Bug#1016963: u-boot on A20-MICRO
I was successfully able to install the SD image for stable and unstable (daily, with u-boot from 2023-01-18). Then I upgraded stable to testing and updated u-boot to 2023.01+dfsg1.

Arne
Bug#1020404: luakit: aborts at start
Moin,

begin quotation from Markus Demleitner (in <20220921185014.db6o56sxwieo3vnm@victor>):
> On Wed, Sep 21, 2022 at 11:36:08AM +0200, Arne Wichmann wrote:
> > Bail out! ERROR:common/util.c:67:strip_ansi_escapes: assertion failed (err
> > == NULL): Error while compiling regular expression
> > ?[\u001b\u009b][[()#;?]*(?:[0-9]{1,4}(?:;[0-9]{0,4})*)?[0-9A-ORZcf-nqry=><]?
> > at char 3: unrecognised character following \ (g-regex-error-quark, 103)
>
> Argl. That's quite certainly the upstream bug
> https://github.com/luakit/luakit/issues/1005

Thanks for making me notice that. ;) I will not comment there because I would have to create an account at Microsoft for this.

[...]
> luakit http://www.tfiu.de/log-escape.html |& cat
[...]
> Can you build from https://salsa.debian.org/debian/luakit.git and see
> whether the thing (a) builds and (b) whether luakit's log messages
> are b/w when filtered through cat as above?

... lots of warnings later...

(a) it builds
(b) the log messages are b/w

And it does not crash anymore, so I can use it until something newer is uploaded. Thanks again for the help.

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@saar.de)
Bug#1020404: luakit: aborts at start
Package: luakit
Version: 1:2.2.1-1
Severity: grave
Justification: renders package unusable

Luakit aborts saying:

Bail out! ERROR:common/util.c:67:strip_ansi_escapes: assertion failed (err == NULL): Error while compiling regular expression ?[\u001b\u009b][[()#;?]*(?:[0-9]{1,4}(?:;[0-9]{0,4})*)?[0-9A-ORZcf-nqry=><]? at char 3: unrecognised character following \ (g-regex-error-quark, 103)

-- System Information:
Debian Release: 11.1
  APT prefers testing
  APT policy: (90, 'testing'), (90, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.16 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages luakit depends on:
ii  libc6                               2.34-7
ii  libcairo2                           1.16.0-5
ii  libgdk-pixbuf2.0-0                  2.40.2-2
ii  libglib2.0-0                        2.73.3-3
ii  libgtk-3-0                          3.24.24-4+deb11u2
ii  libjavascriptcoregtk-4.0-18         2.36.7-1~deb11u1
ii  libluajit-5.1-2                     2.1.0~beta3+dfsg-5.3
ii  libpango-1.0-0                      1.50.9+ds-1
ii  libsoup2.4-1                        2.74.2-3
ii  libsqlite3-0                        3.34.1-3
ii  libwebkit2gtk-4.0-37                2.36.7-1~deb11u1
ii  lua-filesystem [lua5.1-filesystem]  1.8.0-1

luakit recommends no packages.

luakit suggests no packages.

-- no debconf information
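The assertion above comes from luakit's strip_ansi_escapes, whose job is to keep terminal control sequences in web-page output from reaching the user's terminal. GLib's GRegex rejects the pattern at the `\u` of `\u001b`; the byte-escape form `\x1b` is accepted by PCRE and by Python's re alike. The following is an added example written for this page, not luakit's code: it strips 7-bit and 8-bit CSI sequences, consumes OSC sequences whole (the form used to set a terminal title, whose body the regex quoted above would leave behind as plain text), and removes any other two-byte escape. The log lines are constructed for the demonstration.

```python
import re

# Constructed sample log lines (not from luakit): colored output, a cursor
# move, an OSC title-set sequence, and an 8-bit CSI introducer.
SAMPLE_LINES = [
    "\x1b[31mERROR\x1b[0m login failed for user bob",
    "\x1b[2J\x1b[Hscreen cleared by attacker-controlled input",
    "user=\x1b]0;owned\x07alice",
    "\x9b1mbold-via-8bit-CSI\x9b0m",
    "plain line without escapes",
]

# \x1b is accepted by PCRE (GLib GRegex) and Python's re alike, unlike \u001b.
# Alternatives are ordered so that CSI and OSC are consumed whole before the
# generic two-byte alternative gets a chance to match just "ESC [" or "ESC ]".
ANSI_ESCAPE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # 7-bit CSI: ESC [ params intermediates final
    r"|\x9b[0-?]*[ -/]*[@-~]"              # 8-bit CSI introducer (C1 0x9B)
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: ESC ] ... terminated by BEL or ESC \
    r"|\x1b[@-Z\\-_]"                      # any other two-byte Fe escape
)


def strip_ansi_escapes(text: str) -> str:
    """Remove terminal control sequences so logged text cannot drive the terminal."""
    return ANSI_ESCAPE.sub("", text)


def clean_lines(lines):
    """Apply strip_ansi_escapes to every line and return the cleaned list."""
    return [strip_ansi_escapes(line) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LINES, clean_lines(SAMPLE_LINES)):
        print(repr(before), "->", repr(after))
```

The character classes follow ECMA-48: parameter bytes 0x30-0x3F, intermediate bytes 0x20-0x2F, a final byte 0x40-0x7E. Dropping the OSC body matters because a title-setting sequence that survives only partially still leaves its payload in the output, which is what the luakit regex, matching only the introducer in that case, would do.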
Bug#990417: small C code snipplet to reproduce the error
In order to reproduce the error I took the code from here (also attached): https://gist.github.com/chergert/eb6149916b10d3bf094c and commented out the #include . and compiled it with

  gcc vdso-getcpu.c -ldl

Running the resulting a.out will crash on a s390x qemu guest, but not on a ppc64el guest. I hope this narrows the scope a bit.

  #include <stdio.h>
  #include <stdlib.h>
  //#include
  #include <dlfcn.h>

  int (*test_getcpu) (unsigned *cpu, unsigned *node, void *cache);

  /* Look the symbol up in whichever vDSO name the running kernel exports. */
  void *
  get_vdso_sym (const char *name)
  {
    static const char *vdso_names[] = {
      "linux-vdso.so.1",
      "linux-vdso32.so.1",
      "linux-vdso64.so.1",
      NULL
    };
    int i;

    for (i = 0; vdso_names [i]; i++)
      {
        void *lib;
        void *symbol;

        lib = dlopen (vdso_names [i], RTLD_NOW | RTLD_GLOBAL);
        if (lib == NULL)
          continue;

        symbol = dlsym (lib, name);
        if (symbol == NULL)
          goto cleanup;

        /* Guards against a NULL-valued data symbol; for a function symbol
           this merely reads the first word of its code. */
        if (*(void **)symbol == NULL)
          goto cleanup;

        return symbol;

      cleanup:
        dlclose (lib);
      }

    return NULL;   /* no vDSO provided the symbol */
  }

  int
  main (int argc, char *argv[])
  {
    int ret;
    unsigned cpu = 0;

    test_getcpu = get_vdso_sym ("__kernel_getcpu");   /* s390x / ppc64 name */
    if (test_getcpu == NULL)
      test_getcpu = get_vdso_sym ("__vdso_getcpu");   /* x86 name */
    if (test_getcpu == NULL)
      {
        fprintf (stderr, "no getcpu symbol found in the vDSO\n");
        return 1;
      }

    ret = test_getcpu (&cpu, NULL, NULL);
    printf ("ret = %d cpu = %u\n", ret, cpu);

    return 0;
  }
Bug#990417: openjdk-11-jre-headless: running java in qemu s390 gives a SIGILL at C [linux-vdso64.so.1+0x6f8] __kernel_getcpu+0x8
I installed on a debian stable/unstable x86_64 the vm with:

  sudo virt-install --name debian-s390x --disk size=20 --memory=2000 --arch=s390x --location http://ftp.debian.org/debian/dists/stretch/main/installer-s390x/

then I upgraded to stable (using stable for installation causes the new vm to freeze during install - another bug?) and installed the openjdk-11-jre-headless. Just executing the command

  /usr/lib/jvm/java-11-openjdk-s390x/bin/java

crashes. This is how to reproduce the bug.

This happens with debian stable/unstable on x86_64 as host and/or debian stable/unstable and ubuntu bionic/groovy as guest.

On Tuesday, 29.06.2021 at 10:01 +0200, Matthias Klose wrote:
> Control: reassign -1 src:qemu
>
> works for me on a native machine. You should also provide a test
> case.
>
> On 6/28/21 7:28 PM, Arne Plöse wrote:
> > Package: openjdk-11-jre-headless
> > Version: 11.0.11+9-1~deb10u1
> > Severity: grave
> > Justification: renders package unusable
> >
> > Dear Maintainer,
> >
> > I tried to run java in a qemu emulated s390 debian VM.
> > The bug affects also unstable and the openjdk versions 15, 16 and
> > 17, but not version 1.8
> >
> > The outcome is a hs_err_pid632.log.
> > #
> > # A fatal error has been detected by the Java Runtime Environment:
> > #
> > # SIGILL (0x4) at pc=0x03ff88c7e6f4, pid=587, tid=588
> > #
> > # JRE version: (11.0.11+9) (build )
> > # Java VM: OpenJDK 64-Bit Server VM (11.0.11+9-post-Debian-1deb10u1, mixed mode, sharing, tiered, compressed oops, g1 gc, linux-s390x)
> > # Problematic frame:
> > # C [linux-vdso64.so.1+0x6f8] __kernel_getcpu+0x8
> > #
> > # No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
> > #
> > #
> >
> > --- S U M M A R Y
> >
> > Command Line:
> >
> > Host: 2964, 2 cores, 1G, Debian GNU/Linux 10 (buster)
> > Time: Mon Jun 28 19:13:29 2021 CEST elapsed time: 0.099756 seconds (0d 0h 0m 0s)
> >
> > --- T H R E A D ---
> >
> > Current thread is native thread
> >
> > Stack: [0x03ff8748,0x03ff8758], sp=0x03ff8757e940, free space=1018k
> > Native frames: (J=compiled Java code, A=aot compiled Java code, j=interpreted, Vv=VM code, C=native code)
> > C [linux-vdso64.so.1+0x6f8] __kernel_getcpu+0x8
> >
> > siginfo: si_signo: 4 (SIGILL), si_code: 5 (ILL_PRVOPC), si_addr: 0x03ff88c7e6f4
> >
> > -- System Information:
> > Debian Release: 10.10
> >   APT prefers stable-updates
> >   APT policy: (500, 'stable-updates'), (500, 'stable')
> > Architecture: s390x
> >
> > Kernel: Linux 4.19.0-17-s390x (SMP w/2 CPU cores)
> > Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
> > Shell: /bin/sh linked to /bin/dash
> > Init: systemd (via /run/systemd/system)
> > LSM: AppArmor: enabled
> >
> > Versions of packages openjdk-11-jre-headless depends on:
> > ii  ca-certificates-java  20190405
> > ii  java-common           0.71
> > ii  libasound2            1.1.8-1
> > ii  libc6                 2.28-10
> > ii  libcups2              2.2.10-6+deb10u4
> > ii  libfontconfig1        2.13.1-2
> > ii  libfreetype6          2.9.1-3+deb10u2
> > ii  libgcc1               1:8.3.0-6
> > ii  libharfbuzz0b         2.3.1-1
> > ii  libjpeg62-turbo       1:1.5.2-2+deb10u1
> > ii  liblcms2-2            2.9-3
> > ii  libnss3               2:3.42.1-1+deb10u3
> > ii  libpcsclite1          1.8.24-1
> > ii  libstdc++6            8.3.0-6
> > ii  util-linux            2.33.1-0.1
> > ii  zlib1g                1:1.2.11.dfsg-1
> >
> > openjdk-11-jre-headless recommends no packages.
> >
> > Versions of packages openjdk-11-jre-headless suggests:
> > pn  fonts-dejavu-extra
> > pn  fonts-indic
> > pn  fonts-ipafont-gothic
> > pn  fonts-ipafont-mincho
> > pn  fonts-wqy-microhei | fonts-wqy-zenhei
> > pn  libnss-mdns
> >
> > -- no debconf information
Bug#990417: openjdk-11-jre-headless: running java in qemu s390 gives a SIGILL at C [linux-vdso64.so.1+0x6f8] __kernel_getcpu+0x8
Package: openjdk-11-jre-headless
Version: 11.0.11+9-1~deb10u1
Severity: grave
Justification: renders package unusable

Dear Maintainer,

I tried to run java in a qemu emulated s390 debian VM.
The bug affects also unstable and the openjdk versions 15, 16 and 17, but not version 1.8

The outcome is a hs_err_pid632.log.
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGILL (0x4) at pc=0x03ff88c7e6f4, pid=587, tid=588
#
# JRE version: (11.0.11+9) (build )
# Java VM: OpenJDK 64-Bit Server VM (11.0.11+9-post-Debian-1deb10u1, mixed mode, sharing, tiered, compressed oops, g1 gc, linux-s390x)
# Problematic frame:
# C [linux-vdso64.so.1+0x6f8] __kernel_getcpu+0x8
#
# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
#

--- S U M M A R Y

Command Line:

Host: 2964, 2 cores, 1G, Debian GNU/Linux 10 (buster)
Time: Mon Jun 28 19:13:29 2021 CEST elapsed time: 0.099756 seconds (0d 0h 0m 0s)

--- T H R E A D ---

Current thread is native thread

Stack: [0x03ff8748,0x03ff8758], sp=0x03ff8757e940, free space=1018k
Native frames: (J=compiled Java code, A=aot compiled Java code, j=interpreted, Vv=VM code, C=native code)
C [linux-vdso64.so.1+0x6f8] __kernel_getcpu+0x8

siginfo: si_signo: 4 (SIGILL), si_code: 5 (ILL_PRVOPC), si_addr: 0x03ff88c7e6f4

-- System Information:
Debian Release: 10.10
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: s390x

Kernel: Linux 4.19.0-17-s390x (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openjdk-11-jre-headless depends on:
ii  ca-certificates-java  20190405
ii  java-common           0.71
ii  libasound2            1.1.8-1
ii  libc6                 2.28-10
ii  libcups2              2.2.10-6+deb10u4
ii  libfontconfig1        2.13.1-2
ii  libfreetype6          2.9.1-3+deb10u2
ii  libgcc1               1:8.3.0-6
ii  libharfbuzz0b         2.3.1-1
ii  libjpeg62-turbo       1:1.5.2-2+deb10u1
ii  liblcms2-2            2.9-3
ii  libnss3               2:3.42.1-1+deb10u3
ii  libpcsclite1          1.8.24-1
ii  libstdc++6            8.3.0-6
ii  util-linux            2.33.1-0.1
ii  zlib1g                1:1.2.11.dfsg-1

openjdk-11-jre-headless recommends no packages.

Versions of packages openjdk-11-jre-headless suggests:
pn  fonts-dejavu-extra
pn  fonts-indic
pn  fonts-ipafont-gothic
pn  fonts-ipafont-mincho
pn  fonts-wqy-microhei | fonts-wqy-zenhei
pn  libnss-mdns

-- no debconf information
Bug#795014: mpd fails to start because of a symbol mismatch with libadplug-2.2.1.so.0
Same problem here on Debian unstable.

mpd: symbol lookup error: mpd: undefined symbol: _ZN7CAdPlug7factoryERKSsP4CoplRK8CPlayersRK13CFileProvider
Bug#785326: libavcodec56: CVE-2014-7937 - Multiple off-by-one errors in libavcodec/vorbisdec.c
[reformatted]

begin quotation from Sebastian Ramacher (in <20150518184906.ga22...@ramacher.at>):
> On 2015-05-18 20:01:47, Alessandro Ghedini wrote:
> > On Sat, May 16, 2015 at 03:43:37PM +0200, Alessandro Ghedini wrote:
> > > On Sat, May 16, 2015 at 03:07:57PM +0200, Sebastian Ramacher wrote:
> > > > On 2015-05-15 15:22:28, Alessandro Ghedini wrote:
> > > > > On Fri, May 15, 2015 at 11:05:17AM +0200, Sebastian Ramacher wrote:
> > > > > > On 2015-05-14 20:41:15, Arne Wichmann wrote:
> > > > > > > Hi, as far as I can see this has not yet been reported or fixed:
> > > > > > >
> > > > > > > CVE-2014-7937 : Multiple off-by-one errors in
> > > > > > > libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in
> > > > > > > Google Chrome before 40.0.2214.91, allow remote attackers to
> > > > > > > cause a denial of service (use-after-free) or possibly
> > > > > > > have unspecified other impact via crafted Vorbis I data [1]
> > > > > > >
> > > > > > > I marked this as grave as the impact is unclear and might
> > > > > > > include arbitrary code execution. Feel free to downgrade if
> > > > > > > this can be ruled out.
> > > > > > >
> > > > > > > (Actually I would like to have a look at the test case to
> > > > > > > check a bit more thoroughly, but AFAICS I would need to talk
> > > > > > > to google for this.)
> > > > > > >
> > > > > > > [1] https://security-tracker.debian.org/tracker/CVE-2014-7937
> > > > > > >
> > > > > > > https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html
> > > > > >
> > > > > > A similar commit to the one maintained in this mailing list
> > > > > > post was applied to 11.3. So closing with that version.
> > > > >
> > > > > Do you mean the patch at [0]? Honestly it doesn't look like the
> > > > > ffmpeg patch at all, and the commit message doesn't even mention
> > > > > the bug fix. How can you be so sure that the bug is fixed?
> > > >
> > > > I might have read the commit wrong. Do you have a sample for this CVE?
> > >
> > > Unfortunately the reproducer isn't public. I contacted
> > > ffmpeg-security about it, I'll keep you posted.
> >
> > I got the reproducer from ffmpeg and it seems that libav in sid isn't
> > affected like Sebastian said. So yeah, this bug should stay closed. I
> > don't know if the patch linked above is what fixed the issue though.
>
> Great! Thank you for checking.

I am not amused about the closedness with which this was handled - but I am very sure that you are not to blame for this.

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#785326: libavcodec56: CVE-2014-7937 - Multiple off-by-one errors in libavcodec/vorbisdec.c
begin quotation from Sebastian Ramacher (in <20150516130757.ga21...@ramacher.at>):
> On 2015-05-15 15:22:28, Alessandro Ghedini wrote:
> > On Fri, May 15, 2015 at 11:05:17AM +0200, Sebastian Ramacher wrote:
> > > Version: 6:11.3-1
> > >
> > > On 2015-05-14 20:41:15, Arne Wichmann wrote:
> > > > Package: libavcodec56
> > > > Version: 6:11.3-2
> > > > Severity: grave
> > > > Tags: security
> > > > Justification: user security hole
> > > >
> > > > Hi, as far as I can see this has not yet been reported or fixed:
> > > >
> > > > CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in
> > > > FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow
> > > > remote attackers to cause a denial of service (use-after-free) or possibly
> > > > have unspecified other impact via crafted Vorbis I data [1]
> > > >
> > > > I marked this as grave as the impact is unclear and might include arbitrary
> > > > code execution. Feel free to downgrade if this can be ruled out.
> > > >
> > > > (Actually I would like to have a look at the test case to check a bit more
> > > > thoroughly, but AFAICS I would need to talk to google for this.)
> > > >
> > > > [1] https://security-tracker.debian.org/tracker/CVE-2014-7937
> > > > https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html
> > >
> > > A similar commit to the one maintained in this mailing list post was applied to
> > > 11.3. So closing with that version.
> >
> > Do you mean the patch at [0]? Honestly it doesn't look like the ffmpeg patch at
> > all, and the commit message doesn't even mention the bug fix. How can you be so
> > sure that the bug is fixed?
>
> I might have read the commit wrong. Do you have a sample for this CVE?

There is one referenced in various messages relating to CVE-2014-7937:

asan_heap-uaf_18dac2b_9_asan_heap-uaf_22eb375_208_beta3_test_small.ogg

unfortunately it is not publicly available AFAICS. You might ask upstream about it.

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#785326: libavcodec56: CVE-2014-7937 - Multiple off-by-one errors in libavcodec/vorbisdec.c
Package: libavcodec56
Version: 6:11.3-2
Severity: grave
Tags: security
Justification: user security hole

Hi, as far as I can see this has not yet been reported or fixed:

CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data [1]

I marked this as grave as the impact is unclear and might include arbitrary code execution. Feel free to downgrade if this can be ruled out.

(Actually I would like to have a look at the test case to check a bit more thoroughly, but AFAICS I would need to talk to google for this.)

[1] https://security-tracker.debian.org/tracker/CVE-2014-7937
https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html

cu
AW

-- System Information:
Debian Release: stretch/sid
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.7-ckt9 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libavcodec56 depends on:
ii  libavresample2         6:11.3-2
ii  libavutil54            6:11.3-2
ii  libc6                  2.19-18
ii  libgsm1                1.0.13-4
ii  libmp3lame0            3.99.5+repack1-7
ii  libopenjpeg5           1:1.5.2-3
ii  libopus0               1.1-2
ii  libschroedinger-1.0-0  1.0.11-2.1
ii  libspeex1              1.2~rc1.2-1
ii  libtheora0             1.1.1+dfsg.1-6
ii  libva1                 1.5.1-2
ii  libvorbis0a            1.3.4-2
ii  libvorbisenc2          1.3.4-2
ii  libvpx1                1.3.0-3
ii  libx264-142            2:0.142.2431+gita5831aa-1+b2
ii  libx265-43             1.5-1
ii  libxvidcore4           2:1.3.3-1
ii  multiarch-support      2.19-18
ii  zlib1g                 1:1.2.8.dfsg-2+b1

libavcodec56 recommends no packages.

libavcodec56 suggests no packages.

-- no debconf information
Bug#774643: can't cast Hash to text
Hi

There still seem to be some problems with stored configs, in a test deployment I have the following minimal node manifest:

define foo($params) {
}

node 'test.adm.easyconnect.no' {
  @@foo {'bar':
    params => {foo => 1, bar => 2}
  }
}

We use this kind of pattern in quite a few places where it would be inconvenient to flatten it before exporting, and it works fine on wheezy.

The first run of the agent works fine, and the following value is written to the database:

{"foo"=>"1", "bar"=>"2"}

The second (and third, fourth, ...) run fails:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: can't cast Hash to text

Enabling as much debug as I know how to on the master it logs this on the first (successful) run:

Notice: Compiled catalog for test.adm.easyconnect.no in environment vagrant in 1.20 seconds
Info: Caching catalog for test.adm.easyconnect.no
Debug: Searched for resources in 0.01 seconds
Debug: Searched for resource params and tags in 0.00 seconds
Debug: Resource removal in 0.00 seconds
Debug: Resource merger in 0.00 seconds
Debug: Added resources(initialization) in 0.01 seconds
Debug: Added resources(parameters) in 0.01 seconds
Debug: Added resources(tags) in 0.02 seconds
Debug: Resource addition in 0.06 seconds
Debug: Performed resource comparison in 0.06 seconds
Debug: Using cached facts for test.adm.easyconnect.no
Info: Caching node for test.adm.easyconnect.no

While for the second run:

Info: Caching node for test.adm.easyconnect.no
Notice: Compiled catalog for test.adm.easyconnect.no in environment vagrant in 0.03 seconds
Info: Caching catalog for test.adm.easyconnect.no
Debug: Searched for resources in 0.01 seconds
Debug: Searched for resource params and tags in 0.00 seconds
Debug: Resource removal in 0.00 seconds
Error: can't cast Hash to text

Agent version doesn't seem to matter, I've tried both 2.7 and 3.7. Master is on 3.7.2-3 from jessie.

-- 
Knut Arne Bjørndal, Tekniker
Easy Connect AS - http://1890.no
E-post: knut.arne.bjorn...@easyconnect.no
Bug#773610: libapache2-svn: apache2 restart failed: mod_dav_svn.so: undefined symbol: dav_svn__new_error
Package: libapache2-svn
Version: 1.6.17dfsg-4+deb7u7
Severity: grave
Justification: renders package unusable

The wheezy-security upload breaks libapache2-svn in exactly the same way as the previous upload 1.6.17dfsg-4+deb7u5, which was fixed in 1.6.17dfsg-4+deb7u6, see bug number 741314 for more details.

service apache2 start
[ ok ] Starting web server: apache2.
apache2: Syntax error on line 244 of /etc/apache2/apache2.conf: Syntax error on line 2 of /etc/apache2/mods-enabled/dav_svn.load: Cannot load /usr/lib/apache2/modules/mod_dav_svn.so into server: /usr/lib/apache2/modules/mod_dav_svn.so: undefined symbol: dav_svn__new_error

Arne Nordmark

-- System Information:
Debian Release: 7.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
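Both the mpd report above (undefined _ZN7CAdPlug7factory... at startup) and this mod_dav_svn report (undefined dav_svn__new_error at module load) are the same failure class: a rebuilt library or a security upload changes the set of exported symbols, and the consumer only finds out when the dynamic linker resolves the symbol, in the worst case after the old service has already been stopped. The following is an added example written for this page, not code from mpd, Subversion or Apache: it loads a shared object with RTLD_NOW, which forces every undefined symbol to be resolved immediately rather than lazily at first call, and then checks that the symbols a consumer requires are actually exported. The helper libc_name and the symbol names passed in the demonstration are chosen here for illustration.

```python
import ctypes
import ctypes.util
import os


def preflight_shared_object(path, required_symbols=()):
    """Load `path` with RTLD_NOW and confirm it exports `required_symbols`.

    RTLD_NOW makes the dynamic linker resolve every undefined symbol at load
    time, so an unresolved reference surfaces here as an OSError whose text
    names the symbol ("undefined symbol: ..."), instead of as a lazy-binding
    "symbol lookup error" at some later call. Returns (ok, message).
    """
    try:
        handle = ctypes.CDLL(path, mode=os.RTLD_NOW)
    except OSError as exc:  # missing file, missing dependency, or unresolved symbol
        return False, f"load failed: {exc}"
    # CDLL raises AttributeError for a symbol dlsym() cannot find.
    missing = [name for name in required_symbols if not hasattr(handle, name)]
    if missing:
        return False, "missing symbols: " + ", ".join(missing)
    return True, "ok"


def libc_name():
    """Illustrative helper: the C library is the one shared object every host has.

    find_library() returns e.g. 'libc.so.6' on glibc; None makes CDLL open the
    main program's own global namespace, which also resolves libc symbols.
    """
    return ctypes.util.find_library("c")


if __name__ == "__main__":
    checks = [
        (libc_name(), ["printf"]),                  # present: loads, symbol found
        (libc_name(), ["dav_svn__new_error"]),      # the symbol Apache could not find
        ("/nonexistent/mod_dav_svn.so", []),        # file missing: load fails
    ]
    for target, symbols in checks:
        ok, message = preflight_shared_object(target, symbols)
        print(f"{target!s:32} {symbols!s:28} -> {ok} ({message})")
```

Run this against the new library or plugin from a maintenance window before restarting the service that uses it. For an Apache module the process that loads mod_dav_svn.so must already have mod_dav's own symbols available, so the equivalent check there is `apache2ctl configtest`, which processes the LoadModule lines and reports the same `Cannot load ... undefined symbol` error shown above without taking the running server down.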
Bug#755781: mysql-server-5.5 fails to start after security upgrade from 5.5.37-0+wheezy1 to 5.5.38-0+wheezy1
Hi Enrico,

for me, upgrade was w/o problems.

> Jul 23 10:11:45 debian mysqld: 140723 10:11:45 InnoDB: Initializing buffer pool, size = 128.0M
> Jul 23 10:11:45 debian mysqld: InnoDB: mmap(137363456 bytes) failed; errno 12
> Jul 23 10:11:45 debian mysqld: 140723 10:11:45 InnoDB: Completed initialization of buffer pool
> Jul 23 10:11:45 debian mysqld: 140723 10:11:45 InnoDB: Fatal error: cannot allocate memory for the buffer pool

Your logs indicate you ran out of memory ;-)

# perror 12
OS error code  12:  Cannot allocate memory

-- 
Regards(); return "Arne Rusek";
Bug#739580: does not run
I am not at home right now, I will have to wait 10 days or so.

Greetings from Holland,
Arne

On Sunday, February 23, 2014 6:24 PM, Laurent Bigonville wrote:

Hi,

Could you be a little bit more precise on what's happening? The window is not shown and that's all?

Could you maybe try to run gnome-system-monitor in strace and/or gdb to see what the process is doing?

I definitely cannot reproduce this here.

Cheers,

Laurent Bigonville
Bug#739580: does not run
Package: gnome-system-monitor
Version: 3.10.2-2
Severity: grave

# gnome-system-monitor
glibtop: Non-standard uts for running kernel: release 3.12-1-amd64=3.12.0 gives version code 199680

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnome-system-monitor depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.18.0-1
ii  libc6                                        2.17-97
ii  libcairo2                                    1.12.16-2
ii  libgcc1                                      1:4.8.2-15
ii  libgdk-pixbuf2.0-0                           2.30.4-1
ii  libglib2.0-0                                 2.38.2-5
ii  libglibmm-2.4-1c2a                           2.36.2-1
ii  libgtk-3-0                                   3.10.7-1
ii  libgtkmm-3.0-1                               3.8.1-1
ii  libgtop2-7                                   2.28.5-2
ii  libpango-1.0-0                               1.36.0-1+b1
ii  libpangocairo-1.0-0                          1.36.0-1+b1
ii  librsvg2-2                                   2.40.0-1
ii  libsigc++-2.0-0c2a                           2.2.11-3
ii  libstdc++6                                   4.8.2-15
ii  libsystemd-login0                            204-7
ii  libwnck-3-0                                  3.4.7-1

Versions of packages gnome-system-monitor recommends:
ii  gvfs  1.16.3-2

gnome-system-monitor suggests no packages.

-- no debconf information
Bug#739031: invoke-rc.d: unknown initscript, /etc/init.d/dictd not found.
Package: dict-freedict-eng-rus
Version: 2014.02.02-1
Severity: serious

Preparing to unpack .../dict-freedict-eng-rus_2014.02.02-1_all.deb ...
Unpacking dict-freedict-eng-rus (2014.02.02-1) ...
Setting up dict-freedict-eng-rus (2014.02.02-1) ...
invoke-rc.d: unknown initscript, /etc/init.d/dictd not found.
dpkg: error processing package dict-freedict-eng-rus (--configure):
 subprocess installed post-installation script returned error exit status 100
Errors were encountered while processing:
 dict-freedict-eng-rus

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

dict-freedict-eng-rus depends on no packages.

dict-freedict-eng-rus recommends no packages.

Versions of packages dict-freedict-eng-rus suggests:
pn  dict | opendict | kdict | gnome-dictionary
pn  dictd | serpento

-- no debconf information
Bug#738973: invoke-rc.d: unknown initscript, /etc/init.d/dictd not found.
Package: dict-freedict-nld-deu
Version: 2014.02.02-1
Severity: grave

Preparing to unpack .../dict-freedict-nld-deu_2014.02.02-1_all.deb ...
Unpacking dict-freedict-nld-deu (2014.02.02-1) ...
Setting up dict-freedict-nld-deu (2014.02.02-1) ...
invoke-rc.d: unknown initscript, /etc/init.d/dictd not found.
dpkg: error processing package dict-freedict-nld-deu (--configure):
 subprocess installed post-installation script returned error exit status 100
Errors were encountered while processing:
 dict-freedict-nld-deu

Other dict-freedict packages also.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

dict-freedict-nld-deu depends on no packages.

dict-freedict-nld-deu recommends no packages.

Versions of packages dict-freedict-nld-deu suggests:
pn  dict | opendict | kdict | gnome-dictionary
pn  dictd | serpento

-- no debconf information
Bug#738572: libav-tools: CVE-2011-3935
Package: libav-tools
Version: 6:9.11-1
Severity: grave
Tags: security
Justification: user security hole

Hi...

As far as I can see, CVE-2011-3935 [1] applies to libav-tools. As the descriptions for the problem are a bit low on information I use a high severity - feel free to lower it if that is not appropriate.

A fix for ffmpeg is at [2].

[1] https://security-tracker.debian.org/tracker/CVE-2011-3935
[2] http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=668494acd8b20f974c7722895d4a6a14c1005f1e

cu
AW

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12.9 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages libav-tools depends on:
ii  dpkg                   1.17.6
ii  libavcodec54           6:9.11-1
ii  libavdevice53          6:9.10-2
ii  libavfilter3           6:9.10-2
ii  libavformat54          6:9.11-1
ii  libavresample1         6:9.11-1
ii  libavutil52            6:9.11-1
ii  libbz2-1.0             1.0.6-5
ii  libc6                  2.17-97
ii  libgnutls26            2.12.23-10+b1
ii  libgsm1                1.0.13-4
ii  libmp3lame0            3.99.5+repack1-3
ii  libopenjpeg2           1.3+dfsg-4.7+b1
ii  libopus0               1.1-1
ii  librtmp0               2.4+20121230.gitdf6c518-1
ii  libschroedinger-1.0-0  1.0.11-2
ii  libsdl1.2debian        1.2.15-8
ii  libspeex1              1.2~rc1.1-1
ii  libswscale2            6:9.11-1
ii  libtheora0             1.1.1+dfsg.1-3.1
ii  libva1                 1.2.1-2
ii  libvorbis0a            1.3.2-1.3
ii  libvorbisenc2          1.3.2-1.3
ii  libvpx1                1.3.0-2
ii  libx264-133            2:0.133.2339+git585324f-2+b1
ii  libxvidcore4           2:1.3.2-9
ii  zlib1g                 1:1.2.8.dfsg-1

libav-tools recommends no packages.

Versions of packages libav-tools suggests:
pn  frei0r-plugins

-- no debconf information
Bug#726578: Ping: pwgen: Multiple vulnerabilities in passwords generation
Thank you for reacting quickly!

begin quotation from Theodore Ts'o (in <20140112234500.ga15...@thunk.org>):
> On Sun, Jan 12, 2014 at 09:27:14PM +0100, Arne Wichmann wrote:
> > This grave problem is now open for more than two months. Is there any plan
> > to resolve this?
>
> First, the CVE about having the unavailability of /dev/random fail
> hard -- sure, that should be a separate bug since that's a fix that I
> think is reasonable at this point. We can now guarantee that
> /dev/random exists everywhere. (And by that same token, if an
> attacker can cause /dev/random not to be present, they probably have
> root, so you're probably toast anyway. So I don't think it's going to
> really improve things to remove the drand() fallback, but I don't have
> strong feelings about that.) So you might clone a new bug for this...
>
> Secondly, I'll note that one of the CVE's was rejected as not a
> vulnerability. (In general it would have been better to have opened
> separate bugs for each CVE.)

Different maintainers have different preferences here - I will note that you want separate bugs (as we do for a number of other packages).

> Finally, whether you think the other two CVE's justify this to be
> serious, let alone "grave" bug really depends on what you think the
> goals of pwgen are. To quote from the manual page:

This is your decision - we try to use a fitting severity for every problem, but sometimes the cases are not so clear.

> The pwgen program generates passwords which are designed to be easily
> memorized by humans, while being as secure as possible. Human-memorable
> passwords are never going to be as secure as completely random
> passwords. In particular, passwords generated by pwgen without the -s
> option should not be used in places where the password could be
> attacked via an off-line brute-force attack. On the other hand,
> completely randomly generated passwords have a tendency to be written
> down, and are subject to being compromised in that fashion.
>
> So we could change the defaults to be "pwgen -csy 20", in which case
> you would get passwords like this:
>
> L}U@lc_~i^>n|ro!4uI- 1`;yXlYVMW%?E9)3A&7G **}6BoBu=!~3)y?3v]Or
> >=>:PC;H?E7*+6$c&-QH URGgjUNG[\dSw\>p7F-] _AXZ~(HYd8Q#%b>!]'u:
> ~)0
>
> I'm not sure that would be an improvement, as simply no one would use
> them.
>
> OK, how about this? (Generated using pwgen -s).
>
> vQ6uwkMk lSswO2MB tA8dYPpl KU1pQ2Xh 2XfxRyrC Za2xKx7h psPwHZ0c dOsC0JBX
> JY3udA9c t6LzoiUq M0jR3AoS GOHkNE7G TeThsZz1 6cVi4ayY Poe4hPj7 o2a7OpPC
> Xh24cRLO 1chQyseV 6c2k0O3B OkdgRxy4 K6Vc4JY2 ylO3IE9B gVvNxw6B 7wjcOXwF
>
> Again, this will make the professional paranoids happy (although
> perhaps not as happy as ">=>:PC;H?E7*+6$c&-QH"), but it's not clear that
> real users would be any less likely to write "ylO3IE9B" on a sticky
> note which is pasted to their monitor, or just in a "passwords" file
> in their home directory.

I do not have a really good idea on how to handle this. Some ideas come to mind, mostly inspired by [1]:
- Improve the algorithm to be less biased. Though I see that would not be easy.
- Warn about the bias
- Use -s as default

[2] suggests that there is a patch out there, but I have not yet looked at it.

> So ultimately, a lot of this is about an argument over defaults, and I
> think the higher level problem is that no matter what password policy
> you use, passwords are doomed as a technology. Anything which is
> secure against a brute force attack is impossible for a user to use,
> unless they share passwords across multiple sites so they only have to
> remember one password such as "ylO3IE9B" --- at which point they get
> toast once some web site screws up in some way and gets penetrated by
> bad guys.

I see the point, but that does not make the problem go away, and in many cases you do not have so much of a choice, so the program does still have its points.

CVE-2013-4440 has an easy fix, doesn't it?

[1] http://www.openwall.com/lists/oss-security/2012/01/19/24
[2] http://marc.info/?l=oss-security&m=138015793928431&w=2

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
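The two technical points the exchange above turns on, bias in how random bytes become password characters and what the generator does when the system CSPRNG is unavailable, are made measurable below. This is an added example, not pwgen's code and not part of the bug thread; the 62-symbol alphabet, the function names and the `byte % 62` mapping are this example's own assumptions and do not describe pwgen's algorithm.

```python
"""Added example, not pwgen's code and not from the bug thread: two
properties of a password generator that the discussion above turns on,
made measurable on a 62-symbol alphabet.

1. Bias: mapping a random byte onto the alphabet with `byte % 62` is not
   uniform, because 256 is not a multiple of 62. Rejection sampling is.
2. Fail closed: draw randomness from the OS CSPRNG only; os.urandom()
   raises when no source is available rather than degrading to a
   non-cryptographic PRNG such as drand48().
The alphabet, function names and the modulo mapping are this example's own
assumptions, not pwgen's algorithm.
"""
import math
import os
import secrets
from collections import Counter
from typing import Optional

# Constructed alphabet: the 62 alphanumerics a password tool typically uses.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def modulo_pick(byte: int, alphabet: str = ALPHABET) -> str:
    """Biased: 256 = 4*62 + 8, so the first 8 symbols are produced by 5 byte
    values each and the remaining 54 symbols by only 4."""
    return alphabet[byte % len(alphabet)]


def rejection_pick(byte: int, alphabet: str = ALPHABET) -> Optional[str]:
    """Unbiased: reject byte values at or above the largest multiple of
    len(alphabet) that fits in a byte (248 for 62), otherwise reduce."""
    n = len(alphabet)
    limit = 256 - (256 % n)
    if byte >= limit:
        return None  # caller draws another byte
    return alphabet[byte % n]


def symbol_counts(pick) -> Counter:
    """How many of the 256 byte values map to each symbol under `pick`."""
    counts: Counter = Counter()
    for b in range(256):
        symbol = pick(b)
        if symbol is not None:
            counts[symbol] += 1
    return counts


def max_min_ratio(counts: Counter) -> float:
    """1.0 means every symbol is equally likely."""
    return max(counts.values()) / min(counts.values())


def bits_per_symbol(counts: Counter) -> float:
    """Shannon entropy of the symbol distribution; log2(62) ~= 5.954 when uniform."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def nominal_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Keyspace of a uniformly generated password of the given length."""
    return length * math.log2(len(alphabet))


def generate(length: int, alphabet: str = ALPHABET) -> str:
    """Uniform password from the OS CSPRNG. secrets.choice() rejection-samples
    internally and is backed by os.urandom(), which raises NotImplementedError
    if the platform offers no random source: no silent fallback."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_rejection(length: int, alphabet: str = ALPHABET) -> str:
    """Same result built by hand from os.urandom() bytes, to show the
    rejection loop explicitly."""
    out = []
    while len(out) < length:
        symbol = rejection_pick(os.urandom(1)[0], alphabet)
        if symbol is not None:
            out.append(symbol)
    return "".join(out)
```

On this alphabet the modulo bias is small (the most likely symbol is 1.25 times as probable as the least likely, and the per-symbol entropy drops from 5.954 to about 5.950 bits), which is why such bias goes unnoticed until someone measures it; the pronounceable-phoneme structure that pwgen's default mode adds on top reduces the keyspace far more than that, which is what the `-s` recommendation in the quoted manual page is about.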
Bug#722540: Ping: CVE-2013-4289 CVE-2013-4290
Hi. Is there any progress on this bug? This grave issue is now open for three months.

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#726578: Ping: pwgen: Multiple vulnerabilities in passwords generation
Hi! This grave problem is now open for more than two months. Is there any plan to resolve this?

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#729615: akonadi-server: Akonadi Bug 325024
Quoting Lisandro Damián Nicanor Pérez Meyer:
> tag 729615 moreinfo
> thanks
>
> On Friday 15 November 2013 00:21:42 Arne Alder wrote:
> [snip]
> > since last full-upgrade i'm running into problems in kmail. First it looked
> > like just flashy folders and mails, but the log file said something different:
>
> Would you mind pointing me to the log file? Ie, I don't know to what log file
> you are referring to.

Sorry that I wasn't specific about that. I'm starting kmail as a user in an X session, so all the log output of kmail and akonadi* is written to ~/.xsession-errors.

Kind regards,
Arne.

-- 
Arne Alder
Linux Consultant
Mail: al...@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
Bug#729615: akonadi-server: Akonadi Bug 325024
Package: akonadi-server
Version: 1.10.2-2
Severity: grave
Tags: upstream patch
Justification: renders package unusable

Hello,

since last full-upgrade i'm running into problems in kmail. First it looked like just flashy folders and mails, but the log file said something different:

ASSERT failure in QueryBuilder::buildWhereCondition(): "No values given for IN condition.", file ../../server/src/storage/querybuilder.cpp, line 354

After that akonadiserver dies and gets restarted by akonadi_control (that's the reason why kmail is reloading all data).

I ddg'd for the bug and found it already solved four months ago:

akonadi bug report: http://mail.kde.org/pipermail/kdepim-bugs/2013-September/088179.html
bugfix: https://projects.kde.org/projects/kdesupport/akonadi/repository/revisions/d76aeb18fbc346e89481ce9b3157b4518e8485f7

Thanks,
Arne

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.11-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages akonadi-server depends on:
ii  akonadi-backend-mysql           1.10.2-2
ii  akonadi-backend-postgresql      1.10.2-2
ii  akonadi-backend-sqlite          1.10.2-2
ii  libakonadiprotocolinternals1    1.10.2-2
ii  libboost-program-options1.54.0  1.54.0-3
ii  libc6                           2.17-95
ii  libgcc1                         1:4.8.2-4
ii  libqt4-dbus                     4:4.8.5+git121-g2a9ea11+dfsg1-2
ii  libqt4-network                  4:4.8.5+git121-g2a9ea11+dfsg1-2
ii  libqt4-sql                      4:4.8.5+git121-g2a9ea11+dfsg1-2
ii  libqt4-xml                      4:4.8.5+git121-g2a9ea11+dfsg1-2
ii  libqtcore4                      4:4.8.5+git121-g2a9ea11+dfsg1-2
ii  libqtgui4                       4:4.8.5+git121-g2a9ea11+dfsg1-2
ii  libsoprano4                     2.9.4+dfsg-1
ii  libstdc++6                      4.8.2-4

akonadi-server recommends no packages.

Versions of packages akonadi-server suggests:
ii  akonadi-backend-mysql       1.10.2-2
ii  akonadi-backend-postgresql  1.10.2-2
ii  akonadi-backend-sqlite      1.10.2-2

-- no debconf information

-- 
Arne Alder
Linux Consultant
Mail: al...@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
Bug#728796: can not remove package
Package: yaws
Version: 1.97-1
Severity: serious

# dpkg -P --force all yaws
(Reading database ... 315953 files and directories currently installed.)
Removing yaws ...
Stopping yaws: invoke-rc.d: initscript yaws, action "stop" failed.
dpkg: error processing yaws (--purge):
 subprocess installed pre-removal script returned error exit status 1
Starting yaws: .. failed
Yaws web server.
Errors were encountered while processing:
 yaws

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.11-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages yaws depends on:
ii  adduser      3.113+nmu3
ii  erlang-yaws  1.97-2
ii  ssl-cert     1.0.33

yaws recommends no packages.

Versions of packages yaws suggests:
pn  yaws-chat
pn  yaws-doc
pn  yaws-mail
pn  yaws-wiki
pn  yaws-yapp

-- Configuration Files:
/etc/yaws/conf.avail/localhost-ssl.conf [Errno 13] Permission denied: u'/etc/yaws/conf.avail/localhost-ssl.conf'
/etc/yaws/conf.avail/localhost.conf [Errno 13] Permission denied: u'/etc/yaws/conf.avail/localhost.conf'
/etc/yaws/yaws.conf [Errno 13] Permission denied: u'/etc/yaws/yaws.conf'

-- no debconf information
Bug#712840: CVE-2013-1961 in tiff3 - fix for stable?
Hi! Is there any fix in stable for tiff3 planned?

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#717009: libavcodec53: CVEs CVE-2013-0844 to CVE-2013-0874, CVE-2013-3670, CVE-2013-3672, CVE-2013-3674
Package: libavcodec53
Version: 6:0.8.7-1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

I have here another series of CVEs for libav. Some of these are fixed, some of these I was not able to check. Those without comment were checked by me and seem valid - at least to me.

CVE-2013-0845
CVE-2013-0846
CVE-2013-0847 - vim '+/while (avio_tell(s->pb) < end' libavformat/id3v2.c
  The above command brings you to the suspected problem position in libav; the problem looks solved to me. This one is actually for libavformat, but I include it here for simplicity.
CVE-2013-0848 - I was not able to find the problem in libav
CVE-2013-0849 - fixed in experimental
CVE-2013-0850 - seems fixed in experimental
CVE-2013-0851
CVE-2013-0852
CVE-2013-0853
CVE-2013-0854 - fixed in experimental
CVE-2013-0855 - looks invalid as the problem is checked in alac_set_info
CVE-2013-0856
CVE-2013-0857
CVE-2013-0858 - I was not able to find the problem in libav
CVE-2013-0860 - I was not able to find the problem in libav
CVE-2013-0861
CVE-2013-0865 - fixed in experimental
CVE-2013-0866 - looks fixed. am I correct?
CVE-2013-0867 - I was not able to find the problem in libav
CVE-2013-0868
CVE-2013-0869 - looks fixed. am I correct?
CVE-2013-0870 - seems to be invalid - relevant code fragment is not present in libav
CVE-2013-0873 - looks fixed. am I correct?
CVE-2013-0874 - seems to be invalid - relevant code fragment is not present in libav
CVE-2013-3670 - looks valid - libav commits given in security tracker fix different things AFAICS
CVE-2013-3672
CVE-2013-3674

I hope these cases are a bit more well-defined than those I sent in January.

cu soon, hopefully,
AW

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.9.8 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages libavcodec53 depends on:
ii  libavutil51            6:0.8.7-1
ii  libc6                  2.17-7
ii  libdirac-encoder0      1.0.2-6
ii  libgsm1                1.0.13-4
ii  libmp3lame0            3.99.5+repack1-3
ii  libopenjpeg2           1.3+dfsg-4.6
ii  libschroedinger-1.0-0  1.0.11-2
ii  libspeex1              1.2~rc1-7
ii  libtheora0             1.1.1+dfsg.1-3.1
ii  libva1                 1.1.1-3
ii  libvorbis0a            1.3.2-1.3
ii  libvorbisenc2          1.3.2-1.3
ii  libvpx1                1.2.0-2
ii  libx264-123            2:0.123.2189+git35cf912-1
ii  libxvidcore4           2:1.3.2-9
ii  multiarch-support      2.17-7
ii  zlib1g                 1:1.2.8.dfsg-1

libavcodec53 recommends no packages.

libavcodec53 suggests no packages.

-- no debconf information
Bug#703071: CVE-2011-1187, CVE-2012-0475, CVE-2013-{0773,0775,0776,0780,0782,0783}
This grave bug is now open for more than a month with no action on it. Do you have any plans to do something about it or shall wheezy be released with arbitrary code executions in iceweasel?

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#703071: CVE-2011-1187, CVE-2012-0475, CVE-2013-{0773,0775,0776,0780,0782,0783}
Package: iceweasel
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for iceweasel. (I am aware that these are fixed in experimental, but they should also be fixed in testing and stable. If I can be of assistance please indicate so.)

CVE-2011-1187[0]:
| Google Chrome before 10.0.648.127 allows remote attackers to bypass
| the Same Origin Policy via unspecified vectors, related to an "error
| message leak."

CVE-2012-0475[1]:
| Mozilla Firefox 4.x through 11.0, Thunderbird 5.0 through 11.0, and
| SeaMonkey before 2.9 do not properly construct the Origin and
| Sec-WebSocket-Origin HTTP headers, which might allow remote attackers
| to bypass an IPv6 literal ACL via a cross-site (1) XMLHttpRequest or
| (2) WebSocket operation involving a nonstandard port number and an
| IPv6 address that contains certain zero fields.

CVE-2013-0773[2]:
| The Chrome Object Wrapper (COW) and System Only Wrapper (SOW)
| implementations in Mozilla Firefox before 19.0, Firefox ESR 17.x
| before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before
| 17.0.3, and SeaMonkey before 2.16 do not prevent modifications to a
| prototype, which allows remote attackers to obtain sensitive
| information from chrome objects or possibly execute arbitrary
| JavaScript code with chrome privileges via a crafted web site.

CVE-2013-0775[3]:
| Use-after-free vulnerability in the
| nsImageLoadingContent::OnStopContainer function in Mozilla Firefox
| before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before
| 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16
| allows remote attackers to execute arbitrary code via crafted web
| script.

CVE-2013-0780[4]:
| Use-after-free vulnerability in the
| nsOverflowContinuationTracker::Finish function in Mozilla Firefox
| before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before
| 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16
| allows remote attackers to execute arbitrary code or cause a denial of
| service (heap memory corruption) via a crafted document that uses
| Cascading Style Sheets (CSS) -moz-column-* properties.

CVE-2013-0782[5]:
| Heap-based buffer overflow in the nsSaveAsCharset::DoCharsetConversion
| function in Mozilla Firefox before 19.0, Firefox ESR 17.x before
| 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3,
| and SeaMonkey before 2.16 allows remote attackers to execute arbitrary
| code via unspecified vectors.

CVE-2013-0783[6]:
| Multiple unspecified vulnerabilities in the browser engine in Mozilla
| Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird
| before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey
| before 2.16 allow remote attackers to cause a denial of service
| (memory corruption and application crash) or possibly execute
| arbitrary code via unknown vectors.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1187
    http://security-tracker.debian.org/tracker/CVE-2011-1187
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0475
    http://security-tracker.debian.org/tracker/CVE-2012-0475
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0773
    http://security-tracker.debian.org/tracker/CVE-2013-0773
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0775
    http://security-tracker.debian.org/tracker/CVE-2013-0775
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0780
    http://security-tracker.debian.org/tracker/CVE-2013-0780
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0782
    http://security-tracker.debian.org/tracker/CVE-2013-0782
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0783
    http://security-tracker.debian.org/tracker/CVE-2013-0783

Please adjust the affected versions in the BTS as needed.

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#684889: CVE-2012-3480 - stable update?
Hi! Is there any plan to fix CVE-2012-3480 / #684889 in stable?

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#694483: CVEs: CVE-2012-2882 CVE-2012-5359 CVE-2012-5360 CVE-2012-5361
begin quotation from Reinhard Tartler (in ):
> Thanks for caring about security in libav. Sorry for the delay. I
> tried hard to gather additional information about these issues, but
> was not successful.

Yeah, the information politics of the reporters could be more open.

> On Mon, Nov 26, 2012 at 8:30 PM, Arne Wichmann wrote:
> >
> > I have here another series of CVEs for ffmpeg/libav:
> >
> > CVE-2012-2882
>
> Libav's ogg decoder is a bit different to the one in FFmpeg. Can you
> please provide a testfile so that we can test if this issue affects
> Libav at all?

I dug around for a bit and found commit 9e1c55cfdec1e1e46fa39b92ea5c425ba9499c68 for ffmpeg, which seems to address the issue. More effort will follow when I find the reserves for that.

> > CVE-2012-5359
> > CVE-2012-5360
> > CVE-2012-5361
> >
> > For the last 3 http://technet.microsoft.com/en-us/security/msvr/msvr12-017
> > claims that they are fixed in ffmpeg 0.11, but the available information on
> > all of them is a bit thin.
>
> Sorry, without proper information what's going on here, there is
> nothing that we can do about this. Again, please provide a sample that
> demonstrates the issue.

*nod* Same here.

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#694483: CVEs: CVE-2012-2882 CVE-2012-5359 CVE-2012-5360 CVE-2012-5361
Source: libav
Version: 0.8.4
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

I have here another series of CVEs for ffmpeg/libav:

CVE-2012-2882
CVE-2012-5359
CVE-2012-5360
CVE-2012-5361

For the last 3 http://technet.microsoft.com/en-us/security/msvr/msvr12-017 claims that they are fixed in ffmpeg 0.11, but the available information on all of them is a bit thin.

Thanks for all the good work!
AW

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.29 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Bug#688847: Unclear status of CVE-2012-2774 CVE-2012-2783 CVE-2012-2791 CVE-2012-2797 CVE-2012-2803 CVE-2012-2804
I just had a look at the above mentioned problems and I am a bit unsure about their status. As far as I can see the fixes are not applied, the status in http://security-tracker.debian.org/tracker/source-package/libav still lists these issues as open, but the bug is closed.

Are these problems real? Are they fixed?

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#677195: CVE-2012-2673 - still open in stable
Hi... This bug is still open in stable - is there any plan for a fix?

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#687925: diff for NMU version 1.4.20.2-10.1
2012/9/17 Ritesh Raj Sarraf:
> Hello Arne / Ross,
>
> This debian bug, 687925, is release critical for the OpenStack suite.
> OpenStack uses iscsitarget as its storage sub-module.
>
> As is explained in this bug report, the ietd daemon does not seem to be
> releasing the sparse files that it exposes to the initiator, even after
> the initiator has logged out the sessions.
>
> This fix, in revision 478, is not part of the stable 1.4.20 branch.
>
> Debian is in freeze now, and the iscsitarget version that will ship with
> Wheezy is the 1.4.20.2 stable branch.
>
> Is it safe to pick this one fix against the stable branch?

Ritesh,

It should be safe. ISTR that I didn't put it into the 1.4.20 stable branch immediately as I didn't get around to testing it against older kernels (< 2.6.35) back then. Exercising the steps outlined in [1] in a ubuntu 10.04.4 vm with 2.6.32-42-server with this patch in place didn't show any regressions, so I just cherry-picked and pushed it to our 1.4.20 branch as well.

HTH,
Arne

[1] https://bugs.launchpad.net/ubuntu/+source/iscsitarget/+bug/967984
Bug#684527: openssl: CVE-2011-5095 - The remote SSL/TLS server accepts a weak Diffie-Hellman public value
Package: openssl
Version: 0.9.8o-4squeeze13
Severity: grave
Tags: security
Justification: user security hole

openssl in squeeze (at least up to 0.9.8o-4squeeze13) is vulnerable to CVE-2011-5095 [1]. For reference you might have a look at [2] - the problem seems to be that fips/dh/fips_dh_key.c does not incorporate a fix in crypto/dh/dh_key.c, namely calling DH_check_pub_key, like in [3].

As far as I can see the problem is gone in 1.0.1c - but I leave this bug open for unstable/testing so that it can be double-checked by someone more versed in openssl.

[1] http://security-tracker.debian.org/tracker/CVE-2011-5095
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5095
[2] http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-5095.html
[3] http://cvs.openssl.org/chngview?cn=14375

cu
AW

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.23 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssl depends on:
ii  libc6        2.13-33
ii  libssl1.0.0  1.0.1c-3
ii  zlib1g       1:1.2.7.dfsg-13

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20120623

-- no debconf information
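The missing call the report above points at, DH_check_pub_key, is what stops a server from computing a shared secret against a degenerate peer value. The following is an added example, not OpenSSL's code and not part of the bug report: it writes out the same range and subgroup tests in Python on a constructed toy group so the failure cases are visible. The parameter values, function names and error strings are this example's own assumptions.

```python
"""Added example, not OpenSSL's code: the peer-public-value checks that
DH_check_pub_key() performs, written out in Python on a constructed toy
group so the failure cases can be seen directly.

A received DH public value y must satisfy 1 < y < p-1. Outside that range
the shared secret is forced to 1 or p-1 whatever our private key is. When
the subgroup order q is known, y**q mod p == 1 additionally rejects values
outside the intended prime-order subgroup. Parameter values, function names
and the error strings are this example's own assumptions.
"""
from typing import List, Optional

# Constructed toy group: p = 2q + 1 is a safe prime and g = 4 generates the
# order-q subgroup (4 is a quadratic residue mod 23). Far too small for real
# use; chosen so the arithmetic can be checked by hand.
P = 23
Q = 11
G = 4


def check_pub_key(p: int, y: int, q: Optional[int] = None) -> List[str]:
    """Return the reasons y is unacceptable; an empty list means it passed.
    Mirrors the range and subgroup tests of OpenSSL's DH_check_pub_key()."""
    errors = []
    if y <= 1:
        errors.append("pub_key too small")
    if y >= p - 1:
        errors.append("pub_key too large")
    if q is not None and not errors and pow(y, q, p) != 1:
        errors.append("pub_key not in prime-order subgroup")
    return errors


def raw_shared_secret(p: int, peer_pub: int, priv: int) -> int:
    """DH computation with no validation, to show what a weak y does."""
    return pow(peer_pub, priv, p)


def shared_secret(p: int, peer_pub: int, priv: int, q: Optional[int] = None) -> int:
    """Validated DH computation: refuse weak peer values before exponentiating."""
    problems = check_pub_key(p, peer_pub, q)
    if problems:
        raise ValueError("rejected peer public value: " + ", ".join(problems))
    return raw_shared_secret(p, peer_pub, priv)


def accepts(p: int, y: int, q: Optional[int] = None) -> bool:
    """Convenience predicate: True when y passes every check."""
    return not check_pub_key(p, y, q)


if __name__ == "__main__":
    # Walk the interesting values: below range, the two degenerate ends,
    # a value outside the order-q subgroup, and two valid ones.
    for y in (0, 1, 2, 4, 5, P - 1, P):
        print(y, check_pub_key(P, y, Q) or "ok")
```

With y = 1 the raw secret is always 1, and with y = p-1 it is 1 or p-1 depending only on whether the private exponent is even or odd, which is exactly the "weak Diffie-Hellman public value" the CVE title describes; the subgroup test needs q, which a plain p/g parameter set does not carry, so a code path that has only p and g can do no better than the range check.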
Bug#683929: Aw: Re: Bug#683929: systemd: Graphic acceleration only works for root
> I don't see how that makes the package as a whole unusable, but anyway.
> I'll leave that up to Tollef.

Point taken. (I thought it might be rather off-putting to users to see graphics break in a quite drastic way.)

> ..
> >> Versions of packages systemd recommends:
> >> pn libpam-systemd
> >> ...
>
> libpam-systemd is a Recommends, so installed by default. You should
> trust your package maintainers, unless you know what you are doing.

I do. Blindly. Too much so perhaps. Turns out this is a classical misunderstanding -- I understood that I _must not_ install _any_ version of libpam-systemd. Nevertheless I should have tried regardless.

Many thanks for sorting this out for me on a Sunday!
Bug#683929: systemd: Graphic acceleration only works for root
Package: systemd
Version: 44-4
Severity: grave
Justification: renders package unusable

Dear Maintainer,

*** Please consider answering these questions, where appropriate ***

* What led up to the situation?

Installation of systemd-sysv

* What exactly did you do (or not do) that was effective (or ineffective)?

Graphics falls back to unaccelerated GTK2 style desktop on DELL E6520 series laptop with nvidia graphic card. If startx is called from a root shell, graphics acceleration works. I.e. only root can use gnome-shell, all others get software rendering.

Reinstalling sysvinit restores accelerated graphics for all users.

-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages systemd depends on:
ii  dpkg                 1.16.8
ii  initscripts          2.88dsf-29
ii  libacl1              2.2.51-8
ii  libaudit0            1:1.7.18-1.1
ii  libc6                2.13-35
ii  libcap2              1:2.22-1.1
ii  libcryptsetup4       2:1.4.3-2
ii  libdbus-1-3          1.6.2-2
ii  libkmod2             9-1
ii  liblzma5             5.1.1alpha+20120614-1
ii  libpam0g             1.1.3-7.1
ii  libselinux1          2.1.9-5
ii  libsystemd-daemon0   44-4
ii  libsystemd-id128-0   44-4
ii  libsystemd-journal0  44-4
ii  libsystemd-login0    44-4
ii  libudev0             175-5
ii  libwrap0             7.6.q-24
ii  udev                 175-5
ii  util-linux           2.20.1-5.1

Versions of packages systemd recommends:
pn  libpam-systemd

Versions of packages systemd suggests:
ii  python        2.7.3-2
ii  python-cairo  1.8.8-1+b2
ii  python-dbus   1.1.1-1
ii  systemd-gui   44-4

-- no debconf information
Bug#663579: CVE-2012-1147 - Not on *nix
readfilemap.c is not compiled on *nix [1].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1147

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#670636: April security release - fixed in stable-security
fixed 670636 5.1.63-0+squeeze1
thanks

670636 is fixed in stable-security (shouldn't it really be closed now?)

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#483217: texlive-latex-base: 483217: status?
begin quotation from Norbert Preining (in <20120627143050.ge25...@gamma.logic.tuwien.ac.at>):
> On Mi, 27 Jun 2012, Arne Wichmann wrote:
> > Given that, the relevant files should be removed from debian, as they are
> > not DFSG-free. Am I wrong there?
>
> Yes you are.

Could you please enlighten me about my misunderstanding?

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#618968: Ping - netgen license problems
begin quotation from Francesco Poli (in <20120625215725.69523c3a3df0a27f62672...@paranoici.org>):
> On Mon, 25 Jun 2012 10:36:50 +0200 Arne Wichmann wrote:
>
> > So, at least as far as I can see, there are a number of things to be done
> > in various time frames:
> > - Alert enough people to the problem (via debian-user, messages in the
> > packaging, other mailing lists and similar means)
>
> I am not sure debian-user is the appropriate place for such a call for
> help...

Well, if you are trying to reach your users, this seems to be a possible vector to me.

> What do you mean by "messages in the packaging"?

At least I get mails by apt-listchanges... Other tactics may also be available - but I am not the epigon of debian packaging.

> As far as other mailing lists are concerned, I tried to see if other
> debian-legal participants could join me in this persuasion effort, but
> I unfortunately received no reply:

I do not think that debian-legal is a good starting point for a massive campaign.

> Maybe debian-science could be another appropriate mailing list, but I
> suspect that a good number of its participants are already aware of the
> issue, due to the various bug reports filed against packages maintained
> by the Debian Science team: #617613, #617931, and #618968 (that is to
> say, this one).

A mail there might still help a bit.

> > - Remove the package from debian if nothing happens.
>
> I am trying hard to avoid this, but I am failing to get help from other
> people... That's really frustrating! :-(

*sigh*

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#483217: texlive-latex-base: 483217: status?
begin quotation from Norbert Preining (in <20120619024124.gd14...@gamma.logic.tuwien.ac.at>):
> On Sa, 16 Jun 2012, Arne Wichmann wrote:
> > > Bug #483217 about licensing issues in files by Donald Arseneau was given
> > > an exception for lenny. Do you plan to do so for squeeze also or has
> > > someone managed to convince him to license his work in a more useful
> > > way?
> >
> > And for wheezy again?
>
> Yes probably. I don't see a reasonable outcome sooner or later.

Given that, the relevant files should be removed from debian, as they are not DFSG-free. Am I wrong there?

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#618968: Ping - netgen license problems
begin quotation from Francesco Poli (in <20120620232034.ae7eb33bd4efe458d8ed7...@paranoici.org>):
> On Sat, 16 Jun 2012 18:38:00 +0200 Arne Wichmann wrote:
> > This serious bug is now open without any action for more than a year. Is
> > that supposed to change?
>
> Hi Arne,
> thanks for following up on my bug report.
>
> I am personally trying hard to persuade Open CASCADE S.A.S. to
> re-license Open CASCADE Technology under GPLv2-compatible terms.
> This is solution (A), as described in my original bug report.
> I have been pestering Open CASCADE S.A.S. since April 2009...
>
> Unfortunately, latest news [1] is that they postponed the decision
> (again!).
>
> [1] http://dev.opencascade.org/index.php?q=node/31#comment-63
>
> However, several months have passed since February 2012 (at least for
> some definition of "several"!).
> Hence, I've recently resumed my persuasion effort.
>
> But I need help from other people.
> *Many* other people.
> As I repeatedly stated in the bug log [2] of #617613 (especially,
> please read at least the original report [3]), other people should
> contact Open CASCADE S.A.S. and try to persuade them to re-license Open
> CASCADE Technology under GPLv2-compatible terms (for instance, under
> the GNU LGPL v2.1).
> If nobody helps me in this persuasion struggle, I am afraid that the
> only solution will be to remove a number of packages from Debian, which
> is always a sad defeat!

So, at least as far as I can see, there are a number of things to be done in various time frames:
- Alert enough people to the problem (via debian-user, messages in the packaging, other mailing lists and similar means)
- Remove the package from debian if nothing happens.

cu
AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
Bug#631051: Ping - onemore build problem
This RC bug is now open for almost one year. Is there any plan to get it fixed? cu AW -- Arne Wichmann (a...@linux.de)
Bug#618876: Ping - non-free data
This serious bug is now open for more than a year. Is there any plan to fix it? cu AW -- Arne Wichmann (a...@linux.de)
Bug#637488: Ping - remove t1lib
begin quotation from Adam D. Barratt (in <1339930157.7014.2.ca...@jacala.jungle.funky-badger.org>):
> On Sun, 2012-06-17 at 12:14 +0200, Arne Wichmann wrote:
> > Just to remember... As far as I can see there are no more rdepends left.
> > Are there any more reasons not to remove t1lib?
>
> How did you determine that? Running "dak rm -Rn t1lib" on ftp-master
> says:

It seems I should improve on my tool knowledge.

> Checking reverse dependencies...
> # Broken Depends:
> dvi2ps: dvi2ps [amd64]
> evince: libevdocument3-4
> grace: grace
> gtkmathview: libgtkmathview-bin
>              libgtkmathview-dev
>              libgtkmathview0c2a
> lablgtkmathview: liblablgtkmathview-ocaml
> vflib3: vflib3 [amd64 armel armhf i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 s390x sparc]
>         vflib3-bin
>         vflib3-dev
>
> # Broken Build-Depends:
> claws-mail: libt1-dev
> evince: libt1-dev
> grace: libt1-dev
> gtkmathview: libt1-dev (>= 5.1.1-1.1)
> swftools: libt1-dev
> vflib3: libt1-dev
>
> Dependency problem found.

So it is time to file bugs to these respective packages, isn't it?

cu AW
-- Arne Wichmann (a...@linux.de)
Bug#634131: Ping - import error
This serious problem is now unhandled for almost a year. Is there any plan to handle it? cu AW -- Arne Wichmann (a...@linux.de)
Bug#637488: Ping - remove t1lib
Just to remember... As far as I can see there are no more rdepends left. Are there any more reasons not to remove t1lib? cu AW -- Arne Wichmann (a...@linux.de)
Bug#629730: Ping - FTBFS
This RC bug is patched but unfixed for more than a year now. Is there any plan to change this? cu AW -- Arne Wichmann (a...@linux.de)
Bug#629154: Ping - packages using python-support are configured before they are usable
Ok, this has now had time to be considered for a year - isn't it time to do something about it? cu AW -- Arne Wichmann (a...@linux.de)
Bug#609537: Ping - /etc/init.d/mysql stop problems
This RC bug is now unfixed for more than a year - the solution from 4dd128e8.1080...@gmail.com looks promising, but there was no action on it. Is there any plan for a change? cu AW -- Arne Wichmann (a...@linux.de)
Bug#627174: Ping - FTBFS
This RC bug is now pending for more than one year. Is there any plan to change this? cu AW -- Arne Wichmann (a...@linux.de)
Bug#626391: Ping - venkman crashes
This RC bug is now open for more than a year. Even though it is an upstream bug, it might be worthwhile to reconsider the situation. cu AW -- Arne Wichmann (a...@linux.de)
Bug#623382: Ping - gnat fatal error - gone away?
tag 623382 + unreproducible
thanks

I could not reproduce this problem using gnat-4.4. As it is fixed in gnats in version 4.4 - does it still exist?

cu AW
-- Arne Wichmann (a...@linux.de)
Bug#599523: Ping - unexpected downgrades
Is there any progress on this serious bug? It is now unhandled for more than one year. cu AW -- Arne Wichmann (a...@linux.de)
Bug#618968: Ping - netgen license problems
This serious bug is now open without any action for more than a year. Is that supposed to change? cu AW -- Arne Wichmann (a...@linux.de)
Bug#610885: Ping
Is this problem still there and/or is there any plan to work on this for wheezy? cu AW -- Arne Wichmann (a...@linux.de)
Bug#579522: Ping
Ok, squeeze is long gone and this serious bug is unhandled for more than 18 months. Is there any plan to fix this? cu AW -- Arne Wichmann (a...@linux.de)
Bug#603405: Ping
This serious bug is now unhandled for 18 months. Is there any plan to find a solution for this? cu AW -- Arne Wichmann (a...@linux.de)
Bug#538822: Ping
So, this is now unhandled for more than 9 months after it seemed almost fixed. What are the problems at the moment? cu AW -- Arne Wichmann (a...@linux.de)
Bug#483217: texlive-latex-base: 483217: status?
begin quotation from Paul Wise (in <1268552369.2860.193.camel@chianamo>):
> Ping,
>
> Bug #483217 about licensing issues in files by Donald Arseneau was given
> an exception for lenny. Do you plan to do so for squeeze also or has
> someone managed to convince him to license his work in a more useful
> way?

And for wheezy again?

cu AW
-- Arne Wichmann (a...@linux.de)
Bug#665012: CVE-2012-1570 not yet fixed in stable
begin quotation from Moritz Mühlenhoff (in <20120416154357.GA4565@pisco.westfalen.local>):
> On Mon, Apr 16, 2012 at 12:43:40AM +0100, Nicholas Bamber wrote:
> > On 15/04/12 16:18, Arne Wichmann wrote:
> > > Found: 665012 1.4.03-1.1
> > >
> > > As far as I can see this is not yet fixed in stable.
> > >
> > > cu
> > >
> > > AW
> >
> > Arne,
> > All the security issues are present in the stable release. I never
> > got a reply from the security team to my last proposed upload though
> > the security profile was slightly different then.
>
> This issue doesn't warrant a DSA. You can fix it through a stable
> point update instead.

So, is there a chance to see a fix to this in a stable point update?

cu AW
-- Arne Wichmann (a...@linux.de)
Bug#628455: CVE-2011-1521 again
unarchive 628455
found 628455 2.6.6-8+b1
thanks

Ok, this is still open. There is a fix: http://hg.python.org/cpython/raw-rev/9eeda8e3a13f

I think the last hunk will not apply cleanly, but as this is just NEWS it should not be a problem.

cu AW
-- Arne Wichmann (a...@linux.de)
Bug#672660: linux-2.6: CVE-2012-0810 kernel-rt: stack corruption when task gets scheduled out using the debug stack
Package: linux-2.6 Version: 3.2.16-1 Severity: grave Tags: security Justification: user security hole This seems to have slipped through the kernel-sec repository... Citing Redhat: The issue is that the int3 handler uses a per CPU debug stack, and calls do_traps() with interrupts enabled but preemption disabled. Then a signal is sent to the current process, and the code that handles the signal grabs a spinlock. This spinlock becomes a mutex (sleeping lock) when CONFIG_PREEMPT_RT_FULL is enabled. If there is contention on this lock then the task may schedule out. As the task is using a per CPU stack, and another task may come in and use the same stack, the stack can become corrupted and cause the kernel to panic. http://security-tracker.debian.org/tracker/CVE-2012-0810 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0810 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0810 Keep up the good work, AW -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.16 (SMP w/2 CPU cores; PREEMPT) Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#668920: grub-pc: grub 1.99-21 fails to detect mdraid partitions
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/16/2012 03:56 PM, Colin Watson wrote:
> On Mon, Apr 16, 2012 at 12:17:59AM +0800, Arne Goetje wrote:
>> Upgrading from 1.99-17 to 1.99-21 on wheezy today renders the
>> system unbootable. Grub cannot detect any mdraid partition and is
>> therefore unable to load the kernel.
>
> Does it emit any error messages that might be useful to help us
> track this down?

Error message for each HD is "error: no such partition". Since I have 4 HDs, the message appears 4 times.

>> Downgrading to 1.99-17 solves the problem.
> [...]
>> *** BEGIN /proc/mdstat
>> Personalities : [raid1]
>> md1 : active raid1 sdc[0] sdd[1]
>>       488386496 blocks [2/2] [UU]
>>
>> md127 : active raid1 sda[0] sdb[1]
>>       488386496 blocks [2/2] [UU]
>>
>> unused devices:
>> *** END /proc/mdstat
> [...]
>> * grub-pc/install_devices: /dev/sdc
>
> This jumped out at me. Are you quite sure that your BIOS is
> actually booting from /dev/sdc? It's possible that it's attempting
> to boot from an old copy of the GRUB core image installed to a
> different disk, which then gets confused by the newer modules in
> /boot/grub/. In this theory, downgrading to 1.99-17 would help
> because perhaps that core image is ABI-compatible with those
> modules; the support for non-512-byte sectors in 1.99-19 was
> probably a core/modules ABI break so this is plausible enough.
>
> My standard advice is to install GRUB to all fixed disks
> ('dpkg-reconfigure grub-pc') unless you have a good reason not to.

I remember I installed grub on all disks when I set up the machine. However, 'dpkg-reconfigure grub-pc' doesn't give me any option to configure that any more. I tried a manual 'grub-setup /dev/md127 ; grub-setup /dev/md1' after installing the new version, but it didn't help. grub-setup doesn't let me install on /dev/sd*, since the disks are grouped into raid arrays now. The boot device is /dev/md127 and the root partition /dev/md127p1.

(It's named md127, because when I installed squeeze on the machine, I chose the name md0 for the first raid array, not knowing that it would secretly rename it to md127, since it somehow doesn't like the numbering start from 0.)

Attached is my grub.cfg

HTH

Cheers
Arne

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCAAGBQJPj7qnAAoJENiwmJtstTzsdEsQAJMyrigq08JBYf4YJgHUQK4o
xV2qQrFI6Uk/3nfwRFx3G4287c+BTNKPusV7wtS/PaNPLntXgNoy3TGu0LQioKiu
Q3nsqUJjCiNT7CbxyVpBeEdH+msT4qgP67V9pbVqwJLVHETDkecxWk67tcAHaETi
NNLZWDxqx4afHuBfX+7WvVPuuLwFWqKn6AZYp7S3xCZk0j3V9r9wuwO69maW5iuA
Lxh34LExEvD6+wzUpupDZdxo7Q3Diz1Z1e/w2t4ADRwhAoTYJPLxQx6n4K7nIk6R
79fXa8Alkb+8fzop8NQkj+b79Xp2Tqb/6tfjBQbFXr4Cr/Oayk+QLuQt1MEnY8qm
nQtyY76FOPSiasWRT2smM7syif4vZBSCJVG6XCO2+geva40kjeq/iD/Qv3d7hsfS
wmM7nnvGGS4jPwDsl5mpKpUjzZmb8f1rBVUWcjMEpcispX1btrrpGTJDNCVOIWui
HgTRo0SHwQSQORMsOUJoQFuV5sA5giWzqEUV7bDeFKLhS+g6XifoEQocHnLT9qf0
yFbgOxcYStYDzjktM+MzmqScoGVxRvwmddWQQ/gEeTt8fxhANV+Am9XL47WMhukz
zZvZYwEkEckzw5srEYAx8lFbcLViPOGrffw4/46Efp34Wftlt/IdoVnigCImQhKr
j8ldZU6tWaUdpmjKvGFU
=bB4z
-----END PGP SIGNATURE-----

#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
  load_env
fi
set default="0"
if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

function load_video {
  insmod vbe
  insmod vga
  insmod video_bochs
  insmod video_cirrus
}

insmod raid
insmod mdraid09
insmod part_msdos
insmod ext2
set root='(mduuid/a64afb126a34e01de368bf24bd0fce41,1)'
search --no-floppy --fs-uuid --set=root fe2d67a4-6b34-4abb-bf1d-9fcb39b65b30
if loadfont /usr/share/grub/unicode.pf2 ; then
  set gfxmode=640x480
  load_video
  insmod gfxterm
  insmod raid
  insmod mdraid09
  insmod part_msdos
  insmod ext2
  set root='(mduuid/a64afb126a34e01de368bf24bd0fce41,1)'
  search --no-floppy --fs-uuid --set=root fe2d67a4-6b34-4abb-bf1d-9fcb39b65b30
  set locale_dir=($root)/boot/grub/locale
  set lang=C
  insmod gettext
fi
terminal_output gfxterm
set timeout=5
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
insmod raid
insmod mdraid09
insmod part_msdos
insmod ext2
set root='(mduuid/a64afb126a34e01de368bf24bd0fce41,1)'
search --no-floppy --fs-uuid --set=root fe2d67a4-6b34-4abb-bf1d-9fcb39b65b30
insmod png
if background_image /usr/share/images/desktop-base/spa
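A check for the situation Colin describes above (the configured grub-pc install device not covering every disk the BIOS might boot from), as an added example that is not part of this bug report or of the grub-pc package: it parses /proc/mdstat, maps every array member back to its whole disk, and reports which of those disks are absent from grub-pc/install_devices, so each of them can be given a current core image. The mdstat text is constructed after the one quoted in the report, with one degraded array added that the report does not have; the nvme/mmcblk partition-name rule is my assumption for newer device names, not something the report covers.

```python
import re

# Constructed sample modelled on the /proc/mdstat quoted in the report
# (md1 on sdc/sdd, md127 on sda/sdb), plus a degraded md2 that is not
# in the report, to exercise the failed-member path.
SAMPLE_MDSTAT = """\
Personalities : [raid1]
md1 : active raid1 sdc[0] sdd[1]
      488386496 blocks [2/2] [UU]

md127 : active raid1 sda[0] sdb[1]
      488386496 blocks [2/2] [UU]

md2 : active raid1 sde1[0] sdf1[1](F)
      1000 blocks [2/1] [U_]

unused devices: <none>
"""

# "mdN : <state> <level> member[slot](flag) ..."  (assumes the plain
# "active <level>" form; extra state words such as "(auto-read-only)"
# are not handled here)
_ARRAY_RE = re.compile(r"^(md\d+)\s*:\s*(\S+)\s+(\S+)\s+(.*)$")
_MEMBER_RE = re.compile(r"(\S+?)\[(\d+)\](\([A-Z]\))?")
# "[total/working] [UU_]" on the line following the array line
_STATUS_RE = re.compile(r"\[(\d+)/(\d+)\]\s*\[([U_]+)\]")


def parse_mdstat(text):
    """Return {array: {"state", "level", "members": [...], "degraded": bool}}."""
    arrays = {}
    current = None
    for line in text.splitlines():
        m = _ARRAY_RE.match(line)
        if m:
            name, state, level, rest = m.groups()
            current = {"state": state, "level": level,
                       "members": [], "degraded": False}
            for dev, slot, flag in _MEMBER_RE.findall(rest):
                current["members"].append(
                    {"dev": dev, "slot": int(slot), "failed": flag == "(F)"})
            arrays[name] = current
            continue
        s = _STATUS_RE.search(line)
        if s and current is not None:
            total, working, _layout = s.groups()
            current["degraded"] = int(working) < int(total)
    return arrays


def whole_disk(dev):
    """Map a partition name back to its disk (sdc1 -> sdc, nvme0n1p2 -> nvme0n1).
    Whole-disk members such as sda, as in the report, are returned unchanged.
    The nvme/mmcblk rule is an assumption, not taken from the report."""
    if dev.startswith(("nvme", "mmcblk")):
        return re.sub(r"p\d+$", "", dev)
    return re.sub(r"\d+$", "", dev)


def grub_install_targets(arrays):
    """Every healthy disk backing any array; any of them may be the BIOS boot disk."""
    disks = set()
    for array in arrays.values():
        for member in array["members"]:
            if not member["failed"]:
                disks.add("/dev/" + whole_disk(member["dev"]))
    return sorted(disks)


def missing_install_targets(arrays, install_devices):
    """Disks holding a RAID member that are not listed in grub-pc/install_devices."""
    configured = {d.strip() for d in install_devices}
    return [d for d in grub_install_targets(arrays) if d not in configured]


def degraded_arrays(arrays):
    """Names of arrays with fewer working members than configured."""
    return sorted(name for name, a in arrays.items() if a["degraded"])


if __name__ == "__main__":
    arrays = parse_mdstat(SAMPLE_MDSTAT)
    # The report's debconf answer listed only /dev/sdc.
    for disk in missing_install_targets(arrays, ["/dev/sdc"]):
        print("grub-install", disk)
    for name in degraded_arrays(arrays):
        print("warning: %s is degraded; its missing member cannot carry a core image" % name)
```

On a live system, read /proc/mdstat and the output of `debconf-show grub-pc` instead of the constructed sample; every disk the function reports is one the firmware may pick that would still carry a core image from before the upgrade.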
Bug#668920: grub-pc: grub 1.99-21 fails to detect mdraid partitions
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: grub-pc
Version: 1.99-21
Severity: critical
Justification: breaks the whole system

Upgrading from 1.99-17 to 1.99-21 on wheezy today renders the system unbootable. Grub cannot detect any mdraid partition and is therefore unable to load the kernel.

Downgrading to 1.99-17 solves the problem.

- -- Package-specific info:
*** BEGIN /proc/mounts
/dev/md127p1 / ext4 rw,relatime,errors=remount-ro,user_xattr,acl,barrier=1,data=ordered 0 0
/dev/md127p3 /home ext4 rw,relatime,user_xattr,acl,barrier=1,data=ordered 0 0
/dev/md127p2 /var ext4 rw,relatime,user_xattr,acl,barrier=1,data=ordered 0 0
/dev/md1p2 /home/arne/build ext4 rw,nosuid,nodev,relatime,user_xattr,acl,barrier=1,data=ordered 0 0
/dev/md1p5 /mnt/mail ext4 rw,nosuid,nodev,noexec,relatime,user_xattr,acl,barrier=1,data=ordered 0 0
/dev/md1p6 /home/arne/images ext4 rw,nosuid,nodev,relatime,user_xattr,acl,barrier=1,data=ordered 0 0
/dev/sr0 /media/Debian\040squeeze\04020110324-08:07 iso9660 ro,nosuid,nodev,relatime,uid=1000,gid=1000,iocharset=utf8,mode=0400,dmode=0500 0 0
*** END /proc/mounts

*** BEGIN /boot/grub/device.map
*** END /boot/grub/device.map

*** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
  load_env
fi
set default="0"
if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

function load_video {
  insmod vbe
  insmod vga
  insmod video_bochs
  insmod video_cirrus
}

insmod raid
insmod mdraid09
insmod part_msdos
insmod ext2
set root='(mduuid/a64afb126a34e01de368bf24bd0fce41,1)'
search --no-floppy --fs-uuid --set=root fe2d67a4-6b34-4abb-bf1d-9fcb39b65b30
if loadfont /usr/share/grub/unicode.pf2 ; then
  set gfxmode=640x480
  load_video
  insmod gfxterm
  insmod raid
  insmod mdraid09
  insmod part_msdos
  insmod ext2
  set root='(mduuid/a64afb126a34e01de368bf24bd0fce41,1)'
  search --no-floppy --fs-uuid --set=root fe2d67a4-6b34-4abb-bf1d-9fcb39b65b30
  set locale_dir=($root)/boot/grub/locale
  set lang=en_US
  insmod gettext
fi
terminal_output gfxterm
set timeout=5
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
insmod raid
insmod mdraid09
insmod part_msdos
insmod ext2
set root='(mduuid/a64afb126a34e01de368bf24bd0fce41,1)'
search --no-floppy --fs-uuid --set=root fe2d67a4-6b34-4abb-bf1d-9fcb39b65b30
insmod png
if background_image /usr/share/images/desktop-base/spacefun-grub.png; then
  set color_normal=light-gray/black
  set color_highlight=white/black
else
  set menu_color_normal=cyan/blue
  set menu_color_highlight=white/blue
fi
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Debian GNU/Linux, with Linux 3.2.0-2-686-pae' --class debian --class gnu-linux --class gnu --class os {
	insmod gzio
	insmod raid
	insmod mdraid09
	insmod part_msdos
	insmod ext2
	set root='(mduuid/a64afb126a34e01de368bf24bd0fce41,1)'
	search --no-floppy --fs-uuid --set=root fe2d67a4-6b34-4abb-bf1d-9fcb39b65b30
	echo	'Loading Linux 3.2.0-2-686-pae ...'
	linux	/boot/vmlinuz-3.2.0-2-686-pae root=/dev/md127p1 ro quiet
	echo	'Loading initial ramdisk ...'
	initrd	/boot/initrd.img-3.2.0-2-686-pae
}
menuentry 'Debian GNU/Linux, with Linux 3.2.0-2-686-pae (recovery mode)' --class debian --class gnu-linux --class gnu --class os {
	insmod gzio
	insmod raid
	insmod mdraid09
	insmod part_msdos
	insmod ext2
	set root='(mduuid/a64afb126a34e01de368bf24bd0fce41,1)'
	search --no-floppy --fs-uuid --set=root fe2d67a4-6b34-4abb-bf1d-9fcb39b65b30
	echo	'Loading Linux 3.2.0-2-686-pae ...'
	linux	/boot/vmlinuz-3.2.0-2-686-pae root=/dev/md127p1 ro single
	echo	'Loading initial ramdisk ...'
	initrd	/boot/initrd.img-3.2.0-2-686-pae
}
### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f $prefix
Bug#665012: CVE-2012-1570 not yet fixed in stable
Found: 665012 1.4.03-1.1

As far as I can see this is not yet fixed in stable.

cu AW
-- Arne Wichmann (a...@linux.de)
Bug#665902: [pkg-fso-maint] Bug#665902: fso-config-gta*: uninstallable in sid
solution: those are deprecated, use fso-gta0[12]
i assume those packages will disappear in a near future.

On Mon, 26 Mar 2012 23:03:04 +0200, Adam D. Barratt wrote:
Package: fso-config-gta01
Version: 20090224-1
Severity: serious

Hi,

fso-config-gta0{1,2} are uninstallable in unstable. They depend on fso-frameworkd, but that package conflicts with the -config packages.

Regards,

Adam

___
pkg-fso-maint mailing list
pkg-fso-ma...@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-fso-maint
Bug#641738: Ping
This grave bug is now pending for almost 2 months. Is there any update on the situation? cu AW -- Arne Wichmann (a...@linux.de)
Bug#628843: Ping
begin quotation from Nicolas François (in <20111017211732.gj16...@nekral.nekral.homelinux.net>):
> On Sun, Oct 16, 2011 at 05:20:31PM +0200, bubu...@debian.org wrote:
> > Quoting Arne Wichmann (a...@anhrefn.saar.de):
> > > This critical bug is now pending for more than 3 months. Is there any
> > > update on the situation?
> >
> > Nicolas should actually release upstream 4.1.5 and then upload
> > 4.1.5-1. Nicolas?
>
> Yes, this is the plan.
> There are still some untested changes, and I still have a few uncommitted
> changes on my tree.
>
> Regarding this bug
> * Arne, I do not know if your ping was related to the potential security
>   impact, but it could help to have an assessment of the proposed solution
>   (and also comment 46)

Ok, let me think...

- @@ -264,6 +264,11 @@

This has the effect that "su -c ... " can no longer be used to call programs which use terminals - for example dialog. This should at least be prominently documented.

The rest looks like it could work. But I would not call myself a specialist on Unix tty-handling.

The last sentence applies to comment 46, too.

> * It did not seem that critical to me (e.g. in the pointed
>   comp.security.oss.general thread, there were no agreement for a CVE)

I do not really want to argue about bug severity here - this assessment is better left to you. I did however use su in the past in non-interactive scripts to lower privileges - if this isn't supported it should at least be documented, again... ;-)

cu AW
-- Arne Wichmann (a...@linux.de)
Bug#628843: Ping
This critical bug is now pending for more than 3 months. Is there any update on the situation? cu AW -- Arne Wichmann (a...@linux.de)
Bug#621866: Bug fixed in unstable/testing/experimental
As far as I can see, this bug is fixed in testing (and anything newer):

/usr/share/doc/rsync/changelog.gz:
[...]
    - Fixed a data-corruption issue when preserving hard-links without
      preserving file ownership, and doing deletions either before or during
      the transfer (CVE-2011-1097). This fixes some assert errors in the
      hard-linking code, and some potential failed checksums (via -c) that
      should have matched.
[...]

cu AW
-- Arne Wichmann (a...@linux.de)
Bug#621866: Ping
Hi, this grave bug is now open for more than 4 months. Is there anything happening to fix it? cu AW -- Arne Wichmann (a...@linux.de)
Bug#623551: Ping
Hi, this grave bug is now open for more than 3 months - is there a plan for an update? cu AW -- Arne Wichmann (a...@linux.de)
Bug#606922: jpake not enabled in sid
It does not look like jpake is enabled in sid:

[130] ~/src/openssh-5.5p1 (518) a...@anhrefn $ find . -type f '!' -name '*.[ch]' |xargs zgrep -i jpake
./ChangeLog:     disallow a hostile server from checking jpake auth by sending an
./ChangeLog:   - (dtucker) [auth2-jpake.c auth2.c canohost.h session.c] Whitespace and
./ChangeLog:     [auth2-jpake.c jpake.c jpake.h monitor_wrap.c monitor_wrap.h schnorr.c]
./ChangeLog:     [auth2-jpake.c]
./ChangeLog:     Move JPAKE define to make life easier for portable. ok djm@
./ChangeLog:     [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c]
./ChangeLog:     compiled-time disabled (turn on -DJPAKE in Makefile.inc).
./Makefile.in:	entropy.o gss-genr.o umac.o jpake.o schnorr.o \
./Makefile.in:	auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
./debian/patches/ssh-vulnkey.patch:	int zero_knowledge_password_authentication;	/* Try jpake */
./debian/patches/ssh-vulnkey.patch:	/* If true, permit jpake auth */
./debian/patches/gssapi-dump.patch: #ifdef JPAKE
./debian/patches/selinux-role.patch:	void		*jpake_ctx;
./debian/patches/gssapi.patch:	entropy.o gss-genr.o umac.o jpake.o schnorr.o \
./debian/patches/gssapi.patch:	auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
./debian/patches/gssapi.patch: #ifdef JPAKE
./debian/patches/gssapi.patch: #ifdef JPAKE
./debian/patches/gssapi.patch: #ifdef JPAKE
./debian/patches/gssapi.patch:     {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
./debian/patches/gssapi.patch: #ifdef JPAKE
./debian/patches/gssapi.patch: #ifdef JPAKE
./.pc/gssapi.patch/Makefile.in:	entropy.o gss-genr.o umac.o jpake.o schnorr.o \
./.pc/gssapi.patch/Makefile.in:	auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
./.pc/ssh-vulnkey.patch/Makefile.in:	entropy.o gss-genr.o umac.o jpake.o schnorr.o \
./.pc/ssh-vulnkey.patch/Makefile.in:	auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
./.pc/authorized-keys-man-symlink.patch/Makefile.in:	entropy.o gss-genr.o umac.o jpake.o schnorr.o \
./.pc/authorized-keys-man-symlink.patch/Makefile.in:	auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
./.pc/lintian-symlink-pickiness.patch/Makefile.in:	entropy.o gss-genr.o umac.o jpake.o schnorr.o \
./.pc/lintian-symlink-pickiness.patch/Makefile.in:	auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \

Keep up the good work,

AW
-- Arne Wichmann (a...@linux.de)
Bug#584653: RC bugs in upcoming stable
So, to clarify, does that mean that this 6 month old [1] security problem which was deemed too difficult to fix by the stable security team [2] will be around for the next 2 years because the only available fix does not make it into stable? [3]

[1] http://www.securityfocus.com/archive/1/511433
[2] http://security-tracker.debian.org/tracker/CVE-2010-2055
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584653

cu AW
-- Arne Wichmann (a...@linux.de)
Bug#589524: postgresql-common: still does not install due to init.d lsb error
On Tue, 20 Jul 2010 14:12:08 +0200, Martin Pitt wrote:
> arne [2010-07-20 12:55 +0200]:
> > while upgrading today i experience exactly the same issue as the op:
>
> You need the new postgresql-8.4 to go along with this update.

well, i did aptitude dist-upgrade
everything necessary should have been included by default.
Bug#589524: postgresql-common: still does not install due to init.d lsb error
Package: postgresql-common
Version: 109
Severity: normal

while upgrading today i experience exactly the same issue as the op:

apt-get -f install
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
2 not fully installed or removed.
After this operation, 0B of additional disk space will be used.
Setting up postgresql-common (109) ...
insserv: script postgresql: service postgresql already provided!
insserv: exiting now!
update-rc.d: error: insserv rejected the script header
dpkg: error processing postgresql-common (--configure):
 subprocess installed post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of postgresql-8.4:
 postgresql-8.4 depends on postgresql-common (>= 104~); however:
  Package postgresql-common is not configured yet.
dpkg: error processing postgresql-8.4 (--configure):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 postgresql-common
 postgresql-8.4
E: Sub-process /usr/bin/dpkg returned an error code (1)

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages postgresql-common depends on:
ii  adduser                   3.112      add and remove users and groups
ii  debconf [debconf-2.0]     1.5.33     Debian configuration management sy
ii  lsb-base                  3.2-23.1   Linux Standard Base 3.2 init scrip
ii  postgresql-client-common  109        manager for multiple PostgreSQL cl
ii  procps                    1:3.2.8-9  /proc file system utilities
ii  ssl-cert                  1.0.25     simple debconf wrapper for OpenSSL

postgresql-common recommends no packages.

postgresql-common suggests no packages.
-- debconf information: postgresql-common/obsolete-major: -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#525549: Ping
Hi,

Is there any progress on this issue?

cu
AW
-- 
Arne Wichmann (a...@linux.de)
Bug#520485: Ping
Hi,

Is there any progress on this issue?

cu
AW
-- 
Arne Wichmann (a...@linux.de)
Bug#518250: Is this a bug?
Looking at this it seems that there is not much of a bug left. Can this be closed (or otherwise downgraded)?

cu
AW
-- 
Arne Wichmann (a...@linux.de)
Bug#514220: Ping
Hi...

Is there any progress on this?

cu
AW
-- 
Arne Wichmann (a...@linux.de)
Bug#511582: Ping
Is there anything happening here? The issue has now been open for 18 months...

cu
AW
-- 
Arne Wichmann (a...@linux.de)
Bug#508589: Reassigning as it seems to be a kernel problem after all
reassign 508589 linux-2.6
thanks

As this seems to be a kernel issue after all, I reassign it back. Hopefully it will be sorted out between the different parties in some time.

cu
AW
-- 
Arne Wichmann (a...@linux.de)
Bug#589167: apt-mirror is already running, exiting at /usr/bin/apt-mirror line 187.
Package: apt-mirror
Version: 0.4.8-1
Severity: grave
Tags: sid

apt-mirror worked at first start without problem. The second time the program gives:

apt-mirror is already running, exiting at /usr/bin/apt-mirror line 187.

Even after

apt-get remove apt-mirror
apt-get install apt-mirror

the program will not start:

apt-mirror is already running, exiting at /usr/bin/apt-mirror line 187.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt-mirror depends on:
ii  adduser       3.112      add and remove users and groups
ii  perl          5.10.1-13  Larry Wall's Practical Extraction
ii  perl-modules  5.10.1-13  Core Perl modules
ii  wget          1.12-2     retrieves files from the web

apt-mirror recommends no packages.
apt-mirror suggests no packages.

-- no debconf information
Bug#575742: Intend to NMU 575742 (was: CVE-2009-3995 CVE-2009-3996: Multiple heap-based buffer overflows)
I prepared the appended patch as an NMU, it will be uploaded to delayed/2 by a...@debian.org soon. cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de) diff -u libmikmod-3.1.11/debian/changelog libmikmod-3.1.11/debian/changelog --- libmikmod-3.1.11/debian/changelog +++ libmikmod-3.1.11/debian/changelog @@ -1,3 +1,11 @@ +libmikmod (3.1.11-6.2) unstable; urgency=high + + * Non-maintainer upload. + * debian/patches/CVE-2009-3995f.patch: fixes buffer overflows in the +loaders for Impulse Tracker and Ultratracker files. (Closes: #575742) + + -- Arne Wichmann Sat, 12 Jun 2010 16:14:44 +0200 + libmikmod (3.1.11-6.1) unstable; urgency=high * Non-maintainer upload. only in patch2: unchanged: --- libmikmod-3.1.11.orig/debian/patches/CVE-2009-3995f.patch +++ libmikmod-3.1.11/debian/patches/CVE-2009-3995f.patch 
@@ -0,0 +1,35 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2009-3995f.dpatch by +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Patch for CVE-2009-3995 and CVE-2009-3996 + +...@dpatch@ + +diff -Ndurp libmikmod-3.1.11/loaders/load_it.c libmikmod-3.1.11-fixed/loaders/load_it.c +--- libmikmod-3.1.11/loaders/load_it.c 2010-05-31 14:10:34.0 +0200 libmikmod-3.1.11-fixed/loaders/load_it.c 2010-05-31 14:10:10.0 +0200 +@@ -862,6 +862,10 @@ BOOL IT_Load(BOOL curious) + #endif + + IT_ProcessEnvelope(vol); ++ /* fix for CVE-2009-3995 - snatched from SuSe's fix -- AW */ ++ if (ih.volpts>= ENVPOINTS) ++ ih.volpts = ENVPOINTS-1; ++ + for(u=0;uvolenv[u].val=(ih.volnode[u]<<2); + +diff -Ndurp libmikmod-3.1.11/loaders/load_ult.c libmikmod-3.1.11-fixed/loaders/load_ult.c +--- libmikmod-3.1.11/loaders/load_ult.c2010-05-31 14:10:34.0 +0200 libmikmod-3.1.11-fixed/loaders/load_ult.c 2010-05-31 14:10:10.0 +0200 +@@ -224,6 +224,9 @@ BOOL ULT_Load(BOOL curious) + for(u=0;u=UF_MAXCHAN) ++ of.numchn=UF_MAXCHAN - 1; + + /* read pan position table for v1.5 and higher */ + if(mh.id[14]>='3') { signature.asc Description: Digital signature
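Review bot: the clamp in the load_it.c hunk, `if (ih.volpts >= ENVPOINTS) ih.volpts = ENVPOINTS-1;`, looks off by one if the loop that follows it (`for(u=0;u...volenv[u].val=...` in the hunk's context) runs `u < ih.volpts` over an array of ENVPOINTS entries: a file declaring exactly ENVPOINTS points is valid for such a loop but loses its last point, while clamping to ENVPOINTS would bound the index without that loss. More importantly, a point count past the array end means the instrument header is malformed, so silently truncating hides the bad input; failing the load with an error would make a crafted or corrupt file visible instead of quietly producing a different module. The inline comment should also name the CVE(s) being fixed rather than "snatched from SuSe's fix", since the patch header says the dpatch covers both CVE-2009-3995 and CVE-2009-3996.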
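Review bot: the load_ult.c hunk has the same off-by-one question: `of.numchn >= UF_MAXCHAN` is clamped to `UF_MAXCHAN - 1`, so a file declaring exactly UF_MAXCHAN channels is reduced to one channel fewer even if the per-channel arrays hold UF_MAXCHAN entries and the `for(u=0;u...` loop in the context would have handled it. Either clamp to UF_MAXCHAN (if the arrays are that large) or, preferably, reject the file as malformed rather than altering its channel count. Unlike the load_it.c hunk, this one carries no comment saying which CVE it addresses; please add one so the two fixes can be matched to the two advisories named in the dpatch header.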
Bug#578345: [Lwat] Bug#578345: lwat in Squeeze: Fail to create user with ldap error34 "Invalid DN syntax"
On 04/19/2010 07:48 AM, Petter Reinholdtsen wrote:
> Package: lwat
> Version: 0.18~beta-3
> Severity: grave
> User: debian-...@lists.debian.org
> Usertag: debian-edu
>
> When testing lwat in a Squeeze based Debian Edu install of
> main-server+thin-client-server (using PXE), it is impossible to create
> a user. Setting severity to grave, as this makes lwat unable to fill
> its purpose, to create users and groups in LDAP.

Have you tried using one of the admin.ini examples provided by lwat?

Looks like it's the group "none" that's in the template that causes this. If this group is removed from the template, then it works. If I remove none and add school instead, it also works.

Looks like the bug is in the php function "parse_ini_file". It looks like it works if you put the group name "none" in single quotes like this: 'none'. If you try to use double quotes, lwat looks for a group named '"none"'.

Don't remember why the group 'none' was added anymore, maybe it's a sign that it should go away?

Not sure how to fix this. I think it's a bug of php5 (and maybe debian-edu). It could be fixed in lwat, but then we have to write a new parser for ini-files, and I don't think I want that.

// faj
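The parse_ini_file() behaviour faj describes, as an added example that is not part of lwat or of this thread: PHP's ini scanner treats the bare word none (like null, no, off and false) as a false value that reads back as an empty string, so an unquoted group named none silently vanishes from the parsed template while the single-quoted form survives. The section and key names below are constructed and are not lwat's real admin.ini layout, and findReservedIniValues() is a hypothetical pre-flight check, not something lwat ships.

```php
<?php
// Added example, not lwat's code. Shows why a group literally named "none"
// disappears when a template is read with PHP's ini parser, and a check a
// maintainer could run over a template before trusting it.

// Constructed templates; the section/key names are assumptions, not the
// real admin.ini layout.
$templates = [
    'bare'   => "[educational]\ngroups = none\n",
    'quoted' => "[educational]\ngroups = 'none'\n",
];

foreach ($templates as $label => $ini) {
    // parse_ini_string() uses the same scanner as parse_ini_file();
    // second argument keeps the [section] structure.
    $cfg = parse_ini_string($ini, true);
    var_dump($label, $cfg['educational']['groups']);
}
// bare   -> string(0) ""      the group is silently lost
// quoted -> string(4) "none"  the quoted form survives

// Words PHP's ini scanner reinterprets when they appear unquoted as a value.
const INI_RESERVED_WORDS = ['null', 'none', 'yes', 'no', 'true', 'false', 'on', 'off'];

// Return one message per "key = value" line whose bare value would be
// reinterpreted, so the template author can quote it (e.g. 'none').
function findReservedIniValues(string $ini): array
{
    $hits = [];
    foreach (explode("\n", $ini) as $n => $line) {
        // key = value, with an unquoted single-token value; skip comments,
        // section headers and blank lines.
        if (preg_match('/^\s*([^;#=\[][^=]*?)\s*=\s*(\S+)\s*$/', $line, $m)
            && in_array(strtolower($m[2]), INI_RESERVED_WORDS, true)) {
            $hits[] = sprintf('line %d: %s = %s is unquoted; PHP reads it as a special value',
                              $n + 1, $m[1], $m[2]);
        }
    }
    return $hits;
}

print_r(findReservedIniValues($templates['bare']));    // one hit on line 2
print_r(findReservedIniValues($templates['quoted']));  // no hits
```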
Bug#574111: E: main.c: Failed to create '/tmp/pulse-$USER': Permission denied
After rebuilding libpulsecore5 0.9.10-3+lenny2 from source on amd64, pulseaudio now works for me again. Maybe the build environment for the security update was broken?

Arne
Bug#546315: pavucontrol suddenly fails with Gtk::IconThemeError
Looks like it is related to using bluetooth. If the headset is connected, pavucontrol fails. Once it is disconnected, pavucontrol works again.
Bug#546315: pavucontrol suddenly fails with Gtk::IconThemeError
Package: pavucontrol
Version: 0.9.8-1
Severity: grave
Justification: renders package unusable

Am not quite sure what happened, but from one minute to the other pavucontrol doesn't start anymore.

$ pavucontrol
terminate called after throwing an instance of 'Gtk::IconThemeError'
Aborted

Some browsing and the output of strace seemed to indicate that it is simply searching in the wrong paths, i.e. below $HOME, ~/.icons, ~/.local/share/icons/, and /usr/local/. But simply copying the icons from /usr/share doesn't help.

I would append a log of strace, but I don't know how to do that with reportbug.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30.5 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages pavucontrol depends on:
ii  libatk1.0-0              1.26.0-1      The ATK accessibility toolkit
ii  libc6                    2.9-26        GNU C Library: Shared libraries
ii  libcairo2                1.8.8-2       The Cairo 2D vector graphics libra
ii  libcairomm-1.0-1         1.8.0-1       C++ wrappers for Cairo (shared lib
ii  libcanberra-gtk0         0.12-1.1      Gtk+ helper for playing widget eve
ii  libcanberra0             0.12-1.1      a simple abstract interface for pl
ii  libfontconfig1           2.6.0-4       generic font configuration library
ii  libfreetype6             2.3.9-5       FreeType 2 font engine, shared lib
ii  libgcc1                  1:4.4.1-3     GCC support library
ii  libglade2-0              1:2.6.4-1     library to load .glade files at ru
ii  libglademm-2.4-1c2a      2.6.7-2       C++ wrappers for libglade2 (shared
ii  libglib2.0-0             2.20.5-1      The GLib library of C routines
ii  libglibmm-2.4-1c2a       2.20.1-1      C++ wrapper for the GLib toolkit (
ii  libgtk2.0-0              2.16.6-1      The GTK+ graphical user interface
ii  libgtkmm-2.4-1c2a        1:2.16.0-2    C++ wrappers for GTK+ 2.4 (shared
ii  libpango1.0-0            1.24.5-1      Layout and rendering of internatio
ii  libpangomm-1.4-1         2.24.0-3      C++ Wrapper for pango (shared libr
ii  libpulse-mainloop-glib0  0.9.16-1      PulseAudio client libraries (glib
ii  libpulse0                0.9.16-1      PulseAudio client libraries
ii  libsigc++-2.0-0c2a       2.0.18-2      type-safe Signal Framework for C++
ii  libstdc++6               4.4.1-3       The GNU Standard C++ Library v3
ii  libxml2                  2.7.4.dfsg-1  GNOME XML library

pavucontrol recommends no packages.
pavucontrol suggests no packages.

-- debconf-show failed
Bug#524483: locales-all: locales installation fails always with "cannot map archive header: Invalid argument"
> What is the output of ls -al /usr/lib/locale/locale-archive ?

ls: cannot access /usr/lib/locale/locale-archive: No such file or directory

> How much space is available in this directory?

df -h /
Filesystem            Size  Used Avail Use% Mounted on
rootfs                247M  164M   84M  67% /

> What filesystem is it? Any particular mount option?

rootfs on / type jffs2 (rw,noatime,errors=remount-ro)

Making locale-gen run localedef with --no-archive creates the locales defined, but of course not the archive.

The filesystem question is actually quite interesting -- I linked the folder to an ext3 formatted SD card

df:    /dev/mmcblk0p2        5.6G  2.5G  2.9G  47% /mnt
mount: /dev/mmcblk0p2 on /mnt type ext3 (rw,noatime,errors=remount-ro)

and locale-gen went straight through. Seems jffs2 is troublesome, doesn't it?
Bug#524483: locales-all: locales installation fails always with "cannot map archive header: Invalid argument"
Package: locales-all
Version: 2.9-7
Severity: grave
Justification: renders package unusable

Installing locales-all or running locale-gen always ends with

cannot map archive header: Invalid argument

(which makes the installation fail, of course) and the locales are not available.

Since locales did not work, I installed locales-all, led to believe by "This package contains the precompiled locale data for all supported locales." that everything was done -- but not so, the exact same stuff happened (making me ask what in fact is the meaning of that sentence).

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: armel (armv4tl)
Kernel: Linux 2.6.28-20090105.git69b2aa26 (PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages locales-all depends on:
ii  libc6 [glibc-2.9-1]  2.9-7    GNU C Library: Shared libraries
ii  lzma                 4.43-14  Compression method of 7z format in

locales-all recommends no packages.
locales-all suggests no packages.

-- no debconf information
Bug#447404: fglrx-driver: fglrx-driver should not provide xserver-xorg-video-1.0
I didn't find any! If there is one, please give the number.

regards

On Sat, 20 Oct 2007 22:24:49 +0200, Julien Cristau <[EMAIL PROTECTED]> wrote:
> forcemerge 443129 447404
> kthxbye
>
> On Sat, Oct 20, 2007 at 22:19:24 +0200, arne anka wrote:
> > Package: fglrx-driver
> > Version: 8.40.4-2
> > Severity: grave
> > File: fglrx-driver
> > Justification: renders package unusable
> >
> > the package is uninstallable:
>
> Please look at existing bugs before reporting duplicates.
>
> Thanks,
> Julien
Bug#447404: fglrx-driver: fglrx-driver should not provide xserver-xorg-video-1.0
Package: fglrx-driver
Version: 8.40.4-2
Severity: grave
File: fglrx-driver
Justification: renders package unusable

The package is uninstallable:

aptitude install fglrx-driver
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Building tag database... Done
The following packages are BROKEN:
  xserver-xorg-core
The following NEW packages will be installed:
  fglrx-driver
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 6192kB of archives. After unpacking 18.1MB will be used.
The following packages have unmet dependencies:
  xserver-xorg-core: Conflicts: xserver-xorg-video-1.0 which is a virtual package.
Resolving dependencies...
Unable to resolve dependencies! Giving up...
Abort.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.23 (PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages fglrx-driver depends on:
ii  libc6              2.6.1-6     GNU C Library: Shared libraries
ii  libgcc1            1:4.2.2-3   GCC support library
ii  libstdc++5         1:3.3.6-15  The GNU Standard C++ Library v3
ii  libx11-6           2:1.0.3-7   X11 client-side library
ii  libxext6           1:1.0.3-2   X11 miscellaneous extension librar
ii  libxrandr2         2:1.2.2-1   X11 RandR extension library
ii  libxrender1        1:0.9.4-1   X Rendering Extension client libra
ii  xserver-xorg-core  2:1.4-3     Xorg X server - core server

Versions of packages fglrx-driver recommends:
pn  fglrx-kernel                   (no description available)
Bug#426630: lwat: Bug fixed in cvs
Package: lwat
Followup-For: Bug #426630

The bug was caused by a typo in postinst, causing lwat to not set up an admin.ini if the admin/user scheme was selected during installation.

This is now fixed in cvs, and will be included in 0.15-x if not before.

// faj

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)
Bug#426630: lwat: postinst fails to install admin.ini
Package: lwat
Version: 0.14-3
Severity: grave
Justification: renders package unusable

When installing lwat from unstable/testing, I get no /etc/lwat/admin.ini. This makes it impossible to add new users, which is a core function for lwat.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (1000, 'stable'), (900, 'testing'), (800, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)

Versions of packages lwat depends on:
ii  apache2                     2.2.3-4        Next generation, scalable, extenda
ii  apache2-mpm-prefork [apach  2.2.3-4        Traditional model for Apache HTTPD
ii  debconf [debconf-2.0]       1.5.11         Debian configuration management sy
ii  libapache2-mod-php5         5.2.0-8+etch4  server-side, HTML-embedded scripti
ii  php5                        5.2.0-8+etch4  server-side, HTML-embedded scripti
ii  php5-cli                    5.2.0-8+etch4  command-line interpreter for the p
ii  php5-ldap                   5.2.0-8+etch4  LDAP module for php5
ii  smarty-gettext              1.0b1-2        provides gettext support for smart

lwat recommends no packages.

-- debconf information:
* shared/ldapns/base-dn: dc=bzzware,dc=org
* lwat/authprefix: ou=AuthGroup
* lwat/minPwLength: 5
* lwat/allowPwSet: true
* lwat/minPwLower: 0
* lwat/netgroupprefix: ou=Netgroup
* lwat/domain: test.bzzware.org
* lwat/minPwNumber: 0
* shared/ldapns/ldap-server: localhost
* lwat/uselisgroup: false
* lwat/minPwUpper: 0
* lwat/hostprefix: ou=Hosts
* lwat/homedirlocation: /home
* lwat/groupprefix: ou=Group
* lwat/templates: educational institution
Bug#402010: gosa leaves the ldap admin password readable by any web application
Cajus Pollmeier wrote:
> On Thursday 07 December 2006 14:37, Finn-Arne Johansen wrote:
>> Package: gosa
>> Version: 2.5.6-2
>> Severity: critical
>> Tags: security
>> Justification: root security hole
>>
>> The documentation in gosa tells the admin to install gosa.conf under
>> /etc/gosa/gosa.conf, and to make it readable by the group www-data.
>> In this configuration file, the ldap admin password is stored in
>> cleartext. Any process running under the web process can now read that
>> file, and if the same ldap user was used for authenticating, it would
>> be rather easy to create a user with root access.
>>
>> this little script placed under my ~/public_html/ revealed the password
>> on my server
>>
>
> So, do you have another solution, actually? Any web application that stores
> information about passwords has the same problem, you can simply get
> passwords to mysql databases, etc.
>
> Don't use public stuff on these administrative servers. I'm not responsible
> for configuring your PHP installation, i.e. use PHP's secure mode to avoid
> these cases.

Please add these notes to the explanation or at least to the README.Debian file.

Someone thought about adding gosa as the user admin tool for Debian-Edu, until I pointed this out.

-- 
Finn-Arne Johansen
[EMAIL PROTECTED] http://bzz.no/
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642
Bug#402010: gosa leaves the ldap admin password readable by any web application
Package: gosa
Version: 2.5.6-2
Severity: critical
Tags: security
Justification: root security hole

The documentation in gosa tells the admin to install gosa.conf under /etc/gosa/gosa.conf, and to make it readable by the group www-data. In this configuration file, the ldap admin password is stored in cleartext. Any process running under the web process can now read that file, and if the same ldap user was used for authenticating, it would be rather easy to create a user with root access.

This little script placed under my ~/public_html/ revealed the password on my server

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-686
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)

Versions of packages gosa depends on:
ii  apache2-mpm-prefork      2.2.3-3.1         Traditional model for Apache HTTPD
ii  fping                    2.4b2-to-ipv6-14  sends ICMP ECHO_REQUEST packets to
ii  libcrypt-smbhash-perl    0.12-1            generate LM/NT hash of a password
ii  php5                     5.2.0-7           server-side, HTML-embedded scripti
ii  php5-gd                  5.2.0-7           GD module for php5
ii  php5-imagick             0.9.11+1-4.1      ImageMagick module for php5
ii  php5-imap                5.2.0-7           IMAP module for php5
ii  php5-ldap                5.2.0-7           LDAP module for php5
ii  php5-mhash               5.2.0-7           MHASH module for php5
ii  php5-mysql               5.2.0-7           MySQL module for php5
ii  php5-recode              5.2.0-7           recode module for php5
ii  postfix [mail-transport  2.3.4-2           A high-performance mail transport
ii  smarty                   2.6.14-1          Template engine for PHP
ii  smarty-gettext           1.0b1-2           provides gettext support for smart
ii  wwwconfig-common         0.0.48            Debian web auto configuration

gosa recommends no packages.

-- no debconf information
Bug#386519: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244
Raphael Hertzog wrote:
> On Tue, 12 Sep 2006, Finn-Arne Johansen wrote:
>> Dieter Simader wrote:
>>> The sessionid is still there but not used anymore.
>>>
>>> If you need more info let me know.
>> OK, as said - I've tested that the new package installs ok, but I have
>> not found the time to check how the bug is fixed.
>>
>> Since I'm under a rather heavy workload now, I doubt that I can make the
>> time to verify anything else than that the upgrade went ok.
>
> Same for me. I'm rather busy lately and I prepared this patch because it's
> a security issue but I do not have time to test the old security-patched
> package.
>
> I have no reason to believe that it would cause major pains however.
> Petter, maybe you have some time to test the sarge update?
>
>> If Raphael understands the patch, I suggest it's uploaded to the
>> security mirror, and that a DSA is released.
>
> Indeed, but I just generated a new version of that update since a second
> security issue has been fixed in 2.6.19 (a directory traversal bug). I
> also applied the fix for the "new window" function which broke due
> to the change in the session id handling.

How did that break? I'm using 2.4.7-2sarge1, and the "new window" function works as far as I can see. So if "new window" should fail to work because of the patch, the patch is not working, since "new window" works for me. I seldom use that function, I rather right-click and select "open in new TAB".

> Please checkout the updated package (and patch) at:
> http://people.debian.org/~hertzog/sql-ledger/

Well, I do run the same version, but I guess you built a new version with the same version number. Here is the entry from the changelog on the version I'm using:

sql-ledger (2.4.7-2sarge1) stable-security; urgency=high

  * Security upload.
  * Fix bad handling of sessionid: CVE-2006-4244 Closes: #386519

 -- Raphael Hertzog <[EMAIL PROTECTED]>  Sun, 10 Sep 2006 21:56:34 +0200

-- 
Finn-Arne Johansen
[EMAIL PROTECTED] http://bzz.no/
Debian-edu developer and Solution provider
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642
Bug#386519: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244
Dieter Simader wrote:
> The sessionid is still there but not used anymore.
>
> If you need more info let me know.

OK, as said - I've tested that the new package installs ok, but I have not found the time to check how the bug is fixed.

Since I'm under a rather heavy workload now, I doubt that I can make the time to verify anything else than that the upgrade went ok.

If Raphael understands the patch, I suggest it's uploaded to the security mirror, and that a DSA is released.

-- 
Finn-Arne Johansen
[EMAIL PROTECTED] http://bzz.no/
Debian-edu developer and Solution provider
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642