[Bug 485873] Re: logwatch should report apparmor events

2013-05-28 Thread Steve Beattie
This unfortunately doesn't work by default in ubuntu because the setting for audit.conf in /usr/share/logwatch/services/ points to the 'messages' logfile which is no longer used in ubuntu. It should either be 'syslog' or 'kernel'. A secondary issue is that if auditd is enabled, events will only

[Bug 852868] Re: php5 var_export() information leak

2011-09-26 Thread Steve Beattie
Thanks for reporting this issue; however, it was already addressed in USN 989-1: http://www.ubuntu.com/usn/usn-989-1/. ** Changed in: php5 (Ubuntu) Status: Confirmed = Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed

[Bug 852910] Re: PHP Magic Quotes Fails to Protect mysqli_fetch_assoc

2011-09-26 Thread Steve Beattie
Thanks for teporting this issue. PHP in Ubuntu uses libmysqlclient, not mysqlnd, and thus was not affected by this vulnerability. ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2010-4700 ** Changed in: php5 (Ubuntu) Status: Confirmed = Invalid -- You received this bug

[Bug 852885] Re: PHP rfc1867_post_handler File Path Injection Vulnerability

2011-09-26 Thread Steve Beattie
*** This bug is a duplicate of bug 813115 *** https://bugs.launchpad.net/bugs/813115 Thanks for reporting this issue. It had already been reported as bug 813115, which is in progress and which I'm marking this a duplicate of. Please address all further comments around this vulnerability

[Bug 871673] Re: APR apr_fnmatch() Denial of Service Vulnerability

2011-10-13 Thread Steve Beattie
Thanks for reporting this issue, which is CVE-2011-0419. It's a vulnerability in apache's apr library, which in Ubuntu is shipped in the separate 'apr' source package, and the apache packages links against it. It was addressed in USN-1134-1 http://www.ubuntu.com/usn/usn-1134-1. ** CVE added:

[Bug 852865] Re: strrchr() functions information leak

2011-10-13 Thread Steve Beattie
** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2010-2484 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in Ubuntu. https://bugs.launchpad.net/bugs/852865 Title: strrchr() functions information leak To manage

[Bug 852871] Re: PHP ZEND_SL Opcode Interruption Address Information Leak Vulnerability

2011-10-13 Thread Steve Beattie
** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2010-1914 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in Ubuntu. https://bugs.launchpad.net/bugs/852871 Title: PHP ZEND_SL Opcode Interruption Address

[Bug 852871] Re: PHP ZEND_SL Opcode Interruption Address Information Leak Vulnerability

2011-10-17 Thread Steve Beattie
Thanks for reporting this issue. It has been addressed in Ubuntu 10.10 (maverick) and newer. For Ubuntu 10.04 LTS (lucid), I'll be applying the upstream fix for it. For Ubuntu 8.04 LTS (hardy), upstream never fixed this issue in the php 5.2 branch, and backporting the fix is non-trivial and thus

[Bug 852865] Re: strrchr() functions information leak

2011-10-17 Thread Steve Beattie
Thanks for reporting this issue. This issue only affects Ubuntu 8.04 LTS, despite what the securityfocus link above says. It will be addressed in a forthcoming php update. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in Ubuntu.

[Bug 852871] Re: PHP ZEND_SL Opcode Interruption Address Information Leak Vulnerability

2011-10-17 Thread Steve Beattie
(Ubuntu Lucid) Importance: Undecided = Low ** Changed in: php5 (Ubuntu Lucid) Assignee: (unassigned) = Steve Beattie (sbeattie) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in Ubuntu. https://bugs.launchpad.net/bugs/852871

[Bug 852865] Re: strrchr() functions information leak

2011-10-17 Thread Steve Beattie
** Changed in: php5 (Ubuntu) Status: Confirmed = Fix Released ** Changed in: php5 (Ubuntu Hardy) Status: New = In Progress ** Changed in: php5 (Ubuntu Hardy) Assignee: (unassigned) = Steve Beattie (sbeattie) ** Changed in: php5 (Ubuntu Hardy) Importance: Undecided = Low

[Bug 852865] Re: strrchr() functions information leak

2011-10-18 Thread Steve Beattie
** CVE removed: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2011-2202 ** CVE removed: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2011-3182 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in Ubuntu.

