Bug#1022791: nmu: 2.4.3.7-4+b3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: binnmu nmu tripwire_2.4.3.7-4+b3 . ANY . unstable . -m "Rebuild with new libc (Closes #1022791)" Tripwire is statically build and libc updates break it. Thanks. -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#994910: Uploading ASAP
tags 994910 + pending thanks Hi, I'll make an upload to unstable ASAP. Thanks, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#957184: eurephia: diff for NMU version 1.1.0-6.1
Hi, Sudip. Thanks for the upload. No need to cancel it :-) On Mon, Nov 30, 2020 at 08:52:30PM +, Sudip Mukherjee wrote: > Control: tags 957184 + patch > Control: tags 957184 + pending > -- > > Dear maintainer, > > I've prepared an NMU for eurephia (versioned as 1.1.0-6.1) and > uploaded it to DELAYED/2. Please feel free to tell me if I > should cancel it. > > -- > Regards > Sudip > > diff -Nru eurephia-1.1.0/debian/changelog eurephia-1.1.0/debian/changelog > --- eurephia-1.1.0/debian/changelog 2016-09-16 08:38:26.0 +0100 > +++ eurephia-1.1.0/debian/changelog 2020-11-30 20:44:45.0 + > @@ -1,3 +1,11 @@ > +eurephia (1.1.0-6.1) unstable; urgency=medium > + > + * Non-maintainer upload. > + * Fix ftbfs with GCC-10. (Closes: #957184) > +- Use fcommon with CFLAGS. > + > + -- Sudip Mukherjee Mon, 30 Nov 2020 20:44:45 > + > + > eurephia (1.1.0-6) unstable; urgency=medium > >* Make build reproducible. Thanks Chris Lamb for the patch! > diff -Nru eurephia-1.1.0/debian/rules eurephia-1.1.0/debian/rules > --- eurephia-1.1.0/debian/rules 2015-07-07 16:04:12.0 +0100 > +++ eurephia-1.1.0/debian/rules 2020-11-29 22:27:12.0 + > @@ -3,7 +3,7 @@ > dh $@ > > override_dh_auto_configure: > - $(shell DEB_CFLAGS_MAINT_APPEND="-fPIC -std=gnu89" dpkg-buildflags > --export=configure) ./configure --prefix /usr --plug-in --fw-iptables > --db-sqlite3 --sqlite3-path /var/lib/eurephia --eurephiadm --openvpn-src > /usr/include/openvpn > + $(shell DEB_CFLAGS_MAINT_APPEND="-fPIC -std=gnu89 -fcommon" > dpkg-buildflags --export=configure) ./configure --prefix /usr --plug-in > --fw-iptables --db-sqlite3 --sqlite3-path /var/lib/eurephia --eurephiadm > --openvpn-src /usr/include/openvpn > override_dh_auto_clean: > rm -rf configure.log > dh_auto_clean -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#955643: tripwire: FTBFS: dpkg-gencontrol: error: error occurred while parsing Built-Using field: glibc (= 2.30-4), libgcc1 (= ),
Hi, Lucas.
On Fri, Apr 03, 2020 at 09:56:02PM +0200, Lucas Nussbaum wrote:
> Source: tripwire
> Version: 2.4.3.7-1
> Severity: serious
> Justification: FTBFS on amd64
> Tags: bullseye sid ftbfs
> Usertags: ftbfs-20200402 ftbfs-bullseye
>
> Hi,
>
> During a rebuild of all packages in sid, your package failed to build
> on amd64.
>
> Relevant part (hopefully):
>
> > dh_gencontrol -- -VBuilt-Using="glibc (= 2.30-4), libgcc1 (= ), "
> > dpkg-gencontrol: warning: Depends field of package tripwire: substitution
> > variable ${shlibs:Depends} used, but is not defined
> > dpkg-gencontrol: warning: can't parse dependency libgcc1 (= )
> > dpkg-gencontrol: error: error occurred while parsing Built-Using field:
> > glibc (= 2.30-4), libgcc1 (= ),
> > dh_gencontrol: error: dpkg-gencontrol -ptripwire -ldebian/changelog
> > -Tdebian/tripwire.substvars -Pdebian/.debhelper/tripwire/dbgsym-root
> > "-VBuilt-Using=glibc (= 2.30-4), libgcc1 (= ), " -UPre-Depends -URecommends
> > -USuggests -UEnhances -UProvides -UEssential -UConflicts
> > -DPriority=optional -UHomepage -UImportant -UBuilt-Using
> > -DAuto-Built-Package=debug-symbols -DPackage=tripwire-dbgsym
> > "-DDepends=tripwire (= \${binary:Version})" "-DDescription=debug symbols
> > for tripwire" "-DBuild-Ids=29bff36c96f9f7f161804f634705648d102836ba
> > 3a7a08dca92e1782576544245bf22db1edd8f5c7
> > a01ce61d78fff4d6276e5a8914e5ef3ed1dfee7a
> > cc2f0ff87227a5dd8f907527250c554b8384d95c" -DSection=debug -UMulti-Arch
> > -UReplaces -UBreaks returned exit code 25
> > dh_gencontrol: error: Aborting due to earlier error
> > make: *** [debian/rules:85: binary-arch] Error 25
I just build the package with sbuild without any issues. Here's the
relevant part:
dh_gencontrol -- -VBuilt-Using="glibc (= 2.30-4), gcc-10 (= 10-20200418-1), "
dpkg-gencontrol: warning: Depends field of package tripwire: substitution
variable ${shlibs:Depends} used, but is not defined
dpkg-gencontrol: warning: Depends field of package tripwire: substitution
variable ${shlibs:Depends} used, but is not defined
dh_md5sums
dh_builddeb
dpkg-deb: building package 'tripwire-dbgsym' in
'../tripwire-dbgsym_2.4.3.7-1_amd64.deb'.
dpkg-deb: building package 'tripwire' in '../tripwire_2.4.3.7-1_amd64.deb'.
dpkg-genbuildinfo --build=binary
dpkg-genchanges --build=binary >../tripwire_2.4.3.7-1_amd64.changes
dpkg-genchanges: info: binary-only upload (no source code included)
dpkg-source --after-build .
dpkg-buildpackage: info: binary-only upload (no source included)
Build finished at 2020-04-19T14:14:59Z
I have no idea why in the rebuild this happened:
> > dh_gencontrol -- -VBuilt-Using="glibc (= 2.30-4), libgcc1 (= ), "
Instead of:
> dh_gencontrol -- -VBuilt-Using="glibc (= 2.30-4), gcc-10 (= 10-20200418-1), "
Maybe a glitch in the gcc-10 package?
