Bug#559854: FTBFS: qreal mixup on armel.

2009-12-06 Thread Riku Voipio
Package: mscore
Version: 0.9.5+dfsg-1
Severity: normal
User: debian-...@lists.debian.org
Usertags: eabi

On armel, qreal is defined as float rather than double. Thus, any calls to
functions that take qreals should be cast to qreal first. See the snip with
the build error:

> [ 86%] Building CXX object mscore/CMakeFiles/mscore.dir/bracket.cpp.o
> [ 86%] Building CXX object mscore/CMakeFiles/mscore.dir/canvas.cpp.o
> /build/buildd-mscore_0.9.5+dfsg-1-armel-zHPlOl/mscore-0.9.5+dfsg/mscore/mscore/canvas.cpp:2346:
>  error: prototype for 'void Canvas::setMag(double)' does not match any in 
> class 'Canvas'
> /build/buildd-mscore_0.9.5+dfsg-1-armel-zHPlOl/mscore-0.9.5+dfsg/mscore/mscore/canvas.h:160:
>  error: candidate is: void Canvas::setMag(qreal)
> make[4]: *** [mscore/CMakeFiles/mscore.dir/canvas.cpp.o] Error 1
> make[4]: Leaving directory 
> `/build/buildd-mscore_0.9.5+dfsg-1-armel-zHPlOl/mscore-0.9.5+dfsg/build'
> make[3]: *** [mscore/CMakeFiles/mscore.dir/all] Error 2




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#525549: gnucash: Missing account file

2009-12-06 Thread Micha Lenk
Hi Sam,

Sam Morris wrote:
> I would appreciate it if you could make a gnucash-dbg package available
> to aid in debugging this further.

Gnucash 2.2.9-2, currently available in Debian unstable, has now a
gnucash-dbg package with debugging symbols. Could you triage your bug
again with this package installed?

Thanks in advance.

Regards
  Micha






Bug#559719: ITP: classlib -- C++ Class Library

2009-12-06 Thread Michael Tautschnig
> Package: wnpp
> Severity: wishlist
> Owner: Gabriele Giacone <1o5g4...@gmail.com>
> 
> * Package name: classlib
>   Version : 3.0.9
>   Upstream Author : Lassi Tuura 
> * URL : http://cmsmac01.cern.ch/~lat/exports
> * License : GPL2
>   Programming Lang: C++
>   Description : C++ Class Library
> 
> I'm also working on good short and long descriptions and
> binary package name.
> Suggestions are welcome.
> 

Could you please also bug upstream about renaming this library? "classlib" is
just as good as naming it "lib" only, in a C++ context. 

On the other hand, as it is only needed as a dependency of iSpy, why not ship it
together with iSpy sources and don't even build specific binary packages?

Best,
Michael





Bug#519570: Kerberos working on samba 3.2.5 PDC, but failing when joining the domain

2009-12-06 Thread Anssi Kolehmainen
I had pretty much the same problems when I upgraded from samba 3.3.4 to
3.4.3 (failed to decrypt with error Decrypt integrity check failed,
Wrong principal in request, etc.) and spent a few hours trying everything.

The fix was to reboot Windows XP which I used to access shares. Go
figure.

-- 
Anssi Kolehmainen
anssi.kolehmai...@iki.fi
040-5085390






Bug#559795: marked as done (debian-installer: The purpose of choosing a country is unclear)

2009-12-06 Thread Frans Pop
On Monday 07 December 2009, Debian Bug Tracking System wrote:
> > Version: 20090123lenny1
[...]
> I don't know what version of D-I you're talking about.

I would say that the version gives a pretty clear indication that it was 
the Lenny installer...






Bug#423618: konqueror crashes when opening pubmed advanced search

2009-12-06 Thread Wolfgang Wirth
Package: konqueror
Version: 4:3.5.9.dfsg.1-6
Followup-For: Bug #423618


The current version of konqueror crashes when clicking the link advanced search 
(top of the page) on the site:
http://www.ncbi.nlm.nih.gov/pubmed/

(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 0xb68596c0 (LWP 10060)]
(no debugging symbols found)
#6  0xb7740bb9 in QGList::findRef () from /usr/lib/libqt-mt.so.3
#7  0xb77420c4 in QGList::removeRef () from /usr/lib/libqt-mt.so.3
#8  0xb615b5ae in ?? () from /usr/lib/libkhtml.so.4
#9  0xb746d364 in QObject::event () from /usr/lib/libqt-mt.so.3
#10 0xb74087c5 in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
#11 0xb7409806 in QApplication::notify () from /usr/lib/libqt-mt.so.3
#12 0xb7125b92 in KApplication::notify () from /usr/lib/libkdecore.so.4
#13 0xb73fe003 in QEventLoop::activateTimers () from /usr/lib/libqt-mt.so.3
#14 0xb73b36be in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3
#15 0xb74211a0 in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3
#16 0xb7421066 in QEventLoop::exec () from /usr/lib/libqt-mt.so.3
#17 0xb7408e5f in QApplication::exec () from /usr/lib/libqt-mt.so.3
#18 0xb6809bcc in kdemain () from /usr/lib/libkdeinit_konqueror.so
#19 0xb7f52464 in kdeinitmain () from /usr/lib/kde3/konqueror.so

konqueror also does not display the above mentioned website correctly, but this 
is only a small inconvenience :)

Btw: I have used konqueror as my standard browser for ~7 years now and I
really like it!

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages konqueror depends on:
ii  kcontrol         4:3.5.9.dfsg.1-6        control center for KDE
ii  kdebase-kio-plug 4:3.5.9.dfsg.1-6        core I/O slaves for KDE
ii  kdelibs4c2a      4:3.5.10.dfsg.1-0lenny3 core libraries and binaries for al
ii  kdesktop         4:3.5.9.dfsg.1-6        miscellaneous binaries and files f
ii  kfind            4:3.5.9.dfsg.1-6        file-find utility for KDE
ii  libc6            2.7-18                  GNU C Library: Shared libraries
ii  libgcc1          1:4.3.2-1.1             GCC support library
ii  libkonq4         4:3.5.9.dfsg.1-6        core libraries for Konqueror
ii  libqt3-mt        3:3.3.8b-5+b1           Qt GUI Library (Threaded runtime v
ii  libstdc++6       4.3.2-1.1               The GNU Standard C++ Library v3
ii  libx11-6         2:1.1.5-2               X11 client-side library

konqueror recommends no packages.

Versions of packages konqueror suggests:
pn  gij-4.1                                  (no description available)
ii  khelpcente 4:4.0.0.really.3.5.9.dfsg.1-6 help center for KDE
ii  konq-plugi 4:3.5.9-2                     plugins for Konqueror, the KDE fil
ii  ksvg       4:3.5.9-3+lenny2              SVG viewer for KDE
pn  libgcj7-aw                               (no description available)
pn  libjessie-                               (no description available)

-- no debconf information






Bug#558426: atl1e performance problems with native IPv6

2009-12-06 Thread Joerg Pareigis
> [...]
> I've built the module from the sources for the next stable kernel package, 
> including this patch.  So try using this:
> http://womble.decadent.org.uk/tmp/atl1e.ko
>
OK, thanks a lot.
Now I'm using this module.
Unfortunately this module does not run perfectly yet.
At first I thought it's OK, because the output of "ls -lR /usr" is very fast,
but when I start an X-Application through a
"ssh -X host" I see a lot of truncated packets :-(
And also additional "ls -lR" tests produce truncated packets...

-- 
Joerg.








Bug#559771: [Evolution] Bug#559771: evolution-dev: Might be missing a Depends on libgtkhtml*-dev

2009-12-06 Thread Yves-Alexis Perez
On lun., 2009-12-07 at 01:22 +0100, Cyril Brulebois wrote:
> mail-notification's #549745 sounds like triggered because evolution-dev
> fails to depend on libgtkhtml*-dev while some of its headers include 

Hey,

I've added the dependency in svn, but won't upload before evolution
finally migrates to testing. For the moment I guess the best solution is
to manually add the dependency to mail-notification.

Cheers,
-- 
Yves-Alexis




Bug#559539: libselinux1: Selinux warnings during installation of grub-pc in clean sid chroot

2009-12-06 Thread Clint Adams
Paolo,

We are suggesting the change below since SELinux will apparently be useless if
is_selinux_enabled() returns -1, and the warnings in that case are not clearly
helpful.

On Sun, Dec 06, 2009 at 08:09:18PM +0100, Frans Pop wrote:
> If I repeat the installation of grub-pc now, the warnings do *not* occur, 
> so there seems to be a bug that blindly assumes selinux is active if /proc 
> is not mounted?
> 
> Attached an strace for one of the sed processes which shows the file 
> accesses from libselinux1 with /proc unmounted.
> 
> Hmmm. is_selinux_enabled() in src/enabled.c has the following code which is 
> executed if selinux_mnt is NULL:
> /* Drop back to detecting it the long way. */
> fp = fopen("/proc/filesystems", "r");
> if (!fp)
> return -1;
> 
> So, is_selinux_enabled() returns -1 here, which makes the test in sed true:
> ./sed-4.2.1/sed/execute.c:748:  if (is_selinux_enabled ())
> 
> Should sed maybe explicitly test for a value of 1 (or > 0) instead?


diff --git a/sed/execute.c b/sed/execute.c
index b83c9ec..17bf076 100644
--- a/sed/execute.c
+++ b/sed/execute.c
@@ -745,7 +745,7 @@ open_next_file(name, input)
 panic(_("couldn't edit %s: not a regular file"), input->in_file_name);
 
 #ifndef BOOTSTRAP
-  if (is_selinux_enabled ())
+  if (is_selinux_enabled () == 1)
{
   security_context_t con;
  if (getfilecon (input->in_file_name, &con) != -1)
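Review bot: On the changed `is_selinux_enabled () == 1` line, the -1 error return now takes the same path as 0 without any trace in the code of why; add a short comment above the test saying that -1 (for example when /proc/filesystems cannot be opened) is deliberately treated as "not enabled", so a later cleanup does not turn it back into a bare truthiness test. The quoted report also offered `> 0` as an alternative; either form covers the values discussed in this thread, but the comment should say which contract is being relied on.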






Bug#559853: yaboot: Yaboot does not handle ext4 root partition?

2009-12-06 Thread Rick Thomas
Package: yaboot
Version: 1.3.13a-1
Severity: normal


I installed a "squeeze" system (using the sid d-i netinst image) and just for
fun I decided to try setting root up as an ext4 filesystem.

All went well until the reboot into the new system.

It complained about the filesystem being corrupt and refused to boot.

I was able to boot into an ext3 partition by naming it in response to the
"boot:" prompt.

I have not tried reinstalling from the same CD with root as an ext3 filesystem,
so I can't immediately rule out something besides root=ext4 as the causative
factor, but it sure seems like it's a possibility.

Anybody else seen this?

Rick


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: powerpc (ppc)

Kernel: Linux 2.6.30-2-powerpc
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages yaboot depends on:
ii  libc6 2.10.2-2   GNU C Library: Shared libraries

Versions of packages yaboot recommends:
ii  hfsutils  3.2.6-11   Tools for reading and writing Maci
ii  powerpc-utils 1.1.3-24   Various utilities for Linux/PowerP

yaboot suggests no packages.

-- no debconf information






Bug#559796: debian-installer: doesn't recognize manual changes to disk contents

2009-12-06 Thread Frans Pop
reassign 559796 partman-base
severity 559796 wishlist
thanks

> I noticed inside the partitioner that I couldn't create a /boot ext3
> with extra-small journal.

Personally I just use ext2 for /boot.

> So I did that manually instead. But I couldn't 
> figure out any way to make the installer recognize that there was a
> filesystem on that partition now, so that I could have selected for it
> to not be formatted again, without rebooting the installer.

So exiting to the menu and restarting partman did not work?

It's possible that file system detection is only executed the first time 
partman is started.

IIRC there is a flag /var/lib/partman/filesystems_detected (or something 
close to that). Possibly deleting that before restarting partman would do 
what you want. Could you verify that?

> Given that the installer can't implement every configuration option one
> could possibly think of, I think it would be nice if the manual fallback
> would work without too much trouble.

I see your point, but the challenge is to implement it in a way that does 
not confuse the hell out of users.






Bug#512377: segmentation fault in telrcv()

2009-12-06 Thread Anand (make others happy )
Hi,

Yes, it is still happening to me, I am using Linux i686.

Thanks,
Anand

On Fri, Dec 4, 2009 at 9:50 PM, Alberto Gonzalez Iniesta wrote:

> On Thu, Aug 06, 2009 at 01:34:03PM +0530, Anand (make others happy ) wrote:
> > Hi,
> >
> >
> > I can handle this NULL check but not sure of the root cause of this. Since I
> > do not have much knowledge on telnetd code base, could you please help me
> > out here. I am running netkit-telnet-0.17
>
>
> Hi, I cannot reproduce it, is it still happening to you? Which arch are
> you using?
>
> Thanks,
>
> Alberto
>
> --
> Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico
> agi@(inittab.org|debian.org)| en GNU/Linux y software libre
> Encrypted mail preferred| http://inittab.com
>
> Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
>


Bug#559795: debian-installer: The purpose of choosing a country is unclear

2009-12-06 Thread Frans Pop
On Monday 07 December 2009, Florian Zumbiehl wrote:
> After having selected a language for the installer, the installer asks
> for "a country", but doesn't say anything about the effects this choice
> has.

This has recently been improved in the version of the installer for 
Squeeze. Would you care to try a daily built image [1] and comment on the 
new version?

It is also documented in the installation guide [2] of course.

> In the case of language variants, it's somewhat obvious what it could be
> good for. But after all, (a) it doesn't ask for a language variant, it
> asks for a country and (b) it wouldn't make much sense to ask for a
> "desired country" after I said that I didn't want any localization at
> all if it were for the selection of language variants only.

The reasons for choosing a country are:
- used to select correct time zone
- determines the default country for mirror selection later
- helps in selecting language variants (locales)

Cheers,
FJP

[1] http://www.debian.org/devel/debian-installer/
[2] http://d-i.alioth.debian.org/manual/en.i386/ch06s03.html#localechooser






Bug#532152: Request for help with iproute2 bugs.

2009-12-06 Thread Andreas Henriksson
On mån, 2009-12-07 at 14:47 +1100, Simon Horman wrote:
> On Thu, Dec 03, 2009 at 12:08:27PM +1100, Simon Horman wrote:
> > On Mon, Nov 23, 2009 at 11:37:42AM +0100, Andreas Henriksson wrote:
> > > http://bugs.debian.org/532152 - incorrectly enumerates existing addresses.
> > >   iproute: 'ip addr flush' exits with error on first try
> > 
> > I've taken a stab at this one.
> > 
> 
> Any feedback?


Looks good to me! Thanks for taking care of this.

Hopefully Stephen does his next round of reviews soon so this (and other
pending patches) gets applied. We'll have to wait and see

-- 
Regards,
Andreas Henriksson






Bug#559795: Some more thoughts ...

2009-12-06 Thread Frans Pop
On Monday 07 December 2009, Florian Zumbiehl wrote:
> Given my assumption that the country selection is both for the selection
> of language variants and of the computer's default time zone:
> I think those two things are completely orthogonal and thus should
> actually be split in two. Just because your mother tongue is Brazilian
> Spanish, doesn't mean you don't currently live in Russia. Even though
> you may know some Russian, you still may prefer your computer to
> talk to you in your mother tongue. Still you may want your computer
> to display the time of the place where you currently live ...

This is fully supported in the Squeeze version of the installer and it 
should also be more clear in the user interface now.






Bug#552984: emacs22-gtk: menu bar mode menus do not open

2009-12-06 Thread Ian Zimmerman

There's something even weirder: sometimes the menus do open, but are
completely wrong.  The items seem to be "held over" from the menu that
was in the same position in the menubar, _for the previous buffer
displayed in the window_.

For example, let's say my saved desktop makes emacs start up with the
.emacs file opened, so the menubar corresponds to Emacs Lisp mode.  In
position 7 on the menubar is the Emacs Lisp menu, with items like
"Indent Line".  Now I want to send some email, so in the same window I
open a Message mode buffer.  For this mode, the Message menu is in
position 7.  Sometimes it will be empty as reported, but sometimes
the items will be those from the Emacs Lisp menu!  What a ^*%! mess.

I hope this will help to have it tracked down and fixed _fast_.  It is
the most important program in the distribution after all :-)

-- 
Ian Zimmerman 
gpg public key: 1024D/C6FF61AD 
fingerprint: 66DC D68F 5C1B 4D71 2EE5  BD03 8A00 786C C6FF 61AD
Ham is for reading, not for eating.






Bug#559852: xinit: --tmpdir is not supported by Lenny's mktemp

2009-12-06 Thread Sven Joachim
Package: xinit
Version: 1.2.0-1
Severity: important

Quoting the Debian changelog:

,
| xinit (1.2.0-1) unstable; urgency=low
| 
|   [ Julien Cristau ]
|   * 06_move_serverauthfile_into_tmp.diff: use mktemp --tmpdir to honour
| $TMPDIR (closes: #480958).
`

The mktemp version in Lenny does not understand the --tmpdir option,
which will break startx in some interesting ways.  You should either

- depend on coreutils (>= 7.4-1) to ensure that the coreutils version of
  mktemp is used, or

- remove the --tmpdir switch, since the coreutils version of mktemp
  honors TMPDIR by default (the Lenny version of mktemp will create the
  file in /tmp, as before).


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.31.6-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xinit depends on:
ii  libc6      2.10.2-2   GNU C Library: Shared libraries
ii  libx11-6   2:1.3.2-1  X11 client-side library
ii  x11-common 1:7.4+4    X Window System (X.Org) infrastruc
ii  xauth      1:1.0.4-1  X authentication utility

Versions of packages xinit recommends:
ii  blackbox [x-window-ma 0.70.1-2.2         Window manager for X
ii  fluxbox [x-window-man 1.1.1-4            Highly configurable and low resour
ii  icewm [x-window-manag 1.2.37+1.3.4pre2-8 wonderful Win95-OS/2-Motif-like wi
ii  konsole [x-terminal-e 4:3.5.10.dfsg.1-2  X terminal emulator for KDE
di  ksmserver [x-session- 4:3.5.10.dfsg.1-2  session manager for KDE
ii  kwin [x-window-manage 4:3.5.10.dfsg.1-2  the KDE window manager
ii  lxterminal [x-termina 0.1.6-1            desktop independent vte-based term
ii  xserver-xorg          1:7.4+4            the X.Org X server
ii  xserver-xorg-core [xs 2:1.6.5-1          Xorg X server - core server
ii  xterm [x-terminal-emu 251-1              X terminal emulator

xinit suggests no packages.

-- no debconf information






Bug#559539: libselinux1: Selinux warnings during installation of grub-pc in clean sid chroot

2009-12-06 Thread Clint Adams
On Mon, Dec 07, 2009 at 12:14:48AM -0600, Manoj Srivastava wrote:
> It is not a valid response, it is an error response. As the man
>  page says, is_selinux_enabled returns 1 if SELinux is running or 0 if
>  it is not. Anything else is undefined; you  certainly should not assume
>  that selinux is running unless the return value is 1.
> 
> >> Should sed maybe explicitly test for a value of 1 (or > 0) instead?
> >
> > Is -1 meant to be an "I don't know" response?
> 
> It is meant to be an error value. Since you can't take
>  corrective action, just ignore it and go on.

So if /proc is missing it's better to try to get the security context anyway
or to assume there are none?






Bug#559826: analysis of vulnerable redland versions

2009-12-06 Thread Dave Beckett
No version before 1.0.9 is vulnerable - they do not use libtool and ltdl.

That leaves:
testing/squeeze 1.0.9-2
unstable/sid    1.0.9-3

which are vulnerable.

No etch or lenny releases are vulnerable.

redland 1.0.9 upstream was built with libtool 2.2.6 so patching
source file redland-1.0.9/libltdl/ltdl.c with the one from the 2.2.6b
release should fix it.

Dave






Bug#559539: libselinux1: Selinux warnings during installation of grub-pc in clean sid chroot

2009-12-06 Thread Manoj Srivastava
On Sun, Dec 06 2009, Clint Adams wrote:

> On Sun, Dec 06, 2009 at 08:09:18PM +0100, Frans Pop wrote:
>> Hmmm. is_selinux_enabled() in src/enabled.c has the following code which is 
>> executed if selinux_mnt is NULL:
>> /* Drop back to detecting it the long way. */
>> fp = fopen("/proc/filesystems", "r");
>> if (!fp)
>> return -1;
>> 
>> So, is_selinux_enabled() returns -1 here, which makes the test in sed true:
>> ./sed-4.2.1/sed/execute.c:748:  if (is_selinux_enabled ())
>
> If -1 is a valid response, the is_selinux_enabled man page should be
> corrected. 

It is not a valid response, it is an error response. As the man
 page says, is_selinux_enabled returns 1 if SELinux is running or 0 if
 it is not. Anything else is undefined; you  certainly should not assume
 that selinux is running unless the return value is 1.

>> Should sed maybe explicitly test for a value of 1 (or > 0) instead?
>
> Is -1 meant to be an "I don't know" response?

It is meant to be an error value. Since you can't take
 corrective action, just ignore it and go on.

manoj
-- 
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759
Manoj Srivastava    
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
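
The return-value contract argued over in this thread, as an added example that is not part of the original messages and is not code from sed or libselinux. `probe_enabled()` is a hypothetical stand-in that mirrors the quoted fallback (it returns -1 when the filesystems list cannot be opened), and the two callers show the truthiness test next to the explicit `== 1` test; the file names and sample contents are constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for the fallback path quoted in the thread.
 * Returns 1 (enabled), 0 (not enabled) or -1 (could not determine).
 * fs_list_path plays the role of /proc/filesystems; matching on the
 * string "selinuxfs" is a simplification made for this example.
 */
static int probe_enabled(const char *fs_list_path)
{
    char line[256];
    int found = 0;
    FILE *fp = fopen(fs_list_path, "r");

    if (!fp)
        return -1;              /* e.g. /proc is not mounted in the chroot */

    while (fgets(line, sizeof line, fp) != NULL) {
        if (strstr(line, "selinuxfs") != NULL) {
            found = 1;
            break;
        }
    }
    fclose(fp);
    return found;
}

/* Caller as it was before the patch: any non-zero value counts as "on". */
static int caller_truthy(int rc)
{
    return rc ? 1 : 0;
}

/* Caller as patched: only the documented "enabled" value counts. */
static int caller_strict(int rc)
{
    return rc == 1;
}

/* Writes a constructed filesystems list; returns 0 on success. */
static int write_sample(const char *path, const char *body)
{
    FILE *fp = fopen(path, "w");

    if (!fp)
        return -1;
    if (fputs(body, fp) == EOF) {
        fclose(fp);
        return -1;
    }
    return fclose(fp) == 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample inputs, not captured from a real system. */
    static const char with_se[] = "nodev\tsysfs\nnodev\tselinuxfs\n\text3\n";
    static const char without_se[] = "nodev\tsysfs\nnodev\tproc\n\text3\n";
    const char *paths[3] = { "fs_with.txt", "fs_without.txt",
                             "missing-dir/filesystems" };
    int i;

    if (write_sample(paths[0], with_se) || write_sample(paths[1], without_se))
        return 1;

    /* The third path does not exist, which reproduces the -1 case. */
    for (i = 0; i < 3; i++) {
        int rc = probe_enabled(paths[i]);
        printf("%-24s rc=%2d  truthy=%d  strict=%d\n",
               paths[i], rc, caller_truthy(rc), caller_strict(rc));
    }
    remove(paths[0]);
    remove(paths[1]);
    return 0;
}
```

Only the row for the missing file differs between the two callers: the truthiness test takes the "enabled" branch on -1, while the strict test skips it.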






Bug#559787: [php-maint] Bug#559787: php4: CVE-2008-5624

2009-12-06 Thread Raphael Geissert
severity 559787 important
thanks

Hi Michael,

safe_mode and open_basedir do not receive security support (see
README.Debian.security in php4-common and data/package-tags on the
tracker repo) and PHP4 is far behind security updates anyway.

Sean, apparently at some point you said you were going to prepare an
updated package, do you still plan to work on one?

Maybe another upload could be prepared addressing the most severe
issues and declaring the EOL of security support.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net






Bug#559851: aspell-de: tries to register non-existent alternative

2009-12-06 Thread Sven Joachim
Package: aspell-de
Version: 20091006-1
Severity: serious

Your package fails to configure:

,
| # LC_ALL=C dpkg --configure aspell-de
| Setting up aspell-de (20091006-1) ...
| update-alternatives: error: alternative path /usr/lib/aspell/de-neu.multi doesn't exist.
| dpkg: error processing aspell-de (--configure):
|  subprocess installed post-installation script returned error exit status 2
| Errors were encountered while processing:
|  aspell-de
`


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.31.6-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages aspell-de depends on:
ii  aspell                0.60.6-2   GNU Aspell spell-checker
ii  dictionaries-common   1.4.0      Common utilities for spelling dict

aspell-de recommends no packages.

aspell-de suggests no packages.

-- no debconf information






Bug#559850: rm: Please provide --preserve-home for $HOME, like --preserve-root for /

2009-12-06 Thread Josh Triplett
Package: coreutils
Version: 8.0-2
Severity: wishlist

rm provides a --preserve-root, enabled by default, to prevent
"rm -rf /".  Please consider adding a similar option --preserve-home,
also enabled by default, which prevents removing the arguably more
important $HOME.

- Josh Triplett

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages coreutils depends on:
ii  libacl1   2.2.49-1   Access control list shared library
ii  libattr1  1:2.4.44-1 Extended attribute shared library
ii  libc6 2.10.2-2   GNU C Library: Shared libraries
ii  libselinux1   2.0.89-4   SELinux runtime shared libraries

coreutils recommends no packages.

coreutils suggests no packages.

-- no debconf information






Bug#559791: on boost 1.39; blocks removal of boost1.39

2009-12-06 Thread Steve M. Robbins
Package: python-visual
Severity: normal

Patch for incoming NMU:

diff -u -r --new-file orig/python-visual-5.12/debian/changelog 
python-visual-5.12/debian/changelog
--- orig/python-visual-5.12/debian/changelog2009-12-06 22:22:39.0 
-0600
+++ python-visual-5.12/debian/changelog 2009-12-06 22:25:29.0 -0600
@@ -1,3 +1,11 @@
+python-visual (1:5.12-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * control: Change boost build dependencies to unversioned packages.
+Closes: #559791.
+
+ -- Steve M. Robbins   Sun, 06 Dec 2009 22:25:28 -0600
+
 python-visual (1:5.12-1) unstable; urgency=low
 
   * New upstream release.
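Review bot: The new changelog entry lists only the control change, but this NMU also adds debian/patches/2000_boost_python_workaround.patch and a matching line in debian/patches/series; add a bullet for the workaround patch so the changelog describes everything that is uploaded.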
diff -u -r --new-file orig/python-visual-5.12/debian/control 
python-visual-5.12/debian/control
--- orig/python-visual-5.12/debian/control  2009-12-06 22:22:39.0 
-0600
+++ python-visual-5.12/debian/control   2009-12-06 22:24:22.0 -0600
@@ -2,7 +2,7 @@
 Section: python
 Priority: optional
 Maintainer: Jonas Smedegaard 
-Build-Depends: cdbs (>= 0.4.39), autotools-dev, devscripts (>= 2.10.7), quilt, 
patchutils (>= 0.2.25), python-all-dev (>= 2.3.5-11), python-central (>= 
0.5.6), debhelper (>= 6), dh-buildinfo, python-numpy, libgtkglextmm-x11-1.2-dev 
(>= 1.2), libglibmm-2.4-dev, libpangomm-1.4-dev, libglademm-2.4-dev, 
libpango1.0-dev, libfreetype6-dev, libboost-python1.39-dev, 
libboost-signals1.39-dev, libboost-thread1.39-dev, libglu1-mesa-dev | 
xlibmesa-glu-dev | libglu-dev
+Build-Depends: cdbs (>= 0.4.39), autotools-dev, devscripts (>= 2.10.7), quilt, 
patchutils (>= 0.2.25), python-all-dev (>= 2.3.5-11), python-central (>= 
0.5.6), debhelper (>= 6), dh-buildinfo, python-numpy, libgtkglextmm-x11-1.2-dev 
(>= 1.2), libglibmm-2.4-dev, libpangomm-1.4-dev, libglademm-2.4-dev, 
libpango1.0-dev, libfreetype6-dev, libboost-python-dev, libboost-signals-dev, 
libboost-thread-dev, libglu1-mesa-dev | xlibmesa-glu-dev | libglu-dev
 Standards-Version: 3.8.3
 XS-Python-Version: all
 Homepage: http://www.vpython.org
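Review bot: The replacement Build-Depends line drops the 1.39 pin on libboost-python-dev, libboost-signals-dev and libboost-thread-dev without any lower bound, so the build accepts whatever Boost version the unversioned packages resolve to. If the source needs at least the version it was previously built against, add a versioned constraint to these three entries; if any version is acceptable, say so in the changelog entry.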
diff -u -r --new-file 
orig/python-visual-5.12/debian/patches/2000_boost_python_workaround.patch 
python-visual-5.12/debian/patches/2000_boost_python_workaround.patch
--- orig/python-visual-5.12/debian/patches/2000_boost_python_workaround.patch   
1969-12-31 18:00:00.0 -0600
+++ python-visual-5.12/debian/patches/2000_boost_python_workaround.patch
2009-12-06 23:03:11.0 -0600
@@ -0,0 +1,17 @@
+Origin: 2000_boost_python_workaround.patch
+
+This seems to be a Boost.Python bug.  The following
+patch works around it.
+
+
+diff -u -r orig/python-visual-5.12/src/python/cvisualmodule.cpp 
python-visual-5.12/src/python/cvisualmodule.cpp
+--- orig/python-visual-5.12/src/python/cvisualmodule.cpp   2009-05-11 
22:49:06.0 -0500
 python-visual-5.12/src/python/cvisualmodule.cpp2009-12-06 
22:49:30.0 -0600
+@@ -9,6 +9,7 @@
+ #include 
+ #include 
+ 
++#include 
+ #include 
+ #include 
+ #include 
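Review bot: The header of the new 2000_boost_python_workaround.patch says only "This seems to be a Boost.Python bug" and its Origin field names the patch file itself, which identifies neither the failure nor the source of the fix. Describe the build error being worked around and why the added include resolves it, and reference the Boost bug report or state that it has not been forwarded, so the workaround can be dropped once Boost is fixed.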
diff -u -r --new-file orig/python-visual-5.12/debian/patches/series 
python-visual-5.12/debian/patches/series
--- orig/python-visual-5.12/debian/patches/series   2009-12-06 
22:22:39.0 -0600
+++ python-visual-5.12/debian/patches/series2009-12-06 23:01:47.0 
-0600
@@ -1,2 +1,3 @@
 1002_unquieten_compile.patch
 1003_include_python_header.patch
+2000_boost_python_workaround.patch


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash






Bug#559674: Bug #559674,Wrong group in munin-node config stops processing of, rest of file

2009-12-06 Thread Tom Feiner
tags 559674 -pending
retitle 559674 Wrong group in munin-node config stops processing of, rest of
conffile, breaking other plugins configuration
severity 559674 important
forwarded 559674 http://munin.projects.linpro.no/ticket/788
quit

Hi,

As Stig mentioned, Exim logs to /var/log/exim/*.log (on my system it's
/var/log/exim4).

But the group (at least on my sid system) is adm (which has read permissions
on the logs) so it looks like using adm would work.

Here's what I see on my system (sid):
ls -la /var/log/exim4/
total 96
drwxr-s---  2 Debian-exim adm   4096 Sep 16 06:25 .
drwxr-xr-x 13 root        root  4096 Oct 10 19:49 ..
-rw-r-      1 Debian-exim adm  20176 Oct 30 20:35 mainlog
-rw-r-      1 Debian-exim adm  37547 Sep 16 06:25 mainlog.1
-rw-r-      1 Debian-exim adm   1746 Sep 15 06:25 mainlog.2.gz
-rw-r-      1 Debian-exim adm    287 Sep 14 06:25 mainlog.3.gz
-rw-r-      1 Debian-exim adm    510 Sep 13 06:25 mainlog.4.gz
-rw-r-      1 Debian-exim adm    467 Aug 28 09:25 mainlog.5.gz
-rw-r-      1 Debian-exim adm    348 Oct 30 14:23 paniclog

However this bug raises a bigger issue, where a wrong/non-existent/mistyped
group for a plugin configuration, even if the plugin is not used, causes
munin-node to skip the rest of its configuration file, breaking the
configuration for the rest of the plugins.

I've forwarded this issue upstream so they'll be aware of the problem and
hopefully fix it.

Thanks,
Tom Feiner






Bug#559849: freecad: Missing / in a path entry

2009-12-06 Thread Benedikt Spranger
Package: freecad
Version: 0.9.2646.3-1
Severity: normal

While "Insert a new View of a Part in the active drawing" I get the following
error message:

"Cannot open file /usr/share/freecadMod/Drawing/Templates/A3_Landscape.svg"

There is a / missing.

-- System Information:
Debian Release: squeeze/sid
  APT prefers sid
  APT policy: (500, 'sid'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to de_DE.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages freecad depends on:
ii  libboost-filesy 1.40.0-4                 filesystem operations (portable pa
ii  libboost-progra 1.40.0-4                 program options library for C++
ii  libboost-regex1 1.40.0-4                 regular expression library for C++
ii  libboost-signal 1.40.0-4                 managed signals and slots library
ii  libboost-system 1.40.0-4                 Operating system (e.g. diagnostics
ii  libc6           2.10.2-2                 GNU C Library: Shared libraries
ii  libcoin60       3.1.2-1                  high-level 3D graphics kit impleme
ii  libgcc1         1:4.4.2-3                GCC support library
ii  libgl1-mesa-glx 7.6-1                    A free implementation of the OpenG
ii  libglu1-mesa [l 7.6-1                    The OpenGL utility library (GLU)
ii  libice6         2:1.0.6-1                X11 Inter-Client Exchange library
ii  libopencascade- 6.3.0.dfsg.1-4           OpenCASCADE CAE platform shared li
ii  libopencascade- 6.3.0.dfsg.1-4           OpenCASCADE CAE platform shared li
ii  libqt4-network  4:4.5.3-4                Qt 4 network module
ii  libqt4-opengl   4:4.5.3-4                Qt 4 OpenGL module
ii  libqt4-qt3suppo 4:4.5.3-4                Qt 3 compatibility library for Qt
ii  libqt4-svg      4:4.5.3-4                Qt 4 SVG module
ii  libqt4-webkit   4:4.5.3-4                Qt 4 WebKit module
ii  libqt4-xml      4:4.5.3-4                Qt 4 XML module
ii  libqtcore4      4:4.5.3-4                Qt 4 core module
ii  libqtgui4       4:4.5.3-4                Qt 4 GUI module
ii  libsm6          2:1.1.1-1                X11 Session Management library
ii  libsoqt4-20     1.4.2~svn20090224-2      Qt4 GUI component toolkit for Inve
ii  libstdc++6      4.4.2-3                  The GNU Standard C++ Library v3
ii  libx11-6        2:1.3.2-1                X11 client-side library
ii  libxerces-c28   2.8.0+deb1-2             validating XML parser library for
ii  libxext6        2:1.0.4-1                X11 miscellaneous extension librar
ii  libxi6          2:1.2.1-2                X11 Input extension library
ii  libxmu6         2:1.0.5-1                X11 miscellaneous utility library
ii  libxt6          1:1.0.7-1                X11 toolkit intrinsics library
ii  libzipios++0c2a 0.1.5.9+cvs.2007.04.28-5 a small C++ library for reading zi
ii  python          2.5.4-2                  An interactive high-level object-o
ii  python-support  1.0.6                    automated rebuilding support for P
ii  python2.5       2.5.4-3                  An interactive high-level object-o
ii  zlib1g          1:1.2.3.3.dfsg-15        compression library - runtime

Versions of packages freecad recommends:
ii  python-pivy   0.5.0~svn765-2 Coin binding for Python

Versions of packages freecad suggests:
ii  freecad-doc     0.9.2646.3-1  FreeCAD documentation
ii  python-opencv   1.0.0-6.3     Python bindings for the computer v

-- no debconf information






Bug#556015: debian-policy: Clarify requirements for copyright file

2009-12-06 Thread Russ Allbery
Steve Langasek  writes:
> On Sun, Dec 06, 2009 at 09:18:21PM -0800, Russ Allbery wrote:

>> No, Lintian has a special tag that it issues when it's checking a binary
>> package in isolation and therefore can't double-check that the doc symlink
>> points within the same source package.  That tag isn't (and certainly
>> shouldn't be) something that the archive auto-rejects on.

> Does lintian issue that tag when the package isn't being checked in
> isolation, it's being checked via the .changes file for a -B upload?

Looks that way.

    # We can only check if both packages come from the same source
    # if our source package is currently unpacked in the lab, too!
    if (-d "source") {  # yes, it's unpacked

        # $link from the same source pkg?
        if (-l "source/binary/$link") {
            # yes, everything is ok.
        } else {
            # no, it is not.
            tag "usr-share-doc-symlink-to-foreign-package", "$link";
        }
    } else {  # no, source is not available
        tag "cannot-check-whether-usr-share-doc-symlink-points-to-foreign-package", "";
    }

-- 
Russ Allbery (r...@debian.org)   






Bug#520862: libkarma - FTBFS: /usr/bin/csc: Command not found

2009-12-06 Thread Cyril Brulebois
tag 520862 pending
thanks

peter green  (23/03/2009):
> mono-devel needs to be moved from build-depends-indep to
> build-depends to fix this bug.

Indeed, thanks. Please find attached the patch for my NMU.

Mraw,
KiBi.
diff -u libkarma-0.0.6/debian/changelog libkarma-0.0.6/debian/changelog
--- libkarma-0.0.6/debian/changelog
+++ libkarma-0.0.6/debian/changelog
@@ -1,3 +1,11 @@
+libkarma (0.0.6-4.2) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix FTBFS on buildds: Move mono-devel from B-D-I to B-D as suggested
+by Peter Green, thanks! (Closes: #520862).
+
+ -- Cyril Brulebois   Mon, 07 Dec 2009 06:20:39 +0100
+
 libkarma (0.0.6-4.1) unstable; urgency=low
 
   * Non-maintainer upload.
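Review bot: the new 0.0.6-4.2 entry says mono-devel moves from B-D-I to B-D but not why the buildds needed it. Naming the symptom from the bug title (/usr/bin/csc: Command not found) and the fact that arch-only builds do not install Build-Depends-Indep would make the entry readable without the bug log.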
diff -u libkarma-0.0.6/debian/control libkarma-0.0.6/debian/control
--- libkarma-0.0.6/debian/control
+++ libkarma-0.0.6/debian/control
@@ -1,8 +1,8 @@
 Source: libkarma
 Priority: extra
 Maintainer: Joe Nahmias 
-Build-Depends: debhelper (>= 6), dpatch, zlib1g-dev, libtagc0-dev, libusb-dev
-Build-Depends-Indep: cli-common-dev (>= 0.4.4), mono-devel (>= 2.0.1), libmono2.0-cil (>= 2.0.1)
+Build-Depends: debhelper (>= 6), dpatch, zlib1g-dev, libtagc0-dev, libusb-dev, mono-devel (>= 2.0.1)
+Build-Depends-Indep: cli-common-dev (>= 0.4.4), libmono2.0-cil (>= 2.0.1)
 Standards-Version: 3.8.0
 Section: libs
 Homepage: http://www.freakysoft.de/html/libkarma/
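Review bot: in the debian/control hunk only mono-devel is promoted to Build-Depends, while cli-common-dev and libmono2.0-cil stay in Build-Depends-Indep. If any arch-dependent target in debian/rules also calls a helper from cli-common-dev or compiles against libmono2.0-cil, the -B build will fail again one step later, so this is worth confirming with an arch-only build in a clean chroot before upload.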




Bug#559795: Some more thoughts ...

2009-12-06 Thread Florian Zumbiehl
Some more thoughts I should have explained a bit more explicitly, maybe ...

Given my assumption that the country selection is both for the selection
of language variants and of the computer's default time zone:
I think those two things are completely orthogonal and thus should
actually be split in two. Just because your mother tongue is Brazilian
Spanish, doesn't mean you don't currently live in Russia. Even though
you may know some Russian, you still may prefer your computer to
talk to you in your mother tongue. Still you may want your computer
to display the time of the place where you currently live ...

But at least, the installer should point out what effect the
selection has.






Bug#559848: ufraw: unhelpful default for save file name

2009-12-06 Thread Ian Zimmerman
Package: ufraw
Version: 0.16-1
Severity: normal


ufraw seems to always remember the last file name used for saving, and
use this as the default file name for the next save, instead of
deriving the save file name from the input file name.  This means
unless I remember to edit the output file name, I'll get a warning, or
worse, overwrite the last output with the next one if the warning is
disabled.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.31.6-core2-small (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ufraw depends on:
ii  desktop-file-utils 0.15-2            Utilities for .desktop files
ii  libatk1.0-0        1.28.0-1          The ATK accessibility toolkit
ii  libbz2-1.0         1.0.5-3           high-quality block-sorting file co
ii  libc6              2.10.2-2          GNU C Library: Shared libraries
ii  libcairo2          1.8.8-2           The Cairo 2D vector graphics libra
ii  libexiv2-5         0.18.2-1+b1       EXIF/IPTC metadata manipulation li
ii  libfontconfig1     2.6.0-4           generic font configuration library
ii  libfreetype6       2.3.11-1          FreeType 2 font engine, shared lib
ii  libgcc1            1:4.4.2-3         GCC support library
ii  libglib2.0-0       2.22.2-2          The GLib library of C routines
ii  libgomp1           4.4.2-3           GCC OpenMP (GOMP) support library
ii  libgtk2.0-0        2.18.3-1          The GTK+ graphical user interface
ii  libgtkimageview0   1.6.1-2           image viewer widget for GTK+
ii  libjpeg62          6b-15             The Independent JPEG Group's JPEG
ii  liblcms1           1.18.dfsg-1       Color management library
ii  libpango1.0-0      1.26.1-1          Layout and rendering of internatio
ii  libpng12-0         1.2.40-1          PNG library - runtime
ii  libstdc++6         4.4.2-3           The GNU Standard C++ Library v3
ii  libtiff4           3.9.2-1           Tag Image File Format (TIFF) libra
ii  zlib1g             1:1.2.3.3.dfsg-15 compression library - runtime

ufraw recommends no packages.

ufraw suggests no packages.

-- no debconf information






Bug#559847: dgen segfaults on 64bit system

2009-12-06 Thread Alex Rozenshteyn
Package: dgen
Version: 1.23-11
Severity: important


attempting to run the command
dgen "Hard Wired (PD).bin"
segfaults, as does running dgen with other genesis roms.

file "Hard Wired (PD).bin" yields
Hard Wired (PD).bin: Sega MegaDrive/Genesis raw ROM dump Name: "ST YOU HAVE EVER"

Hard Wired can be legally downloaded from http://www.emulator-zone.com/doc.php/roms.html

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable'), (600, 'stable'), (501, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dgen depends on:
ii  libc6                     2.10.2-2   GNU C Library: Shared libraries
ii  libgcc1                   1:4.4.2-3  GCC support library
ii  libgl1-mesa-glx [libgl1]  7.6-1      A free implementation of the OpenG
ii  libsdl1.2debian           1.2.13-5   Simple DirectMedia Layer
ii  libstdc++6                4.4.2-3    The GNU Standard C++ Library v3

dgen recommends no packages.

dgen suggests no packages.

-- no debconf information






Bug#556015: debian-policy: Clarify requirements for copyright file

2009-12-06 Thread Steve Langasek
On Sun, Dec 06, 2009 at 09:18:21PM -0800, Russ Allbery wrote:
> Steve Langasek  writes:

> > If one package is arch: any and one package is arch: all, won't the lintian
> > check fail anyway in the event of a -B build (as happens on all the
> > autobuilders), due to the arch: all package being unavailable?  Would this
> > translate to an archive auto-reject?

> No, Lintian has a special tag that it issues when it's checking a binary
> package in isolation and therefore can't double-check that the doc symlink
> points within the same source package.  That tag isn't (and certainly
> shouldn't be) something that the archive auto-rejects on.

Does lintian issue that tag when the package isn't being checked in
isolation, it's being checked via the .changes file for a -B upload?

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   http://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Bug#559830: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
On Sun, 6 Dec 2009 21:19:50 -0800 Steve Langasek wrote:
> On Mon, Dec 07, 2009 at 12:04:18AM -0500, Michael Gilbert wrote:
> > Package: unixodbc
> > Severity: grave
> > Tags: security
> 
> > The following CVE (Common Vulnerabilities & Exposures) id was
> > published for libtool.  I have determined that this package embeds a
> > vulnerable copy of the libtool source code.  However, since this is a
> > mass bug filing (due to so many packages embedding libtool), I have not
> > had time to determine whether the vulnerable code is actually present
> > in any of the binary packages. Please determine whether this is the
> > case. If the binary packages are not affected, please feel free to close
> > the bug with a message containing the details of what you did to check.
> 
> Package: unixodbc
> Depends: [...] libltdl7 (>= 2.2.6a) [...]

the depends line isn't really enough justification in itself.  you
should manually check the linking process to be fully sure that the
system library is being used. thanks.

mike
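
The linking check asked for in the message above, sketched as an added Python example that is not part of the original thread. It reads the text printed by `readelf -d` and `nm -D --defined-only`; the sample outputs, the library name libexample and the verdict labels are constructed for illustration, and the symbol test is a heuristic.

```python
"""Classify where an ELF object gets its libltdl code from (added example)."""
import re
import subprocess

# Public libltdl entry points. An object that defines them carries its own copy.
LTDL_SYMBOLS = {"lt_dlinit", "lt_dlexit", "lt_dlopen", "lt_dlopenext",
                "lt_dlsym", "lt_dlclose"}

# `readelf -d` prints one line per dynamic entry, for example:
#  0x0000000000000001 (NEEDED)   Shared library: [libltdl.so.7]
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")
# `nm -D --defined-only` prints "<address> <type letter> <name>".
# Undefined symbols have no address, so they never match.
DEFINED_RE = re.compile(r"^[0-9a-fA-F]+\s+([A-Za-z])\s+(\S+)$")
SYSTEM_LTDL_RE = re.compile(r"^libltdl\.so\.\d+$")


def classify(readelf_dynamic, nm_defined):
    """Return a verdict plus the evidence it is based on."""
    needed = NEEDED_RE.findall(readelf_dynamic)
    system = [lib for lib in needed if SYSTEM_LTDL_RE.match(lib)]
    embedded = set()
    for line in nm_defined.splitlines():
        m = DEFINED_RE.match(line.strip())
        if m:
            name = m.group(2).split("@")[0]  # drop a symbol-version suffix
            if name in LTDL_SYMBOLS:
                embedded.add(name)
    if embedded and system:
        verdict = "embedded-and-system"
    elif embedded:
        verdict = "embedded"       # the object ships its own ltdl code
    elif system:
        verdict = "system"         # resolved from the shared libltdl at run time
    else:
        # No NEEDED entry and no exported lt_* symbol: either ltdl is unused,
        # or a static copy is hidden in a stripped executable.
        verdict = "inconclusive"
    return {"verdict": verdict, "system_libs": system,
            "embedded_symbols": sorted(embedded)}


def inspect_file(path):
    """Run binutils on a real file (needs readelf and nm installed)."""
    dyn = subprocess.run(["readelf", "-d", path], capture_output=True,
                         text=True, check=True).stdout
    syms = subprocess.run(["nm", "-D", "--defined-only", path],
                          capture_output=True, text=True).stdout
    return classify(dyn, syms)


# Constructed sample: a library linked against the system libltdl.
SYSTEM_READELF = """
Dynamic section at offset 0x2d90 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libltdl.so.7]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libexample.so.1]
"""
SYSTEM_NM = """
0000000000004a10 T example_connect
0000000000004b80 T example_load_driver
"""

# Constructed sample: a library built with the bundled ltdl sources.
EMBEDDED_READELF = """
 0x0000000000000001 (NEEDED)             Shared library: [libdl.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""
EMBEDDED_NM = """
0000000000004b80 T example_load_driver
0000000000007120 T lt_dlinit
0000000000007400 T lt_dlopen
0000000000007a90 T lt_dlsym
"""

if __name__ == "__main__":
    print(classify(SYSTEM_READELF, SYSTEM_NM))
    print(classify(EMBEDDED_READELF, EMBEDDED_NM))
```

A "system" verdict moves the question to the installed libltdl version, which the CVE text quoted in this thread gives as fixed in 2.2.6b. An "inconclusive" result on a stripped executable means the build log or the source has to be read instead.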






Bug#556015: debian-policy: Clarify requirements for copyright file

2009-12-06 Thread Russ Allbery
Steve Langasek  writes:

> If one package is arch: any and one package is arch: all, won't the lintian
> check fail anyway in the event of a -B build (as happens on all the
> autobuilders), due to the arch: all package being unavailable?  Would this
> translate to an archive auto-reject?

No, Lintian has a special tag that it issues when it's checking a binary
package in isolation and therefore can't double-check that the doc symlink
points within the same source package.  That tag isn't (and certainly
shouldn't be) something that the archive auto-rejects on.

-- 
Russ Allbery (r...@debian.org)   






Bug#540427: Real patch for my NMU

2009-12-06 Thread Cyril Brulebois
Sorry about the first NMU, looks like I only removed libc6-dev from
Build-Depends on a porter box, and checked it was OK there; and only
wrote about it on my devel box, where the NMU was prepared. Hopefully
the next one is OK. Sorry about that.

Mraw,
KiBi.
diff -u jconv-0.8.1/debian/changelog jconv-0.8.1/debian/changelog
--- jconv-0.8.1/debian/changelog
+++ jconv-0.8.1/debian/changelog
@@ -1,3 +1,21 @@
+jconv (0.8.1-1.2) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Really remove libc6-dev from Build-Depends, do not just write
+something about it in the changelog.
+
+ -- Cyril Brulebois   Mon, 07 Dec 2009 05:43:49 +0100
+
+jconv (0.8.1-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Remove erroneous libc6-dev (>= 2.7) from Build-Depends since it's not
+needed (even in stable); and buggy, since libc6-dev is a virtual
+package on many architectures, and since versioned Provides aren't
+supported (Closes: #540427, #554638).
+
+ -- Cyril Brulebois   Mon, 07 Dec 2009 03:49:49 +0100
+
 jconv (0.8.1-1) unstable; urgency=low
 
   * Initial release (Closes: #520083)
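Review bot: the "Closes: #540427, #554638" stays in the 0.8.1-1.1 entry, which by the 0.8.1-1.2 entry's own wording did not contain the change, so both bugs end up recorded as fixed in a version that still has libc6-dev in Build-Depends. Either repeat the Closes in the 0.8.1-1.2 entry or correct the fixed and found versions on the bugs after the upload.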
diff -u jconv-0.8.1/debian/control jconv-0.8.1/debian/control
--- jconv-0.8.1/debian/control
+++ jconv-0.8.1/debian/control
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Debian Multimedia Maintainers 
 Uploaders: Free Ekanayaka , Jaromír Mikeš 
-Build-Depends: debhelper (>= 5), binutils, libc6-dev (>= 2.7 ), libfftw3-dev (>= 3.1.2-3.1 ), libjack-dev, libsndfile1-dev (>= 1.0.19 ), libzita-convolver-dev (>= 1.0.0 ), libclthreads-dev (>= 2.4.0 ), locales, quilt
+Build-Depends: debhelper (>= 5), binutils, libfftw3-dev (>= 3.1.2-3.1 ), libjack-dev, libsndfile1-dev (>= 1.0.19 ), libzita-convolver-dev (>= 1.0.0 ), libclthreads-dev (>= 2.4.0 ), locales, quilt
 Standards-Version: 3.8.1
 Vcs-Git: git://git.debian.org/git/pkg-multimedia/jconv.git
 Vcs-Browser: http://git.debian.org/?p=pkg-multimedia/jconv.git;a=summary
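Review bot: the replacement Build-Depends line drops libc6-dev but carries over the stray space before the closing parenthesis in every version restriction, e.g. "(>= 3.1.2-3.1 )" and "(>= 1.0.19 )". Leaving that untouched keeps the NMU minimal, but it is worth mentioning in the bug so the maintainer can tidy the field and decide whether binutils, another toolchain package, needs to be listed at all.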




Bug#558752: www.debian.org: Too many Alpha porters on intro/organization

2009-12-06 Thread Steve Langasek
On Tue, Dec 01, 2009 at 12:28:49AM +0900, Osamu Aoki wrote:

> On Mon, Nov 30, 2009 at 08:39:53PM +1030, Karl Goetz wrote:
> > Package: www.debian.org
> > Severity: minor

> > The "Ports" section of [1] lists half a dozen porters for the Alpha
> > architecture. Sadly, this is incorrect, as there are (afaik) no active
> > Alpha porters in Debian.
> > thanks,

> > [1] http://www.debian.org/intro/organization#distribution

> Alpha -- 
>  member Falk Hueffner
>  member John Goerzen
>  member Steve Langasek
>  member Thimo Neubauer
>  member Norbert Tretkowski 

> Should we remove Alpha section from this list?  Someone who knows this for
> sure, please respond.

The set of active alpha porters in Debian has zero members, and the alpha
port has been dropped as a release architecture for squeeze.  I think this
should be removed from the website, yes.

Cheers,
-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   http://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Bug#524732: simutrans: license is not Artistic as in common-licenses

2009-12-06 Thread Steve Langasek
On Sun, Dec 06, 2009 at 04:11:54PM +0100, Francesco Poli wrote:
> > "Francesco Poli (t1000)"  writes:

> > > Hence, it's OK that the license text is quoted in full in the
> > > debian/copyright file, but it's *not* OK that this license is called
> > > "Artistic", since the copyright file format specification
> > > (http://wiki.debian.org/Proposals/CopyrightFormat?action=recall&rev=226)
> > > defines "Artistic" as "The original Artistic license, as seen in
> > > /usr/share/common-licenses/Artistic".

> > > Please change the misleading label to something more appropriate
> > > (probably "other").

> > Correct, this might be misleading.  However, in the current DEP-5
> > the "as seen in ..." was dropped.

> Ah, I didn't notice this change.

> > I am not sure what is the intention
> > to do in this case.

> I think this should be clarified: I am Cc:ing Steve Langasek, the
> driver of DEP-5.

Discussions of DEP-5 should take place on the debian-project mailing list;
the purpose of a driver is to guide discussion and document consensus only.

> Steve, could you comment on this bug (#524732): what should be put in
> the debian/copyright when the license is an Artistic one, but not the
> one in /usr/share/common-licenses/Artistic ?

Any short name of your choosing, so long as it does not conflict with those
specified in the DEP, can be used.  If you wish to propose that a particular
license have a standard tag in DEP-5, please do so on debian-project.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   http://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Bug#555982: debian-policy: RPATH in binaries and shared libraries

2009-12-06 Thread Steve Langasek
On Wed, Dec 02, 2009 at 10:29:17PM +0100, Kurt Roeckx wrote:
> So /usr/lib/libextractor.so.1 should either set up an rpath
> for /usr/lib/libextractor/ or tell the full path to the dynamic
> loader when it tries to load its plugins.

Preferably the latter; I don't see the point in using rpath for something
other than shared library linking, and it just gets you a complimentary
lintian error, so...  (Also, doing this via rpath will, infinitesimally,
slow down the *actual* shared library lookups at startup time.)

> If they weren't plugins you load dynamically, but something you link
> to, I have mixed feelings about using an rpath.

I don't... in that case they should be in /usr/lib. :)

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   http://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Bug#556015: debian-policy: Clarify requirements for copyright file

2009-12-06 Thread Steve Langasek
On Fri, Dec 04, 2009 at 04:44:51PM -0800, Russ Allbery wrote:
> >> +  
> >> +All the requirements for using a symlink instead of a
> >> +directory as /usr/share/doc/package
> >> +described in  must be met.  This means
> >> +both packages must come from the same source package and the
> >> +package must depend on the package containing its copyright
> >> +and distribution license.
> >> +  
> >> +
> >> +  
> >> +There must be a direct dependency on the package containing
> >> +the copyright and distribution license.  An indirect
> >> +dependency via a third package is not sufficient.
> >> +  
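Review bot: the two added paragraphs state the dependency requirement twice, first as "the package must depend on the package containing its copyright and distribution license" and then as "There must be a direct dependency"; a reader of the first paragraph alone could take "depend" to include a transitive dependency. Folding "direct" into the first paragraph and dropping the repetition would leave a single normative sentence.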

> > Some packages currently don't do this, but have an A->B->C dependency,
> > where A, B and C are all from the same source package and C contains the
> > copyright.  I guess it would be good to have some input from a
> > maintainer that does that.

> Lintian has been warning about this for some time, and I think it may even
> be an ftp-master reject at this point.  The logic has been that we don't
> require software looking for copyright files to implement full transitive
> dependency logic, only look in a package and its immediate dependencies.
> I'm okay with relaxing that if we come up with good alternative wording,
> but it's different from what we've required,

I don't agree that this has ever been required prior to the start of
ftp-master lintian rejects.  Lintian is not the standard for what we
require, Policy is; and I don't think "[the package] must be accompanied by
a verbatim copy [in /usr/share/doc/$package/copyright]" implied any of these
requirements.  I think it's clear from context that the intent is to ensure
/usr/share/doc/$package/copyright is present *when all of the package's
dependencies are installed*; if the intent were otherwise, it could have
been stated more simply as "the package must *contain* a verbatim copy
[...]".

So far from being a simple clarification of Policy, I think this is a change
which makes packages buggy under Policy that were not previously.  I
understand the desire to align the Policy rule with what lintian can
reasonably check on a per-source-package basis, but I don't think this
should be made a "must" in advance of the archive actually being in
conformance.

> and I'm not sure it's really worth the effort.  It's not that difficult to
> add the additional direct dependency, and it amounts to a no-op from the
> package management perspective.

There are various operations for which the number of package relationships
in the archive as a whole, or within a cluster of related packages, dominate
the equation.  The requirement of an additional direct dependency is
reasonable, but not a no-op.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   http://www.debian.org/
slanga...@ubuntu.com vor...@debian.org
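
The rule debated above (the doc symlink target must come from the same source package and be a direct dependency, with A->B->C not sufficient), as an added Python example that is neither Lintian's code nor part of the original thread. Package names, the data layout and the finding labels are assumptions made for illustration; skipping clauses with alternatives and noting a dependency that is not locked with "=" are this example's own choices.

```python
"""Check /usr/share/doc/<pkg> symlinks against the proposed Policy wording."""
import re

# One Depends clause without alternatives: name, optional "(op version)".
_CLAUSE = re.compile(
    r"^([a-z0-9][a-z0-9+.\-]*)\s*(?:\(\s*(<<|<=|=|>=|>>)\s*([^)\s]+)\s*\))?$")


def parse_depends(field):
    """Map package name -> relation operator (or None) for each sure dependency.

    Clauses with '|' are skipped: an alternative does not guarantee that the
    package holding the copyright file is installed.
    """
    deps = {}
    for clause in field.split(","):
        clause = clause.strip()
        if not clause or "|" in clause:
            continue
        m = _CLAUSE.match(clause)
        if m:
            deps[m.group(1)] = m.group(2)
    return deps


def reachable(start, packages):
    """All packages reachable from start through sure dependencies."""
    seen, todo = set(), [start]
    while todo:
        name = todo.pop()
        for dep in parse_depends(packages.get(name, {}).get("Depends", "")):
            if dep not in seen:
                seen.add(dep)
                todo.append(dep)
    return seen


def check_doc_symlink(pkg, target, packages):
    """Findings for pkg whose /usr/share/doc/pkg is a symlink to target's."""
    if target not in packages:
        # The binary is being looked at in isolation, as in a -B upload.
        return ["cannot-check"]
    findings = []
    if packages[pkg]["Source"] != packages[target]["Source"]:
        findings.append("foreign-source")
    direct = parse_depends(packages[pkg].get("Depends", ""))
    if target not in direct:
        if target in reachable(pkg, packages):
            findings.append("indirect-dependency-only")   # the A->B->C case
        else:
            findings.append("no-dependency")
    elif direct[target] != "=":
        # Not required by the proposed text; reported as a note only.
        findings.append("note: dependency-not-version-locked")
    return findings or ["ok"]


# Constructed sample data: name -> selected control fields.
PACKAGES = {
    "foo":        {"Source": "foo", "Depends": "libfoo1 (= 1.0-1)"},
    "libfoo1":    {"Source": "foo",
                   "Depends": "foo-common (= 1.0-1), libc6 (>= 2.7)"},
    "foo-tools":  {"Source": "foo",
                   "Depends": "foo-common (>= 1.0), libc6 (>= 2.7) | libc6.1"},
    "foo-gui":    {"Source": "foo", "Depends": "foo-common | foo-common-alt"},
    "foo-common": {"Source": "foo", "Depends": ""},
    "bar-plugin": {"Source": "bar", "Depends": "libc6 (>= 2.7)"},
}

if __name__ == "__main__":
    for pkg in ("foo", "libfoo1", "foo-tools", "foo-gui", "bar-plugin"):
        print(pkg, check_doc_symlink(pkg, "foo-common", PACKAGES))
```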




Bug#559273: tdsodbc: malloc 4 byte missing but 8 byte writing caused by PHP odbc_fetch_object()

2009-12-06 Thread Steve Langasek
On Thu, Dec 03, 2009 at 10:05:36AM +0100, Daniel Ly wrote:
> Package: tdsodbc
> Version: 0.82-4
> Severity: normal

> For details see
> http://serverfault.com/questions/90100/64bit-unixodbc-and-freetds-a-bug-in-libtdsodbc-so

You should explain your bug in your email instead of linking to some website
for the explanation.  Some of us are known to check our email offline from
time to time (like right now).

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   http://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Bug#556015: debian-policy: Clarify requirements for copyright file

2009-12-06 Thread Steve Langasek
On Fri, Dec 04, 2009 at 04:39:39PM -0800, Russ Allbery wrote:
> > Should we tighten this to be a dependency on the same version? Otherwise
> > it would be possible to have the two packages coming from different
> > versions of the source package where the license changed in between,
> > with wrong information in the copyright file for the package that has a
> > symlink. Not sure if this hypothetical case is worth the trouble.

> My inclination is to say no, since there are various tricky problems with
> requiring the dependency be on the same version when one package is arch:
> any and one package is arch: all.  There's also been push-back in
> debian-devel against a Lintian tag requiring that the dependency be on the
> same version, so there's some evidence that we don't have consensus for
> requiring that.

If one package is arch: any and one package is arch: all, won't the lintian
check fail anyway in the event of a -B build (as happens on all the
autobuilders), due to the arch: all package being unavailable?  Would this
translate to an archive auto-reject?

(I accept that it may not be the consensus, but at least in the case of
arch:any -> arch:all dependencies within a source package, it's always safe
and appropriate to use (= ${source:Version}) in the dependency; that
wouldn't be the /same/ version, but it's not guaranteed that all binary
packages from a given source package have the same binary version number,
either - what matters is the "=" here.)

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   http://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Bug#559833: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: imagemagick
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559840: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: sdcc
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559845: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: heartbeat
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I see that heartbeat in unstable no longer
embeds libtool, but it appears that etch and lenny still have it.  I am
not sure if it is actually used in the binary packages though.  Please
check.  If those packages are not affected, please close the bug.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#559834: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: hypre
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#559836: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: openmpi
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559844: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: libprelude
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559842: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: proftpd-dfsg
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#550058: #527732 orpie: FTBFS: patch

2009-12-06 Thread Richard Darst
On Mon, Dec 07, 2009 at 04:22:11AM +0100, Cyril Brulebois wrote:

> Really good work! I've just slightly reworded the changelog to
> describe what was done, so that others can check and understand what's
> going on, I hope you're fine with that.

That's no problem at all -- in fact, I was very tired by the time I
got around to making the changelog, and hoping that someone would make
it make sense -- so thanks very much.

I'm glad the changes weren't too much.

Thanks for integrating,

- Richard

-- 
| Richard Darst  -  rkd@  -  boltzmann: up 139 days, 1:40
|http://rkd.zgib.net  -  pgp 0xBD356740
| "Ye shall know the truth and -- the truth shall make you free"






Bug#559831: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: xmlsec1
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559830: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: unixodbc
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559828: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: ski
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559837: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: parser
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559829: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: synfig
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559843: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: babel
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559839: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: sbnc
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559824: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: parser-mysql
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559832: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: clamav
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559822: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: mp4h
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559823: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: naim
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559825: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: pinball
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559826: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: redland
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559841: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: wml
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559838: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: pdsh
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559835: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: lam
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559827: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: siproxd
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559817: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: kdelibs
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559818: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: libannodex
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559819: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: libextractor
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559816: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: jags
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559821: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: libtunepimp
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559820: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: libmcrypt
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559807: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: glame
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#553441: (no subject)

2009-12-06 Thread Geoff Simmons
severity 553441 normal
thanks

On Sat, Nov 21, 2009 at 01:15:53PM +0100, Erik Andersson wrote:
> Getting a similar result using D-link DWA-140 USB wifi-device, using
> same chipset rt2870sta.
> USB device shows no activity (ie. blinking LED).
[snip]
> Sys:
> Debian squeeze Official Snapshot i386 kde-CD Binary-1 20091120-01:12
> kernel: 2.6.30-2-686

Erik's described issue was previously resolved on #debian (OFTC) by using
kernel 2.6.31-1-686.  There was no change involving the firmware as packaged.

Geoff






Bug#559813: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: guile-1.6
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559815: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: hercules
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559806: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: ggobi
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559790: on boost 1.39; blocks removal of boost1.39

2009-12-06 Thread Steve M. Robbins
Package: sagemath
Severity: normal
Tags: + patch

Patch to fix follows.

diff -u -r orig/sagemath-3.0.5dfsg/debian/changelog 
sagemath-3.0.5dfsg/debian/changelog
--- orig/sagemath-3.0.5dfsg/debian/changelog2009-12-06 19:01:37.0 
-0600
+++ sagemath-3.0.5dfsg/debian/changelog 2009-12-06 21:43:42.0 -0600
@@ -1,3 +1,11 @@
+sagemath (3.0.5dfsg-5.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Change boost dependency to unversioned libboost-python-dev (Closes:
+#559790).
+
+ -- Steve M. Robbins   Sun, 06 Dec 2009 21:43:41 -0600
+
 sagemath (3.0.5dfsg-5) unstable; urgency=low
 
   * Update boost dependency to 1.39 (Closes: #534069).
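
Review bot: the trailer line of the new 3.0.5dfsg-5.1 stanza, as shown here, has no <address> between the uploader's name and the date, and the wrapped continuation `#559790).` starts in column one; neither is valid changelog syntax, so confirm that the real file has the trailer in the form `-- Name <email>  date` and the continuation indented under the bullet text. If the list archive stripped them, nothing needs changing. The entry could also say why the versioned dependency is dropped (it blocks removal of boost1.39), since the previous entry moved to 1.39 deliberately.
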
diff -u -r orig/sagemath-3.0.5dfsg/debian/control 
sagemath-3.0.5dfsg/debian/control
--- orig/sagemath-3.0.5dfsg/debian/control  2009-12-06 19:01:37.0 
-0600
+++ sagemath-3.0.5dfsg/debian/control   2009-12-06 21:37:34.0 -0600
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Tim Abbott 
 Homepage: http://sagemath.org/
-Build-Depends: cdbs (>= 0.4.23-1.1), debhelper (>= 5), quilt, patchutils (>= 
0.2.25), cdbs (>= 0.4.27), libflint-dev (>= 1.011), libiml-dev (>= 1.0.3), 
liblinbox-dev, python-matplotlib, libmpfr-dev, libmpfi-dev, libntl-dev, 
libpari-dev, python-all-dev (>= 2.5), cython, libgivaro-dev, libgsl0-dev, 
libqd-dev, libgcrypt11-dev, libsingular-dev, scons, libsymmetrica-dev, 
libfplll-dev, r-base-dev, libatlas-base-dev, libm4ri-dev (>=0.0.20080521), 
libecm-dev, libgmp3-dev, gfortran, rsync, libzn-poly-dev, 
libboost-python1.39-dev, python-setuptools, libpolybori-dev, python-central (>= 
0.6), time
+Build-Depends: cdbs (>= 0.4.23-1.1), debhelper (>= 5), quilt, patchutils (>= 
0.2.25), cdbs (>= 0.4.27), libflint-dev (>= 1.011), libiml-dev (>= 1.0.3), 
liblinbox-dev, python-matplotlib, libmpfr-dev, libmpfi-dev, libntl-dev, 
libpari-dev, python-all-dev (>= 2.5), cython, libgivaro-dev, libgsl0-dev, 
libqd-dev, libgcrypt11-dev, libsingular-dev, scons, libsymmetrica-dev, 
libfplll-dev, r-base-dev, libatlas-base-dev, libm4ri-dev (>=0.0.20080521), 
libecm-dev, libgmp3-dev, gfortran, rsync, libzn-poly-dev, libboost-python-dev, 
python-setuptools, libpolybori-dev, python-central (>= 0.6), time
 XS-Python-Version: 2.5
 Standards-Version: 3.8.0
 
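
Review bot: in the new Build-Depends line, `libboost-python-dev` carries no version bound, although the previous changelog entry moved the package to 1.39 on purpose; if the code needs that release or later, write `libboost-python-dev (>= 1.39)` so that a rebuild elsewhere cannot pick up an older Boost. The line also still lists cdbs twice, as `cdbs (>= 0.4.23-1.1)` and `cdbs (>= 0.4.27)`; since the line is being touched anyway, keep only the stricter one.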



-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sagemath depends on:
pn  cython (no description available)
pn  gap(no description available)
pn  gap-guava  (no description available)
pn  genus2reduction(no description available)
pn  gfan   (no description available)
ii  gfortran  4:4.3.4-1  The GNU Fortran 95 compiler
pn  gmp-ecm(no description available)
ii  ipython   0.10-1 enhanced interactive Python shell
pn  lcalc  (no description available)
ii  libatlas3gf-base [libatla 3.6.0-24   Automatically Tuned Linear Algebra
ii  libc6 2.10.2-2   GNU C Library: Shared libraries
pn  libcdd-test(no description available)
pn  libecm0(no description available)
pn  libflint-1.011 (no description available)
pn  libfplll0  (no description available)
ii  libgcc1   1:4.4.2-3  GCC support library
pn  libgivaro0 (no description available)
ii  libgmp3c2 2:4.3.1+dfsg-3 Multiprecision arithmetic library
ii  libgmpxx4ldbl 2:4.3.1+dfsg-3 Multiprecision arithmetic library 
ii  libgsl0ldbl   1.13+dfsg-1GNU Scientific Library (GSL) -- li
pn  libiml0(no description available)
ii  libjs-jquery  1.3.3-2JavaScript library for dynamic web
pn  liblinbox0 (no description available)
pn  libm4ri-0.0.20080521   (no description available)
pn  libmpfi0   (no description available)
ii  libmpfr1ldbl  2.4.2-1multiple precision floating-point 
pn  libntl-5.4.2   (no description available)
pn  libpari2-gmp   (no description available)
pn  libpolybori-0.5.0-0(no description available)
pn  libqd2c2a  (no description available)
ii  libreadline6  6.0-5  GNU readline and history libraries
pn  libsingular-3-0-4-3(no description available)
ii  libstdc++64.4.2-3The GNU Standard C++ Library v3
pn  libsymmetrica-2.0  (no description available)
pn  libzn-poly-0.8  

Bug#559811: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: graphicsmagick
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559812: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: graphviz
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559809: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: gnu-smalltalk
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559814: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: hamlib
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559805: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: freeradius
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559804: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: dico
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559808: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: gnash
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559810: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: google-gadgets
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559799: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: bochs
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559798: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: arts
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559801: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: collectd
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559800: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: camserv
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559802: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: courier-authlib
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559803: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: cvsnt
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736






Bug#559797: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: libtool
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so please
coordinate with the security team to release a DSA.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736



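A first pass at the check the mass-filed reports above ask maintainers for, as an added example (not part of the original reports or of libtool): it looks for a bundled ltdl.c in an unpacked source tree and compares the libtool version against the range quoted from the CVE. It assumes ltmain.sh carries a VERSION= line and treats that as a proxy for the version of the bundled ltdl.c; the function names and result labels are hypothetical, and whether any binary package actually contains the code still has to be confirmed separately.

```python
import os
import re

# VERSION= line as written into ltmain.sh, e.g. VERSION=1.5.26 or
# VERSION="2.2.6 Debian-..." (layout assumed, not taken from the report).
VERSION_RE = re.compile(r'^VERSION="?([0-9][0-9A-Za-z.]*)', re.M)


def affected(version):
    """True for the range in the CVE text: 1.5.x, and 2.2.6 before 2.2.6b."""
    return version.startswith("1.5.") or version in ("1.5", "2.2.6", "2.2.6a")


def scan_tree(root):
    """Return (paths of ltdl.c copies, libtool versions seen in ltmain.sh)."""
    ltdl_paths, versions = [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "ltdl.c":
                ltdl_paths.append(os.path.relpath(path, root))
            elif name == "ltmain.sh":
                with open(path, errors="replace") as fh:
                    match = VERSION_RE.search(fh.read())
                if match:
                    versions.add(match.group(1))
    return sorted(ltdl_paths), sorted(versions)


def triage(root):
    """Classify an unpacked source tree for the bug-report reply."""
    ltdl_paths, versions = scan_tree(root)
    if not ltdl_paths:
        return "no-embedded-ltdl"          # ltmain.sh alone is not ltdl.c
    if not versions:
        return "embedded-ltdl-version-unknown"
    if any(affected(v) for v in versions):
        return "embedded-ltdl-affected-version"
    return "embedded-ltdl-outside-cve-range"


def build_sample(root, version, with_ltdl):
    """Write a constructed miniature source tree (sample data only)."""
    os.makedirs(os.path.join(root, "libltdl"))
    with open(os.path.join(root, "ltmain.sh"), "w") as fh:
        fh.write('PROGRAM=ltmain.sh\nVERSION="%s"\n' % version)
    if with_ltdl:
        open(os.path.join(root, "libltdl", "ltdl.c"), "w").close()
```

Call triage() on the directory produced by unpacking the source package; scan_tree() returns the paths to quote when closing or confirming the bug.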



Bug#524155: Please investigate removal of basilisk2

2009-12-06 Thread Cyril Brulebois
Hi,

basilisk2 was already spotted once as being in a very bad shape[1]. It
is currently only built on a few architectures[2], and has been
FTBFSing for 1.5 years[3]. Riky is also wondering[4].

 1. http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=45;bug=309501
 2. https://buildd.debian.org/status/package.php?suite=unstable&p=basilisk2
 3. http://bugs.debian.org/483277
 4. http://bugs.debian.org/524155

Please investigate its removal.

(No need to Cc me, I read -qa@, thanks.)

Mraw,
KiBi.




Bug#557020: Bug#559794: libfvm-dev: *LOTS* of undefined references

2009-12-06 Thread Cyril Brulebois
Cyril Brulebois  (07/12/2009):
> Its ./configure now runs fine. Using “block” accordingly.

And the next blocker, at least on kfreebsd-i386 is:
| make[3]: Entering directory `/srv/storage/kibi/hack/code-saturne-2.0.0.beta2/gui/Base'
| failed to find pyuic4; tried ./pyuic4
| failed to find pyrcc4; tried ./pyrcc4
| failed to find pylupdate4; tried ./pylupdate4
| try manually editing this program to put the correct paths in place
| make[4]: Entering directory `/srv/storage/kibi/hack/code-saturne-2.0.0.beta2/gui/Base'
| make[4]: Nothing to be done for `install-exec-am'.
| make[4]: *** No rule to make target `resource_base_rc.py', needed by `install-basePYTHON'.  Stop.

I'm just noting this for reference, I'll get back to looking into it
once libfvm-dev's bug is fixed, and once code-saturne is given back on
all architectures.

Mraw,
KiBi.




Bug#557193: gnome: [Solved - sort of] Attempting to logout -- popup window saying "File Manager not responding"

2009-12-06 Thread Rick Thomas
On Dec 1, 2009, at 2:41 AM, Josselin Mouette wrote:

> On Tuesday 01 December 2009 at 00:00 -0500, Rick Thomas wrote:
>> The machine in question has a zip drive that is semi-non-functional.
>> I was getting "interrupt timed out" on /dev/hdd.
>>
>> When I disconnected the zip drive (I don't plan to use it anymore -
>> USB flash drives are more practical these days...) the problem went
>> away.
>>
>> It looks like the file manager was polling /dev/hdd and not getting
>> any response -- waiting for a timeout...
>
> In which case, I’d appreciate if you could test again with gvfs 1.4.1-6
> from unstable. The backend for mounting disks is completely different
> and this might help.

It didn't help.  Behavior is still the same.

Rick





Bug#559796: debian-installer: doesn't recognize manual changes to disk contents

2009-12-06 Thread Florian Zumbiehl
Package: debian-installer
Version: 20090123lenny1

I noticed inside the partitioner that I couldn't create a /boot ext3 with
extra-small journal. So I did that manually instead. But I couldn't figure
out any way to make the installer recognize that there was a filesystem
on that partition now, so that I could have selected for it to not be
formatted again, without rebooting the installer.

Given that the installer can't implement every configuration option one
could possibly think of, I think it would be nice if the manual fallback
would work without too much trouble.






Bug#559795: debian-installer: The purpose of choosing a country is unclear

2009-12-06 Thread Florian Zumbiehl
Package: debian-installer
Version: 20090123lenny1

After having selected a language for the installer, the installer asks for
"a country", but doesn't say anything about the effects this choice has.

In the case of language variants, it's somewhat obvious what it could be
good for. But after all, (a) it doesn't ask for a language variant, it
asks for a country and (b) it wouldn't make much sense to ask for a
"desired country" after I said that I didn't want any localization at all
if it were for the selection of language variants only.






Bug#555686: seahorse-plugins: unable to encrypt via nautilus or commandline

2009-12-06 Thread Ben Lau
I can also confirm the bug in Debian SID with seahorse-plugins 2.28.1-2

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-2-686 (SMP w/2 CPU cores)
Locale: LANG=zh_TW.UTF-8, LC_CTYPE=zh_TW.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages seahorse-plugins depends on:
ii  gconf2                        2.28.0-1   GNOME configuration database syste
ii  libatk1.0-0                   1.28.0-1   The ATK accessibility toolkit
ii  libbonobo2-0                  2.24.2-1   Bonobo CORBA interfaces library
ii  libbonoboui2-0                2.24.2-1   The Bonobo UI library
ii  libc6                         2.10.1-3   GNU C Library: Shared libraries
ii  libcairo2                     1.8.8-2    The Cairo 2D vector graphics libra
ii  libcryptui0                   2.28.1-1   the UI library for DBUS functions
ii  libdbus-1-3                   1.2.16-2   simple interprocess messaging syst
ii  libdbus-glib-1-2              0.82-2     simple interprocess messaging syst
ii  libfontconfig1                2.6.0-4    generic font configuration library
ii  libfreetype6                  2.3.11-1   FreeType 2 font engine, shared lib
ii  libgconf2-4                   2.28.0-1   GNOME configuration database syste
ii  libglade2-0                   1:2.6.4-1  library to load .glade files at ru
ii  libglib2.0-0                  2.22.2-2   The GLib library of C routines
ii  libgnome-keyring0             2.28.1-1   GNOME keyring services library
ii  libgpgme11                    1.2.0-1    GPGME - GnuPG Made Easy
ii  libgtk2.0-0                   2.18.3-1   The GTK+ graphical user interface
ii  libgtksourceview2.0-0         2.8.1-1    shared libraries for the GTK+ synt
ii  libnautilus-extension1        2.28.1-1   libraries for nautilus components
ii  libnotify1 [libnotify1-gtk2.1 0.4.5-1    sends desktop notifications to a n
ii  libpanel-applet2-0            2.28.0-2   library for GNOME Panel applets
ii  libpango1.0-0                 1.26.0-1   Layout and rendering of internatio
ii  seahorse                      2.28.1-1   GNOME front end for GnuPG

Versions of packages seahorse-plugins recommends:
ii  openssh-client                1:5.1p1-8  secure shell client, an rlogin/rsh

seahorse-plugins suggests no packages.

-- no debconf information






Bug#557020: Bug#559794: libfvm-dev: *LOTS* of undefined references

2009-12-06 Thread Cyril Brulebois
block 557020 by 559794
thanks

Cyril Brulebois  (07/12/2009):
> Please find attached a patch to fix those. I didn't use the .la's
> since they're Evil©®™, but more importantly since not all libraries
> you're using provide one. (Of course, automake helps getting
> src/Makefile.in in line.)

I obviously forgot something: you have to add the relevant -dev
packages to the Build-Depends line of your -dev, so that the various
-lfoo are found when one tries to use libfvm.

> I'll be checking code-saturne in a moment and update the other
> report accordingly.

Its ./configure now runs fine. Using “block” accordingly.

Mraw,
KiBi.