[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure

2011-10-18 Thread Steve Beattie
: (unassigned) = Steve Beattie (sbeattie) ** Changed in: apache2 (Ubuntu Lucid) Assignee: (unassigned) = Steve Beattie (sbeattie) ** Changed in: apache2 (Ubuntu Maverick) Assignee: (unassigned) = Steve Beattie (sbeattie) ** Changed in: apache2 (Ubuntu Natty) Assignee: (unassigned) = Steve

[Bug 874130] Re: Canonicalize fallback only works for different realm (MITKRB RT #6917)

2011-10-18 Thread Steve Beattie
Unfortunately, the version in oneiric-proposed was superceded by a security update to krb5 (though the versioning of the proposed version doesn't correctly reflect that) in USN 1233-1 http://www.ubuntu.com/usn/usn-1233-1/. Attached is a debdiff against the version of krb5 in oneiric-security,

[Bug 874130] Re: Canonicalize fallback only works for different realm (MITKRB RT #6917)

2011-10-18 Thread Steve Beattie
** Patch added: krb5_1.9.1+dfsg-1ubuntu2.1.debdiff https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/874130/+attachment/2559171/+files/krb5_1.9.1%2Bdfsg-1ubuntu2.1.debdiff -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in

[Bug 877607] Re: package libapache2-mod-php5 5.3.5-1ubuntu7.3 failed to install/upgrade: vereistenproblemen - blijft ongeconfigureerd

2011-10-19 Thread Steve Beattie
This appears to be the issue: ERROR: Module reqtimeout does not exist! mod_reqtimeout should be provided by the apache2.2-bin package. Is it installed and in a consistent state? ** Changed in: php5 (Ubuntu) Status: New = Incomplete -- You received this bug notification because you

[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure

2011-10-24 Thread Steve Beattie
Thanks, Michael, I expect packages to go out in the next couple of days. FYI, the lucid debdiff you posted did not include an edit to debian/patches/00list, so I don't believe it's getting applied in your ppa build. -- You received this bug notification because you are a member of Ubuntu Server

[Bug 750371] Re: squid causing /var to stay busy during shutdown

2011-10-31 Thread Steve Beattie
I was able to reproduce this issue with squid 2.7.STABLE9-2ubuntu5.1, and have verified that the version in maverick-proposed, 2.7.STABLE9-2ubuntu5.2 appears to fix the issue. After upgrading, squid continued to function as expected. Marking verification-done. ** Tags removed: verification-needed

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions

2012-02-06 Thread Steve Beattie
/viewvc?view=revisionrevision=323007, plus there's an additional memory leak addressed by http://svn.php.net/viewvc?view=revisionrevision=323013). ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-0830 ** Changed in: php5 (Ubuntu Lucid) Assignee: (unassigned) = Steve Beattie

[Bug 928550] Re: PHP Comparison Issues ... 0 equates to 'D'

2012-02-07 Thread Steve Beattie
Thanks for taking the time to report this issue and help improve Ubuntu. While from a programmer's perspective, it's unexpected behavior; however, it is correct as documented at: http://php.net/manual/en/language.operators.comparison.php What's happening is that when comparing a string to a

[Bug 908154] Re: PHP session garbage collection measured in minutes instead of seconds

2012-02-09 Thread Steve Beattie
BIll, The /usr/lib/php5/maxlifetime script is already dividing the result by 60; if you run it with the default settings, you will see that it returns 24 (the expected number of minutes). So your patch should not be necessary. Is that not the behavior you see? What does it output if you run it

[Bug 908154] Re: PHP session garbage collection measured in minutes instead of seconds

2012-02-09 Thread Steve Beattie
** Changed in: php5 (Ubuntu) Status: Incomplete = Invalid -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in Ubuntu. https://bugs.launchpad.net/bugs/908154 Title: PHP session garbage collection measured in minutes

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions

2012-02-10 Thread Steve Beattie
Yes, this has been fixed in hardy (8.04 LTS); however, I forgot to incorporate the bug number in the changelog entry for the hardy version. You are correct that this issue has not been addressed in precise, yet. As for CVE-2012-0830, there is no separate bug report; the security team doesn't

[Bug 930115] Re: php5 5.3.2-1ubuntu4.13 introduced regression in magic_quotes_gpc

2012-02-10 Thread Steve Beattie
in: php5 (Ubuntu Lucid) Assignee: Canonical Security Team (canonical-security) = Steve Beattie (sbeattie) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in Ubuntu. https://bugs.launchpad.net/bugs/930115 Title: php5 5.3.2

[Bug 930115] Re: php5 5.3.2-1ubuntu4.13 introduced regression in magic_quotes_gpc

