squid3 update for Jessie fixing #728144 #771778
Hi releasers,

I plan to upload a squid3_3.4.8-6+deb8u3 package with the fix for #728144 which is coming from the upstream patch at http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13698.patch if you agree to let me do so.

Best regards,

L

-- 
Luigi Gangitano -- <lu...@debian.org> -- <gangit...@lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
GPG: 4096R/2BA97CED: 8D48 5A35 FF1E 6EB7 90E5 0F6D 0284 F20C 2BA9 7CED
Bug#819901: nmu: squid3_3.4.8-6+deb8u2~bpo70+1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hello,

My local build system got corrupted and this backport for wheezy was wrongly built on a squeeze build environment. The amd64 build is thus corrupted and needs to be rebuilt.

Regards,

L

nmu squid3_3.4.8-6+deb8u2~bpo70+1 . amd64 . wheezy-backports . -m "Rebuild to fix libc6, libstdc++6 dependency error on maintainer build system"
Bug#776472: unblock: squid3/3.4.8-6
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package squid3

Version 3.4.8-6 includes upstream fixes for 4 critical bugs (two high CPU/memory usage and two minor security issues) and a major usability issue in squidclient on default installation with localhost linked to both IPv4 and IPv6 addresses.

Debdiff follows.

diff -Nru squid3-3.4.8/debian/changelog squid3-3.4.8/debian/changelog --- squid3-3.4.8/debian/changelog 2014-12-16 14:33:14.0 +0100 +++ squid3-3.4.8/debian/changelog 2015-01-28 12:59:07.0 +0100 @@ -1,3 +1,27 @@ +squid3 (3.4.8-6) unstable; urgency=medium + + [ Luigi Gangitano lu...@debian.org ] + * debian/patches/31-squid-3.4-13199.patch +- Added upstream patch fixing excessive CPU usage (Closes: #776461) + + * debian/patches/32-squid-3.4-13210.patch +- Added upstream patch fixing excessive CPU and memory usage in + NTLM and Negotiate authentication helpers (Closes: #776463) + + * debian/patches/33-squid-3.4-13211.patch +- Added upstream patch fixing a possible replay vulnerability on Digest + authentication (Closes: #776464) + + * debian/patches/34-squid-3.4-13213.patch +- Added upstream patch fixing incorrect security permissions for + TOS/DiffServ packet marking (Closes: #776468) + + * debian/patches/35-squid-3.4-13203.patch +- Added upstream patch fixing squidclient unable to connect to host with + both IPv4 and IPv6 addresses (Closes: #742425) + + -- Luigi Gangitano lu...@debian.org Wed, 28 Jan 2015 12:34:42 +0100 + squid3 (3.4.8-5) unstable; urgency=medium [ Luigi Gangitano lu...@debian.org ] diff -Nru squid3-3.4.8/debian/patches/31-squid-3.4-13199.patch squid3-3.4.8/debian/patches/31-squid-3.4-13199.patch --- squid3-3.4.8/debian/patches/31-squid-3.4-13199.patch1970-01-01 01:00:00.0 +0100 +++ squid3-3.4.8/debian/patches/31-squid-3.4-13199.patch2015-01-28 12:59:07.0 +0100
@@ -0,0 +1,28 @@ +From: Luigi Gangitano lu...@debian.org +Date: Wed, 28 Jan 2015 12:27:49 +0100 +Subject: 31-squid-3.4-13199.patch Deleting first fs left psstate-servers + pointing to uninitialized memory, fixing excessive use of CPU + +--- + src/peer_select.cc | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/peer_select.cc b/src/peer_select.cc +index 19e3371..9c26a20 100644 +--- a/src/peer_select.cc b/src/peer_select.cc +@@ -271,11 +271,12 @@ peerSelectDnsPaths(ps_state *psstate) + // due to the allocation method of fs, we must deallocate each manually. + // TODO: use a std::list so we can get the size and abort adding whenever the selection loops reach Config.forward_max_tries + if (fs psstate-paths-size() = (unsigned int)Config.forward_max_tries) { ++assert(fs == psstate-servers); + while (fs) { +-FwdServer *next = fs-next; ++psstate-servers = fs-next; + cbdataReferenceDone(fs-_peer); + memFree(fs, MEM_FWD_SERVER); +-fs = next; ++fs = psstate-servers; + } + } + diff -Nru squid3-3.4.8/debian/patches/32-squid-3.4-13210.patch squid3-3.4.8/debian/patches/32-squid-3.4-13210.patch --- squid3-3.4.8/debian/patches/32-squid-3.4-13210.patch1970-01-01 01:00:00.0 +0100 +++ squid3-3.4.8/debian/patches/32-squid-3.4-13210.patch2015-01-28 12:59:07.0 +0100 
@@ -0,0 +1,94 @@ +From: Luigi Gangitano lu...@debian.org +Date: Wed, 28 Jan 2015 12:28:51 +0100 +Subject: squid-3.4-13210.patch Fixes excessive NTLM or Negotiate auth helper + annotations, which lead to excessive CPU and memory use + +--- + src/Notes.cc | 15 +++ + src/Notes.h | 5 + + src/auth/digest/UserRequest.cc| 2 ++ + src/auth/negotiate/UserRequest.cc | 2 ++ + src/auth/ntlm/UserRequest.cc | 2 ++ + 5 files changed, 26 insertions(+) + +diff --git a/src/Notes.cc b/src/Notes.cc +index 0003956..13d530e 100644 +--- a/src/Notes.cc b/src/Notes.cc +@@ -189,6 +189,21 @@ NotePairs::add(const char *key, const char *note) + } + + void ++NotePairs::remove(const char *key) ++{ ++VectorNotePairs::Entry *::iterator i = entries.begin(); ++while (i != entries.end()) { ++if ((*i)-name.cmp(key) == 0) { ++NotePairs::Entry *e = (*i); ++entries.prune(e); ++delete e; ++i = entries.begin(); // vector changed underneath us ++} else ++++i; ++} ++} ++ ++void + NotePairs::addStrList(const char *key, const char *values) + { + String strValues(values); +diff --git a/src/Notes.h b/src/Notes.h +index 47950d4..401c8b9 100644 +--- a/src/Notes.h b/src/Notes.h +@@ -155,6 +155,11 @@ public: + void add(const char *key, const char *value); + + /** ++ * Remove all notes with a given key. ++ */ ++void remove(const char *key
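Review bot: the `assert(fs == psstate-servers)` added at the top of the cleanup loop in src/peer_select.cc (31-squid-3.4-13199.patch) aborts the worker outright if a caller ever passes a non-head `fs`, which is a deliberate and acceptable trade here: the bug being fixed left `psstate-servers` pointing at freed memory, and failing loudly is preferable to spinning on a dangling pointer, while the loop body now advances `psstate-servers = fs-next` before `memFree(fs, MEM_FWD_SERVER)` so the list head is never stale. Note that the C operators have been lost in this rendering (`fs psstate-paths-size() = (unsigned int)Config.forward_max_tries` and `psstate-servers` have no `&&`, `>=` or `->`), so the file has to be taken from upstream changeset squid-3.4-13199 named in the patch subject, not from this message.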
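Review bot: `NotePairs::remove()` in src/Notes.cc (32-squid-3.4-13210.patch) rewinds to `entries.begin()` after every `prune`, so removing a key that occurs k times among n entries costs O(k·n); since this fix exists precisely because the NTLM and Negotiate helpers were producing an excessive number of annotations, a single forward pass that erases matching entries without restarting would serve the stated purpose better, or at least the "vector changed underneath us" comment should say why a rewind is required. The companion declaration hunk in src/Notes.h is cut off in this message after `void remove(const char *key`, so it cannot be checked against the definition here.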
Bug#773290: unblock: squid3/3.4.8-5
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package squid3

This version fixes serious bug #773032, which affects upgrades from wheezy to jessie when no change has been made to the original configuration file.

diff -Nru squid3-3.4.8/debian/changelog squid3-3.4.8/debian/changelog --- squid3-3.4.8/debian/changelog 2014-12-05 10:46:41.0 +0100 +++ squid3-3.4.8/debian/changelog 2014-12-16 14:33:14.0 +0100 @@ -1,3 +1,11 @@ +squid3 (3.4.8-5) unstable; urgency=medium + + [ Luigi Gangitano lu...@debian.org ] + * debian/squid3.{pre,post}inst +- Moved ACL manager fix to postinst (Closes: #773032) + + -- Luigi Gangitano lu...@debian.org Tue, 16 Dec 2014 13:43:03 +0100 + squid3 (3.4.8-4) unstable; urgency=medium [ Luigi Gangitano lu...@debian.org ] diff -Nru squid3-3.4.8/debian/squid3.postinst squid3-3.4.8/debian/squid3.postinst --- squid3-3.4.8/debian/squid3.postinst 2014-12-05 10:46:41.0 +0100 +++ squid3-3.4.8/debian/squid3.postinst 2014-12-16 14:33:14.0 +0100
@@ -62,8 +62,28 @@ echo Creating Squid HTTP proxy 3.x spool directory structure squid3 -z fi + + # + # Remove obsolete manager ACL definition. + # It will halt upgrade with fatal error if left. + # + if test -f /etc/squid3/squid.conf dpkg --compare-versions $2 lt '3.4' grep -q ^[[:blank:]]*acl manager /etc/squid3/squid.conf ; then + echo Filtering squid.conf manager ACL. + cp /etc/squid3/squid.conf /etc/squid3/squid.conf.pre_3.4_upgrade + sed -e s/^\([ \t]*acl manager.*\)/# \1 # Commented out on upgrade to 3.4/ /etc/squid3/squid.conf.pre_3.4_upgrade /etc/squid3/squid.conf + fi + ;; + abort-upgrade) + # + # Revert the automated configuration changes we may have done + # + if test -f /etc/squid3/squid.conf.pre_3.4_upgrade; then + echo Removing squid.conf changes. + mv /etc/squid3/squid.conf.pre_3.4_upgrade /etc/squid3/squid.conf + fi + exit 0 ;; - abort-upgrade|abort-remove|abort-deconfigure) + abort-remove|abort-deconfigure) ;; *) # diff -Nru squid3-3.4.8/debian/squid3.preinst squid3-3.4.8/debian/squid3.preinst --- squid3-3.4.8/debian/squid3.preinst 2014-12-05 10:46:41.0 +0100 +++ squid3-3.4.8/debian/squid3.preinst 2014-12-16 14:33:14.0 +0100 
@@ -4,24 +4,8 @@ case $1 in upgrade|install-upgrade) - # - # Remove obsolete manager ACL definition. - # It will halt upgrade with fatal error if left. - # - if test -f /etc/squid3/squid.conf dpkg --compare-versions $2 lt '3.4.8-3' grep -q ^[[:blank:]]*acl manager /etc/squid3/squid.conf ; then - echo Filtering squid.conf manager ACL. - cp /etc/squid3/squid.conf /etc/squid3/squid.conf.pre_3.4_upgrade - sed -e s/^\([ \t]*acl manager.*\)/# \1 # Commented out on upgrade to 3.4/ /etc/squid3/squid.conf.pre_3.4_upgrade /etc/squid3/squid.conf - fi ;; abort-upgrade) - # - # Revert the automated configuration changes we may have done - # - if test -f /etc/squid3/squid.conf.pre_3.4_upgrade; then - echo Removing squid.conf changes. - mv /etc/squid3/squid.conf.pre_3.4_upgrade /etc/squid3/squid.conf - fi exit 0 ;; esac unblock squid3/3.4.8-5 -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Foreign Architectures: amd64 Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores) Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: sysvinit (via /sbin/init) -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20141216135117.20642.45063.report...@debian.openconsulting.it
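Review bot: the filtering block added to squid3.postinst after the spool directory creation copies squid.conf to /etc/squid3/squid.conf.pre_3.4_upgrade before running sed, but only the new `abort-upgrade)` case ever removes that file, so after a successful upgrade the backup stays in /etc/squid3 indefinitely; either delete it at the end of the `if` block once the filtered file is in place, or say in NEWS.Debian that it is left behind. Moving the block out of preinst is the right fix for #773032: in postinst the grep runs after dpkg has finished its conffile handling, so a wheezy squid.conf that was never edited is simply replaced by the new one and never matches, whereas editing it in preinst made it look locally modified. As rendered here the `&&` operators between `test -f`, `dpkg --compare-versions $2 lt '3.4'` and `grep -q` and the `>` redirect before the output file of `sed` are missing, so the script cannot be applied from this text.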
Bug#772091: unblock: squid3/3.4.8-4
retitle 772091 unblock: squid3/3.4.8-4
thanks

I uploaded a new version with a small fix to preinst script. Please see below the debdiff since version currently in testing (3.4.8-2).

Thanks,

L

Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package squid3 before stricter freeze policy applies

3.4.8-4 fixes an important bug (#768170) which prevents squid3 from starting after upgrade from wheezy with standard config.

diff -Nru squid3-3.4.8/debian/changelog squid3-3.4.8/debian/changelog --- squid3-3.4.8/debian/changelog 2014-10-29 15:51:34.0 +0100 +++ squid3-3.4.8/debian/changelog 2014-12-05 10:46:41.0 +0100 @@ -1,3 +1,25 @@ +squid3 (3.4.8-4) unstable; urgency=medium + + [ Luigi Gangitano lu...@debian.org ] + * debian/squid3.preinst +- Revert changes on abort-upgrade + + -- Luigi Gangitano lu...@debian.org Fri, 05 Dec 2014 10:44:02 +0100 + +squid3 (3.4.8-3) unstable; urgency=medium + + [ Amos Jeffries amosjeffr...@squid-cache.org ] + * debian/squid3.preinst +- Remove obsolete manager ACL definition from squid.conf + when upgrading squid3 package (Closes: #768170) + + + [ Luigi Gangitano lu...@debian.org ] + * debian/squid3.preinst +- Fix configuration file only if needed and match any uncommented line + + -- Luigi Gangitano lu...@debian.org Fri, 5 Dec 2014 01:27:51 +0100 + squid3 (3.4.8-2) unstable; urgency=medium [ Santiago Garcia Mantinan ma...@debian.org ] diff -Nru squid3-3.4.8/debian/squid3.preinst squid3-3.4.8/debian/squid3.preinst --- squid3-3.4.8/debian/squid3.preinst 2014-10-29 15:51:34.0 +0100 +++ squid3-3.4.8/debian/squid3.preinst 2014-12-05 10:46:41.0 +0100
@@ -4,8 +4,24 @@ case $1 in upgrade|install-upgrade) + # + # Remove obsolete manager ACL definition. + # It will halt upgrade with fatal error if left. + # + if test -f /etc/squid3/squid.conf dpkg --compare-versions $2 lt '3.4.8-3' grep -q ^[[:blank:]]*acl manager /etc/squid3/squid.conf ; then + echo Filtering squid.conf manager ACL. + cp /etc/squid3/squid.conf /etc/squid3/squid.conf.pre_3.4_upgrade + sed -e s/^\([ \t]*acl manager.*\)/# \1 # Commented out on upgrade to 3.4/ /etc/squid3/squid.conf.pre_3.4_upgrade /etc/squid3/squid.conf + fi ;; abort-upgrade) + # + # Revert the automated configuration changes we may have done + # + if test -f /etc/squid3/squid.conf.pre_3.4_upgrade; then + echo Removing squid.conf changes. + mv /etc/squid3/squid.conf.pre_3.4_upgrade /etc/squid3/squid.conf + fi exit 0 ;; esac unblock squid3/3.4.8-4 -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores) Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: sysvinit (via /sbin/init) -- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26 GPG: 4096R/2BA97CED: 8D48 5A35 FF1E 6EB7 90E5 0F6D 0284 F20C 2BA9 7CED -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/efcb635e-446f-457f-b2a0-ff9e321a3...@debian.org
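Review bot: rewriting /etc/squid3/squid.conf in preinst happens before dpkg compares the conffile with the wheezy version, so a squid.conf the admin never touched now differs from the shipped one and dpkg will treat it as locally modified instead of installing the 3.4.8 conffile; the 3.4.8-5 upload earlier on this page moves this same block to postinst for exactly that reason (#773032), so the unblock is better spent on that version. Within this hunk the `abort-upgrade)` case now tests and moves the same `squid.conf.pre_3.4_upgrade` name the `upgrade|install-upgrade)` case creates, which repairs the filename mismatch of the 3.4.8-3 script. The `&&` between `test -f`, `dpkg --compare-versions $2 lt '3.4.8-3'` and `grep -q`, and the `>` before the output file of `sed`, are lost in this rendering.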
Bug#772091: unblock: squid3/3.4.8-3
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package squid3 before stricter freeze policy applies

3.4.8-3 fixes an important bug (#768170) which prevents squid3 from starting after upgrade from wheezy with standard config.

--- squid3-3.4.8/debian/changelog 2014-10-29 15:51:34.0 +0100 +++ squid3-3.4.8/debian/changelog 2014-12-05 01:28:34.0 +0100 @@ -1,3 +1,17 @@ +squid3 (3.4.8-3) unstable; urgency=medium + + [ Amos Jeffries amosjeffr...@squid-cache.org ] + * debian/squid3.preinst +- Remove obsolete manager ACL definition from squid.conf + when upgrading squid3 package (Closes: #768170) + + + [ Luigi Gangitano lu...@debian.org ] + * debian/squid3.preinst +- Fix configuration file only if needed and match any uncommented line + + -- Luigi Gangitano lu...@debian.org Fri, 5 Dec 2014 01:27:51 +0100 + squid3 (3.4.8-2) unstable; urgency=medium [ Santiago Garcia Mantinan ma...@debian.org ] diff -Nru squid3-3.4.8/debian/squid3.preinst squid3-3.4.8/debian/squid3.preinst --- squid3-3.4.8/debian/squid3.preinst 2014-10-29 15:51:34.0 +0100 +++ squid3-3.4.8/debian/squid3.preinst 2014-12-05 01:28:34.0 +0100
@@ -4,8 +4,24 @@ case $1 in upgrade|install-upgrade) + # + # Remove obsolete manager ACL definition. + # It will halt upgrade with fatal error if left. + # + if test -f /etc/squid3/squid.conf dpkg --compare-versions $2 lt '3.4.8-3' grep -q ^[[:blank:]]*acl manager /etc/squid3/squid.conf ; then + echo Filtering squid.conf manager ACL. + cp /etc/squid3/squid.conf /etc/squid3/squid.conf.pre_3.4_upgrade + sed -e s/^\([ \t]*acl manager.*\)/# \1 # Commented out on upgrade to 3.4/ /etc/squid3/squid.conf.pre_3.4_upgrade /etc/squid3/squid.conf + fi ;; abort-upgrade) + # + # Revert the automated configuration changes we may have done + # + if test -f /etc/squid3/squid.conf.upgrade-backup; then + echo Removing squid.conf changes. + mv /etc/squid3/squid.conf.upgrade-backup /etc/squid3/squid.conf + fi exit 0 ;; esac unblock squid3/3.4.8-3 -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores) Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: sysvinit (via /sbin/init) -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20141205003647.5828.70173.report...@debian.openconsulting.it
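Review bot: the `abort-upgrade)` branch tests for and moves /etc/squid3/squid.conf.upgrade-backup, but the `upgrade|install-upgrade)` branch above it writes the backup to /etc/squid3/squid.conf.pre_3.4_upgrade, so the revert can never fire and an aborted upgrade leaves the commented-out `acl manager` line in place with the backup file orphaned; the two names must match (the 3.4.8-4 debdiff on this page uses `squid.conf.pre_3.4_upgrade` in both branches and its changelog entry "Revert changes on abort-upgrade" is this fix). The `&&` operators in the `if test -f ... dpkg --compare-versions ... grep -q ...` condition and the `>` redirect after `sed` are missing as rendered here.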
Bug#769014: unblock: libecap/0.2.0-3
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libecap

Version 0.2.0-3 fixes an RC bug caused by upstream autoconf which prevented libecap from building on several new architectures.

diff -Nru libecap-0.2.0/debian/changelog libecap-0.2.0/debian/changelog --- libecap-0.2.0/debian/changelog 2012-12-05 20:11:58.0 +0100 +++ libecap-0.2.0/debian/changelog 2014-11-10 19:24:58.0 +0100 @@ -1,3 +1,22 @@ +libecap (0.2.0-3) unstable; urgency=low + + * Enable 'foreign' automake option, thanks to Andrey Rahmatullin +(Closes: #766492) + + -- Luigi Gangitano lu...@debian.org Mon, 10 Nov 2014 19:21:04 +0100 + +libecap (0.2.0-2) unstable; urgency=low + + * Fix FTBFS on new ports, thanks to Breno Leitao (Closes: #748292) + + * debian/copyright +- Fixed short name for BSD license + + * debian/control +- Bumped Standard-Version to 3.9.6 (no change needed) + + -- Luigi Gangitano lu...@debian.org Mon, 20 Oct 2014 19:21:04 +0200 + libecap (0.2.0-1) unstable; urgency=low * Initial release (Closes: #634204) diff -Nru libecap-0.2.0/debian/control libecap-0.2.0/debian/control --- libecap-0.2.0/debian/control2012-12-05 20:03:23.0 +0100 +++ libecap-0.2.0/debian/control2014-11-10 19:24:58.0 +0100 @@ -1,8 +1,8 @@ Source: libecap Priority: extra Maintainer: Luigi Gangitano lu...@debian.org -Build-Depends: debhelper (= 8.0.0), autotools-dev, cdbs -Standards-Version: 3.9.2 +Build-Depends: debhelper (= 8.0.0), autotools-dev, cdbs, dh-autoreconf +Standards-Version: 3.9.6 Section: libs Homepage: http://www.e-cap.org/Downloads diff -Nru libecap-0.2.0/debian/copyright libecap-0.2.0/debian/copyright --- libecap-0.2.0/debian/copyright 2011-07-17 20:20:51.0 +0200 +++ libecap-0.2.0/debian/copyright 2014-11-10 19:24:58.0 +0100
@@ -4,7 +4,7 @@ Files: * Copyright: 2008 Alex Rousskov and The Measurement Factory -License: Simplified BSD +License: BSD-2-Clause Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . diff -Nru libecap-0.2.0/debian/patches/automake-foreign.patch libecap-0.2.0/debian/patches/automake-foreign.patch --- libecap-0.2.0/debian/patches/automake-foreign.patch 1970-01-01 01:00:00.0 +0100 +++ libecap-0.2.0/debian/patches/automake-foreign.patch 2014-11-10 19:24:58.0 +0100 @@ -0,0 +1,16 @@ +Description: Set the foreign option for automake +Author: Andrey Rahmatullin w...@debian.org +Bug-Debian: https://bugs.debian.org/766492 +Last-Update: 2014-11-08 + +--- libecap-0.2.0.orig/configure.in libecap-0.2.0/configure.in +@@ -14,7 +14,7 @@ AC_CONFIG_SRCDIR([src/libecap/adapter/se + AC_CONFIG_HEADERS(src/libecap/common/ac-autoconf.h) + AX_PREFIX_CONFIG_H(src/libecap/common/autoconf.h) + +-AM_INIT_AUTOMAKE([nostdinc]) ++AM_INIT_AUTOMAKE([nostdinc foreign]) + AM_MAINTAINER_MODE + + LT_INIT diff -Nru libecap-0.2.0/debian/patches/series libecap-0.2.0/debian/patches/series --- libecap-0.2.0/debian/patches/series 1970-01-01 01:00:00.0 +0100 +++ libecap-0.2.0/debian/patches/series 2014-11-10 19:24:58.0 +0100 @@ -0,0 +1 @@ +automake-foreign.patch diff -Nru libecap-0.2.0/debian/rules libecap-0.2.0/debian/rules --- libecap-0.2.0/debian/rules 2012-12-05 20:10:06.0 +0100 +++ libecap-0.2.0/debian/rules 2014-11-10 19:24:58.0 +0100 
@@ -2,6 +2,7 @@ include /usr/share/cdbs/1/rules/debhelper.mk include /usr/share/cdbs/1/class/autotools.mk +include /usr/share/cdbs/1/rules/autoreconf.mk override_dh_installchangelogs: dh_installchangelogs change.log upstream unblock libecap/0.2.0-3 -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores) Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20141110183830.26903.4386.report...@debian.openconsulting.it
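Review bot: the `foreign` option added in `AM_INIT_AUTOMAKE([nostdinc foreign])` is what lets the new build-time autoreconf (dh-autoreconf in Build-Depends, `include /usr/share/cdbs/1/rules/autoreconf.mk` in debian/rules) succeed: under automake's default `gnu` strictness the run fails when the GNU standard files (NEWS, README, AUTHORS, ChangeLog) are absent from the source tree, and with 0.2.0-2 switching to regenerating the build system at package build time that check started to bite. The DEP-3 header (Author, Bug-Debian, Last-Update) is complete; a `Forwarded:` line saying whether upstream has the change would round it off. The relational operator in `debhelper (= 8.0.0)` has been lost in this rendering and should read `>=` in the actual control file.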
Bug#767256: unblock: squid3/3.4.8-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package squid3

3.4.8-2 uploaded today fixes a bunch of important bugs (#732183, #760400, #763867, #761209, #728222, #765476).

unblock squid3/3.4.8-2

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.16-3-686-pae (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Archive: https://lists.debian.org/20141029160812.2315.15109.report...@debian.openconsulting.it
squid3_3.4.8-1 waiting in unstable with security fixes
Hi releasers,

squid3 is being handled by a team effort finally, just in time for Jessie. We uploaded a new upstream with some simple fixes for the most critical bugs last week. Can you please review it and allow it in testing?

Thanks,

L

-- 
Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
GPG: 4096R/2BA97CED: 8D48 5A35 FF1E 6EB7 90E5 0F6D 0284 F20C 2BA9 7CED
Re: squid3_3.4.8-1 waiting in unstable with security fixes
On 20 Oct 2014, at 19:14, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:

> On Mon, 2014-10-20 at 19:09 +0200, Luigi Gangitano wrote:
>> squid3 is being handled by a team effort finally, just in time for Jessie. We uploaded a new upstream with some simple fixes for the most critical bugs last week. Can you please review it and allow it in testing?
>
> Review isn't the main issue right now (although the size of the diff is unpleasant). Rather:
>
> out of date on kfreebsd-amd64: squid-cgi, squid-purge, squid3, squid3-common, squid3-dbg, squidclient (from 3.3.8-1.2)
> out of date on kfreebsd-i386: squid-cgi, squid-purge, squid3, squid3-common, squid3-dbg, squidclient (from 3.3.8-1.2)

That is actually caused by #764897 and should be fixed as soon as the next package is uploaded.

Regards,

L

-- 
Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
GPG: 4096R/2BA97CED: 8D48 5A35 FF1E 6EB7 90E5 0F6D 0284 F20C 2BA9 7CED

Archive: https://lists.debian.org/d9630930-d9ea-4687-911f-f97135752...@debian.org
Bug#751477: wheezy-pu: package squid3/3.1.20-2.2+deb7u1 (NMU)
Hi,

Thanks Helmut for taking care of this bug.

Release Team, I support this upload from Helmut.

Best regards,

L

On 13 Jun 2014, at 13:18, Helmut Grohne <hel...@subdivi.de> wrote:

> Package: release.debian.org
> Severity: normal
> Tags: wheezy
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-CC: Luigi Gangitano <lu...@debian.org>
>
> Dear release team,
>
> I intend to NMU squid3/3.1.20-2.2+deb7u1 to stable to fix #712754. The bug is about squid3 occasionally dying from an assertion failure. The bug is hard to trigger and the only parameter that is known to have an influence is load. After the main squid worker dies it is automatically restarted by its supervisor process. Still this bug causes pages to be truncated when squid crashes.
>
> Please find the proposed .debdiff attached. I am running it on my wheezy/amd64 server for testing and did not observe similar crashes or regressions since switching to the patched package.
>
> Can I go ahead and upload the fixed package?
>
> Helmut
>
> squid3_3.1.20-2.2+deb7u1.debdiff

-- 
Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
GPG: 4096R/2BA97CED: 8D48 5A35 FF1E 6EB7 90E5 0F6D 0284 F20C 2BA9 7CED

Archive: https://lists.debian.org/77cbecce-b7a2-42fa-b758-631ef4656...@debian.org
Bug#701474: unblock: drupal7/7.14-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package drupal7

7.14-2 backports the patch between 7.19 and 7.20, which fixes one DoS vulnerability in image derivatives generation:
http://drupal.org/SA-CORE-2013-002

Additionally it removes a false warning for security issues fixed upstream and integrated in Debian security patches:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700545

I'm including a debdiff against drupal7_7.14-1.3 currently in testing.

unblock drupal7/7.14-2

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

diff -Nru drupal7-7.14/debian/changelog drupal7-7.14/debian/changelog --- drupal7-7.14/debian/changelog 2013-01-29 19:22:30.0 +0100 +++ drupal7-7.14/debian/changelog 2013-02-23 16:25:12.0 +0100 @@ -1,3 +1,18 @@ +drupal7 (7.14-2) unstable; urgency=high + + [ Luigi Gangitano ] + * Urgency high due to security fixes + + * Acknowledge NMUs from Gunnar Wolf + + * Incorporated fix for DoS on image derivative generation +(Ref: SA-CORE-2013-002, CVE-2013-0316) (Closes: #701165) + + * Removed update warnings for Drupal core, since security fixes are provided +by Debian updates. (Closes: #700545) + + -- Luigi Gangitano lu...@debian.org Sat, 23 Feb 2013 15:12:35 +0100 + drupal7 (7.14-1.3) unstable; urgency=low * Non-maintainer upload. diff -Nru drupal7-7.14/debian/patches/70_SA-CORE-2013-002 drupal7-7.14/debian/patches/70_SA-CORE-2013-002 --- drupal7-7.14/debian/patches/70_SA-CORE-2013-002 1970-01-01 01:00:00.0 +0100 +++ drupal7-7.14/debian/patches/70_SA-CORE-2013-002 2013-02-23 16:16:02.0 +0100
@@ -0,0 +1,440 @@ +Origin: backport (diff between 7.19 and 7.20) +Forwarded: not-needed +From: Luigi Gangitano lu...@debian.org +Last-Update: 2013-02-23 +Applied-Upstream: Yes +Description: Fixes SA_CORE-2013-002 (DoS) + This patch is taken from the diff between 7.19 and 7.20, applying it + to the currently frozen version (7.14). For further details, the + advisory is in: + . + http://drupal.org/SA-CORE-2013-002 + +--- a/modules/image/image.module b/modules/image/image.module +@@ -30,11 +30,16 @@ + */ + define('IMAGE_STORAGE_MODULE', IMAGE_STORAGE_OVERRIDE | IMAGE_STORAGE_DEFAULT); + ++/** ++ * The name of the query parameter for image derivative tokens. ++ */ ++define('IMAGE_DERIVATIVE_TOKEN', 'itok'); ++ + // Load all Field module hooks for Image. + require_once DRUPAL_ROOT . '/modules/image/image.field.inc'; + + /** +- * Implement of hook_help(). ++ * Implements hook_help(). + */ + function image_help($path, $arg) { + switch ($path) { +@@ -766,16 +771,24 @@ + * The image style + */ + function image_style_deliver($style, $scheme) { +- // Check that the style is defined and the scheme is valid. +- if (!$style || !file_stream_wrapper_valid_scheme($scheme)) { +-drupal_exit(); +- } +- + $args = func_get_args(); + array_shift($args); + array_shift($args); + $target = implode('/', $args); + ++ // Check that the style is defined, the scheme is valid, and the image ++ // derivative token is valid. (Sites which require image derivatives to be ++ // generated without a token can set the 'image_allow_insecure_derivatives' ++ // variable to TRUE to bypass the latter check, but this will increase the ++ // site's vulnerability to denial-of-service attacks.) ++ $valid = !empty($style) file_stream_wrapper_valid_scheme($scheme); ++ if (!variable_get('image_allow_insecure_derivatives', FALSE)) { ++$valid = $valid isset($_GET[IMAGE_DERIVATIVE_TOKEN]) $_GET[IMAGE_DERIVATIVE_TOKEN] === image_style_path_token($style['name'], $scheme . '://' . 
$target); ++ } ++ if (!$valid) { ++return MENU_ACCESS_DENIED; ++ } ++ + $image_uri = $scheme . '://' . $target; + $derivative_uri = image_style_path($style['name'], $image_uri); + +@@ -960,6 +973,10 @@ + */ + function image_style_url($style_name, $path) { + $uri = image_style_path($style_name, $path); ++ // The token query is added even if the 'image_allow_insecure_derivatives' ++ // variable is TRUE, so that the emitted links remain valid if it is changed ++ // back to the default FALSE. ++ $token_query = array(IMAGE_DERIVATIVE_TOKEN = image_style_path_token($style_name, $path)); + + // If not using clean URLs, the image derivative callback is only available + // with the query string. If the file does not exist, use url() to ensure +@@ -967,10 +984,33 @@ + // actual file path, this avoids bootstrapping PHP once the files are built. + if (!variable_get('clean_url') file_uri_scheme($uri) == 'public' !file_exists($uri)) { + $directory_path = file_stream_wrapper_get_instance_by_uri($uri)-getDirectoryPath(); +-return url
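Review bot: the token check in `image_style_deliver()` sits before `image_style_path()` and before any derivative is generated and returns `MENU_ACCESS_DENIED` on failure, which is the right place for it; two points to raise on this hunk: the `image_allow_insecure_derivatives` variable disables the check and so restores the full exposure SA-CORE-2013-002 / CVE-2013-0316 describes, which deserves a line in README.Debian so admins do not set it casually, and the header's `Description: Fixes SA_CORE-2013-002` uses an underscore where the advisory id (and the patch file name 70_SA-CORE-2013-002) is SA-CORE-2013-002. As rendered here the `&&` operators in `$valid = !empty($style) file_stream_wrapper_valid_scheme($scheme)` and in the `if (!variable_get('clean_url') file_uri_scheme($uri) == 'public' !file_exists($uri))` condition are missing and the hunk is cut off after `return url`, so the file must be applied from the 7.19 to 7.20 upstream diff the Origin line names, not from this message.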
Bug#695305: unblock: squid3/3.1.20-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package squid3

Version 3.1.20-2 fixes an 'important' bug (#660489) with the addition of a simple upstream patch. No other diffs were added. This bug allows squid3 to run correctly if IPv6 has been disabled at boot time.

Debdiff for 3.1.20-2:

diff -Nru squid3-3.1.20/debian/changelog squid3-3.1.20/debian/changelog --- squid3-3.1.20/debian/changelog 2012-06-18 15:35:15.0 +0200 +++ squid3-3.1.20/debian/changelog 2012-12-06 21:02:23.0 +0100 @@ -1,3 +1,11 @@ +squid3 (3.1.20-2) unstable; urgency=low + + * debian/patches/20-ipv6-fix +- Added upstream fix for squid not working when IPv6 is not loaded + (Closes: #660489) + + -- Luigi Gangitano lu...@debian.org Thu, 06 Dec 2012 20:02:56 +0100 + squid3 (3.1.20-1) unstable; urgency=low * New upstream release diff -Nru squid3-3.1.20/debian/patches/20-ipv6-fix squid3-3.1.20/debian/patches/20-ipv6-fix --- squid3-3.1.20/debian/patches/20-ipv6-fix1970-01-01 01:00:00.0 +0100 +++ squid3-3.1.20/debian/patches/20-ipv6-fix2012-12-06 20:20:58.0 +0100 @@ -0,0 +1,11 @@ +--- a/src/ip/IpAddress.cc b/src/ip/IpAddress.cc +@@ -605,7 +605,7 @@ + dst-ai_protocol == 0) + dst-ai_protocol = IPPROTO_UDP; + +-if (force == AF_INET6 || (force == AF_UNSPEC IsIPv6()) ) { ++if (force == AF_INET6 || (force == AF_UNSPEC Ip::EnableIpv6 IsIPv6()) ) { + dst-ai_addr = (struct sockaddr*)new sockaddr_in6; + + memset(dst-ai_addr,0,sizeof(struct sockaddr_in6)); diff -Nru squid3-3.1.20/debian/patches/series squid3-3.1.20/debian/patches/series --- squid3-3.1.20/debian/patches/series 2012-02-07 16:34:05.0 +0100 +++ squid3-3.1.20/debian/patches/series 2012-12-06 20:22:12.0 +0100
@@ -1,3 +1,4 @@ 01-cf.data.debian.patch 02-makefile-defaults.patch 15-cachemgr-default-config.patch +20-ipv6-fix unblock squid3/3.1.20-2 -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores) Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20121206202128.3246.61334.report...@debian.openconsulting.it
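Review bot: gating the IPv6 branch in src/ip/IpAddress.cc on `Ip::EnableIpv6` in addition to `IsIPv6()` means that when `force == AF_UNSPEC` on a host where IPv6 was disabled at boot the code no longer builds the `sockaddr_in6` shown in this hunk for an address it cannot use, which is consistent with the #660489 description in the changelog; the one-line change is easy to verify. Unlike the other patches on this page, 20-ipv6-fix carries no DEP-3 header at all (no Description, Origin or Bug-Debian) and has no `.patch` suffix, so please add a header pointing at the upstream changeset it was taken from before it lands in stable. The `&&` operators in `(force == AF_UNSPEC Ip::EnableIpv6 IsIPv6())` and the `->` in `dst-ai_protocol` and `dst-ai_addr` are lost in this rendering.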
Re: lusca - should it be in Debian?
On 14 Dec 2011, at 19:48, Steve McIntyre wrote:

> On Sat, Dec 03, 2011 at 04:58:58PM +0100, Luigi Gangitano wrote:
>> On 2 Dec 2011, at 12:41, Steve McIntyre wrote:
>>> OK, that's fair enough I guess. But are you going to do any work on the package in the meantime, like fixing the RC bugs? If not, it should be pulled from the archive now rather than leaving it until the freeze.
>>
>> Yes, I will handle those bugs during the coming week.
>
> Ping?

Finally got upstream involved and both bugs fixed. A new version with fixes will be uploaded in the next few days as soon as an official release is made upstream.

Regards,

L

-- 
Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26

Archive: http://lists.debian.org/906b4457-753c-43ef-9ce5-22274c048...@debian.org
Re: lusca - should it be in Debian?
On 2 Dec 2011, at 12:41, Steve McIntyre wrote:

> On Fri, Dec 02, 2011 at 05:36:23AM +0100, Luigi Gangitano wrote:
>> On 1 Dec 2011, at 19:18, Steve McIntyre wrote:
>>> Hi Luigi,
>>>
>>> I'm working through the list of build failures for armhf while we bring up the new architecture, and I've just got to lusca. I'm concerned about the status of this package:
>>>
>>> * it's an svn snapshot of a fork of squid
>>> * it's been uploaded once into Debian
>>> * there are 2 serious bugs open against it for over 2 months without any response from you as the maintainer
>>> * a very low popcon score suggests it has a very small number of users
>>>
>>> Please re-consider if this package should be in the archive or not.
>>
>> Hi Steve,
>>
>> Lusca is a promising fork of Squid 2.x from Adrian Chadd once he left the Squid development team. I support his idea of modularization of squid 2.x and added the package to Debian hoping to get some momentum around it. Development seems to lag upstream, however, and I will surely consider if it should be released in Wheezy, once the freeze approaches.
>
> OK, that's fair enough I guess. But are you going to do any work on the package in the meantime, like fixing the RC bugs? If not, it should be pulled from the archive now rather than leaving it until the freeze.

Yes, I will handle those bugs during the coming week.

Regards,

L

-- 
Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26

Archive: http://lists.debian.org/caace9ea-b8cd-453b-8488-cb08ecd67...@debian.org
Re: lusca - should it be in Debian?
Hi Steve,

Lusca is a promising fork of Squid 2.x from Adrian Chadd once he left the Squid development team. I support his idea of modularization of squid 2.x and added the package to Debian hoping to get some momentum around it. Development seems to lag upstream, however, and I will surely consider if it should be released in Wheezy, once the freeze approaches.

Regards, L

On 1 Dec 2011, at 19:18, Steve McIntyre wrote:
Hi Luigi, I'm working through the list of build failures for armhf while we bring up the new architecture, and I've just got to lusca. I'm concerned about the status of this package:
* it's an svn snapshot of a fork of squid
* it's been uploaded once into Debian
* there are 2 serious bugs open against it for over 2 months without any response from you as the maintainer
* a very low popcon score suggests it has a very small number of users
Please re-consider if this package should be in the archive or not.
-- Steve McIntyre, Cambridge, UK. st...@einval.com
Mature Sporty Personal More Innovation More Adult A Man in Dandism Powered Midship Specialty

-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Archive: http://lists.debian.org/2195a490-423d-4e96-a45f-68786e91b...@debian.org
Re: Your drupal6 stable upload
Hi Adam,

The stable-proposed-updates upload of drupal6_6.18-1squeeze1 was requested by DSA since the issue was rated 'minor'. See the attached email. Sorry if I didn't follow the preferred approach, but I was not aware of it and did not verify beforehand. Do you want me to file the bug now?

Regards, L

On 27 Jun 2011, at 14:20, Adam D. Barratt wrote:
Hi, I noticed that you've uploaded a drupal6 package to proposed-updates, fixing a security issue. Was the upload discussed with the security team beforehand, to verify that they did not want to release a DSA for the issue? In either case, for future uploads please note that the preferred approach is to file an appropriately user-tagged bug against release.debian.org (reportbug has templates which will dtrt) and wait for confirmation before uploading. Regards, Adam

-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26

---Begin Message---
On Tue, Jun 21, 2011 at 04:45:39AM +0200, Luigi Gangitano wrote:
On 20 Jun 2011, at 20:39, Florian Weimer wrote:
* Luigi Gangitano: I've prepared an updated version of drupal6 which fixes a XSS vulnerability in the color module (SA-CORE-2011-001). Please find the attached files.
Thanks for contacting us. It seems to me that exploitation of this vulnerability requires write access to the Drupal site. Is this correct? Then you should fix this through stable-proposed-updates because it is a vulnerability with very low impact.
Exploit requires admin access (or custom access with equivalent rights on themes) to the website and a theme with color selection support. Color module allows for changeable colors in themes. There is at least one theme with color support (Garland) installed by default. There is also a reflected XSS in error-handling requiring on-screen error display, which is turned on by default.
More details: http://drupal.org/node/1168756
Please let me know which between stable-proposed-updates or stable-security is the right queue.
Please upload through stable-proposed-updates. Cheers, Moritz
---End Message---
Re: Freeze exception for squid3
On 9 Aug 2010, at 00:40, Julien Cristau wrote:
On Sun, Aug 8, 2010 at 20:53:31 +0200, Luigi Gangitano wrote:
Full list of changes at http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_5_1.html http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_6.html is actually a small set of changes since translation changes are not shipped with squid3 but are packaged in squid-langpack. ATM there is no known regression in 3.1.6 since its release on Aug 2nd.
OK, please upload and ping us again when the package has been accepted.

squid3_3.1.6-1 entered unstable a couple of hours ago. :-)

Regards, L
-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Archive: http://lists.debian.org/8964a933-5161-4f58-a7b2-01822377c...@debian.org
Freeze exception for squid3
Hi,

I admit I was caught a bit off guard by the freeze announcement (was on a small vacation) and need some directions on how to handle the current squid3 status. Briefly:
- testing holds 3.1.3-2, which is affected by #584223 and is actually unusable in its default configuration (and for those upgrading from the lenny version);
- unstable holds 3.1.5-2 which fixes #584223, but FTBFS on alpha (no IPv6 on build machines) and did not migrate to testing in the last few weeks;
- upstream released 3.1.6 fixing the build-time IPv6 check on Aug 2nd, but I didn't have the time to package and upload it before the freeze announcement.

I would like to ship 3.1.6 with squeeze, which is the current upstream release and would be easier to maintain during squeeze lifetime. Can you please give some advice?

Regards, L
-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Archive: http://lists.debian.org/912e5db2-5a05-4f12-9185-f818ea03a...@debian.org
Re: Freeze exception for squid3
On 8 Aug 2010, at 20:35, Julien Cristau wrote:
How big is the diff from 3.1.5 to 3.1.6? Do you have an idea of the regression potential?

Full list of changes at http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_5_1.html http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_6.html is actually a small set of changes since translation changes are not shipped with squid3 but are packaged in squid-langpack. ATM there is no known regression in 3.1.6 since its release on Aug 2nd.

Regards, L
-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Archive: http://lists.debian.org/1149ccae-a457-4344-9ef3-fe46b6cc3...@debian.org
Bug#578532: nmu: squid3_3.1.1-3
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hello, during the last build of squid3 on amd64 a missing system header for IPv6 socket on the build machine caused squid3_3.1.1-3 to ship without IPv6 support. Bug is reported as #578047 and #578519.

nmu squid3_3.1.1-3 . amd64 . -m Rebuild with IPv6 support (Closes: #578047, #578519)

Regards, L
Archive: http://lists.debian.org/20100420162320.20487.30773.report...@seneca.lugroma3.org
Re: Bits from the Release Team: What should go into squeeze?
On 14 Mar 2010, at 21:42, Philipp Kern wrote:
We would like to know what needs attention, what bugs still need to be fixed in your package before squeeze is released, which features or new upstream versions you want to see in squeeze which are not ready yet. Furthermore we would like to get an overview of the remaining transitions that need to be done.

Not a team, but... :-)

Speaking of squid3, I'd like to get the first stable release of 3.1 in squeeze. 3.1.0.16 (beta) is in experimental ATM and 3.1.0.18 will be uploaded shortly. 3.1.0.18 is expected to be the last beta, with a 3.1.1 (stable) release planned for March 29th. Squid 3.1 adds long-awaited IPv6 support and should be the only squid package in squeeze+1. I'd definitely prefer to ship a stable version of 3.1 than the current 3.0.STABLE tree, but will consider shipping 3.1.0.18 if time is running out.

Regards, L
-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Archive: http://lists.debian.org/80ff560b-266d-42eb-a5e3-f3fa840de...@debian.org
Re: CVE-2009-{4369,4370,4371}: drupal6 XSS issues
Hi Adam,

On 19 Jan 2010, at 20:23, Adam D. Barratt wrote:
On Tue, 2010-01-19 at 19:21 +0100, Luigi Gangitano wrote:
as suggested by the security team, I've just prepared an upload for drupal6 fixing a minor security issue. Can you please take a look at the attached patch and authorize upload to s-p-u?
Please go ahead.

Uploaded.

As a side-note, it's preferred (and easier to review) if the proposed changes are provided as a debdiff against the package currently in stable / s-p-u (i.e. 6.6-3lenny3 in this case).

Right. I've attached a debdiff for your convenience. :-)

Regards, L
-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Attachment: drupal6_6.6-3lenny4.debdiff
Re: squid3_3.0.STABLE8-3+lenny2, fixes regression in latest security update
On 9 Aug 2009, at 18:17, Nico Golde wrote:
Hi,
* Nico Golde debian-release...@ngolde.de [2009-08-09 15:17]:
* Philipp Kern pk...@debian.org [2009-08-09 14:46]:
On Sun, Aug 09, 2009 at 01:16:31AM +0200, Luigi Gangitano wrote:
Please find the attached patch against current sources.
Can you please provide a debdiff instead? TIA.
Luigi, are you talking about a regression introduced by my upload or by the updated advisory at http://www.squid-cache.org/Advisories/SQUID-2009_2.txt? Cause this is not about a regression but about a similar attack vector via a different path and in this case I think the update should get a DSA.
Ok, as this is what it is about, looking at your diff file there is no need to go through proposed-updates with this. A security update fixing that is ready. debdiff: http://people.debian.org/~nion/nmu-diff/squid3-3.0.STABLE8-3+lenny1_3.0.STABLE8-3+lenny2.patch

Thanks for the fast upload! :-)

Regards, L
-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
squid: fix for #513102 in lenny 5.0.1
Hi releasers,

can you please provide me direction on how to get a small bug fix in the next point release of lenny? This bug was known before the lenny release, but since I was waiting for 2.7.STABLE3-4.1 to get in testing (it included a security fix), I could not prepare a new upload in time for the release.

This bug breaks resolvconf update for squid. The fix is a simple one-liner defining the correct PATH so that invoke-rc.d can be found. Should I prepare a 4.1lenny1 version and upload to lenny-proposed-updates?

Thanks for your help. L
-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Re: Re: squid: fix for #513102 in lenny 5.0.1
I want to see the patch first. I don't agree with the snippet proposed in the bug report.

The snippet in the bug report is a simple revert of the change that broke resolvconf. The proposed change is to add a PATH definition including /usr/sbin:

--- squid.orig 2009-02-16 16:00:41.0 +0100 +++ squid 2009-02-16 16:01:06.0 +0100 @@ -1,4 +1,6 @@ #!/bin/sh +PATH=/bin:/sbin:/usr/bin:/usr/sbin + # Make squid aware of changes to resolv.conf invoke-rc.d squid reload || true

I'd push this change to lenny if the issue is not in su, as Adeodato pointed out.

Regards, L
-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
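Review bot: the added PATH line fixes the lookup, but the unchanged `invoke-rc.d squid reload || true` still masks every failure, so if invoke-rc.d is not found for some other reason (the su-related cause Adeodato raised) resolvconf reports success and squid keeps its stale resolver configuration; consider `invoke-rc.d squid reload || logger -t squid "resolvconf reload failed"` so the failure is at least visible in syslog. Assigning a fixed PATH instead of appending /usr/sbin to the inherited one is the right choice for a hook, since the script then no longer depends on whatever PATH the caller exported.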
squid3: please allow transition to lenny
Hi releasers,

I would like to ask for allowance of squid3_3.0.STABLE8-3 in lenny. This release fixes a DoS vulnerability. This is the relevant changelog entry:

squid3 (3.0.STABLE8-3) unstable; urgency=high
  * Urgency high due to security fixes
  * debian/patches/11-SQUID-2009-1
    - Added upstream patch fixing Denial of Service in request processing (Ref: SQUID-2009-1, CVE: TBA)
 -- Luigi Gangitano lu...@debian.org  Fri, 06 Feb 2009 20:23:57 +0100

Thanks, L
-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
squid: please allow transition to lenny
Hi releasers,

I would like to ask for allowance of squid_2.7.STABLE3-4 in lenny. This release fixes a single RC bug (#512512). This is the relevant changelog entry:

squid (2.7.STABLE3-4) unstable; urgency=low
  * debian/rules
    - Limit parallel building to the build: section (Closes: #512512)
 -- Luigi Gangitano lu...@debian.org  Wed, 2 Feb 2009 02:53:03 +0100

Thanks, L
-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Re: sarg: please allow transition to lenny
On 11 Jan 2009, at 12:27, Neil McGovern wrote:
On Sat, Jan 10, 2009 at 06:58:29PM +0100, Luigi Gangitano wrote:
Hi releasers, I would like to ask for allowance of sarg_2.2.5-2 in lenny. This fixes several buffer overflows in sarg and packaging errors.
There seems to be a mixture of changes directly to the files, and with a patch system. Is this intentional?

There is no patch system in sarg packaging. debian/patches is there just to keep track of all the patches that have been applied. I'm going to restructure the packaging as soon as lenny is released, but the binary packages will be mostly the same as this version, just a little more maintainable. :-)

Regards, L
-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
squid: please allow transition to lenny
Hi releasers,

I would like to ask for allowance of squid_2.7.STABLE3-2 in lenny. This release fixes several bugs and a couple of issues with DNS. This is the relevant changelog entry:

squid (2.7.STABLE3-2) unstable; urgency=low
  * debian/squid.rc
    - Added status action in rc script (Closes: #492131)
    - Changed reload action to -k reconfigure (Closes: #506985)
  * debian/patches/01-cf.data.debian
    - Added proper defaults to use as APT proxy (Closes: #491151)
  * debian/patches/59-forward-assert
    - Added two upstream patches fixing asserts in forward.c (Closes: #503692)
  * debian/patches/60-dns-queue
    - Added two upstream patches fixing DNS queue issues with stuck queries and large DNS responses over TCP
  * debian/{postrm,postrm.squid-cgi,preinst,postinst}
    - Added set -e line to make lintian happy
  * debian/postinst
    - Removed path from squid invocation to make lintian happy
  * debian/rules
    - Added standard interpretation of DEB_BUILD_OPTIONS=parallel=n
  * debian/control
    - Bumped Standard-Version to 3.8.0
 -- Luigi Gangitano lu...@debian.org  Fri, 9 Jan 2009 05:29:31 +0200

Thanks, L
-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
squid3: please allow transition to lenny
Hi releasers,

I would like to ask for allowance of squid3_3.0.STABLE8-2 in lenny. This release fixes a couple of bugs and cleans up packaging quality. This is the relevant changelog entry:

squid3 (3.0.STABLE8-2) unstable; urgency=low
  * debian/squid3.postinst
    - Fixed non-POSIX option to chown (Closes: #491701)
  * debian/rules
    - Removed obsoleted configure options (Closes: 511272)
    - Added --enable-follow-x-forwarded-for configure option
  * debian/control
    - Added dependency on ${misc:Depends} to make lintian happy
  * debian/squid3.postinst
    - Removed path from squid3 invocation to make lintian happy
  * debian/control
    - Bumped Standard-Version to 3.8.0, no change needed
 -- Luigi Gangitano lu...@debian.org  Fri, 9 Jan 2009 00:02:48 +0200

Thanks, L
-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
drupal6: please allow transition to lenny
Hi releasers,

I would like to ask for allowance of drupal6_6.6-2 in lenny. This release acknowledges the NMU from Patrick and fixes a couple of bugs that affect drupal6 when installed alongside drupal5 and with the postgres backend. This is the relevant changelog entry:

drupal6 (6.6-2) unstable; urgency=high
  * debian/patches/12_SA-2008-073
    - Moved NMU changes to dpatch file
  * debian/control
    - Added dependency on ${misc:Depends} to make lintian happy
  * debian/drupal6.{postinst,postrm}
    - Changed apache configuration link name to drupal6.conf, to avoid collision with drupal5 (Closes: #509769, #505146)
    - Set default Postgres encoding to UTF8 (Closes: #508506)
  * debian/README.Debian
    - Fixed link to installation script (Closes: 507914)
 -- Luigi Gangitano lu...@debian.org  Thu, 08 Jan 2009 20:49:51 +0100

drupal6 (6.6-1.1) unstable; urgency=high
  * Non-maintainer upload.
  * Urgency high because this fixes a security issue
  * Include upstream patch for SA-2008-073, to fix a security issue: The update system is vulnerable to Cross site request forgeries. Malicious users may cause the superuser (user 1) to execute old updates that may damage the database. (Ref: SA-2008-073) (Closes: #508473)
 -- Patrick Schoenfeld schoenf...@debian.org  Fri, 12 Dec 2008 09:30:28 +0100

Thanks, L
-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
sarg: please allow transition to lenny
Hi releasers,

I would like to ask for allowance of sarg_2.2.5-2 in lenny. This fixes several buffer overflows in sarg and packaging errors. This is the relevant changelog entry:

sarg (2.2.5-2) unstable; urgency=low
  * debian/watch
    - Use SF redirector and make lintian happy
  * debian/{rules,compat}
    - Move DH_COMPAT to debian/compat and make lintian happy
  * debian/rules
    - Change make clean invocation and make lintian happier
    - Added support for DEB_BUILD_OPTIONS
    - Move documentation files from sarg-php to doc directory
    - Remove hidden file from /etc/squid/languages
  * debian/control
    - Removed dependency on bash, now essential
    - Bumped Standard-Version to 3.8.0
  * debian/postinst
    - Make postinst fail on error
  * debian/copyright
    - Added copyright notice
    - Updated maintainer reference
  * debian/sarg-reports.1
    - Added man page, thanks to Juan Angulo Moreno (Closes: #481889)
  * debian/patches/show_read_statistics.patch
    - Added patch from Vladimir Lettiev fixing segfault with show_read_statistics set to no. (Closes: #444845, #370811)
  * debian/patches/totger_patches.patch
    - Added patch from Thomas Bliesener fixing several buffer overflows (Closes: #470791)
  * debian/patches/opensuse_1_getword_boundary_limit.patch
    - Added patch from OpenSUSE to avoid segfaults in getword() calls
  * debian/patches/opensuse_2_enlarge_report_buffers.patch
    - Added patch from OpenSUSE to avoid overflow in report buffers
  * debian/patches/opensuse_3_too_small_font_buffer.patch
    - Added patch from OpenSUSE to avoid overflow in font buffer
  * debian/patches/opensuse_4_enlarge_log_buffer.patch
    - Added patch from OpenSUSE to avoid overflow in log buffer
  * debian/patches/opensuse_5_limit_sprintf.patch
    - Added patch from OpenSUSE to avoid segfaults in sprintf() calls
  * debian/patches/opensuse_6_limit_useragent_sprintf.patch
    - Added patch from OpenSUSE to avoid segfaults in sprintf() calls
  * debian/patches/opensuse_7_year_assertion.patch
    - Added patch from OpenSUSE to avoid assertion in year parsing
 -- Luigi Gangitano lu...@debian.org  Sat, 10 Jan 2009 18:14:18 +0100

Thanks, L
-- Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
drupal5: please allow transition to lenny, fixes security issues
Hi releasers,

I would like to ask for allowance of drupal5_5.10-3 in lenny. This release fixes a couple of security issues. This is the relevant changelog entry:

drupal5 (5.10-3) unstable; urgency=high
  [Luigi Gangitano]
  * Urgency high due to security fixes
  * debian/patches/12_SA-2008-067
    - Added upstream patch fixing several security vulnerabilities (Ref: SA-2008-067, CVE-TBA) (Closes: #503217)
  * debian/patches/11_SA-2008-060
    - Fixed patch file name to follow convention
 -- Luigi Gangitano [EMAIL PROTECTED]  Mon, 24 Oct 2008 23:09:01 +0200

Thanks, L
-- Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Re: drupal5: please allow transition to lenny, fixes security issues
I did not receive the message you refer to. Can you please forward it to me?

Regards, L

On 25 Oct 2008, at 13:17, Philipp Kern wrote:
On Sat, Oct 25, 2008 at 01:09:21PM +0200, Luigi Gangitano wrote:
I would like to ask for allowance of drupal5_5.10-3 in lenny. This release fixes a couple of security issues.
Could you please answer the security team's question[1] sent on Oct 22 about drupal5 and drupal6?
Kind regards, Philipp Kern
[1] [EMAIL PROTECTED], Author: Moritz Muehlenhoff, sent to d-release, seemingly without Ccing you...
--
 .''`.  Philipp Kern                     Debian Developer
: :' :  http://philkern.de               Release Assistant
`. `'   xmpp:[EMAIL PROTECTED]           Stable Release Manager
  `-    finger pkern/[EMAIL PROTECTED]

-- Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Re: drupal6: please allow transition to lenny, fixes security issues
On 22 Oct 2008, at 00:24, Moritz Muehlenhoff wrote:
Luigi Gangitano wrote:
I would like to ask for allowance of drupal6_6.4-2 in lenny. Currently, there is no drupal6 available in lenny. Could we allow it in lenny even if it is this late? drupal6 is a simple package, architecture all, has no bug reports atm and has no package depending on it. In addition, it has a longer upstream support commitment than the current drupal5 package. If drupal6 doesn't make the lenny release I will maintain a backport, but would sincerely prefer to maintain it in the main archive.
You mean replacing drupal5 with drupal6 for Lenny or adding drupal6 on top?

Both options would be good. If I had to select one version for the next stable release I'd opt for drupal6, since upstream will support it until two more major releases are made. drupal5 will be out of support at the next major release. But I'm also willing to support both packages if they are allowed in.

Regards, L
-- Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Re: drupal6: please allow transition to lenny, fixes security issues
On 15 Oct 2008, at 08:43, Marc 'HE' Brockschmidt wrote:
Luigi Gangitano [EMAIL PROTECTED] writes:

I would like to ask for allowance of drupal6_6.4-2 in lenny. Currently, there is no drupal6 available in lenny. Could we allow it in lenny even if it is this late? drupal6 is a simple package, architecture all, has no bug reports atm and has no package depending on it. In addition, it has a longer upstream support commitment than the current drupal5 package. If drupal6 doesn't make the lenny release I will maintain a backport, but would sincerely prefer to maintain it in the main archive.

Thanks in advance, L
-- Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
drupal5: please allow transition to lenny, fixes security issues
Hi releasers,

I would like to ask for allowance of drupal5_5.10-2 in lenny. This release fixes several security issues and major breakage of a cron script. This is the relevant changelog entry:

drupal5 (5.10-2) unstable; urgency=high
  [Luigi Gangitano]
  * Urgency high due to security fixes
  * debian/po/it.po
    - Updated Italian debconf translation, thanks to Luca Monducci (Closes: #494537)
  * debian/cron.sh
    - Fixed error when BASE_URL is not cleaned (Closes: #494208, #498806)
  * debian/README.Debian
    - Added a notice about cookie security and session.cookie_secure configuration (Ref: CVE-2008-3661) (Closes: #501063)
  * debian/patches/11-SA-2008-060
    - Added upstream patch fixing several security vulnerabilities (Ref: SA-2008-060, CVE-TBA) (Closes: #501635)
  * debian/etc/settings.php
    - Added exception to Debian PHP session customization allowing for session table rows aging and removal, thanks to Kamthorn Krairaksa and Theppitak Karoonboonyanan. (Closes: #495027)
 -- Luigi Gangitano [EMAIL PROTECTED]  Fri, 14 Oct 2008 15:45:38 +0200

Thanks, L
-- Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
drupal5_5.10-1: Security Fixes
Hi Releasers,

please allow drupal5_5.10-1 in lenny. This version of the package contains only a set of fixes for XSS vulnerabilities (see http://drupal.org/node/295053). Please also override the urgency=low setting. It should really be urgency=high.

May I also ask if a set of small changes (no new upstream and no new feature), each fixing a priority=normal bug, would be accepted in Lenny? I would really like to fix a set of pending bugs, but would that unnecessarily divert the versions in testing and unstable at this point of the release process?

Thanks, L
-- Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Re: Bug#431442: squid: crashes occasionally with assertion failed: StatHist.c:195: D[i] >= 0
fixed 431442 2.6.10-1
forwarded 431442 http://www.squid-cache.org/bugs/show_bug.cgi?id=1805
thanks

[ Posting this to debian-release to investigate if a stable update can be uploaded fixing this bug ]

Hi Stephen, this is a known bug in squid which has been fixed in version 2.6.STABLE7. Versions in unstable and testing are not affected. Etch's version is affected and a fix can only be uploaded with RM approval.

Regards, L

On Tue, 03/07/2007 at 02:40 +1000, Stephen Rothwell wrote:
Package: squid
Version: 2.6.5-6
Severity: normal
I suspect that this is caused by querying squid using SNMP. It is also possible that the cachemgr may be able to generate the crash as it uses the same routine that contains the assert().

-- Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Re: Bug#431442: squid: crashes occasionally with assertion failed: StatHist.c:195: D[i] >= 0
On Sat, 01/09/2007 at 13:27 +0200, Adeodato Simó wrote:
this is a known bug in squid which has been fixed in version 2.6.STABLE7. Versions in unstable and testing are not affected. Etch's version is affected and a fix can only be uploaded with RM approval.
Hi Luigi. Without having looked at the bug report in detail, there's an issue that's very relevant: does an isolated patch only fixing that issue exist, and how big/intrusive is it? (Or maybe 2.6.STABLE7 was released just to fix that issue, I don't know so that's why I'm asking.)

Hi Adeodato, as with every bug in squid, there is an isolated patch fixing the bug. In this case the patch is a simple one-liner:

--- squid/src/snmp_agent.c 22 Sep 2006 02:49:24 - 1.88 +++ squid/src/snmp_agent.c 9 Nov 2006 16:35:07 - 1.89 @@ -1,6 +1,6 @@ /* - * $Id: snmp_agent.c,v 1.88 2006/09/22 02:49:24 hno Exp $ + * $Id: snmp_agent.c,v 1.89 2006/11/09 16:35:07 hno Exp $ * * DEBUG: section 49 SNMP Interface * AUTHOR: Kostas Anagnostakis @@ -498,7 +498,7 @@ break; case PERF_MEDIAN_HTTP_NH: x = statHistDeltaMedian(l-client_http.nh_svc_time, - f-client_http.nm_svc_time); + f-client_http.nh_svc_time); break; default: *ErrP = SNMP_ERR_NOSUCHNAME;

Regards, L
-- Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
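Review bot: the substantive change is the single line in the PERF_MEDIAN_HTTP_NH case, where the second argument to statHistDeltaMedian now reads the nh_svc_time series of f instead of nm_svc_time, so both snapshots come from the same histogram; if the neighbouring PERF_MEDIAN_* cases follow the same l/f pairing, it is worth confirming each of them names the same field on both sides before shipping, since the same copy-paste slip would be just as fatal there. The first hunk only bumps the CVS $Id keyword and can be dropped from the Debian patch to keep it to the one-line fix the message describes.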
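As an added illustration (not Squid's code and not part of the patch above): a minimal model of the delta-median computation over two counter snapshots, with the per-bin non-negativity invariant that StatHist asserts returned as an error instead of aborting the process. The struct and field names mirror the patch; the histogram layout, bin values and function names are assumptions.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

#define NBINS 8

/* One service-time histogram: bins[i] counts requests that fell into
 * bucket i. Counts only ever grow between two snapshots of the SAME series.
 * Layout is an assumption for this illustration, not Squid's StatHist. */
typedef struct {
    unsigned bins[NBINS];
} Hist;

/* Per-snapshot counters, mirroring the two fields named in the patch
 * (nh = not-modified hits, nm = near misses). */
typedef struct {
    Hist nh_svc_time;
    Hist nm_svc_time;
} ClientHttp;

/* D = newer - older, bin by bin. Returns 0 on success or -1 as soon as a
 * bin would go negative: the two arguments are then not two snapshots of
 * one series, which is the condition Squid turns into the fatal
 * "D[i] >= 0" assertion reported in the bug. */
static int hist_delta(const Hist *newer, const Hist *older, long d[NBINS])
{
    for (size_t i = 0; i < NBINS; i++) {
        d[i] = (long)newer->bins[i] - (long)older->bins[i];
        if (d[i] < 0)
            return -1;
    }
    return 0;
}

/* Index of the median bin of the delta histogram, or -1 when the delta is
 * invalid or empty. A caller can then answer the SNMP query with an error
 * (as the default case in the patch does with SNMP_ERR_NOSUCHNAME) instead
 * of taking the whole proxy down. */
static int hist_delta_median(const Hist *newer, const Hist *older)
{
    long d[NBINS], total = 0, acc = 0;
    if (hist_delta(newer, older, d) != 0)
        return -1;
    for (size_t i = 0; i < NBINS; i++)
        total += d[i];
    if (total == 0)
        return -1;
    for (size_t i = 0; i < NBINS; i++) {
        acc += d[i];
        if (acc * 2 >= total)
            return (int)i;
    }
    return NBINS - 1;
}

/* Constructed snapshots: f is the older one, l the newer (the names used in
 * the patch). Every series grew or stayed equal between the two. */
static const ClientHttp f = {
    .nh_svc_time = {{ 1, 2, 3, 4, 0, 0, 0, 0 }},
    .nm_svc_time = {{ 0, 0, 0, 0, 5, 6, 7, 8 }},
};
static const ClientHttp l = {
    .nh_svc_time = {{ 2, 4, 6, 8, 1, 0, 0, 0 }},
    .nm_svc_time = {{ 0, 0, 0, 0, 7, 8, 9, 10 }},
};

/* After the patch: PERF_MEDIAN_HTTP_NH pairs nh with nh. Returns 2 here. */
int median_http_nh_fixed(void)
{
    return hist_delta_median(&l.nh_svc_time, &f.nh_svc_time);
}

/* Before the patch: nh (newer) was paired with nm (older); bins 4..7 go
 * negative, so the invariant fails on the first query for this OID. */
int median_http_nh_buggy(void)
{
    return hist_delta_median(&l.nh_svc_time, &f.nm_svc_time);
}

int main(void)
{
    printf("fixed pairing: median bin %d\n", median_http_nh_fixed());
    printf("buggy pairing: %d (invalid delta; Squid asserted here)\n",
           median_http_nh_buggy());
    return 0;
}
```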
Re: Bug#425577: Bug confirmation. Possible target for a future stable update ?
[ Following up to debian-release so this bug is not considered ]

Hi André, Santiago,

in Squid 2.6 changes were made to the external_acl configuration directive and the meaning of concurrency has changed. To achieve the old behaviour please use 'children=' instead of 'concurrency='. This change is documented in the RELEASENOTES, even if not so explicitly. See http://www.squid-cache.org/bugs/show_bug.cgi?id=2063 for the upstream description of the configuration error.

Regards, L
-- Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Re: Drupal packages in testing
On 1 Jul 2007, at 23:40, Luk Claes wrote:
Drupal is among the ~20-30 packages, which are outlined in pp 30-31 of the slides of my DebConf talk on security support: http://people.debian.org/~jmm/debconf-security.pdf At some point we'll deal with all these en bloc, if you prefer you can unblock it for now, so that it can profit from more testing exposure in testing.
Ok, I unblocked drupal5.

Thanks. May I point out that I'm in charge of drupal and drupal5 since the beginning of this year (Moritz' slides reference 2006 issues with drupal) and that my record for security updates is excellent (every single update in squid and squid3 in the last 4 years has been prepared by me and submitted to the security team)? In addition, my main job is security-related and I have a special interest in security issues. And I'm setting up a team for drupal maintenance that will guarantee long-term security support.

I see no security issue here, so maybe even drupal-4.7 can be unblocked.

Regards, L
-- Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Drupal packages in testing
Hi releasers,

I found out that the drupal-4.7 and drupal5 packages are not being accepted into testing on your request and I'm wondering why. Can you please unlock them?

Thanks,

L

-- 
Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Please allow squid_2.6.5-6 fixing CVE-2007-1560 in etch
Hi all,

can you please allow the just uploaded squid_2.6.5-6 into etch. This version adds a one-line fix for a DoS vulnerability in TRACE requests (CVE-2007-1560).

Thanks,

-- 
Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Please allow squid 2.6.5-5 in etch. Fixing 413709, 411829
Hi releasers,

can you please unfreeze squid 2.6.5-5, which was just uploaded with two fixes: one RC bug (413709) and one debconf translation (411829)?

Thanks,

-- 
Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Please allow libapache-mod-acct 0.5-24 in etch
Hi releasers,

I've just uploaded libapache-mod-acct 0.5-24 with three debconf translation updates (Bugs #401031 #413019 #413061), and I'm here asking for manual hinting as required by the release freeze.

Thanks for your great work!!!

Regards,

-- 
Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Re: Please consider allowing drupa_4.7.5-1 in etch
> Except that Drupal would still be a serious time drain for the Security Team, as vulnerabilities occur regularly. Also, the previous maintainers disappeared and left us with a package with very short upstream maintenance cycles and which was hard to test.
>
> I'm against making an exception; I'd first like to see how the new group maintenance turns out until Lenny.

Just to make it clear on the security side, I (luigi) am in charge of drupal maintenance and will be until a proper team has been set up. My record with package maintenance is rather good (squid, sarg) and I've always provided the Security Team with updated versions of my packages in a short time.

The new drupal package is a lot simpler (uses dbconfig-common instead of specially crafted database scripts) and has already been tested for a security upgrade in 4.7.5-1.

Still begging, but if I don't make it we'll wait for Lenny. :-)

Regards,

-- 
Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Please consider allowing drupa_4.7.5-1 in etch
Hi releasers,

I'm aware that etch is frozen, but I'm here to ask for examination of the drupal case.

Drupal was removed from etch in December for being unmaintained while an updated package was in the NEW queue with a new maintainer (it was in the NEW queue since the binary package changed name). Now drupal is in unstable and a team has been set up for its maintainership on Alioth (pkg-drupal).

No package depends on it and thus no harm can be done to the distribution (I know I'm stretching it a bit but, you know, this is begging, after all :-))

Would you please consider allowing it to transition into etch?

Thanks,

-- 
Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Please allow squid-2.6.5-4 fixes security bug #407202
Hi releasers,

please allow the just uploaded squid-2.6.5-4. The only changes are two upstream patches for security issues. Bug #407202. Ref. CVE-2007-0248.

Regards,

-- 
Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Please hint squid-2.6.5-3 in etch: translation updates, bugs 399929 402677
Hi releasers,

I've just uploaded squid-2.6.5-3 with two debconf release updates, and I'm here asking for manual hinting as required by the release freeze.

Thanks for your great work!!!

Regards,

-- 
Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Please allow squid3-3.0.PRE5-5 in etch
Hi releasers,

squid3-3.0.PRE5-5 missed the etch freeze due to a wrong dependency during the sasl2 migration which required a recompile. At the moment it is 5 days old. The new package fixes several important and critical bugs (#394220, #379969, #400893).

Can you please allow it into etch?

Thanks,

-- 
Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Re: Licence issue with sarg
On Sat, 21/05/2005 at 21:12 -0700, Steve Langasek wrote:
> On Sun, May 22, 2005 at 12:15:20AM +0200, Luigi Gangitano wrote:
> > Hi all, I need help solving a licence issue with sarg. Tonight I found that sarg upstream sources contain a font file that may not be free (Verdana.TTF). I've contacted upstream a few minutes ago. In the meanwhile I'm preparing a package that doesn't contain that file. A new orig.tgz is needed. How should I upload it?
>
> According to the guidelines in the freeze announcement. Sorry, you didn't tell us what package this is, so I can't be more specific without merely repeating myself.

Sorry, I didn't make it clear that the package was 'sarg', which has version 2.0.5-2 in sarge and version 2.0.7-1 in sid. Both versions contain the file that is not freely licensed (modification is not allowed). The upcoming upstream version 2.0.8 will remove the file.

I need to upload a new orig.tar.gz and don't know how to do that for sarge.

Thanks,

-- 
Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Please accept squid_2.5.9-9 in sarge
Hi RMs,

as suggested by Frank Lichtenheld, I uploaded a new version of squid with just two patches fixing critical bugs:

http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-dns_query
  security issue with DNS response spoofing

http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-2GB_assert
  assertion failure while storing objects on disk

As a side note, I'd like to point out that Bug #305605, listed in the RC report, while being actually 'grave', applies only to woody and, thus, could be tagged 'sarge-ignore'.

Regards,

-- 
Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
One more squid upload. Directions?
Hi all,

I'd like to make one more bug-fixing, sarge-targeted squid upload, to address a minor security issue

http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-dns_query

and another corner case of the 2GB file support patch

http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-2GB_assert

What is the RM-preferred way to do this? Since sid will need these too, I was thinking of uploading to sid with urgency high and asking for allowance, but I don't want to mess things up without your advice.

Thanks,

-- 
Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Re: Please accept sarg-2.0.7-1 in sarge
On Wed, 04/05/2005 at 19:04 -0700, Steve Langasek wrote:
> > > Can you explain the impact of this segfault?
> >
> > While generating the index file parsing directories, if the month string is longer than 3 chars a strncpy call in index.c generates a non null-terminated string that is subsequently passed to a strcat, resulting in a segfault.
>
> And when is the month string longer than 3 chars?

Took a while to contact the original patch submitter, sorry.

Apparently this bug is triggered only when a non-default option in the configuration file is activated (LongUrl = yes). In such a case, with some URLs (I'm waiting for upstream to provide examples), directories get the wrong date string that triggers the segmentation fault. Surely it's a corner case.

Regards,

-- 
Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
Re: Please accept sarg-2.0.7-1 in sarge
Quoting Steve Langasek [EMAIL PROTECTED]:
> > . Fixes segfault, produced by improper use of strncpy functions, look - strncpy doesn't copy leading '\0' symbol!
>
> Can you explain the impact of this segfault?

While generating the index file parsing directories, if the month string is longer than 3 chars a strncpy call in index.c generates a non null-terminated string that is subsequently passed to a strcat, resulting in a segfault. With an unpatched binary the workaround is to rename the offending directory, otherwise sarg will continue to segfault.

> > Sarg does not have rdepends and really can do no harm... :-)
>
> The harm it does is adding to the release team's load if a new RC bug is found in the newer version you're proposing. Given the time constraints that apply to reviewing each request, we must assume that this risk always exists, so only packages that fix specific bugs will be allowed in now that we've frozen.

I do know. Just kidding while asking for something out of the rules... :-)

Regards,

L
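As an added illustration of the strncpy bug described in this reply and in the one above (a constructed example, not sarg's actual index.c; the field size, the function names and the sample month strings are assumptions), the unterminated copy is shown beside a version that always terminates and bounds-checks the append:

```c
#include <stdio.h>
#include <string.h>

/* Constructed reconstruction of the pattern described in the thread, not
 * sarg's real index.c: a month abbreviation is copied into a 3-letter field
 * and then appended to a path. MONTH_SZ and the function names are assumed. */
#define MONTH_SZ 4   /* three letters plus the terminating NUL */

/* The unsafe pattern. strncpy() pads with NUL only when strlen(src) is
 * shorter than the count; with a longer month string ("April") it writes
 * no terminator at all, so a later strcat() reads past the buffer.
 * Returns 1 if the copied field is NUL-terminated, 0 if it is not. */
int unsafe_month_copy_is_terminated(const char *src)
{
    char month[MONTH_SZ];
    memset(month, 'X', sizeof month);      /* stand in for stale stack bytes */
    strncpy(month, src, sizeof month);     /* the buggy call */
    return memchr(month, '\0', sizeof month) != NULL;
}

/* The fixed pattern: truncate to the field width, terminate explicitly,
 * and bounds-check the append instead of calling strcat().
 * Returns 0 on success, -1 (with out emptied) if out is too small. */
int build_index_name(char *out, size_t outsz,
                     const char *prefix, const char *month_src)
{
    char month[MONTH_SZ];
    strncpy(month, month_src, sizeof month - 1);
    month[sizeof month - 1] = '\0';        /* always terminated */
    int n = snprintf(out, outsz, "%s%s", prefix, month);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char out[16];
    printf("\"May\"   terminated: %d\n", unsafe_month_copy_is_terminated("May"));
    printf("\"April\" terminated: %d\n", unsafe_month_copy_is_terminated("April"));
    if (build_index_name(out, sizeof out, "2005", "April") == 0)
        printf("index name: %s\n", out);   /* 2005Apr */
    return 0;
}
```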
Please accept sarg-2.0.7-1 in sarge
Hi again Managers,

I know that this upgrade request doesn't conform with the parameters outlined in Steve's announcement, but I wish the new sarg could make it into sarge. This is a minor upstream update fixing some segfault errors. From the upstream Changelog:

  . Fixes segfault, produced by improper use of strncpy functions, look - strncpy doesn't copy leading '\0' symbol!

Sarg does not have rdepends and really can do no harm... :-)

Regards,

L

sarg (2.0.7-1) unstable; urgency=medium

  * New upstream release
  * Urgency medium because segfault fixes in this (and previous) version
    should go in Sarge
  * debian/squid.conf
    - Synced with upstream changes (addition of dansguardian configuration
      and ntlm username format)

 -- Luigi Gangitano [EMAIL PROTECTED]  Tue, 3 May 2005 09:14:44 +0200

sarg (2.0.6-2) unstable; urgency=low

  * language/Turkish
    - applied sarg-turkish.patch fixing syntax errors (Closes: #279636)

 -- Luigi Gangitano [EMAIL PROTECTED]  Tue, 26 Apr 2005 12:24:23 +0200

sarg (2.0.6-1) unstable; urgency=low

  * New upstream release
  * languages/French
    - removed sarg-french.patch that has been superseded upstream

 -- Luigi Gangitano [EMAIL PROTECTED]  Sun, 24 Apr 2005 01:52:18 +0200

-- 
Luigi Gangitano -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26