08:56:08AM +0200, Michael Stapelberg wrote: > > >> Package: golang-github-gosexy-gettext-dev > > > vorlon, can we file for removal of this package? It wasn’t touched since > > > 2013 and has no rdepends. >