2012-02-13 Thread Steve Beattie
Yes, as Ondřej said, all supported releases were affected and the issue was that ini_get('magic_quotes_gpc') was returning the wrong value, magic_quotes_gpc would still get set correctly. Also, get_magic_quotes_gpc() returned the correct value, too. Fixes for all releases have gone out as

[Bug 923699] Re: Compiling PHP 5 fails due to missing suhosin_patch.c

2012-02-13 Thread Steve Beattie
Hakan, note that the php source package includes a quilt series of patches to be applied in the debian/patches/ directory. This includes the php-suhosin patch which adds the file that make is reporting missing. You may wish to read the Quilt for Debian Maintainers page at

[Bug 932239] Re: Multiple Samba security vulnerabilities

2012-02-17 Thread Steve Beattie
Note that Ubuntu, like many linux distributions, backports security fixes rather than upgrading to new versions of software to attempt to prevent the introduction of regressions and changes in behavior in released versions of software. CVE-2010-3069 was addressed in

[Bug 932239] Re: Multiple Samba security vulnerabilities

2012-02-17 Thread Steve Beattie
Also, you can check the status yourself of the CVEs we are aware of at the Ubuntu Security cve tracker: http://people.canonical.com/~ubuntu- security/cve/ -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in Ubuntu.

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions

2012-02-24 Thread Steve Beattie
This was addressed in precise in the 5.3.10-1ubuntu1 merge, closing. ** Changed in: php5 (Ubuntu Precise) Status: Confirmed = Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in Ubuntu.

[Bug 877740] Re: CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure

2012-02-27 Thread Steve Beattie
This was fixed for Ubuntu 8.04 LTS (hardy) in 2.2.8-1ubuntu0.22 as referred to in USN http://www.ubuntu.com/usn/usn-1259-1 ; closing. ** Changed in: apache2 (Ubuntu Hardy) Status: In Progress = Fix Released -- You received this bug notification because you are a member of Ubuntu Server

[Bug 959419] Re: package postfix 2.7.0-1ubuntu0.2 failed to install/upgrade: sous-processus nouveau script pre-installation tué par le signal (Relais brisé (pipe))

2012-03-19 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a regular (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 956581] Re: Stack Buffer Overflow in HTTP Manager

2012-03-22 Thread Steve Beattie
** Visibility changed to: Public -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to asterisk in Ubuntu. https://bugs.launchpad.net/bugs/956581 Title: Stack Buffer Overflow in HTTP Manager To manage notifications about this bug go to:

[Bug 956580] Re: Remote Crash Vulnerability in Milliwatt Application

2012-03-22 Thread Steve Beattie
** Visibility changed to: Public -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to asterisk in Ubuntu. https://bugs.launchpad.net/bugs/956580 Title: Remote Crash Vulnerability in Milliwatt Application To manage notifications about

[Bug 956578] Re: Remote crash vulnerability in SIP channel driver

2012-03-22 Thread Steve Beattie
** Visibility changed to: Public -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to asterisk in Ubuntu. https://bugs.launchpad.net/bugs/956578 Title: Remote crash vulnerability in SIP channel driver To manage notifications about this

[Bug 956581] Re: Stack Buffer Overflow in HTTP Manager

2012-03-22 Thread Steve Beattie
Hi Paul, When compiling with your added patches, a new compiler warning pops up: +chan_sip.c: In function 'parse_register_contact': +chan_sip.c:13312:2: warning: implicit declaration of function 'parse_uri_legacy_check' [-Wimplicit-function-declaration] greping through the source, I don't see

[Bug 969228] Re: Unable to load another apparmor profile from /etc/apparmor.d/lxc/

2012-03-30 Thread Steve Beattie
Hi, can you attach the profiles in question? That will help in diagnosing the issue. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/969228 Title: Unable to load another apparmor

[Bug 986314] [NEW] squid3 missing pie and bind-now hardening options

2012-04-20 Thread Steve Beattie
Public bug reported: The squid (v2) package had all of the hardening options enabled (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542723) due to squid receiving and parsing network input and the number of and severity of prior security issues; however, with the transition to squid3 some

[Bug 986314] Re: squid3 missing pie and bind-now hardening options

2012-04-20 Thread Steve Beattie
For more details on the hardening options, please see http://wiki.debian.org/Hardening Attached is a debdiff for precise-proposed SRU that addresses the issue as well as fixes the file descriptor limit in bug 986159. I've built and confirmed both issues locally, as well as performed a modicum of

[Bug 986159] Re: squid3 open file descriptors limit is set incorrectly

2012-04-20 Thread Steve Beattie
Hi, I've attached a debidff to bug 986314 that addresses that issue as well as this one for an SRU. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to squid3 in Ubuntu. https://bugs.launchpad.net/bugs/986159 Title: squid3 open file

