Bug#808216: Acknowledgement (debmirror: Debmirror seems to have problems with new SHA256 in Packages.diff/Index files)

2015-12-17 Thread Michael Bergbauer
Ah, don't write line numbers from memory: I'm talking of the sub 
fetch_and_apply_diffs, around lines 2435ff.


-- 
Michael Bergbauer <mich...@noname.franken.de>
Beijing, China



Bug#808216: debmirror: Debmirror seems to have problems with new SHA256 in Packages.diff/Index files

2015-12-17 Thread Michael Bergbauer
Package: debmirror
Version: 1:2.16
Severity: grave
Justification: renders package unusable

Hi *,

For a few days (Dec 09, to be exact, in GMT+8), my debmirror cronjob pulling
from ftp.us is running in an infinite loop - using up 100% of a core. After
having a closer look, it seems that the culprit code is in lines 2460ff with a
$_ value of e.g.  'SHA256-Current:
d4228ed8d1591732f9a3af33f4064c4e0d173d16218d12b930d1c5de3673d7ce39582357\n',
when parsing my .temp/dists/sid/main/binary-i386/Packages.diff/Index file.

As I see it, SHA256 hashes were added just on the day before (Dec 08) and the
code in lines 2460ff seems to not handle those hashes (at least as far as I
understand this at the moment).

Let me know if you need more information.

I'm opening this bug against the stable version, as this is the version that's
affected here and I don't see a changelog entry for later versions.

-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages debmirror depends on:
ii  bzip2   1.0.6-7+b3
pn  libdigest-md5-perl  
ii  liblockfile-simple-perl 0.208-1
ii  libnet-inet6glue-perl   0.603-1
ii  libwww-perl 6.08-1
ii  perl [libdigest-sha-perl]   5.20.2-3+deb8u1
ii  perl-modules [libnet-perl]  5.20.2-3+deb8u1
ii  rsync   3.1.1-3

Versions of packages debmirror recommends:
ii  ed 1.10-2
ii  gpgv   1.4.18-7
ii  patch  2.7.5-1

Versions of packages debmirror suggests:
ii  gnupg  1.4.18-7

-- no debconf information
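
An added example, not debmirror's code and not part of the report above: a Python parser for the Packages.diff/Index layout that handles every `<ALGO>-Current`, `-History` and `-Patches` field generically and consumes exactly one line per iteration, so an unfamiliar hash field cannot stall it. The three-column entry layout, the helper names and all sample values are assumptions constructed for illustration.

```python
import re

# Constructed sample in the Packages.diff/Index layout (shortened, made-up values).
SAMPLE_INDEX = """\
SHA1-Current: aaaa1111 1000
SHA1-History:
 bbbb2222 990 2015-12-07-1453.12
SHA1-Patches:
 dddd4444 1200 2015-12-07-1453.12
SHA256-Current: ffff6666 1000
SHA256-History:
 0000aaaa 990 2015-12-07-1453.12
SHA256-Patches:
 1111bbbb 1200 2015-12-07-1453.12
X-Future-Field: ignored
"""

FIELD = re.compile(r"^([A-Za-z0-9]+)-(Current|History|Patches):\s*(.*)$")

def _hash_size(parts, lineno):
    # Fail loudly on a malformed "<hash> <size>" pair instead of retrying the line.
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"line {lineno}: expected '<hash> <size>'")
    return parts[0], int(parts[1])

def parse_diff_index(text):
    """Parse all <ALGO>-Current/-History/-Patches blocks; skip unknown fields."""
    index, section = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):  # one line consumed per pass
        if line[:1] in (" ", "\t"):            # entry inside a History/Patches block
            if section is not None and line.strip():
                parts = line.split()
                if len(parts) != 3:
                    raise ValueError(f"line {lineno}: expected 3 columns")
                section[parts[2]] = _hash_size(parts, lineno)
            continue
        section = None                         # any header line ends the open block
        m = FIELD.match(line)
        if not m:
            continue                           # unknown field or blank line: skip it
        algo, kind, rest = m.group(1), m.group(2).lower(), m.group(3)
        entry = index.setdefault(algo, {"current": None, "history": {}, "patches": {}})
        if kind == "current":
            entry["current"] = _hash_size(rest.split(), lineno)
        else:
            section = entry[kind]
    return index

def preferred_algo(index, order=("SHA256", "SHA1")):
    # Pick the strongest digest family that the Index actually carries.
    return next((a for a in order if a in index), None)
```
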



Bug#315687: proftpd: Wrong permissions for ftp server

2005-06-24 Thread Michael Bergbauer
Package: proftpd
Version: 1.2.10-17
Severity: critical
Justification: root security hole

In the most recent (1.2.10-17) version of proftpd, the permissions used
by the daemon are somehow mixed up: both anonymous and authenticated
connections are mapped to uid 0/gid 0 in the filesystem. New files and 
directories are created with uid 0/gid 0 (instead of the ftp/nogroup for
anon connections resp. the authenticated user). 

In anon mode, you seem to be trapped in the anon environment and can't
delete files. 

With authenticated connections, you also get root access to the whole
system (visible to proftpd) and as your access is mapped to root/root,
you can delete everything you like (thus the critical severity, as this
opens root access to the ftp server's file system).

This bug was not reproducible on 1.2.10-16, I had to install 1.2.10-17.
The config file wasn't touched during the update to -17.


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i586)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.26
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages proftpd depends on:
ii  adduser         3.64          Add and remove users and groups
ii  debconf         1.4.51        Debian configuration management sy
ii  libc6           2.3.2.ds1-22  GNU C Library: Shared libraries an
ii  libpam0g        0.76-22       Pluggable Authentication Modules l
ii  libssl0.9.7     0.9.7g-1      SSL shared libraries
ii  libwrap0        7.6.dbs-8     Wietse Venema's TCP wrappers libra
ii  netbase         4.21          Basic TCP/IP networking system
ii  proftpd-common  1.2.10-17     Versatile, virtual-hosting FTP dae
ii  ucf             1.18          Update Configuration File: preserv

proftpd recommends no packages.

-- debconf information:
* shared/proftpd/anonymous: true
  shared/proftpd/run_inetd_or_standalone: standalone
* shared/proftpd/edit_conffile: false
* shared/proftpd/use_debconf: true
  shared/proftpd/anonymous_access: false
* proftpd/edit_conffile: true
  shared/proftpd/file_changed:
  shared/proftpd/warning:
* shared/proftpd/inetd_or_standalone: inetd
* proftpd/run_inetd_or_standalone: inetd
  shared/proftpd/replace_file_install: false
  shared/proftpd/sql_statements:
* proftpd/anonymous_access: true
  proftpd/sql_statements:

