Bug#685550: Please update nsd3 to upstream 3.2.13 - fixes VU#517036 CVE-2012-2979 and segfault

2012-08-21 Thread Jeroen Massar
On 2012-08-22 00:50, Ondřej Surý wrote:
> Debian didn't enable bind9 stats so it's not vulnerable.

There are people who build from the source package and who might enable
this, from that perspective it would be good to upgrade to it.

And there are also other fixes in that version; note the segfault fix
for when a zone is gone from nsd.conf.

As such, it would be really nice to have a new version.

Greets,
 Jeroen


--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Processed: src:fex: GPL + additional restrictions

2012-08-21 Thread Debian Bug Tracking System
Processing control commands:

> found -1 20100208+debian1-1+squeeze3
Bug #685585 [src:fex] src:fex: GPL + additional restrictions
Marked as found in versions fex/20100208+debian1-1+squeeze3.

-- 
685585: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685585
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#685585: src:fex: GPL + additional restrictions

2012-08-21 Thread Ansgar Burchardt
Source: fex
Version: 20120215-3
Control: found -1 20100208+debian1-1+squeeze3
Severity: serious

Philipp Kern  writes:
> On Sat, Aug 18, 2012 at 09:13:42PM +0100, Adam D. Barratt wrote:
>> + YOU ARE NOT ALLOWED TO USE THIS SOFTWARE FOR MILITARY PURPOSES OR WITHIN
>> + MILITARY ORGANIZATIONS! THIS INCLUDES ALSO MILITARY RESEARCH AND
>> + EDUCATION!
>> That doesn't really seem like something Debian can really meet or
>> enforce...
>
> Hereby bringing this to the attention of the ftp-masters. fex is in main
> but includes that clause on top of AGPL-3.
>
> Which probably means for one that it's no longer compatible with GPL code,
> which might or might not be relevant, and, more severely, it's not compatible
> with the DFSG.

That clause is an additional restriction to the GPL and makes fex
undistributable by Debian (not even in non-free).

Ansgar





Bug#685584: xml-light: CVE-2012-3514

2012-08-21 Thread Moritz Muehlenhoff
Package: xml-light
Severity: grave
Tags: security
Justification: user security hole

This was posted to oss-security:

--
Xml-Light has been moved to google code SVN here :
http://ocamllibs.googlecode.com/svn/trunk/xml-light/

I've applied a fix in r234 by using String Map instead of Hashtbl for
DTD proof.

Best,
Nicolas

Please use CVE-2012-3514 for this issue.
--

Cheers,
Moritz





Bug#685581: inn: CVE-2012-3523 prone to STARTTLS plaintext command injection

2012-08-21 Thread Henri Salo
Package: inn
Version: 1.7.2q-41
Severity: grave

From oss-security mailing list:

the STARTTLS implementation in INN's NNTP server for readers,
nnrpd, before 2.5.3 does not properly restrict I/O buffering,
which allows man-in-the-middle attackers to insert commands
into encrypted sessions by sending a cleartext command that
is processed after TLS is in place, related to a "plaintext
command injection" attack, a similar issue to CVE-2011-0411.

References:
[1] https://www.isc.org/software/inn/2.5.3article
[2] https://bugs.gentoo.org/show_bug.cgi?id=432002
[3] https://bugzilla.redhat.com/show_bug.cgi?id=850478

Relevant upstream patch
(the 'diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c' part):
[4] ftp://ftp.isc.org/isc/inn/inn-2.5.2-2.5.3.diff.gz

http://www.openwall.com/lists/oss-security/2012/08/21/8
http://www.openwall.com/lists/oss-security/2012/08/21/12

- Henri Salo
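
The buffering flaw described in the advisory text above, as an added example that is not part of the original report and is not INN code: a constructed line reader processes one cleartext segment with and without discarding its input buffer at the STARTTLS boundary. The names `struct conn`, `feed`, `next_line`, `serve` and `run_session` are hypothetical, and dropping the buffer is shown as one common mitigation, not as the content of the upstream patch.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 256

/* Constructed model of a line-oriented server connection (not INN code). */
struct conn {
    char   buf[BUFSZ];     /* bytes received but not yet parsed */
    size_t len;            /* number of valid bytes in buf */
    int    tls_active;     /* 1 once the (simulated) handshake is done */
    int    ran_plain;      /* commands executed before TLS */
    int    ran_after_tls;  /* commands executed with TLS marked active */
};

/* Simulates one read() from the socket appending a segment to the buffer. */
static void feed(struct conn *c, const char *seg)
{
    size_t n = strlen(seg);
    if (n > BUFSZ - c->len)
        n = BUFSZ - c->len;            /* never overrun the buffer */
    memcpy(c->buf + c->len, seg, n);
    c->len += n;
}

/* Pops one CRLF-terminated line into line[]; returns 1 if one was ready. */
static int next_line(struct conn *c, char *line, size_t cap)
{
    size_t i;
    for (i = 0; i + 1 < c->len; i++) {
        if (c->buf[i] == '\r' && c->buf[i + 1] == '\n') {
            size_t n = i < cap - 1 ? i : cap - 1;
            memcpy(line, c->buf, n);
            line[n] = '\0';
            memmove(c->buf, c->buf + i + 2, c->len - (i + 2));
            c->len -= i + 2;
            return 1;
        }
    }
    return 0;
}

/* Executes every buffered command. With flush_on_starttls set, bytes that
 * were already buffered when STARTTLS is seen are discarded, because they
 * arrived in cleartext and cannot belong to the encrypted session.
 * (Command matching is case-sensitive here to keep the model short.) */
static void serve(struct conn *c, int flush_on_starttls)
{
    char line[BUFSZ];
    while (next_line(c, line, sizeof line)) {
        if (strcmp(line, "STARTTLS") == 0 && !c->tls_active) {
            /* A real server replies and runs the TLS handshake here. */
            if (flush_on_starttls)
                c->len = 0;
            c->tls_active = 1;
            continue;
        }
        if (c->tls_active)
            c->ran_after_tls++;   /* treated as if it came over TLS */
        else
            c->ran_plain++;
    }
}

/* Constructed input: all three lines arrive in cleartext in one segment,
 * before any handshake, so nothing after STARTTLS should be executed. */
static struct conn run_session(int flush_on_starttls)
{
    struct conn c;
    memset(&c, 0, sizeof c);
    feed(&c, "CAPABILITIES\r\nSTARTTLS\r\nDATE\r\n");
    serve(&c, flush_on_starttls);
    return c;
}

int main(void)
{
    printf("no flush: %d cleartext command(s) ran as if TLS-protected\n",
           run_session(0).ran_after_tls);
    printf("flush:    %d cleartext command(s) ran as if TLS-protected\n",
           run_session(1).ran_after_tls);
    return 0;
}
```

A server-side regression test for this class of bug sends the upgrade command and a second command in the same segment and checks that the second one is never answered.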





Bug#685551: marked as done (ntfs-3g: returns incorect type for junction points in readdir())

2012-08-21 Thread Debian Bug Tracking System
Your message dated Wed, 22 Aug 2012 05:17:44 +
with message-id 
and subject line Bug#685551: fixed in ntfs-3g 1:2012.1.15AR.6-1
has caused the Debian Bug report #685551,
regarding ntfs-3g: returns incorect type for junction points in readdir()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
685551: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685551
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ntfs-3g
Version: 1:2012.1.15AR.5-4
Severity: serious
Tags: patch upstream
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

*** /tmp/tmpkpCNMv/bug_body

In Ubuntu, the attached patch was applied to achieve the following:

  * ntfs-3g-junction-point-fix.patch: Return the correct type (DT_LINK) for
NTFS Junction points, in readdir(). (LP: #997391)

A bug was recently fixed in upstream ntfs-3g, where baobab (The GNOME
disk usage visualisation tool) will loop infinitely when scanning a
Windows 7 partition.

http://tuxera.com/forum/viewtopic.php?f=2&t=29578
https://bugzilla.redhat.com/show_bug.cgi?id=849332

Thanks for considering the patch.

SR

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 
'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_ZA.UTF-8, LC_CTYPE=en_ZA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Description: Return d_type = DT_LNK for NTFS Junction points in readdir()
 readdir() was returning DT_DIR while stat() was returning S_IFLNK.
 This caused baobab to infinitely loop.
Author: Jean-Pierre Andre
Origin: upstream, http://tuxera.com/forum/viewtopic.php?f=2&t=29578
Bug-Ubuntu: https://launchpad.net/bugs/997391
Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=849332
Last-Update: 2012-08-21

--- a/libntfs-3g/dir.c
+++ b/libntfs-3g/dir.c
@@ -867,6 +867,83 @@
 	INDEX_TYPE_ALLOCATION,	/* index allocation */
 } INDEX_TYPE;
 
+/*
+ *		Decode Interix file types
+ *
+ *	Non-Interix types are returned as plain files, because a
+ *	Windows user may force patterns very similar to Interix.
+ */
+
+static u32 ntfs_interix_types(ntfs_inode *ni)
+{
+	ntfs_attr *na;
+	u32 dt_type;
+	le64 magic;
+
+	dt_type = NTFS_DT_UNKNOWN;
+	na = ntfs_attr_open(ni, AT_DATA, NULL, 0);
+	if (na) {
+		/* Unrecognized patterns (eg HID + SYST) are plain files */
+		dt_type = NTFS_DT_REG;
+		if (na->data_size <= 1) {
+			if (!(ni->flags & FILE_ATTR_HIDDEN))
+dt_type = (na->data_size ?
+		NTFS_DT_SOCK : NTFS_DT_FIFO);
+		} else {
+			if ((na->data_size >= (s64)sizeof(magic))
+			&& (ntfs_attr_pread(na, 0, sizeof(magic), &magic)
+== sizeof(magic))) {
+if (magic == INTX_SYMBOLIC_LINK)
+	dt_type = NTFS_DT_LNK;
+else if (magic == INTX_BLOCK_DEVICE)
+	dt_type = NTFS_DT_BLK;
+else if (magic == INTX_CHARACTER_DEVICE)
+	dt_type = NTFS_DT_CHR;
+			}
+		}
+		ntfs_attr_close(na);
+	}
+	return (dt_type);
+}
+
+/*
+ *		Decode file types
+ *
+ *	Better only use for Interix types and junctions,
+ *	unneeded complexity when used for plain files or directories
+ *
+ *	Error cases are logged and returned as unknown.
+ */
+
+static u32 ntfs_dir_entry_type(ntfs_inode *dir_ni, MFT_REF mref, FILE_ATTR_FLAGS attributes)
+{
+	ntfs_inode *ni;
+	u32 dt_type;
+
+	dt_type = NTFS_DT_UNKNOWN;
+	ni = ntfs_inode_open(dir_ni->vol, mref);
+	if (ni) {
+		if ((attributes & FILE_ATTR_REPARSE_POINT)
+		&& ntfs_possible_symlink(ni))
+			dt_type = NTFS_DT_LNK;
+		else
+			if ((attributes & FILE_ATTR_SYSTEM)
+			   && !(attributes & FILE_ATTR_I30_INDEX_PRESENT))
+dt_type = ntfs_interix_types(ni);
+			else
+dt_type = (attributes
+		& FILE_ATTR_I30_INDEX_PRESENT
+	? NTFS_DT_DIR : NTFS_DT_REG);
+		if (ntfs_inode_close(ni)) {
+ /* anything special to do ? */
+		}
+	}
+	if (dt_type == NTFS_DT_UNKNOWN)
+		ntfs_log_error("Could not decode the type of inode %lld\n",
+(long long)MREF(mref));
+	return (dt_type);
+}
+
 /**
  * ntfs_filldir - ntfs specific filldir method
  * @dir_ni:	ntfs inode of current directory
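Review bot: In ntfs_interix_types(), a failed or short ntfs_attr_pread() leaves dt_type at NTFS_DT_REG, so a read error is reported as a plain file, while the comment above ntfs_dir_entry_type() says error cases are logged and returned as unknown. Consider resetting dt_type to NTFS_DT_UNKNOWN when the read does not return sizeof(magic), so the ntfs_log_error() path in the caller is reached. The empty `if (ntfs_inode_close(ni))` branch also drops a close failure silently; logging it there would match the stated intent.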
@@ -901,19 +978,23 @@
 dir_ni->vol->mft_record_size;
 	else /* if (index_type == INDEX_TYPE_ROOT) */
 		*pos = (u8*)ie - (u8*)iu.ir;
+	mref = le64_to_cpu(ie->indexed_file);
+metadata = (MREF(mref) != FILE_root) && (MREF(mref) < FILE_first_user);
 	/* Skip root directory self reference entry. */
 	if (MREF_LE(ie->indexed_file) == FILE_root)
 		return 0;
-	if (ie->key.file_name.file_attributes & FILE_ATTR_I30_INDEX_PRESENT)
+
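Review bot: The new `mref = le64_to_cpu(ie->indexed_file)` sits directly above a root check that still decodes the same field a second time with `MREF_LE(ie->indexed_file) == FILE_root`; using `MREF(mref) == FILE_root` there would keep a single decoding of the reference. `metadata` is also assigned before that early `return 0`, so it is computed for the root self-reference entry where it cannot be used; moving the assignment below the return makes the ordering clearer. The declarations of `mref` and `metadata` are not visible in this hunk and should be checked in the full patch.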

Bug#682627: marked as done (ddd: FTBFS: configure hangs for 60 minutes)

2012-08-21 Thread Debian Bug Tracking System
Your message dated Wed, 22 Aug 2012 03:02:37 +
with message-id 
and subject line Bug#682627: fixed in ddd 1:3.3.12-4
has caused the Debian Bug report #682627,
regarding ddd: FTBFS: configure hangs for 60 minutes
to be marked as done.



-- 
682627: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682627
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ddd
Version: 1:3.3.12-3
Severity: serious
Tags: wheezy sid
User: debian...@lists.debian.org
Usertags: qa-ftbfs-20120724 qa-ftbfs
Justification: FTBFS on amd64

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64.

Relevant part:
>  debian/rules build
> debian/rules:14: warning: overriding commands for target 
> `debian/stamp-autotools-files'
> /usr/share/cdbs/1/class/autotools-files.mk:51: warning: ignoring old commands 
> for target `debian/stamp-autotools-files'
> test -x debian/rules
> mkdir -p "builddir"
> if test -e /usr/share/misc/config.guess ; then \
>   for i in ./config.guess ; do \
>   if ! test -e $i.cdbs-orig ; then \
>   mv $i $i.cdbs-orig ; \
>   cp --remove-destination 
> /usr/share/misc/config.guess $i ; \
>   fi ; \
>   done ; \
>   fi
> if test -e /usr/share/misc/config.sub ; then \
>   for i in ./config.sub ; do \
>   if ! test -e $i.cdbs-orig ; then \
>   mv $i $i.cdbs-orig ; \
>   cp --remove-destination 
> /usr/share/misc/config.sub $i ; \
>   fi ; \
>   done ; \
>   fi
> autoreconf -vfi
> autoreconf: Entering directory `.'
> autoreconf: configure.ac: not using Gettext
> autoreconf: running: aclocal --force 
> autoreconf: configure.ac: tracing
> autoreconf: running: libtoolize --copy --force
> libtoolize: putting auxiliary files in `.'.
> libtoolize: copying file `./ltmain.sh'
> libtoolize: Consider adding `AC_CONFIG_MACRO_DIR([m4])' to configure.ac and
> libtoolize: rerunning libtoolize, to keep the correct libtool macros in-tree.
> libtoolize: Consider adding `-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
> autoreconf: running: /usr/bin/autoconf --force
> autoreconf: running: /usr/bin/autoheader --force
> autoreconf: running: automake --add-missing --copy --force-missing
> configure.ac:59: installing `./install-sh'
> configure.ac:59: installing `./missing'
> ddd/Makefile.am: installing `./depcomp'
> autoreconf: Leaving directory `.'
> touch debian/stamp-autotools-files
> chmod a+x /«PKGBUILDDIR»/./configure
> mkdir -p builddir
> cd builddir &&   CFLAGS="-g -O2 -fstack-protector --param=ssp-buffer-size=4 
> -Wformat -Werror=format-security -Wall -W -DNDEBUG" CXXFLAGS="-g -O2 
> -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security 
> -Wall -W -DNDEBUG" CPPFLAGS="-D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,relro 
> -Wl,--as-needed" RSH=rsh LPR=lpr XTERM=xterm XFONTSEL=xfontsel GCORE=gcore 
> ice_cv_find_xp=no ac_cv_lib_Xp_XpSelectInput=no /«PKGBUILDDIR»/./configure 
> --build=x86_64-linux-gnu  --prefix=/usr --includedir="\${prefix}/include" 
> --mandir="\${prefix}/share/man" --infodir="\${prefix}/share/info" 
> --sysconfdir=/etc --localstatedir=/var --libexecdir="\${prefix}/lib/ddd"  
> --disable-maintainer-mode --disable-dependency-tracking 
> --disable-silent-rules   --with-readline-libraries 
> --disable-builtin-app-defaults --disable-builtin-manual 
> --disable-builtin-news --disable-builtin-license --with-userinfo="Daniel 
> Schepler " 
> configure: WARNING: unrecognized options: --disable-maintainer-mode, 
> --disable-silent-rules
> checking for product name... ddd 3.3.12 "Dale Head"
> checking for expiration date... no
> checking build system type... x86_64-pc-linux-gnu
> checking host system type... x86_64-pc-linux-gnu
> checking target system type... x86_64-pc-linux-gnu
> checking for a BSD-compatible install... /usr/bin/install -c
> checking whether build environment is sane... yes
> checking for a thread-safe mkdir -p... /bin/mkdir -p
> checking for gawk... no
> checking for mawk... mawk
> checking whether make sets $(MAKE)... yes
> checking whether make sets $(MAKE)... (cached) yes
> checking for g77... no
> checking for fort77... no
> checking for f77... no
> checking for f2c... no
> checking whether ln -s works... yes
> checking for sh... /bin/sh
> checking for gtar... no
> checking for tar... tar
> checking for gm4... no
> checking for m4... m4
> checking for gsed... no
> checking for 

Bug#684748: Arduino Ethernet library fix, needs testing

2012-08-21 Thread Scott Howard
On Sat, Aug 18, 2012 at 7:29 AM, Scott Howard  wrote:
> On Sat, Aug 18, 2012 at 3:32 AM, Marco Righi  wrote:
>> do you ask about this?
>>
>> Command 36 of 1 $avr-gcc --verbose
>> Using built-in specs.
>> COLLECT_GCC=avr-gcc
>> COLLECT_LTO_WRAPPER=/usr/lib/gcc/avr/4.7.0/lto-wrapper
>> Target: avr
>> Configured with: ../src/configure -v --enable-languages=c,c++
>> --prefix=/usr/lib --infodir=/usr/share/info --mandir=/usr/share/man
>> --bindir=/usr/bin --libexecdir=/usr/lib --libdir=/usr/lib --enable-shared
>> --with-system-zlib --enable-long-long --enable-nls
>> --without-included-gettext --disable-libssp --build=x86_64-linux-gnu
>> --host=x86_64-linux-gnu --target=avr
>> Thread model: single
>> gcc version 4.7.0 (GCC)
>
> thanks, helps a lot (looks right...) - i'll keep looking at it

Sorry to bug you again, but could you try the Ethernet.cpp file you
sent me in a 32 bit VM (or machine if you have one)? I think it may be
a bug in the 64 bit ld.

Also, can you post the output of "$ avr-ld --version" ?

Cheers,
Scott





Bug#656762: Set the debug property on the fail whale so it can be moved with the mouse to a corner

2012-08-21 Thread Carlos Alberto Lopez Perez
Hi!


When I was using gnome3 some months ago this bug annoyed me more than a
couple of times, I was able to work-around it by making the annoying
whale window to be a normal desktop window, so when it pop-ups you can
move it to a corner with the mouse and save your data before logging out.

To make the whale be a movable desktop window you just have to set the
debug property.

Here is the patch that I applied to achieve this:


$ cat gnome-session-3.2.1/debian/patches/make-whale-be-debug.patch
--- a/gnome-session/gsm-manager.c
+++ b/gnome-session/gsm-manager.c
@@ -286,7 +286,7 @@
 allow_logout = !_log_out_is_locked_down (manager);
 }

-gsm_fail_whale_dialog_we_failed (FALSE,
+gsm_fail_whale_dialog_we_failed (TRUE,
  allow_logout,
  want_extensions_ui);
 }
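Review bot: The first argument of gsm_fail_whale_dialog_we_failed() is now hard-coded to TRUE, which, per the description above, puts the fail whale dialog in debug mode for every session failure on every install. If this is meant to be more than a local workaround, derive the value from a runtime switch such as an environment variable or setting, keep FALSE as the default, and add a comment stating what the flag changes about the window.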





Bug#674089: Possible release note for systems running PHP through CGI.

2012-08-21 Thread Christoph Anton Mitterer
On Tue, 2012-08-21 at 09:07 +0200, Ondřej Surý wrote:
> > Maybe add just a small paragraph that the configuration of the
> > extensions has changed and php users should read the NEWS file?
> 
> That's probably sensible approach.  I have quickly drafted short
> paragraph which can be used for release notes:
Sounds good...

> which have .php, .php[345] and .phtml extensions on a most right
> place 
May I suggest to add "for security reasons" in the end?
I guess we all agreed that deliberately using "foo.php.jpeg" is in most
cases dangerous and bad style, too,... so why not teach our users a
bit?! :-)


On Tue, 2012-08-21 at 09:48 +0200, Ondřej Surý wrote:
> Nope I mean that the extension should be last.
Perhaps use the phrase "rightmost extension", or "trailing extension"?
Or even give a short example?


Cheers,
Chris.




Bug#672959: [patch] Bug#672959: kfreebsd-*: panic: vm_fault_copy_wired

2012-08-21 Thread Steven Chamberlain
Hi!

On 21/08/12 22:43, Roger Leigh wrote:
> I've put a test package here:
>   http://people.debian.org/~rleigh/sysvinit/sysvinit_2.88dsf-33.dsc
> 
> I'd be grateful if anyone could build this [...]

That works okay, even with a genuinely dirty rootfs where fsck carries
out a repair.  I'm using kfreebsd-i386 as well.

Thanks!
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org





Bug#679409: lightdm: Fails to start on boot, invoke-rc.d lightdm start fails

2012-08-21 Thread Steve Langasek
On Tue, Aug 21, 2012 at 10:28:07PM +0100, Roger Leigh wrote:
> On Sun, Aug 19, 2012 at 12:53:21PM -0700, Steve Langasek wrote:
> > On Sun, Aug 12, 2012 at 09:48:02AM +0100, Roger Leigh wrote:
> > > On Sun, Aug 12, 2012 at 03:37:52PM +1000, James Tocknell wrote:

> > > I've patched startpar to special-case lightdm as for gdm/kdm, but this
> > > doesn't appear to have any effect here (but is probably generally a good
> > > thing to have).

> > The change that was committed has nothing at all to do with this bug, and to
> > me it looks like an unnecessary divergence from startpar upstream; so I've
> > reverted those changes from the git repo.  IMHO it's not something that's
> > worth carrying a delta from upstream over.  But feel free to reinstate if
> > you disagree.

> My thinking here was that if startpar is special casing the priorities
> of display managers, shouldn't it be behaving the same for all the
> common ones?  That said, I am not certain /why/ it's special casing
> them in the first place; certainly lightdm appears to function
> perfectly well without the patch.  I don't have strong feelings either
> way here--personally I'd prefer them all removed if this is solely to
> hack in something better expressed through dependencies.

It's not a dependency at all, only a priority.  Startpar *may* start
everything in parallel, or it may rate limit the number of services starting
simultaneously; and in either event the priority says that the DM should be
started first before any other services that are ready to start, because
it's the most important thing to get up and going (if present).

So yes, it makes sense for these to be consistent; my point is only that
this is such a minor thing that it's not important enough to warrant
carrying a delta from upstream, and it's better to just get it upstreamed
first.  But I also don't have strong feelings.

> > BTW, Roger, could you please run 'echo DEBCHANGE_RELEASE_HEURISTIC=changelog
> > >> ~/.devscripts' on your development machine?  This is the only sensible
> > behavior to use with dch in a shared VCS; it's very frustrating to have to
> > check the archive or look at git tags each time to figure out whether the
> > changes I'm looking at on trunk are uploaded or not...

> I've done this, but isn't it the documented default behaviour?

A recent change, first landed in unstable in May.  Assuming your changelog
entries are created using dch, it appears you probably weren't running that
version. :)

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Bug#685550: Please update nsd3 to upstream 3.2.13 - fixes VU#517036 CVE-2012-2979 and segfault

2012-08-21 Thread Ondřej Surý
Debian didn't enable bind9 stats so it's not vulnerable.

Ondřej Surý

On 21. 8. 2012, at 22:40, Jeroen Massar  wrote:

> Package: nsd3
> Severity: critical
> 
> 3.2.13 is out for a month already, might be nice to get an updated
> package...
> 
> Greets,
> Jeroen
> 
> --
> 
> https://www.nlnetlabs.nl/projects/nsd/
> {{{
> 
> NSD 3.2.13
> Jul 27, 2012
> Bugfixes
> Bugfix #461 (VU#517036 CVE-2012-2979): NSD denial of service
> vulnerability from DNS packet when using --enable-zone-stats.
> Bugfix #460: man page correction - identity.
> Fix for nsd-patch segfault if zone has been removed from nsd.conf
> (thanks Ilya Bakulin)
> 
> NSD 3.2.12
> Jul 19, 2012
> Bugfixes
> Fix for VU#624931 CVE-2012-2978: NSD denial of service vulnerability
> from non-standard DNS packet from any host on the internet.
> 
> NSD 3.2.11
> Jul 9, 2012
> Features
> Fallback to AXFR if IXFR is unknown at the primary. NSD considers IXFR
> unknown at the primary if there is a negative response for the IXFR
> RRtype. This does not override the value for 'allow-axfr-fallback'.
> Allow for reading in new DNSKEY algorithm mnemonics (RFC5155, RFC5702,
> RFC5933, and RFC6605 (ECDSA)).
> Zone statistics, enable with --enable-zone-stats. This stores the BIND8
> stats per zone in a configurable statistics file. This option does not
> scale and should therefore not be enabled when serving many zones.
> Support for TLSA RRtype (DANE).
> Bugfixes
> Fix for qtype ANY for a wildcard domain in NSEC signed zone: Don't add
> the wildcard domain NSEC into the answer section. Instead, put the
> wildcard expanded NSEC into the answer section and keep the wildcard
> domain NSEC in the authority section.
> Fix for accept spinning reported by OpenBSD.
> Fix restart failed due to bad ixfr packet because of zone removed from
> nsd.conf.
> Bugfix #453: typo in nsdc man page.
> }}}





Processed: Re: Bug#685323: Non-persistent XSS vulnerability in contrib script

2012-08-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> close 685323 1.0.8.4-1
Bug #685323 [php-geshi] Non-persistent XSS vulnerability in contrib script
Marked as fixed in versions geshi/1.0.8.4-1.
Bug #685323 [php-geshi] Non-persistent XSS vulnerability in contrib script
Marked Bug as done
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
685323: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685323
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#672959: [patch] Bug#672959: kfreebsd-*: panic: vm_fault_copy_wired

2012-08-21 Thread Axel Beckert
Hi Roger,

Roger Leigh wrote:
> I've put a test package here:
>   http://people.debian.org/~rleigh/sysvinit/sysvinit_2.88dsf-33.dsc
> 
> I'd be grateful if anyone could build this and double-check that this
> is correct, and fixes the bug.  I'll upload this as soon as that's
> done.

Works for me on kfreebsd-i386 after a "touch /forcefsck". No more
crash.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-|  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5





Processed: Re: Bug#685324: Local File Inclusion Vulnerability in contrib script

2012-08-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 685324 = security upstream patch
Bug #685324 [php-geshi] Local File Inclusion Vulnerability in contrib script
Added tag(s) patch; removed tag(s) unreproducible and moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
685324: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685324
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed (with 1 errors): Re: Bug#685323: Non-persistent XSS vulnerability in contrib script

2012-08-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 685323 = unreproducible upstream security
Bug #685323 [php-geshi] Non-persistent XSS vulnerability in contrib script
Removed tag(s) moreinfo.
> notfound 685323 geshi/1.0.8.4-1
Bug #685323 [php-geshi] Non-persistent XSS vulnerability in contrib script
No longer marked as found in versions geshi/1.0.8.4-1.
> close 685323 geshi/1.0.8.4-1
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
685323: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685323
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#685323: Non-persistent XSS vulnerability in contrib script

2012-08-21 Thread Steven Chamberlain
tags 685323 = unreproducible upstream security
notfound 685323 geshi/1.0.8.4-1
close 685323 geshi/1.0.8.4-1
thanks

Bug supposedly affected langwiz.php where a leftover var_dump($_GET)
could pose an XSS risk if deployed on a public-facing webserver. [1]

That file does not exist in the source version of php-geshi packaged by
Debian.  It was formerly known as langcheck.php, which is shipped by
php-geshi 1.0.8.4-1 in doc/examples/, but the vulnerability was not
introduced until later.

[1]
http://geshi.svn.sourceforge.net/viewvc/geshi/trunk/geshi-1.0.X/src/contrib/langwiz.php?r1=2508&r2=2507&pathrev=2508

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org





Processed: found 681963 in 2.0.5-1, affects 685060, affects 685468

2012-08-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 681963 2.0.5-1
Bug #681963 [munin-node] munin-node: removes directories that were installed by 
another package: /etc/munin/plugin-conf.d/, /var/lib/munin/plugin-state/
Marked as found in versions 2.0.5-1/.
> affects 685060 + gfs2-tools
Bug #685060 [corosync] corosync: fails to install: postinst fails on 
update-rc.d call
Added indication that 685060 affects gfs2-tools
> affects 685468 + autofs-ldap
Bug #685468 [autofs] autofs: fails to purge - command ucf in postrm not found
Added indication that 685468 affects autofs-ldap
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
681963: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681963
685060: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685060
685468: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685468
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#684415: marked as done (Doesn't work anymore with subdirectories)

2012-08-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 Aug 2012 21:47:37 +
with message-id 
and subject line Bug#684415: fixed in bins 1.1.29-16
has caused the Debian Bug report #684415,
regarding Doesn't work anymore with subdirectories
to be marked as done.



-- 
684415: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684415
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bins
Version: 1.1.29-15
Severity: grave

Hi,

Some directories (thumbs, thumbs/Sm, thumbs/Med, etc.) are not created
anymore, causing bins to fail when one handles more than one album.

It worked well in Squeeze (ver. 1.1.29-15)

$ LANG=C bins -t /usr/share/bins dir1 album
[…]
 > 
  > dir2 > 
Image IMG_1882.JPG
Exception 435: unable to open image
`/tmp/album/dir2/thumbs/IMG_1882_pre.jpg': No such file or directory
@ error/blob.c/OpenBlob/2638 at /usr/bin/bins line 3626.
jpegtran: can't open /tmp/album/dir2/thumbs/IMG_1882_pre.jpg for
reading
Exception 435: unable to open image
`/tmp/album/dir2/thumbs/Sm/IMG_1882_Sm.jpg': No such file or
directory @ error/blob.c/OpenBlob/2638 at /usr/bin/bins line 3626.
jpegtran: can't open /tmp/album/dir2/thumbs/Sm/IMG_1882_Sm.jpg for
reading
Exception 435: unable to open image
`/tmp/album/dir2/thumbs/Med/IMG_1882_Med.jpg': No such file or
directory @ error/blob.c/OpenBlob/2638 at /usr/bin/bins line 3626.
jpegtran: can't open /tmp/album/dir2/thumbs/Med/IMG_1882_Med.jpg for
reading
cp: cannot create regular file
`/tmp/album/dir2/thumbs/Lg/IMG_1882_Lg.jpg': No such file or
directory

Cannot copy /tmp/dir1/dir2/IMG_1882.JPG to
/tmp/album/dir2/thumbs/Lg/IMG_1882_Lg.jpg: 256 at /usr/bin/bins line
3585.

Regards

David

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bins depends on:
ii  libhtml-clean-perl            0.8-11
ii  libhtml-parser-perl           3.69-2
ii  libhtml-template-perl         2.91-1
ii  libimage-info-perl            1.28-1
ii  libimage-size-perl            3.232-1
ii  libio-string-perl             1.08-2
ii  libjpeg-progs                 8d-1
ii  liblocale-gettext-perl        1.05-7+b1
ii  libtext-iconv-perl            1.7-5
ii  libtext-unaccent-perl         1.08-1+b3
ii  libtimedate-perl              1.2000-1
ii  liburi-perl                   1.60-1
ii  libxml-grove-perl             0.46alpha-12
ii  libxml-handler-yawriter-perl  0.23-6
ii  libxml-perl                   0.08-2
ii  libxml-writer-perl            0.615-1
ii  libxml-xql-perl               0.68-6
ii  perlmagick                    8:6.7.7.10-3

bins recommends no packages.

bins suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: bins
Source-Version: 1.1.29-16

We believe that the bug you reported is fixed in the latest version of
bins, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovic Rousseau  (supplier of updated bins package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Thu, 16 Aug 2012 19:28:34 -0400
Source: bins
Binary: bins
Architecture: source all
Version: 1.1.29-16
Distribution: unstable
Urgency: low
Maintainer: Ludovic Rousseau 
Changed-By: Ludovic Rousseau 
Description: 
 bins   - Generate static HTML photo albums using XML and EXIF tags
Closes: 684412 684415
Changes: 
 bins (1.1.29-16) unstable; urgency=low
 .
   [ David Prévot ]
   * debian/patches/39_fix_local_install Fix /usr/local… path (Closes: #684412)
   * remove debian/patches/37_bins_thumbnails
 Drop the #196310 fix that breaks subdirectories (Closes: #684415)
 .
   [ Ludovic Rousseau ]
   * ACK NMU by David Prévot
Checksums-Sha1: 
 fbe202c293a3823eab6ef66b3bbe2340b1ff931d 1228 bins_1.1.29-16.dsc
 fa4d95c5db0d0239743c04

Bug#672959: [patch] Bug#672959: kfreebsd-*: panic: vm_fault_copy_wired

2012-08-21 Thread Roger Leigh
On Tue, Aug 21, 2012 at 10:47:57AM +0200, Axel Beckert wrote:
> Hi,
> 
> Petr Salinger wrote:
> > >I'm beginning to think that startpar is malfunctioning in some way
> > >(after checkroot.sh returns, but before it runs the next script).
> > 
> > Thanks to Steven for excellent hint.
> 
> Indeed. That fits perfectly with my observation that always the last
> thing I saw before the crash was the ":" from the last line of
> checkroot.sh. No trace of another init.d script being started.
> 
> > The patch below fixes it for me.
> > Please could also other people verify it.
> 
> Will do this evening. Thanks Petr!

Many thanks Petr for the patch, and everyone else for testing and
investigating.

I've put a test package here:
  http://people.debian.org/~rleigh/sysvinit/sysvinit_2.88dsf-33.dsc

I'd be grateful if anyone could build this and double-check that this
is correct, and fixes the bug.  I'll upload this as soon as that's
done.


Thanks again,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800





Bug#679409: lightdm: Fails to start on boot, invoke-rc.d lightdm start fails

2012-08-21 Thread Roger Leigh
On Sun, Aug 19, 2012 at 12:53:21PM -0700, Steve Langasek wrote:
> On Sun, Aug 12, 2012 at 09:48:02AM +0100, Roger Leigh wrote:
> > On Sun, Aug 12, 2012 at 03:37:52PM +1000, James Tocknell wrote:
> 
> > I've patched startpar to special-case lightdm as for gdm/kdm, but this
> > doesn't appear to have any effect here (but is probably generally a good
> > thing to have).
> 
> The change that was committed has nothing at all to do with this bug, and to
> me it looks like an unnecessary divergence from startpar upstream; so I've
> reverted those changes from the git repo.  IMHO it's not something that's
> worth carrying a delta from upstream over.  But feel free to reinstate if
> you disagree.

My thinking here was that if startpar is special casing the priorities
of display managers, shouldn't it be behaving the same for all the
common ones?  That said, I am not certain /why/ it's special casing
them in the first place; certainly lightdm appears to function
perfectly well without the patch.  I don't have strong feelings either
way here--personally I'd prefer them all removed if this is solely to
hack in something better expressed through dependencies.

> BTW, Roger, could you please run 'echo DEBCHANGE_RELEASE_HEURISTIC=changelog
> >> ~/.devscripts' on your development machine?  This is the only sensible
> behavior to use with dch in a shared VCS; it's very frustrating to have to
> check the archive or look at git tags each time to figure out whether the
> changes I'm looking at on trunk are uploaded or not...

I've done this, but isn't it the documented default behaviour?


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800





Bug#673676: [buildd-tools-devel] Bug#673676: sbuild-createchroot: broken due to debian-archive-keyring changes

2012-08-21 Thread Roger Leigh
On Thu, Aug 16, 2012 at 05:16:23PM +0200, Cyril Brulebois wrote:
> Roger Leigh  (04/07/2012):
> > This was fixed in 4bc2072701ddd last week, and is pending upload.
> > (Should already be tagged pending.)
> > 
> > I have a few other bugs to fix in sbuild, but should be uploading it
> > in the next week or so.
> 
> “Next month”-ly-ping?

This was done over the weekend.  Hope this addresses all the
outstanding issues.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800





Bug#671846: CVE-2011-2486

2012-08-21 Thread Moritz Muehlenhoff
On Mon, May 07, 2012 at 03:37:48PM +0200, Moritz Muehlenhoff wrote:
> Package: nspluginwrapper
> Severity: grave
> Tags: security
> 
> Please see this Red Hat bugzilla entry for more information and a reference to the
> upstream fix: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2486

This is straightforward to patch, but given that 
- this bug has seen no followup for 3.5 months 
- the last upload was in 2009 
- there's a 64 bit version of the flash plugin these days

we should rather remove it from Wheezy or the archive?

Cheers,
Moritz





Processed: your mail

2012-08-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 683742 + pending
Bug #683742 [python-pastedeploy] python-pastedeploy: Missing dependency on 
python-paste or missing paste package file
Added tag(s) pending.
> tag 671247 + pending
Bug #671247 [src:pastedeploy] pastedeploy: FTBFS if built twice in a row: 
aborting due to unexpected upstream changes
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
671247: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=671247
683742: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683742
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#681680: mediathekview: finds only 1376 out of 57537 movies

2012-08-21 Thread Markus Koschany
Hello,

this is just a reminder and a ping. I would like to know if you are
still interested in maintaining MediathekView?

If you are busy at the moment or if you can't maintain the package
anymore, please say so.

Otherwise I think it would be best to contact the Debian Release Team
and ask them for their opinion. Of course we would need a sponsor, too.

Unless I hear something different I will proceed and ask someone to
sponsor the package next week, provided the Release Team accepts an
upload to Testing.

Regards
Markus





Bug#685469: marked as done (ekg2: missing copyright file)

2012-08-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 Aug 2012 21:17:42 +
with message-id 
and subject line Bug#685469: fixed in ekg2 1:0.3.1-2
has caused the Debian Bug report #685469,
regarding ekg2: missing copyright file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
685469: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685469
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ekg2
Version: 1:0.3.1-1
Severity: serious
Justification: Policy 12.5
User: debian...@lists.debian.org
Usertags: piuparts


Hi,

during a test with piuparts I noticed that your package does not contain
a copyright file.

# ls -la /usr/share/doc/ekg2
total 0
drwxr-xr-x   2 root root  140 Aug 21 02:42 .
drwxr-xr-x 154 root root 3580 Aug 21 02:42 ..
lrwxrwxrwx   1 root root   26 Nov 14  2011 commands-pl.txt -> ../../ekg2/commands-pl.txt
lrwxrwxrwx   1 root root   25 Nov 14  2011 session-en.txt -> ../../ekg2/session-en.txt
lrwxrwxrwx   1 root root   25 Nov 14  2011 session-pl.txt -> ../../ekg2/session-pl.txt
lrwxrwxrwx   1 root root   22 Nov 14  2011 vars-en.txt -> ../../ekg2/vars-en.txt
lrwxrwxrwx   1 root root   22 Nov 14  2011 vars-pl.txt -> ../../ekg2/vars-pl.txt
# ls -lad /usr/share/doc/ekg2
drwxr-xr-x 2 root root 140 Aug 21 02:42 /usr/share/doc/ekg2

Andreas
--- End Message ---
--- Begin Message ---
Source: ekg2
Source-Version: 1:0.3.1-2

We believe that the bug you reported is fixed in the latest version of
ekg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 685...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marcin Owsiany  (supplier of updated ekg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 21 Aug 2012 22:57:55 +0200
Source: ekg2
Binary: ekg2-core ekg2 ekg2-api-docs ekg2-dbg ekg2-gnupg ekg2-jabber 
ekg2-remote ekg2-scripting-python ekg2-scripting-perl ekg2-ui-gtk 
ekg2-ui-ncurses ekg2-xosd
Architecture: source amd64 all
Version: 1:0.3.1-2
Distribution: unstable
Urgency: medium
Maintainer: Marcin Owsiany 
Changed-By: Marcin Owsiany 
Description: 
 ekg2   - instant messenger and IRC client for UNIX systems
 ekg2-api-docs - instant messenger and IRC client for UNIX systems - API 
documenta
 ekg2-core  - instant messenger and IRC client for UNIX systems - main program
 ekg2-dbg   - instant messenger and IRC client for UNIX systems - debugging sym
 ekg2-gnupg - instant messenger and IRC client for UNIX systems - GnuPG
 ekg2-jabber - instant messenger and IRC client for UNIX systems - Jabber/XMPP
 ekg2-remote - instant messenger and IRC client for UNIX systems - remote interf
 ekg2-scripting-perl - instant messenger and IRC client for UNIX systems - Perl 
scriptin
 ekg2-scripting-python - instant messenger and IRC client for UNIX systems - 
Python script
 ekg2-ui-gtk - instant messenger and IRC client for UNIX systems - GTK+ interfac
 ekg2-ui-ncurses - instant messenger and IRC client for UNIX systems - ncurses 
inter
 ekg2-xosd  - instant messenger and IRC client for UNIX systems - X OSD
Closes: 685469
Changes: 
 ekg2 (1:0.3.1-2) unstable; urgency=medium
 .
   * RC-bugfix upload aimed at testing
   * [57a396e] Do not install conflicting symlinks. (Closes: #685469)
Checksums-Sha1: 

Bug#674556: A workaround

2012-08-21 Thread Josue Abarca
I can confirm this bug, a workaround for this problem is:

Press the: "System (Windows) key or Alt+F1"  these key combinations
will take you to the overview, where you will be able to see the top
menu bar and the bottom menu bar.


ii  gnome-common     3.4.0.1-1
ii  mutter-common    3.4.1-5
ii  recordmydesktop  0.3.8.1+svn602-1  amd64

-- 
Josué M. Abarca S.
You deserve Free Software.
PGP key 4096R/70D8FB2A 2009-06-17
Key fingerprint = B3ED 4984 F65A 9AE0 6511  DAF4 756B EB4B 70D8 FB2A





Bug#685551: ntfs-3g: returns incorect type for junction points in readdir()

2012-08-21 Thread Stefano Rivera
Package: ntfs-3g
Version: 1:2012.1.15AR.5-4
Severity: serious
Tags: patch upstream
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

*** /tmp/tmpkpCNMv/bug_body

In Ubuntu, the attached patch was applied to achieve the following:

  * ntfs-3g-junction-point-fix.patch: Return the correct type (DT_LINK) for
NTFS Junction points, in readdir(). (LP: #997391)

A bug was recently fixed in upstream ntfs-3g, where baobab (The GNOME
disk usage visualisation tool) will loop infinitely when scanning a
Windows 7 partition.

http://tuxera.com/forum/viewtopic.php?f=2&t=29578
https://bugzilla.redhat.com/show_bug.cgi?id=849332

Thanks for considering the patch.

SR

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_ZA.UTF-8, LC_CTYPE=en_ZA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Description: Return d_type = DT_LNK for NTFS Junction points in readdir()
 readdir() was returning DT_DIR while stat() was returning S_IFLNK.
 This caused baobab to infinitely loop.
Author: Jean-Pierre Andre
Origin: upstream, http://tuxera.com/forum/viewtopic.php?f=2&t=29578
Bug-Ubuntu: https://launchpad.net/bugs/997391
Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=849332
Last-Update: 2012-08-21

--- a/libntfs-3g/dir.c
+++ b/libntfs-3g/dir.c
@@ -867,6 +867,83 @@
 	INDEX_TYPE_ALLOCATION,	/* index allocation */
 } INDEX_TYPE;
 
+/*
+ *		Decode Interix file types
+ *
+ *	Non-Interix types are returned as plain files, because a
+ *	Windows user may force patterns very similar to Interix.
+ */
+
+static u32 ntfs_interix_types(ntfs_inode *ni)
+{
+	ntfs_attr *na;
+	u32 dt_type;
+	le64 magic;
+
+	dt_type = NTFS_DT_UNKNOWN;
+	na = ntfs_attr_open(ni, AT_DATA, NULL, 0);
+	if (na) {
+		/* Unrecognized patterns (eg HID + SYST) are plain files */
+		dt_type = NTFS_DT_REG;
+		if (na->data_size <= 1) {
+			if (!(ni->flags & FILE_ATTR_HIDDEN))
+dt_type = (na->data_size ?
+		NTFS_DT_SOCK : NTFS_DT_FIFO);
+		} else {
+			if ((na->data_size >= (s64)sizeof(magic))
+			&& (ntfs_attr_pread(na, 0, sizeof(magic), &magic)
+== sizeof(magic))) {
+if (magic == INTX_SYMBOLIC_LINK)
+	dt_type = NTFS_DT_LNK;
+else if (magic == INTX_BLOCK_DEVICE)
+	dt_type = NTFS_DT_BLK;
+else if (magic == INTX_CHARACTER_DEVICE)
+	dt_type = NTFS_DT_CHR;
+			}
+		}
+		ntfs_attr_close(na);
+	}
+	return (dt_type);
+}
+
+/*
+ *		Decode file types
+ *
+ *	Better only use for Interix types and junctions,
+ *	unneeded complexity when used for plain files or directories
+ *
+ *	Error cases are logged and returned as unknown.
+ */
+
+static u32 ntfs_dir_entry_type(ntfs_inode *dir_ni, MFT_REF mref, FILE_ATTR_FLAGS attributes)
+{
+	ntfs_inode *ni;
+	u32 dt_type;
+
+	dt_type = NTFS_DT_UNKNOWN;
+	ni = ntfs_inode_open(dir_ni->vol, mref);
+	if (ni) {
+		if ((attributes & FILE_ATTR_REPARSE_POINT)
+		&& ntfs_possible_symlink(ni))
+			dt_type = NTFS_DT_LNK;
+		else
+			if ((attributes & FILE_ATTR_SYSTEM)
+			   && !(attributes & FILE_ATTR_I30_INDEX_PRESENT))
+dt_type = ntfs_interix_types(ni);
+			else
+dt_type = (attributes
+		& FILE_ATTR_I30_INDEX_PRESENT
+	? NTFS_DT_DIR : NTFS_DT_REG);
+		if (ntfs_inode_close(ni)) {
+ /* anything special to do ? */
+		}
+	}
+	if (dt_type == NTFS_DT_UNKNOWN)
+		ntfs_log_error("Could not decode the type of inode %lld\n",
+(long long)MREF(mref));
+	return (dt_type);
+}
+
 /**
  * ntfs_filldir - ntfs specific filldir method
  * @dir_ni:	ntfs inode of current directory
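Review bot: in ntfs_interix_types(), a failed or short ntfs_attr_pread() leaves dt_type at NTFS_DT_REG, so a read error on the data attribute is reported as a plain file instead of being logged and returned as NTFS_DT_UNKNOWN, which is what the comment above ntfs_dir_entry_type() promises for error cases. Consider separating the "too small to hold a magic" case from the "read failed" case and resetting dt_type to NTFS_DT_UNKNOWN for the latter. The empty `if (ntfs_inode_close(ni))` body in ntfs_dir_entry_type() also drops a close failure silently; either log it or remove the conditional. The single "Could not decode the type of inode" message covers both a failed inode open and a failed attribute open, so including the reason would make the log line actionable.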
@@ -901,19 +978,23 @@
 dir_ni->vol->mft_record_size;
 	else /* if (index_type == INDEX_TYPE_ROOT) */
 		*pos = (u8*)ie - (u8*)iu.ir;
+	mref = le64_to_cpu(ie->indexed_file);
+metadata = (MREF(mref) != FILE_root) && (MREF(mref) < FILE_first_user);
 	/* Skip root directory self reference entry. */
 	if (MREF_LE(ie->indexed_file) == FILE_root)
 		return 0;
-	if (ie->key.file_name.file_attributes & FILE_ATTR_I30_INDEX_PRESENT)
+	if ((ie->key.file_name.file_attributes
+		 & (FILE_ATTR_REPARSE_POINT | FILE_ATTR_SYSTEM))
+	&& !metadata)
+		dt_type = ntfs_dir_entry_type(dir_ni, mref,
+	ie->key.file_name.file_attributes);
+	else if (ie->key.file_name.file_attributes
+		 & FILE_ATTR_I30_INDEX_PRESENT)
 		dt_type = NTFS_DT_DIR;
-	else if (fn->file_attributes & FILE_ATTR_SYSTEM)
-		dt_type = NTFS_DT_UNKNOWN;
 	else
 		dt_type = NTFS_DT_REG;
 
 		/* return metadata files and hidden files if requested */
-	mref = le64_to_cpu(ie->indexed_file);
-metadata = (MREF(mref) != FILE_root) && (MREF(mref) < FILE_first_user);
 if ((!metadata && (NVolShowHidFiles(dir_ni->vol)
 || !(fn->file_attributes & FILE_ATTR_HIDDEN)))
 || (NVolShowSysFiles(dir_ni->vol) && (NVolShowHidFiles(dir_ni->vol)
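Review bot: the new type test reads `ie->key.file_name.file_attributes` while the visibility test a few lines below still uses `fn->file_attributes`, as did the removed FILE_ATTR_SYSTEM branch; use one spelling so it is obvious the same attribute word is being tested. This branch now calls ntfs_dir_entry_type(), which opens the inode, for every non-metadata entry carrying FILE_ATTR_SYSTEM or FILE_ATTR_REPARSE_POINT, and metadata files with FILE_ATTR_SYSTEM, which used to get NTFS_DT_UNKNOWN, now fall through to NTFS_DT_DIR or NTFS_DT_REG; both behaviour changes deserve a line in a comment or in the patch description. The comment "return metadata files and hidden files if requested" is also now separated from the `metadata =` assignment it used to sit above.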
--- a/src/ntfs-3g.c
+++ b/src/ntf
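
Added example (not part of the report or of ntfs-3g): the report above says readdir() returned DT_DIR while stat() returned S_IFLNK, which made baobab loop. The C program below cross-checks each entry's d_type against lstat() and descends only when lstat() reports a directory; the names audit_stats, audit_tree and build_sample_tree and the constructed sample tree are assumptions made for this illustration.

```c
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical counters for this example. */
struct audit_stats {
	int entries;      /* entries examined, "." and ".." excluded */
	int mismatches;   /* d_type disagrees with lstat() */
	int unknown;      /* d_type == DT_UNKNOWN, lstat() is the only source */
	int symlinks;     /* entries lstat() reports as symbolic links */
	int dirs_entered; /* directories actually opened */
};

/* The d_type value that corresponds to an lstat() mode. */
static unsigned char mode_to_dtype(mode_t mode)
{
	switch (mode & S_IFMT) {
	case S_IFREG:  return DT_REG;
	case S_IFDIR:  return DT_DIR;
	case S_IFLNK:  return DT_LNK;
	case S_IFCHR:  return DT_CHR;
	case S_IFBLK:  return DT_BLK;
	case S_IFIFO:  return DT_FIFO;
	case S_IFSOCK: return DT_SOCK;
	default:       return DT_UNKNOWN;
	}
}

/*
 * Walk a tree, comparing readdir()'s d_type with lstat() for every entry.
 * The decision to descend is taken from lstat() only, and the depth is
 * bounded, so a wrong DT_DIR on a link cannot make the walk loop.
 * Returns 0 on success, -1 if the top directory cannot be opened.
 */
static int audit_tree(const char *path, int max_depth, struct audit_stats *st)
{
	char child[PATH_MAX];
	struct dirent *de;
	struct stat sb;
	DIR *dir;
	int n;

	if (max_depth < 0)
		return 0;
	dir = opendir(path);
	if (!dir)
		return -1;
	st->dirs_entered++;
	while ((de = readdir(dir)) != NULL) {
		if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, ".."))
			continue;
		n = snprintf(child, sizeof(child), "%s/%s", path, de->d_name);
		if (n < 0 || (size_t)n >= sizeof(child))
			continue;	/* path too long for this example */
		if (lstat(child, &sb) != 0)
			continue;	/* entry vanished between readdir and lstat */
		st->entries++;
		if (S_ISLNK(sb.st_mode))
			st->symlinks++;
		if (de->d_type == DT_UNKNOWN) {
			st->unknown++;
		} else if (de->d_type != mode_to_dtype(sb.st_mode)) {
			st->mismatches++;
			fprintf(stderr, "mismatch: %s d_type=%u st_mode=%o\n",
				child, (unsigned)de->d_type, (unsigned)sb.st_mode);
		}
		if (S_ISDIR(sb.st_mode))
			audit_tree(child, max_depth - 1, st);
	}
	closedir(dir);
	return 0;
}

/* Constructed sample: one file, one subdirectory, one link back to ".". */
static int build_sample_tree(char *tmpl)
{
	char p[PATH_MAX];
	FILE *f;

	if (!mkdtemp(tmpl))
		return -1;
	snprintf(p, sizeof(p), "%s/plain", tmpl);
	f = fopen(p, "w");
	if (!f)
		return -1;
	fclose(f);
	snprintf(p, sizeof(p), "%s/sub", tmpl);
	if (mkdir(p, 0700) != 0)
		return -1;
	snprintf(p, sizeof(p), "%s/loop", tmpl);
	return symlink(".", p);
}

int main(void)
{
	char root[] = "/tmp/dtype_audit_XXXXXX";
	struct audit_stats st = {0};

	if (build_sample_tree(root) != 0 || audit_tree(root, 8, &st) != 0) {
		perror("dtype audit");
		return 1;
	}
	printf("entries=%d mismatches=%d unknown=%d symlinks=%d dirs=%d\n",
	       st.entries, st.mismatches, st.unknown, st.symlinks, st.dirs_entered);
	return st.mismatches ? 2 : 0;
}
```

Pointing audit_tree() at a mounted volume instead of the sample tree lists every entry whose d_type and lstat() type disagree, which is the inconsistency the report describes.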

Bug#685550: Please update nsd3 to upstream 3.2.13 - fixes VU#517036 CVE-2012-2979 and segfault

2012-08-21 Thread Jeroen Massar
Package: nsd3
Severity: critical

3.2.13 is out for a month already, might be nice to get an updated
package...

Greets,
 Jeroen

--

https://www.nlnetlabs.nl/projects/nsd/
{{{

NSD 3.2.13
Jul 27, 2012
Bugfixes
Bugfix #461 (VU#517036 CVE-2012-2979): NSD denial of service
vulnerability from DNS packet when using --enable-zone-stats.
Bugfix #460: man page correction - identity.
Fix for nsd-patch segfault if zone has been removed from nsd.conf
(thanks Ilya Bakulin)

NSD 3.2.12
Jul 19, 2012
Bugfixes
Fix for VU#624931 CVE-2012-2978: NSD denial of service vulnerability
from non-standard DNS packet from any host on the internet.

NSD 3.2.11
Jul 9, 2012
Features
Fallback to AXFR if IXFR is unknown at the primary. NSD considers IXFR
unknown at the primary if there is a negative response for the IXFR
RRtype. This does not override the value for 'allow-axfr-fallback'.
Allow for reading in new DNSKEY algorithm mnemonics (RFC5155, RFC5702,
RFC5933, and RFC6605 (ECDSA)).
Zone statistics, enable with --enable-zone-stats. This stores the BIND8
stats per zone in a configurable statistics file. This option does not
scale and should therefore not be enabled when serving many zones.
Support for TLSA RRtype (DANE).
Bugfixes
Fix for qtype ANY for a wildcard domain in NSEC signed zone: Don't add
the wildcard domain NSEC into the answer section. Instead, put the
wildcard expanded NSEC into the answer section and keep the wildcard
domain NSEC in the authority section.
Fix for accept spinning reported by OpenBSD.
Fix restart failed due to bad ixfr packet because of zone removed from
nsd.conf.
Bugfix #453: typo in nsdc man page.
}}}





Bug#685542: Acknowledgement (d-push: Error when using https://myserver/Microsoft-Server-ActiveSync)

2012-08-21 Thread nb

Hello,

In fact the problem is in the line :
define('STATE_DIR', '/var/lib/d-push/state');
that should be :
define('STATE_DIR', '/var/lib/d-push/state/');

Notice the trailing '/'. This solves the problem.

Regards

nb

On 21-08-2012 21:24, ow...@bugs.debian.org wrote:

Thank you for filing a new Bug report with Debian.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due 
course.


Your message has been sent to the package maintainer(s):
 Wolfram Quester 

If you wish to submit further information on this problem, please
send it to 685...@bugs.debian.org.

Please do not send mail to ow...@bugs.debian.org unless you wish
to report a problem with the Bug-tracking system.






Processed: tagging 685469

2012-08-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 685469 + confirmed
Bug #685469 [ekg2] ekg2: missing copyright file
Added tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
685469: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685469
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#685502: [request-tracker-maintainers] Bug#685502: fails to install in chroots

2012-08-21 Thread Daniel Baumann
retitle 685502 fails to install when system has no FQDN
thanks

On 08/21/2012 08:37 PM, Dominic Hargreaves wrote:
> hostname is called from /var/lib/dpkg/info/request-tracker4.config.
> Specifically it calls hostname -f.

indeed.

> This would normally be configured by debootstrap

(personally, i think one should always use FQDN as hostname, however..)

if rt really wants to depend on having a FQDN as hostname, then it
needs to handle that gracefully. having a FQDN or not is at the
sysadmin's discretion, not the rt maintainers' ;)

> based on the host system; presumably your host system
> also doesn't have a working hostname -f?

not that it matters, but my hosts do have a proper FQDN, just my chroots
do not (as they are no 'real' systems).

-- 
Address:Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email:  daniel.baum...@progress-technologies.net
Internet:   http://people.progress-technologies.net/~daniel.baumann/





Processed: Re: [request-tracker-maintainers] Bug#685502: fails to install in chroots

2012-08-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 685502 fails to install when system has no FQDN
Bug #685502 [request-tracker4] fails to install in chroots
Changed Bug title to 'fails to install when system has no FQDN' from 'fails to 
install in chroots'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
685502: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685502
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#685469: ekg2: missing copyright file

2012-08-21 Thread Marcin Owsiany
tag confirmed
thanks

On Tue, Aug 21, 2012 at 09:30:34AM +0200, Andreas Beckmann wrote:
> [resending, forgot to Cc: the bug]
> 
> On 2012-08-21 08:38, Marcin Owsiany wrote:
> >> # ls -la /usr/share/doc/ekg2
> >> total 0
> >> drwxr-xr-x   2 root root  140 Aug 21 02:42 .
> >> drwxr-xr-x 154 root root 3580 Aug 21 02:42 ..
> >> lrwxrwxrwx   1 root root   26 Nov 14  2011 commands-pl.txt -> ../../ekg2/commands-pl.txt
> >> lrwxrwxrwx   1 root root   25 Nov 14  2011 session-en.txt -> ../../ekg2/session-en.txt
> >> lrwxrwxrwx   1 root root   25 Nov 14  2011 session-pl.txt -> ../../ekg2/session-pl.txt
> >> lrwxrwxrwx   1 root root   22 Nov 14  2011 vars-en.txt -> ../../ekg2/vars-en.txt
> >> lrwxrwxrwx   1 root root   22 Nov 14  2011 vars-pl.txt -> ../../ekg2/vars-pl.txt
> >> # ls -lad /usr/share/doc/ekg2
> >> drwxr-xr-x 2 root root 140 Aug 21 02:42 /usr/share/doc/ekg2
> > 
> > Interesting. What architecture is this? This looks different on my TV:
> 
> Observed this in a minimal sid chroot on amd64 - it's probably important
> to test in a clean minimal chroot that never had anything ekg2 installed.
> 
> # dpkg -S /usr/share/doc/ekg2/*
> ekg2-core: /usr/share/doc/ekg2/commands-pl.txt
> ekg2-core: /usr/share/doc/ekg2/session-en.txt
> ekg2-core: /usr/share/doc/ekg2/session-pl.txt
> ekg2-core: /usr/share/doc/ekg2/vars-en.txt
> ekg2-core: /usr/share/doc/ekg2/vars-pl.txt
> 
> # l -d /usr/share/doc/ekg2*
> drwxr-xr-x 2 root root 140 Aug 21 02:42 /usr/share/doc/ekg2
> drwxr-xr-x 4 root root 340 Aug 21 02:42 /usr/share/doc/ekg2-core
> lrwxrwxrwx 1 root root   9 Nov 14  2011 /usr/share/doc/ekg2-jabber -> ekg2-core
> drwxr-xr-x 2 root root 220 Aug 21 02:42 /usr/share/doc/ekg2-ui-ncurses
> 
> # l /usr/share/doc/ekg2-core/
> total 88
> drwxr-xr-x   4 root root   340 Aug 21 02:42 .
> drwxr-xr-x 231 root root  5120 Aug 21 02:53 ..
> -rw-r--r--   1 root root  3967 Mar 19  2011 IDEAS-2.0.gz
> -rw-r--r--   1 root root  3993 Mar 19  2011 README.Debian
> -rw-r--r--   1 root root  7289 Mar 19  2011 README.gz
> -rw-r--r--   1 root root  2493 Mar 19  2011 TODO
> -rw-r--r--   1 root root 14635 Mar 19  2011 TODO.Debian.gz
> -rw-r--r--   1 root root  1396 Mar 19  2011 ULOTKA
> drwxr-xr-x   2 root root   600 Aug 21 02:42 book-en
> drwxr-xr-x   2 root root   760 Aug 21 02:42 book-pl
> -rw-r--r--   1 root root  7130 Nov 14  2011 changelog.Debian.gz
> -rw-r--r--   1 root root 18698 Mar 19  2011 copyright
> -rw-r--r--   1 root root   753 Mar 19  2011 events.txt
> -rw-r--r--   1 root root   854 Mar 19  2011 przenosny-kod.txt
> -rw-r--r--   1 root root  1697 Mar 19  2011 queries.txt
> -rw-r--r--   1 root root  1446 Mar 19  2011 sim.txt
> -rw-r--r--   1 root root   701 Mar 19  2011 voip.txt
> 
> symlinks in /usr/share/doc usually open a can of worms ... dpkg does not
> replace directories with symlinks-to-directories and vice versa, so
> special care needs to be taken on upgrades

Ah, I get it now, ekg2-core ships some of the files in
/usr/share/doc/ekg2, rather than .../ekg2-core,
and ekg2 contains /usr/share/doc/ekg2 that is a symlink.

It's a pity lintian did not complain about this.

-- 
Marcin Owsiany  http://marcin.owsiany.pl/
GnuPG: 2048R/02F946FC  35E9 1344 9F77 5F43 13DD  6423 DBF4 80C6 02F9 46FC





Processed: Re: Bug#685324: Local File Inclusion Vulnerability in contrib script

2012-08-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> unmerge 685324
Bug #685324 [php-geshi] Local File Inclusion Vulnerability in contrib script
Bug #685323 [php-geshi] Non-persistent XSS vulnerability in contrib script
Disconnected #685324 from all other report(s).
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
685323: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685323
685324: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685324
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#685323: Bug#685324: Local File Inclusion Vulnerability in contrib script

2012-08-21 Thread Steven Chamberlain
unmerge 685324 685323
thanks

Hi Benny,

If I seem annoyed, it's because I was alerted about security issues in a
package deployed on one of my systems, and had to spend time looking
into it urgently.  (And I still don't know what the issues really are.)

All I could find out is that you've been insisting that Debian
distribute a new version of your software, that you had an "idea on how
to get them to update GeSHi", and that nothing from the contrib/
directory in the source is shipped in the php-geshi package anyway.

http://packages.debian.org/squeeze/all/php-geshi/filelist

So I'm still not sure what to make of this.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org





Bug#682826: world writable directories possible patch

2012-08-21 Thread Jeremias
Hi:

Using chmod 1777 could help?

I attached a patch just in case it does.

Cheers,


-- 
Jeremías--- ilisp.postinst.orig	2012-08-21 16:39:21.911900568 -0300
+++ ilisp.postinst	2012-08-21 16:38:51.211748311 -0300
@@ -65,7 +65,7 @@
 case "$1" in
 configure)
 	set_keybindings
-	chmod 777 /usr/lib/ilisp # Required so that users can build .fasl files
+	chmod 1777 /usr/lib/ilisp # Required so that users can build .fasl files
 	register-common-lisp-source ilisp
 	ensure_symlinks
 	;;
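Review bot: `chmod 1777 /usr/lib/ilisp` only adds the sticky bit, so users can no longer delete or rename each other's files, but the directory under /usr/lib stays writable by every local user and anyone can still create a .fasl there before the legitimate one exists. If the aim is to close the world-writable directory report, build the compiled files at install time or write them to a per-user location and leave /usr/lib/ilisp root-owned with mode 755; if the sticky bit is kept as an interim step, say so in the comment on that line, which still reads as if full write access were the intended end state.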

Bug#685323: Re: Bug#685324: Local File Inclusion Vulnerability in contrib script

2012-08-21 Thread Benny Baumann
Dear Steven,

On 20.08.2012 05:12, Steven Chamberlain wrote:
> tags 685324 + moreinfo unreproducible
> tags 685323 + moreinfo unreproducible
> merge 685324 685323
> severity 685326 wishlist
> merge 685326 584251
> thanks
>
> Hi,
>
> Were these reports of security issues supposed to be genuine?
Yes, they were, as they are really two distinct security issues.
> Or was this simply your "idea on how to get them to update GeSHi". [1]
Well, no. But it'd be a bit long for this mail to shed light on all the
background. And since I don't want to bore you to death while you
actually could be doing something useful (like e.g. updating the
package) I refrain from doing so.
> You refer to vulnerabilities in unspecified "contrib" scripts, but it
> seems to me that Debian does not even ship them in the php-geshi package.
Debian ships them. And the Security Team already has been notified about
the details. That's also the reason why these two bugs have been made
public as part of a longer discussion yesterday.
> "Debian who STILL believes the most recent version is 1.0.8.4", actually
> identifies the latest version as 1.0.8.10 on the PTS [2], with a link to
> the source tarball, and that will surely update within a few hours to
> indicate the new 1.0.8.11 release.
Just checked [2]: Still says 1.0.8.10. But that wasn't the point of the
blog post: The point was about the packaging which was (and by the way
still is) way behind; but more on this in a moment.
> Yes, you already filed a wishlist bug asking for someone to package the
> new version, so there was no reason to file a new 'serious'-severity
> duplicate just now demanding the same.
There was a request on the #debian-qa channel when I talked to some
people directly asking for it. If you'd like the log just ask.
> It seems to me you are in fact wasting the time of whoever would
> potentially package your software, of developers busy fixing serious
> issues to make the next Debian release happen, and of the security team,
> who would be kindly looking after users for the package's 2-3 year term
> in stable/oldstable.
Oh, thanks for that compliment, but I've to decline. Given exactly the
2-3 years this package will be in stable/oldstable is the reason why
there should be an update to something reasonably recent before the
package is put into a distribution. Putting in a package which is
~40kLOCs in diffs behind the current version (to compare the core
component only is about 5kLOC) will be a monster to support. Last time
there was a report to fix something in a stable release took about 4
months of MY time to look up a patch that the Package maintainers
requested; it would have taken about 2 days using upstream AND testing
it thoroughly.
> Some users really prefer long-term, unchanging versions, because they
> deploy lots of software that they don't want to have to review for
> what's changed, update it, re-test and check compatibility on a regular
> basis.  Debian's stable distribution fulfills that need.
Yeah, no news to me. And BTW: I'm also using Debian on some of my systems.

And if you really want to try: GeSHi 1.0.7.15 (which should be around
etch IIRC) can be replaced by a current 1.0.8.11 and everything just
keeps working. That's aboutith Cygwin half my system breaks everytime I
install an update.
> The freeze deadline has already passed, for someone to have
> _volunteered_ to update the GeSHi package in time for the Wheezy release
> process.  The only exception now might be for a genuine security fix or
> serious flaw (which would probably be only a minimal patch for the
> specific issue),
Feel lucky I had the revisions for the bugfix still at hand...

And regarding the packaging: It has been known for at least the time
there was this wishlist ticket that GeSHi was needing an update in
unstable/testing. It's absolutely not my fault that there's only someone
waking up once a security problem is notified. Also: I repeatedly tried
to get someone who was willing to do the packaging for php-geshi to
resolve those long-standing issues. If again the packaging team can't
manage to grant necessary privileges for about 5 months that's another
problem on your side.
> It is possible for more frequent updates to be packaged in testing or
> backports, for example to support new programming languages, but it
> would require continued effort on the part of a volunteer maintainer.
> That person would have had to process your bug reports too.
Correct. And I already did some work on this part prior and in parallel
to these reports. So don't be as gentle as an elephant shopping for
porcelain.
>
> [1] http://blog.benny-baumann.de/?p=1297
>
> [2] http://packages.qa.debian.org/g/geshi.html
>
> Regards,
Regards,
upstream.





Bug#685542: d-push: Error when using https://myserver/Microsoft-Server-ActiveSync

2012-08-21 Thread nb
Package: d-push
Version: 2.0-1
Severity: grave
Tags: d-i
Justification: renders package unusable

Dear Maintainer,

When I try to use https://myserver/Microsoft-Server-ActiveSync to test d-push, 
I have the following error messages :
d-push - Open Source ActiveSync
Version 2.0-1
FatalMisconfigurationException

The configured state directory should terminate with a '/'



-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=ANSI_X3.4-1968) 
(ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash

Versions of packages d-push depends on:
ii  debconf [debconf-2.0]  1.5.46
ii  php-mail               1.2.0-4
ii  php-pear               5.4.4-4
ii  php5                   5.4.4-4
ii  php5-cli               5.4.4-4
ii  php5-imap              5.4.4-4

Versions of packages d-push recommends:
ii  apache2  2.2.22-11
ii  apache2-mpm-prefork [httpd-cgi]  2.2.22-11
ii  libapache2-mod-php5  5.4.4-4

d-push suggests no packages.

-- Configuration Files:
/etc/d-push/config.php changed:
http://www.gnu.org/licenses/>.
*
* Consult LICENSE file for details
/
/**
 *  Default settings
 */
// Defines the default time zone, change e.g. to "Europe/London" if necessary
define('TIMEZONE', '');
// Defines the base path on the server
define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
// Try to set unlimited timeout
define('SCRIPT_TIMEOUT', 0);
//Max size of attachments to display inline. Default is 1MB
define('MAX_EMBEDDED_SIZE', 1048576);
/**
 *  Default FileStateMachine settings
 */
define('STATE_DIR', '/var/lib/d-push/state');
/**
 *  Logging settings
 */
define('LOGFILEDIR', '/var/log/d-push/');
define('LOGFILE', LOGFILEDIR . 'd-push.log');
define('LOGERRORFILE', LOGFILEDIR . 'd-push-error.log');
// Possible Loglevels are:
// LOGLEVEL_OFF, LOGLEVEL_FATAL, LOGLEVEL_ERROR, LOGLEVEL_WARN,
// LOGLEVEL_INFO, LOGLEVEL_DEBUG, LOGLEVEL_WBXML, LOGLEVEL_DEVICEID,
// LOGLEVEL_WBXMLSTACK, LOGLEVEL_ALL
// see /usr/share/d-push/lib/core/zpushdefs.php for more info
define('LOGLEVEL', LOGLEVEL_DEBUG);
define('LOGAUTHFAIL', false);
// To save e.g. WBXML data only for selected users, add the usernames to the array
// The data will be saved into a dedicated file per user in the LOGFILEDIR
define('LOGUSERLEVEL', LOGLEVEL_DEVICEID);
$specialLogUsers = array();
/**
 *  Mobile settings
 */
// Device Provisioning
define('PROVISIONING', true);
// This option allows the 'loose enforcement' of the provisioning policies for older
// devices which don't support provisioning (like WM 5 and HTC Android Mail) - dw2412 contribution
// false (default) - Enforce provisioning for all devices
// true - allow older devices, but enforce policies on devices which support it
define('LOOSE_PROVISIONING', false);
// Default conflict preference
// Some devices allow to set if the server or PIM (mobile)
// should win in case of a synchronization conflict
//   SYNC_CONFLICT_OVERWRITE_SERVER - Server is overwritten, PIM wins
//   SYNC_CONFLICT_OVERWRITE_PIM - PIM is overwritten, Server wins (default)
define('SYNC_CONFLICT_DEFAULT', SYNC_CONFLICT_OVERWRITE_PIM);
// Global limitation of items to be synchronized
// The mobile can define a sync back period for calendar and email items
// For large stores with many items the time period could be limited to a max value
// If the mobile transmits a wider time period, the defined max value is used
// Applicable values:
//   SYNC_FILTERTYPE_ALL (default, no limitation)
//   SYNC_FILTERTYPE_1DAY, SYNC_FILTERTYPE_3DAYS, SYNC_FILTERTYPE_1WEEK, SYNC_FILTERTYPE_2WEEKS,
//   SYNC_FILTERTYPE_1MONTH, SYNC_FILTERTYPE_3MONTHS, SYNC_FILTERTYPE_6MONTHS
define('SYNC_FILTERTIME_MAX', SYNC_FILTERTYPE_ALL);
// Interval in seconds before checking if there are changes on the server when in Ping.
// It means the highest time span before a change is pushed to a mobile. Set it to
// a higher value if you have a high load on the server.
define('PING_INTERVAL', 30);
// Interval in seconds to force a re-check of potentially missed notifications when
// using a changes sink. Default are 300 seconds (every 5 min).
// This can also be disabled by setting it to false
define('SINK_FORCERECHECK', 300);
/***

Bug#685540: asterisk-flite: app_flite fails to load

2012-08-21 Thread Gedalya

Package: asterisk-flite
Version: 2.1-1
Severity: grave

Using asterisk 1:1.8.13.0~dfsg-1+b1 on wheezy.

asterisk01-noc01*CLI> module load app_flite
Unable to load module app_flite
Command 'module load app_flite' failed.
[Aug 21 15:02:01] WARNING[10528]: loader.c:779 inspect_module: Module 
'app_flite.so' was not compiled with the same compile-time options as 
this version of Asterisk.
[Aug 21 15:02:01] WARNING[10528]: loader.c:780 inspect_module: Module 
'app_flite.so' will not be initialized as it may cause instability.
[Aug 21 15:02:01] WARNING[10528]: loader.c:863 load_resource: Module 
'app_flite' could not be loaded.






Bug#685502: [request-tracker-maintainers] Bug#685502: fails to install in chroots

2012-08-21 Thread Dominic Hargreaves
On Tue, Aug 21, 2012 at 12:50:47PM +0200, Daniel Baumann wrote:
> request-tracker4 fails to install in a chroot (standard debian sid
> chroot, with /proc mounted, recommends disabled):
> 
> [...]
> Setting up request-tracker4 (4.0.6-4) ...
> **WARNING**··
> **WARNING**  If you are using mod_perl or any form of persistent perl
> **WARNING**  process such as FastCGI, you will need to restart your
> **WARNING**  web server and any persistent processes now.
> **WARNING**··
> **WARNING**  For mod_perl this means
> **WARNING**··
> **WARNING**  invoke-rc.d apache2 stop && invoke-rc.d apache2 start
> **WARNING**··
> hostname: Name or service not known
> dpkg: error processing request-tracker4 (--configure):
>  subprocess installed post-installation script returned error exit status 1
> Errors were encountered while processing:
>  request-tracker4
> E: Sub-process /usr/bin/dpkg returned an error code (1)
> (sid_i386)root@progress:/home/user#
> 
> unfortunately, looking at the postinst, i didn't spot the error immediately.

hostname is called from /var/lib/dpkg/info/request-tracker4.config.
Specifically it calls hostname -f. This would normally be configured
by debootstrap based on the host system; presumably your host system
also doesn't have a working hostname -f?

I'm not convinced that this is an RC bug in request-tracker4, although it
could plausibly be more resilient to systems without a valid FQDN.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)





Bug#685536: planetsplitter crahes on current planet.osm.bz2

2012-08-21 Thread Dmitry E. Oboukhov
Package: routino
Severity: grave
Version: 2.2-4

If you download the current planet.osm.bz2 and try to use planetsplitter
with it, it will crash (assert):

$ pv ../map/planet-latest.osm.bz2 | bunzip2|planetsplitter --loggable

Parse OSM Data
==
 
22,1GB 11:57:50 [ 537kB/s] [=>] 100%
Read: Lines=4418786769 Nodes=1517336218 Ways=143432273 Relations=1486052

Process OSM Data


planetsplitter: nodesx.c:190: SortNodeList: Assertion `nodesx->idata' failed.
zsh: done pv ../map/planet-latest.osm.bz2 | bunzip2 | 
zsh: abort (core dumped)  planetsplitter --loggable

echo bt|gdb planetsplitter core
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/bin/planetsplitter...(no debugging symbols 
found)...done.
[New LWP 26259]

warning: Can't read pathname for load map: Ошибка ввода/вывода.
Core was generated by `planetsplitter --loggable'.
Program terminated with signal 6, Aborted.
#0  0x7f3ec70f9475 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) #0  0x7f3ec70f9475 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x7f3ec70fc6f0 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x7f3ec70f2621 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00402872 in ?? ()
#4  0x00401a49 in ?? ()
#5  0x7f3ec70e5ead in __libc_start_main ()
   from /lib/x86_64-linux-gnu/libc.so.6
#6  0x004022d5 in ?? ()
#7  0x7fffbc7cb968 in ?? ()
#8  0x001c in ?? ()
#9  0x0002 in ?? ()
#10 0x7fffbc7cc665 in ?? ()
#11 0x7fffbc7cc674 in ?? ()
#12 0x in ?? ()
(gdb) quit

-- 

. ''`.   Dmitry E. Oboukhov
: :’  :   email: un...@debian.org jabber://un...@uvw.ru
`. `~’  GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537




Bug#681903: marked as done (melange-client: missing dependency on python-pkg-resources)

2012-08-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 Aug 2012 17:02:35 +
with message-id 
and subject line Bug#681903: fixed in python-melangeclient 0.1-1.2
has caused the Debian Bug report #681903,
regarding melange-client: missing dependency on python-pkg-resources
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
681903: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681903
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Source: melange-client
Version: 0.1-1.1
Severity: serious
Justification: Policy 3.5

In a minimal chroot:

$ melange
Traceback (most recent call last):
  File "/usr/bin/melange", line 5, in <module>
    from pkg_resources import load_entry_point
ImportError: No module named pkg_resources

--
Jakub Wilk
--- End Message ---
--- Begin Message ---
Source: python-melangeclient
Source-Version: 0.1-1.2

We believe that the bug you reported is fixed in the latest version of
python-melangeclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 681...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann  (supplier of updated python-melangeclient 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 19 Aug 2012 18:43:39 +0200
Source: python-melangeclient
Binary: python-melangeclient melange-client
Architecture: source all
Version: 0.1-1.2
Distribution: unstable
Urgency: low
Maintainer: PKG OpenStack 
Changed-By: gregor herrmann 
Description: 
 melange-client - Melange client
 python-melangeclient - client API library for Melange
Closes: 681903
Changes: 
 python-melangeclient (0.1-1.2) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix "missing dependency on python-pkg-resources":
 - add dependency on python-pkg-resources to melange-client
 - add patch python-melangeclient-namespace.diff and
 - bump build-dependency on python-all to (>= 2.6.6-14~)
 Thanks to Jakub Wilk for the bug report and the fixes that I'm
 putting together here.
 (Closes: #681903)
--- End Message ---


Bug#685524: After upgrading to 4:4.8.2+dfsg-1 kwin segfaults on startup

2012-08-21 Thread Lisandro Damián Nicanor Pérez Meyer
Control: severity -1 important

On Tue 21 Aug 2012 12:49:57 Arto Jantunen wrote:
> Package: qt4-x11
> Version: 4:4.8.2+dfsg-1
> Severity: grave
> 
> Starting KDE with qt4 version 4:4.8.2+dfsg-1 installed causes kwin to
> segfault on startup somewhere in libpthread, with 4:4.8.2-2+b1 everything
> works as expected.
[snip]

Looking at this:

> Kernel: Linux 3.6.0-rc2 (SMP w/2 CPU cores; PREEMPT)

I have asked our users on IRC and so far the outcome is that this is not 
reproducible using pure Sid nor Wheezy with Qt from Sid. But some of them 
experienced problems with kwin with kernels from experimental.

So, I'm reducing the severity of this bug at least until we can reproduce this 
with pure wheezy/sid.

Kind regards, Lisandro.

-- 
"Politics is a noble activity. It must be given new value, by practising it
with vocation and a dedication that demands testimony, martyrdom, that is,
dying for the common good."
  Padre Bergoglio - http://www.lanacion.com.ar/1153060

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/




Processed: Re: Bug#685524: After upgrading to 4:4.8.2+dfsg-1 kwin segfaults on startup

2012-08-21 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 important
Bug #685524 [qt4-x11] After upgrading to 4:4.8.2+dfsg-1 kwin segfaults on 
startup
Severity set to 'important' from 'grave'

-- 
685524: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685524
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: Re: Bug#685524: After upgrading to 4:4.8.2+dfsg-1 kwin segfaults on startup

2012-08-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 unreproducible moreinfo
Bug #685524 [qt4-x11] After upgrading to 4:4.8.2+dfsg-1 kwin segfaults on 
startup
Ignoring request to alter tags of bug #685524 to the same tags previously set

-- 
685524: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685524
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: Re: Bug#685524: After upgrading to 4:4.8.2+dfsg-1 kwin segfaults on startup

2012-08-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 unreproducible moreinfo
Bug #685524 [qt4-x11] After upgrading to 4:4.8.2+dfsg-1 kwin segfaults on 
startup
Added tag(s) unreproducible and moreinfo.

-- 
685524: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685524
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#685524: After upgrading to 4:4.8.2+dfsg-1 kwin segfaults on startup

2012-08-21 Thread Lisandro Damián Nicanor Pérez Meyer
Control: tag -1 unreproducible moreinfo
thanks

Hi Arto!

On Tue 21 Aug 2012 12:49:57 Arto Jantunen wrote:
> Package: qt4-x11
> Version: 4:4.8.2+dfsg-1
> Severity: grave
> 
> Starting KDE with qt4 version 4:4.8.2+dfsg-1 installed causes kwin to
> segfault on startup somewhere in libpthread, with 4:4.8.2-2+b1 everything
> works as expected.

Just for the record: which video card are you using? Are the drivers free or 
non-free?

I'm also running a 64-bit system and could not reproduce this issue.

> I'll see if I can generate a proper backtrace..

Please try to, as this is quite strange. I have added two patches to Qt but 
they should not mess with kwin AFAIU.

Kind regards, Lisandro.

-- 
Children have a greater command of technology (and of the skills and
language that implies) than the adults they deal with. They generally
know more than their own parents, their teachers, their pediatricians,
psychologists, than the politicians and officials of their communities. That
affected the authority an adult had to open up the world.
  Luis Pescetti
  http://www.luispescetti.com/regale-su-obra/

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/




Bug#685192: apt: redirection handling changes in 0.9.4 may break aptitude

2012-08-21 Thread Raphael Geissert
Hi David,

On Tuesday 21 August 2012 08:50:34 David Kalnischkies wrote:
> For clarity: This partial upgrade thing affects not only aptitude, but
> APT itself and "just" by extension all front-ends even if the message
> just talks about how aptitude is unable to handle the internal change in
> libapt and how it talks to his own http-method shipped in 'apt'.

As far as I tested, it doesn't affect APT as long as it isn't a partial 
upgrade from the experimental version that had a separate libapt-pk4.10.
Upgrading apt will also pull in libapt-pkg4.12, and at the time the new 
packages are unpacked no new http method is started. The next call to APT 
would already use the new versions of apt and the http method.

Am I missing something?

> And I doubt that a bug containing the words "partial upgrade" and
> "unofficial sources" (which http.debian.net still is, even as a
> well-received "mirror" of official content) fits very well in the
> severity "grave" bucket, but I let it slight for the moment.

Just one fact:
I have seen more than one mirror, part of the Debian mirrors network, 
redirect from /debian/ to /pub/linux/debian/ and stuff like that.
At the moment there should be none of those in the mirrors list, but users 
who had picked one of those mirrors before the path was changed would be 
affected.

That said, if you disagree with the severity, feel free to change it.

Not sure how common Michael Prokop's scenario is with FAI. He was using a 
minimal debootstrapped chroot and then upgrading it.

> I think Depends are a bit hard in that case. It's not only a loop, but
> libapt-pkg can be used without the method-binaries in a lot of cases, so
> a Recommends: apt (>= ${binary:Version})
> feels more appropriated and should trigger an upgrade of 'apt' in this
> partial upgrade situation as well (as long as the installation of
> Recommends are not disabled) without negative consequences on the
> installation order.
> 
> 
> The only thing not covered by this Recommends is that you can still
> remove apt from your system and possibly break aptitude (and other
> packages using the acquire-system from libapt) - for any libapt user
> this will be equal to the removal of an essential package through,
> however the specific front-end handles this (apt-get is e.g. very vocal
> about that).

If you do consider those cases, then Breaks should probably be used instead.
Recommends is not enough even for the scenario where this bug was 
reproduced: grml - recommends are disabled by default.

I haven't tested a squeeze->wheezy upgrade with Breaks, though. Will try to 
get around it today so that I can report back...

> Same case if s/he prefers to disable installation of recommends.
> And with this back to the initial topic: Adding a recommends, okay?

... because I don't think Recommends is appropriate.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net





Bug#685524: After upgrading to 4:4.8.2+dfsg-1 kwin segfaults on startup

2012-08-21 Thread Arto Jantunen
Package: qt4-x11
Version: 4:4.8.2+dfsg-1
Severity: grave

Starting KDE with qt4 version 4:4.8.2+dfsg-1 installed causes kwin to segfault
on startup somewhere in libpthread, with 4:4.8.2-2+b1 everything works as
expected.

I'll see if I can generate a proper backtrace..

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6.0-rc2 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#678189: marked as done (packagekit-backend-aptcc: insecure tempfile use)

2012-08-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 Aug 2012 15:17:49 +
with message-id 
and subject line Bug#678189: fixed in packagekit 0.7.6-1
has caused the Debian Bug report #678189,
regarding packagekit-backend-aptcc: insecure tempfile use
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
678189: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678189
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: packagekit-backend-aptcc
Version: 0.7.4-4
Severity: grave
Tags: security
Justification: user security hole

/usr/share/PackageKit/helpers/aptcc/pkconffile uses a tempfile with a
fixed name in /tmp, which means anyone could create a
/tmp/pkconffile.templates symlink and have root trash the contents of
the linked file.  You need to use mktemp (or File::Temp or however it's
called in perl).

Cheers,
Julien

-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 
'unstable'), (500, 'testing'), (500, 'stable'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages packagekit-backend-aptcc depends on:
ii  app-install-data    2010.11.17
ii  libapt-inst1.5      0.9.6
ii  libapt-pkg4.12      0.9.6
ii  libc6               2.13-33
ii  libgcc1             1:4.7.1-1
ii  libglib2.0-0        2.32.3-1
ii  libgstreamer0.10-0  0.10.36-1
ii  libstdc++6          4.7.1-1
ii  libxml2             2.8.0+dfsg1-4
ii  python              2.7.3~rc2-1
ii  python-packagekit   0.7.4-4

Versions of packages packagekit-backend-aptcc recommends:
ii  apt-xapian-index  0.45
ii  packagekit        0.7.4-4

Versions of packages packagekit-backend-aptcc suggests:
ii  gdebi-core  0.8.5

-- no debconf information


--- End Message ---
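
The symlink problem described in the report above, as an added example that is not part of the original report and is not PackageKit's code (the helper is Perl; this is a Python sketch). It assumes a private sandbox directory standing in for /tmp, and the function names and file contents are constructed for illustration.

```python
import os
import stat
import tempfile

FIXED_NAME = "pkconffile.templates"  # predictable name, as in the report
ORIGINAL = "original contents\n"     # constructed sample content


def write_fixed_name(directory, data):
    """Unsafe: a predictable path opened with plain open(), which follows
    symlinks and truncates whatever the link points to."""
    path = os.path.join(directory, FIXED_NAME)
    with open(path, "w") as fh:
        fh.write(data)
    return path


def write_exclusive(directory, data):
    """Same name, but O_EXCL makes the open fail if anything (including a
    symlink, dangling or not) already exists at that path."""
    path = os.path.join(directory, FIXED_NAME)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def write_mkstemp(directory, data):
    """Preferred: mkstemp() picks an unpredictable name and creates it with
    O_EXCL and mode 0600, so a pre-planted link cannot be hit."""
    fd, path = tempfile.mkstemp(prefix="pkconffile.", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def _read(path):
    with open(path) as fh:
        return fh.read()


def run_demo():
    """Run all three writers against a planted symlink inside a private
    sandbox directory and report what happened to the link target."""
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        shared = os.path.join(sandbox, "tmp")          # stands in for /tmp
        target = os.path.join(sandbox, "target.conf")  # file the link points to
        os.mkdir(shared)

        def plant():
            # Restore the target and (re)create the link at the fixed name.
            with open(target, "w") as fh:
                fh.write(ORIGINAL)
            link = os.path.join(shared, FIXED_NAME)
            if os.path.lexists(link):
                os.unlink(link)
            os.symlink(target, link)

        plant()
        write_fixed_name(shared, "template data\n")
        results["fixed_name_target"] = _read(target)

        plant()
        try:
            write_exclusive(shared, "template data\n")
            results["exclusive_refused"] = False
        except FileExistsError:
            results["exclusive_refused"] = True
        results["exclusive_target"] = _read(target)

        plant()
        path = write_mkstemp(shared, "template data\n")
        results["mkstemp_target"] = _read(target)
        results["mkstemp_is_link"] = os.path.islink(path)
        results["mkstemp_mode"] = stat.S_IMODE(os.stat(path).st_mode)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Only the fixed-name writer changes the link target; the exclusive open raises `FileExistsError` and `mkstemp()` writes to a fresh file of its own.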
--- Begin Message ---
Source: packagekit
Source-Version: 0.7.6-1

We believe that the bug you reported is fixed in the latest version of
packagekit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 678...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klumpp  (supplier of updated packagekit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Tue, 21 Aug 2012 16:41:43 +0200
Source: packagekit
Binary: packagekit packagekit-tools packagekit-docs libpackagekit-glib2-14 
libpackagekit-glib2-dev gir1.2-packagekitglib-1.0 libpackagekit-qt2-2 
libpackagekit-qt2-dev packagekit-gtk3-module gstreamer0.10-packagekit 
browser-plugin-packagekit python-packagekit packagekit-backend-aptcc 
packagekit-backend-smart packagekit-dbg
Architecture: source amd64 all
Version: 0.7.6-1
Distribution: unstable
Urgency: low
Maintainer: Matthias Klumpp 
Changed-By: Matthias Klumpp 
Description: 
 browser-plugin-packagekit - Plugin to install missing plugins using PackageKit
 gir1.2-packagekitglib-1.0 - GObject introspection data for the PackageKit GLib 
library
 gstreamer0.10-packagekit - GStreamer plugin to install codecs using PackageKit
 libpackagekit-glib2-14 - Library for accessing PackageKit using GLib
 libpackagekit-glib2-dev - Library for accessing PackageKit using GLib 
(development files)
 libpackagekit-qt2-2 - Library for accessing PackageKit using Qt4
 libpackagekit-qt2-dev - Library for accessing PackageKit using Qt4 
(development files)
 packagekit - Provides a package management service
 packagekit-backend-aptcc - APT backend for PackageKit
 packagekit-backend-smart - Smart backend for PackageKit
 packagekit-dbg - Debugging symbols for PackageKit
 packagekit-docs - Documentation for PackageKit
 packagekit-gtk3-module - Install fonts automatically using PackageKit
 packagekit-tools - Provides PackageKit command-line tools
 python-packagekit - PackageKit backend Python bindings
Closes: 678189
Changes: 
 packagekit (0.7.6-1) unstable; urgency=low
 .
   * New upstream bugfix release: 0.7.6
 Changes relevant to Debian:
 - aptcc: Don't use tempfile with fixed name for conffiles
(Matthias Klumpp) (Closes: #678189)
 - Add GStreamer 1.0 support to the PackageKit plugin
(Ric

Bug#683927: marked as done (CVE-2012-3446: MITM vulnerability in TLS/SSL certificates verification)

2012-08-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 Aug 2012 14:47:43 +
with message-id 
and subject line Bug#683927: fixed in libcloud 0.5.0-1.1
has caused the Debian Bug report #683927,
regarding CVE-2012-3446: MITM vulnerability in TLS/SSL certificates verification
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
683927: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683927
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libcloud
Severity: grave
Tags: security
Justification: user security hole

Hi,

a new libcloud was released, fixing a MITM vulnerability in the TLS/SSL
certificates verification. Basically the hostname/CN check is done using
a wrong regular expression which will match even superset of the
hostname.

See http://libcloud.apache.org/security.html and
https://github.com/apache/libcloud/commit/f2af5502dae3ac63e656dd1b7d5f29cc82ded401
and please upload an isolated fix to unstable, since we're in freeze.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
Source: libcloud
Source-Version: 0.5.0-1.1

We believe that the bug you reported is fixed in the latest version of
libcloud, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann  (supplier of updated libcloud package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Sun, 19 Aug 2012 16:24:16 +0200
Source: libcloud
Binary: python-libcloud
Architecture: source all
Version: 0.5.0-1.1
Distribution: unstable
Urgency: low
Maintainer: Debian Python Modules Team 

Changed-By: gregor herrmann 
Description: 
 python-libcloud - unified Python interface into the cloud
Closes: 683927
Changes: 
 libcloud (0.5.0-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * [SECURITY] Fix "CVE-2012-3446: MITM vulnerability in TLS/SSL certificates
 verification": add patch
 0001-Fix-hostname-validation-in-the-SSL-verification-code.patch
 taken from upstream git.
 (Closes: #683927)

--- End Message ---
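
The flaw described in the report above, a hostname/CN check whose regular expression also matches supersets of the hostname, shown as an added Python illustration. It is not libcloud's code or the upstream patch; the function names, the certificate and the hostnames are constructed.

```python
import re

# Constructed certificate, in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example.test"),),),
    "subjectAltName": (("DNS", "api.example.test"), ("DNS", "*.cdn.example.test")),
}

# Constructed hostnames a client might be asked to connect to.
SAMPLE_HOSTS = [
    "api.example.test",                   # exact name on the certificate
    "api.example.test.attacker.invalid",  # certificate name used as a prefix
    "evilapi.example.test",               # certificate name used as a suffix
    "img.cdn.example.test",               # covered by the wildcard
    "a.b.cdn.example.test",               # wildcard must not span two labels
    "other.example.test",                 # not on the certificate at all
]


def cert_names(cert):
    """Return DNS names from subjectAltName, falling back to the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [value for key, value in rdn if key == "commonName"]
    return names


def name_to_regex(pattern):
    """Escape the certificate name; a '*' stands for exactly one DNS label."""
    return re.escape(pattern.lower()).replace(r"\*", r"[0-9a-z-]+")


def verify_unanchored(hostname, cert):
    """Flawed check: re.search() accepts the pattern anywhere inside the hostname."""
    host = hostname.lower()
    return any(re.search(name_to_regex(name), host) for name in cert_names(cert))


def verify_anchored(hostname, cert):
    """Corrected check: the pattern has to cover the whole hostname."""
    host = hostname.lower()
    return any(re.fullmatch(name_to_regex(name), host) for name in cert_names(cert))


def compare(hostnames, cert=SAMPLE_CERT):
    """Map each hostname to (unanchored result, anchored result)."""
    return {h: (verify_unanchored(h, cert), verify_anchored(h, cert)) for h in hostnames}


if __name__ == "__main__":
    for host, (weak, strict) in compare(SAMPLE_HOSTS).items():
        print(f"{host:36} unanchored={weak!s:5} anchored={strict}")
```

Current Python performs this check itself when the TLS context comes from `ssl.create_default_context()`, which enables `check_hostname`.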


Bug#685192: apt: redirection handling changes in 0.9.4 may break aptitude

2012-08-21 Thread David Kalnischkies
For clarity: This partial upgrade thing affects not only aptitude, but APT
itself and "just" by extension all front-ends even if the message just talks
about how aptitude is unable to handle the internal change in libapt and
how it talks to his own http-method shipped in 'apt'.

And I doubt that a bug containing the words "partial upgrade" and
"unofficial sources" (which http.debian.net still is, even as a well-received
"mirror" of official content) fits very well in the severity "grave" bucket,
but I let it slide for the moment.


On Sat, Aug 18, 2012 at 2:53 AM, Raphael Geissert  wrote:
> Now, the easiest way to prevent this kind of conflict would be by adding a
> Depends: apt >= 0.9.4 to libapt-pkg4.12. Not sure how much trouble it would
> cause to a squeeze->wheezy upgrade, as it would force apt to also be
> upgraded when upgrading aptitude (upgrading apt already requires upgrading
> aptitude.) It also introduces a soft dependency loop, but it seems harmless.

I think Depends are a bit hard in that case. It's not only a loop, but
libapt-pkg can be used without the method-binaries in a lot of cases, so a
Recommends: apt (>= ${binary:Version})
feels more appropriate and should trigger an upgrade of 'apt' in this
partial upgrade situation as well (as long as the installation of Recommends
are not disabled) without negative consequences on the installation order.


The only thing not covered by this Recommends is that you can still remove
apt from your system and possibly break aptitude (and other packages using
the acquire-system from libapt) - for any libapt user this will be equal to
the removal of an essential package though, however the specific front-end
handles this (apt-get is e.g. very vocal about that).

The net-result would be that front-ends should depend on 'apt' if they use
the acquire system (some do, even if they don't, packagesearch for example
 seems to be such a candidate).

Yet, this might be wrong in the (less likely case) that a user uses only
debtorrent or https which is provided by other packages and therefore the
acquire system could be used without needing the "standard" methods in 'apt'.
So again, a Recommends would be more in order maybe.

On the other hand: A depends could be added automatically with our symbol
file if an acquire symbol is used, recommends can't be added in this way.
Maybe we should add such a feature to dpkg-dev as it could come in handy for
(big) libraries using other tools internally in certain paths.
Might be better than requiring the library user to declare such a relation.


In the end we are talking about a "priority: important" package, so a user
who wants to remove it should be able to handle the pain s/he has to suffer.
'apt' doesn't depend on a network-manager, even though it is likely that
you need some sort of network access to get packages from somewhere else…

Same case if s/he prefers to disable installation of recommends.
And with this back to the initial topic: Adding a recommends, okay?


Best regards

David Kalnischkies





Bug#672959: startpar triggers kfreebsd panic: vm_fault_copy_wired

2012-08-21 Thread Steven Chamberlain
retitle 672959 startpar triggers kfreebsd panic: vm_fault_copy_wired
thanks

On 21/08/12 09:16, Petr Salinger wrote:
>> I'm beginning to think that startpar is malfunctioning in some way
>> (after checkroot.sh returns, but before it runs the next script).
> 
> Thanks to Steven for excellent hint.

I'm just happy my mail was coherent at that hour.

Thank you for a brilliant patch.  With it I'm no longer seeing panics on
kfreebsd-i386

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org





Processed: Re: Bug#672959: startpar triggers kfreebsd panic: vm_fault_copy_wired

2012-08-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 672959 startpar triggers kfreebsd panic: vm_fault_copy_wired
Bug #672959 [src:sysvinit] kfreebsd-*: panic: vm_fault_copy_wired
Changed Bug title to 'startpar triggers kfreebsd panic: vm_fault_copy_wired' 
from 'kfreebsd-*: panic: vm_fault_copy_wired'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
672959: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672959
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#683284: CVE-2012-3438

2012-08-21 Thread Jonathan Wiltshire
Package: graphicsmagick

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/683284/
2: <201101232332.11736.th...@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Bug#621866: rsync: CVE-2011-1097 DoS and possibly code execution on client side

2012-08-21 Thread Jonathan Wiltshire
Package: rsync

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/621866/
2: <201101232332.11736.th...@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Bug#685502: fails to install in chroots

2012-08-21 Thread Daniel Baumann
Package: request-tracker4
Version: 4.0.6-4
Severity: serious

Hi,

request-tracker4 fails to install in a chroot (standard debian sid
chroot, with /proc mounted, recommends disabled):

[...]
Setting up request-tracker4 (4.0.6-4) ...
**WARNING**··
**WARNING**  If you are using mod_perl or any form of persistent perl
**WARNING**  process such as FastCGI, you will need to restart your
**WARNING**  web server and any persistent processes now.
**WARNING**··
**WARNING**  For mod_perl this means
**WARNING**··
**WARNING**  invoke-rc.d apache2 stop && invoke-rc.d apache2 start
**WARNING**··
hostname: Name or service not known
dpkg: error processing request-tracker4 (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 request-tracker4
E: Sub-process /usr/bin/dpkg returned an error code (1)
(sid_i386)root@progress:/home/user#

unfortunately, looking at the postinst, i didn't spot the error immediately.

Regards,
Daniel

-- 
Address:Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email:  daniel.baum...@progress-technologies.net
Internet:   http://people.progress-technologies.net/~daniel.baumann/





Bug#674089: Possible release note for systems running PHP through CGI.

2012-08-21 Thread Philip Hands
Konstantin Khomoutov  writes:
...
> Then I suggest it to be rephrased "... extensions on the rightmost
> place ...", or may be even simpler: "... php5-cgi now only serves files
> which have .php, .php[345] or .phtml as their rightmost extension
> ...".

how about "... have .php, .php[345] or .phtml at the end"?

(or 'right-hand end' if you think there's any possibility of confusion)

'extension' only really makes sense on FAT and similar file systems, and
the extension on those file systems does not include the full-stop (.)

Cheers, Phil.
-- 
|)|  Philip Hands [+44 (0)20 8530 9560]http://www.hands.com/
|-|  HANDS.COM Ltd.http://www.uk.debian.org/
|(|  10 Onslow Gardens, South Woodford, London  E18 1NE  ENGLAND




Bug#683288: marked as done (rt-authen-externalauth: privilege escalation)

2012-08-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 Aug 2012 10:33:23 +
with message-id 
and subject line Bug#683288: fixed in rt-authen-externalauth 0.10-2
has caused the Debian Bug report #683288,
regarding rt-authen-externalauth: privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
683288: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683288
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rt-authen-externalauth
Severity: grave
Tags: security
Justification: user security hole

Hi,

a security issue has been found in rt-authen-externalauth package. From
http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html:


RT::Authen::ExternalAuth 0.10 and below (for all versions of RT) are
vulnerable to an escalation of privilege attack where the URL of a RSS
feed of the user can be used to acquire a fully logged-in session as
that user. CVE-2012-2770 has been assigned to this vulnerability.


For Wheezy, please fix this  with an isolated fix instead of updating to a
new upstream release (since the freeze is in effect)

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
Source: rt-authen-externalauth
Source-Version: 0.10-2

We believe that the bug you reported is fixed in the latest version of
rt-authen-externalauth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tom Jampen  (supplier of updated rt-authen-externalauth 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Thu, 10 Aug 2012 21:53:49 +0200
Source: rt-authen-externalauth
Binary: rt4-extension-authenexternalauth
Architecture: source i386
Version: 0.10-2
Distribution: unstable
Urgency: low
Maintainer: Tom Jampen 
Changed-By: Tom Jampen 
Description: 
 rt4-extension-authenexternalauth - External authentication module for request 
tracker 4
Closes: 683288
Changes: 
 rt-authen-externalauth (0.10-2) unstable; urgency=low
 .
   * Fixing typos in README.Debian.
   * Adding patch from Alex Vandiver  to fix privilege 
escalation
 bug (Closes: #683288).

--- End Message ---


Bug#684885: update-guestfs-appliance fails for wheezy because it looks for 'diff' instead of 'diffutils'

2012-08-21 Thread Guido Günther
The error message is:

Fetched 79,4 MB in 1min 16s (1.037 kB/s)
febootstrap: aptitude: error: no file was downloaded corresponding to package diff

after downloading the packages. Changing diff to diffutils in
/usr/lib/guestfs/packagelist makes update-guestfs-appliance finish as
expected.
Cheers,
 -- Guido





Bug#674089: Possible release note for systems running PHP through CGI.

2012-08-21 Thread Konstantin Khomoutov
On Tue, 21 Aug 2012 09:48:37 +0200
Ondřej Surý  wrote:

[...]
> >> The mime-types package has dropped non-standard definitions of
> >> PHP MIME-Types as a security measure.  Default PHP configuration
> >> for libapache2-mod-php5{filter} and php5-cgi now only serve files
> >> which have .php, .php[345] and .phtml extensions on a most right
> >> place as opposed to previous state where .php.foobar
> >> would have been interpreted.  Please read NEWS file in the PHP
> >> SAPI of your choice for further information.
> >
> > I fail to parse that "on a most right place" bit though I'm not a
> > native speaker.  If you meant that those extension specifications
> > form a minimal sane and safe subset, may be just go ahead and write
> > exactly that. ;-)
> 
> Nope I mean that the extension should be last.
> 
> E.g.  index.blah.php, but not index.php.blah.
Thanks for the explanation.

Then I suggest it to be rephrased "... extensions on the rightmost
place ...", or may be even simpler: "... php5-cgi now only serves files
which have .php, .php[345] or .phtml as their rightmost extension ...".





Processed: retitle

2012-08-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 685360 AMD SB 750 + Logitech USB keyboard brokenness with Linux 3.2 
> (regression from 2.6.38)
Bug #685360 [src:linux] AMD SB 750 + Logitech USB keyboard broken and system 
unbootable with Linux 3.2 (regression from 2.6.38)
Changed Bug title to 'AMD SB 750 + Logitech USB keyboard brokenness with Linux 
3.2 (regression from 2.6.38)' from 'AMD SB 750 + Logitech USB keyboard broken 
and system unbootable with Linux 3.2 (regression from 2.6.38)'
> --
Stopping processing here.

Please contact me if you need assistance.
-- 
685360: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685360
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#672959: [patch] Bug#672959: kfreebsd-*: panic: vm_fault_copy_wired

2012-08-21 Thread Axel Beckert
Hi,

Petr Salinger wrote:
> >I'm beginning to think that startpar is malfunctioning in some way
> >(after checkroot.sh returns, but before it runs the next script).
> 
> Thanks to Steven for excellent hint.

Indeed. That fits perfectly with my observation that always the last
thing I saw before the crash was the ":" from the last line of
checkroot.sh. No trace of another init.d script being started.

> The patch below fixes it for me.
> Please could also other people verify it.

Will do this evening. Thanks Petr!

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-|  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5





Bug#668757: ping...

2012-08-21 Thread Christoph Martin
Hi Neil,

On 19.08.2012 10:10, Neil Williams wrote:
> Any news on a fix for netdisco packages to not use /home ?
> 
> If this bug is not fixed, the package will have to be removed from
> testing and probably from unstable too. 
> 
> If, as Gabriele has already mentioned in this bug, the user created does
> not need to have a specific directory path, please confirm this so
> that the package can have a trivial fix to drop the --shell option and
> change --home to /var/lib/netdisco.
> 

I could upload a new version with just the adduser line fixed, but that
leaves the problem with existing installations.

Existing /home/netdisco directories need to be removed. They should
always be empty. If not, don't remove the directory and notify the user.

The homedir of existing user netdisco needs to be updated.

Christoph

-- 

Christoph Martin, Zentrum für Datenverarbeitung, Uni-Mainz, Germany
 Instant-Messaging: Jabber: mar...@uni-mainz.de
  (See http://www.zdv.uni-mainz.de/4010.php)


Bug#672959: [patch] Bug#672959: kfreebsd-*: panic: vm_fault_copy_wired

2012-08-21 Thread Petr Salinger

tags 672959 +patch
--

Hi.


/sbin/startpar -p 4 -t 20 -T 3 -M boot -P N -R S

And the same happens even with -p 0.  This is a single-CPU VM running
kfreebsd-i386.


I'm beginning to think that startpar is malfunctioning in some way
(after checkroot.sh returns, but before it runs the next script).


Thanks to Steven for excellent hint.
The patch below fixes it for me.
Please could also other people verify it.

Petr


--- sysvinit-2.88dsf.orig/startpar/startpar.c
+++ sysvinit-2.88dsf/startpar/startpar.c
@@ -1121,10 +1121,11 @@ int main(int argc, char **argv)
   exit(1);
 }
 #endif
-
+#ifdef __linux__
   /* lock us into memory */
   if (geteuid() == 0)
 mlockall(MCL_CURRENT|MCL_FUTURE);
+#endif
   errno = 0;

   gettimeofday(&glastio, 0);
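
Review bot: the new `#ifdef __linux__` around `mlockall(MCL_CURRENT|MCL_FUTURE)` drops the memory lock on every non-Linux build rather than only on kFreeBSD, where the panic was reported, and nothing in the code says why. Consider guarding on the affected kernel instead, or at least add a comment next to the `#ifdef` pointing at Bug#672959 so the guard is not later removed as unexplained portability clutter. Separately, the return value of `mlockall()` is still ignored, so a failed lock goes unnoticed on Linux as well.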





Processed: Re: [patch] Bug#672959: kfreebsd-*: panic: vm_fault_copy_wired

2012-08-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 672959 +patch
Bug #672959 [src:sysvinit] kfreebsd-*: panic: vm_fault_copy_wired
Added tag(s) patch.
> --
Stopping processing here.

Please contact me if you need assistance.
-- 
672959: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672959
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#674089: Possible release note for systems running PHP through CGI.

2012-08-21 Thread Ondřej Surý
On Tue, Aug 21, 2012 at 9:38 AM, Konstantin Khomoutov
 wrote:
> On Tue, Aug 21, 2012 at 09:07:59AM +0200, Ondřej Surý wrote:
>
> [...]
>>> Maybe add just a small paragraph that the configuration of the
>>> extensions has changed and php users should read the NEWS file?
>>
>> That's probably sensible approach.  I have quickly drafted short
>> paragraph which can be used for release notes:
>>
>> Default PHP extension configuration
>> ---
>>
>> The mime-types package has dropped non-standard definitions of
>> PHP MIME-Types as a security measure.  Default PHP configuration
>> for libapache2-mod-php5{filter} and php5-cgi now only serve files
>> which have .php, .php[345] and .phtml extensions on a most right
>> place as opposed to previous state where .php.foobar
>> would have been interpreted.  Please read NEWS file in the PHP
>> SAPI of your choice for further information.
>
> I fail to parse that "on a most right place" bit though I'm not a native
> speaker.  If you meant that those extension specifications form a minimal
> sane and safe subset, may be just go ahead and write exactly that. ;-)

Nope I mean that the extension should be last.

E.g.  index.blah.php, but not index.php.blah.

O.
-- 
Ondřej Surý 
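
A small audit helper for the behaviour change discussed in this thread, added here as an example and not taken from the PHP packages. It models the two rules as the draft note words them (a PHP extension anywhere in the name versus as the rightmost extension) and lists the files whose handling changes; the paths and function names are constructed.

```python
import re
from pathlib import PurePosixPath

# Extensions named in the draft release note: .php, .php[345] and .phtml
PHP_EXT = re.compile(r"php[345]?|phtml")

# Constructed document-root listing.
SAMPLE_PATHS = [
    "/var/www/index.php",
    "/var/www/index.blah.php",
    "/var/www/index.php.blah",
    "/var/www/uploads/avatar.php.jpg",
    "/var/www/app/config.php5.bak",
    "/var/www/legacy/page.phtml",
    "/var/www/old.php3",
    "/var/www/notes.txt",
    "/var/www/php.ini",
    "/var/www/archive.php6",
]


def extensions(path):
    """Dot-separated parts after the base name: 'a.php.bak' -> ['php', 'bak']."""
    return [part for part in PurePosixPath(path).name.split(".")[1:] if part]


def classify(path):
    """Return 'php', 'changed' or 'static' for one file name.

    'php'     - PHP extension is rightmost: interpreted before and after.
    'changed' - PHP extension present but not rightmost (index.php.blah):
                interpreted under the previous defaults, not under the new ones.
    'static'  - no PHP extension at all.
    """
    exts = extensions(path)
    if exts and PHP_EXT.fullmatch(exts[-1]):
        return "php"
    if any(PHP_EXT.fullmatch(ext) for ext in exts):
        return "changed"
    return "static"


def audit(paths):
    """Files an administrator should review before upgrading."""
    return sorted(p for p in paths if classify(p) == "changed")


if __name__ == "__main__":
    for path in audit(SAMPLE_PATHS):
        print("handling changes:", path)
```

Files reported as changed are worth reviewing in both directions: uploads that were only executable because of the old rule, and backups such as `config.php5.bak` that are no longer handed to PHP.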





Bug#674089: Possible release note for systems running PHP through CGI.

2012-08-21 Thread Konstantin Khomoutov
On Tue, Aug 21, 2012 at 09:07:59AM +0200, Ondřej Surý wrote:

[...]
>> Maybe add just a small paragraph that the configuration of the
>> extensions has changed and php users should read the NEWS file?
> 
> That's probably sensible approach.  I have quickly drafted short
> paragraph which can be used for release notes:
> 
> Default PHP extension configuration
> ---
> 
> The mime-types package has dropped non-standard definitions of
> PHP MIME-Types as a security measure.  Default PHP configuration
> for libapache2-mod-php5{filter} and php5-cgi now only serve files
> which have .php, .php[345] and .phtml extensions on a most right
> place as opposed to previous state where .php.foobar
> would have been interpreted.  Please read NEWS file in the PHP
> SAPI of your choice for further information.

I fail to parse that "on a most right place" bit though I'm not a native
speaker.  If you meant that those extension specifications form a minimal
sane and safe subset, may be just go ahead and write exactly that. ;-)





Bug#685418: lbzip2: build-arch target in debian/rules doesn't work

2012-08-21 Thread Mikołaj Izdebski
Hi,

> Thanks for fixing the issue in unstable!
> But I fear you will have to fix it in testing too, as I do not think RT
> will allow 2.2-2 in testing at this point of the freeze.

I submitted an unblock request (#685484). If freeze exception for new
upstream version is not granted, I will prepare a fix only for this
bug in wheezy.

Mikolaj





Bug#685469: ekg2: missing copyright file

2012-08-21 Thread Andreas Beckmann
[resending, forgot to Cc: the bug]

On 2012-08-21 08:38, Marcin Owsiany wrote:
>> # ls -la /usr/share/doc/ekg2
>> total 0
>> drwxr-xr-x   2 root root  140 Aug 21 02:42 .
>> drwxr-xr-x 154 root root 3580 Aug 21 02:42 ..
>> lrwxrwxrwx   1 root root   26 Nov 14  2011 commands-pl.txt -> 
>> ../../ekg2/commands-pl.txt
>> lrwxrwxrwx   1 root root   25 Nov 14  2011 session-en.txt -> 
>> ../../ekg2/session-en.txt
>> lrwxrwxrwx   1 root root   25 Nov 14  2011 session-pl.txt -> 
>> ../../ekg2/session-pl.txt
>> lrwxrwxrwx   1 root root   22 Nov 14  2011 vars-en.txt -> 
>> ../../ekg2/vars-en.txt
>> lrwxrwxrwx   1 root root   22 Nov 14  2011 vars-pl.txt -> 
>> ../../ekg2/vars-pl.txt
>> # ls -lad /usr/share/doc/ekg2
>> drwxr-xr-x 2 root root 140 Aug 21 02:42 /usr/share/doc/ekg2
> 
> Interesting. What architecture is this? This looks different on my TV:

Observed this in a minimal sid chroot on amd64 - it's probably important
to test in a clean minimal chroot that never had anything ekg2 installed.

# dpkg -S /usr/share/doc/ekg2/*
ekg2-core: /usr/share/doc/ekg2/commands-pl.txt
ekg2-core: /usr/share/doc/ekg2/session-en.txt
ekg2-core: /usr/share/doc/ekg2/session-pl.txt
ekg2-core: /usr/share/doc/ekg2/vars-en.txt
ekg2-core: /usr/share/doc/ekg2/vars-pl.txt

# l -d /usr/share/doc/ekg2*
drwxr-xr-x 2 root root 140 Aug 21 02:42 /usr/share/doc/ekg2
drwxr-xr-x 4 root root 340 Aug 21 02:42 /usr/share/doc/ekg2-core
lrwxrwxrwx 1 root root   9 Nov 14  2011 /usr/share/doc/ekg2-jabber ->
ekg2-core
drwxr-xr-x 2 root root 220 Aug 21 02:42 /usr/share/doc/ekg2-ui-ncurses

# l /usr/share/doc/ekg2-core/
total 88
drwxr-xr-x   4 root root   340 Aug 21 02:42 .
drwxr-xr-x 231 root root  5120 Aug 21 02:53 ..
-rw-r--r--   1 root root  3967 Mar 19  2011 IDEAS-2.0.gz
-rw-r--r--   1 root root  3993 Mar 19  2011 README.Debian
-rw-r--r--   1 root root  7289 Mar 19  2011 README.gz
-rw-r--r--   1 root root  2493 Mar 19  2011 TODO
-rw-r--r--   1 root root 14635 Mar 19  2011 TODO.Debian.gz
-rw-r--r--   1 root root  1396 Mar 19  2011 ULOTKA
drwxr-xr-x   2 root root   600 Aug 21 02:42 book-en
drwxr-xr-x   2 root root   760 Aug 21 02:42 book-pl
-rw-r--r--   1 root root  7130 Nov 14  2011 changelog.Debian.gz
-rw-r--r--   1 root root 18698 Mar 19  2011 copyright
-rw-r--r--   1 root root   753 Mar 19  2011 events.txt
-rw-r--r--   1 root root   854 Mar 19  2011 przenosny-kod.txt
-rw-r--r--   1 root root  1697 Mar 19  2011 queries.txt
-rw-r--r--   1 root root  1446 Mar 19  2011 sim.txt
-rw-r--r--   1 root root   701 Mar 19  2011 voip.txt

symlinks in /usr/share/doc usually open a can of worms ... dpkg does not
replace directories with symlinks-to-directories and vice versa, so
special care needs to be taken on upgrades

Andreas





Bug#674089: Possible release note for systems running PHP through CGI.

2012-08-21 Thread Ondřej Surý
> Default PHP extension configuration

^^^
This needs Apache 2, e.g.

Default PHP extension configuration for Apache 2.

> ---
>
> The mime-types package has dropped non-standard definitions of
> PHP MIME-Types as a security measure.  Default PHP configuration
> for libapache2-mod-php5{filter} and php5-cgi now only serve files
> which have .php, .php[345] and .phtml extensions on a most right
> place as opposed to previous state where .php.foobar
> would have been interpreted.  Please read NEWS file in the PHP
> SAPI of your choice for further information.

O.
-- 
Ondřej Surý 





Bug#683648: marked as done (Django's HTMLParser incompatible with python 2.7.3)

2012-08-21 Thread Debian Bug Tracking System
Your message dated Tue, 21 Aug 2012 07:17:39 +
with message-id 
and subject line Bug#683648: fixed in python-django 1.4.1-2
has caused the Debian Bug report #683648,
regarding Django's HTMLParser incompatible with python 2.7.3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
683648: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683648
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1.4-1
Severity: important
Tags: security

https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
http://www.openwall.com/lists/oss-security/2012/07/31/1
http://www.openwall.com/lists/oss-security/2012/07/31/2

- Henri Salo
--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 1.4.1-2

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog  (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 21 Aug 2012 08:42:10 +0200
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.4.1-2
Distribution: unstable
Urgency: low
Maintainer: Chris Lamb 
Changed-By: Raphaël Hertzog 
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 683648
Changes: 
 python-django (1.4.1-2) unstable; urgency=low
 .
   * New patch 01_use_stdlib_htmlparser_when_possible.diff to not override
 Python stdlib's HTMLParser with Python versions which are unaffected by
 http://bugs.python.org/issue670664 Closes: #683648
 Thanks to David Watson  for the patch.
   * Update the above patch to use the version committed upstream (commit
 57d9ccc).

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Signed by Raphael Hertzog
-END PGP SIGNATURE-
--- End Message ---


Bug#674089: Possible release note for systems running PHP through CGI.

2012-08-21 Thread Ondřej Surý
On Mon, Aug 20, 2012 at 8:12 PM, Stefan Fritsch  wrote:
> On Monday 20 August 2012, Ondřej Surý wrote:
>> Ah, I see; it gets executed when there is no known handler or
>> mime-type for second extension.
>>
>> E.g. index.php.jpeg works as expected (e.g. returning PHP source
>> code), but index.php.blubb gets executed. I don't think there's any
>> harm in disabling php.foobar and php.blubb files.
>
> There is also the case that the extensions after .php are known to
> Apache but are not associated with mime types or handlers. For
> example, there are extensions like .de and .en which cause the
> Content-Language header to be set, extensions for setting the charset
> (e.g. .utf8) and extensions for setting the content-encoding (none
> configured by default).
>
> I don't know how often this is actually used together with php.
> Setting the Content-* headers in the php script seems saner to me.

Right, I have never seen this to be used together with PHP, but it
probably deserves a note somewhere.

>> > Good to see that we are heading towards a solution anyway.
>> >
>> > What shall I do with #674089 ?  I can reassign it to php5-cgi so
>> > that your next upload closes it, or do we still need release
>> > notes ?
>>
>> I think we still might need release notes, but it needs to be
>> updated based on final impact of changes we have done. I am not
>> sure if the information about .php.
>> is worth release notes or just NEWS file in PHP. My guess would be
>> latter, but opinions may vary.
>
> Maybe add just a small paragraph that the configuration of the
> extensions has changed and php users should read the NEWS file?

That's probably a sensible approach.  I have quickly drafted a short
paragraph which can be used for release notes:

Default PHP extension configuration
---

The mime-types package has dropped non-standard definitions of
PHP MIME-Types as a security measure.  Default PHP configuration
for libapache2-mod-php5{filter} and php5-cgi now only serve files
which have .php, .php[345] and .phtml extensions on a most right
place as opposed to previous state where .php.foobar
would have been interpreted.  Please read NEWS file in the PHP
SAPI of your choice for further information.


---

O.
-- 
Ondřej Surý 
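
The behaviour change discussed in this thread, modelled as an added example (not part of the original messages, and not Debian's or Apache's own code). It assumes a simplified extension-to-type table and the rule that the rightmost extension defining a type wins, and lists which file names stop being run as PHP once only the rightmost extension counts.

```python
import re

PHP_TYPE = "application/x-httpd-php"

# Assumed, simplified extension table (constructed for this example).
# Old setup: .php and friends carry a PHP type like any other MIME type.
# Extensions such as .de, .en or .utf8 are deliberately absent: they set
# language or charset only and never override the type.
TYPE_MAP = {
    "php": PHP_TYPE, "php3": PHP_TYPE, "php4": PHP_TYPE, "php5": PHP_TYPE,
    "phtml": PHP_TYPE,
    "jpeg": "image/jpeg", "txt": "text/plain", "html": "text/html",
}

# New setup as worded in the draft note: PHP only when the rightmost
# extension is .php, .php3/.php4/.php5 or .phtml.
RIGHTMOST_PHP = re.compile(r".+\.(php[345]?|phtml)$")


def old_executes(filename):
    """Old behaviour: the rightmost extension that defines a type wins."""
    content_type = None
    for ext in filename.split(".")[1:]:
        if ext in TYPE_MAP:
            content_type = TYPE_MAP[ext]
        # unknown and language/charset extensions leave the type untouched
    return content_type == PHP_TYPE


def new_executes(filename):
    """New behaviour: only the rightmost extension decides."""
    return RIGHTMOST_PHP.match(filename) is not None


def upgrade_impact(filenames):
    """Names that were run as PHP before the change and are not afterwards."""
    return [f for f in filenames if old_executes(f) and not new_executes(f)]


# Constructed sample names, including the ones mentioned in the thread.
SAMPLE = ["index.php", "index.php5", "page.phtml", "index.php.jpeg",
          "index.php.blubb", "index.php.foobar", "index.php.de",
          "index.php.utf8", "notes.txt"]

if __name__ == "__main__":
    for name in upgrade_impact(SAMPLE):
        print("no longer executed after upgrade:", name)
```

Feeding it the file names found under a document root gives the list an administrator would want to review before upgrading.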