--
Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico
mailto/sip: a...@inittab.org | en GNU/Linux y software libre
Encrypted mail preferred| http://inittab.com
Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#949682: Denial of Service due to cooking handling
Package: libmodsecurity3 Version: 3.0.3-1 Severity: serious Tags: security upstream A security issue was discovered by Ervin Hegedüs in Modsecurity 3.0.3. More info: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-denial-of-service-details-cve-2019-19886/ Fixed package is already in unstable. -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.4.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#928053: Adjusting severity
severity 928053 important thanks Hi, Thanks, Christian and Ervin, for your help. I'm lowering the severity of this bug since it does not really affect Debian (as explained in upstream link regarding this issue). If anyone disagrees with this change, please get in touch with me before raising it again. Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#911154: netkit-ntalk misses the generator for configure
On Thu, Dec 06, 2018 at 06:42:33AM +0100, Christoph Biedl wrote: > tags -1 patch > user debian-rele...@lists.debian.org > usertags -1 + bsp-2018-12-ch-bern > thanks > > So here we go ... > > The files resulting from the conversion to cmake are not as terse as I > hoped they would be. Still, at least for me, this is an improvement > over to several handcrafted rules, especially for any future changes in > the Debian build system. > [snip] > ### Packages maintained by Alberto Gonzalez Iniesta > > * netkit-bootparamd > * netkit-ntalk > * netkit-rsh > * netkit-rusers > * netkit-rwall > * netkit-rwho > * netkit-tftp > > Alberto, you'll do me a favour if you could refrain from uploading > for a few days - I'll do some more checks and expect one or two more > things will come up that require an adjustment. > > Also, some formatting was done in my personal style. Feel free to apply > your $QUILT_REFRESH_ARGS on top of this. Hello, Christoph. Huge thanks for your massive work on this. I'll wait for any news from you for a few days. No problem at all. Cheers, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#911154: netkit-ntalk misses the generator for configure
On Mon, Nov 05, 2018 at 08:01:21AM +0100, Christoph Biedl wrote: > [ > Cc'ing *all* affected packages. Noisy, but all parties involved > should be aware of the progress. > ] > > Helmut Grohne wrote... > > > I'm not sure that adding our own confgen is maintainable in the long > > run. We already have very many build systems in Debian. We've learned > > the hard way that supporting many different build and packaging tools is > > expensive. Nowadays, most packages use debhelper and that kind of > > centralization bears benefits in modifiability. So I wonder whether > > outright replacing confgen usage (effectively reimplementing the build > > system for <= 15 packages) would be more maintainable in the long run. > > Most likely, that would make cross building just work. On the other > > hand, we'd have to extend the prospective confgen to support that use > > case. > > > > I'm suggesting that rewriting all those build systems using one of the > > standard tools (e.g. autotools, cmake, meson, maybe not qmake, ...) > > could mean less work. > > Switching to e.g. cmake means a one-time more-or-less complex manual > transition but afterwards the packaging should be in a sane state for > quite some time. Hi! Thanks a lot for looking into this, Christoph. > Still I assume this will be my job - however, the changes will go > beyond a sound NMU size. So I'll send out patches, and eventually go > the package salvaging way. Please, let me know if I can be of any help. I don't know anything about cmake, but I maintain (or upload) a bunch of affected netkit-* packages. I hope I can save you some work with those. > If someone more experienced in cmake wants to help, please get in > touch. Otherwise, allow me until end of November to create the fixes - > there is something called "real life" out there. Still my plan is to > salvage *all* packages. The expensive part is the thing called "setup > fee" somewhere else, and I'm mostly done with it. I'll look into your changes on bsd-finger and see if I can reproduce those on others. Thanks again, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#911209: FTBFS (some tests fail)
Package: modsecurity Version: 3.0.2-1 Severity: serious Yep, some tests are failing on all buildd. Looking into it. Thanks Santiago Vila for the heads up. -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#875885: netkit-tftp: does not trap ./configure errors
On Fri, Sep 15, 2017 at 05:17:44PM +0200, Helmut Grohne wrote: > Source: netkit-tftp > Version: 0.17-18.1 > Severity: serious > Justification: policy 4.6 > > netkit-tftp's debian/rules does not trap errors from ./configure. In > case ./configure fails, the build continues. This can produces > apparently successful misbuilds and is prohibited by the Debian policy > in section 4.6. > > Helmut Hello, Helmut. Have you tested your assertion? Because if ./configure fails, MCONFIG is not created and the build (make) fails: make[1]: Entering directory '/home/agi/debian/netkit-tftp/netkit-tftp/tftp' Makefile:3: ../MCONFIG: No such file or directory make[1]: *** No rule to make target '../MCONFIG'. Stop. make[1]: Leaving directory '/home/agi/debian/netkit-tftp/netkit-tftp/tftp' make: *** [Makefile:7: tftp.build] Error 2 Could you let me know how to reproduce a misbuild? Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#875885: netkit-tftp: does not trap ./configure errors
Hello, Raphael. Dead upstream requires few updates to a package. Anyway, I was just looking into that now. Regards, Alberto On Tue, Jul 03, 2018 at 09:44:46AM +0200, Raphael Hertzog wrote: > Hello Alberto, > > it's been 8 years that you haven't touched netkit-tftp and the package > has been removed from Debian testing due to the bug I'm replying to. > > Can you take care of fixing the bug and/or properly orphaning the package > if you are no longer interested in it? > > Regards, > > On Fri, 15 Sep 2017, Helmut Grohne wrote: > > Source: netkit-tftp > > Version: 0.17-18.1 > > Severity: serious > > Justification: policy 4.6 > > > > netkit-tftp's debian/rules does not trap errors from ./configure. In > > case ./configure fails, the build continues. This can produces > > apparently successful misbuilds and is prohibited by the Debian policy > > in section 4.6. > > > > Helmut > -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#865589: Ships a tmpfile in /usr and /etc, one overriding the other
tags 865589 + pending thanks On Fri, Jun 23, 2017 at 02:49:32AM +0200, Michael Biebl wrote: > Package: openvpn > Version: 2.4.3-1 > Severity: serious > > Hi, > > I just noticed that the latest openvpn update now ships a tmpfile in /etc: > /etc/tmpfiles.d/openvpn.conf > > This is odd, since the package also ships: > /usr/lib/tmpfiles.d/openvpn.conf > > tmpfiles in /etc/tmpfiles.d are reserved to the local administrator and > override a tmpfile with the same name from /usr/lib/tmpfiles.d > > Marking as RC, as something is clearly broken here, and > /usr/lib/tmpfiles.d/openvpn.conf being overriddden means that > /run/openvpn is no longer created. > Ooops, fixing ASAP. -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#865480: Wheezy update of openvpn?
On Thu, Jun 22, 2017 at 11:16:04AM +0200, Raphael Hertzog wrote:
> Hello Alberto,
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of openvpn:
> https://security-tracker.debian.org/tracker/CVE-2017-7508
> https://security-tracker.debian.org/tracker/CVE-2017-7520
> https://security-tracker.debian.org/tracker/CVE-2017-7521
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-...@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
Hi,
Yep, the workflow seems a bit messy for an overworked newcomer. Please
find attached the corresponding debdiff. I have tested the resulting
package in one of my servers (not that many wheezy around these days)
and seems to work fine.
Thanks,
Alberto
--
Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico
mailto/sip: a...@inittab.org | en GNU/Linux y software libre
Encrypted mail preferred| http://inittab.com
Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
diff -Nru openvpn-2.2.1/debian/changelog openvpn-2.2.1/debian/changelog
--- openvpn-2.2.1/debian/changelog 2017-05-12 15:39:52.0 +0200
+++ openvpn-2.2.1/debian/changelog 2017-06-22 18:58:30.0 +0200
@@ -1,3 +1,11 @@
+openvpn (2.2.1-8+deb7u5) wheezy-security; urgency=low
+
+ * The "Bye bye OpenVPN" release.
+ * patches/CVE-2017-7520.patch: Prevent two kinds of stack buffer OOB reads
+ and a crash for invalid input data. (CVE-2017-7520)
+
+ -- Alberto Gonzalez Iniesta <a...@inittab.org> Thu, 22 Jun 2017 18:53:39
+0200
+
openvpn (2.2.1-8+deb7u4) wheezy-security; urgency=medium
* Non-maintainer upload by the Debian LTS team.
diff -Nru openvpn-2.2.1/debian/patches/CVE-2017-7520.patch
openvpn-2.2.1/debian/patches/CVE-2017-7520.patch
--- openvpn-2.2.1/debian/patches/CVE-2017-7520.patch1970-01-01
01:00:00.0 +0100
+++ openvpn-2.2.1/debian/patches/CVE-2017-7520.patch2017-06-22
18:56:54.0 +0200
@@ -0,0 +1,56 @@
+commit 4bec9d25d519a56bc40458e947d3dfa964b82b13
+Author: Guido Vranken <guidovran...@gmail.com>
+Date: Fri May 19 14:04:25 2017 +0200
+
+Prevent two kinds of stack buffer OOB reads and a crash for invalid input
data
+
+Pre-authentication remote crash/information disclosure for clients
+
+If clients use a HTTP proxy with NTLM authentication (i.e.
+"--http-proxy [|'auto'|'auto-nct'] ntlm2"),
+a man-in-the-middle attacker between the client and the proxy can
+cause the client to crash or disclose at most 96 bytes of stack
+memory. The disclosed stack memory is likely to contain the proxy
+password.
+
+If the proxy password is not reused, this is unlikely to compromise
+the security of the OpenVPN tunnel itself. Clients who do not use
+the --http-proxy option with ntlm2 authentication are not affected.
