Bug#804787: jessie-pu: package servefile/0.4.3-1
Control: tags -1 + moreinfo

On 2015-11-11 16:39, Sebastian Lohff wrote:
> there has been a directory traversal bug in servefile, it was fixed in
> version 0.4.4. I talked to the Debian security team and they said a DSA
> would not be necessary and recommended doing a stable-pu. Therefore I'd
> like to propose an update to 0.4.4 (debdiff attached).

+servefile (0.4.4-1~deb8u1) jessie; urgency=high + + * New upstream version

That's not really a suitable changelog for an upload to unstable, particularly one that fixes security issues. It's certainly not suitable for a stable update.

The point of a changelog entry is to explain the purpose of the upload. In this case it is to fix a security problem and some other (specific, and enumerated in upstream's changelog) issues, not simply because a new upstream release is available. Please make the changelog indicate what has actually changed - see https://www.debian.org/doc/manuals/developers-reference/ch06.en.html#bpp-changelog-do , for example.

Regards,

Adam
Bug#804787: jessie-pu: package servefile/0.4.3-1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

there has been a directory traversal bug in servefile, it was fixed in version 0.4.4. I talked to the Debian security team and they said a DSA would not be necessary and recommended doing a stable-pu. Therefore I'd like to propose an update to 0.4.4 (debdiff attached).

Greetings,
seba

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru servefile-0.4.3/ChangeLog servefile-0.4.4/ChangeLog --- servefile-0.4.3/ChangeLog 2013-12-28 01:55:41.0 +0100 +++ servefile-0.4.4/ChangeLog 2015-11-10 21:05:35.0 +0100 @@ -1,6 +1,18 @@ servefile changelog === +2015-11-10 v0.4.4 +- + + 0.4.4 released + + * prefer using TLS1.2/TLS1 with --ssl if available + * issue v3 certificates for self signed certificates with --ssl + * removed lots of unnecessary error output + * fixed a bug where wrong ranges were used on a HEAD request in directory listing mode + * fixed a bug where directory listing mode allowed path traversal + + 2013-12-28 v0.4.3 - diff -Nru servefile-0.4.3/debian/changelog servefile-0.4.4/debian/changelog --- servefile-0.4.3/debian/changelog 2014-08-12 22:11:04.0 +0200 +++ servefile-0.4.4/debian/changelog 2015-11-11 15:52:59.0 +0100 @@ -1,3 +1,9 @@ +servefile (0.4.4-1~deb8u1) jessie; urgency=high + + * New upstream version + + -- Sebastian LohffTue, 10 Nov 2015 21:22:17 +0100 + servefile (0.4.3-1) unstable; urgency=low * New upstream version diff -Nru servefile-0.4.3/debian/control servefile-0.4.4/debian/control --- servefile-0.4.3/debian/control 2014-08-13 00:41:01.0 +0200 +++ servefile-0.4.4/debian/control 2015-11-10 21:27:07.0 +0100 
@@ -3,7 +3,7 @@ Priority: optional Maintainer: Sebastian Lohff Build-Depends: debhelper (>= 9.0~), python -Standards-Version: 3.9.5 +Standards-Version: 3.9.6 Homepage: http://seba-geek.de/stuff/servefile/ Package: servefile diff -Nru servefile-0.4.3/PKG-INFO servefile-0.4.4/PKG-INFO --- servefile-0.4.3/PKG-INFO 2013-12-28 02:31:38.0 +0100 +++ servefile-0.4.4/PKG-INFO 2015-11-10 21:13:09.0 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 1.0 Name: servefile -Version: 0.4.3 +Version: 0.4.4 Summary: Serve files from shell via a small HTTP server Home-page: http://seba-geek.de/stuff/servefile/ Author: Sebastian Lohff diff -Nru servefile-0.4.3/servefile servefile-0.4.4/servefile --- servefile-0.4.3/servefile 2013-12-28 02:21:57.0 +0100 +++ servefile-0.4.4/servefile 2015-11-10 20:54:36.0 +0100 @@ -7,7 +7,7 @@ from __future__ import print_function -__version__ = '0.4.3' +__version__ = '0.4.4' import argparse import base64 @@ -16,7 +16,6 @@ import mimetypes import urllib import os -import posixpath import re import select import socket @@ -102,7 +101,7 @@ try: fromto[0] = int(fromto[0]) fromto[1] = int(fromto[1]) - except: + except ValueError: return (False, None) if fromto[0] >= fileLength or fromto[0] < 0 or fromto[1] >= fileLength or fromto[1]-fromto[0] < 0: @@ -154,11 +153,7 @@ self.end_headers() block = self.getChunk(myfile, fromto) while block: - try: -self.wfile.write(block) - except socket.error as e: -print("%s ABORTED transmission (Reason %s: %s)" % (self.client_address[0], e[0], e[1])) -return False + self.wfile.write(block) block = self.getChunk(myfile, fromto) myfile.close() print("%s finished downloading %s" % (self.client_address[0], filePath)) 
@@ -310,6 +305,15 @@ """ Send file or directory index, depending on requested path """ path = self.getCleanPath() + # check if path is in current serving directory + currBaseDir = os.path.abspath(self.targetDir) + os.path.sep + requestPath = os.path.normpath(os.path.join(currBaseDir, path)) + os.path.sep + if not requestPath.startswith(currBaseDir): + self.send_response(301) + self.send_header("Location", '/') + self.end_headers() + return + if os.path.isdir(path): if not self.path.endswith('/'): self.send_response(301) @@ -325,7 +329,7 @@ self.end_headers() else: self.send_response(200) - self.sendContentHeaders(self, path, length) + self.sendContentHeaders(path, length) self.end_headers() else: self.sendFile(path, head) @@ -406,7 +410,7 @@ - """ % {'path': posixpath.normpath(urllib.unquote(self.path))} + """ % {'path': os.path.normpath(urllib.unquote(self.path))} footer = """ http://seba-geek.de/stuff/servefile/;>servefile %(version)s @@
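Review bot: the debian/changelog hunk for 0.4.4-1~deb8u1 says only `* New upstream version`, which tells a jessie user nothing about why the package changed. Since this upload exists to fix a security issue, the entry should name it (the path traversal in directory listing mode, as listed in upstream's 0.4.4 ChangeLog in the first hunk) and the other fixes it carries, rather than describing the new release as the reason for the upload.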
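Review bot: the debian/control hunk bumps Standards-Version from 3.9.5 to 3.9.6, which is unrelated to the traversal fix. A stable update is expected to carry only the change it is being made for, so this hunk should be dropped from the jessie upload.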
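Review bot: in the sendFile hunk (`@@ -154,11 +153,7 @@`), removing the `try: ... except socket.error` around `self.wfile.write(block)` means a client that disconnects mid-transfer now raises out of the handler instead of logging the abort and returning False, and the `print("%s finished downloading %s" ...)` after the loop is skipped for that request. If the goal was the "removed lots of unnecessary error output" ChangeLog item, a narrow `except socket.error: return False` with no print keeps the control flow while dropping the noise.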
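Review bot: the containment check in the `@@ -310,6 +305,15 @@` hunk builds both sides with `os.path.abspath`, which does not resolve symlinks, so a symlink inside the served directory that points outside it still satisfies `requestPath.startswith(currBaseDir)`; if following such links is not intended, use `os.path.realpath` for both `currBaseDir` and `requestPath`. Appending `os.path.sep` to both values before the prefix test is the right way to avoid matching a sibling directory whose name merely starts with the base name. A `403` would describe a rejected request more accurately than the `301` redirect to `/`, which hides the refusal from logs and clients alike.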
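Review bot: the listing-header hunk (`@@ -406,7 +410,7 @@`) replaces `posixpath.normpath` with `os.path.normpath` on a URL path. URL paths are POSIX paths whatever the host OS, so `posixpath` was the more accurate module; on POSIX hosts the two behave identically, so the only effect is dropping the import. Independently of this change, `urllib.unquote(self.path)` is interpolated into the listing template as-is; if that template is HTML (the footer fragment looks like an anchor tag), the value should be passed through `cgi.escape(..., quote=True)` before formatting.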
Processed: Re: Bug#804787: jessie-pu: package servefile/0.4.3-1
Processing control commands:

> tags -1 + moreinfo
Bug #804787 [release.debian.org] jessie-pu: package servefile/0.4.3-1
Added tag(s) moreinfo.

-- 
804787: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804787
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#804775: transition: bullet
On 11.11.2015 at 15:47, Emilio Pozuelo Monfort wrote:
> Control: tags -1 confirmed
> 
> On 11/11/15 14:21, Markus Koschany wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: transition
>> 
>> Hello release team,
>> 
>> I would like to request a transition for Bullet 2.83.6.
>> Upstream made a backward-incompatible ABI change between
>> version 2.83.5 and 2.83.6 without changing the SONAME too.
> 
> You can go ahead and upload this to unstable.
> 
> Emilio

Uploaded to unstable.

Regards,

Markus

signature.asc
Description: OpenPGP digital signature
Bug#804775: transition: bullet
Control: tags -1 confirmed

On 11/11/15 14:21, Markus Koschany wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> 
> Hello release team,
> 
> I would like to request a transition for Bullet 2.83.6.
> Upstream made a backward-incompatible ABI change between
> version 2.83.5 and 2.83.6 without changing the SONAME too.

You can go ahead and upload this to unstable.

Emilio
Bug#804775: transition: bullet
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hello release team,

I would like to request a transition for Bullet 2.83.6. Upstream made a backward-incompatible ABI change between version 2.83.5 and 2.83.6 without changing the SONAME too.

https://bugs.debian.org/801914

I have renamed the binary packages and added Breaks and Replaces against the older version. The package is ready in experimental. All reverse-dependencies should be binNMUable without requiring any further action.

The r-deps are:

hkl
gazebo
cyphesis-cpp
openmw

Ben file:

title = "bullet";
is_affected = /\b(libbulletcollision2\.83\.6|libbulletdynamics2\.83\.6|libbulletfileloader2\.83\.6|libbulletsoftbody2\.83\.6|libbulletworldimporter2\.83\.6|libbulletxmlworldimporter2\.83\.6|libconvexdecomposition2\.83\.6|libgimpactutils2\.83\.6|libhacd2\.83\.6|liblinearmath2\.83\.6|libbulletcollision2\.83v5|libbulletdynamics2\.83v5|libbulletfileloader2\.83v5|libbulletsoftbody2\.83v5|libbulletworldimporter2\.83v5|libbulletxmlworldimporter2\.83v5|libconvexdecomposition2\.83v5|libgimpactutils2\.83v5|libhacd2\.83v5|liblinearmath2\.83v5)\b/;
is_good = /\b(libbulletcollision2\.83\.6|libbulletdynamics2\.83\.6|libbulletfileloader2\.83\.6|libbulletsoftbody2\.83\.6|libbulletworldimporter2\.83\.6|libbulletxmlworldimporter2\.83\.6|libconvexdecomposition2\.83\.6|libgimpactutils2\.83\.6|libhacd2\.83\.6|liblinearmath2\.83\.6)\b/;
is_bad = /\b(libbulletcollision2\.83v5|libbulletdynamics2\.83v5|libbulletfileloader2\.83v5|libbulletsoftbody2\.83v5|libbulletworldimporter2\.83v5|libbulletxmlworldimporter2\.83v5|libconvexdecomposition2\.83v5|libgimpactutils2\.83v5|libhacd2\.83v5|liblinearmath2\.83v5)\b/;

Regards,

Markus
Processed: Re: Bug#804775: transition: bullet
Processing control commands:

> tags -1 confirmed
Bug #804775 [release.debian.org] transition: bullet
Added tag(s) confirmed.

-- 
804775: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804775
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#802851: jessie-pu: package qpsmtpd/0.84-11
On Sun, Oct 25, 2015 at 01:23:11PM +, Adam D. Barratt wrote:
> While the proposed patch on its own looks fine, in order for us to give
> an ack on the upload please prepare, build and test a package on jessie
> - versioned as 0.84-11+deb8u1 rather than -12 - and send the source
> debdiff to this bug report.

Debdiff attached.

-- 
Devin    \ aqua(at)devin.com, IRC:Requiem;  http://www.devin.com
Carraway \ 4096R/9197B5F9: 9C64 37CD 1B7B 029D 0933 49EA 1E52 7672 9197 B5F9

diff -Nru qpsmtpd-0.84/debian/changelog qpsmtpd-0.84/debian/changelog --- qpsmtpd-0.84/debian/changelog 2013-08-13 00:39:07.0 -0700 +++ qpsmtpd-0.84/debian/changelog 2015-11-11 00:18:17.0 -0800 @@ -1,3 +1,11 @@ +qpsmtpd (0.84-11+deb8u1) stable; urgency=medium + + * Patch for compatibility-breaker change in Net::DNS (Closes: #795836) + * Depend on libnet-dns-perl >= 0.81, since 0.66 from oldstable has the +opposite compatibility problem + + -- Devin CarrawaySat, 24 Oct 2015 07:27:50 + + qpsmtpd (0.84-11) unstable; urgency=low * Add Japanese debconf translation; thanks to victory (Closes: diff -Nru qpsmtpd-0.84/debian/control qpsmtpd-0.84/debian/control --- qpsmtpd-0.84/debian/control 2013-07-01 19:28:34.0 -0700 +++ qpsmtpd-0.84/debian/control 2015-10-24 01:04:20.0 -0700 
@@ -7,7 +7,7 @@ Package: qpsmtpd Architecture: all -Depends: ${misc:Depends}, ${perl:Depends}, debconf (>= 1.0.0), adduser (>= 3.0), libdigest-hmac-perl, libmail-spf-perl (>= 2.8.0), libnet-dns-perl, libnet-perl, libmailtools-perl, libipc-shareable-perl, libclamav-client-perl, libsocket6-perl, libio-socket-inet6-perl +Depends: ${misc:Depends}, ${perl:Depends}, debconf (>= 1.0.0), adduser (>= 3.0), libdigest-hmac-perl, libmail-spf-perl (>= 2.8.0), libnet-dns-perl (>= 0.81), libnet-perl, libmailtools-perl, libipc-shareable-perl, libclamav-client-perl, libsocket6-perl, libio-socket-inet6-perl Suggests: spamassassin (>= 3.0.0), clamav-daemon, tinycdb Homepage: http://smtpd.develooper.com/ Description: Flexible SMTP daemon for network-level spam detection diff -Nru qpsmtpd-0.84/debian/files qpsmtpd-0.84/debian/files --- qpsmtpd-0.84/debian/files 1969-12-31 16:00:00.0 -0800 +++ qpsmtpd-0.84/debian/files 2015-11-11 00:22:31.0 -0800 @@ -0,0 +1 @@ +qpsmtpd_0.84-11+deb8u1_all.deb mail extra diff -Nru qpsmtpd-0.84/debian/patches/netdns_header_compat-bug795836.patch qpsmtpd-0.84/debian/patches/netdns_header_compat-bug795836.patch --- qpsmtpd-0.84/debian/patches/netdns_header_compat-bug795836.patch 1969-12-31 16:00:00.0 -0800 +++ qpsmtpd-0.84/debian/patches/netdns_header_compat-bug795836.patch 2015-10-24 00:25:59.0 -0700 @@ -0,0 +1,13 @@ +Index: qpsmtpd-0.84/qpsmtpd-forkserver +=== +--- qpsmtpd-0.84.orig/qpsmtpd-forkserver 2015-10-24 05:35:24.0 + qpsmtpd-0.84/qpsmtpd-forkserver2015-10-24 07:23:18.815328768 + +@@ -281,7 +281,7 @@ + # all children should have different seeds, to prevent conflicts + srand(); + for (0 .. rand(65536)) { +- Net::DNS::Header::nextid(); ++ Net::DNS::Header::id(); + } + + close $_ for $select->handles; diff -Nru qpsmtpd-0.84/debian/patches/series qpsmtpd-0.84/debian/patches/series --- qpsmtpd-0.84/debian/patches/series 2013-07-01 19:21:52.0 -0700 +++ qpsmtpd-0.84/debian/patches/series 2015-10-24 00:23:00.0 -0700 
@@ -2,3 +2,4 @@ spf_plugin-upstream-02912602842.patch spf_plugin-bug693181.patch ipv6_warnings-bug693179.patch +netdns_header_compat-bug795836.patch signature.asc Description: Digital signature
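Review bot: the debian/changelog hunk targets the suite `stable` (`qpsmtpd (0.84-11+deb8u1) stable; urgency=medium`); since this bug is a jessie-pu request, the codename `jessie` is the less ambiguous choice (it keeps meaning the same suite after the next release, and it is what the other stable-update changelog in this digest uses). The entry itself is fine: it names the Net::DNS incompatibility, closes #795836 and explains why the dependency is versioned.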
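Review bot: the debian/files hunk (`+qpsmtpd_0.84-11+deb8u1_all.deb mail extra`) is a build artifact that dpkg-gencontrol writes during a binary build and dh_clean removes; it should not be in a source debdiff. Run `debian/rules clean` (or rebuild from a clean source tree) before generating the source package so this hunk disappears.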
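Review bot: the new quilt patch netdns_header_compat-bug795836.patch has no DEP-3 header; it starts at `Index:` with no Description, Author, Origin or Bug-Debian field. Add one that records https://bugs.debian.org/795836 and states why `Net::DNS::Header::id()` is the correct replacement for `nextid()` in the forkserver loop: the call is made as a plain function with no header object, and a later reader cannot tell from the diff alone that it still advances the per-process id sequence the surrounding comment (`all children should have different seeds, to prevent conflicts`) depends on.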
Bug#789214: jessie-pu: package cloud-init/0.7.6~bzr976-2 -> -3
On Sun, Oct 18, 2015 at 01:13:26AM +0200, Thomas Goirand wrote:
> 
> Ping? Is there anyone from the stable release team that could spend a
> bit of time here?

Hello everybody,

I propose that we declare time bankruptcy on that issue, give up on fixing it, and update Sid's package instead, which is now seriously outdated. Regardless of this bug, there will be the demand for a backport of the version in Squeeze, which will satisfy Jessie users almost as well as a stable update.

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan
Processed: add block
Processing commands for cont...@bugs.debian.org:

> block 789077 by 804799
Bug #789077 [release.debian.org] transition: ruby2.2
789077 was blocked by: 791848 803489 803589 791846 791847 803587
789077 was not blocking any bugs.
Added blocking bug(s) of 789077: 804799
> --
Stopping processing here.

Please contact me if you need assistance.
-- 
789077: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789077
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#802851: jessie-pu: package qpsmtpd/0.84-11
Processing control commands:

> tags -1 -moreinfo +confirmed
Bug #802851 [release.debian.org] jessie-pu: package qpsmtpd/0.84-11
Removed tag(s) moreinfo.
Bug #802851 [release.debian.org] jessie-pu: package qpsmtpd/0.84-11
Added tag(s) confirmed.

-- 
802851: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802851
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#802851: jessie-pu: package qpsmtpd/0.84-11
Control: tags -1 -moreinfo +confirmed

On Wed, 2015-11-11 at 00:36 -0800, Devin Carraway wrote:
> On Sun, Oct 25, 2015 at 01:23:11PM +, Adam D. Barratt wrote:
> 
> > While the proposed patch on its own looks fine, in order for us to give
> > an ack on the upload please prepare, build and test a package on jessie
> > - versioned as 0.84-11+deb8u1 rather than -12 - and send the source
> > debdiff to this bug report.
> 
> Debdiff attached.

diff -Nru qpsmtpd-0.84/debian/files qpsmtpd-0.84/debian/files --- qpsmtpd-0.84/debian/files 1969-12-31 16:00:00.0 -0800 +++ qpsmtpd-0.84/debian/files 2015-11-11 00:22:31.0 -0800 @@ -0,0 +1 @@ +qpsmtpd_0.84-11+deb8u1_all.deb mail extra

That shouldn't really be ending up in the diff.

Other than that, please go ahead; thanks.

Regards,

Adam
Bug#804810: RM: python-repoze.what/1.0.9-5
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

This package is blocking python-repoze.who 2.2-2 from entering testing. That, in turn, blocks python-pysaml2 v3 from entering testing, which is in turn blocking keystone from entering testing. Meanwhile, the project upstream has not received any commits for several years.

The only real reverse dependency in the archive, turbogears2, will hopefully remove the dependency on python-repoze.what-plugins given this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804809

tg.devtools is already removed from testing and so would not block this.

So, once that bug is acted upon, it should be quite simple to remove this and python-repoze.what-plugins from testing (and likely eventually from the archive if they are not updated to work with modern python-repoze.who).