Bug#1078779: ansible-core: Ansible not updating mtime on changed files, keeping old mtime!!!
Package: ansible-core
Version: 2.17.0,2.17.1,2.17.2,2.17.3
Severity: important
Tags: patch upstream
X-Debbugs-Cc: m...@mattgrant.net.nz

Dear Maintainer,

Ansible is not updating mtimes on the files it changes on a system. This breaks normal POSIX behaviour, and means make type configuration reloads don't work.

I found this when changing my firewall Shorewall configuration, and then found that iptables was not updated! Bind9 zone file reloading is also affected.

This 'oversight' in their programming is a critical bug.

Upstream bug reports are #83235 (one liner partial fix and applied as in attached patch), and #83805.

I am working with upstream to get these critical fixes integrated. I found this fix backporting latest Ansible to Bookworm for my local usage.

Cheers,

Matthew Grant

-- System Information:
Debian Release: 12.6, and Sid unstable
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.103-amd64-mag-lts (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ansible-core depends on:
ii openssh-client 1:9.2p1-2+deb12u3
ii python3 3.11.2-1+b1
ii python3-cryptography 38.0.4-3
ii python3-distutils 3.11.2-3
ii python3-dnspython 2.3.0-1
ii python3-httplib2 0.20.4-3
ii python3-jinja2 3.1.2-1
pn python3-netaddr
ii python3-packaging 23.0-1
ii python3-pycryptodome 3.11.0+dfsg1-4
ii python3-resolvelib 0.9.0-2
ii python3-yaml 6.0-3+b2

Versions of packages ansible-core recommends:
pn ansible
pn python3-argcomplete
pn python3-jmespath
pn python3-kerberos
pn python3-libcloud
ii python3-passlib 1.7.4-3
pn python3-selinux
pn python3-winrm
pn python3-xmltodict

Versions of packages ansible-core suggests:
pn cowsay
pn sshpass

Description:
atomic_move() mtime fix

Fix mtime not updating on ansible template or copy. This fixes the issue of mtimes on ansible 2.17+ not having the mtime/atime update when a templated or copied file is altered. This can lead to issues with software that uses a make type algorithm to detect changes on reload, such as Bind 9.x or Shorewall, the latter leading to possible security issues with firewalls not reloading as expected!

Author: Matthew Grant
Forwarded: upstream Ansible Bugs #83235 (applied upstream), #83805
Last-Update: 2024-08-16
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: ansible-core/lib/ansible/module_utils/basic.py === --- ansible-core.orig/lib/ansible/module_utils/basic.py +++ ansible-core/lib/ansible/module_utils/basic.py @@ -1598,6 +1598,7 @@ class AnsibleModule(object): dest_stat = os.stat(b_dest) os.chown(b_src, dest_stat.st_uid, dest_stat.st_gid) shutil.copystat(b_dest, b_src) +os.utime(b_src, (time.time(), time.time())) except OSError as e: if e.errno != errno.EPERM: raise @@ -1645,14 +1646,14 @@ class AnsibleModule(object): os.close(tmp_dest_fd) # leaves tmp file behind when sudo and not root try: -shutil.move(b_src, b_tmp_dest_name, copy_function=shutil.copy if keep_dest_attrs else shutil.copy2) +shutil.move(b_src, b_tmp_dest_name, copy_function=shutil.copy2 if keep_dest_attrs else shutil.copy) except OSError: # cleanup will happen by 'rm' of tmpdir # copy2 will preserve some metadata if keep_dest_attrs: -shutil.copy(b_src, b_tmp_dest_name) -else: shutil.copy2(b_src, b_tmp_dest_name) +else: +shutil.copy(b_src, b_tmp_dest_name) if self.selinux_enabled(): self.set_context_if_different( @@ -1661,6 +1662,8 @@ class AnsibleModule(object): tmp_stat = os.stat(b_tmp_dest_name) if keep_dest_attrs and dest_stat and (tmp_stat.st_uid != dest_stat.st_uid or tmp_stat.st_gid != dest_stat.st_gid): os.chown(b_tmp_dest_name, dest_stat.st_uid, dest_stat.st_gid) +if keep_de
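Review bot: In the `@@ -1598` hunk the added `os.utime(b_src, (time.time(), time.time()))` sits after `os.chown` and `shutil.copystat` inside the same `try`, and the `except OSError` below it swallows `EPERM`. If `os.chown` is refused, the new line never runs, and if `os.utime` itself is refused, nothing is reported, so the file can still be replaced with the old mtime, which is the outcome this patch is meant to prevent. Consider moving the timestamp update out of that `try` or warning when it is skipped. Calling `time.time()` twice also leaves atime and mtime slightly different; `os.utime(b_src, None)` sets both to the current time in one call. No `import time` is visible in the hunk, so confirm the module already has it.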
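Review bot: In the `@@ -1645` hunk the choice between `shutil.copy2` and `shutil.copy` is written twice, once in the `copy_function=` argument and again in the `except OSError` fallback, and both had to be flipped together. Bind the chosen function to a local once and use it in both places. The unchanged comment `# copy2 will preserve some metadata` should also be updated to say whose metadata is kept when `keep_dest_attrs` is set, since that is the behaviour this hunk changes.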
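An added illustration of the failure mode this report describes (not Ansible's code and not part of the report): a simplified model of the replace step from the patch's first hunk, with a make-style newer-than check standing in for the reload logic the report attributes to Shorewall and Bind 9. The function names `replace_file`, `needs_reload` and `demo`, the file names and the rule text are assumptions constructed for the example.

```python
import os
import shutil
import tempfile
import time


def replace_file(src, dest, refresh_mtime):
    """Simplified model of the same-filesystem replace step in the first hunk."""
    # As in the hunk: copy dest's metadata onto the staged file, so the
    # staged file inherits dest's old mtime and atime.
    shutil.copystat(dest, src)
    if refresh_mtime:
        # The line the patch adds: reset both timestamps to the current time.
        now = time.time()
        os.utime(src, (now, now))
    # Rename the staged file over the destination (assumed same filesystem).
    os.replace(src, dest)


def needs_reload(config, built):
    """Make-style staleness test: rebuild only if config is newer than built."""
    return os.stat(config).st_mtime > os.stat(built).st_mtime


def demo(refresh_mtime):
    """Return (content_changed, reload_triggered) for one simulated deploy."""
    with tempfile.TemporaryDirectory() as workdir:
        config = os.path.join(workdir, "rules")        # constructed sample config
        built = os.path.join(workdir, "rules.built")   # artefact from the last reload
        staged = os.path.join(workdir, "rules.staged")

        now = time.time()
        with open(config, "w") as fh:
            fh.write("ACCEPT tcp 22\n")
        os.utime(config, (now - 3600, now - 3600))     # edited an hour ago
        with open(built, "w") as fh:
            fh.write("compiled from rules\n")
        os.utime(built, (now - 1800, now - 1800))      # reloaded 30 minutes ago

        with open(staged, "w") as fh:                  # new content to deploy
            fh.write("ACCEPT tcp 22\nDROP tcp 23\n")
        replace_file(staged, config, refresh_mtime)

        with open(config) as fh:
            content_changed = "DROP tcp 23" in fh.read()
        return content_changed, needs_reload(config, built)


if __name__ == "__main__":
    print("without utime:", demo(refresh_mtime=False))
    print("with utime:   ", demo(refresh_mtime=True))
```

Without the timestamp refresh the new rule is on disk but the staleness check still reports nothing to do, which is how a changed firewall configuration can go unloaded.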
Bug#1023606: samba: IPv6 only samba-tool gpo listall does not work, can't find DC
Package: samba
Version: 4.16.5
Severity: important
Tags: patch upstream ipv6
X-Debbugs-Cc: m...@mattgrant.net.nz

This is reported upstream as Samba bug https://bugzilla.samba.org/show_bug.cgi?id=15226

Bug in central Samba DNS resolution code in IPv6 only environment. This one probably also affects domain sign up and join code, as well as samba-tool gpo functionality.

finddcs() does not resolve SRV records when there are only records in the DNS for the AD DC servers.

Patch attached. Please merge with Debian Samba packages.

-- System Information:
Debian Release: 11.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.75-amd64-mag-lts (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages samba depends on:
ii adduser 3.118
ii dpkg 1.20.12
ii init-system-helpers 1.60
ii libbsd0 0.11.3-1
ii libc6 2.31-13+deb11u5
ii libcups2 2.3.3op2-3+deb11u2
ii libgnutls30 3.7.1-5+deb11u2
ii libldap-2.4-2 2.4.57+dfsg-3+deb11u1
hi libldb2 2:2.4.1+mag-1
ii libpam-modules 1.4.0-9+deb11u1
ii libpam-runtime 1.4.0-9+deb11u1
ii libpopt0 1.18-2
pn libpython3.7
ii libpython3.9 3.9.2-1
ii libtalloc2 2.3.3+mag-1~0mag0
ii libtasn1-6 4.16.0-2
ii libtdb1 1.4.6+mag-1
ii libtevent0 0.11.0+mag-1~0mag0
ii libwbclient0 2:4.16.5+mag-2
ii lsb-base 11.1.0
ii procps 2:3.3.17-5
ii python3 3.9.2-3
ii python3-dnspython 2.0.0-1
pn python3-samba
pn samba-common
pn samba-common-bin
pn samba-libs
ii tdb-tools 1.4.6+mag-1

Versions of packages samba recommends:
ii attr 1:2.4.48-6
ii logrotate 3.18.0-2+deb11u1
ii python3-markdown 3.3.4-1
pn samba-dsdb-modules
pn samba-vfs-modules

Versions of packages samba suggests:
pn bind9
ii bind9-utils [bind9utils] 1:9.16.33-1~deb11u1
ii
bind9utils1:9.16.33-1~deb11u1 ii chrony4.0-8+deb11u2 pn ctdb ii ldb-tools 2:2.5.2+samba4.16.5+mag-2 ii smbldap-tools 0.9.11-2 pn ufw pn winbind diff --git a/source4/libcli/resolve/dns_ex.c b/source4/libcli/resolve/dns_ex.c index 0bb3ba02287..0525d0d019a 100644 --- a/source4/libcli/resolve/dns_ex.c +++ b/source4/libcli/resolve/dns_ex.c @@ -81,7 +81,7 @@ struct dns_records_container { uint32_t count; }; -static int reply_to_addrs(TALLOC_CTX *mem_ctx, uint32_t *a_num, +static int reply_to_addrs(TALLOC_CTX *mem_ctx, uint32_t *addr_num, char ***cur_addrs, uint32_t total, struct dns_request *reply, int port) { @@ -151,8 +151,8 @@ static int reply_to_addrs(TALLOC_CTX *mem_ctx, uint32_t *a_num, rr->name->pLabelList->label); if (addrs[total]) { total++; - if (rr->type == QTYPE_A) { - (*a_num)++; + if (rr->type == QTYPE_A || rr->type == QTYPE_) { + (*addr_num)++; } } } @@ -211,7 +211,7 @@ static struct dns_records_container get_a__records(TALLOC_CTX *mem_ctx, struct dns_request *reply; struct dns_records_container ret; char **addrs = NULL; - uint32_t a_num, total; + uint32_t addr_num, total; uint16_t qtype; TALLOC_CTX *tmp_ctx; DNS_ERROR err; @@ -236,12 +236,13 @@ static struct dns_records_container get_a__records(TALLOC_CTX *mem_ctx, } } - a_num = total = 0; - total = reply_to_addrs(tmp_ctx, &a_num, &addrs, total, reply, port); + addr_num = total = 0; + total = reply_to_addrs(tmp_ctx, &addr_num, &addrs, total, reply, port); - if (qtype == QTYPE_ && a_num == 0) { + if (qtype == QTYPE_ && addr_num == 0) { /* - * DNS server didn't returned A when asked for records. + * DNS server didn't returned A when asked for records, + * and no record returned either * Most of the server do it, let's ask for A specificaly. */ err = dns_lookup(tmp_ctx, name, QTYPE_A, &reply); @@ -249,7 +250,7 @@ static struct dns_records_container get_a__records(TALLOC_CTX *mem_ctx, goto done;
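Review bot: In the `reply_to_addrs()` hunks the out-parameter renamed from `a_num` to `addr_num` now counts two record types instead of `QTYPE_A` only, which changes what `addr_num == 0` means for the fallback `dns_lookup(tmp_ctx, name, QTYPE_A, &reply)` in the `@@ -236` hunk: it now fires only when the first reply held no address record of either type. Add a short comment on the parameter stating what is counted, and check any other caller of `reply_to_addrs()` that relied on the old A-only count. The reworded comment in that hunk still reads "didn't returned" and "specificaly", which is worth fixing while the block is being touched.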
Bug#1012783: samba: Non upstream changes in source tarball
Source: samba Version: 4.16.2 Severity: normal Dear Maintainer, Your package source includes changes that are not in the upstream tarball for 4.16.2. Specifically, these are build generated manpages, and html files. The list of them is below. You can remove these files from the samba git master package branch on a clean repository by using git rm for each one: # git checkout master # git reset --hard # git clean -fdx # for F in `cat file-list.txt`; do git rm $F; done and then git commit the changes. List of files: ctdb/doc/ctdb-etcd.7 ctdb/doc/ctdb-etcd.7.html ctdb/doc/ctdb-script.options.5 ctdb/doc/ctdb-script.options.5.html ctdb/doc/ctdb-statistics.7 ctdb/doc/ctdb-tunables.7 ctdb/doc/ctdb.1 ctdb/doc/ctdb.1.html ctdb/doc/ctdb.7 ctdb/doc/ctdb.7.html ctdb/doc/ctdb.conf.5 ctdb/doc/ctdb.conf.5.html ctdb/doc/ctdb.sysconfig.5 ctdb/doc/ctdb_diagnostics.1 ctdb/doc/ctdb_mutex_ceph_rados_helper.7 ctdb/doc/ctdb_mutex_ceph_rados_helper.7.html ctdb/doc/ctdbd.1 ctdb/doc/ctdbd_wrapper.1 ctdb/doc/ltdbtool.1 ctdb/doc/onnode.1 ctdb/doc/ping_pong.1 docs/manpages/cifsdd.8 docs/manpages/dbwrap_tool.1 docs/manpages/eventlogadm.8 docs/manpages/idmap_ad.8 docs/manpages/idmap_autorid.8 docs/manpages/idmap_hash.8 docs/manpages/idmap_ldap.8 docs/manpages/idmap_nss.8 docs/manpages/idmap_rfc2307.8 docs/manpages/idmap_rid.8 docs/manpages/idmap_script.8 docs/manpages/idmap_tdb.8 docs/manpages/idmap_tdb2.8 docs/manpages/libsmbclient.7 docs/manpages/lmhosts.5 docs/manpages/log2pcap.1 docs/manpages/mvxattr.1 docs/manpages/net.8 docs/manpages/nmbd.8 docs/manpages/nmblookup.1 docs/manpages/ntlm_auth.1 docs/manpages/pam_winbind.8 docs/manpages/pam_winbind.conf.5 docs/manpages/pdbedit.8 docs/manpages/profiles.1 docs/manpages/rpcclient.1 docs/manpages/samba-regedit.8 docs/manpages/samba-tool.8 docs/manpages/samba.7 docs/manpages/samba.8 docs/manpages/samba_downgrade_db.8 docs/manpages/sharesec.1 docs/manpages/smb.conf.5 docs/manpages/smbcacls.1 docs/manpages/smbclient.1 docs/manpages/smbcontrol.1 
docs/manpages/smbcquotas.1 docs/manpages/smbd.8 docs/manpages/smbget.1 docs/manpages/smbgetrc.5 docs/manpages/smbpasswd.5 docs/manpages/smbpasswd.8 docs/manpages/smbspool.8 docs/manpages/smbspool_krb5_wrapper.8 docs/manpages/smbstatus.1 docs/manpages/smbtar.1 docs/manpages/smbtree.1 docs/manpages/testparm.1 docs/manpages/traffic_learner.7 docs/manpages/traffic_replay.7 docs/manpages/vfs_acl_tdb.8 docs/manpages/vfs_acl_xattr.8 docs/manpages/vfs_aio_fork.8 docs/manpages/vfs_aio_pthread.8 docs/manpages/vfs_audit.8 docs/manpages/vfs_btrfs.8 docs/manpages/vfs_cacheprime.8 docs/manpages/vfs_cap.8 docs/manpages/vfs_catia.8 docs/manpages/vfs_ceph.8 docs/manpages/vfs_ceph_snapshots.8 docs/manpages/vfs_commit.8 docs/manpages/vfs_crossrename.8 docs/manpages/vfs_default_quota.8 docs/manpages/vfs_dirsort.8 docs/manpages/vfs_extd_audit.8 docs/manpages/vfs_fake_perms.8 docs/manpages/vfs_fileid.8 docs/manpages/vfs_fruit.8 docs/manpages/vfs_full_audit.8 docs/manpages/vfs_glusterfs.8 docs/manpages/vfs_glusterfs_fuse.8 docs/manpages/vfs_gpfs.8 docs/manpages/vfs_io_uring.8 docs/manpages/vfs_linux_xfs_sgid.8 docs/manpages/vfs_media_harmony.8 docs/manpages/vfs_nfs4acl_xattr.8 docs/manpages/vfs_offline.8 docs/manpages/vfs_prealloc.8 docs/manpages/vfs_preopen.8 docs/manpages/vfs_readahead.8 docs/manpages/vfs_readonly.8 docs/manpages/vfs_recycle.8 docs/manpages/vfs_shadow_copy.8 docs/manpages/vfs_shadow_copy2.8 docs/manpages/vfs_shell_snap.8 docs/manpages/vfs_snapper.8 docs/manpages/vfs_streams_depot.8 docs/manpages/vfs_streams_xattr.8 docs/manpages/vfs_syncops.8 docs/manpages/vfs_time_audit.8 docs/manpages/vfs_tsmsm.8 docs/manpages/vfs_unityed_media.8 docs/manpages/vfs_virusfilter.8 docs/manpages/vfs_widelinks.8 docs/manpages/vfs_worm.8 docs/manpages/vfs_xattr_tdb.8 docs/manpages/vfs_zfsacl.8 docs/manpages/vfstest.1 docs/manpages/wbinfo.1 docs/manpages/winbind_krb5_localauth.8 docs/manpages/winbind_krb5_locator.8 docs/manpages/winbindd.8 docs/manpages/winexe.1 docs/manpages/mdsearch.1 
docs/manpages/samba-bgqd.8 docs/manpages/samba-dcerpcd.8 docs/manpages/vfs_expand_msdfs.8 -- Package-specific info: * /etc/samba/smb.conf present, but not attached * /var/lib/samba/dhcp.conf not present -- System Information: Debian Release: 11.3 APT prefers stable-security APT policy: (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 5.15.46-amd64-mag-lts (SMP w/8 CPU threads) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled -- no debconf information
Bug#1012240: winbind does not return AD groups a user is a member of AT ALL, or only one
Package: winbind
Version: 2:4.16.1+mag-1
Severity: important

Dear Maintainer,

I have rebuilt samba 4.16.1 packages as I am including a samba INTERNAL DNS patch, but I have not altered the packaging significantly other than this, and have not touched winbind.

I have been finding that when I login to the machine using a user from samba AD, with groups from samba AD, none of those AD groups that user is a member of show up in the output from the 'groups' command.

Furthermore:

shalom: -root- [/home/admin]
# wbinfo -r grantma
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user grantma

And in the samba logs:

[2022/06/02 16:30:45.687576, 0] ../../source3/winbindd/winbindd_samr.c:71(open_internal_samr_conn)
open_internal_samr_conn: Could not connect to samr pipe: NT_STATUS_ACCESS_DENIED

The above works fine when the samba package is installed along with winbind. After the call I find that the following programs are running:

shalom: -root- [/home/admin]
# ps -ef | grep samba
root 139564 1 0 16:29 ? 00:00:00 /usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=40 --np-helper --debuglevel=0
root 139574 139564 0 16:29 ? 00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=5 --debuglevel=0
root 139576 139564 0 16:29 ? 00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=6 --debuglevel=0
root 139578 139564 0 16:29 ? 00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=7 --debuglevel=0
root 139580 139564 0 16:29 ? 00:00:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=4 --worker-index=8 --debuglevel=0
root 139583 136857 0 16:29 pts/5 00:00:00 grep samba

When the above binaries' permissions are set by:

shalom: -root- [/home/admin]
# chmod 400 /usr/libexec/samba/samba-dcerpcd /usr/libexec/samba/rpcd_lsad

the following happens:

shalom: -root- [/home/admin]
# chmod 400 /usr/libexec/samba/samba-dcerpcd /usr/libexec/samba/rpcd_lsad

It appears that winbind needs samba-dcerpcd and rpcd_lsad to function correctly.

Could these binaries and dependent libraries be moved to the winbind package please?

Thank you!

Matt Grant

-- Package-specific info:
* /etc/samba/smb.conf present, and attached
* /var/lib/samba/dhcp.conf not present

-- System Information:
Debian Release: 11.3
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.40-amd64-mag-lts (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages winbind depends on:
ii init-system-helpers 1.60
ii libbsd0 0.11.3-1
ii libc6 2.31-13+deb11u3
ii libgnutls30 3.7.1-5
ii libldap-2.4-2 2.4.57+dfsg-3+deb11u1
ii libpopt0 1.18-2
ii libtalloc2 2.3.3+mag-1~0mag0
ii libtdb1 1.4.6+mag-1
ii libtevent0 0.11.0+mag-1~0mag0
ii libwbclient0 2:4.16.1+mag-1
ii lsb-base 11.1.0
ii samba-common 2:4.16.1+mag-1
ii samba-common-bin 2:4.16.1+mag-1
ii samba-libs 2:4.16.1+mag-1

winbind recommends no packages.

Versions of packages winbind suggests:
ii libnss-winbind 2:4.16.1+mag-1
ii libpam-winbind 2:4.16.1+mag-1

-- no debconf information

[Global]
netbios name = SHALOM
realm = AD.ANATHOTH.NET
workgroup = AD
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
server string = %h DebianLinux Host
security = ads
client signing = auto
server signing = auto
# TLS setup
tls certfile = /etc/ipsec.d/certs/anathoth_shalom.ad.anathoth.net.crt
tls keyfile = /etc/ipsec.d/private/anathoth_shalom.ad.anathoth.net.key
tls cafile = /etc/ipsec.d/cacerts/anathoth_vpn_ca.crt
# Winbind settings
#
# Winbind idmap setup
idmap config * : backend = autorid
idmap config * : range = 20-200020
idmap config * : rangesize = 20
idmap config AD : backend = ad
idmap config AD : range = 1-5
idmap config AD : unix_primary_group = yes
idmap config AD : unix_nss_info = yes
# Winbind offline logon
winbind offline logon = no
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
winbind refresh tickets = yes
winbind cache time = 300
template shell = /bin/bash
template homedir = /home/%D/%U
Bug#1005270: ITP: wsdd -- The Web Service Discovery Daemon, to announce hosts for the Windows Network Browser
Package: wnpp
Severity: wishlist
Owner: Matthew Grant
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: wsdd
  Version : 0.7.0
  Upstream Author : Steffan Christgau
* URL : https://github.com/christgau/wsdd
* License : MIT License
  Programming Lang: Python 3
  Description : The Web Service Discovery Daemon, to announce hosts for the Windows Network Browser

This daemon is used to announce Linux Hosts to Windows 7+ computers for use in their File Manager network browsing, by using the Windows Services Discovery Protocol. This protocol is a local network segment protocol, which is multicasted on udp/3072, and incoming on tcp/5357 on the 239.255.255.250/ff02::c multicast addresses.

It DOES have security issues, but it is designed for use in a trusted environment inside a firewall. It's quite useful for Samba, taking over from WINS and the Samba nmbd daemon. Installing this restores the Network browsing functionality to Windows 7+ Samba clients.

I am initially getting it packaged and accepted, dealing with initial bugs, and then will pass it on to the Debian Python Maintainers Team of which I am a member.
Bug#970903: RM: dms/oldstable -- ROM; removing until have time to revamp it
Package: ftp.debian.org
Severity: normal

Hi!

Could you please remove the package from unstable as I honestly don't have the time at the moment to revamp the package for modern Debian. I am about to take it out of use probably for myself, as I am focusing on Samba server development and IPv6 for my current employer.

Some time in the future when I have spare time I may start work on this project again, but I am officially putting it on hold for now.

Thank you so much for doing this.

Best Regards,

Matt Grant
Bug#918143: python3-daemon: DaemonRunner.__init__ failing with Python3 when opening stderr
Package: python3-daemon
Version: 2.1.2-2
Severity: important
Tags: upstream patch

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

* What led up to the situation?
* What exactly did you do (or not do) that was effective (or ineffective)?
* What was the outcome of this action?
* What outcome did you expect instead?

*** End of the template - remove these template lines ***

Packaging zfs-snap-manager. Uses DaemonRunner to fork into background. Problem with opening stderr in DaemonRunner.__init__. With Python3 buffering argument to open() should be set to 1 for line buffering.

This class fails to work with Python3, rendering this package mostly unusable.

-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.12-amd64-mag (SMP w/8 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-daemon depends on:
ii python3 3.7.1-3
ii python3-lockfile 1:0.12.2-2
ii python3-pkg-resources 40.6.2-1

python3-daemon recommends no packages.

python3-daemon suggests no packages.

-- no debconf information

Index: python-daemon-2.1.2/daemon/runner.py === --- python-daemon-2.1.2.orig/daemon/runner.py +++ python-daemon-2.1.2/daemon/runner.py @@ -37,6 +37,9 @@ from .daemon import (basestring, unicode from .daemon import DaemonContext from .daemon import _chain_exception_from_existing_exception_context +# Sort out buffering constant for open() +BUFFERING = (1 if sys.version_info.major >= 3 else 0) + class DaemonRunnerError(Exception): """ Abstract base class for errors from DaemonRunner. """ 
@@ -110,7 +113,7 @@ class DaemonRunner: self.daemon_context.stdin = open(app.stdin_path, 'rt') self.daemon_context.stdout = open(app.stdout_path, 'w+t') self.daemon_context.stderr = open( -app.stderr_path, 'w+t', buffering=0) +app.stderr_path, 'w+t', buffering=BUFFERING) self.pidfile = None if app.pidfile_path is not None:
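Review bot: `BUFFERING` in the first hunk reads `sys.version_info`, but no `import sys` is visible in the context lines, so confirm runner.py already imports it. The comment `# Sort out buffering constant for open()` should also say why the constant exists: Python 3 raises ValueError for `buffering=0` on a text-mode file such as the `'w+t'` stderr stream opened in the second hunk, and 1 selects line buffering there.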
Bug#774519: unblock: netscript-2.4/5.4.8
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package netscript-2.4

2 serious bugs have been fixed in 5.4.8:

#717871 netscript: fails to install due to insserv rejecting the script header: There is a loop between service networking and netscript if started

This is due to the ifupdown providing insserv support for $network, and netscript-2.4 also doing the same. Both packages configure networking. The setting for $network is configured in /etc/insserv/insserv.conf, but there is no way of overriding that, is there?

This is fixed by removing init.d support for insserv/sysvinit, and depending on systemd-sysv

#773772/#773773 netscript-2.4: Interface names with '-' in them cannot be set up, and network configuration fails.

Netscript overloads variable names by adding the interface name at the start. '-' are not acceptable parts of /bin/bash environment variable names. The changes for this convert '-' in interface names to '_', which also should be done to interface names in /etc/netscript/network.conf

This bug was fixed in 5.4.7 and I forgot to put a 'Closes' in the changelog and had to close #773772/3 via the bugs.debian.org control interface.

A small fix involving quoting misplacement to do with bridge configuration is also in 5.4.8. I know this is a minor change that fixes an 'Important' level bug I found.

I am the upstream author for Netscript and a Debian Developer (since the early 2000s), and upstream is actually released directly into Debian, hence no -1 -2 package release levels. It was one of my first Debian packages. I would release it differently now. It has functional heuristics that would be nice to have in ifupdown. The useful iptables handling is available as a separate package netscript-ipfilter, which is better than iptables-persistent as it has history, and 'helper' chains.

The above fixes are all minor 5.4.x version bug fixes. Note that new 5.x functionality has been added.

Please unblock the package, even though it has the bridge handling quoting fixes.

All the above has been tested on an openstack server on Jessie/unstable I am setting up to learn about Openstack

Changelog entries for 5.4.7 and 5.4.8

(include/attach the debdiff against the package in testing)

unblock netscript-2.4/5.4.8

-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_NZ.utf8, LC_CTYPE=en_NZ.utf8 (charmap=UTF-8)

diff -Nru netscript-2.4-5.4.6/debian/changelog netscript-2.4-5.4.8/debian/changelog --- netscript-2.4-5.4.6/debian/changelog 2014-12-22 19:48:40.0 +1300 +++ netscript-2.4-5.4.8/debian/changelog 2014-12-23 18:05:08.0 +1300 @@ -1,6 +1,21 @@ +netscript-2.4 (5.4.8) unstable; urgency=medium + + * Remove sysvint/inserv support for package. (Closes: #771871) +Revert totally removing ifupdown emulation/Provides as this breaks too +many things. This just removes the dependency loop in /etc/init.d files +which is unfixable. + + -- Matthew Grant Tue, 23 Dec 2014 17:50:04 +1300 + +netscript-2.4 (5.4.7) unstable; urgency=medium + + * Convert '-' in interface names to '_' (Closes: #773772) + + -- Matthew Grant Mon, 22 Dec 2014 21:10:30 +1300 + netscript-2.4 (5.4.6) unstable; urgency=medium - * Remove ifupdown emulation (Closes: #771871) + * Remove ifupdown emulation -- Matthew Grant Mon, 22 Dec 2014 19:48:20 +1300 diff -Nru netscript-2.4-5.4.6/debian/control netscript-2.4-5.4.8/debian/control --- netscript-2.4-5.4.6/debian/control 2014-12-22 19:50:08.0 +1300 +++ netscript-2.4-5.4.8/debian/control 2014-12-23 18:06:20.0 +1300 
@@ -7,8 +7,8 @@ Package: netscript-2.4 Architecture: all -Depends: iproute2 | iproute (>= 20001007), bridge-utils (>= 0.9.3), iptables, netbase, bash (>= 2.03), isc-dhcp-client | dhcpcd | pump, ${misc:Depends} -Provides: netscript +Depends: iproute2 | iproute (>= 20001007), bridge-utils (>= 0.9.3), iptables, netbase, bash (>= 2.03), isc-dhcp-client | dhcpcd | pump, systemd-sysv, ${misc:Depends} +Provides: netscript, ifupdown Conflicts: netscript, netscript-2.2, ifupdown, netscript-ipfilter Replaces: netscript, ifupdown Suggests: whereami, dnsmasq, resolvconf, wpasupplicant, wicd, quagga, radvd, bird diff -Nru netscript-2.4-5.4.6/debian/netscript-2.4.links netscript-2.4-5.4.8/debian/netscript-2.4.links --- netscript-2.4-5.4.6/debian/netscript-2.4.links 2014-12-22 19:46:26.0 +1300 +++ netscript-2.4-5.4.8/debian/netscript-2.4.links 2014-12-23 17:43:57.0 +1300 @@ -2,3 +2,7 @@ usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/if.conf.5.gz usr/share/man/man5/netscript-2.4.conf.5.gz usr/share/man/man5/qos.conf.5.gz usr/share/man/ma
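Review bot: The new 5.4.8 entry in the debian/changelog hunk closes #771871, while the unblock request above names #717871 as the insserv loop bug; one of the two numbers is transposed, and a wrong `Closes:` would close an unrelated bug on upload. The same entry spells sysvinit/insserv as `sysvint/inserv`.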
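Review bot: The debian/control hunk adds `systemd-sysv` as a hard `Depends`, which fixes the init system for every install of the package, yet the 5.4.8 changelog entry only mentions removing sysvinit/insserv support. Record the new dependency in the changelog so the behaviour change is visible to anyone reviewing the upload.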
Bug#773773: netscript-2.4: Interface names with '-' in them cannot be set up, network configuration fails.
Package: netscript-2.4 Version: 5.4.5 Severity: important Tags: patch Dear Maintainer, * What led up to the situation Setting up a machine to run Open Stack on it, and the OpenVSwitch bridges were named "br-ex" and "br-int" Configuring interface: eth0 br0 man0Error: argument "ex_MTU:-" is wrong: Invalid "mtu" value Error: an inet prefix is expected rather than "ex". Error: an inet prefix is expected rather than "ex". Error: argument "ex_TXQLEN:-" is wrong: Invalid "txqueuelen" value br-exError: argument "int_MTU:-" is wrong: Invalid "mtu" value Error: an inet prefix is expected rather than "int". Error: an inet prefix is expected rather than "int". Error: argument "int_TXQLEN:-" is wrong: Invalid "txqueuelen" value br-intError: argument "man0_MTU:-" is wrong: Invalid "mtu" value Error: an inet prefix is expected rather than "man0". Error: an inet prefix is expected rather than "man0". Error: argument "man0_TXQLEN:-" is wrong: Invalid "txqueuelen" value brg-man0Error: argument "ex0_MTU:-" is wrong: Invalid "mtu" value Error: an inet prefix is expected rather than "ex0". Error: an inet prefix is expected rather than "ex0". Error: argument "ex0_TXQLEN:-" is wrong: Invalid "txqueuelen" value brg-ex0. This is quite a problem. Investigated and found that it is a limitation of the way the package configuration parses shell environment variables. -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_NZ.utf8, LC_CTYPE=en_NZ.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages netscript-2.4 depends on: ii bash 4.3-11+b1 ii bridge-utils 1.5-9 ii init-system-helpers 1.22 ii iproute 1:3.16.0-2 ii iproute2 3.16.0-2 ii iptables 1.4.21-2+b1 ii isc-dhcp-client 4.3.1-5 ii netbase 5.3 netscript-2.4 recommends no packages. 
Versions of packages netscript-2.4 suggests: ii bird 1.4.5-1 ii dnsmasq2.72-2 pn quagga ii radvd 1:1.9.1-1.3 ii resolvconf 1.77~0mag01 pn whereami pn wicd ii wpasupplicant 2.3-1 -- Configuration Files: /etc/netscript/network.conf changed: VERBOSE=YES IPV6_MODULE=NO IPV6_DISABLE=NO IPV4_FWDING_KERNEL=YES IPV6_FWDING_KERNEL=YES NET_GLOBAL_SYSCTL=" ipv4/ip_nonlocal_bind NO ipv4/ip_dynaddr NO ipv4/icmp_echo_ignore_all NO ipv4/icmp_echo_ignore_broadcasts YES ipv4/tcp_ecn NO " BACKUP_LEVELS=3 IF_AUTO="eth0 brg0 blan0 bdmz0 baoe0 binet1 bwan0 br0" IF_DYNAMIC="ppp0" ALLIF_ACCEPT_REDIRECTS=NO IF_DEFAULT_IPV6_DISABLE=NO DEF_IP_SPOOF=YES DEF_IP_KRNL_LOGMARTIANS=YES BRG_SWITCH=no blan0_IPADDR="192.168.110.35/24_brd_192.168.110.255 fd14:828:ba69:1:ae22:bff:fe28:13ab/64 2001:470:f012:1:ae22:bff:fe28:13ab/64" brg0_IPADDR="172.31.7.1/24_brd_172.31.7.255 fd14:828:ba69:7::1/64 2001:470:f012:7::1/64" baoe0_IPADDR="fd14:828:ba69:f::2/64" blan0_IP_SPOOF=YES brg0_IP_SPOOF=YES blan0_IP_KRNL_LOGMARTIANS=YES brg0_IP_KRNL_LOGMARTIANS=NO binet1_IP_KRNL_LOGMARTIANS=NO bdmz0_IP_KRNL_LOGMARTIANS=NO eth0_IPV6_DISABLE=YES binet1_IPV6_DISABLE=YES bdmz0_IPV6_DISABLE=YES br0_IPV6_DISABLE=YES bwan0_IPV6_DISABLE=YES baoe0_IPV6_DISABLE=NO blan0_IPV6_DISABLE=NO brg0_IPV6_DISABLE=NO baoe0_IPV6_FWDING=NO blan0_IPV6_ACCEPT_RA=YES blan0_IPV6_ACCEPT_RA_PINFO=NO blan0_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=64 blan0_IPV6_ROUTER_SOLICITATIONS=YES blan0_RESOLVCONF="options edns0 inet6\nsearch internal.anathoth.net anathoth.net\nnameserver fd14:828:ba69:1:21c:f0ff:fefa:f3c0" ppp_FAIRQ=YES ppp_TXQLEN=30 ppp0_start () { # don't run pppd if link already exists... [ -f /var/run/$1.pid ] && kill -0 `cat /var/run/$1.pid` && return 0 # call ISP pppd call avpptp0 } ppp_stop () { [ ! 
-f /var/run/$1.pid ] && return 0 qt kill `cat /var/run/$1.pid` sleep 5 # Wait for pppd to die } ppp0_network_ppp () { ip route replace 192.168.6.0/24 via 192.168.6.2 dev ppp0 ip route replace 111.65.225.99/32 via 192.168.6.2 dev ppp0 } MRK_CRIT=0x1 # Critical traffic, routing, DNS MRK_IA=0x2 # Interactive traffic - telnet, ssh, IRC MRK_T1=0xa MRK_T2=0x14 CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh" IPV6_CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh" MANGLE_OUTPUT_BYPASS="gre_0/0 esp_0/0 ah_0/0 ipip_0/0 encap_0/0" IPV6_MANGLE_OUTPUT_BYPASS="gre_0/0 esp_0/0 ipip_0/0 encap_0/0" LOG_LEVEL=warning LOG_MAXRATE=3 # messages per second LOG_TARGET=REJECT IPV6_LOG_TARGET=REJECT IPV6_ICMPHOST
Bug#773772: netscript-2.4: Interface names with '-' in them cannot be set up, and network configuration fails.
Package: netscript-2.4
Version: 5.4.5
Severity: important

Dear Maintainer,

-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_NZ.utf8, LC_CTYPE=en_NZ.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages netscript-2.4 depends on:
ii bash 4.3-11+b1
ii bridge-utils 1.5-9
ii init-system-helpers 1.22
ii iproute 1:3.16.0-2
ii iproute2 3.16.0-2
ii iptables 1.4.21-2+b1
ii isc-dhcp-client 4.3.1-5
ii netbase 5.3

netscript-2.4 recommends no packages.

Versions of packages netscript-2.4 suggests:
ii bird 1.4.5-1
ii dnsmasq 2.72-2
pn quagga
ii radvd 1:1.9.1-1.3
ii resolvconf 1.77~0mag01
pn whereami
pn wicd
ii wpasupplicant 2.3-1

-- Configuration Files:
/etc/netscript/network.conf changed:
VERBOSE=YES
IPV6_MODULE=NO
IPV6_DISABLE=NO
IPV4_FWDING_KERNEL=YES
IPV6_FWDING_KERNEL=YES
NET_GLOBAL_SYSCTL="
ipv4/ip_nonlocal_bind NO
ipv4/ip_dynaddr NO
ipv4/icmp_echo_ignore_all NO
ipv4/icmp_echo_ignore_broadcasts YES
ipv4/tcp_ecn NO
"
BACKUP_LEVELS=3
IF_AUTO="eth0 brg0 blan0 bdmz0 baoe0 binet1 bwan0 br0"
IF_DYNAMIC="ppp0"
ALLIF_ACCEPT_REDIRECTS=NO
IF_DEFAULT_IPV6_DISABLE=NO
DEF_IP_SPOOF=YES
DEF_IP_KRNL_LOGMARTIANS=YES
BRG_SWITCH=no
blan0_IPADDR="192.168.110.35/24_brd_192.168.110.255 fd14:828:ba69:1:ae22:bff:fe28:13ab/64 2001:470:f012:1:ae22:bff:fe28:13ab/64"
brg0_IPADDR="172.31.7.1/24_brd_172.31.7.255 fd14:828:ba69:7::1/64 2001:470:f012:7::1/64"
baoe0_IPADDR="fd14:828:ba69:f::2/64"
blan0_IP_SPOOF=YES
brg0_IP_SPOOF=YES
blan0_IP_KRNL_LOGMARTIANS=YES
brg0_IP_KRNL_LOGMARTIANS=NO
binet1_IP_KRNL_LOGMARTIANS=NO
bdmz0_IP_KRNL_LOGMARTIANS=NO
eth0_IPV6_DISABLE=YES
binet1_IPV6_DISABLE=YES
bdmz0_IPV6_DISABLE=YES
br0_IPV6_DISABLE=YES
bwan0_IPV6_DISABLE=YES
baoe0_IPV6_DISABLE=NO
blan0_IPV6_DISABLE=NO
brg0_IPV6_DISABLE=NO
baoe0_IPV6_FWDING=NO
blan0_IPV6_ACCEPT_RA=YES
blan0_IPV6_ACCEPT_RA_PINFO=NO
blan0_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=64
blan0_IPV6_ROUTER_SOLICITATIONS=YES
blan0_RESOLVCONF="options edns0 inet6\nsearch internal.anathoth.net anathoth.net\nnameserver fd14:828:ba69:1:21c:f0ff:fefa:f3c0"
ppp_FAIRQ=YES
ppp_TXQLEN=30
ppp0_start () {
	# don't run pppd if link already exists...
	[ -f /var/run/$1.pid ] && kill -0 `cat /var/run/$1.pid` && return 0
	# call ISP
	pppd call avpptp0
}
ppp_stop () {
	[ ! -f /var/run/$1.pid ] && return 0
	qt kill `cat /var/run/$1.pid`
	sleep 5 # Wait for pppd to die
}
ppp0_network_ppp () {
	ip route replace 192.168.6.0/24 via 192.168.6.2 dev ppp0
	ip route replace 111.65.225.99/32 via 192.168.6.2 dev ppp0
}
MRK_CRIT=0x1 # Critical traffic, routing, DNS
MRK_IA=0x2 # Interactive traffic - telnet, ssh, IRC
MRK_T1=0xa
MRK_T2=0x14
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"
IPV6_CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"
MANGLE_OUTPUT_BYPASS="gre_0/0 esp_0/0 ah_0/0 ipip_0/0 encap_0/0"
IPV6_MANGLE_OUTPUT_BYPASS="gre_0/0 esp_0/0 ipip_0/0 encap_0/0"
LOG_LEVEL=warning
LOG_MAXRATE=3 # messages per second
LOG_TARGET=REJECT
IPV6_LOG_TARGET=REJECT
IPV6_ICMPHOST_MAXRATE=200 # messages per second
IPV6_ICMPFWD_MAXRATE=1000 # messages per second
IPV6_ICMPHOST_OPTIONAL="redirect 144 145 146 147"
IPV6_ICMPFWD_OPTIONAL="144 145 146 147"
MARTIAN_BYPASS="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
IPV6_MARTIAN_BYPASS="fd14:828:ba69::/48"
MARTIAN_NETS="" # List of additional martian/invalid
                # IP source addresses - network/mask
IPV6_MARTIAN_NETS=""
LOG_NOISE="NO"
IPV6_LOG_NOISE="NO"
INGRESS_IPS="127.0.0.1 203.79.116.183 192.168.110.254 172.31.10.254"
IPV6_INGRESS_IPS="fd14:828:ba69:1::254 2001:470:f012::254 fd14:828:ba69:2::254 2001:470:f012:2::254 2001:470:c:2e6::2"
INGRESS_FWD_NETS="127.0.0.0/8"
IPV6_INGRESS_FWD_NETS="::1"
SNMP_MANAGER_IPS="192.168.1.1"
IPV6_SNMP_MANAGER_IPS="::1"
SNMP_DEST_BLOCK=0/0
IPV6_SNMP_DEST_BLOCK=::/0
IP_BLOCKS="203.79.116.183/32"
IPV6_IP_BLOCKS="2001:470:f012::/48"
SMB_BLOCK=YES
SNMP_BLOCK=YES
IPV6_OUT_TARGET=RETURN

-- no debconf inf
Bug#755350: owncloud-client: Invisible icon in systray on Gnome 3.12
Package: owncloud-client
Version: 1.6.1+dfsg-1
Severity: normal

Dear Maintainer,

Shows up in 3.8, not there in 3.12. Had me quite puzzled for a while as I thought the application was not working as it should. Shows up as a blank square as you do a mouseover in Gnome shell sys tray.

Cheers, Matt

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages owncloud-client depends on:
ii libc6 2.19-7
ii libgcc1 1:4.9.1-1
ii libowncloudsync0 1.6.1+dfsg-1
ii libqt5core5a 5.3.1+dfsg-3
ii libqt5dbus5 5.3.1+dfsg-3
ii libqt5gui5 5.3.1+dfsg-3
ii libqt5network5 5.3.1+dfsg-3
ii libqt5sql5-sqlite 5.3.1+dfsg-3
ii libqt5widgets5 5.3.1+dfsg-3
ii libqt5xml5 5.3.1+dfsg-3
ii libstdc++6 4.9.1-1
ii owncloud-client-l10n 1.6.1+dfsg-1

owncloud-client recommends no packages.

owncloud-client suggests no packages.

-- no debconf information
Bug#755349: libqtkeychain0: Fails to remember password due to changes in Gnome 3.12
Package: libqtkeychain0
Version: 0.3.0git201404080932-2
Severity: important
Tags: upstream

Dear Maintainer,

Hi! Found a thread on the Web about this: https://github.com/owncloud/mirall/issues/1501

Updating to HEAD of qtkeychain0 fixes this problem. I tested by rebuilding the package.

Cheers, Matt

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libqtkeychain0 depends on:
ii libc6 2.19-7
ii libgcc1 1:4.9.1-1
ii libqt4-dbus 4:4.8.6+dfsg-2
ii libqtcore4 4:4.8.6+dfsg-2
ii libstdc++6 4.9.1-1
ii multiarch-support 2.19-7

Versions of packages libqtkeychain0 recommends:
ii gnome-keyring 3.12.0-2

libqtkeychain0 suggests no packages.

-- no debconf information
Bug#754925: gnome-bluetooth: libgnome-bluetooth-applet.so missing - gnome-shell fails with "Unhappy Face" failure screen
Package: gnome-bluetooth
Version: 3.12.0-4
Severity: normal

Dear Maintainer,

/usr/lib/gnome-bluetooth/libgnome-bluetooth-applet.so.0.0.0 missing from package.

Is there a missing package dependency? apt-file-search does not find .so file

apt-get upgraded to Gnome3.12 as it entered unstable.
Had to enable lightdm as gdm3 was giving blackscreen
Then desktop login failed. On checking /var/log/syslog found:

Jul 16 12:35:01 moriah gnome-session[6411]: /usr/bin/gnome-shell: error while loading shared libraries: libgnome-bluetooth-applet.so.0: cannot open shared object file: No such file or directory
Jul 16 12:35:01 moriah gnome-session[6411]: gnome-session[6411]: WARNING: App 'gnome-shell.desktop' exited with code 127
Jul 16 12:35:01 moriah gnome-session[6411]: WARNING: App 'gnome-shell.desktop' exited with code 127
Jul 16 12:35:01 moriah gnome-session[6411]: /usr/bin/gnome-shell: error while loading shared libraries: libgnome-bluetooth-applet.so.0: cannot open shared object file: No such file or directory
Jul 16 12:35:01 moriah gnome-session[6411]: gnome-session[6411]: WARNING: App 'gnome-shell.desktop' exited with code 127
Jul 16 12:35:01 moriah gnome-session[6411]: gnome-session[6411]: WARNING: App 'gnome-shell.desktop' respawning too quickly
Jul 16 12:35:01 moriah gnome-session[6411]: WARNING: App 'gnome-shell.desktop' exited with code 127
Jul 16 12:35:01 moriah gnome-session[6411]: WARNING: App 'gnome-shell.desktop' respawning too quickly
Jul 16 12:35:01 moriah gnome-session[6411]: Unrecoverable failure in required component gnome-shell.desktop

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_NZ.utf8, LC_CTYPE=en_NZ.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnome-bluetooth depends on:
ii bluez 5.21-1
ii libatk1.0-0 2.12.0-1
ii libc6 2.19-7
ii libcairo-gobject2 1.12.16-2
ii libcairo2 1.12.16-2
ii libgdk-pixbuf2.0-0 2.30.7-1
ii libglib2.0-0 2.40.0-3
ii libgnome-bluetooth13 3.12.0-4
ii libgtk-3-0 3.12.2-1+b1
ii libpam-systemd 204-14
ii libpango-1.0-0 1.36.3-1
ii libpangocairo-1.0-0 1.36.3-1
ii libudev1 204-14
ii obex-data-server 0.4.5-1+b3
ii obexd-client 0.48-2+b1
ii udev 204-14

Versions of packages gnome-bluetooth recommends:
ii gnome-control-center 1:3.12.1-4
ii gvfs-backends 1.20.2-1

Versions of packages gnome-bluetooth suggests:
ii gnome-user-share 3.10.2-1
Bug#754924: gnome-shell: Get Gnome3 Failed screen due to missing bluetooth library
Source: gnome-shell
Severity: grave
Justification: renders package unusable

Dear Maintainer,

Used aptitude to upgrade to Gnome 3.12
Rebooted system
gdm3 did not work, just gave black X11 screen
Switched to lightdm, logging into desktop gave "Gnome Failed" unhappy face screen.

Checked /var/log/syslog, gnome-session had logged:

Jul 16 12:35:01 moriah gnome-session[6411]: /usr/bin/gnome-shell: error while loading shared libraries: libgnome-bluetooth-applet.so.0: cannot open shared object file: No such file or directory
Jul 16 12:35:01 moriah gnome-session[6411]: gnome-session[6411]: WARNING: App 'gnome-shell.desktop' exited with code 127
Jul 16 12:35:01 moriah gnome-session[6411]: WARNING: App 'gnome-shell.desktop' exited with code 127
Jul 16 12:35:01 moriah gnome-session[6411]: /usr/bin/gnome-shell: error while loading shared libraries: libgnome-bluetooth-applet.so.0: cannot open shared object file: No such file or directory
Jul 16 12:35:01 moriah gnome-session[6411]: gnome-session[6411]: WARNING: App 'gnome-shell.desktop' exited with code 127
Jul 16 12:35:01 moriah gnome-session[6411]: gnome-session[6411]: WARNING: App 'gnome-shell.desktop' respawning too quickly
Jul 16 12:35:01 moriah gnome-session[6411]: WARNING: App 'gnome-shell.desktop' exited with code 127
Jul 16 12:35:01 moriah gnome-session[6411]: WARNING: App 'gnome-shell.desktop' respawning too quickly
Jul 16 12:35:01 moriah gnome-session[6411]: Unrecoverable failure in required component gnome-shell.desktop

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores)
Bug#622394: systemd: nfs-common and rpcbind unit files to fix systemd NFS issues properly
Package: nfs-common
Version: 1:1.2.8-6
Followup-For: Bug #622394

Dear Maintainer,

* What led up to the situation?

When running under systemd:
o NFS mounts from /etc/fstab do not work.
o NFS exports also fail due to rpcbind not starting before nfs-common and nfs-kernel-server

systemd is the new default system init for linux. The above should just work.

* What exactly did you do (or not do) that was effective (or ineffective)?

Created my own /etc/tmpfiles.d/rpcbind.conf:

#Type Path Mode UID GID Age Argument
d /run/rpcbind 0755 root root - -
f /run/rpcbind/rpcbind.xdr 0600 root root - -
f /run/rpcbind/portmap.xdr 0600 root root - -

and /lib/systemd/system file (I did this one in /etc/systemd/system):

---
[Unit]
Description=RPC bind portmap service
After=systemd-tmpfiles-setup.service
Wants=remote-fs-pre.target
Before=remote-fs-pre.target
DefaultDependencies=no

[Service]
ExecStart=/sbin/rpcbind -f -w
KillMode=process
Restart=on-failure

[Install]
WantedBy=sysinit.target
Alias=portmap

and enabled above unit:

# systemctl enable rpcbind.service

Did the same for nfs-common to make NFS rpc support start at the correct time:

Created /etc/systemd/system/nfs-common.service (can be put in /lib/systemd/system)

[Unit]
Description=NFS Common daemons
Wants=remote-fs-pre.target
DefaultDependencies=no

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/init.d/nfs-common start
ExecStop=/etc/init.d/nfs-common stop

[Install]
WantedBy=sysinit.target
-

# systemctl enable nfs-common

* What was the outcome of this action?

Rpc Bind starting correctly, with registration state saving over restart, NFS service working normally

# systemctl status rpcbind
rpcbind.service - RPC bind portmap service
   Loaded: loaded (/etc/systemd/system/rpcbind.service; enabled)
  Drop-In: /run/systemd/generator/rpcbind.service.d
           └─50-rpcbind-$portmap.conf
   Active: active (running) since Wed 2014-05-14 10:38:13 NZST; 13min ago
 Main PID: 5066 (rpcbind)
   CGroup: name=systemd:/system/rpcbind.service
           └─5066 /sbin/rpcbind -f -w

May 14 10:38:13 moriah systemd[1]: Started RPC bind portmap service.

# systemctl status nfs-common
nfs-common.service - NFS Common daemons
   Loaded: loaded (/etc/systemd/system/nfs-common.service; enabled)
   Active: active (exited) since Wed 2014-05-14 10:35:01 NZST; 19min ago
 Main PID: 259 (code=exited, status=0/SUCCESS)
   CGroup: name=systemd:/system/nfs-common.service

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

All the NFS RPC daemons have port activation in latest nfs-utils upstream, and service files. Please consider using these as the socket activation saves having to manually configure which NFS RPC daemons are needed.
-- Package-specific info: -- rpcinfo -- program vers proto port service 104 tcp111 portmapper 103 tcp111 portmapper 102 tcp111 portmapper 104 udp111 portmapper 103 udp111 portmapper 102 udp111 portmapper 132 tcp 2049 nfs 133 tcp 2049 nfs 134 tcp 2049 nfs 1002272 tcp 2049 1002273 tcp 2049 132 udp 2049 nfs 133 udp 2049 nfs 134 udp 2049 nfs 1002272 udp 2049 1002273 udp 2049 1000211 udp 38783 nlockmgr 1000213 udp 38783 nlockmgr 1000214 udp 38783 nlockmgr 1000211 tcp 49538 nlockmgr 1000213 tcp 49538 nlockmgr 1000214 tcp 49538 nlockmgr 151 udp 58915 mountd 151 tcp 40052 mountd 152 udp 40524 mountd 152 tcp 60384 mountd 153 udp 55957 mountd 153 tcp 49758 mountd -- /etc/default/nfs-common -- NEED_STATD= STATDOPTS= NEED_IDMAPD=yes NEED_GSSD=yes RPCGSSDOPTS="" -- /etc/idmapd.conf -- [General] Verbosity = 0 Pipefs-Directory = /run/rpc_pipefs Domain = internal.anathoth.net Local-Realms = ANATHOTH.NET [Translation] Method = nsswitch [Mapping] Nobody-User = nobody Nobody-Group = nogroup -- /etc/fstab -- #shalom:/src/media/src nfs noauto,defaults,user,exec 0 0 #shalom:/home /media/home nfs noauto,defaults,user,exec 0 0 #en-gedi:/home /srv/home nfs noauto,async,_netdev,soft,intr,defaults,exec0 0 -- /proc/mounts -- nfsd /proc/fs/nfsd nfsd rw,relatime 0 0 -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_NZ.utf8, LC_CTYPE=en_NZ.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versio
Bug#748074: rpcbind has no systemd unit and tmp file files
Package: rpcbind
Version: 0.2.1-3
Severity: important
Tags: patch

Dear Maintainer,

* What led up to the situation?

When running under systemd:
o NFS mounts from /etc/fstab do not work.
o NFS exports also fail due to rpcbind not starting before nfs-common and nfs-kernel-server

systemd is the new default system init for linux. The above should just work.

* What exactly did you do (or not do) that was effective (or ineffective)?

Created my own /etc/tmpfiles.d/rpcbind.conf:

#Type Path Mode UID GID Age Argument
d /run/rpcbind 0755 root root - -
f /run/rpcbind/rpcbind.xdr 0600 root root - -
f /run/rpcbind/portmap.xdr 0600 root root - -

and /lib/systemd/system file (I did this one in /etc/systemd/system):

---
[Unit]
Description=RPC bind portmap service
After=systemd-tmpfiles-setup.service
Wants=remote-fs-pre.target
Before=remote-fs-pre.target
DefaultDependencies=no

[Service]
ExecStart=/sbin/rpcbind -f -w
KillMode=process
Restart=on-failure

[Install]
WantedBy=sysinit.target
Alias=portmap

and enabled above unit:

# systemctl enable rpcbind.service

Did the same for nfs-common to make NFS rpc support start at the correct time:

Created /etc/systemd/system/nfs-common.service (can be put in /lib/systemd/system)

[Unit]
Description=NFS Common daemons
Wants=remote-fs-pre.target
DefaultDependencies=no

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/init.d/nfs-common start
ExecStop=/etc/init.d/nfs-common stop

[Install]
WantedBy=sysinit.target
-

# systemctl enable nfs-common

* What was the outcome of this action?

Rpc Bind starting correctly, with registration state saving over restart, NFS service working normally

# systemctl status rpcbind
rpcbind.service - RPC bind portmap service
   Loaded: loaded (/etc/systemd/system/rpcbind.service; enabled)
  Drop-In: /run/systemd/generator/rpcbind.service.d
           └─50-rpcbind-$portmap.conf
   Active: active (running) since Wed 2014-05-14 10:38:13 NZST; 13min ago
 Main PID: 5066 (rpcbind)
   CGroup: name=systemd:/system/rpcbind.service
           └─5066 /sbin/rpcbind -f -w

May 14 10:38:13 moriah systemd[1]: Started RPC bind portmap service.

# systemctl status nfs-common
nfs-common.service - NFS Common daemons
   Loaded: loaded (/etc/systemd/system/nfs-common.service; enabled)
   Active: active (exited) since Wed 2014-05-14 10:35:01 NZST; 19min ago
 Main PID: 259 (code=exited, status=0/SUCCESS)
   CGroup: name=systemd:/system/nfs-common.service

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

All the NFS RPC daemons have port activation in latest nfs-utils upstream, and service files. Please consider using these as the socket activation saves having to manually configure which NFS RPC daemons are needed.

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_NZ.utf8, LC_CTYPE=en_NZ.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rpcbind depends on:
ii initscripts 2.88dsf-53
ii insserv 1.14.0-5
ii libc-bin 2.18-5
ii libc6 2.18-5
ii libtirpc1 0.2.2-7
ii libwrap0 7.6.q-25
ii lsb-base 4.1+Debian12

rpcbind recommends no packages.

rpcbind suggests no packages.

-- no debconf information

#Type Path Mode UID GID Age Argument
d /run/rpcbind 0755 root root - -
f /run/rpcbind/rpcbind.xdr 0600 root root - -
f /run/rpcbind/portmap.xdr 0600 root root - -

[Unit]
Description=NFS Common daemons
Wants=remote-fs-pre.target
DefaultDependencies=no

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/init.d/nfs-common start
ExecStop=/etc/init.d/nfs-common stop

[Install]
WantedBy=sysinit.target

[Unit]
Description=RPC bind portmap service
After=systemd-tmpfiles-setup.service
Wants=remote-fs-pre.target
Before=remote-fs-pre.target
DefaultDependencies=no

[Service]
ExecStart=/sbin/rpcbind -f -w
KillMode=process
Restart=on-failure

[Install]
WantedBy=sysinit.target
Alias=portmap
Bug#744014: python3-pyparsing: ParseBaseException.markInputline() - "".join() given more than one argument
Source: python3-pyparsing
Version: 2.0.0+ ?
Severity: normal
Tags: upstream patch

Dear Maintainer,

Working on a Python3 program which quite seriously uses PyParsing.

Whenever displaying error parsing output, an exception is thrown:

File "/usr/share/dms/dms/app/zone_tool.py", line 2251, in do_edit_zone
    print(exc.markInputline(), file=self.stdout)
File "/usr/lib/python3/dist-packages/pyparsing.py", line 207, in markInputline
    markerString, line_str[line_column:])
TypeError: join() takes exactly one argument (3 given)

Added missing () or [] around arguments, producing an iterable, and everything worked, and I got line by line parsing errors with position display happening.

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Index: pyparsing-2.0.1+dfsg1/pyparsing.py === --- pyparsing-2.0.1+dfsg1.orig/pyparsing.py 2013-07-17 19:08:10.0 +1200 +++ pyparsing-2.0.1+dfsg1/pyparsing.py 2014-04-09 18:37:03.991046822 +1200 @@ -203,8 +203,8 @@ line_str = self.line line_column = self.column - 1 if markerString: -line_str = "".join(line_str[:line_column], -markerString, line_str[line_column:]) +line_str = "".join([line_str[:line_column], +markerString, line_str[line_column:]]) return line_str.strip() def __dir__(self): return "loc msg pstr parserElement lineno col line " \
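Review bot: the corrected `"".join([...])` call inside the `if markerString:` branch of `markInputline()` has no test covering it, so the same slip could come back unnoticed. A small test that builds a ParseBaseException with a known line and column, calls `markInputline()`, and checks where the marker lands would pin the behaviour down. Since only three strings are involved, plain concatenation (`line_str[:line_column] + markerString + line_str[line_column:]`) would also read more directly than building a list just to join it.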
Bug#740916: ITP: dms -- DNS Management System
Package: wnpp
Severity: wishlist
Owner: Matthew Grant

* Package name    : dms
  Version         : 1.0
  Upstream Author : Matthew Grant
* URL             : http://mattgrant.net.nz/software/dms
* License         : GPL3
  Programming Lang: Python
  Description     : DNS Management System

DNS Management System using bind9 and PostgreSQL 9.2+. Uses Dynamic Updates to update and manage the Zones in Bind9. Has a daemon which uses a State Machine for publishing zones from the DB. There is a command line/shell program zone_tool for operation on the Zones, including running an editor, and a JSON RPC over http interface via Apache and mod_wsgi.

o Master can have DR Failover
o IPv6 fully supported in back end and front end
o IPv6 DNS RRs ()
o Dynamic DNS configuration of Master server reduces need for reconfig and reload operations.
o DNS RRs supported include SOA NS A MX PTR TXT SPF RP SSHFP SRV NSAP NAPTR LOC KX IPSECKEY HINFO CERT DS. DNSSEC handled by bind9 master
o Auto DNSSEC via Bind9 dynamic DNS. Bind9 master server auto maintains zone DNSSEC operations records and signing. NSEC3 and NSEC supported. DNSSEC key management on Master server file system pending write of key management module. Key material directory is replicated via DR protocol (rsync) though. DMS is fully enabled to use DNSSEC for securing our core domains.
o Apex resource record (SOA and NS) management across all zones - can be turned off per zone.
o Auto reverse PTR generation
o Customer control of their own automated reverse DNS. Individual PTR records, and complete reverse zones. Useful for business IPv6 and IPv4 blocks. Enables on site use of IP PABX, intranet and email for SMBs on XDSL/Fibre.
o zone_tool command line administrative tool on master servers
o IPSEC secured communications between each of DR master replicas and slaves
o Modular design. For example, Racoon IPSEC can be replaced if needed.
o Multiple Slave DNS server software implementations. NL Netlabs nsd3 can be used as a slave server once backend code is completed, and a simple configuration monitoring/HUP daemon implemented to run on each slave.
o slave server/Server Groups (SG) support. Live migration of zones.
o Private SGs for internal zones.
o Retention of deleted zones in database for aged auto-deletion later.
o Multiple Zone Instances per Zone. Roll forward and roll back changes. Again old ZIs aged for auto deletion above a threshold number.
o Templates used for generating name server configuration includes - master, replicas and slaves.
o Rsync to distribute name server configuration to servers.
o Central distribution of name server configuration segments.
o Hot standby master replica for DR purposes with manually controlled fail over. Includes automatic replica/slave server reconfiguration.
o WSGI JSON RPC over HTTPS API for multiple front ends
o Security tags to control what front ends can see
o Zone reference metadata to tag the zone with the owner/customer entity ID. Set by DMI when a zone is created. Tag out of table in DB via foreign key for easy reference renaming.
o zone_tool has built in pager support and editor support via standard shell environment variables.
o zone_tool has a configurable restricted shell mode for Help Desk use
o RR Groups and RR comments supported in DB for use in text editor and in Web Admin DMI (DNS Management Interface)
o zone_tool has colourised diff support to display changes between different ZIs for a zone
o Vim can be used as zone tool editor, giving DNS colourised Zone file syntax high lighting.
Bug#679482: Still experiencing this bug, any updates?
On 28/10/13 11:04, Dan Levin wrote:
> Hi,
> I'm still experiencing symptoms of this on wheezy (more details below).
> Has there been any fix, to anyone's knowledge?

privsep support on racoon is buggy. There is a new version out there from netbsd, but the code has had creeping netbsdisms and compiler makefile issues, and it is a real sod to get it going.

Try strongswan, it works on Debian kfreebsd and ordinary wheezy.

racoon is long in the tooth, and because of the sort of bitrot and security issues it has (runs as root) I think it might be better if this part of ipsec-tools was deprecated.

Regards,

Matthew Grant

> --
> Package: racoon
> State: installed
> Automatically installed: no
> Version: 1:0.8.0-14
> Priority: extra
> Section: net
> Maintainer: Matthew Grant
> Architecture: amd64
> Uncompressed Size: 1,147 k
> Depends: debconf (>= 0.5) | debconf-2.0, ipsec-tools (= 1:0.8.0-14),
> libc6 (>= 2.8), libcomerr2 (>= 1.01), libgssapi-krb5-2 (>=
> 1.10+dfsg~), libk5crypto3 (>= 1.6.dfsg.2),
> libkrb5-3 (>= 1.6.dfsg.2), libldap-2.4-2 (>= 2.4.7), libpam0g
> (>= 0.99.7.1), libssl1.0.0 (>= 1.0.0), adduser, perl
>
>
> # After initiating a disconnect from the VPN client:
> Oct 27 21:56:02 localhost racoon: [x.x.x.x] DEBUG: delete payload for
> protocol ESP
> Oct 27 21:56:02 localhost racoon: ERROR: privsep_socket: unauthorized
> domain (15)
> Oct 27 21:56:02 localhost racoon: INFO: racoon privileged process
> 23084 terminated
> Oct 27 21:56:02 localhost kernel: [1207378.180116] racoon[23109]:
> segfault at 10 ip 7fb003750b7b sp 7fff225ef210 error 4 in
> racoon[7fb003727000+92000]
> --
> Best,
> -Dan Levin
Bug#695192: bind9: CVE-2012-5688
Why does the Wheezy release team have its nose so stuck up about a minor upstream version number?

9.8.4-P1 IS ISC's official bug fixed release of the 9.8.x source tree, INCLUDING 9.8.1*

Don't drive the security maintainers into loops about unsupported code in an upcoming stable release!

Sheesh, some time dogged adherence to policy is NOT achieving our main end results.

Cheers,

Matthew Grant

On Thu, Dec 13, 2012 at 6:52 AM, Moritz Muehlenhoff wrote:
> On Wed, Dec 05, 2012 at 05:25:36AM -0700, LaMont Jones wrote:
> > On Wed, Dec 05, 2012 at 09:31:00AM +0100, Moritz Muehlenhoff wrote:
> > > Package: bind9
> > > Severity: grave
> > > Tags: security
> > > Justification: user security hole
> > > Please see https://kb.isc.org/article/AA-00828
> > > Stable is not affected. This needs to be fixed through testing-proposed-updates,
> > > since the testing and unstable packages have diverged and won't be updated that
> > > late in the freeze.
> >
> > I've been holding unstable at 9.8 in the hope that it might make it into
> > testing. ISC has quit supporting 9.8.1, I'd like to as well.
> >
> > I'll look into the backport soon, if the security team doesn't beat me to it.
>
> LaMont, can you upload a version targeted at testing-proposed-updates based on
> 1:9.8.1.dfsg.P1-4.4 ?
>
> Cheers,
> Moritz
Bug#693385: unblock: bind9/1:9.8.4.dfsg-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package bind9

1) a rebase bind9 for wheezy to 9.8.4 will make security maintenance a lot easier going forward. To properly fix bugs - some security and basic functionality, upstream have changed data structure code, and some flags. Makes patching tricky (see below).

2) Bug #690569 DNS wildcards fail to resolve with DNSsec enabled - a basic DNS protocol bug. To get DNS resolving going have to turn off DNSSEC validation - a bit of a thinko.

Found there were too many changes to 9.8.x ISC upstream since 9.8.1-P3 for me to consider patching it reliably. ISC don't give access to their VCS.

Note: also fixes CVE-2012-4244
Note: libdns81, libisc83 are updated to libdns88 and libisc84 in upstream.

Thank you for looking into this. I really appreciate your time and dedication to Debian.

Best Regards,

Matthew Grant

debdiff:

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Depends: libbind9-80 (= [-1:9.8.1.dfsg.P1-4.3),-] {+1:9.8.4.dfsg-1),+} libc6 (>= 2.4), libcap2 (>= 2.10), [-libdns81-] {+libdns88+} (= [-1:9.8.1.dfsg.P1-4.3),-] {+1:9.8.4.dfsg-1),+} libgssapi-krb5-2 (>= 1.6.dfsg.2), [-libisc83-] {+libisc84+} (= [-1:9.8.1.dfsg.P1-4.3),-] {+1:9.8.4.dfsg-1),+} libisccc80 (= [-1:9.8.1.dfsg.P1-4.3),-] {+1:9.8.4.dfsg-1),+} libisccfg82 (= [-1:9.8.1.dfsg.P1-4.3),-] {+1:9.8.4.dfsg-1),+} liblwres80 (= [-1:9.8.1.dfsg.P1-4.3),-] {+1:9.8.4.dfsg-1),+} libssl1.0.0 (>= 1.0.0), {+libxml2 (>= 2.7.4),+} debconf (>= 0.5) | debconf-2.0, netbase, adduser, lsb-base (>= 3.2-14), bind9utils (= [-1:9.8.1.dfsg.P1-4.3),-] {+1:9.8.4.dfsg-1),+} net-tools
Installed-Size: [-816-] {+940+}
Version: [-1:9.8.1.dfsg.P1-4.3-] {+1:9.8.4.dfsg-1+}

unblock bind9/1:9.8.4.dfsg-1

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#693016: bind9: CVE-2012-4244 - A specially crafted Resource Record could cause named to terminate
Package: bind9
Version: 1:9.8.1.dfsg.P1-4.3
Severity: normal
Tags: upstream

Dear Maintainer,

This is a remote DoS exploit on recursive servers, or authoritative servers if RR loaded from file or via zone transfer.

Quoting https://kb.isc.org/article/AA-00778/74

"If a record with RDATA in excess of 65535 bytes is loaded into a nameserver, a subsequent query for that record will cause named to exit with an assertion failure."

Fixed in package bind9_9.8.4.dfsg-1 uploaded to unstable.

It's not practical to reliably backport a fix for this. ISC have markedly changed data structures and flags to fix other bugs, making patching risky. They do not provide access to their VCS. 9.8.4 is bug fixed upstream version of 9.8.1

Rationale for bind9_9.8.4.dfsg-1 package is to make bug fixing wheezy bind9 easier/more reliable once released.

Please upgrade wheezy bind9 to 9.8.4.dfsg-1

I am a DD with a C network router programming background, and am currently working on an ISP DNS system, and have evaluated patchability for other CVEs, and found too much of a risk of introducing other bugs when using patches from other ISC versions of bind9 like 9.6ESRV.

Best Regards,

Matthew Grant

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bind9 depends on:
ii adduser 3.113+nmu3
ii bind9utils 1:9.8.1.dfsg.P1-4.3
ii debconf [debconf-2.0] 1.5.46
ii libbind9-80 1:9.8.1.dfsg.P1-4.3
ii libc6 2.13-35
ii libcap2 1:2.22-1.2
ii libdns81 1:9.8.1.dfsg.P1-4.3
ii libgssapi-krb5-2 1.10.1+dfsg-2
ii libisc83 1:9.8.1.dfsg.P1-4.3
ii libisccc80 1:9.8.1.dfsg.P1-4.3
ii libisccfg82 1:9.8.1.dfsg.P1-4.3
ii liblwres80 1:9.8.1.dfsg.P1-4.3
ii libssl1.0.0 1.0.1c-4
ii lsb-base 4.1+Debian7
ii net-tools 1.60-24.2
ii netbase 5.0

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn bind9-doc
ii dnsutils 1:9.8.1.dfsg.P1-4.3
pn resolvconf
pn ufw

-- Configuration Files:
/etc/bind/named.conf.local changed [not included]

-- debconf information excluded
Bug#693015: bind9: CVE-2012-4244 - A specially crafted Resource Record could cause named to terminate
Package: bind9
Version: 1:9.8.1.dfsg.P1-4.3
Severity: normal
Tags: upstream

Dear Maintainer,

This is a remote DoS exploit on recursive servers, or authoritative servers if RR loaded from file or via zone transfer.

Quoting https://kb.isc.org/article/AA-00778/74

"If a record with RDATA in excess of 65535 bytes is loaded into a nameserver, a subsequent query for that record will cause named to exit with an assertion failure."

Fixed in package bind9_9.8.4.dfsg-1 uploaded to unstable.

It's not practical to reliably backport a fix for this. ISC have markedly changed data structures and flags to fix other bugs, making patching risky. They do not provide access to their VCS. 9.8.4 is bug fixed upstream version of 9.8.1

Rationale for bind9_9.8.4.dfsg-1 package is to make bug fixing wheezy bind9 easier/more reliable once released.

Please upgrade wheezy bind9 to 9.8.4.dfsg-1

I am a DD with a C network router programming background, and am currently working on an ISP DNS system, and have evaluated patchability for other CVEs, and found too much of a risk of introducing other bugs when using patches from other ISC versions of bind9 like 9.6ESRV.

Best Regards,

Matthew Grant

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bind9 depends on:
ii adduser 3.113+nmu3
ii bind9utils 1:9.8.1.dfsg.P1-4.3
ii debconf [debconf-2.0] 1.5.46
ii libbind9-80 1:9.8.1.dfsg.P1-4.3
ii libc6 2.13-35
ii libcap2 1:2.22-1.2
ii libdns81 1:9.8.1.dfsg.P1-4.3
ii libgssapi-krb5-2 1.10.1+dfsg-2
ii libisc83 1:9.8.1.dfsg.P1-4.3
ii libisccc80 1:9.8.1.dfsg.P1-4.3
ii libisccfg82 1:9.8.1.dfsg.P1-4.3
ii liblwres80 1:9.8.1.dfsg.P1-4.3
ii libssl1.0.0 1.0.1c-4
ii lsb-base 4.1+Debian7
ii net-tools 1.60-24.2
ii netbase 5.0

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn bind9-doc
ii dnsutils 1:9.8.1.dfsg.P1-4.3
pn resolvconf
pn ufw

-- Configuration Files:
/etc/bind/named.conf.local changed [not included]

-- debconf information excluded
Bug#669213: bind9: new upstream release: 9.9
Hi!

I believe it is best to stick with 9.8.x for wheezy. 9.9.x is too much of a change, too many unknowns. The bind9 package has been using a 9.8.x code base, and configuration, and 9.8.4 is a bug fixed version of 9.8.1

9.9.x is too much of a change now that wheezy is frozen.

Cheers,

Matthew Grant

On Tue, Oct 30, 2012 at 9:50 PM, Sebastian Wiesinger wrote:
> * LaMont Jones [2012-10-29 21:38]:
> > On Mon, Oct 29, 2012 at 05:22:10PM +, Adam D. Barratt wrote:
> > > Indeed. In any case, were the new version to be accepted in to the
> > > release then the appropriate route would be via unstable, not direct
> > > to t-p-u.
> >
> > Works for me. I'll toss 9.8.4 into sid. As for getting it into wheezy,
> > it'll make the support life easier for the inevitable security fixes that
> > will follow. There are probably other reasons.
>
> Hi,
>
> if the route goes via unstable, could we perhaps immediately go to
> 9.9.2? 9.9 has the most useful new features regarding DNSSEC.
>
> Regards
>
> Sebastian
>
> --
> GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE
> SCYTHE.
> -- Terry Pratchett, The Fifth Elephant
Bug#689755: bind9: memory leak in named
M. Interesting. I will check 9.8.4 CHANGES and see if there are any likely looking candidates.

On Tue, Oct 30, 2012 at 4:58 AM, Christoph Anton Mitterer <christoph.anton.mitte...@lmu.de> wrote:
> A friend of mine, who basically uses my config with his own nameserver,
> had the same issues, and could "solve" it by disabling recursion.
>
>
> Cheers,
> Chris.
Bug#689755: Bug#690142: marked as done (remote named DoS on recursor (CVE-2012-5166))
Hi there!

Just trying to avoid people wasting effort on bind9 NMU work.

I am working with LaMont Jones on an update for wheezy to bind9 9.8.4, rebased on the ISC 9.8.4 code, which will definitely close #690569, #690142, and may be #689755. (The rest of the Important bugs appear to be with old versions of bind9 before 9.7.x.)

The main reason is to reduce the work required for security patching and to mostly eliminate the risk of introducing new bugs with the fixes. It has been found that the data structures between ISC bind9 9.8.1 and 9.8.4 have markedly changed due to essential protocol fixes and security fixes. Applying patches is no longer that simple a matter, with a considerable risk of introducing new bugs.

I originally adapted up the patch for bind9 9.8.1.dfsg.P1-4.2, and was proceeding to fix #690569 "DNS wildcards fail to resolve with DNSsec enabled" when I found that there was a serious risk of introducing new bugs, and desisted from NMUing bind9. (I was a professional C router programmer)

There is also the matter of "#689755 bind9: memory leak in named". I am currently working on an ISP DNS project based on wheezy, and have observed some suspicious behaviour in this regard. On reading the ISC CHANGES file for 9.8.4, there are fixes that could be related to this sort of behavior.

This is a notice that the bind9 9.8.1.dfsg.P1-4.x package might be replaced, after going through the appropriate channels (Debian Release Team). LaMont will be uploading our work to wheezy-proposed shortly.

A repository of work done so far is up at http://anonscm.debian.org/git/collab-maint/bind9.git/

Thank you very much for your patience.

Best Regards,

Matthew Grant

On 29/10/12 11:21, Debian Bug Tracking System wrote:
> Your message dated Sun, 28 Oct 2012 23:16:32 +0100
> with message-id <20121028221632.ga21...@spike.0x539.de>
> and subject line fixed in 9.8.1.dfsg.P1-4.3
> has caused the Debian Bug report #690142,
> regarding remote named DoS on recursor (CVE-2012-5166)
> to be marked as done.
>
> This means that you claim that the problem has been dealt with.
> If this is not the case it is now your responsibility to reopen the
> Bug report if necessary, and/or fix the problem forthwith.
>
> (NB: If you are a system administrator and have no idea what this
> message is talking about, this may indicate a serious mail system
> misconfiguration somewhere. Please contact ow...@bugs.debian.org
> immediately.)
Bug#690410: Puredata 0.43.2-4 crashing due to _FORTIFY_SOURCE with large patch
Package: puredata
Followup-For: Bug #690410

Recompiled puredata with the following 2 lines added to the top of debian/rules:

# Stop problems with puredata crashing due to buffer space issues?
export DEB_BUILD_MAINT_OPTIONS=hardening=+format,-fortify,+stackprotector,+relro

This turns off _FORTIFY_SOURCE. Puredata works without problems with the PD 'patches' in my project.

If you look at the back trace in the stack dump in the original bug report, it crashed in:

pd(pd_typedmess+0x45b)[0x456fab]
pd(outlet_anything+0x4a)[0x458eca]
pd(pd_typedmess+0x1db)[0x456d2b]
pd(binbuf_eval+0x90b)[0x4600fb]
pd(outlet_list+0x4a)[0x458e3a]
pd[0x455b5c]
pd(outlet_float+0x3f)[0x458d0f]
pd(outlet_bang+0x29)[0x458be9]
pd(sched_tick+0x77)[0x463047]
pd(m_mainloop+0x1e9)[0x463319]

bang, float, list are basic puredata objects. binbuf_eval() is also one of the functions.

It looks like puredata uses functions like strcat(), strcpy() in non-conventional ways with some kind of buffer. Turning off _FORTIFY_SOURCE looks like it needs to be done to ensure 100% functionality. Just patching one or two instances of the functions may not get all the problem points fixed as the puredata algorithms probably assume that the functions will copy/concatenate indefinitely throughout the whole code base.

Talk to upstream before turning on _FORTIFY_SOURCE please.

Regards,

Matthew Grant

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.23 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages puredata depends on:
ii puredata-core 0.43.2-5~0mag1
ii puredata-dev 0.43.2-5~0mag1
ii puredata-doc 0.43.2-5~0mag1
ii puredata-extra 0.43.2-5~0mag1
ii puredata-gui 0.43.2-5~0mag1
ii puredata-utils 0.43.2-5~0mag1

Versions of packages puredata recommends:
ii gem 3:0.93.3-6~0mag0

Versions of packages puredata suggests:
ii pd-aubio 0.3.2-4.2+b1
ii pd-csound 1:5.17.11~dfsg-2
ii pd-pdp 1:0.12.5-2
ii pd-zexy 2.2.5-1

-- no debconf information
Bug#691391: libcurl3-gnutls: git push on libcurl3-gnutls_7.28-2 fails when changes pushed
Package: libcurl3-gnutls Version: 7.28.0-2 Followup-For: Bug #691391 Some new information, git push with GIT_CURL_VERBOSE=1 set. Hope this to clear it up. Had to wait to re-test. git push works with 7.26.0-1 shalom-ext: -grantma- [~/dms] $ GIT_CURL_VERBOSE=1 git push * About to connect() to git.devel.net.nz port 443 (#0) * Trying 210.5.55.254... * 0x174eb50 is at send pipe head! * STATE: CONNECT => WAITCONNECT handle 0x1757960; (connection #0) * Connected to git.devel.net.nz (210.5.55.254) port 443 (#0) * Connected to git.devel.net.nz (210.5.55.254) port 443 (#0) * found 152 certificates in /etc/ssl/certs/ca-certificates.crt * STATE: WAITCONNECT => PROTOCONNECT handle 0x1757960; (connection #0) *server certificate verification SKIPPED *compression: NULL *cipher: AES-128-CBC *MAC: SHA1 * STATE: PROTOCONNECT => DO handle 0x1757960; (connection #0) > GET /dms/dms.git/info/refs?service=git-receive-pack HTTP/1.1 User-Agent: git/1.7.10.4 Host: git.devel.net.nz Accept: */* Pragma: no-cache * STATE: DO => DO_DONE handle 0x1757960; (connection #0) * STATE: DO_DONE => WAITPERFORM handle 0x1757960; (connection #0) * STATE: WAITPERFORM => PERFORM handle 0x1757960; (connection #0) * additional stuff not fine transfer.c:1037: 0 0 * HTTP 1.1 or later with persistent connection, pipelining supported < HTTP/1.1 401 Authorization Required < Date: Thu, 25 Oct 2012 22:47:08 GMT < Server: Apache/2.2.17 (FreeBSD) mod_ssl/2.2.17 OpenSSL/0.9.8q < WWW-Authenticate: Digest realm="Git Access", nonce="gDas++nMBAA=c016e62b78666c4a06557a090758dfc879f46c72", algorithm=MD5, domain="/", qop="auth" < Content-Length: 401 < Content-Type: text/html; charset=iso-8859-1 < * Ignoring the response-body * Connection #0 to host git.devel.net.nz left intact * Issue another request to this URL: * 'https://git.devel.net.nz/dms/dms.git/info/refs?service=git-receive-pack' * Re-using existing connection! 
(#0) with host git.devel.net.nz * Connected to git.devel.net.nz (210.5.55.254) port 443 (#0) * 0x174eb50 is at send pipe head! * STATE: CONNECT => DO handle 0x1757960; (connection #0) * Server auth using Digest with user 'grantma' > GET /dms/dms.git/info/refs?service=git-receive-pack HTTP/1.1 Authorization: Digest username="grantma", realm="Git Access", nonce="gDas++nMBAA=c016e62b78666c4a06557a090758dfc879f46c72", uri="/dms/dms.git/info/refs?service=git-receive-pack", cnonce="MDg3MTk1", nc=0001, qop=auth, response="d4ae9115c24ef228c2ed2ad5f0d57d03", algorithm="MD5" User-Agent: git/1.7.10.4 Host: git.devel.net.nz Accept: */* Pragma: no-cache * STATE: DO => DO_DONE handle 0x1757960; (connection #0) * STATE: DO_DONE => WAITPERFORM handle 0x1757960; (connection #0) * STATE: WAITPERFORM => PERFORM handle 0x1757960; (connection #0) * additional stuff not fine transfer.c:1037: 0 0 * additional stuff not fine transfer.c:1037: 0 0 * HTTP 1.1 or later with persistent connection, pipelining supported < HTTP/1.1 200 OK < Date: Thu, 25 Oct 2012 22:47:08 GMT < Server: Apache/2.2.17 (FreeBSD) mod_ssl/2.2.17 OpenSSL/0.9.8q < Expires: Fri, 01 Jan 1980 00:00:00 GMT < Pragma: no-cache < Cache-Control: no-cache, max-age=0, must-revalidate < Authentication-Info: rspauth="f9b91ee07350a722ea8b344efcb8b588", cnonce="MDg3MTk1", nc=0001, qop=auth < Transfer-Encoding: chunked < Content-Type: application/x-git-receive-pack-advertisement < * STATE: PERFORM => DONE handle 0x1757960; (connection #0) * Connection #0 to host git.devel.net.nz left intact Counting objects: 17, done. Delta compression using up to 2 threads. Compressing objects: 100% (9/9), done. Writing objects: 100% (9/9), 1.30 KiB, done. Total 9 (delta 8), reused 0 (delta 0) * About to connect() to git.devel.net.nz port 443 (#0) * Trying 210.5.55.254... 
* connected * Connected to git.devel.net.nz (210.5.55.254) port 443 (#0) * found 152 certificates in /etc/ssl/certs/ca-certificates.crt * SSL re-using session ID *server certificate verification SKIPPED *compression: NULL *cipher: AES-128-CBC *MAC: SHA1 > POST /dms/dms.git/git-receive-pack HTTP/1.1 User-Agent: git/1.7.10.4 Host: git.devel.net.nz Accept-Encoding: deflate, gzip Content-Type: application/x-git-receive-pack-request Accept: application/x-git-receive-pack-result Content-Length: 1465 * upload completely sent off: 1465 out of 1465 bytes * additional stuff not fine transfer.c:1037: 0 0 * HTTP 1.1 or later with persistent connection, pipelining supported < HTTP/1.1 401 Authorization Required < Date: Thu, 25 Oct 2012 22:47:08 GMT < Server: Apache/2.2.17 (FreeBSD) mod_ssl/2.2.17 OpenSSL/0.9.8q * Authentication problem. Ignoring this. < WWW-Authenticate: Digest realm="Git Access", nonce="pgyv++nMBAA=41fb149a41d3357b9a730d21bf98ad166d26937e", algorithm=MD5, domain="/", qop="auth" < Content-Length: 401 < Content-Type: text/html; charset=iso-8859-1 * The requested URL returned error: 401 * Closing connection #0 error: RPC failed; result=22, HTTP code = 401 fatal: The remote
Bug#691391: libcurl3-gnutls: git push on libcurl3-gnutls_7.28-2 fails when changes pushed
Package: libcurl3-gnutls
Version: 7.28.0-2
Severity: important

See my shell log below

Still have a problem.

Cheers,

Matthew Grant

-

shalom-ext: -grantma- [~/dms] $ git push
Counting objects: 19, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (10/10), done.
Writing objects: 100% (10/10), 1.11 KiB, done.
Total 10 (delta 9), reused 0 (delta 0)
error: RPC failed; result=22, HTTP code = 401
fatal: The remote end hung up unexpectedly
fatal: The remote end hung up unexpectedly
Everything up-to-date
shalom-ext: -grantma- [~/dms] $ git pull
Already up-to-date.
shalom-ext: -grantma- [~/dms] $ cd ../scratch/
shalom-ext: -grantma- [~/scratch] $ wget http://packages.debian.org/wheezy/libcurl3-gnutls
--2012-10-25 15:20:35-- http://packages.debian.org/wheezy/libcurl3-gnutls
Resolving packages.debian.org (packages.debian.org)... 2001:648:2ffc:deb:214:22ff:feb2:17e8, 2001:8d8:81:1520::1, 194.177.211.202, ...
Connecting to packages.debian.org (packages.debian.org)|2001:648:2ffc:deb:214:22ff:feb2:17e8|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘libcurl3-gnutls’

[ <=> ] 18,662 25.8KB/s in 0.7s

2012-10-25 15:20:38 (25.8 KB/s) - ‘libcurl3-gnutls’ saved [18662]

shalom-ext: -grantma- [~/scratch] $ sudo dpkg -i libcurl3-gnutls_7.26.0-1_amd64.deb
dpkg: warning: downgrading libcurl3-gnutls:amd64 from 7.28.0-2 to 7.26.0-1
(Reading database ... 53528 files and directories currently installed.)
Preparing to replace libcurl3-gnutls:amd64 7.28.0-2 (using libcurl3-gnutls_7.26.0-1_amd64.deb) ...
Unpacking replacement libcurl3-gnutls:amd64 ...
Setting up libcurl3-gnutls:amd64 (7.26.0-1) ...
shalom-ext: -grantma- [~/scratch] $ cd ../dms
shalom-ext: -grantma- [~/dms] $ git push
Counting objects: 19, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (10/10), done.
Writing objects: 100% (10/10), 1.11 KiB, done.
Total 10 (delta 9), reused 0 (delta 0)
To https://git.devel.net.nz/dms/dms.git
2312dd1..d066e87 master -> master

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libcurl3-gnutls depends on:
ii libc6 2.13-35
ii libgcrypt11 1.5.0-3
ii libgnutls26 2.12.20-1
ii libgssapi-krb5-2 1.10.1+dfsg-2
ii libidn11 1.25-2
ii libldap-2.4-2 2.4.31-1
ii librtmp0 2.4+20111222.git4e06e21-1
ii libssh2-1 1.4.2-1.1
ii multiarch-support 2.13-35
ii zlib1g 1:1.2.7.dfsg-13

Versions of packages libcurl3-gnutls recommends:
ii ca-certificates 20120623

libcurl3-gnutls suggests no packages.

-- no debconf information
Bug#690569: Bug#690142: remote named DoS on recursor (CVE-2012-5166) and Bug#690569 (DNS wildcards fail to resolve with DNSSEC enabled)
On Wed, Oct 17, 2012 at 1:57 PM, Michael Gilbert wrote:

> On Tue, Oct 16, 2012 at 6:49 PM, Matthew Grant wrote:
> > Can Bug #690569 (DNS wildcards fail to resolve with DNSsec enabled - breaks
> > RFC 4035) be reclassified as grave, or at least Important severity?

You implied a bug severity increase. It's now at important.

> > We need to get something done about this one. Having to turn off DNSSEC
> > validation to get correct resolution behaviour is not good for security re
> > DNS cache poisoning attacks, which is why DNSSEC was implemented in DNS.
>
> I did a diff between 9.6-R5 and -R6 and extracted the parts seeming to
> relate to wildcard handling. Someone will have to look at whether
> those are the right changes and if they're complete, and then port it
> to the current version. See attached.

Checked diff. It looks a mess. Have you compiled bind9 package and checked that it handles wildcard query? I am not confident that data structures are handled correctly. (Used to be professional router C programmer, and have extensive kernel patch experience)

Could someone on the security team who knows bind9 look at this please to see if they can patch bind9 9.8.1.dfsg-4.2 and 9.7.3 (squeeze)?

> > Also, to resolve this, is it alright to NMU Bind 9.8.4 (latest 9.8.x)
> > please. Lamount Jones, it would be good if you could do this please? Does
> > not look that hard. Have looked in bind9 package git.
>
> No. We're in the freeze now. Fixes need to be backported.

If backporting a fix is not possible with the certainty of no introduced bugs, we have no choice. Debian Bind9 cannot ship with a basic DNS protocol handling error. As it stands it is severely broken in the resolver. DNSSEC on the Internet is now a must.

ISC have been diligent in backporting fixes to their 9.8.x minor version stream. There are only one or 2 new features, and I believe 1 or 2 configuration changes that are backwards compatible. Consequently Bind 9.8.4 (or 9.7.7) is mostly coherent with Debian's policy of back porting fixes. (ISC really know their own data structures, but also unfortunately do not make their VCS publicly available, only release complete tarballs, so finding the 100% correct patch can be a major problem.)

I believe a policy exception is possible in this case if needed, given that bind9 is such an important piece of software.

My case is put. Could the security team please help to determine what to do.

Regards,

Matthew Grant
Bug#690569: Bug#690142: remote named DoS on recursor (CVE-2012-5166) and Bug#690569 (DNS wildcards fail to resolve with DNSSEC enabled)
Thanks,

I will cross check this with all ISC tar balls between 9.8.1 and 9.8.2. This is when the CHANGES file lists it was fixed.

I have noted that ISC changed things quite a lot with some internal structures over 9.8.x/9.7.x/9.6.x, when I was examining some issues to do with query rate DoS attacks. Debian bind does not have those changes, but I gave it the benefit of the doubt.

I'll quickly assess whether there are any problems here or not. Have been a professional C router programmer.

If it's not good, we really have issues. There comes a point when upstream has been diligent about fixes, and we have to redo a lot of it, and we are not the experts.

Cheers,

Matthew

On Wed, Oct 17, 2012 at 1:57 PM, Michael Gilbert wrote:
> On Tue, Oct 16, 2012 at 6:49 PM, Matthew Grant wrote:
> > Hi Michael!
> >
> > Sorry to bother you again, but want some advice before I leap.
> >
> > Can Bug #690569 (DNS wildcards fail to resolve with DNSsec enabled - breaks
> > RFC 4035) be reclassified as grave, or at least Important severity?
> >
> > We need to get something done about this one. Having to turn off DNSSEC
> > validation to get correct resolution behaviour is not good for security re
> > DNS cache poisoning attacks, which is why DNSSEC was implemented in DNS.
>
> I did a diff between 9.6-R5 and -R6 and extracted the parts seeming to
> relate to wildcard handling. Someone will have to look at whether
> those are the right changes and if they're complete, and then port it
> to the current version. See attached.
>
> > Also, to resolve this, is it alright to NMU Bind 9.8.4 (latest 9.8.x)
> > please. Lamount Jones, it would be good if you could do this please? Does
> > not look that hard. Have looked in bind9 package git.
>
> No. We're in the freeze now. Fixes need to be backported.
>
> Best wishes,
> Mike
Bug#690569: DNS wildcards fail to resolve with DNSsec enabled
Package: bind9
Version: 1:9.8.1.dfsg.P1-4.2
Followup-For: Bug #690569

Problem exists in current Debian Version of bind9. This is broken behaviour with regards RFC4035 Section 3.1.3 and maybe some parts of RFC4952.

This means the version of bind in unstable and testing is non functional for the purposes of being used as a resolver when DNSSEC validation is required.

Turning off DNSSEC resolution to work around this significantly reduces the authenticity around the DNS response. This makes this version of bind9 far more open to Kaminsky DNS cache poisoning attacks.

Severity of bug should be raised to grave.

Resolution is obvious, move code base to at least latest ISC 9.8.x Bind 9, which is 9.8.4.

Cheers,

Matthew Grant

shalom: -grantma- [~] $ dig www.nuonexclusief.nl @shalom-svc.internal.anathoth.net.

; <<>> DiG 9.8.1-P1 <<>> www.nuonexclusief.nl @shalom-svc.internal.anathoth.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44296
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.nuonexclusief.nl. IN A

;; Query time: 3104 msec
;; SERVER: 172.31.10.1#53(172.31.10.1)
;; WHEN: Tue Oct 16 13:26:40 2012
;; MSG SIZE rcvd: 38

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bind9 depends on:
ii adduser 3.113+nmu3
ii bind9utils 1:9.8.1.dfsg.P1-4.2
ii debconf [debconf-2.0] 1.5.46
ii libbind9-80 1:9.8.1.dfsg.P1-4.2
ii libc6 2.13-35
ii libcap2 1:2.22-1.2
ii libdns81 1:9.8.1.dfsg.P1-4.2
ii libgssapi-krb5-2 1.10.1+dfsg-2
ii libisc83 1:9.8.1.dfsg.P1-4.2
ii libisccc80 1:9.8.1.dfsg.P1-4.2
ii libisccfg82 1:9.8.1.dfsg.P1-4.2
ii liblwres80 1:9.8.1.dfsg.P1-4.2
ii libssl1.0.0 1.0.1c-4
ii lsb-base 4.1+Debian7
ii net-tools 1.60-24.2
ii netbase 5.0

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn bind9-doc
ii dnsutils 1:9.8.1.dfsg.P1-4.2
pn resolvconf
pn ufw

-- Configuration Files:
/etc/bind/named.conf.local changed [not included]

-- debconf-show failed
Bug#690142: remote named DoS on recursor (CVE-2012-5166)
Package: bind9 Version: 1:9.8.1.dfsg.P1-4.2 Followup-For: Bug #690142 Dear Maintainer, Attaching a patch for this version of Debian bind9. NMUing in 2 days with 1:9.8.1.dfsg.P1-4.3 -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash --- /tmp/bind9-9.8.1.dfsg.P1/bin/named/query.c 2011-11-16 22:32:08.0 +1300 +++ bind9-9.8.1.dfsg.P1/bin/named/query.c 2012-10-15 13:48:55.572735596 +1300 @@ -1137,13 +1137,6 @@ mname = NULL; } - /* - * If the dns_name_t we're looking up is already in the message, - * we don't want to trigger the caller's name replacement logic. - */ - if (name == mname) - mname = NULL; - *mnamep = mname; CTRACE("query_isduplicate: false: done"); @@ -1341,6 +1334,7 @@ if (dns_rdataset_isassociated(rdataset) && !query_isduplicate(client, fname, type, &mname)) { if (mname != NULL) { + INSIST(mname != fname); query_releasename(client, &fname); fname = mname; } else @@ -1401,11 +1395,13 @@ mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_a, &mname)) { -if (mname != NULL) { - query_releasename(client, &fname); - fname = mname; -} else - need_addname = ISC_TRUE; +if (mname != fname) { + if (mname != NULL) { + query_releasename(client, &fname); + fname = mname; + } else + need_addname = ISC_TRUE; +} ISC_LIST_APPEND(fname->list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL && 
@@ -1444,11 +1440,13 @@ mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_, &mname)) { -if (mname != NULL) { - query_releasename(client, &fname); - fname = mname; -} else - need_addname = ISC_TRUE; +if (mname != fname) { + if (mname != NULL) { + query_releasename(client, &fname); + fname = mname; + } else + need_addname = ISC_TRUE; +} ISC_LIST_APPEND(fname->list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL && @@ -1960,22 +1958,24 @@ crdataset->type == dns_rdatatype_) { if (!query_isduplicate(client, fname, crdataset->type, &mname)) { -if (mname != NULL) { - /* - * A different type of this name is - * already stored in the additional - * section. We'll reuse the name. - * Note that this should happen at most - * once. Otherwise, fname->link could - * leak below. - */ - INSIST(mname0 == NULL); - - query_releasename(client, &fname); - fname = mname; - mname0 = mname; -} else - need_addname = ISC_TRUE; +if (mname != fname) { + if (mname != NULL) { + /* + * A different type of this name is + * already stored in the additional + * section. We'll reuse the name. + * Note that this should happen at most + * once. Otherwise, fname->link could + * leak below. + */ + INSIST(mname0 == NULL); + + query_releasename(client, &fname); + fname = mname; + mname0 = mname; + } else + need_addname = ISC_TRUE; +} ISC_LIST_UNLINK(cfname.list, crdataset, link); ISC_LIST_APPEND(fname->list, crdataset, link); added_something = ISC_TRUE;
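Review bot: In the @@ -1341 hunk the new INSIST(mname != fname) makes named abort if query_isduplicate() ever hands back the caller's own name at that call site, while the three later call sites (@@ -1401, @@ -1444 and @@ -1960) tolerate the same case with an if (mname != fname) guard. For a patch that closes a remote DoS, an assertion on a query-handling path needs a stated reason: either use the same guard here, or add a comment saying why the name cannot already be in the message at this point. The comment removed from query_isduplicate() in the @@ -1137 hunk was the only description of the name-replacement contract; now that the check lives in the callers, a one-line comment at each mname != fname test (an equal name means fname is already in the message and must be neither released nor re-added) would keep that documented.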
Bug#690410: Puredata 0.43.2-4 crashing due to _FORTIFY_SOURCE with large patch
Package: puredata
Version: 0.43.2-4
Severity: grave

I have a large puredata patch using GEM that was working early on last year. At the moment it is crashing on start with calls to __fortify_fail() in libc. There are two pds running, one handling sound and wiimote input, and a slave doing GEM display work. They communicate over a TCP socket.

Pure data with the _FORTIFY_SOURCE=2 is not usable for any serious work, destroying the purpose of the porting and packaging to Debian.

The same problems also show up in puredata plugins/libraries with this turned on as well. The one that blew up in the same way was gem-plugin-magick.

I know that this is security hardening, and that buffer overflows are bad in any application, as they tend to go and corrupt the running application. But puredata is an interpreted language program used by artists typically on closed off networks behind a firewall/router. It is hard enough to get going properly without this unneeded security stuff being turned on.

Please compile puredata with _FORTIFY_SOURCE=0 for the whole puredata module stack and dependencies until the causes of this are fixed upstream.

I am going to try the puredata package compiled with _FORTIFY_SOURCE=0, and see if I can get my valuable project going again.

BTW, I am a Debian Developer.

Cheers,

Matthew Grant

PS: Stack dump of setup in line below.

$ cat antigua.sh
#!/bin/bash
pd -noaudio -nomidi -lib Gem -nogui boatshed.pd &
pd antigua.pd
# Kill 1st pd on exit
kill %1
$ ./antigua.sh
sys_nmidiin 0, nmidiindev 1
@ the zexy external 2.2.5 @ @ (l) forum::für::umläute @ @ iem @ kug @ @ compiled: Nov 22 2011 @ @ send me a 'help' message @
priority 6 scheduling enabled.
priority 8 scheduling enabled.
warning: class 'abs~' overwritten; old one renamed 'abs~_aliased' matchbox: OSC-pattern matching code (c) Matt Wright, CNMAT warning: class 'wrap' overwritten; old one renamed 'wrap_aliased' GEM: Graphics Environment for Multimedia GEM: ver: 0.93.3 GEM: compiled: Jun 11 2012 GEM: maintained by IOhannes m zmoelnig GEM: Authors : Mark Danks (original version) GEM:Chris Clepper GEM:Cyrille Henry GEM:IOhannes m zmoelnig GEM: with help by Guenter Geiger, Daniel Heckenberg, James Tittle, Hans-Christoph Steiner, et al. GEM: found a bug? miss a feature? please report it: GEM:homepage http://gem.iem.at/ GEM:bug-tracker http://sourceforge.net/projects/pd-gem/ GEM:mailing-list http://lists.puredata.info/listinfo/gem-dev/ open: /etc/pd/gem.conf: No such file or directory open: /home/grantma/.pd/gem.conf: No such file or directory open: ./gem.conf: No such file or directory GEM: compiled for SIMD architecture: SSE2 MMX GEM: using SSE2 optimization load plugins 'image' in '/usr/lib/pd/extra/Gem/' pattern : /usr/lib/pd/extra/Gem/gem_image*.so GEM: Only using 8 color bits GEM: Direct Rendering enabled! GEM: GLEW version 1.7.0 GEM: Start rendering error: [pix_image]: failed to load image '/home/grantma/Desktop/Situational_Choreo_Project/pd/boat-shed-end.jpg' verbose(4): ... you might be able to track this down from the Find menu. priority 6 scheduling enabled. priority 8 scheduling enabled. 
*** buffer overflow detected ***: pd terminated === Backtrace: = /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f75d3577f37] /lib/x86_64-linux-gnu/libc.so.6(+0xebdf0)[0x7f75d3576df0] pd[0x49b5c0] pd(pd_typedmess+0x45b)[0x456fab] pd(outlet_anything+0x4a)[0x458eca] pd(pd_typedmess+0x1db)[0x456d2b] pd(binbuf_eval+0x90b)[0x4600fb] pd(outlet_list+0x4a)[0x458e3a] pd[0x455b5c] pd(outlet_float+0x3f)[0x458d0f] pd(outlet_bang+0x29)[0x458be9] pd(sched_tick+0x77)[0x463047] pd(m_mainloop+0x1e9)[0x463319] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7f75d34a9ead] pd[0x415161] === Memory map: 0040-004e7000 r-xp fe:00 661348 /usr/bin/puredata 006e6000-006e7000 r--p 000e6000 fe:00 661348 /usr/bin/puredata 006e7000-006e9000 rw-p 000e7000 fe:00 661348 /usr/bin/puredata 006e9000-006f8000 rw-p 00:00 0 017e5000-018cc000 rw-p 00:00 0 [heap] 7f75c8fa7000-7f75c8fa8000 r-xp fe:00 924698 /usr/lib/pd-extended/extra/creb/ead~.pd_linux 7f75c8fa8000-7f75c91a8000 ---p 1000 fe:00 924698 /usr/lib/pd-extended/extra/creb/ead~.pd_linux 7f75c91a8000-7f75c91a9000 r--p 1000 fe:00 924698 /usr/lib/pd-extended/extra/creb/ead~.pd_linux 7f75c91a9000-7f75c91aa000 rw-p 2000 fe:00 924698 /usr/lib/pd-extended/extra/creb/ead~.pd_linux 7f75c91aa000-7f75c91ab000 r-xp fe:00 927354 /usr/lib/
Bug#677713: ipsec-tools: General update after the debconf review process
Just starting work, give me a few hours and I will finish later this afternoon.

On 14/07/12 04:36, Christian PERRIER wrote:
> Quoting Christian PERRIER (bubu...@debian.org):
>> Dear Debian maintainer,
>>
>> On Saturday, June 16, 2012, I sent you a notification about the beginning of a review
>> action on debconf templates for ipsec-tools.
>>
>> Then, I sent you a bug report with rewritten templates and announcing
>> the beginning of the second phase of this action: call for translation
>> updates.
>>
>> Translators have been working hard and here is now the result of their
>> efforts.
>>
>> Please consider using it EVEN if you committed files to your
>> development tree as long as they were reported.
>
>
> Is an upload planned at some point? Now that we are in freeze, I tend
> to be more pushy for translations to be includedand I don't
> hesitate NMUing packages when it takes too much time (I can't focus on
> dozens of packages at the same time).
>
> Many thanks in advance for your answer.
Bug#681641: netscript-2.4: Missing quotes in if.conf for brg_iface() resulted in seriously misconfigured network
Package: netscript-2.4
Version: 5.2.11
Severity: serious
Tags: patch

Missing quotes when setting up bridge resulted in vlaned eth0 interface being on bridge brg0 with its vlan1 vlan interface. vlan2 was connected to internet. vlan1 traffic was slow, and connectivity came and went.

This happened when IPv6 was explicitly disabled for eth0, and eth0 was not configured onto a bridge.

It is a corner case configuration with a serious result in network not functioning, and in the case of this system involved, leaking internal traffic to the Internet. Network configuration was not such that a system on Internet could connect internally.

Quotes put on 3rd and 4th arguments to brg_iface up in if.conf fixes this situation.

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages netscript-2.4 depends on:
ii bash 4.2-2
ii bridge-utils 1.5-4
ii iproute 20120521-3
ii iptables 1.4.14-2
ii isc-dhcp-client [dhcp3-client] 4.2.2.dfsg.1-5
ii netbase 5.0

Versions of packages netscript-2.4 recommends:
ii quagga 0.99.21-3

Versions of packages netscript-2.4 suggests:
ii dnsmasq 2.62-3
ii quagga 0.99.21-3
pn resolvconf
pn whereami
pn wicd
pn wpasupplicant

-- Configuration Files:
/etc/netscript/if.conf changed:
SED_IFSTR='s/\([A-Za-z]*\)[0-9]*$/\1/'
SED_IPV4STR='s/^.*inet \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+[/0-9]\+\) .*$/\1/'
SED_IPV6STR='s/^.*inet6 \([0-9a-f]\+\:.*\:[0-9a-f]\+[/0-9]\+\) .*$/\1/'
SED_IPV6ADDR="sed -e 's/:0\+\([0-9a-fA-F]\+\)/:\1/g' | sed -e 's/^0\+\([0-9a-fA-F]\+\)/\1/'| sed -e 's/\(:0\)\+:\(:0\)*\|\(:0\)*:\(:0\)\+/:/'"
SED_IPV4ADDR="sed -e 's/\.0\+\([0-9a-fA-F]\+\)/.\1/g' | sed -e 's/^0\+\([0-9a-fA-F]\+\)/\1/'"
if_addr_start () {
    local IPADDR2 ADDR ADDR2
    local ADDRS
    local ANS
    local OIFS
    local IFACE=$1
    # Glue stuff
    if [ -n "$MASKLEN" ]; then
        IPADDR="${IPADDR}/${MASKLEN}"
    fi
    if [ -n "$PTPADDR" ]; then
        IPADDR="${IPADDR}_peer_${PTPADDR}"
    fi
    if [ -n "$BROADCAST" ]; then
        IPADDR="${IPADDR}_brd_${BROADCAST}"
    fi
    if [ -n "$IP_EXTRA_ADDRS" ]; then
        IPADDR="$IPADDR $IP_EXTRA_ADDRS"
    fi
    # Take care of leading zeroes in supplied addresses
    for ADDR in $IPADDR; do
        if echo $ADDR | grep -q ':'; then
            #IPv6
            ADDR2=`echo $ADDR | eval $SED_IPV6ADDR`
            IPADDR2="$IPADDR2 $ADDR2"
        else
            #IPv4
            ADDR2=`echo $ADDR | eval $SED_IPV4ADDR`
            IPADDR2="$IPADDR2 $ADDR2"
        fi
    done
    IPADDR="$IPADDR2"
    # Set up link MTU etc
    ip link set $1 $IFCFG_MULTICAST $IFCFG_MTU
    # Set up IPv6 Interface sysctl here before interface goes up
    ifv6_setproc $1 accept_redirects $IPV6_ACCEPT_REDIRECTS
    ifv6_setproc $1 accept_ra $IPV6_ACCEPT_RA
    ifv6_setproc $1 accept_ra_pinfo $IPV6_ACCEPT_RA_PINFO
    ifv6_setproc $1 accept_ra_rt_info_max_plen $IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN
    ifv6_setproc $1 disable_ipv6 $IPV6_DISABLE
    ifv6_setproc $1 forwarding $IPV6_FWDING
    ifv6_setproc $1 router_solicitations $IPV6_ROUTER_SOLICITATIONS
    ifv6_setproc $1 use_tempaddr $IPV6_PRIVACY
    # Bring the interface up
    ip link set dev $1 up
    # This one has to be set after interface up
    ifv6_setproc $1 mtu $IPV6_MTU
    # Set up the addresses on the interface
    ADDRS=`ip addr show dev $IFACE | grep '^.*inet[ 46]' \
        | sed -e "$SED_IPV4STR" | sed -e "$SED_IPV6STR"`
    for ADDR in $IPADDR; do
        for ADDR2 in $ADDRS; do
            ADDR2=`echo $ADDR2 | sed -e 's/\/32\|\/128//'`
            ANS=${ADDR#$ADDR2}
            if [ "$ANS" != "$ADDR" ]; then
                continue 2
            fi
        done
        OIFS=$IFS
        IFS="${IFS}_"
        ip addr add $ADDR dev $IFACE
        IFS=$OIFS
    done
    # Strip out addresses that should not be there
    for ADDR in $ADDRS; do
        # Don't delete IPv6 link local addresses
        if echo $ADDR | grep -q -i '^fe[89ab]'; then
            continue
        fi
        ANS=`echo $IPADDR | grep $ADDR`
        if [ -z "$ANS" ]; then
            ip addr del $ADDR dev $IFACE
Bug#679828: libc6: No easy way of enabling DNSSEC validation aka RES_USE_DNSSEC
Package: libc6
Version: 2.13-34
Severity: Serious
Tags: security

Hi!

I am submitting this report as there seems to be no easy way to get DNSSEC validation happening for all DNS lookups. This is a litmus test to make sure we cover this matter, or see if we have an easy procedure in wheezy to enable client DNSSEC validation.

With the DNS root zone now signed, and .org and .net, and many soon to be done country specific TLDs, there does not appear to be any easy way of taking advantage of this in wheezy or sid.

From my investigations this can only be enabled by recompiling each bit of software to set the RES_USE_DNSSEC flag in _res.options, as well as RES_USE_EDNS0. (Please see racoon bug #679483). The enablement method is from openssh 6.0p1, openbsd-compat/getrrsetbyname.c

Please create a resolv.conf flag so that RES_USE_DNSSEC is available to the systems administrator, and maybe a debconf screen to select it.

This is about proactively avoiding DNS spoofing and securing against it.

Regards,

Matthew Grant

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6 depends on:
ii libc-bin 2.13-34
ii libgcc1 1:4.7.1-2

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii debconf [debconf-2.0] 1.5.44
ii glibc-doc 2.13-34
ii locales 2.13-34

-- debconf information:
glibc/upgrade: true
glibc/disable-screensaver:
glibc/restart-failed:
glibc/restart-services:
libraries/restart-without-asking: false
Bug#679483: racoon.conf 'peers_certfile dnssec' does not do DNSSEC validation.
Package: racoon
Version: 1:0.8.0-12
Severity: normal
Tags: upstream

Dear Maintainer,

Re racoon.conf 'peers_certfile dnssec'

On looking at the code for this option, which is little used yet, the daemon does not set the RES_USE_DNSSEC or RES_USE_EDNS0 in src/racoon/dnssec.c

Ssh had to be compiled with this option for DNSSEC SSHFP checking to work. See Debian bug #569592

There is the option to link racoon/ipsec-tools against lwres, and from the look of the code, it looks like NetBSD has RES_USE_DNSSEC from resolv.h turned on.

Will create patch to fix, as I am interested in using this option.

This code is little used yet, as DNSSEC is only just starting to spread. From the looks of it, I believe most client DNS resolvers are buggy in this area. Thus, I have classified this with priority normal.

Regards,

Matthew Grant (myself)

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages racoon depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.44
ii ipsec-tools 1:0.8.0-12
ii libc6 2.13-33
ii libcomerr2 1.42.4-3
ii libgssapi-krb5-2 1.10.1+dfsg-1
ii libk5crypto3 1.10.1+dfsg-1
ii libkrb5-3 1.10.1+dfsg-1
ii libldap-2.4-2 2.4.31-1
ii libpam0g 1.1.3-7.1
ii libssl1.0.0 1.0.1c-3
ii perl 5.14.2-12

racoon recommends no packages.

racoon suggests no packages.

-- Configuration Files:
/etc/racoon/psk.txt [Errno 13] Permission denied: u'/etc/racoon/psk.txt'
/etc/racoon/racoon-tool.conf changed [not included]

-- debconf information excluded
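The per-program enablement described in this report and in Bug#679828 above, as an added example that is not code from racoon, OpenSSH or glibc: it sets RES_USE_EDNS0 and RES_USE_DNSSEC in _res.options and classifies a raw reply by its AD bit and RCODE. The function names, the verdict enum and the 12-byte sample headers are constructed for illustration.

```c
/* Added example: not code from glibc, OpenSSH or racoon. */
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

/* Verdicts for a raw DNS reply (hypothetical names, chosen for this example). */
enum dnssec_verdict {
    REPLY_MALFORMED = -1, /* too short, not a response, or truncated */
    REPLY_INSECURE  = 0,  /* answered, but the resolver did not vouch for it */
    REPLY_VALIDATED = 1,  /* AD bit set by the validating resolver */
    REPLY_SERVFAIL  = 2   /* what a validating resolver returns for bogus data */
};

/* Ask the stub resolver to send EDNS0 with the DNSSEC OK bit on every query
 * made by this process. Returns 0 on success, -1 if res_init() failed. */
int enable_dnssec_requests(void)
{
    if (!(_res.options & RES_INIT) && res_init() == -1)
        return -1;
    _res.options |= RES_USE_EDNS0 | RES_USE_DNSSEC;
    return 0;
}

/* Returns 1 when both flags are set in _res.options, 0 otherwise. */
int dnssec_requests_enabled(void)
{
    unsigned long want = RES_USE_EDNS0 | RES_USE_DNSSEC;
    return (_res.options & want) == want;
}

/* Classify a reply from its fixed 12-byte header.
 * Byte 2: QR(0x80) Opcode AA TC(0x02) RD; byte 3: RA Z AD(0x20) CD RCODE(0x0f). */
int classify_reply(const unsigned char *msg, size_t len)
{
    unsigned rcode;

    if (msg == NULL || len < 12)
        return REPLY_MALFORMED;
    if (!(msg[2] & 0x80) || (msg[2] & 0x02)) /* must be a response, not truncated */
        return REPLY_MALFORMED;

    rcode = msg[3] & 0x0f;
    if (rcode == 2)                          /* SERVFAIL */
        return REPLY_SERVFAIL;
    if (rcode != 0 && rcode != 3)            /* only NOERROR and NXDOMAIN can be vouched for */
        return REPLY_INSECURE;
    return (msg[3] & 0x20) ? REPLY_VALIDATED : REPLY_INSECURE;
}

/* Constructed sample headers (ID 0x1234, all section counts zero). */
static const unsigned char sample_validated[12] = {0x12, 0x34, 0x81, 0xa0};
static const unsigned char sample_insecure[12]  = {0x12, 0x34, 0x81, 0x80};
static const unsigned char sample_servfail[12]  = {0x12, 0x34, 0x81, 0x82};
static const unsigned char sample_query[12]     = {0x12, 0x34, 0x01, 0x20};

int main(void)
{
    if (enable_dnssec_requests() != 0) {
        fprintf(stderr, "resolver initialisation failed\n");
        return 1;
    }
    printf("flags set: %d\n", dnssec_requests_enabled());
    printf("validated: %d\n", classify_reply(sample_validated, sizeof sample_validated));
    printf("insecure:  %d\n", classify_reply(sample_insecure, sizeof sample_insecure));
    printf("servfail:  %d\n", classify_reply(sample_servfail, sizeof sample_servfail));
    printf("query:     %d\n", classify_reply(sample_query, sizeof sample_query));
    return 0;
}
```

Setting the flags only makes the stub resolver ask for DNSSEC data; the AD bit is the upstream resolver's verdict, so it carries weight only when the path to that resolver is trusted, for example a validating resolver on localhost.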
Bug#679482: racoon with privsep enabled segfaults with 'unauthorized domain'
Package: racoon
Version: 1:0.8.0-12
Severity: normal
Tags: upstream

Dear Maintainer,

When privsep is enabled, so that the network exposed racoon is not running as root, daemon dies with:

Jun 29 16:28:10 sid-dev racoon: ERROR: privsep_socket: unauthorized domain (15)
Jun 29 16:28:10 sid-dev kernel: [327028.659475] racoon[14085]: segfault at 10 ip 7fb7cde186ab sp 7fffcf87e1f0 error 4 in racoon[7fb7cddef000+92000]

This happens with anonymous as well as PSK keyed connections, and presumably happens with all different modes of authorization algorithms.

This network daemon ideally should not be running network exposed as root.

Running with privsep off, there are no problems with this.

Regards,

The Maintainer

Matthew Grant

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages racoon depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.44
ii ipsec-tools 1:0.8.0-12
ii libc6 2.13-33
ii libcomerr2 1.42.4-3
ii libgssapi-krb5-2 1.10.1+dfsg-1
ii libk5crypto3 1.10.1+dfsg-1
ii libkrb5-3 1.10.1+dfsg-1
ii libldap-2.4-2 2.4.31-1
ii libpam0g 1.1.3-7.1
ii libssl1.0.0 1.0.1c-3
ii perl 5.14.2-12

racoon recommends no packages.

racoon suggests no packages.

-- Configuration Files:
/etc/racoon/psk.txt [Errno 13] Permission denied: u'/etc/racoon/psk.txt'
/etc/racoon/racoon-tool.conf changed:
global:
  log: notify
  privsep: yes
peer(%default):
  certificate_type: x509 sid-dev.internal.anathoth.net-cert.pem sid-dev.internal.anathoth.net-key.pem
  #my_identifier: fqdn sid-dev.internal.anathoth.net
  lifetime: time 60 min
  #verify_identifier: on
  #verify_cert: on
  #authentication_method[0]: rsasig
connection(%anonymous):
  #admin_status: enabled
  admin_status: disabled
connection(%default):
  src_ip: 192.168.110.3
  src_range: 192.168.110.3/32
peer(192.168.110.5):
  #peers_identifier: fqdn sid-dev.internal.anathoth.net
connection(sid-dev):
  dst_ip: 192.168.110.5
  dst_range: 192.168.110.5/32
  mode: tunnel
  admin_status: enabled

-- debconf information:
* racoon/config_mode: racoon-tool
Bug#679481: racoon: Root network daemon compiled without _FORTIFY_SOURCE
Package: racoon
Version: 1:0.8.0-12
Severity: serious

Dear Maintainer,

Racoon has a history of network vulnerabilities, running as root on the host. It is concerning that it is compiled without all hardening options employed.

debian/rules has CFLAGS -D_FORTIFY_SOURCE=0, default debian compile flags are for this to be set to 2. This was apparently done to get a 0.8.0 beta release to compile on i386/i486. Is this 0 setting needed any more?

The lintian warnings given are 'hardening-no-fortify-source' which indicates the program is compiled with strcpy strcat et al, and strncpy, strncat not being substituted.

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages racoon depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.44
ii ipsec-tools 1:0.8.0-12
ii libc6 2.13-33
ii libcomerr2 1.42.4-3
ii libgssapi-krb5-2 1.10.1+dfsg-1
ii libk5crypto3 1.10.1+dfsg-1
ii libkrb5-3 1.10.1+dfsg-1
ii libldap-2.4-2 2.4.31-1
ii libpam0g 1.1.3-7.1
ii libssl1.0.0 1.0.1c-3
ii perl 5.14.2-12

racoon recommends no packages.

racoon suggests no packages.

-- Configuration Files:
/etc/racoon/psk.txt [Errno 13] Permission denied: u'/etc/racoon/psk.txt'
/etc/racoon/racoon-tool.conf changed [not included]

-- debconf information excluded
Bug#677713: [BTS#677713] templates://ipsec-tools/{racoon.templates} : Final update for English review
Dear Christian,

Hope you are not too busy.

On Thu, Jun 28, 2012 at 6:02 PM, Christian PERRIER wrote:
>
> Please review the suggested changes, and if you have any
> objections, let me know in the next 3 days.
>

After looking at the changes, I have a suggestion for the control file Description of the packages.

ipsec-tools and racoon are cross platform, and run on Debian/kfreebsd. The current full ipsec-tools/racoon are included in NetBSD as the IPSEC daemon, and in Mac OSX. It was the original IPSEC implementation that worked with the in kernel.org 2.6.x IPSEC stack, and was ported from the KAME IPv6 project (http://www.kame.net).

From 'apt-cache rdepends ipsec-tools' I believe all the IPSEC software on Debian depends on ipsec-tools, presumably for init scripts to initialise the in kernel IPSEC SPD and SAD tables.

Racoon is currently the ONLY IKE daemon for the Debian/kfreebsd architecture.

The control Description: should also mention that it works with Debian/kfreebsd.

Thank you very much for all your work,

Cheers,

Matthew Grant
Bug#677713: [RFR] templates://ipsec-tools/{racoon.templates}
Christian,

The wording in the template was changed as the racoon-tool script has had a major refresh, and I will be expanding and maintaining it in the future.

The previous wording was saying that it was deprecated as the NetBSD ipsec-tools people did not like it. I don't have access to that email conversation, but the message had a considerable bias that does not reflect the current state of affairs. The "direct" mode is pointed out clearly for the purpose it serves, and is mentioned first. However, racoon is rather uninformative in its log messages when it fails due to mis-configuration, and it does not manage the SPD like openswan/strongswan, hence racoon-tool perl script.

OK, The only thing changing here is the content of the message. Any variables, script logic is not being touched for stability reasons for Wheezy freeze. I have checked the new racoon-tool (I am its original author) for functionality carefully, and it is a lot better than the older version that was not even working.

There are no translations yet of the debconf messages for this package as far as I can remember, so another patch to clean up typos and make it clearer as Justin Rye may be warranted if only just for the sake of getting the English correct and up to policy standard, as this is an improvement on the status quo, and does not affect install logic.

Thanks heaps for your help,

Matthew Grant

On Mon, Jun 18, 2012 at 5:04 PM, Christian PERRIER wrote:
> Quoting Justin B Rye (j...@edlug.org.uk):
>
> > > debconf template messages/translations I believe can be changed during
> > > freeze, no?
> >
> > That sort of question is best addressed to d-l-e rather than me!
>
> Translations, yes.
>
> Debconf templates, I would insist you don't unless:
> - deeply required
> - fully coordinated with i18n team (particularly handling the
> translation update round and wait for a GO before uploading-->we're
> targeting full completion for a few languages and I track them one by
> one
Bug#677713: [RFR] templates://ipsec-tools/{racoon.templates}
On 17/06/12 06:16, Justin B Rye wrote:
> Justin B Rye wrote:
>> Description: IPsec utilities
>> IPsec (Internet Protocol security) offers end-to-end security for
>> network traffic at the IP layer.
>> .
>> This package is a port of the utilities from the KAME IPsec
>> implementation on BSD.
>
> Correction: actually my patch says "This package is a Linux port..."
> (and likewise for racoon).

Please collect changes in a diff. We are close to a freeze, just want current package to settle into wheezy.

debconf template messages/translations I believe can be changed during freeze, no?
Bug#677713: [ITR] templates://ipsec-tools/{racoon.templates}
Cool Christian,

I am good to go, and will review template for a later upload after Wheezy freeze, as I think language type stuff is a reason for release uploads.

Cheers,

Matthew Grant

On 16/06/12 23:11, Christian PERRIER wrote:
> Dear Debian maintainer,
>
> The Debian internationalisation team and the Debian English
> localisation team will soon begin the review of the debconf
> templates used in ipsec-tools.
>
> This review takes place for all packages that use debconf to interact with
> users and its aims are:
> - to improve the use of English in all debconf templates;
> - to make the wording of debconf templates more consistent;
> - to encourage more translations of templates.
>
> Even if your first language is English, this process is likely to help
> track down typos or errors, and improve consistency between the
> debconf templates of your package and that of other packages in the
> distribution.
>
> The process involves both debian-l10n-english contributors and
> Debian translators.
>
> The details of the process are given in
> http://wiki.debian.org/I18n/SmithDebconfReviewProcess.
>
> I will act as the coordinator of this activity for ipsec-tools.
>
> The first step of the process is to review the debconf source
> template file(s) of ipsec-tools. This review will start on Tuesday, June 19,
> 2012, or as soon as you acknowledge this mail with an agreement for us to
> carry out this process.
>
> All parts of the process will be carried out in close collaboration
> with you, and, unless you explicitly ask for it, no upload nor NMU
> will happen for ipsec-tools.
>
> If you approve this process, please let us know by replying to this
> mail. If some work in progress on your side would conflict with such a
> rewrite (such as adding or removing debconf templates), please say so,
> and we will defer the review to later in the development cycle.
>
> Thank you for your attention.
>
Bug#677642: Info received (Bug#677642: netscript-2.4: configuring interface step in boot process times out when trying to connect to fixed IP)
Have had further email with party concerned - he mis-configured the machine, so closing bug.

On Sat, Jun 16, 2012 at 8:27 AM, Debian Bug Tracking System <ow...@bugs.debian.org> wrote:
> Thank you for the additional information you have supplied regarding
> this Bug report.
>
> This is an automatically generated reply to let you know your message
> has been received.
>
> Your message is being forwarded to the package maintainers and other
> interested parties for their attention; they will reply in due course.
>
> If you wish to submit further information on this problem, please
> send it to 677...@bugs.debian.org.
>
> Please do not send mail to ow...@bugs.debian.org unless you wish
> to report a problem with the Bug-tracking system.
>
> --
> 677642: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677642
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>
Bug#677642: netscript-2.4: configuring interface step in boot process times out when trying to connect to fixed IP
Have a look at /etc/netscript/network.conf. Further down this file you will find eth_start/eth_stop functions. They hook functions to hook dhcp in for initial configuration (and where you can hook tunnel daemons etc).

Also configure eth0_IPADDR.

dpkg --purge ifupdown as it can cause some issues with unit script circular dependencies at times.

Please let me know how you go.

Matthew Grant

On Jun 16, 2012 4:39 AM, "Gilbert Sullivan" wrote:
> Package: netscript-2.4
> Version: 5.2.11
> Severity: normal
>
> Dear Maintainer,
>
> * What led up to the situation?
>
> On 05/18/2012 upgrade in netbase:amd64 (4.47, 5.0) resulted in
> automatic removal of ifupdown and automatic installation of
> netscript 2.4. Problem appeared first reboot following these
> changes to the system.
>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
>
> Setting system to connect using any fixed IP address results in a
> 60 second timeout at the configuring interface step of the boot
> process. Then the system goes on to a second 60 second timeout at
> the starting MTA step of the boot process.
>
> Setting system to connect via DHCP results in a normal boot process
> with no timeouts.
>
> I can turn off Wicd and prevent it from starting. Again,
> configuring /etc/network/interfaces for fixed IP address results in
> two 60 second timeouts, and configuring interfaces for DHCP results
> in a normal boot process with no timeouts.
>
> Hitting + key combination at the configuring interface prompt
> during the boot process causes the boot process to continue at a
> normal pace with no timeout at starting MTA step.
>
> * What was the outcome of this action?
>
> I believe I have eliminated Wicd as a suspect. I have also
> confirmed that the system does actually have the correct fixed IP
> address when these timeouts occur. But it LOOKS as though the
> system were waiting the timeout period to receive a DHCP lease.
>
> -- System Information:
> Debian Release: wheezy/sid
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages netscript-2.4 depends on:
> ii bash 4.2-2
> ii bridge-utils 1.5-3
> ii iproute 20120521-2
> ii iptables 1.4.13-1.1
> ii isc-dhcp-client [dhcp3-client] 4.2.2.dfsg.1-5
> ii netbase 5.0
>
> Versions of packages netscript-2.4 recommends:
> ii quagga 0.99.21-3
>
> Versions of packages netscript-2.4 suggests:
> ii dnsmasq 2.61-1
> ii quagga 0.99.21-3
> ii resolvconf 1.65
> ii whereami 0.3.34-0.3
> ii wicd 1.7.2.4-2
> ii wpasupplicant 1.0-2
>
> -- Configuration Files:
> /etc/netscript/ipfilter-defs/README [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/README'
> /etc/netscript/ipfilter-defs/dnat-defs [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/dnat-defs'
> /etc/netscript/ipfilter-defs/example.def [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/example.def'
> /etc/netscript/ipfilter-defs/example2.def [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/example2.def'
> /etc/netscript/ipfilter-defs/local.def [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/local.def'
> /etc/netscript/ipfilter-defs/masq-defs [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/masq-defs'
> /etc/netscript/ipfilter-defs/network-defs [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/network-defs'
> /etc/netscript/ipfilter-defs/prototypes-defs [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/prototypes-defs'
> /etc/netscript/ipfilter-defs/prototypes.sh [Errno 13] Permission denied: u'/etc/netscript/ipfilter-defs/prototypes.sh'
>
> -- no debconf information
>
Bug#639970: Difficult to due to racoon/setkey SPD management design
Racoon does not create all the SPD policy for manually configured IPSEC connections, and they have to be manually entered. It does not keep track of them, so it does not clean up on exit.

There are valid use cases for using setkey to set up static IPSEC keying for local network security for IPv6 local net ICMP multicast messages. Adding this feature to the racoon init script would break this.

Racoon/setkey is basically a 'lower level' tool than strongswan.

I have done a lot of work on racoon-tool which does manage the SPD based on the connections you have configured, which now supports X509 and PSK connections, transport and tunnel mode, IPv6 and IPv4, with X509 certs and PSK working, along with basic anonymous VPN server set up, and I am willing to put it up on backports.

Please tell me if these features cover your usage cases.

Cheers,

Matthew Grant
Bug#617859: sha384 and sha512 tested on Wheezy, Kernel 3.2
Hi Mats,

I have tested this on the current 3.2 kernel that is in Debian Wheezy, and both are now working. This is now solved for the testing distribution.

Since sha256 is working, and is more than adequate for giving good security, not doing anything for Lenny. Closing the bug as won't fix.

Cheers,

Matthew Grant
Bug#675423: python-setproctitle: Tar.gz file of debian/ for 1.1.6 for reference
Package: python-setproctitle
Version: 1.0.1-1
Followup-For: Bug #675423

Have packaged 1.1.6 for local use. Attaching my debian/ for python3-setproctitle, python-setproctitle for reference.

Python tests disabled due to the state of the code in upstream - does not work easily, binary pyrun3 needs to be compiled by gcc for test, and Makefile is horrible, make check creates py3 dir and files not used in build. Could not easily script in debian/rules, and old debian/rules test code can't install pyrun3/pyrun2 in test hook up - setup.py does not have a target for this

Cheers,

Matthew Grant

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Attachment: python-setproctitle-debian.tar.gz (GNU Zip compressed data)
Bug#675423: python-setproctitle: New upstream version 1.1.6, Python3 support missing.
Package: python-setproctitle
Version: 1.0.1
Severity: important

Dear Maintainer,

* What led up to the situation?

Python3 support needed for software I need to run on next stable release.

* What exactly did you do (or not do) that was effective (or ineffective)?

Trying to email Developer. He does not appear to be active.

* What was the outcome of this action?

Nothing heard yet, will give it a few days.

* What outcome did you expect instead?

A timely response. Wheezy freeze is coming up. Python 3 support for this is needed for work software, and administrative scripts and daemons. Clear output in ps and top prevents Sys admin confusion.

Considering NMU of package if no timely response by Tuesday.

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#675421: python-psutil: Unit test test_name fails for Python3.2, upstream issue 271
Package: python-psutil
Version: 0.4.1-1
Severity: normal
Tags: upstream

Dear Maintainer,

* What led up to the situation?

Work to support Python 3.2

* What exactly did you do (or not do) that was effective (or ineffective)?

Building the package

* What was the outcome of this action?

Filed bug upstream, issue no 271, URL: http://code.google.com/p/psutil/issues/detail?id=271

* What outcome did you expect instead?

Test passing. Test code does not account for the different names possible due to suffix added onto python3.2 binary name due to threading configuration etc.

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#675419: python-psutil: Unittest test_get_io_counters fails, upstream issue 270.
Package: python-psutil
Version: 0.4.1-1
Severity: normal
Tags: upstream

Dear Maintainer,

* What led up to the situation?

Adding Python3 support for package, noticed this unit test failure on python2.6, python2.7, and python3.2

* What was the outcome of this action?

Posted Bug upstream, Issue 270, URL: http://code.google.com/p/psutil/issues/detail?id=270

* What outcome did you expect instead?

Expected test to not fail. Just a thought, is this due to upstream not properly yet supporting Linux 3.2 kernel? My guess is that something has changed in /proc or /sys.

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#636526: python-psutil: Patch to support Python3.
Package: python-psutil
Version: 0.4.1-1
Followup-For: Bug #636526

Dear Maintainer,

We have some internal work Python 3 packages that would like to deploy on Wheezy, and we depend on your package.

The attached patch also closes Bug #637382, as dh_python2 and dh_python3 are required to effect the Python3 build.

In doing the guides on the Debian wiki: http://wiki.debian.org/Python/TransitionToDHPython2 and http://wiki.debian.org/Python/LibraryStyleGuide were followed.

debian/rules was carefully merged with the example in the LibraryStyleGuide, debian/control updated. Please note that your test code in debian rules was very carefully moved and made compatible with the LibraryStyleGuide, and has had the filter 'nocheck' for DEB_BUILD_OPTIONS added. In the default build, all the tests still run. The print statement you used to get the python $LIB has had parentheses added for Python3, and I checked the LIB statement was backwards compatible on python2.6 and python2.7

I did note the test_get_io_counters failure on all 3 versions of Python, and this maybe due to moving to the 3.2 kernel. The Python3.2 test test_name failed due to the underlying python binary being 'python3.2mu' instead of 'python3.2' but these are definitely separate bugs to the build bugs.

This also creates a python-psutil-doc package, and Recommends it to the different library package. Lintian was giving issues about clashes in the docs and this seems to be the best way of resolving it.

There are two lintian warnings:

W: python-psutil: hardening-no-relro usr/lib/python2.6/dist-packages/_psutil_linux.so
W: python-psutil: hardening-no-relro usr/lib/python2.6/dist-packages/_psutil_posix.so

but these look like they were already there before this patch. I can

Please look this over and get back to me. Could we collaborate on this please? This patch contains almost all the work that needs to be done. If you like, I can branch the svn archive, and you can edit this work so that you are happy with it.
It would be good to get it in for wheezy. Cheers, Matthew Grant, DD since before 2005 *** End of the template - remove these lines *** -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core) Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Index: debian/changelog === --- debian/changelog (revision 21979) +++ debian/changelog (working copy) @@ -1,3 +1,10 @@ +python-psutil (0.4.1-2~ae123) UNRELEASED; urgency=low + + * Add support for Python 3.x build (Closes: #636526) + * Move from python-support to dh_python2 and dh_python3 (Closes: #637382) + + -- Matthew Grant Thu, 31 May 2012 11:40:12 +1200 + python-psutil (0.4.1-1) unstable; urgency=low * New upstream release Index: debian/python3-psutil.install === --- debian/python3-psutil.install (revision 0) +++ debian/python3-psutil.install (revision 0) @@ -0,0 +1 @@ +usr/lib/python3 Index: debian/docs === --- debian/docs (revision 21979) +++ debian/docs (working copy) @@ -1 +0,0 @@ -docs Index: debian/rules === --- debian/rules (revision 21979) +++ debian/rules (working copy) 
@@ -1,23 +1,36 @@ #!/usr/bin/make -f +DH_VERBOSE=1 -PYVERS:=$(shell pyversions -s) +PYTHON2:=$(shell pyversions -vr) +PYTHON3:=$(shell py3versions -vr) %: - dh $@ + dh $@ --with python2,python3 -build: - dh build - - # run tests +ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) +test-python%: -for test in test_memory_leaks.py test_psutil.py ;\ do \ - for python in $(PYVERS) ; do \ - echo "running "test/$$test" on "$$python ; \ - LIB=$$($$python -c "from distutils.command.build import build ; from distutils.core import Distribution ; b = build(Distribution()) ; b.finalize_options() ; print b.build_platlib") ; \ - PYTHONPATH=$$LIB $$python test/$$test ; \ - done \ + echo "running "test/$$test" on "python$* ; \ + LIB=$$(python$* -c "from distutils.command.build import build ; from distutils.core import Distribution ; b = build(Distribution()) ; b.finalize_options() ; print(b.build_platlib)") ; \ + PYTHONPATH=$$LIB python$* test/$$test ; \ done +override_dh_auto_test: $(PYTHON2:%=test-python%) $(PYTHON3:%=test-python%) +endif + +build-python%: + python$* setup.py build + +override_dh_auto_build: $(PYTHON3:%=build-python%) + dh_auto_build + +install-python%: + python$* setup.py install --root=$(CURDIR)/debian/tmp --install-layout=deb + +override_dh_auto_install: $(PYTHON3:%=install-python%) + dh_auto_install + override_dh_install
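Review bot: the new debian/changelog entry lists only the Python 3 build and the move to dh_python2/dh_python3, but the accompanying message says the change also creates a python-psutil-doc package, and the debian/docs hunk drops `docs` with no explanation in the log. Add a changelog line for the documentation split so that removal is accounted for. The version string `0.4.1-2~ae123` with UNRELEASED reads like a local build and would need resetting before an upload.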
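Review bot: in the debian/rules hunk the test-python% recipe keeps the leading `-` on `-for test in ...`, so make ignores the exit status and override_dh_auto_test cannot fail the build even when a test run fails. Since the message names two known failures, skip those tests explicitly and drop the `-`, making the loop stop on the first non-zero exit. `DH_VERBOSE=1` is also added as a plain make variable; without `export` debhelper only sees it if it is already in the environment, so write `export DH_VERBOSE=1` or leave it out of the upload.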
Bug#650176: racoon: include patch for checkpoint xauth
I am going to be doing a round of maintaining on the package shortly, and will try to include the patch if it applies.

Cheers,

Matthew

On Tue, May 15, 2012 at 12:13 PM, Dominic Evans wrote:
> +1 to this
>
> applies cleanly to current debian package as next patch in series
>
> $ quilt push -a
> $ quilt import ipsec-tools-0.7.3-checkpoint-v1.patch
> $ quilt refresh --strip-trailing-whitespace
>
Bug#661668: racoon: uninstallable on squeeze - something error happened while pfkey initializing
Hi Simon!

Which kernel are you running with? Distribution or self-compiled?

Either your xfrm kernel modules are not loading or they are not compiled. I will have a quick look into it, with a clean squeeze install. If it works there (which I think it will) I will be closing the bug.

Anyhow, I am reducing priority of this bug to normal as 0.8.0 is working well in testing/unstable.

Cheers,

Matthew
Bug#656474: ipsec-tools: racoon: Make verification of x509 CRLs optional
This is something set up by upstream, and in big government deployments it could be seen as considered necessary/mandatory. IE - The ability to turn it off may be considered an anti-feature and security hole...

CRLs actually have their weaknesses due to update issues when the network does not go... IPSEC public keys in a DNSSEC signed DNS domain zone don't suffer like this.

Have you considered setting up your own small CA, rather than using the ones backed by Verisign etc? This would significantly reduce the chain length, and avoid exposure to a CA compromise.

The package tinyca is the one I use to generate my own CA and X509 certs for internal and VPN usage. It's a Perl GTK application that wraps OpenSSL, and can have multiple CAs.

On Fri, Jan 20, 2012 at 5:31 AM, Jan Sievers <siev...@kokosinseln.zedat.fu-berlin.de> wrote:
> Package: ipsec-tools
> Version: 1:0.7.3-12
> Severity: wishlist
> Tags: upstream
>
> Currently when configured to verify peer x509 certificates ("verify_cert
> on") this includes the
> verification of certificate revocation lists (CRL).
>
> Racoon sets the following OpenSSL flags:
>
>    X509_V_FLAG_CRL_CHECK
>    X509_V_FLAG_CRL_CHECK_ALL
>
> before asking OpenSSL to verify the certificate.
>
> This will produce warnings in the racoon log file, if the CRL lists are not
> present. This is especially annoying, if the certificates are part of a
> certificate chain, because for every certificate in the chain racoon will
> print this warning.
>
> I think it would be nice to have a configuration option like
>
>    verify_crl [on|all|off]
>
> so I could let the certificates be verified, but either don't care about
> CRLs at all or just care about the actual peer certificate and not the
> intermediate CAs. If the intermediate CA certs get revoked, I would surely
> want to know, but do not want that our systems stop talking to each other
> right away.
>
> Regards,
> Jan
>
> -- System Information:
> Debian Release: 6.0.3
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
> Locale: LANG=C, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages ipsec-tools depends on:
> ii  libc6             2.11.2-10             Embedded GNU C Library: Shared lib
> ii  libcomerr2        1.41.12-4stable1      common error description library
> ii  libgssapi-krb5-2  1.8.3+dfsg-4squeeze5  MIT Kerberos runtime libraries - k
> ii  libk5crypto3      1.8.3+dfsg-4squeeze5  MIT Kerberos runtime libraries - C
> ii  libkrb5-3         1.8.3+dfsg-4squeeze5  MIT Kerberos runtime libraries
> ii  libpam0g          1.1.1-6.1+squeeze1    Pluggable Authentication Modules l
> ii  libssl0.9.8       0.9.8o-4squeeze5      SSL shared libraries
>
> ipsec-tools recommends no packages.
>
> ipsec-tools suggests no packages.
>
> -- Configuration Files:
> /etc/init.d/setkey changed [not included]
> /etc/ipsec-tools.conf changed [not included]
>
> -- no debconf information
Bug#650310: Jackd 2 driver buggy - puredata locks up toggling DSP on/off.
Package: puredata
Version: 0.43.0-4
Severity: grave
Tags: upstream

Puredata locks up when toggling DSP on/off, and it opens/closes its jackd connections. There are also problems running jackd asynchronously, with lots of error messages.

What makes this bug grave is that most default Debian installs are running pulseaudio which is a required dependency for the default desktop, and most workstations only have one audio device. Pulseaudio is very hard to kill off, being restarted automatically when it is not there. Puredata works with its ALSA drivers, but you cannot use those drivers with pulseaudio hogging the audio devices.

Jackd2 can be installed and run from qjackctl, which is what you expect if you want performance audio, but then puredata will not work properly due to its buggy jack implementation.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages puredata depends on:
ii  puredata-core   0.43.0-4
ii  puredata-dev    0.43.0-4
ii  puredata-doc    0.43.0-4
ii  puredata-extra  0.43.0-4
ii  puredata-gui    0.43.0-4
ii  puredata-utils  0.43.0-4

Versions of packages puredata recommends:
ii  gem  1:0.92.3-2+b1

Versions of packages puredata suggests:
pn  pd-aubio
pn  pd-csound
pn  pd-pdp
pn  pd-zexy

-- no debconf information

-- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#622134: transition: openssl 1.0.0
Hi Julien

This should be fixed for ipsec-tools and racoon as of 0.8.0-9 on sid. Checked on sid amd64 via apt-cache depends. Building again on kfreebsd-i386 and kfreebsd-amd64 via buildd. Closed the 2 bugs that kept kfreebsd.

Let's see if this package makes it to testing.

Cheers,

Matthew

On Thu, 2011-10-06 at 20:46 +0200, Julien Cristau wrote:
> On Sun, Apr 10, 2011 at 16:02:14 +0200, Kurt Roeckx wrote:
>
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> >
> > This is to track the transition of openssl 1.0.0. Most of the
> > problems are related to dropping SSLv2 support.
> >
> openssl098 is still kept in testing by:
> - ace (ICE on armel)
> - beid (RC-buggy, candidate for removal)
> - ipsec-tools (#619687 #643570, has reverse dependencies)
> - isakmpd (#622051, candidate for removal)
> - isdnutils (#618228, has reverse dependencies)
> - pantomime1.2 (part of the gnustep transition)
> - transgui (#632532, candidate for removal)
>
> A fix for the ones with reverse dependencies would be nice...
>
> Cheers,
> Julien
Bug#643570: ipsec-tools: FTBFS(kfreebsd): symbol change
Hi Setting up a Debian kfreebsd sid VM to get this sorted on the weekend. If you want to help, can give you ssh access. Cheers, Matthew On Wed, Sep 28, 2011 at 6:28 AM, Christoph Egger wrote: > Package: src:ipsec-tools > Version: 1:0.8.0-6 > Severity: serious > Tags: sid wheezy > User: debian-...@lists.debian.org > Usertags: kfreebsd > X-Debbugs-Cc: debian-...@lists.debian.org > > Hi! > > Your package failed to build on the kfreebsd-* buildds: > > --- debian/ipsec-tools.symbols (ipsec-tools_1:0.8.0-6_kfreebsd-amd64) > +++ dpkg-gensymbolsSHAP1q 2011-09-26 19:18:51.0 + > @@ -71,7 +71,7 @@ > pfkey_send_get@Base 0.7.3 > pfkey_send_getspi@Base 0.7.3 > pfkey_send_getspi_nat@Base 0.8.0 > - pfkey_send_migrate@Base 0.7.3 > +#MISSING: 1:0.8.0-6# pfkey_send_migrate@Base 0.7.3 > pfkey_send_promisc_toggle@Base 0.7.3 > pfkey_send_register@Base 0.7.3 > pfkey_send_spdadd2@Base 0.7.3 > make[1]: *** [override_dh_perl] Error 1 > make[1]: Leaving directory > `/build/buildd-ipsec-tools_0.8.0-6-kfreebsd-amd64-RNpoBK/ipsec-tools-0.8.0' > make: *** [binary-arch] Error 2 > > Full build log at > > https://buildd.debian.org/status/fetch.php?pkg=ipsec-tools&arch=kfreebsd-amd64&ver=1%3A0.8.0-6&stamp=1317064813 > > Regards > >Christoph > > If you have further questions please mail debian-...@lists.debian.org > > -- > 9FED 5C6C E206 B70A 5857 70CA 9655 22B9 D49A E731 > Debian Developer | Lisp Hacker | CaCert Assurer > > >
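Review bot: the quoted symbols diff marks only pfkey_send_migrate@Base 0.7.3 as #MISSING on kfreebsd-amd64 while the neighbouring pfkey_send_* entries are still present, so the symbol looks absent on kfreebsd rather than dropped from the library; mark that one entry in debian/ipsec-tools.symbols as architecture-specific instead of deleting it, so the builds that do export it keep being checked.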
Bug#613257: wiican: Depends on upstart
Sorry I have taken so long. Just got to the point where I can work on this. My Laptop with bluetooth was out for the six with a crash on boot type scenario due to incorrect kernel config...

Regards,

Matthew

On Sun, Apr 3, 2011 at 3:04 AM, Julien Cristau wrote:
> severity 613257 serious
> kthxbye
>
> On Sun, Feb 13, 2011 at 11:06:03 -0800, Josh Triplett wrote:
>
> > Package: wiican
> > Version: 0.3.1-4
> > Severity: normal
> >
> > wiican depends on upstart. Normal packages should never depend on a
> > particular init system; they just need to work with the init system the
> > user has installed. If the package provides an upstart job, I think a
> > compatibility interface exists to run that job as a normal init script.
> > If the package doesn't provide an upstart job, then you should just drop
> > the dependency.
> >
> Ack (actually, normal packages should *not* provide upstart jobs in
> Debian at this point, AFAIK). In addition, wiiscan is being built on
> kfreebsd, but as upstart is not available there it's not installable.
>
> Cheers,
> Julien
Bug#592340: Patch for bug
here's the patch for reference -- Show where the quotes are missing. --- netscript 2009-12-21 09:26:18 + +++ netscript 2010-07-29 00:30:30 + @@ -941,7 +941,7 @@ return 0 ;; esac - eval local IF_CHAIN_AUTO=\${"$1"_IF_CHAIN_AUTO:-""} + eval local IF_CHAIN_AUTO=\"\${"$1"_IF_CHAIN_AUTO:-""}\" if_up $1 && vb echo -n " $1" for IF in $IF_CHAIN_AUTO; do if_up $IF && vb echo -n " $IF" @@ -969,8 +969,8 @@ ;; esac local REV_IF_CHAIN - eval local IF_CHAIN=\${"$1"_IF_CHAIN:-""} - eval local IF_CHAIN_AUTO=\${"$1"_IF_CHAIN_AUTO:-""} + eval local IF_CHAIN=\"\${"$1"_IF_CHAIN:-""}\" + eval local IF_CHAIN_AUTO=\"\${"$1"_IF_CHAIN_AUTO:-""}\" IF_CHAIN="$IF_CHAIN_AUTO $IF_CHAIN" for IF in $IF_CHAIN; do REV_IF_CHAIN="$REV_IF_CHAIN $IF" signature.asc Description: This is a digitally signed message part
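Review bot: both hunks still splice "$1" straight into the text handed to eval as part of a variable name, so an interface argument that is not a valid shell identifier (a VLAN name such as eth0.100, an alias containing a colon, or anything carrying shell metacharacters) makes the eval fail or evaluate text that was never meant to run. The added quotes fix the word splitting of the value; it would be worth also rejecting any $1 that does not match [A-Za-z0-9_] before the eval, and quoting $1 and $IF in the if_up calls.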
Bug#592340: netscript-2.4: Missing quotes prevent eth0_IF_CHAIN_AUTO from handling more than one interface.
Package: netscript-2.4
Severity: important

Only one interface can be specified in the string, when it should handle many. This can prevent networking from coming up correctly, possibly rendering parts of network unreachable.

I am the DD and upstream author of this package. This is a bug I discovered while at work. Fix is just adding quotes in the correct places. A patch is included for reference.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_NZ.utf8, LC_CTYPE=en_NZ.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#561627: sysvinit ALWAYS replaces upstart on dist-upgrade
Package: sysvinit
Version: 2.87dsf-8
Severity: normal

I should be able to install the system /sbin/init I want, not one that is forced because it is 'essential'.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.31-1-686 (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sysvinit depends on:
ii  initscripts     2.87dsf-8  scripts for initializing and shutt
ii  libc6           2.10.2-2   GNU C Library: Shared libraries
ii  libselinux1     2.0.89-4   SELinux runtime shared libraries
ii  libsepol1       2.0.40-2   SELinux library for manipulating b
ii  sysv-rc         2.87dsf-8  System-V-like runlevel change mech
ii  sysvinit-utils  2.87dsf-8  System-V-like utilities

sysvinit recommends no packages.

sysvinit suggests no packages.

-- no debconf information
Bug#547509: Patch used in NMU version 5.1.7+nmu3
Peter, Sorry for not responding sooner. I have been quite lax with my maintenance due to study reasons, and I also managed to forget the passphrase to my old GPG key. I am in the process of getting a new key. I got a 1024 bit DSA key signed by another Debian Developer just yesterday, but I doubt that it will be accepted due to new preferences on key strength using at least 2048 bit and SHA2 instead of SHA1. I will get a new version of the package uploaded once this is sorted out. Best Regards, Matthew Grant On Sun, 2009-09-20 at 14:48 +0200, Petter Reinholdtsen wrote: > Package: netscript-2.4 > Version: 5.1.7+nmu3 > Severity: wishlist > Tags: patch > > This is the patch I used in my NMU. > > diff -Nru netscript-2.4-5.1.7+nmu2/debian/changelog > netscript-2.4-5.1.7+nmu3/debian/changelog > --- netscript-2.4-5.1.7+nmu2/debian/changelog 2009-09-13 13:27:27.0 > +0200 > +++ netscript-2.4-5.1.7+nmu3/debian/changelog 2009-09-20 14:46:27.0 > +0200 > @@ -1,3 +1,12 @@ > +netscript-2.4 (5.1.7+nmu3) unstable; urgency=low > + > + * Non-maintainer upload to fix release goal. > + * Make ifupdown init.d scrtip dependency optional, to avoid having the > +package depend on ifupdown. Fixes installation problem detected by > +piuparts. > + > + -- Petter Reinholdtsen Sun, 20 Sep 2009 14:45:23 +0200 > + > netscript-2.4 (5.1.7+nmu2) unstable; urgency=low > >* Non-maintainer upload. > diff -Nru netscript-2.4-5.1.7+nmu2/netscript.init > netscript-2.4-5.1.7+nmu3/netscript.init > --- netscript-2.4-5.1.7+nmu2/netscript.init 2009-09-13 12:54:54.0 > +0200 > +++ netscript-2.4-5.1.7+nmu3/netscript.init 2009-09-20 14:46:04.0 > +0200 
> @@ -1,8 +1,9 @@ > #! /bin/sh -e > ### BEGIN INIT INFO > # Provides: netscript > -# Required-Start:mountkernfs $local_fs ifupdown > +# Required-Start:mountkernfs $local_fs > # Required-Stop: $local_fs > +# Should-Start: ifupdown > # X-Start-Before:networking > # Default-Start: S > # Default-Stop: 0 6 > > Happy hacking, signature.asc Description: This is a digitally signed message part
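Review bot: in the debian/changelog hunk "scrtip" should read "script", and the entry names no bug number for the piuparts installation failure it says it fixes, so the upload closes nothing in the tracker. The netscript.init hunk itself, moving ifupdown from Required-Start to Should-Start, matches what the changelog describes.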
Bug#546459: netscript-2.4: Patch used in NMU version 5.1.7+nmu2
Hi! I have lost the password to my gpg key, and I am contacting a local Debian Developer tomorrow to get this sorted - It was time I created a stronger key anyhow. Cheers, Matthew Grant On Sun, Sep 13, 2009 at 11:27 PM, Petter Reinholdtsen wrote: > > Package: netscript-2.4 > Version: 5.1.7+nmu2 > Severity: wishlist > Tags: patch > > This is the patch I used in the updated NMU I just uploaded. > > diff -Nru netscript-2.4-5.1.7/debian/changelog > netscript-2.4-5.1.7+nmu2/debian/changelog > --- netscript-2.4-5.1.7/debian/changelog 2008-12-30 01:42:53.0 > +0100 > +++ netscript-2.4-5.1.7+nmu2/debian/changelog 2009-09-13 12:58:52.0 > +0200 > @@ -1,3 +1,19 @@ > +netscript-2.4 (5.1.7+nmu2) unstable; urgency=low > + > + * Non-maintainer upload. > + * Patched the wrong file in the last upload. Patch netscript.init, > + not debian/init. Make sure to remove the debian/init copy in the > + clean target of debian/rules. Last NMU is obsolete (Closes: #546457). > + > + -- Petter Reinholdtsen Sun, 13 Sep 2009 12:55:24 +0200 > + > +netscript-2.4 (5.1.7+nmu1) unstable; urgency=low > + > + * Non-maintainer upload to fix release goal. > + * Fix init.d script dependency headers (Closes: 542246). > + > + -- Petter Reinholdtsen Sun, 13 Sep 2009 11:58:38 +0200 > + > netscript-2.4 (5.1.7) unstable; urgency=low > > * Remove suggests entry in debian/control for waproamd. (Closes: #509392) > @@ -6,7 +22,7 @@ > > netscript-2.4 (5.1.6) unstable; urgency=low > > - * Fix netscript so that ti will run with dash as /bin/sh. > + * Fix netscript so that it will run with dash as /bin/sh. > * Update my maintainer address to matthewgra...@gmail.com > > -- Matthew Grant Mon, 29 Dec 2008 13:17:53 +1300 > diff -Nru netscript-2.4-5.1.7/debian/rules > netscript-2.4-5.1.7+nmu2/debian/rules > --- netscript-2.4-5.1.7/debian/rules 2008-02-06 05:11:45.0 +0100 > +++ netscript-2.4-5.1.7+nmu2/debian/rules 2009-09-13 12:56:16.0 > +0200 
> @@ -22,6 +22,7 @@ > > # Add here commands to clean up after the build process. > # -$(MAKE) clean > + $(RM) debian/init > > dh_clean > > diff -Nru netscript-2.4-5.1.7/netscript.init > netscript-2.4-5.1.7+nmu2/netscript.init > --- netscript-2.4-5.1.7/netscript.init 2008-02-06 05:56:30.0 +0100 > +++ netscript-2.4-5.1.7+nmu2/netscript.init 2009-09-13 12:54:54.0 > +0200 > @@ -1,8 +1,9 @@ > #! /bin/sh -e > ### BEGIN INIT INFO > -# Provides: networking > -# Required-Start: mountkernfs $local_fs > +# Provides: netscript > +# Required-Start: mountkernfs $local_fs ifupdown > # Required-Stop: $local_fs > +# X-Start-Before: networking > # Default-Start: S > # Default-Stop: 0 6 > # Short-Description: Raise network interfaces, and setup iptables. > > Happy hacking, > -- > Petter Reinholdtsen > > > -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
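Review bot: in the netscript.init hunk, adding ifupdown to Required-Start makes the ifupdown init script a hard ordering requirement, and nothing in this patch adds a matching package dependency; unless netscript cannot start without it, Should-Start: ifupdown gives the same ordering without breaking installs where ifupdown is absent. In the debian/rules hunk, a one-line comment that debian/init is a copy of netscript.init would explain why the clean target removes it.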
Bug#467092: O: c-sig -- A signature tool for GNU Emacs
Package: wnpp
Severity: normal

Another thing that is on slow-bake. No new release since 1999/06/10. May be of interest to some emacs fans though.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Bug#467091: O: apollon -- KDE-based interface to giFT file-sharing system
Package: wnpp
Severity: normal

It is not used that much anymore, and it has been on slow bake upstream without any recent release. Last release 2005/05/08. This may be one for the dustbin.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Bug#416207: artsd ALSA failure - looks like same thing
Hi!

On my Debian sid installation I also get a similar failure

sharon: -grantma- [~] $ artsd
ALSA lib confmisc.c:1105:(snd_func_refer) Unable to find definition 'defaults.pcm.dmix_format'
ALSA lib conf.c:3500:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:3957:(snd_config_expand) Args evaluate error: No such file or directory
ALSA lib pcm.c:2143:(snd_pcm_open_noupdate) Unknown PCM dmix:CK8S
Error while initializing the sound driver: device: default can't be opened for playback (No such file or directory)

Machine is an NForce 3 SN95G2 shuttle, running i386 Debian unstable with Xen kernel compiled from Debian sources.

lspci lists sound card is a Multimedia audio controller: nVidia Corporation nForce3 250Gb AC'97 Audio Controller (rev a1)

Hope that this is helpful. Using OSS emulation is a workaround

--
Matthew Grant <[EMAIL PROTECTED]>
Bug#305734: asterisk: On PowerPC, hanging up on voicemail causes non-stop log messages
Package: asterisk
Version: 1:1.0.7.dfsg.1-2
Severity: normal
Tags: patch

Getting the compiler flags wrong (missing -fsigned-char) causes the following log message several times a second:

WARNING[7261]: Failed to write frame

Log grew fast giving possibility of file system filling up. This was caused by hanging up on the Voicemail.

Putting in missing double quotes around the grep on the machine type output to make sure the '-fsigned-char' was added to gcc command line fixed this.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.11-pmac-2.6
Locale: LANG=en_NZ, LC_CTYPE=en_NZ (charmap=ISO-8859-1)

Versions of packages asterisk depends on:
ii  asterisk-config       1:1.0.7.dfsg.1-2  config files for asterisk
ii  asterisk-sounds-main  1:1.0.5-2         sound files for asterisk
ii  libasound2            1.0.8-3           ALSA library
ii  libc6                 2.3.2.ds1-20      GNU C Library: Shared libraries an
ii  libgsm1               1.0.10-13         Shared libraries for GSM speech co
ii  libncurses5           5.4-4             Shared libraries for terminal hand
ii  libnewt0.51           0.51.6-20         Not Erik's Windowing Toolkit - tex
ii  libpq3                7.4.7-2           PostgreSQL C client library
ii  libpri1               1.0.7-1           Primary Rate ISDN specification li
ii  libspeex1             1.1.6-2           The Speex Speech Codec
ii  libsqlite0            2.8.16-1          SQLite shared library
ii  libssl0.9.7           0.9.7e-2          SSL shared libraries
ii  libtonezone1          1:1.0.7-3         tonezone library (runtime)
ii  unixodbc              2.2.4-11          ODBC tools libraries
ii  zlib1g                1:1.2.2-3         compression library - runtime

-- no debconf information

--- asterisk-1.0.7.dfsg.1/debian/patches/20_Makefile.dpatch 2005-04-22 07:12:51.0 +1200 +++ asterisk-1.0.7.dfsg.1-mine/debian/patches/20_Makefile.dpatch 2005-04-16 21:04:08.0 +1200 
@@ -80,7 +80,7 @@ endif -CFLAGS+=$(shell if uname -m | grep -q ppc; then echo "-fsigned-char"; fi) -+CFLAGS+=$(shell if uname -m | grep -q ppc\|arm\|s390\|s390x; then echo "-fsigned-char"; fi) ++CFLAGS+=$(shell if uname -m | grep -q "ppc\|arm\|s390\|s390x"; then echo "-fsigned-char"; fi) CFLAGS+=$(shell if [ -f /usr/include/osp/osp.h ]; then echo "-DOSP_SUPPORT -I/usr/include/osp" ; fi) ifeq (${OSARCH},FreeBSD)
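Review bot: the corrected "++CFLAGS" line depends on "\|" being treated as alternation in a basic regular expression, which is a GNU grep extension; grep -E -q "ppc|arm|s390" says the same thing portably. The s390x alternative is redundant because s390 already matches it, and the pattern is unanchored, so any machine string that merely contains ppc or arm gets -fsigned-char; a comment in the dpatch listing the uname -m values this is meant to cover would make that intent checkable.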
Bug#305731: zaptel command ztcfg freezes on PowerPC causing boot failure
Package: zaptel
Version: 2:1.0.7-1.mag.1
Severity: critical
Tags: patch
Justification: breaks the whole system

ztcfg command freezes on zaptel module loads, halting boot process when hotplug does its boot time stuff.

Same old Makefile/compiler flags problem as before - you forgot to put the double quotes around the arguments to grep!!! Basically as same for fix for asterisk on PPC going potty when someone hangs up on the voicemail!

Matthew Grant

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.11-pmac-2.6
Locale: LANG=en_NZ, LC_CTYPE=en_NZ (charmap=ISO-8859-1)

Versions of packages zaptel depends on:
ii  libc6        2.3.2.ds1-20  GNU C Library: Shared libraries an
ii  libnewt0.51  0.51.6-20     Not Erik's Windowing Toolkit - tex

-- no debconf information

--- zaptel-1.0.7/debian/patches/Makefile.dpatch 2005-04-22 07:26:26.0 +1200 +++ zaptel-1.0.7-mine/debian/patches/Makefile.dpatch2005-04-22 07:25:02.0 +1200 @@ -27,7 +27,7 @@ CFLAGS+=-I. -O4 -g -Wall -DBUILDING_TONEZONE #-DTONEZONE_DRIVER -CFLAGS+=$(shell if uname -m | grep -q ppc; then echo "-fsigned-char"; fi) -CFLAGS+=$(shell if uname -m | grep -q x86_64; then echo "-m64"; fi) -+CFLAGS+=$(shell if echo $(UNAME_M) | grep -q ppc\|powerpc\|arm\|s390; then echo "-fsigned-char"; fi) ++CFLAGS+=$(shell if echo $(UNAME_M) | grep -q "ppc\|powerpc\|arm\|s390"; then echo "-fsigned-char"; fi) +CFLAGS+=$(shell if echo $(UNAME_M) | grep -q x86_64; then echo "-m64"; fi) LCFLAGS=-fPIC $(CFLAGS) -DBUILDING_TONEZONE -KFLAGS+=-I/usr/src/linux-2.4/include -O6
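Review bot: $(UNAME_M) feeds both the -fsigned-char and the -m64 test but is not defined anywhere in the visible hunk; if it is not set earlier in the patched Makefile, echo prints an empty line, neither grep matches, and both flags are silently dropped again, which is the failure this report is about. Please include or point to the definition in the same dpatch, and consider grep -E -q "ppc|powerpc|arm|s390" so the alternation does not rely on "\|".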
Bug#302847: zaptel command ztcfg freezes on Debian PowerPC causing boot failure.
Package: zaptel Version: 1:1.0.7-1 Severity: critical Tags: patch Justification: breaks the whole system When ztcfg executes due to zaptel module load during hotplug initialisation, ztcfg does not exit causing boot process to stop. Ctrl-C on console will not recover condition. Machine must be power cycled. This is specific to Debian PPC architecture. Problem due to missing "-fsigned-char" to gcc when binaries are compiled. This is due to a typo in the grep executed in the Debian patch to the zaptel Makefile. Patch is included. Matthew Grant --- zaptel-1.0.7/debian/patches/Makefile.dpatch 2005-04-03 22:13:06.0 +1200 +++ zaptel-1.0.7/debian/patches/Makefile.dpatch.orig2005-04-03 22:13:24.0 +1200 @@ -27,7 +27,7 @@ CFLAGS+=-I. -O4 -g -Wall -DBUILDING_TONEZONE #-DTONEZONE_DRIVER -CFLAGS+=$(shell if uname -m | grep -q ppc; then echo "-fsigned-char"; fi) -CFLAGS+=$(shell if uname -m | grep -q x86_64; then echo "-m64"; fi) -+CFLAGS+=$(shell if echo $(UNAME_M) | egrep -q "ppc|powerpc"; then echo "-fsigned-char"; fi) ++CFLAGS+=$(shell if echo $(UNAME_M) | grep -q ppc; then echo "-fsigned-char"; fi) +CFLAGS+=$(shell if echo $(UNAME_M) | grep -q x86_64; then echo "-m64"; fi) LCFLAGS=-fPIC $(CFLAGS) -DBUILDING_TONEZONE -KFLAGS+=-I/usr/src/linux-2.4/include -O6 -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (990, 'testing'), (500, 'unstable') Architecture: powerpc (ppc) Kernel: Linux 2.6.11-pmac-2.6 Locale: LANG=en_NZ, LC_CTYPE=en_NZ (charmap=ISO-8859-1) Versions of packages zaptel depends on: ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an ii libnewt0.51 0.51.6-20Not Erik's Windowing Toolkit - tex -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
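Review bot: the file headers run from Makefile.dpatch to Makefile.dpatch.orig, so the diff looks generated with its arguments swapped: as written, applying it removes the egrep -q "ppc|powerpc" line and adds the grep -q ppc line. Regenerate it with the original file first so that the direction of the fix is unambiguous, and say in the report which of the two lines is the intended result.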
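The quoting failure behind the three PowerPC reports above (asterisk #305734, zaptel #305731 and #302847), as an added shell example that is not part of the original messages or of either package. The function names and machine strings are constructed for the illustration, and grep -E stands in for the egrep used in #302847.

```shell
#!/bin/sh
# Added illustration, not code from asterisk, zaptel or the Debian packaging.
# Function names and the sample machine strings are constructed.
# make hands the text inside $(shell ...) to /bin/sh, so the quoting rules
# shown here are the ones that applied to the Makefile lines in the reports.

# The test as written in the faulty dpatch line. The shell removes each
# backslash before grep starts, so grep receives the basic regular expression
#   ppc|arm|s390|s390x
# in which '|' is an ordinary character, not alternation.
flag_unquoted() {
    if echo "$1" | grep -q ppc\|arm\|s390\|s390x; then echo "-fsigned-char"; fi
}

# The test as written in the corrected line. Inside double quotes the shell
# leaves "\|" alone, and grep treats it as alternation in a basic regex.
flag_quoted() {
    if echo "$1" | grep -q "ppc\|arm\|s390\|s390x"; then echo "-fsigned-char"; fi
}

# Extended-regex form of the test: a bare '|' is alternation here, so the
# pattern only needs ordinary quoting.
flag_ere() {
    if echo "$1" | grep -E -q "ppc|powerpc"; then echo "-fsigned-char"; fi
}

# Print what each variant emits for a set of constructed `uname -m` values.
# The last value is the only input the unquoted pattern can ever match.
report() {
    printf '%-20s %-15s %-15s %s\n' machine unquoted quoted ere
    for m in ppc ppc64 powerpc armv5tel s390x x86_64 'ppc|arm|s390|s390x'; do
        u=$(flag_unquoted "$m")
        q=$(flag_quoted "$m")
        e=$(flag_ere "$m")
        printf '%-20s %-15s %-15s %s\n' "$m" "${u:-(none)}" "${q:-(none)}" "${e:-(none)}"
    done
}

report
```

On a ppc machine the unquoted variant emits nothing, so the objects are built without -fsigned-char and no error is reported at build time.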
Bug#296209: gnome-icon-theme: New postinst script - gtk-update-icon-cache problems, results in 'blank' icons!
Package: gnome-icon-theme
Version: 2.8.0-2
Severity: grave
Justification: renders package unusable

Upgrading from 2.8.0-1 results in all the icons in Nautilus turning to the default 'blank page' icon, most of the icons in Evolution for email and folders turn into red X crosses, and the show desktop icon in the panel going to a red X cross as well.

Going back to the 2.8.0-1 version of the package fixed the problem for me.

Please fix this! This bug is a major usability issue as it is not easy to tell if an email has an attachment, or whether a file is a directory or data! Very off-putting to any Gnome user.

Is this a Powerpc only problem? I don't think it is though

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.10-pmac-2.6
Locale: LANG=en_NZ, LC_CTYPE=en_NZ (charmap=ISO-8859-1)

Versions of packages gnome-icon-theme depends on:
ii  hicolor-icon-theme  0.7-1  default fallback theme for FreeDes

-- no debconf information
Bug#292732: racoon leaks memory like a sieve - 100MB in a week!
Package: racoon
Version: 0.3.3-5
Severity: normal

racoon leaked so much memory that after about a week or so the machine it was running on could not be logged into.

This can only probably be fixed by going to the 0.4.x version of racoon.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.10-pmac-2.6
Locale: LANG=en_NZ, LC_CTYPE=en_NZ (charmap=ISO-8859-1)

Versions of packages racoon depends on:
ii  debconf      1.4.42        Debian configuration management sy
ii  ipsec-tools  0.3.3-5       IPsec tools for Linux
ii  libc6        2.3.2.ds1-20  GNU C Library: Shared libraries an

-- debconf information:
* racoon/config_mode: racoon-tool