Bug#165101: marked as done (libghttp1: ghttp_flush_response_buffer() induces failures on requests of unpredictable length)
Your message dated Tue, 06 Jan 2004 18:32:22 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#165101: fixed in libghttp 1.0.9-14
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--
From: Devin Carraway <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: libghttp1: ghttp_flush_response_buffer() induces failures on requests of unpredictable length
X-Mailer: reportbug 1.50
Date: Wed, 16 Oct 2002 15:00:18 -0700

Package: libghttp1
Version: 1.0.9-9
Severity: normal

When conducting an async-mode ghttp transfer of a URI whose webserver
did not provide a Content-Length: header, using
ghttp_flush_response_buffer() will induce an "Unknown error" failure at
the end of the transfer.

Sample code appears below. Compiled and run with an argument of
"http://www.debian.org/" (which furnishes a Content-Length header) it
runs to successful completion. Run against http://base.debian.net/
(which does not), it fails. If the call to ghttp_flush_response_buffer()
is commented out, it runs to completion in either case.

$ ./simple-get http://www.debian.org/
conn0: response-headers [0/0]
conn0: response [585/-1]
conn0: response [1009/14704]
conn0: response [2033/14704]
[...]
conn0: response [13617/14704]
conn0: response [14641/14704]
conn0: none [0/0]
conn0 received 160979 bytes

$ ./simple-get http://base.debian.net/
conn0: response-headers [0/0]
conn0: response [0/-1]
conn0: response [1443/-1]
conn0: response [1602/-1]
conn0: response [1688/-1]
conn0: response [1696/-1]
conn0: response [2997/-1]
conn0: response [4021/-1]
ghttp err: Unknown Error.

/* simple-get.c */

#include <stdio.h>
#include <stdlib.h>
#include <ghttp.h>

/* Print a message to stderr and exit with a failure status. */
void bail(char *s)
{
    fputs(s, stderr);
    fputc('\n', stderr);
    exit(1);
}

/* Report the request's current processing stage and byte counters. */
void status(ghttp_request *r, char *desc)
{
    ghttp_current_status st;

    st = ghttp_get_status(r);
    fprintf(stderr, "%s: %s [%d/%d]\n",
            desc,
            st.proc == ghttp_proc_request ? "request" :
            st.proc == ghttp_proc_response_hdrs ? "response-headers" :
            st.proc == ghttp_proc_response ? "response" : "none",
            st.bytes_read, st.bytes_total);
}

int main(int argc, char **argv)
{
    int bytes = 0;
    ghttp_request *req;
    ghttp_status req_status;

    if (argc < 2)
        bail("usage: simple-get URI");

    req = ghttp_request_new();
    if (ghttp_set_uri(req, argv[1]) < 0)
        bail("ghttp_set_uri");
    if (ghttp_prepare(req) < 0)
        bail("ghttp_prepare");
    if (ghttp_set_sync(req, ghttp_async) < 0)
        bail("ghttp_set_sync");

    do {
        status(req, "conn0");
        req_status = ghttp_process(req);
        if (req_status == ghttp_error) {
            fprintf(stderr, "ghttp err: %s\n", ghttp_get_error(req));
            return 2;
        }
        /* Count the body bytes buffered so far, then discard them.
         * Commenting out the flush makes the failure go away. */
        if (req_status != ghttp_error && ghttp_get_body_len(req) > 0) {
            bytes += ghttp_get_body_len(req);
            ghttp_flush_response_buffer(req);
        }
    } while (req_status == ghttp_not_done);

    fprintf(stderr, "conn0 received %d bytes\n", bytes);
    ghttp_clean(req);
    return 0;
}

-- System Information
Debian Release: testing/unstable
Architect
Bug#226356: Buffer overflow vulnerability (CAN-2003-0850)
On Mon, Jan 05, 2004 at 06:17:07PM -0800, Matt Zimmerman wrote:
> Package: libnids
> Severity: grave
>
> "The TCP reassembly functionality in libnids before 1.18 allows remote
> attackers to cause "memory corruption" and possibly execute arbitrary code
> via "overlarge TCP packets."
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0850
>
> An update to version 1.18 should be sufficient to correct the problem.
>
> I am copying [EMAIL PROTECTED], since that is the only reverse
> dependency. This package is orphaned and could be removed if this bug is
> not fixed.

