Bug#1034276: unblock: fwknop/2.6.10-16
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: fwk...@packages.debian.org Control: affects -1 + src:fwknop Please unblock package fwknop [ Reason ] The AppArmor profile was incorrectly installed in the systemd system service path: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034055 [ Impact ] I'm not sure whether it would cause any actual problems, but it is likely a policy violation and the bug reporter did file it as an RC bug. [ Tests ] I upgraded to the version I uploaded to unstable yesterday and confirmed that the file is in the new location: $ dpkg -L fwknop-apparmor-profile | grep usr.sbin.fwknopd /usr/share/apparmor/extra-profiles/usr.sbin.fwknopd [ Risks ] Trivial fix. I made it so that the AppArmor profile is not automatically enabled either to avoid changing (i.e. fixing) the behavior compared to what it was in -15. So this should be a no-op in terms of functionality. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock fwknop/2.6.10-16 diff -Nru fwknop-2.6.10/debian/changelog fwknop-2.6.10/debian/changelog --- fwknop-2.6.10/debian/changelog 2023-01-10 21:23:46.0 -0800 +++ fwknop-2.6.10/debian/changelog 2023-04-10 20:52:01.0 -0700 
@@ -1,3 +1,12 @@ +fwknop (2.6.10-16) unstable; urgency=high + + * Install apparmor profile in /usr/share/apparmor/extra-profiles/ +instead of the systemd service directory. Note that the profile +will not be used unless manually copied into /etc/apparmor.d/ +(Closes: #1034055). + + -- Francois Marier Mon, 10 Apr 2023 20:52:01 -0700 + fwknop (2.6.10-15) unstable; urgency=medium [ Helmut Grohne ] diff -Nru fwknop-2.6.10/debian/fwknop-apparmor-profile.install fwknop-2.6.10/debian/fwknop-apparmor-profile.install --- fwknop-2.6.10/debian/fwknop-apparmor-profile.install 2023-01-10 21:23:46.0 -0800 +++ fwknop-2.6.10/debian/fwknop-apparmor-profile.install 2023-04-10 20:52:01.0 -0700 @@ -1 +1 @@ -extras/apparmor/usr.sbin.fwknopd /usr/lib/systemd/system/ +extras/apparmor/usr.sbin.fwknopd /usr/share/apparmor/extra-profiles/
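Review bot: the debian/fwknop-apparmor-profile.install hunk moves usr.sbin.fwknopd to /usr/share/apparmor/extra-profiles/, a directory apparmor_parser never loads on its own, so after this upload the binary package ships a profile that is inert by default; the changelog says so, but nothing in the debdiff tells an administrator to copy it to /etc/apparmor.d/ and run apparmor_parser -r on it. Add that to README.Debian (or NEWS) with this change, and plan a post-freeze upload that installs the profile under /etc/apparmor.d/ via dh_apparmor so it is actually enforced rather than only shipped.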
Bug#986780: unblock: email-reminder/0.8.1-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package email-reminder [ Reason ] The .desktop file is not installed (bug #986744). [ Impact ] A non-technical user likely won't be able to start the application at all. [ Tests ] Manual test: open gnome-shell and ensure it's displayed in the list of applications. [ Risks ] Minimal: one-line change which only affects the .desktop file. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock email-reminder/0.8.1-3 diff -Nru email-reminder-0.8.1/debian/changelog email-reminder-0.8.1/debian/changelog --- email-reminder-0.8.1/debian/changelog 2021-01-18 22:01:41.0 -0800 +++ email-reminder-0.8.1/debian/changelog 2021-04-10 19:26:37.0 -0700 @@ -1,3 +1,9 @@ +email-reminder (0.8.1-3) unstable; urgency=medium + + * Add missing .desktop file (closes: #986744). + + -- Francois Marier Sat, 10 Apr 2021 19:26:37 -0700 + email-reminder (0.8.1-2) unstable; urgency=medium * Bump Standards-Version up to 4.5.1. diff -Nru email-reminder-0.8.1/debian/install email-reminder-0.8.1/debian/install --- email-reminder-0.8.1/debian/install 1969-12-31 16:00:00.0 -0800 +++ email-reminder-0.8.1/debian/install 2021-04-10 19:26:37.0 -0700 @@ -0,0 +1 @@ +email-reminder.desktop usr/share/applications
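Review bot: the debian/install hunk references email-reminder.desktop as its source path but nothing else in this debdiff adds that file, so it must already exist in the upstream tarball or under debian/; confirm it does (dh_install fails the build otherwise) and run desktop-file-validate on it before upload, since a .desktop file that was never installed has never been exercised.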
Bug#933636: CVE-2019-14934
On 2020-02-07 at 10:14:24, Salvatore Bonaccorso wrote: > > It looks OK to me. Tagging moreinfo until there's a final diff. > > Friendly ping, any news? (It's too late now for the upcoming point > release though). It's still on my list, but not a very high priority. Definitely won't happen until at least after the Ubuntu 20.04 Debian merge deadline. Francois -- https://fmarier.org/
Bug#933636: CVE-2019-14934
There is now an additional CVE that affects pdfresurrect in buster and stretch: https://security-tracker.debian.org/tracker/CVE-2019-14934 Neither this one nor CVE-2019-14267 is deemed worthy of a DSA however. If you approve the first upload I have prepared for buster and stretch, I will revise it to include the fix for this second CVE, but I will wait for your initial approval before putting any more work into this. Francois -- https://fmarier.org/
Bug#933636: stretch-pu: package pdfresurrect/0.12-6
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu I'd like to fix a buffer overflow in the pdfresurrect version that's in stretch. See https://security-tracker.debian.org/tracker/CVE-2019-14267. Attached is the debdiff. Francois diff -Nru pdfresurrect-0.12/debian/changelog pdfresurrect-0.12/debian/changelog --- pdfresurrect-0.12/debian/changelog 2015-09-13 18:30:02.0 -0700 +++ pdfresurrect-0.12/debian/changelog 2019-07-30 08:54:01.0 -0700 @@ -1,3 +1,9 @@ +pdfresurrect (0.12-6+deb9u1) stretch; urgency=high + + * Fix buffer overflow (CVE-2019-14267). + + -- Francois Marier Tue, 30 Jul 2019 08:54:01 -0700 + pdfresurrect (0.12-6) unstable; urgency=medium * Run wrap-and-sort diff -Nru pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch --- pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch 1969-12-31 16:00:00.0 -0800 +++ pdfresurrect-0.12/debian/patches/CVE-2019-14267.patch 2019-07-30 08:54:01.0 -0700 
@@ -0,0 +1,47 @@ +commit 4ea7a6f4f51d0440da651d099247e2273f811dbc +Author: Matt Davis +Date: Thu Jul 25 20:30:04 2019 -0700 +Last-Update: 2019-07-30 + +Prevent a buffer overflow in possibly corrupt PDFs. + +The startxref identification logic assumed a worse case of having to +inspect 256 bytes. However, that is not always the case (e.g., +corrupted PDFs). This patch prevents that situation. + +This bug was identified by j0lamma. Thanks! + +CVE-2019-14267 + +diff --git a/main.c b/main.c +index d274acc..18ba696 100644 +--- a/main.c b/main.c +@@ -230,7 +230,10 @@ static pdf_t *init_pdf(FILE *fp, const char *name) + + pdf = pdf_new(name); + pdf_get_version(fp, pdf); +-pdf_load_xrefs(fp, pdf); ++if (pdf_load_xrefs(fp, pdf) == -1) { ++ pdf_delete(pdf); ++ return NULL; ++} + pdf_load_pages_kids(fp, pdf); + + return pdf; +diff --git a/pdf.c b/pdf.c +index 27b09a1..b671537 100644 +--- a/pdf.c b/pdf.c +@@ -210,6 +210,11 @@ int pdf_load_xrefs(FILE *fp, pdf_t *pdf) + fseek(fp, pos - (++pos_count), SEEK_SET); + + /* Suck in end of "startxref" to start of %%EOF */ ++if (pos_count >= sizeof(buf)) { ++ ERR("Failed to locate the startxref token. " ++ "This might be a corrupt PDF.\n"); ++ return -1; ++} + memset(buf, 0, sizeof(buf)); + fread(buf, 1, pos_count, fp); + c = buf; diff -Nru pdfresurrect-0.12/debian/patches/series pdfresurrect-0.12/debian/patches/series --- pdfresurrect-0.12/debian/patches/series 2015-09-13 18:30:02.0 -0700 +++ pdfresurrect-0.12/debian/patches/series 2019-07-30 08:54:01.0 -0700 @@ -1 +1,2 @@ fix_manpage_path.patch +CVE-2019-14267.patch
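Review bot: the main.c hunk turns init_pdf(), which previously always returned a pdf_t, into a function that returns NULL after pdf_delete(pdf), but the callers of init_pdf() are outside this diff; verify that every caller tests for NULL, otherwise the fix converts a buffer overflow on a corrupt file into a NULL-pointer dereference, which is still a crash on attacker-controlled input.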
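Review bot: the pos_count >= sizeof(buf) check in the pdf.c hunk sits after fseek(fp, pos - (++pos_count), SEEK_SET), so a seek with an offset that has already walked past the start of the file still happens and its return value is ignored, and in this 0.12 version the following fread(buf, 1, pos_count, fp) result is not checked either (0.15 wraps it in SAFE_E). The check does stop the overflow, but consider also failing when the backward walk reaches the start of the file or fread() returns short, and add a DEP-3 Origin: line pointing at upstream commit 4ea7a6f4f51d0440da651d099247e2273f811dbc so the patch's provenance is machine-readable (the header only carries Last-Update:).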
Bug#933637: buster-pu: package pdfresurrect/0.15-2
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu I'd like to fix a buffer overflow in the pdfresurrect version that's in buster. See https://security-tracker.debian.org/tracker/CVE-2019-14267. Attached is the debdiff. Francois diff -Nru pdfresurrect-0.15/debian/changelog pdfresurrect-0.15/debian/changelog --- pdfresurrect-0.15/debian/changelog 2019-03-01 23:12:55.0 -0800 +++ pdfresurrect-0.15/debian/changelog 2019-07-30 08:41:35.0 -0700 @@ -1,3 +1,9 @@ +pdfresurrect (0.15-2+deb10u1) buster; urgency=high + + * Fix buffer overflow (CVE-2019-14267). + + -- Francois Marier Tue, 30 Jul 2019 08:41:35 -0700 + pdfresurrect (0.15-2) unstable; urgency=medium * Bump Standars-Version up to 4.3.0 diff -Nru pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch --- pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch 1969-12-31 16:00:00.0 -0800 +++ pdfresurrect-0.15/debian/patches/CVE-2019-14267.patch 2019-07-30 08:41:35.0 -0700 
@@ -0,0 +1,46 @@ +commit 4ea7a6f4f51d0440da651d099247e2273f811dbc +Author: Matt Davis +Date: Thu Jul 25 20:30:04 2019 -0700 + +Prevent a buffer overflow in possibly corrupt PDFs. + +The startxref identification logic assumed a worse case of having to +inspect 256 bytes. However, that is not always the case (e.g., +corrupted PDFs). This patch prevents that situation. + +This bug was identified by j0lamma. Thanks! + +CVE-2019-14267 + +diff --git a/main.c b/main.c +index d604613..de2f8e9 100644 +--- a/main.c b/main.c +@@ -203,7 +203,10 @@ static pdf_t *init_pdf(FILE *fp, const char *name) + + pdf = pdf_new(name); + pdf_get_version(fp, pdf); +-pdf_load_xrefs(fp, pdf); ++if (pdf_load_xrefs(fp, pdf) == -1) { ++ pdf_delete(pdf); ++ return NULL; ++} + pdf_load_pages_kids(fp, pdf); + + return pdf; +diff --git a/pdf.c b/pdf.c +index 4cd7f12..b23b50a 100644 +--- a/pdf.c b/pdf.c +@@ -233,6 +233,11 @@ int pdf_load_xrefs(FILE *fp, pdf_t *pdf) + fseek(fp, pos - (++pos_count), SEEK_SET); + + /* Suck in end of "startxref" to start of %%EOF */ ++if (pos_count >= sizeof(buf)) { ++ ERR("Failed to locate the startxref token. " ++ "This might be a corrupt PDF.\n"); ++ return -1; ++} + memset(buf, 0, sizeof(buf)); + SAFE_E(fread(buf, 1, pos_count, fp), pos_count, +"Failed to read startxref.\n"); diff -Nru pdfresurrect-0.15/debian/patches/series pdfresurrect-0.15/debian/patches/series --- pdfresurrect-0.15/debian/patches/series 1969-12-31 16:00:00.0 -0800 +++ pdfresurrect-0.15/debian/patches/series 2019-07-30 08:41:35.0 -0700 @@ -0,0 +1 @@ +CVE-2019-14267.patch
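Review bot: the buster patch is the same upstream commit as the stretch one and shares its open point: init_pdf()'s callers are not in the diff and must handle the new NULL return. Its header is also thinner than the stretch copy (no Last-Update: and no Origin:/Bug-Debian: DEP-3 fields); add them so both uploads are traceable to the same upstream commit.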
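The patch only adds a bound check before the read; to make visible what that bound protects, here is a small stand-alone C model of the trailer parse, written as an added example for this page (it is not pdfresurrect's code, and locate_startxref/parse_startxref are hypothetical names). It mirrors the patched structure: walk back from EOF until "startxref" is found, then refuse the file if the run of bytes between the keyword and EOF would not fit the fixed 256-byte buffer, instead of copying it in as the unpatched fread() did. The PDF tails it is fed are constructed, not real files.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 256 /* fixed trailer buffer, as in pdf_load_xrefs() */

/* Walk backwards from EOF one byte at a time until "startxref" is found.
 * Like the original loop this is bounded only by the start of the file,
 * so on a corrupt PDF *pos_count can grow well past BUF_SIZE.
 * Returns the keyword's offset, or -1 if the file has no "startxref". */
static long locate_startxref(const unsigned char *data, size_t len,
                             size_t *pos_count)
{
    static const char kw[] = "startxref";
    const size_t kwlen = sizeof(kw) - 1;
    size_t back;

    for (back = kwlen; back <= len; back++) {
        size_t off = len - back;
        if (memcmp(data + off, kw, kwlen) == 0) {
            *pos_count = back;          /* bytes from keyword to EOF */
            return (long)off;
        }
    }
    return -1;
}

/* Parse the xref offset that follows "startxref".  Returns 0 and sets
 * *xref on success; -1 if the keyword is missing, lies BUF_SIZE or more
 * bytes before EOF (the CVE-2019-14267 check), or is not followed by a
 * number.  memcpy() stands in for the original's fread(). */
static int parse_startxref(const unsigned char *data, size_t len,
                           unsigned long *xref)
{
    char buf[BUF_SIZE];
    size_t pos_count = 0;
    long off = locate_startxref(data, len, &pos_count);
    char *p, *end;

    if (off < 0)
        return -1;
    if (pos_count >= sizeof(buf))       /* would overrun buf: reject */
        return -1;
    memset(buf, 0, sizeof(buf));
    memcpy(buf, data + off, pos_count);

    p = buf + (sizeof("startxref") - 1);
    while (*p == ' ' || *p == '\r' || *p == '\n')
        p++;
    if (*p < '0' || *p > '9')
        return -1;
    *xref = strtoul(p, &end, 10);
    return end > p ? 0 : -1;
}

/* Constructed trailer of a well-formed file: expect the offset 42. */
static long demo_wellformed(void)
{
    static const char pdf[] =
        "%PDF-1.4\n1 0 obj\n<< >>\nendobj\nxref\n0 1\n"
        "0000000000 65535 f \ntrailer\n<< /Size 1 >>\nstartxref\n42\n%%EOF\n";
    unsigned long xref = 0;

    if (parse_startxref((const unsigned char *)pdf, sizeof(pdf) - 1, &xref))
        return -1;
    return (long)xref;
}

/* Constructed corrupt tail: keyword present but 300 bytes of junk follow,
 * so pos_count is 317.  The unpatched code copied all of it into a
 * 256-byte buffer; with the check the file is rejected (-1). */
static long demo_oversized_tail(void)
{
    unsigned char pdf[400];
    unsigned long xref = 0;
    size_t n = 0;

    memcpy(pdf + n, "%PDF-1.4\nstartxref\n", 19); n += 19;
    memset(pdf + n, 'A', 300);                     n += 300;
    memcpy(pdf + n, "\n%%EOF\n", 7);               n += 7;
    return parse_startxref(pdf, n, &xref) == 0 ? (long)xref : -1;
}

/* Constructed file with no "startxref" at all: also rejected. */
static long demo_missing_keyword(void)
{
    static const char pdf[] = "%PDF-1.4\ngarbage\n%%EOF\n";
    unsigned long xref = 0;

    return parse_startxref((const unsigned char *)pdf, sizeof(pdf) - 1,
                           &xref) == 0 ? (long)xref : -1;
}

int main(void)
{
    printf("well-formed : %ld\n", demo_wellformed());
    printf("oversized   : %ld\n", demo_oversized_tail());
    printf("missing     : %ld\n", demo_missing_keyword());
    return 0;
}
```

The point the demo makes is that the size check belongs between locating the keyword and copying the tail: the distance from the keyword to EOF is attacker-controlled, and the fixed buffer is not.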
Bug#801617: RM: vimperator/stable -- ROM; keeps breaking with Iceweasel security updates
Package: ftp.debian.org Severity: normal I would like to request removal of vimperator from stable since it constantly gets out of sync with new security releases of Iceweasel and breaks. In fact, it is currently broken at the moment (800508). There is also some uncertainty around the upcoming add-on signing enforcement. The alternative is for users to install it directly from upstream: https://addons.mozilla.org/en-US/firefox/addon/vimperator/ Updates will be handled automatically by Iceweasel. Note: it has already been removed from unstable (801473). Francois
Bug#801617: RM: vimperator/stable -- ROM; keeps breaking with Iceweasel security updates
On 2015-10-12 at 17:37:17, Adam D. Barratt wrote: > Removals from {,old}stable are handled by the Release Team. Interesting, I guess there's a bug in reportbug :) > Should the package also be removed from oldstable? Yes, it's definitely broken in oldstable too (and has been for a long time). Francois -- http://fmarier.org/
Bug#711736: pu: package vimperator/3.3-2
On 2015-01-17 at 12:14:21, Adam D. Barratt wrote:
> It doesn't look like anything happened in the meantime. Do we know what's required to make the package work with the current iceweasel in wheezy?

Now that stable and unstable are tracking the same version of iceweasel, I'm guessing we need to upload the unstable version of iceweasel as a stable wheezy update.

Francois

-- 
Francois Marier identi.ca/fmarier http://fmarier.org twitter.com/fmarier

-- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150117173852.ge1...@akranes.dyndns.org
Bug#769056: unblock: rkhunter/1.4.2-0.3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package rkhunter This release fixes a single important bug (#767731) introduced in the latest upstream release, with a very simple fix: - if [ `${IPCS_CMD} -u 2/dev/null | awk -F' ' '/segments allocated/ {print $3}'` -ne 0 ]; then + if [ `LANG=C ${IPCS_CMD} -u 2/dev/null | awk -F' ' '/segments allocated/ {print $3}'` -ne 0 ]; then (the addition of LANG=C before grepping in the command's output) Attached is a full debdiff. unblock rkhunter/1.4.2-0.3 diff -Nru rkhunter-1.4.2/debian/changelog rkhunter-1.4.2/debian/changelog --- rkhunter-1.4.2/debian/changelog 2014-10-19 20:14:41.0 +1300 +++ rkhunter-1.4.2/debian/changelog 2014-11-07 14:35:51.0 +1300 @@ -1,3 +1,10 @@ +rkhunter (1.4.2-0.3) unstable; urgency=medium + + * Non-maintainer upload. + * Fix IPCS command on non-English locales (closes: #767731) + + -- Francois Marier franc...@debian.org Fri, 07 Nov 2014 14:34:19 +1300 + rkhunter (1.4.2-0.2) unstable; urgency=medium * Non-maintainer upload. diff -Nru rkhunter-1.4.2/debian/patches/20_fix-ipcs-language.diff rkhunter-1.4.2/debian/patches/20_fix-ipcs-language.diff --- rkhunter-1.4.2/debian/patches/20_fix-ipcs-language.diff 1970-01-01 12:00:00.0 +1200 +++ rkhunter-1.4.2/debian/patches/20_fix-ipcs-language.diff 2014-11-07 14:35:51.0 +1300 
@@ -0,0 +1,18 @@ +Description: Force english locale for ipcs call +Author: Francois Marier franc...@debian.org +Forwarded: https://sourceforge.net/p/rkhunter/patches/42/ +Last-Update: 2014-11-07 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767731 +Bug: https://sourceforge.net/p/rkhunter/bugs/130/ + +--- a/files/rkhunter b/files/rkhunter +@@ -13964,7 +13964,7 @@ ${FOUND_PROCS} + touch ${IPCS_TMPFILE} + FOUND=0; echo $FOUND ${IPCS_TMPFILE} + +-if [ `${IPCS_CMD} -u 2/dev/null | awk -F' ' '/segments allocated/ {print $3}'` -ne 0 ]; then ++if [ `LANG=C ${IPCS_CMD} -u 2/dev/null | awk -F' ' '/segments allocated/ {print $3}'` -ne 0 ]; then + ${IPCS_CMD} -m | grep ^0x | while read RKH_SHM_KEY RKH_SHM_SHMID RKH_SHM_OWNER RKH_SHM_PERMS RKH_SHM_BYTES RKH_SHM_NATTACH RKH_SHM_STATUS; do + if [ $RKH_SHM_PERMS -eq 666 -a $RKH_SHM_BYTES -ge 100 ]; then + FOUND=1; echo $FOUND ${IPCS_TMPFILE} diff -Nru rkhunter-1.4.2/debian/patches/series rkhunter-1.4.2/debian/patches/series --- rkhunter-1.4.2/debian/patches/series 2014-10-19 20:14:41.0 +1300 +++ rkhunter-1.4.2/debian/patches/series 2014-11-07 14:35:51.0 +1300 @@ -1,3 +1,4 @@ 05_custom_conffile.diff 10_fix-man.diff 15_remove-empty-dir.diff +20_fix-ipcs-language.diff
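Review bot: in the 20_fix-ipcs-language.diff hunk only the `${IPCS_CMD} -u` summary call gets LANG=C, while the `${IPCS_CMD} -m | grep ^0x | while read ...` pipeline two lines below parses column layout from the same localized tool and is left untouched; wrap it too. Prefer LC_ALL=C over LANG=C: LANG is the lowest-priority locale variable and is overridden by any LC_MESSAGES or LC_ALL the user has exported, which is exactly the non-English-locale situation #767731 describes. Finally, the test still aborts if awk prints nothing (`[ -ne 0 ]` with an empty left operand), so defaulting the awk result to 0 would make the check robust whatever the locale.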
Bug#768202: unblock: email-reminder/0.7.8-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package email-reminder The only change is the addition of a new DebConf translation (Dutch). unblock email-reminder/0.7.8-2 diff -Nru email-reminder-0.7.8/debian/changelog email-reminder-0.7.8/debian/changelog --- email-reminder-0.7.8/debian/changelog 2014-10-09 23:48:19.0 +1300 +++ email-reminder-0.7.8/debian/changelog 2014-10-30 10:02:16.0 +1300 @@ -1,3 +1,9 @@ +email-reminder (0.7.8-2) unstable; urgency=medium + + * Add Dutch debconf translation (closes: #767237) + + -- Francois Marier franc...@debian.org Thu, 30 Oct 2014 10:01:40 +1300 + email-reminder (0.7.8-1) unstable; urgency=medium * New upstream release (closes: #629631, #746617) diff -Nru email-reminder-0.7.8/debian/po/nl.po email-reminder-0.7.8/debian/po/nl.po --- email-reminder-0.7.8/debian/po/nl.po 1970-01-01 12:00:00.0 +1200 +++ email-reminder-0.7.8/debian/po/nl.po 2014-10-30 10:02:16.0 +1300 
@@ -0,0 +1,120 @@ +# Dutch translation of email-reminder debconf templates. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the email-reminder package. +# Frans Spiesschaert frans.spiesscha...@yucom.be, 2014. +# +msgid +msgstr +Project-Id-Version: email-reminder\n +Report-Msgid-Bugs-To: email-remin...@packages.debian.org\n +POT-Creation-Date: 2009-02-26 09:58+1300\n +PO-Revision-Date: 2014-10-16 14:00+0200\n +Last-Translator: Frans Spiesschaert frans.spiesscha...@yucom.be\n +Language-Team: Dutch debian-l10n-du...@lists.debian.org\n +Language: nl\n +MIME-Version: 1.0\n +Content-Type: text/plain; charset=UTF-8\n +Content-Transfer-Encoding: 8bit\n +Plural-Forms: nplurals=2; plural=(n != 1);\n + +#. Type: boolean +#. Description +#: ../templates:1001 +msgid Run daily email-reminder cronjob? +msgstr Dagelijks een crontaak voor email-reminder uitvoeren? + +#. Type: boolean +#. Description +#: ../templates:1001 +msgid +By default, email-reminder checks once a day for reminders that need to be +sent out. +msgstr +Standaard controleert email-reminder eens per dag of er herinneringen +verzonden moeten worden. + +#. Type: string +#. Description +#: ../templates:2001 +msgid SMTP server: +msgstr SMTP-server: + +#. Type: string +#. Description +#: ../templates:2001 +msgid +Specify the address of the outgoing mail server that email-reminder should +use to send its emails. +msgstr +Geef het adres op van de server voor uitgaande mail die door email-reminder +gebruikt moet worden om zijn berichten te versturen. + +#. Type: string +#. Description +#: ../templates:3001 +msgid SMTP username: +msgstr SMTP-gebruikersnaam: + +#. Type: string +#. Description +#: ../templates:3001 +msgid If the outgoing mail server requires a username, enter it here. +msgstr +Indien de server voor uitgaande mail een gebruikersnaam nodig heeft, geeft u +die hier in. + +#. Type: string +#. Description +#. Type: password +#. 
Description +#: ../templates:3001 ../templates:4001 +msgid Leave this blank if the SMTP server doesn't require authentication. +msgstr +Vul hier niets in, indien de SMTP-server geen authenticatie nodig heeft. + +#. Type: password +#. Description +#: ../templates:4001 +msgid SMTP password: +msgstr SMTP-wachtwoord: + +#. Type: password +#. Description +#: ../templates:4001 +msgid If the outgoing mail server requires a password, enter it here. +msgstr +Indien de server voor uitgaande mail een wachtwoord nodig heeft, geeft u dat +hier in. + +#. Type: boolean +#. Description +#: ../templates:5001 +msgid Connect to the SMTP server using SSL? +msgstr SSL gebruiken om contact maken met de SMTP-server? + +#. Type: boolean +#. Description +#: ../templates:5001 +msgid +If the SMTP server supports SSL and you choose this option, data exchanged +with it will be encrypted. +msgstr +Indien u voor deze optie kiest en de SMTP-server SSL ondersteunt, zal de +gegevensuitwisseling ermee versleuteld gebeuren. + +#. Type: string +#. Description +#: ../templates:6001 +msgid Reminder mails originating address: +msgstr Adres van de afzender van de herinneringsberichten: + +#. Type: string +#. Description +#: ../templates:6001 +msgid +Reminder emails will appear to come from this address. The default should +work unless the SMTP server requires routable domains in source addresses. +msgstr +De herinneringsberichten zullen van dit adres afkomstig lijken. Meestal zal +wat hier standaard voorgesteld wordt, werken, tenzij het voor de SMTP-server +nodig is dat het afzenderadres een routeerbaar domein is.
Bug#768031: unblock: safe-rm/0.12-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package safe-rm This new upstream version consists of a single change: --- safe-rm-0.11/safe-rm2014-10-08 00:28:47.0 +1300 +++ safe-rm-0.12/safe-rm2014-11-03 15:11:18.0 +1300 @@ -3,9 +3,8 @@ use warnings; use strict; use Cwd 'realpath'; -use Env; i.e. the removal of an unnecessary dependency which was breaking upgrades (release-critical bug #767477). A full debdiff against the package in testing is attached, but the only change other than version numbers and changelogs is the above line. unblock safe-rm/0.12-1 diff -Nru safe-rm-0.11/Changes safe-rm-0.12/Changes --- safe-rm-0.11/Changes 2014-10-08 00:28:47.0 +1300 +++ safe-rm-0.12/Changes 2014-11-03 15:11:18.0 +1300 @@ -1,3 +1,6 @@ +0.12 (2014-11-03) + - Remove unnecessary dependency on Env + 0.11 (2014-10-08) - Read user config from $XDG_CONFIG_HOME/safe-rm too - Update URL and email address (safe-rm.org.nz is deprecated) diff -Nru safe-rm-0.11/debian/changelog safe-rm-0.12/debian/changelog --- safe-rm-0.11/debian/changelog 2014-10-22 10:26:01.0 +1300 +++ safe-rm-0.12/debian/changelog 2014-11-03 15:19:24.0 +1300 @@ -1,3 +1,9 @@ +safe-rm (0.12-1) unstable; urgency=high + + * New upstream release (closes: #767477) + + -- Francois Marier franc...@debian.org Mon, 03 Nov 2014 15:18:31 +1300 + safe-rm (0.11-2) unstable; urgency=medium * Add Dutch debconf translation (closes: #766254) diff -Nru safe-rm-0.11/safe-rm safe-rm-0.12/safe-rm --- safe-rm-0.11/safe-rm 2014-10-08 00:28:47.0 +1300 +++ safe-rm-0.12/safe-rm 2014-11-03 15:11:18.0 +1300 @@ -3,9 +3,8 @@ use warnings; use strict; use Cwd 'realpath'; -use Env; -our $VERSION = '0.11'; +our $VERSION = '0.12'; my $homedir= $ENV{HOME} || q{}; my $LEGACY_CONFIG_FILE = $homedir/.safe-rm;
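Review bot: dropping `use Env;` in the safe-rm hunk is only safe if no other part of the script relies on the variables Env exports as Perl globals (a bare $HOME or @PATH, for instance); the visible line already reads $ENV{HOME} directly, so grep the remainder of safe-rm for bare environment names before upload. The changelog hunk says only "New upstream release (closes: #767477)"; name the actual fix (removal of the Env dependency that broke upgrades) so the RC bug's resolution is readable from the changelog alone.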
Bug#752359: RM: freecode-submit -- ROM; obsolete; abandoned upstream
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

This package is no longer useful since the underlying service (freecode.com) has now shut down and is no longer accepting new submissions:

> The Freecode site has been moved to a static state effective June 18, 2014 due to low traffic levels and so that folks will focus on more useful endeavors than site upkeep.

source: http://freecode.com/about

Archive: https://lists.debian.org/2014061811.25069.48157.reportbug@akranes
Bug#711736: pu: package vimperator/3.3-2
On 2014-01-21 at 18:20:32, intrigeri wrote:
> Cyril Brulebois wrote (23 Sep 2013 04:02:26 GMT) :
> > Adam D. Barratt a...@adam-barratt.org.uk (2013-06-09):
> > > Control: tags -1 + moreinfo wheezy
> >
> > it's been 3+ months now.
>
> ... and now 7+ months.

Sorry, I've obviously dropped the ball here. If anybody wants to take this bug over and prepare/test a package for stable, I'd be happy to review and sponsor if needed.

Francois

Archive: http://lists.debian.org/20140121221203.ga9...@isafjordur.dyndns.org
Bug#711736: pu: package vimperator/3.3-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Iceweasel 17 got pushed to stable through a security update. The version of iceweasel-vimperator that's in stable is not compatible with Iceweasel 17 and the security team has suggested I upload an updated package to stable-proposed.

The package I would be uploading is simply the one that's currently in unstable (upstream release 3.7.1). It is compatible with Iceweasel up to 21 so it should be good for a while.

Francois

Archive: http://lists.debian.org/20130609071313.29674.58541.report...@isafjordur.dyndns.org
Bug#680591: unblock: gitmagic/20120520-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package gitmagic The diff between 20120520-1 (the version that's currently in freeze-exception) and 20120520-2 only consists of the addition of a missing build dependency. This build dependency was added to fix RC bug #674303 (FTBFS). The debdiff against 20120520-1 is attached. unblock gitmagic/20120520-2 diff -Nru gitmagic-20120520/debian/changelog gitmagic-20120520/debian/changelog --- gitmagic-20120520/debian/changelog 2012-05-20 22:11:34.0 +1200 +++ gitmagic-20120520/debian/changelog 2012-07-01 22:05:21.0 +1200 @@ -1,3 +1,9 @@ +gitmagic (20120520-2) unstable; urgency=medium + + * Add missing package to build-dependency to fix FTBFS (closes: #674303) + + -- Francois Marier franc...@debian.org Sun, 01 Jul 2012 22:04:22 +1200 + gitmagic (20120520-1) unstable; urgency=low * New upstream release diff -Nru gitmagic-20120520/debian/control gitmagic-20120520/debian/control --- gitmagic-20120520/debian/control 2012-05-20 22:11:34.0 +1200 +++ gitmagic-20120520/debian/control 2012-07-01 22:05:21.0 +1200 @@ -3,7 +3,7 @@ Priority: optional Maintainer: Francois Marier franc...@debian.org Build-Depends: debhelper (= 9) -Build-Depends-Indep: asciidoc, gawk, docbook-utils, tidy, xmlto +Build-Depends-Indep: asciidoc, gawk, docbook-utils, tidy, xmlto, texlive-lang-cyrillic Standards-Version: 3.9.3 Homepage: http://www-cs-students.stanford.edu/~blynn/gitmagic/ Vcs-git: git://git.debian.org/git/collab-maint/gitmagic.git
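Review bot: the debian/control hunk adds texlive-lang-cyrillic to Build-Depends-Indep, but the changelog hunk only says "Add missing package to build-dependency" without naming it; state the package and which part of the documentation build needs it, so a reader of #674303 does not have to diff control to find out. Since this is a documentation build, also check whether the whole of texlive-lang-cyrillic is required or only a font package it pulls in, to keep the build closure small.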
Re: whatsnewfm in squeeze-updates?
(please CC me on replies, thanks!) On 2011-11-16 at 22:19:24, Adam D. Barratt wrote: Please prepare a debdiff including the upstream changes and send it to -release for a pre-upload ack. The description changes in debian/control could also be included if you wish. See the attached debdiff which contains: - new upstream version (0.7.2) - updated package description Is 0.7.1+squeeze1 a reasonable version number for this or should I use something else to emphasize a bit more the fact that it's a new upstream release too? Cheers, Francois -- Francois Marier identi.ca/fmarier http://fmarier.orgtwitter.com/fmarier diff -u whatsnewfm-0.7.1/debian/changelog whatsnewfm-0.7.1/debian/changelog --- whatsnewfm-0.7.1/debian/changelog +++ whatsnewfm-0.7.1/debian/changelog @@ -1,3 +1,11 @@ +whatsnewfm (0.7.1-1+squeeze1) stable; urgency=medium + + * New 0.7.2 upstream release (closes: #647079) +- take the name change into account and make package work again + * Update package description to refer to freecode.com + + -- Christian Garbs deb...@cgarbs.de Sun, 20 Nov 2011 21:59:46 +1300 + whatsnewfm (0.7.1-1) unstable; urgency=low * New upstream release (closes: #531104) diff -u whatsnewfm-0.7.1/debian/control whatsnewfm-0.7.1/debian/control --- whatsnewfm-0.7.1/debian/control +++ whatsnewfm-0.7.1/debian/control @@ -10,8 +10,9 @@ Architecture: all Depends: perl, libberkeleydb-perl, exim4 | mail-transport-agent Recommends: procmail | maildrop -Description: A utility to filter the daily newsletter from freshmeat.net - whatsnewfm is a utility to filter the daily newsletter from freshmeat.net +Description: A utility to filter the daily newsletter from freecode.com + whatsnewfm is a utility to filter the daily newsletter from freecode.com + (formerly freshmeat.net). . The main purpose is to cut the huge newsletter to a smaller size by only showing items that you didn't see before. only in patch2: unchanged: --- whatsnewfm-0.7.1.orig/README +++ whatsnewfm-0.7.1/README 
@@ -1,17 +1,18 @@ - whatsnewfm 0.7.1 + whatsnewfm 0.7.2 - 2009/05/30 + 2011/11/01 - (c) 2000-2009 by Christian Garbs mi...@cgarbs.de + (c) 2000-2011 by Christian Garbs mi...@cgarbs.de Joerg Plate jo...@plate.cx Dominik Brettnacher domi...@brettnacher.org Pedro Melo Cunha m...@isp.novis.pt Matthew Gabeler-Lee m...@po.cwru.edu Bernd Rilling brill...@ifsw.uni-stuttgart.de Jost Krieger jost.krie...@ruhr-uni-bochum.de + Francois Marier franc...@debian.org Licensed under GNU GPL (see COPYING for details) @@ -42,7 +43,7 @@ ~~~ whatsnewfm is a utility to filter the daily newsletter from -http://freshmeat.net +http://freecode.com The main purpose is to cut the huge newsletter to a smaller size by only showing items that you didn't see before. @@ -93,14 +94,14 @@ newsletters through the whatsnewfm filter: :0 w : -* ^Subject: freshmeat.net Daily Update: +* ^Subject: Freecode Daily Update: * !^X-Loop:.*whatsnewfm | /path/to/whatsnewfm.pl Alternatively, if you are using maildrop, you need to add something like this to your ~/.mailfilter: -if (/^Subject: freshmeat.net Daily Update:/ !/^X-Loop:.*whatsnewfm/) +if (/^Subject: Freecode Daily Update:/ !/^X-Loop:.*whatsnewfm/) { xfilter /path/to/whatsnewfm.pl } 
@@ -108,16 +109,16 @@ 4) Add whatsnewfm to your hot database: whatsnewfm.pl add whatsnewfm 5) Check your setup by mailing the file welcome to yourself with - freshmeat.net Daily Update: TEST as subject: + Freecode Daily Update: TEST as subject: - mail -s freshmeat.net Daily Update: TEST your@email welcome + mail -s Freecode Daily Update: TEST your@email welcome You should then receive an update information for the whatsnewfm application. This is good. Otherwise, there is an error in your setup. -6) If you're not yet subscribed to the freshmeat newsletter, do so at - http://freshmeat.net +6) If you're not yet subscribed to the freecode newsletter, do so at + http://freecode.com 7) If one of the new applications is interesting to you, then add it to your hot database. See [6] for details. @@ -210,7 +211,7 @@ This database contains the applications that you are interested in. You will be informed of every update within these applications. The applications are identified by the project id that is shown in the -parsed freshmeat newsletter. +parsed freecode newsletter. To see what is in the database, just may use less or cat on the database file (although the 'view' command (see below) should be used, @@ -249,10 +250,10 @@ You can enter a comment to help you remember what this application does (good for project ids that are acronymns): - whatsnewfm.pl add whatsnewfm Parses the freshmeat newsletter. + whatsnewfm.pl add whatsnewfm Parses
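Review bot: the debian/changelog hunk records "New 0.7.2 upstream release" under version 0.7.1-1+squeeze1, and the README changes appear as "only in patch2: unchanged", i.e. the upstream changes are carried in the Debian diff against the 0.7.1 orig tarball rather than as a new tarball. That is workable for a stable update, but the changelog entry should say so explicitly (that the 0.7.2 changes are applied in the Debian diff), since the version string alone suggests nothing upstream changed.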
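Review bot: the new synopsis in the debian/control hunk still begins with an article ("A utility to filter the daily newsletter from freecode.com"); Debian Policy 3.4.1 asks that the short description not start with an article, so "utility to filter the daily newsletter from freecode.com" is the lintian-clean form, and this upload is the natural moment to fix it since the line is being rewritten anyway.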
whatsnewfm in squeeze-updates?
(please CC me on replies, thanks) Last week, I sponsored an update of whatsnewfm which brought the package up to date with the new format of the freecode.com (formerly freshmeat.net) newsletter. As it is, the package doesn't work at all in squeeze so I was thinking that it might be a good candidate for squeeze-updates. If so, should I upload to stable or is there a special upload target for -updates? Cheers, Francois P.S. The lenny package is also affected but that one has been broken for years so it's probably not worth fixing at this stage.
Status of unblock mahara/1.2.6-2
(Please CC me on any replies. Thanks!) Now that we are in deep freeze, I was wondering if it was likely that this unblock request for Mahara would be granted: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599377 It fixes a DFSG-related RC bug in squeeze (removal of non-free code) as well as making upgrades from lenny work. Cheers, Francois
Bug#599377: unblock: mahara/1.2.6-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package mahara

Mahara 1.2.6 was released upstream to fix two RC bugs:
- removal of a non-free swf video player (#591200)
- upgrades from 1.0.x (the version in lenny) didn't work (not in the BTS)

I did most of these fixes in mahara-1.2.6-1, but I forgot about one swf so I had to upload mahara-1.2.6-2 shortly after.

Relevant changelog entries:

mahara (1.2.6-2) unstable; urgency=medium

  * Move flowplayer.audio to the contrib package as well
  * Add an allow rule in apache.conf for flowplayer.audio

 -- Francois Marier franc...@debian.org  Mon, 06 Sep 2010 20:59:44 +1200

mahara (1.2.6-1) unstable; urgency=medium

  * New upstream release (to address #591200):
    - removal of the tinymce media plugin
    - replaced the non-free media player with flowplayer
  * Move mediaplayer into a separate contrib package (closes: #591200)
  * Relax the deny rule on serving lib to make flowplayer work
  * Add a dependency on tinymce and use that instead of bundled version
  * Bump Standards-Version up to 3.9.1
  * Urgency set to medium because of RC bug

 -- Francois Marier franc...@debian.org  Mon, 06 Sep 2010 20:51:17 +1200

unblock mahara/1.2.6-2

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.34.7-grsec (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Archive: http://lists.debian.org/20101007025852.13349.57901.report...@isafjordur.dyndns.org
Re: Please unblock mahara-1.2.6-2 (currently in NEW)
The package has now made it past NEW, so I'd like to request an unblock for it to fix RC bug #591200. Note that there is a new debconf template (Danish) that got submitted after the freeze: bug #597766. If you think it should go into squeeze, I can prepare mahara-1.2.6-3 with only that change. Otherwise, I'll do it post-squeeze. Cheers, Francois Archive: http://lists.debian.org/20101003011933.ge18...@isafjordur.dyndns.org
Please unblock mahara-1.2.6-2 (currently in NEW)
Hi, Mahara 1.2.6 was released upstream to fix two RC bugs: - removal of a non-free swf video player (#591200) - upgrades from 1.0.x (the version in lenny) didn't work (not in the BTS) The reason why it's currently in NEW is that I created a new contrib package with the swf files in it. They come with source code, but they require tools that aren't in Debian to be built from source. (I did most of these fixes in mahara-1.2.6-1, but I forgot about one swf so I had to upload mahara-1.2.6-2 shortly after.) Let me know if this request isn't useful as long as the packages are in NEW and I'll resubmit once they've been accepted by ftpmasters. Cheers, Francois -- Francois Marier identi.ca/fmarier http://feeding.cloud.geek.nz twitter.com/fmarier
Security bug in mahara-1.0.4-3: upload to testing-proposed-updates?
(Please CC me on your replies, thanks!) Hello, The version of mahara that's in lenny (1.0.4-3) has an XSS vulnerability as reported in the release notes: http://mahara.org/interaction/forum/topic.php?id=198 (no Debian bug or CVE number for it at the moment) There is a new upstream release (1.0.9) containing these fixes in sid. However, given that it contains other non-security changes, I have also prepared a patched 1.0.4 version for lenny. I have attached the very small debdiff between -3 and -4 to this email. Please let me know whether I should upload 1.0.4-4 to testing-proposed-updates or whether you prefer to unblock the package that's in sid. Cheers, Francois diff -u mahara-1.0.4/debian/changelog mahara-1.0.4/debian/changelog --- mahara-1.0.4/debian/changelog +++ mahara-1.0.4/debian/changelog @@ -1,3 +1,12 @@ +mahara (1.0.4-4) testing-proposed-updates; urgency=low + + * Fix XSS issues in forum descriptions and posts, backported from +these upstream commits: + a3a3824aadcaebd6e416d5b18b1f1129c0f30cac + b86d471361456a9b7c58492121feb1ae85222ada + + -- Francois Marier franc...@debian.org Wed, 04 Feb 2009 14:51:32 +1300 + mahara (1.0.4-3) testing-proposed-updates; urgency=high * Depend on libphp-snoopy instead of using the embedded copy shipped only in patch2: unchanged: --- mahara-1.0.4.orig/htdocs/interaction/forum/theme/default/view.tpl +++ mahara-1.0.4/htdocs/interaction/forum/theme/default/view.tpl @@ -8,7 +8,7 @@ div id=viewforum table id=forumdescription tr - td{$forum-description}/td + td{$forum-description|clean_text}/td {if $admin} td align=right class=nowrap a href={$WWWROOT}interaction/edit.php?id={$forum-id|escape} class=btn-editdk{str tag=edittitle section=interaction.forum}/a/td only in patch2: unchanged: --- mahara-1.0.4.orig/htdocs/interaction/forum/theme/default/simplepost.tpl +++ mahara-1.0.4/htdocs/interaction/forum/theme/default/simplepost.tpl 
@@ -19,6 +19,6 @@ {$post-poster|display_name|escape}/a/h5 divimg src={$WWWROOT}thumb.php?type=profileiconamp;maxsize=100amp;id={$post-poster} alt=/div h5{$post-postcount}/h5/td - td{$post-body}/td + td{$post-body|clean_text}/td /tr /table \ No newline at end of file
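Review bot: in the view.tpl hunk the forum description is still emitted as raw HTML with only the new clean_text modifier in front of it, so the whole fix rests on what clean_text strips; confirm it is the same sanitiser upstream uses in a3a3824aadcaebd6e416d5b18b1f1129c0f30cac and not merely an escaping step (the template already uses a distinct |escape modifier for {$forum-id} on the next line, so the two are clearly different filters here).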
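Review bot: the simplepost.tpl hunk only filters {$post-body} in the simple post view, while the changelog entry claims XSS fixes for "forum descriptions and posts"; check that every other template printing a post body (the full post view in particular) either already applies clean_text or is covered by b86d471361456a9b7c58492121feb1ae85222ada, otherwise the same unfiltered body is rendered elsewhere. The file also still ends without a trailing newline ("\ No newline at end of file"), which is harmless but trivial to fix in the same patch.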
Security fixes in moodle-1.8.2.dfsg-3 (please unblock)
(Please CC me on your replies, thanks!) Hello, Moodle 1.8.8 was recently released and it fixes a number of security issues which are present in the current lenny moodle package. Attached is a debdiff of the -2 (in lenny) against -3. It fixes all of these vulnerabilities: * Delete unused (but vulnerable) Spellchecker plugin to htmlarea (MSA-09-0005, CVE-2008-5153) * Hide images of deleted users (MSA-09-0001) * Fix user pix disclosure (MSA-09-0002) * Fix XSS vulnerabilities in HTML blocks (MSA-09-0004) * Fix XSS vulnerabilities in logs (MSA-09-0007) * Fix CSRF vulnerability in forum code (MSA-09-0008) After talking to the testing security team, I have uploaded this package to unstable with the hope that it will be unblocked for lenny. Cheers, Francois diff -u moodle-1.8.2.dfsg/debian/rules moodle-1.8.2.dfsg/debian/rules --- moodle-1.8.2.dfsg/debian/rules +++ moodle-1.8.2.dfsg/debian/rules @@ -59,6 +59,7 @@ rm -f debian/moodle/usr/share/moodle/admin/delete.php rm -f debian/moodle/usr/share/moodle/mod/wiki/ewiki/fragments/mkhuge rm -f debian/moodle/usr/share/moodle/search/.cvsignore + rm -rf debian/moodle/usr/share/moodle/lib/editor/htmlarea/plugins/SpellChecker rm -rf debian/moodle/usr/share/moodle/lib/smarty rm -rf debian/moodle/usr/share/moodle/lib/yui diff -u moodle-1.8.2.dfsg/debian/changelog moodle-1.8.2.dfsg/debian/changelog --- moodle-1.8.2.dfsg/debian/changelog +++ moodle-1.8.2.dfsg/debian/changelog 
@@ -1,3 +1,15 @@ +moodle (1.8.2.dfsg-3) unstable; urgency=high + + * Delete unused (but vulnerable) Spellchecker plugin to htmlarea +(MSA-09-0005, CVE-2008-5153) + * Hide images of deleted users (MSA-09-0001) + * Fix user pix disclosure (MSA-09-0002) + * Fix XSS vulnerabilities in HTML blocks (MSA-09-0004) + * Fix XSS vulnerabilities in logs (MSA-09-0007) + * Fix CSRF vulnerability in forum code (MSA-09-0008) + + -- Francois Marier franc...@debian.org Mon, 02 Feb 2009 19:09:10 +1300 + moodle (1.8.2.dfsg-2) unstable; urgency=high [ Dan Poltawski ] diff -u moodle-1.8.2.dfsg/debian/patches/00list moodle-1.8.2.dfsg/debian/patches/00list --- moodle-1.8.2.dfsg/debian/patches/00list +++ moodle-1.8.2.dfsg/debian/patches/00list @@ -2,0 +3,5 @@ +msa090001.dpatch +msa090002.dpatch +msa090004.dpatch +msa090007.dpatch +msa090008.dpatch only in patch2: unchanged: --- moodle-1.8.2.dfsg.orig/debian/patches/msa090004.dpatch +++ moodle-1.8.2.dfsg/debian/patches/msa090004.dpatch 
@@ -0,0 +1,62 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## msa090004.dpatch by Francois Marier franc...@debian.org +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: html block: proper cleanup of html + +...@dpatch@ +diff --git a/blocks/html/block_html.php b/blocks/html/block_html.php +index ff53961..7099a43 100755 +--- a/blocks/html/block_html.php b/blocks/html/block_html.php +@@ -12,7 +12,7 @@ class block_html extends block_base { + } + + function specialization() { +-$this-title = isset($this-config-title) ? $this-config-title : get_string('newhtmlblock', 'block_html'); ++$this-title = isset($this-config-title) ? format_string($this-config-title) : get_string('newhtmlblock', 'block_html'); + } + + function instance_allow_multiple() { +@@ -24,8 +24,13 @@ class block_html extends block_base { + return $this-content; + } + +-$filteropt = new stdClass; +-$filteropt-noclean = true; ++if (!empty($this-instance-pinned) or $this-instance-pagetype === 'course-view') { ++// fancy html allowed only on course page and in pinned blocks for security reasons ++$filteropt = new stdClass; ++$filteropt-noclean = true; ++} else { ++$filteropt = null; ++} + + $this-content = new stdClass; + $this-content-text = isset($this-config-text) ? format_text($this-config-text, FORMAT_HTML, $filteropt) : ''; +diff --git a/blocks/html/config_instance.html b/blocks/html/config_instance.html +index 8138488..ae2d460 100755 +--- a/blocks/html/config_instance.html b/blocks/html/config_instance.html +@@ -1,4 +1,11 @@ +-?php $usehtmleditor = can_use_html_editor(); ? ++?php ++$usehtmleditor = can_use_html_editor(); ++ ++$text = isset($this-config-text) ? $this-config-text : ''; ++if (empty($this-instance-pinned) and $this-instance-pagetype !== 'course-view') { ++$text = clean_text($text, FORMAT_HTML); ++} ++? 
+ table cellpadding=9 cellspacing=0 + tr valign=top + td align=right?php print_string('configtitle', 'block_html'); ?:/td +@@ -6,7 +13,7 @@ + /tr + tr valign=top + td align=right?php print_string('configcontent', 'block_html'); ?:/td +-td?php print_textarea($usehtmleditor, 25, 50, 0, 0, 'text', isset($this-config-text)?$this-config-text:'') ?/td ++td?php print_textarea($usehtmleditor, 25, 50, 0, 0, 'text', $text) ?/td + /tr + tr + td colspan=3 align=center only in patch2: unchanged
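Review bot: the rules hunk deletes the htmlarea SpellChecker plugin at build time (rm -rf .../htmlarea/plugins/SpellChecker) instead of patching it, which is the right call for an unused plugin (MSA-09-0005, CVE-2008-5153); please add a line to README.Debian saying the plugin was removed on purpose so an admin who tries to enable it does not file a bug against the package.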
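Review bot: the 00list hunk registers five dpatches (msa090001, msa090002, msa090004, msa090007, msa090008) but only msa090004.dpatch is visible in this debdiff excerpt (the mail is cut off at "only in patch2: unchanged"), so the other four fixes cannot be reviewed from this message; please attach the complete debdiff.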
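Review bot: in the block_html.php hunk the test "pinned or pagetype === 'course-view'" decides whether noclean is granted, and the same test appears negated in config_instance.html; two hand-maintained copies of a security condition will drift, so move it into one method on block_html (for example a boolean "raw html allowed for this instance" helper) that both the renderer and the config form call. A short comment on the else branch would also help: $filteropt = null there means format_text() runs with its defaults, i.e. with cleaning enabled, which is the intended behaviour but is easy to misread as "no options at all".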
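Review bot: the config_instance.html hunk runs clean_text() over the stored text before putting it into the editor whenever raw HTML is not allowed, so an existing block silently loses markup the moment an admin opens its configuration form and saves; consider showing a notice when clean_text() actually changed the text, so the admin knows why the content shrank rather than blaming the editor.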
Please unblock docvert 3.4-7 (CVE-2008-5147)
(please CC me on your replies, thanks!) Hello, I have uploaded a new version of docvert which fixes a minor security problem with it. The Testing Security team will not issue an advisory, but given the size of the change (deleting an unused test script) it would be nice if it could propagate to lenny. Here is the debdiff (aside from the changelog): diff -u docvert-3.4/debian/rules docvert-3.4/debian/rules --- docvert-3.4/debian/rules +++ docvert-3.4/debian/rules @@ -43,6 +43,7 @@ cp -r $(CURDIR)/generator-pipeline $(CURDIR)/debian/docvert/usr/share/docvert/ cp -r $(CURDIR)/pipeline $(CURDIR)/debian/docvert/usr/share/docvert/ cp -r $(CURDIR)/core $(CURDIR)/debian/docvert/usr/share/docvert/ + rm $(CURDIR)/debian/docvert/usr/share/docvert/core/lib/pyodconverter/test-pipe-to-pyodconverter.org.sh rm -rf $(CURDIR)/debian/docvert/usr/share/docvert/core/lib/fckeditor rm -rf $(CURDIR)/debian/docvert/usr/share/docvert/core/lib/pclzip-2.6 rm -rf $(CURDIR)/debian/docvert/usr/share/docvert/core/lib/jodconverter/ Cheers, Francois
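Review bot: the added rm line has no -f while the neighbouring lines in the same hunk use rm -rf, so the build will abort with a confusing error as soon as an upstream tarball no longer ships test-pipe-to-pyodconverter.org.sh; either use rm -f for consistency, or keep the strict form deliberately and say so in a comment next to it. The changelog is omitted from the mail, so the CVE-2008-5147 reference in the subject cannot be checked against d/changelog here.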
Re: Please unblock moodle-1.8.2-2
(Regarding the unblock request submitted last week...) Please note that the version of Moodle in Etch is 1.6.3, which is very old and almost unmaintained. The most recent release on the 1.6 branch is 1.6.8 and even the latest stable release is 1.9, which was originally released in March this year. If Moodle is dropped from Lenny, the default behaviour for Etch upgraders will be to keep using 1.6.3 until Squeeze. We can't rely on users making the effort to go and find a backport, and continuing to use 1.6.3 will be a very unsatisfactory experience for them. Thank you for your consideration, Francois
Please unblock moodle-1.8.2-2
Hello, There is currently a freeze exception for version 1.8.2-1.3 of the moodle package. However that version never made it to testing since it didn't fix all of the RC bugs. All RC bug have been fixed in 1.8.2-2 so I would like to suggest that this version be unblocked instead. Attached to this email is a debdiff between -1.3 and -2. Please note that the package is no longer orphaned and now has a committed maintenance team behind it. Cheers, Francois diff -u moodle-1.8.2/debian/rules moodle-1.8.2/debian/rules --- moodle-1.8.2/debian/rules +++ moodle-1.8.2/debian/rules @@ -45,6 +45,7 @@ rm debian/moodle/usr/share/moodle/search/Zend/LICENSE.txt rm debian/moodle/usr/share/moodle/lib/smarty/COPYING.lib rm debian/moodle/usr/share/moodle/iplookup/ipatlas/COPYING + rm debian/moodle/usr/share/moodle/lib/libcurlemu/LICENSE find debian/moodle/usr -type f -exec chmod 644 {} \; find debian/moodle/usr -type d -exec chmod 755 {} \; @@ -56,6 +57,11 @@ chmod 755 debian/moodle/usr/share/moodle/admin/process_email.php rm -f debian/moodle/usr/share/moodle/filter/tex/*mimetex* rm -f debian/moodle/usr/share/moodle/admin/delete.php + rm -f debian/moodle/usr/share/moodle/mod/wiki/ewiki/fragments/mkhuge + rm -f debian/moodle/usr/share/moodle/search/.cvsignore + + rm -rf debian/moodle/usr/share/moodle/lib/smarty + rm -rf debian/moodle/usr/share/moodle/lib/yui dh_installdebconf dh_link diff -u moodle-1.8.2/debian/changelog moodle-1.8.2/debian/changelog --- moodle-1.8.2/debian/changelog +++ moodle-1.8.2/debian/changelog 
@@ -1,3 +1,37 @@ +moodle (1.8.2-2) unstable; urgency=high + + * Adopt orphaned package (closes: #494642) + * Acknowledge security NMU (closes: #489533, #432264) + * Add Vcs-* fields to debian/control + + Release-critical and security bugs: + + * Depend on smarty instead of using the embedded copy that is shipped +with Moodle (closes: #471158, #488525, #504345) + * Patch security bug in the embedded (and customised) copy of phpmailer +(CVE-2007-3215, closes: #429339, #429190) + * Patch cross-site scripting bug (CVE-2008-3326, closes: #492492) + * Patch snoopy input sanitising (CVE-2008-4796, closes: #504235) + * Upgrade to new LGPL version of domxml-php4-to-php5 (closes: #496069) + + Trivial bug fixes: + + * Depend on zip (closes: #408995) + * Add mysql-client as an alternative to postgresql-client +(closes: #417554, #469094) + * Recommend php5-ldap (closes: #425839) + * Delete unnecessary script with bashisms (closes: #489634) + + Lintian warnings: + + * Bump Standards-Version to 3.8.0 + * Add homepage field to debian/control + * Remove cvsignore file + * Remove extra license file + * Depend on yui instead of using an embedded copy + + -- Francois Marier [EMAIL PROTECTED] Fri, 07 Nov 2008 08:24:28 +1300 + moodle (1.8.2-1.3) unstable; urgency=high * Non-maintainer upload by the Security Team. diff -u moodle-1.8.2/debian/copyright moodle-1.8.2/debian/copyright --- moodle-1.8.2/debian/copyright +++ moodle-1.8.2/debian/copyright @@ -30,6 +30,7 @@ htmlArea, licensed under a BSD license (see below) TinyMCE, licensed under the LGPL bennu, licensed under the LGPL + domxmlphp4-php5, licensed under the LGPL LGPL can be found in the file /usr/share/common-licenses/LGPL, GPL can be found in the file /usr/share/common-licenses/GPL, and diff -u moodle-1.8.2/debian/postinst moodle-1.8.2/debian/postinst --- moodle-1.8.2/debian/postinst +++ moodle-1.8.2/debian/postinst 
@@ -132,6 +132,10 @@ ln -s /etc/moodle/config.php $moodledir/config.php fi + # Links to external libraries + [ ! -h /usr/share/moodle/lib/smarty ] ln -s /usr/share/php/smarty/libs /usr/share/moodle/lib/smarty + [ ! -h /usr/share/moodle/lib/yui ] ln -s /var/www/yui /usr/share/moodle/lib/yui + # Care about the repository repository=/var/lib/moodle if [ -d $repository ]; then diff -u moodle-1.8.2/debian/control moodle-1.8.2/debian/control --- moodle-1.8.2/debian/control +++ moodle-1.8.2/debian/control @@ -1,16 +1,20 @@ Source: moodle Section: web Priority: optional -Maintainer: Isaac Clerencia [EMAIL PROTECTED] +Maintainer: Moodle Packaging Team [EMAIL PROTECTED] +Uploaders: Francois Marier [EMAIL PROTECTED], Penny Leach [EMAIL PROTECTED], Mathieu Petit-Clair [EMAIL PROTECTED] Build-Depends-Indep: po-debconf Build-Depends: debhelper (= 4.1.13), dpatch -Standards-Version: 3.7.2 +Standards-Version: 3.8.0 +Homepage: http://www.moodle.org/ +Vcs-Git: git://git.debian.org/git/pkg-moodle/moodle.git +Vcs-Browser: http://git.debian.org/?p=pkg-moodle/moodle.git;a=summary Package: moodle Architecture: all -Depends: ${misc:Depends}, libapache2-mod-php5 | php5-cgi, php5-pgsql | php5-mysql, php5-gd, php5-curl, php5-cli, apache2-mpm-prefork | httpd, wwwconfig-common (= 0.0.7), mimetex, ucf, postgresql-client +Depends: ${misc:Depends}, libapache2-mod-php5 | php5-cgi, php5-pgsql | php5-mysql, php5-gd, php5-curl, php5-cli, apache2-mpm-prefork | httpd, wwwconfig-common (= 0.0.7
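Review bot: the second rules hunk deletes lib/smarty and lib/yui from the package at build time and the postinst hunk re-creates them as symlinks, but nothing in this debdiff removes those links on purge, so /usr/share/moodle/lib is left behind with dangling links once the package is gone; since rules already calls dh_link (visible in the hunk context), shipping the two links as package-owned files via dh_link would let dpkg create and remove them itself and make the postinst additions unnecessary.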
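Review bot: in the postinst hunk the guards "[ ! -h /usr/share/moodle/lib/smarty ]" and "[ ! -h /usr/share/moodle/lib/yui ]" only test for an existing symlink; if a real directory is left at either path (for instance from an earlier install that shipped the embedded copies), ln -s will create the link inside that directory instead of replacing it and the old embedded code keeps being served. Test for any existing entry (-e or -d) and remove or move it aside before linking.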
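Review bot: the copyright hunk names the library "domxmlphp4-php5" while the changelog entry in this same debdiff calls it "domxml-php4-to-php5"; pick the upstream project name and use it in both files.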
Re: Upload of mahara 1.0.4-3 to testing-proposed-updates
After talking to the testing security team, I will be taking these two fixes to testing-security instead of testing-proposed-updates. Therefore, please ignore this upload. Cheers, Francois
Upload of mahara 1.0.4-3 to testing-proposed-updates
(Please CC me on your replies, thanks) Hello, I have just uploaded mahara 1.0.4-3 to testing-proposed-updates in order to fix these two RC bugs: 504170 - CVE-2008-4796: missing input sanitising in Snoopy.class.php 504253 - CVE-2007-3215: remote shell command execution in class.phpmailer.php The fixes are quite small (as shown in the attached debdiff) and an upload through unstable isn't possible since there is a new upstream version in there already. Francois
Re: Upload of mahara 1.0.4-3 to testing-proposed-updates
On 2008-11-04 at 13:27:24, Francois Marier wrote: The fixes are quite small (as shown in the attached debdiff) Here's the missing file. Francois diff -u mahara-1.0.4/debian/rules mahara-1.0.4/debian/rules --- mahara-1.0.4/debian/rules +++ mahara-1.0.4/debian/rules @@ -36,15 +36,7 @@ rm -rf $(CURDIR)/debian/mahara/usr/share/mahara/lib/adodb/docs/ rm -rf $(CURDIR)/debian/mahara/usr/share/mahara/lib/adodb/tests/ rm -f $(CURDIR)/debian/mahara/usr/share/mahara/lib/adodb/pear/readme.Auth.txt - rm -f $(CURDIR)/debian/mahara/usr/share/mahara/lib/snoopy/configure.in - rm -f $(CURDIR)/debian/mahara/usr/share/mahara/lib/snoopy/INSTALL - rm -f $(CURDIR)/debian/mahara/usr/share/mahara/lib/snoopy/ChangeLog - rm -f $(CURDIR)/debian/mahara/usr/share/mahara/lib/snoopy/FAQ - rm -f $(CURDIR)/debian/mahara/usr/share/mahara/lib/snoopy/AUTHORS - rm -f $(CURDIR)/debian/mahara/usr/share/mahara/lib/snoopy/Makefile.am - rm -f $(CURDIR)/debian/mahara/usr/share/mahara/lib/snoopy/autogen.sh - rm -f $(CURDIR)/debian/mahara/usr/share/mahara/lib/snoopy/TODO - rm -f $(CURDIR)/debian/mahara/usr/share/mahara/lib/snoopy/NEWS + rm -rf $(CURDIR)/debian/mahara/usr/share/mahara/lib/snoopy/ rm -rf $(CURDIR)/debian/mahara/usr/share/mahara/lib/pear/File rm -f $(CURDIR)/debian/mahara/usr/share/mahara/lib/pear/File.php rm -rf $(CURDIR)/debian/mahara/usr/share/mahara/lib/pear/PEAR diff -u mahara-1.0.4/debian/mahara.postinst mahara-1.0.4/debian/mahara.postinst --- mahara-1.0.4/debian/mahara.postinst +++ mahara-1.0.4/debian/mahara.postinst 
@@ -70,6 +70,9 @@ # Link to captcha font [ ! -h /usr/share/mahara/theme/default/static/captcha.ttf ] ln -s /usr/share/fonts/truetype/freefont/FreeMono.ttf /usr/share/mahara/theme/default/static/captcha.ttf + +# Link to libphp-snoopy +[ ! -h /usr/share/mahara/lib/snoopy ] ln -s /usr/share/php/libphp-snoopy/ /usr/share/mahara/lib/snoopy ;; abort-upgrade|abort-remove|abort-deconfigure) diff -u mahara-1.0.4/debian/changelog mahara-1.0.4/debian/changelog --- mahara-1.0.4/debian/changelog +++ mahara-1.0.4/debian/changelog @@ -1,3 +1,12 @@ +mahara (1.0.4-3) testing-proposed-updates; urgency=high + + * Depend on libphp-snoopy instead of using the embedded copy shipped +with Mahara (CVE-2008-4796, closes: #504170) + * Backport upstream's patch (41189c30d198153dc66dc867e160dab948929458) +to phpmailer (CVE-2007-3125, closes: #504253) + + -- Francois Marier [EMAIL PROTECTED] Tue, 04 Nov 2008 12:46:14 +1300 + mahara (1.0.4-2) unstable; urgency=low * Compress the package using bzip2 diff -u mahara-1.0.4/debian/control mahara-1.0.4/debian/control --- mahara-1.0.4/debian/control +++ mahara-1.0.4/debian/control @@ -11,7 +11,7 @@ Package: mahara Architecture: all -Depends: ${misc:Depends}, php5-pgsql | php5-mysql, php5-cli, php5-gd, file, cron, perl, ttf-freefont, php-file, php-pear, smarty +Depends: ${misc:Depends}, php5-pgsql | php5-mysql, php5-cli, php5-gd, file, cron, perl, ttf-freefont, php-file, php-pear, smarty, libphp-snoopy Recommends: mahara-apache2, postgresql | postgresql-8.3 | mysql-server | mysql-server-5.0, clamav, clamav-daemon, php5-curl, php5-xmlrpc, php5-imagick, libfile-slurp-perl, libtext-diff-perl Description: Electronic portfolio, weblog, and resume builder Mahara is a fully featured electronic portfolio, weblog, resume builder and only in patch2: unchanged: --- mahara-1.0.4.orig/htdocs/lib/phpmailer/class.phpmailer.php +++ mahara-1.0.4/htdocs/lib/phpmailer/class.phpmailer.php 
@@ -390,9 +390,9 @@ */ function SendmailSend($header, $body) { if ($this-Sender != ) -$sendmail = sprintf(%s -oi -f %s -t, $this-Sendmail, $this-Sender); +$sendmail = sprintf(%s -oi -f %s -t, escapeshellcmd($this-Sendmail), escapeshellarg($this-Sender)); else -$sendmail = sprintf(%s -oi -t, $this-Sendmail); +$sendmail = sprintf(%s -oi -t, escapeshellcmd($this-Sendmail)); if([EMAIL PROTECTED] = popen($sendmail, w)) {
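Review bot: the changelog hunk cites "CVE-2007-3125" for the phpmailer fix, but the upload mail and bug #504253 refer to CVE-2007-3215 (the same identifier the moodle changelog in this thread uses); fix the changelog before upload, since the security tracker matches on that exact string.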
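Review bot: the postinst hunk adds the /usr/share/mahara/lib/snoopy symlink while the rules hunk removes the embedded copy, but no postrm change is in the debdiff, so the link stays behind on purge; as with the earlier moodle upload, shipping the link through dh_link would make it package-owned and remove the need for postinst and postrm code.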
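Review bot: the class.phpmailer.php hunk wraps Sender in escapeshellarg(), which closes the argument injection through -f, and wraps Sendmail in escapeshellcmd(); note that escapeshellcmd() only neutralises shell metacharacters, it does not prevent a Sendmail value carrying extra space-separated arguments from being honoured. That is acceptable only because Sendmail is administrator configuration rather than user input, and a one-line comment saying so would spare the next backporter from re-auditing it.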
Re: Upload of mahara 1.0.4-3 to testing-proposed-updates
On 2008-11-03 at 18:51:42, Raphael Geissert wrote: Just wondering, why don't you do the same for phpmailer? the package in lenny/sid is libphp-phpmailer. The version in Mahara currently has local non-upstreamable customisations. I believe that the upstream plan is to eventually remove the library entirely from Mahara. Francois
Please unblock safe-rm/0.3-1
(Please CC me on your replies, thanks!) Hello, I would like to request that you please unblock the safe-rm package to let 0.3-1 propagate to testing. It has a fix for a bug which I believe is quite serious (though no Debian bugs were ever filed for it). The package wasn't protecting files in the current directory even though it claimed to do so, and users were relying on this. Here is the only change between the 0.2 and 0.3 upstream versions: --- safe-rm-0.2/safe-rm 2008-10-24 08:14:57.0 +1300 +++ safe-rm-0.3/safe-rm 2008-09-09 19:12:19.0 +1200 @@ -131,7 +131,7 @@ # Normalize the pathname my $normalized_pathname = $pathname; -if ($normalized_pathname =~ m|/|) { +if ($normalized_pathname =~ m|/| or -e $normalized_pathname) { # Convert to an absolute path (e.g. remove ..) $normalized_pathname = realpath($normalized_pathname); $normalized_pathname = $pathname unless $normalized_pathname; I am both the Debian maintainer and the upstream developer and I don't believe that there are any risks associated with this upgrade. (It has been in unstable for a month and a half already.) Thank you, Francois
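Review bot: the new "or -e $normalized_pathname" test uses -e, which follows symlinks and is false for a dangling symlink, so "safe-rm broken-link" run from inside a directory still takes the old unnormalised path and is compared against the protected list as a bare name; add "or -l $normalized_pathname" to cover that case. The existing "unless $normalized_pathname" fallback in the same hunk already copes with realpath() returning undef for such a link, so nothing else needs to change.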
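The bug described in this request, reproduced as an added example (this is not safe-rm's own code, which is a Perl script): a Python re-implementation of the normalisation step in both its 0.2 and 0.3 forms, with the protected-path list passed in as a set instead of being read from safe-rm's configuration, an exact-match comparison (a simplification of the real tool's matching), and a throwaway directory tree created just for the demonstration. The 0.3 variant also checks for symlinks, which the Perl -e test on its own does not cover for dangling links.

```python
"""Added example: how safe-rm 0.2 let a bare file name slip past the protected
list, and how the 0.3 change closes it.  Not safe-rm's code; assumptions:
protected paths are given as a set of absolute paths and compared by exact
match after normalisation."""
import os
import tempfile


def normalize_02(pathname: str) -> str:
    """0.2 behaviour: only names containing a slash are canonicalised, so a
    bare name typed from inside the parent of a protected entry is compared
    as-is and never matches an absolute protected path."""
    if "/" in pathname:
        return os.path.realpath(pathname)
    return pathname


def normalize_03(pathname: str) -> str:
    """0.3 behaviour: a bare name is also canonicalised when it exists in the
    current directory.  islink() is added here because exists() follows the
    link and is false for a dangling one (the same gap as Perl's -e)."""
    if "/" in pathname or os.path.exists(pathname) or os.path.islink(pathname):
        return os.path.realpath(pathname)
    return pathname


def split_args(args, protected, normalize):
    """Partition rm's arguments into (passed_on, refused): anything whose
    normalised form is in the protected set is refused."""
    passed_on, refused = [], []
    for arg in args:
        (refused if normalize(arg) in protected else passed_on).append(arg)
    return passed_on, refused


def demo():
    """Create <tmp>/important, protect it, then evaluate `rm important scratch.txt`
    with the shell's cwd set to <tmp>, under both versions of the check.
    Returns ((passed_02, refused_02), (passed_03, refused_03))."""
    with tempfile.TemporaryDirectory() as tmp:
        important = os.path.join(tmp, "important")
        os.mkdir(important)
        # Constructed protected list: the absolute, symlink-resolved path.
        protected = {os.path.realpath(important)}
        args = ["important", "scratch.txt"]  # scratch.txt does not exist
        old_cwd = os.getcwd()
        os.chdir(tmp)
        try:
            with_02 = split_args(args, protected, normalize_02)
            with_03 = split_args(args, protected, normalize_03)
        finally:
            os.chdir(old_cwd)
    return with_02, with_03


if __name__ == "__main__":
    with_02, with_03 = demo()
    print("0.2:", with_02)  # 0.2: (['important', 'scratch.txt'], [])
    print("0.3:", with_03)  # 0.3: (['scratch.txt'], ['important'])
```

Under 0.2 the protected directory is handed to rm because "important" contains no slash and is never turned into an absolute path; under 0.3 it is resolved against the current directory, matches the protected entry and is refused, while the non-existent scratch.txt is still passed through unchanged.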
Freeze exception request for docvert
(Please CC me on your reply, thanks!) Hello, I'd like to request a freeze exception for the docvert source package (which includes docvert and docvert-openoffice.org). The latest version in sid (3.4-6) fixes the following serious problems: - 502322: initscript hangs the boot process (release-critical) - missing dependency of docvert-openoffice.org on docvert (this is required and docvert-openoffice.org won't work without it) - initscript could kill openoffice processes belonging to other users And it also contains trivial fixes for the following problems: - 493334: check that docvert is installed when running the cronjob - 489796: capitalization change to the small description - initscript was referring to the wrong names in the LSB comments I have attached a debdiff between the version in lenny (3.4-4) and the one in sid (3.4-6). Francois diff -u docvert-3.4/debian/docvert-openoffice.org.docvert-converter.init docvert-3.4/debian/docvert-openoffice.org.docvert-converter.init --- docvert-3.4/debian/docvert-openoffice.org.docvert-converter.init +++ docvert-3.4/debian/docvert-openoffice.org.docvert-converter.init @@ -1,12 +1,12 @@ #! /bin/sh ### BEGIN INIT INFO -# Provides: docvert-openoffice +# Provides: docvert-converter # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Required-Start:$local_fs $network $syslog # Required-Stop: $local_fs $network $syslog -# Short-Description: Open Office service for Docvert -# Description: This init.d script is used to start Open Office as a +# Short-Description: OpenOffice.org service for Docvert +# Description: This init.d script is used to start OpenOffice.org as a #service. ### END INIT INFO 
@@ -15,13 +15,13 @@ # Do NOT set -e PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC=Open Office service for Docvert -NAME=docvert-openoffice +DESC=OpenOffice.org service for Docvert +NAME=docvert-converter USER=docvert GROUP=docvert DAEMON=/usr/share/docvert/core/config/unix-specific/openoffice.org-server.sh DAEMON_ARGS= -PIDFILE=/var/run/docvert/openoffice.pid +PIDFILE=/var/run/docvert/converter.pid SCRIPTNAME=/etc/init.d/$NAME # Exit if the package is not installed @@ -47,9 +47,9 @@ # 1 if daemon was already running # 2 if daemon could not be started start-stop-daemon -c $USER -g $GROUP --start --pidfile $PIDFILE --exec $DAEMON --test /dev/null || return 1 - start-stop-daemon -c $USER -g $GROUP --start --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_ARGS || return 2 + start-stop-daemon -c $USER -g $GROUP --start --pidfile $PIDFILE --background --exec $DAEMON -- $DAEMON_ARGS || return 2 sleep 2 - pgrep soffice $PIDFILE + pgrep -U $USER -G $GROUP soffice $PIDFILE [ -s $PIDFILE ] || return 2 return 0 # Add code here, if necessary, that waits for the process to be ready diff -u docvert-3.4/debian/docvert.cron.daily docvert-3.4/debian/docvert.cron.daily --- docvert-3.4/debian/docvert.cron.daily +++ docvert-3.4/debian/docvert.cron.daily @@ -3,2 +3,4 @@ -find /var/lib/docvert/ -name preview* -type f -mtime 1 | xargs -n 100 rm -f -find /var/lib/docvert/ -name preview* -type d -mtime 1 | xargs --no-run-if-empty -n 100 rmdir --ignore-fail-on-non-empty +if [ -d /var/lib/docvert ]; then + find /var/lib/docvert/ -name preview* -type f -mtime 1 | xargs -n 100 rm -f + find /var/lib/docvert/ -name preview* -type d -mtime 1 | xargs --no-run-if-empty -n 100 rmdir --ignore-fail-on-non-empty +fi diff -u docvert-3.4/debian/changelog docvert-3.4/debian/changelog --- docvert-3.4/debian/changelog +++ docvert-3.4/debian/changelog 
@@ -1,3 +1,20 @@ +docvert (3.4-6) unstable; urgency=high + + * docvert-openoffice.org needs to depend on docvert + * initscript: +- background the headless OOo process, high urgency (closes: #502322) +- only keep track (and kill) OOo processes owned by the docvert user +- fix all variables still referring to the old initscript name + + -- Francois Marier [EMAIL PROTECTED] Mon, 20 Oct 2008 10:53:57 +1300 + +docvert (3.4-5) unstable; urgency=low + + * Make short descriptions start with a lowercase letter (closes: #489796) + * Check whether the directory exists in the cron job (closes: #493334) + + -- Francois Marier [EMAIL PROTECTED] Sun, 03 Aug 2008 23:29:40 +1200 + docvert (3.4-4) unstable; urgency=low * Add mkdir call to both postinst scripts (closes: #489031) diff -u docvert-3.4/debian/control docvert-3.4/debian/control --- docvert-3.4/debian/control +++ docvert-3.4/debian/control @@ -13,7 +13,7 @@ Pre-Depends: pwgen Depends: python, php5-xsl, php5-cli, php5-gd, php5-tidy, librsvg2-bin, apache2, libapache2-mod-php5, libphp-pclzip, fckeditor Recommends: docvert-openoffice.org, optipng, jpegoptim -Description: Converts word processor files to HTML +Description: converts word processor files to HTML Docvert is a web application which takes word processor files (typically .doc) and converts them to OpenDocument and clean
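Review bot: in the init script hunk, "pgrep -U $USER -G $GROUP soffice" can print more than one PID (a headless OpenOffice.org start involves both the soffice wrapper and soffice.bin, which the unanchored pattern matches, and any soffice started by hand as the docvert user matches as well), so the pidfile becomes multi-line; use -n or -o, or -f with a pattern specific to the server invocation, so that start-stop-daemon --stop sees a single PID. The fixed "sleep 2" before pgrep is also a race on slow hardware; polling until the process appears, with a timeout, is more robust.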
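Review bot: the cron.daily hunk keeps "find ... | xargs -n 100 rm -f" for the file pass, which breaks on names containing whitespace or newlines and, unlike the directory pass, lacks --no-run-if-empty, so an empty result runs "rm -f" with no operands and produces a cron mail about a missing operand; use "find ... -print0 | xargs -0 --no-run-if-empty ..." (or find -delete) for both lines. The new "[ -d /var/lib/docvert ]" guard does address #493334 as the changelog states.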
Proposing an update to chkrootkit
(Please CC me on your replies) I would like to upload a revised version of chkrootkit for the next point release of the stable distribution. The only patch I would apply is: http://tinyurl.com/3sdna3 since it fixes a critical bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=421864 Also, I would update the maintainer field since I am now the chkrootkit maintainer. Do you have any objections to these changes? Francois
Please unblock K3b 0.12.17-8 (instead of 0.12.17-6)
I have just uploaded a new version of K3b (0.12.17-8) to unstable which fixes important bug #401739 (readcd being renamed to readom). Here are the relevant changelog entries: k3b (0.12.17-8) unstable; urgency=medium * Remove a wrong version check for readom (follow-up to bug #401739) -- Francois Marier [EMAIL PROTECTED] Thu, 14 Dec 2006 09:23:25 -0500 k3b (0.12.17-7) unstable; urgency=medium * Support for readom which is the new renamed readcd (closes: #401739) -- Francois Marier [EMAIL PROTECTED] Tue, 12 Dec 2006 21:27:29 -0500 Thanks, Francois
Please consider email-reminder 0.5.2-3 for Sarge
The version of email-reminder in testing has an annoying (but trivial) problem that can render this package totally non-functional: it forgets to recommend 'anacron'. Hence, reminders are not sent by the cron.daily cron job if the machine is turned off at night. Version 0.5.2-3 fixes that problem and was supposed to make it into testing, but I uploaded version 0.5.3-1 a week ago and it cancelled the transition of 0.5.2-3 to testing. Feel free to push version 0.5.3-1 to testing directly if you prefer, but I would appreciate it if you could at least upgrade the version to 0.5.2-3, since the only changes from -2 are in the depends and recommends fields of the control file. Thanks, Francois