Bug#697831: unblock: eglibc/2.13-38
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package eglibc, whose changes were discussed on IRC with adsb a while ago, and has now been uploaded. Debdiff attached, but a quick step through the changelog:

  [ Adam Conrad ]
  * debian/patches/arm/cvs-ldconfig-cache-abi.diff: Backport upstream
    patch to re-enable ldconfig cache tagging for armhf binaries again.
  * debian/patches/arm/unsubmitted-ldconfig-cache-abi.diff: Re-enable
    and adjust to account for changes in cvs-ldconfig-cache-abi.diff.
  * debian/debhelper.in/libc.preinst: Remove old ld.so.cache on upgrade.

The above changes are needed to make multiarch between armel and armhf work properly. They were previously included in eglibc, then temporarily reverted when an upstream conflict occurred, and now reintroduced with the upstream versions of the patches. Well-tested in both previous Debian revisions and in several Ubuntu releases.

  * debian/control.in/amd64: Move libc6-amd64 from standard to optional.

Just making control match the archive.

  [ Jonathan Nieder ]
  * control.in/opt: correct misspelling of "Ezra" in descriptions of
    *-i686 variants. Thanks to Thorsten Glaser.

Typo fix.

  * patches/any/local-tst-eintr1-eagain.diff: new patch to work around
    a race that lets pthread_create hit resource limits when the kernel
    takes too long to clean up after joined threads. (closes: #673596)

Testsuite fix, doesn't affect any runtime code.

  [ Samuel Thibault ]
  * patches/any/local-fhs-linux-paths.diff: Patch vardb path on !linux too.
  * Add patches/hurd-i386/libpthread_hurd_cond_wait.diff: New patch to add
    support for translators with pthread.
  * Add patches/hurd-i386/submitted-fork_port_leak.diff: New patch to fix port
    leak on fork.
  * libc0.3.symbols.hurd-i386: Add libpthread.so.0.3 symbols.
  * Add patches/hurd-i386/tg-hurdsig-boot-fix.diff to fix
    sigstate_is_global_rcv at boot in libpthread-based translators.
  * patches/hurd-i386/tg-hurdsig-global-dispositions.diff: Update with Thomas'
    fork deadlock fix.
  * patches/hurd-i386/unsubmitted-single-hurdselect-timeout.diff: Temporarily
    fix double select timeout on single fd.
  * patches/hurd-i386/unsubmitted-setitimer_fix.diff: Fix Hurd implementation
    of setitimer.

And the above are all hurd fixes which don't impact any other arches and IMO should be accepted on the "well, it can't make hurd any more broken" principle. :P

unblock eglibc/2.13-38

-- System Information:
Debian Release: wheezy/sid
  APT prefers raring-updates
  APT policy: (500, 'raring-updates'), (500, 'raring-security'), (500, 'raring')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.7.0-7-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -u eglibc-2.13/debian/changelog eglibc-2.13/debian/changelog
--- eglibc-2.13/debian/changelog
+++ eglibc-2.13/debian/changelog
@@ -1,3 +1,38 @@ +eglibc (2.13-38) unstable; urgency=low + + [ Adam Conrad ] + * debian/patches/arm/cvs-ldconfig-cache-abi.diff: Backport upstream +patch to re-enable ldconfig cache tagging for armhf binaries again. + * debian/patches/arm/unsubmitted-ldconfig-cache-abi.diff: Re-enable +and adjust to account for changes in cvs-ldconfig-cache-abi.diff. + * debian/debhelper.in/libc.preinst: Remove old ld.so.cache on upgrade. + * debian/control.in/amd64: Move libc6-amd64 from standard to optional. + + [ Jonathan Nieder ] + * control.in/opt: correct misspelling of "Ezra" in descriptions of +*-i686 variants. Thanks to Thorsten Glaser. + * patches/any/local-tst-eintr1-eagain.diff: new patch to work around +a race that lets pthread_create hit resource limits when the kernel +takes too long to clean up after joined threads. (closes: #673596) + + [ Samuel Thibault ] + * patches/any/local-fhs-linux-paths.diff: Patch vardb path on !linux too. + * Add patches/hurd-i386/libpthread_hurd_cond_wait.diff: New patch to add +support for translators with pthread. + * Add patches/hurd-i386/submitted-fork_port_leak.diff: New patch to fix port +leak on fork. + * libc0.3.symbols.hurd-i386: Add libpthread.so.0.3 symbols. + * Add patches/hurd-i386/tg-hurdsig-boot-fix.diff to fix +sigstate_is_global_rcv at boot in libpthread-based translators. + * patches/hurd-i386/tg-hurdsig-global-dispositions.diff: Update with Thomas' +fork deadlock fix. + * patches/hurd-i386/unsubmitted-single-hurdselect-timeout.diff: Temporarily +fix double select timeout on single fd. + * patches/hurd-i386/unsubmitted-setitimer_fix.diff: Fix Hurd implementation +of setitimer. + + -- Adam Conrad Sun, 30 Dec 2012 06:06:32 -0700 + eglibc (2.13-37) unstable; urgency=low [ Aurelien Jarno ] diff -u eglibc-2.13/debian/control eglibc-2.13/debian/control --- eglibc-2.13/debian/control +++ eglibc-2.13/de
Re: emacsen-common 2.0.4 - acceptable for wheezy?
"Adam D. Barratt" writes:

> Thanks for the review. Rob - please feel free to go ahead.

emacsen-common 2.0.5 has been uploaded to unstable. Please let me know if you have any trouble.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
Bug#686547: unblock: calibre/0.8.64+dfsg-1
Hi,

(Christian, I came across this while looking for RC bugs as part of my T&S.)

On Wed, Dec 19, 2012 at 07:40:04PM +, Adam D. Barratt wrote:
> On Wed, 2012-10-31 at 16:34 +0100, intrigeri wrote:
> > Julien Cristau wrote (30 Sep 2012 13:10:55 GMT) :
> > > 3) upload to tpu a fix for whatever issues are serious enough, not just
> > > #653328.
> > 
> > Apart of #653328, only bugs of severity normal or minor were fixed
> > since 0.8.51+dfsg-1.
> > 
> > However, the fixes for #678686 (typo in package description) and
> > #674838 (fonts-liberation path changed and the symbolic link is
> > broken) look trivial, harmless, and useful enough to be worth
> > including in Wheezy at this point.
> > 
> > => Julien's third alternative makes sense to me.
> 
> Anyone any interest in preparing a t-p-u for that?

I've prepared a t-p-u candidate with all the above, based on Arno's previous t-p-u candidate. I just pulled in the fixes for #678686 and #674838 as applied by Martin in later versions of the package. Everything's available on http://www.sk2.org/calibre/ with the dsc at http://www.sk2.org/calibre/calibre_0.8.51+dfsg+wheezy1-1.1.dsc - I'm not (yet) a DD so I'd need a sponsor (Christian?) if the release team are OK with the package.

The changelog is as follows:

calibre (0.8.51+dfsg+wheezy1-1.1) testing-proposed-updates; urgency=low

  * Non-maintainer upload.

  [ Arno Töll ]
  * Remove quick_start.epub from the tarball, do not install said file to the
    calibre binary package. See #653328 for background. Upstream version
    0.8.64 includes this file with a changed license again, so no change is
    needed with respect to Debian. (Closes: #653328)

  [ Martin Pitt ]
  * debian/control: Fix "upports" typo. (Closes: #678686)
  * debian/control, debian/rules: ttf-liberation is no more, move to
    fonts-liberation. Thanks to Kan-Ru Chen!
(Closes: #674838) -- Stephen Kitt Wed, 09 Jan 2013 08:12:30 +0100 The debdiff against the package in testing is as follows: diff -Nru calibre-0.8.51+dfsg/debian/calibre.README.Debian calibre-0.8.51+dfsg+wheezy1/debian/calibre.README.Debian --- calibre-0.8.51+dfsg/debian/calibre.README.Debian2012-05-14 12:13:47.0 +0200 +++ calibre-0.8.51+dfsg+wheezy1/debian/calibre.README.Debian2013-01-09 23:25:50.0 +0100 @@ -4,7 +4,7 @@ Customizing LRF fonts - By default, the calibre package maps the LRF standard fonts to the the -free Liberation fonts (package ttf-liberation): +free Liberation fonts (package fonts-liberation): Swis721 BT Roman -> LiberationSans-Regular.ttf Dutch801 Rm BT Roman -> LiberationSerif-Regular.ttf diff -Nru calibre-0.8.51+dfsg/debian/changelog calibre-0.8.51+dfsg+wheezy1/debian/changelog --- calibre-0.8.51+dfsg/debian/changelog2012-05-14 12:13:47.0 +0200 +++ calibre-0.8.51+dfsg+wheezy1/debian/changelog2013-01-09 08:13:42.0 +0100 @@ -1,3 +1,20 @@ +calibre (0.8.51+dfsg+wheezy1-1.1) testing-proposed-updates; urgency=low + + * Non-maintainer upload. + + [ Arno Töll ] + * Remove quick_start.epub from the tarball, do not install said file to the +calibre binary package. See #653328 for background. Upstream version +0.8.64 includes this file with a changed license again, so no change is +needed with respect to Debian. (Closes: #653328) + + [ Martin Pitt ] + * debian/control: Fix "upports" typo. (Closes: #678686) + * debian/control, debian/rules: ttf-liberation is no more, move to +fonts-liberation. Thanks to Kan-Ru Chen! (Closes: #674838) + + -- Stephen Kitt Wed, 09 Jan 2013 08:12:30 +0100 + calibre (0.8.51+dfsg-1) unstable; urgency=low * New upstream release. diff -Nru calibre-0.8.51+dfsg/debian/control calibre-0.8.51+dfsg+wheezy1/debian/control --- calibre-0.8.51+dfsg/debian/control 2012-05-14 12:13:47.0 +0200 +++ calibre-0.8.51+dfsg+wheezy1/debian/control 2013-01-09 08:11:24.0 +0100 
@@ -57,7 +57,7 @@ xdg-utils, imagemagick, poppler-utils, - ttf-liberation, + fonts-liberation, calibre-bin (>= ${source:Version}), ${misc:Depends} Recommends: python-dnspython @@ -107,7 +107,7 @@ Calibre is primarily an e-book cataloging program. It manages your e-book collection for you. It is designed around the concept of the logical book, i.e. a single entry in the database that may correspond to e-books in several - formats. It also upports conversion from a dozen different e-book formats to + formats. It also supports conversion from a dozen different e-book formats to LRF and EPUB. A graphical interface to the conversion software can be accessed easily by just clicking the "Convert E-books" button. . diff -Nru calibre-0.8.51+dfsg/debian/rules calibre-0.8.51+dfsg+wheezy1/debian/rules --- calibre-0.8.51+dfsg/debian/rules2012-05-14 12:13:47.0 +0200 +++ calibre-0.8.51+dfsg+wheezy1/debian/rules2013-01-09 08:11:56.0 +0100 @@ -42,9 +42,9 @@ # remove hardcoded prs500 fonts, so that
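Review bot: the README.Debian hunk leaves the doubled word in its unchanged context line " By default, the calibre package maps the LRF standard fonts to the the" while rewriting the line directly below it; since this t-p-u upload already touches that paragraph for the ttf-liberation to fonts-liberation rename, the "the the" typo could be fixed in the same change at no extra review cost.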
Bug#697812: marked as done (unblock: ruby-activerecord-3.2/3.2.6-4)
Your message dated Wed, 09 Jan 2013 22:09:11 +
with message-id <1357769351.21796.3.ca...@jacala.jungle.funky-badger.org>
and subject line Re: Bug#697812: unblock: ruby-activerecord-3.2/3.2.6-4
has caused the Debian Bug report #697812,
regarding unblock: ruby-activerecord-3.2/3.2.6-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
697812: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697812
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock packages ruby-activerecord-3.2 and ruby-actionpack-3.2. The new versions uploaded to unstable fix CVE-2013-0155. Since the fix is spread across those two packages, I think they should be handled together, and that's why I am filing a single unblock request for both packages. The debdiffs against the packages in testing are attached. You will notice a build-dependency bump change, but that's in debian/control.in, not debian/control, so it's harmless.
unblock ruby-activerecord-3.2/3.2.6-4 unblock ruby-actionpack-3.2/3.2.6-5 TIA, -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Antonio Terceiro diff -Nru ruby-activerecord-3.2-3.2.6/debian/changelog ruby-activerecord-3.2-3.2.6/debian/changelog --- ruby-activerecord-3.2-3.2.6/debian/changelog 2013-01-03 11:21:21.0 -0300 +++ ruby-activerecord-3.2-3.2.6/debian/changelog 2013-01-09 18:22:50.0 -0300 @@ -1,3 +1,10 @@ +ruby-activerecord-3.2 (3.2.6-4) unstable; urgency=high + + * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk +[CVE-2013-0155] (Closes: #697744). + + -- Antonio Terceiro Wed, 09 Jan 2013 18:18:07 -0300 + ruby-activerecord-3.2 (3.2.6-3) unstable; urgency=high * debian/patches/3-2-dynamic_finder_injection.patch: fix SQL injection diff -Nru ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch --- ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch 1969-12-31 21:00:00.0 -0300 +++ ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch 2013-01-09 18:25:01.0 -0300 
@@ -0,0 +1,25 @@ +From b7d666e95aee11e441908278425d16deef87cefb Mon Sep 17 00:00:00 2001 +From: Aaron Patterson +Date: Fri, 4 Jan 2013 12:02:22 -0800 +Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts. + [CVE-2013-0155] * dealing with empty hashes. Thanks + Damien Mathieu + +diff --git a/lib/active_record/relation/predicate_builder.rb b/lib/active_record/relation/predicate_builder.rb +index 6b118b4..b31fdfd 100644 +--- a/lib/active_record/relation/predicate_builder.rb b/lib/active_record/relation/predicate_builder.rb +@@ -6,7 +6,12 @@ module ActiveRecord + + if allow_table_name && value.is_a?(Hash) + table = Arel::Table.new(column, engine) +- build_from_hash(engine, value, table, false) ++ ++ if value.empty? ++'1 = 2' ++ else ++build_from_hash(engine, value, table, false) ++ end + else + column = column.to_s + diff -Nru ruby-activerecord-3.2-3.2.6/debian/patches/series ruby-activerecord-3.2-3.2.6/debian/patches/series --- ruby-activerecord-3.2-3.2.6/debian/patches/series 2013-01-03 11:04:55.0 -0300 +++ ruby-activerecord-3.2-3.2.6/debian/patches/series 2013-01-09 18:17:11.0 -0300 @@ -1,2 +1,3 @@ Remove_rubygems_dependency.patch 3-2-dynamic_finder_injection.patch +CVE-2013-0155.patch diff -Nru ruby-actionpack-3.2-3.2.6/debian/changelog ruby-actionpack-3.2-3.2.6/debian/changelog --- ruby-actionpack-3.2-3.2.6/debian/changelog 2012-08-10 13:33:44.0 -0300 +++ ruby-actionpack-3.2-3.2.6/debian/changelog 2013-01-09 18:27:16.0 -0300 @@ -1,3 +1,10 @@ +ruby-actionpack-3.2 (3.2.6-5) unstable; urgency=high + + * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk +[CVE-2013-0155] (Closes: #697802) + + -- Antonio Terceiro Wed, 09 Jan 2013 18:25:45 -0300 + ruby-actionpack-3.2 (3.2.6-4) unstable; urgency=high * Add patches for security problems (Closes: #684454): diff -Nru ruby-actionpack-3.2-3.2.6/debian/control.in ruby-actionpack-3.2-3.2.6/debian/control.in --- ruby-actionpack-3.2-3.2.6/debian/control.in 2012-06-16 21:
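Review bot: in the predicate_builder.rb hunk the new `value.empty?` branch returns the raw SQL string '1 = 2', while the other branch returns whatever build_from_hash builds from the Arel table; the patch carries no comment saying that an always-false predicate is the deliberate result for an empty nested hash. A one-line comment above `if value.empty?` (or a sentence in the changelog entry, which only says "fix Unsafe Query Generation Risk") would stop a later cleanup from folding the branch back into the single build_from_hash call the patch replaces.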
Re: Bug#697025: gstreamer0.10: please re-upload built against GLib 2.32
On 09.01.2013 22:29, Simon McVittie wrote:
> On 01/01/13 13:26, Julien Cristau wrote:
>> On Sun, Dec 30, 2012 at 23:28:13 +, Simon McVittie wrote:
>>> I've only tested this fairly trivially (totem still plays
>>> videos); I'll do some more testing before uploading if it becomes
>>> necessary, but it'd be better if a maintainer could do proper
>>> testing and a MU.
> 
> Any maintainer opinions on this?
> 
>> This seems to be missing a way to ensure plugins get a dependency
>> on the rebuilt libgstreamer0.10-0 (or whatever else is needed to
>> prevent the combination of a gstreamer and plugin that disagree on
>> the size of structs)?
> 
> As far as I can work out, bumping libgstreamer0.10-0's shlibs would only
> help to achieve this if we additionally NMU a bunch of packages to
> rebuild them against the new libgstreamer0.10-0 so they get a
> dependency. Some of them are multiarch and would thus need a sourceful
> upload (gst-plugins-*0.10, *farstream*, etc.) so that doesn't seem
> ideal; most of the affected packages have the new ABI already.

How many would need a sourceful upload?

> One alternative would be for libgstreamer0.10-0 to have versioned Breaks
> on those packages, which would reduce the number of uploads considerably.
> 
> Another alternative would be to add Breaks to libglib2.0-0 and rely on
> the fact that a newly-built libgstreamer0.10-0 already picks up
> Depends: libglib2.0-0 (>> squeeze's), and so squeeze-to-wheezy partial
> upgrades that pull in the new libgstreamer0.10-0 also pull in the new
> libglib2.0-0, which forces the other affected packages to be upgraded
> or removed.

I've just dropped a bunch of Breaks from libglib2.0-0 since that broke the dist-upgrade of a default GNOME installation. [1] I'm worried that adding new Breaks to libglib2.0-0 might bring back those problems.
Michael

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676485

-- 
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
Bug#697796: marked as done (unblock: ruby-activesupport-2.3/2.3.14-5)
Your message dated Wed, 09 Jan 2013 21:47:07 +
with message-id <1357768027.21796.2.ca...@jacala.jungle.funky-badger.org>
and subject line Re: Bug#697796: unblock: ruby-activesupport-2.3/2.3.14-5
has caused the Debian Bug report #697796,
regarding unblock: ruby-activesupport-2.3/2.3.14-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
697796: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697796
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ruby-activesupport-2.3

This version adds a fix for vulnerabilities in parameter parsing [CVE-2013-0156] (Closes: #697789). The debdiff against the package in testing is attached.

unblock ruby-activesupport-2.3/2.3.14-5

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro

diff -Nru ruby-activesupport-2.3-2.3.14/debian/changelog ruby-activesupport-2.3-2.3.14/debian/changelog
--- ruby-activesupport-2.3-2.3.14/debian/changelog 2012-06-29 14:33:46.0 -0300
+++ ruby-activesupport-2.3-2.3.14/debian/changelog 2013-01-09 16:35:41.0 -0300
@@ -1,3 +1,11 @@ +ruby-activesupport-2.3 (2.3.14-5) unstable; urgency=high + + * Team upload. + * Add fix for vulnerabilities in parameter parsing [CVE-2013-0156]. +Closes: #697789 + + -- Antonio Terceiro Wed, 09 Jan 2013 16:34:24 -0300 + ruby-activesupport-2.3 (2.3.14-4) unstable; urgency=low * Team upload. diff -Nru ruby-activesupport-2.3-2.3.14/debian/control ruby-activesupport-2.3-2.3.14/debian/control --- ruby-activesupport-2.3-2.3.14/debian/control 2012-06-29 14:34:34.0 -0300 +++ ruby-activesupport-2.3-2.3.14/debian/control 2013-01-09 16:47:31.0 -0300 @@ -2,7 +2,6 @@ Section: ruby Priority: optional Maintainer: Debian Ruby Extras Maintainers -Uploaders: Ondřej Surý DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.3.0~), diff -Nru ruby-activesupport-2.3-2.3.14/debian/control.in ruby-activesupport-2.3-2.3.14/debian/control.in --- ruby-activesupport-2.3-2.3.14/debian/control.in 2012-06-29 14:28:53.0 -0300 +++ ruby-activesupport-2.3-2.3.14/debian/control.in 2012-09-01 17:38:25.0 -0300 @@ -2,7 +2,6 @@ Section: ruby Priority: optional Maintainer: Debian Ruby Extras Maintainers -Uploaders: Ondřej Surý DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.3.0~), diff -Nru ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-0156.patch ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-0156.patch --- ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-0156.patch 1969-12-31 21:00:00.0 -0300 +++ ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-0156.patch 2013-01-09 16:33:35.0 -0300 
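Review bot: the debian/control and debian/control.in hunks drop the "Uploaders: Ondřej Surý" line, a maintainer-metadata change unrelated to CVE-2013-0156 that the changelog entry for 2.3.14-5 does not mention; either record it in the changelog or leave it out of a security-only unblock, so the debdiff contains only what the release team has to review.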
@@ -0,0 +1,82 @@ +From 70adb9613e4a40c5645c99da374639c41012e4fc Mon Sep 17 00:00:00 2001 +From: Jeremy Kemper +Date: Sat, 5 Jan 2013 17:46:26 -0700 +Subject: [PATCH] CVE-2013-0156: Safe XML params parsing. Doesn't allow + symbols or yaml. + +diff --git a/lib/active_support/core_ext/hash/conversions.rb b/lib/active_support/core_ext/hash/conversions.rb +index a43763f..d7a8c1e 100644 +--- a/lib/active_support/core_ext/hash/conversions.rb b/lib/active_support/core_ext/hash/conversions.rb +@@ -26,6 +26,13 @@ module ActiveSupport #:nodoc: + end + end + ++DISALLOWED_XML_TYPES = %w(symbol yaml) ++class DisallowedType < StandardError #:nodoc: ++ def initialize(type) ++super "Disallowed type attribute: #{type.inspect}" ++ end ++end ++ + XML_TYPE_NAMES = { + "Symbol" => "symbol", + "Fixnum" => "integer", +@@ -160,14 +167,24 @@ module ActiveSupport #:nodoc: + end + + module ClassMethods +- def from_xml(xml) +-typecast_xml_value(unrename_keys(XmlMini.parse(xml))) ++ def from_xml(xml, disallowed_types = nil) ++typecast_xml_value(unrename_keys(XmlMini.parse(xml)), disallowed_types) ++ end ++ ++ def from_trusted_xml(xml) ++from_xml xml, [] + end + + private +-def typecast_xml_value(value) ++def typecast_xml_value(value, disallowed_typ
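Review bot: in the conversions.rb hunk, from_trusted_xml calls `from_xml xml, []` so that no type attribute is rejected, which makes it a complete opt-out of the CVE-2013-0156 protection, yet neither method gains a comment saying that from_trusted_xml must only ever see XML from a trusted source. A one-line comment there (and a sentence in the changelog) would keep callers from reaching for it just to silence a DisallowedType error.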
Bug#697812: unblock: ruby-activerecord-3.2/3.2.6-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock packages ruby-activerecord-3.2 and ruby-actionpack-3.2. The new versions uploaded do unstable fix CVE-2013-0155. Since the fix is spread across those two packages, I think they should handled together, and that's why I am filing a single unblock request for both packages. The debdiffs against the packages in testing are attached. You will notice a buid-dependency bump change, but that's in debian/control.in, not debian/control, so it's harmless. unblock ruby-activerecord-3.2/3.2.6-4 unblock ruby-actionpack-3.2/3.2.6-5 TIA, -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Antonio Terceiro diff -Nru ruby-activerecord-3.2-3.2.6/debian/changelog ruby-activerecord-3.2-3.2.6/debian/changelog --- ruby-activerecord-3.2-3.2.6/debian/changelog 2013-01-03 11:21:21.0 -0300 +++ ruby-activerecord-3.2-3.2.6/debian/changelog 2013-01-09 18:22:50.0 -0300 @@ -1,3 +1,10 @@ +ruby-activerecord-3.2 (3.2.6-4) unstable; urgency=high + + * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk +[CVE-2013-0155] (Closes: #697744). + + -- Antonio Terceiro Wed, 09 Jan 2013 18:18:07 -0300 + ruby-activerecord-3.2 (3.2.6-3) unstable; urgency=high * debian/patches/3-2-dynamic_finder_injection.patch: fix SQL injection diff -Nru ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch --- ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch 1969-12-31 21:00:00.0 -0300 +++ ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch 2013-01-09 18:25:01.0 -0300 
@@ -0,0 +1,25 @@ +From b7d666e95aee11e441908278425d16deef87cefb Mon Sep 17 00:00:00 2001 +From: Aaron Patterson +Date: Fri, 4 Jan 2013 12:02:22 -0800 +Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts. + [CVE-2013-0155] * dealing with empty hashes. Thanks + Damien Mathieu + +diff --git a/lib/active_record/relation/predicate_builder.rb b/lib/active_record/relation/predicate_builder.rb +index 6b118b4..b31fdfd 100644 +--- a/lib/active_record/relation/predicate_builder.rb b/lib/active_record/relation/predicate_builder.rb +@@ -6,7 +6,12 @@ module ActiveRecord + + if allow_table_name && value.is_a?(Hash) + table = Arel::Table.new(column, engine) +- build_from_hash(engine, value, table, false) ++ ++ if value.empty? ++'1 = 2' ++ else ++build_from_hash(engine, value, table, false) ++ end + else + column = column.to_s + diff -Nru ruby-activerecord-3.2-3.2.6/debian/patches/series ruby-activerecord-3.2-3.2.6/debian/patches/series --- ruby-activerecord-3.2-3.2.6/debian/patches/series 2013-01-03 11:04:55.0 -0300 +++ ruby-activerecord-3.2-3.2.6/debian/patches/series 2013-01-09 18:17:11.0 -0300 @@ -1,2 +1,3 @@ Remove_rubygems_dependency.patch 3-2-dynamic_finder_injection.patch +CVE-2013-0155.patch diff -Nru ruby-actionpack-3.2-3.2.6/debian/changelog ruby-actionpack-3.2-3.2.6/debian/changelog --- ruby-actionpack-3.2-3.2.6/debian/changelog 2012-08-10 13:33:44.0 -0300 +++ ruby-actionpack-3.2-3.2.6/debian/changelog 2013-01-09 18:27:16.0 -0300 
@@ -1,3 +1,10 @@ +ruby-actionpack-3.2 (3.2.6-5) unstable; urgency=high + + * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk +[CVE-2013-0155] (Closes: #697802) + + -- Antonio Terceiro Wed, 09 Jan 2013 18:25:45 -0300 + ruby-actionpack-3.2 (3.2.6-4) unstable; urgency=high * Add patches for security problems (Closes: #684454): diff -Nru ruby-actionpack-3.2-3.2.6/debian/control.in ruby-actionpack-3.2-3.2.6/debian/control.in --- ruby-actionpack-3.2-3.2.6/debian/control.in 2012-06-16 21:11:38.0 -0300 +++ ruby-actionpack-3.2-3.2.6/debian/control.in 2012-11-14 09:42:31.0 -0300 @@ -7,7 +7,7 @@ Antonio Terceiro , DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), - gem2deb (>= 0.2.13~), + gem2deb (>= 0.3.0~), ruby-activesupport-3.2 (>= @RAILS_VERSION@), ruby-activesupport-3.2 (<< @RAILS_VERSION@.), ruby-activerecord-3.2 (>= @RAILS_VERSION@), diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-0155.patch ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-0155.patch --- ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-0155.patch 1969-12-31 21:00:00.0 -0300 +++ ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-0155.patch 2013-01-09 18:28:16.0 -0300 @@ -0,0 +1,57 @@ +From b7d666e95aee11e441908278425d16deef87cefb Mon Sep 17 00:00:00 2001 +From: Aaron Patterson
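Review bot: the control.in hunk bumps the gem2deb build-dependency from (>= 0.2.13~) to (>= 0.3.0~) in the same upload as the CVE-2013-0155 patch, and the changelog entry for 3.2.6-5 does not mention it. The request explains that debian/control is unchanged, so the bump has no effect on the binary packages, but recording it in the changelog would save the release team the question.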
Processed: Re: Bug#697798: pu: package bind9/1:9.7.3.dfsg-1~squeeze8
Processing control commands:

> tags -1 + squeeze confirmed
Bug #697798 [release.debian.org] pu: package bind9/1:9.7.3.dfsg-1~squeeze9
Added tag(s) squeeze and confirmed.

-- 
697798: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697798
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#697798: pu: package bind9/1:9.7.3.dfsg-1~squeeze8
Control: tags -1 + squeeze confirmed

On Wed, 2013-01-09 at 13:00 -0700, LaMont Jones wrote:
> +bind9 (1:9.7.3.dfsg-1~squeeze9) squeeze-proposed-updates; urgency=low
> +
> + * Update db.root with new IP for D.root-servers.net. Closes: #697352
> +
> + -- LaMont Jones Tue, 08 Jan 2013 07:07:02 -0700

Please go ahead; thanks.

Regards,

Adam
Re: Bug#697025: gstreamer0.10: please re-upload built against GLib 2.32
On Wed, Jan 9, 2013 at 21:29:11 +, Simon McVittie wrote:
> The broken situation is that at runtime, you have a "new" libglib2.0-0,
> an "old" libgstreamer0.10-0, and a "new" third-package.
> 
That situation can be prevented by making sure every "new" third-package has versioned depends on "new" libgstreamer0.10-0, which is why I asked for the shlibs bump. And yes, this does mean rebuilding those third-packages after the shlibs bump, but I think that's better than adding more Breaks than necessary.

Cheers,
Julien
Bug#697799: marked as done (unblock: ruby-activesupport-3.2/3.2.6-5)
Your message dated Wed, 09 Jan 2013 21:32:30 +
with message-id <1357767150.21796.0.ca...@jacala.jungle.funky-badger.org>
and subject line Re: Bug#697799: unblock: ruby-activesupport-3.2/3.2.6-5
has caused the Debian Bug report #697799,
regarding unblock: ruby-activesupport-3.2/3.2.6-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
697799: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697799
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ruby-activesupport-3.2

This release includes a fix for CVE-2013-0156, fixing Debian bug #697790. The debdiff against the package in testing is attached.

unblock ruby-activesupport-3.2/3.2.6-5

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro

diff -Nru ruby-activesupport-3.2-3.2.6/debian/changelog ruby-activesupport-3.2-3.2.6/debian/changelog
--- ruby-activesupport-3.2-3.2.6/debian/changelog 2012-08-10 14:23:44.0 -0300
+++ ruby-activesupport-3.2-3.2.6/debian/changelog 2013-01-09 17:24:43.0 -0300
@@ -1,3 +1,10 @@ +ruby-activesupport-3.2 (3.2.6-5) unstable; urgency=high + + * debian/patches/CVE-2013-0156.patch: fix for vulnerabilities in +vulnerabilities in parameter parsing [CVE-2013-0156] (Closes: #697790) + + -- Antonio Terceiro Wed, 09 Jan 2013 17:23:52 -0300 + ruby-activesupport-3.2 (3.2.6-4) unstable; urgency=high * debian/patches/CVE-2012-3464.patch: fixes potential XSS vulnerability. diff -Nru ruby-activesupport-3.2-3.2.6/debian/control ruby-activesupport-3.2-3.2.6/debian/control --- ruby-activesupport-3.2-3.2.6/debian/control 2012-06-24 18:57:55.0 -0300 +++ ruby-activesupport-3.2-3.2.6/debian/control 2012-09-01 17:38:38.0 -0300 @@ -3,7 +3,6 @@ Priority: optional Maintainer: Debian Ruby Extras Maintainers Uploaders: - Ondřej Surý , Antonio Terceiro , DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), diff -Nru ruby-activesupport-3.2-3.2.6/debian/control.in ruby-activesupport-3.2-3.2.6/debian/control.in --- ruby-activesupport-3.2-3.2.6/debian/control.in 2012-06-15 23:41:30.0 -0300 +++ ruby-activesupport-3.2-3.2.6/debian/control.in 2012-09-01 17:38:38.0 -0300 @@ -3,7 +3,6 @@ Priority: optional Maintainer: Debian Ruby Extras Maintainers Uploaders: - Ondřej Surý , Antonio Terceiro , DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), diff -Nru ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-0156.patch ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-0156.patch --- ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-0156.patch 1969-12-31 21:00:00.0 -0300 +++ ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-0156.patch 2013-01-09 17:10:22.0 -0300 
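Review bot: the changelog entry for 3.2.6-5 reads "fix for vulnerabilities in vulnerabilities in parameter parsing"; the duplicated words should be dropped before upload. As in the 2.3 debdiff, the debian/control and control.in hunks also remove "Ondřej Surý" from Uploaders, a metadata change unrelated to CVE-2013-0156 that the changelog does not mention.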
@@ -0,0 +1,76 @@ +From 43109ecb986470ef023a7e91beb9812718f000fe Mon Sep 17 00:00:00 2001 +From: Jeremy Kemper +Date: Sat, 5 Jan 2013 17:46:26 -0700 +Subject: [PATCH] CVE-2013-0156: Safe XML params parsing. Doesn't allow + symbols or yaml. + +diff --git a/lib/active_support/core_ext/hash/conversions.rb b/lib/active_support/core_ext/hash/conversions.rb +index 5f07bb4..b820a16 100644 +--- a/lib/active_support/core_ext/hash/conversions.rb b/lib/active_support/core_ext/hash/conversions.rb +@@ -85,15 +85,33 @@ class Hash + end + end + ++ class DisallowedType < StandardError #:nodoc: ++def initialize(type) ++ super "Disallowed type attribute: #{type.inspect}" ++end ++ end ++ ++ DISALLOWED_XML_TYPES = %w(symbol yaml) ++ + class << self +-def from_xml(xml) +- typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml))) ++def from_xml(xml, disallowed_types = nil) ++ typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)), disallowed_types) ++end ++ ++def from_trusted_xml(xml) ++ from_xml xml, [] + end + + private +- def typecast_xml_value(value) ++ def typecast_xml_value(value, disallowed_types = nil) ++disallowed_types ||= DISALLOWED_XML_TYPES ++ + case value.class.to_s + when 'Hash' ++if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type']) ++ raise DisallowedType, value['typ
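Review bot: the changelog hunk's entry for 3.2.6-5 reads "fix for vulnerabilities in vulnerabilities in parameter parsing"; the phrase is duplicated across the line break, so the entry should read "fix for vulnerabilities in parameter parsing [CVE-2013-0156] (Closes: #697790)". Since this text becomes the public changelog of a security update, it is worth correcting before the unblock rather than in a later revision.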
Re: Bug#697025: gstreamer0.10: please re-upload built against GLib 2.32
On 01/01/13 13:26, Julien Cristau wrote:
> On Sun, Dec 30, 2012 at 23:28:13 +0000, Simon McVittie wrote:
>> I've only tested this fairly trivially (totem still plays
>> videos); I'll do some more testing before uploading if it becomes
>> necessary, but it'd be better if a maintainer could do proper
>> testing and a MU. Any maintainer opinions on this?
> This seems to be missing a way to ensure plugins get a dependency
> on the rebuilt libgstreamer0.10-0 (or whatever else is needed to
> prevent the combination of a gstreamer and plugin that disagree on
> the size of structs)?

As far as I can work out, bumping libgstreamer0.10-0's shlibs would only help to achieve this if we additionally NMU a bunch of packages to rebuild them against the new libgstreamer0.10-0 so they get a dependency. Some of them are multiarch and would thus need a sourceful upload (gst-plugins-*0.10, *farstream*, etc.) so that doesn't seem ideal; most of the affected packages have the new ABI already.

One alternative would be for libgstreamer0.10-0 to have versioned Breaks on those packages, which would reduce the number of uploads considerably.

Another alternative would be to add Breaks to libglib2.0-0 and rely on the fact that a newly-built libgstreamer0.10-0 already picks up Depends: libglib2.0-0 (>> squeeze's), and so squeeze-to-wheezy partial upgrades that pull in the new libgstreamer0.10-0 also pull in the new libglib2.0-0, which forces the other affected packages to be upgraded or removed.

The broken situation is in this dependency chain:

    libglib2.0-0 <- libgstreamer0.10-0 <- third-package

with this embedding:

    struct ThirdPackageThing {
        ...
        struct GstThing {
            ...
            struct GStaticMutex;
            ...
        }
        ...
    }

Let's call anything that encodes the old (glib2.0 << 2.32) size of GStaticMutex "old", and anything that encodes the new (glib2.0 >= 2.32) size of GStaticMutex "new".

The binaries in libgstreamer0.10-0 are either "old" or "new" depending on their interpretation of their own headers. That interpretation depends on the version of libglib2.0-dev, "old" or "new", that was installed when they were compiled.

The binaries in third-package are either "old" or "new", depending on their interpretation of GStreamer's headers. That interpretation depends only on the version of libglib2.0-dev that was installed at the time they were compiled; it does not depend on the version of libgstreamer0.10-dev that was installed at the time they were compiled. This is because, in the usual C way, the Gst headers don't explicitly say what the size of GstThing is: they only define it in terms of the size of GStaticMutex, and the compiler does the arithmetic anew while building each translation unit. (This is how we can have third-level packages appearing in the "new" set, even though no "new" version of gstreamer0.10 exists yet.)

The broken situation is that at runtime, you have a "new" libglib2.0-0, an "old" libgstreamer0.10-0, and a "new" third-package.

AFAICS, a big pile of versioned Breaks from libglib2.0-0 to packages that are known to be affected and built with "old" GLib would resolve this.

I'm somewhat concerned that that many versioned Breaks are going to make the apt resolver work harder, and might themselves break the full-upgrade process (like #676485). I believe that can be mitigated by making the versioned Breaks specific to the affected architectures, which would result in no additional upgrade problems for users of unaffected architectures - but in practice I don't think anyone ever runs piuparts on the affected architectures, making it harder for any upgrade problems to be discovered.

Regards,
    S

-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/50ede127.6020...@debian.org
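The size arithmetic Simon describes above, as an added C example that is not code from this thread, from GLib or from GStreamer. OldStaticMutex, NewStaticMutex, GstThingOld/GstThingNew and ThirdPackageOld/ThirdPackageNew are constructed stand-ins whose only faithful property is that the "new" mutex is larger than the "old" one; gst_abi_check is an assumed mitigation, not a GStreamer API. The block shows why a "new" third package and an "old" libgstreamer disagree about where a field placed after the embedded struct lives, and how a struct-size handshake at initialisation turns that silent memory corruption into a refused load.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the two sizes of GStaticMutex. These are NOT
 * GLib's real layouts; they only reproduce the property that matters here:
 * the "new" mutex is larger than the "old" one. */
typedef struct { void *runtime_mutex; } OldStaticMutex;
typedef struct { void *runtime_mutex; unsigned char reserved[32]; } NewStaticMutex;

/* GstThing as an "old" or a "new" translation unit sees it. Nothing states
 * its size explicitly; the compiler derives it from the embedded mutex. */
typedef struct { OldStaticMutex lock; int state; } GstThingOld;
typedef struct { NewStaticMutex lock; int state; } GstThingNew;

/* A third-package object embedding GstThing by value, with a field after it.
 * The offset of that field is where an "old" and a "new" build disagree. */
typedef struct { int id; GstThingOld gst; int refcount; } ThirdPackageOld;
typedef struct { int id; GstThingNew gst; int refcount; } ThirdPackageNew;

size_t old_refcount_offset(void) { return offsetof(ThirdPackageOld, refcount); }
size_t new_refcount_offset(void) { return offsetof(ThirdPackageNew, refcount); }

/* The mixed runtime from the mail: a "new" third-package stores refcount at
 * its own offset, an "old" libgstreamer reads it back at the old offset.
 * The union gives both views of one zero-filled object. */
int mixed_abi_readback(int value_written)
{
    union { ThirdPackageNew as_new; ThirdPackageOld as_old; } object;
    memset(&object, 0, sizeof object);
    object.as_new.refcount = value_written;   /* "new" third-package writes */
    return object.as_old.refcount;            /* "old" libgstreamer reads   */
}

/* Assumed mitigation (not a GStreamer API): the library exports the struct
 * size it was compiled with and a dependent passes the size its own
 * translation units computed, so a mismatch is refused up front. */
#define LIB_BUILT_SIZEOF_GSTTHING sizeof(GstThingOld)   /* "old" library build */

int gst_abi_check(size_t caller_sizeof_gstthing)
{
    if (caller_sizeof_gstthing != LIB_BUILT_SIZEOF_GSTTHING) {
        fprintf(stderr, "ABI mismatch: caller sizeof(GstThing)=%zu, library=%zu\n",
                caller_sizeof_gstthing, (size_t)LIB_BUILT_SIZEOF_GSTTHING);
        return 0;   /* refuse to initialise */
    }
    return 1;
}

int main(void)
{
    printf("refcount offset: old build %zu, new build %zu\n",
           old_refcount_offset(), new_refcount_offset());
    /* The "old" reader sees 0, not the 7 the "new" writer stored. */
    printf("mixed-ABI readback of 7: %d\n", mixed_abi_readback(7));
    printf("ABI check for an \"old\" caller: %d\n", gst_abi_check(sizeof(GstThingOld)));
    printf("ABI check for a \"new\" caller: %d\n", gst_abi_check(sizeof(GstThingNew)));
    return 0;
}
```

The old refcount offset lands inside the region the new layout reserves for the larger mutex, which is why the readback comes back as the zero fill rather than the stored value; in a real process that region holds live mutex state, so the result is corruption rather than a clean zero. The dependency-based fixes discussed in the thread (shlibs bumps, versioned Breaks) prevent the mixed set from being installed at all; the handshake shown here is the belt-and-braces check a library can add so that a mixed set that slips through fails at load time instead.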
Bug#692734: unblock: ettercap/0.7.5-4
> I'm not aware of any security issues in Ettercap and the release
> announcement of 0.7.5 doesn't mention them either.
> The 0.7.4 release mentions several buffer overflows, but this version
> is already in testing.

Well, that depends on *which* 0.7.4 you mean, NG-0.7.4 vs v0.7.4, but in any case, even just peeking at the very tip of the 0.7.5 tree in git we immediately see something highly suspicious:

    $ cd ettercap
    $ git log --pretty=oneline --deco --graph v0.7.5| head -5
    * 9e82ea656a5cbecc79823143907564cd4b446573 (tag: v0.7.5) Merge branch 'ettercap_rc'
    |\
    | * 302152524ccd09ac4252d5f33c617cc6e9ed9545 Merge pull request #29 from kholia/o5logon-fixes
    | |\
    | | * b510c1520a64372fffd04449413bb0255598d149 Fix crash with Nmap generated packets, catch login failures
    ...^

Archive: http://lists.debian.org/871uduxe7y@cs.nuim.ie
Bug#697799: unblock: ruby-activesupport-3.2/3.2.6-5
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ruby-activesupport-3.2

This release includes a fix for CVE-2013-0156, fixing debian bug #697790

The debdiff against the package in testing is attached

unblock ruby-activesupport-3.2/3.2.6-5

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro

diff -Nru ruby-activesupport-3.2-3.2.6/debian/changelog ruby-activesupport-3.2-3.2.6/debian/changelog --- ruby-activesupport-3.2-3.2.6/debian/changelog 2012-08-10 14:23:44.0 -0300 +++ ruby-activesupport-3.2-3.2.6/debian/changelog 2013-01-09 17:24:43.0 -0300 @@ -1,3 +1,10 @@ +ruby-activesupport-3.2 (3.2.6-5) unstable; urgency=high + + * debian/patches/CVE-2013-0156.patch: fix for vulnerabilities in +vulnerabilities in parameter parsing [CVE-2013-0156] (Closes: #697790) + + -- Antonio Terceiro Wed, 09 Jan 2013 17:23:52 -0300 + ruby-activesupport-3.2 (3.2.6-4) unstable; urgency=high * debian/patches/CVE-2012-3464.patch: fixes potential XSS vulnerability. diff -Nru ruby-activesupport-3.2-3.2.6/debian/control ruby-activesupport-3.2-3.2.6/debian/control --- ruby-activesupport-3.2-3.2.6/debian/control 2012-06-24 18:57:55.0 -0300 +++ ruby-activesupport-3.2-3.2.6/debian/control 2012-09-01 17:38:38.0 -0300
@@ -3,7 +3,6 @@ Priority: optional Maintainer: Debian Ruby Extras Maintainers Uploaders: - Ondřej Surý , Antonio Terceiro , DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), diff -Nru ruby-activesupport-3.2-3.2.6/debian/control.in ruby-activesupport-3.2-3.2.6/debian/control.in --- ruby-activesupport-3.2-3.2.6/debian/control.in 2012-06-15 23:41:30.0 -0300 +++ ruby-activesupport-3.2-3.2.6/debian/control.in 2012-09-01 17:38:38.0 -0300 @@ -3,7 +3,6 @@ Priority: optional Maintainer: Debian Ruby Extras Maintainers Uploaders: - Ondřej Surý , Antonio Terceiro , DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), diff -Nru ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-0156.patch ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-0156.patch --- ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-0156.patch 1969-12-31 21:00:00.0 -0300 +++ ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-0156.patch 2013-01-09 17:10:22.0 -0300 
@@ -0,0 +1,76 @@ +From 43109ecb986470ef023a7e91beb9812718f000fe Mon Sep 17 00:00:00 2001 +From: Jeremy Kemper +Date: Sat, 5 Jan 2013 17:46:26 -0700 +Subject: [PATCH] CVE-2013-0156: Safe XML params parsing. Doesn't allow + symbols or yaml. + +diff --git a/lib/active_support/core_ext/hash/conversions.rb b/lib/active_support/core_ext/hash/conversions.rb +index 5f07bb4..b820a16 100644 +--- a/lib/active_support/core_ext/hash/conversions.rb b/lib/active_support/core_ext/hash/conversions.rb +@@ -85,15 +85,33 @@ class Hash + end + end + ++ class DisallowedType < StandardError #:nodoc: ++def initialize(type) ++ super "Disallowed type attribute: #{type.inspect}" ++end ++ end ++ ++ DISALLOWED_XML_TYPES = %w(symbol yaml) ++ + class << self +-def from_xml(xml) +- typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml))) ++def from_xml(xml, disallowed_types = nil) ++ typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)), disallowed_types) ++end ++ ++def from_trusted_xml(xml) ++ from_xml xml, [] + end + + private +- def typecast_xml_value(value) ++ def typecast_xml_value(value, disallowed_types = nil) ++disallowed_types ||= DISALLOWED_XML_TYPES ++ + case value.class.to_s + when 'Hash' ++if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type']) ++ raise DisallowedType, value['type'] ++end ++ + if value['type'] == 'array' + _, entries = Array.wrap(value.detect { |k,v| not v.is_a?(String) }) + if entries.nil? || (c = value['__content__'] && c.blank?) +@@ -101,9 +119,9 @@ class Hash + else + case entries.class.to_s # something weird with classes not matching here. maybe singleton methods breaking is_a? + when "Array" +- entries.collect { |v| typecast_xml_value(v) } ++ entries.collect { |v| typecast_xml_value(v, disallowed_types) } + when "Hash" +- [typecast_xml_value(entries)] ++ [typecast_xml_value(entries, disallowed_types)] + else + raise "can't typecast #{entries.inspect}" + end +@@ -127,14 +145,14 @@ class Ha
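Review bot: in the conversions.rb hunk the new guard `if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type'])` runs before the `'array'` branch, and the `@@ -101,9 +119,9 @@` hunk forwards `disallowed_types` into both recursive calls of that branch, but the `@@ -127,14 +145,14 @@` hunk is cut off in this debdiff, so the recursion over Hash children cannot be checked here. Any recursive `typecast_xml_value` call that still omits the argument falls back to `DISALLOWED_XML_TYPES` through `disallowed_types ||= DISALLOWED_XML_TYPES`, which fails closed for `from_xml` but would silently make `from_trusted_xml` (which passes `[]`) strict for nested elements; confirm in the full patch that every recursive call passes `disallowed_types`.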
Bug#692287: unblock: audacious/3.2.4-1
Thanks for putting audacious 3.2.4 into Wheezy :)
Processed: retitle 697798 to pu: package bind9/1:9.7.3.dfsg-1~squeeze9
Processing commands for cont...@bugs.debian.org:

> retitle 697798 pu: package bind9/1:9.7.3.dfsg-1~squeeze9
Bug #697798 [release.debian.org] pu: package bind9/1:9.7.3.dfsg-1~squeeze8
Changed Bug title to 'pu: package bind9/1:9.7.3.dfsg-1~squeeze9' from 'pu: package bind9/1:9.7.3.dfsg-1~squeeze8'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
697798: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697798

Archive: http://lists.debian.org/handler.s.c.135776353930888.transcr...@bugs.debian.org
Bug#697688: marked as done (unblock: proftpd-dfsg/1.3.4a-3)
Your message dated Wed, 9 Jan 2013 21:16:20 +0100 with message-id <20130109201619.gg5...@radis.cristau.org> and subject line Re: Bug#697688: unblock: proftpd-dfsg/1.3.4a-3 has caused the Debian Bug report #697688, regarding unblock: proftpd-dfsg/1.3.4a-3 to be marked as done.

697688: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697688

--- Begin Message ---

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package proftpd-dfsg

[SECURITY] New patch 3841 fixes CVE-2012-6095: a possible race condition in the handling of the MKD/XMKD FTP commands, when the UserOwner directive is involved, and the attacker is on the same physical machine as a running proftpd.

Diff consists of a single patch file '3841' in quilt format. The same patch has been backported to stable (for version 1.3.3).

unblock proftpd-dfsg/1.3.4a-3

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---

--- Begin Message ---

On Tue, Jan 8, 2013 at 15:14:59 +0100, Francesco Paolo Lovergine wrote:
> unblock proftpd-dfsg/1.3.4a-3
>
Unblocked, thanks.

Cheers,
Julien

--- End Message ---
Bug#697798: pu: package bind9/1:9.7.3.dfsg-1~squeeze8
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

d.root-servers.net changed IP addresses 2013-01-03, the old IP will go away in "about 6 months".

lamont

=
diff --git a/debian/changelog b/debian/changelog index 13f278e..2ef9801 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +bind9 (1:9.7.3.dfsg-1~squeeze9) squeeze-proposed-updates; urgency=low + + * Update db.root with new IP for D.root-servers.net. Closes: #697352 + + -- LaMont Jones Tue, 08 Jan 2013 07:07:02 -0700 + bind9 (1:9.7.3.dfsg-1~squeeze8) squeeze-security; urgency=high * Apply patch extracted from 9.7.6-P4 to fix CVE-2012-5166 diff --git a/debian/db.root b/debian/db.root index d081faa..6c19741 100644 --- a/debian/db.root +++ b/debian/db.root @@ -9,8 +9,8 @@ ; on server FTP.INTERNIC.NET ; -OR-RS.INTERNIC.NET ; -; last update:Jun 17, 2010 -; related version of root zone: 2010061700 +; last update:Jan 3, 2013 +; related version of root zone: 2013010300 ; ; formerly NS.INTERNIC.NET ; @@ -31,7 +31,8 @@ C.ROOT-SERVERS.NET. 360 A 192.33.4.12 ; FORMERLY TERP.UMD.EDU ; .360 NSD.ROOT-SERVERS.NET. -D.ROOT-SERVERS.NET. 360 A 128.8.10.90 +D.ROOT-SERVERS.NET. 360 A 199.7.91.13 +D.ROOT-SERVERS.NET. 360 2001:500:2D::D ; ; FORMERLY NS.NASA.GOV ;
=

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Archive: http://lists.debian.org/20130109200025.29977.26375.report...@catsear.mmjgroup.com
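Review bot: the changelog entry "Update db.root with new IP for D.root-servers.net" documents only the IPv4 change, while the db.root hunk both replaces `128.8.10.90` with `199.7.91.13` and adds a second `D.ROOT-SERVERS.NET.` record carrying the IPv6 address `2001:500:2D::D`; mention the new IPv6 entry in the changelog so the stable-update review sees both records. The header hunk (`last update: Jan 3, 2013`, `related version of root zone: 2013010300`) is consistent with the 2013-01-03 change date given in the request.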
Bug#697794: marked as done (unblock: nusoap/0.7.3-5)
Your message dated Wed, 9 Jan 2013 20:58:42 +0100 with message-id <20130109195842.gf5...@radis.cristau.org> and subject line Re: Bug#697794: unblock: nusoap/0.7.3-5 has caused the Debian Bug report #697794, regarding unblock: nusoap/0.7.3-5 to be marked as done.

697794: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697794

--- Begin Message ---

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock nusoap 0.7.3-5

It fixes CVE-2012-6071

Cheers,
Moritz

unblock nusoap/0.7.3-5

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---

--- Begin Message ---

On Wed, Jan 9, 2013 at 20:10:21 +0100, Moritz Muehlenhoff wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Please unblock nusoap 0.7.3-5
>
> It fixes CVE-2012-6071
>
Unblocked, thanks.

Cheers,
Julien

--- End Message ---
Bug#697796: unblock: ruby-activesupport-2.3/2.3.14-5
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ruby-activesupport-2.3

This version adds a fix for vulnerabilities in parameter parsing [CVE-2013-0156] Closes: #697789

the debdiff against the package in testing is attached.

unblock ruby-activesupport-2.3/2.3.14-5

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro

diff -Nru ruby-activesupport-2.3-2.3.14/debian/changelog ruby-activesupport-2.3-2.3.14/debian/changelog --- ruby-activesupport-2.3-2.3.14/debian/changelog 2012-06-29 14:33:46.0 -0300 +++ ruby-activesupport-2.3-2.3.14/debian/changelog 2013-01-09 16:35:41.0 -0300 @@ -1,3 +1,11 @@ +ruby-activesupport-2.3 (2.3.14-5) unstable; urgency=high + + * Team upload. + * Add fix for vulnerabilities in parameter parsing [CVE-2013-0156]. +Closes: #697789 + + -- Antonio Terceiro Wed, 09 Jan 2013 16:34:24 -0300 + ruby-activesupport-2.3 (2.3.14-4) unstable; urgency=low * Team upload. diff -Nru ruby-activesupport-2.3-2.3.14/debian/control ruby-activesupport-2.3-2.3.14/debian/control --- ruby-activesupport-2.3-2.3.14/debian/control 2012-06-29 14:34:34.0 -0300 +++ ruby-activesupport-2.3-2.3.14/debian/control 2013-01-09 16:47:31.0 -0300 @@ -2,7 +2,6 @@ Section: ruby Priority: optional Maintainer: Debian Ruby Extras Maintainers -Uploaders: Ondřej Surý DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.3.0~), diff -Nru ruby-activesupport-2.3-2.3.14/debian/control.in ruby-activesupport-2.3-2.3.14/debian/control.in --- ruby-activesupport-2.3-2.3.14/debian/control.in 2012-06-29 14:28:53.0 -0300 +++ ruby-activesupport-2.3-2.3.14/debian/control.in 2012-09-01 17:38:25.0 -0300
@@ -2,7 +2,6 @@ Section: ruby Priority: optional Maintainer: Debian Ruby Extras Maintainers -Uploaders: Ondřej Surý DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.3.0~), diff -Nru ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-0156.patch ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-0156.patch --- ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-0156.patch 1969-12-31 21:00:00.0 -0300 +++ ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-0156.patch 2013-01-09 16:33:35.0 -0300 
@@ -0,0 +1,82 @@ +From 70adb9613e4a40c5645c99da374639c41012e4fc Mon Sep 17 00:00:00 2001 +From: Jeremy Kemper +Date: Sat, 5 Jan 2013 17:46:26 -0700 +Subject: [PATCH] CVE-2013-0156: Safe XML params parsing. Doesn't allow + symbols or yaml. + +diff --git a/lib/active_support/core_ext/hash/conversions.rb b/lib/active_support/core_ext/hash/conversions.rb +index a43763f..d7a8c1e 100644 +--- a/lib/active_support/core_ext/hash/conversions.rb b/lib/active_support/core_ext/hash/conversions.rb +@@ -26,6 +26,13 @@ module ActiveSupport #:nodoc: + end + end + ++DISALLOWED_XML_TYPES = %w(symbol yaml) ++class DisallowedType < StandardError #:nodoc: ++ def initialize(type) ++super "Disallowed type attribute: #{type.inspect}" ++ end ++end ++ + XML_TYPE_NAMES = { + "Symbol" => "symbol", + "Fixnum" => "integer", +@@ -160,14 +167,24 @@ module ActiveSupport #:nodoc: + end + + module ClassMethods +- def from_xml(xml) +-typecast_xml_value(unrename_keys(XmlMini.parse(xml))) ++ def from_xml(xml, disallowed_types = nil) ++typecast_xml_value(unrename_keys(XmlMini.parse(xml)), disallowed_types) ++ end ++ ++ def from_trusted_xml(xml) ++from_xml xml, [] + end + + private +-def typecast_xml_value(value) ++def typecast_xml_value(value, disallowed_types = nil) ++ disallowed_types ||= DISALLOWED_XML_TYPES ++ + case value.class.to_s + when 'Hash' ++ if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type']) ++raise DisallowedType, value['type'] ++ end ++ + if value['type'] == 'array' + child_key, entries = value.detect { |k,v| k != 'type' } # child_key is throwaway + if entries.nil? || (c = value['__content__'] && c.blank?) +@@ -175,9 +192,9 @@ module ActiveSupport #:nodoc: + else + case entries.class.to_s # something weird with classes not matching here. maybe singleton methods breaking is_a? + when "Array" +-entries.collect { |v| t
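Review bot: the debian/control and debian/control.in hunks (`-Uploaders: Ondřej Surý`) remove an uploader, with the control change timestamped 2013-01-09 16:47:31 in the same upload as the security fix, yet the 2.3.14-5 changelog entry lists only "Team upload" and the CVE-2013-0156 fix. For a freeze-period unblock the changelog should record the Uploaders change too, so the release team can see that the debdiff contains nothing beyond the security patch and that metadata edit.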
Bug#697667: marked as done (unblock: opendkim/2.6.8-4)
Your message dated Wed, 9 Jan 2013 20:54:06 +0100 with message-id <20130109195406.ge5...@radis.cristau.org> and subject line Re: Bug#697667: unblock: opendkim/2.6.8-4 has caused the Debian Bug report #697667, regarding unblock: opendkim/2.6.8-4 to be marked as done.

697667: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697667

--- Begin Message ---

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package opendkim

I haven't uploaded this to unstable yet, this is a pre-approval request as the bug is not RC, but it's a trivial fix backported from upstream with negligible risk of regression that will help admins diagnose and troubleshoot DKIM signing/verification issues. Since currently the logs get the message selector wrong (it logs the signing domain instead), it makes it very difficult to troubleshoot selector related issues (which are not rare).

Please let me know if this is OK and if so, I'm prepared to upload right away.

unblock opendkim/2.6.8-4

diff -u opendkim-2.6.8/debian/changelog opendkim-2.6.8/debian/changelog --- opendkim-2.6.8/debian/changelog +++ opendkim-2.6.8/debian/changelog
@@ -1,3 +1,10 @@ +opendkim (2.6.8-4) unstable; urgency=low + + * Backport fix from upstream to log the correct message selector +(Closes: #695145) (fix was included as part of the just released 2.7.4) + + -- Scott Kitterman Tue, 08 Jan 2013 02:44:28 -0500 + opendkim (2.6.8-3) unstable; urgency=medium * Urgency medium for low risk RC bug fix only in patch2: unchanged: --- opendkim-2.6.8.orig/opendkim/opendkim.c +++ opendkim-2.6.8/opendkim/opendkim.c @@ -13365,7 +13365,7 @@ for (c = 0; c < nsigs; c++) { domain = dkim_sig_getdomain(sigs[c]); - selector = dkim_sig_getdomain(sigs[c]); + selector = dkim_sig_getselector(sigs[c]); err = dkim_sig_geterror(sigs[c]); errstr = dkim_sig_geterrorstr(err);

--- End Message ---

--- Begin Message ---

On Tue, Jan 8, 2013 at 21:38:25 -0500, Scott Kitterman wrote:
> On Tuesday, January 08, 2013 07:52:26 PM Julien Cristau wrote:
> > Control: tag -1 confirmed
> >
> > On Tue, Jan 8, 2013 at 02:55:00 -0500, Scott Kitterman wrote:
> > > Please let me know if this is OK and if so, I'm prepared to upload right
> > > away.
> >
> > Go ahead.
>
> Thanks, uploaded.
>
Unblocked.

Cheers,
Julien

--- End Message ---
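Review bot: the opendkim.c hunk does not show the declaration of `selector`, so the diff alone cannot confirm that its type matches what `dkim_sig_getselector()` returns rather than what `dkim_sig_getdomain()` returned on the replaced line; check the declaration in the surrounding code before upload. The change itself is the one-line copy-and-paste correction the changelog describes, keeps `domain = dkim_sig_getdomain(sigs[c]);` as the only remaining domain lookup, and the changelog records both the bug number (#695145) and the upstream release (2.7.4) that carries the same fix, which is the provenance a reviewer wants for a freeze exception. A test message signed with a selector that differs from its signing domain would make the corrected log line visibly distinct from the old output.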
Bug#693924: marked as done (unblock: ltsp/5.4.2-5)
Your message dated Wed, 9 Jan 2013 20:51:56 +0100 with message-id <20130109195156.gd5...@radis.cristau.org> and subject line Re: Bug#693924: unblock: ltsp/5.4.2-5 has caused the Debian Bug report #693924, regarding unblock: ltsp/5.4.2-5 to be marked as done.

693924: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693924

--- Begin Message ---

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ltsp

It includes several bashism and dashism fixes that interfered with operation of several key scripts in LTSP, sometimes silently and thus hard to troubleshoot. Several of the other bugs resulted in a non-booting LTSP environment in some configurations. All of the included patches are committed upstream.

LTSP does contain the ltsp-client builder .udeb, though no code in the .udeb itself was changed, and the ltsp-client-builder is not used in the default installer.

The debdiff contains some date changes in debian/po/*, which should probably be fixed in the packaging someday as it is basically needless noise. Apologies for that.

Thanks for your consideration!

live well,
  vagrant

diff -Nru ltsp-5.4.2/debian/changelog ltsp-5.4.2/debian/changelog --- ltsp-5.4.2/debian/changelog 2012-06-27 16:14:12.0 -0700 +++ ltsp-5.4.2/debian/changelog 2012-11-20 21:27:32.0 -0800
@@ -1,3 +1,35 @@ +ltsp (5.4.2-4) unstable; urgency=low + + * ltsp-client-core: Add patch to nbd-disconnect to handle cryptsetup swap +devices (Closes: #690267). + + -- Vagrant Cascadian Tue, 20 Nov 2012 21:26:04 -0800 + +ltsp (5.4.2-3) unstable; urgency=low + + * ltsp-client-core patches from upstream: +- Fix use of 'echo -e' by switching to printf in screen-x-common + (Closes: #692920). +- Fix use of a "read -p" bashism in ltsp-cleanup (Closes: #690638). +- Fix dashisms in update-kernels using "local -" by saving flags and + restoring them later (Closes: #693499). +- Prevent setting of LTSP_FATCLIENT variable from causing ltsp-client-core + initscript to die (Closes: #693745). +- Move ltspconfig cache processing earlier, so that variables defined in + lts.conf can override autodetected variables (Closes: #689668). +- Fix initramfs udhcp hook to use /run instead of /tmp, which allows the + booting from a network using PXE ProxyDHCP (Closes: #693746). + + * ltsp-server patches from upstream: +- Fix bashism in ltsp-config by using printf instead of 'echo -e' and echo + with "\n" interpreting (Closes: #690618). +- Fix ltsp-update-image to support servers with separate /boot partition. + (Closes: #693636). +- Fix dashisms in ltsp-update-image using "local -" by saving flags and + restoring them later (Closes: #693496). + + -- Vagrant Cascadian Mon, 19 Nov 2012 14:17:21 -0800 + ltsp (5.4.2-2) unstable; urgency=low * ltsp-server: Move lts.conf from doc to doc/examples. diff -Nru ltsp-5.4.2/debian/patches/cryptsetup-swap-with-nbd ltsp-5.4.2/debian/patches/cryptsetup-swap-with-nbd --- ltsp-5.4.2/debian/patches/cryptsetup-swap-with-nbd 1969-12-31 16:00:00.0 -0800 +++ ltsp-5.4.2/debian/patches/cryptsetup-swap-with-nbd 2012-11-20 21:27:32.0 -0800 
@@ -0,0 +1,25 @@ + 2409 Vagrant Cascadian2012-11-19 + Also support cryptsetup swap devices backed by NBD. + http://bugs.debian.org/690267 + +=== modified file 'client/share/ltsp/nbd-disconnect' +--- old/client/share/ltsp/nbd-disconnect 2012-05-14 19:23:51 + new/client/share/ltsp/nbd-disconnect 2012-11-20 00:40:53 + +@@ -32,6 +32,16 @@ + swapoff "$device" + nbd-client -d "$device" + ;; ++/dev/mapper/swap[0-9]) ++nbd_device=$(cryptsetup status "$device" | awk '/device:/{print $2}') ++swapoff "$device" ++cryptsetup remove "$device" ++case "$nbd_device" in ++/dev/nbd[1-9]) ++nbd-client -d "$nbd_device" ++;; ++esac ++;; + esac + done < /proc/swaps + + diff -Nru ltsp-5.4.2/debian/patches/fatclients-return-0 ltsp-5.4.2/debian/patches/fatclients-return-0 --- ltsp-5.4.2/debian/patches/fatclients-return-0 1969-12-31 16:00:00.0 -0800 +++ ltsp-5.4.2/debian/patches/fatclients-return-0 2012-11-19 14:33:11.0 -0800 @@ -0,0 +1,18 @@ + 2407 Vagrant Cascadian2012-11-19 + ltsp_config.d/
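Review bot: the request asks to unblock ltsp/5.4.2-5, but the changelog hunk (`@@ -1,3 +1,35 @@`) tops out at `ltsp (5.4.2-4)` dated Tue, 20 Nov 2012, with 5.4.2-3 beneath it; either the debdiff was generated before the -5 upload or the -5 entry is missing from it. Attach a debdiff for the version actually named in the unblock line so that the reviewed diff and the unblock hint refer to the same package.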
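Review bot: in the nbd-disconnect hunk, the result of `swapoff "$device"` is not checked before `cryptsetup remove "$device"` and `nbd-client -d "$nbd_device"` run, so if swapoff fails the mapping and the NBD connection are torn down underneath a swap device that is still in use. Since this sits in the visible `done < /proc/swaps` while loop, `swapoff "$device" || continue` would skip the teardown for that device. Separately, the new pattern `/dev/mapper/swap[0-9])` matches only a single trailing digit, like the existing `/dev/nbd[1-9])`, so a tenth cryptsetup swap device would be silently left connected; `/dev/mapper/swap[0-9]*)` covers multi-digit names if they can occur.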
Re: [Openstack-devel] Bug#685251: Fixing Debian bug #685251 for the ryu plugin in Openstack
Hi Thomas

Ok, thanks. Where do I find the folsom packaging?

If -6 things are included in folsom I think it is better to upload a special testing variant instead of -7 as the replace rules would be too complicated otherwise.

// Ola

On Wed, Jan 09, 2013 at 04:02:04PM +0800, Thomas Goirand wrote:
> Hi Ola,
>
> Thanks for taking care of this! :)
>
> On 01/09/2013 03:51 AM, Ola Lundqvist wrote:
> > Happy new year Thomas!
> >
> > Skipping release team for this mail as I want to check one thing with you.
> > You write that we will not maintain the -6 version in sid. Does that mean
> > that all the work I did for this package (to move out the plugin files
> > to respective package) will be in vain?
> >
> > Or is folsom release based on -6 version?
>
> I believe your changes are already in the Folsom packaging. Though it'd
> be worth checking for it again.
>
> As I told you, I intend to replace the SID version by Folsom as soon as
> we release Wheezy, and if the FTP-Masters don't take another month to
> accept the new packages... that delay is by the way a bit worrisome. I
> wonder what I could do to help them. Probably by trying to review some
> packages which I didn't upload.
>
> > Just checking. Based on your answer I will simply upload a -7 version
> > that will be more or less identical to the version I was thinking
> > of uploading to testing-proposed-updates.
> >
> > // Ola
>
> Yes, I believe that's the way to go. Upload -7 to SID, and ask for an
> unblock. If we need additional breaks+replaces because of -6, then so be
> it IMO...
>
> Cheers,
>
> Thomas Goirand
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com                    Annebergsslingan 37        \
|  o...@debian.org                    654 65 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Archive: http://lists.debian.org/20130109193552.ga10...@inguza.net
Bug#697794: unblock: nusoap/0.7.3-5
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock nusoap 0.7.3-5

It fixes CVE-2012-6071

Cheers,
Moritz

unblock nusoap/0.7.3-5

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Archive: http://lists.debian.org/20130109191021.7545.53131.reportbug@pisco.westfalen.local
Bug#692734: unblock: ettercap/0.7.5-4
On Wed, Jan 09, 2013 at 03:24:58PM +, Neil McGovern wrote:
> On Wed, Jan 09, 2013 at 02:40:25PM +, Barak A. Pearlmutter wrote:
> > As I've stated previously, I don't believe that backporting fixes is
> > really feasible. There are too many, they are mixed with
> > non-security-related modifications, there would be enormous opportunity
> > for error, and ongoing security maintenance would be quite difficult.
>
> Do you have CVE numbers, BTS references or any further detail? These
> very changes make it not suitable for update when we've been frozen for
> over 6 months.

I'm not aware of any security issues in Ettercap and the release announcement of 0.7.5 doesn't mention them either. The 0.7.4 release mentions several buffer overflows, but this version is already in testing.

Cheers,
Moritz

Archive: http://lists.debian.org/20130109183800.ga15...@inutil.org
Bug#693550: unblock: mame/0.146-5
Hi,

On Thu, Dec 13, 2012 at 02:59:04PM +0100, Emmanuel Kasper wrote:
> > Why does this change it to -mtune=generic instead of just nothing
> > at all?
> I asked Cesare Falco, the developer who did this commit, and his
> answer is
> " My idea was to make the build as optimized as possible
> without breaking compatibility with older CPUs, which
> is exactly the meaning of the generic tuning."
>
> It looks OK to me according to the detailed description of the option
> when it was introduced to gcc:
> http://gcc.gnu.org/ml/gcc-patches/2006-01/msg01045.html
> " The option is mainly intended
> to help building distributions where you don't know what CPU the code
> will run on in advance."

While in the long run not adding anything would probably be the best thing, this is what was tested and was found to fix a crash reported in LP. If necessary, I'll prepare a -6 with this dropped entirely, which is the plan for future non-wheezy uploads.

> >> Finally, mame/0.146-5 includes minor changes in the default
> >> configuration file, as we want to revert an unfortunate commit
> >> which slipped through. (debdiff will be included, but right now
> >> it is treated as spam by bugs-master.debian.org ...)
> >>
> > This one needs more details because I don't know what it's trying
> > to fix, and what impact it has.

My biggest concern about this is the default search path for per-user configuration files got changed a while ago, and I never noticed until it was too late.

When I started working on MAME, we established ~/.mame would be the directory for all things config for MAME, as one would expect (sure, in retrospect I'd be considering ~/.config/mame now, but that's another story). With this config, users would configure MAME using ~/.mame/mame.ini.

http://anonscm.debian.org/gitweb/?p=pkg-games/mame.git;a=commitdiff;h=16ce619f80cc067d0536c49823766eb5ec4e1ea2

This commit changed this and changed all paths to ~/mame, regardless of their type (config, autogenerated stuff, savegames, etc vs. data).

http://anonscm.debian.org/gitweb/?p=pkg-games/mame.git;a=commitdiff;h=2f0981b18e1713878022f9c570f708bc48e679a7

-5 is an attempt to bring mame.ini to its initial state. As wheezy is the first release with mame and mess, I'd like to see this change accepted so we don't force a path update for jessie.

As for MESS, Ivo asks in #693562 about the mess.ini changes in the debdiff. I believe the uimodekey setting slipped in the system config by mistake and then got (silently, grr) removed. As for video, it was set to opengl because that's the only usable mode available, then changed to software emulation (which is unusably slow) due to some unreproducible reports of X server crashes when starting mess or mame, and then reverted once again to opengl as it's the only setting that makes these programs actually usable, and the X crashes weren't confirmed. Or that's what I recall about this. I'm sorry there's no full mention of all of this in the changelogs, no excuse for that.

In short, we're requesting unblocks:

unblock mame/0.146-5
unblock mess/0.146-4

Thanks for considering,
Jordi

--
Jordi Mallach Pérez -- Debian developer http://www.debian.org/
jo...@sindominio.net jo...@debian.org http://www.sindominio.net/
GnuPG public key information available at http://oskuro.net/

signature.asc
Description: Digital signature
Bug#692734: marked as done (unblock: ettercap/0.7.5-4)
Your message dated Wed, 9 Jan 2013 16:45:11 + with message-id <20130109164511.gp6...@halon.org.uk> and subject line Re: Bug#692734: unblock: ettercap/0.7.5-4 has caused the Debian Bug report #692734, regarding unblock: ettercap/0.7.5-4 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
692734: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692734
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hello release team, please unblock package ettercap.

A new upstream version 0.7.5 of ettercap (a network sniff/attack tool) fixes a variety of security issues. It does not seem practical to me to backport the fixes, because many of them are made on top of non-security-related changes, and teasing them apart etc would be a great deal of work and also quite error-prone. The upstream team is very eager to get the new version in place, and I find their reasoning compelling. This is briefly alluded to in BTS 691465.

Note that ettercap is a leaf package (nothing depends on it) so there is no real down-side to allowing 0.7.5 to progress to testing and then having a show-stopping problem pop up. In that case it would likely be pulled ... which I think we'd have to do anyway if 0.7.5 is not allowed into testing, since in that case we'll have known latent security issues. On the other hand, with 0.7.5 we have an active (quite pro-active in fact) and highly responsive upstream team eager to fix any issues that we might bring to their attention.

--Barak.
--
Barak A. Pearlmutter
Hamilton Institute & Dept Comp Sci, NUI Maynooth, Co. Kildare, Ireland
http://www.bcl.hamilton.ie/~barak/
--- End Message ---

--- Begin Message ---
On Wed, Jan 09, 2013 at 04:20:25PM +, Barak A. Pearlmutter wrote:
> > So, can you please let me know if you're going to backport the fixes,
> > or if I should remove it from wheezy.
>
> As I've already said repeatedly, I don't think backporting all and only
> the security-relevant patches is a realistic option.
>

Noted, removal hint added.

Neil
--

signature.asc
Description: Digital signature
--- End Message ---
Bug#697782: marked as done (unblock: swami/2.0.0+svn389-2)
Your message dated Wed, 09 Jan 2013 16:39:00 + with message-id and subject line Re: Bug#697782: unblock: swami/2.0.0+svn389-2 has caused the Debian Bug report #697782, regarding unblock: swami/2.0.0+svn389-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 697782: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697782 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please consider: unblock swami/2.0.0+svn389-2 This is one of the two sourceful uploads for #694525. diffstat for swami-2.0.0+svn389 swami-2.0.0+svn389 changelog |7 +++ control |2 ++ 2 files changed, 9 insertions(+) diff -Nru swami-2.0.0+svn389/debian/changelog swami-2.0.0+svn389/debian/changelog --- swami-2.0.0+svn389/debian/changelog 2012-02-12 23:16:30.0 + +++ swami-2.0.0+svn389/debian/changelog 2013-01-02 21:12:11.0 + @@ -1,3 +1,10 @@ +swami (2.0.0+svn389-2) unstable; urgency=low + + * Rebuild against newer GLib. (Closes: #697026) + * Recommends on jackd. (Closes: #697031) + + -- Alessio Treglia Wed, 02 Jan 2013 21:11:49 + + swami (2.0.0+svn389-1) unstable; urgency=low * Team upload. diff -Nru swami-2.0.0+svn389/debian/control swami-2.0.0+svn389/debian/control --- swami-2.0.0+svn389/debian/control 2012-02-12 22:23:15.0 + +++ swami-2.0.0+svn389/debian/control 2013-01-02 21:10:27.0 + 
@@ -36,6 +36,8 @@ libswami0 (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} +Recommends: + jackd Breaks: libswami0 (<= 2.0.0+svn389-1~) Replaces: libswami0 (<= 2.0.0+svn389-1~) Description: MIDI instrument editor application --- End Message --- --- Begin Message --- On 09.01.2013 16:23, Simon McVittie wrote: +swami (2.0.0+svn389-2) unstable; urgency=low + + * Rebuild against newer GLib. (Closes: #697026) + * Recommends on jackd. (Closes: #697031) + + -- Alessio Treglia Wed, 02 Jan 2013 21:11:49 + Already unblocked. :-) (since the 2nd in fact, if the notation in my hints file is to be believed). Regards, Adam--- End Message ---
Bug#697782: unblock: swami/2.0.0+svn389-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please consider: unblock swami/2.0.0+svn389-2 This is one of the two sourceful uploads for #694525. diffstat for swami-2.0.0+svn389 swami-2.0.0+svn389 changelog |7 +++ control |2 ++ 2 files changed, 9 insertions(+) diff -Nru swami-2.0.0+svn389/debian/changelog swami-2.0.0+svn389/debian/changelog --- swami-2.0.0+svn389/debian/changelog 2012-02-12 23:16:30.0 + +++ swami-2.0.0+svn389/debian/changelog 2013-01-02 21:12:11.0 + @@ -1,3 +1,10 @@ +swami (2.0.0+svn389-2) unstable; urgency=low + + * Rebuild against newer GLib. (Closes: #697026) + * Recommends on jackd. (Closes: #697031) + + -- Alessio Treglia Wed, 02 Jan 2013 21:11:49 + + swami (2.0.0+svn389-1) unstable; urgency=low * Team upload. diff -Nru swami-2.0.0+svn389/debian/control swami-2.0.0+svn389/debian/control --- swami-2.0.0+svn389/debian/control 2012-02-12 22:23:15.0 + +++ swami-2.0.0+svn389/debian/control 2013-01-02 21:10:27.0 + @@ -36,6 +36,8 @@ libswami0 (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} +Recommends: + jackd Breaks: libswami0 (<= 2.0.0+svn389-1~) Replaces: libswami0 (<= 2.0.0+svn389-1~) Description: MIDI instrument editor application -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130109162317.ga16...@reptile.pseudorandom.co.uk
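Review bot: the control hunk adds only `Recommends: jackd`; nothing in this two-file debdiff expresses the "Rebuild against newer GLib" entry from the changelog hunk, so the fix for #697026 relies on whatever libglib2.0-dev the build chroot happens to provide. If a minimum GLib is what #697026 needs, a versioned `Build-Depends: libglib2.0-dev (>= ...)` carrying that version (the diff does not state it) makes the requirement reproducible and visible to the release team, and the diffstat shows debian/control is already touched, so the line belongs in this hunk.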
Bug#692734: unblock: ettercap/0.7.5-4
> Do you have CVE numbers, BTS references or any further detail?

No, I don't believe any such processes were engaged. But examination of the actual changes shows many potentially security-relevant deltas. The tool is most commonly used in "friendly" networks to look for vulnerabilities, so this does not render it useless. But I would be surprised if it were not possible to create hostile traffic that would at the very least crash the tool, and likely subvert it.

> So, can you please let me know if you're going to backport the fixes,
> or if I should remove it from wheezy.

As I've already said repeatedly, I don't think backporting all and only the security-relevant patches is a realistic option.

I could go back to the old build system while keeping the updated C sources. This would dramatically reduce the delta count, but seems silly.

--Barak.

Archive: http://lists.debian.org/87ehhuxr92@cs.nuim.ie
Bug#697764: unblock: glib2.0/2.33.12+really2.32.4-5
retitle 697764 unblock: glib2.0/2.33.12+really2.32.4-5 thanks On 09.01.2013 14:51, Michael Biebl wrote: > unblock glib2.0/2.33.12+really2.32.4-4 A stupid typo slipped into -4, so I had to do a brown paper bag release. Full debdiff is attached. Michael -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? diff -Nru glib2.0-2.33.12+really2.32.4/debian/changelog glib2.0-2.33.12+really2.32.4/debian/changelog --- glib2.0-2.33.12+really2.32.4/debian/changelog 2012-10-24 11:51:16.0 +0200 +++ glib2.0-2.33.12+really2.32.4/debian/changelog 2013-01-09 16:14:52.0 +0100 @@ -1,3 +1,22 @@ +glib2.0 (2.33.12+really2.32.4-5) unstable; urgency=low + + * Fix the closing fi in the if statement in postrm. + + -- Michael Biebl Wed, 09 Jan 2013 16:14:49 +0100 + +glib2.0 (2.33.12+really2.32.4-4) unstable; urgency=low + + * Take into account multiarch when removing the cache files in postrm: +Remove /usr/lib/gio/modules/giomodule.cache only for the native +architecture for which this cache file was created. +After removing /usr/share/glib-2.0/schemas/gschemas.compiled on purge, +run dpkg-trigger explicitly, so in case libglib2.0-0 is installed for +other architectures, the cache file is re-created. (Closes: #696389) + * Drop the various Breaks from libglib2.0-0. Those are causing APT to fail +on a dist-upgrade from squeeze to wheezy. (Closes: #676485) + + -- Michael Biebl Tue, 08 Jan 2013 23:30:04 +0100 + glib2.0 (2.33.12+really2.32.4-3) unstable; urgency=low * Team upload diff -Nru glib2.0-2.33.12+really2.32.4/debian/control glib2.0-2.33.12+really2.32.4/debian/control --- glib2.0-2.33.12+really2.32.4/debian/control 2012-10-24 12:33:11.0 +0200 +++ glib2.0-2.33.12+really2.32.4/debian/control 2013-01-09 16:16:18.0 +0100 
@@ -38,14 +38,7 @@ ${shlibs:Depends} Recommends: libglib2.0-data, shared-mime-info -Breaks: gvfs (<< 1.8), -gnome-control-center (<< 1:3), -gnome-session (<< 3.0.0-3), -gdm3 (<< 3.0.3), -libgtk-3-0 (<< 3.0.12), -emacs23 (<< 23.4+1-3), -eog (<< 3.2.2-3), -gwaei (<< 3.2.0b1-2) +Breaks: gvfs (<< 1.8) Replaces: libglib2.0-dev (<< 2.23.2-2) Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} diff -Nru glib2.0-2.33.12+really2.32.4/debian/control.in glib2.0-2.33.12+really2.32.4/debian/control.in --- glib2.0-2.33.12+really2.32.4/debian/control.in 2012-09-23 09:31:12.0 +0200 +++ glib2.0-2.33.12+really2.32.4/debian/control.in 2013-01-08 08:00:23.0 +0100 @@ -38,14 +38,7 @@ ${shlibs:Depends} Recommends: @DATA_PKG@, shared-mime-info -Breaks: gvfs (<< 1.8), -gnome-control-center (<< 1:3), -gnome-session (<< 3.0.0-3), -gdm3 (<< 3.0.3), -libgtk-3-0 (<< 3.0.12), -emacs23 (<< 23.4+1-3), -eog (<< 3.2.2-3), -gwaei (<< 3.2.0b1-2) +Breaks: gvfs (<< 1.8) Replaces: @DEV_PKG@ (<< 2.23.2-2) Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} diff -Nru glib2.0-2.33.12+really2.32.4/debian/libglib2.0-0.postrm.in glib2.0-2.33.12+really2.32.4/debian/libglib2.0-0.postrm.in --- glib2.0-2.33.12+really2.32.4/debian/libglib2.0-0.postrm.in 2012-03-30 15:37:03.0 +0200 +++ glib2.0-2.33.12+really2.32.4/debian/libglib2.0-0.postrm.in 2013-01-09 16:07:40.0 +0100 
@@ -10,12 +10,22 @@ fi if [ -d /usr/lib/gio/modules ]; then # Purge the cache -rm -f /usr/lib/gio/modules/giomodule.cache -rmdir -p --ignore-fail-on-non-empty /usr/lib/gio/modules +if [ $(dpkg --print-architecture) = #ARCH# ]; then +rm -f /usr/lib/gio/modules/giomodule.cache +rmdir -p --ignore-fail-on-non-empty /usr/lib/gio/modules +fi fi if [ "$1" = purge ] && [ -d /usr/share/glib-2.0/schemas ]; then # Purge the compiled schemas rm -f /usr/share/glib-2.0/schemas/gschemas.compiled rmdir -p --ignore-fail-on-non-empty /usr/share/glib-2.0/schemas + +# With multiarch enabled we can't be certain that the cache file +# isn't needed for other architectures since it is not reference +# counted. The best we can do is to fire a file trigger which will +# regenerate the cache file if required. +if [ -d /usr/share/glib-2.0/schemas ]; then +dpkg-trigger /usr/share/glib-2.0/schemas +fi fi signature.asc Description: OpenPGP digital signature
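Review bot: dropping `gdm3 (<< 3.0.3)` from Breaks in the control and control.in hunks removes the only thing that kept a squeeze gdm3 from being configured alongside this libglib2.0-0 during a squeeze to wheezy upgrade, and the unblock request itself ties that to the gdm3 stable update in #697751 (the greeter's URI handlers). The changelog hunk records only the APT dist-upgrade failure (#676485), not that #697751 is now the replacement safeguard; add a line saying so, and hold this package's migration until the gdm3 squeeze update is in stable, otherwise the window the Breaks closed reopens for anyone upgrading from an un-updated squeeze.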
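Review bot: in the postrm hunk, `if [ $(dpkg --print-architecture) = #ARCH# ]; then` leaves the command substitution unquoted, so an empty result turns the test into `[ = amd64 ]` and `[` reports "unary operator expected" instead of quietly taking the false branch; `if [ "$(dpkg --print-architecture)" = "#ARCH#" ]; then` is the usual form. The comment above the new `dpkg-trigger` call is good, but it should also say why the `[ -d /usr/share/glib-2.0/schemas ]` re-check is there: the `rmdir -p --ignore-fail-on-non-empty` just above removes the directory when nothing else ships schemas, and the trigger must only fire when it survived.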
Processed: Re: Bug#697764: unblock: glib2.0/2.33.12+really2.32.4-5
Processing commands for cont...@bugs.debian.org:

> retitle 697764 unblock: glib2.0/2.33.12+really2.32.4-5
Bug #697764 [release.debian.org] unblock: glib2.0/2.33.12+really2.32.4-4
Changed Bug title to 'unblock: glib2.0/2.33.12+really2.32.4-5' from 'unblock: glib2.0/2.33.12+really2.32.4-4'
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
697764: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697764
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Archive: http://lists.debian.org/handler.s.c.135774839623621.transcr...@bugs.debian.org
Bug#692734: unblock: ettercap/0.7.5-4
On Wed, Jan 09, 2013 at 02:40:25PM +, Barak A. Pearlmutter wrote:
> As I've stated previously, I don't believe that backporting fixes is
> really feasible. There are too many, they are mixed with
> non-security-related modifications, there would be enormous opportunity
> for error, and ongoing security maintenance would be quite difficult.

Do you have CVE numbers, BTS references or any further detail? These very changes make it not suitable for update when we've been frozen for over 6 months.

> Some background: upstream development stalled, and a new team has (with
> the blessing of the retired old team) taken over. The new team is
> willing to do security updates on their versions, but it is not
> realistic to expect them to be able to do security patches for an
> ancient version full of backported patches.

No, that's what we expect *you* to do as the maintainer. If you feel you cannot support software for the length of the stable release, then it's simple: find help or let's not have it in a stable release.

> On the other hand, I personally don't see any disadvantage to letting
> 0.7.5* in and pulling it if there is a problem, instead of just pulling
> it preemptively in case there is a problem.

Because by that stage a number of people will have already installed it and we have provided a commitment to have it in the release.

> So that is my recommendation. The choice, however, is with the
> release team.
>

That's not going to happen. So, can you please let me know if you're going to backport the fixes, or if I should remove it from wheezy.

Neil

Archive: http://lists.debian.org/20130109152458.gn6...@halon.org.uk
Bug#692734: unblock: ettercap/0.7.5-4
As I've stated previously, I don't believe that backporting fixes is really feasible. There are too many, they are mixed with non-security-related modifications, there would be enormous opportunity for error, and ongoing security maintenance would be quite difficult.

Some background: upstream development stalled, and a new team has (with the blessing of the retired old team) taken over. The new team is willing to do security updates on their versions, but it is not realistic to expect them to be able to do security patches for an ancient version full of backported patches.

On the other hand, I personally don't see any disadvantage to letting 0.7.5* in and pulling it if there is a problem, instead of just pulling it preemptively in case there is a problem.

So that is my recommendation. The choice, however, is with the release team.

--Barak.

Archive: http://lists.debian.org/87mwwixvvq@cs.nuim.ie
Bug#697764: unblock: glib2.0/2.33.12+really2.32.4-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package glib2.0 It fixes two RC bugs. Related to #676485 is the pu request for gdm3/squeeze [1],[2]. glib2.0 (2.33.12+really2.32.4-4) unstable; urgency=low * Take into account multiarch when removing the cache files in postrm: Remove /usr/lib/gio/modules/giomodule.cache only for the native architecture for which this cache file was created. After removing /usr/share/glib-2.0/schemas/gschemas.compiled on purge, run dpkg-trigger explicitly, so in case libglib2.0-0 is installed for other architectures, the cache file is re-created. (Closes: #696389) * Drop the various Breaks from libglib2.0-0. Those are causing APT to fail on a dist-upgrade from squeeze to wheezy. (Closes: #676485) -- Michael Biebl Tue, 08 Jan 2013 23:30:04 +0100 Full debdiff is attached. In case you are wondering, why the gvfs Breaks was kept: We noticed in our upgrade tests, that only packages with an (indirect) dependency on libgdk-pixbuf2.0-0 were causing problems. So only those were dropped. Cheers, Michael unblock glib2.0/2.33.12+really2.32.4-4 [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697751 [2] https://lists.debian.org/debian-release/2012/12/msg00778.html -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (200, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff -Nru glib2.0-2.33.12+really2.32.4/debian/changelog glib2.0-2.33.12+really2.32.4/debian/changelog --- glib2.0-2.33.12+really2.32.4/debian/changelog 2012-10-24 11:51:16.0 +0200 +++ glib2.0-2.33.12+really2.32.4/debian/changelog 2013-01-08 23:30:05.0 +0100 
@@ -1,3 +1,16 @@ +glib2.0 (2.33.12+really2.32.4-4) unstable; urgency=low + + * Take into account multiarch when removing the cache files in postrm: +Remove /usr/lib/gio/modules/giomodule.cache only for the native +architecture for which this cache file was created. +After removing /usr/share/glib-2.0/schemas/gschemas.compiled on purge, +run dpkg-trigger explicitly, so in case libglib2.0-0 is installed for +other architectures, the cache file is re-created. (Closes: #696389) + * Drop the various Breaks from libglib2.0-0. Those are causing APT to fail +on a dist-upgrade from squeeze to wheezy. (Closes: #676485) + + -- Michael Biebl Tue, 08 Jan 2013 23:30:04 +0100 + glib2.0 (2.33.12+really2.32.4-3) unstable; urgency=low * Team upload diff -Nru glib2.0-2.33.12+really2.32.4/debian/control glib2.0-2.33.12+really2.32.4/debian/control --- glib2.0-2.33.12+really2.32.4/debian/control 2012-10-24 12:33:11.0 +0200 +++ glib2.0-2.33.12+really2.32.4/debian/control 2013-01-08 23:33:01.0 +0100 @@ -38,14 +38,7 @@ ${shlibs:Depends} Recommends: libglib2.0-data, shared-mime-info -Breaks: gvfs (<< 1.8), -gnome-control-center (<< 1:3), -gnome-session (<< 3.0.0-3), -gdm3 (<< 3.0.3), -libgtk-3-0 (<< 3.0.12), -emacs23 (<< 23.4+1-3), -eog (<< 3.2.2-3), -gwaei (<< 3.2.0b1-2) +Breaks: gvfs (<< 1.8) Replaces: libglib2.0-dev (<< 2.23.2-2) Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} diff -Nru glib2.0-2.33.12+really2.32.4/debian/control.in glib2.0-2.33.12+really2.32.4/debian/control.in --- glib2.0-2.33.12+really2.32.4/debian/control.in 2012-09-23 09:31:12.0 +0200 +++ glib2.0-2.33.12+really2.32.4/debian/control.in 2013-01-08 08:00:23.0 +0100 
@@ -38,14 +38,7 @@ ${shlibs:Depends} Recommends: @DATA_PKG@, shared-mime-info -Breaks: gvfs (<< 1.8), -gnome-control-center (<< 1:3), -gnome-session (<< 3.0.0-3), -gdm3 (<< 3.0.3), -libgtk-3-0 (<< 3.0.12), -emacs23 (<< 23.4+1-3), -eog (<< 3.2.2-3), -gwaei (<< 3.2.0b1-2) +Breaks: gvfs (<< 1.8) Replaces: @DEV_PKG@ (<< 2.23.2-2) Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} diff -Nru glib2.0-2.33.12+really2.32.4/debian/libglib2.0-0.postrm.in glib2.0-2.33.12+really2.32.4/debian/libglib2.0-0.postrm.in --- glib2.0-2.33.12+really2.32.4/debian/libglib2.0-0.postrm.in 2012-03-30 15:37:03.0 +0200 +++ glib2.0-2.33.12+really2.32.4/debian/libglib2.0-0.postrm.in 2013-01-08 23:28:38.0 +0100 @@ -10,12 +10,22 @@ fi if [ -d /usr/lib/gio/modules ]; then # Purge the cache -rm -f /usr/lib/gio/modules/giomodule.cache -rmdir -p --ignore-fail-on-non-empty /usr/lib/gio/modules +if [ $(dpkg --print-architecture) = #ARCH# ]; then +rm -f /usr/lib/gio/modules/giomodule.cache +rmdir -p --ignore-fail-on-non-empty /usr/lib/gio/modules +fi fi if [ "$1" = purge ] && [ -d /usr/share/glib-2.0/schemas ]; then # Purge the compiled schemas rm -f /usr/share
Bug#697757: unblock: proftpd-dfsg/1.3.4a-4 (pre-approval)
Sorry the memcache fix would trigger a lot of changes due to a new b-d and problems with m-a linking. So please, just consider the locale change which is safe. On Wed, Jan 09, 2013 at 01:00:25PM +0100, Francesco P. Lovergine wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > > Please unblock package proftpd-dfsg to fix a locale problem and render the > provided mod_tls_memcache module truly working when used. These chages > are not relevant for security as for -3 previously requested and uploaded. > > unblock proftpd-dfsg/1.3.4a-4 > > The relevant changes are: > > diff --git a/debian/changelog b/debian/changelog > index 6d23904..62bb291 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,11 @@ > +proftpd-dfsg (1.3.4a-4) UNRELEASED; urgency=low > + > + * Memcache missing enabling at configuration time prevented > mod_tls_memcache working. > + * Removed it/ru moving of locale directories. That hack is lost in time and > +currently wrong. > + > + -- Francesco Paolo Lovergine Wed, 09 Jan 2013 > 12:48:21 +0100 > + > proftpd-dfsg (1.3.4a-3) unstable; urgency=low > >[SECURITY] New patch 3841 fixes CVE-2012-6095: a possible race > diff --git a/debian/rules b/debian/rules > index 79e7ccb..b37a693 100755 > --- a/debian/rules > +++ b/debian/rules 
> @@ -41,7 +41,7 @@ CONF_ARGS := --prefix=/usr \ >--with-includes=$(shell pg_config --includedir):$(shell > mysql_config --include|sed -e 's/-I//') \ >--mandir=/usr/share/man --sysconfdir=/etc/$(NAME) > --localstatedir=/var/run --libexecdir=/usr/lib/$(NAME) \ >--enable-sendfile --enable-facl --enable-dso --enable-autoshadow > --enable-ctrls --with-modules=mod_readme \ > - --enable-ipv6 --enable-nls --with-lastlog=/var/log/lastlog > --enable-pcre $(DEVELOPT) > + --enable-ipv6 --enable-nls --enable-memcache > --with-lastlog=/var/log/lastlog --enable-pcre $(DEVELOPT) > > ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE)) >CONF_ARGS += --build $(DEB_HOST_GNU_TYPE) > @@ -68,8 +68,6 @@ install: build > dh_prep > > $(MAKE) DESTDIR=$(CURDIR)/debian/tmp INSTALL_STRIP="$(INSTALL_STRIP)" > install > - mv $(CURDIR)/debian/tmp/usr/share/locale/it_IT > $(CURDIR)/debian/tmp/usr/share/locale/it > - mv $(CURDIR)/debian/tmp/usr/share/locale/ru_RU > $(CURDIR)/debian/tmp/usr/share/locale/ru > > configure: configure-stamp > configure-stamp: > -- Francesco P. Lovergine -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130109131020.gc3...@blegrez.ba.issia.cnr.it
Bug#692734: unblock: ettercap/0.7.5-4
Hi,

365 files changed, 23718 insertions(+), 14033 deletions(-)

This isn't something that can be reviewed, especially with the large number of unrelated changes to (for example build system switch!) the package.

The options remaining are:
 * Backport specific fixes for the version in testing
 * Remove the package

Could you please indicate if you wish to do the first or the second.

Thanks,
Neil

On Tue, Jan 08, 2013 at 11:03:59PM +, Barak A. Pearlmutter wrote:
> That is a matter of release policy.
>
> I believe I've made clear my own recommended action, listed the
> alternative possibilities I consider realistic, and given supporting
> reasoning. After that, this becomes a matter for the release team to
> decide. They can take my recommendation, or do something else, as they
> wish.
>
> It is ridiculous process-over-sense to say that the release team should
> ask me, via your sending me your interpretation of their policy
> document, to ask them to do something which you think they've already
> decided to do. (Especially when I don't think what you seem to think
> they've already decided to do is the best option.) After all, if they
> have decided to do something, they can just do it. We're trying to
> produce a good operating system here, not an improv parody of paralyzing
> procedure-heavy bureaucratic inertia.
>
> > It's a bit frustrating to see that the release gets delayed because of
> > situations like these.
>
> Ettercap is a minor leaf package. This issue is not a release delayer.
>
> --Barak.
>
> Archive: http://lists.debian.org/871udvs2e8@cs.nuim.ie

signature.asc
Description: Digital signature
Bug#697757: unblock: proftpd-dfsg/1.3.4a-4 (pre-approval)
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package proftpd-dfsg to fix a locale problem and render the provided mod_tls_memcache module truly working when used. These chages are not relevant for security as for -3 previously requested and uploaded. unblock proftpd-dfsg/1.3.4a-4 The relevant changes are: diff --git a/debian/changelog b/debian/changelog index 6d23904..62bb291 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +proftpd-dfsg (1.3.4a-4) UNRELEASED; urgency=low + + * Memcache missing enabling at configuration time prevented mod_tls_memcache working. + * Removed it/ru moving of locale directories. That hack is lost in time and +currently wrong. + + -- Francesco Paolo Lovergine Wed, 09 Jan 2013 12:48:21 +0100 + proftpd-dfsg (1.3.4a-3) unstable; urgency=low [SECURITY] New patch 3841 fixes CVE-2012-6095: a possible race diff --git a/debian/rules b/debian/rules index 79e7ccb..b37a693 100755 --- a/debian/rules +++ b/debian/rules @@ -41,7 +41,7 @@ CONF_ARGS := --prefix=/usr \ --with-includes=$(shell pg_config --includedir):$(shell mysql_config --include|sed -e 's/-I//') \ --mandir=/usr/share/man --sysconfdir=/etc/$(NAME) --localstatedir=/var/run --libexecdir=/usr/lib/$(NAME) \ --enable-sendfile --enable-facl --enable-dso --enable-autoshadow --enable-ctrls --with-modules=mod_readme \ ---enable-ipv6 --enable-nls --with-lastlog=/var/log/lastlog --enable-pcre $(DEVELOPT) +--enable-ipv6 --enable-nls --enable-memcache --with-lastlog=/var/log/lastlog --enable-pcre $(DEVELOPT) ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE)) CONF_ARGS += --build $(DEB_HOST_GNU_TYPE) 
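Review bot: the first rules hunk adds `--enable-memcache` to CONF_ARGS, but the diff touches only debian/changelog and debian/rules and adds no Build-Depends on a memcached client library in debian/control, so on a clean buildd configure either fails or builds without memcache support and mod_tls_memcache stays non-functional. Either add the build-dependency in the same upload or drop the flag; the reply earlier in this thread withdrawing the memcache part is consistent with that.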
@@ -68,8 +68,6 @@ install: build dh_prep $(MAKE) DESTDIR=$(CURDIR)/debian/tmp INSTALL_STRIP="$(INSTALL_STRIP)" install - mv $(CURDIR)/debian/tmp/usr/share/locale/it_IT $(CURDIR)/debian/tmp/usr/share/locale/it - mv $(CURDIR)/debian/tmp/usr/share/locale/ru_RU $(CURDIR)/debian/tmp/usr/share/locale/ru configure: configure-stamp configure-stamp: -- Francesco P. Lovergine -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130109120023.ga10...@blegrez.ba.issia.cnr.it
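Review bot: removing the two `mv` lines in the install hunk changes where the Italian and Russian catalogs end up, and the changelog entry ("lost in time and currently wrong") does not say why. Since 1.3.4a-3 built with these `mv` commands in place (a missing source directory would have failed make), upstream's install still creates usr/share/locale/it_IT and ru_RU at this version, so after this hunk the catalogs stay under those names. gettext falls back from a full locale to the bare language (it_CH to it), not the reverse, so users with any Italian or Russian locale other than it_IT/ru_RU lose the translation. A sentence in the changelog on why the old layout is wrong would let this be checked.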
Bug#697751: pu: package gdm3/2.30.5-6squeeze5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: pu Hi, as already discussed, I’d like to propose a stable upload for gdm3 in order to avoid a security risk when doing upgrades. Theoretically, with the greeter session of gdm 2.30 and the glib version in wheezy, you could use default URI handlers, and launch things such as a web browser. A bit of testing didn’t show any dialog from which this could be triggered, but it’s better to be on the safe side. Therefore this update would, when a newer glib is installed, disable all URI handlers, as already done by gdm3 3.4 in wheezy. Proposed diff attached. Cheers, -- .''`. Josselin Mouette : :' : `. `' `- Index: debian/applications/mime-dummy-handler.desktop === --- debian/applications/mime-dummy-handler.desktop (révision 0) +++ debian/applications/mime-dummy-handler.desktop (révision 36541) @@ -0,0 +1,6 @@ +[Desktop Entry] +Type=Application +Name=Dummy URI Handler +Exec=/bin/true %U +Terminal=false +StartupNotify=false Index: debian/applications/mimeapps.list === --- debian/applications/mimeapps.list (révision 0) +++ debian/applications/mimeapps.list (révision 36541) 
@@ -0,0 +1,19 @@ +[Default Applications] +x-scheme-handler/file=mime-dummy-handler.desktop +x-scheme-handler/ftp=mime-dummy-handler.desktop +x-scheme-handler/ghelp=mime-dummy-handler.desktop +x-scheme-handler/help=mime-dummy-handler.desktop +x-scheme-handler/http=mime-dummy-handler.desktop +x-scheme-handler/https=mime-dummy-handler.desktop +x-scheme-handler/info=mime-dummy-handler.desktop +x-scheme-handler/irc=mime-dummy-handler.desktop +x-scheme-handler/itms=mime-dummy-handler.desktop +x-scheme-handler/mailto=mime-dummy-handler.desktop +x-scheme-handler/man=mime-dummy-handler.desktop +x-scheme-handler/mms=mime-dummy-handler.desktop +x-scheme-handler/rtp=mime-dummy-handler.desktop +x-scheme-handler/rtsp=mime-dummy-handler.desktop +x-scheme-handler/sip=mime-dummy-handler.desktop +x-scheme-handler/trash=mime-dummy-handler.desktop +x-scheme-handler/webcal=mime-dummy-handler.desktop +x-scheme-handler/xmpp=mime-dummy-handler.desktop Index: debian/patches/series === --- debian/patches/series (révision 36540) +++ debian/patches/series (révision 36541) @@ -35,5 +35,6 @@ 35_double_free.patch 36_windowpath.patch 37_shutdown_buttons.patch +38_greeter_datadir.patch 90_relibtoolize.patch 99_CVE-2011-0727.patch Index: debian/patches/38_greeter_datadir.patch === --- debian/patches/38_greeter_datadir.patch (révision 0) +++ debian/patches/38_greeter_datadir.patch (révision 36541) 
@@ -0,0 +1,49 @@ +From 48705abd751e6e2f1d20b51098e1b97d74855338 Mon Sep 17 00:00:00 2001 +From: Ray Strode +Date: Mon, 20 Jun 2011 17:21:35 + +Subject: daemon: use gnome-session session files instead of autostart + +Before we were doing some sort of weird hybrid thing with +a session file and an autostart directory that wasn't that +much different than just having an autostart directory by +itself. + +Now we fully define the session component list from the session +file, and merely provide a pool of new candidate desktop files to +select that sessoin from. + +This modernizes how we use gnome-session and as a side-effect +enables us the ability to have fallback sessions (which will +be important when defaulting to a shell based greeter later). +--- +(limited to 'daemon/gdm-welcome-session.c') +(refreshed against 2.30) + +Index: gdm3-2.30.5/daemon/gdm-welcome-session.c +=== +--- gdm3-2.30.5.orig/daemon/gdm-welcome-session.c 2013-01-07 12:02:30.717944131 +0100 gdm3-2.30.5/daemon/gdm-welcome-session.c 2013-01-07 12:02:42.682002617 +0100 +@@ -356,6 +356,7 @@ get_welcome_environment (GdmWelcomeSessi + "LC_IDENTIFICATION", "LC_ALL", + NULL + }; ++char *system_data_dirs; + int i; + + load_lang_config_file (LANG_CONFIG_FILE, +@@ -375,6 +376,15 @@ get_welcome_environment (GdmWelcomeSessi + g_strdup (g_getenv (optional_environment[i]))); + } + ++system_data_dirs = g_strjoinv (":", (char **) g_get_system_data_dirs ()); ++ ++g_hash_table_insert (hash, ++ g_strdup ("XDG_DATA_DIRS"), ++ g_strdup_printf ("%s:%s", ++ DATADIR "/gdm/greeter", ++ system_data_dirs)); ++g_free (system_data_dirs); ++ + if (welcome_session->priv->dbus_bus_address != NULL) { + g_hash_table_insert (hash, + g_strdup ("DBUS_SESSION_BUS_ADDRESS"), Index:
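Review bot: The `[Default Applications]` section in the debian/applications/mimeapps.list hunk enumerates 18 `x-scheme-handler/*` types by hand, so any scheme registered by another installed application but absent from this list (or one a future package adds) still resolves to that application's handler from the greeter; the list should be compared against the schemes actually registered in /usr/share/applications/mimeinfo.cache on a wheezy system with a full desktop, and the changelog should say that only these schemes are neutralised. Separately, nothing in the visible debdiff installs debian/applications/mime-dummy-handler.desktop and mimeapps.list into the directory that 38_greeter_datadir.patch prepends to XDG_DATA_DIRS (DATADIR "/gdm/greeter"); if that is done in debian/gdm3.install or debian/rules the hunk should be included, otherwise the two new files are never read.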
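Review bot: In the second hunk of 38_greeter_datadir.patch the greeter's XDG_DATA_DIRS is built from g_get_system_data_dirs() of the daemon process, i.e. from gdm's own environment, or GLib's default `/usr/local/share/:/usr/share/` when the variable is unset; putting DATADIR "/gdm/greeter" first is what makes its mimeapps.list win, since GLib consults the mimeapps.list files in XDG_DATA_DIRS order. Two things to check: GLib reads the per-user `$XDG_DATA_HOME/applications/mimeapps.list` before any of these, so the override only holds if nothing running as the greeter user can write to that location; and the patch description is upstream's commit message for a different change (session files instead of autostart), so the DEP-3 header should state what this backport actually does (only the XDG_DATA_DIRS export survives the "refreshed against 2.30" note).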
Bug#697749: unblock: gtk+3.0/3.4.2-5
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package gtk+3.0. Version 3.4.2-5 fixes important bug #692235. The debdiff is attached.

unblock gtk+3.0/3.4.2-5

Cheers,
-- 
 .''`.      Sébastien Villemot
: :' :      Debian Developer
`. `'       http://www.dynare.org/sebastien
  `-        GPG Key: 4096R/381A7594

diff -Nru gtk+3.0-3.4.2/debian/changelog gtk+3.0-3.4.2/debian/changelog --- gtk+3.0-3.4.2/debian/changelog 2012-09-21 18:30:43.0 +0200 +++ gtk+3.0-3.4.2/debian/changelog 2013-01-09 11:00:45.0 +0100 @@ -1,3 +1,17 @@ +gtk+3.0 (3.4.2-5) unstable; urgency=low + + * debian/patches/075_gtkplug-fix-handling-of-key-events-for-layouts.patch: +This patch fixes handling of key events for different layouts in +GtkPlug. In particular, it fixes the keyboard layout switching from +gnome-screensaver when the screen is locked. Closes: #692235 + * debian/libgtk-3-0.symbols: add gdk_x11_keymap_get_group_for_state and +gdk_x11_keymap_key_is_modifier which are introduced by the above patch +(actually backported from the 3.5.2 API). + * debian/rules: call dh_makeshlibs with -V 'libgtk-3-0 (>= 3.4.2-5~)', +since we introduced new public symbols in this Debian revision. + + -- Sébastien Villemot Wed, 09 Jan 2013 11:00:22 +0100 + gtk+3.0 (3.4.2-4) unstable; urgency=low * debian/patches/074_try-harder-to-discriminate-Shift-F10-and-F10.patch: diff -Nru gtk+3.0-3.4.2/debian/libgtk-3-0.symbols gtk+3.0-3.4.2/debian/libgtk-3-0.symbols --- gtk+3.0-3.4.2/debian/libgtk-3-0.symbols 2012-04-19 02:45:51.0 +0200 +++ gtk+3.0-3.4.2/debian/libgtk-3-0.symbols 2013-01-09 10:06:40.0 +0100
@@ -542,7 +542,9 @@ gdk_x11_get_xatom_name@Base 3.0.0 gdk_x11_get_xatom_name_for_display@Base 3.0.0 gdk_x11_grab_server@Base 3.0.0 + gdk_x11_keymap_get_group_for_state@Base 3.4.2-5~ gdk_x11_keymap_get_type@Base 3.0.0 + gdk_x11_keymap_key_is_modifier@Base 3.4.2-5~ gdk_x11_lookup_xdisplay@Base 3.0.0 gdk_x11_register_standard_event_type@Base 3.0.0 gdk_x11_screen_get_monitor_output@Base 3.0.0 diff -Nru gtk+3.0-3.4.2/debian/patches/075_gtkplug-fix-handling-of-key-events-for-layouts.patch gtk+3.0-3.4.2/debian/patches/075_gtkplug-fix-handling-of-key-events-for-layouts.patch --- gtk+3.0-3.4.2/debian/patches/075_gtkplug-fix-handling-of-key-events-for-layouts.patch 1970-01-01 01:00:00.0 +0100 +++ gtk+3.0-3.4.2/debian/patches/075_gtkplug-fix-handling-of-key-events-for-layouts.patch 2013-01-09 10:04:50.0 +0100 
@@ -0,0 +1,166 @@ +Description: GtkPlug: fix handling of key events for different layouts + GtkPlug directly handles X KeyPress/Release events, instead of using + translation in GDK (which expects XI2 events for XI2). When this + was done, the handling of the group was stubbed out and never replaced. + . + Export gdk_keymap_x11_group_for_state() and gdk_keymap_x11_is_modifier() + so we can fill out the fields correctly. +Origin: upstream, http://git.gnome.org/browse/gtk+/commit/?id=0aa989ae76d0d080eae16b8a4fde59aca1227cc4 +Bug: https://bugzilla.gnome.org/show_bug.cgi?id=675167 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692235 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/gdk/x11/gdkdevicemanager-core-x11.c b/gdk/x11/gdkdevicemanager-core-x11.c +@@ -145,7 +145,7 @@ + gdk_event_set_device (event, device_manager->core_keyboard); + + event->key.state = (GdkModifierType) xevent->xkey.state; +- event->key.group = _gdk_x11_get_group_for_state (display, xevent->xkey.state); ++ event->key.group = gdk_x11_keymap_get_group_for_state (keymap, xevent->xkey.state); + event->key.hardware_keycode = xevent->xkey.keycode; + + event->key.keyval = GDK_KEY_VoidSymbol; +@@ -161,7 +161,7 @@ + _gdk_x11_keymap_add_virt_mods (keymap, &state); + event->key.state |= state; + +- event->key.is_modifier = _gdk_x11_keymap_key_is_modifier (keymap, event->key.hardware_keycode); ++ event->key.is_modifier = gdk_x11_keymap_key_is_modifier (keymap, event->key.hardware_keycode); + + _gdk_x11_event_translate_keyboard_string (&event->key); + +--- a/gdk/x11/gdkdevicemanager-xi2.c b/gdk/x11/gdkdevicemanager-xi2.c +@@ -1160,10 +1160,10 @@ + + event->key.time = xev->time; + event->key.state = _gdk_x11_device_xi2_translate_state (&xev->mods, &xev->buttons, &xev->group); +-event->key.group = _gdk_x11_get_group_for_state (display, event->key.state); ++event->key.group = xev->group.effective; + + event->key.hardware_keycode = xev->detail; 
+-event->key.is_modifier = _gdk_x11_keymap_key_is_modifier (keymap, event->key.hardware_keycode); ++event->key.is_modifier = gdk_x11_keymap_key_is_modifier (keymap, event->key.hardware_keycode); + + device = g_hash_table_lookup (device_manager->id_table, + GUINT_TO_POINTER (xev->deviceid)); +--- a/gdk/x11/gdkkeys-x11.c b/gd
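Review bot: The two added lines in the debian/libgtk-3-0.symbols hunk tag the new symbols `3.4.2-5~`, which matches the `dh_makeshlibs -V 'libgtk-3-0 (>= 3.4.2-5~)'` the changelog describes, but the corresponding debian/rules hunk is not in the visible part of the debdiff; the two must land together, otherwise packages built against 3.4.2-5 get a shlibs dependency that does not guarantee the new symbols exist at runtime. The changelog should also say plainly that these are additions to the public ABI of a frozen library (backported from 3.5.2), so the release team can weigh that explicitly.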
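Review bot: In the gdkdevicemanager-core-x11.c hunks of 075_gtkplug-fix-handling-of-key-events-for-layouts.patch the private `_gdk_x11_get_group_for_state (display, ...)` call becomes `gdk_x11_keymap_get_group_for_state (keymap, ...)` and `_gdk_x11_keymap_key_is_modifier` becomes its public counterpart; the context line `_gdk_x11_keymap_add_virt_mods (keymap, &state);` shows `keymap` is already in scope there, so that is sound, but the DEP-3 Description should record whether the old private symbols are removed in gdkkeys-x11.c (the hunk is cut off here) so that no other patch in the series still references them, since a stale caller would only surface as a link error. The XI2 hunk's `event->key.group = xev->group.effective;` is a behaviour change as well (group taken from the XI2 event rather than derived from the state), which is what the upstream fix intends but deserves a sentence in the header.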
Re: [Openstack-devel] Bug#685251: Fixing Debian bug #685251 for the ryu plugin in Openstack
Hi Ola,

Thanks for taking care of this! :)

On 01/09/2013 03:51 AM, Ola Lundqvist wrote:
> Happy new year Thomas!
>
> Skipping release team for this mail as I want to check one thing with you.
> You write that we will not maintain the -6 version in sid. Does that mean
> that all the work I did for this package (to move out the plugin files
> to respective package) will be in vain?
>
> Or is folsom release based on -6 version?

I believe your changes are already in the Folsom packaging. Though it'd be worth checking for it again.

As I told you, I intend to replace the SID version by Folsom as soon as we release Wheezy, and if the FTP-Masters don't take another month to accept the new packages... that delay is by the way a bit worrisome. I wonder what I could do to help them. Probably by trying to review some packages which I didn't upload.

> Just checking. Based on your answer I will simply upload a -7 version
> that will be more or less identical to the version I was thinking
> of uploading to testing-proposed-updates.
>
> // Ola

Yes, I believe that's the way to go. Upload -7 to SID, and ask for an unblock. If we need additional breaks+replaces because of -6, then so be it IMO...

Cheers,

Thomas Goirand

-- 
Archive: http://lists.debian.org/50ed23fc.3090...@debian.org