[Bug 986314] Re: squid3 missing pie and bind-now hardening options

2012-04-20 Thread Steve Beattie
** Changed in: squid3 (Ubuntu) Importance: Undecided = High ** Tags added: qa-r-t regression-release -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to squid3 in Ubuntu. https://bugs.launchpad.net/bugs/986314 Title: squid3 missing

[Bug 986159] Re: squid3 open file descriptors limit is set incorrectly

2012-04-20 Thread Steve Beattie
** Changed in: squid3 (Ubuntu) Importance: Undecided = Medium -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to squid3 in Ubuntu. https://bugs.launchpad.net/bugs/986159 Title: squid3 open file descriptors limit is set incorrectly

[Bug 986314] Re: squid3 missing pie and bind-now hardening options

2012-04-20 Thread Steve Beattie
** Bug watch added: Debian Bug tracker #669684 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669684 ** Also affects: squid3 (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669684 Importance: Unknown Status: Unknown -- You received this bug notification because

[Bug 791758] Re: CVE-2011-1929 and Dovecot 1.0.10-1ubuntu5.2 in Hardy

2012-04-23 Thread Steve Beattie
Hi, Sorry for losing track of the issue. I was getting corrupted headers where because one header had multiple NULLs in it, when dovecot wrote the message back, it ended up dropping that header and merging/corrupting another header. The example I came up with was where the original message

[Bug 978999] Re: command injection on the host via the xmlrpc api

2012-05-15 Thread Steve Beattie
I believe upstream attempted to address this in https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to cobbler in Ubuntu.

[Bug 289367] Re: camellia cipher does not work in racoon - enable camellia in openssl

2012-05-21 Thread Steve Beattie
This was fixed in oneiric with the introduction of openssl 1.0.0. On precise: $ openssl ciphers CAMELLIA DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ADH-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ADH-CAMELLIA128-SHA:CAMELLIA128-SHA Marking this bug report

[Bug 1010514] Re: Source group based security group rule without protocol and port causes failures

2012-06-11 Thread Steve Beattie
** Also affects: nova (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nova in Ubuntu. https://bugs.launchpad.net/bugs/1010514 Title: Source group based security group rule without

[Bug 1010514] Re: Source group based security group rule without protocol and port causes failures

2012-06-12 Thread Steve Beattie
** Changed in: nova (Ubuntu Oneiric) Status: New = In Progress ** Changed in: nova (Ubuntu Precise) Status: New = In Progress ** Changed in: nova (Ubuntu Oneiric) Assignee: (unassigned) = Steve Beattie (sbeattie) ** Changed in: nova (Ubuntu Precise) Assignee: (unassigned

[Bug 1009422] Re: (CVE-2012-1013) krb5 : kadmind denial of service

2012-07-23 Thread Steve Beattie
This is a low priority issue due to the required privileges needed to exploit it. ** Changed in: krb5 (Ubuntu) Importance: Undecided = Low -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in Ubuntu.

[Bug 1009422] Re: (CVE-2012-1013) krb5 : kadmind denial of service

2012-07-31 Thread Steve Beattie
** CVE removed: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-1012 ** CVE removed: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-1014 ** CVE removed: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-1015 -- You received this bug notification because you are a member

[Bug 1015405] Re: ClamAV error: CL_EFORMAT: Bad format or broken data

2012-08-15 Thread Steve Beattie
Thanks Scott, I'm reviewing the natty, oneiric, and precise debdiffs now. ** Changed in: clamav (Ubuntu Natty) Assignee: (unassigned) = Steve Beattie (sbeattie) ** Changed in: clamav (Ubuntu Precise) Assignee: (unassigned) = Steve Beattie (sbeattie) ** Changed in: clamav (Ubuntu

[Bug 985184] Re: Security groups fail to be set correctly if incorrect case is used for protocol specification

2012-08-24 Thread Steve Beattie
Dave, this was fixed for Ubuntu precise in http://www.ubuntu.com/usn/usn-1466-1/ (2012.1-0ubuntu2.2). Thanks. ** Changed in: nova (Ubuntu Precise) Status: Confirmed = Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to

[Bug 992447] Re: Communication with store.juju.ubuntu.com is not authenticated

2012-08-29 Thread Steve Beattie
Clint, Thanks, debdiff looks good. I'll push this out today. ** Changed in: juju (Ubuntu Precise) Status: Confirmed = In Progress ** Changed in: juju (Ubuntu Precise) Assignee: Clint Byrum (clint-fewbar) = Steve Beattie (sbeattie) -- You received this bug notification because you