I maintain dsniff - and will adopt libnids and upload a more recent
version shortly.

I've retitled #188171 to reflect this, although the control address
seems to be a little bit slow today.

Steve
--
Re: Processed: libxaw-dev is long gone
Hamish Moffatt <[EMAIL PROTECTED]> writes:

> On Tue, Jan 06, 2004 at 03:48:54PM -0600, Debian Bug Tracking System wrote:
>> Processing commands for [EMAIL PROTECTED]:
>>
>> > severity 169969 serious
>> Bug#169969: acfax: Pure virtual build-depends on libxaw-dev
>> Severity set to `serious'.
>>
>> > severity 170006 serious
>> Bug#170006: emacs20: Pure virtual build-depends on libxaw-dev
>> Severity set to `serious'.
>
> Why is a pure virtual build-depends a serious bug?
> Could you please point out the section of policy?
>
>
> We've had this discussion before (in #169969) and you didn't convince
> me.

The problem now is that there isn't any libxaw-dev virtual package at
all any more. I retitled the bugs also, to reflect this fact.

--
Daniel Schepler
[EMAIL PROTECTED]

"Please don't disillusion me. I haven't had breakfast yet."
    -- Orson Scott Card
Re: Processed: libxaw-dev is long gone
On Wed, Jan 07, 2004 at 09:14:54AM +1100, Hamish Moffatt wrote:
> On Tue, Jan 06, 2004 at 03:48:54PM -0600, Debian Bug Tracking System wrote:
> > Processing commands for [EMAIL PROTECTED]:
> >
> > > severity 169969 serious
> > Bug#169969: acfax: Pure virtual build-depends on libxaw-dev
> > Severity set to `serious'.
> >
> > > severity 170006 serious
> > Bug#170006: emacs20: Pure virtual build-depends on libxaw-dev
> > Severity set to `serious'.
>
> Why is a pure virtual build-depends a serious bug?
> Could you please point out the section of policy?

Forget the pure virtual bit - nothing in unstable provides libxaw-dev
any more.

xfree86 (4.2.1-12) unstable; urgency=high

  [...]
  * Kill off libxaw-dev virtual package per discussion on debian-devel
    mailing list.
    - debian/control:
      + libxaw6-dev now conflicts with and replaces libxaw7-dev instead of
        libxaw-dev
      + libxaw6-dev no longer provides libxaw-dev
      + libxaw7-dev now conflicts with and replaces libxaw6-dev instead of
        libxaw-dev
      + libxaw7-dev no longer provides libxaw-dev
  [...]

 -- Branden Robinson <[EMAIL PROTECTED]>  Tue, 30 Sep 2003 15:34:48 -0500

Cheers,

--
Colin Watson [EMAIL PROTECTED]
Re: Processed: libxaw-dev is long gone
On Tue, Jan 06, 2004 at 03:48:54PM -0600, Debian Bug Tracking System wrote:
> Processing commands for [EMAIL PROTECTED]:
>
> > severity 169969 serious
> Bug#169969: acfax: Pure virtual build-depends on libxaw-dev
> Severity set to `serious'.
>
> > severity 170006 serious
> Bug#170006: emacs20: Pure virtual build-depends on libxaw-dev
> Severity set to `serious'.

Why is a pure virtual build-depends a serious bug?
Could you please point out the section of policy?

We've had this discussion before (in #169969) and you didn't convince
me.

Hamish
--
Hamish Moffatt VK3SB <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Processed: libxaw-dev is long gone
Processing commands for [EMAIL PROTECTED]:

> severity 169969 serious
Bug#169969: acfax: Pure virtual build-depends on libxaw-dev
Severity set to `serious'.

> severity 170006 serious
Bug#170006: emacs20: Pure virtual build-depends on libxaw-dev
Severity set to `serious'.

> severity 169975 serious
Bug#169975: gnushogi: Pure virtual build-depends on libxaw-dev
Severity set to `serious'.

