Processed: limit source to debhelper, tagging 773965

2014-12-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 limit source debhelper
Limiting to bugs with field 'source' containing at least one of 'debhelper'
Limit currently set to 'source':'debhelper'

 tags 773965 + pending
Bug #773965 [debhelper] binNMUed db5.3 FTBFS due to --link-doc check
Added tag(s) pending.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
773965: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773965
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#747141: [debhelper-devel] Bug#747141: Bug#747141: dh_installdocs --link-doc forces source-version dependencies (Was: Re: Bug#747141: closed by Niels Thykier ni...@thykier.net (Bug#747141: fixed

2014-12-29 Thread Niels Thykier
On 2014-12-22 20:28, Stephen Kitt wrote:
 Hi Niels,
 
 On Mon, 22 Dec 2014 08:25:03 +0100, Niels Thykier ni...@thykier.net wrote:
 [...]

 Okay, I guess I realise what happens now that breaks your case.  We use
 dpkg-parsechangelog -l.  During a binNMU this returns the binNMU
 version (i.e. source version plus +bX), but I guess you set your own
 binary version?  The best I can give you is the eqv. of a pkg (=
 ${binary:Version}).
   This minor modification (from our PoV) should not change the output in
 the general case, and /may/ fix your case.
 
 It should indeed, and it seems better to me generally speaking, since the
 dependency should be on the binary version anyway. There are other packages
 in the archive which produce binary packages with versions other than the
 source version!
 

Ok, will do for Stretch.

 However, if that does not work, then I am afraid your self-chosen
 version scheme cannot be handled automatically by debhelper and you
 would have to do the link-doc manually.  AFAICT for this to work, you
 *must* use identical versions for the binary packages that are affected
 by the --link-doc parameter.
 
 In that case (and perhaps in general), what would be nice would be to have
 dh_installdocs allow the version to be specified; currently I run
 dh_installdocs then sed the substvars to remove the dependency
 added by dh_installdocs.
 

Possibly, but I am not convinced.  The goal for debhelper is to make
common tasks easier and not to support every possible way of doing things.

 Regarding the arch: any to arch: all and vice-versa cases you fixed, what
 about transitional and/or metapackages? Given that they are empty, I
 don't see anything in Policy or in practice which would prevent arch: all
 metapackages depending on arch: any binary packages without a strict
 versioned dependency to provide their changelog and copyright...

 You cannot have a correct match between an arch:all and an arch:any
 package during a binNMU (or at least, not until debhelper started
 extracting the binNMU changelog parts into a separate file).  But then
 you can only safely do it with an arch:all linking to an arch:any.
   However, with the interface debhelper provided, this never worked,
 because we would generate a pkg (= ${bVersion}) and after a binNMU the
 arch:all version would still depend on the old ${bVersion} (since it
 is not rebuilt).

 Instead of succeeding such a build and allowing broken (uninstallable)
 packages to reach the archive, we now error out[1].
 This is especially helpful, since a lot of people seem to get these work.
 
 Yup, I understand the reasoning behind the change. (I'm guessing
 s/work/wrong/ in that last sentence!)
 

Silly typo on my part indeed.

 (gcc-mingw-w64 does this in a binNMU-friendly way.)

 Except, you are (at least, in theory) doing it very very wrong!  Your
 metadata package does not force the exact version between itself and the
 link-doc target packages.  This allows the versions to go out of sync
 and we could (in theory) end up in a situation where the copyright file
 does not accurately reflect the copyright/license statements of the
 metapackage[2].
   Admittedly, for an empty metapackage, this example is a bit
 contrived (as the non-content is hardly copyrightable).  However,
 people might cargo-cult your setup into another package breaking theirs
 (from a legal PoV).
 
 It's the empty part I'm relying on ;-). That's why I was asking only about
 transitional and metapackages.
 
 I would strongly recommend getting this particular use-case (arch:all
 metapackage - arch:any non-metapackage) officially sanctioned before
 using it.  Primarily to say it is in fact a valid use and secondarily to
 highlight the cases, where it *is* valid (which is definitely far from
 all cases).
 
 That makes sense, I'll do that...
 
   Even then, I doubt this is a scenario that debhelper will support out
 of the box.  As mentioned, a fair share of debhelper users have gotten
 this wrong, so I will go with the safe-rather-than-sorry approach here.
 
 Yes, that seems perfectly sensible. As long as debhelper doesn't actively
 prevent it I won't complain!
 
 Regards,
 
 Stephen
 
 [...]

I doubt we will actively prevent it from happening, but you will have to
implement link-doc manually for unsupported cases.

Thanks,
~Niels





Bug#774143: malicious HTTP request kills gearmand

2014-12-29 Thread Alexei Pastuchov
Package: gearman-job-server
Version: 1.0.6-4
Status: install ok installed
Installed-Size: 268
Architecture: amd64
Severity: serious

A bad HTTP request forces gearmand (=0.33 AFAIK) to run in an endless loop
until memory runs out. See bug report
https://bugs.launchpad.net/gearmand/+bug/1348865
Bug fixing was committed here
http://bazaar.launchpad.net/~1-infe-w/gearmand/1.0/revision/802#libgearman-server/plugins/protocol/http/protocol.cc

Regards,
Alexei





Bug#773671: [Pkg-javascript-devel] Bug#773671: libv8-3.14: multiple security issues

2014-12-29 Thread Bálint Réczey
Hi Moritz,

2014-12-29 3:01 GMT+01:00 Moritz Mühlenhoff j...@inutil.org:
 On Sun, Dec 21, 2014 at 03:19:42PM -0500, Michael Gilbert wrote:
 package: src:libv8-3.14
 severity: grave
 tags: security

 Hi,

 the following vulnerabilities were published for libv8-3.14.

 So if I'm understanding the discussion on debian-devel correctly
 the libv8 maintainers want to see this treated as an RC-bug.
 Please clarify your intentions, do you

 a) intend to fix these issues with patches and if that's not possible
 remove libv8 along with its rev deps?

 b) want to keep this with RC severity and tag it jessie-ignore.
 I would consider that rather broken since foo-ignore is used for
 issues which are ignored for once, but which will be addressed
 in release+1. I don't see the libv8 situation change upstream...
The rationale behind opening the RC bugs was improving transparency on
my side. I think more people follow bugs than the security tracker.
I think the call between a) and b) is up to release management, but my
interpretation for b) is a bit different.
There are RC bugs ignored for several releases thus I think foo-ignore
is not strictly for one-off issues and b) would be the proper way of
letting libv8 be released with Jessie if the security issues stay open.

Cheers,
Balint




 c) plan something else I'm missing

 Cheers,
 Moritz





Bug#771669: segfaults with trivial usage

2014-12-29 Thread Christian Werner

On 12/01/2014 02:38 PM, Lionel Elie Mamane wrote:

Hi Christian,

May I draw your attention on Debian bug number 771669, which I quote
below and which can be read in full at http://bugs.debian.org/771669 ?

It was reported against 0.992, but I have reproduced it with 0.999
(which I'm shortly going to upload to Debian).
...


Hey Lionel,

should be fixed with version 0.9991, please update.

Best regards,
Christian





Bug#768756: wader: FTBFS in jessie: Tests failures

2014-12-29 Thread Graham Inggs
I intend NMU-ing a fix for this, as per the attached debdiff, pending
its unblock pre-approval (bug #774134).


wader-nmu.debdiff
Description: Binary data


Bug#744753: Fix for anacron (running on resume under systemd)

2014-12-29 Thread Michael Biebl
Hi Ivo,

I see that you uploaded a fix for #744753, using a unit file called
anacron-resume:

 [Unit]
 Description=Run anacron jobs at resume
 After=suspend.target
 After=hibernate.target
 After=hybrid-sleep.target
 
 [Service]
 ExecStart=/bin/systemctl --no-block --fail start anacron.service
 
 [Install]
 WantedBy=suspend.target
 WantedBy=hibernate.target
 WantedBy=hybrid-sleep.target


I don't think this fixes the issue in a proper way, because ordering
that service After=suspend.target doesn't mean the unit is actually
run on resume.

Take a look at systemd-suspend.service, which is responsible for putting
the system to sleep:

 [Unit]
 Description=Suspend
 Documentation=man:systemd-suspend.service(8)
 DefaultDependencies=no
 Requires=sleep.target
 After=sleep.target
 
 [Service]
 Type=oneshot
 ExecStart=/lib/systemd/systemd-sleep suspend


It *also* has After=sleep.target.

That means, depending on the timing, anacron-resume.service might be
triggered just before suspend not on resume, and it's not guaranteed
that anacron has finished before systemd-sleep is called.

I don't think the patch was intended this way?

Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#744753: Fix for anacron (running on resume under systemd)

2014-12-29 Thread Ralf Jung
Hi,

 It *also* has After=sleep.target.
 
 That means, depending on the timing, anacron-resume.service might be
 triggered just before suspend not on resume, and it's not guaranteed
 that anacron has finished before systemd-sleep is called.
 
 I don't think the patch was intended this way?

I was told once to use a file like this:

 [Unit]
 Description=hdparm resume actions
 After=suspend.target
 After=hibernate.target
 After=hybrid-sleep.target
 
 [Service]
 Type=simple
 ExecStart=/usr/lib/pm-utils/power.d/95hdparm-apm resume
 
 [Install]
 WantedBy=suspend.target
 WantedBy=hibernate.target
 WantedBy=hybrid-sleep.target

That's working fine for me.

Kind regards,
Ralf





Processed: Re: Bug#761170: upstream

2014-12-29 Thread Debian Bug Tracking System
Processing control commands:

 tags -1 patch
Bug #761170 [src:libgit2] libgit2: FTBFS on multiple architectures
Bug #761539 [src:libgit2] libgit2: FTBFS: Tests failures
Added tag(s) patch.
Added tag(s) patch.

-- 
761170: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761170
761539: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761539
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#761170: upstream

2014-12-29 Thread Ivo De Decker
Control: tags -1 patch

Hi,

On Tue, Nov 25, 2014 at 10:38:44PM +0100, Lucas Nussbaum wrote:
 Note that the build now fails on i386 too.
 
 Trying to reproduce it locally, I run into yet another problem:
 
   1) Failure:
 repo::iterator::fs_preserves_error 
 [/tmp/libgit2-0.21.1/tests/repo/iterator.c:952]
   Expected function call to fail: git_iterator_advance(e, i)

This problem only occurs when running as root (the test chmods a file to
000 and checks if accessing it fails). It would probably be a good idea to add
another test to check if the test is running as root, and fail in that case
(because the tests assume they aren't).


The failure that happens on the i386 buildd is this one:

  1) Failure:
clone::nonetwork::local_absolute_path 
[/«PKGBUILDDIR»/tests/clone/nonetwork.c:91]
  Function call failed: (git_clone(g_repo, local_src, ./foo, g_options))
  error -1 - git_path_direach callback returned -1


I can reproduce this in my test environment on i386 and amd64. It only happens
when the builddir and /tmp are on different filesystems. It seems the local
clone tries to create a hard link, which fails across filesystems (the fact
that this happens without fallback is an error in itself, so the test actually
discovered a problem here). When setting the TMPDIR to a directory on the same
filesystem, the test doesn't hit this issue, and the build works fine.

It's unclear to me why this only happens on i386, but I suspect that the setup
of the buildd chroots isn't the same everywhere.

In any case, adding this patch fixes it in my environment. I can do an NMU if
necessary.

diff --git a/debian/rules b/debian/rules
index 0d82de1..75b792d 100755
--- a/debian/rules
+++ b/debian/rules
@@ -36,6 +36,12 @@ override_dh_auto_install :
dh_auto_install --builddirectory=build-debian-release
dh_auto_install --builddirectory=build-debian-devel
 
+override_dh_auto_test :
+   mkdir -p build-debian-release/tmp
+   TMPDIR=$(PWD)/build-debian-release/tmp dh_auto_test 
--builddirectory=build-debian-release
+   mkdir -p build-debian-devel/tmp
+   TMPDIR=$(PWD)/build-debian-devel/tmp dh_auto_test 
--builddirectory=build-debian-devel
+
 override_dh_strip:
dh_strip --dbg-package=libgit2-dbg
 
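Review bot: In the added override_dh_auto_test recipe, TMPDIR is built from $(PWD), which make only inherits from the calling environment; $(CURDIR) is set by make itself and is the more reliable way to get the absolute build path here. The recipe also only keeps the test suite's temporary files on the same filesystem as the build tree, so the hard link failure without fallback described above stays in the library; a comment above the target saying why TMPDIR is set, plus a separate upstream report for the missing fallback, would keep that from being forgotten.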

Cheers,

Ivo
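
The cross-filesystem failure described in the message above, as an added example that is not part of the original post and not libgit2's code: a hard link attempt that falls back to a copy only when link(2) reports EXDEV. The names link_or_copy, copy_file, link_exdev and demo are hypothetical; link_exdev is a constructed stand-in that simulates the build directory and TMPDIR being on different filesystems.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() under strict -std= modes */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { PLACED_ERROR = -1, PLACED_LINK = 0, PLACED_COPY = 1 };

/* Same signature as link(2); injectable so the EXDEV path can be tested. */
typedef int (*link_fn)(const char *oldpath, const char *newpath);

/* Constructed stand-in for link(2) when source and destination are on
 * different filesystems: always fails with EXDEV. */
static int link_exdev(const char *oldpath, const char *newpath)
{
    (void)oldpath; (void)newpath;
    errno = EXDEV;
    return -1;
}

/* Plain copy. O_EXCL keeps link(2) semantics: never replace an existing dst. */
static int copy_file(const char *src, const char *dst)
{
    char buf[8192];
    struct stat st;
    ssize_t n;
    int in, out = -1, ok;

    if ((in = open(src, O_RDONLY)) < 0)
        return -1;
    if (fstat(in, &st) < 0 ||
        (out = open(dst, O_WRONLY | O_CREAT | O_EXCL, st.st_mode & 0777)) < 0) {
        close(in);
        return -1;
    }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0 && errno == EINTR) continue;
            if (w < 0) { n = -1; break; }
            off += w;
        }
        if (n < 0) break;
    }
    ok = (n == 0);
    close(in);
    if (close(out) < 0) ok = 0;
    if (!ok) unlink(dst);       /* do not leave a truncated copy behind */
    return ok ? 0 : -1;
}

/* Hard link first; copy only on EXDEV. Any other errno is a real failure. */
static int link_or_copy(const char *src, const char *dst, link_fn do_link)
{
    if (do_link(src, dst) == 0)
        return PLACED_LINK;
    if (errno != EXDEV)
        return PLACED_ERROR;
    return copy_file(src, dst) == 0 ? PLACED_COPY : PLACED_ERROR;
}

/* Places a constructed sample file with do_link inside a scratch directory
 * and returns how it was placed, or PLACED_ERROR if any check fails. */
static int demo(link_fn do_link)
{
    char dir[] = "/tmp/linkdemo.XXXXXX", src[64], dst[64];
    struct stat a, b;
    int how, again, result = PLACED_ERROR;
    FILE *f;

    if (!mkdtemp(dir))
        return PLACED_ERROR;
    snprintf(src, sizeof src, "%s/object", dir);
    snprintf(dst, sizeof dst, "%s/clone", dir);
    if ((f = fopen(src, "w")) != NULL) {
        fputs("constructed sample object\n", f);
        fclose(f);
        how = link_or_copy(src, dst, do_link);
        again = link_or_copy(src, dst, do_link);   /* dst exists: must fail */
        if (how != PLACED_ERROR && again == PLACED_ERROR &&
            stat(src, &a) == 0 && stat(dst, &b) == 0 && a.st_size == b.st_size &&
            (a.st_ino == b.st_ino) == (how == PLACED_LINK))
            result = how;
    }
    unlink(dst); unlink(src); rmdir(dir);
    return result;
}

int main(void)
{
    printf("same fs: %d, EXDEV simulated: %d\n", demo(link), demo(link_exdev));
    return 0;
}
```
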





Bug#746109: (no subject)

2014-12-29 Thread Erwan Prioul
I was able to build the package according to the suggested fix from bug 
#745969 (thx Edmund).


Thanks for considering the attached patch.

Erwan.

diff -Naur a/tokens.h b/tokens.h
--- a/tokens.h	2014-12-29 16:18:19.442013464 +0100
+++ b/tokens.h	2014-12-29 16:26:12.782018555 +0100
@@ -93,7 +93,6 @@
 extern int  clex_lineno;
 extern FILE *   yycin;
 extern char *   yyctext;
-extern int  yycleng;
 extern int  yyclength, yycsize;
 extern char *   yyccomment;
 
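Review bot: Dropping `extern int yycleng;` at line 96 leaves tokens.h with no declaration of that variable while yyctext, yyclength and yycsize stay declared, so any file that includes this header and still reads yycleng will stop compiling. Please confirm there are no such users, or declare the variable with the type its definition uses instead of removing it; the same question applies to the yypleng, yyperlleng, yyphpleng and yyrubyleng removals in the following hunks. A short description of the build error from #745969 in the patch header would also make the intent reviewable.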
@@ -104,7 +103,6 @@
 extern int  plex_lineno;
 extern FILE *   yypin;
 extern char *   yyptext;
-extern int  yypleng;
 extern char *   yypcomment;
 
 extern int yyplex(void);
@@ -114,7 +112,6 @@
 extern int 	perllex_lineno;
 extern FILE *	yyperlin;
 extern char *	yyperltext;
-extern int	yyperlleng;
 extern char *	yyperlcomment;
 extern int yyperllex(void);
 
@@ -123,7 +120,6 @@
 extern int  phplex_lineno;
 extern FILE *   yyphpin;
 extern char *   yyphptext;
-extern int  yyphpleng;
 extern char *   yyphpcomment;
 extern int yyphplex(void);
 
@@ -132,7 +128,6 @@
 extern int  rubylex_lineno;
 extern FILE *   yyrubyin;
 extern char *   yyrubytext;
-extern int  yyrubyleng;
 extern char *   yyrubycomment;
 extern int yyrubylex(void);;
 
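Review bot: The context line `extern int yyrubylex(void);;` directly below the removed yyrubyleng declaration ends in a doubled semicolon; since this hunk already touches the block, drop the stray `;` in the same patch. The empty declaration it creates at file scope is flagged by compilers that are strict about ISO C.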


Bug#774121: [Android-tools-devel] Bug#774121: adb sideload fails with TWRP 2.8.2.0

2014-12-29 Thread Hans-Christoph Steiner

Tags: help fixed-upstream

Control: merge 738119

This adb package definitely needs some love.  I won't have time to work on it
for a while, but I'll contribute where I can.  Ray Kohler did some work
towards this goal, but it's not ready for upload.  For more info:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738119





Bug#766920: initramfs-tools: update-initramfs makes system unbootable due to missing rootfs

2014-12-29 Thread Laur Aliste
Same issue still persists after using the root=UUID= syntax with
grub (which is the default).
Kernel line in grub command line:
linux  /boot/vmlinuz-3.16-2-amd64
root=UUID=11bb4d9d-8451-4632-9985-1bd9b155dba8 ro  quiet


Booting ends up with the following screen (with input disabled):
  Decompressing Linux... Parsing ELF... done.
  Booting the kernel.
  Loading, please wait...
  Gave up waiting for root device. Common problems:
  [--]

  ALERT! /dev/disk/by-uuid/11bb4d9d-8451-4632-9985-1bd9b155dba8 does not exist.
  Dropping to a shell!
  modprobe: module ehci-orion not found in modules.dep
  modprobe: module uhci-hcd not found in modules.dep
  modprobe: module ohci-hcd not found in modules.dep
  modprobe: module usbhid not found in modules.dep

  BusyBox v1.22.1 (Debian 1:1.22.0-9+b1) built-in shell (ash)
  Enter 'help' for a list of built-in commands.

  /bin/sh: can't access tty; job control turned off


Terminal output during the update:
  [..]
  processing triggers for initramfs-tools (0.116) ...
  update-initramfs: Generating /boot/initrd.img-3.16-2-amd64
  /dev/sdg1: No such file or directory
  [--]





Bug#772233: bashism in /bin/sh script

2014-12-29 Thread Bertrand Marc
Hi Balint,

On 20/12/2014 10:49, Bálint Réczey wrote:
 2014-12-20 10:30 GMT+01:00 Bálint Réczey bal...@balintreczey.hu:
 I made a typo in the bug number, please see the fixed patch attached.
 I also reuploaded the package to DELAYED/2.
Thanks a lot for uploading this fix, I was unable to take care of this
in the last month.

Cheers,
Bertrand





Bug#774090: emacs24: a left-click in Emacs sometimes modifies the PRIMARY selection

2014-12-29 Thread Vincent Lefevre
Control: tags -1 security

On 2014-12-28 16:29:12 +0100, Vincent Lefevre wrote:
 Note: This bug occurs very often and is very annoying, as one needs
 to reselect what was selected (sometimes hardly possible). Moreover
 the wrongly pasted text is similar to the correct text[*], meaning
 that if one doesn't pay attention, one gets a file with permanently
 incorrect data!

Grrr... That's also a security problem. Due to this bug, a paste with
a middle click in a web browser can end up in pasting private data!
And Javascript can provide the pasted text to the web site immediately
(Facebook does that), before the user can notice the problem.

-- 
Vincent Lefèvre vinc...@vinc17.net - Web: https://www.vinc17.net/
100% accessible validated (X)HTML - Blog: https://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)





Processed: Re: emacs24: a left-click in Emacs sometimes modifies the PRIMARY selection

2014-12-29 Thread Debian Bug Tracking System
Processing control commands:

 tags -1 security
Bug #774090 [emacs24] emacs24: a left-click in Emacs sometimes modifies the 
PRIMARY selection
Added tag(s) security.

-- 
774090: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774090
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#718148: arpon: FTBFS: Could not find libnet-1.1

2014-12-29 Thread Chris
Hi,

in the meantime the release of ArpON 2.7.2 should also fix those build
issues:

http://sourceforge.net/p/arpon/code/ci/master/tree/CHANGELOG





Bug#774163: Unable to upgrade or install ttf-root-installer (dpkg: error processing package) because of invalid certificate on root.cern.ch

2014-12-29 Thread Carlos Alberto Lopez Perez
Package: ttf-root-installer
Version: 5.34.19+dfsg-1.1
Severity: grave


Hi, when upgrading my system ttf-root-installer
broke the upgrade because its configure script failed.

I tried to purge it completely and install it again,
unfortunately it broke again:

$ sudo apt-get install ttf-root-installer
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following NEW packages will be installed:
  ttf-root-installer
0 upgraded, 1 newly installed, 0 to remove and 633 not upgraded.
Need to get 28.1 kB of archives.
After this operation, 91.1 kB of additional disk space will be used.
Get:1 http://mirror.ovh.net/debian/ sid/contrib ttf-root-installer all 
5.34.19+dfsg-1.1 [28.1 kB]
Fetched 28.1 kB in 0s (135 kB/s)  
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
Preconfiguring packages ...
Selecting previously unselected package ttf-root-installer.
(Reading database ... 572464 files and directories currently installed.)
Preparing to unpack .../ttf-root-installer_5.34.19+dfsg-1.1_all.deb ...
Unpacking ttf-root-installer (5.34.19+dfsg-1.1) ...
Setting up ttf-root-installer (5.34.19+dfsg-1.1) ...
dpkg: error processing package ttf-root-installer (--configure):
 subprocess installed post-installation script returned error exit status 5
Errors were encountered while processing:
 ttf-root-installer
E: Sub-process /usr/bin/dpkg returned an error code (1)



Upon further investigation :


$ sudo DEBCONF_DEBUG=developer dpkg -D777 --configure ttf-root-installer
D01: ensure_diversions: new, (re)loading
D01: process queue pkg ttf-root-installer:all queue.len 0 progress 1, try 1
D40: checking dependencies of ttf-root-installer:all (- none)
D000400:   checking group ...
D000400: checking possibility  - debconf
D000400:   checking non-provided pkg debconf:all
D000400:   is installed, ok and found
D000400: found 3
D000400:   found 3 matched 0 possfixbytrig -
D000400:   checking group ...
D000400: checking possibility  - wget
D000400:   checking non-provided pkg wget:amd64
D000400:   is installed, ok and found
D000400: found 3
D000400:   found 3 matched 0 possfixbytrig -
D000400:   checking group ...
D000400: checking possibility  - xfonts-utils
D000400:   checking non-provided pkg xfonts-utils:amd64
D000400:   is installed, ok and found
D000400: found 3
D000400:   found 3 matched 0 possfixbytrig -
D40: ok 2 msgs 
D40: checking Breaks
D000400:  checking virtbroken root-ttf
Setting up ttf-root-installer (5.34.19+dfsg-1.1) ...
D02: fork/exec /var/lib/dpkg/info/ttf-root-installer.postinst ( configure  )
debconf (developer): frontend started
debconf (developer): frontend running, package name is ttf-root-installer
debconf (developer): starting /var/lib/dpkg/info/ttf-root-installer.config 
configure 
debconf (developer): -- TITLE ROOT TTF Installer
debconf (developer): -- 0
debconf (developer): -- INPUT high ttf-root-installer/blurb
debconf (developer): -- 30 question skipped
debconf (developer): -- INPUT high ttf-root-installer/dldir
debconf (developer): -- 30 question skipped
debconf (developer): -- GO 
debconf (developer): -- 0 ok
debconf (developer): -- GET ttf-root-installer/dldir
debconf (developer): -- 0 
debconf (developer): -- INPUT high ttf-root-installer/savedir
debconf (developer): -- 30 question skipped
debconf (developer): -- GO 
debconf (developer): -- 0 ok
debconf (developer): -- GET ttf-root-installer/savedir
debconf (developer): -- 0 
debconf (developer): starting /var/lib/dpkg/info/ttf-root-installer.postinst 
configure 
+ archive=ttf_fonts.tar.gz
+ db_get ttf-root-installer/dldir
+ _db_cmd GET ttf-root-installer/dldir
+ _db_internal_IFS= 

+ IFS= 
+ printf %s\n GET ttf-root-installer/dldir
+ IFS=  

+ IFS=
 read -r _db_internal_line
debconf (developer): -- GET ttf-root-installer/dldir
debconf (developer): -- 0 
+ RET=
+ return 0
+ LOCALCOPY=
+ db_get ttf-root-installer/savedir
+ _db_cmd GET ttf-root-installer/savedir
+ _db_internal_IFS= 

+ IFS= 
+ printf %s\n GET ttf-root-installer/savedir
+ debconf (developer): -- GET ttf-root-installer/savedir
IFS=

+ IFS=
 read -r _db_internal_line
debconf (developer): -- 0 
+ RET=
+ return 0
+ SAVEDIR=
+ test ! -f /var/cache/ttf-root-installer
+ echo
+ tr [:upper:] [:lower:]
+ test x != xnone
+ pwd
+ savdir=/
+ mktemp -d
+ tmpdir=/tmp/tmp.LG7ux68bWG
+ cd /tmp/tmp.LG7ux68bWG
+ test -z
+ wget --continue --tries=1 --dns-timeout=20 --connect-timeout=20 
--read-timeout=300 -q --directory-prefix . -c 
http://root.cern.ch/download/ttf/ttf_fonts.tar.gz
dpkg: error processing package ttf-root-installer (--configure):
 subprocess installed post-installation script returned error exit status 5
D01: ensure_diversions: same, skipping
Errors were encountered while processing:
 ttf-root-installer


Trying to reproduce it manually:

$ wget --continue --tries=1 --dns-timeout=20 --connect-timeout=20 

Bug#774163: Unable to upgrade or install ttf-root-installer (dpkg: error processing package) because of invalid certificate on root.cern.ch

2014-12-29 Thread Carlos Alberto Lopez Perez
Seems in the past there were also problems with this file served via
ftp. https://bugs.launchpad.net/ubuntu/+source/root-system/+bug/349860





Bug#773416: marked as done (ettercap: CVE-2014-6395 CVE-2014-6396 CVE-2014-9376 CVE-2014-9377 CVE-2014-9378 CVE-2014-9379 CVE-2014-9380 CVE-2014-9381)

2014-12-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 Dec 2014 19:03:26 +
with message-id e1y5fbc-oa...@franck.debian.org
and subject line Bug#773416: fixed in ettercap 1:0.7.3-2.1+squeeze2
has caused the Debian Bug report #773416,
regarding ettercap: CVE-2014-6395 CVE-2014-6396 CVE-2014-9376 CVE-2014-9377 
CVE-2014-9378 CVE-2014-9379 CVE-2014-9380 CVE-2014-9381
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
773416: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: ettercap
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see
https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/
for details and patches.

Cheers,
Moritz
---End Message---
---BeginMessage---
Source: ettercap
Source-Version: 1:0.7.3-2.1+squeeze2

We believe that the bug you reported is fixed in the latest version of
ettercap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nguyen Cong cong.nguyen...@toshiba-tsdv.com (supplier of updated ettercap 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 25 Dec 2014 15:43:59 +0700
Source: ettercap
Binary: ettercap-common ettercap ettercap-gtk
Architecture: source i386
Version: 1:0.7.3-2.1+squeeze2
Distribution: squeeze-lts
Urgency: medium
Maintainer: Murat Demirten mu...@debian.org
Changed-By: Nguyen Cong cong.nguyen...@toshiba-tsdv.com
Description: 
 ettercap   - Multipurpose sniffer/interceptor/logger for switched LAN
 ettercap-common - Common support files and plugins for ettercap
 ettercap-gtk - Multipurpose sniffer/interceptor/logger for switched LAN
Closes: 773416
Changes: 
 ettercap (1:0.7.3-2.1+squeeze2) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload.
   * Patch a bunch of security vulnerabilities (closes: #773416)
 - CVE-2014-9380 (Buffer over-read)
 - CVE-2014-9381 (Signedness error)
 See:
 https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/
 Patches taken from upstream
 - 6b196e011fa456499ed4650a360961a2f1323818 pull/608
 - 31b937298c8067e6b0c3217c95edceb983dfc4a2 pull/609
 Thanks to Nick Sampanis n.sampa...@obrela.com who is responsible for
 both finding and repairing these issues.

Bug#773722: marked as done (unzip: CVE-2014-8139 CVE-2014-8140 CVE-2014-8141)

2014-12-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 Dec 2014 19:17:05 +
with message-id e1y5fop-00028n...@franck.debian.org
and subject line Bug#773722: fixed in unzip 6.0-8+deb7u1
has caused the Debian Bug report #773722,
regarding unzip: CVE-2014-8139 CVE-2014-8140 CVE-2014-8141
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
773722: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773722
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Source: unzip
Version: 6.0-4
Severity: grave
Tags: security upstream

Hi,

the following vulnerabilities were published for unzip.

(disclaimer I was not yet able to verify any of those, but oCert
advisory claims to affect all unzip = 6.0).

CVE-2014-8139[0]:
CRC32 heap overflow

CVE-2014-8140[1]:
heap overflow in test_compr_eb

CVE-2014-8141[2]:
heap overflow in getZip64Data

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

More information are found in the corresponding Red Hat bugzilla
entries.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8139
[1] https://security-tracker.debian.org/tracker/CVE-2014-8140
[2] https://security-tracker.debian.org/tracker/CVE-2014-8141
[3] http://www.ocert.org/advisories/ocert-2014-011.html

Regards,
Salvatore
---End Message---
---BeginMessage---
Source: unzip
Source-Version: 6.0-8+deb7u1

We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso car...@debian.org (supplier of updated unzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 26 Dec 2014 20:04:35 +0100
Source: unzip
Binary: unzip
Architecture: source amd64
Version: 6.0-8+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Santiago Vila sanv...@debian.org
Changed-By: Salvatore Bonaccorso car...@debian.org
Description: 
 unzip  - De-archiver for .zip files
Closes: 773722
Changes: 
 unzip (6.0-8+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply upstream fix for three security bugs.
 CVE-2014-8139: CRC32 verification heap-based overflow
 CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
 CVE-2014-8141: out-of-bounds read issues in getZip64Data()
 (Closes: #773722)


Processed: tagging 773416, found 773416 in 1:0.7.3-2

2014-12-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tags 773416 + upstream fixed-upstream
Bug #773416 {Done: Nguyen Cong cong.nguyen...@toshiba-tsdv.com} [ettercap] 
ettercap: CVE-2014-6395 CVE-2014-6396 CVE-2014-9376 CVE-2014-9377 CVE-2014-9378 
CVE-2014-9379 CVE-2014-9380 CVE-2014-9381
Added tag(s) upstream and fixed-upstream.
 found 773416 1:0.7.3-2
Bug #773416 {Done: Nguyen Cong cong.nguyen...@toshiba-tsdv.com} [ettercap] 
ettercap: CVE-2014-6395 CVE-2014-6396 CVE-2014-9376 CVE-2014-9377 CVE-2014-9378 
CVE-2014-9379 CVE-2014-9380 CVE-2014-9381
Marked as found in versions ettercap/1:0.7.3-2.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
773416: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#773916: libical: Ship different constant values accross builds

2014-12-29 Thread Dimitri John Ledkov
On Thu, 25 Dec 2014 16:46:14 +0100 =?iso-8859-1?B?Suly6W15?= Bobbio
lu...@debian.org wrote:
 Package: libical-dev
 Version: 1.0-1.1
 Severity: critical
 User: reproducible-bui...@lists.alioth.debian.org
 Usertags: randomness

 Hi!

 While working on the “reproducible builds” effort [1], we have noticed
 that libical could not be built reproducibly:
 https://jenkins.debian.net/userContent/dbd/libical_1.0-1.1.debbindiff.html


Looks like perl script is used to generate the headers which is
using unsorted hash, hence random result. Sorting it seems to do the
trick.

If I fail to upload this, please upload it instead of me.

Regards,

Dimitri.


libical.debdiff
Description: Binary data


Processed: tagging 773916

2014-12-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tags 773916 + patch
Bug #773916 [libical-dev] libical: Ship different constant values accross builds
Added tag(s) patch.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
773916: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773916
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#773671: [Pkg-javascript-devel] Bug#773671: libv8-3.14: multiple security issues

2014-12-29 Thread Moritz Mühlenhoff
On Mon, Dec 29, 2014 at 12:28:30PM +0100, Bálint Réczey wrote:
 Hi Moritz,
 
 2014-12-29 3:01 GMT+01:00 Moritz Mühlenhoff j...@inutil.org:
  On Sun, Dec 21, 2014 at 03:19:42PM -0500, Michael Gilbert wrote:
  package: src:libv8-3.14
  severity: grave
  tags: security
 
  Hi,
 
  the following vulnerabilities were published for libv8-3.14.
 
  So if I'm understanding the discussion on debian-devel correctly
  the libv8 maintainers want to see this treated as an RC-bug.
  Please clarify your intentions, do you
 
  a) intend to fix these issues with patches and if that's not possible
  remove libv8 along with its rev deps?
 
  b) want to keep this with RC severity and tag it jessie-ignore.
  I would consider that rather broken since foo-ignore is used for
  issues which are ignored for once, but which will be addressed
  in release+1. I don't see the libv8 situation change upstream...
 The rationale behind opening the RC bugs was improving transparency on
 my side. I think more people follow bugs than the security tracker.

Ok. In the past we didn't file bugs on libv8 since they were unlikely
to be dealt with anyway. We'll file bugs for any future libv8 issues.

Cheers,
Moritz





Bug#748728: marked as done (id-utils and libuser: error when trying to install together)

2014-12-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 Dec 2014 21:26:11 +
with message-id e1y5hpl-0001ro...@franck.debian.org
and subject line Bug#748728: fixed in libuser 1:0.60~dfsg-1.2
has caused the Debian Bug report #748728,
regarding id-utils and libuser: error when trying to install together
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
748728: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=748728
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: libuser,id-utils
Version: libuser/1:0.60~dfsg-1
Version: id-utils/4.6+git20120811-4
Severity: serious
User: trei...@debian.org
Usertags: edos-file-overwrite

Date: 2014-05-20
Architecture: amd64
Distribution: sid

Hi,

automatic installation tests of packages that share a file and at the
same time do not conflict by their package dependency relationships has
detected the following problem:


Selecting previously unselected package libffi6:amd64.
(Reading database ... 10936 files and directories currently installed.)
Preparing to unpack .../libffi6_3.1~rc1+r3.0.13-12_amd64.deb ...
Unpacking libffi6:amd64 (3.1~rc1+r3.0.13-12) ...
Selecting previously unselected package libglib2.0-0:amd64.
Preparing to unpack .../libglib2.0-0_2.40.0-3_amd64.deb ...
Unpacking libglib2.0-0:amd64 (2.40.0-3) ...
Selecting previously unselected package id-utils.
Preparing to unpack .../id-utils_4.6+git20120811-4_amd64.deb ...
Unpacking id-utils (4.6+git20120811-4) ...
Selecting previously unselected package libuser1.
Preparing to unpack .../libuser1_1%3a0.60~dfsg-1_amd64.deb ...
Unpacking libuser1 (1:0.60~dfsg-1) ...
Selecting previously unselected package libuser.
Preparing to unpack .../libuser_1%3a0.60~dfsg-1_amd64.deb ...
Unpacking libuser (1:0.60~dfsg-1) ...
dpkg: error processing archive 
/var/cache/apt/archives/libuser_1%3a0.60~dfsg-1_amd64.deb (--unpack):
 trying to overwrite '/usr/share/man/man1/lid.1.gz', which is also in package 
id-utils 4.6+git20120811-4
Processing triggers for install-info (5.2.0.dfsg.1-3) ...
Processing triggers for man-db (2.6.7.1-1) ...
Errors were encountered while processing:
 /var/cache/apt/archives/libuser_1%3a0.60~dfsg-1_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)


This is a serious bug as it makes installation fail, and violates
sections 7.6.1 and 10.1 of the policy. An optimal solution would
consist in only one of the packages installing that file, and renaming
or removing the file in the other package. Depending on the
circumstances you might also consider Replace relations or file
diversions. If the conflicting situation cannot be resolved then, as a
last resort, the two packages have to declare a mutual
Conflict. Please take into account that Replaces, Conflicts and
diversions should only be used when packages provide different
implementations for the same functionality.

Here is a list of files that are known to be shared by both packages
(according to the Contents file for sid/amd64, which may be
slightly out of sync):

  /usr/share/man/man1/lid.1.gz

This bug has been filed against both packages. If you, the maintainers of
the two packages in question, have agreed on which of the packages will
resolve the problem please reassign the bug to that package. You may then
also register in the BTS that the other package is affected by the bug.

-Ralf.

PS: for more information about the detection of file overwrite errors
of this kind see http://edos.debian.net/file-overwrites/.
---End Message---
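The check described in the report above, as an added example (not the EDOS tooling and not code from either package): index a Contents-style listing by path and report package pairs that ship the same file without declaring Conflicts, Breaks or Replaces. The sections, the pkg-old/pkg-new entries and the RELATIONS table are constructed sample data, and version constraints on the relations are ignored.

```python
from collections import defaultdict
from itertools import combinations

# Constructed Contents-style index: "<path> <section/package>[,<section/package>...]".
# Only the lid.1.gz path and the id-utils/libuser names come from the report;
# sections and the pkg-old/pkg-new entries are hypothetical sample data.
CONTENTS = """\
usr/share/man/man1/lid.1.gz        devel/id-utils,admin/libuser
usr/bin/sample-tool                utils/pkg-old,utils/pkg-new
usr/share/doc/pkg-new/README       utils/pkg-new
"""

# Constructed relationship fields, as they would be read from each control file.
RELATIONS = {
    "id-utils": {},
    "libuser": {},
    "pkg-old": {},
    "pkg-new": {"Replaces": {"pkg-old"}, "Conflicts": {"pkg-old"}},
}


def parse_contents(text):
    """Map each absolute path to the sorted list of packages shipping it."""
    owners = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        # The path may contain spaces; the package list is the last field.
        path, locations = line.rsplit(None, 1)
        for location in locations.split(","):
            owners["/" + path.strip()].add(location.rsplit("/", 1)[-1])
    return {path: sorted(pkgs) for path, pkgs in owners.items()}


def declares(relations, a, b):
    """True if package a names package b in Conflicts, Breaks or Replaces."""
    fields = relations.get(a, {})
    return any(b in fields.get(f, ()) for f in ("Conflicts", "Breaks", "Replaces"))


def undeclared_overlaps(contents, relations):
    """Return {(pkg_a, pkg_b): [paths]} for shared files with no declared relation."""
    findings = defaultdict(list)
    for path, pkgs in sorted(contents.items()):
        for a, b in combinations(pkgs, 2):
            if not (declares(relations, a, b) or declares(relations, b, a)):
                findings[(a, b)].append(path)
    return dict(findings)


if __name__ == "__main__":
    index = parse_contents(CONTENTS)
    for (a, b), paths in undeclared_overlaps(index, RELATIONS).items():
        print(f"{a} and {b} both ship: {', '.join(paths)}")
```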
---BeginMessage---
Source: libuser
Source-Version: 1:0.60~dfsg-1.2

We believe that the bug you reported is fixed in the latest version of
libuser, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 748...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dimitri John Ledkov dimitri.j.led...@linux.intel.com (supplier of updated 
libuser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Mon, 29 Dec 2014 20:37:14 +
Source: libuser
Binary: libuser libuser1-dev libuser1 python-libuser
Architecture: amd64 source
Version: 1:0.60~dfsg-1.2
Distribution: unstable
Urgency: medium
Maintainer: Ghe Rivero g...@debian.org
Changed-By: Dimitri John 

Bug#773916: marked as done (libical: Ship different constant values accross builds)

2014-12-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 Dec 2014 21:26:01 +
with message-id e1y5hpb-0001la...@franck.debian.org
and subject line Bug#773916: fixed in libical 1.0-1.2
has caused the Debian Bug report #773916,
regarding libical: Ship different constant values accross builds
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
773916: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773916
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: libical-dev
Version: 1.0-1.1
Severity: critical
User: reproducible-bui...@lists.alioth.debian.org
Usertags: randomness

Hi!

While working on the “reproducible builds” effort [1], we have noticed
that libical could not be built reproducibly:
https://jenkins.debian.net/userContent/dbd/libical_1.0-1.1.debbindiff.html

The debbindiff output linked above shows that two builds of libical will
output different values for the constant defined in the icalvalue_kind
enum in ical.h and icalderivedvalue.h.

This is bad. It means that any software using these values will break
when libical is updated. After a quick look at the report, this might be
the cause for #766454.

The problem highly likely lies in the following code:
https://sources.debian.net/src/libical/1.0-1.1/scripts/mkderivedvalues.pl/?hl=66:74#L66
Sorting the keys before using them should make the output stable across
builds. Ideally this should be done in all similar constructs to enable
the package to build reproducibly.

Packages having a Build-Depends on libical-dev should probably be
binNMU'ed once this is fixed. That should be: agenda.app, asterisk,
bluez, cairo-dock-plug-ins, citadel, cyrus-imapd-2.4, evolution,
evolution-data-server, evolution-ews, gnokii, goldencheetah, ical2html,
kdepimlibs, kmymoney, libsynthesis, openchange, orage, osmo,
syncevolution, webcit.

 [1]: https://wiki.debian.org/ReproducibleBuilds

-- 
Lunar.''`. 
lu...@debian.org: :Ⓐ  :  # apt-get install anarchism
`. `'` 
  `-   


---End Message---
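The failure mode reported above, as an added example (not the libical generator script and not the uploaded patch): a generator that numbers enum members in hash-iteration order, a parser that reads the constants back out of two generated headers, and a comparison showing which constants a client built against one header would be misread as by a library built from the other. The two iteration orders, the member subset and the numeric values are constructed sample data.

```python
import re

# Constructed iteration orders (assumption: they model what an unordered hash
# yields in two separate builds; the member subset and numbers are sample
# data, not libical's real table).
ORDER_BUILD_A = ["BOOLEAN", "DATE", "STRING", "URI"]
ORDER_BUILD_B = ["DATE", "URI", "BOOLEAN", "STRING"]

ENUM_RE = re.compile(r"typedef\s+enum\s+(\w+)\s*\{(.*?)\}\s*\1\s*;", re.S)
MEMBER_RE = re.compile(r"(\w+)\s*=\s*(\d+)")


def generate_enum(keys, sort_keys):
    """Emit a C enum whose member values follow the iteration order of keys."""
    keys = sorted(keys) if sort_keys else list(keys)
    lines = ["typedef enum icalvalue_kind {", "    ICAL_ANY_VALUE=5000,"]
    value = 5000
    for name in keys:
        value += 1
        lines.append(f"    ICAL_{name}_VALUE={value},")
    lines.append(f"    ICAL_NO_VALUE={value + 1}")
    lines.append("} icalvalue_kind;")
    return "\n".join(lines) + "\n"


def parse_enum(header, enum_name):
    """Return {member: value} for the named typedef'd enum in header text."""
    for match in ENUM_RE.finditer(header):
        if match.group(1) == enum_name:
            return {n: int(v) for n, v in MEMBER_RE.findall(match.group(2))}
    raise ValueError(f"enum {enum_name} not found")


def enum_drift(old, new):
    """Members present in both builds whose numeric value changed."""
    return {n: (old[n], new[n]) for n in sorted(old) if n in new and old[n] != new[n]}


def misread_as(old, new):
    """For a client compiled against old: what new decodes each constant as."""
    by_value = {value: name for name, value in new.items()}
    return {n: by_value.get(v) for n, v in old.items() if by_value.get(v) != n}


def compare_builds(sort_keys):
    """Generate both builds, parse the headers back, and report the drift."""
    a = parse_enum(generate_enum(ORDER_BUILD_A, sort_keys), "icalvalue_kind")
    b = parse_enum(generate_enum(ORDER_BUILD_B, sort_keys), "icalvalue_kind")
    return enum_drift(a, b), misread_as(a, b)


if __name__ == "__main__":
    for sort_keys in (False, True):
        drift, misread = compare_builds(sort_keys)
        print(f"sort_keys={sort_keys}: {len(drift)} constants changed")
        for name, other in misread.items():
            print(f"  {name} would be decoded as {other}")
```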
---BeginMessage---
Source: libical
Source-Version: 1.0-1.2

We believe that the bug you reported is fixed in the latest version of
libical, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dimitri John Ledkov dimitri.j.led...@linux.intel.com (supplier of updated 
libical package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Mon, 29 Dec 2014 18:42:22 +
Source: libical
Binary: libical-dev libical1 libical-dbg
Architecture: amd64 source
Version: 1.0-1.2
Distribution: unstable
Urgency: medium
Maintainer: Fathi Boudra f...@debian.org
Changed-By: Dimitri John Ledkov dimitri.j.led...@linux.intel.com
Closes: 773916
Description: 
 libical1   - iCalendar library implementation in C (runtime)
 libical-dbg - debugging symbols for libical
 libical-dev - iCalendar library implementation in C (development)
Changes:
 libical (1.0-1.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Sort keys to generate reproducible source code. (Closes: #773916)

Processed: Fwd: Bug#773865: unblock: imagemagick/8:6.8.9.9-4 [security]

2014-12-29 Thread Debian Bug Tracking System
Processing control commands:

 severity -1 serious
Bug #770009 [imagemagick] Imagemagick FTBFS on mips on mips-aql-* not on ball
Severity set to 'serious' from 'important'

-- 
770009: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770009
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#772862: marked as done (wordpress: Trigger cycle causes dpkg to fail processing)

2014-12-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 Dec 2014 22:00:07 +
with message-id e1y5imb-0005wc...@franck.debian.org
and subject line Bug#772862: fixed in wordpress 4.1+dfsg-1
has caused the Debian Bug report #772862,
regarding wordpress: Trigger cycle causes dpkg to fail processing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
772862: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772862
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: wordpress
Version: 4.0.1+dfsg-2
Severity: serious

Hi!

This package can get involved in a trigger cycle. The problem is that
it installs interests on /usr/share/wordpress/wp-content with files
there provided by wordpress-theme-twentyfourteen, which is directly or
transitively depended on by wordpress itself.


A solution to the above is to simply switch the triggers to their
noawait variants, in this case from «interest» to «interest-noawait»,
as long as they are not critical for the activating packages, which I
cannot tell here. Otherwise a fix might unfortunately be more involved.

Thanks,
Guillem
---End Message---
---BeginMessage---
Source: wordpress
Source-Version: 4.1+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small csm...@debian.org (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 20 Dec 2014 15:31:21 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen 
wordpress-theme-twentyfourteen wordpress-theme-twentythirteen
Architecture: source all
Version: 4.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small csm...@debian.org
Changed-By: Craig Small csm...@debian.org
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
Closes: 762523 772862 773075
Changes:
 wordpress (4.1+dfsg-1) unstable; urgency=medium
 .
   * New upstream release
   * Changed trigger to noawait Closes: #772862
   * Updated apache example Closes: #773075
   * Updated to standards 3.9.6
   * Added getid3 and mediaelement to linktree Closes: #762523
   * Removed two unbuildable mediaelement files

Bug#764630: RFS: javatools 0.48 [RC]

2014-12-29 Thread Markus Koschany
On Sun, 21. Dec 09:57 tony mancill tmanc...@debian.org wrote:
 On 12/15/2014 12:06 AM, Mathieu Malaterre wrote:
  On Sun, Dec 14, 2014 at 6:50 PM, Markus Koschany a...@gambaru.de wrote:
  [...]
  Actually what was the reasoning behind the choice to use a custom shell
  script like jarwrapper instead of jexec to register executable jars with
  binfmt-misc? This question also came up in the bug report.
 
  Here is my guess:
  `jexec` only works with openjdk installed. At one point debian had
  multiple java implementation (sun, kaffe...). These days only two
  really remains, so maybe an easier solution would be to have a
  `gcj-exec` provided by `gcj-jdk` to mimic openjdk package. Which means
  it would be much easier to handle the LD_LIBRARY_PATH issue within the
  `gcj-exec` executable.
 
  jarwrapper is only really needed with a custom jre installation...

 That sounds reasonable to me, although it can be hard in practice to
 keep things functional for users running non-Debian JRE packages.  Which
 is not to say that we shouldn't generally discourage jarwrapper...

I think before we create another solution like gcj-exec, it is easier to
maintain the current implementation of jarwrapper. I agree that gcj's
handling of LD_LIBRARY_PATH and Multiarch could be improved but in my
opinion there are other aspects about gcj which deserve even more
attention. Most modern Java applications just don't work with it.

I suggest to upload the fix for #764630 now. I just saw tony's email
from the 21st. The current state on master is final. I haven't planned
any further changes to jarwrapper. Please go ahead.

Regards,

Markus




Bug#772008: CVE request: mpfr: buffer overflow in mpfr_strtofr

2014-12-29 Thread Moritz Muehlenhoff
On Mon, Dec 08, 2014 at 01:45:12PM +0100, Vasyl Kaigorodov wrote:
 Hello,
 
 A buffer overflow was reported [1] in mpfr.
 This is due to incorrect GMP documentation for mpn_set_str about the
 size of a buffer (discussion is at [1]; first fix in the GMP
 documentation is at [2]). This bug is present in the MPFR versions
 from 2.1.0 (adding mpfr_strtofr) to this one, and can be detected by
 running make check in a 32-bit ABI under GNU/Linux with alloca
 disabled (this is currently possible by using the --with-gmp-build
 configure option where alloca has been disabled in the GMP build). It
 is fixed by the strtofr patch [3].
 Corresponding changeset in the 3.1 branch: 9110 [4].
 
 [1]: https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html
 [2]: https://gmplib.org/repo/gmp-5.1/raw-rev/d19172622a74
 [3]: http://www.mpfr.org/mpfr-3.1.2/patch11
 [4]: https://gforge.inria.fr/scm/viewvc.php?view=rev&root=mpfr&revision=9110
 
 References:
 - https://bugzilla.redhat.com/show_bug.cgi?id=1171701
 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772008
 
 Can a CVE be assigned to this please?

This seems to have fallen through the cracks, adding cve-ass...@mitre.org
to CC.

Cheers,
Moritz





Bug#773783: marked as done (nftables 0.3 should not be released with jessie)

2014-12-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 Dec 2014 16:30:22 -0800
with message-id 
caczd_tdm9rd1blz4pgvdy_cvze4bqpveh1nmu6gjmsoz0a-...@mail.gmail.com
and subject line Closing #773783, #773784
has caused the Debian Bug report #773783,
regarding nftables 0.3 should not be released with jessie
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
773783: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773783
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: nftables
Version: 0.3-1
Severity: serious

This package is unsuitable in a stable system.
---End Message---
---BeginMessage---
nftables and libnftnl have been removed from jessie, thus I'm closing
these bug reports (these packages will not automatically migrate to
testing until the freeze is lifted).

Vincent
---End Message---


Bug#773784: marked as done (libnftnl 1.0.2-1 should not be released with jessie)

2014-12-29 Thread Debian Bug Tracking System
Your message dated Mon, 29 Dec 2014 16:30:22 -0800
with message-id 
caczd_tdm9rd1blz4pgvdy_cvze4bqpveh1nmu6gjmsoz0a-...@mail.gmail.com
and subject line Closing #773783, #773784
has caused the Debian Bug report #773784,
regarding libnftnl 1.0.2-1 should not be released with jessie
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
773784: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773784
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: libnftnl
Version: 1.0.2-1
Severity: serious

This package is unsuitable for a stable system.
---End Message---
---BeginMessage---
nftables and libnftnl have been removed from jessie, thus I'm closing
these bug reports (these packages will not automatically migrate to
testing until the freeze is lifted).

Vincent
---End Message---


Bug#755597: marked as done (django-conneg: Please ensure it works with Django 1.7)

2014-12-29 Thread Debian Bug Tracking System
Your message dated Tue, 30 Dec 2014 01:33:27 +
with message-id e1y5lgd-0006xf...@franck.debian.org
and subject line Bug#755597: fixed in django-conneg 0.9.4-2
has caused the Debian Bug report #755597,
regarding django-conneg: Please ensure it works with Django 1.7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
755597: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755597
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Source: django-conneg
Version: 0.9.4-1
Severity: important
User: python-dja...@packages.debian.org
Usertags: django17

Hello,

your package django-conneg depends on python-django. As you might
know, Django 1.7 will be soon available and as each new upstream major
version, it brings many changes, some of them which are backwards
incompatible (after a deprecation period covering 2 major versions):
https://docs.djangoproject.com/en/1.7/releases/1.7/
https://docs.djangoproject.com/en/1.7/releases/1.7/#backwards-incompatible-changes-in-1-7

We intend to upload Django 1.7 to unstable as soon as it is available
because we really want the latest version in jessie and the freeze is
approaching fast. In preparation of that, I have uploaded a release
candidate in experimental.

Please test your package against Django 1.7 in experimental. If a new
upstream version of your package is required, please package it now.
If you can't upload it to unstable because it only works with Django 1.7,
feel free to upload it to experimental too.

If the current package works fine, please close this bug (or retitle it as
a suggestion to implement Python 3 support and drop its severity to
wishlist[1]). If it's broken, please tag it as confirmed. If it's not
broken, but would benefit from further work, please tag it as confirmed
but reduce the severity.

If you have experimental in your sources.list you can install the latest
version easily:
$ sudo apt-get install -t experimental python-django python3-django

[1] We have recently added Python 3 support with the addition of
python3-django. Consider doing the same if your package is a Django
application/library.

Thank you for your help!

PS: I will raise the confirmed bugs that are still of severity
important to serious once we upload Django 1.7 to unstable.
---End Message---
---BeginMessage---
Source: django-conneg
Source-Version: 0.9.4-2

We believe that the bug you reported is fixed in the latest version of
django-conneg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 755...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordan Metzmeier jmetzmeie...@gmail.com (supplier of updated django-conneg 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 04 Nov 2014 22:48:58 -0600
Source: django-conneg
Binary: python-django-conneg
Architecture: source all
Version: 0.9.4-2
Distribution: unstable
Urgency: medium
Maintainer: Olivier Berger ober...@debian.org
Changed-By: Jordan Metzmeier jmetzmeie...@gmail.com
Description:
 python-django-conneg - Framework for content-negotiated views in Django
Closes: 755597
Changes:
 django-conneg (0.9.4-2) unstable; urgency=medium
 .
   * Apply upstream patch to fix build failures with Django 1.7 (Closes: 
#755597)


Bug#774191: [dbab] wrong path

2014-12-29 Thread Dimitris
Package: dbab
Version: 1.1.2-1
Severity: grave

--- Please enter the report below this line. ---
hey,

just installed this package, (thanks for packaging it, looks
interesting... :-) )

but it is unusable, dbab service doesn't start and standalone commands
fail on a fresh install.
problem is in the /usr/sbin/dbab-* scripts that look for dbab-* config
files in /etc/ , instead of /etc/dbab/ as described by the package:
https://packages.debian.org/sid/all/dbab/filelist
man page also describes wrong paths in FILES section.

also (maybe in a separate bug report?) daemon/service paths are wrong
(typo), pointing to /usr/sbin/dbab-srv, instead of /usr/sbin/dbab-svr,
and make the daemon unusable as well..

changing the paths to everything above, and starting it, looks up and
working :)

thx,
dimitris.




--- System information. ---
Architecture: amd64
Kernel:   Linux 3.16.0-4-amd64

Debian Release: 8.0
  500 unstable        http.debian.net
  500 testing         security.debian.org
  500 testing         http.debian.net
  500 stable          deb.opera.com

--- Package information. ---
Package's Depends field is empty.

Package's Recommends field is empty.

Package's Suggests field is empty.








Bug#774192: CVE-2014-9057

2014-12-29 Thread Moritz Muehlenhoff
Source: movabletype-opensource
Severity: grave
Tags: security

Hi,
please see https://movabletype.org/news/2014/12/6.0.6.html 

Cheers,
Moritz





Bug#774194: CVE-2014-9218 CVE-2014-9219

2014-12-29 Thread Moritz Muehlenhoff
Package: phpmyadmin
Severity: grave
Tags: security

Please see:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-17.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-18.php

Cheers,
Moritz





Bug#774191: [dbab] wrong path

2014-12-29 Thread Tong Sun
On Mon, Dec 29, 2014 at 8:34 PM, Dimitris dimit...@stinpriza.org wrote:

 just installed this package, (thanks for packaging it, looks
 interesting... :-) )

 but it is unusable, dbab service doesn't start and standalone commands
 fail on a fresh install.

Hi dimitris,

Thanks for your interest and sorry for the problems, which need some
explanation.

All the reported problems have been fixed in version 1.2.2-1, which
was uploaded to mentors about 7 days ago. Somehow the uploading to
Debian part was delayed. Today, as the dbab package was officially
included in Debian repo, dbab was removed from mentors, including the
upgraded version 1.2.2-1.

I'll redo the mentors uploading, and inform my sponsor again.

Thanks for your interest; I hope that the upgraded version will be in
Debian sooner this time.

tong





Bug#774191: Please sponsor dbab, the dnsmasq-based ad-blocker

2014-12-29 Thread Tong Sun
Hi Wookey,

Thanks for your help, the dbab package is now officially included in
Debian repo, and we have a bug report opened already.

Due to the fact that dbab was removed from mentors, including the
upgraded version 1.2.2-1, I've re-uploaded it to mentors again,
closing bug #774191 as well this time.

The respective dsc file can be found at:
http://mentors.debian.net/debian/pool/main/d/dbab/dbab_1.2.2-1.dsc

Please upload it at your earliest convenience.

Thanks

tong





Processed: user debian-secur...@lists.debian.org, usertagging 774192, tagging 774192 ..., usertagging 774194 ...

2014-12-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 user debian-secur...@lists.debian.org
Setting user to debian-secur...@lists.debian.org (was car...@debian.org).
 usertags 774192 + tracked
There were no usertags set.
Usertags are now: tracked.
 tags 774192 + upstream fixed-upstream
Bug #774192 [src:movabletype-opensource] CVE-2014-9057
Added tag(s) upstream and fixed-upstream.
 retitle 774192 movabletype-opensource: CVE-2014-9057
Bug #774192 [src:movabletype-opensource] CVE-2014-9057
Changed Bug title to 'movabletype-opensource: CVE-2014-9057' from 
'CVE-2014-9057'
 usertags 774194 + tracked
There were no usertags set.
Usertags are now: tracked.
 tags 774194 + upstream fixed-upstream
Bug #774194 [phpmyadmin] CVE-2014-9218 CVE-2014-9219
Added tag(s) upstream and fixed-upstream.
 retitle 774194 phpmyadmin: CVE-2014-9218 CVE-2014-9219
Bug #774194 [phpmyadmin] CVE-2014-9218 CVE-2014-9219
Changed Bug title to 'phpmyadmin: CVE-2014-9218 CVE-2014-9219' from 
'CVE-2014-9218 CVE-2014-9219'
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
774192: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774192
774194: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774194
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: severity of 774185 is serious ..., found 774185 in 1.2.9-1

2014-12-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 # Justification: Maintainers opinion
 severity 774185 serious
Bug #774185 [libsys-virt-perl] libsys-virt-perl: Relax dependency on 
libvirt-bin to recommends
Severity set to 'serious' from 'normal'
 retitle 774185 libsys-virt-perl: Wrong runtime dependency on libvirt-bin
Bug #774185 [libsys-virt-perl] libsys-virt-perl: Relax dependency on 
libvirt-bin to recommends
Changed Bug title to 'libsys-virt-perl: Wrong runtime dependency on 
libvirt-bin' from 'libsys-virt-perl: Relax dependency on libvirt-bin to 
recommends'
 found 774185 1.2.9-1
Bug #774185 [libsys-virt-perl] libsys-virt-perl: Wrong runtime dependency on 
libvirt-bin
Marked as found in versions libsys-virt-perl/1.2.9-1.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
774185: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774185
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Processed: tagging 774185

2014-12-29 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tags 774185 + pending
Bug #774185 [libsys-virt-perl] libsys-virt-perl: Wrong runtime dependency on 
libvirt-bin
Added tag(s) pending.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
774185: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774185
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#774192: CVE-2014-9057

2014-12-29 Thread Salvatore Bonaccorso
Control: tags -1 + patch
Control: found -1 5.1.4+dfsg-4

Hi Dominic,

On Tue, Dec 30, 2014 at 02:56:31AM +0100, Moritz Muehlenhoff wrote:
 Source: movabletype-opensource
 Severity: grave
 Tags: security
 
 Hi,
 please see https://movabletype.org/news/2014/12/6.0.6.html 

Attached is the extracted patch for the 5.2.x series.

Regards,
Salvatore
--- a/lib/MT/XMLRPCServer.pm	2013-11-07 04:55:39.0 +0100
+++ b/lib/MT/XMLRPCServer.pm	2014-12-24 11:13:10.0 +0100
@@ -78,6 +78,18 @@
 $HAVE_XML_PARSER = $@ ? 0 : 1;
 }
 
+sub _validate_params {
+my ($params) = @_;
+
+foreach my $p (@$params) {
+die _fault( MT-translate(Invalid parameter) )
+if ( 'ARRAY' eq ref $p )
+or ( 'HASH' eq ref $p );
+}
+
+return 1;
+}
+
 sub _fault {
 my $mt  = MT::XMLRPCServer::Util::mt_new();
 my $enc = $mt-config('PublishCharset');
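Review bot: _validate_params rejects only values whose ref is exactly 'ARRAY' or 'HASH', so every other reference type still passes as a valid parameter: a SCALAR or CODE reference, or any blessed object, since ref on a blessed hash returns the class name rather than 'HASH'. If the callers expect plain scalars, rejecting any value for which ref is true would be the stricter check. If some typed values arrive as objects and must be let through, that deserves a comment above the sub, which currently has none.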
@@ -126,6 +138,7 @@
 sub _login {
 my $class = shift;
 my ( $user, $pass, $blog_id ) = @_;
+
 my $mt  = MT::XMLRPCServer::Util::mt_new();
 my $enc = $mt-config('PublishCharset');
 require MT::Author;
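Review bot: the only change to _login in this hunk is an added blank line, and the four hunks that follow (the category search, the two MT::Placement load calls, the title assignment) are likewise whitespace-only reflows. For a security backport I would drop them so the diff carries just the validation change; that makes the patch easier to audit and less likely to conflict with other patches applied to the package.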
@@ -274,11 +287,10 @@
 my $cat_class = MT-model('category');
 
 # The spec says to ignore invalid category names.
-@categories = grep {defined} $cat_class-search(
-{   blog_id = $entry-blog_id,
-label   = $cats,
-}
-);
+@categories
+= grep {defined}
+$cat_class-search(
+{ blog_id = $entry-blog_id, label = $cats, } );
 }
 }
 
@@ -288,10 +300,7 @@
 my $place;
 if ($is_primary_placement) {
 $place = MT::Placement-load(
-{   entry_id   = $entry-id,
-is_primary = 1,
-}
-);
+{ entry_id = $entry-id, is_primary = 1, } );
 }
 if ( !$place ) {
 $place = MT::Placement-new;
@@ -310,10 +319,7 @@
 # Delete all the secondary placements, so each of the remaining
 # iterations of the loop make a brand new placement.
 my @old_places = MT::Placement-load(
-{   entry_id   = $entry-id,
-is_primary = 0,
-}
-);
+{ entry_id = $entry-id, is_primary = 0, } );
 for my $place (@old_places) {
 $place-remove;
 }
@@ -391,8 +397,7 @@
 );
 $entry-allow_comments( $item-{mt_allow_comments} )
 if exists $item-{mt_allow_comments};
-$entry-title( $item-{title} )
-if exists $item-{title};
+$entry-title( $item-{title} ) if exists $item-{title};
 
 $class-_apply_basename( $entry, $item, \%param );
 
@@ -488,6 +493,21 @@
 else {
 ( $blog_id, $user, $pass, $item, $publish ) = @_;
 }
+
+_validate_params( [ $blog_id, $user, $pass, $publish ] ) or return;
+my $values;
+foreach my $k ( keys %$item ) {
+if ( 'categories' eq $k || 'mt_tb_ping_urls' eq $k ) {
+
+# XMLRPC supports categories array and mt_tb_ping_urls array
+_validate_params( \@{ $item-{$k} } ) or return;
+}
+else {
+push @$values, $item-{$k};
+}
+}
+_validate_params( \@$values ) or return;
+
 $class-_new_entry(
 blog_id = $blog_id,
 user= $user,
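Review bot: in the loop added to newPost, neither $item nor $item->{$k} is type-checked before it is dereferenced. "keys %$item" assumes a hash reference, and "\@{ $item->{$k} }" assumes that categories and mt_tb_ping_urls hold array references. A request that sends a string or a struct in one of those places never reaches the "Invalid parameter" fault: it dies with a raw Perl error instead, or, if strict refs is not in effect, the string is taken as a symbolic reference. Suggest checking 'HASH' eq ref $item and 'ARRAY' eq ref $item->{$k} first and calling _fault when either test fails.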
@@ -500,6 +520,21 @@
 sub newPage {
 my $class = shift;
 my ( $blog_id, $user, $pass, $item, $publish ) = @_;
+
+_validate_params( [ $blog_id, $user, $pass, $publish ] ) or return;
+my $values;
+foreach my $k ( keys %$item ) {
+if ( 'mt_tb_ping_urls' eq $k ) {
+
+# XMLRPC supports mt_tb_ping_urls array
+_validate_params( \@{ $item-{$k} } ) or return;
+}
+else {
+push @$values, $item-{$k};
+}
+}
+_validate_params( \@$values ) or return;
+
 $class-_new_entry(
 blog_id = $blog_id,
 user= $user,
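Review bot: the block added to newPage is a copy of the one in newPost, differing only in that 'categories' is not among the keys allowed to hold an array, and the same block is pasted again into editPost and editPage. Suggest one helper that takes $item and the list of array-valued keys, so the per-method allow-list is the only thing that varies and a later fix cannot be applied to one copy and missed in another.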
@@ -648,6 +683,21 @@
 else {
 ( $entry_id, $user, $pass, $item, $publish ) = @_;
 }
+
+_validate_params( [ $entry_id, $user, $pass, $publish ] ) or return;
+my $values;
+foreach my $k ( keys %$item ) {
+if ( 'categories' eq $k || 'mt_tb_ping_urls' eq $k ) {
+
+# XMLRPC supports categories array and mt_tb_ping_urls array
+_validate_params( \@{ $item-{$k} } ) or return;
+}
+else {
+push @$values, $item-{$k};
+}
+}
+_validate_params( \@$values ) or return;
+
 $class-_edit_entry(
 entry_id = $entry_id,
 user = $user,
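Review bot: the "or return" after each _validate_params call in editPost can never fire, because the sub either dies via _fault or returns 1. It is harmless, but it tells a reader that a false return is a possible outcome and that the method would then hand an empty result back to the client. Either drop the "or return", or have _validate_params return false and let the caller raise the fault; the same applies to the calls added in newPost and newPage.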
@@ -660,6 +710,22 @@
 sub editPage {
 my $class = shift;
 my ( $blog_id, $entry_id, $user, $pass, $item, $publish ) = @_;
+
+_validate_params( [ $blog_id, $entry_id, $user, $pass, $publish ] )
+or return;
+my $values;
+foreach my $k ( keys %$item ) {
+if ( 

Processed: Re: Bug#774192: CVE-2014-9057

2014-12-29 Thread Debian Bug Tracking System
Processing control commands:

 tags -1 + patch
Bug #774192 [src:movabletype-opensource] movabletype-opensource: CVE-2014-9057
Added tag(s) patch.
 found -1 5.1.4+dfsg-4
Bug #774192 [src:movabletype-opensource] movabletype-opensource: CVE-2014-9057
Marked as found in versions movabletype-opensource/5.1.4+dfsg-4.

-- 
774192: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774192
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