[Bug 992447] Re: Communication with store.juju.ubuntu.com is not authenticated

2012-08-30 Thread Steve Beattie
Clint, FYI, I slightly modified the patch headers to make them DEP-3 compliant (added Subject: lines with brief descriptions of the issues they address). Unsubscribing ubuntu-security-sponsors since there is no more open tasks for that team to undertake. Thanks! -- You received this bug

[Bug 1033920] Re: Dashboard raises a ServiceCatalogException when attempting to download juju settings

2012-09-04 Thread Steve Beattie
** CVE removed: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-2094 ** CVE removed: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-2144 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to horizon in Ubuntu.

[Bug 1040626] Re: Update user's default tenant partially succeeds without authz

2012-09-06 Thread Steve Beattie
This was fixed in Ubuntu 12.04 LTS in http://www.ubuntu.com/usn/usn-1552-1/ but still needs to be fixed in quantal (ubuntu 12.10). Attached is a debdiff to do so. ** Patch added: keystone_2012.2~f3-0ubuntu2.debdiff

[Bug 1040626] Re: Update user's default tenant partially succeeds without authz

2012-09-06 Thread Steve Beattie
** Changed in: keystone (Ubuntu) Status: New = Triaged -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to keystone in Ubuntu. https://bugs.launchpad.net/bugs/1040626 Title: Update user's default tenant partially succeeds without

[Bug 1040626] Re: Update user's default tenant partially succeeds without authz

2012-09-07 Thread Steve Beattie
Addressed in Ubuntu 12.10 with keystone 2012.2~rc1~20120906.2517-0ubuntu2. ** Changed in: keystone (Ubuntu) Status: Triaged = Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to keystone in Ubuntu.

[Bug 1050211] Re: (CVE-2012-4244) bind9: specially crafted resource record causes named to exit

2012-09-13 Thread Steve Beattie
Thanks for reporting this, we are aware of it and are working on an update. Marking as public. ** Changed in: bind9 (Ubuntu) Importance: Undecided = High ** Visibility changed to: Public -- You received this bug notification because you are a member of Ubuntu Server Team, which is

[Bug 769354] [NEW] elinks accepts self-signed ssl certificates without warning

2011-04-22 Thread Steve Beattie
Public bug reported: Binary package hint: elinks elinks accepts self-signed certificates without warning or raising an error. Sadly, this is a regression that got introduced somewhere between hardy and karmic. With hardy's version (0.11.3-5ubuntu2): # elinks -dump -eval 'set

[Bug 769354] Re: elinks accepts self-signed ssl certificates without warning

2011-04-22 Thread Steve Beattie
-- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to elinks in Ubuntu. https://bugs.launchpad.net/bugs/769354 Title: elinks accepts self-signed ssl certificates without warning -- Ubuntu-server-bugs mailing list

[Bug 774452] Re: php-pear: pecl install reports Call to undefined method PEAR::raiseErro()

2011-04-30 Thread Steve Beattie
Reproduced, thanks for the report and the pointer. ** Changed in: php5 (Ubuntu) Status: New = Confirmed ** Changed in: php5 (Ubuntu) Importance: Undecided = High ** Changed in: php5 (Ubuntu) Assignee: (unassigned) = Steve Beattie (sbeattie) -- You received this bug notification

[Bug 651049] Re: php5: FILTER_VALIDATE_URL will invalidate a hostname that includes '-'

2011-05-03 Thread Steve Beattie
Removing the reference to CVE-2010-3710; that was fixed in USN 1042-1 (http://www.ubuntu.com/usn/usn-1042-1) and is a separate issue anyway. ** CVE removed: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2010-3710 -- You received this bug notification because you are a member of Ubuntu

[Bug 774452] Re: php-pear: pecl install reports Call to undefined method PEAR::raiseErro()

2011-05-04 Thread Steve Beattie
ndefontenay: what release are you seeing this in? I can't reproduce the lstat() warnings; however, the Fatal Error due to the PEAR::raiseErro() typo unfortunately affects all releases. I'm currently testing the fix for this, and will hopefully be able to release it soon. Thanks for your patience

[Bug 776642] Re: segfaults from 5.2.4-2ubuntu5.15

2011-05-04 Thread Steve Beattie
Joey: yes, I expect to release updated packages within the next 24 hours. Thanks. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in Ubuntu. https://bugs.launchpad.net/bugs/776642 Title: segfaults from 5.2.4-2ubuntu5.15 --