> severity 169979 serious
Bug#169979: kdrill: Pure virtual build-depends on libxaw-dev
Severity set to `serious'.

> severity 169981 serious
Bug#169981: pixmap: Pure virtual build-depends on libxaw-dev
Severity set to `serious'.

> severity 170013 serious
Bug#170013: snake4: Pure virtual build-depends on libxaw-dev
Severity set to `serious'.

> severity 17 serious
Bug#17: xpaint: Pure virtual build-depends on libxaw-dev
Severity set to `serious'.

> severity 170005 serious
Bug#170005: xwave: Pure virtual build-depends on libxaw-dev
Severity set to `serious'.

> retitle 169969 acfax: FTBFS: Obsolete Build-Depends on libxaw-dev
Bug#169969: acfax: Pure virtual build-depends on libxaw-dev
Changed Bug title.

> retitle 170006 emacs20: FTBFS: Obsolete Build-Depends on libxaw-dev
Bug#170006: emacs20: Pure virtual build-depends on libxaw-dev
Changed Bug title.

> retitle 169975 gnushogi: FTBFS: Obsolete Build-Depends on libxaw-dev
Bug#169975: gnushogi: Pure virtual build-depends on libxaw-dev
Changed Bug title.

> retitle 169979 kdrill: FTBFS: Obsolete Build-Depends on libxaw-dev
Bug#169979: kdrill: Pure virtual build-depends on libxaw-dev
Changed Bug title.

> retitle 169981 pixmap: FTBFS: Obsolete Build-Depends on libxaw-dev
Bug#169981: pixmap: Pure virtual build-depends on libxaw-dev
Changed Bug title.

> retitle 170013 snake4: FTBFS: Obsolete Build-Depends on libxaw-dev
Bug#170013: snake4: Pure virtual build-depends on libxaw-dev
Changed Bug title.

> retitle 17 xpaint: FTBFS: Obsolete Build-Depends on libxaw-dev
Bug#17: xpaint: Pure virtual build-depends on libxaw-dev
Changed Bug title.

> retitle 170005 xwave: FTBFS: Obsolete Build-Depends on libxaw-dev
Bug#170005: xwave: Pure virtual build-depends on libxaw-dev
Changed Bug title.

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Please remove libming and libming-fonts-openoffice
reassign 166973 ftp.debian.org
reassign 166990 ftp.debian.org
retitle 166973 Please remove libming
retitle 166990 Please remove libming-fonts-openoffice
thanks

libming and libming-fonts-openoffice have been orphaned for over a year;
during that time there appear to have been perhaps a dozen commits to
upstream's CVS repository, and my impression is that it's not
particularly actively maintained there.

libming has no reverse dependencies that I can see other than
libming-fonts-openoffice, and vice versa. libming currently has two
grave bugs, one of which indicates that it needs source changes to make
it work with the current PHP API.

I think these two packages should simply be removed.

Thanks,

--
Colin Watson [EMAIL PROTECTED]
Bug#214149: [Crm114-general] Re: crm114-20040102-1.0-SanityCheck-auto.1.tar.gz
On Tue, Jan 06, 2004 at 02:51:40PM +0100, Pavel Kolar wrote:
> Joost van Baal wrote:
> >I've just built
> >http://mdcc.cx/pub/crm114/crm114-20040102-1.0-SanityCheck-auto.1.tar.gz
> >from Bill's new crm114-20040102-1.0-SanityCheck.src.tar.gz. Available
> >from http://mdcc.cx/crm114/ . No big new changes, except from the ones
> >Bill did.
>
> Please, could you comment on the "auto" situation for Debian?

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=214149 . (Bugreport
list Cc-ed). Of course, crm114_20031129-RC11-1_i386.deb is built from a
not-autoconfiscated upstream source.

> Will you generate also the deb package or the debian rules?

I'd rather first spend my time on finishing proper autoconfiscation.
This will not only benefit Debian package maintainers, but also people
building RPM's and BSD ports. However, building a new .deb from
crm114-20040102-1.0-SanityCheck-auto.1.tar.gz is likely very easy, just
make some minor adaptations to
http://mdcc.cx/pub/crm114/debian/crm114_20031129-RC11-1.diff.gz .

