Bug#703153: unblock: binkd/0.9.11-1.1

2013-04-02 Thread Andreas Beckmann
Control: retitle -1 unblock: binkd/0.9.11-1.1

NMU entered (after some DELAY) unstable last week.


Andreas


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/515a7d35.6070...@debian.org



Re: nbd freeze exception?

2013-04-02 Thread Wouter Verhelst
Hi all,

On 29-03-13 08:24, Wouter Verhelst wrote:
 Hrm.

 Some of these are things that I do think should be part of r0.

 How about this, then:

 - No new upstream release (I knew that was a long shot, but hey, I had
   to try)
 - I do upload a package with the following patches:
   - #685610 (important bug, failure of name-based exports when not used
 as root filesystem; patch in the BTS)
   - 
 http://nbd.git.sourceforge.net/git/gitweb.cgi?p=nbd/nbd;a=commitdiff;h=a0c3244429ea367defc0867cea8b2f351581c9d5
 (make nbd-server not go berserk upon receipt of a 'list exports'
 packet; fixes a remote DoS; not RC because it's disabled by default,
 but bad enough that it shouldn't be in the release)
   - 
 http://nbd.git.sourceforge.net/git/gitweb.cgi?p=nbd/nbd;a=commitdiff;h=9c8f822c023732ca9871358e2d324257e0290707
 (or equivalent; there is still some discussion on that patch. Fixes
 a false positive for a request out of range error that triggers on
 32-bit machines only)
 I've never received an answer to this.

 Meanwhile, I've done two uploads (because I forgot to fix the 'list
 exports' thing in the first upload, so I had to do another) with hardly
 anything more than the above.

 I'd appreciate it if you could look at the upload and possibly approve
 it, although I of course concede that it's your prerogative to reject
 the upload for testing, if you think it prudent.

 Thanks,

I realize I might be looking like an ass here, but I'd really like some
reply to this request.

For reference, the individual patches that went into these releases are
available (with more detailed explanation) at
http://anonscm.debian.org/gitweb/?p=users/wouter/nbd.git;a=summary. I
didn't drink the 3.0 (quilt) kool-aid, so not there yet.

Thanks,

-- 
Copyshops should do vouchers. So that next time some bureaucracy
requires you to mail a form in triplicate, you can mail it just once,
add a voucher, and save on postage.





Bug#704514: unblock: otrs2/3.1.7+dfsg1-8

2013-04-02 Thread Patrick Matthäi
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package otrs2



diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/changelog 
3.1.7+dfsg1-8/debian/changelog
--- 3.1.7+dfsg1-7/debian/changelog  2013-02-27 10:25:48.144232210 +0100
+++ 3.1.7+dfsg1-8/debian/changelog  2013-04-02 10:48:16.815442475 +0200
@@ -1,3 +1,14 @@
+otrs2 (3.1.7+dfsg1-8) unstable; urgency=high
+
+  * Add missing post database schemas for new installations with dbconfig.
+Without it, new installations will miss some important foreign keys and
+later fail to update to version 3.2.x.
+Closes: #702251
+  * Add upstream patch 31-CVE-2013-2625 to improve permission checks in
+LinkObject. This fixes CVE-2013-2625.
+
+ -- Patrick Matthäi pmatth...@debian.org  Tue, 02 Apr 2013 10:39:24 +0200
+
 otrs2 (3.1.7+dfsg1-7) unstable; urgency=high

   * Do not call otrs.SetPermissions.pl in postinst, since it modificates a few
diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/patches/31-CVE-2013-2625.diff 
3.1.7+dfsg1-8/debian/patches/31-CVE-2013-2625.diff
--- 3.1.7+dfsg1-7/debian/patches/31-CVE-2013-2625.diff  1970-01-01 
01:00:00.0 +0100
+++ 3.1.7+dfsg1-8/debian/patches/31-CVE-2013-2625.diff  2013-04-02 
10:48:16.819442449 +0200
@@ -0,0 +1,151 @@
+# Upstream patch from:
+# https://github.com/OTRS/otrs/commit/d90b8715dc348d57ffc415aeb1f57c31fa90c509
+# Improved permission checks in LinkObject.
+# This fixes CVE-2013-2625.
+
+diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/Modules/AgentLinkObject.pm 
otrs2-3.1.7+dfsg1/Kernel/Modules/AgentLinkObject.pm
+--- otrs2-3.1.7+dfsg1.orig/Kernel/Modules/AgentLinkObject.pm   2012-01-06 
14:00:04.0 +0100
 otrs2-3.1.7+dfsg1/Kernel/Modules/AgentLinkObject.pm2013-03-28 
09:46:00.652927141 +0100
+@@ -63,6 +63,20 @@
+ );
+ }
+
++# permission check
++my $Permission = $Self-{LinkObject}-ObjectPermission(
++Object = $Form{SourceObject},
++Key= $Form{SourceKey},
++UserID = $Self-{UserID},
++);
++
++if ( !$Permission ) {
++return $Self-{LayoutObject}-NoPermission(
++WithHeaderMessage= 'You need ro permission!',
++WithHeader = 'yes',
++);
++}
++
+ # get form params
+ $Form{TargetIdentifier} = $Self-{ParamObject}-GetParam( Param = 
'TargetIdentifier' )
+ || $Form{SourceObject};
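Review bot: The permission check added at the top of this hunk passes `$Form{SourceObject}` and `$Form{SourceKey}` to ObjectPermission ahead of the "get form params" block, and the only guard visible above it is the tail of an earlier error return. If either value can still be empty at this point, the Ticket backend's ObjectPermission logs an error and returns nothing, so the agent is shown 'You need ro permission!' rather than a missing-parameter error. Confirm that the preceding block rejects empty source values, or report the two cases separately.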
+@@ -140,6 +154,14 @@
+ next IDENTIFIER if !$Target[1];# TargetKey
+ next IDENTIFIER if !$Target[2];# LinkType
+
++my $DeletePermission = $Self-{LinkObject}-ObjectPermission(
++Object = $Target[0],
++Key= $Target[1],
++UserID = $Self-{UserID},
++);
++
++next IDENTIFIER if !$DeletePermission;
++
+ # delete link from database
+ my $Success = $Self-{LinkObject}-LinkDelete(
+ Object1 = $Form{SourceObject},
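Review bot: `next IDENTIFIER if !$DeletePermission;` drops a refused deletion silently: nothing is logged and the agent gets no indication that some of the selected links were left in place. Since this is the enforcement point of the CVE fix, consider logging the refused Object, Key and UserID so that denied attempts show up in the OTRS log. The same applies to `next TARGETKEYORG if !$AddPermission;` in the following hunk.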
+@@ -336,6 +358,14 @@
+ $TargetKey= $TargetKeyOrg;
+ }
+
++my $AddPermission = $Self-{LinkObject}-ObjectPermission(
++Object = $TargetObject,
++Key= $TargetKey,
++UserID = $Self-{UserID},
++);
++
++next TARGETKEYORG if !$AddPermission;
++
+ # add links to database
+ my $Success = $Self-{LinkObject}-LinkAdd(
+ SourceObject = $SourceObject,
+diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject/Ticket.pm 
otrs2-3.1.7+dfsg1/Kernel/System/LinkObject/Ticket.pm
+--- otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject/Ticket.pm  2012-01-10 
15:44:27.0 +0100
 otrs2-3.1.7+dfsg1/Kernel/System/LinkObject/Ticket.pm   2013-03-28 
09:46:00.656927287 +0100
+@@ -161,6 +161,39 @@
+ return 1;
+ }
+
++=item ObjectPermission()
++
++checks read permission for a given object and UserID.
++
++$Permission = $LinkObject-ObjectPermission(
++Object  = 'Ticket',
++Key = 123,
++UserID  = 1,
++);
++
++=cut
++
++sub ObjectPermission {
++my ( $Self, %Param ) = @_;
++
++# check needed stuff
++for my $Argument (qw(Object Key UserID)) {
++if ( !$Param{$Argument} ) {
++$Self-{LogObject}-Log(
++Priority = 'error',
++Message  = Need $Argument!,
++);
++return;
++}
++}
++
++return $Self-{TicketObject}-TicketPermission(
++Type = 'ro',
++TicketID = $Param{Key},
++UserID   = $Param{UserID},
++);
++}
++
+ =item ObjectDescriptionGet()
+
+ return a hash of object descriptions
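Review bot: ObjectPermission hard-codes Type 'ro' in its TicketPermission call, yet the callers store the result in `$DeletePermission` and `$AddPermission` and use it to gate LinkDelete and LinkAdd, which change state. Either say in the POD why read access to a ticket is enough to add or remove its links, or accept an optional Type argument so the add and delete paths can ask for a stronger permission. The required `Object` argument is also validated but never used in this backend.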
+diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject.pm 
otrs2-3.1.7+dfsg1/Kernel/System/LinkObject.pm
+--- 

Bug#704514: Acknowledgement (unblock: otrs2/3.1.7+dfsg1-8)

2013-04-02 Thread Patrick Matthäi

On 02.04.2013 11:15, Debian Bug Tracking System wrote:

Thank you for filing a new Bug report with Debian.



Hi,

just in this second upstream released the security advisory for 
CVE-2013-2625:

http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-01/


--
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

  Blog: http://www.linux-dev.org/
E-Mail: pmatth...@debian.org
patr...@linux-dev.org
*/





Bug#704520: RM: midgard2-core/10.05.7.1-1 php5-midgard2/10.05.7-1

2013-04-02 Thread Didier Raboud
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Hi dear Release Team, hi dear midgard2-core and php5-midgard2 maintainers,

as explained in http://bugs.debian.org/677795#67 , I think midgard2-core
(and its only build-rdep, php5-midgard2) should get removed from
testing:

 As I read it, the package had several packaging-related issues
 summing up to that serious bug, filed two weeks before the freeze.
 Since then, in September, a package supposedly fixing these issues has
 been uploaded and queued in NEW [0]; it hasn't been liberated from NEW
 yet. From here, I see three ways forward: 
 
 a) a new package enters unstable, and then Wheezy, but that seems
unlikely;
 b) midgard2-core and php5-midgard2 are removed from Wheezy, thereby
removing the RC bug.
 c) that bug either gets downgraded to non-RC severity, or tagged
wheezy-ignore by the release team.
 
 As I think the concerns originally leading to the severity of that bug
 are correct, I would rather be of the opinion to drop the two
 packages.

As you see, I think that at this point, b) is the only reasonable
choice.

Cheers,

OdyX

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-proposed-updates'), (500, 
'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#704524: unblock: nbd/1:3.2-4

2013-04-02 Thread Steven Chamberlain
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal
X-Debbugs-Cc: wou...@debian.org

Hi,

On 02/04/13 08:41, Wouter Verhelst wrote:
> I'd appreciate it if you could look at the upload and possibly approve
> it, although I of course concede that it's your prerogative to reject
> the upload for testing, if you think it prudent.
[...]
> I realize I might be looking like an ass here, but I'd really like some
> reply to this request.

It's in sid, so this might as well be an unblock request with debdiff
attached.  So I've done this for you.

Could the Release Team please consider to:
unblock nbd/1:3.2-4

But I'm fairly sure it's not acceptable in its current form.  I had to
gzip the debdiff to get a 10KiB attachment.  It seems autoconf stuff
was regenerated with newer versions?

Thanks,
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


nbd_3.2-2_3.2-4.debdiff.gz
Description: GNU Zip compressed data


Bug#704524: unblock: nbd/1:3.2-4

2013-04-02 Thread Steven Chamberlain
Control: tags -1 moreinfo

Hi Wouter,

You had a FTBFS on mips which would need to be fixed in any case.

 E: listing not allowed by server.
 FAIL: list

That sounds like it might be related to this change you mentioned?  But
seems odd it would only occur on one architecture:

On 12/03/13 09:39, Wouter Verhelst wrote:
> (make nbd-server not go berserk upon receipt of a 'list exports'
> packet; fixes a remote DoS

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org





Processed: Re: Bug#704524: unblock: nbd/1:3.2-4

2013-04-02 Thread Debian Bug Tracking System
Processing control commands:

 tags -1 moreinfo
Bug #704524 [release.debian.org] unblock: nbd/1:3.2-4
Added tag(s) moreinfo.

-- 
704524: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704524
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#704524: unblock: nbd/1:3.2-4

2013-04-02 Thread Wouter Verhelst
Hi Steven,

On 02-04-13 14:51, Steven Chamberlain wrote:
> Control: tags -1 moreinfo
>
> Hi Wouter,
>
> You had a FTBFS on mips which would need to be fixed in any case.
>
> > E: listing not allowed by server.
> > FAIL: list
> That sounds like it might be related to this change you mentioned?  But
> seems odd it would only occur on one architecture:

It's not the only failure in the test suite; looking at the tests that
failed, my guess is that there is another nbd-server running on the
buildd in question.

Mips buildd admins: can you please verify if that is the case? If so
(and it's not genuinely installed), please kill it and reschedule the
build, it should work then.

(I discovered a while back that the nbd-server test suite did not
properly kill the running server, which opens port 10809 by default. I
thought I fixed that, but I might be mistaken...)

-- 
Copyshops should do vouchers. So that next time some bureaucracy
requires you to mail a form in triplicate, you can mail it just once,
add a voucher, and save on postage.





Bug#704530: RM: semanticscuttle/0.98.4+dfsg-1

2013-04-02 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Hi,

Please remove semanticscuttle from wheezy.

The problems are detailed in RC bug #659390. My last message details that
I had to conquer three different problems to get to an error-free home
screen. Even if we fix all three, the presence of the problems indicates
that this package didn't receive adequate testing to be releasable at
this point.

In the bug log, the maintainer has already agreed with removal from
wheezy as a course of action. It has never been in a stable release.


Cheers,
Thijs





Bug#704473: RM: gnutls28 -- ROM; should not be shipped in wheezy

2013-04-02 Thread Ansgar Burchardt
Control: tag -1 moreinfo

Andreas Metzler ametz...@downhill.at.eu.org writes:
> please remove gnutls28 3.0.22-3 from unstable but keep the version in
> experimental.
>
> We currently intend to drop gnutls28 from wheezy, since it is a leaf
> package and creates non-negligible unnecessary work for
> Debian-security.
>
> gnutls26 will provide the binary packages gnutls-bin and guile-gnutls
> again (they are currently built from gnutls28.) I would like to do
> this transition via unstable and therefore ask you to remove gnutls28
> 3.0.22-3 (source and binary) from unstable. This is necessary since
> unstable has a newer version of gnutls28 than testing.
>
> See http://article.gmane.org/gmane.linux.debian.devel.release/64871
> for details.

In the patch there I see:

+binary-makedeb/gnutls-bin:: DEB_DH_GENCONTROL_ARGS := -- 
-v3.0.20-3+really$(DEB_VERSION)

That would make version number in unstable go backwards. We really don't
want this.

Is there any reason not to use 3.0.22-3+really$(something-else)? That
would be higher than the version in unstable.

Ansgar





Bug#704530: marked as done (RM: semanticscuttle/0.98.4+dfsg-1)

2013-04-02 Thread Debian Bug Tracking System
Your message dated Tue, 02 Apr 2013 19:27:23 +0100
with message-id 1364927243.4653.1.ca...@jacala.jungle.funky-badger.org
and subject line Re: Bug#704530: RM: semanticscuttle/0.98.4+dfsg-1
has caused the Debian Bug report #704530,
regarding RM: semanticscuttle/0.98.4+dfsg-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
704530: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704530
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
On Tue, 2013-04-02 at 17:21 +0200, Thijs Kinkhorst wrote:
> Please remove semanticscuttle from wheezy.
>
> The problems are detailed in RC bug #659390. My last message details that
> I had to conquer three different problems to get to an error-free home
> screen. Even if we fix all three, the presence of the problems indicates
> that this package didn't receive adequate testing to be releasable at
> this point.
>
> In the bug log, the maintainer has already agreed with removal from
> wheezy as a course of action. It has never been in a stable release.

Removal hint added.

Regards,

Adam---End Message---


Bug#703818: marked as done (tpu: fonts-vlgothic/20120629-2)

2013-04-02 Thread Debian Bug Tracking System
Your message dated Tue, 2 Apr 2013 21:17:10 +0200
with message-id 20130402191710.ge5...@radis.cristau.org
and subject line Re: Bug#703818: tpu: fonts-vlgothic/20120629-2
has caused the Debian Bug report #703818,
regarding tpu: fonts-vlgothic/20120629-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
703818: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703818
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: tpu

Hi,

 Please approve the fonts-vlgothic-20120629-2 upload to testing-proposed-updates.
 The fix is tiny, as shown below, and is the same fix as for
 fonts-ipafont/ipaexfont, which was permitted into wheezy before.


diff -Nru fonts-vlgothic-20120629/debian/changelog 
fonts-vlgothic-20120629/debian/changelog
--- fonts-vlgothic-20120629/debian/changelog2012-06-29 16:29:25.0 
+0900
+++ fonts-vlgothic-20120629/debian/changelog2013-03-24 13:50:11.0 
+0900
@@ -1,3 +1,16 @@
+fonts-vlgothic (20120629-2) testing-proposed-updates; urgency=low
+
+  [ Andreas Beckmann a...@debian.org ] 
+  * ttf-vlgothic.preinst: Unregister the ttf-japanese-gothic.ttf alternative.
+  * fonts-vlgothic.preinst: Clean up the ttf-japanese-gothic.ttf alternative
+set up by ttf-vlgothic in squeeze. This needs to be done in fonts-vlgothic
+as well since there is no guarantee that the transitional ttf-vlgothic
+package was installed and has cleaned this up. Since new installations of
+fonts-vlgothic cannot be distinguished from upgrades from ttf-vlgothic,
+this needs to be run on new installations, too.  (Closes: #699905)
+
+ -- Hideki Yamane henr...@debian.org  Sun, 24 Mar 2013 13:41:11 +0900
+
 fonts-vlgothic (20120629-1) unstable; urgency=low
 
   * New upstream release 
diff -Nru fonts-vlgothic-20120629/debian/fonts-vlgothic.preinst 
fonts-vlgothic-20120629/debian/fonts-vlgothic.preinst
--- fonts-vlgothic-20120629/debian/fonts-vlgothic.preinst   2011-09-18 
23:16:57.0 +0900
+++ fonts-vlgothic-20120629/debian/fonts-vlgothic.preinst   2013-03-24 
13:47:02.0 +0900
@@ -72,6 +72,18 @@
   fi
   fi
 
+   # Remove the alternative set up by the old ttf-vlgothic package.
+   # Do this again here since there is no guarantee that the transitional
+   # ttf-vlgothic package was installed and has cleaned this up.
+   # Do this for new installations (as we can't distinguish them from
+   # upgrades from ttf-vlgothic) as well as upgrades that did not yet
+   # clean this up.
+   # (This can be removed after jessie was released with this code.)
+   if dpkg --compare-versions $2 lt 20120629-1.1~ ; then
+   update-alternatives --remove ttf-japanese-gothic.ttf \
+   /usr/share/fonts/truetype/vlgothic/VL-Gothic-Regular.ttf
+   fi
+
 esac
 
 #DEBHELPER#
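Review bot: In the added `if dpkg --compare-versions $2 lt 20120629-1.1~` line, `$2` is unquoted as rendered here. The comment above it says the cleanup must also run on new installations, where preinst gets no old version and `$2` is empty; unquoted, the empty value disappears from the argument list, dpkg is called with two arguments instead of three and the test fails, so the branch is skipped. Write "$2" so that dpkg receives an empty version, which `lt` treats as earlier than any version, and the fresh-install case takes the branch as intended.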
---End Message---
---BeginMessage---
On Mon, Apr  1, 2013 at 09:16:41 +0900, Hideki Yamane wrote:

 On Mon, 1 Apr 2013 00:45:04 +0100
 Jonathan Wiltshire j...@debian.org wrote:
  Please go ahead and ping this bug when it is uploaded.
 
  Thanks! uploaded it.
 
Approved.

Cheers,
Julien


signature.asc
Description: Digital signature
---End Message---


Bug#704442: marked as done (unblock: devscripts/2.12.7 (pre-approval dch --bpo fix))

2013-04-02 Thread Debian Bug Tracking System
Your message dated Tue, 2 Apr 2013 21:20:06 +0200
with message-id 20130402192006.gf5...@radis.cristau.org
and subject line Re: Bug#704442: unblock: devscripts/2.12.7 (pre-approval dch 
--bpo fix)
has caused the Debian Bug report #704442,
regarding unblock: devscripts/2.12.7 (pre-approval dch --bpo fix)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
704442: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704442
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear Release Team,

In the current version of devscripts in wheezy, when invoking dch --bpo,
generates a changelog like this one:
devscripts (2.12.6~bpo60+1) squeeze-backports; urgency=low

It should of course use this instead:
devscripts (2.12.6~bpo70+1) wheezy-backports; urgency=low

Would the release team accept that I upload the attached fix to SID,
in order to fix this problem in Wheezy? I think it's rather minimal,
so it shouldn't be a big problem. Otherwise, I'm ok to wait for the
release, and upload the fix in wheezy-proposed-updates, though since
we already have backports opened, I think it would be wise not to
delay this fix too much.

Please let me know.

Cheers,

Thomas Goirand (zigo)
diff -Nru devscripts-2.12.6/debian/changelog devscripts-2.12.7/debian/changelog
--- devscripts-2.12.6/debian/changelog	2012-11-25 07:49:03.0 +0800
+++ devscripts-2.12.7/debian/changelog	2013-03-21 23:36:50.0 +0800
@@ -1,3 +1,9 @@
+devscripts (2.12.7) unstable; urgency=low
+
+  * Now using ~bpo70+1 instead of ~bpo60+1 when invoking dch --bpo.
+
+ -- Thomas Goirand z...@debian.org  Thu, 21 Mar 2013 23:36:16 +0800
+
 devscripts (2.12.6) unstable; urgency=low
 
   * Actual install German translation.
diff -Nru devscripts-2.12.6/scripts/debchange.pl devscripts-2.12.7/scripts/debchange.pl
--- devscripts-2.12.6/scripts/debchange.pl	2012-07-07 06:29:24.0 +0800
+++ devscripts-2.12.7/scripts/debchange.pl	2013-03-21 23:38:18.0 +0800
@@ -613,8 +613,8 @@
 my $EMAIL = 'EMAIL';
 my $DISTRIBUTION = 'UNRELEASED';
 my $bpo_dist = '';
-my %bpo_dists = ( 60, 'squeeze' );
-my $latest_bpo_dist = '60';
+my %bpo_dists = ( 70, 'wheezy' );
+my $latest_bpo_dist = '70';
 my $CHANGES = '';
 # Changelog urgency, possibly propogated to NEWS files
 my $CL_URGENCY = '';
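Review bot: The replacement `my %bpo_dists = ( 70, 'wheezy' );` drops the 60/squeeze pair instead of adding to the map, so after this change the table no longer knows squeeze-backports at all. If `dch --bpo` should still be able to write ~bpo60+1 entries for squeeze, keep both pairs in `%bpo_dists` and move only `$latest_bpo_dist` to '70'.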
---End Message---
---BeginMessage---
On Tue, Apr  2, 2013 at 01:21:58 +0800, Thomas Goirand wrote:

> Anyway, I don't think this is very critical. If you would like to forget
> about this until the release, and focus on more important things, I'm ok
> with that.
 
Let's do that then.

Cheers,
Julien


---End Message---


Bug#704432: unblock: linux/3.2.41-2

2013-04-02 Thread Julien Cristau
Control: tags -1 confirmed d-i

On Mon, Apr  1, 2013 at 03:57:12 +0100, Ben Hutchings wrote:

 Package: release.debian.org
 Severity: normal
 User: release.debian@packages.debian.org
 Usertags: unblock
 
 Please unblock package linux
 
 The changes from 3.2.39-2 to 3.2.41-2 include:
 
from a while ago:
 jcristau KiBi: there's a new kernel, too
 KiBi need to look up the ia64 thing
 KiBi not listed in pkglists, so should be ok too

cc:ing to confirm this is ok from the d-i pov.

Cheers,
Julien




Processed: Re: Bug#704432: unblock: linux/3.2.41-2

2013-04-02 Thread Debian Bug Tracking System
Processing control commands:

 tags -1 confirmed d-i
Bug #704432 [release.debian.org] unblock: linux/3.2.41-2
Added tag(s) d-i and confirmed.

-- 
704432: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704432
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#704514: marked as done (unblock: otrs2/3.1.7+dfsg1-8)

2013-04-02 Thread Debian Bug Tracking System
Your message dated Tue, 02 Apr 2013 20:41:09 +0100
with message-id 1364931669.4653.5.ca...@jacala.jungle.funky-badger.org
and subject line Re: Bug#704514: unblock: otrs2/3.1.7+dfsg1-8
has caused the Debian Bug report #704514,
regarding unblock: otrs2/3.1.7+dfsg1-8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
704514: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704514
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Re: Bug#695224: Locale::Maketext versioning in perl package

2013-04-02 Thread Niko Tyni
On Sun, Mar 31, 2013 at 05:46:12PM +0100, Dominic Hargreaves wrote:
 
 There is a problem with the perl package, as discussed in 
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#55
 onwards, whereby the application of the security fix in that ticket
 now causes double-escaping problems where people work around the problem
 by escaping themselves, when they detect an earlier Locale::Maketext
 by version number.
 
 I am slightly wary about importing the new (1.23) version of
 Locale::Maketext as I mentioned in that bug already, but my fears may
 be unfounded. Could you comment about whether you would accept such
 a change in wheezy at this time? (I can't really decide whether it's
 RC or not).

FWIW, it looks clear to me that the only functional changes in the patch
are the $VERSION increments in the .pm files. The rest is documentation
and test cases, and the only important $VERSION is most probably
the main one in Locale/Maketext.pm.

While that change itself is trivial, it has action-at-distance effects -
otherwise this wouldn't be an issue at all. I think the risk potential
is mostly in breaking something that's trusting Module::CoreList
(dh-make-perl and lintian come to mind, CPAN.pm and CPANPLUS.pm might
be affected somehow too?), and that it's not a very big risk but still
a real one.

Thinking about the necessity of this: Paul is IMO right that security
fixes and other backported stuff usually don't change functionality
API-wise, and I'm generally sympathetic to the idea of incrementing
$VERSION when they do. Unfortunately that's hard to do in the general case
(as the versioning scheme doesn't really support downstream branching.)

In this specific case, upgrading Locale::Maketext fully to 1.23 in wheezy
would probably have been the right thing to do if we had anticipated
these issues. But we didn't, and it seems very late in the release
process to do it now. Also, I can't really see us applying anything but
the targeted fix for squeeze.

I see Fedora/RedHat also upgraded their Locale::Maketext modules without
incrementing $VERSION (I checked the patches in RHEL 6 / Perl 5.10.1 and
Fedora Core 16 & 17 / Perl 5.14.3). So it looks like even if we do try
to fix this for wheezy, applications still have to check for features
rather than versions to stay on the safe side.
-- 
Niko Tyni   nt...@debian.org


Archive: http://lists.debian.org/20130402191556.GA5302@madeleine.local.invalid



Bug#704432: unblock: linux/3.2.41-2

2013-04-02 Thread Ben Hutchings
On Tue, Apr 02, 2013 at 09:26:21PM +0200, Julien Cristau wrote:
> Control: tags -1 confirmed d-i
>
> On Mon, Apr  1, 2013 at 03:57:12 +0100, Ben Hutchings wrote:
>
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> >
> > Please unblock package linux
> >
> > The changes from 3.2.39-2 to 3.2.41-2 include:
> >
> from a while ago:
> <jcristau> KiBi: there's a new kernel, too
> <KiBi> need to look up the ia64 thing
> <KiBi> not listed in pkglists, so should be ok too
>
> cc:ing to confirm this is ok from the d-i pov.

kernel-image-3.2.0-4-itanium-di now provides efi-modules, so I believe
d-i should carry on building.  ia64 netboot will be broken but that's
basically unavoidable.

Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
  - Albert Camus


Archive: http://lists.debian.org/20130402195225.gb2...@decadent.org.uk



Bug#704291: marked as done (unblock: openjdk-7/7u3-2.1.7-1)

2013-04-02 Thread Debian Bug Tracking System
Your message dated Tue, 02 Apr 2013 21:10:20 +0100
with message-id 1364933420.4653.6.ca...@jacala.jungle.funky-badger.org
and subject line Re: Bug#704291: unblock: openjdk-7/7u3-2.1.7-1
has caused the Debian Bug report #704291,
regarding unblock: openjdk-7/7u3-2.1.7-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
704291: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704291
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock

please unblock openjdk-7/7u3-2.1.7-1, new minor upstream version including two
security issues:

openjdk-7 (7u3-2.1.7-1) unstable; urgency=high

  * IcedTea7 2.1.7 release:
  * Security fixes:
    - S8007014, CVE-2013-0809: Improve image handling.
    - S8007675, CVE-2013-1493: Improve color conversion.
  * Backports:
    - S8002344: Krb5LoginModule config class does not return proper KDC list
      from DNS.
    - S8004344: Fix a crash in ToolkitErrorHandler() in XlibWrapper.c.
    - S8006179: JSR292 MethodHandles lookup with interface using findVirtual().
    - S8006882: Proxy generated classes in sun.proxy package breaks JMockit.
  * Bug fixes:
    - PR1303: Correct #ifdef to #if
    - Stop libraries being stripped in the OpenJDK build.
    - PR1340: Simplify the rhino class rewriter to avoid use of concurrency.
    - Revert 7017193 and add the missing free call, until a better fix is ready.
---End Message---
---BeginMessage---
On Sun, 2013-03-31 at 11:08 +0200, Matthias Klose wrote:
> please unblock openjdk-7/7u3-2.1.7-1, new minor upstream version including two
> security issues:

Done.

Regards,

Adam
---End Message---


Bug#704432: unblock: linux/3.2.41-2

2013-04-02 Thread Cyril Brulebois
Ben Hutchings b...@decadent.org.uk (02/04/2013):
> > from a while ago:
> > <jcristau> KiBi: there's a new kernel, too
> > <KiBi> need to look up the ia64 thing
> > <KiBi> not listed in pkglists, so should be ok too
> >
> > cc:ing to confirm this is ok from the d-i pov.
>
> kernel-image-3.2.0-4-itanium-di now provides efi-modules, so I
> believe d-i should carry on building.  ia64 netboot will be broken
> but that's basically unavoidable.

Please go ahead.

Mraw,
KiBi.




Bug#704444: unblock: cacti/0.8.8a+dfsg-4

2013-04-02 Thread Jonathan Wiltshire
Hi,

On Mon, Apr 01, 2013 at 10:03:09AM +0200, Paul Gevers wrote:
> I have attached the debdiff between version 3 currently in Wheezy and
> version 4, now in unstable.

Being a regression and, if I understand correctly from others, rather
awkward for users, I'm surprised to see this bug is severity:normal. Is
that really a true reflection?

Either way it's rather a large diff, I'm inclined towards deferring to a
point release at least...

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
8-10. i am well qualified to say it is made from bonghits
layered on top of bonghits




How to Provide Customer Service That Impresses and Surprises

2013-04-02 Thread Lic. Areliz Massanges.
Don't leave your customers' satisfaction to chance!

HOW TO PROVIDE customer service that IMPRESSES and SURPRISES.
April 22 - From 10:00 a.m. to 1:00 p.m. and from 3:00 p.m. to 6:00 p.m. (Central
Mexico Time).
Place: Your computer or mobile device.

When it comes to making your business stand out for the quality of the service
it provides, satisfying your customer is not enough; you need to exceed their
expectations!  A customer your company has won over feels important
and valued, comes back continually, and will recommend you to colleagues, friends and
family, both in person and on social networks.

Includes:
•How to “connect” with your customer.
•How to project attentiveness and empathy, even under pressure.
•Powerful tips for handling different customer personalities.

Get the complete brochure with no obligation; just reply to this e-mail with
the following details:
Name:
Company:
Telephone:

It will be a pleasure to assist you!
Lic. Areliz Massanges.
Project Leader.

Or contact our Call Center at 018002129393

To remove your address debian-release@lists.debian.org from our list,
reply cli22.



Archive: 
http://lists.debian.org/f21046caca5c12a279fa80b5001dc...@institucioneseducativas.info



Bug#704566: unblock: isc-dhcp/4.2.2.dfsg.1-5+deb70u4

2013-04-02 Thread Michael Gilbert
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package isc-dhcp

This upload fixes a security issue in the embedded bind library.  It's
a bit large due to the addition of a secondary patch system for
patching bind issues.  Please see attached patch.

unblock isc-dhcp/4.2.2.dfsg.1-5+deb70u4


dhcp.patch
Description: Binary data