[Bug 792557] [NEW] dovecot fails to start on oneiric

2011-06-03 Thread Steve Beattie
Public bug reported: Attempting to start dovecot with the default configuration on oneiric fails: $ sudo start dovecot dovecot stop/waiting $ ps auwwx | grep dovecot ubuntu8793 0.0 0.1 4188 876 pts/0S+ 13:17 0:00 grep --color=auto dovecot This is because the

[Bug 792557] Re: dovecot fails to start on oneiric

2011-06-03 Thread Steve Beattie
-- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to dovecot in Ubuntu. https://bugs.launchpad.net/bugs/792557 Title: dovecot fails to start on oneiric -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify

[Bug 797161] Re: package amavisd-new-postfix (not installed) failed to install/upgrade: underproces installerede post-installation-script returnerede afslutningsstatus 1

2011-06-15 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a regular (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 798855] Re: package samba 2:3.5.8~dfsg-1ubuntu2.2 failed to install/upgrade: problemas de dependencias - se deja sin configurar

2011-06-17 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a regular (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 781985] Re: Format string bugs in mysqlhotcopy

2011-07-08 Thread Steve Beattie
Note that it's not a security issue in this context as perl blocks format string issues; Modification of a read-only value attempted at /usr/bin/mysqlhotcopy line 459 is perl blocking the issue. ** Changed in: mysql-5.1 (Ubuntu) Status: Incomplete = Confirmed -- You received this bug

[Bug 781982] Re: Format string bug in mysqldumpslow

2011-07-08 Thread Steve Beattie
** Changed in: mysql-5.1 (Ubuntu) Status: Incomplete = Confirmed -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to mysql-5.1 in Ubuntu. https://bugs.launchpad.net/bugs/781982 Title: Format string bug in mysqldumpslow To manage

[Bug 769354] Re: elinks accepts self-signed ssl certificates without warning

2011-08-04 Thread Steve Beattie
** This bug has been flagged as a security vulnerability -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to elinks in Ubuntu. https://bugs.launchpad.net/bugs/769354 Title: elinks accepts self-signed ssl certificates without warning To

[Bug 837991] Re: Update apache2 to 2.2.19-2 to fix CVE-2011-3192

2011-09-06 Thread Steve Beattie
Attached is a debdiff for the merge of apache 2.2.20-1 (I was unable to do this via bzr due to bug 842144). I've verified that the package builds on i386 and amd64 and ran the lp:qa-regression-testing tests against that package, and confirmed that no regressions occur. ** Description changed:

[Bug 837991] Re: Please merge apache2 2.2.20-1 to fix CVE-2011-3192+regressions

2011-09-06 Thread Steve Beattie
And here is the debdiff of 2.2.20-1ubuntu1 against 2.2.20-1, to show just the ubuntu changes to the package. ** Patch added: apache2-2.2.20-1_2.2.20-1ubuntu1.diff https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/837991/+attachment/2362703/+files/apache2-2.2.20-1_2.2.20-1ubuntu1.diff **

[Bug 839569] Re: Apache2 is still Range header DoS vulnerable if gzip compression is enabled

2011-09-07 Thread Steve Beattie
Paweł, Can you confirm that sending a request with an overlapping byte range e.g.: HEAD / HTTP/1.1 Host: localhost Range:bytes=1-15,10-35,8-9,14-22,0-5,23- Accept-Encoding: gzip Connection: close returns 200 OK? Perhaps you could report what modules you have loaded? apache2ctl -t -D

[Bug 839569] Re: Apache2 is still Range header DoS vulnerable if gzip compression is enabled

2011-09-08 Thread Steve Beattie
Paweł and Upen, thanks for following up. Based on your comments, I'm going to close this bug report; please re-open it if you find any evidence that suggests the fix for CVE-2011-3192 is incomplete. Stefan, thanks for chiming in. ** CVE added: http://www.cve.mitre.org/cgi-

[Bug 813115] Re: CVE-2011-2202

2011-09-19 Thread Steve Beattie
Beattie (sbeattie) ** Changed in: php5 (Ubuntu Lucid) Assignee: (unassigned) = Steve Beattie (sbeattie) ** Changed in: php5 (Ubuntu Maverick) Assignee: (unassigned) = Steve Beattie (sbeattie) ** Changed in: php5 (Ubuntu Natty) Assignee: (unassigned) = Steve Beattie (sbeattie) -- You

