Bug#884463: passenger: CVE-2017-16355: arbitrary file read

2019-03-10 Thread Martin Chase
Hey,

It looks like version 5.0.30 is not impacted by the CVE[1], and to the
best of my abilities, I couldn't reproduce the insecure behavior.

I didn't try to read through the source to see if a fix patch *might*
still do something useful. Commit
4043718264095cde6623c2cbe8c644541036d7bf[2] does merge cleanly, build
and run, but I could not test that it fixes anything (being unable to
repro the bug). I've included a debdiff, if you want to include it
anyway (I only did a cursory test of the new package, so we would
maybe want to do more extensive verification that the patch doesn't
break anything).

Regards,
Martin

1: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16355
2: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf


debdiff
Description: Binary data


Bug#562011: request-tracker3.6: users forced to log in multiple times

2009-12-21 Thread Martin Chase
Subject: request-tracker3.6: users forced to log in multiple times
Package: request-tracker3.6
Version: 3.6.1-4+etch1
Severity: normal

Since the last update, users are forced to log in once to see the main page,
then again to look at a specific queue, and then again to see a ticket's
details.  This seems to be reported here:
  http://www.gossamer-threads.com/lists/rt/users/90794
with a patch and new packages written by Dominic, the maintainer.  I have not
tried them because I don't have a redundant rt server.

-- Package-specific info:
Changed files:

-- System Information:
Debian Release: 4.0
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-xen-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages request-tracker3.6 depends on:
ii  libapache-session-perl      1.81-1         Perl modules for keeping persisten
ii  libcache-cache-perl         1.05-2         Managed caches of persistent infor
ii  libcache-simple-timedexpir  0.26-1         Perl module to cache and expire ke
ii  libcalendar-simple-perl     1.17-2         Perl extension to create simple ca
ii  libclass-returnvalue-perl   0.53-1         A return-value object that lets yo
ii  libdbd-pg-perl              1.49-2+etch1   a PostgreSQL interface for Perl 5
ii  libdbi-perl                 1.53-1etch1    Perl5 database interface by Tim Bu
ii  libdbix-searchbuilder-perl  1.45-2         Encapsulate SQL queries and rows i
ii  libexception-class-perl     1.21-1         a module that allows you to declar
ii  libfcgi-perl                0.67-2         FastCGI Perl module
ii  libfreezethaw-perl          0.43-3         converting Perl structures to stri
ii  libgd-graph-perl            1.43.08-2.1    Graph Plotting Module for Perl 5
ii  libgd-text-perl             0.86-3.1       Text utilities for use with GD
ii  libhtml-mason-perl          1:1.35-3       HTML::Mason Perl module
ii  libhtml-parser-perl         3.55-1+etch1   A collection of modules that parse
ii  libhtml-scrubber-perl       0.08-3         Perl extension for scrubbing/sanit
ii  liblocale-maketext-fuzzy-p  0.02-2         Maketext from already interpolated
ii  liblocale-maketext-lexicon  0.62-1         Lexicon-handling backends for Loc
ii  liblog-dispatch-perl        2.11-1         Dispatches messages to multiple Lo
ii  libmailtools-perl           1.74-1         Manipulate email in perl programs
ii  libmime-perl                5.420-0.1      Perl5 modules for MIME-compliant m
ii  libmldbm-perl               2.01-1         Store multidimensional hash struct
ii  libmodule-versions-report-  1.02-3         Report versions of all modules in
ii  libparams-validate-perl     0.77-1         validate parameters to Perl method
ii  libregexp-common-perl       2.120-4        Provide commonly requested regular
ii  libterm-readkey-perl        2.30-3         A perl module for simple terminal
ii  libtest-inline-perl         2.103-1        Perl extension for embed tests and
ii  libtext-autoformat-perl     1.13-1         Perl module for automatic text wra
ii  libtext-quoted-perl         1.8-3          Extract the structure of a quoted
ii  libtext-template-perl       1.44-1.1       Text::Template perl module
ii  libtext-wikiformat-perl     0.78-0.1       translates Wiki formatted text int
ii  libtext-wrapper-perl        1.000-2        Simple word wrapping routine
ii  libtime-modules-perl        2003.1126-2    Various Perl modules for time/date
ii  libtree-simple-perl         1.17-1         A simple tree object
ii  libuniversal-require-perl   0.10-1         Load modules from a variable
ii  libxml-rss-perl             1.05-1         Perl module for managing RSS (RDF
ii  libxml-simple-perl          2.14-5         Perl module for reading and writin
ii  perl                        5.8.8-7etch6   Larry Wall's Practical Extraction
ii  postfix [mail-transport-ag  2.3.8-2+etch1  A high-performance mail transport
ii  rt3.6-apache2               3.6.1-4+etch1  Apache 2 specific files for reques
ii  rt3.6-clients               3.6.1-4+etch1  Mail gateway and command-line inte
ii  sysklogd [system-log-daemo  1.4.1-18       System Logging Daemon

Versions of packages request-tracker3.6 recommends:
pn  postgresql-8.1 | postgresql  <none>         (no description available)

-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#542680: ldm: ssh warnings force repetition of password entry

2009-08-20 Thread Martin Chase
Package: ldm
Version: 2:2.0.42-2
Severity: normal


the warning happens on our systems when ssh adds rsa key for 10.2.2...,
as we only have our hosts' keys listed by name.
the problem with ldm is that this warning leads to ldm seeming to forget
that the user typed in their password,
prompting for it again after a brief pause.

note that the cursor also does not start within the second password prompt,
and the user is forced to tab or click into it.
this is not unimportant,
as the root problem being fixed will obviate any need to address this.

please note that the dependencies listed below are for version 2:2.0.6-4,
but i couldn't get reportbug to run in the chroot (which uses squeeze).

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ldm depends on:
ii  gtk2-engines [gtk2-eng  1:2.14.3-2         theme engines for GTK+ 2.x
ii  libatk1.0-0             1.22.0-1           The ATK accessibility toolkit
ii  libc6                   2.7-18             GNU C Library: Shared libraries
ii  libcairo2               1.6.4-7            The Cairo 2D vector graphics libra
ii  libglib2.0-0            2.16.6-2           The GLib library of C routines
ii  libgtk2.0-0             2.12.12-1~lenny1   The GTK+ graphical user interface
ii  libpango1.0-0           1.20.5-5           Layout and rendering of internatio
ii  openssh-client          1:5.1p1-5          secure shell client, an rlogin/rsh
ii  ssh                     1:5.1p1-5          secure shell client and server (me
ii  xserver-xorg            1:7.3+19           the X.Org X server
ii  xserver-xorg-core [xse  2:1.4.2-10.lenny2  Xorg X server - core server

Versions of packages ldm recommends:
ii  netcat                        1.10-38    TCP/IP swiss army knife -- transit
ii  netcat-traditional [netcat]   1.10-38    TCP/IP swiss army knife

ldm suggests no packages.

-- no debconf information







Bug#416868: ltsp-server: example dhcpd.conf fails to mention next-server

2007-03-30 Thread martin chase
Package: ltsp-server
Version: 0.99debian11
Severity: important


the docs need to reference the need to specify a
next-server when using dhcp3.

-- Package-specific info:
packages in chroot: /opt/ltsp/i386
ii  initramfs-tools  0.85f        tools for generating an initramfs
ii  ldm  0.99debian11 LTSP display manager
ii  ltsp-client  0.99debian11 LTSP client environment

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages ltsp-server depends on:
ii  debconf [debconf-2.0]   1.5.11   Debian configuration management sy
ii  debconf-utils   1.5.11   debconf utilities
ii  debootstrap 0.3.3.2  Bootstrap a basic Debian system
ii  esound-clients  0.2.36-3 Enlightened Sound Daemon - clients
ii  gettext-base0.16.1-1 GNU Internationalization utilities
ii  iproute 20061002-3   Professional tools to control the 
ii  lsb-release 3.1-23.1 Linux Standard Base version report
ii  nfs-kernel-server   1:1.0.10-6   Kernel NFS server support
ii  openbsd-inetd [inet-superse 0.20050402-5 The OpenBSD Internet Superserver
ii  openssh-client  1:4.3p2-9Secure shell client, an rlogin/rsh
ii  python  2.4.4-2  An interactive high-level object-o
ii  ssh 1:4.3p2-9Secure shell client and server (tr
ii  tcpd7.6.dbs-13   Wietse Venema's TCP wrapper utilit
ii  tftpd-hpa   0.43-1.1 HPA's tftp server
ii  update-inetd4.27-0.4 inetd.conf updater

Versions of packages ltsp-server recommends:
pn  nbd-server           <none>     (no description available)
ii  openssh-server1:4.3p2-9  Secure shell server, an rshd repla
ii  ssh   1:4.3p2-9  Secure shell client and server (tr

-- debconf information:
  ltsp-server/build_client: false


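For reference, an added example (not the ltsp-server package's own example dhcpd.conf) of the next-server line the report asks the documentation to mention, for ISC dhcp3-server. The 192.168.0.0/24 addressing, the pxelinux path under the tftpd-hpa root and the root-path value are assumptions for illustration; adjust them to the site:

```conf
# Added example dhcpd.conf fragment for dhcp3-server serving LTSP thin
# clients. Illustrative only; addresses, the pxelinux path and the
# NFS root-path are assumed, not taken from the package.
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.20 192.168.0.250;
    option domain-name "example.com";
    option domain-name-servers 192.168.0.1;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    option subnet-mask 255.255.255.0;
    option root-path "/opt/ltsp/i386";

    # PXE clients fetch the boot loader via TFTP from next-server.
    # If it is omitted, the client falls back to the address of the
    # DHCP server that answered, which is wrong as soon as DHCP and
    # TFTP live on different hosts.
    next-server 192.168.0.254;
    filename "/ltsp/i386/pxelinux.0";
}
```

Both DHCP and TFTP are unauthenticated, so whichever host next-server names (or whichever host answers DHCP first on that segment) supplies the kernel and root filesystem the thin clients run; keep the DHCP and TFTP servers on a network segment the clients alone can reach.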



Bug#356989: installer fails on raid setup

2006-03-14 Thread Martin Chase
Package: installation-reports 


Boot method: CD
Image version: 2006-02-20 version 31r1 from a random mirror
Date: 2006-03-14 12:00 UTC 


Machine: random, consumer-grade, desktop parts
Processor: varied
Memory: varied
Partitions: 2 harddrives of different sizes, each with only an exactly
  15 GB partition, bootable, for RAID.  software RAID1 setup
  with the two drives.  RAID1 drive has a partition of 14.5 GB
  as the first partition, bootable, defaults, ext3, mounted at
  /. The remaining .5 GB as part5 is the swap partition.
  variations on this pattern. 


Output of lspci and lspci -n:
not available or very applicable 


Base System Installation Checklist:
[O] = OK, [E] = Error (please elaborate below), [ ] = didn't try it 


Initial boot worked:[O]
Configure network HW:   [O]
Config network: [O]
Detect CD:  [O]
Load installer modules: [O]
Detect hard drives: [O]
Partition hard drives:  [?]
Create file systems:[E]
Mount partitions:   [ ]
Install base system:[ ]
Install boot loader:[ ]
Reboot: [ ] 

Comments/Problems: 


the error is reported while making the filesystem, where tune2fs cannot
stat /dev/md/0p1, which indeed does not exist.  cfdisk on /dev/md/0
shows the partitions as being there, but the entries in /dev for the
partitions seem not to have been created.  i have tried rebooting after
creating the raid device, to no success.  i tried creating the
partitioning and software RAID by hand, and went through the steps
without apparent problems, but that /dev/md/0p1 did not get created
automatically, and i became as if stumped. 


i further tried it on two different systems with 5 different drives, in
total.  notably, none of the drives were the same size, but i made sure
to make only a single partition of the exact same size on any two
drives i was testing with. 


thanks for any help you can give.





Bug#308740: clamav-daemon setup hangs

2005-05-12 Thread martin chase
hey stephen,

On Thu, May 12, 2005 at 09:22:50AM -0400, Stephen Gran wrote:
> This one time, at band camp, [EMAIL PROTECTED] said:
>> while doing the setup step for the upgrade of clamav-daemon,
>> the process forks to ucf which hangs waiting for user input.
>
> Not here, at least.  Can you provide any additional detail?  How
> you came to this conclusion?  A way to reproduce?  I am afraid I am
> going to need more than that to find and fix this.

so i was running a woody system with a few backports (postfix, mostly),
and was doing a dist-upgrade.
clamav-daemon was coming in as version 0.84-1.
the process hung at Setting up clamav-daemon...,
dpkg strace'd to be a fork/wait4.
the particular command it made a call to was:

  /usr/bin/ucf --three-way --debconf-ok /var/lib/clamav/clamdrotate.debconf 
/etc/logrotate.d/clamav-daemon

which strace'd to be waiting in read(0, ...),
which is stdin.
that, when i ran it manually,
was sitting at the familiar blue menu of yes, no, or diff on some
config file in /etc/clamav/ which i must have changed.

i think it was that i had changed a config file that led to it not
working.
after i had run the command manually and ran dpkg --configure -a,
the clamav init script was complaining about StreamSaveToDisk not
being a recognized option,
which i then commented out,
so i must have missed something by running ucf manually...
my /etc/clamav/ dir now has a clamd.conf, clamd.conf.dpkg-dist and
clamav.conf.dpkg-old,
so it looks like there was at least a config file renaming between
versions.

i don't know about reproducing it,
as that was the only system i had clamav installed on,
and i don't know what version i was upgrading from.
i might have a backup of the entire system somewhere i could restore
from to learn more about the original environment.
i'll look for that.
is there a log file dpkg puts information into that would be useful to
you?

thanks, good luck


