Bug#1064034: FTBFS: Expired test certificate

2024-02-15 Thread Ángel
Package: ruby3.1
Version: 3.1.2-8
Severity: serious
Tags: ftbfs

A build of ruby3.1 fails on the test stage, since multiple
test/net/http/test_https.rb tests return 

> "ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0
> peeraddr=(null) state=error: sslv3 alert certificate expired\n"

where no error was expected.


Failing tests:
TestNetHTTPS#test_get, TestNetHTTPS#test_skip_hostname_verification,
TestNetHTTPS#test_skip_hostname_verification, TestNetHTTPS#test_post,
TestNetHTTPS#test_min_version, TestNetHTTPS#test_get_SNI,
TestNetHTTPS#test_get, TestNetHTTPS#test_post,
TestNetHTTPS#test_min_version, TestNetHTTPS#test_get_SNI


The actual reason is that the certificate it uses (file
test/net/fixtures/server.crt) *IS* expired:

$ openssl x509 -in test/net/fixtures/server.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = JP, ST = Shimane, L = Matz-e city, O = Ruby Core Team, CN = Ruby Test CA, emailAddress = secur...@ruby-lang.org
        Validity
            Not Before: Jan  2 03:27:13 2019 GMT
            Not After : Jan  1 03:27:13 2024 GMT
        Subject: C = JP, ST = Shimane, O = Ruby Core Team, OU = Ruby Test, CN = localhost


This was fixed upstream on 
https://github.com/ruby/ruby/commit/d3933fc753187a055a4904af82f5f3794c88c416
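
An added example (not part of the original report and not code from Ruby's test suite): a Ruby check that flags test-fixture certificates which are expired or close to expiry, so that a build does not start failing on a date boundary as described above. The helper names and fixture paths are hypothetical, and the certificates are constructed in the script using the validity window quoted in the report.

```ruby
require "openssl"

# Constructed fixture: a self-signed certificate with a chosen validity window.
# The key is generated on the fly; this is not the real Ruby test CA material.
def build_fixture(not_before, not_after, cn: "localhost")
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/O=Constructed Test Fixture/CN=#{cn}")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 2
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key
  cert.not_before = not_before
  cert.not_after  = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

# Classify one PEM certificate relative to `now` (hypothetical helper).
def fixture_status(pem, now: Time.now, horizon_days: 90)
  cert = OpenSSL::X509::Certificate.new(pem)
  return :not_yet_valid if now < cert.not_before
  return :expired       if now > cert.not_after
  return :expiring_soon if cert.not_after - now < horizon_days * 86_400
  :ok
end

# Audit a set of fixtures (path => PEM text); return only the problem ones.
def audit_fixtures(fixtures, now: Time.now, horizon_days: 90)
  fixtures.each_with_object({}) do |(path, pem), bad|
    status = fixture_status(pem, now: now, horizon_days: horizon_days)
    bad[path] = status unless status == :ok
  end
end

# Constructed sample set: the first entry uses the Not Before / Not After
# values shown in the report, the second is a long-lived replacement.
SAMPLE_FIXTURES = {
  "fixtures/server.crt" => build_fixture(Time.utc(2019, 1, 2, 3, 27, 13),
                                         Time.utc(2024, 1, 1, 3, 27, 13)),
  "fixtures/fresh.crt"  => build_fixture(Time.utc(2024, 1, 1), Time.utc(2034, 1, 1)),
}

# Evaluated at the date of the report, only the 2019-2024 fixture is flagged.
p audit_fixtures(SAMPLE_FIXTURES, now: Time.utc(2024, 2, 15))
```

Run with a horizon longer than the release's support period, the same check reports a fixture as `:expiring_soon` well before the test suite starts returning "certificate expired".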



Bug#1042530: [request-tracker-maintainers] Bug#1042530

2023-08-09 Thread Ángel
Control: tags -1 +upstream
Control: severity -1 normal

Resetting severity to normal, as it was a result of the FTBFS. There's
an old ckeditor version bundled by upstream. It's not confirmed if the
CVE can be exploited in RT.
Should be fixed, but not a release-critical issue.




Bug#1042527: [request-tracker-maintainers] Bug#1042527: request-tracker5: Include ckeditor minimified

2023-08-09 Thread Ángel
Control: tags +upstream
Control: severity normal

Resetting severity to normal, as it was a result of the FTBFS. There's
an old ckeditor version bundled by upstream. It's not confirmed if the
CVE can be exploited in RT.
Should be fixed, but not a release-critical issue.



Bug#1042527: [request-tracker-maintainers] Bug#1042527: request-tracker5: Include ckeditor minimified

2023-08-01 Thread Ángel
tags 1042527 -ftbfs

Hello Bastien

Upstream does provide only a minified javascript in their release
tarball, but the Debian package includes the source of the ckeditor used
within the third-party tarball
http://deb.debian.org/debian/pool/main/r/request-tracker5/request-tracker5_5.0.3+dfsg.orig-third-party-source.tar.gz
and minifies that source during the build process with the
debian/build-final-ckeditor.sh script.

There is more information on the history of this tarball on the bug
with upstream https://rt.bestpractical.com/Ticket/Display.html?id=37009

Regards



Bug#1026669: request-tracker5: FTBFS: can't locate java: No such file or directory

2023-01-17 Thread Ángel
The error here is that ./debian/build-final-ckeditor.sh fails with
« can't locate java: No such file or directory »

This script is actually calling ckbuilder
( jexec /usr/bin/ckbuilder --build ... )

However, the package correctly lists ckbuilder as a build-dep, and
ckbuilder itself depends on java ( default-jre | java{7..11}-runtime)

The full build log shows that java *was* installed, *and* that it
provided the usual suspects:

> update-alternatives: using /usr/lib/jvm/java-17-openjdk-amd64/bin/java to provide /usr/bin/java (java) in auto mode
> update-alternatives: using /usr/lib/jvm/java-17-openjdk-amd64/bin/jpackage to provide /usr/bin/jpackage (jpackage) in auto mode
> update-alternatives: using /usr/lib/jvm/java-17-openjdk-amd64/bin/keytool to provide /usr/bin/keytool (keytool) in auto mode
> update-alternatives: using /usr/lib/jvm/java-17-openjdk-amd64/bin/rmiregistry to provide /usr/bin/rmiregistry (rmiregistry) in auto mode
> update-alternatives: using /usr/lib/jvm/java-17-openjdk-amd64/lib/jexec to provide /usr/bin/jexec (jexec) in auto mode



Bug#984520: 'error: symbol "grub_register_command_lockdown" not found' and then lightdm fails to start

2021-06-03 Thread Jesús Ángel
Package: grub2
Version: 2.02+dfsg1-20+deb10u4
Followup-For: Bug #984520

Dear Maintainer,

I am also facing this error every now and then. Sometimes GRUB doesn't
boot and keeps showing "error: symbol `grub_register_command_lockdown'
not found.".
On pressing any key, GRUB restarts and I get the same error again.

I can fix the issue by booting into a Knoppix live, mounting the
filesystem under /mnt, chrooting into it and running
grub-install /dev/sda. However, it's quite annoying and time-wasting.

I wonder how it is possible to fix the problem just by running the
grub-install command again. I don't know either what's triggering this
issue, but I think the one to blame is some kernel upgrade which
triggers a grub-update.


Yours faithfully,

-- Package-specific info:

*** BEGIN /proc/mounts
/dev/mapper/root / ext4 rw,relatime,errors=remount-ro 0 0
/dev/vda1 /boot ext3 rw,relatime,errors=remount-ro 0 0
/dev/mapper/var /var ext4 rw,relatime,errors=remount-ro 0 0
*** END /proc/mounts

*** BEGIN /boot/grub/device.map
(fd0) /dev/fd0
(hd0) /dev/vda
(hd1) /dev/vdb
*** END /boot/grub/device.map

*** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
  set have_grubenv=true
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
  fi
}
function load_video {
  if [ x$feature_all_video_module = xy ]; then
insmod all_video
  else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod ext2
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root  b80ab3af-3b43-40f4-99b1-168a721ea949
else
  search --no-floppy --fs-uuid --set=root b80ab3af-3b43-40f4-99b1-168a721ea949
fi
font="/usr/share/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_US
  insmod gettext
fi
terminal_output gfxterm
if [ "${recordfail}" = 1 ] ; then
  set timeout=30
else
  if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=30
  # Fallback normal timeout code in case the timeout_style feature is
  # unavailable.
  else
set timeout=30
  fi
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_linux ###
function gfxmode {
set gfxpayload="${1}"
}
set linux_gfx_mode=
export linux_gfx_mode
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-b80ab3af-3b43-40f4-99b1-168a721ea949' {
    load_video
    insmod gzio
    if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
    insmod part_msdos
    insmod ext2
    set root='hd0,msdos1'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1'  0dfb2e8d-27fe-4ff5-bf51-3d873f3910b9
    else
      search --no-floppy --fs-uuid --set=root 0dfb2e8d-27fe-4ff5-bf51-3d873f3910b9
    fi
    echo 'Loading Linux 4.19.0-16-amd64 ...'
    linux   /vmlinuz-4.19.0-16-amd64 root=UUID=b80ab3af-3b43-40f4-99b1-168a721ea949 ro  quiet systemd.show_status=1 acpi=force net.ifnames=0 biosdevname=0 rd.luks.name=c9430ec8-ae4b-4a84-9371-9746e87fff7c=root rd.neednet=1 ip=10.0.0.121:::255.255.255.0:tornavacas:eth1:none:10.0.0.103:10.0.0.104
    echo 'Loading initial ramdisk ...'
    initrd  /initrd.img-4.19.0-16-amd64
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-b80ab3af-3b43-40f4-99b1-168a721ea949' {
    menuentry 'Debian GNU/Linux, with Linux 4.19.0-16-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.19.0-16-amd64-advanced-b80ab3af-3b43-40f4-99b1-168a721ea949' {
        load_video
        insmod gzio
        if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
        insmod part_m

Bug#928415: armagadd-on-2.0

2019-05-04 Thread Ángel
Changing "xpinstall.signatures.required" to "false" will work on builds
without MOZ_REQUIRE_SIGNING.
This can be checked by going to resource://gre/modules/AppConstants.jsm
and checking the value of MOZ_REQUIRE_SIGNING; if it is false, the
signatures can be disabled with the above config.

Note it will not work on official Mozilla builds. But it does on
Debian.¹


There were a couple of upstream commits for working around the bug:
https://hg.mozilla.org/releases/mozilla-beta/rev/d716b75b8ac3f4588061e720074c093dae08e43e
https://hg.mozilla.org/releases/mozilla-beta/rev/f272348572e8160a73001b85013f35db51397064

although they later reverted them.



The studies released by Mozilla to fix this are:

* hotfix-update-xpi-signing-intermediate-bug-1548973:
  https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi
  (sha256 b25031ac78020aad3be1fb8144cacbcf4a9b2d866585f066a577c10b835cd800,
  it's signed by Mozilla like other xpis)

* hotfix-reset-xpi-verification-timestamp-1548973
  seems to be just a preference change for
  app.update.lastUpdateTime.xpi-signature-verification (in order to
  trigger an xpi recheck):

  "hotfix-reset-xpi-verification-timestamp-1548973": {
    "name": "hotfix-reset-xpi-verification-timestamp-1548973",
    "branch": "hotfix",
    "expired": false,
    "lastSeen": "2019-05-04T21:13:01.960Z",
    "preferenceName": "app.update.lastUpdateTime.xpi-signature-verification",
    "preferenceValue": 1556945257,
    "preferenceType": "integer",
    "previousPreferenceValue": 0,
    "preferenceBranchType": "user",
    "experimentType": "exp"
  },



Installing hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi
manually also makes extensions work on Debian.
Disabled addons don't get reenabled, but resetting
app.update.lastUpdateTime.xpi-signature-verification to an older value
also makes them work again a little after restart.




¹ Also on Ubuntu, and probably on the rest of distros using a derivative
package as well.



Bug#876274: wordpress: 9 security bugs in wordpress 4.8.1 and earlier

2017-09-25 Thread Ángel
Rodrigo Campos wrote:
> It's already on sid and a backport is ready, will ask for BSA and craig will
> upload when the BSA is assigned.

What about the versions on wheezy/jessie/stretch? Should they be handled
on this bug, get a new one for each, or will they simply be handled
without one by the security team, now they have CVEs¹?


¹ These issues got assigned CVE-2017-14718 to CVE-2017-14726


Thanks!



Bug#876274: wordpress: 9 security bugs in wordpress 4.8.1 and earlier

2017-09-21 Thread Ángel
Salvatore wrote:
> have you identified already the issue -> fixing commit mappings?

For version 4.8.1 [buster, sid], upstream fixed them on 4.8.2
https://codex.wordpress.org/Version_4.8.2

For version 4.7.5 [stretch], upstream fixed them on 4.7.6
https://codex.wordpress.org/Version_4.7.6

For version 4.1 [jessie], upstream fixed them on 4.1.19
https://codex.wordpress.org/Version_4.1.19

For version 3.6.1 [wheezy], upstream didn't release a fix.


4.7.6 and 4.1.19 seem to be security fixes only. WordPress 4.8.2 also
contains six maintenance fixes to the 4.8 release series (but that would
go to sid, so it's ok).

There is a slightly misleading commit message on one of them whose
description says it's bumping to the wrong version, but other than that
-thankfully- it looks quite clear which issue is fixing each of the
backported commits.



Bug#702475: Bug#707879: apache2: mod_mpm_itk.so: undefined symbol: cap_set_proc

2013-05-12 Thread Ángel González
Thanks Arno,
I didn't find 702475 when searching earlier.

Stefan, I confirm that the workaround works
(but you need to use the full path).

--- /etc/apache2/mods-available/mpm_itk.load2013-05-12
10:39:44.743748291 +
+++ /etc/apache2/mods-available/mpm_itk.load2013-05-12
10:39:44.743748291 +
@@ -1,2 +1,3 @@
 # Conflicts: mpm_event mpm_worker mpm_prefork
+LoadFile /lib/x86_64-linux-gnu/libcap.so.2
 LoadModule mpm_itk_module /usr/lib/apache2/modules/mod_mpm_itk.so
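
Review bot: the added "LoadFile /lib/x86_64-linux-gnu/libcap.so.2" line hard-codes the amd64 multiarch directory, so the same mpm_itk.load fails to preload libcap on any other architecture, where the library lives under a different triplet directory. That is acceptable as a local workaround, but a packaged fix should not carry an architecture-specific path in this file. A comment above the LoadFile line stating that libcap is preloaded because mod_mpm_itk.so otherwise fails with the undefined cap_set_proc symbol would also tell a later editor when the line can be dropped.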


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#599046: kmess: I have this problem too.

2010-10-16 Thread Miguel Ángel López Vicente
Package: kmess
Version: 2.0.3-2
Severity: normal



-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages kmess depends on:
ii  kdebase-runtime      4:4.4.5-1             runtime components from the offici
ii  libc6                2.11.2-6              Embedded GNU C Library: Shared lib
ii  libgcc1              1:4.5.1-7             GCC support library
ii  libgcrypt11          1.4.5-2               LGPL Crypto library - runtime libr
ii  libgif4              4.1.6-9               library for GIF images (library)
ii  libkdecore5          4:4.4.5-1             the KDE Platform Core Library
ii  libkdeui5            4:4.4.5-1             the KDE Platform User Interface Li
ii  libkhtml5            4:4.4.5-1             the KHTML Web Content Rendering En
ii  libkio5              4:4.4.5-1             the Network-enabled File Managemen
ii  libkjsapi4           4:4.4.5-1             the KJS API Library for the KDE De
ii  libknewstuff2-4      4:4.4.5-1             the "Get Hot New Stuff" v2 Library
ii  libknotifyconfig4    4:4.4.5-1             library for configuring KDE Notifi
ii  libkonq5             4:4.4.5-1             core libraries for Konqueror
ii  libkparts4           4:4.4.5-1             the Framework for the KDE Platform
ii  libphonon4           4:4.6.0really4.4.2-1  the core library of the Phonon mul
ii  libqca2-plugin-ossl  0.1~20070904-4        QCA OSSL plugin for libqca2
ii  libqt4-dbus          4:4.6.3-1+b1          Qt 4 D-Bus module
ii  libqt4-network       4:4.6.3-1+b1          Qt 4 network module
ii  libqt4-svg           4:4.6.3-1+b1          Qt 4 SVG module
ii  libqt4-test          4:4.6.3-1+b1          Qt 4 test module
ii  libqt4-xml           4:4.6.3-1+b1          Qt 4 XML module
ii  libqtcore4           4:4.6.3-1+b1          Qt 4 core module
ii  libqtgui4            4:4.6.3-1+b1          Qt 4 GUI module
ii  libsolid4            4:4.4.5-1             Solid Library for KDE Platform
ii  libstdc++6           4.4.5-2               The GNU Standard C++ Library v3
ii  libx11-6             2:1.3.3-3             X11 client-side library
ii  libxml2              2.7.7.dfsg-4          GNOME XML library
ii  libxslt1.1           1.1.26-6              XSLT 1.0 processing library - runt
ii  libxss1              1:1.2.0-2             X11 Screen Saver extension library
ii  phonon               4:4.6.0really4.4.2-1  metapackage for the Phonon multime

kmess recommends no packages.

Versions of packages kmess suggests:
ii  konqueror 4:4.4.5-1  advanced file manager, web browser

-- no debconf information


