Bug#804787: jessie-pu: package servefile/0.4.3-1

2015-11-11 Thread Adam D. Barratt

Control: tags -1 + moreinfo

On 2015-11-11 16:39, Sebastian Lohff wrote:

> there has been a directory traversal bug in servefile, it was fixed in
> version 0.4.4. I talked to the Debian security team and they said a DSA
> would not be necessary and recommended doing a stable-pu. Therefore
> I'd like to propose an update to 0.4.4 (debdiff attached).


+servefile (0.4.4-1~deb8u1) jessie; urgency=high
+
+  * New upstream version

That's not really a suitable changelog for an upload to unstable, 
particularly one that fixes security issues. It's certainly not suitable 
for a stable update.


The point of a changelog entry is to explain the purpose of the upload. 
In this case it is to fix a security problem and some other (specific, 
and enumerated in upstream's changelog) issues, not simply because a new 
upstream release is available. Please make the changelog indicate what 
has actually changed - see 
https://www.debian.org/doc/manuals/developers-reference/ch06.en.html#bpp-changelog-do 
, for example.


Regards,

Adam



Bug#804787: jessie-pu: package servefile/0.4.3-1

2015-11-11 Thread Sebastian Lohff
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

there has been a directory traversal bug in servefile, it was fixed in
version 0.4.4. I talked to the Debian security team and they said a DSA
would not be necessary and recommended doing a stable-pu. Therefore
I'd like to propose an update to 0.4.4 (debdiff attached).

Greetings,
seba

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru servefile-0.4.3/ChangeLog servefile-0.4.4/ChangeLog
--- servefile-0.4.3/ChangeLog	2013-12-28 01:55:41.0 +0100
+++ servefile-0.4.4/ChangeLog	2015-11-10 21:05:35.0 +0100
@@ -1,6 +1,18 @@
 servefile changelog
 ===
 
+2015-11-10 v0.4.4
+-
+
+	0.4.4 released
+
+	* prefer using TLS1.2/TLS1 with --ssl if available
+	* issue v3 certificates for self signed certificates with --ssl
+	* removed lots of unnecessary error output
+	* fixed a bug where wrong ranges were used on a HEAD request in directory listing mode
+	* fixed a bug where directory listing mode allowed path traversal
+
+
 2013-12-28 v0.4.3
 -
 
diff -Nru servefile-0.4.3/debian/changelog servefile-0.4.4/debian/changelog
--- servefile-0.4.3/debian/changelog	2014-08-12 22:11:04.0 +0200
+++ servefile-0.4.4/debian/changelog	2015-11-11 15:52:59.0 +0100
@@ -1,3 +1,9 @@
+servefile (0.4.4-1~deb8u1) jessie; urgency=high
+
+  * New upstream version
+
+ -- Sebastian Lohff   Tue, 10 Nov 2015 21:22:17 +0100
+
 servefile (0.4.3-1) unstable; urgency=low
 
   * New upstream version
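Review bot: The new entry's only item, "* New upstream version", does not say why a jessie upload with urgency=high is needed. The upstream ChangeLog hunk in this same debdiff lists the path traversal fix in directory listing mode and the HEAD range fix; name those here so the stable changelog records the security fix.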
diff -Nru servefile-0.4.3/debian/control servefile-0.4.4/debian/control
--- servefile-0.4.3/debian/control	2014-08-13 00:41:01.0 +0200
+++ servefile-0.4.4/debian/control	2015-11-10 21:27:07.0 +0100
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Sebastian Lohff 
 Build-Depends: debhelper (>= 9.0~), python
-Standards-Version: 3.9.5
+Standards-Version: 3.9.6
 Homepage: http://seba-geek.de/stuff/servefile/
 
 Package: servefile
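Review bot: The Standards-Version bump from 3.9.5 to 3.9.6 is unrelated to the fixes this update is meant to deliver. For a stable update, drop this line from the diff and keep debian/control as it is in 0.4.3-1, so the debdiff contains only the targeted changes.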
diff -Nru servefile-0.4.3/PKG-INFO servefile-0.4.4/PKG-INFO
--- servefile-0.4.3/PKG-INFO	2013-12-28 02:31:38.0 +0100
+++ servefile-0.4.4/PKG-INFO	2015-11-10 21:13:09.0 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 1.0
 Name: servefile
-Version: 0.4.3
+Version: 0.4.4
 Summary: Serve files from shell via a small HTTP server
 Home-page: http://seba-geek.de/stuff/servefile/
 Author: Sebastian Lohff
diff -Nru servefile-0.4.3/servefile servefile-0.4.4/servefile
--- servefile-0.4.3/servefile	2013-12-28 02:21:57.0 +0100
+++ servefile-0.4.4/servefile	2015-11-10 20:54:36.0 +0100
@@ -7,7 +7,7 @@
 
 from __future__ import print_function
 
-__version__ = '0.4.3'
+__version__ = '0.4.4'
 
 import argparse
 import base64
@@ -16,7 +16,6 @@
 import mimetypes
 import urllib
 import os
-import posixpath
 import re
 import select
 import socket
@@ -102,7 +101,7 @@
 	try:
 		fromto[0] = int(fromto[0])
 		fromto[1] = int(fromto[1])
-	except:
+	except ValueError:
 		return (False, None)
 
 	if fromto[0] >= fileLength or fromto[0] < 0 or fromto[1] >= fileLength or fromto[1]-fromto[0] < 0:
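Review bot: Narrowing the bare except to "except ValueError:" means anything else raised by the two int() lines now propagates instead of returning (False, None). The indexing of fromto[0] and fromto[1] would raise IndexError if fromto has fewer than two elements, and this hunk does not show that being ruled out; either confirm the earlier code guarantees two elements or catch (ValueError, IndexError).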
@@ -154,11 +153,7 @@
 		self.end_headers()
 		block = self.getChunk(myfile, fromto)
 		while block:
-			try:
-self.wfile.write(block)
-			except socket.error as e:
-print("%s ABORTED transmission (Reason %s: %s)" % (self.client_address[0], e[0], e[1]))
-return False
+			self.wfile.write(block)
 			block = self.getChunk(myfile, fromto)
 		myfile.close()
 		print("%s finished downloading %s" % (self.client_address[0], filePath))
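Review bot: With the try/except around self.wfile.write(block) removed, a socket.error from a client that disconnects mid-transfer now leaves the loop by exception, so myfile.close() is never reached and the file handle stays open until garbage collection. Wrap the loop in try/finally (or open the file in a with block) so the file is closed on every path, and make sure the caller handles the exception quietly if the aim is only to drop the error output.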
@@ -310,6 +305,15 @@
 		""" Send file or directory index, depending on requested path """
 		path = self.getCleanPath()
 
+		# check if path is in current serving directory
+		currBaseDir = os.path.abspath(self.targetDir) + os.path.sep
+		requestPath = os.path.normpath(os.path.join(currBaseDir, path)) + os.path.sep
+		if not requestPath.startswith(currBaseDir):
+			self.send_response(301)
+			self.send_header("Location", '/')
+			self.end_headers()
+			return
+
 		if os.path.isdir(path):
 			if not self.path.endswith('/'):
 self.send_response(301)
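Review bot: The check validates requestPath, built from os.path.join(currBaseDir, path), but the code that follows still operates on the unvalidated path, starting at "if os.path.isdir(path):". That is only equivalent if path is always resolved relative to self.targetDir, which this hunk does not show; using the checked, normalized path for the later filesystem calls would remove the doubt. Two smaller points: os.path.abspath and os.path.normpath are purely lexical, so os.path.realpath on both sides is needed if symlinks inside the served directory must not lead outside it, and a permanent 301 to "/" for a rejected path is cacheable where a 403 or 404 would state the refusal directly.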
@@ -325,7 +329,7 @@
 	self.end_headers()
 else:
 	self.send_response(200)
-	self.sendContentHeaders(self, path, length)
+	self.sendContentHeaders(path, length)
 	self.end_headers()
 			else:
 self.sendFile(path, head)
@@ -406,7 +410,7 @@
 			
 		
 		
-		""" % {'path': posixpath.normpath(urllib.unquote(self.path))}
+		""" % {'path': os.path.normpath(urllib.unquote(self.path))}
 		footer = """
 http://seba-geek.de/stuff/servefile/;>servefile %(version)s
 
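Review bot: The value put into the listing template on the changed line is urllib.unquote(self.path) passed through normpath, with no HTML escaping visible at this point. Since it is client-controlled text rendered into the page, escape it before interpolation (cgi.escape in this Python 2 code base) unless that already happens elsewhere. Also note that os.path.normpath, unlike the posixpath.normpath it replaces, uses the host's path separator, so the displayed URL path changes on non-POSIX systems.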
@@ 

Processed: Re: Bug#804787: jessie-pu: package servefile/0.4.3-1

2015-11-11 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #804787 [release.debian.org] jessie-pu: package servefile/0.4.3-1
Added tag(s) moreinfo.

-- 
804787: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804787
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#804775: transition: bullet

2015-11-11 Thread Markus Koschany
On 11.11.2015 at 15:47, Emilio Pozuelo Monfort wrote:
> Control: tags -1 confirmed
> 
> On 11/11/15 14:21, Markus Koschany wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: transition
>>
>> Hello release team,
>>
>> I would like to request a transition for Bullet 2.83.6.
>> Upstream made a backward-incompatible ABI change between
>> version 2.83.5 and 2.83.6 without changing the SONAME too.
> 
> You can go ahead and upload this to unstable.
> 
> Emilio

Uploaded to unstable.

Regards,

Markus






Bug#804775: transition: bullet

2015-11-11 Thread Emilio Pozuelo Monfort
Control: tags -1 confirmed

On 11/11/15 14:21, Markus Koschany wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> 
> Hello release team,
> 
> I would like to request a transition for Bullet 2.83.6.
> Upstream made a backward-incompatible ABI change between
> version 2.83.5 and 2.83.6 without changing the SONAME too.

You can go ahead and upload this to unstable.

Emilio



Bug#804775: transition: bullet

2015-11-11 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hello release team,

I would like to request a transition for Bullet 2.83.6.
Upstream made a backward-incompatible ABI change between
version 2.83.5 and 2.83.6 without changing the SONAME too.

https://bugs.debian.org/801914

I have renamed the binary packages and added Breaks and Replaces
against the older version. The package is ready in experimental.

All reverse-dependencies should be binNMUable without requiring any
further action.

The r-deps are:

hkl
gazebo
cyphesis-cpp
openmw


Ben file:

title = "bullet";
is_affected = 
/\b(libbulletcollision2\.83\.6|libbulletdynamics2\.83\.6|libbulletfileloader2\.83\.6|libbulletsoftbody2\.83\.6|libbulletworldimporter2\.83\.6|libbulletxmlworldimporter2\.83\.6|libconvexdecomposition2\.83\.6|libgimpactutils2\.83\.6|libhacd2\.83\.6|liblinearmath2\.83\.6|libbulletcollision2\.83v5|libbulletdynamics2\.83v5|libbulletfileloader2\.83v5|libbulletsoftbody2\.83v5|libbulletworldimporter2\.83v5|libbulletxmlworldimporter2\.83v5|libconvexdecomposition2\.83v5|libgimpactutils2\.83v5|libhacd2\.83v5|liblinearmath2\.83v5)\b/;

is_good = 
/\b(libbulletcollision2\.83\.6|libbulletdynamics2\.83\.6|libbulletfileloader2\.83\.6|libbulletsoftbody2\.83\.6|libbulletworldimporter2\.83\.6|libbulletxmlworldimporter2\.83\.6|libconvexdecomposition2\.83\.6|libgimpactutils2\.83\.6|libhacd2\.83\.6|liblinearmath2\.83\.6)\b/;

is_bad = 
/\b(libbulletcollision2\.83v5|libbulletdynamics2\.83v5|libbulletfileloader2\.83v5|libbulletsoftbody2\.83v5|libbulletworldimporter2\.83v5|libbulletxmlworldimporter2\.83v5|libconvexdecomposition2\.83v5|libgimpactutils2\.83v5|libhacd2\.83v5|liblinearmath2\.83v5)\b/;

Regards,

Markus



Processed: Re: Bug#804775: transition: bullet

2015-11-11 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed
Bug #804775 [release.debian.org] transition: bullet
Added tag(s) confirmed.

-- 
804775: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804775
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#802851: jessie-pu: package qpsmtpd/0.84-11

2015-11-11 Thread Devin Carraway
On Sun, Oct 25, 2015 at 01:23:11PM +, Adam D. Barratt wrote:

> While the proposed patch on its own looks fine, in order for us to give
> an ack on the upload please prepare, build and test a package on jessie
> - versioned as 0.84-11+deb8u1 rather than -12 - and send the source
> debdiff to this bug report.

Debdiff attached.

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 4096R/9197B5F9: 9C64 37CD 1B7B 029D 0933  49EA 1E52 7672 9197 B5F9
diff -Nru qpsmtpd-0.84/debian/changelog qpsmtpd-0.84/debian/changelog
--- qpsmtpd-0.84/debian/changelog   2013-08-13 00:39:07.0 -0700
+++ qpsmtpd-0.84/debian/changelog   2015-11-11 00:18:17.0 -0800
@@ -1,3 +1,11 @@
+qpsmtpd (0.84-11+deb8u1) stable; urgency=medium
+
+  * Patch for compatibility-breaker change in Net::DNS (Closes: #795836)
+  * Depend on libnet-dns-perl >= 0.81, since 0.66 from oldstable has the
+opposite compatibility problem
+
+ -- Devin Carraway   Sat, 24 Oct 2015 07:27:50 +
+
 qpsmtpd (0.84-11) unstable; urgency=low
 
   * Add Japanese debconf translation; thanks to victory (Closes:
diff -Nru qpsmtpd-0.84/debian/control qpsmtpd-0.84/debian/control
--- qpsmtpd-0.84/debian/control 2013-07-01 19:28:34.0 -0700
+++ qpsmtpd-0.84/debian/control 2015-10-24 01:04:20.0 -0700
@@ -7,7 +7,7 @@
 
 Package: qpsmtpd
 Architecture: all
-Depends: ${misc:Depends}, ${perl:Depends}, debconf (>= 1.0.0), adduser (>= 
3.0), libdigest-hmac-perl, libmail-spf-perl (>= 2.8.0), libnet-dns-perl, 
libnet-perl, libmailtools-perl, libipc-shareable-perl, libclamav-client-perl, 
libsocket6-perl, libio-socket-inet6-perl
+Depends: ${misc:Depends}, ${perl:Depends}, debconf (>= 1.0.0), adduser (>= 
3.0), libdigest-hmac-perl, libmail-spf-perl (>= 2.8.0), libnet-dns-perl (>= 
0.81), libnet-perl, libmailtools-perl, libipc-shareable-perl, 
libclamav-client-perl, libsocket6-perl, libio-socket-inet6-perl
 Suggests: spamassassin (>= 3.0.0), clamav-daemon, tinycdb
 Homepage: http://smtpd.develooper.com/
 Description: Flexible SMTP daemon for network-level spam detection
diff -Nru qpsmtpd-0.84/debian/files qpsmtpd-0.84/debian/files
--- qpsmtpd-0.84/debian/files   1969-12-31 16:00:00.0 -0800
+++ qpsmtpd-0.84/debian/files   2015-11-11 00:22:31.0 -0800
@@ -0,0 +1 @@
+qpsmtpd_0.84-11+deb8u1_all.deb mail extra
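Review bot: debian/files is generated during the package build and is not part of the source package; its appearance here as a new file means the debdiff was taken from a tree that had already been built. Clean the tree (or build the source package from a clean export) and regenerate the debdiff so this hunk disappears.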
diff -Nru qpsmtpd-0.84/debian/patches/netdns_header_compat-bug795836.patch 
qpsmtpd-0.84/debian/patches/netdns_header_compat-bug795836.patch
--- qpsmtpd-0.84/debian/patches/netdns_header_compat-bug795836.patch
1969-12-31 16:00:00.0 -0800
+++ qpsmtpd-0.84/debian/patches/netdns_header_compat-bug795836.patch
2015-10-24 00:25:59.0 -0700
@@ -0,0 +1,13 @@
+Index: qpsmtpd-0.84/qpsmtpd-forkserver
+===
+--- qpsmtpd-0.84.orig/qpsmtpd-forkserver   2015-10-24 05:35:24.0 
+
 qpsmtpd-0.84/qpsmtpd-forkserver2015-10-24 07:23:18.815328768 +
+@@ -281,7 +281,7 @@
+ # all children should have different seeds, to prevent conflicts
+ srand();
+ for (0 .. rand(65536)) {
+-  Net::DNS::Header::nextid();
++  Net::DNS::Header::id();
+ }
+   
+ close $_ for $select->handles;
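Review bot: The replacement line "Net::DNS::Header::id();" is called as a plain function with no header object and its result discarded, while the comment above it says the loop exists so that all children have different seeds. Please state in a patch header (this file starts directly at "Index:" with no Description or Bug-Debian fields) why id() called this way still advances the sequence in the Net::DNS versions allowed by the new >= 0.81 dependency.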
diff -Nru qpsmtpd-0.84/debian/patches/series qpsmtpd-0.84/debian/patches/series
--- qpsmtpd-0.84/debian/patches/series  2013-07-01 19:21:52.0 -0700
+++ qpsmtpd-0.84/debian/patches/series  2015-10-24 00:23:00.0 -0700
@@ -2,3 +2,4 @@
 spf_plugin-upstream-02912602842.patch
 spf_plugin-bug693181.patch
 ipv6_warnings-bug693179.patch
+netdns_header_compat-bug795836.patch




Bug#789214: jessie-pu: package cloud-init/0.7.6~bzr976-2 -> -3

2015-11-11 Thread Charles Plessy
On Sun, Oct 18, 2015 at 01:13:26AM +0200, Thomas Goirand wrote:
> 
> Ping? Is there anyone from the stable release team that could spend a
> bit of time here?

Hello everybody,

I propose that we declare time bankruptcy on that issue, give up on fixing it,
and update Sid's package instead, which is now seriously outdated.

Regardless of this bug, there will be the demand for a backport of the version
in Squeeze, which will satisfy Jessie users almost as well as a stable update.

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan



Processed: add block

2015-11-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> block 789077 by 804799
Bug #789077 [release.debian.org] transition: ruby2.2
789077 was blocked by: 791848 803489 803589 791846 791847 803587
789077 was not blocking any bugs.
Added blocking bug(s) of 789077: 804799
> --
Stopping processing here.

Please contact me if you need assistance.
-- 
789077: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789077
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#802851: jessie-pu: package qpsmtpd/0.84-11

2015-11-11 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 -moreinfo +confirmed
Bug #802851 [release.debian.org] jessie-pu: package qpsmtpd/0.84-11
Removed tag(s) moreinfo.
Bug #802851 [release.debian.org] jessie-pu: package qpsmtpd/0.84-11
Added tag(s) confirmed.

-- 
802851: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802851
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#802851: jessie-pu: package qpsmtpd/0.84-11

2015-11-11 Thread Adam D. Barratt
Control: tags -1 -moreinfo +confirmed

On Wed, 2015-11-11 at 00:36 -0800, Devin Carraway wrote:
> On Sun, Oct 25, 2015 at 01:23:11PM +, Adam D. Barratt wrote:
> 
> > While the proposed patch on its own looks fine, in order for us to give
> > an ack on the upload please prepare, build and test a package on jessie
> > - versioned as 0.84-11+deb8u1 rather than -12 - and send the source
> > debdiff to this bug report.
> 
> Debdiff attached.

diff -Nru qpsmtpd-0.84/debian/files qpsmtpd-0.84/debian/files
--- qpsmtpd-0.84/debian/files   1969-12-31 16:00:00.0 -0800
+++ qpsmtpd-0.84/debian/files   2015-11-11 00:22:31.0 -0800
@@ -0,0 +1 @@
+qpsmtpd_0.84-11+deb8u1_all.deb mail extra

That shouldn't really be ending up in the diff.

Other than that, please go ahead; thanks.

Regards,

Adam



Bug#804810: RM: python-repoze.what/1.0.9-5

2015-11-11 Thread Clint Byrum
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

This package is blocking python-repoze.who 2.2-2 from entering testing.
That, in turn, blocks python-pysaml2 v3 from entering testing, which is
in turn blocking keystone from entering testing.

Meanwhile, the project upstream has not received any commits for several
years. The only real reverse dependency in the archive, turbogears2
will hopefully remove the dependency on python-repoze.what-plugins given
this bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804809

tg.devtools is already removed from testing and so would not block this.

So, once that bug is acted upon, it should be quite simple to
remove this and python-repoze.what-plugins from testing (and likely
eventually from the archive if they are not updated to work with modern
python-repoze.who).