+
+CVE: 2017-7520
+Signed-off-by: Guido Vranken <guidovran...@gmail.com>
+Acked-by: Gert Doering <g...@greenie.muc.de>
+Message-Id:
<CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=c62dzaxn32w...@mail.gmail.com>
+URL:
https://www.mail-archive.com/search?l=mid=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=c62dzaxn32w...@mail.gmail.com
+Signed-off-by: Gert Doering <g...@greenie.muc.de>
+(cherry picked from commit 7718c8984f04b507c1885f363970e2124e3c6c77)
+(cherry picked from commit f38a4a105979b87ebebe9be1c3d323116d3fb924)
+
+Index: openvpn-2.2.1/ntlm.c
+===
+--- openvpn-2.2.1.orig/ntlm.c 2011-06-24 08:13:39.0 +0200
openvpn-2.2.1/ntlm.c 2017-06-22 18:56:50.624960031 +0200
+@@ -190,7 +190,7 @@
+*/
+
+ char pwbuf[sizeof (p->up.password) * 2]; /* for unicode password */
+- char buf2[128]; /* decoded reply from proxy */
++ unsigned char buf2[128]; /* decoded reply from proxy */
+ unsigned char phase3[464];
+
+ char md4_hash[21];
+@@ -281,7 +281,13 @@
+ tib_len = buf2[0x28];/* Get Target Information block
size */
+ if (tib_len > 96) tib_len = 96;
+ {
+-char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target
Information block pointer */
++char *tib_ptr;
++int tib_pos = buf2[0x2c];
++if (tib_pos + tib_len > sizeof(buf2))
++ {
++
Bug#865480: Wheezy update of openvpn?
On Thu, Jun 22, 2017 at 11:16:04AM +0200, Raphael Hertzog wrote: > Hello Alberto, > > The Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of openvpn: > https://security-tracker.debian.org/tracker/CVE-2017-7508 > https://security-tracker.debian.org/tracker/CVE-2017-7520 > https://security-tracker.debian.org/tracker/CVE-2017-7521 > > Would you like to take care of this yourself? > > If yes, please follow the workflow we have defined here: > https://wiki.debian.org/LTS/Development > > If that workflow is a burden to you, feel free to just prepare an > updated source package and send it to debian-...@lists.debian.org > (via a debdiff, or with an URL pointing to the source package, > or even with a pointer to your packaging repository), and the members > of the LTS team will take care of the rest. Indicate clearly whether you > have tested the updated package or not. > > If you don't want to take care of this update, it's not a problem, we > will do our best with your package. Just let us know whether you would > like to review and/or test the updated package before it gets released. > > You can also opt-out from receiving future similar emails in your > answer and then the LTS Team will take care of openvpn updates > for the LTS releases. > > Thank you very much. > > Raphaël Hertzog, > on behalf of the Debian LTS team. > > PS: A member of the LTS team might start working on this update at > any point in time. You can verify whether someone is registered > on this update in this file: > https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup Hi Raphaël, My plan was to start working on this today, let see if real life agrees on this. I'l start with sid, stretch, jessie and then wheezy. I'll let you know when I start working on wheezy to avoid duplicate efforts. Thanks, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#851587: libapache2-modsecurity: prompting due to modified conffiles which were not modified by the user: /etc/apache2/mods-available/security2.conf
Control: severity -1 important Control: found -1 2.6.6-7 Hi, After some research, I traced the bug to a conffile rename that was done on May 2013 (2.6.6-7). That is, the bug is present on wheezy -> jessie transitions. There's nothing that can be done now to fix this prompt (those files are already "modified"). So getting modsecurity out of Stretch won't solve it (thus lowering the severity). I will remove the transitional package on my next upload, but that won't fix the issue for Stretch anyway. Regards, Alberto On Mon, Jan 16, 2017 at 05:59:41PM +0100, Andreas Beckmann wrote: > Package: libapache2-modsecurity > Version: 2.9.1-2 > Severity: serious > User: debian...@lists.debian.org > Usertags: piuparts > > Hi, > > during a test with piuparts I noticed your package failed the piuparts > upgrade test because dpkg detected a conffile as being modified and then > prompted the user for an action. As there is no user input, this fails. > But this is not the real problem, the real problem is that this prompt > shows up in the first place, as there was nobody modifying this conffile > at all, the package has just been installed and upgraded... > > This is a violation of policy 10.7.3, see > https://www.debian.org/doc/debian-policy/ch-files.html#s10.7.3, > which says "[These scripts handling conffiles] must not ask unnecessary > questions (particularly during upgrades), and must otherwise be good > citizens." > > https://wiki.debian.org/DpkgConffileHandling should help with figuring > out how to do this properly. > > In https://lists.debian.org/debian-devel/2009/08/msg00675.html and > followups it has been agreed that these bugs are to be filed with > severity serious. > > >From the attached log (scroll to the bottom...): > > Setting up libapache2-mod-security2 (2.9.1-2) ... > > Configuration file '/etc/apache2/mods-available/security2.conf' >==> Modified (by you or by a script) since installation. >==> Package distributor has shipped an updated version. > What would you like to do about it ? Your options are: > Y or I : install the package maintainer's version > N or O : keep your currently-installed version > D : show the differences between the versions > Z : start a shell to examine the situation >The default action is to keep your current version. > *** security2.conf (Y/I/N/O/D/Z) [default=N] ? dpkg: error processing > package libapache2-mod-security2 (--configure): >end of file on stdin at conffile prompt > dpkg: dependency problems prevent configuration of libapache2-modsecurity: >libapache2-modsecurity depends on libapache2-mod-security2; however: > Package libapache2-mod-security2 is not configured yet. > > dpkg: error processing package libapache2-modsecurity (--configure): >dependency problems - leaving unconfigured > Setting up libcap2-bin (1:2.25-1) ... > Processing triggers for libc-bin (2.24-8) ... > Processing triggers for systemd (232-8) ... > Errors were encountered while processing: >libapache2-mod-security2 >libapache2-modsecurity > > > This was observed during a wheezy->jessie->stretch upgrade test. > > > cheers, > > Andreas -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#848024: [Pkg-utopia-maintainers] Bug#848024: Bug#848024: Fails to connect after upgrade to openvpn 2.4
On Sat, Dec 17, 2016 at 10:46:46AM +0100, Julien Cristau wrote: > On Tue, Dec 13, 2016 at 19:19:53 +0100, Michael Biebl wrote: > > > Am 13.12.2016 um 18:22 schrieb Michael Biebl: > > > Control: forwarded -1 https://bugzilla.gnome.org/show_bug.cgi?id=776045 > > > > > > Am 13.12.2016 um 18:02 schrieb Michael Biebl: > > >> Am 13.12.2016 um 16:53 schrieb Alberto Gonzalez Iniesta: > > >>> Hi there, > > >>> > > >>> The --tls-remote was removed in OpenVPN 2.4, and was already marked as > > >>> DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage: > > >>> > > >>> Please also note: This option is now deprecated. It will be removed > > >>> either in OpenVPN v2.4 or v2.5. So please make sure you support the new > > >>> X.509 name formatting described with the --compat-names option as > > >>> soon as possible by updating your configurations to use > > >>> --verify-x509-name instead. > > >>> > > >>> IMHO this should have been fixed in network-manager-openvpn before 2.4 > > >>> arrived. > > >> > > >> Ok, thanks for the info. > > >> I've cloned this bug report for openvpn. It needs a versioned Breaks > > >> against network-manager-openvpn once a fixed version has been uploaded, > > >> to > > >> avoid breakage on partial uploads. > > >> > > >> I'll ping you once such a version is available. > > > > > > I've blocked the two bugs accordingly and forwarded the issue to upstream. > > > > Looking at https://codesearch.debian.net/search?q=tls-remote > > there are possibly more packages which are affected. > > Have you notified them about this and/or checked that they are not affected? > > > > I'm not sure if it's a bit late at this point of the release cycle to > > introduce such a change in openvpn. I've CCed the release-team on their > > input on this, i.e. whether we want openvpn in stretch 2.4 and how the > > removal of tls-remote should be handled. > > > Now is not the time to make incompatible changes affecting other > packages? How hard would it be to provide backwards compatibility here? Hi Julien, the change does not affect other packages, but setups using a deprecated option. A note will be added to NEWS.Debian. Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#848062: Not such bug
Control: retitle -1 Warn users of removed tls-remote option Control: severity -1 normal Control: tags -1 + pending As Michael explains in #848024 this is not a bug and this does not break NetworkManager(-openvpn), but a deprecated (long time ago) option that is now gone. I'll add a NEWS.Debian entry to warn users. Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#848024: [Pkg-utopia-maintainers] Bug#848024: Fails to connect after upgrade to openvpn 2.4
