Candidates for removal from testing (2013-01-24)
Hi,

We are considering removing the following packages from testing as they have unfixed RC bugs filed against them. The packages can be found in the attached dd-list. The bugs that put them on this list can be found in the removals file (also attached) just above the package name.

The packages have been selected based on the following criteria:

* The package had at least one RC bug without activity for the past 14 days.
* If a bug is assigned to multiple packages, both packages will be affected.
* The RC bug affects both unstable and testing.
* The affected package does not have any reverse dependencies in testing.

If the relevant RC bugs in the affected packages are not dealt with /before/ Thursday the 31st of Jan., the packages will be removed from testing. Note that "dealt with" may also include downgrading a severity-inflated bug or fixing affected versions in the BTS.

Please remember to file unblock bugs for packages fixed via uploads to unstable (and tpu bugs for requests to fix the package via a tpu upload). Should you need a bit more time than given, please do not hesitate to contact us. It is also easier for us if we can avoid having to reintroduce a removed package.

We will check the DELAYED queues before activating the removal hints, so NMUs in the DELAYED queues will be given a chance to reach unstable.
Thanks,
Niels (on behalf of the Release Team)

The bugs were found using the tools from:
svn://svn.debian.org/svn/collab-qa/rc-buggy-leaf-packages
http://release.debian.org/wheezy/freeze_policy.html

dd-list:

Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
   jenkins

Debian QA Group <packa...@qa.debian.org>
   bzr-gtk

James Page <james.p...@ubuntu.com>
   jenkins (U)

Pierre Chifflier <pol...@debian.org>
   glpi

Romain Beauxis <to...@rastageeks.org>
   lastfmproxy

Wouter Verhelst <wou...@debian.org>
   pmw

removals:

# #697402
remove bzr-gtk/0.103.0+bzr792-3
# #694642
remove glpi/0.83.31-1
# #696816
remove jenkins/1.447.2+dfsg-2
# #694589
remove lastfmproxy/1.3b-2
# #696844
remove pmw/1:4.24-1

__
This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
[bts-link] source package eclipse
# bts-link upstream status pull for source package eclipse
# see http://lists.debian.org/debian-devel-announce/2006/05/msg1.html
#
# user bts-link-upstr...@lists.alioth.debian.org
#
# remote status report for #595282 (http://bugs.debian.org/595282)
# Bug title: eclipse: Update 3.5.2-5 - 3.5.2-6 causes Android SDK plugin to stop working
#  * https://bugs.eclipse.org/bugs/show_bug.cgi?id=304132
#  * remote status changed: NEW - ASSIGNED
forwarded 595282 https://bugs.eclipse.org/bugs/show_bug.cgi?id=351485, merged-upstream: https://bugs.eclipse.org/bugs/show_bug.cgi?id=304132
usertags 595282 - status-NEW
usertags 595282 + status-ASSIGNED

thanks
Bug#696816: jenkins: Security issues were found in Jenkins core
Hi there, The issue was raised on debian-devel[0] that this bug still affects unstable and is causing jenkins to be a candidate for removal from wheezy. I have backported the fixes for these issues from upstream git; they are attached to this e-mail as separate quilt patches for the sake of cleanliness. I have also uploaded a source NMU package[1] to mentors.debian.net, which I intend to seek sponsorship for if I don't get a reply to this bug report within 72 hours (as the deadline given by the Release Team for removal from testing is 31st January). Please let me know if you need anything further from me. Thanks, Steven. [0] Thread Candidates for removal from testing (2013-01-24), which doesn't seem to be in the web archives yet. [1] http://mentors.debian.net/package/jenkins Description: Cherry-picked fix from 1.480.1 Security issue: - CVE-2012-6073 open redirect Origin: Upstream, commit ab0ac1ac499f734892c2203edc508a6dbf5fa42d Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696816 --- a/core/src/main/java/hudson/Util.java +++ b/core/src/main/java/hudson/Util.java @@ -1173,6 +1173,31 @@ } /** + * Return true if the systemId denotes an absolute URI . + * + * The same algorithm can be seen in {@link URI}, but + * implementing this by ourselves allow it to be more lenient about + * escaping of URI. + */ +public static boolean isAbsoluteUri(String uri) { +int idx = uri.indexOf(':'); +if (idx0) return false; // no ':'. can't be absolute + +// #, ?, and / must not be before ':' +return idx_indexOf(uri, '#') idx_indexOf(uri,'?') idx_indexOf(uri,'/'); +} + +/** + * Works like {@link String#indexOf(int)} but 'not found' is returned as s.length(), not -1. + * This enables more straight-forward comparison. + */ +private static int _indexOf(String s, char ch) { +int idx = s.indexOf(ch); +if (idx0) return s.length(); +return idx; +} + +/** * Loads a key/value pair string as {@link Properties} * @since 1.392 */ 
--- a/core/src/main/java/hudson/model/DirectoryBrowserSupport.java +++ b/core/src/main/java/hudson/model/DirectoryBrowserSupport.java @@ -137,7 +137,7 @@ String pattern = req.getParameter(pattern); if(pattern==null) pattern = req.getParameter(path); // compatibility with Hudson1.129 -if(pattern!=null) { +if(pattern!=null !Util.isAbsoluteUri(pattern)) {// avoid open redirect rsp.sendRedirect2(pattern); return; } --- a/core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java +++ b/core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java @@ -31,6 +31,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import hudson.Util; import org.acegisecurity.AuthenticationException; import org.acegisecurity.ui.webapp.AuthenticationProcessingFilter; @@ -50,6 +51,9 @@ if (targetUrl == null) return getDefaultTargetUrl(); +if (Util.isAbsoluteUri(targetUrl)) +return .; // avoid open redirect + // URL returned from determineTargetUrl() is resolved against the context path, // whereas the from URL is resolved against the top of the website, so adjust this. if(targetUrl.startsWith(request.getContextPath())) --- a/core/src/test/java/hudson/UtilTest.java +++ b/core/src/test/java/hudson/UtilTest.java @@ -230,4 +230,14 @@ } } } + +public void testIsAbsoluteUri() { +assertTrue(Util.isAbsoluteUri(http://foobar/;)); +assertTrue(Util.isAbsoluteUri(mailto:k...@kohsuke.org)); +assertTrue(Util.isAbsoluteUri(d123://test/)); +assertFalse(Util.isAbsoluteUri(foo/bar/abc:def)); +assertFalse(Util.isAbsoluteUri(foo?abc:def)); +assertFalse(Util.isAbsoluteUri(foo#abc:def)); +assertFalse(Util.isAbsoluteUri(foo/bar)); +} } Description: Cherry-picked fix from 1.480.1 Security issue: - CVE-2012-6074 cross-site scripting vulnerability Origin: Upstream, commit 1d48e7bf8254349a19328d56bd8006635a95866d Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696816 --- a/core/src/main/resources/hudson/widgets/HistoryWidget/entry.jelly 
+++ b/core/src/main/resources/hudson/widgets/HistoryWidget/entry.jelly @@ -68,7 +68,7 @@ tr class=${transitive} td/td td colspan=2 class=desc -j:out value=${build.truncatedDescription}/ +j:out value=${app.markupFormatter.translate(build.truncatedDescription)}/ /td /tr /j:if
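Review bot: isAbsoluteUri in the Util.java hunk returns false for any string that has no ':' before the first '#', '?' or '/', so a protocol-relative target such as //host/path (no scheme, hence no colon) is classified as relative and is not stopped by the two callers that rely on this method to avoid open redirects; consider also refusing targets that begin with "//" or "\\", or resolving the target against the request URL and comparing hosts. On the same hunk, the comparison operators have been lost in this copy of the patch (`if (idx0) return false;` and `return idx_indexOf(uri, '#') idx_indexOf(uri,'?') ...`), so confirm that the quilt patch applied to the package still carries the `<` and `&&` of the upstream commit, and the Javadoc should read "allows it to be more lenient".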
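Review bot: in the DirectoryBrowserSupport.java hunk the guard reads `pattern!=null !Util.isAbsoluteUri(pattern)` with the `&&` missing, so the applied patch needs checking for the operator; beyond that, a refused absolute `pattern` now silently falls through to ordinary directory browsing, which hides attempts against this parameter from the operator. Suggest at least a log line (or a 400 response) when the redirect target is rejected, so that such requests are visible in the server log.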
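Review bot: in the second AuthenticationProcessingFilter2.java hunk `return .; // avoid open redirect` has lost its string quotes in this copy (the intent is to return the literal "." so the user lands on the context root); verify the applied patch compiles. Also, Bug#697617 further down this list reports that this fix introduced a login regression, tracked upstream as JENKINS-16278, so the backport should be checked against the upstream follow-up before the NMU is sponsored.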
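Review bot: the UtilTest.java hunk does not cover a protocol-relative target (`//host/`) or a target containing a backslash, which are exactly the inputs that matter for the redirect guards; add cases for them so the intended behaviour is pinned down rather than left to the current `indexOf(':')` logic. The literal `http://foobar/;` also looks mangled (stray `;`), suggesting the quotes around the string arguments were lost in this copy of the patch.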
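Review bot: `j:out` emits its value unescaped, so after the entry.jelly hunk the protection against a crafted build description is exactly whatever `app.markupFormatter.translate` does with the text; the patch header should state that the fix depends on the globally configured markup formatter, and any other view that outputs build descriptions through `j:out` instead of `j:text` needs the same treatment, which this one-line hunk does not cover. Check the remaining views in the backport for the same pattern.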
Bug#697617: login regression
The fix introduced a very annoying regression: see https://issues.jenkins-ci.org/browse/JENKINS-16278
Bug#698974: libjsyntaxpane-java: Need update to 0.9.5~r156
Package: libjsyntaxpane-java
Version: 0.9.5~r148-2
Severity: important

Dear Maintainer,

I am in the process of packaging freeplane 1.2.20, and this requires jsyntaxpane 0.9.5~r156. Now I checked that (in testing) only umlet and freeplane depend on libjsyntaxpane-java, and both packages work better with r156 than with r148 (I built umlet 11.3-5 from unstable and with jsyntaxpane 0.9.5~r148 the editor pane has no highlighting, but with 0.9.5~r156 it seems to work fine).

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-1-686-pae (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- no debconf information

-- Felix Natter
Bug#698975: maven: Install 3.x poms
Package: maven
Version: 3.0.4-5
Severity: normal

Dear Maintainer,

It would be very helpful for packaging of dependent packages if the poms for this package could also install 3.x symlinks where possible. This would avoid the potential need to update dependent packages when maven gets updated.

Thanks,
Andy
Bug#698998: felix-main: felix-framework requires java-wrappers to be installed, but it's not listed as a dependency
Package: felix-main
Version: 4.0.1-2
Severity: important

felix-main includes a script called felix-framework, which is a short-hand for starting the Felix framework in one go. This script sources the file /usr/lib/java-wrappers/java-wrappers.sh without checking whether that file exists. The file comes from the java-wrappers package, but that package is not listed as a dependency for felix-main. This causes using the felix-framework tool to fail if java-wrappers is not installed.

Two solutions are possible: java-wrappers can be added as a run-time dependency for the felix-main package, or a check can be added to the tool not to source the /usr/lib/java-wrappers/java-wrappers.sh file if it doesn't exist.

Without the felix-framework short-hand, the Felix framework can still be used by calling java -jar /usr/share/felix-framework/bin/felix.jar yourself. Therefore I'm giving this bug Severity: important for breaking a normal use-case but not breaking the package completely.

sjors@foo:~$ felix-framework
/usr/bin/felix-framework: 9: .: Can't open /usr/lib/java-wrappers/java-wrappers.sh
sjors@foo:~$ sudo apt-get install java-wrappers
[…]
sjors@foo:~$ felix-framework
[…]
Welcome to Apache Felix Gogo
g!

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages felix-main depends on:
ii  libfelix-bundlerepository-java  1.6.6-1
ii  libfelix-gogo-command-java      0.12.0-2
ii  libfelix-gogo-runtime-java      0.10.0-2
ii  libfelix-gogo-shell-java        0.10.0-2
ii  libfelix-main-java              4.0.1-2

felix-main recommends no packages.

Versions of packages felix-main suggests:
pn  libfelix-main-java-doc  <none>

-- no debconf information
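The second fix suggested in the report (only source java-wrappers.sh when it exists, otherwise fall back to running felix.jar directly), as an added example that is not the felix-main package's own felix-framework script. The two paths are the ones named in the report; it is assumed that java-wrappers.sh defines a run_java function when sourced.

```shell
#!/bin/sh
# Added example, not the felix-main package's script: a launcher that sources
# java-wrappers.sh only if it is readable and otherwise runs felix.jar directly,
# which is the workaround the bug report describes. Paths are from the report.
JAVA_WRAPPERS_SH=${JAVA_WRAPPERS_SH:-/usr/lib/java-wrappers/java-wrappers.sh}
FELIX_JAR=${FELIX_JAR:-/usr/share/felix-framework/bin/felix.jar}

# Decide how Felix can be started on this system.
#   missing   felix.jar itself is not readable; nothing can be launched
#   wrappers  java-wrappers.sh is readable and may be sourced
#   plain     java-wrappers is not installed; run java -jar directly
felix_launch_mode() {
    wrappers=$1
    jar=$2
    if [ ! -r "$jar" ]; then
        echo missing
    elif [ -r "$wrappers" ]; then
        echo wrappers
    else
        echo plain
    fi
}

# Start the framework, passing any arguments through to Felix.
felix_start() {
    case $(felix_launch_mode "$JAVA_WRAPPERS_SH" "$FELIX_JAR") in
        wrappers)
            . "$JAVA_WRAPPERS_SH"
            # run_java is assumed to be provided by java-wrappers.sh
            run_java -jar "$FELIX_JAR" "$@"
            ;;
        plain)
            # the direct invocation the report says always works
            exec java -jar "$FELIX_JAR" "$@"
            ;;
        *)
            echo "felix-framework: $FELIX_JAR not readable; is felix-main installed?" >&2
            return 1
            ;;
    esac
}

# Only launch when explicitly asked, so the file can also be sourced.
if [ "${FELIX_LAUNCH:-}" = run ]; then
    felix_start "$@"
fi
```

Run it as `FELIX_LAUNCH=run sh felix-launch.sh` to start Felix, or source it and call felix_start from another script.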