Bug#1066313: fixed upstream
These issues are fixed upstream in main, but there is not a release. The fix is in commit 1171bf2fd4e7a0cab02cf5fca59090b65af9cd29. Clément, would you pull that fix into the package to resolve this FTBFS?
Bug#938737: u1db: Python2 removal in sid/bullseye
Moritz Mühlenhoff writes:

> On Fri, Aug 30, 2019 at 07:57:06AM +, Matthias Klose wrote:
>> Package: src:u1db
>> Version: 13.10-6.4
>> Severity: normal
>> Tags: sid bullseye
>> User: debian-pyt...@lists.debian.org
>> Usertags: py2removal
>>
>> Python2 becomes end-of-life upstream, and Debian aims to remove
>> Python2 from the distribution, as discussed in
>> https://lists.debian.org/debian-python/2019/07/msg00080.html
>>
>> Your package either build-depends, depends on Python2, or uses Python2
>> in the autopkg tests. Please stop using Python2, and fix this issue
>> by one of the following actions.
>
> Hi Micah,
> per Wikipedia the Ubuntu One cloud storage has been shut down many years
> ago, should this simply be removed?

We were not using it for Ubuntu One cloud storage, but instead as its more generic use case as "a cross-platform, cross-device, syncable database API", which we modified to have client-side encrypted database replicas and documents.

However, it is not being used any longer, and should simply be removed.

-- micah
Bug#895381: Severity
Hello Sergio,

I'm reviewing bugs that are currently release critical at our local bug squashing party, and I stumbled on yours. I'm not disputing this bug exists, I'm just trying to determine why it is you set the severity to "Serious".

As you are probably aware, this severity indicates that this is a severe violation of Debian policy (violates a "must" or "required" directive), or in the package maintainer's opinion, makes the package unsuitable for release.

Can you specify what part of Debian policy this issue makes this bug severity "Serious"?

Thanks!

-- micah
Bug#892340: Status of upload?
Hello Marc,

I'm checking up on RC bugs, because we are working on a Bug Squashing Party here. Back in November, you were saying you were going to combine this fix with a bump of upstream's version:

> I was planning to combine this with an update from upstream.

I'm wondering if you are planning on doing this soon? If you aren't, maybe we could upload the package with the fix?

-- micah
Bug#859927: Works, uploaded to DELAYED-3
That fix works, I've done a NMU fixed package and uploaded it to DELAYED-3. Micah
Bug#859927: Confirmed
I've confirmed this bug, as reported:

I installed lighttpd:

  The following NEW packages will be installed:
    lighttpd spawn-fcgi
  0 upgraded, 2 newly installed, 0 to remove and 326 not upgraded.
  Need to get 299 kB of archives.
  After this operation, 1,019 kB of additional disk space will be used.
  Do you want to continue? [Y/n]
  Get:1 http://httpredir.debian.org/debian sid/main amd64 lighttpd amd64 1.4.45-1 [284 kB]
  Get:2 http://httpredir.debian.org/debian sid/main amd64 spawn-fcgi amd64 1.6.4-1+b1 [14.9 kB]
  Fetched 299 kB in 1s (194 kB/s)
  Selecting previously unselected package lighttpd.
  (Reading database ... 206019 files and directories currently installed.)
  Preparing to unpack .../lighttpd_1.4.45-1_amd64.deb ...
  Unpacking lighttpd (1.4.45-1) ...
  Selecting previously unselected package spawn-fcgi.
  Preparing to unpack .../spawn-fcgi_1.6.4-1+b1_amd64.deb ...
  Unpacking spawn-fcgi (1.6.4-1+b1) ...
  Setting up spawn-fcgi (1.6.4-1+b1) ...
  Setting up lighttpd (1.4.45-1) ...
  Created symlink /etc/systemd/system/multi-user.target.wants/lighttpd.service → /lib/systemd/system/lighttpd.service.
  Processing triggers for systemd (232-20) ...
  Processing triggers for man-db (2.7.6.1-2) ...

and confirmed it is running:

  root@reeds:/home/micah/debian/lighttpd-1.4.45# ps auxw |grep lighttpd
  www-data 2129 0.0 0.0 58924 5452 ?Ss 15:03 0:00 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
  root 4119 0.0 0.0 12788 956 pts/3S+ 15:03 0:00 grep lighttpd

I enabled the module as described in the bug:

  root@reeds:/home/micah/debian/lighttpd-1.4.45# lighttpd-enable-mod fastcgi-php
  Met dependency: fastcgi
  Enabling fastcgi-php: ok
  Enabling fastcgi: ok
  Run "service lighttpd force-reload" to enable changes
  root@reeds:/home/micah/debian/lighttpd-1.4.45# service lighttpd force-reload

and now lighttpd is not running:

  root@reeds:/home/micah/debian/lighttpd-1.4.45# ps auxw |grep lighttpd
  root 4223 0.0 0.0 12788 980 pts/3S+ 15:04 0:00 grep lighttpd

I will attempt to apply the patch and see if it works.

micah
Bug#817521: libapache-mod-removeip: Removal of debhelper compat 4
Hello,

intrigeri writes:

> Hi Micah,
>
> Adrian Bunk:
>> Can you anyway NMU this package?
>
>> The alternative is that it will get removed from stretch soon.
>
> Well, it's not a goal of mine to include as many packages in Stretch
> as possible. So I really don't want to be the one who decides that
> a given package will be part of a Debian stable release, if its
> maintainers are not ready to support it there; in this case, I see
> little indication that they are. (And backports are always an option
> anyway :)
>
> Micah, what do you think? If you're ready to support the package in
> Stretch, I'm happy to give some one-shot help by NMU'ing it over the
> week-end.

It would be great if the package could continue to be in Stretch. Unfortunately, I have not been able to address this issue, and would be very happy if you could NMU the work you did to fix this issue!

micah
Bug#848766: reel: FTBFS: ERROR: Test "ruby2.3" failed: Failure/Error: response = http.request(request)
Antonio Terceiro writes:

>> Relevant part (hopefully):
>> > Failure/Error: response = http.request(request)
>> >
>> > OpenSSL::SSL::SSLError:
>> >SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert
>> > unsupported certificate

Hmm, I built the reverse depends on ruby-certificate-authority and found this failure in reel, and patched it in 0.6.1-3 to fix this error. I'm surprised it's back, that means something didn't go right with my patch. I'll have a look at it.

> Micah, was there a specific reason to package an unreleased snapshot of
> ruby-certificate-authority? The changelog doesn't really say anything.

The last official upstream tagged release and gem publish was August 2012. The upstream author bumped the version to 2.0 in Sept. 2012, and there have been a number of important fixes (including security) since then. There is also a request in the github issue tracker for a new release in May 2014, no response. I spoke with the original packager (Sebastien Badia) about updating this to the current master which fixes those issues, and he gave the go ahead if we resolved all the reverse-deps.

micah
Bug#761114: network-manager: erroneously removes externally provided routes
Package: network-manager
Version: 0.9.10.0-2
Severity: serious
Tags: patch
Justification: breaks unrelated software

Hello,

When using unrelated software, such as openvpn, that pushes default routes, network-manager immediately (and incorrectly) removes that route. This is new behavior in 0.9.10, it does not do this in previous versions.

I spent quite a bit of time debugging this issue with upstream NM people on their IRC channel, in the end they came up with a patch that was committed upstream in git with the following hash: 06703c1670d0f96834b268920b09792e22fdb4c4

I tested this change, and it worked well for me, previously I uploaded a NMU, with this patch, thinking that this was #755015, and it successfully fixed the problem for me and others I know who are experiencing this issue. However, the NMU was not acknowledged in -2, due to it being targeted for the incorrect bug number.

Considering that this effectively breaks all OpenVPN setups (and other software that modifies default routes) that are not using network-manager's built-in VPN mechanisms, this seems to me a serious regression over previous versions.

Seeing as upstream has acknowledged this issue and provided a fix for it and that fix has been tested and even migrated to testing, it seems to me appropriate to cherry-pick the change in the package without waiting for the next major release of NM.

I'm happy to re-NMU this fix, this time with the right bug number. Attached is the NMU diff (I'd only add the bug number to the changelog).
micah -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages network-manager depends on: ii adduser3.113+nmu3 ii dbus 1.8.6-2 ii init-system-helpers1.21 ii isc-dhcp-client4.3.1-1 ii libc6 2.19-10 ii libdbus-1-31.8.6-2 ii libdbus-glib-1-2 0.102-1 ii libgcrypt111.5.4-3 ii libglib2.0-0 2.40.0-5 ii libgnutls-deb0-28 3.3.7-2 ii libgudev-1.0-0 208-8 ii libmm-glib01.2.0-1 ii libndp01.4-1 ii libnewt0.520.52.17-1 ii libnl-3-2003.2.24-2 ii libnl-genl-3-200 3.2.24-2 ii libnl-route-3-200 3.2.24-2 ii libnm-glib40.9.10.0-2 ii libnm-util20.9.10.0-2 ii libpam-systemd 208-8 ii libpolkit-gobject-1-0 0.105-6.1 ii libreadline6 6.3-8 ii libsoup2.4-1 2.46.0-2 ii libsystemd-daemon0 208-8 ii libsystemd-login0 208-8 ii libteamdctl0 1.12-1 ii libuuid1 2.20.1-5.8 ii lsb-base 4.1+Debian13 ii policykit-10.105-6.1 ii udev 208-8 ii wpasupplicant 1.1-1 Versions of packages network-manager recommends: ii crda 3.13-1 ii dnsmasq-base 2.71-1 ii iptables 1.4.21-2 ii modemmanager 1.2.0-1 ii ppp 2.4.6-2 Versions of packages network-manager suggests: ii avahi-autoipd 0.6.31-4 pn libteam-utils none -- Configuration Files: /etc/NetworkManager/NetworkManager.conf changed: [main] plugins=ifupdown,keyfile [ifupdown] managed=false [logging] -- no debconf information diff -Nru network-manager-0.9.10.0/debian/changelog network-manager-0.9.10.0/debian/changelog --- network-manager-0.9.10.0/debian/changelog 2014-07-10 00:49:54.0 -0400 +++ network-manager-0.9.10.0/debian/changelog 2014-08-11 12:37:33.0 -0400 
@@ -1,3 +1,11 @@ +network-manager (0.9.10.0-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Pull patch from upstream to fix checks for default +routes + + -- Micah Anderson mi...@debian.org Mon, 11 Aug 2014 12:08:31 -0400 + network-manager (0.9.10.0-2) unstable; urgency=medium * New upstream release. diff -Nru network-manager-0.9.10.0/debian/patches/0006-Fix-checks-for-default-routes network-manager-0.9.10.0/debian/patches/0006-Fix-checks-for-default-routes --- network-manager-0.9.10.0/debian/patches/0006-Fix-checks-for-default-routes 1969-12-31 19:00:00.0 -0500 +++ network-manager-0.9.10.0/debian/patches/0006-Fix-checks-for-default-routes 2014-08-11 12:37:08.0 -0400 @@ -0,0 +1,83 @@ +Index: network-manager-0.9.10.0/src/nm-ip4-config.c +=== +--- network-manager-0.9.10.0.orig/src/nm-ip4-config.c 2014-07-03 20:44:19.0 -0400 network-manager-0.9.10.0/src/nm-ip4-config.c 2014-07-29 19:42:06.965378158 -0400 +@@ -198,7 +198,7 @@ + for (i = 0; i priv-routes-len; i++) { + const NMPlatformIP4Route *route = g_array_index (priv-routes, NMPlatformIP4Route, i); + +- if (route-network == 0) { ++ if (NM_PLATFORM_IP_ROUTE_IS_DEFAULT (route)) { + if (route-metric
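Review bot: the 0.9.10.0-2.1 entry in the debian/changelog hunk closes no bug and does not name the upstream commit that was pulled, so the upload will not mark anything fixed in the BTS; the report itself says the earlier NMU went unacknowledged because it was targeted at the wrong bug number. Add "(Closes: #761114)" to the "Pull patch from upstream to fix checks for default routes" item and cite upstream commit 06703c1670d0f96834b268920b09792e22fdb4c4 there. The new debian/patches/0006-Fix-checks-for-default-routes file also begins directly at "Index:" with no description, origin or bug header; record the upstream commit and the Debian bug number at the top of the patch so a later maintainer can tell when it can be dropped.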
Bug#758318: FTBFS: missing build-depends: sp
Package: bird Version: 1.4.4-1 Severity: serious Tags: patch Justification: Fails to build from source Hello, The bird package currently fails to build from source because during the pdf generation phase it cannot find /usr/bin/nsgmls. Simply adding the 'sp' package to the build-depends makes it work again. The attached patch shows this. I'm happy to upload this as a NMU if it would help you. make[2]: Entering directory '/home/micah/debian/bird-1.4.4/doc' /home/micah/debian/bird-1.4.4/tools/progdoc /home/micah/debian/bird-1.4.4 /Doc /doc/Doc prog-intro.sgml /nest/Doc rt-fib.c rt-table.c Warning(551): Function parameter 'before_old' not described in 'rte_announce' Warning(1446): Function parameter 'tab' not described in 'rt_prune_table' rt-attr.c proto.sgml proto.c Warning(731): Function parameter 'UNUSED' not described in 'graceful_restart_done' proto-hooks.c Warning(161): Function parameter 'buflen' not described in 'get_attr' iface.c neighbor.c Warning(352): Function parameter 'a' not described in 'neigh_ifa_update' cli.c locks.c /conf/Doc conf.c cf-lex.l Warning(561): Function parameter 'c' not described in 'cf_lex_init' /filter/Doc filter.c tree.c trie.c Warning(84): Function parameter 'lp' not described in 'f_new_trie' /proto/Doc /proto/bfd/Doc bfd.c /proto/bgp/Doc bgp.c Warning(729): Function parameter 'UNUSED' not described in 'bgp_incoming_connection' packets.c attrs.c /proto/ospf/Doc ospf.c topology.c Warning(1610): Function parameter 'pool' not described in 'ospf_top_new' neighbor.c iface.c packet.c lsalib.c dbdes.c rt.c /proto/pipe/Doc pipe.c /proto/rip/Doc rip.c auth.c /proto/radv/Doc radv.c packets.c /proto/static/Doc static.c ../nest/rt-dev.c /sysdep/Doc sysdep.sgml /sysdep/unix/Doc log.c Warning(106): Function parameter 'buf' not described in 'log_commit' krt.c /lib/Doc ip.c ipv4.c ipv6.c lists.c checksum.c bitops.c patmatch.c printf.c xmalloc.c resource.sgml resource.c mempool.c slab.c event.c ../sysdep/unix/io.c Warning(454): Function parameter 
'fmt_spec' not described in 'tm_format_datetime' ./sgml2html prog.sgml Processing file prog.sgml sh: 1: /usr/bin/nsgmls: not found ./sgml2latex --output=tex prog.sgml Processing file prog.sgml sh: 1: /usr/bin/nsgmls: not found pdflatex prog.tex This is pdfTeX, Version 3.14159265-2.6-1.40.15 (TeX Live 2014/Debian) (preloaded format=pdflatex) restricted \write18 enabled. entering extended mode ! I can't find file `prog.tex'. * prog.tex (Press Enter to retry, or Control-D to exit) Please type another input file name: -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages bird depends on: ii adduser 3.113+nmu3 ii libc6 2.19-7 ii libreadline6 6.3-8 ii libtinfo5 5.9+20140712-2 bird recommends no packages. Versions of packages bird suggests: ii bird-doc 1.4.4-1 diff --git a/debian/changelog b/debian/changelog index f8b69d0..0f662e4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +bird (1.4.4-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Add sp package to Build-depends to provide missing /usr/bin/nsgmls +fixing FTBFS + + -- Micah Anderson mi...@debian.org Sat, 16 Aug 2014 15:45:29 -0400 + bird (1.4.4-1) unstable; urgency=medium * New upstream version 1.4.4 diff --git a/debian/control b/debian/control index 5d10ec6..27c3bd8 100644 --- a/debian/control +++ b/debian/control @@ -12,7 +12,7 @@ Build-Depends: quilt, autotools-dev, xsltproc, docbook-xsl, - linuxdoc-tools-latex + linuxdoc-tools-latex, sp Maintainer: Ondřej Surý ond...@debian.org Standards-Version: 3.9.5 Vcs-Browser: http://git.debian.org/?p=users/ondrej/bird.git
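Review bot: in the debian/control hunk, "sp" is appended to the same line as "linuxdoc-tools-latex" while every other Build-Depends entry shown sits on its own line; put it on a separate line ("linuxdoc-tools-latex," followed by "sp") so later diffs of the field stay one package per line. The debian/changelog entry for 1.4.4-1.1 also closes no bug; add "(Closes: #758318)" to the "Add sp package to Build-depends" item so the upload marks this FTBFS report as fixed.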
Bug#737149: CVE-2014-1691: Remote code execution in horde 5.1.1
Package: horde3 Version: 3.3.8+debian0-2 Severity: serious Tags: security Justification: security issue Hello, As detailed on the debian security tracker[0] and reported on oss-sec[1] and assigned CVE 2014-1691, there is a remote code execution bug in horde affecting all versions from at least horde 3.1.x to 5.1.1. That includes squeeze... I've got a patch that applies to the horde3 package in squeeze that resolves this issue, please find it attached[2]... I've built and tested these packages on Squeeze in an active environment. I am not certain where this particular code is used, so I wasn't sure if I was able to test exactly that code path. If you would like, I can provide a package for squeeze for a DSA. Micah 0. https://security-tracker.debian.org/tracker/CVE-2014-1691 1. http://seclists.org/oss-sec/2014/q1/153 2. https://gist.github.com/pietro/8712454/raw/b03bc5ecb7ec1f1f778b867ecd6d9d142d0ddaf7/gistfile1.diff -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages horde3 depends on: ii apache2 2.4.7-1 ii apache2-bin [httpd] 2.4.7-1 ii libapache2-mod-php5 5.5.8+dfsg-3 ii libjs-scriptaculous 1.9.0-2 ii php-log 1.12.7-1 ii php-mail 1.2.0-5 ii php-mail-mime1.8.8-1 ii php5-gd 5.5.8+dfsg-3 ii php5-mcrypt 5.5.8+dfsg-3 Versions of packages horde3 recommends: pn fckeditor none ii locales2.17-97 ii logrotate 3.8.7-1 pn php-date none ii php-db 1.7.14-2 pn php-file none ii php-mdb2 2.5.0b5-1 pn php-mdb2-driver-mysql | php-mdb2-driver-pgsql | php-mdb2-driv none pn php-services-weather none ii php5-cli 5.5.8+dfsg-3 pn php5-mysql | php5-pgsql | php5-ldapnone pn tinymce2 | tinymce none Versions of packages horde3 suggests: pn chora2none pn enscript none ii gettext 0.18.3.2-1 pn gollemnone pn 
imp4 none pn kronolith2none ii libgeoip1 1.6.0-1 pn libwpd-tools none pn mnemo2none pn php-net-imap none pn php5-auth-pam none ii php5-common [php5-mhash] 5.5.8+dfsg-3 pn ppthtml none pn rpm none pn source-highlight none pn turba2none pn unrtf none pn webcppnone pn wvnone pn xlhtmlnone -- Configuration Files: /etc/horde/horde3/.htaccess [Errno 13] Permission denied: u'/etc/horde/horde3/.htaccess' /etc/horde/horde3/conf.php [Errno 13] Permission denied: u'/etc/horde/horde3/conf.php' /etc/horde/horde3/conf.xml [Errno 13] Permission denied: u'/etc/horde/horde3/conf.xml' /etc/horde/horde3/hooks.php [Errno 13] Permission denied: u'/etc/horde/horde3/hooks.php' /etc/horde/horde3/mime_drivers.php [Errno 13] Permission denied: u'/etc/horde/horde3/mime_drivers.php' /etc/horde/horde3/motd.php [Errno 13] Permission denied: u'/etc/horde/horde3/motd.php' /etc/horde/horde3/nls.php [Errno 13] Permission denied: u'/etc/horde/horde3/nls.php' /etc/horde/horde3/prefs.php [Errno 13] Permission denied: u'/etc/horde/horde3/prefs.php' /etc/horde/horde3/registry.d/README [Errno 13] Permission denied: u'/etc/horde/horde3/registry.d/README' /etc/horde/horde3/registry.php [Errno 13] Permission denied: u'/etc/horde/horde3/registry.php' -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#716909: Should be resolved
close 716909
thanks

I believe that I've resolved this, the following addresses are allowed to send, if there is an additional ftp master email that needs to be allowed, please let me know and I will add that:

d...@ftp-master.debian.org, debb...@bugs.debian.org, debb...@busoni.debian.org, debian-bugs-d...@lists.debian.org, f...@debian.org, instal...@ftp-master.debian.org, nore...@release.debian.org, ow...@bugs.debian.org, ow...@busoni.debian.org, ow...@packages.qa.debian.org, p...@qa.debian.org,pabs q...@master.debian.org

micah
Bug#710163: CVE-2013-1629: Man in the middle possibility
Package: python-pip
Version: 1.1-3
Severity: serious
Tags: security
Justification: security

Hello,

It appears as if python-pip in Debian (all versions supported) suffers from CVE-2013-1629. This CVE appears to still be reserved, but is clearly described in a few places on the internet[0],[1].

A new version uploaded to sid would solve this problem there, but to backport these issues to wheezy and squeeze may be a bit difficult.

Thanks,
micah

0. http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
1. https://github.com/TheTorProject/ooni-backend/pull/1#discussion_r4084881

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.8-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-pip depends on:
ii python2.7.3-5
ii python-pkg-resources 0.6.37-1
ii python-setuptools 0.6.37-1
ii python2.6 2.6.8-2

Versions of packages python-pip recommends:
ii build-essential 11.6
pn python-dev-all none

python-pip suggests no packages.

-- no debconf information
Bug#710164: CVE-2013-1629: Man in the middle possibility
Package: python-virtualenv
Version: 1.7.1.2-2
Severity: serious
Tags: security
Justification: security

Hello,

It seems as if python-virtualenv embeds a copy of pip[0], and there is a security issue with python-pip noted as CVE-2013-1629 which affects squeeze and wheezy (it appears fixed in sid and jessie). This issue currently is marked as 'reserved' by Mitre, but it is clearly defined on the internet[1],[2].

Please coordinate with the debian security team to update this package as soon as possible to resolve this issue. Please reference this CVE and bug number in any changelog dealing with this problem.

Micah

0. This is in violation of debian policy '4.13 Convenience copies of code' and should be fixed to depend on the version of python-pip in the archive.
1. http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
2. https://github.com/TheTorProject/ooni-backend/pull/1#discussion_r4084881

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.8-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#698294: [Pkg-puppet-devel] Bug#698294: Bug#698294: diff for NMU 2.7.18-2.1
Russ Allbery r...@debian.org writes:

Anton Gladky gl...@debian.org writes:

Ok, I canceled the upload. We cannot postpone Wheezy-release, waiting for every upstream's decision. If the solution works, why should not it be applied? Otherwise the package should be removed from testing.

The solution may work, but if upstream deems the code insufficient it might be because of some very important reasons. For example, it might make this specific situation work, but breaks other things, or only works for one case, but not another, or many other possible reasons. For this issue, what caused this upstream was a fix for another issue, and I am not sure that the proposed fix will cause the original issue to re-appear, I don't want a regression for that issue to come up as a result.

I don't think it is such a great idea to stuff something into the Debian package that upstream has a problem with, it tends to make upstream unhappy when they have to deal with the fact that it exists in the Debian package for years. In particular I'm thinking of how great they have been when security issues have come up and they've produced backports of fixes for the versions that we carry. If their backports aren't going to work because we decided to put in some code that they didn't like in the first place, how do we deal with the security fix then?

The problem is mildly obscure (many Puppet manifests, including very complex and non-trivial ones, will never trigger this error condition) and absolutely does not warrant removing the package from testing. In fact, I'm tempted to downgrade it to important again, although if there is a tested upstream fix, I'd be in favor of applying it for wheezy.

I have to agree with Russ, this is a kind of weird corner case.

micah
Bug#698294: [Pkg-puppet-devel] Bug#698294: diff for NMU 2.7.18-2.1
Anton Gladky gl...@debian.org writes:

Hi, I have rescheduled an upload for 15-days. Or you want me to cancel it completely?

Anton

On 03/01/2013 12:45 PM, Stig Sandbeck Mathisen wrote:

That patch was marked as Code Insufficient in the upstream bug tracker two weeks ago at http://projects.puppetlabs.com/issues/7680#note-18

Please delay it until this is resolved by upstream.

As far as I know, there is no 'DELAYED/until this is resolved by upstream' queue :)

Uploading something that upstream has deemed insufficient code, even to DELAYED-15 doesn't seem like the right thing to do, especially since this places an arbitrary deadline on upstream.

I think it best to cancel this upload until we have a clear fix from upstream. I understand that this issue impacts you and you would like a resolution, but I think that the right thing to do here is to speed up that resolution with upstream. Figure out what it is that is insufficient in the code and get that resolved. Once upstream is happy with the code, then we can look at what needs to be done to get this into Debian.
Bug#700350: dovecot-core: fails to upgrade from squeeze to bpo: Can't locate feature.pm in @INC
Marco Nenciarini mnen...@kcore.it writes:

On 12 Feb 2013, at 17:16, Jaldhar H. Vyas wrote:

Thanks for the patch but if the diagnosis is correct it seems it will not be needed as -7 took out the perl code. So backporting that should solve the problem. Unfortunately I am rather pressed for time right now and the other dovecot maintainers even more so. Micah can you take care of this?

I can take care of backporting if it's ok for you all.

please go ahead, I'm quite busy until next week myself.

micah
Bug#681549: Still present in 1.2.0-3
Dane Elwell dane.elw...@ukfast.co.uk writes:

This bug seems to still exist in CouchDB 1.2.0-3 update that was pushed out recently in Wheezy.

  Setting up couchdb (1.2.0-3) ...
  Installing new version of config file /etc/init.d/couchdb ...
  Installing new version of config file /etc/logrotate.d/couchdb ...
  [] Starting database server: couchdbApache CouchDB needs write permission on the PID file: /var/run/couchdb/couchdb.pid failed!
  invoke-rc.d: initscript couchdb, action start failed.
  dpkg: error processing couchdb (--configure):
   subprocess installed post-installation script returned error exit status 1
  Errors were encountered while processing:
   couchdb
  E: Sub-process /usr/bin/dpkg returned an error code (1)

I think this happens when you upgrade from 1.2.0-2, where the bad ownership was, to 1.2.0-3 where it is fixed. If you install 1.2.0-3 directly, without ever having 1.2.0-2 installed, you no longer have the problem.
Bug#681549: Unsuitable for release
severity 681549 serious
thanks

I'm marking this bug as serious (accidentally made it grave a minute ago), because I believe that it makes the package unsuitable for release, and the fix is trivial, so it should be able to be brought into wheezy without issue.

This issue renders the package uninstallable:

  Starting database server: couchdbApache CouchDB needs write permission on the PID file: /var/run/couchdb/couchdb.pid failed!
  invoke-rc.d: initscript couchdb, action start failed.
  dpkg: error processing couchdb (--configure):
   subprocess installed post-installation script returned error exit status 1
  Errors were encountered while processing:
   couchdb
  E: Sub-process /usr/bin/dpkg returned an error code (1)
Bug#680235: debirf: wheezy minimal image segfaults during boot
Hi Lucas,

* Lucas Nussbaum lu...@lucas-nussbaum.net [2012-09-30 03:43-0400]:

On 08/09/12 at 23:03 -0400, Daniel Kahn Gillmor wrote:

Control: tags 680235 + unreproducible moreinfo

Hi Lucas--

On 07/04/2012 10:40 AM, Lucas Nussbaum wrote:

I generate a wheezy 'minimal' image using debirf (running it as root, since running it as normal user fails). After generation, I try to boot it using:

  kvm -m 512 -kernel vmlinuz-3.2.0-2-amd64 -initrd debirf-minimal_wheezy_3.2.0-2-amd64.cgz

During boot, I get:

  [0.419335] rtc_cmos 00:01: RTC can wake from S4
  [0.419735] rtc_cmos 00:01: rtc core: registered rtc_cmos as rtc0
  [0.420093] rtc0: alarms up to one day, 114 bytes nvram, hpet irqs
  [0.420392] cpuidle: using governor ladder
  [0.420629] cpuidle: using governor menu
  [0.420987] TCP cubic registered
  [0.421230] NET: Registered protocol family 10
  [0.423396] Mobile IPv6
  [0.423606] NET: Registered protocol family 17
  [0.423868] Registering the dns_resolver key type
  [0.424263] registered taskstats version 1
  [0.424643] rtc_cmos 00:01: setting system clock to 2012-07-04 14:30:03 UTC ( 1341412203)
  [0.425109] Initializing network drop monitor service
  [0.426024] Freeing unused kernel memory: 572k freed
  [0.426406] Write protecting the kernel read-only data: 6144k
  [0.428208] Freeing unused kernel memory: 672k freed
  [0.430214] Freeing unused kernel memory: 684k freed
  [0.432194] init[31]: segfault at 57d71c ip 0044104d sp 7fff83ab1 7f0 error 7 in sh[40+1b3000]
  Segmentation fault
  unpacking rootfs...
  [1.340047] Refined TSC clocksource calibration: 2793.734 MHz.

i've been unable to reproduce this with existing versions, including 0.33 (just uploaded to unstable). Are you able to see this on other hardware? do you still have the image you created available? i'd be happy to take a look at it and try to dissect what's happening.

Hi, I confirm that I can still reproduce this in wheezy using debirf 0.32. Using debirf 0.33 (only package that was updated when testing; same machine), it works fine both using the minimal.tgz example from debirf 0.32, and the one from debirf 0.33.

I've uploaded the broken image to
http://blop.info/pub/vmlinuz-3.2.0-3-amd64
http://blop.info/pub/debirf-minimal_wheezy_3.2.0-3-amd64.cgz

To reproduce, boot with

  kvm -m 512 -kernel vmlinuz-3.2.0-3-amd64 -initrd debirf-minimal_wheezy_3.2.0-3-amd64.cgz

I just downloaded your two files and did the kvm command that you provided and I did not get the segfault, rather it booted up to this:

  /proc/cmdline: No such file or directory
  Debian GNU/Linux wheezy/sid (none) tty1
  (none) login:

but otherwise, I do not get the segfault that you experience. The only difference here is that I was running in Squeeze. Unfortunately, I could not find a wheezy box with amd64 and kvm extensions. I'll ask around to see what I can find.

micah
Bug#678072: [Pkg-puppet-devel] Bug#678072: puppet-lint: fails to run
Holger Levsen hol...@layer-acht.org writes:

severity 678072 serious
thanks

On Tuesday, 19 June 2012, John Eikenberry wrote:

Running puppet-lint fails every time, with or without any arguments. This coincided with a recent change of ruby to default to 1.9.1 instead of 1.8. The puppet-common package, which puppet-lint depends on, doesn't include support for 1.9.1.

as ruby will default to 1.9 in wheezy this will make the package completely unusable, thus raising the severity.

According to: https://github.com/rodjek/puppet-lint/issues/103 - this should work with 1.9.2, this patch doesn't appear in the debian package, and looks pretty trivial.

The reported issue seems to be pretty different from what was reported in the upstream github though.

micah
Bug#675971: what should we be doing?
Is the situation that all users that are at 1.2.3-348 and older can speak to each other and all users that are at 1.2.3-349 and greater can speak to each other, but >=349 cannot speak to <=348 users?

If so, is the intended plan for everyone to bump up to >=349?

If that is true, at the very least this warrants a NEWS entry.

micah
Bug#666865: Unarchive: The problem still persists
Arno Töll a...@debian.org writes: Hi, On 24.05.2012 19:12, micah anderson wrote: Do you have a way of testing this? I've set up something that I believe should let the messages through based on the X-Loop header, but need to test that it is working. There was a mistake in what was done, but that has been fixed now. Well, basically I will reply to you through the BTS. If my message reaches you, the problem seems fixed (pretending you didn't whitelist me explicitly given I'm the only one to complain :). It looks like this went through fine on my end. Shall we close the bug? micah
Bug#666865: Unarchive: The problem still persists
Arno Töll a...@debian.org writes: Hello, reopening the bug as the problem still persists. Do you have a way of testing this? I've set up something that I believe should let the messages through based on the X-Loop header, but need to test that it is working. micah
Bug#666865: Unarchive: The problem still persists
micah anderson mi...@riseup.net writes: Arno Töll a...@debian.org writes: Hello, reopening the bug as the problem still persists. Do you have a way of testing this? I've set up something that I believe should let the messages through based on the X-Loop header, but need to test that it is working. There was a mistake in what was done, but that has been fixed now. micah
Bug#666865: bug mail bounces
Stefan Fritsch s...@sfritsch.de writes: Hi, I think the problem is that you can't match on the Sender or From headers, because those remain unmodified for BTS mail. But BTS mail seems to have X-Loop: ow...@bugs.debian.org and X-Debian-PR-Source: name-of-source-package Maybe you can match on either of those. I can't think of any mailing list software that allows for matching on headers to allow messages to the list. Seeing as it's not an uncommon scenario for group maintained packages to use a mailing list for their communication, and receiving to the mailing list bugs from the tracker is important, this restriction seems a problem.
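The header match discussed in this message, as an added example that is not part of the original thread or of any mailing list software: a filter that holds mail from unknown senders unless it carries the BTS X-Loop header and an X-Debian-PR-Source naming one of the list's own packages. The X-Loop address (truncated on this page), the sender allow-list and the sample messages are constructed placeholders.

```python
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed placeholder: the real X-Loop value is truncated on this page.
BTS_LOOP_ADDRESS = "bts-loop@bugs.example.org"
# Source packages this list maintains (the package named in the bug).
TEAM_SOURCE_PACKAGES = {"libapache-mod-removeip"}
# Ordinary sender allow-list of the list (constructed).
ALLOWED_SENDERS = {"member@example.org"}


def _addresses(msg, header):
    """Lower-cased addresses from every occurrence of a header."""
    values = [str(v) for v in msg.get_all(header, [])]
    return {addr.lower() for _name, addr in getaddresses(values) if addr}


def classify(raw_message):
    """Return 'accept:sender', 'accept:bts' or 'hold' for one message."""
    msg = message_from_string(raw_message, policy=policy.default)

    # Normal path: the sender is on the list's allow-list.
    if _addresses(msg, "From") & ALLOWED_SENDERS:
        return "accept:sender"

    # BTS path: From/Sender stay those of the bug submitter, so match on
    # the headers the BTS adds instead. Both are required: X-Loop alone
    # would admit BTS mail about any package. Headers are set by the
    # sending side, so this narrows what gets through; it does not
    # authenticate the origin.
    loops = _addresses(msg, "X-Loop")
    sources = {
        str(v).strip().lower()
        for v in msg.get_all("X-Debian-PR-Source", [])
    }
    if BTS_LOOP_ADDRESS in loops and sources and sources <= TEAM_SOURCE_PACKAGES:
        return "accept:bts"

    return "hold"


def sample(headers):
    """Build a constructed test message from (name, value) pairs."""
    return "".join(f"{name}: {value}\n" for name, value in headers) + "\nbody\n"


# Constructed sample messages.
BTS_REPORT = sample([
    ("From", "Reporter <reporter@example.net>"),
    ("To", "team-list@example.org"),
    ("Subject", "Bug#666865: bug mail bounces"),
    ("X-Loop", BTS_LOOP_ADDRESS),
    ("X-Debian-PR-Source", "libapache-mod-removeip"),
])
OTHER_PACKAGE = sample([
    ("From", "Reporter <reporter@example.net>"),
    ("X-Loop", BTS_LOOP_ADDRESS),
    ("X-Debian-PR-Source", "some-other-package"),
])
NO_LOOP_HEADER = sample([
    ("From", "Reporter <reporter@example.net>"),
    ("X-Debian-PR-Source", "libapache-mod-removeip"),
])
LIST_MEMBER = sample([
    ("From", "Member <Member@Example.org>"),
    ("Subject", "ordinary list mail"),
])

if __name__ == "__main__":
    for name in ("BTS_REPORT", "OTHER_PACKAGE", "NO_LOOP_HEADER", "LIST_MEMBER"):
        print(name, classify(globals()[name]))
```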
Bug#672893: security: private archives available to all
Package: sympa Version: 6.0.1+dfsg-4 Severity: grave Tags: security patch Justification: user security hole It is possible to open the archive management (arc_manage) page for any list, even those set to only be available to members, giving anyone the option to download the archive, or delete the archive. http://www.sympa.org/distribution/latest-stable/NEWS Patch for the version in stable: https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.0-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=6706&r2=7358&pathrev=7358 Please reference CVE-2012-2352 in any changelogs addressing this issue. micah System Information: Debian Release: wheezy/sid Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
Bug#666865: Unarchive: The problem still persists
On Sun, 06 May 2012 12:17:04 +0200, Arno Töll a...@debian.org wrote: Hi Micah, On 06.05.2012 06:13, micah anderson wrote: What address is not working? I looked around for a canonical list of role addresses that should accept emails, but I couldn't find one, so I gathered as many as I could and added them. Policy says in §3.3: The email address given in the Maintainer control field must accept [..] non-spam mail from the bug-tracking system. Yes, I am aware of that policy section that lacks any specifics. However, you don't as you are dropping mail from people who contact you through the BTS (i.e. not over explicit carbon copies). I'm afraid I don't understand what that means. How do people contact me through the BTS? If it's not through debb...@bugs.debian.org, debb...@busoni.debian.org, nore...@release.debian.org, ow...@bugs.debian.org, or ow...@busoni.debian.org then I do not understand how an individual can contact a package's listed address through the BTS. I'm sorry I must seem dense here, but perhaps you could provide me with an example? This makes it impossible to contact you over the BTS. If you really think such sender restrictions make sense, you should at least make sure you do accept mail from people sent via the BTS, e.g. by whitelisting mail from the BTS mail server (busoni.debian.org). I won't whitelist the entire BTS mail server, not without a more narrow definition of where things are coming from. micah
Bug#666865: Unarchive: The problem still persists
On Sat, 05 May 2012 19:04:06 +0200, Arno Töll a...@debian.org wrote: Hello, reopening the bug as the problem still persists. What address is not working? I looked around for a canonical list of role addresses that should accept emails, but I couldn't find one, so I gathered as many as I could and added them. I've added: d...@ftp-master.debian.org debb...@bugs.debian.org debb...@busoni.debian.org debian-bugs-d...@lists.debian.org f...@debian.org instal...@ftp-master.debian.org nore...@release.debian.org ow...@bugs.debian.org ow...@busoni.debian.org ow...@packages.qa.debian.org p...@qa.debian.org q...@master.debian.org but that isn't covering it, so I'd like to know what other one is needed. micah
Bug#660206: [debian-mysql] Bug#660206: This is a regression
On Mon, 09 Apr 2012 10:21:08 -0700, Clint Byrum cl...@fewbar.com wrote: Excerpts from micah anderson's message of Sun Apr 08 10:13:40 -0700 2012: severity 660206 serious thanks This is actually a regression, the only way to get things to work again is to downgrade package like such: apt-get install mysql-server-5.1=5.1.49-3 mysql-client-5.1=5.1.49-3 mysql-common=5.1.49-3 mysql-server-core-5.1=5.1.49-3 libmysqlclient16=5.1.49-3 micah So, I'm not sure I agree that this is such a serious regression. I would agree that this is not a *very* serious regression, but it's a regression nonetheless. In my opinion an unintended regression is not suitable for release as a security upload and should be replaced as soon as a fix becomes available. *lenny* shipped with rails 2.1.0. 1.2.6 was released in 2007, and is not supported in Debian at all. The referenced upstream bug talks about using client versions older than 4.1, which is basically ancient. I agree. However, the reality is that the security upgrade brought in unrelated changes to the security upgrade and caused unrelated software to break. I'm not disputing that this is a regression introduced by the upstream jump to 5.1.61, but I don't know that it's worth downgrading and losing security updates for. Perhaps the client libraries should be updated to something that is still supported by upstream and/or Debian. The two choices here are to either downgrade mysql, or to upgrade client libraries. While it seems sensible to upgrade client libraries to a newer supported version, one should not have to do that because of a security upgrade of another package.
That option takes you from the realm of routine security maintenance into the much more serious realm of migrating completely other software to new client libraries that would require a significant architecture overhaul (I don't know how much you know about rails, but the difference between 2.1 and 2.2 is not a trivial minor release, but typically involves almost a complete rewrite). During a maintenance window, when you are expecting to only do an isolated security upgrade of a package, the last thing the sysadmin who is performing the upgrade is going to do is to re-write some other code to deal with a surprise regression in the security package. So while I do agree with you that the 'right' thing to do is to get the software updated to newer client libraries, rather than to have exposed security holes, the reality is that until that can happen (and in one case that I am dealing with, that re-write is in progress, but is 6 months out) I would hope that stable-security or a stable update would include a fix to this regression, when it comes available. micah
Bug#666865: libapache-mod-removeip: Maintainer address does not accept mail from role accounts
The maintainer address you added to your package does not accept mail from role accounts, including but not limited to the bug tracking system. This is a policy violation as of §3.3: The email address given in the Maintainer control field must accept mail from those role accounts in Debian used to send automated mails regarding the package. This includes non-spam mail from the bug-tracking system, all mail from the Debian archive maintenance software, and other role accounts or automated processes that are commonly agreed on by the project. Thanks, I've updated the allow list, unfortunately there doesn't seem to be a good canonical list of the aliases that are needed, it would be a good idea to have that so people can properly follow policy. micah
Bug#659392: Some information
On Tue, 14 Feb 2012 19:22:29 -0500, micah anderson mi...@riseup.net wrote: CVE-2012-0791 has a simple changeset: Sorry, I switched these CVE issues, this one is actually CVE-2012-0909 https://github.com/horde/horde/commit/208eae43c95136a67104f760027a8892a22b6e25 it touches two files: framework/Form/lib/Horde/Form/Type.php framework/Form/package.xml neither of these files is in horde3 or imp4 that is in Squeeze. For the other issue CVE-2012-0909, that seems to affect Squeeze's IMP, this one is actually CVE-2012-0791. and a changeset between version 4.3.10 and 4.3.11 was published here: http://ftp.horde.org/pub/imp/patches/patch-imp-h3-4.3.10-h3-4.3.11.gz Squeeze has 4.3.7 - I've looked at the changeset above with a co-worker and it does not look too hard to port to the debian version. We'll do so in the next couple of days if nobody else does first. have a patch, testing it now.
Bug#659392: Info received (debdiff)
On Wed, 15 Feb 2012 13:57:55 -0500, micah mi...@algae.riseup.net wrote: Attached is a debdiff against the squeeze version to fix imp4. I forgot to mention that I've built a package off of this diff and tested it and it seems to work fine (I have no way of testing that the XSS issue is fixed). micah
Bug#659392: Some information
I've been trying to figure out if this issue affects stable. The issues point to this openwall post: http://www.openwall.com/lists/oss-security/2012/01/22/2 which has actual git commits for things. CVE-2012-0791 has a simple changeset: https://github.com/horde/horde/commit/208eae43c95136a67104f760027a8892a22b6e25 it touches two files: framework/Form/lib/Horde/Form/Type.php framework/Form/package.xml neither of these files is in horde3 or imp4 that is in Squeeze. For the other issue CVE-2012-0909, that seems to affect Squeeze's IMP, and a changeset between version 4.3.10 and 4.3.11 was published here: http://ftp.horde.org/pub/imp/patches/patch-imp-h3-4.3.10-h3-4.3.11.gz Squeeze has 4.3.7 - I've looked at the changeset above with a co-worker and it does not look too hard to port to the debian version. We'll do so in the next couple of days if nobody else does first. micah
Bug#657942: frei0r-plugins: Cannot install
Package: frei0r-plugins Version: 1.1.22git20091109-1.1 Severity: serious It's impossible to install this package. The following packages have unmet dependencies: frei0r-plugins : Depends: libcvaux2.1 but it is not installable Depends: libhighgui2.1 but it is not installable -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages frei0r-plugins depends on: ii libc6 2.13-24 ii libcv2.1 2.1.0-7+b2 ii libcvaux2.1 none ii libgavl1 none ii libgcc1 1:4.6.2-12 ii libhighgui2.1 none ii libstdc++6 4.6.2-12 frei0r-plugins recommends no packages. frei0r-plugins suggests no packages.
Bug#653107: Should this package be removed?
On Fri, 23 Dec 2011 23:40:20 +0100, Moritz Muehlenhoff j...@debian.org wrote: Package: util-vserver Severity: serious util-vserver hasn't seen an upload since 1.5 years and vserver support has been dropped from the Debian kernels post-Squeeze. Should util-vserver be removed as well? I'm not sure. Before the kernel team started providing vserver kernels, I was providing a kernel source patch set, which still requires the user-space utilities to exist. I haven't decided if I will do that again, it depends on lxc maturing enough to be a usable alternative, which so far it has not and until it does, I'm not convinced that vservers should go away in debian.
Bug#629998: Conflicting st binary name
Hi, It was written: We're also tossing around changing the OpenStack 'st' to 'swiftly'. Whatever it becomes, it'll likely happen in our next release, 1.4.1. It appears that 1.4.3 is the latest version, with 1.4.4 coming. Did this rename happen, and if so, can we resolve this issue (perhaps by uploading a new version?) thanks! micah ps - thanks for your work on this project, and zigo for the packaging!
Bug#629998: Conflicting st binary name
On Mon, 26 Sep 2011 23:33:50 +0800, Thomas Goirand tho...@goirand.fr wrote: On 09/26/2011 10:43 PM, Gregory Holt wrote: Yes, the rename did happen: st -> swift I'm not sure who/how the Debian packaging for OpenStack Swift is handled, but I expect they're listed on this bug so probably got emailed. Hi, I have seen that Glance and Swift are now released (code name Diablo, version 2011.3 for Glance, and 1.4.4 for Swift). I have seen that both Glance and Swift seems ok for an upload, but I want to do functional testing of them before the upload, and for the moment, Nova fails with its unit tests. So please bear with me and allow a bit more of time, so that I can make my tests before the uploads. Seems reasonable! FYI, OpenStack got released last Friday, and I'm only discovering what's new in this release. It's not exactly a very simple thing, so it may take some time until I can upload. Oh wow, I had no idea it was just released! I didn't mean to pressure you :) Also, there's now an Alioth project for it, and I'd be very happy to have help on releasing this new version in Debian. I can't commit to helping there now, I'm trying to get rid of some commitments now because I am overextended. Depending on how that goes, and if we decide to use OpenStack, I will keep that in mind! thanks again for your work on this, it's very much appreciated! micah
Bug#614864: ping?
Hi folks, This security issue really needs to be dealt with, I'm concerned that we are getting close to one month from when the bug was first reported to the BTS, we are already over one month from when the bug was reported upstream. I'm looking for any feedback on the work I did... micah
Bug#614864: patch
Hi, I decided to help a little bit moving these issues forward. I did what I could, but now the more experienced debian rails people need to act. In particular, there is a decision that needs to be made for CVE-2011-0446, and a review of the fix I did for CVE-2011-0447. I am happy to help facilitate in any other way, but I need others who have more experience to weigh in on those. Both of these CVEs affect all versions of rails, including those in oldstable. CVE-2011-0446 - Patch for rails 2.3 to fix CVE-2011-0446 is here: http://rubyonrails-security.googlegroups.com/attach/365b8a23b76a6b4a/2-3-mailto.patch?part=3 The upstream commit id is: abe97736b8316f1b714cac56c115c0779aa73217 Looking through the commit log for the above fix, it was done to rails 2.3.11, which has had three other commits that touched actionpack/lib/action_view/helpers/url_helper.rb, the largest one is 9ca6df83f606a0fb8be3815328111d0cdaa7c65b which backports html_safe and the latest rails_xss plugin. This change seems to be a pre-requisite for the security fix, the sad thing is that it is a big change. I did not do anything with CVE-2011-0446 as it was intrusive, hopefully others who have experience with this package can weigh in on the best way forwards with this one. Once this is resolved a security release could happen. CVE-2011-0447 - The patch for rails 2.1 to fix CVE-2011-0447 is here: http://rubyonrails-security.googlegroups.com/attach/c22ea1668c0d181c/2-1-csrf.patch?part=3 I was able to cherry-pick this commit (d622353dd399908770473d417ecef028524b8c8b) from upstream's git repo into the debian debian-lenny branch without any conflicts. I went ahead and did that and have committed it, along with a changelog entry and a NEWS entry that comes straight from the mailing list. It is my opinion that the fix for lenny in 2.1 is done. Please someone who has more skills in rails review this to make sure it is good, and then I think it can be uploaded after contacting the security team. 
The patch for rails 2.3 to fix CVE-2011-0447 is here: http://rubyonrails-security.googlegroups.com/attach/c22ea1668c0d181c/2-3-csrf.patch?part=5 I was able to cherry-pick this commit (9998f79b9cf9c60b07baf4c23a02178034e06d85) from upstream's git repo into the debian v2.3-stable branch without any conflicts. I also went ahead and committed this change, along with a changelog entry and a NEWS entry that came from the mailing list, identical to the debian-lenny 2.1 one above. Once CVE-2011-0446 has been resolved for 2.3, then this can be uploaded. A few notes: 1. I noticed that the upload that made it into squeeze was never tagged as debian/2.3.5-1.2, so I went ahead and did that. 2. I wasn't sure what the difference between the branch 'debian-lenny' and v2.1-stable were. The 'debian-lenny' one seemed to have the most recent security fixes, and had a debian directory, so I went with that one. 3. v2.3-stable seemed to be the place for squeeze fixes, which differs from the nomenclature used in #2, perhaps that fix should be in a debian-squeeze branch? If so, then please change it, and clarify #2 for v2.3-stable too. Micah
Bug#603882: util-vserver: startup script breaks boot (on sparc)
On Thu, 18 Nov 2010 04:13:20 +0100 (CET), Daniel Hokka Zakrisson dan...@hozac.com wrote: What dietlibc version was used to build the binaries? Does it have http://people.linux-vserver.org/~dhozac/p/m/delta-dietdirent-fix01.diff applied? IIRC this was one way that problem exhibited itself. Looking at the build logs for sparc, it looks like 0.32-5 of dietlibc was used. Looking at the debian source for that version of dietlibc, and comparing it to the patch you reference, no it was not applied. That patch is odd, all it does is move the int below the char buf[PAGE_SIZE-(sizeof (int)*3)]; what is going on there? micah
Bug#603882: util-vserver: startup script breaks boot (on sparc)
On Thu, 18 Nov 2010 04:13:20 +0100 (CET), Daniel Hokka Zakrisson dan...@hozac.com wrote: What dietlibc version was used to build the binaries? Does it have http://people.linux-vserver.org/~dhozac/p/m/delta-dietdirent-fix01.diff applied? IIRC this was one way that problem exhibited itself. Actually, I lied. The patch *is* applied. I was looking at the unpatched source, but if I looked at the patched source before it's built, it is in fact there. micah
Bug#600206: libcompass-ruby: compass apparently completely broken
On Tue, 16 Nov 2010 15:18:56 +0530, Deepak Tripathi dee...@debian.org wrote: Hi Steve, Sorry for delay; I was on vacation to India (Raj). Yes actually popcon is very low for libcompass-ruby but I will still discuss with Micah Anderson mi...@debian.org who is the primary maintainer for this module and will update about his thought to the bug reports asap. I don't mind it being removed from testing. micah
Bug#593465: Please try
On Thu, 21 Oct 2010 13:15:58 +0200 (CEST), Jan Kontze kon...@ub.fu-berlin.de wrote: Hi Micah, I Wrote: Hi Micah! Hi, I just posted a follow-up to the Debian bug you reported about the squirrelmail security regression. I neglected to CC you, so you probably didn't know about it. But could you have a look and try the fixed package that I've uploaded and then report back to the bug report? For your convenience, I'm speaking of this one: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593465 thanks! micah Yes, your fix (gotten from: http://people.debian.org/~micah/squirrelmail_1.4.15-4+lenny4_all.deb) seems to solve the problem with 8-bit char passwords in my setup - I could log in without problem into squirrelmail with such a password. Thank you a lot! :-) the new package seems to have a negative side effect: the search via squirrelmail now gives an error and yields no results any more. What I see is this when I search: ERROR: Could not complete request. Query: FETCH (FLAGS UID RFC822.SIZE INTERNALDATE BODY.PEEK[HEADER.FIELDS (Date To Cc From Subject X-Priority Importance Priority Content-Type)]) Reason Given: Error in IMAP command received by server. Is that the same as you? micah
Bug#593465: found where function was added upstream
I looked at the SM upstream source for their SM-1_4-STABLE branch, and found that they added this function Mon Jul 27, 2009, as evidenced here: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php?r1=13733&r2=13789 Considering that the version of SM that is in Lenny was uploaded in December of 2008, the sqimap_run_literal_command would not have been there thus would need to be added for the security update. It looks like the update that Thijs prepared[0] added that function. Why it doesn't work is what needs to be determined. micah 0. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593465#10
Bug#593465: tried the fix too
I tried the fixed package too, and I got the same error as reported by Jan Kontze. I'm running courier imapd from Lenny, and perdition. I looked at the fix some more on the SM websvn, and I think I found a missing hunk that was applied at the same time the security fix was, but is *not* in the debian package: 216a218,221 { $response = 'OK'; break 2; } I just applied that on top of Thijs' fixed package, and then attempted to login with a user with an 8-bit character in their password, and it worked. I think that if this hunk was added along with the missing function that was included in Thijs' package, it should solve the regression. micah
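Review bot: the hunk at 216a218,221 is given in normal diff format with no file name and no context lines, so it cannot be seen which condition guards the added block that sets $response = 'OK', or which two enclosing constructs break 2 leaves. Reposting it as a unified diff against the named file, with the upstream revision it was taken from, would let it be checked against the package source before it goes into the security update.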
Bug#593465: Try this fixed package
I've uploaded a package that includes my fix, it seems to be working well for me. If other people on this bug report can try it to see if it works for them, that would be helpful. you can get the package here: http://people.debian.org/~micah/squirrelmail_1.4.15-4+lenny4_all.deb note: source packages are in the same directory. micah
Bug#598074: additionally produces this error
r...@nuthatch:~# /etc/init.d/ipsec stop Stopping strongSwan IPsec failed: starter is not running /etc/init.d/ipsec: line 96: return: : numeric argument required micah
Bug#595432: perdition: Missing dependency: make
Package: perdition Version: 1.17.1-2 Severity: serious Justification: Policy 3.5 I tried to install my backport of perdition onto my lenny box and got this: (Reading database ... 36581 files and directories currently installed.) Preparing to replace perdition 1.17.1-2 (using perdition_1.19~rc3-1~bpo50+1_i386.deb) ... /var/lib/dpkg/info/perdition.prerm: line 6: make: command not found Unpacking replacement perdition ... dpkg: error processing perdition (--install): dependency problems - leaving unconfigured Processing triggers for man-db ... Errors were encountered while processing: perdition hrm, looks like perdition requires make in the postinst. Perhaps this could be fixed in a point release? -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
Bug#587913: libcompass-ruby: package broken
tag 587913 +moreinfo tag 587913 +unreproducible severity 587913 normal thanks On Fri, 02 Jul 2010 18:00:30 +0200, Christophe Moille whil...@doomfr.com wrote: Package could not be installed. The following information may help to resolve the situation: Can you provide more information about how your apt preferences/policies and sources are setup? You seem to be running a mixed stable/testing environment? I have no problem installing. The following packages have unmet dependencies: libcompass-ruby: Depends: libcompass-ruby1.8 but it is not going to be installed Depends: libfssm-ruby but it is not going to be installed This doesn't happen to me, instead it looks like this to me: algae:/home/micah# apt-get install libcompass-ruby Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: libcompass-ruby1.8 libfssm-ruby The following NEW packages will be installed: libcompass-ruby libcompass-ruby1.8 libfssm-ruby 0 upgraded, 3 newly installed, 0 to remove and 1 not upgraded. Need to get 402kB of archives. After this operation, 1,790kB of additional disk space will be used. Do you want to continue [Y/n]? Get:1 http://debian.lcs.mit.edu sid/main libcompass-ruby1.8 0.8.17debian-1 [385kB] Get:2 http://debian.lcs.mit.edu sid/main libfssm-ruby 0.1.4-2 [3,060B] Get:3 http://debian.lcs.mit.edu sid/main libcompass-ruby 0.8.17debian-1 [13.1kB] Fetched 402kB in 0s (705kB/s) Selecting previously deselected package libcompass-ruby1.8. (Reading database ... 299065 files and directories currently installed.) Unpacking libcompass-ruby1.8 (from .../libcompass-ruby1.8_0.8.17debian-1_all.deb) ... Selecting previously deselected package libfssm-ruby. Unpacking libfssm-ruby (from .../libfssm-ruby_0.1.4-2_all.deb) ... Selecting previously deselected package libcompass-ruby. Unpacking libcompass-ruby (from .../libcompass-ruby_0.8.17debian-1_all.deb) ... Setting up libcompass-ruby1.8 (0.8.17debian-1) ... 
Setting up libfssm-ruby (0.1.4-2) ... Setting up libcompass-ruby (0.8.17debian-1) ... algae:/home/micah#
Bug#577366: [Pkg-puppet-devel] Bug#577366: Bug#577366: puppet: FTBFS: install: invalid user `puppet'
On Fri, 16 Apr 2010 14:23:25 +1000, Andrew Pollock apoll...@debian.org wrote: On Sun, Apr 11, 2010 at 10:15:14AM +0200, Lucas Nussbaum wrote: install -Dp -m0644 -o puppet -g puppet ext/rack/files/config.ru \ /build/user-puppet_0.25.4-3-amd64-zxBvTe/puppet-0.25.4/debian/puppetmaster/usr/share/puppet/rack/puppetmasterd install: invalid user `puppet' make: *** [install] Error 1 Looks like this was introduced in commit 93a3ed1e3b70fe394f7ac96c235d527347ad57d2. Micah, the brown paper bag is all yours ;-) Right, however I'm afraid your solution to this issue was not the right one. We actually *do* want the config.ru file owned by the user puppet because passenger will suid to that user. Perhaps a better answer would be to do this in a postinst? micah
Bug#574532: libffi-ruby: FTBFS: missing build-dep on ruby1.9.1
On Thu, 18 Mar 2010 17:06:51 -0400, Aaron M. Ucko u...@debian.org wrote: Package: libffi-ruby Version: 0.6.2debian-4 Severity: serious Justification: fails to build from source Hi, Micah! libffi-ruby fails to build because it tries to run ruby1.9.1 but build-depends instead on the old ruby1.9 package: /usr/bin/ruby1.9.1 debian-setup.rb config --installdirs=std make: /usr/bin/ruby1.9.1: Command not found make: *** [install/libffi-ruby1.9.1] Error 127 Could you please correct that? Yes, certainly. thanks for letting me know. I have one other bug I need to resolve before I can upload, but I expect to do it soon. Also, please correct the libffi-ruby binary package's dependency to be on libffi-ruby1.8 rather than libruby1.8. (Likewise for libcompass-ruby, libfssm-ruby and librb-inotify-ruby; please let me know if you'd like me to file separate reports for them.) It seems that when you re-use things, you tend to copy all the bugs too. I'll fix these as well. micah
Bug#574142: [DRE-maint] Bug#574142: merb non-DSFG
Packaging updated, see changelog: http://github.com/opscode/opscode-packages/tree/master/debian/merb/Debian Cc tfheen for upload sponsorship. This package is in the debian-ruby-extras team svn repository and was updated last night to fix this issue. I had uploaded it, but the orig.tar.gz in the archive didn't match the one that was generated by my uscan, so it got rejected. I'm re-doing that upload now. The difference between the change in the github repository and the svn repository is pretty minor, they are effectively identical. The only difference is the change is done in the team's svn repository. It appears you've done the work on the package in the past, do you have access to commit to the svn repository? micah
Bug#558685: some more information and patch on rails issues
* Steffen Joeris steffen.joe...@skolelinux.de [2010-01-30 17:13-0500]:
> Hi Adam
>
> These issues have been assigned CVE ids, see below:
>
> CVE-2009-4214[0]:
> | Cross-site scripting (XSS) vulnerability in the strip_tags function in
> | Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
> | attackers to inject arbitrary web script or HTML via vectors involving
> | non-printing ASCII characters, related to HTML::Tokenizer and
> | actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
>
> CVE-2008-7248[1]:
> | Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify
> | tokens for requests with certain content types, which allows remote
> | attackers to bypass cross-site request forgery (CSRF) protection for
> | requests to applications that rely on this protection, as demonstrated
> | using text/plain.
>
> CVE-2008-7248 does not seem to affect lenny since it does not include 'text' in the @@unverifiable_types. The upstream patch for this issue is here[2] and needs to be included in the sid version.

I can confirm that the lenny version does not include 'text' in the @@unverifiable_types in the mime_type.rb. I also can confirm that the sid/squeeze version contains 'text', and thus they are affected and need updating.

> CVE-2009-4214 affects lenny as well and the upstream patch is here[3], please have a deeper look at that change, because I didn't. :)

I can confirm that this one affects lenny. It also affects the sid/squeeze version, so this will need to be updated as well.

> I guess due to CVE-2009-4214 we could fix this via a DSA. When you prepare the updated packages for lenny, please also include a fix for CVE-2009-3086[4].

Sounds like a DSA for Lenny which hits both CVEs, as well as an upload to sid, with urgency=high, seems to be the name of the game here.

micah
Bug#474087: Tested and NMU'ing 2
On Sun, 31 Jan 2010 01:32:01 +0100, Sebastian Harl tok...@debian.org wrote:
> Hi,
>
> On Sat, Jan 30, 2010 at 07:23:35PM -0500, micah wrote:
>> As part of the fun at the NYC BSP, I decided to try and fix this issue. I built this package, with the patch that Simon McVittie submitted. I then asked someone to test this on a system with ipmi and it seemed to work fine:
>
> Side note: The pkg-config commands are, of course, unrelated to IPMI being available on some system. In my earlier E-mail, I was referring to testing the OpenIPMI tools included in the package.

Ah, I didn't understand that. I don't actually have any idea how to test the ipmi tools included in the package. I'm happy to arrange a test or two to make sure that they are working as expected, if you can tell me what I should run?

>> aromatase:/var/temp# pkg-config --libs OpenIPMIpthread
>> -pthread -lOpenIPMIpthread -lOpenIPMIutils -lOpenIPMI
>
> I suppose, you're missing a newline here ;-)

Sorry, the missing line is just the:

aromatase:/var/temp#

Micah
Bug#566913: 566913: twisted-doc: recommends obsolete twisted-doc-api
As part of the BSP party here in NYC, I'm NMU'ing this, uploading to the 3-day DELAYED queue with this patch (with only a minor change in the changelog to include the Closes line for this bug).

thanks!

micah
Bug#552825: klibc: FTBFS: usr/kinit/nfsmount/mount.c:179: error: 'MNTPROC_MNT' undeclared (first use in this function)
Hi maks!

* maximilian attems m...@stro.at [2010-01-31 04:44-0500]:
> On Wed, Oct 28, 2009 at 11:41:14AM +0100, Lucas Nussbaum wrote:
>> Source: klibc
>> Version: 1.5.15-1
>> ...
>> During a rebuild of all packages in sid, your package failed to build on amd64.
>>
>> Relevant part:
>> gcc -Wp,-MD,usr/kinit/nfsmount/.mount.o.d -nostdinc -iwithprefix include -Iusr/include/arch/x86_64 -Iusr/include/bits64 -Iusr/klibc/../include -Iusr/include -Ilinux/include -D__KLIBC__=1 -D__KLIBC_MINOR__=5 -D_BITSIZE=64 -fno-stack-protector -m64 -Os -fno-asynchronous-unwind-tables -fomit-frame-pointer -falign-functions=1 -falign-jumps=1 -falign-loops=1 -W -Wall -Wno-sign-compare -Wno-unused-parameter -c -o usr/kinit/nfsmount/mount.o usr/kinit/nfsmount/mount.c
>> usr/kinit/nfsmount/mount.c: In function 'mount_call':
>> usr/kinit/nfsmount/mount.c:179: error: 'MNTPROC_MNT' undeclared (first use in this function)
>> ...
>> The full build log is available from: http://people.debian.org/~lucas/logs/2009/10/28/klibc_1.5.15-1_lsid64.buildlog
>
> known, have a local patch for that, need to push upstream to also get a real release of latest git, thanks.

Just poking you on this... your last email was from October, any progress on this RC bug?

thx!

micah
Bug#563380: [DRE-maint] Bug#563380: libgpgme-ruby1.8: /usr/lib/ruby/1.8/gpgme.rb:898:in `new': Unknown error code (GPGME::Error)
On Sun, 17 Jan 2010 19:56:47 +0100, Jérémy Bobbio lu...@debian.org wrote:
> On Sat, Jan 02, 2010 at 01:45:50PM +0100, Jérémy Bobbio wrote:
>> The version of libgpgme-ruby1.8 currently in Debian is not compatible with the version of libgpgme actually in Debian.
>> […]
>> This problem breaks schleuder in sid, so a fix or an updated version would be very much welcome.
>
> Ping? Should I do an NMU?

Hey Jérémy!

Although there are specific maintainers for ruby libraries maintained under the pkg-ruby-extras team (and libgpgme-ruby seems to be maintained by Rudi Cilibrasi cilib...@debian.org), I think that most everyone has had other team members do work on others' packages, and I suspect that one should assume a low-threshold NMU policy in general.

It would be better if you joined the team and updated the package via the subversion repository, it would reduce the work on everyone in general, however I would completely understand if you didn't feel like joining yet another team, and it's certainly not reasonable to ask that all users of a package be part of the maintenance team :)

micah
Bug#544756: [Secure-testing-team] Bug#544756: linux-image-2.6.26-2-686: Kernel still vulnerable by dsa-1862
* Christoph Siess c...@geekhost.info [2009-09-02 14:57-0400]:
> Package: linux-image-2.6.26-2-686
> Version: 2.6.26-17lenny2
> Severity: critical
> Tags: security
> Justification: root security hole
>
> Hi,
>
> according to http://www.debian.org/security/2009/dsa-1862 this Version of the 2.6.26-2 Kernel should not be vulnerable to CVE-2009-2692. Unfortunately I'm still able to break my system:
>
> c...@server:~$ gcc exploit.c -o exploit
> c...@server:~$ ./exploit
> sh-3.2# id
> uid=0(root) gid=0(root) groups=115(wheel),1000(chs)
>
> I got the exploit from http://www.risesecurity.org/exploits/linux-sendpage.c
>
> Correct me if I got something wrong, but according to my understanding this shouldn't be possible with version 2.6.26-17lenny2.

I'm afraid this doesn't work on any of the systems I am running 2.6.26-17lenny2 on:

mi...@tern:~$ wget http://www.risesecurity.org/exploits/linux-sendpage.c
Saving to: `linux-sendpage.c'
100%[] 2009-09-03 19:01:43 (24.2 KB/s) - `linux-sendpage.c' saved [9380/9380]
mi...@tern:~$ gcc linux-sendpage.c -o exploit
mi...@tern:~$ ./exploit
sh-3.2$ id
uid=1001(micah) gid=1007(micah) groups=4(adm),20(dialout),33(www-data),100(users),1007(micah)

micah
Bug#527872: Me too
I just upgraded to awesome 3.3.1-1 and because it seemed like this was fixed, I decided to try a dbus restart, and was sad to find out it actually wasn't. So this is a me too.

micah
Bug#536452: rpm: please build-depend on libbeecrypt-dev
Hi Aníbal!

* Aníbal Monsalve Salazar ani...@debian.org [2009-07-09 21:20-0400]:
> util-vserver build-depends on libbeecrypt6-dev which will be removed from unstable in the near future.

Ok, thanks for the warning!

> The current beecrypt in unstable ships libbeecrypt-dev instead of libbeecrypt6-dev.

Hasn't hit my mirror yet, but I'll update the debian/control so the next upload will have it!

Micah
Bug#527065: util-vserver: diff for NMU version 0.30.216~r2772-6.1
Hi Andrew,

* Andrew Lee and...@linux.org.tw [2009-06-13 02:40-0400]:
> tags 527065 +patch
> thanks
>
> Dear maintainer,
>
> I've prepared an NMU for util-vserver (versioned as 0.30.216~r2772-6.1). And it will be uploaded to DELAYED/02. Please free to tell me if I should delay it longer.

I appreciate the help with the package, although typically a NMU is done after a patch is not being applied, so sending a patch and doing a 2-day NMU at the same time is a little aggressive. I'm also wondering how you can do this NMU because as far as I can tell you aren't yet a DD :)

I have been working on a new version of util-vserver to upload, with a newer snapshot, so I was delaying this fix until that was finished. However I can upload this fix to resolve the RC bug.

In any case, what would be even better than doing NMUs would be if you would join the Alioth team and help with the util-vserver packaging effort, it's an open team, although nobody has helped on it so far and I would appreciate the help!

Micah
Bug#527065: util-vserver: diff for NMU version 0.30.216~r2772-6.1
* Andrew Lee and...@linux.org.tw [2009-06-14 12:57-0400]:
> Hi Micah,
>
> Micah Anderson wrote:
>> Hi Andrew, I appreciate the help with the package, although typically a NMU is done after a patch is not being applied, so sending a patch and doing a 2-day NMU at the same time is a little aggressive. I'm also wondering how you can do this NMU because as far as I can tell you aren't yet a DD :)
>
> Sorry for the unclear message. I do not want aggressive. I just reproduce other DD does for NMU. Please let me know the proper way if I did this wrong. I guess you may smelled that I am in NM process so that my AM would sponsor the upload. :)

No problem at all. The bug is a RC bug and I have not reacted to it in a timely manner. Doing the NMU with a 2-day delay is fine, for this bug.

>> I have been working on a new version of util-vserver to upload, with a newer snapshot, so I was delaying this fix until that was finished. However I can upload this fix to resolve the RC bug.
>
> I see. My attention was to solve the RC bug for next point release. It would be great if you accept this NMU for me.

I've uploaded a new package with that fix, thanks for sending the patch!

>> In any case, what would be even better than doing NMUs would be if you would join the Alioth team and help with the util-vserver packaging effort, it's an open team, although nobody has helped on it so far and I would appreciate the help!
>
> Thanks for your invitation. I've sent the request on Alioth. Please update me for the new version of util-vserver with a newer snapshot via alioth.

I have accepted your request on Alioth.

micah
Bug#526173: clamav-milter: initscript fails to start, options are deprecated
Package: clamav-milter
Version: 0.95.1+dfsg-0volatile2
Severity: grave
Justification: renders package unusable

New rewrite of clamav-milter fails to hurl, instead of starting, dry heaves.

First all previous command-line options seem to have mysteriously disappeared and no documentation about where they went, or what they should be replaced by in the config file. Pretty much any command-line option causes milter to not start.

Second, initscript uses command-line options, so milter will not start without editing initscript to deal with --pidfile $PIDFILE $SOCKET in two locations.

micah

-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Bug#518198: [debpool] Bug#518198: One other missing dependency
* Magnus Holmgren holmg...@debian.org [2009-03-05 14:49-0500]:
> On Wednesday, 4 March 2009, Micah Anderson wrote:
>> The list of missing package dependencies is actually: libdigest-sha-perl, libarchive-tar-perl and liblinux-inotify2-perl
>
> I never got around to looking at Andres's changes, but I thought the intention was that at least libdigest-sha-perl and liblinux-inotify2-perl would be optional?

When I ran debpool it complained about those missing perl libraries, perhaps they are optional, but the complaints made me think otherwise.

micah
Bug#518198: debpool: Missing dependencies
Package: debpool
Version: 0.5.1
Severity: grave
Justification: renders package unusable

Missing dependencies on: libarchive-tar-perl and liblinux-inotify2-perl

micah

-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Bug#518198: One other missing dependency
The list of missing package dependencies is actually: libdigest-sha-perl, libarchive-tar-perl and liblinux-inotify2-perl
Bug#508397: dietlibc: Undefined symbol: umount2 on alpha and ia64
* Gerrit Pape [EMAIL PROTECTED] [2008-12-11 04:30-0500]:
> On Wed, Dec 10, 2008 at 04:11:14PM -0500, Micah Anderson wrote:
>> As it turns out dietlibc-0.31 doesn't properly define the umount2 symbols on two architectures: alpha and ia64. This sadly results in a build regression for util-vserver, which used to build on these architectures, but is refusing to build now. This is holding back an important transition of the package into Lenny. In other words, if this package cannot be built on alpha/ia64, then it will not be usable for most cases in Lenny due to the previous version not functioning properly in two important respects.
>
> Hi, I'm surprised. Not that I question that there's possibly a bug, but version 0.31-1 of dietlibc is in the archive since more than one year. I wonder why the util-vserver package needs such changes that late in the Debian release cycle.

Yeah, I was surprised too. However, it goes far up the chain... the newer kernels brought in some virtualization namespace changes, which only have begun to appear in the kernels that have now transitioned into Lenny. These new changes mean that util-vserver has to change the way it deals with unmounting and cleanup in the guest because the chroot barrier is being faded out in favor of the new namespaces and pivot_root.

> Anyway, I'm sorry, I currently don't have the time to look at it or even upload a new package, please NMU if you think that's the right thing.

Ok, I've been recruiting testers on different arches and just have mips, arm and sparc left to test before we are certain that the change works right.

thanks!

micah
Bug#508397: dietlibc: Undefined symbol: umount2 on alpha and ia64
Package: dietlibc Version: 0.31-1 Severity: grave Tags: patch Justification: renders package unusable Hi, As it turns out dietlibc-0.31 doesn't properly define the umount2 symbols on two architectures: alpha and ia64. This sadly results in a build regression for util-vserver, which used to build on these architectures, but is refusing to build now. This is holding back an important transition of the package into Lenny. In otherwords, if this package cannot be built on alpha/ia64, then it will not be usable for most cases in Lenny due to the previous version not functioning properly in two important respects. The buildlogs which demonstrate this problem are: alpha: http://buildd.debian.org/fetch.cgi?pkg=util-vserverver=0.30.216%7Er2772-5arch=alphastamp=1227907425file=log ia64: http://buildd.debian.org/fetch.cgi?pkg=util-vserverver=0.30.216%7Er2772-5arch=ia64stamp=1227907303file=log both complain, rightly: diet -Os gcc -Wall -g -O2 -std=c99 -Wall -pedantic -W -funit-at-a-time -o src/exec-remount src/exec-remount.o lib/libvserver.a src/exec-remount.o: In function `main': /build/buildd/util-vserver-0.30.216~r2772/src/exec-remount.c:110: undefined reference to `umount2' collect2: ld returned 1 exit status The solution to this is the attached patch, I believe. micah -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.26-1-vserver-686 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash dietlibc depends on no packages. dietlibc recommends no packages. Versions of packages dietlibc suggests: ii dietlibc-dev 0.31-1 diet libc - a libc optimized for s pn dietlibc-doc none (no description available) -- no debconf information --- a/syscalls.s/umount.S 9 Jan 2001 17:57:49 - 1.1 +++ b/syscalls.s/umount.S 10 Dec 2008 20:21:33 - 
@@ -1,3 +1,7 @@ #include syscalls.h +#if defined(__NR_oldumount) defined(__NR_umount) +syscall(oldumount,umount) +#else syscall(umount,umount) +#endif --- a/syscalls.s/umount2.S 4 Jan 2003 22:21:48 - 1.2 +++ b/syscalls.s/umount2.S 10 Dec 2008 20:21:33 - @@ -1,5 +1,7 @@ #include syscalls.h -#ifdef __NR_umount2 +#if defined(__NR_umount2) syscall(umount2,umount2) +#elif defined(__NR_oldumount) defined(__NR_umount) +syscall(umount,umount2) #endif
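Review bot: In both files the new conditions read `defined(__NR_oldumount) defined(__NR_umount)` with no operator between the two tests, which the preprocessor will reject; as shown they need `&&`. In umount2.S the new `#elif` branch maps `umount2` onto `__NR_umount`, which is only right if, wherever `__NR_oldumount` exists, `__NR_umount` is the call that takes the flags argument (the umount.S hunk implies this by routing `umount` to `oldumount` in the same case); a one-line comment stating that would help the next reader. The chain in umount2.S still ends without an `#else`, so an architecture that defines neither `__NR_umount2` nor both of the other two numbers gets no `umount2` symbol and fails only at link time in the caller, as util-vserver did; an `#error` there would surface the gap when dietlibc itself is built.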
Bug#506949: util-vserver: /proc Permisson denied errors in vservers (e.g. openssh-server, postfix unusable)
* Florian Sievers [EMAIL PROTECTED] [2008-11-26 05:35-0500]:
> Package: util-vserver
> Version: 0.30.216~r2772-4
> Severity: critical
> Justification: breaks unrelated software
>
> *** Please type your report below this line ***
>
> After updating to version 0.30.216~r2772-4 services like openssh or postfix stopped working. This is the output from the auth.log form one of my vservers:
>
> ---Debug output from auth.log---
> Nov 25 11:39:25 web sshd[13098]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
> Nov 25 11:39:25 web sshd[13091]: debug1: Forked child 13098.
> Nov 25 11:39:25 web sshd[13098]: error writing /proc/self/oom_adj: Permission denied
> Nov 25 11:39:25 web sshd[13098]: debug1: inetd sockets after dupping: 3, 3
> Nov 25 11:39:25 web sshd[13098]: Connection from 192.168.0.140 port 52076
> Nov 25 11:39:25 web sshd[13098]: debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-3
> Nov 25 11:39:25 web sshd[13098]: debug1: match: OpenSSH_5.1p1 Debian-3 pat OpenSSH*
> Nov 25 11:39:25 web sshd[13098]: debug1: Enabling compatibility mode for protocol 2.0
> Nov 25 11:39:25 web sshd[13098]: debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-3
> Nov 25 11:39:25 web sshd[13099]: fatal: chroot(/var/run/sshd): Operation not permitted
> Nov 25 11:39:25 web sshd[13099]: debug1: do_cleanup
> Nov 25 11:39:25 web sshd[13098]: debug1: do_cleanup
> --End of debug output--
>
> Same problems with postfix and dovecot. The chroot command on the console fails too.

For sshd, this appears to be because of UsePrivilegeSeparation being set to 'yes' in sshd config, which is the debian default along with SYS_CHROOT bcapability restricted by default in -4.

micah
Bug#506949: util-vserver: /proc Permisson denied errors in vservers (e.g. openssh-server, postfix unusable)
What kernel version and arch are you running? It looks like i686 from your bug report, but please verify. I'm on i686 with 2.6.26, and I am not able to replicate this.

Micah
Bug#501154: sympa: not supported by perl version in Lenny
> Micah Anderson wrote:
>> Package: sympa
>> Version: 5.3.4-5.2
>> Severity: grave
>> Justification: renders package unusable
>>
>> After installation of sympa, it tries to start the daemons, and the following errors are printed out for each of the daemons:
>>
>> Setting up sympa (5.3.4-5.2) ...
>> Starting Sympa mailing list manager: sympaPrototype mismatch: sub Lock::LOCK_SH () vs none at /usr/lib/sympa/bin/Lock.pm line 38.
>> Constant subroutine LOCK_SH redefined at /usr/lib/sympa/bin/Lock.pm line 38.
>> Prototype mismatch: sub Lock::LOCK_EX () vs none at /usr/lib/sympa/bin/Lock.pm line 39.
>> Constant subroutine LOCK_EX redefined at /usr/lib/sympa/bin/Lock.pm line 39.
>> Prototype mismatch: sub Lock::LOCK_NB () vs none at /usr/lib/sympa/bin/Lock.pm line 40.
>> Constant subroutine LOCK_NB redefined at /usr/lib/sympa/bin/Lock.pm line 40.
>> $* is no longer supported at /usr/lib/sympa/bin/sympa.pl line 162.
>>
>> I made these go away by commenting out:
>>
>> #sub LOCK_SH {1};
>> #sub LOCK_EX {2};
>> #sub LOCK_NB {4};
>>
>> in Lock.pm on line 38, I don't know if this causes any problems

* Olivier Salaün [EMAIL PROTECTED] [2008-10-06 03:19-0400]:
> The first problem (Constant subroutine LOCK_XX redefined) has already been fixed *4 months ago* in the development trunk as well as in the 5.4 stable branch, see http://sourcesup.cru.fr/cgi/viewvc.cgi/branches/sympa-5.4-branch/src/Lock.pm?r1=4922r2=5048

Great! I should have checked this before reporting it upstream.

>> The other error:
>>
>> $* is no longer supported at /usr/lib/sympa/bin/parser.pl line 63.
>>
>> Is not something I know how to fix, however I believe that this was deprecated by perl 5.10 as perldoc perlvar says:
>> [snip]
>> Which makes me think that maybe this should be changed to use the /m modifier, but I don't know what this particular function in sympa does.

* Olivier Salaün [EMAIL PROTECTED] [2008-10-06 03:19-0400]:
> You're right, we had already fixed similar code earlier but obviously forgot this one. We'll fix the problem ASAP in both trunk and 5.4 branch.
>
> If you don't mind, could you add an entry in Sympa's own tracking system : https://sourcesup.cru.fr/tracker/?group_id=23

Certainly, I'll add something right now. Sorry for the delay.

Micah
Bug#501154: sympa: not supported by perl version in Lenny
* Olivier Berger [EMAIL PROTECTED] [2008-10-06 04:45-0400]:
> On Monday, 6 October 2008 at 12:17 +0200, Olivier Salaün wrote:
>> Micah Anderson wrote:
>>> After installation of sympa, it tries to start the daemons, and the following errors are printed out for each of the daemons:
>>>
>>> Setting up sympa (5.3.4-5.2) ...
>>> Starting Sympa mailing list manager: sympaPrototype mismatch: sub Lock::LOCK_SH () vs none at /usr/lib/sympa/bin/Lock.pm line 38.
>
> SNIP
>
> FYI, I have merged with bug #483891 which had been filed already for that problem.

My apologies, I should have looked at older bugs to see if it was already filed.

>>> in Lock.pm on line 38, I don't know if this causes any problems
>>
>> The first problem (Constant subroutine LOCK_XX redefined) has already been fixed *4 months ago* in the development trunk as well as in the 5.4 stable branch, see http://sourcesup.cru.fr/cgi/viewvc.cgi/branches/sympa-5.4-branch/src/Lock.pm?r1=4922r2=5048
>
> And the corresponding bug was tagged as forwarded to http://sourcesup.cru.fr/tracker/index.php?func=detailaid=3953group_id=23atid=167 in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483891#11 ... ;-)

Great, and it looks like a new version of the package was uploaded to Debian with these patches applied. However, to get these into Lenny, a release exception will need to be requested through debian-release.

>>> The other error:
>>>
>>> $* is no longer supported at /usr/lib/sympa/bin/parser.pl line 63.

* Olivier Berger [EMAIL PROTECTED] [2008-10-06 04:45-0400]:
>> You're right, we had already fixed similar code earlier but obviously forgot this one. We'll fix the problem ASAP in both trunk and 5.4 branch.
>>
>> If you don't mind, could you add an entry in Sympa's own tracking system : https://sourcesup.cru.fr/tracker/?group_id=23
>>
>> Thanks.
>
> I'm not sure, but maybe this needs reopening http://sourcesup.cru.fr/tracker/index.php?func=detailaid=3953group_id=23atid=167 instead ?

This is the same URL as above (about Lock.pm), but this second issue has nothing to do with Lock.pm, but is about the use of '$*', so I think I'll open another bug.

Micah
Bug#501605: I cannot reproduce this
tag 501605 + unreproducible
thanks

I've just attempted to do an install of -6 myself and I did not get this error:

Setting up sympa (5.3.4-6) ...
Configuration file read, default log level 0
Sympa 5.3.4 started
Conf::checkfiles() creating spool /var/spool/sympa/automatic
Conf::checkfiles() creating spool /var/spool/sympa/topic
Conf::checkfiles() creating spool /var/spool/sympa/bounce
Conf::checkfiles() creating spool /var/spool/sympa/subscribe
Conf::checkfiles() creating spool /var/spool/sympa/distribute
Conf::checkfiles() creating spool /var/spool/sympa/msg/bad
Conf::checkfiles() creating spool /var/spool/sympa/distribute/bad
Conf::checkfiles() creating spool /var/spool/sympa/automatic/bad
Conf::checkfiles() Updating static CSS file /var/lib/sympa/static_content/css/style.css ; previous file renamed
Conf::checkfiles() Updating static CSS file /var/lib/sympa/static_content/css/print.css ; previous file renamed
Conf::checkfiles() Updating static CSS file /var/lib/sympa/static_content/css/fullPage.css ; previous file renamed
Conf::checkfiles() Updating static CSS file /var/lib/sympa/static_content/css/print-preview.css ; previous file renamed
Language::SetLang() Language::SetLang(), missing locale parameter
Upgrade process...
Upgrading from to 5.3.4...
Upgrade::upgrade() Upgrade::upgrade(, 5.3.4)
Upgrade::upgrade() Rebuilding config.bin files for ALL lists...it may take a while...
Upgrade::upgrade() Rebuilding the admin_table...
Upgrade::upgrade() Migrating templates to TT2 format...
Upgrade::upgrade() Rebuilding web archives...
Upgrade::upgrade() Initializing the new admin_table...
Upgrade::upgrade() Old web templates HTML structure is not compliant with latest ones.
Upgrade::upgrade() Moving old-style web templates out of the include_path...
Upgrade::upgrade() Cleaning buggy list config files...
Upgrade::upgrade() Rename archives/log. files...
Upgrade::upgrade() Updating the new robot_subscriber and robot_admin Db fields...
Upgrade::upgrade() Renaming web archive directories with the list domain...
Upgrade::upgrade() Updating subscribed field of the subscriber table...
Upgrade::upgrade() 0 rows have been updated
Upgrade::upgrade() Updating subscribed field of the subscriber table...
Upgrade::upgrade() 0 rows have been updated
Upgrade::upgrade() Updating subscribed field of the subscriber table...
Upgrade::upgrade() 0 rows have been updated
Upgrade::upgrade() Updating subscribed field of the subscriber table...
Upgrade::upgrade() 0 rows have been updated
Upgrade::upgrade() Renaming bounce sub-directories adding list domain...
Upgrade::upgrade() Update lists config using include_list parameter...
Upgrade::upgrade() Looking for customized mhonarc-ressources.tt2 files...
Upgrade::upgrade() Rebuilding web archives...
Upgrade::upgrade() Q-Encoding web documents filenames...
Upgrade::upgrade() Encoding all custom files to UTF-8...
Upgrade::upgrade() 0 files have been modified
Upgrade process finished.
Starting Sympa mailing list manager: sympa.
Starting Sympa mailing list archive manager: archived.
Starting Sympa task manager: task_manager.
Starting Sympa bounce manager: bounced.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done
Reading task descriptions... Done
Bug#496520: patch to resolve this
tags 496520 +patch
thanks

Hi,

Attached is a patch to fix this insecure tempfile usage in the code. I did not make the POD change, as I think that this doesn't qualify as an RC-exception (this doesn't mean it should not be fixed, just that justifying this change for a freeze-exception doesn't seem likely).

I am uploading this fix as there is a 0-day NMU policy for RC bugs, and this has been open for much longer than zero days.

Micah
Bug#501154: sympa: not supported by perl version in Lenny
Package: sympa
Version: 5.3.4-5.2
Severity: grave
Justification: renders package unusable

After installation of sympa, it tries to start the daemons, and the following errors are printed out for each of the daemons:

Setting up sympa (5.3.4-5.2) ...
Starting Sympa mailing list manager: sympaPrototype mismatch: sub Lock::LOCK_SH () vs none at /usr/lib/sympa/bin/Lock.pm line 38.
Constant subroutine LOCK_SH redefined at /usr/lib/sympa/bin/Lock.pm line 38.
Prototype mismatch: sub Lock::LOCK_EX () vs none at /usr/lib/sympa/bin/Lock.pm line 39.
Constant subroutine LOCK_EX redefined at /usr/lib/sympa/bin/Lock.pm line 39.
Prototype mismatch: sub Lock::LOCK_NB () vs none at /usr/lib/sympa/bin/Lock.pm line 40.
Constant subroutine LOCK_NB redefined at /usr/lib/sympa/bin/Lock.pm line 40.
$* is no longer supported at /usr/lib/sympa/bin/sympa.pl line 162.

I made these go away by commenting out:

#sub LOCK_SH {1};
#sub LOCK_EX {2};
#sub LOCK_NB {4};

in Lock.pm on line 38, I don't know if this causes any problems or not.

The other error:

$* is no longer supported at /usr/lib/sympa/bin/parser.pl line 63.

Is not something I know how to fix, however I believe that this was deprecated by perl 5.10 as perldoc perlvar says:

$* Set to a non-zero integer value to do multi-line matching within a string, 0 (or undefined) to tell Perl that it can assume that strings contain a single line, for the purpose of optimizing pattern matches. Pattern matches on strings containing multiple newlines can produce confusing results when $* is 0 or undefined. Default is undefined. (Mnemonic: * matches multiple things.) This variable influences the interpretation of only ^ and $. A literal newline can be searched for even when $* == 0.

Use of $* is deprecated in modern Perl, supplanted by the /s and /m modifiers on pattern matching.

Assigning a non-numerical value to $* triggers a warning (and makes $* act if $* == 0), while assigning a numerical value to $* makes that an implicit int is applied on the value.

Which makes me think that maybe this should be changed to use the /m modifier, but I don't know what this particular function in sympa does.

Due to the fact that the four daemons all produce these errors when sympa is started, and the effects of running code with unsupported perlisms and unresolved prototype mismatches makes me think that this version of sympa should not be released with Debian.

Micah

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-vserver-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sympa depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf-2.0] 1.5.23 Debian configuration management sy
ii dsyslog [system-log-daemon] 0.4.0 advanced modular syslog daemon
pn libarchive-zip-perl none (no description available)
ii libc6 2.7-13 GNU C Library: Shared libraries
pn libcgi-fast-perl none (no description available)
pn libcrypt-ciphersaber-perl none (no description available)
ii libdbd-mysql-perl 4.008-1 A Perl5 database interface to the
ii libdbi-perl 1.607-1 Perl5 database interface by Tim Bu
ii libfcgi-perl 0.67-2.1+b1 FastCGI Perl module
pn libintl-perl none (no description available)
ii libio-stringy-perl 2.110-4 Perl modules for IO from scalars a
ii libmailtools-perl 2.04-1 Manipulate email in perl programs
pn libmd5-perl none (no description available)
ii libmime-perl 5.427-1 transitional dummy package
ii libmime-tools-perl [libmime- 5.427-1 Perl5 modules for MIME-compliant m
pn libmsgcat-perl none (no description available)
pn libnet-ldap-perl none (no description available)
pn libtemplate-perl none (no description available)
ii libxml-libxml-perl 1.66-1+b1 Perl module for using the GNOME li
pn mhonarc none (no description available)
ii perl [libmime-base64-perl] 5.10.0-15 Larry Wall's Practical Extraction
pn perl-suid none (no description available)
ii postfix [mail-transport-agen 2.5.5-1.1 High-performance mail transport ag

Versions of packages sympa recommends:
ii doc-base 0.8.16 utilities to manage online documen
ii logrotate 3.7.1-4 Log rotation utility

Versions of packages sympa suggests:
ii apache2-mpm-prefork [httpd] 2.2.9-10 Apache HTTP Server -
Bug#498144: More information about this bug
-smime.$$ is created ## to store the signer certificat for step two. I known, that's durty. +my $temporary_file = /tmp/smime-sender..$$ ; -my $temporary_file = $Conf{'tmpdir'}./.'smime-sender.'.$$ ; my $trusted_ca_options = ''; $trusted_ca_options = -CAfile $Conf{'cafile'} if ($Conf{'cafile'}); $trusted_ca_options .= -CApath $Conf{'capath'} if ($Conf{'capath'}); diff -u sympa-5.3.4/debian/postinst sympa-5.3.4/debian/postinst --- sympa-5.3.4/debian/postinst +++ sympa-5.3.4/debian/postinst @@ -481,8 +481,4 @@ db_stop -## Upgrade sympa from previous version(s) if necessary. The upgrade script is smart enough to know -## if it needs to do anything or not -/usr/lib/sympa/bin/sympa.pl --upgrade - ## Other jobs #DEBHELPER# diff -u sympa-5.3.4/debian/changelog sympa-5.3.4/debian/changelog --- sympa-5.3.4/debian/changelog +++ sympa-5.3.4/debian/changelog @@ -1,13 +1,3 @@ -sympa (5.3.4-5.3) unstable; urgency=low - - * Non-maintainer upload. - * Fix insecure use of /tmp in sympa scripts by applying upstream -patch to tools.pl (Closes: #496520) - * Add the sympa.pl --upgrade procedure to the debian/postinst -to migrate existing installs (Closes: #498144) - - -- Micah Anderson [EMAIL PROTECTED] Sat, 04 Oct 2008 14:03:54 -0400 - sympa (5.3.4-5.2) unstable; urgency=low * Non-maintainer upload. signature.asc Description: Digital signature
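Review bot: The diff reads in reverse, so applying it as posted would undo the fix: in the tools.pl hunk the `+` line is the hard-coded `/tmp/smime-sender.` path and the `-` line is the `$Conf{'tmpdir'}` one, the postinst hunk removes the `sympa.pl --upgrade` call, and the changelog hunk deletes the 5.3.4-5.3 entry that announces both changes. Regenerate it with the old and new trees swapped. Separately, the `$Conf{'tmpdir'}` variant still builds the file name from `$$`, which is predictable; creating the file with File::Temp would close that as well.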
Bug#496520: Forgot to attach the patch
The patch wasn't attached to the bug, as I previously said it was. I'm attaching it to this email instead. This patch also contains a fix for #498144 (attached to that bug report as well). The upload has been sent to the 5-day delayed queue. Micah
Bug#501154: Patch adjustment
I've taken David's patch and removed the extraneous bits (substitutions done because of the build process, etc.), and attached the adjusted diff to this bug. Micah diff -u sympa-5.3.4/src/sympa.pl sympa-5.3.4/src/sympa.pl --- sympa-5.3.4/src/sympa.pl +++ sympa-5.3.4/src/sympa.pl @@ -159,7 +159,7 @@ $log_level = $main::options{'log_level'} if ($main::options{'log_level'}); -my @parser_param = ($*, $/); +my @parser_param = ($/); my %loop_info; my %msgid_table; @@ -890,7 +890,7 @@ my ($t_listname, $t_robot); # trying to fix a bug (perl bug ??) of solaris version - ($*, $/) = @parser_param; + ($/) = @parser_param; ## test ever if it is an old bad file if ($t_filename =~ /^BAD\-/i){ diff -u sympa-5.3.4/debian/changelog sympa-5.3.4/debian/changelog --- sympa-5.3.4/debian/changelog +++ sympa-5.3.4/debian/changelog @@ -1,3 +1,10 @@ +sympa (5.3.4-5.3) unstable; urgency=low + + * Non-maintainer upload. + * Updating to comply with current versions of Perl (Closes: #501154). + + -- David Moreno Garza [EMAIL PROTECTED] Sat, 04 Oct 2008 19:47:33 -0400 + sympa (5.3.4-5.2) unstable; urgency=low * Non-maintainer upload. only in patch2: unchanged: --- sympa-5.3.4.orig/src/Lock.pm +++ sympa-5.3.4/src/Lock.pm @@ -35,10 +35,10 @@ use Fcntl qw(LOCK_SH LOCK_EX LOCK_NB); use FileHandle; -sub LOCK_SH {1}; -sub LOCK_EX {2}; -sub LOCK_NB {4}; -sub LOCK_UN {8}; +sub LOCK_SH() {1}; +sub LOCK_EX() {2}; +sub LOCK_NB() {4}; +sub LOCK_UN() {8}; my %list_of_locks; my $default_timeout = 60 * 20; ## After this period a lock can be stolen only in patch2: unchanged: --- sympa-5.3.4.orig/src/parser.pl +++ sympa-5.3.4/src/parser.pl @@ -60,8 +60,8 @@ my ($old_index, $old_data) = ($index, $data); my @old_t = @t; -my @old_mode = ($*, $/); -($*, $/) = (0, \n); +my @old_mode = ($/); +($/) = (0, \n); my $old_desc; if (ref($output) eq 'ARRAY') { 
@@ -104,6 +104,6 @@ select $old_desc; } -($*, $/) = @old_mode; +($/) = @old_mode; ($index, $data) = ($old_index, $old_data); @t = @old_t; signature.asc Description: Digital signature
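Review bot: In the first parser.pl hunk the right-hand list was not shortened along with the left: `($/) = (0, \n);` now assigns the first element, 0, to `$/` and drops the newline, where the old line gave 0 to `$*` and the newline to `$/`. The new line should assign only the newline to `$/`.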
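Review bot: In the Lock.pm hunk, adding empty prototypes silences the mismatch but keeps local redefinitions of names that the context line already imports with `use Fcntl qw(LOCK_SH LOCK_EX LOCK_NB);`. Dropping the four `sub LOCK_*` lines and adding LOCK_UN to the Fcntl import list would remove the duplicate definitions and take the values from the platform instead of hard-coding 1, 2, 4 and 8.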
Bug#498671: This is not a bug
This isn't a bug at all, all the reasons cited aren't actually bugs.

> (1) It seems abandoned upstream — the last update is Feb 2003 according to CPAN.

That's not a bug, and doesn't make this package RC.

> (2) bug 443629 (CDATA handling) makes it useless for a large number of feeds, and worse even feeds that work now may break at any time — CDATA is standard XML, after all.

Each bug stands on its own. Don't file another bug to point at some other bug.

> (3) bug 443629 is not just a CDATA problem. It's actually a nearly-arbitrary regexp injection. e.g., f(?2)o{hello}/f(?2)o gives Reference to nonexistent group in regex; marked by -- HERE in m/f(?2) -- HERE o/ at /usr/share/perl5/XML/RSSLite.pm line 266. Thankfully, { and } are changed to spaces, so (?{code}) is not possible, so it's probably just a DoS attack (e.g., via exponential time regexp).

See above.

> (4) libxml-rsslite-perl has no reverse dependencies in lenny or sid. (5) popcon data:

Not really a bug either.

> Overall, the module isn't very widely used, is of questionable quality, is probably a security issue, is abandoned upstream, and I suggest doesn't belong in lenny.

If you wanted to file a removal request, that should be done another way, you've filed a bug that doesn't actually report any bug at all. Please do file an actual security bug, if there is one, but 'probably a security bug' isn't strong enough to file a bug.

I'm closing this bug, feel free to open a RM request, if you feel that's the correct way to go.

Micah
Bug#496624: util-vserver: missing dependency : schedutils (for ionice)
Hi,

* kaouete [EMAIL PROTECTED] [2008-08-26 01:40-0400]:
> Justification: no longer builds from source

Can you provide a build log showing this?

> It looks like the ionice binary is needed by the configure script. It is included in the schedutils package which is not a dependency of util-vserver.

There is no such package called 'schedutils', ionice is included in util-linux.

micah
Bug#496624: util-vserver: missing dependency : schedutils (for ionice)
* Victor NOEL [EMAIL PROTECTED] [2008-08-26 07:22-0400]:
>>> It looks like the ionice binary is needed by the configure script. It is included in the schedutils package which is not a dependency of util-vserver.
>> There is no such package called 'schedutils', ionice is included in util-linux.
> Like someone else said : I am on etch, so I guess this is the reason why it did not work.

Yes, you will need to adjust the build-dependencies to make it build properly on etch.

> If it is in util-linux and this package is a dependency of util-vserver, I guess this bug report should be closed :)

I'm closing it, thanks.

> Maybe the depends field can specify a minimum version of util-linux that contains ionice ?

This is not possible to do in etch, you maybe would prefer to wait until the package is available in backports.org.

> Next time I will check the dependencies more thoroughly :)

No problem,
micah
Bug#484479: Fails to start vservers (capget(): Invalid argument)
Hi,

Thanks for your bug report.

> some upgrade of util-vserver made all attempts to start vserver fail with:
>
> # vserver pmademo start
> capget(): Invalid argument
> capabilities are not enabled in kernel-setup
>
> Downgrading back to 0.30.214-6 the problem is gone (this is latest amd64 binary I found on snapshots.debian.net), but if I rebuild this version from source, I get exactly same error, so the problem might be actually caused by some statically linked code.

It seems like the buildds created the binaries against too new kernel headers that have the newest API and util-vserver doesn't support those. This is any kernel headers newer than 2.6.25. These typically are in /usr/include/linux and are from the package linux-libc-dev which currently is shipping at version 2.6.25-4.

This is a problem because we don't have alternative headers available for previous kernels so that I can do a build-dep, and util-vserver is happily building against headers that it can't support.

The util-vserver trunk can build against the newer headers, so maybe we can pull from there to resolve this.

micah
Bug#484479: Fails to start vservers (capget(): Invalid argument)
* Micah Anderson [EMAIL PROTECTED] [2008-06-04 13:08-0400]:
> The util-vserver trunk can build against the newer headers, so maybe we can pull from there to resolve this.

Hi,

I've applied a patch from upstream that I hope will solve this. Can you try this on your machine and let me know the results? You can pull the deb from:

http://people.debian.org/~micah/util-vserver

or if you would prefer to build it, you can get everything there, or pull it from svn and build it:

svn co svn+ssh://svn.debian.org/svn/pkg-vserver/util-vserver/trunk

I do not have an amd64 machine to test this, so your help would be appreciated!

Thanks,
Micah
Bug#484479: Fails to start vservers (capget(): Invalid argument)
* Michal Čihař [EMAIL PROTECTED] [2008-06-04 11:09-0400]:
> Hi
>
> On Wed, 4 Jun 2008 13:39:25 -0400 Micah Anderson [EMAIL PROTECTED] wrote:
>> I've applied a patch from upstream that I hope will solve this. Can you try this on your machine and let me know the results? You can pull the deb from:
>>
>> http://people.debian.org/~micah/util-vserver
>>
>> or if you would prefer to build it, you can get everything there, or pull it from svn and build it:
>>
>> svn co svn+ssh://svn.debian.org/svn/pkg-vserver/util-vserver/trunk
>>
>> I do not have an amd64 machine to test this, so your help would be appreciated!
>
> Sorry, but nothing has changed, still same error and behavior.
>
> ... After quick look at source package ...
>
> Because added patch is not being applied ;-). After fixing debian/patches/00list package works fine. Thanks for finding the patch.

Haha, oops. Thanks for testing and finding that. I'll add it to 00list and upload now.

Micah
Bug#477392: cupsys tries to overwrite /usr/lib/cups/daemon/cups-lpd which is also in package cupsys-bsd
Package: cupsys
Version: 1.3.7-1
Severity: serious

Doing an apt-get dist-upgrade today gave me this:

Unpacking replacement cupsys ...
dpkg: error processing /var/cache/apt/archives/cupsys_1.3.7-4_i386.deb (--unpack):
 trying to overwrite `/usr/lib/cups/daemon/cups-lpd', which is also in package cupsys-bsd
dpkg-deb: subprocess paste killed by signal (Broken pipe)
Starting Common Unix Printing System: cupsd.

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-3-vserver-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages cupsys depends on:
ii adduser 3.107 add and remove users and groups
ii cupsys-common 1.3.7-1 Common UNIX Printing System(tm) -
ii debconf [debconf-2.0] 1.5.21 Debian configuration management sy
ii ghostscript 8.62.dfsg.1-2 The GPL Ghostscript PostScript/PDF
ii ghostscript-x [gs-esp 8.62.dfsg.1-2 The GPL Ghostscript PostScript/PDF
ii gs-esp 8.62.dfsg.1-2 Transitional package
ii libavahi-compat-libdn 0.6.22-3 Avahi Apple Bonjour compatibility
ii libc6 2.7-10 GNU C Library: Shared libraries
ii libcupsimage2 1.3.7-1 Common UNIX Printing System(tm) -
ii libcupsys2 1.3.7-1 Common UNIX Printing System(tm) -
ii libdbus-1-3 1.2.1-1 simple interprocess messaging syst
ii libgnutls26 2.2.2-1 the GNU TLS library - runtime libr
ii libkrb53 1.6.dfsg.3~beta1-4 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.7-6.2 OpenLDAP libraries
ii libpam0g 0.99.7.1-6 Pluggable Authentication Modules l
ii libpaper1 1.1.23 library for handling paper charact
ii libslp1 1.2.1-7.2 OpenSLP libraries
ii lsb-base 3.2-10 Linux Standard Base 3.2 init scrip
ii perl-modules 5.8.8-12 Core Perl modules
ii procps 1:3.2.7-8 /proc file system utilities
ii ssl-cert 1.0.18 simple debconf wrapper for OpenSSL
ii xpdf-utils [poppler-u 3.02-1.3 Portable Document Format (PDF) sui

Versions of packages cupsys recommends:
ii avahi-utils 0.6.22-3 Avahi browsing, publishing and dis
ii cupsys-client 1.3.7-1 Common UNIX Printing System(tm) -
ii foomatic-filters 3.0.2-20080211-3 OpenPrinting printer support - fil
ii smbclient 1:3.0.28a-2 a LanManager-like simple client fo

-- debconf information:
cupsys/raw-print: true
cupsys/backend: ipp, lpd, parallel, scsi, serial, socket, usb, snmp, dnssd

-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#456996: Please send some info
Hi,

* intrigeri [EMAIL PROTECTED] [2008-04-08 03:09-0400]:
> When I upgraded a lenny system from 0.30.214-6 to 0.30.215-2, all my VServers were restarted without any warning.

Yes, this is because of the postrm in 0.30.214-6 stopping the vservers. This actually has been fixed, but if you had 0.30.214-6 installed, any upgrade to a newer version would cause this behavior. That package's postrm is broken and when you upgrade to a new package, that broken postrm is executed. Sadly, I could not fix the package that you actually have installed, but instead must provide you with a new package that has the fix, but you will experience the problem when you transition to the fixed package.

I can demonstrate as follows:

1. As you did, I have version 0.30.214-6 installed:

# apt-cache policy util-vserver
util-vserver:
  Installed: 0.30.214-6
  Candidate: 0.30.215-2

2. I have a vserver running:

# vserver-stat
CTX PROC VSZ RSS userTIME sysTIME UPTIME NAME
44 3 8.6M 2.6M 0m00s56 0m00s44 0m02s63 etch

3. I install util-vserver version 0.30.215-1 (using snapshot.d.n), and it will stop my running vserver, just as you experienced:

# apt-get install util-vserver=0.30.215-1
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  yum
The following packages will be upgraded:
  util-vserver
1 upgraded, 0 newly installed, 0 to remove and 253 not upgraded.
Need to get 513kB of archives.
After this operation, 147kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  util-vserver
Install these packages without verification [y/N]? y
Get:1 http://snapshot.debian.net pool/util-vserver util-vserver 0.30.215-1 [513kB]
Fetched 513kB in 3s (146kB/s)
Preconfiguring packages ...
(Reading database ... 265970 files and directories currently installed.)
Preparing to replace util-vserver 0.30.214-6 (using .../util-vserver_0.30.215-1_i386.deb) ...
Stopping vservers of type 'default'
Stopping all running Linux-VServer guests... Stopping etch: done
Unpacking replacement util-vserver ...
Setting up util-vserver (0.30.215-1) ...
Fixing visibility of /proc entries for Linux-VServer guests...done.
Starting Linux-VServers in background
# vserver-stat
CTX PROC VSZ RSS userTIME sysTIME UPTIME NAME
(nothing here).

4. Now I start the vserver again so that I can demonstrate that it will not be stopped when I install 0.30.215-2:

# vserver etch start
Starting system log daemon: syslogd.
Starting kernel log daemon: klogd.
Not starting internet superserver: no services enabled.
Starting OpenBSD Secure Shell server: sshd.
Starting periodic command scheduler: crond.
#

5. I install util-vserver=0.30.215-2, where you will see that the vserver is *not* stopped, thus the problem was actually fixed:

# apt-get install util-vserver=0.30.215-2
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  yum
The following packages will be upgraded:
  util-vserver
1 upgraded, 0 newly installed, 0 to remove and 253 not upgraded.
Need to get 513kB of archives.
After this operation, 0B of additional disk space will be used.
Get:1 ftp://debian.csail.mit.edu sid/main util-vserver 0.30.215-2 [513kB]
Fetched 513kB in 1s (407kB/s)
Preconfiguring packages ...
(Reading database ... 265996 files and directories currently installed.)
Preparing to replace util-vserver 0.30.215-1 (using .../util-vserver_0.30.215-2_i386.deb) ...
Unpacking replacement util-vserver ...
Setting up util-vserver (0.30.215-2) ...
Fixing visibility of /proc entries for Linux-VServer guests...done.
Starting Linux-VServers in background

6. Et voilà, the vserver is still running:

# vserver-stat
CTX PROC VSZ RSS userTIME sysTIME UPTIME NAME
44 3 8.6M 2.6M 0m00s10 0m00s36 2m32s36 etch

Does that make sense?

Micah
Bug#456996: Please send some info
* Kurt Roeckx [EMAIL PROTECTED] [2008-03-17 16:51-0400]:
> On Mon, Mar 17, 2008 at 12:41:38PM -0400, Micah Anderson wrote:
>> tag 456996 +moreinfo
>> thanks
>>
>> Hi, I'm trying to track down how this happened for you, can you please provide the following:
>
> If you want to reach me, it helps to send a mail to me. I just noticed that you closed it so I went looking at the bug log.
>
>> 1. the contents of your /etc/default/util-vserver
>> 2. the debconf value for util-vserver/prerm_stop_running_vservers
>> 3. the debconf value for util-vserver/start_on_boot
>>
>> I have not been able to replicate this yet, it may have been fixed in -6, I've tried setting these to all possible combinations, but I suppose I may have missed something.
>
> I guess you have been able to reproduce now? Do I still need to do anything?

I was able to finally reproduce it, no need to do anything, except install the new version to see if it solves the problem for you.

Micah
Bug#456996: Please send some info
tag 456996 +moreinfo
thanks

Hi, I'm trying to track down how this happened for you, can you please provide the following:

1. the contents of your /etc/default/util-vserver
2. the debconf value for util-vserver/prerm_stop_running_vservers
3. the debconf value for util-vserver/start_on_boot

I have not been able to replicate this yet, it may have been fixed in -6, I've tried setting these to all possible combinations, but I suppose I may have missed something.

Thanks,
Micah
Bug#429177: I will upload this for you
Due to the security nature of this fix (resolves 3 CVEs), I am going to upload this to the archive for you. I've changed the severity to high and will upload the package immediately, please use severity 'high' on all future security uploads. In the future it's probably best if there is a security issue in the package to ask someone in the debian testing team to sponsor your upload if you cannot.

> So that just leaves lenny, and it might be quicker just to wait the 10 days for it to be promoted from sid to lenny, than to do the work of backporting the XSS fix to 1.2.3.

> Lenny doesn't matter right now as part of security. This is not a remote code execution hence foot-dragging on my part. It is only a XSS that is specific to usage of some code in rails. There are ways a web application can treat all input data and sanitize it without relying on rails/ruby to do it with magic functions.

Actually, Lenny *does* matter in terms of security, that is the whole point of the testing security team.

Micah
Bug#445054: added NEWS.Debian information about this
I have added NEWS.Debian information about this change to the svn repository for the package. In order to fix this, please migrate to static context IDs, to do this simply stop your guest, echo a unique number to /etc/vservers/guest/context and then start your guest. Micah
Bug#444798: postinst removes conffiles
> The postinst script unconditionally removes /etc/vserver{,s}.conf on every configuration. Since the configuration is apparently preserved by sourcing the files and creating a symlink in place of their content, this is okay. However the package both includes and removes the conffile vservers.conf which is not allowed.

I've removed in svn the conffile from the package. The functionality has been provided by /etc/defaults/util-vserver.

> It's also not okay if VSERVERS_ROOT and VSERVER_ROOT aren't the only things that were ever specified in those files, or if something else *could* have been (legitimately?) added there. Preferably the files aren't removed if anything else is there:

If you can find a real world example of this, I'd love to hear it, but what you are talking about here is something like a potato migration to sarge, the oldest tarball I could find of util-vserver only had in this file things that have been moved to the defaults file.

> The same problem with these removals:
> |# Remove old startup scripts
> |rm -f /etc/init.d/vservers-legacy
> |rm -f /etc/init.d/vservers-default
> |rm -f /etc/init.d/vprocunhide
> |rm -f /etc/init.d/rebootmgr

These are startup scripts that have been rolled into one startup script, not configuration files.

> |rm -f /etc/default/util-vservere

This was a legacy mistake and never had anything in it.

> There's another problem too: removal of the symlinks isn't preserved: run.rev vdirbase

Can you be a little more specific about this issue in a separate bug report?

Micah
Bug#444572: Any word on this?
I haven't been able to install hpijs for over two weeks now (this bug is 18 days old alone), which is making printing really difficult :) Usually a binNMU doesn't take this long, is there another issue holding things up? Micah
Bug#432410: util-vserver: Please upload the package
* Raphael Hertzog [EMAIL PROTECTED] [070822 02:57]:
> Package: util-vserver
> Version: 0.30.213-1
> Followup-For: Bug #432410
>
> This bug is marked as pending. Can you upload it?

Unfortunately, I cannot because I am getting some build errors with the newer build suite in sid. Once these are worked out, I will be able to upload.

> A bin-nmu of this package has been scheduled to fix a problem related to symbol hashing (the package has been built with a bad version of gcc) and the bin-nmu failed due to this bug.

Can you say more about this?

> When sbuild has an alternative, IIRC it considers only the first choice which in that case was modutils. Simply removing the choice is the sensible thing to do since modutils is no more available...

Yes, this has been done in the repository some time ago.

Micah
Bug#432410: util-vserver - FTBFS: Build-depends on removed package: modutils
Ola,

The modutils package has been removed from sid and lenny as it is a package that supports 2.4 kernels, which are no longer a part of any Debian release (including Etch). Modutils functionality is now provided by module-init-tools, however I am not sure why it is needed for util-vserver, do you?

Additionally, the dependency is: modutils|module-init-tools so I am not sure why the build failed.

Micah

* Bastian Blank [EMAIL PROTECTED] [070709 12:55]:
> Package: util-vserver
> Version: 0.30.213-1+b1
> Severity: serious
>
> There was an error while trying to autobuild your package:
>
> Automatic build of util-vserver_0.30.213-1+b1 on lxdebian.bfinv.de by sbuild/s390 98
> [...]
> E: Package modutils has no installation candidate
> Package modutils is not available, but is referred to by another package.
> This may mean that the package is missing, has been obsoleted, or
> is only available from another source
> apt-get failed.
> Package installation failed
Bug#403661: torrentflux: fails to install with error code 10
Remi Vanicat wrote:
> 2006/12/19, Cameron Dale [EMAIL PROTECTED]:
>> On 12/18/06, Remi Vanicat [EMAIL PROTECTED] wrote:
>>> $ DEBCONF_DEBUG=developer dpkg --configure --pending
>>> Setting up torrentflux (2.1-7) ...
>>> debconf (developer): frontend started
>>> debconf (developer): frontend running, package name is torrentflux
>>> debconf (developer): starting /var/lib/dpkg/info/torrentflux.config configure
>>> debconf (developer): -- CAPB backup
>>> debconf (developer): -- 0 multiselect escape backup
>>> debconf (developer): -- REGISTER dbconfig-common/database-type torrentflux/database-type
>>> debconf (developer): -- 10 No such template, dbconfig-common/database-type
>>> dpkg: error processing torrentflux (--configure):
>>>  subprocess post-installation script returned error exit status 10
>>> Errors were encountered while processing:
>>>  torrentflux
>>
>> This is looking like a dbconfig-common problem to me, so I'm going to forward it to their list to see what they say. I'm having trouble reproducing this though. Could you describe what steps you took to get this error? Was dbconfig-common installed before installing torrentflux, or were they both in the same install?
>
> at the first installation (the one of 2.6) both were installed at the same time. But dbconfig-common has been installed with no problem, and I've tried to purge torrentflux and to reinstall it, and it failed.

I just created a sid chroot and attempted to install torrentflux, I did not encounter this problem. I tried a few different failure scenarios (mysql-client not available, mysql-server not installed, database password incorrect, database server not running) and they all worked fine.

micah
Bug#402679: backupninja: mysql handler overwrites existing backups even if mysqldump fails
Hi,

Joel Fuster wrote:
> Package: backupninja
> Version: 0.9.4-4
> Severity: critical
> Justification: causes serious data loss
>
> The mysql backup handler happily overwrites your existing sql.gz files with empty tarballs even in situations such as:
>
> 1) mysqldump does not exist
> 2) mysql is not running
>
> ...etc. This just bit me when #2 happened due to a crash in mysql which involved corrupted data. Fortunately I have multiple snapshots of the sql.gz files...
>
> It looks like this might only happen when you specify the names of the databases you wish to back up. Also, I have only tested this using the mysqldump method.

This only occurs when you specify databases and you have compress=no, mysqld isn't running or mysqldump doesn't exist. This is a pretty unique combination of events!

Backupninja is designed with the expectation that the backups that you are making of your databases are being backed up to another system or another disk using one of the handlers such as rdiff, duplicity, rsnap, dup, etc. It is expected that the mysqldumps that are made in your backup directory are not the end of the backup, but rather these are shipped off in the remainder of the process.

Although I agree it's a bad situation to be in to create a zero-byte mysql dump, I am hesitant to agree that this causes serious data loss. Using that logic, you could claim that backupninja causes serious data loss when you delete everything from your database and then you do a backup of an empty database, or likewise.

In any case, I don't like nasty backup surprises, so I've prepared a fix, and will ask the release managers to have this fix allowed into etch.

Thanks,
Micah
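The failure mode discussed in this message, as an added example that is not backupninja's handler code or the fix that was prepared: a dump is written to a temporary file and only renamed over the existing backup once the dump command has succeeded and produced data. The function name `safe_dump` and the stand-in commands used in place of mysqldump are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not backupninja's code): only replace an existing dump once
# the dump command has succeeded and actually produced data.

# safe_dump TARGET CMD [ARGS...]   (hypothetical helper name)
#   Runs CMD with stdout going to a temporary file beside TARGET, then renames
#   it over TARGET. Returns 0 on success, 1 if CMD failed or could not be run,
#   2 if CMD succeeded but wrote nothing. On 1 or 2 TARGET is left untouched.
safe_dump() {
    target=$1
    shift

    # mktemp creates the file mode 0600 in the same directory, so the final
    # rename stays on one filesystem and the dump is not world-readable.
    tmp=$(mktemp "${target}.XXXXXX") || return 1

    # Write straight to the temp file. In a `dump | gzip > file` pipeline the
    # status seen by the script is gzip's, so a failed dump looks successful.
    if ! "$@" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # A zero-byte result is treated as a failure, not as a valid backup.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 2
    fi

    mv -f "$tmp" "$target"
}

# Demonstration with constructed stand-ins for mysqldump, so it runs offline.
run_demo() {
    dir=$(mktemp -d) || return 1
    printf 'yesterday dump\n' > "$dir/db.sql"

    status=0
    safe_dump "$dir/db.sql" false || status=$?            # server not running
    echo "failed dump  -> status $status, file: $(cat "$dir/db.sql")"

    status=0
    safe_dump "$dir/db.sql" no-such-dump-tool 2>/dev/null || status=$?
    echo "missing tool -> status $status, file: $(cat "$dir/db.sql")"

    status=0
    safe_dump "$dir/db.sql" printf 'today dump\n' || status=$?
    echo "good dump    -> status $status, file: $(cat "$dir/db.sql")"

    rm -rf "$dir"
}

run_demo
```

In a real handler the command after the target would be the mysqldump invocation for one database; compression, if wanted, can be applied to the temporary file before the rename.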
Bug#400582: CVEs assigned
Hi Cameron and Stefan,

Stefan requested that I request CVE IDs for the torrentflux issues from Mitre, which I have done, please see below for these. It would be good to pass these upstream and include them in any changelogs that fix these issues that haven't been uploaded already.

micah

New torrentflux issue has come up, reference URL http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

Proposed text: A potential remote command execution has been found in torrentflux, a php-based torrent management software. Arbitrary code execution in metaInfo.php allows an authenticated user to execute remote shell commands on the server when $cfg[enable_file_priority] is set to 'false'.

I've created 4 candidates - 3 for the Secunia advisory published in November, and one for this particular issue. See below.

==
Name: CVE-2006-6328
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6328
Reference: MISC:http://www.milw0rm.com/exploits/2786
Reference: SECUNIA:22880
Reference: URL:http://secunia.com/advisories/22880
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

Directory traversal vulnerability in index.php for TorrentFlux 2.2 allows remote attackers to create or overwrite arbitrary files via sequences in the alias_file parameter.

==
Name: CVE-2006-6329
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6329
Reference: MISC:http://www.milw0rm.com/exploits/2786
Reference: SECUNIA:22880
Reference: URL:http://secunia.com/advisories/22880
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

index.php for TorrentFlux 2.2 allows remote attackers to delete files by specifying the target filename in the delfile parameter.

==
Name: CVE-2006-6330
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6330
Reference: MISC:http://www.milw0rm.com/exploits/2786
Reference: SECUNIA:22880
Reference: URL:http://secunia.com/advisories/22880
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582

index.php for TorrentFlux 2.2 allows remote registered users to execute arbitrary commands via shell metacharacters in the kill parameter.

==
Name: CVE-2006-6331
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6331
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23400582
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi/11_missed_security_fixes.dpatch?bug=400582;msg=71;att=1

metaInfo.php in TorrentFlux 2.2, when $cfg[enable_file_priority] is false, allows remote attackers to execute arbitrary commands via shell metacharacters (backticks) in the torrent parameter to details.php.
Bug#393285: Yep
Just wanted to agree with Moritz, I filed the bug to have it removed bug #390951. Micah