Control: reassign -1 network-manager-openvpn On Tue, Dec 13, 2016 at 04:31:35PM +0100, Michael Biebl wrote: > Control: reassign -1 openvpn > Control: severity -1 serious > Control: affects -1 network-manager-openvpn > > Am 13.12.2016 um 11:33 schrieb dann frazier: > > Package: network-manager-openvpn > > Version: 1.2.6-2 > > Severity: normal > > > > After upgrading to openvpn 2.4~rc1-2, my VPN connection began to fail: > > > > Dec 13 09:49:37 xps13 NetworkManager[738]: Options error: Unrecognized > > option or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote > > (2.4_rc1) > > (Options error: Unrecognized option or missing or extra parameter(s) in > > [CMD-LINE]:1: tls-remote (2.4_rc1) > > > > I'm working around this by reverting to openvpn 2.3.11-2. > > > Dear openvpn maintainers, > > could you have a look at this bug report please. > It seems the new openvpn rc release breaks the NetworkManager openvpn > plugin. > I've bumped it to RC, so the package doesn't migrate to testing for now. > > If there is something which needs to be fixed on the > network-manager-openvpn, please clone this bug report or reassign back. > Hi there, The --tls-remote was removed in OpenVPN 2.4, and was already marked as DEPRECATED in OpenVPN 2.3. From OpenVPN 2.3's manpage: Please also note: This option is now deprecated. It will be removed either in OpenVPN v2.4 or v2.5. So please make sure you support the new X.509 name formatting described with the --compat-names option as soon as possible by updating your configurations to use --verify-x509-name instead. IMHO this should have been fixed in network-manager-openvpn before 2.4 arrived. Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#828477: Building against openssl1.0 for the time being
Control: unblock 827061 by -1 Uploaded 2.4~rc1-1 build against openssl1.0 until upstream moves to 1.1 -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#772000: openvpn cannot start with systemd
On Thu, Dec 04, 2014 at 03:16:11PM +0530, Pirate Praveen wrote: package: openvpn version: 2.3.4-5 severity: grave justification: autostarting of openvpn does not work I have tested both server and client with systemd on sid. Configuration is correct as manually running openvpn via 'openvpn server.conf' and 'openvpn client.conf' works. Same configuration is working with upstart on Ubuntu 12.04 Could you provide your /etc/default/openvpn, and the ouput of: systemctl status openvpn -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#768411: After reboot openvpn server don't start
On Fri, Nov 07, 2014 at 10:35:34AM +0100, Jörg Frings-Fürst wrote: Package: openvpn Version: 2.3.4-3 Severity: grave Since the last update openvpn don't start anymore after reboot. sysemctl status openvpn gives: ● openvpn.service - OpenVPN service Loaded: loaded (/lib/systemd/system/openvpn.service; disabled) Active: inactive (dead) ### systemctl enable openvpn ? -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#768411: Working on it
Yep, I can reproduce it. Sorry for the bug. I'm working on it. Cheers, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#761234: openvpn: Openvpn connects to server but no data pass the tunel. Bad LZO decompression in server log
Czesz Maciej, Could you send me your configuration files (minus the sensitive data) so I can try to reproduce it? Thanks, Alberto On Sat, Sep 13, 2014 at 09:13:06PM +0200, Maciej Kotliński wrote: Hi, I've set tun-mtu 1500. Tun-mtu is not set on the client. There are no errors in server log now. The tunnel still don't work. Connection is being established normally. I see packets travelling to the server's ethernet port . I can't see any traffic on tun interface of the server. I also noticed such message in dmesg: Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev- instead. Regards, Maciek W dniu 12.09.2014 o 09:57, Alberto Gonzalez Iniesta pisze: On Fri, Sep 12, 2014 at 12:10:44AM +0200, Maciej Kotliński wrote: Package: openvpn Version: 2.3.3-1 Severity: grave Justification: renders package unusable I can connect to OpenVPN server (2.3.2), no data is passed thru the tunnel. I use networm-manager openvpn plugin. Tcpdump see packages traveling out the client's both on tun0 interface and client's eth interface. I can't see any traffic on servers's tun interface. Server's ethernet interface receives packets from client(encapsulated traffic). There is a lot of Bad LZO decompression header byte: 0 message in server log. Other clients (mostly Windows and Android) don't have such a problem. The tunnel worked on the same laptop before. Some update made the problem. I tried to use openvpn openvpn_2.2.1-8+deb7u2_amd64.deb without succes. Hi, these warnings can be the source of the problem: Thu Sep 11 23:59:57 2014 83.26.245.199:46853 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1578' Thu Sep 11 23:59:57 2014 83.26.245.199:46853 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532' Have you tried following this advice: Thu Sep 11 23:59:57 2014 83.26.245.199:46853 WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic' Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#761234: openvpn: Openvpn connects to server but no data pass the tunel. Bad LZO decompression in server log
On Fri, Sep 12, 2014 at 12:10:44AM +0200, Maciej Kotliński wrote: Package: openvpn Version: 2.3.3-1 Severity: grave Justification: renders package unusable I can connect to OpenVPN server (2.3.2), no data is passed thru the tunnel. I use networm-manager openvpn plugin. Tcpdump see packages traveling out the client's both on tun0 interface and client's eth interface. I can't see any traffic on servers's tun interface. Server's ethernet interface receives packets from client(encapsulated traffic). There is a lot of Bad LZO decompression header byte: 0 message in server log. Other clients (mostly Windows and Android) don't have such a problem. The tunnel worked on the same laptop before. Some update made the problem. I tried to use openvpn openvpn_2.2.1-8+deb7u2_amd64.deb without succes. Hi, these warnings can be the source of the problem: Thu Sep 11 23:59:57 2014 83.26.245.199:46853 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1578' Thu Sep 11 23:59:57 2014 83.26.245.199:46853 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532' Have you tried following this advice: Thu Sep 11 23:59:57 2014 83.26.245.199:46853 WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic' Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico mailto/sip: a...@inittab.org | en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#720806: openvpn: FTBFS: configure: error: lzo enabled but missing
tags 720806 + unreproducible thanks Hi, I cannot reproduce this on a clean updated env. This bug may have been triggered by this other one [1]. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720749 Can a rebuild of the package be scheduled? Regards, Alberto On Sun, Aug 25, 2013 at 03:45:03PM +0200, David Suárez wrote: Source: openvpn Version: 2.3.2-4 Severity: serious Tags: jessie sid User: debian...@lists.debian.org Usertags: qa-ftbfs-20130825 qa-ftbfs Justification: FTBFS on amd64 Hi, During a rebuild of all packages in sid, your package failed to build on amd64. Relevant part (hopefully): checking for ssl_init in -lpolarssl... no checking for aes_crypt_cbc in -lpolarssl... no checking for lzo1x_1_15_compress in -llzo2... no checking for lzo1x_1_15_compress in -llzo... no checking git checkout... no configure: error: lzo enabled but missing The full build log is available from: http://aws-logs.debian.net/ftbfs-logs/2013/08/25/openvpn_2.3.2-4_unstable.log A list of current common problems and possible solutions is available at http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute! About the archive rebuild: The rebuild was done on EC2 VM instances from Amazon Web Services, using a clean, minimal and up-to-date chroot. Every failed build was retried once to eliminate random failures. -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#666846: libapache-mod-evasive: diff for NMU version 1.10.1-1.1
Hi Colin, Thanks for the patchupload. DELAYED/2 is OK, I'll upload today if time permits. Cheers, Alberto On Wed, Jul 10, 2013 at 09:41:34AM +0100, Colin Watson wrote: Control: tag -1 pending Dear maintainer, I've prepared an NMU for libapache-mod-evasive (versioned as 1.10.1-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#712414: I can confirm this bug
On Mon, Jun 17, 2013 at 01:00:23PM +0600, Aleksey I Zavilohin wrote: after upgrade to 2.2.1-8+deb7u1 stop working udp server Hi Aleksey, Did this happen with all clients? Which client versions are you running? Thanks, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#712414: I can confirm this bug
On Mon, Jun 17, 2013 at 03:45:04PM +0600, Aleksey I Zavilohin wrote: 17.06.2013 14:23, Alberto Gonzalez Iniesta пишет: On Mon, Jun 17, 2013 at 01:00:23PM +0600, Aleksey I Zavilohin wrote: after upgrade to 2.2.1-8+deb7u1 stop working udp server Hi Aleksey, Did this happen with all clients? Which client versions are you running? yes, for all clients. Different: i can`t check all client. I think 2.1.x and securepoint ssl vpn (packed with openvpn client 2.2.2) - from my side. I traced the problem to the multihome option (and the patch applied in +deb7u1). I'll get in touch with upstream to see if this can be fixed. Thanks for your help, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#712414: Fix for CVE-2013-2061 breaks multihome?
