Bug#703153: unblock: binkd/0.9.11-1.1
Control: retitle -1 unblock: binkd/0.9.11-1.1 NMU entered (after some DELAY) unstable last week. Andreas -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/515a7d35.6070...@debian.org
Re: nbd freeze exception?
Hi all, On 29-03-13 08:24, Wouter Verhelst wrote: Hrm. Some of these are things that I do think should be part of r0. How about this, then: - No new upstream release (I knew that was a long shot, but hey, I had to try) - I do upload a package with the following patches: - #685610 (important bug, failure of name-based exports when not used as root filesystem; patch in the BTS) - http://nbd.git.sourceforge.net/git/gitweb.cgi?p=nbd/nbd;a=commitdiff;h=a0c3244429ea367defc0867cea8b2f351581c9d5 (make nbd-server not go berserk upon receipt of a 'list exports' packet; fixes a remote DoS; not RC because it's disabled by default, but bad enough that it shouldn't be in the release) - http://nbd.git.sourceforge.net/git/gitweb.cgi?p=nbd/nbd;a=commitdiff;h=9c8f822c023732ca9871358e2d324257e0290707 (or equivalent; there is still some discussion on that patch. Fixes a false positive for a request out of range error that triggers on 32-bit machines only) I've never received an answer to this. Meanwhile, I've done two uploads (because I forgot to fix the 'list exports' thing in the first upload, so I had to do another) with hardly anything more than the above. I'd appreciate it if you could look at the upload and possibly approve it, although I of course concede that it's your prerogative to reject the upload for testing, if you think it prudent. Thanks, I realize I might be looking like an ass here, but I'd really like some reply to this request. For reference, the individual patches that went into these releases are available (with more detailed explanation) at http://anonscm.debian.org/gitweb/?p=users/wouter/nbd.git;a=summary. I didn't drink the 3.0 (quilt) kool-aid, so not there yet. Thanks, -- Copyshops should do vouchers. So that next time some bureaucracy requires you to mail a form in triplicate, you can mail it just once, add a voucher, and save on postage.
Bug#704514: unblock: otrs2/3.1.7+dfsg1-8
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package otrs2 diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/changelog 3.1.7+dfsg1-8/debian/changelog --- 3.1.7+dfsg1-7/debian/changelog 2013-02-27 10:25:48.144232210 +0100 +++ 3.1.7+dfsg1-8/debian/changelog 2013-04-02 10:48:16.815442475 +0200 @@ -1,3 +1,14 @@ +otrs2 (3.1.7+dfsg1-8) unstable; urgency=high + + * Add missing post database schemas for new installations with dbconfig. +Without it, new installations will miss some important foreign keys and +later fail to update to version 3.2.x. +Closes: #702251 + * Add upstream patch 31-CVE-2013-2625 to improve permission checks in +LinkObject. This fixes CVE-2013-2625. + + -- Patrick Matthäi pmatth...@debian.org Tue, 02 Apr 2013 10:39:24 +0200 + otrs2 (3.1.7+dfsg1-7) unstable; urgency=high * Do not call otrs.SetPermissions.pl in postinst, since it modificates a few diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/patches/31-CVE-2013-2625.diff 3.1.7+dfsg1-8/debian/patches/31-CVE-2013-2625.diff --- 3.1.7+dfsg1-7/debian/patches/31-CVE-2013-2625.diff 1970-01-01 01:00:00.0 +0100 +++ 3.1.7+dfsg1-8/debian/patches/31-CVE-2013-2625.diff 2013-04-02 10:48:16.819442449 +0200 
@@ -0,0 +1,151 @@ +# Upstream patch from: +# https://github.com/OTRS/otrs/commit/d90b8715dc348d57ffc415aeb1f57c31fa90c509 +# Improved permission checks in LinkObject. +# This fixes CVE-2013-2625. + +diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/Modules/AgentLinkObject.pm otrs2-3.1.7+dfsg1/Kernel/Modules/AgentLinkObject.pm +--- otrs2-3.1.7+dfsg1.orig/Kernel/Modules/AgentLinkObject.pm 2012-01-06 14:00:04.0 +0100 otrs2-3.1.7+dfsg1/Kernel/Modules/AgentLinkObject.pm2013-03-28 09:46:00.652927141 +0100 +@@ -63,6 +63,20 @@ + ); + } + ++# permission check ++my $Permission = $Self-{LinkObject}-ObjectPermission( ++Object = $Form{SourceObject}, ++Key= $Form{SourceKey}, ++UserID = $Self-{UserID}, ++); ++ ++if ( !$Permission ) { ++return $Self-{LayoutObject}-NoPermission( ++WithHeaderMessage= 'You need ro permission!', ++WithHeader = 'yes', ++); ++} ++ + # get form params + $Form{TargetIdentifier} = $Self-{ParamObject}-GetParam( Param = 'TargetIdentifier' ) + || $Form{SourceObject}; +@@ -140,6 +154,14 @@ + next IDENTIFIER if !$Target[1];# TargetKey + next IDENTIFIER if !$Target[2];# LinkType + ++my $DeletePermission = $Self-{LinkObject}-ObjectPermission( ++Object = $Target[0], ++Key= $Target[1], ++UserID = $Self-{UserID}, ++); ++ ++next IDENTIFIER if !$DeletePermission; ++ + # delete link from database + my $Success = $Self-{LinkObject}-LinkDelete( + Object1 = $Form{SourceObject}, +@@ -336,6 +358,14 @@ + $TargetKey= $TargetKeyOrg; + } + ++my $AddPermission = $Self-{LinkObject}-ObjectPermission( ++Object = $TargetObject, ++Key= $TargetKey, ++UserID = $Self-{UserID}, ++); ++ ++next TARGETKEYORG if !$AddPermission; ++ + # add links to database + my $Success = $Self-{LinkObject}-LinkAdd( + SourceObject = $SourceObject, +diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject/Ticket.pm otrs2-3.1.7+dfsg1/Kernel/System/LinkObject/Ticket.pm +--- otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject/Ticket.pm 2012-01-10 15:44:27.0 +0100 otrs2-3.1.7+dfsg1/Kernel/System/LinkObject/Ticket.pm 
2013-03-28 09:46:00.656927287 +0100 +@@ -161,6 +161,39 @@ + return 1; + } + ++=item ObjectPermission() ++ ++checks read permission for a given object and UserID. ++ ++$Permission = $LinkObject-ObjectPermission( ++Object = 'Ticket', ++Key = 123, ++UserID = 1, ++); ++ ++=cut ++ ++sub ObjectPermission { ++my ( $Self, %Param ) = @_; ++ ++# check needed stuff ++for my $Argument (qw(Object Key UserID)) { ++if ( !$Param{$Argument} ) { ++$Self-{LogObject}-Log( ++Priority = 'error', ++Message = Need $Argument!, ++); ++return; ++} ++} ++ ++return $Self-{TicketObject}-TicketPermission( ++Type = 'ro', ++TicketID = $Param{Key}, ++UserID = $Param{UserID}, ++); ++} ++ + =item ObjectDescriptionGet() + + return a hash of object descriptions +diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject.pm otrs2-3.1.7+dfsg1/Kernel/System/LinkObject.pm +---
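Review bot: In Kernel/System/LinkObject/Ticket.pm, ObjectPermission() always asks TicketPermission for Type 'ro', yet AgentLinkObject.pm uses its result ($DeletePermission, $AddPermission) to gate LinkDelete and LinkAdd, which change link state. If read access is meant to be enough to link and unlink tickets, state that in the POD, which currently only says "checks read permission"; otherwise let the caller pass the required permission type and ask for a write-level one on the add and delete paths.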
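Review bot: In the AgentLinkObject.pm hunks at @@ -140 and @@ -336, a failed check is skipped silently with `next IDENTIFIER if !$DeletePermission;` and `next TARGETKEYORG if !$AddPermission;`, whereas the source-object check at @@ -63 returns NoPermission to the agent. Consider logging the denied Object, Key and UserID through LogObject, as ObjectPermission() already does for missing arguments, so that rejected link changes leave a trace, and tell the agent that some of the requested links were not changed.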
Bug#704514: Acknowledgement (unblock: otrs2/3.1.7+dfsg1-8)
On 02.04.2013 11:15, Debian Bug Tracking System wrote: Thank you for filing a new Bug report with Debian. Hi, just in this second upstream released the security advisory for CVE-2013-2625: http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-01/ -- /* Mit freundlichem Gruß / With kind regards, Patrick Matthäi GNU/Linux Debian Developer Blog: http://www.linux-dev.org/ E-Mail: pmatth...@debian.org patr...@linux-dev.org */
Bug#704520: RM: midgard2-core/10.05.7.1-1 php5-midgard2/10.05.7-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Hi dear Release Team, hi dear midgard2-core and php5-midgard2 maintainers, as explained in http://bugs.debian.org/677795#67 , I think midgard2-core (and its only build-rdep, php5-midgard2) should get removed from testing: As I read it, the package had several packaging-related issues summing up to that serious bug, filed two weeks before the freeze. Since then, in September, a package supposedly fixing these issues has been uploaded and queued in NEW [0]; it hasn't been liberated from NEW yet. From here, I see three ways forward: a) a new package enters unstable, and then Wheezy, but that seems unlikely; b) midgard2-core and php5-midgard2 are removed from Wheezy, thereby removing the RC bug. c) that bug either gets downgraded to non-RC severity, or tagged wheezy-ignore by the release team. As I think the concerns originally leading to the severity of that bug are correct, I would rather be of the opinion to drop the two packages. As you see, I think that at this point, b) is the only reasonable choice. Cheers, OdyX -- System Information: Debian Release: 7.0 APT prefers testing APT policy: (990, 'testing'), (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
Bug#704524: unblock: nbd/1:3.2-4
Package: release.debian.org User: release.debian@packages.debian.org Usertags: unblock Severity: normal X-Debbugs-Cc: wou...@debian.org Hi, On 02/04/13 08:41, Wouter Verhelst wrote: I'd appreciate it if you could look at the upload and possibly approve it, although I of course concede that it's your prerogative to reject the upload for testing, if you think it prudent. [...] I realize I might be looking like an ass here, but I'd really like some reply to this request. It's in sid, so this might as well be an unblock request with debdiff attached. So I've done this for you. Could the Release Team please consider to: unblock nbd/1:3.2-4 But I'm fairly sure it's not acceptable in its current form. I had to gzip the debdiff to get a 10KiB attachment. It seems autoconf stuff was regenerated with newer versions? Thanks, Regards, -- Steven Chamberlain ste...@pyro.eu.org nbd_3.2-2_3.2-4.debdiff.gz Description: GNU Zip compressed data
Bug#704524: unblock: nbd/1:3.2-4
Control: tags -1 moreinfo Hi Wouter, You had a FTBFS on mips which would need to be fixed in any case. E: listing not allowed by server. FAIL: list That sounds like it might be related to this change you mentioned? But seems odd it would only occur on one architecture: On 12/03/13 09:39, Wouter Verhelst wrote: (make nbd-server not go berserk upon receipt of a 'list exports' packet; fixes a remote DoS Regards, -- Steven Chamberlain ste...@pyro.eu.org
Processed: Re: Bug#704524: unblock: nbd/1:3.2-4
Processing control commands: tags -1 moreinfo Bug #704524 [release.debian.org] unblock: nbd/1:3.2-4 Added tag(s) moreinfo. -- 704524: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704524 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#704524: unblock: nbd/1:3.2-4
Hi Steven, On 02-04-13 14:51, Steven Chamberlain wrote: Control: tags -1 moreinfo Hi Wouter, You had a FTBFS on mips which would need to be fixed in any case. E: listing not allowed by server. FAIL: list That sounds like it might be related to this change you mentioned? But seems odd it would only occur on one architecture: It's not the only failure in the test suite; looking at the tests that failed, my guess is that there is another nbd-server running on the buildd in question. Mips buildd admins: can you please verify if that is the case? If so (and it's not genuinely installed), please kill it and reschedule the build, it should work then. (I discovered a while back that the nbd-server test suite did not properly kill the running server, which opens port 10809 by default. I thought I fixed that, but I might be mistaken...) -- Copyshops should do vouchers. So that next time some bureaucracy requires you to mail a form in triplicate, you can mail it just once, add a voucher, and save on postage.
Bug#704530: RM: semanticscuttle/0.98.4+dfsg-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Hi, Please remove semanticscuttle from wheezy. The problems are detailed in RC bug #659390. My last message details that I had to conquer three different problems to get to an error-free home screen. Even if we fix all three, the presence of the problems indicates that this package didn't receive adequate testing to be releasable at this point. In the bug log, the maintainer has already agreed with removal from wheezy as a course of action. It has never been in a stable release. Cheers, Thijs
Bug#704473: RM: gnutls28 -- ROM; should not be shipped in wheezy
Control: tag -1 moreinfo Andreas Metzler ametz...@downhill.at.eu.org writes: please remove gnutls28 3.0.22-3 from unstable but keep the version in experimental. We currently intend to drop gnutls28 from wheezy, since it is a leaf package and creates non-negligible unnecessary work for Debian-security. gnutls26 will provide the binary packages gnutls-bin and guile-gnutls again (they are currently built from gnutls28.) I would like to do this transition via unstable and therefore ask you to remove gnutls28 3.0.22-3 (source and binary) from unstable. This is necessary since unstable has a newer version of gnutls28 than testing. See http://article.gmane.org/gmane.linux.debian.devel.release/64871 for details. In the patch there I see: +binary-makedeb/gnutls-bin:: DEB_DH_GENCONTROL_ARGS := -- -v3.0.20-3+really$(DEB_VERSION) That would make version number in unstable go backwards. We really don't want this. Is there any reason not to use 3.0.22-3+really$(something-else)? That would be higher than the version in unstable. Ansgar
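The ordering concern in the message above can be checked mechanically. The following is an added example, not code from the thread or from dpkg: a small Python implementation of Debian's version comparison rules, applied to the two candidate `-v` values. The gnutls26 version `2.12.20-4` substituted for `$(DEB_VERSION)` is a constructed placeholder; `3.0.22-3` is the unstable version named in the message.

```python
"""Debian version ordering, enough to check whether an upload sorts backwards."""


def _order(ch):
    # Weight of one character inside a non-digit run:
    # '~' sorts before everything, even the end of the string; letters sort
    # before all other punctuation; "" stands for "end of run".
    if ch == "":
        return 0
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare two upstream-version or revision strings; returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # 1. Compare the leading non-digit runs character by character.
        while (i < len(a) and not a[i].isdigit()) or (
            j < len(b) and not b[j].isdigit()
        ):
            ca = a[i] if i < len(a) and not a[i].isdigit() else ""
            cb = b[j] if j < len(b) and not b[j].isdigit() else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            i += 1  # equal weights here means the same non-digit character
            j += 1
        # 2. Compare the following digit runs numerically (empty run is 0).
        si, sj = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[si:i] or 0), int(b[sj:j] or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, colon, rest = v.partition(":")
    if not colon:
        epoch, rest = "0", v
    # The revision is whatever follows the LAST hyphen.
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to or after b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def supersedes(proposed, in_archive):
    """True only if `proposed` sorts strictly after `in_archive`."""
    return compare_versions(proposed, in_archive) > 0


UNSTABLE = "3.0.22-3"            # gnutls28 version in unstable, from the message
GNUTLS26_VERSION = "2.12.20-4"   # constructed placeholder for $(DEB_VERSION)
PROPOSED = "3.0.20-3+really" + GNUTLS26_VERSION      # value in the quoted patch
SUGGESTED = "3.0.22-3+really" + GNUTLS26_VERSION     # value suggested in reply

if __name__ == "__main__":
    for candidate in (PROPOSED, SUGGESTED):
        verdict = "supersedes" if supersedes(candidate, UNSTABLE) else "sorts at or below"
        print(f"{candidate} {verdict} {UNSTABLE}")
```

A binary package whose version sorts below the one already published is never selected as an upgrade by the package manager, which is why the prefix has to start from the highest version in the archive.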
Bug#704530: marked as done (RM: semanticscuttle/0.98.4+dfsg-1)
Your message dated Tue, 02 Apr 2013 19:27:23 +0100 with message-id 1364927243.4653.1.ca...@jacala.jungle.funky-badger.org and subject line Re: Bug#704530: RM: semanticscuttle/0.98.4+dfsg-1 has caused the Debian Bug report #704530, regarding RM: semanticscuttle/0.98.4+dfsg-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 704530: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704530 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Hi, Please remove semanticscuttle from wheezy. The problems are detailed in RC bug #659390. My last message details that I had to conquer three different problems to get to an error-free home screen. Even if we fix all three, the presence of the problems indicates that this package didn't receive adequate testing to be releasable at this point. In the bug log, the maintainer has already agreed with removal from wheezy as a course of action. It has never been in a stable release. Cheers, Thijs ---End Message--- ---BeginMessage--- On Tue, 2013-04-02 at 17:21 +0200, Thijs Kinkhorst wrote: Please remove semanticscuttle from wheezy. The problems are detailed in RC bug #659390. My last message details that I had to conquer three different problems to get to an error-free home screen. Even if we fix all three, the presence of the problems indicates that this package didn't receive adequate testing to be releasable at this point. In the bug log, the maintainer has already agreed with removal from wheezy as a course of action. 
It has never been in a stable release. Removal hint added. Regards, Adam---End Message---
Bug#703818: marked as done (tpu: fonts-vlgothic/20120629-2)
Your message dated Tue, 2 Apr 2013 21:17:10 +0200 with message-id 20130402191710.ge5...@radis.cristau.org and subject line Re: Bug#703818: tpu: fonts-vlgothic/20120629-2 has caused the Debian Bug report #703818, regarding tpu: fonts-vlgothic/20120629-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 703818: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703818 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: tpu Hi, Please approve fonts-vlgothic-20120629-2 upload to testing-proposed-updates. Its fix is tiny as below, and same fix for fonts-ipafont/ipaexfont which is permitted to introduce wheezy before. diff -Nru fonts-vlgothic-20120629/debian/changelog fonts-vlgothic-20120629/debian/changelog --- fonts-vlgothic-20120629/debian/changelog2012-06-29 16:29:25.0 +0900 +++ fonts-vlgothic-20120629/debian/changelog2013-03-24 13:50:11.0 +0900 
@@ -1,3 +1,16 @@ +fonts-vlgothic (20120629-2) testing-proposed-updates; urgency=low + + [ Andreas Beckmann a...@debian.org ] + * ttf-vlgothic.preinst: Unregister the ttf-japanese-gothic.ttf alternative. + * fonts-vlgothic.preinst: Clean up the ttf-japanese-gothic.ttf alternative +set up by ttf-vlgothic in squeeze. This needs to be done in fonts-vlgothic +as well since there is no guarantee that the transitional ttf-vlgothic +package was installed and has cleaned this up. Since new installations of +fonts-vlgothic cannot be distinguished from upgrades from ttf-vlgothic, +this needs to be run on new installations, too. (Closes: #699905) + + -- Hideki Yamane henr...@debian.org Sun, 24 Mar 2013 13:41:11 +0900 + fonts-vlgothic (20120629-1) unstable; urgency=low * New upstream release diff -Nru fonts-vlgothic-20120629/debian/fonts-vlgothic.preinst fonts-vlgothic-20120629/debian/fonts-vlgothic.preinst --- fonts-vlgothic-20120629/debian/fonts-vlgothic.preinst 2011-09-18 23:16:57.0 +0900 +++ fonts-vlgothic-20120629/debian/fonts-vlgothic.preinst 2013-03-24 13:47:02.0 +0900 
@@ -72,6 +72,18 @@ fi fi + # Remove the alternative set up by the old ttf-vlgothic package. + # Do this again here since there is no guarantee that the transitional + # ttf-vlgothic package was installed and has cleaned this up. + # Do this for new installations (as we can't distinguish them from + # upgrades from ttf-vlgothic) as well as upgrades that did not yet + # clean this up. + # (This can be removed after jessie was released with this code.) + if dpkg --compare-versions $2 lt 20120629-1.1~ ; then + update-alternatives --remove ttf-japanese-gothic.ttf \ + /usr/share/fonts/truetype/vlgothic/VL-Gothic-Regular.ttf + fi + esac #DEBHELPER# ---End Message--- ---BeginMessage--- On Mon, Apr 1, 2013 at 09:16:41 +0900, Hideki Yamane wrote: On Mon, 1 Apr 2013 00:45:04 +0100 Jonathan Wiltshire j...@debian.org wrote: Please go ahead and ping this bug when it is uploaded. Thanks! uploaded it. Approved. Cheers, Julien signature.asc Description: Digital signature ---End Message---
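Review bot: In the fonts-vlgothic.preinst hunk, `$2` is unquoted in `dpkg --compare-versions $2 lt 20120629-1.1~` as shown here. On a new installation `$2` is empty, so dpkg receives only two arguments, the test fails, and the cleanup that the comment says must also run on new installations is skipped. Write `"$2"` so that the empty previous version is passed as an argument and compares as lower than the bound.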
Bug#704442: marked as done (unblock: devscripts/2.12.7 (pre-approval dch --bpo fix))
Your message dated Tue, 2 Apr 2013 21:20:06 +0200 with message-id 20130402192006.gf5...@radis.cristau.org and subject line Re: Bug#704442: unblock: devscripts/2.12.7 (pre-approval dch --bpo fix) has caused the Debian Bug report #704442, regarding unblock: devscripts/2.12.7 (pre-approval dch --bpo fix) to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 704442: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704442 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Dear Release Team, In the current version of devscripts in wheezy, when invoking dch --bpo, generates a changelog like this one: devscripts (2.12.6~bpo60+1) squeeze-backports; urgency=low It should of course use this instead: devscripts (2.12.6~bpo70+1) wheezy-backports; urgency=low Would the release team accept that I upload the attached fix to SID, in order to fix this problem in Wheezy? I think it's rather minimal, so it shouldn't be a big problem. Otherwise, I'm ok to wait for the release, and upload the fix in wheezy-proposed-updates, though since we already have backports opened, I think it would be wise not to delay this fix too much. Please let me know. Cheers, Thomas Goirand (zigo) diff -Nru devscripts-2.12.6/debian/changelog devscripts-2.12.7/debian/changelog --- devscripts-2.12.6/debian/changelog 2012-11-25 07:49:03.0 +0800 +++ devscripts-2.12.7/debian/changelog 2013-03-21 23:36:50.0 +0800 
@@ -1,3 +1,9 @@ +devscripts (2.12.7) unstable; urgency=low + + * Now using ~bpo70+1 instead of ~bpo60+1 when invoking dch --bpo. + + -- Thomas Goirand z...@debian.org Thu, 21 Mar 2013 23:36:16 +0800 + devscripts (2.12.6) unstable; urgency=low * Actual install German translation. diff -Nru devscripts-2.12.6/scripts/debchange.pl devscripts-2.12.7/scripts/debchange.pl --- devscripts-2.12.6/scripts/debchange.pl 2012-07-07 06:29:24.0 +0800 +++ devscripts-2.12.7/scripts/debchange.pl 2013-03-21 23:38:18.0 +0800 @@ -613,8 +613,8 @@ my $EMAIL = 'EMAIL'; my $DISTRIBUTION = 'UNRELEASED'; my $bpo_dist = ''; -my %bpo_dists = ( 60, 'squeeze' ); -my $latest_bpo_dist = '60'; +my %bpo_dists = ( 70, 'wheezy' ); +my $latest_bpo_dist = '70'; my $CHANGES = ''; # Changelog urgency, possibly propogated to NEWS files my $CL_URGENCY = ''; ---End Message--- ---BeginMessage--- On Tue, Apr 2, 2013 at 01:21:58 +0800, Thomas Goirand wrote: Anyway, I don't think this is very critical. If you would like to forget about this until the release, and focus on more important things, I'm ok with that. Let's do that then. Cheers, Julien signature.asc Description: Digital signature ---End Message---
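Review bot: In the debchange.pl hunk, `my %bpo_dists = ( 70, 'wheezy' );` replaces the `60 => 'squeeze'` entry instead of adding to it, so the table no longer knows squeeze-backports at all. If dch is still expected to prepare a squeeze backport, keep both entries, for example `( 60, 'squeeze', 70, 'wheezy' )`, and move only `$latest_bpo_dist` to '70'.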
Bug#704432: unblock: linux/3.2.41-2
Control: tags -1 confirmed d-i On Mon, Apr 1, 2013 at 03:57:12 +0100, Ben Hutchings wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package linux The changes from 3.2.39-2 to 3.2.41-2 include: from a while ago: jcristau KiBi: there's a new kernel, too KiBi need to look up the ia64 thing KiBi not listed in pkglists, so should be ok too cc:ing to confirm this is ok from the d-i pov. Cheers, Julien signature.asc Description: Digital signature
Processed: Re: Bug#704432: unblock: linux/3.2.41-2
Processing control commands: tags -1 confirmed d-i Bug #704432 [release.debian.org] unblock: linux/3.2.41-2 Added tag(s) d-i and confirmed. -- 704432: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704432 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#704514: marked as done (unblock: otrs2/3.1.7+dfsg1-8)
Your message dated Tue, 02 Apr 2013 20:41:09 +0100 with message-id 1364931669.4653.5.ca...@jacala.jungle.funky-badger.org and subject line Re: Bug#704514: unblock: otrs2/3.1.7+dfsg1-8 has caused the Debian Bug report #704514, regarding unblock: otrs2/3.1.7+dfsg1-8 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 704514: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704514 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package otrs2 diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/changelog 3.1.7+dfsg1-8/debian/changelog --- 3.1.7+dfsg1-7/debian/changelog 2013-02-27 10:25:48.144232210 +0100 +++ 3.1.7+dfsg1-8/debian/changelog 2013-04-02 10:48:16.815442475 +0200 
@@ -1,3 +1,14 @@ +otrs2 (3.1.7+dfsg1-8) unstable; urgency=high + + * Add missing post database schemas for new installations with dbconfig. +Without it, new installations will miss some important foreign keys and +later fail to update to version 3.2.x. +Closes: #702251 + * Add upstream patch 31-CVE-2013-2625 to improve permission checks in +LinkObject. This fixes CVE-2013-2625. + + -- Patrick Matthäi pmatth...@debian.org Tue, 02 Apr 2013 10:39:24 +0200 + otrs2 (3.1.7+dfsg1-7) unstable; urgency=high * Do not call otrs.SetPermissions.pl in postinst, since it modificates a few diff -Naur '--exclude=.svn' 3.1.7+dfsg1-7/debian/patches/31-CVE-2013-2625.diff 3.1.7+dfsg1-8/debian/patches/31-CVE-2013-2625.diff --- 3.1.7+dfsg1-7/debian/patches/31-CVE-2013-2625.diff 1970-01-01 01:00:00.0 +0100 +++ 3.1.7+dfsg1-8/debian/patches/31-CVE-2013-2625.diff 2013-04-02 10:48:16.819442449 +0200 
@@ -0,0 +1,151 @@ +# Upstream patch from: +# https://github.com/OTRS/otrs/commit/d90b8715dc348d57ffc415aeb1f57c31fa90c509 +# Improved permission checks in LinkObject. +# This fixes CVE-2013-2625. + +diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/Modules/AgentLinkObject.pm otrs2-3.1.7+dfsg1/Kernel/Modules/AgentLinkObject.pm +--- otrs2-3.1.7+dfsg1.orig/Kernel/Modules/AgentLinkObject.pm 2012-01-06 14:00:04.0 +0100 otrs2-3.1.7+dfsg1/Kernel/Modules/AgentLinkObject.pm2013-03-28 09:46:00.652927141 +0100 +@@ -63,6 +63,20 @@ + ); + } + ++# permission check ++my $Permission = $Self-{LinkObject}-ObjectPermission( ++Object = $Form{SourceObject}, ++Key= $Form{SourceKey}, ++UserID = $Self-{UserID}, ++); ++ ++if ( !$Permission ) { ++return $Self-{LayoutObject}-NoPermission( ++WithHeaderMessage= 'You need ro permission!', ++WithHeader = 'yes', ++); ++} ++ + # get form params + $Form{TargetIdentifier} = $Self-{ParamObject}-GetParam( Param = 'TargetIdentifier' ) + || $Form{SourceObject}; +@@ -140,6 +154,14 @@ + next IDENTIFIER if !$Target[1];# TargetKey + next IDENTIFIER if !$Target[2];# LinkType + ++my $DeletePermission = $Self-{LinkObject}-ObjectPermission( ++Object = $Target[0], ++Key= $Target[1], ++UserID = $Self-{UserID}, ++); ++ ++next IDENTIFIER if !$DeletePermission; ++ + # delete link from database + my $Success = $Self-{LinkObject}-LinkDelete( + Object1 = $Form{SourceObject}, +@@ -336,6 +358,14 @@ + $TargetKey= $TargetKeyOrg; + } + ++my $AddPermission = $Self-{LinkObject}-ObjectPermission( ++Object = $TargetObject, ++Key= $TargetKey, ++UserID = $Self-{UserID}, ++); ++ ++next TARGETKEYORG if !$AddPermission; ++ + # add links to database + my $Success = $Self-{LinkObject}-LinkAdd( + SourceObject = $SourceObject, +diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject/Ticket.pm otrs2-3.1.7+dfsg1/Kernel/System/LinkObject/Ticket.pm +--- otrs2-3.1.7+dfsg1.orig/Kernel/System/LinkObject/Ticket.pm 2012-01-10 15:44:27.0 +0100 otrs2-3.1.7+dfsg1/Kernel/System/LinkObject/Ticket.pm 
2013-03-28 09:46:00.656927287 +0100 +@@ -161,6 +161,39 @@ + return 1; + } + ++=item ObjectPermission() ++ ++checks read permission for a given object and UserID. ++ ++$Permission = $LinkObject-ObjectPermission( ++
Re: Bug#695224: Locale::Maketext versioning in perl package
On Sun, Mar 31, 2013 at 05:46:12PM +0100, Dominic Hargreaves wrote: There is a problem with the perl package, as discussed in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#55 onwards, whereby the application of the security fix in that ticket now causes double-escaping problems where people workaround the problem by escaping themselves, when they detect an earlier Locale::Maketext by version number. I am slightly wary about importing the new (1.23) version of Locale::Maketext as I mentioned in that bug already, but my fears may be unfounded. Could you comment about whether you would accept such a change in wheezy at this time? (I can't really decide whether it's RC or not). FWIW, it looks clear to me that the only functional changes in the patch are the $VERSION increments in the .pm files. The rest is documentation and test cases, and the only important $VERSION is most probably the main one in Locale/Maketext.pm. While that change itself is trivial, it has action-at-distance effects - otherwise this wouldn't be an issue at all. I think the risk potential is mostly in breaking something that's trusting Module::CoreList (dh-make-perl and lintian come to mind, CPAN.pm and CPANPLUS.pm might be affected somehow too?), and that it's not a very big risk but still a real one. Thinking about the necessity of this: Paul is IMO right that security fixes and other backported stuff usually don't change functionality API-wise, and I'm generally sympathetic to the idea of incrementing $VERSION when they do. Unfortunately that's hard to do in the general case (as the versioning scheme doesn't really support downstream branching.) In this specific case, upgrading Locale::Maketext fully to 1.23 in wheezy would probably have been the right thing to do if we had anticipated these issues. But we didn't, and it seems very late in the release process to do it now. Also, I can't really see us applying anything but the targeted fix for squeeze. 
I see Fedora/RedHat also upgraded their Locale::Maketext modules without incrementing $VERSION (I checked the patches in RHEL 6 / Perl 5.10.1 and Fedora Core 16 17 / Perl 5.14.3). So it looks like even if we do try to fix this for wheezy, applications still have to check for features rather than versions to stay on the safe side. -- Niko Tyni nt...@debian.org
Bug#704432: unblock: linux/3.2.41-2
On Tue, Apr 02, 2013 at 09:26:21PM +0200, Julien Cristau wrote: Control: tags -1 confirmed d-i On Mon, Apr 1, 2013 at 03:57:12 +0100, Ben Hutchings wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package linux The changes from 3.2.39-2 to 3.2.41-2 include: from a while ago: jcristau KiBi: there's a new kernel, too KiBi need to look up the ia64 thing KiBi not listed in pkglists, so should be ok too cc:ing to confirm this is ok from the d-i pov. kernel-image-3.2.0-4-itanium-di now provides efi-modules, so I believe d-i should carry on building. ia64 netboot will be broken but that's basically unavoidable. Ben. -- Ben Hutchings We get into the habit of living before acquiring the habit of thinking. - Albert Camus
Bug#704291: marked as done (unblock: openjdk-7/7u3-2.1.7-1)
Your message dated Tue, 02 Apr 2013 21:10:20 +0100 with message-id 1364933420.4653.6.ca...@jacala.jungle.funky-badger.org and subject line Re: Bug#704291: unblock: openjdk-7/7u3-2.1.7-1 has caused the Debian Bug report #704291, regarding unblock: openjdk-7/7u3-2.1.7-1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

-- 704291: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704291

---BeginMessage---
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock

please unblock openjdk-7/7u3-2.1.7-1, new minor upstream version including two security issues:

openjdk-7 (7u3-2.1.7-1) unstable; urgency=high

* IcedTea7 2.1.7 release:
* Security fixes:
  - S8007014, CVE-2013-0809: Improve image handling.
  - S8007675, CVE-2013-1493: Improve color conversion.
* Backports:
  - S8002344: Krb5LoginModule config class does not return proper KDC list from DNS.
  - S8004344: Fix a crash in ToolkitErrorHandler() in XlibWrapper.c.
  - S8006179: JSR292 MethodHandles lookup with interface using findVirtual().
  - S8006882: Proxy generated classes in sun.proxy package breaks JMockit.
* Bug fixes:
  - PR1303: Correct #ifdef to #if
  - Stop libraries being stripped in the OpenJDK build.
  - PR1340: Simplify the rhino class rewriter to avoid use of concurrency.
  - Revert 7017193 and add the missing free call, until a better fix is ready.
---End Message---

---BeginMessage---
On Sun, 2013-03-31 at 11:08 +0200, Matthias Klose wrote:

please unblock openjdk-7/7u3-2.1.7-1, new minor upstream version including two security issues:

Done.

Regards, Adam
---End Message---
Bug#704432: unblock: linux/3.2.41-2
Ben Hutchings b...@decadent.org.uk (02/04/2013): from a while ago: jcristau KiBi: there's a new kernel, too KiBi need to look up the ia64 thing KiBi not listed in pkglists, so should be ok too cc:ing to confirm this is ok from the d-i pov. kernel-image-3.2.0-4-itanium-di now provides efi-modules, so I believe d-i should carry on building. ia64 netboot will be broken but that's basically unavoidable. Please go ahead. Mraw, KiBi.
Bug#704444: unblock: cacti/0.8.8a+dfsg-4
Hi, On Mon, Apr 01, 2013 at 10:03:09AM +0200, Paul Gevers wrote: I have attached the debdiff between version 3 currently in Wheezy and version 4, now in unstable. Being a regression and, if I understand correctly from others, rather awkward for users, I'm surprised to see this bug is severity:normal. Is that really a true reflection? Either way it's rather a large diff, I'm inclined towards deferring to a point release at least... -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 directhex i have six years of solaris sysadmin experience, from 8-10. i am well qualified to say it is made from bonghits layered on top of bonghits
How to Provide Customer Service that Impresses and Surprises
Don't leave your customers' satisfaction to chance! HOW TO PROVIDE customer service that IMPRESSES and SURPRISES. April 22 - From 10:00 a.m. to 1:00 p.m. and from 3:00 p.m. to 6:00 p.m. (Central Mexico Time). Location: Your computer or mobile device. When it comes to making your business stand out for the quality of the service it provides, satisfying your customer is not enough; you need to exceed their expectations! A customer your company has won over feels important and valued; they come back again and again, and will recommend you to their colleagues, friends and family, both in person and on social networks. Included: • How to "connect" with your customer. • How to project attentiveness and empathy, even under pressure. • Powerful tips for handling different customer personalities. Get the complete brochure with no obligation; just reply to this email with the following details: Name: Company: Telephone: It will be a pleasure to assist you! Lic. Areliz Massanges. Project Leader. Or call our Telephone Service Center at 018002129393. To remove your address debian-release@lists.debian.org from our list, reply cli22.
Bug#704566: unblock: isc-dhcp/4.2.2.dfsg.1-5+deb70u4
Package: release.debian.org User: release.debian@packages.debian.org Usertags: unblock Severity: normal Please unblock package isc-dhcp This upload fixes a security issue in the embedded bind library. It's a bit large due to the addition of a secondary patch system for patching bind issues. Please see attached patch. unblock isc-dhcp/4.2.2.dfsg.1-5+deb70u4