[Bug 222761] Re: [SRU] upsd doesn't start NOT 221737

2008-05-29 Thread Steve Beattie
I reproduced the initial problem using nut-2.2.1-2.1ubuntu7. I verified that using the package in -proposed, nut-2.2.1-2.1ubuntu7.1, corrects the issue, but *only* if the -proposed package is a new installation of the nut package. Upgrading to the nut package in -proposed from the version released

[Bug 224428] Re: [SRU] munin-node not restarted after plugin installation

2008-05-29 Thread Steve Beattie
I am unable to reproduce the initial reporters problem with a fresh install of the original version shipped with Hardy, munin-node 1.2.5-2ubuntu3. Perhaps we can get a better test case here? I did verify the package in -proposed, munin-node 1.2.5-2ubuntu3.1, does show the list of available

Re: [Bug 222761] Re: [SRU] upsd doesn't start NOT 221737

2008-06-13 Thread Steve Beattie
. That's fine for going forward, but it leaves people who have attempted to use the released package with their problem unaddressed by the update. If that's sufficient for releasing an update, then go ahead, I was just attempting to report the results I found. Thanks. -- Steve Beattie [EMAIL PROTECTED

[Bug 227613] Re: [SRU] SIGSEGV in bacula-fd

2008-06-23 Thread Steve Beattie
Chuck or anyone else, can you improve the test case by giving a sample configuration for testing this bug fix? This is one of the bugfixes we'd like people to try to verify in the special SRU BugHug day tomorrow: https://wiki.ubuntu.com/UbuntuBugDay/20080624 Thanks! -- [SRU] SIGSEGV in

[Bug 227613] Re: [SRU] SIGSEGV in bacula-fd

2008-06-23 Thread Steve Beattie
** Description changed: Binary package hint: bacula bacula-fd has a know bug/crash when the strippath option is used. more information here: http://bugs.bacula.org/view.php?id=1047 The upstream bug has not been fixed in 2.2.8!! + + TEST CASE: + 1. apt-get install bacula-server

[Bug 52866] Re: SOAP response for associative array is different on ubuntu 6.06

2008-07-22 Thread Steve Beattie
I successfully reproduced the faulty behavior in the version of php5 in dapper-updates, 5.1.2-1ubuntu3.10. I then upgraded the php5 related packages to version in dapper-proposed and can confirm that these do correct the behavior above. I've also re-run the php5 component from the

[Bug 252686] Re: Reload action on init script kills daemon

2008-08-05 Thread Steve Beattie
** Also affects: lsb (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=478871 Importance: Unknown Status: Unknown -- Reload action on init script kills daemon https://bugs.launchpad.net/bugs/252686 You received this bug notification because you are a member of Ubuntu

[Bug 228460] Re: /etc/init.d/nagios2 reload kills nagios

2008-08-05 Thread Steve Beattie
*** This bug is a duplicate of bug 252686 *** https://bugs.launchpad.net/bugs/252686 Marking as a duplicate of LP# 252686, which is still open as a possible Hardy Stable Release Update. ** This bug has been marked a duplicate of bug 252686 Reload action on init script kills daemon --

[Bug 253268] Re: php5-cgi not working with suphp in Hardy

2008-08-26 Thread Steve Beattie
** Bug watch added: Debian Bug tracker #477646 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477646 ** Also affects: suphp (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477646 Importance: Unknown Status: Unknown -- php5-cgi not working with suphp in Hardy

[Bug 249824] Re: [intrepid] bind9/named IPv6 unusable

2008-10-17 Thread Steve Beattie
** Also affects: bind9 (Mandriva) via http://qa.mandriva.com/show_bug.cgi?id=43966 Importance: Unknown Status: Unknown -- [intrepid] bind9/named IPv6 unusable https://bugs.launchpad.net/bugs/249824 You received this bug notification because you are a member of Ubuntu Server Team,

[Bug 239513] Re: [SRU] stack smashing detected when calling xmlrpc_set_type

2008-12-04 Thread Steve Beattie
I am able to reproduce this error with php5-xmlrpc 5.2.4-2ubuntu5.3 from hardy-updates on i386, and can confirm that php5-xmlrpc 5.2.4-2ubuntu5.4 in hardy-proposed address the issue. It also passes the security team's regression tests (I've added the above to their testsuite). More checks for

[Bug 239513] Re: [SRU] stack smashing detected when calling xmlrpc_set_type

2008-12-04 Thread Steve Beattie
One last comment: I rebuilt the php package (on i386) using the sources in hardy-proposed; as part of its build, php runs a fairly extensive set of regression tests. There are a couple of new failures versus the results (recorded in the security team's qa-regression-testing bzr tree) from