Hi, I applied the fix for CVE-2013-2061 [0] to Debian's stable version of openvpn (2.2.1) [1]. When the new package was sent to the mirrors I got a couple of reports of broken VPNs [2]. After some testing I think the problem arises with the use of multihome option. The server daemon starts to log lots of these: Jun 17 12:43:52 srv ovpn-srv[31073]: write UDPv4 []: Invalid argument (code=22) Jun 17 12:43:53 srv ovpn-srv[31073]: write UDPv4 []: Invalid argument (code=22) If the multihome option is removed, the VPN comes back to live. Could a patch to fix this be made or should we go back to 2.2.1 without the patch to fix CVE-2013-2061? Thanks, Alberto [0] https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707329 [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712414 -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#712414: Problem tracked to GCC optimizations
Seems like the problem was a change in the GCC version between the first 2.2.1-8 build and the current version in Wheezy. Patch upstream here: https://community.openvpn.net/openvpn/ticket/297 I'll contact Stable Release Managers in order to get a new version of openvpn ASAP. In the meantime, could you try the new package (amd64) here [1]? http://fotos.inittab.org/openvpn_2.2.1-8+deb7u2_amd64.deb Thanks, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#712414: openvpn: UDP server stops after update to 2.2.1-8+deb7u1
Hi Richard, I'm not able to reproduce it with a couple of servers, could you provide your config (without the sensible information)? THanks, Alberto On Sat, Jun 15, 2013 at 07:46:40PM +0200, Richard Lucassen wrote: Package: openvpn Version: 2.2.1-8 Severity: grave Justification: renders package unusable Dear Maintainer, After an upgrade, all tunnels to a UDP server stopped working. Here's what's in the logs: Jun 15 18:32:58 server-10.250.3.0-udp-1195-tun2[21034]: 1.2.3.4:36595 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Jun 15 18:32:58 server-10.250.3.0-udp-1195-tun2[21034]: 1.2.3.4:36595 TLS Error: TLS handshake failed Jun 15 18:32:58 server-10.250.3.0-udp-1195-tun2[21034]: 1.2.3.4:36595 SIGUSR1[soft,tls-error] received, client-instance restarting And lots of these: Jun 15 18:32:56 server-10.250.3.0-udp-1195-tun2[21034]: 1.2.3.4:36595 write UDPv4 []: Invalid argument (code=22) There were two instances of an OpenVPN server that stopped working. Downgrading to the previous version (2.2.1-8) resolved the problem. R. -- System Information: Debian Release: 7.1 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.5.7 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages openvpn depends on: ii debconf [debconf-2.0] 1.5.49 ii initscripts2.88dsf-41 ii libc6 2.13-38 ii liblzo2-2 2.06-1 ii libpam0g 1.1.3-7.1 ii libpkcs11-helper1 1.09-1 ii libssl1.0.01.0.1e-2 ii net-tools 1.60-24.2 openvpn recommends no packages. Versions of packages openvpn suggests: ii openssl 1.0.1e-2 pn resolvconf none -- debconf information: openvpn/create_tun: false -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#710217: modsecurity-apache: CVE-2013-2765: NULL pointer dereference
On Tue, Jun 04, 2013 at 06:50:50AM +0200, Salvatore Bonaccorso wrote: Hi Alberto On Wed, May 29, 2013 at 09:17:26AM +0200, Salvatore Bonaccorso wrote: the following vulnerability was published for modsecurity-apache. CVE-2013-2765[0]: NULL pointer dereference Upstream patch is at [1], fixed in 2.7.4[2]. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities Exposures) id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2765 http://security-tracker.debian.org/tracker/CVE-2013-2765 [1] https://github.com/SpiderLabs/ModSecurity/commit/0840b13612a0b7ef1ce7441cf811dcfc6b463fba [2] https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES Please adjust the affected versions in the BTS as needed. Did you had a chance to already look at the upload for unstable? Can you also contact the Stable Release Managers for asking then for the inclusion in the next point release? (Note that the freeze for the NEW queue for it is already the coming weekend). Hi Salvatore, I was the AFK all the weekend, I'm preparing the upload to unstable now, and will contact SRM afterwards. Thanks, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#666848: closed by Alberto Gonzalez Iniesta a...@inittab.org (Bug#666848: fixed in modsecurity-apache 2.6.6-7)
On Thu, May 23, 2013 at 02:19:42PM +0200, Arno Töll wrote: Hi, thanks for your work. Note, that I forgot one more issue which came me in mind later when I already posted a patch. When transitioning to the new conffiles you also possibly need to update the symlink in /etc/apache2/mods-enabled, as it may be dangling otherwise. Everything else should be fine though, although your binary package should be called libapache2-mod-security2. Your .so is called mod_security2.so, so the corresponding binary package should be libapache2-mod-security2, and the .load/.conf files should be named like the .so, too (which is what you did by applying my patch). Hi Arno, Thank you for your patch. I'll check the symlink issue you point. I'll change the package name in an future (soon) upload too. Thanks, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#704625: Tested a bit further the mod_security patch I backported
On Sat, Apr 06, 2013 at 02:43:39PM +0800, Thomas Goirand wrote: Hi, I installed mod_security with the patch I backported, made sure the module was loaded by Apache, and tested to query http://localhost;, then I could see the It works! default Debian Apache page. So, I'd say: so far so good, Apache doesn't crash. Salvatore, could you tell how you find out about this CVE, and are you sure that the commit you linked is fixing the problem (which I do not understand fully...)? If you confirm that you are sure it fixes the CVE, then I believe I could NMU the fixed package in the delayed queue. Hi Thomas and Salvatore, Thanks for the heads-up. Strangely I didn't get the first mail (the bug report), but luckily got Thomas' mails. I'll check this ASAP and make an upload accordingly. Cheers, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#704625: Tested a bit further the mod_security patch I backported
On Sat, Apr 06, 2013 at 12:08:41PM +0200, Salvatore Bonaccorso wrote: Hi Alberto, hi Thomas On Sat, Apr 06, 2013 at 10:50:43AM +0200, Alberto Gonzalez Iniesta wrote: On Sat, Apr 06, 2013 at 02:43:39PM +0800, Thomas Goirand wrote: Hi, I installed mod_security with the patch I backported, made sure the module was loaded by Apache, and tested to query http://localhost;, then I could see the It works! default Debian Apache page. So, I'd say: so far so good, Apache doesn't crash. Salvatore, could you tell how you find out about this CVE, and are you sure that the commit you linked is fixing the problem (which I do not understand fully...)? If you confirm that you are sure it fixes the CVE, then I believe I could NMU the fixed package in the delayed queue. Hi Thomas and Salvatore, Thanks for the heads-up. Strangely I didn't get the first mail (the bug report), but luckily got Thomas' mails. I'll check this ASAP and make an upload accordingly. Bad you have not got the inital mail trough the BTS. :( Thank you for preparing the update. For the new option the default value is Off, if I understand it correctly, but configurable to On/Off. Could you also add a bit of Documentation for it? Could you also prepare an update for squeeze-security for ? Please target there squeeze-security (instead of stable-security) in case the update will happen just when wheezy get's released ;-) to prepare for an update to security-master? Hi again, I've packages ready for sid/wheezy and squeeze. I'm waiting upstream blessing on them before uploading. Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#692936: No remote address supplied after a while