Bye,

Joost
Bug#172886: marked as done (cvsweb: spelling/grammar bug in man page)
Your message dated Mon, 05 Jan 2004 19:02:27 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#172886: fixed in cvsweb 3:2.9.1-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--
From: Johannes Berg <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: cvsweb: spelling/grammar bug in man page
X-Mailer: reportbug 2.9
Date: Wed, 11 Dec 2002 22:23:20 +0100

Package: cvsweb
Version: 3:1.112-4
Severity: minor

The man page says:
"cvsweb is a cgi script that offer [...]"
which should be "offers" instead.

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux johannes 2.4.20-xfs #2 Mon Dec 9 18:45:10 CET 2002 i686
Locale: LANG=en_US, [EMAIL PROTECTED] (ignored: LC_ALL set)

Versions of packages cvsweb depends on:
ii  apache [httpd]  1.3.26-1.1  Versatile, high-performance HTTP s
ii  cvs             1.11.2-5    Concurrent Versions System
ii  perl            5.8.0-14    Larry Wall's Practical Extraction
ii  rcs             5.7-13      The GNU Revision Control System

-- no debconf information

---
From: James Bromberger <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#172886: fixed in cvsweb 3:2.9.1-1
Date: Mon, 05 Jan 2004 19:02:27 -0500

Source: cvsweb
Source-Version: 3:2.9.1-1

We believe that the bug you reported is fixed in the latest version of
cvsweb, which is due to be installed in the Debian FTP archive:

cvsweb_2.9.1-1.diff.gz
  to pool/main/c/cvsweb/cvsweb_2.9.1-1.diff.gz
cvsweb_2.9.1-1.dsc
  to pool/main/c/cvsweb/cvsweb_2.9.1-1.dsc
cvsweb_2.9.1-1_all.deb
  to pool/main/c/cvsweb/cvsweb_2.9.1-1_all.deb
cvsweb_2.9.1.orig.tar.gz
  to pool/main/c/cvsweb/cvsweb_2.9.1.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Bromberger <[EMAIL PROTECTED]> (supplier of updated cvsweb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 5 Jan 2004 23:01:55 +
Source: cvsweb
Binary: cvsweb
Architecture: source all
Version: 3:2.9.1-1
Distribution: unstable
Urgency: low
Maintainer: James Bromberger <[EMAIL PROTECTED]>
Changed-By: James Bromberger <[EMAIL PROTECTED]>
Description:
 cvsweb - a CGI interface to your CVS repository
Closes: 155047 172886
Changes:
 cvsweb (3:2.9.1-1) unstable; urgency=low
 .
   * New upstream release (beta) from FreeBSD fork.
   * New maintainer. Closes: #155047
   * Fix grammer in man page. Closes: #172886
Files:
 868b4e11d617ef30829175de0b2fd17a 590 devel optional cvsweb_2.9.1-1.dsc
 323dce567e2e47f67febeb6cfa3a2714 64258 devel optional cvsweb_2.9.1.orig.tar.gz
 e8a2a7e110
Processed: tag 226241 + patch
Processing commands for [EMAIL PROTECTED]:

> tag 226241 + patch
Bug#226241: libming-dev: mingpp.h can't be compiled
Tags were: sid
Tags added: patch

> --
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Bug#226356: Buffer overflow vulnerability (CAN-2003-0850)
Package: libnids
Severity: grave

"The TCP reassembly functionality in libnids before 1.18 allows remote
attackers to cause "memory corruption" and possibly execute arbitrary code
via "overlarge TCP packets."

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0850

An update to version 1.18 should be sufficient to correct the problem.

I am copying [EMAIL PROTECTED], since that is the only reverse
dependency. This package is orphaned and could be removed if this bug is
not fixed.

-- System Information:
Debian Release: unstable
Architecture: i386
Kernel: Linux mizar 2.4.22-deb5-evms2.1.1-skas3-1 #1 Mon Dec 22 14:08:31 PST 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US

--
 - mdz