Bug#1064034: FTBFS: Expired test certificate
Package: ruby3.1
Version: 3.1.2-8
Severity: serious
Tags: ftbfs

A build of ruby3.1 fails on the test stage, since multiple test/net/http/test_https.rb tests return

> "ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 peeraddr=(null) state=error: sslv3 alert certificate expired\n"

where no error was expected.

Failing tests: TestNetHTTPS#test_get, TestNetHTTPS#test_skip_hostname_verification, TestNetHTTPS#test_skip_hostname_verification, TestNetHTTPS#test_post, TestNetHTTPS#test_min_version, TestNetHTTPS#test_get_SNI, TestNetHTTPS#test_get, TestNetHTTPS#test_post, TestNetHTTPS#test_min_version, TestNetHTTPS#test_get_SNI

The actual reason is that the certificate it uses (file test/net/fixtures/server.crt) *IS* expired:

$ openssl x509 -in test/net/fixtures/server.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, ST = Shimane, L = Matz-e city, O = Ruby Core Team, CN = Ruby Test CA, emailAddress = secur...@ruby-lang.org
        Validity
            Not Before: Jan 2 03:27:13 2019 GMT
            Not After : Jan 1 03:27:13 2024 GMT
        Subject: C = JP, ST = Shimane, O = Ruby Core Team, OU = Ruby Test, CN = localhost

This was fixed upstream on https://github.com/ruby/ruby/commit/d3933fc753187a055a4904af82f5f3794c88c416
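An added example (not part of the bug report or of Ruby's test suite): a check that flags PEM certificates that are expired or close to expiry, the condition that broke test/net/fixtures/server.crt above. The function names, the 90-day warning window and the self-signed sample certificate are assumptions constructed for this example.

```ruby
require "openssl"

# Classify one PEM certificate relative to `now`.
# Returns :not_yet_valid, :expired, :expiring (inside warn_days) or :ok.
def cert_status(pem, now: Time.now, warn_days: 90)
  cert = OpenSSL::X509::Certificate.new(pem)
  return :not_yet_valid if now < cert.not_before
  return :expired if now > cert.not_after
  return :expiring if cert.not_after - now < warn_days * 86_400
  :ok
end

# Audit a {name => pem} hash; returns only the entries that need attention.
def audit_certs(pems, now: Time.now, warn_days: 90)
  pems.map { |name, pem| [name, cert_status(pem, now: now, warn_days: warn_days)] }
      .reject { |_, status| status == :ok }
      .to_h
end

# Constructed sample input: a throwaway self-signed certificate with a
# caller-chosen validity window (hypothetical helper, not a Ruby fixture).
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)

def sample_cert(not_before, not_after)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 2
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = SAMPLE_KEY.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(SAMPLE_KEY, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

# Command-line use: pass certificate paths as arguments.
if __FILE__ == $PROGRAM_NAME
  pems = ARGV.to_h { |path| [path, File.read(path)] }
  audit_certs(pems).each { |path, status| puts "#{path}: #{status}" }
end
```

Run as a scheduled job over a source tree's fixture certificates, this reports the problem while the status is still `expiring`, before the build starts failing.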
Bug#1042530: [request-tracker-maintainers] Bug#1042530
Control: tags -1 +upstream
Control: severity -1 normal

Resetting severity to normal, as it was a result of the FTBFS.

There's an old ckeditor version bundled by upstream. It's not confirmed if the CVE can be exploited in RT. Should be fixed, but not a release-critical issue.
Bug#1042527: [request-tracker-maintainers] Bug#1042527: request-tracker5: Include ckeditor minimified
Control: tags +upstream
Control: severity normal

Resetting severity to normal, as it was a result of the FTBFS.

There's an old ckeditor version bundled by upstream. It's not confirmed if the CVE can be exploited in RT. Should be fixed, but not a release-critical issue.
Bug#1042527: [request-tracker-maintainers] Bug#1042527: request-tracker5: Include ckeditor minimified
tags 1042527 -ftbfs

Hello Bastien

Upstream does provide only a minified javascript in their release tarball, but Debian package includes the source of the ckeditor used within the third-party tarball
http://deb.debian.org/debian/pool/main/r/request-tracker5/request-tracker5_5.0.3+dfsg.orig-third-party-source.tar.gz
and minifies that source during the build process with the debian/build-final-ckeditor.sh script.

There is more information on the history of this tarball on the bug with upstream
https://rt.bestpractical.com/Ticket/Display.html?id=37009

Regards
Bug#1026669: request-tracker5: FTBFS: can't locate java: No such file or directory
The error here is that ./debian/build-final-ckeditor.sh fails with « can't locate java: No such file or directory »

This script is actually calling ckbuilder ( jexec /usr/bin/ckbuilder -- build ... )

However, the package correctly lists ckbuilder as a build-dep, and ckbuilder itself depends on java ( default-jre | java{7..11}-runtime)

The full build log shows that java *was* installed, *and* that it provided the usual suspects:

> update-alternatives: using /usr/lib/jvm/java-17-openjdk-amd64/bin/java to provide /usr/bin/java (java) in auto mode
> update-alternatives: using /usr/lib/jvm/java-17-openjdk-amd64/bin/jpackage to provide /usr/bin/jpackage (jpackage) in auto mode
> update-alternatives: using /usr/lib/jvm/java-17-openjdk-amd64/bin/keytool to provide /usr/bin/keytool (keytool) in auto mode
> update-alternatives: using /usr/lib/jvm/java-17-openjdk-amd64/bin/rmiregistry to provide /usr/bin/rmiregistry (rmiregistry) in auto mode
> update-alternatives: using /usr/lib/jvm/java-17-openjdk-amd64/lib/jexec to provide /usr/bin/jexec (jexec) in auto mode
Bug#984520: 'error: symbol "grub_register_command_lockdown" not found' and then lightdm fails to start
Package: grub2
Version: 2.02+dfsg1-20+deb10u4
Followup-For: Bug #984520

Dear Maintainer,

I am also facing this error every now and then. Sometimes GRUB doesn't boot and keeps showing "error: symbol `grub_register_command_lockdown' not found.". On pressing any key, GRUB restarts and I get the same error again.

I can fix the issue by booting into a Knoppix live, mounting the filesystem under /mnt, chrooting into it and running grub-install /dev/sda. However, it's quite annoying and time-wasting.

I wonder how it is possible to fix the problem just by running the grub-install command again. I don't know either what's triggering this issue, but I think the one to blame is some kernel upgrade which triggers a grub-update.

Yours faithfully,

-- Package-specific info:

*** BEGIN /proc/mounts
/dev/mapper/root / ext4 rw,relatime,errors=remount-ro 0 0
/dev/vda1 /boot ext3 rw,relatime,errors=remount-ro 0 0
/dev/mapper/var /var ext4 rw,relatime,errors=remount-ro 0 0
*** END /proc/mounts

*** BEGIN /boot/grub/device.map
(fd0) /dev/fd0
(hd0) /dev/vda
(hd1) /dev/vdb
*** END /boot/grub/device.map

*** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
  set have_grubenv=true
  load_env
fi
if [ "${next_entry}" ] ; then
  set default="${next_entry}"
  set next_entry=
  save_env next_entry
  set boot_once=true
else
  set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}
function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
  font=unicode
else
  insmod ext2
  if [ x$feature_platform_search_hint = xy ]; then
    search --no-floppy --fs-uuid --set=root b80ab3af-3b43-40f4-99b1-168a721ea949
  else
    search --no-floppy --fs-uuid --set=root b80ab3af-3b43-40f4-99b1-168a721ea949
  fi
  font="/usr/share/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_US
  insmod gettext
fi
terminal_output gfxterm
if [ "${recordfail}" = 1 ] ; then
  set timeout=30
else
  if [ x$feature_timeout_style = xy ] ; then
    set timeout_style=menu
    set timeout=30
  # Fallback normal timeout code in case the timeout_style feature is
  # unavailable.
  else
    set timeout=30
  fi
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_linux ###
function gfxmode {
  set gfxpayload="${1}"
}
set linux_gfx_mode=
export linux_gfx_mode
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-b80ab3af-3b43-40f4-99b1-168a721ea949' {
  load_video
  insmod gzio
  if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
  insmod part_msdos
  insmod ext2
  set root='hd0,msdos1'
  if [ x$feature_platform_search_hint = xy ]; then
    search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1' 0dfb2e8d-27fe-4ff5-bf51-3d873f3910b9
  else
    search --no-floppy --fs-uuid --set=root 0dfb2e8d-27fe-4ff5-bf51-3d873f3910b9
  fi
  echo 'Loading Linux 4.19.0-16-amd64 ...'
  linux /vmlinuz-4.19.0-16-amd64 root=UUID=b80ab3af-3b43-40f4-99b1-168a721ea949 ro quiet systemd.show_status=1 acpi=force net.ifnames=0 biosdevname=0 rd.luks.name=c9430ec8-ae4b-4a84-9371-9746e87fff7c=root rd.neednet=1 ip=10.0.0.121:::255.255.255.0:tornavacas:eth1:none:10.0.0.103:10.0.0.104
  echo 'Loading initial ramdisk ...'
  initrd /initrd.img-4.19.0-16-amd64
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-b80ab3af-3b43-40f4-99b1-168a721ea949' {
  menuentry 'Debian GNU/Linux, with Linux 4.19.0-16-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.19.0-16-amd64-advanced-b80ab3af-3b43-40f4-99b1-168a721ea949' {
    load_video
    insmod gzio
    if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
    insmod part_m
Bug#928415: armagadd-on-2.0
Changing "xpinstall.signatures.required" to "false" will work on builds without MOZ_REQUIRE_SIGNING. This can be checked by going to resource://gre/modules/AppConstants.jsm and checking the value of MOZ_REQUIRE_SIGNING; if it is false, the signatures can be disabled with the above config. Note it will not work on official mozilla builds. But it does on Debian.¹

There were a couple of upstream commits for working around the bug:
https://hg.mozilla.org/releases/mozilla-beta/rev/d716b75b8ac3f4588061e720074c093dae08e43e
https://hg.mozilla.org/releases/mozilla-beta/rev/f272348572e8160a73001b85013f35db51397064
although they later reverted them.

The studies released by mozilla to fix this are:

* hotfix-update-xpi-signing-intermediate-bug-1548973:
  https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi
  (sha256 b25031ac78020aad3be1fb8144cacbcf4a9b2d866585f066a577c10b835cd800, it's signed by mozilla like other xpis)

* hotfix-reset-xpi-verification-timestamp-1548973 seems to be just a preference change for app.update.lastUpdateTime.xpi-signature-verification (in order to trigger a xpi recheck):

  "hotfix-reset-xpi-verification-timestamp-1548973": {
    "name": "hotfix-reset-xpi-verification-timestamp-1548973",
    "branch": "hotfix",
    "expired": false,
    "lastSeen": "2019-05-04T21:13:01.960Z",
    "preferenceName": "app.update.lastUpdateTime.xpi-signature-verification",
    "preferenceValue": 1556945257,
    "preferenceType": "integer",
    "previousPreferenceValue": 0,
    "preferenceBranchType": "user",
    "experimentType": "exp"
  },

Installing hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi manually also makes extensions work on Debian. Disabled addons don't get reenabled, but resetting app.update.lastUpdateTime.xpi-signature-verification to an older value also makes them work again a little after restart.

¹ Also on Ubuntu, and probably on the rest of distros using a derivative package as well.
Bug#876274: wordpress: 9 security bugs in wordpress 4.8.1 and earlier
Rodrigo Campos wrote:
> It's already on sid and a backport is ready, will ask for BSA and craig will
> upload when the BSA is assigned.

What about the versions on wheezy/jessie/stretch? Should they be handled on this bug, get a new one for each, or will they simply be handled without one by the security team, now they have CVEs¹?

¹ These issues got assigned CVE-2017-14718 to CVE-2017-14726

Thanks!
Bug#876274: wordpress: 9 security bugs in wordpress 4.8.1 and earlier
Salvatore wrote:
> have you identified already the issue -> fixing commit mappings?

For version 4.8.1 [buster, sid], upstream fixed them on 4.8.2
https://codex.wordpress.org/Version_4.8.2

For version 4.7.5 [stretch], upstream fixed them on 4.7.6
https://codex.wordpress.org/Version_4.7.6

For version 4.1 [jessie], upstream fixed them on 4.1.19
https://codex.wordpress.org/Version_4.1.19

For version 3.6.1 [wheezy], upstream didn't release a fix.

4.7.6 and 4.1.19 seem to be security fixes only. WordPress 4.8.2 also contains six maintenance fixes to the 4.8 release series (but that would go to sid, so it's ok).

There is a slightly misleading commit message on one of them whose description says it's bumping to the wrong version, but other than that -thankfully- it looks quite clear which issue is fixing each of the backported commits
Bug#702475: Bug#707879: apache2: mod_mpm_itk.so: undefined symbol: cap_set_proc
Thanks Arno, I didn't find 702475 when searching earlier.

Stefan, I confirm that the workaround works (but you need to use the full path).

--- /etc/apache2/mods-available/mpm_itk.load2013-05-12 10:39:44.743748291 + +++ /etc/apache2/mods-available/mpm_itk.load2013-05-12 10:39:44.743748291 + @@ -1,2 +1,3 @@ # Conflicts: mpm_event mpm_worker mpm_prefork +LoadFile /lib/x86_64-linux-gnu/libcap.so.2 LoadModule mpm_itk_module /usr/lib/apache2/modules/mod_mpm_itk.so
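Review bot: the added LoadFile line hard-codes the amd64 multiarch directory (/lib/x86_64-linux-gnu/libcap.so.2), so the workaround as written only applies on that architecture; on any other one the path has to be replaced with that system's location of libcap.so.2. The --- and +++ headers also name the same file with the same timestamp, so the patch does not record which copy was the original; diffing against a saved copy of the unmodified mpm_itk.load would make that unambiguous.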
Bug#599046: kmess: I have this problem too.
Package: kmess
Version: 2.0.3-2
Severity: normal

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages kmess depends on:
ii  kdebase-runtime      4:4.4.5-1             runtime components from the offici
ii  libc6                2.11.2-6              Embedded GNU C Library: Shared lib
ii  libgcc1              1:4.5.1-7             GCC support library
ii  libgcrypt11          1.4.5-2               LGPL Crypto library - runtime libr
ii  libgif4              4.1.6-9               library for GIF images (library)
ii  libkdecore5          4:4.4.5-1             the KDE Platform Core Library
ii  libkdeui5            4:4.4.5-1             the KDE Platform User Interface Li
ii  libkhtml5            4:4.4.5-1             the KHTML Web Content Rendering En
ii  libkio5              4:4.4.5-1             the Network-enabled File Managemen
ii  libkjsapi4           4:4.4.5-1             the KJS API Library for the KDE De
ii  libknewstuff2-4      4:4.4.5-1             the "Get Hot New Stuff" v2 Library
ii  libknotifyconfig4    4:4.4.5-1             library for configuring KDE Notifi
ii  libkonq5             4:4.4.5-1             core libraries for Konqueror
ii  libkparts4           4:4.4.5-1             the Framework for the KDE Platform
ii  libphonon4           4:4.6.0really4.4.2-1  the core library of the Phonon mul
ii  libqca2-plugin-ossl  0.1~20070904-4        QCA OSSL plugin for libqca2
ii  libqt4-dbus          4:4.6.3-1+b1          Qt 4 D-Bus module
ii  libqt4-network       4:4.6.3-1+b1          Qt 4 network module
ii  libqt4-svg           4:4.6.3-1+b1          Qt 4 SVG module
ii  libqt4-test          4:4.6.3-1+b1          Qt 4 test module
ii  libqt4-xml           4:4.6.3-1+b1          Qt 4 XML module
ii  libqtcore4           4:4.6.3-1+b1          Qt 4 core module
ii  libqtgui4            4:4.6.3-1+b1          Qt 4 GUI module
ii  libsolid4            4:4.4.5-1             Solid Library for KDE Platform
ii  libstdc++6           4.4.5-2               The GNU Standard C++ Library v3
ii  libx11-6             2:1.3.3-3             X11 client-side library
ii  libxml2              2.7.7.dfsg-4          GNOME XML library
ii  libxslt1.1           1.1.26-6              XSLT 1.0 processing library - runt
ii  libxss1              1:1.2.0-2             X11 Screen Saver extension library
ii  phonon               4:4.6.0really4.4.2-1  metapackage for the Phonon multime

kmess recommends no packages.

Versions of packages kmess suggests:
ii  konqueror            4:4.4.5-1             advanced file manager, web browser

-- no debconf information