On Sat, Nov 17, 2012 at 06:26:13PM -0500, Antoine Beaupré wrote: Package: openvpn-auth-ldap Version: 2.0.3-4 Followup-For: Bug #692936 Hum. It seems that this packaging is failing to build on kfreebsd, and for good reasons: https://buildd.debian.org/status/fetch.php?pkg=openvpn-auth-ldaparch=kfreebsd-amd64ver=2.0.3-4stamp=1352718255 auth-ldap.m:538:4: error: 'ret' undeclared (first use in this function) I don't know how I missed this, or why this is building here, but it shouldn't build. Here's a new patch that fixes that compile error. A. Thanks! Just uploaded. -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#687866: libapache-mod-security: copyright file missing after upgrade (policy 12.5)
On Thu, Sep 27, 2012 at 06:53:05PM +0200, Salvatore Bonaccorso wrote: Hi Alberto Only a short look at this. The problem is, that after an update from Squeeze to Wheezy, there is still a link /usr/share/doc/libapache-mod-security - mod-security-common But this is gone. So the solution is not exactly the same as in similar bugreports, but the broken symlink needs to be replaced to link to libapache2-modsecurity, if I'm correct. libapache-mod-security is then only a transitional package which Depends on the libapache2-modsecurity package. Does this help? Hi Salvatore, Yes, it does help. I'll try to fix this ASAP (no time yet). Thanks a lot, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#687866: libapache-mod-security: copyright file missing after upgrade (policy 12.5)
On Sun, Sep 16, 2012 at 06:19:18PM +, Bart Martens wrote: After the upgrade /usr/share/doc/libapache-mod-security/ is just an empty directory. agi@lib:~$ mkdir kk agi@lib:~$ cd kk agi@lib:~/kk$ wget http://ftp.de.debian.org/debian/pool/main/m/modsecurity-apache/libapache-mod-security_2.6.6-3_all.deb --2012-09-24 18:06:38-- http://ftp.de.debian.org/debian/pool/main/m/modsecurity-apache/libapache-mod-security_2.6.6-3_all.deb Resolving ftp.de.debian.org (ftp.de.debian.org)... 141.76.2.4 Connecting to ftp.de.debian.org (ftp.de.debian.org)|141.76.2.4|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 17614 (17K) [application/x-debian-package] Saving to: ‘libapache-mod-security_2.6.6-3_all.deb’ 100%[===] 17,614 93.5KB/s in 0.2s 2012-09-24 18:06:38 (93.5 KB/s) - ‘libapache-mod-security_2.6.6-3_all.deb’ saved [17614/17614] agi@lib:~/kk$ dpkg -c libapache-mod-security_2.6.6-3_all.deb drwxr-xr-x root/root 0 2012-07-12 13:08 ./ drwxr-xr-x root/root 0 2012-07-12 13:08 ./usr/ drwxr-xr-x root/root 0 2012-07-12 13:08 ./usr/share/ drwxr-xr-x root/root 0 2012-07-12 13:08 ./usr/share/doc/ drwxr-xr-x root/root 0 2012-07-12 13:08 ./usr/share/doc/libapache-mod-security/ -rw-r--r-- root/root 3239 2012-07-12 13:06 ./usr/share/doc/libapache-mod-security/changelog.Debian.gz -rw-r--r-- root/root 12825 2012-06-15 12:32 ./usr/share/doc/libapache-mod-security/changelog.gz -rw-r--r-- root/root 852 2012-07-12 13:03 ./usr/share/doc/libapache-mod-security/copyright agi@lib:~/kk$ The output produced by piuparts can be found here : http://piuparts.debian.org/squeeze2wheezy/fail/libapache-mod-security_2.6.6-3.log The requested URL /squeeze2wheezy/fail/libapache-mod-security_2.6.6-3.log was not found on this server ? -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#652702: Still GRAVE
On Tue, Dec 20, 2011 at 10:58:46AM +0100, Dr. Markus Waldeck wrote: Hi, you introduced a dependency to the iproute package! openvpn 2.2.0-2 WHITOUT iproute: do_ifconfig, tt-ipv6=0, tt-did_ifconfig_ipv6_setup=0 /sbin/ifconfig tun2 10.1.2.6 pointopoint 10.1.2.5 mtu 1500 openvpn 2.2.1-2 WHITOUT iproute: do_ifconfig, tt-ipv6=0, tt-did_ifconfig_ipv6_setup=0 /bin/ip link set dev tun2 up mtu 1500 Linux ip link set failed: could not execute external program Exiting Yes, I'm back to ifconfig in the next upload. I didn't use iproute on the Debian packages, but couldn't remember why. Only the Linux kernel works with it. Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#652702: openvpn: fails to start after upgrade: Linux ip link set failed: could not execute external program
done
fi
log_end_msg ${STATUS:-0}
;;
stop)
log_daemon_msg Stopping $DESC
if test -z $2 ; then
for PIDFILE in `ls /var/run/openvpn.*.pid 2 /dev/null`; do
NAME=`echo $PIDFILE | cut -c18-`
NAME=${NAME%%.pid}
stop_vpn
log_progress_msg $NAME
done
else
while shift ; do
[ -z $1 ] break
if test -e /var/run/openvpn.$1.pid ; then
PIDFILE=`ls /var/run/openvpn.$1.pid 2 /dev/null`
NAME=`echo $PIDFILE | cut -c18-`
NAME=${NAME%%.pid}
stop_vpn
log_progress_msg $NAME
else
log_failure_msg (failure: No such VPN is running: $1)
fi
done
fi
log_end_msg 0
;;
reload|force-reload)
log_daemon_msg Reloading $DESC
for PIDFILE in `ls /var/run/openvpn.*.pid 2 /dev/null`; do
NAME=`echo $PIDFILE | cut -c18-`
NAME=${NAME%%.pid}
if egrep '^[[:blank:]]*user[[:blank:]]' $CONFIG_DIR/$NAME.conf
/dev/null 21 ; then
stop_vpn
sleep 1
start_vpn
log_progress_msg (restarted)
else
kill -HUP `cat $PIDFILE` || true
log_progress_msg $NAME
fi
done
log_end_msg 0
;;
soft-restart)
log_daemon_msg $DESC sending SIGUSR1
for PIDFILE in `ls /var/run/openvpn.*.pid 2 /dev/null`; do
NAME=`echo $PIDFILE | cut -c18-`
NAME=${NAME%%.pid}
kill -USR1 `cat $PIDFILE` || true
log_progress_msg $NAME
done
log_end_msg 0
;;
restart)
shift
$0 stop ${@}
sleep 1
$0 start ${@}
;;
cond-restart)
log_daemon_msg Restarting $DESC.
for PIDFILE in `ls /var/run/openvpn.*.pid 2 /dev/null`; do
NAME=`echo $PIDFILE | cut -c18-`
NAME=${NAME%%.pid}
stop_vpn
sleep 1
start_vpn
done
log_end_msg 0
;;
status)
GLOBAL_STATUS=0
if test -z $2 ; then
# We want status for all defined VPNs.
# Returns success if all autostarted VPNs are defined and running
if test x$AUTOSTART = xnone ; then
# Consider it a failure if AUTOSTART=none
log_warning_msg No VPN autostarted
GLOBAL_STATUS=1
else
if ! test -z $AUTOSTART -o x$AUTOSTART = xall ; then
# Consider it a failure if one of the autostarted VPN is not defined
for VPN in $AUTOSTART ; do
if ! test -f $CONFIG_DIR/$VPN.conf ; then
log_warning_msg VPN '$VPN' is in AUTOSTART but is not defined
GLOBAL_STATUS=1
fi
done
fi
fi
for CONFIG in `cd $CONFIG_DIR; ls *.conf 2 /dev/null`; do
NAME=${CONFIG%%.conf}
# Is it an autostarted VPN ?
if test -z $AUTOSTART -o x$AUTOSTART = xall ; then
AUTOVPN=1
else
if test x$AUTOSTART = xnone ; then
AUTOVPN=0
else
AUTOVPN=0
for VPN in $AUTOSTART; do
if test x$VPN = x$NAME ; then
AUTOVPN=1
fi
done
fi
fi
if test x$AUTOVPN = x1 ; then
# If it is autostarted, then it contributes to global status
status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn VPN
'${NAME}' || GLOBAL_STATUS=1
else
status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn VPN '${NAME}'
(non autostarted) || true
fi
done
else
# We just want status for specified VPNs.
# Returns success if all specified VPNs are defined and running
while shift ; do
[ -z $1 ] break
NAME=$1
if test -e $CONFIG_DIR/$NAME.conf ; then
# Config exists
status_of_proc -p /var/run/openvpn.${NAME}.pid openvpn VPN
'${NAME}' || GLOBAL_STATUS=1
else
# Config does not exist
log_warning_msg VPN '$NAME': missing $CONFIG_DIR/$NAME.conf file !
