Bug#775871: torbrowser-launcher: TorBrowser Bundle signing key changed

2015-01-24 Thread Oleg Kitain
Bug confirmed for me, as signified by the warning: key not found when 
running. Please update.



--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#775873: marked as done (patch: directory traversal via file rename)

2015-01-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Jan 2015 17:18:23 +
with message-id e1yf4ln-00031n...@franck.debian.org
and subject line Bug#775873: fixed in patch 2.7.3-1
has caused the Debian Bug report #775873,
regarding patch: directory traversal via file rename
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
775873: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775873
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---

Package: patch
Version: 2.7.1-7
Tags: security

patch now supports git-style patches, which allows renaming files. This 
feature can be abused for directory traversal. As a proof of concept, 
applying the attached patch creates a file in /tmp:


$ ls /tmp/moo
/bin/ls: cannot access /tmp/moo: No such file or directory

$ mkdir empty && cd empty

$ patch -p1 < ~/traversal2.diff
patching file moo
patching file 
../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
 (renamed from moo)

$ ls /tmp/moo
/tmp/moo


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages patch depends on:
ii  libc6  2.19-13

--
Jakub Wilk
diff --git a/moo b/moo
new file mode 100644
--- /dev/null
+++ b/tmp/moo
@@ -0,0 +1 @@
+moo
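Review bot: The "diff --git a/moo b/moo" header and the "+++ b/tmp/moo" line in this hunk name different targets (moo versus tmp/moo). The session above reports "patching file moo", so the name a reader sees on the "+++" line is not the one that gets written. An applier should treat any disagreement between the header name and the "+++" name as an error and refuse the patch.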
diff --git a/moo a/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
rename from x
rename to x
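Review bot: The second name on the "diff --git" line is a long run of "../" components ending in tmp/moo, while "rename from" and "rename to" both say x, and the session above shows the header name being used as the rename target. The applier should reject any target name that is absolute or contains a ".." component before touching the filesystem, and should also refuse a rename whose "rename to" name does not match the header.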
---End Message---
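A pre-apply check for the problem reported above, as an added example that is not part of the bug report or of GNU patch's own code: it scans a git-style patch for target names that are absolute, contain a ".." component, or disagree with the "diff --git" header. The function names, the reject-any-".." policy and the shortened sample patch are assumptions made for this illustration.

```python
import re

# Assumes unquoted file names without spaces (illustrative scope).
GIT_HEADER = re.compile(r'^diff --git (\S+) (\S+)$')
NAME_LINE = re.compile(
    r'^(---|\+\+\+|rename from|rename to|copy from|copy to) ([^\t\n]+)')
HUNK = re.compile(r'^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@')


def strip_prefix(name, strip):
    """Drop `strip` leading path components, the way `patch -pN` does."""
    for _ in range(strip):
        _, sep, name = name.partition('/')
        if not sep:
            return ''
        name = name.lstrip('/')
    return name


def unsafe_reason(name):
    """Return why `name` must not be used as a patch target, or None."""
    if name.startswith('/'):
        return 'absolute path'
    if '..' in name.split('/'):
        return 'contains a ".." component'
    return None


def check_patch(text, strip=1):
    """Return (line number, name, reason) for every suspicious file name."""
    findings = []
    header_new = None          # new-file name from the last diff --git line
    old_left = new_left = 0    # hunk body lines still to be skipped
    for lineno, line in enumerate(text.splitlines(), 1):
        if old_left > 0 or new_left > 0:
            # Inside a hunk body: content lines may start with ---/+++,
            # so count them off instead of parsing them as headers.
            if line.startswith('-'):
                old_left -= 1
            elif line.startswith('+'):
                new_left -= 1
            elif not line.startswith('\\'):
                old_left -= 1
                new_left -= 1
            continue
        m = HUNK.match(line)
        if m:
            old_left = int(m.group(1) or 1)
            new_left = int(m.group(2) or 1)
            continue
        m = GIT_HEADER.match(line)
        if m:
            header_new = strip_prefix(m.group(2), strip)
            for raw in m.groups():
                name = strip_prefix(raw, strip)
                reason = unsafe_reason(name)
                if reason:
                    findings.append((lineno, name, reason))
            continue
        m = NAME_LINE.match(line)
        if not m:
            continue
        kind, raw = m.group(1), m.group(2).strip()
        if raw == '/dev/null':
            continue
        # git writes rename/copy names without the a/ and b/ prefixes.
        name = strip_prefix(raw, strip) if kind in ('---', '+++') else raw
        reason = unsafe_reason(name)
        if reason:
            findings.append((lineno, name, reason))
        elif (kind in ('+++', 'rename to', 'copy to')
              and header_new is not None and name != header_new):
            findings.append((lineno, name, 'disagrees with diff --git header'))
    return findings


# Constructed sample modelled on the attachment in the report, with the
# run of "../" shortened to three components.
SAMPLE = """\
diff --git a/moo b/moo
new file mode 100644
--- /dev/null
+++ b/tmp/moo
@@ -0,0 +1 @@
+moo
diff --git a/moo a/../../../tmp/moo
rename from x
rename to x
"""

if __name__ == '__main__':
    for lineno, name, reason in check_patch(SAMPLE):
        print(f'line {lineno}: {name!r}: {reason}')
```
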
---BeginMessage---
Source: patch
Source-Version: 2.7.3-1

We believe that the bug you reported is fixed in the latest version of
patch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) g...@debian.org (supplier of updated patch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 23 Jan 2015 20:27:32 +
Source: patch
Binary: patch
Architecture: source amd64
Version: 2.7.3-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) g...@debian.org
Changed-By: Laszlo Boszormenyi (GCS) g...@debian.org
Description:
 patch  - Apply a diff file to an original
Closes: 775873 775901
Changes:
 patch (2.7.3-1) unstable; urgency=high
 .
   * New upstream release with security fixes:
 - fix all cases of CVE-2015-1196 (closes: #775873, #775901),
 - fix infinite loop while applying patch, CVE-2014-9637.
   * Remove outdated disable-update-version and add_manpage_time.patch
 Debian patches.
   * Add homepage field.
   * Add watch file.

Bug#776135: marked as done (wireshark: Multiple security issues in 1.12.3 and prior versions)

2015-01-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Jan 2015 21:20:20 +
with message-id e1yf87w-0006ii...@franck.debian.org
and subject line Bug#776135: fixed in wireshark 1.12.1+g01b65bf-3
has caused the Debian Bug report #776135,
regarding wireshark: Multiple security issues in 1.12.3 and prior versions
to be marked as done.

-- 
776135: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776135
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: wireshark
Severity: serious
Tags: security fixed-upstream pending

Please see release notes:
https://www.wireshark.org/docs/relnotes/wireshark-1.12.3.html

Cheers,
Balint
---End Message---
---BeginMessage---
Source: wireshark
Source-Version: 1.12.1+g01b65bf-3

We believe that the bug you reported is fixed in the latest version of
wireshark, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Balint Reczey bal...@balintreczey.hu (supplier of updated wireshark package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Sat, 24 Jan 2015 16:01:19 +0100
Source: wireshark
Binary: wireshark-common wireshark wireshark-qt tshark wireshark-dev 
wireshark-dbg wireshark-doc libwireshark5 libwsutil4 libwsutil-dev 
libwireshark-data libwireshark-dev libwiretap4 libwiretap-dev
Architecture: source amd64 all
Version: 1.12.1+g01b65bf-3
Distribution: unstable
Urgency: high
Maintainer: Balint Reczey bal...@balintreczey.hu
Changed-By: Balint Reczey bal...@balintreczey.hu
Description:
 libwireshark-data - network packet dissection library -- data files
 libwireshark-dev - network packet dissection library -- development files
 libwireshark5 - network packet dissection library -- shared library
 libwiretap-dev - network packet capture library -- development files
 libwiretap4 - network packet capture library -- shared library
 libwsutil-dev - network packet dissection utilities library -- shared library
 libwsutil4 - network packet dissection utilities library -- shared library
 tshark - network traffic analyzer - console version
 wireshark  - network traffic analyzer - GTK+ version
 wireshark-common - network traffic analyzer - common files
 wireshark-dbg - network traffic analyzer - debug symbols
 wireshark-dev - network traffic analyzer - development tools
 wireshark-doc - network traffic analyzer - documentation
 wireshark-qt - network traffic analyzer - Qt version
Closes: 776135 776136
Changes:
 wireshark (1.12.1+g01b65bf-3) unstable; urgency=high
 .
   * security fixes from Wireshark 1.12.3 (Closes: #776135):
 - The WCCP dissector could crash (CVE-2015-0559, CVE-2015-0560)
 - The LPP dissector could crash (CVE-2015-0561)
 - The DEC DNA Routing Protocol dissector could crash (CVE-2015-0562)
 - The SMTP dissector could crash (CVE-2015-0563)
 - Wireshark could crash while decrypting TLS/SSL sessions.
   Discovered by Noam Rathaus. (CVE-2015-0564)
   * Fix GTK Broadway crash (Closes: #776136)

Bug#776136: marked as done (wireshark: Crashes when filter string is edited on Broadway)

2015-01-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Jan 2015 21:20:20 +
with message-id e1yf87w-0006io...@franck.debian.org
and subject line Bug#776136: fixed in wireshark 1.12.1+g01b65bf-3
has caused the Debian Bug report #776136,
regarding wireshark: Crashes when filter string is edited on Broadway
to be marked as done.

-- 
776136: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776136
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: wireshark
Severity: serious
Tags: fixed-upstream pending

From https://code.wireshark.org/review/#/c/6494/ :

The Broadway GDK backend never sets event->string. This results in
a crash when filter_string_te_key_pressed_cb tries to read its
contents.

Since the documentation marks reading the string as deprecated, try to
handle the character conversion here. It is based on
_gdk_x11_event_translate_keyboard_string (from gtk+), but without trying
to interpret Escape as '\033', and without trying to convert control
characters (example: Ctrl + 1). A buffer of 6 bytes is used to hold a
UTF-8 code point (there is no zero terminator, so 7 bytes as found in
the original implementation is unnecessary).

As g_locale_from_utf8 returns dynamically allocated memory, change the
control flow to have a single exit point where pointers are freed as
needed.

Reproduce with gtk3:

$ broadwayd :5
$ GDK_BACKEND=broadway BROADWAY_DISPLAY=:5 wireshark-gtk
(now open http://localhost:8085/ and start typing in the display
filter)

Keys tested: e € (AltGr + 5) ü (AltGr + , u)

In the X11 backend, these still get displayed correctly. In the broadway
backend however, the accents are missing due to a bug in the broadway
implementation.

Cheers,
Balint
---End Message---
---BeginMessage---
Source: wireshark
Source-Version: 1.12.1+g01b65bf-3

We believe that the bug you reported is fixed in the latest version of
wireshark, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Balint Reczey bal...@balintreczey.hu (supplier of updated wireshark package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Sat, 24 Jan 2015 16:01:19 +0100
Source: wireshark
Binary: wireshark-common wireshark wireshark-qt tshark wireshark-dev 
wireshark-dbg wireshark-doc libwireshark5 libwsutil4 libwsutil-dev 
libwireshark-data libwireshark-dev libwiretap4 libwiretap-dev
Architecture: source amd64 all
Version: 1.12.1+g01b65bf-3
Distribution: unstable
Urgency: high
Maintainer: Balint Reczey bal...@balintreczey.hu
Changed-By: Balint Reczey bal...@balintreczey.hu
Description:
 libwireshark-data - network packet dissection library -- data files
 libwireshark-dev - network packet dissection library -- development files
 libwireshark5 - network packet dissection library -- shared library
 libwiretap-dev - network packet capture library -- development files
 libwiretap4 - network packet capture library -- shared library
 libwsutil-dev - network packet dissection utilities library -- shared library
 libwsutil4 - network packet dissection utilities library -- shared library
 tshark - network traffic analyzer - console version
 wireshark  - network traffic analyzer - GTK+ version
 wireshark-common - network traffic analyzer - common files
 wireshark-dbg - network traffic analyzer - debug symbols
 wireshark-dev - network traffic analyzer - development tools
 wireshark-doc - network traffic analyzer - documentation
 wireshark-qt - network traffic analyzer - Qt version
Closes: 776135 776136
Changes:
 wireshark (1.12.1+g01b65bf-3) unstable; urgency=high
 .
   * security fixes from Wireshark 1.12.3 (Closes: #776135):
 - The WCCP dissector could crash (CVE-2015-0559, CVE-2015-0560)
 - The LPP dissector could crash (CVE-2015-0561)
 - The DEC DNA Routing Protocol dissector could crash (CVE-2015-0562)
 - The SMTP dissector could crash (CVE-2015-0563)
 - Wireshark could crash while decrypting TLS/SSL sessions.
   Discovered by Noam Rathaus. (CVE-2015-0564)
   * Fix GTK Broadway crash (Closes: #776136)

Bug#776075: marked as done (ats2-lang: FTBFS on most architectures)

2015-01-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Jan 2015 21:18:46 +
with message-id e1yf86q-0005wn...@franck.debian.org
and subject line Bug#776075: fixed in ats2-lang 0.1.8-1
has caused the Debian Bug report #776075,
regarding ats2-lang: FTBFS on most architectures
to be marked as done.

-- 
776075: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776075
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Source: ats2-lang
Version: 0.1.7-1
Severity: serious

Hi,

ats2-lang FTBFS on most architectures.

The 32-bit arches all fail with an error like this (eg on i386):
 make -C utils/atscc patscc
 make[2]: Entering directory '/«PKGBUILDDIR»/utils/atscc'
 /«PKGBUILDDIR»/bin/patsopt --output patscc_dats.c --dynamic patscc.dats
 freeitmlst_mark_unset: illegal pointer: ptr = 0x9104064
 Makefile:41: recipe for target 'patscc_dats.c' failed

Some of the 64-bit arches fail with other errors later on (segfaults or
other random errors).

https://buildd.debian.org/status/package.php?p=ats2-lang
http://buildd.debian-ports.org/status/package.php?p=ats2-lang&suite=sid

Thanks,
James
---End Message---
---BeginMessage---
Source: ats2-lang
Source-Version: 0.1.8-1

We believe that the bug you reported is fixed in the latest version of
ats2-lang, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthew Danish m...@debian.org (supplier of updated ats2-lang package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sat, 24 Jan 2015 14:43:24 -0500
Source: ats2-lang
Binary: ats2-lang
Architecture: source amd64
Version: 0.1.8-1
Distribution: unstable
Urgency: medium
Maintainer: Matthew Danish m...@debian.org
Changed-By: Matthew Danish m...@debian.org
Description:
 ats2-lang  - ATS version 2 programming language compiler
Closes: 768442 776075
Changes:
 ats2-lang (0.1.8-1) unstable; urgency=medium
 .
   * New upstream release
   * Upstream applied fix for FTBFS (Closes: #776075)
   * Remove unnecessary build parallelism (Closes: #768442)
---End Message---


Bug#747863: nut: diff for NMU version 2.7.2-1.1

2015-01-24 Thread Laurent Bigonville
On Sat, 24 Jan 2015 11:33:23 +,
Neil Williams codeh...@debian.org wrote:

> That doesn't seem to be part of the original bug which was for a clean
> install of nut-client.
>
> If you think this second issue is RC, then a new bug could be opened
> but that depends on whether this affects the version currently in
> testing and whether it actually causes a Policy violation in doing so,
> or just left-over files.

Left-over files on upgrade are usually considered a Policy violation,
aren't they?

> If you had concerns about the fixes proposed in the bug, maybe those
> should have been mentioned in a reply to the original bug (opened in
> September).

I was actually thinking about adding a wrapper around the executables
to check the MODE, instead of removing the service files now that the
release was getting closer. I should probably have mentioned it in the
bug report, but as said I really have little time at the moment.





Bug#776113: emacs23-common-non-dfsg: Useless without emacs23

2015-01-24 Thread Rob Browning
Axel Beckert a...@debian.org writes:

> emacs23 has been removed from Unstable like three months ago. So IMHO
> its non-free components are useless to keep in Debian and especially
> useless to release with Jessie.
>
> Filing as RC-level bug against the package to hear some other opinions,
> especially the maintainer ones.

This was an oversight on my part -- I should have requested removal.

> Feel free to reassign and retitle this bug report accordingly as RM bug
> report against ftp.debian.org if you agree with me. Or feel free to
> downgrade this bug report if you disagree.

Please feel welcome to reassign it yourself, or I'll try to get to it
later this weekend.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4





Bug#775635: marked as done (chiark-tcl: FTBFS in jessie: build-dependency not installable: tcl8.4-dev)

2015-01-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Jan 2015 18:33:22 +
with message-id e1yf5wm-0003ov...@franck.debian.org
and subject line Bug#775635: fixed in chiark-tcl 1.1.3
has caused the Debian Bug report #775635,
regarding chiark-tcl: FTBFS in jessie: build-dependency not installable: 
tcl8.4-dev
to be marked as done.

-- 
775635: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775635
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Source: chiark-tcl
Version: 1.1.2
Severity: serious
Tags: jessie sid
User: debian...@lists.debian.org
Usertags: qa-ftbfs-20150117 qa-ftbfs
Justification: FTBFS in jessie on amd64

Hi,

During a rebuild of all packages in jessie (in a jessie chroot, not a
sid chroot), your package failed to build on amd64.

Relevant part (hopefully):
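 ┌────────────────────────────────────────────────────────────┐
 │ Install chiark-tcl build dependencies (apt-based resolver) │
 └────────────────────────────────────────────────────────────┘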
 
 Installing build dependencies
 Reading package lists...
 Building dependency tree...
 Reading state information...
 Some packages could not be installed. This may mean that you have
 requested an impossible situation or if you are using the unstable
 distribution that some required packages have not yet been created
 or been moved out of Incoming.
 The following information may help to resolve the situation:
 
 The following packages have unmet dependencies:
  sbuild-build-depends-chiark-tcl-dummy : Depends: tcl8.4-dev but it is not installable
 E: Unable to correct problems, you have held broken packages.
 apt-get failed.

The full build log is available from:
   http://aws-logs.debian.net/ftbfs-logs/2015/01/17/chiark-tcl_1.1.2_jessie.log

A list of current common problems and possible solutions is available at
http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute!

About the archive rebuild: The rebuild was done on EC2 VM instances from
Amazon Web Services, using a clean, minimal and up-to-date chroot. Every
failed build was retried once to eliminate random failures.
---End Message---
---BeginMessage---
Source: chiark-tcl
Source-Version: 1.1.3

We believe that the bug you reported is fixed in the latest version of
chiark-tcl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ian Jackson ijack...@chiark.greenend.org.uk (supplier of updated chiark-tcl 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 22 Jan 2015 19:00:22 +
Source: chiark-tcl
Binary: libtcl-chiark-1
Architecture: i386 source
Version: 1.1.3
Distribution: unstable
Urgency: low
Maintainer: Ian Jackson ijack...@chiark.greenend.org.uk
Changed-By: Ian Jackson ijack...@chiark.greenend.org.uk
Closes: 775635
Description: 
 libtcl-chiark-1 - Tcl interfaces for adns, cdb, crypto, etc.
Changes: 
 chiark-tcl (1.1.3) unstable; urgency=low
 .
   * Build-Depends: Add tcl8.5-dev to the front of the list of
 possibilities.  Current Tcl packages do not provide tcl-dev, and no
 earlier version than 8.5 is, in fact, in jessie (8.4 was removed in
 April 2014).  Closes:#775635.  (FTBFS)

Bug#776159: Acknowledgement (freeorion: Keyboard seems to be undetected, not responding to key entered.)

2015-01-24 Thread Éric Boucher
Seems to need to be merged to 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730405

 From: ow...@bugs.debian.org
 To: bouchereric0...@hotmail.com
 Subject: Bug#776159: Acknowledgement (freeorion: Keyboard seems to be 
 undetected, not responding to key entered.)
 Date: Sat, 24 Jan 2015 18:45:06 +
 
 Thank you for filing a new Bug report with Debian.
 
 This is an automatically generated reply to let you know your message
 has been received.
 
 Your message is being forwarded to the package maintainers and other
 interested parties for their attention; they will reply in due course.
 
 As you requested using X-Debbugs-CC, your message was also forwarded to
   bouchereric0...@hotmail.com
 (after having been given a Bug report number, if it did not have one).
 
 Your message has been sent to the package maintainer(s):
  Debian Games Team pkg-games-de...@lists.alioth.debian.org
 
 If you wish to submit further information on this problem, please
 send it to 776...@bugs.debian.org.
 
 Please do not send mail to ow...@bugs.debian.org unless you wish
 to report a problem with the Bug-tracking system.
 
 -- 
 776159: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776159
 Debian Bug Tracking System
 Contact ow...@bugs.debian.org with problems
  

Processed: forwarded with patch

2015-01-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 forwarded 745835 
 http://lists.nongnu.org/archive/html/lynx-dev/2015-01/msg00029.html
Bug #745835 [lynx-cur] lynx-cur: certificate revocation is not checked
Bug #776073 [lynx-cur] lynx-cur: can connect to site with expired certificate
Set Bug forwarded-to-address to 
'http://lists.nongnu.org/archive/html/lynx-dev/2015-01/msg00029.html'.
Set Bug forwarded-to-address to 
'http://lists.nongnu.org/archive/html/lynx-dev/2015-01/msg00029.html'.

End of message, stopping processing here.

Please contact me if you need assistance.
-- 
745835: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745835
776073: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776073
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#776159: freeorion: Keyboard seems to be undetected, not responding to key entered.

2015-01-24 Thread Markus Koschany
severity 776159 normal
reassign 776159 libois-1.3.0
forcemerge 776159 730405
thanks

On 24.01.2015 19:42, Eric Boucher wrote:
> Package: freeorion
> Version: 0.4.4-2+b1
> Severity: grave
> Justification: renders package unusable
>
> Dear Maintainer,
>
> *** Reporter, please consider answering these questions, where appropriate ***
>
>    * What led up to the situation?
> Simply start the game.
>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
> Did try a second keyboard, same, no special driver installed.
>    * What was the outcome of this action?
> Same, key doesn't seem to be received by the game but does by the OS
> (Alt+Tab allows me to switch to another software without issue).
>    * What outcome did you expect instead?
> As everyones, pressed keys being entered to the game.
>
> *** End of the template - remove these template lines ***

Hello,

this is a bug in the ois library and does not affect everyone. You can
change this behaviour by editing ~/.freeorion/OISInput.cfg and setting

x11_keyboard_grab=false

to
x11_keyboard_grab=true


FreeOrion will migrate to SDL2 in the near future and this bug will go
away then.

Regards,

Markus





Processed: Re: Bug#776159: freeorion: Keyboard seems to be undetected, not responding to key entered.

2015-01-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 severity 776159 normal
Bug #776159 [freeorion] freeorion: Keyboard seems to be undetected, not 
responding to key entered.
Severity set to 'normal' from 'grave'
 reassign 776159 libois-1.3.0
Bug #776159 [freeorion] freeorion: Keyboard seems to be undetected, not 
responding to key entered.
Bug reassigned from package 'freeorion' to 'libois-1.3.0'.
No longer marked as found in versions freeorion/0.4.4-2.
Ignoring request to alter fixed versions of bug #776159 to the same values 
previously set
 forcemerge 776159 730405
Bug #776159 [libois-1.3.0] freeorion: Keyboard seems to be undetected, not 
responding to key entered.
Bug #776159 [libois-1.3.0] freeorion: Keyboard seems to be undetected, not 
responding to key entered.
Added tag(s) patch.
Bug #759344 [libois-1.3.0] freeorion: Keyboard randomly stops working
Removed indication that 759344 affects freeorion
Removed indication that 730405 affects freeorion
Bug #730405 [libois-1.3.0] libois-1.3.0: ignores keypresses that are falsely 
detected as key repeats
Merged 730405 759344 776159
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
730405: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730405
759344: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759344
776159: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776159
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#775418: marked as done (pcmanfm-dbg: copyright file missing after upgrade (policy 12.5))

2015-01-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Jan 2015 22:48:25 +
with message-id e1yf9vb-0001xk...@franck.debian.org
and subject line Bug#775418: fixed in pcmanfm 1.2.3-1.1
has caused the Debian Bug report #775418,
regarding pcmanfm-dbg: copyright file missing after upgrade (policy 12.5)
to be marked as done.



-- 
775418: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775418
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: pcmanfm-dbg
Version: 1.2.3-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

a test with piuparts revealed that your package misses the copyright
file after an upgrade, which is a violation of Policy 12.5:
https://www.debian.org/doc/debian-policy/ch-docs.html#s-copyrightfile

After the upgrade /usr/share/doc/$PACKAGE/ is just an empty directory.

This was observed on the following upgrade paths:

  wheezy -> jessie

From the attached log (scroll to the bottom...):

2m55.1s ERROR: WARN: Inadequate results from running adequate!
  pcmanfm-dbg: missing-copyright-file /usr/share/doc/pcmanfm-dbg/copyright

  MISSING COPYRIGHT FILE: /usr/share/doc/pcmanfm-dbg/copyright
  # ls -lad /usr/share/doc/pcmanfm-dbg
  drwxr-xr-x 2 root root 40 Dec 29 05:59 /usr/share/doc/pcmanfm-dbg
  # ls -la /usr/share/doc/pcmanfm-dbg/
  total 0
  drwxr-xr-x   2 root root40 Dec 29 05:59 .
  drwxr-xr-x 607 root root 12480 Dec 29 06:00 ..


Additional info may be available here:
https://wiki.debian.org/MissingCopyrightFile

Note that dpkg intentionally does not replace directories with symlinks
and vice versa, you need the maintainer scripts to do this.
See in particular the end of point 4 in
https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#s-unpackphase

It is recommended to use the dpkg-maintscript-helper commands
'dir_to_symlink' and 'symlink_to_dir' (available since dpkg 1.17.14)
to perform the conversion, ideally using d/$PACKAGE.maintscript.
Do not forget to add 'Pre-Depends: ${misc:Pre-Depends}' in d/control.
See dpkg-maintscript-helper(1) and dh_installdeb(1) for details.


cheers,

Andreas


pcmanfm-dbg_1.2.3-1.log.gz
Description: application/gzip
---End Message---
---BeginMessage---
Source: pcmanfm
Source-Version: 1.2.3-1.1

We believe that the bug you reported is fixed in the latest version of
pcmanfm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mateusz Łukasik mat...@linuxmint.pl (supplier of updated pcmanfm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 22 Jan 2015 21:56:10 +0100
Source: pcmanfm
Binary: pcmanfm pcmanfm-dbg
Architecture: source
Version: 1.2.3-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian LXDE Maintainers lxde-deb...@lists.lxde.org
Changed-By: Mateusz Łukasik mat...@linuxmint.pl
Description:
 pcmanfm- extremely fast and lightweight file manager
 pcmanfm-dbg - extremely fast and lightweight file manager (debug)
Closes: 775418
Changes:
 pcmanfm (1.2.3-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Add code to transition /usr/share/doc/pcmanfm-dbg from directory to
 symlink (Closes: #775418).

Bug#776113: emacs23-common-non-dfsg: Useless without emacs23

2015-01-24 Thread Axel Beckert
Control: reassign -1 ftp.debian.org
Control: retitle -1 RM: emacs23-common-non-dfsg -- RoM: obsolete; superseeded 
by emacs24-common-non-dfsg
Control: severity -1 normal

Hi Rob,

thanks for the prompt answer!

Rob Browning wrote:
> Axel Beckert a...@debian.org writes:
> > emacs23 has been removed from Unstable like three months ago. So IMHO
> > its non-free components are useless to keep in Debian and especially
> > useless to release with Jessie.
> >
> > Filing as RC-level bug against the package to hear some other opinions,
> > especially the maintainer ones.
>
> This was an oversight on my part -- I should have requested removal.

No problem. Happens. :-)

> > Feel free to reassign and retitle this bug report accordingly as RM bug
> > report against ftp.debian.org if you agree with me. Or feel free to
> > downgrade this bug report if you disagree.
>
> Please feel welcome to reassign it yourself, or I'll try to get to it
> later this weekend.

Done herewith.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert a...@debian.org, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE





Processed: Re: Bug#776113: emacs23-common-non-dfsg: Useless without emacs23

2015-01-24 Thread Debian Bug Tracking System
Processing control commands:

 reassign -1 ftp.debian.org
Bug #776113 [emacs23-common-non-dfsg] emacs23-common-non-dfsg: Useless without 
emacs23
Bug reassigned from package 'emacs23-common-non-dfsg' to 'ftp.debian.org'.
No longer marked as found in versions emacs23-non-dfsg/23.4+1-1.
Ignoring request to alter fixed versions of bug #776113 to the same values 
previously set
 retitle -1 RM: emacs23-common-non-dfsg -- RoM: obsolete; superseeded by 
 emacs24-common-non-dfsg
Bug #776113 [ftp.debian.org] emacs23-common-non-dfsg: Useless without emacs23
Changed Bug title to 'RM: emacs23-common-non-dfsg -- RoM: obsolete; superseeded 
by emacs24-common-non-dfsg' from 'emacs23-common-non-dfsg: Useless without 
emacs23'
 severity -1 normal
Bug #776113 [ftp.debian.org] RM: emacs23-common-non-dfsg -- RoM: obsolete; 
superseeded by emacs24-common-non-dfsg
Severity set to 'normal' from 'serious'

-- 
776113: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776113
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#774844: xfonts-traditional: fails to upgrade from 'wheezy': Can't locate File/Find.pm in @INC

2015-01-24 Thread Ian Jackson
Niko Tyni writes (Bug#774844: xfonts-traditional: fails to upgrade from 
'wheezy': Can't locate File/Find.pm in @INC):
> In that case the dependency on perl would be direct, but the script would
> fail in exactly the same way when a newer perl-modules is unpacked -
> because Time::Piece needs Time::Local from perl-modules, and that wouldn't
> be on the search path anymore.

Again, that would be an indirect dependency, although of a different
kind.

> I suspect it has more to do with the circular dependency between
> perl and perl-modules.

No, that's not it.  At the time when the bug occurs perl has always
been happily configured.

> > We see the bug with xfonts-traditional because both (a) it has a
> > trigger and (b) luck means that the usual ordering exposes the bug.
> > But as I explained earlier, this situation is not limited to packages
> > with triggers.  It can be repro'd with xfonts-traditional without
> > triggers being involved.
>
> I don't quite buy this argument about triggers not being involved.

Earlier I described a repro where xfonts-traditional's postinst fails
the `configure' operation.  The trigger is not a necessary component
of the failure.

> Consider, in a wheezy chroot:
...
> In this situation dpkg would agree to install and configure a package
> that Depends on 'file' and uses that command in 'postinst configure',
> but the configure step would fail.  Does that imply that the new libmagic1
> package should Break older versions of file? I don't think that makes sense.

I think this doesn't normally actually arise because apt prefers to
configure things in a different order.

> So why does it after s/file/perl/ and s/libmagic1/perl-modules/ ?
>
> It looks to me like this new Breaks: requirement arises from the dpkg
> triggers implementation and possibly concerns only circular dependencies.
> The loop breaking logic that looks for postinst scripts (policy 7.2)
> seems related. Clearly we don't have this for triggers, only for the
> configure step.

The loop is nothing to do with it.  The problem is that the dependency
checking has always been a bit loose in these kinds of cases, but it
hasn't mattered very much until now.

It would be better if dpkg would avoid configuring (or invoking
trigger processing for) A when A->B->C and C is not configured, but B
is.  That's not a practical solution for jessie.

I still think the Breaks as suggested earlier is the correct solution.

Ian.





Bug#775682: marked as done (websvn: CVE-2013-6892: arbitrary file access when downloads enabled for users with commit access)

2015-01-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Jan 2015 19:18:38 +
with message-id e1yf6ea-0008uk...@franck.debian.org
and subject line Bug#775682: fixed in websvn 2.3.1-1+deb6u1
has caused the Debian Bug report #775682,
regarding websvn: CVE-2013-6892: arbitrary file access when downloads enabled 
for users with commit access
to be marked as done.



-- 
775682: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: websvn
Severity: serious
Tags: security patch

Hi,

James Clawson reported:

Arbitrary files with a known path can be accessed in websvn by committing a
symlink to a repository and then downloading the file (using the download
link).

An attacker must have write access to the repo, and the download option must
have been enabled in the websvn config file.

Example:
- Create a symlink to /etc/passwd and commit it to the repo.
- Access websvn and download the file.
- The downloaded file will be the web server's /etc/passwd (i.e. the symlink is
  resolved on the web server).

This will also work with symlinks to directories, but dlmode=zip must be added
to the download link manually. Zip must be installed manually to be able to
download directories.


I've assigned CVE-2013-6892 to this issue. Please mention it in the changelog
when fixing the issue.

I've created attached patch which solves the bug.

Cheers,
Thijs
diff -ur oud/dl.php nieuw/dl.php
--- oud/dl.php	2015-01-18 16:03:30.688791512 +0100
+++ nieuw/dl.php	2015-01-18 16:27:00.950897749 +0100
@@ -137,6 +137,18 @@
 		exit(0);
 	}
 
+	// For security reasons, disallow direct downloads of filenames that
+	// are a symlink, since they may be a symlink to anywhere (/etc/passwd)
+	// Deciding whether the symlink is relative and legal within the
+	// repository would be nice but seems to error prone at this moment.
+	if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
+		header('HTTP/1.x 500 Internal Server Error', true, 500);
+		error_log('to be downloaded file is symlink, aborting: '.$archiveName);
+		print 'Download of symlinks disallowed: '.xml_entities($archiveName).'.';
+		removeDirectory($tempDir);
+		exit(0);
+	}
+
 	// Set timestamp of exported directory (and subdirectories) to timestamp of
 	// the revision so every archive of a given revision has the same timestamp.
 	$revDate = $logEntry-date;
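Review bot: is_link() is applied only to the top-level path $tempDir.DIRECTORY_SEPARATOR.$archiveName, so when the exported item is a directory, symlinks nested inside it pass this check untouched; they are safe only where the archiver is told to store links instead of following them, and any archive mode other than the zip call changed later in this patch should be confirmed to do that. The refusal is also sent as a 500 although it is a policy denial, not a server fault; a 403 would describe it more accurately and keep it out of server-error monitoring. Minor: "to error prone" in the new comment should read "too error prone".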
@@ -180,7 +192,7 @@
 		$downloadMimeType = 'application/x-zip';
 		$downloadArchive .= '.zip';
 		// Create zip file
-		$cmd = $config-zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
+		$cmd = $config-zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
 		execCommand($cmd, $retcode);
 		if ($retcode != 0) {
 			error_log('Unable to call zip command: '.$cmd);
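Review bot: the added --symlinks on the zip command line carries the security fix for directory downloads but has no comment saying so, unlike the is_link() check added earlier in this patch; a one-line comment above the $cmd assignment would keep the flag from being dropped in a later cleanup. The fix also depends on the configured zip binary accepting that option; one that rejects it ends in the existing $retcode != 0 branch and logs 'Unable to call zip command', so that dependency is worth stating where the zip path is configured.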
---End Message---
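The patch comment above leaves open how to decide whether a symlink stays inside the exported tree. The following Python code is an added example, not part of the original message or of websvn, showing one way to make that decision for an export directory that only the server process writes to; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile


def classify_symlinks(export_dir):
    """Map each symlink under export_dir (relative path) to 'internal' or 'escapes'."""
    root = os.path.realpath(export_dir)
    found = {}
    # followlinks=False: symlinked directories are listed but never descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath follows the whole chain, so a link to a link is judged
            # by where it finally lands, even if that target does not exist.
            resolved = os.path.realpath(path)
            inside = os.path.commonpath([root, resolved]) == root
            found[os.path.relpath(path, root)] = "internal" if inside else "escapes"
    return found


def may_serve(temp_dir, archive_name):
    """Return (allowed, reason) for a download of temp_dir/archive_name."""
    target = os.path.join(os.path.realpath(temp_dir), archive_name)
    if os.path.islink(target):
        # Same rule as the patch: a top-level symlink is never served.
        return False, "top-level symlink"
    if os.path.isdir(target):
        escaping = sorted(path for path, kind in classify_symlinks(target).items()
                          if kind == "escapes")
        if escaping:
            return False, "links leave the export: " + ", ".join(escaping)
    return True, "ok"


def build_sample_export():
    """Constructed sample: a temp dir holding three exported items."""
    temp_dir = tempfile.mkdtemp(prefix="export-")
    proj = os.path.join(temp_dir, "proj")
    os.makedirs(os.path.join(proj, "docs"))
    os.makedirs(os.path.join(temp_dir, "clean"))
    for path in (os.path.join(proj, "README"),
                 os.path.join(temp_dir, "clean", "a.txt")):
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
    os.symlink("README", os.path.join(proj, "readme-link"))            # stays inside
    os.symlink("../README", os.path.join(proj, "docs", "up"))          # stays inside
    os.symlink("/etc/passwd", os.path.join(proj, "docs", "abs"))       # absolute target
    os.symlink("../../../outside", os.path.join(proj, "docs", "rel"))  # climbs out
    os.symlink("a.txt", os.path.join(temp_dir, "clean", "alias"))      # stays inside
    os.symlink("/etc/passwd", os.path.join(temp_dir, "passwd-link"))   # top-level link
    return temp_dir


if __name__ == "__main__":
    demo = build_sample_export()
    for item in ("passwd-link", "proj", "clean"):
        print(item, may_serve(demo, item))
```

Links that resolve inside the export are allowed here, which is looser than the patch's blanket refusal of a top-level symlink and stricter than storing every nested link with zip --symlinks.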
---BeginMessage---
Source: websvn
Source-Version: 2.3.1-1+deb6u1

We believe that the bug you reported is fixed in the latest version of
websvn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst th...@debian.org (supplier of updated websvn package)



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sat, 24 Jan 2015 12:31:44 +
Source: websvn
Binary: websvn
Architecture: source all
Version: 2.3.1-1+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Pierre Chifflier pol...@debian.org
Changed-By: Thijs Kinkhorst th...@debian.org
Description: 
 websvn - interface for Subversion repositories written in PHP
Closes: 775682
Changes: 
 websvn (2.3.1-1+deb6u1) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Disable download of in-repository symlinks to prevent arbitrary
 file access (CVE-2013-6892, Closes: #775682).

Bug#740998: rdnssd: merge-hook overwrites /etc/resolv.conf when /sbin/resolvconf is not installed

2015-01-24 Thread Michael Gilbert
On Mon, Oct 27, 2014 at 11:55 AM, Rémi Denis-Courmont wrote:
 On Monday 27 October 2014, 15:20:37, Raphael Hertzog wrote:
 On Fri, 07 Mar 2014, Frank Heckenbach wrote:
  The merge-hook script overwrites /etc/resolv.conf when
  /sbin/resolvconf is not installed, thereby erasing additional
  entries in this file such as name etc.

 And it also erases non-IPv6 DNS servers that were present
 in that file before.

 Right now, this package got installed by default on a Jessie GNOME
 desktop and it really interacts badly with NetworkManager which
 was handling the file perfectly fine (i.e. it included already the
 IPv6 DNS servers identified by rdnsd).

 That *is* a problem. Indeed NetworkManager has gained support for RDNSS for a
 long time already, and thus made completely rdnssd redundant if not counter-
 productive on a system with NetworkManager.

I haven't looked into the details of this bug, but since discussion
has stalled for a long time, and trying to get it started again,
wouldn't an obvious fix be to add conflicts between network-manager
and rdnssd?  Is there any reason not to do that?

Best wishes,
Mike





Bug#775638: IPv6 database is corrupt

2015-01-24 Thread Andrew Moise
  Okay, I sorted it out. The reason the city DB was corrupted is
because we were putting so many locations into the location file that
we were overflowing the addressable places to put them. The Maxmind
format uses 3 bytes to store offsets, so when we exceed offset
0xFF our offsets wrap around to 0 and nothing good happens after
that. I added a check for the overflow condition, so the code that
creates city DBs errors out instead of silently making a corrupted
database. Coincidentally, we were just barely over the size limit for
Maxmind's format, which is why a fairly small number of entries were
affected.
  That left the issue of why we were overflowing in the first place.
It turns out that a large fraction of the locations in the CSV data
aren't actually needed (aren't associated with any IP address). In
order to fit the data into a .dat file in Maxmind's format, we have to
scan for those and remove them. There are a huge number of them, as I
said -- removing them shrinks the .dat file from 31 MB to 20 MB.
  I've attached a patch which does both of those things. I've built
gdnsd successfully with this patch applied and the DBs rebuilt. I've
also tested it by running geoiplookup against the database for several
addresses.
  The patch also fixes the area code and metro code for US addresses,
which I noticed were backwards (switched with one another).
  Hope this helps, let me know if you see any issues.
  -Andrew


On Fri, Jan 23, 2015 at 11:52 AM, Andrew Moise andrew.mo...@gmail.com wrote:
   Hi Patrick.
   I tracked it down to a few broken entries in the city DB. It looks
 like the DB creation code makes almost all the entries correctly, but
 there are a couple of them that come out corrupted:

 (jessie)moise@localhost:~$ geoiplookup 1.120.146.170
 GeoIP Country Edition: AU, Australia
 GeoIP City Edition, Rev 1: GP,
 ���-��-��%��%��%��%��- �- �-Ɣ-��%��%�-��-x�-v�-, N/A, N/A, N/A,
 -180.00, -179.993500, 0, 0
 GeoIP ASNum Edition: AS30722 Vodafone Omnitel B.V.

   Note that's with a local build of the database -- that particular IP
 address may not be corrupted in the actual jessie database. In that
 local DB, as in the actual jessie database, almost all the entries are
 correct, just there are a handful that look like that one.
   I've been busy the last couple days, but I expect that I'll get
 enough time today to actually track down what's going wrong and fix
 it.
   -Andrew

 On Jan 23, 2015 9:43 AM, Patrick Matthäi pmatth...@debian.org wrote:

 Hi Andrew,

 do you have got any news? :)

 On 20.01.2015 at 18:43, Andrew Moise wrote:

   Thanks Patrick. One note - just like the v6 issue, the gdnsd test suite is 
 detecting a genuine problem in the city DB. It is something wrong with the 
 city DB creation tools that's causing it (i.e. not just an issue with the 
 gdnsd tests). I just haven't finished tracking down exactly what the issue 
 is yet.
   -Andrew

 On Jan 20, 2015 12:22 PM, Patrick Matthäi pmatth...@debian.org wrote:

 tag #775638 + confirmed
 clone #775638 -1
 reassign -1 geoip-bin
 retitle -1 geoip-generator produces faulty v6/city database
 severity -1 grave
 found -1 1.6.2-3
 thanks

 Hi

 On 18.01.2015 at 05:21, Debian Bug Tracking System wrote:
  Processing commands for cont...@bugs.debian.org:
 
  reassign 775638 geoip-database 20141027-1
  Bug #775638 [src:gdnsd] gdnsd: FTBFS in jessie: dh_auto_test: make -j1 
  test returned exit code 2
  Bug reassigned from package 'src:gdnsd' to 'geoip-database'.
  No longer marked as found in versions gdnsd/2.1.0-1.
  Ignoring request to alter fixed versions of bug #775638 to the same 
  values previously set
  Bug #775638 [geoip-database] gdnsd: FTBFS in jessie: dh_auto_test: make 
  -j1 test returned exit code 2
  Marked as found in versions geoip-database/20141027-1.
  retitle 775638 IPv6 database is corrupt
  Bug #775638 [geoip-database] gdnsd: FTBFS in jessie: dh_auto_test: make 
  -j1 test returned exit code 2
  Changed Bug title to 'IPv6 database is corrupt' from 'gdnsd: FTBFS in 
  jessie: dh_auto_test: make -j1 test returned exit code 2'
  severity 775638 grave
  Bug #775638 [geoip-database] IPv6 database is corrupt
  Severity set to 'grave' from 'serious'
  thanks

 thanks for spotting it. Curious that no one (also myself!) spotted it.
 The patch for the v6 database is just:

 --- geoip/branches/jessie/debian/src/geoip-csv-to-dat.cpp   2015-01-19
 18:50:04 UTC (rev 5693)
 +++ geoip/branches/jessie/debian/src/geoip-csv-to-dat.cpp   2015-01-20
 08:31:03 UTC (rev 5694)
 @@ -959,6 +959,7 @@
 address_family = AF_INET;
 break;
 case '6':
 +   database_type = GEOIP_COUNTRY_EDITION_V6;
 address_family = AF_INET6;
 break;
 case 'i':
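Review bot: in case '6' database_type is now set next to address_family, but the preceding case, of which only 'address_family = AF_INET; break;' is visible, shows no matching database_type assignment; if it has none, passing the IPv6 option followed by the IPv4 one would leave database_type at GEOIP_COUNTRY_EDITION_V6 together with AF_INET. Setting database_type explicitly in both branches, or deriving it from address_family once option parsing is finished, removes the order dependence.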

 But Andrew found out that there is also an issue with the city database,
 which is working in general, but the gdnsd tests also fail.

 --
 /*
 Mit 
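The offset overflow Andrew Moise describes for Bug#775638 above, and the two fixes he lists (an overflow check and pruning unreferenced locations), shown as an added Python example that is not the geoip-csv-to-dat.cpp code and not from the thread. It assumes a simplified model in which records are laid out back to back and an offset is a byte position; the function names, record sizes and ranges are constructed.

```python
OFFSET_BYTES = 3                              # offset width stated in the message
MAX_OFFSET = (1 << (8 * OFFSET_BYTES)) - 1    # largest value three bytes can hold


def prune_unreferenced(locations, ranges):
    """Drop location records that no IP range points at, keeping original order."""
    used = {loc_id for _start, _end, loc_id in ranges}
    return [(loc_id, size) for loc_id, size in locations if loc_id in used]


def layout(locations):
    """Assign each (loc_id, size) record the byte offset at which it starts."""
    offsets, position = {}, 0
    for loc_id, size in locations:
        offsets[loc_id] = position
        position += size
    return offsets


def store_unchecked(offset):
    """What a writer without a range check effectively does: keep the low 3 bytes."""
    return offset & MAX_OFFSET


def store_checked(offset):
    """Refuse an offset that does not fit instead of writing a wrapped value."""
    if not 0 <= offset <= MAX_OFFSET:
        raise OverflowError(f"offset {offset:#x} does not fit in {OFFSET_BYTES} bytes")
    return offset


def build_index(locations, ranges, store=store_checked):
    """Return {range_start: stored_offset} for every IP range."""
    offsets = layout(locations)
    return {start: store(offsets[loc_id]) for start, _end, loc_id in ranges}


def record_at(locations, offset):
    """Return the id of the record whose bytes contain `offset`, or None."""
    position = 0
    for loc_id, size in locations:
        if position <= offset < position + size:
            return loc_id
        position += size
    return None


# Constructed sample: 20 records of 1,000,000 bytes each (20 MB in total, more
# than three bytes can address); only the even-numbered records are referenced.
SAMPLE_LOCATIONS = [(loc_id, 1_000_000) for loc_id in range(20)]
SAMPLE_RANGES = [(1000 + loc_id, 1000 + loc_id, loc_id) for loc_id in range(0, 20, 2)]


if __name__ == "__main__":
    wrapped = build_index(SAMPLE_LOCATIONS, SAMPLE_RANGES, store=store_unchecked)
    print("range 1018 stored offset:", wrapped[1018],
          "-> lands in record", record_at(SAMPLE_LOCATIONS, wrapped[1018]))
    try:
        build_index(SAMPLE_LOCATIONS, SAMPLE_RANGES)
    except OverflowError as exc:
        print("checked writer:", exc)
    pruned = prune_unreferenced(SAMPLE_LOCATIONS, SAMPLE_RANGES)
    print("after pruning:", build_index(pruned, SAMPLE_RANGES)[1018])
```

Without the check only the last referenced record is affected, and its lookup silently reads from the middle of an unrelated record, which matches the handful of corrupted entries seen in the geoiplookup output.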

Bug#776185: tiff: CVE-2014-8127 CVE-2014-8128 CVE-2014-8129 CVE-2014-8130

2015-01-24 Thread Salvatore Bonaccorso
Source: tiff
Version: 4.0.3-12
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerabilities were published for tiff.

CVE-2014-8127[0]:
various out-of-bound reads

CVE-2014-8128[1]:
various out-of-bounds write

CVE-2014-8129[2]:
various out-of-bound read and write

CVE-2014-8130[3]:
divide by zero

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Note that at the time of the advisory, for three of the reported
issues, there was no fix in CVS HEAD yet. The individual bugs are
also linked from the security-tracker.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8127
    http://www.conostix.com/pub/adv/CVE-2014-8127-LibTIFF-Out-of-bounds_Reads.txt
[1] https://security-tracker.debian.org/tracker/CVE-2014-8128
    http://www.conostix.com/pub/adv/CVE-2014-8128-LibTIFF-Out-of-bounds_Writes.txt
[2] https://security-tracker.debian.org/tracker/CVE-2014-8129
    http://www.conostix.com/pub/adv/CVE-2014-8129-LibTIFF-Out-of-bounds_Reads_and_Writes.txt
[3] https://security-tracker.debian.org/tracker/CVE-2014-8130
    http://www.conostix.com/pub/adv/CVE-2014-8130-LibTIFF-Division_By_Zero.txt
[4] http://www.openwall.com/lists/oss-security/2015/01/24/15

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore





Bug#776063: dbus fails to upgrade rendering entire apt unusable

2015-01-24 Thread Simon McVittie
Control: reassign 776063 apt
Control: severity 771428 critical
Control: forcemerge 771428 776063
Control: affects 771428 dbus

On Fri, 23 Jan 2015 at 19:04:33 +0100, Guillem Jover wrote:
> I think this one should be merged with the other dbus+triggers+apt
> bugs.

Merging it, using the higher of the two severity values. apt
maintainers and/or the release team are of course welcome to downgrade
it as desired, I'm not trying to play severity inflation games here;
but it seems to be coming up somewhat frequently and it isn't obvious
how to recover, so RC severity does not seem disproportionate.

I notice that before the failing upgrade, Yaroslav had dpkg 1.17.21 and
apt 1.0.9.4 (if I'm reading the right status-file backup), which means
he did not have the fix for https://bugs.debian.org/769609 in apt.
dpkg and apt were upgraded to 1.17.23 and 1.0.9.6 earlier in the same
batch that failed with this dbus trigger thing, which I assume means
dbus was upgraded with the old apt (although maybe the new dpkg).

Is the fix for https://bugs.debian.org/769609 expected to fix this
particular issue, or am I misreading it?

> I don't think this can be worked around in dbus, barring the removal
> of its triggers.

If it's absolutely necessary, I might be able to back out the trigger
for jessie, because it is *meant* to be non-essential: dbus-daemon is meant
to use inotify to monitor the system services directory, and that feature
works fine for me. However, I've had reports that it doesn't work for
everyone, hence the trigger (and in any case it seems more
predictable/deterministic to use a trigger to kick off the reload
when all new packages are known to be fully in place).

Or if dropping it down to interest-noawait would help, that isn't
really semantically correct, but it's probably acceptable in practice?

https://bugs.debian.org/740139 is the bug report that prompted me to
add the trigger, FWIW.

S





Processed: Re: Bug#776063: dbus fails to upgrade rendering entire apt unusable

2015-01-24 Thread Debian Bug Tracking System
Processing control commands:

 reassign 776063 apt
Bug #776063 [dbus] dbus fails to upgrade rendering entire apt unusable
Bug reassigned from package 'dbus' to 'apt'.
No longer marked as found in versions dbus/1.8.12-1.
Ignoring request to alter fixed versions of bug #776063 to the same values 
previously set
 severity 771428 critical
Bug #771428 [apt] apt tries to configure dbus before libdbus-1-3, fails to 
upgrade
Bug #774124 [apt] apt tries to configure dbus before libdbus, fails to upgrade
Severity set to 'critical' from 'normal'
Severity set to 'critical' from 'normal'
 forcemerge 771428 776063
Bug #771428 [apt] apt tries to configure dbus before libdbus-1-3, fails to 
upgrade
Bug #774124 [apt] apt tries to configure dbus before libdbus, fails to upgrade
Bug #774124 [apt] apt tries to configure dbus before libdbus, fails to upgrade
Added tag(s) moreinfo.
Added tag(s) moreinfo.
Bug #776063 [apt] dbus fails to upgrade rendering entire apt unusable
Added indication that 776063 affects src:dbus,dbus
Marked as found in versions apt/1.0.9.3.
Merged 771428 774124 776063
 affects 771428 dbus
Bug #771428 [apt] apt tries to configure dbus before libdbus-1-3, fails to 
upgrade
Bug #774124 [apt] apt tries to configure dbus before libdbus, fails to upgrade
Bug #776063 [apt] dbus fails to upgrade rendering entire apt unusable
Ignoring request to set affects of bug 771428 to the same value previously set
Ignoring request to set affects of bug 774124 to the same value previously set
Ignoring request to set affects of bug 776063 to the same value previously set

-- 
771428: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771428
774124: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774124
776063: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776063
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#770008: marked as done (calendar-google-provider: Can no longer connect to Google calendars)

2015-01-24 Thread Debian Bug Tracking System
Your message dated Sun, 25 Jan 2015 01:35:50 +
with message-id e1yfc7c-0003oo...@franck.debian.org
and subject line Bug#770008: fixed in icedove 31.4.0-2
has caused the Debian Bug report #770008,
regarding calendar-google-provider: Can no longer connect to Google calendars
to be marked as done.



-- 
770008: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770008
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: calendar-google-provider
Version: 33.0~b1-1
Severity: grave
Justification: renders package unusable

Dear Maintainer,

calendar-google-provider was working fine for me until yesterday.
Now I can't even authenticate to any Google calendars, though
Exchange ones still work fine via a different add-on. I assume
that the problem is
https://developers.google.com/google-apps/calendar/v2/developers_guide_protocol

> This API is a subject to the Deprecation Policy and will be shutdown on
> November 17, 2014. Please use APIv3 instead.

If it's relevant, upstream Philipp Kewisch mentions that he hopes to release a
1.0.3 soon but I don't know how those version numbers relate to the Debian
package ones.

Cheers,

Mark


-- System Information:
Debian Release: 7.7
  APT prefers stable
  APT policy: (600, 'stable'), (500, 'stable-updates'), (50, 'testing'), (40, 
'unstable'), (30, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- no debconf information
---End Message---
---BeginMessage---
Source: icedove
Source-Version: 31.4.0-2

We believe that the bug you reported is fixed in the latest version of
icedove, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Goehre ch...@sigxcpu.org (supplier of updated icedove package)



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sat, 24 Jan 2015 19:03:28 -0500
Source: icedove
Binary: icedove icedove-dev icedove-dbg iceowl-extension 
calendar-google-provider
Architecture: source amd64 all
Version: 31.4.0-2
Distribution: unstable
Urgency: low
Maintainer: Christoph Goehre ch...@sigxcpu.org
Changed-By: Christoph Goehre ch...@sigxcpu.org
Description:
 calendar-google-provider - Google Calendar support for lightning- and 
iceowl-extension
 icedove- mail/news client with RSS and integrated spam filter support
 icedove-dbg - Debug Symbols for Icedove
 icedove-dev - Development files for Icedove
 iceowl-extension - Calendar Extension for Thunderbird/Icedove
Closes: 762190 770008 773876 774790
Changes:
 icedove (31.4.0-2) unstable; urgency=low
 .
   [ Christoph Goehre ]
   * [305b0fb] debian/icedove.desktop: correct StartupWMClass to 'Icedove'
 (Closes: #773876)
   * [8b4871a] rebuild patch queue from patch-queue branch
 added patches:
 - iceowl/adjust-calendar-google-provider-to-Google-Calendar-A.patch
   (Closes: #770008)
 - iceowl/get-rid-of-subdir-shim-in-gdata-provider.patch
 modified patches:
 - p-kfree-hurd/FTBFS-hurd-adding-GNU-Hurd-to-the-list-of-OS-systems.patch
 - p-kfree-hurd/FTBFS-hurd-adding-the-HURD-platform-to-the-configure.patch
 - p-kfree-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
 - p-kfree-hurd/LDAP-support-building-on-GNU-kFreeBSD-and-GNU-Hurd.patch
 - p-kfree-hurd/correcting-file-inclusion-for-kfreebsd-and-hurd.patch
   * [573c8bb] debian/rules: move some gdata modules into 'shim' subdir
   * [acf83d3] debian/icedove.desktop: add MimeType text/calendar
 (Closes: #762190)
 .
   [ Carsten Schoenert ]
   * [cf73d7e] debian/README.Debian: adding note around HTTPS Everythere
 (Closes: #774790)

Processed: Re: libqt4-ruby1.8: leaves diversion after upgrade from from lenny - squeeze - wheezy - jessie

2015-01-24 Thread Debian Bug Tracking System
Processing control commands:

 severity -1 serious
Bug #775894 [libqt4-ruby1.8] libqt4-ruby1.8: leaves diversion after upgrade 
from from lenny - squeeze - wheezy - jessie
Bug #692956 [libqt4-ruby1.8] libqt4-ruby1.8: leaves diversion after upgrade 
from squeeze
Severity set to 'serious' from 'important'
Severity set to 'serious' from 'important'

-- 
692956: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692956
775894: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775894
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: user debian...@lists.debian.org, usertagging 755876, tagging 719104, unarchiving 660594 ...

2015-01-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 user debian...@lists.debian.org
Setting user to debian...@lists.debian.org (was a...@debian.org).
 usertags 755876 piuparts
There were no usertags set.
Usertags are now: piuparts.
 tags 719104 + pending
Bug #719104 [topgit] Please remove me from Uploaders
Added tag(s) pending.
 unarchive 660594
Bug #660594 {Done: Bdale Garbee bd...@gag.com} [sudo,sudo-ldap] sudo: 
prompting due to modified conffiles which where not modified by the user
Unarchived Bug 660594
 tags 769798 - jessie sid
Bug #769798 [openswan-modules-dkms] openswan-modules-dkms: module FTBFS with 
linux-headers-3.2.0-4-amd64 3.2.63-2+deb7u1
Removed tag(s) sid and jessie.
 found 769798 1:2.6.37-3+deb7u1
Bug #769798 [openswan-modules-dkms] openswan-modules-dkms: module FTBFS with 
linux-headers-3.2.0-4-amd64 3.2.63-2+deb7u1
Marked as found in versions openswan/1:2.6.37-3+deb7u1.
 tags 692954 + patch pending
Bug #692954 [courier-mta] courier-mta: leaves diversion after upgrade from lenny
Added tag(s) pending and patch.
 notfixed 768397 1:14.12-1
Bug #768397 {Done: Patrick Matthäi pmatth...@debian.org} [fglrx-modules-dkms] 
fglrx-modules-dkms 1:14.9+ga14.201-2 don't build against kernel 3.17.0
No longer marked as fixed in versions fglrx-driver/1:14.12-1.
 tags 768397 + pending
Bug #768397 {Done: Patrick Matthäi pmatth...@debian.org} [fglrx-modules-dkms] 
fglrx-modules-dkms 1:14.9+ga14.201-2 don't build against kernel 3.17.0
Added tag(s) pending.
 tags 737401 - moreinfo
Bug #737401 {Done: Andreas Beckmann a...@debian.org} [fglrx-driver] 
fglrx-driver: AIGLX error causes X server to crash
Removed tag(s) moreinfo.
 notfixed 753887 2.2+dfsg-exp1
Bug #753887 {Done: Michael Tokarev m...@tls.msk.ru} [qemu-system-x86] 
qemu-system-x86 - Two ide-hd/-cd devices are assigned to the same bus
There is no source info for the package 'qemu-system-x86' at version 
'2.2+dfsg-exp1' with architecture ''
Unable to make a source version for version '2.2+dfsg-exp1'
No longer marked as fixed in versions 2.2+dfsg-exp1.
 fixed 753887 2.2+dfsg-1exp
Bug #753887 {Done: Michael Tokarev m...@tls.msk.ru} [qemu-system-x86] 
qemu-system-x86 - Two ide-hd/-cd devices are assigned to the same bus
Marked as fixed in versions qemu/2.2+dfsg-1exp.
 fixed 753887 1:2.2+dfsg-2exp
Bug #753887 {Done: Michael Tokarev m...@tls.msk.ru} [qemu-system-x86] 
qemu-system-x86 - Two ide-hd/-cd devices are assigned to the same bus
Marked as fixed in versions qemu/1:2.2+dfsg-2exp.
 found 753887 1:2.1+dfsg-11
Bug #753887 {Done: Michael Tokarev m...@tls.msk.ru} [qemu-system-x86] 
qemu-system-x86 - Two ide-hd/-cd devices are assigned to the same bus
Marked as found in versions qemu/1:2.1+dfsg-11.
 affects 774844 + xfonts-traditional
Bug #774844 [perl] xfonts-traditional: fails to upgrade from 'wheezy': Can't 
locate File/Find.pm in @INC
Added indication that 774844 affects xfonts-traditional
 tags 775894 + patch
Bug #775894 [libqt4-ruby1.8] libqt4-ruby1.8: leaves diversion after upgrade 
from from lenny - squeeze - wheezy - jessie
Bug #692956 [libqt4-ruby1.8] libqt4-ruby1.8: leaves diversion after upgrade 
from squeeze
Added tag(s) patch.
Added tag(s) patch.
 fixed 775044 7u75-2.5.4-1
Bug #775044 {Done: Matthias Klose d...@debian.org} [src:openjdk-7] openjdk-7: 
FTBFS: java.lang.RuntimeException: time is more than 10 years from present: 
110453040
Marked as fixed in versions openjdk-7/7u75-2.5.4-1.
 found 768561 2014.1-10
Bug #768561 {Done: Thomas Goirand z...@debian.org} [ironic-common] 
ironic-common: unowned files after purge (policy 6.8, 10.8): 
/var/lib/ironic/{cache, ironicdb}
Marked as found in versions ironic/2014.1-10.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
660594: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660594
692954: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692954
692956: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692956
719104: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719104
737401: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737401
753887: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=753887
755876: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755876
768397: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768397
768561: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768561
769798: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769798
774844: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774844
775044: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775044
775894: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775894
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#775894: libqt4-ruby1.8: leaves diversion after upgrade from from lenny - squeeze - wheezy - jessie

2015-01-24 Thread Scott Kitterman
On Sunday, January 25, 2015 01:20:01 Andreas Beckmann wrote:
> Followup-For: Bug #775894
> Control: severity -1 serious
>
> Hi,
>
> after the upgrade sequence lenny -> squeeze -> wheezy -> jessie the
> situation of rbqtapi is as follows:
>
> # l /usr/bin/rbqt*
> lrwxrwxrwx 1 root root    7 May 18  2014 /usr/bin/rbqt4api -> rbqtapi
> -rwxr-xr-x 1 root root 4570 Jun 28  2013 /usr/bin/rbqtapi.qt3
>
> # dpkg -S /usr/bin/rbqt*
> ruby-qt4: /usr/bin/rbqt4api
> diversion by libqt4-ruby1.8 from: /usr/bin/rbqtapi
> diversion by libqt4-ruby1.8 to: /usr/bin/rbqtapi.qt3
>
> Since there is no /usr/bin/rbqtapi, I'm raising the severity to serious.
>
> The attached patch fixes the situation by cleaning up the obsolete
> diversion in ruby-qt4.postinst. I'm doing this in ruby-qt4 instead of
> the transitional libqt4-ruby1.8 package since the transitional one may
> already have been removed.
> I verified in piuparts and manually that this patch actually cleans up
> the situation.

I would suggest you go ahead an NMU (no delay).  I'm travelling for work, so 
unlikely to be able to at this for at least a week.

Scott K



Bug#775044: marked as done (openjdk-7: FTBFS: java.lang.RuntimeException: time is more than 10 years from present: 1104530400000)

2015-01-24 Thread Debian Bug Tracking System
Your message dated Sun, 25 Jan 2015 00:18:36 +0100
with message-id 54c4284c.5060...@debian.org
and subject line Re: openjdk-7: FTBFS: java.lang.RuntimeException: time is more 
than 10 years from present: 110453040
has caused the Debian Bug report #775044,
regarding openjdk-7: FTBFS: java.lang.RuntimeException: time is more than 10 
years from present: 110453040
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
775044: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775044
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Source: openjdk-7
Version: 7u71-2.5.3-2
Severity: serious

From my pbuilder build log (on amd64):

...
rm -f 
/tmp/buildd/openjdk-7-7u71-2.5.3/build/openjdk.build-boot/lib/currency.data
/tmp/buildd/openjdk-7-7u71-2.5.3/build/bootstrap/jdk1.6.0/bin/java 
-XX:-PrintVMOptions -XX:+UnlockDiagnosticVMOptions -XX:-LogVMOutput -Xmx512m 
-Xms512m -XX:PermSize=32m -XX:MaxPermSize=160m -jar 
/tmp/buildd/openjdk-7-7u71-2.5.3/build/openjdk.build-boot/btjars/generatecurrencydata.jar
 -o 
/tmp/buildd/openjdk-7-7u71-2.5.3/build/openjdk.build-boot/lib/currency.data.temp
 \
 ../../../src/share/classes/java/util/CurrencyData.properties
Error: time is more than 10 years from present: 110453040
java.lang.RuntimeException: time is more than 10 years from present: 
110453040
   at 
build.tools.generatecurrencydata.GenerateCurrencyData.makeSpecialCaseEntry(GenerateCurrencyData.java:285)
   at 
build.tools.generatecurrencydata.GenerateCurrencyData.buildMainAndSpecialCaseTables(GenerateCurrencyData.java:225)
   at 
build.tools.generatecurrencydata.GenerateCurrencyData.main(GenerateCurrencyData.java:154)
Makefile:345: recipe for target 
'/tmp/buildd/openjdk-7-7u71-2.5.3/build/openjdk.build-boot/lib/currency.data' 
failed
make[6]: *** 
[/tmp/buildd/openjdk-7-7u71-2.5.3/build/openjdk.build-boot/lib/currency.data] 
Error 1
make[6]: Leaving directory 
'/tmp/buildd/openjdk-7-7u71-2.5.3/build/openjdk-boot/jdk/make/java/java'
Makefile:63: recipe for target 'all' failed
make[5]: *** [all] Error 1
make[5]: Leaving directory 
'/tmp/buildd/openjdk-7-7u71-2.5.3/build/openjdk-boot/jdk/make/java'
Makefile:253: recipe for target 'all' failed
make[4]: *** [all] Error 1
make[4]: Leaving directory 
'/tmp/buildd/openjdk-7-7u71-2.5.3/build/openjdk-boot/jdk/make'
make/jdk-rules.gmk:92: recipe for target 'jdk-build' failed
make[3]: *** [jdk-build] Error 2
make[3]: Leaving directory '/tmp/buildd/openjdk-7-7u71-2.5.3/build/openjdk-boot'
Makefile:251: recipe for target 'build_product_image' failed
make[2]: *** [build_product_image] Error 2
make[2]: Leaving directory '/tmp/buildd/openjdk-7-7u71-2.5.3/build/openjdk-boot'
Makefile:2301: recipe for target 'stamps/icedtea-boot.stamp' failed
make[1]: *** [stamps/icedtea-boot.stamp] Error 2
make[1]: Leaving directory '/tmp/buildd/openjdk-7-7u71-2.5.3/build'
debian/rules:1308: recipe for target 'stamps/build' failed
make: *** [stamps/build] Error 1
dpkg-buildpackage: error: debian/rules build gave error exit status 2

(If I divide that number by 1000, it becomes Fri Dec 31 22:00:00 UTC 2004.
So I'm not sure where the number comes from, but it appears to be off by a
factor of 1000.)
-- 
Daniel Schepler
---End Message---
---BeginMessage---
fixed in 7u75-2.5.4-1
---End Message---


Bug#774844: xfonts-traditional: fails to upgrade from 'wheezy': Can't locate File/Find.pm in @INC

2015-01-24 Thread Ian Jackson
Niko Tyni writes (Re: Bug#774844: xfonts-traditional: fails to upgrade from 
'wheezy': Can't locate File/Find.pm in @INC):
> reassign 774844 perl 5.20.1-4
> thanks
...
> Fine by me, I'm not arguing against that. Clearly it's time to
> stop/postpone the discussion about theoretical wider effects and do
> what's necessary for jessie.

I think so, yes.

> So reassigning the bug. I'll be uploading the Breaks+Pre-Depends
> change hopefully tomorrow.

Thank you, and thanks for your careful attention and searching
questions.

Regards,
Ian.





Processed: tagging 776063

2015-01-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tags 776063 - moreinfo
Bug #776063 [apt] dbus fails to upgrade rendering entire apt unusable
Bug #771428 [apt] apt tries to configure dbus before libdbus-1-3, fails to 
upgrade
Bug #774124 [apt] apt tries to configure dbus before libdbus, fails to upgrade
Removed tag(s) moreinfo.
Removed tag(s) moreinfo.
Removed tag(s) moreinfo.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
771428: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771428
774124: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774124
776063: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776063
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#775418: pcmanfm: diff for NMU version 1.2.3-1.1

2015-01-24 Thread Andriy Grytsenko
Thank you for the patch, I hope it works and fixes the problem.





Bug#776159: freeorion: Keyboard seems to be undetected, not responding to key entered.

2015-01-24 Thread Eric Boucher
Package: freeorion
Version: 0.4.4-2+b1
Severity: grave
Justification: renders package unusable

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
Simply start the game.
   * What exactly did you do (or not do) that was effective (or
 ineffective)?
Did try a second keyboard, same, no special driver installed.
   * What was the outcome of this action?
Same, key doesn't seem to be received by the game but is by the OS (Alt+Tab 
allows me to switch to another software without issue).
   * What outcome did you expect instead?
As everyones, pressed keys being entered to the game.

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.18.0-3-exton (SMP w/8 CPU cores)
Locale: LANG=fr_CA.utf8, LC_CTYPE=fr_CA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freeorion depends on:
ii  freeorion-data0.4.4-2
ii  libboost-date-time1.55.0  1.55.0+dfsg-3
ii  libboost-filesystem1.55.0 1.55.0+dfsg-3
ii  libboost-python1.55.0 1.55.0+dfsg-3
ii  libboost-regex1.55.0  1.55.0+dfsg-3
ii  libboost-serialization1.55.0  1.55.0+dfsg-3
ii  libboost-system1.55.0 1.55.0+dfsg-3
ii  libboost-thread1.55.0 1.55.0+dfsg-3
ii  libbulletcollision2.822.82-r2704+dfsg-2
ii  libc6 2.19-13
ii  libfreetype6  2.5.2-2
ii  libgcc1   1:4.9.1-19
ii  libgl1-mesa-glx [libgl1]  10.3.2-1
ii  libglu1-mesa [libglu1]9.0.0-2
ii  libjpeg62-turbo   1:1.3.1-11
ii  liblinearmath2.82 2.82-r2704+dfsg-2
ii  libogre-1.9.0 1.9.0+dfsg1-4
ii  libois-1.3.0  1.3.0+dfsg0-5
ii  libopenal11:1.15.1-5
ii  libpng12-01.2.50-2+b2
ii  libpython2.7  2.7.8-11
ii  libstdc++64.9.1-19
ii  libtiff5  4.0.3-12
ii  libvorbisfile31.3.4-2

freeorion recommends no packages.

freeorion suggests no packages.

-- no debconf information





Bug#774844: new pre-dependency: perl{,-base,-modules} - dpkg (= 1.17.17)

2015-01-24 Thread Ian Jackson
Niko Tyni writes (Re: new pre-dependency: perl{,-base,-modules} - dpkg (= 
1.17.17)):
> On Mon, Jan 19, 2015 at 11:15:04AM +0100, Guillem Jover wrote:
> > I've not looked into the details yet, but just to comment that there's
> > been talk about possibly reverting that fix, because in some error
> > situations it can get apt into an unrecoverable state (#774124). :(
...
> > (I guess this just calls for both a fixed apt, and a dpkg that
> > workarounds any such situation.)
>
> Thanks. So do you think I should wait for that to be resolved first?

I don't think so, no.

> AFAICS the worst that could happen with such a revert is that the perl
> Pre-Depends+Breaks fix stops working and xfonts-traditional 'postinst
> triggered' functionality needs to be changed to survive missing
> dependencies.

As Guillem said:

  Of course reverting that fix brings back all upgrade issues related
  to trigger processing w/o the required dependencies. Which are
  probably more, and easier to get into.

I agree with Guillem that reverting the triggers dependency fix would
be a worse idea.

Ian.





Bug#774844: xfonts-traditional: fails to upgrade from 'wheezy': Can't locate File/Find.pm in @INC

2015-01-24 Thread Niko Tyni
reassign 774844 perl 5.20.1-4
thanks

On Sat, Jan 24, 2015 at 06:39:02PM +, Ian Jackson wrote:

> It would be better if dpkg would avoid configuring (or invoking
> trigger processing for) A when A->B->C and C is not configured, but B
> is.  That's not a practical solution for jessie.
>
> I still think the Breaks as suggested earlier is the correct solution.

Fine by me, I'm not arguing against that. Clearly it's time to
stop/postpone the discussion about theoretical wider effects and do
what's necessary for jessie.

So reassigning the bug. I'll be uploading the Breaks+Pre-Depends
change hopefully tomorrow.

Thanks,
-- 
Niko Tyni   nt...@debian.org





Processed: Re: Bug#774844: xfonts-traditional: fails to upgrade from 'wheezy': Can't locate File/Find.pm in @INC

2015-01-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 reassign 774844 perl 5.20.1-4
Bug #774844 [xfonts-traditional] xfonts-traditional: fails to upgrade from 
'wheezy': Can't locate File/Find.pm in @INC
Bug reassigned from package 'xfonts-traditional' to 'perl'.
No longer marked as found in versions xfonts-traditional/1.6.
Ignoring request to alter fixed versions of bug #774844 to the same values 
previously set
Bug #774844 [perl] xfonts-traditional: fails to upgrade from 'wheezy': Can't 
locate File/Find.pm in @INC
Marked as found in versions perl/5.20.1-4.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
774844: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774844
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#774872: gpsd: prompting due to modified conffiles which were not modified by the user: /etc/default/gpsd

2015-01-24 Thread Andreas Beckmann
Followup-For: Bug #774872

Hi Bernd,

can we get this fixed for /etc/default/gpsd from lenny, too?
Tested patch attached. Somewhere on the upgrade patch
jessie-squeeze-wheezy the config file gets modified, so I added both
md5sums.


Andreas
From a5b4b78059cff72a63a3ed21aa662c89bbae8801 Mon Sep 17 00:00:00 2001
From: Andreas Beckmann a...@debian.org
Date: Sat, 24 Jan 2015 04:42:49 +0100
Subject: [PATCH] avoid prompting due to modified lenny conffiles

---
 debian/gpsd.preinst | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/debian/gpsd.preinst b/debian/gpsd.preinst
index aba1c8d..463f57d 100644
--- a/debian/gpsd.preinst
+++ b/debian/gpsd.preinst
@@ -13,9 +13,10 @@ case $1 in
 if [ -f /etc/default/gpsd ]; then
 cp /etc/default/gpsd /etc/default/gpsd.dpkg-pre_3.10
 gpsd_hashsum=$(md5sum /etc/default/gpsd | awk '{print $1}')
-# handle upgrades from squeeze - wheeze - jessie
+# handle upgrades from lenny - squeeze - wheeze - jessie
 case ${gpsd_hashsum} in
-5944bab322c2a6df28cf0e64f7f7ec86|4d3f8665963201dc74721ef06bf27989)
+# wheezy # squeeze# lenny  # lenny - squeeze - wheezy
+5944bab322c2a6df28cf0e64f7f7ec86|4d3f8665963201dc74721ef06bf27989|d19811464c448c0852ad541be3f7fdc3|370942c4da267af152f6c3178137e60f)
 rm -f /etc/default/gpsd
 ;;
 esac
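
Review bot: the new comment above the md5sum pattern ties the four hashes to releases only by column position, and the updated "handle upgrades" comment still spells the release "wheeze". With four alternatives on one pattern line it is hard to tell which sum belongs to lenny and which to the lenny - squeeze - wheezy path, and the next person adding a hash has to realign the whole comment. Suggest one comment line per hash that names the release it was taken from, and correcting the typo to "wheezy" while the line is being touched. The copy to /etc/default/gpsd.dpkg-pre_3.10 before the rm -f means a wrongly listed sum does not lose the admin's file, which is worth keeping.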
-- 
2.1.4



Bug#770492: linux-image-3.16.0-4-686-pae: chown removes security.capability xattr on other users' files

2015-01-24 Thread Salvatore Bonaccorso
Control: retitle -1 linux-image-3.16.0-4-686-pae: chown removes 
security.capability xattr on other users' files (CVE-2015-1350)
Hi,

In http://www.openwall.com/lists/oss-security/2015/01/24/5 there was
a CVE assignment for this issue, CVE-2015-1350.

Regards,
Salvatore





Processed: Re: Bug#770492: linux-image-3.16.0-4-686-pae: chown removes security.capability xattr on other users' files

2015-01-24 Thread Debian Bug Tracking System
Processing control commands:

 retitle -1 linux-image-3.16.0-4-686-pae: chown removes security.capability 
 xattr on other users' files (CVE-2015-1350)
Bug #770492 [src:linux] linux-image-3.16.0-4-686-pae: chown removes 
security.capability xattr on other users' files
Changed Bug title to 'linux-image-3.16.0-4-686-pae: chown removes 
security.capability xattr on other users' files (CVE-2015-1350)' from 
'linux-image-3.16.0-4-686-pae: chown removes security.capability xattr on other 
users' files'

-- 
770492: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770492
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#744753: Fix for anacron (running on resume under systemd)

2015-01-24 Thread Patrick Häcker
Hi Michael,

> That means, depending on the timing, anacron-resume.service might be
> triggered just before suspend not on resume, and it's not guaranteed
> that anacron has finished before systemd-sleep is called.
>
> I don't think the patch was intended this way?
thanks for the analysis. Is there a reason for not reopening the bug?

Patrick



Processed: your mail

2015-01-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 severity 775175 normal
Bug #775175 [congruity] congruity: Unable to login with mhgui or executing 
EZHex Files because of changes in the MyHarmony website.
Severity set to 'normal' from 'grave'
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
775175: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775175
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#775873: patch: directory traversal via file rename

2015-01-24 Thread Salvatore Bonaccorso
Control: retitle -1 patch: directory traversal via file rename

Hi Jonathan,

On Thu, Jan 22, 2015 at 09:56:20PM +, Jonathan Wiltshire wrote:
> On Thu, Jan 22, 2015 at 09:49:39PM +, Jonathan Wiltshire wrote:
> > This issue was assigned CVE-2015-1196. If you upload fixed packages, please
> > include the CVE identifier in the changelog.
>
> Seems the previous fix was incomplete, if I understand the traffic
> correctly.

I think this needs a new CVE. CVE-2015-1196 was assigned for the
following:

 [1] https://bugs.debian.org/775227
 [2] https://security-tracker.debian.org/tracker/CVE-2015-1196

and the directory traversal via file rename does not seem to have a
CVE yet? (retitling back this subject just to avoid confusion).

Regards,
Salvatore





Processed: Re: Bug#775873: patch: directory traversal via file rename

2015-01-24 Thread Debian Bug Tracking System
Processing control commands:

 retitle -1 patch: directory traversal via file rename
Bug #775873 [patch] patch: CVE-2015-1196 directory traversal via file rename
Changed Bug title to 'patch: directory traversal via file rename' from 'patch: 
CVE-2015-1196 directory traversal via file rename'

-- 
775873: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775873
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: found 775873 in 2.7.1-1

2015-01-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 # support for git-style patches introduced in 2.7.
 found 775873 2.7.1-1
Bug #775873 [patch] patch: directory traversal via file rename
Marked as found in versions patch/2.7.1-1.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
775873: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775873
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#775873: patch: directory traversal via file rename

2015-01-24 Thread GCS
On Sat, Jan 24, 2015 at 11:04 AM, Salvatore Bonaccorso
car...@debian.org wrote:
> On Sat, Jan 24, 2015 at 10:50:11AM +0100, Salvatore Bonaccorso wrote:
>> and the directory traversal via file rename does not seem to have a
>> CVE yet? (retitling back this subject just to avoid confusion).
>
> I have requested a CVE for this one at
> http://www.openwall.com/lists/oss-security/2015/01/24/2
 OK, but please note that there are three CVE number requests
now[1][2][3]. Fixes are released and the packaging is ready. Should I
wait for the CVE number assignment to note those in changelog or
better if I upload the new version?

Regards,
Laszlo/GCS
[1] https://security-tracker.debian.org/tracker/TEMP-000-064450
[2] https://security-tracker.debian.org/tracker/TEMP-0775873-B5D91A
[3] https://security-tracker.debian.org/tracker/TEMP-0775901-CA9436





Processed: severity of 728365 is serious

2015-01-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 severity 728365 serious
Bug #728365 [rhn-client-tools] python-rhn: Running rhn_reg fails with a 
TypeError exception.
Severity set to 'serious' from 'normal'
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
728365: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728365
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#728365: marked as done (python-rhn: Running rhn_reg fails with a TypeError exception.)

2015-01-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Jan 2015 09:20:23 +
with message-id e1yewtd-0004pb...@franck.debian.org
and subject line Bug#728365: fixed in rhn-client-tools 1.8.26-4
has caused the Debian Bug report #728365,
regarding python-rhn: Running rhn_reg fails with a TypeError exception.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
728365: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728365
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: python-rhn
Version: 2.5.52-1
Severity: normal

Title says all. Patch attached.

root@:~# rhnreg_ks --serverUrl=https://spacewalk.xx.org/XMLRPC 
--activationkey=1-6eeaef0e9e7b42e048d09fbdce7add50
An error has occurred:
type 'exceptions.TypeError'
See /var/log/up2date for more information


root@:~# cat /var/log/up2date
[...]
type 'exceptions.TypeError': cannot marshal None unless allow_none is enabled


-- System Information:
Debian Release: 7.2
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-042stab061.2 (SMP w/16 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-rhn depends on:
ii  python  2.7.3-4+deb7u1
ii  python-openssl  0.13-2+deb7u1
ii  python2.6   2.6.8-1.1
ii  python2.7   2.7.3-6

python-rhn recommends no packages.

python-rhn suggests no packages.

-- no debconf information
--- /usr/lib/python2.7/dist-packages/rhn/rpclib.py	2013-10-31 09:31:16.317846287 +
+++ rpclib.py	2013-10-31 09:31:04.335978079 +
@@ -229,7 +229,7 @@
 self._transport.set_progress_callback(progressCallback, bufferSize)
 
 def _req_body(self, params, methodname):
-return xmlrpclib.dumps(params, methodname, encoding=self._encoding)
+return xmlrpclib.dumps(params, methodname, encoding=self._encoding, allow_none=True)
 
 def get_response_headers(self):
 if self._transport:
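
Review bot: allow_none=True in _req_body applies to every request this client serializes, so any None parameter from any caller is now sent as an XML-RPC nil value instead of raising. nil is an extension to XML-RPC that the receiving server has to accept, and the change hides which caller produced the None that /var/log/up2date reported. I would prefer to find and fix the parameter that is None at its source (the closing changelog entry for rhn-client-tools 1.8.26-4 does this in the installTime function), or at minimum add a comment here stating which field is expected to be empty and why.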
---End Message---
---BeginMessage---
Source: rhn-client-tools
Source-Version: 1.8.26-4

We believe that the bug you reported is fixed in the latest version of
rhn-client-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 728...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernd Zeimetz b...@debian.org (supplier of updated rhn-client-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sat, 24 Jan 2015 09:39:24 +0100
Source: rhn-client-tools
Binary: rhn-client-tools
Architecture: source amd64
Version: 1.8.26-4
Distribution: unstable
Urgency: medium
Maintainer: Bernd Zeimetz b...@debian.org
Changed-By: Bernd Zeimetz b...@debian.org
Description:
 rhn-client-tools - Red Hat Network Client Tools
Closes: 728365
Changes:
 rhn-client-tools (1.8.26-4) unstable; urgency=medium
 .
   * [e3525938] Fix installTime function for multiarch.
 This should avoid to send None as timestamp via
 xmlrpc, which resulted in a traceback due to changes in
 xmlrpc, breaking spacewalk support.
 Thanks to Klaas Demter and Philipp Born (Closes: #728365)

Bug#775873: patch: directory traversal via file rename

2015-01-24 Thread Salvatore Bonaccorso
Hi,

On Sat, Jan 24, 2015 at 10:50:11AM +0100, Salvatore Bonaccorso wrote:
 Control: retitle -1 patch: directory traversal via file rename
 
 Hi Jonathan,
 
 On Thu, Jan 22, 2015 at 09:56:20PM +, Jonathan Wiltshire wrote:
  On Thu, Jan 22, 2015 at 09:49:39PM +, Jonathan Wiltshire wrote:
   This issue was assigned CVE-2015-1196. If you upload fixed packages, 
   please
   include the CVE identifier in the changelog.
  
  Seems the previous fix was incomplete, if I understand the traffic
  correctly.
 
 I think this needs a new CVE. CVE-2015-1196 was assigned for the
 following:
 
  [1] https://bugs.debian.org/775227
  [2] https://security-tracker.debian.org/tracker/CVE-2015-1196
 
 and the directory traversal via file rename does not seem to have a
 CVE yet? (retitling back this subject just to avoid confusion).

I have requested a CVE for this one at
http://www.openwall.com/lists/oss-security/2015/01/24/2 

Regards,
Salvatore





Bug#775624: procps: FTBFS in jessie: dh_auto_test: make -j1 check returned exit code 2

2015-01-24 Thread Vincent Bernat
 ❦ 24 January 2015 18:50 +1100, Craig Small csm...@debian.org:

 I'm not sure if you are able to, but if you could apply the
 attached patch to see if the test works now that would be
 great.

 make
 make test (fails)
 apply patch
 make
 make test (works)

Yes, the patch makes the tests pass.
-- 
Write and test a big program in small pieces.
- The Elements of Programming Style (Kernighan & Plauger)




Bug#775873: patch: directory traversal via file rename

2015-01-24 Thread Salvatore Bonaccorso
Hi!

On Sat, Jan 24, 2015 at 11:17:03AM +0100, László Böszörményi (GCS) wrote:
 On Sat, Jan 24, 2015 at 11:04 AM, Salvatore Bonaccorso
 car...@debian.org wrote:
  On Sat, Jan 24, 2015 at 10:50:11AM +0100, Salvatore Bonaccorso wrote:
  and the directory traversal via file rename does not seem to have a
  CVE yet? (retitling back this subject just to avoid confusion).
 
  I have requested a CVE for this one at
  http://www.openwall.com/lists/oss-security/2015/01/24/2
  OK, but please note that there are three CVE number requests
 now[1][2][3]. Fixes are released and the packaging is ready. Should I
 wait for the CVE number assignment to note those in changelog or
 better if I upload the new version?

IMO, if you have patches ready to fix these issues, you can go ahead
with an upload if CVEs are not assigned by then, since for all but one
we have also a reference in the BTS identifying the issue.

Regards,
Salvatore

p.s.: don't use the TEMP names in the changelog, since they can change
  over time.





Bug#775564: wheezy-backports affected by emacs24 bug #775564 (fails to byte-compile apel)

2015-01-24 Thread David Bremner
Axel Beckert a...@debian.org writes:

 And when we're at it: A similar issue showed up with notmuch-emacs. I
 though found no obvious changelog entry in notmuch's changelog
 either. The latest changelog entry talks about Emacs 24.4 related bug
 fixes, so maybe Breaks: notmuch-emacs ( 0.18.2-1~) would help
 there, too.

Those changes (between 0.18.1 and 0.18.2) are only about the test suite,
which is only run at build time.

d





Bug#776136: wireshark: Crashes when filter string is edited on Broadway

2015-01-24 Thread Bálint Réczey
Package: wireshark
Severity: serious
Tags: fixed-upstream pending

From https://code.wireshark.org/review/#/c/6494/ :

The Broadway GDK backend never sets event->string. This results in
a crash when filter_string_te_key_pressed_cb tries to read its
contents.

Since the documentation marks reading the string as deprecated, try to
handle the character conversion here. It is based on
_gdk_x11_event_translate_keyboard_string (from gtk+), but without trying
to interpret Escape as '\033', and without trying to convert control
characters (example: Ctrl + 1). A buffer of 6 bytes is used to hold a
UTF-8 code point (there is no zero terminator, so 7 bytes as found in
the original implementation is unnecessary).

As g_locale_from_utf8 returns dynamically allocated memory, change the
control flow to have a single exit point where pointers are freed as
needed.

Reproduce with gtk3:

$ broadwayd :5
$ GDK_BACKEND=broadway BROADWAY_DISPLAY=:5 wireshark-gtk
(now open http://localhost:8085/ and start typing in the display
filter)

Keys tested: e € (AltGr + 5) ü (AltGr + , u)

In the X11 backend, these still get displayed correctly. In the broadway
backend however, the accents are missing due to a bug in the broadway
implementation.

Cheers,
Balint





Bug#776137: sudo: fails to switch between sudo and sudo-ldap: chown: cannot access '/etc/sudoers': No such file or directory

2015-01-24 Thread Andreas Beckmann
Package: sudo
Version: 1.8.10p3-1
Severity: serious

Hi,

actually I only wanted to check whether sudo-ldap/wheezy leaving the
obsolete conffile /etc/init.d/sudo after upgrades to jessie could cause
problems. (Does not look like this, but you could consider using
  dpkg-maintscript-helper rm_conffile /etc/init.d/sudo 1.8.10p3-2~
anyway - with appropriate versioning, of course.)

The upgrade to jessie with sudo-ldap/jessie went smooth, and thereafter
I wanted to switch to sudo/jessie, which failed due to missing
/etc/sudoers, the problem is reproducible in plain jessie, too:

# apt-get install sudo 
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following packages will be REMOVED:
  sudo-ldap
The following NEW packages will be installed:
  sudo
0 upgraded, 1 newly installed, 1 to remove and 5 not upgraded.
Need to get 0 B/848 kB of archives.
After this operation, 52.2 kB disk space will be freed.
Do you want to continue? [Y/n] 
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based 
frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 
76,  line 1.)
debconf: falling back to frontend: Readline
(Reading database ... 13871 files and directories currently installed.)
Removing sudo-ldap (1.8.10p3-1) ...
invoke-rc.d: policy-rc.d denied execution of stop.
Selecting previously unselected package sudo.
(Reading database ... 13780 files and directories currently installed.)
Preparing to unpack .../sudo_1.8.10p3-1_amd64.deb ...
Unpacking sudo (1.8.10p3-1) ...
Setting up sudo (1.8.10p3-1) ...
WARNING:  /etc/sudoers not present!
chown: cannot access '/etc/sudoers': No such file or directory
dpkg: error processing package sudo (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 sudo
E: Sub-process /usr/bin/dpkg returned an error code (1)

or the other way around:

# apt-get install sudo-ldap
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following extra packages will be installed:
  libffi6 libgnutls-deb0-28 libhogweed2 libldap-2.4-2 libnettle4 libp11-kit0 
libsasl2-2 libsasl2-modules-db libtasn1-6
Suggested packages:
  gnutls-bin
Recommended packages:
  libsasl2-modules
The following packages will be REMOVED:
  sudo
The following NEW packages will be installed:
  libffi6 libgnutls-deb0-28 libhogweed2 libldap-2.4-2 libnettle4 libp11-kit0 
libsasl2-2 libsasl2-modules-db libtasn1-6 sudo-ldap
0 upgraded, 10 newly installed, 1 to remove and 5 not upgraded.
Need to get 0 B/2409 kB of archives.
After this operation, 3814 kB of additional disk space will be used.
Do you want to continue? [Y/n] 
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based 
frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 
76,  line 10.)
debconf: falling back to frontend: Readline
(Reading database ... 13772 files and directories currently installed.)
Removing sudo (1.8.10p3-1) ...
invoke-rc.d: policy-rc.d denied execution of stop.
Selecting previously unselected package libnettle4:amd64.
(Reading database ... 13687 files and directories currently installed.)
Preparing to unpack .../libnettle4_2.7.1-5_amd64.deb ...
Unpacking libnettle4:amd64 (2.7.1-5) ...
Selecting previously unselected package libhogweed2:amd64.
Preparing to unpack .../libhogweed2_2.7.1-5_amd64.deb ...
Unpacking libhogweed2:amd64 (2.7.1-5) ...
Selecting previously unselected package libffi6:amd64.
Preparing to unpack .../libffi6_3.1-2+b2_amd64.deb ...
Unpacking libffi6:amd64 (3.1-2+b2) ...
Selecting previously unselected package libp11-kit0:amd64.
Preparing to unpack .../libp11-kit0_0.20.7-1_amd64.deb ...
Unpacking libp11-kit0:amd64 (0.20.7-1) ...
Selecting previously unselected package libtasn1-6:amd64.
Preparing to unpack .../libtasn1-6_4.2-2_amd64.deb ...
Unpacking libtasn1-6:amd64 (4.2-2) ...
Selecting previously unselected package libgnutls-deb0-28:amd64.
Preparing to unpack .../libgnutls-deb0-28_3.3.8-5_amd64.deb ...
Unpacking libgnutls-deb0-28:amd64 (3.3.8-5) ...
Selecting previously unselected package libsasl2-modules-db:amd64.
Preparing to unpack .../libsasl2-modules-db_2.1.26.dfsg1-12_amd64.deb ...
Unpacking libsasl2-modules-db:amd64 (2.1.26.dfsg1-12) ...
Selecting previously unselected package libsasl2-2:amd64.
Preparing to unpack .../libsasl2-2_2.1.26.dfsg1-12_amd64.deb ...
Unpacking libsasl2-2:amd64 (2.1.26.dfsg1-12) ...
Selecting previously unselected package libldap-2.4-2:amd64.
Preparing to unpack .../libldap-2.4-2_2.4.40-3_amd64.deb ...
Unpacking libldap-2.4-2:amd64 (2.4.40-3) ...
Selecting previously unselected package sudo-ldap.
Preparing to unpack .../sudo-ldap_1.8.10p3-1_amd64.deb ...
Unpacking sudo-ldap (1.8.10p3-1) ...
Setting up libnettle4:amd64 (2.7.1-5) ...
Setting up libhogweed2:amd64 

Processed: limit source to lintian, tagging 775467, tagging 775760

2015-01-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 limit source lintian
Limiting to bugs with field 'source' containing at least one of 'lintian'
Limit currently set to 'source':'lintian'

 tags 775467 + pending
Bug #775467 [lintian] Elaborate info for 
script-in-etc-init.d-not-registered-via-update-rc.d
Added tag(s) pending.
 tags 775760 + pending
Bug #775760 [lintian,ftp.debian.org,openjdk-8] openjdk-8 rejected due to wrong 
lintian warning
Added tag(s) pending.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
775467: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775467
775760: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775760
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: duplicate report

2015-01-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 merge 745835 776073
Bug #745835 [lynx-cur] lynx-cur: certificate revocation is not checked
Bug #776073 [lynx-cur] lynx-cur: can connect to site with expired certificate
Marked as found in versions lynx-cur/2.8.8pre5-1.
Added tag(s) jessie-ignore.
Bug #745835 [lynx-cur] lynx-cur: certificate revocation is not checked
Marked as found in versions lynx-cur/2.8.9dev1-2.
Merged 745835 776073
 --
Stopping processing here.

Please contact me if you need assistance.
-- 
745835: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745835
776073: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776073
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#776135: wireshark: Multiple security issues in 1.12.3 and prior versions

2015-01-24 Thread Bálint Réczey
Package: wireshark
Severity: serious
Tags: security fixed-upstream pending

Please see release notes:
https://www.wireshark.org/docs/relnotes/wireshark-1.12.3.html

Cheers,
Balint





Processed: user debian-secur...@lists.debian.org, usertagging 776135, tagging 776135

2015-01-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 user debian-secur...@lists.debian.org
Setting user to debian-secur...@lists.debian.org (was car...@debian.org).
 usertags 776135 + tracked
There were no usertags set.
Usertags are now: tracked.
 tags 776135 + upstream
Bug #776135 [wireshark] wireshark: Multiple security issues in 1.12.3 and prior 
versions
Added tag(s) upstream.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
776135: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776135
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: jessie

2015-01-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tags 776113 + sid jessie
Bug #776113 [emacs23-common-non-dfsg] emacs23-common-non-dfsg: Useless without 
emacs23
Added tag(s) sid and jessie.
 tags 775062 + sid jessie
Bug #775062 {Done: Neil Williams codeh...@debian.org} [grok] grok doesn't 
grok group name ('group name must start with a non-digit')
Added tag(s) sid and jessie.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
775062: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775062
776113: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776113
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#747863: nut: diff for NMU version 2.7.2-1.1

2015-01-24 Thread Neil Williams
On Wed, 21 Jan 2015 23:55:03 +0100
Laurent Bigonville bi...@debian.org wrote:

 On Sat, 17 Jan 2015 11:14:32 + Neil Williams
 li...@codehelp.co.uk wrote:
 
  Dear maintainer,
 
 Hello,
  
  I've prepared an NMU for nut (versioned as 2.7.2-1.1), taking
  Martin's third option of porting the Ubuntu change to debian/rules
  which simply drops the upstream systemd file and uses the sysvinit
  fallback. As part of the Debian UK BSP, I will upload it to
  DELAYED/4. Please feel free to tell me if I should delay it longer.
 
 Thanks for your NMU, just saw now that it was uploaded.
 
 I unfortunately didn't see your patch earlier, because I don't think
 it's complete :/
 
 When upgrading from the previous version that is currently in
 unstable, the files/symlinks in /etc/systemd and /var/lib/systemd are
 not automatically removed. You explicitly need to add the following
 calls somewhere in the maintainer script to properly remove all the
 leftovers.
 
 deb-systemd-helper purge foo.service >/dev/null
 deb-systemd-helper unmask foo.service >/dev/null
 
 Do you think you could take care of doing a new upload? I don't have a
 lot of time ATM unfortunately?

That doesn't seem to be part of the original bug which was for a clean
install of nut-client.

If you think this second issue is RC, then a new bug could be opened
but that depends on whether this affects the version currently in
testing and whether it actually causes a Policy violation in doing so,
or just left-over files.

If you had concerns about the fixes proposed in the bug, maybe those
should have been mentioned in a reply to the original bug (opened in
September).

-- 


Neil Williams
=
http://www.linux.codehelp.co.uk/





Bug#776145: GLib-CRITICAL spam on STDERR

2015-01-24 Thread Mirco Bauer
Package: libglib2.0-cil
Severity: serious

[this is a shortened version of my original report that was eaten by
reportbug which deserves a critical bugreport for the data loss]

Since a change in glib warnings are printed to STDERR for /each/
g_source_remove call if the item wasn't in the list. This can lead to
serious hardware resource usage (see below), thus severity set to
serious.

Example of such message:
 (smuxi-frontend-gnome:4942): GLib-CRITICAL **: Source ID 3462469 was
not found when attempting to remove it

meebey@redhorse:~$ ls -lh ~/.cache/gdm/session.log
-rw--- 1 meebey meebey 130M 2015-01-24 12:16
/home/meebey/.cache/gdm/session.log
meebey@redhorse:~$ grep -c -F 'GLib-CRITICAL **: Source ID'
/home/meebey/.cache/gdm/session.log
1194536

-- 
Best regards,

Mirco 'meebey' Bauer

FOSS Developer          mee...@meebey.net  https://www.meebey.net/
Debian Developer        mee...@debian.org  http://www.debian.org/
GNOME Foundation Member mmmba...@gnome.org http://www.gnome.org/
PGP-Key ID              0xEEF946C8         https://meebey.net/pubkey.asc
commit 3a01260d87c738361f1b72673f73135b4d7545e7
Author: Bertrand Lorentz bertrand.lore...@gmail.com
Date:   Sat Jul 5 15:52:56 2014 +0200

glib: Fix native GLib warnings when disposing SourceProxy objects

When an instance of SourceProxy was finalized, we would try to remove
the corresponding source, even if it was already removed. This now
causes native GLib to print out warnings because it can't find the
source ID.

Now Source.Remove only calls g_source_remove if we really had a handler
registered for the ID we're removing.

diff --git a/glib/Source.cs b/glib/Source.cs
index b62c3c5..89e691f 100644
--- a/glib/Source.cs
+++ b/glib/Source.cs
@@ -54,9 +54,15 @@ namespace GLib {
 
 		public static bool Remove (uint tag)
 		{
-			lock (Source.source_handlers)
-source_handlers.Remove (tag);
-			return g_source_remove (tag);
+			// g_source_remove always returns true, so we follow that
+			bool ret = true;
+
+			lock (Source.source_handlers) {
+if (source_handlers.Remove (tag)) {
+	ret = g_source_remove (tag);
+}
+			}
+			return ret;
 		}
 	}
 }
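Review bot: with the new guard "if (source_handlers.Remove (tag))", Remove returns true without calling g_source_remove whenever the tag is not in source_handlers, so a caller cannot tell "removed" from "never registered here", and a source ID that exists natively but was not recorded in this table is silently left attached. The comment "g_source_remove always returns true" also reads as a statement about the native API, while the code uses it to justify a default. Please reword it to say that the method reports success for unknown tags by design, or return false in that branch, and document the behaviour on the method.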
commit 9c78f7019c8622a3fc7a10c3d3dc8dcb5f44a289
Author: Cody Russell c...@jhu.edu
Date:   Fri Jul 11 09:51:53 2014 -0500

Check that source_handlers contains the tag.

diff --git a/glib/Source.cs b/glib/Source.cs
index 89e691f..cf9f4ba 100644
--- a/glib/Source.cs
+++ b/glib/Source.cs
@@ -58,7 +58,8 @@ namespace GLib {
 			bool ret = true;
 
 			lock (Source.source_handlers) {
-if (source_handlers.Remove (tag)) {
+if (source_handlers.Contains (tag)) {
+	source_handlers.Remove (tag);
 	ret = g_source_remove (tag);
 }
 			}
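Review bot: the commit message says only "Check that source_handlers contains the tag" and does not explain why "if (source_handlers.Remove (tag))" from the previous commit was not sufficient. If the collection's Remove does not return a bool, say so in the message; otherwise Contains followed by Remove is a second lookup for the same result. Both calls are inside the lock, so the check-then-remove sequence is not racy, and that should stay true if this block is refactored.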


Bug#775313: debsums -c don't report all changed files

2015-01-24 Thread Axel Beckert
Hi,

Axel Beckert wrote:
 Axel Beckert wrote:
  Axel Beckert wrote:
   I've pushed a preliminary NMU to the git branch nmu:
   https://anonscm.debian.org/cgit/collab-maint/debsums.git/log/?h=nmu
   
   I intend to upload that one as NMU to DELAYED/2 after some testing.
   Will post a full debdiff here once I'm done with testing.
  
  I've just uploaded an NMU to DELAYED/2. Full debdiff attached.
  
  It's my first upload with the new GnuPG key, so let's hope it works
  fine. :-)
 
 Seems as if didn't work, not sure why as I didn't get any mail about
 it. I plan to do a direct upload of the same files later today.

Sorry for the additional delay. There are currently some keyring
issues which made the uploads fail and which need to be resolved
first. (For those who can and are curious, see #5655 on
rt.debian.org.)

In the meanwhile, I'm happy if anyone else could upload the current
state of the nmu branch in Git 
(https://anonscm.debian.org/cgit/collab-maint/debsums.git/commit/?h=nmu&id=2cbb4941824f529b7242e1090b8c98bb7cc467c5)
directly to unstable. Otherwise I'll do it as soon as the above
mentioned keyring issues are resolved.

Thanks to Paul Tagliamonte for checking why the uploads failed and
thanks to Gunnar Wolf for looking at and caring about the keyring
issues!

Regards, Axel
-- 
 ,''`.  |  Axel Beckert a...@debian.org, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE




Bug#776145: [pkg-cli-libs-team] Bug#776145: GLib-CRITICAL spam on STDERR

2015-01-24 Thread Mirco Bauer
tags 776145 + patch
thanks

On Sat, Jan 24, 2015 at 2:41 PM, Mirco Bauer mee...@debian.org wrote:
 ...
 [this is a shortened version of my original report that was eaten by
 reportbug which deserves a critical bugreport for the data loss]
 ...

[nevermind: I have found the initial report in /tmp/reportbug-*]

This glib message happens each time the GC wants to unref objects that
are no longer
referenced. Older glib versions simply ignored this, newer version
writes that message for every invocation.

Since this can lead to serious hardware resource usage (writes to files are
expensive) I have set the severity to serious.

grep -c -F 'GLib-CRITICAL **: Source ID' /home/meebey/.cache/gdm/session.log
1204472

2015-01-24 12:16: 1,194,536 messages
2015-01-24 14:54: 1,204,472 messages

So about 10,000 messages (writes) in about 3 hours.

-- 
Best regards,

Mirco 'meebey' Bauer

FOSS Developer          mee...@meebey.net  https://www.meebey.net/
Debian Developer        mee...@debian.org  http://www.debian.org/
GNOME Foundation Member mmmba...@gnome.org http://www.gnome.org/
PGP-Key ID              0xEEF946C8         https://meebey.net/pubkey.asc





Processed: Re: [pkg-cli-libs-team] Bug#776145: GLib-CRITICAL spam on STDERR

2015-01-24 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tags 776145 + patch
Bug #776145 [libglib2.0-cil] GLib-CRITICAL spam on STDERR
Added tag(s) patch.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
776145: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776145
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#775682: diff for websvn nmu

2015-01-24 Thread Thijs Kinkhorst
Hi,

I've NMU'ed websvn for this security issue with attached debdiff.


Cheers,
Thijs

websvn_nmudiff.debdiff
Description: Binary data


Bug#775682: marked as done (websvn: CVE-2013-6892: arbitrary file access when downloads enabled for users with commit access)

2015-01-24 Thread Debian Bug Tracking System
Your message dated Sat, 24 Jan 2015 13:33:23 +
with message-id e1yf0q3-0002ua...@franck.debian.org
and subject line Bug#775682: fixed in websvn 2.3.3-1.2
has caused the Debian Bug report #775682,
regarding websvn: CVE-2013-6892: arbitrary file access when downloads enabled 
for users with commit access
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
775682: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: websvn
Severity: serious
Tags: security patch

Hi,

James Clawson reported:

Arbitrary files with a known path can be accessed in websvn by committing a
symlink to a repository and then downloading the file (using the download
link).

An attacker must have write access to the repo, and the download option must
have been enabled in the websvn config file.

Example:
- Create a symlink to /etc/passwd and commit it to the repo.
- Access websvn and download the file.
- The downloaded file will be the web server's /etc/passwd (i.e. the symlink is
  resolved on the web server).

This will also work with symlinks to directories, but dlmode=zip must be added
to the download link manually. Zip must be installed manually to be able to
download directories.


I've assigned CVE-2013-6892 to this issue. Please mention it in the changelog
when fixing the issue.

I've created attached patch which solves the bug.

Cheers,
Thijs
diff -ur oud/dl.php nieuw/dl.php
--- oud/dl.php	2015-01-18 16:03:30.688791512 +0100
+++ nieuw/dl.php	2015-01-18 16:27:00.950897749 +0100
@@ -137,6 +137,18 @@
 		exit(0);
 	}
 
+	// For security reasons, disallow direct downloads of filenames that
+	// are a symlink, since they may be a symlink to anywhere (/etc/passwd)
+	// Deciding whether the symlink is relative and legal within the
+	// repository would be nice but seems to error prone at this moment.
+	if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
+		header('HTTP/1.x 500 Internal Server Error', true, 500);
+		error_log('to be downloaded file is symlink, aborting: '.$archiveName);
+		print 'Download of symlinks disallowed: '.xml_entities($archiveName).'.';
+		removeDirectory($tempDir);
+		exit(0);
+	}
+
 	// Set timestamp of exported directory (and subdirectories) to timestamp of
 	// the revision so every archive of a given revision has the same timestamp.
 	$revDate = $logEntry-date;
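Review bot: the is_link() test covers only $tempDir.DIRECTORY_SEPARATOR.$archiveName, that is the top-level exported entry, so symlinks nested inside an exported directory are not rejected by this block and rely entirely on how the archiver is invoked afterwards. Please either walk the export and reject (or skip) links anywhere in the tree, or state in the comment that nested links are handled at archive time. Two smaller points: a refused download is better reported as 403 than as 500, and the comment has "to error prone" for "too error prone".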
@@ -180,7 +192,7 @@
 		$downloadMimeType = 'application/x-zip';
 		$downloadArchive .= '.zip';
 		// Create zip file
-		$cmd = $config-zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
+		$cmd = $config-zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
 		execCommand($cmd, $retcode);
 		if ($retcode != 0) {
 			error_log('Unable to call zip command: '.$cmd);
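Review bot: --symlinks is added only to the zip command line in this hunk, so the protection for directory downloads depends on which archive mode is requested; any other archive branch in dl.php that is not shown here needs to be confirmed to store links as links rather than following them. A short comment next to $cmd saying that the flag is security-relevant would also keep it from being dropped in a later cleanup.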
---End Message---
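
A stricter variant of the check that the patch comment above defers (deciding whether a symlink stays inside the export), covering nested links as well as the top-level entry. This is an added Python example, not part of the original message or of websvn's code; the function names, directory layout and sample tree are constructed for illustration.

```python
import os
import tempfile


def _is_within(path, root):
    """True if the fully resolved path is root itself or lies beneath it."""
    return path == root or path.startswith(root + os.sep)


def find_escaping_symlinks(temp_dir, archive_name):
    """Return sorted paths (relative to temp_dir) of symlinks whose resolved
    target lies outside temp_dir. Checks the exported entry itself and
    everything beneath it, without following any link during the walk."""
    root = os.path.realpath(temp_dir)
    entry = os.path.join(root, archive_name)
    candidates = [entry]
    if os.path.isdir(entry) and not os.path.islink(entry):
        for dirpath, dirnames, filenames in os.walk(entry, followlinks=False):
            # Symlinks to directories are listed in dirnames but never entered.
            candidates.extend(os.path.join(dirpath, n)
                              for n in dirnames + filenames)
    escaping = []
    for path in candidates:
        # realpath() resolves chains of links, so a link to a link is caught.
        if os.path.islink(path) and not _is_within(os.path.realpath(path), root):
            escaping.append(os.path.relpath(path, root))
    return sorted(escaping)


def build_sample_export(base):
    """Constructed sample: an export tree with safe and unsafe symlinks."""
    temp_dir = os.path.join(base, "tmp")
    outside = os.path.join(base, "outside")
    export = os.path.join(temp_dir, "export")
    os.makedirs(os.path.join(export, "sub"))
    os.makedirs(outside)
    secret = os.path.join(outside, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("not part of the repository\n")
    with open(os.path.join(export, "README"), "w") as fh:
        fh.write("ordinary file\n")
    # Relative link that stays inside the export: acceptable.
    os.symlink("README", os.path.join(export, "readme-link"))
    # Absolute link to a file outside the export.
    os.symlink(secret, os.path.join(export, "leak"))
    # Relative directory link that climbs out of the export.
    os.symlink("../../../outside", os.path.join(export, "sub", "dirleak"))
    # Link to another link that escapes.
    os.symlink("leak", os.path.join(export, "chain"))
    # Single-file download case: the exported entry itself is a link.
    os.symlink(secret, os.path.join(temp_dir, "single"))
    return temp_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        temp_dir = build_sample_export(base)
        for name in ("export", "single"):
            print(name, find_escaping_symlinks(temp_dir, name))
```

A caller would refuse the download, or drop the listed entries, when the returned list is non-empty, before any archiver runs.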
---BeginMessage---
Source: websvn
Source-Version: 2.3.3-1.2

We believe that the bug you reported is fixed in the latest version of
websvn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst th...@debian.org (supplier of updated websvn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sat, 24 Jan 2015 12:31:44 +
Source: websvn
Binary: websvn
Architecture: source all
Version: 2.3.3-1.2
Distribution: unstable
Urgency: high
Maintainer: Pierre Chifflier pol...@debian.org
Changed-By: Thijs Kinkhorst th...@debian.org
Description:
 websvn - interface for Subversion repositories written in PHP
Closes: 775682
Changes:
 websvn (2.3.3-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Disable download of in-repository symlinks to prevent arbitrary
 file access (CVE-2013-6892, Closes: #775682).