[SRM] bzip2 update

2011-12-26 Thread Moritz Mühlenhoff
Hi,
I'd like to fix CVE-2011-4089 for the next point update.
debdiff below.

Cheers,
Moritz

diff -u bzip2-1.0.5/bzexe bzip2-1.0.5/bzexe
--- bzip2-1.0.5/bzexe
+++ bzip2-1.0.5/bzexe
@@ -125,7 +125,7 @@
   umask $umask
   /bin/chmod 700 $tmpfile
   prog=`echo $0 | /bin/sed 's|^.*/||'`
-  if /bin/ln $tmpfile /tmp/$prog 2/dev/null; then
+  if /bin/ln -T $tmpfile /tmp/$prog 2/dev/null; then
 trap '/bin/rm -f $tmpfile /tmp/$prog; exit $res' 0
 (/bin/sleep 5; /bin/rm -f $tmpfile /tmp/$prog) 2/dev/null 
 /tmp/$prog ${1+$@}; res=$?
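
Review bot: On the changed "/bin/ln -T $tmpfile /tmp/$prog" line, the link is still created at the fixed, predictable name /tmp/$prog in a shared directory, and both variables are unquoted. -T only stops ln from treating an existing /tmp/$prog directory as the place to drop the link; the context lines that follow still execute /tmp/$prog and rm -f that same path. Consider creating a private directory (for example with mktemp -d) and linking inside it, and quoting "$tmpfile" and "/tmp/$prog" wherever they are used.
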
diff -u bzip2-1.0.5/debian/changelog bzip2-1.0.5/debian/changelog
--- bzip2-1.0.5/debian/changelog
+++ bzip2-1.0.5/debian/changelog
@@ -1,3 +1,10 @@
+bzip2 (1.0.5-6+squeeze1) stable; urgency=low
+
+  * Non-maintainer upload by the Security Team
+  * Fix CVE-2011-4089, thanks to vladz (Closes: #632862)
+
+ -- Moritz Muehlenhoff j...@debian.org  Mon, 26 Dec 2011 11:39:27 +
+
 bzip2 (1.0.5-6) unstable; urgency=high
 
   * Fix integer overflow 
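
Review bot: The added "Fix CVE-2011-4089" line names only the CVE and does not say what was changed, so a reader of the changelog cannot tell that the fix is the ln -T change in bzexe. Suggest wording along the lines of "bzexe: use ln -T when linking the decompressed program into /tmp (CVE-2011-4089)" so the entry stands on its own.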


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20111226132607.GA10976@pisco.westfalen.local



NEW changes in proposedupdates

2011-12-26 Thread Debian FTP Masters
Processing changes file: linux-2.6_2.6.32-40_amd64.changes
  ACCEPT





NEW changes in oldproposedupdates

2011-12-26 Thread Debian FTP Masters
Processing changes file: asterisk_1.4.21.2~dfsg-3+lenny6_amd64.changes
  ACCEPT
Processing changes file: asterisk_1.4.21.2~dfsg-3+lenny6_alpha.changes
  ACCEPT
Processing changes file: asterisk_1.4.21.2~dfsg-3+lenny6_arm.changes
  ACCEPT
Processing changes file: asterisk_1.4.21.2~dfsg-3+lenny6_armel.changes
  ACCEPT
Processing changes file: asterisk_1.4.21.2~dfsg-3+lenny6_hppa.changes
  ACCEPT
Processing changes file: asterisk_1.4.21.2~dfsg-3+lenny6_i386.changes
  ACCEPT
Processing changes file: asterisk_1.4.21.2~dfsg-3+lenny6_ia64.changes
  ACCEPT
Processing changes file: asterisk_1.4.21.2~dfsg-3+lenny6_mips.changes
  ACCEPT
Processing changes file: asterisk_1.4.21.2~dfsg-3+lenny6_mipsel.changes
  ACCEPT
Processing changes file: asterisk_1.4.21.2~dfsg-3+lenny6_powerpc.changes
  ACCEPT
Processing changes file: asterisk_1.4.21.2~dfsg-3+lenny6_s390.changes
  ACCEPT
Processing changes file: asterisk_1.4.21.2~dfsg-3+lenny6_sparc.changes
  ACCEPT





Re: Bug#653053: ldap2zone: Sending email every hour fill up the mail spool

2011-12-26 Thread Adam D. Barratt

On 25.12.2011 09:16, Petter Reinholdtsen wrote:
A fix in ldap2zone has been implemented in unstable, where printing to
stdout has been replaced with logging to syslog.  I would very much like
to have the same change in Squeeze, and thus ask for permission from the
release managers before uploading to proposed-updates.  What version
number do you recommend to use for this version?


current stable+squeeze1 would be conventional, where there's no 
current +squeezeX in stable.



+  * Backport fix from 2.2-2: Made script log using logger by a
+patch contributed by Petter Reinholdtsen (Closes: #653053).

[...]

diff -u
ldap2zone-0.1/debian/patches/05_correct_bashisms_ldap2bind.dpatch
ldap2zone-0.1/debian/patches/05_correct_bashisms_ldap2bind.dpatch
--- ldap2zone-0.1/debian/patches/05_correct_bashisms_ldap2bind.dpatch
+++ ldap2zone-0.1/debian/patches/05_correct_bashisms_ldap2bind.dpatch


What does the proposed change have to do with fixing bashisms?


@@ -27,7 +27,7 @@
if [ $? -ne 0 ]; then
 -  echo -e Reloading the zone '$domain' failed:\n$result 12
-+  printf Reloading the zone '$domain' failed: $result\n 12
++		logger -t ldap2bind Reloading the zone '$domain' failed: 
$result\n 12

 +  else
-+  printf Reloading the zone '$domain' was successful\n 12
++		logger -t ldap2bind Reloading the zone '$domain' was 
successful\n 12

fi
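
Review bot: In the two added "logger -t ldap2bind" lines, the "\n" carried over from the printf versions should be dropped, since logger writes its arguments as a single message and does not expand escape sequences. The failure and success messages are also logged identically; giving the failure line an error priority (for example logger -p daemon.err -t ldap2bind ...) would keep failures distinguishable in syslog while the success message stays routine.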


I have to admit that my first thought here was much the same as 
Julien's - if the problem is that mail is being sent on the successful 
completion of a job which is expected to succeed, why is a change also 
being made to the failure path?


Regards,

Adam





Bug#653195: transition: libarchive

2011-12-26 Thread Andres Mejia
On Sun, Dec 25, 2011 at 5:09 PM, Niels Thykier ni...@thykier.net wrote:
 On Dec 25, 2011 19:42 Andres Mejia mcita...@gmail.com wrote:

 I have finished checking what changes were required for gmameui,
 tuxcmd-modules, and deb-gview in order to build with both the current
 version of libarchive (2.8.5) and the latest version (3.0.2).
 Fortunately, all changes required are trivial. I filed bug reports and
 patches in the following locations.

 gmameui: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653231
 tuxcmd-modules:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653233
 deb-gview: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653237

 As said before, all other packages simply need to be binNMUed. The
 package 'hydrogen' requires a sourceful upload for a separate issue.

 With all this said, I am requesting a transition slot for the
 transition from libarchive 2.8.5 to libarchive 3.0.2.





 Hi,

 Thanks for rebuild testing the packages.

 I have set up a tracker for the libarchive transition at [1], please confirm 
 it matches your expectations.

Yes, this is what I expect.

 In regards to timing, we will have to wait until the evolution3.2 transition 
 is over[2].  We will get back to you when it is done.

Very well.

 ~Niels

 [1] http://release.debian.org/transitions/html/libarchive.html

 [2] http://release.debian.org/transitions/html/evolution3.2.html




-- 
Regards,
Andres Mejia






Re: [SRM] bzip2 update

2011-12-26 Thread Adam D. Barratt

On 26.12.2011 13:26, Moritz Mühlenhoff wrote:

I'd like to fix CVE-2011-4089 for the next point update.

[...]

+bzip2 (1.0.5-6+squeeze1) stable; urgency=low
+
+  * Non-maintainer upload by the Security Team
+  * Fix CVE-2011-4089, thanks to vladz (Closes: #632862)
+
+ -- Moritz Muehlenhoff j...@debian.org  Mon, 26 Dec 2011 11:39:27 
+


Please go ahead; thanks.

Regards,

Adam





Re: [SRM] bzip2 update

2011-12-26 Thread Moritz Mühlenhoff
On Mon, Dec 26, 2011 at 03:38:07PM +, Adam D. Barratt wrote:
 On 26.12.2011 13:26, Moritz Mühlenhoff wrote:
 I'd like to fix CVE-2011-4089 for the next point update.
 [...]
 +bzip2 (1.0.5-6+squeeze1) stable; urgency=low
 +
 +  * Non-maintainer upload by the Security Team
 +  * Fix CVE-2011-4089, thanks to vladz (Closes: #632862)
 +
 + -- Moritz Muehlenhoff j...@debian.org  Mon, 26 Dec 2011
 11:39:27 +
 
 Please go ahead; thanks.

Uploaded.

Cheers,
Moritz





Bug#652107: pu: package libpar-packer-perl/1.006-1 and libpar-perl/1.000-1

2011-12-26 Thread Salvatore Bonaccorso
Hi Adam

On Sun, Dec 18, 2011 at 11:12:46PM +0100, Salvatore Bonaccorso wrote:
 Hey Adam
 
 On Sun, Dec 18, 2011 at 02:50:49PM +, Adam D. Barratt wrote:
  tag 652107 + squeeze moreinfo
  thanks
  
  On Wed, 2011-12-14 at 22:12 +0100, Salvatore Bonaccorso wrote:
   libpar-packer-perl 1.006-1 and libpar-perl 1.000-1 in Squeeze are
   affected by CVE-2011-4114: PAR packed files are extracted to unsafe
   and predictable temporary directories.
  [...]
   The debdiffs I would propose are attached. I have one further
   question, would you accept addition of these patches (adapted) [3] and
   [4]?
   
[3] 
   http://search.cpan.org/diff?from=PAR-Packer-1.011to=PAR-Packer-1.012w=1
[4] http://search.cpan.org/diff?from=PAR-1.004to=PAR-1.005w=1
  
  Yes, those patches should be okay to include.  I'd like to see final
  debdiffs before giving a final ACK though.
 
 Sure, please find both attached. In case you would like to have
 something changed, I will do.
 
  It wasn't entirely clear from your mail, but have the packages with the
  patches applied been tested on squeeze?
 
 Yes, now I tested the packages on Squeeze. The build already contains
 some tests, which all pass, furthermore I did some testing with a par
 file, and the pp utility. They behave now detecting unsafe directory
 in /tmp if I create these manually with unsafe permissions.

ping :)

I wonder if the two debdiffs are okay for inclusion for the next point
release of Squeeze?

Best regards,
Salvatore




NEW changes in proposedupdates

2011-12-26 Thread Debian FTP Masters
Processing changes file: inetutils_1.6-3.1+squeeze1_amd64.changes
  ACCEPT
Processing changes file: inetutils_1.6-3.1+squeeze1_armel.changes
  ACCEPT
Processing changes file: inetutils_1.6-3.1+squeeze1_i386.changes
  ACCEPT
Processing changes file: inetutils_1.6-3.1+squeeze1_ia64.changes
  ACCEPT
Processing changes file: inetutils_1.6-3.1+squeeze1_kfreebsd-amd64.changes
  ACCEPT
Processing changes file: inetutils_1.6-3.1+squeeze1_kfreebsd-i386.changes
  ACCEPT
Processing changes file: inetutils_1.6-3.1+squeeze1_mips.changes
  ACCEPT
Processing changes file: inetutils_1.6-3.1+squeeze1_mipsel.changes
  ACCEPT
Processing changes file: inetutils_1.6-3.1+squeeze1_powerpc.changes
  ACCEPT
Processing changes file: inetutils_1.6-3.1+squeeze1_s390.changes
  ACCEPT
Processing changes file: inetutils_1.6-3.1+squeeze1_sparc.changes
  ACCEPT
Processing changes file: openswan_2.6.28+dfsg-5+squeeze1_amd64.changes
  ACCEPT
Processing changes file: openswan_2.6.28+dfsg-5+squeeze1_armel.changes
  ACCEPT
Processing changes file: openswan_2.6.28+dfsg-5+squeeze1_i386.changes
  ACCEPT
Processing changes file: openswan_2.6.28+dfsg-5+squeeze1_ia64.changes
  ACCEPT
Processing changes file: openswan_2.6.28+dfsg-5+squeeze1_mips.changes
  ACCEPT
Processing changes file: openswan_2.6.28+dfsg-5+squeeze1_mipsel.changes
  ACCEPT
Processing changes file: openswan_2.6.28+dfsg-5+squeeze1_powerpc.changes
  ACCEPT
Processing changes file: openswan_2.6.28+dfsg-5+squeeze1_s390.changes
  ACCEPT
Processing changes file: openswan_2.6.28+dfsg-5+squeeze1_sparc.changes
  ACCEPT





Bug#650840: marked as done (transition: zita-convolver)

2011-12-26 Thread Debian Bug Tracking System
Your message dated Mon, 26 Dec 2011 23:17:56 +0100 (CET)
with message-id 20111226221756.a261522...@thykier.net
and subject line Re: transition: zita-convolver
has caused the Debian Bug report #650840,
regarding transition: zita-convolver
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
650840: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650840
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi!

The new upstream release 3.0.3 of the package zita-convolver has been sitting in
experimental for many weeks and now I feel comfortable to state it's ready
to join Debian unstable.

Few packages would be affected by this small transition:

 ir.lv2
 jconvolver
 guitarix

Thanks in advance for any reply.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


---End Message---
---BeginMessage---

Done with the last britney run.  :)

Thanks for your cooperation,
~Niels


---End Message---


Bug#652107: pu: package libpar-packer-perl/1.006-1 and libpar-perl/1.000-1

2011-12-26 Thread Adam D. Barratt

tag 652107 - moreinfo + confirmed
thanks

On 18.12.2011 22:12, Salvatore Bonaccorso wrote:

Hey Adam

On Sun, Dec 18, 2011 at 02:50:49PM +, Adam D. Barratt wrote:

tag 652107 + squeeze moreinfo
thanks

On Wed, 2011-12-14 at 22:12 +0100, Salvatore Bonaccorso wrote:
 libpar-packer-perl 1.006-1 and libpar-perl 1.000-1 in Squeeze are
 affected by CVE-2011-4114: PAR packed files are extracted to unsafe
 and predictable temporary directories.

[...]
It wasn't entirely clear from your mail, but have the packages with the
patches applied been tested on squeeze?


Yes, now I tested the packages on Squeeze. The build already contains
some tests, which all pass, furthermore I did some testing with a par
file, and the pp utility. They behave now detecting unsafe directory
in /tmp if I create these manually with unsafe permissions.


Please go ahead; sorry for the delay.

Regards,

Adam






Processed: Re: Bug#652107: pu: package libpar-packer-perl/1.006-1 and libpar-perl/1.000-1

2011-12-26 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

 tag 652107 - moreinfo + confirmed
Bug #652107 [release.debian.org] pu: package libpar-packer-perl/1.006-1 and 
libpar-perl/1.000-1
Removed tag(s) moreinfo.
Bug #652107 [release.debian.org] pu: package libpar-packer-perl/1.006-1 and 
libpar-perl/1.000-1
Added tag(s) confirmed.
 thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
652107: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652107
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Re: [SRM] bzip2 update

2011-12-26 Thread Adam D. Barratt

On 26.12.2011 15:50, Moritz Mühlenhoff wrote:

On Mon, Dec 26, 2011 at 03:38:07PM +, Adam D. Barratt wrote:

On 26.12.2011 13:26, Moritz Mühlenhoff wrote:
I'd like to fix CVE-2011-4089 for the next point update.
[...]
+bzip2 (1.0.5-6+squeeze1) stable; urgency=low
+
+  * Non-maintainer upload by the Security Team
+  * Fix CVE-2011-4089, thanks to vladz (Closes: #632862)
+
+ -- Moritz Muehlenhoff j...@debian.org  Mon, 26 Dec 2011
11:39:27 +

Please go ahead; thanks.


Uploaded.


Flagged for acceptance at the next dinstall; thanks.

Regards,

Adam





NEW changes in proposedupdates

2011-12-26 Thread Debian FTP Masters
Processing changes file: bzip2_1.0.5-6+squeeze1_amd64.changes
  ACCEPT
Processing changes file: krb5-appl_1.0.1-1.2_amd64.changes
  ACCEPT
Processing changes file: krb5-appl_1.0.1-1.2_armel.changes
  ACCEPT
Processing changes file: krb5-appl_1.0.1-1.2_i386.changes
  ACCEPT
Processing changes file: krb5-appl_1.0.1-1.2_ia64.changes
  ACCEPT
Processing changes file: krb5-appl_1.0.1-1.2_kfreebsd-amd64.changes
  ACCEPT
Processing changes file: krb5-appl_1.0.1-1.2_kfreebsd-i386.changes
  ACCEPT
Processing changes file: krb5-appl_1.0.1-1.2_mips.changes
  ACCEPT
Processing changes file: krb5-appl_1.0.1-1.2_mipsel.changes
  ACCEPT
Processing changes file: krb5-appl_1.0.1-1.2_powerpc.changes
  ACCEPT
Processing changes file: krb5-appl_1.0.1-1.2_s390.changes
  ACCEPT
Processing changes file: krb5-appl_1.0.1-1.2_sparc.changes
  ACCEPT





Boost defaults change (1.46.1 -- 1.48)

2011-12-26 Thread Steve M. Robbins
Hello,

The latest Boost (1.48) is now in testing, and I'd like to switch the
defaults.  My first plan was to simply announce the switch then make
it.  I did so and got an immediate email from the release team
asking to revert the default change, which I did.


On Tue, Dec 20, 2011 at 08:00:15PM -0600, Steve M. Robbins wrote:
 On Mon, Dec 19, 2011 at 10:33:26PM +0100, Julien Cristau wrote:

  I heard of at least two failures in the last couple of hours:
  libreoffice (#652681), and wesnoth (#652677).  As such, I'd appreciate
  if you could:
  - revert boost-defaults to 1.46 for the time being
 
 Done.
 
  - test-build at least the most prominent reverse deps against 1.48
before bumping it again
  - contact debian-release before that bump, so we can coordinate a timing
that doesn't suck with regards to other ongoing transitions.

Now I'd like to coordinate a time for the change.  

I'd like to point out that any resulting build failures are quite easy
to fix: either
 (a) contact package upstream for boost 1.48 changes; or 
 (b) change the build-dependency from libboostfoo-dev to libboostfoo1.46-dev.

It would be quite helpful to do a rebuild of the 237 boost reverse
dependencies.  Lucas Nussbaum seems to be able to do this: can you run
a rebuild with updated boost-defaults?

Thanks,
-Steve




Bug#652107: pu: package libpar-packer-perl/1.006-1 and libpar-perl/1.000-1

2011-12-26 Thread Salvatore Bonaccorso
On Mon, Dec 26, 2011 at 10:36:52PM +, Adam D. Barratt wrote:
 tag 652107 - moreinfo + confirmed
 thanks
 
 On 18.12.2011 22:12, Salvatore Bonaccorso wrote:
 Hey Adam
 
 On Sun, Dec 18, 2011 at 02:50:49PM +, Adam D. Barratt wrote:
 tag 652107 + squeeze moreinfo
 thanks
 
 On Wed, 2011-12-14 at 22:12 +0100, Salvatore Bonaccorso wrote:
  libpar-packer-perl 1.006-1 and libpar-perl 1.000-1 in Squeeze are
  affected by CVE-2011-4114: PAR packed files are extracted to unsafe
  and predictable temporary directories.
 [...]
 It wasn't entirely clear from your mail, but have the packages with the
 patches applied been tested on squeeze?
 
 Yes, now I tested the packages on Squeeze. The build already contains
 some tests, which all pass, furthermore I did some testing with a par
 file, and the pp utility. They behave now detecting unsafe directory
 in /tmp if I create these manually with unsafe permissions.
 
 Please go ahead; sorry for the delay.

No problem, I just wondered. Thanks Adam; I just uploaded the two.

Regards
Salvatore