GLOBAL_STATUS=1
fi
done
fi
exit $GLOBAL_STATUS
;;
*)
echo Usage: $0
{start|stop|reload|restart|force-reload|cond-restart|soft-restart|status} 2
exit 1
;;
esac
exit 0
-- debconf information:
openvpn/vulnerable_prng:
openvpn/create_tun: false
--
Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico
agi@(inittab.org|debian.org)| en GNU/Linux y software libre
Encrypted mail preferred| http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#600166: openvpn: at start it adds 40 bogus routes not specified in configuration
On Fri, Oct 22, 2010 at 03:29:11PM +0300, Teodor MICU wrote: Hi, On Thu, Oct 21, 2010 at 2:03 PM, Alberto Gonzalez Iniesta a...@inittab.org wrote: I've got a new -2 package (same location) with upstream's solution, instead of mine. Would you mind testing it? That would probably be the one I upload to close this report. I've just tested this package (built on Oct 21) and the problem seems to be fixed. Great! Thanks a lot, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#600166: openvpn: at start it adds 40 bogus routes not specified in configuration
On Fri, Oct 15, 2010 at 05:45:48PM +0300, Teodor MICU wrote: Hi, On Fri, Oct 15, 2010 at 3:39 PM, Alberto Gonzalez Iniesta a...@inittab.org wrote: Could you try with this package [1]? [1] http://etc.inittab.org/~agi/openvpn_2.1.3-2_i386.deb I've reverted the original config on the oVPN server and with the -2 package it works fine as on v2.1.0. Hi Teodor, I've got a new -2 package (same location) with upstream's solution, instead of mine. Would you mind testing it? That would probably be the one I upload to close this report. Thanks, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#600166: openvpn: at start it adds 40 bogus routes not specified in configuration
On Thu, Oct 14, 2010 at 01:15:49PM +0300, Teodor MICU wrote: Hi, On Thu, Oct 14, 2010 at 11:37 AM, Alberto Gonzalez Iniesta a...@inittab.org wrote: Hi, could you attach (without sensitive data) the server and client configurations? Sure. The real company addresses and names were replaced with generic names. Hi Teodor, I think I found the bug. But you can help me confirm this (and solve the problem for the time being). Could you try this (on the server config): Change: push route remote_host 255.255.255.255 net_gateway To: push route OPENVPN_REMOTE_PEER 255.255.255.255 net_gateway Seems there's something wrong with 'remote_host'. I'll check the source now. Thanks, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#600166: openvpn: at start it adds 40 bogus routes not specified in configuration
On Thu, Oct 14, 2010 at 01:15:49PM +0300, Teodor MICU wrote: Hi, On Thu, Oct 14, 2010 at 11:37 AM, Alberto Gonzalez Iniesta a...@inittab.org wrote: Hi, could you attach (without sensitive data) the server and client configurations? Sure. The real company addresses and names were replaced with generic names. Hi Teodor, Could you try with this package [1]? THanks [1] http://etc.inittab.org/~agi/openvpn_2.1.3-2_i386.deb -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#600166: openvpn: at start it adds 40 bogus routes not specified in configuration
On Thu, Oct 14, 2010 at 11:24:40AM +0300, Teodor wrote: Package: openvpn Version: 2.1.3-1 Severity: grave Justification: renders package unusable Hi, I've upgraded openvpn package after migration to 'squeeze'. One of the VPN connections is not working anymore and it adds 40 bogus routes that are not specified anywhere. It should add routes from the server, but it only adds the route to the internal oVPN subnet (it is a 'subnet' configuration) -- thus it renders the package unusable. I've attached the connection log from /var/log/syslog (some real info was replaced with generic names). Hi, could you attach (without sensitive data) the server and client configurations? Thanks, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#569658: ModSecurity Detection Bypass and Denial of Service Vulnerabilities
On Thu, Mar 11, 2010 at 09:03:38AM +0100, Nico Golde wrote: Hi Alberto, what is the status of this bug? Hi Nico, I'm building the new package right now. Thanks for the ping. Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#562778: [Pkg-fglrx-devel] Bug#562778: Same thing here
On Wed, Jan 20, 2010 at 09:08:50PM +0100, Patrick Matthäi wrote: make: *** [kmod_build] Error 2 build failed with return value 2 Upstreams driver does not work with this kernel, we have patched it. A! Good to know. Thanks a lot for the tip :) -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#562778: Same thing here
I get these errors when trying to compile ATI's 9.12 with Linux 2.6.32. The kernel source is from Ubuntu (long story) but the problem with these two versions is not Debian/Ubuntu specific (saw it somewhere else too). And since the kernel module does not build, you get exactly the same errors the original reporter got (and no accel). r...@kickseed:/lib/modules/fglrx/build_mod# LC_ALL=C ./make.sh AMD kernel module generator version 2.1 doing Makefile based build for kernel 2.6.x and higher rm -rf *.c *.h *.o *.ko *.GCC* .??* *.symvers make -C /lib/modules/2.6.32-11-generic/build SUBDIRS=/lib/modules/fglrx/build_mod/2.6.x modules make[1]: Entering directory `/usr/src/linux-headers-2.6.32-11-generic' CC [M] /lib/modules/fglrx/build_mod/2.6.x/firegl_public.o In file included from /lib/modules/fglrx/build_mod/2.6.x/firegl_public.c:443: /lib/modules/fglrx/build_mod/2.6.x/drm_proc.h: In function 'FGLDRM__vma_info': /lib/modules/fglrx/build_mod/2.6.x/drm_proc.h:497: warning: format '%08lx' expects type 'long unsigned int', but argument 5 has type 'phys_addr_t' /lib/modules/fglrx/build_mod/2.6.x/firegl_public.c: In function 'KCL_MapPageToPfn': /lib/modules/fglrx/build_mod/2.6.x/firegl_public.c:1586: warning: unused variable 'bus_addr' CC [M] /lib/modules/fglrx/build_mod/2.6.x/kcl_acpi.o CC [M] /lib/modules/fglrx/build_mod/2.6.x/kcl_agp.o CC [M] /lib/modules/fglrx/build_mod/2.6.x/kcl_debug.o CC [M] /lib/modules/fglrx/build_mod/2.6.x/kcl_ioctl.o CC [M] /lib/modules/fglrx/build_mod/2.6.x/kcl_io.o /lib/modules/fglrx/build_mod/2.6.x/kcl_io.c: In function 'KCL_IO_FASYNC_Terminate': /lib/modules/fglrx/build_mod/2.6.x/kcl_io.c:122: error: 'SIGIO' undeclared (first use in this function) /lib/modules/fglrx/build_mod/2.6.x/kcl_io.c:122: error: (Each undeclared identifier is reported only once /lib/modules/fglrx/build_mod/2.6.x/kcl_io.c:122: error: for each function it appears in.) make[2]: *** [/lib/modules/fglrx/build_mod/2.6.x/kcl_io.o] Error 1 make[1]: *** [_module_/lib/modules/fglrx/build_mod/2.6.x] Error 2 make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-11-generic' make: *** [kmod_build] Error 2 build failed with return value 2 -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#423210: any news?
On Fri, May 22, 2009 at 09:38:33AM +0200, Michael Prokop wrote: Hi, sing still can't be installed in Debian/unstable due to depends on libnet0 instead of libnet1. I think sing has to be removed from Debian, I'll fill a bug against ftp.debian.org. Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#515314: gqcam: Depends on GTK 1.2
On Thu, Feb 26, 2009 at 11:29:30PM -0500, Barry deFreese wrote: tags 515314 + patch thank you Hi, Attached is a patch that builds with Gtk2. It appears that I don't have the hardware to test this with unfortunately so it definitely needs some good testing. Hi Barry, Thanks a lot for looking at this. I applied your patch (and did some cleaning on the package), but the results weren't as expected :( With your patch the application will crash as soon as the mouse pointer hits it. Yeah, start it (you can even see some output from the cam) move your mouse in to its window and... $ gqcam -v /dev/video0 gqcam: Fatal IO error 11 (Resource temporarily unavailable) on X server :0.0. I'm attaching an strace of it, in case it helps. Thanks again, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#486441: fails to start on fresh install, aborts postinst
On Mon, Jun 16, 2008 at 07:44:02AM +0200, martin f krafft wrote: Package: openvpn Version: 2.1~rc7-4 Severity: serious On a completely fresh install: Setting up openvpn (2.1~rc7-4) ... Starting virtual private network daemon.:invoke-rc.d: initscript openvpn, action start failed. dpkg: error processing openvpn (--configure): subprocess post-installation script returned error exit status 1 The init.d script was modified to use LSB functions in the last upload. But that shouldn't break it. Could you run the script with '-x'. Thanks, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#483723: /usr/sbin/openssl-vulnkey: not found
On Fri, May 30, 2008 at 08:33:07PM +0200, martin f krafft wrote:
Package: openvpn
Version: 2.1~rc7-2
Severity: grave
lapse:~|master|% sudo /etc/init.d/openvpn start rw-fregate
Starting virtual private network daemon: rw-fregatesh:
/usr/sbin/openssl-vulnkey: not found
You either meant s/sbin/bin/ or s/ssl/vpn/
Or the file moved:
openssl-blacklist (0.3.2) unstable; urgency=low
* debian/{rules,dirs,openssl-blacklist.install}: move openssl-vulnkey
to /usr/bin (Closes: #482435).
