Bug#694520: chocolate-doom: there are no humans in Maintainer:/Uploaders: fields

2012-11-27 Thread Jon Dowland
Package: chocolate-doom
Version: 1.7.0-1
Severity: serious
Justification: policy section 3.3

There are no humans in the Uploaders or Maintainers fields for this
version of the package, which is a policy violation.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (750, 'testing'), (700, 'stable'), (600, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages prboom depends on:
ii  libc6                     2.13-35
ii  libgl1-mesa-glx [libgl1]  8.0.4-2
ii  libglu1-mesa [libglu1]    8.0.4-2
ii  libpng12-0                1.2.49-1
ii  libsdl-mixer1.2           1.2.12-3
ii  libsdl-net1.2             1.2.8-2
ii  libsdl1.2debian           1.2.15-5

Versions of packages prboom recommends:
ii  freedoom [boom-wad]  0.8~beta1-1
pn  timidity 

Versions of packages prboom suggests:
ii  game-data-packager  32

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#694521: libxml2: CVE-2012-5134

2012-11-27 Thread Moritz Muehlenhoff
Package: libxml2
Version: 2.6.32.dfsg-5+lenny3
Severity: grave
Tags: security
Justification: user security hole

The following was discovered by the Google Chrome developers:
http://googlechromereleases.blogspot.in/2012/11/stable-channel-update.html

Fix:
http://git.gnome.org/browse/libxml2/commit/?id=6a36fbe3b3e001a8a840b5c1fdd81cefc9947f0d

Cheers,
Moritz





Bug#692295: RFS: couchdb/1.2.0-2.1 [NMU] [RC]

2012-11-27 Thread Dominik George

Hi,

> On Mon, 2012-11-26 at 13:41 +0100, Dominik George wrote:
> > I am looking for a sponsor for my package "couchdb". The upload would fix 
> > RC bug #692295.
>  May I ask some things? How is it your package, if you are not listed as
> maintainer nor uploader?

Ask the person who wrote the RFS template generator. On the other hand, 
it's the Debian community's package. Maybe it should say "my version xyz 
of package foo". If you take any offence on this, I really pity you.

> Why do you NMU immediately when I'm known for quick reply?

First, because I can, second, because that's what the DDs at the BSP told 
me to do.

> Why do you ignore other fixes that I've mentioned to you in
> my previous mail? That includes collation with RMs.

You did not mention any fixes. You mentioned a pending upload. I thought 
you were referring to the pending upload of 1.2.0-2 to *wheezy*, which 
does not include any fix for the issue we are discussing.

How about being a bit more specific next time? I also find that you failed 
to post any details of your fix to the BTS. Even though you may be known 
for "quick reply", other parties might be interested in how to fix the 
problem beforehand. You even may want testers for a patch before uploading 
it. In any case, the BTS report log lacks any hint whatsoever about your 
fix.

> Anyway, I've included your patch in -3, even if I'm not convinced about
> it. I think it would have been better to send HUP signal first, then
> after a specified time send TERM signal to couchdb.

Abusing SIGHUP for shutdown in my opinion is a major violation of 
well-established standards that should be discussed with upstream.

In conclusion, Debian is a community-effort. I am very convinced that no 
single person owns any part of it, so no single person should ever take 
offence on someone else helping them. If you had e-mailed your own patch 
for the problem to the BTS right when you wrote it, also mentioning that 
you are about to upload it, it would have both solved the problem you see 
*and* saved me and the fellows at the BSP quite a few hours of work. 
Please note that you posted your tiny little hint about some pending 
upload only *after* you realized that we were doing work on the issue.

Please also realize that Frank and I spent almost two full days on the 
issue, discussing with dpkg and apt developers and shell gurus all 
possible ways of solving this issue in a way that does *not* violate 
upstream's ideas of signal handling. Although you included the fix in the 
end, and although you claim to be *quick* at it, please try to recognize 
your fellow community members' work and also try to understand if they 
like to get credits for it.

Cheers,
Nik





Bug#692129: Preliminar patch, test needed

2012-11-27 Thread René Mayrhofer
On 2012-11-24 19:12, Maximiliano Curia wrote:
> The bug seems to be recognized by upstream but there seems to be no work going
> on towards a fix. I've prepared a preliminary patch, but I can't test it right
> now, if you can reproduce it, please test the patch and let me know of the
> results.
> 
> I'll try to contact upstream and ask for their input.
> 
> If you want to test this packages you can use the packages published in:
> http://maxy.com.ar/debian
> 
> Or you can use the attached patch and apply it to the pptpd package.

Thanks for the patch! I would like to get this fixed, but will
realistically be unable to test it myself due to "real life
constrains"... If anybody can test it in a different setting to verify
that it fixes the bugs and doesn't break other cases, I am happy to do
an upload.

best regards,
Rene





Bug#688682: modifies conffiles (policy 10.7.3): /etc/dma/dma.conf

2012-11-27 Thread Peter Pentchev
On Mon, Nov 26, 2012 at 09:18:49PM +0100, Michael Banck wrote:
> Hi,
> 
> On Sun, Nov 25, 2012 at 10:32:38PM +0100, Laszlo Kajan wrote:
> > Control: tag -1 + pending
> > 
> > Implemented Arno's suggestion, debdiff attached. 
> 
> I have uploaded Laszlo's patch unchanged to DELAYED/5-day, his debdiff
> still applies.

Thank you - all three of you!

No objections to the upload; I'll incorporate the changes in my repo.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org pe...@packetscale.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
This would easier understand fewer had omitted.




Bug#694403: Please ship an init script, not just a systemd unit

2012-11-27 Thread Riccardo Magliocchetti

On 27/11/2012 00:41, Michael Biebl wrote:

> Btw, having initramfs integration as Steve pointed out, would be really
> nice.
> On my system loading the kernel and the initramfs already takes longer
> than booting the userspace. So having a chart of the initramfs would be
> really helpful.


Last year I've added a bootchart2 initramfs hook here
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603656#15

Also see comment #16 for a correction in the instructions.

Should we ship this stuff in the package or should it be added to 
initramfs-tools?


thanks,
riccardo





Bug#694403: Please ship an init script, not just a systemd unit

2012-11-27 Thread Riccardo Magliocchetti

Hello,

I'm one of the upstream maintainers of bootchart2.

On 26/11/2012 07:42, Steve Langasek wrote:

> Package: bootchart2
> Version: 0.14.4-1.1
> Severity: serious
> Justification: Policy 9.11
>
> The bootchart2 package currently ships systemd unit files, but no init
> script.  This means the behavior is different when booting with systemd than
> when booting with sysvinit.  This appears to be a violation of Policy 9.11:
>
>    [A]ny package integrating with other init systems must also be
>    backwards-compatible with `sysvinit' by providing a SysV-style init
>    script with the same name as and equivalent functionality to any
>    init-specific job, as this is the only start-up configuration method
>    guaranteed to be supported by all init implementations.


Ouch, from what i understand from systemd they are supposed to stop 
/sbin/bootchartd after 20 seconds of active state. Do we have that kind 
of control with sysvinit? other than calling sleep :)



> In practice, my experience is that if I install bootchart, then install
> bootchart2 without purging bootchart, and boot with systemd, systemd gets
> very confused and leaves the bootchart daemon running indefinitely.  In
> contrast, if I boot with sysvinit, the init script in /etc/rc2.d/ does a
> perfectly adequate job of stopping bootchartd at the right point.  So the
> lack of sysvinit integration looks to actually hurt integration with systemd
> too.


Well, I don't know what the original bootchart init script is doing but 
bootchart2 on sysvinit is not supposed to require it thus we do not ship 
it :). /sbin/bootchartd should stop itself when a process set in 
EXIT_PROC from /etc/bootchartd.conf is found. Of course you can call 
/sbin/bootchartd stop manually.


So imho an init script is not that useful, even more if a start action 
will actually stop the collector.


Maybe we should conflict with bootchart because one of its script is 
affecting us though.


Said that your feedback is much appreciated, I'd really like to have 
bootchart2 be the first choice when doing boot profiling instead of the 
old bootchart.


thanks,
riccardo





Processed: Do not use ffmpeg in netgen

2012-11-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 618968 +patch
Bug #618968 [netgen] netgen: links with both GPL-licensed and GPL-incompatible 
libraries
Added tag(s) patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
618968: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618968
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#618968: Do not use ffmpeg in netgen

2012-11-27 Thread Anton Gladky
tags 618968 +patch
thanks

Please consider the following patch, which prevents the use of
ffmpeg in the netgen build. It will, of course, cut the functionality
of netgen, but will let it stay in wheezy.

The upload should be done directly to wheezy, because
sid contains the version which is unlikely to go to testing.

Thanks,

Anton


nmu.debdiff
Description: Binary data


Bug#694254: cyrus-common-2.4: upgrading from lenny to squeeze to wheezy requires db4.2-util in wheezy for db migration

2012-11-27 Thread Ondřej Surý
severity 694254 wishlist
thank you

This is not a bug per se. Manual intervention is required to upgrade
from lenny to squeeze, and there is no way to automate this from
wheezy. Setting the severity to wishlist, so it's kept as evidence,
but feel free to close the bug report if you think it's more
appropriate.

Ondrej

cyrus-common-2.2 has the following debconf dialogue:

Template: cyrus-common-2.2/warnbackendchange
Type: error
Description: Modified database backends
 Comparison between /usr/lib/cyrus/cyrus-db-types.txt and
 /usr/lib/cyrus/cyrus-db-types.active shows that database backends for
 Cyrus IMAPd have been changed.
 .
 This means that those databases for which the database backends changed
 might need to be converted manually to the new format, using the
 cvt_cyrusdb(8) utility.
 .
 Please refer to /usr/share/doc/cyrus-common-2.2/README.Debian.database
 for more information.  Do not start cyrmaster until you have converted
 the databases to the new format.

Ondrej

On Sun, Nov 25, 2012 at 4:43 PM, Ondřej Surý  wrote:
> Hi,
>
> upgrading from lenny to squeeze required manual intervention. E.g. it's more 
> a feature than a bug.
>
> Ondřej Surý
>
> On 24. 11. 2012, at 19:52, Andreas Beckmann  wrote:
>
>> Package: cyrus-common-2.2,cyrus-common-2.4
>> Version: 2.4.16-2
>> Severity: serious
>> User: debian...@lists.debian.org
>> Usertags: piuparts
>>
>> Hi,
>>
>> during a distupgrade test with piuparts I noticed your package requires
>> the db4.2-util package (which is only in lenny) to perform a db upgrade
>> in wheezy. Looks like the db has not been upgraded during the
>> lenny->squeeze upgrade step.
>>
>> This was observed on a piuparts test distupgrading from lenny to squeeze
>> to wheezy. Setting the severity to serious since this may affect the
>> upgrade path of servers that were initially set up with lenny (or
>> earlier) and were upgraded to squeeze long ago.
>>
>>
>>> From the attached log:
>>
>>  Setting up db4.7-util (4.7.25-21) ...
>>  Setting up db4.8-util (4.8.30-12) ...
>>  Setting up cyrus-common (2.4.16-2) ...
>>  Installing new version of config file /etc/pam.d/sieve ...
>>  Installing new version of config file /etc/pam.d/lmtp ...
>>  Creating/updating cyrus user account...
>>  The user `cyrus' is already a member of `sasl'.
>>  cyrus-common: Creating cyrus-imapd directories...Creating/updating cyrus 
>> control directories in /var/lib/cyrus...
>>  Creating/updating partition spool /var/spool/cyrus/mail...
>>  Creating/updating partition spool /var/spool/cyrus/news...
>>  Trying to optimize Cyrus partitions, edit /etc/default/cyrus-imapd to 
>> disable...
>>  done.
>>  cyrus-common: Creating empty user_deny database...done.
>>  Setting up cyrus-common-2.4 (2.4.16-2) ...
>>  Installing new version of config file /etc/imapd.conf ...
>>  Installing new version of config file /etc/cyrus.conf ...
>>  /usr/lib/cyrus/bin/upgrade-db: db4.2-util not installed
>>  /usr/lib/cyrus/bin/upgrade-db: please do: [sudo] apt-get install db4.2-util
>>  /usr/lib/cyrus/bin/upgrade-db: and rerun the upgrade again
>>  dpkg: error processing cyrus-common-2.4 (--configure):
>>   subprocess installed post-installation script returned error exit status 2
>>  dpkg: dependency problems prevent configuration of cyrus-common-2.2:
>>   cyrus-common-2.2 depends on cyrus-common-2.4; however:
>>    Package cyrus-common-2.4 is not configured yet.
>>
>>  dpkg: error processing cyrus-common-2.2 (--configure):
>>   dependency problems - leaving unconfigured
>>  Errors were encountered while processing:
>>   cyrus-common-2.4
>>   cyrus-common-2.2
>>
>> cheers,
>>
>> Andreas
>> 



-- 
Ondřej Surý 





Processed: Re: Bug#694254: cyrus-common-2.4: upgrading from lenny to squeeze to wheezy requires db4.2-util in wheezy for db migration

2012-11-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 694254 wishlist
Bug #694254 [cyrus-common-2.2,cyrus-common-2.4] cyrus-common-2.4: upgrading 
from lenny to squeeze to wheezy requires db4.2-util in wheezy for db migration
Severity set to 'wishlist' from 'serious'
> thank you
Stopping processing here.

Please contact me if you need assistance.
-- 
694254: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694254
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: 686200 still open in unstable

2012-11-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 686200 2:8.8.0+2012.05.21-724730-4
Bug #686200 {Done: Bernd Zeimetz } [open-vm-tools] 
open-vm-tools: fails to upgrade do failing to stop the old daemon
Marked as found in versions open-vm-tools/2:8.8.0+2012.05.21-724730-4 and 
reopened.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
686200: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686200
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#694534: sec: bad defaults

2012-11-27 Thread Florian Gleixner
Source: sec
Version: 2.5.3-1+nmu1
Severity: critical

Starting sec with /etc/default/sec untouched causes sec to write to
syslog for example every time a rule creates a context. This may cause
another context to get created. So sec wrote > 400GB syslog in 24h at my
system making it unusable.

From the sec.pl manpage:

"Warning: be careful with this option if you use SEC  for  monitoring
syslog logfiles, because it might create message loops (SEC log messages
are written to SEC input files that trigger new log messages)."

Resolution: delete the "syslog=daemon" in /etc/default/sec






Bug#694468: marked as done (libldns-dev: missing Breaks+Replaces: ldnsutils (<< 1.6.13-3))

2012-11-27 Thread Debian Bug Tracking System
Your message dated Tue, 27 Nov 2012 11:32:56 +
with message-id 
and subject line Bug#694468: fixed in ldns 1.6.13-4
has caused the Debian Bug report #694468,
regarding libldns-dev: missing Breaks+Replaces: ldnsutils (<< 1.6.13-3)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
694468: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694468
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libldns-dev
Version: 1.6.13-3
Severity: serious
User: trei...@debian.org
Usertags: edos-file-overwrite

Architecture: amd64
Distribution: wheezy->sid (partial) upgrade

Hi,

automatic installation tests of packages that share a file and at the
same time do not conflict by their package dependency relationships has
detected the following problem:

  Selecting previously unselected package ldnsutils.
  Unpacking ldnsutils (from .../ldnsutils_1.6.13-1_amd64.deb) ...

  Setting up ldnsutils (1.6.13-1) ...

  Selecting previously unselected package libldns-dev.
  Unpacking libldns-dev (from .../libldns-dev_1.6.13-3_amd64.deb) ...
  dpkg: error processing /var/cache/apt/archives/libldns-dev_1.6.13-3_amd64.deb 
(--unpack):
   trying to overwrite '/usr/share/man/man1/ldns-config.1.gz', which is also in 
package ldnsutils 1.6.13-1
  dpkg-deb: error: subprocess paste was killed by signal (Broken pipe)
  Errors were encountered while processing:
   /var/cache/apt/archives/libldns-dev_1.6.13-3_amd64.deb


This is a serious bug as it makes installation/upgrade fail, and
violates sections 7.6.1 and 10.1 of the policy.

As this problem can be demonstrated during partial upgrades from wheezy
to sid (but not within wheezy or sid itself), this indicates a
missing or insufficiently versioned Replaces+Breaks relationship.
But since this particular upgrade ordering is not forbidden by any
dependency relationship, it is possible that apt (or $PACKAGE_MANAGER)
will use this erroneous path on squeeze->wheezy upgrades.

Here is a list of files that are known to be shared by both packages
(according to the Contents files for squeeze and wheezy on amd64, which
may be slightly out of sync):

  usr/share/man/man1/ldns-config.1.gz


The following relationships are currently defined:

  Package:   libldns-dev
  Conflicts: n/a
  Breaks:    ldnsutil (<< 1.6.13-2)
  Replaces:  ldnsutil (<< 1.6.13-2)

Wrong package name: ldnsutil*s*
insufficient version: the man page was still there in -2

The following relationships should be added for a clean takeover of
these files
(http://www.debian.org/doc/debian-policy/ch-relationships.html#s-replaces):

  Package:   libldns-dev
  Breaks:    ldnsutils (<< 1.6.13-3)
  Replaces:  ldnsutils (<< 1.6.13-3)


Cheers,

Andreas

PS: for more information about the detection of file overwrite errors
of this kind see http://edos.debian.net/file-overwrites/.


ldnsutils=1.6.13-1_libldns-dev=1.6.13-3.log.gz
Description: GNU Zip compressed data
--- End Message ---
--- Begin Message ---
Source: ldns
Source-Version: 1.6.13-4

We believe that the bug you reported is fixed in the latest version of
ldns, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 694...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý  (supplier of updated ldns package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Tue, 27 Nov 2012 12:05:04 +0100
Source: ldns
Binary: libldns1 libldns1-dbg libldns-dev ldnsutils python-ldns
Architecture: source amd64
Version: 1.6.13-4
Distribution: unstable
Urgency: low
Maintainer: Ondřej Surý 
Changed-By: Ondřej Surý 
Description: 
 ldnsutils  - ldns library for DNS programming
 libldns-dev - ldns library for DNS programming
 libldns1   - ldns library for DNS programming
 libldns1-dbg - ldns library for DNS programming (debug symbols)
 python-ldns - Python bindings for the ldns library for DNS programming
Closes: 694468
Changes: 
 ldns (1.6.13-4) unstable; urgency=low
 .
   * Add correct Breaks/Replaces, fix typo and version (Closes: #694468)
Checksums-Sha1: 
 acd2b43b614cb1c6fba3c116a466459bf823e352 1463 ldns_1.6.13-4.dsc
 f718875c81d4f8a79b2f83a50eff474406fadce0 12952 ldns_1.6.13-4.debian.tar.gz
 aa079cb1d6b16778eb

Bug#692791: Proposed patch now available...

2012-11-27 Thread Didier 'OdyX' Raboud
On Monday, 26 November 2012 19.52:46, Michael Sweet wrote:
> OK, I've posted proposed patches for CUPS 1.6 and trunk (1.7); patches for
> older versions of CUPS will be substantially similar (might be some churn
> due to new configuration directives)
> 
> Available at:
> 
> http://www.cups.org/str.php?L4223

Hi Michael, hi Debian Security Team,

I have now taken a look at the proposed upstream security fix and have merged 
it in the 1.6.1 branch, see the two commits on the pkg-cups/cups.git 
repository:

- 6026af39ea3da038c6e49226779de59520da7cc6 for the proposed patches;
- d39e6abee95f747d024f2b41970c6d7a888f0dd0 for the fixes in other patches;

Roughly, the patch splits the configuration stanzas from /etc/cups/cupsd.conf 
into two files: /etc/cups/cupsd.conf and /etc/cups/cups-files.conf. The first 
stays web-configurable and the latter can only be configured by root.

While it's a nice long-term solution for new cups installs, I'm afraid it's 
not suitable as a security hotfix (so probably not targeted at Debian testing 
nor stable): the administrator has to handle the configuration files split un 
himself. In addition to that, web-modified cupsd.conf is very likely to hinder 
the automatic configuration stanza's split.

On the longer term (for Jessie), I think web-modifiable cupsd.conf (and 
printers.conf) should be moved to /var/lib/cupsd/ and I think we should stick 
to this new cups configuration files handling.

Opinions on ways forward for Wheezy (testing) and Squeeze (stable) ?

Cheers,

OdyX




Bug#520753: marked as done (postinst couldn't change to /etc/cups/pppd)

2012-11-27 Thread Debian Bug Tracking System
Your message dated Tue, 27 Nov 2012 11:48:02 +
with message-id 
and subject line Bug#520753: fixed in ghostscript 9.05~dfsg-6.3
has caused the Debian Bug report #520753,
regarding postinst couldn't change to /etc/cups/pppd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
520753: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520753
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ghostscript
Version: 8.64~dfsg-1
Severity: normal

Hi,

the postinst script tried to change to /etc/cups/pppd, but I don't have
the package cups installed. I have only the package cups-client installed
and use cups on a remote machine.

Updating category cid..
Updating category cmap..
Updating category psprint..
cd: 77: can't cd to /etc/cups/ppd
Richte ghostscript-x ein (8.64~dfsg-1) ...
Verarbeite Trigger für menu ...
Verarbeite Trigger für python-support ...

Bye, Jörg.

-- System Information:
Debian Release: unstable/experimental
  APT prefers unstable
  APT policy: (900, 'unstable'), (700, 'experimental')
Architecture: powerpc (ppc)

Kernel: Linux 2.6.29-rc8
Locale: LANG=C, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to de_DE.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ghostscript depends on:
ii  debconf [debc  1.5.26                      Debian configuration management sy
ii  debianutils    2.31                        Miscellaneous utilities specific t
ii  defoma         0.11.10-0.2                 Debian Font Manager -- automatic f
ii  ghostscript [  8.64~dfsg-1                 The GPL Ghostscript PostScript/PDF
ii  gs-common      8.64~dfsg-1                 Dummy package depending on ghostsc
ii  gsfonts        1:8.11+urwcyr1.0.7~pre44-4  Fonts for the Ghostscript interpre
ii  libc6          2.9-6                       GNU C Library: Shared libraries
ii  libcups2       1.3.9-15                    Common UNIX Printing System(tm) - 
ii  libcupsimage2  1.3.9-15                    Common UNIX Printing System(tm) - 
ii  libgnutls26    2.6.4-2                     the GNU TLS library - runtime libr
ii  libgs8         8.64~dfsg-1                 The Ghostscript PostScript/PDF int
ii  libgssapi-krb  1.6.dfsg.4~beta1-11         MIT Kerberos runtime libraries - k
ii  libjpeg62      6b-14                       The Independent JPEG Group's JPEG 
ii  libpng12-0     1.2.35-1                    PNG library - runtime
ii  libtiff4       3.8.2-11                    Tag Image File Format (TIFF) libra
ii  zlib1g         1:1.2.3.3.dfsg-13           compression library - runtime

Versions of packages ghostscript recommends:
ii  psfontmgr      0.11.10-0.2                 PostScript font manager -- part of

Versions of packages ghostscript suggests:
ii  ghostscript-x  8.64~dfsg-1                 The GPL Ghostscript PostScript/PDF
pn  hpijs                                      (no description available)

-- no debconf information


--- End Message ---
--- Begin Message ---
Source: ghostscript
Source-Version: 9.05~dfsg-6.3

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 520...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud  (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 25 Nov 2012 14:39:30 +0100
Source: ghostscript
Binary: ghostscript ghostscript-cups ghostscript-x ghostscript-doc libgs9 
libgs9-common libgs-dev ghostscript-dbg
Architecture: source all amd64
Version: 9.05~dfsg-6.3
Distribution: unstable
Urgency: low
Maintainer: Debian Printing Team 
Changed-By: Didier Raboud 
Description: 
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-cups - interpreter for the PostScript language and for PDF - CUPS 
filter
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug 
symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - 
Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 
support
 libgs-dev  - interpreter for the PostScript l

Bug#640939: Moreinfo

2012-11-27 Thread Wolfgang Schweer
Hi all,

during BSP Essen I stumbled upon this thread, now I found time for 
some testing.

[Martin Pitt]
>I discussed this with Till, and we both have no real idea how to get
>to a situation where lpadmin as root asks for a password. It is
>already called with -h /var/run/cups/cups.sock to ensure it's not
>talking to a remote server. It seems you need a particular cups
>configuration to achieve this.

-

cups 1.5.3-2.6, system without Kerberos, DefaultAuthType set to 
"Negotiate" just for testing, no other changes to cupsd.conf:
 
root@eagle:~# lpadmin -h /var/run/cups/cups.sock -d 
Password for root on localhost?
[need to press return key]
lpadmin: Unauthorized
root@eagle:~# lpadmin -h 127.0.0.1 -d 
lpadmin: Unauthorized
root@eagle:~# lpadmin -h localhost -d 
lpadmin: Unauthorized

root@eagle:~# 

-

IMO the root pw questioning was most probably introduced by adding 
extended Kerberos support upstream, therefore expecting a valid 
hostname/IP as server argument causing problems in related cases, too.

(upstream revision 9732 on trunk, see URL in message #54 above.)

Maybe replacing "-h /var/run/cups/cups.sock" by "-h localhost" would 
solve the reported problem (and related ones) -- if no side effects 
are triggered.

A related problem on a kerberized system: #663995, 
upstream: http://www.cups.org/str.php?L4140


Regards,

Wolfgang





Bug#692791: Proposed patch now available...

2012-11-27 Thread Michael Sweet
Didier,

On 2012-11-27, at 6:45 AM, Didier 'OdyX' Raboud  wrote:
> ...
> While it's a nice long-term solution for new cups installs, I'm afraid it's 
> not suitable as a security hotfix (so probably not targeted at Debian 
> testing nor stable): the administrator has to handle the configuration files 
> split un himself. In addition to that, web-modified cupsd.conf is very likely 
> to hinder the automatic configuration stanza's split.

A package update can lay down a new cups-files.conf, and it shouldn't be hard 
to do a short migration script that copies the dozen or so affected directives 
from cupsd.conf to the new cups-files.conf file.  I guess it just depends on 
whether you want to close this particular hole and how you want to deal with it.

CUPS 1.6.2 will ship with the split configuration files and a warning to 
error_log when the cupsd.conf file contains directives that should be moved.

A simpler (but less complete) fix for CUPS 1.5.x and earlier would be to 
blacklist /etc and /dev for the logs - we wanted something more complete.

> On the longer term (for Jessie), I think web-modifiable cupsd.conf (and 
> printers.conf) should be moved to /var/lib/cupsd/ and I think we should stick 
> to this new cups configuration files handling.

Back in the day when we were adapting CUPS to the FHS (1.0, 2.0? I don't 
remember) we decided not to use /var/lib because /etc is the place for editable 
configuration files and /var/lib is the place for files that are managed by 
software.  printers.conf, classes.conf, and cupsd.conf *are* user-editable 
files (even if that isn't the typical case for classes.conf and printers.conf). 
*If* we move to a non-editable format in the future (likely for CUPS 2.0) we 
will definitely restructure things to put those files in /var/lib.

I don't advise that you try to patch current CUPS to use /var/lib/cupsd for 
cupsd stuff and /etc/cups for everything else since the current code assumes 
that all CUPS configuration files are in one location.  The patch will be very 
very messy and hard to maintain.

__
Michael Sweet, Senior Printing System Engineer, PWG Chair





Bug#692791: Proposed patch now available...

2012-11-27 Thread Didier 'OdyX' Raboud
On Tuesday, 27 November 2012 14.00:07, Michael Sweet wrote:
> A package update can lay down a new cups-files.conf, and it shouldn't be
> hard to do a short migration script that copies the dozen or so affected
> directives from cupsd.conf to the new cups-files.conf file.  I guess it
> just depends on whether you want to close this particular hole and how you
> want to deal with it.

Exactly. I'll investigate the idea of scripting the configuration files 
upgrade (probably using ucf). The point is that it's not the type of changes 
we particularly welcome in stable releases.

> CUPS 1.6.2 will ship with the split configuration files and a warning to
> error_log when the cupsd.conf file contains directives that should be
> moved.
> 
> A simpler (but less complete) fix for CUPS 1.5.x and earlier would be to
> blacklist /etc and /dev for the logs - we wanted something more complete.

Sure. As mentioned, for the long-term the chosen solution is the correct one. 
Yet we need something as undisruptive and safe as possible for our stable 
release.

> > On the longer term (for Jessie), I think web-modifiable cupsd.conf (and
> > printers.conf) should be moved to /var/lib/cupsd/ and I think we should
> > stick to this new cups configuration files handling.
> 
> Back in the day when we were adapting CUPS to the FHS (1.0, 2.0? I don't
> remember) we decided not to use /var/lib because /etc is the place for
> editable configuration files and /var/lib is the place for files that are
> managed by software.  printers.conf, classes.conf, and cupsd.conf *are*
> user-editable files (even if that isn't the typical case for classes.conf
> and printers.conf). *If* we move to a non-editable format in the future
> (likely for CUPS 2.0) we will definitely restructure things to put those
> files in /var/lib.
> 
> I don't advise that you try to patch current CUPS to use /var/lib/cupsd for
> cupsd stuff and /etc/cups for everything else since the current code
> assumes that all CUPS configuration files are in one location.  The patch
> will be very very messy and hard to maintain.

Sure, thanks for the detailed response. Over lunch I realised pushing 
cupsd.conf to /var/lib/cupsd would indeed be a bad idea.

Cheers,

OdyX
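
The migration step discussed in the two messages above (copying the affected directives from cupsd.conf into a root-only cups-files.conf), combined with the "blacklist /etc and /dev for the logs" idea, as an added Python example; it is not code from CUPS, Debian or either poster. The directive set, the ServerRoot default, the function names and the sample files are assumptions made for illustration.

```python
"""Move file/identity directives from cupsd.conf to cups-files.conf (added example)."""
import posixpath

# Assumption: names as documented for cups-files.conf in CUPS 1.6.2; the thread
# only says "the dozen or so affected directives". Verify against the
# cups-files.conf man page of the version actually shipped.
FILES_DIRECTIVES = frozenset(name.lower() for name in (
    "AccessLog", "CacheDir", "ConfigFilePerm", "DataDir", "DocumentRoot",
    "ErrorLog", "FileDevice", "FontPath", "Group", "LogFilePerm", "PageLog",
    "Printcap", "PrintcapFormat", "RequestRoot", "ServerBin", "ServerRoot",
    "StateDir", "SystemGroup", "TempDir", "User",
))
LOG_DIRECTIVES = frozenset(("accesslog", "errorlog", "pagelog"))
BLOCKED_LOG_ROOTS = ("/etc", "/dev")  # the "simpler fix" named in the thread


def directive_name(line):
    """Lower-cased directive keyword, or None for blanks, comments, <Section>s."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#<":
        return None
    return stripped.split(None, 1)[0].lower()


def log_path_blocked(value, server_root="/etc/cups"):
    """True when a log target resolves (lexically) under /etc or /dev."""
    target = value.strip()
    if not target or target == "syslog":
        return False
    if not target.startswith("/"):
        # Assumption: cupsd resolves relative log names against ServerRoot.
        target = posixpath.join(server_root, target)
    # normpath() keeps a leading "//", so collapse it first, then fold "..".
    # This is lexical only; on the real host also compare os.path.realpath().
    target = posixpath.normpath("/" + target.lstrip("/"))
    return any(target == root or target.startswith(root + "/")
               for root in BLOCKED_LOG_ROOTS)


def split_config(cupsd_text, files_text=""):
    """Return (new_cupsd_conf, new_cups_files_conf, held_back_lines)."""
    keep, moved, held = [], [], []
    depth = 0  # nesting level of <Location>/<Policy>/<Limit> sections
    for line in cupsd_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("</"):
            depth = max(0, depth - 1)
        elif stripped.startswith("<"):
            depth += 1
        name = directive_name(line)
        # Only top-level directives are candidates; sections stay untouched.
        if depth or name is None or name not in FILES_DIRECTIVES:
            keep.append(line)
            continue
        value = stripped.split(None, 1)[1] if " " in stripped or "\t" in stripped else ""
        if name in LOG_DIRECTIVES and log_path_blocked(value):
            # cupsd.conf was editable through the web interface, so do not
            # promote a suspicious log target into the root-only file.
            held.append(stripped)
            keep.append("# NOT MIGRATED (log path under /etc or /dev): " + stripped)
            continue
        moved.append(stripped)
        keep.append("# moved to cups-files.conf: " + stripped)
    moved_names = {directive_name(entry) for entry in moved}
    # The administrator's migrated value replaces the packaged default.
    files_out = [entry for entry in files_text.splitlines()
                 if directive_name(entry) not in moved_names]
    files_out.extend(moved)
    return "\n".join(keep) + "\n", "\n".join(files_out) + "\n", held


# Constructed sample input, not taken from any real system.
CUPSD_SAMPLE = """\
# cupsd.conf (constructed sample)
LogLevel warn
ErrorLog /var/log/cups/error_log
PageLog /var/log/cups/../../../etc/example.conf
SystemGroup lpadmin
Listen localhost:631
<Location /admin>
  Order allow,deny
</Location>
"""
FILES_SAMPLE = """\
# cups-files.conf laid down by the package (constructed sample)
ErrorLog /var/log/cups/error_log.default
User lp
"""

if __name__ == "__main__":
    new_cupsd, new_files, held_back = split_config(CUPSD_SAMPLE, FILES_SAMPLE)
    print(new_cupsd, new_files, sep="\n---\n")
    for entry in held_back:
        print("needs manual review:", entry)
```

Held-back lines are left commented out in cupsd.conf, so the administrator sees them instead of having them silently dropped or promoted.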




Bug#625985: marked as done (net-snmp: FTBFS on kfreebsd-*: ./.libs/libnetsnmpmibs.so: undefined reference to `kd')

2012-11-27 Thread Debian Bug Tracking System
Your message dated Tue, 27 Nov 2012 13:47:59 +
with message-id 
and subject line Bug#625985: fixed in net-snmp 5.4.3~dfsg-2.7
has caused the Debian Bug report #625985,
regarding net-snmp: FTBFS on kfreebsd-*: ./.libs/libnetsnmpmibs.so: undefined 
reference to `kd'
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
625985: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=625985
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: net-snmp
Version: 5.4.3~dfsg-2.1
Severity: serious
Justification: FTBFS
User: debian-...@lists.debian.org
Usertags: kfreebsd

Hi,

(-bsd + buildd maints in x-d-cc)

your package still FTBFS, but only on kfreebsd-* now. I can't replicate
this in an uptodate chroot on the kfreebsd-amd64 porterbox, so here's a
bug about it:
| libtool: compile:  gcc -I../include -I. -I../agent -I../agent/mibgroup 
-I../snmplib -g -O2 -DNETSNMP_USE_INLINE -Ukfreebsd -Dkfreebsd=kfreebsd 
-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing 
-pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE 
-D_FILE_OFFSET_BITS=64 -I/usr/lib/perl/5.12/CORE -c snmpd.c -o snmpd.o 
>/dev/null 2>&1
| /bin/bash ../libtool  --mode=link gcc -g -O2 -DNETSNMP_USE_INLINE -Ukfreebsd 
-Dkfreebsd=kfreebsd  -D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN 
-fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64  -I/usr/lib/perl/5.12/CORE   -o 
snmpd snmpd.lo  -L../snmplib/.libs -L../snmplib -L./.libs -L./helpers/.libs 
-L./helpers  libnetsnmpagent.la helpers/libnetsnmphelpers.la libnetsnmpmibs.la 
../snmplib/libnetsnmp.la  -Wl,-E
| libtool: link: gcc -g -O2 -DNETSNMP_USE_INLINE -Ukfreebsd -Dkfreebsd=kfreebsd 
-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing 
-pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE 
-D_FILE_OFFSET_BITS=64 -I/usr/lib/perl/5.12/CORE -o .libs/snmpd .libs/snmpd.o 
-Wl,-E  -L../snmplib/.libs -L../snmplib -L./.libs -L./helpers/.libs -L./helpers 
./.libs/libnetsnmpagent.so helpers/.libs/libnetsnmphelpers.so 
./.libs/libnetsnmpmibs.so ../snmplib/.libs/libnetsnmp.so
| ./.libs/libnetsnmpmibs.so: undefined reference to `kd'
| collect2: ld returned 1 exit status

Full build logs:
  https://buildd.debian.org/status/package.php?p=net-snmp

Mraw,
KiBi.


--- End Message ---
--- Begin Message ---
Source: net-snmp
Source-Version: 5.4.3~dfsg-2.7

We believe that the bug you reported is fixed in the latest version of
net-snmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 625...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Banck  (supplier of updated net-snmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Sat, 24 Nov 2012 13:30:51 +0100
Source: net-snmp
Binary: snmpd snmp libsnmp-base libsnmp15 libsnmp15-dbg libsnmp-dev 
libsnmp-perl libsnmp-python tkmib
Architecture: source amd64 all
Version: 5.4.3~dfsg-2.7
Distribution: unstable
Urgency: low
Maintainer: Michael Banck 
Changed-By: Michael Banck 
Description: 
 libsnmp-base - SNMP (Simple Network Management Protocol) MIBs and documentation
 libsnmp-dev - SNMP (Simple Network Management Protocol) development files
 libsnmp-perl - SNMP (Simple Network Management Protocol) Perl5 support
 libsnmp-python - SNMP (Simple Network Management Protocol) Python support
 libsnmp15  - SNMP (Simple Network Management Protocol) library
 libsnmp15-dbg - SNMP (Simple Network Management Protocol) library debug
 snmp   - SNMP (Simple Network Management Protocol) applications
 snmpd  - SNMP (Simple Network Management Protocol) agents
 tkmib  - SNMP (Simple Network Management Protocol) MIB browser
Closes: 625985
Changes: 
 net-snmp (5.4.3~dfsg-2.7) unstable; urgency=low
 .
   * Non-maintainer upload.
   * debian/patches/27_kfreebsd_bug625985.patch: New patch, fix build error on
 kfreebsd-*, by Steven Chamberlain (closes: #625985).

Bug#618968: Do not use ffmpeg in netgen

2012-11-27 Thread trophime
On Tue, 2012-11-27 at 11:45 +0100, Anton Gladky wrote:
> tags 618968 +patch
> thanks
> 
> Please, consider the following patch, which prevents
> using ffmpeg in netgen build. It will, of course, cut the functionality
> of netgen, but will let it stay in wheezy.
> 
> The upload should be done directly to wheezy, because
> sid contains the version, which will unlikely go to a testing.
> 
> Thanks,
> 
> Anton

Hi,
unless I'm wrong netgen requires the following package to have "ffmpeg"
features : libswscale-dev, libavformat-dev, libavcodec-dev. None of
these packages are concerned with the switch from ffmpeg to libav.

I think there is no reason to apply this patch.
Best

C





Bug#694417: bbdb: package installation creates /root/.gnupg/*

2012-11-27 Thread Sébastien Villemot
Control: tags -1 + patch

Dear Maintainers,

Andreas Beckmann  writes:

> Package: bbdb
> Version: 2.36-2
> Severity: serious
> User: debian...@lists.debian.org
> Usertags: piuparts
>
> during a test with piuparts I noticed that your package creates files in
> /root. From the attached log (scroll to the bottom):
>
> 1m4.7s ERROR: FAIL: Package purging left files on system:
>   /root/.gnupg/            not owned
>   /root/.gnupg/gpg.conf    not owned
>   /root/.gnupg/pubring.gpg not owned
>   /root/.gnupg/secring.gpg not owned

Please find attached a patch that fixes this bug. I can perform the NMU
if you are busy now, but I would appreciate your feedback on the patch.

Regards,
diff -Nru bbdb-2.36/debian/bbdb.emacsen-install bbdb-2.36/debian/bbdb.emacsen-install
--- bbdb-2.36/debian/bbdb.emacsen-install	2010-12-12 16:03:00.0 +0100
+++ bbdb-2.36/debian/bbdb.emacsen-install	2012-11-27 14:53:21.0 +0100
@@ -74,6 +74,11 @@
 
 	# at ELCDIR
 	( cd ${ELCDIR}
+
+	# Prevent epg from manipulating /root/.gnupg (#694417)
+	TMPGNUPGHOME=`mktemp -d --tmpdir gnupg.XX`
+	export GNUPGHOME=${TMPGNUPGHOME}
+
 	echo "Generating bbdb-autoloads..."
 echo "Generating bbdb-autoloads" >> $LOG
 	make autoloads >> $LOG 2>&1
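Review bot: The result of mktemp is never checked in the added lines. If "mktemp -d" fails, TMPGNUPGHOME is empty and "export GNUPGHOME=${TMPGNUPGHOME}" exports an empty GNUPGHOME, which gpg treats as unset, so the build that follows can fall back to /root/.gnupg, the very behaviour #694417 reports. Abort (or skip the epg-dependent step) when mktemp fails, and quote the expansion in the export. The template as it appears here also ends in only two X characters; GNU mktemp rejects templates with fewer than three, so confirm the applied patch carries the full run of X's.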
@@ -86,7 +91,7 @@
 		GNUSDIR=${GNUSDIR} \
 		MHEDIR=${MHEDIR} >> $LOG 2>&1
 	mv lisp/*.elc utils/*.el .
-	rm -rf tex utils lisp Makefile
+	rm -rf tex utils lisp Makefile ${TMPGNUPGHOME}
 	${FLAVOR} ${COMPILE} *.el >> $LOG 2>&1
 	)
 	cat > ${ELCDIR}/load-path.el <  Tue, 27 Nov 2012 14:32:04 +0100
+
 bbdb (2.36-2) unstable; urgency=low
 
   * Update to bbdb-vcard 0.3, which better parses birthdays
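Review bot: The cleanup in "rm -rf tex utils lisp Makefile ${TMPGNUPGHOME}" runs before the final "${FLAVOR} ${COMPILE} *.el" step, so that last byte-compile still has GNUPGHOME exported but pointing at a directory that no longer exists, and the directory is left behind if the subshell exits before reaching the rm. Move the removal after the last compile, or register it once with a trap on EXIT right after the mktemp call. Quote it as "${TMPGNUPGHOME}" so an empty or unexpected value cannot change what rm -rf deletes.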

-- 
 .''`.Sébastien Villemot
: :' :Debian Developer
`. `' http://www.dynare.org/sebastien
  `-  GPG Key: 4096R/381A7594




Processed: Re: Bug#694417: bbdb: package installation creates /root/.gnupg/*

2012-11-27 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + patch
Bug #694417 [bbdb] bbdb: package installation creates /root/.gnupg/*
Added tag(s) patch.

-- 
694417: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694417
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: r2202 - mysql-5.5/branches/unstable/debian

2012-11-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 692871 pending
Bug #692871 [mysql-server-5.5] mysql-server-5.5: Regression in privileges of 
mysql debian-sys-maint user
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
692871: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692871
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#618968: Do not use ffmpeg in netgen

2012-11-27 Thread Anton Gladky
Hi Christophe,

sorry, I don't get your point regarding these packages. The patch
completely removes ffmpeg from netgen, so the license issue can
be "solved" in this case.

Thanks,

Anton


2012/11/27 trophime :
> Hi,
> unless I'm wrong netgen requires the following package to have "ffmpeg"
> features : libswscale-dev, libavformat-dev, libavcodec-dev. None of
> these packages are concerned with the switch from ffmpeg to libav.
>
> I think there is no reason to apply this patch.
> Best
>
> C
>
>





Bug#618968: Do not use ffmpeg in netgen

2012-11-27 Thread trophime
On Tue, 2012-11-27 at 15:10 +0100, Anton Gladky wrote:
> Hi Christophe,
> 
> sorry, I don't get your point regarding these packages. The patch
> completely removes ffmpeg from netgen, so the license issue can
> be "solved" in this case.

netgen does not use ffmpeg as such. It uses libav libraries!
So from my point of view we do not need to disable "ffmpeg" feature in
netgen.

Get a look at the code... There is no use of ffmpeg.
C
> 
> Thanks,
> 
> Anton
> 
> 
> 2012/11/27 trophime :
> > Hi,
> > unless I'm wrong netgen requires the following package to have "ffmpeg"
> > features : libswscale-dev, libavformat-dev, libavcodec-dev. None of
> > these packages are concerned with the switch from ffmpeg to libav.
> >
> > I think there is no reason to apply this patch.
> > Best
> >
> > C
> >
> >





Bug#618968: Do not use ffmpeg in netgen

2012-11-27 Thread Anton Gladky
Well, there is a list of files in libav, which are also under
GPL-license [1]. I do not know, whether those files are used
for building.

Anton

[1] http://packages.debian.org/changelogs/pool/main/liba/libav/current/copyright

2012/11/27 trophime :
> libav





Bug#692791: members of lpadmin can read every file on server via cups

2012-11-27 Thread Marc Deslauriers
FYI, as a security fix for our stable releases in Ubuntu, we plan on
disabling cupsd.conf modification in the web interface entirely.
Attached is the patch we plan on using.

Marc.
Description: fix privilege escalation by disabling config file editing via
 the web interface
Author: Marc Deslauriers 
Forwarded: No
Bug: https://www.cups.org/str.php?L4223
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791

Index: cups-1.6.1/doc/help/policies.html
===
--- cups-1.6.1.orig/doc/help/policies.html	2012-11-27 09:16:17.608346696 -0500
+++ cups-1.6.1/doc/help/policies.html	2012-11-27 09:16:19.768346750 -0500
@@ -19,7 +19,7 @@
 Policies are stored in the cupsd.conf file in Policy sections. Each policy has an alphanumeric name that is used to select it. Inside the policy section are one or more Limit subsections which list the operations that are affected by the rules inside it. Listing 1 shows the default operation policy, appropriately called "default", that is shipped with CUPS.
 
-The easiest way to add a policy to the cupsd.conf file is to use the web interface. Click on the Administration tab and then the Edit Configuration File button to edit the current cupsd.conf file. Click on the Save Changes button to save the changes and restart the scheduler. If you edit the cupsd.conf file from the console, make sure to restart the cupsd process before trying to use the new policy.
+If you edit the cupsd.conf file from the console, make sure to restart the cupsd process before trying to use the new policy.
 
 
 Listing 1: Default Operation Policy
Index: cups-1.6.1/templates/admin.tmpl
===
--- cups-1.6.1.orig/templates/admin.tmpl	2012-11-27 09:16:19.740346750 -0500
+++ cups-1.6.1/templates/admin.tmpl	2012-11-27 09:16:19.772346751 -0500
@@ -28,7 +28,6 @@
 Server
 
 
-
 
 
 
Index: cups-1.6.1/cgi-bin/admin.c
===
--- cups-1.6.1.orig/cgi-bin/admin.c	2012-11-27 09:16:19.744346750 -0500
+++ cups-1.6.1/cgi-bin/admin.c	2012-11-27 09:16:34.236347121 -0500
@@ -1880,6 +1880,7 @@
 
 cgiEndHTML();
   }
+#if 0 /* Disabled to fix CVE-2012-5519 security issue */
   else if (cgiGetVariable("SAVECHANGES") && cgiGetVariable("CUPSDCONF"))
   {
/*
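Review bot: The comment on the "#if 0" names only the CVE, so a later reader of admin.c cannot tell that the whole web configuration editor was switched off on purpose, or what the administrator is expected to do instead. Say in the comment that saving cupsd.conf through the web interface is disabled and the file must be edited on the console (matching the policies.html change), and consider a named build-time guard rather than a bare "#if 0" so the decision stays visible to whoever rebases this patch.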
@@ -2124,6 +2125,7 @@
 
 cgiEndHTML();
   }
+#endif
 }
 
 
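Review bot: With the "#endif" placed directly before the function's closing brace, everything from the SAVECHANGES branch to the end of the function is compiled out, so a request that does not match the earlier branch now returns without emitting any page. Legitimate users should no longer get there once the template change is applied, but stale pages and hand-built requests will; a final else that prints an explicit "configuration editing is disabled" error page, and logs the attempt, would be safer than an empty response.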


Processed: block 693994 with 694164, block 687449 with 694164

2012-11-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> block 693994 with 694164
Bug #693994 [redmine] redmine: Missing dependency on rubygems | libruby1.9.1
693994 was not blocked by any bugs.
693994 was not blocking any bugs.
Added blocking bug(s) of 693994: 694164
> block 687449 with 694164
Bug #687449 [redmine] redmine: postinst script terminates with negative exit 
status
687449 was not blocked by any bugs.
687449 was not blocking any bugs.
Added blocking bug(s) of 687449: 694164
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
687449: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687449
693994: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693994
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#618968: Do not use ffmpeg in netgen

2012-11-27 Thread trophime
On Tue, 2012-11-27 at 15:25 +0100, Anton Gladky wrote:
> Well, there is a list of files in libav, which are also under
> GPL-license [1]. I do not know, whether those files are used
> for building.
> 
> Anton
> 
> [1] 
> http://packages.debian.org/changelogs/pool/main/liba/libav/current/copyright
> 
> 2012/11/27 trophime :
> > libav

The files from libav used in netgen are :

#include 
#include 
#include 

It seems that only swscale.h is under GPL
The others are under LGPL.





Bug#618968: Do not use ffmpeg in netgen

2012-11-27 Thread Anton Gladky
From libswscale/swscale.h:

/*
 * Copyright (C) 2001-2003 Michael Niedermayer 
 *
 * This file is part of Libav.
 *
 * Libav is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

http://anonscm.debian.org/gitweb/?p=pkg-multimedia/libav.git;a=blob;f=libswscale/swscale.h;h=b5a6a576817c8022d3ba4e10375a9480eb95c7be;hb=HEAD

Is it ok to close the bug?

Thanks,

Anton


2012/11/27 trophime :
> wscale.h





Bug#692129: Preliminar patch, test needed

2012-11-27 Thread Isaac Connor


Works good for me. Thank-you!

On 12-11-27 03:48 AM, René Mayrhofer wrote:

On 2012-11-24 19:12, Maximiliano Curia wrote:

The bug seems to be recognized by upstream but there seems to be no work going
on towards a fix. I've prepared a preliminary patch, but I can't test it right
now, if you can reproduce it, please test the patch and let me know of the
results.

I'll try to contact upstream and ask for their input.

If you want to test these packages you can use the packages published in:
http://maxy.com.ar/debian

Or you can use the attached patch and apply it to the pptpd package.

Thanks for the patch! I would like to get this fixed, but will
realistically be unable to test it myself due to "real life
constraints"... If anybody can test it in a different setting to verify
that it fixes the bugs and doesn't break other cases, I am happy to do
an upload.

best regards,
Rene







Bug#618968: Do not use ffmpeg in netgen

2012-11-27 Thread trophime
On Tue, 2012-11-27 at 15:59 +0100, Anton Gladky wrote:
> From libswscale/swscale.h:
> 
> /*
>  * Copyright (C) 2001-2003 Michael Niedermayer 
>  *
>  * This file is part of Libav.
>  *
>  * Libav is free software; you can redistribute it and/or
>  * modify it under the terms of the GNU Lesser General Public
>  * License as published by the Free Software Foundation; either
>  * version 2.1 of the License, or (at your option) any later version.
>  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 
> USA
>  */
> 
> http://anonscm.debian.org/gitweb/?p=pkg-multimedia/libav.git;a=blob;f=libswscale/swscale.h;h=b5a6a576817c8022d3ba4e10375a9480eb95c7be;hb=HEAD
> 
> Is it ok to close the bug?

For me it's ok to close it

Best
C
> 
> Thanks,
> 
> Anton
> 
> 
> 2012/11/27 trophime :
> > wscale.h





Processed: severity of 694520 is important

2012-11-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 694520 important
Bug #694520 [chocolate-doom] chocolate-doom: there are no humans in 
Maintainer:/Uploaders: fields
Severity set to 'important' from 'serious'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
694520: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694520
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#694277: marked as done (missing: Breaks+Replaces: gsoap (<< 2.7.17))

2012-11-27 Thread Debian Bug Tracking System
Your message dated Tue, 27 Nov 2012 15:32:50 +
with message-id 
and subject line Bug#694277: fixed in gsoap 2.8.7-2
has caused the Debian Bug report #694277,
regarding missing: Breaks+Replaces: gsoap (<< 2.7.17)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
694277: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694277
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gsoap-doc
Version: 2.7.17-1
Severity: serious
User: trei...@debian.org
Usertags: edos-file-overwrite

Architecture: amd64
Distribution: squeeze->wheezy (partial) upgrade

Hi,

automatic installation tests of packages that share a file and at the
same time do not conflict by their package dependency relationships has
detected the following problem:

  Selecting previously deselected package gsoap.
  (Reading database ... 6286 files and directories currently installed.)
  Unpacking gsoap (from .../gsoap_2.7.9l-0.2_amd64.deb) ...
  Setting up gsoap (2.7.9l-0.2) ...

  Selecting previously deselected package gsoap-doc.
  Unpacking gsoap-doc (from .../gsoap-doc_2.8.7-1_all.deb) ...
  dpkg: error processing /var/cache/apt/archives/gsoap-doc_2.8.7-1_all.deb 
(--unpack):
   trying to overwrite '/usr/share/doc-base/gsoap', which is also in package 
gsoap 2.7.9l-0.2


This is a serious bug as it makes installation/upgrade fail, and
violates sections 7.6.1 and 10.1 of the policy.

As this problem can be demonstrated during partial upgrades from squeeze
to wheezy (but not within squeeze or wheezy itself), this indicates a
missing or insufficiently versioned Replaces+Breaks relationship.
But since this particular upgrade ordering is not forbidden by any
dependency relationship, it is possible that apt (or $PACKAGE_MANAGER)
will use this erroneous path on squeeze->wheezy upgrades.

Here is a list of files that are known to be shared by both packages
(according to the Contents files for squeeze and wheezy on amd64, which
may be slightly out of sync):

  usr/share/doc-base/gsoap


It looks like gsoap-doc was split from gsoap in 2.7.17-1

The following relationships are currently defined:

  Package:   gsoap-doc
  Conflicts: n/a
  Breaks:    n/a
  Replaces:  n/a

The following relationships should be added for a clean takeover of
these files
(http://www.debian.org/doc/debian-policy/ch-relationships.html#s-replaces):

  Package:  gsoap-doc
  Breaks:   gsoap (<< 2.7.17)
  Replaces: gsoap (<< 2.7.17)


Cheers,

Andreas

PS: for more information about the detection of file overwrite errors
of this kind see http://edos.debian.net/file-overwrites/.


gsoap=2.7.9l-0.2_gsoap-doc=2.8.7-1.log.gz
Description: GNU Zip compressed data
--- End Message ---
--- Begin Message ---
Source: gsoap
Source-Version: 2.8.7-2

We believe that the bug you reported is fixed in the latest version of
gsoap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 694...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattias Ellert  (supplier of updated gsoap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Tue, 27 Nov 2012 14:42:31 +0100
Source: gsoap
Binary: libgsoap2 gsoap gsoap-doc gsoap-dbg
Architecture: source amd64 all
Version: 2.8.7-2
Distribution: unstable
Urgency: low
Maintainer: Mattias Ellert 
Changed-By: Mattias Ellert 
Description: 
 gsoap  - Development libraries and stub generators for gSOAP
 gsoap-dbg  - Debugging symbols for gSOAP
 gsoap-doc  - gSOAP documentation
 libgsoap2  - Runtime libraries for gSOAP
Closes: 694277
Changes: 
 gsoap (2.8.7-2) unstable; urgency=low
 .
   * Add missing Replaces/Breaks (Closes: #694277)

Bug#694392: marked as done (globus-common-progs: missing Breaks+Replaces: grid-packaging-tools (<< 3.5))

2012-11-27 Thread Debian Bug Tracking System
Your message dated Tue, 27 Nov 2012 15:32:37 +
with message-id 
and subject line Bug#694392: fixed in globus-common 14.7-2
has caused the Debian Bug report #694392,
regarding globus-common-progs: missing Breaks+Replaces: grid-packaging-tools 
(<< 3.5)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
694392: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694392
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: globus-common-progs
Version: 14.6-1
Severity: serious
User: trei...@debian.org
Usertags: edos-file-overwrite

Architecture: amd64
Distribution: squeeze->wheezy (partial) upgrade

Hi,

automatic installation tests of packages that share a file and at the
same time do not conflict by their package dependency relationships has
detected the following problem:

  Selecting previously deselected package grid-packaging-tools.
  Unpacking grid-packaging-tools (from 
.../grid-packaging-tools_3.2globus2-5_all.deb) ...

  Setting up grid-packaging-tools (3.2globus2-5) ...

  Selecting previously deselected package globus-common-progs.
  Unpacking globus-common-progs (from .../globus-common-progs_14.6-1_amd64.deb) 
...
  dpkg: error processing 
/var/cache/apt/archives/globus-common-progs_14.6-1_amd64.deb (--unpack):
   trying to overwrite '/usr/share/globus/config.guess', which is also in 
package grid-packaging-tools 3.2globus2-5


This is a serious bug as it makes installation/upgrade fail, and
violates sections 7.6.1 and 10.1 of the policy.

As this problem can be demonstrated during partial upgrades from squeeze
to wheezy (but not within squeeze or wheezy itself), this indicates a
missing or insufficiently versioned Replaces+Breaks relationship.
But since this particular upgrade ordering is not forbidden by any
dependency relationship, it is possible that apt (or $PACKAGE_MANAGER)
will use this erroneous path on squeeze->wheezy upgrades.

Here is a list of files that are known to be shared by both packages
(according to the Contents files for squeeze and wheezy on amd64, which
may be slightly out of sync):

usr/share/globus/config.guess

In grid-packaging-tools 3.5-1 this was renamed to
usr/share/globus/gpt/config.guess, removing the file conflict.


The following relationships are currently defined:

  Package:   globus-common-progs
  Conflicts: globus-openssl-progs (<< 6)
  Breaks:    n/a
  Replaces:  globus-openssl-progs (<< 6)

The following relationships should be added for a clean takeover of
these files
(http://www.debian.org/doc/debian-policy/ch-relationships.html#s-replaces):

  Package:  globus-common-progs
  Breaks:   grid-packaging-tools (<< 3.5)
  Replaces: grid-packaging-tools (<< 3.5)


Cheers,

Andreas

PS: for more information about the detection of file overwrite errors
of this kind see http://edos.debian.net/file-overwrites/.
--- End Message ---
--- Begin Message ---
Source: globus-common
Source-Version: 14.7-2

We believe that the bug you reported is fixed in the latest version of
globus-common, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 694...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattias Ellert  (supplier of updated globus-common 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Tue, 27 Nov 2012 13:38:18 +0100
Source: globus-common
Binary: libglobus-common0 globus-common-progs libglobus-common-dev 
libglobus-common-doc globus-common-dbg
Architecture: source amd64 all
Version: 14.7-2
Distribution: unstable
Urgency: low
Maintainer: Mattias Ellert 
Changed-By: Mattias Ellert 
Description: 
 globus-common-dbg - Globus Toolkit - Common Library Debug Symbols
 globus-common-progs - Globus Toolkit - Common Library Programs
 libglobus-common-dev - Globus Toolkit - Common Library Development Files
 libglobus-common-doc - Globus Toolkit - Common Library Documentation Files
 libglobus-common0 - Globus Toolkit - Common Library
Closes: 694392
Changes: 
 globus-common (14.7-2) unstable; urgency=low
 .
   * Add missing Replaces/Breaks (Closes: #694392)
Checksums-Sha1: 
 808fa4d139126c7680b137c79a93bd3c7f6a348f 2311 globus-common_14.7-2.dsc
 760969044c891144332232691a7be

Bug#688634: roundcube-sqlite upgrade causes serious data-loss

2012-11-27 Thread Roger Lynn
On 24/11/2012 15:03, Dominik George wrote:
>> I have asked people that did successfully upgrade real sqlite database to
>> MySQL if they could provide directions or a script but they don't
>> remember how they did it exactly. If nobody can come up with a script,
>> we will just have to put a note in the release notes about this. I
>> personally don't think that there are large installations using SQLite
>> databases.
> 
> Honestly, I think making a release note out of it is the way to go. Admins 
> should be capable of migrating the data themselves.

I installed the sqlite version of Roundcube at work because I don't
understand databases (we are too small to employ a sysadmin, and if we did
we would probably end up with a Windows server). At the rate things are
going my (20) users are going to lose data and I wish I had installed
Squirrelmail as I did at home.

Roger





Bug#693744: Can't install libvirt0

2012-11-27 Thread Leonardo Serra
Hi,

I can't install libvirt0:

server:~# aptitude install libvirt0
The following NEW packages will be installed:
  libnetcf1{ab} libnl1{a} libvirt0
0 packages upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 2270 kB/2324 kB of archives. After unpacking 4417 kB will be
used.
The following packages have unmet dependencies:
 libnetcf1 : Conflicts: libvirt0 (<= 0.10.1-2~) but 0.9.12-5 is to be
installed.
The following actions will resolve these dependencies:

 Keep the following packages at their current version:
1) libvirt0 [Not Installed]

I believe this is a RC bug!

Thanks,
leoserra





Bug#688634: roundcube-sqlite upgrade causes serious data-loss

2012-11-27 Thread Dominik George
> I installed the sqlite version of Roundcube at work because I don't
> understand databases (we are too small to employ a sysadmin, and if we did
> we would probably end up with a Windows server). At the rate things are
> going my (20) users are going to lose data and I wish I had installed
> Squirrelmail as I did at home.

You could ask for help on one of the forums or mailing lists. Dumping 
SQLite and inserting into MySQL is trivial, so you should be going within 
no time.

Again, the BTS is for reporting technical issues, not a support forum.

-nik





Processed: Re: Bug#694262: icinga-web: includes sourceless swf files

2012-11-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 694262 serious
Bug #694262 [icinga-web] icinga-web: includes sourceless swf files
Severity set to 'serious' from 'normal'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
694262: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694262
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: severity of 694537 is serious

2012-11-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # [17:16] < Maulkin> carnil: Looks like it's RC to me. Please file a bug with 
> a debdiff against testing requesting a t-p-u upload permission
> severity 694537 serious
Bug #694537 [libio-prompt-perl] libio-prompt-perl: Version of IO::Prompt in 
wheezy dies if you call prompt() in non-"main" package
Severity set to 'serious' from 'important'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
694537: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694537
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#690128: inn2: conffile disappearing during squeeze->wheezy upgrade: /etc/news/motd.news

2012-11-27 Thread Nick Leverton
I've prepared a fix for this along the lines I suggested.  It proved
awkward to choose between mv_conffile and rm_conffile due to the
multi-stage nature of maintainer scripts, so I ended up using rm_conffile
and inserting some code in the postinst script to capture the dpkg-bak
file and rename it in the event that it had been modified.

If anyone would care to review and perhaps upload it, the dsc is at
http://mentors.debian.net/debian/pool/main/i/inn2/inn2_2.5.3-1.1.dsc
I am happy to deal with the unblock etc but would appreciate sponsoring
for the upload.  Failing that I shall go bother Mentors as usual :-)

Nick





Bug#694486: lib/LWP/Authen/Wsse.pm uses Digest::SHA1

2012-11-27 Thread Salvatore Bonaccorso
Control: tags -1 + pending

Hi

On Mon, Nov 26, 2012 at 08:50:34PM +0100, Ansgar Burchardt wrote:
> Package: liblwp-authen-wsse-perl
> Version: 0.05-1
> Severity: serious
> 
> lib/LWP/Authen/Wsse.pm uses Digest::SHA1 which is no longer in Debian.
> It should use Digest::SHA instead which is part of the core modules
> included with the perl interpreter since 5.10.
> 
> In most cases just replacing Digest::SHA1 by Digest::SHA should be
> enough.  Also change Digest/SHA1.pm to Digest/SHA.pm.

The attached patch should solve #694486. But I have not yet pushed
the changes to git.

Salvatore
From 384e1f6b6b5d4fd2aeb68becefabeda998f9beb5 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso 
Date: Tue, 27 Nov 2012 17:36:57 +0100
Subject: [PATCH] Use Digest::SHA instead of Digest::SHA1

libdigest-sha1-perl package was removed from Debian. Digest::SHA is part
of Perl core modules included with the perl interpreter since 5.10.

Thanks: Ansgar Burchardt 
Closes: #694486
---
 lib/LWP/Authen/Wsse.pm |6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/LWP/Authen/Wsse.pm b/lib/LWP/Authen/Wsse.pm
index a5d9046..bb26283 100644
--- a/lib/LWP/Authen/Wsse.pm
+++ b/lib/LWP/Authen/Wsse.pm
@@ -6,7 +6,7 @@ use English qw( -no_match_vars );
 
 $LWP::Authen::Wsse::VERSION = '0.05';
 
-use Digest::SHA1 ();
+use Digest::SHA  ();
 use MIME::Base64 ();
 
 =head1 NAME
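Review bot: the diffstat lists only lib/LWP/Authen/Wsse.pm, so after this `use` line changes the module's declared prerequisite still names Digest::SHA1. The bug report also asks to change Digest/SHA1.pm to Digest/SHA.pm; update the place where the prerequisite is declared and drop the package dependency on libdigest-sha1-perl in the same commit, so the build no longer asks for the removed module.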
@@ -75,7 +75,7 @@ sub authenticate {
 my $nonce = $class->make_nonce;
 my $nonce_enc = MIME::Base64::encode_base64( $nonce, WITHOUT_LINEBREAK );
 my $digest= MIME::Base64::encode_base64(
-Digest::SHA1::sha1( $nonce . $now . $pass ), WITHOUT_LINEBREAK
+Digest::SHA::sha1( $nonce . $now . $pass ), WITHOUT_LINEBREAK
 );
 
 my $auth_header = ( $proxy ? 'Proxy-Authorization' : 'Authorization' );
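Review bot: in the `$digest` assignment the call has to keep returning the raw 20-byte digest, because its result goes straight into encode_base64. Digest::SHA::sha1 does return raw bytes, so the header value is unchanged, but a regression test that pins the base64 digest for a fixed nonce, timestamp and password would make that explicit. Staying on SHA-1 is correct here: the WSSE password digest is defined over SHA-1, so an algorithm change does not belong in this patch.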
@@ -114,7 +114,7 @@ sub authenticate {
 }
 
 sub make_nonce {
-Digest::SHA1::sha1( time() . {} . rand() . $PID );
+Digest::SHA::sha1( time() . {} . rand() . $PID );
 }
 
 sub now_w3cdtf {
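Review bot: make_nonce still derives the nonce from time(), the stringified address of `{}`, rand() and $PID, all of which are guessable or low-entropy, and hashing them with SHA-1 adds no unpredictability. That predates this patch and is reasonable to leave out of an RC fix, but it deserves a follow-up that takes the nonce from the system random source.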
-- 
1.7.10.4





Processed: Re: Bug#694486: lib/LWP/Authen/Wsse.pm uses Digest::SHA1

2012-11-27 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #694486 [liblwp-authen-wsse-perl] lib/LWP/Authen/Wsse.pm uses Digest::SHA1
Added tag(s) pending.

-- 
694486: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694486
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#693283: marked as done (mantis: CVE-2012-5522 CVE-2023-5523)

2012-11-27 Thread Debian Bug Tracking System
Your message dated Tue, 27 Nov 2012 17:17:44 +
with message-id 
and subject line Bug#693283: fixed in mantis 1.2.11-1.2
has caused the Debian Bug report #693283,
regarding mantis: CVE-2012-5522 CVE-2023-5523
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
693283: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693283
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mantis
Severity: grave
Tags: security
Justification: user security hole

Please see here:
http://www.openwall.com/lists/oss-security/2012/11/13/8

Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Source: mantis
Source-Version: 1.2.11-1.2

We believe that the bug you reported is fixed in the latest version of
mantis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 693...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Richter  (supplier of updated mantis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Sat, 24 Nov 2012 18:04:54 +
Source: mantis
Binary: mantis
Architecture: source all
Version: 1.2.11-1.2
Distribution: unstable
Urgency: high
Maintainer: Michael Banck 
Changed-By: Simon Richter 
Description: 
 mantis - web-based bug tracking system
Closes: 693283
Changes: 
 mantis (1.2.11-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Refresh quilt patches
   * Fix two CVEs (Closes: #693283)
 - CVE-2012-5522
 - CVS-2012-5523

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlCw+68ACgkQmHaJYZ7RAb8mvgCfQrNPH9FlQWfmLksMwV8Iy/+t
8q8An0VRZ8dHckak4ba9FbjC07kYmEs0
=XXa/
-END PGP SIGNATURE-
--- End Message ---


Bug#694554: Installation fails on ARM - config script fails

2012-11-27 Thread Dominique Lasserre
Package: apt-build
Version: 0.12.42
Severity: grave
thanks

Hi,

if the string "processor" was not found in /proc/cpuinfo, package
(pre)configuration will fail (e.g. on ARM).
This bug was introduced with apt-build 0.12.42.

This is caused by grep (in config script) which properly returns "0" (-c
switch) but, because it didn't find anything, returns a non-zero exit code
-> maintainer script fails.


Regards
Dominique




Bug#692979: Bug#693002: libimager-perl: breaks libimager-qrcode-perl

2012-11-27 Thread gregor herrmann
On Fri, 16 Nov 2012 23:00:49 +0200, Niko Tyni wrote:

> > Think about it this way: without versioned depends, there is nothing
> > to resolve the brokenness for users with squeeze's libimager-perl
> > 0.75-1 that have somehow installed libimager-qrcode-perl 0.0333-1.
> FWIW, that isn't really possible as there's a major version upgrade of perl
> itself between squeeze and wheezy. The squeeze version of libimager-perl
> depends on perlapi-5.10.1, while the wheezy version of libimager-qrcode-perl
> depends on perlapi-5.14.2, and those aren't coinstallable.

Oh, that's a good point, and I've missed it so far.
Thanks!
 
> My humble opinion is that binNMUing libimager-qrcode-perl (with
> proper dep-waits) would be the minimal action to solve the RC part of
> this issue, as the sid and wheezy versions of libimager-perl have the
> same IMAGER_API_VERSION. No Breaks or versioned Build-Depends are needed
> for working upgrades from squeeze AFAICS.

Ack.
 
> If that course of action is chosen, it would be advisable to freeze
> libimager-perl in sid until the release, to ensure that any future
> builds of libimager-qrcode-perl don't get accidentally compiled
> with a wrong IMAGER_API_VERSION.

I've added a note to d/changelog in git.
 
> If we want protection for upgrades from wheezy/sid, the next smallest
> fix would need AFAICS
>  - a sourceful upload of libimager-qrcode-perl 0.033-2 that Depends
>and Build-Depends on libimager-perl (>= 0.90+dfsg) or something like that
>  - a tpu upload of libimager-perl 0.91+dfsg-3 that Breaks
>libimager-qrcode-perl (<< 0.033-2)

Ack.
IMO that's a slight overkill.
 
> The tpu upload could be avoided by reverting libimager-perl to
> 0.91+dfsg in sid, either with an epoch or a mangled version number
> (0.93+dfsg+is+0.91+dfsg or whatever.)

Ouch :)
 
> In any case, after the release, I think a proper dependency system
> should be implemented like in the libdbi-perl case, and appropriate
> Breaks should be added against the wheezy versions.

Totally.
 
> If there are no thinkos above (somebody please check it :),
> I think it's the release team that should make the call.

Right.
I've now filed a binNMU bug report pointing to our discussions here,
so we'll hear from them, I guess.


Cheers,
gregor
 
-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Beatles




Bug#694557: APT paths aren't built properly

2012-11-27 Thread Dominique Lasserre
Package: apt-build
Priority: serious
thanks

Hi,

apt-config is used to join APT paths. But it is not used properly. Each
"item" is joined together:
 eval $(apt-config shell etcdir Dir::Etc)
 eval $(apt-config shell sourceslist Dir::Etc::sourcelist)
 eval $(apt-config shell sourcesparts Dir::Etc::sourceparts)
...
 ... /"$etcdir""$sourceslist" /"$etcdir""$sourcesparts"/*.list ...

This will work in most cases but if the config value is not relative (or
if rootdir DIR was changed manually), this will produce unexpected paths.

Example: If Dir::Etc::sourcelist is set to "/foobar.list" with current
join method this will result in "/etc//foobar.list" which is of course
*not* "/foobar.list" -> APT does not find source entry of apt-build ->
installation of packages built with apt-build isn't possible.

Solution: Use apt-config properly (with /f or /d suffix to build paths).


Regards
Dominique




Bug#693885: marked as done (src:mathgl: non-free files in main (GFDL with Back/Front Cover Text))

2012-11-27 Thread Debian Bug Tracking System
Your message dated Tue, 27 Nov 2012 18:47:56 +
with message-id 
and subject line Bug#693885: fixed in mathgl 1.11.2-15
has caused the Debian Bug report #693885,
regarding src:mathgl: non-free files in main (GFDL with Back/Front Cover Text)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
693885: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693885
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mathgl
Version: 1.11.2-14
Severity: serious
Control: found -1 2~rc1-3

Files: texinfo/*
Copyright: (C) 2008 Alexey Balakin 
License: GFDL-1.2+
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.2 or
 any later version published by the Free Software Foundation; with no
 Invariant Sections, with the Front-Cover Texts being ``A GNU Manual,''
 and with the Back-Cover Texts as in (a) below.  A copy of the
 license is included in the section entitled ``GNU Free Documentation
 License.''
 (a) The FSF's Back-Cover Text is: ``You have the freedom to
 copy and modify this GNU manual.  Buying copies from the FSF
 supports it in developing GNU and promoting software freedom.''

The GFDL is only free without Invariant Sections and without Front- and
Back-Cover Texts.

Ansgar
--- End Message ---
--- Begin Message ---
Source: mathgl
Source-Version: 1.11.2-15

We believe that the bug you reported is fixed in the latest version of
mathgl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 693...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dimitrios Eftaxiopoulos  (supplier of updated mathgl 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Fri, 23 Nov 2012 21:59:35 +0200
Source: mathgl
Binary: mathgl mathgl-doc-en mathgl-doc-ru libmgl5 libmgl-data libmgl-dev 
libmgl-fltk5 libmgl-qt5 libmgl-wx5 libmgl-glut5 python-mathgl
Architecture: source amd64 all
Version: 1.11.2-15
Distribution: unstable
Urgency: low
Maintainer: Debian Science Maintainers 

Changed-By: Dimitrios Eftaxiopoulos 
Description: 
 libmgl-data - library for scientific graphs. (data files)
 libmgl-dev - library for scientific graphs. (development files)
 libmgl-fltk5 - library for scientific graphs. (FLTK runtime library)
 libmgl-glut5 - library for scientific graphs. (GLUT runtime library)
 libmgl-qt5 - library for scientific graphs. (Qt runtime library)
 libmgl-wx5 - library for scientific graphs. (wxWidgets runtime library)
 libmgl5- library for scientific graphs. (main runtime library)
 mathgl - library for scientific graphs. (utlities and examples)
 mathgl-doc-en - library for scientific graphs. (English documentation)
 mathgl-doc-ru - library for scientific graphs. (Russian documentation)
 python-mathgl - library for scientific graphs. (Python module)
Closes: 693885
Changes: 
 mathgl (1.11.2-15) unstable; urgency=low
 .
   * Change debian/copyright file such that the license of the documentation
 files included in the upstream source texinfo directory, becomes free
 (Closes: #693885).

Bug#618968: Do not use ffmpeg in netgen

2012-11-27 Thread Anton Gladky
tags 618968 - patch + moreinfo
thanks

Francesco, could you, please, verify, whether the bug can be
closed?

Thanks,

Anton





Processed: Re: Bug#618968: Do not use ffmpeg in netgen

2012-11-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 618968 - patch + moreinfo
Bug #618968 [netgen] netgen: links with both GPL-licensed and GPL-incompatible 
libraries
Removed tag(s) patch.
Bug #618968 [netgen] netgen: links with both GPL-licensed and GPL-incompatible 
libraries
Added tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
618968: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618968
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#686846: Bug#686845: upgrade fails when using sympa with sqlite3

2012-11-27 Thread Emmanuel Bouthenot
On Sun, Nov 25, 2012 at 12:26:56PM +0100, Roland Stigge wrote:
[...]

> can you please post your patch? When it's lacking testing, we can
> possibly help here.

The fix is committed on top of the master branch in git repository:

git clone git://anonscm.debian.org/collab-maint/sympa.git

I will be glad to get some feedback before pushing this fix in
unstable.

If you want to test, a dsc is available here:

http://debian.openics.org/tmp/sympa_6.1.11~dfsg-5~local0.dsc

A binary package for amd64 is also available:

http://debian.openics.org/tmp/sympa_6.1.11~dfsg-5~local0_amd64.deb


Thanks in advance,

Regards,

M.

-- 
Emmanuel Bouthenot
  mail: kolter@{openics,debian}.org  gpg: 4096R/0x929D42C3
  xmpp: kol...@im.openics.org  irc: kolter@{freenode,oftc}





Bug#694323: [gsfonts] Fonts include copyrighted adobe fragment all right reserved

2012-11-27 Thread Frank Kuester
Hi Bastien, hi Norbert,

Norbert Preining  writes:

>> The Debian orig.tar.gz doesn't seem to contain the source archive's
>> contents.  I'm not familiar with font generation, but it seems to me
>> that, in order to be able to generate corrected Type1 files with a fixed
>> fontforge version, we would need the contents of lm2.003.mt1.zip, e.g.:
>
> It is not a question of fontforge... The lines mentioned come from
>   pfcommon.dat
> which was inherited from metatype1.

If this is right, then it is wrong to block the bug by the fontforge
bug, isn't it?  Bastien, I'm not sure enough about this to remove the
blocking myself, please do it.

>> Does that mean we have one more RC bug, namely that the sources are
>> incomplete?  debian/copyright says:
>
> No. I don't consider the metatype sources necessary, because afterwards
> the fonts went through manual hinting and fixing.

How is that done?  I thought it was done with fontforge scripts - I
understand this is not the case?  Did they really open the font files in
interactive fontforge, adjust and save?

Regards, Frank





Processed (with 1 errors): Re: local mail spool still unaccessible with evo 3.4.4.-1

2012-11-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 640851 serious
Bug #640851 [evolution] evolution: local mail files no longer accessible
Severity set to 'serious' from 'important'
> merge 640851 679347
Bug #640851 [evolution] evolution: local mail files no longer accessible
Unable to merge bugs because:
forwarded of #679347 is 'https://bugzilla.gnome.org/show_bug.cgi?id=679017' not 
''
severity of #679347 is 'important' not 'serious'
Failed to merge 640851: Did not alter merged bugs
Debbugs::Control::set_merged('transcript', 'GLOB(0x104ece8)', 
'requester', 'Svante Signell ', 'request_addr', 
'cont...@bugs.debian.org', 'request_msgid', 
'<1354047099.363.199.ca...@hp.my.own.domain>', 'request_subject', ...) called 
at /usr/local/lib/site_perl/Debbugs/Control/Service.pm line 537
eval {...} called at 
/usr/local/lib/site_perl/Debbugs/Control/Service.pm line 536
Debbugs::Control::Service::control_line('line', 'merge 640851 679347', 
'clonebugs', 'HASH(0x1a2dbf8)', 'limit', 'HASH(0x1a2d5e0)', 
'common_control_options', 'ARRAY(0x1a2d628)', 'errors', ...) called at 
/usr/lib/debbugs/service line 474

> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
640851: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640851
679347: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679347
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: forcemerge Re: local mail spool still unaccessible with evo 3.4.4.-1

2012-11-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> forcemerge 640851 679347
Bug #640851 [evolution] evolution: local mail files no longer accessible
Bug #640851 [evolution] evolution: local mail files no longer accessible
Added tag(s) fixed-upstream.
Bug #679347 [evolution] regression: 3.4 broke spool mbox file accounts
Unset Bug forwarded-to-address
Severity set to 'serious' from 'important'
Marked as found in versions evolution/3.4.4-1 and evolution/3.0.3-1.
Merged 640851 679347
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
640851: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640851
679347: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679347
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#692791: members of lpadmin can read every file on server via cups

2012-11-27 Thread Didier 'OdyX' Raboud
On Tuesday, 27 November 2012 15.30:46, Marc Deslauriers wrote:
> FYI, as a security fix for our stable releases in Ubuntu, we plan on
> disabling cupsd.conf modification in the web interface entirely.
> Attached is the patch we plan on using.

Hi Marc,

while testing your patch I noticed it was not masking the "Edit Configuration 
File" input button in all locales (found in templates/*/admin.tmpl in 1.5.3).

Updated patch is attached.

Cheers,

OdyX
Description: fix privilege escalation by disabling config file editing via
 the web interface
Author: Marc Deslauriers 
Forwarded: No
Bug: https://www.cups.org/str.php?L4223
Bug-Debian: http://bugs.debian.org/692791

--- a/doc/help/policies.html
+++ b/doc/help/policies.html
@@ -19,7 +19,7 @@
 Policies are stored in the cupsd.conf file in Policy sections. Each policy has an alphanumeric name that is used to select it. Inside the policy section are one or more Limit subsections which list the operations that are affected by the rules inside it. Listing 1 shows the default operation policy, appropriately called "default", that is shipped with CUPS.
 
-The easiest way to add a policy to the cupsd.conf file is to use the web interface. Click on the Administration tab and then the Edit Configuration File button to edit the current cupsd.conf file. Click on the Save Changes button to save the changes and restart the scheduler. If you edit the cupsd.conf file from the console, make sure to restart the cupsd process before trying to use the new policy.
+If you edit the cupsd.conf file from the console, make sure to restart the cupsd process before trying to use the new policy.
 
 
 Listing 1: Default Operation Policy
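Review bot: the replacement sentence in policies.html keeps the conditional "If you edit the cupsd.conf file from the console", which read naturally only while the web interface was the alternative. With the button gone, state outright that cupsd.conf is edited on the console and that cupsd must be restarted afterwards, so the help text does not hint at an editing route that no longer exists.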
--- a/templates/admin.tmpl
+++ b/templates/admin.tmpl
@@ -28,7 +28,6 @@
 Server
 
 
-
 
 
 
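Review bot: the line dropped from templates/admin.tmpl only hides the entry point (the removed markup is not visible in this copy); the enforcement is the `#if 0` in cgi-bin/admin.c. Keep both changes in one patch, as done here, and say so in the Description, so that a partial backport cannot ship the template change without the CGI change.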
--- a/cgi-bin/admin.c
+++ b/cgi-bin/admin.c
@@ -1900,6 +1900,7 @@
 
 cgiEndHTML();
   }
+#if 0 /* Disabled to fix CVE-2012-5519 security issue */
   else if (cgiGetVariable("SAVECHANGES") && cgiGetVariable("CUPSDCONF"))
   {
/*
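Review bot: `#if 0` in front of the `else if (cgiGetVariable("SAVECHANGES") && cgiGetVariable("CUPSDCONF"))` branch leaves the save handler in the tree as dead code that a later merge can quietly re-enable. Either delete the branch or guard it with a named macro that defaults to off, and answer a request that still carries SAVECHANGES with an explicit error page so a stale form submission gets a clear refusal.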
@@ -2144,6 +2145,7 @@
 
 cgiEndHTML();
   }
+#endif
 }
 
 
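Review bot: the `#endif` sits directly before the function's closing brace, so everything from the `else if` to the end of the if/else chain is compiled out, including any final `else` that followed the save branch. Check that a plain request still reaches the earlier branch ending in cgiEndHTML() and that no path now returns without output; writing `#endif /* 0 */` would also make the pairing easier to follow, since the two directives are more than 200 lines apart.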
--- a/templates/de/admin.tmpl
+++ b/templates/de/admin.tmpl
@@ -28,7 +28,6 @@
 Server
 
 
-
 
 
 
--- a/templates/es/admin.tmpl
+++ b/templates/es/admin.tmpl
@@ -28,7 +28,6 @@
 Servidor
 
 
-
 
 
 
--- a/templates/eu/admin.tmpl
+++ b/templates/eu/admin.tmpl
@@ -28,7 +28,6 @@
 Zerbitzaria
 
 
-
 
 
 
--- a/templates/fr/admin.tmpl
+++ b/templates/fr/admin.tmpl
@@ -28,7 +28,6 @@
 Serveur
 
 
-
 
 
 
--- a/templates/hu/admin.tmpl
+++ b/templates/hu/admin.tmpl
@@ -32,7 +32,6 @@
 Kiszolgáló
 
 
-
 
 
 
--- a/templates/id/admin.tmpl
+++ b/templates/id/admin.tmpl
@@ -28,7 +28,6 @@
 Server
 
 
-
 
 
 
--- a/templates/it/admin.tmpl
+++ b/templates/it/admin.tmpl
@@ -28,7 +28,6 @@
 Server
 
 
-
 
 
 
--- a/templates/ja/admin.tmpl
+++ b/templates/ja/admin.tmpl
@@ -28,7 +28,6 @@
 サーバー
 
 
-
 
 
 
--- a/templates/pl/admin.tmpl
+++ b/templates/pl/admin.tmpl
@@ -28,7 +28,6 @@
 Serwery
 
 
-
 
 
 
--- a/templates/ru/admin.tmpl
+++ b/templates/ru/admin.tmpl
@@ -28,7 +28,6 @@
 Сервер
 
 
-
 
 
 
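Review bot: the same one-line removal is repeated by hand in ten localized copies, and the hu hunk applies at line 32 rather than 28, so the templates already differ from one another. The first version of this patch missed the localized files entirely; add a build-time check that no templates/*/admin.tmpl still offers the configuration editor, so a new or re-synced locale cannot bring the button back.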


Bug#692791: members of lpadmin can read every file on server via cups

2012-11-27 Thread Marc Deslauriers
On 12-11-27 03:51 PM, Didier 'OdyX' Raboud wrote:
> On Tuesday, 27 November 2012 15.30:46, Marc Deslauriers wrote:
>> FYI, as a security fix for our stable releases in Ubuntu, we plan on
>> disabling cupsd.conf modification in the web interface entirely.
>> Attached is the patch we plan on using.
> 
> Hi Marc,
> 
> while testing your patch I noticed it was not masking the "Edit Configuration 
> File" input button in all locales (found in templates/*/admin.tmpl in 1.5.3).
> 
> Updated patch is attached.
> 

Ah! thanks for that, I completely overlooked the localized template files.

Marc.





Bug#692295: RFS: couchdb/1.2.0-2.1 [NMU] [RC]

2012-11-27 Thread Laszlo Boszormenyi (GCS)
Hi Dominik,

On Tue, 2012-11-27 at 09:41 +0100, Dominik George wrote:
> Ask the person who wrote the RFS template generator. On the other hand, 
> it's the Debian community's package. Maybe it should say "my version xyz 
> of package foo". If you take any offence on this, I really pity you.
 I don't take it as an offence, I was just curious why you wrote it
as your package.

> > Why do you NMU immediately when I'm known for quick reply?
> First, because I can, second, because that's what the DDs at the BSP told 
> me to do.
 It's always friendly to ask the maintainer first, s/he may have other
things waiting in the queue and/or know a better way to achieve the same
goal.

> > Why do you ignore other fixes that I've mentioned to you in
> > my previous mail? That includes collation with RMs.
> You did not mention any fixes. You mentioned a pending upload. I thought 
> you were referring to the pending upload of 1.2.0-2 to *wheezy*, which 
> does not include any fix for the issue we are discussing.
 I gave you the URL to check and you noted that it doesn't fix the bug
you are referring to. To me, it looked like you checked the attached
diff before answering.
 There's no need to do an extra upload to make an already uploaded
version available in testing (Wheezy this time). A freeze exception is
enough from a release manager.

> How about being a bit more specific next time? I also find that you failed 
> to post any details of your fix to the BTS. Even though you may be known 
> for "quick reply", other parties might be interested in how to fix the 
> problem beforehand. You even may want testers for a patch before uploading 
> it. In any case, the BTS report log lacks any hint whatsoever about your 
> fix.
 ? Please check again #682172 [1], it contains details and attached diff
files. Sure, I'll CC everything next time to the relevant bugreports.

> > Anyway, I've included your patch in -3, even if I'm not convinced about
> > it. I think it would have been better to send HUP signal first, then
> > after a specified time send TERM signal to couchdb.
> 
> Abusing SIGHUP for shutdown in my opinion is a major violation of 
> well-established standards that should be discussed with upstream.
 As noted, it's not CouchDB upstream, but the Erlang VM. It does not
ignore SIGHUP itself, but inherits that mask from apt-get. The Erlang VM
actually doesn't have any possibility to change the signal ignorance
mask as far as I know. Thus even if I note it to upstream, it's a language
barrier and known already.

> In conclusion, Debian is a community-effort. I am very convinced that no 
> single person owns any part of it, so no single person should ever take 
> offence on someone else helping them.
 I agree on this. As a community effort, it needs coordination. You
missed to ask the maintainer first, that you've an RC bugfix, would s/he
upload soon or an NMU would be better after twenty-four hours. Instead,
you immediately ignored the maintainer and asked everyone for NMU
sponsorship. I asked questions to learn what I can do better next time
to prevent misunderstanding. It was you who make offence and even CC to
a closed bugreport.

>  If you had e-mailed your own patch 
> for the problem to the BTS right when you wrote it, also mentioning that 
> you are about to upload it, would have both solve the problem you see 
> *and* saved me and the fellows at the BSP quite a few hours of work.
 A discussion was going on in another bugreport and you were given the
URL of that. You are right that only when I've learnt you are working on
that issue. I had the presupposition that you'll check it and when you
replied that doesn't fix the issue, I thought you did.

> Please note that you posted your tiny little hint about some pending 
> upload only *after* you realized that we were doing work on the issue.
 I agree on this, I should have tagged the bug as pending. The little hint
about upload pending contained the URL with the attached diff and the
information release managers are involved in discussion.

> Please also realize that Frank and I spent almost two full days on the 
> issue, discussing with dpkg and apt developers and shell gurus all 
> possible ways of solving this issue in a way that does *not* violate 
> upstream's ideas of signal handling. Although you included the fix in the 
> end, and although you claim to be *quick* at it, please try to recognize 
> your fellow community members' work and also try to understand if they 
> like to get credits for it.
 I do note others' work in changelogs, see some quick examples[2][3][4].
About the SIGHUP change, you mentioned '[varacanero]', that I couldn't
parse. On the other hand, you are noted in couchdb_sighup.patch as it
was your work and I do honor it.

Regards,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682172
[2] http://packages.qa.debian.org/s/sqlite3/news/20120516T212014Z.html
[3] http://packages.qa.debian.org/p/python-eventlet/news/20121117T144838Z.html
[4
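
The inheritance described in the message above (an ignored SIGHUP passed from the process that starts the daemon down to the daemon itself) can be observed on Linux through the `SigIgn` mask in `/proc/<pid>/status`. This is an added example, not code from the thread or from the couchdb package; the function names are hypothetical. It also shows that a POSIX shell started with a signal already ignored cannot reset it with `trap -`.

```shell
#!/bin/sh
# Added example (hypothetical helper names): find out whether a process has
# inherited an ignored SIGHUP, using the SigIgn bitmask in /proc/<pid>/status.
# Linux only; SIGHUP is signal 1, i.e. the lowest bit of the mask.

# signal_ignored_in_mask MASK SIGNUM
# MASK is the hex string from the "SigIgn:" line. Bit (SIGNUM-1) set means the
# signal's disposition is SIG_IGN. Returns 0 if ignored, 1 if not.
signal_ignored_in_mask() {
    _mask=$1
    _sig=$2
    # Look at a single hex digit so the result does not depend on how the
    # shell handles 64-bit values with the top bit set.
    _nibble=$(( (_sig - 1) / 4 ))          # digit index, counted from the right
    _bit=$(( (_sig - 1) % 4 ))
    _pos=$(( ${#_mask} - _nibble ))        # 1-based position from the left
    [ "$_pos" -ge 1 ] || return 1
    _digit=$(printf '%s' "$_mask" | cut -c "$_pos")
    [ $(( (0x$_digit >> _bit) & 1 )) -eq 1 ]
}

# pid_ignores_signal PID SIGNUM
# Returns 0 if ignored, 1 if not, 2 if the status file could not be read.
pid_ignores_signal() {
    _m=$(sed -n 's/^SigIgn:[[:space:]]*//p' "/proc/$1/status" 2>/dev/null) || :
    [ -n "$_m" ] || return 2
    signal_ignored_in_mask "$_m" "$2"
}

# inherited_sighup_state [CHILD_PROLOGUE]
# A subshell ignores SIGHUP (standing in for the parent that starts the
# daemon) and then execs a fresh sh. CHILD_PROLOGUE runs inside that new
# shell before one of its children reports its own SigIgn mask.
# Prints "ignored", "default" or "unknown".
inherited_sighup_state() {
    _line=$( ( trap '' HUP
               exec sh -c "${1:-:}"'; grep "^SigIgn:" /proc/self/status' ) 2>/dev/null ) || :
    _m=$(printf '%s' "${_line#SigIgn:}" | tr -d '[:space:]')
    [ -n "$_m" ] || { echo unknown; return 2; }
    if signal_ignored_in_mask "$_m" 1; then echo ignored; else echo default; fi
}

if [ "${1:-}" = "--demo" ]; then
    echo "child of a SIGHUP-ignoring parent: $(inherited_sighup_state)"
    # POSIX: a signal ignored on entry to a non-interactive shell cannot be
    # trapped or reset, so the shell's own 'trap - HUP' changes nothing.
    echo "same child after 'trap - HUP':     $(inherited_sighup_state 'trap - HUP')"
fi
```

Against a running daemon, `pid_ignores_signal <pid> 1` answers the same question for the real process.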

Processed: tagging 694486

2012-11-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 694486 + patch
Bug #694486 [liblwp-authen-wsse-perl] lib/LWP/Authen/Wsse.pm uses Digest::SHA1
Added tag(s) patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
694486: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694486
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: tagging 694486

2012-11-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 694486 - pending
Bug #694486 [liblwp-authen-wsse-perl] lib/LWP/Authen/Wsse.pm uses Digest::SHA1
Removed tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
694486: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694486
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#692649: marked as done (trousers: CVE-2012-0698)

2012-11-27 Thread Debian Bug Tracking System
Your message dated Tue, 27 Nov 2012 21:47:05 +
with message-id 
and subject line Bug#692649: fixed in trousers 0.3.5-2+squeeze1
has caused the Debian Bug report #692649,
regarding trousers: CVE-2012-0698
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
692649: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692649
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: trousers
Severity: grave
Tags: security
Justification: user security hole

Please see here for details:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0698

Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Source: trousers
Source-Version: 0.3.5-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
trousers, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Chifflier  (supplier of updated trousers package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 08 Nov 2012 22:08:58 +0100
Source: trousers
Binary: trousers trousers-dbg libtspi1 libtspi-dev
Architecture: source amd64
Version: 0.3.5-2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian QA Group 
Changed-By: Pierre Chifflier 
Description: 
 libtspi-dev - open-source TCG Software Stack (development)
 libtspi1   - open-source TCG Software Stack (library)
 trousers   - open-source TCG Software Stack (daemon)
 trousers-dbg - open-source TCG Software Stack (debug)
Closes: 692649
Changes: 
 trousers (0.3.5-2+squeeze1) stable-security; urgency=high
 .
   * Fix crash when malformed packet is received (CVE-2012-0698)
 Closes: #692649

Bug#670405: ekiga: During start up segfault in `libopal.so.3.10.4`

2012-11-27 Thread Steven Chamberlain
On 03/11/12 17:43, Adam D. Barratt wrote:
> On Sat, 2012-11-03 at 02:43 -0400, Michael Gilbert wrote:
>> It distorts udd views.  I'm fixing that so we have a better view of
>> what really needs fixing:
>> http://udd.debian.org/bugs.cgi?release=wheezy_and_sid&merged=ign&done=only&fnewerval=7&rc=1&sortby=id&sorto=asc&ctags=1&cdeferred=1
> 
> That sounds like the query needs fixing. [...]

Also the PTS shows the RC bug count as zero, because it was closed in
some version.  This gave me the false impression this bug must have been
fixed.  But if it is not fixed in testing/unstable I would still call it
an RC bug.

Clicking on the "RC: 0" in the PTS, links to a page on the BTS listing
no RC bugs either.

I had no idea the ";dist=unstable" BTS view even existed until now (I
just found the combo box in the BTS search form, but it isn't labelled
or explained what its purpose is).


On the plus side, at least apt-listbugs still warns of this bug if
installing/upgrading the package.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org





Processed: bug 694486 is forwarded to http://rt.cpan.org/Public/Bug/Display.html?id=81488

2012-11-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> forwarded 694486 http://rt.cpan.org/Public/Bug/Display.html?id=81488
Bug #694486 [liblwp-authen-wsse-perl] lib/LWP/Authen/Wsse.pm uses Digest::SHA1
Set Bug forwarded-to-address to 
'http://rt.cpan.org/Public/Bug/Display.html?id=81488'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
694486: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694486
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#694288: marked as done (libsoprano-doc: missing Breaks+Replaces: libsoprano-dev (<< 2.6.0))

2012-11-27 Thread Debian Bug Tracking System
Your message dated Tue, 27 Nov 2012 22:03:10 +
with message-id 
and subject line Bug#694288: fixed in soprano 2.7.6+dfsg.1-2
has caused the Debian Bug report #694288,
regarding libsoprano-doc: missing Breaks+Replaces: libsoprano-dev (<< 2.6.0)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
694288: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694288
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libsoprano-doc
Version: 2.6.0+dfsg.1-1
Severity: serious
User: trei...@debian.org
Usertags: edos-file-overwrite

Architecture: amd64
Distribution: squeeze->wheezy (partial) upgrade

Hi,

automatic installation tests of packages that share a file and at the
same time do not conflict by their package dependency relationships has
detected the following problem:

  Selecting previously deselected package libsoprano-dev.
  Unpacking libsoprano-dev (from .../libsoprano-dev_2.5.0+dfsg.1-1_amd64.deb) 
...

  Setting up libsoprano-dev (2.5.0+dfsg.1-1) ...

  Selecting previously deselected package libsoprano-doc.
  (Reading database ... 7390 files and directories currently installed.)
  Unpacking libsoprano-doc (from .../libsoprano-doc_2.7.6+dfsg.1-1_all.deb) ...
  dpkg: error processing 
/var/cache/apt/archives/libsoprano-doc_2.7.6+dfsg.1-1_all.deb (--unpack):
   trying to overwrite '/usr/share/soprano/doc/soprano.tag', which is also in 
package libsoprano-dev 2.5.0+dfsg.1-1


This is a serious bug as it makes installation/upgrade fail, and
violates sections 7.6.1 and 10.1 of the policy.

As this problem can be demonstrated during partial upgrades from squeeze
to wheezy (but not within squeeze or wheezy itself), this indicates a
missing or insufficiently versioned Replaces+Breaks relationship.
But since this particular upgrade ordering is not forbidden by any
dependency relationship, it is possible that apt (or $PACKAGE_MANAGER)
will use this erroneous path on squeeze->wheezy upgrades.

Here is a list of files that are known to be shared by both packages
(according to the Contents files for squeeze and wheezy on amd64, which
may be slightly out of sync):

  usr/share/soprano/doc/soprano.tag

This file was moved around recently:

  soprano (2.6.0+dfsg.1-1) unstable; urgency=low 
   * Generate soprano.tag while building docs (patch
 doxyfile_generate_tagfile.diff) and install the file to libsoprano-doc
 (/usr/share/soprano/doc/) rather than libsoprano-dev.


The following relationships are currently defined:

  Package:   libsoprano-doc
  Conflicts: n/a 
  Breaks:n/a
  Replaces:  n/a

The following relationships should be added for a clean takeover of
these files
(http://www.debian.org/doc/debian-policy/ch-relationships.html#s-replaces):

  Package:  libsoprano-doc
  Breaks:   libsoprano-dev (<< 2.6.0)
  Replaces: libsoprano-dev (<< 2.6.0)


Cheers,

Andreas

PS: for more information about the detection of file overwrite errors
of this kind see http://edos.debian.net/file-overwrites/.


libsoprano-dev=2.5.0+dfsg.1-1_libsoprano-doc=2.7.6+dfsg.1-1.log.gz
Description: GNU Zip compressed data
--- End Message ---
--- Begin Message ---
Source: soprano
Source-Version: 2.7.6+dfsg.1-2

We believe that the bug you reported is fixed in the latest version of
soprano, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 694...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pino Toscano  (supplier of updated soprano package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Tue, 27 Nov 2012 22:34:19 +0100
Source: soprano
Binary: soprano-daemon libsoprano4 libsoprano-dev libsoprano-doc libsoprano-dbg
Architecture: source amd64 all
Version: 2.7.6+dfsg.1-2
Distribution: unstable
Urgency: low
Maintainer: Debian Qt/KDE Maintainers 
Changed-By: Pino Toscano 
Description: 
 libsoprano-dbg - debugging symbols for the Soprano RDF framework
 libsoprano-dev - development files for the Soprano RDF framework
 libsoprano-doc - developer documentation for the Soprano RDF framework
 libsoprano4 - libraries for the Soprano RDF framework
 soprano-daemon - daemon for the Soprano RDF framework
Closes: 694288
Changes: 
 soprano (2.7.6+dfsg.1-2)

Bug#694486: Pending fixes for bugs in the liblwp-authen-wsse-perl package

2012-11-27 Thread pkg-perl-maintainers
tag 694486 + pending
thanks

Some bugs in the liblwp-authen-wsse-perl package are closed in
revision 6eed5841e15de559e5d571584bd95902a201a7a1 in branch 'master'
by Salvatore Bonaccorso

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/liblwp-authen-wsse-perl.git;a=commitdiff;h=6eed584

Commit message:

Use Digest::SHA instead of Digest::SHA1

libdigest-sha1-perl package was removed from Debian. Digest::SHA is part
of Perl core modules included with the perl interpreter since 5.10.

Thanks: Ansgar Burchardt 
Closes: #694486





Processed: Pending fixes for bugs in the liblwp-authen-wsse-perl package

2012-11-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 694486 + pending
Bug #694486 [liblwp-authen-wsse-perl] lib/LWP/Authen/Wsse.pm uses Digest::SHA1
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
694486: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694486
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#692791: members of lpadmin can read every file on server via cups

2012-11-27 Thread Michael Sweet
Note: disabling the web interface is not enough, you also need to disable HTTP 
PUT in cupsd, which takes care of cupsctl too. However, since that also 
disables helpful things like changing the log level you might want to 
reconsider fixing things that way...


Sent from my iPad

On 2012-11-27, at 3:51 PM, Didier 'OdyX' Raboud  wrote:

> Le mardi, 27 novembre 2012 15.30:46, Marc Deslauriers a écrit :
>> FYI, as a security fix for our stable releases in Ubuntu, we plan on
>> disabling cupsd.conf modification in the web interface entirely.
>> Attached is the patch we plan on using.
> 
> Hi Marc,
> 
> while testing your patch I noticed it was not masking the "Edit Configuration 
> File" input button in all locales (found in templates/*/admin.tmpl in 1.5.3).
> 
> Updated patch is attached.
> 
> Cheers,
> 
> OdyX
> 





Bug#694486: marked as done (lib/LWP/Authen/Wsse.pm uses Digest::SHA1)

2012-11-27 Thread Debian Bug Tracking System
Your message dated Tue, 27 Nov 2012 22:18:13 +
with message-id 
and subject line Bug#694486: fixed in liblwp-authen-wsse-perl 0.05-2
has caused the Debian Bug report #694486,
regarding lib/LWP/Authen/Wsse.pm uses Digest::SHA1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
694486: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694486
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: liblwp-authen-wsse-perl
Version: 0.05-1
Severity: serious

lib/LWP/Authen/Wsse.pm uses Digest::SHA1 which is no longer in Debian.
It should use Digest::SHA instead which is part of the core modules
included with the perl interpreter since 5.10.

In most cases just replacing Digest::SHA1 by Digest::SHA should be
enough.  Also change Digest/SHA1.pm to Digest/SHA.pm.

Ansgar
--- End Message ---
--- Begin Message ---
Source: liblwp-authen-wsse-perl
Source-Version: 0.05-2

We believe that the bug you reported is fixed in the latest version of
liblwp-authen-wsse-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 694...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated 
liblwp-authen-wsse-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 27 Nov 2012 17:38:50 +0100
Source: liblwp-authen-wsse-perl
Binary: liblwp-authen-wsse-perl
Architecture: source all
Version: 0.05-2
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group 
Changed-By: Salvatore Bonaccorso 
Description: 
 liblwp-authen-wsse-perl - Library for enabling X-WSSE authentication in LWP
Closes: 694486
Changes: 
 liblwp-authen-wsse-perl (0.05-2) unstable; urgency=low
 .
   * Team upload.
   * Use Digest::SHA instead of Digest::SHA1
 libdigest-sha1-perl package was removed from Debian. Digest::SHA is part
 of Perl core modules included with the perl interpreter since 5.10.
 Thanks to Ansgar Burchardt  (Closes: #694486)
--- End Message ---


Bug#670405: ekiga: During start up segfault in `libopal.so.3.10.4`

2012-11-27 Thread Steven Chamberlain
Actually, I can't reproduce this issue on linux amd64, with the same
ekiga/libpt/libopal tested by the submitter.

I started ekiga a few times with my existing settings (pre-upgrade).
Then I purged my accounts/config with:

$ gconftool --recursive-unset apps/ekiga

and successfully started ekiga ~5 times.  Then changed audio device from
/dev/dsp1 -> libpt PulseAudio and tried ~5 more times and it is still fine.

I've never seen the crash on startup (although it is a little slow to
start, as it seems to be phoning home to stun.ekiga.net...).

I do see the segfault at exit though (#687079).

-- System Information:
Debian Release: 6.0.5
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ekiga depends on:
ii  evolution-data-server  3.4.3-1         evolution database backend server
ii  gconf-service          3.2.5-1+build1  GNOME configuration database syste
ii  gconf2                 3.2.5-1+build1  GNOME configuration database syste
ii  libatk1.0-0            2.4.0-2         ATK accessibility toolkit
ii  libavahi-client3       0.6.31-1        Avahi client library
ii  libavahi-common3       0.6.31-1        Avahi common library
ii  libavahi-glib1         0.6.31-1        Avahi GLib integration library
ii  libc6                  2.13-35         Embedded GNU C Library: Shared lib
ii  libdbus-glib-1-2       0.100-1         simple interprocess messaging syst
ii  libebook-1.2-13        3.4.3-1         Client library for evolution addre
ii  libedataserver-1.2-16  3.4.3-1         Utility library for evolution data
ii  libgcc1                1:4.7.1-7       GCC support library
ii  libgconf-2-4           3.2.5-1+build1  GNOME configuration database syste
ii  libgdk-pixbuf2.0-0     2.26.1-1        GDK Pixbuf library
ii  libglib2.0-0           2.32.3-1        GLib library of C routines
ii  libgtk2.0-0            2.24.10-2       GTK+ graphical user interface libr
ii  libldap-2.4-2          2.4.31-1        OpenLDAP libraries
ii  libnotify4             0.7.5-1         sends desktop notifications to a n
ii  libopal3.10.4          3.10.4~dfsg-3   Open Phone Abstraction Library - s
ii  libpango1.0-0          1.30.0-1        Layout and rendering of internatio
ii  libpt2.10.4            2.10.4~dfsg-1   Portable Tools Library
ii  libsasl2-2             2.1.25.dfsg1-5  Cyrus SASL - authentication abstra
ii  libsigc++-2.0-0c2a     2.2.4.2-1       type-safe Signal Framework for C++
ii  libstdc++6             4.7.1-7         GNU Standard C++ Library v3
ii  libx11-6               2:1.5.0-1       X11 client-side library
ii  libxext6               2:1.3.1-2       X11 miscellaneous extension librar
ii  libxml2                2.8.0+dfsg1-5   GNOME XML library
ii  libxv1                 2:1.0.7-1       X11 Video extension library

Versions of packages ekiga recommends:
ii  gvfs  1.12.3-1+b1  userspace virtual filesystem - GIO
ii  yelp  3.4.2-1      Help browser for GNOME

Versions of packages ekiga suggests:
pn  asterisk    (no description available)
pn  gnugk       (no description available)
pn  mediaproxy  (no description available)
pn  rtpproxy    (no description available)
pn  ser         (no description available)
pn  siproxd     (no description available)
pn  yate        (no description available)

-- no debconf information

-- 
Steven Chamberlain
ste...@pyro.eu.org





Bug#694570: installation failures with d-i beta4 relating to EFI

2012-11-27 Thread Jonathan Dowland
Package: installation-reports
Severity: critical
Justification: makes baby jesus cry

Hi,

I just tried d-i beta4 amd64 netinst on my lenovo thinkpad x121e
laptop. The Laptop's firmware has boot mode set to 'either/both'
for legacy BIOS/EFI. The storage device was a totally blank SSD,
no prior OS.

Upon boot, prior to the point where I get to choose graphical /
text / rescue, I get the following error message (this does not
stop me progressing):

"error: prefix not set"

Install progressed as normal. The guided partition scheme
created a GPT partition table and a 512M EFI partition in
addition to boot. It seemed to select grub2-efi. I got a message
like the following towards the end of the process:

"grub-install dummy failed"

The resulting install won't boot; I get the following error¹

Loading Linux 3.2.0-4-amd64 ...
Loading initial ramdisk ...
error: no suitable mode found.
Booting however

That's the last thing I see. No keyboard lights or other 
activity.

I'll just retry this and see if I can capture anything from d-i
before rebooting out of it.

¹ https://twitter.com/jmtd/status/273521879510298624/photo/1





Bug#680084: none

2012-11-27 Thread intrigeri
Hi,

Michael Gilbert wrote (19 Nov 2012 00:10:21 GMT) :
> reassign 680084 grub-common
> forcemerge 680084 673573
> thanks

I'm glad you found the root cause of #680084, but perhaps another kind
of relationship would have expressed more clearly the relationship
between those two bugs than a forcemerge?

Unless I'm mistaken:

  * #673573 is the root cause for #680084
  * #680084 can be trivially workaround'd with the patch I've provided
  * #673573 is much wider, possibly harder to solve. has not seen
activity since May

Unless there are good hopes that #673573 is fixed soon (are there?),
I'd still like #680084 to be fixed independently for Wheezy.

What do you think?

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc





Bug#694323: [gsfonts] Fonts include copyrighted adobe fragment all right reserved

2012-11-27 Thread Norbert Preining
Hi Frank,

On Di, 27 Nov 2012, Frank Küster wrote:
> > It is not a question of fontforge... The lines mentioned come from
> > pfcommon.dat
> > which was inherited from metatype1.
> 
> If this is right, then it is wrong to block the bug by the fontforge
> bug, isn't it?  Bastien, I'm not sure enough about this to remove the
> blocking myself, please do it.

Wait ... I am not sure either. Maybe fontforge *also* contains and
adds this code ... I just found the text in the sources of lmodern.

> How is that done?  I thought it was done with fontforge scripts - I
> understand this is not the case?  Did they really open the font files in
> interactive fontforge, adjust and save?

I have no idea and I don't want to care about these things. I will not go
to the length of recreating the fonts at build time from any kind of
scripts.

Best wishes

Norbert

Norbert Preining    preining@{jaist.ac.jp, logic.at, debian.org}
JAIST, Japan        TeX Live & Debian Developer
DSA: 0x09C5B094   fp: 14DF 2E6C 0307 BE6D AD76  A9C0 D2BF 4AA3 09C5 B094

HUTTOFT (n.)
The fibrous algae which grows in the dark, moist environment of
trouser turn-ups.
--- Douglas Adams, The Meaning of Liff





Bug#694570: installation failures with d-i beta4 relating to EFI

2012-11-27 Thread Brian Potkin
On Tue 27 Nov 2012 at 22:26:56 +, Jonathan Dowland wrote:

> The resulting install won't boot; I get the following error¹
> 
> Loading Linux 3.2.0-4-amd64 ...
> Loading initial ramdisk ...
> error: no suitable mode found.
> Booting however
> 
> That's the last thing I see. No keyboard lights or other 

The thread starting at

   http://lists.debian.org/debian-boot/2012/11/thrd2.html

may help. Michael Gilbert's contribution in particular.





Bug#676424: Bug#454778: emacsen-common: load-path order vs debian-run-directories

2012-11-27 Thread Rob Browning
intrigeri  writes:

> (Gentle) ping?
>
> I'd rather wait for a solution #677191 to be available, so that both
> remaining RC bugs against emacsen-common can be fixed by the same
> upload / unblock request, but if this does not happen shortly,
> I intend to NMU emacsen-common to apply Kevin's patch and fix the two
> Cc'd bugs, unless you object or someone explains why this would be
> a bad idea.
>
> Thanks for your work on emacsen-common!

Looking into it now.  Feel free to ping me again if you don't hear back
in the next week or so.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4





Processed: tagging 684817

2012-11-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 684817 - unreproducible + confirmed
Bug #684817 [src:lilypond] segfault in lilypond
Removed tag(s) unreproducible.
Bug #684817 [src:lilypond] segfault in lilypond
Added tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
684817: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684817
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#694570: installation failures with d-i beta4 relating to EFI

2012-11-27 Thread Brian Potkin
On Wed 28 Nov 2012 at 00:43:14 +, Brian Potkin wrote:

> The thread starting at
> 
>    http://lists.debian.org/debian-boot/2012/11/thrd2.html
> 
> may help. Michael Gilbert's contribution in particular.

This is better!

http://lists.debian.org/debian-boot/2012/11/msg00480.html





Bug#676424: Bug#454778: emacsen-common: load-path order vs debian-run-directories

2012-11-27 Thread Rob Browning
Rob Browning  writes:

> Looking into it now.  Feel free to ping me again if you don't hear back
> in the next week or so.

OK, so that (original) code's quite old, but from a quick glance, it
doesn't seem to be doing what I thought it was supposed to be doing, and
I agree that it doesn't look right.

I'm really not sure how it ended up that way, but regardless, I think I
may use Kevin's approach, with perhaps this additional bit:

   (let* ((paths (mapcar 'copy-sequence dirs)) ; Ensure we have unique objects.

Not likely to matter most of the time, but...

I'll try to generate a new release this weekend.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4





Bug#676424: Bug#454778: emacsen-common: load-path order vs debian-run-directories

2012-11-27 Thread intrigeri
Hi,

Rob Browning wrote (28 Nov 2012 02:03:07 GMT) :
> I'm really not sure how it ended up that way, but regardless, I think I
> may use Kevin's approach, with perhaps this additional bit:

>    (let* ((paths (mapcar 'copy-sequence dirs)) ; Ensure we have unique objects.

> Not likely to matter most of the time, but...

> I'll try to generate a new release this weekend.

Excellent!

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc





Processed: re: Ample ships a /var/run/ample folder: Policy 9.3.2

2012-11-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 -patch
Bug #689769 [ample] Ample ships a /var/run/ample folder: Policy 9.3.2
Removed tag(s) patch.

-- 
689769: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689769
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#689769: Ample ships a /var/run/ample folder: Policy 9.3.2

2012-11-27 Thread Michael Gilbert
control: tag -1 -patch

Removing patch tag since some work needs to be done here.

Best wishes,
Mike





Bug#694589: lastfmproxy: python module/script files in wrong location

2012-11-27 Thread Stuart Prescott
Package: lastfmproxy
Version: 1.3b-2
Severity: serious
Justification: policy §9.1 (FHS: /var/lib is for state information not 
scripts), python policy §2.1 (module placement)

Hi!

lastfmproxy ships a number of files in /var/lib that belong in /usr/share --
this includes python module files and probably also the png/html/css/js files
as well.

lastfmproxy: /var/lib/lastfmproxy/audioscrobbler.py
lastfmproxy: /var/lib/lastfmproxy/changestation.py
lastfmproxy: /var/lib/lastfmproxy/config.py
lastfmproxy: /var/lib/lastfmproxy/data/album.png
lastfmproxy: /var/lib/lastfmproxy/data/artist.png
lastfmproxy: /var/lib/lastfmproxy/data/default.css
lastfmproxy: /var/lib/lastfmproxy/data/default.html
lastfmproxy: /var/lib/lastfmproxy/data/favicon.ico
lastfmproxy: /var/lib/lastfmproxy/data/main.js
lastfmproxy: /var/lib/lastfmproxy/data/nice_favicon.png
lastfmproxy: /var/lib/lastfmproxy/data/noalbum_medium.gif
lastfmproxy: /var/lib/lastfmproxy/data/sidebar.css
lastfmproxy: /var/lib/lastfmproxy/data/sidebar.html
lastfmproxy: /var/lib/lastfmproxy/data/song.png
lastfmproxy: /var/lib/lastfmproxy/httpclient.py
lastfmproxy: /var/lib/lastfmproxy/lastfm.py
lastfmproxy: /var/lib/lastfmproxy/main.py
lastfmproxy: /var/lib/lastfmproxy/playlist.py
lastfmproxy: /var/lib/lastfmproxy/xspf.py

Additionally, this package does not follow python policy §2.6 (byte
compilation of modules). The use of a python packaging helper such
as dh_python2 would help with this.

(Line 3 of the postinst also means that any debhelper boilerplate
added to the maintainer script will not be executed in a lot of cases
which is not as desirable.)

cheers
Stuart





Bug#693659: marked as done (vmix floating-point mode does not use proper API on Linux)

2012-11-27 Thread Debian Bug Tracking System
Your message dated Wed, 28 Nov 2012 03:33:12 +
with message-id 
and subject line Bug#693659: fixed in oss4 4.2-build2007-1+nmu1
has caused the Debian Bug report #693659,
regarding vmix floating-point mode does not use proper API on Linux
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
693659: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693659
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: oss4
Version: 4.2-build2006-2
Severity: grave

The functions oss_fp_check(), oss_fp_save() and oss_fp_restore()
manipulate control registers without disabling preemption.  This
can result in corrupting the FPU state of other tasks, hence the
high severity.

They should be changed to use the API declared in .

Ben.

-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 
'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
Source: oss4
Source-Version: 4.2-build2007-1+nmu1

We believe that the bug you reported is fixed in the latest version of
oss4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 693...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert  (supplier of updated oss4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Sat, 24 Nov 2012 06:55:01 +
Source: oss4
Binary: oss4-base oss4-gtk oss4-dkms oss4-source oss4-dev liboss4-salsa2 
liboss4-salsa-dev liboss4-salsa-asound2
Architecture: source all amd64
Version: 4.2-build2007-1+nmu1
Distribution: unstable
Urgency: medium
Maintainer: Debian OSS4 Maintainers 

Changed-By: Michael Gilbert 
Description: 
 liboss4-salsa-asound2 - OSS to Alsa compatibility library - binary 
compatibility symlink
 liboss4-salsa-dev - OSS to Alsa compatibility library -- development files
 liboss4-salsa2 - OSS to Alsa compatibility library
 oss4-base  - Open Sound System - base package
 oss4-dev   - Open Sound System - development files
 oss4-dkms  - Open Sound System - DKMS module sources
 oss4-gtk   - Open Sound System - simple GTK2-based mixer control
 oss4-source - Open Sound System - drivers sources
Closes: 693659
Changes: 
 oss4 (4.2-build2007-1+nmu1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Disable preemption in functions touching control registers
 - Patch thanks to Roland Stigge (closes: #693659).

Bug#692791: members of lpadmin can read every file on server via cups

2012-11-27 Thread Michael Sweet
After looking at this patch in detail, it doesn't actually prevent users in the 
lpadmin group from modifying cupsd.conf and performing the specified privilege 
escalation.

An alternate fix for cups-1.5 and earlier that specifically addresses the 
reported problem by requiring the log files to reside in CUPS_LOGDIR:



alt-CVE-2012-5519.patch
Description: Binary data


On 2012-11-27, at 9:30 AM, Marc Deslauriers  
wrote:

> FYI, as a security fix for our stable releases in Ubuntu, we plan on
> disabling cupsd.conf modification in the web interface entirely.
> Attached is the patch we plan on using.
> 
> Marc.
> 


Michael Sweet, Senior Printing System Engineer, PWG Chair
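
A containment check of the kind the message above describes (log files must reside in the log directory), as an added example; it is not the content of alt-CVE-2012-5519.patch and not CUPS code. The names `log_path_allowed` and `EXAMPLE_LOGDIR` are hypothetical, and `/var/log/cups` is an assumed value for CUPS_LOGDIR.

```c
#include <stdio.h>
#include <string.h>

/* Assumed log directory for this example; the real CUPS_LOGDIR is a
 * build-time setting. */
#define EXAMPLE_LOGDIR "/var/log/cups"

/*
 * Return 1 if `path` may be used as a log file location, 0 otherwise.
 * The check is purely lexical: the path must be absolute, start with
 * `logdir` followed by '/', and contain no empty, "." or ".." component.
 * It does not resolve symlinks, so the directory itself must be writable
 * only by trusted users. The special destination "syslog" is accepted.
 */
int log_path_allowed(const char *path, const char *logdir)
{
    size_t dirlen, complen;
    const char *comp, *end;

    if (path == NULL || logdir == NULL || logdir[0] != '/')
        return 0;
    if (strcmp(path, "syslog") == 0)
        return 1;

    /* Ignore trailing slashes on the directory; refuse "/" as a log
     * directory because it would contain every path on the system. */
    dirlen = strlen(logdir);
    while (dirlen > 1 && logdir[dirlen - 1] == '/')
        dirlen--;
    if (dirlen < 2)
        return 0;

    /* Prefix match must end on a component boundary, so that
     * "/var/log/cups-old/x" is not treated as inside "/var/log/cups". */
    if (strncmp(path, logdir, dirlen) != 0 || path[dirlen] != '/')
        return 0;

    /* Walk the remaining components one at a time. */
    comp = path + dirlen + 1;
    for (;;) {
        end = strchr(comp, '/');
        complen = end ? (size_t)(end - comp) : strlen(comp);
        if (complen == 0)
            return 0;                       /* "//" or trailing "/" */
        if (comp[0] == '.' && (complen == 1 ||
                               (complen == 2 && comp[1] == '.')))
            return 0;                       /* "." or ".." */
        if (end == NULL)
            return 1;                       /* last component was fine */
        comp = end + 1;
    }
}

int main(void)
{
    /* Constructed sample values, not taken from a real cupsd.conf. */
    const char *samples[] = {
        "/var/log/cups/error_log", "syslog", "/etc/hostname",
        "/var/log/cups/../../etc/hostname", "/var/log/cups-old/error_log"
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-36s %s\n", samples[i],
               log_path_allowed(samples[i], EXAMPLE_LOGDIR) ? "allow" : "reject");
    return 0;
}
```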



Bug#690128: inn2: conffile disappearing during squeeze->wheezy upgrade: /etc/news/motd.news

2012-11-27 Thread Russ Allbery
Julien ÉLIE  writes:

>> Yeah, I'm inclined to agree with this, and wonder if INN should change
>> its upstream behavior to install a sample in a path other than the one
>> used by innd and nnrpd.

> That would also be fine, yes.
> Couldn't we install them as ${PATHETC}/motd.innd.sample and
> ${PATHETC}/motd.nnrpd.sample or should they be in a separate path?
> In the latter case, would the ${PATHETC}/samples directory be fine?

Looking at the files, they're mostly documentation for the facility.  I'm
wondering whether that's a useful thing to install.  The upside of
installing some sort of sample is that it makes it clear to people
installing a new server that this is something that can be done.  The
downside is that the files are not, themselves, actually useful; you
wouldn't use any part of their content when creating a real MOTD file.
They're just documentation.

That makes me feel like handling the documentation some other way, such as
pointers in INSTALL, may be a better idea than installing the sample file.

On second thought, installing them in a separate samples directory means
they aren't obviously there when someone is setting up a new server, so it
seems to eliminate most of the upside and add some additional complexity.

> Shouldn't we do the same for the ${PATHETC}/subscriptions file?  It
> already contains a list of newsgroups.

Yeah, but it's a fairly innocuous one that's been the same for many years.
There's not much there that will really hurt anything, so I'd be inclined
to leave that one alone.

> What about files like ${PATHETC}/actsync.ign?  Maybe the default behaviour
> is not the expected one.

It's not a horrible default, though.  It seems pretty safe to me.

-- 
Russ Allbery (r...@debian.org)   





Bug#690128: inn2: conffile disappearing during squeeze->wheezy upgrade: /etc/news/motd.news

2012-11-27 Thread Russ Allbery
Nick Leverton  writes:

> I've prepared a fix for this along the lines I suggested.  It proved
> awkward to choose between mv_conffile and rm_conffile due to the
> multi-stage nature of maintainer scripts, so I ended up using
> rm_conffile and inserting some code in the postinst script to capture
> the dpkg-bak file and rename it in the event that it had been modified.

> If anyone would care to review and perhaps upload it, the dsc is at
> http://mentors.debian.net/debian/pool/main/i/inn2/inn2_2.5.3-1.1.dsc I
> am happy to deal with the unblock etc but would appreciate sponsoring
> for the upload.  Failing that I shall go bother Mentors as usual :-)

Marco, do you want to handle this update?  I'm happy to help here, but
don't want to tromp on you if you'd rather take care of it.

-- 
Russ Allbery (r...@debian.org)   





Bug#694589: lastfmproxy: python module/script files in wrong location

2012-11-27 Thread Julien Cristau
On Wed, Nov 28, 2012 at 03:27:16 +, Stuart Prescott wrote:

> Package: lastfmproxy
> Version: 1.3b-2
> Severity: serious
> Justification: policy §9.1 (FHS: /var/lib is for state information not 
> scripts), python policy §2.1 (module placement)
> 
> Hi!
> 
> lastfmproxy ships a number of files in /var/lib that belong in /usr/share --
> this includes python module files and probably also the png/html/css/js files
> as well.
> 
I don't think this warrants serious severity.

> lastfmproxy: /var/lib/lastfmproxy/audioscrobbler.py
> lastfmproxy: /var/lib/lastfmproxy/changestation.py
> lastfmproxy: /var/lib/lastfmproxy/config.py
> lastfmproxy: /var/lib/lastfmproxy/data/album.png
> lastfmproxy: /var/lib/lastfmproxy/data/artist.png
> lastfmproxy: /var/lib/lastfmproxy/data/default.css
> lastfmproxy: /var/lib/lastfmproxy/data/default.html
> lastfmproxy: /var/lib/lastfmproxy/data/favicon.ico
> lastfmproxy: /var/lib/lastfmproxy/data/main.js
> lastfmproxy: /var/lib/lastfmproxy/data/nice_favicon.png
> lastfmproxy: /var/lib/lastfmproxy/data/noalbum_medium.gif
> lastfmproxy: /var/lib/lastfmproxy/data/sidebar.css
> lastfmproxy: /var/lib/lastfmproxy/data/sidebar.html
> lastfmproxy: /var/lib/lastfmproxy/data/song.png
> lastfmproxy: /var/lib/lastfmproxy/httpclient.py
> lastfmproxy: /var/lib/lastfmproxy/lastfm.py
> lastfmproxy: /var/lib/lastfmproxy/main.py
> lastfmproxy: /var/lib/lastfmproxy/playlist.py
> lastfmproxy: /var/lib/lastfmproxy/xspf.py
> 
> Additionally, this package does not follow python policy §2.6 (byte
> compilation of modules). The use of a python packaging helper such
> as dh_python2 would help with this.
> 
> (Line 3 of the postinst also means that any debhelper boilerplate
> added to the maintainer script will not be executed in a lot of cases
> which is not as desirable.)
> 
This might.

Cheers,
Julien