[Bug 249824] Re: [intrepid] IPv6 unusable

2008-12-16 Thread Steve Beattie
This bug was found in the Intrepid development cycle; removing regression-potential and marking as regression-release. ** Tags added: regression-release ** Tags removed: regression-potential -- [intrepid] IPv6 unusable https://bugs.launchpad.net/bugs/249824 You received this bug notification

[Bug 673102] Re: package clamav 0.95.3 dfsg-1ubuntu0.09.10.3 failed to install/upgrade: problemas de dependencias - se deja sin configurar

2010-11-09 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a regular (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 674245] Re: package apache2.2-common 2.2.14-5ubuntu8.3 failed to install/upgrade: ErrorMessage: il sottoprocesso vecchio script di post-installation ha restituito lo stato di errore 1

2010-11-12 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a regular (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

Re: [Bug 592442] Re: fopen fails on some SSL urls

2010-12-01 Thread Steve Beattie
the warning. -- Steve Beattie sbeat...@ubuntu.com http://NxNW.org/~steve/ -- fopen fails on some SSL urls https://bugs.launchpad.net/bugs/592442 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in ubuntu. -- Ubuntu-server-bugs mailing list

[Bug 592442] Re: fopen fails on some SSL urls

2010-12-01 Thread Steve Beattie
Okay, as pointed out in an earlier comment, the self-signed certificate bit is a red-herring. The failure on maverick looks like it's somehow related to how openssl is attempting to negotiate RFC4507bis session tickets, as running openssl s_client with -no_ticket also works; e.g.: openssl

[Bug 673654] Re: Upcoming clamav release with security fixes

2010-12-08 Thread Steve Beattie
Hi Serge, I've gone ahead and uploaded clamav packages to the ubuntu-security- proposed ppa at https://launchpad.net/~ubuntu-security- proposed/+archive/ppa/ ; please test and report feedback here. In doing so, I ran in to a few issues with your debdiff, mostly having to do with your changelog

[Bug 673654] Re: Upcoming clamav release with security fixes

2010-12-08 Thread Steve Beattie
Also, it would be great if there are proof of concept documents for these issues that testcases based on them be added to the lp:qa- regression-testing tests for clamav.py (i.e. http://bazaar.launchpad.net /~ubuntu-bugcontrol/qa-regression- testing/master/annotate/head%3A/scripts/test-clamav.py )

[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308

2011-01-07 Thread Steve Beattie
I've confirmed that marking the double variables as volatile in maverick's php causes the infinite loop not to get triggered on i386 (and think I understand why that's the case). However, attempts to reproduce the issue with php from 9.10 (karmic), 8.04 (hardy), and 6.06 (dapper) fail for no

[Bug 701765] Re: open_basedir breaks by restricting paths to files that should be allowed; Unknown: Failed opening required '/usr/share/phpmyadmin/index.php' (include_path='.') in Unknown on line 0

2011-01-12 Thread Steve Beattie
** Changed in: php5 (Ubuntu) Status: New = Confirmed ** Changed in: php5 (Ubuntu) Importance: Undecided = High ** Changed in: php5 (Ubuntu) Assignee: (unassigned) = Steve Beattie (sbeattie) -- You received this bug notification because you are a member of Ubuntu Server Team

[Bug 701765] Re: open_basedir breaks by restricting paths to files that should be allowed; Unknown: Failed opening required '/usr/share/phpmyadmin/index.php' (include_path='.') in Unknown on line 0

2011-01-12 Thread Steve Beattie
This looks to be the relevant upstream bug http://bugs.php.net/bug.php?id=53352 and commit: http://svn.php.net/viewvc?view=revisionrevision=305698 that fixed it. I'm building and testing packages with that commit applied to verify it fixes the issue. ** Bug watch added: bugs.php.net/ #53352

[Bug 701765] Re: open_basedir breaks by restricting paths to files that should be allowed; Unknown: Failed opening required '/usr/share/phpmyadmin/index.php' (include_path='.') in Unknown on line 0

2011-01-20 Thread Steve Beattie
The trailing slash issue was fixed with usn-1042-2 (http://www.ubuntu.com/usn/usn-1042-2); my apologies for messing up the changelog bug reference. Andrea, I've reproduced the behavior you're seeing on all Ubuntu releases, as well as debian's 5.3.3-7 package in unstable. I've discussed it briefly

[Bug 704264] Re: package bacula-director-mysql 2.4.4-1ubuntu5 failed to install/upgrade: le sous-processus post-installation script a retourné une erreur de sortie d'état 1

2011-02-07 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a regular (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

  1   2   3   4   5   6   7   8   9   10   >