I'll talk with openvpn-blacklist's maintainer to see if openvpn-vulnkey
is also moving and upload a new version accordingly.
Thanks,
Alberto
--
Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico
agi@(inittab.org|debian.org)| en GNU/Linux y software libre
Encrypted mail preferred| http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#454880: Status of this bug
On Mon, Apr 07, 2008 at 12:39:49AM +0530, Kumar Appaiah wrote: Hi! The bug 454880 has been marked pending since 9th December. Could you please arrange to have it uploaded? Note that it is now RC, since gcc 4.3 is the default compiler. Hi, the bug was fixed in the last upload (1.1.1-1) but I had to test it before closing it (thus the 'pending' tag, it was pending some testing :) ). Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
Bug#384454: ftpd (was Bug#384454)
On Sun, Feb 18, 2007 at 09:34:49PM +1100, Paul Szabo wrote: Dear Security team, A stupid little bug crept into (was left in) #384454 and DSA-1217. My fault originally: I humbly apologize. Please correct it for sarge. Hi all, I already asked this, but it wasn't consired important by the sec team. I'm attaching my previous mail. Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 ---BeginMessage--- On Wed, Nov 22, 2006 at 12:05:34PM +0100, Moritz Muehlenhoff wrote: Alberto Gonzalez Iniesta wrote: I just noticed that the package was updated two days ago. I hope I can have a new one today. Or would it be faster if the Sec. Team just applies the changed mention in my mail? Sorry for this. If you can upload a fixed package today, go ahead. I don't think this will ever be triggered in practice, though. The intersection of people running 2.6 kernels with nproc ressource limits in their PAM config and people running legacy netkit ftpds is most definitely empty. Hi Moritz, the problem with the previous bug was that 2.6 kernels DO set proccess limits, whether we want them or not. And the ftpd package installs a pamd.d configuration file with this line: session requiredpam_limits.so So I guess the problem was indeed there and possible to exploit. Anyway, the patch we (and Gentoo) used introduced and new, easier to exploit, bug. The ftpd server is running commands with EGID 'root' instead of the user's one. And as you know, this is not kernel or local configuration dependant. I've just uploaded a fixed version to Sid. Please find attached the diff file for linux-ftpd_0.17-20sarge3. With the following differences from linux-ftpd_0.17-20sarge2: CUT -- CUT -- diff -u linux-ftpd-0.17/ftpd/popen.c linux-ftpd-0.17/ftpd/popen.c --- linux-ftpd-0.17/ftpd/popen.c +++ linux-ftpd-0.17/ftpd/popen.c @@ -174,7 +174,7 @@ * PSz 25 Aug 06 Must check the return status of these setgid/setuid calls, * see http://www.bress.net/blog/archives/34-setuid-madness.html */ - if ( setgid(geteuid()) != 0 ) _exit(1); + if ( setgid(getegid()) != 0 ) _exit(1); if ( setuid(i) != 0 ) _exit(1); #ifndef __linux__ --- linux-ftpd-0.17/debian/changelog +++ linux-ftpd-0.17/debian/changelog @@ -1,3 +1,13 @@ +linux-ftpd (0.17-20sarge3) stable-security; urgency=high + + * Sarge security release. + * Corrected typo in patch used in previous upload that +made the server run some commands with EGID 'root'. +Thanks to Matt Power (for finding out) and +Stefan Cornelius from Gentoo (for warning me). + + -- Alberto Gonzalez Iniesta [EMAIL PROTECTED] Sat, 25 Nov 2006 19:38:59 +0100 + CUT -- CUT -- Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3 linux-ftpd_0.17-20sarge3.diff.gz Description: Binary data signature.asc Description: Digital signature ---End Message---
Bug#384454: closed by Alberto Gonzalez Iniesta [EMAIL PROTECTED] (Bug#384454: fixed in linux-ftpd 0.17-20sarge2)
On Sun, Feb 18, 2007 at 07:24:16AM +1100, Paul Szabo wrote: Dear Maintainer, Yes, the bug in the patch was mine: meant to check the return status of setgid(getegid()) but somehow managed to mis-type that into setgid(geteuid()). Stupid mistake. Shame on me. Now, linux-ftpd_0.17-20sarge2.diff.gz was dated September 2006 as per your latest closure message http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384454;msg=44 (or maybe 20 Nov 2006 as per http://www.debian.org/security/2006/dsa-1217 or 13 Nov 2006 as the date on current http://security.debian.org/pool/updates/main/l/linux-ftpd/linux-ftpd_0.17-20sarge2.diff.gz ) and contains the wrong patch. So this seems fixed in etch 0.17-23 since 25 Nov 2006, but not yet in sarge (==stable) 0.17-20sarge2. Please fix for sarge also. I sent the fix to the security team, but they decided to ignore it. I wasn't in the mood to fight with them... Feel free to contact them at [EMAIL PROTECTED] You can Cc me if you want. Regards, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
Bug#403317: upgrading openvpn removes/recreates the init.d links
On Sat, Dec 16, 2006 at 10:15:36AM +0100, Christoph Berg wrote: Package: openvpn Version: 2.0.7-1 Severity: serious Justification: breaks user config Hi, yesterday, I upgraded my notebook to etch. Before that, I moved the S??openvpn link in /etc/rc2.d to K??openvpn, because I don't use the VPN at the moment. After the upgrade, the links was back, at S16. Looking into this, the reason was that I run at high debconf priority, and there is a medium question (openvpn/change_init2) asking me if I wanted that change to be made, defaulting at yes. I think the default should be no. That's what /etc/default/openvpn is for. You don't want to run it, just set AUTOSTART=none. Just like many other packages. -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
Bug#348076: Cleaning up
retitle 348076 Kmyfirewall Hangs and KDE also does severity 348076 normal tags 348076 moreinfo unreproducible thanks tronko Hi, I'm not able to reproduce this behavior, but it could be due to a erroneous firewall config, and had nothing to do with Kmyfirewall per se. So please, let me know the exact actions you took to reproduce it so I may be able to judge/solve it. By the way, you must be pretty sure the application is really broken to submit a bug with severity 'Critical', I'm setting it to normal till further info is available. Thanks, Alberto -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#336751: openvpn: OpenVPN 2.0.4 Released -- Note security fixes
Packages for Sarge, until they get released by the security team may by found at: http://etc.inittab.org/~agi/ Packages for sid/testing will be uploaded RSN. -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
Bug#321044: libapache-mod-auth-pgsql: FTBFS: Cannot find libpq-fe.h
On Sat, Sep 10, 2005 at 04:05:26PM +0200, Kurt Roeckx wrote: found 321044 0.9.12-8 thanks Hi, It's still failing to build. The path /usr/include/postgresql/8.0 is wrong. And it seems to be /usr/include/postgresq again. Ouch! From the changelog from postgresql-8.0 8.0.3-13: * Move back client include files to /usr/include/postgresql/ for now to not render all client packages unbuildable which have not yet converted to pg_config: Arrrg! You should use pg_config to find those paths: pg_config --includedir returns: /usr/include/postgresql [EMAIL PROTECTED]:~$ pg_config --includedir /usr/include/postgresql/8.0 I was using an outdated version of libpq-deb (8.0.3-7). Upgrading system and updating package. Thanks, Alberto -- Alberto Gonzalez Iniesta| Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred| http://inittab.com Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
