Bug#1030263: telegram-desktop: Telegram-Desktop ignores Shift-Key
Package: telegram-desktop Version: 4.5.3+ds-1+b1 Severity: normal Hi. Since the latest upgrade, telegram-desktop ignores the shift-modifier on my system. cu AW -- Package-specific info: -- System Information: Debian Release: 11.1 APT prefers testing APT policy: (90, 'testing'), (90, 'stable'), (50, 'unstable'), (40, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.1.4 (SMP w/4 CPU threads; PREEMPT) Kernel taint flags: TAINT_WARN Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages telegram-desktop depends on: ii libabsl20220623 20220623.1-1 ii libavcodec59 7:5.1.2-1 ii libavformat59 7:5.1.2-1 ii libavutil57 7:5.1.2-1 ii libc6 2.36-8 ii libgcc-s1 10.2.1-6 ii libglib2.0-0 2.74.5-1 ii libglibmm-2.68-1 2.74.0-2 ii libhunspell-1.7-0 1.7.0-3 ii libjpeg62-turbo 1:2.1.2-1+b1 ii libkf5coreaddons5 5.101.0-1 ii liblz4-1 1.9.3-2 ii libminizip1 1.1-8+b1 ii libopenal11:1.19.1-2 ii libopus0 1.3.1-0.1 ii libqrcodegencpp1 1.6.0-1 ii libqt5core5a [qtbase-abi-5-15-8] 5.15.8+dfsg-2 ii libqt5gui55.15.8+dfsg-2 ii libqt5network55.15.8+dfsg-2 ii libqt5qml55.15.8+dfsg-2 ii libqt5quickwidgets5 5.15.8+dfsg-2 ii libqt5svg55.15.8-2 ii libqt5waylandcompositor5 5.15.8-2 ii libqt5widgets55.15.8+dfsg-2 ii librlottie0-1 0.1+dfsg-2 ii libsigc++-3.0-0 3.4.0-1 ii libssl3 3.0.7-2 ii libstdc++612.2.0-14 ii libswresample47:5.1.2-1 ii libswscale6 7:5.1.2-1 ii libvpx7 1.12.0-1 ii libwayland-client01.21.0-1 ii libx11-6 2:1.8.3-3 ii libxcb-keysyms1 0.4.0-1+b2 ii libxcb-record01.14-3 ii libxcb-screensaver0 1.14-3 ii libxcb1 1.14-3 ii libxcomposite11:0.4.5-1 ii libxdamage1 1:1.1.5-2 ii libxext6 2:1.3.3-1.1 ii libxfixes31:5.0.3-2 ii libxrandr22:1.5.1-1 ii libxtst6 2:1.2.3-1.1 ii libxxhash00.8.0-2 ii qt5-image-formats-plugins 5.15.2-2 ii zlib1g1:1.2.11.dfsg-2+deb11u2 Versions of packages telegram-desktop recommends: ii fonts-open-sans 1.11-1.1 
ii libwebkit2gtk-4.0-37 2.38.3-1~deb11u1 telegram-desktop suggests no packages. Versions of packages telegram-desktop is related to: pn xdg-desktop-portal pn xdg-desktop-portal-backend -- no debconf information [2023.02.01 11:50:25] Launched version: 4005003, install beta: [FALSE], alpha: 0, debug mode: [FALSE] [2023.02.01 11:50:25] Executable dir: /usr/bin/, name: telegram-desktop [2023.02.01 11:50:25] Initial working dir: /home/aw/ [2023.02.01 11:50:25] Working dir: /home/aw/.local/share/TelegramDesktop/ [2023.02.01 11:50:25] Command line: telegram-desktop [2023.02.01 11:50:25] Executable path before check: /usr/bin/telegram-desktop [2023.02.01 11:50:25] Logs started [2023.02.01 11:50:25] Launcher filename: org.telegram.desktop.desktop [2023.02.01 11:50:25] We use allocator from /lib/x86_64-linux-gnu/libc.so.6 [2023.02.01 11:50:25] Connecting local socket to /tmp/87a6964082b9339a3cac3aa763854bc5-{87A94AB0-E370-4cde-98D3-ACC110C5967D}... [2023.02.01 11:50:25] This is the only instance of Telegram, starting server and app... [2023.02.01 11:50:25] Moved logging from '/home/aw/.local/share/TelegramDesktop/log_start0.txt' to '/home/aw/.local/share/TelegramDesktop/log.txt'! [2023.02.01 11:50:25] Primary screen DPI: 96.2922 [2023.02.01 11:50:25] System tray available: [FALSE] [2023.02.01 11:50:25] Icon theme: hicolor [2023.02.01 11:50:25] Fallback icon theme: hicolor [2023.02.01 11:50:25] App Info: reading settings... [2023.02.01 11:50:25] App Info: reading encrypted settings... [2023.02.01 11:50:26] Lang Info: Loaded cached, keys: 4561 [2023.02.01 11:50:26] Audio Info: Failed to load pipewire 0.3 stubs. [2023.02.01 11:50:26] OpenAL Logging Level: (not set) [2023.02.01 11:50:26] Audio Playback Devices: ALSA Default;HDA Intel PCH, ALC892 Analog (CARD=PCH,DEV=0);HDA Intel PCH, ALC892 Digital (CARD=PCH,DEV=1);HDA Intel PCH, HDMI 0 (CARD=PCH,DEV=3);HDA Intel PCH, HDMI 1 (CARD=PCH,DEV=7);HDA Intel PCH, HDMI 2 (CARD=PCH,DEV=8)
Bug#1020404: luakit: aborts at start
Moin, begin quotation from Markus Demleitner (in <20220921185014.db6o56sxwieo3vnm@victor>): > On Wed, Sep 21, 2022 at 11:36:08AM +0200, Arne Wichmann wrote: > > Bail out! ERROR:common/util.c:67:strip_ansi_escapes: assertion failed (err > > == NULL): Error while compiling regular expression > > ?[\u001b\u009b][[()#;?]*(?:[0-9]{1,4}(?:;[0-9]{0,4})*)?[0-9A-ORZcf-nqry=><]? > > at char 3: unrecognised character following \ (g-regex-error-quark, 103) > > Argl. That's quite certainly the upstream bug > https://github.com/luakit/luakit/issues/1005 Thanks for making me notice that. ;) I will not comment there because I would have to create an account at Microsoft for this. [...] > luakit http://www.tfiu.de/log-escape.html |& cat [...] > Can you build from https://salsa.debian.org/debian/luakit.git and see > whether the thing (a) builds and (b) whether luakit's log messages > are b/w when filtered through cat as above? ... lots of warnings later... (a) it builds (b) the log messages are b/w And it does not crash anymore, so I can use it until something newer is uploaded. Thanks again for the help. cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@saar.de)
Bug#1020404: luakit: aborts at start
Package: luakit Version: 1:2.2.1-1 Severity: grave Justification: renders package unusable Luakit aborts saying: Bail out! ERROR:common/util.c:67:strip_ansi_escapes: assertion failed (err == NULL): Error while compiling regular expression ?[\u001b\u009b][[()#;?]*(?:[0-9]{1,4}(?:;[0-9]{0,4})*)?[0-9A-ORZcf-nqry=><]? at char 3: unrecognised character following \ (g-regex-error-quark, 103) -- System Information: Debian Release: 11.1 APT prefers testing APT policy: (90, 'testing'), (90, 'stable'), (50, 'unstable'), (40, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.18.16 (SMP w/4 CPU threads; PREEMPT) Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages luakit depends on: ii libc6 2.34-7 ii libcairo2 1.16.0-5 ii libgdk-pixbuf2.0-0 2.40.2-2 ii libglib2.0-02.73.3-3 ii libgtk-3-0 3.24.24-4+deb11u2 ii libjavascriptcoregtk-4.0-18 2.36.7-1~deb11u1 ii libluajit-5.1-2 2.1.0~beta3+dfsg-5.3 ii libpango-1.0-0 1.50.9+ds-1 ii libsoup2.4-12.74.2-3 ii libsqlite3-03.34.1-3 ii libwebkit2gtk-4.0-372.36.7-1~deb11u1 ii lua-filesystem [lua5.1-filesystem] 1.8.0-1 luakit recommends no packages. luakit suggests no packages. -- no debconf information
Bug#987784: luakit: Luakit should provide more information why it does not like a certificate
Package: luakit Version: 1:2.2.1-1 Severity: wishlist Tags: upstream When I view a HTTPS-page with no usable certificate, I get a message like the following: Your connection may be insecure! A problem occurred while loading the URL https://[...] Unacceptable TLS certificate: The certificate does not match the expected identity of the site that it was retrieved from. The certificate has expired. In the typical case when that happens, I want to find out what is wrong in more detail. Including a link to a summary of the certificate data would be very helpful. cu AW -- System Information: Debian Release: 10.0 APT prefers testing APT policy: (90, 'testing'), (60, 'stable'), (50, 'unstable'), (40, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.10.28 (SMP w/8 CPU cores; PREEMPT) Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15), LANGUAGE=en_GB.iso885915 (charmap=ISO-8859-15) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages luakit depends on: ii libc6 2.31-11 ii libcairo2 1.16.0-5 ii libgdk-pixbuf2.0-0 2.40.2-2 ii libglib2.0-02.66.8-1 ii libgtk-3-0 3.24.24-3 ii libjavascriptcoregtk-4.0-18 2.32.0-2 ii libluajit-5.1-2 2.1.0~beta3+dfsg-5.1 ii libpango-1.0-0 1.46.2-3 ii libsoup2.4-12.72.0-3 ii libsqlite3-03.34.1-3 ii libwebkit2gtk-4.0-372.32.0-2 ii lua-filesystem [lua5.1-filesystem] 1.6.3-1 luakit recommends no packages. luakit suggests no packages. -- no debconf information
Bug#926644: xpat2: debian/watch should be updated
begin quotation from Axel Beckert (in <20190408114259.gl25...@sym.noone.org>): > uscan on xpat2's source directory bails out as follows: > > > In watch file debian/watch, reading FTP > > directory ftp://sunsite.unc.edu/pub/Linux/games/solitaires/ failed: > > 500 Connection refused > > It seems as if https://www.ibiblio.org/pub/Linux/games/solitaires/ > would be a good replacement. Thank you for the pointer. Whenever I do another upload I will consider this. cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@saar.de)
Bug#878940: xpat2: Windows should be large enough to fit contents
Hi, begin quotation from Andrej Mernik (in <150827088179.9737.3627721575484887746.reportbug@andrej-namizni>): > currently, the game starts in a window which is wide/tall enough for some > games, but too narrow for the others (Spider, Seahaven, Monte Carlo, Midnight > Oil, etc.). This can cause confusion. > > Ideally, the game should start in a window with dimensions big enough to fit > all games. > > The same problem also applies to the help popup window which is tiny by > default (see screenshot). This window should also be at least as big as > the main window. Thanks for the report. I will probably not do much about this in the next months - as there is no upstream and I am not a programmer (even though I can read and write C) I tend to avoid doing bigger changes to the package. Patches are welcome though. cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@saar.de)
Bug#818262: xpat2: Buffer overflow when saving a game in xpat2
Package: xpat2 begin quotation from letouzey (in <20160301115822.16629.45548.report...@septem.inria.fr>): > Trying to save any game in xpat2 under Debian Jessie always triggers a crash > with the following message: Ack - I will look at this as time permits. (Just so you know I received this although the mail probably bounced.) cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@saar.de)
Bug#785326: libavcodec56: CVE-2014-7937 - Multiple off-by-one errors in libavcodec/vorbisdec.c
[reformatted] begin quotation from Sebastian Ramacher (in 20150518184906.ga22...@ramacher.at): On 2015-05-18 20:01:47, Alessandro Ghedini wrote: On Sat, May 16, 2015 at 03:43:37PM +0200, Alessandro Ghedini wrote: On Sat, May 16, 2015 at 03:07:57PM +0200, Sebastian Ramacher wrote: On 2015-05-15 15:22:28, Alessandro Ghedini wrote: On Fri, May 15, 2015 at 11:05:17AM +0200, Sebastian Ramacher wrote: On 2015-05-14 20:41:15, Arne Wichmann wrote: Hi, as far as I can see this has not yet been reported or fixed: CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data [1] I marked this as grave as the impact is unclear and might include arbitrary code execution. Feel free to downgrade if this can be ruled out. (Actually I would like to have a look at the test case to check a bit more thoroughly, but AFAICS I would need to talk to google for this.) [1] https://security-tracker.debian.org/tracker/CVE-2014-7937 https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html A similar commit to the one maintained in this mailing list post was applied to 11.3. So closing with that version. Do you mean the patch at [0]? Honestly it doesn't look like the ffmpeg patch at all, and the commit message doesn't even mention the bug fix. How can you be so sure that the bug is fixed? I might have read the commit wrong. Do you have a sample for this CVE? Unfortunately the reproducer isn't public. I contacted ffmpeg-security about it, I'll keep you posted. I got the reproducer from ffmpeg and it seems that libav in sid isn't affected like Sebastian said. So yeah, this bug should stay closed. I don't know if the patch linked above is what fixed the issue though. Great! Thank you for checking. 
I am not amused about the closedness with that this was handled - but I am very sure that you are not to blame for this. cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de) -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#785326: libavcodec56: CVE-2014-7937 - Multiple off-by-one errors in libavcodec/vorbisdec.c
begin quotation from Sebastian Ramacher (in 20150516130757.ga21...@ramacher.at): On 2015-05-15 15:22:28, Alessandro Ghedini wrote: On Fri, May 15, 2015 at 11:05:17AM +0200, Sebastian Ramacher wrote: Version: 6:11.3-1 On 2015-05-14 20:41:15, Arne Wichmann wrote: Package: libavcodec56 Version: 6:11.3-2 Severity: grave Tags: security Justification: user security hole Hi, as far as I can see this has not yet been reported or fixed: CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data [1] I marked this as grave as the impact is unclear and might include arbitrary code execution. Feel free to downgrade if this can be ruled out. (Actually I would like to have a look at the test case to check a bit more thoroughly, but AFAICS I would need to talk to google for this.) [1] https://security-tracker.debian.org/tracker/CVE-2014-7937 https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html A similar commit to the one maintained in this mailing list post was applied to 11.3. So closing with that version. Do you mean the patch at [0]? Honestly it doesn't look like the ffmpeg patch at all, and the commit message doesn't even mention the bug fix. How can you be so sure that the bug is fixed? I might have read the commit wrong. Do you have a sample for this CVE? There is one referenced in various messages relating to CVE-2014-7937: asan_heap-uaf_18dac2b_9_asan_heap-uaf_22eb375_208_beta3_test_small.ogg unfortunately it is not publicly available AFAICS. You might ask upstream about it. cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. 
(crag, on Debian Planet) Arne Wichmann (a...@linux.de)
Bug#785326: libavcodec56: CVE-2014-7937 - Multiple off-by-one errors in libavcodec/vorbisdec.c
Package: libavcodec56 Version: 6:11.3-2 Severity: grave Tags: security Justification: user security hole Hi, as far as I can see this has not yet been reported or fixed: CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data [1] I marked this as grave as the impact is unclear and might include arbitrary code execution. Feel free to downgrade if this can be ruled out. (Actually I would like to have a look at the test case to check a bit more thoroughly, but AFAICS I would need to talk to google for this.) [1] https://security-tracker.debian.org/tracker/CVE-2014-7937 https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html cu AW -- System Information: Debian Release: stretch/sid APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.7-ckt9 (SMP w/2 CPU cores; PREEMPT) Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages libavcodec56 depends on: ii libavresample2 6:11.3-2 ii libavutil546:11.3-2 ii libc6 2.19-18 ii libgsm11.0.13-4 ii libmp3lame03.99.5+repack1-7 ii libopenjpeg5 1:1.5.2-3 ii libopus0 1.1-2 ii libschroedinger-1.0-0 1.0.11-2.1 ii libspeex1 1.2~rc1.2-1 ii libtheora0 1.1.1+dfsg.1-6 ii libva1 1.5.1-2 ii libvorbis0a1.3.4-2 ii libvorbisenc2 1.3.4-2 ii libvpx11.3.0-3 ii libx264-1422:0.142.2431+gita5831aa-1+b2 ii libx265-43 1.5-1 ii libxvidcore4 2:1.3.3-1 ii multiarch-support 2.19-18 ii zlib1g 1:1.2.8.dfsg-2+b1 libavcodec56 recommends no packages. libavcodec56 suggests no packages. -- no debconf information
Bug#717544: Workaround for CVE-2013-2207
So, as this seems to be around for a bit longer I think mentioning the workarounds would be helpful:
- Make sure user_allow_other is not set in /etc/fuse.conf
- Remove the SUID bit from /usr/lib/pt_chown
This is mostly inferred from [1]. Does this work? When does this not work? Any comment? [1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2207 cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de)
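The two workaround conditions from the CVE-2013-2207 message above, written as a read-only audit. This is an added example, not part of the original message; the function names and the rule for what counts as an active line in /etc/fuse.conf (text after `#` is a comment, surrounding blanks are ignored) are assumptions.

```shell
#!/bin/sh
# Added example: audit a host for the two workaround conditions listed in the
# message. Default paths are the ones named there; both can be overridden so
# the checks can be exercised on constructed files.

# Succeeds if FILE contains an active user_allow_other line.
# Assumption: text after '#' is a comment and surrounding blanks are ignored.
fuse_allows_other() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*(#.*)?$' "$1"
}

# Succeeds if FILE exists and carries the set-user-ID bit.
has_suid_bit() {
    [ -u "$1" ]
}

# Prints one line per check and returns the number of findings (0, 1 or 2).
audit_cve_2013_2207() {
    conf=${1:-/etc/fuse.conf}
    helper=${2:-/usr/lib/pt_chown}
    findings=0
    if fuse_allows_other "$conf"; then
        echo "FINDING: user_allow_other is set in $conf"
        findings=$((findings + 1))
    else
        echo "ok: user_allow_other is not set in $conf"
    fi
    if has_suid_bit "$helper"; then
        echo "FINDING: $helper is set-user-ID (fix: chmod u-s $helper)"
        findings=$((findings + 1))
    else
        echo "ok: $helper is absent or not set-user-ID"
    fi
    return "$findings"
}

# Constructed sample files: audit, apply both workarounds, audit again.
demo_constructed() {
    d=$(mktemp -d) || return 0
    printf '# mount_max = 1000\nuser_allow_other  # enabled for sshfs\n' > "$d/fuse.conf"
    : > "$d/pt_chown"
    chmod 4755 "$d/pt_chown"
    audit_cve_2013_2207 "$d/fuse.conf" "$d/pt_chown" && rc=0 || rc=$?
    echo "findings before workaround: $rc"
    # Comment out the option and drop the set-user-ID bit on the sample files.
    sed 's/^\([[:space:]]*\)user_allow_other/\1#user_allow_other/' \
        "$d/fuse.conf" > "$d/fuse.conf.new" && mv "$d/fuse.conf.new" "$d/fuse.conf"
    chmod u-s "$d/pt_chown"
    audit_cve_2013_2207 "$d/fuse.conf" "$d/pt_chown" && rc=0 || rc=$?
    echo "findings after workaround: $rc"
    rm -rf "$d"
}

demo_constructed
```

Calling `audit_cve_2013_2207` with no arguments checks the real paths named in the message. On Debian, a `chmod u-s` on a packaged file is reverted by the next upgrade of the owning package unless the mode is recorded with `dpkg-statoverride`.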
Bug#698920: fvwm: In FvwmWinList, the list shows the title names instead of the icon names
begin quotation from Vincent Lefevre (in 20150219170837.ga18...@xvii.vinc17.org): On 2015-02-19 16:20:55 +, Thomas Adam wrote: This looks as though it was fixed by being commented out. Note that this is not desirable and as the person who seems to have introduced the bug, I might look into it at some point in the future. What is it you're expecting in terms of confirmation? It'll be in the next FVWM release whenever that is. I thought that there could be a backport for 2.6.5 (which is what Debian is using). Because of this bug, I'm still using an old fvwm version. That would be cool - I pinned fvwm at the wheezy version for the time being. Having a newer version would be charming. cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de)
Bug#508087: closed by Bastian Blank wa...@debian.org (no bug)
Moin! As far as I remember, it was deinstalled automatically during a system upgrade... greetings, arne 2014-09-06 20:30 GMT+02:00 Debian Bug Tracking System ow...@bugs.debian.org: This is an automatic notification regarding your Bug report which was filed against the lvm2 package: #508087: lvm2: should not uninstall when the system is using lvm It has been closed by Bastian Blank wa...@debian.org. Their explanation is attached below along with your original report. If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact Bastian Blank wa...@debian.org by replying to this email. -- 508087: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508087 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- Forwarded message -- From: Bastian Blank wa...@debian.org To: 508087-d...@bugs.debian.org Cc: Date: Sat, 6 Sep 2014 20:28:11 +0200 Subject: no bug A user is allowed to shoot itself in the feet. Bastian -- Those who hate and fight must stop themselves -- otherwise it is not stopped. -- Spock, Day of the Dove, stardate unknown -- Forwarded message -- From: Arne Wichmann arnew-report...@rasentrimmer.org To: Debian Bug Tracking System sub...@bugs.debian.org Cc: Date: Sun, 07 Dec 2008 20:18:40 +0100 Subject: lvm2: should not uninstall when the system is using lvm Package: lvm2 Version: 2.02.39-2 Severity: wishlist maybe a question whether one really wants to uninstall lvm2 when the system is using volumes would be good? 
-- System Information: Debian Release: lenny/sid APT prefers testing APT policy: (900, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores) Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages lvm2 depends on: ii libc62.7-16 GNU C Library: Shared libraries ii libdevmapper1.02.1 2:1.02.27-4 The Linux Kernel Device Mapper use ii libreadline5 5.2-3 GNU readline and history libraries lvm2 recommends no packages. Versions of packages lvm2 suggests: ii dmsetup 2:1.02.27-4 The Linux Kernel Device Mapper use -- no debconf information
Bug#717544: Patch for CVE-2013-2207
begin quotation from Moritz Muehlenhoff (in 20140301122144.ga11...@inutil.org): Version: 2.18-1 On Fri, Aug 23, 2013 at 02:13:40PM +0200, Arne Wichmann wrote: tags #717544 + patch Hi. A patch for CVE-2013-2207 is available on http://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2013-2207 Fixed in sid with commit https://sourceware.org/git/?p=glibc.git;a=commit;h=e4608715e6e1dd2adc91982fd151d5ba4f761d69 What about stable? cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de)
Bug#646020: Ping: CVE-2011-3624
begin quotation from Antonio Terceiro (in 20140212131039.ga2...@debian.org): On Mon, Feb 10, 2014 at 03:49:31PM +0100, Arne Wichmann wrote: There has been no action on this bug for over a year now. Is there any plan to do something about this? not quite - there is no patch for this anywhere - webrick is hardly something that anyone with a little bit of sanity would use in production I see. Maybe there should just be a clear warning against using this (for example by syslogging a warning) and then it could be marked as unimportant in the security tracker... cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de)
Bug#646020: Ping: CVE-2011-3624
Hi! There has been no action on this bug for over a year now. Is there any plan to do something about this? cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de)
Bug#738572: libav-tools: CVE-2011-3935
Package: libav-tools Version: 6:9.11-1 Severity: grave Tags: security Justification: user security hole Hi... As far as I can see, CVE-2011-3935 [1] applies to libav-tools. As the descriptions for the problem are a bit low on information I use a high severity - feel free to lower it if that is not appropriate. A fix for ffmpeg is at [2]. [1] https://security-tracker.debian.org/tracker/CVE-2011-3935 [2] http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=668494acd8b20f974c7722895d4a6a14c1005f1e cu AW -- System Information: Debian Release: jessie/sid APT prefers testing APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.12.9 (SMP w/2 CPU cores; PREEMPT) Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/dash Versions of packages libav-tools depends on: ii dpkg 1.17.6 ii libavcodec54 6:9.11-1 ii libavdevice53 6:9.10-2 ii libavfilter3 6:9.10-2 ii libavformat54 6:9.11-1 ii libavresample1 6:9.11-1 ii libavutil526:9.11-1 ii libbz2-1.0 1.0.6-5 ii libc6 2.17-97 ii libgnutls262.12.23-10+b1 ii libgsm11.0.13-4 ii libmp3lame03.99.5+repack1-3 ii libopenjpeg2 1.3+dfsg-4.7+b1 ii libopus0 1.1-1 ii librtmp0 2.4+20121230.gitdf6c518-1 ii libschroedinger-1.0-0 1.0.11-2 ii libsdl1.2debian1.2.15-8 ii libspeex1 1.2~rc1.1-1 ii libswscale26:9.11-1 ii libtheora0 1.1.1+dfsg.1-3.1 ii libva1 1.2.1-2 ii libvorbis0a1.3.2-1.3 ii libvorbisenc2 1.3.2-1.3 ii libvpx11.3.0-2 ii libx264-1332:0.133.2339+git585324f-2+b1 ii libxvidcore4 2:1.3.2-9 ii zlib1g 1:1.2.8.dfsg-1 libav-tools recommends no packages. Versions of packages libav-tools suggests: pn frei0r-plugins none -- no debconf information
Bug#726578: Ping: pwgen: Multiple vulnerabilities in passwords generation
Thank you for reacting quickly! begin quotation from Theodore Ts'o (in 20140112234500.ga15...@thunk.org): On Sun, Jan 12, 2014 at 09:27:14PM +0100, Arne Wichmann wrote: This grave problem is now open for more than two months. Is there any plan to resolve this? First, the CVE about having the unavailability of /dev/random fail hard -- sure, that should be a separate bug since that's a fix that I think is reasonable at this point. We can now guarantee that /dev/random exists everywhere. (And by that same token, if an attacker can cause /dev/random not to be present, they probably have root, so you're probably toast anyway. So I don't think it's going to really improve things to remove the drand() fallback, but I don't have strong feelings about that.) So you might clone a new bug for this... Secondly, I'll note that one of the CVE's were rejected as not a vulnerability. (In general it would have been better to have opened separate bugs for each CVE.) Different maintainers have different preferences here - I will note that you want separate bugs (as we do for a number of other packages). Finally, whether you think the other two CVE's justify this to be serious, let alone grave bug really depends on what you think the goals of pwgen are. To quote from the manual page: This is your decision - we try to use a fitting severity for every problem, but sometimes the cases are not so clear. The pwgen program generates passwords which are designed to be easily memorized by humans, while being as secure as possible. Human-memorable passwords are never going to be as secure as completely completely random passwords. In particular, passwords generated by pwgen without the -s option should not be used in places where the password could be attacked via an off-line brute-force attack. On the other hand, completely randomly generated passwords have a tendency to be written down, and are subject to being compromised in that fashion. 
So we could change the defaults to be pwgen -csy 20, in which case you would get passwords like this: L}U@lc_~i^n|ro!4uI- 1`;yXlYVMW%?E9)3A7G **}6BoBu=!~3)y?3v]Or =:PC;H?E7*+6$c-QH URGgjUNG[\dSw\p7F-] _AXZ~(HYd8Q#%b!]'u: ~)0I-{)}_Ya*Q2nlWN; ^#t~1/'sf@*xz9GOhBuv e_[-_Fe{CD#]DY8@M^a I'm not sure that would be an improvement, as simply no one would use them. OK, how about this? (Generated using pwgen -s). vQ6uwkMk lSswO2MB tA8dYPpl KU1pQ2Xh 2XfxRyrC Za2xKx7h psPwHZ0c dOsC0JBX JY3udA9c t6LzoiUq M0jR3AoS GOHkNE7G TeThsZz1 6cVi4ayY Poe4hPj7 o2a7OpPC Xh24cRLO 1chQyseV 6c2k0O3B OkdgRxy4 K6Vc4JY2 ylO3IE9B gVvNxw6B 7wjcOXwF Again, this will make the professional paranoids happy (although perhaps not as happy as =:PC;H?E7*+6$c-QH), but it's not clear that real users would be any less likely to write ylO3IE9B on a sticky note which is pasted to their monitor, or just in a passwords file in their home directory. I do not have a really good idea on how to handle this. Some ideas come to mind, mostly inspired by [1]: - Improve the algorithm to be less biased. Though I see that would not be easy. - Warn about the bias - Use -s as default [2] suggests, that there is a patch out there, but I have not yet looked at it. So ultimately, a lot of this is about an argument over defaults, and I think the higher level problem is that no matter what password policy you use, passwords are doomed as a technology. Anything which is secure against a brute force attack is impossible for a user to use, unless they share passwords across multiple sites so they only have to remember one password such as ylO3IE9B --- at which point they get toast once some web site screws up in some way and gets penetrated by bad guys. I see the point, but that does not make the problem go away, and in many cases you do not have so much of a choice, so the program does still have its points. CVE-2013-4440 has an easy fix, isn't it? 
[1] http://www.openwall.com/lists/oss-security/2012/01/19/24 [2] http://marc.info/?l=oss-securitym=138015793928431w=2 cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de) signature.asc Description: Digital signature
Bug#735287: logcheck: invent conditional logging
Package: logcheck
Version: 1.3.15
Severity: wishlist

Hi... There is one thing I would like to have in logcheck for quite a long time already: Invent a mechanism by which a pattern is only mailed (or not mailed) if another pattern was seen a given time before it (or also possibly after it). For example I would like to make reboots invisible on some machines, but I do want to see it if the sshd terminates as long as the machine is not rebooting.

cu AW

-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.12.6 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages logcheck depends on:
ii adduser 3.113+nmu3
ii cron 3.0pl1-124
ii exim4-daemon-light [mail-transport-agent] 4.82-3
ii lockfile-progs 0.1.17
ii logtail 1.3.15
pn mime-construct none
ii rsyslog [system-log-daemon] 7.4.4-1

Versions of packages logcheck recommends:
ii logcheck-database 1.3.15

Versions of packages logcheck suggests:
pn syslog-summary none

-- Configuration Files:
/etc/logcheck/logcheck.conf changed [not included]
/etc/logcheck/logcheck.logfiles [Errno 13] Permission denied: u'/etc/logcheck/logcheck.logfiles'

-- debconf information excluded

-- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
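The conditional rule requested in the report above, sketched as an added example (this is not logcheck code and not part of the original message): an sshd termination is reported unless a reboot marker was logged on the same host within a time window around it. The log lines, both patterns, the window lengths and all function names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from a real host). hostA reboots at
# 09:00; hostB does not reboot at all.
SAMPLE_LOG = """\
Jan 14 03:10:02 hostA sshd[811]: Received signal 15; terminating.
Jan 14 09:00:00 hostA shutdown[4021]: shutting down for system reboot
Jan 14 09:00:05 hostA sshd[1290]: Received signal 15; terminating.
Jan 14 09:00:06 hostB sshd[700]: Received signal 15; terminating.
Jan 14 09:01:30 hostA kernel: Linux version 3.12.6
Jan 14 14:22:40 hostA sshd[1302]: Received signal 15; terminating.
"""

# Hypothetical rule: report REPORT_RE unless CONTEXT_RE was logged on the same
# host at most BEFORE earlier or at most AFTER later.
REPORT_RE = re.compile(r"sshd\[\d+\]: Received signal 15; terminating")
CONTEXT_RE = re.compile(r"shutdown\[\d+\]: shutting down for system reboot")
BEFORE = timedelta(seconds=120)
AFTER = timedelta(seconds=30)

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse(line, year):
    """Split a syslog line into (timestamp, host, message); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def report_lines(log_text, before=BEFORE, after=AFTER, year=2014):
    """Return the raw lines that this one conditional rule would mail."""
    events = []
    for raw in log_text.splitlines():
        parsed = parse(raw, year)
        if parsed:
            events.append(parsed + (raw,))
    # First pass: when and on which host did the suppressing context occur?
    context = [(ts, host) for ts, host, msg, _ in events if CONTEXT_RE.search(msg)]
    reported = []
    for ts, host, msg, raw in events:
        if not REPORT_RE.search(msg):
            continue  # only this rule is evaluated; reboot markers stay invisible
        near_reboot = any(
            h == host and ts - before <= cts <= ts + after for cts, h in context
        )
        if not near_reboot:
            reported.append(raw)
    return reported


if __name__ == "__main__":
    for line in report_lines(SAMPLE_LOG):
        print(line)
```

A tool that reads logs incrementally would have to hold a matching line back until the "after" window has elapsed before deciding whether to mail it.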
Bug#735105: libnss3: CVE-2013-1741 in wheezy
Package: libnss3
Version: 2:3.14.5-1
Severity: important
Tags: security, wheezy, squeeze

Hi! You recently fixed CVE-2013-1741 in unstable, but it is still open for wheezy and squeeze.

cu AW

-- System Information:
Debian Release: 7.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss3 depends on:
ii libc6 2.13-38
ii libnspr4 2:4.9.2-1+deb7u1
ii libnspr4-0d 2:4.9.2-1+deb7u1
ii libsqlite3-0 3.7.13-1+deb7u1
ii multiarch-support 2.13-38
ii zlib1g 1:1.2.7.dfsg-13

libnss3 recommends no packages.
libnss3 suggests no packages.

-- no debconf information
Bug#735105: libnss3: CVE-2013-1741 in wheezy
control: retitle 735105 CVE-2013-1741 and CVE-2013-5606 in wheezy

Hi. The same applies to CVE-2013-5606. (Oops, I sent too fast.)

cu AW
Bug#726578: Ping: pwgen: Multiple vulnerabilities in passwords generation
Hi! This grave problem is now open for more than two months. Is there any plan to resolve this? cu AW
Bug#722540: Ping: CVE-2013-4289 CVE-2013-4290
Hi. Is there any progress on this bug? This grave issue is now open for three months. cu AW
Bug#698920: fvwm: In FvwmWinList, the list shows the title names instead of the icon names
begin quotation from Dan Espen (in ic61s0x85c@home.home):

Arne Wichmann a...@anhrefn.saar.de writes:

begin quotation from Schaaf, Jonathan P (GE Healthcare) (in c2dddb22b0ae094db5f3ce04cb9e2f2615a20...@cinurcna02.e2k.ad.ge.com):

Ok, doing some tests it seems that the logic of setting window/icon names in fvwm is broken. The behavior depends on the ability of the client to do set UTF8-properties, but it is broken in any case. Tests follow:

Just on a hunch, you might want to try this version: ftp://ftp.fvwm.org/pub/fvwm/version-2/fvwm-2.6.3.tar.gz A patch was added in 2.6.4 that seems really suspicious to me. For my own purposes, I've been reverting the patch to event.c that relates to icon names because it's been causing segfaults for me.

The problem doesn't seem to appear with this version.

I've reverted the patch in the 2.6.6 branch. If you have time I'd like to hear if it helps.

If you have an easy way to find and install it I will take a look...

cu AW
Bug#254615: Tar 1.27 supports ACL's
fixed 451932 1.27-3
fixed 254615 1.27-3
thanks

As far as I can see [1] these bugs are fixed in 1.27.

[1] http://git.savannah.gnu.org/cgit/tar.git/plain/NEWS?id=release_1_27

cu AW
Bug#698920: fvwm: In FvwmWinList, the list shows the title names instead of the icon names
begin quotation from Schaaf, Jonathan P (GE Healthcare) (in c2dddb22b0ae094db5f3ce04cb9e2f2615a20...@cinurcna02.e2k.ad.ge.com):

Ok, doing some tests it seems that the logic of setting window/icon names in fvwm is broken. The behavior depends on the ability of the client to do set UTF8-properties, but it is broken in any case. Tests follow:

Just on a hunch, you might want to try this version: ftp://ftp.fvwm.org/pub/fvwm/version-2/fvwm-2.6.3.tar.gz A patch was added in 2.6.4 that seems really suspicious to me. For my own purposes, I've been reverting the patch to event.c that relates to icon names because it's been causing segfaults for me.

The problem doesn't seem to appear with this version.

cu AW
Bug#717009: closed by Reinhard Tartler siret...@tauware.de (Bug#717009: fixed in libav 6:9.9-1)
Hi!

begin quotation from Debian Bug Tracking System (in handler.717009.d717009.138119152026841.notifd...@bugs.debian.org):

This is an automatic notification regarding your Bug report which was filed against the libavcodec53 package: #717009: libavcodec53: CVEs CVE-2013-0844 to CVE-2013-0874, CVE-2013-3670, CVE-2013-3672, CVE-2013-3674 It has been closed by Reinhard Tartler siret...@tauware.de. Their explanation is attached below along with your original report. If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact Reinhard Tartler siret...@tauware.de by replying to this email.

some of these still do not seem fixed to me...

Date: Tue, 16 Jul 2013 02:14:18 +0200
From: Arne Wichmann a...@linux.de
To: Debian Bug Tracking System sub...@bugs.debian.org
Subject: libavcodec53: CVEs CVE-2013-0844 to CVE-2013-0874, CVE-2013-3670, CVE-2013-3672, CVE-2013-3674
X-Mailer: reportbug 6.4.4

Namely the following:
CVE-2013-0845
CVE-2013-0851
CVE-2013-0852
CVE-2013-0868
CVE-2013-3670 looks valid - libav commits given in security tracker fix different things AFAICS
CVE-2013-3672
CVE-2013-3674
Are these irrelevant for libav?

Furthermore:
CVE-2013-0848 - I was not able to find the problem in libav
CVE-2013-0860 - I was not able to find the problem in libav
Can I consider these fixed?

And finally - is there a chance that we get a fixed version for stable, too?

cu AW
Bug#728208: liblcms1: CVE-2013-4160 - lcms can be made to crash
Package: liblcms1
Version: 1.19.dfsg-1.2
Severity: important
Tags: security

Dear Maintainer, CVE-2013-4160 also applies to lcms.

cu AW

-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.11.5 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages liblcms1 depends on:
ii libc6 2.17-93
ii multiarch-support 2.17-93

liblcms1 recommends no packages.

Versions of packages liblcms1 suggests:
pn liblcms-utils none

-- no debconf information
Bug#698920: fvwm: In FvwmWinList, the list shows the title names instead of the icon names
Ok, doing some tests it seems that the logic of setting window/icon names in fvwm is broken. The behavior depends on the ability of the client to do set UTF8-properties, but it is broken in any case. Tests follow:

On urxvt:

(551) aw@anhrefn $ xprop -id 0x328 |grep WM_.*NAME|grep -v LOCALE
_NET_WM_ICON_VISIBLE_NAME(UTF8_STRING) = nix
_NET_WM_VISIBLE_NAME(UTF8_STRING) = nix
_NET_WM_ICON_NAME(UTF8_STRING) = nix
WM_ICON_NAME(STRING) = nix
_NET_WM_NAME(UTF8_STRING) = nix
WM_NAME(STRING) = nix
(552) aw@anhrefn $ echo -ne \033]1;icon\007
(553) aw@anhrefn $ xprop -id 0x328 |grep WM_.*NAME|grep -v LOCALE
_NET_WM_ICON_VISIBLE_NAME(UTF8_STRING) = nix
_NET_WM_VISIBLE_NAME(UTF8_STRING) = nix
_NET_WM_ICON_NAME(UTF8_STRING) = icon
WM_ICON_NAME(STRING) = icon
_NET_WM_NAME(UTF8_STRING) = nix
WM_NAME(STRING) = nix
(554) aw@anhrefn $ echo -ne \033]2;title\007
(555) aw@anhrefn $ xprop -id 0x328 |grep WM_.*NAME|grep -v LOCALE
_NET_WM_ICON_VISIBLE_NAME(UTF8_STRING) = nix
_NET_WM_VISIBLE_NAME(UTF8_STRING) = title
_NET_WM_ICON_NAME(UTF8_STRING) = icon
WM_ICON_NAME(STRING) = icon
_NET_WM_NAME(UTF8_STRING) = title
WM_NAME(STRING) = title
(556) aw@anhrefn $ echo -ne \033]1;icon1\007
(557) aw@anhrefn $ xprop -id 0x328 |grep WM_.*NAME|grep -v LOCALE
_NET_WM_ICON_VISIBLE_NAME(UTF8_STRING) = title
_NET_WM_VISIBLE_NAME(UTF8_STRING) = title
_NET_WM_ICON_NAME(UTF8_STRING) = icon1
WM_ICON_NAME(STRING) = icon1
_NET_WM_NAME(UTF8_STRING) = title
WM_NAME(STRING) = title

On rxvt:

(557) aw@anhrefn $ xprop -id 0x282 |grep WM_.*NAME|grep -v LOCALE
WM_ICON_NAME(STRING) = nix
WM_NAME(STRING) = nix
(558) aw@anhrefn $ echo -ne \033]1;icon\007
(559) aw@anhrefn $ xprop -id 0x282 |grep WM_.*NAME|grep -v LOCALE
WM_ICON_NAME(STRING) = icon
WM_NAME(STRING) = nix
(560) aw@anhrefn $ echo -ne \033]2;title\007
(561) aw@anhrefn $ xprop -id 0x282 |grep WM_.*NAME|grep -v LOCALE
WM_ICON_NAME(STRING) = icon
WM_NAME(STRING) = title

In any of the rxvt-cases, WM_NAME is displayed in FvwmIconMan - although *FvwmIconMan*format %i is in the config file.

cu AW
Bug#687530: eglibc: Patch for CVE-2012-4412
tags 687530 + patch
thanks

Hi! There is a patch for CVE-2012-4412 at https://sourceware.org/git/?p=glibc.git;a=commit;h=303e567a8062200dc06acde7c76fc34679f08d8f

cu AW
Bug#689423: eglibc: Patch for CVE-2012-4424
tags 689423 + patch
thanks

Hi, There is a patch for CVE-2012-4412 at https://sourceware.org/git/?p=glibc.git;a=commit;h=141f3a77fe4f1b59b0afa9bf6909cd2000448883

cu AW
Bug#717544: Patch for CVE-2013-2207
tags #717544 + patch

Hi. A patch for CVE-2013-2207 is available on http://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2013-2207

cu AW
Bug#717178: CVE-2013-4788 - upstream bugreport
There is an upstream bug report for CVE-2013-4788 at http://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2013-4788 cu AW
Bug#712840: CVE-2013-1961 in tiff3 - fix for stable?
Hi! Is there any fix in stable for tiff3 planned? cu AW
Bug#601337: Events related bug reports
begin quotation from David Prévot (in 51e17f25.6040...@debian.org):

begin quotation from Joost van Baal-Ilić (in 20130710193844.go18...@beskar.mdcc.cx):

seems to work: people know who to expect, without too much overhead.

Can people behind events@ have a look at www.d.o/events bug reports, close those that are not relevant anymore, and maybe (propose a way to) fix the others? http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=www.debian.org;ordering=dir#_0_7_3

Ok, I reworked the admin and checklist pages to close #650378. I will not fix #645720 - should I close it wontfix? Regarding #601337 my solution would be to move events/talks and events/speakers to the wiki, which would mostly also close #650378. I will eventually do that if there are no objections.

cu AW
Bug#717009: libavcodec53: CVEs CVE-2013-0844 to CVE-2013-0874, CVE-2013-3670, CVE-2013-3672, CVE-2013-3674
Package: libavcodec53
Version: 6:0.8.7-1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer, I have here another series of CVEs for libav. Some of these are fixed, some of these I was not able to check. Those without comment were checked by me and seem valid - at least to me.

CVE-2013-0845
CVE-2013-0846
CVE-2013-0847 - vim '+/while (avio_tell(s-pb) end' libavformat/id3v2.c
  above command brings you to the suspected problem position in libav, the problem looks solved to me
  This one is actually for libavformat, but I include it here for simplicity
CVE-2013-0848 - I was not able to find the problem in libav
CVE-2013-0849 - fixed in experimental
CVE-2013-0850 - seems fixed in experimental
CVE-2013-0851
CVE-2013-0852
CVE-2013-0853
CVE-2013-0854 - fixed in experimental
CVE-2013-0855 - looks invalid as the problem is checked in alac_set_info
CVE-2013-0856
CVE-2013-0857
CVE-2013-0858 - I was not able to find the problem in libav
CVE-2013-0860 - I was not able to find the problem in libav
CVE-2013-0861
CVE-2013-0865 - fixed in experimental
CVE-2013-0866 - looks fixed. am I correct?
CVE-2013-0867 - I was not able to find the problem in libav
CVE-2013-0868
CVE-2013-0869 - looks fixed. am I correct?
CVE-2013-0870 - seems to be invalid - relevant code fragment is not present in libav
CVE-2013-0873 - looks fixed. am I correct?
CVE-2013-0874 - seems to be invalid - relevant code fragment is not present in libav
CVE-2013-3670 looks valid - libav commits given in security tracker fix different things AFAICS
CVE-2013-3672
CVE-2013-3674

I hope these cases are a bit more well-defined than those I sent in January.

cu soon, hopefully, AW

-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.9.8 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages libavcodec53 depends on:
ii libavutil51 6:0.8.7-1
ii libc6 2.17-7
ii libdirac-encoder0 1.0.2-6
ii libgsm1 1.0.13-4
ii libmp3lame0 3.99.5+repack1-3
ii libopenjpeg2 1.3+dfsg-4.6
ii libschroedinger-1.0-0 1.0.11-2
ii libspeex1 1.2~rc1-7
ii libtheora0 1.1.1+dfsg.1-3.1
ii libva1 1.1.1-3
ii libvorbis0a 1.3.2-1.3
ii libvorbisenc2 1.3.2-1.3
ii libvpx1 1.2.0-2
ii libx264-123 2:0.123.2189+git35cf912-1
ii libxvidcore4 2:1.3.2-9
ii multiarch-support 2.17-7
ii zlib1g 1:1.2.8.dfsg-1

libavcodec53 recommends no packages.
libavcodec53 suggests no packages.

-- no debconf information
Bug#646150: www.debian.org: please define a policy for event locations
begin quotation from David Prévot (in 20130706234216.ga28...@mikado.tilapin.org):

On Sat, Dec 03, 2011 at 10:17:03AM +0800, Paul Wise wrote: On Fri, 2011-12-02 at 15:34 +0100, Luca Capello wrote:

I have started to document this on a wiki page [1], I will wait one more week before sending an RFC to the d-publicity@ mailing list. [1] http://wiki.debian.org/Teams/Events/Policy

Since there doesn't seem to be any team willing to update the www.d.o/events section any more [2], is this issue still relevant? 2: http://anonscm.debian.org/viewvc/webwml/webwml/english/events/index.wml?r1=1.43&r2=1.44

As far as I can see this is not the case. I am not willing to update the events page, but see below.

begin quotation from Luca Capello (in sa7ppurpxub@gismo.pca.it):

On Sun, 07 Jul 2013 01:42:17 +0200, David Prévot wrote: On Sat, Dec 03, 2011 at 10:17:03AM +0800, Paul Wise wrote: [...]

Good catch, bug closed, but as a wontfix since the solution has been implemented in another package (wiki.d.o).

The organization page [3] nevertheless list ten names for that team, is it still relevant to keep it on this page? If so, who is actually still active in this team? 3: http://www.debian.org/intro/organization#publicity

The last check done around 2013-05-20 [4] resulted in at least three replies (Arne, Joost and Martin). I will monitor the events@d.o mailbox until DebConf13 and then step down, after having removed my name from that page (and consequently asking from my removal from events@d.o).

In the last months I have been the only person noticeably reacting to mails to eve...@debian.org apart from Luca. As I am unwilling to work with the debian www pages on a regular basis I stopped maintaining the events list and added a link to the events page at wiki.debian.org. I am willing to keep that current and add any event that is reported to events@d.o. for the time being. If somebody pops up and is willing to maintain the events list I am willing to revert this.

cu AW
Bug#703071: CVE-2011-1187, CVE-2012-0475, CVE-2013-{0773,0775,0776,0780,0782,0783}
This grave bug is now open for more than a month with no action on it. Do you have any plans to do something about it or shall wheezy be released with arbitrary code executions in iceweasel? cu AW
Bug#703071: CVE-2011-1187, CVE-2012-0475, CVE-2013-{0773,0775,0776,0780,0782,0783}
Package: iceweasel
Severity: grave
Tags: security

Hi, the following vulnerabilities were published for iceweasel. (I am aware that these are fixed in experimental, but they should also be fixed in testing and stable. If I can be of assistance please indicate so.)

CVE-2011-1187[0]:
| Google Chrome before 10.0.648.127 allows remote attackers to bypass
| the Same Origin Policy via unspecified vectors, related to an error
| message leak.

CVE-2012-0475[1]:
| Mozilla Firefox 4.x through 11.0, Thunderbird 5.0 through 11.0, and
| SeaMonkey before 2.9 do not properly construct the Origin and
| Sec-WebSocket-Origin HTTP headers, which might allow remote attackers
| to bypass an IPv6 literal ACL via a cross-site (1) XMLHttpRequest or
| (2) WebSocket operation involving a nonstandard port number and an
| IPv6 address that contains certain zero fields.

CVE-2013-0773[2]:
| The Chrome Object Wrapper (COW) and System Only Wrapper (SOW)
| implementations in Mozilla Firefox before 19.0, Firefox ESR 17.x
| before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before
| 17.0.3, and SeaMonkey before 2.16 do not prevent modifications to a
| prototype, which allows remote attackers to obtain sensitive
| information from chrome objects or possibly execute arbitrary
| JavaScript code with chrome privileges via a crafted web site.

CVE-2013-0775[3]:
| Use-after-free vulnerability in the
| nsImageLoadingContent::OnStopContainer function in Mozilla Firefox
| before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before
| 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16
| allows remote attackers to execute arbitrary code via crafted web
| script.

CVE-2013-0780[4]:
| Use-after-free vulnerability in the
| nsOverflowContinuationTracker::Finish function in Mozilla Firefox
| before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before
| 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16
| allows remote attackers to execute arbitrary code or cause a denial of
| service (heap memory corruption) via a crafted document that uses
| Cascading Style Sheets (CSS) -moz-column-* properties.

CVE-2013-0782[5]:
| Heap-based buffer overflow in the nsSaveAsCharset::DoCharsetConversion
| function in Mozilla Firefox before 19.0, Firefox ESR 17.x before
| 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3,
| and SeaMonkey before 2.16 allows remote attackers to execute arbitrary
| code via unspecified vectors.

CVE-2013-0783[6]:
| Multiple unspecified vulnerabilities in the browser engine in Mozilla
| Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird
| before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey
| before 2.16 allow remote attackers to cause a denial of service
| (memory corruption and application crash) or possibly execute
| arbitrary code via unknown vectors.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1187
    http://security-tracker.debian.org/tracker/CVE-2011-1187
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0475
    http://security-tracker.debian.org/tracker/CVE-2012-0475
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0773
    http://security-tracker.debian.org/tracker/CVE-2013-0773
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0775
    http://security-tracker.debian.org/tracker/CVE-2013-0775
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0780
    http://security-tracker.debian.org/tracker/CVE-2013-0780
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0782
    http://security-tracker.debian.org/tracker/CVE-2013-0782
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0783
    http://security-tracker.debian.org/tracker/CVE-2013-0783

Please adjust the affected versions in the BTS as needed.

cu AW
Bug#646570: boot error
begin quotation from Daniel Baumann (in 5130ffa7.4070...@progress-technologies.net):

i think your machine needs the --stupid option of extlinux, please confirm.

Sorry, this machine does not exist any more - so I will not be able to assist further.

cu AW
Bug#681564: fix
begin quotation from Marek Andricik (in 20130123090843.ge3...@mail.vychod.net):

Removing the libdata-alias-perl package helps. Apache and WebGUI works again. Tested on fresh Sid and Wheezy. No other package depended on libdata-alias-perl. I would not call this solution but rather clue for someone more experienced in the matter who can really find the cause and possibly fix it.

Thanks, this workaround helped for the time being.

cu AW
Bug#681888: CVE-2012-3406: exploits in the wild, upstream report?
Hi, just for information: [1] suggests that exploits for one of 340[456] may be out in the wild. Moreover I did not find an upstream glibc-bug about this yet. Is there one?

[1] https://bugs.launchpad.net/ubuntu/%2Bsource/eglibc/%2Bbug/1031301

cu AW
Bug#684889: CVE-2012-3480 - stable update?
Hi! Is there any plan to fix CVE-2012-3480 / #684889 in stable? cu AW
Bug#681564: webgui: apache2 segfaults - same here
Just FYI: I have mostly the same problems here. cu AW
Bug#694483: CVEs: CVE-2012-2882 CVE-2012-5359 CVE-2012-5360 CVE-2012-5361
begin quotation from Reinhard Tartler (in caj0ccebl3xsmm+swok3ocfxsore9nq-yyy7r8_4zyazjt5m...@mail.gmail.com):

Thanks for caring about security in libav. Sorry for the delay. I tried hard to gather additional information about these issues, but was not successful.

Yeah, the information politics of the reporters could be more open.

On Mon, Nov 26, 2012 at 8:30 PM, Arne Wichmann a...@linux.de wrote: I have here another series of CVEs for ffmpeg/libav: CVE-2012-2882

Libav's ogg decoder is a bit different to the one in FFmpeg. Can you please provide a testfile so that we can test if this issue affects Libav at all?

I dug around for a bit and found commit 9e1c55cfdec1e1e46fa39b92ea5c425ba9499c68 for ffmpeg, which seems to address the issue. More effort will follow when I find the reserves for that.

CVE-2012-5359 CVE-2012-5360 CVE-2012-5361 For the last 3 http://technet.microsoft.com/en-us/security/msvr/msvr12-017 claims that they are fixed in ffmpeg 0.11, but the available information on all of them is a bit thin.

Sorry, without proper information what's going on here, there is nothing that we can do about this. Again, please provide a sample that demonstrates the issue.

*nod* Same here.

cu AW
Bug#696447: wesnoth-1.11-dm: Game dies with Error: invalid side(1) found
Package: wesnoth-1.11-dm
Version: 1:1.11.0-1
Severity: normal

Dear Maintainer, While playing 'Delfadors Memoirs' in the scenario DM-Dark_Sky_Over_Weldyn the game dies with Error while playing the game: game_error: invalid side(1) found in unit definition. I will try to attach the relevant save file.

Thanks for this great game! AW

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.35 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages wesnoth-1.11-dm depends on:
ii wesnoth-1.11-core 1:1.11.0-1

wesnoth-1.11-dm recommends no packages.
wesnoth-1.11-dm suggests no packages.

-- no debconf information

DM-Dark_Sky_Over_Weldyn.gz Description: GNU Zip compressed data
Bug#688847: Unclear status of CVE-2012-2774 CVE-2012-2783 CVE-2012-2791 CVE-2012-2797 CVE-2012-2803 CVE-2012-2804
I just had a look at the above mentioned problems and I am a bit unsure about their status. As far as I can see the fixes are not applied, the status in http://security-tracker.debian.org/tracker/source-package/libav still lists these issues as open, but the bug is closed. Are these problems real? Are they fixed? cu AW
Bug#694483: CVEs: CVE-2012-2882 CVE-2012-5359 CVE-2012-5360 CVE-2012-5361
Source: libav
Version: 0.8.4
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer, I have here another series of CVEs for ffmpeg/libav:
CVE-2012-2882
CVE-2012-5359
CVE-2012-5360
CVE-2012-5361
For the last 3 http://technet.microsoft.com/en-us/security/msvr/msvr12-017 claims that they are fixed in ffmpeg 0.11, but the available information on all of them is a bit thin.

Thanks for all the good work! AW

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.29 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Bug#681888: Patch for CVE-2012-3406
tag 681888 + patch thanks There is a fix for CVE-2012-3406 in https://bugzilla.redhat.com/attachment.cgi?id=594722 cu AW
Bug#677195: CVE-2012-2673 - still open in stable
Hi... This bug is still open in stable - is there any plan for a fix? cu AW
Bug#349251: Ping
Hi. Even though this is just a normal bug it does have security implications, and it is open for over 5 years now. Could somebody have a closer look at it? cu AW
Bug#684527: openssl: CVE-2011-5095 - The remote SSL/TLS server accepts a weak Diffie-Hellman public value
Package: openssl Version: 0.9.8o-4squeeze13 Severity: grave Tags: security Justification: user security hole openssl in squeeze (at least up to 0.9.8o-4squeeze13) is vulnerable to CVE-2011-5095 [1]. For reference you might have a look at [2] - the problem seems to be that fips/dh/fips_dh_key.c does not incorporate a fix in crypto/dh/dh_key.c, namely calling DH_check_pub_key, like in [3]. As far as I can see the problem is gone in 1.0.1c - but I leave this bug open for unstable/testing so that it can be doublechecked by someone more versed in openssl. [1] http://security-tracker.debian.org/tracker/CVE-2011-5095 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5095 [2] http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-5095.html [3] http://cvs.openssl.org/chngview?cn=14375 cu AW -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.23 (SMP w/2 CPU cores; PREEMPT) Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/dash Versions of packages openssl depends on: ii libc6 2.13-33 ii libssl1.0.0 1.0.1c-3 ii zlib1g 1:1.2.7.dfsg-13 openssl recommends no packages. Versions of packages openssl suggests: ii ca-certificates 20120623 -- no debconf information
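The kind of check the report above says is missing from the FIPS code path, as an added example that is not part of the original report and not OpenSSL's code: a Python sketch of the range test that DH_check_pub_key applies to a peer's public value, plus a subgroup test that goes beyond what the report discusses. The toy group (p = 23, q = 11, g = 2), the flag values and all function names are constructed for illustration.

```python
"""Validate a peer's Diffie-Hellman public value before using it.

Constructed toy parameters: p = 23 is a safe prime (p = 2q + 1, q = 11)
and g = 2 generates the subgroup of order q. Real groups use primes of
2048 bits or more; the checks are the same.
"""

# Result flags (names and values are this example's own).
TOO_SMALL = 0x01        # y <= 1
TOO_LARGE = 0x02        # y >= p - 1
NOT_IN_SUBGROUP = 0x04  # y**q mod p != 1 (only tested when q is known)

P, Q, G = 23, 11, 2     # constructed toy group, not a real-world group


def check_pub_key(y, p, q=None):
    """Return a bitmask of problems with public value y; 0 means acceptable."""
    codes = 0
    if y <= 1:
        codes |= TOO_SMALL
    if y >= p - 1:
        codes |= TOO_LARGE
    # Subgroup membership goes beyond the plain range test and needs q.
    if codes == 0 and q is not None and pow(y, q, p) != 1:
        codes |= NOT_IN_SUBGROUP
    return codes


def shared_secret_unchecked(peer_y, priv, p):
    """Compute peer_y**priv mod p with no validation (the unpatched path)."""
    return pow(peer_y, priv, p)


def shared_secret_checked(peer_y, priv, p, q=None):
    """Hardened path: refuse degenerate public values before exponentiating."""
    codes = check_pub_key(peer_y, p, q)
    if codes:
        raise ValueError(f"rejected DH public value (codes=0x{codes:02x})")
    return pow(peer_y, priv, p)


def possible_secrets(peer_y, p, q):
    """Shared secrets reachable over every private key in [1, q-1].

    A tiny result set means the secret does not depend on the local
    private key, which is why such public values must be rejected.
    """
    return {shared_secret_unchecked(peer_y, x, p) for x in range(1, q)}


if __name__ == "__main__":
    for y in (0, 1, P - 1, 5, pow(G, 7, P)):
        print(f"y={y:2d}  codes=0x{check_pub_key(y, P, Q):02x}  "
              f"secrets without check={sorted(possible_secrets(y, P, Q))}")
```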
Bug#670636: April security release - fixed in stable-security
fixed 670636 5.1.63-0+squeeze1 thanks 670636 is fixed in stable-security (shouldn't it really be closed now?) cu AW
Bug#663579: CVE-2012-1147 - Not on *nix
readfilemap.c is not compiled on *nix [1]. [1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1147 cu AW
Bug#675872: closed by Debian FTP Masters ftpmas...@ftp-master.debian.org (Bug#680362: Removed package(s) from unstable)
found 675872 5.1.63-0+squeeze1 thanks This is still open in stable. cu AW
Bug#483217: texlive-latex-base: 483217: status?
begin quotation from Norbert Preining (in 20120627143050.ge25...@gamma.logic.tuwien.ac.at): On Mi, 27 Jun 2012, Arne Wichmann wrote: Given that, the relevant files should be removed from debian, as they are not DFSG-free. Am I wrong there? Yes you are. Could you please enlighten me about my misunderstanding? cu AW
Bug#618968: Ping - netgen license problems
begin quotation from Francesco Poli (in 20120625215725.69523c3a3df0a27f62672...@paranoici.org): On Mon, 25 Jun 2012 10:36:50 +0200 Arne Wichmann wrote: So, at least as far as I can see, there are a number of things to be done in various time frames: - Alert enough people to the problem (via debian-user, messages in the packaging, other mailing lists and similar means) I am not sure debian-user is the appropriate place for such a call for help... Well, if you are trying to reach your users, this seems to be a possible vector to me What do you mean by messages in the packaging? At least I get mails by apt-listchanges... Other tactics may also be available - but I am not the epigon of debian packaging. As far as other mailing lists are concerned, I tried to see if other debian-legal participants could join me in this persuasion effort, but I unfortunately received no reply: I do not think that debian-legal is a good starting point for a massive campaign. Maybe debian-science could be another appropriate mailing list, but I suspect that a good number of its participants are already aware of the issue, due to the various bug reports filed against packages maintained by the Debian Science team: #617613, #617931, and #618968 (that is to say, this one). A mail there might still help a bit. - Remove the package from debian if nothing happens. I am trying hard to avoid this, but I am failing to get help from other people... That's really frustrating! :-( *sigh* cu AW
Bug#483217: texlive-latex-base: 483217: status?
begin quotation from Norbert Preining (in 20120619024124.gd14...@gamma.logic.tuwien.ac.at): On Sa, 16 Jun 2012, Arne Wichmann wrote: Bug #483217 about licensing issues in files by Donald Arseneau was given an exception for lenny. Do you plan to do so for squeeze also or has someone managed to convince him to license his work in a more useful way? And for wheezy again? Yes probably. I don't see a reasonable outcome sooner or later. Given that, the relevant files should be removed from debian, as they are not DFSG-free. Am I wrong there? cu AW
Bug#618968: Ping - netgen license problems
begin quotation from Francesco Poli (in 20120620232034.ae7eb33bd4efe458d8ed7...@paranoici.org): On Sat, 16 Jun 2012 18:38:00 +0200 Arne Wichmann wrote: This serious bug is now open without any action for more than a year. Is that supposed to change? Hi Arne, thanks for following up on my bug report. I am personally trying hard to persuade Open CASCADE S.A.S. to re-license Open CASCADE Technology under GPLv2-compatible terms. This is solution (A), as described in my original bug report. I have been pestering Open CASCADE S.A.S. since April 2009... Unfortunately, latest news [1] is that they postponed the decision (again!). [1] http://dev.opencascade.org/index.php?q=node/31#comment-63 However, several months have passed since February 2012 (at least for some definition of several!). Hence, I've recently resumed my persuasion effort. But I need help from other people. *Many* other people. As I repeatedly stated in the bug log [2] of #617613 (especially, please read at least the original report [3]), other people should contact Open CASCADE S.A.S. and try to persuade them to re-license Open CASCADE Technology under GPLv2-compatible terms (for instance, under the GNU LGPL v2.1). If nobody helps me in this persuasion struggle, I am afraid that the only solution will be to remove a number of packages from Debian, which is always a sad defeat! So, at least as far as I can see, there are a number of things to be done in various time frames: - Alert enough people to the problem (via debian-user, messages in the packaging, other mailing lists and similar means) - Remove the package from debian if nothing happens. cu AW
Bug#637488: Ping - remove t1lib
Just to remember... As far as I can see there are no more rdepends left. Are there any more reasons not to remove t1lib? cu AW
Bug#634131: Ping - import error
This serious problem is now unhandled for almost a year. Is there any plan to handle it? cu AW
Bug#637488: Ping - remove t1lib
begin quotation from Adam D. Barratt (in 1339930157.7014.2.ca...@jacala.jungle.funky-badger.org): On Sun, 2012-06-17 at 12:14 +0200, Arne Wichmann wrote: Just to remember... As far as I can see there are no more rdepends left. Are there any more reasons not to remove t1lib? How did you determine that? Running dak rm -Rn t1lib on ftp-master says: It seems I should improve on my tool knowledge. Checking reverse dependencies... # Broken Depends: dvi2ps: dvi2ps [amd64] evince: libevdocument3-4 grace: grace gtkmathview: libgtkmathview-bin libgtkmathview-dev libgtkmathview0c2a lablgtkmathview: liblablgtkmathview-ocaml vflib3: vflib3 [amd64 armel armhf i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 s390x sparc] vflib3-bin vflib3-dev # Broken Build-Depends: claws-mail: libt1-dev evince: libt1-dev grace: libt1-dev gtkmathview: libt1-dev (= 5.1.1-1.1) swftools: libt1-dev vflib3: libt1-dev Dependency problem found. So it is time to file bugs to these respective packages, isn't it? cu AW
Bug#618876: Ping - non-free data
This serious bug is now open for more than a year. Is there any plan to fix it? cu AW
Bug#631051: Ping - onemore build problem
This RC bug is now open for almost one year. Is there any plan to get it fixed? cu AW
Bug#483217: texlive-latex-base: 483217: status?
begin quotation from Paul Wise (in 1268552369.2860.193.camel@chianamo): Ping, Bug #483217 about licensing issues in files by Donald Arseneau was given an exception for lenny. Do you plan to do so for squeeze also or has someone managed to convince him to license his work in a more useful way? And for wheezy again? cu AW
Bug#538822: Ping
So, this is now unhandled for more than 9 months after it seemed almost fixed. What are the problems at the moment? cu AW
Bug#603405: Ping
This serious bug is now unhandled for 18 months. Is there any plan to find a solution for this? cu AW
Bug#579522: Ping
Ok, squeeze is long gone and this serious bug is unhandled for more than 18 months. Is there any plan to fix this? cu AW
Bug#610885: Ping
Is this problem still there and/or is there any plan to work on this for wheezy? cu AW
Bug#618968: Ping - netgen license problems
This serious bug is now open without any action for more than a year. Is that supposed to change? cu AW
Bug#599523: Ping - unexpected downgrades
Is there any progress on this serious bug? It is now unhandled for more than one year. cu AW
Bug#623382: Ping - gnat fatal error - gone away?
tag 623382 + unreproducible thanks I could not reproduce this problem using gnat-4.4 . As it is fixed in gnats in version 4.4 - does it still exist? cu AW
Bug#625657: Transient problem - not RC
tag 625657 - moreinfo severity 625657 important At least I would not consider this release critical. cu AW
Bug#626391: Ping - venkman crashes
This RC bug is now open for more than a year. Even though it is an upstream bug, it might be worthwhile to reconsider the situation. cu AW
Bug#627174: Ping - FTBFS
This RC bug is now pending for more than one year. Is there any plan to change this? cu AW
Bug#609537: Ping - /etc/init.d/mysql stop problems
This RC bug is now unfixed for more than a year - the solution from 4dd128e8.1080...@gmail.com looks promising, but there was no action on it. Is there any plan for a change? cu AW
Bug#629154: Ping - packages using python-support are configured before they are usable
Ok, this has now had time to be considered for a year - isn't it time to do something about it? cu AW
Bug#629730: Ping - FTBFS
This RC bug is patched but unfixed for more than a year now. Is there any plan to change this? cu AW
Bug#628455: CVE-2011-1521 again
unarchive 628455 found 628455 2.6.6-8+b1 thanks Ok, this is still open. There is a fix: http://hg.python.org/cpython/raw-rev/9eeda8e3a13f I think the last hunk will not apply cleanly, but as this is just NEWS it should not be a problem. cu AW
Bug#675872: mysql-server-5.1: CVE-2012-0882 - one more underspecified security problem
Package: mysql-server-5.1 Version: 5.1.61-0+squeeze1 Severity: important Hi. Quoting from the RedHat Bugreport [1]: CVE-2012-0882: unspecified remote exploit (released with VulnDisco Pack Professional 9.17). This is mostly a heads-up as there is not enough information to fix this bug. See also: [2] [3] [4] [1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0882 [2] http://security-tracker.debian.org/tracker/CVE-2012-0882 [3] http://www.openwall.com/lists/oss-security/2012/02/24/3 [4] http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-0882.html cu AW -- System Information: Debian Release: 6.0.4 APT prefers stable APT policy: (500, 'stable'), (80, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-042stab049.6 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/bash
Bug#665012: CVE-2012-1570 not yet fixed in stable
begin quotation from Moritz Mühlenhoff (in 20120416154357.GA4565@pisco.westfalen.local): On Mon, Apr 16, 2012 at 12:43:40AM +0100, Nicholas Bamber wrote: On 15/04/12 16:18, Arne Wichmann wrote: Found: 665012 1.4.03-1.1 As far as I can see this is not yet fixed in stable. cu AW Arne, All the security issues are present in the stable release. I never got a reply from the security team to my last proposed upload though the security profile was slightly different then. This issue doesn't warrant a DSA. You can fix it through a stable point update instead. So, is there a chance to see a fix to this in a stable point update? cu AW
Bug#672660: linux-2.6: CVE-2012-0810 kernel-rt: stack corruption when task gets scheduled out using the debug stack
Package: linux-2.6 Version: 3.2.16-1 Severity: grave Tags: security Justification: user security hole This seems to have slipped through the kernel-sec repository... Citing Redhat: The issue is that the int3 handler uses a per CPU debug stack, and calls do_traps() with interrupts enabled but preemption disabled. Then a signal is sent to the current process, and the code that handles the signal grabs a spinlock. This spinlock becomes a mutex (sleeping lock) when CONFIG_PREEMPT_RT_FULL is enabled. If there is contention on this lock then the task may schedule out. As the task is using a per CPU stack, and another task may come in and use the same stack, the stack can become corrupted and cause the kernel to panic. http://security-tracker.debian.org/tracker/CVE-2012-0810 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0810 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0810 Keep up the good work, AW -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.16 (SMP w/2 CPU cores; PREEMPT) Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/dash
Bug#672218: rsyslog: Logrotate error message
Package: rsyslog Version: 5.8.11-1 Severity: normal Dear Maintainer, For some time now I receive some new error messages by mail from cron: /etc/cron.daily/logrotate: invoke-rc.d: action rotate is unknown, but proceeding anyway. As far as I can see they are coming from /etc/logrotate.d/rsyslog : --- snip --- postrotate invoke-rc.d rsyslog rotate > /dev/null endscript --- snip --- Greetings, AW -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.15 (SMP w/2 CPU cores; PREEMPT) Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/dash Versions of packages rsyslog depends on: ii initscripts 2.88dsf-22.1 ii libc6 2.13-32 ii lsb-base 4.1+Debian2 ii zlib1g 1:1.2.6.dfsg-2 Versions of packages rsyslog recommends: ii logrotate 3.8.1-1 Versions of packages rsyslog suggests: pn rsyslog-doc none pn rsyslog-gnutls none pn rsyslog-gssapi none pn rsyslog-mysql | rsyslog-pgsql none pn rsyslog-relp none -- Configuration Files: /etc/logcheck/ignore.d.server/rsyslog [Errno 13] Permission denied: u'/etc/logcheck/ignore.d.server/rsyslog' -- debconf-show failed
Bug#631017: crash on group reply
tags 631017 + upstream confirmed This problem is known upstream: http://dev.mutt.org/trac/ticket/3531 cu AW
Bug#656716: displays text/x-gettext attachment with internal viewer ignoring ~/.mailcap
tags 656716 + moreinfo thanks It seems to me that this is as documented in Chapters 5.3 and 5.4 in the manual. If you want text/x-gettext not to be displayed using the internal viewer you could set auto_view text/x-gettext in your .muttrc . You can then use 'm' in the attachment menu to view the message using vim. Does this solve your problem? Did I misunderstand your problem? cu AW
Bug#670076: pam: CVE-2011-3628 - pam_motd does not sanitize environment
Source: pam Severity: normal Tags: security Hi, citing from ubuntu (https://bugs.launchpad.net/ubuntu/+source/pam/+bug/610125/comments/0): pam_motd calls the scripts in /etc/update-motd.d/ as root without sanitising the environment. While that is acceptable when called for instance by sshd or by getty through login where the environment should be controlled, it becomes an issue if for instance session optional pam_motd.so is added to /etc/pam.d/su With that done, a user can simply update his $PATH to look first in a directory that contains malicious replacements for commands called by the /etc/update-motd.d/ scripts (for instance uname called by 00_header). pam_motd should perform the same kind of sanitisation as pam_exec, or even better not do the run-part /etc/update-motd.d/ at all but add some pam_exec calls to the pam configuration. That issue is made worth by the fact that the running of those scripts by pam_motd is not documented. Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3628 for some (well...) information. cu AW -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.14 (SMP w/2 CPU cores; PREEMPT) Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/dash
Bug#619405: Forward this?
At least as far as I can see this is clearly a bug - shouldn't it be forwarded? cu AW
Bug#585559: mutt: tokyocabinet is slower than gdbm
So, what happened to these benchmarks? cu AW
Bug#423931: Forward this?
Isn't 600962 somewhat resolved now, at least to the point that we should forward this bug? cu AW
Bug#665012: CVE-2012-1570 not yet fixed in stable
Found: 665012 1.4.03-1.1 As far as I can see this is not yet fixed in stable. cu AW
Bug#652631: www.debian.org: please clarify the distinction between 'events@d.o' and 'debian-events-*@lists.d.o'
[partly reformatted] begin quotation from Francesca Ciceri (in 20120221135142.gh8...@zouish.org): sorry for the late reply on this important discussion: lately I was really really busy (in real life) and I just did Debian work if cruelly pinged ;). Same for me. On Mon, Dec 26, 2011 at 01:30:10AM +0100, Bernd Zeimetz wrote: On 12/25/2011 11:11 PM, Arne Wichmann wrote: [...] b) at least for those who have access to Debian machines nothing is happening behind the scene, given that 'events@d.o' is archived on master [8]. [8] http://anonscm.debian.org/viewvc/webwml/webwml/english/events/README?revision=1.8view=markup Hm. Where is the archive? I have not. Am I the only one to which this applies? No. we often have people organizing stuff which are not DDs. Not-DDs can be added to @debian.org alias: at least I was added at events@d.o when I wasn't a DD yet, and the same happened for cdvend...@debian.org. Wrt organization: wiki is really useful for organizing stuff. And is also quite easy to follow the organization process *if* you're aware of the existence of the wikipage. Yep, this is one of the points. On Mon, Dec 26, 2011 at 01:30:10AM +0100, Bernd Zeimetz wrote: May be the events team should - instead of founding itself - talk to those people who are known to provide merch and booth material if they want to join and what they can provide? [...] Even better: the even team should consist of people from each d-events-$(locale) list (probably those who are organizing a lot of stuff). Oh!! Finally! To make a long story short: I have no experience of organizing events, for instance, and I'm in the events team just to do the promoting/www part. It's quite a while that me and Luca are talking about enlarge the team, to include at least 1 person from each part-of-the-world where events are more regularly organized. This person need to be one who often organizes events/booths, so someone with experience and who knows practical things about events. 
Now, we usually have a lot of events in Europe mostly in the German-speaking area, but also in France and UK. Then we have few events in the US, some in Hispano America and Brazil and a *lot* of events in India (thanks to the Debian India group) and some in Taiwan. I've thought about a couple of names for some of these areas (please fill the list of possible candidates for this area, or propose yourself!), to be part of the events team: German-speaking area: Annette Kalbow, Arne Wichmann, Axel Beckert, Franziska Lichtblau I, at least, am not opposed to the idea. France-speaking area: Carl Chenet, Sylvestre Ledru UK: ... US: ... Hispano America: Fernando Estrada, Gunnar Wolf Brazil: Ana Caroll Comandulli, Marcelo Santana India: Praveen Arimbrathodiyil Taiwan: Andrew Lee -nl had a quite active community when I last looked at it... [...] If you all agree on this part, I'd really like to start to send some invitation to the events team. ;) Do. ;) begin quotation from Franziska Lichtblau (in 20120223082519.ga31...@old-forest.org): Hey, On Tue, Feb 21, 2012 at 02:51:42PM +0100, Francesca Ciceri wrote: [...] First of all, just a correction: On Mon, Dec 26, 2011 at 01:30:10AM +0100, Bernd Zeimetz wrote: On 12/25/2011 11:11 PM, Arne Wichmann wrote: [...] b) at least for those who have access to Debian machines nothing is happening behind the scene, given that 'events@d.o' is archived on master [8]. [8] http://anonscm.debian.org/viewvc/webwml/webwml/english/events/README?revision=1.8view=markup I have not. Am I the only one to which this applies? No. we often have people organizing stuff which are not DDs. Not-DDs can be added to @debian.org alias: at least I was added at events@d.o when I wasn't a DD yet, and the same happened for cdvend...@debian.org. Arne, Axel and me talked about this to Luka at Fosdem - this problems seems to be solved. Hm. What was the solution? I remember, at least for me it was mainly a clarification of the workflow, as Rhalina wrote below. 
Wrt organization: wiki is really useful for organizing stuff. And is also quite easy to follow the organization process *if* you're aware of the existence of the wikipage.

Same thing applies here: There seems to be just a misunderstanding. So the workflow as I understood it is: Find an event, create a Wikipage, send event-+wikilink to events@d.o and everything is fine. From there on the event will be promoted and the organisation can happen in the wiki or via mailinglist etc.

And this should be documented prominently - the workflow of event organization. In my view it should be the following:

- If you find an event in which Debian could possibly take part, mail to debian-events-region.
- If you want to organize an event create a wiki page for it (documentation how to do
Bug#655154: woof: No space left on device when /tmp is full
Package: woof
Version: 20091227-2
Severity: normal

Dear Maintainer,

today woof threw exceptions while receiving an uploading file.

* What led up to the situation?

While using the upload-function, uploading to a machine with a 50MB /tmp (my router) i encountered No space left on device exception. woof was started in a directory where enough space was provided for the expected data and (smaller) testuploads succeeded.

* What was the outcome of this action?

Exception happened during processing of request from ('__.__.__.__', 49201)
Traceback (most recent call last):
  File /usr/lib/python2.6/SocketServer.py, line 560, in process_request_thread
    self.finish_request(request, client_address)
  File /usr/lib/python2.6/SocketServer.py, line 322, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File /usr/lib/python2.6/SocketServer.py, line 617, in __init__
    self.handle()
  File /usr/lib/python2.6/BaseHTTPServer.py, line 329, in handle
    self.handle_one_request()
  File /usr/lib/python2.6/BaseHTTPServer.py, line 323, in handle_one_request
    method()
  File /usr/bin/woof, line 153, in do_POST
    strict_parsing = 1)
  File /usr/lib/python2.6/cgi.py, line 508, in __init__
    self.read_multi(environ, keep_blank_values, strict_parsing)
  File /usr/lib/python2.6/cgi.py, line 637, in read_multi
    environ, keep_blank_values, strict_parsing)
  File /usr/lib/python2.6/cgi.py, line 510, in __init__
    self.read_single()
  File /usr/lib/python2.6/cgi.py, line 647, in read_single
    self.read_lines()
  File /usr/lib/python2.6/cgi.py, line 669, in read_lines
    self.read_lines_to_outerboundary()
  File /usr/lib/python2.6/cgi.py, line 720, in read_lines_to_outerboundary
    self.__write(odelim + line)
  File /usr/lib/python2.6/cgi.py, line 679, in __write
    self.file.write(line)
IOError: [Errno 28] No space left on device

* What outcome did you expect instead?

I would have expected that woof does not use /tmp to cache large files. A cache in the destination directory seems more appropriate.

Yours, arne wichmann

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages woof depends on:
ii  python  2.6.7-3

woof recommends no packages.

woof suggests no packages.

-- no debconf information
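The behaviour the report asks for, spooling the upload inside the destination directory rather than in /tmp, can be sketched as follows. This is an added example, not woof's code; receive_upload, DroppedConnection and demo_upload are hypothetical names and the inputs are constructed.

```python
import io
import os
import shutil
import tempfile


def receive_upload(stream, dest_dir, filename, chunk_size=64 * 1024):
    """Spool an upload inside dest_dir (not /tmp), then rename it into place."""
    # Keep only the last path component so a client-supplied name cannot
    # point outside dest_dir.
    safe_name = os.path.basename(filename.replace("\\", "/"))
    if safe_name in ("", ".", ".."):
        raise ValueError("unusable upload filename: %r" % (filename,))
    final_path = os.path.join(dest_dir, safe_name)

    # dir=dest_dir keeps the spool file on the target filesystem, so the
    # free space that matters is the destination's and os.replace() is atomic.
    tmp = tempfile.NamedTemporaryFile(dir=dest_dir, prefix=".upload-",
                                      delete=False)
    try:
        with tmp:
            shutil.copyfileobj(stream, tmp, chunk_size)
        os.replace(tmp.name, final_path)
    except BaseException:
        # Disk full or dropped connection: leave no partial file behind.
        if os.path.exists(tmp.name):
            os.unlink(tmp.name)
        raise
    return final_path


class DroppedConnection:
    """Constructed input: delivers one chunk, then the peer disappears."""

    def __init__(self):
        self.sent = False

    def read(self, n=-1):
        if self.sent:
            raise ConnectionResetError("peer went away")
        self.sent = True
        return b"partial"


def demo_upload():
    """Return ((stored in dest?, size), directory listing after a failed upload)."""
    with tempfile.TemporaryDirectory() as dest:
        path = receive_upload(io.BytesIO(b"x" * 200000), dest,
                              "../../etc/report.bin")
        ok = (os.path.dirname(path) == dest, os.path.getsize(path))
        try:
            receive_upload(DroppedConnection(), dest, "broken.bin")
        except ConnectionResetError:
            pass
        return ok, sorted(os.listdir(dest))


if __name__ == "__main__":
    print(demo_upload())
```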
Bug#646570: boot error
begin quotation from Daniel Baumann (in 4ef8ead4.7080...@progress-technologies.net): can you reproduce it with 4.05? Yes. (Installed, wrote the mbr, rebooted, same problem.) cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de)
Bug#652631: www.debian.org: please clarify the distinction between 'events@d.o' and 'debian-events-*@lists.d.o'
I kept debian-events-eu and events in the recipients list - I feel that the discussion is relevant there. I will trim the reference mail heavily. begin quotation from Luca Capello (in 87vcpchgy1.fsf...@gismo.pca.it): On Sun, 18 Dec 2011 15:50:05 +0100, Axel Beckert wrote: Bernd Zeimetz wrote: On 12/18/2011 01:03 PM, Arne Wichmann wrote: begin quotation from Luca Capello (in 877h2jm9bv@gismo.pca.it): I do not like the way things are handled in that mail. I do not feel that centralization is a good idea for event handling, but this is what is being done: eve...@debian.org is an interface in which I as non-DD can not participate in. http://wiki.debian.org/CategoryEvents is global and very unsorted and not very usable to alert me to what is happening. Were your feelings also influenced by how the CeBIT 2012 booth is being organized [7]? This was the first time the Events team was contacted by the organizers of an event, in a non-English language, so I am for any improvements in the workflow I followed [4]. [7] http://lists.debian.org/874nx0n9zh@gismo.pca.it No, as I have decided not to participate in organizing this (no time, too far away, no crash space near the event) I did not devote too much attention. [...] I structured my reply on points, it should be easier to reply. a) there is no Events cabal ;-) b) at least for those who have access to Debian machines nothing is happening behind the scene, given that 'events@d.o' is archived on master [8]. [8] http://anonscm.debian.org/viewvc/webwml/webwml/english/events/README?revision=1.8view=markup I have not. Am I the only one to which this applies? c) I do not consider *any* wiki as official documentation, which means that the wikipage Arne referred to [9] should not be used as such. [9] http://wiki.debian.org/CategoryEvents On the other hand, a wiki page is a good means to organise events.
d) I think there is a misunderstanding of what I wrote at [6], here the extract of my words: --8---cut here---start-8--- Submitting an event === This is the easiest part: whenever you know of any event Debian is present, simply send an email in English to eve...@debian.org [15]. We will then do all the necessary steps to find someone willing to participate/coordinate the Debian presence and announce the event to the appropriate debian-events-* mailing lists [16][17][18][19], if not already done. --8---cut here---end---8--- As far as I read the text above, the Events team *does* not organize an event, instead it will (or it should or, if you prefer, I think it should): 1. receive notice of an event Debian will take part in. 2. if not already present, find the main responsible for that event (we request that for the entry in the event page [10][11]). 3. add the event to the event page [11]. 4. if not already done, announce the event to the (language/region- specific) debian-events-*@ mailing list, so the *official* event page at [11] can be used. [10] http://anonscm.debian.org/viewvc/webwml/webwml/english/events/event.form?revision=1.10view=markup [11] http://www.debian.org/events I still fail to see why/how you think that the Events team wants to centralize how events are managed, while we try to publicize as much/best as possible the highest number of events *through* official channels. At DebConf11, during the Events BoF [12] this topic was discussed again and I thought what I summarized in the report [13] was the consensus drawn from the discussion, let me quote my words: My argument is: event coordination should be possible without a central instance. At the moment the workflow is: mail the event to debian-events-$locale (using suitable locale), the organizer mails that he is doing so to the same mailing list and typically creates a wiki page for further organizing. There is no human single point of failure in that workflow. 
Moreover the workflow works for everyone, not only DDs. I am not against informing events@d.o, though. --8---cut here---start-8--- First, for the mailing list, the idea would be to still use the already-established debian-events-$SOMETHING [13] mailing list for coordination, with a new mailing list for announcement only (both minor and major events). This should be a restricted-posting mailing list (probably Events and Press membership only): its aim is to provide email notifications whenever a new event is added to the website. A parallel approach would be to duplicate the announcements on Planet Debian, but these points must be coordinated with the Publicity team. --8---cut here---end---8--- [12] http://penta.debconf.org/dc11_schedule/events/731.en.html [13] http
Bug#650555: python2.7: distutils creates .pypirc insecurely
Package: python2.7
Version: 2.7.2-7
Severity: important
Tags: security

Just to have it visible from python2.7, too:

-- begin citation --
distutils uses this method to create .pypirc:

    def _store_pypirc(self, username, password):
        """Creates a default .pypirc file."""
        rc = self._get_rc_file()
        f = open(rc, 'w')
        try:
            f.write(DEFAULT_PYPIRC % (username, password))
        finally:
            f.close()
        try:
            os.chmod(rc, 0600)
        except OSError:
            # should do something better here
            pass

There is a tiny timing window between write() and chmod() calls in which the file (with user's password) is world-readable.

-- Jaku Wilk
-- end citation --
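The window described in the report, next to one way of closing it by creating the file with mode 0600 before any secret is written. This is an added example in Python 3, not the distutils code or its eventual fix; PYPIRC_TEMPLATE, store_racy, store_safely and demo_pypirc are hypothetical names and the credentials are constructed.

```python
import os
import stat
import tempfile

# Constructed stand-in; distutils' real DEFAULT_PYPIRC is not shown on the page.
PYPIRC_TEMPLATE = "[pypi]\nusername:%s\npassword:%s\n"


def file_mode(path):
    """Return just the permission bits of path."""
    return stat.S_IMODE(os.stat(path).st_mode)


def store_racy(rc, username, password):
    """Open, write, then chmod: the order used by the quoted method.

    Returns the mode the file had after write() and before chmod().
    """
    f = open(rc, "w")
    try:
        f.write(PYPIRC_TEMPLATE % (username, password))
    finally:
        f.close()
    mode_in_window = file_mode(rc)  # what other local users could see
    os.chmod(rc, 0o600)
    return mode_in_window


def store_safely(rc, username, password):
    """Restrict the file to its owner before any secret is written."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    flags |= getattr(os, "O_NOFOLLOW", 0)  # do not write through a symlink
    fd = os.open(rc, flags, 0o600)  # a new file is born with mode 0600
    try:
        # An existing file keeps its old mode, so tighten it through the
        # descriptor while it is still empty.
        os.fchmod(fd, 0o600)
        f = os.fdopen(fd, "w")
    except BaseException:
        os.close(fd)
        raise
    with f:
        f.write(PYPIRC_TEMPLATE % (username, password))
    return file_mode(rc)


def demo_pypirc():
    """Run both variants under the common umask 022 in a scratch directory."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            racy = store_racy(os.path.join(d, "racy"), "user", "secret")
            fresh = store_safely(os.path.join(d, "fresh"), "user", "secret")
            loose = os.path.join(d, "loose")  # pre-existing, world-readable
            open(loose, "w").close()
            os.chmod(loose, 0o644)
            reused = store_safely(loose, "user", "secret")
    finally:
        os.umask(old_umask)
    return racy, fresh, reused


if __name__ == "__main__":
    print([oct(m) for m in demo_pypirc()])
```

Under umask 022 the racy variant leaves the password in a 0644 file until chmod() runs, while the other variant never exposes a non-empty file with looser permissions than 0600.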
Bug#641738: Ping
This grave bug is now pending for almost 2 months. Is there any update on the situation? cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de)
Bug#648021: fail2ban: Logfile in UTC, localtime UTC+1 - no entries found
begin quotation from Yaroslav Halchenko (in 2008125849.gz8...@onerussian.com): On Tue, 08 Nov 2011, a...@old-forest.org wrote: My workaround is 'fail2ban-client set ssh findtime 4600', which is a bit ugly. A nicer approach would be to make a time offset settable. hm... i.e. custom time offset per each jail? Yep. Or for the whole package. But I have not thought that through. cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de)
Bug#646570: extlinux: Boot error on boot
begin quotation from Daniel Baumann (in 4ea5.1010...@progress-technologies.net): On 10/26/2011 11:42 AM, Arne Wichmann wrote: anhrefn# /sbin/fdisk -l /dev/hda [...] /dev/hda3 * 3984120 586067264 291041572+ 83 Linux something is fishy here; you're claiming you're using wheezy/sid, yet your harddisk is /dev/hd* and not /dev/sd*. Yep, this is an old system on old hardware. given that you appear to use an ide disk and thus using an old machine.. are you sure your bios can boot stuff beyond 1024 cylinders? to rule it out, repartition and make your /boot the first partition on that disk. Ok, I moved /boot to another partition on the beginning of the disk and retried - no change. cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de)
Bug#646570: extlinux: Boot error on boot
begin quotation from Daniel Baumann (in 4ea6984a.1050...@progress-technologies.net): On 10/25/2011 11:20 AM, Arne Wichmann wrote: After running extlinux-install /dev/hda extlinux-update the order should be extlinux-update, and then extlinux-install; not the other way round. please retry.. I tried that, the outcome did not change. cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de)
Bug#646570: extlinux: Boot error on boot
begin quotation from Daniel Baumann (in 4ea7c0cc.80...@progress-technologies.net): On 10/26/2011 10:00 AM, Arne Wichmann wrote: I tried that, the outcome did not change. what filesystem does your /boot use? how does your /etc/default/extlinux, /boot/extlinux/* and /boot/* look like? are you using mbr or gpt? /boot: /dev/hda3 on / type ext3 (rw) I do not use mbr or gpt at the moment. Configuration is mostly as installed by dpkg, details follow... (511) aw@anhrefn $ ls /boot System.map-2.6.32config-2.6.39 memtest86+.bin System.map-2.6.38config-3.0.0 memtest86+_multiboot.bin System.map-2.6.39debian-de.bmp memtest86.bin System.map-3.0.0 debian.bmp onlyblue.bmp any_b.b.preserveddebianlilo.bmp sarge.bmp any_d.b.preservedextlinux sid.bmp boot-compat.b.preserved grub tuxlogo.bmp boot.0300initrd.img-2.6.32 vmlinuz-2.2.13 boot.0340initrd.img-2.6.38 vmlinuz-2.2.18 boot.0800initrd.img-2.6.39 vmlinuz-2.6.32 boot.0803initrd.img-3.0.0 vmlinuz-2.6.38 boot.1600inside.bmp vmlinuz-2.6.39 coffee.bmp mapvmlinuz-3.0.0 config-2.6.32mbr-hda.old config-2.6.38mbr-hda3.old The contents of /boot feel too much to append - if you want more details than this please ask again. /etc/default/extlinux: ## /etc/default/extlinux - configuration file for extlinux-update(8) EXTLINUX_UPDATE=true EXTLINUX_ALTERNATIVES=default recovery EXTLINUX_DEFAULT=l0 EXTLINUX_ENTRIES=all EXTLINUX_MEMDISK=true EXTLINUX_MEMDISK_DIRECTORY=/boot EXTLINUX_MENU_LABEL=Debian GNU/Linux, kernel EXTLINUX_OS_PROBER=true EXTLINUX_PARAMETERS=ro quiet EXTLINUX_ROOT=root=/dev/hda3 EXTLINUX_THEME=debian EXTLINUX_TIMEOUT=50 /boot/extlinux/extlinux.conf: ## /boot/extlinux/extlinux.conf ## ## IMPORTANT WARNING ## ## The configuration of this file is generated automatically. 
## Do not edit this file manually, use: extlinux-update default l0 prompt 1 timeout 50 include themes/debian/theme.cfg /boot/extlinux/memdisk.cfg is empty (only comments) /boot/extlinux/{memdisk,ldlinux.sys} are binary files as installed /boot/extlinux/themes is a directory (unchanged from dpkg) /boot/extlinux/linux.cfg is appended cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de) ## /boot/extlinux/linux.cfg ## ## IMPORTANT WARNING ## ## The configuration of this file is generated automatically. ## Do not edit this file manually, use: extlinux-update label l0 menu label Debian GNU/Linux, kernel 3.0.0 kernel /boot/vmlinuz-3.0.0 append initrd=/boot/initrd.img-3.0.0 root=/dev/hda3 ro quiet label l0r menu label Debian GNU/Linux, kernel 3.0.0 (recovery mode) kernel /boot/vmlinuz-3.0.0 append initrd=/boot/initrd.img-3.0.0 root=/dev/hda3 ro single text help This option boots the system into recovery mode (single-user) endtext label l1 menu label Debian GNU/Linux, kernel 2.6.39 kernel /boot/vmlinuz-2.6.39 append initrd=/boot/initrd.img-2.6.39 root=/dev/hda3 ro quiet label l1r menu label Debian GNU/Linux, kernel 2.6.39 (recovery mode) kernel /boot/vmlinuz-2.6.39 append initrd=/boot/initrd.img-2.6.39 root=/dev/hda3 ro single text help This option boots the system into recovery mode (single-user) endtext label l2 menu label Debian GNU/Linux, kernel 2.6.38 kernel /boot/vmlinuz-2.6.38 append initrd=/boot/initrd.img-2.6.38 root=/dev/hda3 ro quiet label l2r menu label Debian GNU/Linux, kernel 2.6.38 (recovery mode) kernel /boot/vmlinuz-2.6.38 append initrd=/boot/initrd.img-2.6.38 root=/dev/hda3 ro single text help This option boots the system into recovery mode (single-user) endtext label l3 menu label Debian GNU/Linux, kernel 2.6.32 kernel /boot/vmlinuz-2.6.32 append 
initrd=/boot/initrd.img-2.6.32 root=/dev/hda3 ro quiet label l3r menu label Debian GNU/Linux, kernel 2.6.32 (recovery mode) kernel /boot/vmlinuz-2.6.32 append initrd=/boot/initrd.img-2.6.32 root=/dev/hda3 ro single text help This option boots the system into recovery mode (single-user) endtext label l4 menu label Debian GNU/Linux, kernel 2.2.18 kernel /boot/vmlinuz-2.2.18 append root=/dev/hda3 ro quiet label l4r menu label Debian GNU/Linux, kernel 2.2.18 (recovery mode) kernel /boot/vmlinuz-2.2.18 append root=/dev/hda3 ro single text help This option boots the system into recovery mode (single-user) endtext label l5 menu label Debian GNU