Bug#1070736: Compose key broken in gnome-terminal (and others)

2024-05-08 Thread Arne Nordmark

Another thing that might well be the same underlying problem:

Using version 2.74.6-2+deb12u1, a Compose sequence like 'Compose " a' 
enters nothing in gnome-terminal and emacs.


Using version 2.74.6-2, the same sequence enters an "ä".

Arne



Bug#1040902: libfreefem++: Paths in /etc/freefem++.pref do not match installation paths

2023-07-12 Thread Arne Nordmark
Package: libfreefem++
Version: 4.11+dfsg1-3
Severity: normal

Dear Maintainer,

The conffile /etc/freefem++.pref contains the following lines
loadpath += "/usr/lib/ff++/4.9/lib"
includepath += "/usr/lib/ff++/4.9/idp"
which do not match where files are actually installed.

This leads to errors like:
nordmark@deedee:~$ FreeFem++ /usr/share/doc/freefem++/examples/3d/beam-3d.edp
-- FreeFem++ v4.9 ( - git no git)
 Load: lg_fem lg_mesh lg_mesh3 eigenvalue 
1 : load "medit"
Load error: medit
 fail: 
 dlerror : /usr/lib/ff++/4.9/lib/medit.so: cannot open shared object file: No 
such file or directory
list prefix: './' '/usr/lib/ff++/4.9/lib/' list suffix: '' , '.so' 
  current line = 1
Load error : medit
line number :1, medit
error Load error : medit
line number :1, medit
 code = 2 mpirank: 0

The lines should probably be
loadpath += "/usr/lib/freefem++"
includepath += "/usr/include/freefem++/idp"
instead.

With the changed conffile below, the example seems to work OK.

Best regards
Arne

-- System Information:
Debian Release: 12.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libfreefem++ depends on:
ii  coinor-libipopt1v5                     3.11.9-2.3+b1
ii  libatlas3-base [liblapack.so.3]        3.10.3-13
ii  libblas3 [libblas.so.3]                3.11.0-2
ii  libc6                                  2.36-9
ii  libfftw3-double3                       3.3.10-1
ii  libgcc-s1                              12.2.0-14
ii  libgfortran5                           12.2.0-14
ii  libgsl27                               2.7.1+dfsg-5
ii  liblapack3 [liblapack.so.3]            3.11.0-2
ii  libmetis5                              5.1.0.dfsg-7
ii  libmumps-seq-5.5                       5.5.1-1
ii  libopenblas0-pthread [liblapack.so.3]  0.3.21+ds-4
ii  libopenmpi3                            4.1.4-3+b1
ii  libptscotch-7.0                        7.0.3-2
ii  libstdc++6                             12.2.0-14
ii  libsuperlu5                            5.3.0+dfsg1-2+b1
ii  libtet1.5                              1.5.0-5
ii  libumfpack5                            1:5.12.0+dfsg-2

libfreefem++ recommends no packages.

libfreefem++ suggests no packages.

-- Configuration Files:
/etc/freefem++.pref changed:
loadpath += "./"
loadpath += "/usr/lib/ff++/4.9/lib"
includepath += "/usr/lib/ff++/4.9/idp"
loadpath += "/usr/lib/freefem++"
includepath += "/usr/include/freefem++/idp"


-- debconf-show failed



Bug#1035803: resolvconf: dns-search entries for lo.inet are absent from /run/resolvconf/interface/lo.inet file

2023-05-09 Thread Arne Nordmark
Package: resolvconf
Version: 1.91+nmu1
Severity: normal

Dear Maintainer,

Lines like

iface lo inet loopback
dns-search a.example.com b.example.com

in /etc/network/interfaces no longer cause the corresponding entries to show 
up in /etc/resolv.conf in bookworm, while they did show up in bullseye.

The file /run/resolvconf/interface/lo.inet contains just a single newline after 
running "ifdown lo; ifup lo".

From what I can see, the update script /etc/network/if-up.d/000resolvconf runs 
successfully, creating the expected lo.inet file, but then that file is somehow 
immediately replaced by the nearly empty file.

A workaround is to make the entries end up in lo.inet6 instead:

iface lo inet6 loopback
dns-search a.example.com b.example.com

which seems to work fine.

I am sorry I have not been able to nail down the cause of this problem, but 
thanks for maintaining resolvconf in Debian.
Arne


-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-8-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages resolvconf depends on:
ii  debconf [debconf-2.0]  1.5.82
ii  lsb-base   11.6
ii  sysvinit-utils [lsb-base]  3.06-4

resolvconf recommends no packages.

resolvconf suggests no packages.

-- debconf-show failed



Bug#1035800: unbound: Resolvconf update script exits with return code 1 when no nameservers are found

2023-05-09 Thread Arne Nordmark
Package: unbound
Version: 1.17.1-2
Severity: normal

Dear Maintainer,

When booting with resolvconf installed and the resolvconf update script 
(/etc/resolvconf/update.d/unbound) executable, the unbound-resolvconf service 
fails:

maj 09 10:47:20 systemd[1]: Started unbound-resolvconf.service - Unbound 
asyncronous resolvconf update helper.
maj 09 10:47:20 unbound-helper[1291]: run-parts: 
/etc/resolvconf/update.d/unbound exited with return code 1
maj 09 10:47:20 systemd[1]: unbound-resolvconf.service: Main process exited, 
code=exited, status=1/FAILURE
maj 09 10:47:20 systemd[1]: unbound-resolvconf.service: Failed with result 
'exit-code'.

At this point in booting, the network is not fully configured yet, and no file 
in /run/resolvconf/interface contains any non-local nameserver info.

If the unbound-resolvconf service is restarted after nameserver info has been 
added, it starts normally.

Could this behaviour be due to the exit code from "egrep -v" causing the script 
to fail, since the script is started with "#!/bin/sh -e"?

Thanks for maintaining unbound in Debian.
Arne

-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-8-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages unbound depends on:
ii  adduser                    3.132
ii  init-system-helpers        1.65.2
ii  libc6                      2.36-9
ii  libevent-2.1-7             2.1.12-stable-8
ii  libnghttp2-14              1.52.0-1
ii  libprotobuf-c1             1.4.1-1+b1
ii  libpython3.11              3.11.2-6
ii  libssl3                    3.0.8-1
ii  libsystemd0                252.6-1
ii  lsb-base                   11.6
ii  sysvinit-utils [lsb-base]  3.06-4

Versions of packages unbound recommends:
ii  dns-root-data  2023010101

Versions of packages unbound suggests:
ii  apparmor  3.0.8-3
ii  openssl   3.0.8-1

-- debconf-show failed
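
The failure mode suspected in the report above, as an added example (not the unbound package's hook script, whose contents are not shown on this page): under "sh -e", a "grep -v" that selects no lines exits with status 1 and ends the script. The function names, record file names and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not /etc/resolvconf/update.d/unbound itself.
# Record file names and addresses below are constructed sample data.

# fragile_forwarders DIR
# Collects non-local nameservers the way an unguarded "-e" script would.
# It runs in a child "sh -e" so the abort can be observed from the caller
# (errexit is ignored inside functions called from an if or || context).
fragile_forwarders() {
    sh -e -c '
        ns=$(cat "$1"/* 2>/dev/null |
             sed -n "s/^nameserver[[:space:]]*//p" |
             grep -Ev "^(127[.]|::1\$)")
        # Not reached when grep selected nothing: the assignment takes the
        # exit status of the command substitution and -e ends the script.
        echo "forwarders: $ns"
    ' sh "$1"
}

# robust_forwarders DIR
# Same selection, but grep status 1 ("no line selected") is treated as an
# empty result; only a status above 1 (a real grep error) is propagated.
robust_forwarders() {
    status=0
    ns=$(cat "$1"/* 2>/dev/null |
         sed -n 's/^nameserver[[:space:]]*//p' |
         grep -Ev '^(127[.]|::1$)') || status=$?
    [ "$status" -le 1 ] || return "$status"
    printf '%s\n' "$ns" | xargs
}

demo() {
    dir=$(mktemp -d) || return 1
    # Early boot: only a loopback resolver has been registered.
    printf 'nameserver 127.0.0.1\n' > "$dir/lo.inet"
    fragile_forwarders "$dir" || echo "fragile: exit $? (the unit would fail)"
    echo "robust:  forwarders='$(robust_forwarders "$dir")'"
    # Later: an uplink interface reports a non-local nameserver.
    printf 'nameserver 192.0.2.53\n' > "$dir/eth0.dhcp"
    fragile_forwarders "$dir"
    echo "robust:  forwarders='$(robust_forwarders "$dir")'"
    rm -rf "$dir"
}
demo
```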



Bug#1031979: libnss-ldapd: Entries for passwd and shadow are cleared on upgrade when system locale is sv_SE.UTF-8

2023-04-03 Thread Arne Nordmark

On 2023-04-02 at 16:22, Arthur de Jong wrote:

On Sun, 2023-02-26 at 10:50 +0100, Arne Nordmark wrote:

The search for enabled services in /etc/nsswitch.conf breaks when
using the Swedish locale.

LANG=C sed -n 's/^[[:space:]]*\([a-z]*\)[[:space:]]*:.*[[:space:]]ldap\([[:space:]].*\)\?/\1/p' /etc/nsswitch.conf | xargs

gives "passwd group shadow" which is correct, whereas

LANG=sv_SE.UTF-8 sed -n 's/^[[:space:]]*\([a-z]*\)[[:space:]]*:.*[[:space:]]ldap\([[:space:]].*\)\?/\1/p' /etc/nsswitch.conf | xargs

gives "group".


Interestingly, I cannot reproduce this on unstable (I generated the
proper locale and use LC_ALL instead of LANG to override all LC_*
variables I had set), also minimising the problem doesn't show this
issue:

echo "shadow: " | LC_ALL=C sed -n 's/^[[:space:]]*\([a-z]*\)[[:space:]]*:.*/\1/p'
echo "shadow: " | LC_ALL=sv_SE.UTF-8 sed -n 's/^[[:space:]]*\([a-z]*\)[[:space:]]*:.*/\1/p'

(both return the same output for me)


Indeed, something has changed between buster and bookworm, probably the 
locale. So, depending on the unpacking order, this may not even affect 
all upgrades from buster to bookworm.




Anyway, I'll change the maintainer scripts to force the C locale so we
have consistent regex processing by sed, grep and other tools.


Thank you again.

Arne



Bug#1031979: libnss-ldapd: Entries for passwd and shadow are cleared on upgrade when system locale is sv_SE.UTF-8

2023-02-26 Thread Arne Nordmark
Package: libnss-ldapd
Version: 0.9.12-3
Severity: normal

Dear Maintainer,

The search for enabled services in /etc/nsswitch.conf breaks when using the 
Swedish locale.

In the debconf ".config" script we have the nss_list_configured() function. 
Compare the output in the "C" and the Swedish locale:

LANG=C sed -n 's/^[[:space:]]*\([a-z]*\)[[:space:]]*:.*[[:space:]]ldap\([[:space:]].*\)\?/\1/p' /etc/nsswitch.conf | xargs

gives 

passwd group shadow

which is correct, whereas

LANG=sv_SE.UTF-8 sed -n 's/^[[:space:]]*\([a-z]*\)[[:space:]]*:.*[[:space:]]ldap\([[:space:]].*\)\?/\1/p' /etc/nsswitch.conf | xargs

gives

group

and the difference seems to come from the presence of the "w" character.

Thus the passwd and shadow entries are turned off in /etc/nsswitch.conf on each 
package upgrade.

Replacing the character class [a-z] by [[:alpha:]] seems to restore 
functionality:

LANG=C sed -n 's/^[[:space:]]*\([[:alpha:]]*\)[[:space:]]*:.*[[:space:]]ldap\([[:space:]].*\)\?/\1/p' /etc/nsswitch.conf | xargs
passwd group shadow

LANG=sv_SE.UTF-8 sed -n 's/^[[:space:]]*\([[:alpha:]]*\)[[:space:]]*:.*[[:space:]]ldap\([[:space:]].*\)\?/\1/p' /etc/nsswitch.conf | xargs
passwd group shadow

Found this on a bullseye-bookworm test upgrade. For some reason, checking the 
nsswitch file did not occur to me until after lots of checks for 
LDAP/SSL/Database problems etc. Then I remembered the same thing happened a few 
years ago on the buster->bullseye upgrade. Thus I really should have isolated 
and reported the problem years ago. Sorry about that.

Thanks for maintaining (and being upstream) for this package.

Arne


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libnss-ldapd depends on:
ii  debconf [debconf-2.0]  1.5.82
ii  libc6                  2.36-8
ii  nslcd [nslcd-2]        0.9.12-3

libnss-ldapd recommends no packages.

libnss-ldapd suggests no packages.

-- debconf-show failed
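
A post-upgrade check for the symptom described above, as an added example (not the libnss-ldapd maintainer script): it lists the databases that have "ldap" configured, with the parser pinned to the C locale, and reports which of them lost it between two copies of nsswitch.conf. It uses awk instead of the sed expression quoted in the report; the function names nss_ldap_databases and nss_lost_ldap and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not the package's nss_list_configured() function.
# Sample nsswitch.conf contents below are constructed.

# nss_ldap_databases FILE
# Prints the databases in FILE whose source list contains "ldap".
# LC_ALL=C pins character ranges and classes to ASCII, so the result does
# not depend on the collation rules of the locale the caller runs in.
nss_ldap_databases() {
    LC_ALL=C awk '
        { sub(/#.*/, "") }                      # drop comments
        match($0, /^[ \t]*[a-z_]+[ \t]*:/) {
            db = substr($0, RSTART, RLENGTH)
            gsub(/[ \t:]/, "", db)              # keep only the database name
            n = split(substr($0, RLENGTH + 1), src, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (src[i] == "ldap") { print db; break }
        }' "$1" | xargs
}

# nss_lost_ldap BEFORE AFTER
# Prints the databases that had "ldap" in BEFORE but no longer in AFTER.
nss_lost_ldap() {
    before=$(nss_ldap_databases "$1")
    after=" $(nss_ldap_databases "$2") "
    lost=""
    for db in $before; do
        case "$after" in
            *" $db "*) ;;
            *) lost="$lost $db" ;;
        esac
    done
    printf '%s\n' "${lost# }"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed state before the upgrade.
    cat > "$tmp/before" <<'EOF'
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
EOF
    # Constructed state after the upgrade, matching the report's symptom.
    cat > "$tmp/after" <<'EOF'
passwd:         files
group:          files ldap
shadow:         files
hosts:          files dns
EOF
    echo "before: $(nss_ldap_databases "$tmp/before")"
    echo "after:  $(nss_ldap_databases "$tmp/after")"
    echo "lost:   $(nss_lost_ldap "$tmp/before" "$tmp/after")"
    rm -rf "$tmp"
}
demo
```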



Bug#1014793: linux-image-5.10.0-16-amd64: Kernel crashes while serving NFS

2022-07-22 Thread Arne Nordmark

On 2022-07-15 at 21:58, Salvatore Bonaccorso wrote:

I would be interested to either pinpoint the regressing commit
upstream between 5.10.120 and 5.10.127 or conversely the fixing commit
between 5.10.127 upstream and 5.10.130 where you are not able anymore
to reproduce the error. What I can say, I have already imported
5.10.130 for future upload (cf.
https://salsa.debian.org/kernel-team/linux/-/merge_requests/506).


Bisection for the regression proved too hard.

Bisection for the fix went better, I can get a crash with 5.10.128-00010 
but not yet with 5.10.128-00011. This indicates that the fixing commit 
was probably:


commit 6a0b9512a6aa7b7835d8138f5ffdcb4789c093d4
Author: Chuck Lever 
Date:   Thu Jun 30 16:48:18 2022 -0400

SUNRPC: Fix READ_PLUS crasher

which indeed seems to touch code involved in NFS service.

Consequently, the breaking commit was probably:

6c254bf3b637 ("SUNRPC: Fix the calculation of xdr->end in 
xdr_get_next_encode_buffer()")





Bisection would be a new experience for me, even compiling the kernel seems
like ages ago ... (using Debian since 0.93R6).


Would the following help?
https://wiki.debian.org/DebianKernel/GitBisect
Do you need any more specific help to get it rolling?


That was indeed helpful.



Regards,
Salvatore


Thanks
Arne



Bug#1014793: linux-image-5.10.0-16-amd64: Kernel crashes while serving NFS

2022-07-15 Thread Arne Nordmark

Sorry for the late reply.

On 2022-07-13 at 12:07, Salvatore Bonaccorso wrote:

Control: tags -1 + moreinfo

Hello Arne,



...



As you seem to reliably reproduce the issue, do you have the
possibility (on the nonproduction instance) to try to bisect down the
problem? Additionally to the bisect, on a test instance where the issue
is reproducible, can you run a selfcompiled 5.10.130 upstream to see
if the problem is still present?


I have now set up a test environment, and been able to reproduce NFS 
crashes with the Debian linux-image-5.10.0-16-amd64 and self-compiled 
upstream v5.10.127 kernels.


I have not been able to get a self-compiled upstream v5.10.130 to crash.

As for bisection, I am not entirely clear what is expected from me. Do 
you mean bisect the upstream kernels? Between which points? v5.10.120 to 
v5.10.127?


Bisection would be a new experience for me, even compiling the kernel 
seems like ages ago ... (using Debian since 0.93R6).




Regards,
Salvatore


Thanks again,
Arne



Bug#1014793: linux-image-5.10.0-16-amd64: Kernel crashes while serving NFS

2022-07-12 Thread Arne Nordmark



Package: src:linux
Version: 5.10.127-1
Severity: normal

Dear Maintainer,

The new kernel in Debian 11.4 seems unstable and crashes when serving 
NFS. On two different computers, these lockups happen within minutes, 
typically when a client runs firefox on an NFS-mounted home directory. 
Typically the servers lock up without any printout, but on one occasion, 
the following was logged:


jul 10 08:35:13 ano4 kernel: general protection fault, probably for 
non-canonical address 0x2f48514544455145:  [#1] SMP PTI
jul 10 08:35:13 ano4 kernel: CPU: 2 PID: 1244 Comm: nfsd Not tainted 
5.10.0-16-amd64 #1 Debian 5.10.127-1
jul 10 08:35:13 ano4 kernel: Hardware name: System manufacturer System 
Product Name/P5Q DELUXE, BIOS 220105/21/2009

jul 10 08:35:13 ano4 kernel: RIP: 0010:fsnotify+0x2d9/0x570
jul 10 08:35:13 ano4 kernel: Code: 78 08 44 0b 30 44 0b 68 40 48 83 c1 
01 48 83 f9 04 75 d9 66 66 66 66 90 44 8b 4c 24 1c 44 89 e8 f7 d0 45 21 
f1 41 85 c1 74 4f <49> 8b 3f 48 8b 07 48 85 c0 0f 84 0a 01 00 00 48 8d 
7c 24 38 44 89

jul 10 08:35:13 ano4 kernel: RSP: 0018:abe901fa3bc8 EFLAGS: 00010202
jul 10 08:35:13 ano4 kernel: RAX: bab6aebe RBX: 0001 
RCX: 0004
jul 10 08:35:13 ano4 kernel: RDX: 00035a00 RSI: 0001 
RDI: 2f48514544455145
jul 10 08:35:13 ano4 kernel: RBP: abe901fa3c20 R08: 0001 
R09: 0002
jul 10 08:35:13 ano4 kernel: R10: 0002 R11: 0002 
R12: 0002
jul 10 08:35:13 ano4 kernel: R13: 45495141 R14: 424d6757 
R15: 2f48514544455145
jul 10 08:35:13 ano4 kernel: FS:  () 
GS:939527d0() knlGS:
jul 10 08:35:13 ano4 kernel: CS:  0010 DS:  ES:  CR0: 
80050033
jul 10 08:35:13 ano4 kernel: CR2: 560b8cee4000 CR3: 0001034da000 
CR4: 000406e0

jul 10 08:35:13 ano4 kernel: Call Trace:
jul 10 08:35:13 ano4 kernel:  __fsnotify_parent+0xe7/0x2d0
jul 10 08:35:13 ano4 kernel:  ? ext4_buffered_write_iter+0xce/0x160 [ext4]
jul 10 08:35:13 ano4 kernel:  ? do_iter_readv_writev+0x152/0x1b0
jul 10 08:35:13 ano4 kernel:  do_iter_write+0xc8/0x1b0
jul 10 08:35:13 ano4 kernel:  nfsd_vfs_write+0x175/0x510 [nfsd]
jul 10 08:35:13 ano4 kernel:  nfsd4_write+0x135/0x1b0 [nfsd]
jul 10 08:35:13 ano4 kernel:  nfsd4_proc_compound+0x40d/0x680 [nfsd]
jul 10 08:35:13 ano4 kernel:  nfsd_dispatch+0xd3/0x180 [nfsd]
jul 10 08:35:13 ano4 kernel:  svc_process_common+0x3d4/0x6d0 [sunrpc]
jul 10 08:35:13 ano4 kernel:  ? nfsd_svc+0x320/0x320 [nfsd]
jul 10 08:35:13 ano4 kernel:  svc_process+0xb7/0xf0 [sunrpc]
jul 10 08:35:13 ano4 kernel:  nfsd+0xe8/0x140 [nfsd]
jul 10 08:35:13 ano4 kernel:  ? nfsd_destroy+0x60/0x60 [nfsd]
jul 10 08:35:13 ano4 kernel:  kthread+0x11b/0x140
jul 10 08:35:13 ano4 kernel:  ? __kthread_bind_mask+0x60/0x60
jul 10 08:35:13 ano4 kernel:  ret_from_fork+0x22/0x30
jul 10 08:35:13 ano4 kernel: Modules linked in: dm_snapshot dm_bufio tun 
cpufreq_ondemand cpufreq_powersave cpufreq_conservative 
cpufreq_userspace aes_generic libaes crypto_simd cryptd glue_helper cbc 
cts rpcsec_gss_krb5 sit tunnel4 ip_tunnel nft_nat sch_fq_codel rc_pinnacl
e_pctv_hd em28xx_rc rc_core si2157 si2168 i2c_mux em28xx_dvb dvb_core 
snd_hda_codec_analog snd_hda_codec_generic ledtrig_audio ivtv_alsa 
tuner_simple tuner_types snd_hda_codec_hdmi wm8775 snd_hda_intel tda9887 
tda8290 snd_intel_dspcfg tea5767 soundwire_intel tuner 
soundwire_generic_allocation snd_soc_core snd
_compress soundwire_cadence cx25840 snd_hda_codec ivtv snd_hda_core 
snd_hwdep soundwire_bus em28xx kvm_intel radeon tveeprom snd_pcm cx2341x 
kvm ttm videodev snd_timer snd irqbypass soundcore drm_kms_helper mc 
serio_raw evdev cec i2c_algo_bit iTCO_wdt intel_pmc_bxt 
iTCO_vendor_support pcspkr watchdog sg acpi_
cpufreq asus_atk0110 button nft_chain_nat nf_nat nft_reject_inet 
nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_counter nft_ct
jul 10 08:35:13 ano4 kernel:  nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 
coretemp firewire_sbp2 nf_tables nfnetlink loop nfsd parport_pc ppdev 
nfs_acl lockd lp auth_rpcgss parport grace drm fuse sunrpc configfs 
ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 raid10 raid4
56 async_raid6_recov async_memcpy async_pq async_xor async_tx xor 
raid6_pq libcrc32c crc32c_generic raid0 multipath linear dm_mod raid1 
md_mod sd_mod hid_generic t10_pi ata_generic crc_t10dif 
crct10dif_generic st crct10dif_common usbhid pata_marvell hid ahci 
libahci mpt3sas firewire_ohci firewire_core aic7xxx
 crc_itu_t libata skge ehci_pci uhci_hcd scsi_transport_spi lpc_ich 
i2c_i801 sky2 ehci_hcd psmouse i2c_smbus raid_class scsi_transport_sas 
usbcore scsi_mod usb_common floppy

jul 10 08:35:13 ano4 kernel: ---[ end trace 159cb95f57d30ea4 ]---
jul 10 08:35:13 ano4 kernel: RIP: 0010:fsnotify+0x2d9/0x570
jul 10 08:35:13 ano4 kernel: Code: 78 08 44 0b 30 44 0b 68 40 48 83 c1 
01 48 83 f9 04 75 d9 66 66 66 66 90 44 8b 4c 24 1c 44 89 e8 f7 d0 45 21 
f1 41 85 c1 74 4f 

Bug#934236: openafs-fileserver: postinst uses akeyconvert, but the package does not depend on openafs-krb5

2019-08-08 Thread Arne Nordmark
On 2019-08-09 at 03:10, Benjamin Kaduk wrote:
> On Thu, Aug 08, 2019 at 03:16:31PM +0200, Arne Nordmark wrote:

> I will think a bit about whether it is better to leave the akeyconvert
> invocation in openafs-fileserver and make it conditional on akeyconvert's
> presence, add the openafs-krb5 dependency, or move the call to the
> openafs-krb5 maintainer script. 

As input for that, in my case the file servers running stretch did not
have openafs-krb5 installed, only a copied rxkad.keytab, so options 1
and 3 I guess would have left the file servers non-functional (lacking
the KeyFileExt). Depending on the error messages, this may have been
hard to track down.

Thanks again
Arne



Bug#934236: openafs-fileserver: postinst uses asetkey, but the package does not depend on openafs-krb5

2019-08-08 Thread Arne Nordmark
Package: openafs-fileserver
Version: 1.8.2-1
Severity: normal

The stanza

if [ -r /etc/openafs/server/rxkad.keytab ] ; then
    akeyconvert
fi

in the postinst will fail if openafs-krb5 is not installed or is of version 1.6.

This happens for example when doing a partial upgrade from stretch to buster 
using apt-get upgrade.

A dependency on openafs-krb5 should be added to the package.

Thanks
Arne

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8), 
LANGUAGE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openafs-fileserver depends on:
ii  debconf [debconf-2.0]  1.5.71
ii  libc6  2.28-10
ii  libhcrypto4-heimdal    7.5.0+dfsg-3
ii  libroken18-heimdal 7.5.0+dfsg-3
ii  lsb-base   10.2019051400
ii  openafs-client 1.8.2-1

Versions of packages openafs-fileserver recommends:
pn  ntp | time-daemon  

Versions of packages openafs-fileserver suggests:
pn  openafs-doc  



Bug#897917: Stretch kernel 4.9.88-1 breaks startup of RPC, KDC services

2018-05-05 Thread Arne Nordmark
I have also seen this on a couple of SSD-only systems.

I think the problem is that the random number generator takes about two
minutes to initialize, long enough for systemd to give up on these
processes. Unbound is similar, but there the unit file keeps trying until
the random numbers are available.

From the log:
May  5 10:19:02 ano2 kernel: [  126.436729] random: crng init done

Pressing the keyboard a few times (thus providing entropy) will allow
the boot to continue.

This definitely seems to be a kernel problem.

Arne



Bug#892723: dehydrated: Dehydrated broken in stable due to unhandled redirect

2018-03-12 Thread Arne Nordmark
Package: dehydrated
Version: 0.3.1-3+deb9u1
Severity: normal

Since recently, updating a cert no longer works. The challenge works, and the 
new cert is created, but creating the cert chain fails:

...
 + Creating fullchain.pem...
   + ERROR: An error occurred while sending get-request to 
http://cert.int-x3.letsencrypt.org/ (Status 301)
...

The new cert is consequently not "activated" by symlinks, and the deploy scripts 
are not run.
The reason is a new redirect at Let's Encrypt, and curl does not follow 
redirects unless the "-L" switch is given.

This was fixed upstream by 


Arne

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-6-686-pae (SMP w/1 CPU core)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8), 
LANGUAGE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages dehydrated depends on:
ii  ca-certificates  20161130+nmu1
ii  curl 7.52.1-5+deb9u4
ii  openssl  1.1.0f-3+deb9u1

dehydrated recommends no packages.

dehydrated suggests no packages.

-- no debconf information



Bug#887637: rsyslog-gnutls: TLS server does not send intermediate certificates, breaking verification

2018-01-22 Thread Arne Nordmark
On Thu, 18 Jan 2018 16:27:35 +0100 Arne Nordmark <nordm...@mech.kth.se> 
wrote:

>
> gtlsLoadOurCertKey() uses gnutls_x509_crt_import() on the file data, 
and this function only handles one cert.

>

If one uses gnutls_x509_crt_list_import() instead, intermediate certs 
could be supported. With the attached patch,

the server sends all certificates in the file.

Arne



--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -173,6 +173,7 @@
 	gnutls_datum_t data = { NULL, 0 };
 	uchar *keyFile;
 	uchar *certFile;
+	int lenRcvd;
 
 	ISOBJ_TYPE_assert(pThis, nsd_gtls);
 
@@ -192,9 +193,12 @@
 
 	/* try load certificate */
 	CHKiRet(readFile(certFile, ));
-	CHKgnutls(gnutls_x509_crt_init(>ourCert));
+	pThis->nOurCerts=sizeof(pThis->pOurCerts);
+	lenRcvd=gnutls_x509_crt_list_import(pThis->pOurCerts, >nOurCerts, , GNUTLS_X509_FMT_PEM,0);
+	if (lenRcvd<0) {
+		CHKgnutls(lenRcvd);
+	}
 	pThis->bOurCertIsInit = 1;
-	CHKgnutls(gnutls_x509_crt_import(pThis->ourCert, , GNUTLS_X509_FMT_PEM));
 	free(data.data);
 	data.data = NULL;
 
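Review bot: "pThis->nOurCerts=sizeof(pThis->pOurCerts);" passes the size of the array in bytes, but the second argument of gnutls_x509_crt_list_import() is, on input, the maximum number of certificates it may store. With pOurCerts declared as an array of NSD_GTLS_MAX_CERT gnutls_x509_crt_t handles, a certificate file holding more than NSD_GTLS_MAX_CERT entries can be written past the end of the array. Initialise the count with NSD_GTLS_MAX_CERT (or sizeof(pThis->pOurCerts)/sizeof(pThis->pOurCerts[0])), and consider passing GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED instead of 0 so that an over-long chain is reported as an error.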
@@ -210,7 +214,9 @@
 		if(data.data != NULL)
 			free(data.data);
 		if(pThis->bOurCertIsInit) {
-			gnutls_x509_crt_deinit(pThis->ourCert);
+			for (int i=0; inOurCerts; ++i) {
+gnutls_x509_crt_deinit(pThis->pOurCerts[i]);
+			}
 			pThis->bOurCertIsInit = 0;
 		}
 		if(pThis->bOurKeyIsInit) {
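Review bot: the cleanup loop declares its counter as "int i" while nOurCerts is an unsigned int in nsd_gtls.h, so the loop bound compares signed against unsigned; declare the counter as unsigned int. It would also be safer to reset pThis->nOurCerts to 0 next to "pThis->bOurCertIsInit = 0;" so that no stale count survives the error path.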
@@ -255,8 +261,8 @@
 #else
 	st->type = GNUTLS_CRT_X509;
 #endif
-	st->ncerts = 1;
-	st->cert.x509 = >ourCert;
+	st->ncerts = pThis->nOurCerts;
+	st->cert.x509 = pThis->pOurCerts;
 	st->key.x509 = pThis->ourKey;
 	st->deinit_all = 0;
 
@@ -1204,7 +1210,9 @@
 	}
 
 	if(pThis->bOurCertIsInit)
-		gnutls_x509_crt_deinit(pThis->ourCert);
+  for (int i=0; inOurCerts; ++i) {
+			gnutls_x509_crt_deinit(pThis->pOurCerts[i]);
+  }
 	if(pThis->bOurKeyIsInit)
 		gnutls_x509_privkey_deinit(pThis->ourKey);
 	if(pThis->bHaveSess)
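Review bot: the loop added under "if(pThis->bOurCertIsInit)" is indented with spaces where the surrounding code uses tabs, and the if has no braces around what is now a multi-line body. Please match the file's indentation and brace the body; since the same loop also appears in the error path of the certificate loading code, a small helper that deinitialises all nOurCerts entries would avoid the duplication.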
--- a/runtime/nsd_gtls.h
+++ b/runtime/nsd_gtls.h
@@ -25,6 +25,7 @@
 #include "nsd.h"
 
 #define NSD_GTLS_MAX_RCVBUF 8 * 1024 /* max size of buffer for message reception */
+#define NSD_GTLS_MAX_CERT 10 /* max number of certs in our chain */
 
 typedef enum {
 	gtlsRtry_None = 0,	/**< no call needs to be retried */
@@ -56,7 +57,8 @@
  * set to 1 and changed to 0 after the first report. It is changed back to 1 after
  * one successful authentication. */
 	permittedPeers_t *pPermPeers; /* permitted peers */
-	gnutls_x509_crt_t ourCert;	/**< our certificate, if in client mode (unused in server mode) */
+	gnutls_x509_crt_t pOurCerts[NSD_GTLS_MAX_CERT];	/**< our certificate, if in client mode (unused in server mode) */
+	unsigned int nOurCerts;  /* number of certificates in our chain */
 	gnutls_x509_privkey_t ourKey;	/**< our private key, if in client mode (unused in server mode) */
 	short	bOurCertIsInit;	/**< 1 if our certificate is initialized and must be deinit on destruction */
 	short	bOurKeyIsInit;	/**< 1 if our private key is initialized and must be deinit on destruction */
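Review bot: the comment on pOurCerts still reads "our certificate, if in client mode (unused in server mode)", carried over from the single-certificate field it replaces. Please update it to say that the array holds the certificate chain read from the certificate file, and document at NSD_GTLS_MAX_CERT what happens when the file contains more than 10 certificates.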


Bug#887637: rsyslog-gnutls: TLS server does not send intermediate certificates, breaking verification

2018-01-18 Thread Arne Nordmark
Package: rsyslog-gnutls
Version: 8.24.0-1
Severity: normal

The setup consists of a TLS-enabled rsyslog server and TLS-enabled rsyslog 
clients without using client certificate authentication.

When DefaultNetstreamDriverCertFile on the server specifies a file with a 
single cert (which is signed by a top level cert available to the clients),
clients can connect.

When DefaultNetstreamDriverCertFile on the server specifies a file with a cert 
followed by an intermediate cert (which is signed by a top level cert available 
to the clients),
clients fail to connect.

Using "openssl s_client" reveals that only the server cert is sent, not the 
intermediate cert, and thus clients will fail
server cert verification since the intermediate certificate is not available.

The relevant code is in runtime/nsd_gtls.c. Interestingly enough there are two 
separate functions that read the certificate:

gtlsAddOurCert() uses gnutls_certificate_set_x509_key_file(), which will handle 
intermediate certs correctly.

gtlsLoadOurCertKey() uses gnutls_x509_crt_import() on the file data, and this 
function only handles one cert.

The latter function seems meant to be used in clients to read the client 
certificate when using client authentication,
but is also called in gtlsInitSession(). If one changes gtlsInitSession() to 
read
#if HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION && 0
thus disabling the call to gtlsLoadOurCertKey(),
the server will present the intermediate cert and clients will be able to 
connect.

Arne

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8), 
LANGUAGE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages rsyslog-gnutls depends on:
ii  libc6        2.24-11+deb9u1
ii  libgnutls30  3.5.8-5+deb9u3
ii  rsyslog      8.24.0-1

rsyslog-gnutls recommends no packages.

Versions of packages rsyslog-gnutls suggests:
ii  gnutls-bin  3.5.8-5+deb9u3

-- no debconf information



Bug#886768: Acknowledgement (linux-headers-3.16.0-5-amd64: inode_change_ok() missing, breaks openafs module build)

2018-01-10 Thread Arne Nordmark
Newer OpenAFS versions replace

code = inode_change_ok(inode, );

by

code = setattr_prepare(file_dentry(afile->filp), );

The file_dentry() helper is not present in linux-headers-3.16.0-5
either, but

code = setattr_prepare(afile->filp->f_path.dentry, );

at least seems to compile. Is this the correct replacement?

Arne



Bug#886768: (no subject)

2018-01-09 Thread Arne Nordmark
Control: reassign -1 src:linux



Bug#886768: linux-headers-3.16.0-5-amd64: inode_change_ok() missing, breaks openafs module build

2018-01-09 Thread Arne Nordmark
Package: linux-headers-3.16.0-5-amd64
Version: 3.16.51-3+deb8u1
Severity: normal

Since the latest jessie security update, the OpenAFS module (from 
openafs-modules-source, version 1.6.9-2+deb8u6)
no longer builds.

The error seems to be:
  CC [M]  
/usr/src/modass/usr_src/modules/openafs/src/libafs/MODLOAD-3.16.0-5-amd64-SP/osi_file.o
  
/usr/src/modass/usr_src/modules/openafs/src/libafs/MODLOAD-3.16.0-5-amd64-SP/osi_file.c:
 In function ‘osi_UFSTruncate’:
  
/usr/src/modass/usr_src/modules/openafs/src/libafs/MODLOAD-3.16.0-5-amd64-SP/osi_file.c:187:5:
 error: implicit declaration of function ‘inode_change_ok’ 
[-Werror=implicit-function-declaration]
   code = inode_change_ok(inode, );
^
cc1: some warnings being treated as errors
/usr/src/linux-headers-3.16.0-5-common/scripts/Makefile.build:262: receptet för 
målet 
”/usr/src/modass/usr_src/modules/openafs/src/libafs/MODLOAD-3.16.0-5-amd64-SP/osi_file.o”
 misslyckades
make[8]: *** 
[/usr/src/modass/usr_src/modules/openafs/src/libafs/MODLOAD-3.16.0-5-amd64-SP/osi_file.o]
 Fel 1

This is a regression, since the module builds fine with 
linux-headers-3.16.0-4-amd64.

Arne

-- System Information:
Debian Release: 8.10
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-headers-3.16.0-5-amd64 depends on:
ii  linux-compiler-gcc-4.8-x86 3.16.51-3+deb8u1
ii  linux-headers-3.16.0-5-common  3.16.51-3+deb8u1
ii  linux-kbuild-3.16  3.16.7-ckt20-1

linux-headers-3.16.0-5-amd64 recommends no packages.

linux-headers-3.16.0-5-amd64 suggests no packages.

-- no debconf information



Bug#886719: linux-headers-3.2.0-5-amd64: inode_change_ok() missing, breaks openafs module build

2018-01-09 Thread Arne Nordmark
Package: linux-headers-3.2.0-5-amd64
Version: 3.2.96-3
Severity: normal

Since the latest wheezy security update, the OpenAFS module (from 
openafs-modules-source, version 1.6.1-3+deb7u8)
no longer builds.

The error seems to be:
  CC [M]  
/usr/src/modass/usr_src/modules/openafs/src/libafs/MODLOAD-3.2.0-5-amd64-SP/osi_file.o
/usr/src/modass/usr_src/modules/openafs/src/libafs/MODLOAD-3.2.0-5-amd64-SP/osi_file.c:
 In function ‘osi_UFSTruncate’:
/usr/src/modass/usr_src/modules/openafs/src/libafs/MODLOAD-3.2.0-5-amd64-SP/osi_file.c:184:5:
 error: implicit declaration of funct
ion ‘inode_change_ok’ [-Werror=implicit-function-declaration]
cc1: some warnings being treated as errors
make[8]: *** 
[/usr/src/modass/usr_src/modules/openafs/src/libafs/MODLOAD-3.2.0-5-amd64-SP/osi_file.o]
 Fel 1

This is a regression, since the module builds fine with 
linux-headers-3.2.0-4-amd64.

Arne

-- System Information:
Debian Release: 7.11
  APT prefers oldoldstable-updates
  APT policy: (500, 'oldoldstable-updates'), (500, 'oldoldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages linux-headers-3.2.0-5-amd64 depends on:
ii  gcc-4.6   4.6.3-14
pn  linux-headers-3.2.0-5-common  
ii  linux-kbuild-3.2  3.2.17-1

linux-headers-3.2.0-5-amd64 recommends no packages.

linux-headers-3.2.0-5-amd64 suggests no packages.



Bug#865962: openafs-fileserver: Periodic restarts configured in BosConfig causes bosserver to be shut down

2017-06-26 Thread Arne Nordmark
Package: openafs-fileserver
Version: 1.6.20-2
Severity: normal

Dear Maintainer,

This Sunday morning, the bosserver process on all stretch machines was found to 
have stopped.

BosLog contained:

Sun Jun 25 04:01:06 2017: Core limits now -1 -1
Sun Jun 25 04:01:06 2017: Server directory access is okay
Sun Jun 25 04:01:06 2017: fs started pid 15456: /usr/lib/openafs/fileserver
Sun Jun 25 04:01:06 2017: fs started pid 15457: /usr/lib/openafs/volserver
Sun Jun 25 04:01:06 2017: vlserver started pid 15458: /usr/lib/openafs/vlserver
Sun Jun 25 04:01:06 2017: ptserver started pid 15459: /usr/lib/openafs/ptserver
Sun Jun 25 04:01:06 2017: Listening on 0.0.0.0:7007
Sun Jun 25 04:01:06 2017: fs:vol exited on signal 15
Sun Jun 25 04:01:06 2017: vlserver exited on signal 15
Sun Jun 25 04:01:06 2017: ptserver exited on signal 15
Sun Jun 25 04:01:06 2017: fs:file exited on signal 3 (core dumped)
Sun Jun 25 04:01:06 2017: Shutdown of BOS server and processes in response to signal 15

The time is consistent with the restarttime entry in /etc/openafs/BosConfig:

restarttime 11 0 4 0 0
checkbintime 3 0 5 0 0
bnode fs fs 1
parm /usr/lib/openafs/fileserver
parm /usr/lib/openafs/volserver
parm /usr/lib/openafs/salvager
end
bnode simple vlserver 1
parm /usr/lib/openafs/vlserver
end
bnode simple ptserver 1
parm /usr/lib/openafs/ptserver
end

The reason why a restarttime entry is present is lost in the mists of time, but 
might well have been a default setting once.

Using the bos command to restart bosserver manually gives the same result:

# bos restart -server localhost -bosserver -localauth

causes bosserver to shut down, again with the same log entry.

This is definitely a regression compared to jessie.
As I interpret the log entry, a signal 15 is sent from the outside.
The most obvious difference (compared to jessie) is the presence of a systemd 
unit file in the stretch version.
Is systemd process control clashing with how bos tries to restart itself?

Thanks for maintaining the Debian OpenAFS packages
Arne Nordmark

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8), 
LANGUAGE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openafs-fileserver depends on:
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.48
ii  libc6                  2.24-11+deb9u1
ii  libcomerr2             1.43.4-2
ii  libk5crypto3           1.15-1
ii  libkrb5-3              1.15-1
ii  lsb-base               9.20161125
ii  openafs-client         1.6.20-2

Versions of packages openafs-fileserver recommends:
ii  ntp  1:4.2.8p10+dfsg-3

Versions of packages openafs-fileserver suggests:
pn  openafs-doc  



Bug#849100: Is initializing exit_status to 0 really correct?

2017-05-10 Thread Arne Nordmark

Note that the man page for dhclient-script says:

The exit status of dhclient-script will be passed to dhclient-exit-hooks
in the exit_status shell variable, and will always be zero if the script
succeeded at the task for which it was invoked. The rest of the
environment as described previously for dhclient-enter-hooks is also
present. The /etc/dhcp/dhclient-exit-hooks and
/etc/dhcp/dhclient-exit-hooks.d/* scripts can modify the value of
exit_status to change the exit status of dhclient-script.

This seems to be in conflict with the implemented fix of setting 
exit_status=0 before calling the hooks. If the man page is correct, each 
script in turn should have the chance to update exit_status, and the 
value after calling the final script is the one to use for return.


Arne



Bug#737679: autofs does not appear to support IPv6 hostname lookups for NFS mounts

2017-02-27 Thread Arne Nordmark
For the record: Version 5.1.2-1 (currently in stretch), still shows this 
problem, and building --with-libtirpc still resolves the problem.


Are there any known downsides to using libtirpc?

Arne



Bug#845425: DataSource no longer accessible since jessie security update

2016-12-07 Thread Arne Nordmark
On 2016-12-07 at 17:35, Emmanuel Bourg wrote:
> On 7/12/2016 at 13:28, Arne Nordmark wrote:
> 
> Thanks for the info. I'm trying to reproduce the same error but I
> haven't succeeded so far. Here is what I did:
> 

...

> 9. Create a test page /var/lib/tomcat7/webapps/ROOT/test.jsp with:
> 
>   <%@page import="javax.naming.*,javax.sql.*" %>
>   <%
>   Context initContext = new InitialContext();
>   Context envContext  = (Context) initContext.lookup("java:/comp/env");
>   DataSource ds = (DataSource) envContext.lookup("jdbc/test");
> 
>   out.println("DataSource: " + ds);
>   %>
> 
> There is still something different with your setup but I don't know what.

If I add

  out.println("Loaded by: " + ds.getClass().getClassLoader());

to test.jsp I get

Loaded by: org.apache.catalina.loader.StandardClassLoader@4876e0

so the WebappClassLoader is not being used in this example, probably
because there are no classes in the webapp.

> 
> 
>> Am I correct in understanding that you want me to add the loop on top of
>> version 7.0.56-3+deb8u5 without the other changes from upstream 7.0.73?
> 
> Yes please.

OK. I first built 7.0.56-3+deb8u5 as distributed, installed, and
verified that your example works but not my webapp. Then I added the
loop to validateGlobalResourceAccess() (patch attached), reinstalled
libtomcat7-java, restarted tomcat7, and verified that both webapps now work.

> 
> Emmanuel Bourg
> 

Thanks for your patience,
Arne
--- a/java/org/apache/naming/factory/ResourceLinkFactory.java
+++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
@@ -116,9 +116,12 @@
 
 private static boolean validateGlobalResourceAccess(String globalName) {
 ClassLoader cl = Thread.currentThread().getContextClassLoader();
-Map<String,String> registrations = globalResourceRegistrations.get(cl);
-if (registrations != null && registrations.containsValue(globalName)) {
-return true;
+while (cl != null) {
+Map<String,String> registrations = globalResourceRegistrations.get(cl);
+if (registrations != null && registrations.containsValue(globalName)) {
+return true;
+}
+cl = cl.getParent();
 }
 return false;
 }
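
Review bot: the `while (cl != null)` walk in validateGlobalResourceAccess() widens the check from the thread's own context class loader to every ancestor, so a registration keyed by a loader that several web applications share would now authorise all of them. A comment stating that registrations are only ever keyed by a per-application loader would make that assumption explicit. The loop also means `globalResourceRegistrations.get(cl)` is no longer called with a null `cl`, which is worth a line in the changelog.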


Bug#845425: DataSource no longer accessible since jessie security update

2016-12-07 Thread Arne Nordmark

On 2016-12-07 at 11:38, Emmanuel Bourg wrote:
> Hi Arne,
>
> Where is the jar of your JDBC driver located?

I have put a symlink in /var/lib/tomcat7/common, so that would be loaded 
by the "Common" class loader.

The default Debian configuration in /etc/tomcat7/catalina.properties 
seems to be slightly broken here, so in the "common.loader" I had to 
change from ${catalina.home}/common/... to ${catalina.base}/common/...

>> I can build and run Debian tomcat7 on both wheezy and jessie, so if you
>> would like me to make any further tests, please let me know.
>
> Would you be able to try again with the missing loop?

Am I correct in understanding that you want me to add the loop on top of 
version 7.0.56-3+deb8u5 without the other changes from upstream 7.0.73?

> Emmanuel Bourg

Arne



Bug#845425: DataSource no longer accessible since jessie security update

2016-12-04 Thread Arne Nordmark
On 2016-12-04 at 15:00, Markus Koschany wrote:
> On 04.12.2016 09:22, Arne Nordmark wrote:
>> Unfortunately, the newly released wheezy security update 7.0.28-4+deb7u7
>> also suffers from this problem.
>>
>> Can it be so that the important part missing is the loop traversing the
>> class loaders in validateGlobalResourceAccess():
>>
>> while (cl != null) {
>>  ...
>>  cl = cl.getParent();
>> }
> 
> Hello,
> 
> I have prepared the update for Wheezy. Since you confirmed that using the 
> ResourceLinkFactory class
> from 7.x trunk works for you, we have replaced the current version with this 
> one. At the moment I
> fail to understand what we are missing because upstream's fix for 
> CVE-2016-6797 is relatively
> straightforward [1] and we have already taken your bug report into account.
> 
> Could you elaborate in which file the code from above is missing?

Sorry if I was unclear. In the ResourceLinkFactory class,
CVE-2016-6797.patch adds among other things the new method

private static boolean validateGlobalResourceAccess(String globalName)

However, in the upstream version 7.0.73 there is another change to this new
method, which is the loop over the parent class loaders I was referring
to above.

It seems that when preparing CVE-2016-6797-part2.patch, this change was
left out, but it may be the change that actually makes things work.

I can build and run Debian tomcat7 on both wheezy and jessie, so if you
would like me to make any further tests, please let me know.

Thanks,
Arne

> 
> Thanks,
> 
> Markus
> 
> 
> [1] https://svn.apache.org/viewvc?view=revision=1757275
> 
> 
> 
> 
> 



Bug#845425: DataSource no longer accessible since jessie security update

2016-12-04 Thread Arne Nordmark
Unfortunately, the newly released wheezy security update 7.0.28-4+deb7u7
also suffers from this problem.

Can it be so that the important part missing is the loop traversing the
class loaders in validateGlobalResourceAccess():

while (cl != null) {
 ...
 cl = cl.getParent();
}

Arne
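
An added illustration, not part of the thread and not Tomcat's code, of what the parent walk in validateGlobalResourceAccess() changes: a lookup made under a child of the registering class loader passes only with the loop, while a web application with no ResourceLink is refused either way. The loader hierarchy, the class name and the resource name jdbc/globalTest are constructed for the example.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Constructed model of the per-class-loader ResourceLink registry discussed in
 * this thread. Method names follow the thread; the bodies are a simplified
 * illustration, not Tomcat's source.
 */
public class GlobalResourceAccessDemo {

    // class loader that registered a ResourceLink -> (local name -> global name)
    private static final Map<ClassLoader, Map<String, String>> registrations =
            new ConcurrentHashMap<>();

    static void register(ClassLoader owner, String localName, String globalName) {
        registrations.computeIfAbsent(owner, k -> new ConcurrentHashMap<>())
                .put(localName, globalName);
    }

    /** Without the loop: only the thread's own context class loader is consulted. */
    static boolean validateExact(String globalName) {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        if (cl == null) {
            return false; // ConcurrentHashMap rejects null keys
        }
        Map<String, String> links = registrations.get(cl);
        return links != null && links.containsValue(globalName);
    }

    /** With the loop: a registration made by any ancestor loader also counts. */
    static boolean validateWithParents(String globalName) {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        while (cl != null) {
            Map<String, String> links = registrations.get(cl);
            if (links != null && links.containsValue(globalName)) {
                return true;
            }
            cl = cl.getParent();
        }
        return false;
    }

    /** Runs both checks with the given loader as the thread context class loader. */
    static String check(String label, ClassLoader context, String globalName) {
        Thread t = Thread.currentThread();
        ClassLoader saved = t.getContextClassLoader();
        t.setContextClassLoader(context);
        try {
            return String.format("%-28s exact=%-5b withParents=%b",
                    label, validateExact(globalName), validateWithParents(globalName));
        } finally {
            t.setContextClassLoader(saved);
        }
    }

    public static void main(String[] args) {
        ClassLoader shared = GlobalResourceAccessDemo.class.getClassLoader();
        // Hypothetical hierarchy: two web applications under one shared loader,
        // one of which runs some code under a child loader of its own.
        ClassLoader webappA = new URLClassLoader(new URL[0], shared);
        ClassLoader childOfA = new URLClassLoader(new URL[0], webappA);
        ClassLoader webappB = new URLClassLoader(new URL[0], shared);

        // Only web application A declares a ResourceLink to the global resource.
        register(webappA, "jdbc/test", "jdbc/globalTest");

        System.out.println(check("webappA", webappA, "jdbc/globalTest"));
        System.out.println(check("child loader of webappA", childOfA, "jdbc/globalTest"));
        System.out.println(check("webappB (no ResourceLink)", webappB, "jdbc/globalTest"));
        System.out.println(check("webappA, unlinked resource", webappA, "jdbc/other"));
    }
}
```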



Bug#845425: DataSource no longer accessible since jessie security update

2016-11-23 Thread Arne Nordmark
On 2016-11-23 at 17:52, Emmanuel Bourg wrote:
> Would you be able to rebuild with this version of the
> ResourceLinkFactory class and see if it works better?
> 
> https://raw.githubusercontent.com/apache/tomcat70/TOMCAT_7_0_73/java/org/apache/naming/factory/ResourceLinkFactory.java
> 

Indeed, with this file, things seem to work (crossing my fingers that I
have understood how to use quilt, and thus built correctly). I had to
make one change to line 43 to make it compile.

I am attaching the refreshed version of CVE-2016-6797.patch for reference.

Thank you very much,
Arne


Description: Fixes CVE-2016-6797: The ResourceLinkFactory did not limit web
 application access to global JNDI resources to those resources explicitly
 linked to the web application. Therefore, it was possible for a web
 application to access any global JNDI resource whether an explicit
 ResourceLink had been configured or not.
Origin: backport, https://svn.apache.org/r1757275
--- a/java/org/apache/catalina/core/NamingContextListener.java
+++ b/java/org/apache/catalina/core/NamingContextListener.java
@@ -41,6 +41,7 @@
 import org.apache.catalina.ContainerEvent;
 import org.apache.catalina.ContainerListener;
 import org.apache.catalina.Context;
+import org.apache.catalina.Engine;
 import org.apache.catalina.Host;
 import org.apache.catalina.Lifecycle;
 import org.apache.catalina.LifecycleEvent;
@@ -68,6 +69,7 @@
 import org.apache.naming.ResourceRef;
 import org.apache.naming.ServiceRef;
 import org.apache.naming.TransactionRef;
+import org.apache.naming.factory.ResourceLinkFactory;
 import org.apache.tomcat.util.modeler.Registry;
 import org.apache.tomcat.util.res.StringManager;
 
@@ -344,6 +346,11 @@
 registry.unregisterComponent(objectName);
 }
 }
+
+javax.naming.Context global = getGlobalNamingContext();
+if (global != null) {
+ResourceLinkFactory.deregisterGlobalResourceAccess(global);
+}
 } finally {
 objectNames.clear();
 
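
Review bot: the deregisterGlobalResourceAccess(global) call is added inside the try block, just before `} finally {`, so an exception thrown by the preceding registry.unregisterComponent(objectName) code skips it and the registrations for this context stay behind. Moving the call into the finally block next to objectNames.clear() would make the cleanup unconditional.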
@@ -1167,6 +1174,17 @@
 logger.error(sm.getString("naming.bindFailed", e));
 }
 
+ResourceLinkFactory.registerGlobalResourceAccess(
+getGlobalNamingContext(), resourceLink.getName(), resourceLink.getGlobal());
+}
+
+
+private javax.naming.Context getGlobalNamingContext() {
+if (container instanceof Context) {
+Engine e = (Engine) ((Context) container).getParent().getParent();
+return e.getService().getServer().getGlobalNamingContext();
+}
+return null;
 }
 
 
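
Review bot: registerGlobalResourceAccess() is handed the result of getGlobalNamingContext() unchecked, although that helper returns null when the container is not a Context and the removal path added earlier in this patch does guard with `if (global != null)`. The call also sits after the block that logs naming.bindFailed, so a link whose bind failed is still registered; guard for null and register only after a successful bind. The `(Engine) ((Context) container).getParent().getParent()` cast assumes a fixed Context/Host/Engine nesting and deserves an instanceof check or a comment.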
@@ -1270,6 +1288,7 @@
 logger.error(sm.getString("naming.unbindFailed", e));
 }
 
+ResourceLinkFactory.deregisterGlobalResourceAccess(getGlobalNamingContext(), name);
 }
 
 
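
Review bot: deregisterGlobalResourceAccess(getGlobalNamingContext(), name) passes a possibly null context, unlike the `if (global != null)` guard used for the one-argument form earlier in the patch. Use the same guard here so both removal paths behave alike.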
--- a/java/org/apache/naming/factory/ResourceLinkFactory.java
+++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
@@ -5,20 +5,21 @@
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
- * 
+ *
  *  http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
- */ 
-
-
+ */
 package org.apache.naming.factory;
 
+import java.util.HashMap;
 import java.util.Hashtable;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
 
 import javax.naming.Context;
 import javax.naming.Name;
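
Review bot: the trailing-whitespace and blank-line changes in the licence header are unrelated to the access check and make the security backport harder to audit against the stated origin, r1757275. Limiting this hunk to the three added imports (HashMap, Map, ConcurrentHashMap) would keep the diff minimal.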
@@ -28,35 +29,32 @@
 import javax.naming.spi.ObjectFactory;
 
 import org.apache.naming.ResourceLinkRef;
-
+import org.apache.naming.StringManager;
 
 /**
  * Object factory for resource links.
- * 
+ *
  * @author Remy Maucherat
  */
-public class ResourceLinkFactory
-implements ObjectFactory {
-
-
-// --- Constructors
-
+public class ResourceLinkFactory implements ObjectFactory {
 
 // --- Static Variables
 
+private static final StringManager sm = StringManager.getManager(Constants.Package);
 
 /**
  * Global naming context.
  */
 private static Context globalContext = null;
 
+private static Map> globalResourceRegistrations =
+new ConcurrentHashMap>();
 
 // - Public Methods
 
-
 /**
  * Set the global context (note: can only be used once).
- * 
+ *
  * @param newGlobalContext new global context value
  */
 public static void 
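
Review bot: globalResourceRegistrations is added as a mutable `private static` field; declaring it `final` would stop it being reassigned, and a short Javadoc saying what the outer key and the inner map hold would help, since the access decision depends on that keying. The class-declaration and separator-comment reshuffling in the same hunk is cosmetic and could be left out of a security backport.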

Bug#845425: DataSource no longer accessible since jessie security update

2016-11-23 Thread Arne Nordmark
On 2016-11-23 at 17:52, Emmanuel Bourg wrote:
> 
> Would you be able to rebuild with this version of the
> ResourceLinkFactory class and see if it works better?
> 
> https://raw.githubusercontent.com/apache/tomcat70/TOMCAT_7_0_73/java/org/apache/naming/factory/ResourceLinkFactory.java
> 

I take it you mean this in addition to the other changes in
CVE-2016-6797.patch?

Will do.

Arne



Bug#845425: DataSource no longer accessible since jessie security update

2016-11-23 Thread Arne Nordmark
Yet another data point:

I rebuilt 7.0.56-3+deb8u5 with CVE-2016-6797.patch deleted, and again
the problem goes away.

Arne



Bug#845425: DataSource no longer accessible since jessie security update

2016-11-23 Thread Arne Nordmark
On 2016-11-23 at 14:09, Emmanuel Bourg wrote:
> Did you enable the security manager?

I have not changed that part of /etc/default/tomcat7, so it still reads

#TOMCAT7_SECURITY=no

which should imply that the security manager is not enabled.

Arne



Bug#845425: DataSource no longer accessible since jessie security update

2016-11-23 Thread Arne Nordmark
On 2016-11-23 at 12:36, Emmanuel Bourg wrote:
> Hi Arne,
> 
> Thank you for reporting this issue. Could you check if it also occurs
> with the tomcat7 package from jessie-backports please?

Thanks for the quick reply.

No, with version 7.0.73-1~bpo8+1 I do not have this problem. I guess
this indicates a problem with backporting the patch to 7.0.56.

> 
> Emmanuel Bourg
> 

Arne



Bug#845425: DataSource no longer accessible since jessie security update

2016-11-23 Thread Arne Nordmark
Package: tomcat7
Version: 7.0.56-3+deb8u5
Severity: normal

After the security update 7.0.56-3+deb8u5, I get an error message:

ALLVARLIG: Servlet.service() for servlet [Faces Servlet] in context with
path [/mech] threw exception [Filter execution threw an exception] with
root cause
org.hibernate.HibernateException: Unable to determine appropriate
DataSource to use

This seems likely to be connected with the fix for bug #842666, but I am
not expert enough to determine whether this is due to misconfiguration,
a problem with the fix, a problem in Hibernate, or ...

It used to work with 7.0.56-3+deb8u4, and downgrading to 7.0.56-3+deb8u3
from stable also restores the functionality.

/etc/tomcat7/server.xml:
...
  
...
   
   
...
  
...

webapp/META-INF/context.xml:

  


Thanks,
Arne



Bug#753732: NFS sec=krb5 does not work with cross-realm

2015-07-13 Thread Arne Nordmark
On Fri, 04 Jul 2014 16:36:12 +0200 Jaap Winius jwin...@umrk.nl wrote:
> Package: nfs-common
> Version: 1.2.6-4
>
> NFS with sec=krb5i or sec=krb5p using MIT Kerberos does not work when
> cross-realm authentication is used -- only when clients have a
> Kerberos ticket for the same realm. This happens consistently and in
> cases when cross-realm authentication does work with other services on
> the same machine, such as SSH.

...

> The second set involves a user account with the same name, jwinius,
> but with a Kerberos ticket from a different, albeit trusted realm:
> UMRK.NL. This always results in an authentication failure:

...

> The user experience ends with a Permission denied message, although
> the client does receive a Kerberos service ticket despite the failure.
> The rpc.idmapd daemon seems to translate the jwin...@umrk.nl account
> to jwin...@dapadam.nl with user ID 1. In some situations this
> might be incorrect, but here it's okay because both accounts belong to
> the same person.
>
> When authentication fails, the only evidence that I can see for this
> in the server's log output is in the fifth line shown:
> nss_gss_princ_to_ids: Local-Realm 'UMRK.NL': NOT FOUND. Apparently,
> the local Kerberos KDC is not interrogated and the trust entry for the
> UMRK.NL realm is never discovered.

You have not included the content of /etc/idmapd.conf.

There are several options for translating principals, and if user names
are the same in both realms a simple line like

Local-Realms: DAPADAM.NL, UMRK.NL

might do it.

Arne Nordmark


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#773610: libapache2-svn: apache2 restart failed: mod_dav_svn.so: undefined symbol:, dav_svn__new_error

2014-12-20 Thread Arne Nordmark
Package: libapache2-svn
Version: 1.6.17dfsg-4+deb7u7
Severity: grave
Justification: renders package unusable

The wheezy-security upload breaks libapache2-svn in exactly the same way as the
previous upload 1.6.17dfsg-4+deb7u5, which was fixed in 1.6.17dfsg-4+deb7u6,
see bug number 741314 for more details.

 service apache2 start
[ ok ] Starting web server: apache2.
apache2: Syntax error on line 244 of /etc/apache2/apache2.conf: Syntax
error on
line 2 of /etc/apache2/mods-enabled/dav_svn.load: Cannot load
/usr/lib/apache2/modules/mod_dav_svn.so into server:
/usr/lib/apache2/modules/mod_dav_svn.so: undefined symbol:
dav_svn__new_error

Arne Nordmark



-- System Information:
Debian Release: 7.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#737679: needs to be built with libtirpc

2014-03-09 Thread Arne Nordmark
> It looks like this is down to autofs not handling names using only
> IPv6 addresses.  Not sure why this happens given that I would have
> expected it to just pass this directly to mount(8) but it's
> presumably doing more than that.  Not sure exactly what the cause
> is, though /usr/lib/x86_64-linux-gnu/autofs/mount_nfs.so is using
> getaddrinfo and I can't see any obvious defect with a quick glance
> over the sources.

Autofs does some initial NFS probing of its own, as part of handling
server replication. From the debug output for a successful mount from a
dual-stack server, we can also see that get_nfs_info() is only using the
IPv4 address(es) of the server.

IPv6 support seems to need libtirpc. If autofs is rebuilt using
--with-libtirpc, both IPv6 and IPv4 addresses are used in
get_nfs_info(), and the IPv6 only case now works.

In wheezy at least, the following patch (or something similar):

--- a/lib/rpc_subs.c
+++ b/lib/rpc_subs.c
@@ -34,6 +34,7 @@
 #include pthread.h
 #include poll.h

+/*
 #ifdef WITH_LIBTIRPC
 #undef auth_destroy
 #define auth_destroy(auth)  \
@@ -43,6 +44,7 @@
 ((*((auth)-ah_ops-ah_destroy))(auth));\
 } while (0)
 #endif
+*/

 #include mount.h
 #include rpc_subs.h
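
Review bot: the `+/*` and `+*/` lines disable the WITH_LIBTIRPC auth_destroy() redefinition by wrapping it in a block comment, which leaves dead code in the file and would end early if the wrapped lines ever gained a comment of their own. Deleting the block, or using `#if 0` with a one-line reason (the undefined auth_put() symbol), would be more robust.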

which removes a redefinition of auth_destroy() is also needed. The
redefinition seems to have been an attempt to avoid a symbol clash on
log_debug(), but in the wheezy macro there is no symbol clash, and the
redefinition instead creates an undefined symbol auth_put().

Arne





Bug#739261: libhdf5-openmpi-dev: Version in stable (wheezy) does not work with gfortran from stable

2014-02-17 Thread Arne Nordmark
Package: libhdf5-openmpi-dev
Version: 1.8.8-9
Severity: normal

The current version in wheezy was not built using the current version of 
gfortran in wheezy,
and compilation fails:

prompt h5fc h5_crtdat.f90
h5_crtdat.f90:26.6:

   USE HDF5 ! This module contains all necessary modules
   1
Fatal Error: Wrong module version '6' (expected '9') for file 
'hdf5.mod'
--

The first line of /usr/include/hdf5.mod reads:
GFORTRAN module version '6' created from ../../../../fortran/src/HDF5mpio.f90 
on Thu Mar  8 11:40:49 2012

This is issue #630986 manifesting itself again, and a rebuild in a current 
wheezy environment
is enough to solve this problem.

It would be nice to see such a rebuild in upcoming stable (wheezy) releases.

Thanks
Arne Nordmark

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libhdf5-openmpi-dev depends on:
ii  hdf5-helpers                1.8.8-9
ii  libhdf5-openmpi-7           1.8.8-9
ii  libjpeg8-dev [libjpeg-dev]  8d-1
ii  libopenmpi-dev              1.4.5-1
ii  zlib1g-dev                  1:1.2.7.dfsg-13

libhdf5-openmpi-dev recommends no packages.

Versions of packages libhdf5-openmpi-dev suggests:
pn  libhdf5-doc  none

-- no debconf information





Bug#736325: dh-make-drupal: Developer versions are detected as recommended

2014-01-22 Thread Arne Nordmark
Package: dh-make-drupal
Version: 1.7-1
Severity: normal

Developer versions of modules are detected as both recommended and 
developer,
and selected over recommended versions, when scanning the Drupal site.

kaipak[nordmark]~/tmp dh-make-drupal -D --debug 3 date
D:Parsed options:
---
d_ver: 7
min_status: :recommended
force_overwrite: false
debug: '3'
report_only: false
debianize: false
skip_build: false
skip_recommend: false
switches: -us -uc
tarball: false
proj_version: 
proj_type: Modules
mangle_version: true
provides: 
project: date
D:Preparing package for 'date' for Drupal 7, status = recommended
D:Fetching project information from https://drupal.org/project/date
D:Project type for date: Modules
D:Found version 7.x-2.7 (recommended)
D:This release was uploaded on 2013-12-21 00:00:00 +0100
D:Found version 6.x-2.9 (recommended)
D:This release was uploaded on 2012-04-27 00:00:00 +0200
D:Found version 8.x-1.x-dev (recommended)
D:This release was uploaded on 2013-09-30 00:00:00 +0200
D:Found version 7.x-2.x-dev (recommended)
D:This release was uploaded on 2014-01-06 00:00:00 +0100
D:Found version 6.x-2.x-dev (recommended)
D:This release was uploaded on 2013-10-21 00:00:00 +0200
D:Found version 8.x-1.x-dev (developer)
D:This release was uploaded on 2013-09-30 00:00:00 +0200
D:Found version 7.x-2.x-dev (developer)
D:This release was uploaded on 2014-01-06 00:00:00 +0100
D:Found version 6.x-2.x-dev (developer)
D:This release was uploaded on 2013-10-21 00:00:00 +0200
D:Going over 8 available releases, searching for compatibility with Drupal 
7, minimum development status recommended (2)
I:   Found #DrupalProject::Project:0x00014a2a30 version 2~~dev (status: 
recommended)
D:Download URL: http://ftp.drupal.org/files/projects/date-7.x-2.x-dev.tar.gz
D:Retreiving remote file 
http://ftp.drupal.org/files/projects/date-7.x-2.x-dev.tar.gz
D:Attempting to save in drupal7-mod-date_2~~dev.orig.tar.gz
D:Skipping Debian package creation as requested at command line

Note that version 7.x-2.x-dev is listed twice, first as (recommended),
and secondly as (developer).

This is the sid version of dh-make-drupal, running on a wheezy system,
since the wheezy version no longer parses the Drupal site at all.

Thanks,
Arne

-- System Information:
Debian Release: 7.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dh-make-drupal depends on:
ii  build-essential  11.5
ii  debhelper        9.20120909
ii  libruby          1:1.9.3
ii  ruby             1:1.9.3
ii  ruby-hpricot     0.8.6-3

dh-make-drupal recommends no packages.

Versions of packages dh-make-drupal suggests:
pn  drupal6 | drupal7  none

-- no debconf information





Bug#684009: isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address

2012-08-06 Thread Arne Nordmark

Package: isc-dhcp-client
Version: 4.2.2.dfsg.1-5
Severity: normal
Tags: upstream ipv6 patch

dhclient unconditionally assumes an on-link prefix matching the address 
and with a length of 64 when setting an IPv6 address. Like routing 
information, on-link prefix information is not part of the DHCPv6 
protocol, so this is just a guess on the part of dhclient.


RFC 5942 asserts that on-link prefixes and addresses are independent 
concepts, and on-link prefix information must only come from Router 
Advertisements or manual configuration. Section 5 specifically points 
out that a /64 prefix must not be assumed.


In my case where a /112 prefix is used, the routing table becomes

nordmark@strix:~$ ip -6 route
2001:6b0:1:1e90::40:0/112 dev wlan0  proto kernel  metric 256  expires 2592301sec
2001:6b0:1:1e90::/64 dev wlan0  proto kernel  metric 256
default via fe80::92e6:baff:fe68:ce8f dev wlan0  proto kernel  metric 1024 expires 1777sec


and hosts sharing the /64 prefix but not the /112 are falsely determined 
as being on-link, and have become unreachable.


This is (probably, the bug tracking is closed so I can not verify) 
reported upstream as ISC-Bugs #29468.


The corresponding bug where Network Manager wrongly trusts the prefix 
length information from dhclient is #661885.


The included patch removes the use of the bogus ip6_prefixlen variables 
from dhclient-script and uses /128 when setting an address. Should other 
programs use these variables, they are hard coded as 128 instead of 64.


Arne


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages isc-dhcp-client depends on:
ii  debianutils      4.3.2
ii  iproute          20120521-3
ii  isc-dhcp-common  4.2.2.dfsg.1-5
ii  libc6            2.13-33

isc-dhcp-client recommends no packages.

Versions of packages isc-dhcp-client suggests:
ii  avahi-autoipd  0.6.31-1
ii  resolvconf 1.67

-- no debconf information
--- a/client/dhc6.c
+++ b/client/dhc6.c
@@ -3899,11 +3899,10 @@
   piaddr(addr-address),
   (unsigned) addr-plen);
 		} else {
-			/* Current practice is that all subnets are /64's, but
-			 * some suspect this may not be permanent.
+			/* Prefixlen set to 128 since this is only an address.
 			 */
 			client_envadd(client, prefix, ip6_prefixlen,
-  %d, 64);
+  %d, 128);
 			client_envadd(client, prefix, ip6_address,
   %s, piaddr(addr-address));
 		}
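
Review bot: the literal 128 passed for ip6_prefixlen still exports a value that does not come from the DHCPv6 exchange, so anything that reads the variable must know it is not an on-link prefix. Extend the new comment to say so and cite RFC 5942, so the next reader does not restore 64.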
--- a/debian/dhclient-script.linux
+++ b/debian/dhclient-script.linux
@@ -344,9 +344,9 @@
 ;;
 
 BOUND6|RENEW6|REBIND6)
-if [ ${new_ip6_address} ]  [ ${new_ip6_prefixlen} ]; then
+if [ ${new_ip6_address} ]; then
 # set leased IP
-ip -6 addr add ${new_ip6_address}/${new_ip6_prefixlen} \
+ip -6 addr add ${new_ip6_address}/128 \
 dev ${interface} scope global
 fi
 
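
Review bot: `/128` is written out here and again in the DEPREF6 and EXPIRE6|RELEASE6|STOP6 branches; a single variable set once near the top of the script would keep the three ip commands in step. The `# set leased IP` comment could also say why the prefix length is fixed.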
@@ -360,23 +360,19 @@
 ;;
 
 DEPREF6)
-if [ -z ${cur_ip6_prefixlen} ]; then
-exit_with_hooks 2
-fi
-
 # set preferred lifetime of leased IP to 0
-ip -6 addr change ${cur_ip6_address}/${cur_ip6_prefixlen} \
+ip -6 addr change ${cur_ip6_address}/128 \
 dev ${interface} scope global preferred_lft 0
 
 ;;
 
 EXPIRE6|RELEASE6|STOP6)
-if [ -z ${old_ip6_address} ] || [ -z ${old_ip6_prefixlen} ]; then
+if [ -z ${old_ip6_address} ]; then
 exit_with_hooks 2
 fi
 
 # delete leased IP
-ip -6 addr del ${old_ip6_address}/${old_ip6_prefixlen} \
+ip -6 addr del ${old_ip6_address}/128 \
 dev ${interface}
 
 ;;
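
Review bot: in the DEPREF6 branch the whole guard is removed, so `ip -6 addr change ${cur_ip6_address}/128` runs even when cur_ip6_address is empty, whereas the EXPIRE6|RELEASE6|STOP6 branch keeps its `-z ${old_ip6_address}` test. Keep an equivalent check on cur_ip6_address and call exit_with_hooks 2 when it is unset.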


Bug#661885: Acknowledgement (network-manager: Should not take IPv6 prefix length from DHCPv6 client)

2012-08-01 Thread Arne Nordmark

This is reported in network manager upstream as
https://bugzilla.gnome.org/show_bug.cgi?id=656610


A fix was recently committed upstream as 
eb460b70dad82d366d35fa5703c0e79a1389e4d1.


Arne





Bug#661581: Fails to resume from suspend on ASUS P67-M mainboard

2012-04-25 Thread Arne Nordmark

2012-03-01 16:31, Jonathan Nieder wrote:
> tags 661581 = upstream
> forwarded 661581 http://thread.gmane.org/gmane.linux.kernel/1240187/focus=52118
> quit
>
> Arne Nordmark wrote:
>
>> Some newer ASUS mainboards fail to resume from suspend on
>> Linux. Instead the computer immediately restarts a few times, and then
>> does a full boot. This has been traced to an ACPI problem, and a
>> symptom is the kernel messages:
> [...]
>> ACPI Error: [RAMB] Namespace lookup failure, AE_NOT_FOUND (20110623/psargs-359)
>> ACPI Exception: AE_NOT_FOUND, Could not execute arguments for [RAMW] (Region) (20110623/nsinit-349)
>>
>> When applying the commit
>> [...];h=8931d9ea78848b073bf299594f148b83abde4a5e
>> to the current kernel sources from backports, the error messages
>> disappear, and resume functionality is restored.
>
> Thanks.  Was this a regression?
>
> Passed upstream.  Hopefully the fix can be part of the 3.2.y series
> some time soon, so everyone benefits from it.

Looks like this made it into 3.2.16:

...
 drivers/acpi/acpica/acobject.h|1
 drivers/acpi/acpica/dsargs.c  |2
 drivers/acpi/acpica/excreate.c|6 +
...
Lin Ming (1):
  ACPICA: Fix to allow region arguments to reference other scopes
...

> Hope that helps,
> Jonathan

Thanks,
Arne






Bug#661885: network-manager: Should not take IPv6 prefix length from DHCPv6 client

2012-03-02 Thread Arne Nordmark
Package: network-manager
Version: 0.8.1-6+squeeze1
Severity: normal
Tags: ipv6

On my IPv6 network with prefix length 112, network manager sets the IPv6
address on the interface with prefix length 64:

nordmark@ano7:~$ ip -6 addr
2: eth0: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet6 2001:6b0:1:1e90::40:34/64 scope global
   valid_lft forever preferred_lft forever
inet6 fe80::92e6:baff:fe52:723c/64 scope link
   valid_lft forever preferred_lft forever

nordmark@ano7:~$ ip -6 route
2001:6b0:1:1e90::40:0/112 dev eth0  proto kernel  metric 256  expires 86242sec mtu 1500 advmss 1440 hoplimit 0
2001:6b0:1:1e90::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev wlan0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
default via fe80::92e6:baff:fe68:ce8f dev eth0  proto kernel  metric 1024  mtu 1500 advmss 1440 hoplimit 64

Note the correct route with prefix length 112 inserted by the kernel (from
listening to RA), and the wrong route with prefix length 64 caused by
NetworkManager when it set the address.  All addresses that share the 64 bit
prefix but not the 112 bit prefix have become unreachable.

In fact DHCPv6 when giving out addresses does not deal with prefix lengths at
all, and thus the DHCPv6 client has no idea what the prefix length should be.
The ISC DHCPv6 client does in fact return a prefix length to Network Manager,
but it is hard coded to always be 64, and when Network Manager trusts this
information, this bug appears.

In Network Manager, one could always set the address with prefix length 128,
since the correct route will be inserted by the kernel anyway.  I tried
modifying the ISC DHCPv6 client to always return 128 as the prefix length, and
then things work as expected. Alternatively, since Network Manager in fact
listens to RAs, it already has the correct prefix length, and could use that.
Using the DHCPv6 client for the prefix length information is the wrong thing to
do, anyway.

Thanks
Arne



-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages network-manager depends on:
ii  adduser              3.112+nmu2            add and remove users and groups
ii  dbus                 1.2.24-4+squeeze1     simple interprocess messaging syst
ii  isc-dhcp-client      4.1.1-P1-15+squeeze3  ISC DHCP client
ii  libc6                2.11.3-3              Embedded GNU C Library: Shared lib
ii  libdbus-1-3          1.2.24-4+squeeze1     simple interprocess messaging syst
ii  libdbus-glib-1-2     0.88-2.1              simple interprocess messaging syst
ii  libgcrypt11          1.4.5-2               LGPL Crypto library - runtime libr
ii  libglib2.0-0         2.24.2-1              The GLib library of C routines
ii  libgnutls26          2.8.6-1+squeeze1      the GNU TLS library - runtime libr
ii  libgudev-1.0-0       164-3                 GObject-based wrapper library for
ii  libnl1               1.1-6                 library for dealing with netlink s
ii  libnm-glib2          0.8.1-6+squeeze1      network management framework (GLib
ii  libnm-util1          0.8.1-6+squeeze1      network management framework (shar
ii  libpolkit-gobject-1  0.96-4+squeeze1       PolicyKit Authorization API
ii  libuuid1             2.17.2-9              Universally Unique ID library
ii  lsb-base             3.2-23.2squeeze1      Linux Standard Base 3.2 init scrip
ii  udev                 164-3                 /dev/ and hotplug management daemo
ii  wpasupplicant        0.6.10-2.1            client support for WPA and WPA2 (I

Versions of packages network-manager recommends:
ii  dnsmas  2.55-2+b1                           A small caching DNS proxy and DHCP
ii  iptabl  1.4.8-3                             administration tools for packet fi
ii  modemm  0.4+git.20100624t180933.6e79d15-2   D-Bus service for managing modems
ii  policy  0.96-4+squeeze1                     framework for managing administrat
ii  ppp     2.4.5-4                             Point-to-Point Protocol (PPP) - da

Versions of packages network-manager suggests:
ii  avahi-autoipd  0.6.27-2+squeeze1 Avahi IPv4LL network address confi

-- Configuration Files:
/etc/NetworkManager/NetworkManager.conf changed:
[main]
plugins=ifupdown,keyfile
no-auto-default=90:e6:ba:52:72:3c,
[ifupdown]
managed=false


-- no debconf information
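
The effect of the extra /64 route described in the report above, as an added example (not part of the original report and not NetworkManager or kernel code): a longest-prefix-match lookup over the eth0 routes from the `ip -6 route` output. The destination addresses and the second table, which assumes the address is configured with prefix length 128 so that no /64 on-link route exists, are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One routing-table entry; via == NULL means the prefix is on-link. */
struct route {
    const char *prefix;
    int plen;
    const char *via;
};

/* eth0 routes as shown by "ip -6 route" in the report. */
static const struct route reported_table[] = {
    { "2001:6b0:1:1e90::40:0", 112, NULL }, /* from the RA, correct */
    { "2001:6b0:1:1e90::",      64, NULL }, /* side effect of the /64 address */
    { "fe80::",                 64, NULL },
    { "::",                      0, "fe80::92e6:baff:fe68:ce8f" },
};

/* Assumed table when the address is set with prefix length 128:
 * the /64 on-link route is never created. */
static const struct route prefix128_table[] = {
    { "2001:6b0:1:1e90::40:0", 112, NULL },
    { "fe80::",                 64, NULL },
    { "::",                      0, "fe80::92e6:baff:fe68:ce8f" },
};

#define NROUTES(t) (sizeof(t) / sizeof((t)[0]))

/* Compare the first plen bits of two addresses. */
static int prefix_match(const struct in6_addr *a, const struct in6_addr *b,
                        int plen)
{
    int full = plen / 8, rem = plen % 8;

    if (memcmp(a->s6_addr, b->s6_addr, (size_t)full) != 0)
        return 0;
    if (rem) {
        unsigned char mask = (unsigned char)(0xff << (8 - rem));
        if ((a->s6_addr[full] ^ b->s6_addr[full]) & mask)
            return 0;
    }
    return 1;
}

/* Longest-prefix match; returns NULL for a bad address or no route. */
static const struct route *lookup(const struct route *tbl, size_t n,
                                  const char *dst)
{
    struct in6_addr d, p;
    const struct route *best = NULL;
    size_t i;

    if (inet_pton(AF_INET6, dst, &d) != 1)
        return NULL;
    for (i = 0; i < n; i++) {
        if (inet_pton(AF_INET6, tbl[i].prefix, &p) != 1)
            continue;
        if (prefix_match(&d, &p, tbl[i].plen) &&
            (best == NULL || tbl[i].plen > best->plen))
            best = &tbl[i];
    }
    return best;
}

/* Prefix length of the selected route, or -1 if none. */
static int chosen_plen(const struct route *tbl, size_t n, const char *dst)
{
    const struct route *r = lookup(tbl, n, dst);
    return r ? r->plen : -1;
}

/* 1 if the destination is treated as on-link, 0 if sent to a router,
 * -1 if there is no route. */
static int is_onlink(const struct route *tbl, size_t n, const char *dst)
{
    const struct route *r = lookup(tbl, n, dst);
    if (r == NULL)
        return -1;
    return r->via == NULL;
}

int main(void)
{
    /* Constructed destination: same /64 as the host, different /112. */
    const char *other = "2001:6b0:1:1e90::41:5";

    printf("reported table:   /%d, on-link=%d\n",
           chosen_plen(reported_table, NROUTES(reported_table), other),
           is_onlink(reported_table, NROUTES(reported_table), other));
    printf("prefix-128 table: /%d, on-link=%d\n",
           chosen_plen(prefix128_table, NROUTES(prefix128_table), other),
           is_onlink(prefix128_table, NROUTES(prefix128_table), other));
    return 0;
}
```

With the reported table the constructed destination is resolved as a neighbour on eth0 instead of being handed to the default router, which is the unreachability the report describes.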






Bug#661581: Fails to resume from suspend on ASUS P67-M mainboard

2012-03-01 Thread Arne Nordmark

2012-03-01 16:31, Jonathan Nieder wrote:

tags 661581 = upstream
forwarded 661581 http://thread.gmane.org/gmane.linux.kernel/1240187/focus=52118
quit

Arne Nordmark wrote:


Some newer ASUS mainboards fail to resume from suspend on
Linux. Instead the computer immediately restarts a few times, and then
does a full boot. This has been traced to an ACPI problem, and a
symptom is the kernel messages:

[...]

ACPI Error: [RAMB] Namespace lookup failure, AE_NOT_FOUND (20110623/psargs-359)
ACPI Exception: AE_NOT_FOUND, Could not execute arguments for [RAMW] (Region) (20110623/nsinit-349)

When applying the commit
[...];h=8931d9ea78848b073bf299594f148b83abde4a5e
to the current kernel sources from backports, the error messages
disappear, and resume functionality is restored.


Thanks.  Was this a regression?


No. The same problem is found in the squeeze kernel and in 2.6.39 from 
backports, so I think it is safe to say that this has never worked before.


Thanks
Arne



Passed upstream.  Hopefully the fix can be part of the 3.2.y series
some time soon, so everyone benefits from it.

Hope that helps,
Jonathan








Bug#661581: linux-image-3.2.0-0.bpo.1-amd64: Fails to resume from suspend on ASUS P67-M mainboard

2012-02-27 Thread Arne Nordmark

Package: linux-2.6
Version: 3.2.4-1~bpo60+1
Severity: normal
Tags: patch

Some newer ASUS mainboards fail to resume from suspend on
Linux. Instead the computer immediately restarts a few times, and then
does a full boot. This has been traced to an ACPI problem, and a symptom
is the kernel messages:


Feb 19 01:13:55 ano1 kernel: [0.493066] ACPI Error: [RAMB] Namespace lookup failure, AE_NOT_FOUND (20110623/psargs-359)
Feb 19 01:13:55 ano1 kernel: [0.493070] ACPI Exception: AE_NOT_FOUND, Could not execute arguments for [RAMW] (Region) (20110623/nsinit-349)


When applying the commit
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=8931d9ea78848b073bf299594f148b83abde4a5e
to the current kernel sources from backports, the error messages
disappear, and resume functionality is restored.


It would be nice to have this fix in wheezy.

Thanks
Arne

-- Package-specific info:
** Version:
Linux version 3.2.0-0.bpo.1-amd64 (Debian 3.2.4-1~bpo60+1) (nordm...@mech.kth.se) (gcc version 4.4.5 (Debian 4.4.5-8) ) #1 SMP Mon Feb 27 11:19:28 CET 2012

** Command line:
BOOT_IMAGE=/boot/vmlinuz-3.2.0-0.bpo.1-amd64 root=/dev/mapper/part2-root ro enable_mtrr_cleanup quiet


** Tainted: PO (4097)
 * Proprietary module has been loaded.
 * Out-of-tree module has been loaded.

** Kernel log:

Bug#630609: libpam-afs-session: Leaks SIGCHLD to calling process

2011-06-15 Thread Arne Nordmark
Package: libpam-afs-session
Version: 1.7-2
Severity: normal


When using pam_afs_session with local logins for vsftp, a vsftp
process hangs on wait4() shortly after completing pam_setcred(),
hanging the ftp connection.

While running pam, vsftp has a handler for SIGCHLD installed, recording
the signal for the exit of /usr/bin/aklog. The pending signal is then acted
upon later on in vsftp, resulting in a wait4() that has no chance of
completing.

Comparing with other PAM modules, I found that pam_tmpdir also runs a
helper application, but in contrast to pam_afs_session, a default
signal handler for SIGCHLD is installed for the duration of the
fork()-wait().

It seems reasonable that also pam_afs_session should make sure that a
signal handler for SIGCHLD from the calling process is not triggered
by the running of aklog.

Thanks
Arne

-- System Information:
Debian Release: 6.0.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-afs-session depends on:
ii  libc6           2.11.2-10     Embedded GNU C Library: Shared lib
ii  libkrb5-3       1.8.3+dfsg-4  MIT Kerberos runtime libraries
ii  libpam-runtime  1.1.1-6.1     Runtime support for the PAM librar
ii  libpam0g        1.1.1-6.1     Pluggable Authentication Modules l

Versions of packages libpam-afs-session recommends:
ii  heimdal-cl 1.4.0~git20100726.dfsg.1-1+b1 Heimdal Kerberos - clients
ii  libpam-krb 4.3-1 PAM module for MIT Kerberos
ii  openafs-cl 1.4.12.1+dfsg-4   AFS distributed filesystem client 
ii  openafs-kr 1.4.12.1+dfsg-4   AFS distributed filesystem Kerbero

libpam-afs-session suggests no packages.

-- no debconf information
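
The isolation the report asks for, as an added example (not code from pam_afs_session, pam_tmpdir or vsftpd): a helper is forked and reaped once with the caller's SIGCHLD handler left in place, and once with the default disposition installed for the duration of the fork()-wait(). The handler, the function names and the child that simply exits in place of aklog are assumptions made for the demonstration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the calling daemon's handler (hypothetical): it only
 * records that a child exited, to be acted on later with a wait call. */
static volatile sig_atomic_t caller_sigchld_seen = 0;

static void caller_sigchld_handler(int signo)
{
    (void)signo;
    caller_sigchld_seen++;
}

/* Install the stand-in handler, as a daemon would before calling PAM. */
static int install_caller_handler(void)
{
    struct sigaction sa;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = caller_sigchld_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    caller_sigchld_seen = 0;
    return sigaction(SIGCHLD, &sa, NULL);
}

/* 1 if the caller's handler is the current SIGCHLD disposition. */
static int caller_handler_installed(void)
{
    struct sigaction cur;

    if (sigaction(SIGCHLD, NULL, &cur) < 0)
        return 0;
    return cur.sa_handler == caller_sigchld_handler;
}

/* Fork a helper and reap it. The child just exits with helper_status;
 * a real module would exec its helper (aklog in the report) here. */
static int fork_and_reap(int helper_status)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(helper_status);
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Leaky variant: the caller's handler stays installed, so it records the
 * exit of a child the caller never started and that is already reaped. */
static int run_helper_leaky(int helper_status)
{
    return fork_and_reap(helper_status);
}

/* Isolated variant: SIGCHLD is set to SIG_DFL around the fork()-wait()
 * and the caller's disposition is restored afterwards. With SIG_DFL an
 * unblocked SIGCHLD is discarded, so nothing is left for the caller. */
static int run_helper_isolated(int helper_status)
{
    struct sigaction dfl, saved;
    int rc;

    memset(&dfl, 0, sizeof(dfl));
    dfl.sa_handler = SIG_DFL;
    sigemptyset(&dfl.sa_mask);
    if (sigaction(SIGCHLD, &dfl, &saved) < 0)
        return -1;
    rc = fork_and_reap(helper_status);
    if (sigaction(SIGCHLD, &saved, NULL) < 0)
        return -1;
    return rc;
}

int main(void)
{
    if (install_caller_handler() < 0)
        return 1;
    run_helper_isolated(0);
    printf("isolated: caller saw %d SIGCHLD\n", (int)caller_sigchld_seen);
    run_helper_leaky(0);
    printf("leaky:    caller saw %d SIGCHLD\n", (int)caller_sigchld_seen);
    return 0;
}
```

In the leaky run the caller's handler fires for a child that has already been reaped, so a later wait on its behalf has nothing to collect, which matches the hang on wait4() described in the report.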






Bug#629129: dovecot-imapd: Aborted SASL authentication results in 5s delay

2011-06-03 Thread Arne Nordmark

Package: dovecot-imapd
Version: 1:1.2.15-7
Severity: normal

This seems to be a regression from lenny, and was found to be the
source of the IMP4 web mail system becoming essentially unusable,
since the 5s delay hits just about any operation in the web mail system.

In this case dovecot imapd announces GSSAPI and PLAIN authentication
methods to an imap client using the libc-client library. The libc-client code
first starts using GSSAPI without first checking for a Kerberos
ticket cache, and when later the ticket cache is found not to exist,
aborts the authentication and tries with PLAIN instead. At this point
squeeze imapd delays for 5s. This does not happen when using the same
client against a lenny imapd.

This was reported upstream and fixed in
http://hg.dovecot.org/dovecot-1.2/rev/e7721f67688a.

Upstream states this problem is not present in dovecot 2.0, so this
report is for the (slim) possibility of having a stable update.

Thanks
Arne

-- System Information:
Debian Release: 6.0.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash






Bug#610071: grub-pc postinst loops when running non-interactive with multiple devices

2011-01-15 Thread Arne Nordmark
Package: grub-pc
Version: 1.98+20100804-13
Severity: normal

Because of #601141,
grub-pc postinst will always ask for devices to install, when
installed on multiple devices. When doing non-interactive parallel
upgrades (in my case using pdsh), this causes the upgrade process to
stop at that point. However, when the connection is broken, the
postinst goes into an infinite loop instead of terminating. Example:
init(1)-+-aptitude(19983)-+-dpkg(20327)---frontend(25206)---grub-pc.postins(25226)---grub-pc.postins(10661)-+-grub-pc.postins(10662+
| | 
`-sort(10663)
| `-{aptitude}(19984)


The top level grub-pc.postinst repeatedly forks new processes, leading
to high load and a need to manually clean these processes on every
computer.

Arne

  -- Package-specific info:

*** BEGIN /proc/mounts
/dev/mapper/all-root / ext4 rw,relatime,errors=remount-ro,barrier=1,data=ordered 0 0
/dev/mapper/all-cache /var/cache/openafs ext4 rw,relatime,barrier=1,data=ordered 0 0
*** END /proc/mounts

*** BEGIN /boot/grub/device.map
(hd0)   /dev/disk/by-id/ata-ST380815AS_6RACVTL9
(hd1)   /dev/disk/by-id/ata-ST380815AS_6RACZGS1
(hd2)   /dev/disk/by-id/ata-ST3400620NS_9QG462BX
(hd3)   /dev/disk/by-id/ata-ST3400620NS_9QH09QTE
*** END /boot/grub/device.map

*** BEGIN /boot/grub/grub.cfg

Bug#594884: pdsh: gender expression support broken

2010-08-30 Thread Arne Nordmark
Package: pdsh
Version: 2.18-6
Severity: normal

Support for gender expressions seems broken:

kaipak[nordmark]~ pdsh -g 'debian=lennyws' uname -v
p...@kaipak: no remote hosts specified

On the other hand:
kaipak[nordmark]~ nodeattr -c 'debian=lennyws'
alpboden,aneto,annapurna,anzer,ararat,baldy,caa1,caa2,caa3,caa4,caa5,caa6,clisham,cook,damavand,dampier,deedee,dexter,dhaulagiri,dundret,eidsfjell,elbrus,etna,falketind,frostisen,fuji,furka,gasherbrum,gausta,glittertind,graham,grytfoten,hicks,jannu,kandel,karhorn,kyrkja,lhotse,makalu,mana,manaslu,mandark,maudit,merrick,musala,nona,paradiso,saipal,schauinsland,seekopf,shafberg,sikaram,skagsnebb,skala,snowdon,spare1,spare2,spare3,spare4,spare5,storsylen,susten,terminal1,terminal2,terminal3,terminal4,tour,valluga,vesuvio

Nothing more complicated than the simple syntax:
-g attr[=val][,attr[=val],...]
seems to work.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pdsh depends on:
ii  debconf [debc 1.5.35 Debian configuration management sy
ii  genders   1.14-2 cluster configuration management d
ii  heimdal-clien 1.4.0~git20100726.dfsg.1-1 Heimdal Kerberos - clients
ii  libc6 2.11.2-2   Embedded GNU C Library: Shared lib
ii  libgenders0   1.14-2 C library for parsing and querying
ii  libltdl7  2.2.6b-2   A system independent dlopen wrappe
ii  openssh-clien 1:5.5p1-4  secure shell (SSH) client, for sec
ii  perl  5.10.1-14  Larry Wall's Practical Extraction 

pdsh recommends no packages.

pdsh suggests no packages.

-- debconf information:
  pdsh/setuidroot: false






Bug#588234: GNUTLS and threads are considered incompatible

2010-08-05 Thread Arne Nordmark

Consider the check in config-scripts/cups-ssl.m4:

if test x$have_pthread = xyes; then
AC_MSG_WARN([The current version of GNU TLS cannot be made thread-safe.])
else
have_ssl=1


From the build log:

checking for libgnutls-config... no
checking for libgcrypt-config... /usr/bin/libgcrypt-config
configure: WARNING: The current version of GNU TLS cannot be made thread-safe.


Changing the configure options to --disable-threads gives instead:

checking for libgnutls-config... no
checking for libgcrypt-config... /usr/bin/libgcrypt-config
Using SSLLIBS=-lgnutls   -lgcrypt
Using SSLFLAGS=  

and the resulting binaries indeed support TLS again.

This seems to be the same issue as 590610.

Thanks
Arne






Bug#588234: cups: TLS support missing

2010-07-06 Thread Arne Nordmark
Package: cups
Version: 1.4.4-1
Severity: normal


As of the latest squeeze version, TLS support seems to be gone.

/var/log/cups/error_log:
E [06/Jul/2010:07:52:39 +0200] Unknown directive ServerCertificate on line 142.
E [06/Jul/2010:07:52:39 +0200] Unknown directive ServerKey on line 143.
E [06/Jul/2010:11:57:21 +0200] Bad request line  from ano6.mech.kth.se!

The last line comes when trying to connect using https://.

The same setup worked fine for the previous squeeze version.

Arne

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cups depends on:
ii  adduser                3.112             add and remove users and groups
ii  bc                     1.06.95-2         The GNU bc arbitrary precision cal
ii  cups-client            1.4.4-1           Common UNIX Printing System(tm) -
ii  cups-common            1.4.4-1           Common UNIX Printing System(tm) -
ii  debconf [debconf-2.0]  1.5.32            Debian configuration management sy
ii  ghostscript            8.71~dfsg2-3      The GPL Ghostscript PostScript/PDF
ii  libavahi-client3       0.6.25-4          Avahi client library
ii  libavahi-common3       0.6.25-4          Avahi common library
ii  libc6                  2.11.2-2          Embedded GNU C Library: Shared lib
ii  libcups2               1.4.4-1           Common UNIX Printing System(tm) -
ii  libcupscgi1            1.4.4-1           Common UNIX Printing System(tm) -
ii  libcupsdriver1         1.4.4-1           Common UNIX Printing System(tm) -
ii  libcupsimage2          1.4.4-1           Common UNIX Printing System(tm) -
ii  libcupsmime1           1.4.4-1           Common UNIX Printing System(tm) -
ii  libcupsppdc1           1.4.4-1           Common UNIX Printing System(tm) -
ii  libdbus-1-3            1.2.24-1          simple interprocess messaging syst
ii  libgcc1                1:4.4.4-6         GCC support library
ii  libgssapi-krb5-2       1.8.1+dfsg-5      MIT Kerberos runtime libraries - k
ii  libijs-0.35            0.35-7            IJS raster image transport protoco
ii  libkrb5-3              1.8.1+dfsg-5      MIT Kerberos runtime libraries
ii  libldap-2.4-2          2.4.17-2.1        OpenLDAP libraries
ii  libpam0g               1.1.1-3           Pluggable Authentication Modules l
ii  libpaper1              1.1.24            library for handling paper charact
ii  libpoppler5            0.12.4-1          PDF rendering library
ii  libslp1                1.2.1-7.7         OpenSLP libraries
ii  libstdc++6             4.4.4-6           The GNU Standard C++ Library v3
ii  libusb-0.1-4           2:0.1.12-15       userspace USB programming library
ii  lsb-base               3.2-23.1          Linux Standard Base 3.2 init scrip
ii  perl-modules           5.10.1-13         Core Perl modules
ii  poppler-utils          0.12.4-1          PDF utilitites (based on libpopple
ii  procps                 1:3.2.8-9         /proc file system utilities
ii  ssl-cert               1.0.25            simple debconf wrapper for OpenSSL
ii  ttf-freefont           20090104-7        Freefont Serif, Sans and Mono True
ii  zlib1g                 1:1.2.3.4.dfsg-3  compression library - runtime

Versions of packages cups recommends:
ii  cups-driver-gutenprint  5.2.5-1         printer drivers for CUPS
ii  foomatic-filters        4.0-20090509-1  OpenPrinting printer support - fil
ii  ghostscript-cups        8.71~dfsg2-3    The GPL Ghostscript PostScript/PDF

Versions of packages cups suggests:
ii  cups-bsd                 1.4.4-1           Common UNIX Printing System(tm) -
pn  cups-pdf                 <none>            (no description available)
ii  cups-ppdc                1.4.4-1           Common UNIX Printing System(tm) -
ii  foomatic-db              20090616-1        OpenPrinting printer support - dat
ii  foomatic-db-engine       4.0-20090509-2.1  OpenPrinting printer support - pro
ii  hplip                    3.10.5-1          HP Linux Printing and Imaging Syst
pn  smbclient                <none>            (no description available)
ii  udev                     158-1             /dev/ and hotplug management daemo
pn  xpdf-korean | xpdf-japa  <none>            (no description available)

-- Configuration Files:
/etc/cups/cupsd.conf changed:
LogLevel warn
MaxLogSize 0
SystemGroup lpadmin
Listen 631
Listen /var/run/cups/cups.sock
Browsing On
BrowseOrder allow,deny
BrowseAllow all
BrowseLocalProtocols CUPS dnssd
BrowseAddress anobhs-bcast.mech.kth.se
BrowseAddress bcast.bockholm.net
BrowseAddress 130.237.233.216
BrowseRelay ano4.mech.kth.se anobhs-bcast.mech.kth.se
BrowseRelay ano4.mech.kth.se bcast.bockholm.net
DefaultAuthType Basic
<Location />
  Order allow,deny
  Allow localhost
  Allow From 130.237.233.208/28
  Allow From 130.237.233.224/29
  Allow From 172.17.2.0/24
</Location>

Bug#587602: sendmail-base: update_tls should check for tls in submit.mc too.

2010-06-30 Thread Arne Nordmark
Package: sendmail-base
Version: 8.14.3-5+lenny1
Severity: wishlist

update_tls scans sendmail.mc for a line like
include(`/etc/mail/tls/starttls.m4')dnl
and if not found, a warning message is printed and /etc/mail/tls/starttls.m4
is overwritten.

We use only the submit portion of sendmail, with client certificate
authentication to a mail hub. Now we have to add the line to sendmail.mc,
even though this file is not used for anything else.

If update_tls could additionally check submit.mc for the line, and set REFD=1
also in that case, we would not have to make any changes to sendmail.mc at all.

Thanks
Arne

-- Package-specific info:
Ouput of /usr/share/bug/sendmail-base/script:


Bug#574555: BUG: scheduling while atomic: irq/11-b43/2018/0x00000101

2010-06-23 Thread Arne Nordmark

Ben Hutchings wrote:
> On Fri, 2010-06-18 at 16:40 +0200, Arne Nordmark wrote:
>> My problem seems related to those in Ubuntu report #55 
>> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/55. If I 
>> unload the 3c59x module, I can no longer reproduce this problem, and 
>> wireless is stable. With the 3c59x module loaded, b43 wireless is 
>> essentially unusable, since the machine will reliably lock up.
>
> I've attached two patches which together may fix this problem, but they
> involve quite major changes to the driver.  I do not have any hardware
> of this type which I could use to test them.

Indeed, I can no longer reproduce the problem with these patches 
applied. Both wired (3c59x) and wireless (b43) can now handle GB 
transfers, which is about 100x more than was typically needed to trigger 
the problem for wireless.

I now question my judgement in reporting my problem on an existing bug 
report, as the resolution does not fit the original reporter's 
description (no 3c59x module loaded).

> Please could you follow the instructions at
> http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official
> to build a package with these changes included, then test whether these
> changes fix the problem for you and keep the wired network card working.

Since that section is very explicit in mentioning dependencies, may I 
point out that the test-patches script relies on commands (dch at 
least) from the devscripts package.

> Ben.

Thanks
Arne



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#574555: BUG: scheduling while atomic: irq/11-b43/2018/0x00000101

2010-06-18 Thread Arne Nordmark
My problem seems related to those in Ubuntu report #55 
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/55. If I 
unload the 3c59x module, I can no longer reproduce this problem, and 
wireless is stable. With the 3c59x module loaded, b43 wireless is 
essentially unusable, since the machine will reliably lock up.


Arne






Bug#574555: BUG: scheduling while atomic: irq/11-b43/2018/0x00000101

2010-05-09 Thread Arne Nordmark
ext3 jbd mbcache sd_mod crc_t10dif ata_generic uhci_hcd ata_piix ehci_hcd video libata 3c59x usbcore output floppy button mii nls_base
scsi_mod thermal fan thermal_sys [last unloaded: scsi_wait_scan]
May  8 09:35:48 dhcp190 kernel: [ 1830.65] Pid: 2018, comm: irq/11-b43 Not tainted 2.6.32-5-686 #1
May  8 09:35:48 dhcp190 kernel: [ 1830.644452] Call Trace:
May  8 09:35:48 dhcp190 kernel: [ 1830.644479]  [c1267c45] ? schedule+0x7e/0x7dc
May  8 09:35:48 dhcp190 kernel: [ 1830.644550]  [d0beda88] ? ieee80211_invoke_rx_handlers+0x12e7/0x1970 [mac80211]
May  8 09:35:48 dhcp190 kernel: [ 1830.644580]  [d09461aa] ? vortex_timer+0x0/0x1f3 [3c59x]
May  8 09:35:48 dhcp190 kernel: [ 1830.644608]  [c106d4ce] ? synchronize_irq+0x89/0x9b
May  8 09:35:48 dhcp190 kernel: [ 1830.644631]  [c10445ce] ? autoremove_wake_function+0x0/0x2d
May  8 09:35:48 dhcp190 kernel: [ 1830.644650]  [d09461cf] ? vortex_timer+0x25/0x1f3 [3c59x]
May  8 09:35:48 dhcp190 kernel: [ 1830.644671]  [d09461aa] ? vortex_timer+0x0/0x1f3 [3c59x]
May  8 09:35:48 dhcp190 kernel: [ 1830.644689]  [c103b56c] ? run_timer_softirq+0x16a/0x1eb
May  8 09:35:48 dhcp190 kernel: [ 1830.644709]  [c1035e8c] ? __do_softirq+0xaa/0x151
May  8 09:35:48 dhcp190 kernel: [ 1830.644721]  [c1035f64] ? do_softirq+0x31/0x3c
May  8 09:35:48 dhcp190 kernel: [ 1830.644733]  [c10360cf] ? _local_bh_enable_ip+0x63/0x6e
May  8 09:35:48 dhcp190 kernel: [ 1830.644792]  [d0df490f] ? b43_rx+0x434/0x456 [b43]
May  8 09:35:48 dhcp190 kernel: [ 1830.644816]  [d0df4208] ? b43_attr_interfmode_store+0xc5/0xe9 [b43]
May  8 09:35:48 dhcp190 kernel: [ 1830.644843]  [d0df86e3] ? op32_fill_descriptor+0x2a/0x8b [b43]
May  8 09:35:48 dhcp190 kernel: [ 1830.644868]  [d0df80a0] ? b43_dma_rx+0x211/0x283 [b43]
May  8 09:35:48 dhcp190 kernel: [ 1830.644891]  [d0de9d1f] ? b43_do_interrupt_thread+0x3fa/0x4cb [b43]
May  8 09:35:48 dhcp190 kernel: [ 1830.644914]  [d0de9e05] ? b43_interrupt_thread_handler+0x15/0x27 [b43]
May  8 09:35:48 dhcp190 kernel: [ 1830.644929]  [c106ce05] ? irq_thread+0xc4/0x1a5
May  8 09:35:48 dhcp190 kernel: [ 1830.644955]  [c10252de] ? complete+0x28/0x36
May  8 09:35:48 dhcp190 kernel: [ 1830.644967]  [c106cd41] ? irq_thread+0x0/0x1a5
May  8 09:35:48 dhcp190 kernel: [ 1830.644979]  [c104439c] ? kthread+0x61/0x66
May  8 09:35:48 dhcp190 kernel: [ 1830.644991]  [c104433b] ? kthread+0x0/0x66
May  8 09:35:48 dhcp190 kernel: [ 1830.645012]  [c1003d47] ? kernel_thread_helper+0x7/0x10



Arne Nordmark






Bug#575033: general: The button shutdown dont shutdown the machine, only show me the login window.

2010-03-23 Thread Arne Nordmark

Sounds like bug #548120.

Arne






Bug#574111: E: main.c: Failed to create '/tmp/pulse-$USER': Permission denied

2010-03-20 Thread Arne Nordmark
After rebuilding libpulsecore5 0.9.10-3+lenny2  from source on amd64, 
pulseaudio now works for me again. Maybe the build environment for the 
security update was broken?


Arne






Bug#573277: Assertion error in pdsh when using genders

2010-03-10 Thread Arne Nordmark
Package: pdsh
Version: 2.16-1
Severity: normal

Running pdsh using a /etc/genders file results in an assertion error:

kaipak[nordmark]~ pdsh -a uptime
pdsh: list.c:288: list_count: Assertion `l != ((void *)0)' failed.
pdsh: list.c:288: list_count: Assertion `l != ((void *)0)' failed.

Running with an explicit list instead works:

kaipak[nordmark]~ pdsh -w`nodeattr -c ~nonexistentattr` -R ssh uptime

(is there a better way to get all hosts in /etc/genders?)

The funny thing is that the assertion error is only seen when the pdsh
command is run from certain hosts (all running up-to-date lenny). It
is however consistent, in that the error occurs on a particular host
either all the time, or never.

The error does not seem to depend on the contents of the /etc/genders
file. Even a single line like:
hostname pdsh_rcmd_type=ssh
triggers the error. The command nodeattr -k shows no error in the
/etc/genders file.

Recompiling the 2.18-5 version from sid shows no change in this behavior.


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages pdsh depends on:
ii  debconf [debconf-2.0]     1.5.24           Debian configuration management sy
ii  genders                   1.11-1-1         cluster configuration management d
ii  heimdal-clients [rsh-cli  1.2.dfsg.1-2.1   Heimdal Kerberos - clients
ii  libc6                     2.7-18lenny2     GNU C Library: Shared libraries
ii  libgenders0               1.11-1-1         C library for parsing and querying
ii  openssh-client [rsh-clie  1:5.1p1-5        secure shell client, an rlogin/rsh
ii  perl                      5.10.0-19lenny2  Larry Wall's Practical Extraction

pdsh recommends no packages.

pdsh suggests no packages.

-- debconf information:
  pdsh/setuidroot: false






Bug#410280: Seems OK in etch

2008-09-01 Thread Arne Nordmark
I can no longer reproduce this in etch (v 1.1-3), so this issue seems to 
be fixed.


Thanks,
Arne






Bug#380730: Seems to be fixed in lenny

2008-09-01 Thread Arne Nordmark

Hello,

I can no longer reproduce this problem in lenny (v 0.2.3-2), so this 
problem may be fixed.


Thanks,
Arne






Bug#410280: Err... seems OK in lenny, that should be.

2008-09-01 Thread Arne Nordmark

Sorry, The previous message should refer to lenny.

Arne






Bug#408219: ntpd giving up on eth0 before it is initialized

2007-10-02 Thread Arne Nordmark

> I wrote:
>
>> I ran into this problem with eth1, my WLAN card. I found that
>> by moving the script from /etc/dhcp3/dhclient-enter-hooks.d to
>> /etc/dhcp3/dhclient-exit-hooks.d it is now executed at the
>> correct phase, after the interface has been given addresses.
>
> Except ... scripts from that location aren't run when the dhcp
> is invoked the very first time, only on subsequent invocations...

Is this so? At least on etch, the /etc/dhcp3/dhclient-script ends with 
the line

exit_with_hooks 0

and on my system, exit hooks seem to run at startup time. It seems 
correct to run ntp_servers_setup_add at exit hook time, and possibly 
keep ntp_servers_setup_remove running at enter hook time.

> --
> Aleksi Suhonen

Arne Nordmark







Bug#443319: Patch suggestion

2007-09-24 Thread Arne Nordmark

I encountered the same problem.

Maybe the attached patch could be used?

Arne
--- sendmail-8.13.8/sendmail/srvrsmtp.c	2007-09-24 15:46:20.0 +0200
+++ build-tree/sendmail-8.13.8/sendmail/srvrsmtp.c	2007-09-24 15:47:01.0 +0200
@@ -1552,7 +1552,7 @@
 break;
 			}
 
-			if (ismore)
+			if (ismore  !(strlen(q)==1  q[0]=='='))
 			{
 /* could this be shorter? XXX */
 # if SASL = 2
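Review bot: the added condition on the + line, as archived, has no operators between ismore, the negated group, and the two tests inside it, so it does not compile as shown; presumably each gap was && before the archive dropped it, and the patch should be re-sent as an attachment to confirm. Assuming that, the lone "=" test would read more directly as strcmp(q, "=") == 0 than as strlen(q)==1 plus q[0]=='=', and it needs a short comment saying why a response consisting only of "=" must skip the ismore branch, since nothing in the hunk explains it. The hunk also does not show whether q can be NULL at this point, which strlen(q) would not survive.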


Bug#443233: geneweb: Action in logrotate file does not work

2007-09-19 Thread Arne Nordmark

Subject: geneweb: Action in logrotate file does not work
Package: geneweb
Version: 4.10-25
Severity: normal

*** Please type your report below this line ***
/etc/logrotate.d/geneweb contains the lines

postrotate
invoke-rc.d force-reload /dev/null

which leads to the error

/etc/cron.daily/logrotate:
invoke-rc.d: syntax error: missing required parameter
error: error running postrotate script for /var/log/geneweb.log
run-parts: /etc/cron.daily/logrotate exited with return code 1

Clearly the line should read

invoke-rc.d geneweb force-reload /dev/null

instead.

Thanks,
Arne

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)






Bug#413194: libneon26: Subversion does not work with Kerberos authentication

2007-03-02 Thread Arne Nordmark

Subject: libneon26: Subversion does not work with Kerberos authentication
Package: libneon26
Version: 0.26.2-3.1
Severity: normal

*** Please type your report below this line ***

Trying subversion with a valid Kerberos ticket:

[EMAIL PROTECTED]:~$ svn list https://www2.mech.kth.se/svn/simson
svn: PROPFIND request failed on '/svn/simson'
svn: PROPFIND of '/svn/simson': 207 Multi-Status (https://www2.mech.kth.se)

This seems to be a known issue with libneon26, see
http://www.lyra.org/pipermail/neon/2007-February/002386.html and the
suggested patch in the reply.

Applying the patch below indeed solves the problem.

Thank you
Arne Nordmark

--- neon26-0.26.2/src/ne_auth.c 2007-03-03 07:35:07.0 +0100
+++ ne_auth.c   2007-03-03 07:32:18.0 +0100
@@ -516,7 +516,7 @@
 char *sep, *ptr = strchr(duphdr, ' ');
 int ret;

-if (strncmp(hdr, Negotiate, ptr - hdr) != 0) {
+if (strncmp(hdr, Negotiate, ptr - duphdr) != 0) {
 NE_DEBUG(NE_DBG_HTTPAUTH, gssapi: Not a Negotiate response!\n);
 ne_free(duphdr);
 return NE_ERROR;
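Review bot: ptr is taken from strchr(duphdr, ' ') and then used in ptr - duphdr with no NULL check visible in this hunk, so a header value without a space makes the length passed to strncmp undefined; check ptr before the comparison and return NE_ERROR on NULL. Bounding the comparison by the length of the first token also means any shorter prefix of the Negotiate literal compares equal, so the token length should additionally be compared against the literal's length. Since the length now comes from duphdr while the compared string is still hdr, comparing duphdr itself would keep the two consistent.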

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libneon26 depends on:
ii  libc6     2.3.6.ds1-11                     GNU C Library: Shared libraries
ii  libcomer  1.39+1.40-WIP-2006.11.14+dfsg-1  common error description library
ii  libkrb53  1.4.4-6                          MIT Kerberos runtime libraries
ii  libssl0.  0.9.8c-4                         SSL shared libraries
ii  libxml2   2.6.27.dfsg-1                    GNOME XML library
ii  zlib1g    1:1.2.3-13                       compression library - runtime

libneon26 recommends no packages.

-- no debconf information





Bug#397793: Should be merged with #412061 (and thus closed)

2007-02-28 Thread Arne Nordmark
I believe that this is the same issue as 412061.

If that is the case, the bugs should be merged.

Thank you for your work.
Arne





Bug#410280: heimdal-clients: kpagsh fails to start - problem with deducing cache type?

2007-02-09 Thread Arne Nordmark
Package: heimdal-clients
Version: 0.7.2.dfsg.1-9
Severity: normal

After  logging in using GDM and the libpam-krb5 PAM module,
the ccache env variable is set to

KRB5CCNAME=/tmp/krb5cc_1015_snP3CL

lognan[nordmark]~ klist
Credentials cache: FILE:/tmp/krb5cc_1015_snP3CL
Principal: [EMAIL PROTECTED]

  Issued   Expires  Principal
Feb  9 09:57:28  Feb 11 09:57:28  krbtgt/[EMAIL PROTECTED]
Feb  9 09:57:28  Feb 11 09:57:28  afs/[EMAIL PROTECTED]

Now try kpagsh:

lognan[nordmark]~ kpagsh
kpagsh: Failed getting ops for /tmp/krb5cc_1015_snP3CL credential cache: Success

and no new shell is started.

However, this works:

lognan[nordmark]~ kpagsh --cache-type=FILE

and this also (note FILE:):
lognan[nordmark]~ KRB5CCNAME=FILE:/tmp/krb5cc_1015_snP3CL
lognan[nordmark]~ kpagsh

It seems like kpagsh has a problem deducing the cache type from the
original setting of the KRB5CCNAME variable, and simply refuses to start.

Thanks
Arne

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages heimdal-clients depends on:
ii  krb5-config          1.12                  Configuration files for Kerberos V
ii  libasn1-6-heimdal    0.7.2.dfsg.1-9        Libraries for Heimdal Kerberos
ii  libc6                2.3.6.ds1-10          GNU C Library: Shared libraries
ii  libdb4.2             4.2.52+dfsg-1         Berkeley v4.2 Database Libraries [
ii  libedit2             2.9.cvs.20050518-2.2  BSD editline and history libraries
ii  libgssapi4-heimdal   0.7.2.dfsg.1-9        Libraries for Heimdal Kerberos
ii  libhdb7-heimdal      0.7.2.dfsg.1-9        Libraries for Heimdal Kerberos
ii  libhesiod0           3.0.2-18.1            Libraries for hesiod, a service na
ii  libkadm5clnt4-heimd  0.7.2.dfsg.1-9        Libraries for Heimdal Kerberos
ii  libkadm5srv7-heimda  0.7.2.dfsg.1-9        Libraries for Heimdal Kerberos
ii  libkafs0-heimdal     0.7.2.dfsg.1-9        Libraries for Heimdal Kerberos
ii  libkrb5-17-heimdal   0.7.2.dfsg.1-9        Libraries for Heimdal Kerberos
ii  libldap2             2.1.30-13.2           OpenLDAP libraries
ii  libncurses5          5.5-5                 Shared libraries for terminal hand
ii  libotp0-heimdal      0.7.2.dfsg.1-9        Libraries for Heimdal Kerberos
ii  libroken16-heimdal   0.7.2.dfsg.1-9        Libraries for Heimdal Kerberos
ii  libsl0-heimdal       0.7.2.dfsg.1-9        Libraries for Heimdal Kerberos
ii  libssl0.9.8          0.9.8c-4              SSL shared libraries

heimdal-clients recommends no packages.

-- no debconf information





Bug#400959: libpam-openafs-session: setuid() should not be called in current (parent) process

2006-11-29 Thread Arne Nordmark
Package: libpam-openafs-session
Version: 1.0-6
Severity: normal

In pam_close_session(), one finds

if(setuid(UID) < 0) {

called in the current process. 

This breaks for example gdm, which can no longer control the X server during 
logout, and it subsequently complains about :0 being busy.

If k_unlog() must be called as the PAM user, one should fork() and call 
setuid() in the child process.

This old bug did not manifest itself earlier because of #399013.

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
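
The fork-then-setuid arrangement suggested in this report, as an added example (not code from libpam-openafs-session). The helper run_as_user(), the task callback type and the sample task are hypothetical names; a real module would do its k_unlog() work inside the task.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define RUN_FAILED  (-1)   /* fork/wait failed or the child died abnormally */
#define DROP_FAILED (-2)   /* the child could not switch to the target user */
#define EXIT_DROP   126    /* private exit code the child uses for DROP_FAILED */

/* Hypothetical callback type: the work to do as the target user.
 * It should return 0..125; other values are clamped to 125. */
typedef int (*task_fn)(void *arg);

/* Run task(arg) in a child process that has switched to uid/gid.
 * The calling process never changes its own credentials, so a caller
 * such as a display manager keeps whatever privileges it had. */
int run_as_user(uid_t uid, gid_t gid, task_fn task, void *arg)
{
    int status, rc;
    pid_t pid, r;

    pid = fork();
    if (pid < 0)
        return RUN_FAILED;

    if (pid == 0) {
        /* Child only. Group first, then user: after setuid() the process
         * may no longer be allowed to change its gid. A module running as
         * root would also reset supplementary groups (initgroups()) here. */
        if (setgid(gid) < 0 || setuid(uid) < 0)
            _exit(EXIT_DROP);
        /* Never continue on a partial drop. */
        if (getuid() != uid || geteuid() != uid)
            _exit(EXIT_DROP);
        rc = task(arg);
        /* _exit(): do not flush stdio buffers inherited from the parent. */
        _exit((rc >= 0 && rc < EXIT_DROP) ? rc : EXIT_DROP - 1);
    }

    /* Parent: reap the child, retrying if a signal interrupts the wait. */
    do {
        r = waitpid(pid, &status, 0);
    } while (r < 0 && errno == EINTR);

    if (r < 0 || !WIFEXITED(status))
        return RUN_FAILED;
    if (WEXITSTATUS(status) == EXIT_DROP)
        return DROP_FAILED;
    return WEXITSTATUS(status);
}

/* Sample task: succeeds only if it really runs as the expected uid. */
int uid_matches(void *arg)
{
    uid_t expected = *(uid_t *)arg;
    return (getuid() == expected && geteuid() == expected) ? 0 : 1;
}

int main(void)
{
    uid_t before = getuid();
    uid_t target = getuid();   /* constructed input: own uid works without root */
    int rc = run_as_user(target, getgid(), uid_matches, &target);

    printf("task rc=%d, caller uid before=%ld after=%ld\n",
           rc, (long)before, (long)getuid());
    return rc == 0 ? 0 : 1;
}
```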





Bug#395315: Issue seems to be solved in 3.0.23d-1

2006-11-28 Thread Arne Nordmark
The code now uses NULL as the cleanup function in pam_set_data().

I recommend closing this bug.

Thanks
Arne





Bug#399013: libpam-openafs-session: The test for when to run unlog is reversed

2006-11-16 Thread Arne Nordmark
Package: libpam-openafs-session
Version: 1.0-5.1
Severity: normal


In pam_sm_close_session() in pam_openafs-krb5_sess.c, one finds the test

  if (!pam_get_data (pamh, "aklog_run", &data) ) {
    DLOG ("pam_close_session", "Aklog never run so not running unlog");
    return PAM_SUCCESS;
  }

However, pam_get_data() returns PAM_SUCCESS (a.k.a. 0) when the data is found,
which means that this test does the opposite of what was intended.

For example, a user su:ing to a user without a Kerberos password will find
his tokens removed upon exit from su.

The test should be written

  if (pam_get_data (pamh, "aklog_run", &data) != PAM_SUCCESS) {

In pam_sm_open_session() one finds

  if ( pam_get_data (pamh, "aklog_run", &test_data) == 0) {
    DLOG ("pM_open_session", "aklog already run");
    return PAM_SUCCESS;
  }

This test does come out right, but 0 should be replaced by PAM_SUCCESS
for clarity.

Thanks
Arne

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libpam-openafs-session depends on:
ii  libc6           2.3.6.ds1-7  GNU C Library: Shared libraries
ii  libpam-krb5     2.5-1        PAM module for MIT Kerberos
ii  openafs-client  1.4.2-2      AFS distributed filesystem client
ii  openafs-krb5    1.4.2-2      AFS distributed filesystem Kerbero

libpam-openafs-session recommends no packages.

-- no debconf information





Bug#397793: login: Should /bin/su really call pam_end() in child before exec()?

2006-11-09 Thread Arne Nordmark
Package: login
Version: 1:4.0.18.1-5
Severity: minor

From src/su.c:

    child = fork ();
    if (child == 0) {   /* child shell */
        pam_end (pamh, PAM_SUCCESS);

        if (doshell)
            (void) shell (shellstr, (char *) args[0], envp);
        else
            (void) execve (shellstr, (char **) args, envp);
        exit (errno == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
    } else if (child == -1) {

Is there a good reason (security related or other) why pam_end() is
called here? With libpam-krb5, it has the effect that the ticket cache
is removed, before the user has a chance to use it.

Thanks
Arne


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages login depends on:
ii  libc6           2.3.6.ds1-7  GNU C Library: Shared libraries
ii  libpam-modules  0.79-4       Pluggable Authentication Modules f
ii  libpam-runtime  0.79-4       Runtime support for the PAM librar
ii  libpam0g        0.79-4       Pluggable Authentication Modules l

login recommends no packages.

-- no debconf information





Bug#396045: openafs-modules-source: aklog -setpag no longer works

2006-11-06 Thread Arne Nordmark

Russ Allbery wrote:
> Arne Nordmark [EMAIL PROTECTED] writes:
>
>> Package: openafs-modules-source
>> Version: 1.4.2-2
>> Severity: normal
>
>> aklog -setpag no longer works with the kernel module from 1.4.2-2.  This
>> breaks libpam-openafs-session, so users no longer get token upon login.
>
> Unfortunately, this was an intentional upstream change and it may not be
> possible to restore this behavior safely.  Apparently the intrusive
> manipulation of the Linux kernel required to add one's parent process to a
> new group is nasty enough that it was causing race conditions and was
> becoming hard to maintain.  It's also a disgusting hack that the kernel
> developers are never going to want to support.
>
> Writing a new AFS PAM module that doesn't require this hack is at the top
> of my priority list, and I will do what I can to get a fix for this into
> etch, probably by teaching libpam-openafs-session how to create the PAG
> itself directly.  This is hard to do in general, but on Linux with a
> current OpenAFS client the interface via /proc/fs/openafs/afs_ioctl is
> simple enough that we may be able to use it directly as a workaround until
> we have a more general solution.

Thank you very much for this encouraging information. Funny though that 
a change like this happens between (-fc4) and (final).

For what it is worth, I recompiled (for etch) the port I had done of 
libpam-openafs-session to Heimdal for (probably) woody (where krb5 and 
heimdal conflicted more than they do now). This code (Heimdal afslog 
does not have a switch corresponding to -setpag, so I added a call to 
k_setpag() before running afslog) seems to work and put the tokens in a 
new PAG. I am attaching that file for your reference.

Thanks again,
Arne

/*
 * pam_krb5_sess.c
 *
 * PAM session management functions for pam_openafs_session
 * 
 *
 */
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <syslog.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* strcmp() */
#include <krb5.h>
#include <kafs.h>

#define KERBCACHE "KRB5CCNAME"
#define AFSLOG "/usr/bin/afslog"

#define MAXBUF 256

/* A useful logging macro */
/* from libpam-krb5 */
#define DLOG(error_func, error_msg) \
if (debug) \
    syslog(LOG_DEBUG, "pam_openafs_session: %s: %s", \
	   error_func, error_msg)
#define ELOG(error_func, error_msg) \
    syslog(LOG_ERR, "pam_openafs_session: %s: %s", \
	   error_func, error_msg)


#include <security/pam_appl.h>
#include <security/pam_modules.h>

/* We need to store whether afslog has been run.
   We do this with the afslog_run data item.  The value doesn't matter, so we use an int.*/
static int dummy;

static void dummy_cleanup (pam_handle_t *pamh, void * data, int end_status)
{
  return;
}


/* Initiate session management */
int
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
  pid_t pid;
  int debug = 0;
  int newpag = 1;
  int status;
  int i;
  const char *name;
  struct passwd *pw;
  char *envi[2];
  char namecache[]={KERBCACHE};
  const char *filecache;
  char buf[MAXBUF];
  int pamret;
  const void *test_data;
  envi[1]=NULL;
  
  for (i = 0; i < argc; i++) {
    if (strcmp(argv[i], "debug") == 0)
      debug = 1;
    if (strcmp(argv[i], "no_newpag") == 0)
      newpag = 0;
  }

  /* Nothing to do if an earlier call already obtained tokens */
  if ( pam_get_data (pamh, "afslog_run", &test_data) == 0) {
    DLOG ("pM_open_session", "afslog already run");
    return PAM_SUCCESS;
  }
  
  if(pam_get_user(pamh, &name, "") != PAM_SUCCESS )
    return PAM_SERVICE_ERR;
  pw =getpwnam (name);
  if(!pw) {
    ELOG("getpwnam","Unable to get the user UID");
    return PAM_SERVICE_ERR;
  }
  filecache=pam_getenv(pamh,namecache);
  if (!filecache) {
    DLOG ("open_session", "Could not find Kerberos tickets; not running afslog");
    return PAM_SUCCESS;
  }
  if ((pamret = pam_set_data (pamh, "afslog_run", (void *) &dummy, dummy_cleanup))
      != 0 ) {
    ELOG ("open_session", "Unable to set PAM data");
    return pamret;
  }
  
  /* Create the new PAG in this process, before afslog runs in the child */
  if (newpag)
    if (k_hasafs()) {
      k_setpag();
      DLOG("open_session","setpag");
    }

  DLOG("open_session","fork..");
  
  pid=fork();  
  if(pid==0) { /* the child */ 

    if(setuid(pw->pw_uid) < 0) {
      ELOG("setuid","Unable to set the appropriate UID");
      exit(1);
    }

    snprintf(buf,MAXBUF-1,"%s=%s",namecache,filecache);
    envi[0]=buf;
    DLOG("ENVIRONNEMENT", envi[0]);

    execle( AFSLOG,"afslog", NULL,envi);

    ELOG("open_session","fatal error");
    exit(-1);
  }
  waitpid(pid, &status, 0);
  if(WIFEXITED(status)) {
    DLOG("KRB5 OPENSESSION", "OK !");
    return PAM_SUCCESS;
  }
  return PAM_SESSION_ERR;
}


/* Terminate session management */
int
pam_sm_close_session(pam_handle_t *pamh, 
		 int flags, int argc, const char **argv)
{
  const char *name;
  struct passwd *pw;
  char *envi[2];
  char namecache[]={KERBCACHE};
  const char *filecache;
  char buf[MAXBUF];
  int i,debug=0;
  int UID=-1;
  pid_t pid;
  int status;
  const void *data;

  
  envi[1]=NULL;
  for (i = 0; i < argc; i++) {
    if (strcmp(argv[i], "debug") == 0) {
      debug = 1;
      break

Bug#396045: openafs-modules-source: aklog -setpag no longer works

2006-10-29 Thread Arne Nordmark
Package: openafs-modules-source
Version: 1.4.2-2
Severity: normal


aklog -setpag no longer works with the kernel module from 1.4.2-2.
This breaks libpam-openafs-session, so users no longer get token upon login.

[EMAIL PROTECTED]:~$ aklog -setpag
[EMAIL PROTECTED]:~$ tokens

Tokens held by the Cache Manager:

   --End of list--
[EMAIL PROTECTED]:~$ aklog
[EMAIL PROTECTED]:~$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 1015) tokens for [EMAIL PROTECTED] [Expires Oct 29 17:51]
   --End of list--

After downgrading the kernel module to 1.4.2~fc4-3 (keeping openafs-client and 
openafs-krb5 at 1.4.2-2), aklog -setpag works again.

Thanks
Arne


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages openafs-modules-source depends on:
ii  bison             1:2.3.dfsg-4  A parser generator that is compati
ii  debhelper         5.0.40        helper programs for debian/rules
ii  flex              2.5.33-9      A fast lexical analyzer generator.
ii  kernel-package    10.062        A utility for building Linux kerne
ii  module-assistant  0.10.7        tool to make module package creati

openafs-modules-source recommends no packages.

-- no debconf information





Bug#395315: Sementation fault when using password component of pam_winbind

2006-10-26 Thread Arne Nordmark
Package: winbind
Version: 3.0.23c-2
Severity: normal


/usr/bin/passwd crashes with Segmentation fault when changing password.

passwd: password updated successfully
Segmentation fault

The password is actually changed OK, the crash comes during PAM cleanup.

The problem seems to be these lines from pam_sm_chauthtok() in
source/nsswitch/pam_winbind.c:

...
time_t pwdlastset_prelim = 0;
...
pam_set_data(pamh, PAM_WINBIND_PWD_LAST_SET, (void *)pwdlastset_prelim, _pam_winbind_cleanup_func);
...

Although this strange type conversion from (time_t) to (void *) seems to work,
bad things happen when _pam_winbind_cleanup_func() calls free() on the value
during PAM cleanup.

Using

pam_set_data( ... , NULL);

instead seems to resolve this problem (I do not know if NULL is allowed
for this argument. It seems to work).

Thanks
Arne

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages winbind depends on:
ii  adduser       3.97          Add and remove users and groups
ii  libc6         2.3.6.ds1-4   GNU C Library: Shared libraries
ii  libcomerr2    1.39-1        common error description library
ii  libkrb53      1.4.4-3       MIT Kerberos runtime libraries
ii  libldap2      2.1.30-13+b1  OpenLDAP libraries
ii  libpam0g      0.79-3.2      Pluggable Authentication Modules l
ii  libpopt0      1.10-3        lib for parsing cmdline parameters
ii  lsb-base      3.1-15        Linux Standard Base 3.1 init scrip
ii  samba-common  3.0.23c-2     Samba common files used by both th

winbind recommends no packages.

-- no debconf information
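
The ownership rule behind this crash, as an added example rather than Samba's code. struct slot, slot_set() and slot_end() are a hypothetical stand-in for the store behind pam_set_data() (the real cleanup callback also receives the PAM handle and an end status), used here to show two consistent ways of keeping a time_t in it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical stand-in for one named PAM data item: a pointer plus the
 * cleanup callback that will be run on that pointer at teardown. */
typedef void (*cleanup_fn)(void *data);

struct slot {
    const char *name;
    void       *data;
    cleanup_fn  cleanup;
};

int frees_done;   /* counts cleanup calls, for demonstration only */

/* A cleanup that frees is only valid for pointers that came from malloc(). */
void free_cleanup(void *data)
{
    free(data);
    frees_done++;
}

/* Store a value; an existing value is released through its own cleanup. */
void slot_set(struct slot *s, const char *name, void *data, cleanup_fn c)
{
    if (s->cleanup)
        s->cleanup(s->data);
    s->name = name;
    s->data = data;
    s->cleanup = c;
}

/* Teardown: run the cleanup, if any, exactly once. */
void slot_end(struct slot *s)
{
    if (s->cleanup)
        s->cleanup(s->data);
    memset(s, 0, sizeof *s);
}

/* Pattern A: box the value on the heap, so that a freeing cleanup is
 * handed a pointer that free() actually owns. */
int store_time_boxed(struct slot *s, time_t t)
{
    time_t *box = malloc(sizeof *box);
    if (box == NULL)
        return -1;
    *box = t;
    slot_set(s, "pwd_last_set", box, free_cleanup);
    return 0;
}

time_t load_time_boxed(const struct slot *s)
{
    return *(const time_t *)s->data;
}

/* Pattern B: keep the scalar inside the pointer itself and register NO
 * cleanup, because there is nothing to free. This only round-trips when
 * the value fits in intptr_t (not guaranteed for a 64-bit time_t on a
 * 32-bit platform), so the range is checked here. */
int store_time_inline(struct slot *s, time_t t)
{
    if ((time_t)(intptr_t)t != t)
        return -1;
    slot_set(s, "pwd_last_set", (void *)(intptr_t)t, NULL);
    return 0;
}

time_t load_time_inline(const struct slot *s)
{
    return (time_t)(intptr_t)s->data;
}

/* The combination in the report mixes the two: a scalar cast to a pointer
 * (pattern B) registered with a freeing cleanup (pattern A), so teardown
 * calls free() on an address that was never allocated. */
int main(void)
{
    struct slot s = {0};
    time_t stamp = (time_t)1161820800;   /* constructed sample value */

    if (store_time_boxed(&s, stamp) != 0)
        return 1;
    printf("boxed:  %ld\n", (long)load_time_boxed(&s));
    slot_end(&s);

    if (store_time_inline(&s, stamp) != 0)
        return 1;
    printf("inline: %ld\n", (long)load_time_inline(&s));
    slot_end(&s);
    return 0;
}
```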





Bug#395041: libpam-krb5: password component corrupts memory when stacked

2006-10-24 Thread Arne Nordmark
Package: libpam-krb5
Version: 2.4-1
Severity: normal


With

password required pam_cracklib.so retry=3 minlen=4 difok=1
password optional pam_krb5.so use_authtok

in /etc/pam.d/comon-password, /usr/bin/passwd crashes like

Password:
New UNIX password:
Retype new UNIX password:
*** glibc detected *** corrupted double-linked list: 0xa7edb4f8 ***
Aborted

Using try_first_pass or use_first_pass gives the same result. Without 
any argument, so pam-krb5 asks for the new password, the crash does not 
occur.

The password change does succeed, by the way. The crash comes during 
cleanup.

Thanks
Arne

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libpam-krb5 depends on:
ii  krb5-config  1.10         Configuration files for Kerberos V
ii  libc6        2.3.6.ds1-4  GNU C Library: Shared libraries
ii  libcomerr2   1.39-1       common error description library
ii  libkrb53     1.4.4-3      MIT Kerberos runtime libraries
ii  libpam0g     0.79-3.2     Pluggable Authentication Modules l

libpam-krb5 recommends no packages.

-- no debconf information





Bug#372854: Problem solved upstream in 1.2.2

2006-08-07 Thread Arne Nordmark

This issue has been solved in CUPS 1.2.2, see upstream STR 1798.

I have verified that it works now in Debian Etch.

Thanks
Arne Nordmark






Bug#372855: Reported to upstream (STR #1887)

2006-08-07 Thread Arne Nordmark
I reported this upstream as STR #1887, and a fix is promised for the 
upcoming 1.2.3 release.


Thanks
Arne Nordmark





Bug#380730: libgnomecups1.0-1: Loading of ppd files from remote CUPS servers does not work

2006-08-01 Thread Arne Nordmark
Package: libgnomecups1.0-1
Version: 0.2.2-5
Severity: normal


When using a local CUPS server that gathers printing information from CUPS
browse messages, the ppd files for the detected printers can not be used 
in Gnome applications. For example when using gedit, one gets the message:

GnomePrintCupsPlugin-Message: The ppd file for the CUPS printer lwhall48 
could not be loaded.

and consequently options like paper size, trays etc do not show up.
In non-Gnome applications things work as expected. It also works if a 
remote CUPS server is configured in /etc/cups/client.conf (as opposed to 
using the local CUPS server). It also works in sarge, so this seems to be a 
regression.

If the variable

static gboolean go_directly_to_printer_when_possible = FALSE;

is changed to TRUE in libgnomecups/gnome-cups-printer.c then things start 
to work again, but this may of course have other consequences.

Thanks,
Arne Nordmark


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libgnomecups1.0-1 depends on:
ii  libc6         2.3.6-15  GNU C Library: Shared libraries
ii  libcupsys2    1.2.1-3   Common UNIX Printing System(tm) -
ii  libglib2.0-0  2.10.3-3  The GLib library of C routines
ii  libgnutls13   1.4.1-1   the GNU TLS library - runtime libr

Versions of packages libgnomecups1.0-1 recommends:
ii  cupsys        1.2.1-3   Common UNIX Printing System(tm) -

-- no debconf information





Bug#372854: BrowseRelay info message shows addresses the wrong way around

2006-06-12 Thread Arne Nordmark

Package: cupsys
Version: 1.2.1-2
Severity: minor

At the log level setting of

LogLevel info

the informational message about BrowseRelay settings (as recorded in
/var/log/cups/error_log) has the source
and destination fields exchanged. For example having

BrowseRelay ano2.mech.kth.se anobhs-bcast.mech.kth.se

causes the message

Relaying from 130.237.233.231 to ano2.mech.kth.se:631 (IPv4)

in error_log. This is confusing.

Fix: exchange temp and temp2 in the statement

  cupsdLogMessage(CUPSD_LOG_INFO, "Relaying from %s to %s:%d (IPv4)",
                  temp, temp2, ntohs(relay->to.ipv4.sin_port));

at line 2545 in scheduler/conf.c

Thanks
Arne

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages cupsys depends on:
ii  adduser                   3.87             Add and remove users and groups
ii  debconf [debconf-2.0]     1.5.1            Debian configuration management sy
ii  gs-esp                    8.15.1.dfsg.1-2  The Ghostscript PostScript interpr
ii  libc6                     2.3.6-13         GNU C Library: Shared libraries
ii  libcupsimage2             1.2.1-2          Common UNIX Printing System(tm) -
ii  libcupsys2                1.2.1-2          Common UNIX Printing System(tm) -
ii  libdbus-1-2               0.61-6           simple interprocess messaging syst
ii  libgnutls13               1.3.5-1.1        the GNU TLS library - runtime libr
ii  libldap2                  2.1.30-13        OpenLDAP libraries
ii  libpam0g                  0.79-3.1         Pluggable Authentication Modules l
ii  libpaper1                 1.1.17           Library for handling paper charact
ii  libslp1                   1.2.1-5          OpenSLP libraries
ii  lsb-base                  3.1-10           Linux Standard Base 3.1 init scrip
ii  patch                     2.5.9-4          Apply a diff file to an original
ii  perl-modules              5.8.8-4          Core Perl modules
ii  procps                    1:3.2.6-2.2      /proc file system utilities
ii  xpdf-utils [poppler-util  3.01-8           Portable Document Format (PDF) sui
ii  zlib1g                    1:1.2.3-11       compression library - runtime

Versions of packages cupsys recommends:
ii  cupsys-client             1.2.1-2          Common UNIX Printing System(tm) -
pn  foomatic-filters          none             (no description available)
ii  smbclient                 3.0.22-1         a LanManager-like simple client fo


-- debconf information:
  cupsys/raw-print: true
  cupsys/browse: true
  cupsys/ports: 631
  cupsys/backend: ipp, lpd, parallel, socket, usb
  cupsys/portserror:





Bug#372855: cupsys: Sending BrowseRelay packets causes EINVAL in sendto()

2006-06-12 Thread Arne Nordmark

Package: cupsys
Version: 1.2.1-2
Severity: normal

Relaying CUPS browse packets does not seem to work. Using

BrowseRelay ano2.mech.kth.se anobhs-bcast.mech.kth.se

causes the following error message

E [11/Jun/2006:07:14:19 +0200] cupsdUpdateCUPSBrowse: sendto failed for relay 1 - Invalid argument.

each time a browse packet is received from ano2.mech.kth.se, and these
packets are not relayed. There seems to
be an upstream bug report about this: http://www.cups.org/str.php?L1745
but if I understand correctly, that bug report was closed without any
action, since the bug reporter's disk had just crashed, and he could thus
no longer reproduce the problem. The source code looks like

 if (sendto(BrowseSocket, packet, bytes, 0,
            (struct sockaddr *)&(Relays[i].to),
            sizeof(http_addr_t)) <= 0)

at line 1460 in scheduler/dirsvc.c. If I change

 sizeof(http_addr_t)

(which evaluates to 256) into

 sizeof(struct sockaddr_in)

(which evaluates to 16)

the error message disappears and relaying functionality is restored.


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages cupsys depends on:
ii  adduser                   3.87             Add and remove users and groups
ii  debconf [debconf-2.0]     1.5.1            Debian configuration management sy
ii  gs-esp                    8.15.1.dfsg.1-2  The Ghostscript PostScript interpr
ii  libc6                     2.3.6-13         GNU C Library: Shared libraries
ii  libcupsimage2             1.2.1-2          Common UNIX Printing System(tm) -
ii  libcupsys2                1.2.1-2          Common UNIX Printing System(tm) -
ii  libdbus-1-2               0.61-6           simple interprocess messaging syst
ii  libgnutls13               1.3.5-1.1        the GNU TLS library - runtime libr
ii  libldap2                  2.1.30-13        OpenLDAP libraries
ii  libpam0g                  0.79-3.1         Pluggable Authentication Modules l
ii  libpaper1                 1.1.17           Library for handling paper charact
ii  libslp1                   1.2.1-5          OpenSLP libraries
ii  lsb-base                  3.1-10           Linux Standard Base 3.1 init scrip
ii  patch                     2.5.9-4          Apply a diff file to an original
ii  perl-modules              5.8.8-4          Core Perl modules
ii  procps                    1:3.2.6-2.2      /proc file system utilities
ii  xpdf-utils [poppler-util  3.01-8           Portable Document Format (PDF) sui
ii  zlib1g                    1:1.2.3-11       compression library - runtime

Versions of packages cupsys recommends:
ii  cupsys-client             1.2.1-2          Common UNIX Printing System(tm) -
pn  foomatic-filters          none             (no description available)
ii  smbclient                 3.0.22-1         a LanManager-like simple client fo


-- debconf information:
  cupsys/raw-print: true
  cupsys/browse: true
  cupsys/ports: 631
  cupsys/backend: ipp, lpd, parallel, socket, usb
  cupsys/portserror:
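
The address-length mismatch described in the report above, as an added example (not code from CUPS or from the original message): `relay_addr_t` is a hypothetical stand-in for a padded address union, `addr_len_for_family` and `try_send` are illustrative names, and 127.0.0.1:9 is a constructed target. It goes beyond the IPv4 case in the report by also returning the IPv6 length.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for a padded address union like http_addr_t;
 * the 256-byte pad reproduces the size quoted in the report. */
typedef union {
  struct sockaddr     addr;
  struct sockaddr_in  ipv4;
  struct sockaddr_in6 ipv6;
  char                pad[256];
} relay_addr_t;

/* Length sendto() expects for an address family, 0 if unsupported. */
socklen_t addr_len_for_family(int family)
{
  if (family == AF_INET)  return (socklen_t)sizeof(struct sockaddr_in);
  if (family == AF_INET6) return (socklen_t)sizeof(struct sockaddr_in6);
  return 0;
}

/* Send one byte to 127.0.0.1:9 (constructed target) passing `len` as the
 * address length. Returns 0 on success, else errno from socket()/sendto(). */
int try_send(socklen_t len)
{
  relay_addr_t to;
  int fd, err = 0;
  memset(&to, 0, sizeof(to));
  to.ipv4.sin_family      = AF_INET;
  to.ipv4.sin_port        = htons(9);
  to.ipv4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
  if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) return errno;
  if (sendto(fd, "x", 1, 0, &to.addr, len) < 0) err = errno;
  close(fd);
  return err;
}

int main(void)
{
  socklen_t padded = (socklen_t)sizeof(relay_addr_t);
  socklen_t exact  = addr_len_for_family(AF_INET);
  printf("addrlen %u: %s\n", (unsigned)padded, strerror(try_send(padded)));
  printf("addrlen %u: %s\n", (unsigned)exact, strerror(try_send(exact)));
  return 0;
}
```

On Linux the first call fails with EINVAL because an address length larger than `sizeof(struct sockaddr_storage)` is rejected before the address itself is examined.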





Bug#132601: openafs module does not load on SMP sparc

2005-04-30 Thread Arne Nordmark
Hello,

Russ Allbery wrote:
> tags 132601 moreinfo
> thanks
>
> Greetings,
>
> I'm going through old bugs on the Debian OpenAFS packages, and found this
> bug that you had filed a bit over three years ago:
>
> | Package: openafs-modules-source
> | Version: 1.2.3final2-0.potato1
> | 
> | The module does not load in a 2.2.20 SMP kernel with modversions, since
> | the symbol kernel_flag_R__ver_kernel_flag does not exist. This symbol
> | comes from a block of defines in src/config/param.sparc_linux22.h
> | (commented as hack, I don't know what else with these symbols). The
> | block is absent in the other Linux architectures. When this block is
> | removed, the module loads and seems to work. There is an identical block
> | in src/config/param.sparc_linux24.h too, but I have not tried a 2.4
> | kernel.
>
> While that bit is still in param.sparc_linux*.h, those are the only
> references to kernel_flag in the entire OpenAFS source base in the version
> of OpenAFS currently in testing.  I'm not just directly closing this bug
> since I don't have an SMP Linux SPARC system to test on, but I'm almost
> positive that this bug has been fixed (although it's possible there are
> other lingering Linux SPARC problems).
>
> Are you still seeing this problem, or other difficulties loading the
> current OpenAFS module on SMP SPARC?  Please let me know; if not, I'll
> close this bug.
>
> Thanks!

We have given away all our SPARC systems during the last year, so I am 
not able to provide any new input on this. Running on SMP SPARC was 
probably just a test anyway, since I cannot remember running that 
configuration.

Anyway, thanks for taking time to look into this. If there are no recent 
(non-Debian) reports on this, the bug is likely to be fixed, just as you 
say.

Arne



Bug#296878: arla: /dev/nnpfs0 is not created at boot time with recent versions of udev

2005-02-25 Thread Arne Nordmark
Package: arla
Version: 0.36.2-11
Severity: normal


udev version 0.053-1 creates the directory /dev/.udevdb instead of
/dev/.udev.tdb so the ugly hack in /etc/init.d/arla no longer works
with kernel-image-2.6.8. Changing the test to

# ugly hack to create the device if running udev
# Should be removed when arla supports sysfs
if [ -e /dev/.udevdb -a ! -c /dev/nnpfs0 ]; then

restores functionality.

Arne

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages arla depends on:
ii  arla-modules-2.6.8-2-  0.36.2+2.6.8-12     A free client for the AFS - Kernel
ii  debconf                1.4.30.11           Debian configuration management sy
ii  debianutils            2.8.4               Miscellaneous utilities specific t
ii  libasn1-6-heimdal      0.6.3-7             Libraries for Heimdal Kerberos
ii  libc6                  2.3.2.ds1-20        GNU C Library: Shared libraries an
ii  libcomerr2             1.35-6              The Common Error Description libra
ii  libdb4.1               4.1.25-18           Berkeley v4.1 Database Libraries [
ii  libedit2               2.9.cvs.20040827-1  BSD editline and history libraries
ii  libice6                4.3.0.dfsg.1-10     Inter-Client Exchange library
ii  libkafs0-heimdal       0.6.3-7             Libraries for Heimdal Kerberos
ii  libkrb-1-kerberos4kth  1.2.2-11.1          Kerberos Libraries for Kerberos4 F
ii  libkrb5-17-heimdal     0.6.3-7             Libraries for Heimdal Kerberos
ii  libncurses5            5.4-4               Shared libraries for terminal hand
ii  libroken16-kerberos4k  1.2.2-11.1          Roken Libraries for Kerberos4 From
ii  libsl0-kerberos4kth    1.2.2-11.1          Sl Libraries for Kerberos4 From KT
ii  libsm6                 4.3.0.dfsg.1-10     X Window System Session Management
ii  libssl0.9.7            0.9.7e-2            SSL shared libraries
ii  libx11-6               4.3.0.dfsg.1-10     X Window System protocol client li
ii  libxaw7                4.3.0.dfsg.1-10     X Athena widget set library
ii  libxext6               4.3.0.dfsg.1-10     X Window System miscellaneous exte
ii  libxmu6                4.3.0.dfsg.1-10     X Window System miscellaneous util
ii  libxt6                 4.3.0.dfsg.1-10     X Toolkit Intrinsics
ii  xlibs                  4.3.0.dfsg.1-10     X Keyboard Extension (XKB) configu

-- debconf information:
  arla/cell-info:
* arla/create-nnpfs: true
* arla/thiscell: mech.kth.se

