Bug#569313: acidbase: upgrade for php-5.3

2010-02-11 Thread Kevin Johnson
This was fixed in the CVS for the main project.  You guys might want to check that out.  :)


Kevin

On Feb 11, 2010, at 9:06 AM, Jeremy T. Bouse wrote:


Could you please try to be any more vague or would it be too much to ask for information that actually helps identify the problem other than saying there's a problem. Otherwise it's just as big a waste of time as a snipe hunt.

Vladimir Stavrinov wrote:

Package: acidbase
Version: 1.4.4-3
Severity: normal


The recent system upgrade breaks acidbase. It doesn't work with the new php version. Please adjust your code for the new php.


-- System Information:
Debian Release: squeeze/sid
 APT prefers unstable
 APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Shell: /bin/sh linked to /bin/bash

Versions of packages acidbase depends on:
ii  dbconfig-common               1.8.43     common framework for packaging dat
ii  debconf [debconf-2.0]         1.5.28     Debian configuration management sy
ii  libphp-adodb                  5.09a-1    The ADOdb database abstraction lay
ii  libwww-perl                   5.834-1    Perl HTTP/WWW client/server librar
ii  mysql-client-5.1 [virtual-mys 5.1.43-1   MySQL database client binaries
ii  php-mail                      1.1.14-2   PHP PEAR module for sending email
ii  php-mail-mime                 1.5.3-0.1  PHP PEAR module for creating MIME
ii  php5                          5.3.1-3    server-side, HTML-embedded scripti
ii  postgresql-client-8.4 [postgr 8.4.2-2    front-end programs for PostgreSQL


acidbase recommends no packages.

Versions of packages acidbase suggests:
ii  snort-mysql                   2.8.5.2-2  flexible Network Intrusion Detecti


-- debconf information:
* acidbase/mysql/admin-user: root
 acidbase/internal/reconfiguring: false
 acidbase/pgsql/authmethod-user:
 acidbase/db/basepath:
* acidbase/db/app-user: snort
* acidbase/webserver: Apache2
 acidbase/dbconfig-install: true
 acidbase/dbconfig-upgrade: true
 acidbase/upgrade-error: abort
 acidbase/internal/skip-preseed: false
 acidbase/install-error: abort
 acidbase/upgrade-backup: true
 acidbase/pgsql/method: unix socket
 acidbase/pgsql/admin-user: postgres
 acidbase/pgsql/authmethod-admin: ident
* acidbase/mysql/method: unix socket
* acidbase/database-type: mysql
 acidbase/dbconfig-reinstall: false
 acidbase/pgsql/changeconf: false
 acidbase/dbconfig-remove:
* acidbase/db/dbname: snort
 acidbase/pgsql/no-empty-passwords:
 acidbase/remote/host:
* acidbase/base_advisory:
 acidbase/missing-db-package-error: abort
 acidbase/pgsql/manualconf:
 acidbase/passwords-do-not-match:
 acidbase/remove-error: abort
 acidbase/remote/newhost:
 acidbase/remote/port:
 acidbase/purge: false
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#569313: acidbase: upgrade for php-5.3

2010-02-11 Thread Kevin Johnson
It just seems that if you wanted to maintain the project within Debian, it would make sense to at least track CVS.  If you are going to fix the bug yourself it would just be duplicate effort.


Kevin

On Feb 11, 2010, at 9:56 AM, Jeremy T. Bouse wrote:


Then when is the release with the fix as we're not tracking CVS...

Kevin Johnson wrote:
This was fixed in the CVS for the main project.  You guys might want to check that out.  :)

Kevin

On Feb 11, 2010, at 9:06 AM, Jeremy T. Bouse wrote:

Could you please try to be any more vague or would it be too much to ask for information that actually helps identify the problem other than saying there's a problem. Otherwise it's just as big a waste of time as a snipe hunt.

Vladimir Stavrinov wrote:

Package: acidbase
Version: 1.4.4-3
Severity: normal


The recent system upgrade breaks acidbase. It doesn't work with the new php version. Please adjust your code for the new php.


-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Shell: /bin/sh linked to /bin/bash

Versions of packages acidbase depends on:
ii  dbconfig-common               1.8.43     common framework for packaging dat
ii  debconf [debconf-2.0]         1.5.28     Debian configuration management sy
ii  libphp-adodb                  5.09a-1    The ADOdb database abstraction lay
ii  libwww-perl                   5.834-1    Perl HTTP/WWW client/server librar
ii  mysql-client-5.1 [virtual-mys 5.1.43-1   MySQL database client binaries
ii  php-mail                      1.1.14-2   PHP PEAR module for sending email
ii  php-mail-mime                 1.5.3-0.1  PHP PEAR module for creating MIME
ii  php5                          5.3.1-3    server-side, HTML-embedded scripti
ii  postgresql-client-8.4 [postgr 8.4.2-2    front-end programs for PostgreSQL

acidbase recommends no packages.

Versions of packages acidbase suggests:
ii  snort-mysql                   2.8.5.2-2  flexible Network Intrusion Detecti

-- debconf information:
* acidbase/mysql/admin-user: root
acidbase/internal/reconfiguring: false
acidbase/pgsql/authmethod-user:
acidbase/db/basepath:
* acidbase/db/app-user: snort
* acidbase/webserver: Apache2
acidbase/dbconfig-install: true
acidbase/dbconfig-upgrade: true
acidbase/upgrade-error: abort
acidbase/internal/skip-preseed: false
acidbase/install-error: abort
acidbase/upgrade-backup: true
acidbase/pgsql/method: unix socket
acidbase/pgsql/admin-user: postgres
acidbase/pgsql/authmethod-admin: ident
* acidbase/mysql/method: unix socket
* acidbase/database-type: mysql
acidbase/dbconfig-reinstall: false
acidbase/pgsql/changeconf: false
acidbase/dbconfig-remove:
* acidbase/db/dbname: snort
acidbase/pgsql/no-empty-passwords:
acidbase/remote/host:
* acidbase/base_advisory:
acidbase/missing-db-package-error: abort
acidbase/pgsql/manualconf:
acidbase/passwords-do-not-match:
acidbase/remove-error: abort
acidbase/remote/newhost:
acidbase/remote/port:
acidbase/purge: false



Bug#569313: acidbase: upgrade for php-5.3

2010-02-11 Thread Kevin Johnson
I wouldn't expect you to package every CVS release.  My understanding was that you were going to try and fix the bug, in that case I thought I would provide you with a solution that was easier than building it yourself.  I guess I don't understand the work of Debian maintainers or your busy schedules.  ;-)


Kevin


On Feb 11, 2010, at 10:18 AM, Jeremy T. Bouse wrote:


We track stable releases... and the last release put out was 1.4.4 which was packaged... I don't have time to track and repackage every CVS update and the website doesn't appear to have any patch to 1.4.4 to fix the problem already which means I have to track it down which is time I don't have. I'll mark this bug as wishlist and upstream and when a release is made it'll be included.

Kevin Johnson wrote:
It just seems that if you wanted to maintain the project within Debian, it would make sense to at least track CVS.  If you are going to fix the bug yourself it would just be duplicate effort.

Kevin

On Feb 11, 2010, at 9:56 AM, Jeremy T. Bouse wrote:

Then when is the release with the fix as we're not tracking CVS...


Kevin Johnson wrote:
This was fixed in the CVS for the main project.  You guys might want to check that out.  :)

Kevin

On Feb 11, 2010, at 9:06 AM, Jeremy T. Bouse wrote:

Could you please try to be any more vague or would it be too much to ask for information that actually helps identify the problem other than saying there's a problem. Otherwise it's just as big a waste of time as a snipe hunt.

Vladimir Stavrinov wrote:

Package: acidbase
Version: 1.4.4-3
Severity: normal


The recent system upgrade breaks acidbase. It doesn't work with the new php version. Please adjust your code for the new php.


-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Shell: /bin/sh linked to /bin/bash

Versions of packages acidbase depends on:
ii  dbconfig-common               1.8.43     common framework for packaging dat
ii  debconf [debconf-2.0]         1.5.28     Debian configuration management sy
ii  libphp-adodb                  5.09a-1    The ADOdb database abstraction lay
ii  libwww-perl                   5.834-1    Perl HTTP/WWW client/server librar
ii  mysql-client-5.1 [virtual-mys 5.1.43-1   MySQL database client binaries
ii  php-mail                      1.1.14-2   PHP PEAR module for sending email
ii  php-mail-mime                 1.5.3-0.1  PHP PEAR module for creating MIME
ii  php5                          5.3.1-3    server-side, HTML-embedded scripti
ii  postgresql-client-8.4 [postgr 8.4.2-2    front-end programs for PostgreSQL

acidbase recommends no packages.

Versions of packages acidbase suggests:
ii  snort-mysql                   2.8.5.2-2  flexible Network Intrusion Detecti

-- debconf information:
* acidbase/mysql/admin-user: root
acidbase/internal/reconfiguring: false
acidbase/pgsql/authmethod-user:
acidbase/db/basepath:
* acidbase/db/app-user: snort
* acidbase/webserver: Apache2
acidbase/dbconfig-install: true
acidbase/dbconfig-upgrade: true
acidbase/upgrade-error: abort
acidbase/internal/skip-preseed: false
acidbase/install-error: abort
acidbase/upgrade-backup: true
acidbase/pgsql/method: unix socket
acidbase/pgsql/admin-user: postgres
acidbase/pgsql/authmethod-admin: ident
* acidbase/mysql/method: unix socket
* acidbase/database-type: mysql
acidbase/dbconfig-reinstall: false
acidbase/pgsql/changeconf: false
acidbase/dbconfig-remove:
* acidbase/db/dbname: snort
acidbase/pgsql/no-empty-passwords:
acidbase/remote/host:
* acidbase/base_advisory:
acidbase/missing-db-package-error: abort
acidbase/pgsql/manualconf:
acidbase/passwords-do-not-match:
acidbase/remove-error: abort
acidbase/remote/newhost:
acidbase/remote/port:
acidbase/purge: false



Bug#569313: acidbase: upgrade for php-5.3

2010-02-11 Thread Kevin Johnson

On Feb 11, 2010, at 10:31 AM, Jeremy T. Bouse wrote:
Maintaining packages is a volunteer effort and comes after my 2 paying jobs.


Join the club :-)  I understand it is volunteer and didn't mean to piss in your wheaties.



I don't have time to go tracking through CVS to figure out a patch for the problem, that was not even mentioned in the initial bug report.


I agree that the bug report was vague and if it had been sent to me, I would have also responded for more information as you did.  Since I held more information I thought I would help you out.  Obviously that was a mistake and will refrain from trying to build a communication path between the Debian package maintainer and the project lead.  Maybe, if it is so hard to maintain, you guys should just remove BASE from the repository.  I know it would make my life easier.


I will go back to ignoring the existence of a Debian package and you can go back to ignoring the fact that there is an entire team of developers that would be willing to help you out.



It would also appear that the CVS repository is useless as far as tagging as it appears there was no 1.4.4 release tag made so I couldn't even generate a diff from CVS between the released tarball version and the current CVS HEAD that supposedly fixes the problem.


I didn't realize I had forgotten to tag the release.  While that does make things more difficult I don't think it renders the repository useless.


Like I said, I was just trying to help you out but obviously that irritated you somehow.


Have a good day,
Kevin



Bug#569313: acidbase: upgrade for php-5.3

2010-02-11 Thread Kevin Johnson

Vladimir,

We will be releasing a new version as soon as possible from the main project.  I am not sure when that will be available, so maybe you should switch until then.


Kevin

On Feb 11, 2010, at 10:49 AM, Vladimir Stavrinov wrote:


On Thu, Feb 11, 2010 at 09:56:06AM -0500, Jeremy T. Bouse wrote:


Then when is the release with the fix as we're not tracking CVS...


Kevin is right. You should make a difference. Yes, you shouldn't build a package for every CVS update. But if the package becomes totally unusable (as now) you should upgrade it.

--
Vladimir Stavrinov
v...@inist.ru



Bug#402406: Proposed plan to fix acibase issues (was Re: Debian Etch has been frozen)

2006-12-12 Thread Kevin Johnson

On Dec 12, 2006, at 4:54 AM, Javier Fernández-Sanguino Peña wrote:


severity 402406 important
thanks

On Mon, Dec 11, 2006 at 10:26:32PM +0100, Daniel Rodriguez Garcia wrote:
Therefore, I think the problem here is time. It would be a pity to lose this package for this silly thing.


License issues are not a silly thing. They are rather important if we want to ship a free OS.



I agree and understand.



Possible alternatives:

1) Cut out the graphics rendering functionality from ACIDBASE (not
really essential, for me). A link for exporting data to a spreadsheet
format would be enough.


Currently I think that's the only viable option, remove the php-image-graph *and* ensure the package can work without it. I agree with Jeremy that providing a package that does not Depend: on php-image-graph but asks the user to use a mechanism which is outside the Debian package management system to install needed functionality is a no-no. If the dependency is removed then the maintainer must ensure that the package can fully work without it, even if that means stripping of PHP pages that depend on that library.

That would imply (doing a cursory look at the PHP code):

- remove the link from base_main.php to base_graph_main.php
- do not include base_graph_form.php in base_main.php
- modify base_graph_common.php so that it does not complain so loudly when Image/Graph is not found. Just say that the functionality is currently not available in Debian (due to license issues, point to the Bug report) and say that users that need it will have to install the PEAR modules.
- document in NEWS.Debian why the graphs have been removed and when will they be reenabled in the front page.


I guess I am confused at some of what is being suggested.  I had recommended just removing the dependency on Image_graph and was told it was a half-assed idea?  And if you remove the dependence, why would you remove the link?  Change the error message on base_graph_common.php to reflect the needed PEAR install and you will be done.



For reference, the bug to be referenced is #401797 *and* #402406
(do not reference #340730 or #335994)

That way users will not see the PHP scripts used to make graphs and they will not (going through the GUI) get a big error saying you are missing something. While at the same time, users depending on them will still be able to reach the PHP scripts and see what happened.

Does that sound like a plan? David, could you please change that and test that the changes I outline are sufficient?


Since the Debian package is not maintained by me or the project, it is your choice whether to do this.

Kevin

Kevin Johnson GCIA, GCIH, CISSP, CEH
Principal Consultant
Secure Ideas
http://www.secureideas.net
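The third step in Javier's plan above (make base_graph_common.php degrade to a notice when PEAR Image/Graph is absent, instead of failing loudly) is the kind of optional-dependency check a packager would want to see written out. The following is an added example, not code from the BASE project or from the Debian package; the function names, the `Image/Graph.php` include path and the notice wording are constructed for illustration, and the bug number is the one named in this thread.

```php
<?php
// Added example, not BASE project code. Shows how a page that needs an
// optional PEAR library can detect its absence and degrade gracefully
// instead of emitting a fatal error or a wall of warnings.

function image_graph_available(): bool
{
    // Already loaded (e.g. by another page)? class_exists() with the
    // autoload flag false avoids triggering any autoloader side effects.
    if (class_exists('Image_Graph', false)) {
        return true;
    }
    // include_once returns false when the file is not on include_path;
    // the @ suppresses the "failed to open stream" warning, which is the
    // "complaining loudly" the plan wants to avoid.
    if (@include_once 'Image/Graph.php') {
        return class_exists('Image_Graph', false);
    }
    return false;
}

// Text shown in place of the graph when the library is missing.
// The wording is constructed; #402406 is the bug discussed in this thread.
function graph_unavailable_notice(): string
{
    return 'Graphing is currently not available in this Debian package '
         . '(see Debian bug #402406 for the licensing background). '
         . 'Users who need it can install the PEAR Image_Graph module.';
}

// Entry point a graph page would call before doing any rendering work.
// $render_graph is the real rendering routine, only invoked when safe.
function render_graph_page(callable $render_graph): string
{
    if (!image_graph_available()) {
        // Escape the notice so a future edit cannot turn it into HTML injection.
        return '<p>' . htmlspecialchars(graph_unavailable_notice(), ENT_QUOTES, 'UTF-8') . '</p>';
    }
    return $render_graph();
}

// Usage: echo render_graph_page(function () { /* build the graph */ return '<img ...>'; });
```

Because `image_graph_available()` only reports false rather than aborting, the link to the graph page can stay in place: users with the PEAR module installed by hand get the graphs, and everyone else gets a short explanation pointing at the bug.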


Bug#402406: Debian Etch has been frozen

2006-12-11 Thread Kevin Johnson


On Dec 11, 2006, at 4:26 PM, Daniel Rodriguez Garcia wrote:


Hello,

It has been announced recently that Debian Etch has been frozen. I'm not much aware of the implications for ACIDBASE (as it has been currently automatically removed from Etch repository).


For the BASE project, there is no implications.  We will continue to provide the project via our project pages.  For Debian, that is different.  I am willing to help how ever I can, but it seems to me that things are out of my hands as I am not the maintainer of the PEAR library.



Therefore, I think the problem here is time. It would be a pity to lose this package for this silly thing.


Hear Hear.  Especially a silly thing that seems to be hit or miss applied.

ACID was in debian for years with a library that was commercial.



Possible alternatives:

1) Cut out the graphics rendering functionality from ACIDBASE (not
really essential, for me). A link for exporting data to a spreadsheet
format would be enough.


I recommended that and was insulted.



2) A text based histogram (similar to that in main screen)?


Not sure how this would be different from the main screen, but
if you would like to send me more details, I can see what we can
build.  It sounds like a nice thing for anyone who doesn't want the
full graphing but needs a quick chart.



3) Implement that functionality as a Java applet ?? i.e. optional
functionality: you leave the problem of installing Java in their
browsers to client users.


Never!  Sorry grin  Java is something that I will always leave out of BASE.  I think that moving in that direction is just asking for other troubles and I have enough support emails and phone calls from people having trouble getting to their BASE install just using the browser.


Thanks,

Daniel R.


Let me know what you would like me to do

Kevin

Kevin Johnson GCIA, GCIH, CISSP, CEH
Principal Consultant
Secure Ideas
http://www.secureideas.net



Bug#370576: acidbase: Remote File Inclusion Vulnerabilities

2006-06-07 Thread Kevin Johnson


On Jun 7, 2006, at 5:08 AM, David Gil wrote:


severity 370576 minor
thanks



Thanks...


On Tue, 06-06-2006 at 13:01 -0400, Kevin Johnson wrote:

I have to disagree with the Severity of grave.  To exploit you need
to have register_globals set to on which has not been the default in
years.


Ok, now the bug has a minor severity. You are right, base is not
exploitable with the default installation of the package.


We have released 1.2.5 which fixes the issue and a number of
other things.


Yes, I am aware of it. We'll upload it in a few days. I've submitted the bug report to inform the security team (testing distribution has also base 1.2.4) and to explain more in deep the changes in the 1.2.5 changelog.



Great... I appreciate it...


It just gets under my skin when researchers find
problems, elevate how serious they are and never notify the
development team.


Well, I don't understand you Kevin. I know you are subscribed to the package tracking system of acidbase, so I know that you receive all the bugs submitted to the package too. If you don't agree with the severity of a bug, you can always change it as I've just done.



Sorry this was not meant toward you.  I was speaking of St0ke and Milw0rm.  I apologize for venting at you and the bug tracking system.  As to changing the severity I forgot.  We have been busy around here since my new daughter arrived Monday.



Sorry for my rant,
Kevin


Regards,
David.




Thanks
Kevin
-
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!


Bug#370576: acidbase: Remote File Inclusion Vulnerabilities

2006-06-06 Thread Kevin Johnson
I have to disagree with the Severity of grave.  To exploit you need to have register_globals set to on which has not been the default in years.  We have released 1.2.5 which fixes the issue and a number of other things.  It just gets under my skin when researchers find problems, elevate how serious they are and never notify the development team.


Sorry for my rant,
Kevin
-
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!

On Jun 5, 2006, at 6:24 PM, David Gil wrote:


Package: acidbase
Severity: grave
Tags: security
Justification: user security hole

 http://www.frsirt.com/english/advisories/2006/1996

 Advisory ID : FrSIRT/ADV-2006-1996
 CVE ID : GENERIC-MAP-NOMATCH
 Rated as : High Risk
 Remotely Exploitable : Yes
 Locally Exploitable : Yes
 Release Date : 2006-05-26

 Technical Description

 Multiple vulnerabilities have been identified in Basic Analysis and Security Engine (BASE), which could be exploited by attackers to execute arbitrary commands. These flaws are due to input validation errors in the base_qry_common.php, base_stat_common.php, and includes/base_include.inc.php scripts that do not validate the BASE_path parameter, which could be exploited by remote attackers to include malicious scripts and execute arbitrary commands with the privileges of the web server.


 Affected Products

 Basic Analysis and Security Engine (BASE) 1.2.4 and prior

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
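Kevin's point in both of his messages above (the include is only reachable when `register_globals` is on) and the advisory's description (an unvalidated `BASE_path` used to locate `includes/base_include.inc.php`) describe one well-known PHP pattern. The block below is an added example, not code from the BASE project, from the advisory, or from anyone on this thread: it shows the shape of the weak include beside a hardened one, so a maintainer reviewing a similar code base knows what to look for and what to replace it with. The names `BASE_path` and `includes/base_include.inc.php` come from the advisory; `BASE_ROOT`, the function names and the checks are constructed for this example, and `allow_url_include` is the standard PHP ini directive.

```php
<?php
// Added example, not BASE project code. Constructed to illustrate the
// register_globals-dependent include the thread discusses and its fix.

// --- Weak shape (what the advisory describes) ----------------------------
// If the script never assigns $BASE_path itself and register_globals=On,
// PHP populates it from a request parameter of the same name, so whoever
// sends the request chooses where the include comes from. With
// allow_url_include also on, that can even be a remote location.
function weak_include_target()
{
    global $BASE_path;   // may originate from the request, not from config
    return $BASE_path . '/includes/base_include.inc.php';
}

// --- Hardened shape -------------------------------------------------------
// 1. Anchor the application root to the script's own directory.
// 2. Never let a request-supplied variable name the directory.
// 3. Confirm the resolved file really lives under that root.
define('BASE_ROOT', realpath(__DIR__));

function safe_include_target(string $relative): string
{
    // Reject empty paths and embedded NUL bytes up front.
    if ($relative === '' || strpos($relative, "\0") !== false) {
        throw new InvalidArgumentException('empty or NUL-containing include path');
    }
    // realpath() returns false for missing files and collapses any "..",
    // so a plain prefix check against BASE_ROOT is enough afterwards.
    $candidate = realpath(BASE_ROOT . '/' . $relative);
    if ($candidate === false
        || strpos($candidate, BASE_ROOT . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('include target outside application root');
    }
    return $candidate;
}

// Startup guard: refuse to run if either ini setting that makes this class
// of bug reachable is enabled. ini_get() returns "" / "0" when a directive
// is off and false when it no longer exists (register_globals was removed
// in PHP 5.4), all of which are falsy here.
function config_is_hardened(): bool
{
    return !ini_get('register_globals') && !ini_get('allow_url_include');
}

// Usage at the top of each page:
//   if (!config_is_hardened()) { http_response_code(500); exit('unsafe PHP configuration'); }
//   require safe_include_target('includes/base_include.inc.php');
```

The two halves differ in where the directory comes from, not in how the include is spelled: the weak version trusts a global that the runtime may have filled from the request, while the hardened version derives the root from `__DIR__` and verifies the final path before `require` sees it. The `config_is_hardened()` guard is the cheap detection a deployer can add independently of any code fix.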